Fall 2022

CC551: Computer and Network

Security
Lecture 2

Ahmed Kosba

Department of Computer and Systems Engineering

Faculty of Engineering, Alexandria University

1
Outline
• Previous lecture (Lecture #1)
• Introduction - Real world threats and attacks
• Security principles
• Low-level software security
• Buffer overflow and format string vulnerabilities

• Today's lecture
• Low-level software security (cont.)
• Countermeasures and secure coding practices
• Introduction to cryptography
• Symmetric-key encryption
• Classical ciphers
2
From lecture 1 Recall: What is the difference between a CWE and a CVE?

Top 10 CWEs in 2019 [Data from https://cwe.mitre.org/]

Rank ID Name
[1] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Improper Neutralization of Input During Web Page Generation ('Cross-site
[2] CWE-79
Scripting')
[3] CWE-20 Improper Input Validation
[4] CWE-200 Information Exposure
[5] CWE-125 Out-of-bounds Read
Improper Neutralization of Special Elements used in an SQL Command
[6] CWE-89
('SQL Injection')
[7] CWE-416 Use After Free
[8] CWE-190 Integer Overflow or Wraparound
[9] CWE-352 Cross-Site Request Forgery (CSRF)
Improper Limitation of a Pathname to a Restricted Directory ('Path
[10] CWE-22
Traversal')
3
See also: https://nvd.nist.gov/vuln/categories
Recall: CVEs VS CWEs
Table from: https://www.cvedetails.com/

Note the different impact of each CVE, although the CWE is the same. 4
From lecture 1 Stack
High Address
.
Recap: Buffer overflow .
.
%ebp

void f(char *s){

int authentic = 0; s
char b[4];
strcpy(b,s); The caller’s %eip
if(authentic){
The caller’s %ebp %ebp
// …
} 0
E F0 0
G 0
}
A B C D
int main(){
char *t = “ABCDEFG”;
f(t);
}

• Note: The string s is longer than the buffer b.

• This can affect the control flow of the
program, grant the adversary extra
permissions, etc.
5
 Stack
High Address
.
Code injection .
.
%ebp

void f(char *s){

int authentic = 0; s
char b[4];
strcpy(b,s);
if(authentic){
The caller’s %ebp %ebp
// …
} E F G 0
}
A B C D
int main(){
char *t = “ABCDEFG”;
f(t); Malicious Code
}

Stack Growth
Segment

• The attacker can change the return address,

and make it point to a malicious code
segment.
6
Notes on buffer overflow attacks
• If you inspect the assembly produced by C compilers, you could find
different behavior compared to the behavior we discussed.
• The behavior depends on the compiler type and compiler version/options.
• For example, GCC itself can assign a different order to the local variables
depending on whether stack protection is enabled or not.

• The goal here was to illustrate the attack, not the compiler details.
• It is important to note that even if the order details changed, the attack would
still be possible.

7
Countermeasures
• Use a memory-safe and a type-safe language Stack canaries:
- protect IP (instruction pointer) to
• Most modern languages are memory and type safe. avoid code injections.

• This still does not prevent all issues. You need to follow security
recommendations. (We will see an example shortly)
arg Memory
• What if we still need to use C? IP 0x256

• Use secure coding guidelines. BP

0x256
• Tools that check whether a program is memory safe or not. canary: a
special value

• Some known countermeasures in the space - compare between saved value and the canary,
they should be the same if not altered by buffer
• Stack canaries overflow.
- canary protects IP but not the local variables.
• Make code on stack or heap not executable.
• However, some types of attack could still work. See Return-to-libc
• Address space layout randomization
• Control flow integrity
8
However, countermeasures are not perfect.
 Stack
High Address

Example: Stack Canaries .

