PSC CyberSecurity 4 Systems v2
-
Upload
powerglobe-course-material -
Category
Documents
-
view
221 -
download
2
description
Transcript of PSC CyberSecurity 4 Systems v2
Cri$cal Infrastructure Security: The Emerging Smart Grid
Cyber Security Lecture 3: System Vulnerabili$es
Carl Hauser & Adam Hahn
Overview
• System Vulnerabili$es – SoEware – Hardware – Side Channel – Social – Malware – Supply Chain
• Security Mechanisms – Access Control – Malware Detec$on
Overview
• System Vulnerabili$es – SoEware – Hardware – Side Channel – Social – Malware – Supply Chain
• Security Mechanisms – Access Control – Malware Detec$on
Vulnerability Characteris$cs • Time introduced
– Design • oEen due to incorrect, insufficient system requirements
– Implementa$on • Some error or overlooked detail in the coding process
– Opera$onal • Result from the opera$onal use of soEware in some environment
• System Components – SoEware – Hardware – Network
• Impact – Confiden$ality, Integrity Availability
Most Dangerous SoEware Errors 1. Improper Neutraliza$on of Special Elements used in an SQL
Command ('SQL Injec$on') 2. Improper Neutraliza$on of Special Elements used in an OS
Command ('OS Command Injec$on') 3. Buffer Copy without Checking Size of Input ('Classic Buffer
Overflow') 4. Improper Neutraliza$on of Input During Web Page Genera$on
('Cross-‐site Scrip$ng') 5. Missing Authen$ca$on for Cri$cal Func$on 6. Missing Authoriza$on 7. Use of Hard-‐coded Creden$als 8. Missing Encryp$on of Sensi$ve Data 9. Unrestricted Upload of File with Dangerous Type 10. Reliance on Untrusted Inputs in a Security Decision
hhp://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf
• Buffer larger than the allocated space can overwrite return value
• Ahacker can influence return loca$on to usurp control
Buffer Overflow Basics
Related Problems
• Integer wraparound – Can cause many issues with memory management
• Unsigned/signed value conversions • In summary C programming language is very fast
C programming language is not type-‐safe or memory-‐safe language
• Other languages have problems – Many recent vulnerabili$es found within Java JRE
TOCTTOU: Another Kind of Problem
Essen$al problem: OS func$on (permission checking) cannot be correctly performed in user-‐level processes using available Unix syscalls. [Example from Wikipedia]
Running setuid (i.e, as root) Running concurrently
Overview
• System Vulnerabili$es – SoEware – Hardware – Side Channel – Social – Malware – Supply Chain
• Security Mechanisms – Access Control – Malware Detec$on
Hardware Security • Ahacker may have physical access to hardware:
– Example: smart meter
• Ahacker can use physical access to: – Extract cryptographic keys or other data – Understand device func$on
• Approaches – Reverse engineering – Side channel analysis
Hardware Reverse Engineering
• Read memory/firmware – EEPROM, Flash/ROM, RAM
• Monitor buses – Serial Peripheral Interfaces (SPI) bus/JTAG – Use logic analyzers to interpret bus signals protocols
• Connect to bus, pins
• Vendors oEen employ tamper-‐resistant techniques – Cover components in epoxy
Overview
• System Vulnerabili$es – SoEware – Hardware – Side Channel – Social – Malware – Supply Chain
• Security Mechanisms – Access Control – Malware Detec$on
Side Channel • Side channel ahack
– alterna$ve methods to obtain key from crypto system (i.e., not brute force, cryptanalysis)
– Requires some ability to monitor power/computa$on $me of system (usually physical access)
• Types of side channels: – Power consump$on of chip (differen$al power analysis) – Timing of some algorithm
Source: Rostami, M.; Koushanfar, F.; Karri, R., "A Primer on Hardware Security: Models, Methods, and Metrics," Proceedings of the IEEE , vol.102, no.8, pp.1283,1295, Aug. 2014
• Example – Timing analysis – RSA Encryp$on
• computes (c = me mod n)
– Can infer key based on whether a mul$plica$on occurs every itera$on
Overview
• System Vulnerabili$es – SoEware – Hardware – Side Channel – Social – Malware – Supply Chain
• Security Mechanisms – Access Control – Malware Detec$on
Social Engineering • Humans are oEen the weakest link in a security system
• Social Engineering – ahemp$ng to gain and manipulate trust from others in order to gain access to a system or informa$on
• Examples: – Malware on USB – when people find a USB device, they’ll generally plug it in
– Phone – call people and try to impersonate IT staff or other trusted par$es (e.g., Kevin Mitnick)
– Phishing …
Phishing Example • Phishing – malicious email message which ahempts to come from trusted
source – Spear phishing – very targeted phishing where ahacker leverages personal
informa$on about you to tailor the message • Why?
