E-voting analysis 2. Identify the assets / goals of the system 2(a) • Confidentiality (can’t steal data) Token • No one knows for whom any given voter voted (except for the voter) o Mickey Mouse 1 2(b) o Donald Duck • Integrity (can’t modify data) BDF o Minnie Mouse • Every voter’s vote counted once Voter Poll worker 2(c) • No voter’s vote changed • Availability (system stays up) Encrypted disk • Everyone has the ability to cast their vote 3 • Usability (no undue burden on users) • Easy for the voter to vote (correct language, good UI) • Easy for the tabulator to count votes Tabulator
E-voting analysis 2. Identify the assets / goals of the system 2(a) • Confidentiality (can’t steal data) Token • No one knows for whom any given voter voted (except for the voter) o Mickey Mouse 1 2(b) o Donald Duck • Integrity (can’t modify data) BDF o Minnie Mouse • Every voter’s vote counted once Voter Poll worker 2(c) • No voter’s vote changed • Availability (system stays up) Encrypted disk • Everyone has the ability to cast their vote 3 • Usability (no undue burden on users) • Easy for the voter to vote (correct language, good UI) • Easy for the tabulator to count votes Tabulator
E-voting analysis 2. Identify the assets / goals of the system 2(a) • Confidentiality (can’t steal data) Token • No one knows for whom any given voter voted (except for the voter) o Mickey Mouse 1 2(b) o Donald Duck • Integrity (can’t modify data) BDF o Minnie Mouse • Every voter’s vote counted once Voter Poll worker 2(c) • No voter’s vote changed • Availability (system stays up) Encrypted disk • Everyone has the ability to cast their vote 3 • Usability (no undue burden on users) • Easy for the voter to vote (correct language, good UI) • Easy for the tabulator to count votes Tabulator
E-voting analysis 2. Identify the assets / goals of the system 2(a) • Confidentiality (can’t steal data) Token • No one knows for whom any given voter voted (except for the voter) o Mickey Mouse 1 2(b) o Donald Duck • Integrity (can’t modify data) BDF o Minnie Mouse • Every voter’s vote counted once Voter Poll worker 2(c) • No voter’s vote changed • Availability (system stays up) Encrypted disk • Everyone has the ability to cast their vote 3 • Usability (no undue burden on users) • Easy for the voter to vote (correct language, good UI) • Easy for the tabulator to count votes Tabulator
E-voting analysis 2. Identify the assets / goals of the system 2(a) • Confidentiality (can’t steal data) Token • No one knows for whom any given voter voted (except for the voter) o Mickey Mouse 1 2(b) o Donald Duck • Integrity (can’t modify data) BDF o Minnie Mouse • Every voter’s vote counted once Voter Poll worker 2(c) • No voter’s vote changed • Availability (system stays up) Encrypted disk • Everyone has the ability to cast their vote 3 • Usability (no undue burden on users) • Easy for the voter to vote (correct language, good UI) • Easy for the tabulator to count votes Tabulator
E-voting analysis 3. Identify the adversaries and threats 2(a) Poll worker could Token set BDF to print Voter could attempt to o Mickey Mouse 1 2(b) “Mickey Mouse” generate their own o Donald Duck but record as tokens & get ≥ 2 votes BDF Token o Minnie Mouse “Minnie Mouse” Voter Poll worker 2(c) Someone with access to the Someone with Encrypted file store machine : Because there is no access to the disk or end-to-end verification that a network : Read who 3 vote was counted, modifying voted for whom. the software could result in Writing could change complete control the outcome altogether Tabulator
E-voting analysis 4. Identify the vulnerabilities • Ballot definition files are not authenticated 2(a) • How do we know they’re from the election board? Token • Can redefine “Candidate A” as “Candidate B” Not a theoretical system: • Viruses o Mickey Mouse 1 2(b) o Donald Duck • Smartcards are not authenticated Diebold AccuVote-TS BDF o Minnie Mouse • How do we know they’re not user-generated? Voter Poll Used in 37 states at time of study • Possible to make your own and vote multiple times. worker 2(c) • Specific software vulnerabilities • Every machine has the same encryption key! Encrypted file store • Break one, and they all fall Optional reading “Analysis of an Electronic Voting System” 3 • Votes are shipped unencrypted! Kohno et al. • Votes are stored in the order cast • If one can view the data unencrypted, this violates our confidentiality goal Tabulator
