Adding an IP address to restrict in .htaccess with PHP

Initial state
.htaccess
192.168.33.11 and 192.168.33.12 are denied access.

Count the lines of .htaccess, read lines 2 through the line before the last one by one with fgets, append the new IP address to restrict, and write the result back with file_put_contents.

$count = count(file(".htaccess"));   // number of lines in the current .htaccess

$file = fopen(".htaccess", "r");
$body = "<Files ~ \"^form\.php$\">\n";  // re-emit the opening <Files> directive (line 1)
$i = 0;
if ($file) {
    // fgets returns false at EOF; compare explicitly so a line containing "0" is not lost
    while (($line = fgets($file)) !== false) {
        $i++;
        // keep lines 2 .. count-1: the existing "deny from" entries
        if ($i < $count && $i !== 1) {
            $body .= $line;
        }
    }
    fclose($file);
}
$ip = "192.168.33.13";
// write only a syntactically valid IP address into the config file
if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
    exit("invalid IP address");
}
$body .= "deny from " . $ip . "\n";
$body .= "</Files>";
// LOCK_EX so a concurrent request cannot observe a half-written .htaccess
file_put_contents('.htaccess', $body, LOCK_EX);

A new deny from line has been added to .htaccess.

What is iptables

iptables is a packet-filtering firewall feature implemented in Linux.
Firewalls always come up when you read books on this.

Now, the iptables configuration files are located in /etc/sysconfig/:

ip6tables-config
iptables-config

Functions
1. Packet filtering
Inspects incoming packets and, when they match the configured conditions, performs the configured action (accept, drop, forward).

2. Address translation
Inspects incoming packets and, when they match the configured conditions, rewrites the packet's destination or source address to another address.

Tables
filter: used for packet filtering
nat: used for address translation
mangle: used when altering packets for purposes other than NAT

Chains
INPUT: chain for incoming (received) packets
OUTPUT: chain for outgoing (sent) packets
FORWARD: chain for forwarded packets
PREROUTING: chain that translates on receipt
POSTROUTING: chain that translates on send

IPv4 and IPv6
Characteristics of IPv6
- a large number of global IP addresses
- security features built in as standard
- easy configuration for end users

I see, so this is how far we have come.

Security background

confidentiality, integrity, availability

The security of a system, application, or protocol is always relative to:
– a set of desired properties
– an adversary with specific capabilities

Control systems
sensor, system, actuator, controller

Open – loop
Desired output response -> controller -> actuator -> process -> output

closed – loop
Desired output response -> error -> controller -> actuator -> process -> output

Networking

BAN, LAN, MAN and WAN

Ring Topology, star, extended star

OSI Model
Application, presentation, session, transport, network, datalink, physical

Application: to allow access to network resources, e.g. FTP, HTTP
Presentation: to translate, encrypt, and compress data
Session: to establish, manage, and terminate sessions
Transport: reliable process-to-process message delivery, e.g. TCP, UDP
Network: packet transport and internetworking
Data link: bits -> frames, hop-to-hop delivery
Physical: transmit bits over a medium

Each layer communicates logically with the corresponding layer at intermediate nodes.

RTT: Round Trip Time
The RTT of a WAN is much greater than that of a LAN.
TCP flow control -> three-way handshake

Cloud security

On demand self service
Broad or wide network access
Resource pooling or sharing
Measured service
Rapid elasticity

SaaS, PaaS, IaaS
Software as a service: use the provider’s applications running on a cloud infrastructure
Platform as a service: consumer-created applications using programming languages and tools supported by the provider
Infrastructure as a service: Capability provided to the consumer to provision processing, storage, networks, and other fundamental computing resources

Key Issues:
Trust, multi-tenancy, encryption, compliance
Clouds are massively complex systems
Simple primitives and common functional units

Cloud security challenges
– trusting vendor’s security model
– Customer inability to respond to audit findings
– Obtaining support for investigations
– Indirect administrator accountability
– Proprietary implementations can’t be examined
– Loss of physical control

Primary Technology
-Virtualization
-Grid technology
-Service Oriented Architectures
-Distributed Computing
-Broadband Networks

Hypervisor has higher privilege than guest kernel
Security VM is separated from User VM

User = application + data (encrypt)

Frequency Analysis Attack
connect data with public information
Optimization Attack

Big Data security

Machine Learning Review
y = f(x)
output, prediction function, training/testing example

test image -> image features -> learned model -> prediction
raw pixels, histograms, gist descriptors

Decision Tree: Determining which attribute is best
Entropy(E) is the minimum number of bits needed to represent the examples according to their class labels

There is no perfect way of labelling data, therefore there is really no perfect IDS dataset.

(flag = S0, service = http),(flag = S0, service = http) -> (flag = S0, service = http)[0.6, 2s]
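The attribute-selection step above (pick the attribute whose split lowers class entropy the most) and the itemset-support idea behind the (flag, service) rule, worked through as an added example that is not part of the original notes. The records are a constructed toy set in the style of an IDS dataset, not real traffic; the labels "attack"/"normal" and the 0/1 column positions are assumptions of this example.

```python
import math
from collections import Counter

# Constructed sample of connection records in the spirit of an IDS dataset:
# each row is (flag, service, label). Not real traffic.
RECORDS = [
    ("S0", "http", "attack"),
    ("S0", "http", "attack"),
    ("S0", "http", "attack"),
    ("S0", "ftp", "attack"),
    ("SF", "http", "normal"),
    ("SF", "http", "normal"),
    ("SF", "smtp", "normal"),
    ("REJ", "http", "normal"),
    ("REJ", "smtp", "attack"),
    ("SF", "ftp", "normal"),
]
ATTRS = {"flag": 0, "service": 1}   # attribute name -> column index (assumed layout)

def entropy(labels):
    """Shannon entropy in bits of the class-label distribution."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def information_gain(records, attr):
    """Entropy(parent) minus the size-weighted entropy of the partitions induced by attr."""
    idx = ATTRS[attr]
    parent = entropy([r[-1] for r in records])
    groups = {}
    for r in records:
        groups.setdefault(r[idx], []).append(r[-1])
    n = len(records)
    weighted = sum(len(g) / n * entropy(g) for g in groups.values())
    return parent - weighted

def best_attribute(records):
    """Attribute with the highest information gain: the root split of the decision tree."""
    return max(ATTRS, key=lambda a: information_gain(records, a))

def support(records, conditions):
    """Fraction of records satisfying every (attr, value) condition (itemset support)."""
    hits = sum(all(r[ATTRS[a]] == v for a, v in conditions) for r in records)
    return hits / len(records)
```

On this toy set "flag" separates the classes almost perfectly (gain 0.8 bits) while "service" gives no gain, so the tree splits on flag first; the pair (flag = S0, service = http) has support 0.3.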

Bitcoin Operation

Info from the public blockchain + Owner’s secret signing key
So it’s all about key management!

Simplest approach: store key in a file, on your computer or phone
device compromised -> key leaked -> coins stolen

Hot storage: online convenient but risky
Cold storage: offline archival but safer

Generate a big batch of addresses/keys, transfer to hot beforehand

generateKeyHier -> address gen info -> genAddr -> ith address
-> private key gen info -> genKey -> ith key

block chain

linked list with hash pointers = “block chain”

Cryptocurrencies
CreateCoin[ uniqueCoinID ]
signed by pk (secret signing key)
-> Goofy coin

A coin’s owner can spend it – using cryptographic operations

signed by pk
Pay to pkalice:()

signed by pk
CreateCoin[ uniqueCoinID ]

Scrooge coin
A designated entity publishes an append-only ledger containing the history of all the transactions that have happened.
All transactions must be written to the ledger before they are accepted.
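The "linked list with hash pointers" from the block chain section and Scrooge's append-only ledger, shown as an added example that is not part of the original notes: each block stores the hash of its predecessor, and the verifier only needs to remember the head hash to detect any rewrite of history. SHA-256 over a canonical JSON encoding of the block is an assumption of this example, as are the constructed "pay ... to ..." payloads.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64   # sentinel pointer for the first block

def block_hash(block):
    """Hash-pointer value: SHA-256 of the block's canonical JSON serialisation."""
    encoded = json.dumps(block, sort_keys=True).encode()
    return hashlib.sha256(encoded).hexdigest()

def build_chain(payloads):
    """Append-only chain: every block carries the hash of the previous block."""
    chain = []
    prev = GENESIS_PREV
    for i, data in enumerate(payloads):
        block = {"index": i, "data": data, "prev_hash": prev}
        chain.append(block)
        prev = block_hash(block)
    return chain, prev   # prev is now the head hash the verifier keeps

def verify_chain(chain, head_hash):
    """Walk from the remembered head back to genesis; any edit breaks a pointer."""
    expected = head_hash
    for block in reversed(chain):
        if block_hash(block) != expected:
            return False
        expected = block["prev_hash"]
    return expected == GENESIS_PREV

def tamper_demo():
    """Edit a historical block and check detection, with and without re-forging later pointers."""
    chain, head = build_chain(["pay 1 to alice", "pay 2 to bob", "pay 3 to carol"])
    ok_before = verify_chain(chain, head)
    chain[1]["data"] = "pay 200 to bob"            # history rewritten
    ok_after_edit = verify_chain(chain, head)      # block 2's prev_hash no longer matches
    chain[2]["prev_hash"] = block_hash(chain[1])   # later pointer re-forged to hide the edit
    ok_after_reforge = verify_chain(chain, head)   # head hash held by the verifier still mismatches
    return ok_before, ok_after_edit, ok_after_reforge
```

Re-forging every later pointer cannot help the attacker as long as the verifier holds the head hash independently, which is why the ledger only needs one trusted hash, not a trusted copy of every block.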