Software and Web Security, part 1 (sws1)

About this course - PDF document


  1. Software and Web Security, part 1 (sws1)

  2. About this course: people
     • Erik Poll
     • Peter Schwabe
     • Pol van Aubel
     • Ko Stoffelen

  3. About this course: topics & goals
     • Standard ways in which software can be exploited
       – understanding how such attacks work
       – understanding what makes these attacks possible
       – doing some attacks in practice
     • Root cause analysis: why are things so easy to hack?
     • This involves understanding
       – programming languages, compilers, and operating systems, and the abstractions that they provide
       – the languages, representations, and interpretations involved
       – the potential for trouble – in the form of software vulnerabilities – that all this introduces

  4. Software and Web Security - part 1 & 2
     • part 1 – security problems in machine code, compiled from C(++) sources (as usual), running on a standard CPU and operating system
     • part 2 – security problems in software for the web, using web browsers and web applications, and typically some back-end database.

  5. Prerequisites
     • Imperatief Programmeren (imperative programming)
       – we won't use C++, but C
       – biggest change: using printf instead of <<
     • Processoren (processors)
       – what is the functionality that a typical CPU offers, on which we have to run our software written in higher-level languages?

  6. Lectures & lab sessions
     • 8 lectures and 6 lab sessions
     • Lab sessions Tuesdays 8:45-10:30 in terminal room HG00.075
     • Course material will be on http://www.cs.ru.nl/~erikpoll/sws1

  7. Lab exercises
     Weekly lab session with a weekly programming/hacking exercise
     • Exercises are to be done in pairs
     • Doing the exercises is obligatory to take part in the exam
     • Exercises will be lightly graded to provide feedback, with an nsi-regeling: you can have only one exercise niet-serieus-ingeleverd (not seriously submitted)
     • But beware: the exercises of one week will build on knowledge & skills from the previous week
     • Also: turning up for the lab sessions might be crucial to sort out practical problems (with C, gcc, Linux, ...). E.g. coming Tuesday at 8:45: a demo of the Linux command line, university servers, ...

  8. Lab exercises
     We use
     • C as programming language, not C++
     • Linux from the command line, aka the shell
     • the compiler gcc
     So no fancy graphical user interfaces (GUIs) for the operating system (OS) or the compiler. Why?
     • GUIs are nice, but hide what the OS and compiler are doing
     • the command line is clumsy at first – using commands instead of pointing & clicking – but gives great power: we can write shell scripts, programs that interact with the OS

  9. Caveat: you are our guinea pigs
     • This course is new - to you, to us & the world... Most universities won't teach this material in the first year
     • There are lots of things involved: understanding compilers and operating systems, C, pointers, memory management, Linux, the command line, Makefiles, scripting, ...
     • So please ask if things are not clear!

  10. Intro

  11. Fairy tales: a problem...
     Many discussions of security begin with Alice and Bob.
     [Figure: Alice and Bob communicating, with Eve in between]
     Problem: how can Alice communicate securely with Bob, when Eve can modify or eavesdrop on the communication?

  12. This is an interesting problem, but it is not the biggest problem

  13. Fairy tales... a bit more realistic
     How can Alice's computer communicate securely with Bob's computer when Eve can modify or eavesdrop on the communication?
     But... even if Alice can trust Bob, can she trust his computer?

  14. Reality & the bigger problem
     Alice's computer is communicating with some other computer on the internet.
     [Figure: Alice's computer receiving possibly malicious input from another computer]
     How can we prevent Alice's computer from being hacked, when it communicates with some other computer?
     NB solving the first problem - securing the communication - does not help here!

  15. Why is this a problem? Why can't we solve it?
     • Why can PCs, laptops, tablets, smartphones, web-sites, servers, routers, printers, smartcards, cars, ATMs, ... be hacked?
       – Easily & frequently
       Because there is software inside!
     • Software is the most complex artifact mankind has ever created
     • The good news: software is incredibly powerful & flexible, and shaping the world
     • The bad news: we are not (yet?) capable of producing software without bugs
     • By sending malicious input to software, attackers can try to exploit such bugs

  16. From simple attacks to malware
     • You can exploit vulnerabilities in software
       – to simply crash a program
       – to reveal or corrupt some data on that computer
       – to interfere with services offered by that computer
     • To do more interesting damage, you want to get some software running on your victim's computer.
       malware = software with some malicious intent
     NB here the power & flexibility of software is used against us...

  17. A brief history of malware

  18. Pre-history of hacking
     In the 1950s, Joe Engressia showed the telephone network could be hacked by phone phreaking, i.e. whistling at the right frequencies.
     http://www.youtube.com/watch?v=vVZm7I1CTBs
     In the 1970s, before founding Apple together with Steve Jobs, Steve Wozniak sold Blue Boxes for phone phreaking at university.

  19. (Aside: a modern variant is hacking phones via SMS)
     Using a USRP (Universal Software Radio Peripheral) we can send malicious SMS messages via GSM to attack your phone.

  20. History of malware
     • 1982: First computer virus, spread via floppy disks.
       High school student Rich Skrenta wrote the Elk Cloner, a computer virus for the Apple II that spread via floppy disk.
     • 1988: First internet worm, the Morris worm.
       University student Robert Morris wrote a program that could replicate itself over the internet. Unintentionally, it crashed 10% of the internet. This led to the first conviction under the 1986 US Computer Fraud and Abuse Act.
     • late 1990s/early 2000s: many more viruses and worms
       – Email viruses: I Love You, Kournikova, ...
       – Worms: Slammer, Nimda, ...
       Later viruses also spread via XSS on social networking websites.

  21. Slammer Worm (Jan 2003)
     Pictures taken from "The Spread of the Sapphire/Slammer Worm", by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver

  22. Slammer Worm (Jan 2003), continued
     Pictures taken from "The Spread of the Sapphire/Slammer Worm", by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver

  23. Malware: worms, viruses, Trojans
     The only goal of early malware was to spread (and crash things).
     • worm – piece of software that can spread autonomously
     • virus – requires some user interaction to spread, e.g. clicking an email attachment
     • Trojan – apparently benign program with hidden malicious functionality, so the victim will willingly install it
     Modern malware is much more versatile, so the distinction between viruses and worms is no longer so interesting – or indeed clear. E.g. is spreading an XSS worm just by looking at a webpage user interaction?
     Some modern malware is not meant to spread, e.g. targeted attacks on one person, by a PDF attachment sent by email or via LinkedIn.

  24. History of malware: turning professional
     After hacking for "fun" (if massive DoS attacks can be considered "fun") hackers went underground and turned professional.
     Malware evolved to do more interesting - and profitable - things besides crashing things, e.g.
     • stealing user data (usernames & passwords, credit card numbers, ...)
     • sending spam, e.g. for phishing
     • interfering with internet transactions (e.g. internet banking)
     • infecting other computers
     • new business models for making money: adware, scareware, or ransomware
     • creating botnets, large collections of infected computers (bots), that can then be used for all of the above

  25. Example scareware
     [Figure: screenshot of a scareware program]
