Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp.

Published byJeffry Fletcher Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp."— Presentation transcript:

1

2 Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp

3 Implementation Many security threats result not from incorrect service specifications but from poor service implementation Unintentional programming flaws include:  Weak password implementation  Buffer overflow (very common)  Unintended permission of operations  Incomplete mediation  Race conditions

4 Weak password implementations (e.g. not enforcing case-sensitivity) Brute force attacks on Unix/Linux /etc/passwd: John/LC4/LC5 On Windows, backwards compatibility to versions where weak password implementations existed weakens newer versions  http://geodsoft.com/howto/password/nt_password_hashes.htm http://geodsoft.com/howto/password/nt_password_hashes.htm  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ DepKit/b4001049-4dec-4f5b-a249-0f4dfd22c732.mspx http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ DepKit/b4001049-4dec-4f5b-a249-0f4dfd22c732.mspx  http://support.microsoft.com/default.aspx?scid=kb;EN-US;q299656 http://support.microsoft.com/default.aspx?scid=kb;EN-US;q299656  http://support.microsoft.com/default.aspx?scid=kb;EN-US;239869 http://support.microsoft.com/default.aspx?scid=kb;EN-US;239869

5 Weak password implementation (contd): WS_FTP Use copy of WS_FTP.ini file that stores passwords Simple changes to the file will display passwords Obtain a list of users and passwords

6 Buffer Overflow: Typical Attack Scenario Users enter data into a Web form Web form is sent to server Server writes data to buffer, without checking length of input data Data overflows from buffer Sometimes, overflow can enable an attack Web form attack could be carried out by anyone with an Internet connection Many other examples  E.g., exploit implementation bugs in SSH/SSL (take a look); again, backwards compatibility can imply that known exploit with SSH v.1 carried over to SSH v.2take a look

7 Buffer Overflow Q: What happens when this is executed? A: Depends on what resides in memory at location “buffer[20]”  Might overwrite user data or code  Might overwrite system data or code int main(){ int buffer[10]; buffer[20] = 37;}

8 Simple Buffer Overflow Consider boolean flag for authentication Buffer overflow could overwrite flag allowing anyone to authenticate! buffer FT FOURSC… Boolean flag In some cases, attacker need not be so lucky as to have overflow overwrite flag

9 Memory Organization Text segment has code Data segment has static variables Heap segment has dynamic data Stack segment has  Dynamic local variables  Parameters to functions  Return address stack heap  data text  high address  low address  SP

10 Simplified Stack Example high  void func(int a, int b){ char buffer[10]; } void main(){ func(1, 2); } :::: buffer ret a b  return address low   SP

11 Smashing the Stack high  What happens if buffer overflows? :::: buffer a b  ret… low   SP retoverflow Program “returns” to wrong location NOT! ??? A crash is likely overflow

12 Smashing the Stack high  With code injection, attacker can run any code on affected system :::: mal. code a b low   SP ret

13 Smashing the Stack Attacker may not know  Address of malicious code  Location of ret on stack Solutions  Precede malicious code with NOP “landing pad”  Insert lots of new ret mal. code :::: :::: ret : NOP : ret  ret

14 Stack Smashing Summary A buffer overflow must exist in the code Not all buffer overflows are exploitable  Things must line up correctly If exploitable, attacker can inject code Trial and error likely required  Lots of help available online  Smashing the Stack for Fun and Profit, Aleph One Smashing the Stack for Fun and Profit Also possible to overflow the heap Stack smashing is popular

15 Stack Smashing Example Program asks for a serial number that attacker does not know Attacker also does not have source code Attacker does have the executable (exe) Program quits on incorrect serial number

16 Example By trial and error, attacker discovers an apparent buffer overflow Note that 0x41 is “A” Looks like ret overwritten by 2 bytes!

