Acest text este depozitat (și) aici din motive de siguranță. Recomandarea noastră este să respectați dorința autorului exprimată în secțiunea 1.1
Security Concepts
[email protected]
This is an online book about computer, network, technical, physical, information and cryptographic security. It is a labor of love, incomplete until the day I am finished.
1 Metadata
The books that help you most are those which make you think the most. The hardest way of learning is that of easy reading; but a great book that comes from a great thinker is a ship of thought, deep freighted with truth and beauty.
— Theodore Parker
1.1 Copyright and Distribution Control
1.2 Goals
1.3 Audience
When I picture a perfect reader, I always picture a monster of courage and curiosity, also something supple, cunning, cautious, a born adventurer and discoverer.
— Friedreich Nietzsche
1.4 About This Work
1.5 On the HTML Version
1.6 About Writing This
1.7 Tools Used To Create This Book
2 Security Properties
2.1 Information Security is a PAIN
2.2 Parkerian Hexad
- confidentiality
- possession
- integrity
- authenticity
- availability
- utility
2.3 Pentagon of Trust
- Admissibility (is the remote node trustworthy?)
- Authentication (who are you?)
- Authorization (what are you allowed to do?)
- Availability (is the data accessible?)
- Authenticity (is the data intact?)
2.4 Security Equivalency
2.5 Other Questions
- Secure to whom? A web site may be secure (to its owners) against unauthorized control, but may employ no encryption when collecting information from customers.
- Secure from whom? A site may be secure against outsiders, but not insiders.
3 Security Models
- Computer Security Models
- Bell-LaPadula Model
- Biba Integrity Model
- Brewer-Nash Model
- Graham-Denning Model
- Take-Grant Model
- Clark-Wilson Model
- Harrison-Ruzzo-Ullman Model
- Non-interference Model
4 Security Concepts
There is no security on this earth, there is only opportunity.
— General Douglas MacArthur (1880-1964)
4.1 The Classification Problem
4.1.1 Classification Errors
4.1.2 The Base-Rate Fallacy
4.1.3 Test Efficiency
4.1.4 Incompletely-Defined Sets
As far as the laws of mathematics refer to reality, they are not certain; and as far as they are certain, they do not refer to reality.
— Albert Einstein
4.1.5 The Guessing Hazard
4.2 Security Layers
- network security
- application/database security
- OS security
- hardware security
- physical security
4.3 Privilege Levels
- Anonymous, remote systems
- Authenticated remote systems
- Local unprivileged user (UID > 0)
- Administrator (UID 0)
- Kernel (privileged mode, ring 0)
- Hardware (TPM, ring -1, hypervisors, trojaned hardware)
4.4 What is a Vulnerability?
A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. The term “vulnerability” is often used very loosely. However, here we need to distinguish threats, attacks, and countermeasures.
— OWASP Vulnerabilities Category (http://www.owasp.org/index.php/Category:Vulnerability)
4.5 Vulnerability Databases
4.5.1 National Vulnerability Database
NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.
— NVD Home Page
- National Vulnerability Database (http://nvd.nist.gov/)
4.5.2 Common Vulnerabilities and Exposures
International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures.
CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
— CVE Home Page
- Common Vulnerabilities and Exposures (http://cve.mitre.org/)
4.5.3 Common Weakness Enumeration
The Common Weakness Enumeration Specification (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture. Each individual CWE represents a single vulnerability type. CWE is currently maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS). A detailed CWE list is currently available at the MITRE website; this list provides a detailed definition for each individual CWE.
— CWE Home Page
- Common Weakness Enumeration (http://cwe.mitre.org/)
4.5.4 Open Source Vulnerability Database
OSVDB is an independent and open source database created by and for the community. Our goal is to provide accurate, detailed, current, and unbiased technical information.
— OSVDB Home Page
- The Open Source Vulnerability Database (http://osvdb.org/)
4.6 Accuracy Limitations in Making Decisions That Impact Security
On two occasions I have been asked, “Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?” In one case a member of the Upper, and in the other a member of the Lower, House put this question. I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
— Charles Babbage
4.7 Rice’s Theorem
- Wikipedia article on Rice’s Theorem (http://en.wikipedia.org/wiki/Rice%27s_theorem)
5 Economics of Security
5.1 How Expensive are Security Failures?
5.1.1 TJ Maxx
- WEP Security + Pringles-Can = $1B TJX Loss?
