Computer Security -...

8/31/17

1

ComputerSecurity

Prof.TudorDumitrașAssistantProfessor,ECEUniversityofMaryland,CollegePark

ENEE657

AboutMe

TudorDumitrașOffice:AVW3425Email:[email protected]:http://ter.ps/enee657

2

8/31/17

2

MyBackground•  Ph.D.atCarnegieMellonUniversity–  Researchindistributedsystemsandfault-tolerantmiddleware

• WorkedatSymantecResearchLabs–  BuiltWINEplaVormforsecurityanalyWcs

• Usedforsharingreal-worldsecuritytelemetrywithacademicresearchers

• Oneoftheearly‘threatintelligence’plaVorms

•  JoinedUMDfaculty

•  Data-drivensecurity(measurements,machinelearning,malware)–  Focusonsolvingsecurityproblemswithdataanalysistechniques

3

WINE

ENEE657inaNutshell

• ENEE657isagraduate-levelsecuritycourse–  Learnbyreading,explaininganddoing–  Projectoriented:developtoadegreethatwouldmeritpublicaKoninoneoftheworkshopsassociatedwiththeUSENIXSecuritySymposium2018

• Aimstoprepareyouforresearchinsecurity–  Notatutorialorcomprehensivecourseonthesetopics–  Instead,exploringarangeoftopicstoillustratesomeofthecurrentresearchchallenges

–  Targetedatstudentswhowanttoconductresearchintheareaorwhoaremoregenerallyinterestedinsecurityordistributedsystems

4

8/31/17

3

WhoCanYouTrust?

WorkstaWon

O/S

ApplicaWon NFSServer

O/S

ServerNetworkchannel

RequestIwonderwhatTudor’sSSNis…

Keyboard/displaychannel

• Whereistherequest“from”?–  Theuser?TheworkstaWon?TheapplicaWon?Thenetworkchannel?Alloftheabove?

– Whichoftheseactorsdoyoutrust? 5

KenThompson

ACMTuringAward,19836

8/31/17

4

“ReflecKonsonTrusKngTrust”

• Whatsojwarecanwetrust?

• Example:anyoperaWngsystemincludesaprogramcheckingwhetherusersareallowedtologin–  "login"or"su"inUnix–  IstheloginbinaryfromWindows/MacOS/Ubuntu/etc.trustworthy?–  Doesitsendyourpasswordtosomeone?–  Doesithavebackdoorfora“special”remoteuser?

• Can'ttrustthebinary,sochecksourcecodeorwriteyourown,recompile

• Doesthissolveproblem?7

“ReflecKonsonTrusKngTrust”–cont’d

• Whowrotethecompiler?

• Compilerlooksforsourcecodethatlooksliketheloginprocess,insertsbackdoorintoit

• Ok,inspectthesourcecodeofthecompiler…Looksgood?Recompilethecompiler!

• Doesthissolvetheproblem?

8

8/31/17

5


• TheUNIXloginprogramiscompiledbyaCcompiler–  TheCcompilerwasalsocompiledbyan(older)Ccompiler

• Aside:howdoesthecompilerhandlespecialcharacters?…c=next();if(c!='\\')

return(c);c=next();if(c=='\\')

return('\\');if(c=='n')

return('\n');if(c=='v')

return(11);…

…c=next();if(c!='\\')

return(c);c=next();if(c=='\\')

return('\\');if(c=='n')

return('\n');if(c=='v')

return('\v');…

WhenaddinganewspecialcharactertotheClanguage,mustspecifythecharactercode

Infutureversionsofthecompiler:usethespecialcharacter

9


• ThecompileriswrineninC…compiler(S){if(match(S,"login-pattern")){

compile(login-backdoor)

return

}

if(match(S,"compiler-pattern")){

compile(compiler-backdoor)

return

}

..../*compileasusual*/

}

Infutureversionsofthecompiler:thebackdoornolongerappearsinthesourcecode

10

8/31/17

6

“Themoralisobvious.Youcan'ttrustcodethat

youdidnottotallycreateyourself.(Especially

codefromcompaniesthatemploypeoplelikeme.)”


