We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byKennedy Greenhow
Modified over 2 years ago
Human Factor vs. Technology Joanna Rutkowska Invisible Things Lab Gartner IT Security Summit, London, 17 September, 2007.
3© Invisible Things Lab, http://invisiblethingslab.com, 2007 Message of this talk Human factor is not the weakest link in IT security The technology factor is as week as the human factor! Human factor used to describe: User’s unawareness (“stupidity”) Admin’s incompetence NOT developer’s incompetence NOT system designer’s incompetence Security Consumers “Human Factor” Security Vendors “Technology Factor”
4© Invisible Things Lab, http://invisiblethingslab.com, 2007 Getting Into System Exploiting User’s Unawareness/Incompetence Social engineering Bad configuration Exploiting Technological Weakness Software flaw (e.g. buffer overflow) Protocol weakness (e.g. MitM) Usual Goal: arbitrary code execution on target system
5© Invisible Things Lab, http://invisiblethingslab.com, 2007 After Getting In… “Break and Escape” E.g. website defacement, files deletion Introduce damage, not compromise! “Steal and Escape” Steal confidential files, databases records, etc.. Do not compromise system – escape after data theft! Problems: encrypted data, passwords – only hashes stored “Install Some Malware” Compromise the system for full control!
7© Invisible Things Lab, http://invisiblethingslab.com, 2007 Prevention Approaches Signature-based User’s education AI-based (anomaly detection) Host IPSes OS hardening (anti-exploitation) Host IPSes Least privilege design Code verification
8© Invisible Things Lab, http://invisiblethingslab.com, 2007 Signature based approaches Protect against “user’s stupidity” by blacklisting known attack patterns – e.g. certain “phishing mails” Protect against technological weaknesses by having a signature for an exploit (majority) or generic signature for an attack (minority, unfortunately) No protection against unknown (targeted) attacks! All major A/V vendors alerts about increasing number of targeted attacks, since 2006 targeted we usually don’t have a signature
9© Invisible Things Lab, http://invisiblethingslab.com, 2007 User’s education Increase awareness among users and competences of system administrators Should eliminate most of the social engineering based attacks, e.g. sending a malware via email Can not protect against attacks exploiting flaws in software, i.e. exploits “Keeping your A/V up to date” does not address the problem of targeted attacks
10© Invisible Things Lab, http://invisiblethingslab.com, 2007 AI (anomaly based) Using “Artificial Intelligence” (heuristics) to detect “abnormal” patterns of: … behavior (e.g. iexplore.exe starting cmd.exe ) … network traffic (e.g. suspicious connections) Problems: No guarantee to detect anything! False positives! Do you think “AI” can solve problems better then “HI” (Human Intelligence)? ;)
11© Invisible Things Lab, http://invisiblethingslab.com, 2007 Anti Exploitation Make exploitation process (very) hard! Stack Protection Stack Guard for UNIX-like systems (1998) Microsoft /GS stack protection (2003) Address Space Layout Randomization (ASLR) PaX project for Linux (2001) Vista ASLR (Microsoft, 2007) Non-Executable pages PaX project for Linux (2000) OpenBSD’s W^X (2003) Windows NX (2005-06) Other technologies
12© Invisible Things Lab, http://invisiblethingslab.com, 2007 Least Privilege and Privilege Separation Limit scope of an attack by limiting the rights/privileges of the components exposed to the attack (e.g. processes) Least Privilege Principle: every process (or other entity) has the minimal set of rights necessary to do its job How many people work using the Administrator’s account? Privilege Separation Different programs have different, non-overlapping, competences…
13© Invisible Things Lab, http://invisiblethingslab.com, 2007 Example: Vista’s User Account Control Attempt to force people to adhere to the LP Principle All user’s processes run by default with restricted privs, User want to perform an operation which requires more privileges – a popup appears asking for credentials, Goal: if restricted process gets exploited, attacker does not automatically get administrator’s rights! Many implementation problems though: February 2007: Microsoft announced that UAC is not… a security feature!
