
Lec. 43 Class Review

There are too many topics in computer security
This class is just an introduction to some topics
Hopefully, it shows the basic ideas and makes everyone more aware of security-related issues
Malware, Security Model, Security Auditing
Database security, web security, cloud security, mobile security, penetration test, etc.
The textbook has some coverage on related issues

Final reschedule:

Wed. 5/13 12pm-2pm, H389. (bring a jacket)
No objections and 15+ like the new time
I give you some sample exam questions
Closed book and notes, but you can have a two-page cheat-sheet
E.g., all attacks and defenses, important definitions, ideas, methods

What is Computer Security?

The security of a system/application/protocol is relative to
  A set of desired properties, e.g., CIA
    Different people with different goals may define different requirements: confidentiality, integrity, availability, etc.
    E.g., only admin can delete a file, no outside remote login
  An adversary with specific capabilities
    E.g., standard file access permissions in Linux and Windows are not effective against an adversary who can boot from a CD; everything then is readable to them
    A sniffer of all wireless traffic
    A global traffic monitor

Overview of Computer Security

These concepts cover almost all existing aspects
  Components of computer security: CIA
  Threats, vulnerabilities, and attacks
  Policies and mechanisms
  The role of trust
  Assurance
  Human Issues
  Operational Issues

Basic Components: CIA

Confidentiality
  Keeping data and resources hidden
  E.g., secret messages, secret agents or locations
Integrity
  Data integrity (integrity)
  Origin integrity (authentication)
Availability
  Enabling access to data and resources

Basic security issues

Security Requirements: what we want
  It is not easy to define clearly
  clients do not know what they want!
Security Attacks: what goes wrong
  Millions of types of attacks: scripts exploit vul.
Security Services: what can help us
  Basic weapons we have: email filters
Security Mechanisms: what implements a service
  Build a defense system to defeat specific attacks

A Simple Model for Network Security

(1) Confidentiality

Confidentiality is the avoidance of the unauthorized disclosure of information.
  confidentiality involves the protection of data, providing access for those who are allowed to see it,
  while disallowing others from learning anything about its content (or activity)

Tools for Confidentiality

C1: Encryption:
  the transformation of information using a secret, called an encryption key,
  so that the transformed information can only be read using another secret, called the decryption key (which may be the same as the encryption key).

[Figure: the Sender encrypts the plaintext with the shared secret key; the ciphertext crosses the communication channel, where an Attacker (eavesdropping) can see it; the Recipient decrypts it with the shared secret key to recover the plaintext]

Tools for Confidentiality

C2: Access control:
  rules and policies that limit access to confidential information to those people and/or systems with a "need to know"
  This need to know may be determined by identity, such as a person's name or a computer's serial number,
  or by a role that a person has, such as being a manager or a computer security specialist.
Your files on wiliki: I cannot read
Contents released by Wikileaks in 2010
  Bradley E. Manning, one of 3 million people who have access
  Over-reaction after 9/11

Tools for Confidentiality

C3: Authentication:
  the determination of identity or role that someone has.
  This determination can be done in a number of different ways, but it is usually based on a combination of
    something the person has (like a smart card or a radio key for storing secret keys),
    something the person knows (like a password),
    something the person is (like a human with a fingerprint)
    something the person does (dynamic biometrics)

[Figure: Something you are: human with fingers and eyes. Something you know: password=ucIb()w1V, mother=Jones, pet=Caesar. Something you have: radio token with secret keys]

Tools for Confidentiality

C4: Authorization:
  the determination if a person or system is allowed access to resources, based on an access control policy.
  Such authorizations should prevent an attacker from tricking the system into letting him have access to protected resources. E.g., MAC address
C5: Physical security:
  the establishment of physical barriers to limit access to protected resources
  The most common method
  Such barriers include locks on cabinets and doors,
  the placement of computers in windowless rooms,
  the use of sound dampening materials,
  the construction of buildings or rooms with walls incorporating copper meshes (called Faraday cages) so that electromagnetic signals cannot enter or exit the enclosure.

(2) Integrity

Integrity: the property that information has not been altered in an unauthorized way
Tools:
  Backups: the periodic archiving of data.
  Checksums: the computation of a function that maps the contents of a file to a numerical value.
    A checksum function depends on the entire contents of a file and is designed in a way that even a small change to the input file (such as flipping a single bit) is highly likely to result in a different output value.
  Data correcting codes: methods for storing data in such a way that small changes can be easily detected and automatically corrected
  Secure Hash functions/MACs

(3) Availability

Availability: the property that information is accessible and modifiable in a timely fashion by those authorized to do so.
Tools:
  Physical protections: infrastructure meant to keep information available even in the event of physical challenges. bomb-proof building
  Computational redundancies: computers and storage devices that serve as fallbacks in the case of failures. Backup servers
Sometimes, it is hard to achieve in practice:
  e.g., network Distributed Denial of Service attack

Other Security Concepts: A.A.A.

Authenticity
Assurance
Anonymity

Assurance

Assurance refers to how trust is provided and managed in computer systems
Trust management depends on:
  Policies, which specify behavioral expectations that people or systems have for themselves and others.
    E.g., the designers of an online music system may specify policies that describe how users can access and copy songs.
  Permissions, which describe the behaviors that are allowed by the agents that interact with a person or system.
    E.g., an online music store may provide permissions for limited access and copying to people who have purchased certain songs.
  Protections, which describe mechanisms put in place to enforce permissions and policies.
    an online music store would build in protections to prevent people from unauthorized access and copying of its songs.

Authenticity

Authenticity is the ability to determine that statements, policies, and permissions issued by persons or systems are genuine.
Primary tool:
  digital signatures. These are cryptographic computations that allow a person or system to commit to the authenticity of their documents in a unique way that achieves nonrepudiation,
  which is the property that authentic statements issued by some person or system cannot be denied.

Anonymity (or privacy)

Anonymity: the property that certain records or transactions are not attributable to any individual.
Tools:
  Aggregation: the combining of data from many individuals so that disclosed sums or averages cannot be tied to any individual. ballot box
  Mixing: the intertwining of transactions, info, or comm. in a way that cannot be traced to any individual.
  Proxies: trusted agents that are willing to engage in actions for an individual in a way that cannot be traced back to that person.
  Pseudonyms: fictional identities that can fill in for real identities in communications and transactions, but are otherwise known only to a trusted entity.

Classes of Threats

Disclosure
  Snooping: wiretapping
Deception
  Modification, spoofing, repudiation of origin, denial of receipt
Disruption
  Physical attacks, DoS, DDoS
Usurpation
  To take over without authority: bot
  Modification, spoofing, delay

Threats and Attacks

Eavesdropping: the interception of information intended for someone else during its transmission over a communication channel.
  Passive attack: your employer watches your web traffic

[Figure: Alice encrypts plaintext M with the shared secret key, ciphertext C crosses the communication channel past Eve, and Bob decrypts it back to plaintext M]

Alteration: unauthorized modification of information.
  Example: the man-in-the-middle attack, where a network stream is intercepted, modified, and retransmitted
  Active attack, e.g., hotel wireless service? VPN

[Figure: Sender, communication channel and Recipient, with an Attacker (intercepting) on the channel]

Threats and Attacks

Denial-of-service: the interruption or degradation of a data service or information access.
  Example: email spam to simply fill up Alice's queue and slow down an email server

Masquerading: the fabrication of information that is purported to be from someone who is not actually the author
  Phishing email, fake phone calls

[Figure: a message marked "From: Alice" (really is from Eve)]

Threats and Attacks

Repudiation: the denial of a commitment or data receipt.
  This involves an attempt to back out of a contract or a protocol that requires the different parties to provide receipts acknowledging that data has been received.

Correlation and traceback: the integration of multiple data sources and information flows to determine the source of a particular data stream or piece of information
  IP address, OS parameter, User parameter, traffic type/time/volume,

Security Attacks Summary 1

Passive threats
  Release of message contents
  Traffic analysis
    Steve Jobs contacts with Cingular a lot in 2007: iPhone service!
eavesdropping, monitoring transmissions

Security Attacks Summary 2

Active threats
  Masquerade
  Replay
  Modification of message contents
  Denial of Service (DOS)
modification of the data stream

Policies and Mechanisms

Policy says what is allowed and is not allowed
  This defines "security" for a system
Policy: may be expressed in
  natural language, which is usually imprecise but easy to understand; no remote login
  mathematics, which is usually precise but hard to understand;
  policy languages, which look like some form of programming language and try to balance precision with ease of understanding, e.g., PolicyMaker
    (IP_addr == xxx) & (clearance == secret)
Mechanisms enforce policies

Policies and Mechanisms

Mechanisms enforce policies. They may be
  technical, in which controls in the computer enforce the policy; e.g., the requirement that a user supply a password to authenticate herself before using the computer
  procedural, in which controls outside the system enforce the policy; e.g., firing someone for bringing in a disk containing a game program obtained from an untrusted source
The composition problem requires checking for inconsistencies among policies.
  E.g., if one policy allows students and faculty access to the data, and the other allows only faculty access to the data, then they must be resolved
Composition of policies
  If policies conflict, discrepancies may create security vulnerabilities: which rule to follow?
  One rule: All traffic from IP1 is allowed
  Another rule: traffic with an authentication tag is allowed

Goals of Security

Prevention is ideal
  Prevent attackers from violating security policy
  E.g., Intrusion Prevention Systems (IPSs), really?
Detection occurs after someone violates the policy
  Detect attackers' violation of security policy
  Know what the attacker has obtained
  E.g., Intrusion Detection Systems (IDSs)
Recovery means that the system continues to function correctly
  Stop attack, assess and repair damage
  Continue to function correctly even if attack succeeds
  E.g., Power grid

Trust and Assumptions

Underlie all aspects of security
Policies must
  Unambiguously partition system states: secure or unsecure
  Correctly capture security requirements
    a web site has to be available, but if the security policy does not mention availability, the definition of security is inappropriate for the site.
Mechanisms
  Assumed to enforce policy
    cryptography does not assure availability, so using cryptography in the above situation won't work
  Support mechanisms must work correctly
    rely on supporting infrastructure, such as compilers, libraries, the hardware, and networks to work correctly

Types of Mechanisms

A reachable state is one that the computer can enter
A secure state is a state defined as allowed by the security policy.
The left figure shows a secure system
  all reachable states are in the set of secure states. The system can never enter (reach) a non-secure state, but there are secure states that the system cannot reach.
The middle figure shows a precise system
  all reachable states are secure, and all secure states are reachable. Only the non-secure states are unreachable.
The right figure shows a broad system.
  Some non-secure states are reachable. This system is also not secure.

[Figure: three diagrams labelled secure, insecure and precise, each drawing the set of reachable states against the set of secure states]

Assurance

Assurance is a measure of how well the system meets its requirements, or how much you can trust the system to do what it is supposed to do
  It does not say what the system is to do
Specification
  From requirements analysis: what the system must do to meet those requirements
  Statement of desired functionality
Design a system that meets the specification
Implementation
  actual coding of the modules and software components
  Programs/systems that carry out design

Operational Issues

A secure system can be breached by improper operation
  E.g., when accounts with no passwords are created
Cost-Benefit Analysis
  Is it cheaper to prevent or recover?
  Airport full-body scanner, $180k plastic explosive?
  http://www.schneier.com/blog/archives/2010/11/tsa_backscatter.html
  How about using 1% of $10 billion for intelligence?
Risk Analysis: what happens if the data and resources are compromised? 80-year-old lady or 1-year-old baby
  What should we protect? How much?
Laws and Customs
  Are desired security measures illegal?
  Will people do them? use of urine specimens to determine identity

Human Issues

Organizational Problems: the key here is that those responsible for security have the power to enforce security. Often not true: admin vs. security officer
Financial benefits: security indirect income
  Body-scanner companies
People problems
  Outsiders and insiders
    insiders account for 80-90% of all security problems
  Social engineering
    Phishing email or phone calls

Tying Together: loop

[Figure: loop through Threats, Policy, Specification, Design, Implementation, Operation]

10 Security Principles (1975)

[Figure: the ten principles arranged around the title: Economy of mechanism, Fail-safe defaults, Complete mediation, Open design, Separation of privilege, Least privilege, Least common mechanism, Psychological acceptability, Work factor, Compromise recording]

Economy of mechanism

This principle stresses simplicity in the design and implementation of security measures.
the notion of simplicity is especially important in the security domain
  since a simple security framework facilitates its understanding by developers and users and enables the efficient development and verification of enforcement methods for it.

Fail-safe defaults

This principle states that the default configuration of a system should have a conservative protection scheme
  E.g., when adding a new user to an operating system, the default group of the user should have minimal access rights to files and services.
  Unfortunately, OSs and applications often have default options that favor usability over security
  Historically, web browsers that allow the execution of code downloaded from the web server.

Complete mediation

The idea behind this principle is that every access to a resource must be checked for compliance with a protection scheme
we should be wary of performance improvement techniques that save the results of previous authorization checks, since permissions can change over time.
E.g., an online banking web site should require users to sign on again after a certain amount of time has passed, say, 15 minutes
  UH portal has the same feature

Open design

the security architecture and design of a system should be made publicly available
  Security should rely only on keeping cryptographic keys secret
  Open design allows for a system to be scrutinized by multiple parties, E-Voting system
    which leads to the early discovery and correction of security vulnerabilities caused by design errors
    http://www.snagfilms.com/films/title/hacking_democracy
The open design principle is the opposite of the approach known as security by obscurity
  achieve security by keeping cryptographic algorithms secret
  which has been historically used without success by several organizations

Separation of privilege

multiple conditions should be required to achieve access to restricted resources or have a program perform some action
  Launching a nuclear missile
  Opening a bank vault

Least privilege

Each program and user of a computer system should operate with the bare minimum privileges necessary to function properly.
  abuse of privileges is restricted, the damage caused by the compromise of a user is minimized
  The military concept of need-to-know information is an example of this principle

Least common mechanism

In a system with multiple users, mechanisms allowing resources to be shared by more than one user should be minimized.
  if a file needs to be accessed by more than one user, then these users should have separate channels by which to access these resources,
  to prevent unforeseen consequences that could cause security problems
  Easy to figure out who is the traitor

Psychological acceptability

user interfaces should be well designed and intuitive, and all security-related settings should adhere to what an ordinary user might expect
  NSA Pat-down procedure

Work factor

the cost of circumventing a security mechanism should be compared with the resources of an attacker when designing a security scheme.
  A system developed to protect student grades in a university database,
    which may be attacked by snoopers or students trying to change their grades,
  needs less sophisticated security measures than a system built to protect military secrets,
    which may be attacked by government intelligence organizations

Compromise recording

it is more desirable to record the details of an intrusion than to adopt more sophisticated measures to prevent it
  Internet-connected surveillance cameras are a typical example of an effective compromise record system that can be deployed to protect a building in lieu of reinforcing doors and windows.
  The servers in an office network may maintain logs for all accesses to files, all emails sent and received, and all web browsing sessions

Topic: Access Control

Traditional topic on a single computer
  Which users can read/write which files?
  Are my files really safe?
  What does it mean to be root?
  What do we really want to control?
Users and groups
Authentication
Passwords
File protection
Access control matrices/lists

Access Control Matrices

A table that defines permissions
  Each row of this table is associated with a subject, which is a user, group, or system that can perform actions.
  Each column is associated with an object, which is a file, directory, document, device, resource, or any other entity for which we want to define access rights.
  Each cell is then filled with the access rights for the associated combination of subject and object.
  Access rights can include actions such as reading, writing, copying, executing, deleting, and annotating.
  An empty cell means that no access rights are granted.

2. Access Control Lists

for each object o, a list L is defined
  enumerates all the subjects that have access rights for o
  for each such subject s gives the access rights that s has for object o.

/etc/passwd    root: r,w;   mike: r;   roberto: r;   backup: r
/usr/bin/      root: r,w,x; mike: r,x; roberto: r,x; backup: r,x
/u/roberto/    root: r,w,x; roberto: r,w,x; backup: r,x
/admin/        root: r,w,x; backup: r,x
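The matrix and its per-object lists above, worked through in C as an added example (not code from the original slides): one table is read by column to produce each object's ACL and by row to produce each subject's own list, and every access check consults the table directly. The rights are filled in from the ACL figure; the function names and the bit encoding are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

enum { R = 4, W = 2, X = 1 };            /* access rights as bit flags (assumed encoding) */
#define NSUBJ 4
#define NOBJ  4

static const char *const SUBJ[NSUBJ] = { "root", "mike", "roberto", "backup" };
static const char *const OBJ[NOBJ] =
    { "/etc/passwd", "/usr/bin/", "/u/roberto/", "/admin/" };

/* Rows are subjects, columns are objects, 0 is an empty cell (no rights).
 * Values constructed from the ACL figure on the slide. */
static const unsigned MATRIX[NSUBJ][NOBJ] = {
    /* root    */ { R | W, R | W | X, R | W | X, R | W | X },
    /* mike    */ { R,     R | X,     0,         0         },
    /* roberto */ { R,     R | X,     R | W | X, 0         },
    /* backup  */ { R,     R | X,     R | X,     R | X     },
};

static int index_of(const char *const *names, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (name != NULL && strcmp(names[i], name) == 0)
            return i;
    return -1;
}

/* Render a rights mask as "r,w,x" (at most 5 characters plus NUL). */
static void rights_text(unsigned rights, char out[6])
{
    static const unsigned bit[3] = { R, W, X };
    static const char letter[3] = { 'r', 'w', 'x' };
    size_t k = 0;
    for (int i = 0; i < 3; i++) {
        if (rights & bit[i]) {
            if (k) out[k++] = ',';
            out[k++] = letter[i];
        }
    }
    out[k] = '\0';
}

/* Append "name: rights" to out; fails rather than truncating. */
static int append_entry(char *out, size_t outlen, const char *name, unsigned rights)
{
    char r[6];
    size_t used = strlen(out);
    int n;
    rights_text(rights, r);
    n = snprintf(out + used, outlen - used, "%s%s: %s", used ? "; " : "", name, r);
    return (n < 0 || (size_t)n >= outlen - used) ? -1 : 0;
}

/* Column view: the ACL of one object lists every subject with a non-empty cell. */
int acl_for_object(const char *object, char *out, size_t outlen)
{
    int o = index_of(OBJ, NOBJ, object);
    if (o < 0 || out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    for (int s = 0; s < NSUBJ; s++)
        if (MATRIX[s][o] && append_entry(out, outlen, SUBJ[s], MATRIX[s][o]) != 0)
            return -1;
    return 0;
}

/* Row view: one subject's list of objects with non-empty rights. */
int caps_for_subject(const char *subject, char *out, size_t outlen)
{
    int s = index_of(SUBJ, NSUBJ, subject);
    if (s < 0 || out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    for (int o = 0; o < NOBJ; o++)
        if (MATRIX[s][o] && append_entry(out, outlen, OBJ[o], MATRIX[s][o]) != 0)
            return -1;
    return 0;
}

/* Every request is checked against the table; unknown names and empty
 * cells are denied. */
int access_allowed(const char *subject, const char *object, unsigned right)
{
    int s = index_of(SUBJ, NSUBJ, subject);
    int o = index_of(OBJ, NOBJ, object);
    if (s < 0 || o < 0 || right == 0) return 0;
    return (MATRIX[s][o] & right) == right;
}

int main(void)
{
    char line[128];
    for (int o = 0; o < NOBJ; o++)
        if (acl_for_object(OBJ[o], line, sizeof line) == 0)
            printf("ACL  %-12s %s\n", OBJ[o], line);
    for (int s = 0; s < NSUBJ; s++)
        if (caps_for_subject(SUBJ[s], line, sizeof line) == 0)
            printf("ROW  %-12s %s\n", SUBJ[s], line);
    printf("mike read /u/roberto/: %s\n",
           access_allowed("mike", "/u/roberto/", R) ? "allow" : "deny");
    return 0;
}
```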

3. Capabilities

a subject-centered approach to access control
  for each subject s, it defines the list of the objects for which s has nonempty access control rights
  together with the specific rights for each such object

root       /etc/passwd: r,w,x; /usr/bin: r,w,x; /u/roberto: r,w,x; /admin/: r,w,x
mike       /usr/passwd: r; /usr/bin: r,x
roberto    /usr/passwd: r; /usr/bin: r; /u/roberto: r,w,x
backup     /etc/passwd: r,x; /usr/bin: r,x; /u/roberto: r,x; /admin/: r,x

4. Role-based Access Control

Define roles and then specify access control rights for these roles rather than for subjects directly

[Figure: role hierarchy with the roles Department Chair, Administrative Manager, Accountant, Lab Manager, Secretary, Lab Technician, Administrative Personnel, Undergraduate TA, Backup Agent, Technical Personnel, Undergraduate Student, Faculty, Graduate TA, Graduate Student, Student, Department Member, System Administrator]

Social Engineering

Pretexting: creating a convincing story that convinces an administrator into revealing secret information
  Knowing a lot of details: dumpster diving!
  Old friend calls you on a quick loan
Baiting: offering a kind of "gift" to get a user or agent to perform an insecure action
  Free game, $5 rebate, Drop a USB key at Pentagon parking lot
Quid pro quo: offering a service and then expecting something in return
  Something-for-something
Psychological: "Your grandson is in jail! Send bail money asap!"

Ch.2 Physical Security

Physical Protection and Attacks
Digital data must be physically located somewhere
Physical security: Any physical object that creates a barrier to unauthorized access
  This includes: locks, latches, safes, alarms, guards, guard dogs, doors, windows, walls, ceilings, floors, fences, door strikes, door frames and door closers
1. Location protection
2. Physical intrusion detection
3. Hardware attacks
4. Eavesdropping
5. Physical interface attacks

Pin Tumbler Lock Terminology

[Figure: pin tumbler lock with labels shell, driver pin, tumbler spring, shear line, key pin, cylinder or plug, keyway]

basic algorithm for picking locks

Apply a small amount of torque to the plug
Repeat until lock turns:
  Locate the pin stack that's being pinched at the shear line (it resists slightly when pushed up)
  Continue to push that pin stack up until its cut reaches the shear line and the plug turns slightly
  The top pin of that pin stack will be trapped above the shear line, the bottom pin will fall freely, and now a new pin stack (the next most misaligned one) prevents further rotation

Side Channel Attacks

Rather than attempting to directly bypass security measures, an attacker instead goes around them by exploiting other vulnerabilities not protected by the security mechanisms.
Side channel attacks are sometimes surprisingly simple to perform.

[Figure: High security lock; Cheap hinges]

Authentication Technologies

The determination of identity, usually based on a combination of
  something the person has (like a smart card or a radio key fob storing secret keys),
  something the person knows (like a password),
  something the person is (like a human with a fingerprint, or a voice)

[Figure: Something you are: human with fingers and eyes. Something you know: password=ucIb()w1V, mother=Jones, pet=Caesar. Something you have: radio token with secret keys]

What is Computer Forensics?

A scientific process of preserving, identifying, extracting, documenting, and interpreting data on a computer/network device, etc.
Used to obtain potential legal evidence
  Deleted/encrypted files
  Browser history
  System logs: boot time, login time
  data access records, GPS records,
  Trace back IP addresses

Computer Forensics Procedures

The Forensic Paradigm
  Identification: Identify specific objects that store important data for the case analysis
  Collection: Establish a chain of custody and document all steps to prove that the collected data remains intact and unaltered
  Analysis and Evaluation: Determine the type of information stored on digital evidence and conduct a thorough analysis of the media
  Reporting: Prepare and deliver an official report

A Computer Model

a computer consists of a CPU, random access memory (RAM), input/output (I/O) devices, and long-term storage

[Figure: CPU connected to I/O, RAM (cells numbered 0, 1, 2, ... 9, ...) and Disk Drive]

OS Concepts

OS provides the interface between the users of a computer and that computer's hardware
  OS manages how applications access the resources in a computer
  including its disk drives, CPU, main memory, input devices, output devices, and network interfaces
  Regular user cannot directly access; otherwise, sniffing/changing every bit
OS manages multiple users
OS manages multiple programs

Multiple processes sharing the CPU and memory

Multitasking
  Give each running program a "slice" of the CPU's time, 1ms
  CPU is switching processes very fast
  to any user, it appears that the computer is running all the programs simultaneously

Process scheduling
  A program must be brought into memory and placed within a process for it to be run.
  An Input queue: collection of processes on the disk that are waiting to be brought into memory to run the program
  Ready Queue: Multiple processes sharing the CPU and memory

[Figure label: New Task]

A Layer Model: The Kernel

The kernel is the core component of OS
  manage low-level hardware resources
  including memory, processors, and input/output (I/O) devices, such as a keyboard, mouse, or video display.
OSs define the tasks associated with the kernel in layers

[Figure: layers from top to bottom: User Applications and Non-essential OS Applications (Userland); The OS Kernel (Operating System); CPU, Memory, Input/Output (Hardware)]

Input/Output (I/O) Devices

I/O devices of a computer include keyboard, mouse, video display, and network card
  and other optional devices, like a scanner, Wi-Fi interface, video camera, USB ports, etc.
Each device is represented in OS using a device driver, which encapsulates the details of how interaction with that device should be done
The application programmer interface (API) of the device drivers allows application programs to interact with those devices at a high level,
  while the OS does the "heavy lifting" of performing the low-level interactions that make such devices actually work.

What is a System Call?

User applications don't communicate directly with low-level hardware components, and instead delegate such tasks to the kernel via system calls
System calls are usually contained in a collection of programs, e.g., C library (libc) printf()
  they provide an interface that allows applications to use APIs for communicating with the kernel
Examples of system calls include those for performing file I/O (open, close, read, write) and running application programs (exec).

What is a Process?

is an instance of a program that is currently executing
  The actual contents of all programs are initially stored in persistent storage, such as a hard drive.
  In order to be executed, a program must be loaded into random-access memory (RAM) and uniquely identified as a process.
In this way, multiple copies of the same program can be run as different processes.
  E.g., multiple copies of Editor open at the same time

Memory Management

address space is the RAM of a computer
  It contains both the code for the running program, its input data, and its working memory
For any running process, it is organized into different segments
  keep the different parts of the address space separate
  security concerns require that we never mix up these different segments

6 segments for x86

Stack Segment (SS). Pointer to the stack.
Code Segment (CS). Pointer to the code.
Data Segment (DS). Pointer to the data.
Extra Segment (ES). Pointer to extra data ('E' stands for 'Extra').
F Segment (FS). Pointer to more extra data ('F' comes after 'E').
G Segment (GS). Pointer to still more extra data ('G' comes after 'F').

What is Virtual Memory?

There is not enough physical memory for the address spaces of all running processes
  32-bit: 4 GB, 64-bit: 8 TB per process
OS gives each running process the illusion that it has access to its complete (contiguous) address space
The previous view is virtual, but it is not really how the memory is organized
  memory is divided into pages, and the OS keeps track of which ones are in memory and which ones are stored out to disk

Virtual Machines

Virtual machine: A view that an OS presents that a process is running on a specific architecture and OS
  E.g., a windows emulator on a Mac.
Benefits:
  Hardware Efficiency
  Portability
  Management
  Security

Public domain image from http://commons.wikimedia.org/wiki/File:VMM-Type2.JPG

What is an Exploit?

An exploit is any input that takes advantage of a bug or vulnerability in order to cause an attack
  i.e., a piece of software, an argument string, or sequence of commands
  not necessarily a program that communicates bad input to a vulnerable piece of software
  can also be just the bad input itself
    any bad input (or even valid input that the developer just failed to anticipate) can cause the vulnerable application to behave improperly...
An attack is an unintended behavior that occurs on computer software, hardware, or sth. electronic and that brings an advantage to the attacker

Buffer Overflow Attack

One of the most common OS bugs is a buffer overflow
  The developer fails to include code that checks whether an input string fits into its buffer array
  An input to a process
    exceeds the length of a buffer
    overwrites a portion of the memory of the process
    Causes the application to behave improperly and unexpectedly
Effect of a buffer overflow
  The process can
    operate on malicious data or
    execute malicious code passed in by the attacker
  If the process is executed as root, the malicious code will be executing with root privileges, e.g., SET_UID programs

Unix Address Space

Text: machine code of the program, compiled from the source code
Data: static program variables initialized in the source code prior to execution
BSS (block started by symbol): static variables that are uninitialized
Heap: data dynamically generated during the execution of a process
Stack: structure that grows downwards and keeps track of the activated method calls, their arguments and local variables

[Figure: address space between High Addresses (0xFFFF FFFF) and Low Addresses (0x0000 0000), with the regions Stack, Heap, BSS, Data and Text]

strcpy() Vulnerability

domain.c

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        /* get user_input */
        char var1[15];
        char command[20];
        strcpy(command, "whois ");
        strcat(command, argv[1]);   /* no length check on command */
        strcpy(var1, argv[1]);      /* no length check on var1 */
        printf(var1);               /* user input used as the format string */
        system(command);
        return 0;
    }

argv[1] is the user input
strcpy(dest, src) does not check buffer
strcat(d, s) concatenates strings

[Figure: stack between Top of Memory (0xFFFFFFFF) and Bottom of Memory (0x00000000), showing the stack fill direction, var1 (15 char), command (20 char), and argv[1] overflowing them as the exploit]
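A hardened counterpart to domain.c, as an added example (not code from the original slides): it keeps the slide's buffer sizes, var1[15] and command[20], but rejects input that does not fit, never passes input as a format string, and starts whois without a shell. The helper names is_valid_domain, copy_checked and build_whois_command, and the rule for which characters a host name may contain, are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_DOMAIN_LEN 253   /* longest DNS name in text form */

/* Accept only letters, digits, '-' and '.', and refuse a leading '-' or '.'
 * so the value cannot be read as a command-line option. */
int is_valid_domain(const char *s)
{
    size_t n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > MAX_DOMAIN_LEN) return 0;
    if (s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Bounded replacement for strcpy(): fails instead of overflowing or truncating. */
int copy_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dstlen == 0) return -1;
    n = strlen(src);
    if (n >= dstlen) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded replacement for the strcpy()/strcat() pair: builds "whois <domain>"
 * and returns -1, leaving out empty, if the input is invalid or too long. */
int build_whois_command(char *out, size_t outlen, const char *domain)
{
    int n;
    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (!is_valid_domain(domain)) return -1;
    n = snprintf(out, outlen, "whois %s", domain);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char var1[15];      /* same sizes as domain.c */
    char command[20];

    if (argc != 2) {
        fprintf(stderr, "usage: %s domain\n", argv[0]);
        return 2;
    }
    if (copy_checked(var1, sizeof var1, argv[1]) != 0 ||
        build_whois_command(command, sizeof command, argv[1]) != 0) {
        fprintf(stderr, "rejected: input too long or not a host name\n");
        return 1;
    }
    printf("%s\n", var1);               /* input is data, never the format string */
    printf("running: %s\n", command);
    /* Pass the domain as one argument; no shell parses it. */
    execlp("whois", "whois", var1, (char *)NULL);
    perror("execlp");
    return 1;
}
```

With a 20-byte command buffer, the longest accepted domain is 13 characters; anything longer is refused rather than written past the end of the array.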

Return Address Smashing

The Unix fingerd() system call, which runs as root (it needs to access sensitive files), used to be vulnerable to buffer overflow
Write malicious code into buffer and overwrite return address to point to the malicious code
When return address is reached, it will now execute the malicious code with the full rights and privileges of root

    void fingerd () {
        char buf[80];
        get(buf);    /* reads input into buf; the 80-byte limit is never checked */
    }

[Figure: stack diagram labelled previous frames, current frame, f() arguments, return address, local variables, buffer, attacker's input, padding, malicious code, next location, program code, EIP]

Stack-based buffer overflow detection using a random canary

The canary is placed in the stack prior to the return address, so that any attempt to over-write the return address also over-writes the canary.

[Figure: Normal (safe) stack configuration: Buffer, Other local variables, Canary (random), Return address, Other data. Buffer overflow attack attempt: Buffer, Overflow data, Corrupt return address, Attack code]
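How the canary check behaves, as an added simulation that is not from the original slides: the frame is modelled as a 24-byte array (16-byte buffer, 4-byte canary, 4-byte return address), which is an assumed layout. The canary is passed in so the run is reproducible; a real runtime draws it from a random source.

```c
#include <stdint.h>
#include <string.h>

/* Simulated frame, lowest address first: buffer | canary | return address. */
enum { BUF_LEN = 16, CANARY_OFF = 16, RET_OFF = 20, FRAME_LEN = 24 };

struct frame {
    unsigned char bytes[FRAME_LEN];
    uint32_t canary_copy;              /* reference value kept outside the frame */
};

/* "Prologue": store the canary between the buffer and the return address. */
void frame_enter(struct frame *f, uint32_t canary, uint32_t ret_addr)
{
    memset(f->bytes, 0, FRAME_LEN);
    f->canary_copy = canary;
    memcpy(f->bytes + CANARY_OFF, &canary, sizeof canary);
    memcpy(f->bytes + RET_OFF, &ret_addr, sizeof ret_addr);
}

/* Models an unchecked copy that starts at the buffer and keeps writing
 * upward. Clamped to the simulated frame so the demo stays well defined. */
void unchecked_write(struct frame *f, const void *src, size_t n)
{
    memcpy(f->bytes, src, n > FRAME_LEN ? FRAME_LEN : n);
}

/* "Epilogue": 1 if the canary is intact, 0 if overwritten (a real runtime aborts). */
int frame_leave_ok(const struct frame *f)
{
    return memcmp(f->bytes + CANARY_OFF, &f->canary_copy, sizeof f->canary_copy) == 0;
}

/* Return address as the epilogue would load it. */
uint32_t frame_ret(const struct frame *f)
{
    uint32_t r;
    memcpy(&r, f->bytes + RET_OFF, sizeof r);
    return r;
}

int main(void)
{
    struct frame f;
    unsigned char input[FRAME_LEN];    /* constructed oversized input */
    memset(input, 'A', sizeof input);
    frame_enter(&f, 0x5eedc0deu, 0x08048000u);
    unchecked_write(&f, input, sizeof input);
    return frame_leave_ok(&f) ? 0 : 1; /* exit status 1: overflow detected */
}
```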

Calling Convention

It is a protocol about how to call & return from routines
Programmers use a common calling convention
  to share code and libraries
  to use subroutines
Given a set of calling convention rules,
  a programmer knows how to pass parameters to subroutine
  high-level language compilers can be made to follow the rules, thus allowing hand-coded assembly language routines and high-level language routines to call one another

C language calling convention

This allows you to write assembly language subroutines that are safely callable from C code
  will also enable you to call C library functions from your assembly language code
It is based on the hardware-supported stack
  use push/pop/call/ret instructions
  (1) Subroutine parameters are passed on the stack
  (2) Registers are saved on the stack
  (3) Local variables used by subroutines are placed in memory on the stack
Most high-level procedural languages used similar calling conventions

Two sets of rules

The calling convention has two sets of rules
  The first set of rules is employed by the caller of the subroutine
  The second set of rules is observed by the writer of the subroutine (the callee)

Stack during Subroutine Call: 3 vars and 3 para

[Figure: stack during a subroutine call with 3 local variables and 3 parameters, with the stack pointer and the base pointer marked]

Rule Set 1: Caller Rules (1/2)

1. Before calling a subroutine, the caller should save the contents of certain registers that are designated caller-saved
  The caller-saved registers are EAX, ECX, EDX, since the called subroutine is allowed to modify these registers
  If the caller uses their values after the subroutine returns, the caller must push the values in these registers onto the stack (so they can be restored after the subroutine returns)
2. To pass parameters to the subroutine, push them onto the stack before the call
  The parameters should be pushed in inverted order
  Since the stack grows down, the first parameter will be stored at the lowest address
3. To call the subroutine, use the call instruction
  This instruction places the return address on top of the parameters on the stack, and branches to the subroutine code.
  This invokes the subroutine, which should follow callee rules

Rule Set 1: Caller Rules (2/2)

After the subroutine returns (immediately following the call instruction), the caller finds the return value of the subroutine in the register EAX
To restore the machine state, the caller should
1. Remove the parameters from stack.
  This restores the stack to its state before the call was performed.
2. Restore the contents of caller-saved registers (EAX, ECX, EDX) by popping them off of the stack.
  The caller can assume that no other registers were modified by the subroutine.

Caller Rules Example

The caller is calling a function _myFunc that takes three integer parameters.
  First parameter is in EAX, the second parameter is the constant 216; the third parameter is in memory location var.

    push [var]     ; Push last parameter first
    push 216       ; Push the second parameter
    push eax       ; Push first parameter last
    call _myFunc   ; Call the function (assume C naming)
    add esp, 12    ; the caller cleans up the stack afterwards

After the call

The result produced by _myFunc is now available for use in the register EAX
The values of the caller-saved registers (ECX and EDX) may have been changed
  If the caller uses them after the call, it would have needed to save them on the stack before the call and restore them after it.
We have 12 bytes (3 parameters * 4 bytes each) on the stack, and the stack grows down. Thus, to get rid of the parameters, we can simply add 12 to the stack pointer.

Rule Set 2: Callee Rules

For whoever writes the subroutine
The first half of the rules apply to the beginning of the function, and are commonly said to define the prologue to the function.
The latter half of the rules apply to the end of the function, and are thus commonly said to define the epilogue of the function.

Callee Rules: prologue

1. Push the value of EBP onto the stack, and then copy the value of ESP into EBP

    push ebp        ; maintains the base pointer, EBP; save old
    mov ebp, esp    ; copy the stack pointer to the base pointer; create new

  EBP is used as a point of reference for finding parameters and local variables on the stack.
  When a subroutine is executing, the base pointer holds a copy of the stack pointer value from the caller
  Parameters and local variables will always be located at known, constant offsets away from the base pointer value.
  We push the old base pointer value at the beginning of the subroutine so that we can later restore the appropriate base pointer value for the caller when the subroutine returns.
  The caller is not expecting the subroutine to change the value of the base pointer
  We then move the stack pointer into EBP to obtain our point of reference for accessing parameters and local variables.

Callee Rules: prologue

2. Allocate local variables by making space on the stack.
  To make space on the top of the stack, the stack pointer should be decremented
  The amount depends on the number and size of local variables
  If 3 local integers (4 bytes each) were required, the stack pointer would need to be decremented by 12 to make space for these local variables (i.e., sub esp, 12).
  Local variables will be located at known offsets from the NEW base pointer
3. Save the values of the callee-saved registers that will be used by the function
  Push them onto the stack
  The callee-saved registers are EBX, EDI, and ESI

Epilogue: when the subroutine returns, it must follow these steps

1. Leave the return value in EAX
2. Restore the old values of any callee-saved registers (EDI and ESI) that were modified
  They are restored by popping them from the stack
3. Deallocate local variables by moving the value in the base pointer into the stack pointer: mov esp, ebp
4. Immediately before returning, restore the caller's OLD base pointer value by popping EBP off the stack
5. Return to the caller by executing a ret instruction

Circuit and Packet Switching

Circuit switching
  Legacy phone network, analog circuit
  Single route through sequence of hardware devices established when two nodes start communication
  Data sent along the same physical route
  A route maintained until communication ends
Packet switching
  Internet / data network
  Data split into packets
  Packets transported independently through the network
  Each packet handled on a best-effort basis
  Packets may follow different physical routes

What is a network protocol?

A protocol defines the rules for communication between computers
  Protocols are classified as connectionless and connection oriented
Connectionless protocol
  Sends data out as soon as there is enough data to be transmitted
  E.g., user datagram protocol (UDP)
Connection-oriented protocol
  Provides a reliable connection stream between two nodes
  Consists of set up, transmission, and tear down phases
  Creates virtual circuit-switched network
  E.g., transmission control protocol (TCP)
Each has pros and cons

Network Layers

Network models use a stack of layers
  Higher layers use the services of lower layers via encapsulation
  A layer can be implemented in hardware or software
  The bottommost layer must be in hardware
A network device may implement several layers
  An IP router has Physical/link/IP three layers (layer 3 device)
  An Ethernet switch has Physical/link, two layers (layer-2 device)
A communication channel between two nodes is established for each layer
  A physical channel at the bottom layer
  A virtual channel at higher layers

Internet Layers

[Figure: layer stacks with Application and Transport shown twice and Network and Link shown four times, over a Physical Layer of Fiber Optics, Ethernet and Wi-Fi]

Encapsulation

A packet typically consists of
  Control information for addressing a packet: header/footer
  Data: payload
A network protocol N1 (e.g., IP) can use the services of another network protocol N2 (e.g., Ethernet)
  A packet p1 of N1 is encapsulated into a packet p2 of N2
  The payload of p2 is p1
  The control information of p2 is derived from that of p1

[Figure: p1 (Header, Payload, Footer) carried as the Payload of p2, between p2's own Header and Footer]

Internet Packet Encapsulation

[Figure: Application Layer: application data, e.g., email. Transport Layer: TCP Header, TCP Data. Network Layer: IP Header, IP Data. Link Layer: Frame Header, Frame Data, Frame Footer]

Network Interfaces

Network interface is a device connecting a computer to a network
  Ethernet card, WiFi adapter, bluetooth adapter, etc.
A computer may have multiple network interfaces
Packets transmitted between network interfaces
Most local area networks (including Ethernet and WiFi) broadcast frames
In regular mode, each network interface gets the frames intended for it (addressed to it)
Traffic sniffing can be accomplished by configuring the network interface to read all frames (in the promiscuous mode)

MAC Addresses

Most network interfaces come with a predefined MAC address
A MAC address is a 48-bit number usually represented in hex
  E.g., 00-1A-92-D4-BF-86
The first three octets of any MAC address are IEEE-assigned Organizationally Unique Identifiers
  E.g., Cisco 00-1A-A1, Apple 00-0a-95
The next three can be assigned by organizations as they please, with uniqueness being the only constraint
Organizations can utilize MAC addresses to identify computers on their network
  e.g., EE wireless network
MAC address can be reconfigured by network interface driver software

What does a Switch do?

A switch is a common network device
  Operates at the link layer
  Has multiple ports, each connected to a computer
Operation of a switch
  Learn the MAC address of each computer connected to it
  Forward frames only to the destination computer
  Not broadcast to other ports: sniffing does NOT work

address resolution protocol (ARP)

The ARP connects the network layer to the data layer by converting IP addresses to MAC addresses
ARP works by broadcasting requests and caching responses for future use
  Caching with a timer, e.g., 60 seconds in Linux
The protocol begins with a computer broadcasting a message of the form
  who has <IP address1> tell <IP address2>
  The requestor's IP address <IP address2> is contained in the link header
When the machine with <IP address1> or an ARP server receives this message, it broadcasts the response
  <IP address1> is <MAC address>

ARP Spoofing

The ARP table is updated whenever an ARP response is received
Requests are not tracked
  What asked? When?
ARP announcements are not authenticated
  Machines must trust each other
A rogue machine can spoof other machines

ARP Poisoning (ARP Spoofing)

According to the standard, almost all ARP implementations are stateless
An ARP cache updates every time that it receives an ARP reply
  even if it did not send any ARP request!
It is possible to poison an ARP cache by sending ARP replies
Solution: Using static entries solves the problem
  but it is almost impossible to manage!
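One way to add the state that the slides say is missing, as an added example and not code from any real ARP implementation: replies are cached only when a matching request is outstanding, and a changed IP-to-MAC binding is reported instead of applied. All names, the 8-slot tables and the sample addresses are constructed for the demo, and cache expiry is left out.

```c
#include <stdint.h>
#include <string.h>

enum verdict { ARP_ACCEPT, ARP_UNSOLICITED, ARP_CONFLICT };
struct arp_entry { int used; uint32_t ip; uint8_t mac[6]; };

#define SLOTS 8
static uint32_t pending[SLOTS];        /* IPs we sent "who has" for; 0 = free slot */
static struct arp_entry cache[SLOTS];  /* filled front to back, never expired here */

/* Remember that we broadcast "who has <ip>". */
void arp_note_request(uint32_t ip)
{
    for (int i = 0; i < SLOTS; i++)
        if (pending[i] == 0) { pending[i] = ip; return; }
}

const uint8_t *arp_lookup(uint32_t ip)
{
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].used && cache[i].ip == ip) return cache[i].mac;
    return NULL;
}

/* Stateful handling of "<ip> is <mac>": cache it only if we asked for it and
 * it does not replace a different MAC already bound to that IP. */
enum verdict arp_on_reply(uint32_t ip, const uint8_t mac[6])
{
    const uint8_t *known = arp_lookup(ip);
    if (known && memcmp(known, mac, 6) != 0)
        return ARP_CONFLICT;           /* binding changed: alert, keep old entry */
    int asked = -1;
    for (int i = 0; i < SLOTS; i++)
        if (ip != 0 && pending[i] == ip) { asked = i; break; }
    if (asked < 0)
        return ARP_UNSOLICITED;        /* nobody asked: cache stays untouched */
    pending[asked] = 0;
    for (int i = 0; i < SLOTS && !known; i++)
        if (!cache[i].used) {
            cache[i].used = 1; cache[i].ip = ip; memcpy(cache[i].mac, mac, 6);
            break;
        }
    return ARP_ACCEPT;
}

int main(void)
{
    const uint8_t rogue[6] = {0x02, 0, 0, 0, 0, 0x99};  /* constructed MAC */
    return arp_on_reply(0xC0A80001u, rogue) == ARP_UNSOLICITED ? 0 : 1;
}
```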

Wireshark

Wireshark is a packet sniffer and protocol analyzer
  Captures and analyzes frames
  Supports plugins
Usually required to run with administrator privileges
  Run in seed or root account
Setting the network interface in promiscuous mode
  VM > setting > network > adaptor2 > advanced > Promiscuous Mode: please set it to All or All VMs
  captures traffic across the entire LAN segment and not just frames addressed to the machine
Freely available on www.wireshark.org

Internet Protocol

Connectionless
  Each packet is transported independently from other packets
Unreliable
  Delivery on a best effort basis
  No acknowledgments
Packets may be lost, reordered, corrupted, or duplicated
IP packets
  Encapsulate TCP and UDP packets
  Encapsulated into link-layer frames

[Figure: a TCP or UDP packet inside an IP packet inside a data link frame]

IP Addresses and Packets

IP addresses
  IPv4: 32-bit addresses
  IPv6: 128-bit addresses
  Address subdivided into network, subnet, and host
    E.g., 128.148.32.110
  Broadcast addresses
    E.g., 128.148.32.255
  Private networks
    not routed outside of a LAN
    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255
IP header includes
  Source address
  Destination address
  Packet length (up to 64KB)
  Time to live (up to 255)
  IP protocol version
  Fragmentation information
  Transport layer protocol information (e.g., TCP)

[Figure: IP header fields: v, length, fragmentation info, TTL, prot., source, destination]

IP Routing

A router bridges two or more networks
  Operates at the network layer
  Maintains tables to forward packets to the appropriate network
  Forwarding decisions based solely on the destination address
Routing table
  Maps ranges of addresses to LANs or other gateway routers
  netstat -r, --route
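A parser for the header fields and private ranges listed under IP Addresses and Packets, as an added example that is not part of the original slides. Struct and function names are assumptions made here; the length checks reject a packet whose declared size disagrees with the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>

struct ipv4_info {
    uint8_t  version, ttl, protocol;   /* protocol: 1 = ICMP, 6 = TCP, 17 = UDP */
    uint16_t total_len, frag_offset;   /* frag_offset counts 8-byte units */
    int      more_fragments;
    uint32_t src, dst;                 /* host byte order */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 0 and fills *out, or -1 if the bytes cannot be a valid IPv4 header. */
int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length in bytes */
    uint16_t total = rd16(pkt + 2);
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return -1;                              /* lengths must be consistent */
    out->version = 4;
    out->total_len = total;
    out->more_fragments = (pkt[6] & 0x20) != 0;
    out->frag_offset = rd16(pkt + 6) & 0x1fff;
    out->ttl = pkt[8];
    out->protocol = pkt[9];
    out->src = rd32(pkt + 12);
    out->dst = rd32(pkt + 16);
    return 0;
}

/* 1 if the address falls in one of the three private ranges listed above. */
int is_private(uint32_t a)
{
    return (a >> 24) == 10          /* 10.0.0.0 - 10.255.255.255 */
        || (a >> 20) == 0xAC1       /* 172.16.0.0 - 172.31.255.255 */
        || (a >> 16) == 0xC0A8;     /* 192.168.0.0 - 192.168.255.255 */
}

int main(void)
{
    struct ipv4_info h;
    const uint8_t runt[4] = {0x45, 0, 0, 0x1c};  /* constructed: truncated header */
    return parse_ipv4(runt, sizeof runt, &h) == -1 ? 0 : 1;
}
```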

IP Routing on the Internet

Internet Routes

Internet Control Message Protocol (ICMP)
  Used for network testing and debugging
  Simple messages encapsulated in single IP packets
  Considered a network layer protocol
Tools based on ICMP
  Ping: sends series of echo request messages and provides statistics on roundtrip times and packet loss
  Traceroute: sends series of ICMP packets with increasing TTL value to discover routes

ICMP Attacks

Ping of death
  ICMP specifies messages must fit a single IP packet (64KB)
  Send a ping packet that exceeds maximum size using IP fragmentation
  Reassembled packet caused several operating systems to crash due to a buffer overflow
Smurf
  Ping a broadcast address using a spoofed source address

Smurf Attack

[Figure: Smurf attack, labelled Attacker, Amplifying Network, Victim, echo request, echo response]

Denial of Service (DoS) Attack

Send large number of packets to host providing service
  Slows down or crashes host
  Often executed by botnet
Attack propagation
  Starts at zombies
  Travels through tree of internet routers rooted
  Ends at victim
IP source spoofing
  Hides attacker
  Scatters return traffic from victim

Source: M.T. Goodrich, Probabilistic Packet Marking for Large-Scale IP Traceback, IEEE/ACM Transactions on Networking 16:1, 2008.