E-voting analysis 4. Identify the vulnerabilities • Ballot definition files are not authenticated 2(a) • How do we know they’re from the election board? Token • Can redefine “Candidate A” as “Candidate B” • Viruses o Mickey Mouse 1 2(b) o Donald Duck • Smartcards are not authenticated BDF o Minnie Mouse • How do we know they’re not user-generated? Voter Poll • Possible to make your own and vote multiple times. worker 2(c) • Specific software vulnerabilities • Every machine has the same encryption key! Encrypted file store • Break one, and they all fall 3 • Votes are shipped unencrypted! • Votes are stored in the order cast • If one can view the data unencrypted, this violates our confidentiality goal Tabulator
Analyzing security Takeaway points • Analyzing security requires a whole-systems view • Hardware, software, users, economics, …. • Security is only as strong as the weakest link • May have been difficult to break into the building • But if the data is sent unencrypted… • Securing a system can be difficult • Interdisciplinary (software, hardware, UI design) • Humans are in the loop • Security through obscurity does not work • Especially for high-value assets • It’s only a matter of time until someone finds out
The Goals of CMSC 414 In order to achieve security, we must: Be able to eliminate bugs and design flaws and/or make them harder to exploit. Be able to think like attackers. Develop a foundation for deeply understanding the systems we use and build. Software Hardware Protocols Users Law Economics
Software security • Security is a form of dependability • Does the code do “what it should” • To this end, we follow the software lifecycle • Distinguishing factor: an active, malicious attacker • Attack model • The developer is trusted • But the attacker can provide any inputs Malformed strings - Malformed packets - etc. - What harm could an attacker possibly cause?
screensaver --prompt=“Don’t unlock plz” Don't unlock plz Locked by dml press ctrl-c to logout
screensaver --prompt=“Don’t unlock pretty plz” Don't unlock pretty plz Locked by dml press ctrl-c to logout
screensaver --prompt=“Don’t unlock plz ␠␠␠ \ ␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠ ” Don't unlock plz Locked by dml press ctrl-c to logout
screensaver —prompt=“Under maintenance;\ Do not interrupt ␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠ \ ␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠␠ ” Under maintenance; Do not interrupt Locked by dml press ctrl-c to logout
Most (interesting) software takes input Direct user interaction • command line interface (stdin) • user opens a document Target host (victim)
Most (interesting) software takes input Direct user interaction • command line interface (stdin) • user opens a document Network communication • emails Target • various protocols host (victim)
Most (interesting) software takes input Direct user interaction • command line interface (stdin) • user opens a document Network communication • emails Target • various protocols host Sensing the outside world • QR codes (to link w/ malware) (victim) • sound recordings
Most (interesting) software takes input Direct user interaction • command line interface (stdin) • user opens a document Network communication • emails Target • various protocols host Sensing the outside world • QR codes (to link w/ malware) (victim) • sound recordings Third-party libraries
Most (interesting) software takes input Direct user interaction • command line interface (stdin) • user opens a document Network communication • emails Target • various protocols host Sensing the outside world • QR codes (to link w/ malware) (victim) • sound recordings Third-party libraries Future code updates
