#1 Internet Security

#2 PL Fencing Day
• Friday Dec 4 (unless it rains) @ 4:30pm
• Darden Courtyard; no experience necessary
• I provide gear
• I provide lesson

#3 PS5 Due Tomorrow
• The “automated testing” is a favor, not a necessity
  – PS5 is still due even if it is down (email me)
• If you're taking the course for three credits and want to try an optimizer, email me
  – I'll provide you with a compiler

#4 One-Slide Summary
• Physical security and operating system security are of critical importance and must be understood.
• Key issues in internet security, including buffer overruns, virus detection, spam filtering, SQL code-injection attacks, and cross-site scripting can all be understood in terms of lexing and parsing.

#5 High-Level Lecture Today!

#6 Lecture Outline
• Physical Security
• Operating System Security
  – Privileges
• Viruses and Scanning
• Side Channel and Non-Control Data Attacks
• Spam and Filtering
• SQL Injection Attacks

#7 Physical Security
• It is generally accepted that anyone with physical access to a machine (i.e., anyone who can open the case) can compromise that entire machine.
• Given physical access ...
  – How would I read your personal files?
  – How would I leave a backdoor (rootkit) for myself?
  – How would I log in as you?
• Ignore networked filesystems for now ...

#8
• Them: Important user, NT box, lost admin password, sad, sad, sad.
• Me: No problem, change password with magic Linux disk, offline NT password editor.
• Them: No, no, no. Never work. NT secure. Get real.
• Me: Watch. (reboot)
• Them: Gasp! This floppy is dangerous! Where did you get it?
• Me: Internet. Been around forever.
• Them: How do we keep students from using this?
• Me: Can't. Migrate. Linux. Mac.
• Them: No, no, no. Just make NT safe.
• Me: Can't. NT inherently unsafe.
• Them: Must be safe. NT good. We have never seen problems.
• Me: You just saw one now.
• Them: No, no, no. NT good. Win2k better.
• Me: Win2k is NT. Same thing. Should I give this floppy to a student?
• Them: No, no, no. Give here.
• Me: Whatever. What do you want me to do?
• Them: Change admin password.
• Me: Fine. To what?
• Them: "p-a-s-s-w-o-r-d"
• Me: No, no, no.

#9 A Fairy Tale? Not Quite.

#10 Hey You! Get Off Of My Lawn!
• Must keep people out of the server room ...
• Heavy-weight physical security measures are often skipped entirely
• They are “not worth it” to the people involved
• Social engineering

#11 Corporate Espionage
• In 1999, Fortune 1000 companies lost more than $45 billion to corporate espionage
• Office card keys (“no drafting”) and dumpster-diving prevention are two Top Five ways to defeat espionage
• Social engineering awareness is much more important, however!

#12 Death By Heat Lamps?
• Sophisticated physical attacks are possible
  – S. Govindavajhala and A. Appel: Using Memory Errors to Attack a Virtual Machine. IEEE Symposium on Security and Privacy, 2003
• They write a Java program that can break out of the Java Virtual Machine if a single bit error occurs in memory ...
  – Shine lamp on memory!
• For the rest of this talk I'll assume physical security.

#13 Is Unix Any Better?
• No; if you have physical access to a Unix machine you can get root access.
  – Linux example: reboot, wait for GRUB/LILO, ask for the bootloader prompt, and type: linux init=/bin/bash
• One solution: store important files on encrypted (sub-)filesystem
  – Either requires frequent password entry or stores password in memory
  – This is only secure if no malicious programs run
  – Thus: we still need operating system security!

#14 Unix Security Model
• All files in Unix filesystems have permissions
  – -rwxr-xr-x 1 root root 735004 2008-01-15 09:29 /bin/bash
• Three levels: user, group, others
• Exception: a special root user can change the permissions on any file (and thus do anything)
• Passwords must be stored for login to work
• Password file stores hashes:
  – smt6k:SASHTBDJKdsa4:510:511:Sean Talts:/home/smt6k:/bin/bash
  – eas2h:p3612PZBAx37ne:511:513:Elizabeth Soechting:/home/eas2h:/bin/bash
  – dsn9m:aw73sXHaI3dn348:512:514:David Noble:/home/dsn9m:/bin/bash

#15 Trojan Horses
• root is convenient ... but also dangerous!
• Suppose you are running out of disk space and are hunting around for files to remove
  – Evil user makes evil files called “ls” and “dir”
  – These trojan horses email your password to Microsoft and then list the files
  – You may never know you've been tricked!
• This single concept accounts for the vast majority of Windows vulnerabilities
  – Pre-Vista you were always “root”, so if I could get you to click on some evil program I send over the network, I could take over your computer.

#16 Detecting Malicious Programs
• So we need to detect viruses / trojans / worms
• This is done by lexing (no, really)
• A virus or trojan typically leaves most of the program unchanged (to avoid suspicion) and tacks on a special payload for dirty work
• Make one regular expression for each payload
  – Called the virus signature
• Scan (lex) programs with union of regexps
  – A virus database file is basically just a .lex file and each new version has some new “tokens”

#17 Escalation
• One key problem with this approach is that you must constantly update your database of virus signatures in response to new virus inventions

#18 Does This Work?
• Assume we've solved the update problem.
• What could go wrong with searching for exact code sequences?

#19 Stealth
• Any change to the virus defeats the signature
• Beware: self-modifying virus!
• Encryption with a new key per file
  – payload = decrypt module + encrypted virus code
• Polymorphic Virus: new decrypt per file
  – payload = unique decrypt + encrypted virus code
• Metamorphic Virus: rewrite each time
  – Basically: insert no-ops, “optimize” virus, etc.
  – Win32/Smile is >14000 lines of ASM, 90% of which is metamorphic engine ... and was out in 2002

#20 Virus Scanners In Practice
• Offline: Unix servers scan Win32 attachments
  – Basically just like PA2
• Online: scan every file before it is executed
  – Requires OS support: register a callback whenever a program or DLL is loaded (why require OS support?)
  – Or whenever a file is opened in general
  – This is very slow (cf. games)
• Viruses need privileges (e.g., read and write other files), so one defense is to not have those privileges ...

#21 My Secret Identity
• If you know another user's password, you can become that user (i.e., substitute its userid for yours ---
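
Added example (not part of the original slides): a minimal signature scanner for the “Detecting Malicious Programs” and “Stealth” slides, with each signature as one alternative in a single union regexp, the way a lexer handles tokens. The signature names, marker strings and sample files are constructed and inert; the Demo_Stub signature assumes the decrypt module is byte-identical in every file, which is the assumption a polymorphic virus removes.

```python
import re

# Constructed signature database: name -> byte regex. Every "payload" here is
# an inert marker string invented for this example, not real malware.
SIGNATURES = {
    "Demo_Exact": re.escape(b"MAIL-PASSWD;LIST-FILES"),   # exact code sequence
    "Demo_Gapped": rb"STEAL-KEYS.{0,16}?SEND-HOME",       # allows filler bytes
    "Demo_Stub": re.escape(b"DECRYPT-STUB"),              # fixed decrypt module
}

def compile_db(signatures):
    """Union all signatures into one pattern, one named group per 'token'."""
    parts = [b"(?P<" + name.encode() + b">" + pat + b")"
             for name, pat in signatures.items()]
    return re.compile(b"|".join(parts), re.DOTALL)

def scan(data, db):
    """Lex the byte stream; return (signature name, offset) for every hit."""
    return [(m.lastgroup, m.start()) for m in db.finditer(data)]

def xor_bytes(data, key):
    """Single-byte XOR standing in for the per-file encryption on the Stealth slide."""
    return bytes(b ^ key for b in data)

DB = compile_db(SIGNATURES)
BODY = b"MAIL-PASSWD;LIST-FILES"
HOST = b"\x7fELF" + b"ordinary program bytes " * 3       # constructed host file
SAMPLES = {
    "clean": HOST,
    "appended": HOST + BODY,                              # unchanged host + payload
    "padded": HOST + b"STEAL-KEYS\x90\x90\x90\x90SEND-HOME",
    "encrypted": HOST + b"DECRYPT-STUB" + xor_bytes(BODY, 0x5A),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:10} {scan(sample, DB)}")
```

In the "encrypted" sample the body signature Demo_Exact no longer matches; the only hit is the signature on the unchanged decrypt module, which is why a scanner loses even that once the decrypt code differs per file.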