.
• How could the stack be protected against some .

buffer overflow attacks? Args

• One solution to protect the return address: The caller’s %eip

• push some special value (the canary) before the buffer on The caller’s %ebp
the stack.
Canary
• Check the value of the canary before returning. The

Stack Growth
Note: The original canary value is kept in another memory overflow
will change
location in case it was not fixed, e.g., randomly selected. the value of
Buffer
• This is implemented by GCC, but this protects the the canary.
return data, not the other local variables on the
stack.
• What could be done to protect the other local variables?
(next slide)
- attacker can still find the value of the stack canary using
• How to select the value of the canary? Different memory leaks attacks
How can an attacker bypass a canary?
types of canaries in practice. (Example: Random - value of the canary should be hard to detect/expect.
9
canary)
 Stack
(canary --> buffers --> local variables) High Address

Note - variables are buffers or non-buffers.

- If we put the buffers below canary, we will detect it and protect non-buffer values
- Buffer values are not protected here.
.
.
.
• GCC also employs variable reordering to
protect non-buffer variables [Ref]. Args
• Local non-buffer variables, e.g., ints, are The caller’s %eip
allocated after the buffers. The caller’s %ebp
• Overflow in the buffers won't overwrite the
values of other local variables (but might Canary
The
overwrite the canary instead). overflow
• This is how the attack in the previous lecture will change
was prevented. However, this scheme won't the value of
Buffers the canary.
protect against all out-of-bound writes in the

Stack Growth
buffers (Example will be posted).
Other local non-
• Note: The canary idea can be extended to buffer variables.
protect other data on the stack, by adding a
canary for each buffer, but this will cause
overhead. 10
Top 10 Secure Coding Practices [SEI – CERT]
• Validate input. • Adhere to the least privilege
• Heed compiler warnings. principle.
• Architect and design for security • Sanitize data sent to other
policies. systems. before sending it to more general purpose
systems.

• Keep it simple. • Use multiple layers of defense.

• Default deny. • Adopt a secure coding standard
for the target development
• Quality assurance techniques language.
• Fuzz testing, penetration testing
and source code audits Fuzz testing: random unpredictable input

• Independent security reviews Penetration testing: hiring people who try to attack your system

- formal verification: takes the system and the safety specification that can't happen
and the formal verifier looks for a trace where this safety specification can happen. 11
Another low-level vulnerability in the news

CWE-416: Use After Free

Example from cwe.mitre.org

12
 Later in the course, we will discuss more software weaknesses
and vulnerabilities in the web context.
Top 10 CWEs in 2019
Rank ID Name
[1] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Improper Neutralization of Input During Web Page Generation ('Cross-site
[2] CWE-79
Scripting')
[3] CWE-20 Improper Input Validation
[4] CWE-200 Information Exposure
[5] CWE-125 Out-of-bounds Read
Improper Neutralization of Special Elements used in an SQL Command
[6] CWE-89
('SQL Injection')
[7] CWE-416 Use After Free
[8] CWE-190 Integer Overflow or Wraparound
[9] CWE-352 Cross-Site Request Forgery (CSRF)
Improper Limitation of a Pathname to a Restricted Directory ('Path
[10] CWE-22
Traversal')
13
[Data from https://cwe.mitre.org/]
Introduction to Cryptography

14
Modern Cryptography
• Historically, cryptography was more of an art.
• Goal: Private communication between two parties who share a key in
advance. (Symmetric key encryption)
• Used heuristic and ad hoc designs that seemed clever.

• Modern Cryptography is a science that has rich theoretical

foundations and requires rigorous analysis.
• Enables much broader security services.

15
 Symmetric-key Encryption How will Alice and Bob share the
key securely?
In person or through a trusted person.

k k
- each party has key to decrypt.
- attacker must not know the key

c
m (ciphertext)
(plaintext)
channel is insecure
Alice Bob
c = E(k, m) m = D(k, c)

Note on notation: Enck(m) is used instead of E(k, m) sometimes. Both will have the same meaning
in our discussions.
16
Shift/Caesar Cipher (100 B.C.) weak because number of keys is only 26 including 0, which isn't
a shift so an attacker can easily use brute force on the key.

- Encryption: E(k,m) = (m+k) mod 26

- Decryption: D(k, c) = (m-k) mod 26

• How many values for the key in this cipher? Available values would be the number of alphabets, 26 letters.

