1 INFORMATION SECURITY
UNIT - I
Security attacks are of two types
Passive attacks and
A passive attack attempts to learn or make use of information from the system but does not affect system resources.
An active attack attempts to alter system resources or affect their operation.
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain
information that is being transmitted. Two types of passive attacks are
• Release of message contents and
• Traffic analysis.
The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a transferred
file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of
A second type of passive attack, traffic analysis, if we had encryption protection in place, an opponent might still be able to
observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and
could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature
of the communication that was taking place.
Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically, the message traffic
is sent and received in an apparently normal fashion and neither the sender nor receiver is aware that a third party has read the
messages or observed the traffic pattern.
However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing
with passive attacks is on prevention rather than detection.
Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four
• Modification of messages, and
• Denial Of Service.
A masquerade takes place when one entity pretends to be a different entity (Figure 1.4a). A masquerade attack usually includes
one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid
authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by
impersonating an entity that has those privileges.
Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or
reordered, to produce an unauthorized effect. For example, a message meaning "Allow John Smith to read confidential file
accounts" is modified to mean "Allow Fred Brown to read confidential file accounts."
The Denial Of Service prevents or inhibits the normal use or management of communications facilities. This attack may have a
specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit
service). Another form of service denial is
The authentication service is concerned with assuring that a communication is authentic. Two specific authentication services
• Peer entity authentication: Provides for the confirmation of the identity of a peer entity in an association. It is provided for
use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that
an entity is not performing either a masquerade or an unauthorized replay of a previous connection.
• Data origin authentication: Provides for the confirmation of the source of a data unit. It does not provide protection against
the duplication or modification of data units. This type of service supports applications like electronic mail where there are no
prior interactions between the communicating entities.
In the context of network security, access control is the ability to limit and control the access to host systems and applications
via communications links. To achieve this, each entity trying to gain access must first be identified, or authenticated, so that
access rights can be tailored to the individual.
Confidentiality is the protection of transmitted data from passive attacks. With respect to the content of a data transmission,
several levels of protection can be identified. The broadest service protects all user data transmitted between two users over a
period of time.
The other aspect of confidentiality is the protection of traffic flow from analysis. This requires that an attacker not be able to
observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility. Data
A connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent,
with no duplication, insertion, modification, reordering, or replays. The destruction of data is also covered under this service.
Thus, the connection-oriented integrity service addresses both message stream modification and denial of service. On the other
hand, a connectionless integrity service, one that deals with individual messages without regard to any larger context, generally
provides protection against message modification only.
We can make a distinction between the service with and without recovery. Because the integrity service relates to active
attacks, we are concerned with detection rather than prevention. If a violation of integrity is detected, then the service may
simply report this violation, and some other portion of software or human intervention is required to recover from the
Nonrepudiation prevents either sender or receiver from denying a transmitted message. Thus, when a message is sent, the
receiver can prove that the alleged sender in fact sent the message. Similarly, when a message is received, the sender can prove
that the alleged receiver in fact received the message.
Property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according
to performance specifications for the system (i.e., a system is available if it provides services according to the system design
whenever users request them). A variety of attacks can result in the loss of or reduction in availability. Some of these attacks
are amenable to automated countermeasures, such as authentication and encryption, whereas others require some sort of
physical action to prevent or recover from loss of availability of elements of a distributed system.
This service addresses the security concerns raised by denial-of-service attacks. It depends on proper management and control
of system resources and thus depends on access control service and other security services.
• Encipherment The use of mathematical algorithms to transform data into a form that is not readily intelligible. The
transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys.
• Digital Signature Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the
data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient).
• Access Control A variety of mechanisms that enforce access rights to resources.
• Data Integrity A variety of mechanisms used to assure the integrity of a data unit or stream of data units.
