Computer Security: Computer Science with Attackers Usable Privacy and Security Fall 2009 As told by David Brumley 1
Find X X X is 5 There it is
My Security Axioms 3 I. Attackers Get Lucky Defenders Do Not II. Attackers are Creative
Agenda Examples of Axioms, (aka, how to think like an attacker) –Example I: Ken Thompson –Example II: APEG –Example III: RSA How to argue security 4
Ken Thompson Born Feb 4, 1943 Notable Work: –B Programming Language –UNIX –Plan 9 –Popularized regular expressions 1983: Turing Award (joint with Ritchie) for UNIX and work in OS 1999: US National Medal of Technology 1999: First IEEE Tsutomu Kanai Award 5
A Self-Reproducing Program 6 main(){printf(f,34,f,34,10);} char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c" ;
When Executed main(){printf(f,34,f,34,10);} 7 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); char *f= char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
When Executed main(){printf(f,34,f,34,10);} 8 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); // 34 ascii is a quote (“) char *f=“ char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
When Executed main(){printf(f,34,f,34,10);} 9 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); char *f=“ char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
When Executed main(){printf(f,34,f,34,10);} 10 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); // 34 is a quote char *f=“ char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c” char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
When Executed main(){printf(f,34,f,34,10);} 11 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); // 34 is a quote char *f=“ char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”; main() {printf(f,34,f,34,10);} char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
When Executed main(){printf(f,34,f,34,10);} 12 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); // 10 is newline char *f=“ char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”; main() {printf(f,34,f,34,10);} char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";
Note This program can contain an arbitrary amount of excess baggage that will be reproduced along with the main algorithm. 13 main(){printf(f,34,f,34,10);} char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c" ;
The C Compiler The C compiler (cc) is written in C Special characters, such as newlines, quotes, etc., are escaped with backslashes. This is called a “character escape sequence” 14 c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); if(c == ‘\\’) return ‘\\’; // Will return “\\” if(c == ‘n’) return ‘\n’ etc. c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); if(c == ‘\\’) return ‘\\’; // Will return “\\” if(c == ‘n’) return ‘\n’ etc.
Adding a New Escape Sequence The C compiler (cc) is written in C How do we add a new escape sequence? –Not yet valid C until added to compiler –But compiling modified compiler will not work because not valid C 15 c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); … if(c == ‘v’) return ‘\v’; /// INVALID! etc. c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); … if(c == ‘v’) return ‘\v’; /// INVALID! etc.
What you do Solution: Encode in current valid C ‘\v’ is ASCII c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); … if(c == ‘v’) return 11; // Works etc. c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); … if(c == ‘v’) return 11; // Works etc.
Checkpoint Can make a program that prints itself out Can change the semantics of a compiler 17
How a compiler works 18 Source Code get(s); compile(s); get(s); compile(s); Executable Code Source Language Compiler Target Language
Trojaning Login 19 ‘login’ get(s); compile(s); if(s == ‘login’) compile(backdoor); get(s); compile(s); if(s == ‘login’) compile(backdoor); Trojaned ‘login’ Trojaned ‘login’ Compiler
Trojaning Compiler 20 ‘cc’ get(s); compile(s); if(s == ‘login’) compile(backdoor); if(s == ‘cc’) compile(cc-backdoor); get(s); compile(s); if(s == ‘login’) compile(backdoor); if(s == ‘cc’) compile(cc-backdoor); Trojaned ‘cc’ Trojaned ‘cc’ Compiler
Using Trojaned Compiler 21 get(s); compile(s); if(s == ‘login’) compile(backdoor); if(s == ‘cc’) compile(cc-backdoor); get(s); compile(s); if(s == ‘login’) compile(backdoor); if(s == ‘cc’) compile(cc-backdoor); Trojaned ‘cc’ Trojaned ‘cc’ Compiler ‘cc’ source ‘login’ source Source trojaned exec ‘cc’ trojaned exec ‘login’
Agenda Examples of Axioms, (aka, how to think like an attacker) –Example I: Ken Thompson –Example II: APEG –Example III: RSA How to argue security 22
“Regularly Install Patches” − Computer Security Wisdom B Buggy Program P Patched New Program Patches Help Security
Patches Can Help Attackers − Evil David Evil David
Evil David’s Timeline T1 Gets Patch Attack Unpatched Users Delayed Patch Attack T2 Use Patch to Reverse Engineer Bug Evil David
