Transcript Darpa Presentation - CMU/ECE

18487 Course Review
Vyas Sekar
Carnegie Mellon University
This Class: Introduction to the Four
Research Cornerstones of Security
Software Security
OS Security
Network Security
Cryptography
2
Software Security
3
Control Flow Hijacks
shellcode (aka payload) padding
computation
+
&buf
control
Allow attacker ability to run arbitrary code
– Install malware
– Steal secrets
– Send spam
4
5
6
7
Cryptography
8
Crypto Terminology
9
Goals
• Understand and believe you should never,
ever invent your own algorithm
• Basic construction
• Basic pitfalls
10
Network and System Security
11
What is Network Security?
Public Channel
Alice
Bob
The Network,
typically runs IP “protocol”
1. Providing a “reliable” channel
 If the network protocols have flaws, crypto may not save you
12
E.g., Unauthorized origin ISP (prefix
theft)
G
Destination
Route
Destination
Route
Google
G←B
Google
M
B
C
M
M’s route to G is
better than B’s
13
Takeaways on routing security
• BGP was built on the assumption of cooperation
– Assumption does not apply anymore
• Many routing misconfigurations, bugs, and even attacks (several per
day)
• Proposed fixes are many, but all have some limitations
– TTL hacks, MD5 signatures
– S-BGP
• Relies on a PKI
• Potentially significant overhead
• Very hard to retrofit security in an existing model!
14
What is Network Security?
Public Channel
Alice
Bob
The Network,
typically runs IP “protocol”
2. Providing an “available” channel
 Can Alice talk to Bob? Can Eve deny service to Alice/Bob?
15
DoS: General definition
• DoS is not access or theft of information or
services
• Instead, goal is to stop the service from
operating
• Deny service to legitimate users
• Why?
– Economic, political, personal etc ..
16
Why is DDoS a hard problem
• Simple form of attack
– No complex technique, just send a lot of traffic
– Toolkits readily available
• Prey on the Internet’s strengths
– Simplicity of processing in routers
– Total reachability
• Attack machines readily available
– Easy to find 10,000’s vulnerable machines of the Internet
• Attack can look like normal traffic
– E.g., HTTP requests
• Lack of Internet enforcement tools
– No traceability
• Lack of cooperation between targets
– ISPs are competitive, and cooperation only at human timescales
• Effective solutions hard to deploy
– We can’t change the core of the Internet easily
17
TCP SYN Flood I: low rate
C
S
(DoS bug)
Single machine:
SYNC2
• SYN Packets with
random source IP
addresses
SYNC3
• Fills up backlog queue
on server
SYNC1
SYNC4
SYNC5
• No further connections
possible
18
Backscatter analysis
• Internet telescope/backscatter measurement
(example: SYN flood)
Attacker
Network “telescope”, e.g.,
empty /8 network
SYN, from IP = A
SYN-ACK, to IP = A
• By monitoring unused portion of address space, possibility to see
evidence of backscatter and infer type/number of DDoS attacks
• Does this work with botnet-based attacks?
19
DDoS Defense Taxonomy
• Location
– Host vs network vs protocol
• Response timescale
– Preventive vs Reactive
• Response action
– E.g., filter, rate limit, multiply, bug fix/patch
20
What is Network Security?
Public Channel
Alice
Bob
The Network,
typically runs IP “protocol”
3. Providing an “enforcement” for observing/mediating access
 Stop Eve’s malware from reaching Bob in the first place
 Observe aggregated view of malicious intents
21
•
•
•
•
Taxonomy
Approach: Policy vs Anomaly
Location: Network vs. Host
Action: Detect vs. Prevent
Semantics: IP vs TCP vs App
Type
Example
Host, Rule, IDS
Tripwire
Host, Rule, IPS
Personal Firewall
Net, Rule, IDS
Snort
Net, Rule, IPS
Network firewall
Host, Anomaly, IDS
System call monitoring
Net, Anomaly, IDS
Working set of connections
Net, Anomaly, IPS
22
Ω
Think of the Bayesian detection rate as the
set of intrusions raising an alert normalized
by the set of all alerts. (vs. detection rate
which normalizes on intrusions.)
I
Defn: Bayesian Detection rate
A
!
Crux of IDS
usefulness
23
Key things to remembers for firewall/IDS
• Firewalls
– 3 types: Packet filtering, Stateful, and Application
– Placement and DMZ
• IDS
– Anomaly vs. policy-based detection
• How can we exploit for evasion?
– E.g., fragmentation, TCP session reassembly, TTL
• How can we attack the defense infrastructure?
– E.g., overload, algorithmic complexity
• Detection theory
– Base rate fallacy
24
Web Security
“Injection flaws occur when an application
sends untrusted data to an interpreter.”
--- OWASP
Like Buffer Overflow and Format
String Vulnerabilities, A result of
from the possibility of
interpreting data as code
https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
26
“Cross site scripting (XSS) is the ability to get a
website to display user-supplied content laced
with malicious HTML/JavaScript”
27
Cross Site Request Forgery (CSRF)
A CSRF attack causes the end user browser to
execute unwanted actions on a web
application in which it is currently
authenticated.
28
Clickjacking
Clickjacking occurs when a malicious site
tricks the user into clicking on some element
on the page unintentionally.
Click for a FREE
iPad!
Slides modeled after presentation by Lin-Shung Huang at USENIX 2012.
Paper: Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart Schechter, and Collin Jackson. 2012. Clickjacking: attacks and defenses.
In Proceedings of the 21st USENIX conference on Security symposium (Security'12). USENIX Association, Berkeley, CA, USA, 22-22.
29
Key takeaways for web security
• Different attack models
• Understand the differnet classes of attacks
–
–
–
–
Injection
XSS
CSRF
Clickjacking etc
• Proposed defenses
– E.g., sanitization, secure tokens etc
30
Designing Secure Systems
Vyas Sekar
Carnegie Mellon University
Protection Mechanism
Control Transfer of Information
Among Users of the Utility
32
Abstract Access Control Model
Audit
Requested
Operation
Approved
Operation
Principal
Reference
Monitor
Object
Source
Guard
Resource
Authentication
Authorization
33
Design Principles
•
•
•
•
•
•
•
•
•
Economy of mechanism a.k.a KISS /Low TCB
Fail-safe defaults
Complete mediation
Separation of privilege
Least privilege
Factor in users/acceptance/psychology
Work factor/economics
Detect if you cant prevent
Don’t rely on security by obscurity
34
Key takeaways for system security
• Know Lampson’s “gold” standard
– Authentication
– Authorization
– Audit
• Know types of authorization mechanisms
• Understand concept of TCB
• Internalize design principles for secure systems
35
Key takeaways for mobile security
• How is mobile security different?
– Ecosystem, hardware, software?
• How do popular systems work?
– iOS vs Android
• What new threats arise?
– Poor use of crypto, PII leakage
• Techniques to detect misuse
– E.g., control and call graphs
36
Exam 3
37
Exam 3 Mechanics
• Same format as exams 1 and 2. In class,
closed note, closed book, closed computer
• BRING A CALCULATOR (no cell phones,
PDA’s, computers, etc.) Think of this as a
hint.
• Topics: Anything from class
38
The Most Important Things
Anything is fair game, but the below are things
you absolutely must know
•
•
•
•
•
Base Rate Fallacy
Web attacks
Authenticated encryption
Stack diagrams/buffer overflow/etc.
Questions from exam 1 and exam 2
(study what you missed)
39
Questions?
40
END