[PPT] - Introduction to Computer Security David Brumley dbrumley@cmu.edu PowerPoint Presentation

SLIDE 1

Introduction to Computer Security

David Brumley dbrumley@cmu.edu

Carnegie Mellon University

SLIDE 2

Today: Overview

Course Staff
Trusting Trust
Course Overview
Example Applications
Course Mechanics
CMU CTF Team

2

SLIDE 3

You will find at least one error

n each set of slides. :)

3

SLIDE 4

4

David Brumley

B.A. Math UNC 1998
M.S. CS Stanford 2003
Ph.D. CS CMU 2008
Computer security
fficer, Stanford

University, 1998-2002

Assistant Professor,

CMU, Jan 2009

SLIDE 5

Current Research Thrusts

Automatic Exploit Generation

– AEG and Mayhem

Scalable Malware Analysis

– BitShred

Binary code analysis

– Decompilation

Vetting whole systems

5

SLIDE 6

Trust

Trusting

6

SLIDE 7

Do you trust his Software?

7

Photo from http://culturadigitalbau.wikispaces.com/ file/view/thompson.c1997.102634882.lg.jpg/212982274/thompson.c1997.102634882.lg.jpg

SLIDE 8

Ken Thompson Co-Creator of UNIX and C Turing Award: 1983

8

SLIDE 9

9

Compiler

011001001111010 FIX mak login.c

SLIDE 10

10

Compiler

011001001111010

... if(program == “login”) add-login-backdoor(); if(program == “compiler”) add-compiler-backdoor();

FIX mak login.c

SLIDE 11

Ken Thompson Co-Creator of UNIX and C Turing Award: 1983

11

SLIDE 12

Would you trust Mother Teresa’s software?

12

SLIDE 13

13

Would you trust Mother Teresa’s software?

SLIDE 14

14

Surely cryptographers code must be secure?

Ron Rivest Adi Shamir Len Adleman

Picture from http://www.usc.edu/dept/molecular-science/RSA-2003.htm

SLIDE 15

Perfect Cryptography Exists!

We’re no better off guessing what an encrypted message contains given the ciphertext.

Claude Shannon

15

SLIDE 16

But implementations may still leak...

16

message decrypt(ciphertext c, private_key k){ plaintext m; if(k == 1) m = time t1 decryption ops; return m; if(k == 2) m = time t2 decryption ops; return m; if(k == 3) m = time t3 decryption ops; return m; .... }

SLIDE 17

17

Isn’t this networking?

Routers run an

perating system,

which hackers now target

SLIDE 18

Even GPS systems run

Webservers
FTP servers
Network time daemons

18

SLIDE 19

19

Security is many things

SLIDE 20

This Class: Introduction to the Four Research Cornerstones of Security

20

Software Security Network Security OS Security Cryptography

SLIDE 21

21

Course Topics

Intro to Computer Security

Software Security

Control Flow Hijack Execution Safety Information Flow

Cryptography

Goals

f

Crypto Stream Ciphers Block Ciphers Asymmetric Crypto Authentication/Integrity

OS Security

Common Defenses Authorization Security Architectures

Network Security

Web Security Denial

f

Service Protocols Intrusion Detection

Your job: become conversant in these topics

SLIDE 22

Software Security

22

SLIDE 23

Control Flow Hijacks

23

shellcode (aka payload) padding &buf computation + control

Allow attacker ability to run arbitrary code

– Install malware – Steal secrets – Send spam

SLIDE 24

24

SLIDE 25

25

SLIDE 26

26

SLIDE 27

Software Security

Recognize and exploit vulnerabilities

– Format string – Buffer overflow – Gist of other control flow hijacks, e.g., heap overflow

Understand defenses in theory and practice

– ASLR – DEP – Canaries – Know the limitations!

