Exam Summary PDF

Title Exam Summary
Author Madalena Santos
Course Segurança Informática em Redes e Sistemas (Computer Security in Networks and Systems)
Institution Instituto Superior Técnico
Pages 29
File Size 1.6 MB
File Type PDF

Summary

Summary covering all the topics of the course...


Description

CIA

Confidentiality – absence of disclosure of data by non-authorized parties
Main properties/attributes and security mechanisms: Privacy; Access control; Segregation of privileges; Encryption; Stealth; Steganography; Authorization; Confinement

Integrity – absence of invalid system or data modifications by non-authorized parties
Main properties/attributes and security mechanisms: Authenticity – integrity of content and origin; Encryption; Non-repudiation – same, but verifiable by others; Authentication; Repudiation; Identification

Availability – readiness of the system to provide its service
Security mechanisms: Crypto puzzles; Fault tolerant replication

How do security mechanisms work?

Prevention
- Prevent the attack from succeeding
- Very intrusive
- Easy management

Detection
- Important for unpredictable attacks
- Complex management
- Not very intrusive

Recovery
- Restitution of the state before the attack
- Tolerance to attacks

Vulnerability – Characteristic of a system that makes it susceptible to attacks
Attack – Actions that lead to the violation of a security attribute, often by exploiting vulnerabilities
Threat – Combination of actor, motive and vulnerability
Risk – Possibility of security being broken
- Risk = (level of) Threat x (level of) Vulnerability x Impact
Defense – Set of policies and security mechanisms aimed at:
- Reducing the vulnerability of a system
- Detecting past or current attacks as quickly as possible
- Reducing the risk of a system

Threats/Attack effects
- Disclosure – unauthorized access
- Deception – acceptance of false information
- Disruption – prevention of correct operation
- Hijacking – taking control

Vulnerabilities topics

In the identification of objects (in the use of names)
- Be aware of the problem
- Do not perform security validations based on names, file extensions or URLs
- Whenever possible reduce names to their canonical form
- Accept only what is valid (reject all the rest)
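The advice above on names, as an added example that is not part of the original notes: a check on the raw name is compared with one that first reduces the name to its canonical form and then accepts only what is valid. The document root, the extension allow-list and the sample names are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

BASE = "/srv/app/public"                 # hypothetical document root (assumption)
ALLOWED_EXT = {".html", ".css", ".png"}  # accept only what is valid


def naive_is_allowed(name: str) -> bool:
    """Validation on the raw name: the practice the notes advise against."""
    return name.startswith(BASE + "/") and name.endswith(tuple(ALLOWED_EXT))


def canonical(name: str) -> str:
    """Reduce a path name to one canonical spelling, or raise ValueError."""
    prev = None
    while prev != name:                  # undo nested encoding: %252e -> %2e -> .
        prev, name = name, unquote(name)
    if "\x00" in name or "\\" in name:
        raise ValueError("character never valid in these names")
    return posixpath.normpath(name)      # collapses "//", "/./" and "/../"


def is_allowed(name: str) -> bool:
    """Canonicalise first, then apply the allow-list to the canonical form."""
    try:
        path = canonical(name)
    except ValueError:
        return False
    ext = posixpath.splitext(path)[1].lower()
    return path.startswith(BASE + "/") and ext in ALLOWED_EXT


# Constructed sample names: one ordinary, three that name a different object.
SAMPLES = [
    "/srv/app/public/img/./logo.png",
    "/srv/app/public/../../../etc/passwd.png",
    "/srv/app/public/%2e%2e/private/report.html",
    "/srv/app/public/%252e%252e/private/report.html",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:52} raw={naive_is_allowed(s)!s:5} canonical={is_allowed(s)}")
```

This works on the name alone; on a real file system, symbolic links also have to be resolved (for instance with os.path.realpath) before the comparison.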

In the interface between services (Applications/Services and Protocols)
- Wrong assumption/perception regarding the behavior of other applications/services/protocols
- Covert channels

Inside the services (using PHP - Code Injection; using SQL - SQL Injection; using JavaScript – XSS; using C - Overflows)

Using PHP
- Eval Injection
- Shell Injection
- Local File Inclusion
- Remote File Injection

Cross-Site Scripting (XSS) - Solutions
- Encode the outputs - Replace symbols interpreted by HTML, so that code is no longer interpreted as code (e.g. replace < by &lt;)
- Reduce the amount of HTML symbols to the essential - Test what is accepted (do not test what is not accepted)
- Use (good) encoding libraries

Cookies
Used by web applications for authenticating, tracking, and maintaining specific information about users (e.g., site preferences, contents of shopping carts). Data may be sensitive.
Types of cookies
- Session cookies - Stored only for the duration of a web-session
- Persistent cookies - Remain stored until they expire
Cookie ownership - Once a cookie is saved on your computer, only the website that created the cookie can read it
Privacy risks/attacks
- Cookies are used to track individual user behavior
- Cookies are used to track viewers of individual web-sites by third parties
Security risks/attacks
- Users change cookies before continuing to browse
- Users read the content of cookies
- Session hijacking by stealing the cookie or guessing its content
Vulnerabilities/poor practices
- Poor/no encryption of cookies (shopping cart encoded in cookie)
- Relying only on cookie for authentication (cookie is “sniffed” from the net; cookie is stolen by impersonating a website)

Stack Overflow – Protections
- Non-executable stack - Enforce a memory policy on the stack memory region that disallows execution. However, this does not protect if attack code is placed outside the stack (Return-to-libc/Return-oriented programming)
- Randomization - Randomizing the memory layout will prevent the attacker from knowing where any code is (ASLR, Address Space Layout Randomization). However, implementations typically will not randomize everything
- Stack canaries - Detect buffer overflow before execution of malicious code. Small integer, random value, placed just before stack return pointer. If the canary value is changed, stop execution.

Security Architecture

Security infrastructure - All entities (people, tools, objects, etc.) contributing to security
- All security components created (or existing)
- Inventory of resources - Databases, networks, applications, operating systems. Identification of the owner of each resource
- Definition of roles/responsibilities
  o Policy approval authority
  o Security Team
    - Group responsible for the continuous security tasks (Risk analysis, people awareness, enforcement and implementation of security products)
    - Local security responsibility agents (distribution)
    - Roles of the other users

Specifications
- Policies - Define acceptable behavior (~constitution)
  o Must be supported by specific procedures
  o Should be realistic and enforceable
  o Should define responsibilities
  o Should be set for the long term - the procedures and practices must be constantly updated but policies should be kept for long periods
  o Should be simple and short - Many policies vs a single policy; facilitate reading and understanding; facilitate dissemination
- Procedures - Plans, processes, or methods on how to do/enforce policies (~laws)
  o Written and approved plans
  o Explain how to apply/enforce the policy
  o Dependent on the physical infrastructure
  o Limited scope of action
  o Consistency with the other procedures is facilitated by the consistency of policy
  o The required update effort is smaller than that for the policies
- Practices - Agreed rules in order to facilitate communication (~regulations)
  o Establish rules that facilitate the work
  o Do not add degrees of security
  o Do not confuse them with policies:
    - Example policy: All users have a single unique userid
    - Example of a practice: The composition of the identifier of each user (userid) is formed by the initials of his name

Policy implementation mechanisms
- Software/hardware mechanisms
- People-oriented mechanisms

Documentation - The documentation of the entire infrastructure is of extreme importance
- Raises awareness
- Clarifies responsibilities of each stakeholder
- Reduces delays in the application of measures
- Broadens the base of support to the security project (administration)

Risk Analysis
- Quantitative vs. Qualitative
- Results
  o Value of information
  o Costs per threat
  o Probability of the threat
  o Recommendations and safeguards
- Solutions
  o Risk reduction (our job)
  o Risk transfer (insurance)
  o Living with risk

Development cycle
- Waterfall model
- Agile development

Security practices
- Inception practices: at the start of the Agile project
  o Risk Assessment
  o Requirements Definition
  o Incident Response
- Iteration practices: should be performed in every release
  o Threat Assessment
  o Code Review
  o Design Review
- Regular practices: on multiple sprints during the project
  o Dynamic Security Testing
  o Fuzz Testing (misuse)

Threat Modeling

DFD
- Decompose application into its main components – Identify each component and function using Data Flow Diagrams (DFD) or equivalent in UML
- Define borders between security regions (Component interaction, who can access what, what is it exposed to)

STRIDE (Threat Identification – for each element of the DFD)
- S: Spoofing identity - Users, servers; passwords, DNS
- T: Tampering with data - Direct data modification (file system, network, database, etc.); Improper authorization
- R: Repudiation - Action repudiation (sent, received, signature, etc.)
- I: Information Disclosure - Privacy breach, data leak
- D: Denial of Service
- E: Elevation of privilege - Becoming root, through a Trojan

DREAD (Threat Classification – for each vulnerability)
Vulnerabilities rated on a 1-10 scale for each category:
- D – Damage potential
  o How serious is the damage, if it exists?
  o Priority elevation = 10
- R – Reproducibility
  o How hard is it to reproduce the attack?
  o Randomly occurring vulnerabilities are hard to reproduce.
- E – Exploitability
  o How much work is it to launch the attack?
  o Script kiddies = 10; Experts = 5; Unlimited resources = 1
- A – Affected users
  o How many people will be affected by the attack?
  o 91-100% = 10; 0-10% = 1
- D – Discoverability
  o How probable is it of being discovered?
  o Internet = 10; Locked in a vault = 1
Relevance of the vulnerability = average of all categories

IEEE Center for Secure Design recommendations
1. Earn or give, but never assume trust
2. Use authentication that cannot be bypassed or tampered
3. Authorize after you authenticate
4. Strictly separate data and control instructions
5. All data must be explicitly validated
6. Use cryptography correctly
7. Identify sensitive data and how to handle it
8. Always consider the users
9. Understand how external components affect attack surface
10. Be flexible when considering future objects and actors

Common Weakness Enumeration (CWE)
- List of weaknesses that are often easy to find and exploit
- Compiled with a data-driven approach that uses Common Vulnerabilities and Exposures (CVE) data
- Uses a scoring formula to determine the level of prevalence and danger for each weakness based on Common Vulnerability Scoring System (CVSS) scores for the CVE
- Community resource - Can be used by software developers, testers, customers, project managers and security researchers and educators

Certification

For operating systems
  o
    - Evaluation: Design analysis; Test analysis; Final review
    - Evaluation done by independent evaluators
    - Assigns a class: C1, C2, B1, B2, B3, A1
    - Problems: Focused heavily on confidentiality, disregarding other security properties; Narrow scope: mainly military operating systems; Based on the documentation, no access to the source code; Long evaluation time; Evaluation mixes assurance with functionality
  o ITSEC - UK, France, Germany, Netherlands
    - Functionality and assurance are evaluated separately
    - Applicable to systems and applications (TOE – Target of Evaluation)
    - Problems: No validation that security requirements make sense; Inconsistency in evaluations (not as well defined as in TCSEC)

For computer networks
  o Network Interpretation (US)

For cryptography
  o FIPS 140 (US)

For applications
  o ITSEC
  o
    - Parts: CC documentation; Evaluation methodology of CC (CEM); National schemas (country specific): evaluators selection, certification attributions, interaction between evaluators and vendors, etc.

CC Methodology (CEM)
- Functional requirements
- Assurance requirements
- Evaluation Assurance Levels (EALs) (e.g. Java Smart Card has an EAL=5+ - maximum is 7)

Functional Requirements
- Product/system behavior definition regarding security
- 11 classes divided in families that contain components
- Components have:
  o Requirements definition
  o Dependencies from other requirements
  o Requirements hierarchy
- Predefined classes:
  o Audit (FAU)
  o Cryptography Support (FCS)
  o Communications (FCO)
  o User Data Protection (FDP)
  o Identification and Authentication (FIA)
  o Security Management (FMT)
  o Privacy (FPR)
  o Protection of the TOE Security Functions (FPT)
  o Resource Utilization (FRU)
  o TOE Access (FTA)
  o Trusted Path/Channels (FTP)

Assurance Requirements
- Establish confidence in the security features
  o Correctness of the implementation
  o Fulfillment of the security objectives
- 10 classes
  o 1 – Evaluation of PPs
  o 1 – Evaluation of STs
  o 1 – Maintenance of Assurance
  o 7 – Product assurances
- Assurance classes:
  o Development (TOE design, Functional specifications, …)
  o Delivery and Operation
  o Configuration
  o Product Documentation
  o Life cycle (Delivery, Flaw remediation, …)
  o Testing (Depth, coverage, …)
  o Vulnerability analysis

Types of evaluation
- Protection Profile (PP) - product independent
- Security Target (ST) - specific for each product

Protection Profile (generic)
- Introduction
- Description of the class/family of target products, a.k.a. Target of Evaluation (TOE)
- Description of the execution environment
  o Assumptions regarding the system operation
  o Threatened resources
  o Security policy of the target organization
- Security objectives
  o Product/system objectives
  o Environment objectives
- Security requirements
  o Functional
  o Assurance
- Rationale
  o Interconnects the previous points

Security Target (specific)
- Introduction
- TOE description
- Description of the execution environment
  o Assumptions regarding the system operation
  o Threatened resources
  o Security policy of the target organization
- Security objectives
  o Product/system objectives
  o Environment objectives
- Security requirements
  o Functional
  o Assurance
- TOE specification
  o Security mechanisms
  o Description on how to assure security
- PP Claims
  o How the PP objectives/requirements are fulfilled
- Rationale
  o Derived from the assurance requisites

1. Physical (Ethernet, FDDI, B8ZS, V.35, V.24, RJ45)
2. Data Link (PPP, FDDI, ATM, IEEE 802.5/802.2, IEEE 802.3/802.2, HDLC, Frame Relay)
3. Network (IP, IPX, AppleTalk DDP)
4. Transport (TCP, UDP, SPX)
5. Session (NFS, NetBios names, RPC, SQL)
6. Presentation (ASCII, EBCDIC, JPEG, MPEG, GIF, PICT, TIFF)
7. Application (HTTP, FTP, SNMP, NFS, Telnet)

Passive attacks
- Information disclosure – Darth reads the contents of a message from Bob to Alice
- Traffic analysis – Darth observes the pattern of messages from Bob to Alice

Active attacks
- Impersonation – Messages received by Alice from Darth that appear to be from Bob
- Replay – Darth captures a message from Bob to Alice and later replays it to Alice
- Tampering – Darth modifies a message from Bob to Alice
- Denial of service – Darth disrupts the service provided by a server

Hub - Sends signals, and sends them everywhere
Switch - Sends frames and only sends them where they need to go
Router - Has MAC address too. Looks at the IP address from the incoming packet and forwards it

Network addresses
- MAC (Medium Access Control) address (layer 2)
  o Address of NIC (Network Interface Card)
  o Unique identifier with 48 bits
  o The first 24 bits identify the manufacturer
- IP (Internet Protocol) address (layer 3)
  o IPv4 address has 32 bits
    - Usually represented as 4 separate decimal numbers - 131.159.15.24
  o IPv6 address has 128 bits
    - Represented as 8 groups of 4 hex digits (16 bits) - 2001:4ca0:2001:0013:0250:56ff:feba:37ac

Address Resolution Protocol (ARP) - Layer 3 Protocol (Network)
- ARP query - Who has the IP 192.168.0.40? Answer to 192.168.0.20
- ARP reply - 192.168.0.40 is at 00:0e:81:10:19:FC
- ARP caches
  o Store previous answers
  o When the answers are too old, they are removed

Hubs (Layer 1)

Threat: Sniffers
- Usually network adapters operate in a non-promiscuous mode
  o Network adapters only listen to what is sent to their MAC
- Sniffers work in a promiscuous mode
  o Read all frames, with any MAC
- Some sniffer tools: Tcpdump, Wireshark (Ethereal), Snort

Identifying sniffers (AntiSniff tool)
- Latency Method
  o Send high volume of packets to target
  o Compare time needed to answer to 1 packet vs n packets
- DNS Method
  o Detect large volume of reverse lookup DNS queries from Tcpdump, Wireshark running at sniffer machine
- OS-specific Method
  o Sends packets to target system which certain operating systems respond to (e.g. Windows in promiscuous mode always responds to MAC = ff:00:00:00:00:00)

Preventing Sniffing
- Solutions:
  o Prevent the use of network adapters in promiscuous mode
  o Use of switches (but…)
- Prevent effectiveness of sniffing:
  o Use of encryption
  o One-time passwords (e.g. SecurID, S/Key)

Switches (Layer 2)

- Switches only send the data to the destination address
- A table with the MAC in each of the ports is constructed
- When a frame reaches the switch:
  o Searches for the port where the device with that MAC is at
  o Sends the frame to that port
- Switches operate in Layer 2 (Data Link)
- Switches reduce the sniffing problem
  o The network adapter only sees what is meant for it

ARP Vulnerabilities
  o An attacker sends a non-requested ARP message with a false correspondence IP-MAC address
  o ARP messages are in no way signed, so it is easy to falsify a message from any given MAC

MAC Flooding
- The attacker sends several, unsolicited ARP messages
  o Each ARP message is sent with a different MAC
- When the table is filled up:
  o Some switches stop accepting new connections (DoS)
  o Most switches revert to a Hub mode: allowing standard sniffing attacks to work again!

Preventive Measures
- Don’t trust Layer 2 isolation
- Use tools like arpwatch
  o Monitor the ARP to IP translation
  o Alert the system administration
- Use of switches with fixed tables
  o Loss of flexibility
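The monitoring idea behind the arpwatch item above, as an added example that is not part of the original notes and not arpwatch's own code: it tracks the IP-to-MAC translation seen in ARP replies, alerts when a known IP moves to a different MAC, and alerts when many never-seen MACs appear within a short window. The record format, the thresholds and the sample records are constructed assumptions.

```python
# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies.
SAMPLE = [
    (0, "192.168.0.40", "00:0e:81:10:19:FC"),
    (5, "192.168.0.20", "00:0e:81:aa:bb:01"),
    (60, "192.168.0.40", "00:0e:81:10:19:fc"),   # same binding, different case
    (61, "192.168.0.40", "02:00:00:00:00:99"),   # known IP, new MAC
] + [
    # many replies in a few seconds, each with a MAC never seen before
    (100 + i, f"192.168.0.{100 + i}", f"02:00:00:00:01:{i:02x}") for i in range(6)
]


def watch(events, window=10, threshold=5):
    """Return alerts for changed IP-MAC bindings and bursts of new MACs."""
    bindings = {}      # ip -> MAC last seen for it
    seen_macs = set()  # every MAC observed so far
    recent_new = []    # times at which a never-seen MAC appeared
    in_burst = False
    alerts = []
    for t, ip, mac in events:
        mac = mac.lower()                      # compare one canonical spelling
        old = bindings.get(ip)
        if old is not None and old != mac:
            alerts.append(("binding-changed", t, ip, old, mac))
        bindings[ip] = mac
        if mac not in seen_macs:
            seen_macs.add(mac)
            recent_new.append(t)
        recent_new = [x for x in recent_new if t - x < window]
        if len(recent_new) >= threshold:
            if not in_burst:                   # one alert per burst
                alerts.append(("new-mac-burst", t, len(recent_new)))
            in_burst = True
        else:
            in_burst = False
    return alerts


if __name__ == "__main__":
    for alert in watch(SAMPLE):
        print(alert)
```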

Routers (Layer 3)

Routers support the indirect delivery of IP datagrams
- Routing tables are used
- A datagram can usually be sent:
  o Directly to the final destination
  o To the next router in the direction of the destination
  o To the default router

IP spoofing
- IP Packets are not authenticated
- Attacker can change the source address of IP packets → insecure to base access control on IP addresses
- Attacker can replay, delay, reorder, modify, or inject IP packets
- Users have little to no guarantee concerning the routing path taken by the packets: Information leak threat, packet integrity threat, DoS threat

Route update security
- An attacker might corrupt the routing tables by sending routing-update messages
- ICMP redirect packets
- Intra-domain
  o RIPv1 and IGRP do not have authentication
- Inter-domain
  o BGP also does not have authentication; based on policy
- DoS, Man-in-the-Middle attacks are possible

Transport Layer (Layer 4)

TCP/IP Handshake

Explores the de-synchronization between 2 hosts
  o De-synchronization: data segments sent are out of the sliding window, so they are discarded by the receiver
  o Receiver generates many ACK packets: TCP ACK storm
    - That can be used to detect the de-synchronization
  o Attacker can create data segments with correct numbers, in sync
Forging the de-synchronization:
  o During the creation of a TCP/IP connection
  o Resetting an already established connection
Practicability:
  o The attacker must be in the middle of the communication – Man-in-the-middle attack
Protection:
  o Random generation of the ISN (initial sequence number)
    - Useful if attacker doesn’t observe the packets
  o Avoid any host-based authentication based on the IP address
  o Firewalls
    - Filter/discard data segments with source-routing
    - Use IP masquerading (NAT) for insecure connection nodes
  o Protection at the IP level or higher (IPsec, TLS, SSH, etc.)

DoS attack: SYN flooding
Consists of overloading a host with incomplete TCP/IP connection requests
  o X → A: SYN
  o A → X: SYN+ACK
  o X → A: ACK → Missing!
Typically the attacker uses IP spoofing
  o Forging one or more unused IP addresses
    - Often TCP is insensitive (when in the SYN_RECVD state) to ICMP error messages: “host unreachable” or “port unreachable”
    - Easy to temporarily block
  o Forging random IP addresses
    - Less powerful attack
    - Harder to block
Explored vulnerabilities
  o No authentication in the SYN segments
  o The server needs to reserve more resources than the client/attacker
Impact on the attacked machine
  o Storage of the connection requests until they are eliminated by timeout
    - TCP connection in the SYN_RECVD state
  o The amount of connection requests per port is limited:
    - The subsequent requests are discarded
    - Correct requests may be discarded due to the existence of false connection requests
Solutions:
  o No definite solution for IPv4
  o Modifying TCP for the servers
    - Bigger request queues, lower timeouts
    - Random Drop
    - SYN cookies: ISN is sent ciphered in the SYN+ACK (cookie) and returned in the ACK; the server retains no information
  o Cooperation with firewalls
    - Relay or semi-gateway
  o Attack detectors

ICMP (Internet Control Message Protocol)
- Mandatory in all IP networks
- Used to send and receive the error messages from IP

Broadcast
- Any packet with a destination address ending with .255 in a network with a 255.255.255.0 netmask is sent to all the machines in that network
- Equally works in networks with different dimensions

ICMP Smurf attack (DoS)
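The SYN cookies item in the SYN flooding solutions above, as an added example that is not part of the original notes: the server derives its ISN from the connection's own fields and a secret, stores nothing, and recomputes the value when the ACK arrives. This is a simplified construction using a keyed hash (HMAC) rather than a cipher, not the algorithm of any particular TCP stack; the field widths, the 64-second slot, the secret and the addresses are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; a server would use a random secret
SLOT = 64                         # seconds per time slot (assumption)
M32 = 0xFFFFFFFF                  # TCP sequence numbers are 32 bits wide


def _tag(src, sport, dst, dport, client_isn, slot):
    """24-bit keyed tag binding the cookie to one connection attempt."""
    msg = f"{src}|{sport}|{dst}|{dport}|{client_isn}|{slot}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, client_isn, now):
    """Server ISN for the SYN+ACK: 8-bit time slot + 24-bit tag. Nothing is stored."""
    slot = (now // SLOT) & 0xFF
    tag = _tag(src, sport, dst, dport, client_isn, slot)
    return (slot << 24) | int.from_bytes(tag, "big")


def check_ack(src, sport, dst, dport, seq, ack, now, max_age=1):
    """Validate the final ACK using only its own fields and the secret."""
    cookie = (ack - 1) & M32        # the ACK acknowledges server ISN + 1
    client_isn = (seq - 1) & M32    # the client's SYN consumed one sequence number
    slot = cookie >> 24
    if (((now // SLOT) & 0xFF) - slot) & 0xFF > max_age:
        return False                # cookie too old, or slot field forged
    expected = _tag(src, sport, dst, dport, client_isn, slot)
    return hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big"))


if __name__ == "__main__":
    # Constructed handshake; addresses are from documentation ranges.
    conn = ("198.51.100.7", 40000, "192.0.2.10", 443)
    isn = make_cookie(*conn, client_isn=12345, now=1000)
    print("SYN+ACK seq =", isn)
    print("genuine ACK :", check_ack(*conn, seq=12346, ack=(isn + 1) & M32, now=1030))
    print("forged ACK  :", check_ack(*conn, seq=12346, ack=1, now=1030))
```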

DoS: exploiting flaws Protocols have flaws at the impleme...

