Lessons from Security Failures In Nontraditional Computing Environments J. Alex Halderman.

Slides:



Advertisements
Similar presentations
InterScan AppletTrap Zhang Hong Trend Micro, AppletTrap Team (Nanjing)
Advertisements

Security Issues of Peer-to-Peer Systems February 14, 2001 OReilly Peer-to-Peer Conference Nelson Minar, CTO POPULAR POWER.
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Security Through the Lens of Failure J. Alex Halderman.
1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.
Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University.
Analysis of an Electronic Voting System
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
1 The Sony CD DRM Debacle A case study of digital rights management.
1 J. Alex Halderman Security Failures in Electronic Voting Machines Ariel Feldman Alex Halderman Edward Felten Center for Information Technology Policy.
Chapter 3 (Part 1) Network Security
RSA Attack Analysis Karl F. Lutzen, CISSP S&T Information Security Officer.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.
Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
CD DRM & SONY-BMG: a case study Muhammed Afzal Hussain Digital Rights Management Seminar 17 th May, 2006.
1 J. Alex Halderman Dangerous Tunes Lessons from the Sony CD-DRM Episode J. Alex Halderman and Edward W. Felten Center for Information Technology Policy.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
1 J. Alex Halderman Lessons from the Sony CD-DRM Episode J. Alex Halderman and Edward W. Felten Center for Information Technology Policy Department of.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
CS Nathan Digangi.  Secret, undocumented routine embedded within a useful program  Execution of the program results in execution of secret code.
The Downside to DRM. What is DRM? “Digital Rights Management” Software used to control access to copyrighted material Protect company from piracy.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
© 2012 Lathrop & Gage LLP ILTA SOS Webinar: Remove Administrator Rights and Secure a Law Firm’s Greatest Asset- Its Reputation Sean M. Power Chief Information.
Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
With Microsoft Windows 7© 2012 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Windows 7.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Data Security.
October 22, 2008 CSC 682 Security Analysis of the Diebold AccuVote – TS Voting Machine Feldman, Halderman and Felten Presented by: Ryan Lehan.
Information Systems Security Computer System Life Cycle Security.
1 J. Alex Halderman Legal Challenges in Security Research J. Alex Halderman Center for Information Technology Policy Department of Computer Science Princeton.
Vijay Krishnan Avinesh Dupat. A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators.
CIS 460 – Network Design Seminar Network Security Scanner Tool GFI LANguard.
Module 14: Configuring Server Security Compliance
CN1176 Computer Support Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+
Mathieu Castets October 17th,  What is a rootkit?  History  Uses  Types  Detection  Removal  References 2/11.
Module 5: Configuring Internet Explorer and Supporting Applications.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Module 15 Managing Windows Server® 2008 Backup and Restore.
Chapter 3 Installing and Learning Software. 2Practical PC 5 th Edition Chapter 3 Getting Started In this Chapter, you will learn: − What is in an application.
Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.
Hacking Windows 9X/ME. Hacking framework Initial access physical access brute force trojans Privilege escalation Administrator, root privileges Consolidation.
1 Network and E-commerce Security Nungky Awang Chandra Fasilkom Mercu Buana University.
Chap1: Is there a Security Problem in Computing?.
Lecture 19 Page 1 CS 236 Online Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Wireless and Mobile Security
Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.
Copyright © 2015 Cyberlight Global Associates Cyberlight GEORGIAN CYBER SECURITY & ICT INNOVATION EVENT 2015 Tbilisi, Georgia19-20 November 2015 Hardware.
CHAPTER 2 Laws of Security. Introduction Laws of security enable user make the judgment about the security of a system. Some of the “laws” are not really.
Electronic Voting: Danger and Opportunity
"Most people, I think, don't even know what a rootkit is, so why should they care about it?" - Thomas Hesse, President of Sony's Global Digital Business.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
CIW Lesson 8 Part B. Malicious Software application that installs hidden services on systems term for software whose specific intent is to harm computer.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.
By the end of this lesson you will be able to: 1. Determine the preventive support measures that are in place at your school.
Contingency Management Indiana University of Pennsylvania John P. Draganosky.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
Information Systems Security
Securing Network Servers
Chapter 3 Installing and Learning Software
Secure Software Confidentiality Integrity Data Security Authentication
Putting It All Together
Putting It All Together
Implementing Client Security on Windows 2000 and Windows XP Level 150
Presentation transcript:

Lessons from Security Failures In Nontraditional Computing Environments J. Alex Halderman

2 CD DRM 2003, 2005 SDMI 2001 CSS 1999 AACS 2007 Diebold 2003, 2006 What’s the common “thread”?

J. Alex Halderman3 Nontraditional Environments Problem Platform Package

J. Alex Halderman4 Security IntuitionSecurity Intuition Breakdown Underestimate Similarity Underestimate Difference Underestimate Risk

J. Alex Halderman5 Spectacular Failures Cascading Irreparable Collateral damage

J. Alex Halderman6 Nontraditional Environments Intuition Breakdowns Spectacular Failures

J. Alex Halderman7 Disaster Investigation

J. Alex Halderman8 Questions What about these environments makes failures especially severe? Are there patterns to the design and implementation mistakes behind them? Where are such failures likely to occur in the future? What tools and techniques can we use to prevent them?

J. Alex Halderman9 Outline 1. A Model for Security Failures 2. Failures in CD-DRM Systems 3. Failures in E-Voting Systems 4. Predicting Future Disasters 5. Remedies and Defensive Strategies

J. Alex Halderman10 CD DRM st Generation:Passive protection nd Generation:Active protection rd Generation:Weak passive + Aggressive active [H02] [H03] [HF05]

J. Alex Halderman11 Nontraditional Problem Restrict use (Untrusted device) Compatibility (Legacy format) All DRM: No known solution provides traditional security guarantees

J. Alex Halderman12 Nontraditional Package Drivers Ripper/copier Application Protection driver Normal CD OS Protection driver Autorun # CD Marked “Protected”  Audio CDHybrid CD

J. Alex Halderman13 A Spectacular Failure Failure in depth Installer → Patch → Uninstaller Mass exposure Millions of computers vulnerable Difficult repairs Most users unaware they’re at risk High costs Lawsuits, recalls, lost sales

J. Alex Halderman14 SunnComm “Light years beyond encryption™” 52 titles 4.7 million discs 37 titles 20 million discs First4Internet

J. Alex Halderman15 Rootkit Magic prefix: $sys$ Files Processes Registry keys Hidden DRM challenge: Users will remove protection driver Vendor response: Install a rootkit to hide it [HF06]

J. Alex Halderman16 Rootkit Exploits in wild Backdoor.Ryknos.B Trojan.Welomoch DRM challenge: Users will remove protection driver Vendor response: Install a rootkit to hide it Attack: Privilege escalation Mistake: Hides arbitrary objects $sys$virus.exe [HF06]

J. Alex Halderman17 Installer DRM challenge: Users will decline to install software Vendor response: Install regardless of consent Attack: Privilege escalation Mistake: Incorrect permissions  13+ MB installed before EULA screen Everyone: Full Control Runs with administrator privileges next time CD is inserted

J. Alex Halderman18 Installer DRM challenge: Users will decline to install software Vendor response: Install regardless of consent Attack: Privilege escalation Mistake: Incorrect permissions  Sony releases patch…but, patch calls potentially booby trapped code [HF06] How do users know they need to patch? Vulnerable even if refused installation

J. Alex Halderman19 Uninstallers DRM challenge: Angry customers demand removal Vendor response: Offer uninstallers, but limit access “HTTP GET /XCP.dat” Web page calls ActiveX control CodeSupport.Uninstall(“ Server sony-bmg.com XCP.dat Client CodeSupport.ocx Client extracts InstallLite.dll from XCP.dat, calls UnInstall_xcp() User obtains single-use code for uninstallation web page 1. [HF06]