- TJX’s failure to secure Wi-Fi could cost $1B
- Report of an Investigation into the Security, Collection and Retention of Personal Information
5.1.2 Greek Cell Tapping Incident
5.1.3 VAServ/LxLabs
- Slashdot article (http://it.slashdot.org/story/09/06/09/1422200/Security-Flaw-Hits-VAserv-Head-of-LxLabs-Found-Hanged)
- LxLabs boss found hanged after vuln wipes websites (http://www.theregister.co.uk/2009/06/09/lxlabs_funder_death/)
- Webhost hack wipes out data for 100,000 sites (http://www.theregister.co.uk/2009/06/08/webhost_attack/)
5.1.4 CardSystems
- CardSystems Solutions Settles FTC Charges (http://www.ftc.gov/opa/2006/02/cardsystems_r.shtm)
5.1.5 Egghead Software
Egghead was hurt by a December 2000 revelation that hackers had accessed its systems and potentially compromised customer credit card data. The company filed for bankruptcy in August 2001. After a deal to sell the company to Fry’s Electronics for $10 million fell through, its assets were acquired by Amazon.com for $6.1 million.
…
In December 2000, the company’s IIS-based servers were compromised, potentially releasing credit card data of over 3.6 million people. In addition to poor timing near the Christmas season, the handling of the breach by publicly denying that there was a problem, then notifying Visa, who in turn notified banks, who notified consumers, caused the breach to escalate into a full blown scandal.
— Wikipedia
- Wikipedia article on Egghead Software (http://en.wikipedia.org/wiki/Egghead_Software)
5.1.6 Heartland Payment Systems
- Heartland sued over data breach (http://news.cnet.com/8301-1009_3-10151961-83.html)
5.1.7 Verizon Data Breach Study
- Verizon Business 2009 Data Breach Study Finds Significant Rise in Targeted Attacks, Organized Crime Involvement (http://newscenter.verizon.com/press-releases/verizon/2009/verizon-business-2009-data.html)
5.1.8 Web Hacking Incidents Database
- Old Site (http://www.webappsec.org/projects/whid/)
- New Site (http://www.xiom.com/whidf)
5.1.9 DATALOSSdb
- Web Site (http://datalossdb.org/)
5.1.10 Data Breach Investigations Report
5.2 Abuse Detection and Response: A Cost-Benefit Perspective
6 Adversary Modeling
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.
— Sun Tzu, The Art of War (http://en.wikipedia.org/wiki/The_Art_of_War)
6.1 Common Psychological Errors
- Overly different; if you looked at grapes all day, you’d know a hundred different kinds, and naturally think them very different. But they all squish when you step on them, they are all fruits and frankly, not terribly different at all. So too we are conditioned to see people as different because the things that matter most to us, like finding an appropriate mate or trusting people, cannot be discerned with questions like “do you like breathing?”. An interesting experiment showed that a description of how they felt by people who had gone through a process is more accurate in predicting how a person will feel after the process than a description of the process itself. Put another way, people assume that the experience of others is too dependent on the minor differences between humans that we mentally exaggerate.
- Overly similar; people assume that others are motivated by the same things they are motivated by; we project onto them a reflection of our self. If a financier or accountant has ever climbed mount Everest, I am not aware of it. Surely it is a cost center, yes?
6.2 Cost-Benefit
6.3 Risk Tolerance
6.4 Capabilities
6.5 Sophistication Distribution
If they were capable, honest, and hard-working, they wouldn’t need to steal.
6.6 Goals
7 Threat Modeling
Men of sense often learn from their enemies. It is from their foes, not their friends, that cities learn the lesson of building high walls and ships of war.
— Aristophanes
7.1 Common Platform Enumeration
CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.
— CPE Home Page
- Common Platform Enumeration (http://cpe.mitre.org/)
7.2 A Taxonomy of Privacy Breaches
- A Taxonomy of Privacy (http://www.concurringopinions.com/archives/2006/03/a_taxonomy_of_p.html)
- surveillance
- interrogation
- aggregation
- identification
- insecurity
- secondary use
- exclusion
- breach of confidentiality
- disclosure
- exposure
- increased accessibility
- blackmail
- appropriation
- distortion
- intrusion
- decisional interference
7.3 Threats to Security Properties
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
- Wikipedia on STRIDE (http://en.wikipedia.org/wiki/STRIDE_(security))
- Uncover Security Design Flaws Using The STRIDE Approach (http://msdn.microsoft.com/en-us/magazine/cc163519.aspx)
7.4 Quantifying Risk
- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability
7.5 Attack Surface
Gnothi Seauton (“Know Thyself”)
— ancient Greek aphorism (http://en.wikipedia.org/wiki/Know_thyself)
- Malware Distribution through Physical Media a Growing Concern (http://it.slashdot.org/article.pl?sid=08/01/13/1533243)
- usbroken, a USB fuzzer based on Arduino (http://code.google.com/p/usbroken/)
- Schneier Hacking Computers over USB (http://www.schneier.com/blog/archives/2006/06/hacking_compute.html)
- USB Devices can Crack Windows (http://www.eweek.com/c/a/Security/USB-Devices-Can-Crack-Windows/)
- psgroove, a jailbreak exploit for PS3 (http://github.com/psgroove/psgroove)
7.6 Attack Trees
- Wikipedia on Attack Tree (http://en.wikipedia.org/wiki/Attack_tree)
- Schneier on Attack Trees (http://www.schneier.com/paper-attacktrees-ddj-ft.html)
- https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/requirements/236.html
- Microsoft on Attack Trees (http://msdn.microsoft.com/en-us/library/ff648644.aspx)
7.7 The Weakest Link
Amdahl’s law, also known as Amdahl’s argument, is named after computer architect Gene Amdahl, and is used to find the maximum expected improvement to an overall system when only part of the system is improved.
