Computer Security: Computer Science with Attackers
Usable Privacy and Security, Fall 2009
As told by David Brumley

Find X
[Figure labels: 3, 4, X]
X is 5
There it is

My Security Axioms
I. Attackers Get Lucky, Defenders Do Not
II. Attackers are Creative

Agenda
• Examples of Axioms (aka, how to think like an attacker)
  – Example I: Ken Thompson
  – Example II: APEG
  – Example III: RSA
• How to argue security

Ken Thompson
• Born Feb 4, 1943
• Notable Work:
  – B Programming Language
  – UNIX
  – Plan 9
  – Popularized regular expressions
• 1983: Turing Award (joint with Ritchie) for UNIX and work in OS
• 1999: US National Medal of Technology
• 1999: First IEEE Tsutomu Kanai Award
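
A Self-Reproducing Program

char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";main() {printf(f,34,f,34,10);}

(Pre-ANSI style C: it relies on implicit int for main and an implicit declaration of printf, so a modern compiler needs a C89 mode to accept it.)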

When Executed
The program:
char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";main() {printf(f,34,f,34,10);}
The call, with the format string f written out:
printf("char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c",34,f,34,10);
Output so far after each step:
1. Literal text up to the first %c:
   char*f=
2. First %c prints 34 (ASCII 34 is a quote, "):
   char*f="
3. %s prints f itself:
   char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c
4. Second %c prints 34 (34 is a quote):
   char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c"
5. Literal text up to the last %c:
   char*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c";main() {printf(f,34,f,34,10);}
6. Last %c prints 10 (10 is newline), which ends the line.

Note
• This program can contain an arbitrary amount of excess baggage that will be reproduced along with the main algorithm.

The C Compiler
• The C compiler (cc) is written in C
• Special characters, such as newlines, quotes, etc., are escaped with backslashes. This is called a "character escape sequence"

c = next();
if(c != '\\') // Note, since compiler itself is written in C, must escape backslash
    return c;
c = next();
if(c == '\\')
    return '\\'; // Will return "\\"
if(c == 'n')
    return '\n';
etc.

Adding a New Escape Sequence
• The C compiler (cc) is written in C
• How do we add a new escape sequence?
  – Not yet valid C until added to compiler
  – But compiling modified compiler will not work because not valid C

c = next();
if(c != '\\') // Note, since compiler itself is written in C, must escape backslash
    return c;
c = next();
…
if(c == 'v')
    return '\v'; // INVALID!
etc.

What you do
• Solution: Encode in current valid C
• '\v' is ASCII 11

c = next();
if(c != '\\') // Note, since compiler itself is written in C, must escape backslash
    return c;
c = next();
…
if(c == 'v')
    return 11; // Works
etc.

Checkpoint
• Can make a program that prints itself out
• Can change the semantics of a compiler

How a compiler works
[Diagram: Source Code (Source Language) → Compiler → Executable Code (Target Language)]
Compiler:
get(s);
compile(s);

Trojaning Login
[Diagram: 'login' → Compiler → Trojaned 'login']
Compiler:
get(s);
compile(s);
if(s == 'login')
    compile(backdoor);

Trojaning Compiler
[Diagram: 'cc' → Compiler → Trojaned 'cc']
Compiler:
get(s);
compile(s);
if(s == 'login')
    compile(backdoor);
if(s == 'cc')
    compile(cc-backdoor);

Using Trojaned Compiler
[Diagram: 'cc' source → Trojaned 'cc' Compiler → trojaned exec 'cc'; 'login' source → Trojaned 'cc' Compiler → trojaned exec 'login']
Trojaned 'cc' Compiler:
get(s);
compile(s);
if(s == 'login')
    compile(backdoor);
if(s == 'cc')
    compile(cc-backdoor);

Agenda
• Examples of Axioms (aka, how to think like an attacker)
  – Example I: Ken Thompson
  – Example II: APEG
  – Example III: RSA
• How to argue security

"Regularly Install Patches" − Computer Security Wisdom

Patches Help Security
[Diagram: B (Buggy Program) → P (Patched New Program)]

Patches Can Help Attackers − Evil David

Evil David's Timeline (Delayed Patch Attack)
• T1: Gets Patch
• Between T1 and T2: Use Patch to Reverse Engineer Bug
• T2: Attack Unpatched Users

Patch Delay
• Asia gets P
• N. America gets patched version P
[Gkantsidis et al 06]

Evil David's Timeline
• T1: Gets Patch
• Between T1 and T2 (Minutes): Reverse Engineer Bug
• T2: Attack Unpatched Users
Evil David: "I can reverse engineer the patched bug and create an exploit in minutes"

Intuition
[Diagram labels: program; inputs split into Bad and Good; Particular Input; Trigger Bug]
[Diagram labels: B (Buggy Program); Exploit; Bad, Good]
[Diagram labels: B (Buggy Program); P (Patched Program); Bad, Good]
Patch leaks:
1) Where
2) How to exploit

Automatic Patch-Based Exploit Generation
Step 1: Get B and P
Step 2: Diff B & P
Step 3: Automatically Calculate Exploit
Profit!

IE6 Bug Example
• All integers unsigned 32-bits
• All arithmetic mod 2^32
• B is binary code

B:
read input
if input % 2 == 0
    T: s := input + 2
    F: s := input + 3
ptr := realloc(ptr, s)

Example run of B:
input = 2^32 - 2
(2^32 - 2) % 2 == 0
s := 0    ((2^32 - 2 + 2) % 2^32)
ptr := realloc(ptr, 0)
Using ptr is a problem

Wanted: s > input
Integer Overflow when: ¬(s > input)

Patch

P:
read input
if input % 2 == 0
    T: s := input + 2
    F: s := input + 3
if s > input
    T: ptr := realloc(ptr, s)
    F: Error

Exploits for B are inputs that fail new safety condition check in P:
(s > input) = false
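
Added example (not part of the original slides): the size computations of B and P from the IE6 slide written as C with uint32_t, showing that the inputs P sends to Error are the ones where s wraps around in B. The function names and the sample inputs are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* B: size computation from the slide; uint32_t arithmetic wraps mod 2^32. */
static uint32_t size_B(uint32_t input) {
    return (input % 2 == 0) ? input + 2u : input + 3u;
}

/* P: same computation plus the patch's safety check (s > input).
 * Returns 1 and stores s when the check passes, 0 for the Error branch. */
static int size_P(uint32_t input, uint32_t *s) {
    *s = size_B(input);
    return *s > input;
}

/* Count inputs in [lo, hi] that P sends to Error, i.e. where s wrapped. */
static unsigned rejected_in_range(uint32_t lo, uint32_t hi) {
    unsigned n = 0;
    uint32_t s;
    for (uint64_t i = lo; i <= hi; i++)   /* 64-bit counter: no wrap at hi */
        if (!size_P((uint32_t)i, &s)) n++;
    return n;
}

int main(void) {
    /* Constructed sample inputs around the 2^32 boundary. */
    uint32_t samples[] = { 0u, 1000u, 0xFFFFFFFCu, 0xFFFFFFFDu,
                           0xFFFFFFFEu, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t s;
        int ok = size_P(samples[i], &s);
        printf("input=%10u  B: realloc(ptr, %u)  P: %s\n",
               (unsigned)samples[i], (unsigned)s, ok ? "realloc" : "Error");
    }
    printf("rejected among the top 16 inputs: %u\n",
           rejected_in_range(0xFFFFFFF0u, 0xFFFFFFFFu));
    return 0;
}
```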

Result Overview
ASPNet_Filter      Information Disclosure   29 sec
GDI                Hijack Control           135 sec
PNG                Hijack Control           131 sec
IE COMCTL32 (B)    Hijack Control           456 sec
IGMP               Denial of Service        186 sec
• No public exploit for 3 out of 5
• Exploit unique for other 2

Does Automatic Patch-Based Exploit Generation Always Work?
NO!
However, in security attackers get lucky, defenders do not
Current Delayed Patch Distribution Insecure

Intermission

Agenda
• Examples of Axioms (aka, how to think like an attacker)
  – Example I: Ken Thompson
  – Example II: APEG
  – Example III: RSA
• How to argue security

RSA Cryptosystem
• Invented in 1978 by Rivest, Shamir, and Adleman
• RSA is widely used
  – Apache+mod_SSL (https)
  – stunnel (Secure TCP/IP servers)
  – sNFS (Secure NFS)
  – bind (name service)
  – ssh (secure shell)
• We believe RSA is secure

RSA Algorithm
• RSA Initialization:
  – pick prime p (secret)
  – pick prime q (secret)
  – Let N = pq (N is public)
  – pick e (public)
  – Find d s.t. d*e = 1 mod (p-1)(q-1) (private)
• RSA encryption of m: calculate m^e mod N = c
• RSA decryption of c: calculate c^d mod N = m

Example:
• p = 61, q = 53
• N = 3233
• e = 17
• d = 2753
• Suppose m = 123
• c = 123^17 mod 3233 = 855
• m = 855^2753 mod 3233 = 123

Why is RSA Secure
• Step 1: define "security"
• Step 2: Show that RSA meets definition

Step 1: Define Security
Public Parameters
  – N = pq (N is public)
  – e (public)
Private Parameters
  – p (secret)
  – q (secret)
  – d (derived from e, p, and q, private)
RSA Problem: Given N, e, m^e mod N, compute m
RSA is secure if the RSA problem cannot be solved efficiently

Step 2: Show RSA Meets Definition
Public Parameters
  – N = pq (N is public)
  – e (public)
Private Parameters
  – p (secret)
  – q (secret)
  – d (derived from e, p, and q, private)
RSA Problem: Given N, e, m^e mod N, compute m
Fact: we do not know RSA is secure

2 Ways to Break RSA
RSA Problem: Given N, e, m^e mod N, compute m
[Diagram: Public (N, e) → Factoring Algorithm → Private (p, q, d)]
Fact: if we can factor, we can break RSA
Given m^e, we can decrypt just like those who know d
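
Added example (not part of the original slides): the toy parameters from the RSA Algorithm slide carried through in C, showing that factoring the public N is enough to recompute d and decrypt. Trial division stands in for the "factoring algorithm" and works only because N is tiny; the function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Modular exponentiation; operands stay far below 2^32, so no overflow. */
static uint64_t modpow(uint64_t b, uint64_t e, uint64_t n) {
    uint64_t r = 1;
    for (b %= n; e; e >>= 1, b = b * b % n)
        if (e & 1) r = r * b % n;
    return r;
}

/* Inverse of a modulo m by the extended Euclidean algorithm (gcd(a,m)=1). */
static uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t r0 = (int64_t)m, r1 = (int64_t)a, t0 = 0, t1 = 1;
    while (r1 != 0) {
        int64_t q = r0 / r1, tmp;
        tmp = r0 - q * r1; r0 = r1; r1 = tmp;
        tmp = t0 - q * t1; t0 = t1; t1 = tmp;
    }
    return (uint64_t)(t0 < 0 ? t0 + (int64_t)m : t0);
}

/* "Factoring algorithm": trial division, feasible only for a toy N. */
static uint64_t smallest_factor(uint64_t n) {
    for (uint64_t f = 2; f * f <= n; f++)
        if (n % f == 0) return f;
    return n;
}

/* Recover the private exponent d from the public pair (N, e) by factoring. */
static uint64_t recover_d(uint64_t N, uint64_t e) {
    uint64_t p = smallest_factor(N), q = N / p;
    return modinv(e, (p - 1) * (q - 1));
}

int main(void) {
    const uint64_t N = 3233, e = 17, m = 123;   /* values from the slide */
    uint64_t c = modpow(m, e, N);               /* what the attacker sees */
    uint64_t d = recover_d(N, e);               /* uses public values only */
    printf("c = %llu, recovered d = %llu, decrypted m = %llu\n",
           (unsigned long long)c, (unsigned long long)d,
           (unsigned long long)modpow(c, d, N));
    return 0;
}
```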

2 Ways to Break RSA
RSA Problem: Given N, e, m^e mod N, compute m
[Diagram: Public (m^e mod N) → Roots → m]
Fact: if we can take roots modulo N, we can break RSA

Arguing Security
• Define what is public and private
• Define protocol
  – What bad guy gets to see
  – What bad guy cannot see
• Show that in any run of the protocol the bad guy
  – cannot see what he is not supposed to
  – cannot efficiently compute what he is not supposed to

I. Attackers Get Lucky, Defenders Do Not

NP Complete (i.e., it could be difficult) is Insufficient
[Diagram labels: Problem Domain; Hard Instances]
Probability of picking a hard instance is low

We believe RSA is hard on average
[Diagram labels: Problem Domain; assume ciphertexts are easy to decrypt; Random ciphertext c]
Can move instance (homomorphism)

II. Attackers are Creative

Breaking RSA in Practice
• RSA decryption: g^d mod N = m
  – d is private decryption exponent, N is public modulus
• Chinese remaindering (CRT) uses factors directly. N = pq, and d1 and d2 are pre-computed from d:
  1. m1 = g^d1 mod q
  2. m2 = g^d2 mod p
  3. combine m1 and m2 to yield m (mod N)
• Goal: learn factors of N.

Suppose I implement RSA as:

if (d == 1) { sleep(1); decrypt(c); }
if (d == 2) { sleep(2); decrypt(c); }
if (d == 3) { sleep(3); decrypt(c); }

Time to decrypt leaks key
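
Added example (not part of the original slides): the sleep(d) caricature generalized to a textbook square-and-multiply, where the number of modular multiplications (a stand-in for running time) follows the 1 bits of d, next to a square-and-multiply-always variant that does the same amount of work for every exponent. The 12-bit width, the function names and the exponents other than the slide's d = 2753 are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BITS 12  /* fixed exponent width for this toy; d = 2753 < 2^12 */

/* Left-to-right square-and-multiply. Multiplies only on 1 bits of d, so
 * *ops (a stand-in for running time) depends on the secret exponent. */
static uint64_t exp_leaky(uint64_t c, uint64_t d, uint64_t n, unsigned *ops) {
    uint64_t r = 1;
    *ops = 0;
    for (int i = BITS - 1; i >= 0; i--) {
        r = r * r % n; (*ops)++;
        if ((d >> i) & 1) { r = r * c % n; (*ops)++; }
    }
    return r;
}

/* Square-and-multiply-always: one squaring and one multiplication per bit,
 * whatever the bit is; the unused product is discarded by a mask select. */
static uint64_t exp_fixed(uint64_t c, uint64_t d, uint64_t n, unsigned *ops) {
    uint64_t r = 1;
    *ops = 0;
    for (int i = BITS - 1; i >= 0; i--) {
        r = r * r % n; (*ops)++;
        uint64_t prod = r * c % n; (*ops)++;
        uint64_t mask = 0 - ((d >> i) & 1);     /* all ones if bit i is set */
        r = (prod & mask) | (r & ~mask);
    }
    return r;
}

int main(void) {
    const uint64_t N = 3233, c = 855;           /* values from the slide */
    /* 2753 is the slide's d; 2048 and 4095 are constructed exponents that
     * only show how the operation count follows the number of 1 bits. */
    const uint64_t exps[] = { 2753, 2048, 4095 };
    for (int k = 0; k < 3; k++) {
        unsigned a, b;
        uint64_t m1 = exp_leaky(c, exps[k], N, &a);
        uint64_t m2 = exp_fixed(c, exps[k], N, &b);
        printf("d=%4llu leaky ops=%2u fixed ops=%2u results %s\n",
               (unsigned long long)exps[k], a, b, m1 == m2 ? "match" : "DIFFER");
    }
    return 0;
}
```

A fixed operation count removes only this exponent-dependent difference; the per-operation effects on the following slides (the extra Montgomery reduction step, Karatsuba versus normal multiplication) depend on the input value and are a separate channel.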

RSA Decryption Time Variance
• Causes for decryption time variation:
  – Which multiplication algorithm is used.
    • OpenSSL uses both basic mult. and Karatsuba mult.
  – Number of steps during a modular reduction
    • modular reduction goal: given u, compute u mod q
    • Occasional extra steps in OpenSSL's reduction alg.
• There are MANY:
  – multiplications by input c
  – modular reductions by factor q (and p)

Reduction Timing Dependency
• Modular reduction: given u, compute u mod q.
  – OpenSSL uses Montgomery reductions [M'85].
• Time variance in Montgomery reduction:
  – One extra step at end of reduction algorithm with probability Pr[extra step], given as (c mod q) / 2q [S'00]
[Plot: Decryption Time against Value c, with q, 2q and p marked on the c axis]

Multiplication Timing Dependency
• Two algorithms in OpenSSL:
  – Karatsuba (fast): Multiplying two numbers of equal length
  – Normal (slow): Multiplying two numbers of different length
• To calc x·c mod q OpenSSL does:
  – When x is the same length as (c mod q), use Karatsuba mult.
  – Otherwise, use Normal mult.

Multiplication Summary
[Plot: Decryption Time against c, with q marked. c < q: Karatsuba Multiplication; c > q: Normal Multiplication]

Data Dependency Summary
• Decryption value c < q
  – Montgomery effect: longer decryption time
  – Multiplication effect: shorter decryption time
• Decryption value c > q
  – Montgomery effect: shorter decryption time
  – Multiplication effect: longer decryption time
Opposite effects! But one will always dominate

Timing Attack
High Level Attack:
1) Suppose g = q for the top i-1 bits, and 0 elsewhere.
2) ghi = g, but with the ith bit 1. Then g < ghi
   Goal: decide if g < q < ghi or g < ghi < q
3) Sample decryption time for g and ghi:
   t1 = DecryptTime(g)
   t2 = DecryptTime(ghi)
4) If |t1 - t2| is large
      bit i is 0 (g < q < ghi): g and ghi straddle q
   else
      bit i is 1 (g < ghi < q): g and ghi don't straddle q
large vs. small creates 0-1 gap

Timing Attack Details
• We know what is "large" and "small" from attack on previous bits.
• Decrypting just c does not work because of sliding windows
  – Decrypt a neighborhood of values near g
  – Will increase diff. between large and small values (larger 0-1 gap)
• Only need to recover 1/2 bits of q [C'97]
• Attack requires only 2 hours, about 1.4 million queries

The Zero-One Gap
[Plot: Zero-one gap]

How does this work with SSL?
How do we get the server to decrypt our c?

Normal SSL Decryption
Regular Client and SSL Server:
1. ClientHello
2. ServerHello (send public key)
3. ClientKeyExchange (r^e mod N)
Result: Encrypted with computed shared master secret

Attack SSL Decryption
Attack Client and SSL Server:
1. ClientHello
2. ServerHello (send public key)
3. Record time t1; Send guess g or ghi
4. Alert
5. Record time t2; Compute t2 - t1

Attack requires accurate clock
• Attack measures 0.05% time difference between g and ghi
  – Only 0.001 seconds on a P4
• We use the CPU cycle counter as fine-resolution clock
  – "rdtsc" instruction on Intel
  – "%tick" register on UltraSparc

Attack extracts RSA private key in OpenSSL
[Plot labels: Montgomery reductions dominate; Multiplication routine dominates; zero-one gap]

Timing channels fell outside RSA security game
RSA Problem: Given N, e, m^e mod N, compute m

My Security Axioms
I. Attackers Get Lucky, Defenders Do Not
II. Attackers are Creative

Good Guy vs. Bad Guy

Good Guy vs. Many Bad Guys

What if they are powerful?

My Work
I. Securing the entire software lifecycle
[Diagram labels: Developer (Designing, Writing, Debugging, Releasing, Updating); User (Verifying, Installing, Running); Exploiting]
II. Allowing everyone to reason about the security of the code they execute

BAP: Binary Code Analysis Platform
• Binary code is everywhere
• Security of the code you run (not just the code compiled)
[Diagram labels: Formal Methods, Compilers, Programming Languages, Usability, Algorithm Design]

My Security Axioms
I. Attackers Get Lucky, Defenders Do Not
II. Attackers are Creative

Thoughts?

That is all I have for today.