introduction to information security · introduction to information security 0368-3065, spring 2015...
TRANSCRIPT
1
Introduction to Information Security0368-3065, Spring 2015
Lecture 9:Low-level platform attacks,
Trusted platform,TCP/IP security (1/2)
Eran TromerSlides credit:
Dan Boneh, StanfordItamar Gilad and Nir Krakowsky and Avishai Wool, Tel Aviv University
Steve Weiss, PrivateCore
22
Boot sequence / virtualization
• BIOS– CIH (1998): CIH virus corrupts system BIOS– Heasman (2007):
• System Management Mode (SMM) “rootkit” via EFIinvisible to OS and VMM
– Sacco, Ortega (2009): infect BIOS LZH decompressor• OS loading
– Master Boot Record / Boot Sector• Virtualization: Subvirt, Blue Pill
33
Hardware implants
• Malware in firmware, persists across OS reinstall– Hard disks– Keyboard controllers– PCI/PCIe cards
• Direct Memory Access (DMA) by PCI/PCIe cards and Firewire/Thunderbolt peripherals– Countermeasure: IOMMU (e.g., Intel VT-D)
– Countermeasure: Software Guard Extensions (SGX) encrypts memory
All practical and used (leaked “ANT” catalog of the National Security Agency)See talk by Steve Weiss at Black Hat 2014 https://www.youtube.com/watch?v=edNkIc6L9Qo
44
SMM attack
55
Hard disk firmware attack
66
PXIe card attack
• Intelligent Network Adapter
• Boots independently of host
• Exfiltrates data over network
77
Physical memory extraction
• Memory bus analyzer• Freeze the state of volatile DRAM and read it on a different
machine– Cold boot attack (literally freeze)– Keep power using capacitor
88
DRAM memory bus analyzers
9
Trusted Platformsvia
Trusted Computing Architecture
10
BackgroundTCG consortium. Founded in 1999 as TCPA. Main players (promoters): (>200 members)
AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft, Sun
Goals: Hardware protected (encrypted) storage:Only “authorized” software can decrypt data e.g.: protecting key for decrypting file system
Secure boot: method to “authorize” software
Attestation: Prove to remote server what software is running on my machine.
11
TCG: changes to PC
Extra hardware: TPM Trusted Platform Module (TPM) chip Single 33MhZ clock.
TPM Chip vendors: (~.3$) Atmel, Infineon, National, STMicro Intel D875GRH motherboard
Software changes: BIOS, EFI (UEFI) OS and Apps
12
TPMs in the real world
TPMs widely available on laptops, desktops and some servers
Software using TPMs:
File/disk encryption: BitLocker, IBM, HP, Softex
Attestation for enterprise login: Cognizance, Wave
Client-side single sign on: IBM, Utimaco, Wave
TPM Basics
What the TPM does
How to use it
13
14
Components on TPM chip
I/O
Crypto Engine:RSA, SHA-1, HMAC, RNG
Non Volatile Storage
(> 1280 bytes)PCR Registers(≥16 registers)
OtherJunk
RSA: 1024, 2048 bit modulusSHA-1: Outputs 20 byte digest
LPCbus
API calls
15
Non-volatile storage1. Endorsement Key (EK) (2048-bit RSA)
Created at manufacturing time. Cannot be changed. Used for “attestation” (described later)
2. Storage Root Key (SRK) (2048-bit RSA)
Used for implementing encrypted storage Created after running
TPM_TakeOwnership( OwnerPassword, … ) Can be cleared later with TPM_ForceClear from BIOS
3. OwnerPassword (160 bits) and persistent flags
Private EK, SRK, and OwnerPwd never leave the TPM
16
PCR: the heart of the matter
PCR: Platform Configuration Registers Lots of PCR registers on chip (at least 16) Register contents: 20-byte SHA-1 digest (+junk)
Updating PCR #n :
TPM_Extend(n,D): PCR[n] ← SHA-1 ( PCR[n] || D )
TPM_PcrRead(n): returns value(PCR(n))
PCRs initialized to default value (e.g. 0) at boot time TPM can be told to restore PCR values in NVRAM via
TPM_SaveState and TPM_Startup(ST_STATE)for system suspend/resume
17
Using PCRs during the boot process
BIOS boot block executes Calls TPM_Startup (ST_CLEAR) to initialize PCRs to 0 Calls PCR_Extend( n, <BIOS code> ) Then loads and runs BIOS post boot code
BIOS executes: Calls PCR_Extend( n, <MBR code> ) Then runs MBR (master boot record), e.g. GRUB.
