Massachusetts Institute of Technology. Lecture course # ???. "Security of computer systems". Nikolai Zeldovich, James Mykens. 2014

3r33475.  
Computer Systems Security is a course on the development and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and security methods based on the latest scientific work. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware protection and security in web applications. 3r33475.  
3r33475.  
Lecture 1: "Introduction: threat models" 3r312. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 2: "Control of hacker attacks" Part 1 / Part 2 / Part 3 3r33475.  
Lecture 3: "Buffer overflow: exploits and protection" 3r-328. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 4: "The division of privileges" 3r-336. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 5: “Where Security Errors Come From” Part 1 / Part 2 3r33475.  
Lecture 6: "Opportunities" 3r350. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 7: “Sandbox Native Client” Part 1 / Part 2 / Part 3 3r33475.  
Lecture 8: “Network Security Model” 3r3666. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 9: “Web application security” 3r374. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 10: “Symbolic Execution” 3r382. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 11: The Ur /Web Programming Language 3r3-390. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 12: "Network Security" Part 1 / Part 2 / Part 3 3r33475.  
Lecture 13: “Network Protocols” 3r3106. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 14: “SSL and HTTPS” 3r3114. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 15: “Medical Software” 3r3122. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 16: "Attacks through the side channel" 3r3-33130. Part 1
/ Part 2 / Part 3 3r33475.  
Lecture 17: User Authentication Part 1 / Part 2 / Part 3 3r33475.  
Lecture 18: "Private Internet Browsing" Part 1 / Part 2 / Part 3 3r33475.  
Lecture 19: “Anonymous Networks” 3r3154. Part 1
/ Part 2 / Part 3 3r3-33160.
3r33475.  
3r33475.  
Let's take a closer look at how the protocol works. Because it would be a shame to read a lecture article and not to talk about the things on which she focuses attention. I want to apologize again for my drawing on the blackboard, most of the time I spend at the table typing on the computer. 3r33475.  
3r33475.  
This is an alien technology. So, here is the repeater. And here is Alice. Here is another repeater and here is Bob. Now Alice wants to talk to Bob, so the first thing she does is create a chain through these repeaters to Bob. Let's say she chose these two repeaters, R1 and R2. First, Alice makes a TLS link to R? let's say that she already has a TLS link to R2. Then, first of all, Alice performs one-way authentication, one-way negotiation of anonymous keys. 3r33475.  
3r33475.  
3r3174. 3r33475.  
3r33475.  
The old Tor protocol was called TAP - Tor Authentication Protocol, the new one is called NTor. They both have evidence of security. This is the correct evidence, although their description made mistakes. 3r33475.  
3r33475.  
After authentication, Alice chooses the channel ID of the circuit ID, say, ? instructs the relay to create the channel “3” - create “3”, and he responds to her that the channel created is created. Now Alice and the relay share the secret symmetric key S1. And they both store it with the index "3", which is a link to this channel. 3r33475.  
3r33475.  
3r3187. 3r33475.  
3r33475.  
Alice can now use this key to send R1 messages. She says that on the “troika”, this is the channel identifier, which is referred to in the lecture article, an extended cell with content is sent to the repeater. 3r33475.  
3r33475.  
3r3196. 3r33475.  
3r33475.  
The expanded cell basically contains the first half of the handshake. But this time it is not encrypted with the public key R? but encrypted with the public key R2. This means that the message is sent to R2. Thus, R1 knows that it is necessary to open a new channel to R? and reports this to the R2 relay with the create () Message, where the half of the handshake that came from Alice is placed in brackets. In doing so, R1 creates its own circuit ID, as the channel identifiers define other channels in this second TLS connection. Moreover, Alice does not know which channel identifiers are still used here, because this is a “personal matter” of R1 and R2. 3r33475.  
3r33475.  
3r33475.  
3r33475.  
So the repeater can choose, for example, ID 95. In fact, this is unlikely, because the channel number is randomly selected from 4 byte spaces, but I don’t want to write out all 32-bit numbers today. 3r33475.  
3r33475.  
After this, R2 responds to the first “created” transponder, and R1 returns the expanded cell to Alice, encrypted with the S1 key. Now Alice and R2 relay share the key S2 and Alice can send messages, first encrypted with S2 and then with S1. It sends such a message, R1 removes S1 encryption and forwards it. 3r33475.  
3r33475.  
3r33475.  
3r33475.  
