Introduction To Security and Privacy Einführung in die IT-Sicherheit I

Transcription

1 Introduction To Security and Privacy Einführung in die IT-Sicherheit I Prof. Dr. rer. nat. Doğan Kesdoğan Institut für Wirtschaftsinformatik kesdogan@fb5.uni-siegen.de Source: William Stallings and Lawrie Brown 1

2 Overview Malicious software Virus Types Virus countermeasures Effectiveness of Malware Detection Denial of Service Attacks Distributed Denial of Service Attacks Denial of Service Attack Defence 2

3 Malicious Software Programs exploiting system vulnerabilities Known as malicious software or malware program fragments that need a host program e.g. viruses, logic bombs, and backdoors independent self-contained programs e.g. worms, bots replicating or not Sophisticated threat to computer systems 3

4 Malware Terminology A non-strict categorisation (lack of universal definition): Virus Worm Logic bomb Trojan horse Backdoor (trapdoor) Mobile code Auto-rooter Kit (virus generator) Spammer and Flooder programs Keyloggers Rootkit Zombie, bot 4

5 Virus Types 5

6 Viruses Piece of software that infects programs modifying them to include a copy of the virus so it executes secretly when host program is run Specific to operating system and hardware taking advantage of their details and weaknesses Phases of typical virus: Dormant: Propagation: Triggering: Execution: Idle state, eventually waiting for some events to start (e.g. presence of a program, file,.. ) Virus copies itself to other programs Activation of the designed malicious function Execution of intended malicious function 6

7 Virus Structure Components: Infection mechanism: Meant that enables virus spreading and replication Trigger: event that makes payload activate Payload: what it does, malicious or benign (beside spreading) Can be prepended / postpended / embedded to a program When infected program invoked, executes virus code then original program code Avoidance of virus: Block initial infection (difficult/in general impossible) Block propagation (with access controls) 7

8 Virus Structure 8

9 Compression Virus Increased size of infected program easily reveals virus Therefore use compression, such that infected program keeps original size CV is virus P 1 is infected program Invocation of P 1 invokes CV: 1. Each uninfected file P 2 found is compressed to P 2, where P 2 = P 2 - CV 2. Copy virus and append it to P 2 3. Uncompress P 1 4. Execute P 1 9

10 Virus Classification Boot sector Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus. File infector Infects files that the operating system or shell consider to be executable Macro virus Infects files with macro code that is interpreted by an application Encrypted virus Creates a random encryption key, stored with the virus, and encrypts the remainder of the virus Stealth virus Hides modification by virus, e.g. keep original file size, return original program if scan detected Polymorphic virus mutates with every infection to thwart detection by signature Metamorphic virus May change their behavior as well as their appearance 10

11 Virus Countermeasures 11

12 Virus Countermeasures Prevention - ideal solution but difficult Realistically need: Detection: Once the infection has occurred, determine that it has occurred and locate the virus Identification: Identify the specific virus that has infected a program. Removal: Remove all traces of the virus from the infected program and restore it to its original state If detect but can t identify or remove, must discard and replace infected program 12

13 Anti-Virus Evolution Virus & antivirus tech have both evolved Early viruses simple code, easily removed As become more complex, so must the countermeasures Generations I. Signature scanners II. Heuristics Code fragment associated with virus, e.g. encryption key III. Identify actions IV. Combination packages 13

14 Generic Decryption Runs executable files through generic decryption (GD) scanner: CPU emulator to interpret instructions Virus scanner to check known virus signatures Emulation control module Control interpretation of target code and execution Periodic interruption to apply virus scanner on instructions Example: Virus encrypts its payload Issue is long to interpret and scan Tradeoff chance of detection vs time delay 14

15 Digital Immune System 1. Monitor based on Heuristic/Signature to detect suspicious program 2. Encrypts and forward suspicious program to central analysis 3. Monitor and run suscpicious program in a save environment 4. Send prescription to identify and remove virus to administrative machine and users 7. Send antivirus update to protect from detected virus 15

