Guest Lecture on Security 1 Security Nicholas Weaver ICSI.
-
Upload
collin-day -
Category
Documents
-
view
221 -
download
0
Transcript of Guest Lecture on Security 1 Security Nicholas Weaver ICSI.
1
Guest Lecture on Security
Security
Nicholas Weaver
ICSI
2
Guest Lecture on Security
Who Am I?• Finished Berkeley last October• Now a postdoctoral researcher at ICSI• Research area: security
– Mostly the worm problem: How attackers can compromise all vulnerable systems of a given time?
– What can we do to prevent, detect, analyze, respond, tolerate, and recover from worm attacks?
• Bias towards enterprise-level defenses
• Secondary interest: Computer Architecture– Field Programmable Gate Arrays: General-purpose
custom chips
3
Guest Lecture on Security
Talk outline• Why Security is Interesting and Hard• The Authentication Problem:
– “Are you X”?– Cryptography to perform authentication and integrity– The problem of the human element
• The Worm Problem:– Attacking all machines at the same time– The Tragedy of the Commons:
• Security is often limited by economic considerations
• Analyzing a recent worm attack: Slammer• Analyzing a recent worm attack: Witty• (if time): The OODA Loop
4
Guest Lecture on Security
Why Security is Hard
• Security is one of the hardest areas in Computer Science (and in general)– Therefore, its possibly the most enjoyable area!
• Adversarial Nature– The adversary is often not constrained by the same
rules• Instead, constrained by his (or her or their) intent, skill, and
resources
– The attacker has an easier job!
• Real-World Messyness– Humans are often the weakest link
5
Guest Lecture on Security
Adversaries:• L337 SKR1P7 K1DD13Z
– “So you are describing 16 year olds who are trying to take down the Internet as a hobby?”“No, it’s their social life”
– Paraphrased from a Clive Thompson article on virus writers
– Attack targets of opportunity
• Insiders– Often trusted individuals, often in it for the money
• Terrorists– None to date, but the potential exists
• Nation-State opponents
6
Guest Lecture on Security
Need to model an adversary:Evil Twins
• We need to protect against what can be done, not just what has been done– Thus we need to model an adversary who’s as capable
and creative as possible• But if we can model someone more creative then ourselves, we
could become that person
• Solution: Evil Twin– What would your evil twin do to accomplish X?
• With various levels of resources, tolerance for risk, goals, etc…
– There is a formal version of this process, Red Teaming
7
Guest Lecture on Security
The Attacker has an Easier Job
• The attacker needs to find just ONE weakness– The defender must defend all that the attacker could use– Attackers often use known vulnerabilities
• And only needs to know one• While the defender must have patched all
• The attacker is not constrained by rules– A little bribery, a little break-in, CDs in the parking lot, eh, why
not?• A janitor has physical access to a large host of computers
– Use the physical world to influence the electronic world• Or vice-versa
• The attack can become democratic…– Once someone releases a toolkit or exploit, every L337 K1DD107 can use it.
8
Guest Lecture on Security
Example:How to “Take Down” an ISP
• The attacker’s problem: He doesn’t like “ISP X”, and wishes to cause a complete shutdown– He could be working for a competitor
• Route BGP updates into OSPF– BGP is used for Internet routing between ISPs– OSPF is an internal protocol used internally to an ISP
• Updates are O(n2) on all routers in the institution– Break into a machine room
Gain root on a routerRedirect the external BGP feed into the internal OSPF feed
• Observation: If a router’s CPU goes to a steadly 100%, the router will crash
– Now all the ISPs routers will crash– According to Avi Freedman, this has happened before
9
Guest Lecture on Security
Reflections onthis attack
• Physical access is helpful but not necessary– Physical access -> easy root
• How good is every machine room your systems are in?• The attacker reportedly got caught on camera
– Can get root in other ways• Root a sysadmin’s machine and then sniff his passwords
– Happened at UC Berkeley to compromise argus (the CS department login server) and also instructional sun systems
• Attack abused intended functionality– Every router in the ISP trusts the other routers– OSPF information rarely changes, so a computationally complex update is
acceptable• Attack abused weak engineering
– Why should routers crash when the CPU goes to 100%?• Attacker needed a motive
– Otherwise, why bother?
