Advanced Operating Systems, CSci555
Download
Report
Transcript Advanced Operating Systems, CSci555
USC CSci530
Computer Security Systems
Lecture notes
Fall 2006
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Administration
http://ccss.usc.edu/530
• Mid-term should be graded by
Wednesday.
• Assignment 2 due tonight.
• Working on responses to proposal in
order received.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
CSci530:
Security Systems
Lecture 10 – October 27, 2006
Countermeasures
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Exam Discussion Q1
•
•
•
•
•
•
•
DES CBC weak conf, weak integ
RSA private no Conf, w/s integ
RSA public key w/s Conf, no integ
One Time Pad Prov conf, no integ
AES CBC strong conf, stong integ
AES OFB stong conf, no integ
B) explained in class and lab.
– Session key and checksum
– Both pub and private keys
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Exam Discussion Q2
• Bob’s approach, typical problems with
key management.
• Alice’s approach requires whole
company to have company private key
• Improvements: Company decrypts, then
encrypts.
• Need way for signing individually,
perhaps company becomes a subornate
CA.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Exam Discussion Q3
• X-realm Kerberos: all intermediate KDC’s
• PGP: Those signing keys, holder of the key
too, and the systems on which they run.
• Online Banking: Verisign, other CA’s, thebank
itself.
• PK SSH: The storage site for the authorized
keys file. The users system can compromise
private keys.
• Trusted Computing: Hardware, OS, Software,
certifiers, software development organizations.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Exam Discussion Q4
• They might have to move toward something you have.
• Registration process may involve issuing hardware.
• Separate the authentication services from the heavily
accessed data services.
• Could register users, and authorize access to characters,
or register characters as separate entities.
• Should allow interim registration without hardware so that
one doesn’t limit impulse signups.
• Require hardware when requested operations have value –
e.g. after a character has built up value by playing.
• As hardware authentication is more prevalent, then users
will already have token.
Lots more here, but answers for many details can
vary widely and still be correct.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Intrusion Everything
• Intrusion Prevention
– Marketing buzzword
– Good practices fall in this category
▪ We will discuss network architectures
▪ We will discuss Firewalls
– Intrusion detection (next week)
▪ Term used for networks
▪ But applies to host as well
– Tripwire
– Virus checkers
– Intrusion response (part now, part next week)
▪ Evolving area
– Anti-virus tools have a response component
– Can be tied to policy tools
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Architecture: A first step
• Understand your application
– What is to be protected
– Against which threats
– Who needs to access which apps
– From where must the access it
• Do all this before you invest in the
latest products that salespeople will
say will solve your problems.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
What is to be protected
• Is it the service or the data?
– Data is protected by making it less
available
– Services are protected by making
them more available (redundancy)
– The hardest cases are when one
needs both.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Classes of Data
• Decide on multiple data classes
– Public data
– Customer data
– Corporate data
– Highly sensitive data
(not total ordering)
• These will appear in different parts of
the network
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Classes of Users
• Decide on classes of users
– Based on the access needed to the
different classes of data.
• You will architect your system and
network to enforce policies at the
boundaries of these classes.
– You will place data to make the
mapping as clean as possible.
• You will manage the flow of data
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Example
• Where will you place your companies
public web server, so that you can be
sure an attacker doesn’t hack your site
and modify your front page?
• Where will you place your customer’s
account records so that they can view
them through the web?
– How will you get updates to these
servers?
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Other Practices
• Run Minimal Systems
– Don’t run services you don’t need
• Patch Management
– Keep your systems up to date on the current
patches
– But don’t blindly install all patches right away
either.
• Account management
– Strong passwords, delete accounts when
employees leave, etc.
• Don’t rely on passwords alone
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
How to think of Firewalled Network
Crunchy on the outside.
Soft and chewy on the inside.
– Bellovin and Merrit
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Firewalls
• Packet filters
– Stateful packet filters
▪ Common configuration
• Application level gateways or Proxies
– Common for corporate intranets
• Host based software firewalls
– Manage connection policy
• Virtual Private Networks
– Tunnels between networks
– Relationship to IPsec
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Packet Filter
• Most common form of firewall and what one
normally thinks of
• Rules define what packets allowed through
– Static rules allow packets on particular ports
and to and from outside pairs of addresses.
– Dynamic rules track destinations based on
connections originating from inside.
– Some just block inbound TCP SYN packets
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Network Address Translation
• Many home firewalls today are NAT boxes
– Single address visible on the outside
– Private address space (net 10, 192.168) on the
inside.
• Hides network structure, hosts on inside are not
addressable.
– Box maps external connections established
from inside back to the private address space.
• Servers require persistent mapping and manual
configuration.
– Many protocols, including attacks, are designed
to work through NAT boxes.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Application FW or Proxies
• No direct flow of packets
– Instead, connect to proxy with application protocol.
– Proxy makes similar request to the server on the outsdide.