J. Alex Halderman20 Control accepts arbitrary URL Remote code not authenticated Control not removed after use Uninstallers DRM challenge: Angry customers demand removal Vendor response: Offer uninstallers, but limit access Attack: Remote code execution Mistakes: “HTTP GET /XCP.dat” Server sony-bmg.com XCP.dat Client CodeSupport.ocx Rookie mistakes Victim visits attacker’s web page CodeSupport.Uninstall(“ Client executes code from Evil.dat with user’s privileges 3. “HTTP GET /Evil.dat” Server attacker.com Evil.dat “Oops!... I did it again” [HF06]

J. Alex Halderman21 Environmental Effects Technology phase change Risks appear unexpectedly DRM problem → inherent conflict Deliberately subvert control of PC Lack of transparency Problems more difficult to detect Conflicting incentives Choose risky DRM over user security Politics

J. Alex Halderman22 Intuition Breakdown Nearly all parties underestimated security risks: Vendors Sony Users Experts “Most people, I think, don't even know what a Rootkit is, so why should they care about it?” — Thomas Hesse President, Sony BMG Global Digital Business Vendors Sony Users Experts Destroyed by rookie security mistakes Didn’t know music CDs could hurt them Didn’t discover rootkit for six months

J. Alex Halderman23 Outline 1. A Model for Security Failures 2. Failures in CD-DRM Systems 3. Failures in E-Voting Systems 4. Predicting Future Disasters 5. Remedies and Defensive Strategies

J. Alex Halderman24 Diebold DREs

J. Alex Halderman25 Nontraditional Package

J. Alex Halderman26 Nontraditional Platform

J. Alex Halderman27 Nontraditional Problem Paperless DREs: No known solution provides traditional security guarantees Voting…  Securely  Secretly  Accessibly  Quickly  Cheaply

J. Alex Halderman28 A Spectacular Failure Failures in depth Code insertion routes, physical security Mass exposure Millions of votes at risk Difficult repairs Some attacks not patchable High costs Many states likely to replace machines

J. Alex Halderman29 Inserting Code Bootloader WinCE Kernel BallotStation FBOOT.NB0 Bootloader NK.BIN WinCE Kernel INSTALL.INS BallotStation (Internal Flash or EPROM) (Internal Flash) [FHF07] EXPLORER.GLB

J. Alex Halderman30 Inserting Code WinCE Kernel BallotStation Bootloader (Flash) [FHF07] Failure in Depth: Boot into Explorer Insecure firmware updater ROM replacement

J. Alex Halderman31 [FHF07] Stealing Votes WinCE Kernel BallotStationStuffer

J. Alex Halderman32 [FHF07] Stealing Votes Kernel BallotStation Primary Vote RecordBackup Vote Record Audit Log Primary Vote RecordBackup Vote Record Audit Log Stuffer

J. Alex Halderman33 Viral Propagation [FHF07] Reboot

J. Alex Halderman34 [FHF07]

J. Alex Halderman35 Physical Security [FHF07]

J. Alex Halderman36 Physical Security Failure in Depth: Same key used everywhere Widely available Secret disclosed on web site Lock easy to pick [FHF07]

J. Alex Halderman37 Environmental Effects Technology phase change Risks appear unexpectedly Difficulty of the problem Confusing threat model, circular reasoning Lack of transparency Basic errors persist for years Security treated as a PR problem Conflicting incentives Officials choose efficiency over security Politics

J. Alex Halderman38 Intuition Breakdown Nearly all parties underestimated security risks: Vendor Officials Experts Vendor Officials Experts Planned security by obscurity Vastly underinvested in security design Many surprised by severity of problems Underestimated similarity to PCs Didn’t understand threat model CAs Lacked institutional competence to see risks

J. Alex Halderman39 Outline 1. A Model for Security Failures 2. Failures in CD-DRM Systems 3. Failures in E-Voting Systems 4. Predicting Future Disasters 5. Remedies and Defensive Strategies

J. Alex Halderman40 Learning from Failures My Past Work CD DRM E-Voting Related Work Past Voting Studies CSS, SDMI, HDCP, DTV WEP, GSM, RFID Work in Progress AACS Other voting systems Future Work (Predicted failures)

