Outline

• More SRE Tools
• SRE Examples
• SRE Mitigation
• HW Problem
• OS and Security

SRE Tools

On Monday, we had begun talking about software reverse engineering, and had started talking about some generic tools (dissassembler, debugger, hex editor, etc.) that are useful for this. We now look at some specific examples of these tools

• IDA Pro -- the top-rated disassembler
  • Cost is a few hundred dollars
  • Converts binary to assembly (as best it can)
• OllyDbg -- high-quality shareware debugger
  • Includes a good disassembler
• Hex editor -- to view/modify bits of exe
  • UltraEdit is good -- freeware
  • HIEW -- useful for patching exe
• Process Monitor -- freeware

Why is Debugger Needed?

• Disassembler gives static results
  • Good overview of program logic
  • User must "mentally execute" program
  • Difficult to jump to specific place in the code
• Debugger is dynamic
  • Can set break points
  • Can treat complex code as "black box"
  • And code not always disassembled correctly
• Disassembler and debugger both required for any serious SRE task

SRE Necessary Skills

• Working knowledge of target assembly code
• Experience with the tools
  • IDA Pro -- sophisticated and complex
  • OllyDbg -- best choice for this class
• Knowledge of Windows Portable Executable (PE) file format
• Boundless patience and optimism
• SRE is a tedious, labor-intensive process!

SRE Example

• We consider a simple example
• This example only requires disassembler (IDA Pro) and hex editor
  • Trudy disassembles to understand code
  • Trudy also wants to patch the code
• For most real-world code, would also need a debugger (OllyDbg)

SRE Example

• Program requires serial number
• But Trudy doesn't know the serial number...
  
• Can Trudy get serial number from exe?

SRE Example

• IDA Pro disassembly
  
• Looks like serial number is S123N456 !

SRE Example

• Try the serial number S123N456
  
• It works!
• Can Trudy do "better"?

SRE Example

• Again, IDA Pro disassembly
  
• And hex view...
  

SRE Example

• "test eax,eax" is AND of eax with itself
  • Flag bit set to 0 only if eax is 0
  • If test yields 0, then jz is true
• Trudy wants jz to always be true
• Can Trudy patch exe so jz always holds?

SRE Example

• Can Trudy patch exe so that jz always true?
  

SRE Example

• Edit serial.exe with hex editor
  
• Save as serialPatch.exe

SRE Example

• Any "serial number" now works!
• Very convenient for Trudy!

SRE Example

• Back to IDA Pro disassembly...

SRE Attack Mitigation

• Impossible to prevent SRE on open system
• But can make such attacks more difficult
• Anti-disassembly techniques
  • To confuse static view of code
• Anti-debugging techniques
  • To confuse dynamic view of code
• Tamper-resistance
  • Code checks itself to detect tampering
• Code obfuscation
  • Make code more difficult to understand

HW Problem

Exercise 13.1 Expand and define each of the following acronyms: TCG, TCB, PITA, MAC, DAC, NGSCB.

Answer.

TCG stands for Trusted Computing Group. It is a consortium led by Intel with the goal of producing a tamper-resistant hardware on which crypto keys etc might be stored.

TCB stands for Trusted Computing Base. This consists of everything in the operating system we rely on to enforce security.

PITA stands for Pain in the A**. It is used when describing how painful it is to deal with some of the secure OS issues.

MAC stands for Mandatory Access Control. It is access that is not controlled by the owner of an object. For example, Alice might have Top Secret clearance but might not be able to completely control access to a document at this clearance.

DAC stands for Discretionary Access Control. It is the access that is controlled by the owner of an object. For example an owner of an object can set its rwx privileges in Unix.

NGSCB stands for Next Generation Secure Computing Base. It is Microsoft's secure operating system features which were originally slated for Vista. It was supposed to have four main feature groups: (a) strong process isolation, (b) sealed storage, (c) secure path to and from mouse, keyboard, etc, and (d) attestation which allowed devices, services, etc to be securely authenticated.

