Uploaded by Bo7MD

Slide 1

advertisement
Introduction
ISEC 322: Design & Analysis of Sec Protocols
Ezedin Barka
Fall’23
Associated Course Learning Outcomes
 Discuss Internet and e-commerce security protocols.
 Analyze vulnerabilities associated with Internet and ecommerce protocols.
© Levente Buttyán
2
Outline
 TCP/IP networking overview
 protocols and known vulnerabilities
–
–
–
–
–
–
ARP / ARP spoofing
IP / eavesdropping, alteration, traffic analysis, etc.
TCP / SYN attack
Telnet, FTP / password sniffing
SMTP / e-mail forgery, eavesdropping, alteration
DNS / DNS spoofing
 more known security problems
–
–
–
–
Web forms, cookies, and CGI scripts
mobile code (Java scripts, Java applets, and ActiveX controls)
denial of service (DoS)
exploiting bugs in software (buffer overflow problems)
 outline of the course
© Levente Buttyán
3
TCP/IP layering
HTTP
application
…
FTP
DNS
SMTP
…
SNMP
transport
UDP
TCP/IP networking overview
TCP
network
IGMP
ICMP
IP
ARP
hardware
interface
media
© Levente Buttyán
link
RARP
4
An example
end system
end system
HTTP
client
HTTP
server
HTTP
TCP
TCP
TCP
TCP/IP networking overview
router
IP
Ethernet
driver
IP
Ethernet
protocol
Ethernet
© Levente Buttyán
IP
IP
Ethernet
driver
token ring
driver
token
ring
protocol
IP
token ring
driver
token ring
5
Encapsulation
user data
HTTP
client
HTTP hdr
TCP
TCP hdr
TCP/IP networking overview
IP
IP hdr
Ethernet
driver
Eth. hdr
tr.
Ethernet
© Levente Buttyán
6
Demultiplexing
HTTP
FTP
…
DNS
SNMP
SMTP
TCP
TCP/IP networking overview
…
UDP
IGMP
ICMP
IP
demuxing based on
the port number
in the TCP or UDP
header
demuxing based on the
protocol id in the IP header
RARP
ARP
Ethernet
driver
© Levente Buttyán
demuxing based on frame type
in the Ethernet header
7
Names and addresses
 IP addresses
TCP/IP networking overview
– every interface has a unique IP address
– 32 bits long, usually given in dotted decimal notation
– 5 classes:
•
•
•
•
•
class A: “0” + 7 bits net ID + 24 bits host ID
class B: “10” + 14 bits net ID + 16 bits host ID
class C: “110” + 21 bits net ID + 8 bits host ID
class D: “1110” + 28 bits multicast group ID
class E: starts with “11110”, reserved for future use
– subnet addressing (CIDR - classless Internet domain routing)
• host ID portion is divided into a subnet ID and a host ID
• e.g., class B address: “10” + 14 bit net ID + 8 bit subnet ID + 8 bit host ID
hierarchical addressing
For more information:
https://www.tutorialspoint.com/ipv4/ipv4_address_classes.htm
© Levente Buttyán
8
Names and addresses
 hardware address (MAC addresses)
TCP/IP networking overview
–
–
–
–
every interface has a unique and fixed hardware address too
it is used by the data link layer
in case of Ethernet, it is 48 bits long
mapping between IP addresses and MAC addresses are done by ARP
 host names
– human readable, hierarchical names, such as www.hit.bme.hu
– every host may have several names
– mapping between names and IP addresses is done by the Domain Name
System (DNS)
© Levente Buttyán
9
ARP – Address Resolution Protocol
 mapping from IP addresses to MAC addresses
Request
.1
08:00:20:03:F6:42
.2
.3
.4
00:00:C0:C2:9B:26
.5
140.252.13
Protocols and vulnerabilities
arp req | target IP: 140.252.13.5 | target eth: ?
Reply
.1
08:00:20:03:F6:42
.2
.3
.4
00:00:C0:C2:9B:26
.5
140.252.13
arp rep | sender IP: 140.252.13.5 | sender eth: 00:00:C0:C2:9B:26
© Levente Buttyán
10
ARP spoofing
 an ARP request can be responded by another host
Request
.1
08:00:20:03:F6:42
.2
.3
.4
00:00:C0:C2:9B:26
.5
140.252.13
Protocols and vulnerabilities
arp req | target IP: 140.252.13.5 | target eth: ?
