CS计算机代考程序代写 scheme python x86 database compiler file system AI FTP interpreter 8. Defense Mechanisms 2 – Techniques and Methods

8. Defense Mechanisms 2 – Techniques and Methods

Defense Mechanisms 2:
Techniques and Methods

CITS3004
Alvaro Monsalve

1

1. Vulnerability scanning
2. Sandboxing
3. Steganography
4. Moving Target Defense

Agenda

2

What is a vulnerability?
– Software flaws or configuration error(s) that allow

attackers to violate the security objectives (CIA) of the
system

• Vulnerabilities arise from bugs in applications or
design flaws in the system

• Vulnerabilities can be found in all layers of the
system

3

1. Vulnerability

• Vulnerability scanning can
– Identify flaws in the system applications and designs
– Find what services are running
– Ensure vulnerabilities are patched correctly
– Part of a pre-emptive step to remove vulnerabilities before

attackers exploit them

4

Vulnerability Scanning

• “Scanning” is means of collecting information about
computer systems and the entities they belong to

• Attackers also conduct “scanning” in the pre-attack
phase, or more commonly known as reconnaissance

5

Vulnerability Scanning

• How are vulnerabilities discovered?
– Known vulnerabilities using tools
– New vulnerabilities by humans

• Hacker groups
• Security companies or
• Researchers

– E.g., a group may discover a vulnerability related to a software
(could be by accident or through a directed research)

– Vulnerability is disclosed to the public
• When?

6

Vulnerability Scanning

7

Vulnerability Scanning

https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cwe-over-time#vuln-type-total-by-year-title

• Some widely used canning categories are
– Port scanners

• Nmap – https://nmap.org/
– Network vulnerability scanners

• Nessus – https://www.tenable.com/products/nessus/nessus-professional
• OpenVAS – http://www.openvas.org/
• Qualys, SAINT, etc.

– Web application vulnerability scanning tools
• List from OWASP –

https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

• There are other types as well
– E.g., database security scanner, host-based vulnerability scanner etc.

8

Vulnerability Scanning

https://nmap.org/
https://www.tenable.com/products/nessus/nessus-professional
http://www.openvas.org/
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

• Ping and ICMP (Internet Control Message Protocol)
scan
– Typically for server scanning

• TCP and UDP scan
– Typically for port scanning

9

Basics of scanning

10

Ping in Windows
1

2 3 4

5

6

1) ICMP packet length
2) ICMP echo reply packet length
3) Time to receive the ICMP echo reply packet
4) Time to live value
5) Number of request, reply and lost packets
6) Approximate round trip time

11

Well known ports

• UDP scanning
– Attacker sends an UDP packet

• No response → the port is open
• ICMP Unreachable packet received → the port is closed

• TCP scanning
– Attacker sends SYN packet

• SYN+ACK packet received → the port is open
• RST+ACK packet received → the port is closed

12

TCP/UDP scanning

• Initiate the 3-way handshake to check the port
• Provides fast port scanning and requires no privilege

• However, this is easily detectable
– And so likely to be blocked

– Sol: use stealth scanning methods
13

TCP scanning

• TCP SYN scanning (aka half-open scanning)

14

Stealth TCP scanning 1

Attacker Victim
SYN

SYN, ACK

RST

Attacker Victim
SYN

RST, ACK

Port is open Port is closed

Note: many systems will not log this connection attempt

• TCP FIN scanning

15

Stealth TCP scanning 2

Attacker Victim
FIN

Attacker Victim
FIN

RST, ACK

Port is open Port is closed

No response

Note: Some systems may sent RST packets regardless

• Other techniques include
– Fragmentation scanning

• Chopping the existing scanning packets into smaller fragments
– TCP reverse ident scanning

• Ident protocol to extract connection information
– FTP bounce attack

• Manipulating the FTP server protocol interpreter to redirect files
– Etc… see additional items for more.