10
Guest Lecture on Security
The Authentication Problem
• Authentication: “I am Nick Weaver”– How do I prove to you that I am who I am?
• Authorization: “Because I am Nick Weaver, I’m allowed into Soda Hall”– Given what you know of me, what am I allowed to do?– Why airlines are happy to check IDs:
• Tickets are not supposed to be resold
• Intent: “I’m just here to give a lecture”– Really hard to answer from the above
• Why a national ID card doesn’t work well at detecting terrorists
11
Guest Lecture on Security
Common Properties ofAuthentication
• Authentication is usually transitive from some more trusted source: You know I am Nick Weaver because…– Ion Stoica introduced me
– My CA drivers liscence says that I’m me
– Everyone else in soda hall calls me “Nick”…
• Authentication usually involves a property or secret– I know this random magic number/password
• Thus anyone who can steal it can masquerade as me
– I have this grinning face, and fingerprints• Which matches the ID card created by the trusted entity
– I carry this cryptographic-doohicky which spits out numbers• Or all of the above
12
Guest Lecture on Security
CryptographicAuthentication
• Needham and Schoeder “Using Encryption for Authentication in Large Networks of Computers”
• Basic assumptions:– There exists a trusted server (or group of servers) which can
authenticate each individual
– ALL communication can be monitored by an attacker
– The attacker does NOT control any end-hosts
• Goals of the work:– Show how to use both public and private key cryptography to
mutually authenticate two parties• Generate a key which only the two parties know
• This key can then be used to provide confidentiality and integrity
13
Guest Lecture on Security
Basic Primitives• Three parties: A, B, and S
– A and B can both authenticate with the Authentication Server• KA
– A secret key known only to A• KXY
– A secret key known to both X and Y• Iai
– A random value (nonce) which is used only once• E(K,M) → cyphertext
D(K, E(K,M)) → M– Encryption assumed to provides both confidentiality and integrity
• PKA, SKA– A public/private key corresponding to A– Public key cryptography is asymmetric– D(SKA, E(PKA, M)) → M
• A message encrypted with a public key can only be decrypted with the private key– D(PKA, E(SKA, M)) → M
• A message encrypted with the private key could only have been created by someone who knows the private key (signing)
14
Guest Lecture on Security
Both Integrity ANDSecrecy are key
• With just secrecy, an attacker might still be able to change messages:– EG, the XOR cypher:
A random key K, as long as the message, is XORed with the message
• Secrecy is 100%– Unless the evesdropper knows the random key (or the key is
reused), the secrecy is 100%
• The integrity is nonexistant:– Attacker knows that the message is “don’t do anything”
– He replaces the message M with M “don’t do anything” “attack at dawn”
15
Guest Lecture on Security
Authenticating a Channel Between A and B
• We need to generate a Kab such that:– Anyone with either Sa or Sb can determine the key
• Mutual authentication– Nobody else can
• A → S: E(Kas, (B, Ia1))• S → A: E(Kas, (Kab, Ia1, E(Kbs, Kab))• A → B: E(Kbs, Kab) • Now A and B share a key
– Unfortunatly, S knows this key, but S has to be trusted anyway
• B → A: E(Kab, Ib)• A → B: E(Kab, Ib – 1)
– Exchanging the Nonce keeps someone from replaying the communication to B
16
Guest Lecture on Security
Authenticating a Channel with Public Key Cryptography
• A→S: A, B• S→A: E(SKs, (PKb, B))
– S signs B’s key and returns it to A
• A→B: E(PKb, Ia)• B→S: B, A• S→B: E(SKs, PKa)
– S signs A’s key and returns it to B
• B→A: E(PKa, (Ia, Ib))• A→B: E(PKb, (Ib, Kab))• Public key advantage: Now S doesn’t know Kab
– BUT S could still cause problems (eg, send the wrong public key for B)
17
Guest Lecture on Security
Only Three Major Innovations After the Paper was Written