– Email is usually not authen$cated – Emails contain :
• Ahachments with malware (e.g., .pdf, .doc, .exe) • URLs to websites with malware (WSU uses “Proofpoint URL Defense” to defend
against this) • Example:
Overview
• System Vulnerabili$es – SoEware – Hardware – Side Channel – Social – Malware – Supply Chain
• Security Mechanisms – Access Control – Malware Detec$on
Malware • Malicious SoEware (Malware)
– Runs on system without user’s consent – Does some malicious func$on
• Malware categorize – Viruses, worms, trojan horses, spyware, dishonest
adware, scareware, crimeware…
• Key components – Infec$on/propaga$on method
• SoEware vulnerabili$es, social engineering, etc • “Shellcode” to exploit a vulnerability & install malware
– Payload • What malicious func$on is performed
– Obfusca$on techniques
This quan$ta$ve illustra$on shows the early (yellow), middle (orange), and late (red) stages in the spread of the Code Red worm over a period of 13 hours on July 19, 2001 (360,000 hosts) (www.caida.org)
Infec$on/Propaga$on • How does malware spread?
• Remotely accessible soEware vulnerabili$es (e.g., buffer overflows)
• File sharing – Download from website
• <A href=“badstuff.exe”>En$cingImage.jpg</A> – Portable media (USB keys, floppy disks, CDROMS, etc.)
• En$cingImage.jpg.exe (Windows likes to hide “known file suffixes” • Automa$c execu$on of a file when media inserted • Automa$c installa$on of a driver when new USB device inserted
– Anything that can contain executable code is poten$ally a threat: • Documents with macros (Word, Excel, PDF, …) • Email ahachments
• Hard-‐coded, well known authen$ca$on creden$als
Payload – Malicious func$on • Low-‐level extor$on (encrypt data, holding it “hostage” un$l vic$m pays $$$)
– hhp://arstechnica.com/tech-‐policy/2015/04/police-‐chief-‐paying-‐the-‐bitcoin-‐ransom-‐was-‐the-‐last-‐resort/
• Steal financial/credit card data – hhp://krebsonsecurity.com/2014/09/home-‐depot-‐56m-‐cards-‐impacted-‐malware-‐contained/
• Steal privacy data – hhp://www.infosecurity-‐magazine.com/news/socialpath-‐malware-‐backs-‐up-‐to-‐cc/
• Send SPAM emails to your colleagues, etc. – hhps://nakedsecurity.sophos.com/2014/08/05/how-‐to-‐send-‐5-‐million-‐spam-‐emails/
• Log user keystrokes (acquire passwords for bank accounts, etc.) – hhp://www.csoonline.com/ar$cle/2112405/social-‐networking-‐security/how-‐keylogging-‐
malware-‐steals-‐your-‐informa$on-‐-‐includes-‐video-‐.html
• Persistent ads (some$mes for malware removal soEware) – hhps://zeltser.com/malver$sing-‐malicious-‐ad-‐campaigns/
Botnets • Botnet:
– a collec$on of computers (perhaps hundreds of thousands) running remote-‐control soEware under the (illegi$mate) control of an individual or group
• Typically the computers are doing everyday work for their legi$mate owners as well as par$cipa$ng in the botnet
• Control takes place using IRC (Internet Relay Chat) or other peer-‐to-‐peer soEware
• Uses: – DDoS – Spam sending – Click fraud – Distribute new exploit code
Disguise/Obfusca$on Techniques • Encrypt the virus code
– Constant encryp$on technique and variable key • Encrypted files stored on system • Encrypt network C&C communica$on
– Variable encryp$on technique and variable key (so-‐called polymorphic virus)
• Obfusca$on – Re-‐write binaries so they different, but func$onally equivalent
– This can be applied inside the virus so “copies” are not literal but rather func$onal copies
– Tools available to make it easy for the virus writer
Rootkits • Ahackers want to maintain administra$ve (root) privileges aEer an ahack
• Types – Kernel mode
• Modify OS kernel or device driver to maintain highest privilege level
• Direct Kernel Object Manipula$on (DKOM) -‐ rootkit directly modifies entries in the OS process table, scheduler to hid presence
– Bootkit • Modifies Master Boot Record (MBR) to manipulate OS when it boots
• Difficult to detect/remove because has same privileges as OS/AV soEware
Overview
• System Vulnerabili$es – SoEware – Hardware – Side Channel – Social – Malware – Supply Chain
• Security Mechanisms – Access Control – Malware Detec$on
Supply Chain Issues • Modern informa$on technology has very complex supply chain – SoEware
• Examples: – Pla|orms: Opera$ng systems, services, drivers – Third-‐party libraries (e.g., graphics, math, strings, encryp$on)
