18487 course review vyas sekar carnegie mellon university
TRANSCRIPT
18487 Course Review
Vyas SekarCarnegie Mellon University
This Class: Introduction to the Four Research Cornerstones of Security
2
Software Security Network Security
OS Security Cryptography
Software Security
3
Control Flow Hijacks
4
shellcode (aka payload) padding &buf
computation + control
Allow attacker ability to run arbitrary code– Install malware– Steal secrets– Send spam
5
6
7
Cryptography
8
9
Crypto Terminology
Goals
• Understand and believe you should never, ever invent your own algorithm
• Basic construction
• Basic pitfalls
10
Network and System Security
11
Alice Bob
Public Channel
What is Network Security?
1. Providing a “reliable” channel If the network protocols have flaws, crypto may not save you
The Network, typically runs IP “protocol”
12
E.g., Unauthorized origin ISP (prefix theft)
13
M
Destination Route
Google G←B
Destination Route
Google M
G CB
M’s route to G is better than B’s
Takeaways on routing security• BGP was built on the assumption of cooperation
– Assumption does not apply anymore• Many routing misconfigurations, bugs, and even attacks (several per
day)
• Proposed fixes are many, but all have some limitations– TTL hacks, MD5 signatures– S-BGP
• Relies on a PKI• Potentially significant overhead
• Very hard to retrofit security in an existing model!
14
Alice Bob
Public Channel
What is Network Security?
2. Providing an “available” channel Can Alice talk to Bob? Can Eve deny service to Alice/Bob?
The Network, typically runs IP “protocol”
15
DoS: General definition
• DoS is not access or theft of information or services
• Instead, goal is to stop the service from operating
• Deny service to legitimate users
• Why?– Economic, political, personal etc ..
16
Why is DDoS a hard problem
• Simple form of attack– No complex technique, just send a lot of traffic– Toolkits readily available
• Prey on the Internet’s strengths– Simplicity of processing in routers– Total reachability
• Attack machines readily available– Easy to find 10,000’s vulnerable machines of the Internet
• Attack can look like normal traffic– E.g., HTTP requests
• Lack of Internet enforcement tools– No traceability
• Lack of cooperation between targets– ISPs are competitive, and cooperation only at human timescales
• Effective solutions hard to deploy– We can’t change the core of the Internet easily
17
TCP SYN Flood I: low rate (DoS bug)
18
C
SYNC1
SYNC2
SYNC3
SYNC4
SYNC5
S Single machine:
• SYN Packets withrandom source IPaddresses
• Fills up backlog queueon server
• No further connectionspossible
• Internet telescope/backscatter measurement
• By monitoring unused portion of address space, possibility to see evidence of backscatter and infer type/number of DDoS attacks
• Does this work with botnet-based attacks?
Backscatter analysis
19
SYN, from IP = A
SYN-ACK, to IP = A
Network “telescope”, e.g., empty /8 network
(example: SYN flood)
Attacker
20
DDoS Defense Taxonomy
• Location– Host vs network vs protocol
• Response timescale– Preventive vs Reactive
• Response action– E.g., filter, rate limit, multiply, bug fix/patch
Alice Bob
Public Channel
What is Network Security?
3. Providing an “enforcement” for observing/mediating accessStop Eve’s malware from reaching Bob in the first placeObserve aggregated view of malicious intents
The Network, typically runs IP “protocol”
21
22
Taxonomy• Approach: Policy vs Anomaly• Location: Network vs. Host• Action: Detect vs. Prevent• Semantics: IP vs TCP vs App
Type Example
Host, Rule, IDS Tripwire
Host, Rule, IPS Personal Firewall
Net, Rule, IDS Snort
Net, Rule, IPS Network firewall
Host, Anomaly, IDS System call monitoring
Net, Anomaly, IDS Working set of connections
Net, Anomaly, IPS
23
Ω
I A
Think of the Bayesian detection rate as the set of intrusions raising an alert normalized by the set of all alerts. (vs. detection ratewhich normalizes on intrusions.)
Defn: Bayesian Detection rateCrux of IDS usefulness!
24
Key things to remembers for firewall/IDS• Firewalls
– 3 types: Packet filtering, Stateful, and Application– Placement and DMZ
• IDS– Anomaly vs. policy-based detection
• How can we exploit for evasion?– E.g., fragmentation, TCP session reassembly, TTL
• How can we attack the defense infrastructure?– E.g., overload, algorithmic complexity
• Detection theory– Base rate fallacy
Web Security
26
“Injection flaws occur when an application sends untrusted data to an interpreter.”
--- OWASP
https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
Like Buffer Overflow and Format String Vulnerabilities, A result of
from the possibility of interpreting data as code
27
“Cross site scripting (XSS) is the ability to get a website to display user-supplied content laced with malicious HTML/JavaScript”
Cross Site Request Forgery (CSRF)
A CSRF attack causes the end user browser to execute unwanted actions on a web application in which it is currently authenticated.
28
Clickjacking
29
Click for a FREE iPad!
Clickjacking occurs when a malicious site tricks the user into clicking on some element on the page unintentionally.
Slides modeled after presentation by Lin-Shung Huang at USENIX 2012.Paper: Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart Schechter, and Collin Jackson. 2012. Clickjacking: attacks and defenses. In Proceedings of the 21st USENIX conference on Security symposium (Security'12). USENIX Association, Berkeley, CA, USA, 22-22.
30
Key takeaways for web security• Different attack models
• Understand the differnet classes of attacks– Injection– XSS– CSRF– Clickjacking etc
• Proposed defenses– E.g., sanitization, secure tokens etc
Designing Secure Systems
Vyas SekarCarnegie Mellon University
32
Protection Mechanism
Control Transfer of InformationAmong Users of the Utility
33
PrincipalReferenceMonitor
Object
RequestedOperation
ApprovedOperation
Source Guard Resource
Authentication Authorization
AuditAbstract Access Control Model
34
Design Principles• Economy of mechanism a.k.a KISS /Low TCB• Fail-safe defaults• Complete mediation• Separation of privilege• Least privilege• Factor in users/acceptance/psychology• Work factor/economics• Detect if you cant prevent• Don’t rely on security by obscurity
35
Key takeaways for system security• Know Lampson’s “gold” standard
– Authentication– Authorization– Audit
• Know types of authorization mechanisms
• Understand concept of TCB
• Internalize design principles for secure systems
Key takeaways for mobile security• How is mobile security different?
– Ecosystem, hardware, software?
• How do popular systems work? – iOS vs Android
• What new threats arise?– Poor use of crypto, PII leakage
• Techniques to detect misuse– E.g., control and call graphs
36
Exam 3
37
38
Exam 3 Mechanics
• Same format as exams 1 and 2. In class, closed note, closed book, closed computer
• BRING A CALCULATOR (no cell phones, PDA’s, computers, etc.) Think of this as a hint.
• Topics: Anything from class
The Most Important Things
Anything is fair game, but the below are things you absolutely must know
• Base Rate Fallacy• Web attacks• Authenticated encryption• Stack diagrams/buffer overflow/etc.• Questions from exam 1 and exam 2
(study what you missed)
39
40
Questions?
END