0x1A Great Papers in Computer SecurityCourse LogisticsGradingPrerequisitesWhat This Course is Not About“Best Hits” CourseStart Thinking About a ProjectA Few Project IdeasC. Cowan, P. Wagle, C. Pu, S. Beattie, J. Walpole Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade (DISCEX 1999)Famous Internet Worms… And The Band Marches OnWhy Are We Insecure?Memory ExploitsStack BuffersWhat If Buffer Is Overstuffed?Executing Attack CodeBasic Stack Code InjectionStack Corruption: General ViewAttack #1: Return AddressCause: No Range CheckingDoes Range Checking Help?Misuse of strncpy in htpasswd “Fix”Function Pointer OverflowAttack #2: Pointer VariablesOff-By-One OverflowAttack #3: Frame PointerRun-Time Checking: StackGuardStackGuard ImplementationDefeating StackGuardProPolice / SSPWhat Can Still Be Overwritten?Litchfield’s AttackSafe Exception HandlingWhen SafeSEH Is IncompletePointGuardNormal Pointer DereferencePointGuard DereferencePointGuard IssuesS. Chen et al. Non-Control-Data Attacks Are Realistic Threats (USENIX Security 2005)Non-Control TargetsExample: Web Server SecurityExploiting Null HTTP Heap OverflowNull HTTP CGI-BIN ExploitAnother Web Server: GHTTPDSSH Authentication CodeReducing Lifetime of Critical DataTwo’s ComplementInteger OverflowM. Dowd Application-Specific Attacks: Leveraging the ActionScript Virtual Machine (IBM X-Force report 2008)ActionScript ExploitProcessing SWF Scene Records (1)Processing SWF Scene Records (2)ActionScript Virtual Machine (AVM2)AVM2 VerifierRelevant Verifier CodeExecuting Invalid OpcodesBreaking AVM2 VerifierSlide 58Further Complicationsslide 10x1A Great Papers inComputer SecurityVitaly ShmatikovCS 380Shttp://www.cs.utexas.edu/~shmat/courses/cs380s/slide 2Course LogisticsLectures: Tuesday and Thursday, 2-3:15pmInstructor: Vitaly Shmatikov•Office: CSA 1.114•Office hours: Tuesday, 3:30-4:30pm (after class)•Open door policy – don’t hesitate to stop by!TA: Martin Georgiev•Office hours: Wednesday 1:30-3pm, PAI 5.33No textbook; we will read a fair number of research papersWatch the course website for lecture notes, assignments, and reference materialsslide 3GradingHomeworks: 40% (4 homeworks, 10% each)•Homework problems will be based on research papersMidterm: 15%Project: 45%•Computer security is a contact sport – the best way to understand it is to get your hands dirty•Projects can be done individually or in small teams•Project proposal due September 20•You can find a list of potential project ideas on the course website, but don’t hesitate to propose your ownslide 4PrerequisitesBasic understanding of operating systems and memory management•At the level of an undergraduate OS courseSome familiarity with cryptography is helpful•Cryptographic hash functions, public-key and symmetric cryptosystemsUndergraduate course in complexity and/or theory of computationAsk if you are not sure whether you are qualified to take this courseslide 5What This Course is Not AboutNot a comprehensive course on computer securityNot a course on cryptography•We will cover some crypto when talking about cryptographic protocols and privacyNot a seminar course•We will read and understand state-of-the-art research papers, but you’ll also have to do some actual work Focus on several specific research areas•Mixture of theory and systems (very unusual!)You have a lot of leeway in picking your projectslide 6“Best Hits” Course26 selected papers•Somewhat arbitrary – a reflection of personal taste•Complete list on the website•Will also discuss follow-up and related workGoal: give you a taste of what research in computer security is likeWide variety of topics•Memory attacks and defenses, secure information flow, understanding Internet-wide worms and viruses, designing and breaking cryptographic protocols, anonymity and privacy, side-channel attacks…slide 7Start Thinking About a ProjectA few ideas are on the course websiteMany ways to go about it•Build a tool that improves software security–Analysis, verification, attack detection, attack containment•Apply an existing tool to a real-world system•Demonstrate feasibility of some attack•Do a substantial theoretical study•Invent something of your ownStart forming teams and thinking about potential topics early on!slide 8A Few Project IdeasSecurity of cloud computing (Amazon EC2, etc.)Errors in security logic of Web applicationsUnintended leakages and covert channelsAnonymous communication schemesPrivacy issues in networked consumer devicesSecurity of Android APIsWireless routing, authentication, localizationSecurity for voice-over-IPChoose something that interests you!slide 9C. Cowan, P. Wagle, C. Pu, S. Beattie, J. Walpole Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade(DISCEX 1999)slide 10Famous Internet WormsMorris worm (1988): overflow in fingerd•6,000 machines infected (10% of existing Internet)CodeRed (2001): overflow in MS-IIS server•300,000 machines infected in 14 hoursSQL Slammer (2003): overflow in MS-SQL server•75,000 machines infected in 10 minutes (!!)Sasser (2004): overflow in Windows LSASS•Around 500,000 machines infectedResponsible for user authentication in Windowsslide 11… And The Band Marches OnConficker (2008-09): overflow in Windows RPC•Around 10 million machines infected (estimates vary)Stuxnet (2009-10): several zero-day overflows + same Windows RPC overflow as Conficker •Windows print spooler service–Also exploited by Flame (announced in 2012)•Windows LNK shortcut display•Windows task schedulerslide 12Why Are We Insecure? 126 CERT security advisories (2000-2004)Of these, 87 are memory corruption vulnerabilities73 are in applications providing remote services•13 in HTTP servers, 7 in database services, 6 in remote login services, 4 in mail services, 3 in FTP servicesMost exploits involve illegitimate control transfers•Jumps to injected attack code, return-to-libc, etc.•Therefore, most defenses focus on control-flow securityBut exploits can also target configurations, user data and decision-making values[Chen et al. 2005]slide 13Buffer is a data storage area inside computer memory (stack or heap)•Intended to hold pre-defined amount of data•If executable code is supplied as “data”, victim’s machine may be fooled into
View Full Document