• Have the authentication server sign A and B’s keys– PKI (Public Key Infrastructure), aka Verisign– Now the central authority is completely “offline”
• A and B just exchange signed keys
• Have everyone sign other people’s keys– PGP “Web of Trust”– No central authority, instead trust is transitive and aggregated from other
players
• Imprinting protocols– SSH– Key is transferred on the first communication
• Vulnerable to an initial man-in-the-middle, but not subsequent MitM attacks
• All three new techniques can’t perform timestamps– Still need a trusted intermediary if we wish to perfrom time-guarenteed
signatures
18
Guest Lecture on Security
But Crypto Isn’t TheHard Part…
• It’s the users & usage– Anyone who can grab A’s secret (SKA) can masquerade as A
• Sidechannel/Timing Attacks– Observing secondary properties of encryption (eg, time to encrypt
a message with a public key) can help determine the key• Keyloggers/Trojans
– All the crypto in the world doesn’t allow you to connect using a compromised workstation
• User Bribing/Tricking– “Run this attachment or your account will be shut down” email– phishing: Email tricking users into entering their passwords– “I’m with the phone company, what is your voice mail password?”– “I’ll give you a candy bar if you tell me your password”
• User Coercion: “Rubber Hose Cryptanalysis”
19
Guest Lecture on Security
What Are Computer Worms?
• Self replicating network programs– Exploit vulnerabilities to infect remote machines
– Victim machines continue to propagate the infection
• Three main stages– Detect new targets
– Attempt to infect new targets
– Activate the code on the victim machine
• My work focuses on autonomous worms– No human intervention required
Network
Network
20
Guest Lecture on Security
Why are computer wormsproblematic?
• They attack monocultures:– All systems running the same (program/OS/configuration)
• Monocultures can be VERY large: all of NT4/Win2K/WinXP/Win2K3 form a monoculture
– “Write once, 0wn everything”
• They are very fast:– Defenses to worms must be automatic
• They get nearly everywhere:– Worms are particularly good at penetrating firewalls
• They are democratic:– Someone can write a toolkit, and now everyone can use it
21
Guest Lecture on Security
How to 0wn the Internet• The theory and practice of very fast worms...
– Circa Summer 2002
• Code Red v2:– First recent autonomous worm
• Code Red II:– Added backdoor– Local subnet preference to exploit firewalls
• Once it penetrates, it quickly infests the LAN
• Nimda:– Mixed mode behavior
• Injected itself into .html files• Attacked Code Red IIs backdoor
– Firewall crossing
22
Guest Lecture on Security
Nimda: ComplexityMakes an Effective Worm
• Nimda was a Mutt: it mixed various features together– Net result was far more effective than the individual
components
• Nimda was very large– ~100 kB of code!
• The net result was a very wide spread– Modes interacted synergistically
23
Guest Lecture on Security
Nimda: Active Modes
• Web Server:– Unicode, directory traversal, and Code Red II:
• All, through special path, allow access to a command shell• Use shell to transfer over the worm
• Open file shares:– Attempt to search and mount local directories– Write worm as a .dll in every directory
• Buggy Microsoft Office would execute .dll if an office document is opened in that directory
• Scanning is biased for local addresses– Take advantage of firewall penetrations
24
Guest Lecture on Security
Nimda: Firewall Penetrations
• Email mode:– Respond to mail messages with infection attempt
• Buggy outlook copies would automatically execute (mail worm)
• Users would execute (mail virus)
• Web Client mode:– Write javascript to execute worm in all .html pages discovered
• Buggy explorer would automatically run the worm
• High rate of succes not necessary– Goal is to get a foothold in the firewall, not to spread everywhere
25
Guest Lecture on Security
Nimda: Results
• Using multiple exploits helped it considerably– Patching is a problem...
