Scaricare la presentazione
La presentazione è in caricamento. Aspetta per favore
1
SAS © 2005 - Giuseppe Gottardi 1 Secure Active Switch (SAS): hardening del Linux kernel bridge implementato su sistema embedded ColdFire Motorola Giuseppe Gottardi Università Politecnica delle Marche Dipartimento di Elettronica Intelligenza artificiale e Telecomunicazioni D.E.I.T. Correlatore: Dott. Ing. Valerio Frascolla Relatore: Prof. Massimo Conti
2
SAS © 2005 - Giuseppe Gottardi2 Secure Active Switch 1. Cosè il SAS 2. Perché usarlo 3. Come funziona
3
SAS © 2005 - Giuseppe Gottardi3 Secure Active Switch Cosè il SAS? Cosè il SAS?
4
SAS © 2005 - Giuseppe Gottardi4 SAS: IT security tool Tool di prevenzione verso gli attacchi informatici in rete locale basato su un algoritmo di nuova concezione sviluppato dallautore della tesi in collaborazione con il DEIT. Hardening del kernel Linux v2.6 Hardening del kernel Linux v2.6 –Modifica al kernel di Linux nel modulo bridge Switch di rete Attivo e Sicuro Switch di rete Attivo e Sicuro –Attivo: capace di mandare pacchetti di controllo –Sicuro: capace di bloccare attacchi di tipo ARP Sistema embedded su MCF5485EVB Sistema embedded su MCF5485EVB –Board Freescale con µproc ColdFire Motorola (MIPS 32-bit)
5
SAS © 2005 - Giuseppe Gottardi5 Secure Active Switch Perché usarlo?
6
SAS © 2005 - Giuseppe Gottardi6 Attacchi STATS – CSI/FBI Attacchi in Local Area Network STATS – CSI/FBI Fonte: Computer Security Institute Federal Bureau of Investigation Abusi della rete dallinterno (60% sulla totalità degli attacchi nel 2004) Perdite per oltre 11.000.000 $
7
SAS © 2005 - Giuseppe Gottardi7 Attacchi TYPOLOGIES Attacchi in Local Area Network TYPOLOGIES LAN non commutata (HUB) - T - Tutti i pacchetti transitano per lhost attaccante. LAN commutata (switching tradizionale) - I pacchetti degli host attaccati transitano per lhost attaccante dopo un attacco M.I.T.M. Tipologia di attacchi M.I.T.M. DA LOCALE A LOCALE: - ARP poisoning- DNS spoofing- STP mangling - Port stealing DA LOCALE A REMOTO (attraverso il gateway): DA LOCALE A REMOTO (attraverso il gateway): - ARP poisoning- DNS spoofing- DHCP spoofing - ICMP redirection- IRDP spoofing- route mangling
8
SAS © 2005 - Giuseppe Gottardi8 Attacchi Man In The Middle HTTPS (SSL) 1111 2222 3333 4444 18 0819 09 Giuseppe Gottardi overet@secutitydate.it
9
SAS © 2005 - Giuseppe Gottardi9 Attacchi Man In The Middle KEY EXCHANGING - HTTPS Consiste nella modifica del certificato SSL scambiato tra un server web HTTPS e un client (vale anche per SSH v1). Questa tecnica consente di decodificare sessioni codificate. Consiste nella modifica del certificato SSL scambiato tra un server web HTTPS e un client (vale anche per SSH v1). Questa tecnica consente di decodificare sessioni codificate. ServerClient MITM start KEY-A RSA KEY-B RSA E key-B (S-Key)E key-A (S-Key) S-KEY M E skey (M) D(E(M))
10
SAS © 2005 - Giuseppe Gottardi10 Attacchi Man In The Middle FILTERING - HTTPS redirection Una form in HTTPS viene forzata all'autenticazione in HTTP Http main page with https login form Change form destination to http://mitm Http post (login\password) Auto-submitting hidden form with right authentication data Real https authentication post Authenticated connection Client Server MITM login password
11
SAS © 2005 - Giuseppe Gottardi11 Secure Active Switch Come funziona?
