Introduction to Information Security
Mark Stamp, Department of Computer Science, San Jose State University, stamp@cs.sjsu.edu

Post on 22-Dec-2015



The Cast of Characters

Alice and Bob are the good guys
Trudy is the bad guy
Trudy is our generic “intruder”

Alice’s Online Bank

Alice opens Alice’s Online Bank (AOB)
What are Alice’s security concerns?
If Bob is a customer of AOB, what are his security concerns?
How are Alice’s and Bob’s concerns similar? How are they different?
How does Trudy view the situation?

CIA

Confidentiality, Integrity and Availability
AOB must prevent Trudy from learning Bob’s account balance
Confidentiality: prevent unauthorized reading of information

CIA

Trudy must not be able to change Bob’s account balance
Bob must not be able to improperly change his own account balance
Integrity: prevent unauthorized writing of information

CIA

AOB’s information must be available when needed
Alice must be able to make transactions
  o If not, she’ll take her business elsewhere
Availability: data is available in a timely manner when needed
Availability is a “new” security concern
  o In response to denial of service (DoS)

Beyond CIA

How does Bob’s computer know that “Bob” is really Bob and not Trudy?
Bob’s password must be verified
  o This requires some clever cryptography
What are the security concerns of passwords?
Are there alternatives to passwords?

Beyond CIA

When Bob logs into AOB, how does AOB know that “Bob” is really Bob?
As before, Bob’s password is verified
Unlike the standalone computer case, network security issues arise
What are network security concerns?
Protocols are critically important
Crypto is also important in protocols

Beyond CIA

Once Bob is authenticated by AOB, then AOB must restrict actions of Bob
  o Bob can’t view Charlie’s account info
  o Bob can’t install new software, etc.
Enforcing these restrictions is known as authorization
Access control includes both authentication and authorization

Beyond CIA

Cryptography, protocols and access control are implemented in software
What are security issues of software?
  o Most software is complex and buggy
  o Software flaws lead to security flaws
  o How to reduce flaws in software development?

Beyond CIA

Some software is intentionally evil
  o Malware: computer viruses, worms, etc.
What can Alice and Bob do to protect themselves from malware?
What can Trudy do to make malware more “effective”?

Beyond CIA

Operating systems enforce security
  o For example, authorization
OS: large and complex software
  o Win XP has 40,000,000 lines of code!
  o Subject to bugs and flaws like any other software
  o Many security issues specific to OSs
  o Can you trust an OS?

My Book

The text consists of four major parts
  o Cryptography
  o Access control
  o Protocols
  o Software

Cryptography

“Secret codes”
The book covers
  o Classic cryptography
  o Symmetric ciphers
  o Public key cryptography
  o Hash functions
  o Advanced cryptanalysis

Access Control

Authentication
  o Passwords
  o Biometrics and other
Authorization
  o Access Control Lists (ACLs) and Capabilities
  o Multilevel security (MLS), security modeling, covert channel, inference control
  o Firewalls and Intrusion Detection Systems

Protocols

Simple authentication protocols
  o “Butterfly effect” --- small change can have drastic effect on security
  o Cryptography used in protocols
Real-world security protocols
  o SSL, IPSec, Kerberos
  o GSM security

Software

Software security-critical flaws
  o Buffer overflow
  o Other common flaws
Malware
  o Specific viruses and worms
  o Prevention and detection
  o The future of malware

Software

Software reverse engineering (SRE)
  o How hackers “dissect” software
Digital rights management
  o Shows difficulty of security in software
  o Also raises OS security issues
Limits of testing
  o Open source vs closed source

Software

Operating systems
  o Basic OS security issues
  o “Trusted” OS requirements
  o NGSCB: Microsoft’s trusted OS for PC
Software is a big security topic
  o Lots of material to cover
  o Lots of security problems to consider

Think Like Trudy

In the past, no respectable sources talked about “hacking” in detail
It was argued that such info would help hackers
Very recently, this has changed
  o Books on network hacking, how to write evil software, how to hack software, etc.

Think Like Trudy

Good guys must think like bad guys!
A police detective
  o Must study and understand criminals
In information security
  o We want to understand Trudy’s motives
  o We must know Trudy’s methods
  o We’ll often pretend to be Trudy

Think Like Trudy

Is all of this security information a good idea?
“It’s about time somebody wrote a book to teach the good guys what the bad guys already know.” --- Bruce Schneier

Think Like Trudy

We must try to think like Trudy
We must study Trudy’s methods
We can admire Trudy’s cleverness
Often, we can’t help but laugh at Alice and Bob’s stupidity
But, we cannot act like Trudy


Security Books

Security Books

Security Engineering: A Guide to Building Dependable Distributed Systems, Anderson, John Wiley & Sons, Inc., 2001
Plusses
  o Highly readable/entertaining
  o Case studies
  o Emphasis on human factors
Minuses
  o Glosses over technical issues
  o Not a textbook

Security Books

Network Security: Private Communication in a Public World, second edition, Kaufman, Perlman, and Speciner, Prentice Hall, 2002
Plusses
  o Solid on protocols
  o Brief but good on crypto
Minuses
  o No software, access control
  o Too much RFC detail

Security Books

Security in Computing, third edition, Pfleeger and Pfleeger, Prentice Hall, 2003
Plusses
  o Good on OS topics
  o OK on software topics
Minuses
  o Dated
  o Boring

Security Books

Applied Cryptography: Protocols, Algorithms and Source Code in C, Second Edition, Schneier, John Wiley & Sons, Inc., 1995 (2nd edition)
Plusses
  o Encyclopedic
  o Widely used
Minuses
  o Crypto only
  o Sloppy in places

Security Books

Computer Security, Gollmann, John Wiley & Sons, Inc., 1999
Plusses
  o Chapter 8: How things go wrong
  o Good on security modeling
Minuses
  o Mostly theoretical
  o No software/limited topics

Security Books

Computer Security: Art and Science, Bishop, Addison Wesley, 2003
Plusses
  o Security modeling
  o Theory
Minuses
  o Theory, theory, and more theory
  o As much fun to read as a calculus textbook

Security Books

Fundamentals of Secure Computer Systems, Tjaden, Franklin, Beedle, and Associates, 2003
Plusses
  o Intrusion detection systems
  o Good general approach
Minuses
  o Weak crypto, software, protocols
  o Good approach, not well executed

Security Books

Cryptography and Network Security: Principles and Practice, 3rd edition, Stallings, Prentice Hall, 2002
Plusses
  o Some OK protocols material
Minuses
  o Lots of pointless facts
  o Not coherent

“Hacker” Books

Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, Skoudis, Prentice Hall, 2001
Shellcoder’s Handbook: Discovering and Exploiting Security Holes, Koziol et al, Wiley, 2004
Hacker Disassembling Uncovered, Kaspersky, A-List, 2003
Reversing: Secrets of Reverse Engineering, Eilam, Wiley, 2005

My Book

Information Security: Principles and Practice, Stamp, John Wiley & Sons, Inc., 2005
Plusses
  o Too many to list…
Minuses
  o Can’t think of any…


Crypto

Crypto Topics

Crypto Basics
Symmetric ciphers
  o Stream ciphers, Block ciphers
Public key crypto
  o Knapsack, RSA, DH, ECC, signatures, etc.
Hash functions
Advanced cryptanalysis

Crypto

Cryptology: the art and science of making and breaking “secret codes”
Cryptography: making “secret codes”
Cryptanalysis: breaking “secret codes”
Crypto: all of the above (and more)

How to Speak Crypto

A cipher or cryptosystem is used to encrypt the plaintext
The result of encryption is ciphertext
We decrypt ciphertext to recover plaintext
A key is used to configure a cryptosystem
A symmetric key cryptosystem uses the same key to encrypt as to decrypt
A public key cryptosystem uses a public key to encrypt and a private key to decrypt (sign)

Crypto

Basic assumption
  o The system is completely known to the attacker
  o Only the key is secret
Also known as Kerckhoffs’ Principle
  o Crypto algorithms are not secret
Why do we make this assumption?
  o Experience has shown that secret algorithms are weak when exposed
  o Secret algorithms never remain secret
  o Better to find weaknesses beforehand

Crypto as Black Box

[Figure: plaintext -> encrypt (key) -> ciphertext -> decrypt (key) -> plaintext]

Taxonomy of Cryptography

Symmetric Key
  o Same key for encryption as for decryption
  o Stream ciphers
  o Block ciphers
Public Key
  o Two keys, one for encryption (public), and one for decryption (private)
  o Digital signatures --- nothing comparable in symmetric key crypto
Hash algorithms

Taxonomy of Cryptanalysis

Ciphertext only
Known plaintext
Chosen plaintext
  o “Lunchtime attack”
  o Protocols might encrypt chosen text
Adaptively chosen plaintext
Related key
Forward search (public key crypto only)
Etc., etc.

Symmetric Key Crypto

Stream cipher --- like a one-time pad
  o Key is relatively short
  o Key is stretched into a long keystream
  o Keystream is then used like a one-time pad
Block cipher --- based on codebook concept
  o Block cipher key determines a codebook
  o Each key yields a different codebook
  o Employ both “confusion” and “diffusion”

Block Cipher Notation

P = plaintext block
C = ciphertext block
Encrypt P with key K to get ciphertext C
  o C = E(P, K)
Decrypt C with key K to get plaintext P
  o P = D(C, K)

Block Cipher Modes

Many modes of operation
  o We discuss two
Electronic Codebook (ECB) mode
  o Obvious thing to do
  o Encrypt each block independently
  o There is a serious weakness
Cipher Block Chaining (CBC) mode
  o Chain the blocks together
  o More secure than ECB, virtually no extra work

ECB Mode

Notation: C = E(P,K)
Given plaintext P0, P1, …, Pm, …
Obvious way to use a block cipher is

  Encrypt            Decrypt
  C0 = E(P0,K),      P0 = D(C0,K),
  C1 = E(P1,K),      P1 = D(C1,K),
  C2 = E(P2,K), …    P2 = D(C2,K), …

For a fixed key K, this is an electronic version of a codebook cipher
A new codebook for each key

ECB Weaknesses

Suppose Pi = Pj
Then Ci = Cj and Trudy knows Pi = Pj
This gives Trudy some information, even if she does not know Pi or Pj
Trudy might know Pi
A “cut and paste” attack is also possible

Alice Hates ECB Mode

[Figure: Alice’s uncompressed image, and Alice ECB encrypted (TEA)]
Why does this happen?
Same plaintext block, same ciphertext!

CBC Mode

Blocks are “chained” together
A random initialization vector, or IV, is required to initialize CBC mode
IV is random, but need not be secret

  Encryption              Decryption
  C0 = E(IV ⊕ P0, K),     P0 = IV ⊕ D(C0, K),
  C1 = E(C0 ⊕ P1, K),     P1 = C0 ⊕ D(C1, K),
  C2 = E(C1 ⊕ P2, K), …   P2 = C1 ⊕ D(C2, K), …

CBC Mode

Identical plaintext blocks yield different ciphertext blocks
Cut and paste is still possible, but more complex (and will cause garbles)
If C1 is garbled to, say, G then P1 ≠ C0 ⊕ D(G,K), P2 ≠ G ⊕ D(C2,K)
But, P3 = C2 ⊕ D(C3,K), P4 = C3 ⊕ D(C4,K), …
Automatically recovers from errors!

Alice Likes CBC Mode

[Figure: Alice’s uncompressed image, and Alice CBC encrypted (TEA)]
Why does this happen?
Same plaintext yields different ciphertext!
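
The ECB weakness and the CBC error-recovery property from the slides above, as an added example that is not part of the original slides. It uses TEA (the cipher named in the image slides) on a constructed message; the key, the IV and the helper names are assumptions made for the illustration, and the IV is fixed only so the run is repeatable.

```python
import struct

BLOCK = 8                                  # TEA works on 64-bit blocks
DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF


def tea_encrypt(block, key):
    """E(P, K): encrypt one 8-byte block under a 16-byte key (32 rounds)."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return struct.pack(">2I", v0, v1)


def tea_decrypt(block, key):
    """D(C, K): inverse of tea_encrypt."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return struct.pack(">2I", v0, v1)


def split(data):
    """Cut a message whose length is a multiple of 8 into blocks P0, P1, ..."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(p_blocks, key):
    # Ci = E(Pi, K): every block is encrypted independently
    return [tea_encrypt(p, key) for p in p_blocks]


def cbc_encrypt(p_blocks, key, iv):
    # C0 = E(IV xor P0, K), Ci = E(C(i-1) xor Pi, K)
    out, prev = [], iv
    for p in p_blocks:
        prev = tea_encrypt(xor(prev, p), key)
        out.append(prev)
    return out


def cbc_decrypt(c_blocks, key, iv):
    # P0 = IV xor D(C0, K), Pi = C(i-1) xor D(Ci, K)
    out, prev = [], iv
    for c in c_blocks:
        out.append(xor(prev, tea_decrypt(c, key)))
        prev = c
    return out


def equal_pairs(c_blocks):
    """Index pairs (i, j) with Ci == Cj: what an observer learns without the key."""
    n = len(c_blocks)
    return [(i, j) for i in range(n) for j in range(i + 1, n)
            if c_blocks[i] == c_blocks[j]]


def recovered_after_garble(p_blocks, key, iv, index):
    """Flip one bit of C[index] in transit; report per block whether Pi survives."""
    c = cbc_encrypt(p_blocks, key, iv)
    g = bytearray(c[index])
    g[0] ^= 0x01
    c[index] = bytes(g)
    return [r == p for r, p in zip(cbc_decrypt(c, key, iv), p_blocks)]


# Constructed sample data: P0 = P1 = P3.
KEY = bytes(range(16))
IV = bytes.fromhex("a1b2c3d4e5f60718")     # fixed for repeatability only
PLAINTEXT = split(b"PAY BOB " b"PAY BOB " b"$0000100" b"PAY BOB " b"--END--.")

if __name__ == "__main__":
    print("ECB equal ciphertext blocks:", equal_pairs(ecb_encrypt(PLAINTEXT, KEY)))
    print("CBC equal ciphertext blocks:", equal_pairs(cbc_encrypt(PLAINTEXT, KEY, IV)))
    print("CBC blocks intact after garbling C1:",
          recovered_after_garble(PLAINTEXT, KEY, IV, 1))
```

Under ECB the repeated plaintext blocks show up as repeated ciphertext blocks; under CBC they do not, and garbling C1 damages only P1 and P2.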


Access Control

Access Control Topics

Authentication
  o Something you know (passwords)
  o Something you have (smartcard)
  o Something you are (biometrics)
Authorization
  o ACLs/capabilities, MLS, CAPTCHA
  o Firewalls, IDS

Turing Test

Proposed by Alan Turing in 1950
Human asks questions to one other human and one computer (without seeing either)
If human questioner cannot distinguish the human from the computer responder, the computer passes the test
The gold standard in artificial intelligence
No computer can pass this today

CAPTCHA

CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
Automated: test is generated and scored by a computer program
Public: program and data are public
Turing test to tell…: humans can pass the test, but machines cannot pass the test
Like an inverse Turing test (sort of…)

CAPTCHA Paradox

“…CAPTCHA is a program that can generate and grade tests that it itself cannot pass…”
“…much like some professors…”
Paradox: computer creates and scores test that it cannot pass!
CAPTCHA used to restrict access to resources to humans (no computers)
CAPTCHA useful for access control

CAPTCHA Uses?

Original motivation: automated “bots” stuffed ballot box in vote for best CS school
Free email services: spammers used bots to sign up for 1000’s of email accounts
  o CAPTCHA employed so only humans can get accts
Sites that do not want to be automatically indexed by search engines
  o HTML tag only says “please do not index me”
  o CAPTCHA would force human intervention

CAPTCHA: Rules of the Game

Must be easy for most humans to pass
Must be difficult or impossible for machines to pass
  o Even with access to CAPTCHA software
The only unknown is some random number
Desirable to have different CAPTCHAs in case some person cannot pass one type
  o Blind person could not pass visual test, etc.

Do CAPTCHAs Exist?

Test: Find 2 words in the following
[Figure: CAPTCHA image]
Easy for most humans
Difficult for computers (OCR problem)

CAPTCHAs

Current types of CAPTCHAs
  o Visual: like previous example; many others
  o Audio: distorted words or music
No text-based CAPTCHAs
  o Maybe this is not possible…

CAPTCHAs and AI

Computer recognition of distorted text is a challenging AI problem
  o But humans can solve this problem
Same is true of distorted sound
  o Humans also good at solving this
Hackers who break such a CAPTCHA have solved a hard AI problem
Putting hackers’ effort to good use!


Protocols

Protocol Topics

Simple authentication protocols
  o Nonces, session keys, timestamps, etc.
  o Perfect forward secrecy, zero knowledge proofs
Real-world security protocols
  o SSL
  o IPSec
  o Kerberos
  o GSM

Authentication

Authentication on a stand-alone computer is relatively simple
  o “Secure path” is the primary issue
  o Main concern is an attack on authentication software (we discuss software attacks later)
Authentication over a network is much more complex
  o Attacker can passively observe messages
  o Attacker can replay messages
  o Active attacks may be possible (insert, delete, change messages)

Symmetric Key Authentication

Alice and Bob share symmetric key KAB
Key KAB known only to Alice and Bob
Authenticate by proving knowledge of shared symmetric key
How to accomplish this?
  o Must not reveal key
  o Must not allow replay attack

Authentication with Symmetric Key

Alice holds KAB; Bob holds KAB

  Alice -> Bob: “I’m Alice”
  Bob -> Alice: R
  Alice -> Bob: E(R,KAB)

Secure method for Bob to authenticate Alice
Alice does not authenticate Bob
Can we achieve mutual authentication?

Mutual Authentication

Since we have a secure one-way authentication protocol…
The obvious thing to do is to use the protocol twice
  o Once for Bob to authenticate Alice
  o Once for Alice to authenticate Bob
This has to work…

Mutual Authentication

Alice holds KAB; Bob holds KAB

  Alice -> Bob: “I’m Alice”, RA
  Bob -> Alice: RB, E(RA,KAB)
  Alice -> Bob: E(RB,KAB)

This provides mutual authentication
Is it secure? See the next slide…

Mutual Authentication Attack

First connection (Trudy and Bob; Bob holds KAB):
  1. Trudy -> Bob: “I’m Alice”, RA
  2. Bob -> Trudy: RB, E(RA,KAB)
  5. Trudy -> Bob: E(RB,KAB)

Second connection (Trudy and Bob; Bob holds KAB):
  3. Trudy -> Bob: “I’m Alice”, RB
  4. Bob -> Trudy: RC, E(RB,KAB)

Mutual Authentication

Our one-way authentication protocol is not secure for mutual authentication
Protocols are subtle!
The “obvious” thing may not be secure
Also, if assumptions or environment change, protocol may not work
  o This is a common source of security failure
  o For example, Internet protocols

Symmetric Key Mutual Authentication

Alice holds KAB; Bob holds KAB

  Alice -> Bob: “I’m Alice”, RA
  Bob -> Alice: RB, E(“Bob”,RA,KAB)
  Alice -> Bob: E(“Alice”,RB,KAB)

Do these “insignificant” changes help? Yes!
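
The three mutual-authentication slides above as a runnable protocol check, added here as an example that is not part of the original slides. It runs the five-message sequence from the attack slide against the "use the protocol twice" responder and against the responder that binds the sender's name into each proof. E(…,KAB) is modeled with HMAC-SHA256 as a stand-in, since only proof of key knowledge matters here; the class, function and session names are assumptions.

```python
import hashlib
import hmac
import secrets

DEMO_KEY = bytes(range(16))    # constructed stand-in for the shared key KAB


def E(key, *fields):
    """Stand-in for E(fields, KAB): a keyed MAC over length-prefixed fields."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Bob:
    """Responder side. bind_identity=False is the 'use it twice' protocol;
    bind_identity=True adds the names "Bob"/"Alice" inside the proofs."""

    def __init__(self, key, bind_identity):
        self.key = key
        self.bind = bind_identity
        self.challenges = {}               # session id -> RB issued by Bob

    def hello(self, session, r_a):
        """Receive ("I'm Alice", RA); answer with RB and Bob's proof over RA."""
        r_b = secrets.token_bytes(16)
        self.challenges[session] = r_b
        if self.bind:
            return r_b, E(self.key, b"Bob", r_a)
        return r_b, E(self.key, r_a)

    def finish(self, session, proof):
        """Receive the initiator's proof over RB; True means 'Alice' is accepted."""
        r_b = self.challenges.pop(session)
        if self.bind:
            expected = E(self.key, b"Alice", r_b)
        else:
            expected = E(self.key, r_b)
        return hmac.compare_digest(proof, expected)


def honest_run(bob, key, bind_identity):
    """Alice, who holds the key, completes the exchange and also checks Bob."""
    r_a = secrets.token_bytes(16)
    r_b, bob_proof = bob.hello("alice-1", r_a)
    expected = E(key, b"Bob", r_a) if bind_identity else E(key, r_a)
    if not hmac.compare_digest(bob_proof, expected):
        return False                       # Bob failed to prove knowledge of KAB
    mine = E(key, b"Alice", r_b) if bind_identity else E(key, r_b)
    return bob.finish("alice-1", mine)


def reflection_check(bob):
    """Messages 1-5 of the attack slide, sent by a party that holds no key.
    Returns True if Bob accepts, i.e. the protocol variant is broken."""
    r_b, _ = bob.hello("conn-1", secrets.token_bytes(16))   # messages 1 and 2
    _, reflected = bob.hello("conn-2", r_b)                 # messages 3 and 4
    return bob.finish("conn-1", reflected)                  # message 5


if __name__ == "__main__":
    for bind in (False, True):
        label = "identity-bound" if bind else "protocol used twice"
        print(label,
              "| honest Alice accepted:", honest_run(Bob(DEMO_KEY, bind), DEMO_KEY, bind),
              "| reflected proof accepted:", reflection_check(Bob(DEMO_KEY, bind)))
```

With the names bound in, the value Bob hands out on the second connection is a proof for “Bob”, so it no longer matches the proof for “Alice” that he expects on the first.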

Socket layer

“Socket layer” lives between application and transport layers
SSL usually lies between HTTP and TCP
[Figure: protocol stack (application, transport, network, link, physical) showing the socket “layer”, with labels User, OS and NIC]

What is SSL?

SSL is the protocol used for most secure transactions over the Internet
For example, if you want to buy a book at amazon.com…
  o You want to be sure you are dealing with Amazon (authentication)
  o Your credit card information must be protected in transit (confidentiality and/or integrity)
  o As long as you have money, Amazon doesn’t care who you are (authentication need not be mutual)

Simple SSL-like Protocol

  Alice -> Bob: I’d like to talk to you securely
  Bob -> Alice: Here’s my certificate
  Alice -> Bob: {KAB}Bob
  Alice <-> Bob: protected HTTP

Is Alice sure she’s talking to Bob?
Is Bob sure he’s talking to Alice?

Simplified SSL Protocol

  Alice -> Bob: Can we talk?, cipher list, RA
  Bob -> Alice: Certificate, cipher, RB
  Alice -> Bob: {S}Bob, E(h(msgs,CLNT,K),K)
  Bob -> Alice: h(msgs,SRVR,K)
  Alice <-> Bob: Data protected with key K

S is pre-master secret
K = h(S,RA,RB)
msgs = all previous messages
CLNT and SRVR are constants

SSL MiM Attack

Between Alice and Trudy:
  Alice -> Trudy: RA
  Trudy -> Alice: certificateT, RB
  Alice -> Trudy: {S1}Trudy, E(X1,K1)
  Trudy -> Alice: h(Y1,K1)
  Alice <-> Trudy: E(data,K1)

Between Trudy and Bob:
  Trudy -> Bob: RA
  Bob -> Trudy: certificateB, RB
  Trudy -> Bob: {S2}Bob, E(X2,K2)
  Bob -> Trudy: h(Y2,K2)
  Trudy <-> Bob: E(data,K2)

Q: What prevents this MiM attack?
A: Bob’s certificate must be signed by a certificate authority (such as Verisign)
What does Web browser do if sig. not valid?
What does user do if signature is not valid?


Software


Software Topics

Flaws
Malware
Software-based attacks
Software reverse engineering (SRE)
Digital rights management (DRM)
Software development
Operating systems/trusted OS
NGSCB


Why Software?

Why is software as important to security as crypto, access control and protocols?
Virtually all of information security is implemented in software
If your software is subject to attack, your security is broken
  o Regardless of strength of crypto, access control or protocols
Software is a poor foundation for security


Bad Software is Everywhere

NASA Mars Lander (cost $165 million)
  o Crashed into Mars
  o Error in converting English and metric units
Denver airport
  o Buggy baggage handling system
  o Delayed airport opening by 11 months
  o Cost of delay exceeded $1 million/day
MV-22 Osprey
  o Advanced military aircraft
  o Lives have been lost due to faulty software


Software Issues

Attackers
  o Actively look for bugs and flaws
  o Like bad software…
  o …and try to make it misbehave
  o Attack systems thru bad software

“Normal” users
  o Find bugs and flaws by accident
  o Hate bad software…
  o …but must learn to live with it
  o Must make bad software work


Complexity

“Complexity is the enemy of security”, Paul Kocher, Cryptography Research, Inc.

system          Lines of code (LOC)
Netscape        17,000,000
Space shuttle   10,000,000
Linux           1,500,000
Windows XP      40,000,000
Boeing 777      7,000,000

A new car contains more LOC than was required to land the Apollo astronauts on the moon


Buffer Overflow Attack Scenario

Users enter data into a Web form
Web form is sent to server
Server writes data to buffer, without checking length of input data
Data overflows from buffer
Sometimes, overflow can enable an attack
Web form attack could be carried out by anyone with an Internet connection


Buffer Overflow

Q: What happens when this is executed?

int main(){
    int buffer[10];      /* valid indices are 0 through 9 */
    buffer[20] = 37;     /* writes past the end of the array */
}

A: Depending on what resides in memory at location “buffer[20]”
  o Might overwrite user data or code
  o Might overwrite system data or code


Simple Buffer Overflow

Consider boolean flag for authentication
Buffer overflow could overwrite flag allowing anyone to authenticate!

[Figure: buffer holding “F O U R S C …” adjacent to the boolean flag, whose value changes from F to T]

In some cases, attacker need not be so lucky as to have overflow overwrite flag
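
The flag overwrite described on this slide, modelled as an added C example (not code from the original slides), with the corrected length check next to the flawed copy. The struct layout, the 8-byte buffer and the names copy_unchecked, copy_checked and flag_after are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the slide's picture: the authentication flag sits
 * directly after the input buffer (no padding between char members). */
struct login_frame {
    char buffer[8];
    unsigned char authenticated;            /* 0 = F, nonzero = T */
};

/* Flawed copy: never compares len with sizeof(buffer). The write goes
 * through the struct's own bytes and is clamped to the struct size, so
 * the demonstration is well-defined C yet still spills into the flag. */
int copy_unchecked(struct login_frame *f, const char *in, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f + offsetof(struct login_frame, buffer), in, len);
    return 0;
}

/* Corrected copy: input longer than the buffer is rejected outright. */
int copy_checked(struct login_frame *f, const char *in, size_t len)
{
    if (len > sizeof f->buffer)
        return -1;
    memcpy(f->buffer, in, len);
    return 0;
}

/* Feed input to a fresh unauthenticated frame; report the flag afterwards. */
int flag_after(int (*copy)(struct login_frame *, const char *, size_t),
               const char *in)
{
    struct login_frame f;
    memset(&f, 0, sizeof f);
    copy(&f, in, strlen(in));
    return f.authenticated != 0;
}

int main(void)
{
    printf("unchecked, 4 bytes: flag=%d\n", flag_after(copy_unchecked, "FOUR"));
    printf("unchecked, 9 bytes: flag=%d\n", flag_after(copy_unchecked, "FOURSCORE"));
    printf("checked,   9 bytes: flag=%d\n", flag_after(copy_checked, "FOURSCORE"));
    return 0;
}
```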


Memory Organization

Text == code
Data == static variables
Heap == dynamic data
Stack == “scratch paper”
  o Dynamic local variables
  o Parameters to functions
  o Return address

[Figure: memory from low address to high address: text, data, heap, stack, with SP marking the stack]


Simplified Stack Example

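void func(int a, int b){
    char buffer[10];    /* local variable, allocated on the stack */
}

int main(){
    func(1, 2);         /* arguments and return address go on the stack */
    return 0;
}

[Figure: stack from low to high: buffer, ret (return address), a, b; SP shown at successive positions]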


Smashing the Stack

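What happens if buffer overflows?
Program “returns” to wrong location
A crash is likely

[Figure: stack from low to high: buffer, ret, a, b; the overflow runs from buffer over ret, so ret no longer holds the return address (“ret… NOT!”) and points to an unknown location (???)]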


Smashing the Stack

Attacker has a better idea…
Code injection
Attacker can run any code on affected system!

[Figure: stack from low to high with evil code in place of buffer, then ret, a, b; ret points to the evil code]


Smashing the Stack

Attacker may not know
  o Address of evil code
  o Location of ret on stack
Solutions
  o Precede evil code with NOP “landing pad”
  o Insert lots of new ret

[Figure: stack showing a run of NOPs, then evil code, followed by repeated ret values]


Stack Smashing Summary

A buffer overflow must exist in the code
Not all buffer overflows are exploitable
  o Things must line up correctly
If exploitable, attacker can inject code
Trial and error likely required
  o Lots of help available online
  o Smashing the Stack for Fun and Profit, Aleph One
Also possible to overflow the heap
Stack smashing is “attack of the decade”


Stack Smashing Example

Program asks for a serial number that the attacker does not know
Attacker also does not have source code
Attacker does have the executable (exe)
Program quits on incorrect serial number


Example

By trial and error, attacker discovers an apparent buffer overflow
Note that 0x41 is “A”
Looks like ret overwritten by 2 bytes!


Example

Next, disassemble bo.exe to find

The goal is to exploit buffer overflow to jump to address 0x401034


Example

Find that 0x401034 is “@^P4” in ASCII
Byte order is reversed? Why?
X86 processors are “little-endian”


Example

Reverse the byte order to “4^P@” and…

Success! We’ve bypassed serial number check by exploiting a buffer overflow

Overwrote the return address on the stack


Example

Attacker did not require access to the source code

Only tool used was a disassembler to determine address to jump to
  o Can find address by trial and error
  o Necessary if attacker does not have exe
  o For example, a remote attack


Example

Source code of the buffer overflow

Flaw easily found by attacker

Even without the source code!


Malicious Software

Malware is not new!
Fred Cohen’s initial virus work in 1980’s
  o Used viruses to break MLS systems
Types of malware (lots of overlap)
  o Virus: passive propagation
  o Worm: active propagation
  o Trojan horse: unexpected functionality
  o Trapdoor/backdoor: unauthorized access
  o Rabbit: exhaust system resources


SQL Slammer

Infected 250,000 systems in 10 minutes!

Code Red took 15 hours to do what Slammer did in 10 minutes

At its peak, Slammer infections doubled every 8.5 seconds

Slammer spread too fast
“Burned out” available bandwidth


SQL Slammer

Why was Slammer so successful?
  o Worm fit in one 376 byte UDP packet
  o Firewalls often let small packet thru, assuming it could do no harm by itself
  o Then firewall monitors the connection
  o Expectation was that much more data would be required for an attack
  o Slammer defied assumptions of “experts”


Polymorphic Malware

Polymorphic worm (usually) encrypted
New key is used each time worm propagates
  o The encryption is weak (repeated XOR)
  o Worm body has no fixed signature
  o Worm must include code to decrypt itself
  o Signature detection searches for decrypt code
Detectable by signature-based method
  o Though more challenging than non-polymorphic…
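
Why the signature has to target the decrypt code, as an added C example that is not part of the original slides: the stub marker, body text, keys and function names are constructed placeholders, not real malware bytes. A scan for a cleartext body signature misses every re-keyed copy, while a scan for the constant decryptor stub matches all of them.

```c
#include <stdio.h>
#include <string.h>

/* Constructed placeholders: a marker standing in for the decrypt code and
 * plain text standing in for the worm body. Neither is real code. */
static const unsigned char STUB[] = "<<xor-decrypt-loop>>";
static const unsigned char BODY[] = "constructed body, benign sample text";
#define STUB_LEN (sizeof STUB - 1)
#define BODY_LEN (sizeof BODY - 1)

/* One generation: cleartext stub, then the body under repeated XOR. */
size_t make_sample(unsigned char *out, const unsigned char *key, size_t klen)
{
    memcpy(out, STUB, STUB_LEN);
    for (size_t i = 0; i < BODY_LEN; i++)
        out[STUB_LEN + i] = BODY[i] ^ key[i % klen];
    return STUB_LEN + BODY_LEN;
}

/* Naive signature scan: 1 if sig occurs anywhere in data. */
int contains(const unsigned char *data, size_t n,
             const unsigned char *sig, size_t m)
{
    for (size_t i = 0; m > 0 && i + m <= n; i++)
        if (memcmp(data + i, sig, m) == 0)
            return 1;
    return 0;
}

/* Scan three generations, each encrypted under a different key. */
int count_hits(const unsigned char *sig, size_t m)
{
    const char *keys[] = { "\x9a\xc3", "\x91\x9e\xf7", "\xf0\x8d\xaa\xc2" };
    unsigned char sample[128];
    int hits = 0;
    for (size_t k = 0; k < 3; k++) {
        size_t n = make_sample(sample, (const unsigned char *)keys[k],
                               strlen(keys[k]));
        hits += contains(sample, n, sig, m);
    }
    return hits;
}

int main(void)
{
    printf("body signature hits: %d of 3\n", count_hits(BODY, 8));
    printf("stub signature hits: %d of 3\n", count_hits(STUB, STUB_LEN));
    return 0;
}
```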


Metamorphic Malware

A metamorphic worm mutates before infecting a new system
Such a worm can avoid signature-based detection systems
The mutated worm must do the same thing as the original
And it must be “different enough” to avoid detection
Detection is currently unsolved problem


Metamorphic Worm

To replicate, the worm is disassembled
Worm is stripped to a base form
Random variations inserted into code
  o Rearrange jumps
  o Insert dead code
  o Many other possibilities
Assemble the resulting code
Result is a worm with same functionality as original, but very different signature


Warhol Worm

“In the future everybody will be world-famous for 15 minutes” Andy Warhol
A Warhol Worm is designed to infect the entire Internet in 15 minutes
Slammer infected 250,000 systems in 10 minutes
  o “Burned out” bandwidth
  o Slammer could not have infected all of Internet in 15 minutes: too bandwidth intensive

Can a worm do “better” than Slammer?


Warhol Worm

One approach to a Warhol worm…
Seed worm with an initial hit list containing a set of vulnerable IP addresses
  o Depends on the particular exploit
  o Tools exist for finding vulnerable systems
Each successful initial infection would attack selected part of IP address space
No worm this sophisticated has yet been seen in the wild (as of 2004)
  o Slammer generated random IP addresses

Could infect entire Internet in 15 minutes!


Flash Worm

Possible to do “better” than Warhol worm?
Can entire Internet be attacked in < 15 min?
Searching for vulnerable IP addresses is slow part of any worm attack
Searching might be bandwidth limited
  o Like Slammer
A “flash worm” is designed to infect entire Internet almost instantly


Flash Worm

Predetermine all vulnerable IP addresses
  o Depends on the particular exploit
Embed all known vulnerable addresses in worm
Result is a huge worm (perhaps 400KB)
Whenever the worm replicates, it splits
Virtually no wasted time or bandwidth!

[Figure: tree showing the original worm splitting into 1st generation and 2nd generation copies]


Flash Worm

Estimated that an ideal flash worm could infect the entire Internet in 15 seconds!
Much faster than humans could respond
How to defend against this?