What is Security?

Cryptography and Network Security

Cryptography

What is Security?

1 Security is
a state of being free from fear or danger.
(danger in the form of attacks)

2 Security is
OAkin
ensuring that “all desired assurances” are met

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Security in the Digital World

1 Systems that deal with information in the form of bits

2 Any digital information system is a set of processes that
manipulate bits/data-items
3 What are some “desired assurances?”
4 Where do we start?
1 Information system processes should be correct (bug free).
OAkin
2 Computers that execute processes should be “secure”
(Computer Security)
3 Interactions between processes should be “secure” (Network
Security)

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Active and Passive Approaches

1 Active approaches: (identify, and evade/isolate/neutralize

attacks)
What is the result of an attack?
Modern tools: AI (ML, pattern recognition/matching),
hypervisors, some cryptography, good programming practices
···
Impractical to identify every source of threat / danger.
OAkin Unending evolutionary arms race between attacks and defenses.
2 Passive approaches:
check if we are meeting our goals

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Passive Approaches

1 Check correctness of information system processes

System State-Transition Models
2 Check that computer security goals are met
Dynamic access control models (BLP, HRU, etc.)
3 Check that communication security goals are met
OAkin
Confidentiality, privacy, integrity, authenticity, non-repudiability

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Active vs Passive

1 Active approaches are based on attack models (constantly

evolving model of attacks)
2 Passive approaches based on system models (what the system
must do; it does not change if the system is implemented in
Linux or Windows, or Python or C#)
3 Indirectly active approaches also attempt to guarantee
“desired assurances”
OAkin
They operate under the premise that deviation of system from
normalcy is due to attacks.
4 We need both. Why?

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Active Measures for Home Safety

1 install a Schlage deadbolt on your door

2 a sophisticated home security system monitored by ADT
3 get a Doberman Pinscher.

OAkin

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Basis for Security

1 Any feeling of security that results from such steps stems from

1 some assumptions: the integrity of Schlage lock / monitoring

system / your guard dog, etc.
2 a good strategy to make use of the assumptions to design and
deploy a security solution.
2 How reasonable are the assumptions?
OAkin
3 Is the design correct? Was the deployment done properly?
(Can you think of things that can go wrong?)

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Shaky Basis :(

1 Not practical to objectively quantify the strength of

assumptions.
1 A Schlage lock may not pose too much of a problem for expert
lock-pickers.
2 anyone may have had the opportunity to make a copy of the
key
3 or hack into a database maintained by Schlage to get the
OAkin specifications for a key for the lock, or bribe an employee, · · ·
2 Difficult to assess correctness of deployment/design

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Active Measures for Computer/Network Security

1 Good intrusion detection systems

2 Explicit strategies for blocking access (firewalls, password
protection)
3 smart security professionals in the blue team
4 Lot of investment in detecting/removing bugs
5
OAkin good process isolation to contain attacks (containers, VMs)
6 Do these measures also rely on a shaky basis?

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Network Security

1 How do you secure a network?

1 Like the Internet
2 We only want to secure interactions over a network
3 We are not trying to provide physical security
2 We want to secure different types of interactions over a
OAkin network

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Secure Interactions

1 Two types of interactions

1 Unicast (single sender, single receiver)
2 Broadcast (single sender, multiple receiver)
3 (What about Multicast? We will not worry about that in this
course)
2 Secure Interactions? in general, receiver of a message (over
the network) should be confident of
OAkin
1 integrity : the message was not modified in transit,
2 origin : who sent the message? and
3 privacy (only for unicast) : no one else except the sender is
privy to the contents of the message

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Where does Cryptography come in?

1 Cryptography is a toolbox with sophisticated tools

1 Cryptography provides some highly reliable assumptions
(strength of cryptographic primitives)
2 and some cool strategies (cryptographic protocols)
2 We will use the assumptions and strategies to provide a solid
OAkin basis for securing interactions.

