On Computer Systems (In)Security Vinod Ganapathy - - PowerPoint PPT Presentation



SLIDE 1

On Computer Systems (In)Security

Vinod Ganapathy

vg@csa.iisc.ernet.in
Associate Professor/CSA/IISc

SLIDE 2

My goal today

To convince you that:

  1. Computer systems are difficult to secure

Vinod Ganapathy - CSA Undergraduate Symposium

SLIDE 3

My goal today

To convince you that:

  1. Computer systems are difficult to secure
  2. Computer systems security is a fruitful research area

SLIDE 4

My goal today

To convince you that:

  1. Computer systems are difficult to secure
  2. Computer systems security is a fruitful research area
  3. You need to apply to the CSA/IISc Ph.D. program and work on these problems

SLIDE 5

SLIDE 6

“There are no solutions, only problems.”

SLIDE 7

Layered computer system design

Modern computer systems are built using layers of abstraction

Layers, bottom to top:
  Hardware: CPU, Memory, I/O devices

SLIDE 8

Layered computer system design

Modern computer systems are built using layers of abstraction

Layers, bottom to top:
  Hardware: CPU, Memory, I/O devices
  Operating System: Process List, Kernel Code, IDT, … (exposes Syscalls to the layer above)

SLIDE 9

Layered computer system design

Modern computer systems are built using layers of abstraction

Layers, bottom to top:
  Hardware: CPU, Memory, I/O devices
  Operating System: Process List, Kernel Code, IDT, … (exposes Syscalls to the layer above)
  Utilities & Libraries: ls, ps, bash & utilities, libc, gcc, …

SLIDE 10

Layered computer system design

Modern computer systems are built using layers of abstraction

Layers, bottom to top:
  Hardware: CPU, Memory, I/O devices
  Operating System: Process List, Kernel Code, IDT, … (exposes Syscalls to the layer above)
  Utilities & Libraries: ls, ps, bash & utilities, libc, gcc, …
  User app

SLIDE 11

Fundamental principle in security

Layers, bottom to top: Hardware (CPU, Memory, I/O devices); Operating System (Syscalls, Process List, Kernel Code, IDT, …); Utilities & Libraries (ls, ps, bash, libc, gcc, …); User app

The lower you go, the more control you have: least control at the User app, most control at the Hardware

SLIDE 12

Example: Malware detection

(Figure: the layered stack of Hardware, Operating System, Utilities & Libraries, User app)

SLIDE 13

Example: Malware detection

(Figure: a Malware detector running as a user app, on top of Utilities & Libraries)

SLIDE 14

Example: Malware detection

(Figure: the Malware detector relies on utilities such as cat, ps and ls; the Utilities & Libraries layer is its TCB, the Trusted Layer)

SLIDE 15

But utilities may be compromised!

(Figure: the Malware detector still depends on cat, ps and ls)

SLIDE 16

But utilities may be compromised!

  1. Malware detector to cat: Show me file contents

SLIDE 17

But utilities may be compromised!

  1. Malware detector to cat: Show me file contents
  2. cat to Malware detector: Fake, benign content

SLIDE 18

Solution: Query the OS

(Figure: the Malware detector bypasses the utilities and talks to the Operating System through the System call API; the Operating System is now the TCB)

  1. Query with syscall

SLIDE 19

Solution: Query the OS

(Figure: the Malware detector talks to the Operating System through the System call API; the Operating System is the TCB)

  1. Query with syscall
  2. OS reads file

SLIDE 20

Solution: Query the OS

(Figure: the Malware detector talks to the Operating System through the System call API; the Operating System is the TCB)

  1. Query with syscall
  2. OS reads file
  3. Returns true file content

SLIDE 21

OS detects malicious utilities too

(Figure: the Malware detector obtains the same file two ways, with the Operating System as TCB)

  A: cat file (what the utility reports)
  B: Read file through the System call API (what the OS reports)

  diff A vs B ?
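The "diff A vs B" check of this slide as a runnable cross-view detector. This is an added example, not code from the talk; it assumes a POSIX system with /bin/sh, `cat` and a writable /tmp, and the sample file content and the stand-in for a trojaned utility are constructed here.

```c
#define _POSIX_C_SOURCE 200809L          /* popen(), mkstemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* View A: what a (possibly trojaned) utility claims the file contains. */
static ssize_t view_from_utility(const char *cmd, char *buf, size_t cap) {
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    size_t n = fread(buf, 1, cap, p);
    pclose(p);
    return (ssize_t)n;
}
/* View B: ask the OS directly through the system call API; no utility in the TCB. */
static ssize_t view_from_syscall(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t total = 0, n;
    while ((size_t)total < cap && (n = read(fd, buf + total, cap - total)) > 0)
        total += n;
    close(fd);
    return total;
}
/* The "diff A vs B" step: 1 = views agree, 0 = they differ (utility suspected), -1 = error. */
int views_agree(const char *utility_cmd, const char *path) {
    char a[4096], b[4096];
    ssize_t na = view_from_utility(utility_cmd, a, sizeof a);
    ssize_t nb = view_from_syscall(path, b, sizeof b);
    if (na < 0 || nb < 0) return -1;
    return (na == nb && memcmp(a, b, (size_t)na) == 0) ? 1 : 0;
}
/* Demo driver over a constructed sample file. honest=1: view A comes from the real
 * `cat`; honest=0: it comes from a stand-in for a compromised utility that prints
 * fake, benign content instead of the file (the trailing `#` discards the path). */
int run_check(int honest) {
    char path[] = "/tmp/crossview-XXXXXX", cmd[256];
    const char *content = "secret: constructed sample content\n";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, content, strlen(content)) < 0) { close(fd); unlink(path); return -1; }
    close(fd);
    if (honest) snprintf(cmd, sizeof cmd, "cat %s", path);
    else        snprintf(cmd, sizeof cmd, "printf 'nothing to see here\\n' # %s", path);
    int r = views_agree(cmd, path);
    unlink(path);
    return r;
}
```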

SLIDE 22

What if the OS is malicious?

(Figure: the Malware detector queries the Operating System through the System call API)

SLIDE 23

Rootkit = Malware that infects OS

(Figure: the Malware detector queries an infected Operating System through the System call API)

Rootkits hide malware from detectors → Long-term stealth

SLIDE 24

How does an OS get infected?

  • Exploits of kernel vulnerabilities:
    – Injecting malicious code by exploiting a memory error in the kernel
  • Privilege escalation attacks:
    – Exploit a root process and use the resulting administrative privileges to update the kernel
  • Social engineering attacks:
    – Trick user into installing fake kernel updates
      • Defeated via signature verification of kernel updates
      • Trivial to perform prior to the Windows Vista OS

SLIDE 25

How prevalent are rootkits?

  • 2010 Microsoft report: 7% of all infections from client machines due to rootkits [1]
  • 2016 HummingBad Android rootkit: [2]
    – Up to 85 million Android devices infected?
    – Earns malware authors $300,000 each week through fraudulent mobile advertisements
  • Used in many high-profile incidents:
    – Torpig and Storm botnets
    – Sony BMG (2005), Greek wiretapping (2004/5)

[1] Microsoft Malware Protection Center, “Some Observations on Rootkits,” January 2010, https://blogs.technet.microsoft.com/mmpc/2010/01/07/some-observations-on-rootkits
[2] CheckPoint Software, “From HummingBad to Worse,” July 2016, http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

SLIDE 26

How can we detect rootkits?

Ask for help from the layers below

(Figure: a Hypervisor (a.k.a. Virtual Machine Monitor) sits beneath the Operating System and is now the TCB)

SLIDE 27

How low can we go?

(Figure: the Hypervisor layer, now the TCB) [Bluepill, Subvert]

SLIDE 28

How low can we go?

(Figure: the Hardware layer, now the TCB) [Stuxnet, Trojaned ICs] ???

SLIDE 29

Example 1: Linux Adore rootkit

User app:

    int main() {
      open(…);
      ...
      return(0);
    }

OS kernel: the System call table entry for open points to sys_open

    sys_open(...) { ... }

SLIDE 30

Example 1: Linux Adore rootkit

User app:

    int main() {
      open(…);
      ...
      return(0);
    }

OS kernel: the System call table entry for open now points to evil_open

    sys_open(...) { ... }
    evil_open(...) { malicious(); sys_open(...); }

SLIDE 31

Example 1: Linux Adore rootkit

User app:

    int main() {
      open(…);
      ...
      return(0);
    }

OS kernel: the System call table entry for open now points to evil_open

    sys_open(...) { ... }
    evil_open(...) { malicious(); sys_open(...); }

Violated: Function pointer values in system call table should not change
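A toy model of the invariant on this slide, added here as an example and not taken from Adore or the Linux kernel: a three-entry system call table, the hook the slide shows, and a detector that compares the table against a snapshot taken while it was known to be good. The handler bodies and return values are constructed.

```c
/* Toy kernel (constructed model, not Linux or Adore code): the legitimate handlers. */
#include <string.h>

typedef long (*syscall_fn)(const char *arg);

static long sys_open(const char *path) { (void)path; return 3; }  /* "returns an fd" */
static long sys_read(const char *buf)  { (void)buf;  return 0; }
static long sys_write(const char *buf) { (void)buf;  return 0; }

/* Toy rootkit handler: does its own work, then forwards to the real handler,
 * so the user app sees exactly the result it expects. */
static long evil_open(const char *path) { /* malicious(); */ return sys_open(path); }

enum { NR_open, NR_read, NR_write, NR_SYSCALLS };
static syscall_fn sys_call_table[NR_SYSCALLS] = { sys_open, sys_read, sys_write };

/* What a user app's open(...) boils down to: an indirect call through the table. */
long user_app_open(void) { return sys_call_table[NR_open]("/some/file"); }

/* Detector state: a copy of the table taken while it is known to be good
 * (e.g., right after boot, ideally from a trusted layer below the OS). */
static syscall_fn baseline[NR_SYSCALLS];
void take_baseline(void) { memcpy(baseline, sys_call_table, sizeof baseline); }

/* Invariant check: number of entries whose pointer value differs from the baseline. */
int count_changed_entries(void) {
    int changed = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != baseline[i]) changed++;
    return changed;
}

/* Index of the first changed entry, or -1 when the invariant holds. */
int first_changed_entry(void) {
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != baseline[i]) return i;
    return -1;
}

/* Model of the hook the slide shows: the open entry is redirected to evil_open. */
void install_hook(void)  { sys_call_table[NR_open] = evil_open; }
/* Remediation: restore the table from the trusted snapshot. */
void restore_table(void) { memcpy(sys_call_table, baseline, sizeof sys_call_table); }
```

Note that `user_app_open()` returns the same value before and after the hook: the app cannot tell, which is why the detector must inspect the table itself rather than behaviour observed through it.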

SLIDE 32

Example 2: Windows Fu rootkit

Each process is linked into two lists:
  all-tasks (via next_task): Used for process accounting
  run-list (via run_list): Used by the scheduler to select processes for execution

(Figure: Process A → Process B → Process C, linked on both lists)

SLIDE 33

Example 2: Windows Fu rootkit

Each process is linked into two lists:
  all-tasks (via next_task): Used for process accounting
  run-list (via run_list): Used by the scheduler to select processes for execution

(Figure: Hidden process → Process A → Process B → Process C; the hidden process remains on the run-list)

SLIDE 34

Example 2: Windows Fu rootkit

Each process is linked into two lists:
  all-tasks (via next_task): Used for process accounting
  run-list (via run_list): Used by the scheduler to select processes for execution

(Figure: Hidden process → Process A → Process B → Process C; the hidden process remains on the run-list but not on all-tasks)

Violated: run-list ⊆ all-tasks
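A toy model of the invariant on this slide, added as an example and not taken from Windows or the Fu rootkit: processes on two linked lists, the unlink that hides a process from accounting, and a cross-view detector that checks run-list ⊆ all-tasks. The task structure, pids and list heads are constructed.

```c
/* Constructed model (not Windows or Fu code): each process sits on two lists. */
#include <stddef.h>

struct task {
    int pid;
    struct task *next_task;  /* all-tasks: used for process accounting (what ps reports) */
    struct task *run_list;   /* run-list: used by the scheduler to pick what executes */
};

/* Constructed sample: processes A, B, C plus H, which the rootkit will hide. */
static struct task A = {1, NULL, NULL}, B = {2, NULL, NULL};
static struct task C = {3, NULL, NULL}, H = {4, NULL, NULL};
static struct task *all_tasks, *run_queue;   /* heads of the two lists */

void build_sample(void) {   /* same order on both lists: H -> A -> B -> C */
    H.next_task = &A; A.next_task = &B; B.next_task = &C; C.next_task = NULL;
    H.run_list  = &A; A.run_list  = &B; B.run_list  = &C; C.run_list  = NULL;
    all_tasks = &H; run_queue = &H;
}

/* Model of the Fu-style manipulation: unlink t from all-tasks only. Accounting no
 * longer lists it, but the scheduler still runs it, so the malware keeps working. */
void hide_task(struct task *t) {
    if (all_tasks == t) { all_tasks = t->next_task; return; }
    for (struct task *p = all_tasks; p; p = p->next_task)
        if (p->next_task == t) { p->next_task = t->next_task; return; }
}

static int on_all_tasks(const struct task *t) {
    for (const struct task *p = all_tasks; p; p = p->next_task)
        if (p == t) return 1;
    return 0;
}

/* Cross-view detector: every task the scheduler knows must also be on all-tasks.
 * Returns how many tasks violate run-list ⊆ all-tasks. */
int count_hidden(void) {
    int n = 0;
    for (struct task *p = run_queue; p; p = p->run_list)
        if (!on_all_tasks(p)) n++;
    return n;
}

/* pid of the first hidden task, or -1 when the invariant holds. */
int first_hidden_pid(void) {
    for (struct task *p = run_queue; p; p = p->run_list)
        if (!on_all_tasks(p)) return p->pid;
    return -1;
}
```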

SLIDE 35

Next up? Rootkits on IoT devices!

SLIDE 36

Example: Smart phone rootkits

  • Snoop on private phone conversations
  • Track user location using GPS
  • Email sensitive documents to attacker
  • Stealthily enable camera and microphone
  • Exhaust the battery
  • Enable world-wide DDoS attacks [October 2016]

SLIDE 37

How can devices be misused?

  1. Malicious end-users can leverage sensors to exfiltrate or infiltrate unauthorized data
  2. Malicious apps on devices can achieve similar goals even if end-user is benign

SLIDE 38

Government or corporate office

  • Problem: Sensitive documents and meetings can be exfiltrated using the camera, microphone and storage media
  • Current solution: Physical security scans, device isolation (Faraday cages)

SLIDE 39

Challenge: Bring your own device

SLIDE 40

Classroom and exam setting

SLIDE 41

Classroom and exam setting

  • Problem: Personal devices can be used to infiltrate unauthorized information

[Financial Crypto 2014] [NY Times July 2012]

SLIDE 42

Classroom and exam setting

  • Current solution: Deterrence via rules and threats. Invigilation to ensure compliance

SLIDE 43

Challenge: Assistive devices

  • Students may wish to use devices for legitimate reasons:
    – Smart glass or contacts for vision correction
    – Bluetooth-enabled hearing aids
    – Smart watches to monitor time

SLIDE 44

Other social settings

  • Restaurants, conferences, gym locker rooms, private homes, …
  • Problems:
    – Recording private conversations
    – Pictures of individuals taken and posted to social networks without their consent
    – Pictures and videos of otherwise private locations, e.g., private homes

SLIDE 45

Other social settings

  • Current solutions: Informal enforcement
  • Challenge: Social isolation

“For the first time ever this place, Feast, in NYC just asked that I remove Google Glass because customers have complained of privacy concerns […] I left”

SLIDE 46

Malicious apps exploiting sensors

Sensory malware

  • Early example of sensory malware [CCS 2011]
  • Use accelerometer and record keystroke press vibrations
  • Up to 80% accuracy in word recovery

SLIDE 47

Malicious apps exploiting sensors

Sensory malware

  • Attacks have now been demonstrated using every imaginable sensor
  • Attack accuracy will improve with each generation of devices and sensors

[NDSS 2011] [NDSS 2013] [USENIX Security 2014]

SLIDE 48

So what’s the takeaway?

SLIDE 49

“There are no solutions, only problems.” OK, I lied.

SLIDE 50

So what’s the takeaway?

  • All the problems that I told you about today have solutions.
  • But not perfect ones -- can never be!
  • Computer systems security is a game of cat-and-mouse -- it always has been!

SLIDE 51

So what’s the takeaway?

  • Computer systems security is a rich, vibrant area of research
  • You can get involved and make a difference

SLIDE 52

URL: http://www.csa.iisc.ernet.in/~vg
Email: vg@csa.iisc.ernet.in