Download presentation
Presentation is loading. Please wait.
2
Application and OS Attacks 1 Application and OS Attacks
3
Application and OS Attacks 2 Attack Phases Phase 1: Reconnaissance Phase 2: Scanning Phase 3: Gaining access o Application/OS attacks o Network attacks/DoS attacks Phase 4: Maintaining access Phase 5: Covering tracks and hiding
4
Application and OS Attacks 3 So Far… Recon and Scanning completed Attacker has inventory of target system and possible vulnerabilities How to exploit vulnerabilities? o Application & OS attacks (this chapter) o Network-based attacks (next chapter)
5
Application and OS Attacks 4 Main Topics Buffer Overflow o Stack, heap, and integer overflow Passwords Web-based attacks o Session tracking, SQL injection, … o Browser flaws
6
Application and OS Attacks 5 Script Kiddies Attacks are widely available o French Security Response Team (FrSIRT) o Packet Storm Security o Bugtraq Archives o Metasploit Project Little or no knowledge required
7
Application and OS Attacks 6 FrSIRT
8
Application and OS Attacks 7 Sophisticated Attacks Next, we consider common attacks Useful to understand how attacks work Advanced attackers can use these for o Original attacks o More clever uses of existing attacks
9
Application and OS Attacks 8 Buffer Overflow
10
Application and OS Attacks 9 Some C Code
11
Application and OS Attacks 10 The Stack
12
Application and OS Attacks 11 Vulnerable C Code
13
Application and OS Attacks 12 Stack for Vulnerable Code
14
Application and OS Attacks 13 Smashed Stack
15
Application and OS Attacks 14 Typical Exploit
16
Application and OS Attacks 15 Heap Overflow Vulnerability
17
Application and OS Attacks 16 Heap
18
Application and OS Attacks 17 Heap: Normal and Attack
19
Application and OS Attacks 18 Typical Attack Scenario Users enter data into a Web form Web form is sent to server Server writes data to buffer, without checking length of input data Data overflows from buffer Sometimes, overflow can enable an attack Web form attack could be carried out by anyone with an Internet connection
20
Application and OS Attacks 19 Buffer Overflow Q: What happens when this is executed? A: Depending on what resides in memory at location “buffer[20]” o Might overwrite user data or code o Might overwrite system data or code int main(){ int buffer[10]; buffer[20] = 37;}
21
Application and OS Attacks 20 Simple Buffer Overflow Consider boolean flag for authentication Buffer overflow could overwrite flag allowing anyone to authenticate! buffer FT FOURSC… Boolean flag In some cases, attacker need not be so lucky as to have overflow overwrite flag
22
Application and OS Attacks 21 Memory Organization Text == code Data == static variables Heap == dynamic data Stack == “scratch paper” o Dynamic local variables o Parameters to functions o Return address stack heap data text high address low address SP
23
Application and OS Attacks 22 Simplified Stack Example high void func(int a, int b){ char buffer[10]; } void main(){ func(1, 2); } :::: buffer ret a b return address low SP
24
Application and OS Attacks 23 Smashing the Stack high What happens if buffer overflows? :::: buffer a b ret… low SP retoverflow Program “returns” to wrong location NOT! ??? A crash is likely overflow
25
Application and OS Attacks 24 Smashing the Stack high Trudy has a better idea… :::: evil code a b low SP ret Code injection Trudy can run code of her choosing!
26
Application and OS Attacks 25 Smashing the Stack Trudy may not know o Address of evil code o Location of ret on stack Solutions o Precede evil code with NOP “landing pad” o Insert lots of new ret evil code :::: :::: ret : NOP : ret ret
27
Application and OS Attacks 26 Stack Smashing Summary A buffer overflow must exist in the code Not all buffer overflows are exploitable o Things must line up just right If exploitable, attacker can inject code Trial and error likely required o Lots of help available online o Smashing the Stack for Fun and Profit, Aleph One Smashing the Stack for Fun and Profit Also heap overflow, integer overflow, etc. Stack smashing is “attack of the decade”
28
Application and OS Attacks 27 Stack Smashing Example Program asks for a serial number that the attacker does not know Attacker does not have source code Attacker does have the executable (exe) Program quits on incorrect serial number
29
Application and OS Attacks 28 Example By trial and error, attacker discovers an apparent buffer overflow Note that 0x41 is “A” Looks like ret overwritten by 2 bytes!