The first repeater knows that channel 3 messages should be sent to the second repeater via channel 95. Upon receiving this message, the second repeater sees that channel 95 corresponds to the S2 key, and with its help decrypts this message: “oh, it says to open a connection with Bob”! After reading this, R2 repeater opens a TCP connection with Bob and informs Alice of this, using the same reverse messaging process. 3r33475.  
3r33475.  
After all this, Alice says: “great, then tell Bob something like http: 1.0get /index.html,” and then life goes on. 3r33475.  
3r33475.  
Let's see what I missed in the lecture article so this, this and this. Ok, so what are we actually relaying? Some solutions in this area claim that it is necessary to transfer IP packets back and forth, that is, this scheme should be simply a method of transmitting IP packets. One of the problems is that we want to support as many users as possible, and that means we need to work on all kinds of operating systems. 3r33475.  
3r33475.  
But TCP stacks of different operating systems act differently. If you have ever used Nmap or any kind of network traffic analysis tool, you can easily distinguish between Windows TCP and FreeBSD TCP or Linux TCP. You can even distinguish different versions. Moreover, if you can send raw IP packets to a selected host, you can trigger responses that are based in part on what the host does. 3r33475.  
3r33475.  
3r33475.  
3r33475.  
So if you transfer IP packets back and forth, you need IP normalization. Since everything that is smaller than the full IP stack cannot work for normalization, you do not go to do it. 3r33475.  
3r33475.  
Instead, we choose the easiest way - we just take all the content from TCP streams, assuming that it is reliable and everything is fine with it. The program analyzes all the data transmitted by Alice, agrees to accept TCP connections originating from her applications, and simply relays the content without doing anything complicated at the network level. 3r33475.  
3r33475.  
You could try to increase productivity using other tools described in the lecture materials. But I described a scheme that can really be implemented, because when creating Tor, we paid much more attention to security classes and compilers than to network classes. Now we have network specialists, but in 2003-2004 we were deficient in them. 3r33475.  
3r33475.  
TCP seems to be quite appropriate, the right level. The higher-level protocols discussed in some of the original projects use separate proxies for HTTP, FTP on the Alice side and seem like a bad idea. This is because any protocol must have encryption from beginning to end throughout the entire Alice-Bob connection, and if we are lucky, Alice will be able to create a TLS connection between R2 and Bob, with integrity and security features. 3r33475.  
3r33475.  
But if this is so, then any anonymity transformations that you want to apply to the encrypted data must occur in the application that Alice uses before the TLS connection is fully created. But this cannot be done using a proxy server, so TCP is more suitable for us. 3r33475.  
3r33475.  
Someone asked me where is our safety evidence? We have security evidence for the many encryption methods we use, these are standard editions of documents. In general, for the protocol, there is evidence of the safety of certain aspects of onion routing. But the models that they must use to prove that this provides anonymity must be based on such bizarre properties of the universe, network properties, or attacking abilities, that they can satisfy only the programming commissions that sit on some theoretical conferences. 3r33475.  
In short, these properties of anonymity must prove that an attacker who can see the data volume and timings in the Alice-R1 segment will not be able to identify them, observing only the output bytes in the R2-Bob segment. But this is not quite a satisfactory result. Let's just say - what kind of security guarantees would you want from a system that you don’t know how to build? Okay, I have to be careful with these statements Recall that there are systems with strong guarantees of anonymity, and you know how to create such systems, but you never want to use them. Like, for example, classic DC-Net networks, which provide guaranteed anonymity, except that any participant can close the entire network simply by ceasing to participate in it. In addition, this system does not scale. 3r33475.  
3r33475.  
But for the things created in our time, the properties of anonymity are more probabilistic, and not categorically guaranteed. So instead of asking whether this system guarantees Alice's security, it would be worth asking how much traffic Alice can safely send if she wants to have a 99% chance that this network activity cannot be linked to her activities? 3r33475.  
3r33475.  
The first question we asked ourselves when we started to create Tor is who will manage all these things? We didn’t know if our system would really “stand up”, so the only option was to try and see what came out of it. 3r33475.  
3r33475.  
3r33475.  
3r33475.  
We had enough volunteers. A fair number of non-profit organizations just wanted to make donations and use them to purchase bandwidth and launch Tor nodes. Some universities and several private companies took part in the project, whose security services decided that it would be fun to run your own Tor server. 3r33475.  
