Courses/Computer Science/CPSC 525.F2014/Lecture Notes

From wiki.ucalgary.ca
< Courses‎ | Computer Science‎ | CPSC 525.F2014
Revision as of 22:20, 24 November 2014 by Locasto (talk | contribs) (Nov 24: Countermeasures: Isolation)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

September 8: Introduction

Today we briefly covered the course outline, structure, topics, and policies. We also talked about the efficacy of some "basic hygiene" security advice and recent security headlines.

Slides

Notes/Links from Class Discussion

Readings

Videos

September 10: Ethics and the Security Mindset

In this session, we will discuss some ethical frameworks, point out some important related legislation, and discuss some example areas, like ethics review for research and issues surrounding "responsible" disclosure.

Slides

Vulnerability Disclosure

  1. http://seclists.org/dailydave/2010/q2/58
  2. CERT's stance: http://www.cert.org/kb/vul_disclosure.html
  3. http://seclists.org/bugtraq/1996/May/0
  4. http://seclists.org/fulldisclosure/2002/Jul/7
  5. https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
  6. http://isc.sans.edu/diary.html?storyid=6820&rss
  7. http://arstechnica.com/science/2012/06/controversial-h5n1-bird-flu-papers-published-fuels-fears-of-airborne-mutations/

Readings

September 15: Foundations of Protection

In this session, we will consider some of the foundational concepts of computer security, including protection, access control, and the limits of such mechanisms. We will also take a look at some very common expressions of these concepts.

Notes

We started by discussing some of the past readings on mindset and ethics. We then considered tips for how to approach reading an academic paper.

Here are a collection of classic security papers:

  • Security
  • C-I-A
    • C
    • I
    • A
  • Protection
  • Isolation
  • Reference monitor
  • Subject
  • Object
  • Assurance

Readings

  • The Craft of System Security: 1.1 The Standard Rubric
  • The Craft of System Security: 1.2 The Matrix
  • The Craft of System Security: 1.3 Other Views
  • The Craft of System Security: 1.4 Safe States and the Access Control Matrix
  • The Craft of System Security: 1.5 Other Hard Problems
  • The Craft of System Security: 1.6 Takehome Message
  • Protection. Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, 1971. Reprinted in ACM Operating Systems Rev. 8, 1 (Jan. 1974), pp 18-24 PDF
  • "Protection in Operating Systems" by Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman (ACM Digital Library, available via U of C with appropriate network address)

September 17: Guest Lecture by Prof. Aycock

Today will be a guest lecture from our resident expert on malware, ethics, reverse engineering games, and programming languages.

September 22: Access Control

In this session, we will consider some basic access control concepts and terminology. We spent time looking at the concept of a TCB and we went through the HRU paper.

Readings

The readings for today reinforce some of the foundations of protection by illustrating how they were mapped to the design of an early multi-user system, Multics, that took protection and security quite seriously. You can see remnants or echos of these ideas in other commodity computing systems (e.g., x86 segments and privilege rings).

September 24: Authentication and Security Architecture

In this session, we will continue our discussion of access control wrt authentication and then we will consider some security design principles. It will help motivate our discussion of security architecture and the application of the Saltzer-Schroeder principles. We will begin by considering a case study of the security mechanisms present in the Linux kernel.


Notes


Slides

Case Study: the set of "security" mechanisms present in the Linux OS.

Readings

  • Some Thoughts on Security After Ten Years of qmail 1.0, DJB, CSAW 2007 PDF

September 29: No Class, CMSS/ISPIA Workshop

No class today, but you are all encouraged / invited to attend a cybersecurity workshop at the UofC downtown campus.

I will give the talk I prepared when we begin to discuss LangSec.

Oct 1: Security Architecture

We will continue our discussion of protection mechanisms with a look at some of the security features of the Linux system, among others.

This collection brings up the question of defense in depth: how much do we need? How can you be sure of the quality of your TCB?

Class Discussion: Some Thoughts on Security After Ten Years of qmail 1.0

Oct 6: Security Models: Bell-LaPadula, Biba, Chinese Wall, Clark-Wilson

In this session, we will pick up with a more detailed examination of four security models.

Slides


Readings

Oct 8: Role-based Access Control

code session:

as eye in terminal 1:

 954  cat /etc/passwd
 955  clear
 956  man groupadd
 957  man usermod
 958  clear
 959  ls
 960  clear
 961  cd 525
 962  mkdir 525
 963  clear
 964  w
 965  cat /etc/passwd
 966  id
 967  file /sbin/nologin 
 968  cat /etc/shadow
 969  ll /etc/passwd
 970  sudo su
 971  clear
 972  cat /etc/passwd
 973  man useradd
 974  clear
 975  cd 525
 976  ls
 977  echo "secret" > password.txt
 978  ll
 979  groups
 980  cat /etc/group
 981  cat /etc/group | grep sauron
 982  man groupadd
 983  sudo groupadd hacker
 984  cat /etc/group | grep hacker
 985  ll /etc/group
 986  clear
 987  usermod -a -G hacker alice
 988  sudo usermod -a -G hacker alice
 989  sudo usermod -a -G hacker bob
 990  sudo usermod -a -G hacker tim
 991  sudo usermod -a -G hacker jim
 992  sudo usermod -a -G hacker george
 993  sudo usermod -a -G hacker eye
 994  ll
 995  chmod 660 password.txt 
 996  ll
 997  man chgrp
 998  chgrp hacker password.txt 
 999  id
1000  exit
1001  id
1002  newgrp 535
1003  clear
1004  cd 525
1005  ls
1006  ll
1007  chgrp hacker password.txt 
1008  ll
1009  pwd
1010  clear
1011  cd ACLs/
1012  ll
1013  getfacl src.c 
1014  man setfacl

as eye in terminal 2:

1001  groups
1002  cat /etc/group
1003  cat /etc/groups
1004  cat /etc/group
1005  clear
1006  getfacl 
1007  ls
1008  getfacl file.out 
1009  setfacl
1010  man setfacl
1011  clear
1012  useradd alice
1013  sudo useradd alice
1014  cat /etc/passwd
1015  clear
1016  sudo useradd bob
1017  sudo useradd charlie
1018  sudo useradd tim
1019  sudo useradd jim
1020  sudo useradd jerry
1021  sudo useradd george
1022  cat /etc/passwd
1023  clear
1024  man usermod
1025  groups alice
1026  cat /etc/passwd
1027  cat /etc/group
1028  cat /etc/passwd
1029  cat /etc/group
1030  clear
1031  man su
1032  su -l alice
1033  sudo su
1034  clear
1035  cd 525
1036  ls
1037  mkdir ACLs
1038  cd ACLs/
1039  ls
1040  echo "source code" > src.c
1041  ll
1042  setfacl -m "u:501:rw" src.c 
1043  getfacl src.c
1044  sudo su


as root:

 842  cat /etc/shadow
 843  exit
 844  passwd alice
 845  exit
 846  su alice
 847  exit
 848  su alice

Oct 15: Code Injection

Key Ideas:

  • conceptual difference between the protection that read(2) offers vs. 'cat'ing an arbitrary file.
  • recognizing or distinguishing between "good" and "bad"
  • with 40 years of fundamentally sound security models and access controls, why do our principals still get attacked successfully?
    • there is no reference monitor for network or file input
  • what kinds of threats violate the C-I-A of our principals (i.e., programs?)
  • Code injection attacks are one type of threat that (1) inject code into a principal's data areas and (2) transfer control to that injected data; it usually co-opts the existing (broken) logic of the principal to accomplish these two goals

Links From Class

Cute GPG Bug

 echo -en "\xa3\x01\x5b\xff" > gpg.exp
 hexdump -C gpg.exp 
 gpg --decrypt gpg.exp 


Stuff to Watch

Oct 20: Code Injection (cont) and Intro to Weird Machines

  1. SPC vs. CIA grid
    1. Protecting Against Code Injection is about Protecting the Integrity of Computation
  2. Continue stack injection example.
  3. Preview of Mitigation Mechanisms (next time)

Function Call Activation Records

Disabling Countermeasures

pause: countermeasures like nx bit, non-executable stack, canaries, etc.

  • compiling programs with fno-stack-protector
  • turning off ASLR: as root, `echo 0 > /proc/sys/kernel/randomize_va_space'
  • marking executables as needing executable data areas: `execstack -s a.out'

Makefile: link

victim.c : link

template payload file (full of NOPs): link

A run of this example with the payload2 file:

(gdb) r payload2
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/eye/SISMAT/3.9/vx payload2
Breakpoint 1, 0x080484ca in do_work ()
(gdb) x/32x $esp
0xbffff8d0:	0x000000c2	0x00006ff4	0x008551dc	0x00000000
0xbffff8e0:	0xbffff980	0x080497ec	0xbffff8f8	0x08048384
0xbffff8f0:	0x00000005	0x080497ec	0xbffff928	0x0804855f
0xbffff900:	0xbffffb5d	0x080482a3	0x00857ce0	0x00856ff4
0xbffff910:	0x080485a0	0x08048410	0x080485ab	0x00000000
0xbffff920:	0x080485a0	0x00000000	0xbffff9a8	0x006dad36
0xbffff930:	0x00000002	0xbffff9d4	0xbffff9e0	0x001113d0
0xbffff940:	0x08048410	0xffffffff	0x006c0fc4	0x080482a3
(gdb) c
Continuing.
Breakpoint 2, 0x0804853c in do_work ()
(gdb) x/32x $esp
0xbffff8d0:	0x0804a008	0x08048654	0x008551dc	0x00000000
0xbffff8e0:	0xbffff980	0x90909090	0x90909090	0x90909090
0xbffff8f0:	0x4066c031	0x4366db31	0x90cc80cd	0xbffff8ec
0xbffff900:	0x90909090	0x9090cc90	0x90909090	0x90909090
0xbffff910:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff920:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff930:	0x90909090	0x90909090	0xbfff9090	0x001113d0
0xbffff940:	0x08048410	0xffffffff	0x006c0fc4	0x080482a3
(gdb) c
Continuing.
Program exited with code 01.
(gdb) 

Note that 'exiting with code 01' is precisely the effect we wish to achieve (that was the system call invocation we programmed into our shellcode).

Videos

Readings

  • USENIX ;login: articles in the December "Security" issue: http://www.usenix.org/publications/login/2011-12/index.html
  • Exploit Programming: From Buffer Overflows to "Weird Machines" and Theory of Computation. Sergey Bratus, Michael E. Locasto, Meredith L. Patterson, Len Sassaman, and Anna Shubina. USENIX ;login: vol. 36, no. 6, pp. 13--21 December 2011. Paper

Oct 22: Basics of Heap Attacks

Stack-based buffer overflows on modern commodity systems are "dead", apparently. But that's OK: there are plenty of other juicy targets in the address space besides saved return addresses on the stack.

A simple example targeting heap pointers in dynamically allocated data structures. More advanced techniques involve heap spraying and overcoming ASLR.

Oct 27: Countermeasures

How do we maintain the Integrity of Processing? Countermeasures to code injection attacks typically focus on either disrupting the injection of code or the transfer of control to it.

Attempts to characterize exploits typically focus on scanning incoming traffic or file data for signs of "executable" code, such as NOPs sleds or other artifacts (i.e., high frequency of valid x86 machine instructions).

History/Papers


Techniques

libsafe/libverify

hardware return address shadow stack

ASLR, Stack randomization

Propolice / StackGuard / Stack Canaries

Control Flow Integrity

Instruction Set Randomization

Oct 29: CounterCountermeasures

return-to-libc. ROP.

Polymorphism. Encoding. English Shellcode.

Papers

Here is a list of papers I've mentioned in class

Nov 3: LangSec: A Theory of Insecurity

Intro to LangSec.

In this session, we will touch on several ideas related to langsec, particularly the principle that: a thing is not what it is named, but rather a thing is what can be done to it (recall the Gostack game!). This principle connects with Langsec because we often try to create systems that recognize a thing either by its label, some of its content, or by what it does, or by what happens to it. We used the Gostak game to motivate this discussion earlier, but now we pick it up in full, having seen some of the basics of exploit attack and defense.

We really start our discussion of LangSec itself by asking the questions "Why do things break?" and "Why do things continue to break?"

We considered a few reasons why things seem to break beyond convenient excuses like lazy programmers and "dangerous" languages, including complexity and composition as hidden by abstraction.

Slides

Presentation


Readings

Nov 5: LangSec Foundations: Certificate Manipulation

LangSec, inasmuch as it relates to the core Computer Science concept of language recognition, cuts across many different areas of computer security from defense against code injection attacks to scanning for malware in network streams.

Seeds of LangSec exist in many papers (cited on this wiki), but its recent formulation and statement can be traced to Sassaman and Patterson's work on X509 certificate manipulation.

Slogans

http://www.langsec.org/occupy/

Video

Towards a formal theory of computer insecurity: a language-theoretic approach

Reading

  • The Halting Problems of Network Stack Insecurity by Len Sassaman, Meredith L. Patterson, Sergey Bratus, and Anna Shubina Paper (click through the PDF link to download)


Nov 10: No Class (reading days)

Nov 12: Langsec Foundations

Weird Machines and LangSec as such were recently crystalized and articulated by Sassaman, Patterson, Bratus, and Shubina, but it has foundations in the research work of others as well.


Readings

  • Thomas Dullien and Halvar Flake "Exploitation and State Machines" PDF
  • F. B. Schneider. Enforceable Security Policies. ACM Transactions on Information and System Security, 2(4), Mar. 2000.
  • A Language-Based Approach to Security. Fred B. Schneider, Greg Morrisett, and Robert Harper
  • Exploit Programming: From Buffer Overflows to "Weird Machines" and Theory of Computation. Sergey Bratus, Michael E. Locasto, Meredith L. Patterson, Len Sassaman, and Anna Shubina. USENIX ;login: vol. 36, no. 6, pp. 13--21 December 2011. Paper
  • Vulnerability-Specific Execution Filtering for Exploit Prevention on Commodity Software PDF
  • Vigilante "Vigilante: End-to-End Containment of Internet Worms"
  • Jedidiah R. Crandall, Zhendong Su, S. Felix Wu, and Frederic T. Chong. On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In the proceedings of the 12th ACM Conference on Computer and Communications Security (CCS 2005). Alexandria, Virginia. November 2005. pdf
  • Daniela Oliveira and Jedidiah R. Crandall. Holographic Vulnerability Studies: Vulnerabilities as Fractures in Interpretation as Information Flows Across Abstraction Boundaries. In the Proceedings of the New Security Paradigms Workshop (NSPW 2012). Bertinoro, Italy. pdf

Nov 17: Langsec Applications: Confusing the PHY Layer

Class Stuff:

  • RATS demo
  • pointer to clang
  • essay specification

This session is a case study of Goodspeed's recent work in "Remotely Exploiting the PHY Layer".

Notes/Links

Readings

Nov 19: Langsec Applications: Intrusion Detection

In this session, we will consider the common security subfield of intrusion detection, and how langsec (as an explanation of insecurity) fouls many of the good intentions we have when we attempt to detect malicious content in network traffic or machine actions. If defense is predicated on detection, and detection is predicated on recognition -- we are in quite a pickle if we're trying to detect arbitrary computational constructs.

Langsec Principle: Alice and Bob are talking, but whomever is listening is highly confused.

Notes

  • We looked at a paper (Handley et al.) and a couple of small demonstrations of this principle in action, like:
  • looking at Snort rules
  • disassembling network packets captured via tcpdump with udcli

Readings

  • Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Thomas H Ptacek and Timothy M. Newsham HTML
  "The problem with this technique is that a passive network monitor cannot accurately predict 
  whether a given machine on the network is even going to see a packet, let alone process it 
  in the expected manner. A number of issues exist which make the actual meaning of a packet 
  captured by an IDS ambiguous."
  • Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Mark Handley and Vern Paxson and Christian Kreibich USENIX paperhtml

Related Work

Nov 24: Countermeasures: Isolation

If signature based detection fails, and if DEP+ASLR isn't enough, and LangSec makes recognition of bad inputs hard, what is left?

The magic of "sandboxing".

Reference monitors.

Virtualization.

systrace. jail. janus. NaCL. SecVisor.

hype and virtue

...

Sandboxing / Policy Enforcement

  1. XFI: Software Guards for System Address Spaces
  2. "Vx32: Lightweight User-level Sandboxing on the x86" (USENIX ATC 2008)
  3. "Native Client: A Sandbox for Portable, Untrusted x86 Native Code" (Oakland 2009)
  4. "Hardware Enforcement of Application Security Policies Using Tagged Memory" (OSDI 2008)
  5. "Make Least Privilege a Right (Not a Privilege)" (HotOS 2005)
  6. "Improving Host Security with System Call Policies" by Niels Provos, 12th USENIX Security Symposium, Washington, DC, August 2003. PDF
  7. Watson, R. N. M., Anderson, J., Laurie, B., and Kennaway, K. Capsicum: practical capabilities for UNIX. In Proceedings of the 19th USENIX Security Symposium, Washington, DC, August 2010
  8. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes (SOSP 2007)
  9. F. B. Schneider. Enforceable Security Policies. ACM Transactions on Information and System Security, 2(4), Mar. 2000.
  10. https://www.cs.princeton.edu/~appel/papers/memerr.pdf

Virtualization, Monitoring, Inspection

  1. "Mystifying the debugger for ultimate stealthiness" http://www.phrack.org/issues.html?issue=65&id=8&mode=txt
  2. Steven M. Bellovin. Virtual machines, virtual security. Communications of the ACM, 49(10), October 2006. “Inside RISKS” column. html
  3. VM-based Security Overkill: A Lament for Applied Systems Security Research. Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. Proceedings of the 19th New Security Paradigms Workshop (NSPW 2010). September 2010. Concord, MA, USA. PDF
  4. Efficient Monitoring of Untrusted Kernel-Mode Execution (NDSS 2011)
  5. "A Virtual Machine Introspection Architecture for Intrusion Detection" (NDSS 2003)
  6. Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection. Brendan Dolan-­‐Gavitt, Tim Leek, Michael Zhivich, Jonathon Giffin, and Wenke Lee. In Proceedings of The 2011 IEEE Symposium on Security and Privacy. Oakland, CA, May 2011.

Nov 26: Countermeasures: Isolation (cont)

Dec 1: Formal Methods

Dec 3: Security Evaluation (plus USRI)

Topics

  • CC / Orange Books
  • STIGS
  • FIPS

Tools

Summary

  • Security policies and protection mechanisms for a computing system
  • design principles of protection systems
  • authentication and authorization
  • reference monitors
  • security architecture of popular platforms
  • formal modeling of protection systems
  • discretionary access control
  • safety analysis
  • information flow control
  • integrity
  • role-based access control
  • Legal and ethical considerations will be introduced.