SAS (Secure Active Switch)

This document is a presentation of Secure Active Switch algorithm.

Published in: Technology, News & Politics

Transcript

  • 1. Secure Active Switch (SAS): hardening of the Linux kernel bridge, implemented on a Motorola ColdFire embedded system. Giuseppe Gottardi, Università Politecnica delle Marche, Dipartimento di Elettronica, Intelligenza Artificiale e Telecomunicazioni (D.E.I.T.). Co-supervisor: Dott. Ing. Valerio Frascolla. Supervisor: Prof. Massimo Conti
  • 2. Secure Active Switch
    • What SAS is
    • Why use it
    • How it works
  • 3. Secure Active Switch: What is SAS?
  • 4. SAS: IT security tool
    • A tool for preventing attacks on a local network, based on a newly designed algorithm developed by the thesis author in collaboration with DEIT.
    • Hardening of the Linux kernel v2.6
      • Modification of the "bridge" module of the Linux kernel
    • Active and Secure network switch
      • Active: able to send control packets
      • Secure: able to block ARP-based attacks
    • Embedded system on the MCF5485EVB
      • Freescale board with a Motorola ColdFire microprocessor (MIPS 32-bit)
  • 5. Secure Active Switch: Why use it?
  • 6. Attacks in Local Area Networks: STATS – CSI/FBI. Source: Computer Security Institute / Federal Bureau of Investigation. Network abuse from the inside (60% of all attacks in 2004); losses of over $11,000,000.
  • 7. Attacks in Local Area Networks: TYPOLOGIES
    • Non-switched LAN (hub): all packets pass through the attacker's host.
    • Switched LAN (traditional switching): the attacked hosts' packets pass through the attacker's host after a M.I.T.M. attack.
    • Types of M.I.T.M. attack
      • LOCAL TO LOCAL: ARP poisoning, DNS spoofing, STP mangling, port stealing
      • LOCAL TO REMOTE (through the gateway): ARP poisoning, DNS spoofing, DHCP spoofing, ICMP redirection, IRDP spoofing, route mangling
  • 8. "Man In The Middle" attacks: HTTPS (SSL)
  • 9. "Man In The Middle" attacks: KEY EXCHANGING – HTTPS
    • Consists of modifying the SSL certificate exchanged between an HTTPS web server and a client (it also applies to SSH v1). This technique makes it possible to decrypt encrypted sessions.
    [Diagram: Server, Client and MITM; RSA keys KEY-A and KEY-B; the session key S-KEY exchanged as E_key-B(S-Key) and E_key-A(S-Key); the message E_skey(M) recovered as D(E(M)) on both legs.]
  • 10. "Man In The Middle" attacks: FILTERING – HTTPS redirection
    • An HTTPS form is forced to authenticate over HTTP.
    [Diagram, Client / MITM / Server: HTTP main page with an HTTPS login form; the MITM changes the form destination to http://mitm; HTTP POST (login, password); auto-submitting hidden form with the right authentication data; real HTTPS authentication POST; authenticated connection.]
  • 11. Secure Active Switch: How does it work?
  • 12. ARP poisoning SIMULATION
    Hosts: Host A (IP 10.0.0.1, MAC 01:02:03:04:05:0A), Host B (IP 10.0.0.2, MAC 01:02:03:04:05:0B) and the attacker (IP 10.0.0.3, MAC 01:02:03:04:05:0C), connected to the switch ports DEV-1, DEV-2 and DEV-3.
    Switch CAM table (STATE, MAC, DEV):
      FORWARDING  01:02:03:04:05:0A  DEV-1
      FORWARDING  01:02:03:04:05:0B  DEV-2
      FORWARDING  01:02:03:04:05:0C  DEV-3
    ARP cache A before the attack (IP -> MAC): 10.0.0.2 -> 01:02:03:04:05:0B, 10.0.0.3 -> 01:02:03:04:05:0C
    ARP cache B before the attack (IP -> MAC): 10.0.0.1 -> 01:02:03:04:05:0A, 10.0.0.3 -> 01:02:03:04:05:0C
    ARP cache A after ARP poisoning: 10.0.0.2 -> 01:02:03:04:05:0C, 10.0.0.3 -> 01:02:03:04:05:0C
    ARP cache B after ARP poisoning: 10.0.0.1 -> 01:02:03:04:05:0C, 10.0.0.3 -> 01:02:03:04:05:0C
    Packets from A and packets from B are now addressed to the attacker's MAC.
  • 13. Secure Active Switch HOW IT WORKS – simulation
    Hosts: Host A (10.0.0.1 / 01:02:03:04:05:0A) on DEV-1, Host B (10.0.0.2 / 01:02:03:04:05:0B) on DEV-3, attacker Host C (10.0.0.3 / 01:02:03:04:05:0C) on DEV-2.
    The SAS switch adds layer-3 information to the traditional CAM table: each entry holds STATE, IP, MAC and DEV, and the header of every incoming packet (src MAC, src IP, dest MAC, dest IP) is checked against it.
    Sequence of SAS table states:
      1. Start: all ports in LEARNING (IP ---, MAC ---).
      2. The first packet from each host registers its (IP, MAC) pair and moves the port to FORWARDING: DEV-1 10.0.0.1 / 01:02:03:04:05:0A, DEV-3 10.0.0.2 / 01:02:03:04:05:0B, DEV-2 10.0.0.3 / 01:02:03:04:05:0C.
      3. Host C sends a packet with src IP 10.0.0.2 and src MAC 01:02:03:04:05:0C (ARP poisoning): mismatch with the table, since 10.0.0.2 is bound to DEV-3. DEV-2 goes to BLOCKING, DEV-3 goes to WAITING, and the switch sends an ARP request on the WAITING port.
      4a. Host B answers (ARP reply on DEV-3 with src IP 10.0.0.2, src MAC 01:02:03:04:05:0B): DEV-2 goes to DISABLED for a limited time, DEV-3 returns to FORWARDING, and afterwards all ports are FORWARDING again with the original bindings.
      4b. TIMEOUT (no answer on DEV-3): the IP has really moved, so DEV-2 goes to FORWARDING with the new binding 10.0.0.2 / 01:02:03:04:05:0C and DEV-3 returns to LEARNING.
  • 14. Secure Active Switch HOW IT WORKS – practical example
    SWITCH SAS (kernel messages):
      Bridge SAS registered to SYSCTL
      SAS: port 3(eth0) entering learning state
      SAS: port 2(eth1) entering learning state
      SAS: port 1(eth1) entering learning state
      SAS: Secure Active Switch [started]
      SAS: logging [started]
      SAS: debugging [started]
      SAS: topology change detected, propagating
      SAS: port 3(eth0) entering forwarding state
      SAS: topology change detected, propagating
      SAS: port 2(eth1) entering forwarding state
      SAS: topology change detected, propagating
      SAS: port 1(eth2) entering forwarding state
      SAS: MAC 00:00:b4:5f:5a:fd [unknow] IP 192.168.1.3 [not exist]
      SAS: [eth1 | 00:00:b4:5f:5a:fd | 192.168.1.3] REGISTERED
      SAS: MAC 00:50:da:71:61:a6 [unknow] IP 192.168.1.1 [not exist]
      SAS: [eth0 | 00:50:da:71:61:a6 | 192.168.1.1] REGISTERED
      SAS: MAC 00:0e:a6:7f:75:46 [unknow] IP 192.168.1.2 [not exist]
      SAS: [eth2 | 00:0e:a6:7f:75:46 | 192.168.1.2] REGISTERED
    ATTACKER:
      $ ./poisoning
      Usage: ./poisoning srcip srcmac destip
      $ ./poisoning 192.168.1.2 00:00:b4:5f:5a:fd 192.168.1.1
      42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
      42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
      42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
      42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
    SWITCH SAS (kernel messages during the attack):
      SAS: ARP attack detected from [eth1]
      SAS: MAC 00:00:b4:5f:5a:fd [know] IP 192.168.1.2 [exist]
      SAS: port 2(eth1) entering blocking state
      SAS: port 1(eth2) entering waiting state
      SAS: ARP REQUEST sent to eth2
      SAS: packet from waiting port [eth2]
      SAS: port 2(eth1) entering disabled state
      SAS: port 1(eth2) entering forwarding state
      SAS: ARP POISONING on [eth1]
      SAS: [eth1] DISABLED for 1 seconds
      SAS: [eth1] DISABLED for 2 seconds
      SAS: [eth1] DISABLED for 3 seconds
    VICTIM HOST:
      $ arp -a
      192.168.1.2 (192.168.1.2) at 00:0e:a6:7f:75:46 [ether] on eth0
      192.168.1.3 (192.168.1.3) at 00:00:b4:5f:5a:fd [ether] on eth0
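The port-state sequence of slides 13 and 14, as an added Python simulation that is not part of the thesis or of the kernel patch: it keeps the SAS table (STATE, IP, MAC, DEV) in memory for the slides' three hosts, and simplifies the TIMEOUT branch by returning both contending ports to LEARNING so that the next frame re-registers the moved binding.

```python
from types import SimpleNamespace

class SASSwitch:
    """In-memory model of the per-port STATE / IP / MAC / DEV table shown on slide 13."""
    def __init__(self, devs):
        self.ports = {d: SimpleNamespace(state="LEARNING", mac=None, ip=None) for d in devs}
        self.log = []

    def packet(self, dev, src_mac, src_ip):
        """Handle a frame entering port `dev`; return True if the switch forwards it."""
        port = self.ports[dev]
        if port.state in ("BLOCKING", "DISABLED"):
            return False
        if port.state == "WAITING":
            # The legitimate owner answered the ARP probe: the contender was poisoning
            for name, p in self.ports.items():
                if p.state == "BLOCKING":
                    p.state = "DISABLED"
                    self.log.append(f"ARP POISONING on [{name}]")
            port.state = "FORWARDING"
            return True
        if port.state == "LEARNING":
            port.mac, port.ip, port.state = src_mac, src_ip, "FORWARDING"
            self.log.append(f"[{dev} | {src_mac} | {src_ip}] REGISTERED")
            return True
        # FORWARDING: a source IP already bound to another port is a layer-3 mismatch
        for name, p in self.ports.items():
            if name != dev and p.state == "FORWARDING" and p.ip == src_ip:
                port.state, p.state = "BLOCKING", "WAITING"
                self.log.append(f"ARP attack detected from [{dev}], ARP REQUEST sent to {name}")
                return False
        return True

    def timeout(self):
        """No reply from the WAITING port: the IP really moved, so both ports relearn."""
        for p in self.ports.values():
            if p.state in ("WAITING", "BLOCKING"):
                p.state, p.mac, p.ip = "LEARNING", None, None

def poisoning_scenario():
    """Slide 13: A on DEV-1, B on DEV-3, attacker C on DEV-2 claims B's IP and B answers."""
    sw = SASSwitch(["DEV-1", "DEV-2", "DEV-3"])
    sw.packet("DEV-1", "01:02:03:04:05:0A", "10.0.0.1")
    sw.packet("DEV-3", "01:02:03:04:05:0B", "10.0.0.2")
    sw.packet("DEV-2", "01:02:03:04:05:0C", "10.0.0.3")
    sw.packet("DEV-2", "01:02:03:04:05:0C", "10.0.0.2")  # spoofed source: table mismatch
    sw.packet("DEV-3", "01:02:03:04:05:0B", "10.0.0.2")  # the real owner answers the probe
    return sw
```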
  • 15. Secure Active Switch EMBEDDED SYSTEM – FREESCALE M5485
    • 2 integrated 10/100 Ethernet ports
    • 1 10/100 Ethernet port on the PCI bus
    • High degree of reconfigurability of the embedded system
    • Development possible under the GPL licence (at zero cost)
    [Diagram: the attacker, Host A and Host B connected to the board.]
  • 16. Secure Active Switch PERFORMANCE EVALUATIONS
    $ ping hosta
    PING hosta (192.168.1.1): 56 data bytes
    64 bytes from 192.168.1.1: icmp_seq=0 ttl=117 time=0.428 ms
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=117 time=0.493 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=117 time=0.469 ms
    …
    --- ping statistics ---
    1000 packets transmitted, 1000 packets received, 0% packet loss
    round-trip min/avg/max = 0.417/0.473/0.539 ms
    Round trip (ms)    mean    std dev   min     max
    without SAS        0.468   0.047     0.413   0.532
    with SAS           0.473   0.049     0.417   0.539
    Percentage variation: +1.06%
  • 17. Conclusions
    • The ARP attacks an attacker can carry out on the local network were effectively blocked.
    • The overhead introduced under normal network operating conditions was 1.06% (measured as the mean round trip over a sample of 1000 ICMP packets).
    • The port of the Linux bridge with the S.A.S. patch to the ColdFire architecture was completed successfully.
  • 18.
      • Giuseppe Gottardi
      • [email_address]
      • http://overet.securitydate.it
      • S.P.I.N.E Research Group, Inc.
      • S.D.G. Security Date Group, Inc.