Computer Security -...

Post on 07-Jun-2020


8/31/17

Computer Security

Prof. Tudor Dumitraș
Assistant Professor, ECE
University of Maryland, College Park

ENEE657

About Me

Tudor Dumitraș
Office: AVW 3425
Email: tdumitra@umiacs.umd.edu
Course Website: http://ter.ps/enee657


My Background

• Ph.D. at Carnegie Mellon University
  – Research in distributed systems and fault-tolerant middleware
• Worked at Symantec Research Labs
  – Built WINE platform for security analytics
    • Used for sharing real-world security telemetry with academic researchers
    • One of the early ‘threat intelligence’ platforms
• Joined UMD faculty
  – Data-driven security (measurements, machine learning, malware)
  – Focus on solving security problems with data analysis techniques

[Figure: WINE logo]

ENEE657 in a Nutshell

• ENEE657 is a graduate-level security course
  – Learn by reading, explaining and doing
  – Project oriented: develop to a degree that would merit publication in one of the workshops associated with the USENIX Security Symposium 2018
• Aims to prepare you for research in security
  – Not a tutorial or comprehensive course on these topics
  – Instead, exploring a range of topics to illustrate some of the current research challenges
  – Targeted at students who want to conduct research in the area or who are more generally interested in security or distributed systems

Who Can You Trust?

[Figure: a user at a workstation sends a request (keyboard/display channel) through the workstation's application and O/S, over the network channel, to the NFS server's O/S. Thought bubble: “I wonder what Tudor’s SSN is…”]

• Where is the request “from”?
  – The user? The workstation? The application? The network channel? All of the above?
  – Which of these actors do you trust?

Ken Thompson
ACM Turing Award, 1983

“Reflections on Trusting Trust”

• What software can we trust?
• Example: any operating system includes a program checking whether users are allowed to log in
  – "login" or "su" in Unix
  – Is the login binary from Windows/MacOS/Ubuntu/etc. trustworthy?
  – Does it send your password to someone?
  – Does it have a backdoor for a “special” remote user?
• Can't trust the binary, so check source code or write your own, recompile
• Does this solve the problem?

“Reflections on Trusting Trust” – cont’d

• Who wrote the compiler?
• Compiler looks for source code that looks like the login process, inserts backdoor into it
• Ok, inspect the source code of the compiler… Looks good? Recompile the compiler!
• Does this solve the problem?

“Reflections on Trusting Trust” – cont’d

• The UNIX login program is compiled by a C compiler
  – The C compiler was also compiled by an (older) C compiler
• Aside: how does the compiler handle special characters?

  Compiler version that first learns the vertical-tab escape (the routine reads
  the characters after a backslash and returns the character code they stand for):

    ...
    c = next();
    if (c != '\\')
        return (c);
    c = next();
    if (c == '\\')
        return ('\\');
    if (c == 'n')
        return ('\n');
    if (c == 'v')
        return (11);        /* the compiler does not know '\v' yet: spell out ASCII 11 */
    ...

  Later version, compiled with the binary above:

    ...
    c = next();
    if (c != '\\')
        return (c);
    c = next();
    if (c == '\\')
        return ('\\');
    if (c == 'n')
        return ('\n');
    if (c == 'v')
        return ('\v');      /* '\v' works only because the compiling binary already knows it is 11 */
    ...

When adding a new special character to the C language, must specify the character code
In future versions of the compiler: use the special character

“Reflections on Trusting Trust” – cont’d

• The compiler is written in C…

    compiler(S) {
        if (match(S, "login-pattern")) {
            compile(login-backdoor);
            return;
        }
        if (match(S, "compiler-pattern")) {
            compile(compiler-backdoor);
            return;
        }
        ....    /* compile as usual */
    }

In future versions of the compiler: the backdoor no longer appears in the source code

“Reflections on Trusting Trust” – cont’d

“The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)”
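The two “Does this solve the problem?” questions above, worked through in an added toy model (not code from the slides or from Thompson's paper): a “binary” is a small Python object, the compiler source is clean, and a trojaned compiler binary keeps re-inserting itself. The second function is a model of David A. Wheeler's Diverse Double-Compiling (DDC), the standard countermeasure, which needs an independent trusted compiler and deterministic builds; all names and sources here are constructed.

```python
import hashlib

# Constructed toy sources. A real DDC compares the produced binaries byte for byte;
# here a "binary" is a small Python object standing in for the machine code.
COMPILER_SRC = "compiler: translate input as usual"   # reads clean: no backdoor in it
LOGIN_SRC = "login: check the password, then start a shell"

class Program:
    """Output of compiling a non-compiler source; 'backdoor' records what the build planted."""
    def __init__(self, name, backdoor):
        self.name, self.backdoor = name, backdoor

class CleanCompiler:
    """Binary that faithfully implements COMPILER_SRC."""
    def compile(self, src):
        if src == COMPILER_SRC:
            return CleanCompiler()
        return Program(src.split(":")[0], backdoor=False)

class TrojanedCompiler:
    """Binary built long ago by a tampered compiler. COMPILER_SRC is unchanged, yet this
    binary plants a login backdoor and re-inserts itself whenever it recognises the
    compiler's own source (the slides' "compiler-pattern")."""
    def compile(self, src):
        if src == COMPILER_SRC:
            return TrojanedCompiler()
        return Program(src.split(":")[0], backdoor=src.startswith("login:"))

def fingerprint(binary):
    """Stand-in for hashing the emitted bytes: two binaries count as identical when they
    produce the same login program, which is exactly where the trojan cannot hide."""
    if isinstance(binary, Program):
        return hashlib.sha256(f"{binary.name}:{binary.backdoor}".encode()).hexdigest()
    return fingerprint(binary.compile(LOGIN_SRC))

def recompile_with_suspect(suspect):
    """The slides' naive defence: the compiler source looks fine, so rebuild the compiler
    with the compiler we already have. True when the rebuilt toolchain yields a clean login."""
    return not suspect.compile(COMPILER_SRC).compile(LOGIN_SRC).backdoor

def diverse_double_compile(suspect, trusted):
    """Wheeler's DDC. Stage 1: build COMPILER_SRC with an independent trusted compiler
    (its output may legitimately differ from the suspect binary). Stage 2: rebuild
    COMPILER_SRC with the stage-1 compiler. If the suspect binary truly corresponds to
    COMPILER_SRC, the suspect's own rebuild of that source must match stage 2."""
    stage1 = trusted.compile(COMPILER_SRC)
    stage2 = stage1.compile(COMPILER_SRC)
    return fingerprint(stage2) == fingerprint(suspect.compile(COMPILER_SRC))
```

Rebuilding with the suspect compiler reports success for the trojaned binary (the backdoor survives), while DDC exposes the mismatch between what the source says and what the binary does.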

What Can Attackers Do?

• Attack targets: clients, servers, networks, applications, users
• Example attack methods:
  – End-hosts (or devices): install malware
  – LAN: read, replay, insert, delete, block messages
  – Internet: send spam, conduct distributed denial of service attacks
  – Applications: exploit vulnerabilities
  – Data: steal/corrupt secret data, plant invalid data
  – Users: conduct social engineering attacks

Aside: Is Hardware Secure?

• Malicious device firmware
  – Some HW functionality is actually implemented in SW
  – Do you trust device firmware to come from legitimate vendor?
  – Is firmware free of vulnerabilities?
• Malicious hardware
  – HW is as complex as SW and is designed using SW tools
  – Do you know where each HW component comes from?
  – Can you authenticate your HW?
  – Could the CAD tools have introduced a backdoor (HW trojan)?

Network Stack

Layer         Protocol examples   Attack examples
people        –                   Phishing attacks, usability
application   email, Web, NFS     Sendmail, FTP, NFS bugs, chosen-protocol and version-rollback attacks
session       RPC                 RPC worms, portmapper exploits
transport     TCP                 SYN flooding, RIP attacks, sequence number prediction
network       IPv4/IPv6           IP smurfing and other address spoofing attacks
data link     802.11              WEP attacks
physical      –                   RF fingerprinting, DoS

Only as secure as the single weakest layer (or interconnection between layers)

Network Defenses

Level             Defense type               Examples
Building blocks   Cryptographic primitives   RSA, DSS, SHA-1…
Blueprints        Protocols and policies     TLS, IPsec, access control…
Systems           Implementations            Firewalls, intrusion detection…
People            End uses                   Password managers, company policies…

All defense mechanisms must work correctly and securely

Attack Method Examples

• Malware (malicious software/firmware):
  – rootkits
  – bots
  – trojan horses
  – spyware
  – worms
  – viruses
  – backdoors…
• Malware-insertion methods
  – User Interaction/Social Engineering
  – Incorrect OS/Application Configuration
  – Compromised OS/Application & Vulnerability Exploitation

Malware Insertion Methods

Analysis reported in the Microsoft Intelligence Report, vol. 11, 2011

[Figure: bar chart; y-axis “Percentage of Attacks Analyzed”, 0–45%]

Malware insertion method                  Percentage of attacks analyzed
User Interaction Required                 44.8%
Autorun USB                               26.0%
Autorun Network                           17.2%
File Infection                            4.4%
Exploit: Update Long (>1 yr) Available    3.2%
Password Guessing / Brute Force           2.4%
Office Macros                             1.7%
Exploit: Update Available                 0.3%
Zero-day Exploit                          ≈0.0%

Cybercrime in the Real World

• Botnets
  – Worker bots running in the background on millions of compromised hosts
  – Botmaster sending instructions to worker bots via command & control nodes
  – Possible instructions: propagate, send spam, conduct DDoS, mine Bitcoin
• Pay-per-Install (PPI)
  – “Affiliate” programs rewarding miscreants for installing malware on end-hosts
  – Useful for bootstrapping botnets, sending spam, staging denial of service attacks, performing click fraud, hosting scam websites
• Distributed Denial of Service (DDoS)
  – Instruct a botnet to direct a large amount of traffic to the target
  – Leverage protocols that can amplify traffic (e.g. NTP, DNS)

Example: Storm Bot Spam Architecture

• Spam templates
  – Custom macro language
  – Polymorphic content
• Dictionaries
  – Email addresses
  – Subject lines
• Worker bots generate unique messages for each address, try to deliver, report results to proxies

[Kanich, Kreibich, Levchenko et al.]

[Figure: infrastructure for measuring the activity of the Storm botnet]

Example: The Pay-Per-Install Business Model

ined PPI services in a top-down manner, by becoming affiliates of particular services [7, 29]. Our study is instead based on infiltrating PPI services in a bottom-up manner, by creating custom programs that can continuously download malware specimens that the PPI services distribute, enabling us to track the infiltrated PPI services over time.

We harvested over a million client executables using vantage points spread across 15 countries. The month of August 2010 yielded 57 malware families, including many of the most prevalent infections at the time. They include spam bots (Rustock, Grum), fake antivirus (Securitysuite, Securityessential), information-stealing trojans (Zbot, Spyeye), rootkits (Tdss), DDoS bots (Russkill, Canahom), clickers (Gleishug), and adware (SmartAdsSolutions).

Using our geo-diverse vantage points, we measure differences in the geographical preferences of the different malware families. We identify families that exclusively target the US, the UK, and a variety of European countries. We also analyze the rate at which malware authors repack their wares to evade hash-based signatures. On average, they repack specimens every 11 days, and some malware families repack up to twice daily. We track the dynamics of campaigns during which a service disseminates a given malware family in an ongoing push, observing a wide temporal range, from specimens that are continually distributed over weeks, to pointwise efforts lasting only a few hours. We also analyze the particulars of how different PPI services interact with their affiliates, including surprising evidence suggesting that some affiliates who sell installs to a particular PPI service not only buy installs from rival PPI services, but also from the very service to which they sell installs—apparently to exploit arbitrage.

2 An Overview of Pay-Per-Install

The PPI market, as depicted in Figure 1, consists of three main actors: clients, PPI providers (or services), and affiliates. We begin with an overview of these actors, followed by discussion of the transactions they perform (Section 2.1) and the means and importance of evading detection (Section 2.2).

Clients are entities that want to install programs onto a number of target hosts. They wish to buy installs of their programs. The PPI provider receives money from clients for the service of installing their programs onto the target hosts, where installation comprises distributing the programs to the target hosts, executing the client programs, and tracking successful executions for accounting.

Figure 1: The typical transactions in the PPI market. PPI clients provide software they want to have installed, and pay a PPI service to distribute the software (1). The PPI service conducts downloader infections itself or employs affiliates that install the PPI’s downloader on victim machines (2). The PPI service pushes out the client’s executables (3). Affiliates receive commission for any successful installations they facilitated (4).

The PPI provider develops a program, called a downloader, that retrieves and runs client’s executables upon installation. The PPI provider may conduct the installation of the downloader itself or may outsource distribution to third parties called affiliates. When a provider has affiliates, the provider acts as a middle man that sells installs to the clients while buying installs from affiliates that specialize in some specific distribution method (e.g., bundling malware with a benign program and distributing the bundle via file-sharing networks; drive-by-download exploits; or social engineering). PPI providers pay affiliates for each target host on which they execute the provider’s downloader program. Once the downloader runs, it connects to the PPI provider to download the client programs. If the PPI provider does the distribution itself, we call the service a direct PPI service. If the PPI provider runs an affiliate program, we call it an affiliate PPI service.

In general, both reputable and not-so-reputable entities use PPI services. In this paper we focus on the use of PPI services as a distribution mechanism for malware, e.g., bots, trojans, fake AV software, and spyware. To

1. PPI clients provide software they want installed
2. The PPI service finds affiliates able to provide this service
3. The PPI service pushes the client’s executable
4. The affiliates receive commission for successful installations

[Caballero, Grier, Kreibich, Paxson]

Example: DDoS Attack on Spamhaus

• Spamhaus provides data on spam-related activities
• In March 2013, it was targeted by a massive DDoS attack
  – 85–120 Gbps on average, over 4 days
  – 300 Gbps peak
• Attack mechanism
  – Attacker sends query for large DNS record to several open DNS resolvers
  – Spoofs IP address, so that replies are sent to the target
  – request << reply => traffic is amplified

[Figure: adversary → ~100K open DNS resolvers → attack traffic toward the anycast target]
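The amplification mechanism above, as an added detection example that is not part of the slides: a small Python function over constructed (not captured) unidirectional UDP flow records, which flags a local host that receives DNS replies from many resolvers it never queried, the view a victim network gets of a spoofed-source reflection attack. Addresses, thresholds and byte counts are constructed.

```python
from collections import defaultdict

# Constructed unidirectional UDP flow records seen at the victim network's border:
# (src_ip, src_port, dst_ip, dst_port, bytes). Sample data, not captured traffic.
FLOWS = [
    # a host on our network doing ordinary lookups: small query out, modest reply back
    ("192.0.2.10", 51512, "198.51.100.1", 53, 64),
    ("198.51.100.1", 53, "192.0.2.10", 51512, 180),
    # reflected amplification hitting 192.0.2.80: large replies from many open
    # resolvers that never received a query from us (the attacker spoofed our address)
    ("203.0.113.11", 53, "192.0.2.80", 4444, 3210),
    ("203.0.113.12", 53, "192.0.2.80", 4444, 3198),
    ("203.0.113.13", 53, "192.0.2.80", 4444, 3305),
    ("203.0.113.14", 53, "192.0.2.80", 4444, 3250),
]

def dns_reflection_report(flows, min_resolvers=3, min_ratio=10.0):
    """Per local destination of DNS replies (UDP source port 53): reply bytes received,
    number of distinct replying resolvers, bytes of queries that host actually sent to
    those resolvers, and the amplification ratio between the two. A host is flagged
    when many resolvers answer it and the replies dwarf what it asked for; a ratio of
    inf means it never asked at all, the tell-tale sign of a spoofed-source reflection."""
    reply_bytes, resolvers = defaultdict(int), defaultdict(set)
    query_bytes = defaultdict(int)            # keyed by (local host, resolver)
    for src, sport, dst, dport, nbytes in flows:
        if dport == 53:                        # outbound query
            query_bytes[(src, dst)] += nbytes
        elif sport == 53:                      # inbound reply
            reply_bytes[dst] += nbytes
            resolvers[dst].add(src)
    report = {}
    for host, inbound in reply_bytes.items():
        outbound = sum(query_bytes[(host, r)] for r in resolvers[host])
        ratio = inbound / outbound if outbound else float("inf")
        flagged = len(resolvers[host]) >= min_resolvers and ratio >= min_ratio
        report[host] = {"reply_bytes": inbound, "resolvers": len(resolvers[host]),
                        "query_bytes": outbound, "ratio": ratio, "flagged": flagged}
    return report
```

On real flow exports the same logic applies unchanged; the ratio for legitimate lookups stays in the single digits, while reflected replies from resolvers the host never contacted have no outbound bytes to divide by.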

Desirable Security Properties

• Authenticity
• Confidentiality
• Integrity
• Availability
• Accountability and non-repudiation
• Access control
• Privacy
• …

Correctness versus Security

• System correctness: system satisfies specification
  – For reasonable input, get reasonable output
• System security: system properties preserved in face of attack
  – For unreasonable input, output not completely disastrous
• Main difference: intelligent adversary trying to subvert system and to evade defensive techniques

ENEE657 In A Nutshell

• Course objectives
  – Understand attacks and defenses in distributed systems
    • To create effective security mechanisms, you must understand the capabilities of real-world attackers
  – Prepare you to collaborate with security researchers
    • Learn how to discuss security topics intelligently
    • Gain thorough grounding in the techniques for defending against attacks on distributed systems and networks
• What ENEE657 is not
  – A course on cryptography
  – A course on theoretical security

ENEE657 Course Content

• Topics
  – Design and implementation of protection mechanisms
    • Vulnerability exploits and defenses against exploitation
    • Privilege separation
    • Confinement
    • Trust and reputation
    • …
  – Security analytics (e.g. measure effectiveness of defenses, infer malicious activity)
    • Cybercrime measurements (spam, zero-day attacks)
    • Cyber conflict
    • Predicting security events
    • …
• This is a systems-oriented course
  – Semester-long project: substantial programming component
  – Project goal: depth and quality adequate for publication in a workshop associated with USENIX Security

This is a Graduate Course

• Learning the material in this course requires participation
  – This is not a sit-back-and-listen kind of course
  – Understanding the assigned readings is required for understanding the topics
  – In-class discussions are part of your grade
• You are responsible for holding up your end of the educational bargain
  – I expect you to attend classes and to complete reading assignments
  – I expect you to try things out for yourself
  – I expect you to know how to find research literature on security topics
    • The required readings provide starting points
  – I expect you to manage your time
    • In general there will be assignments due before each lecture

Homeworks

• Two homeworks to refresh background material
  – Buffer overflow
  – Data analytics
• First homework
  – Will introduce the material on Wednesday
  – Homework will be due on September 6th

Reading Assignments

• Readings: 1-2 papers before each lecture
  – Not light reading – some papers require several readings to understand
  – Check course web page (still in flux) for next readings and links to papers
• Paper critiques: critique the papers you read using a defined template
  – More on this later
• In-class paper discussions: debate contributions and weaknesses of each paper
  – Structured discussion, inspired by competitive debating
• Ahead of each lecture, I will select 4 students to participate in the debate
  – Open discussion with whole class afterward
  – More on this later
• Discussion summaries: edit a Google doc collaboratively, to capture the key issues in the research area discussed
  – Activity done during or after the debate
  – More on this later

Course Projects

• Pilot project: two-week individual projects
  – Goal is to create a proof of concept
    • Some ideas are available on the web page
  – Propose projects by September 11th
  – Submit report by September 25th
  – Peer reviews: review at least 2 project reports from other students
• Group project: ten-week group project
  – Deeper investigation of promising approaches
  – Submit written report and present findings during last week of class
    • 2 checkpoints along the way (schedule on the course web page)
  – Form teams and propose projects by October 2nd

Pre-Requisite Knowledge

• Good programming skills
• Ability to come up to speed on advanced security topics
  – Basic knowledge of security (CMSC414, ENEE457 or equivalent) is a plus
    • The first module (‘Fundamental principles’) will provide some basic background
  – The assigned readings provide the content of interest
• Ability to come up to speed on data analytics
  – Several readings will provide good examples of measurement studies
    • Understand these techniques and apply them in your projects!

Policies

• “Showing up is 80% of life” – Woody Allen
  – You can get an “A” with a few missed assignments, but reserve these for emergencies (conference trips, waking up sick, etc.)
  – Notify the instructor if you need to miss a class, and submit your assignment on time
• UMD’s Code of Academic Integrity applies, modified as follows:
  – Complete your critiques entirely on your own. After you hand in your critiques, you are welcome (and encouraged) to discuss them with others
  – Discuss the problems and concepts involved in the project and homeworks, but produce your own implementations
    • Group projects are the result of teamwork
    • You can post code snippets on Piazza (e.g. to ask a question), but don’t post the whole program listing
• See class website for the official version

Grading Criteria

• Components of the grade
  – 5% Background homework
  – 25% Written paper critiques
  – 30% Participation (in-class discussion, contributions to topic summaries)
  – 40% Projects
  – 10% Potential bonus points
• Expectations
  – You must do all the required readings
  – You can explain the contributions and weaknesses of the papers you read
  – You produce a working implementation for your project, and you must understand how the implementation works

Review of Lecture

• What did we learn?
  – Determining whether we can trust software is a tricky business
  – Methods and motivations of attackers
  – Examples of distributed systems used by cybercriminals
• Sources
  – Various slides from Vitaly Shmatikov, Virgil Gligor and Mike Reiter
• I want to emphasize
  – This is a systems course, not a pen-and-paper course
  – You will be expected to build a real, working, system
• What’s next?
  – Memory corruption and vulnerability exploits