Computer Security: Computer Science with Attackers Usable Privacy and Security
advertisement
Computer Security:
Computer Science with
Attackers
Usable Privacy and Security
Fall 2009
As told by David Brumley
1
Find X
There it
is
X is 5
X
3
4
2
My Security Axioms
I. Attackers Get Lucky
Defenders Do Not
II. Attackers are Creative
3
Agenda
• Examples of Axioms,
(aka, how to think like an attacker)
– Example I: Ken Thompson
– Example II: APEG
– Example III: RSA
• How to argue security
4
Ken Thompson
• Born Feb 4, 1943
• Notable Work:
–
–
–
–
B Programming Language
UNIX
Plan 9
Popularized regular
expressions
• 1983: Turing Award (joint
with Ritchie) for UNIX and
work in OS
• 1999: US National Medal of
Technology
• 1999: First IEEE Tsutomu
Kanai Award
5
A Self-Reproducing Program
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c"
;main(){printf(f,34,f,34,10);}
6
When Executed
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
main(){printf(f,34,f,34,10);}
printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c” ,34,f,34
,10);
char *f=
7
When Executed
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
main(){printf(f,34,f,34,10);}
printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c” ,34,f,34
,10);
// 34 ascii is a quote (“)
char *f=“
8
When Executed
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
main(){printf(f,34,f,34,10);}
printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c” ,34,f,34
,10);
char *f=“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c
9
When Executed
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
main(){printf(f,34,f,34,10);}
printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c” ,34,f,34
,10);
// 34 is a quote
char *f=“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”
10
When Executed
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
main(){printf(f,34,f,34,10);}
printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c” ,34,f,34
,10);
// 34 is a quote
char *f=“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”;
main() {printf(f,34,f,34,10);}
11
When Executed
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
main(){printf(f,34,f,34,10);}
printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c” ,34,f,34
,10);
// 10 is newline
char *f=“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”;
main() {printf(f,34,f,34,10);}
12
Note
• This program can contain an arbitrary amount
of excess baggage that will be reproduced
along with the main algorithm.
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c"
;main(){printf(f,34,f,34,10);}
13
The C Compiler
• The C compiler (cc) is written in C
• Special characters, such as newlines, quotes,
etc., are escaped with backslashes. This is
called a “character escape sequence”
c = next();
if(c != ‘\\’) // Note, since compiler itself is written in C, must escape
backslash
return c;
c = next();
if(c == ‘\\’)
return ‘\\’; // Will return “\\”
if(c == ‘n’)
return ‘\n’
etc.
14
Adding a New Escape Sequence
• The C compiler (cc) is written in C
• How do we add a new escape sequence?
– Not yet valid C until added to compiler
– But compiling modified compiler will not work
because not valid C
c = next();
if(c != ‘\\’) // Note, since compiler itself is written in C, must escape
backslash
return c;
c = next();
…
if(c == ‘v’)
return ‘\v’; /// INVALID!
etc.
15
What you do
• Solution: Encode in current valid C
• ‘\v’ is ASCII 11
c = next();
if(c != ‘\\’) // Note, since compiler itself is written in C, must escape
backslash
return c;
c = next();
…
if(c == ‘v’)
return 11; // Works
etc.
