PPT - USC`s Center for Computer Systems Security

Download Report

Transcript PPT - USC`s Center for Computer Systems Security

In-Class Presentations
• On the paper you read for a given report
– I will email you which report you’re presenting on
– Presentation is summary of your report
– Send me PPT of your presentation at least 1h before
• DEN students use WebEx – I sent the link
• 10 minutes long, 5 slides:
–
–
–
–
–
Problem, why important, why difficult
Solution
Evaluation
Your opinion
Your ideas
• Graded: Slide appearance, content and delivery
No Class Next Week
• No class 4/6
• I will post Quiz 4 and Quiz 5 soon and email
you
Sanitization
• Remove or obscure (anonymize) sensitive data
– Remove packet contents and application headers
– Anonymize IP addresses
• Positional - anonymize in order of appearance. Inconsistent
and lose information about networks
• Cryptographic - anonymize by encrypting with a key.
Consistent but still lose information about networks.
• Prefix-preserving - cryptographic approach is applied to
portions of IP separately to preserve network information.
• Sanitization loses a lot of data - application
headers, contents, IP addresses
– This is acceptable for some research but not for all
• Sanitized data still has sensitive information
Attack Classes
• Passive attacker
– Observe publicly released trace
– Use some public or private auxiliary information to
infer private data
• Active attacker
– Insert traffic during trace collection
– Identify this traffic later in public trace
• This creates an auxiliary information channel
• Can learn what method was used to obscure private data
• Can verify presence or absence of data items with
same/similar values in other records
– Provider cannot identify injected traffic
• Covert channel problem
Privacy of Sanitized Data
• Attacks focus on breaking anonymization or
discovering vulnerabilities to use in attacks
– Web page attack - identify Web pages based on size
and number of objects
– Clock skew attack - infer clock skew from packet
timing, link it to the one obtained by probing
– Link layer, Clustering and Behavior attack - infer
topology, cluster same prefix addresses, use behavior
models of popular servers to pinpoint them in the
trace
– Scan attack - infer relationship between IPs in scans
– Innumerable active attacks – insert data into trace
• Removing sensitive data for many of these
attacks makes sanitized trace unusable
Drawbacks of Sanitization Approach
• Low utility
– One-size-fits-all data is released
– Any field sensitive in some context must be
removed from all contexts
• Low privacy
– Known attacks are not handled because that
would seriously decrease utility
– Active attacks cannot be handled
– Data providers have no insight into trace usage
– Users get access to entire trace, regardless of
intent - future attacks can be launched by anyone
Our Proposal: Secure Queries
• Providers publish a query language
– Interpreter allows certain queries on certain
packet fields and in a given context
– The restrictions are mined from a providerspecified privacy policy
– Users submit queries to an online portal, receive
aggregate results: counts, distributions,
histograms, etc.
Advantages of Secure Queries
• Higher utility
– Fine-grain control over field processing and its context
allows safe access to some fields that would be
removed/obscured in sanitization - less data loss
– Even application headers or contents could be
processed
– Easy coding in a high-level language
• Better privacy
– Providers have insight into trace usage, can audit
– Can precisely control what is allowed
– Future attacks handled via policy/language changes only those users that previously ran forbidden queries
can launch attacks
Linkages – The Trail We Leave
• Identifiers
• IP Address, cookies, login IDs
• MAC Address and other unique IDs
• Where saved
• Log files
• Persistence
• How often does identifier change
• How can it be mapped to user identification
Unlinking the Trail
• Blind Signatures
• Content of the message is disguised before it is signed
• Resulting signature can be verified against original
content
• Analogy: Enclosing a message in a write-through
envelope which is signed and sealed. Signer doesn’t
see the message.