MBR executes: Calls PCR_Extend( n, <OS loader code, config> ) Then runs OS loader
… and so on
18
Boot process with TPM
BIOS boot block
BIOS MBR
TPM
Hardware
Root of trust in integrity measurement
Root of trust in integrity reporting
measuring
Extend PCR
• After boot, PCRs contain hash chain of booted software• Reliable summary of the current platform, assuming:
• Every step correctly “measures” the next one (and in particular has no vulnerabilities that circumvent measurement)
• The BIOS boot block is not compromised• The PCR initialized to 0 and is modified only by extending it• Collision resistance of SHA-1
ApplicationOSOS
loader
19
Example: Trusted GRUB (IBM’05)
What PCR # to use and what to measure specified in GRUB config file
20
Using PCR values after boot
Application 1: encrypted (a.k.a sealed) storage.
Step 1: TPM_TakeOwnership( OwnerPassword, … ) Creates 2048-bit RSA Storage Root Key (SRK) on TPM Cannot run TPM_TakeOwnership again without OwnerPwd:Ownership Enabled Flag ← False
Done once by IT department or laptop owner.
(optional) Step 2: TPM_CreateWrapKey / TPM_LoadKey Create more RSA keys on TPM protected by SRK Each key identified by 32-bit keyhandle
21
Protected Storage
Main Step: Encrypt data using RSA key on TPM
TPM_Seal (some) Arguments:
keyhandle: which TPM key to encrypt with
KeyAuth: Password for using key `keyhandle’
PcrValues: PCRs to embed in encrypted blob
data block: at most 256 bytes (2048 bits) Used to encrypt symmetric key (e.g. AES)
Returns encrypted blob.
Main point: blob can only be decrypted with TPM_Unseal when PCR-reg-vals = PCR-vals in blob. TPM_Unseal will fail othrewise
22
Protected Storage
Embedding PCR values in blob ensures that only certain apps can decrypt data. e.g.: Messing with MBR or OS kernel will
change PCR values.
23
Sealed storage: applicationsLock software on machine: OS and apps sealed with MBR’s PCR. Any changes to MBR (to load other OS) will prevent
locked software from loading. Prevents tampering and reverse engineering
Web server: seal server’s SSL private key Goal: only unmodified Apache can access SSL key Problem: updates to Apache or Apache config
General problem with software upgrades/patches:Upgrade process must re-seal all blobs with new PCRs
24
Security?Resetting TPM after boot Attacker can disable TPM until after boot, then extend
PCRs arbitrarily(one-byte change to boot block) [Kauer 07]
Software attack: send TPM_Init on LPC bus allows calling TPM_Startup again (to reset PCRs)
Simple hardware attack: use a wire to connect TPM reset pin to ground
Once PCRs are reset, they can be extended to reflect a fake configuration.
Rollback attack on encrypted blobs undo security patches
25
Better root of trustLate launch: securely load OS/VMM,even on a potentially-compromised machineDRTM – Dynamic Root of Trust MeasurementNew CPU instruction:Intel TXT: SENTER AMD: SKINITAtomically does: Reset CPU. Reset PCR 17 to 0. Load given Secure Loader (SL) code into I-cache Extend PCR 17 with SL Jump to SL
BIOS boot loader is no longer root of trustAvoids TPM_Init attack: TPM_Init sets PCR 17 to
26
Protecting code on an untrusted platform
Can we run sensitive code on a potentially-compromised platform, without rebooting/replacing it? Many ways to read and corrupt code!
Secure enclave using hardware Possible with SENTER/SKINIT but cumbersome
(Flicker project) Intel Software Guard Extensions (SGX) ARM TrustZone
Cryptography Fully-homomorphic encryption encryption Succinct zero-knowledge proofs (SNARKs) and
Proof-Carrying Data
Attestation
27
28
Attestation: what it doesGoal: prove to remote party what software is running on my machine.
Good applications: Bank allows money transfer only if customer’s
machine runs “up-to-date” OS patches. Enterprise allows laptop to connect to its network only
if laptop runs “authorized” software Quake players can join a Quake network only if their
Quake client is unmodified.
DRM: MusicStore sells content for authorized players only.
30
Attestation: how it works
Step 2: sign PCR values (after boot)
Call TPM_Quote (some) Arguments:
keyhandle: which AIK key to sign with
KeyAuth: Password for using key `keyhandle’
PCR List: Which PCRs to sign.
Data Challenge string from remote server (prevents replay of
old signatures)
Additional user data to sign
Returns signed data and signature.
