Security and Privacy


CS 4700 / CS 5700
Network Fundamentals
Lecture 20: Malware and Tinfoil Hats
(Parasites, Bleeding hearts and Spies)
Some slides stolen from Vern Paxson (ICSI) and Stefan Savage (UCSD)
Course Evaluations
Please do them!
◦ It’s important for me to get feedback
◦ You will help NU improve courses
TRACE can be taken on smartphones and tablets
◦ Completely anonymous
◦ Open through 11:59 PM on Fri, Dec 16, 2016 EST
Final exam
In class
Closed notes, closed book, phones off
3 hours
No calculator needed
I’ll post a study guide this week
◦ All topics are eligible (cumulative)
◦ But of course it will focus more on material since the midterm
◦ Papers, video lectures are on the table
Motivation
Internet currently used for important services
◦ Financial transactions, medical records
Increasingly used for critical services
◦ 911, surgical operations, water/electrical system control,
remote controlled drones, etc.
Networks more open than ever before
◦ Global, ubiquitous Internet, wireless
Malicious Users
Miscreants, e.g. LulzSec
◦ In it for thrills, street cred, or just to learn
◦ Defacing web pages, spreading viruses, etc.
Hacktivists, e.g. Anonymous
◦ Online political protests
◦ Stealing and revealing classified information
Organized Crime
◦ Profit driven, online criminals
◦ Well organized, divisions of labor, highly motivated
Network Security Problems
Host Compromise
◦ Attacker gains control of a host
◦ Can then be used to try and compromise others
Denial-of-Service
◦ Attacker prevents legitimate users from gaining service
Attack can be both
◦ E.g., host compromise that provides resources for denial-of-service
Definitions
Virus
◦ Program that attaches itself to another program and spreads when that program runs
Worm
◦ Standalone program that replicates itself over the network
◦ Usually relies on a remote exploit (e.g. buffer overflow) to get onto new hosts
Rootkit
◦ Program that infects the operating system (or even lower, e.g. firmware)
◦ Used for privilege elevation, and to hide files/processes from the machine's owner
Trojan horse
◦ Program that looks legitimate but carries hidden functionality, typically a "back door"
◦ Gives the attacker remote access to the infected machine
Botnet
◦ A large group of Trojaned machines, controlled en masse through a command-and-control channel
◦ Used for sending spam, DDoS, click-fraud, etc.
Outline
 WORMS
 Basics
 HEARTBLEED
 PRIVACY
 Anonymous communication
 Mobile privacy (if time)
Host Compromise
One of the earliest major Internet security incidents
◦ Internet (Morris) Worm (1988): infected a large share of the Internet's BSD-derived
(VAX and Sun) hosts, roughly 10% of the ~60,000 machines then connected
Today: estimated that a single worm could compromise 10M hosts in < 5 min
Attacker gains control of a host, and can then
◦ Read data
◦ Erase data
◦ Compromise another host
◦ Launch denial-of-service attacks on another host
Host Compromise: Stack Overflow
Typical code has many bugs, because those bugs are never
triggered by common input
Network code is especially exposed because it accepts input from
anyone on the network
Network code that runs with high privileges (e.g., as root) is
especially dangerous
◦ E.g., a web server, or the fingerd daemon the 1988 worm overflowed
Example
What is wrong with this code?
[Figure: packet layout; the byte at offset 34 holds name_len, followed by the name bytes]

// Copy a variable length user name from a packet
#define MAXNAMELEN 64
int offset = OFFSET_USERNAME;
char username[MAXNAMELEN];
int name_len;
name_len = packet[offset];                        // length is taken from the packet
memcpy(username, &packet[offset + 1], name_len);  // never compared with MAXNAMELEN
Example
[Figure: the same packet; name_len at offset 34, followed by the name]

void foo(char *packet) {
#define MAXNAMELEN 64
    int offset = OFFSET_USERNAME;
    char username[MAXNAMELEN];
    int name_len;
    name_len = packet[offset];
    memcpy(username, &packet[offset + 1], name_len);
    …
}

[Stack diagram (Christo Wilson): foo's frame grows downward from address X. The
saved return address of foo sits at X, int offset at X-4, int name_len at X-8,
and char username[] occupies the 64 bytes below that, from X-72 (X minus
MAXNAMELEN + 8) up to X-8. A name longer than 64 bytes runs off the end of
username[] over name_len, offset and the return address, which the attacker
points at the malicious assembly instructions carried in the name itself.]
Effect of Stack Overflow
Write past the end of a buffer on the stack (or heap)
◦ Attacker-supplied bytes land in adjacent memory, including the saved return address
◦ When the function returns, execution jumps to arbitrary (attacker-supplied) code
Worm
◦ Probes host for vulnerable software
◦ Sends bogus input that triggers the overflow
◦ Attacker can do anything that the privileges of the buggy program
allow
 Launches copy of itself on compromised host
◦ Spread at exponential rate
◦ 10M hosts in < 5 minutes
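An added example, not code from the lecture: the slide's copy routine run against a simulated frame laid out like the stack diagram, so the overwrite of the saved return address can be observed without crashing the process, next to a hardened copy with the checks the slide's code lacks. OFFSET_USERNAME = 34 is taken from the packet diagram; the frame struct, the packet contents and the function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not lecture code. OFFSET_USERNAME = 34 follows the packet
 * diagram (name_len byte, then the name); the frame layout follows the stack
 * diagram. Packet contents and names are constructed for illustration. */
#define MAXNAMELEN      64
#define OFFSET_USERNAME 34

/* foo()'s frame as drawn: username[] lowest, then name_len and offset, then the
 * saved return address above them (64 + 4 + 4 + 8 = 80 bytes, no padding). */
struct frame {
    char     username[MAXNAMELEN];
    int      name_len;
    int      offset;
    uint64_t ret_addr;
};

/* Byte view of the same frame, so the simulated overflow stays inside one
 * object instead of smashing this program's real stack. */
union stack_slot {
    struct frame  f;
    unsigned char raw[sizeof(struct frame)];
};

/* The slide's copy: name_len comes from the packet and is never compared with
 * MAXNAMELEN, so memcpy runs past username[] (raw[0..63]) over name_len,
 * offset and finally the saved return address. */
void copy_name_vulnerable(union stack_slot *s, const unsigned char *packet)
{
    s->f.offset   = OFFSET_USERNAME;
    s->f.name_len = packet[s->f.offset];
    memcpy(s->raw + offsetof(struct frame, username),
           &packet[s->f.offset + 1], (size_t)s->f.name_len);
}

/* Hardened copy: bound the length by the destination and by the packet before
 * touching memory. Returns the name length, or -1 if the packet is rejected. */
int copy_name_safe(struct frame *f, const unsigned char *packet, size_t packet_len)
{
    size_t off = OFFSET_USERNAME;
    if (off >= packet_len)
        return -1;
    size_t name_len = packet[off];
    if (name_len >= MAXNAMELEN)             /* leave room for the NUL */
        return -1;
    if (off + 1 + name_len > packet_len)    /* don't read past the packet either */
        return -1;
    memcpy(f->username, &packet[off + 1], name_len);
    f->username[name_len] = '\0';
    return (int)name_len;
}

/* Constructed packet: zeroed header, name_len at OFFSET_USERNAME, then the name. */
static size_t build_packet(unsigned char *pkt, unsigned char name_len,
                           const unsigned char *name)
{
    memset(pkt, 0, OFFSET_USERNAME);
    pkt[OFFSET_USERNAME] = name_len;
    memcpy(&pkt[OFFSET_USERNAME + 1], name, name_len);
    return OFFSET_USERNAME + 1 + name_len;
}

/* Attack input, 80 bytes: 64 'A's fill username[], 8 more clobber name_len and
 * offset, the last 8 ('B's) land exactly on the saved return address. */
uint64_t demo_vulnerable_ret_addr(void)
{
    unsigned char name[sizeof(struct frame)];
    memset(name, 'A', sizeof name);
    memset(name + offsetof(struct frame, ret_addr), 'B', sizeof(uint64_t));
    unsigned char pkt[OFFSET_USERNAME + 1 + sizeof(struct frame)];
    build_packet(pkt, (unsigned char)sizeof name, name);

    union stack_slot s;
    memset(&s, 0, sizeof s);
    s.f.ret_addr = 0x1000;              /* stand-in for foo's real return address */
    copy_name_vulnerable(&s, pkt);
    return s.f.ret_addr;                /* 0x4242424242424242: attacker-chosen */
}

/* The same attack packet against the hardened copy: rejected with -1. */
int demo_safe_rejects_attack(void)
{
    unsigned char name[sizeof(struct frame)];
    memset(name, 'A', sizeof name);
    unsigned char pkt[OFFSET_USERNAME + 1 + sizeof(struct frame)];
    size_t len = build_packet(pkt, (unsigned char)sizeof name, name);
    struct frame f = {0};
    return copy_name_safe(&f, pkt, len);
}

int main(void)
{
    printf("vulnerable copy: saved return address is now 0x%016llx\n",
           (unsigned long long)demo_vulnerable_ret_addr());
    printf("hardened copy, same packet: %d (rejected)\n", demo_safe_rejects_attack());
    return 0;
}
```

The 80-byte name is sized to end exactly on the return address so the demonstration stays inside the simulated frame; a real exploit would go on to place code (or a chain of existing gadgets) where that address points. The hardened version checks the length against both the destination buffer and the received packet, since the second check closes the companion over-read bug.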
Worm Spreading
$f(t) = \frac{e^{K(t-T)} - 1}{1 + e^{K(t-T)}}$
f – fraction of hosts infected
K – rate at which one host can compromise others
T – start time of the attack
[Plot: f against t, zero at t = T and rising toward 1]
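An added example, not lecture material, to show where the S-shaped curve comes from: a random-scanning worm over a toy address space, where every infected host sends a fixed number of probes per time step and only probes that land on a not-yet-infected vulnerable address succeed. The address-space size, vulnerable population, scan rate and PRNG seed are constructed values; K in the slide's formula corresponds to scan_rate times the vulnerable fraction of the address space.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not lecture material: a random-scanning worm over a toy
 * address space. Address space size, vulnerable population and scan rate are
 * constructed values chosen to keep the run short. */
#define ADDR_SPACE 100000        /* addresses a probe can land on */
#define MAX_STEPS  200

/* Vulnerable hosts are addresses 0..n_vuln-1; a probe anywhere else is wasted.
 * Each infected host sends scan_rate probes per step, so while almost everyone
 * is still clean each host wins about scan_rate * n_vuln / ADDR_SPACE new
 * victims per step (the K of the slide's formula).
 * Writes the infected count at every step into series[] (size >= max_steps + 1)
 * and returns how many entries were written. */
int simulate_worm(int n_vuln, int scan_rate, unsigned seed,
                  int *series, int max_steps)
{
    unsigned char *infected = calloc((size_t)n_vuln, 1);
    if (!infected)
        return 0;
    srand(seed);
    infected[0] = 1;                     /* patient zero, released at t = T */
    int count = 1, steps = 0;
    while (steps < max_steps && count < n_vuln) {
        series[steps++] = count;
        int probes = count * scan_rate;  /* hosts infected before this step scan */
        for (int p = 0; p < probes; p++) {
            int target = rand() % ADDR_SPACE;
            if (target < n_vuln && !infected[target]) {
                infected[target] = 1;
                count++;
            }
        }
    }
    series[steps++] = count;
    free(infected);
    return steps;
}

/* First step at which at least frac of the vulnerable hosts are infected,
 * or -1 if the series never gets there. */
int step_reaching(const int *series, int steps, int n_vuln, double frac)
{
    for (int i = 0; i < steps; i++)
        if (series[i] >= frac * n_vuln)
            return i;
    return -1;
}

int main(void)
{
    int series[MAX_STEPS + 1];
    int n_vuln = 10000, scan_rate = 10;
    int steps = simulate_worm(n_vuln, scan_rate, 1u, series, MAX_STEPS);
    for (int i = 0; i < steps; i++)
        printf("t=%3d  f=%.3f\n", i, (double)series[i] / n_vuln);
    printf("10%% infected at t=%d, 90%% at t=%d, everyone at t=%d\n",
           step_reaching(series, steps, n_vuln, 0.1),
           step_reaching(series, steps, n_vuln, 0.9),
           step_reaching(series, steps, n_vuln, 1.0));
    return 0;
}
```

With these parameters each infected host finds roughly one new victim per step early on, so the population doubles each step until most targets are already taken, which is the exponential ramp followed by saturation in the plot. The tail is slow for the opposite reason: the last few clean hosts have to be hit by chance among mostly wasted probes.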
Heartbleed Attack
Vulnerability in OpenSSL (CVE-2014-0160), in its implementation of the TLS/DTLS Heartbeat extension
◦ OpenSSL is used by HTTPS, SSH, and many others to encrypt communication; the bug is in
the TLS heartbeat code, so TLS/DTLS services were the ones exposed
Heartbeat attack
◦ Message of form: "Here's some data, echo it back to me"
◦ Takes as input: Data and a length (L); L is a 16-bit field, so L <= 64KB
◦ Echoes back L bytes starting at the data
◦ What's the problem? L is never checked against how many bytes of data actually arrived
Send one byte, claim L = 64KB, get ~64KB of the server's RAM!
◦ Private keys, session cookies, passwords, etc. have been leaked
As described by XKCD
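An added example, not OpenSSL's code: a handler with the shape of OpenSSL's heartbeat processing (type byte, 16-bit payload length, payload, 16 bytes of padding), with the unpatched and patched behaviour selected by a flag, run against a constructed "heap" in which the received record is followed by a made-up secret. The constants, the secret string and the buffer sizes are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code. A heartbeat request is
 * [type:1][payload_length:2][payload][padding:16]. The "heap" is a constructed
 * buffer holding the received record followed by other process memory (a
 * made-up secret) to show what the over-read hands back to the client. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HEAP_SIZE   4096

static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";   /* constructed */

/* patched == 0 reproduces the bug: payload_length is trusted and never compared
 * with rec_len. patched == 1 adds the bounds checks from the fix and silently
 * discards malformed records (returns 0, no response). Otherwise returns the
 * response length, or -1 if the response would not fit in resp. */
int hb_process(const unsigned char *rec, size_t rec_len,
               unsigned char *resp, size_t resp_cap, int patched)
{
    if (patched && rec_len < 1 + 2 + HB_PADDING)
        return 0;
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);     /* n2s(p, payload) */
    p += 2;
    const unsigned char *pl = p;
    if (patched && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                                         /* the missing check */
    if (hbtype != HB_REQUEST)
        return 0;
    if ((size_t)3 + payload + HB_PADDING > resp_cap)      /* models the malloc size */
        return -1;
    unsigned char *bp = resp;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);                /* s2n(payload, bp) */
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);      /* unpatched: reads past the record into the heap */
    bp += payload;
    memset(bp, 0, HB_PADDING);    /* stands in for the random padding */
    return (int)((bp + HB_PADDING) - resp);
}

/* Put a request at the start of the heap that claims `claimed` payload bytes
 * but carries one ('x'), and put the secret right after the record, as the
 * attacker hopes adjacent memory will be. Returns the bytes actually received. */
static size_t place_record(unsigned char *heap, uint16_t claimed)
{
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed >> 8);
    heap[2] = (unsigned char)(claimed & 0xff);
    heap[3] = 'x';
    memset(heap + 4, 0, HB_PADDING);
    size_t rec_len = 1 + 2 + 1 + HB_PADDING;              /* 20 bytes on the wire */
    memcpy(heap + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Run one request against the chosen handler; returns the response length. */
int run_heartbeat(int patched, uint16_t claimed, unsigned char *resp, size_t resp_cap)
{
    unsigned char heap[HEAP_SIZE];
    memset(heap, 0, sizeof heap);
    size_t rec_len = place_record(heap, claimed);
    return hb_process(heap, rec_len, resp, resp_cap, patched);
}

/* 1 if the secret string appears anywhere in the response bytes, else 0. */
int contains_secret(const unsigned char *buf, int len)
{
    size_t n = strlen(SECRET);
    for (int i = 0; i + (int)n <= len; i++)
        if (memcmp(buf + i, SECRET, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char resp[2048];
    int n = run_heartbeat(0, 1000, resp, sizeof resp);
    printf("unpatched: claimed 1000 bytes, sent 1 -> %d-byte response, secret leaked: %s\n",
           n, contains_secret(resp, n) ? "yes" : "no");
    printf("patched:   same request -> %d (discarded)\n", run_heartbeat(1, 1000, resp, sizeof resp));
    printf("patched:   honest 1-byte heartbeat -> %d-byte echo\n", run_heartbeat(1, 1, resp, sizeof resp));
    return 0;
}
```

The only difference between the two paths is the comparison of the claimed length against the record length actually received; everything after that point is identical, which is why the fix was a two-line patch and why the bug was invisible to a reader who trusted the length field.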
Heartbleed results
Every vulnerable site operator should have
◦ Revoked the old certificate, since its private key may have been read out of memory
◦ Reissued a certificate with a new key (reissuing with the same key fixes nothing)
What actually happened?
[Chart: Low reissue rates, lower revocations]
[Chart: Revocations take weekends off]
[Chart: Revolting Revocation Handling]
Outline
 WORMS
 Basics
 HEARTBLEED
 PRIVACY
 Anonymous communication
You Are Not Anonymous
Your IP address can be linked directly to you
◦ ISPs store communications records
◦ Usually for several years (data retention laws)
◦ Law enforcement can subpoena these records
Your browser is being tracked
◦ Cookies, Flash cookies, ETags, HTML5 storage
◦ Browser fingerprinting
Your activities can be used to identify you
◦ Unique websites and apps that you use
◦ Types of links that you click
"Remember when, on the Internet, nobody knew who you were?"
Wiretapping is Ubiquitous
Wireless traffic can be trivially intercepted
◦ Airsnort, Firesheep, etc.
◦ Wifi and cellular traffic!
◦ Encryption helps, if it's strong
 WEP is broken outright, and WPA (TKIP) has known attacks
Tier 1 ASs and IXPs are tapped
◦ NSA, GCHQ, "5 Eyes"
◦ ~1% of all Internet traffic
◦ Focus on encrypted traffic
Why Do We Want Anonymity?
To protect privacy
◦ Avoid tracking by advertising companies
◦ Viewing sensitive content
 Information on medical conditions
 Advice on bankruptcy
Protection from prosecution
◦ Not every country guarantees free speech
◦ Downloading copyrighted material
To prevent chilling-effects
◦ It’s easier to voice unpopular or controversial opinions if you are
anonymous
Anonymity Layer
[Figure: an Anonymity layer inserted between the Application and Presentation
layers of the stack (Application, Anonymity, Presentation, Session, Transport,
Network, Data Link, Physical)]
Function:
◦ Hide the source, destination, and content of Internet flows from
eavesdroppers
Key challenges:
◦ Defining and quantifying anonymity
◦ Building systems that are resilient to deanonymization
◦ Maintaining performance
Quantifying Anonymity
How can we calculate how anonymous we are?
◦ Anonymity sets
[Figure: "Who sent this message?" The observer sees only a set of suspects, the
anonymity set, any one of whom could be the sender]
Larger anonymity set = stronger anonymity
Other Definitions
Unlinkability
◦ From the adversary's perspective, the inability to link two or
more items of interest
 E.g. packets, events, people, actions, etc.
◦ Three parts:
 Sender anonymity (who sent this?)
 Receiver anonymity (who is the destination?)
 Relationship anonymity (are sender A and receiver B linked?)
Unobservability
◦ From the adversary's perspective, items of interest are
indistinguishable from all other items
Crypto (SSL)
[Figure: client and server exchanging encrypted data traffic over SSL/TLS]
Content is unobservable
◦ Due to encryption
Source and destination are trivially linkable
◦ No anonymity!
Anonymizing Proxies
[Figure: client → HTTPS proxy → destination. On the client's side of the proxy
the source is known but the destination is hidden (destination anonymity); on
the far side the destination is known but the source is hidden (source
anonymity). The proxy itself sees both ends: no anonymity against the proxy!]
Anonymizing VPNs
[Figure: client → VPN gateway → destination. Same picture as the proxy: source
known and destination hidden before the gateway, destination known and source
hidden after it. The gateway sees both ends: no anonymity against the gateway!]
Using Content to Deanonymize
[Figure: a user browsing through an HTTPS proxy]
Even with the source hidden, the content of the session identifies the user:
• Reading Gmail
• Looking up directions to home
• Updating your Facebook profile
• Etc…
No anonymity!
Fact: the NSA leverages common cookies from ad
networks, social networks, etc. to track users
Statistical Inference Attacks
[Figure: a user behind a VPN gateway, with an observer on both sides of it]
Statistical analysis of traffic patterns, i.e. the timing and/or volume of
packets, can compromise anonymity
Data To Protect
Personally Identifiable Information (PII)
◦ Name, address, phone number, etc.
OS and browser information
◦ Cookies, etc.
Language information
IP address
Amount of data sent and received
Traffic timing
Mix Networks
A different approach to anonymity than Crowds
Originally designed for anonymous email
◦ David Chaum, 1981
◦ Concept has since been generalized for TCP traffic
Hugely influential ideas
◦ Onion routing
◦ Traffic mixing
◦ Dummy traffic (a.k.a. cover traffic)
Mix Proxies and Onion Routing
[Figure: the sender, who knows the public keys of every mix [KP, KP, KP], sends
through a chain of mixes, each holding a key pair <KP, KS>. Traffic between the
sender and the mixes travels in encrypted tunnels; the last hop to the
destination carries the non-encrypted data.]
E(KP, E(KP, E(KP, M))) = C
◦ The message M is wrapped in one layer of public-key encryption per mix; each
mix strips one layer with its secret key KS and forwards what remains
Mixes form a cascade of anonymous proxies
All traffic is protected with layers of encryption
Another View of Encrypted Paths
[Figure: the same three mixes <KP, KS>, showing the nested encryption layers
peeled off one per hop]
Return Traffic
In a mix network, how can the destination respond to the
sender?
During path establishment, the sender places keys at each
mix along the path
◦ Data is re-encrypted as it travels the reverse path
[Figure: mixes <KP1, KS1>, <KP2, KS2>, <KP3, KS3>; on the way back each mix adds
a layer of encryption with the key the sender left there (KP1, KP2, KP3), and
the sender removes all the layers]
Traffic Mixing
Hinders timing attacks
◦ Messages may be artificially delayed
◦ Temporal correlation is warped
Problems:
◦ Requires lots of traffic
◦ Adds latency to network flows
• Mix collects messages for t seconds
• Messages are randomly shuffled and sent in a different order
[Figure: four messages arrive at the mix in one order and leave it in a
shuffled send order]
Dummy / Cover Traffic
Simple idea:
◦ Send useless traffic to help obfuscate real traffic
Legacy of Mix Networks
Hugely influential ideas
◦ Onion routing
◦ Traffic mixing
◦ Dummy traffic (a.k.a. cover traffic)
Tor: The 2nd Generation Onion Router
Basic design: a mix network with improvements
◦ Perfect forward secrecy: circuit keys are negotiated hop by hop with ephemeral
Diffie-Hellman, so a relay's long-term key cannot decrypt past traffic
◦ Introduces guards to improve source anonymity
◦ Takes bandwidth into account when selecting relays
 Mixes in Tor are called relays
 Unlike a Chaum mix, a relay forwards cells immediately, without batching or
reordering, to keep latency low
◦ Introduces hidden services
 Servers that are only accessible via the Tor overlay
Deployment and Statistics
Largest, most well deployed anonymity preserving service
on the Internet
◦ Publicly available since 2002
◦ Continues to be developed and improved
Currently, ~5000 Tor relays around the world
◦ All relays are run by volunteers
◦ It is suspected that some are controlled by intelligence agencies
500K – 900K daily users
◦ Numbers are likely larger now, thanks to Snowden
Celebrities Use Tor
How Do You Use Tor?
1. Download, install, and execute the Tor client
◦ The client acts as a SOCKS proxy (by default on 127.0.0.1:9050)
◦ The client builds and maintains circuits of relays
2. Configure your browser to use the Tor client as a proxy
◦ Any app that supports SOCKS proxies will work with Tor
◦ Make the app hand hostnames to the proxy (SOCKS4a, or SOCKS5 with remote
resolution); otherwise its DNS lookups leak outside Tor
3. All traffic from the browser will now be routed through
the Tor overlay
◦ It leaves the overlay at an exit relay, which sees it in the clear unless the
application encrypts it itself (e.g. HTTPS)
Timing attacks
Encryption protects the contents of messages, but not
endpoint identities
◦ Tor "protects" the latter through onion routing
◦ But it sends messages with very low delay, so timing survives the trip
Intersection attack
◦ Monitor packets being sent and received
◦ If two hosts consistently send and receive within a short time…
◦ … and do so repeatedly
◦ … then they are probably communicating
Intersection attack
How quickly does anonymity degrade?
◦ Dataset of call times from a large cellular provider
◦ Simulate intersection attack on 370M calls
◦ 98.3% of calls traced within one month
Key challenges for anonymity
◦ VoIP requires low latency/jitter for call quality
◦ Which increases susceptibility to traffic analysis
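An added example, not from the lecture or the Herd paper: the intersection (timing-correlation) attack described on the two slides above, run over a constructed log of sends observed on the client side of a low-latency overlay and receives observed on the server side. Client and server names, the timestamps and the 0.5 s window are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not lecture code: the timing ("intersection") attack run over
 * a constructed log. Sends are seen on the client side of a low-latency
 * overlay, receives on the server side. Names, times and the window are
 * made up for illustration. */
#define N_CLIENTS 3
#define N_SERVERS 3
#define WINDOW    0.5     /* seconds: the attacker's bound on the overlay's latency */

struct event { int who; double t; };   /* who: index into CLIENTS or SERVERS */

static const char *CLIENTS[N_CLIENTS] = { "alice", "bob", "carol" };
static const char *SERVERS[N_SERVERS] = { "srv0", "srv1", "srv2" };

/* Constructed observations. The overlay adds 0.1-0.3 s. alice talks to srv1 in
 * every round, bob to srv2, carol to srv0 twice; the 30.0 s receive is noise. */
static const struct event SENDS[] = {
    {0, 1.00}, {1, 1.40}, {2, 3.00}, {0, 5.00}, {1, 7.00},
    {0, 9.00}, {2, 11.00}, {0, 13.00}, {1, 13.50}, {0, 17.00},
};
static const struct event RECVS[] = {
    {1, 1.20}, {2, 1.60}, {0, 3.30}, {1, 5.20}, {2, 7.25}, {1, 9.15},
    {0, 11.20}, {1, 13.20}, {2, 13.70}, {1, 17.30}, {0, 30.00},
};

/* For every (client, server) pair, count the client's sends that are followed
 * within `window` seconds by a receive at that server. */
void score_pairs(double window, int score[N_CLIENTS][N_SERVERS])
{
    memset(score, 0, sizeof(int) * N_CLIENTS * N_SERVERS);
    size_t ns = sizeof SENDS / sizeof SENDS[0];
    size_t nr = sizeof RECVS / sizeof RECVS[0];
    for (size_t i = 0; i < ns; i++)
        for (size_t j = 0; j < nr; j++) {
            double dt = RECVS[j].t - SENDS[i].t;
            if (dt > 0 && dt <= window)
                score[SENDS[i].who][RECVS[j].who]++;
        }
}

/* The attacker's guess for one client: the server that co-occurs most often
 * with its sends. *hits gets the number of rounds that matched; a single
 * coincidence proves little, the repetition is what the attack relies on. */
int infer_partner(int client, double window, int *hits)
{
    int score[N_CLIENTS][N_SERVERS];
    score_pairs(window, score);
    int best = 0;
    for (int s = 1; s < N_SERVERS; s++)
        if (score[client][s] > score[client][best])
            best = s;
    if (hits)
        *hits = score[client][best];
    return best;
}

int main(void)
{
    for (int c = 0; c < N_CLIENTS; c++) {
        int hits;
        int s = infer_partner(c, WINDOW, &hits);
        printf("%-5s -> %s (%d correlated rounds)\n", CLIENTS[c], SERVERS[s], hits);
    }
    return 0;
}
```

The attacker never looks at a payload; the encryption on each hop is irrelevant because the arrival times are the signal. A mix that holds messages for t seconds and reorders them pushes dt past any small window and decouples the two sides, which is exactly the latency cost that Tor, and a VoIP system like Herd, cannot afford to pay in full.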
Our Design: Herd
Anonymity + low latency + reasonable cost
Onion routing through mixes located in trust zone
Constant-rate traffic at small multiples of call bitrates
Untrusted superpeer architecture and coding scheme for
offloading mixes
Class Wrap Up
Networking is fundamental to nearly every interaction in
our daily digital lives
◦ Layering
◦ End system design principles
◦ Internet design goals
◦ Economics
The Internet continues to evolve
◦ Overlays
◦ SDNs
◦ Mobile
The only constant is change, … and IPv4