slides (PowerPoint)

Download Report

Transcript slides (PowerPoint)

Vulnerabilities
CSE 525 – Paper Presentation
Winter 2004
Robert Nesius
Agenda



Practical attacks against wireless network
protocols (Supplemental Paper #1)
Exploiting Algorithmic Complexity
(Supplemental Paper #2).
Analysis of growth rates for Flash Worms,
proposal for dealing with future threats more
efficiently (Primary Paper).
Beating up on 802.11 some more.

802.11 Denial-of-Service Attacks: Real
Vulnerabilities & Practical Solutions



August, 2003
John Bellardo – Graduate student, UCSD
Stefan Savage – Assistant Professor,
UCSD
Key Points




Very practical paper
Authors describe some attacks, then
implement them on commodity
hardware!
Attacks are shown in action.
Propose non-cryptographic solutions.
Attack: Deauthentication
Attacker sends arbitrary deauthenticate message

Can target one host Client
Attacker
AP

Or everyone
Auth req

root cause – no
auth resp
mutual authentication on
assoc. req
session-management
assoc resp.
frames.

Fix – APs take waitdeauth
and-see approach.
Data

Attacks Identity

Deauth
More Attacks



Disassociation – exactly like deauthentication attack
but not as severe. (Identity)
Energy-Saver mode – disrupt timing on
synchronized wake-ups.
Media Access Vulnerabilities.





All 802.11 packets have a duration field.
Use RTS/CTS dialogs to “reserve channel”
Keep reserving it – never let anyone talk…
In practice – does not work due to poor standards
conformance. (Worked fine in simulation. So what?)
Collision Avoidance Attack

Very power-hungry attack (50,000 packets/sec.)
Summary of 802.11b bashing





Attacks are practical and feasible
Beware the Pocket-PC-of-Death
There are some workarounds
The workarounds have problems too.
Real solution is cryptographically secure
mutual authentication


See CSE 506scp for further details on
complications in this area.
Secure Protocol Design is HARD!
Algorithmic Complexity Attacks

Denial of Service Via Algorithmic
Complexity Attacks




Published 2003.
Scott A. Crosby – First Year PhD student.
Dan S. Wallach – Assistant Professor
Rice University
Big Idea: Hash Smashing



Hashes used by many internet
applications because of on-average
constant time lookups.
Evil input can induce quadratic O(n^2)
performance.
Evil input streams can be very small


¼ of dialup connection!
Similar to SSL RSA-Decryption DOS.
Generators



Generators are strings that yield a
given hash result, no matter the
number of times concatenated.
h(x) =0, h(xx) = 0, h(xxx) = 0.
Hash algorithms must be deterministic.
Applications of Algorithmic
Complexity Attacks






IDS systems use hash’s of IP addresses.
BOS (an Open Source IDS system) uses a
deterministic hash.
Send evil-packets to tie up BOS.
OS on BOS system starts dropping packets.
Launch real attack – no forensics evidence
is collected.
Paper demonstrated 16kbs stream DOS’d a
450Mghz Pentium-based IDS system.
Defenses

For binary-tree based algorithms:


use algorithms with guaranteed worst case
complexity. (Red-Black trees, etc…)
For Hashes:




use Universal Hashes
Parameters of the hashing function are
determined (randomly) at run-time.
Have been around since 1975.
Perform comparably to perl (slightly slower, but
safer).
“0wning” the Internet.

How to 0wn the Internet in Your Spare Time.

Stuart Staniford – Silicon Defense






MS in CS, PhD in Physics – UC Davis.
Vern Paxson – ICSI Center for Internet
Research. Senior Scientist @ LBNL.
Nicholas Weaver – UC Berkeley – PhD
Candidate
Talks about worm propagation
Concludes with high-level considerations
Published 2002.
I have a Dream… (Scream?)

One million 0wned host “End-of-Days”
scenario. (Wishful thinking? Or boring?)



Code Red – 359,000 hosts.
Slammer – 75,000 hosts (worse than CR)
Growth patterns



Logistics Equation – Governs the rate of growth
in a finite system when all entities are equally
likely to infect each other.
Used by CDC to monitor epidemics.
Code Red exhibited this. *gasp*
Growth Rates

Proposition



Given high-bandwidth nodes for initial
propagations, and enough initial high-probability
targets…
A flash worm could infect the target population
on the Internet in 15 minutes.
Kudos: Within one year, Slammer reached
peak scan-rates in 3 minutes.

Slammer was throttled by bandwidth constraints.

http://www.cs.ucsd.edu/~savage/papers/IEEESP03.pdf
Better Worm Practices





Hit-List – (high-probability targets, built via
stealth scans perhaps.)
Permutation Scanning (Divide and Conquer)
Warhol Worm - Hit-List + Permutation
Scanning
Topology based – Lower latencies.
Flash Worm – Conclusion based on above
analysis is that a “tight” worm with a good
hit-list could take down the population in
10’s of seconds.
Stealth Worms




Biological Metaphor extended:
Contagion
Infection occurs “in-band” with normal
communications.
Can escape detection by IDS systems.
Note the Peer-to-Peer infrastructure
could be particularly vulnerable to this.

Good analysis of KaZaA.
Programmatic Control & Updates

Two methods proposed.




Turn worms into peer-to-peer network to
pass updates around.
Or use a pull methodology to retrieve
instructions.
Authors don’t mention that this makes it
highly more likely the perp will be caught.
Floppy-disk virii from the ‘old days’?
Cyber “Center for Disease Control”


National-scale Defense (Homeland Security?)
Real CDC Mission – Monitor national and world-wide
progression of diseases, identify new threats… Authors
propose:







Identify Outbreaks – establish Comm channels, Automate
detection.
Rapidly Analyze Pathogens.
Fight Infections - Manage patches/Network devices?
Anticipate New Vectors – (All previous worms used known
exploits).
Devise Detectors – (being done commercially?)
Resist Future Threats – (Enforcing patching most effective
approach?)
Openness – Suggest partially open model for collaboration.

Raises trust issues/ Diminishes Effectiveness (CERT).
Summary





Denial-of-Service attacks exist in all aspects
of computing.
Low-bandwidth attack vectors exist, and
flash worms are a reality.
Wireless networks are hopelessly insecure.
One glaring root-cause not addressed –
unpatched systems.
This problem is not going away any time
soon.