system security - te.ugm.ac.idte.ugm.ac.id/~wibirama/tif206/02/week14/security-presentation.pdf ·...
TRANSCRIPT
Security: why it’s very important Internet is now part our everyday life Important data transfer through internet Some people choose to be a bad people, take benefit from the others Therefore: system security, particularly internet security, is very important
aspect to be studied, even for non-IT student. How to learn:
understand how important security is know how security is threaten if itʼs possible, know how to do security threat (but youʼre not supposed
to use it for any illegal usage in real-life) know how to solve always do any important transaction with careful consideration
Protect ourselves, be aware to security threats
Today’s Discussion
The Security Problem
Program Threats
System and Network Threats
Cryptography as a Security Tool
SSL Implementation
Firewalling to Protect Systems and Networks
Video demo
The Security Problem
Security must consider external environment of the system, and protect the system resources
Intruders (crackers) attempt to breach security
Threat is potential security violation
Attack is attempt to break security
Attack can be accidental or intentional (malicious)
Easier to protect against accidental than malicious misuse
Security Violations Categories
Breach of confidentiality : unauthorized reading of data (CC fraud) Breach of integrity : unauthorized modification of data Breach of availability : unauthorized destruction of data (defacement) Theft of service : unauthorized use of resource Denial of service : preventing legitimate use of system
Methods Masquerading (breach authentication) Replay attack (malicious repeat of valid data transmission)
Message modification (privilege escalation, asking username or password using email, sent by ʻfakeʼ administrator)
Man-in-the-middle attack (ex. session hijacking)
Security Measure Levels Security must occur at four levels to be effective:
Physical: securing the computer or terminal access Human
social engineering phishing (kilkbca.com case, imitate klikbca.com) dumpster diving (digging the thrashed data, phonebook, etc.)
Operating System: protect the system from accidental security breaches
Network : data travels over shared lines like the internet, wireless connections, or dial-up lines. Data interception is as harmful as breaking into the computer
Program Threats Writing program to change the behavior of ʻprocessʼ Trojan Horse
Code segment that misuses its environment Exploits mechanisms for allowing programs written by users to be executed
by other users Spyware : stealing information from the target
Trap Door Created by the developer Specific user identifier or password that circumvents normal security
procedures Could be included in a compiler
Logic Bomb Program that initiates a security incident under certain circumstances
Stack and Buffer Overflow The most common security attack Exploits a bug in a program (overflow either the stack or memory buffers)
Stack or Buffer Overflow Bug observation :
Choose a program that uses system-wide privilege (example: network daemon, web server daemon, database server daemon)
Vulnerability searching: studying program manual, examining the code, trial and error, getting information from security forum, etc.
Writing program to do the following: Overflow an input field / command-line argument / input buffer until it
writes into the stack. Overwrite the current return address on the stack with the address of
the exploit code Write a simple set of code for the next space in the stack that includes
the commands that the attacker wishes to execute -- for instances: release a shell.
Result: executing shell using root privileges.
C Program with Buffer-overflow Condition#include <stdio.h>
#define BUFFER SIZE 10
int main(int argc, char *argv[])
{
char buffer[BUFFER SIZE];
if (argc < 2)
return -1;
else {
strcpy(buffer,argv[1]);
return 0;
}
}
What’s happened if I execute this program in linux?
Let see...
Modified Shell Code
#include <stdio.h>
int main(int argc, char *argv[])
{
execvp(‘‘\bin\sh’’,‘‘\bin \sh’’, NULL);
return 0;
}
Goal of buffer overflow:Replace the return address in the stack frame, so that it now points to the code segment containingthe attacking program
What program will be attacked/overflowed?The one that uses system-wide privileges (example: network-daemon, always run on rootprivilege
ModifiedShell-code
Attacked Stack Frame
Before attack After attack
./mybuff <modified shell code+NO_OP+address of modified shell code>
Program Threats (Cont.)
Viruses Self-replicating and infect other programs Code fragment embedded in legitimate program Very specific to CPU architecture, operating system, applications Usually borne via email or as a macro
Visual Basic Macro to reformat hard driveSub AutoOpen()
Dim oFS
Set oFS = CreateObject(’’Scripting.FileSystemObject’’)
vs = Shell(’’c:command.com /k format c:’’,vbHide)
End Sub
Program Threats (Cont.) Virus dropper inserts virus onto the system
Many categories of viruses, literally many thousands of viruses File Boot Macro Source code Polymorphic Encrypted Stealth Tunneling Multipartite Armored
System and Network Threats Program threat - use a breakdown in the protection mechanisms of a
system to attack a program System and network threats: involves the misuse of service and network
connections, ex.: network attack is used to launch program, or vice versa Worms – use spawn mechanism to attack system
Internet worm Exploited UNIX networking features (remote access) and bugs in finger
and sendmail programs Grappling hook program uploaded main worm program (see next picture)
Port scanning Automated attempt to connect to a range of ports on one or a range of IP
addresses (ex.: nmap or nessus)
Denial of Service Overload the targeted computer preventing it from doing any useful work Distributed denial-of-service (DDOS) come from multiple sites at once
Cryptography as a Security Tool When a computer is connected in the network, it receives bits from wire
with no immediate way to know what machine or application sent those bits.
Security manner: From the sender side: the message can be sent to unintended
computer in the network. How to ʻprotectʼ the message sent across the network?
