18487 Course Review
Vyas Sekar
Carnegie Mellon University

This Class: Introduction to the Four Research Cornerstones of Security
• Software Security
• OS Security
• Network Security
• Cryptography

Software Security

Control Flow Hijacks
[Diagram: attacker input laid out as shellcode (aka payload), padding, &buf; labelled computation + control]
Allow attacker ability to run arbitrary code
– Install malware
– Steal secrets
– Send spam

Cryptography

Crypto Terminology

Goals
• Understand and believe you should never, ever invent your own algorithm
• Basic construction
• Basic pitfalls

Network and System Security

What is Network Security?
[Diagram: Alice and Bob connected by a public channel]
The Network, typically runs IP “protocol”
1. Providing a “reliable” channel
If the network protocols have flaws, crypto may not save you

E.g., Unauthorized origin ISP (prefix theft)
[Figure: topology with nodes G, B, C and M, and two routing-table entries (Destination: Google, Route: G←B; Destination: Google, Route: M)]
M’s route to G is better than B’s

Takeaways on routing security
• BGP was built on the assumption of cooperation
  – Assumption does not apply anymore
• Many routing misconfigurations, bugs, and even attacks (several per day)
• Proposed fixes are many, but all have some limitations
  – TTL hacks, MD5 signatures
  – S-BGP
    • Relies on a PKI
    • Potentially significant overhead
• Very hard to retrofit security in an existing model!

What is Network Security?
[Diagram: Alice and Bob connected by a public channel]
The Network, typically runs IP “protocol”
2. Providing an “available” channel
Can Alice talk to Bob? Can Eve deny service to Alice/Bob?

DoS: General definition
• DoS is not access or theft of information or services
• Instead, goal is to stop the service from operating
• Deny service to legitimate users
• Why?
  – Economic, political, personal etc.

Why is DDoS a hard problem
• Simple form of attack
  – No complex technique, just send a lot of traffic
  – Toolkits readily available
• Prey on the Internet’s strengths
  – Simplicity of processing in routers
  – Total reachability
• Attack machines readily available
  – Easy to find 10,000s of vulnerable machines on the Internet
• Attack can look like normal traffic
  – E.g., HTTP requests
• Lack of Internet enforcement tools
  – No traceability
• Lack of cooperation between targets
  – ISPs are competitive, and cooperation only at human timescales
• Effective solutions hard to deploy
  – We can’t change the core of the Internet easily

TCP SYN Flood I: low rate (DoS bug)
[Diagram: client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5 to server S]
Single machine:
• SYN packets with random source IP addresses
• Fills up backlog queue on server
• No further connections possible

Backscatter analysis
• Internet telescope/backscatter measurement (example: SYN flood)
[Diagram: Attacker sends SYN, from IP = A; the SYN-ACK, to IP = A, arrives at a network “telescope”, e.g., empty /8 network]
• By monitoring an unused portion of the address space, it is possible to see evidence of backscatter and infer the type/number of DDoS attacks
• Does this work with botnet-based attacks?

DDoS Defense Taxonomy
• Location
  – Host vs network vs protocol
• Response timescale
  – Preventive vs Reactive
• Response action
  – E.g., filter, rate limit, multiply, bug fix/patch

What is Network Security?
[Diagram: Alice and Bob connected by a public channel]
The Network, typically runs IP “protocol”
3. Providing an “enforcement” for observing/mediating access
Stop Eve’s malware from reaching Bob in the first place
Observe aggregated view of malicious intents

Taxonomy
• Approach: Policy vs Anomaly
• Location: Network vs. Host
• Action: Detect vs. Prevent
• Semantics: IP vs TCP vs App

Type                  Example
Host, Rule, IDS       Tripwire
Host, Rule, IPS       Personal Firewall
Net, Rule, IDS        Snort
Net, Rule, IPS        Network firewall
Host, Anomaly, IDS    System call monitoring
Net, Anomaly, IDS     Working set of connections
Net, Anomaly, IPS

[Venn diagram: sets I and A inside Ω]
Think of the Bayesian detection rate as the set of intrusions raising an alert normalized by the set of all alerts. (vs. detection rate which normalizes on intrusions.)
Defn: Bayesian Detection rate
Crux of IDS usefulness

Key things to remember for firewall/IDS
• Firewalls
  – 3 types: Packet filtering, Stateful, and Application
  – Placement and DMZ
• IDS
  – Anomaly vs. policy-based detection
• How can we exploit for evasion?
  – E.g., fragmentation, TCP session reassembly, TTL
• How can we attack the defense infrastructure?
  – E.g., overload, algorithmic complexity
• Detection theory
  – Base rate fallacy

Web Security

“Injection flaws occur when an application sends untrusted data to an interpreter.” --- OWASP
Like Buffer Overflow and Format String Vulnerabilities, a result of the possibility of interpreting data as code
https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References

“Cross site scripting (XSS) is the ability to get a website to display user-supplied content laced with malicious HTML/JavaScript”

Cross Site Request Forgery (CSRF)
A CSRF attack causes the end user browser to execute unwanted actions on a web application in which it is currently authenticated.

Clickjacking
Clickjacking occurs when a malicious site tricks the user into clicking on some element on the page unintentionally.
[Example lure on the slide: “Click for a FREE iPad!”]
Slides modeled after presentation by Lin-Shung Huang at USENIX 2012.
Paper: Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart Schechter, and Collin Jackson. 2012. Clickjacking: attacks and defenses. In Proceedings of the 21st USENIX conference on Security symposium (Security'12). USENIX Association, Berkeley, CA, USA, 22-22.
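
For the CSRF slide above, an added example (not from the original slides) of the secure-token defense: the browser attaches the session cookie to every request, so the server also requires a value that only its own pages can supply. The key handling, the session identifiers and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: one server-side key; a real deployment loads it from protected
# configuration instead of generating it at start-up.
SERVER_KEY = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumed to have no side effects


def issue_csrf_token(session_id: str) -> str:
    """Token the site embeds in its own forms: HMAC-SHA256 of the session ID."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method: str, session_id: str, form: dict) -> bool:
    """Check a request that already carries a valid session cookie."""
    if method.upper() in SAFE_METHODS:
        return True
    supplied = str(form.get("csrf_token", ""))
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def demo() -> dict:
    """Constructed requests: the user's own form post and two forged ones."""
    alice, mallory = "session-alice-constructed", "session-mallory-constructed"
    transfer = {"to": "bob", "amount": "10"}
    return {
        # Form served by the site itself, so it contains Alice's token.
        "same_site_form": is_request_allowed(
            "POST", alice, {**transfer, "csrf_token": issue_csrf_token(alice)}),
        # Cross-site page: the browser attaches Alice's cookie, but the
        # page cannot read her token, so the field is missing.
        "cross_site_no_token": is_request_allowed("POST", alice, transfer),
        # Token issued for a different session does not verify for Alice's.
        "cross_site_foreign_token": is_request_allowed(
            "POST", alice, {**transfer, "csrf_token": issue_csrf_token(mallory)}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

The check only helps if state-changing handlers never run on the methods listed in SAFE_METHODS.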

Key takeaways for web security
• Different attack models
• Understand the different classes of attacks
  – Injection
  – XSS
  – CSRF
  – Clickjacking etc.
• Proposed defenses
  – E.g., sanitization, secure tokens etc.

Designing Secure Systems

Protection Mechanism
Control Transfer of Information Among Users of the Utility

Abstract Access Control Model
[Diagram: Principal (Source) → Requested Operation → Reference Monitor (Guard) → Approved Operation → Object (Resource); labelled Authentication, Authorization, Audit]

Design Principles
• Economy of mechanism a.k.a. KISS / Low TCB
• Fail-safe defaults
• Complete mediation
• Separation of privilege
• Least privilege
• Factor in users/acceptance/psychology
• Work factor/economics
• Detect if you can’t prevent
• Don’t rely on security by obscurity

Key takeaways for system security
• Know Lampson’s “gold” standard
  – Authentication
  – Authorization
  – Audit
• Know types of authorization mechanisms
• Understand concept of TCB
• Internalize design principles for secure systems

Key takeaways for mobile security
• How is mobile security different?
  – Ecosystem, hardware, software?
• How do popular systems work?
  – iOS vs Android
• What new threats arise?
  – Poor use of crypto, PII leakage
• Techniques to detect misuse
  – E.g., control and call graphs

Exam 3

Exam 3 Mechanics
• Same format as exams 1 and 2. In class, closed note, closed book, closed computer
• BRING A CALCULATOR (no cell phones, PDAs, computers, etc.) Think of this as a hint.
• Topics: Anything from class

The Most Important Things
Anything is fair game, but the below are things you absolutely must know
• Base Rate Fallacy
• Web attacks
• Authenticated encryption
• Stack diagrams/buffer overflow/etc.
• Questions from exam 1 and exam 2 (study what you missed)

Questions?
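
A worked base rate fallacy calculation, added here as a review example and not taken from the original slides. It applies Bayes' rule to the Bayesian detection rate described on the IDS slide (alerts that are real intrusions, normalized by all alerts), written P(I|A). The base rate, detection rate and false alarm rate are constructed numbers.

```python
from fractions import Fraction

# Constructed exam-style numbers (assumptions, not figures from the slides).
BASE_RATE = Fraction(1, 10_000)   # P(I): fraction of events that are intrusions
TPR = Fraction(99, 100)           # P(A|I): detection rate
FPR = Fraction(1, 100)            # P(A|not I): false alarm rate


def bayesian_detection_rate(base_rate, tpr, fpr):
    """P(I|A): intrusions raising an alert, normalized by all alerts."""
    true_alerts = tpr * base_rate
    false_alerts = fpr * (1 - base_rate)
    return true_alerts / (true_alerts + false_alerts)


def max_false_alarm_rate(base_rate, tpr, target):
    """Largest P(A|not I) for which P(I|A) still reaches `target`."""
    return tpr * base_rate * (1 - target) / (target * (1 - base_rate))


def expected_alerts(events, base_rate, tpr, fpr):
    """Expected (true alerts, false alerts) among `events` monitored events."""
    intrusions = events * base_rate
    return intrusions * tpr, (events - intrusions) * fpr


if __name__ == "__main__":
    rate = bayesian_detection_rate(BASE_RATE, TPR, FPR)
    true_a, false_a = expected_alerts(1_000_000, BASE_RATE, TPR, FPR)
    print(f"detection rate P(A|I)          = {float(TPR):.2%}")
    print(f"Bayesian detection rate P(I|A) = {rate} = {float(rate):.2%}")
    print(f"per 1,000,000 events: {true_a} true alerts, {false_a} false alerts")
    needed = max_false_alarm_rate(BASE_RATE, TPR, Fraction(1, 2))
    print(f"false alarm rate needed for P(I|A) = 1/2: {needed}")
```

With these numbers a detector that catches 99% of intrusions still produces alerts that are real less than 1% of the time, because the rare intrusions are swamped by false alarms on benign events.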