16 Effectiveness of Malware Detection 16

17 Effectiveness of Intrusion/Malware Detection True negative If detection system (DS) is given a normal traffic/data then it classifies the traffic/data as harmless P(~A ~I): Probability of no alert given there is no attack False-positive DS sends an alert A given there is no attack I P(A ~I): Probability of false-positive, where ~ denotes negation True positive If DS is given an attack then it sends an alert P(A I): Probability of alert given there is an attack False-negative IDS sends no alert given there is an attack P(~A I): Probability of false-negative Issue Low false-positive and false-negative probability is not sufficient for effectiveness of DS, because of base rate fallacy Need additionally: P(I A): Prob. of attack given that there is an alert should be high P(~I ~A): Prob. of no attack given that there is no alert should be high 17

18 Conditional Probability Intuitive understanding: Probability conditioned on some event Effect of condition removes some outcomes from sample space Example: P(sum is 8 one dice even): Prob. of getting sum of 8 on a roll of 2 dice, given that at least one dice is even Reasoning: One dice even other dice must be even, too Successful outcomes: (2,6), (4,4), (6,2) Number of outcomes where one dice is even: 36 (#events, where both faces odd) = 36 3*3 = 27 P(sum is 8 one dice even) = 3/27 = 1/9 18

19 Conditional Probability Bayes theorem: Let Ω be event space, i.e. set of all possible events Let A, B Ω be events P(A B) is prob. of event A given event B (i.e. A conditioned on B) Bayes theorem: P( A B) P( A B) P( B) Review example: A: Event sum of 8 in two dice throw B: Event at least one dice even P(AᴧB): Prob. sum of 8 and at least one dice even P(A B): Prob. sum of 8 given that one dice even (3/ 36) P( A B) (27 / 36)

20 Stochastic Independency Events A, B are stochastic independent if P(AᴧB) = P(A) * P(B) Therefore P(A B) = P(A) and P(B A) = P(B) I.e. the appearance of event A is not effected by the appearance or disappearance of event B Example Probability of throwing a 6 in a dice throw is independent of the result of the throws in the past Probability of winning lotto, is independent of the numbers you picked 20

21 Application of Bayes Theorem Definition Given: Pair wise stochastic independent events E 1, E 2,.., E n Union of events E 1,.., E n covers all possible outcomes, i.e. E 1.. E n = Ω and P(E 1.. E n ) = 1 For any event A: Using Bayes theorem: n i i E i P E A P A P 1 ) ( ) ( ) ( n i i i i i i i i E P E A P E P E A P A P E P E A P A E P 1 ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( 21

22 Application of Bayes Theorem Example Transmission of sequences of 1 and 0 What is probability that 1/0 was sent given that 1/0 was received? Events: S 1 : 1 is sent S 0 : 0 is sent R 1 : 1 is received R 0 : 0 is received Probabilities: P(S 1 ) = p P(S 0 ) = 1 p P(R 0 S 1 ) = p a P(R 1 S 0 ) = p b Prob. That 1 is sent given 0 is received P( S 1 R 0 p ) a P( R 0 p p (1 a S 1 P( R ) P( S p p )(1 b 0 1 p) S1) P( S1) ) P( R S 0 0 ) P( S 0 ) R 0 *S 0 R 0 *S 1 22

23 Base Rate Fallacy Example for DS: Assume accuracy of DS is 87%, i.e. P(A I) = 0.87 (prob. of true positive) P(~A ~I) = 0.87 (prob. true negative) Probability of an attack is 1%, i.e. P(I) = 0.01 (base rate) What is the probability that there is no attack, given that there is an alert, i.e. P(~I A)? P(~ I A) P( A ~ I) P(~ I) P( A I) P( I) P( A ~ I) P(~ I) 0.13* * * (effect of Note: P(~I) = 1 P(I) for any event I P(~I A) = 1 - P(I A) for any events I, A low base rate) 23

24 Bots Program taking over other computers to launch hard to trace attacks If coordinated form a botnet Characteristics: Remote control facility via IRC/HTTP etc Spreading mechanism attack software, vulnerability, scanning strategy 24

25 Denial of Service Attacks 25

26 Denial of Service Denial of service (DoS) an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space Attack target: Network bandwidth Overload network capacity System resources Crash network handling software Application resources Overload capabilities of server 26

27 Classic Denial of Service Attacks Attack on Network bandwidth: Can use simple flooding ping From higher capacity link to lower Causing loss of traffic Source of flood traffic easily identified 27