27

SLIDE 28

Cryptography

28

SLIDE 29

Everyday Cryptography

ATM’s
On-line banking
SSH
Kerberos

SLIDE 30

Alice Bob

M

Public Channel Adversary Eve: A very clever person

SLIDE 31

Alice Bob

M

Public Channel Adversary Eve: A very clever person

Cryptography’s Goals:

– Data Privacy – Data Integrity – Data Authenticity

SLIDE 32

Alice Bob

M

Public Channel Adversary Eve: A very clever person

Cryptonium Pipe

SLIDE 33

Alice Bob

M

Public Channel Adversary Eve: A very clever person

Cryptonium Pipe

Cryptography’s Goals:

– Privacy – Integrity – Authenticity

SLIDE 34

34

SLIDE 35

Goals

Understand and believe you should never,

ever invent your own algorithm

Basic construction
Basic pitfalls

35

SLIDE 36

OS Security

36

SLIDE 37

37

Principal Reference Monitor Object Requested Operation Approved Operation

Source Guard Resource

Authentication Authorization

In security, we isolate reasoning about the guard

SLIDE 38

38

OS Security

Authentication

Principles

Authorization

Reference monitors Access control lists

Auditing Security Architectures

Virtual Machines Software Fault Isolation

SLIDE 39

OS Goals

Know Lampson’s “gold” standard

– Authorization – Authentication – Audit

Know currently used security architectures

39

SLIDE 40

Network Security

40

SLIDE 41

41

Network Security

Web Security

XSS

Stored XSS Reflected XSS

SQL Injection

Defense Sanitization Stored procedures Attacks Basic syntax Comments Probes

CSRF

Attack Defense Referer Validation Custom Header Token validation

Intrusion Detection

Stateful Stateless Base Rate

Protocols

Kerberos BGP

Denial

f

Service

Bots CDN

SLIDE 42

42

Network Security

Web Security

XSS

Stored XSS Reflected XSS

SQL Injection

Defense Sanitization Stored procedures Attacks Basic syntax Comments Probes

CSRF

Attack Defense Referer Validation Custom Header Token validation

Intrusion Detection

Stateful Stateless Base Rate

Protocols

Kerberos BGP

Denial

f

Service

Bots CDN

SLIDE 43

43

Network Security

Web Security

XSS

Stored XSS Reflected XSS

SQL Injection

Defense Sanitization Stored procedures Attacks Basic syntax Comments Probes

CSRF

Attack Defense Referer Validation Custom Header Token validation

Intrusion Detection

Stateful Stateless Base Rate

Protocols

Kerberos BGP

Denial

f

Service

Bots CDN

SLIDE 44

Networking Goals

Understand the base rate fallacy and it’s

application to IDS

Be able to recognize and perform basic web

attacks

State what a DDoS is, and how CDN’s

mitigate their effect

44

SLIDE 45

Course Mechanics

45

SLIDE 46

Basics

Pre-req:

– Basic UNIX development (gcc, gdb, etc.) – 15-213 or similar is recommended

Read all papers before lecture

– Read – Underline – Question – Review

Course website:

http://www.ece.cmu.edu/~dbrumley/courses/18487-f13

46

SLIDE 47

Workload

3 homework assignments
3 exams, keep highest 2 grades
The Coolest Bug day.

47

SLIDE 48

The Coolest Bug

Describe a classic old bug, or a new zero-day
Provide an 5 minute tutorial on the bug.
Present to the class.
Class votes (via a limited number of tokens) on

best.

Encourage finding your own zero-days.

48

SLIDE 49

1996

49

#1 Song: The Macarena Spice Girls Play Olympics Windows 95 Reigned

SLIDE 50

50

Ping of Death!

SLIDE 51

51

ICMP and IP Packets

IP Packet Max IP packet size = 65535 octets (216 – 1) (RFC 791) 20 for typical header 8 for ICMP header 65507 for data (65535-20-8) To process ICMP, I need to handle up to 65507 octets

http://jobtrakr.com/2011/11/16/so-you-want-to-be-a-manager/

SLIDE 52

52

ICMP and IP Packets

IP Packet Max IP packet size = 65535 octets (216 – 1) (RFC 791) 20 for typical header 8 for ICMP header 65507 for data (65535-20-8) To process ICMP, I need to handle up to 65507 octets

