security
play

Security 1 Recap: Protection Protection Prevent - PowerPoint PPT Presentation

Mar 28, 2024 •328 likes •575 views

Security 1 Recap: Protection Protection Prevent unintended/unauthorized accesses Protection domains Class hierarchy: root can to everything a normal user can do + alpha Access control matrix Domains (Users)

  1. Security 1

  2. Recap: Protection • Protection – Prevent unintended/unauthorized accesses • Protection domains – Class hierarchy: root can to everything a normal user can do + alpha • Access control matrix – Domains (Users)   Resources (Objects) – Resource oriented: Access control list – Domain oriented: Capability list 2

  3. Recap: Security • Stack and buffer overflow – Failure to check bounds on inputs, arguments – Write past arguments on the stack into the return address on stack – Unauthorized user or privilege escalation 3

  4. Recap: Code with Buffer Overflow #define BUFFER_SIZE 256 int process_args(char *arg1) { char buffer[BUFFER SIZE]; strcpy(buffer,arg1); ... } int main(int argc, char *argv[]) { process_args(argv[1]); ... } • What is wrong in this code? 4

  5. Recap: The Attack: Buffer Overflow Before After executing strcpy(buffer, arg1 ) the crafted string containing the illegitimate code 5

  6. Outline • Stack overflow defense • Some recent security bugs 6

  7. 7 Slide from Dr. Vitaly Shmatikov (Cornell)

  8. 8 Slide from Dr. Vitaly Shmatikov (Cornell)

  9. 9 Slide from Dr. Vitaly Shmatikov (Cornell)

  10. 10 Slide from Dr. Vitaly Shmatikov (Cornell)

  11. Goto Fail Bug iOS 7.0.6 Data Security Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later Impact : An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS Description : Secure Transport failed to validate the authenticity of the connection . This issue was addressed by restoring missing validation steps. 11

  12. Goto Fail Bug err = 0 . . . hashOut.data = hashes + SSL_MD5_DIGEST_LEN; hashOut.length = SSL_SHA1_DIGEST_LEN; if ((err = SSLFreeBuffer(&hashCtx)) != 0) goto fail; if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; MISTAKE! THIS LINE SHOULD NOT BE HERE if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; err = sslRawVerify(...); // This code must be executed . . . fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); Return err; 12

  13. Heartbleed Bug • Synopsis – Due to a bug in OpenSSL (popular s/w for encrypted communication), web server’s internal memory can be dumped remotely 13

  14. Heartbleed Bug Image source: xkcd.com 14

  15. Heartbleed Bug Image source: xkcd.com 15

  16. Heartbleed Bug struct { HeartbeatMessageType type; Heartbeat uint16 payload_length; req. message opaque payload[HeartbeatMessage.payload_length]; opaque padding[padding_length]; } HeartbeatMessage int tls1_process_heartbeat(SSL *s) Heartbeat { Response function ... /* Read type and payload length first */ hbtype = *p++; n2s(p, payload ); // payload = recv_packet.payload_length pl = p; ... if (hbtype == TLS1_HB_REQUEST) { ... buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; memcpy(bp, pl, payload); r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); ... 16

  17. Shellshock Bug • Synopsis – You can remotely execute arbitrary programs on a server running a web server by simply sending a specially crafted http request. – Example curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/ • The problem – Fail to check the validity of a function definition before executing it For detailed explanation: security.stackexchange.com 17

  18. Virtual Machines Disclaimer: some slides are adopted from book authors’ slides with permission 18

  19. Roadmap • CPU management • Memory management • Disk management • Network and security • Virtual machine 19

  20. Cloud Computing Image Source: http://btstrategy.com/wp-new/2013/10/18/is-everything-really-going-to-the-cloud-advice-for-business-owners/ 20

