Notes
Session 06 Modern Offensive and Defensive Solutions
Security of Information Systems (SIS)
Departamentul de Calculatoare
November 2, 2018
1 / 45
Attack and Defense Notes
I attack: exploit vulnerabilities I defense: prevent attacks, make attacks difficult, confine attacks I attacker needs to find one security hole I defender has to protect all security holes I attacker invests time I defense mechanisms incur overhead
2 / 45
Attacker Perspective and Mindset Notes
I find one vulnerability and build from that I look for something that is valuable I do reconnaisance, look for weak spots I create an attack chain I use every trick in the book I start from existing knowledge
3 / 45
Defender Perspective and Mindset Notes
I protect all entry points I users are vulnerable, as well as technology I use multiple defensive layers I monitor, be proactive I discipline, best practices are worth more than skills I invest more on valuable targets
4 / 45 Attacker Pros/Cons Notes
I apart from ethical hackers, security researchers, it’s a shady business I you may not need skills, just a weak target and a database of attack vectors I you may get caught I you only need to find one spot I possible great gains I little time for fame (annonymous) I the Internet gives you tons of targets I but many targets give little more than fun
5 / 45
Defender Pros/Cons Notes
I less resources (time) than an attacker I must think of everything I is being paid constructively I you have a purpose: keep the system running I it never ends
6 / 45
Honeypots Notes
I baits I a system appearing as vulnerable but closely monitored I deflect, change attention and collect attacker information
7 / 45
Evolution of Application Security Notes
I buffer overflows I shellcodes I memory protection (DEP, WX)ˆ I memory randomization I canaries I code reuse I CFI (Control Flow Integrity) I memory safety, safe programming languages I static and dynamic analysis I hardware enhanced security
9 / 45 Fine-grained ASLR Notes
I https://dl.acm.org/citation.cfm?id=2498135 I issue with ASLR: memory disclosure / information leak I one address leaked reveals all information I do it at page level I one leak may lead to other leaks that are chained together
10 / 45
SafeStack Notes
I https://clang.llvm.org/docs/SafeStack.html I part of the Code Pointer Integrity project: http://dslab.epfl.ch/proj/cpi/ I moves sensitive information (such as return addresses) on a safe stack, leaving problematic ones on the unsafe stack I reduced overhead, protects against stack buffer overflows I microStache: https://www.springerprofessional.de/en/ microstache-a-lightweight-execution-context-for-in-process-safe-/ 16103742
11 / 45
Address Sanitizer Notes
I ASan I https: //research.google.com/pubs/archive/37752.pdf I https://github.com/google/sanitizers/ I instruments code I only useful in development I detects out-of-bounds bugs, memory leaks
12 / 45
CFI/CPI Notes
I https://dl.acm.org/citation.cfm?id=1102165 I https://www.usenix.org/node/186160 I http://dslab.epfl.ch/proj/cpi/ I coarse-grained CFI vs fine-grained CFI I Control Flow Integrity, Code Pointer Integrity I protect against control flow hijack attacks I CPI is weaker than CFI but more practical (reduced overhead) I CPI protects all code pointers, data based attacks may still happen I CPS (Code Pointer Separation) is a weaker yet more practical for of CPI
13 / 45 Shellcodes Notes
I difficult to inject due to DEP, small buffers and input validation I preliminary parts of the attack may remap memory region I shellcode may do stack pivoting and then load another shellcode I alphanumeric shellcodes: still need a binary address to bootstrap
14 / 45
Code Reuse Notes
I bypass DEP by using existing pieces of code I code gadgets I used in ROP (Return-Oriented Programming) and JOP (Jump-Oriented programming)
15 / 45
Return-Oriented Programming Notes
I gadgets ending in ret I may be chained together to form an attack I Turing-complete languge I http://www.suse.de/~krahmer/no-nx.pdf I https://dl.acm.org/citation.cfm?id=2133377 I most common way of creating runtime attack vectors I JOP: https://dl.acm.org/citation.cfm?id=1966919 I gadgets end up in an indirect branch not a ret
16 / 45
Anti-ROP Defense Notes
I prevent atacks I SafeStack I CFI/CPI, ASan I Microsoft CFG, RFG I detect attacks I Microsoft EMET (Enhanced Mitigation Experience Toolkit), ProcessMitigations module
17 / 45 Data-Oriented Attacks Notes
I https://www.usenix.org/node/190963 I https://huhong-nus.github.io/advanced-DOP/ I overwrites data, not code pointers I bypasses CFI
18 / 45
Evolution of OS Security Notes
I traditional main goals: functionality and reduced overhead I recent focus on OS security: plethora of devices and use cases I malware may easily take place among legitimate applications I kernel exploits become more common I OS virtualization, reduce TCB to hypervisor I include hardware-enforced security features
20 / 45
Mandatory Access Control Notes
I opposed to Discretionary Access Control, where owner controls permissions I system-imposed settings I increased, centralized security I difficult to configure and maintain I rigid, non-elastic I Bell-LaPadula Model: http: //csrc.nist.gov/publications/history/bell76.pdf I SELinux, TrustedBSD, Mandatory Integrity Control
21 / 45
Role-Based Access Control Notes
I https: //ieeexplore.ieee.org/abstract/document/485845 I https://dl.acm.org/citation.cfm?id=266751 I aggregate permissions into roles I role assignment, role authorization, permission authorization I useful in organizations
