Professional Documents
Culture Documents
2
What is Security?
Security requirements
Threat model
Cost of security
3
4
What is security?
Protect assets (e.g., data and communication) from
unauthorized actions
5
What is security?
Protect assets (e.g., data and communication) from
unauthorized actions
Attackers = entities attempt to do unauthorized actions
Attacker may
• Eavesdrop
• Manipulate
• Denial of service
• …
6
Security requirements
Properties that the protection should achieve
可得性、可⽤性
7
Confidentiality (保密性)
Confidentiality is protection from unauthorized disclosure
Eavesdropping on messages violates confidentiality
Eve/Mallory
A->B: here are the midterm
exam questions.
Unencrypted channel
Alice Bob
Internet or other comm. networks 8
Trivia! Alice, Bob, and Eve
Alice and Bob are two commonly used placeholder
names in the security field.
http://billatnapier.com/desig n_tips240.htm
9
Integrity (完整性)
Integrity is protection from unauthorized changes
Modification of messages violates integrity
10
Availability (可⽤性)
Availability ensures intended users can access service
Denial of Service violates availability
11
Exercise: which security
requirement is violated?
12
Memcrashed:
DDoS amplification using memcached
Mar. 2018: memcached amplification DDoS against Github at 1.3Tbps
Sep. 2016: Mirai IoT botnets caused DDoS at 620Gbps
Mar. 2013: DNS amplification against Spamhaus at 300Gbps
13
Exercise: which security
requirement is violated?
14
KRACK: Key Reinstallation
Attack against WPA2
A security flaw in the WPA2 protocol
Attacker can trick victim to reinstall an already-in-use key
Key reuse breaks the security guarantee
Not as bad as it sounds…
• TLS (transport layer security) can mitigate this attack
• The attacker must be local and proactive
https://www.krackattacks.com
M. Vanhoef and F. Piessens, “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2,” in ACM CCS, 2017.
https://www.eff.org/deeplinks/2017/10/krack-vulnerability-what-you-need-know 15
Exercise: which security
requirement is violated?
16
Meltdown and Spectre
Cache side-channel attacks that exploit CPU hardware
implementations (speculative execution) to leak data
Spectre takes advantage of CPU's branch prediction
Meltdown leverages out-of-order execution
https://meltdownattack.com/
https://www.kb.cert.org/vuls/id/584653 17
Exercise: which security
requirement is violated?
18
Exercise: which security
requirement is violated?
19
Other security requirements
Authorization (䱇奚)
Access control (㶸《䱾ⵖ)
Accountability (〳娝顑䚍)
Auditability (〳珮呍䚍)
Authenticity (Ꙥⴽ䚍)
Non-repudiation (♶〳や钢䚍)
Anonymity (⼣そ)
Privacy (ꦡ猙)
…
20
齡銴䙦랃⨞ⵌ忹宐♶怪
Wrong question!
100%㸞狡䨾剤余乹㻜♳僽⨞♶ⵌ涸
捀➊랃
• 갸皿剤ꣳ
• 佪腋宠
• 劢濼涸余乹 (zero-day attacks)
• ꨈ⟃䱍䱾涸㔔稇 (㥶⢪欽罏涸⢪欽倰䒭)
21
The system is 100% secure
22
⢿㶩
The [system] provides [security requirement] against
[Threat Model] under [Assumption]
System = ATM䲿妵禺窡
Security requirement= 魨⟨钢阮
Threat model = 书ⵌ䲿妵⽓⚛✥鑑pin焺
Assumption = ⢪欽罏尝䪾pin焺㻨㖈⽓晚㤛♳䧴僽
欽欰傈殹pin焺
23
ざ椚涸threat model䖎ꅾ銴
24
Threat model
Assumptions about the adversary
• Remember, we can’t fight against every possible attack.
25
Threat model
Define by attacker’s capability, knowledge, and resource
Capability – what can the attacker do?
• E.g., passive vs. active
Knowledge – what does the attacker know?
• E.g., insider vs. outsider
Resource – how much resource does the attacker have?
