© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.

Slide 2: Outline

Randomness Issues
- Flaws of traditional PRNGs
- Cryptographically-strong PRNGs
- Entropy collection

Timing Issues
- Race conditions
- Time of check, time of use (TOC-TOU)

Slide 3: Random Number Generation
- Computers, being deterministic, are not good at generating random numbers
- So-called 'random number generators' (RNGs) are in fact pseudo-random number generators (PRNGs)
- Common example: the linear congruential algorithm
- PRNGs are seeded with input data; a given seed always produces the same output sequence, which allows reproducibility where necessary
- Seeds are typically 32-bit integers in the standard libraries of the time. Whatever the algorithm, a 32-bit seed means at most 2^32 distinct output sequences, which is a number an attacker can enumerate

Slide 4: Attacks Against PRNGs
- Cryptanalytic attack
- Discovery of internal state: observe enough output values and we can work out how the generator was seeded
- Knowledge of the seed allows us to predict all of the generator's output, past and future
- Easier than you might think!...

Slide 5: Cigital's Internet Poker Exploit (screenshot)
Our cards. We can't see other players' cards… …but we can compute what they will be!

Slide 6: Cigital's Internet Poker Exploit
- Flawed PRNG used for deck shuffling: a non-cryptographic algorithm
- 32-bit seed, so the 52! (about 8 × 10^67, roughly 2^226) possible shuffles reduce to around 4 billion (2^32)
- PRNG seed chosen poorly: milliseconds since midnight on the system clock, so 4 billion shuffles reduce to 86,400,000
- If we can sync closely to the server's clock, we can reduce this figure significantly… (a clock known to within a second leaves only a couple of thousand candidate shuffles, each of which can be checked against the cards we have already seen)

Slide 7: (screenshot of Cigital's exploit tool)
1. Synchronise clock & hit Shuffle button
2. Specify your 2 cards and the first 3 from the 'flop'
3. Program calculates the shuffle and predicts other players' hands!
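The attack of slides 6 and 7, reduced to code. This is an added example written for this page; it is not Cigital's tool and not the poker site's real shuffle. The LCG constants, the dealing order and the 'server' time are constructed for the demo. What it models is exactly what the slides describe: a 32-bit PRNG seeded with milliseconds since midnight drives the shuffle, and the attacker, knowing the server clock to within some tolerance, tries only the seeds inside that tolerance and keeps the ones whose shuffle reproduces the five cards already seen (two hole cards and the three flop cards). Every surviving seed gives the opponent's hand.

```python
"""Seed recovery against a shuffle driven by a 32-bit PRNG seeded from the clock.
Added example for the lecture's poker exploit; constants and layout are constructed."""

RANKS = "23456789TJQKA"
SUITS = "cdhs"
DECK = [r + s for s in SUITS for r in RANKS]   # 52 cards, fixed initial order

MS_PER_DAY = 86_400_000                        # seeds are ms since midnight: 0 .. 86,399,999


def lcg(seed):
    """Minimal 32-bit linear congruential generator (constructed for the demo,
    not the real server's algorithm). Yields successive 32-bit states."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (1664525 * state + 1013904223) & 0xFFFFFFFF
        yield state


def shuffle(seed):
    """Fisher-Yates shuffle of a fresh deck driven by the LCG. Because the whole
    permutation is a function of one 32-bit seed, at most 2**32 of the 52!
    possible decks can ever be produced. (The modulo bias in `% (i + 1)` is a
    separate, minor flaw; the seed space is the one that matters here.)"""
    deck = list(DECK)
    rng = lcg(seed)
    for i in range(len(deck) - 1, 0, -1):
        j = next(rng) % (i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck


def deal(deck):
    """Constructed dealing order for a two-player hand: hero's two hole cards,
    opponent's two hole cards, then the three-card flop."""
    return deck[0:2], deck[2:4], deck[4:7]


def recover_seed(hero, flop, clock_ms, tolerance_ms):
    """Attacker side. clock_ms is the attacker's estimate of the server clock
    (ms since midnight) at the moment of the shuffle; tolerance_ms is how far
    out that estimate might be. Only 2*tolerance+1 seeds are candidates, so the
    search is tiny compared with 2**32. Returns every seed that reproduces the
    observed hero cards and flop."""
    lo = max(0, clock_ms - tolerance_ms)
    hi = min(MS_PER_DAY - 1, clock_ms + tolerance_ms)
    matches = []
    for seed in range(lo, hi + 1):
        h, _, f = deal(shuffle(seed))
        if h == hero and f == flop:
            matches.append(seed)
    return matches


def predict_opponent(seed):
    """Once the seed is known the opponent's hole cards follow directly."""
    return deal(shuffle(seed))[1]


if __name__ == "__main__":
    server_ms = 45_123_456                     # constructed: 12:32:03.456 on the server
    hero, villain, flop = deal(shuffle(server_ms))
    # Attacker's clock is 300 ms off and is trusted to within one second.
    seeds = recover_seed(hero, flop, server_ms + 300, 1000)
    print("candidate seeds:", seeds)
    print("opponent holds:", [predict_opponent(s) for s in seeds], "actual:", villain)
```

The search loop runs at most 2,001 shuffles for a one-second tolerance; even with no clock synchronisation at all the full day (86,400,000 seeds) is a few minutes of CPU, which is the point of slide 6. The fix is not a better clock but a cryptographic generator with a seed far larger than anything enumerable.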

Slide 8: Success!

Slide 9: A More Serious Scenario
- SSL uses a randomly-generated session key to perform symmetric encryption of data
- Public key cryptography is used to exchange the session key securely
- No need to break that encryption if we can predict what the session key should be!
- 1996: the Netscape 1.1 browser's PRNG seed could be determined from the time of day and process IDs (found by Goldberg and Wagner), so the session key could be recovered in seconds

Slide 10: Better PRNGs
- Cryptographic PRNGs produce numbers that are hard to predict, even when the attacker has full knowledge of the algorithm
- Typical techniques:
  - Encrypt a secret counter with a secret key
  - Compute an MD5 or SHA-1 hash of a secret counter (as of 2003; both hashes are now considered broken and should not be used in new designs. The modern equivalents of these two constructions are the NIST SP 800-90A CTR_DRBG and HMAC_DRBG, and the ChaCha20-based generators in recent kernels)
- Critical dependence on seed quality: with a predictable or small seed the strongest algorithm still produces predictable output, as the poker example showed

Slide 11: Entropy Collection
- The entropy of a seed measures how uncertain an attacker is about it, in bits; the more entropy we have, the better the seed. A 32-bit seed drawn from the clock has far fewer than 32 bits of entropy, since the attacker can guess the time
- Sources of entropy:
  - Radioactive decay (needs special hardware)
  - Images of chaotic processes
  - Keyboard and mouse events
  - Events internal to the OS (e.g., thread timing)

Slide 12: Practical Sources of Randomness
- Windows
  - CryptGenRandom call from the Win32 API
  - Entropy gathered from a huge range of sources, including time, CPU counters, interrupt info, PID, paging info…
  - RNGCryptoServiceProvider class in .NET
  - (Since this lecture was written, CryptGenRandom has been superseded by BCryptGenRandom in CNG, and RNGCryptoServiceProvider is obsolete in current .NET in favour of System.Security.Cryptography.RandomNumberGenerator)
- Linux
  - Standard devices, which we open & read like files; check that the open succeeded and handle short reads
  - /dev/random (processed entropy)
  - /dev/urandom (pseudo-random numbers)
  - (On current Linux kernels both devices are fed by the same CSPRNG and /dev/random only blocks until that generator has been seeded at boot; the getrandom(2) system call is the preferred interface, and language runtimes expose it as os.urandom, secrets, arc4random and the like)
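A generator of the kind slide 10 describes (a keyed hash of a secret counter) seeded from the OS source slide 12 lists, as an added example written for this page; it is not the lecture's code and not a reference implementation of any standard. It uses HMAC-SHA-256 as the keyed hash in place of the slide's MD5/SHA-1, and os.urandom() as the entropy source (which reads /dev/urandom or getrandom(2) on Linux and the CNG generator on Windows). The class and method names are my own. The rejection-sampling `random_below` is included because turning random bytes into a uniform integer is where generators that are otherwise sound usually go wrong.

```python
"""Counter-mode DRBG: output block i = HMAC_SHA256(key, i). Added example for the
'Better PRNGs' and 'Practical Sources of Randomness' slides; names are my own."""
import hashlib
import hmac
import os


class CounterDRBG:
    """Deterministic random bit generator with a secret key and a counter.
    Predicting output without the key means breaking HMAC-SHA-256, so the
    generator is exactly as strong as the key it was seeded with."""

    BLOCK = hashlib.sha256().digest_size      # 32 bytes per counter step

    def __init__(self, key: bytes):
        if len(key) < 32:
            # A short seed is the poker-server mistake in disguise: the attacker
            # enumerates seeds instead of attacking the hash.
            raise ValueError("seed must carry at least 256 bits of entropy")
        self._key = key
        self._counter = 0

    def _next_block(self) -> bytes:
        block = hmac.new(self._key, self._counter.to_bytes(16, "big"), hashlib.sha256).digest()
        self._counter += 1
        return block

    def random_bytes(self, n: int) -> bytes:
        """n bytes of output, taken from successive counter blocks."""
        out = bytearray()
        while len(out) < n:
            out += self._next_block()
        return bytes(out[:n])

    def random_below(self, bound: int) -> int:
        """Uniform integer in [0, bound) by rejection sampling, avoiding the
        modulo bias of `int % bound`."""
        if bound <= 0:
            raise ValueError("bound must be positive")
        nbytes = (bound.bit_length() + 7) // 8
        limit = (1 << (8 * nbytes)) // bound * bound   # largest multiple of bound that fits
        while True:
            x = int.from_bytes(self.random_bytes(nbytes), "big")
            if x < limit:
                return x % bound

    def reseed(self, fresh_entropy: bytes) -> None:
        """Fold new entropy into the key and restart the counter, so that a
        captured old state does not determine output produced after the reseed."""
        self._key = hmac.new(self._key, b"reseed" + fresh_entropy, hashlib.sha256).digest()
        self._counter = 0


def seed_from_os(nbytes: int = 32) -> bytes:
    """Seed material from the operating system's CSPRNG (os.urandom wraps
    getrandom(2)//dev/urandom on Linux and BCryptGenRandom on Windows)."""
    return os.urandom(nbytes)


def new_generator() -> CounterDRBG:
    """The intended way to construct one: a full 256-bit seed from the OS."""
    return CounterDRBG(seed_from_os(32))


if __name__ == "__main__":
    g = new_generator()
    print(g.random_bytes(16).hex())
    print("card index:", g.random_below(52))
```

The same key always yields the same stream, which is what makes the seed the whole secret; that is why `__init__` refuses anything shorter than 32 bytes rather than silently padding it.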

Slide 13: Race Conditions
- Common problem in multithreaded apps, or apps where multiple processes share resources
- Very difficult to detect and fix
- Application will not be robust…
- …and there could be security problems

Slide 14: Exploiting a Race Condition
- Attacker 'races' to invalidate an assumption made by the programmer in the interval between two operations
- If the attacker wins, the program will behave incorrectly
- The period during which violating the assumption leads to incorrect behaviour is the window of vulnerability

Slide 15: Time Of Check, Time Of Use
- Special class of race condition involving file access, often abbreviated to TOC-TOU (or TOCTOU)
- The window of vulnerability lies between a check on some file property and the use of the file
- Historically more of a problem for UNIX than for Windows, whose file APIs work mostly on handles
- System calls such as access() take pathnames rather than a file handle…
- …and a pathname can be made to reference a different file within the window of vulnerability! Each call resolves the pathname afresh, so nothing ties the object that was checked to the object that is used

Slide 16: Canonical TOC-TOU Example
- A program is running 'setuid root'
- This grants the program the privileges of root, regardless of the user executing it
- The program must write to a file owned by the user running the program…
- …so it must take care not to write to that file unless the actual (real) user is permitted to do so; otherwise the user can make root write anywhere

Slide 17: Canonical TOC-TOU Attack

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    FILE* outfile;
    ...
    /* Time of check: does the REAL uid have write permission? (access() follows symlinks) */
    if (access(filename, W_OK) == 0) {
        /* Window of vulnerability: filename may now resolve to a different file */
        /* Time of use: open by pathname, with root's effective uid */
        outfile = fopen(filename, "wb+");
        writeDataTo(outfile);
    } else {
        fprintf(stderr, "Not permitted to open %s\n", filename);
        exit(1);
    }

Slide 18: How The Attack Works

Preparation:
    $ touch dummy              # creates a zero-length dummy file with the attacker's permissions
    $ ln -s dummy symlink      # creates a symbolic link pointing to the dummy file

The attacker runs the setuid program with `symlink` as the filename. access() follows the link to dummy, which the attacker may write, and approves. Within the window of vulnerability:
    $ rm symlink; ln -s /etc/passwd symlink

The link now points to /etc/passwd, but the program thinks it is the attacker's file; fopen() runs as root, follows the link, and the password file is overwritten! The attacker only has to win once and can retry on every run of the program, so a narrow window is not a defence.
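The attack of slides 17 and 18 replayed in a temporary directory, next to a version that closes the window, as an added example written for this page (not the lecture's code). The `os.access()` then `open()` pair mirrors the slide's access()/fopen(); the hardened version opens first with O_NOFOLLOW and then checks the object it actually opened with fstat(), so check and use refer to one file. The attacker's link swap is performed deterministically between check and use, standing in for a won race; the file names, contents and helper names are constructed for the demo.

```python
"""TOC-TOU on a pathname: the vulnerable check-then-open pattern beside a
descriptor-based version. Added example; scene and names are constructed."""
import os
import stat
import tempfile

ORIGINAL = b"root:x:0:0:root:/root:/bin/sh\n"   # constructed stand-in for /etc/passwd


def write_vulnerable(path, data, between_check_and_use=None):
    """The slide's pattern: check by pathname, then open by pathname.
    between_check_and_use is a hook that stands in for the attacker winning the race."""
    if not os.access(path, os.W_OK):           # time of check (follows symlinks, uses real uid)
        return False
    if between_check_and_use:
        between_check_and_use()                 # window of vulnerability
    with open(path, "wb") as f:                 # time of use: pathname resolved again
        f.write(data)
    return True


def write_hardened(path, data, between_check_and_use=None):
    """Open first, refusing to follow a symlink in the final component, then check
    the opened object via fstat(). From here on only the descriptor is used, so the
    pathname cannot be re-pointed underneath us."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:                             # ELOOP for a symlink, ENOENT, EACCES ...
        return False
    try:
        st = os.fstat(fd)
        # Regular file owned by the real user (in a setuid program os.getuid() is the caller)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            return False
        if between_check_and_use:
            between_check_and_use()             # swapping a link now changes nothing
        os.ftruncate(fd, 0)
        os.write(fd, data)                      # data is small; a real program loops on short writes
        return True
    finally:
        os.close(fd)


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Plays the 'How The Attack Works' slide against both versions and returns
    a dict of outcomes."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "passwd")      # stands in for /etc/passwd
        dummy = os.path.join(d, "dummy")
        link = os.path.join(d, "symlink")
        with open(victim, "wb") as f:
            f.write(ORIGINAL)
        open(dummy, "wb").close()               # $ touch dummy
        os.symlink(dummy, link)                 # $ ln -s dummy symlink

        def attacker_swaps_link():              # $ rm symlink; ln -s /etc/passwd symlink
            os.unlink(link)
            os.symlink(victim, link)

        results = {}
        results["vulnerable_returned"] = write_vulnerable(link, b"owned\n", attacker_swaps_link)
        results["vulnerable_clobbered_victim"] = _read(victim) == b"owned\n"

        # Reset the scene and replay against the hardened version.
        with open(victim, "wb") as f:
            f.write(ORIGINAL)
        os.unlink(link)
        os.symlink(dummy, link)
        results["hardened_refuses_symlink"] = write_hardened(link, b"owned\n") is False
        results["hardened_writes_real_file"] = write_hardened(dummy, b"ok\n", attacker_swaps_link)
        results["victim_intact"] = _read(victim) == ORIGINAL and _read(dummy) == b"ok\n"
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The alternative mitigation, equally valid for a setuid program, is to drop the effective uid to the real uid (seteuid or setresuid) before opening, so that the kernel performs the permission check at the time of use and access() is not needed at all. Either way the rule from the summary slide holds: never let a pathname be the thing that links the check to the use.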

Slide 19: Summary
- When generating pseudo-random numbers:
  - Use a cryptographically-strong PRNG
  - Collect enough entropy to provide a good seed; the seed, not the algorithm, is usually what an attacker brute-forces
- Watch out for race conditions in multithreaded or multi-process applications
- Beware of TOC-TOU problems with file access
- Avoid system calls that use filenames, if possible; the file a name refers to can change after you start dealing with it! Open the file first, then check the descriptor you obtained (fstat, and O_NOFOLLOW where symlinks are not wanted), or drop privileges to the real user before opening so the kernel makes the check at the time of use