CS 161 Computer Security


Paxson Spring 2017
CS 161 Computer Security
Discussion 12
Week of April 24, 2017

Question 1 Detection strategies (20 min)

Suppose you are responsible for detecting attacks on the UC Berkeley network, and can employ host-based monitoring (a HIDS) that can inspect the keystrokes that users enter during their shell sessions. One particular attack you are concerned with is malicious modification or deletion of files in the directory /usr/oski/config/.

(a) One method of detection is called signature matching. This involves looking for particular well-defined patterns in traffic that are known to represent malicious activity. Give a couple of examples of signatures you can use to detect these attacks. What are some limitations of this approach?

Solution: Example signatures:

1. Look for the string /usr/oski/config/ in requests
2. Look for rm -rf
3. Wait until a particular attack occurs. Afterwards, look for the same packets as occurred during that attack.

Problems with this approach:

1. It is prone to false positives, as it lacks context. It could be that access to /usr/oski/config occurs frequently for benign reasons, and without ensuing modifications. Similarly, users might often use rm -rf to manipulate directories other than the one you're observing.
2. It can be prone to false negatives or evasion. For example, an attacker could issue cd /usr/oski; cd config followed by rm -f -r . and easily evade detection.
3. If you only create signatures based on known (= previously seen) attacks, then the approach is purely reactive; if you're looking for a threat unique to your site, you cannot inoculate yourself from it until you have suffered it. On the other hand, (1) if the threat is one faced by other sites, they might have written signatures for it after having experienced it, and (2) one can adapt signature technology to write vulnerability signatures (signatures that match a known potential problem, rather than a known specific attack), which can be proactive.
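The false positives and the false negative described in part (a), run over constructed keystroke lines. This is an added example, not part of the original worksheet; the detector functions, the starting directory /home/user and the sample sessions are assumptions made for illustration.

```python
import posixpath
import re
import shlex

PROTECTED = "/usr/oski/config"

# Signatures 1 and 2 from the solution, applied to raw keystroke lines.
NAIVE_SIGNATURES = [re.compile(re.escape(PROTECTED)), re.compile(r"\brm -rf\b")]


def naive_alerts(session):
    """Return every line that matches a raw-string signature."""
    return [line for line in session
            if any(sig.search(line) for sig in NAIVE_SIGNATURES)]


def contextual_alerts(session, cwd="/home/user"):
    """Alert only when an rm target resolves to a path inside PROTECTED.

    Follows `cd` to track the working directory and ignores how the rm
    flags are spelled. Assumption: commands are literal cd/rm separated by
    ';' (aliases, scripts, globbing and symlinks are not modelled).
    """
    alerts = []
    for line in session:
        for command in line.split(";"):
            argv = shlex.split(command)
            if not argv:
                continue
            if argv[0] == "cd" and len(argv) > 1:
                cwd = posixpath.normpath(posixpath.join(cwd, argv[1]))
            elif argv[0] == "rm":
                targets = [posixpath.normpath(posixpath.join(cwd, arg))
                           for arg in argv[1:] if not arg.startswith("-")]
                if any(t == PROTECTED or t.startswith(PROTECTED + "/")
                       for t in targets):
                    alerts.append(line)
    return alerts


# Constructed sample sessions (one string per line typed at the shell).
BENIGN = ["ls /usr/oski/config/", "rm -rf /tmp/build"]
EVASIVE = ["cd /usr/oski; cd config", "rm -f -r ."]  # sequence from problem 2

if __name__ == "__main__":
    print("naive / benign session :", naive_alerts(BENIGN))
    print("naive / evasive session:", naive_alerts(EVASIVE))
    print("ctx   / benign session :", contextual_alerts(BENIGN))
    print("ctx   / evasive session:", contextual_alerts(EVASIVE))
```

The raw signatures flag both benign lines and miss the split cd/rm sequence; resolving the target path removes both errors for this input, but only within the modelling assumptions stated in the docstring.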

(b) Another approach is to search for behaviors. Instead of looking for known attacks, the detector might use knowledge of the system to look for suspicious sets of actions. Give two examples of host-based behavioral detection. Be specific as to how your examples differ from signature matching that looks for known attacks. What are some problems with this approach?

Solution: Examples:

1. Look for changes to files in /usr/oski/config/ after multiple attempts at logging in as root. Here, rather than looking for a specific attack we're looking for a pattern associated with likely-attack activity.
2. Don't even look for attacks; look for related suspicious activity indicative of a compromise. For example, look for login sessions that immediately issue rm commands, based on knowledge that benign users don't start off their sessions by removing files, but those who want to mess with Oski very well might. This approach can potentially detect a wide range of compromises for which the attacker obtains login access to the target system.

Issues:

1. Relies on the assumption that benign users will very rarely exhibit the behavior we key off of.
2. While potentially more general than signature matching, can still miss a wide range of attacks that don't happen to include (or for which the attacker consciously avoids including) the behavior for which we monitor.

(c) Suppose now we aim to detect modifications to any files in /usr/oski/config/ using the following procedure. Each night, we run a cron job that checksums all of the files in the directory using a cryptographically strong hash like SHA256. We then compare the hashes against the previously stored ones and alert on any differences. (This scheme is known as "Tripwire.") Discuss issues with false positives and false negatives.

Solution: False positives can occur any time that the files are changed for a legitimate purpose.
Given a single change to a file, false negatives should not be a direct problem: due to the properties of a hash function like SHA256, if an attacker makes any modification to a file, the hash will change; they will not be able to find any alternative value for the file that yields the same hash.

However, if the attacker gains administrative privileges then they could modify the OS to return the old content of the file whenever the nightly job runs; or modify the nightly job directly to always report nothing has changed; or modify the stored hashes to reflect the new content of the file.

In addition, if the attacker makes a change to the file to their benefit, but then changes the file back prior to the run of the nightly job, then they will escape detection (false negative).

(d) Continuing the previous scenario, suppose the attacker was able to subvert the operating system. Can you think of a procedure (which might be expensive in terms of labor) by which an operator could still detect the modified files?

Solution: Here's one approach that has been used in practice. The hashes aren't stored locally but instead on a remote system (which prevents the attacker from tampering with them). When the operator wants to check a file system, they shut down the suspect machine and remove the disk, mounting it on a separate system (with a presumably trustworthy OS) for comparison. Alternatively, the operator could insert a boot disk into the suspect machine and boot off of read-only media (assuming the attacker cannot alter the low-level boot sequence) and use that alternative OS for the validation procedure.

Another approach used in practice is for the security analyst to copy a self-contained environment providing key system diagnosis tools over to the compromised system. This is unsound if the modified OS detects its presence and subverts its operation, but often can provide benefit in practice because the subverted kernel in fact does not particularly look for it; the approach hinges on the assumption that rootkits exclusively mess with the installed toolchain and do not bother with such custom environments. The busybox environment, for example, provides numerous tools that replace classic targets for subversion, such as ls, ps, find, grep, mount, ifconfig, and many more.

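A minimal version of the nightly checksum comparison from parts (c) and (d), run over three constructed "nights". This is an added example, not part of the original worksheet and not the Tripwire tool's own code; the function names, file names and file contents are assumptions, and a temporary directory stands in for /usr/oski/config/.

```python
import hashlib
import os
import tempfile


def snapshot(directory):
    """Map each file's path (relative to `directory`) to its SHA-256 digest."""
    digests = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, directory)] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario; the baseline is assumed to be kept off-host."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "oski.conf")
        write(cfg, b"mascot=bear\n")
        baseline = snapshot(d)

        # Night 1: the change is still in place when the job runs.
        write(cfg, b"mascot=tree\n")
        results["persistent_change"] = compare(baseline, snapshot(d))

        # Night 2: the file was changed and restored between two runs.
        write(cfg, b"mascot=bear\n")
        results["reverted_change"] = compare(baseline, snapshot(d))

        # Night 3: a legitimate admin edit plus a new file.
        write(cfg, b"mascot=bear\ncolor=gold\n")
        write(os.path.join(d, "new.conf"), b"x=1\n")
        results["legitimate_change"] = compare(baseline, snapshot(d))
    return results


if __name__ == "__main__":
    for night, diff in demo().items():
        print(night, diff)
```

The reverted change produces an empty diff (the false negative from part (c)), and the legitimate edit is indistinguishable from an attack (the false positive). For the procedure in part (d), the same `snapshot` would be run from the trusted system against the mounted suspect disk.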
Question 2 Detecting Web Attacks (15 min)

At this year's annual Grasses For The Masses home & garden convention, in beautiful Fairfax, California, the startup Lazer Lawns (which specializes in producing so-juicy-looking-you-just-wanna-eat-it artificial turf) experienced a live SQL injection attack from the audience while showcasing their new high-end collection of silver-ionized heat-repellent blades. What a disaster! After firing the organizer of the event and hiring a CS161-educated security expert, Grasses For The Masses now plans to install a NIDS that watches the free WiFi next year. Moreover, Lazer Lawns has learned the hard way to make sure they have a HIDS [1] protecting their assets. As a potential advisor to either Grasses For The Masses or Lazer Lawns, consider some prevalent web attacks: XSS (both reflected and stored) and SQL injection.

[1] Given they have to demo their software in many different environments, they've learned that they shouldn't rely on being able to employ a NIDS, hence their emphasis on using a HIDS.

(a) For each attack, devise one or more concrete strategies based on signature, behavioral, anomaly, or specification-based detection. Include a discussion of false positives and false negatives.

Solution:

XSS. In order to detect reflected XSS, one can look for <script> tags in the URL of HTTP GET requests. Since there exist a multitude of different encodings and syntactic variations (as well as other contexts in which a reply will be interpreted as JavaScript), this signature-based scheme is particularly vulnerable to evasion and may exhibit a high number of false negatives.

In principle, one could detect stored XSS by inspecting the body of HTTP POST requests for script content (that is, detect the injected script when it is uploaded, rather than when the server subsequently sends it to the victim). Again, one might scan for <script> tags, with the same considerations as above likewise applying.

Also in principle one can detect reflected XSS by looking for substrings in HTTP requests that reappear in HTTP replies. This approach however may have significant false positives, depending on the structure of the web service.

SQL injection. One might consider employing specification-based detection, where the specification requires only a constrained set of characters (which do not include any SQL meta-characters) from appearing in requests that the server receives. The effectiveness of this approach will depend on whether the specification is viable, i.e., doesn't rule out any legitimate traffic that the server needs to support. It also depends on the ability to correctly identify the constrained set and whether it indeed suffices to prevent an attacker from constructing a successful SQL injection.

(b) Explain whether a network-based or host-based deployment approach makes more sense for your devised detection strategy (or if it doesn't really matter).
Does the deployment angle have an effect on your detection rates?

Solution: In each attack scenario, if Lazer Lawns employs HTTPS it makes more sense to deploy as a HIDS because the NIDS at Grasses For The Masses will not have the private key to decrypt and inspect the HTTP traffic. In addition, a HIDS will not face as many issues regarding evasion threats as a NIDS, because it analyzes information right at the potential victim.

In some cases, a HIDS can leverage a richer understanding of the application data. For example, a database could parse an SQL query and provide the resulting Abstract Syntax Tree (AST) to a detection module that determines whether continuing is safe. This approach also has the advantage of avoiding ambiguities at the network level, such as the retransmission-based evasion we looked at in lecture.

Question 3 Detection Tradeoffs (15 min)

Suppose that $S$ is a network-based intrusion detector that works by passively analyzing individual UDP and TCP packets. Suppose that $A$ is a host-based intrusion detector that is a component of the browser that processes and analyzes individual URLs before they are loaded by the browser. Suppose $S$ has false positive rate $S_P$ and false negative rate $S_N$, and $A$ has false positive rate $A_P$ and false negative rate $A_N$.

Your company decides to build a hybrid scheme for detecting malicious URLs. The hybrid scheme works by combining scheme $S$ and scheme $A$, running both in parallel on the same traffic. The combination could be done in one of two ways. Scheme $H_E$ would generate an alert if for a given network connection either scheme $S$ or scheme $A$ generates an alert. Scheme $H_B$ would generate an alert if both scheme $S$ and scheme $A$ generate an alert for the same connection. (Assume that there is only one URL in each network connection.)

(a) Assuming that decisions made by $S$ and $A$ are well-modeled as independent processes, and ignoring any concerns regarding evasion, what can you say about the false positives and false negatives of $H_B$ and $H_E$? In terms of $S_P$, $S_N$, $A_P$, $A_N$, what are the false positive and false negative rates for $H_B$ and $H_E$?

(b) If deploying the hybrid scheme in a new environment, is one of $H_E$ and $H_B$ clearly better? If so, which one, and why? If not, what environment parameters would help determine whether $H_E$ or $H_B$ is better?

Solution:

(a) The key insight here is that alarms by $H_B$ will be a subset of the alarms generated by $H_E$. Since $H_B$ will generate fewer alarms for non-malicious activities, it will have fewer false positives. On the other hand, because it generates fewer alarms, it will likely miss more malicious activity, leading to more false negatives.
The false positive rate for $H_E$ would be $S_P + A_P - S_P A_P$, and for $H_B$ would be $S_P A_P$. Similarly, the false negative rate for $H_E$ would be $S_N A_N$ and for $H_B$ would be $S_N + A_N - S_N A_N$.

(b) In the absence of more data, particularly the cost of false positives and false negatives, as well as the rate of malicious and non-malicious activity, it is impossible to make a definitive decision. Increasing the cost of false positives, and the rate of non-malicious activity, favors scheme $H_B$. Increasing the cost of false negatives, and the rate of malicious activity, favors scheme $H_E$.
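The rates in part (a) derived by enumerating the joint outcomes of the two independent detectors, followed by the expected-cost comparison that part (b) says decides between the schemes. This is an added example, not part of the original worksheet; the per-connection cost model and all numeric values are assumptions chosen for illustration.

```python
from itertools import product


def hybrid_rates(s_p, s_n, a_p, a_n):
    """FP/FN rates of H_E (either alerts) and H_B (both alert), obtained by
    summing over the four joint outcomes of independent detectors S and A."""
    rates = {"H_E": {"fp": 0.0, "fn": 0.0}, "H_B": {"fp": 0.0, "fn": 0.0}}
    for s_alert, a_alert in product([True, False], repeat=2):
        # Probability of this outcome on a benign connection.
        p_benign = (s_p if s_alert else 1 - s_p) * (a_p if a_alert else 1 - a_p)
        # On a malicious connection a detector alerts with probability 1 - FN.
        p_malicious = ((1 - s_n) if s_alert else s_n) * \
                      ((1 - a_n) if a_alert else a_n)
        decisions = {"H_E": s_alert or a_alert, "H_B": s_alert and a_alert}
        for scheme, alerts in decisions.items():
            if alerts:
                rates[scheme]["fp"] += p_benign      # alert on benign traffic
            else:
                rates[scheme]["fn"] += p_malicious   # silence on an attack
    return rates


def expected_cost(rate, base_rate, cost_fp, cost_fn):
    """Expected cost per connection; base_rate is the malicious fraction."""
    return ((1 - base_rate) * rate["fp"] * cost_fp
            + base_rate * rate["fn"] * cost_fn)


def better_scheme(s_p, s_n, a_p, a_n, base_rate, cost_fp, cost_fn):
    """Return the name of the cheaper hybrid and the cost of each."""
    rates = hybrid_rates(s_p, s_n, a_p, a_n)
    costs = {name: expected_cost(r, base_rate, cost_fp, cost_fn)
             for name, r in rates.items()}
    return min(costs, key=costs.get), costs


# Constructed detector characteristics (S_P, S_N, A_P, A_N).
DETECTORS = dict(s_p=0.02, s_n=0.30, a_p=0.05, a_n=0.20)

if __name__ == "__main__":
    print(hybrid_rates(**DETECTORS))
    # Attacks rare and misses moderately costly.
    print(better_scheme(**DETECTORS, base_rate=1e-4, cost_fp=1, cost_fn=100))
    # Attacks more common and misses very costly.
    print(better_scheme(**DETECTORS, base_rate=1e-2, cost_fp=1, cost_fn=1000))
```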
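For Question 2(a), the three detection strategies from the solution applied to constructed requests, showing where each one errs. This is an added example, not part of the original worksheet; the allowed character set, the minimum reflected length, the shop.example URLs and the reply body are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Specification (assumed): values may contain only these characters,
# none of which is an SQL meta-character.
ALLOWED_VALUE = re.compile(r"[A-Za-z0-9 _.@-]*")


def _params(url):
    """Decoded (name, value) pairs from the query string."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def spec_violations(url):
    """Specification-based: parameters whose decoded value leaves the spec."""
    return [n for n, v in _params(url) if not ALLOWED_VALUE.fullmatch(v)]


def script_tag_params(url):
    """Signature-based: parameters whose decoded value contains '<script'."""
    return [n for n, v in _params(url) if "<script" in v.lower()]


def reflected_params(url, response_body, min_len=8):
    """Reflection check: parameters whose decoded value reappears verbatim
    in the reply. Short values are skipped to limit chance matches."""
    return [n for n, v in _params(url)
            if len(v) >= min_len and v in response_body]


# Constructed samples.
BENIGN_SEARCH = "http://shop.example/search?q=synthetic+turf+rolls"
BENIGN_REPLY = "<p>Results for synthetic turf rolls</p>"
BENIGN_NAME = "http://shop.example/account?name=Conan+O%27Brien"
ENCODED_TAG = "http://shop.example/search?q=%3CScript%3Edemo()%3C%2Fscript%3E"

if __name__ == "__main__":
    # A search page that echoes the query trips the reflection check.
    print("reflection FP :", reflected_params(BENIGN_SEARCH, BENIGN_REPLY))
    # A legitimate surname with an apostrophe violates the specification.
    print("spec FP       :", spec_violations(BENIGN_NAME))
    # Matching the raw URL text misses the percent-encoded, mixed-case tag;
    # matching the decoded value does not.
    print("raw match     :", "<script" in ENCODED_TAG.lower())
    print("decoded match :", script_tag_params(ENCODED_TAG))
```

The apostrophe case is the viability concern raised in the SQL injection paragraph: a specification strict enough to exclude SQL meta-characters also rejects traffic the server must accept.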