Presentation is loading. Please wait.

Presentation is loading. Please wait.

G53SEC 1 Software Security Overflows, overruns and (some) confusions.

Published byJulian Carter Modified over 9 years ago

Similar presentations

Presentation on theme: "G53SEC 1 Software Security Overflows, overruns and (some) confusions."— Presentation transcript:

1 G53SEC 1 Software Security Overflows, overruns and (some) confusions

2 G53SEC 2 Today’s Lecture: Malware Taxonomy Characters and Numbers Canonical Representations Memory Management Race Conditions Defences

3 G53SEC 3 Introduction: Bad software is everywhere: NASA mars Lander ($165 million) – Conversion of units Ariane-5 rocket ($500 million) – Integer overflowAriane-5 National Cancer Institute (8 patients die) – Drug Dosage Miscalculation Search for “software horror stories” or “worst software bugs” in Google

4 G53SEC 4 Why is that?: Complexity: SystemLines of Code: Netscape – 17,000,000 Windows – 40,000,000 Space Shuttle – 10,000,000 Boeing 777 – 7,000,000 Estimated 5 bugs/1000 loc

5 G53SEC 5

6 6

7 7

8 8 Malware Taxonomy: Malware Software that has malicious purpose Types of malware:Viruses Worms Trojan Horse Backdoors Mobile Code Adware

9 G53SEC 9 Malware Taxonomy: Viruses - self-replicating program with malicious intent - attaches themselves to executables - usually must be executed to propagate First virus developed in 1982, called Elk Cloner for Apple DOS. First PC Virus called (c)Brain in 1986

10 G53SEC 10 Malware Taxonomy: Worms - malicious programs that use the internet to spread - also self-replicates - does not need human intervention to duplicate - can spread uncontrollably in a very brief period of time - usually uses a software exploit or via e-mail Examples: Morris Worm, CodeRed, SQL Slammer

11 G53SEC 11 Malware Taxonomy: Trojan Horses - seemingly innocent application that contains malicious code - usually useful programs that have unnoticeable but harmful side effects Example: pretending a file is innocent, possible due to Windows hiding extensions.

12 G53SEC 12 Malware Taxonomy: Backdoors - Malware that creates covert access for attacker - Used for connecting, spying, collecting data etc… - Can be embedded in normal programs - Sometimes planted by rogue software developers Example: Windows encryption software, BT HomeHub

13 G53SEC 13 Malware Taxonomy: Mobile Code - A class of benign programs that are mobile, executed on a large number of systems, not explicitly installed by end-user - Usually for purpose of interactive content e.g. ActiveX, Java applets - Can be misused by rogue developers - Exploit user’s inability to distinguish between good and rogue sites

14 G53SEC 14 Malware Taxonomy: Adware - Program forcing unsolicited advertising on end users - Very popular - Usually bundled with free software, funded by the advertising - Gathers statistics about internet usage - Information used to display targeted information

15 G53SEC 15 Malware Taxonomy: Sticky Software - Software implementing methods that prevent its deletion (e.g. no uninstall program) Future of Malware: - Bios, Firmware, Sub-OS, etc… - Polymorphic and Metamorphic Viruses

16 G53SEC 16 Characters and Numbers: Many software flaws due to broken abstractions Characters: - Different ways of representing characters exist - If input validation does not exist or not complete - > trouble! Example: MS IIS vulnerability {IPaddress}/scripts/..%c0%af../winnt/system32/ %c0%af in UTF-8 encoding = / thus -> C:\winnt\system32\

17 G53SEC 17 Characters and Numbers: Integer overflows: - when arithmetic operation attempts to create an integer larger than can be represented in available memory e.g. Ariane-5: - 64 bit floating point number converted to 16-bit signed integer - Number larger than 32,767 thus conversion failed - Rocket exploded

18 G53SEC 18 Characters and Numbers: Array overflows: - Computing array indices uses integer arithmetic - If no check exists, memory outside of allocated space gets accessed. - upper and lower bounds of arrays should be checked - some languages deal with this issue better than others (e.g. C vs. Java)

19 G53SEC 19 Canonical Representations: - Alternative names for various parts of systems e.g. DNS, relative file paths - Translation of names to their correct representations can be done in more than one way - If not kept in mind, problems can arise e.g. case sensitivity of files pwd vs. Pwd Lesson – never trust your inputs

20 G53SEC 20 Memory Management: - In C and C++ programmer performs memory management - Flexible, fast but dangerous - Buffer Overruns - Stack Overruns - Heap Overruns - Type Confusion

21 G53SEC 21 Memory Management: Buffer overrun: - When program is executed, memory sections (buffers) are allocated to variables - If such value exceeds size of buffer, an overflow occurs - adjacent memory locations are overwritten

22 G53SEC 22 Memory Management: Stack overrun: Suppose Web server contains this function void func(char *str) { char buf[126]; strcpy(buf,str); } When this function is invoked, a new frame with local variables is pushed onto the stack Stack grows this way bufsfp ret addr str Local variables Frame of the calling function Arguments Pointer to previous frame Allocate local buffer (126 bytes reserved on stack)‏ Copy argument into local buffer

23 G53SEC 23 Memory Management: In case str is overstuffed Memory pointed to by str is copied onto stack… void func(char *str) { char buf[126]; strcpy(buf,str); } If a string longer than 126 bytes is copied into buffer, it will overwrite adjacent stack locations strcpy does NOT check whether the string at *str contains fewer than 126 characters buf str This will be interpreted as return address! overflow Top of stack Frame of the calling function

24 G53SEC 24 Memory Management: Heap overrun: - Occurs on the heap - Heap – memory area dynamically allocated by application - contains for example pointers to (temporary) files and functions - attacker redirects pointer from tmp file to target file using a buffer overrun, e.g. to a password file and overwrites it with his own data

25 G53SEC 25 Memory Management: Type Confusion: - manipulation of pointer structure so that two pointers, one with a wrong class tag, point to the same objects - thus object can be manipulated by parties that have access to the ‘wrong’ type. - Java and.NET attempt to prevent this

26 G53SEC 26 Race Conditions: - Occurs when multiple computations access shared data in a way that their results depend on the sequence of access. - Known in security literature as TOCTTOU - Traditional issues of concurrency

27 G53SEC 27 Defences: - Hardware – specialised hardware - Type Safety – type safe languages - Safer Functions – using safer coding practices - Code Inspection – Fuzzing, Valgrind, etc… - Testing - Least Privilege Prevention Detection Mitigation

28 G53SEC 28 Summary: Malware Taxonomy Overflows Defences

Download ppt "G53SEC 1 Software Security Overflows, overruns and (some) confusions."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
CSE331: Introduction to Networks and Security Lecture 30 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 30 Fall 2002.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
SCSC 555 Computer Security Chapter 10 Malicious software Part B.

SCSC 555 Computer Security Chapter 10 Malicious software Part B.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.

Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.
Software and Security Buffer Overflow 1.

Software and Security Buffer Overflow 1.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
1 Protection and Security Protection = mechanisms used to control access to valued resources: e.g., programs & data stored on computer system. Usually.

1 Protection and Security Protection = mechanisms used to control access to valued resources: e.g., programs & data stored on computer system. Usually.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Java Security Updated May 2007. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Similar presentations

Ads by Google