CS 161: Computer Security on

Security Principles

Mon, 01 Jan 0001 00:00:00 +0000

What is security? #

Security is enforcing a desired property (confidentiality, privacy, integrity, authentication, availability) in the presence of attackers.

Some things that security helps protect:

Physical safety (prevent disruption of cars, planes, etc)
Personal information (health records…)
National security

Everything is hackable, especially if it’s connected to the internet.

Threat Model #

It is important to understand the motives and methods behind attacks, and make general assumptions about them to be safe. A threat model is a model of the attacker and the resources they have.

x86

Mon, 01 Jan 0001 00:00:00 +0000

Memory Layout #

Code/text: program code
Data: static variables allocated on start
Heap: dynamic memory allocated with alloc and free
Stack: local variables and stack frames

![[/cs161/img/x86/Untitled.png]]

Basics #

x86 is a commonly used instruction set in consumer computers.

x86 is little endian (smallest bit on lowest memory address)
x86 has variable length instructions that can be from 1 to 16 bytes long.
x86 has 8 general purpose registers (EAX, EBX, ECX, EDX, ESI, EDI), a stack pointer ESP (sp in riscv), a base pointer EBP (fp in riscv), and an instruction pointer register EIP (pc in riscv)

Syntax #

Registers: mod signs (%eax, %esp, %edi)
Immediates: dollar signs ($1, $0x4)
Memory reference: 8(%esp) gets 8 bytes past esp location
Example instruction: add $0x8, %ebx adds 8 to ebx

Stack Frames #

The stack frame of a function is the space on the stack allocated for local variables. It goes away upon return from the function.

Memory Safety Vulnerabilities

Mon, 01 Jan 0001 00:00:00 +0000

Buffer Overflow Attacks #

(For the underlying C memory model — pointers, addresses, stack layout — see [[cs61c/Memory, Pointers, Addresses]] and [[cs61c/Memory Management]]. Most of these attacks exploit unchecked pointer arithmetic on the runtime stack.)

out-of-bounds write #

Overwriting bytes in a later position by making the current value much larger than anticipated.

This works because C doesn’t check memory boundaries.
Vulnerable code: gets() writes bytes until it encounters a newline. If there’s no newline, then it may overwrite far more than intended.
The following is an example. Attackers can simply write 21 ones into name and write a 1 into authenticated, thus logging in.

char name[20];
int authenticated = 0;

void bad(void) {
	...
	gets(name);
 ...
}

Stack Smashing #

When overflows overwrite RIP to jump to a new address and run a custom script.

Heap Vulnerabilities

Mon, 01 Jan 0001 00:00:00 +0000

C++ Vtables #

C++ is an object oriented language that has polymorphism, instance variables, methods, etc.

To support these features, every class has a vtable (function pointer table). Each object then points to its vtable, where pointers can be dereferenced from.

![[/cs161/img/Heap-Vulnerabilities/Untitled.png]]

Vtables exist in the heap. Vulnerability: add shellcode and point to it

![[/cs161/img/Heap-Vulnerabilities/Untitled 1.png]]

Heap Overflow #

Objects are allocated in the heap (malloc), but writes to a buffer in the heap are not checked. Attackers can overflow the heap and overwrite the vtable pointer of the next object to point to a malicious vtable.

Memory Safety Mitigations

Mon, 01 Jan 0001 00:00:00 +0000

How do we protect against memory safety vulnerabilities?

Memory Safe Languages #

Memory safe languages check bounds and prevent undefined memory accesses, and therefore are immune to memory safety vulnerabilities.

Examples: Java, Python, C#…

However, memory safe languages come at the cost of performance: malloc takes amortized constant time, but having memory checking and garbage collection can add additional overhead. These days, this is fairly insignificant and languages like Go, Rust have comparable performance.

