Notes Session 06 Modern Offensive and Defensive Solutions Security of Information Systems (SIS) Departamentul de Calculatoare November 2, 2018 1 / 45 Attack and Defense Notes I attack: exploit vulnerabilities I defense: prevent attacks, make attacks difficult, confine attacks I attacker needs to find one security hole I defender has to protect all security holes I attacker invests time I defense mechanisms incur overhead 2 / 45 Attacker Perspective and Mindset Notes I find one vulnerability and build from that I look for something that is valuable I do reconnaisance, look for weak spots I create an attack chain I use every trick in the book I start from existing knowledge 3 / 45 Defender Perspective and Mindset Notes I protect all entry points I users are vulnerable, as well as technology I use multiple defensive layers I monitor, be proactive I discipline, best practices are worth more than skills I invest more on valuable targets 4 / 45 Attacker Pros/Cons Notes I apart from ethical hackers, security researchers, it's a shady business I you may not need skills, just a weak target and a database of attack vectors I you may get caught I you only need to find one spot I possible great gains I little time for fame (annonymous) I the Internet gives you tons of targets I but many targets give little more than fun 5 / 45 Defender Pros/Cons Notes I less resources (time) than an attacker I must think of everything I is being paid constructively I you have a purpose: keep the system running I it never ends 6 / 45 Honeypots Notes I baits I a system appearing as vulnerable but closely monitored I deflect, change attention and collect attacker information 7 / 45 Evolution of Application Security Notes I buffer overflows I shellcodes I memory protection (DEP, WX)^ I memory randomization I canaries I code reuse I CFI (Control Flow Integrity) I memory safety, safe programming languages I static and dynamic analysis I hardware enhanced security 9 / 45 Fine-grained ASLR Notes I https://dl.acm.org/citation.cfm?id=2498135 I issue with ASLR: memory disclosure / information leak I one address leaked reveals all information I do it at page level I one leak may lead to other leaks that are chained together 10 / 45 SafeStack Notes I https://clang.llvm.org/docs/SafeStack.html I part of the Code Pointer Integrity project: http://dslab.epfl.ch/proj/cpi/ I moves sensitive information (such as return addresses) on a safe stack, leaving problematic ones on the unsafe stack I reduced overhead, protects against stack buffer overflows I microStache: https://www.springerprofessional.de/en/ microstache-a-lightweight-execution-context-for-in-process-safe-/ 16103742 11 / 45 Address Sanitizer Notes I ASan I https: //research.google.com/pubs/archive/37752.pdf I https://github.com/google/sanitizers/ I instruments code I only useful in development I detects out-of-bounds bugs, memory leaks 12 / 45 CFI/CPI Notes I https://dl.acm.org/citation.cfm?id=1102165 I https://www.usenix.org/node/186160 I http://dslab.epfl.ch/proj/cpi/ I coarse-grained CFI vs fine-grained CFI I Control Flow Integrity, Code Pointer Integrity I protect against control flow hijack attacks I CPI is weaker than CFI but more practical (reduced overhead) I CPI protects all code pointers, data based attacks may still happen I CPS (Code Pointer Separation) is a weaker yet more practical for of CPI 13 / 45 Shellcodes Notes I difficult to inject due to DEP, small buffers and input validation I preliminary parts of the attack may remap memory region I shellcode may do stack pivoting and then load another shellcode I alphanumeric shellcodes: still need a binary address to bootstrap 14 / 45 Code Reuse Notes I bypass DEP by using existing pieces of code I code gadgets I used in ROP (Return-Oriented Programming) and JOP (Jump-Oriented programming) 15 / 45 Return-Oriented Programming Notes I gadgets ending in ret I may be chained together to form an attack I Turing-complete languge I http://www.suse.de/~krahmer/no-nx.pdf I https://dl.acm.org/citation.cfm?id=2133377 I most common way of creating runtime attack vectors I JOP: https://dl.acm.org/citation.cfm?id=1966919 I gadgets end up in an indirect branch not a ret 16 / 45 Anti-ROP Defense Notes I prevent atacks I SafeStack I CFI/CPI, ASan I Microsoft CFG, RFG I detect attacks I Microsoft EMET (Enhanced Mitigation Experience Toolkit), ProcessMitigations module 17 / 45 Data-Oriented Attacks Notes I https://www.usenix.org/node/190963 I https://huhong-nus.github.io/advanced-DOP/ I overwrites data, not code pointers I bypasses CFI 18 / 45 Evolution of OS Security Notes I traditional main goals: functionality and reduced overhead I recent focus on OS security: plethora of devices and use cases I malware may easily take place among legitimate applications I kernel