Computer Security: Computer Science with Attackers

1

Computer Security: Computer Science with

Attackers

Usable Privacy and SecurityFall 2009

As told by David Brumley

2

Find X

3

4

X

X is 5There it

is

3

My Security AxiomsI. Attackers Get Lucky

Defenders Do Not

II. Attackers are Creative

4

Agenda• Examples of Axioms,

(aka, how to think like an attacker)– Example I: Ken Thompson– Example II: APEG– Example III: RSA

• How to argue security

5

Ken Thompson• Born Feb 4, 1943• Notable Work:– B Programming Language– UNIX– Plan 9– Popularized regular expressions

• 1983: Turing Award (joint with Ritchie) for UNIX and work in OS

• 1999: US National Medal of Technology

• 1999: First IEEE Tsutomu Kanai Award

6

A Self-Reproducing Program

main(){printf(f,34,f,34,10);} char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";

7

When Executed main(){printf(f,34,f,34,10);} printf(“char*f=%c%s%c;main() {printf(f,34,f,34,10);}

%c” ,34,f,34,10);

char *f=

char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";

8


%c” ,34,f,34,10);// 34 ascii is a quote (“)

char *f=“


9


%c” ,34,f,34,10);

char *f=“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c


10


%c” ,34,f,34,10);// 34 is a quote

char *f=“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”


11


%c” ,34,f,34,10);// 34 is a quote

char *f=“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”;main() {printf(f,34,f,34,10);}


12


%c” ,34,f,34,10);// 10 is newline

char *f=“char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c”;main() {printf(f,34,f,34,10);}


13

Note• This program can contain an arbitrary

amount of excess baggage that will be reproduced along with the main algorithm.

main(){printf(f,34,f,34,10);} char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";

14

The C Compiler• The C compiler (cc) is written in C• Special characters, such as newlines,

quotes, etc., are escaped with backslashes. This is called a “character escape sequence”c = next();if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c;c = next();if(c == ‘\\’) return ‘\\’; // Will return “\\”if(c == ‘n’) return ‘\n’etc.

15

Adding a New Escape Sequence

• The C compiler (cc) is written in C• How do we add a new escape

sequence?– Not yet valid C until added to compiler– But compiling modified compiler will not

work because not valid Cc = next();if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c;c = next();…if(c == ‘v’) return ‘\v’; /// INVALID!etc.

16

What you do• Solution: Encode in current valid C• ‘\v’ is ASCII 11

c = next();if(c != ‘\\’) // Note, since compiler itself is written in C, must escape backslash return c;c = next();…if(c == ‘v’) return 11; // Worksetc.

17

Checkpoint• Can make a program that prints itself

out• Can change the semantics of a compiler

18

How a compiler works

Source Code get(s);compile(s);

ExecutableCode

Source Language Compiler

TargetLanguage

19

Trojaning Login

‘login’get(s);compile(s);if(s == ‘login’) compile(backdoor);

Trojaned‘login’

Compiler

20

Trojaning Compiler

‘cc’

get(s);compile(s);if(s == ‘login’) compile(backdoor);if(s == ‘cc’) compile(cc-backdoor);

Trojaned‘cc’

Compiler

21

Using Trojaned Compiler

get(s);compile(s);if(s == ‘login’) compile(backdoor);if(s == ‘cc’) compile(cc-backdoor);

Trojaned‘cc’

Compiler

‘cc’ source

‘login’ source

Source

trojaned exec

‘cc’

trojaned exec

‘login’

22




“Regularly Install Patches”− Computer Security Wisdom

BBuggy Program

PPatched New Program

Patches Help Security

Patches Can Help Attackers− Evil David

Evil David

Evil David’s Timeline

T1

Gets Patch

Attack Unpatched Users

Delayed PatchAttack

T2

Use Patch to Reverse Engineer Bug

Evil David

Asia gets P

Patch Delay

N. Americagets patched version P

[Gkantsidis et al 06]

Evil David’s Timeline

T1

Gets Patch

Attack Unpatched UsersT2

Reverse Engineer Bug

I can reverse engineer the patched bug and create an

exploit in

minutes

Minutes

IntuitionParticula

rInput

Bad Good

Trigger Bug

program

Intuition

BBuggy Program

Exploit

Bad Good

program

Intuition

BBuggy Program

PPatched ProgramBad Good

program

Patch leaks:1) Where2) How to exploit

AutomaticPatch-Based Exploit Generation

Step 1: Get

B P Bad Good

program

Step 2:Diff B & P

Step 3:Automatically CalculateExploit

Step 1: Get

B P Bad Good

program

Step 2:Diff B & P

Step 3:Automatically CalculateExploit

Profit!

