System Security - College of Engineering and Computer Science
Download
Report
Transcript System Security - College of Engineering and Computer Science
2
Security Awareness 2014
Prabhaker Mateti
Network security
Internet security
Computer security
System security
Homeland security
Security
Prabhaker Mateti
2003
813
1009
2871
1521
80
32000
Security Awareness 2014
2014
31564
18995
39812
107303
24629
194118
3
2013: 100000+
“CERT uses the word "incident" as an
administrative term …
A single "incident" can involve anything
from a single host computer to a very
large number of host computers, at a
single site or at hundreds of thousands of
sites.”
Security Awareness 2014
Prabhaker Mateti
4
2003
2000
171,638,297
72,398,092
Security Awareness 2014
Prabhaker Mateti
5
MLOC
1993
Windows NT 3.1
6
1996
Windows NT 4.0
11
2001
Windows XP
45
2000
Linux Debian 2.2
55
2012
Linux Debian 7.0
419
2005
Mac OS X 10.4
2001
Linux Kernel 2.4.2
2012
Linux Kernel 3.6
Prabhaker Mateti
86
2
16
Security Awareness 2014
6
Table from “Code Complete” book
Not to be taken as too authentic
Don’t believe the 0 at the low end
Security Awareness 2014
Prabhaker Mateti
7
Your machine has been compromised.
root = administrator = super-user
An unauthorized user has obtained root
privileges.
A rootkit may have been installed.
Forensic analyses made with tools existing
on that system are unreliable.
Security Awareness 2014
Prabhaker Mateti
9
We think of computer systems as providing
services to authorized users.
When a system is deliberately made to
crash, or made to run legitimate users'
programs so very slowly that it is unusable,
we refer to it as a "denial of service attack."
The attacker accomplishes this by running
certain cleverly composed programs, and is
pre-aware of the consequences.
Security Awareness 2014
Prabhaker Mateti
10
Black hats are the "bad" guys in that they
use their knowledge to unauthorizedly
break into even more systems, and pass
their knowledge to other insiders.
White hats are the "good" guys: they are
mostly into forensics and prevention of
attacks.
Security Awareness 2014
Prabhaker Mateti
11
Vulnerability: A weakness that can be
exploited to cause damage.
Attack: A method of exploiting a
vulnerability.
Threat: A motivated, capable adversary
that mounts attacks.
Security Awareness 2014
Prabhaker Mateti
12
Hacker = One who programs
enthusiastically, even obsessively.
An expert at a particular program, as in ‘a
Unix hacker’.
A hacker enjoys exploring the details of
programmable systems and how to stretch
their capabilities.
A hacker has ethics.
Security Awareness 2014
Prabhaker Mateti
13
Any “program” that has a “malicious”
intent …
Viruses + Worms + Trojans + …
Security Awareness 2014
Prabhaker Mateti
14
Viruses are "programs" that modify other
programs on a computer, inserting copies
of themselves.
Viruses are not officially programs:
› They cannot run on their own.
› Need to have some host program.
› When the host program is run, the virus runs.
Security Awareness 2014
Prabhaker Mateti
15
Worms are programs that propagate from
computer to computer on a network.
Worms can run independently.
Worms may have (different) portions of
themselves running on many different
machines.
Worms do not change other programs,
although they may carry other code that
does.
Security Awareness 2014
Prabhaker Mateti
16
A Trojan mimics the functionality of its
namesake legitimate program.
But has a hidden “agenda.”
Ex: wu-ftpd Trojan - Login with specific
user/password gives a root shell.
Security Awareness 2014
Prabhaker Mateti
17
Also called trap doors.
Allow unauthorized access to a system.
The absence of backdoors cannot be
established.
Security Awareness 2014
Prabhaker Mateti
18
“System Security” =
Computer Security + Network Security
Trojan Horses, Viruses and Worms
Privacy and Authentication
TCP/IP exploits
Firewalls
Secure Configuration of Personal Machines
Buffer Overflow and Other Bug Exploitation
Writing Bug-free and Secure Software
Secure e-Commerce Transactions
…
Security Awareness 2014
Prabhaker Mateti
19
and their problems
Out of the box installations are rarely
properly configured.
Standard user accounts with standard
passwords.
Running unneeded services.
Leaving sensitive files read/write-open.
Security Awareness 2014
Prabhaker Mateti
21
Start with a properly configured system.
Delete weak or unneeded components.
Add protective layers.
Keep detailed logs.
Security Awareness 2014
Prabhaker Mateti
22
Often “equated” with fortification.