• Authentication Exchange A mechanism intended to ensure the identity of an entity by means of information
3 INFORMATION SECURITY
• Traffic Padding The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
• Routing Control Enables selection of particular physically secure routes for certain data and allows routing changes,
especially when a breach of security is suspected.
• Notarization The use of a trusted third party to assure certain properties of a data exchange.
• Pervasive Security Mechanisms
• Mechanisms those are not specific to any particular OSI security service or protocol layer.
• Trusted Functionality That which is perceived to be correct with respect to some criteria (e.g., as established by a
• Security Label The marking bound to a resource (which may be a data unit) that names or designates the security
attributes of that resource.
• Event Detection Detection of security-relevant events.
• Security Audit Trail Data collected and potentially used to facilitate a security audit, which is an independent review
and examination of system records and activities.
• Security Recovery Deals with requests from mechanisms, such as event handling and management functions, and
takes recovery actions.
A MODEL FOR NETWORK SECURITY
A message is to be transferred from one party to another across some sort of internet. The two parties, who are the principals
in this transaction, must cooperate for the exchange to take place. A logical information channel is established by defining a
route through the internet from source to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by
the two principals.
Security aspects come into play when it is necessary or desirable to protect the information transmission from an opponent
who may present a threat to confidentiality, authenticity, and so on. All the techniques for providing security have two
Figure: Model for Network Security
• A security-related
transformation on the
information to be sent.
Examples include the
encryption of the message,
which scrambles the
message so that it is
unreadable by the opponent,
and the addition of a code
based on the contents of the
message, which can be used
to verify the identity of the
• Some secret information shared by the two principals and, it is hoped, unknown to the opponent. An example is an
encryption key used in conjunction with the transformation to scramble the message before transmission and
unscramble it on reception
A trusted third party may be needed to achieve secure transmission. For example, a third party may be responsible for
distributing the secret information to the two principals while keeping it from any opponent. Or a third party may be needed to
arbitrate disputes between the two principals concerning the authenticity of a message transmission.
This general model shows that there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent
cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to
achieve a particular security service.
The hacker can be someone who, with no malign intent, simply gets satisfaction from breaking and entering a computer
system. Or, the intruder can be a disgruntled employee who wishes to do damage, or a criminal who seeks to exploit computer
assets for financial gain (e.g., obtaining credit card numbers or performing illegal money transfers).
Another type of unwanted access is the placement in a computer system of logic that exploits vulnerabilities in the system and
that can affect application programs as well as utility programs, such as editors and compilers. Programs can present two kinds
• Information access threats intercept or modify data on behalf of users who should not have access to that data.
• Service threats exploit service flaws in computers to inhibit use by legitimate users.
Figure: Network Access Security Model
Viruses and worms are two examples of software attacks. Such attacks can be introduced into a system by means of a disk that
contains the unwanted logic concealed in otherwise useful software. They can also be inserted into a system across a network;
this latter mechanism is of more concern in network security.
The security mechanisms needed to cope with unwanted access fall into two broad categories. The first category might be
termed a gatekeeper function. It includes password-based login procedures that are designed to deny access to all but
authorized users and screening logic that is designed to detect and reject worms, viruses, and other similar attacks. Once either
an unwanted user or unwanted software gains access, the second line of defence
consists of a variety of internal controls that monitor activity and analyse stored
information in an attempt to detect the presence of unwanted intruders.
INTERNET STANDARDS AND RFC’S
By universal agreement, an organization known as the Internet Society is responsible for
the development and publication of these standards. The Internet Society is a professional membership organization that
oversees a number of boards and task forces involved in Internet development and standardization.
The Internet Organizations and RFC Publication
The Internet Society is the coordinating committee for Internet design, engineering, and management. Areas covered include
the operation of the Internet itself and the standardization of protocols used by end systems on the Internet for
interoperability. Three organizations under the Internet Society are responsible for the actual work of standards development
• Internet Architecture Board (IAB): Responsible for defining the overall architecture of the Internet, providing
guidance and broad direction to the IETF
• Internet Engineering Task Force (IETF): The protocol engineering and development arm of the Internet
• Internet Engineering Steering Group (IESG): Responsible for technical management of IETF activities and the Internet
Working groups chartered by the IETF carry out the actual development of new standards and protocols for the Internet.