It could be easily broken by analyzing the number of shifts

• How easy would it be to break it? between the letters, they must be equal so knowing the shift of
one letter would eventually make you reach the rest of the
• Can you modify it to make it more secure? characters.

- Can be more secure if we used arbitrary mapping instead of shifting. (monoalphabetic substitution)
- The key in this case is the whole sequence (26! possibilities). 17
- Statistical distribution can still be used to break this so still not very secure.
Monoalphabetic Substitution (800 A.D.)
• Each plaintext character is mapped to another different character.
• The mapping is done arbitrarily.

A B C D E F G H I J K L MN O P Q R S T U V WX Y Z
F WT X P C V S MA E N I U R J G B Z D H L Y O Q K

• How many possible values for the key? 26! possible keys because we use keys without replacement
• Is it secure? Can be broken by analyzing which letter is repeated the most, this would
most probably be the letter "e" as it's used most in English words and so on..
(statistical distribution)

18
Relative frequency of letters in English text

Figure Source: https://www3.nd.edu/~busiforc/handouts/cryptography/letterfrequencies.html

19
Observation
• Historical ciphers seem easy to break.
• Even a massive key space did not help with the problem.
• How to design a secure cipher?
• Should we keep the ciphering algorithm secret? (see next slide)

20
Kerckhoffs’ principle
• The encryption algorithm must be secure even if the attacker knows
the details of the algorithm.
• Only the key will be kept secret.
• What are the advantages of this approach?
• Hint: Recall the “Open Design” security principle.

21
Kerckhoffs’ principle
• Advantages
• Allowing the cryptographic algorithms to be reviewed and standardized
(public scrutiny)
• Easier to keep a key secure than to keep the algorithm secure.
• In case of any leaks, it’s easier to change the key than to change the
algorithm.
• It would be more practical for large-scale deployment if users rely on the
same encryption software (with different keys), instead of having a different
encryption algorithm for every context.

23
Brute-Force Attacks and Cryptanalytic Attacks
• Brute-force attacks:
• The attacker tries every possibility of the key as input to the decryption
algorithms and inspects the output plaintext to see if it is intelligible.
• Knowledge about the plaintext structure would be needed.

• Cryptanalysis:
• The attacker exploits the characteristics of the algorithm and possibly some
plaintext-ciphertext pairs in order to decipher an encrypted text or to find the
key.

25
Characterization of ciphers (1/2)
1) Type of operations:
• Substitution: Each element in the plaintext is substituted by another element.
• Transposition: The positions of the plaintext elements are changed. (Re-
arrangement)

Note: the operations must be reversible, otherwise information will be lost

during the encryption operation.

In practice, multiple stages of substitution and transposition would be involved

in the encryption stage.

26
Characterization of ciphers (2/2)
2) Stream vs Block ciphers:
• Stream cipher: encrypts one element, e.g., one byte, at a time.
• Block cipher: encrypts one block of the input plaintext at a time. (A block is a
group of elements.)

27
Classical Ciphers (cont.)
• Substitution mode
• Caesar cipher
• Mono-alphabetic substitution cipher
• Playfair cipher
• Hill cipher
• Poly-alphabetic substitution ciphers
• Vernam cipher
• Transposition mode
• Rail Fence cipher
• Row transposition cipher

28
Poly-alphabetic substitution ciphers
• Provides an improvement upon the mono-alphabetic ciphers
discussed earlier.
• Uses different mono-alphabetic ciphers as the plaintext is being
encrypted. (character doesn't get mapped to the same character every time)

29
 The Vigenère cipher
• One of the simplest poly-alphabetic substitution ciphers.
• Uses a series of Caesar ciphers whose shifts are set based on the key.
• If the key is shorter than the message, the key is repeated.
• Example [Stallings book]: - each letter is a shift in the cipher in the key
• Plaintext: wearediscoveredsaveyourself..
• Key: deceptivedeceptivedeceptive..
• Ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ..
explanation: "w" here is shifted by the index of letter "d" which is "3", if we start counting from 0 (it's the fourth letter in the
alphabet) so "w"-->"x"-->"y"-->''z".
• How to break this cipher?
30
 Vernam cipher (1917)
• Uses a key that is a long as the message. The used key should not have any statistical
relationship to the plaintext.
• The original implementation of this cipher was vulnerable. It read the key from a tape. If
the plaintext was longer than the tape length, the tape loops after a complete cycle.
• Will see a better version later in the lecture.

