Understanding Internet Security Threats: Buffer Overruns, Virus Detection, Spam Filtering (study notes, Programming Languages)

An overview of key issues in internet security, including buffer overruns, virus detection, spam filtering, SQL code-injection attacks, and cross-site scripting, and of how each of these threats can be understood in terms of lexing and parsing. The lecture also covers physical security, the Unix security model, and virus scanners in practice.

Typology: Study notes
Uploaded on 07/29/2009 by koofers-user-zno

Internet Security
All the PIRACY, none of the SCURVY.

#2 One-Slide Summary
• Physical security and operating system security are of critical importance and must be understood.
• Key issues in internet security, including buffer overruns, virus detection, spam filtering, SQL code-injection attacks, and cross-site scripting, can all be understood in terms of lexing and parsing.

#5 Physical Security
• It is generally accepted that anyone with physical access to a machine (i.e., anyone who can open the case) can compromise that entire machine.
• Given physical access ...
  – How would I read your personal files?
  – How would I leave a backdoor (rootkit) for myself?
  – How would I log in as you?
• Ignore networked filesystems for now ...

#6
• Them: Important user, NT box, lost admin password, sad, sad, sad.
• Me: No problem, change password with magic Linux disk, offline NT password editor.
• Them: No, no, no. Never work. NT secure. Get real.
• Me: Watch. (reboot)
• Them: Gasp! This floppy is dangerous! Where did you get it?
• Me: Internet. Been around forever.
• Them: How do we keep students from using this?
• Me: Can't. Migrate. Linux. Mac.
• Them: No, no, no. Just make NT safe.
• Me: Can't. NT inherently unsafe.
• Them: Must be safe. NT good. We have never seen problems.
• Me: You just saw one now.
• Them: No, no, no. NT good. Win2k better.
• Me: Win2k is NT. Same thing.
Should I give this floppy to a student?
• Them: No, no, no. Give here.
• Me: Whatever. What do you want me to do?
• Them: Change admin password.
• Me: Fine. To what?
• Them: "p-a-s-s-w-o-r-d"
• Me: No, no, no.

#7 A Fairy Tale? Not Quite.
(Screenshot: Google search for "offline nt password editor", about 903,000 results. Top hit: Offline NT Password & Registry Editor, bootdisk/CD, home.eunet.no/pnordahl/ntpasswd/, tested on NT 3.51, NT 4 (all SPs), Windows 2000 and Windows XP. It works offline: shut the machine down, boot from the disk, and overwrite the SAM file that holds the account passwords.)

#10 Death By Heat Lamps?
• Sophisticated physical attacks are possible
  – S. Govindavajhala and A. Appel, "Using Memory Errors to Attack a Virtual Machine", IEEE Symposium on Security and Privacy, 2003
• They write a Java program that can break out of the Java Virtual Machine if a single bit error occurs in memory ...
  – Shine a lamp on the memory!
• For the rest of this talk I'll assume physical security.

#11 Is Unix Any Better?
• No; if you have physical access to a Unix machine you can get root access.
  – Linux example: reboot, wait for GRUB/LILO, ask for the bootloader prompt, and type:
        linux init=/bin/bash
    (the kernel then starts a root shell as its first process instead of init, with no login at all)
• One solution: store important files on an encrypted (sub-)filesystem
  – Either requires frequent password entry or keeps the key in memory
  – This is only secure if no malicious programs run
  – Thus: we still need operating system security!

#12 Unix Security Model
• All files in Unix filesystems have permissions
  – -rwxr-xr-x 1 root root 735004 2008-01-15 09:29 /bin/bash
• Three levels: user, group, others (each with read, write, execute bits)
• Exception: a special root user can change the permissions on any file (and thus do anything)
• Passwords must be stored for login to work
• The password file stores hashes, not passwords:
  – smt6k:SETBehbzDTZE4:510:511:Sean Talts:/home/smt6k:/bin/bash
  – eas2h:pqr98124zmne:511:513:Elizabeth Soechting:/home/eas2h:/bin/bash
  – dsn9m:awel;itSDLGJdn348:512:514:David Noble:/home/dsn9m:/bin/bash
  (Modern systems move the hash field into /etc/shadow, readable only by root, so that the world-readable passwd file does not hand the hashes to an offline cracker.)

#15 Escalation
• One key problem with this approach (scanning files for known virus signatures) is that you must constantly update your database of virus signatures in response to new virus inventions

#16 Does This Work?
• Assume we've solved the update problem.
• What could go wrong with searching for exact code sequences?

#17 Stealth
• Any change to the virus defeats the signature
• Beware: self-modifying virus!
• Encryption with a new key per file
  – payload = decrypt module + encrypted virus code
  – the encrypted body differs per copy, but the decrypt module is constant and can itself be signatured
• Polymorphic virus: new decrypt module per file
  – payload = unique decrypt + encrypted virus code
• Metamorphic virus: rewrite the whole thing each time
  – Basically: insert no-ops, "optimize" the virus, etc.
  – Win32/Simile is >14,000 lines of ASM, 90% of which is metamorphic engine ... and it was out in 2002

#20 My Secret Identity
• If you know another user's password, you can become that user (i.e., substitute their userid for yours, like logging in as that person)
• The su and sudo programs implement this: su switches to another user after checking that user's password; sudo runs one command as another user (usually root) after checking your own password against a policy file

Using a root account is rather like being Superman; an administrator's regular user is more like Clark Kent. Clark Kent becomes Superman for only as long as necessary, in order to save people. He then reverts to his "disguise". Root access should be used in the same fashion. The Clark Kent disguise doesn't really restrict him, though, as he is still able to use his super powers. This is analogous to using the sudo program.

#21 A Sendmail Dilemma
• Some programs, such as sendmail, must run as root to do useful work
  – Mail programs must be able to append incoming mail to the end of a given user's mailbox file
• These programs also do less-critical work
  – Mail programs may run a user-specified "vacation" program that responds to mail with "I'm away for two weeks"-style messages
• Any possible problems?

#22 Dropping Privileges
• Important system tasks that must run as root try to drop those privileges as quickly as possible
  – Sendmail appends incoming mail to your inbox, then throws away its super powers, then runs your vacation program
• However, if you have a buffer overrun (or some such) in the code that runs before the drop, I may be able to trick you into doing something for me while you still have root

#25 Side-Channel Attacks
• Imagine it takes t microseconds to read in the entire password file
  – Then it takes t microseconds to return false for a made-up username (the lookup scans every entry before giving up)
  – But t/2 microseconds (on average) to return false for a real username with a bad password (the lookup stops at the matching entry, half-way through the file on average)
  – So the response time alone tells an attacker which usernames exist
• A side-channel attack is any attack based on information gained from the physical implementation of a cryptosystem, not from a theoretical weakness
  – Examples: timing information, power consumption, electromagnetic leaks (TEMPEST), ...
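The lookup the side-channel slide describes, as an added example that is not part of the lecture: a constructed three-entry password file in the layout of slide #12 (same logins; the passwords are invented and SHA-256 stands in for crypt()), and two login routines that count how many entries they examine. That count is a deterministic stand-in for the elapsed time an attacker would measure. `login_leaky` returns as soon as it finds the login, so a real username with a bad password costs less work than a made-up one; `login_constant_work` scans every entry and compares with `hmac.compare_digest`, so the work is the same whatever the input.

```python
import hashlib
import hmac


def _hash(password: str) -> str:
    # Stand-in for the crypt() hash in the passwd lines of slide #12.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed password file: (login, hash). Logins are the slide's,
# the passwords are made up for this demo.
PASSWD = [
    ("smt6k", _hash("hunter2")),
    ("eas2h", _hash("correct horse")),
    ("dsn9m", _hash("battery staple")),
]


def login_leaky(name: str, password: str):
    """Return (accepted, entries_examined).

    Stops at the first matching login, so the work done (and hence the
    response time) depends on whether `name` exists and where it sits
    in the file: a made-up name costs a full scan, a real one does not.
    """
    examined = 0
    for login, stored in PASSWD:
        examined += 1
        if login == name:
            # Ordinary == also stops at the first differing character.
            return stored == _hash(password), examined
    return False, examined


def login_constant_work(name: str, password: str):
    """Return (accepted, entries_examined) after examining every entry.

    Every entry is visited and every comparison is constant-time, and the
    result is accumulated with & and |= so nothing short-circuits; the
    work is the same for a real login, a bad password or a made-up name.
    """
    candidate = _hash(password)
    accepted = False
    examined = 0
    for login, stored in PASSWD:
        examined += 1
        name_ok = hmac.compare_digest(login.encode(), name.encode())
        hash_ok = hmac.compare_digest(stored, candidate)
        accepted |= name_ok & hash_ok
    return accepted, examined
```

Real login code goes one step further and hashes a dummy password even when the user does not exist, so that the expensive hash computation also runs on both paths; the example keeps the count of entries examined as the thing to watch because it is what an attacker's stopwatch sees.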
#26 Server Design Mockup

    remote_cmd(socket) {
      bool auth = false;
      char name[1024], pword[1024], cmd[1024];
      recv(socket, name);
      recv(socket, pword);
      if (matches(name, pword)) auth = true;
      if (!auth) return false;
      recv(socket, cmd);
      if (auth) exec(cmd);
    }

#27 Non-Control Data Attacks

    remote_cmd(socket) {
      bool auth = false;
      char name[1024], pword[1024], cmd[1024];
      recv(socket, name);
      recv(socket, pword);
      if (matches(name, pword)) auth = true;
      recv(socket, cmd);
      if (auth) exec(cmd);
    }

• Buffer Overrun 2 (Electric Buffaloo) – why?
  – recv() copies as many bytes as the client sends; a name or password longer than 1024 bytes runs off the end of its buffer and can land on the neighbouring locals, auth among them
  – Any non-zero value in auth and exec(cmd) runs without a valid password; no return address or function pointer was touched, only the program's own data, hence "non-control data"

#30 SPAM
• Spam also works because of a cost-benefit analysis
  – Benefit: tiny per message
  – Cost: essentially none (why?)
• Ultimately, some people click on spam.
  – Not just phishing spam, either!

#31 Harvesting
• How do I get a list of email addresses?
• Dictionary spamming
  – Guess by using a dictionary of plausible names as prefixes to known (registered) domain names
• Spambot web crawling
  – Gather from web sites, newsgroups, special-interest group postings, chat-room conversations
  – Basically: regular expressions! (cf. early HW)
  – Wow, it's lexing again!
• Selling email lists is a big business ...

#32 Stopping Spam
• Blacklisting: do not accept messages from domain X?
  – Defeated by zombie botnets, remailers, ...
• How to find domain X?
  – Wait for users to report it ...
  – List poisoning: subscribe fake "honeypot" email addresses to mailing lists and post them on the web; any email that reaches them is spam, so its sender can be blacklisted
• Other, more technical approaches (e.g., greylisting), but mostly ...

#35
Your post advocates a
( ) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam.
Your idea will not work because:
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for:
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

#36 Cat and Mouse
• Suppose I have a server (e.g., Amazon.com)
• Let's imagine that I have solved ...
  – Viruses: no malicious code on the machine
  – Buffer overruns: no injection of evil assembly code
  – Buffer overruns: no non-control data attacks
  – Privileges: nothing running as root
  – Spam: as long as I'm dreaming, I'd like a pony ...
• I can still convince the server to do the wrong thing with the resources it legitimately has access to ...

#37 Three-Tier Web Application
• This is how Amazon is structured: browser (presentation), web/application server (program logic), SQL database (storage)
• The query is a SQL database command generated by the program logic

#40 The Bad Place

    // $userid == "1'; DROP TABLE unp_user; --"
    if (!eregi('[0-9]+', $userid)) {
      unp_msg('You entered an invalid user ID.');
      exit;
    }
    $user = $DB->query("SELECT * FROM `unp_user` " .
                       "WHERE userid='$userid'");
    if (!$DB->is_single_row($user)) {
      unp_msg('You entered an invalid user ID.');
      exit;
    }

#41 The Bad Place: Destroying Data
• Same code, with $userid == "1'; DROP TABLE unp_user; --" as in the comment above. The eregi() check is unanchored, so the leading "1" satisfies it, and the query that reaches the database is:

    SELECT * FROM `unp_user` WHERE userid='1'; DROP TABLE unp_user; --'

• The user's quote closes the string literal, the semicolon ends the statement, the DROP is a second statement, and the -- comments out the quote the PHP appended

#42 Also A Bad Place: Viewing Data
• Same code, with $userid == "1' OR 1 = 1 --". The query that reaches the database is:

    SELECT * FROM `unp_user` WHERE userid='1' OR 1 = 1 --'

• OR 1 = 1 makes the WHERE clause true for every row, so every user record comes back instead of one

#45 SQL Injection
• Note that it's basically a parsing problem
• We have a string constant in PHP plus a string from the user, and when combined they must make a valid SQL program
• One solution: dynamic taint analysis
  – Propagate a "taint" bit with every string that came from the user, and check it at the query call: tainted characters may only appear inside a literal
• One solution: dynamic grammar analysis
  – Partially parse the PHP string fragment
  – If PHP string fragment + user string fragment parses to something with a different top-level structure, bail!

#46 Parse Trees To The Rescue!
• Do the user input strings contribute to something "too high" in the parse tree? A value should only ever become a leaf (a literal); if it produces a new statement, operator or comment node, it is an attack
  – Su & Wassermann, POPL '06

#47 Cross-Site Scripting
• Cross-Site Scripting (XSS) has the same flavor
• Evil X posts a message with evil JavaScript in it (e.g., send passwords to me) to Blog B
  – Blog B can also be a forum, etc.
• Later, Luser browses Blog B
• Blog B sends over data, including Evil X's message
• Luser thinks it is from Blog B (misplaced trust)
• Luser renders and interprets it
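The grammar checks of slides #45 through #47, as an added example written for this page (not the Su & Wassermann tool and not the forum software's own code). A small SQL lexer decides whether the user's substring of the assembled query lands inside exactly one literal token; the slide's unanchored eregi() check is shown beside an anchored one; an in-memory SQLite table (constructed, standing in for unp_user) shows the concatenated query leaking and destroying data while a parameterized query does neither; and for XSS the same question is asked of HTML: did the user's text add any tags to the page? The query prefix, table name and payloads are the slides'; the rows, the post template and the `evil.example` URL are invented for the demo.

```python
import html
import re
import sqlite3
from html.parser import HTMLParser

# --- SQL: does the user's text stay inside one literal? (slides #40-#46) ---
# The PHP on slide #40 builds its query from these two constant pieces.
SQL_PREFIX = "SELECT * FROM `unp_user` WHERE userid='"
SQL_SUFFIX = "'"

SQL_TOKEN = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*)
    | (?P<string>'(?:[^']|'')*')
    | (?P<number>\d+)
    | (?P<ident>`[^`]*`|[A-Za-z_]\w*)
    | (?P<punct>[^\s\w'`])
""", re.VERBOSE)


def tokenize_sql(sql):
    """Minimal SQL lexer: list of (kind, start, end). Raises ValueError on
    text it cannot lex, e.g. an unbalanced quote."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = SQL_TOKEN.match(sql, pos)
        if not m:
            raise ValueError(f"cannot lex SQL at offset {pos}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return tokens


def build_query(userid):
    return SQL_PREFIX + userid + SQL_SUFFIX


def user_input_is_one_literal(userid):
    """Slide #46 in lexer form: the user's substring may overlap exactly one
    token of the assembled query, and that token must be a literal."""
    start, end = len(SQL_PREFIX), len(SQL_PREFIX) + len(userid)
    try:
        toks = tokenize_sql(build_query(userid))
    except ValueError:
        return False
    touched = [t for t in toks if t[1] < end and t[2] > start]
    return len(touched) == 1 and touched[0][0] in ("string", "number")


def php_eregi_check(userid):
    # eregi('[0-9]+', $userid) is unanchored: a digit anywhere satisfies it.
    return re.search(r"[0-9]+", userid) is not None


def anchored_check(userid):
    # What the slide's validation should have said: digits and nothing else.
    return re.fullmatch(r"[0-9]+", userid) is not None


def demo_db():
    """Constructed stand-in for the forum's unp_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE unp_user (userid TEXT, name TEXT)")
    conn.executemany("INSERT INTO unp_user VALUES (?, ?)",
                     [("1", "Sean Talts"), ("2", "David Noble")])
    return conn


def lookup_concatenated(conn, userid):
    """Slide #42's leak: run the concatenated query exactly as built."""
    return conn.execute(build_query(userid)).fetchall()


def run_concatenated_script(conn, userid):
    """Slide #41's destruction: a driver that accepts stacked statements
    (executescript here) runs the attacker's DROP TABLE as well."""
    conn.executescript(build_query(userid))


def lookup_parameterized(conn, userid):
    """The fix: userid is bound as a value and can never become SQL."""
    return conn.execute("SELECT * FROM unp_user WHERE userid = ?",
                        (userid,)).fetchall()


# --- HTML: does the user's text add tags to the page? (slide #47) ----------
class TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    p = TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


POST_TEMPLATE = '<div class="post"><p>{body}</p></div>'   # constructed Blog B page
TEMPLATE_TAGS = ["div", "p"]


def render_raw(body):
    # What Blog B does on slide #47: the message goes into the page as-is.
    return POST_TEMPLATE.format(body=body)


def render_escaped(body):
    # The fix: the message becomes character data, never markup.
    return POST_TEMPLATE.format(body=html.escape(body, quote=True))


def user_added_tags(rendered):
    """Tags in the page beyond the template's own; non-empty means the user's
    text rose above a leaf in the HTML parse tree, the XSS analogue of #46."""
    return tags_in(rendered)[len(TEMPLATE_TAGS):]
```

Two things worth noticing when running it. CPython's sqlite3 refuses to `execute()` a string holding two statements, which is why the DROP payload needs `executescript()`; that driver rule blunts stacked queries but does nothing against `1' OR 1 = 1 --`, which is a single statement and still returns every row. And the lexer check rejects a legitimate `O'Brien` because it cannot lex the unbalanced quote, while the parameterized query handles that name correctly: binding values is the fix, the structural check is a detector.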
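Returning to the server mockup of slides #26 and #27, here is the non-control data attack made concrete, as an added example rather than code from the lecture. A ctypes Structure is laid out like a C struct, so `auth` sits directly after the two buffers, which is the layout the slide's bug needs (a real compiler may order stack locals differently, but the bug is the same). The buffers are 16 bytes instead of 1024 to keep the demo short, and the credential store and the login name are invented. `recv_unbounded` behaves like the slide's recv(): it copies whatever was sent, so 20 bytes of password spill 4 bytes into `auth` and exec(cmd) would run without a valid password; `recv_bounded` is the fix and refuses data that does not fit.

```python
import ctypes

NAME_LEN = PWORD_LEN = 16   # 1024 on the slide; shorter here to keep the demo small


class Frame(ctypes.Structure):
    # The slide's locals in declaration order: ctypes packs the fields
    # back to back, so `auth` occupies the 4 bytes right after pword.
    _fields_ = [("name", ctypes.c_char * NAME_LEN),
                ("pword", ctypes.c_char * PWORD_LEN),
                ("auth", ctypes.c_int)]


def matches(name: bytes, pword: bytes) -> bool:
    # Constructed credential store for the example.
    return (name, pword) == (b"smt6k", b"hunter2")


def recv_unbounded(frame: Frame, field: str, data: bytes) -> None:
    """recv() as the slide uses it: copies everything the client sent into
    the buffer with no length check. The copy is clamped to the end of the
    frame so the demo corrupts only this struct, not the interpreter."""
    off = getattr(Frame, field).offset
    n = min(len(data), ctypes.sizeof(Frame) - off)
    ctypes.memmove(ctypes.addressof(frame) + off, data, n)


def recv_bounded(frame: Frame, field: str, data: bytes) -> None:
    """The fix: refuse anything that does not fit along with its NUL."""
    fld = getattr(Frame, field)
    if len(data) >= fld.size:
        raise ValueError(f"{field}: {len(data)} bytes, limit {fld.size - 1}")
    ctypes.memmove(ctypes.addressof(frame) + fld.offset, data, len(data))


def remote_cmd(name: bytes, pword: bytes, recv=recv_unbounded) -> bool:
    """Slide #27 without the socket: returns True iff exec(cmd) would run."""
    f = Frame()                  # zero-initialised: auth == 0, buffers empty
    try:
        recv(f, "name", name)
        recv(f, "pword", pword)
    except ValueError:
        return False             # hardened path: oversized input is rejected
    if matches(f.name, f.pword):  # c_char arrays read back as bytes up to NUL
        f.auth = 1
    return f.auth != 0           # any non-zero auth, not just 1, passes
```

The check `f.auth != 0` is the point: the attacker never needs `auth == 1`, only something other than zero, and the bytes that spill out of `pword` supply that for free. Nothing about the return address changed, so a defence that only watches control data would not notice.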