16

Stealth TCP scanning +

17

Vulnerability Scanning

Scanning
engine

Vulnerability
database

Scan results

UI

1

2

3

4

• From Tenable©
• Runs on various Oses

– Linux, Unix-based, Windows etc
• Keeps their own vulnerability database

– Good or bad?
• Uses Nessus Attack Scripting Language

– So you can write your own scripts and plugins
• There are various (and many free) plugins available to use

– https://www.tenable.com/plugins/nessus/families
• Vulnerabilities found are classified based on their risk-factor
• Is a commercial product

– Currently $3468.11AUD per annum for the professional version (as of 2018)
18

Example: Nessus

$4164.34AUD per annum for the professional version (as of 2019)!

https://www.tenable.com/plugins/nessus/families

• Nessus can scan various types of vulnerabilities
– Windows vulnerabilities
– Insecure scripts

• E.g., Common Gateway Interface
– RPC (remote procedure call)

program vulnerabilities
– Firewall misconfigurations
– FTP insecure implementations
– Etc.

• Provides ranking of them
19

Example: Nessus

• Widely used vulnerability database

20

Vulnerability database

• CVE provides a list of standardised names for
vulnerabilities
– These vulnerabilities are publicly known
– Security experts form editorial board and provide the

description
– E.g., CVE-2014-0160

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle
Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from
process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading
private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

• MITRE Corporation maintains CVE and moderates the
editorial board discussions

21

Vulnerability database

http://cve.mitre.org

• NVD is a comprehensive cybersecurity vulnerability
database
– Maintained by NIST, an US organisation
– Synchronised with CVE vulnerability naming standard
– Provides some security metrics about the vulnerability

• E.g., CVSS base score, vectors, etc.
• CVE-2014-0160 has the CVSS BS of 5.0

22

Vulnerability database

http://nvd.nist.gov

• Requires continuous efforts to discover and mitigate
vulnerabilities

• Difficult to address problems with new and unknown
vulnerabilities
– E.g., zero-day vulnerabilities

• Global efforts are made to address issues associated with
each steps of vulnerability scanning
– E.g., improve anomaly detection using AI and machine learning

23

Vulnerability Scanning:
Summary

• Often we have untrusted code that we wish to run
– E.g., program from Internet including toolbars, viewers, codecs

etc
• We should contain that code in a zone such that if it

misbehaves, we can easily kill it
• Create the zone through confinement – sandboxing!

24

2. Sandboxing

• Confinement: To contain the application in an isolation to
ensure it does not carry out unapproved actions

• Can be implemented at many levels:
– Hardware: run application on isolated hw (air gap)
– Virtual machines: isolate OS’s on single hardware
– System call interposition: Isolates a process in a single operating system
– Software Fault Isolation (SFI): Isolating threads sharing same address space
– Application specific: e.g. browser-based confinement

25

Sandboxing

• Example: using chroot
• Often used for guest accounts

• The path “/tmp/guest” is added to the file system accesses for
applications in jail

chroot

Requires root privilege

chroot /tmp/guest root dir “/” is now “/temp/guest”

su guest EUID is set to “guest”

Problem: utility programs also need to be available in the jail (e.g., ls, ps, vi)

CH

27

chroot

CHAccess is restricted within the boundaries

• Application cannot access files outside of jail
• Jailkit is used to address this problem
• auto builds files, libs, and directories needed in the jail

environment
• jk_init: creates jail environment
• jk_check: checks jail env for security problems

• checks for any modified programs,
• checks for world writable directories, etc.

• jk_lsh: restricted shell to be used inside jail
28

chroot CH

• Of course, people will try to break out of jails…

29

chroot

Scenario 1:
open(“../../etc/password”, “r”)

Scenario 2:
mkdir “/asdf/etc/passwd”
chroot “/asdf ”
chroot(“../../../../../../../../../..”)

CH

If the process has a
root privilege, you
can escape the jail!

• chroot lacks many capabilities
– All or nothing access to the file system

• Not so useful for web applications etc
– Need to provide access to files outside the jail
– Malicious applications can access the network

• And do something with other internally connected machines

• Suggestion: do not use chroot as a security solution
– Use better approaches and combinations with other approaches

30

chroot CH

• Software Fault Isolation
• Problem: legitimate and malicious applications running

in the same address space
– E.g., device drivers trying to corrupt kernel

• Solution
– Separate applications into different address spaces
– Instructions are added before memory operations and verify

behaviour (e.g., illegal memory access)

31

SFI

• Partition process memory into segments

• Locate unsafe instructions (e.g., jmp, load, store)
– Add safety instructions for memory access
– Add guards before unsafe instructions at compile time
– Validate guards when loading them