32
TCP/IP security
BackboneISP ISP
Internet Infrastructure
Local and interdomain routing TCP/IP for routing and messaging BGP for routing announcements
DNS (Domain Name System DNS) Find IP address from domain name
33
TCP/IP Packets
Application
Transport (TCP, UDP)
Network (IP)
Link Layer
Application message - data
TCP data TCP data TCP data
TCP Header
dataTCPIP
IP Header
dataTCPIPETH ETF
Link (Ethernet)Header
Link (Ethernet)Trailer
segment
packet
frame
message
34
35
Inside a LAN: Layer 2 issues - ARP
35
Addressing in Layer 2 / Layer 3
Layer 3 (IP) IP Address 32 bits long
Layer 2 (MAC) MAC address 48 bits long
How to translate from IP address to MAC address?“Layer 2.5” protocol : ARP
36
ARP (Address Resolution Protocol)
ARP request – broadcast to all stations on LAN Computer A asks the network, "Who has this IP address?“
37
ARP(2)
ARP reply Computer B tells Computer A, "I have that IP. My Physical Address
is [whatever it is].“
38
Cache Table
Every computer stores the translations it knows in a “cache”
To view: “arp –a”
39
ARP Poisoning
To avoid making an ARP request before sending every IP packet, each host has a local cache.Another trick to avoid excessive ARP requests, is that every host will send a broadcast ARP reply when it comes online / every interval, to let everyone know its MAC address (known as “Gratuitous ARP”)Most implementations are state-less by design, and will happily store ARP replies even if they didn’t issue a request (for reasons stated above)Result – everyone on the local network can impersonate any other host, by sending a malicious ARP reply in their name.
ARP Poisoning
Simplicity also leads to insecurity No Authentication ARP provides no way to verify that the responding device is
really who it says it is Stateless protocol
Attacks Denial of Service (DoS)
Hacker can easily associate an operationally significant IP address to a false MAC address
Man-in-the-Middle Intercept network traffic between two devices in your network
41
Man-In-The-Middle: poison #1
42
Man-In-The-Middle: poison #2
43
Man-In-The-Middle: success!
44
Promiscuous mode
Normally, the network card will listen to every incoming packet, and discard any packet whose destination MAC address is not its own.When someone is running a sniffer, they’ll want to capture as much information as possible about the network.Network cards can support this by going into what’s called “Promiscuous mode” – where every packet received is sent to the OS for further processing.
Detecting Promiscuous Hosts
We want to detect if someone on our network is using a sniffer in promiscuous mode.
The trick –Send out a ping request with the wrong destination MAC address, but the right IP target (or broadcast).Regular hosts will discard the packet, but anyone in promiscuous mode will reply, since the IP target was valid
Layer 3 issues - IP
47
Internet Protocol
Connectionless Unreliable Best effort
Notes: src and dest ports
not parts of IP header
IP
Version Header LengthType of Service
Total LengthIdentification
Flags
Time to LiveProtocol
Header Checksum
Source Address of Originating Host
Destination Address of Target Host
Options
Padding
IP Data
Fragment Offset
48
IP Routing
Typical route uses several hopsIP: no ordering or delivery guarantees
Meg
Tom
ISP
Office gateway
121.42.33.12132.14.11.51
SourceDestination
Packet
121.42.33.12
121.42.33.1
132.14.11.51
132.14.11.1
49
IP Protocol Functions (Summary)
Routing IP host knows location of router (gateway) IP gateway must know route to other networks
Fragmentation and reassembly If max-packet-size less than the user-data-size
Error reporting ICMP packet to source if packet is dropped
TTL field: decremented after every hop Packet dropped if TTL=0. Prevents infinite loops.
50
Basic IP tools
51
“IP spoofing”:no src IP authentication
Client is trusted to embed correct source IP Easy to override using raw sockets SCAPY, libnet: tools for formatting raw packets with
arbitrary IP headers
Anyone who owns their machine can send packets with arbitrary source IP … response will be sent back to forged source IP
Implications: Anonymous DoS attacks Anonymous infection attacks (e.g. slammer worm)
52
53
Routing Vulnerabilities
53
Interdomain Routing
connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)
OSPF
BGP
Autonomous System (AS)
earthlink.net Stanford.edu
54
Routing Vulnerabilities
Routing protocols:
OSPF: used for routing within an AS
BGP: routing between ASs Attacker can cause entire Internet to send traffic
for a victim IP to attacker’s address. Some examples:
2008: YouTube IP address space redirected to Pakistan (censorship done wrong…)
2010: Chinese IP publishes 37,000 prefixes covering many many major websites
55
Whois: IP/Domain/AS information
56
BGP example [D. Wetherall]
3 4
6 57
1
8 27
7
2 7
2 7
2 7
3 2 7
6 2 7
2 6 52 6 5
2 6 5
3 2 6 5
7 2 6 56 5
5
5
57
BGP Security Issues
BGP path attestations are un-authenticated Attacker can inject advertisements for arbitrary routes Advertisement will propagate everywhere Used for DoS, spam, and eavesdropping
Human error problems: Mistakes quickly propagate to the entire Internet
Not quite as bad it as it could be because BGP operators are a “closed club” with selective acceptance and some internal sanctions.
58