1 Final Review Session Collin Jackson CS 155 Spring 2006.
2
Final Details
Open book, open notes, closed laptop
Main final (recommended): 7-10 PM on Tuesday, June 13, Gates B01
Alternate final: 3:30-6:30 PM on Monday, June 12, Gates B03
Study suggestions: previous finals available on course webpage; reading, slides, lectures, homework
Email [email protected] with questions
5
Part 1: Attacks
Attack A: Cookie Theft
Attack B: Silent Transfer
Attack C: Login Snooping
Attack D: Profile Worm
Most common issues were race conditions, or the attack differing from the specification in some detail. Mostly full credit was given for attacks where the idea was there.
[Attack-flow diagrams; surviving labels: zoobar.org, link, email, form, badguy.com, stanford.edu, redirect]
7
Part 2: Defenses
Attack B: Request Forgery
  Ok: the authentication cookie (a secret the attacker's page cannot read, so it cannot be put in the forged request)
  Easy to circumvent: userid or hash(userid) (the attacker can compute both)
Attack C: Login Snooping
  Ok: add quotes around the value (and escape the quote character itself, or the value can still close the attribute)
  Easy to circumvent: blacklist dangerous strings
8
Part 2: More XSS Tests
Page          Field      Test string                      Exploitable?
index.php     Profile    </textarea><script>…</script>    Depends on (optional) login CSRF defense
users.php     Profile    <img onload=…>
users.php     User       </script><script>…<script>
transfer.php  Recipient  <script>…</script>               Depends on transfer CSRF defense
9
Part 2: Grading
Key ideas: preferred approach is escaping; alternate approach is whitelisting; blacklisting is easy to get wrong
Grades released sometime this weekend
If you feel your project was misgraded: contact the TAs (we reserve the right to regrade the entire project)
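Added example (Python, not from the slides or the course's zoobar code) for the key idea above: the profile test strings from the table pushed through a strawman blacklist and through html.escape, with a small oracle that reports whether attacker markup survived. The two sinks imitate index.php (profile inside a <textarea>) and users.php (profile rendered inline); the payload bodies (alert(1), badguy.com/x.js), the two extra bypass strings and the oracle are constructed for the demo.

```python
# Added example: escaping vs. blacklisting for the XSS tests above.
# Not from the CS 155 slides or the zoobar code; sinks, payload bodies and the
# oracle are constructed for the demo.
import html
import re

# Strawman blacklist: remove bare <script> / </script> tags in a single pass.
SCRIPT_TAG = re.compile(r"</?script>", re.I)


def blacklist(value: str) -> str:
    return SCRIPT_TAG.sub("", value)


def escape(value: str) -> str:
    # Turns < > & " ' into entities, so user data can never open or close a
    # tag or an attribute, whatever the sink.
    return html.escape(value, quote=True)


# Sinks modelled on the test table: page/field -> (template, tags the
# template itself emits).  index.php puts the profile inside a <textarea>;
# users.php renders it inline.
SINKS = {
    "index.php/Profile": ("<textarea name=profile>{}</textarea>", {"textarea"}),
    "users.php/Profile": ("<div class=profile>{}</div>", {"div"}),
}

TAG = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)([^>]*)>", re.I)
ON_ATTR = re.compile(r"\bon\w+\s*=", re.I)


def active_markup(rendered: str, own_tags: set) -> bool:
    """Oracle: True if the output contains a tag the template did not emit, or
    a tag carrying an on* handler, i.e. attacker script could run."""
    for m in TAG.finditer(rendered):
        name, attrs = m.group(1).lower(), m.group(2)
        if name not in own_tags or ON_ATTR.search(attrs):
            return True
    return False


# Constructed cases: the slide's test strings with a body filled in, plus two
# classic blacklist bypasses (tag splitting, a tag with attributes).
CASES = [
    ("index.php/Profile", "</textarea><script>alert(1)</script>"),
    ("index.php/Profile", "</textarea><scr<script>ipt>alert(1)</script>"),
    ("users.php/Profile", "<img src=x onload=alert(1)>"),
    ("users.php/Profile", "<script src=//badguy.com/x.js></script>"),
]


def evaluate(sanitize) -> list:
    """Push every case through `sanitize`; True = script survives the defence."""
    results = []
    for sink, payload in CASES:
        template, own = SINKS[sink]
        results.append(active_markup(template.format(sanitize(payload)), own))
    return results


if __name__ == "__main__":
    print("blacklist:", evaluate(blacklist))  # [False, True, True, True]
    print("escape:   ", evaluate(escape))     # [False, False, False, False]
```

The blacklist stops exactly the one string its author tested (the first case) and nothing else: a split tag survives single-pass removal, an event handler needs no script tag at all, and a script tag with attributes never matched the pattern. Escaping is sink-independent because the browser never sees a `<` that came from the user.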
11
SQL Syntax
Four basic commands (plus many others):
INSERT INTO [table] ([column], …) VALUES ([value], …)
SELECT [column], … FROM [table] WHERE [condition]
UPDATE [table] SET [column]=[value], … WHERE [condition]
DELETE FROM [table] WHERE [condition]
Strings delimited with '
Statements separated with ;
Comments start with --
12
Attack Characteristics
Victim site builds query using concatenation
User data not validated
String may appear where integer expected:
  "SELECT * FROM UserTable WHERE id=" + $_POST["userid"]
Breaks out of quoted string:
  "SELECT Password FROM UserTable WHERE Username='" + $_POST["username"] + "'";
13
Crafting an attack
Spider the site and look for input fields
Put ' in each field and look for errors
Try to determine the structure of the query: guess and observe results; error messages can be helpful
Construct the malicious attack query, e.g. return sensitive data from other rows or tables, or modify the password table to give the attacker access
14
Example Question
Site form allows lookup by integer id: <input name=id><input type=submit>
Fix this query: "SELECT * FROM UserTable WHERE id=" + Request["id"];
Best: Parameterized SQL
  cmd.CommandText = "SELECT * FROM UserTable WHERE id=@id";
  cmd.Parameters.Add("@id", Request["id"]);
  cmd.ExecuteReader();
Okay: Escaping functions provided by the language (must always use the right one, and compose them in the right order)
Okay: Casting to a numerical data type
15
Bad Defense: Manual Blacklist
Check input for dangerous characters; replace with harmless equivalents, or die without executing the query
Hard to get right: easy to forget unusual corner cases, alternate character encodings
Escape handling may depend on db server software: may not match developer expectation; if server software changes, code is vulnerable
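Added example (Python with the standard sqlite3 module, not from the slides): the integer-id lookup from the Example Question built with concatenation, behind a manual blacklist, with a bound parameter and with a cast, plus the quoted Username query from Attack Characteristics. Table and column names are the slide's; the rows and the attacker inputs are constructed.

```python
# Added example: the integer-id lookup from the Example Question built four
# ways against an in-memory SQLite database, plus the quoted Username query
# from Attack Characteristics.  Not from the slides; rows and inputs are
# constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserTable (id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    db.executemany("INSERT INTO UserTable VALUES (?, ?, ?)",
                   [(1, "alice", "pw-alice"), (2, "bob", "pw-bob"), (3, "admin", "pw-admin")])
    return db


# Vulnerable: the slide's concatenated query, string where an integer is expected.
def lookup_concat(db, user_id: str):
    return db.execute("SELECT * FROM UserTable WHERE id=" + user_id).fetchall()


# Bad defence: manual blacklist.  Dies on the characters the developer thought
# of; an integer context needs none of them.
def lookup_blacklist(db, user_id: str):
    for bad in ("'", ";", "--"):
        if bad in user_id:
            raise ValueError("rejected by blacklist")
    return lookup_concat(db, user_id)


# Best: parameterized query.  The driver sends the value separately; it is
# compared as data and never parsed as SQL.
def lookup_param(db, user_id: str):
    return db.execute("SELECT * FROM UserTable WHERE id=?", (user_id,)).fetchall()


# Okay: cast to the numeric type the column expects; anything else is an error.
def lookup_cast(db, user_id: str):
    return db.execute("SELECT * FROM UserTable WHERE id=" + str(int(user_id))).fetchall()


# String context: breaking out of the quoted Username literal.
def password_concat(db, username: str):
    return db.execute("SELECT Password FROM UserTable WHERE Username='" + username + "'").fetchall()


def password_param(db, username: str):
    return db.execute("SELECT Password FROM UserTable WHERE Username=?", (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "0 OR 1=1"))       # every row
    print(lookup_blacklist(db, "0 OR 1=1"))    # every row: nothing blacklisted
    print(lookup_param(db, "0 OR 1=1"))        # []
    print(password_concat(db, "' OR '1'='1"))  # every password
```

The input `0 OR 1=1` dumps the whole table through the concatenated query and sails past the blacklist, because the integer context needs no quote, semicolon or comment. Bound, the same string is compared as a literal to the integer column and matches nothing. The stacked `'; UPDATE …` payload from the next slide needs a driver that runs several statements per call; sqlite3's execute() refuses that (executescript() would not), so it is not reproduced here.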
16
Bad Defense: Authentication
Developer says: "Only administrators can view the vulnerable page and the admin already has full database access. Therefore, SQL injection is not a problem." Is this exploitable?
Problem: malicious content elsewhere can exploit the site's trust in the user (request forgery) to make the admin's browser request the vulnerable page with the injection in it:
<img src="/admin/lookupuser.php?id='; UPDATE Person SET Password='x' WHERE username='admin">
18
Access Control Example
Alice can read and write the file x, read the file y, and execute the file z. Bob can read x, read and write y, and cannot access z.
Write an ACL and a capability list.
20
Capability list
Alice: File x: read, write; File y: read; File z: execute
Bob: File x: read; File y: read, write
21
Comparison
Q: Which access control mechanism is better at containing a Trojan horse virus?
Capability model allows the capability owner to reduce the capability inherited by a process: a Trojan horse process can be run without write access to file y (for example). Can this stop all Trojans?
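Added example (Python, not from the slides): the exercise's access matrix turned into the ACL (column view) and the capability list (row view), and the comparison point above: Bob runs an untrusted program once under an ACL check, where the process carries his full identity, and once with a capability list from which write access to y has been dropped. The function names and the Trojan's two actions are made up for the demo.

```python
# Added example: the exercise's access matrix as an ACL and a capability list,
# and the Trojan-horse point.  Not from the slides; function names are made up.

# Access matrix from the exercise: subject -> object -> rights.
MATRIX = {
    "Alice": {"x": {"read", "write"}, "y": {"read"}, "z": {"execute"}},
    "Bob":   {"x": {"read"}, "y": {"read", "write"}},
}


def acl(matrix):
    """Column view, stored with each object: object -> subject -> rights."""
    table = {}
    for subject, objects in matrix.items():
        for obj, rights in objects.items():
            table.setdefault(obj, {})[subject] = set(rights)
    return table


def capability_list(matrix, subject):
    """Row view, held by the subject: object -> rights."""
    return {obj: set(rights) for obj, rights in matrix[subject].items()}


def acl_allows(table, subject, obj, right):
    """ACL check: the process acts with its user's full identity."""
    return right in table.get(obj, {}).get(subject, set())


def cap_allows(caps, obj, right):
    """Capability check: only what is in the list handed to the process."""
    return right in caps.get(obj, set())


def restrict(caps, obj, drop):
    """Copy a capability list with some rights on `obj` removed, for a child."""
    child = {o: set(r) for o, r in caps.items()}
    child[obj] = child.get(obj, set()) - set(drop)
    return child


def trojan(check):
    """A program Bob runs that, besides its advertised job, tries to overwrite
    y and to read x.  `check(obj, right)` is the reference monitor it faces.
    Returns the actions that succeeded."""
    return {action for action in (("y", "write"), ("x", "read")) if check(*action)}


def compare():
    """Bob runs the Trojan under both mechanisms."""
    table = acl(MATRIX)
    under_acl = trojan(lambda o, r: acl_allows(table, "Bob", o, r))
    caps = restrict(capability_list(MATRIX, "Bob"), "y", {"write"})
    under_caps = trojan(lambda o, r: cap_allows(caps, o, r))
    return under_acl, under_caps
```

Under the ACL the Trojan overwrites y because it is simply "Bob"; with the reduced capability list the write fails. It does not stop every Trojan: whatever remains in the list (here read on x) the program can still exercise, so it can still leak data; the list only bounds the damage.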
22
Bell-La Padula Model
User    Cleared for          Wants to access     Read   Write
Paul    TOPSECRET, {A,C}     SECRET, {C}         yes    no
Robin   CONFIDENTIAL, {B}    SECRET, {B}         no     yes
Sammi   TOPSECRET, {A,C}     CONFIDENTIAL, {A}   yes    no
Anna    CONFIDENTIAL, {C}    CONFIDENTIAL, {B}   no     no
TOPSECRET > SECRET > CONFIDENTIAL; A ≠ B ≠ C
Rules used: a label dominates another iff its level is at least as high and its compartment set is a superset. Read is allowed iff the user's clearance dominates the object's label (simple security property: no read up); write is allowed iff the object's label dominates the clearance (*-property: no write down). Anna fails both ways because {C} and {B} are incomparable.
23
Bell-La Padula Model
User Cleared for Wants to accessRea
dWrit
e
PaulTOPSECRET, {A,
C}SECRET, {C}
RobinCONFIDENTIAL,
{B}SECRET, {B}
SammiTOPSECRET, {A,
C}CONFIDENTIAL,
{A}
AnnaCONFIDENTIAL,
{C}CONFIDENTIAL,
{B}
TOPSECRET > SECRET > CONFIDENTIALA ≠ B ≠ C
24
Bell-La Padula Model
User Cleared for Wants to accessRea
dWrit
e
PaulTOPSECRET, {A,
C}SECRET, {C}
RobinCONFIDENTIAL,
{B}SECRET, {B}
SammiTOPSECRET, {A,
C}CONFIDENTIAL,
{A}
AnnaCONFIDENTIAL,
{C}CONFIDENTIAL,
{B}
TOPSECRET > SECRET > CONFIDENTIALA ≠ B ≠ C
25
Bell-La Padula Model
User Cleared for Wants to accessRea
dWrit
e
PaulTOPSECRET, {A,
C}SECRET, {C}
RobinCONFIDENTIAL,
{B}SECRET, {B}
SammiTOPSECRET, {A,
C}CONFIDENTIAL,
{A}
AnnaCONFIDENTIAL,
{C}CONFIDENTIAL,
{B}
TOPSECRET > SECRET > CONFIDENTIALA ≠ B ≠ C
26
Bell-La Padula Model
User Cleared for Wants to accessRea
dWrit
e
PaulTOPSECRET, {A,
C}SECRET, {C}
RobinCONFIDENTIAL,
{B}SECRET, {B}
SammiTOPSECRET, {A,
C}CONFIDENTIAL,
{A}
AnnaCONFIDENTIAL,
{C}CONFIDENTIAL,
{B}
TOPSECRET > SECRET > CONFIDENTIALA ≠ B ≠ C
27
Biba Policy
How would a virus spread if:
The virus were placed in the system at system low (the compartment which all other compartments dominate)? It could only infect the lowest compartment: Biba forbids writing up.
The virus were placed in the system at system high (the compartment which dominates all other compartments)? It could infect all other compartments: writing down is allowed.
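Added example (Python, not from the slides) serving both the Bell-La Padula table and the Biba question: one dominance relation, the two BLP rules, their Biba duals, the read/write decisions for the four users, and the set of labels a virus can reach under Biba from system low and from system high. Users, levels and compartments are the slide's; the small integrity lattice used for the virus question is constructed.

```python
# Added example: Bell-LaPadula decisions for the table above and the Biba dual
# behind the virus question.  Not from the slides; the integrity lattice below
# is constructed.

LEVELS = {"CONFIDENTIAL": 1, "SECRET": 2, "TOPSECRET": 3}


def dominates(a, b):
    """Label a = (level, compartments) dominates b iff level(a) >= level(b)
    and compartments(a) is a superset of compartments(b)."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and set(a[1]) >= set(b[1])


# Bell-LaPadula (confidentiality): read down / write up.
def blp_read(subject, obj):
    return dominates(subject, obj)        # simple security: no read up


def blp_write(subject, obj):
    return dominates(obj, subject)        # *-property: no write down


# Biba (integrity) is the dual: read up / write down.
def biba_read(subject, obj):
    return dominates(obj, subject)        # no read down


def biba_write(subject, obj):
    return dominates(subject, obj)        # no write up


# The slide's table: user -> (clearance, label of the object wanted)
TABLE = {
    "Paul":  (("TOPSECRET", {"A", "C"}), ("SECRET", {"C"})),
    "Robin": (("CONFIDENTIAL", {"B"}),   ("SECRET", {"B"})),
    "Sammi": (("TOPSECRET", {"A", "C"}), ("CONFIDENTIAL", {"A"})),
    "Anna":  (("CONFIDENTIAL", {"C"}),   ("CONFIDENTIAL", {"B"})),
}


def blp_answers():
    """user -> (may read, may write)"""
    return {u: (blp_read(s, o), blp_write(s, o)) for u, (s, o) in TABLE.items()}


# Constructed integrity lattice for the Biba question, reusing the same
# dominance relation: "low" is dominated by everything, "high" dominates all.
INTEGRITY = {
    "low":      ("CONFIDENTIAL", set()),
    "conf-A":   ("CONFIDENTIAL", {"A"}),
    "secret-B": ("SECRET", {"B"}),
    "high":     ("TOPSECRET", {"A", "B", "C"}),
}


def biba_virus_reach(virus_label, lattice=INTEGRITY):
    """Under Biba a virus can only infect (write) objects its label dominates."""
    return {name for name, label in lattice.items() if biba_write(virus_label, label)}
```

The same `dominates` function answers both questions; BLP and Biba differ only in which side of the comparison the subject sits on.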
28
Effective user id (EUID)
Each process has three IDs (+ more under Linux):
Real user ID (RUID): same as the user ID of the parent (unless changed); used to determine which user started the process
Effective user ID (EUID): from the set-user-ID bit on the file being executed, or a sys call; determines the permissions for process file access and port binding
Saved user ID (SUID): so the previous EUID can be restored
Real group ID, effective group ID: used similarly
29
Example
Program B (owner 33), run by user 25: RUID 25, EUID 25, SUID 25
  …; fork(); exec();   (execs program C)
Program C (owner 18, SetUID): RUID 25, EUID 18, SUID 18
  …; …; i = getruid(); setuid(i); …; …;
After setuid(i): RUID 25, EUID 25, SUID 18
(On exec of a set-user-ID file both EUID and SUID become the file owner, 18; an unprivileged setuid() changes only the EUID, so the saved ID stays 18 and the process can later return to EUID 18. getruid() here stands for the real-uid query, getuid() in POSIX.)
If program C was owner 0 (root), it could change its IDs to anything…
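Added example (Python, not from the slides): the uid transitions of the example as a small model. The rules are POSIX's (exec of a set-user-ID file sets EUID and SUID to the file owner; setuid() sets all three IDs when EUID is 0 and otherwise only the EUID, to the real or saved value); the uid numbers 25, 18 and 0 are the slide's, the function names and the target uid 1000 are made up.

```python
# Added example: a model of the RUID/EUID/SUID rules used in the example above.
# Not from the slides; the rules are POSIX's, the uid numbers are the slide's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Creds:
    ruid: int
    euid: int
    suid: int


def exec_program(c: Creds, owner: int, setuid_bit: bool) -> Creds:
    """exec(): the real uid never changes.  With the set-user-ID bit, the
    effective and saved uids both become the file owner; without it the saved
    uid is simply set to the (unchanged) effective uid."""
    if setuid_bit:
        return Creds(c.ruid, owner, owner)
    return Creds(c.ruid, c.euid, c.euid)


def setuid_call(c: Creds, target: int) -> Creds:
    """setuid(target): with euid 0 all three ids change (root can become anyone);
    otherwise only the effective uid may change, and only to the real or saved
    uid.  Anything else fails with EPERM."""
    if c.euid == 0:
        return Creds(target, target, target)
    if target in (c.ruid, c.suid):
        return Creds(c.ruid, target, c.suid)
    raise PermissionError("EPERM")


def slide_walkthrough():
    """User 25 runs program B, which execs set-user-ID program C owned by 18."""
    in_b = Creds(25, 25, 25)
    in_c = exec_program(in_b, owner=18, setuid_bit=True)   # RUID 25 EUID 18 SUID 18
    dropped = setuid_call(in_c, in_c.ruid)                 # i = getruid(); setuid(i)
    regained = setuid_call(dropped, dropped.suid)          # saved uid lets C go back to 18
    return in_c, dropped, regained


def root_walkthrough():
    """If program C were owned by 0, it could change its ids to anything."""
    in_c = exec_program(Creds(25, 25, 25), owner=0, setuid_bit=True)
    return setuid_call(in_c, 1000)
```

The `regained` step is the reason the saved ID exists: after dropping to EUID 25 the program can still come back to 18, which is convenient for a daemon and exactly what an attacker wants after hijacking a set-user-ID process, so privilege is only truly dropped when the saved ID is changed too (setresuid() on Linux).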
31
TPM Functions
Updating PCR: TPM_Extend(n, D): PCR[n] ← SHA-1(PCR[n] || D)
TPM_PcrRead(n): returns value(PCR(n))
TPM_SaveState and TPM_Startup(ST_STATE)
Encrypted storage:
TPM_TakeOwnership(OwnerPassword, …)
TPM_CreateWrapKey
TPM_Seal(keyhandle, KeyAuth, PcrValues, data)
TPM_Unseal: only when the current PCR matches the blob's PCR
32
TPM Functions
Attestation: TPM_Quote (some) arguments:
keyhandle: which AIK key to sign with
KeyAuth: password for using key `keyhandle'
PCR List: which PCRs to sign
Challenge: 20-byte challenge from the remote server; prevents replay of old signatures
Userdata: additional data to include in the signature
Returns signed data and signature.
33
TPM Keys
Endorsement key (EK): for endorsing AIKs; certificate issued once per TPM by the vendor
Attestation Identity Key (AIK): for use with TPM_Quote; creation details "not important"
Storage Root Key (SRK): root of the storage hierarchy, protects (wraps) the wrap keys; created by TPM_TakeOwnership
Wrap keys: encrypt data with TPM_Seal; created by TPM_CreateWrapKey
Data encrypted by TPM_Seal (usually an AES key): the only key in this hierarchy that is not hidden inside the TPM
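Added example (Python, not from the slides or any TPM library): TPM_Extend as a SHA-1 chain, the PCR-bound unseal check and the data TPM_Quote signs, modelled with hashlib. The measured blobs, register numbers and the "AES key" are constructed; seal/unseal here is only the PCR policy check, not the encryption under a wrap key, and the quote stops at the digest the AIK would sign.

```python
# Added example: TPM_Extend as a SHA-1 chain, the PCR-bound unseal check and
# the data TPM_Quote signs, modelled with hashlib.  Not from the slides or any
# TPM library; measured blobs, register numbers and the "AES key" are
# constructed, and seal/unseal is only the PCR policy check.
import hashlib
import hmac

DIGEST_LEN = 20   # SHA-1, TPM 1.2 PCR width


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, d: bytes) -> bytes:
    """TPM_Extend(n, D): PCR[n] <- SHA-1(PCR[n] || D), D a 20-byte digest."""
    if len(pcr) != DIGEST_LEN or len(d) != DIGEST_LEN:
        raise ValueError("PCR and D must be 20-byte digests")
    return sha1(pcr + d)


def measure_chain(blobs) -> bytes:
    """Boot-time measurement: the PCR starts at all zeros after TPM_Startup, and
    each component is hashed and extended in load order."""
    pcr = bytes(DIGEST_LEN)
    for blob in blobs:
        pcr = extend(pcr, sha1(blob))
    return pcr


def seal(pcr_value: bytes, data: bytes) -> tuple:
    """TPM_Seal(..., PcrValues, data): the blob records the PCR value it is bound to."""
    return (pcr_value, data)


def unseal(blob: tuple, current_pcr: bytes) -> bytes:
    """TPM_Unseal: releases the data only when the current PCR matches the blob's."""
    bound, data = blob
    if not hmac.compare_digest(bound, current_pcr):
        raise PermissionError("PCR mismatch: platform state differs from seal time")
    return data


def quote_digest(pcrs: dict, challenge: bytes, userdata: bytes = b"") -> bytes:
    """The value TPM_Quote signs with the AIK: the selected PCRs, the remote
    server's 20-byte challenge (so an old signature cannot be replayed) and any
    user data.  The asymmetric signature itself is not modelled here."""
    if len(challenge) != DIGEST_LEN:
        raise ValueError("challenge must be 20 bytes")
    body = b"".join(bytes([n]) + v for n, v in sorted(pcrs.items()))
    return sha1(body + challenge + userdata)
```

The order dependence of the chain is the whole point: the same components loaded in a different order, or one changed byte in any of them, give a different PCR, so the unseal fails and a quote over that PCR no longer matches what the verifier expects.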
36
Example Question
The Earlybird worm signature generation system only finds worm signatures that consist of a consecutive sequence of characters. Give an example of a vulnerability that a worm can exploit that cannot be detected using such signatures.
37
Follow up
Suppose Earlybird was able to generate signatures that contain wild cards (for example, "script/*.cgi"). Give an example of a vulnerability that a worm can exploit that cannot be detected using such signatures.