Computer Systems Security: Winter 2018 Assignment 3: Difference between revisions

From Soma-notes
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 13: Line 13:


# Download the ISO (say, from a distribution mirror) and compute its hash using SHA-1 or SHA-256.  Then compare it to the hash available from the main distribution website.  To get a further guarantee, verify the hash file using a digital signature. (Normally, wherever you have the list of hashes, you also have a detached signature for the hash list file.)  For example, see [http://cdimage.ubuntu.com/ubuntu/releases/17.10.1/release/SHA256SUMS] for the Ubuntu server hashes.  The [https://help.ubuntu.com/community/VerifyIsoHowto Ubuntu Verify ISO Howto] explains the process in some detail.  Note for this to work, we have to assume that 1) the obtained hash is authentic (either because we downloaded it from a trusted source or because it was signed by a trusted key) and 2) the hash function has not been compromised.  #2 is a pretty safe bet nowadays for SHA256, is probably okay for SHA1 (because breaks have been found but they are still very computationally expensive), and is highly suspect for MD5 (as MD5 collisions are trivial to create).
# Download the ISO (say, from a distribution mirror) and compute its hash using SHA-1 or SHA-256.  Then compare it to the hash available from the main distribution website.  To get a further guarantee, verify the hash file using a digital signature. (Normally, wherever you have the list of hashes, you also have a detached signature for the hash list file.)  For example, see [http://cdimage.ubuntu.com/ubuntu/releases/17.10.1/release/SHA256SUMS] for the Ubuntu server hashes.  The [https://help.ubuntu.com/community/VerifyIsoHowto Ubuntu Verify ISO Howto] explains the process in some detail.  Note for this to work, we have to assume that 1) the obtained hash is authentic (either because we downloaded it from a trusted source or because it was signed by a trusted key) and 2) the hash function has not been compromised.  #2 is a pretty safe bet nowadays for SHA256, is probably okay for SHA1 (because breaks have been found but they are still very computationally expensive), and is highly suspect for MD5 (as MD5 collisions are trivial to create).
# There are many possible answers for this question.  Correct answers should focus on the limitations of signature and specification-based intrusion detection, specifically how signatures are a black list and specifications are a white list.  Anomaly detection can detect attacks that wouldn't be listed on a black list and would be included on a white list.  For example, an HR employee may be authorized to look at the address and tax identification number of specific individuals as part mailing tax forms.  That same employee is not authorized to access addresses and tax identification numbers for other purposes (e.g., to commit identity theft).  With standard intrusion detection or access control, the employee would be allowed to access this sensitive information at any time.  An anomaly-based intrusion detection system, however, could detect that this information is being access at an unusual time or in an unusual way (e.g., from an unusual location).
# Both intrusion detection systems and anti-malware systems can detect malware.  IDSs detect them by observing the signatures of malware (e.g, patterns in network packets) or by noting the deviations in behavior they cause (violating either specification or learned models of behavior).  Anti-malware systems use code and behavioral signatures analogous to the signatures of anti-malware systems; however, anti-malware systems generally apply these rules after unpacking and de-obfuscating code.  They also can apply the signatures to behavior observed in sandboxed environments.
# The key reasons for sticking with signature-based IDSs are 1) no training time (unlike anomaly detection) 2) minimal setup time (unlike specifcation-based systems) 3) can be tuned to work well in standardized benchmarks 4) clear business model (subscriptions for signature updates) 5) reputation for low false positives (although this is often not true in practice unless you tune the signature set).
# Insider attacks are potentially more damaging because insiders have access and understand the systems.  Thus, they know what steps to take in order to achieve their objectives.  For example, it would be much easier for a rogue system administrator to delete all data and corrupt all backups than it would be for an outsider.
# As long as it is an honest answer you should get full marks for this one!
Intrusion detection systems
2.    General potential attacks
3.    Overflowing memory 

4.    Why not have a business operating system that has a very restrictive environment
5.    Network hacking such as DNS servers and access points
6.    How certificate authorities are used in network security
7.    How signature work
8.    Mechanism of attack
9.    The concept of Anomaly based intrusion detection systems
10.Malwares and low-level system security 

11.Threat modeling in general
12.Encryption
13.Firewall
14.Web security
15.How sandboxes on browsers work
16.TCP wrappers
17.TLS certificates 

18.Code injections / SQL injections
19.Understanding the prevention techniques required to take to ensure the highest level of security 

20.UNIX permissions 

21.The description of the multi-dimensional array
22.How modelling the behaviour of a process' system calls makes a good intrusion detection system

23.The inner workings of the OSI model, how DNS works, how various network attacks can be mitigated, and where the future of networking is headed
24.The biology portion 

25.Linux stuff
26.The differences between sandboxing and containers 

27.How machine learning can be used for intrusion detection
28.Public keys
29.The difference between regular anti-malware systems and signature based intrusion detection systems
30.The concept of Meltdown and Sceptre
31.The passwd concept
32.The backdoor
33.The term BSD jails 

34.The parts about VPN/DNS/DNSSEC and understanding how traffic flows between these components

Latest revision as of 14:06, 4 April 2018

Due: March 26, 2018 by the start of class.

