Date post: 24-Dec-2015

Lecture 0. Course Introduction

Prof. Taeweon Suh
Computer Science & Engineering
Korea University

COM850 Computer Hacking and Security


Course Information

• Instructor: Prof. Taeweon Suh

• Textbook: HACKING – The Art of Exploitation, 2nd Edition, Jon Erickson, 2008

• Prerequisites: C-programming, Network Programming, Computer Architecture, Operating Systems

• References
  • Practical Packet Analysis using Wireshark to Solve Real-world Network Problems, Chris Sanders, 2nd Edition, no starch press, 2011
  • TCP/IP Protocol Suite, Behrouz Forouzan, 4th Edition, McGraw-Hill, 2009
  • TCP/IP Illustrated, Volume 1, W. Richard Stevens, Addison-Wesley, 1994

• Office hours
  • After class as needed
  • By appointment at Lyceum 307

• Course materials will be posted on the course web at http://esca.korea.ac.kr/

• Contact Information: [email protected], 02-3290-2397


Pioneers of Hacking

• John Draper
  • Hacked telephone line to make free calls
  • Arrested on toll fraud charges in 1972
  • Inspired 2 Steves

Discovery Channel’s The Secret History of Hacking, http://www.youtube.com/watch?v=Y47m1cOyKjA


Pioneers of Hacking

• Steve Wozniak
  • Apple co-founder
  • Started revolution in computers

• Kevin Mitnick
  • Hacked many computer systems
  • Convicted of various computer and communication-related crimes

Discovery Channel’s The Secret History of Hacking, http://www.youtube.com/watch?v=Y47m1cOyKjA


Hacking is Bad?

• Most people associate hacking with breaking the law and assume that everyone who engages in hacking activities is a criminal
  • Hackers are outlaws, snooping, stealing, and spreading viruses. No one has good words for them

• The essence of hacking is finding unintended or overlooked uses and applying them in new and inventive ways
  • Hacked solutions follow the rules of the system, but they use those rules in counterintuitive ways


“My” Hacking Classification

• Software hacking
  • Exploit vulnerabilities in software

• Hardware Trojan
  • Implant malicious hardware inside a chip

• Hybrid (hardware + software)
  • Software to trigger Hardware Trojans
  • Software based on the understanding of hardware details


Abstractions in Computer

[Figure: abstraction layers in a computer. Labels: Hardware Implementation; Instruction Set Architecture (ISA); Assembly language or Machine language; Operating Systems; Provides APIs (Application Programming Interface); Programming using APIs]


Software Hacking

• Exploit vulnerabilities in software
  • Classic buffer overflow
  • Heap-based overflow
  • Function pointer overflow
  • …

[Figure: Layout of virtual address space on IA-32]


Software Hacking

• Exploit weaknesses in network protocols and their implementation in software
  • Denial of Service (DoS): SYN flooding, Ping flooding, Ping of Death, Teardrop, Smurf and Fraggle attacks, Distributed DoS…


Hardware Trojan

• Relatively new and different attack method
• Implant malicious logic into a chip

[Figure: where a Trojan can be implanted. Labels: Implantation during Design Phase; IPs; HDL; Implantation during fabrication; Implantation via CAD tools]


Hardware Trojan

• Israel’s strike on nuclear plants in Syria (2007)

• A European chip maker recently built into its microprocessors a kill-switch that could be accessed remotely. French defense contractors have used the chips in military equipment

• Time-bomb …

“The Hunt for The Kill Switch,” IEEE Spectrum, May 2008


Hybrid

• Certain conditions created by software-triggered Hardware Trojans

• Software hacks computer systems based on understanding of hardware details

• Insecure hardware initialization by the BIOS
• The BIOS didn’t lock remapping registers after configuration
• Attackers reprogram these registers to map to TSEG
• Corrupt SMI handlers with malicious code

“Hardware Security in Practice: Challenges and Opportunities,” HOST, 2011


Objectives

• Our focus is on software hacking and security
  • In-depth understanding of x86 processor, compiler outcome, networking, and hopefully OS
  • Understand vulnerabilities in software
    • Classic buffer overflow in stack
    • Denial of Service (DoS) attacks
    • TCP/IP Hijacking
    • …
  • Study countermeasures to prevent attacks
  • As a side effect, get used to:
    • Linux system programming
    • x86-based assembly


Lab Environment

• Hardware: x86-based computers
  • Personal laptops are preferred

• Software: 32-bit Linux
  • The textbook contains a CD you can play with
  • Or, experiment with the latest Linux, but recent OSs are patched against well-known security threats
  • GDB, Wireshark …


Grading Policy

• Midterm Exam: 30%

• Final Exam: 30%

• Class Presentations: 40%

• Fail rule
  • You will be given an “F” if you are absent more than 3 times
  • 2 late show-ups will be counted as 1 absence


Understand Computer?

• How much do you “exactly” understand computers?

• Answer the following 2 questions


0.025 != 0.025 ?


0.07 != 0.07 ?


a x b x c != b x c x a ?


What Would You Get?

#include <stdio.h>

int main(void)
{
    signed int sa = 7;
    signed int sb = -7;
    /* Read the same bits back as unsigned to see the stored pattern. */
    unsigned int ua = *((unsigned int *) &sa);
    unsigned int ub = *((unsigned int *) &sb);

    printf("sa = %d : ua = 0x%x\n", sa, ua);
    printf("sb = %d : ub = 0x%x\n", sb, ub);

    return 0;
}


What Would You Get?

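#include <stdio.h>
#include <string.h>

int main(void)
{
    float f1 = -58.0;
    unsigned int u1;

    /* Copy the float's bytes into u1 (both assumed 32 bits). memcpy
       avoids the strict-aliasing violation of casting &f1 to unsigned int *. */
    memcpy(&u1, &f1, sizeof u1);

    printf("f1 = %f\n", f1);
    printf("f1 = %3.20f\n", f1);
    printf("u1 = 0x%X\n", u1);

    return 0;
}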

What is this?


What Would You Get?

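#include <stdio.h>
#include <string.h>

int main(void)
{
    double d1 = -58.0;
    unsigned long long u1;

    /* Copy the double's bytes into u1 (both assumed 64 bits). memcpy
       avoids the strict-aliasing violation of casting &d1 to an integer pointer. */
    memcpy(&u1, &d1, sizeof u1);

    printf("d1 = %lf\n", d1);
    printf("d1 = %3.20lf\n", d1);
    printf("u1 = 0x%llX\n", u1);

    return 0;
}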

What is this?


What Would You Get?

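#include <stdio.h>
#include <string.h>

int main(void)
{
    float f2 = -0.1;
    unsigned int u2;

    /* Copy the float's bytes into u2 (both assumed 32 bits). memcpy
       avoids the strict-aliasing violation of casting &f2 to unsigned int *. */
    memcpy(&u2, &f2, sizeof u2);

    printf("f2 = %f\n", f2);
    printf("f2 = %3.20f\n", f2);
    printf("u2 = 0x%X\n", u2);

    return 0;
}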

And What is this?

Why are these different?


What Would You Get?

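#include <stdio.h>
#include <string.h>

int main(void)
{
    float f3 = 0.7;
    unsigned int u3;

    /* Copy the float's bytes into u3 (both assumed 32 bits). memcpy
       avoids the strict-aliasing violation of casting &f3 to unsigned int *. */
    memcpy(&u3, &f3, sizeof u3);

    printf("f3 = %f\n", f3);
    printf("f3 = %3.20f\n", f3);
    printf("u3 = 0x%X\n", u3);

    return 0;
}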

What is this?

Why are these different?
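
Added example, not part of the original slides: the program below splits the quiz values into IEEE-754 sign, exponent and fraction fields and reports which of them change when stored in a float (-58.0 is exact; -0.1, 0.7, 0.025 and 0.07 are rounded, which is what the 20-digit printouts expose). It goes one step beyond the slides with a constructed a, b, c where the order of multiplication changes the result. Function names are illustrative, and a 32-bit IEEE-754 float is assumed.

```c
/* Added example; names are illustrative. Assumes a 32-bit IEEE-754 float. */
#include <float.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct f32_fields { unsigned sign; int exponent; uint32_t fraction; };

/* Copy the float's bytes into an integer of the same size. */
uint32_t f32_bits(float f)
{
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

/* Split a normal float (not zero, denormal, inf or NaN) into its fields. */
struct f32_fields f32_decode(float f)
{
    uint32_t u = f32_bits(f);
    return (struct f32_fields){ u >> 31, (int)((u >> 23) & 0xFF) - 127, u & 0x7FFFFF };
}

/* 1 if rounding the double d to float changes its value. */
int changed_by_float(double d)
{
    volatile float f = (float)d;   /* volatile forces a real 32-bit store */
    return (double)f != d;
}

/* (a*b)*c and (b*c)*a, with each intermediate rounded to float. */
void mul_orders(float a, float b, float c, float *abc, float *bca)
{
    volatile float ab = a * b, bc = b * c;
    *abc = ab * c;
    *bca = bc * a;
}

int main(void)
{
    const double samples[] = { -58.0, -0.1, 0.7, 0.025, 0.07 };  /* from the slides */
    float abc, bca;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct f32_fields r = f32_decode((float)samples[i]);
        printf("%6g sign=%u exp=%d frac=0x%06X rounded=%d\n", samples[i],
               r.sign, r.exponent, (unsigned)r.fraction, changed_by_float(samples[i]));
    }
    mul_orders(1e30f, 1e30f, 1e-30f, &abc, &bca);   /* constructed inputs */
    printf("(a*b)*c overflows: %d, (b*c)*a = %g\n", abc > FLT_MAX, bca);
    return 0;
}
```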


Intel’s Core i7 (2nd Gen.)

2nd Generation Core i7 (Sandy Bridge)

• 995 million transistors in 216 mm² with 32 nm technology
• L1: 32 KB
• L2: 256 KB
• L3: 8 MB

