Introduction to Computer Security

Transcription

1 Introduction to Computer Security Instructor: Mahadevan Gomathisankaran CSCE 4550/5550, Fall 2009 Lecture 7 1

2 Projects Groups Max 3 persons Topics Cryptography Network Security Program Security Operating System Security Types Analysis Implementation CSCE 4550/5550, Fall 2009 Lecture 7 2

3 Projects Reports Should be comprehensive Introduce the problem and your results (solution/analysis) Survey the existing approaches/solutions Provide analysis/implementation Compare your analysis/implementation Conclude Due on 12/04/09 5 PM Presentations Last 2 classes 15 minutes per group CSCE 4550/5550, Fall 2009 Lecture 7 3

4 Info Sharing Model Source: William Stallings, Cryptography and N/w Security, 4 th ed. CSCE 4550/5550, Fall 2009 Lecture 7 4

5 Network Layers Layered Model: Each layer uses only the layer directly below it Benefit: Different issues to address at different levels of abstraction OSI Model Data Unit Layer Function Example (Internet) Host Layers Data 7. Application Network process to application HTTP, FTP, SMTP ( ) 6. Presentation Data representation and encryption 5. Session Interhost communication Media Layers Segment 4. Transport End-to-end connections and reliability Packet 3. Network Path determination and logical addressing TCP, UDP IP (Internet Protocol) Frame 2. Data Link Physical addressing Transmission media (ethernet, token ring, Bit 1. Physical Media, signal and binary ) transmission CSCE 4550/5550, Fall 2009 Lecture 7 5

6 Link Layer Topology Bus Ring Hub/Concentrator Or Crossbar/switch Star Tree CSCE 4550/5550, Fall 2009 Lecture 7 6

7 Link Layer Issues Contention: More than one party wants to transmit over a single medium at the same time Possible resolution strategies Time-division multiplexing Examples: Multiple voice calls on a T1, call-in concentrator Round-robin access Example: Token ring Collision detection Different re-transmit strategies (e.g., exponential backoff) Ethernet both hub/concentrator and wireless CSCE 4550/5550, Fall 2009 Lecture 7 7

8 Link Layer Ethernet Original Ethernet bus topology: Shared medium All systems on a LAN see all traffic Usually ignore all but to them (based on MAC addr) However: Interfaces can be put into promiscuous mode Ethernet evolution 1: Hubs Star topology, but all traffic still to all hosts Ethernet evolution 2: Switches star/tree topology Switch remembers which MAC addresses are connected to which ports, and sends traffic only to addressed host CSCE 4550/5550, Fall 2009 Lecture 7 8

9 Networking Layers Source: Wikipedia CSCE 4550/5550, Fall 2009 Lecture 7 9

10 IPv4 Packet Vers: 4 IHL ToS Total Length ID (for fragmentation) Flags Fragment Offset TTL Protocol Header Checksum IP Source Address IP Destination Address Options (usually empty) Data CSCE 4550/5550, Fall 2009 Lecture 7 10

11 IP Layer Network (IP) layer concerned with addressing and routing Current version of IP protocol: IPv4 Addresses are 32-bit values IP addresses are for interfaces, not computers Given as 4 bytes in dotted notation (e.g., ) CSCE 4550/5550, Fall 2009 Lecture 7 11

12 IP Layer IPv4 Addresses divided into network and host parts Class Octet Range N/w ID Host ID # of N/ws # of Hosts A 0xxxxxxx a b.c.d B 10xxxxxx a.b c.d C 110xxxxx a.b.c d Class C example: is net addr, 48 is host addr Hosts w/same network addrcan talk directly to each other (LAN) Net address notations: Subnet mask: / Net addr bitcount: /24 See with /sbin/ifconfig in Unix/Linux ; ipconfig in Windows Private Addresses Start End No. of addresses 24-bit Block (/8 prefix, 1 x A) ,777, bit Block (/12 prefix, 16 x B) ,048, bit Block (/16 prefix, 256 x C) ,536 Next generation IP: IPv6 Addresses are 128-bit values huge address space CSCE 4550/5550, Fall 2009 Lecture 7 12

13 Address Resolution Problem: Ethernet works on MAC addresses (doesn t understand IP) IP works on IP addresses (doesn t understand Ethernet) How do we get a packet to the right host on a LAN/subnet? Answer: The Address Resolution Protocol (ARP) Example: Host wants to send to But! Only knows IP address, not MAC address So: Broadcasts an ARP message on Ethernet saying Who has ? responds with I have My MAC is 00:02:2d:9a:27:72 Now sends over Ethernet to this MAC CSCE 4550/5550, Fall 2009 Lecture 7 13

14 ARP Performance: Hosts keep an ARP Table of known IP address <-> MAC mappings Doesn t have to ask if MAC address known Updates table with each I have a.b.c.d message Expires mappings regularly (in case IP moves) In Windows: arp a [root@host ~]# arp -n Address HWtype HWaddress Flags Mask Iface ether 00:D0:B7:BA:A6:D2 C eth ether 00:08:20:30:37:FC C eth ether 00:02:B3:B5:20:23 C eth ether 00:D0:B7:93:14:E4 C eth0 ARP spoofing: To sniff on a switched Ethernet Attacker (on same LAN) sends out I have a.b.c.d messages for target machine (or all machines!) Packets then sent to the attacker rather than the destination (which could be the gateway router) Attacker can then forward packets so no disruption just monitoring CSCE 4550/5550, Fall 2009 Lecture 7 14