12
SAS © 2005 - Giuseppe Gottardi12 ARP poisoning SIMULATION IPMAC10.0.0.201:02:03:04:05:0B 10.0.0.301:02:03:04:05:0CIPMAC10.0.0.101:02:03:04:05:0A 10.0.0.301:02:03:04:05:0CIPMAC10.0.0.2 10.0.0.3 Host AHost B Attaccante Switch ARP poisoning Packet from A IP 10.0.0.1 MAC 01:02:03:04:05:0A IP 10.0.0.3 MAC 01:02:03:04:05:0C IP 10.0.0.2 MAC 01:02:03:04:05:0B ARP cache AARP cache BIPMAC10.0.0.101:02:03:04:05:0C 10.0.0.3 Packet from B DEV-1 DEV-2 DEV-3 DEVMACSTATE DEV-101:02:03:04:05:0AFORWARDING DEV-301:02:03:04:05:0CFORWARDING DEV-201:02:03:04:05:0BFORWARDING … CAM table
13
SAS © 2005 - Giuseppe Gottardi13 Secure Active Switch HOW IT WORKS - simulation src MAC01:02:03:04:05:0A dest MAC01:02:03:04:05:0B src IP10.0.0.1 dest IP10.0.0.2 … DEVMACIPSTATE DEV-101:02:03:04:05:0A10.0.0.1FORWARDING DEV-3--- LEARNING DEV-2--- LEARNING … src MAC01:02:03:04:05:0B dest MAC01:02:03:04:05:0C src IP10.0.0.2 dest IP10.0.0.3 … Host AHost B Attaccante ARP poisoning IP 10.0.0.1 MAC 01:02:03:04:05:0A IP 10.0.0.2 MAC 01:02:03:04:05:0B IP 10.0.0.3 MAC 01:02:03:04:05:0C Switch SAS DEV-1DEV-2DEV-3 Packet headerCAM table SAS DEVMACIPSTATE DEV-101:02:03:04:05:0A10.0.0.1FORWARDING DEV-301:02:03:04:05:0B10.0.0.2FORWARDING DEV-2--- LEARNING … src MAC01:02:03:04:05:0C dest MAC01:02:03:04:05:0B src IP10.0.0.3 dest IP10.0.0.2 … DEVMACIPSTATE DEV-101:02:03:04:05:0A10.0.0.1FORWARDING DEV-301:02:03:04:05:0B10.0.0.2FORWARDING DEV-201:02:03:04:05:0C10.0.0.3FORWARDING … src MAC01:02:03:04:05:0C dest MAC01:02:03:04:05:0A src IP10.0.0.2 dest IP10.0.0.1 … ? mismatch DEVMACIPSTATE DEV-101:02:03:04:05:0A10.0.0.1FORWARDING DEV-301:02:03:04:05:0B10.0.0.2WAITING DEV-201:02:03:04:05:0C10.0.0.3BLOCKING … ARP requestARP reply src MAC01:02:03:04:05:0B dest MAC01:02:03:04:05:0A src IP10.0.0.2 dest IP10.0.0.1 … DEVMACIPSTATE DEV-101:02:03:04:05:0A10.0.0.1FORWARDING DEV-301:02:03:04:05:0B10.0.0.2FORWARDING DEV-201:02:03:04:05:0C10.0.0.3DISABLED … DEVMACIPSTATE DEV-101:02:03:04:05:0A10.0.0.1FORWARDING DEV-301:02:03:04:05:0B10.0.0.2FORWARDING DEV-201:02:03:04:05:0C10.0.0.3FORWARDING … Host C IP 10.0.0.2 MAC 01:02:03:04:05:0C IP 10.0.0.3 MAC 01:02:03:04:05:0B src MAC01:02:03:04:05:0C dest MAC01:02:03:04:05:0A src IP10.0.0.2 dest IP10.0.0.1 … TIMEOUT DEVMACIPSTATE DEV-101:02:03:04:05:0A10.0.0.1FORWARDING DEV-301:02:03:04:05:0B10.0.0.2WAITING DEV-201:02:03:04:05:0C10.0.0.3BLOCKING … DEVMACIPSTATE DEV-101:02:03:04:05:0A10.0.0.1FORWARDING DEV-3--- LEARNING DEV-201:02:03:04:05:0C10.0.0.2FORWARDING … DEVMACIPSTATE DEV-1--- LEARNING DEV-3--- LEARNING DEV-2--- LEARNING … Lo switch SAS aggiunge alla CAM table tradizionale le informazioni del layer 3
14
