SAS (Secure Active Switch)
This document is a presentation of the Secure Active Switch algorithm.

    Presentation Transcript

    • Secure Active Switch (SAS): hardening of the Linux kernel bridge, implemented on a Motorola ColdFire embedded system. Giuseppe Gottardi, Università Politecnica delle Marche, Dipartimento di Elettronica, Intelligenza artificiale e Telecomunicazioni (D.E.I.T.). Co-advisor: Dott. Ing. Valerio Frascolla. Advisor: Prof. Massimo Conti
    • Secure Active Switch
      • What is SAS
      • Why use it
      • How it works
    • Secure Active Switch: What is SAS?
    • SAS: IT security tool
      • A tool for preventing network attacks in a local area network, based on a newly designed algorithm developed by the thesis author in collaboration with the DEIT.
      • Hardening of the Linux kernel v2.6
        • Modification of the Linux kernel's "bridge" module
      • An Active and Secure network switch
        • Active: able to send control packets
        • Secure: able to block ARP-based attacks
      • Embedded system on the MCF5485EVB
        • Freescale board with a Motorola ColdFire microprocessor (MIPS 32-bit)
    • Secure Active Switch: Why use it?
    • Attacks in the Local Area Network: STATS (CSI/FBI). Source: Computer Security Institute / Federal Bureau of Investigation. Network abuse from the inside: 60% of all attacks in 2004; losses of over $11,000,000
    • Attacks in the Local Area Network: TYPOLOGIES
      • Non-switched LAN (hub)
        - All packets pass through the attacking host.
      • Switched LAN (traditional switching)
        - Packets from the attacked hosts pass through the attacking host after an M.I.T.M. attack.
      • Types of M.I.T.M. attacks
      • LOCAL TO LOCAL:
        - ARP poisoning - DNS spoofing - STP mangling
        - Port stealing
      • LOCAL TO REMOTE (through the gateway):
        - ARP poisoning - DNS spoofing - DHCP spoofing
        - ICMP redirection - IRDP spoofing - route mangling
    • "Man In The Middle" attacks: HTTPS (SSL) [slide figure] Giuseppe Gottardi [email_address]
    • "Man In The Middle" attacks: KEY EXCHANGING - HTTPS
      • Consists of modifying the SSL certificate exchanged between an HTTPS web server and a client (this also applies to SSH v1). The technique allows encrypted sessions to be decrypted.
      [Slide diagram: Client, MITM and Server; RSA keys KEY-A and KEY-B; the session key S-Key sent as E_key-B(S-Key) and E_key-A(S-Key); a message M sent as E_skey(M) and recovered with D(E(M)) on both sides]
    • "Man In The Middle" attacks: FILTERING - HTTPS redirection
      • A form served over HTTPS is forced to authenticate over HTTP
      [Slide diagram: Client, MITM and Server. The client receives an HTTP main page containing an HTTPS login form; the MITM changes the form destination to http://mitm; the client's HTTP post (login/password) reaches the MITM, which auto-submits a hidden form carrying the correct authentication data as the real HTTPS authentication post; the client ends up with an authenticated connection]
    • Secure Active Switch: How does it work?
    • ARP poisoning SIMULATION
      [Slide diagram, reconstructed from its labels: Host A (IP 10.0.0.1, MAC 01:02:03:04:05:0A), Host B (IP 10.0.0.2, MAC 01:02:03:04:05:0B) and the attacker (IP 10.0.0.3, MAC 01:02:03:04:05:0C) are connected to a traditional switch on DEV-1, DEV-2 and DEV-3. Before the attack, ARP cache A holds 10.0.0.3 -> 01:02:03:04:05:0C and 10.0.0.2 -> 01:02:03:04:05:0B, and ARP cache B holds 10.0.0.3 -> 01:02:03:04:05:0C and 10.0.0.1 -> 01:02:03:04:05:0A. After ARP poisoning, cache A maps 10.0.0.2 to 01:02:03:04:05:0C and cache B maps 10.0.0.1 to 01:02:03:04:05:0C, so the "packet from A" and the "packet from B" are both delivered to the attacker. The switch's CAM table (STATE / MAC / DEV) holds only layer-2 information: FORWARDING 01:02:03:04:05:0A DEV-1; FORWARDING 01:02:03:04:05:0B DEV-2; FORWARDING 01:02:03:04:05:0C DEV-3. It cannot see the inconsistency.]
    • Secure Active Switch: HOW IT WORKS - simulation
      • The SAS switch adds layer-3 information to the traditional CAM table.
      [Slide diagram, reconstructed from its labels: Host A (10.0.0.1, 01:02:03:04:05:0A) on DEV-1, Host B (10.0.0.2, 01:02:03:04:05:0B) on DEV-3 and the attacker (10.0.0.3, 01:02:03:04:05:0C) on DEV-2 are connected to the SAS switch. SAS checks each packet header (src/dest IP, src/dest MAC) against its table (STATE / IP / MAC / DEV). The snapshots shown on the slide are:
        - Start: DEV-1, DEV-2 and DEV-3 all LEARNING.
        - A sends to B (src IP 10.0.0.1, src MAC 01:02:03:04:05:0A): FORWARDING 10.0.0.1 01:02:03:04:05:0A DEV-1; DEV-2 and DEV-3 still LEARNING.
        - B sends (src IP 10.0.0.2, src MAC 01:02:03:04:05:0B): FORWARDING 10.0.0.2 01:02:03:04:05:0B DEV-3 is added.
        - The attacker's own traffic (src IP 10.0.0.3, src MAC 01:02:03:04:05:0C): FORWARDING 10.0.0.3 01:02:03:04:05:0C DEV-2 is added.
        - The attacker sends a packet with src IP 10.0.0.2 and src MAC 01:02:03:04:05:0C: mismatch ("?") against the binding registered on DEV-3. DEV-2 goes to BLOCKING, DEV-3 goes to WAITING, and SAS sends an ARP request for 10.0.0.2 on DEV-3.
        - A packet from B (src IP 10.0.0.2, src MAC 01:02:03:04:05:0B) arrives on DEV-3: the registered host is alive, DEV-2 goes to DISABLED and DEV-3 returns to FORWARDING.
        - After the disable period DEV-2 returns to FORWARDING with 10.0.0.3 / 01:02:03:04:05:0C.
        - Host C case: the same packet (src IP 10.0.0.2, src MAC 01:02:03:04:05:0C) arrives on DEV-2 but no reply comes from DEV-3 (TIMEOUT): DEV-2 becomes FORWARDING 10.0.0.2 01:02:03:04:05:0C and DEV-3 returns to LEARNING, i.e. the address has legitimately moved.]
    • Secure Active Switch: HOW IT WORKS - practical example
      SAS switch (kernel messages):
      Bridge SAS registered to SYSCTL
      SAS: port 3(eth0) entering learning state
      SAS: port 2(eth1) entering learning state
      SAS: port 1(eth1) entering learning state
      SAS: Secure Active Switch [started]
      SAS: logging [started]
      SAS: debugging [started]
      SAS: topology change detected, propagating
      SAS: port 3(eth0) entering forwarding state
      SAS: topology change detected, propagating
      SAS: port 2(eth1) entering forwarding state
      SAS: topology change detected, propagating
      SAS: port 1(eth2) entering forwarding state
      SAS: MAC 00:00:b4:5f:5a:fd [unknow] IP 192.168.1.3 [not exist]
      SAS: [eth1 | 00:00:b4:5f:5a:fd | 192.168.1.3] REGISTERED
      SAS: MAC 00:50:da:71:61:a6 [unknow] IP 192.168.1.1 [not exist]
      SAS: [eth0 | 00:50:da:71:61:a6 | 192.168.1.1] REGISTERED
      SAS: MAC 00:0e:a6:7f:75:46 [unknow] IP 192.168.1.2 [not exist]
      SAS: [eth2 | 00:0e:a6:7f:75:46 | 192.168.1.2] REGISTERED
      Attacker:
      $ ./poisoning
      Usage: ./poisoning srcip srcmac destip
      $ ./poisoning 192.168.1.2 00:00:b4:5f:5a:fd 192.168.1.1
      42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
      42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
      42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
      42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
      SAS switch (kernel messages):
      SAS: ARP attack detected from [eth1]
      SAS: MAC 00:00:b4:5f:5a:fd [know] IP 192.168.1.2 [exist]
      SAS: port 2(eth1) entering blocking state
      SAS: port 1(eth2) entering waiting state
      SAS: ARP REQUEST sent to eth2
      SAS: packet from waiting port [eth2]
      SAS: port 2(eth1) entering disabled state
      SAS: port 1(eth2) entering forwarding state
      SAS: ARP POISONING on [eth1]
      SAS: [eth1] DISABLED for 1 seconds
      SAS: [eth1] DISABLED for 2 seconds
      SAS: [eth1] DISABLED for 3 seconds
      Victim host:
      $ arp -a
      192.168.1.2 (192.168.1.2) at 00:0e:a6:7f:75:46 [ether] on eth0
      192.168.1.3 (192.168.1.3) at 00:00:b4:5f:5a:fd [ether] on eth0
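The port state machine drawn on the two simulation slides and visible in the kernel messages above, as an added example that is not part of the thesis or of the SAS kernel patch: a user-space Python model of the SAS table that keeps a (state, IP, MAC, port) binding per port, freezes both sides on an IP/port mismatch, asks the registered host to answer, and then either disables the offending port (the registered host answered) or lets the address move (timeout). The class and method names, the `arp_timeout` and `disable_time` values and the automatic return to forwarding after the disable period are assumptions of this model; the port names and addresses are those of the practical-example slide, and the message text approximates the slide's format.

```python
# Added example, not the thesis's own kernel code: a user-space Python model of the
# Secure Active Switch (SAS) port table. Port names and addresses come from the
# practical-example slide; timeout, disable period and re-enable are assumed here.
from dataclasses import dataclass
from typing import Optional

LEARNING, FORWARDING, WAITING, BLOCKING, DISABLED = (
    "learning", "forwarding", "waiting", "blocking", "disabled")

@dataclass
class Port:
    name: str
    state: str = LEARNING
    ip: Optional[str] = None   # layer-3 binding that SAS adds to the CAM entry
    mac: Optional[str] = None
    timer: int = 0             # ticks spent in WAITING or DISABLED

class SecureActiveSwitch:
    def __init__(self, port_names, arp_timeout=2, disable_time=3):
        self.ports = {n: Port(n) for n in port_names}
        self.arp_timeout = arp_timeout    # ticks to wait for the registered host (assumed)
        self.disable_time = disable_time  # ticks an offending port stays disabled (assumed)
        self.pending = {}  # waiting port name -> (blocked port name, claimed IP, claimed MAC)
        self.log = []

    def _msg(self, text):
        self.log.append("SAS: " + text)

    def _set(self, port, state):
        port.state, port.timer = state, 0
        self._msg(f"port {port.name} entering {state} state")

    def _register(self, port, ip, mac):
        port.ip, port.mac = ip, mac
        self._msg(f"[{port.name} | {mac} | {ip}] REGISTERED")
        if port.state != FORWARDING:
            self._set(port, FORWARDING)

    def _owner(self, ip):
        # Port whose registered binding already claims this IP, if any.
        return next((p for p in self.ports.values()
                     if p.ip == ip and p.state in (FORWARDING, WAITING)), None)

    def packet(self, dev, src_mac, src_ip):
        """Process a frame received on `dev`; returns the port's resulting state."""
        port = self.ports[dev]
        if port.state in (BLOCKING, DISABLED):
            return port.state                        # dropped, table unchanged
        if port.state == WAITING:
            if (src_ip, src_mac) == (port.ip, port.mac):
                # The registered host is alive, so the competing claim was poisoning.
                self._msg(f"packet from waiting port [{dev}]")
                blocked = self.ports[self.pending.pop(dev)[0]]
                self._set(blocked, DISABLED)
                self._set(port, FORWARDING)
                self._msg(f"ARP POISONING on [{blocked.name}]")
            return port.state
        owner = self._owner(src_ip)
        if owner is not None and owner is not port:
            # IP registered on another port: freeze both sides, ask the registered host.
            self._msg(f"ARP attack detected from [{dev}]")
            self._set(port, BLOCKING)
            self._set(owner, WAITING)
            self.pending[owner.name] = (dev, src_ip, src_mac)
            self._msg(f"ARP REQUEST sent to {owner.name}")
            return port.state
        if (port.ip, port.mac) != (src_ip, src_mac):
            self._register(port, src_ip, src_mac)    # new or changed binding on this port
        return port.state

    def tick(self):
        """Advance one second: expire ARP waits and count down disabled ports."""
        for port in list(self.ports.values()):
            if port.state == WAITING:
                port.timer += 1
                if port.timer >= self.arp_timeout:
                    # No answer: the IP moved legitimately, so the blocked port inherits it.
                    blocked_name, ip, mac = self.pending.pop(port.name)
                    self._msg(f"TIMEOUT on waiting port [{port.name}]")
                    port.ip = port.mac = None
                    self._set(port, LEARNING)
                    self._register(self.ports[blocked_name], ip, mac)
            elif port.state == DISABLED:
                port.timer += 1
                self._msg(f"[{port.name}] DISABLED for {port.timer} seconds")
                if port.timer >= self.disable_time:
                    self._set(port, FORWARDING)      # assumed re-enable after the penalty

def demo():
    """Replays the slide: three hosts register, eth1 claims eth2's IP, eth2 answers."""
    sw = SecureActiveSwitch(["eth0", "eth1", "eth2"])
    sw.packet("eth1", "00:00:b4:5f:5a:fd", "192.168.1.3")
    sw.packet("eth0", "00:50:da:71:61:a6", "192.168.1.1")
    sw.packet("eth2", "00:0e:a6:7f:75:46", "192.168.1.2")
    sw.packet("eth1", "00:00:b4:5f:5a:fd", "192.168.1.2")  # spoofed source IP from eth1
    sw.packet("eth2", "00:0e:a6:7f:75:46", "192.168.1.2")  # the real owner answers on eth2
    for _ in range(3):
        sw.tick()
    return sw
```

Printing `demo().log` reproduces the sequence of the slide's kernel messages (registration, attack detected, blocking/waiting, ARP request, disabled, re-enabled) in simplified form. The design point the model makes visible is that the decision is taken by the switch, not by the hosts: the conflicting claim is held in BLOCKING until the registered host either proves it is still present (the port is disabled) or stays silent for `arp_timeout` ticks (the address is allowed to move).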
    • Secure Active Switch: EMBEDDED SYSTEM - FREESCALE M5485. 2 integrated 10/100 Ethernet ports; 1 10/100 Ethernet port on the PCI bus
      • High degree of reconfigurability of the embedded system
      • Can be developed under the GPL licence (at zero cost)
      [Slide diagram: test setup with Attacker, Host A and Host B]
    • Secure Active Switch: PERFORMANCE EVALUATIONS
      $ ping hosta
      PING hosta (192.168.1.1): 56 data bytes
      64 bytes from 192.168.1.1: icmp_seq=0 ttl=117 time=0.428 ms
      64 bytes from 192.168.1.1: icmp_seq=1 ttl=117 time=0.493 ms
      64 bytes from 192.168.1.1: icmp_seq=2 ttl=117 time=0.469 ms
      …
      --- ping statistics ---
      1000 packets transmitted, 1000 packets received, 0% packet loss
      round-trip min/avg/max = 0.417/0.473/0.539 ms
      Round trip (ms)      without SAS   with SAS
      mean                 0.468         0.473
      standard deviation   0.047         0.049
      minimum              0.413         0.417
      maximum              0.532         0.539
      Percentage variation: +1.06%
    • Conclusions
      • The ARP attacks an attacker can carry out on the local network were effectively blocked
      • The overhead introduced under normal network operating conditions was 1.06% (measured as the mean round trip over a sample of 1000 ICMP packets)
      • The port of the Linux bridge with the S.A.S. patch to the ColdFire architecture was completed successfully.
        • Giuseppe Gottardi
        • [email_address]
        • http://overet.securitydate.it
        • S.P.I.N.E Research Group, Inc.
        • S.D.G. Security Date Group, Inc.