Reply
.1
08:00:20:03:F6:42
.2
.3
00:34:CD:C2:9F:A0 00:00:C0:C2:9B:26
.4
.5
140.252.13
arp rep | sender IP: 140.252.13.5 | sender eth: 00:34:CD:C2:9F:A0
© Levente Buttyán
11
Protocols and vulnerabilities
IP – Internet Protocol
 provides an unreliable, connectionless datagram delivery
service to the upper layers
 its main function is routing
 it is implemented in both end systems and intermediate
systems (routers)
 routers maintain routing tables that define the next hop router
towards a given destination (host or network)
 IP routing uses the routing table and the information in the IP
header (e.g., the destination IP address) to route a packet
© Levente Buttyán
12
IP security problems
 user data in IP packets is not protected in any way
– anyone who has access to a router can read and modify the user data in the
packets
 IP packets are not authenticated
– it is fairly easy to generate an IP packet with an arbitrary source IP address
Protocols and vulnerabilities
 traffic analysis
– even if user data was encrypted, one could easily determine who is
communicating with whom by just observing the addressing information in the
IP headers
 information exchanged between routers to maintain their routing tables is
not authenticated
–
–
–
–
correct routing table updates can be modified or fake ones can be disseminated
this may screw up routing completely leading to loops or partitions
it may also facilitate eavesdropping, modification, and monitoring of traffic
it may cause congestion of links or routers (i.e., denial of service)
© Levente Buttyán
13
TCP – Transmission Control Protocol
 provides a connection oriented, reliable, byte stream service to
the upper layers
 connection oriented:
Protocols and vulnerabilities
– connection establishment phase prior to data transfer
– state information (sequence numbers, window size, etc.) is maintained
at both ends
 reliable:
– positive acknowledgement scheme (unacknowledged bytes are
retransmitted after a timeout)
– checksum on both header and data
– reordering of segments that are out of order
– detection of duplicate segments
– flow control (sliding window mechanism)
© Levente Buttyán
14
TCP connection establishment
3 way handshake
client
SYN = ISNC
SYN = ISNS, ACK(ISNC)
server
ISN – Initial Sequence Number
ACK(ISNS)
Protocols and vulnerabilities
data transfer
– sequence numbers are 32 bits long
– the sequence number in a data segment identifies the first byte in the
segment
– sequence numbers are initialized with a “random” value during
connection setup then incremented every transmission
© Levente Buttyán
15
TCP SYN Flood Attack
© Levente Buttyán
TCP Starvation Attack
© Levente Buttyán
FTP – File Transfer Protocol
client
user
interface
user
server
Protocols and vulnerabilities
protocol
interpreter
data
transfer
function
file system
© Levente Buttyán
control connection
(FTP commands and replies)
protocol
interpreter
data connection
data
transfer
function
file system
18
FTP cont’d
 typical FTP commands:
–
–
–
–
–
RETR filename – retrieve (get) a file from the server
STOR filename – store (put) a file on the server
TYPE type – specify file type (e.g., A for ASCII)
USER username – username on server
PASS password – password on server
 FTP is a text (ASCII) based protocol
server
Protocols and vulnerabilities
client
% ftp ftp.epfl.ch
<TCP connection setup to port 21 of ftp.epfl.ch>
“220 ftp.epfl.ch FTP server (version 5.60) ready.”
Connected to ftp.epfl.ch.
Name: buttyan
“USER buttyan”
“331 Password required for user buttyan.”
Password: kiskacsa
“PASS kiskacsa”
“230 User buttyan logged in.”
…
© Levente Buttyán
19
Telnet
Protocols and vulnerabilities
 provides remote login service to users
 works between hosts that use different operating systems
 uses option negotiation between client and server to determine
what features are supported by both ends
Telnet client
kernel
Telnet server
login shell
kernel
terminal
driver
TCP/IP
TCP/IP
pseudoterminal
driver
TCP connection
user
© Levente Buttyán
20
Telnet cont’d
 Telnet session example (“character at a time” mode)
server
client
% telnet ahost.epfl.ch
Connected to ahost.epfl.ch.
Escape character is ‘^]’.
