In retrospect… SOEN321, Fall 2004 Serguei Mokhov.


Contents

• Scale

• Threats

– Trojan Horses

• Object Reuse

• Hash Functions

• Salt


Scale

• Criminal exploits using the net often are analogous to their physical-world counterparts but they can have a special flavor.

• Consider an e-tailer like Amazon.com that maintains a database of the credit-card numbers of its customers.

• A hacker might succeed in compromising this database.

• Why worry about this when a crooked restaurant waiter can make an extra imprint of your credit card and steal very similar information?

• Answer this question by describing the leverage the hacker can obtain that is not obtainable by even an organized team of crooked waiters.


Threats (1)

• In the context of a well-configured information system of moderate size connected to the Internet, give an example of

– a high-probability, low-impact electronic threat, and

– a low-probability, high-impact electronic threat.

• Finally, give an example of an electronic threat so overwhelming that not even a large corporation would consider defending against it.

• In risk assessment and mitigation, why is commercial insurance often an option for a commercial corporation but rarely --- if ever --- an option for the armed forces or an intelligence agency?


Threats (2): Trojan Horses

• Why do mandatory access controls protect confidentiality requirements from compromise by Trojan horses better than do discretionary access controls?


Object Reuse

• In most operating systems, file deletion merely removes a link to a file but does not physically overwrite it. (In PCs, there are standard utilities to recover deleted files).

• In a local area network with a file server and hundreds of users, will a fully deleted file physically survive very long?

• On what does this depend? (We are not considering sophisticated physical recovery methods here).


Hash Function (1)

• One often hears, "If you change even a single bit of this 5-GB file, the hash result (image) will totally change". That's probably true.

• Still, consider a hash function h with domain D and codomain C, given by:

– D = {1, 2, ..., 100}, domain of x

– C = {0, 1, ..., 63}, codomain of h

– h(x): x |--> (67*x^2 + 13*x + 5 + (x mod 2)) mod 64

• If x <> x' in D collide, what mathematical relationship is there between x and x'?

– h(x) = h(x')

• Could you flip a single bit to transform x into x'? Explain.

– Let's take a particular case:

– x = 00000001, x' = 00000011, no

– Find me x, so that h(x) = h(1) = 22, and x differs from 0 by one bit, so x has to be a power of 2 + 1, e.g. 3, 5, 9, 17

– Basically, can you solve 3x^2 + 13x + 6 = 22 so that some of the numbers above are (is) roots?

– Same for even.


Salt

• The traditional Unix password hash function has the form:

– <hash value> = DES^25 (<salt>, <password>, initially 0)

• which means that DES is applied iteratively 25 times to blocks, the first one of which is a block of 64 0's, using parameters 'salt' and 'password' as arguments to DES.

• DES is a block encryption algorithm.

• How is the success of off-line dictionary attacks very closely dependent on the generally available computer power?

• Given your answer, imagine a possible requirement on a replacement hash function.

• How is using a shadow password file a different defense approach?

• Now does NIS change things? ;-)


Digital Signature (1)

• Why are cryptographic hash functions essential in all practical implementations of digital-signature schemes?

• What bad things might happen if hashes were not bound to the messages they are allegedly digests of?

• How would you (practically) achieve all three goals:

– i) message confidentiality,

– ii) message integrity, and

– iii) message-origin authentication, in one message transmission?


Firewall (1)

• Stateful packet filters do not examine packets in isolation.

• They use state information derived from past communications to make control decisions for new communication attempts.

– Show how a stateful packet filter has a better chance of verifying an incoming FTP data connection by remembering the history of the FTP session.

– Why is it difficult to use packet filtering of any kind to filter RPC services?
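A minimal model of the stateful behaviour asked about in the FTP question, as an added example that is not part of the original slides. The class and function names are hypothetical, the addresses are constructed, and it assumes active-mode FTP with each PORT command arriving whole in one segment.

```python
import re

# Active-mode FTP: the client announces its data endpoint on the control channel.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


class FtpStatefulFilter:
    """Toy filter protecting the client side (hypothetical class)."""

    def __init__(self):
        self.expected = set()  # (server_ip, client_ip, client_data_port)

    def outbound(self, src_ip, dst_ip, dst_port, payload=b""):
        """Inspect an outgoing segment; remember PORT commands sent to port 21."""
        m = PORT_RE.match(payload) if dst_port == 21 else None
        if not m:
            return
        n = [int(g) for g in m.groups()]
        if max(n) > 255:
            return
        ip, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
        # Only trust a PORT that names the client itself and an unprivileged port.
        if ip == src_ip and port >= 1024:
            self.expected.add((dst_ip, ip, port))

    def inbound_syn(self, src_ip, src_port, dst_ip, dst_port):
        """Allow an incoming connection only if the session history predicts it."""
        key = (src_ip, dst_ip, dst_port)
        if src_port == 20 and key in self.expected:
            self.expected.discard(key)  # one data connection per PORT command
            return True
        return False


def demo():
    fw = FtpStatefulFilter()
    client, server = "10.0.0.5", "203.0.113.10"  # constructed addresses
    fw.outbound(client, server, 21, b"PORT 10,0,0,5,19,137\r\n")  # 19*256+137
    return [
        fw.inbound_syn("198.51.100.7", 20, client, 5001),  # not the FTP server
        fw.inbound_syn(server, 20, client, 6000),          # port never announced
        fw.inbound_syn(server, 20, client, 5001),          # matches the PORT
        fw.inbound_syn(server, 20, client, 5001),          # entry already used
    ]
```

A stateless filter sees only the incoming SYN from port 20 and has to either open a wide range of client ports or block active-mode FTP entirely; the remembered PORT command is what lets the rule be this narrow.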


DDoS

• Why is it a good idea to maintain a number of out-of-band communication channels to aid in defending against a DDoS attack?

• Identify a scaling problem with this idea.

• Why might this scaling problem suggest that the response must come from the network itself?

• Why is naive trust in authentication not necessarily a good solution to DDoS?


IDS

• An attacker is trying to use subterfuge to defeat a stand-alone network intrusion-detection system.

• Why is finding a traffic pattern that will be interpreted by the IDS monitor in one fashion and by the target host in a different fashion the key to a subterfuge (deception/fraud) attack?

• Give two examples of how this can be done.


Buffer Overflow

• An attacker is trying to use a buffer-overflow attack against a privileged program 'p'.

• The defender has put a "canary word" next to the return address.

• The attacker is trying to overcome this defense.

• Imagine the stack of activation records is growing down.

• The calling procedure pushes arguments onto the stack, pushes a return address onto the stack, and then pushes a canary word onto the stack.

• The buffer has been allocated at an imperfectly-known offset 'd' from the return address, and the linear, sequential write of bytes to the buffer proceeds in the up direction.

• If the sequence of canary values used in different invocations of 'p' has been guessed by the attacker, and the attacker knows roughly where in the sequence the system is, show how the attacker can succeed in smashing the stack.


SUID

• Unix allows suid-root files. If an ordinary user can create a file whose owner has uid 0 and whose suid bit is set, would this compromise the system? Explain.

• If an ordinary user can execute a system file whose owner has uid 0 and whose suid bit is set, would this by itself compromise the system? Explain.

• What additional event is required to produce a compromise?


Confinement

• An application may be untrusted if it is exposed to outside attack but not trusted to protect itself against adversarial inputs.

• Confinement can be achieved---on the interface the OS presents to the untrusted application---if we intercept system calls made by the untrusted application and filter potentially harmful requests before they are executed.

• We try to enforce the Principle of Least Privilege.

– Show that any user-level mechanism we provide must reside in a different address space.

– We place the untrusted application in a particular directory and allow it to access files in or below this directory. If 'chroot' sets this up, what system call must we forbid? (You may need to mention parameters).

– Why must network access be carefully controlled in addition to the 'chroot' confinement?


DNSSec

• Consider the following proposal:

• A DNS record is a triple <'hostname', 'IPaddress', 'host's public key'>. Each DNS record is signed with the relevant authority's private key (so lcs.mit.edu's record is signed by mit.edu, mit.edu's record is signed by edu, and edu's record is signed by the DNS root 'dot'). The public key for 'dot' is assumed to be known to all DNS clients.

• This way, when you perform a query, say, on lcs.mit.edu, and get back a DNS record, it will be recursively self-authenticating.

• What is the purpose of adding the public key to the DNS record?


Key Transport

• Using a predefined scheme, Alice sends to Bob a 128-bit crypto key.

• The hash function h(x) generates 64-bit hashes.

• Alice chooses 128-bit random number rn and sends:

– {A,{rn, h(rn)}k-A} k-B

• Can Bob prove Alice is the sender?

• If there's no integrity problem Alice sends:

– {A,{rn}k-A} k-B

• Can Ted choose his own 128-bit random key rn, and send it to Bob making Bob believe it came from Alice?


Integrity

• Suppose when you modify a file, you always change its length.

• There are independent system functions that return the length: size() and length().

• Alice keeps the lengths offline for integrity check.

• If she uses either function, what are her trust assumptions?

• If she uses both, any added security value?


Vulnerabilities

• SOEN and SOFTDEV revolution.

• Radically reduces # of sys. vulnerabilities.

• Are firewalls much less essential?

• Firewalls + penetrate and patch

– Why does the former not remove the need for the latter?


Protection

• Pure capabilities system

• Secure mechanism to insert, modify, delete capabilities from the protection domain of a running process.

• Is it good support for Principle of Least Privilege?

• Comprehensive Mandatory Access Control policy less susceptible to Trojan horses?