Tuesday, 16 March 2010

IT Security Basic Ch.5 Buffer overflow & Web Security

Buffer overflow & Web Security

Buffer overflow concept (overflow vulnerability)
What is an overflow vulnerability?


Internet security applications

Basic network architecture

The number of Internet attacks keeps rising

The most common Internet attacks

(Which kinds of Internet attack are the most common?)

SQL Injection


XSS – Cross-site scripting


Example







CSRF – Cross-site request forgery

Server-side attacks
  1. 75% use HTTP
  2. Session hijacking (cookies)

  1. Overflow vulnerabilities in the web server
  2. Password cracking
  3. SQL injection

Ways to prevent server-side attacks
  1. Firewall
  2. Analyse and design the SQL code carefully
  3. Passwords should be 16 characters long and include digits, letters and symbols
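Item 2 above in working code, as an added example that is not part of the original notes: the same login check written with string concatenation (the injectable form) and with a parameterised query, run against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed demo table. The pw column is clear text only to keep the example
# short; a real system stores a salted password hash instead.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple!')")


def login_vulnerable(name: str, pw: str) -> bool:
    """The user-supplied strings are pasted into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(name: str, pw: str) -> bool:
    """Parameterised query: the SQL text is fixed and the driver passes the
    values separately, so input can never change the statement's structure."""
    sql = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone() is not None


if __name__ == "__main__":
    probe = "x' OR '1'='1"   # the textbook tautology input, used only to compare the two
    print("vulnerable:", login_vulnerable("alice", probe))  # True: accepted without the password
    print("safe:      ", login_safe("alice", probe))        # False: treated as a literal string
```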

Client-side attacks

Spoofing an IP address towards DNS



XSS



Don't stay logged in after you finish; log out!



Thursday, 18 February 2010

IT Security Basic Ch.4 Network Security

Ch.4 Network Security

Naming and Addressing Translation [IP address translation]


Domain name service (DNS)

MAC address

Also called LAN address or physical address
48 bits long

IP address - carries the packet to the destination network
MAC address - carries the packet to the destination host

ARP - Address Resolution Protocol

Has an ARP table
Maps an IP address to the corresponding MAC address

Common attack techniques

Spoofing - faking an identity

-IP spoofing
-DNS spoofing


-ARP spoofing


Sniffing (eavesdropping)
-Record traffic, e.g. with Wireshark
-Hub vs bridge


So, which of these is not that secure?

Tampering with data
-Modify or destroy data

Repudiation
-Make the system refuse all services

Information disclosure
-Guess passwords
-Unauthorised login

Denial of Service (DoS)
-Send a large number of requests or useless messages so that the target cannot operate normally
-TCP SYN flood

-Smurf Amplification

-Reflectors


-DDOS

-TCP hijacking

-Man in the middle attack


Elevation of privilege
-Exploit program flaws to gain higher privileges


So how do we counter those attacks?





Saturday, 6 February 2010

IT Security Basic - Ch.3 Key Management


Key Management

Symmetric Key Problem
How do you exchange the KEY securely over the network?
- Use a KDC as an intermediary

Public Key Problem
How do you know the public key you received is genuine?
- Use a CA for certification

*The KDC's responsibility is to share a secret key with every user

Key Distribution Centre - KDC
- Distributes keys to pairs of users
- Every user must have a master key for communicating with the KDC
- The user uses the master key to obtain a session key from the KDC; only then is the SECRET KEY distributed to the user
- The user obtains the master key by some non-encrypted (out-of-band) means




KDC vs CA

KDC
-Users need to communicate with the KDC frequently
-Users need to stay online
-The KDC can become a performance bottleneck and an attack target
-The KDC holds enough personal data that once it is compromised, the whole network becomes vulnerable

CA
-The CA cannot decrypt anything
-Certificates issued by the CA can be made public
-Users do not need to stay online

Kerberos
-A server that authenticates using encryption
-Secure login management
-Does not need public-key encryption

Problems with Kerberos
-An attacker impersonates another user
-An attacker records the exchange between a user and the server and replays it
-An attacker spoofs the user's IP address

Wednesday, 20 January 2010

introduction to networking - Ch.7 MAC

MAC

Multiple Access Control (MAC) protocols

Coordinate transmissions from different stations in order to minimize or avoid collisions

Kinds of MAC protocols
  1. Channel Partitioning MAC protocols
  2. Random Access MAC protocols
  3. "Taking turns" MAC protocols

Channel Partitioning MAC protocols
  1. TDM (Time Division Multiplexing): the channel is divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
  2. FDM (Frequency Division Multiplexing): the frequency band is subdivided.
  3. Other examples include Code Division Multiple Access (CDMA)
  4. GSM, used for mobile phones
Random Access protocols
  1. A node transmits at random at the full channel data rate R.
  2. If two or more nodes "collide", they retransmit after a random delay
  3. The random access MAC protocol specifies how to detect collisions and how to recover from them
  4. E.g. Slotted ALOHA, ALOHA, CSMA ...
CSMA - Carrier Sense Multiple Access
  1. Listen before transmitting; if the channel is busy, defer the transmission.
  2. If a collision happens, the entire transmission time is wasted.
  3. Collision detection is easy in wired LANs (e.g. Ethernet): measure the signal strength on the line, look for code violations, or compare the transmitted and received signals
  4. Collision detection cannot be done in wireless LANs (the receiver is shut off while transmitting, to avoid damaging it with excess power)
LAN
  1. Use the IP address - drives the packet to the destination network
  2. 48-bit MAC address - burnt into the Ethernet card ROM and unique
  3. Use ARP (Address Resolution Protocol) to resolve MAC addresses to IP addresses; it runs on the network layer
ARP
  1. Each IP node (host, router) on the LAN has an ARP module and table (aka ARP cache)
  2. ARP table: IP/MAC address mappings for some LAN nodes, e.g. < … >
  3. TTL (Time To Live): timer, typically 20 min
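The ARP cache described above, together with the ARP spoofing entry in the Ch.4 Network Security post, as one added example that is not from the original notes: a cache with the 20-minute TTL that also flags the two usual signs of a spoofed reply, an unexpired entry whose MAC changes and one MAC answering for several IPs. The reply list is constructed.

```python
ARP_TTL = 20 * 60  # seconds; entries expire after 20 minutes, as in the notes


class ArpCache:
    """IP -> (MAC, expiry) table that also records ARP spoofing indicators."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def expire(self, now):
        for ip in [i for i, (_, exp) in self.table.items() if exp <= now]:
            del self.table[ip]

    def learn(self, ip, mac, now):
        """Process one ARP reply 'ip is-at mac' received at time `now` (seconds)."""
        self.expire(now)
        mac = mac.lower()
        old = self.table.get(ip)
        if old and old[0] != mac:   # a genuine host keeps its MAC for the life of the entry
            self.alerts.append(f"t={now}: {ip} moved from {old[0]} to {mac} before its TTL expired")
        others = sorted(i for i, (m, _) in self.table.items() if m == mac and i != ip)
        if others:   # can be legitimate for a router with several addresses, so only a warning
            self.alerts.append(f"t={now}: {mac} now answers for {ip} as well as {others}")
        self.table[ip] = (mac, now + ARP_TTL)

    def lookup(self, ip, now):
        self.expire(now)
        entry = self.table.get(ip)
        return entry[0] if entry else None


# Constructed replies: (seconds since start, sender IP, sender MAC)
SAMPLE_REPLIES = [
    (0, "10.0.0.1", "00:11:22:33:44:01"),     # the gateway
    (5, "10.0.0.7", "00:11:22:33:44:07"),     # an ordinary host
    (60, "10.0.0.1", "00:11:22:33:44:07"),    # host .7 now claims the gateway's IP
    (2000, "10.0.0.1", "00:11:22:33:44:01"),  # the gateway re-announces after the TTL ran out
]


def run(replies=SAMPLE_REPLIES):
    cache = ArpCache()
    for t, ip, mac in replies:
        cache.learn(ip, mac, t)
    return cache
```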


Hub

Physical layer devices: essentially repeaters operating at the bit level; they repeat the bits received on one interface to all other interfaces


Bridge

Link layer device
  1. Stores and forwards Ethernet frames
  2. Examines the frame header and selectively forwards the frame based on the MAC destination address
  3. When a frame is to be forwarded on a segment, uses CSMA/CD to access the segment

Bridge vs router

  1. Both are store-and-forward devices, but routers are network layer devices (they examine network layer headers) and bridges are link layer devices
  2. Routers maintain routing tables and implement routing algorithms; bridges maintain filtering tables and implement filtering, learning and spanning tree algorithms

Switches
  1. Offer a large number of interfaces
  2. Layer 2 device
  3. Point-to-point connections
Sample network



Tuesday, 19 January 2010

introduction to networking - Ch.6 Routing

Routing

When a network becomes large, it has many routers and many links
=> You need a mechanism to determine which path a packet should take
Routing protocol - Determines a "good" path through the network from source to destination. "Good" depends on
  1. Cost $
  2. Congestion level
  3. Delay
  4. Number of hops

Static route
  1. Routes change slowly over time
  2. Usually set manually by commands on the router

Dynamic route

Routes change more quickly
  1. Periodic updates
  2. In response to link cost changes
  3. Affected by changes at other routers, and by changes at the router itself
Link-State Routing - LSP
  1. Each router is responsible for meeting its neighbours and learning their names
    -Sending Hello / Keep-alive messages
  2. Each router constructs a packet known as a link state packet (LSP), which contains the names of and the cost to each of its neighbours
  3. The LSP is flooded to all other routers, and each router stores the most recently generated LSP from every other router in the whole network.
  4. Each router is now armed with a complete map of the network topology
    -Shortest-path-based routes will be used
*If the shortest-path algorithm is not used, looping will occur

Distance Vector routing Algorithm

  1. Each router considers itself to be at [Distance 0]
  2. Each router saves its own ID and the cost of its attached links
  3. Transmits this data to its neighbouring routers
  4. Eventually forms a DV table
Example of the distance table of E in the figure


And it forms a routing table

When there are changes (e.g. a router is unplugged)



LS vs DV
  1. DV has the count-to-infinity problem - i.e. a dead loop occurs when a link cost changes suddenly
  2. LS: a node may advertise an incorrect link cost to other routers, and the other routers use it to build their own tables
  3. DV may advertise an incorrect path cost
  4. Both LS and DV can go down if just one router in the network does not follow the rules
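The distance vector algorithm above, plus the two DV failure modes in the LS vs DV list, as an added example that is not part of the original notes: a synchronous Bellman-Ford over a small graph, with a run that unplugs a router from a converged network (count-to-infinity, bounded by a RIP-style infinity of 16) and a run in which one node advertises a false cost of 0 and so attracts everyone's traffic.

```python
INF = 16  # RIP-style "infinity": bounds how far count-to-infinity can run


def dv_converge(links, init=None, liar=None, max_rounds=64):
    """Synchronous distance-vector (Bellman-Ford) routing over an undirected graph.

    links: {("A", "B"): cost, ...}; init: tables from a previous run, so a link can be
    removed from an already converged network; liar: a node that advertises cost 0 to
    every destination. Returns (table, rounds) with table[n][d] = (cost, next_hop)."""
    nodes = sorted({n for edge in links for n in edge} | set(init or {}))
    nbrs = {n: {} for n in nodes}
    for (a, b), c in links.items():
        nbrs[a][b] = nbrs[b][a] = c
    table = {n: dict(init[n]) if init and n in init else
             {d: (0, n) if d == n else (INF, None) for d in nodes} for n in nodes}
    for rnd in range(1, max_rounds + 1):
        adv = {n: {d: table[n][d][0] for d in nodes} for n in nodes}  # vectors sent this round
        if liar:
            adv[liar] = {d: 0 for d in nodes}
        changed = False
        for n in nodes:
            for d in nodes:
                if d == n or not nbrs[n]:   # a node with no links (unplugged) keeps its table
                    continue
                cost, hop = min((min(c + adv[m][d], INF), m) for m, c in nbrs[n].items())
                if cost >= INF:
                    hop = None
                if (cost, hop) != table[n][d]:
                    table[n][d] = (cost, hop)
                    changed = True
        if not changed:
            return table, rnd
    return table, max_rounds


def count_to_infinity_demo():
    """A-B-C in a line: converge, then unplug C and watch A and B count up to INF."""
    before, _ = dv_converge({("A", "B"): 1, ("B", "C"): 1})
    after, rounds = dv_converge({("A", "B"): 1}, init=before)
    return before["A"]["C"], after["A"]["C"], rounds


def false_cost_demo():
    """Triangle with C lying about its costs: A and B both route to each other via C."""
    table, _ = dv_converge({("A", "B"): 2, ("A", "C"): 1, ("B", "C"): 1}, liar="C")
    return table["A"]["B"], table["B"]["A"]
```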

When the network grows large --> the whole routing table cannot be stored in each single router

A large network is
  1. An interconnection of Autonomous Systems (AS)
  2. Each AS takes part in inter-domain routing
AS
  1. There are gateway routers
  2. Gateway routers run an inter-AS routing protocol with other ASes
  3. Gateway routers run an intra-AS routing protocol with the other routers in an AS
  4. Hierarchical routing

Thursday, 14 January 2010

IT Security Basic - CH.2.2 Authentication


Authentication

To prove you are who you say you are
  1. Password
  2. Certification authority (CA) - an organisation/company that binds a public key to a particular entity
  3. Address
  4. Authentication tokens
  5. Biometrics
  6. Fingerprints
  7. Voice recognition
  8. Keystroke timing
  9. Signatures
To register a public key with a CA
  1. Money
  2. Proof of identity - i.e. ID card, staff card
  3. The CA uses its private key to sign your key, as proof that "you are really you"
  4. Signed keys have an expiry time
What does a digital certificate look like?



To identify a public key (Bob's) signed by a CA
  1. Get the certificate signed with the public key [from the owner (Bob) / others] = A
  2. Process the public key's certificate (the figure above) with the CA's public key = B
  3. If A = B, then "Bob is really Bob"

Sample certificate (when you visit an https website, you can get one)

The real structure of a certificate

Chain of trust
  1. You have a public key certified by a CA (named K) = A
  2. Your girlfriend Mary trusts you, and you share a private key = B with Mary
  3. As a result, if you sign A with B (A*B = C), Mary can use C and she will also trust the CA (K)


Trust hierarchy
From the concept of a chain of trust, the following hierarchy can be built


Attacks
Man-in-the-middle attack
  1. A sends a password to B with A's IP address
  2. The middle man (C) captures the password
  3. Drops A's messages
  4. Sends B A's password, changing the IP address to C's own
  5. B trusts A's password and believes C is A


Offline password attacks
Guess the correct password by testing billions of candidates

Replay with a fake address
Change the victim's address to the attacker's address



Key Management

KDC - Key Distribution Center, shares a different secret key with each registered user
  1. Each user shares a master key with the KDC
  2. The master key is used to obtain a session key from the KDC
  3. The master key may be distributed by post, face to face, pick-up at a bank, etc.

KDC vs CA
  1. The KDC stores real symmetric keys
  2. The CA only identifies a person; it does not store many keys
  3. A CA certificate can be used while offline
  4. A KDC must be used online
  5. The server used by the KDC is called Kerberos
Preventing man-in-the-middle attacks

Tickets
  1. Provide real-time authentication
  2. Use a non-Internet channel to distribute them
  3. Remember the black "egg" HSBC gives you, which generates a number?
  4. The session key is signed with the ticket, and the ticket expires every time after it is used

Global clock synchronisation
  1. Sync the system time with NTP
  2. Detect delays caused by a man-in-the-middle attack
More: http://web.mit.edu/kerberos/www/dialogue.html
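The KDC exchange described in this post and in the Ch.3 Key Management post (master keys shared out of band, a session key and ticket issued by the KDC, a ticket that expires, and a synchronised clock used to reject delayed or replayed messages), as one added example that is not from the original notes or from any Kerberos implementation. The `seal`/`unseal` pair is a toy encrypt-then-MAC built on HMAC-SHA256 so that the demo needs only the Python standard library; it is an assumption of the example, not a real cipher.

```python
import hashlib, hmac, json, os

SKEW = 300                  # tolerated clock difference; needs NTP-synchronised clocks
TICKET_LIFETIME = 8 * 3600
def _stream(key, nonce, n):  # HMAC-SHA256 in counter mode, used as a keystream
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC so the demo runs on the standard library only."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("forged or altered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, principals):
        self.master = {p: os.urandom(32) for p in principals}  # handed over out of band

    def request(self, client, server, now):
        # Session key for the client, plus a ticket that only the server's master key opens.
        ks = os.urandom(32).hex()
        ticket = seal(self.master[server], {"client": client, "key": ks, "exp": now + TICKET_LIFETIME})
        return seal(self.master[client], {"key": ks, "ticket": ticket.hex()})

def client_request(kdc, client, server, now):
    reply = unseal(kdc.master[client], kdc.request(client, server, now))  # client's own master key
    authenticator = seal(bytes.fromhex(reply["key"]), {"client": client, "ts": now})
    return bytes.fromhex(reply["ticket"]), authenticator

class Server:
    def __init__(self, master_key):
        self.master, self.seen = master_key, set()   # seen: replay cache of authenticators

    def accept(self, ticket, authenticator, now):
        t = unseal(self.master, ticket)
        if now > t["exp"]:
            return "expired ticket"
        a = unseal(bytes.fromhex(t["key"]), authenticator)  # only the session-key holder can make it
        if abs(now - a["ts"]) > SKEW:
            return "stale authenticator"   # delayed, or replayed outside the skew window
        if (a["client"], a["ts"]) in self.seen:
            return "replay"
        self.seen.add((a["client"], a["ts"]))
        return "ok"
```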