SAS © 2005 - Giuseppe Gottardi14 Secure Active Switch HOW IT WORKS – practical example Bridge SAS registered to SYSCTL SAS: port 3(eth0) entering learning state SAS: port 2(eth1) entering learning state SAS: port 1(eth1) entering learning state SAS: Secure Active Switch [started] SAS: logging [started] SAS: debugging [started] SAS: topology change detected, propagating SAS: port 3(eth0) entering forwarding state SAS: topology change detected, propagating SAS: port 2(eth1) entering forwarding state SAS: topology change detected, propagating SAS: port 1(eth2) entering forwarding state SWITCH SAS (kernel messages) SAS: MAC 00:00:b4:5f:5a:fd [unknow] IP 192.168.1.3 [not exist] SAS: [eth1 | 00:00:b4:5f:5a:fd | 192.168.1.3] REGISTERED SAS: MAC 00:50:da:71:61:a6 [unknow] IP 192.168.1.1 [not exist] SAS: [eth0 | 00:50:da:71:61:a6 | 192.168.1.1] REGISTERED SAS: MAC 00:0e:a6:7f:75:46 [unknow] IP 192.168.1.2 [not exist] SAS: [eth2 | 00:0e:a6:7f:75:46 | 192.168.1.2] REGISTERED $./poisoning Usage:./poisoning srcip srcmac destip $./poisoning 192.168.1.2 00:00:b4:5f:5a:fd 192.168.1.1 42: 192.168.1.2[00:00:b4:5f:5a:fd] -> 192.168.1.1 SAS: ARP attack detected from [eth1] SAS: MAC 00:00:b4:5f:5a:fd [know] IP 192.168.1.2 [exist] SAS: port 2(eth1) entering blocking state SAS: port 1(eth2) entering waiting state SAS: ARP REQUEST sent to eth2 SAS: packet from waiting port [eth2] SAS: port 2(eth1) entering disabled state SAS: port 1(eth2) entering forwarding state SAS: ARP POISONING on [eth1] SAS: [eth1] DISABLED for 1 seconds SAS: [eth1] DISABLED for 2 seconds SAS: [eth1] DISABLED for 3 seconds ATTACCANTE $ arp -a 192.168.1.2 (192.168.1.2) at 00:0e:a6:7f:75:46 [ether] on eth0 192.168.1.3 (192.168.1.3) at 00:00:b4:5f:5a:fd [ether] on eth0 HOST VITTIMA
![SAS © Giuseppe Gottardi14 Secure Active Switch HOW IT WORKS – practical example Bridge SAS registered to SYSCTL SAS: port 3(eth0) entering learning state SAS: port 2(eth1) entering learning state SAS: port 1(eth1) entering learning state SAS: Secure Active Switch [started] SAS: logging [started] SAS: debugging [started] SAS: topology change detected, propagating SAS: port 3(eth0) entering forwarding state SAS: topology change detected, propagating SAS: port 2(eth1) entering forwarding state SAS: topology change detected, propagating SAS: port 1(eth2) entering forwarding state SWITCH SAS (kernel messages) SAS: MAC 00:00:b4:5f:5a:fd [unknow] IP [not exist] SAS: [eth1 | 00:00:b4:5f:5a:fd | ] REGISTERED SAS: MAC 00:50:da:71:61:a6 [unknow] IP [not exist] SAS: [eth0 | 00:50:da:71:61:a6 | ] REGISTERED SAS: MAC 00:0e:a6:7f:75:46 [unknow] IP [not exist] SAS: [eth2 | 00:0e:a6:7f:75:46 | ] REGISTERED $./poisoning Usage:./poisoning srcip srcmac destip $./poisoning :00:b4:5f:5a:fd : [00:00:b4:5f:5a:fd] -> SAS: ARP attack detected from [eth1] SAS: MAC 00:00:b4:5f:5a:fd [know] IP [exist] SAS: port 2(eth1) entering blocking state SAS: port 1(eth2) entering waiting state SAS: ARP REQUEST sent to eth2 SAS: packet from waiting port [eth2] SAS: port 2(eth1) entering disabled state SAS: port 1(eth2) entering forwarding state SAS: ARP POISONING on [eth1] SAS: [eth1] DISABLED for 1 seconds SAS: [eth1] DISABLED for 2 seconds SAS: [eth1] DISABLED for 3 seconds ATTACCANTE $ arp -a ( ) at 00:0e:a6:7f:75:46 [ether] on eth ( ) at 00:00:b4:5f:5a:fd [ether] on eth0 HOST VITTIMA](http://images.slideplayer.it/3/982697/slides/slide_14.jpg "SAS © Giuseppe Gottardi14 Secure Active Switch