16
Checkpoint
• Can make a program that prints itself out
• Can change the semantics of a compiler
17
How a compiler works
Source
Language
Source Code
Compiler
Target
Language
get(s);
compile(s);
Executable
Code
18
Trojaning Login
Compiler
‘login’
get(s);
compile(s);
if(s == ‘login’)
compile(backdoor);
Trojaned
‘login’
19
Trojaning Compiler
Compiler
‘cc’
get(s);
compile(s);
if(s == ‘login’)
compile(backdoor);
if(s == ‘cc’)
compile(cc-backdoor);
Trojaned
‘cc’
20
Using Trojaned Compiler
Source
‘cc’
source
‘login’
source
Compiler
get(s);
compile(s);
if(s == ‘login’)
compile(backdoor);
if(s == ‘cc’)
compile(cc-backdoor);
Trojaned
‘cc’
trojaned
exec ‘cc’
trojaned
exec
‘login’
21
Agenda
• Examples of Axioms,
(aka, how to think like an attacker)
– Example I: Ken Thompson
– Example II: APEG
– Example III: RSA
• How to argue security
22
B
Buggy Program
P
Patched New Program
Patches Help Security
“Regularly Install Patches”
− Computer Security Wisdom
Patches Can Help Attackers
− Evil David
Evil David
Delayed
Patch
Attack
Evil David
Use Patch to
Gets
Reverse
Patch Engineer Bug
T1
T2
Attack Unpatched Users
Evil David’s Timeline
Patch Delay
N. America
gets patched
version P
[Gkantsidis et al 06]
Asia gets P
I can reverse engineer the patched
bug and create an
exploit
in
minutes
Minutes
Gets
Patch
T1
Reverse
Engineer Bug
T2
Attack Unpatched Users
Evil David’s Timeline
Intuition
Particular
Input
program
Bad
Trigger Bug
Good
Intuition
Exploit
program
B
Buggy Program
Bad
Good
Intuition
program
B
Buggy Program
Bad
Good
P
Patched Program
Patch leaks:
1) Where
2) How to exploit
Automatic
Patch-Based Exploit Generation
Step 1: Get
B
P
program
Bad
Step 3:
Automatically
Calculate
Exploit
Good
Step 2:
Diff B & P
Automatic
Patch-Based Exploit Generation
Step 1: Get
B
P
program
Bad
Step 3:
Automatically
Calculate
Exploit
Good
Profit!
Step 2:
Diff B & P
IE6 Bug Example
read input
B
if input % 2==0
F
s := input + 3
T
s := input + 2
ptr := realloc(ptr, s)
• All integers unsigned
32-bits
• All arithmetic mod 232
• B is binary code
IE6 Bug Example
input = 232-2
read input
B
232-2 % 2 == 0
if input % 2==0
F
s := input + 3
T
s := 0 (232-2 + 2 % 232)
s := input + 2
ptr := realloc(ptr, s)
ptr := realloc(ptr,0)
Using ptr is a problem
IE6 Bug Example
read input
B
Wanted:
s > input
if input % 2==0
F
s := input + 3
T
s := input + 2
ptr := realloc(ptr, s)
Integer Overflow when:
¬(s > input)
Patch
read input
B
read input
P
if input % 2==0
if input % 2==0
F
s := input + 3
T
s := input + 2
F
T
s := input + 3
ptr := realloc(ptr, s)
s := input + 2
if s > input
T
F
Error
ptr := realloc(ptr, s)
Patch
read input
B
read input
P
if input % 2==0
if input % 2==0
F
s := input + 3
T
s := input + 2
F
T
s := input + 3
ptr := realloc(ptr, s)
s := input + 2
if s > input
T
F
Error
ptr := realloc(ptr, s)
Exploits for B are inputs that fail
new safety condition check in P
(s > input) = false
Result Overview
ASPNet_Filter
Information Disclosure
29 sec
GDI
Hijack Control
135 sec
PNG
Hijack Control
131 sec
IE COMCTL32 (B)
Hijack Control
456 sec
IGMP
Denial of Service
186 sec
• No public exploit for 3 out of 5
• Exploit unique for other 2
Does Automatic Patch-Based Exploit Generation
Always Work?
NO!
