Security Engineering - IIT Madras CSE Dept. (chester/courses/17o_sse/slides/2_threats.pdf)

Security Engineering. Chester Rebeiro, IIT Madras. Examples motivated from Prof. Nickolai Zeldovich's lectures; part of MIT OpenCourseWare.


Security Engineering: What is it About?

Building systems that work even with adversaries

What does it involve?

•  Security goals
•  Security policy
•  Security mechanism
•  Threat assumptions

Threat Assumptions

•  Assumptions about the attacker
–  Is the attacker all powerful? (Theoretical; very difficult to achieve in practice)
–  What can the attacker do? (guess keywords; sniff keystrokes; co-reside on the same machine)
–  Is a government an adversary? (Snowden revelations; hardware trojans; may need more assurance about the hardware)
–  Insider attackers (knowledge of the entire system architecture, security policies leaked)

Security Goals

Any security system must address the following goals

•  Confidentiality
–  keep data secret except to authorized users
•  Integrity
–  prevent unauthorized users from making modifications
–  prevent authorized users from making improper modifications
•  Availability of data to authorized users
–  handle Denial of Service, loss due to natural disasters, equipment failure

e.g. Moodle, Facebook


Security Policy

•  Document that outlines the rules, laws, and practices so that security goals are achieved.
•  High level statements generally signed by the company's CEO
–  Does not go into the technical details of how security goals are achieved

Security Policy for an IT Laboratory

•  For lab security
•  This is taken from https://www.sans.org/security-resources/policies/server-security/pdf/lab-security-policy
•  Note the high level language, succinct statements, and no details about how the policy is implemented

What does it involve?

•  Security goals
•  Security policy
•  Security mechanism
–  Implementation aspects for the policy (involves code, crypto, protocols, standards, …)
•  Threat assumptions

What's the Big Deal about Security Engineering?

•  A security system should
–  Allow authorized users access to a resource
–  Disallow all other users access to the resource (in spite of users having supreme power, access to source code, etc.) (weakest link matters)

e.g. Moodle
Assignment submissions should be accessible to all TAs → this is easily achieved
Assignment submissions should not be accessible to anyone but the TAs → not that easy!

What can go wrong?

There can be mistakes in each of these
•  Security policy
•  Security mechanism
•  Threat assumptions

Messing up Security Policies

https://en.wikipedia.org/wiki/Sarah_Palin_email_hack

Forgot Password Security Questions

Messing up Security Policies

When forgot password sends a "Reset Password" to a backup email address

https://www.theverge.com/2012/8/6/3224597/mat-honan-hacked-apple-icloud-google-twitter

Hacked! In a span of one hour
•  Google account deleted
•  Twitter account compromised
•  Apple ID broken into
•  Remotely erased all data on iPhone, iPad, and MacBook

Daisy Chained Accounts

Amazon Account
→ iPhone Account
→ Google Account
→ Twitter Account (the ultimate objective of the hacker)

The last 4 digits of the credit card: iPhone thought this was private information; Amazon thought this was public information

So you think you are safe with SMS OTP?

How to Avoid Policy Mistakes?

•  Could be conservative
–  e.g. No way to recover password (brutal!!!)
•  Need to think hard
•  Need to think of the entire system
–  Difficult especially for distributed systems
•  Formally verify if your policy is complete
–  Would need a mathematical representation of the policy

Threat Assumptions (What can go wrong?)

•  The human factor (can't assume humans won't fall prey to these)

Threat Assumptions (What can go wrong?)

•  Threat model changes with time

1980s: Kerberos, invented in the 1980s, used DES with 56-bit keys for encryption. 56-bit keys were pretty safe in the 80s.

1990s: Kerberos, in the 1990s, still used DES with 56-bit keys for encryption. 56-bit keys could be practically broken in the 90s in a single day (with specialized hardware).

DES went obsolete, but nobody thought of changing Kerberos

Threat Assumptions (What can go wrong?)

•  Is the government an adversary?

Hardware backdoors: cannot assume your hardware is safe

Do you need to worry about cloned hardware?

Threat Assumptions (What can go wrong?)

•  Trusted parties may get compromised
•  Example: DigiNotar (a Dutch Certifying Authority) compromised in 2011.
–  Issued fraudulent certificates which were used to conduct man-in-the-middle attacks against Google, Yahoo, Mozilla, and many other services
–  Targeted 300,000 Gmail users
–  Suspected to be the work of a government

Threat Assumptions (What can go wrong?)

•  Improper use of crypto
•  Suppose the prime generation for RSA was faulty
–  So that the primes generated were always from a small subset
–  Then RSA can be broken
•  Pairwise GCD of over a million RSA moduli collected from the Internet showed that
–  2 in 1000 have a common prime factor

"Ron was Wrong, Whit is Right", 2012
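As an added example (not from the slides), the pairwise GCD audit the slide refers to, run over constructed moduli: a faulty generator that only ever draws both primes from a tiny pool, beside two keys built from distinct primes. `FAULTY_POOL`, `GOOD_PRIMES`, `faulty_keygen` and `find_shared_factors` are names and values made up for this example; the primes are far too small for real RSA and are only there to keep the arithmetic visible.

```python
import math
from itertools import combinations

# Constructed primes (an assumption of this example; real RSA primes are
# hundreds of digits long). The faulty generator only ever picks from
# FAULTY_POOL, so distinct keys are bound to share a prime, which is the
# failure the slide describes.
FAULTY_POOL = [65537, 104729, 1299709]
GOOD_PRIMES = [7919, 15485863, 2147483647, 32452843]


def faulty_keygen(idx):
    """Modulus built by a generator whose primes come from a small subset."""
    p = FAULTY_POOL[idx % len(FAULTY_POOL)]
    q = FAULTY_POOL[(idx + 1) % len(FAULTY_POOL)]
    return p * q


def find_shared_factors(moduli):
    """Pairwise GCD audit over a list of RSA moduli.

    Returns {(i, j): g} for every pair whose GCD g is larger than 1. Because
    each modulus is a product of two primes, such a g is a prime factor shared
    by moduli i and j, and both moduli are then factored outright.
    """
    shared = {}
    for (i, n_i), (j, n_j) in combinations(enumerate(moduli), 2):
        g = math.gcd(n_i, n_j)
        if g > 1:
            shared[(i, j)] = g
    return shared


def factor_with_shared_prime(n, g):
    """n = g * (n // g): one shared prime breaks the modulus completely."""
    return (g, n // g)


def audit_demo():
    """Three moduli from the faulty generator plus two from distinct primes."""
    moduli = [faulty_keygen(i) for i in range(3)]
    moduli.append(GOOD_PRIMES[0] * GOOD_PRIMES[1])
    moduli.append(GOOD_PRIMES[2] * GOOD_PRIMES[3])
    shared = find_shared_factors(moduli)
    broken = {}
    for (i, j), g in shared.items():
        broken[i] = factor_with_shared_prime(moduli[i], g)
        broken[j] = factor_with_shared_prime(moduli[j], g)
    return shared, broken


if __name__ == "__main__":
    shared, broken = audit_demo()
    for (i, j), g in shared.items():
        print(f"moduli {i} and {j} share the prime {g}")
    print(f"{len(broken)} of 5 moduli factored; the two good keys are untouched")
```

Pairwise GCD is quadratic in the number of keys, which is fine for auditing one organisation's key inventory; the 2012 study, over millions of moduli, used a product-tree batch GCD that computes the same result in quasi-linear time.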

Threat Assumptions (What can go wrong?)

•  Insiders cannot be trusted
–  The 1980s had an insider inserting backdoors in a secure OS used for military applications; the attacker could get access to the system through the backdoor

Threat Assumptions (what can be done?)

•  Better understanding of possible weaknesses
•  Adapt with time
•  More encompassing threat models
•  Physically unclonable functions
•  Developed in house

Security Mechanisms (What can go wrong?)

•  Due to programmers
–  Forget
–  Don't know
–  Only look for functional correctness
•  Programming languages
–  Do not inherently do certain checks

Number of Password Attempts

Websites typically have N password attempts before your account is blocked. Passwords are not very difficult to crack (see John the Ripper: http://www.openwall.com/john/), combined with the fact that many people are not very smart at setting passwords (one of the most famous passwords is "password") (http://www.telegraph.co.uk/technology/2017/01/16/worlds-common-passwords-revealed-using). What happens if the programmer forgets to do the count check? Disaster anytime.

Apple's iCloud password-guessing rate limits: iCloud has many services and many APIs. One service forgot to implement limiting the number of password trials. An adversary could try an infinite number of times.

https://github.com/hackappcom/ibrute
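The attempt-count check as a single enforcement point, as an added example that is not from the slides and not Apple's code. The design answer to "one service forgot the check" is to have no per-service check at all: every login API goes through one gateway that owns the counter. `AuthGateway`, `MAX_ATTEMPTS`, `LOCKOUT_SECONDS` and the service names are constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_ATTEMPTS = 5         # N failed tries before the account is blocked (constructed value)
LOCKOUT_SECONDS = 900    # length of the block in seconds (constructed value)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthGateway:
    """One login path shared by every service and API.

    The attempt counter lives here, not in each service, so a new API cannot
    ship without the check the way the slide's iCloud service did.
    """

    def __init__(self):
        self.accounts = {}
        self.events = []          # (service, user, outcome): what monitoring alerts on

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, service, user, password, now):
        acct = self.accounts.get(user)
        if acct is None:
            outcome = "invalid"           # same answer as a wrong password
        elif now < acct.locked_until:
            outcome = "locked"            # refused before the password is examined
        elif hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            outcome = "ok"
        else:
            acct.failures += 1
            if acct.failures >= MAX_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
                outcome = "locked"
            else:
                outcome = "invalid"
        self.events.append((service, user, outcome))
        return outcome


def simulate():
    """Constructed scenario: N wrong guesses through one service, then the
    real password through another service, before and after the lockout."""
    gw = AuthGateway()
    gw.register("alice", "correct horse battery staple")
    t = 1_000.0
    results = [gw.login("find-my-iphone", "alice", "password", t)
               for _ in range(MAX_ATTEMPTS)]
    results.append(gw.login("icloud-web", "alice", "correct horse battery staple", t + 1))
    results.append(gw.login("icloud-web", "alice", "correct horse battery staple",
                            t + LOCKOUT_SECONDS + 1))
    return results


if __name__ == "__main__":
    print(simulate())   # ['invalid', 'invalid', 'invalid', 'invalid', 'locked', 'locked', 'ok']
```

The lock is keyed on the account, not on the calling service, so guesses spread across several APIs still count against the same limit; the `events` list is the audit trail a detection rule would read to spot one account being hammered from many services.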

Missing Access Control Checks

Citibank data breach in 2011

Citi's login page: enter username and password, LOGIN
Web page 2: the URL contains the account number of the user
Change the account number in this page and you will get another user's account details

http://www.nytimes.com/2011/06/14/technology/14security.html
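The missing check, shown beside its fix, as an added example that is not from the slides and has nothing to do with Citi's actual code. The data store, session table, account numbers and handler names are all constructed; the point is that authentication (the login page) and authorization (does this account belong to this session?) are separate checks, and the second one is the one that was absent.

```python
# Constructed data store: account number -> details, plus the session -> user
# mapping that the login page establishes. Names and values are made up.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 5200.00},
    "1002": {"owner": "bob", "balance": 310.75},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def account_page_vulnerable(session_id, url_account_no):
    """The pattern behind the breach: the user is authenticated, but the
    handler trusts the account number in the URL and never asks whether it
    belongs to this user."""
    if session_id not in SESSIONS:
        return {"status": 401}
    details = ACCOUNTS.get(url_account_no)
    if details is None:
        return {"status": 404}
    return {"status": 200, "account": url_account_no, "balance": details["balance"]}


def account_page_fixed(session_id, url_account_no):
    """Object-level authorization: the account named in the URL must be owned
    by the session's user. Unowned and nonexistent accounts both get 404, so a
    client editing the URL cannot even learn which account numbers exist."""
    user = SESSIONS.get(session_id)
    if user is None:
        return {"status": 401}
    details = ACCOUNTS.get(url_account_no)
    if details is None or details["owner"] != user:
        return {"status": 404}
    return {"status": 200, "account": url_account_no, "balance": details["balance"]}


def accounts_for_session(session_id):
    """Stronger design: derive the account list from the session instead of
    accepting an account number from the client at all."""
    user = SESSIONS.get(session_id)
    if user is None:
        return None
    return sorted(no for no, d in ACCOUNTS.items() if d["owner"] == user)


def detect_probing(access_log, threshold=3):
    """Detection: one session requesting many distinct account numbers is the
    signature of someone editing the URL. access_log is a list of constructed
    (session_id, url_account_no) pairs; returns the offending session ids."""
    seen = {}
    for sid, acct in access_log:
        seen.setdefault(sid, set()).add(acct)
    return sorted(sid for sid, accts in seen.items() if len(accts) >= threshold)
```

`account_page_fixed` keeps the URL shape the slide describes and adds the ownership check; `accounts_for_session` removes the client-controlled identifier altogether, which is the change that makes the whole class of bug impossible rather than merely caught.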

Seeding the Random Number Generator

•  Random numbers are generated by a PRSG
•  The PRSG needs to be fed an initial value called the seed.
•  If the seeds are equal, the random numbers generated are the same.

Bitcoin Theft

•  Random numbers are used to generate secret keys and make Bitcoin transactions
•  If an attacker steals the random number, bitcoins are stolen
•  Android's Java SecureRandom API forgot to seed the PRSG in certain cases. The seed was initialized to 0. Random numbers can then be predicted, and keys can then be stolen

https://bitcoin.org/en/alert/2013-08-11-android
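As an added example covering both the seeding slide and the Bitcoin slide (not from the slides, and not Android's or Bitcoin's code): a deterministic PRSG "seeded" with a fixed value hands every device the same key, while drawing from the OS entropy source does not. Python's `random.Random` stands in for the Java PRSG here; `KEY_BYTES`, the device counts and the `find_duplicate_keys` input are constructed for the example.

```python
import random
import secrets

KEY_BYTES = 32   # size of a secp256k1 private key, the kind a Bitcoin wallet holds


def key_from_prng(seed):
    """Simulates the faulty path: a deterministic PRNG (Python's Mersenne
    Twister standing in for the Java PRSG) seeded with a fixed value.
    Same seed in, same 'secret' key out, on every device."""
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def key_from_os_entropy():
    """The corrected path: draw the key straight from the OS entropy source.
    The secrets module never needs, and never accepts, a caller-supplied seed."""
    return secrets.token_bytes(KEY_BYTES)


def distinct_keys_with_fixed_seed(n_devices, seed=0):
    """How many distinct keys do n devices running the buggy code produce?"""
    return len({key_from_prng(seed) for _ in range(n_devices)})


def distinct_keys_with_os_entropy(n_devices):
    return len({key_from_os_entropy() for _ in range(n_devices)})


def find_duplicate_keys(public_material):
    """Audit step: given constructed (owner, key) pairs harvested from wallets
    or certificates, return the keys that appear under more than one owner.
    A duplicate means the generator behind those owners is not random."""
    owners = {}
    for owner, key in public_material:
        owners.setdefault(key, set()).add(owner)
    return {k: sorted(o) for k, o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    print(distinct_keys_with_fixed_seed(1000))   # 1: every device has the same key
    print(distinct_keys_with_os_entropy(1000))   # 1000
```

The second number is the outcome to expect from any key generator: with 256-bit keys, two honest devices colliding is not a realistic event, so a single duplicate found by `find_duplicate_keys` is by itself evidence of a seeding defect.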

Program Bugs That Can be Exploited (Most Common Vulnerability)

•  Buffer overflows
–  In the stack
–  In the heap
–  Return-to-libc attacks
•  Double frees
•  Integer overflows
•  Format string bugs