Games and the Impossibility of Realizable Ideal Functionality

Download Report

Transcript Games and the Impossibility of Realizable Ideal Functionality 

Spring 2006
CS 155
Final Review Session
Collin Jackson
1
Final Details
Open book, open notes, closed laptop
Main final (recommended)
 7-10 PM on Tuesday, June 13
 Gates B01
Alternate final
 3:30-6:30 PM on Monday, June 12
 Gates B03
Study suggestions:
 Previous finals available on course webpage
 Reading, slides, lectures, homework
 Email [email protected] with questions
2
Some Topics
Project 2 recap
SQL injection
Access control
TPM
3
Project 2 Recap
Part 1
Part 2
Grading
4
Part 1: Attacks
Attack A: Cookie Theft
lin
k
zoobar.org email
Attack B: Silent Transfer
badguy.com
Attack C: Login Snooping
zoobar.org
stanford.edu
Attack D: Profile Worm
badguy.com
zoobar.org email
zoobar.org
Most common issues were race conditions or attack
differs from specification in some detail
Mostly full credit given for attacks where idea was
there.
5
Part 2: Defenses
Attack A: Cookie Theft
Attack D: Profile Worm
Everybody fixed these.
6
Part 2: Defenses
Attack B: Request Forgery
Ok:
authentication cookie
Easy to circumvent:
userid or hash(userid)
Attack C: Login Snooping
Ok:
Add quotes around value
Easy to circumvent:
Blacklist dangerous strings
7
Part 2: More XSS Tests
index.php
 Profile </textarea><script>…</script>
 Exploitable? Depends on (optional) login
CSRF defense
users.php
 Profile <img onload=…>
 User </script><script>…<script>
transfer.php
 Recipient <script>…</script>
 Exploitable? Depends on transfer CSRF
defense
8
Part 2: Grading
Key ideas:
 Preferred approach is escaping
 Alternate approach is whitelisting
 Blacklisting is easy to get wrong
Grades released sometime this weekend
If you feel your project was misgraded
 Contact TAs
 Reserve right to regrade entire project
9
SQL Injection
Problem Overview
Good defenses
Bad defenses
10
SQL Syntax
Four basic commands (plus many others)




INSERT INTO [table] ([column], …)
VALUES ([value], …)
SELECT [column], … FROM [table] WHERE
[condition]
UPDATE [table] SET [column]=[value], …
WHERE [condition]
DELETE FROM [table] WHERE [condition]
Strings delimited with '
Statements separated with ;
Comments start with -11
Attack Characteristics
Victim site builds query using concatenation
User data not validated
 String may appear where integer expected
"SELECT * FROM UserTable WHERE id="
+ $_POST["userid"]
Breaks out of quoted string
“SELECT Password FROM UserTable
WHERE Username='" +
$_POST["username"] + "'";

12
Crafting an attack
Spider site and look for input fields
Put ' in each field and look for errors
Try to determine the structure of the query
 Guess and observe results
 Error messages can be helpful
Construct malicious attack query, e.g.
 Return sensitive data from other rows or
tables
 Modify passwords file to give attacker access
13
Example Question
Site form allows lookup by integer id:
<input name=id><input type=submit>
Fix this query: "SELECT * FROM UserTable
WHERE id=“ + Request["id"];
Best: Parameterized SQL
cmd.CommandText = "SELECT * FROM
UserTable WHERE id=@id";
cmd.Parameters.Add("@id",Request["id"]);
cmd.ExecuteReader();
Okay: Escaping functions provided by language
 Must always use right one, compose in right order
Okay: Casting to numerical data type
14
Bad Defense: Manual Blacklist
Check input for dangerous characters
 Replace with harmless equivalents, or
 Die without executing query
Hard to get right
 Easy to forget unusual corner cases
 Alternate character encodings
Escape handling may depend on db server software
 May not match developer expectation
 If server software changes, code is vulnerable
15
Bad Defense: Authentication
Developer says:
“Only administrators can view the vulnerable page and
the admin already has full database access. Therefore,
SQL injection is not a problem.”
Is this exploitable?
Problem: Malicious content elsewhere can exploit site’s
trust in the user to allow access to vulnerable page
<img src="/admin/lookupuser.php?id=';
UPDATE Person SET Password='x' WHERE
username='admin">
16
Access Control
ACL version CL
Bell-La Padula
Biba
SetUID
17
Access Control Example
Alice can read and write the file x, read the
file y, and an execute the file z
Bob can read x, read and write y, and cannot
access z
Write a ACL and capability list
18
ACL
File x

Alice: read, write

Bob: read
File y

Alice: read

Bob: read, write
File z

Alice: execute
19
Capability list
Alice:

File

File

File
Bob:

