Guest Lecture on Security 1 Security Nicholas Weaver ICSI.

1

Guest Lecture on Security

Security

Nicholas Weaver

ICSI

2


Who Am I?• Finished Berkeley last October• Now a postdoctoral researcher at ICSI• Research area: security

– Mostly the worm problem: How attackers can compromise all vulnerable systems of a given time?

– What can we do to prevent, detect, analyze, respond, tolerate, and recover from worm attacks?

• Bias towards enterprise-level defenses

• Secondary interest: Computer Architecture– Field Programmable Gate Arrays: General-purpose

custom chips

3


Talk outline• Why Security is Interesting and Hard• The Authentication Problem:

– “Are you X”?– Cryptography to perform authentication and integrity– The problem of the human element

• The Worm Problem:– Attacking all machines at the same time– The Tragedy of the Commons:

• Security is often limited by economic considerations

• Analyzing a recent worm attack: Slammer• Analyzing a recent worm attack: Witty• (if time): The OODA Loop

4


Why Security is Hard

• Security is one of the hardest areas in Computer Science (and in general)– Therefore, its possibly the most enjoyable area!

• Adversarial Nature– The adversary is often not constrained by the same

rules• Instead, constrained by his (or her or their) intent, skill, and

resources

– The attacker has an easier job!

• Real-World Messyness– Humans are often the weakest link

5


Adversaries:• L337 SKR1P7 K1DD13Z

– “So you are describing 16 year olds who are trying to take down the Internet as a hobby?”“No, it’s their social life”

– Paraphrased from a Clive Thompson article on virus writers

– Attack targets of opportunity

• Insiders– Often trusted individuals, often in it for the money

• Terrorists– None to date, but the potential exists

• Nation-State opponents

6


Need to model an adversary:Evil Twins

• We need to protect against what can be done, not just what has been done– Thus we need to model an adversary who’s as capable

and creative as possible• But if we can model someone more creative then ourselves, we

could become that person

• Solution: Evil Twin– What would your evil twin do to accomplish X?

• With various levels of resources, tolerance for risk, goals, etc…

– There is a formal version of this process, Red Teaming

7


The Attacker has an Easier Job

• The attacker needs to find just ONE weakness– The defender must defend all that the attacker could use– Attackers often use known vulnerabilities

• And only needs to know one• While the defender must have patched all

• The attacker is not constrained by rules– A little bribery, a little break-in, CDs in the parking lot, eh, why

not?• A janitor has physical access to a large host of computers

– Use the physical world to influence the electronic world• Or vice-versa

• The attack can become democratic…– Once someone releases a toolkit or exploit, every L337 K1DD107 can use it.

8


Example:How to “Take Down” an ISP

• The attacker’s problem: He doesn’t like “ISP X”, and wishes to cause a complete shutdown– He could be working for a competitor

• Route BGP updates into OSPF– BGP is used for Internet routing between ISPs– OSPF is an internal protocol used internally to an ISP

• Updates are O(n2) on all routers in the institution– Break into a machine room

Gain root on a routerRedirect the external BGP feed into the internal OSPF feed

• Observation: If a router’s CPU goes to a steadly 100%, the router will crash

– Now all the ISPs routers will crash– According to Avi Freedman, this has happened before

9


Reflections onthis attack

• Physical access is helpful but not necessary– Physical access -> easy root

• How good is every machine room your systems are in?• The attacker reportedly got caught on camera

– Can get root in other ways• Root a sysadmin’s machine and then sniff his passwords

– Happened at UC Berkeley to compromise argus (the CS department login server) and also instructional sun systems

• Attack abused intended functionality– Every router in the ISP trusts the other routers– OSPF information rarely changes, so a computationally complex update is

acceptable• Attack abused weak engineering

– Why should routers crash when the CPU goes to 100%?• Attacker needed a motive

– Otherwise, why bother?

10


The Authentication Problem

• Authentication: “I am Nick Weaver”– How do I prove to you that I am who I am?

