Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security: Computer Science with Attackers Usable Privacy and Security Fall 2009 As told by David Brumley 1.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer Security: Computer Science with Attackers Usable Privacy and Security Fall 2009 As told by David Brumley 1."— Presentation transcript:

1 Computer Security: Computer Science with Attackers Usable Privacy and Security Fall 2009 As told by David Brumley 1

2 Find X 2 3 4 X X is 5 There it is

3 My Security Axioms 3 I. Attackers Get Lucky Defenders Do Not II. Attackers are Creative

4 Agenda Examples of Axioms, (aka, how to think like an attacker) –Example I: Ken Thompson –Example II: APEG –Example III: RSA How to argue security 4

5 Ken Thompson Born Feb 4, 1943 Notable Work: –B Programming Language –UNIX –Plan 9 –Popularized regular expressions 1983: Turing Award (joint with Ritchie) for UNIX and work in OS 1999: US National Medal of Technology 1999: First IEEE Tsutomu Kanai Award 5

6 A Self-Reproducing Program 6 main(){printf(f,34,f,34,10);} char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c" ;

7 When Executed main(){printf(f,34,f,34,10);} 7 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); char *f= char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";

8 When Executed main(){printf(f,34,f,34,10);} 8 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); // 34 ascii is a quote (“) char *f=“ char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";

9 When Executed main(){printf(f,34,f,34,10);} 9 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); char *f=“ char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";

10 When Executed main(){printf(f,34,f,34,10);} 10 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); // 34 is a quote char *f=“ char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c” char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";

11 When Executed main(){printf(f,34,f,34,10);} 11 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); // 34 is a quote char *f=“ char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”; main() {printf(f,34,f,34,10);} char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";

12 When Executed main(){printf(f,34,f,34,10);} 12 printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”,34,f,34,10); // 10 is newline char *f=“ char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”; main() {printf(f,34,f,34,10);} char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";

13 Note This program can contain an arbitrary amount of excess baggage that will be reproduced along with the main algorithm. 13 main(){printf(f,34,f,34,10);} char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c" ;

14 The C Compiler The C compiler (cc) is written in C Special characters, such as newlines, quotes, etc., are escaped with backslashes. This is called a “character escape sequence” 14 c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); if(c == ‘\\’) return ‘\\’; // Will return “\\” if(c == ‘n’) return ‘\n’ etc. c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); if(c == ‘\\’) return ‘\\’; // Will return “\\” if(c == ‘n’) return ‘\n’ etc.

15 Adding a New Escape Sequence The C compiler (cc) is written in C How do we add a new escape sequence? –Not yet valid C until added to compiler –But compiling modified compiler will not work because not valid C 15 c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); … if(c == ‘v’) return ‘\v’; /// INVALID! etc. c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); … if(c == ‘v’) return ‘\v’; /// INVALID! etc.

16 What you do Solution: Encode in current valid C ‘\v’ is ASCII 11 16 c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); … if(c == ‘v’) return 11; // Works etc. c = next(); if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c; c = next(); … if(c == ‘v’) return 11; // Works etc.

17 Checkpoint Can make a program that prints itself out Can change the semantics of a compiler 17

18 How a compiler works 18 Source Code get(s); compile(s); get(s); compile(s); Executable Code Source Language Compiler Target Language

19 Trojaning Login 19 ‘login’ get(s); compile(s); if(s == ‘login’) compile(backdoor); get(s); compile(s); if(s == ‘login’) compile(backdoor); Trojaned ‘login’ Trojaned ‘login’ Compiler

20 Trojaning Compiler 20 ‘cc’ get(s); compile(s); if(s == ‘login’) compile(backdoor); if(s == ‘cc’) compile(cc-backdoor); get(s); compile(s); if(s == ‘login’) compile(backdoor); if(s == ‘cc’) compile(cc-backdoor); Trojaned ‘cc’ Trojaned ‘cc’ Compiler

