Games and the Impossibility of Realizable Ideal Functionality
Spring 2006
CS 155
Final Review Session
Collin Jackson
Final Details
Open book, open notes, closed laptop
Main final (recommended): 7-10 PM on Tuesday, June 13, Gates B01
Alternate final: 3:30-6:30 PM on Monday, June 12, Gates B03
Study suggestions:
    Previous finals available on course webpage
    Reading, slides, lectures, homework
    Email [email protected] with questions
Some Topics
Project 2 recap
SQL injection
Access control
TPM
Project 2 Recap
Part 1
Part 2
Grading
Part 1: Attacks
Attack A: Cookie Theft (diagram labels: link, zoobar.org email)
Attack B: Silent Transfer (diagram labels: badguy.com)
Attack C: Login Snooping (diagram labels: zoobar.org, stanford.edu)
Attack D: Profile Worm (diagram labels: badguy.com, zoobar.org email, zoobar.org)
Most common issues were race conditions or attack differs from specification in some detail
Mostly full credit given for attacks where idea was there.
Part 2: Defenses
Attack A: Cookie Theft
Attack D: Profile Worm
Everybody fixed these.
Part 2: Defenses
Attack B: Request Forgery
    Ok: authentication cookie
    Easy to circumvent: userid or hash(userid)
Attack C: Login Snooping
    Ok: Add quotes around value
    Easy to circumvent: Blacklist dangerous strings
Part 2: More XSS Tests
index.php
    Profile: </textarea><script>…</script>
    Exploitable? Depends on (optional) login CSRF defense
users.php
    Profile: <img onload=…>
    User: </script><script>…<script>
transfer.php
    Recipient: <script>…</script>
    Exploitable? Depends on transfer CSRF defense
Part 2: Grading
Key ideas:
    Preferred approach is escaping
    Alternate approach is whitelisting
    Blacklisting is easy to get wrong
Grades released sometime this weekend
If you feel your project was misgraded, contact the TAs; we reserve the right to regrade the entire project
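Added example (not code from the review session or from the zoobar project): the three approaches named on the grading slide side by side in Python, run against inputs constructed to mirror the XSS test cases above. The payload strings, the function names and the username character class are assumptions made for the demonstration.

```python
import html
import re

# Constructed inputs shaped like the test cases on the "More XSS Tests" slide.
TEXTAREA_PAYLOAD = "</textarea><script>x</script>"
IMG_PAYLOAD = "<img onload=x>"


def escape_html(user_text: str) -> str:
    """Escaping (preferred): the characters that can change HTML structure become
    entities, so the text is safe as element content and inside a quoted attribute."""
    return html.escape(user_text, quote=True)


def render_profile_textarea(profile: str) -> str:
    """index.php-style rendering: the profile lands inside a <textarea>. Because the
    input is escaped, a '</textarea>' in it cannot close the element early."""
    return '<textarea name="profile">%s</textarea>' % escape_html(profile)


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def whitelist_username(user: str):
    """Whitelisting (alternate): accept only the character class the field needs.
    Returns the value unchanged when it passes, None when it does not."""
    return user if USERNAME_RE.match(user) else None


def blacklist_script_tags(user_text: str) -> str:
    """A typical blacklist that strips <script> tags and nothing else. Included to
    show why the slide calls blacklisting easy to get wrong: it says nothing about
    event handlers on other elements."""
    return re.sub(r"</?script[^>]*>", "", user_text, flags=re.IGNORECASE)


def has_tag(text: str) -> bool:
    """True if the text still contains something the browser would parse as a tag."""
    return re.search(r"<[A-Za-z/]", text) is not None
```

The escaped textarea output contains exactly one `</textarea>`, the one the template wrote; the blacklist leaves the `<img onload=…>` case untouched, which is the corner the whitelist and escaping approaches cover without any per-tag knowledge.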
SQL Injection
Problem Overview
Good defenses
Bad defenses
SQL Syntax
Four basic commands (plus many others)
    INSERT INTO [table] ([column], …) VALUES ([value], …)
    SELECT [column], … FROM [table] WHERE [condition]
    UPDATE [table] SET [column]=[value], … WHERE [condition]
    DELETE FROM [table] WHERE [condition]
Strings delimited with '
Statements separated with ;
Comments start with --
Attack Characteristics
Victim site builds query using concatenation
User data not validated
String may appear where integer expected
    "SELECT * FROM UserTable WHERE id=" + $_POST["userid"]
Breaks out of quoted string
    "SELECT Password FROM UserTable WHERE Username='" + $_POST["username"] + "'";
Crafting an attack
Spider site and look for input fields
Put ' in each field and look for errors
Try to determine the structure of the query
    Guess and observe results
    Error messages can be helpful
Construct malicious attack query, e.g.
    Return sensitive data from other rows or tables
    Modify passwords file to give attacker access
Example Question
Site form allows lookup by integer id:
    <input name=id><input type=submit>
Fix this query: "SELECT * FROM UserTable WHERE id=" + Request["id"];
Best: Parameterized SQL
    cmd.CommandText = "SELECT * FROM UserTable WHERE id=@id";
    cmd.Parameters.Add("@id", Request["id"]);
    cmd.ExecuteReader();
Okay: Escaping functions provided by language
    Must always use right one, compose in right order
Okay: Casting to numerical data type
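Added example (not from the slides, which use a C#-style API): the same integer-id lookup in Python against an in-memory SQLite table, with the concatenated query from the slide next to the parameterized fix and the cast-to-integer fix. The table contents and the two sample rows are constructed; the string "1 OR 1=1" is the classic case of a string appearing where an integer was expected.

```python
import sqlite3


def make_db():
    """In-memory database with a constructed UserTable (two sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?, ?)",
                     [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    return conn


def lookup_concatenated(conn, user_id):
    """The pattern from the slide: query built by concatenation, input not validated.
    Kept to show the failure: whatever the form sends is parsed as SQL."""
    sql = "SELECT * FROM UserTable WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Best: parameterized SQL. The value is bound separately from the statement
    text, so it is compared as a value and never parsed as SQL."""
    return conn.execute("SELECT * FROM UserTable WHERE id=?", (user_id,)).fetchall()


def is_integer_id(user_id):
    """Okay: cast to the numeric type the column expects; reject everything else."""
    try:
        int(user_id)
        return True
    except (TypeError, ValueError):
        return False


def lookup_cast(conn, user_id):
    """Concatenation is acceptable only once the input has been reduced to an int."""
    if not is_integer_id(user_id):
        raise ValueError("id must be an integer")
    return conn.execute("SELECT * FROM UserTable WHERE id=" + str(int(user_id))).fetchall()
```

With the concatenated version the non-numeric input returns every row; the parameterized version returns nothing for it, because SQLite compares the whole string against the integer column, and the cast version refuses to build a query at all.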
Bad Defense: Manual Blacklist
Check input for dangerous characters
Replace with harmless equivalents, or
Die without executing query
Hard to get right
Easy to forget unusual corner cases
Alternate character encodings
Escape handling may depend on db server software
May not match developer expectation
If server software changes, code is vulnerable
Bad Defense: Authentication
Developer says:
    "Only administrators can view the vulnerable page and the admin already has full database access. Therefore, SQL injection is not a problem."
Is this exploitable?
Problem: Malicious content elsewhere can exploit site's trust in the user to allow access to vulnerable page
    <img src="/admin/lookupuser.php?id='; UPDATE Person SET Password='x' WHERE username='admin">
Access Control
ACL versus CL
Bell-La Padula
Biba
SetUID
Access Control Example
Alice can read and write the file x, read the file y, and execute the file z
Bob can read x, read and write y, and cannot access z
Write an ACL and capability list
ACL
File x
Alice: read, write
Bob: read
File y
Alice: read
Bob: read, write
File z
Alice: execute
Capability list
Alice:
    File x: read, write
    File y: read
    File z: execute
Bob:
    File x: read
    File y: read, write
Comparison
Q: Which access control mechanism is better at containing a Trojan horse virus?
Capability model allows capability owner to reduce capability inherited by process
    Trojan horse process can be run without write access to file y (for example)
Can this stop all Trojans?
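Added example (not from the review session): the Alice/Bob matrix above built as both an ACL (per object) and a capability list (per subject) in Python, plus the comparison point in code: a capability list can be reduced before an untrusted program inherits it, while an ACL check keyed on the user's identity cannot tell that program apart from the user. The grant triples and the function names are constructed for this example.

```python
# Constructed access matrix from the review example: (subject, object, right).
GRANTS = [
    ("Alice", "x", "read"), ("Alice", "x", "write"),
    ("Alice", "y", "read"),
    ("Alice", "z", "execute"),
    ("Bob", "x", "read"),
    ("Bob", "y", "read"), ("Bob", "y", "write"),
]


def build_acl(grants):
    """Column view of the matrix: object -> {subject: rights}."""
    acl = {}
    for subject, obj, right in grants:
        acl.setdefault(obj, {}).setdefault(subject, set()).add(right)
    return acl


def build_capability_list(grants):
    """Row view of the matrix: subject -> {object: rights}."""
    caps = {}
    for subject, obj, right in grants:
        caps.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return caps


def acl_check(acl, subject, obj, right):
    """ACL decision: look up the object's list under the requesting user's identity."""
    return right in acl.get(obj, {}).get(subject, set())


def cap_check(process_caps, obj, right):
    """Capability decision: the process presents the capabilities it holds;
    who started it is not consulted."""
    return right in process_caps.get(obj, set())


def restrict(caps_for_subject, drop):
    """Reduced capability list for a child process. Rights listed in `drop`
    (pairs of object, right) are removed; nothing can be added."""
    reduced = {}
    for obj, rights in caps_for_subject.items():
        kept = {r for r in rights if (obj, r) not in drop}
        if kept:
            reduced[obj] = kept
    return reduced


def run_untrusted_as(caps_for_subject):
    """Launch an untrusted program (the slide's Trojan horse) with write access
    to file y withheld, as the capability owner is allowed to do."""
    return restrict(caps_for_subject, {("y", "write")})
```

Under the ACL, any process Bob runs can write y, because the check only sees "Bob"; under the capability list, the child holds no write capability for y and the check fails, although it can still read y and x. That is the containment the slide credits to the capability model, and also its limit: a Trojan that only needs the capabilities it was given is not stopped.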
Bell-La Padula Model
TOPSECRET > SECRET > CONFIDENTIAL
A≠B≠C
User    Cleared for          Wants to access      Read   Write
Paul    TOPSECRET, {A, C}    SECRET, {C}
Robin   CONFIDENTIAL, {B}    SECRET, {B}
Sammi   TOPSECRET, {A, C}    CONFIDENTIAL, {A}
Anna    CONFIDENTIAL, {C}    CONFIDENTIAL, {B}
Biba Policy
How would a virus spread if:
    The virus were placed in the system at system low (the compartment which all other compartments dominate)?
        Could only infect lowest compartment
    The virus were placed in the system at system high (the compartment which dominates all other compartments)?
        Could infect all other compartments
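Added example (not from the review session) covering both the Bell-La Padula table and the Biba question: a Python model of the (level, compartments) lattice with the dominance relation, the two BLP rules (no read up, no write down), and the two Biba rules, which are their duals (no read down, no write up). The four requests are taken from the table above; the integrity lattice used for the Biba part (low, A, B, high) is constructed for the example.

```python
from typing import FrozenSet, Tuple

Label = Tuple[int, FrozenSet[str]]  # (rank of the hierarchical level, set of compartments)

# Hierarchical levels from the slide, TOPSECRET > SECRET > CONFIDENTIAL
LEVELS = {"CONFIDENTIAL": 1, "SECRET": 2, "TOPSECRET": 3}


def label(level: str, compartments) -> Label:
    return (LEVELS[level], frozenset(compartments))


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a's compartments include all of b's.
    Labels whose compartment sets are incomparable (A versus B) dominate in neither direction."""
    return a[0] >= b[0] and b[1] <= a[1]


# Bell-La Padula (confidentiality)
def blp_can_read(subject: Label, obj: Label) -> bool:
    return dominates(subject, obj)        # simple security property: no read up


def blp_can_write(subject: Label, obj: Label) -> bool:
    return dominates(obj, subject)        # *-property: no write down


# The four requests from the review table: (clearance, label of the object wanted)
REQUESTS = {
    "Paul":  (label("TOPSECRET", "AC"), label("SECRET", "C")),
    "Robin": (label("CONFIDENTIAL", "B"), label("SECRET", "B")),
    "Sammi": (label("TOPSECRET", "AC"), label("CONFIDENTIAL", "A")),
    "Anna":  (label("CONFIDENTIAL", "C"), label("CONFIDENTIAL", "B")),
}


def blp_decisions(requests=REQUESTS):
    """Fill in the Read and Write columns: name -> (may read, may write)."""
    return {name: (blp_can_read(s, o), blp_can_write(s, o)) for name, (s, o) in requests.items()}


# Biba (integrity): same lattice, rules are the duals of BLP's
def biba_can_read(subject: Label, obj: Label) -> bool:
    return dominates(obj, subject)        # no read down


def biba_can_write(subject: Label, obj: Label) -> bool:
    return dominates(subject, obj)        # no write up


# Constructed integrity lattice: "low" is dominated by every label, "high" dominates every label
INTEGRITY = {
    "low":  (0, frozenset()),
    "A":    (1, frozenset("A")),
    "B":    (1, frozenset("B")),
    "high": (2, frozenset("AB")),
}


def biba_infectable(virus_label: Label, lattice=INTEGRITY):
    """Labels a virus running at virus_label could write into, which under Biba is
    exactly the set of compartments it could infect."""
    return {name for name, lab in lattice.items() if biba_can_write(virus_label, lab)}
```

Anna's request is the case the A≠B≠C line is there for: CONFIDENTIAL {C} and CONFIDENTIAL {B} are at the same level but neither compartment set contains the other, so neither read nor write is allowed. For Biba, a virus at system low can only write to system low, and one at system high can write everywhere, which is the answer the slide gives.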
Effective user id (EUID)
Each process has three IDs (+ more under Linux)
    Real user ID (RUID)
        same as the user ID of parent (unless changed)
        used to determine which user started the process
    Effective user ID (EUID)
        from set user ID bit on the file being executed, or sys call
        determines the permissions for process: file access and port binding
    Saved user ID (SUID)
        so previous EUID can be restored
Real group ID, effective group ID, used similarly
Example
Program B (owner 33), run by user 25:
    RUID 25, EUID 25, SUID 25
    …; fork(); exec();
Program C (owner 18, SetUID), after exec:
    RUID 25, EUID 18, SUID 25
    …; …; i=getruid(); setuid(i); …; …;
After setuid(i):
    RUID 25, EUID 25, SUID 18
If program C was owner 0 (root), could change ids to anything…
TPM
Functions
Keys
TPM Functions
Updating PCR
    TPM_Extend(n, D): PCR[n] ← SHA-1(PCR[n] || D)
    TPM_PcrRead(n): returns value(PCR(n))
    TPM_SaveState and TPM_Startup(ST_STATE)
Encrypted storage
    TPM_TakeOwnership(OwnerPassword, …)
    TPM_CreateWrapKey
    TPM_Seal(keyhandle, KeyAuth, PcrValues, data)
    TPM_Unseal only when PCR matches blob PCR
TPM Functions
Attestation: TPM_Quote
Arguments (some):
    keyhandle: which AIK key to sign with
    KeyAuth: Password for using key `keyhandle'
    PCR List: Which PCRs to sign.
    Challenge: 20-byte challenge from remote server. Prevents replay of old signatures.
    Userdata: additional data to include in sig.
Returns signed data and signature.
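Added example (not from the review session, and not a real TPM interface) covering the PCR, sealed-storage and quote slides together: a small Python simulator of TPM_Extend, TPM_PcrRead, TPM_Seal/TPM_Unseal and TPM_Quote. The SRK and AIK are replaced by random symmetric keys held inside the object, the sealing cipher is a SHA-1 based keystream, and the AIK signature is an HMAC; those substitutions, the class name and the method names are assumptions made so the example runs offline. What is faithful to the slides is the behaviour: the extend chain is order dependent, unseal releases the data only when the recorded PCRs match the current ones, and a quote binds PCR values to the verifier's 20-byte challenge.

```python
import hashlib
import hmac
import os

PCR_LEN = 20  # SHA-1 digest size; every PCR starts as 20 zero bytes at TPM_Startup


class ToyTPM:
    """Constructed, software-only model of the TPM 1.2 calls named on the slides."""

    def __init__(self, num_pcrs=24):
        self.pcrs = [bytes(PCR_LEN)] * num_pcrs
        self.srk = os.urandom(32)  # stand-in for the Storage Root Key (symmetric here)
        self.aik = os.urandom(32)  # stand-in for an Attestation Identity Key (MAC, not RSA)

    # TPM_Extend / TPM_PcrRead
    def extend(self, n, data):
        """PCR[n] <- SHA-1(PCR[n] || data): the value depends on every input and on their order."""
        self.pcrs[n] = hashlib.sha1(self.pcrs[n] + data).digest()
        return self.pcrs[n]

    def pcr_read(self, n):
        return self.pcrs[n]

    # TPM_Seal / TPM_Unseal
    def _keystream(self, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            out += hashlib.sha1(self.srk + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    @staticmethod
    def _policy_bytes(expected):
        return b"".join(n.to_bytes(1, "big") + v for n, v in sorted(expected.items()))

    def seal(self, pcr_list, data):
        """Encrypt data under the SRK and record the current values of the listed PCRs."""
        expected = {n: self.pcrs[n] for n in pcr_list}
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self.srk, self._policy_bytes(expected) + nonce + ct, hashlib.sha1).digest()
        return {"pcrs": expected, "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob):
        """Release the plaintext only if the blob is intact and every recorded PCR matches now."""
        msg = self._policy_bytes(blob["pcrs"]) + blob["nonce"] + blob["ct"]
        if not hmac.compare_digest(hmac.new(self.srk, msg, hashlib.sha1).digest(), blob["tag"]):
            raise ValueError("sealed blob was modified")
        for n, value in blob["pcrs"].items():
            if not hmac.compare_digest(self.pcrs[n], value):
                raise PermissionError("PCR %d does not match the value it was sealed against" % n)
        return bytes(a ^ b for a, b in zip(blob["ct"], self._keystream(blob["nonce"], len(blob["ct"]))))

    # TPM_Quote
    def quote(self, pcr_list, challenge, userdata=b""):
        """Sign (PCR values || challenge || userdata) with the AIK. The verifier picks the
        20-byte challenge, so a quote captured earlier cannot be replayed."""
        if len(challenge) != 20:
            raise ValueError("challenge must be 20 bytes")
        signed = self._policy_bytes({n: self.pcrs[n] for n in pcr_list}) + challenge + userdata
        return signed, hmac.new(self.aik, signed, hashlib.sha1).digest()

    def verify_quote(self, signed, signature):
        # A real verifier checks the AIK public key (endorsed via the EK); this model holds the key itself.
        return hmac.compare_digest(hmac.new(self.aik, signed, hashlib.sha1).digest(), signature)
```

The data passed to `seal` would normally be an AES key rather than the secret itself, as the TPM Keys slide notes; extending any listed PCR after sealing, even with the same measurements in a different order, makes `unseal` refuse.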
TPM Keys
Data encrypted by TPM_Seal (usually AES key)
    Only key not hidden inside TPM
Storage Root Key (SRK): certifies wrap keys
    Created by TPM_TakeOwnership
Wrap keys: encrypt data with TPM_Seal
    Created by TPM_CreateWrapKey
Attestation Identity Key (AIK) for use with TPM_Quote
    Creation details "not important"
Endorsement key (EK) for endorsing AIK
    Certificate issued once for TPM by vendor
Malware
Example question
Example Question
The Earlybird worm signature generation system only finds worm signatures that consist of a consecutive sequence of characters.
Give an example of a vulnerability that a worm can exploit that cannot be detected using such signatures.
Follow up
Suppose Earlybird was able to generate signatures that contain wild cards (for example, "script/*.cgi").
Give an example of a vulnerability that a worm can exploit that cannot be detected using such signatures.