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

A Useful Perspective

1 Trust and Trust-Amplification

2 Assumptions = trust
3 Strategies = trust amplification
4 For example, trust in lock and key can be amplified to realize
trust in all contents of a home
5 Loosely speaking,
1 assumption = integrity of key & lock = integrity of
OAkin
cryptographic key and cryptographic primitive
2 strategy = whatever we do to use the lock = cryptographic
protocols
6 The essence of cryptography: trust in a small amount of
data (cryptographic key) can be amplified to realize
trust in an unlimited amount of data-items

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Cryptography

1 Literal meaning: secret writing

2 Modern cryptography is so much more. Deals with
1 construction of cryptographic primitives (tools),
2 quantitative analysis of the strengths of cryptographic
primitives, and
3 protocols to effectively utilize the tools1.
3 The tools/primitives are deterministic cryptographic
algorithms.
1 encryption/decryption algorithms (like DES, AES, RSA),
hashing algorithms (like MD5SUM, SHA-1, SHA-2, SHA-3),
OAkin
2

and
3 digital signature algorithms (like DSA, RSA).
4 The tools serve as building blocks for constructing
cryptographic protocols
1
This is our main focus
Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Cryptographic Algorithms

1 Two broad categories:

1 Symmetric: composed of repetitive simple operations on small
bit-strings — operations like bit-wise logical operations,
addition, and rotation / permutation of bits.
2 Asymmetric: composed of modular addition and multiplication
operations involving large numbers.
2 Symmetric algorithms traditionally used for encryption and
decryption: both encryption and decryption use the same key.
OAkin
3 Asymmetric algorithms use two different keys — a private key,
and a public key.
4 Hashing algorithms do not use secret keys; constructed very
similar to symmetric algorithms

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Symmetric Algorithms

1 Symmetric Encryption/Decryption:
1 a pair of functions C = E(P, K ) and P = D(C, K )
2 strength depends only on the length of the key
2 Hash Functions:
1 d = H(M);
2 d is a fixed size digest (or hash or image) and
OAkin 3 M is a message (or pre-image) of any size.
4 strength depends only on the size of the digest

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Asymmetric Algorithms

1 Key pair generation:

1 Randomly choose private key R
2 U = fkeygen(R) is the public key
2 Encryption/decryption
1 C = Et(P, U) Encryption (uses public key of intended receiver
of the message)
2 P = Dt(C, R) Decryption (receiver of message uses his/her
private key to decrypt)
3
OAkin
Signing/Verification
1 Σ = fSign (M, R) (signer uses private key to compute signature)
2 b = fver (M, U, Σ) (verifier checks that message and public key
are consistent with signature.
3 b is TRUE/FALSE)

Dan Boneh
 What is Security?
Cryptography and Network Security
Cryptography

Scope of This Course

1 Symmetric Cryptography
1 Symmetric encryption/decryption
2 Hashing
2 Asymmetric Cryptography
1 Encryption/Decryption
2 Signatures
3 Key Distribution/Establishment
4 Identify types of Internet interactions to be secured
OAkin
5 Interactions in different layers - MAC, Network, Transport,
Application
6 Network security protocols
7 Some active security mechanisms not based on cryptography

Dan Boneh
 Control Hijacking

Control Hijacking:
Defenses
Dan Boneh
 Recap: control hijacking attacks
Stack smashing: overwrite return address or function pointer
Heap spraying: reliably exploit a heap overflow
Use after free: attacker writes to freed control structure,
which then gets used by victim program
Integer overflows
Format string vulnerabilities

⋮ Dan Boneh
 The mistake: mixing data and control
• An ancient design flaw:
– enables anyone to inject control signals

• 1971: AT&T learns never to mix control and data

Dan Boneh
 Control hijacking attacks
The problem: mixing data with control flow in memory

local ret
SFP arguments
variables addr

stack frame
data overwrites
return address

Later we will see that mixing data and code is also the
reason for XSS, a common web vulnerability
Dan Boneh
 Preventing hijacking attacks
1. Fix bugs:
– Audit software
• Automated tools: Coverity, Infer, … (more on this next week)
– Rewrite software in a type safe languange (Java, Go, Rust)
• Difficult for existing (legacy) code …

2. Platform defenses: prevent attack code execution Transform:

Complete Breach
3. Harden executable to detect control hijacking
– Halt process and report when exploit detected Denial of service
– StackGuard, ShadowStack, Memory tagging, …
Dan Boneh
Control Hijacking

