Introduction ============ Administrivia Lectures will be MW11-12:30, in 1-190. Each lecture will cover a paper in systems security (except today). Preliminary paper list posted online, may change a bit. If you are interested in specific topics or papers, send us email. Read the paper before lecture, and submit by 10PM the night before: Answer to a short homework question (link from schedule page). Your own question about the paper (will try to answer in lecture). [ Submission site will be up soon. ] Will discuss the paper in class. Interrupt, ask questions, point out mistakes. Two quizzes during regular lecture time slot. No "final exam" during finals week; second quiz near end-of-term. Assignments: 5-6 labs + final project. Labs will look like real-world systems, in some respects: Many interacting parts written in different languages. Will look at/write x86 asm, C, Python, Javascript, .. Lab 1 out today: buffer overflows. Start early. Next week, tutorials on how to get started with lab 1. During office hours; rooms and hours will be posted on web site. Final project at the end of the course (groups of 3-4 people). Presentations during the last week of class. Think of projects you'd like to work on as you're reading papers. OK to combine with other class projects or your own research. Two co-lecturers: Nickolai, Frans. Four TAs: Jelle, Patrick, Sergio, Jonas. Sign up for Piazza (link on course web site). Use it to ask questions about labs, see what others are stuck on, etc. We will post any important announcements there. Warning about security work/research on MITnet (and in general). Know the rules: http://ist.mit.edu/services/athena/olh/rules. You will learn how to attack systems, so that you know how to defend them. Just because something is technically possible, doesn't mean it's legal. Ask course staff for advice if in doubt. What is security? Achieving some goal in the presence of an adversary. Many systems are connected to the internet, which has adversaries. Thus, design of many systems might need to address security. i.e., will the system work when there's an adversary? High-level plan for thinking about security: Policy: the goal you want to achieve. e.g. only Alice should read file F. Common goals: confidentiality, integrity, availability. Threat model: assumptions about what the attacker could do. e.g. can guess passwords, cannot physically grab file server. Better to err on the side of assuming attacker can do something. Mechanism: knobs that your system provides to help uphold policy. e.g. user accounts, passwords, file permissions, encryption. Resulting goal: no way for adversary within threat model to violate policy. Note that goal has nothing to say about mechanism. Why is security hard? Negative goal. Need to guarantee policy, assuming the threat model. Difficult to think of all possible ways that attacker might break in. Realistic threat models are open-ended (almost negative models). Contrast: easy to check whether a positive goal is upheld, e.g., Alice can actually read file F. Weakest link matters. Iterative process: design, update threat model as necessary, etc. What's the point if we can't achieve perfect security? For every system, its security rests on some assumptions (threat model). If assumptions are violated, security guarantees may be broken. In every paper we will read, something could lead to security compromise. Doesn't necessarily mean the system is not useful: depends on context. Important to understand what a system can do, and what a system cannot. In reality, must manage security risk vs benefit. More secure systems means less risk (or consequence) of some compromises. Insecure system may require manual auditing to check for attacks, etc. Higher cost of attack means more adversaries will be deterred. Better security often makes new functionality practical and safe. Suppose you want to run some application on your system. Large companies sometimes prohibit users from installing software that hasn't been approved on their desktops, partly due to security. Javascript in the browser is isolated, making it ok (for the most part) to run new code/applications without manual inspection/approval. (or virtual machines, or Native Client, or better OS isolation mechanisms) Similarly, VPNs make it practical to mitigate risk of allowing employees to connect to a corporate network from anywhere on the Internet. What goes wrong #1: problems with the policy. Example: Fairfax County, VA school system. [ Ref: http://catless.ncl.ac.uk/Risks/26.02.html#subj7.1 ] Student can access only his/her own files in the school system. Superintendent has access to everyone's files. Teachers can add new students to their class. Teachers can change password of students in their class. What's the worst that