What about the software? - PowerPoint PPT Presentation


  1. What about the software? How many security vulnerabilities are there in the software implementing all this smart grid functionality and the underlying protocols? Erik Poll, Radboud University Nijmegen

  2. Motivation
     Security can go wrong on many levels
     • human factor
     • organisational issues
     • authentication solutions
     • communication protocols
     • security protocols
     • cryptography
     • software, incl. the software implementing the 4 aspects above
     • hardware
     • ...

  3. Motivation (the same list, with the human factor and software highlighted)

  4. Software (in)security
     Software is a major source of security problems. Software is not the Achilles’ heel of ICT security, but the Achilles’ body.
     Any piece of software that an attacker can provide malicious input to is a risk.
     Regrettable tendency to see this as an unavoidable fact of life, with as ‘solutions’:
     1. regularly patch the software
     2. prevent the bad guys from getting access
        • air gaps, separate physical networks, secure communication tunnels (eg TLS or IPSEC)
        but: won’t any reasonably competent attacker be able to get inside these TLS tunnels?

  5. LangSec (Language-theoretic security)
     Instructive insights into root causes, and bad vs good practices, when it comes to software security.
     Starting point: note the common pattern in attacks on software, incl. buffer overflows, format string attacks, integer overflow, OS command injection, path traversal attacks, SQL injection, HTML injection, XSS, CSRF, database command injection, database function injection, PHP file name injection, LDAP injection, ShellShock, HeartBleed, FREAK, ...
     1. attacker crafts some malicious input
     2. software goes off the rails processing this, unintentionally providing the attacker weird functionality
     Like social engineering or hypnosis as attack vector on humans?

  6. Moral: Processing input is dangerous!
     Processing involves 1) parsing/lexing and 2) interpreting/executing, eg interpreting a string as a filename, URL, or email address.
     This relies on some language/format/protocol: 1) relies on its syntax, 2) on its semantics.
     Insecure processing of inputs exposes strange functionality that the attacker can abuse & possibly even program.

  7. Fallacy of classical input validation?
     Classical input validation: filter or encode harmful characters, or, slightly better: only let through harmless characters
     But:
     1. Which characters are harmful (or required!) depends on the language or format. You need context to decide which characters are dangerous.
     2. Not only the presence of funny characters can cause problems, but also the absence of other characters, or input fields that are too long or too short, ...
     The proper solution: parse the entire input before any processing

  8. Tower of Babel
     The Web involves many and complex languages & formats: HTTP(S), HTML, CSS, javascript, Flash, cookies & FSOs, Ajax & XML, ActiveX, jpeg, mpeg, mp4, png, gif, SilverLight, URLs/URIs, X509 certificates, email addresses, TCP/IP (IPv4 or IPv6), file names, directories, OS commands, SQL, LDAP, JSP, PHP, ASCII, Unicode, UTF-8, ...

  9. Sample problems
     • Exploits with zero-width fields in JPEG images
     • Code Red worm exploiting incorrect treatment of ASCII and Unicode characters
     • Different browsers interpreting X509 certificates with multiple Common Names differently
     • ASN.1 attacks in X509 certificates: null terminator in an ASN.1 BER encoded string in an X509 Common Name
     • PKCS#10-tunneled SQL injection: SQL command inside a BMPString, UTF8String or UniversalString used as PKCS#10 Subject Name
     • ....

  10. LangSec anti-patterns (don’ts)
      1. Complex input languages (aka formats, protocols)
         • length fields in data packets are a notorious source of problems
      2. Unclearly defined input languages
      3. Hand-written parser code which
         • mixes parsing & interpretation
         • incrementally parses parts of the input, in a piecemeal fashion
         Aka a shotgun parser
      All this results in
      • lots of chances for an attacker to trigger weird behaviour
      • possibly using parser differentials, i.e. differences between implementations of the same language

  11. LangSec best practices (do’s)
      1. precisely & clearly defined input languages, eg with a regular expression or EBNF grammar
      2. keep the input language as simple as possible, so that ideally equivalence of parsers is decidable, and so that you give minimal processing power to the attacker
      3. generate parsers
      4. complete parsing before processing: work with parsed information, not still-to-be-parsed byte sequences or strings
      5. for legacy software: put a generated parser in front, to ensure correct & complete parsing before processing?
         • effectively a language-specific firewall/IPS/IDS
      6. use understanding of the language for testing, esp. fuzzing


  13. Some examples: Payments, GSM, DNP3, TLS

  14. Unintentional case study: contactless payments
      • Correctly formatted RFID traffic can crash contactless payment terminals [MSc thesis Jordi van Breekel, 2014]
      • dual-contact bank cards of two banks misconfigured to accept certain commands over the contactless interface that were meant for the contact interface only

  15. Case study: GSM
      GSM is an extremely rich & complicated protocol

  16. SMS message fields
      Field                          Size
      Message Type Indicator         2 bit
      Reject Duplicates              1 bit
      Validity Period Format         2 bit
      User Data Header Indicator     1 bit
      Reply Path                     1 bit
      Message Reference              integer
      Destination Address            2-12 byte
      Protocol Identifier            1 byte
      Data Coding Scheme (DCS)       1 byte
      Validity Period                1 byte/7 bytes
      User Data Length (UDL)         integer
      User Data                      depends on DCS and UDL
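As an added example (not from the slides), a parser for a simplified SMS PDU following the field list above, applying the LangSec rules of slides 7, 10 and 11: every length field (destination address length, validity period format, UDL) is checked against the bytes actually present, and the whole PDU is parsed before anything is interpreted. The byte layout, the flag bit positions and the sample PDUs are constructed for this example and are not the exact 3GPP TS 23.040 encoding.

```python
class PduError(ValueError):
    """Any syntax error rejects the whole PDU; nothing is interpreted first."""

def _take(buf: bytes, pos: int, n: int, what: str) -> tuple[bytes, int]:
    """Slice n bytes at pos or fail loudly, instead of reading past the end."""
    if pos + n > len(buf):
        raise PduError(f"{what}: need {n} byte(s) at offset {pos}, {len(buf) - pos} left")
    return buf[pos:pos + n], pos + n

VP_LENGTH = {0b00: 0, 0b10: 1, 0b01: 7, 0b11: 7}  # VPF value -> size of Validity Period

def parse_sms(pdu: bytes) -> dict:
    """Constructed layout following the slide's field list (not the exact 3GPP encoding)."""
    flags, pos = _take(pdu, 0, 1, "flags")
    f = flags[0]  # assumed bit layout, LSB first: MTI(2) RD(1) VPF(2) UDHI(1) RP(1)
    vpf = (f >> 3) & 0b11
    mr, pos = _take(pdu, pos, 1, "message reference")
    da_len, pos = _take(pdu, pos, 1, "destination address length")
    if not 2 <= da_len[0] <= 12:  # slide: Destination Address is 2-12 bytes
        raise PduError(f"destination address length {da_len[0]} outside 2..12")
    da, pos = _take(pdu, pos, da_len[0], "destination address")
    pid, pos = _take(pdu, pos, 1, "protocol identifier")
    dcs, pos = _take(pdu, pos, 1, "data coding scheme")
    vp, pos = _take(pdu, pos, VP_LENGTH[vpf], "validity period")
    udl, pos = _take(pdu, pos, 1, "user data length")
    seven_bit = (dcs[0] & 0x0C) == 0  # GSM 7-bit default alphabet: UDL counts septets
    if udl[0] > (160 if seven_bit else 140):
        raise PduError(f"UDL {udl[0]} exceeds the maximum for this coding scheme")
    ud, pos = _take(pdu, pos, (udl[0] * 7 + 7) // 8 if seven_bit else udl[0], "user data")
    if pos != len(pdu):  # complete parsing: trailing bytes are an error, not ignored
        raise PduError(f"{len(pdu) - pos} trailing byte(s) after user data")
    return {"mti": f & 0b11, "reject_duplicates": bool(f >> 2 & 1), "vpf": vpf,
            "udhi": bool(f >> 5 & 1), "reply_path": bool(f >> 6 & 1),
            "message_reference": mr[0], "destination": da, "protocol_id": pid[0],
            "dcs": dcs[0], "validity_period": vp, "user_data": ud}

def accepts(pdu: bytes) -> bool:
    """True iff the PDU parses; a rejected PDU never reaches the interpreting code."""
    try:
        parse_sms(pdu)
        return True
    except PduError:
        return False

# Constructed sample PDUs: flags 0x11 = MTI 01, VPF 10 (1-byte validity period); DCS 0x04 = 8-bit data
GOOD = bytes([0x11, 0x00, 0x02, 0x91, 0x21, 0x00, 0x04, 0xAA, 0x05]) + b"hello"
OVERLONG_UDL = GOOD[:8] + bytes([0x40]) + b"hello"  # UDL claims 64 bytes, only 5 present
TRAILING = GOOD + b"\x00"                           # an extra byte after the user data
```

A naive decoder that trusts the UDL and copies that many bytes is the kind of code behind slide 20's "raw memory contents"; here the same input is rejected before any copy happens.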

  17. Let’s fuzz! i.e. sending randomly generated, malformed GSM traffic to phones (using a USRP with OpenBTS software)
      (diagram: weird traffic)
      [Mulliner et al, SMS of Death]
      [Fabian van den Broek, Brinio Hond, Arturo Cedillo Torres, Security Testing of GSM Implementations, ESSoS 2014]

  18. Case study: GSM protocol fuzzing
      Weird functionality in GSM standard and phones

  19. Case study: GSM protocol fuzzing
      Weird functionality in GSM standard and phones
      • eg the possibility to send faxes (!?) “you have a fax!” Only way to get rid of this icon: reboot the phone

  20. Case study: GSM protocol fuzzing
      Malformed SMS text messages showing raw memory contents, rather than the content of the text message (the name of a Mobile Soccer game shows up inside the text message)

  21. Case study: GSM protocol fuzzing
      • Lots of success in DoSing phones: phones crash, disconnect from the network, or stop accepting calls
      • Requiring a reboot or battery removal to restart, to accept calls again, or to remove weird icons
      • After a reboot, the network would redeliver the SMS if no acknowledgement was sent before crashing, re-crashing the phone
        But: not all our SMS messages could be sent over a real network
      • Surprisingly little correlation between problems and phone brands & firmware versions
        • how many implementations of the GSM stack does Nokia have?
      • The scary part: what would happen if we fuzz base stations? (For the Alliander folks here: is CDMA any better?)

  22. Case study: DNP3
      Robus project by Adam Crain and Chris Sistrunk
      • wrote a dedicated fuzzer for DNP3 SA, the extension of DNP3 with Secure Authentication
      • revealed > 30 vulnerabilities in products of over a dozen vendors
      More info at automatak.com/robus or langsec.org/dnp3

  23. Case study: TLS
      Many protocols have state
      • messages are expected to arrive in a particular order
      • implementations have to keep track of this, by implementing a protocol state machine
      As well as fuzzing with strange messages we can now also try strange sequences of messages
      • ie fuzzing the order rather than the content of messages, in different orders than the ‘happy flow’
      Using state machine learning we can even automatically infer the protocol state machine by black box testing
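As an added example (not from the slides or the work they cite), a server-side TLS handshake state machine in Python, a constructed lenient variant that accepts one message out of happy-flow order, and a check that exercises message order rather than content, which is the manual form of what state machine learning does systematically with black-box tests. Only the message names follow TLS; the state names and the lenient defect are assumptions of this example and are not attributed to any real implementation.

```python
# Client-to-server messages of one handshake; the happy flow sends each exactly once, in order.
MESSAGES = ["ClientHello", "ClientKeyExchange", "ChangeCipherSpec", "Finished", "ApplicationData"]
HAPPY_FLOW = MESSAGES

# Transition tables (state -> {message -> next state}); a missing entry means "reject".
STRICT = {
    "Start":        {"ClientHello": "Hello"},
    "Hello":        {"ClientKeyExchange": "KeyExchanged"},
    "KeyExchanged": {"ChangeCipherSpec": "CipherOn"},
    "CipherOn":     {"Finished": "Established"},
    "Established":  {"ApplicationData": "Established"},
}
# Constructed toy defect (not a real implementation): Finished is also accepted
# straight after the key exchange, i.e. ChangeCipherSpec can be skipped.
LENIENT = {state: dict(moves) for state, moves in STRICT.items()}
LENIENT["KeyExchanged"]["Finished"] = "Established"

class Connection:
    """Server-side view of one handshake: tracks the state across received messages."""
    def __init__(self, table: dict):
        self.table, self.state = table, "Start"

    def receive(self, msg: str) -> bool:
        nxt = self.table.get(self.state, {}).get(msg)
        if nxt is None:
            self.state = "Closed"  # sink state: an unexpected message tears the connection down
            return False
        self.state = nxt
        return True

def run(table: dict, msgs: list) -> tuple:
    """Feed a message sequence; return (accepted flag per message, final state)."""
    conn = Connection(table)
    return [conn.receive(m) for m in msgs], conn.state

def order_deviations(table: dict) -> list:
    """Replay the happy flow up to each position, then try every other message there.
    Returns the (position, message) pairs that are accepted out of order."""
    found = []
    for i in range(len(HAPPY_FLOW)):
        for msg in MESSAGES:
            if msg == HAPPY_FLOW[i]:
                continue
            accepted, _ = run(table, HAPPY_FLOW[:i] + [msg])
            if accepted[-1]:
                found.append((i, msg))
    return found
```

Running order_deviations against STRICT reports nothing, against LENIENT it reports Finished accepted at position 2; the state-machine figures on the following slides are the inferred equivalents of these tables for real implementations.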

  24. TLS... according to the NSS implementation (state machine figure). Comforting to see it is so simple!

  25. TLS... according to GnuTLS (state machine figure)

  26. TLS... according to OpenSSL (state machine figure)

  27. TLS... according to Java Secure Socket Extension (state machine figure)