32

SFI

code
segment

data
segment

code
segment

data
segment

app #1 app #2

• Reconstruct code instructions for safety
• Untrusted code (applications) should only be able to

– Jump within its domain’s code segment
– Write within its domain’s data segment

33

SFI

STR R0, R1 ; write R1 to Mem[R0]

MOV Ra, R0 ; copy R0 into Ra
SHR Rb, Ra, Rc ; Rb = Ra >> Rc, get the segment ID
CMP Rb, Rd ; Rd holds the data segment ID
BNE fault ; wrong data segment ID
STR Ra, R1 ; Ra in data segment, so write

Unsafe instruction

Rewritten instruction
by sandbox

STR – store
MOV – move
SHR – shift logical right
CMP – compare
BNE – branch on not equal

• Some instructions use register and offset addressing
– i.e., needs extra space for the instruction

• Add guard zone to each segment to avoid calculating
the offset

34

SFI

code
segment

data
segment

app #1

G
ua

rd
z

on
e

G
ua

rd
z

on
e

G
ua

rd
z

on
e

G
ua

rd
z

on
e

• Verifier ensures all instructions are safe
• Verifier checks no privileged instructs are in the code
• Verifier also checks relevant instructions are within

the code/data segments
• If the sandboxed code fails any checks, verifier
rejects the code

35

SFI

• Provides a good performance with a little overhead
– Typically around 4% processing overhead

• Confines writes and control transfers in extension’s data and
code segments, respectively

• Prevent execution of privileged instructions
• However, more difficult to implement on x86 architectures

– It was not designed for x86 in the first place
– Variable length instructions: hard to place guards
– Many instructions that affects the memory: need more guards

36

SFI

• Various techniques for sandboxing in different layers
of the system

• It is difficult to fully isolate malicious code, due to
dependencies

• Defining sandboxing policy is one of the top key
challenges

37

Sandboxing summary

38

3. Steganography

They are not the same picture!

39

Steganography

This is the original imageThis is the altered image

• Art (and science) of creating hidden messages which
can only be identified by the sender and the receiver
– Hiding a piece of information within another

40

Steganography

“He encouraged leaving late on Wednesday
only realising Laurie did!”

He encouraged leaving late on Wednesday
only realising Laurie did! -> Hello World!

41

Steganography

Secret
Message

Cover

Stegosystem
encoder

Stegosystem
decoder

Key

Original
cover

Secret
Message

Steganography
object

Optional

Optional

• Popular steganography techniques include
– Text steganography

• Position, alignment, alternation, font etc.
– Media steganography

• Image, video, audio etc.

42

Steganography

• Here is a steganography example used in WW2
• “Apparently neutral’s protest is thoroughly

discounted And ignored. Isman hard hit. Blockade
issue affects Pretext for embargo on by products,
ejecting suets and Vegetable oils.”

• Can you tell what the secret message is?
• Hint: position of the texts

43

Text Steganography

Ans: Read every second letter from each word
“PERSHING SAILS FROM NY [R] JUNE I”

PERSHING was a senior
army officer from US

44

Text Steganography

Key

• Let’s take an example approach

45

Text Steganography

This sentence.
To be seen or not.
Regardless of the nature.
One cannot decide.
What to do, what not to do.
Hence, it could be argued.
Nevertheless, useless.
Only time will tell.
Again, tomorrow.

Anything secret about this? How about now?

Unusual white spaces

• We can encode 1s and 0s by the number of white
spaces at the end of each line.
– No space for 0, extra space for 1
– Previous example encoded 110101011

• The encoded text is invisible to the human eyes in
typical text editors (white spaces)

• However, the file size will be altered
– Typically increased

46

Text Steganography

• Take advantage of the limitations of human visual
capabilities.

• One commonly used technique is to alter the least
significant bit (LSB)

• Changing the least significant bit (i.e., each of the 8th bit
for each colour in the image colour coding)
– Can embed 3 bits per pixel

• BMP images are used in common due to their lossless
compression

47

Image Steganography

• Imagine we are given the following RGB encoding

• Now, we want to hide data 101 101 101, then we get the following

48

Image Steganography

10010101 00001101 11001001
10010110 00001111 11001010
10011111 00010000 11001011

10010101 00001100 11001001
10010111 00001110 11001011
10011111 00010000 11001011

Essentially, we only changed 4/9 bits, or 44% of the LSB

• Steganos
• S-Tools (GIF, JPEG)
• StegHide (WAV, BMP)
• Invisible Secrets (JPEG)
• JPHide
• MP3Stego
• Hiderman
• And many other privately created tools

49

Steganography tools

• To discover hidden information in given data
• Similar to cryptanalysis, attackers can hold various

information
– Stego only, known cover, known message, chosen stego etc.