30
Application and OS Attacks 29 Example Next, disassemble bo.exe to find The goal is to exploit buffer overflow to jump to address 0x401034
31
Application and OS Attacks 30 Example Find that 0x401034 is “ @^P4 ” in ASCII Byte order is reversed? Why? X86 processors are “little-endian”
32
Application and OS Attacks 31 Example Reverse the byte order to “ 4^P@ ” and… Success! We’ve bypassed serial number check by exploiting a buffer overflow Overwrote the return address on the stack
33
Application and OS Attacks 32 Example Attacker did not require access to the source code Only tool used was a disassembler to determine address to jump to May be possible to find address by trial and error o Necessary if attacker does not have exe
34
Application and OS Attacks 33 Example Source code for bo example: Note: Flaw easily found by attacker o Without the source code!
35
Application and OS Attacks 34 Stack Smashing Prevention Employ non-executable stack o “No execute” NX bit (if available) o Seems like the logical thing to do, but some real code executes on the stack (Java does this) Use safe languages (Java, C#) Use safer C functions o For unsafe functions, there are safer versions o For example, strncpy instead of strcpy
36
Application and OS Attacks 35 Stack Smashing Prevention Canary o Run-time stack check o Push canary onto stack o Canary value could be… Constant 0x000aff0d Or depends on ret high :::: buffer a b low overflowret canaryoverflow
37
Application and OS Attacks 36 Microsoft’s Canary Microsoft added buffer security check feature to C++ with /GS compiler flag Uses canary (or “security cookie”) Q: What to do when canary dies? A: Check for user-supplied handler Handler may be subject to attack o Claimed that attacker can specify handler code o If so, “safe” buffer overflows become exploitable when /GS is used!
38
Application and OS Attacks 37 ASLR Address Space Layout Randomization o Randomize location of code in memory Makes buffer overflow attacks probabilistic o Address to jump to is “random” Vista uses ASLR o With 256 “random” layouts (roughly) o So only 1/256 chance attack succeeds Similar thing is done in Mac OS X
39
Application and OS Attacks 38 ASLR A form of computing “diversity” Works well with NX Tricky to implement Not a panacea o There is no substitute for correct code For more info… o See slides herehere
40
Application and OS Attacks 39 Buffer Overflow The “attack of the decade” for 90’s o Will be the attack of the decade for 00’s Can be greatly reduced o ASLR, NX, etc. o Use safe languages/safer functions o Educate developers, use tools, etc. Buffer overflows will exist for a long time o Legacy code o Bad software development
41
Application and OS Attacks 40 Incomplete Mediation
42
Application and OS Attacks 41 Input Validation Consider: strcpy(buffer, argv[1]) A buffer overflow occurs if len(buffer) < len(argv[1]) Software must validate the input by checking the length of argv[1] Failure to do so is an example of a more general problem: incomplete mediation
43
Application and OS Attacks 42 Input Validation Consider web form data Suppose input is validated on client For example, the following is valid http://www.things.com/orders/final&custID=112&num=55A&qty =20&price=10&shipping=5&total=205 Suppose input is not checked on server o Why bother since input checked on client? o Then attacker could send http message http://www.things.com/orders/final&custID=112&num=55A&qty =20&price=10&shipping=5&total=25
44
Application and OS Attacks 43 Incomplete Mediation Linux kernel o Research has revealed many buffer overflows o Many of these are due to incomplete mediation Linux kernel is “good” software since o Open-source o Kernel written by coding gurus Tools exist to help find such problems o But errors can be subtle o And tools useful to attackers too!