— Wikipedia (http://en.wikipedia.org/wiki/Amdahl%27s_law)
You are the weakest link, goodbye!
— The Weakest Link (TV series)
8 Physical Security
- Wikipedia article on Physical Security (http://en.wikipedia.org/wiki/Physical_security)
8.1 No Physical Security Means No Security
While the locks are getting tougher, the door and frame are getting weaker. A well-placed kick usually does the trick.
— a burglar
8.2 Data Remanence
I know what your computer did last summer.
- A Guide to Understanding Data Remanence in Automated Information Systems (Ver.2 09/91) (http://www.fas.org/irp/nsa/rainbow/tg025-2.htm)
- National Security Agency/CSS Degausser Products List 25 Sep 2001 (http://www.fas.org/irp/nsa/degausse.pdf)
8.2.1 Magnetic Storage Media (Disks)
- Hard drive’s data survives shuttle explosion (http://blocksandfiles.com/article/5056)
- German firm probes final World Trade Center deals (http://www.prisonplanet.com/german_firm_probes_final_world_trade_center_deals.htm)
- Wikipedia entry on Data Recovery (http://en.wikipedia.org/wiki/Data_recovery)
- 200 ways to recover your data (http://btjunkie.org/torrent/200-Ways-To-Recover-Revive-Your-Hard-Drive/4358cd27083f53a0d4dc3a7ec8354d22b61574534c96)
- Data Recovery blog (http://datarecovery-hddrecovery.blogspot.com/)
8.2.2 Semiconductor Storage (RAM)
- BoingBoing video demonstration (http://www.boingboing.net/2008/05/12/bbtv-hacker-howto-co.html)
- On A New Way to Read Data from Memory (http://www.cl.cam.ac.uk/~rja14/Papers/SISW02.pdf)
8.3 Smart Card Attacks
9 Hardware Security
9.1 Introduction
9.2 Protection Rings
9.3 Operating Modes
- Real-address mode (http://en.wikipedia.org/wiki/Real_mode)
- Protected Mode (http://en.wikipedia.org/wiki/Protected_mode)
- System Management Mode (http://en.wikipedia.org/wiki/System_Management_Mode)
- Virtual 8086 Mode (http://en.wikipedia.org/wiki/Virtual_8086_mode)
9.4 NX bit
The NX bit, which stands for No eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (or code) or for storage of data, a feature normally only found in Harvard architecture processors. However, the NX bit is being increasingly used in conventional von Neumann architecture processors, for security reasons.
An operating system with support for the NX bit may mark certain areas of memory as non-executable. The processor will then refuse to execute any code residing in these areas of memory. The general technique, known as executable space protection, is used to prevent certain types of malicious software from taking over computers by inserting their code into another program’s data storage area and running their own code from within this section; this is known as a buffer overflow attack.
