SLIDE 1 CS 161: Computer Security
http://inst.eecs.berkeley.edu/~cs161/
January 16, 2017
ROOM FIRE CODE
SLIDE 2 And a team of talented TAs
Head TAs: Keyhan and Won
SLIDE 3 and talented readers
Jianan Lu Kijung Kim Katharine Jiang Kate Xu Denis Li Audrey Ku Kevin Ma David Niu Billy Zhao Anusha Syed Riku Miyao
SLIDE 4
What is Computer Security?
Detects or prevents unwanted use of computer systems or data
SLIDE 5
Why security?
SLIDE 6
SLIDE 7 Why should you care?
Millions of compromised computers, millions of stolen passwords, stolen money
SLIDE 8
It is important for our
- physical safety and safety of our possessions
- confidentiality of data/privacy
- functionality
SLIDE 9
Safety
Adversaries can affect our safety by tampering with pacemakers, planes, cars
SLIDE 10
Privacy/confidentiality
Adversaries get access to medical, financial, personal user data, or sensitive corporate data
Pretty much any major company collecting user data has been hacked
140 million records breached (containing SSN, names, credit cards)
SLIDE 11 Computer Science 161 Fall 2016 Popa and Weaver
Can aff s economy
X
SLIDE 12
SLIDE 13
Learn About Security Make a Difference
SLIDE 14 Computer security is not only important but it is
FUN!
- You are playing a game: can you stop the attacker?
- Beautiful blend of analytical thinking (math) and
engineering (build systems)
SLIDE 15 Computer security is varied
Cryptography
Network security
Operating systems security
Web security
Database security
Distributed systems security
Machine learning and security
Security usability
It has room for many skills
Big challenge: many of you the expertise in those areas Provides a glimpse of these disciplines Tell us what concepts you need more background in
SLIDE 16
Logistics
SLIDE 17
Course Structure
Absorb material presented in lectures and section
Lecture will be webcast
3 course projects (24% total)
Done individually or in small groups
~4 homeworks (16% total)
Done individually
Two midterms (30%)
A comprehensive final exam (30%)
SLIDE 18
Textbooks
No required textbook. If you want extra reading:
Optional: Introduction to Computer Security, Goodrich & Tamassia
Optional: The Craft of System Security, Smith & Marchesini
SLIDE 19 Class Policies
Late homework: no credit
Late project: -10% if < 24 hrs, -20% < 48 hrs,
hrs
Never read or share solutions, code, etc. with someone else, nor read past materials: work on your own (unless assignment states otherwise).
If lecture materials available prior to lecture, use to answer questions during class
Participate in Piazza
Send course-related questions/comments, or ask in
scale.
SLIDE 20
Ethics
We will be looking for plagiarism, both manually and using advanced software; we can identify copying even if not exact, including from old material or submissions
We will apply severe penalties including reporting to Student Conduct office
SLIDE 21
THREAT MODELS
SLIDE 22 Threat models
Cannot protect against all possible attackers
High-level goal is risk management
Much of the effort concerns raising the bar and trading off resources
How to prudently spend your time & money?
Key notion of threat model: what you are defending against
Determines which defenses are worthwhile
SLIDE 23 Threats have evolved
Spam, pharmaceuticals, credit card theft, identity theft
SLIDE 24 Threats have evolved
Attackers have become more sophisticated; arms race between attackers and defenders fuels rapid innovation in malware
but not all security is an arms race, there are definite solutions to certain settings
Many attacks aim for profit and are facilitated by a well-
SLIDE 25 Threats have evolved
Spam, pharmaceuticals, credit card theft, click fraud
Government actors: Stuxnet, Flame, Aurora, Sony
Private activism: Anonymous, Wikileaks
SLIDE 26
SLIDE 27
SLIDE 28
SLIDE 29
SLIDE 30
Lesson
To protect computer systems, you must know your enemy defenses that are good enough to stop the
SLIDE 31
2 CLASSICAL EXPLOITS
SLIDE 32
Epic Hack: Internet worm
The first Internet worm, Morris worm
A grad student experimented (in the lab) with self-spreading malware
It got out.
SLIDE 33
Epic Hack: Internet worm
The first Internet worm
A grad student experimented (in the lab) with self-spreading malware
It got out
And took down the Internet
SLIDE 34
Epic Hack: Internet worm
The first Internet worm
A grad student experimented (in the lab) with self-spreading malware
It got out.
And took down the Internet.
There is a lesson here.
SLIDE 35
Epic Hack: Sarah Palin
Guy wants to mess with
Tries logging into her Yahoo Mail
SLIDE 36
Epic Hack: Sarah Palin
SLIDE 37
Epic Hack: Sarah Palin
SLIDE 38
Epic Hack: Sarah Palin
SLIDE 39
Epic Hack: Sarah Palin
SLIDE 40
Epic Hack: Sarah Palin
SLIDE 41
Epic Hack: Sarah Palin
SLIDE 42
Epic Hack: Sarah Palin
Sentenced to 1 year in federal prison
Lesson: your system is only as secure as the weakest link.
SLIDE 43
Epic Hack: Sarah Palin
Aftermath: in 2012, someone hacks Mitt
SLIDE 44
Epic Hack: Sarah Palin
Aftermath: in 2012, someone hacks Mitt
Lesson: old attacks remain relevant
SLIDE 45
Memory safety
SLIDE 46
SLIDE 47
SLIDE 48
SLIDE 49
#293 HRE-THR 850 1930
ALICE SMITH
COACH
SPECIAL INSTRUX: NONE
SLIDE 50
SLIDE 51
#293 HRE-THR 850 1930
ALICE SMITHHHHHHHHHHH
HHACH
SPECIAL INSTRUX: NONE
How could Alice exploit this? Find a partner and talk it through.
SLIDE 52
SLIDE 53
#293 HRE-THR 850 1930
ALICE SMITH
FIRST
SPECIAL INSTRUX: NONE
SLIDE 54
#293 HRE-THR 850 1930
ALICE SMITH
FIRST
SPECIAL INSTRUX: GIVE PAX EXTRA CHAMPAGNE.
SLIDE 55
char name[20];
void vulnerable() {
    ...
    gets(name);
    ...
}
SLIDE 56
char name[20];
char instrux[80] = "none";
void vulnerable() {
    ...
    gets(name);
    ...
}
SLIDE 57
char name[20];
char instrux[80] = "none";
void vulnerable() {
    ...
    gets(name);
    ...
}
Memory unsafe code
Reading data in name past 20 characters starts overlapping instrux because name and instrux are stored next to each
SLIDE 58
char line[512];
char command[] = "/usr/bin/finger";
void main() {
    ...
    gets(line);
    ...
    execv(command, ...);
}
SLIDE 59
char name[20];
int (*fnptr)();
void vulnerable() {
    ...
    gets(name);
    ...
}
SLIDE 60
char name[20];
int seatinfirstclass = 0;
void vulnerable() {
    ...
    gets(name);
    ...
}
SLIDE 61
char name[20];
int authenticated = 0;
void vulnerable() {
    ...
    gets(name);
    ...
}
SLIDE 62 Linux (32-bit) process memory layout
Reserved for Kernel
- 0xC0000000
user stack ($esp)
shared libraries
- 0x40000000
run time heap (brk)
static data segment (loaded from exec)
text segment (program) (loaded from exec)
- 0x08048000
unused
SLIDE 63 Stack Frame
- 0xC0000000
user stack
shared libraries
- 0x40000000
run time heap
static data segment
text segment (program)
- 0x08048000
unused
- 0x00000000
Frame corresponding to function invocation:
arguments
return address
stack frame pointer
exception handlers
local variables
callee saved registers
Figure labels: frame pointer; this function was called
SLIDE 64
Code Injection
SLIDE 65
main() {
    f();
}
f() {
    int x;
    g();
}
g() {
    char buf[80];
    gets(buf);
}
Stack (return addresses and local variables), starting at 0xFFFF0000:
main(): ret
f(): ret, x
g(): ret, buf
SLIDE 66
main() {
    f();
}
f() {
    int x;
    g();
}
g() {
    char buf[80];
    gets(buf);
}
Stack (return addresses and local variables), starting at 0xFFFF0000:
main(): ret
f(): ret, x
g(): ret, buf
SLIDE 67
Basic Stack Exploit
Overwriting the return address allows an attacker to redirect the flow of program control.
Instead of crashing, this can allow arbitrary code to be executed.
Example: attacker chooses malicious shellcode, compiles to bytes, includes this in the input to the program so it will get stored in memory somewhere, then overwrites return address to point to it.
SLIDE 68
SLIDE 69
void vulnerable() {
    char buf[64];
    ...
    gets(buf);
    ...
}
SLIDE 70
void safe() {
    char buf[64];
    ...
    fgets(buf, 64, stdin);
    ...
}
SLIDE 71
void safer() {
    char buf[64];
    ...
    fgets(buf, sizeof buf, stdin);
    ...
}
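Added example, not from the lecture slides: the name/instrux pair from slides 55-57 read with the fgets(buf, sizeof buf, ...) form of slide 71, plus the step fgets leaves to the caller, which is rejecting an over-long line and draining its tail. The struct, read_field, stream_of and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record mirroring the slides' adjacent name/instrux buffers. */
struct record {
    char name[20];
    char instrux[80];
};

/* Read one line into dst (capacity cap) without writing past it.
 * Returns 0 on success, -1 on EOF/error, -2 if the line did not fit.
 * An over-long line is rejected whole and its tail is drained, so the
 * leftover bytes are not mistaken for the next field. */
int read_field(FILE *in, char *dst, size_t cap) {
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';              /* complete line: strip newline */
        return 0;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;                       /* exact fit, or last line at EOF */
    while ((c = fgetc(in)) != '\n' && c != EOF)
        ;                               /* discard the rest of the line */
    dst[0] = '\0';
    return -2;
}

/* Demo helper (hypothetical): a temporary stream holding constructed input. */
FILE *stream_of(const char *text) {
    FILE *f = tmpfile();
    if (f != NULL) {
        fputs(text, f);
        rewind(f);
    }
    return f;
}

int main(void) {
    struct record r = { "", "none" };
    FILE *in = stream_of("ALICE SMITHHHHHHHHHHHHHHHHHHHHH\nBOB\n");
    int rc = in ? read_field(in, r.name, sizeof r.name) : -1;
    printf("rc=%d name=\"%s\" instrux=\"%s\"\n", rc, r.name, r.instrux);
    return rc == -2 ? 0 : 1;
}
```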
SLIDE 72
void vulnerable(int len, char *data) {
    char buf[64];
    if (len > 64)
        return;
    memcpy(buf, data, len);
}
memcpy(void *dst, const void *src, size_t n);
Attack: attacker supplies negative len, which becomes large value when cast to size_t
SLIDE 73
Fix:
void safe(size_t len, char *data) {
    char buf[64];
    if (len > 64)
        return;
    memcpy(buf, data, len);
}
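Added example, not from the lecture slides: the signed check of slide 72 isolated so the int to size_t conversion can be observed without copying anything, next to a bounded copy for callers that must keep an int length. The names signed_check_passes, copy_bounded and BUF_CAP are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_CAP 64   /* same capacity as buf[64] on the slide */

/* The slide's signed check in isolation: returns 1 if `len > 64` does not
 * reject the value, and stores the count memcpy would receive after the
 * implicit int -> size_t conversion. No copy is performed here. */
int signed_check_passes(int len, size_t *n_seen) {
    if (len > BUF_CAP)
        return 0;
    *n_seen = (size_t)len;
    return 1;
}

/* Hardened copy for an interface stuck with an int length: reject
 * negatives before converting, then compare in the unsigned domain.
 * Returns the number of bytes copied, or -1 if the length is rejected. */
int copy_bounded(char *dst, size_t cap, const char *src, int len) {
    if (len < 0 || (size_t)len > cap)
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

int main(void) {
    char buf[BUF_CAP];
    size_t n = 0;
    int passed = signed_check_passes(-1, &n);            /* check is bypassed */
    int rc = copy_bounded(buf, sizeof buf, "abc", -1);   /* rejected */
    return (passed == 1 && n == SIZE_MAX && rc == -1) ? 0 : 1;
}
```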
SLIDE 74
void f(size_t len, char *data) {
    char *buf = malloc(len+2);
    if (buf == NULL)
        return;
    memcpy(buf, data, len);
    buf[len] = '\n';
    buf[len+1] = '\0';
}
Is it safe? Talk to your partner.
Vulnerable! If len = 0xffffffff, allocates only 1 byte
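Added example, not from the lecture slides: the len+2 wraparound of slide 74 computed with uint32_t standing in for a 32-bit size_t (an assumption, so the result is the same on 64-bit hosts), followed by a version of f that refuses lengths whose allocation size would wrap. The names alloc_request_32 and dup_with_newline are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Size that malloc(len+2) would be asked for when size_t is 32 bits wide.
 * Unsigned arithmetic wraps modulo 2^32, so 0xffffffff + 2 yields 1. */
uint32_t alloc_request_32(uint32_t len) {
    return (uint32_t)(len + 2u);
}

/* Hardened form of the slide's f(): checks that len + 2 cannot wrap
 * before allocating. Returns a heap copy of data followed by "\n\0",
 * or NULL if the length is rejected or the allocation fails.
 * The caller owns the result and must free() it. */
char *dup_with_newline(const char *data, size_t len) {
    if (len > SIZE_MAX - 2)
        return NULL;                 /* len + 2 would wrap around */
    char *buf = malloc(len + 2);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, len);
    buf[len] = '\n';
    buf[len + 1] = '\0';
    return buf;
}

int main(void) {
    char *s = dup_with_newline("hi", 2);
    int ok = alloc_request_32(0xffffffffu) == 1u
          && dup_with_newline("x", SIZE_MAX) == NULL
          && s != NULL && strcmp(s, "hi\n") == 0;
    free(s);
    return ok ? 0 : 1;
}
```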
SLIDE 75