Rebuilding an OS from the same source
code but by using a more rigorous
compiler.
Redesigning portions of an OS.
Statically v. dynamically configured.
Security Awareness 2014
Prabhaker Mateti
23
“A rootkit is a collection of tools and utilities
that attackers use to hide their presence
and gather data to help them infiltrate
further across the network. Rootkits insert
backdoors, install Trojans, and patch
existing programs.”
Installed after the attacker gains access.
Cannot be detected by firewalls or antivirus scanners.
200+ results for search “rootkit’’ on
www.packetstormsecurity.org
Security Awareness 2014
Prabhaker Mateti
24
null.sys
HE4Hook
Hacker Defender
Slanret
He4Hook
Vanquish
Fu
…
Security Awareness 2014
Prabhaker Mateti
25
Linux Rootkit (LRK)
TeLeKit
Adore
Knark
t0rnkit
Kernel Intrusion System (KIS)
…
Security Awareness 2014
Prabhaker Mateti
26
BIOS
OS Kernel
Initialization
User logins
Security Awareness 2014
Prabhaker Mateti
27
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(9)\WINDOWS
[operating systems]
C:\bootsect\hdc3grub.bin="Booting From FAT32on120GB"
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Windows XP Pr
multi(0)disk(0)rdisk(0)partition(9)\WINDOWS="Windows XP Pr
multi(0)disk(0)rdisk(0)partition(14)\WINDOWS="Windows XP P
C:\bootsect\hdc3grub.bin="Linux via Grub"
Security Awareness 2014
Prabhaker Mateti
28
timeout 10
default 1
title failsafe
kernel (hd0,6)/boot/vmlinuz root=/dev/hda7 failsafe devfs=nomount
hdc=ide-scsi acpi=off
initrd (hd0,6)/boot/initrd.img
title linux-smp
kernel (hd0,6)/boot/vmlinuz-smp root=/dev/hda7 devfs=mount
hdc=ide-scsi acpi=off
initrd (hd0,6)/boot/initrd-smp.img
title windows
root (hd0,0)
chainloader +1
Security Awareness 2014
Prabhaker Mateti
29
Something you know
(e.g., a password or other secret);
Something you have
(e.g., smart card, credit card);
Something you are
(e.g., fingerprints, retinal scan, voice print).
Security Awareness 2014
Prabhaker Mateti
30
Weak passwords; social engineering.
telnet, ftp, … passwords travel the
network in the clear; can be sniffed.
One Time Passwords
Security Awareness 2014
Prabhaker Mateti
31
"Computationally Infeasible”
N = 2^a * 3^b * 5^c * 7^d * ...
One way hash function
› takes a variable-length input sequence of
bytes and converts it into a fixed-length
sequence.
› designed to be computationally infeasible to
reverse the process
Security Awareness 2014
Prabhaker Mateti
32
sender and receiver of a message share
a single, common key.
If ct = encryption (pt, key), then pt =
decryption (ct, key).
DES
IDEA
Blowfish
Security Awareness 2014
Prabhaker Mateti
33
a public key known to everyone, and a
private or secret key known only to the
recipient of the message
The two keys are mathematically related,
yet it is computationally infeasible to
deduce one from the other.
A global registry of public keys is needed
RSA
Security Awareness 2014
Prabhaker Mateti
34
The public key-based communication between say Alice and Bob is
vulnerable.
Let us assume that Mallory, a cracker, not only can listen to the traffic
between Alice and Bob, but also can modify, delete, and substitute Alice's
and Bob's messages, as well as introduce new ones. Mallory can
impersonate Alice when talking to Bob and impersonate Bob when talking to
Alice. Here is how the attack works.
Bob sends Alice his public key. Mallory intercepts the key and sends her own
public key to Alice.
Alice generates a random session key, encrypts it with "Bob’s" public key
(which is really Mallory's), and sends it to Bob.
Mallory intercepts the message. He decrypts the session key with his private
key, encrypts it with Bob's public key, and sends it to Bob.
Bob receives the message thinking it came from Alice. He decrypts it with his
private key and obtains the session key.
Alice and Bob start exchanging messages using the session key. Mallory, who
also has that key, can now decipher the entire conversation.
Security Awareness 2014
Prabhaker Mateti
35
“Quick: What's the computer vulnerability of the decade? It's not the Y2K bug,
according to computer science and security analysts, but a security
weakness known as the buffer overflow .”
Executable code is injected on to the runtime
stack.
The return address that was on the stack is
modified to point to the beginning of this code.
The executable code chosen produces a shell.
A root-privileged program is so exploited; so, you
are r00ted.