Membership in a working group is voluntary; any interested party may participate. During the development of a specification, a
working group will make a draft version of the document available as an Internet Draft, which is placed in the IETF's "Internet
Drafts" online directory. The document may remain as an Internet Draft for up to six months, and interested parties may review
and comment on the draft. During that time, the IESG may approve publication of the draft as an RFC (Request for Comment). If
the draft has not progressed to the status of an RFC during the six-month period, it is withdrawn from the directory. The
working group may subsequently publish a revised version of the draft.
The IETF is responsible for publishing the RFCs, with approval of the IESG. The RFCs are the working notes of the Internet
research and development community. A document in this series may be on essentially any topic related to computer
communications and may be anything from a meeting report to the specification of a standard.
The Standardization Process
The decision of which RFC’s become Internet standards is made by the IESG, on the recommendation of the IETF. To become a
standard, a specification must meet the following criteria:
• Be stable and well understood
• Be technically competent
5 INFORMATION SECURITY
• Have multiple, independent, and interoperable implementations with substantial operational experience
• Enjoy significant public support
• Be recognizably useful in some or all parts of the Internet
Figure: Internet RFC Publication Process
The Figure shows the series of steps, called the standards track, that a specification goes through to
become a standard. At each step, the IETF must make a recommendation for advancement of the
protocol, and the IESG must ratify it. The process begins when the IESG approves the publication of an
Internet Draft document as an RFC with the status of Proposed standard.
The white boxes in the diagram represent temporary states, which should be occupied for the minimum practical time.
However, a document must remain a Proposed Standard for at least six months and a Draft Standard for at least four months to
allow time for review and comment. The gray boxes represent long-term states that may be occupied for years.
For a specification to be advanced to Draft Standard status, there must be at least two independent and interoperable
implementations from which adequate operational experience has been obtained.
After significant implementation and operational experience has been obtained, a specification may be elevated to Internet
Standard. At this point, the Specification is assigned an STD number as well as an RFC number.
Finally, when a protocol becomes obsolete, it is assigned to the Historic state
Internet Standards Categories
All Internet standards fall into one of two categories:
• Technical specification (TS): A TS defines a protocol, service, procedure, convention, or format. The bulk of the
Internet standards are TSs.
• Applicability statement (AS): An AS specifies how, and under what circumstances, one or more TSs may be applied to
support a particular Internet capability. An AS identifies one or more TSs that are relevant to the capability, and may
specify values or ranges for particular parameters associated with a TS or functional subsets of a TS that are relevant
for the capability.
Other RFC Types
There are numerous RFC’s that are not destined to become Internet standards. Some RFC’s standardize the results of
community deliberations about statements of principle or conclusions about what is the best way to perform some operations
or IETF process function. Such RFC’s are designated as Best Current Practice (BCP). Approval of BCPs follows essentially the
same process for approval of Proposed Standards. Unlike standards-track documents, there is not a three-stage process for
BCP’s; a BCP goes from Internet draft status to approved BCP in one step.
A protocol or other specification that is not considered ready for standardization may be published as an Experimental RFC.
After further work, the specification may be resubmitted. If the specification is generally stable, has resolved known design
choices, is believed to be well understood, has received significant community review, and appears to enjoy enough community
interest to be considered valuable, then the RFC will be designated a Proposed Standard.
Finally, an Informational Specification is published for the general information of the Internet community.
A buffer overflows when too much data is put into it. Think of a buffer as a glass of water; you can fill the glass until it is full, but
any additional water added to that glass will spill over the edge. Buffers are much like this, and the C language (and its
derivatives, like C++), offer many ways to cause more to be put into a buffer than was anticipated.