11

WhatCanA[ackersDo?

• A[acktargets:clients,servers,networks,applicaWons,users

• Examplea[ackmethods:–  End-hosts(ordevices):installmalware

–  LAN:read,replay,insert,delete,blockmessages–  Internet:sendspam,conductdistributeddenialofserviceanacks

–  ApplicaKons:exploitvulnerabiliWes–  Data:steal/corruptsecretdata,plantinvaliddata–  Users:conductsocialengineeringanacks

12

8/31/17

7

Aside:IsHardwareSecure?

• Maliciousdevicefirmware–  SomeHWfuncWonalityisactuallyimplementedinSW

–  DoyoutrustdevicefirmwaretocomefromlegiWmatevendor?

–  IsfirmwarefreeofvulnerabiliWes?

• Malicioushardware–  HWisascomplexasSWandisdesignedusingSWtools–  DoyouknowwhereeachHWcomponentcomesfrom?

–  CanyouauthenWcateyourHW?

–  CouldtheCADtoolshaveintroducedabackdoor(HWtrojan)?

13

NetworkStack

people

applicaWon

session

transport

network

datalink

physical

IPv4/IPv6

TCP

email,Web,NFS

RPC

802.11

Sendmail,FTP,NFSbugs,chosen-protocolandversion-rollbackanacks

SYNflooding,RIPanacks,sequencenumberpredicWon

IPsmurfingandotheraddressspoofinganacks

RPCworms,portmapperexploits

WEPanacks

Onlyassecureasthesingleweakestlayer(orinterconnecWonbetweenlayers)

RFRFfingerprinWng,DoS

Phishinganacks,usability

Networkstack

14

8/31/17

8

NetworkDefenses

CryptographicprimiWves

Protocolsandpolicies

ImplementaWons

Buildingblocks

Blueprints

Systems

RSA,DSS,SHA-1…

TLS,IPsec,accesscontrol…

Firewalls,intrusiondetec=on…

Alldefensemechanismsmustworkcorrectlyandsecurely

EndusesPeople Passwordmanagers,companypolicies…

15

A[ackMethodExamples• Malware(malicioussojware/firmware):–  rootkits–  bots–  trojanhorses–  spyware–  worms–  viruses–  backdoors…

• Malware-inserKonmethods–  UserInteracWon/SocialEngineering–  IncorrectOS/ApplicaWonConfiguraWon–  CompromisedOS/ApplicaWon&VulnerabilityExploitaWon

16

8/31/17

9

AnalysisreportedintheMicrosodIntelligenceReport,vol.11,2011

UserInteracKonRequired

AutorunUSB

AutorunNetwork

FileInfecKon

ExploitUpdate

Long(>1yr)Available

PasswordGuessingBruteForce

OfficeMacros

ExploitUpdateAvailable

Zero-dayExploit

45-

40-

35-

30-

25-

20-

15-

10-

5-0

Percen

tageofA

[acksAna

lyzed

44.8%

26.0%

17.2%

4.4% 3.2% 2.4% 1.7% 0.3% ≈0.0%

MalwareInserKonMethods

17

CybercrimeintheRealWorld

• Botnets– Workerbotsrunninginthebackgroundonmillionsofcompromisedhosts

–  BotmastersendinginstrucWonstoworkerbotsviacommand&controlnodes

–  PossibleinstrucWons:propagate,sendspam,conductDDoS,mineBitcoin

• Pay-per-Install(PPI)–  “Affiliate”programsrewardingmiscreantsforinstallingmalwareonend-hosts–  Usefulforbootstrappingbotnets,sendingspam,stagingdenialofserviceanacks,performingclickfraud,hosWngscamwebsites

• DistributedDenialofService(DDoS)–  Instructabotnettodirectalargeamountoftraffictothetarget

–  Leverageprotocolsthatcanamplifytraffic(e.g.NTP,DNS)18

8/31/17

10

Example:StormbotSpamArchitecture

• Spamtemplates–  Custommacrolanguage

–  Polymorphiccontent

• DicWonaries–  Emailaddresses

–  Subjectlines

• Workerbotsgenerateuniquemessagesforeachaddress,trytodeliver,reportresultstoproxies

[Kanich,Kreibich,Levchenkoetal.]