Platform Defenses

Dan Boneh
 Marking memory as non-execute (DEP)
Prevent attack code execution by marking stack and heap as non-executable

• NX-bit on AMD64, XD-bit on Intel x86 (2005), XN-bit on ARM

– disable execution: an attribute bit in every Page Table Entry (PTE)
• Deployment:
– All major operating systems
• Windows DEP: since XP SP2 (2004)
– Visual Studio: /NXCompat[:NO]
• Limitations:
– Some apps need executable heap (e.g. JITs).
– Can be easily bypassed using Return Oriented Programming (ROP)
Dan Boneh
Examples: DEP controls in Windows

DEP terminating a program

Dan Boneh
 Attack: Return Oriented Programming (ROP)
Control hijacking without injecting code:

stack libc.so

args
ret-addr exec()
sfp printf()

local buf “/bin/sh”

Dan Boneh
 ROP: in more detail
To run /bin/sh we must direct stdin and stdout to the socket:
dup2(s, 0) // map stdin to socket
dup2(s, 1) // map stdout to socket
execve("/bin/sh", 0, 0);

execve("/bin/sh") dup2(s, 0) dup2(s, 1)

Gadgets in victim code: ret ret ret

Stack (set by attacker): overflow-str 0x408400 0x408500 0x408300

ret-addr
Stack pointer moves up on pop
Dan Boneh
 ROP: in even more detail
dup2(s,0) implemented as a sequence of gadgets in victim code:

0x408100 0x408200 0x408300 0x408400

5f pop rdi 5e pop rsi pop rax syscall
c3 ret c3 ret ret ret

Stack (by attacker):

overflow-str 0x408100 s 0x408200 0 0x408300 33 0x408400
ret-addr (rdi ⟵ s) (rsi ⟵ 0) (rax ⟵ 33)
syscall #33
Dan Boneh
 What to do?? Randomization
• ASLR: (Address Space Layout Randomization)
– Randomly shift location of all code in process memory
⇒ Attacker cannot jump directly to exec function
– Deployment: (/DynamicBase)
• Windows 7: 8 bits of randomness for DLLs
– aligned to 64K page in a 16MB region ⇒ 256 choices
• Windows 8: 24 bits of randomness on 64-bit processors
• Other randomization ideas (not used in practice):
– Sys-call randomization: randomize sys-call id’s
– Instruction Set Randomization (ISR) Dan Boneh
 ASLR Example
Booting twice loads libraries into different locations:

Note: everything in process memory must be randomly shifted

stack, heap, shared libs, base image
• Win 8 Force ASLR: ensures all loaded modules use ASLR Dan Boneh
 A very different idea: kBouncer (2012)

kBouncer
pop rdi pop rsi pop rax syscall kernel
ret ret ret ret

Observation: abnormal execution sequence

• ret returns to an address that does not follow a call

Idea: before a syscall, check that every prior ret is not abnormal
• How: use Intel’s Last Branch Recording (LBR)

Dan Boneh
 A very different idea: kBouncer

kBouncer
pop rdi pop rsi pop rax syscall kernel
ret ret ret ret

Inte’s Last Branch Recording (LBR):

• store 16 last executed branches in a set of on-chip registers (MSR)
• read using rdmsr instruction from privileged mode
kBouncer: before entering kernel, verify that last 16 rets are normal
• Requires no app. code changes, and minimal overhead
• Limitations: attacker can ensure 16 calls prior to syscall are valid
Dan Boneh
Control Hijacking Defenses

Hardening the
executable
Dan Boneh
 Run time checking: StackGuard
• Many run-time checking techniques …
– we only discuss methods relevant to overflow protection

• Solution 1: StackGuard
– Run time tests for stack integrity.
– Embed “canaries” in stack frames and verify their integrity
prior to function return.
Frame 2 Frame 1
top
local canary sfp ret str local canary sfp ret str of
stack
Dan Boneh
 Canary Types
• Random canary:
– Random string chosen at program startup.
– Insert canary string into every stack frame.
– Verify canary before returning from function.
• Exit program if canary changed. Turns potential exploit into DoS.
– To corrupt, attacker must learn current random string.