However, in security attackers get lucky,
defenders do not
Current Delayed Patch Distribution Insecure
Intermission
40
Agenda
• Examples of Axioms,
(aka, how to think like an attacker)
– Example I: Ken Thompson
– Example II: APEG
– Example III: RSA
• How to argue security
41
RSA Cryptosystem
• Invented in 1978 by Rivest, Shamir, and
Adleman
• RSA is widely used
–
–
–
–
–
Apache+mod_SSL (https)
stunnel (Secure TCP/IP servers)
sNFS (Secure NFS)
bind (name service)
ssh (secure shell)
• We believe RSA is secure
42
RSA Algorithm
• RSA Initialization:
–
–
–
–
–
pick prime p (secret)
pick prime q (secret)
Let N = pq (N is public)
pick e (public)
Find d s.t. d*e = 1 mod (p1)(q-1) (private)
• RSA encryption of m:
calculate me mod N = c
• RSA decryption of c:
calculate cd mod N = m
•
•
•
•
p = 61, q = 53
N = 3233
e = 17
d = 2753
• Suppose m = 123
• c = 12317 mod 3233 =
855
• m = 8552753 mod 3233 =
123
Why is RSA Secure
• Step 1: define “security”
• Step 2: Show that RSA meets definition
44
Step 1: Define Security
Public Parameters
– N = pq (N is public)
– e (public)
Private Parameters
– p (secret)
– q (secret)
– d (derived from e, p, and q,
private)
RSA Problem:
Given N,e, me mod N, compute m
RSA is secure if the RSA problem
cannot be solved efficiently
45
Step 2: Show RSA Meets Definition
RSA Problem:
Given N,e, me mod N, compute m
Public Parameters
– N = pq (N is public)
– e (public)
Private Parameters
– p (secret)
– q (secret)
– d (derived from e, p, and q,
private)
Fact: we do not know RSA is
secure
46
2 Ways to Break RSA
RSA Problem:
Given N,e, me mod N, compute m
Fact: if we can factor, we can
break RSA
Public
N
e
Factoring
Algorithm
Private
p
q
d
Given me, we can decrypt just like
those who know d
47
2 Ways to Break RSA
RSA Problem:
Given N,e, me mod N, compute m
Fact: if we can take roots
modulo N, we can break RSA
Public
me mod N
Roots
m
48
Arguing Security
• Define what is public and private
• Define protocol
– What bad guy gets to see
– What bad guy cannot see
• Show that any run of the protocol the bad guy
– cannot see what he is not suppose to
– cannot efficiently compute what he is not suppose
to
49
I. Attackers Get Lucky
Defenders Do Not
50
NP Complete
(i.e., it could be difficult)
is Insufficient
Hard Instances
Problem Domain
Probability of picking a hard instance is low
51
We believe RSA is hard on average
assume
ciphertexts are
easy to decrypt
Random ciphertext c
Problem Domain
52
We believe RSA is hard on average
Can move instance
(homomorphism)
assume
ciphertexts are
easy to decrypt
Random ciphertext c
Problem Domain
53
II. Attackers are Creative
54
Breaking RSA in Practice
• RSA decryption: gd mod N = m
– d is private decryption exponent, N is public modulus
• Chinese remaindering (CRT) uses factors directly. N=pq,
and d1 and d2 are pre-computed from d:
1. m1 = gd1 mod q
2. m2 = gd2 mod p
3. combine m1 and m2 to yield m (mod N)
• Goal: learn factors of N.
Suppose I implement RSA as:
if (d == 1)
sleep(1)
decrypt(c)
if(d == 2)
sleep(2)
decrypt(c)
if(d==3)
sleep(3)
decrypt(c)
Time to decrypt
leaks key
56
RSA Decryption Time Variance
• Causes for decryption time variation:
– Which multiplication algorithm is used.
• OpenSSL uses both basic mult. and Karatsuba mult.
– Number of steps during a modular reduction
• modular reduction goal: given u, compute u mod q
• Occasional extra steps in OpenSSL’s reduction alg.
• There are MANY:
– multiplications by input c
– modular reductions by factor q (and p)
Reduction Timing Dependency
• Modular reduction:
given u, compute u
mod q.
– OpenSSL uses Montgomery reductions
[M’85] .
