
    Chapter 23- Vulnerability Analysis.ppt


June 1, 2004 | Computer Security: Art and Science | ©2004 Matt Bishop

Slide #23-1: Chapter 23: Vulnerability Analysis
  • Background
  • Penetration Studies
  • Example Vulnerabilities
  • Classification Frameworks
  • Theory of Penetration Analysis

Slide #23-2: Overview
  • What is a vulnerability?
  • Penetration studies
      • Flaw Hypothesis Methodology
      • Examples
  • Vulnerability examples
  • Classification schemes
      • RISOS, PA, NRL Taxonomy, Aslam's Model
  • Theory of penetration analysis
      • Examples

Slide #23-3: Definitions
  • Vulnerability, security flaw: failure of security policies, procedures, and controls that allow a subject to commit an action that violates the security policy
      • Subject is called an attacker
      • Using the failure to violate the policy is exploiting the vulnerability or breaking in

Slide #23-4: Formal Verification
  • Mathematically verifying that a system satisfies certain constraints
  • Preconditions state assumptions about the system
  • Postconditions are result of applying system operations to preconditions, inputs
  • Required: postconditions satisfy constraints

Slide #23-5: Penetration Testing
  • Testing to verify that a system satisfies certain constraints
  • Hypothesis stating system characteristics, environment, and state relevant to vulnerability
  • Result is compromised system state
  • Apply tests to try to move system from state in hypothesis to compromised system state

Slide #23-6: Notes
  • Penetration testing is a testing technique, not a verification technique
      • It can prove the presence of vulnerabilities, but not the absence of vulnerabilities
  • For formal verification to prove absence, proof and preconditions must include all external factors
      • Realistically, formal verification proves absence of flaws within a particular program, design, or environment and not the absence of flaws in a computer system (think incorrect configurations, etc.)

Slide #23-7: Penetration Studies
  • Test for evaluating the strengths and effectiveness of all security controls on system
      • Also called tiger team attack or red team attack
      • Goal: violate site security policy
  • Not a replacement for careful design, implementation, and structured testing
  • Tests system in toto, once it is in place
      • Includes procedural, operational controls as well as technological ones

Slide #23-8: Goals
  • Attempt to violate specific constraints in security and/or integrity policy
      • Implies metric for determining success
      • Must be well-defined
  • Example: subsystem designed to allow owner to require others to give password before accessing file (i.e., password protect files)
      • Goal: test this control
      • Metric: did testers get access either without a password or by gaining unauthorized access to a password?

Slide #23-9: Goals
  • Find some number of vulnerabilities, or vulnerabilities within a period of time
      • If vulnerabilities categorized and studied, can draw conclusions about care taken in design, implementation, and operation
      • Otherwise, list helpful in closing holes but not more
  • Example: vendor gets confidential documents, 30 days later publishes them on web
      • Goal: obtain access to such a file; you have 30 days
      • Alternate goal: gain access to files; no time limit (a Trojan horse would give access for over 30 days)

Slide #23-10: Layering of Tests
  1. External attacker with no knowledge of system
      • Locate system, learn enough to be able to access it
  2. External attacker with access to system
      • Can log in, or access network servers
      • Often try to expand level of access
  3. Internal attacker with access to system
      • Testers are authorized users with restricted accounts (like ordinary users)
      • Typical goal is to gain unauthorized privileges or information

Slide #23-11: Layering of Tests (cont)
  • Studies conducted from attacker's point of view
  • Environment is that in which attacker would function
  • If information about a particular layer irrelevant, layer can be skipped
      • Example: penetration testing during design, development skips layer 1
      • Example: penetration test on system with guest account usually skips layer 2

Slide #23-12: Methodology
  • Usefulness of penetration study comes from documentation, conclusions
      • Indicates whether flaws are endemic or not
      • It does not come from success or failure of attempted penetration
  • Degree of penetration's success also a factor
      • In some situations, obtaining access to unprivileged account may be less successful than obtaining access to privileged account

Slide #23-13: Flaw Hypothesis Methodology
  1. Information gathering
      • Become familiar with system's functioning
  2. Flaw hypothesis
      • Draw on knowledge to hypothesize vulnerabilities
  3. Flaw testing
      • Test them out
  4. Flaw generalization
      • Generalize vulnerability to find others like it
  5. (maybe) Flaw elimination
      • Testers eliminate the flaw (usually not included)

Slide #23-14: Information Gathering
  • Devise model of system and/or components
      • Look for discrepancies in components
      • Consider interfaces among components
  • Need to know system well (or learn quickly!)
      • Design documents, manuals help
      • Unclear specifications often misinterpreted, or interpreted differently by different people
      • Look at how system manages privileged users

Slide #23-15: Flaw Hypothesizing
  • Examine policies, procedures
      • May be inconsistencies to exploit
      • May be consistent, but inconsistent with design or implementation
      • May not be followed
  • Examine implementations
      • Use models of vulnerabilities to help locate potential problems
      • Use manuals; try exceeding limits and restrictions; try omitting steps in procedures

Slide #23-16: Flaw Hypothesizing (cont)
  • Identify structures, mechanisms controlling system
      • These are what attackers will use
      • Environment in which they work, and were built, may have introduced errors
  • Throughout, draw on knowledge of other systems with similarities
      • Which means they may have similar vulnerabilities
  • Result is list of possible flaws

Slide #23-17: Flaw Testing
  • Figure out order to test potential flaws
      • Priority is function of goals
      • Example: to find major design or implementation problems, focus on potential system critical flaws
      • Example: to find vulnerability to outside attackers, focus on external access protocols and programs
  • Figure out how to test potential flaws
      • Best way: demonstrate from the analysis
          • Common when flaw arises from faulty spec, design, or operation
      • Otherwise, must try to exploit it

Slide #23-18: Flaw Testing (cont)
  • Design test to be least intrusive as possible
      • Must understand exactly why flaw might arise
  • Procedure
      • Back up system
      • Verify system configured to allow exploit
          • Take notes of requirements for detecting flaw
      • Verify existence of flaw
          • May or may not require exploiting the flaw
          • Make test as simple as possible, but success must be convincing
      • Must be able to repeat test successfully

Slide #23-19: Flaw Generalization
  • As tests succeed, classes of flaws emerge
      • Example: programs read input into buffer on stack, leading to buffer overflow attack; others copy command line arguments into buffer on stack; these are vulnerable too
  • Sometimes two different flaws may combine for devastating attack
      • Example: flaw 1 gives external attacker access to unprivileged account on system; second flaw allows any user on that system to gain full privileges; any external attacker can get full privileges

Slide #23-20: Flaw Elimination
  • Usually not included as testers are not best folks to fix this
      • Designers and implementers are
  • Requires understanding of context, details of flaw including environment, and possibly exploit
      • Design flaw uncovered during development can be corrected and parts of implementation redone
          • Don't need to know how exploit works
      • Design flaw uncovered at production site may not be corrected fast enough to prevent exploitation
          • So need to know how exploit works

Slide #23-21: Michigan Terminal System
  • General-purpose OS running on IBM 360, 370 systems
  • Class exercise: gain access to terminal control structures
      • Had approval and support of center staff
      • Began with authorized account (level 3)

Slide #23-22: Step 1: Information Gathering
  • Learn details of system's control flow and supervisor
      • When program ran, memory split into segments
      • 0-4: supervisor, system programs, system state
          • Protected by hardware mechanisms
      • 5: system work area, process-specific information including privilege level
          • Process should not be able to alter this
      • 6 on: user process information
          • Process can alter these
  • Focus on segment 5

Slide #23-23: Step 2: Information Gathering
  • Segment 5 protected by virtual memory protection system
      • System mode: process can access, alter data in segment 5, and issue calls to supervisor
      • User mode: segment 5 not present in process address space (and so can't be modified)
  • Run in user mode when user code being executed
  • User code issues system call, which in turn issues supervisor call

Slide #23-24: How to Make a Supervisor Call
  • System code checks parameters to ensure supervisor accesses authorized locations only
      • Parameters passed as list of addresses (X, X+1, X+2) constructed in user segment
      • Address of list (X) passed via register

Slide #23-25: Step 3: Flaw Hypothesis
  • Consider switch from user to system mode
      • System mode requires supervisor privileges
  • Found: a parameter could point to another element in parameter list
      • Below: address in location X+1 is that of parameter at X+2
      • Means: system or supervisor procedure could alter parameter's address after checking validity of old address

Slide #23-26: Step 4: Flaw Testing
  • Find a system routine that:
      • Used this calling convention;
      • Took at least 2 parameters and altered 1
      • Could be made to change parameter to any value (such as an address in segment 5)
  • Chose line input routine
      • Returns line number, length of line, line read
  • Setup:
      • Set address for storing line number to be address of line length

Slide #23-27: Step 5: Execution
  • System routine validated all parameter addresses
      • All were indeed in user segment
  • Supervisor read input line
      • Line length set to value to be written into segment 5
  • Line number stored in parameter list
      • Line number was set to be address in segment 5
  • When line read, line length written into location address of which was in parameter list
      • So it overwrote value in segment 5

Slide #23-28: Step 6: Flaw Generalization
  • Could not overwrite anything in segments 0-4
      • Protected by hardware
  • Testers realized that privilege level in segment 5 controlled ability to issue supervisor calls (as opposed to system calls)
      • And one such call turned off hardware protection for segments 0-4
  • Effect: this flaw allowed attackers to alter anything in memory, thereby completely controlling computer

Slide #23-29: Burroughs B6700
  • System architecture: based on strict file typing
      • Entities: ordinary users, privileged users, privileged programs, OS tasks
          • Ordinary users tightly restricted
          • Other 3 can access file data without restriction but constrained from compromising integrity of system
      • No assemblers; compilers output executable code
      • Data files, executable files have different types
          • Only compilers can produce executables
          • Writing to executable or its attributes changes its type to data
  • Class exercise: obtain status of privileged user

Slide #23-30: Step 1: Information Gathering
  • System had tape drives
      • Writing file to tape preserved file contents
      • Header record indicates file attributes including type
  • Data could be copied from one tape to another
      • If you change data, it's still data

Slide #23-31: Step 2: Flaw Hypothesis
  • System cannot detect change to executable file if that file is altered off-line

Slide #23-32: Step 3: Flaw Testing
  • Write small program to change type of any file from data to executable
      • Compiled, but could not be used yet as it would alter file attributes, making target a data file
      • Write this to tape
  • Write a small utility to copy contents of tape 1 to tape 2
      • Utility also changes header record of contents to indicate file was a compiler (and so could output executables)

Slide #23-33: Creating the Compiler
  • Run copy program
      • As header record copied, type becomes "compiler"
  • Reinstall program as a new compiler
  • Write new subroutine, compile it normally, and change machine code to give privileges to anyone calling it (this makes it data, of course)
      • Now use new compiler to change its type from data to executable
  • Write third program to call this
      • Now you have privileges

Slide #23-34: Corporate Computer System
  • Goal: determine whether corporate security measures were effective in keeping external attackers from accessing system
  • Testers focused on policies and procedures
      • Both technical and non-technical

Slide #23-35: Step 1: Information Gathering
  • Searched Internet
      • Got names of employees, officials
      • Got telephone number of local branch, and from them got copy of annual report
  • Constructed much of the company's organization from this data
      • Including list of some projects on which individuals were working

Slide #23-36: Step 2: Get Telephone Directory
  • Corporate directory would give more needed information about structure
      • Tester impersonated new employee
          • Learned two numbers needed to have something delivered off-site: employee number of person requesting shipment, and employee's Cost Center number
      • Testers called secretary of executive they knew most about
          • One impersonated an employee, got executive's employee number
          • Another impersonated auditor, got Cost Center number
      • Had corporate directory sent to off-site "subcontractor"
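
The Michigan Terminal System flaw from Steps 3 to 5 (Slide #23-25 to Slide #23-27) can be modelled in a few lines of C, setting the flawed validate-then-reread routine beside one that copies the parameter list into supervisor-private storage before validating and using it. This is an added example, not code from the slides or from MTS: the word-addressed memory array, the addresses 40 and 50, the privilege-word slot and the values 3 and 9 are constructed, and the line-buffer parameter is omitted.

```c
#include <stdio.h>

#define MEM_WORDS 64
#define USER_BASE 32   /* assumption: words 0..31 model protected segment 5 */
#define PRIV_WORD 5    /* hypothetical slot holding the privilege level */

static int mem[MEM_WORDS];

static int in_user(int a) { return a >= USER_BASE && a < MEM_WORDS; }

/* Flawed: validates the list at x, then re-reads it from user memory. */
int line_input_flawed(int x, int line_no, int line_len) {
    if (!in_user(x) || !in_user(x + 1)) return -1;
    if (!in_user(mem[x]) || !in_user(mem[x + 1])) return -1;
    mem[mem[x]] = line_no;        /* can overwrite list slot x+1 */
    mem[mem[x + 1]] = line_len;   /* slot x+1 is no longer the checked value */
    return 0;
}

/* Hardened: copy the list into private storage, validate and use the copy. */
int line_input_hardened(int x, int line_no, int line_len) {
    int p0, p1;
    if (!in_user(x) || !in_user(x + 1)) return -1;
    p0 = mem[x];
    p1 = mem[x + 1];
    if (!in_user(p0) || !in_user(p1)) return -1;
    mem[p0] = line_no;
    mem[p1] = line_len;           /* always the address that was checked */
    return 0;
}

/* Builds the aliased list from the slides; returns the privilege word. */
int run_case(int (*routine)(int, int, int)) {
    int x = 40;                   /* constructed list address in user segment */
    for (int i = 0; i < MEM_WORDS; i++) mem[i] = 0;
    mem[PRIV_WORD] = 3;           /* constructed starting level */
    mem[x] = x + 1;               /* line-number target = slot of length address */
    mem[x + 1] = 50;              /* length target: ordinary user word */
    routine(x, PRIV_WORD, 9);     /* line number = segment 5 address, length = 9 */
    return mem[PRIV_WORD];
}

int main(void) {
    printf("flawed:   privilege word = %d\n", run_case(line_input_flawed));
    printf("hardened: privilege word = %d\n", run_case(line_input_hardened));
    return 0;
}
```

In the hardened routine the aliased write still lands on list slot X+1, but that only changes the caller's own user-segment word; the address used for the length is the one that passed validation.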