14© Invisible Things Lab, http://invisiblethingslab.com, 2007 Example: Privilege Separation Different account for different tasks, e.g.: joanna – main account used to log in joanna.web – used to run Firefox joanna.email – used to run Thunderbird joanna.sensitive – access to /projects directory, run password manager and another instance of web browser for banking. Easy to implement on Linux or even on Vista! In Vista we rely on User Interface Privilege Isolation (UIPI)
15© Invisible Things Lab, http://invisiblethingslab.com, 2007 Problems with priv-separation If attacker exploits a bug in kernel or one of kernel drivers (e.g. graphics card driver)… … then she has full control over the system and can bypass all the protection offered by the OS! This is a common problem of all general purpose OSes based on monolithic kernel – e.g. Linux, Windows. Drivers are the weakest point in OS security! Hundreds of 3 rd party drivers, All run with kernel privileges! We will get back top this later…
16© Invisible Things Lab, http://invisiblethingslab.com, 2007 Avoiding Bugs and Code Verification Developers education e.g. Microsoft and Secure Development Lifecycle (SDL) Fuzzing Generate random “situations” and see when software crashes… Currently the favorite bughunter’s technique… Code auditing Very expensive – requires experienced experts, Few automatic tools exist to support the process. Formal verification methods Manual methods only for very small projects (a few k-lines) No mature automatic tools yet (still 5-10 years?)
How Prevention Fails In Practice…
18© Invisible Things Lab, http://invisiblethingslab.com, 2007 Example: the ANI bug ANI bug (MS07-17, April 2007) “This vulnerability can be exploited by a malicious web page or HTML email message and results in remote code execution with the privileges of the logged-in user. The vulnerable code is present in all versions of Windows up to and including Windows Vista. All applications that use the standard Windows API for loading cursors and icons are affected. This includes Windows Explorer, Internet Explorer, Mozilla Firefox, Outlook and others.” Source: Determina Security, http://www.determina.com/
19© Invisible Things Lab, http://invisiblethingslab.com, 2007 ANI Bug vs. Vista Code Review and Testing Process? MS admitted their fuzzers were not tuned up to catch this bug in their code… Anti-Exploitation technologies? GS stack protection failed, because compiler “heuristics” decided not to include it for the buggy function! NX usually fails, because IE and explorer have DEP disabled by default! ASLR could be bypassed due to implementation weaknesses!
20© Invisible Things Lab, http://invisiblethingslab.com, 2007 ANI Bug vs. Vista UAC? UAC allows to run IE in a so called Protected Mode (PM) However: PM is not deigned to protect user’s information! It only protects against modification user’s data! Also, MS announced that UAC/Protected Mode can not be treated as a security boundary! i.e. expect that it will be easy to break out from Protected Mode…
21© Invisible Things Lab, http://invisiblethingslab.com, 2007 ANI Bug vs. educated user? To exploit this bug it’s just enough to redirect a user to browse a compromised page (or open an email)… No special action from a user required! Exploit can be very reliable – even experienced user might not realize that he or she has been just attacked!
22© Invisible Things Lab, http://invisiblethingslab.com, 2007 ANI vs. A/V Attack was discovered in December 2006 Information has been published in April 2007 What if it was discovered by a “black hat” even earlier? Do you really believe that there was only 1 person on the planet capable of discovering it? Why would A/V block/detect such an attack when the information about it was not public?
23© Invisible Things Lab, http://invisiblethingslab.com, 2007 Going further… So, now we see that the technology can not protect (even smart) user from being exploited… We saw an attack scenario, when an exploit bypasses various anti-exploitation techniques and eventually gets admin access to the systems… The next goal is usually to install some rootkit in other words to get into kernel… But, we have Vista Kernel Protection on Vista!
24© Invisible Things Lab, http://invisiblethingslab.com, 2007 Digital Drivers Signing… “Digital signatures for kernel-mode software are an important way to ensure security on computer systems.” “Windows Vista relies on digital signatures on kernel mode code to increase the safety and stability of the Microsoft Windows platform” “Even users with administrator privileges cannot load unsigned kernel-mode code on x64-based systems.” Quotes from the official Microsoft documentation: Digital Signatures for Kernel Modules on Systems Running Windows Vista, http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx
25© Invisible Things Lab, http://invisiblethingslab.com, 2007 Example: Vista Kernel Protection Bypassing Presented by Invisible Things Lab at Black Hat in August Exploiting bugs in 3 rd party kernel drivers, e.g.: ATI Catalyst driver NVIDIA nTune driver It’s not important whether the buggy driver is present on the target system – a rootkit might always bring it there! There are hundreds of vendors providing kernel drivers for Windows… All those drivers share the same address space with the kernel…
26© Invisible Things Lab, http://invisiblethingslab.com, 2007 Buggy Drivers: Solution? Today we do not have tools to automatically analyze binary code for the presence of bugs Binary Code Validation/Verification There are only some heuristics which produce too many false positives and also omit more subtle bugs There are some efforts for validation of C programs e.g. ASTREE (http://www.astree.ens.fr/) Still very limited – e.g. assumes no dynamic memory allocation in the input program Effective binary code verification is a very distant future
27© Invisible Things Lab, http://invisiblethingslab.com, 2007 Buggy Drivers: Solutions? Drivers in ring 1 (address space shared among drivers) Not a good solution today (lack of IOMMU) Drivers in usermode Drivers execute in their own address spaces in ring3 Very good isolation of faulty/buggy drivers from the kernel Examples: MINIX3, supports all drivers, but still without IOMMU Vista UMDF, supports only drivers for a small subset of devices (PDAs, USB sticks). Most drivers can not be written using UMDF though.