• Authorization: “Because I am Nick Weaver, I’m allowed into Soda Hall”– Given what you know of me, what am I allowed to do?– Why airlines are happy to check IDs:

• Tickets are not supposed to be resold

• Intent: “I’m just here to give a lecture”– Really hard to answer from the above

• Why a national ID card doesn’t work well at detecting terrorists

11


Common Properties ofAuthentication

• Authentication is usually transitive from some more trusted source: You know I am Nick Weaver because…– Ion Stoica introduced me

– My CA drivers liscence says that I’m me

– Everyone else in soda hall calls me “Nick”…

• Authentication usually involves a property or secret– I know this random magic number/password

• Thus anyone who can steal it can masquerade as me

– I have this grinning face, and fingerprints• Which matches the ID card created by the trusted entity

– I carry this cryptographic-doohicky which spits out numbers• Or all of the above

12


CryptographicAuthentication

• Needham and Schoeder “Using Encryption for Authentication in Large Networks of Computers”

• Basic assumptions:– There exists a trusted server (or group of servers) which can

authenticate each individual

– ALL communication can be monitored by an attacker

– The attacker does NOT control any end-hosts

• Goals of the work:– Show how to use both public and private key cryptography to

mutually authenticate two parties• Generate a key which only the two parties know

• This key can then be used to provide confidentiality and integrity

13


Basic Primitives• Three parties: A, B, and S

– A and B can both authenticate with the Authentication Server• KA

– A secret key known only to A• KXY

– A secret key known to both X and Y• Iai

– A random value (nonce) which is used only once• E(K,M) → cyphertext

D(K, E(K,M)) → M– Encryption assumed to provides both confidentiality and integrity

• PKA, SKA– A public/private key corresponding to A– Public key cryptography is asymmetric– D(SKA, E(PKA, M)) → M

• A message encrypted with a public key can only be decrypted with the private key– D(PKA, E(SKA, M)) → M

• A message encrypted with the private key could only have been created by someone who knows the private key (signing)

14


Both Integrity ANDSecrecy are key

• With just secrecy, an attacker might still be able to change messages:– EG, the XOR cypher:

A random key K, as long as the message, is XORed with the message

• Secrecy is 100%– Unless the evesdropper knows the random key (or the key is

reused), the secrecy is 100%

• The integrity is nonexistant:– Attacker knows that the message is “don’t do anything”

– He replaces the message M with M “don’t do anything” “attack at dawn”

15


Authenticating a Channel Between A and B

• We need to generate a Kab such that:– Anyone with either Sa or Sb can determine the key

• Mutual authentication– Nobody else can

• A → S: E(Kas, (B, Ia1))• S → A: E(Kas, (Kab, Ia1, E(Kbs, Kab))• A → B: E(Kbs, Kab) • Now A and B share a key

– Unfortunatly, S knows this key, but S has to be trusted anyway

• B → A: E(Kab, Ib)• A → B: E(Kab, Ib – 1)

– Exchanging the Nonce keeps someone from replaying the communication to B

16


Authenticating a Channel with Public Key Cryptography

• A→S: A, B• S→A: E(SKs, (PKb, B))

– S signs B’s key and returns it to A

• A→B: E(PKb, Ia)• B→S: B, A• S→B: E(SKs, PKa)

– S signs A’s key and returns it to B

• B→A: E(PKa, (Ia, Ib))• A→B: E(PKb, (Ib, Kab))• Public key advantage: Now S doesn’t know Kab

– BUT S could still cause problems (eg, send the wrong public key for B)

17


Only Three Major Innovations After the Paper was Written

• Have the authentication server sign A and B’s keys– PKI (Public Key Infrastructure), aka Verisign– Now the central authority is completely “offline”

• A and B just exchange signed keys

• Have everyone sign other people’s keys– PGP “Web of Trust”– No central authority, instead trust is transitive and aggregated from other

players

• Imprinting protocols– SSH– Key is transferred on the first communication

• Vulnerable to an initial man-in-the-middle, but not subsequent MitM attacks

• All three new techniques can’t perform timestamps– Still need a trusted intermediary if we wish to perfrom time-guarenteed

signatures

18


But Crypto Isn’t TheHard Part…

• It’s the users & usage– Anyone who can grab A’s secret (SKA) can masquerade as A

• Sidechannel/Timing Attacks– Observing secondary properties of encryption (eg, time to encrypt

a message with a public key) can help determine the key• Keyloggers/Trojans

– All the crypto in the world doesn’t allow you to connect using a compromised workstation

• User Bribing/Tricking– “Run this attachment or your account will be shut down” email– phishing: Email tricking users into entering their passwords– “I’m with the phone company, what is your voice mail password?”– “I’ll give you a candy bar if you tell me your password”

• User Coercion: “Rubber Hose Cryptanalysis”

19


What Are Computer Worms?

• Self replicating network programs– Exploit vulnerabilities to infect remote machines

– Victim machines continue to propagate the infection

• Three main stages– Detect new targets

– Attempt to infect new targets

– Activate the code on the victim machine

• My work focuses on autonomous worms– No human intervention required

Network

Network

20


Why are computer wormsproblematic?

