Computer Security Exam

CPSC353PowerPoints-A.zip

Ch03-BufferOverflow.pptx

Buffer Overflow Attacks


2009-01-28

Operating Systems: Basic Concepts

CS 166

What is an Exploit?

An exploit is any input (i.e., a piece of software, an argument string, or sequence of commands) that takes advantage of a bug, glitch or vulnerability in order to cause an attack

An attack is an unintended or unanticipated behavior that occurs on computer software, hardware, or something electronic and that brings an advantage to the attacker

10/13/10

Buffer Overflow


An exploit is not necessarily a program. While it can be a program that communicates bad input to a vulnerable piece of software, it can also be just the bad input itself. Any bad input (or even valid input that the developer just failed to anticipate) can cause the vulnerable application to behave improperly.


Buffer Overflow Attack

One of the most common OS bugs is a buffer overflow

The developer fails to include code that checks whether an input string fits into its buffer array

An input to the running process exceeds the length of the buffer

The input string overwrites a portion of the memory of the process

Causes the application to behave improperly and unexpectedly

Effect of a buffer overflow

The process can operate on malicious data or execute malicious code passed in by the attacker

If the process is executed as root, the malicious code will be executing with root privileges


Because of the nature of the address space, locally declared buffers are allocated on the stack

Since the stack grows downward, writing past the end of the buffer can corrupt the content of the rest of the stack. Thus, if enough information is known about the program, one could write over known register information and the return address.


Address Space

Every program needs to access memory in order to run

For simplicity's sake, it would be nice to allow each process (i.e., each executing program) to act as if it owns all of memory

The address space model is used to accomplish this

Each process can allocate space anywhere it wants in memory

Most kernels manage each process’ allocation of memory through the virtual memory model

How the memory is managed is irrelevant to the process


This would also be consistent with the process model proposed earlier, where each process feels like it “owns” the machine. The size of the address space is machine dependent. Until the Intel 386 came around, most address spaces were 16 bit; for most of the past 15 years we have been using 32 bit machines, though an increasingly large number of processors with 64 bit modes are making their way into people’s computers.


Virtual Memory

Mapping virtual addresses to real addresses


[Figure: two views of memory, labelled “Program Sees” and “Actual Memory”; other labels: Another Program, Hard Drive]

Unix Address Space

Text: machine code of the program, compiled from the source code

Data: static program variables initialized in the source code prior to execution

BSS (block started by symbol): static variables that are uninitialized

Heap: data dynamically generated during the execution of a process

Stack: structure that grows downwards and keeps track of the activated method calls, their arguments and local variables


[Figure: address space from high addresses (0xFFFF FFFF) down to low addresses (0x0000 0000): Stack, Heap, BSS, Data, Text]

Vulnerabilities and Attack Method

Vulnerability scenarios

The program has root privileges (setuid) and is launched from a shell

The program is part of a web application

Typical attack method

Find vulnerability

Reverse engineer the program

Build the exploit


Buffer Overflow Attack in a Nutshell

First described in

Aleph One. Smashing The Stack For Fun And Profit. e-zine www.Phrack.org #49, 1996

The attacker exploits an unchecked buffer to perform a buffer overflow attack

The ultimate goal for the attacker is getting a shell that allows the attacker to execute arbitrary commands with high privileges

Kinds of buffer overflow attacks:

Heap smashing

Stack smashing


Buffer Overflow

Retrieves domain registration info

e.g., domain brown.edu


domain.c

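#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    /* get user_input */
    char var1[15];
    char command[20];

    strcpy(command, "whois ");
    strcat(command, argv[1]);   /* no bounds check: can write past command[20] */
    strcpy(var1, argv[1]);      /* no bounds check: can write past var1[15] */
    printf("%s", var1);
    system(command);
    return 0;
}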

[Figure: stack between top of memory (0xFFFFFFFF) and bottom of memory (0x00000000), with the stack fill direction marked, holding var1 (15 char) and command (20 char)]

strcpy() Vulnerability

argv[1] is the user input

strcpy(dest, src) does not check the size of the destination buffer

strcat(d, s) concatenates strings


domain.c


[Figure: stack between top of memory (0xFFFFFFFF) and bottom of memory (0x00000000), with the stack fill direction marked; argv[1] (15 char) is shown over var1 (15 char) and argv[1] (20 char) over command (20 char), with the labels Overflow and exploit]

strcpy() vs. strncpy()

Function strcpy() copies the string in the second argument into the first argument

e.g., strcpy(dest, src)

If the source string is longer than the destination buffer, the overflow characters may occupy the memory space used by other variables

The null character is appended at the end automatically

Function strncpy() copies the string by specifying the number n of characters to copy

e.g., strncpy(dest, src, n); dest[n] = '\0'

If source string is longer than the destination string, the overflow characters are discarded automatically

You have to place the null character manually
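A bounded version of the two copies in domain.c, added here as an example and not part of the original slides. The helper names bounded_copy and build_whois_command are hypothetical; note that the slide's `dest[n] = '\0'` form needs a destination of at least n + 1 bytes, so the helper below copies at most size - 1 characters and terminates at index size - 1.

```c
#include <stdio.h>
#include <string.h>

#define VAR1_SIZE    15   /* same sizes as var1 and command in domain.c */
#define COMMAND_SIZE 20

/* strncpy()-based copy that always NUL-terminates and reports truncation.
 * Returns 0 if src fitted completely, -1 if characters were discarded. */
int bounded_copy(char *dest, size_t dest_size, const char *src)
{
    if (dest_size == 0)
        return -1;
    strncpy(dest, src, dest_size - 1);   /* copy at most dest_size - 1 chars */
    dest[dest_size - 1] = '\0';          /* strncpy() does not guarantee this */
    return strlen(src) < dest_size ? 0 : -1;
}

/* Builds "whois <domain>" without strcpy()/strcat().
 * Returns 0 on success, -1 if the result would not fit in out. */
int build_whois_command(char *out, size_t out_size, const char *domain)
{
    int needed = snprintf(out, out_size, "whois %s", domain);

    if (needed < 0 || (size_t)needed >= out_size) {
        if (out_size > 0)
            out[0] = '\0';               /* never pass a truncated command on */
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char var1[VAR1_SIZE];
    char command[COMMAND_SIZE];

    if (argc != 2) {
        fprintf(stderr, "usage: %s domain\n", argv[0]);
        return 1;
    }
    /* Reject over-long input instead of silently truncating it. */
    if (bounded_copy(var1, sizeof var1, argv[1]) != 0 ||
        build_whois_command(command, sizeof command, argv[1]) != 0) {
        fprintf(stderr, "domain name too long\n");
        return 1;
    }
    printf("%s\n", var1);
    printf("would run: %s\n", command);  /* domain.c calls system(command) here */
    return 0;
}
```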


Return Address Smashing

The Unix fingerd() system call, which runs as root (it needs to access sensitive files), used to be vulnerable to buffer overflow

Write malicious code into buffer and overwrite return address to point to the malicious code

When return address is reached, it will now execute the malicious code with the full rights and privileges of root


void fingerd (…) {
    char buf[80];
    get(buf);
}

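[Figure: stack of fingerd() before and after the overflow. Labels before: previous frames, current frame, f() arguments, return address, local variables, buffer, program code, next location, EIP. Labels after: attacker’s input, malicious code, padding, return address, f() arguments, program code, EIP]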

The fragment of C code for fingerd() above shows the problem

A local array buf[80] is declared, which gets allocated on the stack, but the function get does not do bounds checking, and hence makes buffer overflows possible.
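A bounds-checked replacement for the unchecked read in the fingerd() fragment, added here as an example and not taken from the original slides or from fingerd itself. The names read_request and constructed_input are hypothetical, and the sample input is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 80          /* same size as buf in the fingerd fragment */
#define REQ_EOF      (-1)
#define REQ_TOO_LONG (-2)

/* Reads one request line into buf, never writing more than buf_size bytes.
 * Returns the line length (newline stripped), REQ_EOF at end of input, or
 * REQ_TOO_LONG if the line did not fit. The rest of an over-long line is
 * consumed so it cannot be mistaken for the next request. */
int read_request(FILE *in, char *buf, size_t buf_size)
{
    size_t len;
    int c;

    if (buf_size < 2 || fgets(buf, (int)buf_size, in) == NULL)
        return REQ_EOF;

    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {   /* the whole line fitted */
        buf[--len] = '\0';
        return (int)len;
    }
    c = fgetc(in);
    if (c == EOF || c == '\n')               /* line filled the buffer exactly */
        return (int)len;
    while (c != EOF && c != '\n')            /* discard the excess input */
        c = fgetc(in);
    buf[0] = '\0';
    return REQ_TOO_LONG;
}

/* Constructed sample input: a normal request, a 200-character line that
 * would overflow an 80-byte buffer, then another normal request. */
FILE *constructed_input(void)
{
    FILE *f = tmpfile();
    int i;

    if (f == NULL)
        return NULL;
    fputs("farasi\n", f);
    for (i = 0; i < 200; i++)
        fputc('A', f);
    fputs("\nguest\n", f);
    rewind(f);
    return f;
}

int main(void)
{
    char buf[BUF_SIZE];
    int n;
    FILE *in = constructed_input();

    if (in == NULL)
        return 1;
    while ((n = read_request(in, buf, sizeof buf)) != REQ_EOF) {
        if (n == REQ_TOO_LONG)
            puts("rejected: request longer than buffer");
        else
            printf("accepted: \"%s\" (%d chars)\n", buf, n);
    }
    fclose(in);
    return 0;
}
```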


Unix Shell Command Substitution

The Unix shell enables a command argument to be obtained from the standard output of another command

This feature is called command substitution

When parsing the command line, the shell replaces a command between back quotes with the output of that command

Example:

File name.txt contains string farasi

The following two commands are equivalent

finger `cat name.txt`

finger farasi


Shellcode Injection

An exploit aims to take control of the attacked computer, so it injects code to “spawn a shell”, known as “shellcode”

A shellcode is:

Code assembled in the CPU’s native instruction set (e.g., x86, x86-64, arm, sparc, risc, etc.)

Injected as a part of the buffer that is overflowed.

We inject the code directly into the buffer that we send for the attack

A buffer containing shellcode is a “payload”


Now comes the question of injecting our own code to be executed. We inject the code directly into the buffer that we send for the attack.

Buffer Overflow Mitigation

We know how a buffer overflow happens, but why does it happen?

This problem could not occur in Java; it is a C problem

In Java, objects are allocated dynamically on the heap (except ints, etc.)

Also cannot do pointer arithmetic in Java

In C, however, you can declare things directly on the stack

One solution is to make the buffer dynamically allocated

Another (OS) problem is that fingerd had to run as root

Just get rid of fingerd’s need for root access (solution eventually used)

The program needed access to a file that had sensitive information in it

A new world-readable file was created with the information required by fingerd


Why doesn’t get do a bounds check and why does the operating system allow writing beyond the array bounds?

In Java, you can’t just overwrite the stack because you don’t know where the stack is!

In Java, we cannot access memory directly, since we lack pointer arithmetic


Stack-based buffer overflow detection using a random canary

The canary is placed in the stack prior to the return address, so that any attempt to over-write the return address also over-writes the canary.


[Figure: Normal (safe) stack configuration: Buffer, Other local variables, Canary (random), Return address, Other data]

[Figure: Buffer overflow attack attempt: Buffer, Overflow data, Corrupt return address, Attack code, with the canary position marked x]
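The canary check described above, simulated on a struct that models the frame in the figure; this is an added example and not code from the original slides. Real canaries are inserted by the compiler (for instance GCC's -fstack-protector); the struct layout, the names simulate_call and random_canary, and the saved return address value are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Model of the frame in the figure, lowest address first. */
struct frame {
    char     buffer[BUF_LEN];
    uint64_t canary;
    uint64_t return_address;
};

struct result {
    int canary_intact;
    int return_address_intact;
};

/* Simulates one call: the prologue stores the canary, an unchecked copy of
 * n input bytes starts at buffer, and the epilogue compares the canary. */
struct result simulate_call(uint64_t canary, const unsigned char *input, size_t n)
{
    const uint64_t saved_return = 0x0000000000401136ULL;  /* constructed value */
    struct frame f;
    struct result r;

    memset(&f, 0, sizeof f);
    f.canary = canary;                       /* prologue: place the canary */
    f.return_address = saved_return;

    if (n > sizeof f)
        n = sizeof f;                        /* keep the simulation inside the model */
    memcpy((unsigned char *)&f, input, n);   /* the unchecked copy into the frame */

    r.canary_intact = (f.canary == canary);  /* epilogue: check before returning */
    r.return_address_intact = (f.return_address == saved_return);
    return r;
}

/* Fresh random canary; returns 0 on success, -1 if no randomness is available. */
int random_canary(uint64_t *out)
{
    FILE *u = fopen("/dev/urandom", "rb");
    int ok = (u != NULL && fread(out, sizeof *out, 1, u) == 1);

    if (u != NULL)
        fclose(u);
    return ok ? 0 : -1;
}

int main(void)
{
    unsigned char input[sizeof(struct frame)];
    size_t lengths[] = { BUF_LEN, BUF_LEN + 8, sizeof(struct frame) };
    uint64_t canary;
    size_t i;

    if (random_canary(&canary) != 0)
        return 1;
    memset(input, 'A', sizeof input);        /* constructed overflow data */
    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        struct result r = simulate_call(canary, input, lengths[i]);
        printf("%2zu bytes: canary %s, return address %s\n", lengths[i],
               r.canary_intact ? "intact" : "CORRUPT (abort)",
               r.return_address_intact ? "intact" : "overwritten");
    }
    return 0;
}
```

Because the canary sits between the buffer and the return address, every input long enough to change the return address has already changed the canary, so the epilogue check fails before the corrupted address is used.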

Ch03-OS.pptx

Operating Systems Concepts


Introduction

A Computer Model

An operating system has to deal with the fact that a computer is made up of a CPU, random access memory (RAM), input/output (I/O) devices, and long-term storage.

[Figure: a computer model made up of the CPU, RAM (cells numbered 0, 1, 2, ..., 9, ...), Disk Drive and I/O]

OS Concepts

An operating system (OS) provides the interface between the users of a computer and that computer’s hardware.

An operating system manages the ways applications access the resources in a computer, including its disk drives, CPU, main memory, input devices, output devices, and network interfaces.

An operating system manages multiple users.

An operating system manages multiple programs.


Multitasking

Give each running program a “slice” of the CPU’s time.

The CPU is running so fast that to any user it appears that the computer is running all the programs simultaneously.


Public domain image from http://commons.wikimedia.org/wiki/File:Chapters_meeting_2009_Liam_juggling.JPG

The Kernel

The kernel is the core component of the operating system. It handles the management of low-level hardware resources, including memory, processors, and input/output (I/O) devices, such as a keyboard, mouse, or video display.

Most operating systems define the tasks associated with the kernel in terms of a layer metaphor, with the hardware components, such as the CPU, memory, and input/output devices being on the bottom, and users and applications being on the top.

[Figure: layers from top to bottom: User Applications and Non-essential OS Applications (Userland); The OS Kernel (Operating System); CPU, Memory, Input/Output (Hardware)]

Input/Output

The input/output devices of a computer include things like its keyboard, mouse, video display, and network card, as well as other more optional devices, like a scanner, Wi-Fi interface, video camera, USB ports, etc.

Each such device is represented in an operating system using a device driver, which encapsulates the details of how interaction with that device should be done.

The application programmer interface (API), which the device drivers present to application programs, allows those programs to interact with those devices at a fairly high level, while the operating system does the “heavy lifting” of performing the low-level interactions that make such devices actually work.


System Calls


User applications don’t communicate directly with low-level hardware components, and instead delegate such tasks to the kernel via system calls.

System calls are usually contained in a collection of programs, that is, a library such as the C library (libc), and they provide an interface that allows applications to use a predefined series of APIs that define the functions for communicating with the kernel.

Examples of system calls include those for performing file I/O (open, close, read, write) and running application programs (exec).

Processes

A process is an instance of a program that is currently executing.

The actual contents of all programs are initially stored in persistent storage, such as a hard drive.

In order to be executed, a program must be loaded into random-access memory (RAM) and uniquely identified as a process.

In this way, multiple copies of the same program can be run as different processes.

For example, we can have multiple copies of MS PowerPoint open at the same time.

Process IDs

Each process running on a given computer is identified by a unique nonnegative integer, called the process ID (PID).

Given the PID for a process, we can then associate its CPU time, memory usage, user ID (UID), program name, etc.


File Systems

A filesystem is an abstraction of how the external, nonvolatile memory of the computer is organized.

Operating systems typically organize files hierarchically into folders, also called directories.

Each folder may contain files and/or subfolders.

Thus, a volume, or drive, consists of a collection of nested folders that form a tree.

The topmost folder is the root of this tree and is also called the root folder.


File System Example


File Permissions

File permissions are checked by the operating system to determine if a file is readable, writable, or executable by a user or group of users.

In Unix-like OS’s, a file permission matrix shows who is allowed to do what to the file.

Files have owner permissions, which show what the owner can do, and group permissions, which show what some group id can do, and world permissions, which give default access rights.


Memory Management

The RAM memory of a computer is its address space.

It contains the code for the running program, its input data, and its working memory.

For any running process, it is organized into different segments, which keep the different parts of the address space separate.

As we will discuss, security concerns require that we never mix up these different segments.


Memory Organization

Text. This segment contains the actual (binary) machine code of the program.

Data. This segment contains static program variables that have been initialized in the program code.

BSS. This segment, which is named for an antiquated acronym for block started by symbol, contains static variables that are uninitialized.

Heap. This segment, which is also known as the dynamic segment, stores data generated during the execution of a process.

Stack. This segment houses a stack data structure that grows downwards and is used for keeping track of the call structure of subroutines (e.g., methods in Java and functions in C) and their arguments.


Memory Layout


Virtual Memory

There is generally not enough computer memory for the address spaces of all running processes.

Nevertheless, the OS gives each running process the illusion that it has access to its complete (contiguous) address space.

In reality, this view is virtual, in that the OS supports this view, but it is not really how the memory is organized.

Instead, memory is divided into pages, and the OS keeps track of which ones are in memory and which ones are stored out to disk.


Page Faults

1. Process requests virtual address not in memory, causing a page fault.

2. Paging supervisor pages out an old block of RAM memory.

3. Paging supervisor locates requested block on the disk and brings it into RAM memory.

[Figure: a process issues “read 0110101”; the paging supervisor answers “Page fault, let me fix that.” and exchanges an old block in RAM memory for a new block from the external disk]

Virtual Machines

Virtual machine: A view that an OS presents that a process is running on a specific architecture and OS, when really it is something else. E.g., a Windows emulator on a Mac.

Benefits:

Hardware Efficiency

Portability

Security

Management


Public domain image from http://commons.wikimedia.org/wiki/File:VMM-Type2.JPG

[Figure labels: Stack, Dynamic, BSS, Data, Text; Program Sees, Actual Memory, Another Program, Hard Drive]

Ch04-Malware.pptx

Malware: Malicious Software

10/21/2010

Malware


2009-02-02

CS 166 - Malware

Viruses, Worms, Trojans, Rootkits

Malware can be classified into several categories, depending on propagation and concealment

Propagation

Virus: human-assisted propagation (e.g., open email attachment)

Worm: automatic propagation without human assistance

Concealment

Rootkit: modifies operating system to hide its existence

Trojan: provides desirable functionality but hides malicious operation

Various types of payloads, ranging from annoyance to crime


Name derives from the wooden horse left by the Greeks at the gates of Troy during the siege of Troy

A Trojan horse program intentionally hides malicious activity while pretending to be something else

Usually described as innocuous-looking software, or software delivered through innocuous means, which allows an attacker to take control of systems

Trojan horse programs do not replicate themselves

Sometimes passed on using commonly passed executables, things like jokes forwarded by e-mail

Sometimes marketed/distributed as “remote administration tool”

Often combined with rootkits to disguise activity and remote access

Popularized to an extent by software like Cult of the Dead Cow’s Back Orifice, offered as a free download for running “remote administration” tasks or playing spooky jokes on friends

The line between user-launched worms and Trojans is highly blurred, with many user-launched worms behaving in a manner similar to worms.

Trojans are by definition malicious. The classic movie/television exploit of remotely opening disk drives is a definite symptom of being infected by a Trojan.

Trojans have lately begun using many of the same defense mechanisms used by viruses; there are known Trojans which use WSH to run.

To detect infected computers, attackers often use so-called sweep lists, lists of IP addresses known to be online. One of the popular ways of doing this is to monitor IRC chat rooms and use the IP addresses of participants in these rooms.

Payload examples

perform amusing or annoying pranks

destroy/corrupt files and applications

monitor and transmit user activity (spyware, logger)

install backdoor (makes the infected computer a zombie)

email spam

launch denial-of-service attack

alter browser settings to display ads

dial out international or 900 numbers (dialer)


Insider Attacks

An insider attack is a security breach that is caused or facilitated by someone who is a part of the very organization that controls or builds the asset that should be protected.

In the case of malware, an insider attack refers to a security hole that is created in a software system by one of its programmers.


Backdoors

A backdoor, which is also sometimes called a trapdoor, is a hidden feature or command in a program that allows a user to perform actions he or she would not normally be allowed to do.

When used in a normal way, this program performs completely as expected and advertised.

But if the hidden feature is activated, the program does something unexpected, often in violation of security policies, such as performing a privilege escalation.

Benign example: Easter Eggs in DVDs and software


Logic Bombs

A logic bomb is a program that performs a malicious action as a result of a certain logic condition.

The classic example of a logic bomb is a programmer coding up the software for the payroll system who puts in code that makes the program crash should it ever process two consecutive payrolls without paying him.

Another classic example combines a logic bomb with a backdoor, where a programmer puts in a logic bomb that will crash the program on a certain date.


The Omega Engineering Logic Bomb

An example of a logic bomb that was actually triggered and caused damage is one that programmer Tim Lloyd was convicted of using on his former employer, Omega Engineering Corporation. On July 31, 1996, a logic bomb was triggered on the server for Omega Engineering’s manufacturing operations, which ultimately cost the company millions of dollars in damages and led to it laying off many of its employees.


The Omega Bomb Code

The Logic Behind the Omega Engineering Time Bomb included the following strings:

7/30/96
    Event that triggered the bomb

F:
    Focused attention to volume F, which had critical files

F:\LOGIN\LOGIN 12345
    Login a fictitious user, 12345 (the back door)

CD \PUBLIC
    Moves to the public folder of programs

FIX.EXE /Y F:\*.*
    Run a program, called FIX, which actually deletes everything

PURGE F:\/ALL
    Prevent recovery of the deleted files


Defenses against Insider Attacks

Avoid single points of failure.

Use code walk-throughs.

Use archiving and reporting tools.

Limit authority and permissions.

Physically secure critical systems.

Monitor employee behavior.

Control software installations.


Computer Viruses

A computer virus is computer code that can replicate itself by modifying other files or programs to insert code that is capable of further replication.

This self-replication property is what distinguishes computer viruses from other kinds of malware, such as logic bombs.

Another distinguishing property of a virus is that replication requires some type of user assistance, such as clicking on an email attachment or sharing a USB drive.


Biological Analogy

Computer viruses share some properties with biological viruses

[Figure: stages of a biological virus: Attack, Penetration, Replication and assembly, Release]

Early History

1972 sci-fi novel “When HARLIE Was One” features a program called VIRUS that reproduces itself

First academic use of term virus by PhD student Fred Cohen in 1984, who credits advisor Len Adleman with coining it

In 1982, high-school student Rich Skrenta wrote first virus released in the wild: Elk Cloner, a boot sector virus

(c)Brain, by Basit and Amjad Farooq Alvi in 1986, credited with being the first virus to infect PCs


Much of the macro classification carries over from viruses. Worms based on macro capabilities of programs are programmed in much the same way as viruses, with minor differences

Primary classification has often been based on a worm relying on e-mail or IRC, ICQ, AIM.

Through much of the mid-90s IRC was a popular target, and worms were often combined with Trojans to allow for remotely controlling systems

Examples include IRC.Worm.Ceyda and IRC.Worm.Whacked, the latter of which is also a Trojan

Simultaneously with a growth in instant messaging, popular IM clients have been targeted by worms

There are known worms targeting AIM (W32.AimVen.Worm), MSN (W32.Kelvir and variants), ICQ (W32.Bizex), Yahoo Messenger (W32.Hawawi) and pretty much every other popular IM network

P2P networks have been targeted of late, with W32.Hawawi and others spreading through Kazaa

E-mail, exploited indirectly by the Morris Worm, continues to be a popular propagation method, with worms like W97M.Melissa and W32.Navidad relying on MAPI to provide them with an easy way to e-mail themselves out.


Virus Phases

Dormant phase. During this phase, the virus just exists: it is lying low and avoiding detection.

Propagation phase. During this phase, the virus is replicating itself, infecting new files on new systems.

Triggering phase. In this phase, some logical condition causes the virus to move from a dormant or propagation phase to perform its intended action.

Action phase. In this phase, the virus performs the malicious action that it was designed to perform, called the payload.

This action could include something seemingly innocent, like displaying a silly picture on a computer’s screen, or something quite malicious, such as deleting all essential files on the hard drive.


Infection Types

Overwriting

Destroys original code

Pre-pending

Keeps original code, possibly compressed

Infection of libraries

Allows virus to be memory resident

E.g., kernel32.dll

Macro viruses

Infects MS Office documents

Often installs in main document template

[Figure: infected file made up of the virus and the compressed original code]

Resident viruses continue running after executing the infected file

Modified system calls

Modified DLLs

Non-resident viruses

Resident viruses are more common than non-resident viruses, and essentially latch onto system calls, DLLs and the like, and stay resident, affecting every program run subsequent to them being introduced into memory.

Non-resident viruses are executed every time an infected file is executed

All Windows DLLs have an export table listing the functions provided and their addresses

A virus can hook onto a DLL

Fairly easy for viruses using DLLs to get memory resident

kernel32.dll is a collection of core Windows API calls (system calls) that is imported by most applications

Most viruses relying on patching DLLs usually attack kernel32.dll

For instance W32.Kriz will attack any PE executable, and also kernel32.dll to get a hook on system calls

Hooking system calls may be done by legitimate programs, such as Regmon (a registry monitoring utility)

Viruses hook onto DLLs by either changing their exported symbol table, so as to call malicious code, or by adding malicious code to the DLL.


Degrees of Complication

Viruses have various degrees of complication in how they can insert themselves in computer code.


Concealment

Encrypted virus

Decryption engine + encrypted body

Randomly generate encryption key

Detection looks for decryption engine

Polymorphic virus

Encrypted virus with random variations of the decryption engine (e.g., padding code)

Detection using CPU emulator

Metamorphic virus

Different virus bodies

Approaches include code permutation and instruction replacement

Challenging to detect


Computer Worms

A computer worm is a malware program that spreads copies of itself without the need to inject itself in other programs, and usually without human interaction.

Thus, computer worms are technically not computer viruses (since they don’t infect other programs), but some people nevertheless confuse the terms, since both spread by self-replication.

In most cases, a computer worm will carry a malicious payload, such as deleting files or installing a backdoor.


Early History

First worms built in the labs of John Shoch and Jon Hupp at Xerox PARC in the early 80s

CHRISTMA EXEC written in REXX, released in December 1987, and targeting IBM VM/CMS systems was the first worm to use e-mail service

The first internet worm was the Morris Worm, written by Cornell student Robert Tappan Morris and released on November 2, 1988


Worm Development

Identify vulnerability still unpatched

Write code for

Exploit of vulnerability

Generation of target list

Random hosts on the internet

Hosts on LAN

Divide-and-conquer

Installation and execution of payload

Querying/reporting if a host is infected

Initial deployment on botnet

Worm template

Generate target list

For each host on target list

Check if infected

Check if vulnerable

Infect

Recur

Distributed graph search algorithm

Forward edges: infection

Back edges: already infected or not vulnerable


Worm Propagation

Worms propagate by finding and infecting vulnerable hosts.

They need a way to tell if a host is vulnerable

They need a way to tell if a host is already infected.

[Figure: propagation starting from an initial infection]

Propagation: Theory

Classic epidemic model

N: total number of vulnerable hosts

I(t): number of infected hosts at time t

S(t): number of susceptible hosts at time t

I(t) + S(t) = N

b: infection rate

Differential equation for I(t):

dI/dt = bI(t) S(t)

More accurate models adjust propagation rate over time
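The classic model above solved in closed form, as an added derivation that is not part of the original slides. It assumes an initial number of infected hosts $I_0 = I(0)$, a symbol the slides do not define, and substitutes $S(t) = N - I(t)$:

\[
\frac{dI}{dt} = b\,I(t)\,\bigl(N - I(t)\bigr)
\quad\Longrightarrow\quad
I(t) = \frac{N\,I_0}{I_0 + (N - I_0)\,e^{-bNt}}
\]

While $I(t) \ll N$ this behaves like $I_0\,e^{bNt}$ (exponential growth), and it saturates at $N$ as the susceptible hosts run out, giving an S-shaped curve. Half of the vulnerable hosts are infected at

\[
t_{1/2} = \frac{1}{bN}\,\ln\frac{N - I_0}{I_0}
\]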


Source:

Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao. The Monitoring and Early Detection of Internet Worms, IEEE/ACM Transactions on Networking, 2005.

Propagation: Practice

Cumulative total of unique IP addresses infected by the first outbreak of Code-RedI v2 on July 19-20, 2001


Source:

David Moore, Colleen Shannon, and Jeffery Brown. Code-Red: a case study on the spread and victims of an Internet worm, CAIDA, 2002

Trojan Horses

A Trojan horse (or Trojan) is a malware program that appears to perform some useful task, but which also does something with negative consequences (e.g., launches a keylogger).

Trojan horses can be installed as part of the payload of other malware but are often installed by a user or administrator, either deliberately or accidentally.


Current Trends

Trojans currently have largest infection potential

Often exploit browser vulnerabilities

Typically used to download other malware in multi-stage attacks


Source:

Symantec Internet Security Threat Report, April 2009

Rootkits

A rootkit modifies the operating system to hide its existence

E.g., modifies file system exploration utilities

Hard to detect using software that relies on the OS itself

RootkitRevealer

By Bryce Cogswell and Mark Russinovich (Sysinternals)

Two scans of file system

High-level scan using the Windows API

Raw scan using disk access methods

Discrepancy reveals presence of rootkit

Could be defeated by rootkit that intercepts and modifies results of raw scan operations


Malware Zombies

Malware can turn a computer into a zombie, which is a machine that is controlled externally to perform malicious attacks, usually as a part of a botnet.

[Figure: Botnet. The Botnet Controller (Attacker) sends Attack Commands to the botnet, which carries out Attack Actions against the Victim]

Financial Impact

Malware often affects a large user population

Significant financial impact, though estimates vary widely, up to $100B per year (mi2g)

Examples

LoveBug (2000) caused $8.75B in damages and shut down the British parliament

In 2004, 8% of emails infected by W32/MyDoom.A at its peak

In February 2006, the Russian Stock Exchange was taken down by a virus.


Economics of Malware

New malware threats have grown from 20K to 1.7M in the period 2002-2008

Most of the growth has been from 2006 to 2008

Number of new threats per year appears to be growing at an exponential rate.

Professional Malware

Growth in professional cybercrime and online fraud has led to demand for professionally developed malware

New malware is often a custom-designed variation of known exploits, so the malware designer can sell different “products” to his/her customers.

Like every product, professional malware is subject to the laws of supply and demand.

Recent studies put the price of a software keystroke logger at $23 and a botnet use at $225.

Image by User:SilverStar from http://commons.wikimedia.org/wiki/File:Supply-demand-equilibrium.svg, used by permission under the Creative Commons Attribution ShareAlike 3.0 License

Adware

Adware workflow (diagram labels: Adware software payload, Computer user, Adware agent, Advertisers):

Adware engine infects a user’s computer

Adware engine requests advertisements from adware agent

Advertisers contract with adware agent for content

Adware agent delivers ad content to user

Spyware

Spyware workflow (diagram labels: Spyware software payload, Computer user, Spyware data collection agent):

1. Spyware engine infects a user’s computer.

2. Spyware process collects keystrokes, passwords, and screen captures.

3. Spyware process periodically sends collected data to spyware data collection agent.

Signatures: A Malware Countermeasure

Scanners compare the analyzed object with a database of signatures

A signature is a virus fingerprint

E.g., a string with a sequence of instructions specific to each virus

Different from a digital signature

A file is infected if there is a signature inside its code

Fast pattern matching techniques to search for signatures

All the signatures together form the malware database, which is usually proprietary

Signatures Database

Common Malware Enumeration (CME)

aims to provide unique, common identifiers to new virus threats

Hosted by MITRE

http://cme.mitre.org/data/list.html

Digital Immune System (DIS)

Automatically creates new signatures

While not completely standardized, virus naming follows a fairly standard convention

Viruses often have multiple names in standard usage, and names reported often depend on the detection software used.

Commonly used prefixes include:

@m: Worms or viruses propagating by e-mail

@mm: Mass mailer worms or viruses

Dr: Dropper programs

Family: A virus which shares characteristics with other viruses in a family

Gen: Similar to family

Int: An intended virus, a virus which failed

Worm: Sometimes used to indicate worms

White/Black Listing

Maintain database of cryptographic hashes for

Operating system files

Popular applications

Known infected files

Compute hash of each file

Look up into database

Needs to protect the integrity of the database
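The lookup and the database-integrity requirement from this slide, as an added example that is not part of the original slides. The file contents, the key, and the choice of HMAC-SHA256 as the integrity mechanism are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample file contents; a real scanner hashes files read from disk.
SYSTEM_FILE = b"constructed stand-in for an operating system binary"
INFECTED_FILE = b"constructed stand-in for a known infected file"


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash used as the database key for a file."""
    return hashlib.sha256(data).hexdigest()


def seal_database(entries: dict, key: bytes) -> dict:
    """Serialize the hash database and attach an HMAC-SHA256 tag over it."""
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_database(sealed: dict, key: bytes) -> dict:
    """Return the entries only if the tag verifies; refuse a modified database."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("hash database failed its integrity check")
    return json.loads(sealed["body"])


def classify(data: bytes, entries: dict) -> str:
    """Compute the file's hash and look it up in the database."""
    return entries.get(sha256_hex(data), "unknown")


def build_sample_database(key: bytes) -> dict:
    """Constructed database: one whitelisted and one blacklisted hash."""
    entries = {
        sha256_hex(SYSTEM_FILE): "whitelisted",
        sha256_hex(INFECTED_FILE): "blacklisted",
    }
    return seal_database(entries, key)


def tamper(sealed: dict) -> dict:
    """Simulate a database rewritten so a blacklisted hash looks trusted."""
    return {"body": sealed["body"].replace("blacklisted", "whitelisted"),
            "tag": sealed["tag"]}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: stored where malware cannot read it
    db = open_database(build_sample_database(key), key)
    print(classify(SYSTEM_FILE, db), classify(INFECTED_FILE, db))
    # A one-byte change produces a different hash, so the file is simply unknown.
    print(classify(INFECTED_FILE + b"\x00", db))
```

The last lookup shows the limit of hash lists: any change to a file moves it out of both lists, which is why they are combined with signatures and heuristics.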

Heuristic Analysis

Useful to identify new and “zero day” malware

Code analysis

Based on the instructions, the antivirus can determine whether or not the program is malicious, e.g., the program contains instructions to delete system files

Execution emulation

Run code in isolated emulation environment

Monitor actions that target file takes

If the actions are harmful, mark as virus

Heuristic methods can trigger false alarms

Shield vs. On-demand

Shield

Background process (service/daemon)

Scans each time a file is touched (open, copy, execute, etc.)

On-demand

Scan on explicit user request or according to regular schedule

On a suspicious file, directory, drive, etc.

Performance test of scan techniques

Comparative: check the number of already known viruses that are found and the time to perform the scan

Retrospective: test the proactive detection of the scanner for unknown viruses, to verify which vendor uses better heuristics

Anti-viruses are ranked using both parameters:

http://www.av-comparatives.org/

Online vs Offline Anti Virus Software

Online

Free browser plug-in

Authentication through third-party certificate (e.g., VeriSign)

No shielding

Software and signatures update at each scan

Poorly configurable

Scan needs internet connection

Report collected by the company that offers the service

Offline

Paid annual subscription

Installed on the OS

Software distributed securely by the vendor online or a retailer

System shielding

Scheduled software and signatures updates

Easily configurable

Scan without internet connection

Report collected locally and may be sent to vendor

Quarantine

A suspicious file can be isolated in a folder called quarantine:

E.g., if the result of the heuristic analysis is positive and you are waiting for a signature database update

The suspicious file is not deleted but made harmless: the user can decide when to remove it, or restore it in case of a false positive

Interacting with a file in quarantine is possible only through the antivirus program

The file in quarantine is harmless because it is encrypted

Usually the quarantine technique is proprietary and the details are kept secret

Static vs. Dynamic Analysis

Static Analysis

Checks the code without trying to execute it

Quick scan in white list

Filtering: scan with different antivirus and check if they return same result with different name

Weeding: remove the correct part of files as junk to better identify the virus

Code analysis: check binary code to understand if it is an executable, e.g., PE

Disassembling: check if the byte code shows something unusual

Dynamic Analysis

Checks the execution of code inside a virtual sandbox

Monitor

File changes

Registry changes

Processes and threads

Network ports

Virus Detection is Undecidable

Theoretical result by Fred Cohen (1987)

Virus abstractly modeled as program that eventually executes infect

Code for infect may be generated at runtime

Proof by contradiction similar to that of the halting problem

Suppose program isVirus(P) determines whether program P is a virus

Define new program Q as follows:

    if (not isVirus(Q))
        infect
    stop

Running isVirus on Q achieves a contradiction

Theoretically a class of viruses can be found for which there is no minimal detection algorithm

Can thus prove inability to find a perfect virus scanning algorithm and hence a perfect virus scanner

The signatures are behavioral signatures, changing registers, accessing certain memory locations

Signatures are expensive to generate, but cheap to compare against and distinguish between normal computer behavior and abnormal behavior

Virus detection technologies:

Activity monitors rely on monitoring current system activity, help in detecting malware by monitoring specific memory or service access

Signature scanners broadly check files and memory for known virus signatures

File authentication methods rely on authenticating files to make sure they are not really infected by viruses

Other Undecidable Detection Problems

Detection of a virus

by its appearance

by its behavior

Detection of an evolution of a known virus

Detection of a triggering mechanism

by its appearance

by its behavior

Detection of a virus detector

by its appearance

by its behavior

Detection of an evolution of

a known virus

a known triggering mechanism

a virus detector

Resources

Computer Emergency Response Team

Research center funded by the US federal government

Vulnerabilities database

Symantec

Reports on malware trends

Database of malware

Art of Computer Virus Research and Defense by Peter Szor

Chart data: Impact by year (Source: Computer Economics)

Year  Impact (USD)  Impact (USD billions)
1997  3300000000    3.3
1998  6100000000    6.1
1999  13000000000   13
2000  17100000000   17.1
2001  13200000000   13.2
2002  11100000000   11.1
2003  13000000000   13
2004  17500000000   17.5
2005  14200000000   14.2
2006  13300000000   13.3

Ch03-FilesystemSecurity.pptx

Filesystem Security

General Principles

Files and folders are managed by the operating system

Applications, including shells, access files through an API

Access control entry (ACE)

Allow/deny a certain type of access to a file/folder by user/group

Access control list (ACL)

Collection of ACEs for a file/folder

A file handle provides an opaque identifier for a file/folder

File operations

Open file: returns file handle

Read/write/execute file

Close file: invalidates file handle

Hierarchical file organization

Tree (Windows)

DAG (Linux)

Discretionary Access Control (DAC)

Users can protect what they own

The owner may grant access to others

The owner may define the type of access (read/write/execute) given to others

DAC is the standard model used in operating systems

Mandatory Access Control (MAC)

Alternative model not covered in this lecture

Multiple levels of security for users and documents

Read down and write up principles

DAC review

Closed vs. Open Policy

Closed policy

Also called “default secure”

Give Tom read access to “foo”

Give Bob r/w access to “bar”

Tom: I would like to read “foo”

Access allowed

Tom: I would like to read “bar”

Access denied

Open Policy

Deny Tom read access to “foo”

Deny Bob r/w access to “bar”

Tom: I would like to read “foo”

Access denied

Tom: I would like to read “bar”

Access allowed

Default secure

Closed Policy with Negative Authorizations and Deny Priority

Give Tom r/w access to “bar”

Deny Tom write access to “bar”

Tom: I would like to read “bar”

Access allowed

Tom: I would like to write “bar”

Access denied

Policy is used by Windows to manage access control to the file system

Access Control Entries and Lists

An Access Control List (ACL) for a resource (e.g., a file or folder) is a sorted list of zero or more Access Control Entries (ACEs)

An ACE specifies that a certain set of accesses (e.g., read, execute and write) to the resource is allowed or denied for a user or group

Examples of ACEs for folder “Bob’s CS167 Grades”

Bob; Read; Allow

TAs; Read; Allow

TWD; Read, Write; Allow

Bob; Write; Deny

TAs; Write; Allow

Linux vs. Windows

Linux

Allow-only ACEs

Access to file depends on ACL of file and of all its ancestor folders

Start at root of file system

Traverse path of folders

Each folder must have execute (cd) permission

Different paths to same file not equivalent

File’s ACL must allow requested access

Windows

Allow and deny ACEs

By default, deny ACEs precede allow ones

Access to file depends only on file’s ACL

ACLs of ancestors ignored when access is requested

Permissions set on a folder usually propagated to descendants (inheritance)

System keeps track of inherited ACE’s

Linux File Access Control

File Access Control for:

Files

Directories

Therefore…

/dev/ : devices

/mnt/ : mounted file systems

What else? Sockets, pipes, symbolic links…

Because of the way devices and mounted file systems are represented in Linux as part of the file system, they are also covered by the same access control scheme as normal files.

Linux File System

Tree of directories (folders)

Each directory has links to zero or more files or directories

Hard link

From a directory to a file

The same file can have hard links from multiple directories, each with its own filename, but all sharing owner, group, and permissions

File deleted when no more hard links to it

Symbolic link (symlink)

From a directory to a target file or directory

Stores path to target, which is traversed for each access

The same file or directory can have multiple symlinks to it

Removal of symlink does not affect target

Removal of target invalidates (but not removes) symlinks to it

Analogue of Windows shortcut or Mac OS alias

Unix Permissions

Standard for all UNIXes

Every file is owned by a user and has an associated group

Permissions often displayed in compact 10-character notation

To see permissions, use ls -l

jk@sphere:~/test$ ls -l

total 0

-rw-r----- 1 jk ugrad 0 2005-10-13 07:18 file1

-rwxrwxrwx 1 jk ugrad 0 2005-10-13 07:18 file2

Permissions Examples (Regular Files)

-rwxrwxrwx: read/write/execute to everyone

-r--r--r--: read-only to everyone, including owner

-rwx------: read/write/execute for owner, forbidden to everyone else

-rw-r-----: read/write for owner, read-only for group, forbidden to others

-rw-r--r--: read/write for owner, read-only for everyone else

Permissions for Directories

Permissions bits interpreted differently for directories

Read bit allows listing names of files in directory, but not their properties like size and permissions

Write bit allows creating and deleting files within the directory

Execute bit allows entering the directory and getting properties of files in the directory

Lines for directories in ls -l output begin with d, as below:

jk@sphere:~/test$ ls -l

total 4

drwxr-xr-x 2 jk ugrad 4096 2005-10-13 07:37 dir1

-rw-r--r-- 1 jk ugrad 0 2005-10-13 07:18 file1

Permissions Examples (Directories)

drwxrwxrwx: full access to everyone

drwx--x---: full access to owner, group can access known filenames in directory, forbidden to others

drwxrwx---: full access to owner and group, forbidden to others

drwxr-xr-x: all can enter and list the directory, only owner can add/delete files

File Sharing Challenge

Creating and modifying groups requires root

Given a directory with permissions drwx-----x and a file in it

Give permission to write the file to user1, user2, user3, … without creating a new group

Selectively revoke a user

Solution 1

Give file write permission for everyone

Create different random hard links: user1-23421, user2-56784, …

Problem! Selectively removing access: hard link can be copied

Solution 2

Create random symbolic links

Problem! Symbolic link tells where it points

Creating and adding users to groups in Linux requires root. Thus, groups, in a sense, are not “dynamic.” The example on this slide hints at a problem with this permission system: it is difficult to manage by-user access to files.

Working Graphically with Permissions

Several Linux GUIs exist for displaying and changing permissions

In KDE’s file manager Konqueror, right-click on a file and choose Properties, and click on the Permissions tab:

Changes can be made here (more about changes later)

Special Permission Bits

Three other permission bits exist

Set-user-ID (“suid” or “setuid”) bit

Set-group-ID (“sgid” or “setgid”) bit

Sticky bit

Set-user-ID

Set-user-ID (“suid” or “setuid”) bit

On executable files, causes the program to run as file owner regardless of who runs it

Ignored for everything else

In 10-character display, replaces the 4th character (x or -) with s (or S if not also executable)

-rwsr-xr-x: setuid, executable by all

-rwxr-xr-x: executable by all, but not setuid

-rwSr--r--: setuid, but not executable - not useful

Set-group-ID

Set-group-ID (“sgid” or “setgid”) bit

On executable files, causes the program to run with the file’s group, regardless of whether the user who runs it is in that group

On directories, causes files created within the directory to have the same group as the directory, useful for directories shared by multiple users with different default groups

Ignored for everything else

In 10-character display, replaces 7th character (x or -) with s (or S if not also executable)

-rwxr-sr-x: setgid file, executable by all

drwxrwsr-x: setgid directory; files within will have group of directory

-rw-r-Sr--: setgid file, but not executable - not useful

The setgid bit is used by many games. The executable files are in group games and are setgid. No users are in group games, but the high-score files are. Being setgid games allows games to update high scores!

Sticky Bit

On directories, prevents users from deleting or renaming files they do not own

Ignored for everything else

In 10-character display, replaces 10th character (x or -) with t (or T if not also executable)

drwxrwxrwt: sticky bit set, full access for everyone

drwxrwx--T: sticky bit set, full access by user/group

drwxr--r-T: sticky, full owner access, others can read (useless)

Working Graphically with Special Bits

Special permission bits can also be displayed and changed through a GUI

In Konqueror’s Permissions window, click Advanced Permissions:

Changes can be made here (more about changes later)

Root

“root” account is a super-user account, like Administrator on Windows

Multiple roots possible

File permissions do not restrict root

This is dangerous, but necessary, and OK with good practices

There can be multiple root accounts, but root is the conventional name. Any account with user ID 0 has root powers. This is like the Windows Administrators group. As the system administrator, root can change any file’s owner, group, or permissions, or delete the file, regardless of who owns it or its permissions. This is clearly dangerous, but necessary, and in practice can be secure. Choosing a good root password is very important, as well as minimizing programs and commands which are run as root. Finally, root is the entity charged with making sure that permissions allow no other users to disrupt the system (accidentally or intentionally), but there is nobody doing oversight on root. Thus, it is wise to think twice before doing anything as root, to guard against mistakes.

Becoming Root

su

Changes home directory, PATH, and shell to that of root, but doesn’t touch most of environment and doesn’t run login scripts

su -

Logs in as root just as if root had done so normally

sudo <command>

Run just one command as root

su [-] <user>

Become another non-root user

Root is not required to enter a password

To become root, type su or su - and put in the root password when prompted. Sudo functions similarly, but only for the duration of one command.

Changing Permissions

Permissions are changed with chmod or through a GUI like Konqueror

Only the file owner or root can change permissions

If a user owns a file, the user can use chgrp to set its group to any group of which the user is a member

root can change file ownership with chown (and can optionally change group in the same command)

chown, chmod, and chgrp can take the -R option to recur through subdirectories

Examples of Changing Permissions

chmod u+s file1: Sets the setuid bit on file1. (Doesn’t change execute bit.)

chgrp testgrp file1: Sets file1’s group to testgrp, if the user is a member of that group

chmod -R g=rwX dir1: Adds group read/write permission to dir1 and everything within it, and group execute permission on files or directories where someone has execute permission

chmod g+w,o-rwx file1 file2: Adds group write permission to file1 and file2, denying all access to others

chown -R root dir1: Changes ownership of dir1 and everything within it to root

Octal Notation

Previous slide’s syntax is nice for simple cases, but bad for complex changes

Alternative is octal notation, i.e., three or four digits from 0 to 7

Digits from left (most significant) to right (least significant): [special bits][user bits][group bits][other bits]

Special bit digit = (4 if setuid) + (2 if setgid) + (1 if sticky)

All other digits = (4 if readable) + (2 if writable) + (1 if executable)

Octal Notation Examples

777 or 0777: read/write/execute to everyone (dangerous!)

1777: same as 777, plus sticky bit

2775: same as 775, plus setgid (useful for directories)

640 or 0640: read/write for owner, read-only for group, forbidden to others

775 or 0775: read/write/execute for owner and group, read/execute for others

644 or 0644: read/write for owner, read-only for everyone else
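An added example, not part of the original slides: conversion between the octal notation and the 10-character display described above, including the setuid, setgid and sticky bits, plus a small audit of modes the slides call dangerous or not useful. The function names and the audit wording are assumptions made for illustration.

```python
# (special-bit mask, letter shown in the execute position) for user, group, other
SPECIAL = [(0o4000, "s"), (0o2000, "s"), (0o1000, "t")]


def mode_to_string(mode: int, is_dir: bool = False) -> str:
    """Render an octal mode such as 0o2775 in the 10-character ls -l form."""
    out = ["d" if is_dir else "-"]
    for i, (flag, letter) in enumerate(SPECIAL):
        bits = (mode >> (6 - 3 * i)) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & flag:
            # lower case if also executable, upper case if not
            out.append(letter if bits & 1 else letter.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def string_to_mode(text: str) -> int:
    """Parse a 10-character permission string back into its octal mode."""
    if len(text) != 10:
        raise ValueError("expected 10 characters, e.g. -rw-r--r--")
    mode = 0
    for i, (flag, letter) in enumerate(SPECIAL):
        r, w, x = text[1 + 3 * i: 4 + 3 * i]
        if r not in "r-" or w not in "w-" or x not in "x-" + letter + letter.upper():
            raise ValueError(f"bad permission characters in {text!r}")
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in ("x", letter):
            bits |= 1
        if x in (letter, letter.upper()):
            mode |= flag
        mode |= bits << (6 - 3 * i)
    return mode


def audit(mode: int, is_dir: bool = False) -> list:
    """Flag modes that deserve a second look during a permissions review."""
    findings = []
    # World-writable is expected only on sticky directories such as 1777.
    if mode & 0o002 and not (is_dir and mode & 0o1000):
        findings.append("world-writable")
    if not is_dir and mode & 0o4000:
        findings.append("setuid" if mode & 0o100 else "setuid without owner execute")
    if not is_dir and mode & 0o2000:
        findings.append("setgid" if mode & 0o010 else "setgid without group execute")
    return findings


if __name__ == "__main__":
    for mode, is_dir in [(0o777, False), (0o1777, True), (0o2775, True), (0o4755, False)]:
        print(oct(mode), mode_to_string(mode, is_dir), audit(mode, is_dir))
```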

Limitations of Unix Permissions

Unix permissions are not perfect

Groups are restrictive

Limitations on file creation

Linux optionally uses POSIX ACLs

Builds on top of traditional Unix permissions

Several users and groups can be named in ACLs, each with different permissions

Allows for finer-grained access control

Each ACL is of the form type:[name]:rwx

Setuid, setgid, and sticky bits are outside the ACL system

Unix permissions are not perfect. There is, for instance, no way to have specific permissions for two or three users, groups, etc. There is also limited ability to set permissions on newly created files, and non-root users cannot create groups and may only use the groups provided by root. At some risk of giving away the next slide, an optional solution is provided in POSIX ACLs.

Linux supports Access Control Lists (ACLs) specified by a POSIX draft standard, which works with Linux filesystems such as Ext2, Ext3, XFS, JFS, and ReiserFS. ACLs build on top of traditional Unix permissions, which still work, but allow for finer-grained access control. Several users and groups can be named in ACLs, each with different permissions. POSIX ACLs also permit default ACLs for new files within directories.

Minimal ACLs

In a file with minimal ACLs, name does not appear, and the ACLs with type “user” and “group” correspond to Unix user and group permissions, respectively.

When name is omitted from a “user” type ACL entry, it applies to the file owner.

ACL Commands

ACLs are read with the getfacl command and set with the setfacl command.

Changing the ACLs corresponding to Unix permissions shows up in ls -l output, and changing the Unix permissions with chmod changes those ACLs.

Example of getfacl:

jimmy@techhouse:~/test$ ls -l

total 4

drwxr-x--- 2 jimmy jimmy 4096 2005-12-02 04:13 dir

jimmy@techhouse:~/test$ getfacl dir

# file: dir

# owner: jimmy

# group: jimmy

user::rwx

group::r-x

other::---

More ACL Command Examples

jimmy@techhouse:~/test$ setfacl -m group::rwx dir

jimmy@techhouse:~/test$ ls -l

total 4

drwxrwx--- 2 jimmy jimmy 4096 2005-12-02 04:13 dir

jimmy@techhouse:~/test$ chmod 755 dir

jimmy@techhouse:~/test$ getfacl dir

# file: dir

# owner: jimmy

# group: jimmy

user::rwx

group::r-x

other::r-x

Note that in the first example, the setfacl command changed the permissions just like chmod would. In the second, chmod's permissions change is reflected in the getfacl output.

Extended ACLs

ACLs that say more than Unix permissions are extended ACLs

Specific users and groups can be named and given permissions via ACLs, which fall under the group class (even for ACLs naming users and not groups)

With extended ACLs, mapping to and from Unix permissions is a bit complicated.

User and other classes map directly to the corresponding Unix permission bits

Group class contains named users and groups as well as owning group permissions. How to map?

Mask-type ACLs

Unix group permissions now map to an ACL of type “mask”, which is an upper bound on permissions for all group class ACLs.

All group class ACLs are logically and-ed with the mask before taking effect

rw---xrw- & r-x--x--- = r----x---

The ACL of type “group” with no name still refers to the Unix owning group

Mask ACLs are created automatically with the necessary bits such that they do not restrict the other ACLs at all, but this can be changed

Extended ACL Example

jimmy@techhouse:~/test$ ls -l

total 4

drwxr-xr-x 2 jimmy jimmy 4096 2005-12-02 04:13 dir

jimmy@techhouse:~/test$ setfacl -m user:joe:rwx dir

jimmy@techhouse:~/test$ getfacl dir

# file: dir

# owner: jimmy

# group: jimmy

user::rwx

user:joe:rwx

group::r-x

mask::rwx

other::r-x

jimmy@techhouse:~/test$ ls -l

total 8

drwxrwxr-x+ 2 jimmy jimmy 4096 2005-12-02 04:13 dir

Extended ACL Example Explained

The preceding slide grants the named user joe read, write, and execute access to dir.

dir now has extended rather than minimal ACLs.

The mask is set to rwx, the union of the two group class ACLs (named user joe and the owning group).

In ls -l output, the group permission bits show the mask, not the owning group ACL

Effective owning group permissions are the logical and of the owning group ACL and the mask, which still equals r-x.

This could reduce the effective owning group permissions if the mask is changed to be more restrictive.

The + in the ls -l output after the permission bits indicates that there are extended ACLs, which can be viewed with getfacl.

Default ACLs

The kind of ACLs we've mentioned so far are access ACLs.

A directory can have an additional set of ACLs, called default ACLs, which are inherited by files and subdirectories created within that directory.

Subdirectories inherit the parent directory's default ACLs as both their default and their access ACLs.

Files inherit the parent directory's default ACLs only as their access ACLs, since they have no default ACLs.

The inherited permissions for the user, group, and other classes are logically and-ed with the traditional Unix permissions specified to the file creation procedure.

Default ACL Example

jimmy@techhouse:~/test$ setfacl -d -m group:webmaster:rwx dir

jimmy@techhouse:~/test$ getfacl dir

# file: dir

# owner: jimmy

# group: jimmy

user::rwx

user:joe:rwx

group::r-x

mask::rwx

other::r-x

default:user::rwx

default:group::r-x

default:group:webmaster:rwx

default:mask::rwx

default:other::r-x

Note how this starts the default ACLs out as equal to the existing access ACLs plus the specified changes.

Default ACL Example Continued

jimmy@techhouse:~/test$ mkdir dir/subdir

jimmy@techhouse:~/test$ getfacl dir/subdir

# file: dir/subdir

# owner: jimmy

# group: jimmy

user::rwx

group::r-x

group:webmaster:rwx

mask::rwx

other::r-x

default:user::rwx

default:group::r-x

default:group:webmaster:rwx

default:mask::rwx

default:other::r-x

The default ACLs from the parent directory are both the access and default ACLs for this directory. Group webmaster has full access.

Default ACL Example Continued

jimmy@techhouse:~/test$ touch dir/file

jimmy@techhouse:~/test$ ls -l dir/file

-rw-rw-r--+ 1 jimmy jimmy 0 2005-12-02 11:36 dir/file

jimmy@techhouse:~/test$ getfacl dir/file

# file: dir/file

# owner: jimmy

# group: jimmy

user::rw-

group::r-x #effective:r--

group:webmaster:rwx #effective:rw-

mask::rw-

other::r--

The default ACLs from the parent directory are the basis for the access ACLs on this file, but since touch creates files without any execute bit set, the user and other classes, and the group class as well via the mask ACL, have their execute bits removed to match.
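An added example, not part of the original slides: a parser for getfacl output that applies the mask to the group class, reproduces the ls -l permission bits, and answers access requests. The two sample ACLs are the getfacl listings for dir and dir/file shown earlier; the access-check order (owner, named user, groups, other) follows the POSIX ACL draft and goes beyond what the slides spell out, and all function names are assumptions.

```python
DIR_ACL = """\
# file: dir
# owner: jimmy
# group: jimmy
user::rwx
user:joe:rwx
group::r-x
mask::rwx
other::r-x
"""

FILE_ACL = """\
# file: dir/file
# owner: jimmy
# group: jimmy
user::rw-
group::r-x #effective:r--
group:webmaster:rwx #effective:rw-
mask::rw-
other::r--
"""


def to_bits(perms):
    return (4 if perms[0] == "r" else 0) | (2 if perms[1] == "w" else 0) | (1 if perms[2] == "x" else 0)


def to_str(bits):
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def parse_getfacl(text):
    """Return (header fields, access ACL entries); default ACL entries are skipped."""
    meta, entries = {}, []
    for raw in text.splitlines():
        if raw.startswith("# ") and ": " in raw:
            key, value = raw[2:].split(": ", 1)
            meta[key] = value
            continue
        line = raw.split("#", 1)[0].strip()  # drop trailing #effective comments
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, to_bits(perms)))
    return meta, entries


def mask_of(entries):
    return next((bits for tag, _, bits in entries if tag == "mask"), None)


def effective(text):
    """Map 'tag:qualifier' to effective permissions after and-ing with the mask."""
    _, entries = parse_getfacl(text)
    mask = mask_of(entries)
    result = {}
    for tag, qualifier, bits in entries:
        if tag == "mask":
            continue
        # Group class: owning group, named groups and named users.
        group_class = tag == "group" or (tag == "user" and qualifier != "")
        if group_class and mask is not None:
            bits &= mask
        result[f"{tag}:{qualifier}"] = to_str(bits)
    return result


def ls_bits(text):
    """The nine permission characters ls -l shows: the group triad is the mask."""
    _, entries = parse_getfacl(text)
    by_tag = {(tag, q): bits for tag, q, bits in entries}
    mask = mask_of(entries)
    group = mask if mask is not None else by_tag[("group", "")]
    return to_str(by_tag[("user", "")]) + to_str(group) + to_str(by_tag[("other", "")])


def allowed(text, user, groups, want):
    """Decide a request such as 'rw-' for a user who belongs to the given groups."""
    meta, entries = parse_getfacl(text)
    need = to_bits(want)
    mask = mask_of(entries)
    cap = 7 if mask is None else mask
    by_tag = {(tag, q): bits for tag, q, bits in entries}
    if user == meta["owner"]:
        return (by_tag[("user", "")] & need) == need
    if ("user", user) in by_tag:
        return (by_tag[("user", user)] & cap & need) == need
    matching = [bits for (tag, q), bits in by_tag.items()
                if tag == "group" and (q or meta["group"]) in groups]
    if matching:  # a group match never falls through to "other"
        return any((bits & cap & need) == need for bits in matching)
    return (by_tag[("other", "")] & need) == need
```

Calling effective(FILE_ACL) reproduces the #effective comments in the listing, and tightening the mask in DIR_ACL shows how joe's named-user entry is capped without being edited.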

NTFS Permissions

[Figure: an NTFS partition whose files and folders each carry an ACL; each ACL is made up of ACEs pairing a user or group (User 1, User 2, Group 1) with a permission (Read, Full Control)]

Basic NTFS Permissions

Multiple NTFS permissions

NTFS permissions are cumulative

File permissions override folder permissions

Deny overrides Allow

[Figure: example with User 1, Group A and Group B and permissions on Folder A, File1 and File2. Labels: Read, Write, Read/Write, Write denied]

NTFS: permission inheritance

[Figure: Folder A (Read/Write) and File1, shown twice. Labels: Permission Inheritance, Block of Inheritance, Access allowed for File 1, Access denied for File 1]

NTFS File Permissions

Explicit: set by the owner for each user/group.

Inherited: dynamically inherited from the explicit permissions of ancestor folders.

Effective: obtained by combining the explicit and inherited permission.

Determining effective permissions:

By default, a user/group has no privileges.

Explicit permissions override conflicting inherited permissions.

Denied permissions override conflicting allowed permissions.

Access Control Algorithm

The DACL of a file or folder is a sorted list of ACEs

Local ACEs precede inherited ACEs

ACEs inherited from folder F precede those inherited from parent of F

Among those with same source, Deny ACEs precede Allow ACEs

Algorithm for granting access request (e.g., read and execute):

ACEs in the DACL are examined in order

Does the ACE refer to the user or a group containing the user?

If so, do any of the accesses in the ACE match those of the request?

If so, what type of ACE is it?

Deny: return ACCESS_DENIED

Allow: grant the specified accesses and if there are no remaining accesses to grant, return ACCESS_ALLOWED

If we reach the end of the DACL and there are remaining requested accesses that have not been granted yet, return ACCESS_DENIED
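An added example, not part of the original slides: the DACL ordering rules and the access-granting algorithm above, run on the earlier Tom/"bar" policy and on a constructed case of an explicit allow next to an inherited deny. The ACE class, the depth field, and the "Group A" membership are assumptions made for illustration; this is not the Windows API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    principal: str       # user or group the ACE refers to
    accesses: frozenset  # e.g. frozenset({"read", "write"})
    allow: bool          # True for an Allow ACE, False for a Deny ACE
    depth: int = 0       # 0 = local ACE, 1 = inherited from parent folder, 2 = grandparent, ...


def ace(principal, accesses, allow, depth=0):
    """Build an ACE from a space-separated access list."""
    return ACE(principal, frozenset(accesses.split()), allow, depth)


def canonical_order(aces):
    """Local ACEs first, nearer ancestors before farther ones, Deny before Allow per source."""
    return sorted(aces, key=lambda a: (a.depth, a.allow))


def check_access(dacl, user, groups, requested):
    """Examine ACEs in order and return ACCESS_ALLOWED or ACCESS_DENIED."""
    remaining = set(requested)
    principals = {user} | set(groups)
    for entry in dacl:
        if entry.principal not in principals:
            continue  # ACE does not refer to the user or one of the user's groups
        matched = entry.accesses & remaining
        if not matched:
            continue  # ACE says nothing about accesses still being requested
        if not entry.allow:
            return "ACCESS_DENIED"
        remaining -= matched
        if not remaining:
            return "ACCESS_ALLOWED"
    # End of DACL reached with accesses still ungranted: default is no privileges.
    return "ACCESS_DENIED"


# Policy from the earlier slide: give Tom r/w access to "bar", deny Tom write access.
TOM_BAR = [ace("Tom", "read write", True), ace("Tom", "write", False)]

# Constructed case: User1 is assumed to be in Group A; the file has a local Allow,
# and a Deny for Group A is inherited from the parent folder.
FILE1 = [ace("Group A", "write", False, depth=1), ace("User1", "write", True, depth=0)]

if __name__ == "__main__":
    dacl = canonical_order(TOM_BAR)
    print(check_access(dacl, "Tom", [], {"read"}))    # deny ACE does not match read
    print(check_access(dacl, "Tom", [], {"write"}))   # deny ACE is examined first
    # The local Allow precedes the inherited Deny, so the explicit permission wins.
    print(check_access(canonical_order(FILE1), "User1", ["Group A"], {"write"}))
    # Same ACEs left unsorted: evaluation order, not ACE type alone, decides the result.
    print(check_access(TOM_BAR, "Tom", [], {"write"}))
```

The last call is the reason tools that write DACLs must keep them in the sorted order the slide describes: an Allow placed ahead of a matching Deny grants the access before the Deny is ever examined.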

Example

Customers Group Write Folder1

Marketing Group Read Folder1

Customers Group Read Folder1

Marketing Group Write Folder2

Customers Group Modify Folder1

File2 should only be accessible to Marketing Group, and only for read access

[Figure: NTFS volume with Folder1, Folder2, File1 and File2, and User1, Customers Group and Marketing Group]

NTFS move vs. copy in same volume

If you move a file or a folder inside the same volume, its permissions will be the same as those of the source folder

If you copy a file or a folder inside the same volume, its permissions will be the same as those of the destination folder

[Figure: copy and move operations within the NTFS volume E:\]

NTFS move vs. copy across volumes

If you copy or move a file or a folder across different volumes, its permissions will be the same as those of the destination folder

[Figure: copy and move operations between the NTFS volumes C:\, D:\ and E:\]

Setting File Permissions in Win XP

NTFS permissions in Windows XP Pro are disabled by default.

Using Folder Options… from the Tools menu inside Windows Explorer, it is possible to activate NTFS permissions in Windows by unchecking Use simple file sharing

Here I need to change the images to those from the English version of Windows

Windows Tools

Access control management tools provide detailed information and controls, across multiple dialogs.

Focus on single file/folders.

It is challenging for an inexperienced user, or a system administrator dealing with very large file structures, to gain a global view of permissions within the file system

Treemap Access Control Evaluator (TrACE)

Alexander Heitzmann, Bernardo Palazzi, Charalampos Papamanthou, Roberto Tamassia. Effective Visualization of File System Access Control, VizSEC 2008

TrACE Highlights

At a glance, determine the explicit, inherited, and effective permissions of files and folders.

Understand access control relationships between files and their ancestors

Quickly evaluate large directory structures and find problem areas

Layout based on treemaps

What is a Treemap?

A visualization method to display large hierarchical data structures (trees)

Layout based on nested rectangles.

Treemaps were introduced by Ben Shneiderman in “Tree visualization with tree-maps: 2-d space-filling approach”; TOG 1991

[Figure: treemap example with nodes A, B, C, F, E, D]

Acknowledgment

Many of these POSIX ACL slides are adapted (and some pictures are taken) from Andreas Grünbacher’s paper POSIX Access Control Lists on Linux, available online at: http://www.suse.de/~agruen/acl/linux-acls/

NTFS Permission; Folders; Files

Read; Open files and subfolders; Open files

List Folder Contents; List contents of folder, traverse folder to open subfolders; Not applicable

Read and Execute; Not applicable; Open files, execute programs

Write; Create subfolders and add files; Modify files

Modify; All the above + delete; All the above

Full Control; All the above + change permissions and take ownership, delete subfolders; All the above + change permissions and take ownership

Ch06-Firewalls.pptx

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls

A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

A network firewall is similar to firewalls in building construction, because in both cases they are intended to isolate one "network" or "compartment" from another.

Firewall Policies

To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies.

[Figure: a firewall applying firewall policies between the trusted internal network and the untrusted Internet]

Policy Actions

Packets flowing through a firewall can have one of three outcomes:

Accepted: permitted through the firewall

Dropped: not allowed through with no indication of failure

Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected

Policies used by the firewall to handle packets are based on several properties of the packets being inspected, including:

the protocol used, such as TCP or UDP

the source and destination IP addresses

the source and destination ports

the application-level payload of the packet (e.g., whether it contains a virus).

Blacklists and White Lists

There are two fundamental approaches to creating firewall policies (or rulesets) to effectively minimize vulnerability to the outside world while maintaining the desired functionality for the machines in the trusted internal network (or individual computer).

Blacklist approach

All packets are allowed through except those that fit the rules defined specifically in a blacklist.

This type of configuration is more flexible in ensuring that service to the internal network is not disrupted by the firewall, but is naïve from a security perspective in that it assumes the network administrator can enumerate all of the properties of malicious traffic.

Whitelist approach

A safer approach to defining a firewall ruleset is the default-deny policy, in which packets are dropped or rejected unless they are specifically allowed by the firewall.

Firewall Types

packet filters (stateless)

If a packet matches the packet filter's set of rules, the packet filter will drop or accept it

"stateful" filters

A stateful filter maintains records of all connections passing through it and can determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet.

application layer

An application-layer firewall works like a proxy: it can “understand” certain applications and protocols.

It may inspect the contents of the traffic, blocking what it views as inappropriate content (e.g., websites, viruses, vulnerabilities, ...)

Stateless Firewalls

A stateless firewall doesn’t maintain any remembered context (or “state”) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously.

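[Figure: TCP handshake through a stateless firewall between a client in the trusted internal network and a server]

Client to server: SYN, Seq = x, Port=80

Server to client: SYN-ACK, Seq = y, Ack = x + 1

Client to server: ACK, Seq = x + 1, Ack = y + 1

Firewall rules:

Allow outbound SYN packets, destination port=80

Allow inbound SYN-ACK packets, source port=80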

Stateless Restrictions

Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.

[Figure: an attacker's inbound SYN (Seq = y, Port=80) is blocked by the stateless firewall in front of the client in the trusted internal network]

Firewall rules:

Allow outbound SYN packets, destination port=80

Drop inbound SYN packets

Allow inbound SYN-ACK packets, source port=80

Stateful Firewalls

Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network.

Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets.

Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network.

Stateful Firewall Example

Allow only requested TCP connections:

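[Figure: TCP handshake through a stateful firewall between a client in the trusted internal network and a server; an attacker's unsolicited SYN-ACK is blocked]

Client to server: SYN, Seq = x, Port=80

Server to client: SYN-ACK, Seq = y, Ack = x + 1

Client to server: ACK, Seq = x + 1, Ack = y + 1

Attacker: SYN-ACK, Seq = y, Port=80 (blocked)

Firewall rule: Allow outbound TCP sessions, destination port=80

Firewall state table: Established TCP session: (128.34.78.55, 76.120.54.101)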
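The difference between the stateless and stateful figures above, as an added example that is not part of the original slides: the stateless rules accept any inbound SYN-ACK from source port 80, while a connection table accepts only the reply that a session opened from inside actually solicited. The addresses, port numbers, the Packet class and the extra outbound-ACK rule are assumptions made for illustration.

```python
from dataclasses import dataclass

ACCEPT, DROP = "accept", "drop"
CLIENT = "192.0.2.10"      # constructed address inside the trusted network
SERVER = "198.51.100.20"   # constructed web server address
ATTACKER = "203.0.113.9"   # constructed outside address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # e.g. frozenset({"SYN", "ACK"})
    outbound: bool        # True when leaving the trusted network
    seq: int = 0
    ack: int = 0


def stateless_filter(p):
    """Judge each packet in isolation; default deny."""
    if p.outbound and p.flags == {"SYN"} and p.dport == 80:
        return ACCEPT      # slide rule: outbound SYN, destination port 80
    if p.outbound and p.flags == {"ACK"} and p.dport == 80:
        return ACCEPT      # assumed rule so the handshake can finish
    if not p.outbound and p.flags == {"SYN", "ACK"} and p.sport == 80:
        return ACCEPT      # slide rule: inbound SYN-ACK, source port 80
    return DROP            # everything else, including inbound SYN


class StatefulFilter:
    """Allow outbound TCP sessions to port 80 and only the replies they solicit."""

    def __init__(self):
        # (client, client port, server, server port) -> [state, client ISN]
        self.table = {}

    def check(self, p):
        if p.outbound:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == {"SYN"} and p.dport == 80:
                self.table[key] = ["SYN_SENT", p.seq]
                return ACCEPT
            entry = self.table.get(key)
            if entry and p.flags == {"ACK"} and entry[0] in ("SYN_RCVD", "ESTABLISHED"):
                entry[0] = "ESTABLISHED"
                return ACCEPT
            return DROP
        entry = self.table.get((p.dst, p.dport, p.src, p.sport))
        if entry is None:
            return DROP    # no session was opened from inside
        state, client_isn = entry
        if p.flags == {"SYN", "ACK"}:
            if state == "SYN_SENT" and p.ack == (client_isn + 1) % 2**32:
                entry[0] = "SYN_RCVD"
                return ACCEPT
            return DROP    # duplicate, or wrong acknowledgment number
        if state == "ESTABLISHED" and "SYN" not in p.flags:
            return ACCEPT
        return DROP


def run_scenario():
    """Return {packet name: (stateless verdict, stateful verdict)} for a constructed trace."""
    f = frozenset
    trace = [
        ("syn", Packet(CLIENT, 40000, SERVER, 80, f({"SYN"}), True, seq=1000)),
        ("spoofed_synack", Packet(SERVER, 80, CLIENT, 40000, f({"SYN", "ACK"}), False, seq=7, ack=4242)),
        ("synack", Packet(SERVER, 80, CLIENT, 40000, f({"SYN", "ACK"}), False, seq=5000, ack=1001)),
        ("ack", Packet(CLIENT, 40000, SERVER, 80, f({"ACK"}), True, seq=1001, ack=5001)),
        ("unsolicited_synack", Packet(ATTACKER, 80, CLIENT, 40001, f({"SYN", "ACK"}), False, seq=9, ack=1)),
        ("inbound_syn", Packet(ATTACKER, 5555, CLIENT, 80, f({"SYN"}), False, seq=3)),
    ]
    fw = StatefulFilter()
    return {name: (stateless_filter(p), fw.check(p)) for name, p in trace}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:20s} stateless={verdicts[0]:6s} stateful={verdicts[1]}")
```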

Tunnels

The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP connection, he can often see the complete contents of the payloads in this session.

One way to prevent such eavesdropping without changing the software performing the communication is to use a tunneling protocol.

In such a protocol, the communication between a client and server is automatically encrypted, so that useful eavesdropping is infeasible.

Tunneling Prevents Eavesdropping

Packets sent over the Internet are automatically encrypted.

[Figure: a tunneling protocol (does end-to-end encryption and decryption) between client and server, running over TCP/IP across the untrusted Internet, where payloads are encrypted]

Secure Shell (SSH)

A secure interactive command session:

The client connects to the server via a TCP session.

The client and server exchange information on administrative details, such as supported encryption methods and their protocol version, each choosing a set of protocols that the other supports.

The client and server initiate a secret-key exchange to establish a shared secret session key, which is used to encrypt their communication (but not for authentication). This session key is used in conjunction with a chosen block cipher (typically AES, 3DES) to encrypt all further communications.

The server sends the client a list of acceptable forms of authentication, which the client will try in sequence. The most common mechanism is to use a password or the following public-key authentication method:

If public-key authentication is the selected mechanism, the client sends the server its public key.

The server then checks if this key is stored in its list of authorized keys. If so, the server encrypts a challenge using the client’s public key and sends it to the client.

The client decrypts the challenge with its private key and responds to the server, proving its identity.

Once authentication has been successfully completed, the server lets the client access appropriate resources, such as a command prompt.

IPSec

IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets

Each protocol can operate in one of two modes, transport mode or tunnel mode.

In transport mode, additional IPsec header information is inserted before the data of the original packet, and only the payload of the packet is encrypted or authenticated.

In tunnel mode, a new packet is constructed with IPsec header information, and the entire original packet, including its header, is encapsulated as the payload of the new packet.

Virtual Private Networking (VPN)

Virtual private networking (VPN) is a technology that allows private networks to be safely extended over long physical distances by making use of a public network, such as the Internet, as a means of transport.

VPN provides guarantees of data confidentiality, integrity, and authentication, despite the use of an untrusted network for transmission.

There are two primary types of VPNs, remote access VPN and site-to-site VPN.

Types of VPNs

Remote access VPNs allow authorized clients to access a private network that is referred to as an intranet.

For example, an organization may wish to allow employees access to the company network remotely but make it appear as though they are local to their system and even the Internet itself.

To accomplish this, the organization sets up a VPN endpoint, known as a network access server, or NAS. Clients typically install VPN client software on their machines, which handles negotiating a connection to the NAS and facilitating communication.

Site-to-site VPN solutions are designed to provide a secure bridge between two or more physically distant networks.

Before VPN, organizations wishing to safely bridge their private networks purchased expensive leased lines to directly connect their intranets with cabling.

Intrusion Detection Systems

Intrusion

Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking resources)

Intrusion detection

The identification, through intrusion signatures, and reporting of intrusion activities

Intrusion prevention

The process of both detecting intrusion activities and managing automatic responsive actions throughout the network

IDS Components

The IDS manager compiles data from the IDS sensors to determine if an intrusion has occurred.

This determination is based on a set of site policies, which are rules and conditions that define probable intrusions.

If an IDS manager detects an intrusion, then it sounds an alarm.

[Figure: IDS manager, IDS sensors, routers, firewall, and the untrusted Internet]

Intrusions

An IDS is designed to detect a number of threats, including the following:

Masquerader: an attacker who is falsely using the identity and/or credentials of a legitimate user to gain access to a computer system or network

Misfeasor: a legitimate user who performs actions he is not authorized to do

Clandestine user: a user who tries to block or cover up his actions by deleting audit files and/or system logs

In addition, an IDS is designed to detect automated attacks and threats, including the following:

Port scans: information gathering intended to determine which ports on a host are open for TCP connections

Denial-of-service attacks: network attacks meant to overwhelm a host and shut out legitimate accesses

Malware attacks: replicating malicious software attacks, such as Trojan horses, computer worms, viruses, etc.

ARP spoofing: an attempt to redirect IP traffic in a local-area network

DNS cache poisoning: a pharming attack directed at changing a host’s DNS cache to create a falsified domain-name/IP-address association

Possible Alarm Outcomes

Alarms can be sounded (positive) or not (negative)

                    Intrusion Attack    No Intrusion Attack
Alarm Sounded       True Positive       False Positive
No Alarm Sounded    False Negative      True Negative

The Base-Rate Fallacy

It is difficult to create an intrusion detection system with the desirable properties of having both a high true-positive rate and a low false-negative rate.

If the number of actual intrusions is relatively small compared to the amount of data being analyzed, then the effectiveness of an intrusion detection system can be reduced.

In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the base-rate fallacy.

This type of error occurs when the probability of some conditional event is assessed without considering the “base rate” of that event.

Base-Rate Fallacy Example

Suppose an IDS is 99% accurate, having a 1% chance of false positives or false negatives. Suppose further…

An intrusion detection system generates 1,000,100 log entries.

Only 100 of the 1,000,100 entries correspond to actual malicious events.

Because of the success rate of the IDS, of the 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative.

Nevertheless, of the 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives!

Thus, there will be 10,099 alarms sounded, 10,000 of which are false alarms. That is, roughly 99% of our alarms are false alarms.

IDS Data

In an influential 1987 paper, Dorothy Denning identified several fields that should be included in IDS event records:

Subject: the initiator of an action on the target

Object: the resource being targeted, such as a file, command, device, or network protocol

Action: the operation being performed by the subject towards the object

Exception-condition: any error message or exception condition that was raised by this action

Resource-usage: quantitative items that were expended by the system performing or responding to this action

Time-stamp: a unique identifier for the moment in time when this action was initiated

Types of Intrusion Detection Systems

Rule-Based Intrusion Detection

Rules identify the types of actions that match certain known profiles for an intrusion attack, in which case the rule would encode a signature for such an attack. Thus, if the IDS manager sees an event that matches the signature for such a rule, it would immediately sound an alarm, possibly even indicating the particular type of attack that is suspected.

Statistical Intrusion Detection

A profile is built, which is a statistical representation of the typical ways that a user acts or a host is used; hence, it can be used to determine when a user or host is acting in highly unusual, anomalous ways.

Once a user profile is in place, the IDS manager can determine thresholds for anomalous behaviors and then sound an alarm any time a user or host deviates significantly from the stored profile for that person or machine.

Ch05-NetworksTCP-IP.pptx

Networks: IP and TCP

11/1/2010

Networks: IP and TCP

Internet Protocol

Connectionless

Each packet is transported independently from other packets

Unreliable

Delivery on a best effort basis

No acknowledgments

Packets may be lost, reordered, corrupted, or duplicated

IP packets

Encapsulate TCP and UDP packets

Encapsulated into link-layer frames

[Figure: a TCP or UDP packet inside an IP packet inside a data link frame]

IP Addresses and Packets

IP addresses

IPv4: 32-bit addresses

IPv6: 128-bit addresses

Address subdivided into network, subnet, and host

E.g., 128.148.32.110

Broadcast addresses

E.g., 128.148.32.255

Private networks

not routed outside of a LAN

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

IP header includes

Source address

Destination address

Packet length (up to 64KB)

Time to live (up to 255)

IP protocol version

Fragmentation information

Transport layer protocol information (e.g., TCP)

[Figure: IP header fields: v, length, fragmentation info, TTL, prot., source, destination]

IP Address Space and ICANN

Hosts on the internet must have unique IP addresses

Internet Corporation for Assigned Names and Numbers

International nonprofit organization

Incorporated in the US

Allocates IP address space

Manages top-level domains

Historical bias in favor of US corporations and nonprofit organizations

Examples

003/8 May 94 General Electric

009/8 Aug 92 IBM

012/8 Jun 95 AT&T Bell Labs

013/8 Sep 91 Xerox Corporation

015/8 Jul 94 Hewlett-Packard

017/8 Jul 92 Apple Computer

018/8 Jan 94 MIT

019/8 May 95 Ford Motor

040/8 Jun 94 Eli Lilly

043/8 Jan 91 Japan Inet

044/8 Jul 92 Amateur Radio Digital

047/8 Jan 91 Bell-Northern Res.

048/8 May 95 Prudential Securities

054/8 Mar 92 Merck

055/8 Apr 95 Boeing

056/8 Jun 94 U.S. Postal Service

A Typical University’s IP Space

Most universities separate their network connecting dorms and the network connecting offices and academic buildings

Dorms

Class B network 138.16.0.0/16 (64K addresses)

Academic buildings and offices

Class B network 128.148.0.0/16 (64K addresses)

CS department

Several class C (/24) networks, each with 254 addresses

IP Routing

A router bridges two or more networks

Operates at the network layer

Maintains tables to forward packets to the appropriate network

Forwarding decisions based solely on the destination address

Routing table

Maps ranges of addresses to LANs or other gateway routers

Internet Routes

Internet Control Message Protocol (ICMP)

Used for network testing and debugging

Simple messages encapsulated in single IP packets

Considered a network layer protocol

Tools based on ICMP

Ping: sends a series of echo request messages and provides statistics on roundtrip times and packet loss

Traceroute: sends a series of ICMP packets with increasing TTL values to discover routes

ICMP Attacks

Ping of death

ICMP specifies messages must fit a single IP packet (64KB)

Send a ping packet that exceeds maximum size using IP fragmentation

Reassembled packet caused several operating systems to crash due to a buffer overflow

Smurf

Ping a broadcast address using a spoofed source address

Smurf Attack

[Figure: the attacker sends an echo request to the amplifying network, whose hosts send echo responses to the victim]

IP Vulnerabilities

Unencrypted transmission

Eavesdropping possible at any intermediate host during routing

No source authentication

Sender can spoof source address, making it difficult to trace packet back to attacker

No integrity checking

Entire packet, header and payload, can be modified while en route to destination, enabling content forgeries, redirections, and man-in-the-middle attacks

No bandwidth constraints

Large number of packets can be injected into network to launch a denial-of-service attack

Broadcast addresses provide additional leverage

Denial of Service Attack

Send large number of packets to host providing service

Slows down or crashes host

Often executed by botnet

Attack propagation

Starts at zombies

Travels through tree of internet routers rooted

Ends at victim

IP source spoofing

Hides attacker

Scatters return traffic from victim

Source: M.T. Goodrich, Probabilistic Packet Marking for Large-Scale IP Traceback, IEEE/ACM Transactions on Networking 16:1, 2008.

IP Traceback

Problem

How to identify leaves of DoS propagation tree

Routers next to attacker

Issues

There are more than 2M internet routers

Attacker can spoof source address

Attacker knows that traceback is being performed

Approaches

Filtering and tracing (immediate reaction)

Messaging (additional traffic)

Logging (additional storage)

Probabilistic marking

Probabilistic Packet Marking

Method

Random injection of information into packet header

Changes seldom used bits

Forward routing information to victim

Redundancy to survive packet losses

Benefits

No additional traffic

No router storage

No packet size increase

Can be performed online or offline

Transmission Control Protocol

TCP is a transport layer protocol guaranteeing reliable data transfer, in-order delivery of messages and the ability to distinguish data for multiple concurrent applications on the same host

Most popular application protocols, including WWW, FTP and SSH are built on top of TCP

TCP takes a stream of 8-bit byte data, packages it into appropriately sized segments and calls on IP to transmit these packets

Delivery order is maintained by marking each packet with a sequence number

Every time TCP receives a packet, it sends out an ACK to indicate successful receipt of the packet.

TCP generally checks data transmitted by comparing a checksum of the data with a checksum encoded in the packet

Ports

TCP supports multiple concurrent applications on the same server

Accomplishes this by having ports, 16 bit numbers identifying where data is directed

The TCP header includes space for both a source and a destination port, thus allowing TCP to route all data

In most cases, both TCP and UDP use the same port numbers for the same applications

Ports 0 through 1023 are reserved for use by known protocols.

Ports 1024 through 49151 are known as user ports, and should be used by most user programs for listening to connections and the like

Ports 49152 through 65535 are private ports used for dynamic allocation by socket libraries

TCP Packet Format

Bit Offset   0-3      4-7        8-15     16-18    19-31
0            Source Port                  Destination Port
32           Sequence Number
64           Acknowledgment Number
96           Offset   Reserved   Flags    Window Size
128          Checksum                     Urgent Pointer
160          Options
>= 160       Payload

Establishing TCP Connections

TCP connections are established through a three way handshake.

The server generally has a passive listener, waiting for a connection request

The client requests a connection by sending out a SYN packet

The server responds by sending a SYN/ACK packet, indicating an acknowledgment for the connection

The client responds by sending an ACK to the server thus establishing connection

[Figure: three-way handshake]

Client to server: SYN, Seq = x

Server to client: SYN-ACK, Seq = y, Ack = x + 1

Client to server: ACK, Seq = x + 1, Ack = y + 1

SYN Flood

Typically a DoS attack, though it can be combined with other attacks such as TCP hijacking

Relies on sending TCP connection requests faster than the server can process them

Attacker creates a large number of packets with spoofed source addresses and sets the SYN flag on them

The server responds with a SYN/ACK for which it never gets a response (waits for about 3 minutes each)

Eventually the server stops accepting connection requests, thus triggering a denial of service.

Can be solved in multiple ways

One common way to do this is to use SYN cookies

SYN cookies: Instead of allocating space in the connection table, the server sets the sequence number on the SYN/ACK packet to a carefully calculated hash of the connection requester's details. When the server receives a response, it adds the connection to the connection table after verifying the information in the cookie.
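A sketch of the SYN cookie idea described above, as an added example that is not from the original slides: the server keeps no per-connection state after the SYN and instead recomputes a keyed hash when the final ACK arrives. The 5-bit time counter plus 27-bit HMAC layout, the secret, the window length and all addresses are assumptions for illustration; production implementations also encode the MSS and use their own layout.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"   # assumption: a real server uses a random, rotated key
WINDOW_SECONDS = 64                   # granularity of the coarse time counter
MAX_AGE_WINDOWS = 2                   # reject cookies older than this many windows


def _mac27(src, sport, dst, dport, client_isn, t):
    """27-bit keyed hash over the connection requester's details and time counter."""
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    msg += struct.pack("!HHIB", sport, dport, client_isn, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x07FFFFFF


def make_cookie(src, sport, dst, dport, client_isn, now):
    """Sequence number to place in the SYN/ACK: time counter (5 bits) + hash (27 bits).
    Nothing is stored in the connection table at this point."""
    t = (int(now) // WINDOW_SECONDS) % 32
    return (t << 27) | _mac27(src, sport, dst, dport, client_isn % 2**32, t)


def check_ack(src, sport, dst, dport, seq, ack, now):
    """Validate the handshake-completing ACK using only the packet and the secret.
    seq is the client's ISN + 1 and ack is the cookie + 1 (both modulo 2**32)."""
    cookie = (ack - 1) % 2**32
    client_isn = (seq - 1) % 2**32
    t = cookie >> 27
    current = (int(now) // WINDOW_SECONDS) % 32
    if (current - t) % 32 > MAX_AGE_WINDOWS:
        return False                  # cookie too old (or from the future)
    expected = _mac27(src, sport, dst, dport, client_isn, t)
    received = cookie & 0x07FFFFFF
    return hmac.compare_digest(received.to_bytes(4, "big"), expected.to_bytes(4, "big"))


def handshake_demo(now=1_000_000):
    """Constructed exchange: returns (valid ACK accepted, guessed ACK accepted)."""
    client, server = ("198.51.100.7", 40000), ("192.0.2.80", 80)
    cookie = make_cookie(*client, *server, client_isn=1000, now=now)
    good = check_ack(*client, *server, seq=1001, ack=(cookie + 1) % 2**32, now=now + 5)
    # A sender that spoofed its source address never saw the SYN/ACK and must guess.
    guessed = check_ack(*client, *server, seq=1001, ack=((cookie ^ 1) + 1) % 2**32, now=now + 5)
    return good, guessed


if __name__ == "__main__":
    print(handshake_demo())
```

Only after check_ack succeeds would the server add the connection to its table, so spoofed SYNs that are never answered consume no table entries.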

TCP Data Transfer

During connection initialization using the three way handshake, initial sequence numbers are exchanged

The TCP header includes a 16 bit checksum of the data and parts of the header, including the source and destination

Acknowledgments, or the lack thereof, are used by TCP to keep track of network congestion and to control flow

TCP connections are cleanly terminated with a 4-way handshake

The client which wishes to terminate the connection sends a FIN message to the other client

The other client responds by sending an ACK

The other client sends a FIN

The original client now sends an ACK, and the connection is terminated

Sequence numbers are 32-bit numbers, wrapping to 0. ACKs include the sequence number for the received packet, so the sender can keep track of the packets received by the receiver.

TCP Data Transfer and Teardown

[Figure: data transfer and teardown between client and server]

Data transfer: Data seq=x, Ack seq=x+1; Data seq=y, Ack seq=y+1

Teardown: Fin seq=x, Ack seq=x+1; Fin seq=y, Ack seq=y+1

TCP Congestion Control

During the mid-80s it was discovered that uncontrolled TCP messages were causing large scale network congestion

TCP responded to congestion by retransmitting lost packets, thus making the problem worse

What is predominantly used today is a system where ACKs are used to determine the maximum number of packets which should be sent out

Most TCP congestion avoidance algorithms avoid congestion by modifying a congestion window (cwnd) as more cumulative ACKs are received

Lost packets are taken to be a sign of network congestion

TCP begins with an extremely low cwnd and rapidly increases the value of this variable to reach bottleneck capacity

At this point it shifts to a collision detection algorithm which slowly probes the network for additional bandwidth

TCP congestion control is a good idea in general but allows for certain attacks.

Optimistic ACK Attack

An optimistic ACK attack takes advantage of the TCP congestion control

It begins with a client sending out ACKs for data segments it hasn’t yet received

This flood of optimistic ACKs makes the server's TCP stack believe that there is a large amount of bandwidth available and thus increase cwnd

This leads to the attacker providing more optimistic ACKs, and eventually bandwidth use beyond what the server has available

This can also be played out across multiple servers, with enough congestion that a certain section of the network is no longer reachable

There are no practical solutions to this problem

Session Hijacking

Also commonly known as TCP Session Hijacking

A security attack over a protected network

Attempt to take control of a network session

A session is the server keeping state for a client’s connection

Servers need to keep track of messages sent between client and the server and their respective actions

Most networks follow the TCP/IP protocol

IP Spoofing is one type of hijacking on large networks

IP Spoofing

IP Spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another

If the server thinks it is receiving messages from the real source after authenticating a session, it could inadvertently behave maliciously

There are two basic forms of IP Spoofing

Blind Spoofing

Attack from any source

Non-Blind Spoofing

Attack from the same subnet

Blind IP Spoofing

The TCP/IP protocol requires that “acknowledgement” numbers be sent across sessions

Makes sure that the client is getting the server’s packets and vice versa

Need to have the right sequence of acknowledgment numbers to spoof an IP identity

Used to be that programs such as Rlogin used extremely predictable patterns of acknowledgment numbers

Simply by sending packets to the server and getting responses, one could decode the pattern of acknowledgment numbers

Once an intruder had the acknowledgment number algorithm, it was a simple matter of sending packets with the correct numbers to spoof a client

Most modern systems make acknowledgment sequences random so this cannot be done

Non-Blind IP Spoofing

IP Spoofing without inherently knowing the acknowledgment sequence pattern

Done on the same subnet

Use a packet sniffer to analyze the sequence pattern

Packet sniffers intercept network packets

Eventually decodes and analyzes the packets sent across the network

Determine the acknowledgment sequence pattern from the packets

Send messages to server with actual client's IP address and with validly sequenced acknowledgment number

Packet Sniffers

Packet sniffers “read” information traversing a network

Packet sniffers intercept network packets, possibly using ARP cache poisoning

Can be used as legitimate tools to analyze a network

Monitor network usage

Filter network traffic

Analyze network problems

Can also be used maliciously

Steal information (e.g., passwords, conversations, etc.)

Analyze network information to prepare an attack

Packet sniffers can be either software or hardware based

Sniffers are dependent on network setup

Detecting Sniffers

Sniffers are almost always passive

They simply collect data

They do not attempt “entry” to “steal” data

This can make them extremely hard to detect

Most detection methods require suspicion that sniffing is occurring

Then some sort of “ping” of the sniffer is necessary

It should be a broadcast that will cause a response only from a sniffer

Another solution on switched hubs is ARP watch

An ARP watch monitors the ARP cache for duplicate entries of a machine

If such duplicates appear, raise an alarm

Problem: false alarms

Specifically, DHCP networks can have multiple entries for a single machine

Stopping Packet Sniffing

The best way is to encrypt packets securely

Sniffers can capture the packets, but they are meaningless

Capturing a packet is useless if it just reads as garbage

SSH is also a much more secure method of connection

Private/Public key pairs make sniffing virtually useless

On switched networks, almost all attacks will be via ARP spoofing

Add machines to a permanent store in the cache

This store cannot be modified via a broadcast reply

Thus, a sniffer cannot redirect an address to itself

The best security is to not let them in in the first place

Sniffers need to be on your subnet in a switched hub in the first place

All sniffers need to somehow access root at some point to start themselves up

Port Knocking

Broadly, port knocking is the act of attempting to make connections to blocked ports in a certain order in an attempt to open a port

Port knocking is fairly secure against brute force attacks since there are 65536^k combinations, where k is the number of ports knocked

Port knocking, however, is very susceptible to replay attacks. Someone can theoretically record port knocking attempts and repeat those to get the same open port again

One good way of protecting against replay attacks would be a time dependent knock sequence.

Port knocking proceeds as follows:

Client wants to connect to port n on server, port n on server is blocked

Client tries to connect to ports a, b, c and d, not receiving any response while doing so, since the firewall blocks all responses

A port knocking daemon on the server keeps track of all the attempts

Once the correct knocking sequence is received it opens port n.
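One way to build the time dependent knock sequence suggested above, as an added example that is not part of the original slides: client and daemon derive the ports from an HMAC over a shared secret, the current time window and the client's address, so a recorded sequence is useless in a later window or from another address. The secret, window length, port range, class and function names are all assumptions for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-secret"   # assumption: provisioned out of band
WINDOW = 30                             # seconds during which one sequence is valid
KNOCKS = 4                              # ports a, b, c and d in the slide's notation
LOW, HIGH = 1024, 65535                 # range the knock ports are drawn from


def knock_sequence(secret, src, now, knocks=KNOCKS):
    """Ports to knock for source address src during the time window containing now."""
    window = int(now) // WINDOW
    msg = struct.pack("!Q", window) + src.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    ports = []
    for i in range(knocks):
        word = int.from_bytes(digest[2 * i:2 * i + 2], "big")
        ports.append(LOW + word % (HIGH - LOW + 1))   # slight modulo bias, fine for a sketch
    return ports


class KnockDaemon:
    """Tracks connection attempts to blocked ports and decides when to open port n."""

    def __init__(self, secret):
        self.secret = secret
        self.progress = {}   # source address -> (window, ports matched so far)
        self.used = set()    # (source, window) pairs that already opened the port

    def observe(self, src, port, now):
        """Record one attempt; return True exactly when port n should open for src."""
        window = int(now) // WINDOW
        expected = knock_sequence(self.secret, src, now)
        seen_window, seen = self.progress.get(src, (window, []))
        if seen_window != window:
            seen = []                                  # partial knocks expire with the window
        seen = seen + [port]
        if seen != expected[:len(seen)]:
            seen = [port] if port == expected[0] else []
        self.progress[src] = (window, seen)
        if len(seen) < len(expected):
            return False
        del self.progress[src]
        if (src, window) in self.used:
            return False                               # replay inside the same window
        self.used.add((src, window))
        return True


def replay_demo(now=1_700_000_000):
    """Constructed scenario: returns (legitimate, same-window replay, other-source replay, later replay)."""
    src, other = "198.51.100.7", "203.0.113.50"
    daemon = KnockDaemon(SECRET)
    recorded = knock_sequence(SECRET, src, now)        # what an eavesdropper would capture
    legit = [daemon.observe(src, p, now + i) for i, p in enumerate(recorded)][-1]
    same_window = any(daemon.observe(src, p, now + 5) for p in recorded)
    other_source = any(daemon.observe(other, p, now + 5) for p in recorded)
    later = any(daemon.observe(src, p, now + 2 * WINDOW) for p in recorded)
    return legit, same_window, other_source, later


if __name__ == "__main__":
    print(replay_demo())
```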

User Datagram Protocol

UDP is a stateless, unreliable datagram protocol built on top of IP; that is, it lies on level 4

It does not provide delivery guarantees, or acknowledgments, but is significantly faster

Can however distinguish data for multiple concurrent applications on a single host.

A lack of reliability implies that applications using UDP must be ready to accept a fair amount of erroneous packets and data loss. Some application-level protocols such as TFTP build reliability on top of UDP.

Most applications that use UDP would suffer if they had reliability. VoIP, Streaming Video and Streaming Audio all use UDP.

UDP does not come with built in congestion protection, so while UDP does not suffer from the problems associated with optimistic ACK, there are cases where high rate UDP network access will cause congestion.

Network Address Translation

Introduced in the early 90s to alleviate IPv4 address space congestion

Relies on translating addresses in an internal network, to an external address that is used for communication to and from the outside world

NAT is usually implemented by placing a router in between the internal private network and the public network.

Saves IP address space since not every terminal needs a globally unique IP address, only an organizationally unique one

While NAT should really be transparent to all high level services, this is sadly not true because a lot of high level communication uses things on IP

Whenever the router encounters a datagram it translates the address depending on what way the packet is headed

Usually any given internal IP address is bound to one of many IP addresses dynamically when it creates a session

NAT often needs to handle certain protocols like FTP in a special manner

While most NAT routers can handle popular protocols well, even when they need special attention, there are protocols which these routers cannot handle, and hence not all applications can run transparently through NAT.

Translation

Router has a pool of private addresses 192.168.10.0/24

[Figure: NAT router between the private realm (host 192.168.10.237) and the global realm (host 128.148.36.11)]

Outbound, private realm: s=192.168.10.237 d=128.148.36.11
Outbound, global realm: s=128.148.36.179 d=128.148.36.11
Inbound, global realm: s=128.148.36.11 d=128.148.36.179
Inbound, private realm: s=128.148.36.11 d=192.168.10.237

IP Packet Modifications

[Figure: IPv4 header layout, bits 0 to 31, with fields vers, len, type of service, total length, ident, flags, fragment offset, time to live, proto, header checksum, source IP address, destination IP address, options, padding, data. Legend: Modified on input; Modified on output; ????; Computed]
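The address rewrite and checksum recomputation described on the NAT slides, as an added example that is not part of the original deck. The `Nat` class, its method names and the sample header values (TTL, ident, protocol) are assumptions made for illustration; the addresses are the ones from the translation slide.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options


def checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, complemented."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, payload_len: int = 20) -> bytes:
    """Build a minimal header (constructed sample values: ident 0x1234, TTL 64, TCP)."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, 64, 6, 0,
              ipaddress.IPv4Address(src).packed,
              ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def header_is_valid(header: bytes) -> bool:
    """With a correct checksum field in place, the whole header sums to zero."""
    return len(header) == 20 and checksum(header) == 0


def addresses(header: bytes):
    """Return (source, destination) as dotted-quad strings."""
    f = struct.unpack(IPV4_FMT, header)
    return str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9]))


class Nat:
    """Hypothetical NAT router: binds each private host to a pooled public address."""

    def __init__(self, private_net: str, public_pool):
        self.private_net = ipaddress.ip_network(private_net)
        self.free = [ipaddress.IPv4Address(a) for a in public_pool]
        self.to_public = {}    # private address -> public address
        self.to_private = {}   # public address  -> private address

    @staticmethod
    def _rewrite(header: bytes, src=None, dst=None) -> bytes:
        f = list(struct.unpack(IPV4_FMT, header))
        if src is not None:
            f[8] = src.packed
        if dst is not None:
            f[9] = dst.packed
        f[7] = 0                                   # checksum is computed over a zeroed field
        f[7] = checksum(struct.pack(IPV4_FMT, *f))
        return struct.pack(IPV4_FMT, *f)

    def outbound(self, header: bytes):
        """Private -> global: the source address is modified on output."""
        src = ipaddress.IPv4Address(header[12:16])
        if src not in self.private_net:
            return header                          # not ours to translate
        if src not in self.to_public:
            if not self.free:
                return None                        # pool exhausted: no binding possible
            public = self.free.pop(0)              # dynamic binding at session start
            self.to_public[src] = public
            self.to_private[public] = src
        return self._rewrite(header, src=self.to_public[src])

    def inbound(self, header: bytes):
        """Global -> private: the destination address is modified on input."""
        dst = ipaddress.IPv4Address(header[16:20])
        private = self.to_private.get(dst)
        if private is None:
            return None                            # no binding: nothing to deliver to
        return self._rewrite(header, dst=private)

# TCP and UDP checksums cover a pseudo-header that includes the IP addresses,
# so a real NAT must also patch the transport checksum; that step is omitted here.
```

Inbound packets with no matching binding are dropped, which is why unsolicited traffic from the global realm does not reach private hosts through this kind of translation.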

Ch02-Locks.pptx

Section 2.2 – Locks and Keys

Digital security often begins with physical security…


Legal Notice

Laws regarding lock picking vary significantly state-by-state

In most states purchase and possession of dedicated lock picking tools is legal

Penalties are raised significantly if you get caught using them in the commission of a crime


Public domain image from http://commons.wikimedia.org/wiki/File:Madame_Restell_in_jail.jpg

What Is Physical Security?

Any physical object that creates a barrier to unauthorized access

This includes: locks, latches, safes, alarms, guards, guard dogs, doors, windows, walls, ceilings, floors, fences, door strikes, door frames and door closers


Is Physical Security An IT Concern?

You have been working hard to secure your network from cyber attacks

Redundant layers of antivirus programs, firewalls and intrusion detection systems should protect against every possible electronic method of entry

But what if an attacker gains access to the server room or network wiring closet ...

Is your network still safe?

Destructive vs. Nondestructive Entry

Destructive entry

Involves using force to defeat physical security

Methods involve crowbars, bolt cutters and sledge hammers

Negative impact on IT resources is apparent

Remediation steps also obvious

Nondestructive entry

Compromises security without leaving signs of a breach

Defeats intrusion detection

Greater and long-term threat


Compromising Locks

For centuries, the lock has been one of the cornerstones of physical security

We rely on dozens of them every day to protect people and assets

The trust most people place in locks is unwarranted

Most locks can be easily compromised with nondestructive methods

Sometimes within seconds and with readily available tools

“Locks keep honest people honest”


Lock Picking

Lock picking had been the exclusive art of locksmiths, professional thieves, spies and magicians for hundreds of years

However, with the advent of the Internet, information about lock picking methods and tools has become readily available

E.g., YouTube has many lock picking videos


Lock Picking in Movies

Genuine lock picking in movies used to be prohibited

Before 1967, the Hays code (Motion Picture Production Code) required censorship of Hollywood movies

“All detailed (that is, imitable) depiction of crime must be removed, such as lock picking or mixing of chemicals to make explosives”


Public domain image from http://commons.wikimedia.org/wiki/File:Motion_Picture_Production_Code.gif

LOCK TYPES


Image from http://commons.wikimedia.org/wiki/File:Ancient_warded_lock_open.jpg used with permission under Gnu Free Documentation License 1.2

TSA Lock

The U.S. government has established a set of rules for the inspection of baggage without the presence of passengers

Special TSA-approved locks allow both inspection and protection against theft

An important element is that the inspection must be easily verifiable by the user


Public domain government image

Warded Locks

Locks of this type were used in ancient times

The key moves the bolt assisted by a support spring

Security relies on the fact that not all keys pass through the key hole


Skeleton Key

Usually in old style doors or desks

Different concentric obstructions

Easy to lock pick with Skeleton keys

They come from ancient Rome

Images from http://en.wikipedia.org/wiki/File:Warded_locked.png used by permission under Gnu free documentation license 1.2

Pick vs. Bypass

Opening a lock in a nondestructive manner can be achieved either through:

Pick: acting on the lock mechanism simulating the operation of the key

Bypass: manipulation of the bolt without using the lock


1860: Yale Pin Tumbler Lock

Double-detainer theory of locking

Created shear line

Modern version of the Egyptian single-pin design

Utilizes two pins for locking

Public domain image of Linus Yale, Jr.

Image from http://en.wikipedia.org/wiki/File:Pin_tumbler_with_key.svg used with permission under Gnu Free Documentation License 1.2

How Does a Pin Tumbler Lock Work?

When a key is not present, the pin stacks are pushed down by the springs so that the driver (top) pins span the plug and the outer casing, preventing the plug from rotating.

When the correct key is inserted, the ridges of the key push up the pin stacks so that the cuts of the pin stacks are aligned with the shear line.

The alignment of the cuts with the shear line allows the plug to be rotated.


Images from http://en.wikipedia.org/wiki/File:Pin_tumbler_with_key.svg used with permission under Gnu Free Documentation License 1.2

How Does a Pin Tumbler Lock Work?

If an inappropriate key is inserted, then the pins do not align along the shear line and the lock does not turn.

Image from http://en.wikipedia.org/wiki/File:Pin_tumbler_with_key.svg used with permission under Gnu Free Documentation License 1.2

LOCK PICKING


Photo by Dan Rosenberg included with permission.

Terminology

[Figure labels: shell or hull; pin; tumbler spring; shear line; cylinder or plug; keyway; top or driver; bottom or key; driver]

Image from http://en.wikipedia.org/wiki/File:Pin_tumbler_with_key.svg used with permission under Gnu Free Documentation License 1.2

Lockpicking Tools

Feelers

Scrubbers

Tension tools


Photo by Jennie Rogers included with permission.

Feeler Picking

Apply light tension

Lift one pin at a time

Identify binding pin

Lift binding pin until it reaches the shear line

Setting the binding pin will rotate the lock slightly

Find next pin and repeat the process


Image from http://commons.wikimedia.org/wiki/File:Pin_and_tumbler_lock_picking.PNG used with permission under Gnu Free Documentation License 1.2

Scrubbing / Raking

Apply light tension

Work over pins back to front in a circular motion

attempting to pop them into the shear line with the combination of tension

Good for beginners

Usually employ snake pick or half diamond


Photo by Jennie Rogers included with permission.

The Math of Lock Picking

Suppose we have

40 different kinds of key blanks

7 pin positions

8 different possible pin heights

Then the total number of possible locks is

40 × 8^7 = 83,886,080

Not all these are possible, however, as it is difficult to put long teeth next to small teeth.

Rights Amplification in Master Keyed Systems

Reverse engineer master key from change key

Each lock has P pins, with D potential cut heights

Create D-1 test keys for each pin position p

Cut all pin positions except p as known change key

Published by Matt Blaze at Penn


Rights Amplification (continued)

Query the lock until you find each pin position

i.e. To determine first key cut depth insert each of the D-1 test keys and determine which one does not bind to the pin

Repeat for each pin


Rights Amplification Statistics

Consumes P(D-1) blanks

Can reduce to P blanks and file down on the fly

But this looks suspicious

Search space is practically pruned by manufacturer specs

maximum distance limit in legal adjacent cuts

Older installations sometimes require MKs to be higher on the pin stack

Tubular lock

Usually on car alarms or vending machines

6-8 pins

Easy to pick with special tool

The tool could become a new key

Images from http://en.wikipedia.org/wiki/File:Tubular_locked.png used with permission under Gnu Free Documentation License 1.2

Statistics

4-6 pins, 4-10 levels

10^6 = 1,000,000 possible keys!

The angular positions of the cylinders allow about 180 different positions: (180 × 10)^6 = 3.4012224 × 10^19

(Un)fortunately there is a need for some tolerance in locks

Combination Locks

There are locks that do not require a physical key to be opened but a code

Number of combinations is

Number of digits

times

Length of combination

Images from http://en.wikipedia.org/wiki/File:Combination_unlocked.png and http://commons.wikimedia.org/wiki/File:Electronic_lock_yl88.jpg used with permission under Gnu Free Documentation License 1.2

Combination Locks

Inexpensive combination padlocks allow attacks based on reducing the space of possible combinations to try

The gears have a higher tolerance of the external disk combination

Nominal number of combinations is 40^3 = 64,000

Possibilities can be reduced to about 80 by detecting critical gear points

Public domain image from http://commons.wikimedia.org/wiki/File:Lock.JPG

E.g., see http://www.wikihow.com/Crack-a-%22Master-Lock%22-Combination-Lock

Bumping

A different way of picking locks

Virtually all traditional Yale and similar locks can be opened by bumping

What lock pickers say about bumping:

RELIABLE

REPEATABLE

SIMPLE TO LEARN

Photo by Jennie Rogers included with permission.

Bump Keys

Driver pins “jump” higher than the cylinder just for an instant

If a light rotational force is applied, the cylinder will turn

Lock bumping is a very fast method for opening the lock

The lock is not damaged in any way

Few key-pin locks cannot be bumped


Photo by Jennie Rogers included with permission.

Pick Gun

Manual and electronic pick guns are a popular method for quick and easy ways of opening up doors

The pick gun is used in a similar way but usually has a trigger that creates an upward movement that must be repeated rapidly to open the lock


Public domain image from http://en.wikipedia.org/wiki/File:IDET2007_lock_picking_device.jpg

Side Channel Attacks

Rather than attempting to directly bypass security measures, an attacker instead goes around them by exploiting other vulnerabilities not protected by the security mechanisms.

Side channel attacks are sometimes surprisingly simple to perform.


High security lock

Cheap hinges

Public domain image by Pearson Scott Foresman from http://en.wikipedia.org/wiki/File:Screen2_%28PSF%29.png

Ch03-OSSec.pptx

Operating Systems Security


10/13/10

Introduction

The Boot Sequence

The action of loading an operating system into memory from a powered-off state is known as booting or bootstrapping.

When a computer is turned on, it first executes code stored in a firmware component known as the BIOS (basic input/output system).

On modern systems, the BIOS loads into memory the second-stage boot loader, which handles loading the rest of the operating system into memory and then passes control of execution to the operating system.


BIOS Passwords

A malicious user could potentially seize execution of a computer at several points in the boot process.

To prevent an attacker from initiating the first stages of booting, many computers feature a BIOS password that does not allow a second-stage boot loader to be executed without proper authentication.


Hibernation

Modern machines have the ability to go into a powered-off state known as hibernation.

While going into hibernation, the OS stores the contents of machine’s memory into a hibernation file (such as hiberfil.sys) on disk so the computer can be quickly restored later.

But… without additional security precautions, hibernation exposes a machine to potentially invasive forensic investigation.

1. User closes a laptop computer, putting it into hibernation.

2. Attacker copies the hiberfil.sys file to discover any unencrypted passwords that were stored in memory when the computer was put into hibernation.

Event Logging

Keeping track of what processes are running, what other machines have interacted with the system via the Internet, and if the operating system has experienced any unexpected or suspicious behavior can often leave important clues not only for troubleshooting ordinary problems, but also for determining the cause of a security breach.


Process Explorer


Memory and Filesystem Security


The contents of a computer are encapsulated in its memory and filesystem.

Thus, protection of a computer’s content has to start with the protection of its memory and its filesystem.

Password Security

The basic approach to guessing passwords from the password file is to conduct a dictionary attack, where each word in a dictionary is hashed and the resulting value is compared with the hashed passwords stored in the password file.

A dictionary of 500,000 “words” is often enough to discover most passwords.


Password Salt

One way to make the dictionary attack more difficult to launch is to use salt.

Associate a random number with each userid.

Rather than comparing the hash of an entered password with a stored hash of a password, the system compares the hash of an entered password and the salt for the associated userid with a stored hash of the password and salt.


How Password Salt Works

Without salt:

1. User types userid, X, and password, P.
2. System looks up H, the stored hash of X’s password.
3. System tests whether h(P) = H.

Password file: X: H

With salt:

1. User types userid, X, and password, P.
2. System looks up S and H, where S is the random salt for userid X and H is the stored hash of S and X’s password.
3. System tests whether h(S||P) = H.

Password file: X: S, H

How Salt Increases Search Space Size

Assuming that an attacker cannot find the salt associated with a userid he is trying to compromise, then the search space for a dictionary attack on a salted password is of size

2^B * D,

where B is the number of bits of the random salt and D is the size of the list of words for the dictionary attack.

For example, if a system uses a 32-bit salt for each userid and its users pick passwords in a 500,000 word dictionary, then the search space for attacking salted passwords would be

2^32 * 500,000 = 2,147,483,648,000,000,

which is over 2 quadrillion.

Also, even if an attacker can find a salt password for a userid, he only learns one password.
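The unsalted and salted password files from the slides above, side by side, as an added example that is not part of the original deck. It uses SHA-256 for h only to mirror the slides' notation (deployed systems use a deliberately slow function such as scrypt or PBKDF2); the function names, the four-word dictionary and the sample users are constructed for illustration.

```python
import hashlib
import hmac
import secrets

DICTIONARY = ["password", "letmein", "sunshine", "dragon"]          # constructed sample
SAMPLE_USERS = {"alice": "sunshine", "bob": "sunshine",             # constructed sample
                "carol": "x9!Tq-not-in-list"}


def h(data: bytes) -> bytes:
    """The slides' hash function h, instantiated with SHA-256 (assumption)."""
    return hashlib.sha256(data).digest()


def enroll_unsalted(pwfile: dict, userid: str, password: str) -> None:
    pwfile[userid] = h(password.encode())                 # X: H


def enroll_salted(pwfile: dict, userid: str, password: str, salt_bits: int = 32) -> None:
    salt = secrets.token_bytes(salt_bits // 8)            # random salt S per userid
    pwfile[userid] = (salt, h(salt + password.encode()))  # X: S, H with H = h(S||P)


def verify_salted(pwfile: dict, userid: str, password: str) -> bool:
    entry = pwfile.get(userid)
    if entry is None:
        return False
    salt, stored = entry
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(h(salt + password.encode()), stored)


def precompute(dictionary):
    """One pass over the dictionary: hash -> word. Reusable against any unsalted file."""
    return {h(word.encode()): word for word in dictionary}


def table_hits_unsalted(pwfile: dict, table: dict) -> dict:
    return {user: table[H] for user, H in pwfile.items() if H in table}


def table_hits_salted(pwfile: dict, table: dict) -> dict:
    """The same precomputed table is useless once every hash includes a salt."""
    return {user: table[H] for user, (_salt, H) in pwfile.items() if H in table}


def guesses_with_leaked_salts(pwfile: dict, dictionary):
    """Even with S known, each userid needs its own pass over the dictionary."""
    found, hashes = {}, 0
    for user, (salt, stored) in pwfile.items():
        for word in dictionary:
            hashes += 1
            if hmac.compare_digest(h(salt + word.encode()), stored):
                found[user] = word
                break
    return found, hashes


def search_space(salt_bits: int, dictionary_size: int) -> int:
    """Size 2^B * D of the search space when the salt is not known."""
    return 2 ** salt_bits * dictionary_size
```

Identical passwords produce identical entries in the unsalted file, so one lookup table exposes every user who picked a dictionary word; in the salted file the two entries differ and the table finds nothing.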

[Diagram labels: Secondary Loader, Operating System, CPU, BIOS]

Ch02-Direct.pptx

Direct Attacks on Computational Devices


10/1/2010

Introduction

Environmental Attacks

Electricity. Computing equipment requires electricity to function; hence, it is vital that such equipment has a steady uninterrupted power supply.

Temperature. Computer chips have a natural operating temperature and exceeding that temperature significantly can severely damage them.

Limited conductance. Because computing equipment is electronic, it relies on there being limited conductance in its environment. If random parts of a computer are connected electronically, then that equipment could be damaged by a short circuit (e.g., in a flood).


Eavesdropping

Eavesdropping is the process of secretly listening in on another person’s conversation.

Protection of sensitive information must go beyond computer security and extend to the environment in which this information is entered and read.

Simple eavesdropping techniques include

Using social engineering to allow the attacker to read information over the victim’s shoulder

Installing small cameras to capture the information as it is being read

Using binoculars to view a victim’s monitor through an open window.

These direct observation techniques are commonly referred to as shoulder surfing.


Wiretapping

Many communication networks employ the use of inexpensive coaxial copper cables, where information is transmitted via electrical impulses that travel through the cables.

Relatively inexpensive means exist that measure these impulses and can reconstruct the data being transferred through a tapped cable, allowing an attacker to eavesdrop on network traffic.

These wiretapping attacks are passive, in that there is no alteration of the signal being transferred, making them extremely difficult to detect.


Signal Emanations

Computer screens emit radio frequencies that can be used to detect what is being displayed.

Visible light reflections can also be used to reconstruct a display from its reflection on a wall, coffee mug, or eyeglasses.

Both of these require the attacker to have a receiver close enough to detect the signal.


Acoustic Emissions

Dmitri Asonov and Rakesh Agrawal published a paper in 2004 detailing how an attacker could use an audio recording of a user typing on a keyboard to reconstruct what was typed.

[Figure: microphone to capture keystroke sounds; sound recording device]

Each keystroke has minute differences in the sound it produces, and certain keys are known to be pressed more often than others.

After training an advanced neural network to recognize individual keys, their software recognized an average 79% of all keystrokes.

Hardware Keyloggers

A keylogger is any means of recording a victim’s keystrokes, typically used to eavesdrop passwords or other sensitive information.

Hardware keyloggers are typically small connectors that are installed between a keyboard and a computer.

For example, a USB keylogger is a device containing male and female USB connectors, which allow it to be placed between a USB port on a computer and a USB cable coming from a keyboard.


USB Keylogger

TEMPEST

TEMPEST is a U.S. government code word for a set of standards for limiting information-carrying electromagnetic emanations from computing equipment.

TEMPEST establishes three zones or levels of protection:

An attacker has almost direct contact with the equipment, such as in an adjacent room or within a meter of the device in the same room.

An attacker can get no closer than 20 meters to the equipment or is blocked by a building to have an equivalent amount of attenuation.

An attacker can get no closer than 100 meters to the equipment or is blocked by a building to have an equivalent amount of attenuation.


Emanation Blockage

To block visible light emanations, we can enclose sensitive equipment in a windowless room.

To block acoustic emanations, we can enclose sensitive equipment in a room lined with sound-dampening materials.

To block electromagnetic emanations in the electrical cords and cables, we can make sure every such cord and cable is well grounded and insulated.


Faraday Cages

To block electromagnetic emanations in the air, we can surround sensitive equipment with metallic conductive shielding or a mesh of such material, where the holes in the mesh are smaller than the wavelengths of the electromagnetic radiation we wish to block.

Such an enclosure is known as a Faraday cage.


Computer Forensics

Computer forensics is the practice of obtaining information contained on an electronic medium, such as computer systems, hard drives, and optical disks, usually for gathering evidence to be used in legal proceedings.

Unfortunately, many of the advanced techniques used by forensic investigators for legal proceedings can also be employed by attackers to uncover sensitive information.


Computer Forensics

Forensic analysis typically involves the physical inspection of the components of a computer, sometimes at the microscopic level, but it can also involve electronic inspection of a computer’s parts as well.


ATMs

An automatic teller machine (ATM) is any device that allows customers of financial institutions to complete withdrawal and deposit transactions without human assistance.

Typically, customers insert a magnetic stripe credit or debit card, enter a PIN, and then deposit or withdraw cash from their account.

The ATM has an internal cryptographic processor that encrypts the entered PIN and compares it to an encrypted PIN stored on the card (only for older systems that are not connected to a network) or in a remote database.


ATMs

To ensure the confidentiality of customer transactions, each ATM has a cryptographic processor that encrypts all incoming and outgoing information, starting the moment a customer enters their PIN.

The current industry standard for ATM transactions is the Triple DES (3DES) cryptosystem, a legacy symmetric cryptosystem with up to 112 bits of security.

The 3DES secret keys installed on an ATM are either loaded on-site by technicians or downloaded remotely from the ATM vendor.

[Figure: ATM, 3DES Encryption, Bank]

Attacks on ATMs

Lebanese loop: A perpetrator inserts this sleeve into the card slot of an ATM. When a customer attempts to make a transaction and inserts their credit card, it sits in the sleeve, out of sight from the customer, who thinks that the machine has malfunctioned. After the customer leaves, the perpetrator can then remove the sleeve with the victim’s card.

Skimmer: a device that reads and stores magnetic stripe information when a card is swiped. An attacker can install a skimmer over the card slot of an ATM and store customers’ credit information without their knowledge. Later, this information can be retrieved and used to make duplicates of the original cards.

Fake ATMs: capture both credit/debit cards and PINs at the same time.


Ch05-NetworkModelsARP.pptx

10/25/2010

Computer Networks


Circuit and Packet Switching

Circuit switching

Legacy phone network

Single route through sequence of hardware devices established when two nodes start communication

Data sent along route

Route maintained until communication ends

Packet switching

Internet

Data split into packets

Packets transported independently through network

Each packet handled on a best efforts basis

Packets may follow different routes


Packet Switching

[Figure: four-slide animation of packets numbered 1, 2 and 3 travelling independently between lettered network nodes]

Protocols

A protocol defines the rules for communication between computers

Protocols are broadly classified as connectionless and connection oriented

Connectionless protocol

Sends data out as soon as there is enough data to be transmitted

E.g., user datagram protocol (UDP)

Connection-oriented protocol

Provides a reliable connection stream between two nodes

Consists of set up, transmission, and tear down phases

Creates virtual circuit-switched network

E.g., transmission control protocol (TCP)


Encapsulation

A packet typically consists of

Control information for addressing the packet: header and footer

Data: payload

A network protocol N1 can use the services of another network protocol N2

A packet p1 of N1 is encapsulated into a packet p2 of N2

The payload of p2 is p1

The control information of p2 is derived from that of p1

[Figure: packet p1 (Header, Payload, Footer) carried as the payload of packet p2 (Header, Payload, Footer)]

Network Layers

Network models typically use a stack of layers

Higher layers use the services of lower layers via encapsulation

A layer can be implemented in hardware or software

The bottommost layer must be in hardware

A network device may implement several layers

A communication channel between two nodes is established for each layer

Actual channel at the bottom layer

Virtual channel at higher layers


Internet Layers

[Figure: two end hosts, each with Application, Transport, Network and Link layers, connected through two intermediate nodes that have Network and Link layers only. Physical Layer media shown: Ethernet, Fiber Optics, Wi-Fi]

Intermediate Layers

Link layer

Local area network: Ethernet, WiFi, optical fiber

48-bit media access control (MAC) addresses

Packets called frames

Network layer

Internet-wide communication

Best efforts

32-bit internet protocol (IP) addresses in IPv4

128-bit IP addresses in IPv6

Transport layer

16-bit addresses (ports) for classes of applications

Connection-oriented transmission control protocol (TCP)

Connectionless user datagram protocol (UDP)


Internet Packet Encapsulation

Application Layer: Application Packet
Transport Layer: TCP Header | TCP Data
Network Layer: IP Header | IP Data
Link Layer: Frame Header | Frame Data | Frame Footer

Internet Packet Encapsulation

Data link frame: Data link header | IP header | TCP or UDP header | Application packet | Data link footer
IP packet: IP header | TCP or UDP header | Application packet
TCP or UDP packet: TCP or UDP header | Application packet
Application packet

The OSI Model

The OSI (Open System Interconnect) Reference Model is a network model consisting of seven layers

Created in 1983, OSI is promoted by the International Standard Organization (ISO)


Network Interfaces

Network interface: device connecting a computer to a network

Ethernet card

WiFi adapter

A computer may have multiple network interfaces

Packets transmitted between network interfaces

Most local area networks (including Ethernet and WiFi) broadcast frames

In regular mode, each network interface gets the frames intended for it

Traffic sniffing can be accomplished by configuring the network interface to read all frames (promiscuous mode)


MAC Addresses

Most network interfaces come with a predefined MAC address

A MAC address is a 48-bit number usually represented in hex

E.g., 00-1A-92-D4-BF-86

The first three octets of any MAC address are IEEE-assigned Organizationally Unique Identifiers

E.g., Cisco 00-1A-A1, D-Link 00-1B-11, ASUSTek 00-1A-92

The next three can be assigned by organizations as they please, with uniqueness being the only constraint

Organizations can utilize MAC addresses to identify computers on their network

MAC address can be reconfigured by network interface driver software


MAC addresses can be permanently burned in (BIA), or be a locally administered address (LAA) set by an administrator. A MAC address starting out with 00-08-74 for instance is assigned by Dell, while one starting out with 00-0a-95 is assigned by Apple. Despite the IEEE limitations on LAAs, most OSs allow you to specify an arbitrary MAC for an interface.

Switch

A switch is a common network device

Operates at the link layer

Has multiple ports, each connected to a computer

Operation of a switch

Learn the MAC address of each computer connected to it

Forward frames only to the destination computer


Combining Switches

Switches can be arranged into a tree

Each port learns the MAC addresses of the machines in the segment (subtree) connected to it

Frames to unknown MAC addresses are broadcast

Frames to MAC addresses in the same segment as the sender are ignored


MAC Address Filtering

A switch can be configured to provide service only to machines with specific MAC addresses

Allowed MAC addresses need to be registered with a network administrator

A MAC spoofing attack impersonates another machine

Find out MAC address of target machine

Reconfigure MAC address of rogue machine

Turn off or unplug target machine

Countermeasures

Block port of switch when machine is turned off or unplugged

Disable duplicate MAC addresses


Viewing and Changing MAC Addresses

Viewing the MAC addresses of the interfaces of a machine

Linux: ifconfig

Windows: ipconfig /all

Changing a MAC address in Linux

Stop the networking service: /etc/init.d/network stop

Change the MAC address: ifconfig eth0 hw ether <MAC-address>

Start the networking service: /etc/init.d/network start

Changing a MAC address in Windows

Open the Network Connections applet

Access the properties for the network interface

Click “Configure …”

In the advanced tab, change the network address to the desired value

Changing a MAC address requires administrator privileges


In other derivatives like FreeBSD, MacOSX and others stopping the network service is not required, and the hw flag is dropped, leading to a single command ifconfig eth0 ether <MAC-address>


ARP

The address resolution protocol (ARP) connects the network layer to the data layer by converting IP addresses to MAC addresses

ARP works by broadcasting requests and caching responses for future use

The protocol begins with a computer broadcasting a message of the form

who has <IP address1> tell <IP address2>

When the machine with <IP address1> or an ARP server receives this message, it broadcasts the response

<IP address1> is <MAC address>

The requestor’s IP address <IP address2> is contained in the link header

The Linux and Windows command arp -a displays the ARP table

Internet Address      Physical Address      Type
128.148.31.1          00-00-0c-07-ac-00     dynamic
128.148.31.15         00-0c-76-b2-d7-1d     dynamic
128.148.31.71         00-0c-76-b2-d0-d2     dynamic
128.148.31.75         00-0c-76-b2-d7-1d     dynamic
128.148.31.102        00-22-0c-a3-e4-00     dynamic
128.148.31.137        00-1d-92-b6-f1-a9     dynamic


IPv6 does not use ARP, and ARP is instead replaced by Neighbor Discovery Protocol.

ARP Spoofing

The ARP table is updated whenever an ARP response is received

Requests are not tracked

ARP announcements are not authenticated

Machines trust each other

A rogue machine can spoof other machines


ARP Poisoning (ARP Spoofing)

According to the standard, almost all ARP implementations are stateless

An arp cache updates every time that it receives an arp reply… even if it did not send any arp request!

It is possible to “poison” an arp cache by sending gratuitous arp replies

Using static entries solves the problem but it is almost impossible to manage!


Telnet Protocol (RFC 854)

Telnet is a protocol that provides general, bi-directional, unencrypted communication

telnet is a generic TCP client

Allows a computer to connect to another one

Provides remote login capabilities to computers on the Internet

Sends whatever you type

Prints whatever comes back

Useful for testing TCP servers (ASCII based protocols)


One computer can connect to another to use its services


Wireshark

Wireshark is a packet sniffer and protocol analyzer

Captures and analyzes frames

Supports plugins

Usually required to run with administrator privileges

Setting the network interface in promiscuous mode captures traffic across the entire LAN segment and not just frames addressed to the machine

Freely available on www.wireshark.org

[Figure: Wireshark main window, with callouts for the menu, main toolbar, filter toolbar, packet list pane, packet details pane, packet bytes pane and status bar]

DEMO 1: Configuration using Telnet

[Figure: Alice, Bob and Cracker connected to a switch on LAN 192.168.1.x (hosts .10, .100 and .1; CLIENT and SERVER roles); links are Ethernet UTP with RJ 45 connectors]

In a switched network, packets are sent only to the destination computer

One would think that another computer plugged to the switch cannot sniff traffic

Add a user on server:

adduser user

and then follow program instructions

DEMO 1: ARP Spoofing

[Figure: Alice, Bob and Cracker on LAN 192.168.1.x (hosts .10, .100 and .1; CLIENT, SERVER, switch), comparing regular traffic with traffic under ARP poisoning. MAC addresses shown: 00:0A:E4:2E:9B:11, 00:22:64:34:60:88, 00:0A:E4:3B:47:7E]

gratuitous arp reply: Bob’s IP→ Cracker’s MAC

arpspoof 192.168.1.10 192.168.1.100

gratuitous arp reply: Alice’s IP→ Cracker’s MAC

arpspoof 192.168.1.100 192.168.1.10

Argument labels in the figure: victim ip, gateway ip

DEMO 1: catch telnet password

[Figure: the same LAN (192.168.1.x; hosts .10, .100 and .1; CLIENT, SERVER; switch) with Alice, Bob and Cracker, showing regular traffic and the path taken when using arp poisoning. Label: Acts as a router]

With dsniff, we catch the passwords used to log in to a telnet service:

dsniff -n

ARP Caches


IP: 192.168.1.1

MAC: 00:11:22:33:44:01

IP: 192.168.1.105

MAC: 00:11:22:33:44:02

ARP Cache
192.168.1.105 00:11:22:33:44:02
ARP Cache
192.168.1.1 00:11:22:33:44:01

Data

192.168.1.1 is at 00:11:22:33:44:01

192.168.1.105 is at 00:11:22:33:44:02

Poisoned ARP Caches


192.168.1.105 is at 00:11:22:33:44:03

Poisoned ARP Cache
192.168.1.1 00:11:22:33:44:03
Poisoned ARP Cache
192.168.1.105 00:11:22:33:44:03

Data

Data

192.168.1.1 is at 00:11:22:33:44:03

192.168.1.1

00:11:22:33:44:01

192.168.1.105

00:11:22:33:44:02

192.168.1.106

00:11:22:33:44:03
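The poisoned caches above share two visible symptoms: an IP address whose advertised MAC changes, and one MAC claiming several IP addresses. The following is an added example (not part of the original slides) of a monitor that flags both; the function name and the tuple format for observed ARP replies are assumptions, and the sample replies are constructed from the addresses on the slides.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) as seen in ARP replies,
# reusing the addresses from the "ARP Caches" and "Poisoned ARP Caches" slides.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1",   "00:11:22:33:44:01"),
    (0.1, "192.168.1.105", "00:11:22:33:44:02"),
    (0.2, "192.168.1.106", "00:11:22:33:44:03"),
    (5.0, "192.168.1.1",   "00:11:22:33:44:03"),  # gratuitous reply, wrong MAC
    (5.1, "192.168.1.105", "00:11:22:33:44:03"),  # gratuitous reply, wrong MAC
    (7.0, "192.168.1.1",   "00:11:22:33:44:03"),  # the same false claim again
]


def detect_arp_anomalies(replies, static_bindings=None):
    """Return alerts for ARP replies that contradict known IP-to-MAC bindings.

    static_bindings (optional) maps IP -> MAC for hosts whose address is
    pinned, e.g. the gateway; all other bindings are learned on first sight.
    """
    pinned = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    learned = {}                 # ip -> first MAC seen for it
    claimed = defaultdict(set)   # mac -> set of IPs it has claimed
    reported = set()             # suppress repeats of the same finding
    alerts = []

    for when, ip, mac in replies:
        mac = mac.lower()
        expected = pinned.get(ip) or learned.setdefault(ip, mac)
        if mac != expected and ("changed", ip, mac) not in reported:
            reported.add(("changed", ip, mac))
            alerts.append({"time": when, "kind": "binding-changed",
                           "ip": ip, "expected": expected, "seen": mac})
        claimed[mac].add(ip)
        if len(claimed[mac]) > 1 and ("multi", mac) not in reported:
            reported.add(("multi", mac))
            alerts.append({"time": when, "kind": "mac-claims-multiple-ips",
                           "mac": mac, "ips": sorted(claimed[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES):
        print(alert)
```

Pinning only a few critical hosts through static_bindings keeps the benefit of static entries without having to manage one for every machine; a host that legitimately answers for several IP addresses will need an exception to the second rule.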

DEMO 2: network DOS using ARP


192.168.1.101

switch

192.168.1.102

Cable Loop

Ping 192.168.1.101

arp request

ping

How can it be avoided?

Broadcast storm

Ch02-Authentication.pptx

Section 2.3 – Authentication Technologies


9/30/2010

Introduction

Authentication

The determination of identity, usually based on a combination of

something the person has (like a smart card or a radio key fob storing secret keys),

something the person knows (like a password),

something the person is (like a human with a fingerprint).

[Figure: Something you are (human with fingers and eyes); Something you know (password=ucIb()w1V, mother=Jones, pet=Caesar); Something you have (radio token with secret keys)]

Barcodes

Developed in the 20th century to improve efficiency in grocery checkout.

First-generation barcodes represent data as a series of variable-width, vertical lines of ink, which is essentially a one-dimensional encoding scheme.

Some more recent barcodes are rendered as two-dimensional patterns using dots, squares, or other symbols that can be read by specialized optical scanners, which translate a specific type of barcode into its encoded information.


Authentication via Barcodes

Since 2005, the airline industry has been incorporating two-dimensional barcodes into boarding passes, which are created at flight check-in and scanned before boarding.

In most cases, the barcode is encoded with an internal unique identifier that allows airport security to look up the corresponding passenger’s record with that airline.

Staff then verifies that the boarding pass was in fact purchased in that person’s name (using the airline’s database), and that the person can provide photo identification.

In most other applications, however, barcodes provide convenience but not security. Since barcodes are simply images, they are extremely easy to duplicate.

Public domain image from http://commons.wikimedia.org/wiki/File:Bpass.jpg

Two-dimensional barcode

Magnetic Stripe Cards

Plastic card with a magnetic stripe containing personalized information about the card holder.

The first track of a magnetic stripe card contains the cardholder’s full name in addition to an account number, format information, and other data.

The second track may contain the account number, expiration date, information about the issuing bank, data specifying the exact format of the track, and other discretionary data.


Public domain image by Alexander Jones from http://commons.wikimedia.org/wiki/File:CCardBack.svg

Magnetic Stripe Card Security

One vulnerability of the magnetic stripe medium is that it is easy to read and reproduce.

Magnetic stripe readers can be purchased at relatively low cost, allowing attackers to read information off cards.

When coupled with a magnetic stripe writer, which is only a little more expensive, an attacker can easily clone existing cards.

So, many uses require card holders to enter a PIN to use their cards (e.g., as in ATM and debit cards in the U.S.).


Smart Cards

Smart cards incorporate an integrated circuit, optionally with an on-board microprocessor that has reading and writing capabilities, allowing the data on the card to be both accessed and altered.

Smart card technology can provide secure authentication mechanisms that protect the information of the owner and are extremely difficult to duplicate.


Public domain image from http://en.wikipedia.org/wiki/File:Carte_vitale_anonyme.jpg

Circuit interface

Smart Card Authentication

They are commonly employed by large companies and organizations as a means of strong authentication using cryptography.

Smart cards may also be used as a sort of “electronic wallet,” containing funds that can be used for a variety of services, including parking fees, public transport, and other small retail transactions.


SIM Cards

Many mobile phones use a special smart card called a subscriber identity module card (SIM card).

A SIM card is issued by a network provider. It maintains personal and contact information for a user and allows the user to authenticate to the cellular network of the provider.


SIM Card Security

SIM cards contain several pieces of information that are used to identify the owner and authenticate to the appropriate cell network.

Each SIM card corresponds to a record in the database of subscribers maintained by the network provider.

A SIM card features an integrated circuit card ID (ICCID), which is a unique 18-digit number used for hardware identification.

Next, a SIM card contains a unique international mobile subscriber identity (IMSI), which identifies the owner’s country, network, and personal identity.

SIM cards also contain a 128-bit secret key. This key is used for authenticating a phone to a mobile network.

As an additional security mechanism, many SIM cards require a PIN before allowing any access to information on the card.


GSM Challenge-Response Protocol

When a cellphone wishes to join a cellular network it connects to a local base station owned by the network provider and transmits its IMSI.

If the IMSI matches a subscriber’s record in the network provider’s database, the base station transmits a 128-bit random number to the cellphone.

This random number is then encoded by the cellphone with the subscriber’s secret key stored in the SIM card using a proprietary encryption algorithm known as A3, resulting in a ciphertext that is sent back to the base station.

The base station then performs the same computation, using its stored value for the subscriber’s secret key. If the two ciphertexts match, the cellphone is authenticated to the network and is allowed to make and receive calls.

IMSI = (this phone’s ID)

R = a 128-bit random number (the challenge)

E_K(R) = the 128-bit random number encrypted using the subscriber’s secret key K (the response)

RFIDs

Radio frequency identification, or RFID, is a rapidly emerging technology that relies on small transponders to transmit identification information via radio waves.

RFID chips feature an integrated circuit for storing information, and a coiled antenna to transmit and receive a radio signal.


RFID Technology

RFID tags must be used in conjunction with a separate reader or writer.

While some RFID tags require a battery, many are passive and do not.

The effective range of RFID varies from a few centimeters to several meters, but in most cases, since data is transmitted via radio waves, it is not necessary for a tag to be in the line of sight of the reader.


RFID Technology

This technology is being deployed in a wide variety of applications.

Many vendors are incorporating RFID for consumer-product tracking.

Car key fobs.

Electronic toll transponders.


Passports

Modern passports of several countries, including the United States, feature an embedded RFID chip that contains information about the owner, including a digital facial photograph that allows airport officials to compare the passport’s owner to the person who is carrying the passport.

e-Passport symbol

RFID chip and antenna are embedded in the cover

Passport Security

In order to protect the sensitive information on a passport, all RFID communications are encrypted with a secret key.

In many instances, however, this secret key is merely the passport number, the holder’s date of birth, and the expiration date, in that order.

All of this information is printed on the card, either in text or using a barcode or other optical storage method.

While this secret key is intended to be only accessible to those with physical access to the passport, an attacker with information on the owner, including when their passport was issued, may be able to easily reconstruct this key, especially since passport numbers are typically issued sequentially.


Biometrics

Biometric refers to any measure used to uniquely identify a person based on biological or physiological traits.

Generally, biometric systems incorporate some sort of sensor or scanner to read in biometric information and then compare this information to stored templates of accepted users before granting access.


Image from http://commons.wikimedia.org/wiki/File:Fingerprint_scanner_in_Tel_Aviv.jpg used with permission under the Creative Commons Attribution 3.0 Unported license

Requirements for Biometric Identification

Universality. Almost every person should have this characteristic.

Distinctiveness. Each person should have noticeable differences in the characteristic.

Permanence. The characteristic should not change significantly over time.

Collectability. The characteristic should have the ability to be effectively determined and quantified.


Biometric Identification

[Figure: Biometric Reader, Feature vector, Reference vector, Comparison algorithm; outcomes: matches / doesn’t match]

Candidates for Biometric IDs

Fingerprints

Retinal/iris scans

DNA

“Blue-ink” signature

Voice recognition

Face recognition

Gait recognition

Let us consider how each of these scores in terms of universality, distinctiveness, permanence, and collectability…

Public domain image from http://commons.wikimedia.org/wiki/File:Retinal_scan_securimetrics.jpg

Public domain image from http://commons.wikimedia.org/wiki/File:CBP_chemist_reads_a_DNA_profile.jpg

Public domain image from http://commons.wikimedia.org/wiki/File:Fingerprint_Arch.jpg

Ch02-RFIDSecurity.pptx

RFID Security

Materials from the FIRB SAT lecture slides by Massimo Rimondini included with permission.


Architecture

[Figure: tag, communication interface & protocol, reader, data format (0100101110100...), middleware, Object Naming Service]

Who

Supply chain management

Benetton

Wal-Mart

Procter & Gamble

Gillette

U.S. Department of Defense

Tires

Michelin (truck tires)

Goodyear (racing tires)

Volkswagen


Why

Unique identification and tracking of goods

Manufacturing

Supply chain

Inventory

Retail

Unique identification and tracking of people and animals

Access control & Authorization

Medical applications (drugs, blood banks, mother‑baby pairing, etc.)

Tracking of livestock, endangered species, and pets

Anti-theft systems

Toll systems

Passports

Sports event timing


Sam Polniak. The RFID Case Study Book: RFID Application Stories from Around the Globe. Abhisam Software.

Operating Frequency

The operating frequency of an RFID tag affects several parameters

Range

LF (9-135KHz): a few cms

HF (13.56MHz): up to 1m

UHF (0.3-1.2GHz): >1m

MW (2.45-5.8GHz)

Data exchange speed

Signal attenuation through materials

(Cross-country) Interoperability

FCC

ETSI


Types of Tags

Passive

Operational power scavenged from reader radiated power

Semi-passive

Operational power provided by battery

Active

Operational power provided by battery - transmitter built into tag

Reading Multiple Tags

SDMA (Space-Division Multiple Access)

Multiple antennas with non-overlapping fields

FDMA (Frequency-division multiple access)

Multiple frequencies

TDMA (Time-division multiple access)

“Speak” at different times


What to Protect

ISO 18000 (supply chain)

UID: 64 bit

Memory: max 256 blocks of 32 bits each

Total: 1KB

Writable tags


EPCglobal was founded in 2003 by the merger of EAN International and the Uniform Code Council (EAN-UCC, now replaced by GS1)

What to Protect

EPCglobal was founded by the union of EAN International and the Uniform Code Council in 2003

Class 0

read-only, factory-programmed identifier

Class 1 Gen 1

write-once identifier

lock, kill (with 8 bit password)


With 96 bit code, 268 million companies can each categorize 16 million different products where each product category contains up to 687 billion individual units

What to Protect (cont.)

Class 1 Gen 2

=ISO/IEC 18000-6 Type C

writable tags

4 memory blocks

Reserved: access, kill passwords (32 bits each) reversible/one-way read/write lock

EPC ID (up to 304 bits)

TID: incremental serial number written by the vendor (64 bits)

User (up to 512 bits)


Threats & Countermeasures

Eavesdropping

Passive monitoring of the air interface

Encryption, shielding, range reduction

Relaying

Man-in-the-middle (allows legitimate authentication)

Shielding, range reduction, distance bounding protocols

Unauthorized tag reading

Fake reader with extended range

Reader authentication, on-demand tag enabling, sensitive data in the backend, tag killing

Pawel Rotter. A Framework for Assessing RFID System Security and Privacy Risks. IEEE Pervasive Computing, 7(2):70–77, June 2008.

Threats & Countermeasures

Cloning

Duplication of tag contents and functionality

Authentication, manufacturing-stage countermeasures against reverse engineering

Tracking

Rogue readers in doors or near legitimate ones

Authentication, range reduction, shielding tags, tag disabling, pseudonyms

Replaying

Repeated authentication sequences

Authentication [see eavesdropping]

Pawel Rotter. A Framework for Assessing RFID System Security and Privacy Risks. IEEE Pervasive Computing, 7(2):70–77, June 2008.

Threats & Countermeasures

Tag content changes

Insertion or modification of data in the tag's memory

Lock, permalock, smarter malware-proof readers

Tag destruction

Burn in a microwave oven, slam with a hammer, etc.

...?

Blocking

Reader awaits response from several non-existent tags

Detection is possible

Jamming

Radio noise

Detection is possible

Pawel Rotter. A Framework for Assessing RFID System Security and Privacy Risks. IEEE Pervasive Computing, 7(2):70–77, June 2008.

Threats (reprise)

Breakdown of business processes

Handling of crucial and strategical information

Privacy violations

External risks

e.g., exposure to RF radiation, middleware hacking

Tom Karygiannis, Bernard Eydt, Greg Barber, Lynn Bunn, and Ted Phillips. Guidelines for securing radio frequency identification (RFID) systems. Recommendations of the National Institute of Standards and Technology, NIST 800-98, 2007.


Security coordinates

Service availability

Cloning

Security of read operations

Security of write operations

Security of information


Risks vs. Security

Risks (NIST)
Business processes Strategical information Privacy violation Others
Service availability
Cloning
Read
Write
Information


Focus

0100101110100...


Denial of Service


Denial of Service

Impair communication with valid tag

Jamming

oscillator+audio amplifier

Faraday cage

aluminium leaf

Fool the reader with counterfeit tags

Confuse the singulation tree walking

Blocker tag

Interposing metals

Detaching tag antennas

Physical destruction (of anti-shoplifting tags)

camera’s flash circuit


Singulation Tree Walking

Reader tries to read several tags

Electromagnetic noise (jamming) is possible

Avoids jamming in the presence of multiple tags

Performance: up to 1000 tags/s

Blocker tag (fully/selectively) “spoofs” the walk

A. Juels, R. L. Rivest, and M. Szydlo. The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy. In V. Atluri, ed. 8th ACM Conference on Computer and Communications Security, pp. 103-111. ACM Press. 2003.

Reader broadcasts current prefix

Each tag with this prefix responds with its next bit

If responses don’t collide, reader adds 1 bit to current prefix, otherwise tries both possibilities


Tag Singulation Process

Read individual tag from group of all tags in range of reader:

All tags within range of reader backscatter their MSB (most significant bit) to the reader

Reader responds with either a 1 or a 0

If tag bit == reader bit, tag sends the next bit in its ID code; else, tag goes mute for remainder of singulation

Process continues until reader has completely read a single tag

Reader conducts consecutive singulations until all tags in its range are read

Reader can interrupt the singulation process to send commands to a single tag, a subset of all tags in range, or globally to all tags in range

Reader knows only a prefix
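The tree walk described above, and the effect of a blocker tag on it, as an added simulation (not code from the slides or from the cited paper). The function name, the bit-string tag IDs and the max_population detection heuristic are assumptions; the tag population is constructed.

```python
# Constructed population of 4-bit tag IDs within range of the reader.
TAGS = ["0010", "0111", "1011"]


def tree_walk(tag_ids, id_bits, blocker_zone=None, max_population=None):
    """Simulate binary tree-walking singulation.

    blocker_zone: ID prefix protected by a blocker tag ("" blocks everything,
        "1" blocks only IDs that start with 1, None means no blocker).
    max_population: if set, the reader stops and reports suspected blocking
        once it has "read" more IDs than could plausibly be in range.
    Returns the IDs read, the number of prefix queries broadcast, and a flag.
    """
    found, queries = [], 0
    stack = [""]                      # prefixes still to explore
    while stack:
        prefix = stack.pop()
        if len(prefix) == id_bits:    # complete ID: one tag singulated
            found.append(prefix)
            if max_population is not None and len(found) > max_population:
                return {"ids": found, "queries": queries,
                        "blocking_suspected": True}
            continue
        queries += 1                  # reader broadcasts the current prefix
        # Every tag whose ID starts with the prefix answers with its next bit.
        bits = {t[len(prefix)] for t in tag_ids if t.startswith(prefix)}
        if blocker_zone is not None:
            if prefix.startswith(blocker_zone):
                bits = {"0", "1"}     # blocker answers both: forced collision
            elif blocker_zone.startswith(prefix):
                bits.add(blocker_zone[len(prefix)])  # lead reader to the zone
        # One bit seen: extend the prefix. Both seen (collision): try both.
        for bit in sorted(bits, reverse=True):
            stack.append(prefix + bit)
    return {"ids": found, "queries": queries, "blocking_suspected": False}


if __name__ == "__main__":
    print(tree_walk(TAGS, 4))
    print(tree_walk(TAGS, 4, blocker_zone="1"))
    print(tree_walk(TAGS, 4, blocker_zone="1", max_population=5))
```

Inside the blocked zone every prefix collides, so the reader sees all 2^k possible IDs under that prefix and cannot tell which of them belong to real tags; with realistic ID lengths the walk cannot finish at all.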

Cloning


Cloning

Violates information integrity

Breaks stock availability (rather than money gain)

Allows spoofing & theft

Made possible by writable memories

Possible even just with a PDA+PC card

Countermeasures:

Killing

Read-only memories

(Mutual) Authentication protocols

PUFs

Annalee Newitz. The rfid hacking underground. WIRED, 14(05):72, 77, May 2006.

Challenge-Response Protocol

Function f is public

Secret key K is known only to the tag and reader

The reader sends challenge X and the tag responds with Y, computed from K and X

The reader computes Y’ = f(K,X) and verifies that Y=Y’

[Figure: the RFID reader sends Challenge: nonce X to the RFID TAG; the tag returns Response: Y = f (K,X); the reader computes Y’ = f (K,X)]
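The challenge-response exchange above has the same shape as the GSM protocol described in the authentication slides (IMSI, 128-bit challenge R, response computed with the secret key). The following added example, which is not from the slides, runs both sides and shows why a fresh challenge defeats a replayed response. HMAC-SHA256 truncated to 128 bits stands in for f and for the proprietary A3 (an assumption); the class names and the identity strings are also assumptions.

```python
import hashlib
import hmac
import secrets


def f(key, challenge):
    """Public response function; HMAC-SHA256/128 is a stand-in for f or A3."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:16]


class Verifier:
    """Base station or RFID reader: knows each identity's secret key K."""

    def __init__(self, keys):
        self._keys = dict(keys)
        self._pending = {}            # identity -> challenge awaiting a reply

    def challenge(self, identity):
        if identity not in self._keys:
            return None               # no matching record: nothing is sent
        nonce = secrets.token_bytes(16)   # fresh 128-bit random number
        self._pending[identity] = nonce
        return nonce

    def verify(self, identity, response):
        nonce = self._pending.pop(identity, None)   # each challenge is one-shot
        if nonce is None:
            return False
        expected = f(self._keys[identity], nonce)   # Y' = f(K, X)
        return hmac.compare_digest(expected, response)


class Token:
    """SIM card or RFID tag: holds K and answers challenges."""

    def __init__(self, identity, key):
        self.identity, self._key = identity, key

    def respond(self, challenge):
        return f(self._key, challenge)              # Y = f(K, X)


def demo():
    imsi = "001010000000001"          # constructed identity
    key = secrets.token_bytes(16)     # 128-bit secret shared at provisioning
    station, phone = Verifier({imsi: key}), Token(imsi, key)
    results = {}

    first = phone.respond(station.challenge(imsi))
    results["genuine"] = station.verify(imsi, first)

    station.challenge(imsi)           # new session, new nonce
    results["replayed_response"] = station.verify(imsi, first)

    again = phone.respond(station.challenge(imsi))
    station.verify(imsi, again)
    results["same_answer_twice"] = station.verify(imsi, again)

    impostor = Token(imsi, secrets.token_bytes(16))
    results["wrong_key"] = station.verify(
        imsi, impostor.respond(station.challenge(imsi)))

    results["unknown_identity"] = station.challenge("001019999999999")
    return results


if __name__ == "__main__":
    print(demo())
```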

Physically Unclonable Function

PUF

Easy to calculate and difficult to characterize

Lightweight

Safer alternative to storing keys on tag

Challenge response protocol

Binary vector X sent to tag

Tag computes vector Y=f(K, X)

“Hardwired” vector K different for each tag, due to random manufacturing variations

Repeating the same challenge results in responses with small Hamming distance


How many bits do the challenge and response have?

64 or 128

Is K a constant for a given tag or are small variations possible for the same tag and different challenges?

Explain difference between a PUF and a MAC (message authentication code)?


A PUF uses variations in the production of the circuit to generate a bit different response for each challenge presented

The same challenge generally produces different responses on different PUF tags

PUF: Architecture

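[Figure: arbiter PUF. A chain of switches controlled by the challenge bits c_0, c_1, c_2, ..., c_61, c_62, c_63 (switch settings shown for c_i = 0 and c_i = 1) feeds an arbiter that outputs 0 or 1]

Switch Operations

The operation of the arbiter includes:

a race between the signals in which the arbiter keeps the outcome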


This is achieved by starting a race between a rising edge that is fed into a series of switches. The signal is routed depending on the challenge bit at each switch, and depending on whether the signal on the top rail or the bottom rail arrives first, the arbiter outputs a 1 or a 0. On most occasions the same challenge will not produce the same response from chip to chip, due to propagation and delay variations in the circuit components.

Thus a PUF circuit can be used to characterise each label IC, and the fabrication variations tend to form the secret key. It is therefore possible to authenticate each IC by observing the response of the PUF circuit to a set of challenges.

It has been evaluated that around 800 challenge-response pairs are enough to uniquely identify around a billion chips.

PUF

A function based on unpredictable behavior that allows for creating challenge-response pairs

The set of challenge-response pairs is a kind of electronic DNA of an RFID tag

For a PUF with ideal behavior, it is possible to publish a hash of the response to prevent cloning by means of a virtual tag

The Vera X512H tag, from the American company Verayo, when challenged several times with the same challenge, replies with responses that are within a Hamming distance of less than 17 bits of each other

PUF vs. MAC

PUF: Bob sends Alice an object

Builds the challenge-response pairs (CRPs) table of the PUF tag

Sends the object with the tag

Securely sends Alice the PUF CRP table

Alice can verify using the CRPs that the object has not been tampered with

MAC: Bob sends Alice some data

Hashes the data

Encrypts the hash with a crypto key

The data and the encrypted hash are sent to Alice

Alice knows the crypto key and hash function, so she can verify data integrity and source

PUF: Security Infrastructure

To ensure security with PUFs, the following are necessary:

A database backend to keep the challenge-response pairs (CRPs)

A method for secure distribution of CRPs

Build a CRP table for each tag before distribution (the table may be extended after verification of the tag)

Encryption is controlled by the label owner.

Hence it is independent of the other parties in the supply chain. Individual establishments can define a security policy that suits them, such as when encryption is performed and how to handle the tag contents at the point of sale. The level of security should be commensurate with the data or item being protected.
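The PUF slides above combine three ideas: a race through challenge-controlled switches, responses that are noisy but close for the same tag, and a backend CRP table built before distribution. The following added example (not from the slides or from any vendor) puts them together. The tag is a software stand-in using the additive delay model of an arbiter PUF; that model, the 128-bit response width, the class names and the seeds are assumptions, while the acceptance threshold of fewer than 17 differing bits is the figure quoted above.

```python
import hashlib
import random

STAGES = 64           # challenge bits c_0 .. c_63, as on the architecture slide
RESPONSE_BITS = 128   # assumption: 128 arbiter outcomes form one response
THRESHOLD = 17        # accept when fewer than 17 bits differ


class SimulatedPufTag:
    """Software stand-in for an arbiter PUF (additive delay model)."""

    def __init__(self, manufacturing_seed, noise=0.2):
        self._rng = random.Random(manufacturing_seed)
        # Per-stage delay differences: the "hardwired" K fixed at manufacture.
        self._delays = [self._rng.gauss(0, 1) for _ in range(STAGES + 1)]
        self._noise = noise

    def _race(self, bits):
        # Add up the delay differences along the path the challenge selects;
        # the sign tells which rail reaches the arbiter first.
        total, parity = self._delays[STAGES], 1
        for i in reversed(range(STAGES)):
            parity *= 1 - 2 * bits[i]
            total += self._delays[i] * parity
        total += self._rng.gauss(0, self._noise)    # measurement noise
        return 1 if total > 0 else 0

    def respond(self, challenge):
        """Expand one challenge into RESPONSE_BITS races and pack the bits."""
        response = 0
        for n in range(RESPONSE_BITS):
            digest = hashlib.sha256(challenge + bytes([n])).digest()
            bits = [(digest[i // 8] >> (i % 8)) & 1 for i in range(STAGES)]
            response = (response << 1) | self._race(bits)
        return response


def hamming(a, b):
    return bin(a ^ b).count("1")


class CrpDatabase:
    """Backend CRP table, filled before the tag leaves the trusted site."""

    def __init__(self):
        self._table = {}   # tag_id -> unused (challenge, reference) pairs

    def enroll(self, tag_id, tag, challenges):
        self._table[tag_id] = [(c, tag.respond(c)) for c in challenges]

    def authenticate(self, tag_id, presented_tag):
        pairs = self._table.get(tag_id)
        if not pairs:
            return False                     # unknown tag or table used up
        challenge, reference = pairs.pop()   # a pair is never used twice
        answer = presented_tag.respond(challenge)
        return hamming(reference, answer) < THRESHOLD


def demo():
    genuine = SimulatedPufTag(manufacturing_seed=1)
    clone = SimulatedPufTag(manufacturing_seed=2)   # same design, other chip
    db = CrpDatabase()
    db.enroll("tag-A", genuine, [bytes([i]) * 8 for i in range(3)])
    probe = b"constructed challenge"
    return {
        "same_tag_distance": hamming(genuine.respond(probe),
                                     genuine.respond(probe)),
        "other_tag_distance": hamming(genuine.respond(probe),
                                      clone.respond(probe)),
        "genuine_accepted": db.authenticate("tag-A", genuine),
        "clone_accepted": db.authenticate("tag-A", clone),
        "last_pair_genuine": db.authenticate("tag-A", genuine),
        "after_exhaustion": db.authenticate("tag-A", genuine),
    }


if __name__ == "__main__":
    print(demo())
```

Each authentication consumes one pair even when it fails, so the size of the table bounds how many times a tag can be checked before it has to be enrolled again.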

Information Security

Security of Read Operations


Ranges

Depend on the frequency

nominal

back channel

eavesdropping

rogue skimming/scanning

rogue command

traffic analysis

(without interpreting transmission)

forward channel eavesdropping


Power Analysis

ICs introduce electrical noise

Tag power consumption depends on internal operations

Submitting bits of kill passwords reveals whether they are correct

Limited application to EPC Gen 2 Tags

Countermeasures

Random noise

Tag redesign

Yossi Oren. Remote power analysis of rfid tags. Master’s thesis, Computer Network and Security Lab, Tel-Aviv University, 2006.


Power Analysis


Relaying

Pawel Rotter. A Framework for Assessing RFID System Security and Privacy Risks. IEEE Pervasive Computing, 7(2):70–77, June 2008.

out of range

dedicated network

ghost

leech

Relaying

Mafia fraud

Man-in-the-middle

Additional fraudulent reader & tag

No data alteration

Cannot be prevented by application level cryptographic protocols!

Terrorist fraud

No malicious reader

Tag is not honest and cooperates with malicious tag

Malicious tag is not aware of tag’s secrets

Chong Hee Kim, Gildas Avoine, François Koeune, François-Xavier Standaert, and Olivier Pereira. The swiss-knife RFID distance bounding protocol. In Proc. ICISC 2008, 2008.

Counter{feit,measures}

On labels: holographies, watermarks

In RFID: authentication protocols

Privacy

Computational constraints

Power

Space

Cost

Traceability

Forward: predict future information

Backward: successful identification based on past information

Standards compliance

The Learning Parity without Noise problem: several bit sequences are given and, for each, a parity value (XOR) computed with a function f. Determine f

Cryptography on tags

Three approaches

Standard cryptographic primitives

(Ultra)light cryptographic primitives

Hardware implementations (FPGA)

Block ciphers

Simplified AES

Public key

Security by obscurity

Karsten Nohl, David Evans, Starbug, and Henryk Plotz. Reverse-Engineering a Cryptographic RFID Tag. In 17th USENIX Security Symposium, July 2008.

Standard compliance

Daniel Bailey and Ari Juels. Shoehorning Security into the EPC Standard. International Conference on Security in Communication Networks – SCN 2006, September 2006.


Physical destruction

More relevant for privacy issues

Kill command

Clipped tags

Guenter Karjoth and Paul Moskowitz. Disabling RFID tags with visible confirmation: Clipped tags are silenced. Technical Report RC23710, IBM, 2005.

Exchanging keys securely

Narrowband radio frequencies are subject to

eavesdropping

jamming

side-channel attacks

Solutions:

Advanced modulation scheme

Ultra-wideband

Spreading code is kept secret

Key sharing across time and/or space

Noisy tags

Eavesdroppers cannot differentiate their signals from those of the queried tag

P. Yu, P. Schaumont, D. Ha. Securing RFID with Ultra-Wideband Modulation. RFIDSec 06, July 2006.

A. Juels, R. Pappu, B. Parno. Unidirectional Key Distribution Across Time and Space with Applications to RFID Security. In 17th USENIX Security Symposium, July 2008.

C. Castelluccia, G. Avoine. Noisy Tags: A Pretty Good Key Exchange Protocol for RFID Tags. CARDIS, April 2006.


Hash lock

Tags can operate in two states:

unlocked

locked

always reply with the metaID

To lock, store the metaID

To unlock, retrieve k from the backend and send it to the tag

Tags are unlocked for a short while

Stephen Weis, Sanjay Sarma, Ronald Rivest, and Daniel Engels. Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. International Conference on Security in Pervasive Computing – SPC 2003, March 2003. Springer-Verlag.
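The hash lock above as an added sketch (not code from the slides or from the cited paper), following the scheme of Weis et al. in which the metaID is the hash of the key k. SHA-256 as the hash, the class and method names, the tag ID, and modelling "a short while" as a fixed number of reads are assumptions.

```python
import hashlib
import hmac
import secrets


def h(data):
    return hashlib.sha256(data).digest()


class HashLockTag:
    def __init__(self, tag_id, reads_per_unlock=2):
        self._tag_id = tag_id
        self._meta_id = None          # set when the tag is first locked
        self._locked = False
        self._reads_per_unlock = reads_per_unlock
        self._reads_left = 0

    def lock(self, meta_id):
        if self._locked:
            return False              # a locked tag does not accept a new metaID
        self._meta_id, self._locked = meta_id, True
        return True

    def query(self):
        if self._locked:
            return ("metaID", self._meta_id)   # the only reply while locked
        reply = ("id", self._tag_id)
        if self._meta_id is not None:          # temporarily unlocked
            self._reads_left -= 1
            if self._reads_left == 0:
                self._locked = True            # window over: lock again
        return reply

    def unlock(self, key):
        # The tag hashes the offered key and compares it with its metaID.
        if self._locked and hmac.compare_digest(h(key), self._meta_id):
            self._locked = False
            self._reads_left = self._reads_per_unlock
            return True
        return False


class Backend:
    """Keeps the key k for every metaID it has issued."""

    def __init__(self):
        self._keys = {}               # metaID -> k

    def lock_tag(self, tag):
        key = secrets.token_bytes(16)
        meta_id = h(key)
        if not tag.lock(meta_id):
            return False
        self._keys[meta_id] = key
        return True

    def unlock_tag(self, tag):
        kind, value = tag.query()
        if kind != "metaID":
            return True               # tag is already unlocked
        key = self._keys.get(value)   # retrieve k from the backend
        return key is not None and tag.unlock(key)


def demo():
    tag = HashLockTag("CONSTRUCTED-TAG-0001")   # constructed tag ID
    owner, stranger = Backend(), Backend()
    out = {"locked": owner.lock_tag(tag)}
    out["reply_while_locked"] = tag.query()[0]
    out["guessed_key"] = tag.unlock(b"\x00" * 16)
    out["stranger_unlock"] = stranger.unlock_tag(tag)
    out["owner_unlock"] = owner.unlock_tag(tag)
    out["reads"] = [tag.query()[0] for _ in range(3)]
    return out


if __name__ == "__main__":
    print(demo())
```

A locked tag answers every reader with the same metaID, so that value still works as a stable identifier for tracking, and the key k crosses the air interface in the clear when the tag is unlocked.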

Unauthorized changes

Private memory on the tags

Readers can access it

Only the tag can write to it

Records changes to tag information

Akira Yamamoto, Shigeya Suzuki, Hisakazu Hada, Jin Mitsugi, Fumio Teraoka, and Osamu Nakamura. A Tamper Detection Method for RFID Tag Data. IEEE International Conference on RFID, pages 51–57, April 2008.


Prevent eavesdropping

In EPC, tags can “mask” (XOR) responses with a random 16-bit value

Weak security

Combine RFID with optical memory

Optical communication is more secure

Optical memory may store access keys

Mikko Lehtonen, Thorsten Staake, Florian Michahelles, and Elgar Fleisch. Strengthening the Security of Machine Readable Documents by Combining RFID and Optical Memory Devices. In Ambient Intelligence Developments Conference – AmI.d, September 2006.


Prevent server impersonation

RFID memory is not tamper-proof

Too costly

Compromised tags can cause desynchronization with database

Countermeasures:

Digital signature

Not viable

Additional tag storing most recently used secret

Not viable

Tags authenticate the server


Information Security

Security of Write Operations


Security of write operations

Recycle solutions for read operations


Timings

Writes may take longer than reads

Some skimming-like scenarios vanish


Faulty writes

Tags may confirm faulty writes

Wrong data has been written

Data has not been written at all

Caused by

Temporary antenna failure

Radio interference

Laser radiation

Michael Hutter, Jörn-Marc Schmidt, and Thomas Plos. RFID and Its Vulnerability to Faults. Proceedings of the 10th International Workshop Cryptographic Hardware and Embedded Systems, CHES 2008, August 2008. Springer.


Focus

0100101110100...


Information Security

Security of Data (and Infrastructure)


Backend vulnerabilities

Each component of an RFID system may be vulnerable

Compromising a component reflects on others

Compromising tags may affect the backend!


Backend vulnerabilities

0100101110100...


Malware

The world's first RFID chip infected with a virus

Melanie Rieback, Bruno Crispo, and Andrew Tanenbaum. Is your cat infected with a computer virus? In Proc. IEEE PerCom 2006, 2006.

Security of existing applications


Security of existing applications

e-Passports

ICAO (International Civil Aviation Organization) requires:

compulsory authentication of passport data, signed by the issuer

(optionally) access control based on cryptographic keys

(optionally) public key authentication of the passport

Vulnerabilities still exist

Transferability (verifier becomes prover)

Reset attacks (same coin toss by resetting internal state of one party)

Carlo Blundo, Giuseppe Persiano, Ahmad-Reza Sadeghi, and Ivan Visconti. Resettable and Non-Transferable Chip Authentication for ePassports. In Conference on RFID Security, Budapest, Hungary, July 2008.

Reset attacks: reset the internal state of a protocol


Security of existing applications

Car ignition: Keeloq

Manufacturer has master secret

Cars have unique ID

MASTER ⊕ ID = car’s secret key

Finding 1 key leads to the master secret!!

~2 days on a cluster of 50 Dual-Cores

“Soon, cryptographers will all drive expensive cars” :-)

Sebastian Indesteege, Nathan Keller, Orr Dunkelman, Eli Biham, and Bart Preneel. A practical attack on keeloq. In Proc. Eurocrypt 2008, 2008.

Security of existing applications

Credit cards

First-generation

Holder, number, expire date are transmitted in clear text

Thomas S. Heydt-Benjamin, Dan V. Bailey, Kevin Fu, Ari Juels, and Tom O’Hare. Vulnerabilities in First-Generation RFID-Enabled Credit Cards. Manuscript, October 2006.


Security of existing applications

Medical implants

Some defibrillators are vulnerable

175KHz ⇒ low range!

Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. In Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, May 2008.


Security of existing applications

MIFARE

Widespread for contactless smart cards

ISO 14443 type A (HF, 13.56MHz)

~10cm operating distance

About 16KB memory, fragmented in sectors

Buggy pseudorandom generator

The 1st sector can be overwritten!

Each sector for which one block is known can be overwritten!

Based on active attack, requires eavesdropping response from legitimate tag

Secret keys still inaccessible


Skimmer

“Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?”

Skim ~ quick eavesdrop

As cheap as $150 to build

Readily available computer & radio components

Solution: shield

http://www.difrwear.com/

http://www.idstronghold.com/

Thomas S. Heydt-Benjamin, Dan V. Bailey, Kevin Fu, Ari Juels, and Tom O’Hare. Vulnerabilities in First-Generation RFID-Enabled Credit Cards. Manuscript, October 2006.

Ilan Kirschenbaum and Avishai Wool. How to Build a Low-Cost, Extended-Range RFID Skimmer. Cryptology ePrint Archive, Report 2006/054, 2006.


References

http://www.avoine.net/rfid/

B. Palazzi, M. Rimondini. Survey su RFID e Sicurezza. TR. Feb 2009. (in Italian)

http://mifare.net/

http://www.rfidjournal.com/

http://www.verayo.com/

Ch01-Introduction.pptx

Chapter 1 - Introduction


5/29/2019

Introduction

Defining Security

The security of a system, application, or protocol is always relative to

A set of desired properties

An adversary with specific capabilities

For example, standard file access permissions in Linux and Windows are not effective against an adversary who can boot from a CD


Security Goals


Integrity

Confidentiality

Availability

C.I.A.

Confidentiality

Confidentiality is the avoidance of the unauthorized disclosure of information.

Confidentiality involves the protection of data, providing access for those who are allowed to see it while disallowing others from learning anything about its content.


Tools for Confidentiality

Encryption: the transformation of information using a secret, called an encryption key, so that the transformed information can only be read using another secret, called the decryption key (which may, in some cases, be the same as the encryption key).

[Figure: the Sender encrypts plaintext with a shared secret key; the ciphertext crosses the communication channel, where an Attacker is eavesdropping; the Recipient decrypts it back to plaintext with the shared secret key]

Tools for Confidentiality

Access control: rules and policies that limit access to confidential information to those people and/or systems with a “need to know.”

This need to know may be determined by identity, such as a person’s name or a computer’s serial number, or by a role that a person has, such as being a manager or a computer security specialist.

Tools for Confidentiality

Authentication: the determination of the identity or role that someone has. This determination can be done in a number of different ways, but it is usually based on a combination of

something the person has (like a smart card or a radio key fob storing secret keys),

something the person knows (like a password),

something the person is (like a human with a fingerprint).

[Figure: Something you have: radio token with secret keys. Something you know: password=ucIb()w1V, mother=Jones, pet=Caesar. Something you are: human with fingers and eyes.]

Tools for Confidentiality

Authorization: the determination if a person or system is allowed access to resources, based on an access control policy.

Such authorizations should prevent an attacker from tricking the system into letting him have access to protected resources.

Physical security: the establishment of physical barriers to limit access to protected computational resources.

Such barriers include locks on cabinets and doors, the placement of computers in windowless rooms, the use of sound dampening materials, and even the construction of buildings or rooms with walls incorporating copper meshes (called Faraday cages) so that electromagnetic signals cannot enter or exit the enclosure.

Integrity

Integrity: the property that information has not been altered in an unauthorized way.

Tools:

Backups: the periodic archiving of data.

Checksums: the computation of a function that maps the contents of a file to a numerical value. A checksum function depends on the entire contents of a file and is designed in a way that even a small change to the input file (such as flipping a single bit) is highly likely to result in a different output value.

Data correcting codes: methods for storing data in such a way that small changes can be easily detected and automatically corrected.

Availability

Availability: the property that information is accessible and modifiable in a timely fashion by those authorized to do so.

Tools:

Physical protections: infrastructure meant to keep information available even in the event of physical challenges.

Computational redundancies: computers and storage devices that serve as fallbacks in the case of failures.

Other Security Concepts

A.A.A.

Authenticity

Anonymity

Assurance

Assurance

Assurance refers to how trust is provided and managed in computer systems.

Trust management depends on:

Policies, which specify behavioral expectations that people or systems have for themselves and others.

For example, the designers of an online music system may specify policies that describe how users can access and copy songs.

Permissions, which describe the behaviors that are allowed by the agents that interact with a person or system.

For instance, an online music store may provide permissions for limited access and copying to people who have purchased certain songs.

Protections, which describe mechanisms put in place to enforce permissions and policies.

We could imagine that an online music store would build in protections to prevent people from unauthorized access and copying of its songs.

Authenticity

Authenticity is the ability to determine that statements, policies, and permissions issued by persons or systems are genuine.

Primary tool:

digital signatures. These are cryptographic computations that allow a person or system to commit to the authenticity of their documents in a unique way that achieves nonrepudiation, which is the property that authentic statements issued by some person or system cannot be denied.

Anonymity

Anonymity: the property that certain records or transactions are not attributable to any individual.

Tools:

Aggregation: the combining of data from many individuals so that disclosed sums or averages cannot be tied to any individual.

Mixing: the intertwining of transactions, information, or communications in a way that cannot be traced to any individual.

Proxies: trusted agents that are willing to engage in actions for an individual in a way that cannot be traced back to that person.

Pseudonyms: fictional identities that can fill in for real identities in communications and transactions, but are otherwise known only to a trusted entity.

Threats and Attacks

Eavesdropping: the interception of information intended for someone else during its transmission over a communication channel.

[Figure: Alice, Bob, Eve]

Threats and Attacks

Alteration: unauthorized modification of information.

Example: the man-in-the-middle attack, where a network stream is intercepted, modified, and retransmitted.

[Figure: the sender encrypts plaintext M with the shared secret key into ciphertext C; an attacker intercepting the communication channel replaces it with ciphertext C′; the recipient decrypts with the shared secret key and obtains plaintext M′.]

Threats and Attacks

Denial-of-service: the interruption or degradation of a data service or information access.

Example: email spam, to the degree that it is meant to simply fill up a mail queue and slow down an email server.

Threats and Attacks

Masquerading: the fabrication of information that is purported to be from someone who is not actually the author.

“From: Alice”

(really is from Eve)

Threats and Attacks

Repudiation: the denial of a commitment or data receipt.

This involves an attempt to back out of a contract or a protocol that requires the different parties to provide receipts acknowledging that data has been received.

Public domain image from http://commons.wikimedia.org/wiki/File:Plastic_eraser.jpeg

Threats and Attacks

Correlation and traceback: the integration of multiple data sources and information flows to determine the source of a particular data stream or piece of information.

The Ten Security Principles

Security Principles

Economy of mechanism

Fail-safe defaults

Complete mediation

Open design

Separation of privilege

Least privilege

Least common mechanism

Psychological acceptability

Work factor

Compromise recording

Economy of mechanism

This principle stresses simplicity in the design and implementation of security measures.

While applicable to most engineering endeavors, the notion of simplicity is especially important in the security domain, since a simple security framework facilitates its understanding by developers and users and enables the efficient development and verification of enforcement methods for it.

Fail-safe defaults

This principle states that the default configuration of a system should have a conservative protection scheme.

For example, when adding a new user to an operating system, the default group of the user should have minimal access rights to files and services. Unfortunately, operating systems and applications often have default options that favor usability over security.

This has been historically the case for a number of popular applications, such as web browsers that allow the execution of code downloaded from the web server.

Complete mediation

The idea behind this principle is that every access to a resource must be checked for compliance with a protection scheme.

As a consequence, one should be wary of performance improvement techniques that save the results of previous authorization checks, since permissions can change over time.

For example, an online banking web site should require users to sign on again after a certain amount of time, say, 15 minutes, has elapsed.

Open design

According to this principle, the security architecture and design of a system should be made publicly available.

Security should rely only on keeping cryptographic keys secret.

Open design allows for a system to be scrutinized by multiple parties, which leads to the early discovery and correction of security vulnerabilities caused by design errors.

The open design principle is the opposite of the approach known as security by obscurity, which tries to achieve security by keeping cryptographic algorithms secret and which has been historically used without success by several organizations.

Separation of privilege

This principle dictates that multiple conditions should be required to achieve access to restricted resources or have a program perform some action.

Least privilege

Each program and user of a computer system should operate with the bare minimum privileges necessary to function properly.

If this principle is enforced, abuse of privileges is restricted, and the damage caused by the compromise of a particular application or user account is minimized.

The military concept of need-to-know information is an example of this principle.

Least common mechanism

In systems with multiple users, mechanisms allowing resources to be shared by more than one user should be minimized.

For example, if a file or application needs to be accessed by more than one user, then these users should have separate channels by which to access these resources, to prevent unforeseen consequences that could cause security problems.

Psychological acceptability

This principle states that user interfaces should be well designed and intuitive, and all security-related settings should adhere to what an ordinary user might expect.

Work factor

According to this principle, the cost of circumventing a security mechanism should be compared with the resources of an attacker when designing a security scheme.

A system developed to protect student grades in a university database, which may be attacked by snoopers or students trying to change their grades, probably needs less sophisticated security measures than a system built to protect military secrets, which may be attacked by government intelligence organizations.

Compromise recording

This principle states that sometimes it is more desirable to record the details of an intrusion than to adopt more sophisticated measures to prevent it.

Internet-connected surveillance cameras are a typical example of an effective compromise record system that can be deployed to protect a building in lieu of reinforcing doors and windows.

The servers in an office network may maintain logs for all accesses to files, all emails sent and received, and all web browsing sessions.

Topic: Access Control

Users and groups

Authentication

Passwords

File protection

Access control lists

Which users can read/write which files?

Are my files really safe?

What does it mean to be root?

What do we really want to control?

Access Control Matrices

A table that defines permissions.

Each row of this table is associated with a subject, which is a user, group, or system that can perform actions.

Each column of the table is associated with an object, which is a file, directory, document, device, resource, or any other entity for which we want to define access rights.

Each cell of the table is then filled with the access rights for the associated combination of subject and object.

Access rights can include actions such as reading, writing, copying, executing, deleting, and annotating.

An empty cell means that no access rights are granted.

Example Access Control Matrix

Access Control Lists

It defines, for each object, o, a list, L, called o’s access control list, which enumerates all the subjects that have access rights for o and, for each such subject, s, gives the access rights that s has for object o.

/etc/passwd: root: r,w; mike: r; roberto: r; backup: r

/usr/bin/: root: r,w,x; mike: r,x; roberto: r,x; backup: r,x

/u/roberto/: root: r,w,x; roberto: r,w,x; backup: r,x

/admin/: root: r,w,x; backup: r,x

Capabilities

Takes a subject-centered approach to access control. It defines, for each subject s, the list of the objects for which s has nonempty access control rights, together with the specific rights for each such object.

root: /etc/passwd: r,w,x; /usr/bin: r,w,x; /u/roberto: r,w,x; /admin/: r,w,x

roberto: /etc/passwd: r; /usr/bin: r; /u/roberto: r,w,x

mike: /etc/passwd: r; /usr/bin: r,x

backup: /etc/passwd: r,x; /usr/bin: r,x; /u/roberto: r,x; /admin/: r,x
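The access control matrix, access control list and capability slides describe three views of the same permissions. The following is an added example, not part of the original slides: it stores the matrix sparsely, derives both views from it, and answers access checks with a default-deny rule. Cell values follow the access control list figure; the function names are assumptions made for this illustration.

```python
"""Access control matrix with its two derived views (added example)."""

# Sparse matrix: subject -> object -> set of rights. A missing cell means
# "no rights". Cell values follow the access control list figure.
MATRIX = {
    "root":    {"/etc/passwd": {"r", "w"}, "/usr/bin/": {"r", "w", "x"},
                "/u/roberto/": {"r", "w", "x"}, "/admin/": {"r", "w", "x"}},
    "mike":    {"/etc/passwd": {"r"}, "/usr/bin/": {"r", "x"}},
    "roberto": {"/etc/passwd": {"r"}, "/usr/bin/": {"r", "x"},
                "/u/roberto/": {"r", "w", "x"}},
    "backup":  {"/etc/passwd": {"r"}, "/usr/bin/": {"r", "x"},
                "/u/roberto/": {"r", "x"}, "/admin/": {"r", "x"}},
}


def is_allowed(matrix, subject, obj, right):
    """Default deny: unknown subject, unknown object or empty cell -> False."""
    return right in matrix.get(subject, {}).get(obj, set())


def to_acls(matrix):
    """Column view: object -> {subject: rights}, kept with the object."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_capabilities(matrix):
    """Row view: subject -> {object: rights}, held by the subject."""
    return {s: {o: set(r) for o, r in row.items() if r}
            for s, row in matrix.items() if any(row.values())}


def revoke(matrix, subject, obj):
    """Empty one cell; both views reflect it the next time they are built."""
    matrix.get(subject, {}).pop(obj, None)


def fmt(rights):
    """Render a set of rights in the slide's 'r,w,x' order."""
    return ",".join(x for x in "rwx" if x in rights)


if __name__ == "__main__":
    for obj, entries in to_acls(MATRIX).items():
        print(obj, "->", "; ".join(f"{s}: {fmt(r)}" for s, r in entries.items()))
    for subj, entries in to_capabilities(MATRIX).items():
        print(subj, "->", "; ".join(f"{o}: {fmt(r)}" for o, r in entries.items()))
    print("mike may write /etc/passwd:",
          is_allowed(MATRIX, "mike", "/etc/passwd", "w"))
```

The ACL view answers "who can touch this object?" in one lookup, while the capability view answers "what can this subject touch?"; auditing the opposite question in either view means scanning every list.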

Role-based Access Control

Define roles and then specify access control rights for these roles, rather than for subjects directly.

[Figure: role hierarchy with the roles Department Member, Administrative Personnel, Accountant, Secretary, Administrative Manager, Faculty, Lab Technician, Lab Manager, Student, Undergraduate Student, Graduate Student, Department Chair, Technical Personnel, Backup Agent, System Administrator, Undergraduate TA, Graduate TA.]

Cryptographic Concepts

Encryption: a means to allow two parties, customarily called Alice and Bob, to establish confidential communication over an insecure channel that is subject to eavesdropping.

[Figure: Alice, Bob, Eve]

Encryption and Decryption

The message M is called the plaintext.

Alice will convert plaintext M to an encrypted form using an encryption algorithm E that outputs a ciphertext C for M.

[Figure: the sender encrypts the plaintext with the shared secret key; the ciphertext crosses the communication channel, where an attacker is eavesdropping; the recipient decrypts it with the shared secret key to recover the plaintext.]

Encryption and Decryption

As equations:

C = E(M)

M = D(C)

The encryption and decryption algorithms are chosen so that it is infeasible for someone other than Alice and Bob to determine plaintext M from ciphertext C. Thus, ciphertext C can be transmitted over an insecure channel that can be eavesdropped by an adversary.

Cryptosystem

The set of possible plaintexts

The set of possible ciphertexts

The set of encryption keys

The set of decryption keys

The correspondence between encryption keys and decryption keys

The encryption algorithm to use

The decryption algorithm to use

Caesar Cipher

Replace each letter with the one “three over” in the alphabet.

Public domain image from http://commons.wikimedia.org/wiki/File:Caesar3.svg

Symmetric Cryptosystems

Alice and Bob share a secret key, which is used for both encryption and decryption.

[Figure: the sender encrypts the plaintext with the shared secret key; the ciphertext crosses the communication channel, where an attacker is eavesdropping; the recipient decrypts it with the shared secret key to recover the plaintext.]

Symmetric Key Distribution

Requires each pair of communicating parties to share a (separate) secret key.

[Figure: each pair of parties holds its own shared secret: n(n-1)/2 keys]

Public-Key Cryptography

Bob has two keys: a private key, S_B, which Bob keeps secret, and a public key, P_B, which Bob broadcasts widely.

In order for Alice to send an encrypted message to Bob, she need only obtain his public key, P_B, use that to encrypt her message, M, and send the result, C = E_{P_B}(M), to Bob. Bob then uses his secret key to decrypt the message as M = D_{S_B}(C).

Public-Key Cryptography

Separate keys are used for encryption and decryption.

[Figure: the sender encrypts the plaintext with the public key; the ciphertext crosses the communication channel, where an attacker is eavesdropping; the recipient decrypts it with the private key to recover the plaintext.]

Public Key Distribution

Only one key is needed for each recipient

[Figure: each party holds a private key and publishes a public key: n key pairs]

Digital Signatures

Public-key encryption provides a method for doing digital signatures

To sign a message, M, Alice just encrypts it with her private key, S_A, creating C = E_{S_A}(M).

Anyone can decrypt this message using Alice’s public key, as M’ = D_{P_A}(C), and compare that to the message M.

Cryptographic Hash Functions

A checksum on a message, M, that is:

One-way: it should be easy to compute Y=H(M), but hard to find M given only Y

Collision-resistant: it should be hard to find two messages, M and N, such that H(M)=H(N).

Examples: SHA-1, SHA-256.

Message Authentication Codes

Allows for Alice and Bob to have data integrity, if they share a secret key.

Given a message M, Alice computes H(K||M) and sends M and this hash to Bob.

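[Figure: the sender computes a MAC over message M with hash function h and the shared secret key and sends both over the communication channel; an attacker modifies the message to M’; the recipient computes the MAC of the received message with h and the shared secret key and compares the computed MAC with the received MAC; if they differ, the attack is detected. Sample MAC values shown in the figure: 6B34339, 4C66809, 87F9024.]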
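The exchange on this slide, as an added example that is not part of the original slides. It implements H(K||M) with SHA-256 as the slide states, and next to it HMAC-SHA-256, the standardized keyed-hash construction, because a bare H(K||M) over a Merkle-Damgård hash such as SHA-256 is exposed to length extension. The key, the message and all function names are constructed for illustration.

```python
"""MAC exchange between Alice and Bob with a modifying attacker (added example)."""
import hashlib
import hmac
import secrets


def mac_prefix(key: bytes, message: bytes) -> bytes:
    """The slide's construction: H(K || M), here with H = SHA-256."""
    return hashlib.sha256(key + message).digest()


def mac_hmac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256 (RFC 2104), the construction to prefer in practice."""
    return hmac.new(key, message, hashlib.sha256).digest()


def alice_send(key, message, mac=mac_hmac):
    """Alice transmits the message together with its MAC."""
    return message, mac(key, message)


def bob_verify(key, message, tag, mac=mac_hmac) -> bool:
    """Bob recomputes the MAC over what he received and compares it with
    the received MAC in constant time."""
    return hmac.compare_digest(mac(key, message), tag)


def attacker_modify(message, tag):
    """Constructed attacker without the key: alters the message and can only
    forward the old MAC or substitute an unkeyed hash of the new message."""
    altered = message.replace(b"100", b"900")
    return [(altered, tag), (altered, hashlib.sha256(altered).digest())]


def run_exchange(mac=mac_hmac):
    """Return Bob's verdict for the untouched and the modified messages."""
    key = secrets.token_bytes(32)        # shared secret key (constructed)
    message = b"pay Bob 100 dollars"     # constructed sample message
    m, tag = alice_send(key, message, mac)
    results = {"untouched": bob_verify(key, m, tag, mac)}
    labels = ("old MAC", "unkeyed hash")
    for label, (m2, t2) in zip(labels, attacker_modify(m, tag)):
        results[label] = bob_verify(key, m2, t2, mac)
    return results


if __name__ == "__main__":
    for label, mac in (("H(K||M)", mac_prefix), ("HMAC", mac_hmac)):
        print(label, run_exchange(mac))
```

A MAC gives integrity between the two key holders only: either of them can produce a valid tag, so it does not provide the nonrepudiation that the digital signature slide describes.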

Digital Certificates

A certificate authority (CA) digitally signs a binding between an identity and the public key for that identity.

Passwords

A short sequence of characters used as a means to authenticate someone via a secret that they know.

Userid: _________________

Password: ______________

How is a password stored?

[Figure: User, password Dog124, hash function, password file with the entry Butch:ASDSA 21QW3R50E ERWWER323]

Strong Passwords

What is a strong password?

UPPER/lower case characters

Special characters

Numbers

When is a password strong?

Seattle1

M1ke03

P@$$w0rd

TD2k5secV

Move to another section

Password Complexity

A fixed 6-symbol password:

Numbers: 10^6 = 1,000,000

UPPER or lower case characters: 26^6 = 308,915,776

UPPER and lower case characters: 52^6 = 19,770,609,664

32 special characters (&, %, $, £, “, |, ^, §, etc.): 32^6 = 1,073,741,824

94 practical symbols available: 94^6 = 689,869,781,056

ASCII standard 7 bit (2^7 = 128 symbols): 128^6 = 4,398,046,511,104

Password Length

26 UPPER/lower case characters = 52 characters

10 numbers

32 special characters

=> 94 characters available

5 characters: 94^5 = 7,339,040,224

6 characters: 94^6 = 689,869,781,056

7 characters: 94^7 = 64,847,759,419,264

8 characters: 94^8 = 6,095,689,385,410,816

9 characters: 94^9 = 572,994,802,228,616,704

Password Validity: Brute Force Test

Password does not change for 60 days

How many passwords must be tried each second?

5 characters: 1,415 PW /sec

6 characters: 133,076 PW /sec

7 characters: 12,509,214 PW /sec

8 characters: 1,175,866,008 PW /sec

9 characters: 110,531,404,750 PW /sec

Secure Passwords

A strong password includes characters from at least three of the following groups:

Use passphrases, e.g. "I re@lly want to buy 11 Dogs!"

Social Engineering

Pretexting: creating a story that convinces an administrator or operator into revealing secret information.

Baiting: offering a kind of “gift” to get a user or agent to perform an insecure action.

Quid pro quo: offering an action or service and then expecting something in return.

Ch02-ComputerForensics.pptx

Computer Forensics

What is Computer Forensics?

Scientific process of preserving, identifying, extracting, documenting, and interpreting data on a computer

Used to obtain potential legal evidence

Computer Forensics Procedures

The Forensic Paradigm

Identify specific objects that store important data for the case analysis

Establish a chain of custody and document all steps to prove that the collected data remains intact and unaltered

Determine the type of information stored on digital evidence and conduct a thorough analysis of the media

Prepare and deliver an official report

[Figure: Identification, Collection, Analysis and Evaluation, Reporting]

Identification: Common Mistakes …

You are the investigator: which objects do you think will be useful for the investigation?

Computer (case and power supply)

Just the hard drive (without computer)

Monitor

Keyboard and mouse

Media (CD, DVD, USB drives, etc.)

Printer

Digital forensics does not replace traditional forensic analysis

Any action that modifies the crime scene could invalidate evidence in court

Collection

To collect computer evidence, care must be taken not to change the evidence

Imaging media using a write-blocking tool to ensure the suspect device is not modified

Establishing and maintaining the chain of custody

Documenting everything that has been done

Using only tools and methods that have been tested and evaluated to validate their accuracy and reliability

Forensic Constraints

Chain of custody

Maintain possession of all objects

Must be able to trace evidence back to source

“Prove” source integrity

Priority by volatility

Some data is more volatile

RAM > swap > disk > CDs/DVDs

Idea: capture more volatile evidence first

Image Evidence: Laptop

LAPTOP at Crime Scene

USB ADAPTER

EVIDENCE DISK

DATA CABLE

Why Use Images

Information on digital media is easily changed.

Once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken

A common practice is to calculate a cryptographic hash to establish a check point

Examining a live file system changes the state of the evidence

The computer/media is the “crime scene”

Protecting the crime scene is paramount as once evidence is contaminated, it cannot be decontaminated

Really only one chance to do it right!

Collection: Common Mistakes …

What is the first step to collect evidence, when you find:

A computer turned on

A computer turned off

A computer on a crime scene should be considered fully adversarial

Analysis and Evaluation

Know where evidence can be found

Understand techniques used to hide or “destroy” digital data

Toolbox of techniques to discover hidden data and recover “destroyed” data

Cope with HUGE quantities of digital data…

Ignore the irrelevant, target the relevant

Thoroughly understand circumstances which may make “evidence” unreliable

If you have a hard drive with a broken sector that gives different results, what happens when you hash the entire drive?
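One way to work through the question above, as an added example that is not part of the original slides: a simulated drive is acquired twice, hashing both the whole image and fixed-size chunks of it. The `FlakyDisk` class, the 512-byte sector size, the 8-sector chunk size and the assumption that the bad sector reads back differently on every attempt are all constructed for illustration.

```python
"""Whole-image hash versus per-chunk hashes on an unstable drive (added example)."""
import hashlib

SECTOR = 512  # bytes per sector (assumed)


class FlakyDisk:
    """Constructed stand-in for a drive whose one bad sector returns
    different bytes on every read attempt."""

    def __init__(self, data: bytes, bad_sector=None):
        if len(data) % SECTOR:
            raise ValueError("data must be a whole number of sectors")
        self.data = data
        self.bad_sector = bad_sector
        self.reads = 0

    @property
    def n_sectors(self):
        return len(self.data) // SECTOR

    def read_sector(self, i: int) -> bytes:
        block = self.data[i * SECTOR:(i + 1) * SECTOR]
        if i == self.bad_sector:
            self.reads += 1
            # Unstable read: first byte depends on the attempt number.
            block = bytes([self.reads & 0xFF]) + block[1:]
        return block


def acquire(disk, chunk_sectors=8):
    """Read the disk once; return (whole-image SHA-256, list of chunk SHA-256)."""
    whole = hashlib.sha256()
    chunks = []
    for first in range(0, disk.n_sectors, chunk_sectors):
        h = hashlib.sha256()
        for i in range(first, min(first + chunk_sectors, disk.n_sectors)):
            block = disk.read_sector(i)
            whole.update(block)
            h.update(block)
        chunks.append(h.hexdigest())
    return whole.hexdigest(), chunks


def differing_chunks(a, b):
    """Indexes of chunks whose hashes disagree between two acquisitions."""
    if len(a) != len(b):
        raise ValueError("acquisitions cover different numbers of chunks")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def make_disk(bad_sector=21):
    """64-sector constructed image with deterministic filler content."""
    data = bytes((i * 7 + 3) % 256 for i in range(64 * SECTOR))
    return FlakyDisk(data, bad_sector)


if __name__ == "__main__":
    disk = make_disk()
    whole1, chunks1 = acquire(disk)
    whole2, chunks2 = acquire(disk)
    print("whole-image hashes match:", whole1 == whole2)
    print("chunks that differ:", differing_chunks(chunks1, chunks2))
```

The whole-image hash changes between acquisitions and so proves nothing about the rest of the drive, while the chunk hashes confine the disagreement to the chunk holding the bad sector and still vouch for every other chunk.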

Where is the Evidence?

Undeleted files, expect some names to be incorrect

Deleted files

Windows registry

Print spool files

Hibernation files

Temp files (all those .TMP files in Windows!)

Slack space

Swap files

Internet browsing histories

Alternate or “hidden” partitions

On a variety of removable media (USB drives, backup tapes, …)

Hidden Data in the Hard Drive Slack Space

Slack space is the space between

The logical end of the file (i.e., the end of the data actually in the file) and

The physical end of the file (i.e., the end of the last sector devoted to the file).

Digital Forensics Tools

Forensics tools are typically command line tools that are guaranteed not to alter the disk:

HELIX: a live CD with plenty of forensic tools ready to be used

ENCASE: a series of proprietary forensic software products produced by Guidance Software

Open Source vs. Closed Source

Commercial products such as EnCase are recognized by law. What is the best approach?

How to Hide Data?

Cryptography

Steganography

The process of hiding data inside other data (e.g. image files).

Change file names and extensions

E.g. rename a .doc file to a .tmp file

Hidden tracks

Most hard disks have a number of hidden tracks (i.e. track 0)

They can be used to hide/read data by using a hex editor

Deleted Files

Not truly deleted, merely marked for deletion.

During forensic analysis it is important not to use any tools that write to the disk

Why Create a Duplicate Image?

A file copy does not recover all data areas of the device for examination

Working from a duplicate image

Preserves the original evidence

Prevents inadvertent alteration of original evidence during examination

Allows recreation of the duplicate image if necessary

CCSP Fall 2005

10/25/2005

Scott L. Ksander

Never do anything that might inadvertently cause something to be written to the suspect’s original media.

Bitstream vs. Backups

Forensic copies (Bitstream)

Bit for bit copying captures all the data on the copied media

Including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files etc.)

Often the “smoking gun” is found in the residual data.

Logical vs. physical image

Reporting

Accurately describe the details of an incident

Be understandable to decision makers

Be able to withstand legal scrutiny

Be unambiguous and not open to misinterpretation

Be easily referenced

Contain all information required to explain the conclusions

Offer valid conclusions, opinions, or recommendations when needed

Create report in a timely manner

Anti-Forensic and Data Security

Anti-forensic techniques try to frustrate forensic investigators and their techniques

Securely deleting data, so that it cannot be restored with forensic methods

Prevent the creation of certain data in the first place

Data which was never there, obviously cannot be restored with forensic methods.

Privacy Through Media Destruction

Degausser Magnetic Field

or

or

thermite…

shredder

Disk Wiping

Simple erase

The data is still on the drive but the segment has been marked as available

Next time data is written to the drive it MAY overwrite the segment

Destructive erase

First overwrites all data in the file with random data

Next marks the segment as available

It may be possible to find ghost images of what was previously on the disk surface

Overwriting Hard Drive Data: The Great Wiping Controversy, ICISS 2008