Key Stream Key Stream

Generator Generator
- to decipher, XOR with the
character once more.
- XORs the character
with the key ki ki

pi
 ci ci
 pi

Sender Receiver
31
Rail Fence Cipher
• A simple transposition cipher
• Encryption is done by writing the plaintext as a sequence of
diagonals, then writing the ciphertext characters according to the
sequence of rows.
• The key is the number of rows.
• Example:
• Encrypt (k = 2, “ATTACKATDAWN”) = “ATCADWTAKTAN”
A T C A D W
T A K T A N
- easy to break as it uses the same characters of the plaintext so brute-force on rearranging
• How to break this cipher? them would make it easily broken.
- you can easily eliminate many words that don't have these characters so brute-force is
even easier.
32
Row Transposition Cipher
• Encryption is done by writing the input plaintext in a rectangle, row by row.
• To output the ciphertext, output the columns, but in a permuted order.
• The key would be the order of the columns
• Example [Stallings]
Key: 4 3 1 2 5 6 7
Plaintext: a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
• How easy would it be to break this cipher? - easy to break as it keeps characters in the same line.
- a solution would be to apply the cipher again on the output.

33
Row Transposition Cipher
• To make the previous cipher more difficult to break, use multiple
stages of transposition, i.e., encrypt the output ciphertext in another
stage.
Key: 4 3 1 2 5 6 7
Input: t t n a a p t
m t s u o a o
d w c o i x k
n l y p e t z
Ciphertext: NSCYAUOPTTWLTMDNAOIEPAXTTOKZ

• Having multiple stages of encryption seems to make transposition

harder to break. (This applies for substitution as well) 34
Steganography vs Encryption
• Encryption conceals the content
of the message, while
Steganography conceals the
existence of a hidden message.
(hides the fact that there is a message sent)
• Other tools exist:
• Invisible ink
• Hiding messages in digital images
• ..
Once it's cracked, it can't be used again.
• Drawbacks?
Puzzle Example
From the silent world of Nicholas Quinn, by Colin Dexter
Dear George;
Greetings to all at Oxford. Many thanks for your
letter and for the summer examination package.
All Entry Forms and Fees Forms should be ready
for final dispatch to the Syndicate by Friday
20th or at the very latest, I’m told by the 21st.
Admin has improved here, thought there’s room
for improvement still, just give us all two or three
more years and we’ll really show you! Please
don’t let these wretched 16+ proposals destroy
your basic O and A pattern. Certainly, this
sort of change, if implemented immediately,
would bring chaos.
Sincerely yours;
36
What is the secret message?
Introduction to Modern
Cryptography

37
Principles of Modern Cryptography
• Formal definitions
“If you don’t understand what you want to achieve, how can you know if you
have achieved it?”
• Precise assumptions
Many modern cryptographic schemes cannot be proven unconditionally. The
proofs of security typically rely on assumptions. These assumptions should be
stated explicitly and precisely.
• Proofs of security
Provide a rigorous proof that a construction satisfies a definition under certain
assumptions.

38
Discussion adapted from Katz and Lindell’s book
Threat Models
• Definitions in cryptography
should state precisely the
security goal or guarantee
• What attacks should be c
prevented?

c = E(k, m) m = D(k, c)
• Threat Model
• Identifies the capabilities that the
attacker has. For example, what are the threat
• If not defined precisely, your models for encryption?
system could be insecure.
39
Threat Models for Encryption
• Ciphertext-only attack
• Known-plaintext attack
• Chosen-plaintext attack
• Chosen-ciphertext attack
• Chosen-text attack