InfrastructureformeasuringtheacWvityoftheStormbotnet

Example:ThePay-Per-InstallBusinessModel

ined PPI services in a top-down manner, by becomingaffiliates of particular services [7, 29]. Our study is in-stead based on infiltrating PPI services in a bottom-upmanner, by creating custom programs that can continu-ously download malware specimens that the PPI servicesdistribute, enabling us to track the infiltrated PPI servicesover time.

We harvested over a million client executables us-ing vantage points spread across 15 countries. Themonth of August 2010 yielded 57 malware families, in-cluding many of the most prevalent infections at thetime. They include spam bots (Rustock, Grum), fakeantivirus (Securitysuite, Securityessential), information-stealing trojans (Zbot, Spyeye), rootkits (Tdss), DDoSbots (Russkill, Canahom), clickers (Gleishug), and ad-ware (SmartAdsSolutions).

Using our geo-diverse vantage points, we measure dif-ferences in the geographical preferences of the differentmalware families. We identify families that exclusivelytarget the US, the UK, and a variety of European coun-tries. We also analyze the rate at which malware authorsrepack their wares to evade hash-based signatures. Onaverage, they repack specimens every 11 days, and somemalware families repack up to twice daily. We track thedynamics of campaigns during which a service dissem-inates a given malware family in an ongoing push, ob-serving a wide temporal range, from specimens that arecontinually distributed over weeks, to pointwise effortslasting only a few hours. We also analyze the particularsof how different PPI services interact with their affili-ates, including surprising evidence suggesting that someaffiliates who sell installs to a particular PPI service notonly buy installs from rival PPI services, but also fromthe very service to which they sell installs—apparentlyto exploit arbitrage.

2 An Overview of Pay-Per-Install

The PPI market, as depicted in Figure 1, consists of threemain actors: clients, PPI providers (or services), andaffiliates. We begin with an overview of these actors,followed by discussion of the transactions they perform(Section 2.1) and the means and importance of evadingdetection (Section 2.2).

Clients are entities that want to install programs onto anumber of target hosts. They wish to buy installs of theirprograms. The PPI provider receives money from clientsfor the service of installing their programs onto the targethosts, where installation comprises distributing the pro-

Figure 1: The typical transactions in the PPI market. PPIclients provide software they want to have installed, andpay a PPI service to distribute the software ( ). The PPIservice conducts downloader infections itself or employsaffiliates that install the PPI’s downloader on victim ma-chines(À). The PPI service pushes out the client’s exe-cutables (Ã). Affiliates receive commission for any suc-cessful installations they facilitated (Õ).

grams to the target hosts, executing the client programs,and tracking successful executions for accounting.

The PPI provider develops a program, called a down-loader, that retrieves and runs client’s executables uponinstallation. The PPI provider may conduct the instal-lation of the downloader itself or may outsource distri-bution to third parties called affiliates. When a providerhas affiliates, the provider acts as a middle man that sellsinstalls to the clients while buying installs from affili-ates that specialize in some specific distribution method(e.g., bundling malware with a benign program and dis-tributing the bundle via file-sharing networks; drive-by-download exploits; or social engineering). PPI providerspay affiliates for each target host on which they executethe provider’s downloader program. Once the down-loader runs, it connects to the PPI provider to downloadthe client programs. If the PPI provider does the distri-bution itself, we call the service a direct PPI service. Ifthe PPI provider runs an affiliate program, we call it anaffiliate PPI service.

