Notes

Session 06 Modern Offensive and Defensive Solutions

Security of Information Systems (SIS)

Departamentul de Calculatoare

November 2, 2018

1 / 45

Attack and Defense Notes

I attack: exploit vulnerabilities I defense: prevent attacks, make attacks difficult, confine attacks I attacker needs to find one security hole I defender has to protect all security holes I attacker invests time I defense mechanisms incur overhead

2 / 45

Attacker Perspective and Mindset Notes

I find one vulnerability and build from that I look for something that is valuable I do reconnaisance, look for weak spots I create an attack chain I use every trick in the book I start from existing knowledge

3 / 45

Defender Perspective and Mindset Notes

I protect all entry points I users are vulnerable, as well as technology I use multiple defensive layers I monitor, be proactive I discipline, best practices are worth more than skills I invest more on valuable targets

4 / 45 Attacker Pros/Cons Notes

I apart from ethical hackers, security researchers, it’s a shady business I you may not need skills, just a weak target and a database of attack vectors I you may get caught I you only need to find one spot I possible great gains I little time for fame (annonymous) I the Internet gives you tons of targets I but many targets give little more than fun

5 / 45

Defender Pros/Cons Notes

I less resources (time) than an attacker I must think of everything I is being paid constructively I you have a purpose: keep the system running I it never ends

6 / 45

Honeypots Notes

I baits I a system appearing as vulnerable but closely monitored I deflect, change attention and collect attacker information

7 / 45

Evolution of Application Security Notes

I buffer overflows I shellcodes I memory protection (DEP, WX)ˆ I memory randomization I canaries I code reuse I CFI (Control Flow Integrity) I memory safety, safe programming languages I static and dynamic analysis I hardware enhanced security

9 / 45 Fine-grained ASLR Notes

I https://dl.acm.org/citation.cfm?id=2498135 I issue with ASLR: memory disclosure / information leak I one address leaked reveals all information I do it at page level I one leak may lead to other leaks that are chained together

10 / 45

SafeStack Notes

I https://clang.llvm.org/docs/SafeStack.html I part of the Code Pointer Integrity project: http://dslab.epfl.ch/proj/cpi/ I moves sensitive information (such as return addresses) on a safe stack, leaving problematic ones on the unsafe stack I reduced overhead, protects against stack buffer overflows I microStache: https://www.springerprofessional.de/en/ microstache-a-lightweight-execution-context-for-in-process-safe-/ 16103742

11 / 45

Address Sanitizer Notes

I ASan I https: //research.google.com/pubs/archive/37752.pdf I https://github.com/google/sanitizers/ I instruments code I only useful in development I detects out-of-bounds bugs, memory leaks

12 / 45

CFI/CPI Notes

I https://dl.acm.org/citation.cfm?id=1102165 I https://www.usenix.org/node/186160 I http://dslab.epfl.ch/proj/cpi/ I coarse-grained CFI vs fine-grained CFI I Control Flow Integrity, Code Pointer Integrity I protect against control flow hijack attacks I CPI is weaker than CFI but more practical (reduced overhead) I CPI protects all code pointers, data based attacks may still happen I CPS (Code Pointer Separation) is a weaker yet more practical for of CPI

13 / 45 Shellcodes Notes

I difficult to inject due to DEP, small buffers and input validation I preliminary parts of the attack may remap memory region I shellcode may do stack pivoting and then load another shellcode I alphanumeric shellcodes: still need a binary address to bootstrap

14 / 45

Code Reuse Notes

I bypass DEP by using existing pieces of code I code gadgets I used in ROP (Return-Oriented Programming) and JOP (Jump-Oriented programming)

15 / 45

Return-Oriented Programming Notes

I gadgets ending in ret I may be chained together to form an attack I Turing-complete languge I http://www.suse.de/~krahmer/no-nx.pdf I https://dl.acm.org/citation.cfm?id=2133377 I most common way of creating runtime attack vectors I JOP: https://dl.acm.org/citation.cfm?id=1966919 I gadgets end up in an indirect branch not a ret

16 / 45

Anti-ROP Defense Notes

I prevent atacks I SafeStack I CFI/CPI, ASan I Microsoft CFG, RFG I detect attacks I Microsoft EMET (Enhanced Mitigation Experience Toolkit), ProcessMitigations module

17 / 45 Data-Oriented Attacks Notes

I https://www.usenix.org/node/190963 I https://huhong-nus.github.io/advanced-DOP/ I overwrites data, not code pointers I bypasses CFI

18 / 45

Evolution of OS Security Notes

I traditional main goals: functionality and reduced overhead I recent focus on OS security: plethora of devices and use cases I malware may easily take place among legitimate applications I kernel exploits become more common I OS virtualization, reduce TCB to hypervisor I include hardware-enforced security features

20 / 45

Mandatory Access Control Notes

I opposed to Discretionary Access Control, where owner controls permissions I system-imposed settings I increased, centralized security I difficult to configure and maintain I rigid, non-elastic I Bell-LaPadula Model: http: //csrc.nist.gov/publications/history/bell76.pdf I SELinux, TrustedBSD, Mandatory Integrity Control

21 / 45

Role-Based Access Control Notes

I https: //ieeexplore.ieee.org/abstract/document/485845 I https://dl.acm.org/citation.cfm?id=266751 I aggregate permissions into roles I role assignment, role authorization, permission authorization I useful in organizations

