Security Through the Lens of Failure J. Alex Halderman.

Slides:



Advertisements
Similar presentations
Lessons from Security Failures In Nontraditional Computing Environments J. Alex Halderman.
Advertisements

Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University.
White-Box Cryptography
1 The Sony CD DRM Debacle A case study of digital rights management.
1 J. Alex Halderman A Convenient Method for Securely Managing Passwords J. Alex Halderman Princeton Brent Waters Stanford Edward W. Felten Princeton.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
1 MIS 2000 Class 22 System Security Update: Winter 2015.
1 J. Alex Halderman Security Failures in Electronic Voting Machines Ariel Feldman Alex Halderman Edward Felten Center for Information Technology Policy.
VM: Chapter 5 Guiding Principles for Software Security.
1 J. Alex Halderman Dangerous Tunes Lessons from the Sony CD-DRM Episode J. Alex Halderman and Edward W. Felten Center for Information Technology Policy.
1 J. Alex Halderman Lessons from the Sony CD-DRM Episode J. Alex Halderman and Edward W. Felten Center for Information Technology Policy Department of.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Iron Key and Portable Drive Security Zakary Littlefield.
Lest We Remember Cold-Boot Attacks Against Disk Encryption J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
0x1A Great Papers in Computer Security
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Chapter Nine Maintaining a Computer Part III: Malware.
Presented By Peter Matthews
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
Data Security.
Administering Windows 7 Lesson 11. Objectives Troubleshoot Windows 7 Use remote access technologies Troubleshoot installation and startup issues Understand.
October 22, 2008 CSC 682 Security Analysis of the Diebold AccuVote – TS Voting Machine Feldman, Halderman and Felten Presented by: Ryan Lehan.
Week #7 Objectives: Secure Windows 7 Desktop
1 J. Alex Halderman Legal Challenges in Security Research J. Alex Halderman Center for Information Technology Policy Department of Computer Science Princeton.
Business Computing 550 Lesson 6. 2 Security Threats on Web Sites Issues and vulnerabilities 1.Illegal Access and Use (Hacking the system or users exposing.
Chapter Fourteen Windows XP Professional Fault Tolerance.
User Manager Pro Suite Taking Control of Your Systems Joe Vachon Sales Engineer November 8, 2007.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Protecting Data on Smartphones and Tablets from Memory Attacks
System Security Chapter no 16. Computer Security Computer security is concerned with taking care of hardware, Software and data The cost of creating data.
Protecting Your Business! SBA Ft. Lauderdale November 15, 2006 Gregory Levine, Sr. Director Marketing.
G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.
Mathieu Castets October 17th,  What is a rootkit?  History  Uses  Types  Detection  Removal  References 2/11.
Chapter 6 Protecting Your Files. 2Practical PC 5 th Edition Chapter 6 Getting Started In this Chapter, you will learn: − What you should know about losing.
Chapter Six Maintaining a Computer Part II: Installing, Repairing, and Removing Applications.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Chapter 3 Installing and Learning Software. 2Practical PC 5 th Edition Chapter 3 Getting Started In this Chapter, you will learn: − What is in an application.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
Database Role Activity. DB Role and Privileges Worksheet.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Computer Literacy for IC 3 Unit 1: Computing Fundamentals © 2010 Pearson Education, Inc. | Publishing as Prentice Hall.1 Chapter 5: Identifying Operating.
Wireless and Mobile Security
Electronic Voting: Danger and Opportunity
W elcome to our Presentation. Presentation Topic Virus.
"Most people, I think, don't even know what a rootkit is, so why should they care about it?" - Thomas Hesse, President of Sony's Global Digital Business.
Why Cryptosystems Fail R. Anderson, Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993 Reviewed by Yunkyu Sung
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
CIW Lesson 8 Part B. Malicious Software application that installs hidden services on systems term for software whose specific intent is to harm computer.
John Samuels October, Why Now?  Vista Problems  New Features  >4GB Memory Support  Experience.
Sniper Corporation. Sniper Corporation is an IT security solution company that has introduced security products for the comprehensive protection related.
Troubleshooting Windows Vista Lesson 11. Skills Matrix Technology SkillObjective DomainObjective # Troubleshooting Installation and Startup Issues Troubleshoot.
Internet security for the home Paul Norton MEng(Hons) MIEE Electronic engineer working for Pascall Electronics Ltd. on the Isle of Wight A talk on Internet.
Computer Security Keeping you and your computer safe in the digital world.
Windows Vista Configuration MCTS : NTFS Security Features and File Sharing.
Data-Tech Guardian Endpoint Security Suite. Guardian Endpoint Security Suite secures All Things Mobile TM from one management console.
Presented by Kartik Patel
Chapter 3 Installing and Learning Software
EVoting 23 October 2006.
LINUX WINDOWS Vs..
Secure Software Confidentiality Integrity Data Security Authentication
Controlling Computer-Based Information Systems, Part II
Lesson 16-Windows NT Security Issues
Implementing Client Security on Windows 2000 and Windows XP Level 150
TPM, UEFI, Trusted Boot, Secure Boot
Presentation transcript:

Security Through the Lens of Failure J. Alex Halderman

Thinking About Failure “Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.” – Bruce Schneier

J. Alex Halderman Spectacular Security Failures Wide Impact Costly Repairs Collateral Damage Systemic

J. Alex Halderman Disaster Investigation

J. Alex Halderman Lessons from Failures New Security Intuitions New Research Directions Improved Public Policy

J. Alex Halderman Spectacular Security Failures 1. Compact Disc DRM 2. Electronic Voting 3. Disk Encryption Lessons from the Sony CD-DRM Episode J. A. Halderman and E. Felten USENIX Security 2006

J. Alex Halderman Compact Disc DRM Restrict use (Untrusted device) Compatibility (Legacy format)

J. Alex Halderman Three Generations st Generation:Passive protection nd Generation:Active protection rd Generation:Weak passive + Aggressive active [H02] [H03] [HF05]

J. Alex Halderman A Spectacular Failure Systemic failure Multiple systems cause danger to users Mass exposure Millions of computers vulnerable Difficult repairs Most users unaware they’re at risk High costs Lawsuits, recalls, lost sales

J. Alex Halderman SunnComm “Light years beyond encryption™” 52 titles 4.7 million discs 37 titles 20 million discs First4Internet

J. Alex Halderman Active Protection Drivers Ripper/copier Application Protection driver Normal CD OS Protection driver Autorun # CD Marked “Protected”  Audio CDHybrid CD [H03]

J. Alex Halderman Rootkit Magic prefix: $sys$ Files Processes Registry keys Hidden DRM challenge: Users will remove protection driver Vendor response: Install a rootkit to hide it [HF06] “Most people, I think, don't even know what a Rootkit is, so why should they care about it?” — Thomas Hesse President, Sony BMG Global Digital Business

J. Alex Halderman Rootkit Exploits in wild Backdoor.Ryknos.B Trojan.Welomoch DRM challenge: Users will remove protection driver Vendor response: Install a rootkit to hide it Attack: Privilege escalation Mistake: Hides arbitrary objects $sys$virus.exe [HF06]

J. Alex Halderman Installer DRM challenge: Users will decline to install software Vendor response: Install regardless of consent Attack: Privilege escalation Mistake: Incorrect permissions  13+ MB installed before EULA screen Everyone: Full Control Runs with administrator privileges next time CD is inserted

J. Alex Halderman Installer DRM challenge: Users will decline to install software Vendor response: Install regardless of consent Attack: Privilege escalation Mistake: Incorrect permissions  Sony releases patch…but, patch calls potentially booby trapped code [HF06] How do users know they need to patch? Vulnerable even if refused installation

J. Alex Halderman Uninstallers DRM challenge: Angry customers demand removal Vendor response: Offer uninstallers, but limit access “HTTP GET /XCP.dat” Web page calls ActiveX control CodeSupport.Uninstall(“ Server sony-bmg.com XCP.dat Client CodeSupport.ocx Client extracts InstallLite.dll from XCP.dat, calls UnInstall_xcp() User obtains single-use code for uninstallation web page 1. [HF06]

