SLIDE 1
CIS-5373: 6.January.2020
1
Bogdan Carbunar
CIS-5373 Systems Security
Class 1
CIS-5373: 6.January.2020
2
- Administrative Issues
- Textbooks
- Security Overview
CIS-5373 Systems Security Class 1 Bogdan Carbunar 1 CIS-5373: - - PowerPoint PPT Presentation
CIS-5373 Systems Security Class 1 Bogdan Carbunar 1 CIS-5373: - - PowerPoint PPT Presentation
CIS-5373 Systems Security Class 1 Bogdan Carbunar 1 CIS-5373: 6.January.2020 Outline Administrative Issues Textbooks Security Overview 2 CIS-5373: 6.January.2020 Administrative Issues Staff Bogdan Carbunar, associate
SLIDE 2
SLIDE 3
CIS-5373: 6.January.2020
3
- Staff
- Bogdan Carbunar, associate professor
- Communications
- Class web page:
http://www.cs.fiu.edu/~carbunar/teaching/cis5373/cis5373.S.2020/cis5373.htm
- E-mail: carbunar@cs.fiu.edu or carbunar@gmail.com
- Office Hours
- Mondays, ECS 383, 4pm – 5pm
- Prior appointment recommended
Administrative Issues
SLIDE 4
CIS-5373: 6.January.2020
4
- 1 final worth: 35%
- Date of exam: TBD, but May 2020
- Paper presentation: 35%
- Homework: 30%
- Extra credit: 5-10%
- Exceptional class participation
- Additional activities (e.g., programming project)
Class Grading (subject to changes)
SLIDE 5
CIS-5373: 6.January.2020
5
- Student paper presentations: 35%
- Papers will be posted on class web page
- Let me know in time (FIFO assignment rule)
Class Grading: Details (cont’d)
SLIDE 6
CIS-5373: 6.January.2020
6
- Administrative Issues
- Textbooks
- Security Overview
Outline
SLIDE 7
CIS-5373: 6.January.2020
7
- Security In Computing – 4th edition
Pfleeger and Pfleeger
- Cryptography and Network Security
William Stallings
- Applied Cryptography – 2nd edition
Bruce Schneier Available online
- Papers assigned for reading
- See class webpage
Textbooks
SLIDE 8
CIS-5373: 6.January.2020
8
- You don’t need to buy the books!
- http://www.wikipedia.org/
Textbooks (cont’d)
SLIDE 9
CIS-5373: 6.January.2020
9
- Administrative Issues
- Textbooks
- Security Overview
Outline
SLIDE 10
CIS-5373: 6.January.2020
10
- Vulnerabilities
- Malware
- Access Control
- Authentication & Key exchange
- Network Security
Some Topics (Subject to Change)
SLIDE 11
CIS-5373: 6.January.2020
11
- Administrative Issues
- Class Overview
- Security Overview
Outline
SLIDE 12
CIS-5373: 6.January.2020
12
- Protecting information and information
systems from unauthorized access [Source: wikipedia]
Information Security
SLIDE 13
CIS-5373: 6.January.2020
13
- Branch of information security applied to computers
- Objective: protection of information and property
- Theft, corruption, or natural disaster
- Allow the information and property to remain accessible and
productive to its intended users
[Source: wikipedia]
Computer Security
SLIDE 14
CIS-5373: 6.January.2020
14
- Provisions and policies adopted by a network
administrator to prevent and monitor
- Unauthorized access
- Misuse
- Modification
- Denial of access of network and resources
[Source: wikipedia]
Network Security
SLIDE 15
CIS-5373: 6.January.2020
15
- Goals: Protect
- Confidentiality
- Integrity
- Availability
Integrity Confidentiality Availability System Security
System Security
SLIDE 16
CIS-5373: 6.January.2020
16
- Information about system or its users cannot be learned
by an attacker
- Data Confidentiality:
- Private or confidential information is not revealed to
unauthorized individuals
Confidentiality
Confidentiality
SLIDE 17
CIS-5373: 6.January.2020
17
- The system continues to operate properly, only
reaching states that would occur if there were no attacker
- Data Integrity
- Information and programs are changed only in
specified and authorized manner
- System Integrity
- System performs intended function and nothing else
Integrity
Integrity
SLIDE 18
CIS-5373: 6.January.2020
18
- Actions by an attacker do not prevent users from
having access to use of the system
- Enable access to data and resources
- Timely response
- Fair resource allocation
Availability
Availability
SLIDE 19
CIS-5373: 6.January.2020
19
- Authenticity
- Being able to be verified and trusted
- Confidence in the validity of a message (originator)
- Accountability
- Actions of an entity can be traced to it
- Tracing a security breach to a responsible party
More Required Concepts
SLIDE 20
CIS-5373: 6.January.2020
20
System
- Security is about
- Honest user (e.g., Alice, Bob, …)
- Dishonest Attacker
- How the Attacker
- Disrupts honest user’s access to the system (Integrity, Availability)
- Learns information intended for Alice only (Confidentiality)
Alice Malory
General Picture
SLIDE 21
CIS-5373: 6.January.2020
21
Examples
- Confidentiality
- Student grades
- Available only to student, parents, employer
- Integrity
- Patient information e.g., allergies
- Can lead to loss of human life
- Availability
- Authentication service
- Unavailability can lead to financial loss
SLIDE 22
CIS-5373: 6.January.2020
22 Class 2
Program Security and Vulnerabilities
SLIDE 23
CIS-5373: 6.January.2020
23
- System correctness
- If user supplies expected input, system generates
desired output
- Good input Good output
- More features: better
- Security
- If attacker supplies unexpected input, system does not
fail in certain ways
- Bad input Bad output
- More features: can be worse
What is Security ?