28© Invisible Things Lab, http://invisiblethingslab.com, 2007 Message I believe its not possible to implement effective kernel protection on General Purpose OSes based on a microkernel architecture Establishing a 3 rd party drivers verification authority might raise a bar, but will not solve a problem Move on towards microkernel based architecture!
29© Invisible Things Lab, http://invisiblethingslab.com, 2007 Moral Today’s prevention technology does not always work… In how many cases it does work vs. fails?
30© Invisible Things Lab, http://invisiblethingslab.com, 2007 How secure is our system? In how many cases our prevention fails? This is a meaningless question! If you know that a certain type of attacks is possible (i.e. practically) then the system is simple insecure! “System is not compromised with probability = 98%”?! “The cat is alive with probability of 50%”?! What does it mean?
Detection for the Rescue!
32© Invisible Things Lab, http://invisiblethingslab.com, 2007 Detection Detection is used to verify that prevention works Detection can not replace prevention E.g. data theft – even if we detect it, we can not make the attacker to “forget” the data she has stolen!
33© Invisible Things Lab, http://invisiblethingslab.com, 2007 Detection Host-Based Tries to find out whether current OS and applications has been compromised or not A/V products Network Based Tries to detect attacks by analysis network traffic E.g. detect known exploit, or suspicious connections Network IDS Sometimes combined with firewall – IPS systems
34© Invisible Things Lab, http://invisiblethingslab.com, 2007 Stealth Malware rootkits, backdoors, keyloggers, etc… stealth is a key feature! stealth – means that legal processes can’t see it (A/V) stealth – means that administrator can’t see it (admin tools) stealth – means that we should never know whether we’re infected or not!
35© Invisible Things Lab, http://invisiblethingslab.com, 2007 Paradox… If a stealth malware does its job well… …then we can not detect it… …so how can we know that we are infected?
36© Invisible Things Lab, http://invisiblethingslab.com, 2007 How we know that we were infected? We count on a bug in the malware! We hope that the author forgot about something! We use hacks to detect some known stealth malware (e.g. hidden processes). We need to change this! We need a systematic way to check for system integrity! We need a solution which would allow us to detect malware which is not buggy!
37© Invisible Things Lab, http://invisiblethingslab.com, 2007 State of Detection Current detection products cannot not deal well with targeted stealth malware, We need systematic way for checking system compromises, but, Unfortunately current OS are too complex! We can’t even reliably read system memory! Due to various attacks, e.g. against DMA But… maybe we should be not afraid of targeted stealth malware? Maybe it’s just a FUD?
38© Invisible Things Lab, http://invisiblethingslab.com, 2007 Targeted Stealth Malware? Gartner: 10 Key Predictions for 2007: #5: By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses. (source: eWeek based on Gartner)
39© Invisible Things Lab, http://invisiblethingslab.com, 2007 Prevention vs. Detection Prevention is not perfect as we saw, Detection is very immature, We should have better detection to verify our prevention mechanisms, OS complexity is a problem when verifying system integrity There is no way to implement effective detection without cooperation with the OS vendors!
40© Invisible Things Lab, http://invisiblethingslab.com, 2007 Human Factor vs. Technology “User stupidity” is only part of the problem (a small part) Many modern attacks do not require user to do anything “stupid” or suspicious (e.g. WiFi driver’s exploitation) There is no technology on the market that offers unbreakable prevention Even competent admins can not do much about it Current technology does not even allow for detecting many modern stealth malware! Conscious users can not find out whether their systems has been compromised -- they can only count on attacker’s mistake!
41© Invisible Things Lab, http://invisiblethingslab.com, 2007 Final Message Human Factor is a weak link in computer security, But the technology is also flawed! We should work on improving the technology just as we work on educating users… Unfortunately challenges here are much bigger, mostly due to over complexity of the current OSes. As a savvy user, I would like to have technology, that would protect me! I don’t have it today! Not even effective detection! Cooperation from OS vendors required!