Security Awareness 2014
Prabhaker Mateti
36
Many of the Top 20 vulnerabilities are
buffer overflow problems.
Caused by a simple class of
programming errors.
C and its promiscuous style.
Security Awareness 2014
Prabhaker Mateti
37
38
Ethernet is a broadcast
medium.
So is: wifi
Packet switching.
Security Awareness 2014
Prabhaker Mateti
Least secure: Wireless networking
Second least secure: Always-on wired
connections
Second most secure: Intermittent wired
connections (dial-up)
Most secure: Never connected.
Security Awareness 2014
Prabhaker Mateti
39
Designed with too little concern for
security.
All data, including various fields in the
protocol headers, are sent in the clear.
Sender and Receiver in the packet can
be spoofed.
Security Awareness 2014
Prabhaker Mateti
40
IP address: a.b.c.d, 4-bytes.
IP packet contains the IP addresses of
sender and receiver.
Everything in the clear.
IP spoofing replaces the IP address of
(usually) the sender or (in rare cases) the
destination with a different address.
Services that authenticate based on the IP
addresses are vulnerable.
RPC, NFS, r-commands (rlogin, rsh, rcp, etc.), X
windows, …
Security Awareness 2014
Prabhaker Mateti
41
When packets are too large to be sent in a single IP packet,
due to interface hardware limitations for example, they can
be split up by an intermediate router.
The final destination will reassemble all the fragments of an IP
packet.
Attackers create artificially fragmented packets in order to
circumvent firewalls that do not perform packet reassembly.
In the IP layer implementations of nearly all OS, there are
bugs in the reassembly code.
Attackers create fragments that trigger these bugs.
Security Awareness 2014
Prabhaker Mateti
42
The SYN Flood
Connection Killing by RST
Closing a Connection by FIN
Connection Hijacking
Security Awareness 2014
Prabhaker Mateti
43
Sending of “data” not in the payload,
but via other “places.”
Headers.
Sequence numbers.
Security Awareness 2014
Prabhaker Mateti
44
Port Scanning is one of the most popular
among the reconnaissance techniques.
Find open ports
Fingerprint the OS
Stealth scan, Bounce scan, …
nmap
Security Awareness 2014
Prabhaker Mateti
45
A packet sniffer is a program that
eavesdrops on the network traffic.
It copies packets as they pass the NIC.
An NIC in the normal mode reads packets
destined to its specific MAC address, and
all other packets are ignored.
An NIC in promiscuous mode, receives all
packets regardless of the MAC address.
Security Awareness 2014
Prabhaker Mateti
46
Several machines participate in a DoS
attack of a victim.
These participants are often
compromised innocent machines
serving the “attacks.”
A remote client triggers the attack
servers.
Security Awareness 2014
Prabhaker Mateti
47
Domain Name Service protocol is inherently
vulnerable.
DNS cache poisoning.
BIND 8 is the most popular DNS server.
DNS servers running BIND are not up to date
with security patches and software
updates.
On October 21, 2002, 9 of the 13 root name
servers were the target of a DDoS attack.
Security Awareness 2014
Prabhaker Mateti
48
49
Security Awareness 2014
Prabhaker Mateti
Highly capable networked computer
systems
› Quad-core 1.2 GHz CPUs
› 1 GB RAM
› 16 GB persistent storage
Standard : GSM, Wi-Fi, GPS, Bluetooth,
camera, microphone, various sensors
Used by millions of computer-illiterates
Constrained by battery capacity
Security Awareness 2014
Prabhaker Mateti
50
Android’s global market share
78.4
Number of daily activations of Android devices
Global shipments of Android smartphones
1,500,000
1,133Mn
Number of Android smartphone users in the U.S.
76Mn
Number of apps downloaded from the Play store
50Bn
Average unique monthly users of Facebook app
42.38Mn
http://www.statista.com/topics/876/android/
Prabhaker Mateti
Security Awareness 2014
51
Soon to match PCs in malware
Kaspersky reports attacks per month
› Aug 2013:
69,000
› Mar 2014: 650,000
Pocket Spy?
Hot Research Topic
› 1000+ papers
› Permissions: 500+
› Privacy improvements: 50+
Security Awareness 2014
Prabhaker Mateti
52
Secure Shell, PGP, …
Firewall Kits
Tools
› Top 50 Security Tools survey from www.nmap.org
› http://www.packetfactory.net
› nmap, SAINT, …
› tcpdump, ethereal, snort, …
› Password cracking
› Tcpwrapper
Security Awareness 2014
Prabhaker Mateti
54
telnet, rlogin, … do not authenticate the
remote machine; SSH does.
