EECS 122: Introduction to Computer Networks
Network Security
Computer Science Division, Department of Electrical Engineering and Computer Sciences
University of California, Berkeley, Berkeley, CA 94720-1776
Katz, Stoica F04

Slide 1: Motivation
- The Internet is currently used for important services: financial transactions, medical records.
- In the near future it will be used for even more critical services: 911, VoIP, surgical operations, energy system control, transportation system control.
- Networks are more open than ever before: a global, ubiquitous Internet; wireless.
- Malicious users:
  - Selfish users want more network resources than you.
  - Malicious users would hurt you even if it doesn't get them more network resources.

Slide 2: Network Security Problems
- Host compromise: the attacker gains control of a host.
- Denial of service: the attacker prevents legitimate users from gaining service.
- An attack can be both, e.g. a host compromise that provides resources for denial of service.

Slide 3: Host Compromise
- One of the earliest major Internet security incidents: the Internet Worm (1988) compromised almost every BSD-derived machine on the Internet.
- Today it is estimated that a single worm could compromise 10M hosts in 5 minutes.
- Once the attacker gains control of a host, it can: read data, erase data, compromise another host, launch a denial of service attack on another host.

Slide 4: Definitions
- Worm: replicates itself; usually relies on a stack overflow attack.
- Virus: a program that attaches itself to another (usually trusted) program.
- Trojan horse: a program that gives a hacker a back door; usually relies on exploiting the user.

Slide 5: Host Compromise: Stack Overflow
- Typical code has many bugs, because those bugs are not triggered by common input.
- Network code is vulnerable because it accepts input from the network.
- Network code that runs with high privileges (i.e. as root) is especially dangerous, e.g. a web server.

Slide 6: Example: What is wrong here?
Copy a variable-length user name from a packet (the slide's code, deliberately buggy; string.h added so it compiles):

    #include <string.h>

    #define MAXNAMELEN 64

    void foo(char *packet)
    {
        int offset = OFFSET_USERNAME;   /* offset of the length byte in the packet */
        char username[MAXNAMELEN];
        int name_len;

        name_len = packet[offset];
        /* name_len comes straight from the network and is never compared with MAXNAMELEN */
        memcpy(username, packet + offset + 1, name_len);
    }

[Figure: packet layout. Byte 0 starts the packet; at byte 34 sits the one-byte name_len field, immediately followed by the name bytes.]

Slides 7-8: Example: Stack
The same foo() as on slide 6, shown next to the stack frame it builds (the second slide repeats the figure).
[Figure: stack layout for foo(), addresses growing downward from X: X holds foo's return address, X-4 holds offset, X-8 down to X-72 holds the 64-byte username buffer, and X-76 holds name_len. A name_len larger than 64 makes memcpy write past username, over offset and the return address.]

Slide 9: Effect of Stack Overflow
- Write into part of the stack or heap.
- Write arbitrary code into part of memory.
- Cause program execution to jump to that arbitrary code.
- Worm:
  - Probes a host for vulnerable software.
  - Sends bogus input.
  - The attacker can do anything that the privileges of the buggy program allow.
  - Launches a copy of itself on the compromised host.
  - Spreads at an exponential rate: 10M hosts in 5 minutes.

Slide 10: Worm Spreading: Epidemic Models

$$f(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}$$

- f: fraction of hosts infected
- K: rate at which one host can compromise others
- T: start time of the attack
[Figure: plot of f against t, flat near 0 before T, rising steeply, and saturating at f = 1.]

Slide 11: Worm Examples
- Morris worm (1988)
- Code Red (2001)
- MS Slammer (January 2003)
- MS Blaster (August 2003)
- Worm history site: http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms
- Latest listing at http://enterprisesecurity.symantec.com/article.cfm?articleid=2420

Slide 12: Morris Worm (1988)
- Infected multiple types of machines: Sun-3 and VAX.
- Spread using a Sendmail bug.
- Attacked multiple security holes, including: a buffer overflow in fingerd; debugging routines in Sendmail; password cracking.
- Intended to be benign, but it had a bug: with a fixed probability the worm would not quit after re-infecting a machine, so the number of worms on a host built up, rendering the machine unusable.

Slide 13: Code Red Worm (2001)
- Attempts to connect to TCP port 80 on a randomly chosen host.
- If successful, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow.
- See http://www.cert.org/advisories/CA-2001-19.html
- Worm bug: all copies of the worm used the same random generator to scan for new hosts.
  - DoS attack on those hosts.
  - Slow to infect new hosts.
- 2nd-generation Code Red fixed this bug. Result: it spread much faster.

Slide 14: MS SQL Slammer (January 2003)
- Uses UDP port 1434 to exploit a buffer overflow in MS SQL Server.
- See http://www.cert.org/advisories/CA-2003-04.html
- Effect: generates massive amounts of network packets; brought down 5 of the 13 Internet root name servers.
- Other: the worm only spreads as an in-memory process; it never writes itself to the hard drive.
- Solution: close the UDP port on the firewall and reboot.

Slides 15-16: MS SQL Slammer (January 2003)
[Figures: Slammer spread, from http://www.f-secure.com/v-descs/mssqlm.shtml]

Slide 17: MS Blaster (August 2003)
- Exploits a buffer overflow vulnerability in the RPC (Remote Procedure Call) service.
- Scans a random IP range to look for vulnerable systems on TCP port 135.
- Opens TCP port 4444 (system shell), which could allow an attacker to execute commands on the system.
- Generated a DoS attack on windowsupdate.com for certain versions of Windows.
- See http://www.cert.org/advisories/CA-2003-20.html

Slide 18: Hall of Shame
Software that has had many stack overflow bugs:
- BIND (the most popular DNS server)
- RPC (Remote Procedure Call, used for NFS)
- NFS (Network File System, widely used at UCB)
- Sendmail (the most popular UNIX mail delivery software)
- IIS (Windows web server)
- SNMP (Simple Network Management Protocol, used to manage routers and other network devices)

Slide 19: Potential Solutions
- Don't write buggy software. (It's not as if people try to write buggy software.)
- Type-safe languages: the unrestricted memory access of C/C++ contributes to the problem; use Java, Perl or Python instead.
- OS architecture: compartmentalize programs better, so that one compromise doesn't compromise the entire system. E.g. a DNS server doesn't need total system access.
- Firewalls.

Slide 20: Firewall
- A security device whose goal is to prevent computers on the outside from gaining control of inside machines.
- Hardware or software.
[Figure: Attacker, the Internet, a firewall, and the machines behind it.]

Slide 21: Firewall (cont'd)
- Restricts traffic between the Internet and the devices/machines behind it, based on:
  - Source address and port number
  - Payload
  - Stateful analysis of data
- Example rule: block any external packets not for port 80.
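Added derivation for slide 10 (not on the slide): the logistic form of f(t) follows from the standard epidemic equation, under the assumption (labelled here, not stated in the lecture) that each infected host compromises new hosts at rate K and that only the still-vulnerable fraction 1 - f can be infected:

$$\frac{df}{dt} = K f (1 - f)$$

Separating variables,

$$\int \frac{df}{f(1-f)} = \int K\,dt \quad\Longrightarrow\quad \ln\frac{f}{1-f} = K(t - T)$$

where the integration constant is fixed by f(T) = 1/2. Solving for f gives the slide's formula:

$$\frac{f}{1-f} = e^{K(t-T)} \quad\Longrightarrow\quad f(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}$$

Early in the outbreak (f much less than 1) the denominator is close to 1 and f grows as e^{K(t-T)}, which is the exponential spread of slide 9; as t grows, f tends to 1. Note that with this normalisation f(T) = 1/2, so T in the formula is the time at which half of the hosts are infected.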
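Added example for slides 6-9 (not from the lecture): a bounds-checked replacement for the slide's foo(), written here to show the check the slide omits. It assumes, from the slide's packet diagram, that the length byte sits at OFFSET_USERNAME = 34; the function names and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAXNAMELEN 64
#define OFFSET_USERNAME 34 /* assumed: where the slide's packet diagram puts name_len */

/* Hardened replacement for the slide's foo(): copies the length-prefixed
 * user name into username only when name_len fits both the buffer and the
 * bytes actually received. Returns bytes copied, or -1 if rejected. */
int read_username(const uint8_t *packet, size_t packet_len, char username[MAXNAMELEN])
{
    size_t offset = OFFSET_USERNAME;
    if (packet_len < offset + 1)        /* the length byte itself must be in the packet */
        return -1;
    size_t name_len = packet[offset];
    /* The check the slide omits: name_len may be up to 255, enough to run past the
     * 64-byte buffer into the saved return address. Keep one byte for the NUL. */
    if (name_len >= MAXNAMELEN)
        return -1;
    if (name_len > packet_len - offset - 1) /* no over-read of a short packet */
        return -1;
    memcpy(username, packet + offset + 1, name_len);
    username[name_len] = '\0';
    return (int)name_len;
}

/* Constructed test packets: 34 header bytes, the length byte, then the name. */
int demo_benign(void)                  /* well-formed: 5-byte name "alice" */
{
    uint8_t pkt[OFFSET_USERNAME + 1 + 5] = {0};
    char username[MAXNAMELEN];
    pkt[OFFSET_USERNAME] = 5;
    memcpy(pkt + OFFSET_USERNAME + 1, "alice", 5);
    return read_username(pkt, sizeof pkt, username);
}
int demo_oversized(void)               /* claims 200 name bytes, more than MAXNAMELEN */
{
    uint8_t pkt[OFFSET_USERNAME + 1 + 200];
    char username[MAXNAMELEN];
    memset(pkt, 'A', sizeof pkt);
    pkt[OFFSET_USERNAME] = 200;
    return read_username(pkt, sizeof pkt, username);
}
int demo_truncated(void)               /* claims 10 name bytes but only 3 were received */
{
    uint8_t pkt[OFFSET_USERNAME + 1 + 3] = {0};
    char username[MAXNAMELEN];
    pkt[OFFSET_USERNAME] = 10;
    return read_username(pkt, sizeof pkt, username);
}
```

The second check also rejects a packet shorter than its claimed length, a case the slides do not discuss but which the same unchecked length byte makes possible.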