EE 122: Network Security
Kevin Lai
December 2

Outline
  - Motivation
  - Network Security Problems
  - Other Forms of Security
  - Host Compromise
  - Definitions
  - Host Compromise: Stack Smash
  - Example
  - Effect of Stack Smash
  - Hall of Shame
  - Solution
  - Firewalls
  - Host Compromise: User Exploitation
  - User Exploitation
  - Solutions
  - Denial of Service
  - SYN Attack
  - Effect on Victim
  - Other Denial-of-Service Attacks
  - Dealing with Attack
  - Incomplete Solutions
  - Identifying Attacking Machines
  - Summary

Motivation
Internet currently used for important services
  - financial transactions, medical records
Could be used in the future for critical services
  - 911, surgical operations, energy system control, transportation system control
Networks more open than ever before
  - global, ubiquitous Internet, wireless
Malicious users
  - selfish users: want more network resources than you
  - malicious users: would hurt you even if it doesn't get them more network resources

Network Security Problems
Host compromise
  - attacker gains control of a host
Denial-of-service
  - attacker prevents legitimate users from gaining service
Attack can be both
  - e.g., host compromise that provides resources for denial-of-service
Other forms of attack
  - less common today because these two are so easy

Other Forms of Security
Prevent malicious users from
  - reading transmitted data (privacy)
  - pretending to be someone else (authentication)
  - doing something without permission (authorization)
  - modifying transmitted data (integrity)
  - claiming they did not send a message (nonrepudiation)
Detect
  - a compromise by a malicious user (intrusion detection)

Host Compromise
One of the earliest major Internet security incidents
  - Internet Worm (1988): compromised almost every BSD-derived machine on the Internet
Today: estimated that a single worm could compromise 10M hosts in < 15 min
Attacker gains control of a host
  - reads data
  - erases data
  - compromises another host
  - launches denial-of-service attack on another host

Definitions
Trojan
  - relies on user interaction to activate
  - usually relies on user exploitation
Worm
  - replicates itself
  - usually relies on stack smash attack
Virus
  - worm that attaches itself to another program

Host Compromise: Stack Smash
Typical code has many bugs because those bugs are not triggered by common input
Network code is vulnerable because it accepts input from the network
Network code that runs with high privileges (i.e., as root) is especially dangerous
  - e.g., web server

Example
What is wrong here:

    // Copy a variable length user name from a packet
    #define MAXNAMELEN 64
    char username[MAXNAMELEN];
    int offset = OFFSET_USERNAME;
    int name_len;
    name_len = packet[offset];
    memcpy(username, &packet[offset + 1], name_len);

Effect of Stack Smash
Write into part of the stack or heap
  - write arbitrary code to part of memory
  - cause program execution to jump to arbitrary code
Stack smashing worm
  - probes host for vulnerable software
  - sends bogus input
  - attacker can do anything that the privileges of the buggy program allow
    • launches copy of itself on compromised host
  - rinse, repeat at exponential rate
  - 10M hosts in < 15 min

Hall of Shame
Software that has had many stack smash bugs:
  - BIND (most popular DNS server)
  - RPC (Remote Procedure Call, used for NFS)
    • NFS (Network File System), widely used at UCB
  - sendmail (most popular UNIX mail delivery software)
  - IIS (Windows web server)
  - SNMP (Simple Network Management Protocol, used to manage routers and other network devices)

Solution
Don't write buggy software
  - it's not like people try to write buggy software
Type-safe languages
  - unrestricted memory access of C/C++ contributes to the problem
  - use Java, Perl, or Python instead
OS architecture
  - compartmentalize programs better, so one compromise doesn't compromise the entire system
  - e.g., DNS server doesn't need total system access
  - e.g., web server probably doesn't need complete write access

Firewalls
Gateway machine that blocks out certain data, e.g.,
  - any external packets not for port 80
  - any external packets with an internal IP address
    • ingress filtering
  - any email with an attachment
Properties
  - easier to deploy a firewall than to secure all internal hosts
  - doesn't prevent user exploitation
  - tradeoff between availability of services (firewall passes more ports on more machines) and security
    • if the firewall is too restrictive, users will find a way around it, thus compromising security
    • e.g., have all services use port 80

Host Compromise: User Exploitation
Some security architectures rely on the user to decide if a potentially dangerous action should be taken, e.g.,
  - run code downloaded from the Internet
    • "Do you accept content from Microsoft?"
  - run code attached to email
    • "subject: You've got to see this!"
  - allow a macro in a data file to be run
    • "Here is the latest version of the document."

User Exploitation
Users are not good at making this decision
  - Which of the following is the real name Microsoft uses when you download code from them?
    • Microsoft
    • Microsoft, Inc.
    • Microsoft Corporation
Typical email attack
  - attacker sends email to some initial victims
  - reading the email / running its attachment / viewing its attachment opens the hole
  - worm/trojan/virus mails itself to everyone in the address book

Solutions
OS architecture
Don't ask the users questions which they don't know how to answer anyway
Separate code and data
  - viewing data should not launch an attack
Be very careful about installing new software

Denial of Service
Huge problem in the current Internet
  - Yahoo!, Amazon, eBay, CNN, Microsoft attacked in 2001
  - 12,000 attacks on 2,000 organizations in 3 weeks
  - some at more than 600,000 packets/second
    • more than 192Mb/s
  - almost all attacks launched from compromised hosts
General form
  - prevent legitimate users from gaining service by overloading or crashing a server
  - e.g., spam, SYN attack

SYN Attack
Compromised hosts send TCP SYN packets to target
  - sent at max rate with random spoofed source address
    • spoofing: use a different source IP address than own
    • random spoofing allows one host to pretend to be many
Victim receives many SYN packets
  - sends SYN+ACK back to spoofed IP addresses
  - holds some memory until 3-way
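As an added example (not code from the slides): the copy on the Example slide trusts name_len, a single attacker-controlled byte that can be anything up to 255, while username holds only 64 bytes, so memcpy writes past the buffer on the stack. copy_username below is the bounds-checked version; it assumes a constructed packet layout (2-byte header, length byte, then the name) with OFFSET_USERNAME = 2, and the packets it is run on are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXNAMELEN 64
#define OFFSET_USERNAME 2   /* assumed layout: 2-byte header, length byte, name bytes */

/* Bounds-checked replacement for the slide's copy. Returns 1 and a
 * NUL-terminated name on success, 0 if the length byte cannot be trusted.
 * The slide's version copies name_len bytes unconditionally, so any
 * name_len above 63 overruns username[64] and the return address after it. */
int copy_username(const uint8_t *packet, size_t packet_len, char username[MAXNAMELEN])
{
    const size_t offset = OFFSET_USERNAME;
    if (packet == NULL || packet_len <= offset)
        return 0;                               /* no length byte in the packet */
    size_t name_len = packet[offset];           /* attacker-controlled, 0..255 */
    if (name_len >= MAXNAMELEN)
        return 0;                               /* would not fit with its terminator */
    if (name_len > packet_len - offset - 1)
        return 0;                               /* claims more bytes than were received */
    memcpy(username, &packet[offset + 1], name_len);
    username[name_len] = '\0';
    return 1;
}

/* Constructed packets (not real protocol traffic). */
static const uint8_t good_pkt[]  = { 0x01, 0x00, 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t lying_pkt[] = { 0x01, 0x00, 200, 'x', 'x', 'x' };   /* length byte says 200 */
static const uint8_t short_pkt[] = { 0x01, 0x00, 10, 'a', 'b' };         /* says 10, carries 2 */

/* Returns 1 when the good packet yields "alice" and both hostile packets are
 * rejected; with the slide's memcpy the second packet would overwrite the stack. */
int demo_copy(void)
{
    char name[MAXNAMELEN];
    int ok = copy_username(good_pkt, sizeof good_pkt, name) == 1 && strcmp(name, "alice") == 0;
    ok = ok && copy_username(lying_pkt, sizeof lying_pkt, name) == 0;
    ok = ok && copy_username(short_pkt, sizeof short_pkt, name) == 0;
    return ok;
}

int main(void)
{
    printf("bounds-checked copy behaves correctly: %s\n", demo_copy() ? "yes" : "no");
    return 0;
}
```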
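An added example of the gateway rules on the Firewalls slide (not the slides' own code): it assumes the protected site uses 10.0.0.0/8 internally and applies the two packet-level rules, ingress filtering of external packets carrying an internal source address and external access only to port 80, to constructed sample packets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A packet as the gateway sees it (constructed fields, not parsed from the wire). */
typedef struct {
    int      from_outside;  /* 1 if it arrived on the external, Internet-facing interface */
    uint32_t src_ip;        /* IPv4 source address, host byte order */
    uint16_t dst_port;      /* TCP/UDP destination port */
} packet_t;

/* Assumption for this example: the internal network is 10.0.0.0/8. */
#define INTERNAL_NET  0x0A000000u
#define INTERNAL_MASK 0xFF000000u

static uint32_t ip4(int a, int b, int c, int d) { return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d; }
static int is_internal(uint32_t ip) { return (ip & INTERNAL_MASK) == INTERNAL_NET; }

/* Gateway policy. Returns 1 = pass, 0 = drop. Ingress filtering comes first: a
 * packet arriving from outside can never legitimately carry an internal source
 * address, so it is spoofed. Then only traffic to the web port (80) is admitted
 * from outside. Traffic originating inside is not filtered by these rules. */
int firewall_pass(const packet_t *p)
{
    if (!p->from_outside)
        return 1;
    if (is_internal(p->src_ip))
        return 0;               /* ingress filtering: spoofed internal source */
    if (p->dst_port != 80)
        return 0;               /* external access limited to the web server */
    return 1;
}

/* Constructed sample traffic; returns how many packets the gateway passes (2 of 4). */
int count_passed(void)
{
    const packet_t sample[] = {
        { 1, ip4(203, 0, 113, 9), 80 },   /* outside -> web server: pass */
        { 1, ip4(203, 0, 113, 9), 22 },   /* outside -> ssh: drop */
        { 1, ip4(10, 1, 1, 1),    80 },   /* outside, claims an inside address: drop */
        { 0, ip4(10, 1, 1, 1),    25 },   /* inside -> mail: pass */
    };
    int passed = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        passed += firewall_pass(&sample[i]);
    return passed;
}
```

The slide's email-attachment rule and its availability tradeoff (services tunnelled over port 80 once the policy is too restrictive) are outside what this packet-level check can see.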