File

File
x: read, write
y: read
z: execute
x: read
y: read, write
20
Comparison
Q: Which access control mechanism is better
at containing a Trojan horse virus?
Capability model allows capability owner to
reduce capability inherited by process
Trojan horse process can be run without write
access to file y (for example)
Can this stop all Trojans?
21
Bell-La Padula Model
TOPSECRET > SECRET > CONFIDENTIAL
A≠B≠C
User
Cleared for
Wants to access
Paul
TOPSECRET, {A, C}
SECRET, {C}
Robin
CONFIDENTIAL, {B}
SECRET, {B}
Sammi
TOPSECRET, {A, C}
CONFIDENTIAL, {A}
Anna
CONFIDENTIAL, {C}
CONFIDENTIAL, {B}
Read Write
22
Bell-La Padula Model
TOPSECRET > SECRET > CONFIDENTIAL
A≠B≠C
User
Cleared for
Wants to access
Paul
TOPSECRET, {A, C}
SECRET, {C}
Robin
CONFIDENTIAL, {B}
SECRET, {B}
Sammi
TOPSECRET, {A, C}
CONFIDENTIAL, {A}
Anna
CONFIDENTIAL, {C}
CONFIDENTIAL, {B}
Read Write


23
Bell-La Padula Model
TOPSECRET > SECRET > CONFIDENTIAL
A≠B≠C
User
Cleared for
Wants to access
Read Write
Paul
TOPSECRET, {A, C}
SECRET, {C}


Robin
CONFIDENTIAL, {B}
SECRET, {B}


Sammi
TOPSECRET, {A, C}
CONFIDENTIAL, {A}
Anna
CONFIDENTIAL, {C}
CONFIDENTIAL, {B}
24
Bell-La Padula Model
TOPSECRET > SECRET > CONFIDENTIAL
A≠B≠C
User
Cleared for
Wants to access
Read Write
Paul
TOPSECRET, {A, C}
SECRET, {C}


Robin
CONFIDENTIAL, {B}
SECRET, {B}


Sammi
TOPSECRET, {A, C}
CONFIDENTIAL, {A}


Anna
CONFIDENTIAL, {C}
CONFIDENTIAL, {B}
25
Bell-La Padula Model
TOPSECRET > SECRET > CONFIDENTIAL
A≠B≠C
User
Cleared for
Wants to access
Read Write
Paul
TOPSECRET, {A, C}
SECRET, {C}


Robin
CONFIDENTIAL, {B}
SECRET, {B}


Sammi
TOPSECRET, {A, C}
CONFIDENTIAL, {A}


Anna
CONFIDENTIAL, {C}
CONFIDENTIAL, {B}


26
Biba Policy
How would a virus spread if:

The virus were places in the system at
system low (the compartment which all
other compartments dominate)
Could only infect lowest compartment

The virus were places in the system at
system high (the compartment which
dominates all other compartments)
Could infect all other compartments
27
Effective user id (EUID)
Each process has three Ids (+ more under Linux)
 Real user ID
(RUID)
 same as the user ID of parent (unless changed)
 used to determine which user started the process
 Effective user ID (EUID)
 from set user ID bit on the file being executed, or
sys call
 determines the permissions for process

file access and port binding
Saved user ID
(SUID)
 So previous EUID can be restored
Real group ID, effective group ID, used similarly

28
Example
Program B
Owner 33
User 25
RUID 25
EUID 25
SUID 25
…;
fork( );
exec( );
Program C
Owner 18
SetUID
…;
…;
i=getruid()
setuid(i);
…;
…;
RUID 25
EUID 18
SUID 25
RUID 25
EUID 25
SUID 18
If program C was owner 0 (root),
could change ids to anything…
29
TPM
Functions
Keys
30
TPM Functions
Updating PCR

TPM_Extend(n,D): PCR[n]  SHA-1 ( PCR[n] || D )
TPM_PcrRead(n): returns value(PCR(n))
 TPM_SaveState and TPM_Startup(ST_STATE)
Encrypted storage
 TPM_TakeOwnership( OwnerPassword, … )
 TPM_CreateWrapKey


TPM_Seal(keyhandle, KeyAuth, PcrValues, data)

TPM_Unseal only when PCR matches blob PCR
31
TPM Functions
Attestation: TPM_Quote
(some)
Arguments:
 keyhandle: which AIK key to sign with
 KeyAuth: Password for using key `keyhandle’
 PCR List: Which PCRs to sign.
 Challenge: 20-byte challenge from remote server

Prevents replay of old signatures.
 Userdata: additional data to include in sig.

Returns signed data and signature.
32
TPM Keys
Data encrypted by TPM_Seal (usually AES key)
 Only key not hidden inside TPM
Storage Root Key (SRK): certifies wrap keys
 Created by TPM_TakeOwnership
Wrap keys: encrypts data with TPM_Seal
 Created by TPM_CreateWrapKey
Attestation Identity Key (AIK) for use with TPM_Quote
 Creation details “not important”
Endorsement key (EK) for endorsing AIK
 Certificate issued once for TPM by vendor
33
34
Malware
Example question
35
Example Question
The Earlybird worm signature generation system only
finds worm signatures that consist of a consecutive
sequence of characters.
Give an example of a vulnerability that a worm can
exploit that cannot be detected using such signatures.
36
Follow up
Suppose Earlybird was able to generate signatures
that contain wild cards (for example, "script/*.cgi").
Give an example of a vulnerability that a worm can
exploit that cannot be detected using such signatures.
37
38