security engineering 1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Security Engineering 1 PowerPoint Presentation
Download Presentation
Security Engineering 1

Security Engineering 1

270 Views Download Presentation
Download Presentation

Security Engineering 1

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Security Engineering 1

  2. Agenda Today • Types of Security Problems • Integrating Security into Software Process • Security Toolbag

  3. Threats and Vulnerabilities • Two major categories of computer security risks are: • Threats • Threats are a person, thing, or event which will compromise the system • All systems have potential threats • Some examples of threats are: • Natural and Physical – These imperil the physical plant and the state of the actual equipment • Unintentional – These are the dangers brought on by ignorance • Intentional – These are malicious attacks against a system

  4. Threats and Vulnerabilities (Continued) • Vulnerabilities • Vulnerabilities are perceived threats • If they were exploited, the system would no longer be reliable • The more vulnerabilities can be perceived, the more threats can be determined • Every system is vulnerable to attack • Some examples of vulnerabilities are • Physical & Natural – Natural disasters and environmental threats can adversely impact a facility and its IT resources • Hardware & Software – IT resources can start malfunctioning • Media – Disks, tapes, printouts, etc. can be stolen or damaged • Network – Machines can be remotely breached • Human – Users can make errors which will put data in jeopardy

  5. Malicious Logic • Trojan Horse • Virus • Worms • Rabbits (Bacteria) • Logic Bomb

  6. Example • Shell script on a UNIX system: cp /bin/sh /tmp/.xyzzy chmod u+s,o+x /tmp/.xyzzy rm ./ls ls $* • Place in program called “ls” and trick someone into executing it • You now have a setuid-to-them shell!

  7. Trojan Horse • Program with an overt purpose (known to user) and a covert purpose (unknown to user) • Often called a Trojan • Example: previous script is Trojan horse • Overt purpose: list files in directory • Covert purpose: create setuid shell

  8. Example: NetBus • Designed for Windows NT system • Victim uploads and installs this • Usually disguised as a game program, or in one • Acts as a server, accepting and executing commands for remote administrator • This includes intercepting keystrokes and mouse motions and sending them to attacker • Also allows attacker to upload, download files

  9. Replicating Trojan Horse • Trojan horse that makes copies of itself • Also called propagating Trojan horse • Early version of animal game used this to delete copies of itself • Hard to detect • 1976: Karger and Schell suggested modifying compiler to include Trojan horse that copied itself into specific programs including later version of the compiler • 1980s: Thompson implements this

  10. Viruses • designed to replicate themselves • removable storage media, email, file transfer • intended to cause damage • need a host program • attach to and modify host • execute as part of host • virus detection • check program length (virus can hide or compress program) • check for virus “signature” (viruses use encryption)

  11. First Reports • Brain (Pakistani) virus (1986) • Written for IBM PCs • Alters boot sectors of floppies, spreads to other floppies • MacMag Peace virus (1987) • Written for Macintosh • Prints “universal message of peace” on March 2, 1988 and deletes itself

  12. Types of Viruses • Boot sector infectors • Executable infectors • Multipartite viruses • TSR viruses • Stealth viruses • Encrypted viruses • Polymorphic viruses • Macro viruses

  13. Boot Sector Infectors • A virus that inserts itself into the boot sector of a disk • Section of disk containing code • Executed when system first “sees” the disk • Including at boot time …  • Example: Brain virus • Moves disk interrupt vector from 13H to 6DH • Sets new interrupt vector to invoke Brain virus • When new floppy seen, check for 1234H at location 4 • If not there, copies itself onto disk after saving original boot block

  14. Executable Infectors • A virus that infects executable programs • Can infect either .EXE or .COM on PCs • May prepend itself (as shown) or put itself anywhere, fixing up binary so it is executed at some point

  15. Multipartite Viruses • A virus that can infect either boot sectors or executables • Typically, two parts • One part boot sector infector • Other part executable infector

  16. TSR Viruses • A virus that stays active in memory after the application (or bootstrapping, or disk mounting) is completed • TSR is “Terminate and Stay Resident” • Examples: Brain, Jerusalem viruses • Stay in memory after program or disk mount is completed

  17. Stealth Viruses • A virus that conceals infection of files • Example: IDF virus modifies DOS service interrupt handler as follows: • Request for file length: return length of uninfected file • Request to open file: temporarily disinfect file, and reinfect on closing • Request to load file for execution: load infected file

  18. Encrypted Viruses • A virus that is enciphered except for a small deciphering routine • Detecting virus by signature now much harder as most of virus is enciphered

  19. Polymorphic Viruses • A virus that changes its form each time it inserts itself into another program • Idea is to prevent signature detection by changing the “signature” or instructions used for deciphering routine • At instruction level: substitute instructions • At algorithm level: different algorithms to achieve the same purpose • Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine)

  20. Example • These are different instructions (with different bit patterns) but have the same effect: • add 0 to register • subtract 0 from register • xor 0 with register • no-op • Polymorphic virus would pick randomly from among these instructions

  21. Macro Viruses • A virus composed of a sequence of instructions that are interpreted rather than executed directly • Can infect either executables (Duff’s shell virus) or data files (Highland’s Lotus 1-2-3 spreadsheet virus) • Independent of machine architecture • But their effects may be machine dependent

  22. Example • Melissa • Infected Microsoft Word 97 and Word 98 documents • Windows and Macintosh systems • Invoked when program opens infected file • Installs itself as “open” macro and copies itself into Normal template • This way, infects any files that are opened in future • Invokes mail program, sends itself to everyone in user’s address book

  23. Computer Worms • A program that copies itself from one computer to another • Origins: distributed computations • Schoch and Hupp: animations, broadcast messages • Segment: part of program copied onto workstation • Segment processes data, communicates with worm’s controller • Any activity on workstation caused segment to shut down