SLIDE 24
CIS-5373: 6.January.2020
24
- Some contributing factors
- Few courses in computer security
- Programming text books do not emphasize security
- Few security audits
- C is an unsafe language
- Programmers have many other things to worry about
- Consumers do not care about security
- Security is expensive and takes time
Why Security Vulnerabilities ?
SLIDE 25
CIS-5373: 6.January.2020
25
- Buffer Overflow
- SQL Injection Attack
- Incomplete Mediation
- Time-of-Check to Time-of-Use Errors
- Malicious Code
In this lecture
SLIDE 26
CIS-5373: 6.January.2020
26
slide 26
- Morris worm (1988): overflow in fingerd
- 6,000 machines infected (10% of existing Internet)
- CodeRed (2001): overflow in MS-IIS web server
- Internet Information Services (IIS)
- Web server application
- The most used web server after Apache HTTP Server
- 300,000 machines infected in 14 hours
- SQL Slammer(2003): overflow in MS-SQL server
- 75,000 machines infected in 10 minutes (!!)
Famous Buffer Overflow Attacks
SLIDE 27
CIS-5373: 6.January.2020
27
slide 27
- Sasser (2004): overflow in Windows LSASS
- Local Security Authority Subsystem Service
- Process in Windows OS
- Responsible for enforcing the security policy on the system.
- Verifies users logging on to a Windows computer or server, handles
password changes, and creates access tokens
- Around 500,000 machines infected
- Conficker (2008-09): overflow in Windows Server
- Around 10 million machines infected (estimates vary)
Famous Buffer Overflow Attacks
SLIDE 28
CIS-5373: 6.January.2020
28
slide 28
- Buffer is a data storage area inside computer memory
(stack or heap)
- Intended to hold pre-defined amount of data
- If executable code is supplied as “data”, victim’s
machine may be fooled into executing it
- Code will give attacker control over machine
Memory Exploits
SLIDE 29
CIS-5373: 6.January.2020
29
slide 29
- Suppose Web server contains this function
void func(char *str) { char buf[126]; strcpy(buf,str); }
- When this function is invoked, a new frame with local
variables is pushed onto the stack
Allocate local buffer (126 bytes reserved on stack) Copy argument into local buffer
Top of stack
Stack grows this way
buf
Local variables
Frame of the calling function
ret addr
Execute code at this address after func() finishes
str
Arguments
sfp
Pointer to previous frame
Stack Buffers
SLIDE 30
CIS-5373: 6.January.2020
30
slide 30
- When func returns
- The local variables are popped from the stack
- The old value of the stack frame pointer (sfp) is recovered
- The return address is retrieved
- The stack frame is popped
- Execution continues from return address (calling function)
Top of stack
Stack grows this way
buf
Local variables
Frame of the calling function
ret addr
Execute code at this address after func() finishes
str
Arguments
sfp
Pointer to previous frame
Stack Buffers (cont’d)
SLIDE 31
CIS-5373: 6.January.2020
31
slide 31
- Memory pointed to by str is copied onto stack…
void func(char *str) { char buf[126]; strcpy(buf,str); }
- If a string longer than 126 bytes is copied into buffer,
it will overwrite adjacent stack locations
strcpy does NOT check whether the string at *str contains fewer than 126 characters
What If Buffer Is Overstuffed
Top of stack
Stack grows this way
Frame of the calling function
ret addr str
sfp buf
- verflow
This will be interpreted as return address!
