1

Recap

AuthenticationWhat a user knows, has, is

Password authenticationBasic model, why hashOnline, offline dictionary attackTime-memory tradeoff (dictionary, attack, advantage)Password salting

1

abc h(abc) h(h(abc)) … ht-1(abc) ht(abc)

abd h(abd) h(h(abd)) … ht-1(abd) ht(abd)

… … … … … …

foo h(foo) h(h(foo)) … ht-1(foo) ht(foo)

Alice md5(‘foo’||r1) r1

Bob md5(‘abc’||r2) r2

... ... ...

Outline

Basic ConceptPassword Challenge-ResponseBiometrics

and gummy bears

2

2

One-Time Password

Password replaySniff password then replay

SolutionHave many passwords, use each exactly once!

How to transmit so many passwords?How do user and server synchronize? Lamport’s scheme

Let server tell you which password to use

3

Let server tell you which password to useChallenge-response mechanismChallenge: hey, use that passwordResponse: okay, here’s the password

Lamport’s Schemeh: one-way hash function (e.g., MD5 or SHA-1)hn(k): h(h(h(...h(k)...)))

Registration

User Server

k ksecure channel

n

hn(k)

1st Authentication

hn-1(k)

4

k hn(k)hn-1(k) hn-1(k)

2nd Authentication

k hn-1(k)hn-2(k) hn-2(k)

3

Challenge-Response

U

Objective: prevent password replay dictionary attack

DES, RSA, HMAC, etc.

kUser Serverchallenge

response

5

k

response

time timechallenge

DES, RSA, HMAC, etc.

Hardware Support

SecurID displays a different number every 30-90sThe number is a function of the current time and date, and the ID of that particular cardAnother version has a keypad used to enter a PIN code

6

4

Pre-Encrypted Key Exchange

Objective: avoid sending challenge in clearHowever, this protocol is still open to dictionary attack

Alice BobAlice || {ks}p

Alice Bob

Alice Bob

{ChallengeB}ks

p, ksp

p, ks , ChallengeB

{ChallengeA || ChallengeB}ks

p, ks

p, ks , ChallengeB

p, ks , ChallengeB, ChallengeA

7

Alice Bob{ChallengeA}ks

p: password ks: session key{AAA}k: encryption Z||W: concatenation

g B

p, ks , ChallengeB, ChallengeA

p, ks , ChallengeB, ChallengeA

Encrypted Key Exchange (RSA)This defeats dictionary attacks

Alice || {e }pp, eAlice , dAlice pAlice Bob

Alice || {eAlice}p

Alice Bob{{(ks}eAlice}p

Alice Bob{ChallengeA}ks

Al B b

p, Alice , Alice p

p, eAlice , dAlice p, eAlice, ks

p, eAlice , dAlice , ks

{ChallengeA || ChallengeB}ks

p, eAlice, ks

8

Alice Bob

Alice Bob{ChallengeB}ks

p: password ks: session keyeAlice: public key chosen by Alice dAlice: the private key

5

Outline

Basic ConceptPassword Challenge-ResponseBiometrics

and gummy bears

9

BiometricsAutomated measurement of biological, behavioral features that identify a person

Fingerprints: graph isomorphismFingerprints: graph isomorphismVoices: statistical techniquesEyes: patterns in irisesFaces: image, or specific characteristics like distance from nose to chinKeystroke dynamics: keystroke intervals, pressure,

10

y y y , p ,duration of stroke, where key is struck

6

Gummy Bears Defeat BiometricsMany commercial fingerprint scanners can be reliably fooled with $10 worth of household suppliessupplies

From both real fingers or residue fingerprintsCan wear a transparent fake finger on real fingerUsing

Gelatin, what Gummy Bears are made out ofDigital camera, inkjet printer, photo-sensitive PCB, etc.Fool all 11 commercial fingerprint scanners 80% of time

11

Fool all 11 commercial fingerprint scanners, 80% of time

Gummy Bears Defeat Biometrics

Borrowed from Tsutomu Matsumoto’s talk ‘Importance of Open Discussion on Adversarial Analyses for Mobile Security Technology’

12

7

INSE 6130 Operating System Security

Logging/Auditing and Vulnerability/Defense

13

Prof. Lingyu Wang

Outline

Logging and AuditingVulnerability and Defensey

14

8

OverviewMotivation

Normal users - trust, but verify (Доверяй, но проверяй)проверяй)Attacker – track down what has happened

LoggingRecord events or statistics (summary) to logsExample: failed logins, failed su’s, last logins, system calls, network traffic, etc.

