Recap - Encsusers.encs.concordia.ca/home/w/wang/lecture/lecture/handout8t.pdf · 3...
Transcript of Recap - Encsusers.encs.concordia.ca/home/w/wang/lecture/lecture/handout8t.pdf · 3...
1
Recap
AuthenticationWhat a user knows, has, is
Password authenticationBasic model, why hashOnline, offline dictionary attackTime-memory tradeoff (dictionary, attack, advantage)Password salting
1
abc h(abc) h(h(abc)) … ht-1(abc) ht(abc)
abd h(abd) h(h(abd)) … ht-1(abd) ht(abd)
… … … … … …
foo h(foo) h(h(foo)) … ht-1(foo) ht(foo)
Alice md5(‘foo’||r1) r1
Bob md5(‘abc’||r2) r2
... ... ...
Outline
Basic ConceptPassword Challenge-ResponseBiometrics
and gummy bears
2
2
One-Time Password
Password replaySniff password then replay
SolutionHave many passwords, use each exactly once!
How to transmit so many passwords?How do user and server synchronize? Lamport’s scheme
Let server tell you which password to use
3
Let server tell you which password to useChallenge-response mechanismChallenge: hey, use that passwordResponse: okay, here’s the password
Lamport’s Schemeh: one-way hash function (e.g., MD5 or SHA-1)hn(k): h(h(h(...h(k)...)))
Registration
User Server
k ksecure channel
n
hn(k)
1st Authentication
hn-1(k)
4
k hn(k)hn-1(k) hn-1(k)
2nd Authentication
k hn-1(k)hn-2(k) hn-2(k)
3
Challenge-Response
U
Objective: prevent password replay dictionary attack
DES, RSA, HMAC, etc.
kUser Serverchallenge
response
5
k
response
time timechallenge
DES, RSA, HMAC, etc.
Hardware Support
SecurID displays a different number every 30-90sThe number is a function of the current time and date, and the ID of that particular cardAnother version has a keypad used to enter a PIN code
6
4
Pre-Encrypted Key Exchange
Objective: avoid sending challenge in clearHowever, this protocol is still open to dictionary attack
Alice BobAlice || {ks}p
Alice Bob
Alice Bob
{ChallengeB}ks
p, ksp
p, ks , ChallengeB
{ChallengeA || ChallengeB}ks
p, ks
p, ks , ChallengeB
p, ks , ChallengeB, ChallengeA
7
Alice Bob{ChallengeA}ks
p: password ks: session key{AAA}k: encryption Z||W: concatenation
g B
p, ks , ChallengeB, ChallengeA
p, ks , ChallengeB, ChallengeA
Encrypted Key Exchange (RSA)This defeats dictionary attacks
Alice || {e }pp, eAlice , dAlice pAlice Bob
Alice || {eAlice}p
Alice Bob{{(ks}eAlice}p
Alice Bob{ChallengeA}ks
Al B b
p, Alice , Alice p
p, eAlice , dAlice p, eAlice, ks
p, eAlice , dAlice , ks
{ChallengeA || ChallengeB}ks
p, eAlice, ks
8
Alice Bob
Alice Bob{ChallengeB}ks
p: password ks: session keyeAlice: public key chosen by Alice dAlice: the private key
5
Outline
Basic ConceptPassword Challenge-ResponseBiometrics
and gummy bears
9
BiometricsAutomated measurement of biological, behavioral features that identify a person
Fingerprints: graph isomorphismFingerprints: graph isomorphismVoices: statistical techniquesEyes: patterns in irisesFaces: image, or specific characteristics like distance from nose to chinKeystroke dynamics: keystroke intervals, pressure,
10
y y y , p ,duration of stroke, where key is struck
6
Gummy Bears Defeat BiometricsMany commercial fingerprint scanners can be reliably fooled with $10 worth of household suppliessupplies
From both real fingers or residue fingerprintsCan wear a transparent fake finger on real fingerUsing
Gelatin, what Gummy Bears are made out ofDigital camera, inkjet printer, photo-sensitive PCB, etc.Fool all 11 commercial fingerprint scanners 80% of time
11
Fool all 11 commercial fingerprint scanners, 80% of time
Gummy Bears Defeat Biometrics
Borrowed from Tsutomu Matsumoto’s talk ‘Importance of Open Discussion on Adversarial Analyses for Mobile Security Technology’
12
7
INSE 6130 Operating System Security
Logging/Auditing and Vulnerability/Defense
13
Prof. Lingyu Wang
Outline
Logging and AuditingVulnerability and Defensey
14
8
OverviewMotivation
Normal users - trust, but verify (Доверяй, но проверяй)проверяй)Attacker – track down what has happened
LoggingRecord events or statistics (summary) to logsExample: failed logins, failed su’s, last logins, system calls, network traffic, etc.