Questions

  1. [2] How can you check the integrity and authenticity of a downloaded ISO image of a Linux distribution? Explain what you must assume for both integrity and authenticity to be assured.
  2. [2] Describe an attack (and associated context) that could be detected using an anomaly-based intrusion detection system but would normally be missed by both specification and signature-based intrusion detection systems.
  3. [2] How are intrusion detection system similar to anti-malware systems? How can they be different?
  4. [1] What is one significant reason that most currently used intrusion detection systems use signatures rather than other approaches?
  5. [2] Why are insider attacks potentially more damaging than outsider attacks? Explain using a simple example.
  6. [1] What is a concept from this class that you find confusing or hard to understand? Please explain briefly the difficulty you are having.

Solutions

  1. Download the ISO (say, from a distribution mirror) and compute its hash using SHA-1 or SHA-256. Then compare it to the hash available from the main distribution website. To get a further guarantee, verify the hash file using a digital signature. (Normally, wherever you have the list of hashes, you also have a detached signature for the hash list file.) For example, see [1] for the Ubuntu server hashes. The Ubuntu Verify ISO Howto explains the process in some detail. Note for this to work, we have to assume that 1) the obtained hash is authentic (either because we downloaded it from a trusted source or because it was signed by a trusted key) and 2) the hash function has not been compromised. #2 is a pretty safe bet nowadays for SHA256, is probably okay for SHA1 (because breaks have been found but they are still very computationally expensive), and is highly suspect for MD5 (as MD5 collisions are trivial to create).
  2. There are many possible answers for this question. Correct answers should focus on the limitations of signature and specification-based intrusion detection, specifically how signatures are a black list and specifications are a white list. Anomaly detection can detect attacks that wouldn't be listed on a black list and would be included on a white list. For example, an HR employee may be authorized to look at the address and tax identification number of specific individuals as part mailing tax forms. That same employee is not authorized to access addresses and tax identification numbers for other purposes (e.g., to commit identity theft). With standard intrusion detection or access control, the employee would be allowed to access this sensitive information at any time. An anomaly-based intrusion detection system, however, could detect that this information is being access at an unusual time or in an unusual way (e.g., from an unusual location).
  3. Both intrusion detection systems and anti-malware systems can detect malware. IDSs detect them by observing the signatures of malware (e.g, patterns in network packets) or by noting the deviations in behavior they cause (violating either specification or learned models of behavior). Anti-malware systems use code and behavioral signatures analogous to the signatures of anti-malware systems; however, anti-malware systems generally apply these rules after unpacking and de-obfuscating code. They also can apply the signatures to behavior observed in sandboxed environments.
  4. The key reasons for sticking with signature-based IDSs are 1) no training time (unlike anomaly detection) 2) minimal setup time (unlike specifcation-based systems) 3) can be tuned to work well in standardized benchmarks 4) clear business model (subscriptions for signature updates) 5) reputation for low false positives (although this is often not true in practice unless you tune the signature set).
  5. Insider attacks are potentially more damaging because insiders have access and understand the systems. Thus, they know what steps to take in order to achieve their objectives. For example, it would be much easier for a rogue system administrator to delete all data and corrupt all backups than it would be for an outsider.
  6. As long as it is an honest answer you should get full marks for this one!

Intrusion detection systems

2. General potential attacks

3. Overflowing memory 


4. Why not have a business operating system that has a very restrictive environment

5. Network hacking such as DNS servers and access points

6. How certificate authorities are used in network security

7. How signature work

8. Mechanism of attack

9. The concept of Anomaly based intrusion detection systems

10.Malwares and low-level system security 


11.Threat modeling in general

12.Encryption

13.Firewall

14.Web security

15.How sandboxes on browsers work

16.TCP wrappers

17.TLS certificates 


18.Code injections / SQL injections

19.Understanding the prevention techniques required to take to ensure the highest level of security 


20.UNIX permissions 


21.The description of the multi-dimensional array

22.How modelling the behaviour of a process' system calls makes a good intrusion detection system


23.The inner workings of the OSI model, how DNS works, how various network attacks can be mitigated, and where the future of networking is headed

24.The biology portion 


25.Linux stuff

26.The differences between sandboxing and containers 


27.How machine learning can be used for intrusion detection

28.Public keys

29.The difference between regular anti-malware systems and signature based intrusion detection systems

30.The concept of Meltdown and Sceptre

31.The passwd concept

32.The backdoor

33.The term BSD jails 


34.The parts about VPN/DNS/DNSSEC and understanding how traffic flows between these components