15

AuditingAnalyze log records for meaningful resultsExample: manual inspection, intrusion detection (IDS), alert correlation, IP trace back, etc.

Overview (Cont’d)

RelationshipLogging provides inputs to auditingAuditing makes sense out of logs

ChallengeLogging: Attackers will alter or delete logs of their activities Auditing: Heavily depend on human intervention

G d h i H i ll f l

16

Good research topic: How to automatically extract useful information from logs

9

Logging Example: WindowsThree logs for different types of events

System event log: system crashes, component failures, etcApplication event log: as requested by applicationsApplication event log: as requested by applicationsSecurity event log: logging in and out, system file accesses, etc

Log files are binaryUse Event Viewer to read

Default location: C:\WINNT\system32\config\(AppEvent.Evt, SecEvent.Evt, SysEvent.Evt)

HKEY LOCAL MACHINE\SYSTEM\C C lS \S i \E l

17

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

Default size 512KCan set to overwrite events when exceeding a certain size

Logging Example: Windows (Cont’d)

18

10

Logging Example: Windows (Cont’d)

Performance logsPerformance data from local or remote computersIn a comma-separated or tab-separated format, a binary log-file format, or SQL database formatBecause logging runs as a service, data collection occurs regardless of whether any user is logged onThree types

Counter: e.g., cpu usage, memory, etc.

19

Counter: e.g., cpu usage, memory, etc.Trace: begin logging only after an event occur, e.g., crashAlert: a message be sent, a program be run, an entry be made to the application event log, etc.

Auditing Example - Backtracker

Question: When break-ins happen, how can we figure out which application was exploited?

Backtracker solution:In operating systems, causal dependencies exist between processes and files/file names (e.g., read/write a common file)Use the causal dependency to track from detected

20

Use the causal dependency to track from detected event (e.g., using Tripwire) back to exploited applications

Based on Sam King and Peter Chen’s Slides here

11

BackTracker

intrusion detected

intrusion occurs

BackTracker runs, shows source of intrusion

21

Online component logs objects and events - LoggingOffline component find entry point and sequences of events leading to the detecting point - Auditing

Based on Sam King and Peter Chen’s Slides here

What Dependency To Track?

Process / Processfork, clone, etc (creating, sharing memory, signaling)

Process / Fileread, write, exec

Process / Filenameopen, creat, link, unlink, mkdir, rmdir, chmod, etc

22Based on Sam King and Peter Chen’s Slides here

12

Process

File

Socket

Detection pointDetection point

Fork event

Read/write event

23

Based on Sam King and Peter Chen’s Slides here

Outline

Logging and AuditingVulnerability and Defensey

24

13

Top Vulnerabilities - Windows

Top Vulnerabilities in Windows SystemsInternet Explorer (buffer overflowed by examples)Microsoft Office (buffer overflowed by examples)Windows Libraries, for example:

.WMF image causes remote execution (CVE-2005-4560)Buffer overflow DOS in HTML help (.hhp) (CVE-2006-3357)

Windows Services, for example:Buffer overflow in Server Service (CVE-2006-3439)

25

Buffer overflow in Server Service (CVE 2006 3439)

Windows Configuration WeaknessesNTLM password hashes

http://www.sans.org/top20

Top Vulnerabilities - UNIX Top Vulnerabilities in UNIX Systems

UNIX Configuration WeaknessesE B t f tt k SSH dE.g., Brute-force attack on SSH passwords