21 Using Trojaned Compiler 21 get(s); compile(s); if(s == ‘login’) compile(backdoor); if(s == ‘cc’) compile(cc-backdoor); get(s); compile(s); if(s == ‘login’) compile(backdoor); if(s == ‘cc’) compile(cc-backdoor); Trojaned ‘cc’ Trojaned ‘cc’ Compiler ‘cc’ source ‘login’ source Source trojaned exec ‘cc’ trojaned exec ‘login’

22 Agenda Examples of Axioms, (aka, how to think like an attacker) –Example I: Ken Thompson –Example II: APEG –Example III: RSA How to argue security 22

23 “Regularly Install Patches” − Computer Security Wisdom B Buggy Program P Patched New Program Patches Help Security

24 Patches Can Help Attackers − Evil David Evil David

25 Evil David’s Timeline T1 Gets Patch Attack Unpatched Users Delayed Patch Attack T2 Use Patch to Reverse Engineer Bug Evil David

26 Asia gets P Patch Delay N. America gets patched version P [Gkantsidis et al 06]

27 Evil David’s Timeline T1 Gets Patch Attack Unpatched Users T2 Reverse Engineer Bug I can reverse engineer the patched bug and create an exploit in minutes Minutes

28 Intuition Particular Input BadGood Trigger Bug program

29 Intuition B Buggy Program Exploit BadGood program

30 Intuition B Buggy Program P Patched Program BadGood program Patch leaks: 1) Where 2) How to exploit

31 Automatic Patch-Based Exploit Generation Step 1: Get BP BadGood program Step 2: Diff B & P Step 3: Automatically Calculate Exploit

32 Step 1: Get BP BadGood program Step 2: Diff B & P Step 3: Automatically Calculate Exploit Profit! Automatic Patch-Based Exploit Generation

33 IE6 Bug Example All integers unsigned 32-bits All arithmetic mod 2 32 B is binary code if input % 2==0 read input s := input + 3s := input + 2 ptr := realloc(ptr, s) TF B

34 IE6 Bug Example if input % 2==0 read input s := input + 3s := input + 2 ptr := realloc(ptr, s) TF B input = 2 32 -2 2 32 -2 % 2 == 0 s := 0 (2 32 -2 + 2 % 2 32 ) ptr := realloc(ptr,0) Using ptr is a problem

35 IE6 Bug Example Wanted: s > input Integer Overflow when: ¬(s > input) if input % 2==0 read input s := input + 3s := input + 2 ptr := realloc(ptr, s) TF B

36 if input % 2==0 read input s := input + 3s := input + 2 ptr := realloc(ptr, s) TF B if input % 2==0 read input s := input + 3s := input + 2 if s > input TF P ptr := realloc(ptr, s) T F Error Patch

37 if input % 2==0 read input s := input + 3s := input + 2 if s > input TF P ptr := realloc(ptr, s) T F Error Patch if input % 2==0 read input s := input + 3s := input + 2 ptr := realloc(ptr, s) TF B Exploits for B are inputs that fail new safety condition check in P (s > input) = false

38 Result Overview ASPNet_FilterInformation Disclosure29 sec GDIHijack Control135 sec PNGHijack Control131 sec IE COMCTL32 (B)Hijack Control456 sec IGMPDenial of Service186 sec No public exploit for 3 out of 5 Exploit unique for other 2

39 Does Automatic Patch-Based Exploit Generation Always Work? NO! However, in security attackers get lucky, defenders do not Current Delayed Patch Distribution Insecure

40 Intermission 40

41 Agenda Examples of Axioms, (aka, how to think like an attacker) –Example I: Ken Thompson –Example II: APEG –Example III: RSA How to argue security 41

42 RSA Cryptosystem Invented in 1978 by Rivest, Shamir, and Adleman RSA is widely used –Apache+mod_SSL (https) –stunnel (Secure TCP/IP servers) –sNFS (Secure NFS) –bind (name service) –ssh (secure shell) We believe RSA is secure 42

