CSE 523S: Systems Security
Computer & Network Systems Security
Spring 2018
Jon Shidal
Plan for Today
• Announcements
– You should have completed the Python tutorial
– Get started on HW2… There is an account
creation step that requires operator approval.
Don’t wait until the last minute, the operator
may not be available…
• Security News? Questions?
• Assignment
• System Design & Security
– [x] Why are our computer systems vulnerable?
– Why are our networks vulnerable?
Assignment
• Wednesday
– HTAOE: Ch. 2 81-114
• Monday
– HW2 due
– HTAOE: Ch. 4 195-223
WHY ARE OUR NETWORKS VULNERABLE?
Networks are Vulnerable
• IP has an any-to-any communications model
– Within IP you cannot control who sends you a packet
• Networks have weak authentication
– When a packet arrives, you trust the source address
• Bindings between layers and between names &
addresses are based on trust
– Insecure services map between network layers (e.g., IP to
Ethernet), and names to addresses
• Secure the “channel” only
– You really want to secure the data and its source, not an
address
Understanding Networks
• Hosts in the figure (Wash U Network, connected to the Internet)
– MAC: 00:1f:16:37:34:6e, IP: 192.168.1.6
– MAC: 00:14:6c:ff:55:4e, IP: 192.168.1.1
– MAC: ?, IP: ?
• Python! Console (Python 2) in user space; TCP/UDP, IP and Ethernet in the kernel
    >>> import urllib2 as u2
    >>> f = u2.urlopen("http://xkcd.com")
    >>> f.read()
• What do we need to know to answer these questions:
– How does the request find its way to the server?
– How does the reply find its way back to the client?
– Once at the client, how does the reply find its way back to the app?
Packets are bit strings
If we knew the format rules, we would understand this
packet to be… we’ll decode it in a later slide
ffffffffffff001f
1637346e08060001
080006040001001f
1637346ec0a80106
000000000000c0a8
0101000000000000
0000000000000000
00000000
char pkt[] =
    "\xff\xff\xff\xff\xff\xff\x00\x1f"
    "\x16\x37\x34\x6e\x08\x06\x00\x01"
    "\x08\x00\x06\x04\x00\x01\x00\x1f"
    "\x16\x37\x34\x6e\xc0\xa8\x01\x06"
    "\x00\x00\x00\x00\x00\x00\xc0\xa8"
    "\x01\x01\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00";
Network Layering
• Network protocols are layered; they have well-defined interfaces and
separation of concerns
• Typical Internet layering
– Application
– TCP
– IP
– Ethernet
– Physical link: wired or wifi
• Network packets encapsulate one protocol inside another
– (Ethernet (IP (TCP ( Application ) ) ) )
• Applications typically use the “sockets” interface, and specify TCP or UDP
– All lower-level details are the concern of the OS and underlying infrastructure
• Our concern is with TCP/IP and Ethernet
Ethernet
• Is the dominant wired-LAN technology
• Much to learn about its history, in your spare time
– Used to be proprietary, now an IEEE standard
– Used to be shared medium, now is switched
– Always gets faster: 1M, 10M, 100M, 1G, 10G, …
– Is rapidly becoming the only wired protocol that matters (LAN,
campus, metro, …)
• Ethernet features
– Variable length packets
– Point-to-point communication between machines with MAC
addresses
– Broadcast: send packet to all nodes on local network
– Virtual LANs (VLANs): limit broadcast domains to a VLAN
– Uses “type” field to help receiver know what to do next
Ethernet II Frame Format
(8 bytes per row, bytes 0-7)
Byte Offset   | Fields
0             | Preamble (pattern 10101010 repeated 7 times) | SFD 10101011
8             | Destination MAC address | Source MAC address
16            | Source MAC address, continued | VLAN tag (opt)
24            | Type | 42-1500 payload octets
68 to 1526    | 32-bit CRC | Interframe gap
72 to 1532    | Interframe gap, continued
Ethernet II Illustrated Frame
ffffffffffff001f
1637346e08060001
080006040001001f
1637346ec0a80106
000000000000c0a8
0101000000000000
0000000000000000
00000000
Fields, in order: Destination MAC, Source MAC, Type, payload, padding to 60 bytes
Internet Protocol, IP
• IP allows distinct networks to be connected
• From 30,000 feet
– Each network is assigned an IP address range
• WU: 128.252.0.0 – 128.252.255.255 (128.252.0.0/16)
– A dynamic, globally distributed protocol is used to create
routes between address ranges
– A dynamic, globally distributed service is used to map
domain names to IP addresses
– IP supports multiple protocols for communications: UDP,
TCP, ICMP, …
• Two aspects of IP to understand
– Node model
– Packet format
IP Nodes and Routes
[Figure: networks attached to the Internet, with links numbered 1 to 4]
• 128.252.0.0/16
• 74.125.0.0/16
• 72.26.192.0/19 hosted by voxel.net
• Note: In reality, Google is its own “cloud”, with many connections
Matching Prefix | Link
128.252/16      | 1
72.26.192/19    | 2
74.125/16       | 3
IP Packet Format
(32 bits per row, bits 0-31)
Bit Offset | Fields
0          | Version | Header Length | DiffServ | ECN | Total Datagram Length (bytes)
32         | Identification | Flags | Fragment Offset
64         | Time to live | Protocol | Header checksum
96         | Source IP address
128        | Destination IP address
160        | 0 to 10 IP option words
160 to 480 | 0 to 16384 data words
UDP & TCP
• Two primary protocols for applications
– UDP: unreliable datagrams
– TCP: reliable, in-order byte streams
• “Ports” are used to demultiplex to apps on hosts
– Example in a few slides
User Datagram Protocol, UDP
• Connection-less communications
– Messages are sent, no in-protocol means for
reliability
• Not reliable
– May not arrive
– May arrive out of order
– May be duplicated
• No support for managing congestion
UDP Packet Format
(32 bits per row, bits 0-31)
Bit Offset | Fields
0          | Source port number (opt) | Destination port number
32         | Length | Datagram checksum (opt)
64         | 0 to 16376 data words
Transport Control Protocol, TCP
• Connection-oriented
– 3-way handshake used between communicating end
hosts
• SYN, SYN-ACK, ACK
• Reliable, ordered delivery of byte streams
– All will arrive
– Will arrive in order
– Will not be duplicated
• Includes provision for “congestion control” so that
sender-receiver pairs scale up/down their data rates
in response to (un)dropped packets.
[Figure: 3-way handshake]
Sender → Receiver: SYN
Receiver → Sender: SYN-ACK
Sender → Receiver: ACK
TCP Packet Format
(32 bits per row, bits 0-31)
Bit Offset | Fields
0          | Source port number | Destination port number
32         | Sequence number
64         | Acknowledgement number
96         | Data offset | Res | NS CWR ECE URG ACK PSH RST SYN FIN | Window size (bytes)
128        | Checksum | Urgent pointer
160        | Options and data
Sockets
• Apps primarily use sockets API to connect
– Create a socket by specifying address family (AF_INET),
and type (SOCK_DGRAM or SOCK_STREAM)
– Connect it to an address and port
– Send and receive
– Library also includes helper functions
• Network byte ordering is distinct from host byte ordering
– Little-endian: least significant byte at lower address
– Big-endian: most significant byte at lower address
– X86: little-endian; network: big-endian
– Apps must convert to and from network byte order:
ntohl(), htonl()
Two Machines on an Ethernet LAN
• Hosts in the figure
– MAC: 00:1f:16:37:34:6e, IP: 192.168.1.6
– MAC: 00:14:6c:ff:55:4e, IP: 192.168.1.1
– MAC: 00:1f:42:81:e4:a1, IP: 192.168.1.7
• Sender app: sends UDP packet to IP:port (Python console, Python 2)
    import socket as s
    sock = s.socket(s.AF_INET, s.SOCK_DGRAM)   # UDP socket
    sock.connect(("192.168.1.7", 7777))
    sock.send("Mr. Watson--come here--I want to see you.")
    sock.close()
• Recv app: listens on UDP port 7777 (Python console, Python 2)
    import socket as s
    sock = s.socket(s.AF_INET, s.SOCK_DGRAM)   # UDP socket
    sock.bind(("", 7777))                      # all local addresses, port 7777
    while 1:
        data, addr = sock.recvfrom(1024)
        if not data: break
        print "From ", addr, ": ", data
    sock.close()                               # close the socket, not the module
• In both consoles the app runs in user space; TCP/UDP, IP and Ethernet are in the kernel
• Sender OS: Which MAC has dest IP address? How?
Address Resolution, ARP
• General protocol for mapping between protocol
layers
• In practice, a protocol for mapping IP addresses to
Ethernet MAC addresses
– Not part of TCP/IP per se, but you won’t find a network
without it
• Two operations
– Request: Who has
– Reply:
ARP Ethernet:IP Packet Format
(4 bytes per row)
Byte Offset | Bytes 0-1 | Bytes 2-3
0           | Hardware type (Eth is 1) | Protocol type (IP is 0x0800)
4           | HW Addr Len (Eth is 6), Proto Addr Len (IP is 4) | Operation (1 request, 2 reply)
8           | Sender HW Address (SHA)
12          | SHA, continued | Sender Protocol Address (SPA)
16          | SPA, continued | Target HW Address (THA)
20          | THA, continued
24          | Target Protocol Address (TPA)
ARP Illustrated Packet
ffffffffffff001f
1637346e08060001
080006040001001f
1637346ec0a80106
000000000000c0a8
0101000000000000
0000000000000000
00000000
Fields, in order: Destination MAC, Source MAC, Type, ARP packet, padding to 60 bytes
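The frame from the “Packets are bit strings” slide, decoded with the Ethernet II and ARP layouts given on the slides; this is an added example, not part of the original deck. The names decode_frame, mac and sha_matches_src are this example's own, 0x0806 is the Ethernet type value for ARP, and every multi-byte field is read in network byte order, as the Sockets slide requires.

```python
import binascii
import socket
import struct

# The 60-byte frame shown on the slides (hex copied from the page).
FRAME_HEX = (
    "ffffffffffff001f" "1637346e08060001" "080006040001001f"
    "1637346ec0a80106" "000000000000c0a8" "0101000000000000"
    "0000000000000000" "00000000"
)

# "!" selects network byte order (big-endian) with no padding between fields.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, type
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # Ethernet:IP ARP packet, 28 bytes

def mac(raw):
    """Format 6 raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join("%02x" % b for b in bytearray(raw))

def decode_frame(frame):
    """Decode an Ethernet II frame; if it carries ARP, decode that as well."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, eth_type = ETH_HDR.unpack_from(frame, 0)
    out = {"dst": mac(dst), "src": mac(src), "type": eth_type}
    if eth_type != 0x0806:                 # not ARP: stop at the Ethernet layer
        return out
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(
        frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet:IP ARP packet")
    out.update(
        op={1: "request", 2: "reply"}.get(op, op),
        sha=mac(sha), spa=socket.inet_ntoa(spa),
        tha=mac(tha), tpa=socket.inet_ntoa(tpa),
        padding=len(frame) - ETH_HDR.size - ARP_PKT.size,
        # ARP has no authentication; one sanity check a receiver can make
        # is that the claimed SHA equals the frame's own source MAC.
        sha_matches_src=(sha == src),
    )
    return out

if __name__ == "__main__":
    print(decode_frame(binascii.unhexlify(FRAME_HEX)))
```

A mismatch between SHA and the frame's source MAC is worth logging, but a match proves nothing, because the sender sets both fields.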
Internet Names and Addresses
• The Domain Name System, DNS, maps names to addresses
– Dynamic, globally distributed system
– Uses port 53, UDP (infreq. TCP)
• [Figure: the Wash U network host running the Python console that fetches http://xkcd.com, with a DNS Resolver Cache added and lookup steps numbered 1 to 3]
– 1: Try local DNS lookup
– 2: Else, try Wash U DNS lookup
– 3: Else, try ISP’s DNS lookup
Other questions to answer
• How do we get a MAC address?
– Pre-configured or set it yourself
• How do we get an IP address?
– Static allocation or via DHCP
• How do we get to the Internet from within LAN?
– Default gateway. How do we find it?
Understanding Networks
[Figure: the earlier Understanding Networks diagram (Wash U network, Internet, Python console fetching http://xkcd.com), now with the DNS Resolver Cache]
• How does the request find its way to the server?
• How does the reply find its way back to the client?
• Once at the client, how does the reply find its way back to the app?
Issues we will revisit
• Where do protocols assume trust?
– Are addresses valid?
– Are gateways valid?
– Are name:address bindings valid?
• What can someone else observe?
Helpful Tools
• On your machine
– wireshark to log and inspect packets
– host, dig and nslookup to map names to addresses
• On the Internet
– ARIN’s service for looking up name:address mappings and
prefix owners
• https://www.arin.net/
Assignment
• Wednesday
– HTAOE: Ch. 2 81-114
• Monday
– HW2 due
– HTAOE: Ch. 4 195-223