• They attack monocultures:– All systems running the same (program/OS/configuration)

• Monocultures can be VERY large: all of NT4/Win2K/WinXP/Win2K3 form a monoculture

– “Write once, 0wn everything”

• They are very fast:– Defenses to worms must be automatic

• They get nearly everywhere:– Worms are particularly good at penetrating firewalls

• They are democratic:– Someone can write a toolkit, and now everyone can use it

21


How to 0wn the Internet• The theory and practice of very fast worms...

– Circa Summer 2002

• Code Red v2:– First recent autonomous worm

• Code Red II:– Added backdoor– Local subnet preference to exploit firewalls

• Once it penetrates, it quickly infests the LAN

• Nimda:– Mixed mode behavior

• Injected itself into .html files• Attacked Code Red IIs backdoor

– Firewall crossing

22


Nimda: ComplexityMakes an Effective Worm

• Nimda was a Mutt: it mixed various features together– Net result was far more effective than the individual

components

• Nimda was very large– ~100 kB of code!

• The net result was a very wide spread– Modes interacted synergistically

23


Nimda: Active Modes

• Web Server:– Unicode, directory traversal, and Code Red II:

• All, through special path, allow access to a command shell• Use shell to transfer over the worm

• Open file shares:– Attempt to search and mount local directories– Write worm as a .dll in every directory

• Buggy Microsoft Office would execute .dll if an office document is opened in that directory

• Scanning is biased for local addresses– Take advantage of firewall penetrations

24


Nimda: Firewall Penetrations

• Email mode:– Respond to mail messages with infection attempt

• Buggy outlook copies would automatically execute (mail worm)

• Users would execute (mail virus)

• Web Client mode:– Write javascript to execute worm in all .html pages discovered

• Buggy explorer would automatically run the worm

• High rate of succes not necessary– Goal is to get a foothold in the firewall, not to spread everywhere

25


Nimda: Results

• Using multiple exploits helped it considerably– Patching is a problem...

Patching 4 applications is an even bigger problem• Patches from 3-4 separate sources

• It waltzed through firewalls– A single penetration, and voila...

– Effective synergy between multiple exploits

26


How to 0wn the Internet:Theoretical Worms

• Warhol Worm– How to spread in 15 minutes– Faster random scanning

• 100 scans/s/worm rather than ~10 scans/s/worm

– Hitlisting• Start on ~1000 machines rather

than 1• Exponentials actually start slowly

– Permutation scanning• Efficiently divide the address space

• Flash worm– Complete hitlist, spreads in <30 seconds

27


Worms and the Tragedy of the Commons

• For scanning worms, there is a simple blocking technique:– Limit outbound scanning on all systems to <1 scan/minute

• Virus Throttle/Worm containment

• However, this requires universal deployment– With only 50% deployment, it is equivelent to simply removing ½

the machines• Slowing the worm by only 50%• And it only protects others!

• Thus it is useless on the Internet!– Why pay your money to protect your neighbor?

• Egress filtering: blocking the exit of spoofed packets from a network, is far from universally deployed and costs effectively nothing!

• But it can be useful in an enterprise

28


More Recent Worms: Slammer

• Self-propagating UDP packet– Infected ~75K machines

in 10 minutes!

• Full scanning rate in ~3 minutes– >55 Million IPs/s

• Initial doubling rate was about every 8.5 seconds– Local saturations

occur in <1 minute

• <1 minute to mount a defense of the Internet

29


Slammer: SimplicityMakes an Effective Worm

• Slammer was a single packet UDP worm– Cleanup from buffer overflow– Get API pointers

• Code borrowed from published exploit

– Create socket & packet– Seed PRNG with getTickCount()– While 1

• Increment PRNG– 3 bugs in the code

• Send self to PRNG address

• 404 bytes total• Worldwide Spread in 10 minutes

– Peak scanning in ~3 minutes• >55 million packets/second

– >75000 compromised machines

Header

Oflow

API

Socket

Seed

PRNG

Sendto

30


Why Was Slammer Fast: A Bandwidth-Limited Scanner

• Code Red's scanner is latency-limited– In many threads: send SYN to random address,

wait for response or timeout– Code Red ~6 scans/second,

• population doubles about every 40 minutes

• Every Slammer copy sent infectious packets at maximum rate– 1 Mb upload bandwidth 280 scans/second– 100 Mb upload bandwidth 28,000 scans/second

• Slammer was NOT self-congesting– Every packet sent did useful work!

31


What Failed due to Slammer:LOTS!

• Some edge devices failed due to load– Several UCB switches needed resetting after infected machines were

removed

– Flow-based devices failed hard:• Every packet was a new flow!

