EPFL Computer Security (COM-301) Adversarial Thinking Lecture Notes PDF
EPFL
Carmela Troncoso
Summary
These lecture notes from EPFL cover computer security, focusing on adversarial thinking and reasoning, attacks, and defenses. The content explores concepts like penetration testing and threat modeling. The document also delves into practical, real-world applications of these topics, and the importance of understanding potential vulnerabilities.
Computer Security (COM-301)
Adversarial thinking: Attacks and defenses
Carmela Troncoso, SPRING Lab
Some slides/ideas adapted from: Emiliano de Cristofaro, Gianluca Stringhini, George Danezis

Structure of the lecture
- Why is studying attacks so important?
- How are attacks developed?
  - Adversarial thinking process
  - Examples on real-world systems
- Which attacks should you worry about?
  - Reasoning process: what can go wrong? What not to do?
  - Example attacks on software

Adversarial thinking: Reasoning as an adversary

Why do we study attacks?
- Deeper understanding of defense
  - Very good attackers make very good defenders (and vice versa: find many attacks)
  - Mediocre attackers make extremely poor defenders (find some attacks…)
- Job opportunity: penetration testing (pentesting) is a major industry
  - Try to bypass controls to establish the security quality of a system
- Nowadays also privacy! Companies need to work with data, and need to make sure that no inferences can be made. They require knowledge to test how well the algorithms they deploy sanitize their data.

In computer security, the study of attacks (besides being a lot of fun) is the path to better understanding the threats to systems in order to build better defences. Besides, from a practical perspective, being a good attacker gives a high chance of finding a job.

Traditional attacks are on systems and software (so-called pentesting). As systems cannot be perfectly secure (as we have seen and will continue to see in the next lectures), companies hire adversaries to try to find vulnerabilities. This does not guarantee security (“the universe of bad things” is too big to explore exhaustively), but it helps lower the risk of attacks by eliminating low-hanging fruit.

Nowadays, not only security attackers are in demand.
As privacy becomes more important, demanded both by society (users) and by regulation, industry becomes more interested in hiring knowledge related to the evaluation of algorithms to guarantee privacy.

Why do we study attacks? (continued)
- Does a lack of found attacks guarantee that the system is secure? No! We can never be sure we have explored the complete attack space.
- Related concepts: fail-safe principle, sanitization

But remember that not finding attacks is not a guarantee of security. The attack surface is large and we cannot guarantee that we have tried all possible attacks. Recall:
- Fail safe: because we do not know what can go wrong, if something fails, go to a state you know is safe.
- Sanitization: do not try to avoid all the bad things; only allow known good things into your system.

Why do we study attacks? (continued)
- Remember you cannot freely hack around: ethics, law, and regulations

How are attacks developed?

Attacks (typically) do not happen by chance. It is not that one wakes up one day with a sudden illumination, or that an apple falls on one's head à la Newton. Attacks are discovered by studying systems in systematic ways that enable adversaries to explore many angles where there can be a vulnerability.
Remember from Lecture 1.1 that a vulnerability is “a specific weakness that could be exploited by adversaries with interest in a lot of different assets”.

The security engineering process (weeks 1 and 2)
1. Define a security policy (principals, assets, properties) and a threat model. Attacks can exploit:
   - Misidentified principals, assets, or properties
   - Capabilities beyond what is considered in the threat model
2. Define security mechanisms that support the policy given the threat model. Attacks can exploit:
   - Design weaknesses in the security mechanisms
3. Build an implementation that supports / embodies the mechanisms. Attacks can exploit:
   - Implementation or operation problems that allow you to subvert the mechanisms

During the first lecture, we established the steps that a security engineer needs to take in order to secure a system. At a very, very high level:
- Decide what to protect from whom
- Decide how to protect it
- Implement the protections

The attack engineering process
“Inverse” approach: exploits flaws in the security engineering process
1. Define a security policy (principals, assets, properties) and a threat model. Adversary can exploit:
   - Misidentified principals, assets, or properties
   - Capabilities beyond what is considered in the threat model (more access or more computational/algorithmic capabilities)
2. Define security mechanisms that support the policy given the threat model. Adversary can exploit:
   - Design weaknesses/flaws in the security mechanisms
3. Build an implementation that supports / embodies the mechanisms. Adversary can exploit:
   - Implementation or operation problems that allow you to subvert the mechanisms

The attack engineering process exploits weaknesses introduced during the security engineering process due to carelessness, lack of knowledge, or errors.

What can go wrong when creating the security policy:
- Forgetting principals, assets, or properties.
If any of these is not considered, there may be a valuable asset whose security is not protected from a particular principal.

What can go wrong when deciding the threat model:
- Underestimation of the adversary. One thinks that the adversary has less computational power than in reality (e.g., does not have enough resources to perform denial of service), or one assumes that the adversary knows no algorithm that can break the security policy (e.g., infer secret assets to break confidentiality, compute a hash collision to break integrity).

The attack engineering process: Exploiting misidentified assets in the security policy
EXAMPLE 1 – EXTRACTING KEYS FROM HARDWARE SECURE MODULES (HSMS)
- HSMs implement the PKCS#11 standard for interoperability
- API to create a new key from the secret key: create a new key using a substring of an existing key. Given bits_length and offset, it uses bits_length of the secret key from position offset
- How would you exploit this function?
https://randomoracle.wordpress.com/2015/08/13/safenet-hsm-key-extraction-vulnerability-part-i/

An HSM is a physically secured CPU. That is, it can hold cryptographic keys that cannot be extracted by observing the device or by measuring the device's characteristics (power consumption, computation timing, etc.). Part of their security comes from having a strict API to interact with them. Following economy of mechanism, HSMs can only be accessed through a small set of functions. One of the functions available is “Extract key from key”. On input offset and key length, it internally generates a key of the designated length using length bits of the secret key of the HSM starting at position offset.

The attack engineering process: Exploiting misidentified assets in the security policy
EXAMPLE 1 – EXTRACTING KEYS FROM HARDWARE SECURE MODULES (HSMS)
PKCS#11 considers the full key an asset to protect, but not bytes of the key.
- Assume a strong key exists in the HSM
- Ask the HSM to derive a new key of length 1 byte at offset 0
- Use the new key to do an operation, say HMAC on a known input (allowed by the HSM)
- Brute force the key (input known, output known, key only 1 byte)
- Repeat with keys at different offsets → Full key recovery!
https://randomoracle.wordpress.com/2015/08/13/safenet-hsm-key-extraction-vulnerability-part-i/

This allows a strategic adversary to create small keys (e.g., of size one byte) and ask the HSM to do operations with this key. As the key for this operation has only 2^8 possible values, it can be found by exhaustive search. By asking for different offsets, the adversary can eventually recover the full key.

The attack engineering process: Exploiting unforeseen access capabilities
In both cases the adversary had remote access to functionality that was not foreseen by the threat model.
EXAMPLE 2 – FROM CABLE TO THE AIR
- Engine Control Units (ECU) control the vehicle
- ECUs connected to GSM/WiFi give a remote adversary access to the CAN bus and all the (safety) functions of the vehicle
EXAMPLE 3 – IOT DEVICES ARE A WEAK LINK
- Weakly protected IoT devices connected to the internet
- MadIoT, manipulation of demand via IoT (Princeton U.): hackers can compromise the Smart Grid with ~100K devices
https://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/#4b536af4228c
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
https://www.ft.com/content/2c17ff5e-4f02-11e8-ac41-759eee1efb74

In a car, all instructions are given to the different parts using the CAN bus. The CAN bus was never secured, because it was always assumed that an adversary would need physical access to the vehicle in order to read from or write to this bus.
As electronics advanced, the bus was connected to the Engine Control Unit, but it was still hard to access because one would also need physical access to the vehicle to interact with the ECU. In modern vehicles, however, the ECU is connected to the internet (via WiFi or GSM) to enable remote updates of the vehicle firmware, or infotainment. As a result, remote adversaries now have access to the most critical part of the vehicle. Hackers have demonstrated that they can indeed gain access, get full control of the vehicle, and perform any function: brake, steer, or change sensor readings to make drivers believe their vehicle is not working.

A similar thing happens with power plants and the power grid. Plants and distribution centers have very strong protections. They are typically not connected to the internet, and if they are, they have very strong firewalls. Similarly, modifying electricity consumption from traditional infrastructure is hard: one has to have physical access to appliances to switch them on. Other connected devices (computers) are also somewhat protected. But nowadays we have (millions) more devices connected: the Internet of Things. They are small and often badly protected because their manufacturers are not well trained. For instance, many of them still have admin:admin as one of the authorized login/password pairs. Researchers at Princeton University showed that, by accessing these devices, which in turn are connected to the power grid, they can create arbitrary electricity demands that can even bring down the whole grid.

The attack engineering process: Exploiting unforeseen capabilities
EXAMPLE 3 – UNILATERAL USER AUTHENTICATION IN GSM
- Fake BTS!
- When GSM was designed, antennas (Base Transceiver Stations, BTS) were difficult to implement and expensive to build. Thus, operators decided that the network did not need to authenticate!
- Nowadays, commodity hardware can be used to fake a base station and perform a man-in-the-middle attack (eavesdrop, impersonate, …)!
https://wildfire.blazeinfosec.com/practical-attacks-against-gsm-networks-part-1/

Another example of unprotected infrastructure due to underestimating the capabilities of the adversary is the GSM network. When it was created, it was assumed that building an antenna had a prohibitive cost in both materials and know-how. Thus, when running the protocol to connect phones to the network, the antennas do not authenticate. Nowadays, however, we have commodity Software Defined Radio boards that can easily be programmed to impersonate an antenna. As there is no authentication, it is easy to spoof a network base station and trick mobile phones into connecting to your antenna instead of a real one.

The attack engineering process: Exploiting unforeseen computational/algorithmic capabilities
EXAMPLE 4 – THE MACHINE LEARNING REVOLUTION
- The power of inference at your fingertips! Apparently irrelevant information becomes critical for the security of the system
- Learn to break better and faster! Machine learning eases attacks, as it simplifies their implementation by substituting data collection for complex modeling tasks

Regarding computational/algorithmic capabilities, we have many examples. On the computational side, we have the greater capabilities of state agencies (e.g., NSA) to brute-force long RSA keys. This is one reason why the internet is changing to longer keys (2048) and mainly to Diffie-Hellman exchange, as we will see in the network security lecture. On the algorithmic side, the most paradigmatic example nowadays is the use of machine learning to turn algorithm design into a data-driven problem. Adversaries do not need to think about clever algorithms to infer secret information, or to find ways to fool a detector; they just need a lot of data to create a machine learning model that does it for them.
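Added example (not from the lecture or from any HSM vendor): a toy in-memory model of Example 1 on HSMs above, checking whether a derive-from-substring API reveals the key when only the full key is treated as an asset, and again when a minimum derived-key length is enforced. ToyHSM, its byte-granular offsets and the min_derived_len policy knob are assumptions made for this sketch.

```python
import hashlib
import hmac

class ToyHSM:
    """Constructed stand-in for an HSM: the secret is reachable only through the API."""

    def __init__(self, secret: bytes, min_derived_len: int = 1):
        self._secret = secret
        self._min_len = min_derived_len  # assumed policy knob, not a PKCS#11 attribute
        self._derived = []               # derived keys, addressed by handle

    def derive_substring_key(self, offset: int, length: int) -> int:
        """Derive a key from `length` bytes of the secret starting at `offset`."""
        if offset < 0 or length < self._min_len or offset + length > len(self._secret):
            raise PermissionError("derivation refused by policy")
        self._derived.append(self._secret[offset:offset + length])
        return len(self._derived) - 1

    def hmac_sha256(self, handle: int, message: bytes) -> bytes:
        """Allowed operation: HMAC a caller-chosen message under a derived key."""
        return hmac.new(self._derived[handle], message, hashlib.sha256).digest()


def recover_via_api(hsm: ToyHSM, secret_len: int, known: bytes = b"known input") -> bytes:
    """Replay the slide's steps: 1-byte derived keys, HMAC, 2^8 guesses per offset."""
    recovered = bytearray()
    for offset in range(secret_len):
        tag = hsm.hmac_sha256(hsm.derive_substring_key(offset, 1), known)
        for guess in range(256):
            candidate = hmac.new(bytes([guess]), known, hashlib.sha256).digest()
            if hmac.compare_digest(candidate, tag):
                recovered.append(guess)
                break
    return bytes(recovered)


def policy_leaks_key(secret: bytes, min_derived_len: int) -> bool:
    """True if the API alone reveals the secret under the given derivation policy."""
    hsm = ToyHSM(secret, min_derived_len)
    try:
        return recover_via_api(hsm, len(secret)) == secret
    except PermissionError:
        return False


SECRET = bytes(range(0x40, 0x50))  # constructed 16-byte sample key

if __name__ == "__main__":
    print("full key is the only asset :", policy_leaks_key(SECRET, 1))
    print("key bytes are assets too   :", policy_leaks_key(SECRET, 16))
```

With a one-byte minimum the work is 256 guesses per offset, linear in the key length; once every derived key must carry at least 16 bytes of the secret, the same API calls are refused and the per-key search space is 2^128.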
The attack engineering process: Exploiting unforeseen computational/algorithmic capabilities
THE MACHINE LEARNING REVOLUTION: ALSO WORKS FOR THE GOOD GUYS!!
- Improved malware detection
- Predicting zero days (unknown vulnerabilities)
- Identifying vulnerable devices
- Automated log analysis

It must also be said that machine learning has improved the situation from the defender's point of view:
- It improves malware detection by being able to process many more features than template-based detectors (see the lecture on Malware)
- It improves our capability to detect configurations that are vulnerable (hard to enumerate, but modelable if you have enough data)
- It improves our capability to find complex malicious patterns in logs, even when adversaries try to hide their actions

The attack engineering process
“Inverse” approach: exploits flaws in the security engineering process
1. Define a security policy (principals, assets, properties) and a threat model. Adversary can exploit:
   - Misidentified principals, assets, or properties
   - Capabilities beyond what is considered in the threat model (access or computational/algorithmic)
2. Define security mechanisms that support the policy given the threat model. Adversary can exploit:
   - Design weaknesses/flaws in the security mechanisms
3. Build an implementation that supports / embodies the mechanisms. Adversary can exploit:
   - Implementation or operation problems that allow you to subvert the mechanisms

A second way of breaking the policy is to inspect the security mechanism to find vulnerabilities that can be exploited. As we have seen in the lecture, there are many decisions to be taken when designing architectures and protocols. It is not hard to make mistakes that open the door to attacks.
The attack engineering process: Exploiting security mechanisms design weaknesses
EXAMPLE 1 – WEAK CRYPTOGRAPHIC PRIMITIVES
- Tesla – the key fob algorithm to start the car allows the key to be recovered in seconds (with pre-computation)
- GSM – A5/1 and A5/2 are weak and allow ciphertext-only attacks. Can be real time by FPGA parallel computation!
In both cases the algorithms were secret, but researchers reverse engineered them. Once the algorithms were known, researchers identified vulnerabilities that allowed them to decrypt and read messages, and even recover the key.
Security by obscurity is a bad idea