Patching 4 applications is an even bigger problem• Patches from 3-4 separate sources
• It waltzed through firewalls– A single penetration, and voila...
– Effective synergy between multiple exploits
26
Guest Lecture on Security
How to 0wn the Internet:Theoretical Worms
• Warhol Worm– How to spread in 15 minutes– Faster random scanning
• 100 scans/s/worm rather than ~10 scans/s/worm
– Hitlisting• Start on ~1000 machines rather
than 1• Exponentials actually start slowly
– Permutation scanning• Efficiently divide the address space
• Flash worm– Complete hitlist, spreads in <30 seconds
27
Guest Lecture on Security
Worms and the Tragedy of the Commons
• For scanning worms, there is a simple blocking technique:– Limit outbound scanning on all systems to <1 scan/minute
• Virus Throttle/Worm containment
• However, this requires universal deployment– With only 50% deployment, it is equivelent to simply removing ½
the machines• Slowing the worm by only 50%• And it only protects others!
• Thus it is useless on the Internet!– Why pay your money to protect your neighbor?
• Egress filtering: blocking the exit of spoofed packets from a network, is far from universally deployed and costs effectively nothing!
• But it can be useful in an enterprise
28
Guest Lecture on Security
More Recent Worms: Slammer
• Self-propagating UDP packet– Infected ~75K machines
in 10 minutes!
• Full scanning rate in ~3 minutes– >55 Million IPs/s
• Initial doubling rate was about every 8.5 seconds– Local saturations
occur in <1 minute
• <1 minute to mount a defense of the Internet
29
Guest Lecture on Security
Slammer: SimplicityMakes an Effective Worm
• Slammer was a single packet UDP worm– Cleanup from buffer overflow– Get API pointers
• Code borrowed from published exploit
– Create socket & packet– Seed PRNG with getTickCount()– While 1
• Increment PRNG– 3 bugs in the code
• Send self to PRNG address
• 404 bytes total• Worldwide Spread in 10 minutes
– Peak scanning in ~3 minutes• >55 million packets/second
– >75000 compromised machines
Header
Oflow
API
Socket
Seed
PRNG
Sendto
30
Guest Lecture on Security
Why Was Slammer Fast: A Bandwidth-Limited Scanner
• Code Red's scanner is latency-limited– In many threads: send SYN to random address,
wait for response or timeout– Code Red ~6 scans/second,
• population doubles about every 40 minutes
• Every Slammer copy sent infectious packets at maximum rate– 1 Mb upload bandwidth 280 scans/second– 100 Mb upload bandwidth 28,000 scans/second
• Slammer was NOT self-congesting– Every packet sent did useful work!
31
Guest Lecture on Security
What Failed due to Slammer:LOTS!
• Some edge devices failed due to load– Several UCB switches needed resetting after infected machines were
removed
– Flow-based devices failed hard:• Every packet was a new flow!
• Many sites connectivity disrupted by outgoing traffic– Often with only a few infected machines
• Need to deploy fairness/bandwidth capping
• Some critical systems are not well isolated from the Internet, saw disruptions due to traffic/infection– Bellevue WA 911 system, BofA ATM system, airline reservation systems,
a nuclear powerplant control system...
– Almost all failures due to the traffic load on local networks, or actual infections
32
Guest Lecture on Security
More Recent Worms:Witty
• Yet Another Single Packet UDP worm (177 instructions)– But with some significant twists....