• Many sites connectivity disrupted by outgoing traffic– Often with only a few infected machines

• Need to deploy fairness/bandwidth capping

• Some critical systems are not well isolated from the Internet, saw disruptions due to traffic/infection– Bellevue WA 911 system, BofA ATM system, airline reservation systems,

a nuclear powerplant control system...

– Almost all failures due to the traffic load on local networks, or actual infections

32


More Recent Worms:Witty

• Yet Another Single Packet UDP worm (177 instructions)– But with some significant twists....

• Attacked an IDS system– If the IDS received a UDP packet with source port 4000 it would

be interpretedas a ICQ packet

– This analyzer had a stackoverflow vulnerability

• Malicious payload– Send out 20000 packets– Overwrite a random block on disk– Repeat process until the system crashes

• Short timeline– <48 hours between vulnerability disclosure

and worm releaseFrom Moore and Shannon’s analysis (caida.org)

33


More On Witty• The attacker hitlisted/seeded the worm

– ~110 “bots” (previously compromised machines) ran a program to distribute the worm

• The attacker was malicious– And knew how to be malicious and

still spread• The attacker was motivated

– He worked very fast– He probably tested– He had to have a reason

From Moore and Shannon’s analysis (caida.org)

34


The Problem: How to Model Adversarial Decision Making

• Multiple competing individuals or groups– Sysadmins vs Hackers

– Business Competition

– Opponents on the battlefield

• How do they think and act?– Need a way of describing how the decision making

process occurs• Using this, develop mechanisms to attack the decision making

process of an opponent

35


Colonel John R. Boyd’s OODA “Loop”

Note how orientation shapes observation, shapes decision, shapes action, and in turn is shaped by the feedback and other phenomena coming into our sensing or observing window.

Also note how the entire “loop” (not just orientation) is an ongoing many-sided implicit cross-referencing process of projection, empathy, correlation, and rejection.

From “The Essence of Winning and Losing,” John R. Boyd, January 1996.

Note how orientation shapes observation, shapes decision, shapes action, and in turn is shaped by the feedback and other phenomena coming into our sensing or observing window.

Also note how the entire “loop” (not just orientation) is an ongoing many-sided implicit cross-referencing process of projection, empathy, correlation, and rejection.

From “The Essence of Winning and Losing,” John R. Boyd, January 1996.

FeedForward

Observations Decision(Hypothesis)

Action(Test)

CulturalTraditions

GeneticHeritage

NewInformation Previous

Experience

Analyses &Synthesis

FeedForward

FeedForward

ImplicitGuidance& Control

ImplicitGuidance& Control

UnfoldingInteraction

WithEnvironmentUnfolding

InteractionWith

Environment Feedback

Feedback

OutsideInformation

UnfoldingCircumstances

Observe Orient Decide Act

From Defense and the National Interest, http://www.d-n-i.net, copyright 2001 the estate of John Boyd Used with permission

36


What is the OODA Loop?

• The OODA (Observe, Orient, Decide, Act) cycle was designed as a semi-formal model of adversarial decision making– Originally designed to represent strategic and tactical decision-making

• Implicit shortcuts are critical in human-based systems

– Really a complex nest of feedback loops– Every participant or group has its own OODA loop

• The fastest, accurate OODA loop usually wins• Attack the opponent’s decision making process

– Avoid/confuse/manipulate the opponent’s observation/detection• Stealthy worms

– Take advantage of errors in orientation/analysis– Move faster than the opponent’s reaction time

• Why autonomous worms outrace “human-in-the-loop” systems• Reactive worm defenses need fully-automated, prescripted paths in the

defensive OODA loops

37


AutomatedOODA Loops

• Since both the worms and worm-defense routines are automatic while a fast worm is spreading, the OODA loops are much simpler

– Orientation and decision making are combined• No implicit paths, everything is now explicit

– The OODA loops are shaped by the designer’s goals, objectives, and skills

• This represents an entirely new security problem

PassiveLocalActive

AutomaticDecisionMaking

Actions

Observe Orient/Decide Act

CommunicationControl

Information Control

Feedback

Interaction withEnvironment

38


(Backup Slide) Why the 0 in 0wn?

• It is L33T– Textual substitution

“cipher” in the hacker community

– Adopted by early chat room/hacker community to avoid stupid keyword filters

• Image Copyright 2000 by Fred Gallagher and Rodney Caston– www.megatokyo.com

Guest Lecture on Security 1 Security Nicholas Weaver ICSI.

Documents

Transcript of Guest Lecture on Security 1 Security Nicholas Weaver ICSI.