1
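Introduction to Computer Science and Information Engineering. 許富皓, Department of Computer Science and Information Engineering, National Central University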
2
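Network Engineering Research Group
Research and development of advanced network communication technologies, and construction of a complete network communication theory. Development of new-generation network applications. Establishment of comprehensive network and computer security.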
3
Full-time and adjunct faculty
Teaching area: Network Engineering Research Group. Affiliated faculty: 顏嵩銘、許富皓、黃興燦、江振瑞、張貴雲、孫敏德、周立德、曾黎明、吳曉光、王尉任
4
Network Engineering Research Group
5
Network Engineering Research Group Curriculum Map
6
Stack Smashing Attacks
7
Principle of Stack Smashing Attacks
Overwrite control transfer structures, such as return addresses or function pointers, to redirect program execution flow to desired code. Attack strings carry both code and the address(es) of the code entry point.
8
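Explanation of BOAs (1)
G(int a) { H(3); add_g: ; }   /* add_g marks the return address of the call to H */
H(int b) { char c[100]; int i = 0; while ((c[i++] = getch()) != EOF) ; }   /* no bounds check on c */
Input String: xyz
[Figure: stack layout, from higher to lower addresses: G's stack frame; then H's stack frame holding b, the return address add_g, the address of G's frame pointer, and c[99] down to c[0]. The input string xyz is stored upward from c[0]: x at 0xaba, y at 0xabb, z at 0xabc.]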
9
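Explanation of BOAs (2)
G(int a) { H(3); add_g: ; }   /* add_g marks the return address of the call to H */
H(int b) { char c[100]; int i = 0; while ((c[i++] = getch()) != EOF) ; }   /* no bounds check on c */
Attack String: xxInjected Codexy0xabc (Length=108 bytes)
[Figure: stack layout of H's stack frame after the overflow: c[0] at 0xaba and the byte at 0xabb hold x, the injected code starts at 0xabc and is followed by x and y, and the return address add_g has been overwritten with the address 0xabc.]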
10
Injected Code: The attacked programs usually have root privilege; therefore, the injected code is executed with root privilege. The injected code is already in machine instruction form; therefore, a CPU can directly execute it. However the above fact also means that the injected code must match the CPU type of the attacked host. Usually the injected code will fork a shell; hence, after an attack, an attacker could have a root shell.
11
Injected Code of Remote BOAs
In order to be able to interact with the newly forked root shell, the injected code usually needs to execute the following two steps: Open a socket. Redirect standard input and output of the newly forked root shell to the socket.
12
Example of Injected Code for X86 Architecture : Shell Code
char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
13
Two Factors for A Successful Buffer Overflow-style Attack (1)
A successful buffer overflow-style attack should be able to overflow the right place (e.g. the place that holds a return address) with the correct value (e.g. the address of the injected code entry point).
14
Two Factors for A Successful Buffer Overflow-style Attack (2)
[Figure labels: return address; buffer where the overflow starts; injected code.]
The two factors are the address of the injected code entry point and the offset between the beginning of the overflowed buffer and the overflow target. The offset and the entry point address are non-predictable. They cannot be decided by just looking at the source code or local binary code.
15
Non-predictable Offset
For performance reasons, most compilers don't allocate memory for local variables in the order they appear in the source code, and sometimes some space may be inserted between them. (Source code doesn't help.) Different compilers/OSes use different allocation strategies. (Local binaries don't help.) Address obfuscation inserts a random amount of space between local variables and the return address. (Super good luck may help.)
16
Non-predictable Entry Point Address
[Figure: stack contents for the command "webserver -a -b security", labelled in order: system data (0xbfffffff); environment variables and argument strings (command line arguments and environment variables); env pointers; argv pointers; argc; function main()'s stack frame.]
17
Strategies Used by Attackers to Increase Their Success Chance
Repeat address patterns. Insert NOP (0x90) operations before the entry point of injected code.
18
Exploit Code Web Sites
Exploit World, Milw0rm, Metasploit, Securiteam
19
An Exploit Code Generation Program
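This program uses the following three loops to generate the attack string which contains the shell code.
/* fill the whole buffer with the repeated jump address */
for (i = 0; i < sizeof(buff); i += 4) *(ptr++) = jump;
/* overwrite the front of the buffer with NOPs (0x90) */
for (i = 0; i < sizeof(buff) - 200 - strlen(evil); i++) buff[i] = 0x90;
/* copy the shell code (evil) right after the NOPs */
for (j = 0; j < strlen(evil); j++) buff[i++] = evil[j];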
20
Buffer Overflow Attacks
Countermeasures of Buffer Overflow Attacks
21
Countermeasures of Buffer Overflow Attacks (1)
Array bounds checking. Non-executable stack/heap. Safe C library. Compiler solutions, e.g., StackGuard, RAD. Type safe language, e.g. Java. Static source code analysis.
22
Countermeasures of Buffer Overflow Attacks (2)
Anomaly detection, e.g. through system calls. Dynamic allocation of memory for data that will overwrite adjacent memory area. Memory address obfuscation/ASLR. Randomization of executable code. Network-based buffer overflow detection.
23
Array Bounds Checking
Fundamental solution for all kinds of buffer overflow attacks. High run-time overhead (1 time in some situations).
24
Non-executable Stack/Heap
The majority of buffer overflow attacks are stack smashing attacks; therefore, a non-executable stack could block the majority of buffer overflow attacks. It disables some original system functions, e.g. signal call handling, nested functions.
25
Safe C Library
Some string-related C library functions, such as strcpy and strcat, don't check the boundaries of their destination buffers; hence, modifying these kinds of unsafe library functions could secure programs that use these functions. Replace strcpy with strncpy, or replace strcat with strncat, and so on. Plenty of other C statements could still result in buffer overflow vulnerabilities. E.g. while ((*(ptr+i)=getchar())!=EOF) i++;
26
Compiler Solutions: StackGuard
Put a canary word before each return address in each stack frame. Usually, when a buffer overflow attack is launched, not only the return address but also the canary word will be overwritten; thus, by checking the integrity of the canary word, this mechanism can defend against stack smashing attacks. Low performance overhead. Changes the layout of the stack frame of a function; hence, this mechanism is not compatible with some programs, e.g. debuggers. Only protects return addresses.
27
Compiler Solutions: RAD
Store another copy of each return address in a well-protected area, the RAR. When a function is called, in addition to saving its return address in its corresponding stack frame, another copy of its return address is saved in the RAR. When the function finishes, before returning to its caller, the callee checks the return address in its stack frame to see whether the RAR has a copy of that address. If there is no such address in the RAR, then a buffer overflow attack alarm is raised. Low performance overhead. Only protects return addresses.
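The StackGuard and RAD checks described on the two slides above, simulated on the frame of H() from the earlier slides. This is an added example, not code from the original slides or from either tool; the frame layout, the canary value, the stand-in address for add_g and all function names are assumptions, and adding the canary word makes the frame 112 bytes instead of the slides' 108.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY 0x000aff0dU        /* constructed canary value */
#define ADD_G  0x08048abcU        /* constructed stand-in for add_g */

/* Simulated frame of H(), lowest address first (assumed layout). */
struct frame {
    char     c[100];              /* local buffer */
    uint32_t saved_fp;            /* address of G's frame pointer */
    uint32_t canary;              /* StackGuard word before the return address */
    uint32_t ret;                 /* return address */
};

static uint32_t rar[64];          /* RAD: protected copies of return addresses */
static int rar_top;

/* Prologue: store the return address in the frame and a copy in the RAR. */
static void prologue(struct frame *f, uint32_t ret_addr) {
    memset(f, 0, sizeof *f);
    f->canary = CANARY;
    f->ret = ret_addr;
    rar[rar_top++] = ret_addr;
}

/* Epilogue: bit 0 set = canary changed, bit 1 set = RAR copy differs. */
static int epilogue(const struct frame *f) {
    int alarm = 0;
    if (f->canary != CANARY) alarm |= 1;
    if (rar[--rar_top] != f->ret) alarm |= 2;
    return alarm;
}

/* Model H(): copy n input bytes from c[0] upward with no bounds check. */
int run_h(const unsigned char *input, size_t n) {
    struct frame f;
    prologue(&f, ADD_G);
    if (n > sizeof f) n = sizeof f;   /* the simulation stays inside the struct */
    memcpy(&f, input, n);
    return epilogue(&f);
}

int main(void) {
    unsigned char in[112];
    memset(in, 'x', sizeof in);       /* constructed input */
    printf("%d %d %d %d\n", run_h(in, 100), run_h(in, 104),
           run_h(in, 108), run_h(in, 112));
    return 0;
}
```

An input of 104 bytes overwrites the saved frame pointer without raising either alarm, which is the "only protects return addresses" limitation both slides state.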
28
Type Safe Language, e.g. Java
These kinds of languages will automatically perform array bound checking. The majority of programs are not written in these kinds of languages; rewriting all programs with these kinds of languages becomes an impossible mission.
29
Static Source Code Analysis.
Analyze source code to find potential program statements that could result in buffer overflow vulnerabilities. E.g. program statements like while((*(buf+i)=getchar())!=EOF) i++; are not safe. Produces false positives and false negatives. The source code can be difficult to obtain.
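A bounded replacement for the unsafe read loop quoted on this slide and on the Safe C Library slide, as an added example that is not part of the original slides. The function names, the callback-style byte source and the sample input are assumptions made so the code runs without stdin.

```c
#include <stddef.h>
#include <stdio.h>

/* Byte source with getchar() semantics: returns 0..255, or EOF at the end. */
typedef int (*next_byte_fn)(void *src);

/* Store at most cap-1 bytes in buf, always NUL-terminate, and report
 * through *truncated whether input was left over. Returns bytes stored. */
size_t read_bounded(next_byte_fn next, void *src,
                    char *buf, size_t cap, int *truncated) {
    size_t i = 0;
    int ch;                          /* int keeps EOF distinct from byte 0xFF */
    *truncated = 0;
    if (cap == 0) return 0;
    while ((ch = next(src)) != EOF) {
        if (i + 1 >= cap) {          /* last slot is reserved for the NUL */
            *truncated = 1;
            break;
        }
        buf[i++] = (char)ch;
    }
    buf[i] = '\0';
    return i;
}

/* Constructed in-memory source so the example runs without stdin. */
struct mem_src { const unsigned char *p; size_t left; };

int mem_next(void *src) {
    struct mem_src *m = src;
    if (m->left == 0) return EOF;
    m->left--;
    return *m->p++;
}

int main(void) {
    unsigned char input[300];
    char c[100];                     /* same size as the slides' buffer */
    int cut;
    for (size_t k = 0; k < sizeof input; k++) input[k] = 0xFF;
    struct mem_src m = { input, sizeof input };
    size_t n = read_bounded(mem_next, &m, c, sizeof c, &cut);
    printf("stored=%zu truncated=%d\n", n, cut);   /* stored=99 truncated=1 */
    return 0;
}
```

Reading into an int also fixes a second defect in the original loop: once the byte is narrowed to char, a 0xFF input byte can compare equal to EOF, or EOF can never match, depending on whether char is signed.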
30
Anomaly Detection
This mechanism is based on the idea that most malicious code that is run on a target system will make system calls to access certain system resources, such as files and sockets. This technique has two main parts: preprocessing and monitoring. False positives and false negatives.
31
Memory Address Obfuscation/ASLR
This approach randomizes the layout of items in main memory; hence attackers can only guess the address where their injected code resides and the addresses of their target functions. Changes the run-time memory layout specified by the original file format. Increases the complexity of debugging a program.
32
Aspects of Address Obfuscation (1)
The first is the randomization of the base addresses of memory regions. This involves the randomization of the base address of: the stack; the heap; the starting address of dynamically linked libraries; the locations of functions and static data structures contained in the executable. The second aspect includes permuting the order of variables and functions.
33
Aspects of Address Obfuscation (2)
The last is the introduction of random length gaps, such as: padding in stack frames; padding between malloc allocations; padding between variables and static data structures; random length gaps in the code segment, with jumps to get over them.
34
Randomization of executable Code
This method involves the randomization of the code that is executed in a process. This approach encrypts the instructions of a process, and decrypts them when they are about to be executed. Because attackers don't know the key to encrypt their code, their injected code cannot be decrypted correctly. As a result their code cannot be executed. The main assumption of this method is that most attacks that attempt to gain control of a system are code-injection attacks. Needs special hardware to reduce the performance overhead.
35
Botnet [Trend Micro]
36
Definition of a Botnet
A botnet (zombie army or drone army) refers to a pool of compromised computers that are under the command of a single hacker, or a small group of hackers, known as a botmaster.
37
Definition of a Bot
A bot refers to a compromised end-host, or a computer, which is a member of a botnet.
38
The First Bot Generation Malware - PrettyPark
The first bot generation malware, PrettyPark worm, appeared in 1999. A critical difference between PrettyPark and previous worms is that it makes use of IRC as a means to allow a botmaster to remotely control a large pool of compromised hosts. Its revolutionary idea of using IRC as a discrete and extensible method for Command and Control (C&C) was soon adopted by the black hat community.
39
How Fast Could Your Computer Be Compromised?
Based on the observation of an unpatched version of Windows 2000 or Windows XP located within a dial-in network of a German ISP. Normally it takes only a couple of minutes before it is successfully compromised. On average, the expected lifespan of the honeypot is less than ten minutes. After this small amount of time, the honeypot is often successfully exploited by automated malware. The shortest compromise time was only a few seconds: Once we plugged the network cable in, an SDBot compromised the machine via an exploit against TCP port 135 and installed itself on the machine.
40
Typical Size of Botnets
Some botnets consist of only a few hundred bots. In contrast to this, several large botnets with up to hosts were also observed. Botnets with over several hundred thousand hosts have been reported in the past.
41
A Host May Be Infected by Several Botnets Simultaneously
A home computer which got infected by 16 different bots has been found.
42
Taxonomy of Botnets
Attacking behavior; C&C models; rally mechanisms; communication protocols; observable botnet activities; evasion techniques.
43
Attacking Behavior [Paul Bächer et al.]
Distributed Denial-of-Service attacks; spamming; sniffing traffic; keylogging; spreading new malware; installing advertisement addons; Google AdSense abuse; manipulating online polls/games; mass identity theft.
44
Distributed Denial-of-Service Attacks (1)
Often botnets are used for Distributed Denial-of-Service (DDoS) attacks. A DDoS attack is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
45
Distributed Denial-of-Service Attacks (2)
Further research showed that botnets are even used to run commercial DDoS attacks against competing corporations: Operation Cyberslam documents the story of Jay R. Echouafni and Joshua Schichtel alias EMP. Echouafni was indicted on August 25, 2004 on multiple charges of conspiracy and causing damage to protected computers. He worked closely together with EMP who ran a botnet to send bulk mail and also carried out DDoS attacks against the spam blacklist servers. In addition, they took Speedera - a global on-demand computing platform - offline when they ran a paid DDoS attack to take a competitor's website down.
46
Spamming
Some bots offer the possibility to open a SOCKS v4/v5 proxy - a generic proxy protocol for TCP/IP-based networking applications (RFC 1928) - on a compromised machine. Some bots also implement a special function to harvest email addresses. After having enabled the SOCKS proxy, this machine can then be used for nefarious tasks such as spamming. With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk email (spam). Often that spam you are receiving was sent from, or proxied through, an old Windows computer at home. In addition, this can of course also be used to send phishing mails, since phishing is a special case of spam.
47
Sniffing Traffic
Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords. If a machine is compromised more than once and is also a member of more than one botnet, the packet sniffing makes it possible to gather the key information of the other botnet. Thus it is possible to "steal" another botnet.
48
Keylogging
If the compromised machine uses encrypted communication channels (e.g. HTTPS or POP3S), then just sniffing the network packets on the victim's computer is useless since the appropriate key to decrypt the packets is missing. With the help of a keylogger it is very easy for an attacker to retrieve sensitive information. An implemented filtering mechanism (e.g. "I am only interested in key sequences near the keyword 'paypal.com'") further helps in stealing secret data. And if you imagine that this keylogger runs on thousands of compromised machines in parallel you can imagine how quickly PayPal accounts are harvested.
49
Spreading New Malware
In most cases, botnets are used to spread new bots. This is very easy since all bots implement mechanisms to download and execute a file via HTTP or FTP. Spreading an email virus using a botnet is a very nice idea, too. A botnet with 10,000 hosts which acts as the start base for the mail virus allows very fast spreading and thus causes more harm.
50
Installing Advertisement Addons
Botnets can also be used to gain financial advantages. This works by setting up a fake website with some advertisements: The operator of this website negotiates a deal with some hosting companies that pay for clicks on ads. With the help of a botnet, these clicks can be "automated" so that instantly a few thousand bots click on the pop-ups. This process can be further enhanced if the bot hijacks the start-page of a compromised machine so that the "clicks" are executed each time the victim uses the browser.
51
Google AdSense Abuse
A similar abuse is also possible with Google's AdSense program: AdSense offers companies the possibility to display Google advertisements on their own website and earn money this way. The company earns money due to clicks on these ads, for example per clicks in one month. An attacker can abuse this program by leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increments the click counter. This kind of usage for botnets is relatively uncommon, but not a bad idea from an attacker's perspective.
52
Loss Caused by Click Fraud [Catherine Holahan]
On average, consultants estimate that between 14% and 15% of clicks are fraudulent.
53
Google Search Page
54
Google Search Result Page
55
Source HTML File of the Google Search Result Page
56
Ampersands (&'s) in URLs [Liam Quinn]
Always use &amp; in place of & when writing URLs in HTML. E.g.: <a href="foo.cgi?chapter=1&amp;section=2&amp;copy=3&amp;lang=en">...</a>
57
Click Fraud (1) - Use the Browser’s URL Field
58
Click Fraud (2) – Connect to the Google Server Directly
Attackers could launch the same attacks by opening an HTTP connection to a Google server and sending the URL in the previous slide to that server directly.
59
Click Fraud (3) - Use Fake Page (1)
60
Click Fraud (3) - Use Fake Page (2) [Mr. 東]
61
Click Fraud (3) - Use Fake Page (3)
62
Manipulating online Polls/Games
Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way. Currently we are aware of bots being used that way, and there is a chance that this will get more important in the future.
63
Mass Identity Theft
Often the combination of different functionality described above can be used for large scale identity theft, one of the fastest growing crimes on the Internet. Bogus emails ("phishing mails") that pretend to be legitimate (such as fake PayPal or banking emails) ask their intended victims to go online and submit their private information. These fake emails are generated and sent by bots via their spamming mechanism. These same bots can also host multiple fake websites pretending to be eBay, PayPal, or a bank, and harvest personal information. Just as quickly as one of these fake sites is shut down, another one can pop up. In addition, keylogging and sniffing of traffic can also be used for identity theft.