SLIDE 32
CIS-5373: 6.January.2020
32
slide 32
- Suppose buffer contains attacker-created string
- For example, *str contains a string received from the
network as input to some network service daemon
Attacker puts actual assembly instructions into his input string, e.g., binary code of execve(“/bin/sh”) In the overflow, a pointer back into the buffer appears in the location where the system expects to find return address
code str
Frame of the calling function
ret
Top of stack
Attack 1: Smashing the Stack
- When function exits, code in the buffer will be
executed, giving attacker a shell
- Root shell if the victim program is setuid root
SLIDE 33
CIS-5373: 6.January.2020
33
Attack 2: Variable Overflow
char buf[80]; int authenticated = 0; void vulnerable() { gets(buf); }
- Somewhere in the code authenticated is set only if
login procedure is successful
- Other parts of the code test authenticated to provide
special access authenticated buf
- verflow
- Attacker passes 81 bytes as input to buf
authenticated becomes 1!
buf
SLIDE 34
CIS-5373: 6.January.2020
34
slide 34
Attack 3: Pointer Variables
void func(char *s){ char buf[80]; int (*fnptr)(); gets(buf); }
- fnptr is invoked somewhere else in the program
- This is only the definition
buf
Local variables
Frame of the calling function
ret addr
Execute code at this address after func() finishes
s
Arguments
sfp
Pointer to previous frame
fnptr
SLIDE 35
CIS-5373: 6.January.2020
35
slide 35
Attack 3: Pointer Variables (cont’d)
void func(char *s){ char buf[80]; int (*fnptr)(); gets(buf); }
- Send malicious code in s
- Overflow fnptr
- Pass more than 80 bytes in gets
- fnptr now points to malicious code
- When fnptr is executed, malicious
code is executed !
buf
Local variables
Frame of the calling function
ret addr
Execute code at this address after func() finishes
s
Arguments
sfp
Pointer to previous frame
fnptr
malicious code
buf
- ’flow
SLIDE 36
CIS-5373: 6.January.2020
36
slide 36
Attack 4: Frame Pointer
slide 36
void func(char *s){ char buf[80]; gets(buf); }
buf
Local variables
Frame of the calling function
ret addr
Execute code at this address even after func() finishes
s
Arguments
sfp
Pointer to previous frame
malicious code
buf
- ’flow
Send malicious code in s Change the caller’s saved frame ptr. Pass more than 80 bytes in gets sfp now points to start of malicious code When func returns, code is still on stack! One way to address overflows: zero out emptied stack locations Not enough!
SLIDE 37
CIS-5373: 6.January.2020
37
slide 37
- Executable attack code is stored on stack, inside the
buffer containing attacker’s string
- Stack memory is supposed to contain only data, but…
- For the basic attack, overflow portion of the buffer
must contain correct address of attack code in the RET position
- The value in the RET position must point to the beginning of
attack assembly code in the buffer
- Otherwise application will give segmentation violation
- Attacker must correctly guess in which stack position his
buffer will be when the function is called
Buffer Overflow Difficulties
SLIDE 38
CIS-5373: 6.January.2020
38
slide 38
- strcpy does not check input size
- strcpy(buf, str) simply copies memory contents into buf
starting from *str until “\0” is encountered, ignoring the size of area allocated to buf
- Many C library functions are unsafe
- strcpy(char *dest, const char *src)
- strcat(char *dest, const char *src)
- gets(char *s)
- scanf(const char *format, …)
- printf(const char *format, …)
Problem: No Range Checking
SLIDE 39
CIS-5373: 6.January.2020
39
slide 39
- strncpy(char *dest, const char *src, size_t n)
- If strncpy is used instead of strcpy, no more than n
characters will be copied from *src to *dest
- Programmer has to supply the right value of n
- Potential overflow in htpasswd.c (Apache 1.3):
… strcpy(record, user); strcat(record, ”:”); strcat(record, cpw); …
- Published “fix” (do you see the problem?):
… strncpy(record,user, MAX_STRING_LEN-1); strcat(record,”:”); strncat(record,cpw, MAX_STRING_LEN-1); …
Copies username (“user”) into buffer (“record”), then appends “:” and hashed password (“cpw”)
Does Range Checking Help ?
SLIDE 40
CIS-5373: 6.January.2020
40
Strncpy Missuse in htpasswd “Fix”
- Published “fix” for Apache htpasswd overflow:
MAX_STRING_LEN bytes allocated for record buffer
contents of *user
Put up to MAX_STRING_LEN-1 characters into buffer
:
Put “:”
contents of *cpw
Again put up to MAX_STRING_LEN-1 characters into buffer
… strncpy(record,user, MAX_STRING_LEN-1); strcat(record, ”:”); strncat(record,cpw, MAX_STRING_LEN-1); …
SLIDE 41
CIS-5373: 6.January.2020
41
slide 41