HOW IT WORKS – practical example Bridge SAS registered to SYSCTL SAS: port 3(eth0) entering learning state SAS: port 2(eth1) entering learning state SAS: port 1(eth1) entering learning state SAS: Secure Active Switch [started] SAS: logging [started] SAS: debugging [started] SAS: topology change detected, propagating SAS: port 3(eth0) entering forwarding state SAS: topology change detected, propagating SAS: port 2(eth1) entering forwarding state SAS: topology change detected, propagating SAS: port 1(eth2) entering forwarding state SWITCH SAS (kernel messages) SAS: MAC 00:00:b4:5f:5a:fd [unknow] IP [not exist] SAS: [eth1 | 00:00:b4:5f:5a:fd | ] REGISTERED SAS: MAC 00:50:da:71:61:a6 [unknow] IP [not exist] SAS: [eth0 | 00:50:da:71:61:a6 | ] REGISTERED SAS: MAC 00:0e:a6:7f:75:46 [unknow] IP [not exist] SAS: [eth2 | 00:0e:a6:7f:75:46 | ] REGISTERED $./poisoning Usage:./poisoning srcip srcmac destip $./poisoning :00:b4:5f:5a:fd : [00:00:b4:5f:5a:fd] -> SAS: ARP attack detected from [eth1] SAS: MAC 00:00:b4:5f:5a:fd [know] IP [exist] SAS: port 2(eth1) entering blocking state SAS: port 1(eth2) entering waiting state SAS: ARP REQUEST sent to eth2 SAS: packet from waiting port [eth2] SAS: port 2(eth1) entering disabled state SAS: port 1(eth2) entering forwarding state SAS: ARP POISONING on [eth1] SAS: [eth1] DISABLED for 1 seconds SAS: [eth1] DISABLED for 2 seconds SAS: [eth1] DISABLED for 3 seconds ATTACCANTE $ arp -a ( ) at 00:0e:a6:7f:75:46 [ether] on eth ( ) at 00:00:b4:5f:5a:fd [ether] on eth0 HOST VITTIMA")
15
SAS © 2005 - Giuseppe Gottardi15 Secure Active Switch EMBEDDED SYSTEM - FREESCALE M5485 Attaccante Host A Host B 2 Porte Ethernet 10/100 integrate Porta Ethernet 10/100 su BUS PCI Elevato grado di riconfigurabilità del sistema embedded Possibilità di sviluppo con licenza GPL (a costo zero)
16
SAS © 2005 - Giuseppe Gottardi16 Secure Active Switch PERFORMANCE EVALUATIONS non SAS Round Trip massimo0.532 minimo0.413 media0.468 deviazione0.047 $ ping hosta PING hosta (192.168.1.1): 56 data bytes 64 bytes from 192.168.1.1: icmp_seq=0 ttl=117 time=0.428 ms 64 bytes from 192.168.1.1: icmp_seq=1 ttl=117 time=0.493 ms 64 bytes from 192.168.1.1: icmp_seq=2 ttl=117 time=0.469 ms … --- ping statistics --- 1000 packets transmitted, 1000 packets received, 0% packet loss round-trip min/avg/max = 0.417/0.473/0.539 msSAS Round Trip massimo0.539 minimo0.417 media0.473 deviazione0.049 Variazione percentuale +1.06%
17
SAS © 2005 - Giuseppe Gottardi17 Conclusioni Gli attacchi ARP attuabili in rete locale dallattaccante sono stati efficacemente bloccati Il carico di lavoro introdotto in condizioni normali di funzionamento della rete è stato del 1.06% (misurato con il round trip medio su un campione di 1000 ICMP) Il porting del bridge Linux con patch S.A.S. su architettura ColdFire è stato ottenuto con successo.
18
SAS © 2005 - Giuseppe Gottardi18 Giuseppe Gottardi overet@securitydate.it http://overet.securitydate.it S.P.I.N.E Research Group, Inc. S.D.G. Security Date Group, Inc.
Presentazioni simili