In general, both reputable and not-so-reputable enti-ties use PPI services. In this paper we focus on the useof PPI services as a distribution mechanism for malware,e.g., bots, trojans, fake AV software, and spyware. To

1.  PPIclientsprovidesojwaretheywantinstalled

2.  ThePPIservicefindsaffiliatesabletoprovidethisservice

3.  ThePPIservicepushestheclient’sexecutable

4.  TheaffiliatesreceivecommissionforsuccessfulinstallaWons

[Cabalero,Grier,Kreibich,Paxson]

8/31/17

11

Example:DDoSA[ackonSpamhaus

• Spamhausprovidesdataonspam-relatedacWviWes

•  InMarch2013,itwastargetedbyamassiveDDoSanack–  85–120Gbpsonaverage,over4days–  300Gbpspeak

• Anackmechanism–  AnackersendsqueryforlargeDNSrecordtoseveralopenDNSresolvers

–  SpoofsIPaddress,sothatrepliesaresenttothetarget

–  request<<reply => trafficisamplified21

Adversary

~100KopenDNSresolvers

`Anycast

A[acktraffic...

DesirableSecurityProperKes

• AuthenWcity• ConfidenWality•  Integrity• Availability• Accountabilityandnon-repudiaWon• Accesscontrol• Privacy…

22

8/31/17

12

CorrectnessversusSecurity

• Systemcorrectness:systemsaWsfiesspecificaWon–  Forreasonableinput,getreasonableoutput

• Systemsecurity:systemproperWespreservedinfaceofanack–  Forunreasonableinput,outputnotcompletelydisastrous

• Maindifference:intelligentadversarytryingtosubvertsystemandtoevadedefensivetechniques

23

ENEE657InANutshell

• CourseobjecWves–  Understanda[acksanddefensesindistributedsystems• TocreateeffecWvesecuritymechanisms,youmustunderstandthecapabiliWesofreal-worlda[ackers

–  Prepareyoutocollaboratewithsecurityresearchers• Learnhowtodiscusssecuritytopicsintelligently• Gainthoroughgroundinginthetechniquesfordefendingagainstanacksondistributedsystemsandnetworks

• WhatENEE657isnot–  Acourseoncryptography–  AcourseontheoreWcalsecurity

24

8/31/17

13

ENEE657CourseContent•  Topics–  DesignandimplementaWonofprotecKonmechanisms

• VulnerabilityexploitsanddefensesagainstexploitaWon•  PrivilegeseparaWon• Confinement•  TrustandreputaWon• …

–  SecurityanalyWcs(e.g.measureeffecWvenessofdefenses,infermaliciousacWvity)• Cybercrimemeasurements(spam,zero-dayanacks)• Cyberconflict•  PredicWngsecurityevents• …

•  Thisisasystems-orientedcourse–  Semester-longproject:substanWalprogrammingcomponent–  Projectgoal:depthandqualityadequateforpublicaKoninaworkshopassociatedwithUSENIXSecurity

25

ThisisaGraduateCourse

•  LearningthematerialinthiscourserequiresparWcipaWon–  Thisisnotasit-back-and-listenkindofcourse–  Understandingtheassignedreadingsisrequiredforunderstandingthetopics–  In-classdiscussionsarepartofyourgrade

• YouareresponsibleforholdingupyourendoftheeducaWonalbargain–  Iexpectyoutoanendclassesandtocompletereadingassignments–  Iexpectyoutotrythingsoutforyourself–  Iexpectyoutoknowhowtofindresearchliteratureonsecuritytopics• TherequiredreadingsprovidestarWngpoints

–  IexpectyoutomanageyourWme•  Ingeneraltherewillbeassignmentsduebeforeeachlecture

26

8/31/17

14

Homeworks

• Twohomeworkstorefreshbackgroundmaterial–  Bufferoverflow–  DataanalyWcs

• Firsthomework– WillintroducethematerialonWednesday

–  HomeworkwillbedueonSeptember6th

27

ReadingAssignments•  Readings:1-2papersbeforeeachlecture–  Notlightreading–somepapersrequireseveralreadingstounderstand–  Checkcoursewebpage(sWllinflux)fornextreadingsandlinkstopapers

