Security Engineering
Agenda Today • Types of Security Problems • Integrating Security into Software Process • Security Toolbag
Threats and Vulnerabilities • Two major categories of computer security risks are: • Threats • A threat is a person, thing, or event that could compromise the system • All systems have potential threats • Some examples of threats are: • Natural and Physical – These imperil the physical plant and the state of the actual equipment • Unintentional – These are the dangers brought on by ignorance or carelessness • Intentional – These are malicious attacks against a system
Threats and Vulnerabilities (Continued) • Vulnerabilities • A vulnerability is a weakness in a system that a threat could exploit • If one were exploited, the system could no longer be relied on • Enumerating vulnerabilities is how you work out which threats actually matter for a system • Every system is vulnerable to attack • Some examples of vulnerabilities are: • Physical & Natural – Natural disasters and environmental hazards can adversely impact a facility and its IT resources • Hardware & Software – IT resources can start malfunctioning • Media – Disks, tapes, printouts, etc. can be stolen or damaged • Network – Machines can be remotely breached • Human – Users can make errors that put data in jeopardy
Malicious Logic • Trojan Horse • Virus • Worms • Rabbits (Bacteria) • Logic Bomb
Example • Shell script on a UNIX system:
    cp /bin/sh /tmp/.xyzzy
    chmod u+s,o+x /tmp/.xyzzy
    rm ./ls
    ls "$@"
• Place it in a program called "ls" and trick someone into executing it (classically, leave it in a directory they will run "ls" from while "." is on their PATH); the script removes itself and runs the real ls, so the victim sees a normal listing • You now have a shell that is setuid to them • Caveat: bash and some other modern shells drop an effective uid that differs from the real uid unless started with -p, so the copied binary must be one that keeps the privilege
Trojan Horse • Program with an overt purpose (known to user) and a covert purpose (unknown to user) • Often called a Trojan • Example: previous script is Trojan horse • Overt purpose: list files in directory • Covert purpose: create setuid shell
Example: NetBus • Designed for Windows NT system • Victim uploads and installs this • Usually disguised as a game program, or in one • Acts as a server, accepting and executing commands for remote administrator • This includes intercepting keystrokes and mouse motions and sending them to attacker • Also allows attacker to upload, download files
Replicating Trojan Horse • Trojan horse that makes copies of itself • Also called a propagating Trojan horse • An early version of the "animal" game used this technique to delete older copies of itself • Hard to detect • 1976: Karger and Schell suggested modifying a compiler to include a Trojan horse that copied itself into specific programs, including later versions of the compiler itself • 1984: Thompson describes implementing exactly this in "Reflections on Trusting Trust"
Viruses • Designed to replicate themselves • Spread via removable storage media, email, file transfer • Usually carry a payload intended to cause damage • Need a host program • Attach to and modify the host • Execute as part of the host • Virus detection • Check program length (a virus can hide the change or compress the program) • Check for a virus "signature" (encrypted and polymorphic viruses are designed to defeat this)
First Reports • Brain (Pakistani) virus (1986) • Written for IBM PCs • Alters boot sectors of floppies, spreads to other floppies • MacMag Peace virus (1987) • Written for Macintosh • Prints “universal message of peace” on March 2, 1988 and deletes itself
Types of Viruses • Boot sector infectors • Executable infectors • Multipartite viruses • TSR viruses • Stealth viruses • Encrypted viruses • Polymorphic viruses • Macro viruses
Boot Sector Infectors • A virus that inserts itself into the boot sector of a disk • Section of disk containing code • Executed when system first “sees” the disk • Including at boot time … • Example: Brain virus • Moves disk interrupt vector from 13H to 6DH • Sets new interrupt vector to invoke Brain virus • When new floppy seen, check for 1234H at location 4 • If not there, copies itself onto disk after saving original boot block
Executable Infectors • A virus that infects executable programs • Can infect either .EXE or .COM on PCs • May prepend itself or put itself anywhere in the file, fixing up the binary so the viral code is executed at some point
Multipartite Viruses • A virus that can infect either boot sectors or executables • Typically, two parts • One part boot sector infector • Other part executable infector
TSR Viruses • A virus that stays active in memory after the application (or bootstrapping, or disk mounting) is completed • TSR is “Terminate and Stay Resident” • Examples: Brain, Jerusalem viruses • Stay in memory after program or disk mount is completed
Stealth Viruses • A virus that conceals infection of files • Example: IDF virus modifies DOS service interrupt handler as follows: • Request for file length: return length of uninfected file • Request to open file: temporarily disinfect file, and reinfect on closing • Request to load file for execution: load infected file
Encrypted Viruses • A virus that is enciphered except for a small deciphering routine • Detecting virus by signature now much harder as most of virus is enciphered
Polymorphic Viruses • A virus that changes its form each time it inserts itself into another program • Idea is to prevent signature detection by changing the “signature” or instructions used for deciphering routine • At instruction level: substitute instructions • At algorithm level: different algorithms to achieve the same purpose • Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine)
Example • These are different instructions (with different bit patterns) but have the same effect: • add 0 to register • subtract 0 from register • xor 0 with register • no-op • Polymorphic virus would pick randomly from among these instructions
Macro Viruses • A virus composed of a sequence of instructions that are interpreted rather than executed directly • Can infect either executables (Duff’s shell virus) or data files (Highland’s Lotus 1-2-3 spreadsheet virus) • Independent of machine architecture • But their effects may be machine dependent
Example • Melissa • Infected Microsoft Word 97 and Word 98 documents • Windows and Macintosh systems • Invoked when the program opens an infected file • Installs itself as the "open" macro and copies itself into the Normal template • This way, it infects any document opened in future • Invokes the mail program and sends itself to entries in the user's address book (the first 50 of each)
Computer Worms • A program that copies itself from one computer to another • Origins: distributed computations • Schoch and Hupp: animations, broadcast messages • Segment: part of program copied onto workstation • Segment processes data, communicates with worm’s controller • Any activity on workstation caused segment to shut down
Example: Internet Worm of 1988 • Targeted Berkeley and Sun UNIX systems (VAX and Sun-3) • Used a buffer overflow in fingerd (a gets() call) to inject instructions into a running program and run them, plus the sendmail DEBUG command and weak passwords as other entry routes • To recover, a site had to disconnect the system from the Internet and reboot • To prevent re-infection, several critical programs had to be patched, recompiled, and reinstalled • Analysts had to disassemble it to uncover its function • Disabled several thousand systems in 6 or so hours
Rabbits, Bacteria • A program that absorbs all of some class of resources • Example: for a UNIX system, shell commands:
    while true
    do
        mkdir x
        cd x
    done
• Creates an ever-deeper directory tree and exhausts either disk space or inode space on the filesystem
Logic Bombs • A program that performs an action violating the site security policy when some external event occurs • Example: a program that deletes the company's payroll records when one particular record is deleted • The "particular record" is usually that of the person writing the logic bomb • Idea is that if (when) he or she is fired and the payroll record deleted, the company loses all its payroll records
Buffer overflow • Historically the most important avenue for vulnerabilities (covered in detail under Sin 1 below) • Good programming practice: always verify that input received from an uncontrolled source conforms to the expected format and length before using it
Authentication • Four classic ways to authenticate: • something you know (passwords) • something you have (smartcard) • something you are (fingerprint) • something you do (usage signature) • None of these is perfect
Identity theft • Fastest rising crime in the US • FBI won’t help unless losses above $100,000. • Someone can steal an identity with just a social security number!!!
Passwords • Account – person using the system • Username – identity of the account (public) • Limited characters: alphanumeric & a few special characters • Typically related to the real name of the user (not always); certain names are reserved • Unique on the system • Fixed at account creation • Password – verification of identity (private) • Less limited in length and characters • Fixed until changed • Need not be unique: two users with the same password just means both chose a weak one
Password Security • Password security depends on ONLY you knowing the password • Secure selection • Secure handling • Secure storage
Password Attacks • Easy to Hard • Given password • Grab password • Generate password • Guess password
Denial of Service Attack (DoS) • Attempts to "flood" a network or exhaust a host's resources, thereby preventing legitimate traffic from being served
Remote Execution • Upload and start code on a remote machine • Mobile agent: may migrate among machines • Unlike a worm, relies on legitimate servers for migration
Eavesdropping • Reads plaintext communicated over a channel
Identity Spoofing (IP Address Spoofing) • Packets appear to come from a valid IP address but are actually generated by an attacker
Social Engineering • Sometimes breaking into a network is as simple as calling new employees, telling them you are from the IT department, and asking them to verify their password for your records.
Problem Sources • Requirements definitions, omissions, and mistakes • System design flaws • Hardware implementation flaws, such as wiring and chip flaws • Software implementation errors, program bugs, and compiler bugs • System use and operation errors and inadvertent mistakes • Willful system misuse • Hardware, communication, or other equipment malfunction • Environmental problems and natural causes. • Evolution, maintenance, faulty upgrades, and decommissions
Security Defects • We live in an age with a constant threat of security breaches • Holes in web software • Flaws in server software • Security defects are very easy to make • The Blaster worm's defect was only two lines long • A one-line error can be catastrophic • Here we look at 19 common security defects (the "19 Deadly Sins of Software Security", Howard, LeBlanc and Viega)
Sin 1 : Buffer Overruns • You've heard this one many times… • Occurs when a program lets input write beyond the end of the allocated buffer • The program might crash or allow the attacker to gain control • Managed languages like C# and Java bounds-check their arrays, so it is much less likely there, but still possible through native libraries written in C/C++ or unsafe code
Spotting Buffer Overflows • Look for input read from the network, a file, the user interface, or the command line • Transfer of data from input to internal structures • Use of unsafe string handling calls • Use of arithmetic to calculate an allocation size or remaining buffer size
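The added C example below is not from the original slides: it puts the unbounded copy beside a bounded one and shows the "arithmetic to calculate remaining buffer size" case from the checklist. The function names, the 16-byte buffer and the inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed buffer size for the example */

/* Vulnerable: strcpy() has no idea how big name[] is.  Input of NAME_MAX
 * bytes or more writes past the end of the buffer (a stack overrun when
 * name[] is a local); what gets overwritten depends on the layout, and an
 * attacker who controls the input can often take control of the program. */
void set_name_unsafe(char name[NAME_MAX], const char *input) {
    strcpy(name, input);
}

/* Hardened: measure first, reject anything that would not fit together
 * with its terminator, then copy exactly that many bytes.
 * Returns 0 on success, -1 if the input was rejected (name[] is emptied). */
int set_name_safe(char name[NAME_MAX], const char *input) {
    size_t n = strlen(input);
    if (n >= NAME_MAX) {
        name[0] = '\0';
        return -1;
    }
    memcpy(name, input, n + 1);
    return 0;
}

/* The "arithmetic to calculate remaining buffer size" case: appending to a
 * fixed buffer while tracking how much is already used.  `used` is checked
 * against `cap` first so `cap - used` can never wrap, and the terminator is
 * always accounted for.  Returns the new used length, or -1 if it does not fit. */
int append_bounded(char *buf, size_t cap, size_t used, const char *s) {
    size_t n = strlen(s);
    if (used >= cap || n >= cap - used)
        return -1;
    memcpy(buf + used, s, n + 1);
    return (int)(used + n);
}

int main(void) {
    char name[NAME_MAX];
    char line[8];
    int used;

    /* Constructed inputs: a short name and one that is exactly NAME_MAX long. */
    set_name_unsafe(name, "alice");          /* harmless only because it is short */
    printf("unsafe short copy: %s\n", name);
    printf("safe 15-char name -> %d\n", set_name_safe(name, "0123456789abcde"));
    printf("safe 16-char name -> %d (rejected)\n", set_name_safe(name, "0123456789abcdef"));

    used = append_bounded(line, sizeof line, 0, "abc");
    used = append_bounded(line, sizeof line, (size_t)used, "defg");
    printf("appended: \"%s\" (%d bytes used)\n", line, used);
    printf("one more byte -> %d (no room for the terminator)\n",
           append_bounded(line, sizeof line, (size_t)used, "h"));
    return 0;
}
```

The unsafe variant is only ever called with a short string here; feeding it the 16-character input is exactly the overrun the slide describes.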
Sin 2 : Format String Problems • A C/C++ type of problem • First mentioned June 23, 2000 • Pretty simple, what could go wrong?
    int main(int argc, char *argv[]) {
        printf(argv[1]);
        return 0;
    }
Format String • What if the program is invoked as: bug.exe "%x %x" • Output something like: 12FFC0 4011E5 • Each %x consumes the next argument slot (4 bytes on 32-bit x86); no arguments were supplied, so that slot is whatever happens to be on the stack • Leaks important information to the attacker
Format String • Another obscure specifier: %n
    int bytes;
    printf("%s%n\n", argv[1], &bytes);
    printf("Input is %d characters long.\n", bytes);
• Usage: bug.exe "Hello" prints:
    Hello
    Input is 5 characters long.
• %n writes the number of characters output so far into the int pointed to by the next argument; it is a write, not a read • When the attacker controls the format string, crafted input chooses both the pointer (taken from the stack) and the count, so the attacker can write values of their choosing into memory
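As an added C example (not part of the original slides), the vulnerable call from the slide beside its one-line fix, a legitimate use of %n that shows what the specifier actually does, and a small audit helper that counts format directives in data that is about to be used as a format. Function names and inputs are constructed for illustration; the vulnerable function is defined for comparison but deliberately never executed.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the slide: user-controlled text used as the
 * format.  Never call this with untrusted input; "%x" in `user` reads
 * argument slots that were never supplied and "%n" writes through them.
 * (Compilers flag this with -Wformat-security.) */
void log_vuln(char *out, size_t cap, const char *user) {
    snprintf(out, cap, user);
}

/* Fix: a constant format.  The user text is only ever a %s argument, so
 * "%x %x" is copied literally and cannot drive the formatter. */
void log_safe(char *out, size_t cap, const char *user) {
    snprintf(out, cap, "%s", user);
}

/* What %n really does: it stores the number of characters produced so far
 * into the int whose address is the matching argument.  Legitimate here
 * because the format is a literal and the pointer is ours.
 * Returns the stored count (the length of s for short strings). */
int counted_write(char *out, size_t cap, const char *s) {
    int bytes = 0;
    snprintf(out, cap, "%s%n", s, &bytes);
    return bytes;
}

/* Audit helper: how many % directives does this data contain?  A non-zero
 * answer for anything that reaches printf/syslog/snprintf as the format
 * argument is a finding.  "%%" is a literal percent sign, not a directive. */
int count_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void) {
    char out[64];
    /* Constructed attacker-style input: what the slide passes as argv[1]. */
    const char *user = "%x %x";

    log_safe(out, sizeof out, user);
    printf("safe:  %s\n", out);                      /* prints the literal "%x %x" */
    printf("%%n stored %d for \"Hello\"\n", counted_write(out, sizeof out, "Hello"));
    printf("directives in \"%s\": %d\n", user, count_directives(user));
    /* log_vuln(out, sizeof out, user) is intentionally not run. */
    return 0;
}
```

The audit helper is the code-review question in executable form: any string with a non-zero directive count that is built from network, file or user input must go through a constant "%s" format, never be passed as the format itself.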
Sin 3 : Integer Overflows • When an unsigned integer exceeds the range of its bit width it wraps around modulo 2^n, so 0xFFFFFFFF + 1 becomes 0 • For signed integers overflow is undefined behavior in C/C++; in practice large positive numbers suddenly become negative • "Obvious" errors: integers are multiplied/added/etc. and the result overflows • The result can be very bad and unpredictable, e.g. a length check passes because a relational operator now behaves the opposite of how it was supposed to • Also many less obvious errors: truncation and sign conversions (next slides)
Casting • Implicit type conversion is a frequent cause of integer overflows • Comparisons are done in a common type, so the narrower operand is widened (here short to long); the damage is done earlier, when strlen()'s size_t result is stored in a short
    const long MAX_LEN = 0x7FFF;
    short len = strlen(input);
    if (len < MAX_LEN) {
        // Do stuff
    }
• If a short is 2 bytes and the input is longer than 32767 characters, len wraps to a negative number, the check passes, and the oversized input is processed
Casting • Signed int to larger signed int • The smaller value is sign-extended • 0x7F to an int becomes 0x0000007F • 0x80 to an int becomes 0xFFFFFF80 • Signed int to larger unsigned int • Positive numbers behave as expected • Negatives are sign-extended first and then reinterpreted as unsigned • (char) -1 becomes 0xFFFFFFFF, or 4,294,967,295
Overflow Problem • Does this detect whether two unsigned 16-bit numbers overflow when added?
    bool IsValidAddition(unsigned short x, unsigned short y) {
        if (x + y < x)
            return false;
        return true;
    }
• It does not: C's integer promotions widen both operands to int before the addition, so x + y is computed in 32 bits, never wraps, and the comparison is never true • A correct check must either compare the widened sum against USHRT_MAX or truncate the sum back to unsigned short before comparing it with x
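The added C example below is not from the original slides: it shows why the IsValidAddition check above can never fire, the corrected check, the check-before-add pattern for a type with no wider type to lean on, the strlen()-into-short truncation from the casting slide, and the sign-extension cases. Function names and the input lengths are constructed for illustration; the out-of-range conversion to short relies on the wraparound that GCC and Clang define (the C standard leaves it implementation-defined).

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <stdint.h>
#include <stdbool.h>

/* The slide's check as written.  Both operands are promoted to int before
 * the addition, so the sum is computed in 32 bits, never wraps, and the
 * comparison is always false: every pair of inputs is reported "valid". */
bool is_valid_addition_broken(unsigned short x, unsigned short y) {
    if (x + y < x)
        return false;
    return true;
}

/* Correct: compute in a type that holds any 16-bit sum, then compare
 * against the destination's maximum. */
bool is_valid_addition(unsigned short x, unsigned short y) {
    return (unsigned int)x + (unsigned int)y <= USHRT_MAX;
}

/* Pattern for a type with no wider type to lean on (e.g. size_t when sizing
 * an allocation): check before adding.  Stores the sum only when it fits. */
bool size_add_ok(size_t a, size_t b, size_t *out) {
    if (a > SIZE_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* The casting slide's bug: strlen() returns size_t, storing it in a short
 * keeps only 16 bits, and lengths of 32768..65535 come back negative and
 * sail through "len < MAX_LEN".  Returns true when the check is fooled. */
bool short_len_check_fooled(size_t input_len) {
    const long MAX_LEN = 0x7FFF;
    short len = (short)input_len;   /* wraps on GCC/Clang; implementation-defined per C11 */
    return len < MAX_LEN && input_len > (size_t)MAX_LEN;
}

/* Sign extension: widening a signed char keeps its sign, so -1 becomes
 * 0xFFFFFFFF and 0x80 becomes 0xFFFFFF80 when viewed as unsigned int. */
unsigned int widen_signed_char(signed char c) {
    return (unsigned int)(int)c;
}

/* Widening an unsigned char zero-extends: 0x80 stays 0x00000080. */
unsigned int widen_unsigned_char(unsigned char c) {
    return (unsigned int)c;
}

int main(void) {
    size_t total;
    printf("broken check accepts 65535 + 1: %d\n", is_valid_addition_broken(65535, 1));
    printf("fixed  check accepts 65535 + 1: %d\n", is_valid_addition(65535, 1));
    printf("size_add_ok(SIZE_MAX, 1): %d\n", size_add_ok(SIZE_MAX, 1, &total));
    printf("short length check fooled by a 40000-byte input: %d\n",
           short_len_check_fooled(40000));
    printf("(signed char)0x80 widened:   0x%08X\n", widen_signed_char((signed char)0x80));
    printf("(unsigned char)0x80 widened: 0x%08X\n", widen_unsigned_char(0x80));
    return 0;
}
```

The same promotion rule that breaks the slide's check also explains why `unsigned char` and `unsigned short` arithmetic is really `int` arithmetic: overflow checks on narrow types must be written in terms of the promoted type or the destination's limits, not the narrow type's own wraparound.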