K. K. Mookhey Network Intelligence India Pvt. Ltd.


Bug-finding

Main types
Two main types of audit:
- Black box: only the binary (assembly) is available
- Open source: the source code is available

Approach
There are two main methods.
Outside-in:
- Look at all input avenues for the program
- Imagine what input validation may or may not have been done, and try to circumvent it
- Well suited to black-box testing
- Easy bugs get found fast; reasonable ROI
- Critical issues usually get missed; subtle bugs may take years to surface

Approach
Inside-out:
- Completely audit the entire code
- Requires extensive documentation support to make the task easier
- The auditor must adopt the mindset of the programmer
- Low ROI
- Must follow all code paths
- Will uncover subtle bugs
- Ideal for source-code audits

Black-box Testing Looks Familiar?

Black Box Testing
Again two methods:
- Inside-out: assembly code analysis
- Outside-in: analysis of the overall software structure

Assembly Audit
- Mainly tool-driven
- Look for the assembly equivalents of strcpy, strcat, sprintf, etc.
- Figuring out the actual path of execution is the challenge
- Not recommended: lower ROI

Black Box
Snapshot the system before software installation:
- Registry keys (Regmon)
- Open files (Filemon)
- Open network connections (TCPView; Netmon is Microsoft's separate Network Monitor, not a Sysinternals tool)
Regmon, Filemon and TCPView are from www.sysinternals.com (Regmon and Filemon have since been merged into Process Monitor)

Black Box - 2
- Install the software
- Run the software
- Note new files added
- Note new registry keys added
- Check the ACLs on these: a file or key writable by low-privileged users is a potential source of malicious input
- Run the software again and snapshot the system once more: open registry keys, network connections, files, etc.

Black Box
Ascertain confidentiality, integrity and availability of data for each of the following:
- Authentication: credentials, protocols, encryption, etc.
- Authorization: privilege levels, implementation, etc.
- Auditing: audit trails, locations, integrity, etc.
- Input validation: buffer overflows, format strings, directory traversal, information disclosure, etc.
- Miscellaneous: cryptanalysis, unseen threats, etc.

Black Box - 3
Basic approach:
- Determine all input avenues to the software
- Imagine, as the programmer would, which data structures the data is read into
- What input checking could the programmer have missed?
  - Length (buffer overflows)
  - Meta-characters (SQL injection, XSS)
  - Format string characters (format string bugs)

Black Box - 4
- Look up bugs found in other, similar software and try them out on your target
- Examples:
  - Long filenames crashed WinZip. Could they crash other archival software?
  - IE does not validate the length of HTTP data from the server. Does Opera?

Methods for Black Box
- Can be done individually
- More productive with a team of 2-3 people
- Too many people reduce productivity
- One person alone might miss some obvious tests

Buffer Overflow
The same copy written four ways, from unsafe to safe:

```c
#define data_len 500
char buff[data_len];
/* 1. Unbounded: argv[1] longer than 499 bytes overflows buff */
strcpy (buff, argv[1]);
/* 2. Bounded, but not NUL-terminated when argv[1] has data_len or more bytes */
strncpy (buff, argv[1], data_len);
/* 3. Wrong bound: strncat's limit is bytes to append, not the destination size */
strncat (buff, argv[1], sizeof(buff));
/* 4. Correct: room left for the existing contents and the terminating NUL */
strncat (buff, argv[1], sizeof(buff) - strlen(buff) - 1);
```
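The four variants above, worked through as an added C example (not the slide's code): it checks with constructed inputs that strncpy leaves the buffer unterminated, quantifies the strncat over-run when sizeof(buff) is passed as the bound, and pairs them with a hardened copy and append that always NUL-terminate and report truncation. DATA_LEN, the function names and the sample strings are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

#define DATA_LEN 500   /* assumed buffer size, matching the slide's data_len */

/* Case 2 from the slide: strncpy with the full buffer size. Returns 1 if the
 * destination is left without a terminating NUL, which happens whenever src
 * has DATA_LEN or more bytes. */
int strncpy_leaves_unterminated(const char *src)
{
    char buff[DATA_LEN];
    memset(buff, 'A', sizeof buff);          /* stand-in for stack garbage */
    strncpy(buff, src, DATA_LEN);
    return memchr(buff, '\0', sizeof buff) == NULL;
}

/* Case 3 from the slide: strncat appends up to `bound` bytes plus a NUL after
 * the `used` bytes already in dst. Returns how many bytes land past the end of
 * a dst_size byte buffer; 0 means the call stayed in bounds. */
size_t strncat_overrun(size_t dst_size, size_t used, size_t src_len, size_t bound)
{
    size_t appended = (src_len < bound ? src_len : bound) + 1;  /* +1 for NUL */
    size_t end = used + appended;
    return end > dst_size ? end - dst_size : 0;
}

/* Hardened copy: always NUL-terminates, never writes past dst_size bytes.
 * Returns 0 on success, -1 if src was truncated. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened append (case 4 from the slide, with truncation reported). */
int safe_append(char *dst, size_t dst_size, const char *src)
{
    size_t used = 0;
    while (used < dst_size && dst[used] != '\0')
        used++;
    if (used == dst_size)
        return -1;                /* dst itself was not terminated: refuse */
    return safe_copy(dst + used, dst_size - used, src);
}

/* Constructed inputs for the checks below (599 bytes, longer than DATA_LEN). */
int demo_long_input_unterminated(void)
{
    char input[DATA_LEN + 100];
    memset(input, 'B', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    return strncpy_leaves_unterminated(input);
}

int demo_safe_copy_truncates(void)
{
    char input[DATA_LEN + 100];
    char buff[DATA_LEN];
    memset(input, 'C', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    if (safe_copy(buff, sizeof buff, input) != -1)
        return 0;                 /* truncation must be reported */
    return buff[DATA_LEN - 1] == '\0' && strlen(buff) == DATA_LEN - 1;
}

int demo_safe_append_fits(void)
{
    char buff[16];
    if (safe_copy(buff, sizeof buff, "user=") != 0)
        return 0;
    if (safe_append(buff, sizeof buff, "mookhey") != 0)
        return 0;
    return strcmp(buff, "user=mookhey") == 0;
}
```

With DATA_LEN 500, ten bytes already in the buffer and a 600-byte argument, strncat bounded by sizeof(buff) writes 11 bytes past the end; bounded by sizeof(buff) - strlen(buff) - 1 it writes none.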

Format String
Normal printf syntax: a format string followed by the values to format. Format specifiers are %d, %x, %i, %s, etc.

printf("The value in decimal is %d and in hexadecimal is %x", dVal, dVal);

Special format specifier %n: prints nothing, but stores the number of characters output so far into the int pointed to by the corresponding argument.

printf("format%.10x%n", buffer, num_bytes);

Here num_bytes is a pointer; the count (6 for "format" plus 10 for %.10x, so 16) is written to the address it holds. If we control that pointer, %n lets us write a value to a memory location of our choosing.

Format String
The printf family of functions can also be called with the user data as the format string itself:

printf(user_data) instead of printf("%s", user_data)

Attack method: send format specifiers in user_data to walk up the stack to a chosen argument slot, then use %n to write the saved return address (the next instruction pointer).

Format String
- First identify the location of the exploit code in memory, say 0x0012DD00.
- The printf statement must output 0x0012DD00 (1,236,224) characters, followed by a %n, to write that value over a saved memory location.
- Enter user_data = %.618112x%.618112x%n (two widths of 618,112 sum to 1,236,224)
- In practice the address is usually written in pieces with %hn (16-bit writes), which avoids formatting millions of characters in one go.

Format String
- The user_data also needs to include our exploit code, which is pushed onto the stack during execution:
  user_data = shellcode%.NNNNNNx%n
- On execution, %n writes the count to whatever address printf reads as its next argument from the stack, and that address also comes from our user_data.
- We need that address to be the saved return address location determined earlier.

Format String
user_data = shellcode%NNNNNNx%nsaved_address
- saved_address is the location of the saved return address; the count that %n stores there is chosen to point back into our own string user_data, i.e. at the shellcode.
- The %x specifiers walk up the stack until the argument slot reaches saved_address, and the NNNNNN width pads the output to the required count.
- The return address is then overwritten and the shellcode executes when the function returns.
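The two format-string points made in the slides above, as an added C example (not the slide's code): printf(user_data) interprets attacker-supplied specifiers while printf("%s", user_data) does not, and %n stores the output count into the pointer it is given. The %n write here targets a legitimate local int rather than a return address, and the last function only computes the two %.Nx widths for the 0x0012DD00 example. log_msg, the function names and the sample user_data string are assumptions for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper: forwards to vsnprintf without a format
 * attribute, so the unsafe call below compiles without a warning, as many
 * real wrappers do. */
static void log_msg(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
}

/* Vulnerable: user data becomes the format string, as in printf(user_data). */
void vulnerable_log(char *out, size_t out_size, const char *user_data)
{
    log_msg(out, out_size, user_data);
}

/* Fixed: user data is only ever an argument to a fixed format string. */
void fixed_log(char *out, size_t out_size, const char *user_data)
{
    log_msg(out, out_size, "%s", user_data);
}

/* Constructed attacker input: three %x specifiers with no matching arguments.
 * Returns 1 if the vulnerable call interpreted them (no literal '%' survives
 * in its output) and the fixed call echoed the input back unchanged. */
int user_data_is_interpreted(void)
{
    const char *user_data = "%x.%x.%x";
    char out_vuln[128], out_fixed[128];
    vulnerable_log(out_vuln, sizeof out_vuln, user_data);
    fixed_log(out_fixed, sizeof out_fixed, user_data);
    return strchr(out_vuln, '%') == NULL && strcmp(out_fixed, user_data) == 0;
}

/* The %n specifier from the slide with a legitimate int as its target:
 * returns the count %n stored. "format" is 6 characters and %.10x prints 10. */
int count_stored_by_n(void)
{
    char out[64];
    int num_bytes = 0;
    snprintf(out, sizeof out, "format%.10x%n", 0xdeadbeefu, &num_bytes);
    return num_bytes;
}

/* Splits the value an attacker wants %n to store (the slide's shellcode
 * address 0x0012DD00) into two %.Nx widths whose output lengths, together with
 * prefix_len bytes already printed, sum to target. Returns the second width;
 * the first is the remainder. */
unsigned long second_width(unsigned long target, unsigned long prefix_len)
{
    unsigned long remaining = target - prefix_len;
    unsigned long first = remaining / 2;
    return remaining - first;
}
```

Reading arguments that were never passed (the %x.%x.%x case) is undefined behaviour; on a typical x86-64 glibc build it prints whatever is in the register save area and stack, which is the information leak the slides describe. Some C libraries refuse %n in writable format strings, which is one reason the fixed form, not a runtime check, is the right repair.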

Open Source
- Use RATS for an automated first pass over the code
- Then go to each function and subroutine:
  - Determine its inputs
  - Check filtering of inputs
  - Check processing of inputs
- Follow program execution backwards to see where the original input comes from

General Guidelines
- When testing software, go especially to the new features that have been added; the older modules are likely to be better tested and more stable
- Do the unexpected: go where no one expects you to go

Example - Latest IE
- Insufficient input validation for data received from a web server in an HTTP reply
- Some fields not parsed properly (length!): stack buffer overflow
- Present in URLMON.dll

Happy bug hunting Questions?