45
Application and OS Attacks 44 Race Conditions
46
Application and OS Attacks 45 Race Condition Security processes should be atomic o Occur “all at once” Race conditions can arise when security- critical process occurs in stages Attacker makes change between stages o Often, between stage that gives authorization, but before stage that transfers ownership Example: Unix mkdir
47
Application and OS Attacks 46 mkdir Race Condition mkdir creates new directory How mkdir is supposed to work 1. Allocate space mkdir 2. Transfer ownership
48
Application and OS Attacks 47 mkdir Attack Not really a “race” o But attacker’s timing is critical 1. Allocate space mkdir 3. Transfer ownership 2. Create link to password file The mkdir race condition
49
Application and OS Attacks 48 Race Conditions Race conditions appear to be common o May be more common than buffer overflows But race conditions harder to exploit o Buffer overflow is “low hanging fruit” today To prevent race conditions… o Make security-critical processes atomic o Occur all at once, not in stages o Not easy to accomplish in practice
50
Application and OS Attacks 49 Heap Overflow Heap used for dynamic variables o For example, malloc in C Can overflow one array into another Makes it possible to change data o Like simpleminded example given earlier
51
Application and OS Attacks 50 Heap Overflow Example First print o buf2 = 22222222 Second print o buf2 = 11122222
52
Application and OS Attacks 51 Integer Overflow Many “integer” problems This example… o What if len is negative? o Note that memcpy thinks len is unsigned
53
Application and OS Attacks 52 Exploitation Engines Developing a buffer overflow attack o Tedious, lots of trial and error o Until Metasploit… Metasploit o Knows about lots of attacks o Has lots of payloads
54
Application and OS Attacks 53 Metasploit Payloads include o Bind shell to current port o Bind shell to arbitrary port o Reverse shell o Windows VNC Server DLL inject o Reverse VNC DLL inject o Inject DLL into running application o Create local admin user o The Meterpreter (run command of attacker’s choosing)
55
Application and OS Attacks 54 Metasploit Web Interface
56
Application and OS Attacks 55 Metasploit Advantages for attackers? o Reduces “development cycle” o Resulting attacks much more reliable Advantages for good guys? o Helps identify false positives o Help improve IDS o Improved penetration testing o Improved management awareness
57
Application and OS Attacks 56 Buffer Overflow Defenses NX, safe languages, safer functions (in C), canary, ASLR Better software development o Use tools, such as o ITS4 ITS4 o RATS RATS o Flawfinder Flawfinder
58
Application and OS Attacks 57 Authentication
59
Application and OS Attacks 58 Who Goes There? How to authenticate a human to a machine? Can be based on… o Something you know For example, a password o Something you have For example, a smartcard o Something you are For example, your fingerprint
60
Application and OS Attacks 59 Something You Know Passwords Lots of things act as passwords! o PIN o Social security number o Mother’s maiden name o Date of birth o Name of your pet, etc.
61
Application and OS Attacks 60 Trouble with Passwords “Passwords are one of the biggest practical problems facing security engineers today.” “Humans are incapable of securely storing high- quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed.)”
62
Application and OS Attacks 61 Why Passwords? Why is “something you know” more popular than “something you have” and “something you are”? Cost: passwords are free Convenience: easier for SA to reset pwd than to issue user a new thumb
63
Application and OS Attacks 62 Keys vs Passwords Crypto keys Spse key is 64 bits Then 2 64 keys Choose key at random… …then attacker must try about 2 63 keys Passwords Spse passwords are 8 characters, and 256 different characters Then 256 8 = 2 64 pwds Users do not select passwords at random Attacker has far less than 2 63 pwds to try (dictionary attack)
64
Application and OS Attacks 63 Good and Bad Passwords Bad passwords o frank o Fido o password o 4444 o Pikachu o 102560 o AustinStamp Good Passwords? o jfIej,43j-EmmL+y o 09864376537263 o P0kem0N o FSa7Yago o 0nceuP0nAt1m8 o PokeGCTall150
65
Application and OS Attacks 64 Password Experiment Three groups of users each group advised to select passwords as follows o Group A: At least 6 chars, 1 non-letter o Group B: Password based on passphrase o Group C: 8 random characters Results o Group A: About 30% of pwds easy to crack o Group B: About 10% cracked Passwords easy to remember o Group C: About 10% cracked Passwords hard to remember winner
66
Application and OS Attacks 65 Password Experiment User compliance hard to achieve In each case, 1/3rd did not comply (and about 1/3rd of those easy to crack!) Assigned passwords sometimes best If passwords not assigned, best advice is o Choose passwords based on passphrase o Use pwd cracking tool to test for weak pwds o Require periodic password changes?