• Enable proof of some attribute without identifying
the prover
• Application in anonymous e-currency and e-voting
Unlinking the Trail
• Anonymizers
• A remote web proxy
• Hides originators IP address from sites that are visited
• Usually strips off cookies and other identifying
information
• Limitations
• You are dependent on the privacy protections of the
anonymizer itself
• All you activities are now visible at this single point of
compromise
• Use of the anonymizer may highlight those activities
that you want to go unnoticed
Onion Routing
• Layers of peer-to-peer anonymization
•
•
•
•
You contact some node in the onion routing network
Your traffic is forward to other nodes in the network
Random delays and reordering are applied.
With fixed probability, it is forwarded on to its
destination
• Traffic analysis requires linking packets through the
full chain of participants
• And may be different for each association
Trusted Computing
What Problem Are We Solving?
• Can’t protect applications from within
themselves
– Exploits can turn off defenses
• Can’t protect the OS from within itself
– Exploits can turn off defenses
– Rootkits can hide any sabotage from users
• May not be able to trust users
– They may be uninformed
– They may be malicious – OK for their computer but
risk for the others they communicate with
– Digital right management issues
What is Trusted Computing
• Attestation
– Means of ensuring someone (user, remote computer)
of the system’s trustworthy status
• Usually means authentic/approved apps
– Root of trust needed to store keys
– Trusted path (allows user to have confidence in the
system)
– Chain of trust (like for certificate authorities)
• Separation
– Secure storage (data/keys)
– Protection of processes
• The rest is policy
– That’s the hard and controversial part
Trusted Path
• We need a “trusted path”
– For user to communicate with a domain that is
trustworthy.
• Usually initiated by escape sequence that application
can not intercept: e.g. CTL-ALT-DEL
– Could be direct interface to trusted device:
– Display and keypad on smartcard
Communicated Assurance
• We need a “trusted path” across the
network.
• Provides authentication of the software
components with which one
communicates
What Can We Do with TC?
• Clearer delineation of security domains
– We can run untrusted programs safely
• Run in domain with no access to sensitive resources
– Such as most of your filesystem
– Requests to resources require mediation by TCB (trusted
computing base), with possible queries to the user through
trusted path.
Mediating Programs Today
• Why are we so vulnerable to
malicious code today?
– Running programs have full access to system files
– Why? NTFS and XP provide separation
• But many applications won’t install, or even run,
unless users have administrator access
– So we run in “System High”
Corporate IT Departments’
Solution
• Users don’t have administrator access even
on their own laptops
– This keeps end users from installing their own
software, and keeps IT staff in control
– IT staff select only software for end users that will
run without administrator privileges
– But systems still vulnerable to exploits in
programs that cause access to private data
– Effects of “Plugins” can persist across sessions
The Next Step
• But, what if programs were accompanied by
third party certificates that said what they
should be able to access?
– IT department can issue the certificates for new
applications
– Access beyond what is expected results in system
dialogue with user over the trusted path
Red / Green Networks
• Butler Lampson of Microsoft and MIT
suggests we need two computers (or two
domains within our computers)
– Red network provides for open interaction with
anyone, and low confidence in who we talk with
– We are prepared to reload from scratch and lose
our state in the red system
Red / Green Networks
• The Green system is the one where we store
our important information, and from which
we communicate to our banks, and perform
other sensitive functions
– The Green network provides high accountability,
no anonymity, and we are safe because of the
accountability
– But this green system requires professional
administration
– A breach anywhere destroys the accountability
for all
Somewhere Over the Rainbow
• But what if we could define these systems on
an application by application basis
– There must be a barrier to creating new virtual
systems, so that users don’t become accustomed
to clicking “OK”
– But once created, the TCB prevents the
unauthorized retrieval of information from
outside this virtual system, or the import of
untrusted code into this system
– Question is who sets the rules for information
flow, and do we allow overrides (to allow the
creation of third party applications that do need
access to the information so protected)
A Financial Virtual System
• I might have my financial virtual system. When
asked for financially sensitive data, I hit CTL-ALT-DEL
to see which virtual system is asking for the data
• I create a new virtual system from trusted media
provided by my bank
• I can add applications, like Quicken, and new
participants, like my stock broker, to a virtual
system only if they have credentials signed by a
trusted third party.
