
Introduction to Computer Security

David Brumley
dbrumley@cmu.edu
Carnegie Mellon University
Today: Overview
Course Staff
Trusting Trust
Course Overview
Example Applications
Course Mechanics
CMU CTF Team

You will find
at least one error
on each set of slides. :)

David Brumley
B.A. Math, UNC, 1998
M.S. CS, Stanford, 2003
Ph.D. CS, CMU, 2008

Computer security officer, Stanford University, 1998-2002
Assistant Professor, CMU, Jan 2009

Current Research Thrusts
  Automatic Exploit Generation: AEG and Mayhem
  Scalable Malware Analysis: BitShred
  Binary code analysis: Decompilation
  Vetting whole systems

Trusting Trust

Do you trust his software?

Photo from http://culturadigitalbau.wikispaces.com/file/view/thompson.c1997.102634882.lg.jpg/212982274/thompson.c1997.102634882.lg.jpg
Ken Thompson
Co-Creator of
UNIX and C
Turing Award: 1983

Compiler: source in, 011001001111010 (binary) out

Compiler with Thompson's backdoor:

    ...
    if (program == login)
        add-login-backdoor();
    if (program == compiler)
        add-compiler-backdoor();
    ...

It still emits 011001001111010. Thompson's point: once the second rule is in the compiler binary, it re-inserts both backdoors every time the compiler is rebuilt, even from clean, audited source.
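The propagation step above, as an added example that is not part of the original slides: a toy model of Thompson's attack in which "binaries" are two flags and the "compiler" is a C function rather than a real compiler. It also shows the diverse double-compiling check (Wheeler's technique, not on the slide) that detects the trojan by rebuilding the compiler with an independent second compiler and comparing the results. The source strings and flag names are constructed for illustration.

```c
/* Added example, not from the slides: a toy model of Thompson's
 * "Reflections on Trusting Trust" attack, plus the diverse double-compiling
 * (DDC) check that detects it. A "binary" is modelled as two flags and
 * "source" as text; compile() is a C function standing in for a compiler. */
#include <stdio.h>
#include <string.h>

typedef struct {
    int login_backdoor;    /* binary accepts a hidden master password */
    int compiler_backdoor; /* binary re-inserts both backdoors whenever it compiles */
} binary_t;

/* Constructed source texts. Neither contains a backdoor: a source audit finds nothing. */
static const char CLEAN_LOGIN_SRC[]    = "int login(const char *user, const char *pw) { return check(user, pw); }";
static const char CLEAN_COMPILER_SRC[] = "binary_t compile(const char *src) { return translate(src); }";

/* What the compiler *binary* `cc` produces for `src`. An honest binary just
 * translates the source; a trojaned binary recognises the two interesting
 * programs and patches its output regardless of what the source says. */
binary_t compile(const binary_t *cc, const char *src)
{
    binary_t out = {0, 0};
    if (cc->compiler_backdoor) {
        if (strstr(src, "login(")   != NULL) out.login_backdoor    = 1;
        if (strstr(src, "compile(") != NULL) out.compiler_backdoor = 1;
    }
    return out;
}

/* The suspicious admin's remedy: rebuild the compiler from clean source,
 * using the compiler you already have. The trojan is a fixed point of this. */
binary_t rebuild_from_clean_source(binary_t cc, int rounds)
{
    for (int i = 0; i < rounds; i++)
        cc = compile(&cc, CLEAN_COMPILER_SRC);
    return cc;
}

/* Diverse double-compiling: compile the compiler source with the suspect
 * compiler A and with an independent trusted compiler B, then use each result
 * to compile the same source once more. With deterministic compilation the two
 * stage-2 outputs must be identical; any difference means one compiler lies. */
int ddc_detects_trojan(const binary_t *suspect, const binary_t *trusted)
{
    binary_t stage1_a = compile(suspect, CLEAN_COMPILER_SRC);
    binary_t stage1_b = compile(trusted, CLEAN_COMPILER_SRC);
    binary_t stage2_a = compile(&stage1_a, CLEAN_COMPILER_SRC);
    binary_t stage2_b = compile(&stage1_b, CLEAN_COMPILER_SRC);
    return memcmp(&stage2_a, &stage2_b, sizeof stage2_a) != 0;
}

int main(void)
{
    binary_t trojaned = {1, 1}, honest = {0, 0};
    binary_t rebuilt  = rebuild_from_clean_source(trojaned, 5);
    binary_t login    = compile(&rebuilt, CLEAN_LOGIN_SRC);
    printf("after 5 rebuilds from clean source: compiler backdoor=%d, login backdoor=%d\n",
           rebuilt.compiler_backdoor, login.login_backdoor);
    printf("DDC against an independent compiler flags it: %d\n",
           ddc_detects_trojan(&trojaned, &honest));
    return 0;
}
```

The model shows why reading source is not enough: the only defence that does not trust the existing binary is an independent second compiler (or a bootstrap from something small enough to verify by hand).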
Would you trust Mother Teresa's software?

Ron Rivest, Adi Shamir, Len Adleman

Surely cryptographers' code must be secure?

Picture from http://www.usc.edu/dept/molecular-science/RSA-2003.htm
Perfect Cryptography Exists! (Shannon's perfect secrecy, achieved by the one-time pad)

"We're no better off guessing what an encrypted message contains given the ciphertext."
- Claude Shannon

But implementations may still leak...

    message decrypt(ciphertext c, private_key k) {
        plaintext m;
        if (k == 1) { m = decryption ops taking time t1; return m; }
        if (k == 2) { m = decryption ops taking time t2; return m; }
        if (k == 3) { m = decryption ops taking time t3; return m; }
        ....
    }

(pseudocode: the running time depends on the key, so timing reveals the key even though the cipher itself is perfect)

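The timing leak in the sketch above, as an added example that is not from the slides: the same equality check written with an early exit (the leak) and in constant time (the fix). Work is counted in loop iterations as a deterministic stand-in for wall-clock time, and the sample secret is a constructed value.

```c
/* Added example, not from the slides: the same equality check written two
 * ways. leaky_compare() stops at the first mismatching byte, so its running
 * time reveals how many leading bytes of a guess are correct; an attacker
 * can then recover a MAC tag or key one byte at a time. ct_compare() does
 * the same work on every input. Work is counted in loop iterations, a
 * deterministic stand-in for wall-clock time. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample secret (think: the expected MAC tag of a message). */
static const uint8_t SAMPLE_SECRET[16] = {
    0x3a, 0x9f, 0x01, 0xc4, 0x77, 0x18, 0xe2, 0x5b,
    0xd0, 0x6c, 0x2e, 0x91, 0x45, 0xaa, 0x0f, 0x83 };

/* Vulnerable: early exit, which is exactly what memcmp()/strcmp() do. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *iters)
{
    *iters = 0;
    for (size_t i = 0; i < n; i++) {
        (*iters)++;
        if (a[i] != b[i])
            return 0;           /* time now depends on where the first wrong byte is */
    }
    return 1;
}

/* Hardened: fold every byte's difference into one accumulator. There is no
 * data-dependent branch, so the iteration count is always n. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *iters)
{
    uint8_t diff = 0;
    *iters = 0;
    for (size_t i = 0; i < n; i++) {
        (*iters)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Attacker's view: submit a guess that matches the first `correct_prefix`
 * bytes and is wrong at the next one, and observe the "time" of
 * leaky_compare(). The result is correct_prefix + 1: the time leaks how
 * much of the guess is right, so each byte costs at most 256 tries. */
size_t observed_time(const uint8_t *secret, size_t n, size_t correct_prefix)
{
    uint8_t guess[64];
    size_t iters;
    if (n > sizeof guess || correct_prefix >= n)
        return 0;
    memcpy(guess, secret, correct_prefix);
    for (size_t i = correct_prefix; i < n; i++)
        guess[i] = (uint8_t)(secret[i] ^ 0xff);   /* guaranteed wrong byte */
    leaky_compare(secret, guess, n, &iters);
    return iters;
}

int main(void)
{
    for (size_t k = 0; k < 4; k++)
        printf("guess matching %zu leading bytes: leaky_compare takes %zu steps\n",
               k, observed_time(SAMPLE_SECRET, sizeof SAMPLE_SECRET, k));
    return 0;
}
```

Real measurements are noisy, but noise only raises the number of samples an attacker needs; it does not remove the signal. The fix is to make the work independent of the secret, as ct_compare() does, and to compare MACs and tags only that way.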
Isn't this networking?
Routers run an operating system, which hackers now target.

Even GPS systems run
Webservers
FTP servers
Network time daemons

Security is many things

This Class: Introduction to the Four Research Cornerstones of Security
  Software Security
  Network Security
  OS Security
  Cryptography

Course Topics

Intro to Computer Security
  Software Security: Control Flow Hijack, Execution Safety, Information Flow
  Cryptography: Goals of Crypto, Stream Ciphers, Block Ciphers, Asymmetric Crypto, Authentication/Integrity
  OS Security: Common Defenses, Authorization, Security Architectures
  Network Security: Web Security, Denial of Service, Protocols, Intrusion Detection

Your job: become conversant in these topics

Software Security

Control Flow Hijacks

Classic overflow payload written into the stack buffer:

    | shellcode (aka payload) | padding | &buf |
      computation               control

Allow attacker the ability to run arbitrary code:
  Install malware
  Steal secrets
  Send spam

Software Security
  Recognize and exploit vulnerabilities: Format string; Buffer overflow; Gist of other control flow hijacks, e.g., heap overflow
  Understand defenses in theory and practice: ASLR; DEP; Canaries
  Know the limitations!

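The "shellcode | padding | &buf" layout and the canary defense from the two slides above, as an added example that is not from the slides: the stack frame is simulated in a byte array so the overwrite is well-defined C you can step through in gdb. Frame offsets, the "shellcode" bytes, the canary value and all addresses are constructed placeholders.

```c
/* Added example, not from the slides: the slide's stack picture as a
 * simulated frame in a byte array, so the overwrite is well-defined C.
 * Layout from low to high address, as on x86-64:
 *   buf[16] | canary[8] | saved frame pointer[8] | return address[8]
 * The payload is exactly the slide's picture: shellcode, padding, then &buf.
 * The "shellcode" bytes, canary value and addresses are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16
#define OFF_CANARY (BUF_SIZE)
#define OFF_FP     (OFF_CANARY + 8)
#define OFF_RET    (OFF_FP + 8)
#define FRAME_SIZE (OFF_RET + 8)

static const uint8_t FAKE_SHELLCODE[4] = { 0x90, 0x90, 0xcc, 0xc3 }; /* nop nop int3 ret */
#define CANARY_VALUE 0x0a00a6d8b3e7f100ULL   /* assumed per-process random value */

static uint64_t read_u64(const uint8_t *p)          { uint64_t v; memcpy(&v, p, 8); return v; }
static void     write_u64(uint8_t *p, uint64_t v)   { memcpy(p, &v, 8); }

/* A frame with a clean buffer, the canary and a legitimate return address. */
void frame_init(uint8_t *frame, uint64_t canary, uint64_t legit_ret)
{
    memset(frame, 0, FRAME_SIZE);
    write_u64(frame + OFF_CANARY, canary);
    write_u64(frame + OFF_FP, 0x7ffd1000ULL);    /* assumed saved frame pointer */
    write_u64(frame + OFF_RET, legit_ret);
}

/* shellcode | padding | &buf, sized so the last 8 bytes land on the return slot. */
size_t build_payload(uint8_t *out, size_t cap, uint64_t buf_addr)
{
    if (cap < FRAME_SIZE) return 0;
    memcpy(out, FAKE_SHELLCODE, sizeof FAKE_SHELLCODE);
    memset(out + sizeof FAKE_SHELLCODE, 'A', OFF_RET - sizeof FAKE_SHELLCODE); /* padding */
    write_u64(out + OFF_RET, buf_addr);          /* new return address: jump back into buf */
    return FRAME_SIZE;
}

/* Vulnerable: strcpy()-style copy into buf with no length check.
 * In this simulation the input may be up to FRAME_SIZE bytes. */
void vulnerable_copy(uint8_t *frame, const uint8_t *input, size_t len)
{
    memcpy(frame, input, len);
}

/* Fixed: bounded copy; refuses anything that does not fit in buf. */
int safe_copy(uint8_t *frame, const uint8_t *input, size_t len)
{
    if (len > BUF_SIZE) return 0;
    memcpy(frame, input, len);
    return 1;
}

uint64_t frame_ret(const uint8_t *frame) { return read_u64(frame + OFF_RET); }

/* The stack-protector epilogue check: 1 if the canary survived. */
int canary_ok(const uint8_t *frame, uint64_t canary)
{
    return read_u64(frame + OFF_CANARY) == canary;
}

int main(void)
{
    uint8_t frame[FRAME_SIZE], payload[FRAME_SIZE];
    uint64_t buf_addr = 0x7ffd0fd0ULL;                   /* assumed address of buf */
    frame_init(frame, CANARY_VALUE, 0x401136ULL);        /* assumed legitimate return address */
    size_t n = build_payload(payload, sizeof payload, buf_addr);
    vulnerable_copy(frame, payload, n);
    printf("return address now 0x%llx (&buf), canary intact: %d\n",
           (unsigned long long)frame_ret(frame), canary_ok(frame, CANARY_VALUE));
    return 0;
}
```

The limitations the slide warns about are visible in the model: the canary only catches a contiguous overwrite that crosses it (a write primitive that skips it, or a corrupted function pointer elsewhere, is not caught); ASLR makes the &buf value a guess rather than a constant; and DEP makes the bytes in buf non-executable, which is why real payloads moved to return-oriented programming.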
Cryptography

Everyday Cryptography
  ATMs
  On-line banking
  SSH
  Kerberos

    Alice ---- Public Channel: M ----> Bob

Adversary Eve: a very clever person.
Goal: turn the public channel into a "cryptonium pipe" that Eve cannot read or tamper with.

Cryptography's Goals:
  Data Privacy
  Data Integrity
  Data Authenticity

Goals
  Understand and believe you should never, ever invent your own algorithm
  Basic construction
  Basic pitfalls

OS Security

    Principal --requested operation--> Reference Monitor --approved operation--> Object
    (Source)                           (Guard)                                  (Resource)
       Authentication                    Authorization

In security, we isolate reasoning about the guard.

OS Security
  Authentication: Principles
  Authorization: Reference monitors; Access control lists
  Auditing
  Security Architectures: Virtual Machines; Software Fault Isolation

OS Goals
  Know Lampson's gold standard: Authorization, Authentication, Audit
  Know currently used security architectures

Network Security

Network Security
  Web Security
    XSS: Stored XSS; Reflected XSS
    SQL Injection: Basic syntax; Comments; Probes. Defense: Sanitization; Stored procedures
    CSRF: Attack. Defense: Referer Validation; Custom Header; Token validation
  Denial of Service Attacks: Bots; CDN
  Protocols: Kerberos; BGP
  Intrusion Detection: Stateful; Stateless; Base Rate

Networking Goals
  Understand the base rate fallacy and its application to IDS
  Be able to recognize and perform basic web attacks
  State what a DDoS is, and how CDNs mitigate their effect

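The base rate fallacy from the first goal, as an added example that is not from the slides: Bayes' rule for an intrusion detector, worked through in code. The rates are assumed for illustration (1 intrusion per 10,000 events, 99% detection, 1% false positives).

```c
/* Added example, not from the slides: the base-rate fallacy worked through
 * with Bayes' rule for an intrusion detector. All numbers are assumed for
 * illustration: 1 event in 10,000 is an intrusion, the IDS catches 99% of
 * intrusions (true positive rate, TPR) and flags 1% of benign events (false
 * positive rate, FPR). */
#include <stdio.h>

static double absd(double x) { return x < 0 ? -x : x; }

/* P(intrusion | alert) = TPR*b / (TPR*b + FPR*(1-b)), with b the base rate. */
double p_intrusion_given_alert(double base_rate, double tpr, double fpr)
{
    double true_alerts  = tpr * base_rate;          /* alerts on real intrusions */
    double false_alerts = fpr * (1.0 - base_rate);  /* alerts on benign events */
    return true_alerts / (true_alerts + false_alerts);
}

/* Expected false alarms per day for a given event volume: what the analyst
 * actually has to wade through. */
double false_alarms_per_day(double events_per_day, double base_rate, double fpr)
{
    return events_per_day * (1.0 - base_rate) * fpr;
}

/* The false positive rate an IDS needs so that a fraction `precision` of its
 * alerts are real at the given base rate: the formula above solved for FPR. */
double fpr_for_precision(double base_rate, double tpr, double precision)
{
    return tpr * base_rate * (1.0 - precision) / (precision * (1.0 - base_rate));
}

int main(void)
{
    double b = 1.0 / 10000.0, tpr = 0.99, fpr = 0.01;
    printf("P(intrusion | alert) = %.4f\n", p_intrusion_given_alert(b, tpr, fpr));
    printf("false alarms/day at 1e6 events: %.0f\n", false_alarms_per_day(1e6, b, fpr));
    printf("FPR needed for 50%% precision: %.6f\n", fpr_for_precision(b, tpr, 0.5));
    return 0;
}
```

With these numbers a "99% accurate" IDS is right about 1% of the time it fires, and at a million events a day it raises roughly ten thousand false alarms. The last function shows the practical consequence: at a base rate of 1 in 10,000, even one real alert in two requires a false positive rate near 1 in 10,000, which is why the base rate, not the detection rate, dominates IDS usefulness.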
Course Mechanics

Basics
  Pre-req: Basic UNIX development (gcc, gdb, etc.); 15-213 or similar is recommended
  Read all papers before lecture: Read, Underline, Question, Review
  Course website: http://www.ece.cmu.edu/~dbrumley/courses/18487-f13

Workload
  3 homework assignments
  3 exams, keep highest 2 grades
  The Coolest Bug day

The Coolest Bug
  Describe a classic old bug, or a new zero-day.
  Provide a 5-minute tutorial on the bug.
  Present to the class.
  Class votes (via a limited number of tokens) on the best.
  Encourage finding your own zero-days.

1996
  #1 Song: The Macarena | Spice Girls | Play Olympics | Windows 95 Reigned

Ping of Death!

ICMP and IP Packets
Max IP packet size = 65535 octets (2^16 - 1) (RFC 791)

    IP Packet: | 20 octets typical IP header | 8 octets ICMP header | 65507 octets data (65535-20-8) |

To process ICMP, I need to handle up to 65507 octets.

http://jobtrakr.com/2011/11/16/so-you-want-to-be-a-manager/
IP Fragmentation
One 4000-byte packet with a Maximum Transmission Unit (MTU) of 1500 gets fragmented into 3 packets, each with packet len <= MTU:

    length   ID   fragflag   offset   data octets
    4000     x    0          0        3980          (original packet)
    1500     x    1          0        1480
    1500     x    1          185      1480          (offset = 1480/8)
    1040     x    0          370      1020          (1040 - 20 header)

Ping of death

Attacker -> Victim
  1. Attacker sends fragments whose combined size exceeds the 65535-octet maximum
  2. Victim reassembles fragments into one big packet
  3. Victim copies large packet, exceeds buffer bounds, crashes

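The fragmentation arithmetic and the reassembly bug from the slides above, as an added example that is not from the slides: a function that fragments a 4000-byte packet for a 1500-byte MTU exactly as the table shows, and a reassembler written both without and with the bound that the 1996 hosts lacked. Headers are modelled as plain integers rather than a real IP header, and the host struct has a guard region after the buffer so the naive copy stays within one C object and the corruption can be observed rather than crashing.

```c
/* Added example, not from the slides: fragmenting a datagram the way the
 * slide shows, then reassembling fragments with the bound the 1996
 * ping-of-death hosts lacked. Headers are modelled as plain integers, not a
 * real IP header. The host struct puts a guard region after the reassembly
 * buffer so the naive copy stays inside one C object and the corruption can
 * be observed instead of crashing. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_LEN   20
#define IP_MAX_LEN   65535                     /* RFC 791: 16-bit total length */
#define IP_MAX_DATA  (IP_MAX_LEN - IP_HDR_LEN) /* 65515 octets after the header */
#define MAX_FRAGS    64

typedef struct {
    uint16_t total_len;   /* header + data octets in this fragment */
    uint16_t id;
    uint8_t  more_frags;  /* MF flag */
    uint16_t offset;      /* in 8-octet units */
} frag_t;

/* Split a datagram of total_len octets (header included) for the given MTU. */
int fragment(uint16_t total_len, uint16_t mtu, uint16_t id, frag_t *out, int cap)
{
    uint16_t data_left = (uint16_t)(total_len - IP_HDR_LEN);
    uint16_t per_frag  = (uint16_t)((mtu - IP_HDR_LEN) & ~7u); /* non-final fragments: multiple of 8 */
    uint16_t off = 0;
    int n = 0;
    while (data_left > 0 && n < cap) {
        uint16_t d = data_left > per_frag ? per_frag : data_left;
        out[n].total_len  = (uint16_t)(d + IP_HDR_LEN);
        out[n].id         = id;
        out[n].more_frags = data_left > d;
        out[n].offset     = off;
        off       = (uint16_t)(off + d / 8);
        data_left = (uint16_t)(data_left - d);
        n++;
    }
    return n;
}

typedef struct {
    uint8_t reasm[IP_MAX_DATA]; /* reassembly buffer for the largest legal datagram */
    uint8_t guard[64];          /* stands in for whatever the kernel keeps after it */
} host_t;

static host_t victim;           /* zero-initialised, so the guard starts clean */

void host_reset(host_t *h) { memset(h, 0, sizeof *h); }

/* 1 if something wrote past the reassembly buffer. */
int guard_corrupted(const host_t *h)
{
    for (size_t i = 0; i < sizeof h->guard; i++)
        if (h->guard[i]) return 1;
    return 0;
}

/* Vulnerable: copies wherever offset*8 says, as the 1996 kernels did. A final
 * fragment at offset 8189 (octet 65512) with 40 data octets ends at 65552. */
void naive_reassemble(host_t *h, const frag_t *f, const uint8_t *data)
{
    size_t start = (size_t)f->offset * 8, dlen = f->total_len - IP_HDR_LEN;
    memcpy((uint8_t *)h + start, data, dlen);    /* no check against IP_MAX_DATA */
}

/* Fixed: drop any fragment whose data would end beyond the maximum datagram. */
int safe_reassemble(host_t *h, const frag_t *f, const uint8_t *data)
{
    size_t start = (size_t)f->offset * 8, dlen = f->total_len - IP_HDR_LEN;
    if (f->total_len < IP_HDR_LEN || start + dlen > IP_MAX_DATA)
        return 0;                                /* this one check is the ping-of-death fix */
    memcpy(h->reasm + start, data, dlen);
    return 1;
}

int main(void)
{
    frag_t fr[MAX_FRAGS];
    int n = fragment(4000, 1500, 7, fr, MAX_FRAGS);
    for (int i = 0; i < n; i++)
        printf("len=%u MF=%u offset=%u\n", fr[i].total_len, fr[i].more_frags, fr[i].offset);
    uint8_t data[40]; memset(data, 0xaa, sizeof data);
    frag_t pod = { 60, 9, 0, 8189 };             /* constructed ping-of-death final fragment */
    host_reset(&victim);
    printf("safe accepts PoD fragment: %d\n", safe_reassemble(&victim, &pod, data));
    naive_reassemble(&victim, &pod, data);
    printf("naive corrupted memory after buffer: %d\n", guard_corrupted(&victim));
    return 0;
}
```

The check is on the reassembled position, not on any single fragment: every ping-of-death fragment is individually smaller than the MTU, which is exactly why per-packet length checks at the receiver did not help.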
"A few ICMPv6 packets with router advertisements requests can cause a denial-of-service vulnerability reminiscent of the famous "Ping of Death". It's a good illustration of how much we still do not know about the stability of IPv6. We continue to recommend turning off IPv6 on workstations if your network is not engineered for its use."

Basic Mechanics
Grading based on:
  3 homeworks (35%)
  Highest 2 out of 3 tests (30% each)
  Participation and coolest bug (5%)

No late days except under exceptional circumstances.

I guarantee at least the following:
  90-100%: A
  80-89%: B
  70-79%: C
  60-69%: D
  < 60%: F

Obey the law
Do not be a nuisance
Don't cheat, copy others' work, let others copy, etc.

One note
My wife will have a baby boy sometime this semester. This may affect the course.

Image credits: http://onyx-ii.com/srcstore/scripts/store/item.cfm?Item_Number=BE-STXLW-CD

Capture the Flag

CMU Capture the Flag Team

  Red Team: Vulnerability Discovery; Exploitation; Network mapping; Web security
  Blue Team: Intrusion detection; Hot-patching; Firewalls; Work-arounds

10,000 Students in 2,000 teams
(Size of circle proportional to number of teams)

Example: Network Forensics

PicoCTF
  10,000 students
  600 teams solving advanced problems: ROP attacks; Breaking incorrect use of modern crypto
  Identified the best of the best
  "I learned more in one week than the last two years in CS courses."
  If you get an A, you may be eligible to help with PicoCTF 2014

Questions?

END
Information Flow

    High In (e.g., password)      Low In (e.g., dictionary)
                \                      /
                        Program
                /                      \
    High Out                        Low Out

OK to mix: both inputs may flow to High Out.
NO mixing: nothing from High In may flow to Low Out!

Information Flow: how information moves

    Data Dependence    Control Dependence    Side Channel
    Assignment         if-then-else          Timing

Information Flow Goals
  What is safe and unsafe information flow?
  How is it calculated?
  Know the non-interference information flow property.

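The non-interference property, as an added example that is not from the slides: a program is modelled as a function from (high input, low input) to (high output, low output), and the property is checked by running the program on pairs of high inputs that differ and watching whether the low output changes. The three toy programs (explicit flow by assignment, implicit flow through a branch, and a safe one) and the password/dictionary framing follow the slide; the LCG and trial counts are assumptions.

```c
/* Added example, not from the slides: testing the non-interference property.
 * A program maps (high input, low input) to (high output, low output).
 * Non-interference: for a fixed low input, changing the high input must not
 * change the low output. Testing can only refute the property; proving it
 * needs a type system or static analysis, which is what the lecture covers. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t high; uint32_t low; } io_t;
typedef io_t (*program_t)(uint32_t high_in, uint32_t low_in);

/* Explicit flow (data dependence): the low output is assigned the secret. */
io_t prog_assign(uint32_t password, uint32_t dictionary)
{
    io_t out = { password ^ dictionary, password };   /* low = password */
    return out;
}

/* Implicit flow (control dependence): the low output is chosen by a branch
 * on the secret. A password checker does exactly this and leaks one bit. */
io_t prog_branch(uint32_t password, uint32_t dictionary)
{
    io_t out = { password, 0 };
    if (password == dictionary) out.low = 1; else out.low = 0;
    return out;
}

/* Safe: high flows only to high; the low output depends on low alone. */
io_t prog_safe(uint32_t password, uint32_t dictionary)
{
    io_t out = { password + dictionary, dictionary * 2 };
    return out;
}

/* Run p on `trials` pairs of differing high inputs with the same low input
 * (deterministic LCG, so it works offline), then on the one pair most likely
 * to expose a checker: the low input itself versus a neighbour.
 * Returns 0 as soon as a low output differs (property refuted), else 1. */
int noninterferent(program_t p, uint32_t low_in, int trials)
{
    uint32_t seed = 0x1234567u;
    for (int i = 0; i < trials; i++) {
        seed = seed * 1664525u + 1013904223u; uint32_t h1 = seed;
        seed = seed * 1664525u + 1013904223u; uint32_t h2 = seed;
        if (p(h1, low_in).low != p(h2, low_in).low)
            return 0;
    }
    return p(low_in, low_in).low == p(low_in + 1, low_in).low;
}

int main(void)
{
    printf("assign: %d\n", noninterferent(prog_assign, 42, 100));
    printf("branch: %d\n", noninterferent(prog_branch, 42, 100));
    printf("safe:   %d\n", noninterferent(prog_safe,   42, 100));
    return 0;
}
```

Note that the random trials alone miss the branch program: only the targeted pair (dictionary word equals password) exposes it, which is why implicit flows are the hard case and why the property is enforced by a type system rather than by testing. A real password checker is a deliberate, audited exception to the rule (declassification), not a refutation of it.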
Execution Safety

Trapped Errors: halt the computation immediately.
  ex: divide by zero; dereference (R/W) of an illegal address
Untrapped Errors: can go unnoticed until (possibly much) later.
  ex: buffer overflow; writing an integer into an array of strings

Safe Languages

A safe language has no untrapped errors.
(Untrapped errors can go unnoticed until (possibly much) later; ex: buffer overflow, writing a string into an integer.)

Languages are untyped or typed; typed languages are dynamically checked or statically checked (typechecking).

Execution Safety Goals
  State what type safety means.
  Read typing inference rules.
  Give examples of differences between type safety and security.
  State control flow integrity.
    Give examples of vulnerabilities protected by CFI
    Give examples of vulnerabilities not protected by CFI

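The last two goals, as an added example that is not from the slides: a coarse-grained control-flow integrity check placed in front of an indirect call, showing one hijack it stops (a corrupted pointer aimed at attacker data) and one it does not (a pointer redirected to a different but legitimate function). The widget, handlers and allowed-target table are constructed; the table stands in for the set of entry points a CFI-instrumented compiler would accept at this call site.

```c
/* Added example, not from the slides: coarse-grained control-flow integrity
 * as a runtime check before an indirect call. The table of allowed targets
 * stands in for the set of function entry points a CFI-instrumented compiler
 * would accept at this call site. Widget and handlers are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*handler_t)(int);

static int handler_add(int x)    { return x + 1; }
static int handler_double(int x) { return x * 2; }
static int handler_admin(int x)  { return -x; }   /* privileged; never intended for this site */

/* Every function whose address is taken as a handler_t: the CFI target set. */
static const handler_t VALID_TARGETS[] = { handler_add, handler_double, handler_admin };

/* Coarse CFI policy: the call may proceed only to a known function entry. */
int cfi_allowed(handler_t target)
{
    for (size_t i = 0; i < sizeof VALID_TARGETS / sizeof VALID_TARGETS[0]; i++)
        if (VALID_TARGETS[i] == target)
            return 1;
    return 0;
}

/* Heap object whose function pointer sits right after an overflowable name. */
typedef struct {
    char      name[16];
    handler_t on_event;
} widget_t;

/* What an overflow of name[] buys the attacker: a pointer value of their choice. */
void corrupt_pointer(widget_t *w, uintptr_t attacker_value)
{
    w->on_event = (handler_t)attacker_value;
}

/* The indirect call with the CFI check in front of it. Returns 1 and stores
 * the result if the call went through, 0 if CFI blocked it. */
int dispatch(const widget_t *w, int arg, int *result)
{
    if (!cfi_allowed(w->on_event))
        return 0;                 /* CFI violation: abort instead of jumping */
    *result = w->on_event(arg);
    return 1;
}

int main(void)
{
    widget_t w = { "button", handler_add };
    int r = 0, ok;
    ok = dispatch(&w, 5, &r);
    printf("legit handler:      ok=%d r=%d\n", ok, r);
    corrupt_pointer(&w, 0x41414141u);        /* into attacker data, not a function: blocked */
    ok = dispatch(&w, 5, &r);
    printf("pointer to payload: ok=%d\n", ok);
    w.on_event = handler_admin;              /* valid entry, wrong function: not blocked */
    ok = dispatch(&w, 5, &r);
    printf("pointer to admin:   ok=%d r=%d\n", ok, r);
    return 0;
}
```

Protected: return-address and function-pointer overwrites that point at shellcode, the heap, or the middle of a function. Not protected: redirecting to another valid target of the same type (which is what gives ROP-style attacks room under coarse CFI), and data-only attacks that never change control flow at all, such as overwriting an is_admin flag next to the pointer.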