Most (interesting) software takes input Direct user interaction • command line interface (stdin) • user opens a document Network communication • emails Target • various protocols host Sensing the outside world • QR codes (to link w/ malware) (victim) • sound recordings Third-party libraries Future code updates Goal: Correct operation despite malicious inputs
Most (interesting) software takes input Direct user interaction • command line interface (stdin) • user opens a document Network communication • emails Target • various protocols host Sensing the outside world • QR codes (to link w/ malware) (victim) • sound recordings Third-party libraries Future code updates Others… Goal: Correct operation despite malicious inputs
We’re going to focus on C C is consistently in wide use http://www.tiobe.com
We’re going to focus on C Many mission critical systems are written in C • Most kernels & OS utilities • fingerd • X windows server • Many high-performance servers • Microsoft IIS • Microsoft SQL server • Many embedded systems • Mars rover • But the techniques apply more broadly • Wiibrew:“Twilight Hack” exploits buffer overflow when saving the name of Link’s horse, Epona
We’re going to focus on C A breeding ground for buffer overflow attacks 1988 1999 2000 2001 2002 2003 • Morris worm • Propagated across machines (too aggressively, thanks to a bug) • One way it propagated was a buffer overflow attack against a vulnerable version of fingerd on VAXes • Sent a special string to the finger daemon, which caused it to execute code that created a new worm copy • Didn’t check OS: caused Suns running BSD to crash • End result: $10-100M in damages, probation, community service
We’re going to focus on C A breeding ground for buffer overflow attacks 1988 1999 2000 2001 2002 2003 • Morris worm • Propagated across machines (too aggressively, thanks to a bug) • One way it propagated was a buffer overflow attack against a vulnerable version of fingerd on VAXes • Sent a special string to the finger daemon, which caused it to execute code that created a new worm copy • Didn’t check OS: caused Suns running BSD to crash • End result: $10-100M in damages, probation, community service (Robert Morris is now a professor at MIT)
We’re going to focus on C A breeding ground for buffer overflow attacks 1988 1999 2000 2001 2002 2003 • CodeRed • Exploited an overflow in the MS-IIS server • 300,000 machines infected in 14 hours
We’re going to focus on C A breeding ground for buffer overflow attacks 1988 1999 2000 2001 2002 2003 • CodeRed • Exploited an overflow in the MS-IIS server • 300,000 machines infected in 14 hours
We’re going to focus on C A breeding ground for buffer overflow attacks 1988 1999 2000 2001 2002 2003 • SQL Slammer • Exploited an overflow in the MS-SQL server • 75,000 machines infected in 10 minutes
We’re going to focus on C A breeding ground for buffer overflow attacks 1988 2008 2009 2010 2011 2012 • Conficker worm • Exploited an overflow in Windows RPC • ~10 million machines infected
We’re going to focus on C A breeding ground for buffer overflow attacks 1988 2008 2009 2010 2011 2012 • Stuxnet • Exploited several overflows nobody had at the time known about (“zero-day”) • Windows print spooler service • Windows LNK shortcut display • Windows task scheduler • Also exploited the same Windows RPC overflow as Conficker • Impact: legitimized cyber warfare ( more on this later )
We’re going to focus on C A breeding ground for buffer overflow attacks 1988 2008 2009 2010 2011 2012 • Flame • Same print spooler and LNK overflows as Stuxnet • Cyber-espionage virus
GHOST : glibc vulnerability introduced in 2000, only just announced last year
syslogd bug in Mac OS X & iOS • syslog: message logging infrastructure • Useful: one process issues the log messages, syslogd handles storing/disseminating them
syslogd bug in Mac OS X & iOS • syslog: message logging infrastructure • Useful: one process issues the log messages, syslogd handles storing/disseminating them
Array of int ’s
Array of int ’s Had this many int ’s
Array of int ’s Want this many int ’s
Takes bytes as 2nd arg Array of int ’s Want this many int ’s
Takes bytes as 2nd arg Array of int ’s Want this many int ’s How many bytes should global.lockdown_session_fds be?