AutomaticPatch-Based Exploit Generation

IE6 Bug Example• All integers unsigned

32-bits• All arithmetic mod 232

• B is binary codeif input % 2==0

read input

s := input + 3 s := input + 2

ptr := realloc(ptr, s)

TF

B

IE6 Bug Example

if input % 2==0

read input



TF

B input = 232-2

232-2 % 2 == 0

s := 0 (232-2 + 2 % 232)

ptr := realloc(ptr,0)

Using ptr is a problem

IE6 Bug ExampleWanted:

s > input

Integer Overflow when:

¬(s > input)

if input % 2==0

read input



TF

B

if input % 2==0

read input



TF

Bif input % 2==0

read input


if s > input

TF

P


TF

Error

Patch

if input % 2==0

read input


if s > input

TF

P


TF

Error

Patch

if input % 2==0

read input



TF

B

Exploits for B are inputs that fail new safety condition check in P

(s > input) = false

Result OverviewASPNet_Filter Information Disclosure 29 sec

GDI Hijack Control 135 sec

PNG Hijack Control 131 sec

IE COMCTL32 (B) Hijack Control 456 sec

IGMP Denial of Service 186 sec

• No public exploit for 3 out of 5• Exploit unique for other 2

Does Automatic Patch-Based Exploit Generation Always Work?NO!

However, in security attackers get lucky, defenders do not

Current Delayed Patch Distribution Insecure

40

Intermission

41




42

RSA Cryptosystem• Invented in 1978 by Rivest, Shamir, and

Adleman

• RSA is widely used – Apache+mod_SSL (https)– stunnel (Secure TCP/IP servers)– sNFS (Secure NFS)– bind (name service)– ssh (secure shell)

• We believe RSA is secure

RSA Algorithm• RSA Initialization:

– pick prime p (secret)– pick prime q (secret)– Let N = pq (N is public)– pick e (public)– Find d s.t. d*e = 1 mod (p-

1)(q-1) (private)

• RSA encryption of m: calculate me mod N = c

• RSA decryption of c: calculate cd mod N = m

• p = 61, q = 53• N = 3233• e = 17• d = 2753

• Suppose m = 123• c = 12317 mod 3233 =

855• m = 8552753 mod 3233

= 123

44

Why is RSA Secure• Step 1: define “security”• Step 2: Show that RSA meets definition

45

Step 1: Define Security

Public Parameters– N = pq (N is public)– e (public)

Private Parameters– p (secret)– q (secret)– d (derived from e, p, and q,

private)RSA Problem:

Given N,e, me mod N, compute m

RSA is secure if the RSA problemcannot be solved efficiently

46

Step 2: Show RSA Meets Definition

Public Parameters– N = pq (N is public)– e (public)

Private Parameters– p (secret)– q (secret)– d (derived from e, p, and q,

private)

RSA Problem:Given N,e, me mod N, compute m

Fact: we do not know RSA is secure

47

2 Ways to Break RSARSA Problem:


FactoringAlgorithm

PublicNe

Privatepqd

Fact: if we can factor, we can break RSA

Given me, we can decrypt just like those who know d

48

2 Ways to Break RSARSA Problem:


RootsPublicme mod

Nm

Fact: if we can take roots modulo N, we can break

RSA

49

Arguing Security• Define what is public and private• Define protocol–What bad guy gets to see–What bad guy cannot see

• Show that any run of the protocol the bad guy– cannot see what he is not suppose to– cannot efficiently compute what he is not

suppose to

50

I. Attackers Get Lucky Defenders Do Not

51

NP Complete (i.e., it could be difficult)

is Insufficient

Problem DomainHard Instances

Probability of picking a hard instance is low

52

We believe RSA is hard on average

Problem Domain

assumeciphertexts are easy to decrypt Random ciphertext c

53

We believe RSA is hard on average

Problem Domain

assumeciphertexts are easy to decrypt Random ciphertext c

Can move instance

(homomorphism)

54


Breaking RSA in Practice• RSA decryption: gd mod N = m

– d is private decryption exponent, N is public modulus

• Chinese remaindering (CRT) uses factors directly. N=pq, and d1 and d2 are pre-computed from d: 1. m1 = gd1 mod q 2. m2 = gd2 mod p 3. combine m1 and m2 to yield m (mod N)

• Goal: learn factors of N.