From the receiver side: the message / request can be sent with fake or falsified IP address of the sender. How to decide whether OS can grant request when it cannot trust the named source of request?
Broadest security tool available Source and destination of messages cannot be trusted without
cryptography Means to constrain potential senders (sources) and / or receivers
(destinations) of messages Based on secrets (keys):
Receiver can verify messages using keys Sender can encode messages, only certain computer with keys can
decode
Encryption
From the sender perspective: constraining possible receiver Encryption algorithm consists of
Set of K keys Set of M Messages Set of C ciphertexts (encrypted messages) An encryption function E : K → (M→C). That is, for each k ∈ K, E(k) is a
function for generating ciphertexts from messages Both E and E(k) for any k should be efficiently computable functions
A decryption function D : K → (C → M). That is, for each k ∈ K, D(k) is a function for generating messages from ciphertexts Both D and D(k) for any k should be efficiently computable functions
Two kinds of encryption: symmetric and asymmetric Symmetric: same key is used to encrypt and decrypt, therefore
E(k) can be derived from D(k) and vice versa Asymmetric: different encryption and decryption key
Asymmetric Encryption
Public-key encryption based on each user having two keys: public key – published key used to encrypt data private key – key known only to individual user used to decrypt data
Must be an encryption scheme that can be made public without making it easy to figure out the decryption scheme Most common is RSA block cipher Efficient algorithm for testing whether or not a number is prime
RSA Asymmetric Cryptography
encryption and decryption key is computed from defined algorithm
message: 69ciphered: 62 public key ke = k5, 91
private key kd = k29, 91
Modulus based algorithm7mod3 = 18mod3 = 2
9mod2 = ......?11mod4 = ..... ?
Cryptography (Cont.)
Note symmetric cryptography based on transformations, asymmetric based on mathematical functions Asymmetric much more compute intensive Typically not used for large data encryption Much faster to compute symmetric algorithm Only for small data, ex: authentication
Other examples: digital signature, SSL, etc. (*more, you can refer to page 644 in file: security-updated.pdf )
More about cryptography theory and its mathematical implementation, join “Teori Penyandian” course with Bu Sri Suning Kusumawardhani.
Encryption Example - SSL Insertion of cryptography at one layer of the ISO network model (the
transport layer)
SSL – Secure Socket Layer
Cryptographic protocol that limits two computers to only exchange messages with each other Very complicated, with many variations
Used between web servers and browsers for secure communication (credit card numbers transaction, email, etc)
The server is verified with a certificate assuring client is talking to correct server
Asymmetric cryptography used to establish a secure session key (symmetric encryption) for bulk of communication during session
Communication between each computer then uses symmetric key cryptography
Firewalling to Protect Systems and Networks
A network firewall is placed between trusted and untrusted hosts The firewall limits network access between these two security
domains
Can be tunneled or spoofed Tunneling allows disallowed protocol to travel within allowed
protocol (i.e., telnet inside of HTTP) Firewall rules typically based on host name or IP address which
can be spoofed
Personal firewall is software layer on given host Can monitor / limit traffic to and from the host
Application proxy firewall understands application protocol and can control them (i.e., SMTP)
System-call firewall monitors all important system calls and apply rules to them (i.e., this program can execute that system call)
DEMO 1: TUNNELING
Some firewall block site that potentially harmful or take a large of bandwidth consumption
In this part, I will demonstrate you how to bypass firewall by tunneling. Note that this demonstration is for educational purpose only. I will not be responsible for any misuse of this demonstration.
In this tutorial, a blockage of firewall is represented by a blocking policy from our proxy server. Site blocked: http://wibirama.com (this is my blog, actually)
What is tunneling?
Tunneling (also called port forwarding) is a method to bypass a blocked/restricted TCP application connection through another allowed TCP application. Example: bypassing a blocked HTTP (port: 80) connection through SSH (port:22) connection (SSH = Secure Shell, similar as telnet but itʼs encrypted)
In this demonstration, a remote computer is used as a proxy to connect to http://wibirama.com. We use port 22 from our terminal to access remote computer, and use that computer to browse the internet
Scenario I will connect to remote machine : ilab.te.ugm.ac.id using SSH client
application. Normally, SSH application (port:22) is not blocked as itʼs usually only used by network administrator.
The remote machine acts like SSH server, with bind address: 127.0.0.1:1080
The browser in laptop accesses the targeted server (wibirama.com), but it firstly jumps to the remote machine.
DEMO 2: Sniffing using Wireshark Wireshark: network analyzer software for Windows, Linux, and Mac. You
can download it for free: http://wireshark.org/
It can ʻsniffʼ data and extract TCP stream, which is transferred between all connected clients and gateway server.
All data, including, username, password, your personal information, credit card number will be easily revealed if they are not encrypted
Wireless network is easy to be sniffed
DEMO 2: Sniffing using Wireshark Sniffing username and password from FTP connection FTP server on local network: 192.168.0.105
FTP client on local network: 192.168.0.106 If you are on a wireless network, you should be able to “stand”
between the client and the server, then use wireshark to extract information (remember man-in-the-middle attack)
There are so many aspects in network security to be learned. If you
want to find more, you can do ‘googling’ by this keyword:
Certified Ethical Hacker
Useful resource (1)
http://www.securityfocus.com/