Post on 19-Dec-2015
Computer Security: Computer Science with Attackers
Usable Privacy and Security, Fall 2009
As told by David Brumley

Agenda
• Examples of Axioms (aka, how to think like an attacker)
  – Example I: Ken Thompson
  – Example II: APEG
  – Example III: RSA
• How to argue security

Ken Thompson
• Born Feb 4, 1943
• Notable Work:
  – B Programming Language
  – UNIX
  – Plan 9
  – Popularized regular expressions
• 1983: Turing Award (joint with Ritchie) for UNIX and work in OS
• 1999: US National Medal of Technology
• 1999: First IEEE Tsutomu Kanai Award

A Self-Reproducing Program
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";main() {printf(f,34,f,34,10);}

When Executed
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";main() {printf(f,34,f,34,10);}

The call in main() expands to:
printf("char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c", 34, f, 34, 10);

Output, built up one conversion at a time:
char*f=
    (literal text before the first %c)
char*f="
    (first %c prints 34; ASCII 34 is a quote)
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c
    (%s prints f itself)
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c"
    (second %c prints 34, a quote)
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";main() {printf(f,34,f,34,10);}
    (literal text, then the last %c prints 10, a newline)

Note
• This program can contain an arbitrary amount of excess baggage that will be reproduced along with the main algorithm.

char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";main() {printf(f,34,f,34,10);}

The C Compiler
• The C compiler (cc) is written in C
• Special characters, such as newlines, quotes, etc., are escaped with backslashes. This is called a "character escape sequence"

c = next();
if(c != '\\')    // Note: since the compiler itself is written in C, the backslash must be escaped
    return c;
c = next();
if(c == '\\')
    return '\\';    // returns a single backslash
if(c == 'n')
    return '\n';
etc.

Adding a New Escape Sequence
• The C compiler (cc) is written in C
• How do we add a new escape sequence?
  – Not yet valid C until added to compiler
  – But compiling modified compiler will not work because not valid C

c = next();
if(c != '\\')    // Note: since the compiler itself is written in C, the backslash must be escaped
    return c;
c = next();
…
if(c == 'v')
    return '\v';    // INVALID!
etc.

What you do
• Solution: Encode in current valid C
• '\v' is ASCII 11

c = next();
if(c != '\\')    // Note: since the compiler itself is written in C, the backslash must be escaped
    return c;
c = next();
…
if(c == 'v')
    return 11;    // Works
etc.

How a compiler works
Source Code (Source Language) → Compiler → Executable Code (Target Language)
Compiler:
get(s);
compile(s);

Trojaning Login
'login' → Compiler → Trojaned 'login'
Compiler:
get(s);
compile(s);
if(s == 'login') compile(backdoor);

Trojaning Compiler
'cc' → Compiler → Trojaned 'cc'
Compiler:
get(s);
compile(s);
if(s == 'login') compile(backdoor);
if(s == 'cc') compile(cc-backdoor);

Using Trojaned Compiler
Source: 'cc' source, 'login' source
Trojaned 'cc' Compiler:
get(s);
compile(s);
if(s == 'login') compile(backdoor);
if(s == 'cc') compile(cc-backdoor);
Output: trojaned exec 'cc', trojaned exec 'login'

Agenda
• Examples of Axioms (aka, how to think like an attacker)
  – Example I: Ken Thompson
  – Example II: APEG
  – Example III: RSA
• How to argue security

Patches Help Security
"Regularly Install Patches" − Computer Security Wisdom
B: Buggy Program
P: Patched New Program

Evil David's Timeline
T1: Gets Patch
Use Patch to Reverse Engineer Bug (Minutes)
T2: Attack Unpatched Users
Delayed Patch Attack
Evil David: "I can reverse engineer the patched bug and create an exploit in minutes"

Automatic Patch-Based Exploit Generation
Step 1: Get program B (Bad) and P (Good)
Step 2: Diff B & P
Step 3: Automatically Calculate Exploit
Profit!

IE6 Bug Example
• All integers unsigned 32-bits
• All arithmetic mod 2^32
• B is binary code

B:
read input
if input % 2 == 0
    s := input + 2
else
    s := input + 3
ptr := realloc(ptr, s)

IE6 Bug Example
input = 2^32-2
2^32-2 % 2 == 0
s := 0 (2^32-2 + 2 % 2^32)
ptr := realloc(ptr, 0)
Using ptr is a problem

IE6 Bug Example
Wanted: s > input
Integer Overflow when: ¬(s > input)

Patch
B:
read input
if input % 2 == 0
    s := input + 2
else
    s := input + 3
ptr := realloc(ptr, s)

P:
read input
if input % 2 == 0
    s := input + 2
else
    s := input + 3
if s > input
    ptr := realloc(ptr, s)
else
    Error

Exploits for B are inputs that fail new safety condition check in P
(s > input) = false
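
The B and P flowcharts written out in C, as an added example that is not part of the original slides: it shows the 32-bit wraparound for input = 2^32-2 and counts the inputs that fail the check P adds. The function names size_in_B, size_in_P and count_rejected are made up for illustration, and the even branch adds 2, following the slide's worked input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* B: the size computation. uint32_t arithmetic is mod 2^32, as on the slide. */
uint32_t size_in_B(uint32_t input) {
    return (input % 2 == 0) ? (uint32_t)(input + 2u) : (uint32_t)(input + 3u);
}

/* P: the same computation plus the patch's check "s > input".
 * Returns false on the Error branch, true when realloc(ptr, s) would run. */
bool size_in_P(uint32_t input, uint32_t *s) {
    *s = size_in_B(input);
    return *s > input;
}

/* Count the inputs in [lo, hi] that P sends to the Error branch.
 * A 64-bit loop counter keeps hi = 2^32-1 from wrapping the loop itself. */
uint32_t count_rejected(uint32_t lo, uint32_t hi) {
    uint32_t n = 0, s;
    for (uint64_t i = lo; i <= hi; i++)
        if (!size_in_P((uint32_t)i, &s))
            n++;
    return n;
}

int main(void) {
    uint32_t s;
    uint32_t input = UINT32_MAX - 1;   /* 2^32-2, the slide's input */

    printf("B: input=%u -> s=%u\n", (unsigned)input, (unsigned)size_in_B(input));
    printf("P: input=%u -> %s\n", (unsigned)input,
           size_in_P(input, &s) ? "realloc" : "Error");
    printf("P: input=10 -> %s\n", size_in_P(10, &s) ? "realloc" : "Error");
    printf("rejected among the top 16 inputs: %u\n",
           (unsigned)count_rejected(UINT32_MAX - 15, UINT32_MAX));
    return 0;
}
```

Only inputs within 3 of 2^32 fail the check, so P's Error branch is never taken for ordinary sizes.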

Result Overview
ASPNet_Filter      Information Disclosure   29 sec
GDI                Hijack Control           135 sec
PNG                Hijack Control           131 sec
IE COMCTL32 (B)    Hijack Control           456 sec
IGMP               Denial of Service        186 sec
• No public exploit for 3 out of 5
• Exploit unique for other 2
Does Automatic Patch-Based Exploit Generation Always Work?
NO!
However, in security attackers get lucky, defenders do not
Current Delayed Patch Distribution Insecure

Agenda
• Examples of Axioms (aka, how to think like an attacker)
  – Example I: Ken Thompson
  – Example II: APEG
  – Example III: RSA
• How to argue security

RSA Cryptosystem
• Invented in 1978 by Rivest, Shamir, and Adleman
• RSA is widely used
  – Apache+mod_SSL (https)
  – stunnel (Secure TCP/IP servers)
  – sNFS (Secure NFS)
  – bind (name service)
  – ssh (secure shell)
• We believe RSA is secure

RSA Algorithm
• RSA Initialization:
  – pick prime p (secret)
  – pick prime q (secret)
  – Let N = pq (N is public)
  – pick e (public)
  – Find d s.t. d*e = 1 mod (p-1)(q-1) (private)
• RSA encryption of m: calculate m^e mod N = c
• RSA decryption of c: calculate c^d mod N = m

Example:
• p = 61, q = 53
• N = 3233
• e = 17
• d = 2753
• Suppose m = 123
• c = 123^17 mod 3233 = 855
• m = 855^2753 mod 3233 = 123

Step 1: Define Security
Public Parameters
  – N = pq (N is public)
  – e (public)
Private Parameters
  – p (secret)
  – q (secret)
  – d (derived from e, p, and q, private)
RSA Problem: Given N, e, m^e mod N, compute m
RSA is secure if the RSA problem cannot be solved efficiently

Step 2: Show RSA Meets Definition
Public Parameters
  – N = pq (N is public)
  – e (public)
Private Parameters
  – p (secret)
  – q (secret)
  – d (derived from e, p, and q, private)
RSA Problem: Given N, e, m^e mod N, compute m
Fact: we do not know RSA is secure

2 Ways to Break RSA
RSA Problem: Given N, e, m^e mod N, compute m
Public (N, e) → Factoring Algorithm → Private (p, q, d)
Fact: if we can factor, we can break RSA
Given m^e, we can decrypt just like those who know d

2 Ways to Break RSA
RSA Problem: Given N, e, m^e mod N, compute m
Public (m^e mod N) → Roots → m
Fact: if we can take roots modulo N, we can break RSA

Arguing Security
• Define what is public and private
• Define protocol
  – What bad guy gets to see
  – What bad guy cannot see
• Show that in any run of the protocol the bad guy
  – cannot see what he is not supposed to
  – cannot efficiently compute what he is not supposed to

NP Complete (i.e., it could be difficult) is Insufficient
[Figure: Problem Domain, with Hard Instances marked]
Probability of picking a hard instance is low

We believe RSA is hard on average
[Figure: Problem Domain, with a region marked "assume ciphertexts are easy to decrypt" and a Random ciphertext c]
Can move instance (homomorphism)

Breaking RSA in Practice
• RSA decryption: g^d mod N = m
  – d is private decryption exponent, N is public modulus
• Chinese remaindering (CRT) uses factors directly. N=pq, and d1 and d2 are pre-computed from d:
  1. m1 = g^d1 mod q
  2. m2 = g^d2 mod p
  3. combine m1 and m2 to yield m (mod N)
• Goal: learn factors of N.
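
The numbers from the RSA Algorithm slide run through both plain decryption and the CRT steps above, as an added example that is not part of the original slides; it shows that the CRT path works modulo q and p directly. The function names are made up for illustration, and the recombination in step 3 uses Garner's formula, which is an assumption since the slide only says "combine".

```c
#include <stdint.h>
#include <stdio.h>

/* Square-and-multiply: base^exp mod n. Operands here fit easily in uint64_t. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t n) {
    uint64_t r = 1;
    base %= n;
    while (exp > 0) {
        if (exp & 1)
            r = (r * base) % n;
        base = (base * base) % n;
        exp >>= 1;
    }
    return r;
}

/* Toy parameters from the RSA Algorithm slide. */
enum { P = 61, Q = 53, N = 3233, E = 17, D = 2753 };

uint64_t rsa_encrypt(uint64_t m) { return modpow(m, E, N); }   /* m^e mod N */
uint64_t rsa_decrypt(uint64_t c) { return modpow(c, D, N); }   /* c^d mod N */

/* CRT decryption, numbered as on the slide: d1 goes with q, d2 with p. */
uint64_t rsa_decrypt_crt(uint64_t g) {
    uint64_t d1 = D % (Q - 1);              /* 2753 mod 52 = 49 */
    uint64_t d2 = D % (P - 1);              /* 2753 mod 60 = 53 */
    uint64_t m1 = modpow(g, d1, Q);         /* step 1: m mod q */
    uint64_t m2 = modpow(g, d2, P);         /* step 2: m mod p */
    /* Step 3 (Garner, assumed): m = m1 + q * ((m2 - m1) * q^-1 mod p). */
    uint64_t qinv = modpow(Q, P - 2, P);    /* q^-1 mod p, valid since p is prime */
    uint64_t h = (qinv * ((m2 + P - m1 % P) % P)) % P;
    return m1 + Q * h;
}

int main(void) {
    uint64_t c = rsa_encrypt(123);
    printf("c = %llu\n", (unsigned long long)c);
    printf("plain decrypt = %llu, CRT decrypt = %llu\n",
           (unsigned long long)rsa_decrypt(c),
           (unsigned long long)rsa_decrypt_crt(c));
    return 0;
}
```

Every exponentiation in rsa_decrypt_crt is reduced modulo q or p, not N, which is why the running time of a CRT implementation can depend on the secret factors.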

Suppose I implement RSA as:
if (d == 1) { sleep(1); decrypt(c); }
if (d == 2) { sleep(2); decrypt(c); }
if (d == 3) { sleep(3); decrypt(c); }
Time to decrypt leaks key

RSA Decryption Time Variance
• Causes for decryption time variation:
  – Which multiplication algorithm is used.
    • OpenSSL uses both basic mult. and Karatsuba mult.
  – Number of steps during a modular reduction
    • modular reduction goal: given u, compute u mod q
    • Occasional extra steps in OpenSSL's reduction alg.
• There are MANY:
  – multiplications by input c
  – modular reductions by factor q (and p)

Reduction Timing Dependency
• Modular reduction: given u, compute u mod q.
  – OpenSSL uses Montgomery reductions [M'85].
• Time variance in Montgomery reduction:
  – One extra step at end of reduction algorithm with probability
    Pr[extra step] ≈ (c mod q) / 2q   [S'00]

Multiplication Timing Dependency
• Two algorithms in OpenSSL:
  – Karatsuba (fast): Multiplying two numbers of equal length
  – Normal (slow): Multiplying two numbers of different length
• To calc x·c mod q OpenSSL does:
  – When x is the same length as (c mod q), use Karatsuba mult.
  – Otherwise, use Normal mult.

Data Dependency Summary
• Decryption value c < q
  – Montgomery effect: longer decryption time
  – Multiplication effect: shorter decryption time
• Decryption value c > q
  – Montgomery effect: shorter decryption time
  – Multiplication effect: longer decryption time
Opposite effects! But one will always dominate

Timing Attack
High Level Attack:
1) Suppose g = q for the top i-1 bits, and 0 elsewhere.
2) g_hi = g, but with the ith bit 1. Then g < g_hi
   Goal: decide if g < q < g_hi or g < g_hi < q
3) Sample decryption time for g and g_hi:
   t1 = DecryptTime(g)
   t2 = DecryptTime(g_hi)
4) If |t1 - t2| is large, bit i is 0 (g < q < g_hi: g and g_hi straddle q)
   else bit i is 1 (g < g_hi < q: g and g_hi don't straddle q)
large vs. small creates 0-1 gap

Timing Attack Details
• We know what is "large" and "small" from attack on previous bits.
• Decrypting just c does not work because of sliding windows
  – Decrypt a neighborhood of values near g
  – Will increase diff. between large and small values (larger 0-1 gap)
• Only need to recover 1/2 the bits of q [C'97]
• Attack requires only 2 hours, about 1.4 million queries

Normal SSL Decryption
Regular Client → SSL Server: 1. ClientHello
SSL Server → Regular Client: 2. ServerHello (send public key)
Regular Client → SSL Server: 3. ClientKeyExchange (r^e mod N)
Result: Encrypted with computed shared master secret
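
Attack SSL Decryption
Attack Client → SSL Server: 1. ClientHello
SSL Server → Attack Client: 2. ServerHello (send public key)
Attack Client → SSL Server: 3. Record time t1; send guess g or g_hi
SSL Server → Attack Client: 4. Alert
Attack Client: 5. Record time t2; compute t2 – t1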

Attack requires accurate clock
• Attack measures 0.05% time difference between g and g_hi
  – Only 0.001 seconds on a P4
• We use the CPU cycle counter as fine-resolution clock
  – "rdtsc" instruction on Intel
  – "%tick" register on UltraSparc

Attack extracts RSA private key in OpenSSL
[Figure: zero-one gap, with one region labeled "Montgomery reductions dominate" and one labeled "Multiplication routine dominates"]

My Work
I. Securing the entire software lifecycle
II. Allowing everyone to reason about the security of the code they execute

BAP: Binary Code Analysis Platform
• Binary code is everywhere
• Security of the code you run (not just the code compiled)