Mac OS XE.g., Safari, when rendering RTF files, can directly access URLs without performing the normal security checks (CVE-2005-2516)Securing Mac OS X 10.4 Tiger (http://www.corsaire.com/white-papers/050819-securing-mac-os-x-tiger pdf)

26

os x tiger.pdf)

Resources for vulnerabilityCVE, Bugtraq, Nessus plugin DB, NVD, etc.

http://www.sans.org/top20

14

Vulnerability Example

PHP open_basedir race condition vulnerabilityRelease Date: 2006/10/04Author: Stefan Esser [sesser@hardened-php.net]Application: PHP 4/5 Risk: CriticalThe successful exploitation of this vulnerability allows access to files normally not accessible due to the open basedir restriction

27

open_basedir restrictionE.g., /etc/shadow

http://www.hardened-php.net/advisory_082006.132.html

Background

PHP open_basedir configuration directiveIt tells PHP only files within the specified directory trees can be opened by scriptsSymbolic links are fully parsed, so no get around (well, let’s see)

ExampleIf my web space’s root is /www/home/w/wang, then my php scripts cannot visit /etc

28

my php scripts cannot visit /etcYou cannot even create a symbolic link to /etc using function symlink(), eitherBut…

15

Create the Link to /Symbolic links are fully parsed

So no easy get aroundSuppose we are in /www/home/w/wang and we want to take a look at / through php scripts<?php mkdir("a/a/a/a"); symlink("a/a/a/a", "dummy"); symlink("dummy/../../../../", “mylnk");

29

y ( y/ / / / / , y );unlink("dummy"); symlink(".", "dummy"); ?>

Now mylnk points to /

Let’s Race

Run two scripts simultaneouslya.php: keeps alternating a symbolic link ‘newlnk’between ‘mylnk’ and ‘/www/home/w/wang’ in a loopb.php: keeps listing directory “newlnk” in a loop

Sooner or laterb.php gives you the content in /

30

16

Race Condition

There is a small time span between php checks permissions and it actually opens a file

When php check for permission, newlnk points to ‘/www/home/w/wang’, which is allowedWhen php opens the directory, newlnk points to ‘mylnk’, which in turn points to ‘/’

open_basedir

okayopen

b.php

31

/www/home/w/wang

/

okay

/www/home/w/wang

/

a.php

Defense - Objectives

Detect intrusionsPreviously known attacksZero-day attacks

In a timely fashionReal-time

Present accurate resultsFalse positives, false negatives

32

p , g

In an easy-to-understand formatAlerts versus attack scenarios

17

Classification of Intrusion Detection

(We are considering Host-Based IDS)Anomaly detectiony

Assumption: attacks vary from normal behaviorsMethod: statistics, data mining, Machine learning, etc.Advantage: potentially detect zero-day attacksDisadvantage: (theoretically) less accurate

Misuse detection

33

Assumption: attacks can be identified with a signatureMethod: state transition, colored Petri net, etc.Advantage: more accurateDisadvantage: can only detect modeled attacks

Example of Anomaly Detection

Sequence of system calls (Forrest 1996)Trainingg

Training data: open read write open mmap write fchmod close

Sliding window of size 1+3 (1 followed by 3)open read write open

open mmap write fchmod

read write open mmap

34

write open mmap write

write fchmod close

mmap write fchmod close

fchmod close

close

This is the normal behavior

18

Example of Anomaly DetectionDetection

open read write openopen mmap write fchmodread write open mmapread write open mmapwrite open mmap writewrite fchmod closemmap write fchmod closefchmod closeclose

open read read open mmap write fchmod closeDiffers in 5 places:

Second read should be write (1st line)Second read should be write (3rd line)

35

Second read should be write (3rd line)Second open should be write (3rd line)mmap should be open (3rd line)write should be mmap (3rd line)

18 possible places of difference18=5*3+2+1Mismatch rate 5/18 ≈ 28% ? A pre-defined threshold

Difficulty w/ Anomaly Detection

Question: Is an 99% accurate IDS any good?Intuitivelyy

Answer: maybe?