J. Alex Halderman41 AACS [Work in progress] Title KeyVolume KeyProcessing KeyDevice Key February 11 February 24 January 13 January 12 Title KeyVolume KeyProcessing KeyDevice Key Potential disaster (analyze game theory) Solid crypto, Rookie coding errors Revokable Arms Race Interesting lessons on incentives, politics, law DRM as nontraditional security problem 09 f d 74 e3 5b d c bd 09 f d 74 e3 5b d c be 09 f d 74 e3 5b d c bf ? 09 f d 74 e3 5b d c c1 09 f d 74 e3 5b d c c2 09 f d 74 e3 5b d c c3

J. Alex Halderman42 Other Voting Systems [Work in progress]

J. Alex Halderman43 Predicting Failures Nontraditional Environment + Technology Phase Change +

J. Alex Halderman44 Future Failures?

J. Alex Halderman45 Future Failures?

J. Alex Halderman46 Future Failures?

J. Alex Halderman47 Future Failures?

J. Alex Halderman48 Outline 1. A Model for Security Failures 2. Failures in CD-DRM Systems 3. Failures in E-Voting Systems 4. Predicting Future Disasters 5. Remedies and Defensive Strategies

J. Alex Halderman49 Defensive Approach New IntuitionsNew TechnologiesNew Policies

J. Alex Halderman50 General Lessons Security disasters occur where security research isn’t involved  New intuitions, partnerships, transparency Problems that resist rigorous security analysis are prone to major failures  Research ways to transform problems Failures have higher externalities where producer and user incentives misalign  Where appropriate, add liability

J. Alex Halderman51 Remedies: DRM New intuition DRM as a risk to client security New policies Mandatory transparency (DMCA reform, installation disclosure) Liability for aggressive, dangerous techniques (change maker incentives)

J. Alex Halderman52 Remedies: E-Voting New intuitions Voting machines and PCs share vulnerabilities No software should be trusted to count votes New policies Improved transparency, certification processes Liability for insecurity: fix at vendor’s cost? (change maker incentives) Software independence

J. Alex Halderman53 New Technologies [CHF07] Machine-assisted auditing 1. Initial count (untrusted) 2. Recount machine commits to each ballot Ballo t 3. Humans check sample by hand

J. Alex Halderman54 C := H(…) New Technologies [HW07] Harvested verifiable challenges 1. Collect fresh data from varied sources 2. Hash data to form “challenge” 3. Anyone can verify challenge was valid ?

J. Alex Halderman55 Contributions 1. New model for security failures Analysis of past failures from the literature Predictions for future failures Policy implications 2. Analysis of failures in DRM systems Inherent limitations of CD copy protection [H03,H04] Client security failures from Sony CD DRM [HF06] Coming AACS arms race* 3. Analysis of failures in e-voting systems Diebold AccuVote TS and TSx [FHF07] AVC Advantage* 4. Technological remedies Machine-assisted election auditing [CHF07] Harvesting verifiable challenges [HW07] Privacy management for mobile devices [HWF05]

J. Alex Halderman56 References H03 J. A. Halderman. “Evaluating New Copy-Prevention Techniques for Audio CDs.” DRM H04 J. A. Halderman. “Analysis of the MediaMax CD3 Copy-Prevention System.” HWF04 J. A. Halderman, B. Waters, and E. Felten. “Privacy Management for Portable Recording Devices.” WPES HF06 J. A. Halderman and E. Felten. “Lessons from the Sony CD DRM Episode.” USENIX Security FHF07 A. Feldman, J. A. Halderman, and E. Felten. “Security Analysis of the Diebold AccuVote-TS Voting Machine.” In submission, CHF07 J. Calandrino, J. A. Halderman, and E. Felten. “Machine-Assisted Election Auditing.” In submission, HW07 J. A. Halderman and B. Waters. “Harvesting Verifiable Challenges from Oblivious Online Sources.” In submission, 2007.

Lessons from Security Failures In Nontraditional Computing Environments J. Alex Halderman

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.