PSC CyberSecurity 4 Systems v2

Cri$cal Infrastructure Security: The Emerging Smart Grid

Cyber Security Lecture 3: System Vulnerabili$es

Carl Hauser & Adam Hahn

Overview

•  System Vulnerabili$es –  SoEware – Hardware –  Side Channel –  Social – Malware –  Supply Chain

•  Security Mechanisms – Access Control – Malware Detec$on

Overview



Vulnerability Characteris$cs •  Time introduced

–  Design •  oEen due to incorrect, insufficient system requirements

–  Implementa$on •  Some error or overlooked detail in the coding process

–  Opera$onal •  Result from the opera$onal use of soEware in some environment

•  System Components –  SoEware –  Hardware –  Network

•  Impact –  Confiden$ality, Integrity Availability

Most Dangerous SoEware Errors 1.  Improper Neutraliza$on of Special Elements used in an SQL

Command ('SQL Injec$on') 2.  Improper Neutraliza$on of Special Elements used in an OS

Command ('OS Command Injec$on') 3.  Buffer Copy without Checking Size of Input ('Classic Buffer

Overflow') 4.  Improper Neutraliza$on of Input During Web Page Genera$on

('Cross-‐site Scrip$ng') 5.  Missing Authen$ca$on for Cri$cal Func$on 6.  Missing Authoriza$on 7.  Use of Hard-‐coded Creden$als 8.  Missing Encryp$on of Sensi$ve Data 9.  Unrestricted Upload of File with Dangerous Type 10.  Reliance on Untrusted Inputs in a Security Decision

hhp://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf

Run-‐$me Memory Subdivision

Stack (grows down)

Buffer Overflow Basics

•  Buffer larger than the allocated space can overwrite return value

•  Ahacker can influence return loca$on to usurp control

Buffer Overflow Basics

Fundamental Problem

Related Problems

•  Integer wraparound – Can cause many issues with memory management

•  Unsigned/signed value conversions •  In summary C programming language is very fast

C programming language is not type-‐safe or memory-‐safe language

•  Other languages have problems – Many recent vulnerabili$es found within Java JRE

TOCTTOU: Another Kind of Problem

Essen$al problem: OS func$on (permission checking) cannot be correctly performed in user-‐level processes using available Unix syscalls. [Example from Wikipedia]

Running setuid (i.e, as root) Running concurrently

Overview



Hardware Security •  Ahacker may have physical access to hardware:

–  Example: smart meter

•  Ahacker can use physical access to: –  Extract cryptographic keys or other data – Understand device func$on

•  Approaches –  Reverse engineering –  Side channel analysis

Hardware Reverse Engineering

•  Read memory/firmware –  EEPROM, Flash/ROM, RAM

•  Monitor buses –  Serial Peripheral Interfaces (SPI) bus/JTAG – Use logic analyzers to interpret bus signals protocols

•  Connect to bus, pins

•  Vendors oEen employ tamper-‐resistant techniques –  Cover components in epoxy

Overview



Side Channel •  Side channel ahack

–  alterna$ve methods to obtain key from crypto system (i.e., not brute force, cryptanalysis)

–  Requires some ability to monitor power/computa$on $me of system (usually physical access)

•  Types of side channels: –  Power consump$on of chip (differen$al power analysis) –  Timing of some algorithm

Source: Rostami, M.; Koushanfar, F.; Karri, R., "A Primer on Hardware Security: Models, Methods, and Metrics," Proceedings of the IEEE , vol.102, no.8, pp.1283,1295, Aug. 2014

•  Example – Timing analysis –  RSA Encryp$on

•  computes (c = me mod n)

–  Can infer key based on whether a mul$plica$on occurs every itera$on

Overview



Social Engineering •  Humans are oEen the weakest link in a security system

•  Social Engineering –  ahemp$ng to gain and manipulate trust from others in order to gain access to a system or informa$on

•  Examples: – Malware on USB – when people find a USB device, they’ll generally plug it in

–  Phone – call people and try to impersonate IT staff or other trusted par$es (e.g., Kevin Mitnick)

–  Phishing …

Phishing Example •  Phishing – malicious email message which ahempts to come from trusted

source –  Spear phishing – very targeted phishing where ahacker leverages personal

informa$on about you to tailor the message •  Why?