43 RSA Algorithm RSA Initialization: –pick prime p (secret) –pick prime q (secret) –Let N = pq (N is public) –pick e (public) –Find d s.t. d*e = 1 mod (p- 1)(q-1) (private) RSA encryption of m: calculate m e mod N = c RSA decryption of c: calculate c d mod N = m p = 61, q = 53 N = 3233 e = 17 d = 2753 Suppose m = 123 c = 123 17 mod 3233 = 855 m = 855 2753 mod 3233 = 123

44 Why is RSA Secure Step 1: define “security” Step 2: Show that RSA meets definition 44

45 Step 1: Define Security 45 Public Parameters –N = pq (N is public) –e (public) Private Parameters –p (secret) –q (secret) –d (derived from e, p, and q, private) RSA Problem: Given N,e, m e mod N, compute m RSA is secure if the RSA problem cannot be solved efficiently

46 Step 2: Show RSA Meets Definition 46 Public Parameters –N = pq (N is public) –e (public) Private Parameters –p (secret) –q (secret) –d (derived from e, p, and q, private) RSA Problem: Given N,e, m e mod N, compute m Fact: we do not know RSA is secure

47 2 Ways to Break RSA 47 RSA Problem: Given N,e, m e mod N, compute m Factoring Algorithm Public N e Private p q d Fact: if we can factor, we can break RSA Given m e, we can decrypt just like those who know d

48 2 Ways to Break RSA 48 RSA Problem: Given N,e, m e mod N, compute m Roots Public m e mod N m Fact: if we can take roots modulo N, we can break RSA

49 Arguing Security Define what is public and private Define protocol –What bad guy gets to see –What bad guy cannot see Show that any run of the protocol the bad guy –cannot see what he is not suppose to –cannot efficiently compute what he is not suppose to 49

50 50 I. Attackers Get Lucky Defenders Do Not

51 NP Complete (i.e., it could be difficult) is Insufficient 51 Problem Domain Hard Instances Probability of picking a hard instance is low

52 We believe RSA is hard on average 52 Problem Domain assume ciphertexts are easy to decrypt Random ciphertext c

53 We believe RSA is hard on average 53 Problem Domain assume ciphertexts are easy to decrypt Random ciphertext c Can move instance (homomorphism)

54 54 II. Attackers are Creative

55 Breaking RSA in Practice RSA decryption: g d mod N = m –d is private decryption exponent, N is public modulus Chinese remaindering (CRT) uses factors directly. N=pq, and d1 and d2 are pre-computed from d: 1. m1 = g d1 mod q 2. m2 = g d2 mod p 3. combine m1 and m2 to yield m (mod N) Goal: learn factors of N.

56 Suppose I implement RSA as: if (d == 1) sleep(1) decrypt(c) if(d == 2) sleep(2) decrypt(c) if(d==3) sleep(3) decrypt(c) 56 Time to decrypt leaks key

57 RSA Decryption Time Variance Causes for decryption time variation: –Which multiplication algorithm is used. OpenSSL uses both basic mult. and Karatsuba mult. –Number of steps during a modular reduction modular reduction goal: given u, compute u mod q Occasional extra steps in OpenSSL’s reduction alg. There are MANY: –multiplications by input c –modular reductions by factor q (and p)

58 Reduction Timing Dependency Modular reduction: given u, compute u mod q. –OpenSSL uses Montgomery reductions [M’85]. Time variance in Montgomery reduction: –One extra step at end of reduction algorithm with probability Pr[extra step]  (c mod q) [S’00] 2q

59 Pr[extra step]  (c mod q) 2q Value c Decryption Time q 2q p

60 Multiplication Timing Dependency Two algorithms in OpenSSL: –Karatsuba (fast): Multiplying two numbers of equal length –Normal (slow): Multiplying two numbers of different length To calc x  c mod q OpenSSL does: –When x is the same length as (c mod q), use Karatsuba mult. –Otherwise, use Normal mult.

