Network Programming and Network Security Lane Thames Graduate Research Assistant.


Outline for Today

Discuss network security and how it relates to network programming

After the presentation, we will go to DNAL to tour our data center. Then we are going to hack some computers :>)

Network Programming

What is the Goal?

Sending data to and from hosts via TCP/IP over a network.

Client—Server

Source—Sink

(Diagram: hosts A, B and C)

Information Security

NETWORK SECURITY

Firewall, IDS, IPSEC (VPN), Encryption…

Data flowing through the network

COMPUTER SECURITY

Firewall, Virus Protection, Encryption…

Data on a machine

Definitions

Virus?

Passive malware that is embedded within a program. Will not execute on its own. You have to run the “host” program. After being activated, it attempts to spread to other programs and hosts (usually via email).

Definitions

Worm?

Active malware that can spread on its own using a network. Takes advantage of some exploit (usually a flaw known as a buffer overflow).

The Infamous Buffer

So, how does a worm take advantage of an exploit?

send(sockfd,&buffer,sizeof(buffer),0);

recv(sockfd,&buffer,sizeof(buffer),0);

What if the receiving buffer keeps getting data added beyond its boundary?

OVERFLOW—data is written beyond the boundary and causes problems.
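The slide's recv() call is bounded by sizeof(buffer), so the danger is in what the receiving code does next: appending successive reads, or copying the data on with a length it never checked. The following is an added example, not code from the slides or from the speaker: a receiver that validates the announced message length against its own capacity before storing a single payload byte. The 2-byte length prefix framing, the in-memory fake_socket and fake_recv (a stand-in for recv() that deliberately returns short reads) are all assumptions made so the example runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original slides. The "socket" is an in-memory
 * stream so the reader runs offline and can be exercised with short reads,
 * which is exactly what makes naive recv()-into-a-fixed-buffer code unsafe. */
typedef struct {
    const uint8_t *data;   /* constructed input stream */
    size_t len;
    size_t pos;
} fake_socket;

/* Stand-in for recv(): hands back at most two bytes per call to force short
 * reads, and 0 once the peer has sent everything (like a closed socket). */
static size_t fake_recv(fake_socket *s, uint8_t *out, size_t want) {
    size_t n = s->len - s->pos;
    if (n > want) n = want;
    if (n > 2) n = 2;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Loop until exactly 'need' bytes have arrived; -2 if the stream ends first. */
static int recv_exact(fake_socket *s, uint8_t *out, size_t need) {
    size_t got = 0;
    while (got < need) {
        size_t n = fake_recv(s, out + got, need - got);
        if (n == 0) return -2;
        got += n;
    }
    return 0;
}

/* Assumed framing: 2-byte big-endian length, then the payload. The announced
 * length is checked against the caller's capacity before any payload byte is
 * stored, so the peer cannot push data past the end of buf however large a
 * length it claims. Returns 0 on success, -1 if the message would not fit,
 * -2 if the stream was truncated. */
int recv_message(fake_socket *s, uint8_t *buf, size_t cap, size_t *out_len) {
    uint8_t hdr[2];
    int rc = recv_exact(s, hdr, sizeof hdr);
    if (rc != 0) return rc;
    size_t n = ((size_t)hdr[0] << 8) | hdr[1];
    if (n > cap) return -1;            /* reject the message, never overflow */
    rc = recv_exact(s, buf, n);
    if (rc != 0) return rc;
    *out_len = n;
    return 0;
}

int main(void) {
    /* Constructed streams: a 5-byte message, one claiming 300 bytes, one cut short. */
    static const uint8_t good[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    static const uint8_t huge[] = { 0x01, 0x2c, 'x', 'x', 'x' };
    static const uint8_t cut[]  = { 0x00, 0x0a, 'a', 'b', 'c' };
    const uint8_t *streams[] = { good, huge, cut };
    size_t lens[] = { sizeof good, sizeof huge, sizeof cut };
    uint8_t buf[64];
    for (int i = 0; i < 3; i++) {
        fake_socket s = { streams[i], lens[i], 0 };
        size_t n = 0;
        int rc = recv_message(&s, buf, sizeof buf, &n);
        printf("stream %d: rc=%d len=%zu\n", i, rc, n);
    }
    return 0;
}
```

The point of the design is that the only number ever used as a write length is one the receiver has already compared to its own buffer size; a peer-supplied length is data, not trust. The same shape applies to any protocol field that drives a copy (Content-Length, a record length, a string length).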

Common Types of Computer Attacks

Buffer Overflow Attacks—used for local and remote root exploits. The ultimate goal is to redirect program control flow, which causes the computer to execute carefully injected malicious code (example to follow).

Code can be crafted to elevate the privileges of a user by obtaining super user (root) privileges (demo in the lab afterwards).

Note: These exploits can create a “propagation medium” for worms.

Common Types of Attacks

Denial of Service (DoS)

Exhaust a computer’s resources: e.g. TCP SYN flooding attack (3-way handshake exploit).

Consume a computer’s available networking bandwidth: e.g. ICMP Smurf Attack (IP spoofing and ICMP).

TCP SYN Flooding Attack—what happens?

ICMP Smurf Attack

(Diagram: Master, Subnet Slaves, Victim; spoof IP with the IP of the Victim)
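Both attacks on the two slides above leave a distinctive trace in traffic, and that trace is what a monitor looks for. The following is an added detection example, not code from the slides: it measures the SYN flood signal (handshakes that received a SYN but never the third-step ACK) and the two Smurf signals (echo requests aimed at a directed-broadcast address at the border, and echo replies converging on one host from many sources at the victim). The packet records, IP addresses and the MAX_PEERS table size are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added detection example, not from the original slides. Packets are
 * constructed structs rather than captured traffic so it runs offline. */
typedef enum { TCP_SYN, TCP_SYNACK, TCP_ACK, ICMP_ECHO_REQ, ICMP_ECHO_REPLY } pkt_kind;
typedef struct { uint32_t src, dst; pkt_kind kind; } packet;

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MAX_PEERS 64   /* assumed table size for this example */

/* SYN flood signal: peers that sent a SYN to 'server' but never followed with
 * the third-step ACK, i.e. handshakes left half-open in the server's backlog. */
size_t half_open_count(const packet *p, size_t n, uint32_t server) {
    uint32_t peers[MAX_PEERS];
    int acked[MAX_PEERS];
    size_t np = 0, i, j, half_open = 0;
    for (i = 0; i < n; i++) {
        if (p[i].dst != server) continue;
        if (p[i].kind != TCP_SYN && p[i].kind != TCP_ACK) continue;
        for (j = 0; j < np && peers[j] != p[i].src; j++) ;
        if (j == np) {
            if (np == MAX_PEERS) break;   /* table full; stop tracking */
            peers[np] = p[i].src;
            acked[np] = 0;
            np++;
        }
        if (p[i].kind == TCP_ACK) acked[j] = 1;
    }
    for (j = 0; j < np; j++) if (!acked[j]) half_open++;
    return half_open;
}

/* Smurf signal at the border: echo requests whose destination has all host
 * bits set, i.e. the subnet's directed-broadcast address. */
size_t broadcast_echo_count(const packet *p, size_t n, uint32_t netmask) {
    size_t c = 0, i;
    for (i = 0; i < n; i++)
        if (p[i].kind == ICMP_ECHO_REQ && (p[i].dst | netmask) == 0xFFFFFFFFu) c++;
    return c;
}

/* Smurf signal at the victim: distinct hosts sending it echo replies to
 * requests it never sent (its address was spoofed as the source). */
size_t reply_sources_to(const packet *p, size_t n, uint32_t victim) {
    uint32_t seen[MAX_PEERS];
    size_t ns = 0, i, j;
    for (i = 0; i < n; i++) {
        if (p[i].kind != ICMP_ECHO_REPLY || p[i].dst != victim) continue;
        for (j = 0; j < ns && seen[j] != p[i].src; j++) ;
        if (j == ns && ns < MAX_PEERS) seen[ns++] = p[i].src;
    }
    return ns;
}

/* Constructed sample traffic toward server 192.168.1.10 on 192.168.1.0/24. */
size_t sample_traffic(packet *out, size_t cap) {
    const packet pk[] = {
        { IP(10,0,0,1), IP(192,168,1,10), TCP_SYN },
        { IP(192,168,1,10), IP(10,0,0,1), TCP_SYNACK },
        { IP(10,0,0,1), IP(192,168,1,10), TCP_ACK },        /* one completed handshake */
        { IP(10,0,0,2), IP(192,168,1,10), TCP_SYN },
        { IP(10,0,0,3), IP(192,168,1,10), TCP_SYN },
        { IP(10,0,0,4), IP(192,168,1,10), TCP_SYN },
        { IP(10,0,0,5), IP(192,168,1,10), TCP_SYN },        /* four left half-open */
        { IP(192,168,1,10), IP(192,168,1,255), ICMP_ECHO_REQ }, /* spoofed src, broadcast dst */
        { IP(192,168,1,20), IP(192,168,1,10), ICMP_ECHO_REPLY },
        { IP(192,168,1,21), IP(192,168,1,10), ICMP_ECHO_REPLY },
        { IP(192,168,1,22), IP(192,168,1,10), ICMP_ECHO_REPLY },
    };
    size_t n = sizeof pk / sizeof pk[0], i;
    if (n > cap) n = cap;
    for (i = 0; i < n; i++) out[i] = pk[i];
    return n;
}

int main(void) {
    packet pk[32];
    size_t n = sample_traffic(pk, 32);
    printf("half-open handshakes at server: %zu\n", half_open_count(pk, n, IP(192,168,1,10)));
    printf("echo requests to broadcast:     %zu\n", broadcast_echo_count(pk, n, IP(255,255,255,0)));
    printf("distinct reply sources at victim: %zu\n", reply_sources_to(pk, n, IP(192,168,1,10)));
    return 0;
}
```

In a real monitor these counts would be taken per time window and compared against a baseline for the host; the fixed thresholds a reader might add are site-specific. The broadcast check is also the basis of the classic mitigation: routers that drop directed-broadcast traffic remove the amplifier the Smurf attack depends on.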

Why will this program crash?

Buffer Overflow-Stack Image

Overflow buf with *str so that the Return Address (RA) is overwritten

If carefully designed, the RA is overwritten with the address of the injected code (contained in the *str input—shell code)

(Stack image: buf, SFP, Return Address, *str = buffer, Rest of Stack)

Buffer Overflow

After running the program on XP we get the famous Microsoft alert

In Linux you get “Segmentation Fault”

Buffer Overflow—Exception Info

Buffer Overflow—Stack Trace

So, how does the worm work (in a nutshell)?

Programmer finds a flaw in a program, e.g. a server using a buffer where length is not checked.

Calculate approximate return address for the given machine.

Create a buffer that holds copies of the desired address, followed by a NOP (No Operation code) sled, and then followed by the code to be executed, and create the code needed to send the buffer to servers running the flawed program.

The code injected into the buffer is a replica of the original program.

Generic Example

(Diagram: buf, Return Address; buffer: data, data, 0xbfffff00, NOP sled, 0xbfffff00, 0xbfffff00, Replication code)
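The buffer layout drawn above (repeated copies of one address, then a long NOP sled) is also what makes such a payload recognisable on the wire, and IDS signatures of the era keyed on exactly these runs. The following is an added example, not code from the slides: two payload heuristics of that kind, a longest-run-of-0x90 check and a check for consecutive identical 4-byte words at any alignment. The sample payload, the filler text standing in for the injected code, and the thresholds are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original slides: payload heuristics of the kind
 * an IDS signature uses to spot the buffer layout drawn on the slide. */

/* Longest run of one byte value, e.g. 0x90 (x86 NOP) for a NOP sled. */
size_t longest_byte_run(const uint8_t *p, size_t n, uint8_t b) {
    size_t best = 0, cur = 0, i;
    for (i = 0; i < n; i++) {
        if (p[i] == b) { cur++; if (cur > best) best = cur; }
        else cur = 0;
    }
    return best;
}

/* Longest run of consecutive identical 4-byte words, tried at all four
 * alignments: the "copies of the desired address" part of the layout. */
size_t max_word_repeats(const uint8_t *p, size_t n) {
    size_t best = 0, off, i;
    for (off = 0; off < 4; off++) {
        size_t cur = 0;
        for (i = off; i + 4 <= n; i += 4) {
            if (i >= off + 4 && memcmp(p + i, p + i - 4, 4) == 0) cur++;
            else cur = 1;
            if (cur > best) best = cur;
        }
    }
    return best;
}

/* Flag a payload when either heuristic crosses its (constructed) threshold. */
int looks_like_sled(const uint8_t *p, size_t n, size_t min_nops, size_t min_repeats) {
    return longest_byte_run(p, n, 0x90) >= min_nops
        || max_word_repeats(p, n) >= min_repeats;
}

/* Constructed payload in the slide's layout: request text, 16 copies of the
 * address 0xbfffff00 (little-endian), a 32-byte NOP sled, then 8 bytes of
 * filler text standing in for the injected code. Returns the payload length. */
size_t build_sample_payload(uint8_t *out, size_t cap) {
    static const uint8_t addr[4] = { 0x00, 0xff, 0xff, 0xbf };
    static const char filler[] = "payload!";
    size_t n = 0;
    int i;
    if (cap < 5 + 16 * 4 + 32 + 8) return 0;
    memcpy(out, "GET /", 5); n += 5;
    for (i = 0; i < 16; i++) { memcpy(out + n, addr, 4); n += 4; }
    memset(out + n, 0x90, 32); n += 32;
    memcpy(out + n, filler, 8); n += 8;
    return n;
}

int main(void) {
    uint8_t buf[128];
    size_t n = build_sample_payload(buf, sizeof buf);
    printf("payload bytes: %zu\n", n);
    printf("longest 0x90 run: %zu\n", longest_byte_run(buf, n, 0x90));
    printf("max repeated words: %zu\n", max_word_repeats(buf, n));
    printf("flagged: %d\n", looks_like_sled(buf, n, 16, 8));
    return 0;
}
```

Heuristics like these catch the textbook layout and little else: a sled built from other single-byte instructions, or addresses varied by a few bytes each, slips past both checks. They are useful as one monitor signal among several, while the durable fix remains the length check in the server that the worm description opens with.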

What are we doing in Network Security?

Created a Honeynet—a network of computers waiting to be hacked.

Network Monitoring—monitor the Honeynet with packet sniffers, traffic monitors, and host-based monitoring software.

Artificial Intelligence Classifier—make intelligent security decisions based on the data collected by the monitors.

The Network Setup

AI Classifier—Hybrid System Architecture

(Diagram blocks: Init. Train. Data, SOM Training, Modified Data, Struct. Developer, Struct. File, Processed Data, Bayesian Trainer, Bayesian/SOM Classifier, Monitored Data, IDS Classification File)

Related Grad Classes

ECE 6607—Computer Communication Networks (Dr. Abler)

ECE 6612—Network Security (Dr. John Copeland) (Real time hacking competition)

ECE 8833—Intelligent Systems (Dr. Ashraf Saad)

Questions?

Want to go hack a computer and see some of this stuff in action?