<TCP connection setup to port 23 of ahost.epfl.ch>
<Telnet option negotiation>
“UNIX(r) System V Release 4.0”
Protocols and vulnerabilities
“Login:”
Login: b
“b”
Login: bu
“u”
…
Login: buttyan
“n”
“Password:”
Password: k
“k”
…
Password: kiskacsa
“a”
<OS greetings and shell prompt, e.g., “%”>
© Levente Buttyán
…
21
SMTP – Simple Mail Transfer Protocol
sending host
user
agent
mails to
be sent
user
local
MTA
SMTP
relay
MTA
TCP connection SMTP
Protocols and vulnerabilities
TCP port 25
MTA: Message Transfer Agent
relay
MTA
SMTP
receiving host
local
MTA
user
agent
user
© Levente Buttyán
SMTP
relay
MTA
user
mailbox
22
SMTP cont’d
 SMTP is used by MTAs to talk to each other
 SMTP is a text (ASCII) based protocol
sending MTA (rivest.hit.bme.hu)
receiving MTA (shamir.hit.bme.hu)
<TCP connection establishment to port 25>
“HELO rivest.hit.bme.hu.”
“250 shamir.hit.bme.hu Hello rivest.hit.bme.hu., pleased to meet you”
Protocols and vulnerabilities
“MAIL from: buttyan@rivest.hit.bme.hu”
“250 buttyan@rivest.hit.bme.hu... Sender ok”
“RCPT to: hubaux@lca.epfl.ch”
“250 hubaux@lca.epfl.ch… Recipient ok”
“DATA”
“354 Enter mail, end with a “.” on a line by itself”
<message to be sent>
.
“250 Mail accepted”
“QUIT”
“221 shamir.hit.bme.hu delivering mail”
© Levente Buttyán
23
SMTP security problems
 SMTP does not provide any protection of e-mail messages
– messages can be read and modified by any of the MTAs involved
– fake messages can easily be generated (e-mail forgery)
Protocols and vulnerabilities
 Example:
% telnet frogstar.hit.bme.hu 25
Trying...
Connected to frogstar.hit.bme.hu.
Escape character is ‘^[’.
220 frogstar.hit.bme.hu ESMTP Sendmail 8.11.6/8.11.6;
Mon, 10 Feb 2003 14:23:21 +0100
helo abcd.bme.hu
250 frogstar.hit.bme.hu Hello [152.66.249.32], pleased to meet you
mail from: bill.gates@microsoft.com
250 2.1.0 bill.gates@microsoft.com... Sender ok
rcpt to: buttyan@ebizlab.hit.bme.hu
250 2.1.5 buttyan@ebizlab.hit.bme.hu... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Your fake message goes here.
.
250 2.0.0 h1ADO5e21330 Message accepted for delivery
quit
221 frogstar.hit.bme.hu closing connection
Connection closed by foreign host.
%
© Levente Buttyán
24
DNS – Domain Name System
Protocols and vulnerabilities
 The DNS is a distributed database that provides mapping
between hostnames and IP addresses
 the DNS name space is hierarchical
– top level domains: com, edu, gov, int, mil, net, org, ae, …, hu, … zw
– top level domains may contain second level domains
e.g., uaeu, epfl…
– second level domains may contain third level domains, etc.
 each domain has name servers
– usually a name server knows the IP address of the top level name
servers
– if a domain contains sub-domains, then the name server knows the IP
address of the sub-domain name servers
– when a new host is added to a domain, the administrator adds the
(hostname, IP address) mapping to the database of the local name
server
© Levente Buttyán
25
DNS Spoofing Attack
The cache of a DNS name server is poisoned with false information.
How?
https://www.cloudflare.com/learning/dns/dns-cache-poisoning/
https://www.youtube.com/watch?v=71gpJ2wx7z8
© Levente Buttyán
Web security – Browser side risks
 obtaining a valid browser
– IE usually comes with the OS
– How can you be sure that you are downloading a genuine copy?
(remember DNS spoofing)
– a fake browser can look like a genuine one, but it can
Web security problems
• obtain and send passwords typed in by the user
• downgrade browser security (e.g., reduce key length used in SSL)
• …
 web forms
– used to send data from the user to the server (e.g., online applications,
queries to a database, etc.)