exploits become more common I OS virtualization, reduce TCB to hypervisor I include hardware-enforced security features 20 / 45 Mandatory Access Control Notes I opposed to Discretionary Access Control, where owner controls permissions I system-imposed settings I increased, centralized security I difficult to configure and maintain I rigid, non-elastic I Bell-LaPadula Model: http: //csrc.nist.gov/publications/history/bell76.pdf I SELinux, TrustedBSD, Mandatory Integrity Control 21 / 45 Role-Based Access Control Notes I https: //ieeexplore.ieee.org/abstract/document/485845 I https://dl.acm.org/citation.cfm?id=266751 I aggregate permissions into roles I role assignment, role authorization, permission authorization I useful in organizations 22 / 45 Sandboxing Notes I assume application may be malware I reduce potential damage I confine access to a minimal set of allowed actions I typically implemented at sandbox level (kernel enforced) I iOS sandboxing, Linux seccomp 23 / 45 Application Signing Notes I ensure application is validated I used by application stores and repositories: GooglePlay, Apple AppStore I device may not run non-signed apps 24 / 45 iOS Jekyll Apps Notes I https: //www.usenix.org/conference/usenixsecurity13/ technical-sessions/presentation/wang_tielei I apparently legimitate iOS app I bypasses Apple vetting I obfuscates calls to private libraries (part of the same address space, fixed from iOS 7) I once installed turns out to be malware I exfiltrates private data, exploits vulnerabilities 25 / 45 Jailreaking/Rooting Notes I https://dl.acm.org/citation.cfm?id=3196527 I get root access on a device I close to full control I requires a critical vulnerability that gets root access I tethered (requires re-jailbreaking after reboot) cs non-tethered I essential for security researchers 26 / 45 Hardware-centric Attacks Notes I side channels I undocumented hardware features I imperfect hardware features that leak information I proprietary features that get exploited I hardware is part of TCB, reveals kernel memory 27 / 45 Sidechannel Attacks Notes I do not exploit vulnerabilities in applications or kernel code I mostly use features such as 28 / 45 x86 Instruction Fuzzing Notes I https://www.blackhat.com/docs/us-17/thursday/ us-17-Domas-Breaking-The-x86-Instruction-Set-wp. pdf I https://github.com/xoreaxeaxeax/sandsifter I https://i.blackhat.com/us-18/Thu-August-9/ us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs. pdf I instruction of length N is placed at the end of the page I creates a fuzzer for the x86 instruction set I found glitches, hidden instructions 29 / 45 IME Notes I Intel Management Engine I AMD Secure Techonology I hardware features and highly proprietary firmware I https://www.theverge.com/2018/1/3/16844630/ intel-processor-security-flaw-bug-kernel-windows-linux I user space app could access kernel space memory access I accused of being a backdoor to the system 30 / 45 rowhammer Attack Notes I https://users.ece.cmu.edu/~yoonguk/papers/ kim-isca14.pdf I https://www.vusec.net/projects/drammer/ I https://googleprojectzero.blogspot.com/2015/03/ exploiting-dram-rowhammer-bug-to-gain.html I https://www.blackhat.com/docs/us-15/materials/ us-15-Seaborn-Exploiting-The-DRAM-Rowhammer-Bug-To-Gain-Kernel-Privileges. pdf I hardware fault in DRAM chips I constant bit flip pattern in certain rows can cause a flip in another row (not belonging to the current process) I may be exploited to get root access 31 / 45 Spectre and Meltdown Notes I https://meltdownattack.com I https://www.usenix.org/system/files/conference/ usenixsecurity18/sec18-lipp.pdf I application may access data from another application I Meltdown exploits a hardware race condition allowing an unprivileged process to read privileged data I Spectre does a side channel attack on speculative execution features of modern CPUs I hardware fixes by Intel, software solutions 32 / 45 KPTI Notes I Kernel Page Table Isolation I https://lwn.net/Articles/741878/ I place kernel in separate address space I mitigation against hardware-centric attacks 33 / 45 Hypervisor Attacks Notes I https://dl.acm.org/citation.cfm?id=2484406 I attack/compromise hypervisor, get control of VMs I may exploit a vulnerability in the hypercall interface or may exploit a hardware bug I hyperjacking 34 / 45 Evolution of Web Security Notes I path traversals, misconfigurations I injections I XSS I misconfiguration I unsafe communication I application/language bugs 36 / 45 Secure Communication Notes I provide secure communication between client and server I HTTPS everywhere I Secure Cookie I strong encryption, strong protocols 37 / 45 Attacks on Security Protocols Notes I https://tools.ietf.org/html/rfc7457 I https://www.mitls.org/pages/attacks I flaws in protocol logic I cryptographic design