EECS 122: Introduction to Computer Networks Network SecurityMotivationNetwork Security ProblemsHost CompromiseDefinitionsHost Compromise: Stack OverflowExampleSlide 8Slide 9Effect of Stack OverflowWorm Spreading Epidemic ModelsWorm ExamplesMorris Worm (1988)Code Red Worm (2001)MS SQL Slammer (January 2003)Slide 16MS SQL Slammer (January 2003)MS Blaster (August 2003)Hall of ShamePotential SolutionsFirewallFirewall (cont’d)Firewalls: PropertiesHost Compromise: User ExploitationUser ExploitationSolutionsDenial of ServiceEffect on VictimSYN Attack (Recap: 3-Way Handshaking)SYN AttackSolution: SYN CookiesDealing with AttacksIncomplete SolutionsIdentifying and Stop Attacking MachinesSummaryWhat You Need to KnowSecurity RequirementsCryptographic AlgorithmsPublic-Key Cryptography: RSA (Rivest, Shamir, Adleman)Generating Public and Private KeysRSA Encryption and DecryptionPropertiesPublic Key Infrastructure (PKI)PKI PropertiesComponents of a PKIDigital CertificateCertification AuthorityRegistration AuthorityCertificate RepositorySlide 61ExampleExampleCertificate RevocationWhat You Need To KnowKatz, Stoica F04EECS 122: Introduction to Computer Networks Network SecurityComputer Science DivisionDepartment of Electrical Engineering and Computer SciencesUniversity of California, BerkeleyBerkeley, CA 94720-17762Katz, Stoica F04MotivationInternet currently used for important services-Financial transactions, medical recordsUsed in near future for even more critical services-911 (VoIP), surgical operations, energy system control, transportation system controlNetworks more open than ever before-Global, ubiquitous Internet, wirelessMalicious Users-Selfish users: want more network resources than you-Malicious users: would hurt you even if it doesn’t get them more network resources3Katz, Stoica F04Network Security ProblemsHost Compromise-Attacker gains control of a hostDenial-of-Service-Attacker prevents legitimate users from gaining serviceAttack can be both-E.g., host compromise that provides resources for denial-of-service4Katz, Stoica F04Host CompromiseOne of earliest major Internet security incidents-Internet Worm (1988): compromised almost every BSD-derived machine on InternetToday: estimated that a single worm could compromise 10M hosts in < 5 minAttacker gains control of a host-Reads data-Erases data-Compromises another host-Launches denial-of-service attack on another host5Katz, Stoica F04DefinitionsWorm-Replicates itself-Usually relies on stack overflow attackVirus-Program that attaches itself to another (usually trusted) programTrojan horse-Program that allows a hacker a “back door” -Usually relies on user exploitation6Katz, Stoica F04Host Compromise: Stack OverflowTypical code has many bugs because those bugs are not triggered by common inputNetwork code is vulnerable because it accepts input from the networkNetwork code that runs with high privileges (i.e., as root) is especially dangerous-E.g., web server7Katz, Stoica F04ExampleWhat is wrong here?// Copy a variable length user name from a packet#define MAXNAMELEN 64int offset = OFFSET_USERNAME;char username[MAXNAMELEN];int name_len;name_len = packet[offset]; memcpy(&username, packet[offset + 1], name_len);name_lenname0 43packet8Katz, Stoica F04Examplevoid foo(packet) { #define MAXNAMELEN 64 int offset = OFFSET_USERNAME; char username[MAXNAMELEN]; int name_len; name_len = packet[offset]; memcpy(&username, packet[offset + 1],name_len); …}“foo” return addressusernameoffsetname_lenStackXX-4X-8X-72X-769Katz, Stoica F04Examplevoid foo(packet) { #define MAXNAMELEN 64 int offset = OFFSET_USERNAME; char username[MAXNAMELEN]; int name_len; name_len = packet[offset]; memcpy(&username, packet[offset + 1],name_len); …}“foo” return addressusernameoffsetname_lenStackXX-4X-8X-72X-7610Katz, Stoica F04Effect of Stack OverflowWrite into part of the stack or heap-Write arbitrary code to part of memory-Cause program execution to jump to arbitrary codeWorm-Probes host for vulnerable software-Sends bogus input-Attacker can do anything that the privileges of the buggy program allows•Launches copy of itself on compromised host-Spread at exponential rate-10M hosts in < 5 minutes11Katz, Stoica F04Worm SpreadingEpidemic Modelsf = (e K(t-T) – 1) / (1+ e K(t-T) )f – fraction of hosts infectedK – rate at which one host can compromise othersT – start time of the attackTft112Katz, Stoica F04Worm ExamplesMorris worm (1988)Code Red (2001)MS Slammer (January 2003)MS Blaster (August 2003)Worm History Site: http://en.wikipedia.org/wiki/Notable_computer_viruses_and_wormsLatest listing at: http://enterprisesecurity.symantec.com/article.cfm?articleid=242013Katz, Stoica F04Morris Worm (1988)Infect multiple types of machines (Sun 3 and VAX)-Spread using a Sendmail bugAttack multiple security holes including -Buffer overflow in fingerd-Debugging routines in Sendmail-Password crackingIntend to be benign but it had a bug-Fixed probability that the worm wouldn’t quit after re-infecting a machine number of worm on a host built up rendering the machine unusable14Katz, Stoica F04Code Red Worm (2001)Attempts to connect to TCP port 80 on a randomly chosen hostIf successful, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflowSee http://www.cert.org/advisories/CA-2001-19.html Worm “bug”: all copies of the worm use the same random generator to scan new hosts-DoS attack on those hosts-Slow to infect new hosts 2nd gen Code Red fixed this bug!-Result: it spread much faster15Katz, Stoica F04MS SQL Slammer (January 2003)Uses UDP port 1434 to exploit a buffer overflow in MS SQL server -See http://www.cert.org/advisories/CA-2003-04.htmlEffect-Generate massive amounts of network packets -Brought down 5 of the 13 Internet root name serversOthers-Worm only spreads as an in-memory process: it never writes itself to the hard drive •Solution: close UDP port on firewall and reboot16Katz, Stoica F04MS SQL Slammer (January 2003)xx(From http://www.f-secure.com/v-descs/mssqlm.shtml)17Katz, Stoica F04MS SQL Slammer (January 2003)xx(From http://www.f-secure.com/v-descs/mssqlm.shtml)18Katz, Stoica F04MS Blaster (August 2003)Exploit a buffer overflow vulnerability of the RPC (Remote Procedure Call) serviceScan a random IP range to look for vulnerable systems on
View Full Document
Unlocking...