17 Example Next, disassemble bo.exe to find The goal is to exploit buffer overflow to jump to address 0x401034

18 Example Find that 0x401034 is “ @^P4 ” in ASCII Byte order is reversed? Why? X86 processors are “little-endian”

19 Example Reverse the byte order to “ 4^P@ ” and… Success! We’ve bypassed serial number check by exploiting a buffer overflow Overwrote the return address on the stack

20 Example Attacker did not require access to the source code Only tool used was a disassembler to determine address to jump to  Can find address by trial and error  Necessary if attacker does not have exe  For example, a remote attack

21 Example Source code of the buffer overflow Flaw easily found by attacker Even without the source code!

22 Stack Smashing Prevention 1st choice: employ non-executable stack  “No execute” NX bit (if available)  Seems like the logical thing to do, but some real code executes on the stack! (Java does this) 2nd choice: use safe languages (Java, C#) 3rd choice: use safer C functions  For unsafe functions, there are safer versions  For example, strncpy instead of strcpy

23 Stack Smashing Prevention Canary  Run-time stack check  Push canary onto stack  Canary value:  Constant 0x000aff0d  Or value depends on ret  high  :::: buffer a b low  overflowret canaryoverflow

24 Microsoft added buffer security check feature to C++ with /GS compiler flag Uses canary (or “security cookie”) Q: What to do when canary dies? A: Check for user-supplied handler Handler may be subject to attack  Claimed that attacker can specify handler code  If so, formerly safe buffer overflows become exploitable when /GS is used! Microsoft’s Canary

25 Incomplete mediation: WEB Applications

26 WEB Applications (continued)

27 Incomplete Mediation: Input Validation Consider: strcpy(buffer, argv[1]) A buffer overflow occurs if len(buffer) < len(argv[1]) Software must validate the input by checking the length of argv[1] Failure to do so is an example of a more general problem: incomplete mediation

28 Input Validation Consider web form data Suppose input is validated on client For example, the following is valid http://www.things.com/orders/final&custID=112&num=55A& qty=20&price=10&shipping=5&total=205 Suppose input is not checked on server  Why bother since input checked on client?  Then attacker could send http message http://www.things.com/orders/final&custID=112&num=55A& qty=20&price=10&shipping=5&total=25

29 WEB Applications

30 Incomplete Mediation Linux kernel  Research has revealed many buffer overflows  Many of these are due to incomplete mediation Linux kernel is “good” software since  Open-source  Kernel  written by coding gurus Tools exist to help find such problems  But incomplete mediation errors can be subtle  And tools useful to attackers too!

31 Bypass security/copyright SHIFT MS Word SQL Injections Cross Site Scripting CTRL-ALT-DEL Anonymous PSEXEC View Source Google  Able to view protected files

32 Race Condition Security processes should occur “all at once” Race conditions can arise when security-critical process occurs in stages Attacker can make change between stages  Often, between stage that gives authorization, but before stage that transfers ownership Example: Unix mkdir

33 mkdir Race Condition mkdir creates new directory, as follows: calls mknod, to create the directory, then chown, to change ownership of the new directory from root to the real UID 1. Allocate space mkdir 2. Transfer ownership

34 A mkdir attack Attacker’s timing is critical: Between the two system calls one can delete the new directory and make a hard link to any file. chown then changes the ownership of that file 1. Allocate space mkdir 3. Transfer ownership 2. Create link to password file A mkdir race condition

Download ppt "Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp."

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Chapter 6 Weaknesses Exploited

Chapter 6 Weaknesses Exploited
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Buffer Overflow By: John Quach and Napoleon N. Valdez.

Buffer Overflow By: John Quach and Napoleon N. Valdez.
Software and Security Buffer Overflow 1.

Software and Security Buffer Overflow 1.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Application and OS Attacks 1 Application and OS Attacks.

Application and OS Attacks 1 Application and OS Attacks.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
2-1 Last time What is our goal in this course? What is security? What is privacy? Who are the adversaries? Assets, vulnerabilities, threats, attacks and.

2-1 Last time What is our goal in this course? What is security? What is privacy? Who are the adversaries? Assets, vulnerabilities, threats, attacks and.
Lecture 12 Overview.

Lecture 12 Overview.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

Similar presentations

Ads by Google