15
AuditingAnalyze log records for meaningful resultsExample: manual inspection, intrusion detection (IDS), alert correlation, IP trace back, etc.
Overview (Cont’d)
RelationshipLogging provides inputs to auditingAuditing makes sense out of logs
ChallengeLogging: Attackers will alter or delete logs of their activities Auditing: Heavily depend on human intervention
G d h i H i ll f l
16
Good research topic: How to automatically extract useful information from logs
9
Logging Example: WindowsThree logs for different types of events
System event log: system crashes, component failures, etcApplication event log: as requested by applicationsApplication event log: as requested by applicationsSecurity event log: logging in and out, system file accesses, etc
Log files are binaryUse Event Viewer to read
Default location: C:\WINNT\system32\config\(AppEvent.Evt, SecEvent.Evt, SysEvent.Evt)
HKEY LOCAL MACHINE\SYSTEM\C C lS \S i \E l
17
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
Default size 512KCan set to overwrite events when exceeding a certain size
Logging Example: Windows (Cont’d)
18
10
Logging Example: Windows (Cont’d)
Performance logsPerformance data from local or remote computersIn a comma-separated or tab-separated format, a binary log-file format, or SQL database formatBecause logging runs as a service, data collection occurs regardless of whether any user is logged onThree types
Counter: e.g., cpu usage, memory, etc.
19
Counter: e.g., cpu usage, memory, etc.Trace: begin logging only after an event occur, e.g., crashAlert: a message be sent, a program be run, an entry be made to the application event log, etc.
Auditing Example - Backtracker
Question: When break-ins happen, how can we figure out which application was exploited?
Backtracker solution:In operating systems, causal dependencies exist between processes and files/file names (e.g., read/write a common file)Use the causal dependency to track from detected
20
Use the causal dependency to track from detected event (e.g., using Tripwire) back to exploited applications
Based on Sam King and Peter Chen’s Slides here
11
BackTracker
intrusion detected
intrusion occurs
BackTracker runs, shows source of intrusion
21
Online component logs objects and events - LoggingOffline component find entry point and sequences of events leading to the detecting point - Auditing
Based on Sam King and Peter Chen’s Slides here
What Dependency To Track?
Process / Processfork, clone, etc (creating, sharing memory, signaling)
Process / Fileread, write, exec
Process / Filenameopen, creat, link, unlink, mkdir, rmdir, chmod, etc
22Based on Sam King and Peter Chen’s Slides here
12
Process
File
Socket
Detection pointDetection point
Fork event
Read/write event
23
Based on Sam King and Peter Chen’s Slides here
Outline
Logging and AuditingVulnerability and Defensey
24
13
Top Vulnerabilities - Windows
Top Vulnerabilities in Windows SystemsInternet Explorer (buffer overflowed by examples)Microsoft Office (buffer overflowed by examples)Windows Libraries, for example:
.WMF image causes remote execution (CVE-2005-4560)Buffer overflow DOS in HTML help (.hhp) (CVE-2006-3357)
Windows Services, for example:Buffer overflow in Server Service (CVE-2006-3439)
25
Buffer overflow in Server Service (CVE 2006 3439)
Windows Configuration WeaknessesNTLM password hashes
http://www.sans.org/top20
Top Vulnerabilities - UNIX Top Vulnerabilities in UNIX Systems
UNIX Configuration WeaknessesE B t f tt k SSH dE.g., Brute-force attack on SSH passwords
Mac OS XE.g., Safari, when rendering RTF files, can directly access URLs without performing the normal security checks (CVE-2005-2516)Securing Mac OS X 10.4 Tiger (http://www.corsaire.com/white-papers/050819-securing-mac-os-x-tiger pdf)
26
os x tiger.pdf)
Resources for vulnerabilityCVE, Bugtraq, Nessus plugin DB, NVD, etc.