–  Email is usually not authen$cated –  Emails contain :

•  Ahachments with malware (e.g., .pdf, .doc, .exe) •  URLs to websites with malware (WSU uses “Proofpoint URL Defense” to defend

against this) •  Example:

Overview



Malware •  Malicious SoEware (Malware)

–  Runs on system without user’s consent –  Does some malicious func$on

•  Malware categorize –  Viruses, worms, trojan horses, spyware, dishonest

adware, scareware, crimeware…

•  Key components –  Infec$on/propaga$on method

•  SoEware vulnerabili$es, social engineering, etc •  “Shellcode” to exploit a vulnerability & install malware

–  Payload •  What malicious func$on is performed

–  Obfusca$on techniques

This quan$ta$ve illustra$on shows the early (yellow), middle (orange), and late (red) stages in the spread of the Code Red worm over a period of 13 hours on July 19, 2001 (360,000 hosts) (www.caida.org)

Infec$on/Propaga$on •  How does malware spread?

•  Remotely accessible soEware vulnerabili$es (e.g., buffer overflows)

•  File sharing –  Download from website

•  <A href=“badstuff.exe”>En$cingImage.jpg</A> –  Portable media (USB keys, floppy disks, CDROMS, etc.)

•  En$cingImage.jpg.exe (Windows likes to hide “known file suffixes” •  Automa$c execu$on of a file when media inserted •  Automa$c installa$on of a driver when new USB device inserted

–  Anything that can contain executable code is poten$ally a threat: •  Documents with macros (Word, Excel, PDF, …) •  Email ahachments

•  Hard-‐coded, well known authen$ca$on creden$als

Payload – Malicious func$on •  Low-‐level extor$on (encrypt data, holding it “hostage” un$l vic$m pays $$$)

–  hhp://arstechnica.com/tech-‐policy/2015/04/police-‐chief-‐paying-‐the-‐bitcoin-‐ransom-‐was-‐the-‐last-‐resort/

•  Steal financial/credit card data –  hhp://krebsonsecurity.com/2014/09/home-‐depot-‐56m-‐cards-‐impacted-‐malware-‐contained/

•  Steal privacy data –  hhp://www.infosecurity-‐magazine.com/news/socialpath-‐malware-‐backs-‐up-‐to-‐cc/

•  Send SPAM emails to your colleagues, etc. –  hhps://nakedsecurity.sophos.com/2014/08/05/how-‐to-‐send-‐5-‐million-‐spam-‐emails/

•  Log user keystrokes (acquire passwords for bank accounts, etc.) –  hhp://www.csoonline.com/ar$cle/2112405/social-‐networking-‐security/how-‐keylogging-‐

malware-‐steals-‐your-‐informa$on-‐-‐includes-‐video-‐.html

•  Persistent ads (some$mes for malware removal soEware) –  hhps://zeltser.com/malver$sing-‐malicious-‐ad-‐campaigns/

Botnets •  Botnet:

–  a collec$on of computers (perhaps hundreds of thousands) running remote-‐control soEware under the (illegi$mate) control of an individual or group

•  Typically the computers are doing everyday work for their legi$mate owners as well as par$cipa$ng in the botnet

•  Control takes place using IRC (Internet Relay Chat) or other peer-‐to-‐peer soEware

•  Uses: –  DDoS –  Spam sending –  Click fraud –  Distribute new exploit code

Disguise/Obfusca$on Techniques •  Encrypt the virus code

–  Constant encryp$on technique and variable key •  Encrypted files stored on system •  Encrypt network C&C communica$on

–  Variable encryp$on technique and variable key (so-‐called polymorphic virus)

•  Obfusca$on –  Re-‐write binaries so they different, but func$onally equivalent

–  This can be applied inside the virus so “copies” are not literal but rather func$onal copies

–  Tools available to make it easy for the virus writer

Rootkits •  Ahackers want to maintain administra$ve (root) privileges aEer an ahack

•  Types –  Kernel mode

•  Modify OS kernel or device driver to maintain highest privilege level

•  Direct Kernel Object Manipula$on (DKOM) -‐ rootkit directly modifies entries in the OS process table, scheduler to hid presence

–  Bootkit •  Modifies Master Boot Record (MBR) to manipulate OS when it boots

•  Difficult to detect/remove because has same privileges as OS/AV soEware

Overview



Supply Chain Issues •  Modern informa$on technology has very complex supply chain –  SoEware