At the same time, legal issues arose, but again, I am not a lawyer and I cannot give a legal assessment of these things. However, five different people asked me about the legality of our system. As far as I can tell, at least in the US, there are no legal obstacles to starting the Tor server. And it seems to me that a similar situation occurs in most European countries. In countries with less internet freedom, using Tor is more strictly regulated. 3r33475.  
3r33475.  
The problem is not how legitimate or illegal the use of Tor is, but that someone can do something illegal or undesirable with my Tor server. For example, if my provider doesn’t disconnect me from the network, if I provide my computer as a Tor node, do law enforcement agencies believe that I’m just using a Tor server, or come and take my computer to verify this. 3r33475.  
3r33475.  
For this case, I would advise you not to start the Tor server from your dorm room, or rather, not to use your computer to broadcast a large amount of output traffic, assuming that network policy allows it. Honestly, I have no idea what this policy is now, because it has changed a lot since my student days. But in any case, large outgoing traffic from your computer to the hostel can lead to trouble. However, launching a repeater without issuing traffic to the Internet will be less problematic. But if your provider allows you to act in this way, then this is quite a reasonable thing. 3r33475.  
3r33475.  
Someone asked me what if users do not trust a particular site? This brings us to the next topic. Clients of the network use the software at their own discretion, and you cannot forbid them to use any particular programs and oblige them to use others. But remember that anonymity loves company. If I use three nodes, you use three other nodes, and you have three more nodes; our traffic will not mix at all. 3r33475.  
3r33475.  
3r33333. 3r33475.  
3r33475.  
As long as we share the parts of the network that we use, we can easily be distinguished from each other. Now, if I just exclude one or two nodes, and you just exclude one or two nodes, then it will not be such a big network splitting into parts and will make our identification more difficult. But it would be best for everyone to use the same nodes as much as possible. How do we achieve this? 3r33475.  
3r33475.  
So, in the first version of Tor, we just dropped users a list of all nodes, there were about 6 of them, three of which worked on the same computer in the Tech Square computer science laboratory. But it was not a good idea, because the number of nodes increases and decreases, the nodes themselves change, and you would not want to release a new version of the software every time someone joins creating a network. 3r33475.  
3r33475.  
But you can make sure that each node contains a list of all the other nodes that are connected to it, and all of them "advertised" each other. Then, when a client connects to the network, he just needs to know one node to say: “Hey, who is online?” 3r33475.  
3r33475.  
In fact, many people have projects built on this principle. Many early peer-to-peer anonymity projects work this way. But this is a terrible idea. Because if you connect to the same node and ask who is online, and you trust the respondent, then I can answer you: “I’m online, and my friend is here on the network, and my friend is also online, and more no one is online! ” That is, I can give you any number of fake nodes that I manage and which intercept all of your traffic. This is what is called a raw capture attack, or an attack to intercept the source node. 3r33475.  
3r33475.  
So, perhaps, if we have only one directory managed by a trusted party, this is not so good, so let's still assume that we have several trusted parties. Clients go to these trusted parties, get a list of all nodes from each and combine them into one common list of nodes on the network. 3r33475.  
3r33475.  
This is not good because we are again divided into identifiable network clusters. If I select these three nodes, and you choose three other nodes, then we will use different sets of nodes, which is not good. In addition, if I use the list of nodes transferred to me, any of the trusted parties may prevent me from using the node that she does not like, simply by not listing it in the list. If I use the combined list, then someone can flood me with 20 thousand fake servers, specifying them in the list. I could vote for their exclusion and could somehow solve the last two problems, but I will still be separated from everyone who uses different trusted parties. 3r33475.  
3r33475.  
3r33333. 3r33475.  
3r33475.  
We could create a magical DHT, or a distributed hash table, a kind of magical distributed structure passing through all nodes. I say "magic" because, although there are projects in this area, and some are better than others, none of them currently have solid evidence of security. So hard so that I can safely say that it is really safe. 3r33475.  
3r33475.  
So, here is the solution we came to as a result. Our network has several trusted bodies managed by trusted parties that collect lists of sites that vote on an hourly basis, which nodes can work on the network, and can vote to exclude suspicious nodes. They all work on the same /1? which gets up such strange things with traffic, and form a consensus, which is based on the calculation of the result of the vote. 3r33475.  
And customers do not use the site if it is not signed by a sufficient number of “votes” of trusted parties. 3r33475.  
3r33475.  