J. Alex Halderman Control accepts arbitrary URL Remote code not authenticated Control not removed after use Uninstallers DRM challenge: Angry customers demand removal Vendor response: Offer uninstallers, but limit access Attack: Remote code execution Mistakes: “HTTP GET /XCP.dat” Server sony-bmg.com XCP.dat Client CodeSupport.ocx Rookie mistakes Victim visits attacker’s web page CodeSupport.Uninstall(“ Client executes code from Evil.dat with user’s privileges 3. “HTTP GET /Evil.dat” Server attacker.com Evil.dat “Oops!... I did it again” [HF06]

J. Alex Halderman CD DRM Impact Millions of dangerous CDs recalled Class action suits against Sony, vendors FTC consumer protection investigation Both protection vendors leave the market Labels abandon CD copy protection

J. Alex Halderman CD DRM Lessons DRM problem → inherent conflict New intuition: DRM as a threat to client security Lack of transparency hid problems DMCA reform Mandatory disclosure Conflicting incentives led vendors to take risks Liability for harm to users

J. Alex Halderman Spectacular Security Failures 1. Compact Disc DRM 2. Electronic Voting 3. Disk Encryption Security Analysis of the Diebold AccuVote-TS Voting Machine A. J. Feldman, J. A. Halderman, and E. Felten EVT 2007 Machine-Assisted Election Auditing J. A. Calandrino, J. A. Halderman, and E. Felten EVT 2007

J. Alex Halderman DRE Voting Machines = Direct Recording Electronic

J. Alex Halderman Diebold’s History of Secrecy Prevented states from allowing independent security audits – hid behind NDAs, trade secret law Source code leaked in 2003, Hopkins researchers found major flaws Diebold responded with vague legal threats, personal attacks, disinformation campaign Internal s leaked in 2003, reveal poor security practices Diebold tried to suppress sites with legal threats

J. Alex Halderman We Get a Machine (2006) Diebold AccuVote TS Obtained legally from an anonymous private party Software version certified and used in actual elections First complete, public, independent security audit of a DRE

J. Alex Halderman A Spectacular Failure Systemic failure Similar risks in different vendors’ products Mass exposure Millions of votes at risk Difficult repairs Some attacks not patchable High costs Many states have to discard machines

J. Alex Halderman Reverse Engineering [FHF07]

J. Alex Halderman Inserting Code Bootloader WinCE Kernel BallotStation FBOOT.NB0 Bootloader NK.BIN WinCE Kernel INSTALL.INS BallotStation (Internal Flash or EPROM) (Internal Flash) [FHF07]

J. Alex Halderman [FHF07] Stealing Votes Kernel BallotStation Primary Vote RecordBackup Vote Record Audit Log Primary Vote RecordBackup Vote Record Audit Log Stuffer

J. Alex Halderman Voting Machine Viruses [FHF07] Reboot Single point of infection Entire county or state

J. Alex Halderman Physical Security [FHF07]

J. Alex Halderman Physical Security [FHF07]

J. Alex Halderman HartSequoiaDiebold California “Top-to-Bottom” Review

J. Alex Halderman E-Voting Lessons Systemic threats of code injection, viruses New intuition: DREs and desktops suffer like threats Blatant problems slipped by gov’t process Mandatory transparency, paper trails Improved specs and certification Market unable to build trustworthy e-voting Can we use computers to improve voting without having to trust them?

J. Alex Halderman Improving Voting Security Paper Ballots Physical tampering “Retail” fraud After the election Redundancy + Different failure modes = Greater security Electronic Records Cyber-tampering “Wholesale” fraud Before the election But…Redundancy only helps if we use both records!

