Exam-1R-4393

Purpose

Exam Question Topics

1. security mechanism
2. defense against buffer overflow
3. Worms
4. Private key systems
5. How to mount buffer overflow attack / > challenges
6. defense technique against buffer > overflow
7. malware general question
8. early cryptography
9. x.800
10. x.800
11. encryption
12. defense against buffer overflow
13. botnet
14. security control
15. security asset we attack
16. defense against Buffer overflow
17. Viruses
18. Challenges of Buffer overflow attack
19. defense against Buffer Overflow
20. x.800
21. security lifecycle
22. buffer overflow / Structure of Memory
23. Network Attacks
24. X.800

Buffer Overflow

Overview

• Buffer overflow is an attack technique used to try and rewrite parts of the victim system’s memory in hopes of taking control of some part of the system
• Typically the attacker wishes to overwrite the return address of some function, so that they can set a pointer to their own malicious code
  • Depending on the priviledges of said function, the attacker might gain root priviledge at which point your system is compromised.
• First used in 1988 by Morris using the “fingerd” UNIX command

Defenses

Compile Time Defenses

• In modern high level languages, they hide pointers, and vulnerable functions which prevent you from leaving vulnerabilities open
• Warn about unsafe functions such as strcpy, a function that isn’t input size truncated

Runtime Defenses

• The OS can add an NX Bit to pages of memory, that denote if code should be executed from said page. If a BO attack were to land in one of these pages, their execution calls would be ignored
• Similar to NX Bit, the OS can block all attempts of execution from the Stack, because no known function will ever need to execute in the stack.
• Randomize the memory location of common libraries so that the attacker cannot predict where these return codes are placed
• Translate all unsafe functions into their safer counterpart where possible
• StackGuard
  • Embed “canaries” in stack which can be checked to ensure inputs are not overeaching, however is not impervious, and has a performance hit

Challenges

The most challenging part of Buffer Overflow attack is finding the starting address of your malicious code

• Methods such as the NOP Sled make finding this first address location easier

X.800

• Purpose
  • provides a general description of secruity services and related mechanisms

The Five Services

• Authentication
• Access Control
• Confidentiality
• Integrity
• Non-Repudiation

Noteworthy X.800 Definitions

Malware

Worms

• Programs that seek out more machines to infect
• Exploit software vulnerabilities
• Can be spread through network connections, email links, or shared media devices
• First known implementation in Xerox Palo Alto Labs in 1980s

Slammer (Sapphire)

• In late January 2003, a worm exploiting buffer overflow in Microsoft’s SQL server
• Chooses random IP, and attempts to send a copy of itself to the machine using MS-SQL port 1434

Viruses

• Piece of software that infects programs
  1. modifies them to include a copy of the virus
  2. replicated and goes on to infect other content
  3. easily spread through network enviroments

Virus Componenets

• Infection Mechanism
  • Means by which a virus spreads
• Trigger / Logic Bomb
  • Event that determines when the payload is activated
• Payload
  • What the virus does
• Phases of the Virus
  1. Dormant
     • not all viruses have this stage
  2. Triggering
     • virus is activated, caused by system events
  3. Propogation
     • places a copy of itself into other programs
  4. Execution
     • Some function is performed

Botnet

• A Botnet is a network of bot programs that can be controlled remotely
• Used as a platform to mount various types of attacks
  • spam and click fraud
  • DDoS
  • Phising
  • Launching playform for worms
• Life cycle of a bot
  1. Exploit a vulnerability to exec a small program
  2. shellcode downloads actual bot
  3. bot diables firewall and antivirus
  4. bot locates and joins botmaster’s server
  5. Botmaster can now issue commands to bots

History of Botnet

• Earliest forms of bots for DDoS purposes developed in early 90s
• Early 2000s saw botnets that had detection evasion, code obfuscation, and more propogation vectors

Network Attacks

• Denial-of-Service DoS
  • goal of overloading a server of victim machine to deny access to some service
  • Distributed Denial-of-Service
    • DDoS has the same goals as DoS, but is more resilient to defenses as the attacker is coming from many machines, so narrowing down on the culprit is much more difficult.
  • Could be sourced from an army of zombie bots
  • Examples
    • Smurf
    • SYN flood
    • UDP flood
    • HTTP request flood

Cryptography

Terminology

• Encryption
  • process of encoding a message from sender to recipient or information that is stored in a computer so that its meaning is not understandable to others
• Decryption
  • reverse encryption process
• Cryptology
  • Research and study of cryptographic systems
• Cryptography
  • the practice and studdy of secret writing
• Crypanalysis
  • the study of cryptographic schemes to discover weeaknesses to defeat their purpose
• Ron Rivest Character Roles
  • Alice: The message sender
  • Bob: The message recipient
  • Carol, Dave, etc.: additional communication parties
  • Eve: A passive eavesdropper
  • Mallory: an active, malicious attacker
  • Trudy: an Intruder
  • Trent: A trusted third part arbitrator

Early Ciphers

• Substitution
  • each letter in the message is swapped out for another such as in the Caesar cipher
  • Randomized mapping from each letter to another letter
  • both methods have the problem of not changing the distribution of letters in the message, so using statistical analysis can be cracked.

Keys

• Secret / Private Keys
  • Secret key is known only to the sender and receiver
    • Implies that the sender and receiver have a secure method to share the key
  • Depends heavily on the secrecy of the key, not the secrecy of the encryption algorithm
• Public Keys
  • Public key used for encryption and private key used for decryption
  • Because the key is public, we don’t require a secure channel between sender and receiver for key transmission

Steganography

• While Cryptography refers to hidden meaning, Steganography refers to hidden messages.
• Could hide a message in some text that you read in a special manner, or a picture where the colors represent some message

Security Definitions

Security Control Life cylce / Stages

1. Threats
2. Policy
3. Specification
   • requirement analysis
   • statement of desired functionality
4. Design
   • how system will meet specification
5. Implementation
   • programs/systems that carry out design
6. Operation
   • Cost / benefit analysis
   • Risk analysis
   • Laws and customs