This is not the final version of the project, but it is the best that we have been able to come up with so far. By the way, all you need to distribute among customers is a list of all authorized public keys and a list of some places to get directories. You want all the nodes to cache these directories, because if you don’t do this, the network load will become dangerous and the network bandwidth will drop dramatically. 3r33475.  
3r33475.  
I intend to skip the next question and go directly to how customers should choose which paths they should route through the network. I would like to talk about the problems of application and creating applications that would not give themselves away. I would like to talk about network abuse, about hidden services and how they work, talk about resistance to censorship, and I would also like to talk about attacks and defense. But we only have 35 minutes left, so I can’t talk about everything I want. I ask you to vote for topics that you consider most important for discussion. 3r33475.  
3r33475.  
If you think that one of the most important topics is the choice of paths and nodes, please raise your hand. If one of the most important topics is application problems and how to ensure that applications do not violate your anonymity, please raise your hand. If one of the most important problems is abuse and how to prevent it, please raise your hand. So, I see that this topic is popular, and I mark it. 3r33475.  
3r33475.  
If it matters to you how hidden services work and how they can be made to work better, please raise your hand. Yeah, it's much more popular on this side of the audience than on the other. Well, we note this topic. Censorship, who is interested in censorship? I see that this is a popular topic. Attacks and defense? 3r33475.  
3r33475.  
3r33333. 3r33475.  
3r33475.  
So, we will not consider the choice of paths and application problems. As for the optimal choice of the path, this topic requires a separate lecture, because the design of node protection is determined by the bandwidth of the node. On the one hand, you need to ensure high throughput, and on the other, you need a reliable way to measure throughput. 3r33475.  
3r33475.  
Regarding problems with applications, it is worth noting that almost no protocol is intended to ensure anonymity. Because almost every popular protocol assumes that anyone will be able to determine the IP address from which traffic is coming, so there is no point in trying to hide the user's identity. Even in such a particularly complex protocol as the Whole stack, which is mainly used by web browsers, there is no real way to ensure the anonymity of traffic, as Tor does. 3r33475.  
3r33475.  
You need to seriously “break” the web browser so that it stops doing such things as leaking the list of fonts that identify your system, leaking the exact size of your windows, which all types of cookies cause, leaking what’s in the cache and what’s not there , and so on. 3r33475.  
Thus, you have a small choice: either to isolate everything and it is constantly restarted from a fresh virtual machine, or redirect the browser, or both. Other things are much simpler than web browsers, but still quite problematic. That's all I was going to say about application problems. Let's discuss the topics for which the majority voted in the audience. These are abuses and hidden services. If we have time, I’ll censor and attack. 3r33475.  
3r33475.  
So let's move on to abuse. When we were working on this thing, one problem that everyone was afraid of us passed away - this is file sharing that your Internet provider can oppose, and this will create huge legal problems and ruin your lives. We were afraid that people would try to use BitTorrent, Gnutella or something similar. Yes, it was a long time ago, and we thought about how we could avoid it. 3r33475.  
3r33475.  
In the materials for the lecture, you can read about our outgoing traffic policy, for example, to allow outgoing nodes to allow connections only to port 80 and port 443. In fact, this does not help to completely avoid abuse because you can try to spread worms through port 80. You can post offensive material on IRC channels through IRC web interfaces. Today everyone has a web interface, so you cannot say that it is only the Internet, it is safe, it is useful and it cannot be abused. 3r33475.  
3r33475.  
However, there are people who agree to launch sites with access ports on websites 80 and 44? and not with all ports, so this turned out to be useful, but still did not solve the problem of abuse. I’ll say that criminal activity doesn’t create many problems for Tor’s network operators at all. From time to time, someone's server is captured and returned after six months, and they sometimes need to clean everything up. This is a rare occurrence, and if this happens, it is surprising. 3r33475.  
3r33475.  
The biggest problem with Internet abuse is that many websites and IRC services use IP address blocking to prevent and mitigate abusive behavior. 3r33475.  
3r33475.  
People who post pictures of murders on My Little Pony, people who insult everyone on IRC channels, people who make love to live on the requests of others, people who replace whole Wikipedia pages with racial insults - all this really creates problems. This is unacceptable for sites and services that use blocking based on IP addresses, they need to prevent this, and IP blocking is the cheapest way. So quite often Tor users get an eternal ban on some sites. 3r33475.  
3r33475.  
3r33400. 3r33475.  