Cryptography

Mon, 01 Jan 0001 00:00:00 +0000

What is Cryptography? #

Cryptography is the study of secure communication over insecure channels, and often involves providing guarantees on the security of resources in the presence of an attacker. (For the number-theory foundations behind RSA and Diffie–Hellman — modular exponentiation, Fermat’s little theorem, multiplicative inverses — see [[cs70/discrete-math/modular-arithmetic]] and [[cs70/discrete-math/rsa-cryptography]].)

The Cast

Alice: sender
Bob: recipient
Eve: eavesdropper (cannot modify messages)
Mallory: malicious attacker (can modify messages)

Three Goals of Cryptography #

Confidentiality: adversary cannot read messages
1. Lock and unlock messages on local machine of sender and recipient, so all messages in the communication channel are encrypted
2. If encrypted, the ciphertext should not give attackers any additional information about the plaintext, other than what the attacker already knew beforehand.
3. Ideally, it should be impossible to distinguish between two encrypted messages of the same length.
4. IND-CPA: Indistinguishability under chosen plaintext attack: If Eve sends a pair of plaintexts $M_0$ and $M_1$ to Alice to encrypt, Eve must only be able to guess which encrypted message was which plaintext with probability $0.5$. (This must also apply for two identical strings!)
  1. Edge cases: does not hide length, and only applies to polynomial time attacks (since exponential time brute forcing would be unfeasible). For example, probability $0.5 + 0.5^{128}$ is acceptable.
Integrity: adversary cannot change messages without being detected
1. Attach a tag to messages. If the tag was changed, then the message was modified
Authenticity: can prove that a message came from its intended sender

Kerckhoff’s Principle #

Security through obscurity: always assume attackers know the system. i.e. cryptosystems should be secure even if attackers know exactly how it works:

Web Security

Mon, 01 Jan 0001 00:00:00 +0000

What is the Web? #

The Web is a platform for deploying application and sharing information portably and securely.

HTTP #

HyperText Transfer Protocol is a common data communication protocol on the web.

Clients make a resource request to a specific URL (see below for an example).

![[/cs161/img/Web-Security/Untitled.png]]

An HTTP request has a method (GET, POST..), a path, and some headers (like version, date, content type…)
A HTTP response primarily has a status code (200 OK) with some more headers.

HTML/CSS/JS #

HTML specifies the layout, CSS specifies the style, and JS specifies the behavior. All three work together to modify the DOM (Document Object Model) of a webpage, which is then sent to a painter that outputs an image on the screen.

Networking

Mon, 01 Jan 0001 00:00:00 +0000

What is the Internet? #

A network is a set of connected machines that can communicate with each other through some agreed protocol.

A protocol is a shared agreement on syntax (structure, format, order of messages) and semantics (what actions to take when a message is received)

The Internet is a global network of computers (also known as a network of networks). (For a full networking course’s treatment of every layer below — including how TCP, BGP, and DNS actually work — see [[cs168/internet organization and layers]]. This page focuses on the security properties and attacks at each layer.)

Mon, 01 Jan 0001 00:00:00 +0000

[[Security Principles]] - How to evaluate threat models [[x86]] - x86 assembly basics and calling convention. [[Memory Safety Vulnerabilities]] - Buffer overflows and related vulnerabilities. [[Heap Vulnerabilities]] - Vtables and heap overflow. [[Memory Safety Mitigations]] - Canaries, NX pages, ASLR, PAC. [[Cryptography]] - Hashing, authentication, encryption, MAC, signatures. [[Web Security]] - Same-origin policy, CSRF, SQL injection, cookies, XSS, UI Attacks. [[Networking]] - The OSI layer model and all related technologies.

Extra Topics

Mon, 01 Jan 0001 00:00:00 +0000

Malware #

Malware is a catch-all term for malicious software, and can also be known as malcode or potentially unwanted application (PUA). Malware includes:

File deleting software
Spam email senders
DoS attack platforms
Rootkits that hide in the OS
And so on

Self-replicating code #

One thing that malware needs to do in order to become effective is spread quickly. One method to do so automatically is to write self-replicating code, which outputs a copy of itself and propagates onwards. Self-replicating code is extremely dangerous and should never be written intentionally.