8. Defense Mechanisms 2 – Techniques and Methods
Defense Mechanisms 2:
Techniques and Methods
CITS3004
Alvaro Monsalve
1
1. Vulnerability scanning
2. Sandboxing
3. Steganography
4. Moving Target Defense
Agenda
2
What is a vulnerability?
– Software flaws or configuration error(s) that allow
attackers to violate the security objectives (CIA) of the
system
• Vulnerabilities arise from bugs in applications or
design flaws in the system
• Vulnerabilities can be found in all layers of the
system
3
1. Vulnerability
• Vulnerability scanning can
– Identify flaws in the system applications and designs
– Find what services are running
– Ensure vulnerabilities are patched correctly
– Part of a pre-emptive step to remove vulnerabilities before
attackers exploit them
4
Vulnerability Scanning
• “Scanning” is means of collecting information about
computer systems and the entities they belong to
• Attackers also conduct “scanning” in the pre-attack
phase, or more commonly known as reconnaissance
5
Vulnerability Scanning
• How are vulnerabilities discovered?
– Known vulnerabilities using tools
– New vulnerabilities by humans
• Hacker groups
• Security companies or
• Researchers
– E.g., a group may discover a vulnerability related to a software
(could be by accident or through a directed research)
– Vulnerability is disclosed to the public
• When?
6
Vulnerability Scanning
7
Vulnerability Scanning
https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cwe-over-time#vuln-type-total-by-year-title
• Some widely used canning categories are
– Port scanners
• Nmap – https://nmap.org/
– Network vulnerability scanners
• Nessus – https://www.tenable.com/products/nessus/nessus-professional
• OpenVAS – http://www.openvas.org/
• Qualys, SAINT, etc.
– Web application vulnerability scanning tools
• List from OWASP –
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
• There are other types as well
– E.g., database security scanner, host-based vulnerability scanner etc.
8
Vulnerability Scanning
https://nmap.org/
https://www.tenable.com/products/nessus/nessus-professional
http://www.openvas.org/
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
• Ping and ICMP (Internet Control Message Protocol)
scan
– Typically for server scanning
• TCP and UDP scan
– Typically for port scanning
9
Basics of scanning
10
Ping in Windows
1
2 3 4
5
6
1) ICMP packet length
2) ICMP echo reply packet length
3) Time to receive the ICMP echo reply packet
4) Time to live value
5) Number of request, reply and lost packets
6) Approximate round trip time
11
Well known ports
• UDP scanning
– Attacker sends an UDP packet
• No response → the port is open
• ICMP Unreachable packet received → the port is closed
• TCP scanning
– Attacker sends SYN packet
• SYN+ACK packet received → the port is open
• RST+ACK packet received → the port is closed
12
TCP/UDP scanning
• Initiate the 3-way handshake to check the port
• Provides fast port scanning and requires no privilege
• However, this is easily detectable
– And so likely to be blocked
– Sol: use stealth scanning methods
13
TCP scanning
• TCP SYN scanning (aka half-open scanning)
14
Stealth TCP scanning 1
Attacker Victim
SYN
SYN, ACK
RST
Attacker Victim
SYN
RST, ACK
Port is open Port is closed
Note: many systems will not log this connection attempt
• TCP FIN scanning
15
Stealth TCP scanning 2
Attacker Victim
FIN
Attacker Victim
FIN
RST, ACK
Port is open Port is closed
No response
Note: Some systems may sent RST packets regardless
• Other techniques include
– Fragmentation scanning
• Chopping the existing scanning packets into smaller fragments
– TCP reverse ident scanning
• Ident protocol to extract connection information
– FTP bounce attack
• Manipulating the FTP server protocol interpreter to redirect files
– Etc… see additional items for more.
16
Stealth TCP scanning +
17
Vulnerability Scanning
Scanning
engine
Vulnerability
database
Scan results
UI
1
2
3
4
• From Tenable©
• Runs on various Oses
– Linux, Unix-based, Windows etc
• Keeps their own vulnerability database
– Good or bad?