–
How Many Virtual Systems
• Some examples:
– Open, untrusted, wild Internet
– My financial virtual system
– My employer’s virtual system
– Virtual systems for collaborations
• Virtual Organizations
– Virtual systems that protect others
• Might run inside VM’s that protect me
– Resolve conflicting policies
– DRM vs. Privacy, etc
What do we need for TC
• Trust must be grounded
– Hardware support
• How do we trust the hardware
• Tamper resistance
– Embedded encryption key for signing next level certificates
• Trusted HW generates signed checksum of the OS and
provides new private key to the OS
Non-Maskable Interrupts
• We must have hardware support for a nonmaskable interrupt that will transfer program
execution to the Trusted Computing Base (TCB)
when user demands it
– This invokes the trusted path
The Hardware Basis
• Trusted computing is proof by induction
– Each attestation stage says something about the next level
– Just like PKI Certification hierarchy
• One needs a basic step
– On which everything is built
– Hardware is that step
Trusted Platform Module (TPM)
• Basically a key storage and cryptographic
functionality device
• Capabilities:
– Generation of new keys
– Storage and management of keys
– Use of keys for cryptographic functions
Trusted Platform Module (TPM)
Smartcard-like module
on the motherboard that:
• Performs cryptographic functions
– RSA, SHA-1, RNG
– Meets encryption export requirements
• Can create, store and manage keys
– Provides a unique Endorsement Key (EK) whose extraction destroys
the hardware
– Provides a unique Storage Root Key (SRK)
• Performs digital signature operations
• Holds Platform Measurements (hashes)
• Anchors chain of trust for keys and credentials
• Protects itself against attacks
Slide From Steve
Lamb at Microsoft
Source: http://www.cs.bham.ac.uk/~mdr/teaching
Attestation with TPM
• An Attestation Identity Key (AIK) is a key pair created
during attestation, for use by a particular application
• Generated using EK
• Benefits:
– CPU can perform encryption with AIK
– Hides EK from cryptanalysis
– Addresses privacy issues since it cannot be tied back to a
single machine
Source: http://www.cs.bham.ac.uk/~mdr/teaching
Remote Attestation with TPM
• Sign something with EK
– Compromises user privacy since different sessions can be
linked together
• Using remote CA
– AIK is generated and signed by a remote CA
Source: http://www.cs.bham.ac.uk/~mdr/teaching
Using Encryption for Atestation
• PCR – Platform configuration register that stores
hashes of applications
• Extend
– Add data to a PCR
– SHA-1(PCR+measurement)
– As each module loaded its hash extends the PCR
• Quote
– Sign current value of PCR to be offered as proof of
authenticity
Source: http://www.cs.bham.ac.uk/~mdr/teaching
Secure Storage with TPM
• Users' data can be encrypted by TPM-generated
and TPM-protected keys (binding keys)
– Not every key can be stored on TPM but it can be
protected by keys that are stored on TPM
• Eventually, every binding key is secured by the
TPM's Storage Root Key (SRK)
Source: http://www.cs.bham.ac.uk/~mdr/teaching
Secure Storage with TPM
• Two ways to protect data with TPM:
– Data binding: encrypting with a binding key
– Data sealing: data is encrypted, bound to a specific
TPM platform and a particular configuration
• Take data, a binding key and requested PCR values as
input, then outputs a sealed data package.
• To decrypt this package, one must be running the same
TPM, have the key, and the current PCR value has to
match with the value used in the sealing process.
• E.g., one seals a Word document with a binding key,
and PCR values indicating that Microsoft Word and
Symantec antivirus were loaded. To read that
document, other users must have access to the key,
use Microsoft Word and Symantec antivirus, in the
same TPM.
