Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Published byJonathan Stone Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)"— Presentation transcript:

1 Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

2 Today More vulnerability types! More logical More illogical

3 Ariane 5 A space-launch platform by the ESA / CNES Controle software written in Ada, and taken from the Ariane 4 Redundant hardware (2 identical sets) 37 seconds after launch, a cast from 64-bit float to 16-bit signed integer caused a processor trap On the Ariane 4, the values were considered to be physically limited No one considered the new parameters for the Ariane 5

4 Slide taken from a technical report by Michael Barr prepared for the BOOKOUT V. TOYOTA court case

5 Let’s get back on topic

6 What’s wrong here? inp_str = user supplied data char * tmp = strstr(inp_str, "%n") *tmp = '\0'; printf(inp_str);

7 Brief analysis Attacker omits the token completely String will be far longer than expected Attacker can read stack contents – Information Leakage Vulnerability Since attacker can also control printf’s format string, they could just as well read throught the stack in another way – “%x%x%x%x…”

8 Information Leaks Anything that the attacker can learn despite not having the right to Often serves as a way to make the attack feasible / more efficient Example – ASLR can defeat simple ROP exploits, but the ability to read arbitrary memory and re-write the ROP chain can create a “perfect” ROP exploit

9 What’s wrong here? hashOut.data = hashes + SSL_MD5_DIGEST_LEN; hashOut.length = SSL_SHA1_DIGEST_LEN; if ((err = SSLFreeBuffer(&hashCtx)) != 0) goto fail; if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; err = sslRawVerify(...);...

10 What’s wrong here? … if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; /* THIS LINE SHOULD NOT BE HERE */ if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; …

11 Brief analysis The first ‘goto’ is “in” the if-statement The second one isn’t, so it will always be run! In this case, this led to a compromise of the SSL/TLS security for many versions of iOS up to iOS 7.0.6 Goto’s aren’t bad! Bad programmers are bad! In this recitation – we’re interested in bad programmers!

12 Directory Traversal Assume an otherwise secure FTP server Supports requests for o GET [file] o PUT [file] o CD [path] o etc. CD requests are well filtered to remain within the exposed (‘public’) directory But what about GET and PUT requests? Try using escaping sequences – “../”, “/////”, etc.

13 Command Injection def perform_calculation(expression): exec(“ret = %s”) return ret The user can control ‘expression’ And can thus run arbitrary python code! See also: eval()

14 CVE-2010-2568 Windows shell wants to display an LNK file LNK’s icon is stored in a CPL file CPL file is actually a standard PE (exe) file, which will be loaded and initialized in the windows shell process When installed at a location the user will see (like the root of a removable drive) – the attacker’s code will be executed!

15 Slides taken from Karsten Nohl’s talk at BlackHat 2013

16

17 Logical Vulnerabilities Often a higher-level mistake (i.e.: not a buffer size check, but a whole concept) More common when there are quick-and-dirty solutions, or when someone takes a shortcut Can subvert most protection mechanisms with one small (large) mistake Exploitation is usually easier and much more reliable Much harder to find automatically, since there are fewer clear patterns

18 Side Channel Attacks You cannot get what you want directly So you’ll get it indirectly! By measuring the time something takes (Timing analysis) By measuring the power usage of a processor/device (Power analysis) By generating faults (Differential Fault Analysis) By measuring acoustic noise (Acoustic analysis) By measuring RF emissions (TEMPEST) By reading uninitialized data (Data remanence)

19 Questions? חג פסח שמח !

Download ppt "Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)"

Similar presentations

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Kernighan/Ritchie: Kelley/Pohl:

Kernighan/Ritchie: Kelley/Pohl:
Introduction to InfoSec – Recitation 13 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 13 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1 Key Concepts:  Why C?  Life Cycle Of a C program,  What is a computer program?  A program statement?  Basic parts of a C program,  Printf() function?

1 Key Concepts:  Why C?  Life Cycle Of a C program,  What is a computer program?  A program statement?  Basic parts of a C program,  Printf() function?
Buffer Overflow sailaja yagnavajhala sailaja yagnavajhala.

Buffer Overflow sailaja yagnavajhala sailaja yagnavajhala.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Chapter 3: Introduction to C Programming Language C development environment A simple program example Characters and tokens Structure of a C program –comment.

Chapter 3: Introduction to C Programming Language C development environment A simple program example Characters and tokens Structure of a C program –comment.
Capture The Flag Review Fall 2003 Giovanni Vigna University of California Santa Barbara

Capture The Flag Review Fall 2003 Giovanni Vigna University of California Santa Barbara
Java Security Updated May 2007. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
1 SEEM3460 Tutorial Unix Introduction. 2 Introduction What is Unix? An operation system (OS), similar to Windows, MacOS X Why learn Unix? Greatest Software.

1 SEEM3460 Tutorial Unix Introduction. 2 Introduction What is Unix? An operation system (OS), similar to Windows, MacOS X Why learn Unix? Greatest Software.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Advanced Shell Programming. 2 Objectives Use techniques to ensure a script is employing the correct shell Set the default shell Configure Bash login and.

Advanced Shell Programming. 2 Objectives Use techniques to ensure a script is employing the correct shell Set the default shell Configure Bash login and.
An Introduction to Textual Programming

An Introduction to Textual Programming
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Chapter 1. Introduction What is an Operating System? Mainframe Systems

Chapter 1. Introduction What is an Operating System? Mainframe Systems
1 Computing Software. Programming Style Programs that are not documented internally, while they may do what is requested, can be difficult to understand.

1 Computing Software. Programming Style Programs that are not documented internally, while they may do what is requested, can be difficult to understand.

Similar presentations

Ads by Google