56

Suppose I implement RSA as:

if (d == 1) sleep(1) decrypt(c)if(d == 2) sleep(2) decrypt(c)if(d==3) sleep(3) decrypt(c)

Time to decrypt leaks key

RSA Decryption Time Variance

• Causes for decryption time variation:–Which multiplication algorithm is used.• OpenSSL uses both basic mult. and Karatsuba

mult.– Number of steps during a modular

reduction• modular reduction goal: given u, compute u mod

q• Occasional extra steps in OpenSSL’s reduction

alg.

• There are MANY:–multiplications by input c–modular reductions by factor q (and p)

Reduction Timing Dependency

• Modular reduction: given u, compute u mod q.– OpenSSL uses Montgomery

reductions [M’85] .

• Time variance in Montgomery reduction:– One extra step at end of reduction

algorithmwith probability

Pr[extra step] (c mod q) [S’00]

2q

Pr[extra step] (c mod q) 2q

Value c

Decryption Time

q 2q p

Multiplication Timing Dependency

• Two algorithms in OpenSSL:– Karatsuba (fast): Multiplying two numbers

of equal length– Normal (slow): Multiplying two numbers of

different length

• To calc xc mod q OpenSSL does:– When x is the same length as (c mod q),

use Karatsuba mult.– Otherwise, use Normal mult.

Multiplication Summary

c < q

Decryption Time

q

Normal MultiplicationKaratsuba Multiplication

cc > q

Data Dependency Summary

• Decryption value c < q–Montgomery effect: longer decryption time–Multiplication effect: shorter decryption

time

• Decryption value c > q–Montgomery effect: shorter decryption time–Multiplication effect: longer decryption time

Opposite effects! But one will always dominate

Timing Attack

High Level Attack:1) Suppose g=q for the top i-1 bits, and 0 elsewhere.

2) ghi = g, but with the ith bit 1. Then g < ghi Goal: decide if g<q<ghi or g<ghi<q

3) Sample decryption time for g and ghi:t1 = DecryptTime(g)t2 = DecryptTime(ghi)

4) If |t1 - t2| is large bit i is 0 (g < q < ghi)

else bit i is 1 (g < ghi < q)don’t

straddle q

large vs. small creates 0-1 gap

g and ghi straddle q

Timing Attack Details• We know what is “large” and “small” from attack on

previous bits.

• Decrypting just c does not work because of sliding windows– Decrypt a neighborhood of values near g– Will increase diff. between large and small values

larger 0-1 gap• Only need to recover 1/2 bits of q [C’97] • Attack requires only 2 hours, about 1.4 million queries

The Zero-One Gap

Zero-one gap

How does this work with SSL?

How do we get the server to decrypt our c?

Normal SSL Decryption

Regular Client SSL Server 1. ClientHello

2. ServerHello (send public key)

3. ClientKeyExchange (re mod N)

Result: Encrypted with computed shared master secret

Attack SSL Decryption

Attack Client SSL Server

1. ClientHello

2. ServerHello (send public key)

3. Record time t1 Send guess g or ghi

4. Alert

5. Record time t2 Compute t2 –t1

Attack requires accurate clock

• Attack measures 0.05% time difference between g and ghi– Only 0.001 seconds on a P4

• We use the CPU cycle counter as fine-resolution clock– “rdtsc” instruction on Intel– “%tick” register on UltraSparc

Attack extract RSA private keyin OpenSSL

Montgomery reductionsDominates

Multiplication routine dominates

zero-one gap

Attack extract RSA private key

Montgomery reductionsDominates

Multiplication routine dominates

zero-one gap

72

Timing channels fell outside RSA security game

RSA Problem:Given N,e, me mod N, compute m

73


Defenders Do Not


74

Good GuyBad Guy

VS

Good Guy vs. Bad Guy

75

Good Guy vs. Many Bad Guys

Good Guy

VS

Bad Guys

76

What if they are powerful?

Good Guy

VS

77

My WorkI. Securing the entire

software lifecycle

Developer

Writing Debugging Releasing

Updating

Designing

User

VerifyingInstallingRunning

Exploiting

79

My WorkI. Securing the entire

software lifecycleII. Allowing everyone to reason about the security of the code

they execute

BAP: Binary Code Analysis Platform

• Binary code is everywhere• Security of the code you run

(not just the code compiled)

Formal Methods Compilers

ProgrammingLanguages

Usability Algorithm

Design

82


Defenders Do Not


83

Thoughts?

84

That is all I have for today.

Documents

Computer Security: Computer Science with Attackers