• E.g., script kiddies vs. government-funded groups
26
尝剤涯く涸⼯귭
– Cost of Security
Security comes with a price
• 涮ㄤ笞隌涸䧭劥
• 禺窡佪腋꣮⡜
• ⢪欽罏䫵䚐
27
尝剤涯く涸⼯귭
– Cost of Security
〳腋涸余乹鸏랃㢵䙦랃鳵
尝鳵岁⡎〳⟃湈ꆀ䲿⼮余乹䧭⸆涸ꨈ䏞
㹁纏♧⦐ざ椚涸threat model (㥶呏亙risk䱖䎸)
㊥欽Ⱏ❧须彂⿻儘⥜酢䊺濼♧菛䚍涸怪峯
• Sharing intel to help timely fixes
• Many exploit kits for known attacks; even script kiddies
can cause great damage.
䪾礶⸂佞㖈劢濼涸ꆚ㼩䚍涸余乹
28
㸞䚍《对倴剓䓳涸橇眏
Security is only as strong as the weakest link
User
Data
Web/App
Network
Software
Hardware
Attack: Find one Defense: Need to
place to penetrate secure every place
29
Defense in depth
Examples
• Two-factor authentication
• Anti-virus + firewall + IDS
30
Security mindset:
Exercise Think about how to make it fail instead of
how to make it work!
31
NSLab Introduction
32
Landscape of Security Research
33
NSLab㖈⨞➊랃
Mitigation to
Unknown
Threats
IoT security
Theme 2: Protecting
critical infrastructures DDoS attack
from future threats and defense
Automated
預防未知攻擊 bug finding
Best Known
Security
Theme 1: Bridge the Practices
gap between current
Web security
and best practice
Measurement
弭平資安落差
Current
Security
Practices
34
DDoS Attack & Defense
35
Denial of Service (꣖倬剪余乹)
雊⢪欽罏搂岁⢪欽䟝銴涸剪
ꆚ㼩〳欽䚍(availability)涸余乹
36
꣖倬剪余乹䌢鋅䩛岁
㣐ꆀ嶋罳Ⱏ欽涸须彂e.g. bandwidth, CPU,
memory
37
ⴕ侕䒭꣖倬剪余乹
(Distributed Denial of Service)
㢵倴♧⦐余乹⢵彂
䲿넞余乹䓽䏞꣮⡜㋲♧⢵彂鄄⩏庠涸괐ꦖ
38
Botnet-driven DDoS
Botnet = 媛㾏笪騟
control flood
Botmaster
Victim
Bots
39
Why DoS/DDoS?
䛌㑵⹗程
㉂噠畹昰
鱲獵搋럊
佟屛爚㪮
㼬余乹
鸏珏余乹湱㼩矦㋲剤佪⿶ꨈ⟃狡
• Botnet for hire (botnet as a service)
• Many tools available
• Flash crowds vs. attacks
40
http://map.norsecorp.com/
41
DDoS余乹㣐✲鎹
Mar. 2013: DNS amplification against Spamhaus at 300Gbps
Mar. 2015: “Great Cannon” browser-based DDoS against GitHub
Sep. 2016: Mirai IoT botnets caused DDoS at 620Gbps
Oct. 2016: Mirai IoT botnets attacked critical Internet
infrastructure (Dyn DNS service provider), taking down GitHub,
Twitter, Reddit, Netflix, Airbnb, etc.
Mar. 2018: memcached amplification DDoS against Github at
1.3Tbps
DDoS attacks grow in volume, frequency and sophistication!
42
How to DoS?
Resource exhaustion (Bandwidth, CPU, memory)
• Flooding hosts
• Flooding infrastructure
• Low-rate attacks exploiting protocol/algorithm
specification
System crashed via implementation vulnerabilities
• E.g., Ping of Death
43
Recent trends of DDoS
Amplification attack
IoT-based botnets
Browser-based DDoS attack
DDoS attacking Internet infrastructures
44
DDoS Amplification
50-100x traffic!
IP: 10.0.0.1
45
Amplification Factor
Memcached: 51,200x
Rossow, Christian. "Amplification hell: Revisiting network protocols for DDoS abuse." Symposium on
Network and Distributed System Security (NDSS). 2014.
47
“Great Cannon” browser-based DDoS
DDoS Attack Targets Popular Anti-censorship Projects on Github
3 days into attack since Thursday March 26, 2015
Malicious JavaScript executed when users outside China visited
sites with Baidu’s user tracking code
Load https://github.com/greatfire/ and https://github.com/cn-
nytimes/ every two seconds
http://insight-labs.org/?p=1682
http://www.wsj.com/articles/u-s-coding-website-github-hit-with-cyberattack-1427638940
48
“Great Cannon” browser-based
DDoS
https://citizenlab.org /2015/04/chinas-great-cannon/
49
How to mitigate DDoS
硬碰硬比誰資源多?