40
Threat Models for Encryption
Threat Model
Ciphertext-only attack
Known-plaintext attack
Chosen-plaintext attack
- attackers can send a message
to the host and ask to encrypt it.
- covers this up to deceive the
host.
Chosen-ciphertext attack
- send the host ciphertext and ask
him to decrypt it.
Chosen-text attack
What the attacker has access to
- Encryption Algorithm
- Ciphertext c (one or many?)
- Encryption Algorithm
- Ciphertext c - common words like "dear" at the beginning of the email
- One or more plaintext-ciphertext pairs
- Encryption Algorithm
- Ciphertext c
- One or more plaintext-ciphertext pairs for plaintexts of its
choice.
- Encryption Algorithm
- Ciphertext c
- Decryption of any ciphertext chosen by analyst (except c)
- The union of the previous two attacks
41
Defining Security of Encryption Schemes
• Let’s start with the very basic threat model.
• Single ciphertext-only attack.

• How to define security?

What do you think of the following definitions?
• “It should be impossible for the attacker to extract the key”.
• “It should be impossible for the attacker to find the entire plaintext using the
ciphertext”.
• “It should be impossible for the attacker to figure out any character of the
plaintext from the ciphertext”.

42
Discussion adapted from Katz and Lindell’s book
Defining Security of Encryption Schemes
• Assuming single ciphertext-only attack.

• A better definition would be “Regardless of the information that the

attacker already has, the ciphertext should not leak any additional
information about the plaintext”
• How to formalize this?

43
Symmetric Encryption Schemes
• A symmetric encryption scheme over a message space M is defined
by three algorithms:
• Key generation algorithm (Gen): This is a probabilistic algorithm that
generates the key.
• Encryption algorithm: Given a message m  M, and a key k
output c = E(k, m)
• Decryption algorithm: Given a ciphertext c, and a key k, output m = D(k, c)

44
 Perfect Secrecy
• Let M be a random variable representing the value of the message to be encrypted.
• Let C be a random variable representing the value of the ciphertext.
• Let K be a random variable representing the value of the key.
• M and K should be independent random variables.
- This means that if the attacker has 4 options for the message, each with probability 0.25.
- After seeing the ciphertext, the probabilities of these possible messages should not change at all, should still be 0.25 each.
- Any change in their probabilities means that the ciphertext gave additional info to the attacker so the cipher isn't perfectly secret.
• An encryption scheme over message space M and ciphertext space C is
perfectly secret if for every distribution over M, every m  M , and
every c  C (with Pr[C = c] > 0), the following holds
Pr [M = m | C = c ] = Pr [ M = m ]
i.e., the probability distribution of M should not change after seeing
the ciphertext.
Can we have a cipher that realizes this? 45
Example
• Is the shift cipher perfectly secret?
• Example:
• Assume M has two messages only “ATTACK”, “RETURN”.
• Assume both possibilities are equi-probable, then
• Pr[M = “ATTACK”] = Pr[M = “RETURN”] = 0.5
• If the observed ciphertext is: “SFUVSM”, i.e., c = “SFUVSM”.
• What is the value of: Pr[M = “ATTACK” | C = “SFUVSM”]?
• 0 because "attack" has 2 repeated chars, "a'" and "t", so this should be corresponded in the ciphertext,
but we have only 1 repeated character, "S", in the ciphertext.
• The shift cipher is not perfectly secret in the above case.

Exercise: Is there a special case (a certain message space) where the shift cipher
can be perfectly secret?
• Any of the previous other ciphers is perfectly secret in general? 46
One-time Pad
• Recall the Vernam cipher.
• The original form was vulnerable
• However, if the key was totally random, and as long as the message, it would
be unbreakable (this is called the one-time pad).
• The one-time was proven to be perfectly secret, by Shannon in the
1940s.

• Given M = {0, 1}n

• Algorithm:
• Key generation: choose a random key k uniformly from {0, 1}n
• Encryption: E(k, m) = k  m
• Decryption: D(k, c) = k  c
47
One-time Pad
n bits

 c
n bits
XOR

m
n bits

Exercise: How to prove correctness and perfect secrecy formally? 48