  24. Example: Internet Worm of 1988 • Targeted Berkeley, Sun UNIX systems • Used virus-like attack to inject instructions into running program and run them • To recover, had to disconnect system from Internet and reboot • To prevent re-infection, several critical programs had to be patched, recompiled, and reinstalled • Analysts had to disassemble it to uncover function • Disabled several thousand systems in 6 or so hours

  25. Rabbits, Bacteria • A program that absorbs all of some class of resources • Example: for UNIX system, shell commands: while true do mkdir x chdir x done • Exhausts either disk space or file allocation table (inode) space

  26. Logic Bombs • A program that performs an action that violates the site security policy when some external event occurs • Example: program that deletes company’s payroll records when one particular record is deleted • The “particular record” is usually that of the person writing the logic bomb • Idea is if (when) he or she is fired, and the payroll record deleted, the company loses all those records

  27. Buffer overflow • The most important avenue for vulnerabilities • Good programming practice: always verify that the input you receive from uncontrolled source conforms to expected format

  28. Normal Stack State

  29. Modified Stack State

  30. Authentication • Four classic ways to authenticate: • something you know (passwords) • something you have (smartcard) • something you are (fingerprint) • something you do (usage signature) • None of these is perfect

  31. Identity theft • Fastest rising crime in the US • FBI won’t help unless losses above $100,000. • Someone can steal an identity with just a social security number!!!

  32. Passwords • Account - person using the system • Username - Identity of account (public) • limited characters, alphanumeric & special characters • typically related to real name of user (not always), certain names reserved • unique on system • fixed at account creation • Passwords – Verification of identity (private) • Less limited length and characters • Fixed until changed • Non-unique passwords – (both users have bad password)

  33. Password Security • Password security depends on ONLY you knowing the password • Secure selection • Secure handling • Secure storage

  34. Password Attacks • Easy to Hard • Given password • Grab password • Generate password • Guess password

  35. Denial of Service Attack (DoS) • Attempts to "flood" a network, thereby preventing legitimate network traffic;

  36. Remote Execution • remote execution • upload and start code on remote machine • mobile agent: may migrate among machines • unlike worm, relies on legitimate servers for migration

  37. Eavesdropping • Reads plain text communicated through a channel.

  38. Identity Spoofing (IP Address Spoofing) • Packets appears to be generated by a valid IP address but they are actually generated by a hacker.

  39. Social Engineering • Sometimes breaking into a network is as simple as calling new employees, telling them you are from the IT department, and asking them to verify their password for your records.

  40. Problem Sources • Requirements definitions, omissions, and mistakes • System design flaws • Hardware implementation flaws, such as wiring and chip flaws • Software implementation errors, program bugs, and compiler bugs • System use and operation errors and inadvertent mistakes • Willful system misuse • Hardware, communication, or other equipment malfunction • Environmental problems and natural causes. • Evolution, maintenance, faulty upgrades, and decommissions

  41. Security Defects • We live in an age with constant threat of security breaches • Holes in web software • Flaws in server software • Security defects very easy to make • Blaster worm defect only two lines long • One line error can be catastrophic • Here we look at 19 common security defects (sins of security)

  42. Sin 1 : Buffer Overruns • You’ve heard this one many times… • Occurs when a program allows input to write beyond the end of the allocated buffer • Program might crash or allow attacker to gain control • Still possible in languages like C#, Java since they use libraries written in C/C++ but more unlikely

  43. Spotting Buffer Overflows • Look for input read from the network, a file, the user interface, or the command line • Transfer of data from input to internal structures • Use of unsafe string handling calls • Use of arithmetic to calculate an allocation size or remaining buffer size

  44. Sin 2 : Format String Problems • A C/C++ type of problem • First mentioned June 23, 2000 • Pretty simple, what could go wrong? void main(int argc, char * argv[]) { printf(argv[1]); }

  45. Format String • What if the program is invoked as : bug.exe “%x %x” • Output something like: The %x specifier reads the stack 4 bytes at a time and outputs them Leaks important info to the attacker 12FFC0 4011E5

  46. Format String • Another obscure format string: %n unsigned int bytes; printf(“%s%n\n”, argv[1], &bytes); printf(“Input is %d characters long.\n”, bytes); Usage: bug.exe “Hello“ Hello Input is 5 characters long The %n specifier writes 4 bytes at a time based on the length of the previous argument Carefully crafted, allows an attacker to place own data into the stack

  47. Sin 3 : Integer Overflows • When an unsigned integer gets too big for the number of bits allocated, it overflows back to 0 • For signed integers, positive numbers suddenly become negative numbers • “Obvious” errors where integers are multiplied/added/etc. and overflow • Result can be very bad and unpredictable behavior if relational operators suddenly behave the opposite of how they are supposed to • Also many less obvious errors

  48. Casting • Implicit type casting is a frequent cause of integer overflows • Most languages require the same types to be compared so an up-cast is done const long MAX_LEN = 0x7FFF; short len = strlen(input); if (len < MAX_LEN) { // Do stuff } If a short is 2 bytes and input > 32767, then len becomes a negative number

  49. Casting • Signed int to Larger signed int • Smaller value is sign-extended • 0x7F to an int becomes 0x0000007F • 0x80 to an int becomes 0xFFFFFF80 • Signed int to Larger unsigned int • Positive numbers behave as expected • Negatives unexpected • (char) -1 becomes 0xFFFFFFFFF or 4,294,967,295

  50. Overflow Problem • Problem here to detect whether two unsigned 16-bit numbers would overflow when added? bool IsValidAddition(unsigned short x, unsigned short y) { if (x + y < x) return false; return true; }