OS Support for Trusted Computing
• Separation of address space
– So running processes don’t interfere with one another
• Key and certificate management for processes
– Process tables contain keys or key identifiers needed by
application, and keys must be protected against access by
others
– Processes need ability to use the keys
OS Support for Trusted Computing
• Fine-grained access controls on persistent resources
– Protects such resources from untrusted applications
• The system must protect against actions by the
owner of the system (!!!)
Discussion - Risks
• Trusted computing is a tool that can be misused
– If one party has too much market power, it can dictate
unreasonable terms and enforce them
• Too much trust in trusted computing
– Attestation does not make a component trustworthy
(vulnerabilities may still exist, component may still
misbehave)
Discussion - Benefits
• Allows systems to be developed that require
trustworthy remote components
– Provides protection of data when out of the hands of its
owner
• Provides isolation and virtualization beyond local
system
– Provides containment of compromise
Equal Opportunity for Discrimination
• Trusted computing means that the entities that
interact with one another can be more certain
about their counterparts
• This gives all entities the ability to discriminate
based on trust
• Trust is not global – instead one is trusted “to act
a certain way”
Equal Opportunity for Discrimination
• Parties can impose limits on what the software
they trust will do
• That can leave less trusted entities at a
disadvantage
• Open source has fewer opportunities to become
“trusted”
Privacy Concerns
• Strong DRM systems require trust in the
systems that receive and process protected
content
– Trust is decided by the provider
of the content
– This requires that the system provides assurance
that the software running on the system is
software trusted by the provider
Privacy and Anti-Trust Concerns
• The provider decides its basis for trust
– Trusted software may have features that are
counter to the interests of the customer
• Imposed limits on fair use
• Collection and transmission of data the customer
considers private
• Inability to access the content on alternative
platforms, or within an open source OS
Trusted Computing Cuts Both Ways
• The provider-trusted application might be
running in a protected environment that
doesn’t have access to the user’s private data
– Attempts to access the private data would thus
be brought to the users attention and mediate
through the trusted path
– The provider still has the right not to provide the
content, but at least the surreptitious snooping
on the user is exposed.
Human Element
Social Engineering
• Organization invest into sophisticated security systems
–
–
–
–
Firewalls
Intrusion detection systems
Safes
Smart cards
• Humans repeatedly prove to be the weakest link
–
A skillful attacker will be able to obtain best guarded
information by making a few phone calls …
“The Art of Deception”, K. Mitnick and W. Simon, Wiley Publishing, 2002
How Do They Do It?
• They deploy similar techniques as when breaking in
using technical means
–
–
–
–
–
–
–
They get well acquainted with the organization
procedures and lingo
They pick up a few names and phone numbers
They pretend to be insiders
They gather little bits of information and piece them together
into a valuable whole
They sound friendly and confident
They work slowly and build trust
They play on people’s feelings
Robbing a Bank Without a Gun
• Stanley Rifkin worked for a contracting company to
develop backup system for wire room of Security Pacific
National Bank
–
–
–
People in wire room used one-day codes to authorize wire
transfers
They wrote those on a paper each day and posted
it inside the room
Stanley walked in a room one day to “take notes on operation
procedures for the backup system” and memorized the code
Robbing a Bank Without a Gun
• Stanley next walked to a phone in the bank’s lobby, gave
a name and office number of an authorized employee,
then gave daily code
–
–
–
–
He asked that $10M be transferred to his account in
