Intrusion Detection: Definitions
“The advanced exploration of computer
systems is commonly referred to as hacking.”
-- from ‘Hackers: a Canadian police perspective
Part I’
Reference: http://www.rcmp-grc.gc.ca/crim_int/index_e.htm
1
Security Attacks/Threats
These are actions that compromise the
security of information owned or transferred
by an entity. Attacks can be one of 4 forms:
Interruption
Interception
Modification
Fabrication
2
Type Of Attacks/Threats
Figure: (a) Normal flow, from information source to destination; (b) Interruption; (c) Modification; (d) Fabrication; (e) Interception.
3
Active and Passive Attacks
Figure 2: Threats/Attacks
Passive threats: Interception (release of message contents; traffic analysis)
Active threats: Interruption (availability), Modification (integrity), Fabrication (authentication)
4
Active Attacks
A passive attack can only observe communications or data.
Example: Interception (also called eavesdropping or passive wiretapping)
An active attack can actively modify communications or data.
• Often difficult to perform, but very powerful
– Mail forgery/modification
– TCP session hijacking / IP spoofing
Examples: Interruption, Modification (also called active wiretapping), Fabrication
Types of active attacks: masquerade, replay, modification and denial of service.
5
Types of Intruders:
Intrusion by a
• Masquerader: one who is not authorized to use a computer system, but who penetrates and uses a legitimate user’s account
• Misfeasor: a legitimate user who accesses data, programs or resources for which he is not authorized; or a legitimate user who misuses his access privileges
• Clandestine User: one who seizes supervisory control and uses it to evade access and audit controls or to suppress the audit trail.
A masquerader is an outsider, a misfeasor is an insider and the clandestine user can be either an insider or an outsider.
6
Why do they attack?
The attacker may attack
- taking it as an intellectual challenge
- to get thrills from seeing reports of his exploits in the public media.
But a large majority of attacks are by foot-soldiers, called script kiddies, who use attacks discovered, designed and implemented by someone else. The script kiddies simply download the script and launch the attack, without understanding anything.
Or they may be indulging in espionage for financial gain.
7
Survey: Type of attacks
FBI/CSI Survey of 2002:
- 80% of respondents acknowledged financial loss
due to intrusion
- Only 34% reported the intrusions to police
- 74% found misfeasors
- 40% detected DOS attacks
Reference: Annual FBI/Computer Security Institute Survey:
http://www.gocsi.com/press/20020407.html
8
Hacker’s METHODS
1. Port Scan to find, for the target,
- which ports/services are running
- the O/S
nmap
- scans all the ports
- guesses the operating system (Please refer to the paper by Fyodor to understand the methods used. These methods depend upon the special features that each OS has.)
Reference: 1. Fyodor, ‘Remote OS detection via TCP/IP Stack FingerPrinting’, June 2002, available at http://www.insecure.org/nmap/nmap-fingerprinting-article.html
2. Stephen Northcutt and Judy Novak, ‘Network Intrusion Detection: An Analyst’s Handbook’, pp 81-85
9
Hacker’s Methods cont.
2. Toolkits provided by manufacturers to make products compatible with their products. These may be used to discover the vulnerabilities of the product.
3. Wireless Nets:
* ‘AirMagnet’ from AirMagnet Inc.
* ‘Observer’ from Network Instruments
* ‘Wireless Security Analyzer’ from IBM
can check whether a wireless network can be accessed by outsiders.
(www.guerilla.net/freenets.html contains a list of access points, by city, that can be accessed by anyone. In 2002 Chris O’Ferrel, a security consultant, was able to connect to the Pentagon wireless net from outside the building.)
10
Impersonation Methods
Guess the ID and password of an authorized user:
- by guessing passwords
- by using default passwords given with a system by its manufacturer (many administrators fail to disable the defaults)
Example: SNMP uses a ‘community string’ as a password for the community of devices that can interact with one another. Many administrators forget to change the default ‘community string’ installed on a (new) router/switch.
- by overflow: in some ill-designed systems, authentication may be foiled by ‘overflow’ of the password (if the password overflows, the system may assume authentication)
11
Impersonation Methods continued
- by non-existent authentication. In Unix, the file .rhosts lists the trusted hosts, and rlogin lists trusted users, who can access without authentication.
A user may log in to one system as a guest to access public information, and through this host he may connect to a trusted host.
12
Impersonation:
A few Definitions
Impersonation vs. Spoofing
Impersonation (mis)represents an authorized entity
during communication on a net.
Spoofing: A hacker spoofs when he falsely carries on
one side of the exchange between two parties.
Masquerade of a site: An example:
xxx.com may be the bank’s official site. A hacker registers x_xx.com and asks clients to visit that site. Thus passwords and PINs may be collected for misuse.
13
Impersonation:
A few Definitions
cont.
Session Hijacking: An example:
A customer may select books on Amazon.com.
When it comes to taking the order and making the
payment, Amazon.org may hijack the session.
Man-in-the-middle Attack vs. Session Hijacking
Man-in-the-middle is wire-tapping actively from the
beginning,
whereas a session-hijacker takes over after part of
the session is over.
14
Examples of Attacks
Buffer Overflow
Dot-Dot and constrained environment
“Server-side include” problem
Incomplete Mediation
Time-of-check to time-of-use
DoS and DDoS
Misuse of Active Code
15
Buffer Overflow
All programming languages set aside a specific area
in memory for every variable.
For example:
char addr[10];
sets aside 10 bytes for the array.
If someone were to give an input to addr which is larger, it may overflow into some other area. This area may have been allocated to:
- User data
- User’s program code
- System data
- System program code
16
Buffer Overflow
cont.
Overwriting user data: may affect the program result, but will not affect any other program.
Overwriting the user’s program:
- If an instruction that has already been executed (and is not to be executed again) is overwritten, there is no effect.
- Otherwise, if the character that has been overwritten is not a valid instruction, the system halts (illegal instruction exception).
- Otherwise the user program gives wrong output.
Overwriting system data/program: results similar to the ones for user data/program, but it may affect all the users, since system data and programs are used by every user on the machine.
17
Buffer Overflow:
Usual Buffer Overflow Attacks
1. The attacker may use the data input, close to system code. Thus he may be able to go into the O.S., which has the highest privileges.
2. He may use the Stack Pointer to return to a part of the hacker’s code, which may have been placed earlier.
3. Passing parameters through a URL:
Consider http://www.website.com/xxx/userinput&parm1=(519)253-3000&parm2=2003Mar20
If instead of parm1 and parm2 a 500 or 100 digit value is introduced, it could cause a problem in the web system.
Reference: IIS 4.0 remote overflow exploit.
http://spisa.act.uji.es/spi/progs/codigo/ftp.technotronic.com/microsoft/iishack.asm
18
Buffer Overflow: An Example:
U.S. Army Web Server Attacked
Buffer Overflow Attack: A web server was attacked using a URL that was 4KB in length.
(Reference: eWeek, March 18, 2003)
The machine was compromised.
It began mapping the network around it, looking
for other vulnerable machines.
It then started sending the results of its mapping
to a remote machine through TCP port 3389
using terminal services
19
Dot-Dot and constrained environment
To prevent an attack, external users, who
approach through the Internet, may be put in a
constrained environment.
A constrained environment: where a user is
allowed to use only specified and limited system
resources.
Accordingly the server may begin processing a
user’s program in a particular directory sub-tree
which contains everything the server needs.
20
Dot-Dot and constrained environment
(cont..)
But in both Unix and Windows, .. is the directory indicator for the predecessor (parent) directory.
Cerberus discovered in MS Index Server the following fault:
Passing the following URL to the web server:
http://url/null.htw?CiWebHitsFile=/../../../../../winnt/system32/autoexec.nt
a user is able to get the autoexec.bat file of the server.
Now the hacker may modify it!
21
Dot-Dot and constrained environment
(cont..)
Solution: The web server should have no editors, telnet programs or any utilities.
But the code and data for web applications will then have to be transferred manually to the server, or may have to be pushed as a raw image. The webmaster may not like it.
22
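Stripping utilities from the server limits what an attacker can do once a dot-dot request succeeds; the complementary control is to refuse the request itself. The following is an added example, not code from the lecture: a check that canonicalises a requested path and rejects anything that resolves outside the directory sub-tree the server was confined to, including percent-encoded `..` and symlinks that point out of the tree. The root directory, the files in it and the sample requests are constructed in a temporary directory for the demonstration.

```python
# Added example, not code from the lecture: confine a request-supplied path to
# the server's directory sub-tree. Paths and files are constructed in a
# temporary directory for the demonstration.
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(root: str, requested: str) -> str:
    """Return the canonical absolute path for `requested`, or raise
    PermissionError if it resolves outside `root`."""
    root = os.path.realpath(root)
    # Decode %2e%2e-style encodings first, then treat the request as relative
    # to root: a leading "/" (or "\") must not let os.path.join discard root.
    cleaned = unquote(requested).replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, cleaned))
    # realpath has already collapsed every ".." and followed symlinks, so a
    # plain prefix comparison on the result is reliable.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PermissionError(f"{requested!r} escapes {root}")
    return candidate


def is_contained(root: str, requested: str) -> bool:
    try:
        resolve_under_root(root, requested)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Constructed sub-tree: root/docs/index.htm plus a symlink that points
    outside the tree. Returns which requests the check lets through."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "index.htm"), "w") as f:
            f.write("<html></html>")
        os.symlink(outside, os.path.join(root, "escape"))
        return {
            "plain file": is_contained(root, "docs/index.htm"),
            "dot-dot inside tree": is_contained(root, "docs/../docs/index.htm"),
            "dot-dot climb": is_contained(root, "/../../../../../winnt/system32/autoexec.nt"),
            "percent-encoded climb": is_contained(root, "%2e%2e/%2e%2e/etc/passwd"),
            "symlink out of tree": is_contained(root, "escape/anything"),
        }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:24s} -> {'allowed' if allowed else 'rejected'}")
```

The comparison is done on the result of `realpath`, not on the raw string, which is why a request that contains `..` but stays inside the tree (`docs/../docs/index.htm`) is still accepted while a symlink created inside the tree but pointing out of it is not.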
“Server-side include” problem
EXAMPLE: ‘contact us’ part on web-pages
includes commands, which are supposed to be
given by the server.
Hence such commands may be accepted by the
system without any scrutiny. These commands
may be placed in HTML.
A hacker may use this facility to modify the
command to ‘telnet’ to gain access rights, which
he should not have.
23
“Good judgment is the result of experience –
and experience is the result of poor judgment.”
24
Examples of Attacks
Slide 15 again
Buffer Overflow
Dot-Dot and constrained environment
“Server-side include” problem
Incomplete Mediation
Time-of-check to time-of-use
DoS and DDoS
Misuse of Active Code
25
Incomplete Mediation
ACCEPTING DATA FROM A USER IN A WEB FORM:
The system could put in checks of valid data to screen out erroneous data.
However, after taking the values from the user, the program generates the URL line, based on the validated data.
But the hacker can edit the URL generated by the program and resend it. The web server cannot differentiate between an edited URL and a system-generated URL.
Such a system is said to have incomplete mediation.
26
Application code Errors: Example of wrong code:
Assume that a client selects book1 from page4 of the web-site
of books.com and then moves to another page. Assume that
the book cost $69.
The web server may pass the following string to the client:
http://www.books.com/page4&isbn1=0849308887&p1=6900
Then the client selects book 2 from page 7. It costs $129.
The web server passes to the client:
http://www.books.com/page7&isbn1=0849308887&p1=6900&isbn2=3540002235&p2=12900
27
Application code Errors:
Example of wrong code (cont…)
The malicious client may change the
string to 1900 for both p1 and p2,
before clicking ‘order’. He may get both
the books at $38 only.
28
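The books.com order above, worked through in code as an added example (not code from the lecture). It shows the incomplete-mediation version, where the server adds up whatever prices the client echoes back, beside two mediated versions: re-pricing every ISBN from the server’s own catalogue at order time, and signing the server-generated cart with an HMAC so an edited URL can be told apart from a system-generated one. The catalogue, the ISBN prices and the signing key are constructed for the example.

```python
# Added example, not code from the lecture: the books.com cart with and
# without complete mediation. Catalogue and key are constructed.
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode

# Constructed catalogue: ISBN -> price in cents (the slides' $69 and $129 books).
CATALOGUE = {"0849308887": 6900, "3540002235": 12900}

# Hypothetical server-side secret; a real deployment loads it from a key store.
SERVER_KEY = b"example-only-server-secret"

# The query string the server generated, and the copy a client edited to 1900.
HONEST_QUERY = "isbn1=0849308887&p1=6900&isbn2=3540002235&p2=12900"
TAMPERED_QUERY = "isbn1=0849308887&p1=1900&isbn2=3540002235&p2=1900"


def total_unmediated(query: str) -> int:
    """Incomplete mediation: sum whatever p1, p2, ... the client sent back.
    Editing p1=6900 to p1=1900 before clicking 'order' simply lowers the bill."""
    params = parse_qs(query)
    return sum(int(v[0]) for k, v in params.items() if re.fullmatch(r"p\d+", k))


def total_mediated(query: str) -> int:
    """Complete mediation: ignore client-supplied prices and price each ISBN
    from the server's own catalogue at order time."""
    params = parse_qs(query)
    total = 0
    for key, values in params.items():
        if re.fullmatch(r"isbn\d+", key):
            isbn = values[0]
            if isbn not in CATALOGUE:
                raise ValueError(f"unknown ISBN {isbn}")
            total += CATALOGUE[isbn]
    return total


def sign_cart(params: dict) -> str:
    """Serialise the cart the server generated and append an HMAC over it, so
    a client-edited copy can be told apart from the server-generated one."""
    body = urlencode(sorted(params.items()))
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}&sig={tag}"


def verify_cart(query: str) -> bool:
    """Recompute the HMAC over everything except the sig field; any edit to
    the ISBNs or prices changes the body and the comparison fails."""
    params = parse_qs(query)
    sig = params.pop("sig", [""])[0]
    body = urlencode(sorted((k, v[0]) for k, v in params.items()))
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    print("unmediated, tampered :", total_unmediated(TAMPERED_QUERY))  # 3800
    print("mediated, tampered   :", total_mediated(TAMPERED_QUERY))    # 19800
    signed = sign_cart({"isbn1": "0849308887", "p1": "6900",
                        "isbn2": "3540002235", "p2": "12900"})
    print("signed cart verifies :", verify_cart(signed))
    print("edited cart verifies :", verify_cart(signed.replace("p1=6900", "p1=1900")))
```

Of the two mitigations, re-pricing on the server is the stronger one, because it removes the client-supplied price from the decision altogether; the signature only detects edits to values the server still chooses to round-trip through the client.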
Time-of-check to time-of-use (TOCTTOU)
Every OS has access control. A file may be presented by a valid user, who can be authenticated, together with a valid job to be done.
While the OS is checking the authentication, the file remains in the user’s area, so the user may modify the file with malicious commands. The OS comes back after checking the authentication and allows the file to be processed.
And the malicious commands may be executed!
29
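The race described above, as an added example (not code from the lecture): a program that checks a file by name and then opens it by name leaves a window in which the name can be re-pointed, whereas a program that opens first and then inspects the descriptor it actually obtained has no such window. The scenario is constructed in a temporary directory, with a symlink standing in for a name that was swapped after the check; the expected owner is assumed to be the current user, and a Unix-like OS is assumed for O_NOFOLLOW.

```python
# Added example, not code from the lecture: check-then-use versus
# open-then-check on a file. Files and symlink are constructed in a temp dir.
import os
import stat
import tempfile


def open_check_then_use(path: str):
    """Time-of-check: os.access() answers for whatever `path` names now.
    Time-of-use: open() resolves `path` a second time. Anything that re-points
    the name in between (a symlink swap, a rename) is not noticed."""
    if not os.access(path, os.R_OK):
        raise PermissionError(path)
    return open(path, "rb")


def open_then_check(path: str, expected_uid: int):
    """Open first, refusing to follow a symlink, then inspect the descriptor
    with fstat(). Check and use refer to the same open file, so there is no
    window in which the name can be swapped."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: unexpected owner {st.st_uid}")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def demo() -> dict:
    """Constructed scenario: job.txt is the file the user submitted; swapped.txt
    is a symlink standing in for the name having been re-pointed after the
    check. Returns what each approach did."""
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "job.txt")
        with open(real, "w") as f:
            f.write("echo harmless")
        link = os.path.join(d, "swapped.txt")
        os.symlink(real, link)
        uid = os.getuid()

        with open_check_then_use(link) as f:
            racy_followed = f.read() == b"echo harmless"  # symlink silently followed
        with open_then_check(real, uid) as f:
            safe_opened_real = f.read() == b"echo harmless"
        try:
            open_then_check(link, uid)
            safe_rejected_link = False
        except OSError:  # ELOOP from O_NOFOLLOW, or our PermissionError
            safe_rejected_link = True
        return {
            "check-then-use followed the symlink": racy_followed,
            "open-then-check opened the real file": safe_opened_real,
            "open-then-check refused the symlink": safe_rejected_link,
        }


if __name__ == "__main__":
    for what, happened in demo().items():
        print(f"{what}: {happened}")
```

The same pattern applies wherever the OS offers a handle-based variant of a name-based call (fstat instead of stat, fchmod instead of chmod, openat with a directory descriptor): do the privileged operation on the handle, never on the name a second time.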
Denial of Service Attacks:
ECHO CHARGEN: chargen is a protocol that generates a stream of echo packets. (Refer to ICMP)
If a hacker continuously generates such packets for a server, the server would be busy continuously responding to these packets.
Ping of Death: an attacker, on a wide bandwidth net, can overwhelm a victim machine on a smaller BW net by sending a large number of ping messages.
SMURF: spoofs a message (which would generate an ICMP error message) as if it is coming from the victim. The spoofer broadcasts it on a large net. All hosts on the net respond to the victim.
30
SYN Flood:
SYN_RECV queue:
- usually designed to have only 10-20 entries
- the usual time-out for deleting an entry is many minutes
So a SYN packet every few seconds can keep the host from accepting a new connection.
To avoid detection, every new SYN packet is spoofed from a new IP address. (The ICMP destination unreachable message, sent by the host of the spoofed address back to the victim, goes to the ICMP module of the victim and not to the TCP module of the victim.)
31
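The slide’s reasoning, turned into a check a defender can run, as an added example (not code from the lecture). A host under SYN flood shows its SYN_RECV (half-open) entries piling up towards the backlog limit, each from a different (spoofed) source that never completes the handshake; the code groups half-open entries by local port and flags ports that match that pattern, and also carries the slide’s arithmetic on queue size versus time-out. The connection-table dump is constructed in a netstat-like layout with documentation addresses, not captured from a real host; the backlog size and thresholds are assumptions.

```python
# Added example, not code from the lecture: flag SYN-flood symptoms in a
# connection-table dump. The dump, backlog size and thresholds are constructed.
import re
from collections import defaultdict

# Constructed dump (netstat-like layout, RFC 5737 documentation addresses).
SAMPLE_DUMP = """\
tcp 0 0 10.0.0.5:80  203.0.113.7:4431    SYN_RECV
tcp 0 0 10.0.0.5:80  203.0.113.19:2201   SYN_RECV
tcp 0 0 10.0.0.5:80  198.51.100.9:3390   SYN_RECV
tcp 0 0 10.0.0.5:80  198.51.100.120:1025 SYN_RECV
tcp 0 0 10.0.0.5:80  192.0.2.44:50012    SYN_RECV
tcp 0 0 10.0.0.5:80  192.0.2.201:6001    SYN_RECV
tcp 0 0 10.0.0.5:80  203.0.113.250:7777  SYN_RECV
tcp 0 0 10.0.0.5:80  198.51.100.33:1199  SYN_RECV
tcp 0 0 10.0.0.5:22  192.0.2.10:51000    ESTABLISHED
tcp 0 0 10.0.0.5:443 192.0.2.10:51001    SYN_RECV
"""

# proto recv-q send-q local:port remote:port state
LINE_RE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def half_open_by_port(dump: str) -> dict:
    """Map each local port to the list of remote hosts with a half-open entry."""
    table = defaultdict(list)
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if state == "SYN_RECV":
            table[int(local_port)].append(remote_ip)
    return dict(table)


def flag_syn_flood(dump: str, backlog: int = 10, fill_fraction: float = 0.5) -> dict:
    """Return {port: half_open_count} for ports whose half-open entries fill at
    least fill_fraction of the backlog and whose peers are all distinct
    (spoofed sources never complete the handshake, so none repeats)."""
    flagged = {}
    for port, peers in half_open_by_port(dump).items():
        count, distinct = len(peers), len(set(peers))
        if count >= backlog * fill_fraction and distinct == count:
            flagged[port] = count
    return flagged


def queue_occupancy(syn_interval_s: float, timeout_s: float, backlog: int) -> tuple:
    """The slide's arithmetic for sizing the SYN_RECV queue: with one new SYN
    every syn_interval_s and entries dropped only after timeout_s, about
    timeout_s / syn_interval_s entries are held at any moment. Returns
    (entries_held, backlog_saturated)."""
    held = timeout_s / syn_interval_s
    return held, held >= backlog


if __name__ == "__main__":
    print("flagged ports:", flag_syn_flood(SAMPLE_DUMP))
    print("20-entry queue, 3-minute timeout, one SYN per 5 s:", queue_occupancy(5, 180, 20))
```

The occupancy arithmetic is what makes the defensive levers obvious: a shorter SYN_RECV time-out or a larger backlog (or SYN cookies, which remove the per-entry state altogether) raises the rate an attacker needs by the same factor.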
DDoS
Distributed Denial of Service attack:
use Trojan horses, sent through an exe file through e-mail or by buffer overflow, to a large number of machines.
All the machines are triggered at the same time to jointly attack the victim.
Example: Tribe Flood Network of 1999.
32
DDOS
Figure: the attacker triggers Trojans (T) planted on several machines, which jointly attack the victim.
33
DDOS (cont…)
The attacker plants a Trojan horse on a large number of machines.
He then triggers the attack, from all these machines (now called zombies), on the victim.
CERT has advised that a single tool is now available which does the following:
- Identifies the zombies
- Installs the Trojan horse in the zombies
- Activates the zombies to wait for a trigger signal
Reference: Kevin J. Houle and George M. Weaver, “CERT Coordination Center Trends in Denial of Service Attack Technology”, October 2001, at http://www.cert.org/archive/pdf/DoS_trends.pdf
34
Active or Mobile Code:
Definition: Active or Mobile Code: Code sent by a server to a
client for execution on the client machine.
The objective of having the facility of Active or Mobile Code:
- The server is not overloaded.
- The underloaded workstation may be used for processing.
- Bandwidth use is reduced.
Disadvantage: without the knowledge or permission of the owner of the client machine, a remote machine causes a program to be executed on the client machine.
35
Examples of Active Code, that can be misused:
1. Cookies
Definition: Cookies: Data files caused to be
stored on client machine by web-server
Information
- about the client
- kept on client machine but
encrypted by a key known only to
web-server.
A cookie may be…
A per-session Cookie or
A Persistent Cookie
36
Examples of Active Code, that can be misused:
2. Executing Scripts on Server
Web Server cannot differentiate
between …
Commands legitimately generated by the
browser, as the client fills up a web page.
A hand-crafted set of commands generated
by a malicious user.
37
Examples of Active Code, that can be misused:
3. Escape Character attack on Server
CGI (common Gateway Interface)
Commonly used on web servers for
scripting.
It Uses..
%nn to represent ASCII special characters.
%0a to instruct interpreter to accept characters
after %0a, as new command.
38
Escape Character attack on Server
……continued
The following command requests a copy of
the password file:
http://www.test.com/cgibin/query?%0a/bin/cat%20/etc/password
Another Example: A CGI script of the form
<!--#action arg1=value arg2=value ... -->
is followed by a command.
If someone gives the following string immediately after the above
<!--#exec cmd="rm *" -->
it would delete all the files in the current directory of the web server.
39
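The escape-character and server-side-include problems on the last few slides have one common defence: decode the input the way the gateway will before checking it, then apply an allow-list. The following is an added example, not code from the lecture: the check a CGI handler (or any page that honours server-side includes) should run on a query string before handing it to an interpreter. It percent-decodes repeatedly, so %0a, %3c or a double-encoded %250a cannot smuggle a newline or an SSI directive past a check that only looked at the raw text. The allow-list and the sample inputs are constructed for the example.

```python
# Added example, not code from the lecture: decode-then-check for CGI input.
# Allow-list and sample inputs are constructed.
import re
from urllib.parse import unquote

SSI_DIRECTIVE = re.compile(r"<!--\s*#")          # <!--#exec cmd=... --> and friends
ALLOWED_QUERY = re.compile(r"[A-Za-z0-9 ._-]*")  # hypothetical allow-list for a search term


def decode_fully(raw: str, max_rounds: int = 3) -> list:
    """Return every intermediate form of `raw` under repeated percent-decoding,
    stopping when it no longer changes or after max_rounds."""
    stages = [raw]
    for _ in range(max_rounds):
        nxt = unquote(stages[-1])
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages


def validate_cgi_input(raw: str) -> tuple:
    """Return (accepted, reason). Every decoding stage is inspected, because
    the stage a downstream interpreter acts on may not be the first one."""
    stages = decode_fully(raw)
    for stage in stages:
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in stage):
            return False, "control character (e.g. %0a newline) after decoding"
        if SSI_DIRECTIVE.search(stage):
            return False, "server-side include directive in input"
    if not ALLOWED_QUERY.fullmatch(stages[-1]):
        return False, "character outside the allow-list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a benign search term, the slide's %0a trick, a
    # percent-encoded SSI exec directive, and a double-encoded newline.
    for sample in ("intrusion%20detection",
                   "%0a/bin/cat%20/etc/password",
                   "%3C!--%23exec%20cmd%3D%22rm%20*%22%20--%3E",
                   "%250a"):
        print(f"{sample!r:50s} -> {validate_cgi_input(sample)}")
```

Rejecting on any stage, rather than only on the final decoded form, is what closes the double-encoding case: `%250a` is harmless-looking after one decode (`%0a`) and a newline after two.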
Escape Character attack on Server
……continued
MS uses ASP for scripting..
These pages instruct the browser on…
how to display files;
how to maintain context and Interact with the
server.
These pages can be seen at the browser
and any weaknesses in the ASP code may
be exploited by a malicious user.
40
Active Code: Comments
Java Script:
Java 1.1: sandbox very restrictive.
Java 1.2: opened the sandbox to permit stored disk files and executable procedures. This makes v1.2 more convenient to use at the cost of an increase in security vulnerability.
Java 1.4: supposed to correct these problems??
Active X: Using it, objects of arbitrary type can be downloaded to a client.
The object may lead to an automatic download of the handler required for a file type.
41
Active Code: Comments
Active X
MS uses authentication certificates which
certify the origin’s validity.
But Proof of origin does not mean safety of
code.
Auto Exec by file-type:
Besides the file’s extension, a file contains its type
information inside the file also.
So even if a file does not have an extension, it
may be opened automatically, if one clicks on it.
42
Active Code: Comments
Java vs. Active X
You can put only partial trust in a program, while
ActiveX requires either full trust or no trust at all.
A Java-enabled browser could keep a record of which
dangerous operations are carried out by each trusted
program, so it would be easier to reconstruct what
happened if anything went wrong.
Java offers better protection against accidental
damage caused by buggy programs.
Reference: http://www.cs.princeton.edu/sip/faq/java-vs-activex.html
SIP: Secure Internet Programming
43
Procedures for secure active code:
1. System must control applets’ access to
sensitive system resources, such as:
File system
Processor
Network
User’s Display
Internal State Variables.
44
Procedures for secure active code:
continued
2. The language must protect memory by preventing forged memory pointers and array (buffer) overflows.
3. The system must prevent object reuse by clearing memory contents for new objects.
45
Procedures for secure active code:
continued
The system must perform garbage collection to reclaim memory no longer in use.
4. The system must control inter-applet communication as well as an applet’s effects on the environment outside the Java system through system calls.
Reference: Dean, D.; Felten, E.W.; Wallach, D.S., ‘Java security: from HotJava to Netscape and beyond’, Proceedings of IEEE Symposium on Security and Privacy, 1996, pp 190-200
46
A Networked System:
More Vulnerable?
Attacker can be
anonymous,
safe behind an electronic shield,
at a great distance, and
can make his system hide behind a chain of other
hosts.
A large network has many points from which attack
may be mounted and many targets.
Sharing: networks permit a number of users to share the services, so there is a larger number of attacker entities (users/systems).
47
A Networked System:
More Vulnerable?
cont.
Complexity of a system: each operating system is complex. A network operating system, which may deal with multiple operating systems, is even more complex.
Even desktops have become powerful, so the user may not even know fully what his system is doing.
Ill-defined perimeter, since networks are interconnected in a variety of ways.
Multiple paths may exist between two legitimate communicators; hosts/networks in each path may have different security policies.
Reference: Pfleeger and Pfleeger, ‘Security in Computing’
Prentice Hall 3rd Ed., 2003, pp 387-389
48
Security Services
• Confidentiality: protection of the message from disclosure to unauthorized persons; in addition, the secrecy of the identity of the sender may also be required. Confidentiality may be compromised by misdelivery, exposure in some part of the network, or traffic flow analysis.
• Integrity: maintaining data consistency; a message may not be altered during transmission.
• Authentication: verifying a principal’s claimed identity.
Principal: a user logged on a remote system, or a local user logged on the server, or the server itself.
49
Security Services: Authentication
continued
Authentication: A two-step process:
- User Name
- Password
(check: - something you know (common)
- something you have
- something you are
- what you do (Ex: key-stroke patterns)
- where you are)
50
Security Services
(continued )
Distributed authentication of users, processes, servers and services is even more difficult. Thus NT 4.0 had the concept of a single Primary Domain Controller.
Windows 2000 has a multi-master system. It makes the system more robust, but more vulnerable.
• Non-repudiation: the originator of communications can’t deny it later. Digital signatures are used to relate an entity to information.
51
Security Services (continued)
• Availability: legitimate users have access when they need it
• Access control: unauthorized users are kept out
• Receipt: acknowledgement for received information
• Certificate: endorsement of information by a trusted party
• Anonymity: hiding the identity of an entity
52
Security Services (continued)
Most Internet security problems are
• access control or
• authentication ones
Denial of service is also popular, but mostly an annoyance.
Security services are often combined:
• User authentication used for access control purposes
• Non-repudiation combined with authentication
53
CERT Coordination Center
(CERT/CC)
CERT/CC: a part of Software Engineering Institute
(SEI) Networked Systems Survivability Program,
Carnegie Mellon University, Pittsburgh, Pennsylvania
History:
2nd November 1988: Morris worm incident, which brought 10 percent of Internet systems to a halt.
Defense Advanced Research Projects Agency (DARPA)
charged the SEI with setting up a center
to coordinate communication among experts during
security emergencies and
to help prevent future incidents.
17th November 1988: Computer Emergency Response
Team was set up.
Today: CERT/CC: a Center of Internet security expertise.
54