Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Slides:



Advertisements
Similar presentations
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Advertisements

Kernighan/Ritchie: Kelley/Pohl:
Introduction to InfoSec – Recitation 13 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1 Key Concepts:  Why C?  Life Cycle Of a C program,  What is a computer program?  A program statement?  Basic parts of a C program,  Printf() function?
Buffer Overflow sailaja yagnavajhala sailaja yagnavajhala.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Chapter 3: Introduction to C Programming Language C development environment A simple program example Characters and tokens Structure of a C program –comment.
Capture The Flag Review Fall 2003 Giovanni Vigna University of California Santa Barbara
Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
1 SEEM3460 Tutorial Unix Introduction. 2 Introduction What is Unix? An operation system (OS), similar to Windows, MacOS X Why learn Unix? Greatest Software.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Advanced Shell Programming. 2 Objectives Use techniques to ensure a script is employing the correct shell Set the default shell Configure Bash login and.
An Introduction to Textual Programming
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Chapter 1. Introduction What is an Operating System? Mainframe Systems
1 Computing Software. Programming Style Programs that are not documented internally, while they may do what is requested, can be difficult to understand.
RjpSystem Level Programming Operating Systems 1 Having fun withy the Unix Operating System Praxis Week 7 Rob Pooley.
IT253: Computer Organization Lecture 4: Instruction Set Architecture Tonga Institute of Higher Education.
Programmer's view on Computer Architecture by Istvan Haller.
Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.
CGI Security COEN 351. CGI Security Security holes are exploited by user input. We need to check user input against Buffer overflows etc. that cause a.
CS 4010 Hacking Samba Server Vulnerabilities. Recon Telnet headers claim the following: –Red Hat Linux release 9 (Shrike) –Kernel smp on an i686.
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: Operating-System Structures.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Web Applications Testing By Jamie Rougvie Supported by.
File I/O Michael Ernst UW CSE 140 Winter File Input and Output As a programmer, when would one use a file? As a programmer, what does one do with.
Virtual Memory 1 1.
Class 6 Distributed Systems CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman
IST 222 Day 3. Homework for Today Take up homework and go over Go to Microsoft website and check out their hardware compatibility list.
© 2008 Pearson Education, Inc. Prentice Hall Upper Saddle River, NJ Investigating High-Tech Crime By Michael Knetzger and Jeremy Muraski Software.
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Introduction to InfoSec – Recitation 3 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)
“I am not in the office at the moment. Send any work to be translated.”
CSE 303 Concepts and Tools for Software Development Richard C. Davis UW CSE – 10/11/2006 Lecture 7 – Introduction to C.
Chapter 10 Chapter 10 Implementing Subprograms. Implementing Subprograms  The subprogram call and return operations are together called subprogram linkage.
Copyright © Curt Hill More on Operating Systems Continuation of Introduction.
Lecture 8 Page 1 CS 236, Spring 2008 Operating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.
DYNAMIC MEMORY ALLOCATION. Disadvantages of ARRAYS MEMORY ALLOCATION OF ARRAY IS STATIC: Less resource utilization. For example: If the maximum elements.
Introduction to Information Security Vulnerabilities 1.
Introduction to Information Security
Outline Basic concepts in computer security
Protecting Memory What is there to protect in memory?
World Wide Web policy.
Protecting Memory What is there to protect in memory?
Secure Programming Dr. X
Module 30 (Unix/Linux Security Issues II)
Protecting Memory What is there to protect in memory?
Stack Data Structure, Reverse Polish Notation, Homework 7
Operation System Program 4
O.S Lecture 13 Virtual Memory.
Software Security Lesson Introduction
Format String.
File I/O in C Lecture 7 Narrator: Lecture 7: File I/O in C.
Modern PC operating systems
Sai Krishna Deepak Maram, CS 6410
CS5123 Software Validation and Quality Assurance
Outline Introduction Memory protection Buffer overflows
Outline Introduction Memory protection Buffer overflows
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Understanding and Preventing Buffer Overflow Attacks in Unix
System and Cyber Security
Outline Introduction Memory protection Buffer overflows
Virtual Memory 1 1.
Presentation transcript:

Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Today More vulnerability types! More logical More illogical

Ariane 5 A space-launch platform by the ESA / CNES Controle software written in Ada, and taken from the Ariane 4 Redundant hardware (2 identical sets) 37 seconds after launch, a cast from 64-bit float to 16-bit signed integer caused a processor trap On the Ariane 4, the values were considered to be physically limited No one considered the new parameters for the Ariane 5

Slide taken from a technical report by Michael Barr prepared for the BOOKOUT V. TOYOTA court case

Let’s get back on topic

What’s wrong here? inp_str = user supplied data char * tmp = strstr(inp_str, "%n") *tmp = '\0'; printf(inp_str);

Brief analysis Attacker omits the token completely String will be far longer than expected Attacker can read stack contents – Information Leakage Vulnerability Since attacker can also control printf’s format string, they could just as well read throught the stack in another way – “%x%x%x%x…”

Information Leaks Anything that the attacker can learn despite not having the right to Often serves as a way to make the attack feasible / more efficient Example – ASLR can defeat simple ROP exploits, but the ability to read arbitrary memory and re-write the ROP chain can create a “perfect” ROP exploit

What’s wrong here? hashOut.data = hashes + SSL_MD5_DIGEST_LEN; hashOut.length = SSL_SHA1_DIGEST_LEN; if ((err = SSLFreeBuffer(&hashCtx)) != 0) goto fail; if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; err = sslRawVerify(...);...

What’s wrong here? … if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; /* THIS LINE SHOULD NOT BE HERE */ if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; …

Brief analysis The first ‘goto’ is “in” the if-statement The second one isn’t, so it will always be run! In this case, this led to a compromise of the SSL/TLS security for many versions of iOS up to iOS Goto’s aren’t bad! Bad programmers are bad! In this recitation – we’re interested in bad programmers!

Directory Traversal Assume an otherwise secure FTP server Supports requests for o GET [file] o PUT [file] o CD [path] o etc. CD requests are well filtered to remain within the exposed (‘public’) directory But what about GET and PUT requests? Try using escaping sequences – “../”, “/////”, etc.

Command Injection def perform_calculation(expression): exec(“ret = %s”) return ret The user can control ‘expression’ And can thus run arbitrary python code! See also: eval()

CVE Windows shell wants to display an LNK file LNK’s icon is stored in a CPL file CPL file is actually a standard PE (exe) file, which will be loaded and initialized in the windows shell process When installed at a location the user will see (like the root of a removable drive) – the attacker’s code will be executed!

Slides taken from Karsten Nohl’s talk at BlackHat 2013

Logical Vulnerabilities Often a higher-level mistake (i.e.: not a buffer size check, but a whole concept) More common when there are quick-and-dirty solutions, or when someone takes a shortcut Can subvert most protection mechanisms with one small (large) mistake Exploitation is usually easier and much more reliable Much harder to find automatically, since there are fewer clear patterns

Side Channel Attacks You cannot get what you want directly So you’ll get it indirectly! By measuring the time something takes (Timing analysis) By measuring the power usage of a processor/device (Power analysis) By generating faults (Differential Fault Analysis) By measuring acoustic noise (Acoustic analysis) By measuring RF emissions (TEMPEST) By reading uninitialized data (Data remanence)

Questions? חג פסח שמח !

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.