• There are many tools that can be used to detect for
different types of data
– But you need to know what you are looking for
– See additional items for more tools

50

Steganalysis

• To make steganalysis more difficult, steganography and
cryptography are typically used together
– The secret message is encrypted, so even if it was detected, it is

difficult to decode the message
• To retrieve such information, both steganalysis and

cryptanalysis are needed
– Adding another layer of complexity
– Good for protecting assets from malicious users
– Much more difficult to detect malicious activities (e.g., terrorists)

51

Steganalysis

• Simply MTD, is a defense mechanism that continuously
changes the attack surface to thwart cyberattacks

• Different types of changes can be made in the system, and
they can be categorised into three

52

4. Moving Target Defense

Shuffle
Every t seconds

Virtual IP: X Virtual IP: Y

Redundancy

Single server One additional
replica server

Diversity

2 Apache Servers 1 Apache, 1 Windows
Servers

• MTD can also be implemented in different layers of
the system
– For example:

• Application layer – code regeneration/diversification
• Transport layer – routing node redundancy
• Internet layer – IP shuffling and virtualisation

53

MTD

54

MTD

Evans, David, Anh Nguyen-Tuong, and John Knight. “Effectiveness of moving target defenses.” Moving Target Defense. Springer New York, 2011. 29-48.

• The MTD shuffle technique changes the configuration of
the system such that connections/dependencies are
altered but the operations are maintained
– E.g., changing the routing table in the SDN

• Existing vulnerabilities are not removed, but it redirects
the attack sequence to be taken
– Hence, delaying the reconnaissance process, as well as breaking

an ongoing attack
55

MTD Shuffle

• Example: Openflow Random Host Mutation
– Typically, a host has one (physically) IP address
– In ‘HF-RHM scheme’, each host has a physical IP address and a virtual IP

address
– Only the SDN controller knows the physical IP address of each host
– Virtual IP (vIP) addresses are used for establishing communication

channels
– vIP addresses are shuffled every x seconds, OF switches are updated to

redirect flows and update the existing communications
– Attackers probing for IP addresses loses the identified victim host as vIP

shuffles
56

MTD Shuffle

Jafarian, Jafar Haadi, Ehab Al-Shaer, and Qi Duan. “Openflow random host mutation: transparent moving target defense using software defined networking.” Proceedings of the
first workshop on Hot topics in software defined networks. ACM, 2012.

57

MTD Shuffle

rIP: 192.168.0.32
vIP: 202.100.64.84

rIP: 192.168.0.33
vIP: 202.102.75.22

rIP: 192.168.0.103
vIP: 202.116.3.89

Found open port at
IP: 202.102.75.22

1 Attacker found vulnerabilities in the web server by scanning

Talking with web server

58

MTD Shuffle

rIP: 192.168.0.32
vIP: 202.167.69.41

rIP: 192.168.0.33
vIP: 202.122.78.14

rIP: 192.168.0.103
vIP: 202.198.43.1

Preparing exploits

2 SDN controller shuffles vIP

Seamlessly authenticate

59

MTD Shuffle

rIP: 192.168.0.32
vIP: 202.167.69.41

rIP: 192.168.0.33
vIP: 202.122.78.14

rIP: 192.168.0.103
vIP: 202.198.43.1

Launch exploit to
202.102.75.22

3 Attacker cannot reach the target

Continue talking to the server

• What are some issues to consider using shuffle?
– Shuffled system state may not be secure
– Shuffle may violate security requirements
– Shuffle may not be feasible

• E.g., cannot satisfy performance requirements
– Shuffle may not be applicable

• E.g., homogeneous network/system
– How frequently should we shuffle?