67
Application and OS Attacks 66 Attacks on Passwords Attacker could… o Target one particular account o Target any account on system o Target any account on any system o Attempt denial of service (DoS) attack Common attack path o Outsider normal user administrator o May only require one weak password!
68
Application and OS Attacks 67 Password Retry Suppose system locks after 3 bad passwords. How long should it lock? o 5 seconds o 5 minutes o Until SA restores service What are +’s and -’s of each?
69
Application and OS Attacks 68 Password File Bad idea to store passwords in a file But need a way to verify passwords Cryptographic solution: hash the passwords o Store y = h(password) o Can verify entered password by hashing o If attacker obtains password file, he does not obtain passwords o But attacker with password file can guess x and check whether y = h(x) o If so, attacker has found password!
70
Application and OS Attacks 69 Dictionary Attack Attacker pre-computes h(x) for all x in a dictionary of common passwords Suppose attacker gets access to password file containing hashed passwords o Attacker only needs to compare hashes to his pre-computed dictionary o Same attack will work each time Can we prevent this attack? Or at least make attacker’s job more difficult?
71
Application and OS Attacks 70 Password File Store hashed passwords Better to hash with salt Given password, choose random s, compute y = h(password, s) and store the pair (s,y) in the password file Note: The salt s is not secret Easy to verify password Attacker must recompute dictionary hashes for each user lots more work!
72
Application and OS Attacks 71 Password Cracking: Do the Math Assumptions Pwds are 8 chars, 128 choices per character o Then 128 8 = 2 56 possible passwords There is a password file with 2 10 pwds Attacker has dictionary of 2 20 common pwds Probability of 1/4 that a pwd is in dictionary Work is measured by number of hashes
73
Application and OS Attacks 72 Password Cracking Attack 1 password without dictionary o Must try 2 56 /2 = 2 55 on average o Just like exhaustive key search Attack 1 password with dictionary o Expected work is about 1/4 (2 19 ) + 3/4 (2 55 ) = 2 54.6 o But in practice, try all in dictionary and quit if not found work is at most 2 20 and probability of success is 1/4
74
Application and OS Attacks 73 Password Cracking Attack any of 1024 passwords in file Without dictionary o Assume all 2 10 passwords are distinct o Need 2 55 comparisons before expect to find password o If no salt, each hash computation gives 2 10 comparisons the expected work (number of hashes) is 2 55 /2 10 = 2 45 o If salt is used, expected work is 2 55 since each comparison requires a new hash computation
75
Application and OS Attacks 74 Password Cracking Attack any of 1024 passwords in file With dictionary o Probability at least one password is in dictionary is 1 – (3/4) 1024 = 1 o We ignore case where no pwd is in dictionary o If no salt, work is about 2 19 /2 10 = 2 9 o If salt, expected work is less than 2 22 o Note: If no salt, we can precompute all dictionary hashes and amortize the work
76
Application and OS Attacks 75 Other Password Issues Too many passwords to remember o Results in password reuse o Why is this a problem? Who suffers from bad password? o Login password vs ATM PIN Failure to change default passwords Social engineering Error logs may contain “almost” passwords Bugs, keystroke logging, spyware, etc.