• Terminator canary: Canary = {0, newline, linefeed, EOF}

– String functions will not copy beyond terminator.
– Attacker cannot use string functions to corrupt stack.
Dan Boneh
 StackGuard (Cont.)

• StackGuard implemented as a GCC patch

– Program must be recompiled

• Minimal performance effects: 8% for Apache

Dan Boneh
StackGuard enhancement: ProPolice
• ProPolice - since gcc 3.4.1. (-fstack-protector)
– Rearrange stack layout to prevent ptr overflow.

String args
Growth ret addr Protects pointer args and local
SFP pointers from a buffer overflow

CANARY
Stack local string buffers
Growth local non-buffer variables pointers, but no arrays
copy of pointer args Dan Boneh
 MS Visual Studio /GS [since 2003]
Compiler /GS option:
– Combination of ProPolice and Random canary.
– If cookie mismatch, default behavior is to call _exit(3)
Function prolog: Function epilog:
sub esp, 8 // allocate 8 bytes for cookie mov ecx, DWORD PTR [esp+8]
mov eax, DWORD PTR ___security_cookie xor ecx, esp
xor eax, esp // xor cookie with current esp call @__security_check_cookie@4
mov DWORD PTR [esp+8], eax // save in stack add esp, 8

Enhanced /GS in Visual Studio 2010:

– /GS protection added to all functions, unless can be proven unnecessary
Dan Boneh
 Evading /GS with exception handlers
• When exception is thrown, dispatcher walks up exception list
until handler is found (else use default handler)

After overflow: handler points to attacker’s code

exception triggered ⇒ control hijack
Main point: exception is triggered before canary is checked
0xffffffff
SEH frame SEH frame

ptr to high
next handler buf next
next handler next handler mem
attack code
Dan Boneh
 Defenses: SAFESEH and SEHOP
• /SAFESEH: linker flag
– Linker produces a binary with a table of safe exception handlers
– System will not jump to exception handler not on list

• /SEHOP: platform defense (since win vista SP1)

– Observation: SEH attacks typically corrupt the “next” entry in SEH list.
– SEHOP: add a dummy record at top of SEH list
– When exception occurs, dispatcher walks up list and verifies dummy
record is there. If not, terminates process.

Dan Boneh
 Summary: Canaries are not full proof
• Canaries are an important defense tool, but do not prevent all
control hijacking attacks:
– Some stack smashing attacks leave canaries unchanged: how?
– Heap-based attacks still possible
– Integer overflow attacks still possible
– /GS by itself does not prevent Exception Handling attacks
(also need SAFESEH and SEHOP)

Dan Boneh
 Even worse: canary extraction
A common design for crash recovery:
• When process crashes, restart automatically (for availability)
• Often canary is unchanged (reason: relaunch using fork)
local
Danger:
⋯ buffer
AC A N A R Y
ret
addr
crash

• canary extraction local ret

byte by byte
⋯ buffer
BC A N A R Y
addr
crash

local ret
⋯ buffer C A N A R Y
addr
No crash

local ret
⋯ buffer C A N A R Y
addr
No crash
Dan Boneh
Similarly: extract ASLR randomness
A common design for crash recovery:
• When process crashes, restart automatically (for availability)
• Often canary is unchanged (reason: relaunch using fork)
local ret
Danger: ⋯ buffer
AC A N A R Y
addr
crash
Extract ret-addr to
local ret
de-randomize
code location
⋯ buffer BC A N A R Y
addr
crash

local ret
Extract stack ⋯ buffer C A N A R Y
addr
No crash
function pointers to local ret
de-randomize heap ⋯ buffer C A N A R Y
addr
No crash
Dan Boneh
 More methods: Shadow Stack
Shadow Stack: keep a copy of the stack in memory
• On call: push ret-address to shadow stack on call
• On ret: check that top of shadow stack is equal to
ret-address on stack. Crash if not.
• Security: memory corruption should not corrupt shadow stack

Shadow stack using Intel CET: (supported in Windows 10, 2020)

• New register SSP: shadow stack pointer
• Shadow stack pages marked by a new “shadow stack” attribute:
only “call” and “ret” can read/write these pages
Dan Boneh
ARM Memory Tagging Extension (MTE)
Idea: (1) every 64-bit memory pointer P has a 4-bit “tag” (in top byte)
(2) every 16-byte user memory region R has a 4-bit “tag”

