Smart Device Security: From Threats to Mitigation Strategies

Transcription

1 Smart Device Security: From Threats to Mitigation Strategies Mustaque Ahamad Georgia Tech Information Security Center Georgia Institute of Technology

2

3 Major Cyber Security Threats Malware Botnets VoIP and mobile devices Cyber warfare Cyber crime economy Cyber physical systems

4 Malware Primer (Prof. Wenke Lee, Paul Royal) mal ware (māl'wâr') n. 1. A malicious third-party software agent; In the past, mostly for fun Now, for profit and political gain: 2. The vehicle by which criminal and/or statesponsored organizations facilitate illicit online activities.

5 Malware Propagation Spring User reports that USAToday.com intermittently blocked by web security service - What happened? USAToday.com ad network compromised Visitors served malicious javascript bundled with ad for Roxio Creator 2009 Automatically directed users to Rogue AV website through malicious traffic distribution system - Neither clicking nor hovering over ad required to activate code

6 Propagation Cont d Summer Executive receives with PDF attachment s subject, recipient s ethnicity compels him to view attachment PDF contains embedded, malicious Flash movie which exploits Acrobat Reader s flash interpreter, compromises the system and phones home to controller - Soon after, compromised, legitimate websites found hosting drive-by attacks that use the same flaw to exploit Flash Player - Vulnerability traced back to bug reported to Adobe in December 2008

7 Malware Advancements Novel obfuscations easily evade AV Example: Project ZeroPack Proof-of-Concept obfuscation tool Makes malware appear benign to AV tools Developed for DefCon 16 s Race to Zero contest ZeroPack

8 Malware Clouds (i.e., Botnets) Waledac P2P-over-HTTP spamming botnet - Believed to have ties to the creators of Storm Propagates via social engineering - Uses geo-location, temporally relevant events (e.g., bomb blast in <your city>, July 4 th fireworks videos) to make attacks more compelling

9 Botnets Cont d Conficker - Worm/botnet hybrid - Propagates via software vulnerabilities, portable media, network shares with weak passwords - Can be used to place other malware on the compromised system Activity - March 2009: Appearance of Conficker C Introduced P2P file sharing mechanism April 2009: Downloaded additional malware Waledac, Spyware Protect 2009

10 Malware Analysis Static Analysis - Attempts to understand what a malware instance would do if executed Dynamic Analysis - Attempts to understand what a program does when executed - Different granularities - Fine-grained (e.g., automated unpacking) - Coarse-grained (e.g., system call tracing)

11 Security Analysis of a VoIP Phone (Dacosta & Giffin) VoIP phones are as popular as ever Vulnerabilities in these phones has obvious widespread implications Not much research has been conducted on these phones, so our results should be of interest to many people.

12 Our approach Download SIP firmware from Cisco Load firmware in the IP Phone Network and vulnerabilities scans Fuzz testing Disassembly and static binary analysis of firmware files Understand system architecture Run exploits against the phone

13 The target: Cisco IP Phone 7960G using SIP firmware

14 Some features SCCP, SIP, and MGCP support Directory services (LDAP3 support) XML services G.711 and G.729a audio compression H.323 and Microsoft NetMeeting compatibility DHCP, NTP, TFTP clients EIA/TIA RS-232 port Switch port

15 GHI PQRS JKL TUV 7960 CISCO IP PHONE messages services directories settings Experimental testbed Cisco IP Phone 7960G SIP 8.2 Firmware (P ) 1 2 ABC DEF 6 MNO i 7 8 * 0 OPER 9 WXYZ # Test/Attack PC SIP Proxy Server (OpenSER) Switch 100 Mbps Test/Attack PC

16 SIP Firmware File Name Size Description OS79XX.TXT 14 bytes Contains the universal application loader image name P0S loads P bin P sbn 461 bytes 129,240 bytes 129,644 bytes Contains the universal application loader and application image names. Non-secure universal application loader for upgrades from pre-5.x images Secure (digitally signed) universal application loader for upgrades from pre-5.x.images P0S sb2 785,338 bytes Application firmware image

17 Loading Firmware

18 Vulnerability scanning Nmap results

19 Nessus scan

20 Fuzzing tools PROTOS Test-Suite: c07-sip 4527 SIP INVITE test messages ASTEROID 395 MB crafted messages (invites, cancels, byes, refers, option, registers, subscribes, notifies) SIP Forum Test Framework (SFTF) Ohrwurm RTP fuzzed stream

21 Fuzzing test results No abnormal behavior was notice during the tests The IP Phone has been highly audited with fuzzing and vulnerability scan tools Is the IP Phone secure? Limitations of this approach

22 Firmware disassembly - Processor type?

23 ARM Processor ARM / Thumb mode instruction set

24 Firmware disassembly IDA Pro

25 Manual disassembly

26 Disassembly Methodology Understand code constructs C code, C runtime library linked in. Understand and locate data entry points. Follow control and data flow forwards from entry points. Identify vulnerabilities based on processing of untrusted data.

27 Firmware stacks

28 Findings Monolithic operating system (RTOS) No separation of privileges between tasks Developed using C language No defense mechanisms against reverse engineering (obfuscation, encryption, etc.)

29 Findings Common software vulnerabilities Heap overflow (rogue SIP proxy) Stack overflow (rogue DNS server) Stack overflow (SIP INVITE message) Probably more vulnerabilities, only part of the firmware image has been analyzed

30 Controlling execution remotely Controlling the IP Phone execution remotely Writing xxxx in the PC register (Thumb mode)

31 Lessons Better coding and code auditing practices Redefine architecture MMU usage should take advantage of privilege separation Use pre-existing and well maintained OS (i.e. Embedded Linux, Windows CE) Use of security tools appropriate for embedded systems (i.e. StackGuard)

32 Conclusions Cisco IP Phone 7960G is robust against manual attacks such as fuzzing. Static binary analysis revealed several classic software flaws ( memory overflows ). It is possible to find and exploit vulnerabilities in embedded systems using similar techniques used on general purpose OSs. The challenges will decrease as hardware resources and services in embedded systems increase

33 Security Threats to Smart Devices Networked devices are easy targets of cyber criminals Accessing sensitive data (medical devices), fraudulent use and disruption Smart devices will support complex functions that can have vulnerabilities Safety critical systems rely on smart devices Converged communication, transportation, healthcare etc.

34 Security Challenges Threat modeling is a must (do not count on physical security MBTA study) Resource constraints may limit the effectiveness of traditional security solutions Patching and remediation presents new challenges

35 Research Directions Design principles for secure systems Build security in & reduce complexity Least privilege, fail-safe default etc. Understanding the threat model Isolation is good Hardware support for protection Virtualization Use security tools and techniques Program analysis (Jon Giffin) Provably secure protocols (Sasha Boldyreva) Prepare for security compromises Revocation, remediation etc.