61 Multiplication Summary c < q Decryption Time q Normal Multiplication Karatsuba Multiplication c c > q

62 Data Dependency Summary Decryption value c < q –Montgomery effect: longer decryption time –Multiplication effect: shorter decryption time Decryption value c > q –Montgomery effect: shorter decryption time –Multiplication effect: longer decryption time Opposite effects! But one will always dominate

63 Timing Attack High Level Attack: 1)Suppose g=q for the top i-1 bits, and 0 elsewhere. 2)g hi = g, but with the i th bit 1. Then g < g hi Goal: decide if g<q<g hi or g<g hi <q 3)Sample decryption time for g and g hi : t 1 = DecryptTime(g) t 2 = DecryptTime(g hi ) 4)If |t 1 - t 2 | is large   bit i is 0 (g < q < g hi ) else   bit i is 1 (g < g hi < q) don’t straddle q large vs. small creates 0-1 gap g and g hi straddle q

64 Timing Attack Details We know what is “large” and “small” from attack on previous bits. Decrypting just c does not work because of sliding windows –Decrypt a neighborhood of values near g –Will increase diff. between large and small values  larger 0-1 gap Only need to recover 1/2 bits of q [C’97] Attack requires only 2 hours, about 1.4 million queries

65 The Zero-One Gap Zero-one gap

66 How does this work with SSL? How do we get the server to decrypt our c?

67 Normal SSL Decryption Regular ClientSSL Server 1. ClientHello 2. ServerHello (send public key) 3. ClientKeyExchange (r e mod N) Result: Encrypted with computed shared master secret

68 Attack SSL Decryption Attack ClientSSL Server 1. ClientHello 2. ServerHello (send public key) 3. Record time t 1 Send guess g or g hi 4. Alert 5. Record time t 2 Compute t 2 –t 1

69 Attack requires accurate clock Attack measures 0.05% time difference between g and g hi –Only 0.001 seconds on a P4 We use the CPU cycle counter as fine- resolution clock –“rdtsc” instruction on Intel –“%tick” register on UltraSparc

70 Attack extract RSA private key in OpenSSL Montgomery reductions Dominates Multiplication routine dominates zero-one gap

71 Attack extract RSA private key Montgomery reductions Dominates Multiplication routine dominates zero-one gap

72 Timing channels fell outside RSA security game 72 RSA Problem: Given N,e, m e mod N, compute m

73 My Security Axioms 73 I. Attackers Get Lucky Defenders Do Not II. Attackers are Creative

74 74 Good Guy Bad Guy VS Good Guy vs. Bad Guy

75 Good Guy vs. Many Bad Guys 75 Good Guy VS Bad Guys

76 What if they are powerful? 76 Good Guy VS

77 My Work 77 I. Securing the entire software lifecycle

78 Developer WritingDebuggingReleasing Updating Designing User VerifyingInstallingRunning Exploiting

79 My Work 79 I. Securing the entire software lifecycle II. Allowing everyone to reason about the security of the code they execute

80 BAP: Binary Code Analysis Platform Binary code is everywhere Security of the code you run (not just the code compiled)

81 Formal Methods Compilers Programming Languages Usability Algorithm Design

82 My Security Axioms 82 I. Attackers Get Lucky Defenders Do Not II. Attackers are Creative

83 Thoughts? 83

84 That is all I have for today. 84

Download ppt "Computer Security: Computer Science with Attackers Usable Privacy and Security Fall 2009 As told by David Brumley 1."

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…

1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…
RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.

RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1.

CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1.
7. Asymmetric encryption-

7. Asymmetric encryption-
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem

RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem
Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.

Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.

1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.
CSE331: Introduction to Networks and Security Lecture 20 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 20 Fall 2002.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Chapter 3 Encryption Algorithms & Systems (Part B)

Chapter 3 Encryption Algorithms & Systems (Part B)
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.

Similar presentations

Ads by Google