960 likes | 977 Views
This course focuses on the concepts of confidentiality, control, availability, integrity, and authenticity in computer security. It covers application security examples in the banking industry and discusses the importance of ethical behavior in the field.
E N D
Computer Security – Ymir Vigfusson Introduction
Confidentiality Control/Possession Utility SECURITY Availability Integrity Authenticity
Our focus APPLICATION SECURITY
Application security examples • Banking application inttransferMoney(USER *acct, USER *rcpt,int amount){ // Ensure user has enough money • if(acct->balance <= amount) • return(EINSUFFICIENTFUNDS); • // Do the transfer • acct->balance -= amount; • rcpt->balance += amount; • return(SUCCESS); • }
Application security examples Compiler ... if(program == “login”)add-login-backdoor(); if(program == “compiler”) add-compiler-backdoor(); 011001001111010 6
Application security examples • Issue encountered at Microsoft intvalidatePassword(char*realPwd){ charpwd[128]; bool validated = FALSE; ... readInput(pwd,128); if(!strcmp(pwd,realPwd)) validated = TRUE; ... // remove plaintext password from memory memset(pwd,0,sizeof(pwd)); return(validated); }
About the course • Focus from 10,000’ • The detection, exploitation and prevention of software vulnerabilities. • Deep-dive into memory bugs in C programs • Key take-away • This is going to be awesome! … but a lot of fun work • Your instructor and TAs Petur Helga Helgi Others! Ymir
Ethical behavior • The key to good defense is understanding offense • By taking/auditing this course you agree to use the knowledge and skills learned in an ethical manner • You will use computer equipment only in ways you are authorized, and with owner‘s knowledge and consent • You will not mount illegal or malicious attacks, or compromise any computer system without permission • You understand that inappropriate, unethical or illegal activity may be reported to appropriate authorities
SPCA Policy http://www.mathcs.emory.edu/spca.php • You are expected to adhere to the SPCA policy • You should solve and write assignments yourself • You can ask reasonable questions from me & TAs, but we won‘t write code for you • You take precautions to protect the confidentiality of your work • Your code submissions should include the following statement at the top: • THIS CODE IS MY OWN WORK, IT WAS WRITTEN WITHOUT CONSULTING A TUTOR OR CODE WRITTEN BY OTHER STUDENTS - YOUR NAME • Plagiarism/collusion will be referred to Honor Council
Summary of policies THOU SHALT ASK PERM-ISSION THOU SHALT NOT CHEAT
Logistics • Weekly schedule • MW 11:30-12:45 E408 Lectures • F 11:30-12:20 E308A Lab/help section. Recommended! • Office hours • M 13:00-14:00 E416 Ymir • W 13:00-14:00 E425 Helga, Petur, Helgi • Assignments on triton.mathcs.emory.edu • Use SSH (e.g. Putty), your Emory login with pw “ethicalHAKR“ • Hand-ins normally on Fridays. Late hand-in: -20%/day. • Time? • Mostly individual assignments
HACKING The craft of making software do something it was not intended to do
HACKING NOW&THEN
Turn of a tide 2000 2014 Fun, fame Power, money, espionage, ...
The value of a bug http://www.theinquirer.net/inquirer/news/2158127/google-hands-usd60-chrome-exploit-windows http://www.h-online.com/security/news/item/Speculations-over-the-price-of-exploits-on-the-black-market-1190998.html • $60,000 (last year) • $500,000- $1,000,000 (estimated on the black market)
No shortage http://betanews.com/newswire/2012/03/22/ibm-x-force-report-2011-shows-progress-against-security-threats-but-attackers-adapt/ • Number of vulnerabilities reported
Where do the bugs come from? Steve McConnell: Code Complete: A Practical Handbook of Software Construction • Emphasis on new features • Features pay now; security is an investment • Programmers often unaware of security issues • Code complexity has exploded • Linear increase in SLOC (source lines of code) • Every line of code might have a bug • Code reuse is very common • Trends not likely to shift soon
Many Vulnerabilities But How Are They Used?