As you have seen, local variables can be allocated on the stack This means that there is a buffer of a set size sitting on the stack
somewhere. Since the stack grows down and there are very important pieces of information stored there, what happens if you
put more data into the stack allocated buffer than it can handle? Like the glass of water, it overflows!
When 16 bytes of data are copied into the buffer from Figure above, it becomes full. When 17 bytes get copied, one byte spills
over into the area on the stack devoted to holding int2.This is the beginning of data corruption. All future references to int2 will
give the wrong value. If this trend continues, and we put 28 bytes in, we control what EBP points to, at 32 bytes, we have
control of EIP.
/* chapter 1 sample 1
This is a very simple program to explain how the stack operates
int main(int argc, char **argv)
char buffer="Hello World"; /* a 15 byte character buffer */
int int1=1,int2=2; /* 2 4 byte integers */
Figure: How the Stack Operates
When a ret happens and it pops our overwritten EIP and then jumps to it, we take control. After gaining control of EIP, we can
make it point to anywhere we want, including code we have provided.
The C language has a saying attributed to it: “We give you enough rope to hang yourself ”. Basically, this means that with the
degree of power over the machine that C offers, it has its potential problems as well. C is a loosely typed language, so there
aren’t any safeguards to make you comply with any data rules. Many buffer overflows happen in C due to poor handling of
string data types.
Table below shows some of the worst offenders in the C language. The table is by no means a complete table of problematic
functions, but will give you a good idea of some of the more dangerous and common ones.
Table: A Sampling of Problematic Functions in C
char *strcpy( char *strDestination, This function will copy a string from
const char *strSource ) strSource to strDestination
char *strcat( char *strDestination, This function adds (concatenates) a string
const char *strSource ) to the end of another string in a buffer
int sprintf( char *buffer, const This function operates like printf, except
char *format [, argument] ... ) this copies the output to buffer instead of
Printing to the stdout stream.
char *gets( char *buffer ) Gets a string of input from the stdin
stream and stores it in buffer
FORMAT STRING VULNERABILITIES
Format String Vulnerabilities versus Buffer Overflows On the surface, format string and buffer overflow exploits often look
similar. It is not hard to see why some may group together in the same category. Whereas attackers may overwrite return
addresses or function pointers and use shellcode to exploit them, buffer overflows and format string vulnerabilities are
fundamentally different problems.
In buffer overflow vulnerability, the software flaw is that a sensitive routine such as a memory copy relies on an externally
controllable source for the bounds of data being operated on. For example, many buffer overflow conditions are the result of C
library string copy operations. In the C programming language, strings are NULL terminated byte arrays of variable length. The
strcpy() (string copy) libc function copies bytes from a source string to a destination buffer until a terminating NULL is
encountered in the source string. If the source string is externally supplied and greater in size than the destination buffer, the
strcpy() function will write to memory neighboring the data buffer until the copy is complete. Exploitation of a buffer overflow
is based on the attacker being able to overwrite critical values with custom data during operations such as a string copy.
Another source of confusion is that buffer overflows and format string vulnerabilities can both exist due to the use of the
sprintf() function. To understand the difference, it is important to understand what the sprintf function actually does. sprintf()
allows for a programmer to create a string using printf() style formatting and write it into a buffer. Buffer overflows occur when
7 INFORMATION SECURITY
the string that is created is somehow larger than the buffer it is being written to. This is often the result of the use of the %s
format specifier, which embeds NULL terminated string of variable length in the formatted string. If the variable corresponding
to the %s token is externally supplied and it is not truncated, it can cause the formatted string to overwrite memory outside of
the destination buffer when it is written.
TCP SESSION HIJACKING
Let’s take a look at how the hijacking of a Transmission Control Protocol (TCP) connection works in general. When attempting
to hijack a TCP connection, a hacker must pay attention to all the details that go into a TCP connection. These details include
Sequence numbers, TCP headers, and ACK packets.