• Can contain unknown backdoors, vulnerabili$es – Hidden hardware
• Addi$onal processing capability built into a product that does something other than the main purpose of the product
– E.g., Network sniffer that looks for password-‐containing packets; periodically sends to ahacker
• The hardware operates completely outside the control of the installed soEware/firmware of the main product
Reflec$on on Trus$ng Trust Ken Thompson
Turing Award Lecture, 1983
Lesson: Can’t trust anything you didn’t completely develop yourself
SoEware Supply Chain
hhps://buildsecurityin.us-‐cert.gov/ar$cles/best-‐prac$ces/acquisi$on/a-‐systemic-‐approach-‐assessing-‐soEware-‐supply-‐chain-‐risk
Supply Chain Risk • Examples:
– Lenovo Superfish • Malicious soEware added to laptops directly from store to MitM secure web conntec$ons
– hhp://www.cnet.com/news/lenovos-‐superfish-‐screwup-‐highlights-‐biggest-‐problem-‐in-‐soEware/
– FBI report on knock-‐off Cisco device • Large number of knock-‐off devices found within govt
– hhp://www.ny$mes.com/2008/05/09/technology/09cisco.html?_r=0 – Dragonfly/Energe$c Bear hack
• Sophis$cated ahacks against both energy companies and vendors – hhp://www.symantec.com/connect/blogs/dragonfly-‐western-‐energy-‐
companies-‐under-‐sabotage-‐threat
– HP devices shipped with malware • hhp://www.gao.gov/assets/590/589568.pdf
Overview
• System Vulnerabili$es – SoEware – Hardware – Side Channel – Social – Malware – Supply Chain
• Security Mechanisms – Access Control – Malware Detec$on
Access Control
• Enforced by – Hardware (processor) – SoEware (OS)
• Hardware enforced – Various HW enforced privilege levels (or “rings”)
• Ring 3 – user mode applica$ons (e.g., Firefox, MS Word) • Ring 0 – kernel mode (e.g., Windows kernel, Linux)
– Privileged instruc$ons include memory mgmt, I/O
– CPU checks instruc$on vs privilege level before execu$ng
– System calls & hardware interrupts allow data flow across rings
Access Control • Opera$ng System
– Based on subjects and objects • Subject – user, process • Object – file, hardware driver access
– Access control matrix – • Specify whether the subject and read, write, or execute the object
– Approaches • Discre$onary -‐ object owner determine who has access • Mandatory -‐ security administrator determines who has access to the objects • Role-‐based – subject’s role determines their access to file
• Example: Linux file permissions (discre$onary) – Format:
• R – read, W – write, X – execute • |Owner|Group|Everyone |
– -‐rw-‐r-‐-‐-‐-‐-‐ 1 root shadow Feb 4 16:15 shadow – -‐rw-‐r-‐-‐r-‐-‐ 1 root root Feb 4 16:15 passwd – -‐rwxr-‐xr-‐x 2 ahahn ahahn Sep 10 2014 file.txt
Overview
• System Vulnerabili$es – SoEware – Hardware – Side Channel – Social – Malware – Supply Chain
• Security Mechanisms – Access Control – Malware Detec$on
Malware Detec$on
• An$virus soEware – Compares programs to known malware paherns – Analyzes programs for malicious opera$ons – Scanning
• Pahern matching on known virus signatures • Integrity checks: has a file changed (use checksums) • Run program in emulated environment and see if it produces either data that matches a signature or an execu$on sequence that matches a signature
Malware Detec$on
• Difficult because: – Malware performs muta$on/obfusca$on/encryp$on – AV companies must first obtain the malware in the wild before developing a signature
• Only common malware is detected • Detec$on of new, sophis$cated malware tends towards 0% • Malware developers can also use AV to test their malware
– AV poorly detects malware samples using well known obfusca$on techniques
hhp://www.sans.org/reading-‐room/whitepapers/casestudies/effec$veness-‐an$virus-‐detec$ng-‐metasploit-‐payloads-‐2134
Malware detec$on in control systems
• Tradi$onal AV – Blacklist of known malicious signatures
• Control systems – suggests whitelists – Specify all programs that should execute, block others
• Example – MS Windows
• Specify allowed applica$ons with “Group Policy” • AppLocker , rules based white list on Win 7, Server 2008
– Can be bypassed
– ICS Whitelist (hhps://www.icswhitelist.com) • Maintains library of hashes of common ICS applica$ons • Can be used to compare running programs against known valid program hashes