Botnets • Computers unknowingly joined into rogue networks • DDoS attacks Clouds
Botnets http://www.guardian.co.uk/technology/blog/2010/feb/25/microsoft-waledac-botnet-beheaded • Computers unknowingly joined into rogue networks • DDoS attacks • Spam
Botnets • Computers unknowingly joined into rogue networks • DDoS attacks • Spam • Clickbots • Theft
More elaborate attacks http://www.codeproject.com/Articles/246545/Stuxnet-Malware-Analysis-Paper • The Stuxnet worm destroyed 20% of Iran‘s nuclear centrifuges in 2010 • Exploits used: 4 x
More elaborate attacks http://www.zdnetasia.com/china-linked-to-new-breaches-tied-to-rsa-62300614.htm • Information on RSA SecurID keys stolen in 2011 • E-mail that exploited a vulnerability. Likely from China. • Consequently: • Operation Aurora: Google, Yahoo!, Juniper, Symantec ...
SPEAR PHISHING
Tentative schedule • Weeks 1-5 • x86 assembly and reverse engineering. Lab #1: Defusing the Bomb (9%) • Buffer overflows in C. Lab #2: Buflab++ (9%) • Shellcodes and stack overflows. Lab #3: Stacklab (7%) • Weeks 6-11 • Ethics: With great power comes great responsibility • Web security: Lab #4: InjectionLab (5%) • OWASP 10. Lab #5: OWASP lab(5%) • Heap overflows / Format string attacks. Lab #6: Tauntlab (13%) • Mid term exam (15%) • Defenses (NX, DEP, ASLR). • Weeks 12-15 • Student presentations (12%) • Network security, wireless security, spoofing, sniffing, botnets... • Exploiting randomness. Optional lab: Blackjack(+5%) • Sandboxes and other topics. Optional lab: Sandbox escape (+5%) • Final exam(25%. Minimum 5.0/10.0 to pass)
Next two weeks • Start digging into x86 assembly • Note: No class on Monday (Labor day) • Goals: • Ability to reverse engineer binary code • Ability to better visualize process memory layout • Ability to understand shellcodes • Our first lab (by 9/12): Defuse a bomb! • Each person has a unique bomb on triton • 6 phases defused with secret keys. Wrong key: -0.5 pts • Scoreboard: http://triton.mathcs.emory.edu/
Hacking • Hacking: The craft of exploiting software to do something it‘s not supposed to do. • Much can be done at a high level • E.g. JavaScript on a page made to do something naughty • .. but real understanding involves low-level stuff • Plan for today! • Review of x86 assembly, C and gdb.
Programmer-Visible State PC: Program counter Address of next instruction Called “EIP” (IA32) or “RIP” (x86-64) Register file Heavily used program data Condition codes Store status information about most recent arithmetic operation Used for conditional branching Memory Byte addressable array Code and user data Stack to support procedures Assembly Programmer’s View CPU Memory Addresses Registers Code Data Stack Data PC Condition Codes Instructions
Turning C into Object Code • Code in filesp1.c p2.c • Compile with command:gcc –O1 p1.c p2.c -o p • Use basic optimizations (-O1) • Put resulting binary in file p text C program (p1.c p2.c) Compiler (gcc -S) text Asm program (p1.s p2.s) Assembler (gcc or as) binary Object program (p1.o p2.o) Static libraries (.a) Linker (gcc orld) binary Executable program (p)
Compiling Into Assembly Generated IA32 Assembly C Code sum: pushl%ebp movl%esp,%ebp movl12(%ebp),%eax addl8(%ebp),%eax popl%ebp ret intsum(intx, inty) { intt = x+y; return t; } Some compilers use instruction “leave” • Obtain with command • /usr/local/bin/gcc –O1 -S code.c • Produces file code.s
Assembly Characteristics: Operations • Perform arithmetic function on register or memory data • Transfer data between memory and register • Load data from memory into register • Store register data into memory • Transfer control • Unconditional jumps to/from procedures • Conditional branches
