K. K. Mookhey Network Intelligence India Pvt. Ltd.


Slide 1: Bug-finding
K. K. Mookhey, Network Intelligence India Pvt. Ltd.

Slide 2: Main types
Mainly two types of audits:
- Assembly or Black Box
- Open Source

Slide 3: Approach
There are two main types of methods.
Outside-in:
- Look at all input avenues for the program.
- Imagine any input validation that may or may not have been done, then try to circumvent it.
- Well suited to black-box testing.
- Easy bugs get found fast.
- Reasonable ROI.
- Critical issues usually get missed.
- Subtle bugs may take years to surface.

Slide 4: Approach
Inside-out:
- Completely audit the entire code.
- Requires extensive documentation support to make the task easier.
- The auditor must adopt the mindset of the programmer.
- Low ROI.
- Must follow all code paths.
- Will uncover subtle bugs.
- Ideal for source-code audits.

Slide 5: Black-box Testing
Looks familiar?

Slide 6: Black Box Testing
Again two methods:
- Inside-out: involves assembly code analysis.
- Outside-in: involves analysis of the overall software structure.

Slide 7: Assembly Audit
- Use tools mainly.
- Look for assembly equivalents of strcpy, strcat, sprintf, etc.
- Figuring out the actual path of execution is the challenge.
- Not recommended: less ROI.

Slide 8: Black Box
Snapshot the system before software installation:
- Registry keys (Regmon)
- Open files (Filemon)
- Open network connections (Netmon)
All tools are from

Slide 9: Black Box - 2
- Install software.
- Run software.
- Note new files added.
- Note new registry keys added.
- See the ACLs on these; they could be a source of potential malicious inputs.
- Run software again.
- Snapshot the system again: open registry keys, network connections, files, etc.

Slide 10: Black Box
Ascertain CIA (confidentiality, integrity, availability) of data when the following occur:
- Authorization: encryption, credentials, protocols, etc.
- Authentication: privilege levels, implementation, etc.
- Auditing: audit trails, locations, integrity, etc.
- Input validation: buffer overflows, format strings, directory traversal, information disclosure, etc.
- Miscellaneous: cryptanalysis, unseen threats, etc.

Slide 11: Black Box - 3
Basic approach:
- Determine all input avenues to the software.
- Imagine, as programmers, what data structures we will read the data into.
- What input checking could the programmer have missed?
  - Length (buffer overflows)
  - Meta characters (SQL injection, XSS)
  - Format string characters (format string bugs)

Slide 12: Black Box - 4
- Determine bugs in other such software, then try those out on your target.
- Examples:
  - Long filenames crashed WinZip. Could they crash other archival software?
  - IE does not validate the length of HTTP data from the server. Does Opera?

Slide 13: Methods for Black Box
- Can be done individually.
- More productive if done with a team of 2-3 people.
- Too many people reduce productivity.
- One person alone might miss some obvious tests.

Slide 14: Buffer Overflow
    #define data_len 500
    char buff[data_len];

    strcpy(buff, argv[1]);                                    /* no bound at all: overflows on long input */
    strncpy(buff, argv[1], data_len);                         /* bounded, but leaves buff unterminated if input fills it */
    strncat(buff, argv[1], sizeof(buff));                     /* wrong bound: total size, not the remaining space */
    strncat(buff, argv[1], sizeof(buff) - strlen(buff) - 1);  /* correct bound: remaining space minus the NUL */
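An added example, not from the slides: the last (correct) strncat idiom wrapped in a helper that also reports truncation, next to a check that shows the strncpy boundary the slide alludes to. Function names and the sample inputs are mine.

```c
#include <stdlib.h>
#include <string.h>

#define DATA_LEN 500

/* Append src to the NUL-terminated string in dst (capacity dst_size) using
 * the slide's bound, sizeof(buff) - strlen(buff) - 1. Returns 1 if all of
 * src fit, 0 if it was truncated. dst is always NUL-terminated on return. */
int bounded_append(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (!end)                          /* dst not terminated within its bounds */
        return 0;
    size_t room = dst_size - (size_t)(end - dst) - 1;
    strncat(dst, src, room);           /* writes at most room bytes plus the NUL */
    return strlen(src) <= room;
}

/* Why strncpy alone is not a fix: copy a constructed source of n bytes into
 * a DATA_LEN buffer and report whether a terminating NUL ended up inside it.
 * Returns 1 (terminated) for n < DATA_LEN, 0 for n >= DATA_LEN. */
int strncpy_terminated_for_len(size_t n)
{
    char *src = malloc(n + 1);
    if (!src) return -1;
    memset(src, 'B', n);
    src[n] = '\0';
    char buff[DATA_LEN];
    memset(buff, 'A', sizeof buff);    /* stale stack contents, no NUL anywhere */
    strncpy(buff, src, DATA_LEN);
    int terminated = memchr(buff, '\0', sizeof buff) != NULL;
    free(src);
    return terminated;
}

/* Constructed sample: a short filename followed by a 600-byte one. */
int demo(void)
{
    char buff[DATA_LEN] = "";
    char longname[601];
    memset(longname, 'A', 600);
    longname[600] = '\0';
    int ok_short = bounded_append(buff, sizeof buff, "report.zip");  /* fits */
    int ok_long  = bounded_append(buff, sizeof buff, longname);      /* truncated */
    return ok_short && !ok_long && strlen(buff) == DATA_LEN - 1;
}
```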

Slide 15: Format String
    printf("The value in decimal is %d and in hexadecimal is %x", dVal, dVal);
- Normal printf syntax: a format string, followed by the values.
- Format specifiers are %d, %x, %i, %s, etc.
- Special format specifier %n: receives the number of bytes formatted so far, stored into the int its argument points to.
    printf("format%.10x%n", buffer, num_bytes);
- This writes a value (the byte count) to the memory location specified by num_bytes.

Slide 16: Format String
- The printf family of functions can also be called with user data as the format string: printf(user_data) instead of printf("%s", user_data).
- Attack method: send format specifiers in user_data to jump specific values up the stack, and write the next IP using %n.
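An added example, not from the slides: a small C scanner that walks a string the way printf parses it, counting conversions that consume arguments and flagging %n, alongside the printf("%s", user_data) form the slide gives as the safe call. Useful as a review aid for strings that might reach a printf-family format argument; names are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct fmt_scan {
    int conversions;    /* number of % conversions that consume an argument */
    int writes_memory;  /* 1 if any %n (a write through a pointer) is present */
};

/* Parse %[flags][width][.precision][length]conversion like printf does.
 * %d/%x/%s read an argument; %n writes the running byte count to one. */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                        /* "%%" is a literal % */
        while (*p && strchr("-+ #0", *p)) p++;          /* flags */
        while (*p && (isdigit((unsigned char)*p) || *p == '*')) p++;   /* width */
        if (*p == '.') {                                /* precision */
            p++;
            while (*p && (isdigit((unsigned char)*p) || *p == '*')) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;        /* length modifier */
        if (!*p) break;                                 /* dangling % at end */
        r.conversions++;
        if (*p == 'n') r.writes_memory = 1;
    }
    return r;
}

/* The fix from the slide: untrusted text is an argument, never the format.
 * Returns the number of characters written, exactly as printf does. */
int print_untrusted(const char *user_data)
{
    return printf("%s\n", user_data) - 1;
}
```

The slide's own "%x%x%n" string scans as three conversions with a memory write, while print_untrusted simply emits those six characters literally.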

Slide 17: Format String
- First identify the location of the exploit code in memory, say at memory location 0x0012DD00.
- The printf statement must format 0x0012DD00 characters, followed by a %n to overwrite a saved memory location.
- Enter user_data = %x%x%n

Slide 18: Format String
- The user_data also needs to include our exploit code, which will be pushed onto the stack during execution.
    user_data = shellcode%.NNNNNNx%n
- Upon execution, the code tries to write data at some address, which is also derived from our user_data.
- We need to overwrite this with the saved return address determined earlier.

Slide 19: Format String
    user_data = shellcode%NNNNNNx%nsaved_address
- saved_address points to our own string user_data.
- NNNNNN is used to push up into the stack until we reach the desired location, whereupon the shellcode will be executed.

Slide 20: Open Source
- Use RATS for automated code audit.
- Then go to each function and sub-routine:
  - Determine inputs.
  - Check filtering of inputs.
  - Check processing of inputs.
  - Follow program execution to see where the original input comes from.

Slide 21: General Guidelines
- When testing software, go especially to the new features that have been added; the older modules are likely to be more tested and stable.
- Do the unexpected: go where no one expects you to go.

Slide 22: Example - Latest IE
- Insufficient input validation for data received from a web server in an HTTP reply.
- Some fields not parsed properly (length!): stack buffer overflow.
- Present in URLMON.dll.

Slide 23: Happy bug hunting
Questions?