• Uses Nessus Attack Scripting Language
– So you can write your own scripts and plugins
• There are various (and many free) plugins available to use
– https://www.tenable.com/plugins/nessus/families
• Vulnerabilities found are classified based on their risk-factor
• Is a commercial product
– Currently $3468.11AUD per annum for the professional version (as of 2018)
18
Example: Nessus
$4164.34AUD per annum for the professional version (as of 2019)!
https://www.tenable.com/plugins/nessus/families
• Nessus can scan various types of vulnerabilities
– Windows vulnerabilities
– Insecure scripts
• E.g., Common Gateway Interface
– RPC (remote procedure call)
program vulnerabilities
– Firewall misconfigurations
– FTP insecure implementations
– Etc.
• Provides ranking of them
19
Example: Nessus
• Widely used vulnerability database
20
Vulnerability database
• CVE provides a list of standardised names for
vulnerabilities
– These vulnerabilities are publicly known
– Security experts form editorial board and provide the
description
– E.g., CVE-2014-0160
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle
Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from
process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading
private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
• MITRE Corporation maintains CVE and moderates the
editorial board discussions
21
Vulnerability database
http://cve.mitre.org
• NVD is a comprehensive cybersecurity vulnerability
database
– Maintained by NIST, an US organisation
– Synchronised with CVE vulnerability naming standard
– Provides some security metrics about the vulnerability
• E.g., CVSS base score, vectors, etc.
• CVE-2014-0160 has the CVSS BS of 5.0
22
Vulnerability database
http://nvd.nist.gov
• Requires continuous efforts to discover and mitigate
vulnerabilities
• Difficult to address problems with new and unknown
vulnerabilities
– E.g., zero-day vulnerabilities
• Global efforts are made to address issues associated with
each steps of vulnerability scanning
– E.g., improve anomaly detection using AI and machine learning
23
Vulnerability Scanning:
Summary
• Often we have untrusted code that we wish to run
– E.g., program from Internet including toolbars, viewers, codecs
etc
• We should contain that code in a zone such that if it
misbehaves, we can easily kill it
• Create the zone through confinement – sandboxing!
24
2. Sandboxing
• Confinement: To contain the application in an isolation to
ensure it does not carry out unapproved actions
• Can be implemented at many levels:
– Hardware: run application on isolated hw (air gap)
– Virtual machines: isolate OS’s on single hardware
– System call interposition: Isolates a process in a single operating system
– Software Fault Isolation (SFI): Isolating threads sharing same address space
– Application specific: e.g. browser-based confinement
25
Sandboxing
• Example: using chroot
• Often used for guest accounts
• The path “/tmp/guest” is added to the file system accesses for
applications in jail
chroot
Requires root privilege
chroot /tmp/guest root dir “/” is now “/temp/guest”
su guest EUID is set to “guest”
Problem: utility programs also need to be available in the jail (e.g., ls, ps, vi)
CH
27
chroot
CHAccess is restricted within the boundaries
• Application cannot access files outside of jail
• Jailkit is used to address this problem
• auto builds files, libs, and directories needed in the jail
environment
• jk_init: creates jail environment
• jk_check: checks jail env for security problems
• checks for any modified programs,
• checks for world writable directories, etc.
• jk_lsh: restricted shell to be used inside jail
28
chroot CH
• Of course, people will try to break out of jails…
29
chroot
Scenario 1:
open(“../../etc/password”, “r”)
Scenario 2:
mkdir “/asdf/etc/passwd”
chroot “/asdf ”
chroot(“../../../../../../../../../..”)
CH
If the process has a
root privilege, you
can escape the jail!
