01 - Introduction.pdf
Computer Security
Introduction to Security (192.019)
Security & Privacy Research Unit (192-06)
Marco Squarcina, Mauro Tempesta
https://secpriv.wien
Introduction to Security // Computer Security

What is Computer Security?
Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
National Institute of Standards and Technology (NIST), https://csrc.nist.gov/glossary/term/computer_security
Introduction to Security // Computer Security 2

Key Security Concepts
Confidentiality: sensitive information is not disclosed to unauthorized entities
Integrity
  ○ Data: data has not been modified in an unauthorized or undetected manner
  ○ System: the system performs its intended function in an unimpaired manner
Availability
  ○ Data: data stored on the system can be accessed by authorized users
  ○ System: the system works promptly and service is not denied to authorized users
Introduction to Security // Computer Security 3

Security is a Complicated Beast!
Intended functionality
  ○ If the user provides ...
  ○ Then the system does ...
Possibly infinite number of inputs / actions
Security
  ○ If an attacker performs ...
  ○ Then the system does not do ...
Security properties are in general undecidable!
Introduction to Security // Computer Security 5

Security Vulnerabilities
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat actor
  ○ Default / weak passwords
  ○ Insecure users
  ○ Code injection
  ○ Usage of insecure libraries
  ○ Broken access control
  ○ Memory safety
  ○ Missing / improper usage of cryptography
  ○ Security misconfigurations
Introduction to Security // Computer Security 6

Threats & Attacks
A threat is any circumstance or event with the potential to compromise the security of the system
  ○ Internal: risks posed by actors having authorized access to the system
  ○ External: risks posed by actors not authorized to access the system
An attack is a concrete attempt to exploit the vulnerabilities of a system in order to compromise its security
  ○ Passive: attempt to obtain information by observing the operations of the system
  ○ Active: attempt to alter system resources or affect their operation
Introduction to Security // Computer Security 7

Legislation in Austria
Austria's criminal code (Strafgesetzbuch) includes various articles about attacks against computer systems:
  ○ §118a: Illegal access to a computer system
  ○ §119, §119a: Interception of confidential data or communications
  ○ §126a: Data corruption
  ○ §126b: Disruption of IT systems
  ○ §126c: Abuse of computer programs and login data
  ○ §148a: Online fraud
Violations are punished with fines of up to 360 daily rates (Tagessätze) or sentences of up to 5 years
https://www.oesterreich.gv.at/themen/onlinesicherheit_internet_und_neue_medien/internet_und_handy___sicher_durch_die_digitale_welt/3/Seite.1720213.html
Introduction to Security // Computer Security 9

A Brief History of Hacking and (Computer) Security
Introduction to Security // Computer Security 10

The World's First "Hack" (1903)
Demo by G. Marconi and J. Fleming of the recently developed, purportedly secure wireless telegraph at the Royal Academy of Science (London)
British magician N.
Maskelyne forged obscene messages during the demo, disproving the incorrect security claims
Introduction to Security // Computer Security 11

The Cryptobombs (1938-1945)
Oct. 1938: M. Rejewski, H. Zygalski and J. Różycki develop the bomba kryptologiczna, used to break early Enigma machines
  ○ Dec. 1938: Two new rotors are added to Enigma, introducing a tenfold increase in the attack's complexity
1940: Deployment of the British bombe developed by A. Turing, G. Welchman and H. Keen, based on the Polish one
1942: Construction of an improved bombe by the US Navy, supporting the new 4-rotor Enigma machines used from 1941
Introduction to Security // Computer Security 12

Phreaking (1960s - 1970s)
Culture of people who experimented with public telephone networks to understand their inner workings
Gained strong popularity with the reverse engineering of the routing techniques for long-distance calls
  ○ AT&T's automated switches used in-band signaling to transmit commands (end of a call, dialing a number)
  ○ A tone of 2600 Hz indicated that the call was over, while retaining an open carrier line
  ○ Call a toll-free number in the target area
  ○ Send the command to end the call and start a new one
  ○ The new call is started without being charged!
Introduction to Security // Computer Security 13

The First Malware Appears (1970s)
Creeper (1971) is acknowledged as the first malware in history (B. Thomas, R. Tomlinson)
  ○ Spread over the 28 computers connected to ARPANET that were running the TENEX operating system
  ○ Printed the message "I'M THE CREEPER : CATCH ME IF YOU CAN!" to the console of infected systems; no actual harm was caused
Reaper (1972) is the first anti-malware software in history
  ○ Spread using the same technique as Creeper
  ○ Deleted Creeper from the infected system and, after some time, deleted itself
Introduction to Security // Computer Security 14

First Break-ins into Computer Systems (1970s - 1980s)
K. Mitnick (1979) broke into the Ark, the computer system used by DEC to develop the operating system RSTS/E
  ○ Sentenced in 1988 (one year in prison + 3 years probation) for having copied DEC's software
A group of teenagers (the 414s) broke into multiple high-profile computer systems between 1982 and 1983
  ○ Exploited common / default passwords
  ○ Triggered the development of laws specific to computer fraud in the US
Introduction to Security // Computer Security 15

First Legislation Against Computer Fraud (1980s - 1990s)
US Congress passes the Computer Fraud and Abuse Act (1986)
  ○ Breaking into computer systems is prosecuted as a crime
UK Parliament passes the Computer Misuse Act 1990
  ○ Reaction to the acquittal of S. Gold and R.
Schifreen, who managed to access the mailbox of the Duke of Edinburgh
  ○ Discovered via shoulder surfing the credentials of a British Telecom engineer (UN: 22222222, PW: 1234)
  ○ Conviction under the Forgery and Counterfeiting Act 1981
  ○ Court of Appeal overruled the sentence due to inappropriate forgery charges and lack of material gain
Introduction to Security // Computer Security 16

The Growing Costs of Malware (1980s - 2000s)
The Morris worm (1988) was the first to attract the attention of mainstream media
  ○ Exploited weak passwords and vulnerabilities in sendmail and finger
  ○ A couple thousand computers infected, estimated economic impact between $100,000 and $10,000,000
AIDS (1989) is the first known ransomware
  ○ Hid all directories and encrypted all filenames after the 90th reboot of the computer
  ○ A floppy disk reversing the changes was shipped upon payment of a ransom
Introduction to Security // Computer Security 17

The Growing Costs of Malware (1980s - 2000s)
Melissa (1999) is to date the fastest macro virus to spread via e-mail
  ○ Upon opening the infected file, the virus sent itself to the first 50 contacts in Microsoft Outlook
  ○ Modified the template file Normal.dot to infect other document files
~100k computers infected on the first day
  ○ Slow-downs due to the huge e-mail traffic; companies closed their networks
  ○ Estimated damages of $80 million
Introduction to Security // Computer Security 18

The Growing Costs of Malware (1980s - 2000s)
ILOVEYOU (2000) is a worm that infected over 10 million Windows PCs via e-mail within a few days
  ○ Contained in an attachment whose name carried two extensions, ".TXT.vbs"; the second one was often hidden
  ○ After execution, the worm spreads itself via Microsoft Outlook, randomly overwrites local files, and downloads a trojan to steal the user's passwords
$15 billion of estimated damages and costs for worm removal worldwide
Introduction to Security // Computer Security 19

Computer Security Today
Introduction to Security // Computer Security 20

Current Landscape
  ○ Cybercrime ranked as the 8th most severe global threat (World Economic Forum, Global Risk Report 2023)
  ○ Worldwide cybercrime costs (estimate): $8.15 trillion (2023), $13.82 trillion (2028)
  ○ Average ransom payments (Q2 2023): $740,144
Introduction to Security // Computer Security 21

Commercialization - Bug Bounty Programs
Reward programs for security researchers where vulnerabilities are reported to the software developer / system owner
  ○ Possibly via an intermediate platform (e.g., HackerOne, ZDI)
  ○ Security fixes can be produced before the vulnerability is exploited
Most large tech companies run their own program
  ○ Google: up to $1M for persistent, zero-click vulns on Pixel devices; $12M paid in rewards in 2022
  ○ Microsoft: up to $100K for Windows vulnerabilities
  ○ Apple: up to $1M for persistent, zero-click vulns on Apple products
  ○ Meta: up to $300K for remote code execution on mobile apps
Introduction to Security // Computer Security 23

Commercialization - Gray / Black Markets
Gray markets: exploits are sold only to "selected institutions" (e.g., governments in Europe / North America)
  ○ Infringements of such policies are not uncommon
Black markets: platforms on the Dark Web where cybercriminals (and other entities) buy exploits
  ○ Payments over privacy-preserving systems (e.g., cryptocurrencies)
Higher payouts, but the security of users and systems remains at risk!
Introduction to Security // Computer Security 24

Threat Actors (aka Attackers)
Cybercriminals
  ○ Infiltrate systems for monetary gain
  ○ Supported by criminal infrastructure providers supplying tools and services to carry out attacks (e.g., botnets for distributed DoS attacks)
Ideologues
  ○ Inspired by political and social issues
  ○ Hacktivists perform attacks to spread their message / draw attention to a specific topic
  ○ Terrorists seek to spread terror
Introduction to Security // Computer Security 25

Ethical Hacking
Introduction to Security // Computer Security 28

Ethical Hacking
Ethical hackers (white-hat hackers) are security experts who aim to identify security vulnerabilities of a system with the owner's consent
  ○ Attacks should not cause any harm to the system and its users
  ○ Identified vulnerabilities must be kept confidential (responsible disclosure)
  ○ Actionable solutions are proposed where possible
Introduction to Security // Computer Security 30

Responsible Disclosure
Coordinated disclosure model for security vulnerabilities
  ○ Discoverer gets in touch with the responsible parties to report the vulnerability
  ○ Responsible parties have a certain number of days (negotiable) to remedy the issue
  ○ Vulnerability is revealed to the public only after the deadline (or after the release of the fix, if sooner)
  ○ Typical deadlines: 90 days (Google Project Zero), 120 days (ZDI)
Advantages
  ○ Developers have sufficient time to fix the problem and ship updated software
  ○ Problems are (most of the time) actually fixed!
Introduction to Security // Computer Security 32

Security Vulnerabilities
Introduction to Security // Computer Security 33

CVE - Identifiers for Security Vulnerabilities
Common Vulnerabilities and Exposures: identifiers for public vulnerabilities
The format is CVE-[4 Digit Year]-[Sequential Identifier], e.g., CVE-2022-31629
CVEs are assigned one or more CWE (Common Weakness Enumeration) categories (e.g., CWE-121: stack-based buffer overflow)
CVEs are issued by CVE Numbering Authorities (CNAs)
  ○ MITRE is the primary CNA
  ○ Companies such as Oracle are CNAs and assign CVEs to their own products
  ○ Some CNAs can assign CVEs to programs outside the scope of other CNAs (e.g., Talos)
  ○ 364 CNAs, 3 in Austria
Introduction to Security // Computer Security 34

CVE - Identifiers for Security Vulnerabilities
Problems? Many. Some examples...
  ○ CNAs have different policies: known vulns affecting EOL products may not receive CVEs
  ○ Bug vs. vuln: third-party CNAs may issue bogus CVEs (https://lwn.net/Articles/944209/)
  ○ Coverage: CVEs are not well-suited for some software types, e.g., SaaS (Software as a Service, subscription-based software)
  ○ Reputation damage? Historically, more CVEs = less secure. Now things are changing...
Introduction to Security // Computer Security 35

CVSS
How bad is a vulnerability? CVSS to the rescue!
CVEs are assigned a severity score using the Common Vulnerability Scoring System
CVSS v4.0, released in November 2023: https://www.first.org/cvss/calculator/4.0 (but v3.1 is still dominant)
4 severity levels
  ○ Low (0.1-3.9)
  ○ Medium (4.0-6.9)
  ○ High (7.0-8.9)
  ○ Critical (9.0-10.0)
Problems? The scoring is subjective and certain categories are ambiguous
CVEs are defined by the CNAs, but different organizations can re-analyze the issue and assign a different score
  ○ Many discrepancies between the scoring assigned by the CNA and that of the NIST NVD (National Vulnerability Database, maintained by the National Institute of Standards and Technology)
Introduction to Security // Computer Security 36

Example of a CVE/CVSS (CVE-2014-0160) Heartbleed
The (1) TLS [...] implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys [...]
Source: https://xkcd.com/1354/
Introduction to Security // Computer Security 40
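The CVE identifier format, the CVSS severity bands and the Heartbleed-style "trust the length field" bug from the slides above, worked through in Python as an added example (this is not code from the lecture and not OpenSSL's code). The parser follows the CVE-YYYY-NNNN syntax, where the sequential part has at least four digits; the severity function maps a base score such as the slides' 8.7 to its band; the heartbeat handler is a toy model over a constructed bytearray standing in for process memory, with the unchecked version beside the fixed one.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not from the lecture slides or from OpenSSL.

# CVE syntax: CVE-<4-digit year>-<sequential identifier>; the sequential part
# has at least four digits (longer identifiers are allowed), so both
# CVE-2022-31629 and CVE-2014-0160 from the slides match.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int


def is_cve(text: str) -> bool:
    """True if the text is a syntactically valid CVE identifier."""
    return CVE_RE.match(text.strip().upper()) is not None


def parse_cve(text: str) -> CveId:
    """Validate a CVE identifier and split it into year and sequence number."""
    m = CVE_RE.match(text.strip().upper())
    if m is None:
        raise ValueError(f"not a CVE identifier: {text!r}")
    return CveId(year=int(m.group(1)), sequence=int(m.group(2)))


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the qualitative bands given on the slide.

    A score of 0.0 falls outside the four bands and is reported as "None".
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base scores range from 0.0 to 10.0")
    if score == 0.0:
        return "None"
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"


# Toy model of the Heartbleed bug class. A heartbeat request carries a payload
# and a length field; the flaw is replying with as many bytes as the *claimed*
# length says rather than as many as actually arrived. PROCESS_MEMORY is a
# constructed bytearray standing in for server memory: the 5-byte payload sits
# at offset 0 and sensitive data happens to follow it.
PROCESS_MEMORY = bytearray(b"hello" + b"SECRET-KEY-MATERIAL")


def heartbeat_reply_unchecked(memory: bytearray, payload_offset: int,
                              claimed_len: int) -> bytes:
    # Vulnerable pattern: the request's length field is trusted, so a claimed
    # length larger than the payload copies bytes past it (buffer over-read).
    return bytes(memory[payload_offset:payload_offset + claimed_len])


def heartbeat_reply_checked(memory: bytearray, payload_offset: int,
                            claimed_len: int, actual_len: int) -> Optional[bytes]:
    # Fixed pattern: a claimed length exceeding the bytes actually received is
    # a malformed request and is discarded (None) instead of answered.
    if claimed_len > actual_len:
        return None
    return bytes(memory[payload_offset:payload_offset + claimed_len])


if __name__ == "__main__":
    print(parse_cve("CVE-2014-0160"))
    print(cvss_severity(8.7))  # High, as on the slide
    print(heartbeat_reply_unchecked(PROCESS_MEMORY, 0, 20))
    print(heartbeat_reply_checked(PROCESS_MEMORY, 0, 20, actual_len=5))
```

The unchecked handler returns the payload followed by 15 bytes of the neighbouring "secret", which is exactly what the CVE text means by a buffer over-read; the checked handler compares the claimed length against the number of bytes that really arrived and refuses to answer otherwise.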
Example of a CVE/CVSS (CVE-2014-0160) Heartbleed
CVSS v4.0 Score: 8.7 / High
Introduction to Security // Computer Security 42

Security Awareness
Introduction to Security // Computer Security 45

Security Principles
  ○ Simplicity
  ○ Open design
  ○ Compartmentalization
  ○ Minimum exposure
  ○ Least privilege
  ○ Minimum trust, maximum trustworthiness
  ○ Fail-safe defaults
  ○ Complete mediation
  ○ Defense in depth
  ○ Traceability
  ○ Generating secure secrets
  ○ Usability
Introduction to Security // Computer Security 52

1 Simplicity
"Keep it simple, stupid" (KISS principle), Kelly Johnson
Most systems work best if they are kept simple rather than made complicated
  ○ Simple solutions are easier to understand, analyze, and review
  ○ Simple solutions are less likely to contain flaws
Occam's razor applied in the context of system design
Introduction to Security // Computer Security 53

2 Open Design
The security of a system should not depend on the secrecy of its protection mechanisms
"No security through obscurity" (Kerckhoffs' principle in cryptography)
  ○ Today's de-facto cryptographic mechanisms were all developed with open design
Security should depend only on possession of secrets (e.g., passwords, keys)
  ○ Impossible to maintain secrecy of a system that should be distributed
  ○ Securing a door does not rely on the attacker's ignorance of how to operate a door, but on possession of the key and the security of the lock mechanism
Introduction to Security // Computer Security 54

3 Compartmentalization
Organize resources into isolated groups (compartments) of similar needs
Isolation prevents attacks or errors in a compartment from propagating to the others
  ○ Communication between compartments, if required, happens over controlled channels
Compartmentalization at different levels:
  ○ Memory space (user vs. kernel space; memory separation between processes)
  ○ Separation of data from code
  ○ Modularization of software
  ○ Virtual machines
  ○ Network zones
Introduction to Security // Computer Security 55

4 Minimum Exposure
Minimize the attack surface a system presents to an adversary
Reduce external interfaces to a minimum
  ○ Expose only necessary services to the network
Limit the amount of information that can help an adversary
  ○ Do not provide information about software versions upon errors
Minimize the window of opportunity for attacks
  ○ Limit the number of failed password attempts before blocking an account
Introduction to Security // Computer Security 56

5 Least Privilege
Any component (and user) of a system should operate using the least set of privileges necessary to complete its job
Compromised processes / users cannot misuse privileges they do not have!
  ○ Delegation of tasks to sufficiently privileged processes
Requires careful design of programs to avoid "confused deputy attacks"
Examples
  ○ User accounts vs. guest accounts vs. administrative accounts
  ○ Android permission framework
Introduction to Security // Computer Security 57

6 Minimum Trust, Maximum Trustworthiness
Minimizing trust: minimize the expectations about the system
  ○ This can result in complete loss of trust in a system
Maximizing trustworthiness: turn the assumptions into validated properties
  ○ Rigorously prove that the system behaves only in the expected manner
  ○ Enforce controls that prove the correctness of the assumptions
Example: program processing user input
  ○ Never trust the user input! (minimize trust)
  ○ Always validate and filter user input! (maximize trustworthiness)
Introduction to Security // Computer Security 58

7 Use Fail-Safe Defaults
The system should start in a secure state and return to a secure state in the event of a failure
System designed to prevent unsafe/insecure consequences of the system's failure
  ○ Requires that the system starts in a secure state
Important in access control
  ○ Identify conditions under which access is granted
  ○ If conditions are verifiable and fulfilled, grant access (allowlisting)
  ○ Otherwise, access is denied by default!
Introduction to Security // Computer Security 59

8 Complete Mediation
Access to every security-relevant object must be monitored and controlled
The access control mechanism encompasses all security-relevant objects, is operational in any system state, and cannot be circumvented
To mitigate attacks at layers below the access control mechanism, data should additionally be protected in transit and in storage (e.g., using encryption)
  ○ Booting a different operating system from a USB stick to circumvent access control
  ○ Sniffing network traffic to get access to data
Introduction to Security // Computer Security 60

9 Defense in Depth
Build redundant security mechanisms whenever feasible
If one mechanism fails, the others should prevent the threat
  ○ Number of security layers depends on cost-benefit analysis: performance requirements, usability aspects, administrative overhead, etc.
Many examples in the real and digital world
  ○ Credit card and PIN shipped in different letters
  ○ Airplanes with redundant engines
  ○ Two-factor authentication
Introduction to Security // Computer Security 61

10 Traceability
The system must trace all security-relevant events
Typically implemented through logging
  ○ Logs must be protected to prevent adversaries from removing their traces
Important for accountability
  ○ Link actions to a subject that can be held responsible
Might contradict privacy requirements
  ○ Possible solution: usage of pseudonyms in logs, with the link to true identities stored separately
Introduction to Security // Computer Security 62

11 Generating Secure Secrets
Maximize the entropy of secrets
Shannon entropy is often used to measure the unpredictability of a secret (e.g., cryptographic key, password)
  ○ Higher entropy means that secrets are harder to find using brute-force attacks, dictionary attacks or guessing
  ○ Entropy helps keeping secrets secret
Introduction to Security // Computer Security 63

12 Usability
Design usable security mechanisms
Security mechanisms should be easy to use
  ○ The harder a security mechanism is to use, the more likely it is that users (or developers/admins) will apply it incorrectly
Security mechanisms should not interfere with typical usage
  ○ Otherwise users will tend to deactivate the security mechanism entirely
Introduction to Security // Computer Security 64
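The access-control principles from the slides above (least privilege, fail-safe defaults, complete mediation, and traceability with pseudonymous logs) combined into one small reference monitor, as an added Python example that is not part of the lecture material. The role table, the protected objects, the request sequence and the pseudonym key are all constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, FrozenSet, List, Tuple

# Added example, not from the lecture slides. The role table, the protected
# objects and the pseudonym key are constructed for the demonstration.

Permission = Tuple[str, str]  # (object, action)

# Least privilege: each role holds only the permissions its job needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "guest": frozenset({("report", "read")}),
    "user": frozenset({("report", "read"), ("report", "write")}),
    "admin": frozenset({("report", "read"), ("report", "write"),
                        ("accounts", "read"), ("accounts", "write")}),
}

# Traceability without exposing identities: the log stores a keyed hash of the
# subject, and the key (a placeholder value here) lives outside the log system,
# so the log alone cannot be linked to a person. A keyed hash (HMAC) rather than
# a plain hash keeps someone who only holds the log from recomputing pseudonyms
# for guessed names.
PSEUDONYM_KEY = b"placeholder-key-stored-separately-from-the-logs"
AUDIT_LOG: List[str] = []


def pseudonym(subject: str) -> str:
    return hmac.new(PSEUDONYM_KEY, subject.encode(), hashlib.sha256).hexdigest()[:16]


def is_allowed(role: str, obj: str, action: str) -> bool:
    # Fail-safe default: an allowlist lookup, so an unknown role, object or
    # action falls through to deny instead of raising or granting.
    return (obj, action) in ROLE_PERMISSIONS.get(role, frozenset())


def mediate(subject: str, role: str, obj: str, action: str) -> bool:
    """Single decision point: decides and records every access request."""
    decision = is_allowed(role, obj, action)
    AUDIT_LOG.append(
        f"subject={pseudonym(subject)} role={role} action={action} "
        f"object={obj} decision={'ALLOW' if decision else 'DENY'}"
    )
    return decision


def denied_events(since: int = 0) -> List[str]:
    return [line for line in AUDIT_LOG[since:] if line.endswith("decision=DENY")]


class ProtectedStore:
    """Complete mediation: the objects are reachable only through access(),
    and access() always consults mediate() before touching them."""

    def __init__(self) -> None:
        self._objects: Dict[str, str] = {
            "report": "constructed quarterly figures",
            "accounts": "constructed account list",
        }

    def access(self, subject: str, role: str, obj: str, action: str) -> str:
        if not mediate(subject, role, obj, action):
            raise PermissionError(f"{action} on {obj} denied for role {role!r}")
        if action == "write":
            self._objects[obj] = f"{obj} rewritten by {subject}"
        return self._objects[obj]


def demo_session() -> Dict[str, object]:
    """Constructed sequence of requests; returns what each caller observed."""
    start = len(AUDIT_LOG)
    store = ProtectedStore()
    seen: Dict[str, object] = {}
    seen["guest_read"] = store.access("carol", "guest", "report", "read")
    for key, args in (("guest_write", ("carol", "guest", "report", "write")),
                      ("unknown_role", ("mallory", "intern", "accounts", "read"))):
        try:
            store.access(*args)
            seen[key] = "allowed"
        except PermissionError:
            seen[key] = "denied"
    seen["admin_write"] = store.access("dave", "admin", "accounts", "write")
    seen["new_denials"] = len(denied_events(since=start))
    return seen


if __name__ == "__main__":
    for key, value in demo_session().items():
        print(key, value)
    print("\n".join(AUDIT_LOG))
```

The "intern" role is deliberately absent from the table: nothing special-cases it, yet the request is denied, which is the fail-safe default at work. The audit line for that request carries a pseudonym, not "mallory", so the log can be handed to an analyst while the mapping to real identities stays with whoever holds the key.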
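The entropy argument of the "Generating Secure Secrets" slide, carried through in Python as an added example (not from the lecture): the entropy of a secret drawn uniformly from a space, the Shannon entropy of an empirical distribution, and the average number of brute-force guesses each implies. The password frequency list is constructed for the demonstration.

```python
import math
from collections import Counter
from typing import Dict, Iterable

# Added example, not from the lecture slides.


def uniform_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose `length` symbols are drawn uniformly and
    independently from `alphabet_size` choices: length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def shannon_entropy_bits(samples: Iterable[str]) -> float:
    """Shannon entropy H = -sum(p_i * log2(p_i)) of the empirical distribution
    of the samples, e.g. of the passwords a user population actually chose."""
    counts = Counter(samples)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no samples")
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def expected_guesses(entropy_bits: float) -> float:
    """Average number of guesses to hit a secret of the given entropy when the
    attacker enumerates the 2**H equally likely candidates: half the space."""
    return 2 ** entropy_bits / 2


# Constructed frequency list: ten "users" and the passwords they picked. Half
# chose the same value, so the distribution is far from uniform.
OBSERVED_PASSWORDS = ["123456"] * 5 + ["password"] * 3 + ["qwerty", "R9#kd2!v"]


def compare() -> Dict[str, float]:
    """Entropy (bits) of several ways of choosing a secret."""
    return {
        "pin_4_digits": uniform_entropy_bits(10, 4),        # about 13.29
        "random_12_alphanumeric": uniform_entropy_bits(62, 12),  # about 71.45
        "pick_from_top_10000_list": math.log2(10_000),       # about 13.29
        "observed_population": shannon_entropy_bits(OBSERVED_PASSWORDS),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:26s} {bits:6.2f} bits  ~{expected_guesses(bits):,.0f} guesses")
```

A password picked from a list of the 10,000 most common ones has the same entropy as a 4-digit PIN, which is why the slide pairs "dictionary attacks" with "brute force": what matters is the size of the space the attacker has to search, not the length of the string. Shannon entropy of a population describes how predictable users are on average; it says nothing about one specific password, so a guesser's ordering of candidates is the better measure for a single secret.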