Let’s look briefly at some relevant portions as a quick reminder. Recall that a TCP connection starts out with the standard TCP
three-way handshake: The client sends a SYN (synchronization) packet, the server sends a SYN-ACK packet, and the client
responds with an ACK (acknowledgment) packet and then starts to send data or waits for the server to send. During the
information exchange, sequence counters increment on both sides, and packet receipt must be acknowledged with ACK
packets. The connection finishes with either an exchange of FIN (finish) packets, similar to the starting three-way handshake, or
more abruptly with RST (reset) packets.
Where during this sequence of packets does the hacker want to send?
Obviously, she wants to do it before the connection finishes, or else there will be no connection left to hijack. The hacker
almost always wants to hijack in the middle, after a particular event has occurred. The event in question is the authentication
step. Think about what would happen if she were to hijack the connection during the initial handshake or before the
authentication phase had completed. What would she have control of? The server would not be ready to receive commands
until the authentication phase had completed. She’d have a hijacked connection that was waiting for her to provide a password
of some sort. In other words, she’d be in exactly the same situation as she would be if she’d just connected as a normal client
As mentioned before, the point of hijacking a connection is to steal trust. The trust doesn’t exist before the authentication has
occurred. There are some services that can be configured to authenticate on IP address alone, such as the Berkeley “r” services,
but if that’s the case, no hijacking is really required; at that point, it becomes a matter of spoofing. If a hacker were in a position
to do TCP connection hijacking, she’d also easily be able to spoof effectively.
Note that when we say “If a hacker were in a position to…,” we mean that the hacker must have control of the right victim
machine to be able to accomplish any of this activity. Just as with sniffing, the hacker will almost certainly need control of a box
on the same Layer 2 network segment as either the client or the server. Unless she’s able to pull some heavy route
manipulation, the packets won’t come to the hacker—she’ll have to go to the packets.
Another way to make sure that your attacking machine gets all the packets going through it is to modify the ARP tables on the
victim machine(s). An ARP table controls the Media Access Control (MAC)-address-to-IP-address mapping on each machine.
ARP is designed to be a dynamic protocol, so as new machines are added to a network or existing machines get new MAC
addresses for whatever reason, the rest update automatically in a relatively short period of time. There is absolutely no
authentication in this protocol.
When a victim machine broadcasts for the MAC address that belongs to a particular IP address (perhaps the victim’s default
gateway), all an attacker has to do is answer before the real machine being requested does. It’s a classic race condition. You can
stack the odds in your favor by giving the real gateway a lot of extra work to do during that time so that it can’t answer as fast.
As long as you properly forward traffic from the victim (or fake a reasonable facsimile of the servers the victim machine is trying
to talk to), the victim might not notice that anything is different. Certainly, there are noticeable differences, if anyone cares to
pay attention. For example, after such an attack, each packet crosses the same local area network (LAN) segment twice, which
increases traffic somewhat and is suspicious in itself. Furthermore, the biggest giveaway is that the ARP cache on the victim
machine is changed. That’s pretty easy to watch for, if someone has prepared for that case ahead of time. One tool for
monitoring such changes is arpwatch.
A tool for performing an ARP attack is (for lack of a formal name) grat_arp. Note that ARP tricks are good not only for getting
traffic to flow through your machine, but also just so you can monitor it at all when you’re in a switched environment.
Normally, when there is a switch (or any kind of Layer 2 bridge) between the victim and attacking machine, the attacking
machine will not get to monitor the victim’s traffic. ARP games are one way to handle this problem.
ROUTE TABLE MODIFICATION
Typically, an attacker would be able to put himself in such a position to block packets by modifying routing tables so that
packets flow through a system he has control of (Layer 3 redirection), by changing bridge tables by playing games with
spanning-tree frames (Layer 2 redirection), or by rerouting physical cables so that the frames must flow through the attacker’s
system (Layer 1 redirection).The last technique implies physical access to your cable plant, so perhaps you’ve got much worse
problems than TCP session hijacking in that instance.
