Book reading: Beautiful Security

Wednesday, May 19th, 2010

Beautiful Security, 1st edition. By Andy Oram and John Viega. O’Reilly Media Inc, 2009.

I have read another security book which the notable security expert John Viega has co-edited (the previous one is The Myths of Security). This book offers a comprehensive analysis of today’s security and its problems, and offers ideas for improvement. A number of people have contributed to this book, which makes it a lot of fun to read. Each chapter is written in its own style. This book is a potpourri of security topics.

In Chapter 1 the book mentions a number of reasons why security is so difficult to adopt in the modern software lifecycle. The reasons are: learned helplessness, naivete, confirmation traps, and functional fixation. Examples are provided for each problem. It turns out that Microsoft has messed up a great deal with its network authentication protocols trying to preserve backward compatibility. As a result, an improved version of the network protocol was still carrying the features of the previous weaker version and the improvement was therefore nullified. Another great example was when a company which was undergoing a security audit successfully exploited vulnerabilities in the scanner that the auditor was using. This way they were able to demonstrate that the auditor was not competent enough to audit their organization.

Chapter 2 is dedicated to wireless networks. The book describes how easy it is now to earn money through faked wireless networks in public areas such as airports. Also, wireless networks are very dangerous in the corporate world because employees tend to use their personal unprotected wireless-enabled devices to access the intranet, which opens lots of possibilities to road warriors. Shocking stuff which makes you think why we are still using wireless.

Chapter 4 sheds light on the underground security economy. This includes prices typically offered for producers of malware and owners of botnets. It is so detailed that it makes me wonder how the author got all this information himself.

Chapter 5 raises a well-known problem of using credit cards on the Internet and the dangers of privacy breaches. A new scheme for Internet commerce is proposed. Its cornerstone is the idea of using virtual or one-time credit card numbers. This idea has already been implemented in few banks but many users are either unaware of it or don’t consider it a threat big enough to sustain the overhead that it imposes (need to log in to the banking site to generate a one-time number every time you make a purchase on the Internet). Obviously, one of the biggest challenges that the community needs to address is removing this overhead.

Chapter 6 deals with online advertising. I never thought that it is such a battlefield for both white hats and bad guys! Everybody has heard of click fraud, where the advertising agency is the victim. What is surprising is that there are lots of malicious advertising agencies which employ a number of forms of cheating, for example placing ads on top of each other with different z-values or displaying your ad for only a few seconds and then replacing it with another ad (indeed, your agreement probably does not mention how long the ad will stay visible because you think that it is as long as the user stays on the page) and so on. Then the book mentions several forms of online advertising: pay per view, per click, and per transaction (the last one means that the user has to buy something before the advertiser pays the agency). Even the most secure form, pay per transaction, is vulnerable to realistic attacks when a gang of malicious buyers buys things only to return them immediately to the shop! I could never imagine that this was possible but the book claims that the number of buying gangs is growing.

Chapter 7 – great overview of history of PGP and web of trust (I am running out of space to go into greater detail).

Chapter 8 – honeyclient. The book claims that client exploits are more dangerous than server-side because it takes longer to fix the former. Honeyclient was an academic idea which has grown into a useful product! It employs a number of virtual machines running unprotected Windows and visits various suspicious sites. When a change in the state of OS is detected (registry, file system) an alert is triggered.

Chapter 9 – new ideas for security industry. Mentions the need for better cooperation using social networking.

Chapter 10 explains how to integrate security into developing practices. Every stage of the process needs to incorporate security. A common mistake is to address only one stage, for example development and then expect overall improvement – not necessarily the case. Microsoft spent its 2 billion dollars not only running a source code analyzer on Windows but rather re-engineering the whole development cycle.

All right, let’s skip a few chapters…

Chapter 13 explains the importance of logging and provides one real-life example of how an FTP server was hijacked. I was surprised to find out that many large organizations are still using FTP servers with a world-writable incoming directory. This opens them to bad guys who use such servers as illegal file shares. Only thorough logging can detect such uses. How do we sift through millions of log records?

Chapter 14 claims that the detection rate of modern IDS is only 32%. What a shocking number! This is due to the limitations of signature-based approaches. A better idea is to use behavior-based methods, which require taking context into account to separate false negatives and false positives. For example, if a mail server makes 100 outgoing connections, is it an indication of its being owned? Is it sending spam as a zombie? If yes, we need to stop the server immediately. If no, stopping it could disrupt the functioning of a large enterprise. What are normal activities of a mail server, a file server, etc? Machine learning algorithms are becoming useful.

Chapter 15 presents a new framework for secure databases. However, it is not based on encrypting tables using DBMS facilities. Instead, the data translucency approach stores encrypted versions of sensitive data such as user names. The key is generated from user name and password which makes it possible to identify the data belonging to a particular user. But the database still operates on the encrypted data.

Finally, Chapter 16 describes a framework for desktop security based on machine learning, snapshotting, and fast reboots. I recall that several years ago this idea was published in a paper from Stanford University researchers (Armando Fox).

Book reading: Myths of Security

Sunday, October 25th, 2009

John Viega. The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know O’Reilly Media, 2009.

This is a great book for either security specialist or a general computer user. For the former the book gives lots of criticism for the awful state of today’s security, for the latter the book identifies traps which users are likely to fall into and provides help in avoiding them. The book’s biggest achievement is the breadth with which it considers various aspects of security: from anti-virus programs to secure shopping to secure hardware platforms and identifies possible improvements.

The book consists of many small chapters but the global picture is easily visible. Based on his experience as a leading industry security expert, the author makes a proposal on how to improve the state of security. This is a call for action for everybody who wants to avoid a global security crisis.

The book starts with mentioning Randy Pausch – a professor who was smashing VCRs because of their bad user interfaces. According to the author, most of what security companies have to offer is worth smashing as well. The author says that security companies are responsible for security being treated as inevitable evil that would slow down your computer and print out lots of false alarms.

He explains in greater detail how an anti-virus works. The companies spend most of their time analysing virus samples and writing signatures. This is a tedious process and the value of this intellectual property is rather minimal. The author calls for better cooperation among security companies. Each company has its own signature format. On the Web everybody is using XML to facilitate interoperability. Why cannot the companies agree on a similar signature format?

The author analyses an opposite method of protection which is behavior-based methods. They do not work in the current environment because of false positives. For example, if a program writes garbage to disk it is possible that it decrypts something. Viruses and media players do this alike, their behavior is the same. The author proposes a solution to this problem. In order to decrease the rate of false positives each program needs to get signed. A signature is verified in a repository of good programs. The problem is that users are not cooperating in creating such directories of programs that are verified. If such directories existed then behavior-based anti-virus suite would not raise an alarm for any trusted application.

Therefore, the author believes that the solution to our problems is in a collaborative approach to security or an approach that involves a trusted authority. One real example of a successful implementation of this idea is SiteAdvisor – a program that runs as a plugin in Firefox and checks every web site a user visits against a database of good/bad sites. The rating of a web site depends on analysis that security experts performed earlier but I guess it is possible to use crowd intelligence as well.

Are the companies spending their money wisely? The economics of security is another issue that the author analyses. His conclusion is that the 1 billion dollars that Microsoft spent on improving the security of the Vista operating system were spent wrongly. One reason is that the author says security training of developers is not worth spending money on because people will forget everything in a couple of months. Instead, give money to the specialized security audit companies whose employees are doing security work for a living. Even though their rates are quite high and reach as much as 75 cents per line of code it would cost less than 1 billion to audit Windows.

Finally, the author challenges the state of security in our society. For example, everybody is very concerned with identity theft. But there are so many interesting documents ending up in your garbage that any potential attacker would rather look into your garbage can than attempt to get into your computer.

The state of the secure Web is also challenged. The author claims that man-in-the-middle attacks are efficient. He says that people are ignoring expired SSL certificates or those issued by a dubious authority. The author calls for mutual authentication, where not only do you know that you are talking to a legitimate web site but the site knows who it is talking to as well.

The author blames academia for re-inventing things that industry has been using for a while. He calls for better cooperation between industry and academia.

This book reminds me of a security book by Ross Anderson. However, this book is much more critical and focused on identifying the vulnerabilities and proposing how to fix them. Despite its criticism the book is written with a great wish for a better state of security.

Interesting security sites

Saturday, March 1st, 2008

Five must-have security resources

A few interesting tools including exploit search. It is basically Google results filtered out. I have noticed that this trend is becoming popular. Thomson Scientific Web is a scientific search engine that serves only those results that are originating from research institutions, etc.

Data breaches catalog, default passwords are other sites of interest.

Botnet paper in NDSS

Saturday, March 1st, 2008

Another paper from this year’s NDSS is discussed in blogs. It looks like academic conferences get attention from industry and writers. On the other hand, these researchers have released their tool for anybody to try out. This rarely happens but this is definitely a good thing. The software integrates into existing IDS setup.

Can botnets be beaten?

New Internet attacks

Saturday, March 1st, 2008

It looks like DNS infrastructure is the next threat for Internet. New attacks that leverage DNS are disclosed at enormous pace. Here is an NDSS paper titled

Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority

Paper reading – dataflow attacks

Sunday, February 24th, 2008

Application security is changing its focus after buffer overflow attack problem was solved. Indeed, most up-to-date operating systems have a defense mechanism such as address space randomization in Red Hat Linux and non-executable pages in Windows Vista. A typical buffer overflow attack aims at hijacking control of an application. On the other hand, there are dataflow attacks that do not overwrite any control-sensitive data structures. Instead, they modify application’s state so that it continues its normal execution but in a new environment. For example, if the goal of dataflow attack is to update a variable responsible for user authentication status then the program will think that the attacker has logged in successfully.

The claim is that these attacks have not been seen in the wild but – how do you know? There is no practical method to detect such attacks. The papers that I am reviewing in this post have a high overhead. Buffer overflow attacks taught us an important lesson: a research prototype with a high overhead will not make it to the market. You have to improve its performance, really. As a result, the proposed tools for signature generation, program rollback, etc. are in the research phase whereas low overhead attack detection systems are in production.

  • S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-Control-Data Attacks Are Realistic Threats.
  • S. Bhatkar, A. Chaturvedi, R. Sekar. Dataflow Anomaly Detection.
  • M. Castro, M. Costa, T. Harris. Securing software by enforcing data-flow integrity.

The first paper is a visionary explanation of looming threats. It gives a number of examples of dataflow attacks:

  1. Format String Attack against User Identity Data
  2. Heap Corruption Attacks against Configuration Data – this attack overwrites the name of a utility defined in a config file. The program invokes that utility at a certain time. Modifying the name allows an arbitrary program to be executed.
  3. Stack Buffer Overflow Attack against User Input Data – very nice example! A popular HTTP daemon ghttpd that we have also used in our research is attacked to overwrite a stack value that gets loaded into a register in the function epilog.
  4. Integer Overflow Attack against Decision-Making Data

Sekar et al. solve dataflow attack problem using behavior models. In a few words, they first learn which arguments are used in syscalls during normal execution. When program uses unexpected arguments an attack is detected. For example, if the program was using utility called /usr/bin/login and out of nothing it tries to execute /bin/sh then this is certainly an attack.

I did not realize the power of learning methods until reading this paper.
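A simplified sketch of the learning idea described above, added here as an illustration and not taken from the paper or its tool: it learns the path arguments seen per call site during normal runs and flags deviations such as the /usr/bin/login to /bin/sh switch. The call-site labels, the traces and the `max_exact` threshold are constructed assumptions.

```python
import posixpath
from collections import defaultdict

# Constructed training trace of (call_site, syscall, path_argument) events,
# recorded while the program runs normally. Call sites are hypothetical.
TRAINING = [
    ("auth.c:88", "execve", "/usr/bin/login"),
    ("auth.c:88", "execve", "/usr/bin/login"),
    ("conf.c:40", "open", "/etc/app.conf"),
    ("log.c:12", "open", "/var/log/app/2008-02-22.log"),
    ("log.c:12", "open", "/var/log/app/2008-02-23.log"),
    ("log.c:12", "open", "/var/log/app/2008-02-24.log"),
]


class ArgumentModel:
    """Learns which absolute path arguments each (call site, syscall) uses."""

    def __init__(self, max_exact=2):
        # More than max_exact distinct values are generalised to a directory.
        self.max_exact = max_exact
        self.seen = defaultdict(set)

    def train(self, trace):
        for site, syscall, arg in trace:
            self.seen[(site, syscall)].add(posixpath.normpath(arg))

    def check(self, site, syscall, arg):
        """Return None if the event fits the model, else a reason string."""
        values = self.seen.get((site, syscall))
        if not values:
            return "syscall never seen at this call site"
        path = posixpath.normpath(arg)  # collapse ../ before comparing
        if path in values:
            return None
        if len(values) > self.max_exact:
            prefix = posixpath.commonpath(sorted(values))
            # A prefix of "/" would accept everything, so never generalise to it.
            if prefix != "/" and path.startswith(prefix + "/"):
                return None
        return "unexpected argument"

    def detect(self, trace):
        alerts = []
        for event in trace:
            reason = self.check(*event)
            if reason:
                alerts.append((event, reason))
        return alerts


def demo():
    model = ArgumentModel()
    model.train(TRAINING)
    live = [  # constructed run-time events
        ("auth.c:88", "execve", "/usr/bin/login"),
        ("log.c:12", "open", "/var/log/app/2008-02-25.log"),
        ("auth.c:88", "execve", "/bin/sh"),
        ("log.c:12", "open", "/var/log/app/../../../etc/shadow"),
        ("net.c:7", "execve", "/usr/bin/login"),
    ]
    return model.detect(live)


if __name__ == "__main__":
    for event, reason in demo():
        print(event, "->", reason)
```

The new log file under the learned directory passes, while the path that only looks like it is under that directory is normalised first and flagged.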

The third paper aims at detecting dataflow attacks using static analysis methods. As always, static analysis is showing its limitations. At compile time, each memory location is simulated and source code statements accessing each location are recorded. That is, the program builds a map memory location -> instruction addresses. At run-time it assures that this relationship holds. If it does not then this is an attack. However, this approach is inferior to the learning approach as the former does not detect the register attack when an overwritten register gets popped off the stack.

Web users – beware

Monday, February 18th, 2008

A followup on a recent post on DNS binding attacks that are able to infect an unsuspecting user watching a Flash ad. Here is a Google paper describing other threats.

InformationWeek

Paper reading – Application security

Saturday, February 16th, 2008

  • W. Cui, M. Peinado, H. J. Wang, M. E. Locasto. ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing.
  • Y. Younan, D. Pozza, F. Piessens, W. Joosen. Extended protection against stack smashing attacks without performance loss.
  • H. Wang, S. Jha, V. Ganapathy. NetSpy: Automatic Generation of Spyware Signatures for NIDS.
  • H. Chen, F. Hsu, J. Li, T. Ristenpart, Z. Su. Back to the Future: A Framework for Automatic Malware Removal and System Repair.

The first two papers discuss stand-alone binaries whereas the remaining papers describe how to deal with malicious browser plugins.

W. Cui et al. discuss how to build a signature using the knowledge of protocol format. The idea is that given an attack instance, it is useful to generate its variations and see if this is an attack as well. Protocol knowledge enables to experiment with individual fields. After enough probes are generated, a generalizing signature is created. The prerequisite of this work is protocol description created either manually or automatically. I guess this is an interesting application for the CMU work on automatic protocol format generation.

The buffer overflow attack paper tries to prevent attacks using a separated stack. However, there was previous work on separating data and control stacks. Finally, ASR is a generalization of these two approaches. Either of them has low overhead.

The malware papers are following the industry standard, I guess. That is, there have been a huge number of anti-malware programs out there. Do these papers improve any of those programs? The automatic signature generation paper takes a different approach toward signature generation. It records packets when the system is working normally, then if it finds a difference this means an attack has been detected. Instead of using just one attack instance as a signature, it tries to build a generalized signature. To achieve this, it takes a number of samples and applies the LCS algorithm to find commonalities. For example, if malware logs URLs that the user has entered, its packets would look as follows:

GET http://track.malware.com/index.php?url=http://google.com

That is, the user is trying to load Google and malware captured this. If the user loads another page the malware will issue a packet with another url parameter. The generalization algorithm will replace the user input with a wildcard, thus generating final signature:

GET http://track.malware.com/index.php?url=*

I am wondering if our protection tool could supply a URL consisting of a wildcard to the malware as if the user has entered this URL. After that, the malware packet will have this wildcard character in place of user input. Thus, we will get wildcards in proper places which gives us a generalized signature immediately.
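The LCS generalization step described above, written out as an added example rather than code from the NetSpy paper. It reads LCS as longest common subsequence; the `MIN_RUN` threshold, the extra sample packets and the function names are assumptions made for the illustration.

```python
import re
from functools import reduce

WILDCARD = "\x00"  # internal placeholder; cannot occur in an HTTP request line
MIN_RUN = 8        # assumed threshold: shorter common runs count as noise

# Constructed samples: the same spyware reporting three different user URLs.
SAMPLES = [
    "GET http://track.malware.com/index.php?url=http://google.com",
    "GET http://track.malware.com/index.php?url=https://example.org/news",
    "GET http://track.malware.com/index.php?url=ftp://files.example.net/a.iso",
]


def lcs_alignment(a, b):
    """Return index pairs (i, j) of one longest common subsequence of a, b."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]  # dp[i][j]: LCS of a[i:], b[j:]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                dp[i][j] = dp[i + 1][j + 1] + 1
            else:
                dp[i][j] = max(dp[i + 1][j], dp[i][j + 1])
    pairs, i, j = [], 0, 0
    while i < n and j < m:  # walk forward so a shared prefix stays contiguous
        if a[i] == b[j]:
            pairs.append((i, j))
            i, j = i + 1, j + 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return pairs


def generalize(a, b, min_run=MIN_RUN):
    """Merge two samples (or a signature and a sample) into one signature."""
    runs = []  # [start_in_a, start_in_b, length], contiguous in both inputs
    for i, j in lcs_alignment(a, b):
        last = runs[-1] if runs else None
        if last and last[0] + last[2] == i and last[1] + last[2] == j:
            last[2] += 1
        else:
            runs.append([i, j, 1])
    out, end_i, end_j = [], 0, 0
    for i, j, length in runs:
        if length < min_run:
            continue  # accidental short match: leave it inside the gap
        if i > end_i or j > end_j:
            out.append(WILDCARD)  # the inputs differed before this run
        out.append(a[i:i + length])
        end_i, end_j = i + length, j + length
    if end_i < len(a) or end_j < len(b):
        out.append(WILDCARD)
    return "".join(out)


def build_signature(samples, min_run=MIN_RUN):
    merged = reduce(lambda sig, pkt: generalize(sig, pkt, min_run), samples)
    return merged.replace(WILDCARD, "*")


def matches(signature, packet):
    pattern = ".*".join(re.escape(part) for part in signature.split("*"))
    return re.fullmatch(pattern, packet) is not None


if __name__ == "__main__":
    print(build_signature(SAMPLES))
```

Without the minimum run length, the scheme prefix and stray characters shared by the logged URLs would end up in the signature and make it miss packets carrying other URLs.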

Paper reading: web vulnerabilities

Friday, February 15th, 2008

  • D. Balzarotti, M. Cova, V. V. Felmetsger, and G. Vigna. Multi-Module Vulnerability Analysis of Web-based Applications.
  • A. Moshchuk, T. Bragin, D. Deville, S. D. Gribble, and H. M. Levy. SpyProxy: Execution-based Detection of Malicious Web Content.
  • S. Chen, D. Ross, Y.-M. Wang. An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism.

Papers of interest not just for researchers but for Internet users in general. Similar to DNS binding attacks discussed in the previous post, there are pitfalls that unsuspecting people are likely to get trapped into.

It looks like Internet is becoming a dangerous place to hang out at. Years ago, when applications were distributed using CDs and floppies there were a number of safety issues like viruses. However, anti-virus software was available. If you used it you were on the safe side. The threats were more obvious, though. For example, if a program tried to format your hard drive that was a virus for sure.

The goal of today’s malware is information stealing. Because of that, modern viruses are called spyware. DNS rebinding tries to access documents on your intranet, while a domain-isolation attack tries to find out your private information displayed in the other frame of the browser. It is often impossible to tell if the information is leaking or it is the user typing the password trying to log in to a legitimate site. The protection techniques are different. Filtering out viruses was signature-based, whereas it is impossible to generate a signature for any password. Thus, behavior-based methods are being used. In practice, the system implementing these techniques becomes paranoid which makes it a tough sell. It looks like most vendors decided to play nice with customers leaving them unprotected against these new threats.

What scares me though is low level of public awareness of these new attacks. Without reading these high-tech papers written for academia researchers I would unlikely become aware of these new threats either.

The first two papers improve on the previous work that the authors have published last year. However, these papers elaborate on how malware behaves. It often exploits vulnerabilities in additional software such as image rendering library rather than in browser itself. In this example, as the image is rendered in the browser, SpyProxy detects an unauthorized creation of ten helper processes. Just think that you can visit a social web site, view a profile and get infected. It is worse than flu.

Another example of vulnerability is a complex Web application such as a content management system. It is possible to skip authentication only to jump to the user private page directly.

The domain isolation attacks exploit tabbed browsing implementation. Imagine a user opening bank’s web page in one frame, a malicious site in another. The latter can execute Javascript in the former’s frame to steal information from that window, for example.

Despite high-tech nature of these threats, there are rules of thumb that will help you stay on the safe side. First, do not waste your time on social sites not to say look at other people’s profiles! Also, do not use tabbed browsing. Open a web site, do what you need to do, close it, then move on to the next. If you found an interesting link on that web page, write it down on a piece of paper. Who said that our society is paper free? Of course, everybody needs those pesky NoteIt stickers.

Paper reading – DNS rebinding and pharming

Wednesday, February 13th, 2008

A number of very interesting papers that describe DNS rebinding and pharming attacks. Surprisingly, these types of attacks have eluded my attention. They look very dangerous, though. In a few words, DNS rebinding allows an attacker to get a resource from behind the firewall if a victim just visits a web site hosting a malicious advertisement, not to say (s)he clicks it. That is, the attacker can craft a Flash advertisement, sign a contract with an ad network and off (s)he goes.

  • C. Jackson, A. Barth, A. Bortz, W. Shao, D. Boneh. Protecting Browsers from DNS Rebinding Attacks.
  • C. K. Karlof, U. Shankar, D. Tygar, D. Wagner. Dynamic pharming attacks and the locked same-origin policies for web browsers.