• chroot lacks many capabilities
– All or nothing access to the file system
• Not so useful for web applications etc
– Need to provide access to files outside the jail
– Malicious applications can access the network
• And do something with other internally connected machines
• Suggestion: do not use chroot as a security solution
– Use better approaches and combinations with other approaches
30
chroot CH
• Software Fault Isolation
• Problem: legitimate and malicious applications running
in the same address space
– E.g., device drivers trying to corrupt kernel
• Solution
– Separate applications into different address spaces
– Instructions are added before memory operations and verify
behaviour (e.g., illegal memory access)
31
SFI
• Partition process memory into segments
• Locate unsafe instructions (e.g., jmp, load, store)
– Add safety instructions for memory access
– Add guards before unsafe instructions at compile time
– Validate guards when loading them
32
SFI
code
segment
data
segment
code
segment
data
segment
app #1 app #2
• Reconstruct code instructions for safety
• Untrusted code (applications) should only be able to
– Jump within its domain’s code segment
– Write within its domain’s data segment
33
SFI
STR R0, R1 ; write R1 to Mem[R0]
MOV Ra, R0 ; copy R0 into Ra
SHR Rb, Ra, Rc ; Rb = Ra >> Rc, get the segment ID
CMP Rb, Rd ; Rd holds the data segment ID
BNE fault ; wrong data segment ID
STR Ra, R1 ; Ra in data segment, so write
Unsafe instruction
Rewritten instruction
by sandbox
STR – store
MOV – move
SHR – shift logical right
CMP – compare
BNE – branch on not equal
• Some instructions use register and offset addressing
– i.e., needs extra space for the instruction
• Add guard zone to each segment to avoid calculating
the offset
34
SFI
code
segment
data
segment
app #1
G
ua
rd
z
on
e
G
ua
rd
z
on
e
G
ua
rd
z
on
e
G
ua
rd
z
on
e
• Verifier ensures all instructions are safe
• Verifier checks no privileged instructs are in the code
• Verifier also checks relevant instructions are within
the code/data segments
• If the sandboxed code fails any checks, verifier
rejects the code
35
SFI
• Provides a good performance with a little overhead
– Typically around 4% processing overhead
• Confines writes and control transfers in extension’s data and
code segments, respectively
• Prevent execution of privileged instructions
• However, more difficult to implement on x86 architectures
– It was not designed for x86 in the first place
– Variable length instructions: hard to place guards
– Many instructions that affects the memory: need more guards
36
SFI
• Various techniques for sandboxing in different layers
of the system
• It is difficult to fully isolate malicious code, due to
dependencies
• Defining sandboxing policy is one of the top key
challenges
37
Sandboxing summary
38
3. Steganography
They are not the same picture!
39
Steganography
This is the original imageThis is the altered image
• Art (and science) of creating hidden messages which
can only be identified by the sender and the receiver
– Hiding a piece of information within another
40
Steganography
“He encouraged leaving late on Wednesday
only realising Laurie did!”
He encouraged leaving late on Wednesday
only realising Laurie did! -> Hello World!
41
Steganography
Secret
Message
Cover
Stegosystem
encoder
Stegosystem
decoder
Key
Original
cover
Secret
Message
Steganography
object
Optional
Optional
• Popular steganography techniques include
– Text steganography
• Position, alignment, alternation, font etc.
– Media steganography
• Image, video, audio etc.
42
Steganography
• Here is a steganography example used in WW2
• “Apparently neutral’s protest is thoroughly
discounted And ignored. Isman hard hit. Blockade
issue affects Pretext for embargo on by products,
ejecting suets and Vegetable oils.”
• Can you tell what the secret message is?
• Hint: position of the texts
43
Text Steganography
Ans: Read every second letter from each word
“PERSHING SAILS FROM NY [R] JUNE I”
PERSHING was a senior
army officer from US
44
Text Steganography
Key
• Let’s take an example approach
45
Text Steganography
This sentence.
To be seen or not.
Regardless of the nature.
One cannot decide.
What to do, what not to do.
Hence, it could be argued.
Nevertheless, useless.
Only time will tell.
Again, tomorrow.
Anything secret about this? How about now?
Unusual white spaces
• We can encode 1s and 0s by the number of white
spaces at the end of each line.
– No space for 0, extra space for 1
– Previous example encoded 110101011
• The encoded text is invisible to the human eyes in
typical text editors (white spaces)
• However, the file size will be altered
– Typically increased
46
Text Steganography
• Take advantage of the limitations of human visual
capabilities.
• One commonly used technique is to alter the least
significant bit (LSB)
• Changing the least significant bit (i.e., each of the 8th bit
for each colour in the image colour coding)
– Can embed 3 bits per pixel
• BMP images are used in common due to their lossless
compression
47
Image Steganography
• Imagine we are given the following RGB encoding
• Now, we want to hide data 101 101 101, then we get the following
48
Image Steganography
10010101 00001101 11001001
10010110 00001111 11001010
10011111 00010000 11001011
10010101 00001100 11001001
10010111 00001110 11001011
10011111 00010000 11001011
Essentially, we only changed 4/9 bits, or 44% of the LSB
• Steganos
• S-Tools (GIF, JPEG)
• StegHide (WAV, BMP)
• Invisible Secrets (JPEG)
• JPHide
• MP3Stego
• Hiderman
• And many other privately created tools
49
Steganography tools
• To discover hidden information in given data
• Similar to cryptanalysis, attackers can hold various
information
– Stego only, known cover, known message, chosen stego etc.
