1 Application Security: Electronic Commerce and E-Mail Chapter 9 Copyright 2003 Prentice-Hall.



Figure 9-1: General Application Security Issues

Executing Commands with the Privileges of a Compromised Application
- If an attacker takes over an application, the attacker can execute commands with the privileges of that application
- Many applications run with super user (root) privileges

Figure 9-1: General Application Security Issues

Buffer Overflow Attacks
- From Chapter 6:
  - Vulnerabilities
  - Exploits
  - Fixes: patches, manual work-arounds, or version upgrades
- Buffers are places where data is stored temporarily
- If an attacker sends too much data, a buffer might overflow, overwriting an adjacent section of RAM

Figure 9-1: General Application Security Issues

Buffer Overflow Attacks
- If that section is retrieved, various problems can occur
  - Read as data, read as program instructions, or illegal values that cause a crash
- Stacks are used to hold information temporarily on subprograms
- Stack overflows might allow an attacker to execute any command (Figure 9-2)
- An example: the IIS IPP buffer overflow attack, in which the Host variable is overflowed

Figure 9-2: Stack Entry and Buffer Overflow (diagram; stack entry holds a Return Address above a Data Buffer)
1. Write return address
2. Add data to buffer
3. Direction of data writing (toward the return address)
4. Overwrite return address
5. Start of attack code
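To make the overflow in Figure 9-2 concrete, here is an added example (not code from the textbook, and not the IIS IPP code it mentions) that places the classic unbounded copy beside a bounded one; the 16-byte buffer and the "Host: " request-line parsing are constructed assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer for a request header value (size is an assumption). */
#define HOST_MAX 16

/* Vulnerable pattern: strcpy() copies until the NUL byte regardless of the
 * destination size. A value of HOST_MAX bytes or more overruns host[] and,
 * when host[] lives on the stack, clobbers whatever sits above it, which
 * may include the saved return address (Figure 9-2). Kept only as the
 * "before" form; it is never called with oversized input here. */
void copy_host_unsafe(char *host, const char *value)
{
    strcpy(host, value);                  /* no bound on the copy */
}

/* Hardened form: reject anything that does not fit, NUL terminator included.
 * Returns 0 on success, -1 when the value is too long. */
int copy_host_safe(char host[HOST_MAX], const char *value)
{
    /* Look for the terminator only within HOST_MAX bytes of the input. */
    const char *end = memchr(value, '\0', HOST_MAX);
    if (end == NULL) {
        host[0] = '\0';                   /* leave a valid, empty string */
        return -1;                        /* caller treats this as a bad request */
    }
    memcpy(host, value, (size_t)(end - value) + 1);  /* bytes plus NUL */
    return 0;
}

/* Parse a "Host: <value>" line into a bounded buffer. Returns 0 on success,
 * -1 if the line is malformed or the value would overflow. */
int parse_host_line(const char *line, char host[HOST_MAX])
{
    static const char prefix[] = "Host: ";
    if (strncmp(line, prefix, sizeof prefix - 1) != 0) {
        host[0] = '\0';
        return -1;
    }
    return copy_host_safe(host, line + sizeof prefix - 1);
}

int main(void)
{
    char host[HOST_MAX];
    /* Constructed sample inputs: one that fits, one that would overflow. */
    printf("%d \"%s\"\n", parse_host_line("Host: example.com", host), host);
    printf("%d \"%s\"\n",
           parse_host_line("Host: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", host), host);
    return 0;
}
```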

Figure 9-1: General Application Security Issues

Few Operating Systems But Many Applications
- Application hardening is more total work than operating system hardening

Application Security Actions
- Understand the server's role and threat environment
  - If it runs only one or a few services, it is easy to disallow irrelevant things

Figure 9-1: General Application Security Issues

Application Security Actions
- Basics
  - Physical security
  - Backup
  - Harden the operating system
- Minimize applications
  - Main applications
  - Subsidiary applications
  - Be guided by security baselines

Figure 9-1: General Application Security Issues

Application Security Actions
- Minimize the permissions of applications
  - In UNIX, use chroot to put the application in a directory
  - Attacks will be limited to this directory and its subdirectories
  - However, chroot protection can be broken, especially by root applications, for which it is most critical

Figure 9-1: General Application Security Issues

Application Security Actions
- Add application layer authentication
- Implement cryptographic systems
- Delete optional learning aids
- Install patches
- New chips are being designed that isolate programs from data