•  Examples: –  Pla|orms: Opera$ng systems, services, drivers –  Third-‐party libraries (e.g., graphics, math, strings, encryp$on)

•  Can contain unknown backdoors, vulnerabili$es –  Hidden hardware

•  Addi$onal processing capability built into a product that does something other than the main purpose of the product

–  E.g., Network sniffer that looks for password-‐containing packets; periodically sends to ahacker

•  The hardware operates completely outside the control of the installed soEware/firmware of the main product

Reflec$on on Trus$ng Trust Ken Thompson

Turing Award Lecture, 1983

Lesson: Can’t trust anything you didn’t completely develop yourself

SoEware Supply Chain

hhps://buildsecurityin.us-‐cert.gov/ar$cles/best-‐prac$ces/acquisi$on/a-‐systemic-‐approach-‐assessing-‐soEware-‐supply-‐chain-‐risk

Supply Chain Risk •  Examples:

–  Lenovo Superfish •  Malicious soEware added to laptops directly from store to MitM secure web conntec$ons

–  hhp://www.cnet.com/news/lenovos-‐superfish-‐screwup-‐highlights-‐biggest-‐problem-‐in-‐soEware/

–  FBI report on knock-‐off Cisco device •  Large number of knock-‐off devices found within govt

–  hhp://www.ny$mes.com/2008/05/09/technology/09cisco.html?_r=0 –  Dragonfly/Energe$c Bear hack

•  Sophis$cated ahacks against both energy companies and vendors –  hhp://www.symantec.com/connect/blogs/dragonfly-‐western-‐energy-‐

companies-‐under-‐sabotage-‐threat

–  HP devices shipped with malware •  hhp://www.gao.gov/assets/590/589568.pdf

Overview



Access Control

•  Enforced by –  Hardware (processor) –  SoEware (OS)

•  Hardware enforced –  Various HW enforced privilege levels (or “rings”)

•  Ring 3 – user mode applica$ons (e.g., Firefox, MS Word) •  Ring 0 – kernel mode (e.g., Windows kernel, Linux)

–  Privileged instruc$ons include memory mgmt, I/O

–  CPU checks instruc$on vs privilege level before execu$ng

–  System calls & hardware interrupts allow data flow across rings

Access Control •  Opera$ng System

–  Based on subjects and objects •  Subject – user, process •  Object – file, hardware driver access

–  Access control matrix – •  Specify whether the subject and read, write, or execute the object

–  Approaches •  Discre$onary -‐ object owner determine who has access •  Mandatory -‐ security administrator determines who has access to the objects •  Role-‐based – subject’s role determines their access to file

•  Example: Linux file permissions (discre$onary) –  Format:

•  R – read, W – write, X – execute •  |Owner|Group|Everyone |

–  -‐rw-‐r-‐-‐-‐-‐-‐ 1 root shadow Feb 4 16:15 shadow –  -‐rw-‐r-‐-‐r-‐-‐ 1 root root Feb 4 16:15 passwd –  -‐rwxr-‐xr-‐x 2 ahahn ahahn Sep 10 2014 file.txt

Overview



Malware Detec$on

•  An$virus soEware – Compares programs to known malware paherns – Analyzes programs for malicious opera$ons – Scanning

•  Pahern matching on known virus signatures •  Integrity checks: has a file changed (use checksums) •  Run program in emulated environment and see if it produces either data that matches a signature or an execu$on sequence that matches a signature

Malware Detec$on

•  Difficult because: – Malware performs muta$on/obfusca$on/encryp$on – AV companies must first obtain the malware in the wild before developing a signature

•  Only common malware is detected •  Detec$on of new, sophis$cated malware tends towards 0% •  Malware developers can also use AV to test their malware

– AV poorly detects malware samples using well known obfusca$on techniques

hhp://www.sans.org/reading-‐room/whitepapers/casestudies/effec$veness-‐an$virus-‐detec$ng-‐metasploit-‐payloads-‐2134

Malware detec$on in control systems

•  Tradi$onal AV – Blacklist of known malicious signatures

•  Control systems – suggests whitelists –  Specify all programs that should execute, block others

•  Example – MS Windows

•  Specify allowed applica$ons with “Group Policy” •  AppLocker , rules based white list on Win 7, Server 2008

–  Can be bypassed

–  ICS Whitelist (hhps://www.icswhitelist.com) •  Maintains library of hashes of common ICS applica$ons •  Can be used to compare running programs against known valid program hashes

End