Internet Attacks: The Gory Details

Bill Cheswick

[email protected]



The Internet

  • Ad hoc collection of TCP/IP interconnections

  • No real central authority

  • No central knowledge of connections

    • maybe flows, but not yet

  • No per-packet billing, in most places

  • Core equipment too busy to help law enforcement

  • Large perimeters are impossible to control


Remote Attacks, and anonymity, are easy

  • Attacks can be laundered through many hosts around the world

  • brief attacks are hard to track down

  • the average defender is clueless


Traceback can be very hard

  • clueless ISPs

  • ignorant law enforcement

  • treaties with foreign countries

  • may not be against the local law

  • attacker may cease attack before traceback is completed



“Monoculture”

  • Small set of target types and versions

    • Microsoft OS and applications

    • Apache

    • Samba

    • DNS

    • Cisco IOS

  • Like planting Kansas with a single strain of wheat, or vineyards with a single root stock



Attacking scripts are published and shared

  • Loners develop attack software for the rest of us

  • Hacking FAQs are common

  • Software tools are easily available

    • look up “rootkit”

  • “Script kiddies” are a major source of current Internet attacks


Unsafe Services

  • Useful

  • Poorly written

  • Poor auditing

  • Found in most hosts

  • Safer services and protocols are rare

  • Vendors sell flawed software

  • Users don’t fix holes

  • Host-based security is usually broken

  • Security requires discipline: not found in market leaders

    • And often not found in open source software either


Unsafe Services: Some Typical Errors

  • Unchecked user input submitted to the shell or Perl

    • wildcard and escape characters take over the process

    • CGI scripts

  • Secret options, commands, or back doors

    • DEBUG and others in sendmail

  • Input string length is not checked

    • string buffer overrun corrupts stack

    • strcpy, gets, sprintf

    • caller supplies assembly code, and jumps to it

    • finger (Morris worm)

    • early Netscape

    • statd (latest)
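An added illustration of the first two errors on this slide, in Python (this is not code from the talk). The flawed pattern splices user input into a command line that a shell will parse; the checked version bounds the length, allows only a small character set, and hands the program an argv list so no shell is involved. The login-name policy, the finger example and the use of subprocess are assumptions made for this example.

```python
import re
import subprocess

# Allowlist for a login name: a letter or digit, then up to 31 letters, digits,
# '.', '_' or '-' (a constructed policy for this example; use the site's real rules).
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")


def validate_username(user: str) -> bool:
    """True only if the whole string matches the allowlist.

    Both slide errors are caught at once: the length bound rejects over-long
    input, and the character class leaves no room for shell wildcards or
    escape characters (; | & ` $ * ? < > ( ) and newline are all outside it).
    """
    return USERNAME_RE.fullmatch(user) is not None


def finger_command_unsafe(user: str) -> str:
    """The flawed pattern: user input spliced into a command line that a shell
    will parse (os.system, popen, Perl backticks). 'ches;ls' becomes two commands."""
    return "finger " + user


def finger_argv(user: str) -> list:
    """Hardened version: validate, then build an argv list. With a list and
    shell=False the program is exec'd directly and no shell ever sees the name."""
    if not validate_username(user):
        raise ValueError("rejected login name: disallowed characters or too long")
    return ["finger", user]


def run_finger(user: str) -> subprocess.CompletedProcess:
    """Run the hardened command (never reached for a rejected name)."""
    return subprocess.run(finger_argv(user), capture_output=True, text=True, check=False)
```

The allowlist is deliberately stricter than "reject the metacharacters I can think of": an enumerated deny-list is exactly how the escape-character errors on the slide slip through.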



Unsafe Services: Privileged programs are much too large

  • Sendmail is tens of thousands of lines of complex code, running as root.

  • Netscape browser/communicator is huge

  • Operating systems are huge

    • Windows

    • Unix

    • Features are never retired, only added

  • A short, simple program is hard to get right



Unsafe Protocols

  • Passwords transmitted in the clear

    • Challenge/response is better, though subject to dictionary attacks

    • EKE can hide this

    • Machine generated passwords are better, but require devices or printouts

  • Address-based authentication

    • Can be OK in controlled environments

    • DNS and routing attacks can fool these


Weakest Link Compromises Many Targets

  • Vulnerabilities are common in network services

  • One break-in compromises

    • the rest of the host

    • the host’s net (via sniffers)

    • trusting hosts

  • “non-vital” targets may be vital



How Do They Find Dangerous Ports?

  • Port scanners

  • Easy to write

  • Half-open (SYN-only) scanners often don’t show up in logs

  • Harder to scan for UDP services, but not by much

  • “Firewalking” can scan through a firewall

    • Uses packets that a firewall often admits, such as ICMP or TCP SYN/ACK
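An added example, not part of the talk, showing the defender’s side of this slide: detection logic in Python run over a constructed log of inbound TCP headers. A source that sends bare SYNs to many ports and never completes a handshake is the half-open scanner the slide says rarely shows up in logs (it does, if the logging is at the packet level); a source that sends unsolicited SYN/ACKs to many ports looks like the firewalking probe. The log format, the addresses, and the port threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed packet-header log: "time src dst dport flags" (S=SYN, A=ACK, P=PSH).
SAMPLE_LOG = """\
10:00:01 10.1.1.7 192.0.2.10 22 S
10:00:01 10.1.1.7 192.0.2.10 23 S
10:00:01 10.1.1.7 192.0.2.10 25 S
10:00:01 10.1.1.7 192.0.2.10 80 S
10:00:01 10.1.1.7 192.0.2.10 110 S
10:00:01 10.1.1.7 192.0.2.10 143 S
10:00:02 10.1.1.7 192.0.2.10 443 S
10:00:02 10.1.1.7 192.0.2.10 8080 S
10:00:03 10.2.2.9 192.0.2.10 80 S
10:00:03 10.2.2.9 192.0.2.10 80 A
10:00:03 10.2.2.9 192.0.2.10 80 PA
10:00:04 10.3.3.3 192.0.2.10 22 SA
10:00:04 10.3.3.3 192.0.2.10 25 SA
10:00:04 10.3.3.3 192.0.2.10 53 SA
10:00:04 10.3.3.3 192.0.2.10 80 SA
10:00:04 10.3.3.3 192.0.2.10 443 SA
10:00:04 10.3.3.3 192.0.2.10 8080 SA
"""


def parse(log):
    """Yield (time, src, dst, dport, flags) for each non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        yield ts, src, dst, int(dport), flags


def find_scanners(log, port_threshold=6):
    """Per source address, collect the ports probed with a bare SYN, the ports
    on which an ACK later arrived (a handshake completed), and the ports that
    received an unsolicited SYN/ACK. A source whose distinct half-open ports
    reach the threshold is reported as a SYN scanner; one whose SYN/ACK ports
    reach it is reported as a SYN/ACK (firewalking-style) probe."""
    syn_ports = defaultdict(set)
    ack_ports = defaultdict(set)
    synack_ports = defaultdict(set)
    for _, src, _, dport, flags in parse(log):
        if flags == "S":
            syn_ports[src].add(dport)
        elif "A" in flags and "S" not in flags:
            ack_ports[src].add(dport)
        elif flags == "SA":
            synack_ports[src].add(dport)
    findings = {}
    for src in set(syn_ports) | set(synack_ports):
        half_open = syn_ports[src] - ack_ports[src]
        if len(half_open) >= port_threshold:
            findings[src] = ("syn-scan", sorted(half_open))
        elif len(synack_ports[src]) >= port_threshold:
            findings[src] = ("syn-ack-probe", sorted(synack_ports[src]))
    return findings
```

The one legitimate client in the sample (10.2.2.9) sends a SYN and then ACKs on the same port, so it never counts as half-open; the threshold is what keeps a browser opening a few connections from being reported.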



Attacks

Stack Smashing



Programs don’t check their input

  • Routines like gets, strcpy, and sprintf, which are inherently dangerous

  • If input length is too long, it can overwrite memory in C, overwriting variables and subroutine return addresses.

  • Every piece of external data must be checked before it is used.

  • It doesn’t hurt to check internal stuff, too

    • assert.h

    • CPU time is cheap


A Stack: before a procedure call

[Diagram: the stack holds only variables]


A Stack: while a procedure is running

[Diagram: stack frame, top to bottom: other stuff, return address, local vars., string buffer, local vars. The return address is “where to go after the procedure is finished”.]


A Stack: while a procedure is running

[Diagram: the same frame; the input line goes into the string buffer.]


“Stack smashing” attack

[Diagram: the same frame; the input line overruns the string buffer and replaces the return address with a new return address, which points to...]


“Stack smashing” attack

[Diagram: ...new code loaded in some space on the stack. The code runs with the privileges of the attacked program, usually root.]


Some former victims of stack-smashing attacks

  • Fingerd (Morris worm)

  • sendmail

  • syslogd

  • rstatd

  • early Netscape browsers

  • file names in attachments to mail

  • sshd

  • IIS web server



Attacks

Portable Programs



Dangerous services:portable programs

  • JAVA

  • ActiveX^H^H^H^H^H^H^HCOMX^H^H^H^HSOAP

  • Viruses:

    • PC

    • Word

    • Excel


Where do Programs Run?

[Diagram: Program, running on top of the Kernel]


Where do Programs Run?

[Diagram: Program, running on top of the Kernel]

This model is wrong!


Applets run in an incompletely-defined environment

[Diagram: Kernel, Program]


Java’s “sandbox”

  • Is incompletely defined

  • Can be different for each vendor

  • Often optimized for speed, not security

  • Allows “native methods”, which can break the security model

  • ActiveX

    • like Java, but no sandbox at all



Attacks

Sniffing attacks (“eavesdropping”)


Host with TCP Services

[Diagram: Client, Server, Attacker]


Ethernet and Passwords

  • Was never secure from eavesdropping

  • “Sniffing” tools are common

    • grab host name, user name, and password

    • check any hacker collection

  • Credit card numbers are easy

  • Over 1,000,000 captured in 1994

  • It doesn’t matter how good your password is if it can be sniffed!

  • Still in wide use - even for root!


Wireless passwords

[Image slides: no transcript text]



Attacks

IP Spoofing a trusted host



IP Spoofing

  • Defeats address-based authentication

    • i.e. rlogin, rsh, tcp wrappers

  • Common tools available to the hackers

    • they don’t have to be TCP/IP experts

  • This was used to crack Tsutomu Shimomura’s machines in “Takedown.”

  • Robert Morris Jr. wrote a paper on this in 1984

  • Steve Bellovin republished it in 1989

  • First known use in 1994


Normal TCP connection, initial SYN packet

[Diagram: Client → Server: SYN, SEQ0]


Response to Open, connection is “half open”

[Diagram: Client → Server: SYN, SEQ0; Server → Client: SYN, ACK, SEQ0+1, SEQ0]


Client completes handshake, TCP connection is now open

[Diagram: Client → Server: SYN, SEQ0; Server → Client: SYN, ACK, SEQ0+1, SEQ0; Client → Server: ACK, SEQ0+1, SEQ0+1]


IP Spoof of a Trusted Client: Determine Likely SEQ0

[Diagram: Client, Server, Attacker]


IP Spoof of a Trusted Client: Suppress the Trusted Client

[Diagram: Attacker → Client: killer packet, or SYN attack]


IP Spoof of a Trusted Client: Suppress the Trusted Client

[Diagram: Client (silenced), Server, Attacker]


Attacker opens connection “from” trusted client

[Diagram: Attacker → Server, with the client’s source address: SYN, SEQ0]


Open seems to come from trusted client

[Diagram: as seen by the server, Client → Server: SYN, SEQ0]


IP Spoof of a Trusted Client: Server responds to dead client

[Diagram: Server → Client: SYN, ACK, SEQ0+1, SEQ0; the client does not receive or answer it]


IP Spoof of a Trusted Client: Spoof final open message

[Diagram: Attacker → Server, with the client’s source address: ACK, SEQ0+1, SEQ0+1]


IP Spoof of a Trusted Client: “Open” is complete

[Diagram: Client, Server, Attacker; the server believes it has an open connection with the client]


IP Spoof of a Trusted Client: Open Server to outside access

[Diagram: Attacker → Server, with the client’s source address: “evil trusted command”]


Preventing IP spoofing

  • Spoofing can be stopped at the perimeter

    • “No internal addresses accepted from the outside”

    • Helps to have a coherent address space

  • A firewall can prevent access also

  • Address-based authentication is a BAD IDEA.
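The perimeter rule on this slide, written out as a packet-filter decision in Python. This is an added example, not code from the talk: the address blocks are constructed, and the second rule (nothing with a non-internal source may leave) is the mirror image of the slide’s rule, added here because the same coherent address space makes both checks a one-line test.

```python
import ipaddress

# Constructed site policy: the address blocks that live inside the perimeter.
# The slide's "coherent address space" is what keeps this list short.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),   # the site's public block (example range)
]


def is_internal(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def filter_decision(iface: str, src: str, dst: str):
    """iface is 'outside' or 'inside' (where the packet arrived).
    Returns ('drop' | 'pass', reason).

    Rule 1, from the slide: no internal source addresses accepted from the outside.
    Rule 2, the mirror image: nothing leaves with a source address that is not ours."""
    if iface == "outside" and is_internal(src):
        return "drop", "internal source address arrived from the outside (spoofed)"
    if iface == "inside" and not is_internal(src):
        return "drop", "non-internal source address leaving the site"
    return "pass", "ok"


def apply(packets):
    """Run the filter over (iface, src, dst) triples; returns (packet, decision, reason)."""
    return [(p, *filter_decision(*p)) for p in packets]


# Constructed traffic: a normal inbound packet, an inbound packet claiming an
# internal source, a normal outbound packet, and an outbound packet with a
# foreign source (a machine inside trying to spoof someone else).
SAMPLE = [
    ("outside", "198.51.100.5", "203.0.113.10"),
    ("outside", "10.1.2.3", "203.0.113.10"),
    ("inside", "10.1.2.3", "198.51.100.5"),
    ("inside", "198.51.100.77", "203.0.113.10"),
]
```

Note that the rule drops by source address alone: the filter does not need to know anything about the trust relationships of rlogin or rsh, which is why it works even though those services themselves remain a bad idea.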



Attacks

TCP hijacking


Attacker is watching an existing connection, perhaps through the strong authentication stage

[Diagram: Client ↔ Server connection, with the Attacker observing the packet flow]


Kill the client connection...

[Diagram: Attacker → Client: killer packet]


…and continue the connection

[Diagram: Attacker ↔ Server, continuing the client’s connection]



TCP hijacking

  • Takes over an existing, authenticated connection

  • Needs access to the packet flow

  • Common tools are available to the hackers now

  • Cryptographic signatures of packets can defeat this
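An added example, not from the talk, of what the last bullet buys. Each packet carries a sequence number and a tag computed over it with a key the two ends agreed on during the strong authentication stage; HMAC-SHA256 (a shared-key MAC) stands in here for the “signature” the slide mentions. An attacker who has watched the whole flow knows every sequence number and every tag, but without the key cannot produce a valid tag for a packet of his own, and replaying a captured packet fails the sequence check. The key and the commands are constructed for the example.

```python
import hashlib
import hmac
import struct


def packet_tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over (sequence number || payload): the tag binds both."""
    return hmac.new(key, struct.pack(">I", seq) + payload, hashlib.sha256).digest()


class AuthenticatedSender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, payload: bytes):
        self.seq += 1
        return (self.seq, payload, packet_tag(self.key, self.seq, payload))


class AuthenticatedReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.log = []          # payloads that were actually accepted

    def accept(self, packet):
        seq, payload, tag = packet
        if seq <= self.last_seq:
            return (False, "replayed or out-of-order sequence number")
        # compare_digest: constant-time comparison, so timing does not leak the tag
        if not hmac.compare_digest(tag, packet_tag(self.key, seq, payload)):
            return (False, "tag does not verify: not from the key holder")
        self.last_seq = seq
        self.log.append(payload)
        return (True, payload)


def hijack_scenario():
    """The three slides above, with tagged packets. Returns the accept/reject
    outcome of each packet in order, and what the server actually executed."""
    key = b"session key agreed during strong authentication (constructed)"
    client, server = AuthenticatedSender(key), AuthenticatedReceiver(key)
    results = []
    results.append(server.accept(client.send(b"ls -l"))[0])
    observed = client.send(b"cat report.txt")          # the attacker sees this one
    results.append(server.accept(observed)[0])
    # Attempt 1: continue the stream with the next sequence number, reusing a copied tag.
    forged = (observed[0] + 1, b"attacker's command", observed[2])
    results.append(server.accept(forged)[0])
    # Attempt 2: replay the genuine packet verbatim.
    results.append(server.accept(observed)[0])
    # The real client carries on unaffected.
    results.append(server.accept(client.send(b"logout"))[0])
    return results, server.log
```

This protects the integrity of the stream, not its secrecy: the attacker still reads everything, which is why the talk’s later slides pair authentication with encryption (ssh, IPsec, SSL).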



Attacks

Denial of Service


Host with TCP Services

[Diagram: Client, Server, Attacker]



Denial-of-service Attacks

  • In your face - not subtle like traditional hacking attacks

  • Random packets are very hard to trace

  • Can go on for weeks

  • Attackers can exploit poor local software or...

  • Simply flood the site’s network with incoming packets

  • These attacks are always possible on a public service



Attacks

Denial of Service: SYN packet attacks


Normal TCP open

[Diagram: Client → Server: SYN, SEQ0; Server → Client: SYN, ACK, SEQ0+1, SEQ0; Client → Server: ACK, SEQ0+1, SEQ0+1]


Normal TCP open

[Diagram: Client; the connection is half-open for <300ms]


SYN Attacks

  • First seen at Panix.com in fall 1996

    • Half-open processing was implemented poorly

      • Quadratic behavior

    • Wasn’t much call for improving it

  • We’ve been expecting it

    • The only thing we left out of our firewalls book

      • Removed at the last minute

      • We knew of no good solution

      • We are sorry we left it out

  • A new one appeared in fall 1997

    • SYN with same source and destination address kills some TCP/IP implementations

  • There will be more attacks on TCP/IP implementations

    • lots of code involved

    • hard to test code in a kernel



Attacks

Denial of Service

Ping flood (smurf)


Identify ping generator networks

[Diagram: the target, surrounded by generator networks (G)]


Trigger packets with spoofed return address

[Diagram: a packet cannon sends trigger packets to the generator networks (G), each carrying the target’s address as the return address]


Generators flood the target with packets

[Diagram: every generator network (G) sends its replies to the target]



Traceback

  • The target cannot tell where the trigger is coming from

  • Attacking hosts may not know that they are being used

  • Broadcast storms can generate more load



Attacks

DNS, routing, and infrastructure attacks


Routing attacks: Packet Diversion and man-in-the-middle attacks

[Diagram: Client ↔ Server, with the Attacker off the path]


Routing attacks: Packet Diversion and man-in-the-middle attacks

[Diagram: Client ↔ Attacker (acting as a router) ↔ Server; the traffic is diverted through the attacker]



DNS attacks

  • Include an extra “glue” record on a DNS query

    • short cache time-out hides the evidence

    • newest bind program checks for this

    • “DNS cache poisoning”

  • Capture DNS server and return incorrect result

  • DNSSEC can fix this

    • going through final comments now



Infrastructure attacks

  • Our tools are still weak

    • authenticated SBGP4 is coming, maybe

  • Keep up with the latest name server

  • Move to secure router implementations, when available

  • Question: what will you do if the entire Internet is down for a week?



Attacks

Social Engineering

(a.k.a. spying)



Social Engineering (cont.)

Click here to infect your computer.



Another problem with strange programs



Social Engineering

“Hello, this is Dennis Ritchie calling. I’m in Israel now and I have forgotten my password.”

“Hello, <admin-name>, I’ve just started work here. <Boss-name> said I should have an account on <target-host>.”



Attacks

Unsafe services


Host with TCP Services

[Diagram: Client, Server, Attacker]


Default services: SGI workstation

ftp stream tcp nowait root /v/gate/ftpd

telnet stream tcp nowait root /usr/etc/telnetd

shell stream tcp nowait root /usr/etc/rshd

login stream tcp nowait root /usr/etc/rlogind

exec stream tcp nowait root /usr/etc/rexecd

finger stream tcp nowait guest /usr/etc/fingerd

bootp dgram udp wait root /usr/etc/bootp

tftp dgram udp wait guest /usr/etc/tftpd

ntalk dgram udp wait root /usr/etc/talkd

tcpmux stream tcp nowait root internal

echo stream tcp nowait root internal

discard stream tcp nowait root internal

chargen stream tcp nowait root internal

daytime stream tcp nowait root internal

time stream tcp nowait root internal

echo dgram udp wait root internal

discard dgram udp wait root internal

chargen dgram udp wait root internal

daytime dgram udp wait root internal

time dgram udp wait root internal

sgi-dgl stream tcp nowait root/rcv dgld

uucp stream tcp nowait root /usr/lib/uucp/uucpd



More default services

mountd/1 stream rpc/tcp wait/lc root rpc.mountd

mountd/1 dgram rpc/udp wait/lc root rpc.mountd

sgi_mountd/1 stream rpc/tcp wait/lc root rpc.mountd

sgi_mountd/1 dgram rpc/udp wait/lc root rpc.mountd

rstatd/1-3 dgram rpc/udp wait root rpc.rstatd

walld/1 dgram rpc/udp wait root rpc.rwalld

rusersd/1 dgram rpc/udp wait root rpc.rusersd

rquotad/1 dgram rpc/udp wait root rpc.rquotad

sprayd/1 dgram rpc/udp wait root rpc.sprayd

bootparam/1 dgram rpc/udp wait root rpc.bootparamd

sgi_videod/1 stream rpc/tcp wait root ?videod

sgi_fam/1 stream rpc/tcp wait root ?fam

sgi_snoopd/1 stream rpc/tcp wait root ?rpc.snoopd

sgi_pcsd/1 dgram rpc/udp wait root ?cvpcsd

sgi_pod/1 stream rpc/tcp wait root ?podd

tcpmux/sgi_scanner stream tcp nowait root ?scan/net/scannerd

tcpmux/sgi_printer stream tcp nowait root ?print/printerd

9fs stream tcp nowait root /v/bin/u9fs u9fs

webproxy stream tcp nowait root /usr/local/etc/webserv


Some Dangerous Services

  • Telnet

  • FTP

  • NFS

  • RPC

    • “secure” RPC

  • rlogin/rsh/rcp

  • X11

  • DNS

  • (web servers)


Why are they insecure? telnet

  • Eavesdropping attacks sniff passwords

    • >1,000,000 sniffed in 1994 from hacked ISPs

  • TCP hijacking takes over authenticated connections: strong passwords aren’t enough

  • Insecure accounts are subject to probes and use

  • Corruption of client host compromises the session


Why are they insecure? FTP

  • Same as telnet, plus

  • history of bugs in servers

  • setup errors for anonymous FTP

    • get permissions wrong

    • distribute the real password file to the masses

    • “why”


Why are they insecure? NFS

  • Root file handle can be sniffed

  • Relies on RPC software


Why are they insecure? RPC and secure RPC

  • RPC

    • address-based

    • local relay feature can obscure address information from the server

  • Secure RPC

    • cryptographically weak


Why are they insecure? Rlogin, rsh, rcp

  • rlogin, rsh, rcp

    • can be hijacked

    • can be spoofed

      • use address-based authentication

    • .rhosts and /etc/hosts.equiv leak trusted host information

    • .rhosts: users should not be making security policy


Why are they insecure? X11

  • Clear text leaks secrets

  • Cookie authentication is in the clear

  • Advanced authentication not widely available

  • xhost configuration errors

  • Historically, bugs in xdm


Why are they insecure? DNS - domain name system

  • Bind runs as root

    • it is big, and not well understood

    • runs on vital hosts

  • Cache poisoning: cache wrong answers

    • attack address-based auth

    • spoof servers


DNS lookup: A asks D for B’s IP address

[Diagram: client A, caching name server D, host B (1.2.3.4), and the Attacker. A → D: “B?”]


DNS lookup: D asks B (or someone who knows about B)

[Diagram: D → B: “B?”]


DNS lookup: B answers, D caches the answer, and tells A

[Diagram: B → D: “B -> 1.2.3.4”; D caches “B -> 1.2.3.4”; D → A: “B -> 1.2.3.4”]


DNS lookup: A uses the answer

[Diagram: A connects to B at 1.2.3.4. The Attacker’s host X is at 5.6.7.8]


DNS lookup: D remembers the answer for a given period

[Diagram: D’s cache holds “B -> 1.2.3.4”]


DNS cache poisoning attack: Attacker C arranges for D to ask him a question

[Diagram: A → D: “X?”; D must ask the Attacker, who answers for X (5.6.7.8)]


DNS cache poisoning attack: The attacker gives an answer, plus…

[Diagram: Attacker → D: “X -> 5.6.7.8”, plus an extra record “B -> 5.6.7.8”. D’s cache now holds “X -> 5.6.7.8” and “B -> 5.6.7.8” in place of the real “B -> 1.2.3.4”]


DNS cache poisoning attack: A gets his answer, and uses it

[Diagram: D → A: “X -> 5.6.7.8”; A connects to X]


DNS cache poisoning attack: The cache has an extra answer

[Diagram: D’s cache: “X -> 5.6.7.8”, “B -> 5.6.7.8”]


DNS cache poisoning attack: Now A asks for B’s address

[Diagram: A → D: “B?”]


DNS cache poisoning attack: D “knows” the answer already, and returns it

[Diagram: D → A: “B -> 5.6.7.8”, straight from the cache; B (1.2.3.4) is never asked]


DNS cache poisoning attack: A uses the answer

[Diagram: A connects to 5.6.7.8, the Attacker’s host X, believing it is B]


DNS cache poisoning

  • Gives the wrong answer on inverse lookups, foiling rsh, rlogin

  • If you connect to the wrong site they can

    • spoof a login, and capture passwords

    • spoof a web page, and give wrong answers

    • set themselves up for man-in-the-middle attacks, relaying info to the real server



DNS cache poisoning

  • Older versions of bind fall for this

  • You can even send an answer without a query, to some implementations!

  • DNS responses can be spoofed to

    • what if the query gets two answers: use the first?!

  • DNSSEC fixes this
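The slide sequence above, run as a small cache simulation in Python; this is an added example, not code from the talk. The cache can be built the way the older bind the slides describe behaved (every record in a response is cached) or with the check newer versions make (a record is accepted only if its name falls under the zone the answering server was asked about; the term “bailiwick check” is mine, not the slide’s). The names, addresses (1.2.3.4 and 5.6.7.8 are the slide’s) and TTLs are constructed.

```python
class ResolverCache:
    """A caching name server (D in the slides). check_bailiwick=False caches every
    record it is handed, like the older bind the slide mentions; True keeps only
    records whose name lies under the zone the response was requested from."""

    def __init__(self, check_bailiwick: bool):
        self.check_bailiwick = check_bailiwick
        self.cache = {}            # name -> (address, expiry time)

    @staticmethod
    def in_bailiwick(name: str, zone: str) -> bool:
        return name == zone or name.endswith("." + zone)

    def learn(self, response: dict, now: float):
        """Store the records in a response.
        response = {"zone": zone the answering server was asked about,
                    "answer": [(name, addr, ttl)], "additional": [(name, addr, ttl)]}
        Returns (accepted names, rejected names)."""
        accepted, rejected = [], []
        for name, addr, ttl in response["answer"] + response["additional"]:
            if self.check_bailiwick and not self.in_bailiwick(name, response["zone"]):
                rejected.append(name)
                continue
            self.cache[name] = (addr, now + ttl)
            accepted.append(name)
        return accepted, rejected

    def lookup(self, name: str, now: float):
        """Return the cached address, or None if unknown or expired (D would then ask)."""
        entry = self.cache.get(name)
        if entry is None:
            return None
        addr, expiry = entry
        if now >= expiry:
            del self.cache[name]   # the short time-out on the slide: evidence gone
            return None
        return addr


def poisoning_scenario(check_bailiwick: bool):
    """Returns (what D says B is right after the attack, what D says B is after the
    poisoned record's short TTL has expired)."""
    d = ResolverCache(check_bailiwick)
    # Earlier, D learned B's real address from B's own zone, with a long TTL.
    d.learn({"zone": "victim.example",
             "answer": [("b.victim.example", "1.2.3.4", 3600)],
             "additional": []}, now=0)
    # Attacker C gets D to ask about X, in C's own zone, and answers with an extra
    # record for B; the short TTL makes the extra record vanish soon afterwards.
    d.learn({"zone": "attacker.example",
             "answer": [("x.attacker.example", "5.6.7.8", 30)],
             "additional": [("b.victim.example", "5.6.7.8", 30)]}, now=10)
    b_now = d.lookup("b.victim.example", now=11)
    b_later = d.lookup("b.victim.example", now=60)
    return b_now, b_later
```

Without the check, A is sent to 5.6.7.8 for B, and by the time anyone looks the entry has expired, so the cache shows nothing unusual (and, having dropped the real record too, D simply asks again). With the check, the extra record is refused and B stays at 1.2.3.4. DNSSEC, the last bullet, addresses the remaining case the check cannot: a forged response for a name that *is* in the bailiwick.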


Why are they insecure? Web servers

  • Complex, and buggy

    • stack smashing attacks, etc

  • CGI scripts: it is always dangerous to add programs

  • Numerous configuration options

    • Apache security relies on good configuration

  • Needs access to internal databases



Unsafe services: SMB

  • Protocol uses weak authentication

  • samba is big: I prefer using chroot



Unsafe services: Microsoft authentication over PPTP

  • Weak authentication

  • Probably weak encryption implementation

    • see Bruce Schneier’s paper in ACM CCS-5



Other services

  • POP3 and IMAP

  • IRC - no!

  • Realaudio

    • UDP is dangerous, TCP ok

  • Mbone

    • hard to gate

    • some UDP implementations respond to multicast packets



Exponential attacks



Viruses

  • PC viruses

    • there are tens of thousands of them, including variants

    • defense is best made at the host, with a virus checker

      • update the database often

  • Unix viruses

    • Tom duff made one

    • Shell viruses are easy

    • Unix viruses are rare!



Viruses

  • Firewalls can filter them

    • It seems like the right place

    • It requires a lot of work, and they can be hidden

  • Macro viruses are the most alarming

  • They have access to the entire PC, with a little work



The Morris Worm

  • November 2, 1988

  • Spread using

    • fingerd (stack smashing)

    • sendmail (DEBUG back door)

    • password guessing

  • Poorly controlled exponential growth

  • A team of experts fought it quickly



Attacks

Unsafe programs



Root: the gateway to privilege

find / -perm -4000 -user root -print | wc -l


Setuid-root

System                      Count  Notes
AIX 4.2                     242    a staggering number
BSD/OS 3.0                  78
FreeBSD 4.3                 42     someone's guard machine
FreeBSD 4.3                 47     2 appear to be third-party
FreeBSD 4.5                 43     see text for closer analysis
HPUX A.09.07                227    about half may be special for this host
Linux (Mandrake 8.1)        39     3 appear to be third-party
Linux (Red Hat 2.4.2-2)     39     2 third-party programs
Linux (Red Hat 2.4.7-10)    31     2 third-party programs
Linux (Red Hat 5.0)         59
Linux (Red Hat 6.0)         38     2-4 third-party
Linux 2.0.36                26     approved distribution for one university
Linux 2.2.16-3              47
Linux 7.2                   42
NCR Intel 4.0v3.0           113    34 may be special to this host
NetBSD 1.6                  35
SGI Irix 5.3                83
SGI Irix 5.3                102
Sinux 5.42c1002             60     2 third-party programs
Sun Solaris 5.4             52     6 third-party programs
Sun Solaris 5.6             74     11 third-party programs
Sun Solaris 5.8             70     6 third-party programs
Sun Solaris 5.8             82     6 third-party programs
Tru64 4.0r878               72



Insecure clients

  • This is not the same as TCP hijacking

  • encryption on the link won’t fix this

  • any persistent connection is vulnerable

    • rlogin, ftp, ssh

  • Tsutomu left an rlogin session running when he went skiing

  • YOU HAVE TO BE ABLE TO TRUST YOUR CLIENT

    • laptop PCs vs. terminal rooms


Insecure clients: attacker takes over client host

[Diagram: Client, Server, Attacker]


Insecure clients: attacker takes over client host…

[Diagram: the Attacker now controls the Client host]


…installs the TAP kernel load module…

[Diagram: TAP loaded in the Client’s kernel]


…user makes authenticated connection to server…

[Diagram: Client → Server, an authenticated connection that passes through TAP]


hacker takes over terminal connection with “TAP”

[Diagram: the Attacker drives the Client’s terminal connection to the Server through TAP]



We’ve been losing ground for decades

  • Bad guys are figuring out attacks that we have been waiting for over the years

    • Very few surprises

  • Defense has not improved much

    • Ssh

    • IPsec

    • Better Linux and Unix systems



How Do We Fix All This?



How Do We Fix All This?

Hide behind a perimeter defense?



Firewalls

Perimeter defenses


Firewalls: Not a panacea

  • Backdoors usually diminish the effectiveness

  • Commercial firewalls are probably OK

  • May give community a false sense of security

  • The firewall is often the only secure part of a configuration

  • People go around them

  • People go through the bad ones

  • No protection from insiders


Anything large enough to be called an “intranet” is probably out of control


This was supposed to be a VPN

[Image slide]


Some intranet statistics from Lumeta clients


You don’t know to whom you are connected

  • Modems are cheap and easy to hook up.

    • Sun’s “fax” machines

  • Home commuting networks may link to spouse’s company, or the Internet.

    • even routing worked!

  • Remote managers can make extranet connections that aren’t authorized.

    • these connections can be very hard to find

    • but the security threat is still there



You don’t know how many hosts you have

  • Most control is at the network level, not the host level.

  • Name server entries are optional.

  • Nobody keeps the reverse name service information up-to-date.

  • Mapping takes work, and doesn’t catch hosts that are down

  • Some network links are ephemeral.


Lucent’s intranet, c. 1997

[Diagram: Lucent’s intranet attached to The Internet; sites at Columbus, Murray Hill, Holmdel and Allentown; links by SLIP, PPP, ISDN, X.25, cable, ...; thousands of telecommuters; ~200 business partners]

Lucent - 130,000, 266K IP addresses, 3000 nets ann.



None of this protects us from an insider threat, so…



How Do We Fix All This?

Life without a firewall

“skinny dipping”



Secure computing needs…

  • Safe clients

  • Secure communication

  • Safe servers

  • Strong, 2-factor authentication

    • Something you have and something you know

    • Emergency 1-factor authentication, something you know, used extremely rarely



Safe clients and servers need:

  • A trustable Trusted Computing Base

  • Simple, well-specified and debugged kernel

    • Check out the semantics of setuid in Unix flavors (Setuid Demystified. Chen, Wagner, and Dean; Usenix Security 2002)

    • MAC controls: more permissions, use of file system permissions, and programs that know how to use them

      • “root” is bad; see Multics!

    • Better, more routine sandboxing

      • Make chroot much better, and easier



Free, new servers by Don Knuth?

  • He’s busy with Volume 4

  • Literate programming of key servers might be the way to go

  • Other languages might be better: C and C++ still have buffer overflow problems

    • Modula 3?

    • Java?



We need better suspenders

  • We should never trust the application writers to get it right, though they should try hard

  • Jails/chroot/sandboxes need to be easy and common-place

    • More restrictive jails should be possible

    • Unprivileged user should be able to set these up, even if he is already in a jail

      • The /etc/passwd problem

    • Static builds should be easier

    • Careful documentation of what a program needs to access.



Improve chroot

  • Already some new work in this area: FreeBSD jail

  • Goal: routine jailing of everything that processes external input

    • Netscape client routinely jailed

    • mail readers

    • SpamAssassin

    • Openssl (!)

  • See Plan 9 for some good ideas

    • Network access through the file system?!



Related chroot wishes

  • Easier builds of static binaries: dynamic libraries make the TCB tougher to build

  • Chroot options to all the useful network services: they should jail themselves!

    • Apache (Ben Laurie is considering this)

    • Samba

    • Ntp

    • DNS (done)



Microsoft desperately needs to do this

  • I am convinced that they actually are trying to get better

  • They have a long way to go

  • I wonder if they can wedge good sandboxing into their OS



Simpler Software

  • One of the underlying problems with Microsoft applications is creeping featurism

    • For most uses, is Word much better than WordStar or any of the other early word processors?

    • Is this version of PowerPoint that much better than the first ones (bugs aside)?



Simpler Software in Unix

  • Skim through the Unix V7 man pages (http://plan9.bell-labs.com)

  • How many options does cat(1) need?

  • How many setuid-to-root programs does your system have?



New file system switch

  • Revisit the DOOFUS wars of the mid 80s

  • Check Plan 9 for possible uses

  • Kernel file system switch that has userland file system computation

    • Must be robust…hung inodes, etc.

    • Does not involve the network, as NFS does

  • Reimplement SFS, Samba client, etc.,



Communications



Communication encryption options

  • Ssh

  • IPsec

  • SSL



Communications solutions: ssh

  • Source code is available

  • Widely examined

  • But: 2 protocol flaws found so far

  • stack smashing scare

  • Tunneling is valuable

  • IPsec has better crypto, maybe



IPsec

  • Protocol well-vetted by expert community

  • We have the CPUs, I want everyone to use it, for all communications

  • Needs simpler setup

    • Microsoft requires certificates, no?

    • Secret key pairs are fine for small setups

  • Key exchange daemons worry me

    • They gotta run as root, no?

    • They can use complicated crypto libraries, and are exposed network services



SSL

  • Well-documented and ver. 3 is probably ok

  • Implemented by openssl…

  • …which uses X.509…

  • …which uses ASN.1…

  • …which is complicated, a monoculture, and has had several bugs exposed

  • Can you jail the SSL parts of your web server? (I have: sslwrap + chroot)



Authentication



Security doesn’t need to be inconvenient

  • Modern hotel room keys

  • Modern car keys


Some solutions: Hardware tokens

  • SecureID

    • time-based

  • S/Key

    • software or printout solution

  • Many others

    • usually proprietary server software

    • New USB dongles are just the ticket!

[Photo: Digital Pathways SNK-004 token]



One-time Passwords

RISC/os (inet)

Authentication Server.

Id? ches

Enter response code for 70202: 04432234

Destination? cetus

$


How does it work? Server and client share a secret key

[Diagram: Client and Server each hold a copy of the secret key]


How does it work? Server generates a unique challenge

[Diagram: Server → Client: challenge 70202]


How does it work? The client encrypts the challenge with key…

[Diagram: the Client encrypts 70202 with its secret key]


How does it work? …and returns the result

[Diagram: Client → Server: 04432234]


How does it work? The server checks the result

[Diagram: the Server encrypts 70202 with its own copy of the key, gets 04432234, and compares it with the 04432234 the Client sent]



One-time passwords

  • The client proves he has the key, without revealing it

  • With hardware, he may not even know the key

  • the keys are computer-generated

    • no weak passwords

  • If the challenges don’t repeat, an eavesdropper can’t predict the answer, unless the encryption (DES) is broken



One-time passwords

  • The key can be generated from a password but the challenge/response pair is subject to a dictionary attack

  • This extra work for the user is worth the effort:

    • very strong authentication

    • spies use this

    • needs about a page of C code

    • can be implemented in a remote authentication server
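The challenge/response exchange from the “How does it work?” slides, as an added Python example (not the talk’s code, and not the page of C the bullet refers to). The slides encrypt the challenge with DES; this example substitutes HMAC-SHA256 keyed with the shared secret and keeps eight decimal digits, the shape of the 70202 → 04432234 exchange in the transcript. Challenges never repeat, each is good for a single attempt, and the server compares in constant time. The key and user name are constructed.

```python
import hashlib
import hmac
import secrets


def otp_response(key: bytes, challenge: str) -> str:
    """Client side: derive the response from the challenge and the shared key.
    The slides use DES here; HMAC-SHA256 reduced to 8 decimal digits stands in."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return "%08d" % (int.from_bytes(mac, "big") % 10**8)


class OtpServer:
    def __init__(self, keys: dict):
        self.keys = keys          # user -> shared secret key (computer-generated)
        self.pending = {}         # user -> the one outstanding challenge
        self.used = set()         # every challenge ever issued: they must not repeat

    def challenge(self, user: str) -> str:
        """Issue a fresh 5-digit challenge (the slides' 70202 is 5 digits)."""
        while True:
            c = "%05d" % secrets.randbelow(100000)
            if c not in self.used:
                break
        self.used.add(c)
        self.pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        """Check the response against the outstanding challenge; one attempt only."""
        c = self.pending.pop(user, None)
        if c is None or user not in self.keys:
            return False
        expected = otp_response(self.keys[user], c)
        return hmac.compare_digest(expected, response)


def login_session(server, user, key, eavesdropper_replays=False):
    """One login. With eavesdropper_replays, also try what someone who sniffed the
    (challenge, response) pair can do with it: replay it, and reuse it against
    the next challenge. Returns True/False, or a (login, replay, reuse) triple."""
    c = server.challenge(user)
    r = otp_response(key, c)
    first = server.verify(user, r)
    if not eavesdropper_replays:
        return first
    replay = server.verify(user, r)     # challenge already consumed
    server.challenge(user)              # a new, different challenge...
    reuse = server.verify(user, r)      # ...to which the old answer is wrong
    return first, replay, reuse
```

What the sniffed pair still gives an eavesdropper is exactly the next slide’s caveat: if the key is derived from a password rather than generated, the (challenge, response) pair is enough to test password guesses offline, so the key had better be a random one held in a token or on a printout.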



Human-computed one-time password: a research project

challenge: 00193 Wed Sep 11 11:22:09 2002

response: ab0dh1kd0jkfj1kye./



Not Gory Enough For You?

  • Bugtraq mailing list

  • Firewalls and Internet Security

  • Chapman and Zwicky

  • Keyword search in search engines for hacking tools

    • “rootkit”



Questions

  • http://research.lumeta.com/ches/

  • [email protected]

  • Yes, I’d love to sign your book

