SystemsSec 2016W Lecture 11

From Soma-notes
Revision as of 00:27, 22 February 2016 by Willforrest (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Sample Midterm Questions

  • What properties should a secure OS have? Why?
  • Why are production operating systems not constructed like ones designed for security first? Be specific
  • To what extent are security tools (for attack and defense) hard to use? Are these difficulties inherent to the technology or are other factors in play? Give examples from your personal experience.
  • Describe three threat models and explain what entities these threat models apply to.


Midterm Layout

  • Expect each question to be a small essay, that draws upon the information acquired through class, and through the readings to form a conclusion.
  • Expect 3-5 questions on the midterm.
  • This exam will be closed book. Email Anil if writing this midterm via computer is important to you.


Model of a standard attack

   Let us look at a standard attack. An attacker will do the following:
  • Identify a target: An attacker will select a system or individual to attack
  • Surveillance: An attacker will study the target.
  • Get access ("The Attack"): An attacker at some point will access or breach the system.
  • Accomplish his goal: An attacker will gather what he came for (credit cards, passwords, bank transfer etc)
  • Cover his tracks: An attacker will not want to be identified. They will try to destroy system logs, and any evidence that could point to the attack ever happening. In this sense, the news only reports failed attacks, as the intrusion was detected.

Example attack Surveillance

Let's say we are attacking an Ubuntu machine.

How do we monitor what's happening?

  • IP addresses, Port checking, etc.: These are very noisy approaches, and will alert a system. An attacker will not do this more then absolutely necessary
  • Monitoring the network: Is it possible to monitor this network from another machine?, An attacker may need to compromise another machine first!
    • This can be done by Wireshark
  • Physical Surveillance:
    • Personnel, Administrators: Do they have social media that can be accessed, and guess the password from info? **Set up account on another site: Can they convince an employee to make an account, they may use same password.
    • Forums: Have they posted about bugs or net problems?
    • Wireless network: can they eavesdrop on a signal?

What we really want to know in Surveillance step: What code is running on the server.

Example attack

There's a tool called nmap which can figure out what operating system you're running. Let's say it is running WordPress (wahoo, it has known vulnerabilities), and we know the exact version. There are packaged tools like metaexploit which easily help you make the attack.

The next step? Set up the same WordPress version, and test the exploit on our own systems. We don't want to be caught on a failed attempt. We can engineer the exploit to do it's intended goal, and test it's success, without fear of detection.

If we are not detected, this brings us to another type of attack:

  • Advanced Persistent Threats: Breaking in, and modifying the system to infiltrate as needed.

As we can see it takes a fair bit of work to infiltrate a target. So why do we protection? The end result is if someone doesn't want to be caught, they need another machine. Or many.

  • The most common threat scenario:
    • Being attacked, but you are not the target!
    • Targets become very broad: Anyone with windows, anyone with an RBC account etc.
    • Surveillance becomes less needed if you infect a trusted system.

Recently, some attackers stop at surveillance. They develop the exploits and keep them; in order to sell the vulnerability (not the exploit) or blackmail. Governments now keep exploit stacks.

Countermeasures

  • We can't stop surveillence, but we can mitigate it. This is the purpose of firewalls, they reduce infomation that can be obtained from the outside.
  • Having a custom OS would be very ideal, an attacker can't practice against a copy of your system. Live and noisy attacks become the only method of attacker. And the system targeted can attempt up it's security in response, or move data.
  • Under ideal conditions, the reference monitor of a system cannot be broken into. An attacker has to deal with the reference monitor's restrictions. They have to attack people and use the methods they would use to edit data. As a result, every user is a possible attacker. The access of every user, including root, must be limited.
  • Preventing an attacker from achieving their goals and covering their tracks are the most reliant countermeasures.
    • Logs that can't be tampered with by being placed on another system, or uneditable.
    • Information being withheld to even users
  • One problem. We can't make a perfect reference monitor.
    • The rest of the semester, we'll talk about the failure of reference monitor.

Tools

  • NMAP: A tool designed to identify system and their versions, by analyzing the responses. Each system implements networks slightly differently, and this tool has a small database to compare to.