Download presentation
Presentation is loading. Please wait.
1
CS703 - Advanced Operating Systems
By Mr. Farhan Zaidi
2
Lecture No. 42
3
Overview of today’s lecture
Trojan Horses Login spoofing attacks Logic bombs Trap doors Buffer and stack overflow attacks Unsafe C library functions
4
Trojan Horses (from Tanenbaum’s book)
Free program made available to unsuspecting user Actually contains code to do harm Place altered version of utility program on victim's computer trick user into running that program
5
Login Spoofing (a) Correct login screen (b) Phony login screen
6
Logic Bombs Company programmer writes program potential to do harm
OK as long as he/she enters password daily ff programmer fired, no password and bomb explodes
7
Trap Doors (a) Normal code. (b) Code with a trapdoor inserted
8
Buffer overflows First major exploit: 1988 Internet Worm. fingerd.
Extremely common bug. First major exploit: Internet Worm. fingerd. 10 years later: over 50% of all CERT advisories: 1997: 16 out of CERT advisories. 1998: 9 out of ”- 1999: 6 out of ”- Often leads to total compromise of host. Fortunately: exploit requires expertise and patience. Two steps: Locate buffer overflow within an application. Design an exploit.
9
Buffer Overflow (a) Situation when main program is running
(b) After program A called (c) Buffer overflow shown in gray
10
What are buffer overflows?
Suppose a web server contains a function: void func(char *str) { char buf[128]; strcpy(buf, str); do-something(buf); } When the function is invoked the stack looks like: What if *str is 136 bytes long? After strcpy: str ret-addr sfp buf top of stack str top of stack *str ret
11
Basic stack exploit Program P: exec( “/bin/sh” )
Main problem: no range checking in strcpy(). Suppose *str is such that after strcpy stack looks like: When func() exits, the user will be given a shell !! Note: attack code runs in stack. To determine ret guess position of stack when func() is called. Use a stream of NOPs top of stack *str ret Code for P Program P: exec( “/bin/sh” ) (exact shell code by Aleph One)
12
Some unsafe C lib functions
strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s) scanf ( const char *format, … ) printf (conts char *format, … ) How does an attacker actually launches this attack. Inspection of source code Help of Debuggers Cramming a lot of data into a program
13
Exploiting buffer overflows
Suppose web server calls func() with given URL. Attacker can create a 200 byte URL to obtain shell on web server. Some complications: Program P should not contain the ‘\0’ character. Overflow should not crash program before func() exists. Sample buffer overflows of this type: Overflow in MIME type field in MS Outlook. Overflow in ISAPI in IIS.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.