Asia gets P Patch Delay N. America gets patched version P [Gkantsidis et al 06]
Evil David’s Timeline T1 Gets Patch Attack Unpatched Users T2 Reverse Engineer Bug I can reverse engineer the patched bug and create an exploit in minutes Minutes
Intuition Particular Input BadGood Trigger Bug program
Intuition B Buggy Program Exploit BadGood program
Intuition B Buggy Program P Patched Program BadGood program Patch leaks: 1) Where 2) How to exploit
Automatic Patch-Based Exploit Generation Step 1: Get BP BadGood program Step 2: Diff B & P Step 3: Automatically Calculate Exploit
Step 1: Get BP BadGood program Step 2: Diff B & P Step 3: Automatically Calculate Exploit Profit! Automatic Patch-Based Exploit Generation
IE6 Bug Example All integers unsigned 32-bits All arithmetic mod 2 32 B is binary code if input % 2==0 read input s := input + 3s := input + 2 ptr := realloc(ptr, s) TF B
IE6 Bug Example if input % 2==0 read input s := input + 3s := input + 2 ptr := realloc(ptr, s) TF B input = % 2 == 0 s := 0 ( % 2 32 ) ptr := realloc(ptr,0) Using ptr is a problem
IE6 Bug Example Wanted: s > input Integer Overflow when: ¬(s > input) if input % 2==0 read input s := input + 3s := input + 2 ptr := realloc(ptr, s) TF B
if input % 2==0 read input s := input + 3s := input + 2 ptr := realloc(ptr, s) TF B if input % 2==0 read input s := input + 3s := input + 2 if s > input TF P ptr := realloc(ptr, s) T F Error Patch
if input % 2==0 read input s := input + 3s := input + 2 if s > input TF P ptr := realloc(ptr, s) T F Error Patch if input % 2==0 read input s := input + 3s := input + 2 ptr := realloc(ptr, s) TF B Exploits for B are inputs that fail new safety condition check in P (s > input) = false
Result Overview ASPNet_FilterInformation Disclosure29 sec GDIHijack Control135 sec PNGHijack Control131 sec IE COMCTL32 (B)Hijack Control456 sec IGMPDenial of Service186 sec No public exploit for 3 out of 5 Exploit unique for other 2
Does Automatic Patch-Based Exploit Generation Always Work? NO! However, in security attackers get lucky, defenders do not Current Delayed Patch Distribution Insecure
Intermission 40
Agenda Examples of Axioms, (aka, how to think like an attacker) –Example I: Ken Thompson –Example II: APEG –Example III: RSA How to argue security 41
RSA Cryptosystem Invented in 1978 by Rivest, Shamir, and Adleman RSA is widely used –Apache+mod_SSL (https) –stunnel (Secure TCP/IP servers) –sNFS (Secure NFS) –bind (name service) –ssh (secure shell) We believe RSA is secure 42
RSA Algorithm RSA Initialization: –pick prime p (secret) –pick prime q (secret) –Let N = pq (N is public) –pick e (public) –Find d s.t. d*e = 1 mod (p- 1)(q-1) (private) RSA encryption of m: calculate m e mod N = c RSA decryption of c: calculate c d mod N = m p = 61, q = 53 N = 3233 e = 17 d = 2753 Suppose m = 123 c = mod 3233 = 855 m = mod 3233 = 123
Why is RSA Secure Step 1: define “security” Step 2: Show that RSA meets definition 44
Step 1: Define Security 45 Public Parameters –N = pq (N is public) –e (public) Private Parameters –p (secret) –q (secret) –d (derived from e, p, and q, private) RSA Problem: Given N,e, m e mod N, compute m RSA is secure if the RSA problem cannot be solved efficiently
Step 2: Show RSA Meets Definition 46 Public Parameters –N = pq (N is public) –e (public) Private Parameters –p (secret) –q (secret) –d (derived from e, p, and q, private) RSA Problem: Given N,e, m e mod N, compute m Fact: we do not know RSA is secure
2 Ways to Break RSA 47 RSA Problem: Given N,e, m e mod N, compute m Factoring Algorithm Public N e Private p q d Fact: if we can factor, we can break RSA Given m e, we can decrypt just like those who know d
2 Ways to Break RSA 48 RSA Problem: Given N,e, m e mod N, compute m Roots Public m e mod N m Fact: if we can take roots modulo N, we can break RSA
Arguing Security Define what is public and private Define protocol –What bad guy gets to see –What bad guy cannot see Show that any run of the protocol the bad guy –cannot see what he is not suppose to –cannot efficiently compute what he is not suppose to 49
50 I. Attackers Get Lucky Defenders Do Not
NP Complete (i.e., it could be difficult) is Insufficient 51 Problem Domain Hard Instances Probability of picking a hard instance is low
We believe RSA is hard on average 52 Problem Domain assume ciphertexts are easy to decrypt Random ciphertext c
We believe RSA is hard on average 53 Problem Domain assume ciphertexts are easy to decrypt Random ciphertext c Can move instance (homomorphism)
54 II. Attackers are Creative
Breaking RSA in Practice RSA decryption: g d mod N = m –d is private decryption exponent, N is public modulus Chinese remaindering (CRT) uses factors directly. N=pq, and d1 and d2 are pre-computed from d: 1. m1 = g d1 mod q 2. m2 = g d2 mod p 3. combine m1 and m2 to yield m (mod N) Goal: learn factors of N.