15 ARP - Defenses Static ARP tables Sensitive subnets should use static ARP tables Mappings don t expire Mappings are hard-coded to be genuine by the administrator Not perfect: MAC address spoofing still possible! Use higher layer information DHCP snooping Possible future directions: A better solution is still an unresolved research issue Some suggest authenticated ARP Uses digital signatures (PK Crypto), so slow and ARP needs to be very low overhead! CSCE 4550/5550, Fall 2009 Lecture 7 15

16 Subnet to Subnet Comm Router lives on multiple subnets Local address on each Can be more than 2 NICs / subnets Routing tables say what goes where See with /sbin/route in Linux/Unix See with route print in Windows Sample simplified host routing table: Destination Gateway Genmask Iface eth eth0 Sample simplified router routing table: Destination Gateway Genmask Iface eth eth eth /23 subnet Router /24 subnet CSCE 4550/5550, Fall 2009 Lecture 7 16

17 Threats to Network Protocol Flaws Human related errors Eg. TCP connection TCP Connection Eve guesses Seq. # c 1. Seq. # C 2. Seq. # C + Seq. # S 3. Seq. # S Client Server CSCE 4550/5550, Fall 2009 Lecture 7 17

18 Threats to Network Impersonation Instead of taking the risk of physical attack, pretend to be a legal n/w user Guessing Use previous comm. Info Paralyze authentication system Choose a non-authenticated target Choose a target w/ well known authentication info CSCE 4550/5550, Fall 2009 Lecture 7 18

19 Threats to Network Threats to Authentication Guessing: Default passwords Eavesdropping / Wiretapping Password length Some OSs bypass password comparison if buffer is full Non-existent authentication Unix.rlogin for trusted users and.rhosts for trusted hosts Well-known Authentication SNMP (System N/w Management Protocol) attacks to its community string CSCE 4550/5550, Fall 2009 Lecture 7 19

20 Threats to Network Trusted authentication.rhosts,.rlogin, /etc/hosts/equiv files for trusted hosts Spoofing: An attacker pretends to be one legal party in n/w communication. 3 types: Masquerade: Host pretends to be another. Eg: URL confusion, Phishing, overwrite websites Session Hijacking: Intercept and continue a session already initiated by a legal user. Man-in-the-Middle Attack: Start from the beginning: initiate a session and listen to and even fabricate new messages illegally CSCE 4550/5550, Fall 2009 Lecture 7 20

21 Threats to Network Alice Key Server Bob MIM SYMMETRICAL 1. Alice asks key server for a secret key to communicate with Bob 2. Key server sends a key to Alice and Bob. 3. MIM intercepts this key and decrypts every further communication ASYMMETRICAL 1. MIM intercepts Alice s key request for Bob s public key. 2. MIM sends Alice his (not Bob s) public key 3. Alice sends every message to Bob by encrypting MIM s public key 4. MIM can decrypt every message coming from Alice 5. MIM encrypts decrypted messages with Bob s public key and sends them to Bob CSCE 4550/5550, Fall 2009 Lecture 7 21

22 Threats to Network Message Confidentiality Threats Misdelivery Exposure Traffic flow analysis Message Integrity Threats Falsification of messages Noise Format failures Mis-formed packets Protocol failures and implementation flaws CSCE 4550/5550, Fall 2009 Lecture 7 22

23 Threats to Network Server Vulnerabilities Web Site defacement Ability to view source code Buffer overflow Application Code Errors Change price to be paid by simply playing w/ address line Server-side include: Manipulate the fact that web pages can be arranged to call a function automatically. Execute telnet CSCE 4550/5550, Fall 2009 Lecture 7 23

24 Threats to Network Denial of Service (Source: Wikipedia) 1. Consumption of computational resources, such as bandwidth, disk space, or processor time 2. Disruption of configuration information, such as routing information. 3. Disruption of state information, such as unsolicited resetting of TCP sessions. 4. Disruption of physical network components. 5. Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. CSCE 4550/5550, Fall 2009 Lecture 7 24

25 Threats to Network Denial of Service Connection flooding: Make use of Internet protocols Echo-Chargen: Chargen is a stream of packets to test n/w cap. Sample attack: Generate packets in host X w/ echo packets as destin. host Y (or X) to create indefinite (self) loop Ping of Death: Saturate the destin. Host s bandwidth cap. Smurf: Broadcasting ping attack as is coming from a legal n/w host CSCE 4550/5550, Fall 2009 Lecture 7 25

26 Threats to Network Syn Flood: Based on TCP 1. SYN 2. SYN + ACK Source 3. ACK Destination SYN_RECV queue Source sends many SYN requests but never sends corresponding ACKs to fill up SYN_RECV queue of destination. Teardrop: Play w/ the IP datagram fragments length. CSCE 4550/5550, Fall 2009 Lecture 7 26

27 Threats to Network Traffic Redirection: Attack on routers DNS (Domain Name Server): Play w/ resolving domain name Distributed DoS: Malicious party attacks to n/w w/ Trojan on multiple targets, i.e. zombies Threats in Active (Mobile) Code: Mobile code is the code executed by the client Cookies: data object stored in memory to remember user Scripts: Initiate actions on the server directly GCI (Common Gateway Interface) scripts and ASP (Active Server Pages) Autoexec by Type: Executable code under innocent extension Bots: Malicious code controlled remotely CSCE 4550/5550, Fall 2009 Lecture 7 27