1 / 20

Vulnerabilities

Vulnerabilities. CSE 525 – Paper Presentation Winter 2004 Robert Nesius. Agenda. Practical attacks against wireless network protocols (Supplemental Paper #1) Exploiting Algorithmic Complexity (Supplemental Paper #2).

ccline
Download Presentation

Vulnerabilities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Vulnerabilities CSE 525 – Paper Presentation Winter 2004 Robert Nesius

  2. Agenda • Practical attacks against wireless network protocols (Supplemental Paper #1) • Exploiting Algorithmic Complexity (Supplemental Paper #2). • Analysis of growth rates for Flash Worms, proposal for dealing with future threats more efficiently (Primary Paper).

  3. Beating up on 802.11 some more. • 802.11 Denial-of-Service Attacks: Real Vulnerabilities & Practical Solutions • August, 2003 • John Bellardo – Graduate student, UCSD • Stefan Savage – Assistant Professor, UCSD

  4. Key Points • Very practical paper • Authors describe some attacks, then implement them on commodity hardware! • Attacks are shown in action. • Propose non-cryptographic solutions.

  5. Client Attacker AP Auth req auth resp assoc. req assoc resp. deauth Data Deauth Attack: Deauthentication • Attacker sends arbitrary deauthenticate message • Can target one host • Or everyone • root cause – no mutual authentication on session-management frames. • Fix – APs take wait- and-see approach. • Attacks Identity

  6. More Attacks • Disassociation – exactly like deauthentication attack but not as severe. (Identity) • Energy-Saver mode – disrupt timing on synchronized wake-ups. • Media Access Vulnerabilities. • All 802.11 packets have a duration field. • Use RTS/CTS dialogs to “reserve channel” • Keep reserving it – never let anyone talk… • In practice – does not work due to poor standards conformance. (Worked fine in simulation. So what?) • Collision Avoidance Attack • Very power-hungry attack (50,000 packets/sec.)

  7. Summary of 802.11b bashing • Attacks are practical and feasible • Beware the Pocket-PC-of-Death • There are some workarounds • The workarounds have problems too. • Real solution is cryptographically secure mutual authentication • See CSE 506scp for further details on complications in this area. • Secure Protocol Design is HARD!

  8. Algorithmic Complexity Attacks • Denial of Service Via Algorithmic Complexity Attacks • Published 2003. • Scott A. Crosby – First Year PhD student. • Dan S. Wallach – Assistant Professor • Rice University

  9. Big Idea: Hash Smashing • Hashes used by many internet applications because of on-average constant time lookups. • Evil input can induce quadratic O(n^2) performance. • Evil input streams can be very small • ¼ of dialup connection! • Similar to SSL RSA-Decryption DOS.

  10. Generators • Generators are strings that yield a given hash result, no matter the number of times concatenated. • h(x) =0, h(xx) = 0, h(xxx) = 0. • Hash algorithms must be deterministic.

  11. Applications of Algorithmic Complexity Attacks • IDS systems use hash’s of IP addresses. • BOS (an Open Source IDS system) uses a deterministic hash. • Send evil-packets to tie up BOS. • OS on BOS system starts dropping packets. • Launch real attack – no forensics evidence is collected. • Paper demonstrated 16kbs stream DOS’d a 450Mghz Pentium-based IDS system.

  12. Defenses • For binary-tree based algorithms: • use algorithms with guaranteed worst case complexity. (Red-Black trees, etc…) • For Hashes: • use Universal Hashes • Parameters of the hashing function are determined (randomly) at run-time. • Have been around since 1975. • Perform comparably to perl (slightly slower, but safer).

  13. “0wning” the Internet. • How to 0wn the Internet in Your Spare Time. • Stuart Staniford – Silicon Defense • MS in CS, PhD in Physics – UC Davis. • Vern Paxson – ICSI Center for Internet Research. Senior Scientist @ LBNL. • Nicholas Weaver – UC Berkeley – PhD Candidate • Talks about worm propagation • Concludes with high-level considerations • Published 2002.

  14. I have a Dream… (Scream?) • One million 0wned host “End-of-Days” scenario. (Wishful thinking? Or boring?) • Code Red – 359,000 hosts. • Slammer – 75,000 hosts (worse than CR) • Growth patterns • Logistics Equation – Governs the rate of growth in a finite system when all entities are equally likely to infect each other. • Used by CDC to monitor epidemics. • Code Red exhibited this. *gasp*

  15. Growth Rates • Proposition • Given high-bandwidth nodes for initial propagations, and enough initial high-probability targets… • A flash worm could infect the target population on the Internet in 15 minutes. • Kudos: Within one year, Slammer reached peak scan-rates in 3 minutes. • Slammer was throttled by bandwidth constraints. • http://www.cs.ucsd.edu/~savage/papers/IEEESP03.pdf

  16. Better Worm Practices • Hit-List – (high-probability targets, built via stealth scans perhaps.) • Permutation Scanning (Divide and Conquer) • Warhol Worm - Hit-List + Permutation Scanning • Topology based – Lower latencies. • Flash Worm – Conclusion based on above analysis is that a “tight” worm with a good hit-list could take down the population in 10’s of seconds.

  17. Stealth Worms • Biological Metaphor extended: Contagion • Infection occurs “in-band” with normal communications. • Can escape detection by IDS systems. • Note the Peer-to-Peer infrastructure could be particularly vulnerable to this. • Good analysis of KaZaA.

  18. Programmatic Control & Updates • Two methods proposed. • Turn worms into peer-to-peer network to pass updates around. • Or use a pull methodology to retrieve instructions. • Authors don’t mention that this makes it highly more likely the perp will be caught. • Floppy-disk virii from the ‘old days’?

  19. Cyber “Center for Disease Control” • National-scale Defense (Homeland Security?) • Real CDC Mission – Monitor national and world-wide progression of diseases, identify new threats… Authors propose: • Identify Outbreaks – establish Comm channels, Automate detection. • Rapidly Analyze Pathogens. • Fight Infections - Manage patches/Network devices? • Anticipate New Vectors – (All previous worms used known exploits). • Devise Detectors – (being done commercially?) • Resist Future Threats – (Enforcing patching most effective approach?) • Openness – Suggest partially open model for collaboration. • Raises trust issues/ Diminishes Effectiveness (CERT).

  20. Summary • Denial-of-Service attacks exist in all aspects of computing. • Low-bandwidth attack vectors exist, and flash worms are a reality. • Wireless networks are hopelessly insecure. • One glaring root-cause not addressed – unpatched systems. • This problem is not going away any time soon.

More Related