• 防禦小型攻擊ok
• 面對大型攻擊,就算是Google 也不保證撐得住
http://www.ithome.com.tw/news/90246
50
How to mitigate DDoS
CAPTCHAs擋bot-based DDoS ?
• CAPTCHAs可以外包,有時還會擋人類
• 要先成功建立連線
• Cloud幫忙插CAPTCHAs有隱私問題
51
How to mitigate DDoS
防火牆把攻擊流量過濾掉就好啦~??
• 如何準確分辨誰是好人誰是壞人
• 有時打到家門口再過濾已經來不及了
• 防火牆本身也是bottleneck
52
General DDoS Defense Strategies
1. Overprovisioning/replication
• 硬碰硬,比誰資源多;分散攻擊力道
2. Traffic differentiation
• 分辨“好與壞”,移除惡意的連線
3. Fair sharing Many mitigation
mechanisms combine
• 公平分配資源,不讓壞人佔便宜 two or more strategies
4. Source identification and takedown
• 從源頭根除
53
Practical and Privacy-aware
Cloud-based DDoS Mitigation
Su-Chin Lin, Wei-Ning Chen, Hsu-Chun Hsiao, “Challenges in Realizing Privacy-
aware Cloud-based DDoS Mitigation Mechanism,” in USENIX Security Symposium
Poster Session, August 2018.
Su-Chin Lin, Po-Wei Huang, Hsin-Yi Wang, Hsu-Chun Hsiao, “DAMUP: Practical and
Privacy-aware Cloud-based DDoS Mitigation,” in IEEE/IFIP Workshop on Security
for Emerging Distributed Network Technologies (DISSECT), April 2018.
Cloud-based DDoS Mitigation Service
By changing BGP or DNS of web server, the traffic is
redirected to the provider as a middle-man
Some provide Content Delivery Network (CDN)
service to achieve diversion of traffic
55
Without Cloud-based DDoS Mitigation
Naked Victim
Server
User
example.com
Adversary
56
With Cloud-based DDoS Mitigation
User
Reverse
cloudProxy Victim Server
example.com
How to identify malicious traffic,
particularly, non-volumetric
Adversary DDoS attacks, if the traffic is
encrypted?
57
HTTPS Private Key Sharing
Inspect the payload to filter malicious traffic
Modify the content (reCAPTCHA, PoW)
Add cookies to track the client
58
Privacy Concern of HTTPS Private
Key Sharing
Compromised cloud could expose users’ sensitive
data
• 2017: Cloudbleed bug allows an attacker to access out-
of-bound memory region, which may contain cookies,
passwords, private keys, etc.
59
Goal: Practical & Privacy-
preserving DDoS Mitigation
Privacy-preserving
User
Cloud Server
Adversary
60
Our Work: DAMUP is also a cloud-
based architecture
User
DAMUP Server
Cloud
Adversary
61
For better privacy, no shared key
is required
No shared key required
User
DAMUP Server
Cloud
Adversary
62
A gateway is introduced to block
direct access to server Server
User
DAMUP
Cloud
Adversary Gateway
63
Protocol Flow
Server
The server verifies the identity
User
Not under DDoS attack DAMUP
Cloud
Gateway
64
Protocol Flow
Server
User
DAMUP
Cloud
65
How to embed the token such that cloud
can see it but won’t break privacy?
Embed the secure token in the URL
https://secure-token.example.com
TLS extension: Server Name Indication (SNI)
66
Secure Token
Server
https://token.example.com/
User
DAMUP
Cloud
Adversary Gateway
67
Secure Token
Privacy-preserving
• Not breaking end-to-end encryption
Customized policy defined by the server
Misuse prevention
• Token expiration time
• Traffic limit
68
Secure Token Format
https://john123456-ln5njba-er….wd2.example.com
The maximum entropy in label name is 40 bytes
Client_id (10 bytes)
Expiration timestamp (4 bytes)
Separators (2 byte)
HMAC (20 bytes)
• E.g. truncate HMAC-SHA256
69
Modification on The Server Side
DNS record (*.example.com)
Wildcard certificate (*.example.com)
70
Prototype Implementation: When
NOT Under DDoS Attack
Both user and adversary can reach the site
https://www.protected-website.csie.org https://www.protected-website.csie.org
User Adversary
71
When NOT Under DDoS Attack
Benign users acquire a secure token
72
When Under DDoS Attack
Only users with valid secure token can reach the site
https://john123456-ln42jxq-
https://www.protected-website.csie.org
zt4xfr2cjhwv3mwu3nj00x0i0s3y3it4.protected-website.csie.org
User Adversary
73
Mitigation Capability
74
Latency
About 9% extra overhead for downloading images
75
IoT Security
76
Internet of Things
Any consumer device with computation and connectivity
allows users to monitor and control remotely
Device Status
Air
conditioner
OFF
ON
Temperatur
e
30
28
TV OFF
Lock LOCKED
Camera OFF
77
Growth of IoT
15000
11197
10000 8381
6382
5000
0
2016 2017 2018 2020
Source: Gartner
78
Why should we care about IoT
security?