Suppose I implement RSA as: if (d == 1) sleep(1) decrypt(c) if(d == 2) sleep(2) decrypt(c) if(d==3) sleep(3) decrypt(c) 56 Time to decrypt leaks key
RSA Decryption Time Variance Causes for decryption time variation: –Which multiplication algorithm is used. OpenSSL uses both basic mult. and Karatsuba mult. –Number of steps during a modular reduction modular reduction goal: given u, compute u mod q Occasional extra steps in OpenSSL’s reduction alg. There are MANY: –multiplications by input c –modular reductions by factor q (and p)
Reduction Timing Dependency Modular reduction: given u, compute u mod q. –OpenSSL uses Montgomery reductions [M’85]. Time variance in Montgomery reduction: –One extra step at end of reduction algorithm with probability Pr[extra step] (c mod q) [S’00] 2q
Pr[extra step] (c mod q) 2q Value c Decryption Time q 2q p
Multiplication Timing Dependency Two algorithms in OpenSSL: –Karatsuba (fast): Multiplying two numbers of equal length –Normal (slow): Multiplying two numbers of different length To calc x c mod q OpenSSL does: –When x is the same length as (c mod q), use Karatsuba mult. –Otherwise, use Normal mult.
Multiplication Summary c < q Decryption Time q Normal Multiplication Karatsuba Multiplication c c > q
Data Dependency Summary Decryption value c < q –Montgomery effect: longer decryption time –Multiplication effect: shorter decryption time Decryption value c > q –Montgomery effect: shorter decryption time –Multiplication effect: longer decryption time Opposite effects! But one will always dominate
Timing Attack High Level Attack: 1)Suppose g=q for the top i-1 bits, and 0 elsewhere. 2)g hi = g, but with the i th bit 1. Then g < g hi Goal: decide if g<q<g hi or g<g hi <q 3)Sample decryption time for g and g hi : t 1 = DecryptTime(g) t 2 = DecryptTime(g hi ) 4)If |t 1 - t 2 | is large bit i is 0 (g < q < g hi ) else bit i is 1 (g < g hi < q) don’t straddle q large vs. small creates 0-1 gap g and g hi straddle q
Timing Attack Details We know what is “large” and “small” from attack on previous bits. Decrypting just c does not work because of sliding windows –Decrypt a neighborhood of values near g –Will increase diff. between large and small values larger 0-1 gap Only need to recover 1/2 bits of q [C’97] Attack requires only 2 hours, about 1.4 million queries
The Zero-One Gap Zero-one gap
How does this work with SSL? How do we get the server to decrypt our c?
Normal SSL Decryption Regular ClientSSL Server 1. ClientHello 2. ServerHello (send public key) 3. ClientKeyExchange (r e mod N) Result: Encrypted with computed shared master secret
Attack SSL Decryption Attack ClientSSL Server 1. ClientHello 2. ServerHello (send public key) 3. Record time t 1 Send guess g or g hi 4. Alert 5. Record time t 2 Compute t 2 –t 1
Attack requires accurate clock Attack measures 0.05% time difference between g and g hi –Only seconds on a P4 We use the CPU cycle counter as fine- resolution clock –“rdtsc” instruction on Intel –“%tick” register on UltraSparc
Attack extract RSA private key in OpenSSL Montgomery reductions Dominates Multiplication routine dominates zero-one gap
Attack extract RSA private key Montgomery reductions Dominates Multiplication routine dominates zero-one gap
Timing channels fell outside RSA security game 72 RSA Problem: Given N,e, m e mod N, compute m
My Security Axioms 73 I. Attackers Get Lucky Defenders Do Not II. Attackers are Creative
74 Good Guy Bad Guy VS Good Guy vs. Bad Guy
Good Guy vs. Many Bad Guys 75 Good Guy VS Bad Guys
What if they are powerful? 76 Good Guy VS
My Work 77 I. Securing the entire software lifecycle
Developer WritingDebuggingReleasing Updating Designing User VerifyingInstallingRunning Exploiting
My Work 79 I. Securing the entire software lifecycle II. Allowing everyone to reason about the security of the code they execute
BAP: Binary Code Analysis Platform Binary code is everywhere Security of the code you run (not just the code compiled)
Formal Methods Compilers Programming Languages Usability Algorithm Design
My Security Axioms 82 I. Attackers Get Lucky Defenders Do Not II. Attackers are Creative
Thoughts? 83
That is all I have for today. 84