Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string.

Published byMelanie Andrews Modified over 9 years ago

Similar presentations

Presentation on theme: "Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string."— Presentation transcript:

1 Sairajiv Burugapalli

2 This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string bugs INTRODUCTION

3 A buffer overflow is the result of stuffing more data into a buffer than it can handle. There are three types of buffer overflows Stack Overflows Heap Overflows “Off-by-One” Overflows BUFFER OVERFLOW VULNERABILITIES

4 bool CheckLogin(char* username, char* password) { char _username[32]; strcpy(_username username);... If the username string contains more than 32 characters, the _username buffer is overflowed, and the attacker overwrites the data in adjacent memory. STACK OVERFLOWS

5 bool CheckLogin(char* username, char* password) { char* _username = (char*) malloc(32); strcpy(_username, username);... The heap is implemented as a doubly linked list, each block is preceded in memory by a control structure that contains the size of the block, a pointer to the previous block on the heap, and a pointer to the next block on the heap. When a heap buffer is overflowed, the control structure of an adjacent heap block is overwritten with user-controllable data. HEAP OVERFLOWS

6 A specific kind of overflow vulnerability arises when a programming error enables an attacker to write a single byte beyond the end of an allocated buffer bool CheckLogin(char* username, char* password) { char _username[32]; int i; for (i = 0; username[i] && i < 32; i++) _username[i] = username[i]; _username[i] = 0;... “OFF-BY-ONE” VULNERABILITIES

7 The basic methodology for detecting buffer overflow vulnerabilities is to send long strings of data to an identified target and monitor for anomalous results. send an overlong string of a specific length, or within a small range of lengths. send a string that is longer than the application is expecting. DETECTING BUFFER OVERFLOW VULNERABILITIES

8 Integer-related vulnerabilities arise due to the problem of failing to handle integers. Two types of integer bugs are worthy of note: Integer overflows Signedness errors INTEGER VULNERABILITIES

9 Consider the following “fix” to the heap overflow described previously bool CheckLogin(char* username, char* password) { unsigned short len = strlen(username) + 1; char* _username = (char*) malloc(len); strcpy(_username, username);... A short-sized integer contains 16 bits, which is enough for its value to range between 0 and 65,535. When a string of length 65,535 is submitted, the program adds 1 to this, and the value wraps to become 0. A zero-length buffer is allocated, and the long username is copied into it, causing a heap overflow INTEGER OVERFLOWS

10 These errors occur when an application uses both signed and unsigned integers to measure the lengths of buffers and confuses them at some point. The problem might be the application makes a direct comparison between a signed and unsigned value, or it passes a signed value as a parameter to a function that takes an unsigned value. SIGNEDNESS ERRORS

11 Naturally, the primary locations to probe for integer vulnerabilities are any instances where an integer value is submitted from the client to the server. The most likely targets for testing are fields that appear to represent the length of a string that is being submitted DETECTING INTEGER VULNERABILITIES

12 Format string vulnerabilities arise when user-controllable input is passed as the format string parameter to a function that takes format specifiers that may be misused FORMAT STRING VULNERABILITIES

13 int count = 43; int written = 0; printf(“The value of count is %d%n.\n”, count, &written.); printf(“%d bytes were printed.\n”, written); outputs the following: The value of count is 43. 24 bytes were printed. The most dangerous format specifier is %n. This does not cause any data to be printed. Rather, it causes the number of bytes output so far to be written to the address of the pointer passed in as the associated variable parameter. FORMAT STRING VULNERABILITIES..

14 The most reliable way to detect format string bugs in a remote application is to submit data containing various format specifiers and monitor for any anomalies in the application’s behavior. DETECTING FORMAT STRING VULNERABILITIES

15 Software vulnerabilities in native code represent a relatively nice area in relation to attacks on web applications. Most applications run in a managed execution environment in which the classic software flaws described in this chapter do not arise. However, occasionally these kinds of vulnerabilities are highly relevant and have been found to affect many web applications running on hardware devices and other unmanaged environments. A large proportion of such vulnerabilities can be detected by submitting a specific set of test cases to the server and monitoring its behavior. SUMMARY

16 Time for Questions QUERIES

Download ppt "Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Page Replacement Algorithms

Page Replacement Algorithms
IT 325 OPERATING SYSTEM C programming language. Why use C instead of Java Intermediate-level language:  Low-level features like bit operations  High-level.

IT 325 OPERATING SYSTEM C programming language. Why use C instead of Java Intermediate-level language:  Low-level features like bit operations  High-level.
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Module R2 Overview. Process queues As processes enter the system and transition from state to state, they are stored queues. There may be many different.

Module R2 Overview. Process queues As processes enter the system and transition from state to state, they are stored queues. There may be many different.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.

Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
CIS 101: Computer Programming and Problem Solving Lecture10 Usman Roshan Department of Computer Science NJIT.

CIS 101: Computer Programming and Problem Solving Lecture10 Usman Roshan Department of Computer Science NJIT.
Pointers and Memory Allocation – part 2 -L. Grewe.

Pointers and Memory Allocation – part 2 -L. Grewe.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.

Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Review of C++ Programming Part II Sheng-Fang Huang.

Review of C++ Programming Part II Sheng-Fang Huang.
Software bugs (and security implications). Software security Code can have perfect design and algorithm, but still have implementation vulnerabilities.

Software bugs (and security implications). Software security Code can have perfect design and algorithm, but still have implementation vulnerabilities.
Overview Working directly with memory locations is beneficial. In C, pointers allow you to: change values passed as arguments to functions work directly.

Overview Working directly with memory locations is beneficial. In C, pointers allow you to: change values passed as arguments to functions work directly.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

Similar presentations

Ads by Google