79
Greater Impact:
Cyber attack -> Physical attack
80
Greater Impact:
Cyber attack -> Physical attack
Self-driving car vs. adversarial examples in ML
https://spectrum.ieee.org/cars-that-
think/transportation/sensors/slight-street-sign-modifications-can-fool-
machine-learning-algorithms
81
Greater Impact:
Cyber attack -> Physical attack
Implantable medical devices
Medical equipment
82
Greater Impact:
Cyber attack -> Physical attack
83
Larger Scale:
Pervasive Privacy Breach
84
Larger Scale:
Pervasive Privacy Breach
Internet-connected toys to spy on children
Recover passwords using motion sensor or
accelerometer on phone/wearable
85
Larger Scale: Mirai IoT Malware
Infected ~1 million IoT devices
• Simple tech: Scan IPv4 space & try 62 default passwords
• Vulnerable devices hacked in 6 mins after going online
Launched largest DDoS in history
• Sep 2016: DDoS at 620Gbps
• Oct 2016: attacked Dyn DNS service provider, taking down GitHub, Twitter,
Reddit, Netflix, Airbnb, etc.
86
We have seen that in IoT…
Old security issues linger (and worsen)
• Weak passwords
• Unpatched devices
• Privacy breach
• …
New security issues emerge
• Greater impact: Cyber attack affects physical world
• Larger scale: Billions of public accessible devices
• …
87
Why challenging to secure IoT?
IoT devices are often cheap
• Not enough resource to run advanced protection
• However, security comes at a price!
Lack of interface
• Hard to update or check status
Too many types of devices
• No universal solution for all devices
Devices actuate based on untrusted input
• Collect – analyze – actuate
88
Example: Automation Service Providers
Connect Devices via Automation Rules
89
Automation Service Providers Connect
Devices via Automation Rules
Over 400 applications and
devices are supported
Over 19 millions rules are
created
Around 600 million rules
executed monthly
90
Automation Service Providers Connect
Devices via Automation Rules
The user submits rules to the
cloud, and authorizes cloud to
access his/her devices If temperature reaches 25C then turn on fan
If TV is on then turn on light
If door is locked then turn off camera
91
What Can The Cloud See?
92
Why Encryption is Not Enough?
93
Previous Work Assumes IoT
Automation Services are Trusted
Issues with misconfigured authorization protocols
• Fernandes et al. [1] explore over-privilege problems in
IFTTT
Issues with misconfigured automation rules
• Milijana et al. [2] check if information can flow from a
more restricted trigger to a less restricted action.
• Our previous work on exploiting chained automation
rules
94
Basic Idea of Our Solution:
Sending Fake Triggers
Time
Ground Truth
Of Trigger
Event
Ideal Cloud
View
!
Probability = "
95
Preserve User’s Intent using Two
Non-Colluding Service Providers
Time
……
Cancel out duplicate actions
96
Another Point of View
1, 0, 0, 1, 0, 0, 0, 0 Ground Truth
0, 1, 0, 1, 1, 1, 0, 0 Random Bits
XOR
(One of the clouds’ view)
97
Advanced Encoding Random Our work Future work
Comparison Encryption
Schemes (e.g.,
Trigger state,
Action state,
Server
98
Limitations of Our Scheme
Need at least two non-colluding service providers
• Users need to authorize more clouds to access their
devices; perhaps worse when clouds have weak security
or are actively malicious
Communication overhead and delayed action
• In practice, communication between cloud and devices
may be delayed due to network latency.
• How long should a device wait before performing an
action?
Cloud 1 in
our scheme
Cloud 2 in
our scheme
No privacy
Time
99