Geekly Articles each Day
📜 ⬆️ ⬇️

MIT course "Computer Systems Security". Lecture 5: "Where Security Errors Come From", Part 1

Massachusetts Institute of Technology. Lecture course # 6.858. "Security of computer systems". Nikolai Zeldovich, James Mykens. year 2014


Computer Systems Security is a course on the development and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and security methods based on the latest scientific work. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware protection and security in web applications.

Lecture 1: "Introduction: threat models" Part 1 / Part 2 / Part 3
Lecture 2: "Control of hacker attacks" Part 1 / Part 2 / Part 3
Lecture 3: "Buffer overflow: exploits and protection" Part 1 / Part 2 / Part 3
Lecture 4: "Separation of privileges" Part 1 / Part 2 / Part 3
Lecture 5: "Where Security Errors Come From" Part 1 / Part 2

Professor Nikolai Zeldovich: Good afternoon, I want to introduce you to our guest from the company iSec Partners, who will tell you about the security of computer systems in the real world.
')
Paul Yang: good afternoon, my name is Paul Yang, I graduated from MIT in 2004, received a master's degree in engineering and computer science and until 2010 I worked at Oracle. Now I work as a technical director at iSec Partners. Previously, I did not even know that such companies exist. Our company is engaged in computer security consulting, penetration testing (pentesting), network security, we study hacker programs, find various vulnerabilities and eliminate them.



I decided to tell you about it, because I know that many students of your specialization want to make a career in the security of computer systems. The plan of today's lecture is as follows:


Let's see what the researchers think about vulnerabilities. I want you to fully understand where the vulnerability came from, after you discovered it. That is, you must find what caused it. It is important to understand how vulnerabilities affect a system and how it interacts with its other components.

So let's start by looking at what security mistakes are. But before we start talking about it, we first define what the very concept of security means.

Ivan Arch said: "The system is safe if it behaves exactly as intended and does nothing else." Systems are becoming more and more complex. If we are talking about operating systems, who can say what they are exactly intended for and what specifically allow to do?

Therefore, it is necessary to study all possible types of attacks. Knowing what attacks exist, you can develop key security goals. Therefore, the first steps in the field of security should be the definition of a security model and the definition of a threat model.

As an example, consider how the TSA Transport Security Administration defines a threat model. The purpose of ensuring the security of Logan International Airport is to prevent the entry of prohibited items, such as shaving foam, onto the aircraft. The threat model consists of two points:


How can you carry prohibited items past security? How do you try to attack their security system? You can bring them where there is no check, using the privileges of a VIP-passenger, hide them among other things or use the service of other airlines to deliver prohibited things to the airport.

I have always been shocked by the fact that in Logan, luggage arriving from other airports does not show through on monitors. That is, you can send a prohibited substance or an object from another airport, it will fly to Logan, and there you will receive it. Thus, airports with a less strict security system are threats to Logan’s advanced security system, and nothing can be done about it. Therefore, the critical point of building a threat model is understanding what you are specifically speaking against. I note that many engineers do not care.

Engineers create security bugs and find them. The goal of engineers is to find as many flaws as possible and minimize the possibility of damage to the system.

The approach to achieving this goal should be very careful - it is necessary to capture the attention of all the parameters of the security system, or at least find elements that are easily accessible to criminals.

Ways to achieve the goal are to study the source code, use the tools for debugging the application and engineering. In addition, the necessary money for the tools and staff.

Typically, software developers are concerned about the functionality and capabilities of their product, rather than its security. Everyone buys software because of its capabilities, and not because of its security. Therefore, security always remains in second place and developers start to take care of it only after the product suffers from intruders. Usually, engineers see only a small part of the "mosaic", they do not pay attention to the technical details. Can you answer the question how many lines of code does Linux 2.6.32, Windows NT4, and Adobe Acrobat contain?

The correct answers in the order of listing programs - from 8 to 12.6 million lines, 11-12 million and 15 million. Indeed, everyone is usually surprised that Acrobat contains more lines of software code than “Linux” and “Windows”. Thus, even software that we consider simple is extremely complex in reality.

