Slides on GSM security and Overflow attacks

1,401 views

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,401
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
52
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Beskriv trusler separat?
  • Slides on GSM security and Overflow attacks

    1. 1. GSM <ul><li>Global System for Mobile Communications, 1992 </li></ul><ul><li>Security in mobile phones </li></ul><ul><li>System used all over the world </li></ul>
    2. 2. GSM: Threat Model <ul><li>What </li></ul><ul><ul><li>Cloning </li></ul></ul><ul><ul><li>Eavesdropping </li></ul></ul><ul><ul><li>Tracking </li></ul></ul><ul><li>Who </li></ul><ul><ul><li>Criminals </li></ul></ul><ul><ul><li>Secret Services </li></ul></ul><ul><li>Why </li></ul><ul><ul><li>Break Confidentiality </li></ul></ul><ul><ul><li>Free phone calls </li></ul></ul><ul><ul><li>Reveal whereabouts </li></ul></ul><ul><li>How </li></ul><ul><ul><li>Break Crypto </li></ul></ul><ul><ul><li>Exploit bad design </li></ul></ul>
    3. 3. GSM: Security Policy <ul><li>Security Objectives </li></ul><ul><ul><li>Authentication </li></ul></ul><ul><ul><li>No tracking </li></ul></ul><ul><ul><li>Confidential Calls </li></ul></ul><ul><li>Strategy </li></ul><ul><ul><li>Crypto </li></ul></ul><ul><ul><li>SIM PIN codes </li></ul></ul>
    4. 4. GSM-system <ul><li>SIM </li></ul><ul><ul><li>PIN </li></ul></ul><ul><ul><li>IMSI </li></ul></ul><ul><ul><li>K i </li></ul></ul><ul><li>Base station </li></ul><ul><li>HLR </li></ul><ul><li>VLR </li></ul>
    5. 5. GSM: mechanisms authentication SIM (phone) Base station VLR HLR IMSI IMSI IMSI RAND SRES K c RAND SRES K c RAND SRES PIN SRES||K c = E Ki (RAND) Comp128
    6. 6. GSM: mechanisms No tracking <ul><li>When SIM registers on network </li></ul><ul><ul><li>TMSI – temporary/anonymous IMSI </li></ul></ul><ul><li>But IMSI must still be sent initially </li></ul>
    7. 7. GSM: mechanisms Confidentiality <ul><li>All conversation encrypted </li></ul><ul><ul><li>Key: Kc </li></ul></ul><ul><ul><li>Algoritme: among others, A5 (was secret, like Comp128) </li></ul></ul>
    8. 8. GSM: attack1 on authentication SIM (phone) Base station VLR HLR IMSI IMSI IMSI RAND SRES K c RAND SRES K c RAND SRES SRES||K c = E Ki (RAND) cleartext!
    9. 9. GSM: attack2 on authentication <ul><li>Access to SIM </li></ul><ul><li>150.000 well chosen challenges </li></ul><ul><ul><li>Exploit weaknesses in Comp128 </li></ul></ul><ul><ul><li>Find K i </li></ul></ul>
    10. 10. GSM: attack/tracking <ul><li>When SIM registers on network </li></ul><ul><ul><li>TMSI – temporary/anonymous IMSI </li></ul></ul><ul><li>But IMSI sent initially </li></ul><ul><li>IMSI-catcher </li></ul><ul><ul><li>Strong signal </li></ul></ul><ul><ul><li>Pretend not to understand ”forstå” TMSI </li></ul></ul><ul><ul><li>SIM sends IMSI </li></ul></ul>
    11. 11. GSM: attack on Confidentiality <ul><li>All conversation encrypted </li></ul><ul><ul><li>Key: Kc </li></ul></ul><ul><ul><li>Algorithm: A5 and others(originally secret, like Comp128) </li></ul></ul><ul><li>A5 and the way it is used has weaknesses </li></ul><ul><ul><li>Attack can be done within minutes </li></ul></ul>
    12. 12. GSM: what can we learn? <ul><li>Krypto the weakest link?! </li></ul><ul><ul><li>Kerchhoffs principle (Comp128 og A5 secret) </li></ul></ul><ul><li>Misunderstanding of architecture </li></ul><ul><ul><li>Transmission of keys in cleartext  </li></ul></ul><ul><li>Was GSM security a succes or a failure? </li></ul><ul><ul><li>for who? </li></ul></ul>