22 / 45 Sandboxing Notes

I assume application may be malware I reduce potential damage I confine access to a minimal set of allowed actions I typically implemented at sandbox level (kernel enforced) I iOS sandboxing, Linux seccomp

23 / 45

Application Signing Notes

I ensure application is validated I used by application stores and repositories: GooglePlay, Apple AppStore I device may not run non-signed apps

24 / 45 iOS Jekyll Apps Notes

I https: //www.usenix.org/conference/usenixsecurity13/ technical-sessions/presentation/wang_tielei I apparently legimitate iOS app I bypasses Apple vetting I obfuscates calls to private libraries (part of the same address space, fixed from iOS 7) I once installed turns out to be malware I exfiltrates private data, exploits vulnerabilities

25 / 45

Jailreaking/Rooting Notes

I https://dl.acm.org/citation.cfm?id=3196527 I get root access on a device I close to full control I requires a critical vulnerability that gets root access I tethered (requires re-jailbreaking after reboot) cs non-tethered I essential for security researchers

26 / 45 Hardware-centric Attacks Notes

I side channels I undocumented hardware features I imperfect hardware features that leak information I proprietary features that get exploited I hardware is part of TCB, reveals kernel memory

27 / 45

Sidechannel Attacks Notes

I do not exploit vulnerabilities in applications or kernel code I mostly use features such as

28 / 45 x86 Instruction Fuzzing Notes

I https://www.blackhat.com/docs/us-17/thursday/ us-17-Domas-Breaking-The-x86-Instruction-Set-wp. pdf I https://github.com/xoreaxeaxeax/sandsifter I https://i.blackhat.com/us-18/Thu-August-9/ us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs. pdf I instruction of length N is placed at the end of the page I creates a fuzzer for the x86 instruction set I found glitches, hidden instructions

29 / 45

IME Notes

I Intel Management Engine I AMD Secure Techonology I hardware features and highly proprietary firmware I https://www.theverge.com/2018/1/3/16844630/ intel-processor-security-flaw-bug-kernel-windows-linux I user space app could access kernel space memory access I accused of being a backdoor to the system

30 / 45 rowhammer Attack Notes

I https://users.ece.cmu.edu/~yoonguk/papers/ kim-isca14.pdf I https://www.vusec.net/projects/drammer/ I https://googleprojectzero.blogspot.com/2015/03/ exploiting-dram-rowhammer-bug-to-gain.html I https://www.blackhat.com/docs/us-15/materials/ us-15-Seaborn-Exploiting-The-DRAM-Rowhammer-Bug-To-Gain-Kernel-Privileges. pdf I hardware fault in DRAM chips I constant bit flip pattern in certain rows can cause a flip in another row (not belonging to the current process) I may be exploited to get root access

31 / 45

Spectre and Meltdown Notes

I https://meltdownattack.com I https://www.usenix.org/system/files/conference/ usenixsecurity18/sec18-lipp.pdf I application may access data from another application I Meltdown exploits a hardware race condition allowing an unprivileged process to read privileged data I Spectre does a side channel attack on speculative execution features of modern CPUs I hardware fixes by Intel, software solutions

32 / 45

KPTI Notes

I Kernel Page Table Isolation I https://lwn.net/Articles/741878/ I place kernel in separate address space I mitigation against hardware-centric attacks

33 / 45

Hypervisor Attacks Notes

I https://dl.acm.org/citation.cfm?id=2484406 I attack/compromise hypervisor, get control of VMs I may exploit a vulnerability in the hypercall interface or may exploit a hardware bug I hyperjacking

34 / 45 Evolution of Web Security Notes

I path traversals, misconfigurations I injections I XSS I misconfiguration I unsafe communication I application/language bugs

36 / 45

Secure Communication Notes

I provide secure communication between client and server I HTTPS everywhere I Secure Cookie I strong encryption, strong protocols

37 / 45

Attacks on Security Protocols Notes

I https://tools.ietf.org/html/rfc7457 I https://www.mitls.org/pages/attacks I flaws in protocol logic I cryptographic design flaws I implementation flaws

38 / 45

Connection Downgrade Notes

I part of man-in-the-middle attack I negociate a connection with weaker protocol features than the current one I ideally drop HTTPS alltogether I POODLE (Padding Oracle On Downgraded Legacy Encryption) I https://www.openssl.org/~bodo/ssl-poodle.pdf

39 / 45 Advanced Injection Attacks Notes

I LDAP, XPath injection I blind SQL injection: content-based and time-based I https://www.owasp.org/images/7/74/Advanced_SQL_ Injection.ppt I https://nvisium.com/blog/2015/06/17/ advanced-sql-injection.html

40 / 45

Language Bugs Notes

I bugs/vulnerabilities in frameworks I bugs/vulnerabilities in web modules or languate interpreter

41 / 45

Modern Offensive and Defensive Techniques Notes

I attacks focus on low-level aspects of a system: hide features, exploit hardware, side channels, protocol design I assume better/improved applications but imperfect system/protocol/configuration design I defense takes more time and incurs significant overhead I battle rages on

43 / 45

Keywords Notes

I honeypot I Jekyll apps I fine-grained ASLR I jailbreak, rooting I SafeStack I side channel attacks I AddressSanitizer I IME attack I CFI/CPI I Meltdown, Spectre I code reuse I KPTI I ROP, JOP I rowhammer I data-oriented attacks I connection downgrade I MAC, RBAC I POODLE I sandboxing I blind SQL injection

44 / 45 Resources Notes

I see URLs accross slides

45 / 45

Notes

Notes

Notes