– if pure HTTP is used, then the data is sent in clear
– sensitive information can be eavesdropped and/or modified
© Levente Buttyán
27
Browser side risks cont’d
 helper applications
– the browser cannot handle all kind of downloaded data
– it invokes an external program (the helper) on the user’s machine with
the downloaded data as parameter
– downloaded content can be dangerous (e.g., MS Word and Excel files
may contain macro viruses)
 mobile code
Web security problems
– Java applets
• normally run within a controlled environment (sandbox)
• access to local resources is strictly controlled by a security manager
• however, an applet may escape from the sandbox due to some bugs in the
implementation of the Java Virtual Machine
• several such bugs have been discovered, reported, and fixed
© Levente Buttyán
28
Browser side risks cont’d
 mobile code (cont’d)
– ActiveX controls
• a Microsoft approach to mobile code
• ActiveX controls are executables that run directly on the machine (there’s
no sandbox)
• ActiveX controls can be signed and declared safe by their creators
• but an ActiveX control declared safe may turn out to be dangerous
Web security problems
– Compaq signed a control safe which allowed for remote management of
servers
– Microsoft signed a control which could write arbitrary file on the hard disk (it
was exploited by a virus Kak.Worm)
– JavaScript != Java applet
• scripts are interpreted by the browser itself
• not as powerful as Java (e.g., many attacks require that the user clicks on a
button to activate the malicious code)
• successful attacks reported include history tracking, stealing files, helping
Java applets to bypass firewalls, etc.
© Levente Buttyán
29
Browser side risks cont’d
 cookies
Web security problems
– a cookie is a (name, value) pair
– cookies are set by web servers and stored by web browsers
– a cookie set by a server is sent back to the server when the browser
visits the server again
– used to create “HTTP sessions” (session state information is stored in
cookies)
– example:
client
server
get index.html
content of index.html + set-cookie: sessionID=123456789
get nextlink.html + cookie: sessionID=123456789
…
© Levente Buttyán
30
Browser side risks cont’d
 cookies (cont’d)
– if cookies are sent in clear, then they can be eavesdropped and used to
hijack an “HTTP session”
– cookies can be used to track what sites the user visits (can lead to
serious privacy violation!)
Web security problems
• many sites use third party advertisements
• the third party can set a cookie that identifies the user
• this cookie is sent to the third party each time an ad is downloaded by the
user’s browser along with the address of the page that contains the link to
the ad (the “referrer” field of the HTTP header contains this address)
whatever.com
index.html
browser
get ad_server.asp +
referrer=“whatever.com/index.html” +
cookie: user=123456789
© Levente Buttyán
<html>
…
<img src=“http://thirdparty.com/ad_server.asp”>
…
</html>
thirdparty.com
31
Web security – Server side risks
 interactive web sites are based on forms and scripts
– forms are written in html
– the user fills the form and clicks on a button to submit it
– this creates a request to the server that contains the data typed in by
the user
 unexpected user input may have unexpected effects
Web security problems
– special characters
– too much data (may cause buffer overflow)
 at best, the server crashes
 at worst, the attacker gains control over the server
© Levente Buttyán
32
Server side risks cont’d
 an example: password based user authentication
– assume the following server side script is used to check the supplied
username and password:
query$ = ‘SELECT name, pass FROM database WHERE name = “ ’ + name$ + ‘ ” AND
pass = “ ’ + pass$ + ‘ ” ’
Result = SQLquery(query$)
if Result <> 0 then OK
– with name$ = buttyan and pass$ = kiskacsa
Web security problems
SELECT name, pass FROM database WHERE name = “buttyan” AND pass = “kiskacsa”
– with name$ = buttyan” OR TRUE OR name = “ and pass$ = kiskacsa
SELECT name, pass FROM database WHERE name = “buttyan” OR TRUE OR name = “”
AND pass = “kiskacsa”
© Levente Buttyán
33
Server side risks cont’d
 Buffer overflow attacks
Web security problems
– if the program doesn’t verify that the supplied data fits in the allocated
space, then it may overwrite some parts of the memory, which may
contain data, instructions, or addresses
– many attacks use buffer overflow bugs (e.g., infamous Internet Worm by
Morris used a buffer overflow bug in the sendmail program)
© Levente Buttyán
34
Cross site scripting (XSS)
Web security problems
 the attacker arranges that the victim receives a malicious
script from a trusted server
© Levente Buttyán
35
Attack Sophistication and Intruder Knowledge
© Levente Buttyán
Conclusion
there are many more vulnerabilities and attacks
https://cybermap.kaspersky.com/
https://www.varonis.com/blog/cybersecurity-statistics/
some of these cannot be prevented by technical means, but only with careful
procedures and education of people
 this course will focus on countermeasures




© Levente Buttyán
37
Download