User:Curos

CS 155 Network Security Notes 04.12.2007

Has decryption code and encrypted body. Solution: Build signature on decryption code. Encrypted virus that ships with many decryption engines. 96 different encryption engines. Solution: Build signature on all encryption engines. Slightly reencode the virus, randomize somehow. Use a random decoding algorithm. Solution: Emulate virus and scan memory for signature on the stack. Entire virus code changes after each infection.
 * Types of Viruses that defeat signature detection
 * Encrypted Virus
 * Oligomorphic Virus
 * Memorial Virus
 * Polymorphic (1998)
 * Metamorphic Virus

Carries source code with it. Injects junk code in itself and recompiles itself. Metamorphosis by changing register allocation. Switches registers around. Injects jump after every instruction. Geometry method protects against this by looking at the structure of the flow graph.
 * Apparition Virus
 * Vecha Virus
 * Zperm

No complete detection possible. Impossibility result. Fred Cohen (87) put forth claim that no perfect detector exists. Proof: Let A be a virus detector where A(F) outputs yes if virus present, no if not
 * Conclusion

Virus P in file F: Run A(F). If "yes", exit; otherwise, spread.

Run A on file F: Always produces incorrect result.

If A(F)="yes" then answer is wrong because F is benign

If A(F)="no" then answer is wrong because F spreads

CS 155 Network Security Notes 04.17.2007

Users (rows) and the files (columns) they want access to. Complex to individualize, so groups of users or roles.
 * View access control as matrix


 * Access Control Lists (Slice along columns)
 * Capability Systems (Slice along rows)

Every process has numeric user id and one or more group ids. The system stores the user who owns the file and the group the file is in. Permissions also stored for user, group and other. `ls -l` shows permissions for user, group and other, then owner and group: `drwx rwx rwx stevetan users`
 * Unix Security

Execute a directory means use files in that directory. Bypass: convince root process to do your bidding. `find /tmp -atime +3 -exec rm -f -- {} \;` Find files that are three days or older and execute rm on them. Braces get replaced by the file name. `--` prevents path from being parsed as option. Problem: You can use a symbolic link to a file or directory you don't own. Each process has real and effective uid/gid. 'Real' is the user who started the process. 'Effective' is owner/group of file, used in access checks.
 * Time-of-check-to-time-of-use bug (TOCTTOU bug)
 * Clearing old files in /tmp
 * setuid problems

Needed to run with root privileges because of pseudo-terminal (pty) device - to own terminal you're typing in. Also needed to write utmp and wtmp to record users. Had feature to log terminal session. Problem: If you have root privileges, then the output to file can be written anywhere. So have to make sure that the user also has the right privileges. Solution: system call `access` checks permission with real uid instead of effective uid. BUT: Another TOCTTOU bug. access is a potential security hole!
 * xterm
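The `access`-then-open pattern from the xterm notes, next to an open-then-check form, as an added example that is not part of the original notes. It assumes a POSIX system; the file names are constructed, and the planted symlink stands in for the end state of the race.

```python
import os
import stat
import tempfile

def check_then_open(path):
    """The xterm pattern: access() answers for the real uid, open() acts with
    the effective uid, and the path can be re-pointed between the two calls."""
    if not os.access(path, os.W_OK):                 # time of check
        raise PermissionError(path)
    return os.open(path, os.O_WRONLY | os.O_APPEND)  # time of use

def open_then_check(path):
    """Open once, then validate the descriptor rather than the name.
    O_NOFOLLOW rejects a symlink as the final path component only; a setuid
    program should also switch its effective uid to the real uid first."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        os.close(fd)
        raise PermissionError(path)
    return fd

def demo():
    """Constructed scenario: link.log is a symlink planted where a log is expected."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "target")    # stands in for a file the user must not touch
    log = os.path.join(d, "session.log")
    link = os.path.join(d, "link.log")
    for p in (target, log):
        open(p, "w").close()
    os.symlink(target, link)

    fd = check_then_open(link)            # follows the link without complaint
    os.write(fd, b"x")
    os.close(fd)
    wrote_target = os.path.getsize(target) == 1

    try:
        os.close(open_then_check(link))
        rejected = False
    except OSError:                       # ELOOP from O_NOFOLLOW
        rejected = True

    os.close(open_then_check(log))        # an ordinary file is still accepted
    return {"check_then_open_wrote_target": wrote_target,
            "open_then_check_rejected_link": rejected}

if __name__ == "__main__":
    print(demo())
```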

SSH 1.1.12 login program runs as root because it needs to bind to TCP port < 1024 and read client private key (for host authentication). Also needs to read configuration file ~/.ssh/config and record server keys in ~/.ssh/known_hosts.
 * SSH configuration files

Plan: do setuid root and do root actions, then drop all permissions. Problem: ptrace bug. Dropping the privileges allowed user to "debug" SSH: use the privileged port to connect to anywhere, read secret host key from memory, overwrite local user name to get privileges of other user. Fix: restructured ssh into 3 processes that communicate kind of like over a network.

Should restrict certain signals (e.g. SIGALRM might mean something to a process). Ptrace is a very powerful tool that can modify memory of a process, so recommendation is to not let a process ptrace a more privileged process. Disable setuid if executing a process that's being ptraced.
 * When can you send a signal and do a ptrace

A ptraces B. A runs `su user`; A, for now, turns into root. B runs `su root`; B turns into root. A can get root shell from process B.
 * Old su linux bug

You can hardlink a file you don't have access to and then other user can never remove that file.

Multi-user time sharing system. Fortran compiler keeps statistics. /sysx/fort records to /sysx/stat. Gave compiler "home files license" or "root" access. Problem: have fort executable compile/output to directory/file of choice.
 * The Confused Deputy (Norm Hardy)

For each process store a list of objects it can access.
 * Capabilities

Invoke a method on object if you had that capability. If you acquired object then you have that object's capability.
 * Hydra

Pure capability system; capabilities referred to as "keys" for short. Can grant keys to others. Creating a new key requires a privileged operation. No distinction between memory and disk memory. Everything persistent. So don't have to worry about memory. No dynamic memory.
 * KeyKOS
 * Single-level store

One kernel per process. Each file was its own system. A separate process for each file. To read a file, you would need to have the capability. Fault isolated because only can exploit that one section and not the whole file system. Made some functions extremely slow: fork, namei, pipes. Pass capabilities around in a string with encrypted check value.
 * KeyNIX: UNIX on KeyKOS
 * Self-Authenticating Capability - AMOEBA

The CPU is optimized for common code and not for context switches. Requires a lot of inter-process communication. Capability programming never took off. Capabilities are an OS concept of the future and they always will be.
 * Limitations of capabilities

In DAC, can pass access along at your discretion. Can pass secret to friend who passes on to enemy. Military likes MAC.
 * Discretionary Access Control Systems (DAC) vs Mandatory Access Control (MAC)

Access requests and outputs are decisions on these requests. A security level is a classification and category-set. E.g. classified/top secret and nuclear info/cryptography. Must have classification to do actions. Secret files can never be written to lesser unsecret levels. It must be the case that the file being read is being dominated by one that can be written. No read up. No write down.
 * Bell-Lapadula Model
 * Security level
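The dominance relation behind "no read up, no write down", as an added example that is not part of the original notes. The numeric ordering of the classifications and the sample subjects and objects are assumptions made for the illustration; the point it adds is that category sets make some levels incomparable.

```python
from dataclasses import dataclass

# Assumed ordering for the example; the notes name labels, not their ranks.
RANK = {"unclassified": 0, "classified": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Level:
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """self >= other: rank at least as high AND category set a superset."""
        return (RANK[self.classification] >= RANK[other.classification]
                and self.categories >= other.categories)

def can_read(subject, obj):
    return subject.dominates(obj)      # no read up

def can_write(subject, obj):
    return obj.dominates(subject)      # no write down

def can_copy(subject, src, dst):
    """A copy is a read of src plus a write to dst, so information only
    moves to a level that dominates where it came from."""
    return can_read(subject, src) and can_write(subject, dst)

# Constructed subjects and objects.
analyst = Level("secret", frozenset({"cryptography"}))
crypto_memo = Level("classified", frozenset({"cryptography"}))
nuclear_plan = Level("classified", frozenset({"nuclear info"}))
public_note = Level("unclassified")
vault = Level("top secret", frozenset({"cryptography", "nuclear info"}))

if __name__ == "__main__":
    print("read crypto memo:", can_read(analyst, crypto_memo))
    print("read nuclear plan:", can_read(analyst, nuclear_plan))
    print("write public note:", can_write(analyst, public_note))
    print("copy memo to vault:", can_copy(analyst, crypto_memo, vault))
```

The analyst outranks `nuclear_plan` but still cannot read it, because neither level dominates the other once categories are compared.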

Can be anything: disk read, cache miss. Solution: No sharing.
 * Covert channels

CS 155 Network Security Notes 04.19.2007

How to confine untrusted code?

Biba integrity model

DoD Orange Book

Limitations of Orange Book

Common Criteria

LOMAC Uses integrity system, but doesn't care too much about covert channels

Flask Security Architecture. Military attempt to make security system. Prototyped in Fluke and then integrated into SELinux. Policy and mechanism separated.

...

Enforce policy on system calls. Problem: Symbolic links problem.
 * Protecting your system, w/o changing the OS
 * firewall
 * chroot
 * System call interposition

Protect code within an application. Then can safely use "unsafe" code. Cross-address-space/context-switch calls are expensive. Can ensure determinism. Every component has its own fault domain so if it messes up, it doesn't mess up the whole system. Just set the top bits...
 * Sandboxing code
 * Segment matching
 * Address sandboxing

CS 155 Network Security Notes 04.20.2007 Problem Session

Protocol (http), username, password, hostname, port, path, query (?id=4), fragment (#heading1). Very similar to URI. %0A = newline, %20 or + = space, %2b = +
 * URLs
 * Special character encodings

Stop 8:08

CS 155 Network Security Notes 04.24.2007

Want communication security, and cryptography can help.
 * Cryptography

Using a shared key. Message M and key K. M is plaintext. Encrypt(K, M) -> C (ciphertext). Decrypt(K, C) -> M
 * Symmetric Encryption

XOR message with K and decrypt by XOR with K. Advantage: Information theoretically secure. Disadvantage: K must be as long as M.
 * One-time pad

Encrypt one bit at a time with pseudo-random stream. Similar to one-time pad but isn't. Encrypt in chunks: 64 bit, 128 bit.
 * Types of Encryption
 * Stream ciphers
 * Block cipher

Second byte of RC4 is 0 with twice the expected probability. Bad to use many related keys. Should discard first 256 bytes of RC4 output.
 * RC4 security hole

Know c1, know c2 and know c2's message m2, then can get m = c1 XOR c2 XOR m2. Never reuse keys with a stream cipher.
 * Bad use of stream cipher
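The m = c1 XOR c2 XOR m2 identity worked through, with the per-message nonce that prevents it, as an added example that is not part of the original notes. The keystream generator (SHA-256 in counter mode) is a stand-in chosen for the illustration, not a cipher named in the notes, and the key and messages are constructed.

```python
import hashlib

def keystream(seed: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Stands in for any stream cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Keystream depends on key AND nonce; an empty nonce models plain key reuse."""
    return xor(msg, keystream(key + nonce, len(msg)))

def recover_from_reuse(c1: bytes, c2: bytes, m2: bytes) -> bytes:
    """If c1 and c2 share a keystream, the keystream cancels: c1^c2 = m1^m2."""
    return xor(xor(c1, c2), m2)

def demo():
    key = b"constructed-key"
    m1 = b"wire $100 to account 12345"     # constructed messages of equal length
    m2 = b"weekly status: no changes."
    # Same key, no nonce: both messages are masked by the same keystream.
    reused = recover_from_reuse(encrypt(key, b"", m1), encrypt(key, b"", m2), m2)
    # Same key, distinct nonce per message: the keystreams no longer cancel.
    fresh = recover_from_reuse(encrypt(key, b"\x00\x01", m1),
                               encrypt(key, b"\x00\x02", m2), m2)
    return m1, reused, fresh

if __name__ == "__main__":
    m1, reused, fresh = demo()
    print("keystream reused  ->", reused)
    print("nonce per message ->", fresh)
```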

Message is divided into blocks and each block is encrypted separately. Attacker will know repeat plaintext blocks. Sees same block again.
 * ECB (Electronic Codebook)

Use initialization vector and then xor with previous block. So unique each time.
 * CBC (Cipher-block chaining)

Attacker can tamper with message. Encryption does not guarantee integrity. Solution: Message authentication codes.
 * Integrity Problem

Hash arbitrary length input to fixed size output
 * Cryptographic hashes

Better to encrypt and then MAC than to encrypt MAC and message together.
 * Order of Encryption and Macs

Need opposite key to decrypt.
 * Public key Encryption

CS 155 Network Security Notes 04.26.200

Web Security

Firewall, IDS, Application firewall (WAF)

Prevents common web attacks. At a high web server level instead of the link layer. Denial of Service, Web server attack, Worms.
 * Web Application firewalls
 * Common attacks

Common fields include domain name, expiration date and secure (use SSL to send this cookie only).
 * Cookies

Browser can only store 20 cookies/site and 3kb/cookie
 * Browser limitation on cookies

Like OS and using different threads. Shouldn't interact with each other. Two origins are the same iff domain name, port and protocol are the same.
 * Same Origin Principle

Cross site scripting, SQL injection, HTTP splitting, Broken session management, Insecure storage - store credit card data in clear
 * Web Application Vulnerabilities

CS 155 Network Security Notes 05.01.2007

CS 155 Network Security Notes 05.03.2007

User Authentication

Typically done over SSL. 1) Humans are terrible at generating passwords; low entropy secrets ~2^23 words. 2) Compromise password file on website. 3) Phishing.
 * Password based authentication
 * Problems

Don't store in clear. Benefit for using slow hash functions because dictionary attack can be used. Attacker must hash for each salt. Make server do secret salt and brute force authentication.
 * How to store passwords
 * Store Hash(pwd) MD5 SHA1
 * Public Salt with hash
 * Pepper (secret salt)
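The three storage schemes listed above side by side, as an added example that is not part of the original notes. It assumes a one-byte pepper that is never stored, so the server brute-forces it at login as the notes describe; PBKDF2 is the slow hash chosen for the illustration, and the iteration count is kept small only so the example runs quickly.

```python
import hashlib
import hmac
import os

ITERATIONS = 500      # demo value; a deployment uses a far higher work factor

def unsalted(pwd: str) -> bytes:
    """Store Hash(pwd): equal passwords give equal hashes, so one dictionary
    pass cracks every account at once."""
    return hashlib.sha1(pwd.encode()).digest()

def _slow_hash(pwd: str, salt: bytes, pepper: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pwd.encode(),
                               salt + bytes([pepper]), ITERATIONS)

def enroll(pwd: str) -> dict:
    """Public salt is stored; the pepper (secret salt) is used and discarded."""
    salt = os.urandom(16)
    pepper = os.urandom(1)[0]
    return {"salt": salt, "hash": _slow_hash(pwd, salt, pepper)}

def verify(record: dict, pwd: str) -> bool:
    """The server tries every pepper value. An attacker holding the password
    file pays the same 256x factor on every guess, per salt."""
    ok = False
    for pepper in range(256):
        candidate = _slow_hash(pwd, record["salt"], pepper)
        ok |= hmac.compare_digest(candidate, record["hash"])
    return ok

if __name__ == "__main__":
    a, b = enroll("hunter2"), enroll("hunter2")   # constructed password
    print("unsalted hashes equal:", unsalted("hunter2") == unsalted("hunter2"))
    print("salted hashes equal:  ", a["hash"] == b["hash"])
    print("correct password:     ", verify(a, "hunter2"))
    print("wrong password:       ", verify(a, "hunter3"))
```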

Microsoft's Passport. Cookie used for authentication is compromised. Phishing attacks.
 * Single sign on service
 * Problems

Phishing URLs. Phishing using VoIP, a phone call with emulation of voice system. Check SSL certificates. IE has Extended Validation Certificates, which show the name of the certificate in the address bar and a green bar. Picture in picture attacks: simulate what they should see in picture. IE7 now disables the disabling of the toolbar. Man in the middle toolkits available to exploit one-time passwords.
 * Phishing Solutions
 * Other attacks

Partial solution to phishing attacks where both server and client must have password. They compare themselves and only get key to talk to each other if passwords are the same.
 * PAKE Password Authentication Key Exchange

CS 155 Network Security Notes 05.08.2007

ARP tables kept on computer. Where is 128.12.61.2? See all packets going over network. 802.11b still does this. Sends packets only to machines that are listening on that network. Fixes promiscuous mode, however can do ARP spoofing. Get incorrect ARP entry into other people's ARP tables. Send a bunch of packets to old routers that then die. Redirect packets, can affect routers' routing tables. Used between ISPs, no secure binding between IPs. Set up competing DHCP server. User datagram protocol. Provides checksum on whole packet and demultiplexing. Transmission control protocol. Provides flow control and congestion control. TCP is supposed to be reliable, so retransmits. Bad assumption. Must be able to guess SEQ to use, can guess and predict based on real interaction. RST from real client, so can flood server with SYN packets. Send NULL data to both client and server and drive WINDOW up. Inject data as needed and an ACK storm occurs as everyone is transmitting wrong window section. Represented as resource records: name - domain name; TTL - time to live in seconds; class - usually internet; type - type of record; rdata - data dependent on type. A - Internet Address; NS - name server; MX - mail exchanger. `dig www.stanford.edu` Stores name given address. `dig +norec www.stanford.edu @a.root-servers.net` Can fake glue records.
 * IP
 * Medium Access Control (MAC)
 * Address Resolution Protocol (ARP)
 * Promiscuous mode
 * Ethernet switches
 * Attacks
 * ARP spoofing
 * MAC table overflow
 * ICMP redirect abuse
 * BGP routing protocol abuse
 * DHCP abuse
 * UDP
 * TCP
 * Access control based on IP
 * Spoofing IP
 * Desynchronize TCP connection
 * Domain name system (DNS) Port 53
 * DNS RR types
 * PTR record
 * Glue Records

CS 155 Network Security Notes 05.10.2007

Well known ports below 600. Privileged ports < 1024 (proof they are root). /etc/services has well known ports. NFS - if can guess file handle, can read/write entire filesystem. Portmap - another layer of indirection for port numbers. Can make network requests appear to be from localhost. FTP - client can specify third machine for bounce attack. YP/NIS - serves password file. Separate network into zones (finances and SS#'s). Topology. IP source/destination, protocol, TCP flags, ICMP message type. Packets that don't originate from in local network (spoofing). Block forged outgoing packets. Block incoming packets with SYN flag (that means someone on the internal network is running server). E.g. send two packets, second one for restricted port, but since allowed first, will allow second (connection established); then when reassemble packets, it goes to bad port. Allow flows that have already existed. Translates private IP address to public. Policies for specific protocols: FTP, http, etc. Can examine more in-depth. New IP protocol, embed one IP packet in another IP packet. Avoids replays with sequence numbers. Pad packets so don't know how big files you are sending. Change TTL field and exploit fragmentation, so some packets don't even make it through.
 * Port usage
 * Insecure network services
 * Firewall
 * packet filtering
 * block forgeries
 * egress filtering
 * Disallowing servers
 * Complications from fragmentation
 * keeping state in firewall
 * NAT
 * application level proxies
 * IPsec
 * Intrusion detection
 * Subterfuge attacks
 * Kerberos

CS 155 Network Security Notes 05.10.2007

Denial of Service attacks. Make stuff not work. Take out infrastructure with little work. Technique of using small number of packets.
 * DoS
 * Amplification
 * Amplifications due to bugs
 * Amplification due to bot-net

NAV - reserve bandwidth for NAC seconds. So keep reserving. Doesn't work since most cards don't follow NAV standard
 * 802.11b Network

Deauth packet is an "I'm done using wireless slot, someone else use it". Can send deauth packets on behalf of others.
 * Deauthentication bug

Send ICMP to gateway with many computers and broadcast and make ICMP echo go to target.
 * SMURF attack

Similar to SMURF attack. EDNS response is much bigger. x40 amplification
 * DNS Amplification

Too much SYN to store. Detect SYN floods with backscatter.
 * SYN Flood

Have client store info. Only start connection once client echoes back.
 * SYN-cookies
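How a server can make the client "store the info", as an added example that is not part of the original notes. The 5/3/24-bit cookie layout, the 64-second counter and the HMAC construction are simplifying assumptions for the illustration, and the addresses and secret are constructed.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-server-secret"   # constructed; a server uses a random key
PERIOD = 64                              # seconds per counter tick (assumed)

def _mac24(conn, client_isn, t, mss_idx):
    """24-bit keyed hash over the 4-tuple, client ISN, counter and MSS index."""
    src_ip, src_port, dst_ip, dst_port = conn
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}".encode()
    msg += struct.pack("!IBB", client_isn, t, mss_idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_cookie(conn, client_isn, now, mss_idx=0):
    """Server ISN sent in the SYN-ACK. Nothing is stored per connection:
    5 bits of time counter, 3 bits of MSS index, 24 bits of MAC."""
    t = (now // PERIOD) % 32
    return (t << 27) | (mss_idx << 24) | _mac24(conn, client_isn, t, mss_idx)

def check_ack(conn, client_isn, ack_num, now):
    """Validate the final ACK of the handshake. Returns the MSS index to
    rebuild connection state from, or None if the cookie is forged or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF      # client echoes server ISN + 1
    t, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if ((now // PERIOD) - t) % 32 > 1:       # older than one counter tick
        return None
    if cookie & 0xFFFFFF != _mac24(conn, client_isn, t, mss_idx):
        return None
    return mss_idx

if __name__ == "__main__":
    conn = ("198.51.100.7", 40000, "203.0.113.5", 443)   # constructed 4-tuple
    cookie = make_cookie(conn, 123456, now=1000, mss_idx=3)
    ack = (cookie + 1) & 0xFFFFFFFF
    print("valid ACK  ->", check_ack(conn, 123456, ack, now=1030))
    print("stale ACK  ->", check_ack(conn, 123456, ack, now=1000 + 5 * PERIOD))
    print("forged ACK ->", check_ack(conn, 123456, ack ^ 2, now=1030))
```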


 * Take out a site's DNS server

 * Puzzles

CS 155 Network Security Notes 05.10.2007

Worms

CS 155 Network Security Notes 05.22.2007

Surf Anonymously

All users go through anonymizer. Anonymizer knows who you are. Traffic analysis can determine things. Protocol issues (http not meant to keep your privacy and anonymizer may fail certain things).
 * How to surf anonymously
 * Anonymizer

Aka onion routing. Use multiple onion routers. Pick random route each time. Onion levels of encryption. Include return onion for server to respond. This protocol is too high latency. No forward secrecy.
 * Mix Nets

TOR Network is stateful onion routing (a circuit-based method).
 * TOR Network

CS 155 Network Security Notes 05.24.2007

Initialization vector to change cipher text each time
 * Cryptographic file systems