CS 134: Operating Systems
Security (continued)
2012-12-10
1 / 23
Overview
Attacks
Defenses
2 / 23
Attacks
Defense Rule #1
Rule #1 of defending against bad guys is the same regardless of whether you’re doing computer security, neighborhood crime patrols, or interstellar warfare: think like the enemy. This means you need to develop a nasty attitude. When you walk
(try to) get rich. Could they succeed?
3 / 23
Notes: HMC depends a lot on a combination of the honor code and the fact that we have good mechanisms for keeping outsiders off campus.
Common Attacks
We’ve already seen MITM. Other common attacks include:
◮ Logic bombs
◮ Trap doors
◮ Random probes
◮ Password guessing
◮ Privilege escalation
◮ Buffer overflows (oh my!)
◮ Trojan horses
◮ Viruses
◮ Worms
◮ Social engineering
But that’s not all. . .
4 / 23
Notes: The point here is that no list of attacks is comprehensive.
The Rounding Attack
This really happened:
◮ Banks have to round interest to nearest penny
◮ Programmer rewrote rounding code:
. . . But that leaves bank out of balance, so credit leftover penny to
◮ Every month, hits 50% of customers on average
◮ Even small bank has thousands of customers. . . big one has hundreds of thousands or millions
5 / 23
Notes: The point of talking about this attack is that it doesn’t fall into the neat categories from the previous slide. The bad guy was caught because a “little old lady” checked her statement carefully, and when it didn’t make sense she went to the bank and asked for help. But there’s another enduring principle here: greed. The bad guy could have fled before he was uncovered, but the money was rolling in every month and so he kept wanting more.
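An added example, not from the lecture, of the per-account audit that catches this kind of ledger: the balances, monthly rate and sweep-account number are constructed, and `truncating` models the rewritten rounding routine as always rounding down. The ledger stays in balance under both routines, so only recomputing each account against the stated policy reveals the skim.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

# Constructed data: account -> balance in cents, and a monthly interest rate.
BALANCES = {1: 123456, 2: 100000, 3: 99999, 4: 250375}
RATE = Decimal("0.004")
SWEEP = 9999          # account that quietly receives the leftover fractions


def exact_interest(balance_cents: int) -> Decimal:
    """Interest in cents before any rounding."""
    return Decimal(balance_cents) * RATE


def correct_rounding(x: Decimal) -> int:
    """Bank policy from the slide: nearest penny (ties go to even)."""
    return int(x.quantize(Decimal("1"), rounding=ROUND_HALF_EVEN))


def truncating(x: Decimal) -> int:
    """Behaviour of the rewritten routine: always round down."""
    return int(x.to_integral_value(rounding=ROUND_DOWN))


def post_month(balances: dict, rounder) -> dict:
    """Post one month of interest; whatever rounding leaves over goes to SWEEP.

    Both rounders leave the ledger in balance, which is why a totals-only
    reconciliation never notices the difference between them.
    """
    posted, leftover = {}, Decimal(0)
    for acct, bal in balances.items():
        exact = exact_interest(bal)
        posted[acct] = rounder(exact)
        leftover += exact - posted[acct]
    posted[SWEEP] = correct_rounding(leftover)
    return posted


def audit(balances: dict, posted: dict) -> list:
    """Independently recompute every account; return (acct, posted, expected) mismatches.

    This is what the customer in the notes did for her own statement: compare
    the posted figure with what the stated rounding policy says it should be.
    """
    mismatches = []
    for acct, bal in balances.items():
        expected = correct_rounding(exact_interest(bal))
        if posted.get(acct) != expected:
            mismatches.append((acct, posted.get(acct), expected))
    return mismatches


def skimmed_cents(posted: dict) -> int:
    """Cents that landed in the sweep account this month."""
    return posted[SWEEP]
```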
Logic Bombs
Insider adds code that will destroy system on condition x
Typically, x becomes true when insider gets fired
◮ E.g., daily deadman switch
Variant: don’t destroy system, just encrypt it and use key for blackmail
6 / 23
Trap Doors
Rewrite login program to accept hardwired account and password
Insider can now get root access even after being fired and having account deleted
For insidiously nasty variant, read “Reflections on Trusting Trust,” Ken Thompson’s Turing Award lecture
Scary thought: it can be done in hardware, and neither we nor Intel have a way to find out if it has been
7 / 23
Random Probes
Myth: “Sure, they attack Google all the time. But nobody knows my machine even exists.”
Reality: Bad guys don’t need to know your name or where you
this can be done.)
⇒ Assume intruders will find you and probe you, unless a firewall (or possibly NAT box) protects you
8 / 23
Password Guessing
Having probed, log into an account:
◮ User guest, password guest
◮ admin/admin
◮ root/<null> (really!)
Bad guys have huge lists of common accounts (e.g., phpadmin, cisco, help) and passwords
Variation: acquire encrypted passwords and rather than decrypting, run common passwords through one-way encryption algorithm to search for hits (“dictionary attack”)
9 / 23
Privilege Escalation
Insiders can do bad things by getting unauthorized access
Especially bad in military-ish settings
Outsiders can first crack an inside account with a weak password, then use privilege escalation to get more sensitive access (outside→inside attack)
10 / 23
Buffer Overflows
You did this in CS 105
Typically allows execution of arbitrary code with privileges of attacked process
One of the worst!
All due to bad design decisions in C language (where “bad” == “couldn’t reliably predict the future”)
New variant: return-oriented programming can overcome (almost?) all current defenses
11 / 23
Notes: ROP is a bit like level 0 of the buffer bomb, where you just called a preexisting function. The only defense I can see is to arrange that every time a new stack frame is created, the VM tables are adjusted such that nothing above the local variables is writable. I don’t think that’s practical, for several reasons.
Command Injection
Many Web sites insert client input into a command

```sql
SELECT id FROM employees WHERE name = 'user input';
```

12 / 23
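An added example, not from the lecture, using Python’s sqlite3 as a stand-in database and a constructed `employees` table: the query built by string concatenation hands the client’s text to the SQL parser, so even an innocent apostrophe in a real name changes the command, while the parameterized query binds the same text as data and never lets it reach the parser.

```python
import sqlite3

# Constructed table standing in for the lecture's `employees`.
EMPLOYEES = [(1, "alice"), (2, "O'Brien"), (3, "bob")]


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_input: str) -> list:
    """The slide's pattern: client input spliced into the command text.

    Whatever the client sends becomes part of the SQL the parser reads, so
    the client, not the programmer, decides where the string literal ends.
    """
    sql = "SELECT id FROM employees WHERE name = '" + user_input + "';"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """Parameterized query: the command text is fixed; the input is bound as data."""
    sql = "SELECT id FROM employees WHERE name = ?;"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def compare(user_input: str) -> dict:
    """Run both lookups on the same input and report what each did."""
    conn = setup()
    out = {"safe": lookup_safe(conn, user_input)}
    try:
        out["unsafe"] = lookup_unsafe(conn, user_input)
    except sqlite3.Error as exc:   # the SQL parser, not the application, decided the outcome
        out["unsafe"] = "error: " + str(exc)
    return out
```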
Trojan Horses
Pretend to be what you’re not
Canonical example:

```c
clear_screen();
printf("Login: ");
gets(login_name);
printf("Password: ");
gets(password);
/* record the stolen information */
printf("Login failed\n");
execv("/bin/login", NULL);
```

User reveals password, thinks she just mistyped it
Note that phishing is a variant on the Trojan horse
13 / 23
Viruses and Worms
Both are self-propagating programs: make new copies in places that will let them spread further
Virus: attaches itself to a legitimate program; when real program is run, it spreads
Worm: standalone program that tries to infect other systems, either via network or “sneakernet” (e.g., USB drive)
Worm propagation is often via weaknesses such as phishing or buffer overflows
Virus-ness or worm-ness is secondary; they’re just carriers for malware
14 / 23
Social Engineering
Basic idea: trick humans into doing what you want
Usually depends on fact that people are either (a) helpful or (b) venal:
◮ Hey, I’m at a customer site and I must have forgotten the stupid root password. What is it again?
◮ Click here for naked pictures of Dustin Hoffman
◮ My name is Mrs. Abdullah Suckergrabber and in the name of Jesus I needs your help to transfer $40 MILLION dollars my late husband stoll from the impoverished person of Afirca.
. . . or just drop a USB drive in a parking lot.
Note that phishing is a special case of social engineering
15 / 23
Notes: Note that the USB-drive attack only works because Windows will stupidly auto-run software from an unknown source. Kevin Mitnick’s book has a wealth of social-engineering attacks. Basic principle: carry a clipboard and people will trust you.
Defenses
So What to Do?
16 / 23
Strong Passwords
Choose long, strong passwords
Breaking news 12/10/12: Windows NTLM passwords cracked at 350 billion/second! (That’s billion with a “b”, folks.)
But be sensible: evite.com doesn’t need same security as your bank
17 / 23
Notes: Also, don’t share passwords across sites unless you’re willing to change a bunch when a site gets cracked.
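An added example, not the lecture’s code, covering both the dictionary attack from the Password Guessing slide and this slide’s cracking rate: a fast unsalted store falls to a precomputed table lookup, while a random per-user salt plus a PBKDF2 work factor (200,000 iterations is an assumed setting) forces one slow computation per guess per account. SHA-1 stands in for NTLM’s MD4; usernames and passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000       # work factor; an assumed setting, tune to your hardware


def store(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for a new account: random per-user salt, slow KDF."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def fast_unsalted(password: str) -> bytes:
    """Shape of an NTLM-style store: one fast, unsalted hash per password.
    (SHA-1 stands in here; real NTLM is MD4 over the UTF-16LE password.)"""
    return hashlib.sha1(password.encode()).digest()


def precompute(wordlist) -> dict:
    """The dictionary attack's table: hash every common password once, up front."""
    return {fast_unsalted(w): w for w in wordlist}


def lookup(digest: bytes, table: dict):
    """Against an unsalted store, a stolen hash is a single table lookup.
    A salted digest is not in any precomputed table: the salt changes it per user."""
    return table.get(digest)


def guesses_per_second(unsalted_rate: float, iterations: int = ITERATIONS) -> float:
    """Rough effect of the work factor: each guess now costs `iterations` HMACs,
    so the slide's 350e9/s against NTLM shrinks by about that factor (ignoring
    the per-primitive speed difference between MD4 and HMAC-SHA256)."""
    return unsalted_rate / iterations
```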
Password Changing
Many sites require periodic password changes (e.g., monthly or quarterly)
Class Exercise: What attacks does this protect against?
Class Exercise: When asked to change your password, what do you tend to pick?
18 / 23
Logging and Monitoring
Keep track of what’s going on
Report unusual events
Tune filters to suppress false positives
Important: keep logs somewhere harder to crack
19 / 23
Notes: Intruders love to clean their tracks from the logs. HMC CS sends all logs on “watcher”: runs no other services, doesn’t allow normal logins, isn’t easily visible to outside world.
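An added example of the “report unusual events, tune filters” step, not from the lecture or HMC’s setup: it flags sources hammering the common account names from the Password Guessing slide, with an allowlist for a known-noisy internal probe. The sshd-style log lines, TEST-NET addresses and the `nagios` probe account are constructed; the analysis belongs on the copy held by the log host, not on the box being attacked.

```python
import re
from collections import Counter

# Constructed sshd-style auth log (TEST-NET addresses); not a real capture.
AUTH_LOG = """\
Dec 10 09:00:01 host sshd[4242]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Dec 10 09:00:02 host sshd[4243]: Failed password for invalid user guest from 198.51.100.7 port 51002 ssh2
Dec 10 09:00:02 host sshd[4244]: Failed password for root from 198.51.100.7 port 51003 ssh2
Dec 10 09:00:03 host sshd[4245]: Failed password for invalid user cisco from 198.51.100.7 port 51004 ssh2
Dec 10 09:00:03 host sshd[4246]: Failed password for invalid user phpadmin from 198.51.100.7 port 51005 ssh2
Dec 10 09:00:04 host sshd[4247]: Failed password for root from 198.51.100.7 port 51006 ssh2
Dec 10 09:05:10 host sshd[4300]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Dec 10 09:05:15 host sshd[4301]: Accepted password for alice from 203.0.113.9 port 40001 ssh2
Dec 10 09:10:00 host sshd[4400]: Failed password for nagios from 10.0.0.5 port 33001 ssh2
Dec 10 09:10:01 host sshd[4401]: Failed password for nagios from 10.0.0.5 port 33002 ssh2
Dec 10 09:10:02 host sshd[4402]: Failed password for nagios from 10.0.0.5 port 33003 ssh2
Dec 10 09:10:03 host sshd[4403]: Failed password for nagios from 10.0.0.5 port 33004 ssh2
Dec 10 09:10:04 host sshd[4404]: Failed password for nagios from 10.0.0.5 port 33005 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_logins(log: str) -> list:
    """Return (user, source) for every failed-password line; successes are ignored."""
    out = []
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def suspicious_sources(log: str, threshold: int = 5, allowlist=frozenset()) -> dict:
    """Sources with at least `threshold` failures, after the filter tuning the
    slide calls for: allowlisted sources (e.g. a misconfigured monitoring probe)
    are dropped so they stop drowning out the real event."""
    counts = Counter(src for _, src in failed_logins(log))
    return {src: n for src, n in counts.items() if n >= threshold and src not in allowlist}


def accounts_tried(log: str, source: str) -> list:
    """Account names one source guessed; the slide's common-account list tends to show up."""
    return sorted({user for user, src in failed_logins(log) if src == source})
```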
Firewalls
Don’t let attacker get there in the first place
◮ Block network ports not in use
◮ Restrict access to known IP addresses (usually internal)
◮ Prohibit known attackers (all of China?)
◮ Block IPs that launch attacks
20 / 23
Virus Scanners
Most malware is built from standard kits
⇒ Has detectable signature (checksum)
⇒ Scan incoming files for known-bad checksums
Problems:
◮ Assumes database of malware (requires updating)
◮ Potentially CPU-intensive
◮ Malware authors can disguise things
Class Exercise: Sample disguise: encrypt entire program with key unique to this
the defenses?
21 / 23
Notes: The decryption code must be in the clear. But it doesn’t have to be the same everywhere; there are many ways to accomplish a goal, and dummy instructions can be inserted. It’s a permanent arms race. . .
Integrity Checking
Don’t try to detect the malware
Instead, spot changes in legitimate files
. . . or sign programs when received from manufacturer
Class Exercise: What are the weaknesses in this approach?
22 / 23
Notes: Weaknesses: many files change legitimately. Bad guy can modify record of file checksums, so it must be protected.
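An added example, not from the lecture, contrasting the two preceding slides: a signature scanner keyed on checksums, which any byte-level disguise defeats, next to an integrity baseline whose record is an HMAC under a key held off the monitored host, so the “modify the record of checksums” weakness in the notes now requires the key as well. The file contents, the inert kit sample and the key are all constructed.

```python
import hashlib
import hmac

# Constructed stand-ins: an inert "kit" sample and two trusted binaries.
KIT_SAMPLE = b"STANDARD-KIT-SAMPLE-1 inert marker bytes, not executable"
TRUSTED = {"/bin/login": b"login program build 1", "/bin/ls": b"ls program build 1"}
OFFLINE_KEY = b"constructed key kept off the monitored host"


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Virus-scanner model: a database of known-bad checksums (needs constant updating).
KNOWN_BAD = {checksum(KIT_SAMPLE)}


def scan(data: bytes) -> bool:
    """True if an incoming file matches a signature. Re-encrypting the body,
    padding it, or inserting a dummy instruction all change the checksum, which
    is the arms race the notes describe."""
    return checksum(data) in KNOWN_BAD


# Integrity-checker model: don't look for malware, look for change in what we trust.
def baseline(files: dict, key: bytes) -> dict:
    """Keyed record (HMAC-SHA256) of every trusted file. Because the record is
    keyed, editing /bin/login is not enough: the intruder would also need the
    key to write a matching record entry."""
    return {name: hmac.new(key, data, "sha256").hexdigest() for name, data in files.items()}


def changed(files: dict, record: dict, key: bytes) -> list:
    """Names whose current keyed hash differs from the record (modified, added or removed)."""
    fresh = baseline(files, key)
    return sorted(n for n in set(files) | set(record) if fresh.get(n) != record.get(n))
```

A record forged without the key fails for every file, so the forgery is itself the alarm.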
Sandboxing (Jailing)
Run outside software (or even inside stuff) inside protected environment
Prevent unexpected activity (writing files, network connections)
Problem: hard to define what’s good and bad
23 / 23