J. Alex Halderman Auditing Approaches Precinct-based auditing (standard practice) Ballot-based auditing Expensive Privacy problems

J. Alex Halderman 100 marbles, 10% blue6300 beads, 10% blue How large a sample do we need to find error?

J. Alex Halderman Why Not Ballot-Based? Alice Bob Alice ● Alice ○ Bob ○ Alice ● Bob ● Alice ○ Bob Need to match up electronic with paper ballots. Difficult without compromising the secret ballot! 1 Alice 2 Bob 3 Alice ● Alice ○ Bob 1 ○ Alice ● Bob 2 ● Alice ○ Bob Alice Bob Alice ● Alice ○ Bob ○ Alice ● Bob ● Alice ○ Bob

J. Alex Halderman Machine-Assisted Auditing = ○ Alice ● Bob 1 1 Bob 2 Alice Bob Alice: 510 Bob: 419 ○ Alice ● Bob Step 1. Check electronic records against paper records using a recount machine. Shuffled ballots [CHF07]

J. Alex Halderman Machine-Assisted Auditing = ○ Alice ● Bob 1 1 Bob 2 Alice Bob Alice: 510 Bob: 419 ○ Alice ● Bob [CHF07]

J. Alex Halderman = 321 Bob 716 Alice Machine-Assisted Auditing ○ Alice ● Bob 1 1 Bob 2 Alice Bob = ○ Alice ● Bob 321 ● Alice ○ Bob 716 ○ Alice ● Bob 1 Step 2. Audit the recount machine by selecting random ballots for human inspection. [CHF07]

J. Alex Halderman As efficient as ballot-based auditing, while protecting the secret ballot. Machine-Assisted Auditing Machine Recount Manual Audit We can use a machine without having to trust it! [CHF07]

J. Alex Halderman Considering Ballot Content Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper Goal: Reject hypothesis that ≥ 5% of ballots are marked electronically for Alice but on paper for Bob. Only need to audit ballots marked for Alice. Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper [CHF07]

J. Alex Halderman Evaluation 2006 Virginia U.S. Senate race 0.3% margin of victory We want 99% confidence [CHF07]

J. Alex Halderman Spectacular Security Failures 1. Compact Disc DRM 2. Electronic Voting 3. Disk Encryption Cold-Boot Attacks on Encryption Keys J. A. Halderman, S. Schoen, N. Heninger, W. Clarkson, W. Paul, J. Calandrino, A. Feldman, J. Appelbaum, E. Felten In submission, 2008

J. Alex Halderman Data Theft Threat OS Access ControlAttacker’s Computer

J. Alex Halderman Disk Encryption Defense File System Disk Drivers On-the-Fly Crypto Password: ********

J. Alex Halderman A Spectacular Failure Systemic failure Nearly all disk encryption products at risk Mass exposure Millions vulnerable in common use case Difficult repairs No simple hardware or software remedies High costs Critical data at risk despite encryption

J. Alex Halderman Disk Encryption Defense Security Assumptions: The OS protects the key in RAM The attacker might reboot to circumvent the OS, but since RAM is volatile, the key will be lost

J. Alex Halderman 0 Dynamic RAM Volatility 1 Write “1” 1 DRAM Cell (Capacitor) 0 Refresh (Read and rewrite) Refresh Interval ≈ 32 ms What if we don’t refresh? Security Hardness Assumptions: Data fades almost instantaneously without refresh Any residual data is difficult to recover

J. Alex Halderman 5 secs30 secs60 secs300 secs DRAM Remanence DRAM data fades almost instantaneously Data fades gradually, over seconds or minutes Unidirectional Highly predictable Decay doesn’t spike until 10s or 100s of missed refreshes (almost 100% recovery for first few seconds) [HSHCPCFAF08]

J. Alex Halderman Capturing Residual Data Complication Booting OS overwrites large areas of RAM Solution Boot a small low-level program to write out memory content Implementations PXE Dump (9 KB) EFI Dump (10 KB) USB Dump (22 KB) [HSHCPCFAF08] Any residual data is difficult to recover Residual data can be captured easily, with no special equipment

J. Alex Halderman Basic Cold-Boot Attack Dumping RAM… Screen-locked machine (if hibernating/sleeping, just wake it up!) [HSHCPCFAF08]

