SAS (Secure Active Switch)

This document is a presentation of the Secure Active Switch algorithm.


  1. Secure Active Switch (SAS): hardening of the Linux kernel bridge, implemented on a Motorola ColdFire embedded system. Giuseppe Gottardi, Università Politecnica delle Marche, Dipartimento di Elettronica, Intelligenza Artificiale e Telecomunicazioni (D.E.I.T.). Co-supervisor: Dott. Ing. Valerio Frascolla. Supervisor: Prof. Massimo Conti.
  2. Secure Active Switch
     - What SAS is
     - Why use it
     - How it works
  3. Secure Active Switch: what is SAS?
  4. SAS: IT security tool
     - A tool that prevents network attacks on the local network, based on a newly designed algorithm developed by the thesis author in collaboration with DEIT.
     - Hardening of the Linux kernel v2.6
       - Modification of the Linux kernel "bridge" module
     - An Active and Secure network switch
       - Active: able to send control packets
       - Secure: able to block ARP-based attacks
     - Embedded system on the MCF5485EVB
       - Freescale board with a Motorola ColdFire microprocessor (MIPS 32-bit)
  5. Secure Active Switch: why use it?
  6. Attacks in Local Area Networks: STATS (CSI/FBI). Source: Computer Security Institute / Federal Bureau of Investigation. Network abuse from the inside accounted for 60% of all attacks in 2004, with losses of over $11,000,000.
  7. Attacks in Local Area Networks: TYPOLOGIES
     - Non-switched LAN (hub): all packets pass through the attacking host.
     - Switched LAN (traditional switching): the packets of the attacked hosts pass through the attacking host after a M.I.T.M. attack.
     - Types of M.I.T.M. attacks:
       - LOCAL TO LOCAL: ARP poisoning, DNS spoofing, STP mangling, port stealing
       - LOCAL TO REMOTE (through the gateway): ARP poisoning, DNS spoofing, DHCP spoofing, ICMP redirection, IRDP spoofing, route mangling
  8. "Man In The Middle" attacks: HTTPS (SSL). [figure: captured HTTPS (SSL) session; values shown: 1111 2222 3333 4444, 18 08 19 09] Giuseppe Gottardi [email_address]
  9. "Man In The Middle" attacks: KEY EXCHANGING - HTTPS
     - Consists of modifying the SSL certificate exchanged between an HTTPS web server and a client (it also applies to SSH v1). This technique makes it possible to decrypt encrypted sessions.
     [figure: key exchange with the MITM placed between Client and Server; RSA keys KEY-A and KEY-B, session key S-KEY; E_key-B(S-Key), E_key-A(S-Key), E_skey(M), D(E(M)) on both sides]
  10. "Man In The Middle" attacks: FILTERING - HTTPS redirection
      - A form served over HTTPS is forced to authenticate over HTTP.
      [figure: sequence between Client, MITM and Server: HTTP main page with HTTPS login form; form destination changed to http://mitm; HTTP POST (login, password) to the MITM; auto-submitting hidden form with the right authentication data; real HTTPS authentication POST; authenticated connection]
  11. Secure Active Switch: how does it work?
  12. ARP poisoning: SIMULATION
      Topology: Host A (IP 10.0.0.1, MAC 01:02:03:04:05:0A) on DEV-1, Host B (IP 10.0.0.2, MAC 01:02:03:04:05:0B) on DEV-2, attacker (IP 10.0.0.3, MAC 01:02:03:04:05:0C) on DEV-3, all on a traditional switch.
      Switch CAM table (STATE / MAC / DEV), unchanged by the attack:
        FORWARDING  01:02:03:04:05:0A  DEV-1
        FORWARDING  01:02:03:04:05:0B  DEV-2
        FORWARDING  01:02:03:04:05:0C  DEV-3
      ARP cache of Host A before the attack (IP / MAC): 10.0.0.2 -> 01:02:03:04:05:0B, 10.0.0.3 -> 01:02:03:04:05:0C
      ARP cache of Host B before the attack: 10.0.0.1 -> 01:02:03:04:05:0A, 10.0.0.3 -> 01:02:03:04:05:0C
      ARP cache of Host A after ARP poisoning: 10.0.0.2 -> 01:02:03:04:05:0C, 10.0.0.3 -> 01:02:03:04:05:0C
      ARP cache of Host B after ARP poisoning: 10.0.0.1 -> 01:02:03:04:05:0C, 10.0.0.3 -> 01:02:03:04:05:0C
      Packets from A and packets from B are now both delivered to the attacker, while the switch sees nothing unusual.
  13. Secure Active Switch: HOW IT WORKS (simulation of ARP poisoning)
      The SAS switch adds the layer 3 information (the source IP) to the traditional CAM table. Each packet header (src MAC, src IP, dest MAC, dest IP) is checked against the table; a mismatch triggers an ARP request towards the registered owner, and the outcome depends on whether an ARP reply arrives before the TIMEOUT.
      Topology: Host A (IP 10.0.0.1, MAC 01:02:03:04:05:0A) on DEV-1, attacker Host C (IP 10.0.0.3, MAC 01:02:03:04:05:0C) on DEV-2, Host B (IP 10.0.0.2, MAC 01:02:03:04:05:0B) on DEV-3.
      Initial SAS table (STATE / IP / MAC / DEV): all three ports LEARNING with no binding (---).
      1) Packet from A on DEV-1 (src IP 10.0.0.1, src MAC 01:02:03:04:05:0A, dest IP 10.0.0.2, dest MAC 01:02:03:04:05:0B):
           FORWARDING  10.0.0.1  01:02:03:04:05:0A  DEV-1
           LEARNING    ---       ---                DEV-2
           LEARNING    ---       ---                DEV-3
      2) Packet from B on DEV-3 (src IP 10.0.0.2, src MAC 01:02:03:04:05:0B, dest IP 10.0.0.3, dest MAC 01:02:03:04:05:0C):
           FORWARDING  10.0.0.1  01:02:03:04:05:0A  DEV-1
           LEARNING    ---       ---                DEV-2
           FORWARDING  10.0.0.2  01:02:03:04:05:0B  DEV-3
      3) Packet from C on DEV-2 (src IP 10.0.0.3, src MAC 01:02:03:04:05:0C, dest IP 10.0.0.2, dest MAC 01:02:03:04:05:0B):
           FORWARDING  10.0.0.1  01:02:03:04:05:0A  DEV-1
           FORWARDING  10.0.0.3  01:02:03:04:05:0C  DEV-2
           FORWARDING  10.0.0.2  01:02:03:04:05:0B  DEV-3
      4) Forged packet from the attacker on DEV-2 (src IP 10.0.0.2, src MAC 01:02:03:04:05:0C, dest IP 10.0.0.1, dest MAC 01:02:03:04:05:0A): mismatch, because 10.0.0.2 is registered on DEV-3 with MAC 01:02:03:04:05:0B. DEV-2 is blocked, DEV-3 is put in waiting and an ARP request is sent out of DEV-3:
           FORWARDING  10.0.0.1  01:02:03:04:05:0A  DEV-1
           BLOCKING    10.0.0.3  01:02:03:04:05:0C  DEV-2
           WAITING     10.0.0.2  01:02:03:04:05:0B  DEV-3
      5a) ARP reply from B arrives on the waiting port DEV-3: the packet on DEV-2 was forged, so DEV-2 is disabled and DEV-3 returns to forwarding:
           FORWARDING  10.0.0.1  01:02:03:04:05:0A  DEV-1
           DISABLED    10.0.0.3  01:02:03:04:05:0C  DEV-2
           FORWARDING  10.0.0.2  01:02:03:04:05:0B  DEV-3
          After the disable period all three ports are FORWARDING again with the bindings of step 3.
      5b) TIMEOUT with no reply (the address 10.0.0.2 has really moved to the host on DEV-2): DEV-2 learns the new binding and DEV-3 goes back to learning:
           FORWARDING  10.0.0.1  01:02:03:04:05:0A  DEV-1
           FORWARDING  10.0.0.2  01:02:03:04:05:0C  DEV-2
           LEARNING    ---       ---                DEV-3
  14. Secure Active Switch: HOW IT WORKS (practical example)
      SAS switch (kernel messages):
        Bridge SAS registered to SYSCTL
        SAS: port 3(eth0) entering learning state
        SAS: port 2(eth1) entering learning state
        SAS: port 1(eth1) entering learning state
        SAS: Secure Active Switch [started]
        SAS: logging [started]
        SAS: debugging [started]
        SAS: topology change detected, propagating
        SAS: port 3(eth0) entering forwarding state
        SAS: topology change detected, propagating
        SAS: port 2(eth1) entering forwarding state
        SAS: topology change detected, propagating
        SAS: port 1(eth2) entering forwarding state
        SAS: MAC 00:00:b4:5f:5a:fd [unknow] IP 192.168.1.3 [not exist]
        SAS: [eth1 | 00:00:b4:5f:5a:fd | 192.168.1.3] REGISTERED
        SAS: MAC 00:50:da:71:61:a6 [unknow] IP 192.168.1.1 [not exist]
        SAS: [eth0 | 00:50:da:71:61:a6 | 192.168.1.1] REGISTERED
        SAS: MAC 00:0e:a6:7f:75:46 [unknow] IP 192.168.1.2 [not exist]
        SAS: [eth2 | 00:0e:a6:7f:75:46 | 192.168.1.2] REGISTERED
        SAS: ARP attack detected from [eth1]
        SAS: MAC 00:00:b4:5f:5a:fd [know] IP 192.168.1.2 [exist]
        SAS: port 2(eth1) entering blocking state
        SAS: port 1(eth2) entering waiting state
        SAS: ARP REQUEST sent to eth2
        SAS: packet from waiting port [eth2]
        SAS: port 2(eth1) entering disabled state
        SAS: port 1(eth2) entering forwarding state
        SAS: ARP POISONING on [eth1]
        SAS: [eth1] DISABLED for 1 seconds
        SAS: [eth1] DISABLED for 2 seconds
        SAS: [eth1] DISABLED for 3 seconds
      Attacker (192.168.1.3 on eth1):
        $ ./poisoning
        Usage: ./poisoning srcip srcmac destip
        $ ./poisoning 192.168.1.2 00:00:b4:5f:5a:fd 192.168.1.1
        42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
        42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
        42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
        42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1
      Victim host (192.168.1.1 on eth0), whose ARP cache still holds the genuine MAC of 192.168.1.2:
        $ arp -a
        192.168.1.2 (192.168.1.2) at 00:0e:a6:7f:75:46 [ether] on eth0
        192.168.1.3 (192.168.1.3) at 00:00:b4:5f:5a:fd [ether] on eth0
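The port state machine of slides 12 to 14 (LEARNING, FORWARDING, BLOCKING, WAITING, DISABLED over a CAM table extended with the source IP), as an added example written for this page; it is not code from the thesis or from the Linux bridge module. It is a user-space C model with these assumptions: ports are indexed 0, 1, 2 (Host A on port 0, the attacker Host C on port 1, Host B on port 2, mirroring DEV-1, DEV-2, DEV-3 of slide 13); the function and verdict names (`sas_ingress`, `sas_timeout`, `SAS_ARP_ATTACK`, and so on) are invented here; any frame from a WAITING port counts as the owner's answer, as the slide 14 log treats "packet from waiting port"; and on TIMEOUT the claimant keeps its new binding while the former owner's port relearns, as in the last table of slide 13.

```c
/* Added example, not the SAS thesis code: a user-space model of the per-port table SAS
 * keeps (CAM table plus source IP) and of the slide 12-14 port state machine. The port
 * numbering, function names and verdict names are assumptions made for this example. */
#include <stdio.h>
#include <string.h>
#define SAS_PORTS 3
#define NONE (-1)
enum sas_state { LEARNING, FORWARDING, BLOCKING, WAITING, DISABLED };
enum sas_verdict {
    SAS_FORWARD,    /* frame consistent with the table: forward it */
    SAS_REGISTERED, /* learning port: (MAC, IP) stored, port now forwarding */
    SAS_ARP_ATTACK, /* IP already bound on another port: claimant blocked, owner probed */
    SAS_DROP        /* frame arrived on a blocking or disabled port */
};
struct sas_port {
    enum sas_state state;
    char mac[18], ip[16];             /* registered binding, empty while learning */
    char claim_mac[18], claim_ip[16]; /* binding a blocked port tried to assert */
    int suspect;                      /* on a WAITING port: the BLOCKING port under check */
};
static struct sas_port ports[SAS_PORTS];

static void clear_port(int i, enum sas_state s)
{ memset(&ports[i], 0, sizeof ports[i]); ports[i].state = s; ports[i].suspect = NONE; }
void sas_init(void) { for (int i = 0; i < SAS_PORTS; i++) clear_port(i, LEARNING); }
enum sas_state sas_port_state(int port) { return ports[port].state; }

/* Port other than `self` that already holds a binding for `ip`, or NONE. */
static int owner_of_ip(const char *ip, int self)
{
    for (int i = 0; i < SAS_PORTS; i++)
        if (i != self && ports[i].ip[0] && strcmp(ports[i].ip, ip) == 0) return i;
    return NONE;
}

/* One frame arriving on `port` with the given source MAC and source IP. */
enum sas_verdict sas_ingress(int port, const char *src_mac, const char *src_ip)
{
    struct sas_port *p = &ports[port];
    if (p->state == BLOCKING || p->state == DISABLED) return SAS_DROP;
    if (p->state == WAITING) {
        /* Owner answered the probe ("packet from waiting port", slide 14): claimant lied. */
        ports[p->suspect].state = DISABLED;
        p->suspect = NONE;
        p->state = FORWARDING;
        return SAS_FORWARD;
    }
    int owner = owner_of_ip(src_ip, port);
    if (owner != NONE) {
        /* Layer-3 mismatch: hold the claimant, probe the owner's port with an ARP request. */
        snprintf(p->claim_mac, sizeof p->claim_mac, "%s", src_mac);
        snprintf(p->claim_ip, sizeof p->claim_ip, "%s", src_ip);
        p->state = BLOCKING;
        ports[owner].state = WAITING;
        ports[owner].suspect = port;
        return SAS_ARP_ATTACK;
    }
    if (p->state == LEARNING) { /* first frame on a fresh port: "REGISTERED" on slide 14 */
        snprintf(p->mac, sizeof p->mac, "%s", src_mac);
        snprintf(p->ip, sizeof p->ip, "%s", src_ip);
        p->state = FORWARDING;
        return SAS_REGISTERED;
    }
    return SAS_FORWARD;
}

/* Probe timer expired with no answer: the address really moved, so the claimant
 * keeps its new binding and the former owner's port goes back to learning. */
void sas_timeout(int port)
{
    struct sas_port *w = &ports[port];
    if (w->state != WAITING) return;
    struct sas_port *s = &ports[w->suspect];
    memcpy(s->mac, s->claim_mac, sizeof s->mac);
    memcpy(s->ip, s->claim_ip, sizeof s->ip);
    s->state = FORWARDING;
    clear_port(port, LEARNING);
}

/* Slide 13 replay: A on port 0, B on port 2, C on port 1; then C sends a frame with B's IP
 * 10.0.0.2 and its own MAC. Returns that frame's verdict; owner_replies selects the branch. */
enum sas_verdict sas_replay_slide13(int owner_replies)
{
    sas_init();
    sas_ingress(0, "01:02:03:04:05:0a", "10.0.0.1");
    sas_ingress(2, "01:02:03:04:05:0b", "10.0.0.2");
    sas_ingress(1, "01:02:03:04:05:0c", "10.0.0.3");
    enum sas_verdict v = sas_ingress(1, "01:02:03:04:05:0c", "10.0.0.2");
    if (owner_replies) sas_ingress(2, "01:02:03:04:05:0b", "10.0.0.2"); /* B answers the probe */
    else sas_timeout(2);                                                 /* nobody answers */
    return v;
}
int main(void)
{
    static const char *name[] = { "LEARNING", "FORWARDING", "BLOCKING", "WAITING", "DISABLED" };
    for (int r = 1; r >= 0; r--) {
        sas_replay_slide13(r);
        printf("owner %s: attacker port %s, victim port %s\n", r ? "replied" : "silent",
               name[sas_port_state(1)], name[sas_port_state(2)]);
    }
    return 0;
}
```

With the owner replying, the attacker's port ends DISABLED and the victim's port returns to FORWARDING, which is the sequence the kernel messages of slide 14 show for eth1 and eth2; with no reply the model takes the TIMEOUT branch of slide 13 and accepts the moved address. The model binds one host per port, as the slides do; a WAITING port does not verify the replying MAC, which is what makes a probe timeout, not the reply itself, the point a defender should watch.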
  15. Secure Active Switch: EMBEDDED SYSTEM - FREESCALE M5485
      - 2 integrated 10/100 Ethernet ports, plus one 10/100 Ethernet port on the PCI bus
      - High degree of reconfigurability of the embedded system
      - Development possible under the GPL license (at zero cost)
      [figure: the board connected to the Attacker, Host A and Host B]
  16. Secure Active Switch: PERFORMANCE EVALUATIONS
      $ ping hosta
      PING hosta (192.168.1.1): 56 data bytes
      64 bytes from 192.168.1.1: icmp_seq=0 ttl=117 time=0.428 ms
      64 bytes from 192.168.1.1: icmp_seq=1 ttl=117 time=0.493 ms
      64 bytes from 192.168.1.1: icmp_seq=2 ttl=117 time=0.469 ms
      …
      --- ping statistics ---
      1000 packets transmitted, 1000 packets received, 0% packet loss
      round-trip min/avg/max = 0.417/0.473/0.539 ms
      Round trip (ms)    mean    std. dev.   min     max
      without SAS        0.468   0.047       0.413   0.532
      with SAS           0.473   0.049       0.417   0.539
      Percentage variation of the mean: +1.06%
  17. Conclusions
      - The ARP attacks that an attacker can carry out on the local network were effectively blocked.
      - The overhead introduced under normal network operating conditions was 1.06% (measured as the average round trip over a sample of 1000 ICMP packets).
      - The port of the Linux bridge with the S.A.S. patch to the ColdFire architecture was completed successfully.
  18. Giuseppe Gottardi
      [email_address]
      http://overet.securitydate.it
      S.P.I.N.E Research Group, Inc.
      S.D.G. Security Date Group, Inc.