28 Classic Denial of Service Attacks 28

29 Source Address Spoofing Use forged source addresses (source address spoofing) Given sufficient privilege to raw sockets Generate large volumes of packets directed at target with different, random, source addresses Advantage Responses are scattered across Internet, instead of being reflected to the attacker Real source is much harder to identify 29

30 SYN Flooding Attack on system resources: Attacks ability of a server to respond to future connection requests (e.g. TCP request) Overflowing tables used to manage them (e.g. TCP table) Thus future connection requests from legitimate users fail 30

31 TCP Connection Handshake Client: Initiate request for TCP by sending SYN package Server: Records details about request in a TCP connection table and respond with SYN-ACK package Client: If SYN-ACK received, then sends ACK to server (connection established) Server: If client s ACK received, then marks the connection as established If connection established then transfer data 31

32 SYN Flooding Attack Attacker: Generate several SYN connection requests with spoofed source addresses Server: Records details for each request and sends SYN-ACK to source addresses Address valid: Client refuse connection by sending RST (reset) Server removes connection details from TCP table Address invalid: Server gets no answer and resend SYN- ACK several time 32

33 SYN Flooding Attack Attacker often uses either random source addresses or that of an overloaded server to block return of (most) reset packets Advantage: Has much lower traffic volume Attacker can be on a much lower capacity link 33

34 Types of Flooding Attacks Classified based on network protocol used ICMP Flood uses ICMP packets, e.g. echo request (used by ping) typically allowed through UDP Flood alternative uses UDP packets to some port TCP SYN Flood use TCP SYN (connection request) packets but for volume attack 34

35 Distributed Denial of Service Attacks 35

36 Distributed Denial of Service Attacks Have limited volume if single source used multiple systems allow much higher traffic volumes to form a Distributed Denial of Service (DDoS) Attack Often compromised PC s / workstations zombies with backdoor programs installed forming a botnet e.g. Tribe Flood Network (TFN), TFN2K 36

37 DDoS Control Hierarchy Attack architecture: Handler controls large number of agents Takes attacker s commands Execute commands and forwards them to agents Infected computers (zombies) notifies itself at handler Reduces communication overhead for attacker 37

38 DDos Attack: Real Example Low Orbit Ion Cannon (LOIC): Establish TCP connections to port 80 of target (alternatively UDP) Sends data strings (e.g. invalid HTTP requests) to target Distributed attack can be coordinated over twitter/irc to synchronise attack time and target 38

39 Reflection Attacks Use normal behavior of network Attacker sends packet with spoofed source address of a target to a server Server response is directed at target If sends many requests to multiple servers, response can flood target Various protocols e.g. UDP or TCP/SYN Ideally want response larger than request Prevention If source of spoofed packets are blocked e.g. ISP knows valid IP ranges of its clients and could block addresses out of the range 39

40 Reflection Attack with Amplification Cause several responses by intermediaries for each packet sent E.g. sent a request to a broadcast address, then all clients in that networks replies to the target Cause intermediaries to response with larger package sizes than the package size of the request E.g. make use that DNS responses can be large 40

41 DNS Amplification Attacks Use DNS requests with spoofed source address being the target Exploit DNS behavior to convert a small request to a much larger response 60 byte request to byte response Attacker sends requests to multiple well connected servers, which flood target Need only moderate flow of request packets DNS servers will also be loaded 41

42 Denial of Service Attack Defence 42

43 DoS Attack Defenses High traffic volumes may be legitimate result of high publicity, e.g. slash-dotted or to a very popular site, e.g. Olympics etc Or legitimate traffic created by an attacker Three lines of defense against (D)DoS: Attack prevention and preemption Attack detection and filtering Attack source traceback and identification 43

44 Attack Prevention Block spoofed source addresses on routers as close to source as possible Rate controls in upstream distribution nets on specific packets types, e.g. some ICMP, some UDP, TCP/SYN Use modified TCP connection handling Use SYN cookies (as sequence number) when table full Server encrypts connection information in SYN-cookie and sends it as server s sequence number y to client, i.e. no need to save information in a table If client sends ACK back then it sends y+1 back, thus server can verify y Timestamp t Max segment size m Enc(server IP/port, client IP/port, t) Or selective or random drop when table full Manage application attacks with puzzles to distinguish legitimate human requests Mirror and replicate servers when high-performance and reliability required 44