The following categories of people are interested in security issues:


I selected only 6 categories, but probably more of them. Consider what interests the first category of people - criminals.



Their goal is resources, with the help of which you can take possession of other people's money (botnet, CC # s, spamming of "letters of happiness") and at the same time do not fall behind bars. To achieve the goal, they use the latest hacker exploits that exploit software vulnerabilities. They do not need data access privileges, but simply steal them using the vulnerabilities left by the developers. Most often, the objects of attack are credit cards and everything connected with them. Therefore, criminals get access to other people's money using money, buying data from hackers, or using the Black Box testing method. This method of testing "software" on the functional specifications and requirements, without using the internal structure of the code or access to the database. In this case, the source code is disassembled into components, which allows to detect gaps in program protection.



This technique allows you to get into the database of credit cards, "hacking" payment systems of various stores.

The next category is voluntary security researchers, a certain kind of hackers.



Their goal is to make the public aware of them, to be printed about them in newspapers, and friends to respect or admire them. Their occupation does not require thoroughness, no one will shame you if you have not found vulnerabilities or ways to overcome it. They gain access to security systems through amateur tools and casual relationships with engineers working in large security companies or developing software, and lawyers are often the source of information.

The third category most useful in security is penetration testers (pentesters).



The point of their work is to ensure the safety of customers and users of the software. They find the vulnerabilities that criminals want to exploit before they are discovered by criminals, and help developers eliminate these vulnerabilities.

The thoroughness of their work consists in covering all the details and nuances of the system, in finding unprotected public places and vulnerabilities that are subject to the greatest interference, not corrected or hacked.

To do this work, they need access to developers, access to the source code, and all sorts of permissions.

Next come the governments of different countries. Security worries them in terms of attacks, espionage and the protection of their own country from such actions of the enemy. They are supported by reliable exploits that can detect and exploit vulnerabilities, and they use money, talent, and the time they can buy for money to gain access to security systems.

The last but one group is hacktivists. These are anonymous hackers, their activity is a mixture of hacking and protest, aimed against the infringement of the right to freely exchange any information. These are socially-oriented hackers, usually hacking systems not for the sake of their enrichment.



Their goal is to do “something good”, in their understanding of the word, and not to go to jail for it. Sometimes I agree with what they do, sometimes not.

They use the most advanced exploits and penetrate security systems thanks to their own talent and a wide variety of “goals” to apply their skills. They exploit all possible vulnerabilities, and if they can steal credit card numbers, they will steal them.

The last group is representatives of science. This is an interesting area of ​​activity in which Professor Nikolai Zeldovich works. It explores the long-term features and functional problems of programs. People of science find common flaws and other common problems, such as errors in the use of firewalls or encryption, trying to make the software more secure. Usually they have enough time and talent for their research, and the thoroughness of their work is ensured by the depth of their approach.

They gain access to security systems through the creation of new things and the Black Box. There is a difference between theoretical developments and their implementation in practice, but for the most part they act in the same way as national governments, that is, they are engaged in very ambitious projects.

All of these groups of people use similar techniques and look for the same thing: vulnerable systems. If they have access, they review the source code, use interviews with engineers, or perform testing in a controlled environment. If they don’t have access, they test the Black Box, do the fuzzing technology (for example, enter random data and watch how the system reacts), do a technical copy of Reverse Engineering (using binary code files) and do social engineering.

Fuzzing is subject to many complex software systems, for example, the same Acrobat Reader - this checks the possibility of buffer overflow with the help of specially created bulk documents in .pdf format. Such a document is “driven” into “Acrobat” to check whether it is capable of causing a system crash.

Social engineering is the easiest and fastest way to find security problems by hacking social media accounts.

So let's dive into the subject of the lecture and look at the vulnerabilities we are looking for.



Engineers often make mistakes about how systems should work and how they will work after creation. An example of a catastrophic software error leading to the death of people is a program for a Therac-25 radiation therapy device. The incorrect operation of the security system of the apparatus led to the fact that at least 6 people received huge doses of radiation, two people fatal. I will tell you about this in general, without mentioning the details and principles of operation of this irradiator.

