
Cybersecurity

- Attacks and Security Services -


Outline
• Types of Attacks
• Network Attacks
• Hijacking
• Security services and Framework

UOB - Fall 2021-22 CPEN341 - C. Mokbel 2




Types of Attacks
• Attacks can target:
– Hardware
– Network
– System
– Applications
– Users themselves
• An attacker can be an insider or an outsider



Types of Attacks
• Hardware attacks
– Observation attacks
• Side-channel analysis (SCA) uses physical measurements such as timing, power consumption or electromagnetic emissions to compromise standard cryptosystems
– Perturbation attacks
• Modification of physical parameters (power glitches, clock glitches, laser pulses, electromagnetic pulses, …) to obtain incorrect behavior
• Chip-dependent attacks
– Hardware-targeted software attacks, e.g.:
• Rowhammer attack, which flips memory bits by repeatedly reading or writing a neighbouring cell
• Perturbation generated in a multicore processor using Dynamic Voltage and Frequency Scaling (DVFS)



Types of Attacks
• Network threats
– Attacks against the Domain Name System (DNS)
• Denial of Service by flooding the service with a huge number of queries
• Poisoning or spoofing the DNS cache
– Attacks against the Border Gateway Protocol (BGP)
• Forge a false BGP response in order to hijack further traffic
• BGP routing information is geostrategic: it helps in identifying and understanding attacks
– Encryption by default and mass surveillance attacks
• Google search
– Man in the middle
– Denial of Service



Types of Attacks
• System and Application attacks
– Malicious software (malware)
• Damages, destroys or denies service to systems
• Includes
– Viruses: propagate with human help
– Worms: self-propagating malware
– Trojan horses: malware claiming a benign purpose
– Logic bombs: malicious code placed in software and triggered by the attacker
– Backdoors: hidden bypass of system authentication
– Denial of Service: attackers flood a service, making it unavailable
– Buffer overflow
– Timing attack: explores the contents of the Web browser's cache to create a malicious cookie
Types of Attacks
• Human factor
– Social engineering and phishing
• Convincing users to perform an action
• Phishing aims at obtaining sensitive information
– Lack of awareness and users' errors
– Manipulating users and public opinion
• Publishing fake news





Network Attacks
• IP Spoofing Attack
[Figure: IP spoofing attack (Source: Wikipedia)]



Network Attacks
• Denial of Service Attack (DoS)
• Distributed DoS (DDoS)
[Figure: DoS and DDoS attacks (Source: Wikipedia)]



Network Attacks
• Man-in-the-Middle Attack
– ARP cache poisoning
– DNS Spoofing
– Session Hijacking



Network Attacks
• ARP Cache Poisoning



Network Attacks
• DNS Spoofing
– Man in the middle
• Intercept communications between users and the DNS server and spoof a wrong reply so as to redirect to a different/malicious IP address
– DNS server compromise
• Hijack the DNS server and configure it to return a malicious IP address





Network Attacks
• Session Hijacking
– Stealing the session token (cookie), e.g. by
• Infecting the user's device with malware
• A cross-site scripting attack: uploading a script into a webpage that forces the victim's browser to send the session cookie to a server of the attacker's choosing





Hijacking
• Hijacking aims at taking control of a target
machine
• Examples
– Buffer overflow
– Integer overflow



Buffer Overflow
• Practically every worm unleashed on the Internet has exploited a buffer overflow vulnerability
– Since the Morris worm
– A large percentage of CERT advisories are about buffer overflows
– Modern compilers inject additional code to protect against buffer overflows, but this is resource consuming
Buffer Overflow
[Charts: buffer overflow vulnerability statistics from the NVD, https://nvd.nist.gov/vuln/search/statistics]


Buffer Overflow
• Two ways to allocate memory in a C program:
– static: memory is allocated on the stack
– dynamic: memory is allocated on the heap at runtime
• A buffer overflow occurs when data is written into memory allocated on the stack with a size that exceeds the allocated memory



Buffer Overflow
• Assumptions:
– Stack grows down
• Intel, Sparc, Motorola
– Stack pointer points to the last address on the stack
[Figure: memory layout, from high to low addresses: Stack, Heap, Data, Executable Code]



Buffer Overflow
• Example of a small program:
void my_fct (int a, int b) {
    char buf1[10];   /* two local buffers, allocated on the stack */
    char buf2[15];
}

int main() {
    my_fct(3, 4);
    return 0;
}
Buffer Overflow
• Stack Frame
– Caller side (arguments pushed right to left, then the call):
    pushl $2
    pushl $1
    call my_fct
– Callee prologue (save the frame pointer, set up the new frame, reserve room for the locals):
    pushl %ebp
    movl %esp, %ebp
    subl $28, %esp
– Resulting frame, from high to low addresses: Function Parameters, Return Address, Saved Frame Pointer, Local variables
Buffer Overflow
• Frame layout, starting at the top of the stack (lowest address) and moving up, with sizes in bytes:

    buff2 (16) | buff1 (12) | sfp (4) | ret (4) | a (4) | b (4)



Buffer Overflow
• How can this be a source of problems?
• Consider the following example:
#include <stdio.h>

void my_fct (int a, int b) {
    char buf1[12];
    char buf2[16];
    *(buf1+16) += 8;   /* 16 bytes past the start of buf1: beyond the 12-byte buffer and the 4-byte saved frame pointer */
}

int main() {
    int i = 0;
    my_fct(3, 4);
    i = 1;
    printf ("%d\n", i);
    return 0;
}
• What is printed?
Buffer Overflow
• How would an attacker use a buffer overflow to hijack the execution of a program?
– All NULL bytes must be removed from the character buffer used for the overflow
• E.g. using xor
– Overwrite the return address to redirect execution:
• To some code injected in the buffer
• To some library function
– Metasploit.org
– Trial and error to find where the buffer starts
Buffer Overflow
• Forking or Spawning a shell
– Generate the attack code:
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
    "\xff\xff/bin/sh";
• Get the attack code to execute
– Fill the buffer with the shellcode followed by the address of the beginning of the code
• The address of the beginning of the code is difficult to find
• Adding NOP instructions (0x90) increases the chance of hitting it


Buffer Overflow
• Unsafe functions
– strcpy(char *dst, const char *src)
– strcat(char *dst, const char *src)
– gets(char *s)
– scanf(const char *format, …)
– …
• Safe functions
– strncpy(), strncat(), …
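A copy helper that makes the unsafe/safe distinction concrete, as an added example that is not from the slides: strncpy() bounds the write but can leave the buffer without a terminating NUL, while a bounded copy that checks the length first fails closed. The 8-byte buffer, the function names and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example (not from the slides): why strncpy() alone is not a fix,
 * and a bounded copy that fails closed. Buffer sizes are constructed. */

/* strncpy() never writes past dst_len bytes, but when src is at least
 * dst_len characters long it leaves NO terminating NUL, so a later
 * printf/strlen on dst reads off the end of the buffer. Returns whether
 * dst ended up NUL-terminated. */
bool copy_strncpy_only(char *dst, size_t dst_len, const char *src) {
    strncpy(dst, src, dst_len);
    return dst[dst_len - 1] == '\0';
}

/* Bounded copy: rejects input that does not fit (including its NUL)
 * instead of truncating silently, and always leaves dst terminated. */
bool copy_bounded(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0) return false;
    size_t n = 0;
    while (n < dst_len && src[n] != '\0') n++;   /* scan at most dst_len bytes */
    if (n >= dst_len) {                           /* needs n + 1 bytes, has dst_len */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);                      /* copy including the NUL */
    return true;
}

/* Both copies exercised on an 8-byte stack buffer, like the slides' buf1. */
bool bounded_fits(const char *src) {
    char buf[8];
    return copy_bounded(buf, sizeof buf, src);
}

bool strncpy_terminated(const char *src) {
    char buf[8];
    return copy_strncpy_only(buf, sizeof buf, src);
}

int main(void) {
    printf("bounded \"admin\":    %s\n", bounded_fits("admin") ? "ok" : "rejected");
    printf("bounded \"12345678\": %s\n", bounded_fits("12345678") ? "ok" : "rejected");
    printf("strncpy \"12345678\": %s\n",
           strncpy_terminated("12345678") ? "terminated" : "NOT terminated");
    return 0;
}
```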
Buffer Overflow
• Example of how to find buffer overflows:
– Run the software (e.g. a webserver) on a local machine
– Issue malformed requests (ending with a sequence of symbols, e.g. $$$$$$$)
– If it crashes, search the core dump for the symbols



Integer Overflow
• Integers have maximum values; when the maximum is exceeded, the value wraps around
#include <string.h>

void do_something(char *s);   /* placeholder for the real processing, defined elsewhere */

int func(char *buf1, char *buf2, unsigned int len1, unsigned int len2) {
    char tempStr[512];
    if (len1 + len2 > 512) { return -1; }   /* length check: the unsigned sum can wrap around */
    memcpy(tempStr, buf1, len1);            /* cat buffers */
    memcpy(tempStr + len1, buf2, len2);
    do_something(tempStr);                  /* do stuff */
    return 0;
}

• If len1=0x80 and len2=0xffffff80
– len1+len2 = 0 (the 32-bit sum wraps around, so the check passes)
– Buffer overflow at the second memcpy
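The length check above beside an overflow-proof version, as an added example that is not from the slides: the naive check accepts the slide's len1/len2 pair because the sum wraps to 0, while bounding each operand before combining them cannot wrap. The function names and the sample inputs are constructed, and TEMP_LEN stands for the slide's 512-byte tempStr.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example (not from the slides): the slide's length check beside
 * an overflow-proof version, with the slide's len1/len2 values. */

#define TEMP_LEN 512

/* The slide's check as written. len1 + len2 is computed in 32-bit unsigned
 * arithmetic, so 0x80 + 0xffffff80 wraps to 0 and the check accepts. */
bool length_check_naive(unsigned int len1, unsigned int len2) {
    return len1 + len2 <= TEMP_LEN;            /* true = accept */
}

/* Overflow-proof check: bound each operand before combining them, so the
 * subtraction can never wrap and no addition is needed at all. */
bool length_check_safe(unsigned int len1, unsigned int len2) {
    if (len1 > TEMP_LEN) return false;
    if (len2 > TEMP_LEN - len1) return false;  /* same as len1 + len2 <= 512 */
    return true;
}

/* Hardened concatenation: memcpy only runs once the safe check passed.
 * Returns the number of bytes written, 0 if the input was rejected. */
size_t concat_checked(char *tempStr, const char *buf1, unsigned int len1,
                      const char *buf2, unsigned int len2) {
    if (!length_check_safe(len1, len2)) return 0;
    memcpy(tempStr, buf1, len1);               /* cat buffers */
    memcpy(tempStr + len1, buf2, len2);
    return (size_t)len1 + len2;
}

/* Constructed inputs: two 5-byte strings fit comfortably in 512 bytes. */
size_t demo_concat(void) {
    char tempStr[TEMP_LEN];
    return concat_checked(tempStr, "hello", 5, "world", 5);
}

int main(void) {
    unsigned int len1 = 0x80u, len2 = 0xffffff80u;
    printf("len1 + len2 wraps to %u\n", len1 + len2);
    printf("naive check: %s\n", length_check_naive(len1, len2) ? "accepted" : "rejected");
    printf("safe check:  %s\n", length_check_safe(len1, len2) ? "accepted" : "rejected");
    printf("concat wrote %zu bytes\n", demo_concat());
    return 0;
}
```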
Integer Overflow
[Chart: integer overflow vulnerability statistics from the NVD, https://nvd.nist.gov/vuln/search/statistics]




Security Tools and Services
• Services: Confidentiality, Authentication, Integrity, Digital Signature, …
• Protocols: TLS, SSL, SSH, S/MIME, …
• Architectures
• Tools: Firewalls, IDS, Antivirus, Cryptography, …


Security Services
• Confidentiality: unintended parties cannot access the data
• Authentication: the user is the one who claims to be
• Integrity: data are not altered
• Digital signature: like authentication; in addition, only the sender can have issued such data


Security Framework
• A cybersecurity framework is a series of
best practices and references an
organization can follow to manage its
cybersecurity risks
– A framework aims at reducing the exposure to
vulnerabilities



Framework example
• Zachman Framework for Enterprise Architecture
and Information Systems Architecture
– an enterprise ontology
– provides a formal and structured way of viewing and
defining an enterprise
– It is not a methodology and does not imply any specific
method or process for collecting, managing, or using
the information that it describes



Zachman Framework Example
[Figure: Zachman Framework example]


Risk Management
• IT risk model
Risk = Threat * Vulnerability * Asset
• Updated IT risk model
Risk = ((Threat * Vulnerability) / CounterMeasure) * AssetValueAtRisk
• Risk management cycle:
– Plan (what, when, how)
– Assess (Identify and Analyze)
– Handle (Mitigate the risk)
– Monitor and Report


Risk Management
[Figure: ENISA risk management process]
Cybersecurity Framework
• Benefits of defining a framework
– Managing practices
– Defining an order and better organizing the
sector
– Going from tools to architecture/policy to
strategy/governance



Cybersecurity Frameworks
• Several frameworks exist:
– ISO/IEC 27001 & 27002 (formerly ISO 17799)
– NIST SP 800-53: Security and Privacy Controls for
Federal Information Systems and Organizations
– NIST SP 800-39: Risk Management Framework
– Sherwood Applied Business Security Architecture
(SABSA)
– Feb 2014: NIST Cybersecurity Framework (CSF)
– …



NIST Cybersecurity Framework
• “Framework for improving critical
infrastructure cybersecurity”
• Voluntary and risk based
• Technology neutral



NIST Cybersecurity Framework
• Risk management cycle: Risk Framing, Risk Assessment, Risk Response, Risk Monitoring


NIST Cybersecurity Framework
• It provides a common taxonomy and mechanism
for organizations to:
– Describe their current cybersecurity status
– Describe their target state
– Identify and prioritize opportunities for improvement
– Assess progress
– Communicate internally and externally about risks



NIST Cybersecurity Framework
• Three parts
– Core
• 5 functions
• 23 categories
• 108 subcategories
– Implementation tiers
• 4 tiers describing the degree to which an organization's cybersecurity risk management exhibits the characteristics defined in the CSF
– Profile
• Alignment of organizational requirements and objectives, risk
appetite, and resources against the desired outcomes of the
Framework Core



NIST CSF Core
- A set of activities, outcomes, and
informative references
- Providing the detailed guidance for
developing individual organizational
Profiles



NIST CSF Core
• Five functions:
– Identify
• Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
– Protect
• Outline appropriate safeguards to ensure delivery of critical infrastructure services.
– Detect
• Define the appropriate activities to identify the occurrence of a cybersecurity event.
– Respond
• Include appropriate activities to take action regarding a detected cybersecurity event.
– Recover
• Identify appropriate activities to maintain plans for resilience and to restore any
capabilities or services that were impaired due to a cybersecurity event.



NIST CSF Core
• 23 categories:
– Divide functions into groups of cybersecurity outcomes

Function | Category | ID
Identify | Asset Management | ID.AM
Identify | Business Environment | ID.BE
Identify | Governance | ID.GV
Identify | Risk Assessment | ID.RA
Identify | Risk Management Strategy | ID.RM
Identify | Supply Chain Risk Management | ID.SC
Protect | Identity Management and Access Control | PR.AC
Protect | Awareness and Training | PR.AT
Protect | Data Security | PR.DS
Protect | Information Protection Processes & Procedures | PR.IP
Protect | Maintenance | PR.MA
Protect | Protective Technology | PR.PT
Detect | Anomalies and Events | DE.AE
Detect | Security Continuous Monitoring | DE.CM
Detect | Detection Processes | DE.DP
Respond | Response Planning | RS.RP
Respond | Communications | RS.CO
Respond | Analysis | RS.AN
Respond | Mitigation | RS.MI
Respond | Improvements | RS.IM
Recover | Recovery Planning | RC.RP
Recover | Improvements | RC.IM
Recover | Communications | RC.CO


NIST CSF Core
• Subcategories are the deepest level of abstraction, e.g. for the Business Environment category (ID.BE) of the Identify function:
– ID.BE-1: The organization's role in the supply chain is identified and communicated
– ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
– ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
– ID.BE-4: Dependencies and critical functions for delivery of critical services are established
– ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
NIST CSF Tiers
• Characterize an organization’s practices over a range
– from Partial (Tier 1) to Adaptive (Tier 4)
• Partial: risks are managed in an ad hoc manner
• Risk Informed: Risk management practices are approved by management but may not be established as organization-wide policy.
• Repeatable: Risk management practices are formally approved and
expressed as policy
• Adaptive: The organization adapts its cybersecurity practices based
on lessons learned and predictive indicators derived from previous
and current cybersecurity activities
– Reflect a progression from informal, reactive responses to
approaches that are agile and risk-informed


NIST CSF Profiles
• Represent the outcomes based on business needs that an
organization has selected from the Framework Categories
and Subcategories
• Aligning standards, guidelines, and practices to the
Framework Core in a particular implementation
scenario
• “Current” profile → “Target” profile
• Comparison of Profiles may reveal gaps to be addressed
to meet cybersecurity risk management objectives.



NIST CSF Profiles
• Example profiles can be found at:
https://www.nist.gov/system/files/documents/itl/discussion-draft_illustrative-examples-082813.pdf
– Examples for Threat Mitigation:
1. Mitigating cybersecurity intrusions
2. Malware
3. Mitigating insider threats
(See document in class)
