Post on 22-Dec-2015
Intro to Information Security 1
Introduction to Information Security
Mark Stamp
Department of Computer Science
San Jose State University
[email protected]
The Cast of Characters

- Alice and Bob are the good guys
- Trudy is the bad guy
- Trudy is our generic “intruder”

Alice’s Online Bank

- Alice opens Alice’s Online Bank (AOB)
- What are Alice’s security concerns?
- If Bob is a customer of AOB, what are his security concerns?
- How are Alice’s and Bob’s concerns similar? How are they different?
- How does Trudy view the situation?

CIA

- Confidentiality, Integrity and Availability
- AOB must prevent Trudy from learning Bob’s account balance
- Confidentiality: prevent unauthorized reading of information

CIA

- Trudy must not be able to change Bob’s account balance
- Bob must not be able to improperly change his own account balance
- Integrity: prevent unauthorized writing of information

CIA

- AOB’s information must be available when needed
- Alice must be able to make transactions
  o If not, she’ll take her business elsewhere
- Availability: data is available in a timely manner when needed
- Availability is a “new” security concern
  o In response to denial of service (DoS)
Beyond CIA

- How does Bob’s computer know that “Bob” is really Bob and not Trudy?
- Bob’s password must be verified
  o This requires some clever cryptography
- What are the security concerns of passwords?
- Are there alternatives to passwords?

Beyond CIA

- When Bob logs into AOB, how does AOB know that “Bob” is really Bob?
- As before, Bob’s password is verified
- Unlike the standalone computer case, network security issues arise
- What are the network security concerns?
- Protocols are critically important
- Crypto is also important in protocols

Beyond CIA

- Once Bob is authenticated by AOB, then AOB must restrict the actions of Bob
  o Bob can’t view Charlie’s account info
  o Bob can’t install new software, etc.
- Enforcing these restrictions is known as authorization
- Access control includes both authentication and authorization

Beyond CIA

- Cryptography, protocols and access control are implemented in software
- What are the security issues of software?
  o Most software is complex and buggy
  o Software flaws lead to security flaws
  o How to reduce flaws in software development?

Beyond CIA

- Some software is intentionally evil
  o Malware: computer viruses, worms, etc.
- What can Alice and Bob do to protect themselves from malware?
- What can Trudy do to make malware more “effective”?

Beyond CIA

- Operating systems enforce security
  o For example, authorization
- OS: large and complex software
  o Win XP has 40,000,000 lines of code!
  o Subject to bugs and flaws like any other software
  o Many security issues specific to OSs
  o Can you trust an OS?
My Book

- The text consists of four major parts
  o Cryptography
  o Access control
  o Protocols
  o Software

Cryptography

- “Secret codes”
- The book covers
  o Classic cryptography
  o Symmetric ciphers
  o Public key cryptography
  o Hash functions
  o Advanced cryptanalysis

Access Control

- Authentication
  o Passwords
  o Biometrics and others
- Authorization
  o Access Control Lists (ACLs) and Capabilities
  o Multilevel security (MLS), security modeling, covert channel, inference control
  o Firewalls and Intrusion Detection Systems

Protocols

- Simple authentication protocols
  o “Butterfly effect” --- small change can have drastic effect on security
  o Cryptography used in protocols
- Real-world security protocols
  o SSL, IPSec, Kerberos
  o GSM security

Software

- Software security-critical flaws
  o Buffer overflow
  o Other common flaws
- Malware
  o Specific viruses and worms
  o Prevention and detection
  o The future of malware

Software

- Software reverse engineering (SRE)
  o How hackers “dissect” software
- Digital rights management
  o Shows difficulty of security in software
  o Also raises OS security issues
- Limits of testing
  o Open source vs closed source

Software

- Operating systems
  o Basic OS security issues
  o “Trusted” OS requirements
  o NGSCB: Microsoft’s trusted OS for PC
- Software is a big security topic
  o Lots of material to cover
  o Lots of security problems to consider
Think Like Trudy

- In the past, no respectable sources talked about “hacking” in detail
- It was argued that such info would help hackers
- Very recently, this has changed
  o Books on network hacking, how to write evil software, how to hack software, etc.

Think Like Trudy

- Good guys must think like bad guys!
- A police detective
  o Must study and understand criminals
- In information security
  o We want to understand Trudy’s motives
  o We must know Trudy’s methods
  o We’ll often pretend to be Trudy

Think Like Trudy

- Is all of this security information a good idea?
- “It’s about time somebody wrote a book to teach the good guys what the bad guys already know.” --- Bruce Schneier

Think Like Trudy

- We must try to think like Trudy
- We must study Trudy’s methods
- We can admire Trudy’s cleverness
- Often, we can’t help but laugh at Alice and Bob’s stupidity
- But, we cannot act like Trudy
Security Books

Security Books

- Security Engineering: A Guide to Building Dependable Distributed Systems, Anderson, John Wiley & Sons, Inc., 2001
- Plusses
  o Highly readable/entertaining
  o Case studies
  o Emphasis on human factors
- Minuses
  o Glosses over technical issues
  o Not a textbook

Security Books

- Network Security: Private Communication in a Public World, second edition, Kaufman, Perlman, and Speciner, Prentice Hall, 2002
- Plusses
  o Solid on protocols
  o Brief but good on crypto
- Minuses
  o No software, access control
  o Too much RFC detail

Security Books

- Security in Computing, third edition, Pfleeger and Pfleeger, Prentice Hall, 2003
- Plusses
  o Good on OS topics
  o OK on software topics
- Minuses
  o Dated
  o Boring

Security Books

- Applied Cryptography: Protocols, Algorithms and Source Code in C, Second Edition, Schneier, John Wiley & Sons, Inc., 1995
- Plusses
  o Encyclopedic
  o Widely used
- Minuses
  o Crypto only
  o Sloppy in places

Security Books

- Computer Security, Gollmann, John Wiley & Sons, Inc., 1999
- Plusses
  o Chapter 8: How things go wrong
  o Good on security modeling
- Minuses
  o Mostly theoretical
  o No software/limited topics

Security Books

- Computer Security: Art and Science, Bishop, Addison Wesley, 2003
- Plusses
  o Security modeling
  o Theory
- Minuses
  o Theory, theory, and more theory
  o As much fun to read as a calculus textbook

Security Books

- Fundamentals of Secure Computer Systems, Tjaden, Franklin, Beedle and Associates, 2003
- Plusses
  o Intrusion detection systems
  o Good general approach
- Minuses
  o Weak crypto, software, protocols
  o Good approach, not well executed

Security Books

- Cryptography and Network Security: Principles and Practice, 3rd edition, Stallings, Prentice Hall, 2002
- Plusses
  o Some OK protocols material
- Minuses
  o Lots of pointless facts
  o Not coherent

“Hacker” Books

- Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, Skoudis, Prentice Hall, 2001
- Shellcoder’s Handbook: Discovering and Exploiting Security Holes, Koziol et al, Wiley, 2004
- Hacker Disassembling Uncovered, Kaspersky, A-List, 2003
- Reversing: Secrets of Reverse Engineering, Eilam, Wiley, 2005

My Book

- Information Security: Principles and Practice, Stamp, John Wiley & Sons, Inc., 2005
- Plusses
  o Too many to list…
- Minuses
  o Can’t think of any…
Crypto

Crypto Topics

- Crypto basics
- Symmetric ciphers
  o Stream ciphers, block ciphers
- Public key crypto
  o Knapsack, RSA, DH, ECC, signatures, etc.
- Hash functions
- Advanced cryptanalysis

Crypto

- Cryptology: the art and science of making and breaking “secret codes”
- Cryptography: making “secret codes”
- Cryptanalysis: breaking “secret codes”
- Crypto: all of the above (and more)

How to Speak Crypto

- A cipher or cryptosystem is used to encrypt the plaintext
- The result of encryption is ciphertext
- We decrypt ciphertext to recover plaintext
- A key is used to configure a cryptosystem
- A symmetric key cryptosystem uses the same key to encrypt as to decrypt
- A public key cryptosystem uses a public key to encrypt and a private key to decrypt (sign)

Crypto

- Basic assumption
  o The system is completely known to the attacker
  o Only the key is secret
- Also known as Kerckhoffs’ Principle
  o Crypto algorithms are not secret
- Why do we make this assumption?
  o Experience has shown that secret algorithms are weak when exposed
  o Secret algorithms never remain secret
  o Better to find weaknesses beforehand
Crypto as Black Box

[Figure: plaintext enters the encrypt box, which is configured with the key, and comes out as ciphertext; the ciphertext enters the decrypt box, configured with the same key, and the plaintext comes out]

Taxonomy of Cryptography

- Symmetric key
  o Same key for encryption as for decryption
  o Stream ciphers
  o Block ciphers
- Public key
  o Two keys, one for encryption (public), and one for decryption (private)
  o Digital signatures --- nothing comparable in symmetric key crypto
- Hash algorithms

Taxonomy of Cryptanalysis

- Ciphertext only
- Known plaintext
- Chosen plaintext
  o “Lunchtime attack”
  o Protocols might encrypt chosen text
- Adaptively chosen plaintext
- Related key
- Forward search (public key crypto only)
- Etc., etc.

Symmetric Key Crypto

- Stream cipher --- like a one-time pad
  o Key is relatively short
  o Key is stretched into a long keystream
  o Keystream is then used like a one-time pad
- Block cipher --- based on codebook concept
  o Block cipher key determines a codebook
  o Each key yields a different codebook
  o Employ both “confusion” and “diffusion”

Block Cipher Notation

- P = plaintext block
- C = ciphertext block
- Encrypt P with key K to get ciphertext C
  o C = E(P, K)
- Decrypt C with key K to get plaintext P
  o P = D(C, K)

Block Cipher Modes

- Many modes of operation
  o We discuss two
- Electronic Codebook (ECB) mode
  o Obvious thing to do
  o Encrypt each block independently
  o There is a serious weakness
- Cipher Block Chaining (CBC) mode
  o Chain the blocks together
  o More secure than ECB, virtually no extra work
ECB Mode

- Notation: C = E(P,K)
- Given plaintext P0, P1, …, Pm, …
- Obvious way to use a block cipher is

  Encrypt:               Decrypt:
  C0 = E(P0,K),          P0 = D(C0,K),
  C1 = E(P1,K),          P1 = D(C1,K),
  C2 = E(P2,K), …        P2 = D(C2,K), …

- For a fixed key K, this is an electronic version of a codebook cipher
- A new codebook for each key

ECB Weaknesses

- Suppose Pi = Pj
- Then Ci = Cj and Trudy knows Pi = Pj
- This gives Trudy some information, even if she does not know Pi or Pj
- Trudy might know Pi
- A “cut and paste” attack is also possible

Alice Hates ECB Mode

[Figure: Alice’s uncompressed image, and the same image ECB encrypted (TEA)]

- Why does this happen? Same plaintext block, same ciphertext!

CBC Mode

- Blocks are “chained” together
- A random initialization vector, or IV, is required to initialize CBC mode
- IV is random, but need not be secret

  Encryption:                 Decryption:
  C0 = E(IV ⊕ P0, K),         P0 = IV ⊕ D(C0, K),
  C1 = E(C0 ⊕ P1, K),         P1 = C0 ⊕ D(C1, K),
  C2 = E(C1 ⊕ P2, K), …       P2 = C1 ⊕ D(C2, K), …

CBC Mode

- Identical plaintext blocks yield different ciphertext blocks
- Cut and paste is still possible, but more complex (and will cause garbles)
- If C1 is garbled to, say, G, then the receiver computes C0 ⊕ D(G,K) ≠ P1 and G ⊕ D(C2,K) ≠ P2
- But P3 = C2 ⊕ D(C3,K), P4 = C3 ⊕ D(C4,K), … Automatically recovers from errors!

Alice Likes CBC Mode

[Figure: Alice’s uncompressed image, and the same image CBC encrypted (TEA)]

- Why does this happen? Same plaintext yields different ciphertext!
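The ECB weakness and the two CBC properties above (repeated plaintext blocks are hidden, and a single garbled ciphertext block damages only two plaintext blocks) can be checked directly. The following is an added example, not code from the slides or from the book: it implements TEA, the 64-bit block cipher the image slides name, drives it in ECB and CBC mode, and runs the three checks. The key, IV and plaintext blocks are constructed for the demonstration.

```c
/* Added example (not part of the original slides): TEA in ECB and CBC mode.
 * Shows that ECB repeats ciphertext where plaintext repeats, that CBC does
 * not, and that CBC recovers after one garbled ciphertext block.
 * Key, IV and plaintext values are constructed for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DELTA  0x9E3779B9u
#define ROUNDS 32

/* TEA encryption of one 64-bit block held as two 32-bit words. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < ROUNDS; i++) {
        sum += DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* TEA decryption: the rounds run backwards, sum starts at DELTA * ROUNDS. */
static void tea_decrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = (uint32_t)(DELTA * ROUNDS);
    for (int i = 0; i < ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= DELTA;
    }
    v[0] = v0; v[1] = v1;
}

/* Block-level wrappers in the slides' notation: C = E(P,K), P = D(C,K). */
static uint64_t E(uint64_t p, const uint32_t k[4]) {
    uint32_t v[2] = { (uint32_t)(p >> 32), (uint32_t)p };
    tea_encrypt(v, k);
    return ((uint64_t)v[0] << 32) | v[1];
}
static uint64_t D(uint64_t c, const uint32_t k[4]) {
    uint32_t v[2] = { (uint32_t)(c >> 32), (uint32_t)c };
    tea_decrypt(v, k);
    return ((uint64_t)v[0] << 32) | v[1];
}

/* ECB: Ci = E(Pi,K), each block independent of the others. */
void ecb_encrypt(const uint64_t *p, uint64_t *c, size_t n, const uint32_t k[4]) {
    for (size_t i = 0; i < n; i++) c[i] = E(p[i], k);
}

/* CBC: Ci = E(C(i-1) xor Pi, K), with the (public, random) IV as C(-1). */
void cbc_encrypt(const uint64_t *p, uint64_t *c, size_t n, uint64_t iv, const uint32_t k[4]) {
    uint64_t prev = iv;
    for (size_t i = 0; i < n; i++) { c[i] = E(prev ^ p[i], k); prev = c[i]; }
}

/* CBC decryption: Pi = C(i-1) xor D(Ci,K); only Ci and C(i-1) affect Pi. */
void cbc_decrypt(const uint64_t *c, uint64_t *p, size_t n, uint64_t iv, const uint32_t k[4]) {
    uint64_t prev = iv;
    for (size_t i = 0; i < n; i++) { p[i] = prev ^ D(c[i], k); prev = c[i]; }
}

/* Constructed key, IV and a 5-block plaintext whose blocks 0 and 2 are equal. */
static const uint32_t KEY[4] = { 0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u };
static const uint64_t IV = 0x0badc0ffee000001ULL;
static const uint64_t PT[5] = { 0x4141414141414141ULL, 0x4242424242424242ULL,
                                0x4141414141414141ULL, 0x4343434343434343ULL,
                                0x4444444444444444ULL };

/* 1 if ECB output repeats exactly where the plaintext repeats (blocks 0 and 2). */
int ecb_leaks_repeated_blocks(void) {
    uint64_t c[5];
    ecb_encrypt(PT, c, 5, KEY);
    return c[0] == c[2] && c[0] != c[1];
}

/* 1 if CBC hides the repeat (blocks 0 and 2 differ) and still round-trips. */
int cbc_hides_repeated_blocks(void) {
    uint64_t c[5], back[5];
    cbc_encrypt(PT, c, 5, IV, KEY);
    cbc_decrypt(c, back, 5, IV, KEY);
    int ok = c[0] != c[2];
    for (int i = 0; i < 5; i++) ok = ok && back[i] == PT[i];
    return ok;
}

/* Garble C1 and decrypt: P1 and P2 come out wrong, P0, P3 and P4 are intact.
 * Returns how many of the 5 blocks decrypt correctly (expected: 3). */
int cbc_blocks_recovered_after_garbling_c1(void) {
    uint64_t c[5], back[5];
    int good = 0;
    cbc_encrypt(PT, c, 5, IV, KEY);
    c[1] ^= 0xffULL;                       /* one garbled byte in C1 */
    cbc_decrypt(c, back, 5, IV, KEY);
    for (int i = 0; i < 5; i++) good += (back[i] == PT[i]);
    return good;
}

int main(void) {
    printf("ECB repeats leak:  %d\n", ecb_leaks_repeated_blocks());
    printf("CBC hides repeats: %d\n", cbc_hides_repeated_blocks());
    printf("blocks intact after garbling C1: %d of 5\n", cbc_blocks_recovered_after_garbling_c1());
    return 0;
}
```

The garbling check follows the slide's formulas exactly: the receiver computes C0 ⊕ D(G,K) for P1 and G ⊕ D(C2,K) for P2, both wrong, and from P3 on the chain only depends on unmodified blocks.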
Access Control

Access Control Topics

- Authentication
  o Something you know (passwords)
  o Something you have (smartcard)
  o Something you are (biometrics)
- Authorization
  o ACLs/capabilities, MLS, CAPTCHA
  o Firewalls, IDS

Turing Test

- Proposed by Alan Turing in 1950
- Human asks questions to one other human and one computer (without seeing either)
- If the human questioner cannot distinguish the human from the computer responder, the computer passes the test
- The gold standard in artificial intelligence
- No computer can pass this today

CAPTCHA

- CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
- Automated: test is generated and scored by a computer program
- Public: program and data are public
- Turing test to tell…: humans can pass the test, but machines cannot pass the test
- Like an inverse Turing test (sort of…)

CAPTCHA Paradox

- “…CAPTCHA is a program that can generate and grade tests that it itself cannot pass…”
- “…much like some professors…”
- Paradox: computer creates and scores a test that it cannot pass!
- CAPTCHA used to restrict access to resources to humans (no computers)
- CAPTCHA useful for access control

CAPTCHA Uses?

- Original motivation: automated “bots” stuffed the ballot box in a vote for best CS school
- Free email services: spammers used bots to sign up for 1000’s of email accounts
  o CAPTCHA employed so only humans can get accounts
- Sites that do not want to be automatically indexed by search engines
  o HTML tag only says “please do not index me”
  o CAPTCHA would force human intervention

CAPTCHA: Rules of the Game

- Must be easy for most humans to pass
- Must be difficult or impossible for machines to pass
  o Even with access to CAPTCHA software
- The only unknown is some random number
- Desirable to have different CAPTCHAs in case some person cannot pass one type
  o Blind person could not pass visual test, etc.

Do CAPTCHAs Exist?

- Test: find 2 words in the following [image not included in the transcript]
- Easy for most humans
- Difficult for computers (OCR problem)

CAPTCHAs

- Current types of CAPTCHAs
  o Visual: like the previous example; many others
  o Audio: distorted words or music
- No text-based CAPTCHAs
  o Maybe this is not possible…

CAPTCHAs and AI

- Computer recognition of distorted text is a challenging AI problem
  o But humans can solve this problem
- Same is true of distorted sound
  o Humans also good at solving this
- Hackers who break such a CAPTCHA have solved a hard AI problem
- Putting hackers’ effort to good use!
Protocols

Protocol Topics

- Simple authentication protocols
  o Nonces, session keys, timestamps, etc.
  o Perfect forward secrecy, zero knowledge proofs
- Real-world security protocols
  o SSL
  o IPSec
  o Kerberos
  o GSM

Authentication

- Authentication on a stand-alone computer is relatively simple
  o “Secure path” is the primary issue
  o Main concern is an attack on authentication software (we discuss software attacks later)
- Authentication over a network is much more complex
  o Attacker can passively observe messages
  o Attacker can replay messages
  o Active attacks may be possible (insert, delete, change messages)

Symmetric Key Authentication

- Alice and Bob share symmetric key KAB
- Key KAB known only to Alice and Bob
- Authenticate by proving knowledge of shared symmetric key
- How to accomplish this?
  o Must not reveal key
  o Must not allow replay attack

Authentication with Symmetric Key

  Alice (KAB)                              Bob (KAB)
      ----- “I’m Alice” -------------------->
      <---- R -------------------------------
      ----- E(R,KAB) ----------------------->

- Secure method for Bob to authenticate Alice
- Alice does not authenticate Bob
- Can we achieve mutual authentication?

Mutual Authentication

- Since we have a secure one-way authentication protocol…
- The obvious thing to do is to use the protocol twice
  o Once for Bob to authenticate Alice
  o Once for Alice to authenticate Bob
- This has to work…

Mutual Authentication

  Alice (KAB)                              Bob (KAB)
      ----- “I’m Alice”, RA ---------------->
      <---- RB, E(RA,KAB) -------------------
      ----- E(RB,KAB) ---------------------->

- This provides mutual authentication
- Is it secure? See the next slide…

Mutual Authentication Attack

  Trudy (first connection)                 Bob (KAB)
      1. ----- “I’m Alice”, RA ------------>
      2. <---- RB, E(RA,KAB) ---------------
  Trudy (second connection)                Bob (KAB)
      3. ----- “I’m Alice”, RB ------------>
      4. <---- RC, E(RB,KAB) ---------------
  Trudy (first connection again)           Bob (KAB)
      5. ----- E(RB,KAB) ------------------>

Mutual Authentication

- Our one-way authentication protocol is not secure for mutual authentication
- Protocols are subtle!
- The “obvious” thing may not be secure
- Also, if assumptions or environment changes, protocol may not work
  o This is a common source of security failure
  o For example, Internet protocols

Symmetric Key Mutual Authentication

  Alice (KAB)                              Bob (KAB)
      ----- “I’m Alice”, RA ---------------->
      <---- RB, E(“Bob”,RA,KAB) -------------
      ----- E(“Alice”,RB,KAB) -------------->

- Do these “insignificant” changes help? Yes!
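The reflection attack on the doubled protocol and the fix that binds the responder's name into each encrypted challenge can both be exercised against a model of Bob's side alone. The following is an added example, not code from the slides or from the book: Bob's two message handlers are written once with a switch between the flawed and the fixed protocol, an honest Alice runs the protocol with the key, and Trudy runs the five-step attack from the slide with no key at all, only replaying what Bob himself produced. E(…) is modelled by a keyed mixing function (FNV-1a seeded with the key), a stand-in for a cipher chosen only so that both sides compute the same values; the key and nonces are constructed for the demonstration.

```c
/* Added example (not part of the original slides): mutual authentication,
 * flawed (E(RA,KAB) / E(RB,KAB)) versus fixed (E("Bob",RA,KAB) /
 * E("Alice",RB,KAB)), with Trudy's reflection attack run against Bob.
 * E() is a keyed mixing function standing in for a cipher; key and nonce
 * values are constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>

enum variant { FLAWED, FIXED };   /* the two protocols from the slides above */

/* Stand-in for E(label, nonce, K): FNV-1a over label and nonce, seeded by K.
 * Not a secure cipher; the demo only needs both parties to compute the same
 * value and Trudy to never compute it herself. */
static uint64_t E(const char *label, uint64_t nonce, uint64_t key) {
    uint64_t h = 0xcbf29ce484222325ULL ^ key;
    for (const unsigned char *p = (const unsigned char *)label; *p; p++) {
        h ^= *p; h *= 0x100000001b3ULL;
    }
    for (int i = 0; i < 8; i++) {
        h ^= (nonce >> (8 * i)) & 0xff; h *= 0x100000001b3ULL;
    }
    return h;
}

/* Bob's state for one run: the challenge RB he issued and his verdict. */
struct bob_session { uint64_t rb; int accepted; };

/* Message 2: Bob gets ("I'm Alice", ra), picks rb, and answers with E(ra)
 * in the flawed protocol or E("Bob", ra) in the fixed one. */
static uint64_t bob_msg2(enum variant v, uint64_t ra, uint64_t rb, uint64_t key,
                         struct bob_session *s) {
    s->rb = rb; s->accepted = 0;
    return E(v == FIXED ? "Bob" : "", ra, key);
}

/* Message 3: Bob checks the claimed proof of K for his own challenge rb. */
static int bob_msg3(enum variant v, uint64_t proof, uint64_t key,
                    struct bob_session *s) {
    uint64_t expected = E(v == FIXED ? "Alice" : "", s->rb, key);
    s->accepted = (proof == expected);
    return s->accepted;
}

/* Honest Alice, who knows KAB: must be accepted under either variant. */
int honest_alice_accepted(enum variant v) {
    const uint64_t key = 0x5ec2e7000000ba55ULL;   /* constructed KAB */
    struct bob_session s;
    uint64_t ra = 0x1111111111111111ULL, rb = 0x2222222222222222ULL;
    uint64_t bob_reply = bob_msg2(v, ra, rb, key, &s);
    /* Alice checks Bob's answer to RA before answering RB. */
    if (bob_reply != E(v == FIXED ? "Bob" : "", ra, key)) return 0;
    return bob_msg3(v, E(v == FIXED ? "Alice" : "", rb, key), key, &s);
}

/* Trudy's reflection attack, steps 1-5 of the attack slide. The key is
 * only ever used inside Bob's handlers; Trudy's sole encrypted value is
 * the one Bob produced in a second connection where she sent his own RB
 * back to him as "her" nonce. Returns 1 if Bob accepts her as Alice. */
int reflection_attack_accepted(enum variant v) {
    const uint64_t key = 0x5ec2e7000000ba55ULL;   /* Bob's copy of KAB */
    struct bob_session s1, s2;
    uint64_t ra = 0x1111111111111111ULL;   /* Trudy's nonce, connection 1 */
    uint64_t rb = 0x2222222222222222ULL;   /* Bob's challenge, connection 1 */
    uint64_t rc = 0x3333333333333333ULL;   /* Bob's challenge, connection 2 */
    (void)bob_msg2(v, ra, rb, key, &s1);               /* 1, 2: RB, E(RA) */
    uint64_t bobs_answer = bob_msg2(v, rb, rc, key, &s2); /* 3, 4: RC, E(RB) */
    return bob_msg3(v, bobs_answer, key, &s1);         /* 5: E(RB) replayed */
}

int main(void) {
    printf("flawed: honest Alice accepted %d, Trudy accepted %d\n",
           honest_alice_accepted(FLAWED), reflection_attack_accepted(FLAWED));
    printf("fixed:  honest Alice accepted %d, Trudy accepted %d\n",
           honest_alice_accepted(FIXED), reflection_attack_accepted(FIXED));
    return 0;
}
```

In the fixed variant Bob's step-4 answer is E("Bob",RB,KAB), while at step 5 he expects E("Alice",RB,KAB); the two labels make the values differ, so the replay is rejected even though Trudy's message flow is unchanged.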
Socket Layer

- “Socket layer” lives between application and transport layers
- SSL usually lies between HTTP and TCP

[Figure: protocol stack (application, socket “layer”, transport, network, link, physical), annotated with where each part runs: User, OS, NIC]

What is SSL?

- SSL is the protocol used for most secure transactions over the Internet
- For example, if you want to buy a book at amazon.com…
  o You want to be sure you are dealing with Amazon (authentication)
  o Your credit card information must be protected in transit (confidentiality and/or integrity)
  o As long as you have money, Amazon doesn’t care who you are (authentication need not be mutual)

Simple SSL-like Protocol

  Alice                                    Bob
      ----- I’d like to talk to you securely ---->
      <---- Here’s my certificate ----------------
      ----- {KAB}Bob ---------------------------->
      <==== protected HTTP ======================>

- Is Alice sure she’s talking to Bob?
- Is Bob sure he’s talking to Alice?

Simplified SSL Protocol

  Alice                                    Bob
      ----- Can we talk?, cipher list, RA ------->
      <---- Certificate, cipher, RB --------------
      ----- {S}Bob, E(h(msgs,CLNT,K),K) --------->
      <---- h(msgs,SRVR,K) -----------------------
      <==== Data protected with key K ===========>

- S is the pre-master secret
- K = h(S,RA,RB)
- msgs = all previous messages
- CLNT and SRVR are constants

SSL MiM Attack

  Alice                      Trudy                      Bob
      ----- RA ------------>      ----- RA ------------>
      <-- certificateT, RB --     <-- certificateB, RB --
      -- {S1}Trudy, E(X1,K1) ->   -- {S2}Bob, E(X2,K2) ->
      <-- h(Y1,K1) ----------     <-- h(Y2,K2) ----------
      <== E(data,K1) =======>     <== E(data,K2) =======>

- Q: What prevents this MiM attack?
- A: Bob’s certificate must be signed by a certificate authority (such as Verisign)
- What does the Web browser do if the signature is not valid?
- What does the user do if the signature is not valid?
Software

Software Topics

- Flaws
- Malware
- Software-based attacks
- Software reverse engineering (SRE)
- Digital rights management (DRM)
- Software development
- Operating systems/trusted OS
- NGSCB

Why Software?

- Why is software as important to security as crypto, access control and protocols?
- Virtually all of information security is implemented in software
- If your software is subject to attack, your security is broken
  o Regardless of strength of crypto, access control or protocols
- Software is a poor foundation for security

Bad Software is Everywhere

- NASA Mars Lander (cost $165 million)
  o Crashed into Mars
  o Error in converting English and metric units
- Denver airport
  o Buggy baggage handling system
  o Delayed airport opening by 11 months
  o Cost of delay exceeded $1 million/day
- MV-22 Osprey
  o Advanced military aircraft
  o Lives have been lost due to faulty software

Software Issues

- Attackers
  o Actively look for bugs and flaws
  o Like bad software…
  o …and try to make it misbehave
  o Attack systems thru bad software
- “Normal” users
  o Find bugs and flaws by accident
  o Hate bad software…
  o …but must learn to live with it
  o Must make bad software work

Complexity

- “Complexity is the enemy of security”, Paul Kocher, Cryptography Research, Inc.

  System          Lines of code (LOC)
  Netscape             17,000,000
  Space shuttle        10,000,000
  Linux                 1,500,000
  Windows XP           40,000,000
  Boeing 777            7,000,000

- A new car contains more LOC than was required to land the Apollo astronauts on the moon
Buffer Overflow Attack Scenario

- Users enter data into a Web form
- Web form is sent to server
- Server writes data to buffer, without checking length of input data
- Data overflows from buffer
- Sometimes, overflow can enable an attack
- Web form attack could be carried out by anyone with an Internet connection

Buffer Overflow

- Q: What happens when this is executed?

  int main(){
      int buffer[10];
      buffer[20] = 37;
  }

- A: Depending on what resides in memory at location “buffer[20]”
  o Might overwrite user data or code
  o Might overwrite system data or code

Simple Buffer Overflow

- Consider a Boolean flag for authentication
- Buffer overflow could overwrite the flag, allowing anyone to authenticate!

[Figure: a character buffer holding “F O U R S C …” laid out directly before a Boolean flag; writing past the end of the buffer changes the flag from F to T]

- In some cases, the attacker need not be so lucky as to have the overflow overwrite the flag
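The flag picture above can be reproduced in a few lines of C, and the fix is equally short. The following is an added example, not code from the slides or from the book: a struct places a 10-byte buffer directly before the Boolean flag, an unchecked login routine copies whatever length it is handed, and a checked one rejects input that does not fit before anything is written. The secret value and inputs are constructed. To keep the demonstration deterministic (writing past the end of a local array is undefined behaviour in C), the unchecked copy goes through a byte pointer to the whole struct and is capped at the struct's size, so the excess lands on the flag rather than past the object.

```c
/* Added example (not part of the original slides): the authentication-flag
 * overflow, unchecked versus checked. Secret and inputs are constructed. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN 10
struct login_state {
    char buffer[BUF_LEN];   /* where the entered value is copied */
    int  authenticated;     /* the Boolean flag from the slide, right after it */
};
static const char SECRET[] = "hunter2x";   /* constructed expected value */

/* Vulnerable: no length check before the copy. The copy is capped at the
 * struct size only so that the demo stays within defined behaviour; the
 * bytes beyond buffer[] still land on `authenticated`. Returns the flag. */
int login_unchecked(const char *input, size_t len) {
    struct login_state st;
    memset(&st, 0, sizeof st);
    if (len > sizeof st) len = sizeof st;
    memcpy((unsigned char *)&st, input, len);   /* overflows buffer into flag */
    if (strncmp(st.buffer, SECRET, BUF_LEN) == 0) st.authenticated = 1;
    return st.authenticated != 0;   /* 0x41414141 from "AAAA" counts as true */
}

/* Hardened: length is checked against the buffer before any write, and the
 * flag is only ever set by the comparison.
 * Returns 1 on success, 0 on wrong secret, -1 if the input is rejected. */
int login_checked(const char *input, size_t len) {
    struct login_state st;
    memset(&st, 0, sizeof st);
    if (len >= BUF_LEN) return -1;              /* must leave room for NUL */
    memcpy(st.buffer, input, len);
    st.buffer[len] = '\0';
    st.authenticated = (strcmp(st.buffer, SECRET) == 0);
    return st.authenticated;
}

int main(void) {
    const char flood[] = "AAAAAAAAAAAAAAAA";   /* 16 bytes: buffer, padding, flag */
    printf("unchecked, right secret: %d\n", login_unchecked(SECRET, strlen(SECRET)));
    printf("unchecked, 16 x 'A':     %d\n", login_unchecked(flood, 16));
    printf("checked,   right secret: %d\n", login_checked(SECRET, strlen(SECRET)));
    printf("checked,   16 x 'A':     %d\n", login_checked(flood, 16));
    return 0;
}
```

With the unchecked routine the 16 bytes of 'A' never match the secret, yet the call returns "authenticated" because the flag was overwritten by the copy itself; the checked routine refuses the same input before touching the struct.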
Memory Organization

- Text == code
- Data == static variables
- Heap == dynamic data
- Stack == “scratch paper”
  o Dynamic local variables
  o Parameters to functions
  o Return address

[Figure: memory layout from low address to high address: text, data, heap, then the stack at the high end, with the stack pointer SP marking its top]

Simplified Stack Example

  void func(int a, int b){
      char buffer[10];
  }
  int main(void){
      func(1, 2);
      return 0;
  }

[Figure: stack contents while func runs, from high to low addresses: the arguments b and a, the return address (ret), then buffer; the stack pointer SP moves down as each item is pushed]

Smashing the Stack

- What happens if buffer overflows?

[Figure: same stack layout; an overflow of buffer runs upward over the return address (ret)]

- Program “returns” to wrong location ???
- A crash is likely
- NOT!

Smashing the Stack

- Attacker has a better idea…

[Figure: the attacker fills buffer with evil code and overwrites the return address (ret) so that it points back at that code]

- Code injection
- Attacker can run any code on affected system!

Smashing the Stack

- Attacker may not know
  o Address of evil code
  o Location of ret on stack
- Solutions
  o Precede evil code with NOP “landing pad”
  o Insert lots of new ret

[Figure: the stack after the overflow: a run of NOPs, then the evil code, then many copies of the new ret value]

Stack Smashing Summary

- A buffer overflow must exist in the code
- Not all buffer overflows are exploitable
  o Things must line up correctly
- If exploitable, attacker can inject code
- Trial and error likely required
  o Lots of help available online
  o Smashing the Stack for Fun and Profit, Aleph One
- Also possible to overflow the heap
- Stack smashing is “attack of the decade”
Stack Smashing Example

- Program asks for a serial number that the attacker does not know
- Attacker also does not have source code
- Attacker does have the executable (exe)
- Program quits on incorrect serial number

Example

- By trial and error, attacker discovers an apparent buffer overflow [screenshot not included in the transcript]
- Note that 0x41 is “A”
- Looks like ret overwritten by 2 bytes!

Example

- Next, disassemble bo.exe to find [screenshot not included in the transcript]
- The goal is to exploit the buffer overflow to jump to address 0x401034

Example

- Find that 0x401034 is “@^P4” in ASCII
- Byte order is reversed? Why?
- X86 processors are “little-endian”

Example

- Reverse the byte order to “4^P@” and… [screenshot not included in the transcript]
- Success! We’ve bypassed the serial number check by exploiting a buffer overflow
- Overwrote the return address on the stack

Example

- Attacker did not require access to the source code
- Only tool used was a disassembler to determine the address to jump to
- Can find address by trial and error
  o Necessary if attacker does not have exe
  o For example, a remote attack

Example

- Source code of the buffer overflow [listing not included in the transcript]
- Flaw easily found by attacker
- Even without the source code!
Malicious Software

- Malware is not new!
- Fred Cohen’s initial virus work in 1980’s
  o Used viruses to break MLS systems
- Types of malware (lots of overlap)
  o Virus: passive propagation
  o Worm: active propagation
  o Trojan horse: unexpected functionality
  o Trapdoor/backdoor: unauthorized access
  o Rabbit: exhaust system resources

SQL Slammer

- Infected 250,000 systems in 10 minutes!
- Code Red took 15 hours to do what Slammer did in 10 minutes
- At its peak, Slammer infections doubled every 8.5 seconds
- Slammer spread too fast: “burned out” available bandwidth

SQL Slammer

- Why was Slammer so successful?
  o Worm fit in one 376 byte UDP packet
  o Firewalls often let small packet thru, assuming it could do no harm by itself
  o Then firewall monitors the connection
  o Expectation was that much more data would be required for an attack
  o Slammer defied assumptions of “experts”

Polymorphic Malware

- Polymorphic worm (usually) encrypted
- New key is used each time worm propagates
  o The encryption is weak (repeated XOR)
  o Worm body has no fixed signature
  o Worm must include code to decrypt itself
  o Signature detection searches for decrypt code
- Detectable by signature-based method
  o Though more challenging than non-polymorphic…

Metamorphic Malware

- A metamorphic worm mutates before infecting a new system
- Such a worm can avoid signature-based detection systems
- The mutated worm must do the same thing as the original
- And it must be “different enough” to avoid detection
- Detection is currently an unsolved problem

Metamorphic Worm

- To replicate, the worm is disassembled
- Worm is stripped to a base form
- Random variations inserted into code
  o Rearrange jumps
  o Insert dead code
  o Many other possibilities
- Assemble the resulting code
- Result is a worm with same functionality as original, but very different signature

Warhol Worm

- “In the future everybody will be world-famous for 15 minutes” --- Andy Warhol
- A Warhol Worm is designed to infect the entire Internet in 15 minutes
- Slammer infected 250,000 systems in 10 minutes
  o “Burned out” bandwidth
  o Slammer could not have infected all of Internet in 15 minutes: too bandwidth intensive
- Can a worm do “better” than Slammer?

Warhol Worm

- One approach to a Warhol worm…
- Seed worm with an initial hit list containing a set of vulnerable IP addresses
  o Depends on the particular exploit
  o Tools exist for finding vulnerable systems
- Each successful initial infection would attack selected part of IP address space
- No worm this sophisticated has yet been seen in the wild (as of 2004)
  o Slammer generated random IP addresses
- Could infect entire Internet in 15 minutes!

Flash Worm

- Possible to do “better” than Warhol worm?
- Can entire Internet be attacked in < 15 min?
- Searching for vulnerable IP addresses is the slow part of any worm attack
- Searching might be bandwidth limited
  o Like Slammer
- A “flash worm” is designed to infect entire Internet almost instantly

Flash Worm

- Predetermine all vulnerable IP addresses
  o Depends on the particular exploit
- Embed all known vulnerable addresses in worm
- Result is a huge worm (perhaps 400KB)
- Whenever the worm replicates, it splits
- Virtually no wasted time or bandwidth!

[Figure: the original worm splits into a 1st generation, each of which splits again into a 2nd generation]

Flash Worm

- Estimated that an ideal flash worm could infect the entire Internet in 15 seconds!
- Much faster than humans could respond
- How to defend against this?