7905ICT Mod 1-2 Lecture


Fundamentals of Cyber Security

Hui Tian


Griffith University
Jul. 2020



Course structure:

1. Cyber Threats (Module 1)
   • Intro. to Cyber Security
   • Cyber Security Attacks & OS attacks

2. Countermeasures (Module 2)
   • Cryptography
   • AAA protocols

3. Network Security (Module 3)
   • Network security architectures
   • Firewalls
   • IDS, IPS

4. Policy and Governance (Module 4-5)
   • Cyber Security Standards & Assessment
   • Social Engineering and Security Awareness
   • Risk Management & Governance
   • Privacy & Online Rights

(Diagram axes: Policy, Technology, People)


1. Cyber Attacks
   – Software threats such as worm, trojan horse program, virus, malware.
   – Web attacks
   – Network attacks such as DDoS attacks, botnet etc.
   – Hardware threats

2. Operating System Attacks
   – Set UID approach
   – Buffer overflow
   – Return to libc
   – Race condition


Objectives

– Identify various cyber attacks
– Understand how various attacks happen
– Learn the attack surface in operating systems
– Understand how countermeasures could be applied and defeated





1. Software threats
– worm
– trojan horse program
– virus
– Ransomware
– Blended threats

Malware family (diagram): worms, botnets, ransomware, keylogger, virus, adware, rootkit, spyware, Trojan horse





1. Software threats – worm

Every infected host runs the same three steps: find another host, copy the worm to it, execute it remotely.

Host A:
{find_host(h);
 rcopy(worm, h);
 rexec(worm, h)}

Host B:
{find_host(h);
 rcopy(worm, h);
 rexec(worm, h)}

Host C:
{find_host(h);
 rcopy(worm, h);
 rexec(worm, h)}



1. Software threats – trojan horse program

Genuine login program:
  Print "type password:"
  Accept(password)
  If valid(password) then allow

Trojanised login program (a hidden backdoor password is added):
  Print "type password:"
  Accept(password)
  If valid(password) or password="ABC" then allow

Genuine map app:
  Ask_permission(location)
  Use(location) in map

Map app that becomes spyware:
  Ask_permission(location)
  Send(location) to developer
  Use(location) in map



1. Software threats – virus (human action involved in spreading)

Types of viruses:
  File infectors
  Macro viruses
  Overwrite viruses
  Polymorphic viruses
  Resident viruses
  Rootkit viruses
  System or boot-record infectors
  …….

Signs of being infected:
  Slower system performance
  Pop-ups bombarding the screen
  Programs running on their own
  Files multiplying/duplicating on their own
  New files or programs in the computer
  Files, folders or programs getting deleted or corrupted
  The sound of a hard drive



1. Software threats – virus

Macro viruses
• Macros are keystrokes embedded in docs or saved sequences of commands.
• Malicious code is added to the genuine macro sequences.
• Office 2016 allows security managers to selectively enable macro use.

File infectors:
• Attached to program files, e.g. .com/.exe files.
• Some viruses infect any program for which execution is requested, including .sys, .ovl, .prg, and .mnu files.
• Some are complete programs sent as email attachments.

Overwrite viruses
• Target specific files or applications
• Systematically overwrite all files

Polymorphic viruses
• Change or mutate their underlying code without changing their basic functions or features.
• Escape detection and identification.



1. Software threats – virus

Rootkit viruses
• Secretly install an illegal rootkit on an infected system
• Created to bypass antivirus software

Resident viruses:
• Implant themselves in the memory of a computer
• The original virus program is deleted, but the version stored in memory can be activated.
• Unnoticed by antimalware software

System or boot-record infectors:
• Infect executable code found in specific system areas on a disk:
  USB thumb drives
  DOS boot sector on diskettes
  Master Boot Record (MBR) on hard disks



1. Software threats – Ransomware

Notable ransomware families (name, year):
  CryptoLocker 2013
  CryptoLocker.F 2014
  CryptoWall 2014
  Fusob 2015
  WannaCry 2017
  Petya 2017
  Bad Rabbit 2017
  Samsam 2016
  Jigsaw 2016

https://en.wikipedia.org/wiki/Ransomware

https://www.forbes.com/sites/kateoflahertyuk/2018/08/17/how-to-survive-a-ransomware-attack-and-not-get-hit-again/#288bc46b6cd3



1. Software threats – Blended threats

FacexWorm (May 2018): targeted at cryptocurrency; spread through Facebook Messenger.

http://resources.infosecinstitute.com/crooks-exploit-facebook-spread-crypto-miner-malware/



2. Web Attacks

Cross Site Request Forgery (CSRF)


Cross-Site Scripting Attack (XSS)
SQL injection Attack



2. Web Attacks – XSS vs CSRF

XSS (Cross-Site Scripting Attack):
• Exploits the trust a user has for a particular site.
• A malicious website leverages bugs in a trusted website to cause unwanted actions in the user's browser.
• The attacker tries to control what the website sends to the client browser.
• Ex: reading cookies, authentication info, code injection.

CSRF (Cross Site Request Forgery):
• Exploits the trust a site has in a user's browser.
• A malicious website causes a user's browser to perform unwanted actions on a trusted website.
• The attacker tries to control what the client browser sends to the website.
• Ex: transfer money out of user's account, harvest user id, compromise user account.



2. Web Attacks – SQL injection Attack

Unvalidated input pasted into the query turns the WHERE clause into an always-true condition, so every student record is returned:

SELECT * FROM students WHERE studentID=100 or 1=1
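Added example (not from the lecture): the query above is injectable because the request text "100 or 1=1" is pasted straight into the SQL string. Parameterised (prepared) statements are the standard fix; this C snippet shows the complementary validation layer, where the ID is parsed as an integer, rejected if anything else is present, and only the validated number ever reaches the query text. The function names parse_student_id and build_query are the example's own.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a student ID that must be a plain non-negative integer.
 * Returns the value, or -1 if the text is empty, has trailing
 * characters (" or 1=1"), is negative, or does not fit in an int. */
long parse_student_id(const char *text)
{
    char *end;
    errno = 0;
    long id = strtol(text, &end, 10);
    if (end == text || *end != '\0')   /* nothing parsed, or junk after the number */
        return -1;
    if (errno == ERANGE || id < 0 || id > INT_MAX)
        return -1;
    return id;
}

/* Build the slide's query from an already-validated integer only; the raw
 * request text never reaches the SQL string.  Returns 0, or -1 if the
 * input was rejected or the output buffer is too small. */
int build_query(const char *text, char *out, size_t out_len)
{
    long id = parse_student_id(text);
    if (id < 0)
        return -1;
    int n = snprintf(out, out_len,
                     "SELECT * FROM students WHERE studentID=%ld", id);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    char q[64];
    const char *inputs[] = { "100", "100 or 1=1", "-5", "" };  /* constructed */
    for (int i = 0; i < 4; i++) {
        if (build_query(inputs[i], q, sizeof q) == 0)
            printf("accepted \"%s\": %s\n", inputs[i], q);
        else
            printf("rejected \"%s\"\n", inputs[i]);
    }
    return 0;
}
```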



3. Network Attacks

Packet Sniffing
Packet Spoofing
Attacks on TCP/IP protocol
DNS Attacks
Heartbleed Bug and Attack
DDoS



4. Hardware threats

4 types of hardware:
• Information system hardware
• Physical facility
• Supporting facilities
• Personnel

3 categories of threats:
• Environmental threats: natural disasters, fire, smoke, water, lightning; chemical/radiological/biological hazards; dust; infestation
• Technical threats: electrical power; electromagnetic interference (EMI)
• Human-caused threats: unauthorized physical access; theft; vandalism; misuse

HSM design:
• A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.
• Design HSMs with both symmetric and asymmetric cryptography (2048 bits).
• Support ECC with a shorter key.



How to prevent these types of attacks?

--- Using software or other security policies to block known payloads from launching
--- Keeping "offline" backups of data;
--- install security updates;
--- cyber hygiene
--- exercising caution



Password Dilemma

Password is stored in /etc/shadow:
-rw-r----- 1 root shadow 1443 May 20 12:33 /etc/shadow

Request to change the pwd? Two options:

1. No change to the access-control model: allow users to change the shadow file. But what about others' pwd? So: no "write"!

2. Change a particular field only (finer-grained access control): users (non-root) change their own pwd but not others'. Access control is at file-level granularity, so this would increase OS complexity!



Password Dilemma

Two-Tier Approach!

• Generic AC model to express simple AC (rwx)
• OS relies on an extension to enforce fine-grained AC in the form of privileged programs
• e.g.: shadow is only writable by root; a normal user's write is restricted. To allow changes, a privileged program "passwd" is used to change shadow for normal users.



Superman Story
1. Superperson + power suit
2. Superperson + power suit with embedded chip
3. Superperson + power suit with embedded chip + revised code

Operating Systems: need superusers' power to do routine tasks.
• A super user grants power to a normal user → Set-UID
• OR does it by himself → Daemon approach



Different types of privileged programs

• Daemons approach
  – Program runs in the background
  – Needs to run as root or other privileged users (Windows Service approach)
• Set-UID program
  – Widely used in Unix
  – Program marked by a single bit
  – Three user IDs: real user ID, effective user ID, saved user ID

• rwxrwxrwx ==> means full privilege is available for that file OR directory
• rws tells the operating system to execute that program with the user-id of its owner, typically used with files owned by root to allow normal users to execute them as root with no external tools (such as sudo).



Set-UID concepts
• UID: Identifies the real owner of a process
• EUID: Identifies the privilege of a process
• Access control is based on EUID
• When a normal program is executed, RUID=EUID; they both equal the ID of the user who runs the program
• When a Set-UID program is executed, RUID≠EUID: RUID still equals the user's ID, but EUID equals the program owner's ID
  – If the program is owned by root, the program runs with root privilege

Making a program Set-UID root:
1. Change the owner to root:
   $ sudo chown root myfile
   -rwxr-xr-x 1 root seed 51036 Mar 19 07:11 myfile
2. Turn on the Set-UID bit:
   $ sudo chmod 4755 myfile
   -rwsr-xr-x 1 root seed 51036 Mar 19 07:13 myfile
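Added example (not from the lecture) of the RUID/EUID distinction above in C: has_elevated_privilege() reports whether the process currently runs with an EUID different from its RUID, and drop_privileges() shows how a Set-UID program gives the owner's privilege back permanently once the privileged step is done, checking the IDs afterwards instead of trusting the return values. Both function names are the example's own; run as a normal (non Set-UID) binary the two IDs are simply equal.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the process runs with an EUID different from its RUID, i.e. it is
 * a Set-UID program that has not dropped the owner's privilege yet. */
int has_elevated_privilege(void)
{
    return getuid() != geteuid();
}

/* Permanently drop to the real user's privilege.  A Set-UID root program
 * should call this right after the one step that truly needs root (for
 * passwd, the write to /etc/shadow) and before handling untrusted input
 * or starting another program, so any later bug is confined to the
 * caller's own rights.  Returns 0 when the drop is verified, -1 otherwise. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the EUID is no longer root, setgid() would fail. */
    if (setgid(rgid) != 0)
        return -1;
    /* With EUID root, setuid() sets real, effective AND saved UID, so the
     * process cannot switch back to root later. */
    if (setuid(ruid) != 0)
        return -1;
    /* Never trust the return values alone: confirm the effective IDs. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

int main(void)
{
    printf("before: RUID=%u EUID=%u elevated=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), has_elevated_privilege());
    if (drop_privileges() != 0) {
        fprintf(stderr, "failed to drop privileges\n");
        return 1;
    }
    printf("after:  RUID=%u EUID=%u elevated=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), has_elevated_privilege());
    return 0;
}
```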



Attack surfaces of Set-UID programs

• User Inputs: buffer overflow, format string vulnerability
• System Inputs: race condition attack
• Hidden Inputs: System("ls")
• Capability leak: OS X 10.10 dynamic linker



Set-UID vs Service

Functionality:
  Set-UID: Similar
  Service: Similar
Performance:
  Set-UID: Better because it doesn't run a background process (especially in old times)
  Service: Becomes better nowadays (due to precious resources in memory and computation power)
Security:
  Set-UID: Broader attack surface; environment variables may come from a normal user
  Service: Less attack surface because environment variables all come from trusted sources
Applications:
  Set-UID: Linux
  Service: Windows, Android



Attack surfaces of Set-UID programs

• Old Unix OS has only 2 levels of privileges
• Modern OS provides fine-grained privileges (Android OS has more than 100 privileges!)
• Disabling privileges does not make a program immune to all attacks! Attacks such as buffer overflow involve code injection.



Buffer overflow attack

1. Program memory is divided into five segments: stack, heap, BSS segment, Data segment and text segment.
2. Buffer overflow can happen on both stack and heap.

Historic buffer overflow attacks: Morris worm 1988; Code Red worm 2001; SQL Slammer 2003; Stagefright attack on Android phones 2015.

void function(int a, int b)
{
    int x, y;
    x = a + b;
    y = a - b;
}



Stack Buffer Overflow Attack
• Before data is copied from a source to another place, a program needs to allocate memory space for the destination.
• If an insufficient amount of memory is allocated, the copy overflows the buffer.
• This can cause more than crashing a program.
• It may enable attackers to gain complete control of a program.

strcpy stops when it sees the number zero '\0':

#include <string.h>

int main(void)
{
    char src[40] = "Hello world \0 Extra string";
    char dest[40];
    /* copy to dest from src: strcpy stops at the first '\0', so only "Hello world " is copied */
    strcpy(dest, src);
    return 0;
}



Stack Buffer Overflow Attack

#include <string.h>

/* buffer holds 12 bytes, but strcpy copies the whole string: the stack overflows */
void foo(char *str)
{
    char buffer[12];
    strcpy(buffer, str);
}

int main()
{
    char *str = "This is definitely longer than 12";
    foo(str);
    return 1;
}



Buffer overflow – find the address of malicious code




Buffer overflow – countermeasures

• Randomize memory space (OS). Address randomization gives 2^19 = 524288 possible stack addresses on a 32-bit machine, but only 2^8 = 256 on a 32-bit Android Nexus 5.
• Make the stack non-executable (CPU feature, hardware). This is defeated by the Return-to-libc attack.
• Stack guard: add some special data and a checking mechanism to the code so as to detect buffer overflows (compiler).
• Safer functions: strncpy, snprintf, strncat, fgets, which specify the max length of data that can be copied to the buffer.

Commands that disable these protections (address randomization, non-executable stack, stack protector):
$ sudo sysctl -w kernel.randomize_va_space=0
$ gcc -o stack -z execstack -fno-stack-protector stack.c
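Added example (not from the lecture) putting the slide's foo() beside two hardened forms built on the safer functions listed above: foo_checked() measures the input and rejects anything that does not fit in the 12-byte buffer together with its terminator, and foo_truncating() uses snprintf so that at worst the input is cut short, returning how much was actually kept so the caller can notice. The 12-byte buffer and the test string are taken from this page's foo(); the vulnerable version is kept only for comparison and is never called.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 12   /* the slide's 12-byte buffer */

/* The slide's vulnerable foo(): strcpy() copies until it finds '\0' and
 * never looks at the size of buffer.  Not called here, because the
 * 34-byte string below would smash the stack. */
void foo_vulnerable(char *str)
{
    char buffer[BUF_LEN];
    strcpy(buffer, str);
}

/* Hardened form 1: measure first and refuse input that does not fit with
 * its terminating '\0'.  Returns 0 on success, -1 if rejected.  Rejecting
 * is right when truncation would change meaning (paths, commands, names). */
int foo_checked(const char *str)
{
    char buffer[BUF_LEN];
    size_t n = strlen(str);
    if (n >= sizeof buffer)       /* n == 11 still leaves room for '\0' */
        return -1;
    memcpy(buffer, str, n + 1);   /* copies the terminator too */
    return 0;
}

/* Hardened form 2: snprintf() never writes more than out_len bytes and
 * always terminates, so the worst case is silent truncation.  Returns the
 * number of characters actually stored, which the caller can compare with
 * strlen(str) to detect that truncation happened. */
size_t foo_truncating(const char *str, char *out, size_t out_len)
{
    if (out_len == 0 || snprintf(out, out_len, "%s", str) < 0)
        return 0;
    return strlen(out);
}

int main(void)
{
    char out[BUF_LEN];
    const char *s = "This is definitely longer than 12";
    printf("checked: %d\n", foo_checked(s));        /* rejected: -1 */
    printf("stored %zu chars: \"%s\"\n", foo_truncating(s, out, sizeof out), out);
    return 0;
}
```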



Defeating buffer overflow's countermeasures

$ gcc -z noexecstack shellcode.c

Making stacks non-executable stops attackers running the malicious code they injected into the memory.

Find some code already in the memory! The standard C library functions (libc, a dynamic link library) are already loaded.

--> Return-to-libc attack



Return-to-libc Attack

$ gcc -fno-stack-protector -z noexecstack -o stack stack.c
$ sudo sysctl -w kernel.randomize_va_space=0
$ sudo chown root stack
$ sudo chmod 4755 stack

• Launch the Return-to-libc Attack
1. Find the address of system()
2. Find the address of the "/bin/sh" string
3. Put the address on the stack, pass it to system().



Race Condition Vulnerability

The output of a system/program depends on the timing of other uncontrollable events.
If a privileged program has a race condition problem, an attacker may affect the output of the program.

function withdraw($amount)
{
    $balance = getBalance();
    if ($amount <= $balance) {
        $balance = $balance - $amount;
        echo "You have withdrawn: $amount";
        saveBalance($balance);
    }
    else {
        echo "Insufficient funds.";
    }
}

What if two withdraw requests arrive simultaneously?
Example: the balance is $100 and each request tries to withdraw $90. Request 2 arrives just before the new balance is saved, so both requests pass the check.

Timing of signals is important! Two signals racing each other to influence the output --------- Race Condition
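Added example (not from the lecture) of the withdraw() race above in C: the two $90 requests against a $100 balance are replayed first with the vulnerable check and save as separate steps, so request 2 reads the balance before request 1 saves it, and then with check and update merged into one compare-and-swap. The names vuln_check, vuln_save and withdraw_atomic, and the in-memory account variable standing in for getBalance()/saveBalance(), are constructed for the example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed scenario from the slide: one account holding $100. */
static _Atomic long account = 100;
long get_balance(void)   { return atomic_load(&account); }
void set_balance(long b) { atomic_store(&account, b); }

/* The slide's withdraw() split into its two steps so the interleaving
 * "request 2 arrives just before the new balance is saved" can be replayed
 * deterministically.  Neither step is wrong on its own; the bug is the
 * gap between them (time-of-check to time-of-use). */
typedef struct { long amount; long new_balance; bool approved; } request;

void vuln_check(request *r)
{
    long balance = get_balance();              /* getBalance() */
    r->approved = (r->amount <= balance);
    if (r->approved)
        r->new_balance = balance - r->amount;
}

void vuln_save(const request *r)
{
    if (r->approved)
        set_balance(r->new_balance);           /* saveBalance() */
}

/* Fixed: check and update form one atomic compare-and-swap.  If another
 * request changed the balance in between, the CAS fails, 'balance' is
 * refreshed with the current value and the check is redone on it. */
bool withdraw_atomic(long amount)
{
    long balance = get_balance();
    do {
        if (amount > balance)
            return false;                      /* insufficient funds */
    } while (!atomic_compare_exchange_weak(&account, &balance,
                                           balance - amount));
    return true;
}

int main(void)
{
    request a = {90, 0, false}, b = {90, 0, false};
    vuln_check(&a); vuln_check(&b);            /* both requests see $100 */
    vuln_save(&a);  vuln_save(&b);             /* $180 paid out, balance $10 */
    printf("racy:   %d %d -> $%ld\n", a.approved, b.approved, get_balance());
    set_balance(100);
    bool first = withdraw_atomic(90), second = withdraw_atomic(90);
    printf("atomic: %d %d -> $%ld\n", first, second, get_balance());
    return 0;
}
```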



Race Condition Vulnerability --- Dirty Cow

A race condition vulnerability in the Linux kernel was found in Oct 2016.
The vulnerability allows attackers to modify any protected file, even though the file is read-only to them.
An attacker can exploit this vulnerability to gain root privilege.
The vulnerability also affects the Android OS (built on top of Linux).
It is a Time-of-Check to Time-of-Use (TOCTTOU) condition change.

Dirty Cow exploits this vulnerability to change the file "/etc/passwd" to gain root privilege on the system.



SUMMARY
– Software attacks: worm, trojan horse program, virus, ransomware.
– Web attacks
– Network attacks
– Hardware threats
– Operating system attacks
• Set UID vs Service approach
• Buffer overflow
• Return to libc
• Race condition
Next Module

– Countermeasures
• Cryptography
• Authentication, Authorisation and Accountability protocols
