Computer Security Introduction

The document discusses computer security and information security. It covers topics like the CIA triad of security, common security vulnerabilities, security bugs, computer networks, and case studies on vulnerabilities in Zoom. It also discusses the goals of the course and motivations of attackers like financial gain, and the marketplace for buying and selling vulnerabilities.


Computer Security

Introduction

1
References
• https://cs155.stanford.edu/lectures/01-intro.pptx

2
Information Security CIA
• At the core of information security is the act of maintaining the
following:
• Confidentiality
• Integrity
• Availability

3
CIA in day-to-day lives

4
Top 10 products by total number of “distinct” vulnerabilities in 2019

5
source: https://www.cvedetails.com/top-50-products.php?year=2019
Vulnerable applications being exploited

[Chart: share of exploits by targeted application: Office, Java, Android, Browser]

6
Source: Kaspersky Security Bulletin 2017
Security Bug Types
• Edge cases
• Vulnerable design: "Not a bug, a feature"
• Excessive permissions

7
Computer Networks

8
Why so many security bugs? Case study: Zoom client
Users have an expectation of privacy.

https://zoom.com/[meeting]

[Figure: the browser, on the page served by zoom.com, launches the Zoom app on the user's MacOS system]

9
Why so many security bugs? Case study: Zoom client
Users have an expectation of privacy.

https://zoom.com/[meeting]

[Figure: the browser, on the page served by zoom.com, launches the Zoom app on the user's MacOS system. Can we bypass the launch security dialog?]

10

Why so many security bugs? Case study: Zoom client
A local Zoom web server listens on localhost:19421
• To launch the app: the web page from zoom.com tells the browser to send an HTTP request to the local web server
• Web requests do not require a dialog …

[Figure: browser, on a page from zoom.com, sends a request to the Zoom web server on localhost. Can this be attacked?]

http://localhost:19421/launch?action=join&confno=[conference number] 11
The problem [J. Leitschuh, July 2019]

Any web site can send a request to the local web server
• Joins users to a conference without the user's knowledge!
What happened next? Responsible disclosure, 90 days (CVE-2019-13450).
• Fixed by Zoom. Web server removed by Apple's MRT tool.

[Figure: browser, on a page from evil.com, sends the same request to the Zoom web server on localhost]

http://localhost:19421/launch?action=join&confno=[conference number] 12
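To make the flaw in this launch flow concrete, here is an added Python model of a localhost launch endpoint; it is not Zoom's code. The vulnerable handler acts on any well-formed request regardless of which page made the browser send it, while the hardened handler illustrates an assumed mitigation (an Origin allowlist plus the user dialog) that differs from what actually happened, namely removal of the server.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

LAUNCH_PORT = 19421  # port of the local Zoom web server named on the slide
TRUSTED_ORIGINS = {"https://zoom.com"}  # assumed allowlist of pages allowed to launch


def parse_launch(url: str) -> Optional[dict]:
    """Parse a local launch URL of the form shown on the slide.

    Returns {"action": "join", "confno": ...} or None when the URL is not a
    well-formed join request for the local server."""
    parts = urlsplit(url)
    if (parts.hostname, parts.port, parts.path) != ("localhost", LAUNCH_PORT, "/launch"):
        return None
    query = parse_qs(parts.query)
    if query.get("action") != ["join"] or len(query.get("confno", [])) != 1:
        return None
    return {"action": "join", "confno": query["confno"][0]}


def vulnerable_handler(url: str, origin: Optional[str]) -> str:
    """The flaw: any page that makes the browser send this request triggers a
    join. The requesting origin is never consulted and no dialog is shown."""
    launch = parse_launch(url)
    return f"join {launch['confno']}" if launch else "ignored"


def hardened_handler(url: str, origin: Optional[str], dialog_confirmed: bool) -> str:
    """Assumed mitigation: tie the launch to an allowlisted web origin and to
    the user's explicit approval. A missing Origin header counts as untrusted."""
    launch = parse_launch(url)
    if launch is None:
        return "ignored"
    if origin not in TRUSTED_ORIGINS:
        return "rejected: untrusted origin"
    if not dialog_confirmed:
        return "rejected: user did not confirm"
    return f"join {launch['confno']}"
```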
Why so many security bugs? Case study: Zoom client

Users have an expectation of privacy. But:

(1) Problems with crypto (Marczak and Scott-Railton, April 2020)
(2) How not to save a user click (J. Leitschuh, July 2019)
(3) Disable MacOS hardened runtime (P. Wardle, April 2020)
    The hardened runtime defends against code injection, library hijacking,
    and process memory space tampering.
    Once the user gives Zoom access to camera and mic,
    MacOS ensures that the entire application code does not change.

13
What happens if protection is disabled?

[Figure: disabling the hardened runtime requires user approval]

Can this be abused? 14

The impact [Wardle, 4/2020]

[Figure: dynamic libraries loaded at Zoom startup: Zoom app → curl64 → libssl.1.0.0, with user-approved access to camera & mic, on the user's MacOS system]

15
The impact [Wardle, 4/2020]
Attacker installs a malware library that proxies libssl.

⇒ has access to camera & mic

[Figure: the malicious libssl.1.0.0 proxies the real libssl.1.0.0 used by curl64 in the Zoom app; with the entitlement disable-library-validation:true, the hardened runtime does not notify the user of the change to libssl!]

16
Goals for this course
• Understand exploit techniques
• Learn to defend and prevent common exploits

• Understand the available security tools

• Learn to architect secure systems

17
Introduction

What motivates attackers?
… economics
18
Why compromise systems?
1. IP address and bandwidth stealing

Attacker's goal: look like a random Internet user

Use the IP address of the infected machine or phone for:

• Spam (e.g. the Storm botnet)
  Spamalytics: 1 in 12M pharma spams leads to a purchase;
  1 in 260K greeting card spams leads to an infection
• Denial of Service: services sold at $20 for 1 hour, $100 for 24 hours
• Click fraud (e.g. Clickbot.a)
19
Why compromise systems?
2. Steal user credentials
Keylog for banking passwords, corporate passwords, gaming passwords
Example: SilentBanker (and many like it)

[Figure: the user requests the login page; the bank sends the login page; the malware injects the JavaScript needed to log in; when the user submits information, it is also sent to the attacker]

Similar mechanism used by the Zeus botnet, and others
Man-in-the-Browser (MITB) 20
MitB – Man in the Browser

21
Lots of financial malware

• records banking passwords via keylogger
• spread via spam email and hacked web sites
• maintains access to the PC for future installs

22
Source: Kaspersky Security Bulletin 2017
Similar attacks on mobile devices
Example: FinSpy.
• Works on iOS and Android (and Windows)
• Once installed: collects contacts, call history, geolocation, texts, messages in encrypted chat apps, …
• How installed?
  • Android pre-2017: links in SMS / links in e-mail
  • iOS and Android post-2017: physical access

23
Why own machines? 3. Ransomware
A worldwide problem
• Worm spreads via a vuln. in SMB (port 445)
• Apr. 14, 2017: EternalBlue vuln. released by ShadowBrokers
• May 12, 2017: worm detected (3 weeks to weaponize)

24
WannaCry ransomware

25
Server-side attacks
• Data theft: credit card numbers, intellectual property
  • Example: Equifax (July 2017), ≈ 143M "customer" records impacted
  • Exploited a known vulnerability in Apache Struts (RCE)
  • Many similar attacks since 2000

• Political motivation:
  • DNC, Tunisia Facebook (Feb. 2011), GitHub (Mar. 2015)

• Infect visiting users
26
Infecting visiting users. Example: Mpack

• PHP-based tools installed on compromised web sites
• Embedded as an iframe on the infected page
• Infects browsers that visit the site

• Features
  • management console provides stats on infection rates
  • sold for several hundred dollars
  • customer care can be purchased: one-year support contract

• Impact: 500,000 infected sites (compromised via SQL injection)

• Several defenses: e.g. Google Safe Browsing

27
Data theft: what is stolen (2012-2015)

28
Source: California breach notification report, 2015
How companies lose customer data

[Pie chart: categories are insider misuse/attack, physical document loss, accidental disclosure, malware/hacking, and lost/stolen laptops or servers; shares shown: 7%, 17%, 21%, 22%, 32%]

How do we have this data?

29
Source: PrivacyRights.org, 2020
Introduction

The Marketplace for Vulnerabilities

30
Marketplace for Vulnerabilities
Option 1: bug bounty programs (many)
• Google Vulnerability Reward Program: up to $31,337
• Microsoft Bounty Program: up to $100K
• Apple Bug Bounty program: up to $200K
• Stanford bug bounty program: up to $1K
• Pwn2Own competition: $15K

Option 2:
• Zerodium: up to $2M for iOS, $2.5M for Android (2019)
• … many others
31
Marketplace for Vulnerabilities

[Chart: Zerodium payouts by vulnerability class]
RCE: remote code execution
LPE: local privilege escalation
SBX: sandbox escape

Source: Zerodium payouts 32



Why buy 0days?

https://zerodium.com/faq.html

34
Marketplace for owned machines
Pay-per-install (PPI) services

[Figure: clients (spam, keylogger, bot) → PPI service → victims]

PPI operation:
1. Own the victim's machine
2. Download and install the client's code
3. Charge the client

Source: Caballero et al. (www.icir.org/vern/papers/ppi-usesec11.pdf) 35
Marketplace for owned machines

[Figure: clients (spam, keylogger, bot) → PPI service → victims]

Cost: US: $100-180 per 1000 machines; Asia: $7-8 per 1000 machines

Source: Caballero et al. (www.icir.org/vern/papers/ppi-usesec11.pdf) 36
Ken Thompson's clever Trojan
Turing award lecture (CACM Aug. 1984)

What code can we trust?

37
What code can we trust?
Can we trust the “login” program in a Linux distribution? (e.g. Ubuntu)
• No! the login program may have a backdoor
⇾ records my password as I type it

• Solution: recompile login program from source code

Can we trust the login source code?


• No! but we can inspect the code, then recompile

38
Can we trust the compiler?
No! Example malicious compiler code:

compile(s) {
    if (match(s, "login-program")) {
        compile("login-backdoor");   /* emit a backdoored login instead of s */
        return;
    }
    /* regular compilation */
}
39
What to do?
Solution: inspect compiler source code,
then recompile the compiler

Problem: C compiler is itself written in C, compiles itself

What if compiler binary has a backdoor?

40
Thompson's clever backdoor
Attack step 1: change the compiler source code:

compile(s) {
    if (match(s, "login-program")) {
        compile("login-backdoor");
        return;
    }
    if (match(s, "compiler-program")) {   /* (*) */
        compile("compiler-backdoor");     /* re-inserts both clauses into the new compiler */
        return;
    }
    /* regular compilation */
} 41
Thompson’s clever backdoor
Attack step 2:
• Compile modified compiler ⇒ compiler binary
• Restore compiler source to original state

Now: inspecting compiler source reveals nothing unusual


… but compiling compiler gives a corrupt compiler binary

Complication: compiler-backdoor needs to include all of (*)


42
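The two attack steps and the complication above, played through in an added toy model written for this page (not code from Thompson's lecture): a "binary" is modelled as a string, a compiler binary is "executed" by interpreting that string, and all names are hypothetical. It shows that once the trojaned binary exists, rebuilding from the restored clean source still yields a trojaned compiler, and that an honest compiler on the same sources does not.

```python
# A "binary" is "BIN:" + the source it was effectively built from.
CLEAN_COMPILER_SRC = "compile(s) { /* regular compilation */ }"
CLEAN_LOGIN_SRC = "login-program { check password; start shell }"

# Attack step 1: the modified compiler source carrying both match clauses (*).
TROJANED_COMPILER_SRC = (
    "compile(s) {"
    ' if (match(s, "login-program")) { compile("login-backdoor"); return }'
    ' if (match(s, "compiler-program")) { compile("compiler-backdoor"); return }'
    " /* regular compilation */ }"
)


def is_trojaned(compiler_bin: str) -> bool:
    """A compiler binary is trojaned if it carries the (*) clauses."""
    return "compiler-backdoor" in compiler_bin


def compile_with(compiler_bin: str, source: str) -> str:
    """Run compiler_bin on source and return the binary it produces."""
    if is_trojaned(compiler_bin):
        if source.startswith("login-program"):
            # clause 1: silently emit a login with a backdoor
            return "BIN:" + source + " + login-backdoor"
        if source.startswith("compile(s)"):
            # clause 2: re-insert all of (*) into any compiler it builds,
            # even though the source being compiled is perfectly clean
            return "BIN:" + TROJANED_COMPILER_SRC
    return "BIN:" + source  # regular compilation


def run_thompson_scenario() -> dict:
    honest_bin = "BIN:" + CLEAN_COMPILER_SRC  # bootstrap: an honest compiler binary
    # Attack step 2: compile the modified compiler source ...
    trojan_bin = compile_with(honest_bin, TROJANED_COMPILER_SRC)
    # ... then restore the source; everyone now inspects CLEAN_COMPILER_SRC.
    rebuilt_bin = compile_with(trojan_bin, CLEAN_COMPILER_SRC)
    login_bin = compile_with(rebuilt_bin, CLEAN_LOGIN_SRC)
    # Control: the same clean sources through the honest compiler.
    honest_rebuilt = compile_with(honest_bin, CLEAN_COMPILER_SRC)
    honest_login = compile_with(honest_bin, CLEAN_LOGIN_SRC)
    return {
        "source_inspection_clean": "backdoor" not in CLEAN_COMPILER_SRC,
        "rebuilt_compiler_trojaned": is_trojaned(rebuilt_bin),
        "login_backdoored": "login-backdoor" in login_bin,
        "honest_compiler_trojaned": is_trojaned(honest_rebuilt),
        "honest_login_clean": "login-backdoor" not in honest_login,
    }
```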
What can we trust?
I order a laptop by mail. When it arrives, what can I trust on it?
• Applications and/or operating system may be backdoored
⇒ solution: reinstall OS and applications
• How to reinstall? Can’t trust OS to reinstall the OS.
⇒ Boot Tails from a USB drive (Debian)
• Need to trust pre-boot BIOS/UEFI code. Can we trust it?
⇒ No! (e.g. the ShadowHammer operation in 2018)
• Can we trust the motherboard? Software updates?
43
So, what can we trust?
Sadly, nothing … anything can be compromised
• but then we can’t make progress

Trusted Computing Base (TCB)


• Assume some minimal part of the system is not compromised
• Then build a secure environment on top of that

We will see how during the course.

44
Do you want to know more #1?

45
Do you want to know more #2?

46
