Security. Principles of Security Design. Morris Worm [Robert Morris, Jr] Trojan Horse [Ken Thompson] Stack Smashing.

Size: px

Start display at page:

Download "Security. Principles of Security Design. Morris Worm [Robert Morris, Jr] Trojan Horse [Ken Thompson] Stack Smashing."

Anne Rogers
6 years ago
Views:

Principles of Security Design Ensure: secrecy, integrity, availability Security CSCI 334 Stephen Freund Least Privilege [Saltzer

inserts Trojan horse code to steal passwords when source code for login program is compiled B.

attack Recompiling doesn't help Morris Worm [Robert Morris, Jr] that spreads across Internet and "lives forever" Find new

$org/wiki/robert_tappan_morris Stack Smashing void readname(file *socket) { char str[512]; fgets(socket, str); Stack Smashing void$

readname(file *socket) { char str[512]; fgets(socket, str); Send name "asd3242398csedh1" Overwrite past end of str Replace RA

1 Principles of Security Design Ensure: secrecy, integrity, availability Security CSCI 334 Stephen Freund Least Privilege [Saltzer & Schroeder 75] Small Trusted Computing Base (TCB) Trojan Horse [Ken Thompson] Create compiler binary that: A. inserts Trojan horse code to steal passwords when source code for login program is compiled B. inserts code to do (A) and (B) whenever source code for compiler is compiled Source code for login and compiler have no signs of attack Recompiling doesn't help Morris Worm [Robert Morris, Jr] that spreads across Internet and "lives forever" Find new computers on Internet Break into them Copy source code, compile it, start running it, and hide tracks. Breaking in: password guessing buffer overrun in fingerd bug in sendmail Stack Smashing void readname(file *socket) { char str[512]; fgets(socket, str); Stack Smashing void readname(file *socket) { char str[512]; fgets(socket, str); Send name "asd csedh1" Overwrite past end of str Replace RA with address of code to perform malicious operation str control link socket return address Send name "asd csedh1" Overwrite past end of str Replace RA with address of code to perform malicious operation evil code control link socket return address 1

2 Context Has Changed TCB Connections Sys Admins Vendors Delivery Update freq. Small Isolated Skilled Few Physical Seldom Update size Executables Whole Large Apps Sensitive Data Local HD Huge Pervasive Net You and Me Many Electronic Constant Small parts , scripts, Active/X, Javascript, plugins, Pretty much everywhere Stakes are High Personal privacy, identity theft, ransom-ware GoogleDocs Phishing Many major companies/organizations attacked in last two years JCPenny, Target, HomeDepot, Anthem, IRS, Ashley Madison, Tesla, power utilities Orange is the New Black Episodes Virus in Chinese Takeout Menu PDF Stakes are High Attacks against business, news, govt. agencies by governments and other entities, 28- Sony, Anonymous: RIA/MPAA, ISIS, PRISM: NSA breaches Google, Facebook, Apple, Stuxnet. North Korea missile program. 216 US Election, 217 French Election "Operation Aurora", South Ossetia War, 28 Georgia systematically hacked news / radio before attacking How to Prevent Attacks From Active Content Attach Social Stigma Educate Users Disable active content, disconnect from Web Virus Scanning Code Signing Virus Scanning Virus Known Virus Definition Patterns Norton Antivirus: antivirus/ Virus Scanner match found ok 2

3 Code Signing (But first Public-Key Crypto) Code Signing Shilo's private key M Encrypt E(M,priv) (certified program) Used in certificates too (eg: X.59) E(M,priv) M Steve's Inbox Signature Checking Shilo's public key # M Decrypt Does M match M'? yes: Shilo signed the code no: Shilo did not sign the code M'=D(#,pub) How to Prevent Attacks Attach Social Stigma Educate Users Disable active content, disconnect from Web Virus Scanning Code Signing Language-Based Least Privilege Sandbox Security Model Virtual Machine Sandbox applet Virtual Machine Sandbox security manager runtime library security policy files printer monitor Granting Privileges to Principals Local security policy file: java.policy grant CodeBase " { permission java.io.filepermission "/home/data" "read", "write" Scoping applet network Type system grant CodeBase " { permission java.io.filepermission "/tmp" "read", "write" 3

4 Security Manager Methods checkread checkwrite checklisten checkconnect Run-time system calls these methods prior to every resource access. Stack Inspection Permission depends on: calling method (based on principals) all methods above it on stack void open(string s) { SecurityManager.checkRead(); LocalClass.f() LocalClass.g() open("log") Stack Inspection Stack Inspection Permission depends on: calling method (based on principals) all methods above it on stack LocalClass.f() LocalClass.g() Permission depends on: calling method (based on principals) all methods above it on stack SomeApplet.run() SomeApplet.sneaky() Two Basic principals: SYSTEM UNTRUSTED open("log") Two Basic principals: SYSTEM UNTRUSTED open("/etc/passwd") Stack Inspection (Example 2) Stack Inspection (Example 2) Applet.run() { loadfont("times") open("times") Applet.run() { loadfont("times") open("times") public Font loadfont(string s) { setpriviledged(); input.open(s); 4

5 Stack Inspection (Example 2) Stack Inspection (Example 2) Applet.run() { 1 loadfont("times") open("times") public Font loadfont(string s) { setpriviledged(); input.open(s); Applet.run() { showdialog("passwd") showdialog("passwd") 1 loadfont("passwd") open("passwd") Type Safety: Verifier Java Compiler Bytecode Java Bytecodes Java: Bytecode: Verify types for bytecodes Does stack top have two integers? YES! Does field i exist for object on stack? Java Bytecodes Coming Soon to JavaScript: WebAssembly! Proof-Carrying Code Java: Java Compiler Bytecode Bytecode: safety proof S 3 =int::int::α S 4 =int::α proof checker S 4 =int::a::β A has field "int i" S 5 =β YES! 5

6 Java Bytecodes "Proof:" S=[] S=A::[] S=int::A::[] S=int::int::A::[] S=int::A::[] S=[] R =A R 1 =int R =A R 1 =int R =A R 1 =int R =A R 1 =int R =A R 1 =int R =A R 1 =int Post-Mortem Audit logs Look for anomalous behavior Reconstruct failures, prevent in future OpenSSL attack (214?) buffer overrun divulged information from server no audit log --- can't tell who was actually hacked 6

The Java Language Implementation

CS 242 2012 The Java Language Implementation Reading Chapter 13, sections 13.4 and 13.5 Optimizing Dynamically-Typed Object-Oriented Languages With Polymorphic Inline Caches, pages 1 5. Outline Java virtual