Counter-intuitivelyAnswer: not necessarily!If attack rate is one attack per 1,000,000 calls

Which is reasonable

36

The base rate fallacy says the IDS will generate about 10,000 false positives for every real attack it detects

Which is absolutely not acceptable

Why?

19

Base Rate Fallacy

What does the attack rate mean?In 100,000,000 calls, there are 100 real attacks

What does 99% accuracy mean? False positives: (100,000,100 - 100)*1/100= 1,000,000False negatives: 100*1/100= 1

100,000,000-1001 000 000

attack but not detected

37

normal and not detected1,000,000

normal but detected attack and

detected

99

1

1,000,000 false positives per 99 detected attacks!false negativefalse positive

Example of Misuse Detectiont1 %cp /bin/csh /usr/spool/mail/roott2 %chmod4755 /usr/spool/mail/roott3 %touch xt4 %mail root<xt5 %/usr/spool/mail/roott6 $

t1 t2 t SUID h ll ‘/ / l/ il/ t’

38

t1,t2 create a SUID shell ‘/usr/spool/mail/root’t3,t4 let mail to change the shell’s owner to be rootThen you have an executable root’s shell

Cool, but how do we create a signature for this attack?

20

Colored Petri Net

The attack steps are partially orderedt1<t2, t3<t4, t1<t5, …?Modeled with a colored Petri net

39

Colored Petri Net (Cont’d)

Will these be detected?t3, t1, t2, t4t1, t3, t2, t4t2, t1, t3, t4t1, t2, t4

40

21

Difficulty of Misuse Detection

Zero day exploitExploit is on the same day or before the vulnerability is publicizedIt has no signature

Other defense methods, for example,Buffer overflow overwrite memory from the buffer to the et n dd e

41

to the return address So put a ‘canary word’ before return addressIf it’s been changed, the function won’t returnThe canary word must be random, why?

Other OS Defense Methods

NX bitNo eXecute bit (last bit of the paging table entry)Can be used to mark stack as non-executable to prevent buffer overflow attacksPentium 4 or later, AMD64Many OS support this or emulate it via software

Linux, Solaris 10, WinXP SP2, Win2003 SP1, etc.

Vulnerable to return-to-libc attack

42

Vulnerable to return-to-libc attackNo need to return to shell code on stack, but return to existing function

22

Other OS Defense Methods

Memory randomizationMake buffer overflow, including return-to-libc, more difficultBasic idea:

Buffer overflow and return-to-libc exploits need to know the address of attack code in the buffer, or address of a standard kernel library routineSame address is used on many machines

Slammer infected 75 000 MS SQL servers using same code

43

Slammer infected 75,000 MS-SQL servers using same code

So introduce artificial diversity Make stack addresses, addresses of library routines, random

Supported by OpenBSD, Windows vista, PaX, Hardened Gentoo, etc.

w/o Randomization

Stack Frame

ret

addr

ret

addr

code

buf

Exploit!

44

3 GB

23

w/ Randomization

Stack Frame

ret

addr

ret

addr

code

buf

crash

buf

45

3 GB

De-Randomization

The amount of randomness is limitedPaX only uses 16 bit of random shift

Subject to de-randomization attacksRepetitively guess randomized addressSpraying injected attack code

46

24

De-Randomization 1

Stack Frame

ret

addr

ret

addr

code

buf

Pad

crash

47

Step 1

De-Randomization 2

Stack Frame

ret

addr

ret

addr

code

buf

Pad

crash

48

Step 2

25

De-Randomization 3

Stack Frame

ret

addr

ret

addr

code

buf

Exploit!

Pad

49

Step 3216 seconds (avg.) to de-randomize!

http://www.stanford.edu/~blp/papers/asrandom.pdf

Spraying AttacksExploit a buggy application and “spray” attack code in write-able user-level memory areas

code

buf

50

Exploit!