The software of this medical device provided for two modes of use of the irradiator. The first, X-Ray image , the mode of scattering of electrons, in which radiation exposure was minimal, did not involve the use of a protective focusing screen. The second mode, Radiation Treatment, provided a powerful irradiation regime in which the sore spot was subjected to a directed 25 MeV radiation beam. For this, a protective focusing screen was placed between the patient and the radiator.

The next slide shows what the program code that controls the protective screen looked like. You see that in one line were single-byte data telling whether or not to install a protective screen in place. If this value was 1, the screen was set; if it was 0, the screen was removed. The problem was that inside the program, when entering a parameter equal to 0, for example, if the doctor manually adjusted the radiation power to 0, the radiation value was divided by 0. Since the division by 0 is an invalid operation, a buffer overflow occurred, the program crashed and radiation power automatically took the maximum possible value in the absence of a protective screen.

Here, the developers used the erroneous assumption that in the Radiation Treatment mode, the parameter of using the protective screen will always take a non-zero value, a buffer overflow will never occur and the program will never fail. As a result of this incorrect assumption, people died, because they received a fatal radiation burn during a screenless session in Radiation Treatment mode.



Upon learning of this case, my classmate said: "I have concluded for myself that I will never write medical software."

Wrong prerequisites for software development can do a lot of harm, for example, the amazon.com account system.

This online store allows the following:


What wrong prerequisites allowed to create this vicious chain? Incorrect security policies, expressed in the first and fourth paragraphs. Hence the conclusion: the components affecting your system are often beyond your attention (Facebook, Amazon, Apple). Therefore, an attacker can capture your credit card data through an account on amazon.com using the capabilities of these three independent systems. This can be considered a complete threat model.

Therefore, answer the question: is your password to your personal mailbox stronger or weaker than the password you use for online banking?

I see how many people raised their hands. And now raise those who have a password for banking operations stronger than the password from the mail. I see that there are more. And this is wrong.

People believe that online banking is a serious matter, and a stronger password is needed here. But they forget that access to the payment account is carried out through an electronic mailbox. It is the mail that should have the most reliable password, and not vice versa.

If you want to become an engineer who develops computer systems, you need to think like a security researcher thinks:


The last point helps to design the system in such a way that even if the system crashes, your kernel will be protected.

Managing memory is difficult.



As an example, I will give you a simplified scheme for establishing a secure communication protocol:


Technically, this protocol looks like this:


At the same time, Bob analyzes the data sent by Alice:



View the length of the data and its location in the buffer. He then prepares the answer for Alice, adding 2 bytes to the length of Alice’s request, copies the new length of Alice’s request to the response and sends it back to her:



Do you see any problem here? Where is the vulnerability here?



She is enclosed in the second and fourth lines of Bob's answer. The size of the data transmitted by the user may not match the actual size of the data. The TSL uses the SSL encryption protocol . About 60% of servers available on the Internet work this way. Bob, that is, the server, never checks the actual length of the data received. Due to the fact that the server adds 2 bytes, the user can read about 64 KB of server memory data, including private keys.

Now that we have found this error, how can I fix it? The more people know about it, the more information is leaked. Therefore, as soon as information about vulnerability is revealed, it will be immediately used. So, to protect the need to correct the situation as soon as possible.

Sometimes companies turn to us and say that they have discovered such a vulnerability and how it can be fixed. We answer them: “No, you just need to change the encryption keys immediately.” Therefore, it is imperative to monitor differences arising in Open SSL during data exchange.

From this we can conclude that it is not too smart to use the keys of the TSL security level protocols for equipment that is constantly exposed to external influences, and that fundamental protocols have security problems.

I will note that the largest state funds and organizations dealing with security issues often consider the consequences of the zero-day threat, that is, the threat of vulnerability, for which elimination there are no patches.