http://jobtrakr.com/2011/11/16/so-you-want-to-be-a-manager/

SLIDE 53

IP Fragmentation

One 4000 byte packet with Maximum Transmission Unit (MTU) of 1500

53

... length 4000 ID x fragflag

ffset

... ... length 1500 ID x fragflag 1

ffset

... ... length 1040 ID x fragflag

ffset

370 ... ... length 1500 ID x fragflag 1

ffset

185 ... packet len < MTU 1480 octet data

ffset = 1480/8

Gets fragmented in 3 packets

SLIDE 54

ping of death

54

Attacker Victim

2. Victim reassembles fragments

into one big packet

3. Victim copies large packet,

exceeds buffer bounds, crashes

SLIDE 55

“A few ICMPv6 packets with router advertisements requests can cause a denial-of-service vulnerability reminiscent of the famous "Ping of Death". It’s a good illustration of how much we still do not know about the stability of IPv6. We continue to recommend turning off IPv6 on workstations if your network is not engineered for its use.”

55

SLIDE 56

“A few ICMPv6 packets with router advertisements requests can cause a denial-of-service vulnerability reminiscent of the famous "Ping of Death". It’s a good illustration of how much we still do not know about the stability of IPv6. We continue to recommend turning off IPv6 on workstations if your network is not engineered for its use.”

56

SLIDE 57

Basic Mechanics

Grading based on:

– 3 homeworks (35%) – Highest 2 out of 3 tests (30% each) – Participation and coolest bug (5%)

No late days except under exceptional circumstances.
I guarantee at least the following:

– 90-100%: A – 80-89%: B – 70-79%: C – 60-69%: D – < 59%: F

57

SLIDE 58

Obey the law
Do not be a nuisance
Don’t cheat, copy others

work, let others copy, etc.

58

SLIDE 59

One note

My wife will have a baby boy sometime this

semester. This may affect the course.

59

Image credits: http://onyx-ii.com/srcstore/scripts/store/item.cfm?Item_Number=BE-STXLW-CD

SLIDE 60

Capture the Flag

60

SLIDE 61

61

CMU Capture the Flag Team

SLIDE 62

62

Red Team

Vulnerability Discovery
Exploitation
Network mapping
Web security

Blue Team

Intrusion detection
Hot-patching
Firewalls
Work-arounds

SLIDE 63

63

SLIDE 64

64

SLIDE 65

10,000 Students in 2,000 teams

65

Size of circle proportional to number of teams

SLIDE 66

66

SLIDE 67

67

SLIDE 68

Example Network Forensics

68

SLIDE 69

PicoCTF

10,000 students
600 teams solving advanced problems

– ROP attacks – Breaking incorrect use of modern crypto

Identified the best of the best

“I learned more in one week than the last two years in CS courses.”

69

If you get an A, you may be eligible to help with PicoCTF 2014

SLIDE 70

70

Questions?

SLIDE 71

END

SLIDE 72

Information Flow

72

Program High In Low In High Out Low Out

OK to mix NO mixing!

e.g., password e.g., dictionary

SLIDE 73

73

Information Flow

Data Dependence

Assignment

Control Dependence

if-then-else

Side Channel

Timing

SLIDE 74

Information Flow Goals

What is safe and unsafe information flow?
How is it calculated?
Know the non-interference information flow

property.

74

SLIDE 75

Execution Safety

Trapped Errors

halts computation immediately ex:

divide by zero
dereference (R/W)

an illegal address

Untrapped Errors

can go unnoticed until (possibly much) later ex:

buffer overflow
writing an integer into

an array of strings

75

SLIDE 76

76

SLIDE 77

Safe Languages

Untrapped Errors

can go unnoticed until (possibly much) later ex:

buffer overflow
writing a string into an

integer

77

A safe language has no untrapped errors.

untyped typed statically checked dynamically checked

“typechecking”

SLIDE 78

Execution Safety Goals

State what type safety means.
Read typing inference rules.
Give examples of differences between type

safety and security.

State control flow integrity

– Give examples of vulnerabilities protected by CFI – Give examples of vulnerabilities not protected by CFI

78