• Advantage
– Can’t hide attacks by disguising as different protocol.
– But can still encapsulate attack.
• Disadvantage
– Can’t do end to end encryption or security since packets
must be interpreted by the proxy and recreated.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Host Based Firewalls
• Each host has its own firewall.
– Closer to the data to be protected
– Avoids the chewy on the inside problem in that
you still have a boundary between each
machine and even the local network.
• Problems
– Harder to manage
– Can be manipulated by malicious applications.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Virtual Private Networks
• Extend perimeter of firewalled networks
– Two networks connected
– Encrypted channel between them
– Packets in one zone tunneled to other and
treated as originating within same perimeter.
• Extended network can be a single machine
– VPN client tunnels packets
– Gets address from VPN range
– Packets encrypted in transit over open network
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
IPSec
• IP Security (IPsec) and the security features
in IPv6 essentially move VPN support into
the operating system and lower layers of
the protocol stack.
• Security is host to host, or host to network,
or network to network as with VPN’s
– Actually, VPN’s are rarely used host to
host, but if the network had a single host,
then it is equivalent.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Attack Paths
• Many attacks today are staged from
compromised machines.
– Consider what this means for network
perimeters, firewalls, and VPN’s.
• A host connected to your network via a
VPN is an unsecured perimeter
– So, you must manage the endpoint even
if it is your employees home machine.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Defense in Depth
• One should apply multiple firewalls at
different parts of a system.
– These should be of different types.
• Consider also end to end approaches
– Data architecture
– Encryption
– Authentication
– Intrusion detection and response
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Protecting the Inside
• Firewalls are better at protecting
inward threats.
– But they can prevent connections to restricted
outside locations.
– Application proxies can do filtering for allowed
outside destinations.
– Still need to protect against malicious code.
• Standalone (i.e. not host based) firewalls provide
stronger self protection.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
Virus Checking
• Signature based
– Looks for known indicators in files
– Real-time checking causes files to be scanned
as they are brought over to computer (web
pages, email messages) or before execution.
– On server and client
• Activity based
– Related to firewalls, if look for communication
– Alert before writing to boot sector, etc.
• Defenses beyond just checking
– Don’t run as root or admin
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
16
CSci530:
Security Systems
Lecture 11 – November 03, 2006
Intrusion Detection and Response
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Intrusion Types
• External attacks
– Password cracks, port scans,
packet spoofing, DOS attacks
• Internal attacks
– Masqueraders, Misuse of privileges
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Attack Stages
• Intelligence gathering
– attacker observes the system to determine
vulnerabilities (e.g, port scans)
• Planning
– decide what resource to attack and how
• Attack execution
– carry out the plan
• Hiding
– cover traces of attack
• Preparation for future attacks
– install backdoors for future entry points
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Intrusion Detection
• Intrusion detection is the problem of
identifying unauthorized use, misuse,
and abuse of computer systems by
both system insiders and external
penetrators
• Why Is IDS Necessary?
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
IDS types
• Detection Method
– Knowledge-based (signature-based ) vs
behavior-based (anomaly-based)
• Behavior on detection
– passive vs. reactive
• Deployment
– network-based, host-based and
application -based
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Components of ID systems
• Collectors
– Gather raw data
• Director
– Reduces incoming traffic and finds
relationships
• Notifier
– Accepts data from director and takes
appropriate action
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Advanced IDS models
• Distributed Detection
– Combining host and network
monitoring (DIDS)
– Autonomous agents
(Crosbie and Spafford)
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Intrusion Response
• Intrusion Prevention
– (marketing buzzword)
• Intrusion Response
– How to react when an intrusion is
detected
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Possible Responses
– Notify administrator
– System or network lockdown
– Place attacker in controlled environment
– Slow the system for offending processes
– Kill the process
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Phase of Response
(Bishop)
– Preparation
– Identification
– Containment
– Eradication
– Recovery
– Follow up
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
PREPARATION
• Generate baseline for system
– Checksums of binaries
▪ For use by systems like tripwire
• Develop procedures to follow
• Maintain backups
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
IDENTIFICATION
• This is the role of the ID system
– Detect attack
– Characterize attack
– Try to assess motives of attack
– Determine what has been affected
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
CONTAINMENT
• Passive monitoring
– To learn intent of attacker
– Learn new attack modes so one can defend
against them later
• Constraining access
– Locking down system
– Closing connections
– Blocking at firewall, or closer to source
• Combination
– Constrain activities, but don’t let attacker know
one is doing so (Honeypots, Jail).
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
ERADICATION
• Prevent attack or effects of attack from
recurring.
– Locking down system (also in
containment phase)
– Blocking connections at firewall
– Isolate potential targets
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
RECOVERY
• Restore system to safe state
– Check all software for backdoors
– Recover data from backup
– Reinstall but don’t get re-infected before
patches applied.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
FOLLOWUP
• Take action against attacker.