— Wikipedia
- Wikipedia entry on NX bit (http://en.wikipedia.org/wiki/NX_bit)
9.5 Supervisors and Hypervisors
- Supervisory Program (http://en.wikipedia.org/wiki/Supervisory_program)
- Hypervisor (http://en.wikipedia.org/wiki/Hypervisor)
9.6 Trusted Computing
- Trusted Platform Module (http://en.wikipedia.org/wiki/Trusted_Platform_Module)
- Trusted Computing: The Mother(board) of All Big Brothers (http://www.cypherpunks.to/TCPA_DEFCON_10.pdf)
- Trusted Computing Group (http://en.wikipedia.org/wiki/Trusted_Computing_Group)
- Intel TCPA Overview (http://yuan.ecom.cmu.edu/trust/cd/Presentations/Intel%20TCPA%20Overview.ppt)
- Trusted Computing Group homepage (http://www.trustedcomputinggroup.org/)
- EFF: Trusted Computing: Promise and Risk (http://www.eff.org/wp/trusted-computing-promise-and-risk)
- Ross Anderson’s TCPA FAQ (http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html)
- FSF: Can You Trust Trusted Computing (http://www.gnu.org/philosophy/can-you-trust.html)
- OpenTC project (http://www.opentc.net/)
- IBM TCPA Group (http://www.research.ibm.com/gsal/tcpa/)
- Infineon TPM chip hacked (http://www.flylogic.net/blog/?tag=infineon)
9.7 Intel vPro
- Intel vPro (http://en.wikipedia.org/wiki/Intel_vPro)
- Big Brother Potentially Exists Right Now (http://www.tgdaily.com/hardware-opinion/39455-big-brother-potentially-exists-right-now-in-our-pcs-compliments-of-intels-vpr) (note: he is wrong about what ECHELON is)
9.8 Hardware Vulnerabilities and Exploits
- f00f bug (http://en.wikipedia.org/wiki/F00f)
- Cyrix Coma Bug (http://en.wikipedia.org/wiki/Cyrix_coma_bug)
- Using CPU System Management Mode to Circumvent Operating System Security Functions (http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf)
- Attacking SMM Memory via Intel CPU Cache Poisoning (http://theinvisiblethings.blogspot.com/2009/03/attacking-smm-memory-via-intel-cpu.html)
- Attacking Intel Trusted Execution Technology (http://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rutkowska/BlackHat-DC-09-Rutkowska-Attacking-Intel-TXT-slides.pdf)
- Blue Pill (http://en.wikipedia.org/wiki/Blue_Pill_(malware))
- SMM Rootkits: A New Breed of OS Independent Malware (http://www.eecs.ucf.edu/%7Eczou/research/SMM-Rootkits-Securecom08.pdf)
- Subverting the Xen Hypervisor (http://invisiblethingslab.com/resources/bh08/)
- TPM Reset Attack (http://www.cs.dartmouth.edu/~pkilab/sparks/)
10 Distributed Systems
10.1 Network Security Overview
10.2 Network Access Control: Packet Filters, Firewalls, Security Zones
- Trusted networks were internal to your corporation.
- An untrusted network may be the Internet, or a wifi network, or any network with open, public access.
- Demilitarized zones (DMZs) were originally defined as an area for placing machines that must talk to nodes on both trusted and untrusted networks. At first they were placed outside the firewall but inside a border router, then as a separate leg of the firewall, and now in are defined and protected in a variety of ways.
10.3 Network Reconnaissance: Ping Sweeps, Port Scanning
- nmap (http://www.nmap.org/)
- GNU netcat (http://netcat.sourceforge.net/)
- firewalk (http://www.packetfactory.net/projects/firewalk/)
10.4 Network Intrusion Detection and Prevention
- IDS (http://en.wikipedia.org/wiki/Intrusion-detection_system)
- Snort IDS (http://www.snort.org/)
10.5 Cryptography is the Sine Qua Non of Secure Distributed Systems
All cryptography lets you do is create trust relationships across untrustworthy media; the problem is still trust between endpoints and transitive trust.
— Marcus Ranum
10.6 Hello, My Name is 192.168.1.1
Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations).
— Network Security / PRIVATE Communication in a PUBLIC World by Charlie Kaufman, Radia Perlman, & Mike Speciner (Prentice Hall 2002; p.237)
10.7 Source Tapping; The First Hop and Last Mile
10.8 Security Equivalent Things Go Together
10.9 Man In The Middle
10.9.1 DNS MITM Issues
- Wikipedia article on DNS cache poisoning (http://en.wikipedia.org/wiki/DNS_cache_poisoning)
- Spoofing replies – transaction ID predictability (http://www.net-security.org/dl/articles/Attacking_the_DNS_Protocol.pdf, http://www.securityfocus.com/bid/30131)
- Maybe you are querying a DNS server the adversary controls (i.e. your ISP)
10.9.2 IP Routing MITM Issues
10.9.3 Link Layer MITM Issues
- dsniff (http://www.monkey.org/~dugsong/dsniff/)
- ettercap (http://ettercap.sourceforge.net/)
10.9.4 Physical Layer MITM Issues
10.9.5 Cryptographic Methods
10.10 Network Surveillance
- AT&T Invents Programming Language for Mass Surveillance (http://blog.wired.com/27bstroke6/2007/10/att-invents-pro.html)
10.11 Push vs. Pull Updates
10.12 DNS Issues
- Dan Kaminski’s web site (http://www.doxpara.com/)
10.13 Network Topology
11 Identification and Authentication
11.1 Identity
Sometimes I suspect I’m not who I think I am.