http://www.sans.org/top20
14
Vulnerability Example
PHP open_basedir race condition vulnerabilityRelease Date: 2006/10/04Author: Stefan Esser [[email protected]]Application: PHP 4/5 Risk: CriticalThe successful exploitation of this vulnerability allows access to files normally not accessible due to the open basedir restriction
27
open_basedir restrictionE.g., /etc/shadow
http://www.hardened-php.net/advisory_082006.132.html
Background
PHP open_basedir configuration directiveIt tells PHP only files within the specified directory trees can be opened by scriptsSymbolic links are fully parsed, so no get around (well, let’s see)
ExampleIf my web space’s root is /www/home/w/wang, then my php scripts cannot visit /etc
28
my php scripts cannot visit /etcYou cannot even create a symbolic link to /etc using function symlink(), eitherBut…
15
Create the Link to /Symbolic links are fully parsed
So no easy get aroundSuppose we are in /www/home/w/wang and we want to take a look at / through php scripts<?php mkdir("a/a/a/a"); symlink("a/a/a/a", "dummy"); symlink("dummy/../../../../", “mylnk");
29
y ( y/ / / / / , y );unlink("dummy"); symlink(".", "dummy"); ?>
Now mylnk points to /
Let’s Race
Run two scripts simultaneouslya.php: keeps alternating a symbolic link ‘newlnk’between ‘mylnk’ and ‘/www/home/w/wang’ in a loopb.php: keeps listing directory “newlnk” in a loop
Sooner or laterb.php gives you the content in /
30
16
Race Condition
There is a small time span between php checks permissions and it actually opens a file
When php check for permission, newlnk points to ‘/www/home/w/wang’, which is allowedWhen php opens the directory, newlnk points to ‘mylnk’, which in turn points to ‘/’
open_basedir
okayopen
b.php
31
/www/home/w/wang
/
okay
/www/home/w/wang
/
a.php
Defense - Objectives
Detect intrusionsPreviously known attacksZero-day attacks
In a timely fashionReal-time
Present accurate resultsFalse positives, false negatives
32
p , g
In an easy-to-understand formatAlerts versus attack scenarios
17
Classification of Intrusion Detection
(We are considering Host-Based IDS)Anomaly detectiony
Assumption: attacks vary from normal behaviorsMethod: statistics, data mining, Machine learning, etc.Advantage: potentially detect zero-day attacksDisadvantage: (theoretically) less accurate
Misuse detection
33
Assumption: attacks can be identified with a signatureMethod: state transition, colored Petri net, etc.Advantage: more accurateDisadvantage: can only detect modeled attacks
Example of Anomaly Detection
Sequence of system calls (Forrest 1996)Trainingg
Training data: open read write open mmap write fchmod close
Sliding window of size 1+3 (1 followed by 3)open read write open
open mmap write fchmod
read write open mmap
34
write open mmap write
write fchmod close
mmap write fchmod close
fchmod close
close
This is the normal behavior
18
Example of Anomaly DetectionDetection
open read write openopen mmap write fchmodread write open mmapread write open mmapwrite open mmap writewrite fchmod closemmap write fchmod closefchmod closeclose
open read read open mmap write fchmod closeDiffers in 5 places:
Second read should be write (1st line)Second read should be write (3rd line)
35
Second read should be write (3rd line)Second open should be write (3rd line)mmap should be open (3rd line)write should be mmap (3rd line)
18 possible places of difference18=5*3+2+1Mismatch rate 5/18 ≈ 28% ? A pre-defined threshold
Difficulty w/ Anomaly Detection
Question: Is an 99% accurate IDS any good?Intuitivelyy
Answer: maybe?