Processor ensures that: if P is used to read R then tags are equal

– otherwise: hardware exception

Tags are created using new HW instructions:

• LDG, STG: load and store tag to a memory region (use by malloc and free)
• ADDG, SUBG: pointer arithmetic on an address preserving tags

Dan Boneh
Tags prevent buffer overflows and use after free
tags (4 bits): 8 BE BE BE 7 7 5 5
Example:
p p+48
16 bytes

(1) char *p = new char(40); // p = 0x B000 6FFF FFF5 1240 (*p tagged as B)
(2) p[50] = ’a’; // B≠7 ⟹ tag mismatch exception (buffer overflow)
(3) delete [] p; // memory is re-tagged from B to E
(4) p[7] = ‘a’; // B≠E ⟹ tag mismatch exception (use after free)

Note: out of bounds access to p[44] at (2) will not be caught.

Dan Boneh
Control Hijacking Defenses

Control Flow
Integrity (CFI)
Dan Boneh
 Control flow integrity (CFI) [ABEL’05, …]

Ultimate Goal: ensure control flows as specified by code’s flow graph

void HandshakeHandler(Session *s, char *pkt) {

...
s->hdlr(s, pkt)
}
Compile time: build list of possible call targets for s->hdlr
Run time: before call, check that s->hdlr value is on list

Coarse CFI: ensure that every indirect call and indirect branch
leads to a valid function entry point or branch target
Dan Boneh
Coarse CFI: Control Flow Guard (CFG) (Windows 10)

Coarse CFI:
• Protects indirect calls by checking against a bitmask of all valid
function entry points in executable

ensures target is
the entry point of a
function

Dan Boneh
Coarse CFI using EndBranch (Intel) and BTI (ARM)
New instruction EndBranch (Intel) and BTI (ARM):
⦚
• After an indirect JMP or CALL: call eax
the next instruction in the
instruction stream must be EndBranch
⦚
• If not, then trigger a #CP fault EndBranch
and halt execution
⦚
• Ensures an indirect JMP or CALL can only go add ebp, 4
to a valid target address ⇒ no func. ptr. hijack
⦚
(compiler inserts EndBranch at valid locations)
Dan Boneh
 CFG, EndBranch, BTI: limitations
Poor man’s version of CFI:
• Protects
• Doindirect calls byattacker
not prevent checking from
againstcausing
a bitmask of all valid
function entryto
a jump points in executable
a valid wrong function
• Hard to build accurate control
ensures target is
flow graph statically the entry point of a
function

Dan Boneh
 An example
void HandshakeHandler(Session *s, char *pkt) {
s->hdlr = &LoginHandler;
... Buffer overflow over Session struct ... Attacker controls
} handler

void LoginHandler(Session *s, char *pkt) {

bool auth = CheckCredentials(pkt);
s->dhandler = &DataHandler;
} Static
CFI: attacker can call
DataHandler to
void DataHandler(Session *s, char *pkt); bypass authentication
Dan Boneh
 Cryptographic Control Flow Integrity (CCFI)
(ARM PAC - pointer authentication)
Threat model: attacker can read/write anywhere in memory,
program should not deviate from its control flow graph

CCFI approach: Every time a jump address is written/copied anywhere in memory:

compute 64-bit AES-MAC and append to address
On heap: tag = AES(k, (jump-address, 0 ll source-address) )
on stack: tag = AES(k, (jump-address, 1 ll stack-frame) )

Before following address, verify AES-MAC and crash if invalid

Where to store key k? In xmm registers (not memory)

Dan Boneh
 Back to the example
void HandshakeHandler(Session *s, char *pkt) {
s->hdlr = &LoginHandler;
... Buffer overflow in Session struct ... Attacker controls
} handler

void LoginHandler(Session *s, char *pkt) { CCFI: Attacker cannot

bool auth = CheckCredentials(pkt); create a valid MAC for
DataHandler address
s->dhandler = &DataHandler;
}

void DataHandler(Session *s, char *pkt);

Dan Boneh
THE END

Dan Boneh