CS155 Computer Security Course Overview PDF
Document Details
Uploaded by SleekBongos4857
Stanford University
Dan Boneh
Tags
Summary
This document is for a Computer Security course, CS155, at Stanford. It provides an overview of the course, including administrative details, course goals, and examples of various computer security issues and attacks.
Full Transcript
CS155 Computer Security Course overview Dan Boneh Admin Course web site: https://cs155.Stanford.edu Profs: Dan Boneh and Zakir Durumeric Three programming projects (pairs) and two written homeworks Project #1 posted on Wednesday. Please...
CS155 Computer Security Course overview Dan Boneh Admin Course web site: https://cs155.Stanford.edu Profs: Dan Boneh and Zakir Durumeric Three programming projects (pairs) and two written homeworks Project #1 posted on Wednesday. Please attend first section! Use EdDiscussions and Gradescope Automatic 72 hour extension Dan Boneh The computer security problem Lots of buggy software Money can be made from finding and exploiting vulns. 1. Marketplace for exploits (gaining a foothold) 2. Marketplace for malware (post compromise) 3. Strong economic and political motivation for using both current state of computer security Dan Boneh Top 10 products by total number of distinct vulnerabilities in 2023 Product name Vendor # vulnerabilities Android Google 1422 Microsoft Server Microsoft 2059 Fedora Fedora Project 540 Windows 11 Microsoft 1004 Debian Linux Debian 487 MacOS Apple 418 Chrome Google 296 iPhone OS Apple 269 source: https://www.cvedetails.com/top-50-products.php?year=2023 Dan Boneh Distribution of exploits used in attacks Java Android Browser Office Source: Kaspersky Security Bulletin 2021 Dan Boneh A global problem Top 10 countries by share of attacked users: Source: Kaspersky Security Bulletin 2021 Dan Boneh Goals for this course Understand exploit techniques – Learn to defend and prevent common exploits Understand the available security tools Learn to architect secure systems Dan Boneh This course Part 1: basics (architecting for security) Securing apps, OS, and legacy code: sandboxing, access control, and security testing Part 2: Web security (defending against a web attacker) Building robust web sites, understand the browser security model Part 3: network security (defending against a network attacker) Monitoring and architecting secure networks. Part 4: securing mobile and cloud applications, hardware features Dan Boneh Don’t try this at home ! Dan Boneh Introduction What motivates attackers? … economics Dan Boneh Why compromise end user machines? 1. Steal user credentials keylog for banking passwords, corporate passwords, gaming pwds Example: SilentBanker (and many like it) User requests login page Malware injects Bank sends login page Javascript needed to log in Bank When user submits information, also sent to attacker Similar mechanism used by Zbot, and others Adversary-in-the-Browser (AITB) Dan Boneh Lots of financial malware records banking passwords via keylogger spread via spam email and hacked web sites maintains access to PC for future installs Source: Kaspersky Security Bulletin 2021 Dan Boneh Similar attacks on mobile devices Example: FinSpy. Works on iOS and Android (and Windows) once installed: collects contacts, call history, geolocation, texts, messages in encrypted chat apps, … How installed? – Android pre-2017: links in SMS / links in E-mail – iOS and Android post 2017: physical access Dan Boneh Why own machines: 2. Ransomware a worldwide problem Worm spreads via a vuln. in SMB (port 445) Apr. 14, 2017: Eternalblue vuln. released by ShadowBrokers May 12, 2017: Worm detected (3 weeks to weaponize) Dan Boneh WannaCry ransomware Dan Boneh Why own machines: 3. Bitcoin Mining # affected users Examples: 1. Trojan.Win32.Miner.bbb 2. Trojan.Win32.Miner.ays 3. Trojan.JS.Miner.m 4. Trojan.Win32.Miner.gen Source: Kaspersky Security Bulletin 2021 Dan Boneh More devastating: server-side attacks (1) Data theft: credit card numbers, intellectual property – Example: Equifax (July 2017), ≈ 143M “customer” data impacted Exploited known vulnerability in Apache Struts (RCE) – Many many similar attacks since 2000 (2) Political motivation: – Election: attack on DNC (2015), – Ukraine attacks (2014: election, 2015,2016: power grid, 2017: NotPetya, … ) (3) Infect visiting users Dan Boneh Result: many server-side Breaches Typical attack steps: – Reconnaissance – Foothold: initial breach Security tools available to – Internal reconnaissance try and stop each step (kill chain) – Lateral movement will discuss tools during course – Data extraction … but no complete solution – Exfiltration Dan Boneh Case study 1: SolarWinds Orion (2020) SolarWinds Orion: set of monitoring tools used by many orgs. one infected DLL What happened? SolarWinds.Orion.Core.DLL Customer 1 orion sunburst SolarWinds ⋮ Orion malware software orion Customer 18000 update Attack (Feb. 20, 2020): attacker corrupts SolarWinds software update process Large number of infected orgs … not detected until Dec. 2020. Dan Boneh Sunspot: malware injection How did attacker corrupt the SolarWinds build process? taskhostsvc.exe runs on SolarWinds build system: – monitors for processes running MsBuild.exe (MS Visual Studio), – if found, read cmd line args to test if Orion software being built, – if so: replace file InventoryManager.cs with malware version (store original version in InventoryManager.bk) when MsBuild.exe exits, restore original