Cybersecurity incident report
sb230529
CH02.pptxChapter 2 Controlling a Computer
Chapter 2 Overview
Overview of the general strategies for controlling access
Buffer overflow: a well-known technique for subverting computer software
Introduction to attack scenarios and case studies
Mechanisms typically used to control access within a computer
Security planning: describing the protections needed and how to implement them
CPU Hardware: Motherboard
Left: © iStockphoto/Thinkstock; Middle: © Péter Gudella/Dreamstime.com; Right: Courtesy of Dr. Richard Smith.
Programs
Data resides in RAM
Numbers and other coded data
Examined and modified by programs
Stored in consecutively numbered locations
Programs are lists of instructions
Instructions reside in RAM
Each is a single arithmetic operation or comparison
Stored in consecutively numbered locations
Executing a Machine Instruction
Left: Courtesy of Dr. Richard Smith; Right: © iStockphoto/Thinkstock
Organizing RAM into “Sections”
Control sections
Contain instructions to execute
Contain unchanging data
Data sections
Contain variables that change
Contain “free form” RAM
Buffers, stacks
Control and Data Sections
Functions, Procedures, Subroutines
We break programs into pieces
A piece with a particular job = function or procedure or subroutine, all roughly the same
One function can execute another function
PC is pointed to the called function’s address
We save the current function’s “state”
Saving the variables and the caller’s PC
Saved in RAM, often on a “stack”
One Function Calls Another Function
We save the program counter in the “calling function”
We execute the instructions in the “called function”
At the end of the “called function” we restore the program counter
This returns the CPU to where the “calling function” left off
Processes
A program is a group of instructions
A process is a running program
Its PC is, or can be, changing
It has some RAM with instructions and data
Windows example
Run two command shells
One program, two processes
Looking at processes with the Task Manager
List Applications; List Processes
Switching Processes
The “dispatcher” procedure in the operating system (OS) switches running processes
Stops (pauses) one process and starts another
Save the PC for the stopped process
Save other CPU data from the stopped process
Locate the “saved state” for the one to start
Load up the saved CPU data for the process
Load the PC with the starting process’s PC value
The Operating System
Dispatching and process management is only one of its many tasks.
RAM management – assigns RAM to active processes and manages free RAM
I/O management – handles external devices
File management – hard drives & mass storage
User interface management – keyboards and GUIs
Network protocols – connect to other computers
Buffer Overflow: The Morris Worm
Morris Worm – first major Internet worm
1988 – disabled about 10% of Internet computers
Used several attacks
Buffer overflow vulnerability
A program fails to keep track of its input
The input data modifies RAM that it shouldn’t
Attacker can take over the computer if the wrong RAM gets modified
The “finger” Program
Retrieved information about other users
Rarely used today
Command “finger [email protected]”
Retrieved information about JSL at BU.EDU
If the sender typed too many letters, like:
finger [email protected] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and so on… the program overflowed a buffer
What Overflows?
It Overflows the Stack
When we call another procedure, we must save the PC and the current procedure’s working variables inside the CPU
We save the information on a last-in first-out block of RAM called the stack
If a storage area on the stack is overrun, the data may modify the saved PC
When the procedure is finished, it jumps back to the wrong instructions in RAM
The Stack Overflow
The Worm Connection
Why Does the Shellcode Work?
Programs execute from a control section
The stack is in the data section
If the computer has data execution prevention (DEP), it only executes instructions in a control section
Not all systems – or programs – can use DEP
The Worm Released
Released in October 1988
Promptly infected 10% of Internet computers
The worm was designed to infect each computer once
The restricting code did not work
Each computer was infected hundreds of times
Infected computers became unusable
Spread nationwide between 9pm and 11pm
Fighting the Worm
Telephone lines were not affected
Analysts shared information by phone
Many were at a meeting in Berkeley, fortunately
As sites cleaned themselves up, they shared status and defensive data via email
Site cleanup was tricky – a “clean” computer had to be hardened against the worm or it would be infected all over again
Security Alerts and Coordination
The worm incident helped create the Computer Emergency Response Team (CERT)
First nationwide, multi-organization computer security team – tracked and reported problems
Today, reports are tracked by the Common Vulnerability Enumeration (CVE)
Numerous public and private security organizations, like the “Internet Storm Center”
Studying Cyber Attacks
A systematic analysis, based on attack reports
Attack scenarios
May study potential or actual attacks
Elements are all based on recorded attacks
Attack case studies
Report actual attacks
A scenario that includes threat agent data
23
Attack Scenario
Goals – a few sentences describing the goals of the attack.
Resources required – personnel, skills, equipment, preparation, timing constraints
How it happens – describe how it takes place
Collateral results – attack results in addition to the goals noted above
Recommended mitigation – basic steps that could prevent the attack. Acts
References – authoritative sources
Attack Case Study
Overview – summarizes the attack
Perpetrator – brief description of threat agent
Attack scenario – as described previously
Risk management – how pre-attack risk management steps affected the attack’s outcome (omissions or comissions)
References – consolidated list including those from the attack scenario
Resources Required: Details
Skills and/or training – special skills required for the attack
Personnel – number and types of people required for the attack
Equipment – special equipment required for the attack
Preparation time – amount of lead time required to set up the attack
Timing constraint – is the attack tied to a particular schedule or event?