OS and Security

• OSs are large, complex programs
  • Many bugs in any such program
  • We have seen that bugs can be security threats
• Here we are concerned with security provided by OS
  • Not concerned with threat of bad OS software
• Concerned with OS as security enforcer
• In this section we only scratch the surface

OS Security Challenges

• Modern OS is multi-user and multi-tasking
• OS must deal with
  • Memory
  • I/O devices (disk, printer, etc.)
  • Programs, threads
  • Network issues
  • Data, etc.
• OS must protect processes from other processes and users from other users
  • Whether accidental or malicious

OS Security Functions

• Memory protection
  • Protect memory from users/processes
• File protection
  • Protect user and system resources
• Authentication
  • Determines and enforce authentication results
• Authorization
  • Determine and enforces access control

Memory Protection

• Fundamental problem
  • How to keep users/processes separate?
• Separation
  • Physical separation -- separate devices
  • Temporal separation -- one at a time
  • Logical separation -- sandboxing, etc.
  • Cryptographic separation -- make information unintelligible to outsider
  • Or any combination of the above

Memory Protection

• Fence -- users cannot cross a specified address
  • Static fence -- fixed size OS
  • Dynamic fence -- fence register
• Base/bounds register -- lower and upper address limit
• Assumes contiguous space

More Memory Protection

• Tagging -- specify protection of each address
  • + Extremely fine-grained protection
  • - High overhead -- can be reduced by tagging sections instead of individual addresses
  • - Compatibility
• More common is segmentation and/or paging
  • Protection is not as flexible
  • But much more efficient

Segmentation

• Divide memory into logical units, such as
  • Single procedure
  • Data in one array, etc.
• Can enforce different access restrictions on different segments
• Any segment can be placed in any memory location (if location is large enough)
• OS keeps track of actual locations

Segmentation

Segmentation

• OS can place segments anywhere
• OS keeps track of segment locations as (segment,offset)
• Segments can be moved in memory
• Segments can move out of memory
• All address references go thru OS

Segmentation Advantages

• Every address reference can be checked
  • Possible to achieve complete mediation
• Different protection can be applied to different segments
• Users can share access to segments
• Specific users can be restricted to specific segments

Segmentation Disadvantages

• How to reference (segment,offset) ?
  • OS must know segment size to verify access is within segment
  • But some segments can grow during execution (for example, dynamic memory allocation)
  • OS must keep track of variable segment sizes
• Memory fragmentation is also a problem
  • Compacting memory changes tables
• A lot of work for the OS
• More complex -- more chance for mistakes

Paging

• Like segmentation, but fixed-size segments
• Access via (page,offset)
• Plusses and minuses
  • + Avoids fragmentation, improved efficiency
  • + OS need not keep track of variable segment sizes
  • - No logical unity to pages
  • - What protection to apply to a given page?

Paging

Other OS Security Functions

• OS must enforce access control
• Authentication
  • Passwords, biometrics
  • Single sign-on, etc.
• Authorization
  • ACL
  • Capabilities
• These topics discussed previously
• OS is an attractive target for attack!

Trusted Operating System

• An OS is trusted if we rely on it for
  • Memory protection
  • File protection
  • Authentication
  • Authorization
• Every OS does these things
• But if a trusted OS fails to provide these, our security fails

Trust vs Security

Some people will use slightly different terminolgy for following:

Trust

• Trust implies reliance
• Trust is binary
• Ideally, only trust secure systems
• All trust relationships should be explicit

Security

• Security is a judgment of effectiveness
• Judge based on specified policy
• Security depends on trust relationships

Trusted Systems

• Trust implies reliance
• A trusted system is relied on for security
• An untrusted system is not relied on for security
• If all untrusted systems are compromised, your security is unaffected
• Ironically, only a trusted system can break your security!

Trusted OS

• OS mediates interactions between subjects (users) and objects (resources)
• Trusted OS must decide
  • Which objects to protect and how
  • Which subjects are allowed to do what

General Security Principles

• Least privilege -- like low watermark
• Simplicity
• Open design (Kerchoffs Principle)
• Complete mediation
• White listing (preferable to black listing)
• Separation
• Ease of use
• But commercial OSs emphasize features
  • Results in complexity and poor security

OS Security

• Any OS must provide some degree of
  • Authentication
  • Authorization (users, devices and data)
  • Memory protection
  • Sharing
  • Fairness
  • Inter-process communication/synchronization
  • OS protection

OS Services

Trusted OS

• A trusted OS also provides some or all of
  • User authentication/authorization
  • Mandatory access control (MAC)
  • Discretionary access control (DAC)
  • Object reuse protection
  • Complete mediation -- access control
  • Trusted path
  • Audit/logs

Trusted OS Services