file … no trace left How can an org like SolarWinds detect/prevent this ??? Dan Boneh The fallout … Large number of orgs and govt systems exposed for many months More generally: a supply chain attack Software, hardware, or service supplier is compromised ⟹ many compromised customers Many examples of this in the past (e.g., Target 2013, … ) Defenses? Dan Boneh Case study 2: typo squatting pip: The package installer for Python Usage: python –m pip install ‘SomePackage>=2.3’ # specify min version By default, installs from PyPI: The Python Package Index (at pypi.org) PyPI hosts over 300,000 projects Security considerations? Dan Boneh Security considerations: dependencies Every package you install creates a dependence: Package maintainer can inject code into your environment Supply chain attack: attack on package maintainer ⟹ compromise dependent projects Many examples: https://jfrog.com/blog/malicious-pypi-packages-stealing-credit-cards-injecting-code/ Dan Boneh A recent example: xz Utils An open source compression utility on Github Feb. 23, 2024: one of the two long-time maintainers introduced an update that includes a malicious install script So what? sshd has a dependency on xz Utils … ⇒ enables remote access into servers running sshd Fortunately, this was caught before wide deployment Dan Boneh Security considerations: typo-squatting The risk: malware package with a similar name to a popular package ⟹ unsuspecting developers install the wrong package Examples: urllib3: a package to parse URLs. Malware package: urlib3 python-nmap: net scanning package. Malware package: nmap-python From 2017-2020: 40 examples on PyPI of malware typo-sqautting packages [Meyers-Tozer’2020] Dan Boneh Case study 3: Large Language Models Every new technology brings new avenues for attacks Example: attacking LLMs via prompt injection I’ll fine-tune a model to respond to incoming what could go wrong? emails using my previous email responses incoming email automated response mail server Dan Boneh Prompt injection attacks LLMs can be vulnerable to adversarial inputs ⇒ an adversarial incoming email can cause LLM to send back its training data (private emails) hidden instructions An example: image-based prompt injection Source: https://arxiv.org/pdf/2307.10490v4.pdf Dan Boneh Introduction The Marketplace for Exploits Dan Boneh Marketplace for Exploits Option 1: bug bounty programs (many) Google Vulnerability Reward Program: up to $31,337 https://bughunters.google.com/ Microsoft Bounty Program: up to $100K Apple Bug Bounty program: up to $200K Stanford bug bounty program: up to $1K Pwn2Own competition: $15K Dan Boneh Google’s bug bounty program https://bughunters.google.com/ Dan Boneh Marketplace for Exploits Option 1: bug bounty programs (many) Google Vulnerability Reward Program: up to $31,337 Microsoft Bounty Program: up to $100K Apple Bug Bounty program: up to $200K Stanford bug bounty program: up to $1K Pwn2Own competition: $15K Option 2: Zerodium: up to $2M for iOS, $2.5M for Android (since 2019) … many others Dan Boneh Marketplace for Exploits RCE: remote code execution LPE: local privilege escalation SBX: sandbox escape Source: Zerodium payouts Dan Boneh Marketplace for Exploits RCE: remote code execution LPE: local privilege escalation SBX: sandbox escape Source: Zerodium payouts Dan Boneh Why buy 0days? https://zerodium.com/faq.html Dan Boneh Ken Thompson’s clever Trojan Turing award lecture (CACM Aug. 1984) What code can we trust? Dan Boneh What code can we trust? Can we trust the “login” program in a Linux distribution? (e.g. Ubuntu) No! the login program may have a backdoor ⇾ records my password as I type it Solution: recompile login program from source code Can we trust the login source code? No! but we can inspect the code, then recompile Dan Boneh Can we trust the compiler? No! Example malicious compiler code: compile(s) { if (match(s, “login-program”)) { compile(“login-backdoor”); return } } Dan Boneh What to do? Solution: inspect compiler source code, then recompile the compiler Problem: C compiler is itself written in C, compiles itself What if compiler binary has a backdoor? Dan Boneh Thompson’s clever backdoor Attack step 1: change compiler source code: compile(s) { if (match(s, “login-program”)) { compile(“login-backdoor”); return } if (match(s, “compiler-program”)) { (*) compile(“compiler-backdoor”); return } } Dan Boneh Thompson’s clever backdoor Attack step 2: Compile modified compiler ⇒ compiler binary Restore compiler source to original state Now: inspecting compiler source reveals nothing unusual … but compiling compiler gives a corrupt compiler binary Complication: compiler-backdoor needs to include all of (*) Dan Boneh What can we trust? I order a laptop by mail. When it arrives, what can I trust on it? Applications and/or operating system may be backdoored ⇒ solution: reinstall OS and applications How to reinstall? Can’t trust OS to reinstall the OS. ⇒ Boot Tails from a USB drive (Debian) Need to trust pre-boot BIOS, UEFI code. Can we trust it? ⇒ No! (e.g. ShadowHammer operation in 2018) Can we trust the motherboard? Software updates? Dan Boneh So, what can we trust? Sadly, nothing … anything can be compromised but then we can’t make progress Trusted Computing Base (TCB) Assume some minimal part of the system is not compromised Then build a secure environment on top of that will see how during the course. Dan Boneh Next lecture: control hijacking vulnerabilities THE END Dan Boneh