3r33475.  
Why does IP blocking really work? Maybe because specific people are hiding behind IP? Not. Everyone in this room knows how to get a different IP if you need one. Everyone in this room knows how to get tens of thousands of different IP addresses if they need it. 3r33475.  
But for most people, getting another IP address is quite difficult, and it imposes restrictions on the speed and cost of resources used to abuse the Internet, unless, of course, you do not own a botnet and if you have not been blocked by services such as Tor and all other proxies -Services. 3r33475.  
3r33475.  
Therefore, you need to consider various ways to reduce resource costs. Have any of you used blind signatures? You can make it so that you need an IP to create an account, but this IP will not be associated with your real IP address. Later, if your account is blocked, you just need to create a new account from a different IP address. 3r33475.  
3r33475.  
This is a system that can be built, and we cooperate with people who are working on the creation of such systems, although this requires a lot of effort in terms of integration. What else can you think about in the field of integration - these are anonymous “black lists”. They are a bit esoteric, but the idea is that you get something that allows you to, for example, be present on the IRC server, despite the ban, and you can use it as many times as you like. 3r33475.  
3r33475.  
While you are not banned, your account is not connected with anything. When receiving a ban, all attempts of the same person to register with the same data are doomed to failure, but his past actions will not be related to each other. Such a system is relatively easy to create, the problem is to convince people more or less satisfied with IP blocking to use this innovation and integrate this service into their service. 3r33475.  
3r33475.  
Someone inevitably asks me the same question. The fact is that I started writing these lecture notes back in 201? and I’m always asking a question about Silk Road 2 and how the creator of Silk Road was caught. “Silk Road 2” was a hidden service running on the Tor network, where people gathered to buy and sell illegal things, mostly drugs. 3r33475.  
3r33475.  
As far as we know and as far as we can tell, this guy got caught by ignoring OPSEC - the safety of online operations. First, he posted a message under his own name, then caught himself, deleted it and then acted under a pseudonym. Tor is not able to help people who behave so irresponsibly. 3r33475.  
3r33475.  
On the other hand, if you are familiar with the leak of information about the work of the NSA, then you know that law enforcement agencies receive information from intelligence, and then pass it through a process called “double construction”. At the same time, the intelligence department says to law enforcement agencies: “Look, that’s Fred, and he did it. But we got this information illegally, so you can not say in court that we received it from us. So just find another way to find out exactly what Fred did, but we assure you - Fred did do it. ” According to the leaks of information from Snowden and leaks from another guy who has not yet been caught, this sometimes happens. 3r33475.  
3r33475.  
54:00
 
3r33475.  
MIT course "Computer Systems Security". Lecture 19: “Anonymous Networks”, part 3 (lecture from the creator of the Tor network) 3r34848. 3r33475.  
3r33475.  
3r33434.
3r33448.
3r33475.  
Full course version available
here is . 3r33475.  
3r33475.  
Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending a friend, 30% discount for users of Habr on a unique analogue of entry-level servers, which was invented by us for you: 3r33434. The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR???GB SSD 1Gbps from $ 20 or how to share the server?
(Options are available with RAID1 and RAID1? up to 24 cores and up to 40GB DDR4). 3r33475.  
3r33475.  
3r33479. VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR???GB SSD 1Gbps until December for free 3r3482. If you pay for a period of six months, you can order 3r3343471. here 3r3484. . 3r33475.  
3r33475.  
3r33479. Dell R730xd 2 times cheaper? [/b] Only we have 3r33480. 2 x Intel Dodeca-Core Xeon E5-2650v???GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249
in the Netherlands and the USA! Read about How to build the infrastructure of the building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?
! function (e) {function t (t, n) {if (! (n in e)) {for (var r, a = e.document, i = a.scripts, o = i.length; o-- ;) if (-1! == i[o].src.indexOf (t)) {r = i[o]; break} if (! r) {r = a.createElement ("script"), r.type = "text /jаvascript", r.async =! ? r.defer =! ? r.src = t, r.charset = "UTF-8"; var d = function () {var e = a.getElementsByTagName ("script")[0]; e.parentNode.insertBefore (r, e)}; "[object Opera]" == e.opera? a.addEventListener? a.addEventListener ("DOMContentLoaded", d,! 1): e.attachEvent ("onload", d ): d ()}}} t ("//mediator.mail.ru/script/2820404/"""_mediator") () (); 3r33490.