195 Class Note for CSE 543 with Professor McDaniel at PSU
This 70 page Class Notes was uploaded by an elite notetaker on Friday February 6, 2015. The Class Notes belongs to a course at Pennsylvania State University taught by a professor in Fall. Since its upload, it has received 13 views.
Date Created: 02/06/15
Systems and Internet Infrastructure Security
CSE543 - Introduction to Computer and Network Security
Module: Network Security
Professor Patrick McDaniel
Fall 2008

Networking
- Fundamentally about transmitting information between two devices
- Direct communication is now possible between any two devices anywhere (just about)
  - Lots of abstraction involved
  - Lots of network components
  - Standard protocols
  - Wired and wireless
  - Works in protection environment
- What about ensuring security?

Network Security
- Every machine is connected
  - What is trust model of the network?
- "On the Internet, nobody knows you're a dog"
- Not just limited to dogs as users
  - What other dogs are out there?

Exploiting the network
- The Internet is extremely vulnerable to attack
  - it is a huge open system ...
  - which adheres to the end-to-end principle: smart endpoints, dumb network

E2E Argument
- Clark et al. discussed a property of good systems that says features should be placed as close to resources as possible
  - In communication, this means that we want the middle of the network to be simple, and the endpoints to be smart (e.g., do everything you can at the endpoints)
  - "Dumb, minimal network"
  - This is the guiding principle of IP (Internet)
  - Q: Does this have an effect on security?
- Note: this is a departure from the early networks, which were smart network, dumb terminals

Security Problems in the TCP/IP Protocol Suite
- Bellovin's observations about the security problems of the IP protocols
  - Not really a study of how IP is misused (e.g., IP addresses for authentication), but really what is inherently bad about the way in which IP is set up
- A really, really nice overview of the basic ways in which security and the IP design are at odds

Sequence number prediction
- TCP/IP uses a three-way handshake to establish a connection
  1. C -> S: Q_C
  2. S -> C: Q_S, ack(Q_C), where sequence number Q_S is nonce
  3. C -> S: ack(Q_S) ... then send data
- However, assume the bad guy does not hear msg 2; if he can guess Q_S, then he can get S to accept whatever data it wants (useful if doing IP authentication, e.g., "rsh")

Sequence Number Prediction (fixes)
- The only way you really fix this problem is to stop making the sequence numbers predictable
  - Randomize them: you can use DES or some other mechanism to generate them randomly
  - There is an entire subfield devoted to the creation and management of randomness in OSes
- Also, you could look for inconsistencies in timing information
  - Assumption: the adversary has different timing than
  - OK, maybe helpful, but far from definitive

Routing Manipulation
- RIP - routing information protocol
  - Distance vector routing protocol used for local network
  - Routers exchange reachability and "distance vectors" for all the sub-networks within a (typically small) domain
  - Use vectors to decide which is best; notification of changes is propagated quickly
- So, the big problem is that you receive vast amounts of data that a router uses to form the routing table
  - So, just forge that, and the game is up
  - Manipulate paths, DOS, hijack connections, etc.
- Solutions:

Internet Control Message Protocol
- ICMP is used as a control plane for IP messages
  - Ping (connectivity probe)
  - Destination Unreachable (error notification)
  - Time-to-live exceeded (error notification)
- These are used for good purposes, and are largely indispensable tools for network management and control
  - Error notification codes can be used to reset connections without any
- Solution: verify/sanity check sources and content
  - ICMP "returned packets"

The ping of death
- In 1996, someone discovered that many operating systems, routers, etc. could be crashed/rebooted by sending a single malformed packet
  - It turns out that you can send an IP packet larger than 65,535 (2^16); it would crash the system
  - The real reason lies in the way fragmentation works
    - It allows somebody to send a packet bigger than IP allows
    - Which blows up most fixed buffer size implementations
    - ... and dumps core, blue screen of death, etc.
  - Note: this is not really ICMP specific, but easy (try it)
      ping -l 65510 your.host.ip.address
- This was a popular pastime of early hackers

Address Resolution Protocol
- Protocol used to map IP address onto the physical layer addresses (MAC)
  1. ARP request: who has x.x.x.x?
  2. ARP response: me!
- Policy: last one in wins
- Used to forward packets on the appropriate interfaces by network devices (e.g., bridges)
- Q: Why would you want to spoof an IP address?

ARP poisoning
- Attack: replace good entries with your own
- Leads to
  - Session hijacking
  - Man-in-the-middle attacks
  - Denial of service, etc.
- Lots of other ways to abuse ARP
- Nobody has really come up with a good solution
  - Except smart bridges, routers that keep track of MACs
- However, some not worried
  - If adversary is in your perimeter, you are in big trouble
  - You should never should validate the source of each pack

Other flawed protocols/services
- Finger user identity (my advisor hated this)
  - host gives up who is logged in, existence of identities

      PSUlocal Presentations > finger megan
      Login: megan                Name: Megan Smith
      Directory: /Users/megan     Shell: /bin/bash
      Last login Mon 23 Aug 13:19 (EDT) on console
      No Mail.
      No Plan.
      PSUlocal Presentations >

- This is horrible in a distributed environment
  - Privacy
  - Lots of information to start a compromise of the user
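
The ARP slides above give the cache policy as "last one in wins" and name bridges and routers that keep track of MACs as the one workable countermeasure. The following is an added example, not part of the lecture: it contrasts a cache that accepts every reply with a tracker that pins the first binding it saw and records conflicts. The class names, method names and sample replies are constructed for illustration.

```python
"""ARP binding tracking: "last one in wins" vs. a table that remembers MACs.

Added illustration. All addresses are constructed sample data taken from
documentation ranges; class and method names are hypothetical.
"""


class NaiveArpCache:
    """The policy from the slide: the most recent reply overwrites the entry."""

    def __init__(self):
        self.table = {}

    def on_reply(self, ip, mac):
        self.table[ip] = mac.lower()


class ArpWatch:
    """Pins the first MAC seen for each IP and records replies that disagree."""

    def __init__(self):
        self.table = {}    # ip -> pinned MAC
        self.claims = {}   # mac -> set of IPs that MAC has claimed
        self.alerts = []   # (timestamp, ip, pinned MAC, claimed MAC)

    def on_reply(self, ip, mac, ts):
        mac = mac.lower()
        self.claims.setdefault(mac, set()).add(ip)
        pinned = self.table.setdefault(ip, mac)
        if pinned != mac:
            # Do not overwrite: keep the pinned entry and raise an alert.
            self.alerts.append((ts, ip, pinned, mac))
            return False
        return True

    def multi_ip_claimants(self):
        """MACs that answered for more than one IP (typical of poisoning,
        but also of proxy ARP and some failover setups)."""
        return {m: ips for m, ips in self.claims.items() if len(ips) > 1}


# Constructed capture: (seconds, IP in the reply, MAC in the reply)
SAMPLE_REPLIES = [
    (0.0, "192.0.2.1", "AA:AA:AA:00:00:01"),   # gateway, first seen
    (1.5, "192.0.2.10", "bb:bb:bb:00:00:10"),  # workstation
    (2.0, "192.0.2.1", "aa:aa:aa:00:00:01"),   # gateway again, same MAC
    (7.2, "192.0.2.1", "cc:cc:cc:00:00:99"),   # different MAC claims gateway
    (7.3, "192.0.2.10", "cc:cc:cc:00:00:99"),  # same MAC claims workstation
]


def replay(replies):
    """Feed the same replies to both tables and return them for comparison."""
    naive, watch = NaiveArpCache(), ArpWatch()
    for ts, ip, mac in replies:
        naive.on_reply(ip, mac)
        watch.on_reply(ip, mac, ts)
    return naive, watch


if __name__ == "__main__":
    naive, watch = replay(SAMPLE_REPLIES)
    print("naive cache :", naive.table)
    print("pinned table:", watch.table)
    for ts, ip, pinned, claimed in watch.alerts:
        print(f"t={ts}: {ip} pinned to {pinned}, reply claims {claimed}")
    print("MACs claiming several IPs:", watch.multi_ip_claimants())
```

A pinned table also alerts on legitimate changes such as a replaced network card, so an operator needs a way to clear an entry.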

POP/SMTP/FTP
- Post office protocol - mail retrieval
  - Passwords passed in the clear (duh)
  - Solution: SSL, SSH, Kerberos
- Simple mail transport protocol (SMTP) - email
  - Nothing authenticated: SPAM
  - Nothing hidden: eavesdropping
  - Solution: your guess is as good as mine
- File Transfer protocol - file retrieval
  - Passwords passed in the clear (duh)
  - Solution: SSL, SSH, Kerberos

DNS
- The domain name system (DNS) maps between IP addresses and domain and host names (ada.cse.psu.edu)
  - How it works: the "root" servers redirect you to the top level domains (TLD) DNS servers, which redirect you to the appropriate sub-domain, and recursively ...
  - Note: there are 13 "root" servers that contain the TLDs for .org, .edu, and country specific registries (.fr, .ch)

DNS Vulnerabilities
- Nothing is authenticated, so really the game is over
  - You can not really trust what you hear ...
  - But, many applications are doing just that.
  - Spoofing of DNS is really dangerous
- Moreover, DNS is a catalog of resources
  - Zone-transfers allow bulk acquisition of DNS data
  - ... and hence provide a map for attacking the network
- Lots of opportunity to abuse the system
  - Relies heavily on caching for efficiency: cache pollution
  - Once something is wrong, it can remain that way in caches for a long time (e.g., it takes a long time to flush)
  - Data may be corrupted before it gets to authoritative server

DNSsec
- A standard-based (IETF) solution to security in DNS
  - Prevents data spoofing and corruption
  - Public key based solution to verifying DNS data
  - Authenticates
    - Communication between servers
    - DNS data
    - Public keys (a bootstrap for PKI?)
[Figure: browser screenshot, "Secure zones in .nl", showing the current status of the secure .nl zones]

DNSsec Mechanisms
- TSIG: transaction signatures protect DNS operations
  - Zone loads, some server to server requests (master -> slave), etc.
  - Time-stamped signed responses for dynamic requests
  - A misnomer: it currently uses shared secrets for TSIG (HMAC), or do real signatures using public key cryptography
- SIG0: a public key equivalent of TSIG
  - Works similarly, but with public keys
  - Not as popular as TSIG, being evaluated
- Note: these mechanisms assume clock sync. (NTP)

DNSsec Mechanisms
- Securing the DNS records
  - Each domain signs their "zone" with a private key
  - Public keys published via DNS
  - Indirectly signed by parent zones
  - Ideally, you only need a self-signed root, and follow keys down the hierarchy

DNSsec Challenges
- Incremental deployability
  - Everyone has DNS, can't assume a flag day
- Resource imbalances
  - Some devices can't afford real authentication
- Cultural
  - Most people don't have any strong reason to have secure DNS (not justified in most environments)
  - Lots of transitive trust assumptions (you have no idea how the middlemen do business)
- Take away: DNSsec will be deployed, but it is unclear whether it will be used appropriately/widely

Communications Security
- Harden the communication against malintent

Communications Security
- A host wants to establish a secure channel to remote hosts over an untrusted network
  - Not Login: end-users may not even be aware that protections are in place
  - Remote hosts may be internal or external
- The protection service must ...
  - Authenticate the end-points (each other)
  - Negotiate what security is necessary (and how)
  - Establish a secure channel
  - Process the traffic between the end points

IPsec (not IPSec!)
- Host level protection service
  - IP-layer security (below TCP/UDP)
  - De-facto standard for host level security
  - Developed by the IETF (over many years)
  - Now available in most operating systems (e.g., available in XP, OS X, Linux, BSD)
  - Implements a wide range of protocols and cryptographic algorithms
- Provides ...
  - Confidentiality, integrity, authenticity, replay protection, DOS protection

IPsec and the IP protocol stack
- IPsec puts the two main protocols in between IP and the other protocols
  - AH - authentication header
  - ESP - encapsulating security payload
- Tunnel vs. transport?
  - Key management/authentication
  - Policy
- Other function provided by external protocols and architectures
[Figure: protocol stack, with HTTP, FTP and SMTP at the top]

Tunneling
- "IP over IP"
  - Network-level packets are encapsulated
  - Allows traffic to avoid firewalls

IPsec Protocol Suite
[Figure: the IPsec protocol suite, grouped into Policy/Configuration Management, Key Management, and Packet Processing]

Internet Key Exchange (IKE)
- Built on top of ISAKMP framework
- Two phase protocol used to establish parameters and keys for session
  - Phase 1: authenticate peers, establish secure channel
  - Phase 2: negotiate parameters, establish a security association (SA)
- The details are unimaginably complex
- The SA defines algorithms, keys, and policy used to secure the session

IPsec: Packet Handling
[Figure: packet handling in the protocol stack]

Authentication Header (AH)
- Authenticity and integrity
  - via HMAC
  - over IP headers and data
- Advantage: the authenticity of data and IP header information is protected
  - it gets a little complicated with mutable fields, which are supposed to be altered by network as packet traverses the network
  - some fields are immutable, and are protected
- Confidentiality of data is not preserved
- Replay protection via AH sequence numbers
  - note that this replicates some features of TCP (good?)

IPsec AH Packet Format
AH Header Format:
  Next Header | Length | Reserved
  Security Parameter Index
  Authentication Data (variable number of 32-bit words)

Authentication Header (AH)
- Modifications to the packet format
[Figure: original packet and AH packet; legend: Authenticated, Encrypted]

IPsec Authentication
- SPI (spy): identifies the security association for this packet
  - Type of crypto checksum, how large it is, and how it is computed
  - Really the policy for the packet
- Authentication data
  - Hash of packet contents, including IP header, as specified by SPI
  - Treat transient fields (TTL, header checksum) as zero
- Keyed MD5 Hash is default
[Figure: MD5 hash computed over key, headers and data being sent, key]

Encapsulating Security Payload (ESP)
- Confidentiality, authenticity and integrity
  - via encryption and HMAC
  - over IP payload (data)
- Advantage: the security manipulations are done solely on user data
  - TCP packet is fully secured
  - simplifies processing
- Use "null" encryption to get authenticity/integrity only
- Note that the TCP ports are hidden when encrypted
  - good: better security, less is known about traffic
  - bad: impossible for FW to filter traffic based on port

IPsec ESP Packet Format
IPv4 ESP Packet Format (unencrypted and encrypted regions), ESP Header Format.
DES + MD5 ESP Format:
  Security Parameters Index (SPI)
  Initialization Vector (optional)
  Replay Prevention Field (incrementing count)
  Payload Data (with padding)
  Authentication checksum

Encapsulating Security Payload
- Modifications to packet format
[Figure: original packet and ESP packet with ESP trailer; legend: Authenticated, Encrypted]
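
The IPsec Authentication slide above says the AH hash covers the IP header with transient fields (TTL, header checksum) treated as zero. The following added example, not part of the lecture, shows why: the check value survives a router's TTL decrement but not a change to a protected field. It is a simplification that zeroes only the two fields the slide names, covers no AH header, and uses HMAC-SHA-256 in place of the keyed MD5 the slide gives as default; function names, key and addresses are constructed.

```python
"""AH-style integrity check value (ICV) over an IPv4 packet.

Added illustration, simplified: only TTL and header checksum are zeroed
before hashing, and HMAC-SHA-256 stands in for keyed MD5.
Key, addresses and payload are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
TTL, CHECKSUM, SRC = 5, 7, 8  # indexes into the unpacked field list
KEY = b"constructed-shared-secret"


def ipv4_checksum(header):
    """One's-complement sum of the ten 16-bit words of the header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _repack(fields, payload):
    """Recompute the header checksum and serialise header + payload."""
    fields[CHECKSUM] = 0
    fields[CHECKSUM] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def build_packet(src, dst, ttl, payload, proto=6):
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    return _repack(fields, payload)


def ah_icv(key, packet):
    """Zero the transient fields, then MAC the header and the data."""
    fields = list(struct.unpack(IPV4_FMT, packet[:20]))
    fields[TTL] = 0
    fields[CHECKSUM] = 0
    canonical = struct.pack(IPV4_FMT, *fields) + packet[20:]
    return hmac.new(key, canonical, hashlib.sha256).digest()


def verify(key, packet, icv):
    return hmac.compare_digest(ah_icv(key, packet), icv)


def forward(packet):
    """What every router on the path does: TTL - 1, new header checksum."""
    fields = list(struct.unpack(IPV4_FMT, packet[:20]))
    fields[TTL] -= 1
    return _repack(fields, packet[20:])


def rewrite_source(packet, new_src):
    """Change an immutable field (source address) and fix the checksum."""
    fields = list(struct.unpack(IPV4_FMT, packet[:20]))
    fields[SRC] = socket.inet_aton(new_src)
    return _repack(fields, packet[20:])


if __name__ == "__main__":
    pkt = build_packet("192.0.2.10", "198.51.100.7", 64, b"payload bytes")
    icv = ah_icv(KEY, pkt)
    print("after one hop      :", verify(KEY, forward(pkt), icv))
    print("source rewritten   :", verify(KEY, rewrite_source(pkt, "203.0.113.9"), icv))
    print("payload bit flipped:", verify(KEY, pkt[:-1] + bytes([pkt[-1] ^ 1]), icv))
```

The failed check after a source-address rewrite is also why AH does not pass through a NAT device.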

Practical Issues and Limitations
- IPsec implementations
  - Often not compatible (ungh.)
  - Large footprint
    - resource poor devices are in trouble
    - New standards to simplify (e.g., JFK, IKE2)
  - Slow to adopt new technologies
- Issues
  - IPsec tries to be "everything for everybody at all times"
    - Massive, complicated, and unwieldy
  - Policy infrastructure has not emerged
  - Large-scale management tools are limited (e.g., CISCO)
  - Often not used securely (common pre-shared keys)

Isolation
- Countermeasure to physically separate the devices environment from malintent

Network Isolation: VPNs
- Idea: I want to create a collection of hosts which operate in a coordinated way
  - E.g., a virtual security perimeter over physical network
  - Hosts work as if they are isolated from malicious hosts
- Solution: Virtual Private Networks
  - Create virtual network topology over physical network
  - Use communications security protocol suites to secure virtual links ("tunneling")
  - Manage networks as if they are physically separate
  - Hosts can route traffic to regular networks (split-tunneling)

VPN Example: RW/Telecommuter
[Figure: network edge; legend: Physical Link, Logical Link (IPsec)]

VPN Example: Hub and Spoke
[Figure: network edge; legend: Physical Link, Logical Link (IPsec)]

VPN Example: Mesh
[Figure: network edge; legend: Physical Link, Logical Link (IPsec)]

Virtual LANs (VLANs)
- VPNs built with hardware
  - No encryption - none needed
  - "wire based isolation"
  - Switches increasingly support VLANs
  - Allows networks to be reorganized without rewiring
- Example usage: two departments in same hallway
  - Each office is associated with department
  - Configuring the network switch gives physical isolation
  - Note: often used to ensure QoS

Aside: Malware
- Malware - software that exhibits malicious behavior (typically manifest on user system)
  - virus - self-replicating code, typically transferring by shared media, filesystems, email, etc.
  - worm - self propagating program that travels over the network
- The behaviors are as wide ranging as imagination
  - backdoor - hidden entry point into system that allows quick access to elevated privileges
  - rootkit - system replacement that hides adversary behavior
  - key logger - program that monitors, records, and potentially transmits keyboard input to adversary

Worms
- A worm is a self-propagating program.
- As relevant to this discussion
  1. Exploits some vulnerability on a target host ...
  2. (often) embeds itself into a host ...
  3. Searches for other vulnerable hosts ...
  4. Goto (1)
- Q: Why do we care?

The Danger
- What makes worms so dangerous is that infection grows at an exponential rate
  - A simple model:
    - s (search) is the time it takes to find vulnerable host
    - i (infect) is the time it takes to infect a host
  - Assume that t=0 is the worm outbreak; the number of hosts at t=j is 2^(j/(s+i))
  - For example, if (s+i = 1), what is it at time t=32?

The result
[Figure: plot of the number of infected hosts over time; vertical axis from 500,000,000 to 5,000,000,000]

The Morris Worm
- Robert Morris, a 23 year old doctoral student from Cornell
  - Wrote a small (99 line) program
  - November 3rd, 1988
  - Simply disabled the Internet
- How it did it
  - Reads /etc/password, then tries the obvious choices and dictionary, /usr/dict words
  - Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that are related
    - Tries cracked passwords at related hosts (if necessary)
    - Uses whatever services are available to compromise other hosts
  - Scanned local interfaces for network information

Code Red
- Anatomy of a worm: Maiffret (good reading)
- Exploited a Microsoft IIS web-server vulnerability
  - A vanilla buffer overflow (allows adversary to run code)
  - Scans for vulnerabilities over random IP addresses
  - Sometimes would deface the served website
- July 16th, 2001 - outbreak
  - CRv1 - contained bad randomness (fixed IPs searched)
  - CRv2 - fixed the randomness
    - added DDOS of www.whitehouse.gov
    - Turned itself off and on (on 1st and 16th of month)
  - August 4 - Code Red II
    - Different code base, same exploit

Worms and infection
- The effectiveness of a worm is determined by how good it is at identifying vulnerable machines
  - Morris used local information at the host
  - Code Red used what?
- Multi-vector worms use lots of ways to infect
  - E.g., network, DFS partitions, email, drive by downloads ...
  - Another worm, Nimda, did this
- Lots of scanning strategies
  - Signpost scanning (using local information, e.g., Morris)
  - Random IP - good, but waste a lot of time scanning "dark" or unreachable addresses (e.g., Code Red)
  - Local scanning - biased randomness
  - Permutation scanning - instance is given part of IP space

Other scanning strategies
- The doomsday worm: a flash worm
  - Create a hit list of all vulnerable hosts
    - Staniford et al. argue this is feasible
    - Would contain a 48MB list
  - Do the infect and split approach
  - Use a zero-day vulnerability
- Result: saturate the Internet in less than 30 seconds!

Worms: Defense Strategies
- (Auto) patch your systems: most, if not all, large worm outbreaks have exploited known vulnerabilities (with patches)
- Heterogeneity: use more than one vendor for your networks
- Shield (Ross): provides filtering for known vulnerabilities, such that they are protected immediately (analog to virus scanning)
- Network Traffic Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor
  - This is the dominant method, getting sophisticated (Arbor Networks)

Denial of Service
- Intentional prevention of access to valued resource
  - CPU, memory, disk (system resources)
  - DNS, print queues, NIS (services)
  - Web server, database, media server (applications)
- This is an attack on availability (fidelity)
- Note: launching DOS attacks is easy
- Note: preventing DOS attacks is hard
  - Mitigation the path most frequently traveled

Canonical (common) DOS - Request Flood
- Attack: request flooding
  - Overwhelm some resource with legitimate requests
  - e.g., web-server, phone system
- Note: unintentional flood is called a flash crowd

Example: SMURF Attacks
- This is one of the deadliest and simplest of the DOS attacks (called a naturally amplified attack)
  - Send a large number PING packet networks on the broadcast IP addresses (e.g., 192.168.27.254)
  - Set the source packet IP address to be your victim
  - All hosts will reflexively respond to the ping at your victim
  - ... and it will be crushed under the load.
  - Fraggle: UDP based SMURF
[Figure: broadcast]

Distributed denial of service
- DDOS: Network oriented attacks aimed at preventing access to network, host or service
  - Saturate the target's network with traffic
  - Consume all network resources (e.g., SYN)
  - Overload a service with requests
    - Use "expensive" requests (e.g., "sign this data")
  - Can be extremely costly (e.g., Amazon)
- Result: service/host/network is unavailable
- Frequently distributed via other attack
- Note: IP is often hidden (spoofed)

D/DOS (generalized by Mirkovic)
- Send a stream of packets/requests/whatever
  - many PINGS, HTML requests, ...
- Send a few malformed packets
  - causing failures or expensive error handling
  - low-rate packet dropping (TCP congestion control)
  - "ping of death"
- Abuse legitimate access
  - Compromise service/host
  - Use its legitimate access rights to consume the rights for domain (e.g., local network)
  - E.g., first-year graduate student runs a recursive file operation on root of NFS partition

The canonical DDOS attack
[Figure: adversary and zombies]

Adversary Network
[Figure: zombies]

What would motivate someone DDOS?
- An axe to grind
- Curiosity (script kiddies)
- Blackmail
- Information warfare
[Figure: reachability plot over time]

Why is DDOS possible?
- Internet is an open system ...
  - Packets not authenticated, probably can't be
    - Would not solve the problem, just move it (firewall)
- Interdependence - services dependent on each other
  - E.g., Web depends on TCP and DNS, which depends on routing and congestion control
- Limited resources (or rather resource imbalances)
  - Many times it takes few resources on the client side to consume lots of resources on the server side
  - E.g., SYN packets consume lots of internal resources
- You tell me ... (as said by Mirkovic et al.)
  - Intelligence and resources not co-located
  - No accountability
  - Control is distributed

DDOS and the E2E argument
- E2E (a simplified version): We should design the network such that all the "intelligence" is at the edges.
  - So that the network can be more robust and scalable
  - Many think this is the main reason why the Internet works
- Downside:
  - Also, no real ability to police the traffic/content
  - So, many security solutions break this E2E by cracking open packets (e.g., application level firewalls)
  - DDOS is real because of this

Q: An easy fix?
- How do you solve distributed denial of service?

Simple DDOS Mitigation
- Ingress/Egress Filtering
  - Helps spoofed sources, not much else
- Better Security
  - Limit availability of zombies, not feasible
  - Prevent compromise, viruses, ...
- Quality of Service Guarantees (QOS)
  - Pre- or dynamically allocate bandwidth
  - E.g., diffserv, RSVP
  - Helps where such things are available
- Content replication
  - E.g., CDS
  - Useful for static content

DOS Prevention - Reverse-Turing Tests
- Turing test: measures whether a human can tell the difference between a human or computer (AI)
- Reverse Turing tests: measures whether a user on the internet is a person, a bot, whatever?
- CAPTCHA - completely automated public Turing test to tell computers and humans apart
  - contorted image humans can read, computers can't
  - image processing pressing SOA, making these harder
- Note: often used not just for DOS prevention, but for protecting "free" services (email accounts)

DOS Prevention - Puzzles
- Make the solver present evidence of "work" done
  - If work is proven, then process request
  - Note: only useful if request processing significantly more work than
- Puzzle design
  - Must be hard to solve
  - Easy to verify
- Canonical Example
  - Puzzle: given all but k-bits of r and h(r), where h is a cryptographic hash function
  - Solution: Invert h(r)
  - Q: Assume you are given all but 20 bits, how hard would it be to solve the puzzle?

Pushback
- Initially, detect the DDOS
  - Use local algorithm, ID-esque processing
  - Flag the sources/types/links of DDOS traffic
- Pushback on upstream routers
  - Contact upstream routers using PB protocol
  - Indicate some filtering rules (based on observed
- Repeat as necessary towards sources
  - Eventually, all (enough) sources will be filtered
- Q: What is the limitation here?

Traceback
- Routers forward packet data to source
  - Include packets and previous hop ...
  - At low frequency (1/20,000)
- Targets reconstruct path to source (IP unreliable)
  - Use per-hop data to look at
  - Statistics say that the path will be exposed
- Enact standard
  - Add filters at routers along the path
[Figure: routers along the path (R1, R2, ...)]

DDOS Reality
- None of the "protocol oriented" solutions have really seen any adoption
  - too many untrusting, ill-informed, mutually suspicious parties must play together well (hint: human nature)
  - solutions have many remaining challenges
- Real Solution
  - Large ISPs police their ingress/egress points very carefully
  - Watch for DDOS attacks and filter appropriately (e.g., BGP routing tricks, blacklisting, whitelisting)
  - Products in existence that coordinate view from many points in the network to identify upswings in
  - Interestingly, this is the same way they deal with worms
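
The "DOS Prevention - Puzzles" slide earlier in these notes describes the canonical puzzle: reveal all but k bits of r together with h(r), and have the client recover r. The following added example, not part of the lecture, implements both sides and counts the hashes each performs. SHA-256 as h, the 128-bit size of r, and all function names are assumptions made for illustration.

```python
"""Hash-inversion client puzzle: the server reveals all but k bits of r and h(r).

Added illustration. SHA-256 as h, a 128-bit r, and every function name
here are assumptions; the scheme itself is the one on the slide.
"""
import hashlib
import hmac
import secrets

R_BITS = 128


def h(r):
    """Hash of r, serialised as a fixed-width big-endian integer."""
    return hashlib.sha256(r.to_bytes(R_BITS // 8, "big")).digest()


def make_puzzle(k):
    """Server: pick r, hide its k low bits. Returns (puzzle, r)."""
    r = secrets.randbits(R_BITS)
    revealed = (r >> k) << k          # r with the k low bits cleared
    return (revealed, k, h(r)), r


def solve(puzzle):
    """Client: try the 2**k completions. Returns (r, hashes computed)."""
    revealed, k, target = puzzle
    for guess in range(1 << k):
        candidate = revealed | guess
        if h(candidate) == target:
            return candidate, guess + 1
    raise ValueError("no completion matches: malformed puzzle")


def verify(puzzle, answer):
    """Server: check the revealed bits, then compute exactly one hash."""
    revealed, k, target = puzzle
    if (answer >> k) << k != revealed:   # also rejects out-of-range answers
        return False
    return hmac.compare_digest(h(answer), target)


def worst_case_hashes(k):
    """Upper bound on client work; the expected cost is about half of this."""
    return 1 << k


if __name__ == "__main__":
    k = 16   # kept small so the demonstration finishes quickly
    puzzle, _ = make_puzzle(k)
    answer, tried = solve(puzzle)
    print(f"k={k}: client computed {tried} hashes, "
          f"bound {worst_case_hashes(k)}; server computes 1 to verify")
    print("accepted:", verify(puzzle, answer))
    print("k=20 bound:", worst_case_hashes(20))
```

With 20 hidden bits the client computes at most 1,048,576 hashes and about half that on average, while the server's check stays at one hash; k is the knob the server turns as load rises.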