Switzerland
Wire-room employee asked for an interoffice settlement
number
Stanley said he will check and call back
He called another department claiming to work in the wire
room and asked for an interoffice settlement number then
called back the wire-room and finalized the transaction
Getting Credit History Information
• Grace was a PI who was following a trail of money that
his client’s husband withdrew from their joint account
–
–
–
–
Grace knew that banks call a credit verification service
CreditChex to verify new client information
Grace first called husband’s bank and got familiar with the
lingo – what do they give to CreditChex when they ask for
information, because he’s writing a book …
Grace then called another bank employee presenting himself
as CreditChex customer service representative and asked for
employee’s MerchantID among other things
Grace called CreditChex next presenting himself as bank
employee and got information about the husband’s new
accounts
Getting a List of Employees
• Didi was a head-hunter who wanted to steal a few
employees for her client from his competition
–
–
–
–
Didi first called a reception desk at the competition,
presenting as branch employee and got connected to
Accounting
She called Accounting and got cost center – charge code for
billing each department’s needs
Didi then called a random other department, pretending to be
a branch employee and asked how to get a printed phonebook
for a contractor – call Publications
She called Publications and asked for phonebook to be mailed
to branch contractor – a rented mailbox; she sweet talked the
guy there to skip formal procedure for paperwork filing and
just bill this to the cost center
Getting a Private Phone Number - 1
• The attacker dials private phone company’s number for
Mechanized Line Assignment Center
–
–
–
Presents himself as cable splicer in the field
Gives a few convincing statements
Asks for help to rewire the terminal and gets all phone
numbers assigned to the wires
Getting a Private Phone Number - 2
•
The attacker calls utility company “from some company
branch and he has a vice president’s office on the
phone”
–
–
He says his computer is down and could he get some help
The attacker then gives victim’s name and asks for account
number, phone number and address
Getting Info from Law Enforcement
• Frank Parsons has been running from the FBI
–
–
–
–
–
He moved to a new state and was looking for a job
He found a good job but they wanted a background criminal
check
The form asked for a fingerprint to check state criminal record
(which Frank didn’t have)
Frank wanted to find out if this will be transmitted to the FBI
He called the state patrol and asked, said he worked with State
Department of Justice and they were doing a research …
Getting Credit Card Information
• Doyle Lonnegan is a collection man for gambling debts
and he needs to collect a debt from X
–
–
–
–
Doyle finds out X’s frequented video rental store
Doyle calls another branch pretending to be a satisfied
customer and asks for store number, manager’s name, etc.
Doyle then calls X’s store, presents himself as fellow employee
from a different store – says X is there and wants to rent and
wants to use his credit card number on file but computers are
down …
He can now charge the debt to the credit card
Getting a Free Cell Phone
• Company CLPhone advertised 1-cent cell phone with a
contract subscription
–
–
–
Mark wants the phone but not the subscription
He calls a local CLPhone branch and presents himself as a
customer who talked to a sales person the other night and
would like to sign up – Mark gets sales person’s name
Mark calls another CLPhone branch presenting himself as a
sales person who has a customer waiting – customer already
signed up but branch is out of cell phones
Breaking into the Network - 1
• Bobby wants to break into company’s network
–
–
–
–
–
–
He first calls an employee, Ted, presenting himself as Eddie
from the Help Desk
Eddie asks Ted how has his network service been because they
have been having problems – supplies his cell phone for when
the problem arises (reverse social engineering).