• Time variance in Montgomery
reduction:
– One extra step at end of reduction
algorithm
with probability
Pr[extra step]
(c mod q)
2q
Decryption Time
q
2q
Value c
p
Multiplication Timing Dependency
• Two algorithms in OpenSSL:
– Karatsuba (fast): Multiplying two numbers of
equal length
– Normal (slow): Multiplying two numbers of
different length
• To calc xc mod q OpenSSL does:
– When x is the same length as (c mod q), use
Karatsuba mult.
– Otherwise, use Normal mult.
Multiplication Summary
Decryption Time
Karatsuba
Multiplication
Normal Multiplication
c
c<q
q
c>q
Data Dependency Summary
• Decryption value c < q
– Montgomery effect: longer decryption time
– Multiplication effect: shorter decryption time
• Decryption value c > q
– Montgomery effect: shorter decryption time
– Multiplication effect: longer decryption time
Opposite effects! But one will always dominate
Timing Attack
High Level Attack:
1)
Suppose g=q for the top i-1 bits, and 0 elsewhere.
2)
ghi = g, but with the ith bit 1. Then g < ghi
Goal: decide if g<q<ghi or g<ghi<q
3)
Sample decryption time for g and ghi:
t1 = DecryptTime(g)
t2 = DecryptTime(ghi)
4)
If |t1 - t2| is large
else
q)
g and ghi
straddle q
don’t
straddle q
large vs. small
creates
0-1 gap
bit i is 0
(g < q < ghi)
bit i is 1
(g < ghi <
Timing Attack Details
• We know what is “large” and “small” from attack on previous
bits.
• Decrypting just c does not work because of sliding windows
– Decrypt a neighborhood of values near g
– Will increase diff. between large and small values
larger 0-1 gap
• Only need to recover 1/2 bits of q [C’97]
• Attack requires only 2 hours, about 1.4 million queries
The Zero-One Gap
Zero-one gap
How does this work with SSL?
How do we get the server to decrypt our c?
Normal SSL Decryption
1. ClientHello
Regular Client
SSL Server
2. ServerHello
(send public key)
3. ClientKeyExchange
(re mod N)
Result: Encrypted with computed shared master secret
Attack SSL Decryption
1. ClientHello
Attack Client
2. ServerHello
(send public key)
3. Record time t1
Send guess g or ghi
4. Alert
5. Record time t2
Compute t2 –t1
SSL Server
Attack requires accurate clock
• Attack measures 0.05% time difference
between g and ghi
– Only 0.001 seconds on a P4
• We use the CPU cycle counter as fineresolution clock
– “rdtsc” instruction on Intel
– “%tick” register on UltraSparc
Attack extract RSA private key
in OpenSSL
Montgomery reductions
Dominates
zero-one gap
Multiplication routine dominates
Attack extract RSA private key
Montgomery reductions
Dominates
zero-one gap
Multiplication routine dominates
Timing channels fell outside RSA
security game
RSA Problem:
Given N,e, me mod N, compute m
72
My Security Axioms
I. Attackers Get Lucky
Defenders Do Not
II. Attackers are Creative
73
Good Guy vs. Bad Guy
VS
Good Guy
Bad Guy
74
Good Guy vs. Many Bad Guys
VS
Good Guy
Bad Guys
75
What if they are powerful?
VS
Good Guy
76
My Work
I. Securing the entire
software lifecycle
77
Updating
Designing
Writing
Debugging
Releasing
Developer
Running
Installing
User
Exploiting
Verifying
My Work
I. Securing the entire
software lifecycle
II. Allowing everyone to
reason about the security
of the code they execute
79
BAP:
Binary Code Analysis Platform
• Binary code is everywhere
• Security of the code you run
(not just the code compiled)
Formal
Methods
Compilers
Programming
Languages
My Security Axioms
I. Attackers Get Lucky
Defenders Do Not
II. Attackers are Creative
82
Thoughts?
83
That is all I have for today.
84