could happen if student gets teacher's password? Student adds the superintendent to the compromised teacher's class. Changes the superintendent's password, since they're a student in class. Logs in as superintendent and gets access to all files. Policy amounts to: teachers can do anything. Example: Sarah Palin's email account. [ Ref: http://en.wikipedia.org/wiki/Sarah_Palin_email_hack ] Yahoo email accounts have a username, password, and security questions. User can log in by supplying username and password. If user forgets password, can reset by answering security Qs. Security questions can sometimes be easier to guess than password. Some adversary guessed Sarah Palin's high school, birthday, etc. Policy amounts to: can log in with either password or security Qs. (no way to enforce "Only if user forgets password, then ...") Example: Mat Honan's accounts at Amazon, Apple, Google, etc. [ Ref: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/ ] Gmail password reset: send a verification link to a backup email address. Google helpfully prints part of the backup email address. Mat Honan's backup address was his Apple @me.com account. Apple password reset: need billing address, last 4 digits of credit card. Address can be easy, but how to get 4 digits of user's credit card number? Amazon: can add a credit card to an account, no password required. Amazon password reset: provide any one of user's credit card numbers. Amazon: will not print credit card numbers.. But will print last 4 digits! How to solve? Think hard about implications of policy statements. Some policy checking tools can automate this process. Automation requires higher-level goal (e.g. no way for student to do X). What goes wrong #2: problems with threat model / assumptions. Example: human factors not accounted for. Phishing attacks. User gets email asking to renew email account, transfer money, or ... Tech support gets call from convincing-sounding user to reset password. "Rubberhose cryptanalysis". Example: all SSL certificate CAs are fully trusted. To connect to an SSL-enabled web site, web browser verifies certificate. Certificate is a combination of server's host name and cryptographic key, signed by some trusted certificate authority (CA). Long list (hundreds) of certificate authorities trusted by most browsers. If any CA is compromised, adversary can intercept SSL connections with a "fake" certificate for any server host name. In 2011, two CAs were compromised, issued fake certs for many domains (google, yahoo, tor, ...), apparently used in Iran (?). [ Ref: http://en.wikipedia.org/wiki/DigiNotar ] [ Ref: http://en.wikipedia.org/wiki/Comodo_Group ] In 2012, a CA inadvertently issued a root certificate valid for any domain. [ Ref: http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html ] Example: assuming good randomness for cryptography. Need high-quality randomness to generate the keys that can't be guessed. Problem: embedded devices, virtual machines may not have much randomness. As a result, many keys are similar or susceptible to guessing attacks. [ https://factorable.net/weakkeys12.extended.pdf ] Example: subverting military OS security. In the 80's, military encouraged research into secure OS'es. One unexpected way in which OS'es were compromised: adversary gained access to development systems, modified OS code. Example: subverting firewalls. Adversaries can connect to an unsecured wireless behind firewall Adversaries can trick user behind firewall to disable firewall Might suffice just to click on link http://firewall/?action=disable Or maybe buy an ad on CNN.com pointing to that URL (effectively)? Example: machines disconnected from the Internet are secure? Stuxnet worm spread via specially-constructed files on USB drives. How to solve? Think hard (unfortunately). Simpler, more general threat models. Better designs may eliminate / lessen reliance on certain assumptions. E.g., alternative trust models that don't have fully-trusted CAs. E.g., authentication mechanisms that aren't susceptible to phishing. What goes wrong #3: problems with the mechanism -- bugs. Bugs in the security mechanism (e.g., OS kernel) lead to vulnerabilities. If application is enforcing security, app-level bugs lead to vulnerabilities. Example: PayMaxx W2 form disclosure. [ Ref: http://www.thinkcomputer.com/corporate/whitepapers/identitycrisis.pdf ] Web site designed to allow users to download their tax forms online. Login page asks for username and password. If username and password OK, redirected to new page. Link to print W2 form was of the form: http://paymaxx.com/print.cgi?id=91281 Turns out 91281 was the user's ID; print.cgi did not require password Can fetch any user's W2 form by going directly to the print.cgi URL Possibly a wrong threat model: doesn't