42© Invisible Things Lab, http://invisiblethingslab.com, 2007 Invisible Things Lab Focus on Operating System Security In contrast to application security and network security Targeting 3 groups of customers Vendors – assessing their products, advising Corporate Customers (security consumers) – unbiased advice about which technology to deploy Law enforcement/forensic investigators – educating about current threats (e.g. stealth malware)
Thank You Joanna Rutkowska, Invisible Things Lab email@example.com
44© Invisible Things Lab, http://invisiblethingslab.com, 2007 Topics For Roundtable Discussion 1.Virtualization based malware (a-little-bit-technical topic) how different from “classic” kernel malware? should we be afraid? defense approaches 2.Tricky tricks! why we should avoid tricks when building security? built-in security vs. 3 rd party-provided security? 3.“Dump users” human factor vs. technology Can users be educated in security? Should they?
ACT User Meeting June Your entitlements window Entitlements, roles and v1 security overview Problems with v1 security Tasks, jobs and v2 security.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Threads, SMP, and Microkernels Chapter 4 1. Process Resource ownership - process includes a virtual address space to hold the process image Scheduling/execution-
Chapter 11 Creating Framed Layouts Principles of Web Design, 4 th Edition.
Services Course Windows Live SkyDrive Participant Guide.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Introduction to Computer Administration Introduction.
SESSION ID: Continuous Monitoring with the 20 Critical Security Controls SPO1-W02 Wolfgang Kandek CTO.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host Host In networking, a host is any device that has an IP address. Hosts include.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 11Slide 1 Chapter 11 Distributed Systems Architectures.
CONTROL VISION Set-up. Step 1 Step 2 Step 3 Step 5 Step 4.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 29Slide 1 Configuration management l Managing the products of system change l Objectives.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
1 Chapter 12 File Management Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Time for a BREAK! You have 45 Minutes. Time Left 44.
Role Of Network IDS in Network Perimeter Defense.
Installing Windows XP Professional Using Attended Installation Slide 1 of 30Session 8 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
User Security for e-Post Applications Dr Chandana Gamage University of Moratuwa.
13 Copyright © 2005, Oracle. All rights reserved. Monitoring and Improving Performance.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Computing Fundamentals Module Lesson 6 Using Technology to Solve Problems Computer Literacy BASICS.
A virus is software that spreads from program to program, or from disk to disk, and uses each infected program or disk to make copies of itself. Basically.
C Copyright © 2005, Oracle. All rights reserved. Practice Solutions.
Operating Systems Operating Systems - Winter 2011 Dr. Melanie Rieback Design and Implementation.
1 Computer Networks TCP/IP Protocol Suite. 2 Protocols Cooperative action is necessary computer networking is not only to exchange bytes huge system with.
VistA Imaging Capture via Import. 2October 2007 The information in this documentation includes only new and updated functionality of the software after.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
SecuBat: An Automated Web Vulnerability Detection Framework Stefan Kals, Engin Kirda Christopher Kruegel and Nenad Jovanovic Secure Systems Lab Vienna.
Thank you to IT Training at Indiana University Computer Malware.
Operating Systems Operating Systems - Winter 2012 Dr. Melanie Rieback Design and Implementation.
NETWORK SECURITY LAB 1170 REHAB ALFALLAJ CT1406. Introduction There are a number of technologies that exist for the sole purpose of ensuring that the.
System and Network Security Practices COEN 351 E-Commerce Security.
Profile. 1.Open an Internet web browser and type into the web browser address bar. 2.You will see a web page similar to the one on.
AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Vulnerabilities in Operating Systems Michael Gaydeski COSC December 2008.
1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 2 Getting Started.
TCP/IP Protocol Suite 1 Chapter 18 Upon completion you will be able to: Remote Login: Telnet Understand how TELNET works Understand the role of NVT in.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:
ZERO-DAY ATTACKS By Hiranmayi Pai Neeraj Jain. Table of Contents Introduction Evolution of Vulnerabilities and Threats Propagation of Zero-Day Threats.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
Securing. Agenda Hard Drive Encryption User Account Permissions Root Level Access Firewall Protection Malware Protection.
UNESCO ICTLIP Module 1. Lesson 4.1 Introduction to Information and Communication Technologies Lesson 4. What are the software components of computers?
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
CRM ( Customer Relationship Management) An Application For iSeries 400 DMAS from Copyright I/O International, 2003, 2010 Skip Intro.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Executional Architecture Lecture Conceptual vs execution Conceptual Architecture Execution Architecture Component Connector Domain-level responsibilities.
© 2017 SlidePlayer.com Inc. All rights reserved.