Object Code Code for sum • Assembler • Translates .s into .o • Binary encoding of each instruction • Nearly-complete image of executable code • Missing linkages between code in different files • Linker • Resolves references between files • Combines with static run-time libraries • E.g., code for malloc, printf • Some libraries are dynamically linked • Linking occurs when program begins execution 0x401040 <sum>: 0x55 0x89 0xe5 0x8b 0x45 0x0c 0x03 0x45 0x08 0x5d 0xc3 • Total of 11 bytes • Each instruction 1, 2, or 3 bytes • Starts at address 0x401040
Machine Instruction Example • C Code • Add two signed integers • Assembly • Add 2 4-byte integers • “Long” words in GCC parlance • Same instruction whether signed or unsigned • Operands: x: Register %eax y: Memory M[%ebp+8] t: Register %eax • Return function value in %eax • Object Code • 3-byte instruction • Stored at address 0x80483ca int t = x+y; addl8(%ebp),%eax Similar to expression: x+= y More precisely: inteax; int*ebp; eax+= ebp[2] 0x80483ca: 03 45 08
Disassembling Object Code Disassembled • Disassembler objdump -d p • Useful tool for examining object code • Analyzes bit pattern of series of instructions • Produces approximate rendition of assembly code • Can be run on either a.out (complete executable) or .o file 080483c4 <sum>: 80483c4: 55 push %ebp 80483c5: 89 e5 mov %esp,%ebp 80483c7: 8b 45 0c mov 0xc(%ebp),%eax 80483ca: 03 45 08 add 0x8(%ebp),%eax 80483cd: 5d pop %ebp 80483ce: c3 ret
Alternate Disassembly Disassembled • Within gdb Debugger gdb p disassemble sum • Disassemble procedure x/11xb sum • Examine the 11 bytes starting at sum Object 0x401040: 0x55 0x89 0xe5 0x8b 0x45 0x0c 0x03 0x45 0x08 0x5d 0xc3 Dump of assembler code for function sum: 0x080483c4 <sum+0>: push %ebp 0x080483c5 <sum+1>: mov %esp,%ebp 0x080483c7 <sum+3>: mov 0xc(%ebp),%eax 0x080483ca <sum+6>: add 0x8(%ebp),%eax 0x080483cd <sum+9>: pop %ebp 0x080483ce <sum+10>: ret
What Can be Disassembled? • Anything that can be interpreted as executable code • Disassembler examines bytes and reconstructs assembly source % objdump -d WINWORD.EXE WINWORD.EXE: file format pei-i386 No symbols in "WINWORD.EXE". Disassembly of section .text: 30001000 <.text>: 30001000: 55 push %ebp 30001001: 8b ecmov%esp,%ebp 30001003: 6a ff push $0xffffffff 30001005: 68 90 10 00 30 push $0x30001090 3000100a: 68 91 dc 4c 30 push $0x304cdc91
%eax %ecx %edx %ebx %esi %edi %esp %ebp Moving Data: IA32 • Moving Data movlSource, Dest: • Operand Types • Immediate: Constant integer data • Example: $0x400, $-533 • Like C constant, but prefixed with ‘$’ • Encoded with 1, 2, or 4 bytes • Register: One of 8 integer registers • Example: %eax, %edx • But %espand %ebpreserved for special use • Others have special uses for particular instructions • Memory: 4 consecutive bytes of memory at address given by register • Simplest example: (%eax) • Various other “address modes”
movl Operand Combinations Cannot do memory-memory transfer with a single instruction Source Dest Src,Dest C Analog Reg movl $0x4,%eax temp = 0x4; Imm Mem movl $-147,(%eax) *p = -147; Reg movl %eax,%edx temp2 = temp1; movl Reg Mem movl %eax,(%edx) *p = temp; Mem Reg movl (%eax),%edx temp = *p;
Simple Memory Addressing Modes • Normal (R) Mem[Reg[R]] • Register R specifies memory addressmovl (%ecx),%eax • Displacement D(R) Mem[Reg[R]+D] • Register R specifies start of memory region • Constant displacement D specifies offsetmovl 8(%ebp),%edx
Using Simple Addressing Modes swap: pushl%ebp movl%esp,%ebp pushl%ebx movl 8(%ebp), %edx movl 12(%ebp), %ecx movl (%edx), %ebx movl (%ecx), %eax movl %eax, (%edx) movl %ebx, (%ecx) popl %ebx popl %ebp ret Set Up void swap(int *xp, int *yp) { intt0 = *xp; intt1 = *yp; *xp = t1; *yp = t0; } Body Finish