J. Alex Halderman Countermeasure BIOS: Clearing RAM… !!! Common in machines that support ECC RAM

J. Alex Halderman Advanced Cold-Boot Attack Attacker’s Computer Dumping RAM… Won’t RAM data decay too quickly? [HSHCPCFAF08]

J. Alex Halderman DRAM Cooling [HSHCPCFAF08]

J. Alex Halderman Dealing with Bit Errors Some bit errors inevitable, especially without cooling (worsening as memory density increases) Given corrupted K’, find K Brute-force search over low Hamming distance to K’ 256-bit key with 10% unidirectional error rate (slow!) Naïve Approach Most programs store precomputed derivatives of K, for performance (e.g. key schedules) These derivatives contain redundancy, treat them as error correcting codes (Performance vs. security) Insight [HSHCPCFAF08]

J. Alex Halderman AES Key Schedule  Round 0 key (= K) Round 1 key Round 10 key … … Core 128-bit key K  10 more 128-bit keys for cipher rounds Output: 176 bytes of key material

J. Alex Halderman AES Key Reconstruction  Round 0 key (= K) Round 1 key Core: Rotate 8 ByteSub Slices: 7 bytes, uniquely determined by 4 bytes from K Find likely decodings of slice, given error model Combine decodings to form candidate K’s Test candidates against full key schedule In practice, reconstruction almost always unique [HSHCPCFAF08]

J. Alex Halderman Reconstructing Other Keys 256-bit AES, DES (key schedules) LRW tweak keys (multiplication tables) RSA private keys (primes P and Q) Also: Key Finding Insight: Target precomputation products instead of keys, use their redundant structure to locate them automatically [HSHCPCFAF08]

J. Alex Halderman Practical Attacks Windows Vista BitLocker Mac OS FileVault Linux dm-crypt Linux LoopAES TrueCrypt [HSHCPCFAF08]

J. Alex Halderman Disk Encryption Lessons DRAM security assumptions were wrong OS access control weaker than thought New threat model for memory New risk profile for users Abstraction hid security problems Investigate other abstractions CPU microcode? Running software has nowhere to store secrets Secure memory architectures Storing secrets in the user

J. Alex Halderman Contributions and Impacts 1. Compact disc DRM Inherent limitations of CD copy protection [H02, H03] Client security dangers of aggressive DRM [HF06]  Music industry abandoned CD DRM, then DRM 2. E-voting First comprehensive academic review of a DRE [FHF07] Systemic problems in related voting systems [CFHWYZ07] Trustworthy computer-assisted auditing [CHF07]  National shift away from DRE voting 3. Disk encryption [HSHCPCFAF08] Cold-boot attacks against encrypted disks Experimental characterization of DRAM remanence Automatic key finding and reconstruction  Security community rethinking memory threat models

J. Alex Halderman Eight Research Directions I Didn’t Have Time to Talk About Privacy protection for camera phones H., Waters, and Felten WPES 04 Client puzzles for denial-of-service prevention Waters, Juels, H., and Felten CCS 04 Convenient web password security H., Waters, and Felten WWW 05 Harvesting challenges from oblivious online sources H. and Waters CCS 07 Voting machine hardware analysis H. and Feldman 2008 AACS security flaws, DRM game theory In preparation Safely using cryptographic randomness in elections In preparation Repairing insecure DRE voting machines In preparation

J. Alex Halderman Thank You!

J. Alex Halderman References H02 H. Evaluating New Copy-Prevention Techniques for Audio CDs. DRM H03 H. Analysis of the MediaMax CD3 Copy-Prevention System HF06 H. and Felten. Lessons from the Sony CD DRM Episode. USENIX Security FHF07 Feldman, H., and Felten. Security Analysis of the Diebold AccuVote-TS Voting Machine. EVT CHF07 Calandrino, H., and Felten. Machine-Assisted Election Auditing. EVT CFHWYZ07 Calandrino, Feldman, H., Zeller, Yu, and Wagner. Source Code Review of the Diebold Voting System HSHCPCFAF08 H., Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum, and Felten. Lest We Remember: Cold Boot Attacks on Encryption Keys. In submission, 2008.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.