22 / 45 Sandboxing Notes
I assume application may be malware I reduce potential damage I confine access to a minimal set of allowed actions I typically implemented at sandbox level (kernel enforced) I iOS sandboxing, Linux seccomp
23 / 45
Application Signing Notes
I ensure application is validated I used by application stores and repositories: GooglePlay, Apple AppStore I device may not run non-signed apps
24 / 45 iOS Jekyll Apps Notes
I https: //www.usenix.org/conference/usenixsecurity13/ technical-sessions/presentation/wang_tielei I apparently legimitate iOS app I bypasses Apple vetting I obfuscates calls to private libraries (part of the same address space, fixed from iOS 7) I once installed turns out to be malware I exfiltrates private data, exploits vulnerabilities
25 / 45
Jailreaking/Rooting Notes
I https://dl.acm.org/citation.cfm?id=3196527 I get root access on a device I close to full control I requires a critical vulnerability that gets root access I tethered (requires re-jailbreaking after reboot) cs non-tethered I essential for security researchers
26 / 45 Hardware-centric Attacks Notes
I side channels I undocumented hardware features I imperfect hardware features that leak information I proprietary features that get exploited I hardware is part of TCB, reveals kernel memory
27 / 45
Sidechannel Attacks Notes
I do not exploit vulnerabilities in applications or kernel code I mostly use features such as
28 / 45 x86 Instruction Fuzzing Notes
I https://www.blackhat.com/docs/us-17/thursday/ us-17-Domas-Breaking-The-x86-Instruction-Set-wp. pdf I https://github.com/xoreaxeaxeax/sandsifter I https://i.blackhat.com/us-18/Thu-August-9/ us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs. pdf I instruction of length N is placed at the end of the page I creates a fuzzer for the x86 instruction set I found glitches, hidden instructions
29 / 45
IME Notes
I Intel Management Engine I AMD Secure Techonology I hardware features and highly proprietary firmware I https://www.theverge.com/2018/1/3/16844630/ intel-processor-security-flaw-bug-kernel-windows-linux I user space app could access kernel space memory access I accused of being a backdoor to the system
30 / 45 rowhammer Attack Notes
I https://users.ece.cmu.edu/~yoonguk/papers/ kim-isca14.pdf I https://www.vusec.net/projects/drammer/ I https://googleprojectzero.blogspot.com/2015/03/ exploiting-dram-rowhammer-bug-to-gain.html I https://www.blackhat.com/docs/us-15/materials/ us-15-Seaborn-Exploiting-The-DRAM-Rowhammer-Bug-To-Gain-Kernel-Privileges. pdf I hardware fault in DRAM chips I constant bit flip pattern in certain rows can cause a flip in another row (not belonging to the current process) I may be exploited to get root access
31 / 45
Spectre and Meltdown Notes
I https://meltdownattack.com I https://www.usenix.org/system/files/conference/ usenixsecurity18/sec18-lipp.pdf I application may access data from another application I Meltdown exploits a hardware race condition allowing an unprivileged process to read privileged data I Spectre does a side channel attack on speculative execution features of modern CPUs I hardware fixes by Intel, software solutions
32 / 45
KPTI Notes
I Kernel Page Table Isolation I https://lwn.net/Articles/741878/ I place kernel in separate address space I mitigation against hardware-centric attacks
33 / 45
Hypervisor Attacks Notes
I https://dl.acm.org/citation.cfm?id=2484406 I attack/compromise hypervisor, get control of VMs I may exploit a vulnerability in the hypercall interface or may exploit a hardware bug I hyperjacking
34 / 45 Evolution of Web Security Notes
I path traversals, misconfigurations I injections I XSS I misconfiguration I unsafe communication I application/language bugs
36 / 45
Secure Communication Notes
I provide secure communication between client and server I HTTPS everywhere I Secure Cookie I strong encryption, strong protocols
37 / 45
Attacks on Security Protocols Notes
I https://tools.ietf.org/html/rfc7457 I https://www.mitls.org/pages/attacks I flaws in protocol logic I cryptographic design flaws I implementation flaws
38 / 45
Connection Downgrade Notes
I part of man-in-the-middle attack I negociate a connection with weaker protocol features than the current one I ideally drop HTTPS alltogether I POODLE (Padding Oracle On Downgraded Legacy Encryption) I https://www.openssl.org/~bodo/ssl-poodle.pdf
39 / 45 Advanced Injection Attacks Notes
I LDAP, XPath injection I blind SQL injection: content-based and time-based I https://www.owasp.org/images/7/74/Advanced_SQL_ Injection.ppt I https://nvisium.com/blog/2015/06/17/ advanced-sql-injection.html
40 / 45
Language Bugs Notes
I bugs/vulnerabilities in frameworks I bugs/vulnerabilities in web modules or languate interpreter
41 / 45
Modern Offensive and Defensive Techniques Notes
I attacks focus on low-level aspects of a system: hide features, exploit hardware, side channels, protocol design I assume better/improved applications but imperfect system/protocol/configuration design I defense takes more time and incurs significant overhead I battle rages on
43 / 45
Keywords Notes
I honeypot I Jekyll apps I fine-grained ASLR I jailbreak, rooting I SafeStack I side channel attacks I AddressSanitizer I IME attack I CFI/CPI I Meltdown, Spectre I code reuse I KPTI I ROP, JOP I rowhammer I data-oriented attacks I connection downgrade I MAC, RBAC I POODLE I sandboxing I blind SQL injection
44 / 45 Resources Notes
I see URLs accross slides
45 / 45
Notes
Notes
Notes