•  PapercriWques:criWquethepapersyoureadusingadefinedtemplate–  Moreonthislater

•  In-classpaperdiscussions:debatecontribuWonsandweaknessesofeachpaper–  Structureddiscussion,inspiredbycompeWWvedebaWng

•  Aheadofeachlecture,Iwillselect4studentstoparWcipateinthedebate–  Opendiscussionwithwholeclassajerward–  Moreonthislater

•  Discussionsummaries:editaGoogledoccollaboraWvely,tocapturethekeyissuesintheresearchareadiscussed–  AcWvitydoneduringorajerthedebate–  Moreonthislater

28

8/31/17

15

CourseProjects

• Pilotproject:two-weekindividualprojects–  Goalistocreateaproofofconcept• Someideasareavailableonthewebpage

–  ProposeprojectsbySeptember11th

–  SubmitreportbySeptember25th

–  Peerreviews:reviewatleast2projectreportsfromotherstudents

• Groupproject:ten-weekgroupproject–  DeeperinvesWgaWonofpromisingapproaches

–  Submitwrinenreportandpresentfindingsduringlastweekofclass• 2checkpointsalongtheway(scheduleonthecoursewebpage)

–  FormteamsandproposeprojectsbyOctober2nd

29

Pre-RequisiteKnowledge

• Goodprogrammingskills

• Abilitytocomeuptospeedonadvancedsecuritytopics–  Basicknowledgeofsecurity(CMSC414,ENEE457orequivalent)isaplus• Thefirstmodule(‘Fundamentalprinciples’)willprovidesomebasicbackground

–  Theassignedreadingsprovidethecontentofinterest

• AbilitytocomeuptospeedondataanalyWcs–  Severalreadingswillprovidegoodexamplesofmeasurementstudies• Understandthesetechniquesandapplytheminyourprojects!

30

8/31/17

16

Policies

•  “Showingupis80%oflife”–WoodyAllen–  Youcangetan“A”withafewmissedassignments,butreservetheseforemergencies(conferencetrips,wakingupsick,etc.)

–  NoWfytheinstructorifyouneedtomissaclass,andsubmityourassignmentonWme

• UMD’sCodeofAcademicIntegrityapplies,modifiedasfollows:–  CompleteyourcriWquesenWrelyonyourown.AderyouhandinyourcriWques,youarewelcome(andencouraged)todiscussthemwithothers

–  Discusstheproblemsandconceptsinvolvedintheprojectandhomeworks,butproduceyourownimplementaWons• Groupprojectsaretheresultofteamwork• YoucanpostcodesnippetsonPiazza(e.g.toaskaquesWon),butdon’tpostthewholeprogramlisWng

• Seeclasswebsitefortheofficialversion 31

GradingCriteria

• Componentsofthegrade–  5%Backgroundhomework

–  25%WrinenpapercriWques

–  30%ParWcipaWon(in-classdiscussion,contribuWonstotopicsummaries)–  40%Projects–  10%PotenWalbonuspoints

• ExpectaWons–  Youmustdoalltherequiredreadings–  YoucanexplainthecontribuKonsandweaknessesofthepapersyouread–  YouproduceaworkingimplementaKonforyourproject,andyoumustunderstandhowtheimplementaWonworks

32

8/31/17

17

ReviewofLecture• Whatdidwelearn?–  Determiningwhetherwecantrustsojwareisatrickybusiness– MethodsandmoWvaWonsofanackers–  Examplesofdistributedsystemsusedbycybercriminals

• Sources–  VariousslidesfromVitalyShmaWkov,VirgilGligorandMikeReiter

•  Iwanttoemphasize–  Thisissystemscourse,notanotapen-and-papercourse–  Youwillbeexpectedtobuildareal,working,system

• What’snext?– MemorycorrupWonandvulnerabilityexploits 33

Computer Security -...

Documents

Transcript of Computer Security -...