77
Application and OS Attacks 76 Passwords The bottom line Password cracking is too easy! o One weak password may break security o Users choose bad passwords o Social engineering attacks, etc. The bad guy has all of the advantages All of the math favors bad guys Passwords are a big security problem
78
Application and OS Attacks 77 Password Cracking Tools Popular password cracking tools o Password Crackers Password Crackers o Password Portal Password Portal o L0phtCrack and LC4 (Windows) L0phtCrack and LC4 o John the Ripper (Unix) John the Ripper Admins should use these tools to test for weak passwords since attackers will! Good article on password cracking o Passwords - Conerstone of Computer Security Passwords - Conerstone of Computer Security
79
Application and OS Attacks 78 Password Problems Weak passwords Too many passwords Default passwords And so on…
80
Application and OS Attacks 79 Default Passwords
81
Application and OS Attacks 80 Password Cracking Cain and Abel
82
Application and OS Attacks 81 Password Cracking John the Ripper
83
Application and OS Attacks 82 Password Cracking Defenses Strong password policy User awareness Pwd filtering software o Password Guardian, Strongpass Use other forms of authentication Try password cracking Protect password files
84
Application and OS Attacks 83 Web-Related Attacks Rapidly growing area of interest For up-to-date info, see, for example, The Ghost in the Browser The Ghost in the Browser o Slides are herehere
85
Application and OS Attacks 84 Web Application Attacks Book discusses… Account harvesting Session tracking issues SQL injection
86
Application and OS Attacks 85 Account Harvesting Targets authentication process when application requests ID/password Attacker can collect IDs o And sometimes passwords too A simple concept Very effective in some Web apps
87
Application and OS Attacks 86 Account Harvesting Error message for bad ID
88
Application and OS Attacks 87 Account Harvesting Error message for good ID, bad password
89
Application and OS Attacks 88 Account Harvesting Defense Have consistent error messages Other?
90
Application and OS Attacks 89 Session Tracking Issues Authenticate to Web application o Use a password Then often use a session ID to connect traffic to authenticated user o Session ID is given to client browser o Usually independent of SSL connection o Bottom line: ID can be changed by client
91
Application and OS Attacks 90 Attacking Session Tracking Session ID can be implemented using o URL session tracking (next slide) o Hidden form elements (next slide) o Nonpersistent cookies (most common)
92
Application and OS Attacks 91 Session Tracking URL session tracking example Hidden form, in html:
93
Application and OS Attacks 92 Session Tracking Attacks Might be able to alter session ID o If so, can hijack an active session o Called “session cloning” Why doesn’t Web application connect session ID to IP address?
94
Application and OS Attacks 93 Session Tracking Attacks Attacker first needs to find valid ID How to do so? o Collect a bunch of IDs o Try to see how they change o Then make educated guesses…
95
Application and OS Attacks 94 Session Tracking Attacks Attacker must change session ID in active session Spse nonpersistent Web cookies used
96
Application and OS Attacks 95 Session Tracking Attacks Can use a “Web application manipulation proxy” to change session ID in active session Web app manipulation proxies include o Achilles, Paros Proxy, WebScarab, Web Sleuth, etc.
97
Application and OS Attacks 96 Web Application Manipulation Proxy
98
Application and OS Attacks 97 Achilles
99
Application and OS Attacks 98 Paros Proxy
100
Application and OS Attacks 99 Defenses Integrity protect session ID o Sign/MAC/HMAC o Then, only legitimate user can properly sign/MAC/HMAC Note that this is separate from SSL Is this really necessary???
101
Application and OS Attacks 100 SQL Injection Structured Query Language (SQL) o Used by web application to communicate with back-end database By manipulating SQL, attacker may o Get access to info o Change data We’ve seen this before
102
Application and OS Attacks 101 WebGoat Fake e- commerce site o Intentionally full of vulnerabilities
103
Application and OS Attacks 102 WebGoat
104
Application and OS Attacks 103 WebGoat
105
Application and OS Attacks 104 WebGoat
106
Application and OS Attacks 105 SQL Injection Defenses Complete mediation o Filter all user-supplied info Limit permissions of Web app when accessing database “Parameterized stored procedures” o I.e., do not compose queries on the fly
107
Application and OS Attacks 106 Browser Flaws Browsers are complex pieces of software o Lots of flaws have been found o Buffer overflows, for example For example, buffer overflow in Safari (related to tiff files) used to break iPhone restrictions
108
Application and OS Attacks 107 Browser Flaws
109
Application and OS Attacks 108 Defenses Use antivirus “…consider using a browser other than Internet Explorer”
110
Application and OS Attacks 109 Conclusions
111
Application and OS Attacks 110 Summary
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.