Published by Valentine Daniels, modified over 9 years ago
Slide 1: Application Security: Electronic Commerce and E-Mail (Chapter 9). Copyright 2003 Prentice-Hall

Slide 2: Figure 9-1: General Application Security Issues
Executing Commands with the Privileges of a Compromised Application
- If an attacker takes over an application, the attacker can execute commands with the privileges of that application
- Many applications run with super user (root) privileges

Slide 3: Figure 9-1: General Application Security Issues
Buffer Overflow Attacks
- From Chapter 6: vulnerabilities, exploits, and fixes
  - Fixes are patches, manual work-arounds, or version upgrades
- Buffers are places where data is stored temporarily
- If an attacker sends too much data, a buffer might overflow, overwriting an adjacent section of RAM

Slide 4: Figure 9-1: General Application Security Issues
Buffer Overflow Attacks (continued)
- If that overwritten section is later retrieved, various problems can occur: it may be read as data, read as program instructions, or hold illegal values that cause a crash
- Stacks are used to hold information temporarily on subprograms
- Stack overflows might allow an attacker to execute any command (Figure 9-2)
- An example: the IIS IPP buffer overflow attack, in which the Host variable is overflowed

Slide 5: Figure 9-2: Stack Entry and Buffer Overflow
Figure labels (the diagram itself is not reproduced here): Return Address; Data Buffer
1. Write Return Address
2. Add Data to Buffer
3. Direction of Data Writing
4. Overwrite Return Address
5. Start of Attack Code
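The overflow in slides 3 through 5 comes down to one missing length check. The following C example was written for this page (it is not code from the textbook or from IIS): an unchecked copy of a client-supplied Host value, next to a hardened version that refuses any value that does not fit. The buffer name, its 32-byte size and the sample inputs are assumptions made for the example.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 32   /* assumed fixed-size buffer for the Host value */

/* Vulnerable pattern: copies whatever the client sent with no length check.
 * A Host value of HOST_MAX bytes or more is written past host[] into the
 * adjacent stack memory, which is the Figure 9-2 scenario (steps 2 to 4:
 * data written in one direction until the saved return address is overwritten). */
void parse_host_unchecked(const char *client_host)
{
    char host[HOST_MAX];
    strcpy(host, client_host);          /* no bound: overflows when strlen() >= HOST_MAX */
    printf("host=%s\n", host);
}

/* Hardened form: the buffer size is enforced before any byte is copied.
 * Returns 0 and fills out[] on success; returns -1 and leaves out[] empty
 * when the input would not fit, so an oversized value is rejected instead
 * of being written past the end of the buffer. */
int parse_host_checked(const char *client_host, char *out, size_t out_len)
{
    size_t n = strlen(client_host);
    if (out_len == 0)
        return -1;
    if (n >= out_len) {                 /* must leave room for the terminating NUL */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, client_host, n + 1);    /* n + 1 copies the terminator as well */
    return 0;
}

int main(void)
{
    char host[HOST_MAX];
    /* Constructed inputs: an ordinary header value and one that is far too long. */
    const char *normal = "www.example.com";
    char oversized[200];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    assert(parse_host_checked(normal, host, sizeof host) == 0);     /* accepted */
    assert(parse_host_checked(oversized, host, sizeof host) == -1); /* rejected */
    printf("checked copy: accepted \"%s\", rejected %zu-byte value\n", host, strlen(oversized));
    return 0;
}
```

The unchecked function is never called with oversized input here; it is shown only so the two forms can be compared line by line.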
Slide 6: Figure 9-1: General Application Security Issues
Few Operating Systems But Many Applications
- Application hardening is more total work than operating system hardening
Application Security Actions
- Understand the server's role and threat environment
- If it runs only one or a few services, it is easy to disallow irrelevant things

Slide 7: Figure 9-1: General Application Security Issues
Application Security Actions
- Basics: physical security, backup, harden the operating system
- Minimize applications
  - Main applications
  - Subsidiary applications
- Be guided by security baselines

Slide 8: Figure 9-1: General Application Security Issues
Application Security Actions
- Minimize the permissions of applications
- In UNIX, use chroot to put the application in a directory
  - Attacks will be limited to this directory and its subdirectories
  - However, chroot protection can be broken, especially by root applications, for which it is most critical

Slide 9: Figure 9-1: General Application Security Issues
Application Security Actions
- Add application layer authentication
- Implement cryptographic systems
- Delete optional learning aids
- Install patches
- New chips are being designed that isolate programs from data