• There are many tools that can be used to detect for
different types of data
– But you need to know what you are looking for
– See additional items for more tools
50
Steganalysis
• To make steganalysis more difficult, steganography and
cryptography are typically used together
– The secret message is encrypted, so even if it was detected, it is
difficult to decode the message
• To retrieve such information, both steganalysis and
cryptanalysis are needed
– Adding another layer of complexity
– Good for protecting assets from malicious users
– Much more difficult to detect malicious activities (e.g., terrorists)
51
Steganalysis
• Simply MTD, is a defense mechanism that continuously
changes the attack surface to thwart cyberattacks
• Different types of changes can be made in the system, and
they can be categorised into three
52
4. Moving Target Defense
Shuffle
Every t seconds
Virtual IP: X Virtual IP: Y
Redundancy
Single server One additional
replica server
Diversity
2 Apache Servers 1 Apache, 1 Windows
Servers
• MTD can also be implemented in different layers of
the system
– For example:
• Application layer – code regeneration/diversification
• Transport layer – routing node redundancy
• Internet layer – IP shuffling and virtualisation
53
MTD
54
MTD
Evans, David, Anh Nguyen-Tuong, and John Knight. “Effectiveness of moving target defenses.” Moving Target Defense. Springer New York, 2011. 29-48.
• The MTD shuffle technique changes the configuration of
the system such that connections/dependencies are
altered but the operations are maintained
– E.g., changing the routing table in the SDN
• Existing vulnerabilities are not removed, but it redirects
the attack sequence to be taken
– Hence, delaying the reconnaissance process, as well as breaking
an ongoing attack
55
MTD Shuffle
• Example: Openflow Random Host Mutation
– Typically, a host has one (physically) IP address
– In ‘HF-RHM scheme’, each host has a physical IP address and a virtual IP
address
– Only the SDN controller knows the physical IP address of each host
– Virtual IP (vIP) addresses are used for establishing communication
channels
– vIP addresses are shuffled every x seconds, OF switches are updated to
redirect flows and update the existing communications
– Attackers probing for IP addresses loses the identified victim host as vIP
shuffles
56
MTD Shuffle
Jafarian, Jafar Haadi, Ehab Al-Shaer, and Qi Duan. “Openflow random host mutation: transparent moving target defense using software defined networking.” Proceedings of the
first workshop on Hot topics in software defined networks. ACM, 2012.
57
MTD Shuffle
rIP: 192.168.0.32
vIP: 202.100.64.84
rIP: 192.168.0.33
vIP: 202.102.75.22
rIP: 192.168.0.103
vIP: 202.116.3.89
Found open port at
IP: 202.102.75.22
1 Attacker found vulnerabilities in the web server by scanning
Talking with web server
58
MTD Shuffle
rIP: 192.168.0.32
vIP: 202.167.69.41
rIP: 192.168.0.33
vIP: 202.122.78.14
rIP: 192.168.0.103
vIP: 202.198.43.1
Preparing exploits
2 SDN controller shuffles vIP
Seamlessly authenticate
59
MTD Shuffle
rIP: 192.168.0.32
vIP: 202.167.69.41
rIP: 192.168.0.33
vIP: 202.122.78.14
rIP: 192.168.0.103
vIP: 202.198.43.1
Launch exploit to
202.102.75.22
3 Attacker cannot reach the target
Continue talking to the server
• What are some issues to consider using shuffle?
– Shuffled system state may not be secure
– Shuffle may violate security requirements
– Shuffle may not be feasible
• E.g., cannot satisfy performance requirements
– Shuffle may not be applicable
• E.g., homogeneous network/system
– How frequently should we shuffle?
• Proactively, reactively, etc.