Access Control Strategies
How do we control access? Four strategies:
Islands
A process is an island
Vaults
Safe deposit box; access control on a computer
Puzzles
Cryptography; Kerckhoff/Shannon
Patterns
Photo IDs; anti-virus; biometrics
An Island
On an island, we can only touch what is there
Everything else is brought from elsewhere
A process can execute its instructions in RAM and modify variables in RAM
It can only use resources brought into its RAM
It can’t access anything else
We restrict a process by not allowing it access to resources
“Isolation and mediation”
A Vault
We can retrieve things from the vault only if allowed
Someone/something restricts access
Least privilege: we only have access to some items
A bank safe deposit box – we have the key
The banker lets us retrieve the box
We can modify the box contents
We can’t retrieve or modify any other boxes
Computer access control – a process can retrieve a file or print data if granted the right permissions
Puzzles
Protect data by presenting a puzzle
Authorized users know the puzzle’s answer
Security Through Obscurity (STO)
A weak puzzle, like protecting data by hiding it
Strong puzzles use cryptography (“crypto”)
Mathematical techniques to hide or protect data
Quality cryptography is very hard to break
Weak cryptography is simply a form of STO
Open Design: A Basic Principle
We open our systems for third-party analysis to help ensure their effectiveness
We withhold changeable, secret information
“More eyes make bugs shallow” – Eric Raymond
Kerckhoff’s Principle and crypto design
Rely on a changeable secret, but make the rest of the design public and open to review
Shannon’s Maxim: “The enemy knows the system”
Pattern Matching
Make decisions based on similarities
Photo IDs – guard compares face against poor photo
Photos are often laughably inaccurate
Anti-virus software
Searches computer for patterns found in viruses
Must be updated continuously for new viruses
Biometrics – fingerprint readers, for example
Compare reading against a stored pattern
Problems: false positives and false negatives
Chain of Control: Another Principle
We must never run programs that violate or bypass our security policy. To avoid this, we:
Start the computer using a BIOS that maintains our security policy
If the software we start (i.e., the OS) can start other software, then the other software either
Complies with the security policy, OR
Is constrained from violating the policy via access restrictions or other mechanisms
Subverting the Chain of Control
At the BIOS, we may
Boot a different OS from a CD-ROM
Boot a different OS from a USB drive
The other OS doesn’t enforce access restrictions
Inside the OS, we may
Install a privileged (administrative) program that can bypass access restrictions
Trick an authorized user into leaking sensitive files
Keeping Processes Separate
Relies on hardware and software
Hardware: two CPU features
Program modes
RAM protection
Software: Operating system features
Program dispatcher
Memory manager
User identities
Program Modes
Kernel or supervisor mode
For highly privileged operating system programs with full CPU access
Allows full access to RAM
Dangerous! Used as rarely as possible
User mode
For most programs and all applications
CPU blocks any attempt to use kernel mode instructions
Personal Computer Evolution
1970s: PCs ran one program at a time
Microprocessor CPUs didn’t support multitasking
1980s: Programs politely took turns
Allowed several windows to be open at once
Illusion of multitasking
1990s: Multitasking in desktop computers
Microprocessor CPUs support multitasking
Unix on PCs, Windows NT
Operating System Protections
Originally only available on mainframes and higher-end minicomputer OSes (Unix, VMS)
Adapted to desktop OSes during 1990s
OS security features
Processes must take turns (“dispatching”)
Processes are assigned different parts of RAM
Processes can’t damage other areas of RAM
User-oriented interface and access controls
Sharing a Program
Screenshots used with permission from Microsoft.
Access Matrix
A way to specify access permissions
Rows for resources or RAM
Columns for active entities or processes
Sharing Data
The problem: Allow two processes to share data stored in RAM
Normally we isolate processes from each other
This prevents one process from damaging the other one
OS provides a separate data section
Processes still have exclusive access to own data
All shared data resides in this separate section
Both processes have RW access to the shared section
Constructing a Security Plan
The Security Plan is a detailed assessment
A high-level analysis is an overview
The Plan contains the details
List of assets (see Chapter 1)
Full risk assessment (see Chapter 1)
Prioritized list of risks (see Chapter 1)
Security requirements (see Chapter 1)
Implementation – a list of security controls
Requirements and Controls
Requirements say what we want for protection
Controls says what we get
For each requirement, pick security controls
Each control addresses one or more policy statements
Security Plan: Process Protection
How does the OS protect processes?
Goals:
Processes share the CPU
Processes may share control sections
Processes don’t share RAM except by request
Risks:
A process monopolizes the CPU
A process reads or writes RAM that it shouldn’t
Policy and Implementation
Six policy statements (Table 2.5 in textbook)
Specifies security to be arranged by the dispatcher
Specifies when things should happen
Security controls (Table 2.5 in textbook)
All are functional controls provided by software
Some are steps in the dispatcher procedure
Others are features of how the OS ensures that the dispatcher is run or how security is applied
45