  21. Cloud Computing 21

  22. Virtual Machines • Enabling technology of cloud computing • Basic idea: Provide machine abstractions 22

  23. Virtual Machines • Benefits – Can run multiple OSes , each in its own virtual machine – Can copy a VM image and run it on a different machine – Can create a snapshot of the state and restore it later – Can create a customized VM with specific OS version and libraries to avoid version dependency problems – More efficient resource utilization is possible • Downsides ? – Overhead – Interference 23

  24. History • Late 1960s – IBM introduced first full VMM on mainframes • Late 1990s – Xen was developed for Intel PCs • Mid 2000s – Hardware support was introduced (e.g.,Intel VT-x) – Widely adopted in data centers. 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann & Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Application Heartbeats Henry Hoffmann, Jonathan Eastep, Marco Santambrogio, Jason Miller, Anant

Application Heartbeats Henry Hoffmann, Jonathan Eastep, Marco Santambrogio, Jason Miller, Anant

Application Heartbeats Henry Hoffmann, Jonathan Eastep, Marco Santambrogio, Jason Miller, Anant Agarwal CSAIL Massachusetts Institute of Technology Cambridge, MA 02139 http://groups.csail.mit.edu/carbon/heartbeats Outline

375 views • 22 slides
EnviroTrack: Middleware system designed for object tracking . An Innovative and Simple

EnviroTrack: Middleware system designed for object tracking . An Innovative and Simple

1.Overview 1)What is EnviroTrack: EnviroTrack: Middleware system designed for object tracking . An Innovative and Simple Mideleware 2)Features: System for Object-Tracking Export a novel logical address space in which external

228 views • 5 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
Migrating from Nagios to Prometheus Runtastic Infrastructure Base Virtualization Core DBs

Migrating from Nagios to Prometheus Runtastic Infrastructure Base Virtualization Core DBs

NOV 07, 2019 Migrating from Nagios to Prometheus Runtastic Infrastructure Base Virtualization Core DBs Technologies Linux (Ubuntu) Linux KVM Physical Really a lot open source OpenNebula Hybrid SDN (Cisco) 3600 CPU Cores Big Chef

620 views • 37 slides
Heartbleed Presented by Duc Tran Agenda Background TLS OpenSSL TLS

Heartbleed Presented by Duc Tran Agenda Background TLS OpenSSL TLS

Heartbleed Presented by Duc Tran Agenda Background TLS OpenSSL TLS Heartbeat Extension The Hearbleed Bug Whos Vulnerable Demo Why its bad Protections Background What is Transport

562 views • 17 slides
STORM AND LOW-LATENCY PROCESSING www.inf.ed.ac.uk Low latency processing Similar to data

STORM AND LOW-LATENCY PROCESSING www.inf.ed.ac.uk Low latency processing Similar to data

STORM AND LOW-LATENCY PROCESSING www.inf.ed.ac.uk Low latency processing Similar to data stream processing, but with a twist Data is streaming into the system (from a database, or a network stream, or an HDFS file, or ) We want to

573 views • 31 slides
aCT: an introduction 1 History NorduGrid model was built on philosophy of ARC-CE and

aCT: an introduction 1 History NorduGrid model was built on philosophy of ARC-CE and

aCT: an introduction 1 History NorduGrid model was built on philosophy of ARC-CE and distributed storage No local storage - data staging on WN is too inefficient No middleware or network connectivity on WN Everything

393 views • 16 slides
Failure Detection and Propagation in HPC systems George Bosilca 1 , Aurlien Bouteiller 1 , Amina

Failure Detection and Propagation in HPC systems George Bosilca 1 , Aurlien Bouteiller 1 , Amina

Failure Detection and Propagation in HPC systems George Bosilca 1 , Aurlien Bouteiller 1 , Amina Guermouche 1 , Thomas Hrault 1 , Yves Robert 1 , 2 , Pierre Sens 3 and Jack Dongarra 1 , 4 1 . University Tennessee Knoxville 2 . ENS Lyon, France 3

644 views • 48 slides

More recommend