The password that the user types as part of
the login ritual is sent as clear text by telnet
and rlogin; SSH sends it encrypted.
The data being sent and received by the
RTF is also sent as clear text; SSH sends and
receives it in encrypted form.
Security Awareness 2014
Prabhaker Mateti
55
ssh1 v. ssh2
SSH exploits do exist.
Susceptible to man in the middle attack
Encryption and decryption consumes
computing and elapsed time.
Can be a nuisance. If the remote system
has been legitimately reinstalled ...
Security Awareness 2014
Prabhaker Mateti
56
ssh
putty
ttermpro
openssh
Security Awareness 2014
Prabhaker Mateti
57
Data travels over public networks, usually
the Internet.
The information needed to allow the data
packets to be routed between the source
node and the destination node is available
to the public medium as in ordinary TCP/IP
traffic,
But, all other information is encrypted.
PPTP, L2TP, IPsec
Security Awareness 2014
Prabhaker Mateti
58
“Is the file what I installed? Did it change?”
Time stamps, file size, … are not reliable.
MD5 checksums.
The MD5 algorithm takes as input an arbitrary length byte
sequence and produces a 16-byte "fingerprint" or
"message digest" of the input. It is conjectured that it is
computationally infeasible to produce two messages
having the same message digest, or to produce any
message having a given pre-specified target message
digest.
Security Awareness 2014
Prabhaker Mateti
59
Scanners hook themselves in the
read/write methods of the file sys.
Search for patterns in the file content.
Search for specific file names, …
Can yield false positives.
Can miss identifying malware.
Security Awareness 2014
Prabhaker Mateti
60
Drop packets based on matching
certain parts: IP addresses, port numbers,
protocols, flags.
Network Address Translation - NAT
IP port forwarding
iptables -A FORWARD -d ! 192.168.17.0/24 -i eth1 -j
prvt-extrn iptables -A FORWARD -s 130.108.17.0/24 -i
eth2 -j dmz-extrn iptables -A FORWARD -d
130.108.17.0/24 -i eth0 -j extrn-dmz iptables -A
FORWARD -j DROP -l
Security Awareness 2014
Prabhaker Mateti
61
Packet filters
Bastion Host
Proxy services
Stateful Inspection
Three Myths of Firewalls
Firewalls make the assumption that the only way in or out of a
corporate network is through the firewalls; that there are no
"back doors" to your network.
Firewalls make the assumption that all of the bad guys are on
the outside of the firewall, and everyone on the inside of the
can be considered trustworthy.
With macros, JavaScript, Java, … executable fragments can
be embedded inside data.
Security Awareness 2014
Prabhaker Mateti
62
Detect probes.
Constantly check file integrity.
Constantly check which ports are open
and why.
Keep detailed logs of suspicious activity
on a separate system.
Security Awareness 2014
Prabhaker Mateti
63
64
Security Awareness 2014
Prabhaker Mateti
Many bugs are exploitable from a
security perspective.
› A simple array-index out of bounds bug can
lead to computer being owned by the
attacker.
2014 State of the Art:
Cannot produce bug-free software
(unless tiny)
Security Awareness 2014
Prabhaker Mateti
65
Out of the box installations are rarely
properly configured.
Standard user accounts with standard
passwords.
Running unneeded services.
Leaving sensitive files read/write-open.
Security Awareness 2014
Prabhaker Mateti
66
Designed with too little concern for
security.
All data, including various fields in the
protocol headers, are sent in the clear.
Sender and Receiver in the packet can
be spoofed.
Security Awareness 2014
Prabhaker Mateti
67
Too focused on performance
Not enough on security
Too much trust on components
› E.g., kernel trusts /sbin/init
Security Awareness 2014
Prabhaker Mateti
68
69
Security Awareness 2014
Prabhaker Mateti
“There is an oceanic amount of material
on network security available over the
Internet.”
-- A
Web Page.
10000+ web sites
Select list follows
Security Awareness 2014
Prabhaker Mateti
70
www.incidents.org
www.cert.org
www.cerias.purdue.edu
www.securityfocus.com
lwn.net/security
www.microsoft.com/security
www.phrack.org
Security Awareness 2014
Prabhaker Mateti
71
CEG 4420 Cyber Security UG course
www.cs.wright.edu/~pmateti/Courses/44
20
Android Internals and Security at Amrita
www.cs.wright.edu/~pmateti/Courses/79
00
Security Awareness 2014
Prabhaker Mateti
72