match the real world? System is secure if adversary browses the web site through browser System not secure if adversary synthesizes new URLs on their own Hard to say if developers had wrong threat model, or buggy mechanism.. Example: Moxie's SSL certificate name checking bug Null byte vs. length-encoding. Example: Debian PRNG weakness. Debian shipped with a library called OpenSSL for cryptography. Used to generate secret keys (for signing or encrypting things later). Secret key generated by gathering some random numbers. Developer accidentally "optimized away" part of random number generator. No-one noticed for a while, because could still generate secret keys. Problem: many secret keys were identical, and not so secret as a result. Example: bugs in sandbox (NaCl, Javascript). Allows adversary to escape isolation, do operations they weren't supposed to. Example: buffer overflows (see below). Case study: buffer overflows. Consider a web server. Often times, the web server's code is responsible for security. E.g., checking which URLs can be accessed, checking SSL client certs, .. Thus, bugs in the server's code can lead to security compromises. What's the threat model, policy? Assume that adversary can connect to web server, supply any inputs. Policy is a bit loose: only perform operations intended by programmer? E.g., don't want adversary to steal data, bypass checks, install backdoors. Consider the following example code from, say, a web server: void read_req(void) { char buf[128]; int i; gets(buf); i = atoi(buf); } What does the compiler generate in terms of memory layout? x86 stack: Stack grows down. %esp points to the last (bottom-most) valid thing on the stack. %ebp points to the caller's %esp value. +------------------+ entry %ebp ----> | .. prev frame .. | | | | | +------------------+ entry %esp ----> | return address | +------------------+ new %ebp ------> | saved %ebp | +------------------+ | buf[127] | | ... | | buf[0] | +------------------+ new %esp ------> | i | +------------------+ Caller's code (say, main): call read_req read_req's code: push %ebp mov %esp -> %ebp sub 168, %esp # stack vars, etc ... mov %ebp -> %esp pop %ebp ret How does the adversary take advantage of this code? Supply long input, overwrite data on stack past buffer. Interesting bit of data: return address, gets used by 'ret'. Can set return address to the buffer itself, include some code in there. How does the adversary know the address of the buffer? What if one machine has twice as much memory? Luckily for adversary, virtual memory makes things more deterministic. For a given OS and program, addresses will often be the same. What happens if stack grows up, instead of down? Look at the stack frame for gets. What can the adversary do once they are executing code? Use any privileges of the process. Often leverage overflow to gain easier access into system. Originally on Unix, run shell /bin/sh (thus, "shell code"). If the process is running as root or Administrator, can do anything. Even if not, can still send spam, read files (web server, database), .. Can attack other machines behind a firewall. Why would programmers write such code? Legacy code, wasn't exposed to the internet. Programmers were not thinking about security. Many standard functions used to be unsafe (strcpy, gets, sprintf). Even safe versions have gotchas (strncpy does not null-terminate). More generally, any memory errors can translate into a vulnerability. Using memory after it has been deallocated (use-after-free). If writing, overwrite new data structure, e.g. function ptr. If reading, might call a corrupted function pointer. Freeing the same memory twice (double-free). Might cause malloc to later return the same memory twice. Decrementing the stack ptr past the end of stack, into some other memory. [ http://www.invisiblethingslab.com/resources/misc-2010/xorg-large-memory-attacks.pdf ] Might not even need to overwrite a return address or function pointer. Can suffice to read sensitive data like an encryption key. Can suffice to change some bits (e.g. int isLoggedIn, int isRoot). How to avoid mechanism problems? Reduce the amount of security-critical code. Don't rely on the entire application to enforce security. Lab 2. Avoid bugs in security-critical code. E.g., don't use gets(), use fgets() which can limit buffer length. Use common, well-tested security mechanisms ("Economy of mechanism"). Audit these common security mechanisms (lots of incentive to do so). Avoid developing new, one-off mechanisms that may have bugs. Good mechanism supports many uses, policies (more incentive to audit). Examples of common mechanisms: - OS-level access control (but, could often be better) - network firewalls (but, could often be better) - cryptography, cryptographic protocols.