Takes bytes as 2nd arg Array of int ’s Want this many int ’s How many bytes should global.lockdown_session_fds be? global.lockdown_session_count + 1 * sizeof(int)
Takes bytes as 2nd arg Array of int ’s Want this many int ’s How many bytes should global.lockdown_session_fds be? global.lockdown_session_count + 1 * sizeof(int) (global.lockdown_session_count + 1) * sizeof(int)
syslogd bug in Mac OS X & iOS • syslog: message logging infrastructure • Useful: one process issues the log messages, syslogd handles storing/disseminating them Buffer too small
syslogd bug in Mac OS X & iOS • syslog: message logging infrastructure • Useful: one process issues the log messages, syslogd handles storing/disseminating them Buffer too small Writes beyond the buffer
Buffer overflows are prevalent Significant percent of all vulnerabilities 16 12 8 4 0 1997 1999 2001 2003 2005 2007 2009 2011 2013 2015 Data from the National Vulnerability Database
Buffer overflows are prevalent Total number of buffer overflow vulnerabilities 1000 750 500 250 0 1997 1999 2001 2003 2005 2007 2009 2011 2013 2015 Data from the National Vulnerability Database
Buffer overflows are impactful This class MITRE's top-25 most dangerous software errors (from 2011)
Buffer overflows are impactful This class E-voting MITRE's top-25 most dangerous software errors (from 2011)
Buffer overflows are impactful Later This class Later E-voting Later MITRE's top-25 most dangerous software errors (from 2011)
Our goals • Understand how these attacks work, and how to defend against them • These require knowledge about: • The compiler • The OS • The architecture Analyzing security requires a whole-systems view
Memory layout
Refresher • How is program data laid out in memory? • What does the stack look like? • What effect does calling (and returning from) a function have on memory? • We are focusing on the Linux process model • Similar to other operating systems
All programs are stored in memory 4G 0
All programs are stored in memory 0xffffffff 4G 0x00000000 0
All programs are stored in memory 0xffffffff 4G The process’s view of memory is that it owns all of it 0x00000000 0
All programs are stored in memory 0xffffffff 4G The process’s view In reality, these are of memory is that virtual addresses ; it owns all of it the OS/CPU map them to physical addresses 0x00000000 0
The instructions themselves are in memory 0xffffffff 4G Text 0x00000000 0
The instructions themselves are in memory 0xffffffff 4G ... 0x4c2 sub $0x224,%esp 0x4c1 push %ecx 0x4bf mov %esp,%ebp 0x4be push %ebp ... Text 0x00000000 0
Data’s location depends on how it’s created 0xffffffff 4G Text 0x00000000 0
Data’s location depends on how it’s created 0xffffffff 4G Init’d data static const int y=10; Text 0x00000000 0
Data’s location depends on how it’s created 0xffffffff 4G Uninit’d data static int x; Init’d data static const int y=10; Text 0x00000000 0
Data’s location depends on how it’s created 0xffffffff 4G Uninit’d data static int x; Known at Init’d data static const int y=10; compile time Text 0x00000000 0
Data’s location depends on how it’s created 0xffffffff 4G cmdline & env Uninit’d data static int x; Known at Init’d data static const int y=10; compile time Text 0x00000000 0
Data’s location depends on how it’s created 0xffffffff 4G Set when cmdline & env process starts Uninit’d data static int x; Known at Init’d data static const int y=10; compile time Text 0x00000000 0
Data’s location depends on how it’s created 0xffffffff 4G Set when cmdline & env process starts int f() { Stack int x; … Uninit’d data static int x; Known at Init’d data static const int y=10; compile time Text 0x00000000 0
Data’s location depends on how it’s created 0xffffffff 4G Set when cmdline & env process starts int f() { Stack int x; … Heap malloc(sizeof(long)); Uninit’d data static int x; Known at Init’d data static const int y=10; compile time Text 0x00000000 0
Data’s location depends on how it’s created 0xffffffff 4G Set when cmdline & env process starts int f() { Stack int x; … Runtime Heap malloc(sizeof(long)); Uninit’d data static int x; Known at Init’d data static const int y=10; compile time Text 0x00000000 0
We are going to focus on runtime attacks Stack and heap grow in opposite directions 0x00000000 0xffffffff Heap Stack
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap Stack
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap Stack Stack pointer
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap Stack Stack push 1 push 2 pointer push 3
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap Stack Stack push 1 push 2 pointer push 3
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap Stack Stack push 1 push 2 pointer push 3
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 1 Stack Stack push 1 push 2 pointer push 3
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 1 Stack Stack push 1 push 2 pointer push 3
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 2 1 Stack Stack push 1 push 2 pointer push 3
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 2 1 Stack Stack push 1 push 2 pointer push 3
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 3 2 1 Stack Stack push 1 push 2 pointer push 3
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 3 2 1 Stack Stack push 1 push 2 pointer push 3 return
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 3 2 1 Stack Stack push 1 push 2 pointer push 3 return
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 3 2 1 Stack { apportioned by the OS; Stack push 1 push 2 managed in-process pointer push 3 by malloc return
We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 3 2 1 Stack { apportioned by the OS; Stack push 1 push 2 managed in-process pointer push 3 by malloc return Focusing on the stack for now
Recommend
More recommend