And now we will consider a question of unexpected, unforeseen interaction. This is what allows attackers to receive money in several unexpected ways.



In 2014, cybercriminals managed to create add-ons for the Yahoo browser, which using a botnet infected users' computers with malware. They used specific errors of Java-scripts that allow installing 6 types of malicious code on computers.

One of the vulnerabilities was that incorrectly isolated user input data was executed by the browser as java-scripts that redirected users to a set of malicious programs called Magnitude through the XSS vulnerability. This Magnitude used the latest zero-day vulnerabilities at Yahoo , which caused the virus to infect 27000 computers per hour from December 30, 2013 to January 3, 2014. In this case, the use of a botnet was very effective.

The solution to the problem was the mechanism for disabling the execution of java-scripts on the browser page and the introduction of the “click-to-play” function in the Chrome browser.

Another type of attack uses the principle of Confused Deputy - this is a suspicious trust of applications to the received data. Under this definition falls quite a wide range of security issues. This type of vulnerability is called Cross-Site Request Forgery (abbreviated as CSRF or XSRF ), which means “cross-site request forgery”. Faking an authorization request forces you to do what you were not going to do.

Security researchers from Microsoft and people of science have considered the possibility of making free purchases on the Internet. This feature appears when using a third party acting as a payment system with the cashier service Cashier as a Service . You know many sites that offer to make a payment through “foo ...”, you click on such a link, and you are redirected to the payment system site.

Three people are involved in the purchase process: the seller, the CaaS payment system provider and the buyer cheater. Relations between the three parties pass through the user. The next slide shows the scheme of such a purchase.



You contact the owner of the online store and say you want to buy the book. He answers to you that for this you need to pay $ 10 to his payment service CaaS for operation 123. You call the “cashier” and say: “that's $ 10 for TxID: 123”. CaaS informs the store: "payment made." The store says, “OK.” The transaction is complete.

Does anyone see how you can attack this billing system? What is the vulnerability? That's right, there is no evidence that the amount of the payment made coincides with the cost of the goods! If you pay attention to operations 3 and 4, you will see that there is no information about what amount was actually transferred. The next slide shows how you can make a virtually free purchase using a system vulnerability - instead of $ 10, the buyer transfers only $ 1, and the transaction is still considered confirmed.



The wrong premise in this scheme is that the seller believes that something is linking the payment amount with the transaction, but in reality it does not. The solution to this problem may be one thing: read the paper, check every operation, because many things can and do not happen correctly.

Even more instances of unanticipated interaction arise when managing passwords.
The number of successful user password attacks is constantly growing due to an increase in computing abilities of computers, an increase in computing speed and the use of a large number of real passwords for hacker user dictionaries. This does not mean that users use passwords like “aaaaaa” or “aaaaab”, but often different users use the same passwords. There is a situation when a large number of cracked passwords allows hackers to create more voluminous dictionaries for hacker software, which, in turn, contributes to cracking even more passwords. Here there is a feedback, and the technique of password cracking is constantly being improved.

Two-step authorization is good, but it is not used everywhere. On the Internet, there are still hundreds of applications that do not use this approach. You can generate a really strong password, but not use it everywhere. You need to create a strong, unique password for each site you work with. Password managers can create really strong passwords. Some browsers' plugins are a good way to ensure security, allowing the user to manage login and password generation.

Browser extensions themselves are interesting things.



, , . Cloud To Butt Plus Chrome . .

, , , java- Flash-player , . . www.isecpartners.com , , , .

, -, - . «» .

, , Google , . . , . : «, $10000»! , -, . , , . , Chrome 2014 , .

, . , :


. , ? . 1password LastPass Mask Me ? .

1password , «» HTTP . , .

LastPass , Mask Me , 1password . , , , .

, , . These include:


HTTP HTTPS . , . SSL stripping «» .

, https:// example.com http:// example.com . , . Mask Me , , , .

33:35

Continued:

MIT course "Computer Systems Security". 5: « », 2


Full version of the course is available here .

Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?

Source: https://habr.com/ru/post/418213/

More articles:


All Articles