Most of the time, an attacker will try to change route tables remotely. There has been some research in the area of changing
route tables on a mass scale by playing games with the Border Gateway Protocol (BGP) that most Internet service providers
(ISPs) use to exchange routes with each other. Insiders have reported that most of these ISPs have too much trust in place for
other ISPs, which would enable them to do routing updates. A more locally workable attack might be to spoof Internet Control
Message Protocol (ICMP) and redirect packets to fool some hosts into thinking that there is a better route via the attacker’s IP
address. Many OS’s accept ICMP redirects in their default configuration. If the attacker has managed to change route tables to
get packets to flow through his system, some of the intermediate routers will be aware of the route change, either because of
route tables changing or possibly because of an Address Resolution Protocol (ARP) table change. The end nodes would not
normally be privy to this information if there are at least a few routers between the two nodes. Possibly the nodes could
discover the change via a traceroute-style utility, unless the attacker has planned for that and programmed his “router” to
account for it.
Now that we’ve seen what TCP session hijacking looks like, the rest is easy. We have problems with TCP due to all the reliability
features built into it. If it weren’t for the sequence numbers, ACK mechanism, and other things that TCP uses to ensure that
packets get where they need to go, our job would be a lot easier. Well, guess what? The User Datagram Protocol (UDP) doesn’t
have those features; at least, it doesn’t as it is. However, a protocol designer can implement the equivalents toall those features
on top of UDP. Very few attempt even a small subset of the TCP features. The Network File System (NFS) has something akin to
sequence numbers and a retransmit feature, but it’s vastly simpler than TCP. So, most of the time, “hijacking” UDP comes down
to a race. Can a hacker get an appropriate response packet in before the legitimate server or client can?
In most cases, the answer is probably yes, as long as the hacker can script the attack. The attacker needs a tool that watches for
the request, and then produces the response he wants to fake as quickly as possible, and then drops that on the wire.
For example, the Domain Name System (DNS) would be a popular protocol to hijack. Assume that the hacker’s attacking
machine is near the client and the DNS server is located somewhere farther away on the network. Then:
1. The hacker wants to pretend to be some Web server, say SecurityFocus.
2. The attacker programs his attacking machine to watch for a request for that name and store a copy of the packet.
3. The hacker extracts the request ID and then uses it to finish off a response packet that was prepared ahead of time that
points to his IP address.
4. The client then contacts the hacker’s machine instead of SecurityFocus.
5. The client sees a message to the effect of “SecurityFocus has been 0wned.”
MITM attacks are probably the most productive types of attacks used today in conjunction with encrypted protocol hijacking
and connection types such as SSH1 and SSL.
Let’s say, for example, that a typical user attempts a connection to a site that is SSL enabled. A key exchange occurs with the
SSL server and the server’s certificate is compared to the certificates stored in the Web browser’s trusted root certification
authority’s store. If the certificate information is valid and the certifying authority is present in the browser’s trusted store with
no restrictions, no warning is generated on the client end by the browser, and a session key is offered for encrypting the
communication between the SSL-enabled site and the client system.
It is Suffice (enough) to say, when an MITM attack is started, the client does not connect to the SSL site that he thinks he does.
The hijacker is instead offering bogus credentials and replaying the client’s information to the SSL site. The hijacker is making
the connection to the SSL server on behalf of the victim and replaying all the information sent both ways so that he can
essentially pick and chose what, if any, traffic to modify for his potential gain.
Many people have the unfortunate tendency to ignore generated warnings. These are actual screens from an MITM attack
scenario. If you clicked the button View Certificate under the security alert in the first screen, you would find that this
certificate is marked “Issued to:VerySign Class 1 Authority.” It’s a cute play on words (VerySign instead of VeriSign), which
would slip right by most of the user populace. This is more a social attack on people’s ignorance than it is technological