• Attacked an IDS system– If the IDS received a UDP packet with source port 4000 it would
be interpretedas a ICQ packet
– This analyzer had a stackoverflow vulnerability
• Malicious payload– Send out 20000 packets– Overwrite a random block on disk– Repeat process until the system crashes
• Short timeline– <48 hours between vulnerability disclosure
and worm releaseFrom Moore and Shannon’s analysis (caida.org)
33
Guest Lecture on Security
More On Witty• The attacker hitlisted/seeded the worm
– ~110 “bots” (previously compromised machines) ran a program to distribute the worm
• The attacker was malicious– And knew how to be malicious and
still spread• The attacker was motivated
– He worked very fast– He probably tested– He had to have a reason
From Moore and Shannon’s analysis (caida.org)
34
Guest Lecture on Security
The Problem: How to Model Adversarial Decision Making
• Multiple competing individuals or groups– Sysadmins vs Hackers
– Business Competition
– Opponents on the battlefield
• How do they think and act?– Need a way of describing how the decision making
process occurs• Using this, develop mechanisms to attack the decision making
process of an opponent
35
Guest Lecture on Security
Colonel John R. Boyd’s OODA “Loop”
Note how orientation shapes observation, shapes decision, shapes action, and in turn is shaped by the feedback and other phenomena coming into our sensing or observing window.
Also note how the entire “loop” (not just orientation) is an ongoing many-sided implicit cross-referencing process of projection, empathy, correlation, and rejection.
From “The Essence of Winning and Losing,” John R. Boyd, January 1996.
Note how orientation shapes observation, shapes decision, shapes action, and in turn is shaped by the feedback and other phenomena coming into our sensing or observing window.
Also note how the entire “loop” (not just orientation) is an ongoing many-sided implicit cross-referencing process of projection, empathy, correlation, and rejection.
From “The Essence of Winning and Losing,” John R. Boyd, January 1996.
FeedForward
Observations Decision(Hypothesis)
Action(Test)
CulturalTraditions
GeneticHeritage
NewInformation Previous
Experience
Analyses &Synthesis
FeedForward
FeedForward
ImplicitGuidance& Control
ImplicitGuidance& Control
UnfoldingInteraction
WithEnvironmentUnfolding
InteractionWith
Environment Feedback
Feedback
OutsideInformation
UnfoldingCircumstances
Observe Orient Decide Act
From Defense and the National Interest, http://www.d-n-i.net, copyright 2001 the estate of John Boyd Used with permission
36
Guest Lecture on Security
What is the OODA Loop?
• The OODA (Observe, Orient, Decide, Act) cycle was designed as a semi-formal model of adversarial decision making– Originally designed to represent strategic and tactical decision-making
• Implicit shortcuts are critical in human-based systems
– Really a complex nest of feedback loops– Every participant or group has its own OODA loop
• The fastest, accurate OODA loop usually wins• Attack the opponent’s decision making process
– Avoid/confuse/manipulate the opponent’s observation/detection• Stealthy worms
– Take advantage of errors in orientation/analysis– Move faster than the opponent’s reaction time
• Why autonomous worms outrace “human-in-the-loop” systems• Reactive worm defenses need fully-automated, prescripted paths in the
defensive OODA loops
37
Guest Lecture on Security
AutomatedOODA Loops
• Since both the worms and worm-defense routines are automatic while a fast worm is spreading, the OODA loops are much simpler
– Orientation and decision making are combined• No implicit paths, everything is now explicit
– The OODA loops are shaped by the designer’s goals, objectives, and skills
• This represents an entirely new security problem
PassiveLocalActive
AutomaticDecisionMaking
Actions
Observe Orient/Decide Act
CommunicationControl
Information Control
Feedback
Interaction withEnvironment
38
Guest Lecture on Security
(Backup Slide) Why the 0 in 0wn?
• It is L33T– Textual substitution
“cipher” in the hacker community
– Adopted by early chat room/hacker community to avoid stupid keyword filters
• Image Copyright 2000 by Fred Gallagher and Rodney Caston– www.megatokyo.com