— Ghost in the Shell
11.2 Identity Management
- Kim Cameron’s “The Laws of Identity” (http://www.identityblog.com/?p=354)
- Ben Laurie’s “Selective Disclosure” (http://www.links.org/files/selective-disclosure.pdf)
11.3 The Identity Continuum
11.4 Problems Remaining Anonymous
In cyberspace everyone will be anonymous for 15 minutes.
— Graham Greenleaf
11.5 Problems with Identifying People
- Randomly-Chosen Identity
- Fictitious Identity
- Stolen Identity
11.6 What Authority?
Does it follow that I reject all authority? Far from me such a thought. In the matter of boots, I refer to the authority of the bootmaker; concerning houses, canals, or railroads, I consult that of the architect or the engineer.
— Mikhail Bakunin, What is Authority? 1882 (http://www.panarchy.org/bakunin/authority.1871.html)
11.7 Goals of Authentication
11.8 Authentication Factors
11.9 Authenticators
My voice is my passport; verify me.
— Sneakers, the motion picture
- Strong Passwords Not As Good As You Think (http://it.slashdot.org/article.pl?sid=09/07/13/1336235)
- Strong Web Passwords (http://www.schneier.com/blog/archives/2009/07/strong_web_pass.html)
- Do Strong Web Passwords Accomplish Anything? (http://www.usenix.org/event/hotsec07/tech/full_papers/florencio/florencio.pdf)
11.9.1 People Pick Lousy Passwords
- Real World Passwords (http://www.schneier.com/blog/archives/2006/12/realworld_passw.html)
11.9.2 Picking Secure Passwords
- Choosing Secure Passwords (http://www.schneier.com/blog/archives/2007/01/choosing_secure.html)
11.9.3 Preventing Weak Passwords
11.9.4 Remembering Passwords
11.9.5 Password Guessing Lockouts
11.9.6 Limited Password Lifetimes
11.9.7 Password Reset Procedure
11.9.8 Security Questions
11.9.9 Disabling Root Logins
- The adversary takes control of the system you’re sitting at, where your ssh key is stored, in which case he could impersonate you anyway (he may have to wait for you to log in to sniff the reusable passphrase, or to hijack an existing connection, but I think it’s not worth worrying about the details; if they have root on your console, you’re hosed).
- The adversary guesses your 4096-bit private RSA key, possibly without access to the public key. In this case, he could probably use the same technique against the encryption used to protect the SSH or IPsec sessions you’re using to communicate over anyway (host keys are often much smaller than 4096-bit), and in the alternate scenario (no direct root logins, but allowing reusable passphrases) he would get access to the reusable passphrases (and all other communication).
- Someone guesses the login and password. Login names are not secrets, and never have been treated as secrets (e.g. they’re often in your email address). They may not even be encrypted in the SSH login procedure. Passwords may be something guessable to your adversary but not you; for example, a word in a dictionary you don’t have, an “alternative spelling” that you didn’t think of, or perhaps the user uses the same passphrase to access a web site (perhaps even via unencrypted HTTP).
11.9.10 Eliminating Reusable Authenticators
- Encrypted storage; this is like using encryption to communicate with your future self. Obviously, you must reuse the same key, or somehow re-encrypt the disk. One could, theoretically, disallow direct access to the key used to encrypt the storage, and re-encrypt it each time with a different passphrase, but to protect it from the administrator you’d need to use some sort of hardware decryption device, and to protect it against someone with physical access you’d need tamper-resistant hardware (e.g. TPM).
- Authenticating to the system you’re sitting at; even then, one could use S/Key or another system for one-time authenticators written down and stored in your wallet, combined with a memorized passphrase.
11.10 Biometrics
- Authenticating People By Their Typing Patterns (http://www.schneier.com/blog/archives/2005/11/authenticating.html)
- PSYLock: a typing behavior based psychometrical authentication method (http://pc50461.uni-regensburg.de/ibi/de/leistungen/research/projekte/risk/psylock_english.htm)
11.11 Authentication Issues: When, What
11.12 Remote Attestation
11.13 Advanced Authentication Tools
- Simple Authentication and Security Layer (http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer) is a three-layer library (interface, mechanism, method) that supports multiple authentication methods for various systems; LDAP, SMTP AUTH, etc.
12 Authorization – Access Control
12.1 Privilege Escalation
12.2 Physical Access Control
- Guide to Lock Picking http://www.lysator.liu.se/mit-guide/mit-guide.html
- Free Lock Picking Guide http://www.free-lock-picking-guide.com/