60
MTD Shuffle
• Diversity technique provides replacement of an
existing component/service, with different
implementation/configuration that provides the
same functionalities
• Existing vulnerabilities may be replaced with a new
set of vulnerabilities
– E.g., replaced the Windows-based computer to Mac
61
MTD Diversity
• Example: Compiler generated software diversity
– A version of software has a specific signature/binary
– There are number of instructions to carry out the software task
– These instructions can be remapped with other (single or
combinations) instructions to do the same operations
• Simply, 3+5 is the same as 14-6
can be replaced with
62
MTD Diversity
movl %edx, %eax
xchgl %edx, %eax
leal (%edx), %eax
xchgl %edx, %eax
Jackson, Todd, et al. “Compiler-generated software diversity.” Moving Target Defense. Springer, New York, NY, 2011. 77-98.
63
MTD Diversity
Jackson, Todd, et al. “Compiler-generated software diversity.” Moving Target Defense. Springer, New York, NY, 2011. 77-98.
Variant monitor and
comparison units are
added to ensure the same
operations by the variant
software
• What are some issues to consider using diversity?
– New variant(s) may be more vulnerable
– Difficult to generate variants
– Cost to implement diversity technique
• E.g., OS diversity in servers
– Downtime is more significant than shuffle
• E.g., rebooting vs SDN flow switching
64
MTD Diversity
• Redundancy aims to ensure the availability of the
system
• Replicas provide resources to handle high usage of
the system
• It can be used in conjunction with other MTD
techniques to provide defense against attackers
• For example DDoS attacks
65
MTD Redundancy
Jia, Quan, et al. “Catch me if you can: a cloud-enabled DDoS defense.” Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP
International Conference on. IEEE, 2014.
66
MTD Redundancy
Jia, Quan, et al. “Catch me if you can: a cloud-enabled DDoS defense.” Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP
International Conference on. IEEE, 2014.
• By adding redundant servers and shuffling identified bots
to the same server, we can ensure the availability of the
cloud resources to legitimate users
• Problems with redundancy techniques include
– Resource constraints
– Ineffective against attacks violating confidentiality and integrity
(but could be used for tolerance)
– Degrading performance
• Increasing redundancy does not proportionally increase availability
67
MTD Redundancy
• Different MTD techniques provide different
approaches to ensure the security objectives of the
system
• Still work to do in order to
– Assess the effectiveness of MTD techniques
• Models, metrics, methods, etc.
– Combinations of MTD techniques
• Applicable layers, compatibility etc.
68
MTD summary
• We looked at vulnerability scanning and sandboxing
methods,
• And we looked at steganography and MTD techniques
• There are many other security methods and techniques
to be explored!
• All security methods and techniques provide means to
ensure the security objectives of the system
• Should be carefully designed and implemented to
maximise the security 69
Summary
• Port scanning
– https://nmap.org/nmap_doc.html
• Vulnerability database
– CVE – https://cve.mitre.org
– NVD – https://nvd.nist.gov
• Sandboxing
– chroot jail escape – http://www.ouah.org/chroot-break.html
• Steganography
– http://io.acad.athabascau.ca/~grizzlie/Comp607/menu.htm
– https://www.garykessler.net/library/steganography.html
– https://null-byte.wonderhowto.com/how-to/steganography-hide-secret-
data-inside-image-audio-file-seconds-0180936/ 70
Additional Items
https://nmap.org/nmap_doc.html
https://cve.mitre.org/
https://nvd.nist.gov/
http://www.ouah.org/chroot-break.html
https://www.garykessler.net/library/steganography.html
https://www.garykessler.net/library/steganography.html
https://null-byte.wonderhowto.com/how-to/steganography-hide-secret-data-inside-image-audio-file-seconds-0180936/
• Steganography python examples
– https://github.com/ragibson/Steganography
– https://github.com/VasilisG/LSB-steganography
• Steganalysis
– https://www.sans.org/reading-
room/whitepapers/stenganography/steganalysis-detecting-hidden-
information-computer-forensic-analysis-1014
• Moving Target Defense
– Jajodia, Sushil, et al., eds. Moving target defense: creating asymmetric
uncertainty for cyber threats. Vol. 54. Springer Science & Business Media,
2011.
– Many other research articles on google scholar, keyword “moving target
defense” 71
Additional Items
https://github.com/ragibson/Steganography
https://github.com/VasilisG/LSB-steganography
https://www.sans.org/reading-room/whitepapers/stenganography/steganalysis-detecting-hidden-information-computer-forensic-analysis-1014