– Find origin of attack
• Notify other affected parties
– Some of this occurs in earlier
phases as well
• Assess what went wrong and
correct procedures.
• Find buggy software that was
exploited and fix
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Limitations of Monolithic ID
•
•
•
•
Single point of failure
Limited access to data sources
Only one perspective on transactions
Some attacks are inherently distributed
– Smurf
– DDoS
• Conclusion: “Complete solutions” aren’t
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Sharing Information
• Benefits
– Increased robustness
– More information for all components
– Broader perspective on attacks
– Capture distributed attacks
• Risks
– Eavesdroppers, compromised
components
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Sharing Information
• Communication risks can be
resolved cryptographically (at least
in part)
• Defining appropriate level of
expression
– Efficiency
– Expressivity
– Specificity
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
CIDF
• Common Intrusion Detection
Framework
– Collaborative work of DARPAfunded projects in late 1990s
– Task: Define language, protocols
to exchange information about
attacks and responses
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
CISL
• Common Intrusion Specification
Language
– Conveys information about attacks
using ordinary English words
– E.g., User joe obtains root access
on demon.example.com at 2003
Jun 12 14:15 PDT
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
CISL
• Problem: Parsing English is hard
• S-expressions (Rivest)
– Lisp-like grouping using parentheses
– Simplest examples: (name value) pairs
(Username ‘joe’)
(Hostname ‘demon.example.com’)
(Date ‘2003 Jun 12 14:15 PDT’)
(Action obtainRootAccess)
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
CISL
• Problems with simple pairs
– Confusion about roles played by entities
▪ Is joe an attacker, an observer, or a
victim?
▪ Is demon.example.com the source or
the target of the attack?
– Inability to express compound events
▪ Can’t distinguish attackers in multiple
stages
• Group objects into GIDOs
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
CISL: Roles
• Clarifies roles identified by descriptors
(Attacker
(Username ‘joe’)
(Hostname ‘carton.example.com’)
(UserID 501)
)
(Target
(Hostname ‘demon.example.com’)
)
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
CISL: Verbs
• Permit generic description of actions
(Compromise
(Attacker …)
(Observer
(Date ‘2003 Jun 12 14:15 PDT’)
(ProgramName ‘GrIDSDetector’)
)
(Target …)
)
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
CISL: Conjunctions
• Permit expression of compound
events
– HelpCause: Indicates partial
causality
– InOrder: Indicates sequencing
– AsAWayOf: Indicates multiple
views of the same attack
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
CISL: Open S-expressions
• Lambda calculus-like macros
(def CompromiseHost $1 $2 $3
(Compromise
(Attacker (Username $1))
(Target (Hostname $2))
(Observer (Date $3))
)
)
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
CISL: Open S-expressions
• Originally defined to reduce payload
• Also usable for database queries
– Look for all records matching
‘CompromiseHost’
– Difficulty: Store expanded form or
macro form in database?
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Testing CISL
• CISL is expressive, leading to questions
– Is it ambiguous?
▪ Does a given GIDO have more than
one interpretation?
– Is it overbuilt?
▪ Is there more than one GIDO that
expresses the same thing (aside from
reordering)?
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Testing CISL
• GIDO Bake-offs
– June 1999: Demonstration of simple
corroboration
– October 2000: Semantic testing
▪ Group A: Devised
scenarios/questions
▪ Group B: Only knows scenarios,
creates GIDOs
▪ Group C: Only knows questions,
receives GIDOs
▪ Three levels: Easy, medium, gnarly
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Lessons from CISL
• Lessons from testing,
standardization efforts
– Heavyweight
– Not ambiguous, but too many
ways to say the same thing
– Mismatch between what CISL can
say and what detectors/analyzers
can reliably know
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Enter IDWG
• Intrusion Detection Working Group
– WG of Internet Engineering Task
Force
– Chief product: IDMEF
▪ Intrusion Detection Message
Exchange Format
▪ Driven by many CIDF
participants
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
IDMEF
• XML-based; defines DTD for ID
• Reduced vocabulary
– Roles reduced to analyzer (observer),
source, target
– Extra information for identifying
exploits, buffer overflows
– Provision for indicating that previous
alerts are related
– No provision for response prescriptions
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
IDWG Status
• IDMEF (and other IDWG drafts)
– Submitted to IESG for
advancement to IETF Draft
Standard (as standards-track RFC)
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Current Event
From SlashDot, October 25
The Register is reporting on the new 'Extended
Validation SSL' cert currently being touted by
Verisign. Vista and IE7 will be using this but not,
apparently, Firefox anytime soon. For this the
Verisign Product Marketing Director Tim Callan
squarely blames the Firefox dev team for 'not
keeping up' with their new technology. However, the
whole thing just seems to be a way for Verisign to
enjoy ridiculous markup on selling 'more secure'
certs."
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE