Courses/Computer Science/CPSC 526.F2015/Lecture Notes

From wiki.ucalgary.ca
Revision as of 17:56, 19 November 2015 by Locasto (talk | contribs) (Dec 3: Web Security 2: Gruyere)

September 8: Intro and Overview

  • Course policies, grading, etc. (Course Outline, Description, Syllabus)
  • Concepts / Organization

With some background in security concepts and principles, we set security challenges and problems into a networked environment. Basic crypto primitives become building blocks of systems whose major focus is authentication and protecting the confidentiality and integrity of communications channels. This major topic is complemented with a variety of security mechanisms that attempt to provide C-I-A in other ways (e.g., firewalls, IDS, authentication systems & standards).

  • Topics (i.e., knowledge & skills I want you to know by the end of the semester)
    • common networking tools
    • bit-level agility (packet crafting)
    • working knowledge of common applied crypto
    • authentication and secure protocols (design and major examples)
    • network security application domains: routing security, web security
    • network security mechanisms: firewalls, IDS, etc.
  • Semester Highlights
    • EDURange
    • ScapyHunt
    • PGP key signing party
    • web application hacking (Google Gruyere)
    • build a VPN
    • build a CA
    • network introspection


Right now:

  • Write your "Question of the Day": this is one question about network security that you want answered by the end of the semester
    • include your real name
    • include a pseudonym if you wish

September 10: Important Concepts, Basic Threats and Adversaries

Today, we will briefly discuss some security concepts and then dive into a reminder and refresher of some basic Unix networking tools. Our goal is to get two computers, Alice and Bob, to exchange traffic.

Questions of the Day:

Results of Poll: out of 25 votes as of 10:15am, 19 people have not taken CPSC 418 or are taking it concurrently. We will dedicate the opening weeks of tutorials to providing a high-level overview of basic crypto concepts and terminology as well as an introduction to some crypto libraries.

September 15: Intro to the Deception Surface: Setting up a Network From Scratch

We will start with a QoD that leads us back to a discussion of basic network security threats and concepts. It also leads us toward the topic of the "deception surface": the collection of protocols and network state that networked computers and applications rely on to accomplish their communication -- but these protocols are also, by their very nature, open to manipulation.

slides: https://pages.cpsc.ucalgary.ca/~locasto/teaching/2015/CPSC526/Fall/intro-concepts.pdf

Sept 17: Setting up a network from scratch (cont)

Setting up and configuring network interfaces in Linux; discussion of IP addresses, netmasks, routing, and how ARP relates to them.

Demonstrate ICMP messages between Alice and Bob in a hub/broadcast environment vs. a switched environment.

Sept 22: Attacking the Deception Surface: ARP attacks

Building blocks for ARP spoofing and ARP poisoning.
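The defender's side of the same building blocks: ARP poisoning shows up on the wire as an IP address that suddenly answers from a different MAC. The script below, an added example that is not part of the course page, parses a constructed capture in the style of `tcpdump -i eth1 -n arp` (all addresses and MACs are made up) and raises an alert whenever an IP-to-MAC binding changes, optionally against a trusted table such as an admin-configured gateway entry.

```python
"""Detect IP-to-MAC binding changes in ARP replies (the symptom of ARP poisoning).

Added example; it is not part of the course page. The capture below is
constructed to look like `tcpdump -i eth1 -n arp` output, and every address
and MAC in it is made up.
"""
import re

# Constructed sample: the gateway 10.0.0.1 first answers from 00:11:22:33:44:01,
# then a different station starts claiming 10.0.0.1 from de:ad:be:ef:00:99.
SAMPLE_CAPTURE = """\
10:01:02.100 ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 28
10:01:02.101 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
10:01:05.300 ARP, Reply 10.0.0.2 is-at 00:11:22:33:44:02, length 28
10:01:09.900 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
10:01:10.200 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_replies(capture):
    """Yield (timestamp, ip, mac) for each ARP reply line; requests are ignored."""
    for line in capture.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def find_binding_changes(capture, trusted=None):
    """Return one alert per reply whose MAC disagrees with the binding we expect.

    `trusted` is an optional static ip -> mac table (what arpwatch-style tools
    build up over time, or what an admin configures for the gateway). Any IP not
    in it is learned from its first reply, so the alert fires on *change*.
    """
    expected = dict(trusted or {})
    alerts = []
    for ts, ip, mac in parse_replies(capture):
        known = expected.get(ip)
        if known is None:
            expected[ip] = mac
        elif mac != known:
            alerts.append({"ts": ts, "ip": ip, "expected": known, "seen": mac})
    return alerts


if __name__ == "__main__":
    for a in find_binding_changes(SAMPLE_CAPTURE):
        print(f"{a['ts']} {a['ip']} moved from {a['expected']} to {a['seen']}")
```

Learning the first binding and alerting on change is exactly the weakness the deception surface gives you: if the first reply you see is already the forged one, only a trusted table catches it, which is why the function accepts one.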

Sept 24: Network Recon: Understanding the State of Alice, Bob, and Everyone in Between (Scanning, Sniffing, etc.)

Today I want to discuss the concepts and tradeoffs involved in scanning the network for other hosts. We will also explore the relationship between scanning and sniffing. Sniffing can be seen as one form of passive scanning.

Neither scanning nor sniffing is inherently "bad"; both good guys and bad guys can undertake scanning and sniffing at various times and for various purposes.

  • penetration testing
  • network auditing (any rogue or forgotten hosts?)
  • reconnaissance, host and service enumeration
  • listening for unwanted traffic, data exfiltration
  • listening for unencrypted traffic, authentication tokens
  • listening for communication flows (traffic analysis)

Sniffing (i.e., listening) complements scanning (i.e., actively probing). Sniffing will only sample the network, and provide only a partial view of who is talking during the sampling period. Scanning allows you to attempt to contact and enumerate hosts and open ports, but hosts are under no obligation to respond to your probes. Thus, sniffing and scanning complement each other, but even together may not provide a complete picture of the network.

The "Big Picture" concept for today is that you'll often be asked some form of the question "how good is this tool?"; evaluating the power and limitations of tools, frameworks, techniques, mechanisms, algorithms, etc. entails an understanding of how they work, how they might fail, etc.

Class Activities

Today we will play a bit with traceroute and nmap.

We've already spent 1.5 weeks on the "who am I" question. Here are some other questions:

  • Where am I? Where are you? What are you (running)?

We can seek to answer these questions with:

  • netstat (what services am I offering to the world? local broadcast? local machine?)
  • iptables (what communication flows or packets is my kernel actually blocking for me? How? What is 'stealth mode'?)
  • traceroute (where are you in relation to me? How do I anticipate this affecting the flow of packets between us?)
  • nmap (what services are you running (that I can see?))
  • tcpdump (how does nmap actually work? what is scanning, after all? what does a scan produce, and what are the expected replies?)

For example, how far away from scanme.nmap.org are we? http://pages.cpsc.ucalgary.ca/~locasto/teaching/2015/CPSC526/Winter/files/traceroute-nmap.org

Scan Activity

Pick a partner. One of you is Alice, the other is Bob.

Have Bob list his open ports:

  netstat -lptun

Have Bob list his firewall rules:

  iptables -L

(That is for Linux. On Windows, see the netsh commands at http://windowsitpro.com/windows-server/top-10-windows-firewall-netsh-commands; on Mac, see ipfw or pfctl.)

Have Bob start up tcpdump:

  tcpdump -i eth1 -n

Have Alice nmap Bob with

  nmap -sS -sV -O -n --reason --traceroute bob.ip.addr.ess 

What packets does Bob see? What ports does Alice see? If Bob flushes his firewall:

  iptables --flush

does this change the scan results?
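To make "what packets does Bob see?" concrete, here is an added example (not part of the course page) that runs over a constructed capture in the style of Bob's `tcpdump -i eth1 -n` output; the addresses, ports and sequence numbers are made up. It flags a source that sends bare SYNs to many ports, and reconstructs what that scanner learned about each port from Bob's replies: a SYN-ACK means open, a RST means closed, and silence (what a DROP rule produces) leaves the port "filtered", which is the same three-way split nmap reports.

```python
"""Spot SYN-scan behaviour in tcpdump output and infer what the scanner saw.

Added example; not from the course page. SAMPLE is constructed to mimic
`tcpdump -i eth1 -n` on Bob (10.0.0.2); 10.0.0.3 probes five ports, 10.0.0.7
makes one ordinary ssh connection. All values are made up.
"""
import re
from collections import defaultdict

SAMPLE = """\
10:02:01.000101 IP 10.0.0.3.40001 > 10.0.0.2.22: Flags [S], seq 1, win 1024, length 0
10:02:01.000150 IP 10.0.0.2.22 > 10.0.0.3.40001: Flags [S.], seq 9, ack 2, win 29200, length 0
10:02:01.000190 IP 10.0.0.3.40001 > 10.0.0.2.22: Flags [R], seq 2, win 0, length 0
10:02:01.000301 IP 10.0.0.3.40001 > 10.0.0.2.80: Flags [S], seq 1, win 1024, length 0
10:02:01.000340 IP 10.0.0.2.80 > 10.0.0.3.40001: Flags [R.], seq 0, ack 2, win 0, length 0
10:02:01.000501 IP 10.0.0.3.40001 > 10.0.0.2.443: Flags [S], seq 1, win 1024, length 0
10:02:01.000701 IP 10.0.0.3.40001 > 10.0.0.2.3306: Flags [S], seq 1, win 1024, length 0
10:02:01.000901 IP 10.0.0.3.40001 > 10.0.0.2.8080: Flags [S], seq 1, win 1024, length 0
10:02:03.120000 IP 10.0.0.7.51000 > 10.0.0.2.22: Flags [S], seq 5, win 64240, length 0
10:02:03.120100 IP 10.0.0.2.22 > 10.0.0.7.51000: Flags [S.], seq 3, ack 6, win 29200, length 0
10:02:03.120200 IP 10.0.0.7.51000 > 10.0.0.2.22: Flags [.], ack 4, win 64240, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(capture):
    """Yield one dict per TCP line: ts, src, sport, dst, dport, flags."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d


def find_scanners(capture, threshold=5):
    """Sources that sent a bare SYN (no ACK) to at least `threshold` distinct ports."""
    probes = defaultdict(set)
    for p in parse(capture):
        if p["flags"] == "S":
            probes[p["src"]].add(p["dport"])
    return {src: sorted(ports) for src, ports in probes.items() if len(ports) >= threshold}


def port_states(capture, target, scanner):
    """What the scanner learned about each probed port on `target`:
    SYN-ACK -> open, RST -> closed, no answer -> filtered (a DROP rule)."""
    states = {}
    for p in parse(capture):
        if p["src"] == scanner and p["dst"] == target and p["flags"] == "S":
            states.setdefault(p["dport"], "filtered")
        elif p["src"] == target and p["dst"] == scanner:
            if "S" in p["flags"] and "." in p["flags"]:
                states[p["sport"]] = "open"
            elif "R" in p["flags"]:
                states[p["sport"]] = "closed"
    return states


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE).items():
        print(f"{src} probed {len(ports)} ports: {ports}")
        print(port_states(SAMPLE, "10.0.0.2", src))
```

The RST that 10.0.0.3 sends back after the SYN-ACK on port 22 is the half-open tear-down of `nmap -sS`; Bob's tcpdump is the only place that detail is visible, which is the point of watching both sides.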

Reflections

For the past two weeks, we've looked at the (inherent!) weaknesses of the basic network fabric and low-level services/protocols --- the so-called deception surface. We made the point that these weaknesses are also strengths in terms of providing low-configuration connectivity and plug-and-talk type communication. The Internet probably wouldn't have taken off if participants had to sign complex multilateral treaties and do complex cryptographic dances simply to bind an IP address to a MAC address.

While countermeasures exist to detect many basic forms of layer2 and layer3 spoofing, poisoning, and flooding attacks and there are authentication protocols to provide basic network access control, our experience has shown us the need for a combination or composition of functionality that (a) provides connectivity and (b) protects the confidentiality, integrity, and availability of such channels. To this end, we will examine the role cryptography plays in network security over most of the rest of the semester.

However, it is worth noting that even with good crypto, and even with simple countermeasures for protecting against ARP flooding, ARP poisoning, DHCP hijacking, DNS poisoning, DoS, etc., many networks still have an ill-defined "edge" and many often have open doors; for example, management interfaces that may be accessible on a public-facing IP via telnet (perhaps on a "hidden/undocumented" port, or available via port-knocking). BYOD also makes the definition of "your" network quite fuzzy. Networks are also composed of more than just desktop computers and servers. See the links below for efforts that provide scanners, a census of the internet, network topology information, and search engines.

Links

Reading

Sept 29: Network Recon: Scanning + Sniffing

In this session, we will continue observing what various probes to the network actually look like. We will also begin to take a look at the topic of firewalls.

Agenda

  • Announcements, dump eth1, consider the ethics of this
  • Selected questions of the day
    • Octavissi: What is a backdoor and how does it work?
    • T3AA8: How can we tie network security into virus and malware [the course?]
    • John: How does IP sniffing and IP spoofing affect a network? Can ethical hacking prevent that?
    • [anon]: How can we detect intrusions and find the breach?
  • Current events:
  • Scanning and sniffing, plus firewalls
    • netcat
    • netstat
    • iptables
    • tcpdump, Wireshark
    • nmap

Homework

Read Chapter 23 in your textbook. For class on Thursday, read this paper:

and write 1 paragraph summarizing it and 1 paragraph taking a position on the question of whether it is ethical to listen to network traffic, with, e.g., tcpdump. Be prepared to discuss your position on Thursday.

Oct 1: Ethics of Network Traffic Sniffing

Today we will discuss the ethics of listening to network traffic.

Oct 6: Firewalls

Today we will consider the topic of firewalls.


Class activity: nmap a box under different firewall rule sets and reply types (ACCEPT, REJECT, DROP, icmp-admin-prohibited) and watch the traffic in Wireshark / tcpdump.

References

Oct 8: Firewalls (cont.)

We'll talk about some terminology, firewall policy interpretation, various kinds of firewall architecture, and play with some iptables rule sets.

We began by reviewing the table of contents of the Wily Hacker book, 1st edition (http://www.wilyhacker.com/1e) and thinking about how it reflects the state of the growing Internet and the nascent topic of network security in the early 1990s. We then tried to put together some basic iptables rules for:

http://pages.cpsc.ucalgary.ca/~locasto/teaching/2015/CPSC526/Fall/tasks.txt

Issues Involved in Firewalls

  • semantics of rule interpretation (order: first, last, best match)
  • Scaling
    • how do you handle scaling of 1000's of rules?
    • how much does the firewall slow down traffic processing? What kind of hardware do you need for a network edge?
  • How are rule conflicts handled / detected / resolved
    • how is this done in a distributed environment?
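The two points above about rule semantics, together with the Oct 6 class activity (ACCEPT vs. REJECT vs. DROP as seen by nmap), can be worked through in a small model. This is an added example, not code from the course page: `Rule` is a simplified stand-in for an iptables INPUT rule, the set of listening ports on Bob is made up, and the port states are the ones an nmap SYN scan reports for each kind of reply (SYN-ACK open, RST closed, ICMP unreachable or silence filtered). It evaluates the chain with first-match semantics (iptables) and, for comparison, last-match, so the effect of a shadowed rule is visible.

```python
"""Firewall rule interpretation and what a port scan sees through it.

Added example; not from the course page. The Rule class is a simplified
stand-in for iptables INPUT rules, the listening-port set is made up, and the
nmap states are the ones a SYN scan reports for each kind of reply.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # CIDR such as "10.0.0.0/24", or "any"
    dport: Optional[int]  # None matches any destination port
    target: str           # "ACCEPT", "DROP" or "REJECT"


def matches(rule, pkt):
    if rule.proto not in ("any", pkt["proto"]):
        return False
    if rule.src != "any" and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    return rule.dport is None or rule.dport == pkt.get("dport")


def evaluate(chain, policy, pkt, order="first"):
    """Walk the chain. order='first' is iptables semantics (first match wins);
    order='last' shows what a last-match interpreter decides for the same
    rules. No match at all falls through to the chain policy."""
    hits = [r.target for r in chain if matches(r, pkt)]
    if not hits:
        return policy
    return hits[0] if order == "first" else hits[-1]


def probe_reply(verdict, port_open, reject_with="icmp-port-unreachable"):
    """What the sender of a SYN gets back under each verdict."""
    if verdict == "ACCEPT":
        return "SYN-ACK" if port_open else "RST"  # the TCP stack itself answers
    if verdict == "REJECT":
        return "RST" if reject_with == "tcp-reset" else "ICMP " + reject_with
    return "no reply"  # DROP: the probe is silently discarded


def nmap_state(reply):
    """nmap -sS: SYN-ACK -> open, RST -> closed, ICMP error or silence -> filtered."""
    return {"SYN-ACK": "open", "RST": "closed"}.get(reply, "filtered")


def scan_view(chain, policy, listening, src, ports, order="first", reject_with="icmp-port-unreachable"):
    """Port states a SYN scan from `src` would report against this chain."""
    view = {}
    for port in ports:
        pkt = {"proto": "tcp", "src": src, "dport": port}
        verdict = evaluate(chain, policy, pkt, order)
        view[port] = nmap_state(probe_reply(verdict, port in listening, reject_with))
    return view


LISTENING = {22, 80}  # constructed: sshd and httpd bound on Bob
ALLOW_SSH_LAN = Rule("tcp", "10.0.0.0/24", 22, "ACCEPT")
DROP_ALL = Rule("any", "any", None, "DROP")
REJECT_ALL = Rule("any", "any", None, "REJECT")

CHAIN_OK = [ALLOW_SSH_LAN, DROP_ALL]        # intended: LAN may reach ssh, nothing else
CHAIN_SHADOWED = [DROP_ALL, ALLOW_SSH_LAN]  # same rules, wrong order: DROP shadows the ACCEPT

if __name__ == "__main__":
    ports = [22, 80, 443]
    print("flushed  ", scan_view([], "ACCEPT", LISTENING, "10.0.0.3", ports))
    print("ok       ", scan_view(CHAIN_OK, "ACCEPT", LISTENING, "10.0.0.3", ports))
    print("shadowed ", scan_view(CHAIN_SHADOWED, "ACCEPT", LISTENING, "10.0.0.3", ports))
    print("reject   ", scan_view([REJECT_ALL], "ACCEPT", LISTENING, "10.0.0.3", ports, reject_with="icmp-admin-prohibited"))
```

Run it and compare the "flushed" line (what `iptables --flush` exposes) with the "ok" line; the "shadowed" chain is the rule-conflict case from the list above, where nothing is syntactically wrong and the only symptom is that ssh from the LAN is reported filtered. A REJECT with an ICMP reason is still "filtered" to nmap, but `--reason` will show the admin-prohibited code, which is how you tell it apart from a DROP.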

Current Events

Oct 13: A Motivating Threat: Internet Worms

The topic of Internet worms is a good way to transition from our consideration of the lack of security in basic network protocols along with the capabilities and limitations of firewalls to a more nuanced view of network security. To a certain extent, worms illustrate how firewalls can sometimes be effective (if a worm signature is precise enough), but they also illustrate the problem of network security being reliant on endpoint (i.e., node) security.

QoD

  • What is the relation between all elements in a network to provide security? The big picture, elements and relations between them and weak points and bottlenecks, what to improve and how? [pg 22, Stallings. But we must also recognize the cost to our other values of implementing 'complete' security -Ed.]
  • How secure is peer-to-peer file sharing?
  • Is there a way to secure a network such that the only possible attack left is social engineering (i.e., no software penetration can be successful)?
  • Can you envisage any circumstances wherein a network is completely secure (and that connects to an outside network)?


Current Events

Links

Oct 15: No lecture

Oct 20: Introduction to Authentication

This week, we begin our discussion of authentication by considering challenge-response protocols. We start by looking at HTTP Basic authentication and Unix login-based authentication.

Something you know, something you have, something you are
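The contrast between HTTP Basic authentication and a challenge-response protocol, as an added example that is not part of the lecture: Basic sends the "something you know" itself, merely base64-encoded (the RFC 7617 format of `user:password`), so anyone running tcpdump on the path recovers it; the nonce-based exchange below sends only an HMAC over a fresh server challenge, so the secret never crosses the wire and a captured response cannot be replayed. The user name, password and the message layout of the challenge-response half are constructed for illustration, not a real protocol's encoding.

```python
"""HTTP Basic authentication versus a nonce-based challenge-response.

Added example; not from the course page. The Basic scheme follows RFC 7617
(base64 of "user:password"). The challenge-response half is a constructed
illustration: server stores a per-user secret, issues a random nonce, and
checks HMAC-SHA256(secret, nonce). Names and secrets are made up.
"""
import base64
import hashlib
import hmac
import os


def basic_header(user, password):
    """What a client sends for HTTP Basic: a reversible encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def basic_decode(header):
    """Anyone who sniffs the header (tcpdump on the path) gets the password back."""
    token = header.split(" ", 2)[2]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


class ChallengeResponseServer:
    def __init__(self, users):
        self.users = dict(users)  # user -> shared secret (in practice a derived key, not the password)
        self.pending = {}         # user -> outstanding nonce

    def challenge(self, user):
        """Fresh random nonce per attempt; the client must bind its answer to it."""
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        # pop() makes each nonce single-use: replaying a captured response fails
        nonce = self.pending.pop(user, None)
        if nonce is None or user not in self.users:
            return False
        expected = hmac.new(self.users[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret, nonce):
    """The client proves knowledge of the secret without transmitting it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret")
    print(hdr, "->", basic_decode(hdr))
    server = ChallengeResponseServer({"alice": b"shared-secret"})
    n = server.challenge("alice")
    r = client_respond(b"shared-secret", n)
    print("first use:", server.verify("alice", r), "replay:", server.verify("alice", r))
```

Note what the challenge-response version does not give you: the server still holds the shared secret, so it only moves the problem from the wire to the password store, which is where the next lecture picks up.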

QotD

  • How can you be sure that the person you are talking to is who they say they are, if you've never met them before in person? (Online verification / Chain of Trust)

Read

  • Textbook, Chapter 9
  • Textbook, Chapter 10

Supplemental Readings

Oct 22: Password-based Authentication Lulz

  • Storing passwords
  • Lamport's Hash
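Both bullets in one worked example, added here and not code from the course page: a Lamport hash chain gives one-time passwords, and at the same time shows a server that never stores the password itself, only the current top of the chain. The client registers h^n(salt || pw); on each login the server asks for the next element down, checks that hashing it yields what it stored, then replaces the stored value and decrements the counter. The password, salt and chain length are constructed values; SHA-256 stands in for the hash function.

```python
"""Lamport's hash: one-time passwords from a hash chain.

Added example; not from the course page. Registration: the client computes
h^n(salt || pw) and the server stores (n, that value). Login: the server asks
for h^(n-1)(salt || pw); it checks h(received) == stored, then stores the
received value and decrements n. Password, salt and n are constructed.
"""
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_chain(password: bytes, salt: bytes, n: int) -> bytes:
    """h applied n times to salt || password (n = 0 returns the input itself)."""
    x = salt + password
    for _ in range(n):
        x = h(x)
    return x


class LamportServer:
    def __init__(self, user: str, password: bytes, salt: bytes, n: int):
        # Storing passwords: the server keeps only the top of the chain, never pw.
        self.user = user
        self.salt = salt
        self.n = n
        self.stored = hash_chain(password, salt, n)

    def challenge(self):
        """Which chain element the client must send next, plus the salt it needs."""
        return self.n - 1, self.salt

    def verify(self, otp: bytes) -> bool:
        if self.n <= 1:
            # h^0 would be the password itself; the chain is used up, re-register.
            return False
        if h(otp) != self.stored:
            return False
        self.stored = otp  # move one step down the chain
        self.n -= 1
        return True


def client_login(password: bytes, server: LamportServer) -> bool:
    i, salt = server.challenge()
    return server.verify(hash_chain(password, salt, i))


if __name__ == "__main__":
    srv = LamportServer("bob", b"correct horse battery", b"constructed-salt", 5)
    print([client_login(b"correct horse battery", srv) for _ in range(5)])
```

A captured one-time value is useless afterwards (its hash no longer matches what the server stores), and a stolen server database yields only h^k(salt || pw), from which earlier chain elements cannot be computed without inverting h.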

Top 25 passwords listed at http://us.cnn.com/2012/10/25/tech/web/worst-passwords-2012/index.html?hpt=hp_bn5

  1. password
  2. 123456
  3. 12345678
  4. abc123
  5. qwerty
  6. monkey
  7. letmein
  8. dragon
  9. 111111
  10. baseball
  11. iloveyou
  12. trustno1
  13. 1234567

...

Incidents

Oct 27: Authentication Protocol Basics

Oct 29: Protocol Pitfalls

Protocol Fails Exercise

Nov 3. Protocol Pitfalls (cont)

Nov 5: Crypto Fails and Subversion

Lots of Lulz today. A review of poor crypto and implementation mistakes, and allegations of backdoors.

Links

Nov 10: Email Security

SMTP Refresher, PEM, S/MIME

Sender Policy Framework, Domain Keys, Anti-spam

PGP


Nov 12: No Class (Reading Week)

Nov 17: PGP Key Signing Party

Example:

  gpg --keyserver pool.sks-keyservers.net --send-keys 0x1B5CD0EF

(you may wish to use another key server)

Nov 19: Spam (Guest Lecture by Prof. Aycock)

Guest lecture given by Prof. John Aycock

Nov 24: SSH

An overview of the SSH protocol and software.

Nov 26: IPsec (Modes, Key Agreement, Operation, Applications)

What is IPsec? Terminology, modes of operation, tunneling; we also touch on some key agreement concepts.

Happy (real) Thanksgiving!

Dec 1: Web Security 1: Authentication and Privacy Challenges

Dec 3: Web Security 2: Gruyere

Bring your computers to class today; Prof. Locasto will give a guided tour of the Google Gruyere exercise, and you'll all play along.

Make sure to bring along your laptop and log on to the wireless network before/as class begins.

NB: some of the Gruyere exercises work better with older browsers (i.e., some of the attacks that are demonstrated no longer work in "modern" browsers)

Reading

Please glance through this ahead of time:

The Google Browser Security Handbook https://code.google.com/p/browsersec/

Dec 8: LangSec and USRI

Today we will start with the USRI.

To finish up the semester, we'll touch on the growing research area of LangSec, which can be seen as the basis of a "science of insecurity".

Time permitting, we'll try to bat cleanup on the remaining questions of the day.

  • Concept
  • Fooling NIDS
    • Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, by Thomas H. Ptacek and Timothy M. Newsham
  "The problem with this technique is that a passive network monitor cannot accurately predict whether a given machine on the network is even going to see a packet, let alone process it in the expected manner. A number of issues exist which make the actual meaning of a packet captured by an IDS ambiguous."
    • Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, by Mark Handley, Vern Paxson, and Christian Kreibich (USENIX Security Symposium, 2001)
  • Certificate Parsing
  • Confusing PHY Layer
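The ambiguity in the Ptacek and Newsham quote, and the normalizer answer to it from the Handley, Paxson and Kreibich paper, can be shown with a few lines of code. This is an added example, not code from the course page or from either paper: it models TCP reassembly as nothing more than a merge of (offset, payload) pairs under two policies, keep the first copy of an overlapping byte or keep the last, and shows that the same three constructed segments reassemble to two different requests. A normalizer that discards a retransmission whose bytes disagree with data already seen removes the choice, so the monitor and the end host are guaranteed to see the same stream.

```python
"""Overlapping TCP segments: why a passive monitor's reassembly is ambiguous,
and the normalizer rule that removes the ambiguity.

Added example; not from the course page or the cited papers. Reassembly is
modelled only as a byte merge with two policies; the segments are constructed.
"""

# Constructed segments as (sequence offset, payload). Offsets 5..15 are sent
# twice with conflicting content, as in an inconsistent retransmission.
SEGMENTS = [
    (0, b"GET /"),
    (5, b"index.html "),
    (5, b"admin.html "),
]


def reassemble(segments, policy):
    """policy='first': keep the earliest data for each byte position.
    policy='last': let a later segment overwrite. Real stacks differ in which
    they apply, and a monitor has to guess the host's choice."""
    buf = {}
    for off, data in segments:
        for i, b in enumerate(data):
            pos = off + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
    if not buf:
        return b""
    return bytes(buf.get(i, 0) for i in range(max(buf) + 1))  # 0 fills any hole


def normalize(segments):
    """Traffic normalization: forward a retransmission only if every byte it
    carries agrees with what was already seen at that position; drop it otherwise.
    After this, 'first' and 'last' reassembly give the same answer."""
    seen = {}
    kept = []
    for off, data in segments:
        conflict = any(seen.get(off + i, b) != b for i, b in enumerate(data))
        if conflict:
            continue
        for i, b in enumerate(data):
            seen[off + i] = b
        kept.append((off, data))
    return kept


if __name__ == "__main__":
    print("favour first copy:", reassemble(SEGMENTS, "first"))
    print("favour last copy: ", reassemble(SEGMENTS, "last"))
    cleaned = normalize(SEGMENTS)
    print("after normalizer: ", reassemble(cleaned, "first"), reassemble(cleaned, "last"))
```

The cost the paper discusses is visible in `normalize`: the device on the path has to remember bytes it has already forwarded in order to compare retransmissions against them, which is state a plain packet filter does not keep.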

Misc

certificate pinning, PKI, Kerberos, EKE, the Dolev-Yao paper, advanced password-based authentication