    13. 13. Buffer overflows <ul><li>Very ”popular” securitybreach </li></ul><ul><li>Microsoft estimates internal expense of $100.000 pr. patch </li></ul><ul><li>Problem caused by bad code and languages that do not protect against it </li></ul><ul><ul><li>C, C++ </li></ul></ul><ul><li>Change to Java, C#, …,? Does’t always help, many OS’s are written in C </li></ul>
    14. 14. Stack overruns <ul><li>void foo(char* input){ </li></ul><ul><li>char buf[3]; </li></ul><ul><li>strcpy(buf, input); </li></ul><ul><li>} </li></ul><ul><li>void bar(void){ </li></ul><ul><li>printf(”Gotcha!”); </li></ul><ul><li>} </li></ul><ul><li>int main(int argc, char* argv[]) { </li></ul><ul><li>foo(argv[1]) </li></ul><ul><li>return 0; </li></ul><ul><li>} </li></ul>Compiled program Addr Code 0001 main: 0002 push argv[0] 0003 goto foo 0004 pop 0005 goto exit 0006 foo: 0007 allocate buf 0008 push buf 0009 push input 0010 goto strcpy 0011 return 0012 bar: 0013 push ”Gotcha!” 0014 goto printf 0015 pop 0016 return
    15. 15. Program.exe ”baz” <ul><li>Stack </li></ul><ul><li>Addr Data </li></ul><ul><li>5601 </li></ul><ul><li>5602 </li></ul><ul><li>5607 </li></ul><ul><li>5608 </li></ul><ul><li>5610 </li></ul>Addr Code 0001 main: 0002 push argv[0] 0003 goto foo 0004 pop 0005 goto exit 0006 foo: 0007 allocate buf 0008 push buf 0009 push input 0010 goto strcpy 0011 return 0012 bar: 0013 push ”Gotcha!” 0014 goto printf 0015 pop 0016 return <ul><li>Stack </li></ul><ul><li>Addr Data </li></ul><ul><li>5601 </li></ul><ul><li>5602 5610 </li></ul><ul><li>5604 </li></ul><ul><li>- buf </li></ul><ul><li>- </li></ul><ul><li>- </li></ul><ul><li>0004 ret adr foo </li></ul><ul><li>5608 b </li></ul><ul><li>a </li></ul><ul><li>5610 z </li></ul><ul><li>Stack </li></ul><ul><li>Addr Data </li></ul><ul><li>5601 </li></ul><ul><li>5602 5610 </li></ul><ul><li>5604 </li></ul><ul><li>b buf </li></ul><ul><li>a </li></ul><ul><li>z </li></ul><ul><li>0004 ret adr foo </li></ul><ul><li>5608 b </li></ul><ul><li>a </li></ul><ul><li>5610 z </li></ul>
    16. 16. Program.exe ”baz12” <ul><li>Stack </li></ul><ul><li>Addr Data </li></ul><ul><li>5601 </li></ul><ul><li>5602 </li></ul><ul><li>5607 </li></ul><ul><li>5608 </li></ul><ul><li>5610 </li></ul><ul><li>5611 </li></ul>Addr Code 0001 main: 0002 push argv[0] 0003 goto foo 0004 pop 0005 goto exit 0006 foo: 0007 allocate buf 0008 push buf 0009 push input 0010 goto strcpy 0011 return 0012 bar: 0013 push ”Gotcha!” 0014 goto printf 0015 pop 0016 return <ul><li>Stack </li></ul><ul><li>Addr Data </li></ul><ul><li>5601 </li></ul><ul><li>5602 5610 </li></ul><ul><li>5604 </li></ul><ul><li>- buf </li></ul><ul><li>- </li></ul><ul><li>- </li></ul><ul><li>0004 ret adr foo </li></ul><ul><li>5608 b </li></ul><ul><li>a </li></ul><ul><li>5610 z </li></ul><ul><li>5611 12 </li></ul><ul><li>Stack </li></ul><ul><li>Addr Data </li></ul><ul><li>5601 </li></ul><ul><li>5602 5610 </li></ul><ul><li>5604 </li></ul><ul><li>b buf </li></ul><ul><li>a </li></ul><ul><li>z </li></ul><ul><li>0012 ret adr foo </li></ul><ul><li>5608 b </li></ul><ul><li>a </li></ul><ul><li>5610 z </li></ul><ul><li>5611 12 </li></ul>
    17. 17. What was wrong? <ul><li>We copied into buf and did not check if we had room </li></ul><ul><li>Values outside were changed=> program behavior changed! </li></ul>
    18. 18. Solution? <ul><li>Change Language :) </li></ul><ul><ul><li>Not (always) an option :( </li></ul></ul><ul><li>Write better code!!! </li></ul><ul><ul><li>Education </li></ul></ul><ul><ul><li>” Secure” libraries </li></ul></ul>
    19. 19. Buffer overflows: morale <ul><li>Attacks that directly target the Trusted Computing Base </li></ul><ul><li>Serious! </li></ul><ul><ul><li>Undermines most security policies </li></ul></ul><ul><li>Solution primarily to write robust code. </li></ul>

    ×