Dear All,

Here is another portion of readings in systems and networks security, this time with practical exercises and research questions.

If you are taking this class as a research credit, I will expect you to pick a research problem that is either listed here or has a similar flavor (please run it by me!), and submit a written report of your findings by June 9. Your research report should include a survey of recent papers published on the topic (you'll find these by googling and by using websites that keep track of who cited which papers, such as Google Scholar, CiteSeer, and the ACM Digital Library).

If you are taking this course as readings, I will expect you to submit a writeup of how you built a successful exploit for a known vulnerability of the kind covered by your readings. You will be expected to replicate a vulnerable environment (say, in a virtual machine or with debootstrap) and to demonstrate that the exploit succeeds, and then discuss the fix and the modern countermeasures (if any). The CVE list maintained by MITRE (https://cve.mitre.org/cve/) will help you find well-documented vulns. Finding a new vuln gets you an instant High Pass :)

-------------------------[ Systems ]-------------------------

The goal of this batch is to try practical attacks against purposefully weakened software. Most modern systems include protections such as DEP (which prevents execution of payload instructions from the stack) and ASLR (which randomizes the addresses at which libraries and/or segments of an executable are loaded, making it hard to guess or compute the addresses of data or code objects needed for exploits). The following link explains how to disable them on Linux:
https://paulmakowski.wordpress.com/2011/01/25/smashing-the-stack-in-2011/
(Your mileage may vary -- check stackoverflow.com for more recent advice!)

See https://wiki.ubuntu.com/Security/Features for more information about hardening Linux systems.
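Before weakening a system it helps to be able to tell what state a binary is actually in. As an added example (my illustration, not code from the linked posts), here is a small checksec-style audit that reads an ELF64 binary and reports whether its stack is non-executable (the DEP side) and whether it is a PIE (what ASLR needs to randomize the main executable); canary detection would require symbol-table parsing and is left out. The build_elf helper constructs a fake header purely so the logic can be exercised without a compiler.

```python
"""Minimal checksec-style audit of NX and PIE for an ELF64 binary."""
import struct
import sys
from typing import Dict, Optional

PT_GNU_STACK = 0x6474E551  # program header whose p_flags record stack permissions
PF_X = 0x1                 # "executable" bit in p_flags
ET_DYN = 3                 # e_type of a position-independent executable (PIE)


def audit_elf(data: bytes) -> Dict[str, bool]:
    """Return {'nx': ..., 'pie': ...} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF file")
    # ELF64 header offsets: e_type @16, e_phoff @32, e_phentsize @54, e_phnum @56
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # No PT_GNU_STACK at all: the Linux loader falls back to an executable stack.
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN}


def build_elf(e_type: int, stack_flags: Optional[int]) -> bytes:
    """Constructed minimal ELF64 header (+ one PT_GNU_STACK entry) for testing."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                              64, 56, phnum, 64, 0, 0)
    if stack_flags is not None:
        hdr += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return hdr


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:       # e.g. python3 audit.py ./a.out
        print(audit_elf(f.read()))
```

Run it against a binary built with and without the weakening flags from the link above to see the two fields flip.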
If you wonder how useful ASLR is in real life, check out https://ece.uwaterloo.ca/~vganesh/TEACHING/S2014/ECE458/aslr.pdf (2008) and the earlier academic paper http://www.hovav.net/dist/asrandom.pdf (2004).

The use of stack canaries, introduced in https://ece.uwaterloo.ca/~vganesh/TEACHING/S2014/ECE458/Stackguard.pdf and later implemented by GCC and Microsoft's VCC (see https://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf), has become common for compilers. To compile vulnerable code without stack canaries/SSP, use the -fno-stack-protector option.

Research question: investigate how the state of ASLR protections has changed since these publications!

An example of using Debian's debootstrap to build a vulnerable version of a program: http://www.cs.dartmouth.edu/~sergey/langsec/cve-2004-0600/ (read http://www.cs.dartmouth.edu/~sergey/langsec/cve-2004-0600/cve-2004-0600-overview.txt first)

-------------------------[[ Buffer overflows ]]-------------------------

Exploit these vulnerable programs (on a weakened Linux system):
http://community.coresecurity.com/~gera/InsecureProgramming/

-------------------------[[ Exploiting heaps ]]-------------------------

(These writeups discuss the same topic from slightly different angles. Start with whichever you like best, then check the rest for details it left out.)
https://sploitfun.wordpress.com/2015/03/04/heap-overflow-using-malloc-maleficarum/
http://www.mathyvanhoef.com/2013/02/understanding-heap-exploiting-heap.html
http://phrack.org/issues/66/10.html

Exploiting a more modern flavor of heaps:
http://www.phrack.org/issues/68/13.html
http://www.phrack.org/issues/68/10.html
http://census-labs.com/media/bhusa-2012-slides.pdf

Research question: investigate developments in heap attacks and countermeasures.
-------------------------------[ Networks ]------------------------------

The NIDS evasion we addressed in the previous batch of papers relied on the differences between how TCP/IP stacks and their IDS counterparts implemented reassembly of packets into streams. These differences are a special case of a broader phenomenon: disagreement between parsers on the meaning of the bytes they are parsing. Here is a similar weakness pattern in X.509, the SSL/TLS certificate standard, critical to HTTPS security on the Internet:
http://www.ioactive.com/pdfs/PKILayerCake.pdf (detailed walkthrough)
https://www.cosic.esat.kuleuven.be/publications/article-1432.pdf (academic version)

(If you wonder how SSL/TLS work, this link gives a good summation in the first two answers: http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work ; of course, there are many others, including YouTube videos, etc.)

Research question: Assess the state of parser differentials in modern open-source X.509 parsers. Have the "PKI layer cake" issues been fully fixed?

------------------------------[[ Privacy leaks ]]------------------------------

Implementation differences in TCP/IP and other protocols between systems and their most popular applications have long been used for fingerprinting systems, both actively (via crafted packets) and passively (by sniffing their connections).

-------------------------[[ Active fingerprinting ]]-------------------------

Active fingerprinting is quite old. It has been incorporated into Nmap, the standard scanning tool: http://nmap.org/book/osdetect.html . Other projects like SinFP tried to minimize the amount of traffic needed to determine the OS:
http://taosecurity.blogspot.com/2006/05/host-fingerprinting-with-sinfp-picture.html
Others limited scanning to just a single protocol:
http://redeslinux.com/manuales_english/seguridad/ICMP_Scanning_v3.0.pdf

Use these tools to fingerprint your systems. Can you fingerprint your smartphone with a minimal number of packets?
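To make the X.509 parser-differential point above concrete, here is an added example (my illustration, not code from the PKI Layer Cake paper or any TLS library): a strict DER string parser placed beside the view a C-style consumer gets when it copies the same CommonName into a char buffer and relies on strlen(), plus the check that keeps the two views in agreement. The CN value with an embedded NUL is constructed for the demonstration.

```python
"""One DER-encoded CommonName, two readings: length-aware vs. NUL-terminated."""
from typing import Tuple

UTF8STRING = 0x0C  # ASN.1 tag commonly used for CommonName values


def der_string(tag: int, value: bytes) -> bytes:
    """Encode a DER primitive with a minimal (short- or long-form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value


def parse_der_string(buf: bytes) -> Tuple[int, bytes, bytes]:
    """Strict parse: (tag, value, rest).  Rejects the BER-only encodings
    (indefinite or non-minimal lengths) that a lenient parser would accept,
    so two strict parsers cannot disagree on where the value ends."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        n, off = first, 2
    else:
        k = first & 0x7F
        if k == 0 or k > 4:
            raise ValueError("indefinite or oversized length is not DER")
        n, off = int.from_bytes(buf[2:2 + k], "big"), 2 + k
        if n < 0x80 or (k > 1 and n < 1 << (8 * (k - 1))):
            raise ValueError("non-minimal length is not DER")
    if off + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[off:off + n], buf[off + n:]


def cn_as_c_string(value: bytes) -> str:
    """What a consumer that copies the value into a char buffer and then uses
    strlen()/strcmp() sees: everything after the first NUL byte is gone."""
    return value.split(b"\x00", 1)[0].decode("utf-8")


def cn_checked(value: bytes) -> str:
    """The check a verifier needs: use the full DER length and refuse names
    containing NUL, so the length-aware and C-string readings must agree."""
    if b"\x00" in value:
        raise ValueError("embedded NUL in subject name")
    return value.decode("utf-8")
```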
Research question: Most modern smartphones come with IPv6. Can you use ICMPv6 to fingerprint them? For an in-depth take on IPv6, read https://sites.google.com/site/yartikhiy/home/ipv6book

We did some work on this, too:
https://www.usenix.org/legacy/event/lisa11/tech/full_papers/Williamson.pdf
http://dxoig.mn/papers/wisec08-bratus.pdf (for Wi-Fi networks; see below for 802.11 link layer details)

-------------------------[[ Passive fingerprinting ]]-------------------------

p0f is a classic passive fingerprinting tool. It has gone through several versions; the latest is http://lcamtuf.coredump.cx/p0f3/ . See also the summary of its development in http://resources.infosecinstitute.com/passive-fingerprinting-os/

Richer link layers such as 802.11 (Wi-Fi) provide more opportunities for passive fingerprinting:
https://share.sandia.gov/news/resources/releases/2006/images/wireless-fingerprinting.pdf
and even using values in a single field:
http://uninformed.org/index.cgi?v=5&a=1 (hacker version)
http://cisr.nps.edu/downloads/theses/06thesis_ellch.pdf (academic version)

(My favorite book on the 802.11 link layer is http://www.amazon.com/802-11-WLAN-Hands-On-Analysis-Troubleshooting/dp/1425907350 -- I strongly recommend it -- and, sadly, there seem to be no electronic versions of it. Summaries like
https://technet.microsoft.com/en-us/library/cc757419%28v=ws.10%29.aspx
http://seat.massey.ac.nz/159334/Lectures/Week2_3_1s.pdf
and http://www3.nd.edu/~mhaenggi/NET/wireless/802.11b/Data%20Link%20Layer.htm
may help.)

Research question: explore whether these methods still work for modern systems such as smartphones and laptops. Wireshark on Linux and MacOS should be capable of monitor-mode link-layer frame capture; you need this "monitor mode", a.k.a. "RF mode", because it is the only mode that passes true frames from the air to the packet analyzer.
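An added example of the passive technique p0f implements (my illustration, not p0f's code or its signature database): derive a signature from the TTL, DF bit, window size and TCP option order of a captured IPv4 SYN and look it up in a constructed table. The "stack A"/"stack B" labels are placeholders, not claims about real operating systems, and build_syn only fabricates packets so the parser can be exercised offline.

```python
"""p0f-style signature extraction from a raw IPv4/TCP SYN (checksums ignored)."""
import struct

# Constructed, illustrative signatures: "initial TTL:DF:window:option order".
SIGNATURES = {
    "64:1:29200:M,S,T,N,W": "stack A (constructed)",
    "128:1:8192:M,N,W,N,N,S": "stack B (constructed)",
}
OPTION_LETTERS = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}


def syn_signature(pkt: bytes) -> str:
    """Derive the signature string from a raw IPv4 packet carrying a TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack_from("!HBB", pkt, 6)
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    tcp_flags, window = struct.unpack_from("!BH", tcp, 13)
    if (tcp_flags & 0x12) != 0x02:            # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    opts = []
    i = 20
    while i < data_off:                       # walk the TCP option TLVs
        kind = tcp[i]
        opts.append(OPTION_LETTERS.get(kind, f"?{kind}"))
        if kind == 0:                         # end-of-options list
            break
        if kind == 1:                         # NOP carries no length byte
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:
            raise ValueError("malformed TCP option")   # input that splits parsers
        i += length
    # Observed TTL is the initial TTL minus hop count; round up to common initial values.
    init_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    df = int(bool(flags_frag & 0x4000))
    return f"{init_ttl}:{df}:{window}:{','.join(opts)}"


def build_syn(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Constructed IPv4/TCP SYN (zero addresses and checksums) for testing."""
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1,
                     0x4000 if df else 0, ttl, 6, 0, bytes(4), bytes(4))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options
```

Feed it the IPv4 payload of SYNs from a pcap and you get the raw material a WIDS or inventory system matches against its own signature list.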
Some info for older Macs can be found in https://supportforums.cisco.com/document/75221/wireless-sniffing-using-mac-os-x-106-and-above

Research question: find new ways of fingerprinting systems actively or passively (by sniffing their connections). Of particular interest are mobile phones and/or IPv6 stacks.

Fingerprinting has had practical applications for wireless intrusion detection systems (WIDS): http://www.willhackforsushi.com/presentations/Wireless_Device_Fingerprinting.pdf

-------------------------[[ Other privacy leaks ]]-------------------------

There are many other kinds of privacy leaks in the Application layer of the OSI network stack. For example:
https://panopticlick.eff.org/browser-uniqueness.pdf
https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks

Research question: For a recent Debian or Ubuntu distribution, explore privacy leaks via information the default desktop installs send to various systems unencrypted.