=========== CS 5600 Lecture 10 [Hour 2] ====================

Security
=========

Q What is security? How is it different from protection?
-- Protection is an internal problem. Security is an external problem: it takes into consideration the external environment in which the system operates.

Security violations may be
--------------------------
-- accidental (such as a bug that alters the behavior of a program). These violations are easy to detect.
-- malicious. These violations are intentional and well disguised, making them hard to detect.

Classes of security attacks:
----------------------------
-- Breach of confidentiality: unauthorized reading of data, or information theft.
-- Breach of integrity: unauthorized modification of data.
-- Breach of availability: unauthorized deletion of data.
-- Theft of service: unauthorized use of resources.
-- Denial of service: prevents legitimate users from accessing the resources.

Mechanisms for attack:
----------------------
-- Masquerading: the attacker pretends to be someone else. Once the attacker gains access he can use resources that were normally denied to him, or he can escalate his privileges.
-- Replay attack: record a transaction between two communicating parties and later replay it for some other purpose.
-- Man in the middle attack: the attacker sits in the data flow of the communication. He pretends to be the receiver to the sender and the sender to the receiver.
-- Session hijacking: the attacker intercepts an active communication and tries to gain access to information and services in the system.

Security Measures:
------------------
-- Physical: secured access to machines, physical security.
-- Human: password protection etc.
-- Operating system: protection from accidental or intentional breaches (e.g. stack overflow attack).
-- Network: protection from attacks like DoS etc.

Program Threats:
----------------
-- Trojan Horse: a piece of software that misuses its environment.
   Variations of Trojan Horse:
   -- login emulator
   -- spyware
-- Trap Door: a hole in the software system that only the programmer knows about, and only he is capable of using it.
-- Logic Bomb: a variation of trap door, in which a particular piece of code is invoked when a predefined set of conditions is met.
-- Stack and buffer overflow: a stack overflow attack is performed by:
   -- overflowing a command line, input buffer or input field until it writes into the stack;
   -- overwriting the current return address on the stack so that it points to the address of the malicious code;
   -- writing a simple set of code that includes the commands the attacker wishes to execute.

An example of a stack overflow vulnerability in C:

    #include <string.h>

    #define BUFFER_SIZE 256

    int main(int argc, char **argv)
    {
        char buffer[BUFFER_SIZE];
        if (argc < 2)
            return 1;
        /* No length check: an argument of BUFFER_SIZE or more characters overruns buffer */
        strcpy(buffer, argv[1]);
        return 0;
    }

The above code works properly as long as the string passed to the program is shorter than BUFFER_SIZE, i.e. at most BUFFER_SIZE - 1 characters (one byte is kept for the '\0'). However, if the string is BUFFER_SIZE characters or longer, strcpy() keeps overwriting memory past the end of the buffer until it encounters a '\0' or the program crashes.

Use of buffer overflow to compromise the integrity of the system:
-----------------------------------------------------------------

Layout of a typical stack frame
-------------------------------

    bottom   +--------------------------------+
             |         return address         |
             |--------------------------------|
             |       saved frame pointer      |
             |--------------------------------|
      |      |               .                |
    grows    |               .                |
      |      |               .                |
      |      |--------------------------------|
      |      |       automatic variables      |
      |      |--------------------------------|
      V      |           parameters           |
    top      +--------------------------------+

Given the above layout, a cracker can execute a buffer overflow attack by overwriting the return address.
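As an added example (not part of the lecture notes), this is the hardened form of the strcpy() program above: the copy is bounded by the buffer size, and an argument that would not fit in BUFFER_SIZE - 1 characters plus the terminator is rejected instead of overrunning the stack. The names safe_copy, handle_input and handle_repeated are assumptions introduced for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 256

/* Bounded replacement for the lecture's strcpy(buffer, argv[1]). Returns the
 * number of characters copied, or -1 when src plus its '\0' does not fit in
 * dst_size bytes. The scan stops at dst_size, so an oversize or unterminated
 * input can never make this routine read or write past the end of dst. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n >= dst_size)          /* needs n + 1 bytes, only dst_size exist */
        return -1;
    memcpy(dst, src, n + 1);    /* copies the terminating '\0' too */
    return (int)n;
}

/* Same shape as the lecture's main(): a BUFFER_SIZE stack buffer filled
 * from one argument, but the copy is checked instead of trusted. */
int handle_input(const char *arg)
{
    char buffer[BUFFER_SIZE];
    int n = safe_copy(buffer, sizeof buffer, arg);
    if (n < 0)
        return -1;              /* reject rather than truncate silently */
    return (int)strlen(buffer); /* buffer is guaranteed terminated here */
}

/* Helper for exercising the boundary: feeds count copies of c to handle_input(). */
int handle_repeated(char c, size_t count)
{
    char tmp[BUFFER_SIZE + 2];
    if (count > BUFFER_SIZE + 1)
        return -2;
    memset(tmp, c, count);
    tmp[count] = '\0';
    return handle_input(tmp);
}

int main(int argc, char **argv)
{
    if (argc < 2 || handle_input(argv[1]) < 0) {
        fprintf(stderr, "usage: %s <at most %d characters>\n", argv[0], BUFFER_SIZE - 1);
        return 1;
    }
    puts("ok");
    return 0;
}
```

An argument of exactly BUFFER_SIZE - 1 characters is accepted and one of BUFFER_SIZE characters is refused, which is the boundary the notes describe.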
The cracker first writes the code that he wants to be executed; for example, consider the code below:

    #include <unistd.h>

    int main(void)
    {
        char *args[] = { "/bin/bash", NULL };  /* argument vector for the new program */
        execvp(args[0], args);                 /* replaces this process with a shell */
        return 0;
    }

The cracker then compiles the code and produces assembly code, which is modified to reduce the code size so it can fit in the stack segment. This code is assembled into binary form. The cracker includes enough no-operation instructions in the binary to fill the gap between the starting point of the buffer and the return address. The attack is complete when the cracker gives the constructed binary sequence to the program.

Prevention: an extra bit is added to the page table entry that specifies that stack data is not to be executed. Formal methods (such as model checking) are being employed to find buffer overflows in legacy C code.

Virus
-----
Self-replicating code that attaches itself to other programs. It spreads through emails, macros in Word and Excel documents, etc.

Vectors for attack
------------------
-- File: appends itself to a file such that its code is executed first, and then control is transferred to the original code.
-- Boot: infects the boot sectors; executed each time the system is booted.
-- Macro: written in some high-level language like VB.
-- Source code: modifies the source to spread the virus to other files.
-- Polymorphic: changes each time it is installed to avoid detection by anti-virus software.
-- Encrypted: first decrypts itself and then executes.
-- Stealth: avoids detection by modifying the system.
-- Tunneling: avoids detection by anti-virus software by installing itself in interrupt handlers.
-- Multipartite: infects multiple parts of a system.
-- Armored: hard to unravel by anti-virus software.