INFORMATION SECURITY T.Bhaskar SCCE,KARIM NAGAR

1st unit of information security

Nov 19, 2014

Page 1: 1st unit of information security

INFORMATION SECURITY

T.Bhaskar

SCCE,KARIM NAGAR

Page 2: 1st unit of information security

Background

• Information Security requirements have changed in recent times
• traditionally provided by physical and administrative mechanisms
• computer use requires automated tools to protect files and other stored information
• use of networks and communications links requires measures to protect data during transmission

15 July 2010   Information Security, T.Bhaskar

Page 3: 1st unit of information security

Definitions

Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers

Network Security - measures to protect data during their transmission

Internet Security - measures to protect data during their transmission over a collection of interconnected networks


Page 4: 1st unit of information security

Aim of Course

our focus is on Internet Security, which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information


Page 5: 1st unit of information security

[Figure: sender and receiver exchanging information across Intranet, Extranet and Internet]

Information security is the process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption.

Page 6: 1st unit of information security

What’s the problem?

Information over the Internet is Free, Available, Unencrypted, and Untrusted.

Not desirable for many applications:
• Electronic Commerce
• Software Products
• Financial Services
• Corporate Data
• Healthcare
• Subscriptions
• Legal Information

Page 7: 1st unit of information security

[Figure: security concepts and their relationships. Threats exploit Vulnerabilities, which expose Assets. Assets have Asset Values and Potential Impacts. Threats, Vulnerabilities and Asset Values/Potential Impacts all increase Security Risks. Security Risks and Asset Values/Potential Impacts indicate Security Requirements, which are met by Security Controls. Security Controls reduce Security Risks and protect against Threats.]

Page 8: 1st unit of information security

Services, Mechanisms, Attacks

need a systematic way to define requirements

consider three aspects of information security: security attack, security mechanism, security service

consider in reverse order

Page 9: 1st unit of information security

Security Service

is something that enhances the security of the data processing systems and the information transfers of an organization

intended to counter security attacks

makes use of one or more security mechanisms to provide the service

replicates functions normally associated with physical documents, eg have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed

Page 10: 1st unit of information security

Security Mechanism

a mechanism that is designed to detect, prevent, or recover from a security attack

no single mechanism will support all functions required

however one particular element underlies many of the security mechanisms in use: cryptographic techniques

hence our focus on this area

Page 11: 1st unit of information security

Security Attack

any action that compromises the security of information owned by an organization

information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems

have a wide range of attacks

can focus on generic types of attacks

note: often threat & attack mean the same

Page 12: 1st unit of information security

OSI Security Architecture

ITU-T X.800 Security Architecture for OSI

defines a systematic way of defining and providing security requirements

for us it provides a useful, if abstract, overview of concepts we will study

Page 13: 1st unit of information security

Security Services

X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers

RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources

X.800 defines it in 5 major categories

Page 14: 1st unit of information security

Security Services (X.800)

Authentication - assurance that the communicating entity is the one claimed
Access Control - prevention of the unauthorized use of a resource
Data Confidentiality - protection of data from unauthorized disclosure
Data Integrity - assurance that data received is as sent by an authorized entity
Non-Repudiation - protection against denial by one of the parties in a communication

Page 15: 1st unit of information security

Security Mechanisms (X.800)

specific security mechanisms: encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization

pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery

Page 16: 1st unit of information security

Security Mechanisms

Three basic building blocks are used:

• Encryption is used to provide confidentiality, can provide authentication and integrity protection
• Digital signatures are used to provide authentication, integrity protection, and non-repudiation
• Checksums / hash algorithms are used to provide integrity protection, can provide authentication

One or more security mechanisms are combined to provide a security service

Page 17: 1st unit of information security

Classify Security Attacks as

passive attacks - eavesdropping on, or monitoring of, transmissions to: obtain message contents, or monitor traffic flows

active attacks - modification of data stream to: masquerade of one entity as some other, replay previous messages, modify messages in transit, denial of service

Page 18: 1st unit of information security

Security Attacks

[Figure: flow between an information source and an information destination]
(a) Normal flow
(b) Interruption
(c) Interception
(d) Modification
(e) Fabrication

Page 19: 1st unit of information security

Threats

Passive Threats:
• Release of message contents
• Traffic analysis

Active Threats:
• Masquerade
• Replay
• Modification of message contents
• Denial of service

Page 20: 1st unit of information security

Algorithms

• Hashing
• Message Authentication Code
• Encryption
• Digital Signature

Page 21: 1st unit of information security

Security Environment / Components

• Services

• Mechanisms

• Algorithms


Page 22: 1st unit of information security

Services, Mechanisms, Algorithms

A typical security protocol provides one or more services

[Figure: Services (in a security protocol, e.g. SSL) are built from Mechanisms (Signatures, Encryption, Hashing), which are implemented using Algorithms (MD5, SHA1, DEA, RSA, DSA)]

• Services are built from mechanisms
• Mechanisms are implemented using algorithms

Page 23: 1st unit of information security

Relationship between Security Services and Mechanisms

Mechanisms: Encipherment, Digital Signature, Access control, Data integrity, Authentication exchange, Traffic padding, Routing control, Notarization

Service and the mechanisms marked Y for it:
Peer entity authentication: Encipherment, Digital Signature, Authentication exchange
Data origin authentication: Encipherment, Digital Signature
Access control: Access control
Confidentiality: Encipherment, Routing control
Traffic flow confidentiality: Encipherment, Traffic padding, Routing control
Data integrity: Encipherment, Digital Signature, Data integrity
Nonrepudiation: Digital Signature, Data integrity, Notarization
Availability: Data integrity, Authentication exchange

Page 24: 1st unit of information security

Model for Network Security


Page 25: 1st unit of information security

Model for Network Security

using this model requires us to:
• design a suitable algorithm for the security transformation
• generate the secret information (keys) used by the algorithm
• develop methods to distribute and share the secret information
• specify a protocol enabling the principals to use the transformation and secret information for a security service

Page 26: 1st unit of information security

Model for Network Access Security


Page 27: 1st unit of information security

Model for Network Access Security

using this model requires us to:
• select appropriate gatekeeper functions to identify users
• implement security controls to ensure only authorised users access designated information or resources

trusted computer systems can be used to implement this model

Page 28: 1st unit of information security

Summary

have considered:
• computer, network, internet security definitions
• security services, mechanisms, attacks
• X.800 standard
• models for network (access) security

Page 29: 1st unit of information security

Internet standards and RFCs

The Internet Society

Internet Architecture Board (IAB): defines the overall architecture of the internet & provides guidance and direction to the IETF

Internet Engineering Task Force (IETF): the development arm of the internet; responsible for maintaining the work groups; identifies the problems & proposes solutions

Page 30: 1st unit of information security

Internet Engineering Steering Group (IESG)

Technical management of IETF activities

Responsible for internet standard process


Page 31: 1st unit of information security

Internet RFC Publication Process

[Figure: RFC publication process]

Page 32: 1st unit of information security

Standardization process

1. RFC is to be stable and understandable.
2. RFC is technically competent.
3. The specification must enjoy significant public support.
4. It is to be useful to some part of the Internet.
5. It may have multiple, independent and interoperable implementations with operational experience.

Page 33: 1st unit of information security

BUFFER OVERFLOW

Topics to be Discussed……
• What is it?
• How it Works
• Different Types
• Illustrating Examples
• Conclusion

Page 34: 1st unit of information security

Introduction

Most deadly weapon on the Internet.

Try to gain partial or complete control over target computer by creating a back door entry.

Enable the attacker to execute malicious code on target system.

Gives root or super access to attacker.

Page 35: 1st unit of information security

How it Works…

Due to casual or careless programming: poor memory management; mismanagement of system variables, pointers and temporary data by application developers.

THE OVERALL PROCESS:-
1. Identify a vulnerable application.
2. Inject the malicious code.
3. Execute the code.

Page 36: 1st unit of information security

An Example to Illustrate..

• Server - services or daemons running on it
• Serve clients by providing access - services and materials
• The services run on predefined ports on the host; these provide clients information on how a service can be reached.
• These applications running on the host have access to parts of the system like "System variables and System Files".

Page 37: 1st unit of information security

Types of headaches…

Stack Overflows

Format String Overflows

Heap Overflows

Integer Overflows

Page 38: 1st unit of information security

STACK OVERFLOW:-

The attacker takes over the authorization and privileges of a remote system

Consists of three basic steps

1. Finding a VULNERABLE application: study the source code of the application, test it against various types and sizes of inputs, or manually check for input validation errors

Page 39: 1st unit of information security

Continued…

2. Injecting the Malicious Code:-
-plant the errant and malicious code within the buffer memory.
-this can be done in two methods as explained below

Page 40: 1st unit of information security

• Explicitly Injecting:-
-sends an errant command as input or as an argument.
-stored in temporary buffer, waiting to be executed.
-once lethal string injected, capable of executing any set of instructions.

• Using existing malicious code:-
-system has necessary malicious code present in some part of the buffer memory.
-simply use existing malicious commands.

Page 41: 1st unit of information security

3. Executing the malicious Code:-
-after injecting the code into memory buffer the attacker has then to discover a way to execute it.
-shift the control flow of the application using manipulation.
-manipulation is done in many ways by overflowing the buffer of application.

Stack-Smashing:-
-separate activation record for every function is created on the stack when a function is invoked.
-activation record carries a return address
-manipulating address to point to address where malicious code is present after function has exited.
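The careless copy that the stack-smashing description rests on, placed beside a bounds-checked version, as an added example that is not part of the original slides. The buffer size, the function names (copy_unchecked, copy_checked, handle_request) and the inputs are this example's own assumptions; the point is that the fix is a length check before the write, with oversized input rejected rather than silently truncated.

```c
/* Added example (not from the slides): an unchecked copy into a
 * fixed-size stack buffer beside a bounds-checked version.  BUF_LEN and
 * the function names are this example's own. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* The defect the slides describe: the length of 'src' is never compared
 * with the size of 'buf', so a long input writes past the buffer into the
 * rest of the activation record (saved registers, return address).
 * Kept only to show the pattern; it is never called with untrusted data. */
void copy_unchecked(char *buf, const char *src)
{
    strcpy(buf, src);          /* no bound: classic stack overflow */
}

/* Hardened form: measure first, fail closed on oversized input. */
int copy_checked(char *buf, size_t buf_len, const char *src)
{
    size_t n = strlen(src);
    if (n >= buf_len)          /* must leave room for the terminator */
        return -1;             /* reject instead of truncating silently */
    memcpy(buf, src, n + 1);
    return 0;
}

/* Request handler built on the checked copy.
 * Returns 0 if the input was accepted, -1 if it was rejected. */
int handle_request(const char *input)
{
    char buf[BUF_LEN];
    if (copy_checked(buf, sizeof buf, input) != 0)
        return -1;
    /* ... buf is now safe to work with ... */
    return 0;
}

int main(void)
{
    printf("short input: %d\n", handle_request("hello"));
    printf("long input:  %d\n", handle_request("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The check is `n >= buf_len`, not `n > buf_len`: a string of exactly BUF_LEN characters still needs one more byte for the terminator, and off-by-one errors of that kind are as common a source of overflows as a missing check.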

Page 42: 1st unit of information security


Activation Record:-

Attack Code

Return Address

Local Variables

Buffer Space

Page 43: 1st unit of information security


3. Function Pointer Magic:-

A variable that serves as a pointer to a function type is called a function pointer.

Recognize the function pointers

By overflowing an adjacent buffer, manipulate FP to point to the attack code.

Page 44: 1st unit of information security

Format String Overflows:-

Subvert many vulnerable applications

These can be executed remotely or locally

Exploit a lack of validation in handling and functioning of format strings.

In C programs, a large variety of C header files give access to standard functions printf(), sprintf(), fprintf(), etc.

printf("%d", a);
--"%d" represents the decimal data type that is expected to follow
--"a" represents the parameter whose data type is decimal

Page 45: 1st unit of information security

Consequences:-

-Format string buffer overflows can be misused very easily by attackers to execute malicious code

-To gain access to confidential data

Another example to illustrate
• printf("%s", input_string);
• the first variable, "%s", the format string, would imply that data of the string type is to be expected as the second variable.
• Suppose an attacker were to enter a string that contained %s as input for the second parameter.

Page 46: 1st unit of information security


Through the attacker’s manipulated input, the vulnerable application will now expect yet another string parameter as input.

If a malicious format string is injected in the application, the attacker can fool user into waiting for one more input.

At this point the malicious code can be used to exploit the application.
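The correct form of the printf call from the previous slides, together with a check that flags conversion specifiers arriving in untrusted text, as an added example that is not part of the original slides. The function names (log_untrusted, count_conversions, has_write_specifier) are this example's own; the vulnerable pattern is shown only in a comment.

```c
/* Added example (not from the slides): safe printing of untrusted text and
 * a scanner for format specifiers in input that should only ever be data.
 * Function names are this example's own. */
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern the slides describe (deliberately not compiled here):
 *     printf(input_string);
 * With the input used as the format, a "%s" makes printf read an argument
 * that was never passed, and "%n" makes it write to memory. */

/* Correct form: the format is a constant, the input is only ever data. */
void log_untrusted(const char *input)
{
    printf("%s\n", input);
}

/* Count conversion specifiers in a string.  A non-zero result for text
 * that came from outside (a username, a header value, a file name) is a
 * sign that someone is probing for a format string bug.  "%%" is a
 * literal percent sign and is not counted. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {     /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if the string contains a "%n" conversion (the write
 * primitive behind the example program on the next slides), else 0.
 * Flags, width, precision and length modifiers between the '%' and the
 * conversion letter are skipped, so "%08x%n" is detected too. */
int has_write_specifier(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q == 'n')
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *probe = "%08x%08x%n";   /* constructed sample input */
    log_untrusted(probe);               /* printed verbatim, nothing interpreted */
    printf("conversions: %d, writes: %d\n",
           count_conversions(probe), has_write_specifier(probe));
    return 0;
}
```

Rejecting input on the strength of count_conversions alone would be wrong (a legitimate value may contain a percent sign); the real fix is the constant format in log_untrusted, and the scanner is a detection aid for logs and input that reach a format function indirectly.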

Page 47: 1st unit of information security

An example program:-

    #include <stdio.h>

    int main(void)
    {
        int input = 2;
        /* %n stores the number of characters written so far into 'input':
           "ABCdef" is 6 characters plus two newlines, so input becomes 8 */
        printf("ABCdef\n\n%n", &input);
        printf("value of var: %d\n", input);
        return 0;
    }

Page 48: 1st unit of information security

Expected output vs. real output

Expected output:
ABCdef

Value of var: 2

Real output:
ABCdef

Value of var: 8

Page 49: 1st unit of information security

LOCAL ATTACK: DNS spoofing

[Figure: HOST queries the DNS server for X.localdomain.it; a MITM sits on the same local network; addresses shown in the figure: 10.1.1.50 and 10.1.1.1]

If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server.
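The resolver-side check that limits the spoofed-reply scenario on this slide, as an added example that is not part of the original slides: a reply is accepted only when its transaction ID matches an outstanding query, its QR bit is set and it echoes the same question, and a further reply for an ID that has already been answered is reported as a possible spoof. The packets, the struct and the function names are all constructed for this example.

```c
/* Added example (not from the slides): validating a DNS reply against the
 * query it claims to answer, and reporting duplicate replies for one ID.
 * Packets and names below are constructed for the example. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DNS_HDR_LEN 12

typedef struct {
    uint8_t query[64];   /* the query we sent, verbatim */
    size_t  query_len;
    int     answered;    /* set once a matching reply was accepted */
} pending_query;

enum verdict { DNS_ACCEPT = 0, DNS_REJECT_ID, DNS_REJECT_NOT_RESPONSE,
               DNS_REJECT_QUESTION, DNS_DUPLICATE_REPLY };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Length of the question section (QNAME + QTYPE + QCLASS) that starts at
 * offset 12, or 0 if the packet is truncated. Assumes QDCOUNT == 1. */
static size_t question_len(const uint8_t *pkt, size_t len)
{
    size_t i = DNS_HDR_LEN;
    while (i < len && pkt[i] != 0) {
        if (pkt[i] >= 0xC0) return 0;   /* no compression pointers in a QNAME here */
        i += 1 + pkt[i];
    }
    if (i + 1 + 4 > len) return 0;
    return i + 1 + 4 - DNS_HDR_LEN;
}

enum verdict check_response(pending_query *q, const uint8_t *resp, size_t resp_len)
{
    if (resp_len < DNS_HDR_LEN || q->query_len < DNS_HDR_LEN)
        return DNS_REJECT_ID;
    if (rd16(resp) != rd16(q->query))          /* 1. transaction ID */
        return DNS_REJECT_ID;
    if ((resp[2] & 0x80) == 0)                 /* 2. QR bit must be set */
        return DNS_REJECT_NOT_RESPONSE;
    size_t qlen = question_len(q->query, q->query_len);   /* 3. same question */
    if (qlen == 0 || question_len(resp, resp_len) != qlen ||
        memcmp(resp + DNS_HDR_LEN, q->query + DNS_HDR_LEN, qlen) != 0)
        return DNS_REJECT_QUESTION;
    if (q->answered)                           /* 4. one answer per ID */
        return DNS_DUPLICATE_REPLY;
    q->answered = 1;
    return DNS_ACCEPT;
}

/* Constructed query: ID 0x1234, "x.example", type A, class IN. */
static const uint8_t SAMPLE_QUERY[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    1,'x', 7,'e','x','a','m','p','l','e', 0, 0x00,0x01, 0x00,0x01 };

/* Constructed reply: same ID and question, one A record (10.1.1.50). */
static const uint8_t SAMPLE_REPLY[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    1,'x', 7,'e','x','a','m','p','l','e', 0, 0x00,0x01, 0x00,0x01,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x00,0x3C, 0x00,0x04, 10,1,1,50 };

pending_query make_pending(void)
{
    pending_query q;
    memset(&q, 0, sizeof q);
    memcpy(q.query, SAMPLE_QUERY, sizeof SAMPLE_QUERY);
    q.query_len = sizeof SAMPLE_QUERY;
    return q;
}

/* Reply with one byte XORed, checked against a fresh pending query. */
int check_tampered(size_t byte_index, uint8_t xor_mask)
{
    uint8_t copy[sizeof SAMPLE_REPLY];
    pending_query q = make_pending();
    memcpy(copy, SAMPLE_REPLY, sizeof copy);
    copy[byte_index] ^= xor_mask;
    return check_response(&q, copy, sizeof copy);
}

/* The slide's scenario: a genuine reply, then a second reply for the same
 * ID. Returns the verdict on the second reply. */
int scenario(void)
{
    pending_query q = make_pending();
    int first  = check_response(&q, SAMPLE_REPLY, sizeof SAMPLE_REPLY);
    int second = check_response(&q, SAMPLE_REPLY, sizeof SAMPLE_REPLY);
    printf("first reply: %d, second reply: %d\n", first, second);
    return second;
}
```

The ID and question checks stop a guessed reply from being accepted for a query it does not belong to; they do not stop a reply from an attacker who has sniffed the ID, which is the situation the slide describes. What that attacker cannot suppress is the genuine reply that arrives afterwards, so DNS_DUPLICATE_REPLY is the signal worth logging.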

Page 50: 1st unit of information security

MAN IN THE MIDDLE ATTACK EXAMPLE

Modification of the public key exchanged by server and client (eg SSH1).

[Figure: Server and Client with a MITM between them. Sequence: start; KEY(rsa) exchanged on both sides; the session key sent as Ekey[S-Key] on both sides; S-KEY now held by Server, MITM and Client; message M sent as Eskey(M); decrypted by the MITM as D(E(M)) on both sides]
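The check that defeats the key substitution in this figure, as an added example that is not part of the original slides: before a client trusts a server's public key it compares the key with the one recorded for that host on an earlier, trusted contact (the known_hosts idea), and refuses to continue on a mismatch. The host name, the key bytes and the function names are constructed for this example.

```c
/* Added example (not from the slides): host key pinning as a defence
 * against substitution of the exchanged public key.  Names, host and key
 * bytes are constructed for the example. */
#include <string.h>
#include <stdint.h>
#include <stddef.h>

enum pin_result { PIN_MATCH = 0, PIN_MISMATCH = 1, PIN_UNKNOWN_HOST = 2 };

typedef struct {
    const char    *host;
    const uint8_t *key;
    size_t         key_len;
} pinned_key;

/* Constant-time comparison: the result does not leak how many leading
 * bytes matched, so the reject path gives nothing away. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Compare the key presented by 'host' with the pinned one.
 * PIN_MISMATCH means the key changed since it was recorded: abort the
 * connection.  PIN_UNKNOWN_HOST is first contact and needs an
 * out-of-band check of the fingerprint before the key is recorded. */
enum pin_result verify_host_key(const pinned_key *pins, size_t npins,
                                const char *host,
                                const uint8_t *key, size_t key_len)
{
    for (size_t i = 0; i < npins; i++) {
        if (strcmp(pins[i].host, host) != 0)
            continue;
        if (pins[i].key_len != key_len || !ct_equal(pins[i].key, key, key_len))
            return PIN_MISMATCH;
        return PIN_MATCH;
    }
    return PIN_UNKNOWN_HOST;
}

/* Constructed sample: the key recorded for "server.example" and a
 * different key of the kind a MITM would present in its place. */
static const uint8_t GOOD_KEY[] = { 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82 };
static const uint8_t MITM_KEY[] = { 0x30, 0x82, 0x01, 0x0a, 0x02, 0x83 };
static const pinned_key PINS[] = {
    { "server.example", GOOD_KEY, sizeof GOOD_KEY },
};

int check_genuine(void)
{
    return verify_host_key(PINS, 1, "server.example", GOOD_KEY, sizeof GOOD_KEY);
}
int check_substituted(void)
{
    return verify_host_key(PINS, 1, "server.example", MITM_KEY, sizeof MITM_KEY);
}
int check_new_host(void)
{
    return verify_host_key(PINS, 1, "other.example", GOOD_KEY, sizeof GOOD_KEY);
}
```

The pinned record is what the MITM in the figure cannot alter: it was stored before the attacker was on the path, so a substituted KEY(rsa) produces PIN_MISMATCH and the session key is never sent.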