• Proactively, reactively, etc.
60

MTD Shuffle

• Diversity technique provides replacement of an
existing component/service, with different
implementation/configuration that provides the
same functionalities

• Existing vulnerabilities may be replaced with a new
set of vulnerabilities
– E.g., replaced the Windows-based computer to Mac

61

MTD Diversity

• Example: Compiler generated software diversity
– A version of software has a specific signature/binary
– There are number of instructions to carry out the software task
– These instructions can be remapped with other (single or

combinations) instructions to do the same operations
• Simply, 3+5 is the same as 14-6

can be replaced with

62

MTD Diversity

movl %edx, %eax
xchgl %edx, %eax

leal (%edx), %eax
xchgl %edx, %eax

Jackson, Todd, et al. “Compiler-generated software diversity.” Moving Target Defense. Springer, New York, NY, 2011. 77-98.

63

MTD Diversity

Jackson, Todd, et al. “Compiler-generated software diversity.” Moving Target Defense. Springer, New York, NY, 2011. 77-98.

Variant monitor and
comparison units are
added to ensure the same
operations by the variant
software

• What are some issues to consider using diversity?
– New variant(s) may be more vulnerable
– Difficult to generate variants
– Cost to implement diversity technique

• E.g., OS diversity in servers
– Downtime is more significant than shuffle

• E.g., rebooting vs SDN flow switching

64

MTD Diversity

• Redundancy aims to ensure the availability of the
system

• Replicas provide resources to handle high usage of
the system

• It can be used in conjunction with other MTD
techniques to provide defense against attackers

• For example DDoS attacks

65

MTD Redundancy

Jia, Quan, et al. “Catch me if you can: a cloud-enabled DDoS defense.” Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP
International Conference on. IEEE, 2014.

66

MTD Redundancy

Jia, Quan, et al. “Catch me if you can: a cloud-enabled DDoS defense.” Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP
International Conference on. IEEE, 2014.

• By adding redundant servers and shuffling identified bots
to the same server, we can ensure the availability of the
cloud resources to legitimate users

• Problems with redundancy techniques include
– Resource constraints
– Ineffective against attacks violating confidentiality and integrity

(but could be used for tolerance)
– Degrading performance

• Increasing redundancy does not proportionally increase availability
67

MTD Redundancy

• Different MTD techniques provide different
approaches to ensure the security objectives of the
system

• Still work to do in order to
– Assess the effectiveness of MTD techniques

• Models, metrics, methods, etc.
– Combinations of MTD techniques

• Applicable layers, compatibility etc.
68

MTD summary

• We looked at vulnerability scanning and sandboxing
methods,

• And we looked at steganography and MTD techniques

• There are many other security methods and techniques
to be explored!

• All security methods and techniques provide means to
ensure the security objectives of the system

• Should be carefully designed and implemented to
maximise the security 69

Summary

• Port scanning
– https://nmap.org/nmap_doc.html

• Vulnerability database
– CVE – https://cve.mitre.org
– NVD – https://nvd.nist.gov

• Sandboxing
– chroot jail escape – http://www.ouah.org/chroot-break.html

• Steganography
– http://io.acad.athabascau.ca/~grizzlie/Comp607/menu.htm
– https://www.garykessler.net/library/steganography.html
– https://null-byte.wonderhowto.com/how-to/steganography-hide-secret-

data-inside-image-audio-file-seconds-0180936/ 70

Additional Items

https://nmap.org/nmap_doc.html
https://cve.mitre.org/
https://nvd.nist.gov/
http://www.ouah.org/chroot-break.html
https://www.garykessler.net/library/steganography.html
https://www.garykessler.net/library/steganography.html
https://null-byte.wonderhowto.com/how-to/steganography-hide-secret-data-inside-image-audio-file-seconds-0180936/

• Steganography python examples
– https://github.com/ragibson/Steganography
– https://github.com/VasilisG/LSB-steganography

• Steganalysis
– https://www.sans.org/reading-

room/whitepapers/stenganography/steganalysis-detecting-hidden-
information-computer-forensic-analysis-1014

• Moving Target Defense
– Jajodia, Sushil, et al., eds. Moving target defense: creating asymmetric

uncertainty for cyber threats. Vol. 54. Springer Science & Business Media,
2011.

– Many other research articles on google scholar, keyword “moving target
defense” 71

Additional Items

https://github.com/ragibson/Steganography
https://github.com/VasilisG/LSB-steganography
https://www.sans.org/reading-room/whitepapers/stenganography/steganalysis-detecting-hidden-information-computer-forensic-analysis-1014