Counter-intuitivelyAnswer: not necessarily!If attack rate is one attack per 1,000,000 calls
Which is reasonable
36
The base rate fallacy says the IDS will generate about 10,000 false positives for every real attack it detects
Which is absolutely not acceptable
Why?
19
Base Rate Fallacy
What does the attack rate mean?In 100,000,000 calls, there are 100 real attacks
What does 99% accuracy mean? False positives: (100,000,100 - 100)*1/100= 1,000,000False negatives: 100*1/100= 1
100,000,000-1001 000 000
attack but not detected
37
normal and not detected1,000,000
normal but detected attack and
detected
99
1
1,000,000 false positives per 99 detected attacks!false negativefalse positive
Example of Misuse Detectiont1 %cp /bin/csh /usr/spool/mail/roott2 %chmod4755 /usr/spool/mail/roott3 %touch xt4 %mail root<xt5 %/usr/spool/mail/roott6 $
t1 t2 t SUID h ll ‘/ / l/ il/ t’
38
t1,t2 create a SUID shell ‘/usr/spool/mail/root’t3,t4 let mail to change the shell’s owner to be rootThen you have an executable root’s shell
Cool, but how do we create a signature for this attack?
20
Colored Petri Net
The attack steps are partially orderedt1<t2, t3<t4, t1<t5, …?Modeled with a colored Petri net
39
Colored Petri Net (Cont’d)
Will these be detected?t3, t1, t2, t4t1, t3, t2, t4t2, t1, t3, t4t1, t2, t4
40
21
Difficulty of Misuse Detection
Zero day exploitExploit is on the same day or before the vulnerability is publicizedIt has no signature
Other defense methods, for example,Buffer overflow overwrite memory from the buffer to the et n dd e
41
to the return address So put a ‘canary word’ before return addressIf it’s been changed, the function won’t returnThe canary word must be random, why?
Other OS Defense Methods
NX bitNo eXecute bit (last bit of the paging table entry)Can be used to mark stack as non-executable to prevent buffer overflow attacksPentium 4 or later, AMD64Many OS support this or emulate it via software
Linux, Solaris 10, WinXP SP2, Win2003 SP1, etc.
Vulnerable to return-to-libc attack
42
Vulnerable to return-to-libc attackNo need to return to shell code on stack, but return to existing function
22
Other OS Defense Methods
Memory randomizationMake buffer overflow, including return-to-libc, more difficultBasic idea:
Buffer overflow and return-to-libc exploits need to know the address of attack code in the buffer, or address of a standard kernel library routineSame address is used on many machines
Slammer infected 75 000 MS SQL servers using same code
43
Slammer infected 75,000 MS-SQL servers using same code
So introduce artificial diversity Make stack addresses, addresses of library routines, random
Supported by OpenBSD, Windows vista, PaX, Hardened Gentoo, etc.
w/o Randomization
Stack Frame
ret
addr
ret
addr
code
buf
Exploit!
44
3 GB
23
w/ Randomization
Stack Frame
ret
addr
ret
addr
code
buf
crash
buf
45
3 GB
De-Randomization
The amount of randomness is limitedPaX only uses 16 bit of random shift
Subject to de-randomization attacksRepetitively guess randomized addressSpraying injected attack code
46
24
De-Randomization 1
Stack Frame
ret
addr
ret
addr
code
buf
Pad
crash
47
Step 1
De-Randomization 2
Stack Frame
ret
addr
ret
addr
code
buf
Pad
crash
48
Step 2
25
De-Randomization 3
Stack Frame
ret
addr
ret
addr
code
buf
Exploit!
Pad
49
Step 3216 seconds (avg.) to de-randomize!
http://www.stanford.edu/~blp/papers/asrandom.pdf
Spraying AttacksExploit a buggy application and “spray” attack code in write-able user-level memory areas
code
buf
50
Exploit!