Eddie also obtains Ted’s port number from Ted
Bobby then calls IT, presenting himself as Eddie from the Help
Desk and asks that the port be disabled
Frustrated Ted calls and Eddie “fixes the problem”
Eddie asks Ted to install a piece of software so “this doesn’t
happen again”
Breaking into the Network - 2
• Attacker wants to get an inside access
–
–
He first calls HR and asks for the list of new employees
Attacker then calls one new employee and gives her security
briefing – he also gets her username and gets her to change
her password with his help
Breaking into the Network - 3
• Attacker wants to get confidential files for project X
–
–
–
–
–
He calls company switchboard and gets phone number of any
employee - Sam
Attacker calls Sam, saying he is from FedEx and there is a
package for project X – gets project lead’s name (Jerry) and
number
Calls Jerry’s office and learns he’s on vacation but gets his
secretary’s number – Michelle
Calls Michelle and asks for project X people E-mails “because
Jerry asked me for a favor”
Calls IT and claims he is employee who just bought a laptop –
gets dial-in access
Breaking into the Network - 3
• Attacker then finds a computer with a guest account
and breaks in – this computer runs Unix system
• He examines a shadow file and figures out that one of
the project people (Steve) has password Janice
–
–
–
But password doesn’t work
Attacker waits for the weekend and calls Steve pretending to
be from IT and repairing crashed network
He asks for Steve’s password, providing the old one
Breaking into the Network - 4
• Attacker calls the switchboard asking for employee
Jones – learns his first name Jo
–
–
–
Speaks to Jo and claims to be from payroll – Joe’s paycheck has
been deposited to Credit Union account
Jo provides his employee number to clear up the mess
Attacker calls another branch and asks to be given a temporary
username and password while on business trip – gives Joe’s
name and employee number for verification
Breaking into the Network - 5
• Danny wants to break into company’s network and steal
some confidential files on product X but they use twofactor authentication
–
–
Secure ID – a time based token that changes every 60 seconds
Username and password
• Danny learns some employee’s name (Bob), number, his
manager’s number, username, password, etc.
–
–
Waits for a stormy day
Calls IT and claims to be Bob who left his secure ID at his desk
and could someone fetch it and read the info
Breaking into the Network - 5
• IT refuses but offers a temporary secure ID that will
work just the same
–
A guy in IT even calls his manager to check that this is OK and
vouches for “Bob”
• Danny searches newsgroups for postings on product X –
gets the name of the guy working on it (Scott)
–
–
–
Scott happens to be in the office and happily provides server
name to “IT guy”
Danny can’t connect to the server from dial-up and he calls IT
again and asks for a temporary account in IT
From IT computers he finds a vulnerability on the
development server and grabs files on product X
What are the Key Steps?
• Knowing the lingo
• Being familiar, relaxed and friendly
• Playing on people’s feelings
–
–
–
People want to help
Especially if you work for their boss
Or they can be easily intimidated
• Pretending to be an insider
• Asking for “insignificant” pieces of information
How to Protect from Social Engineering?
• Limit the number of people who know key information
• Educate employees about security
• Establish authentication procedures going through a
single site
• Ask employees to call back when providing sensitive
information, and to use the number on file
Botnets Fun Facts: ROI for Attackers
• Researchers subverted a botnet’s command
and control infrastructure (proxy bots)
– Modified its spam messages to point to the Web
server under researcher control
• That server mimicked the original Web page
from the spam emails
– A pharmacy site
– A greeting card download site
"Spamalytics: An Empirical Analysis of Spam Marketing Conversion” C.
Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and
S. Savage, ACM CCS 2009
What Is ROI for Attackers
• How many spam emails reach recipients: open
a few email accounts themselves and append
them to email delivery lists in spam messages
• How many emails result in Web page visits
– Must filter out defense accesses
• How many users actually buy advertised
products or download software
– No “sale” is finalized
• Ethical issues abound
"Spamalytics: An Empirical Analysis of Spam Marketing Conversion” C.
Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and
S. Savage, ACM CCS 2009
Most-targeted E-mail Domains
"Spamalytics: An Empirical Analysis of Spam Marketing Conversion” C.
Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and
S. Savage, ACM CCS 2009
Spam Conversion Pipeline
"Spamalytics: An Empirical Analysis of Spam Marketing Conversion” C.
Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and
S. Savage, ACM CCS 2009
Spam Conversion Pipeline
"Spamalytics: An Empirical Analysis of Spam Marketing Conversion” C.
Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and
S. Savage, ACM CCS 2009
Spam Filter Misses
"Spamalytics: An Empirical Analysis of Spam Marketing Conversion”
C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson,
and S. Savage, ACM CCS 2009
For More on Botnets
http://www.shadowserver.org
http://www.honeynet.org/papers/bots/
http://www.honeynet.org/papers/ff