H Hailstorm, see Fault Injection Heap 12, 151 HP 225, 625


A
ACT, see Application Compatibility Toolkit
ADD 38, 349
Address Space Layout Randomization, see PaX
Alan DeKok 535
Annotations 255, 550
Application Compatibility Toolkit 283
Application Verifier 283
AppVerifier, see Application Verifier
Argus 625
argv 41, 80, 478
ASCII table 35
ASCIIZ 397
ASLR, see Address Space Layout Randomization
Assembler code 26, 45, 63, 66, 297, 307, 351, 627
AT&T Labs Research 624

B
Back Pointer, see Chunk
Base pointer register 23
bash 82
Base register (Basisregister) 20
bcopy(3) 214
User code (Benutzer-Code) 614
Big-endian byte ordering 44
Bin 160
Bin structure (Bin-Struktur) 161
Binary file (Binärdatei) 9
Binary Audit 286, 560
Binary, see Binary file (Binärdatei)
binfmt_elf.c 11
bk, see Back Pointer
Block Started by Symbol, see BSS
Boundary Tags 157
Bounds Checking 304, 613, 623
Breakpoint 15
Brute Force 144
BSS 12, 129
Bugtraq 463
Byte 4
Byte Ordering 44

C
CALL 22, 32, 57, 63, 298
calloc(3) 156
Canary 306
cat(1) 503
Cenzic, see Hailstorm
Chunk 156
  allocated (allokiert) 158
  Back Pointer 159
  chunk 158
  Forward Pointer 159
  IS_MMAPPED 159
  mem 158
  nextchunk 158
  PREV_INUSE 159
  prev_size 159
  size 159
  unused (unbenutzt) 159
Cisco 625
Closed-source software 190
Code Red 2, 187
Coredump 49, 52, 575
CQUAL 553
Cross Site Scripting 1
Cyclone 624

D
Datarescue, see Interactive Disassembler Pro
Data segment 11
File formats (Dateiformate) 9
Dave Aitel 292
David A. Wheeler 246, 538
David Evans 254
DDoS, see Distributed Denial of Service
Debian 3
Debugging Toolkit 284
Denial of Service 49, 187
Direct Parameter Access 483, 504
Disassembler 297
Distributed Denial of Service 187
DoS, see Denial of Service
Doubleword 4
Doug Lea 156
DTORS 524
dword 4
Dynamic analysis (Dynamische Analyse) 241, 271

E
EBP, see Base pointer register
EIP, see Instruction Pointer
Electric Fence, see Tracer
ELF, see Executable and Linking Format
EMACS 553
Infinite loop (Endlosschleife) 591, 619
Epilogue (Epilog) 39
err() 464
ESP 23
ESP, see Stack pointer register
ET_DYN 617
ET_EXEC 414
EUID 82
Exception 618, 622
Exec Shield 461
Executable and Linking Format 9, 414
execve(3) 638
exec(3) 60, 638
exit(3) 603
Exploit 1, 8, 463

F
False Negatives 245, 534
False Positives 243, 245, 534
Fault Injection 287, 560
  BFBTester 293
  Fuzz 292
  Hailstorm 295
  Sharefuzz 292
fd, see Forward Pointer
fgetc(3) 233
fgets(3) 195, 266
Flat Memory Model 22
flawfinder 246, 538, 644
-fomit-frame-pointer 393
Format directives (Formatanweisungen) 465
Format functions (Format-Funktionen) 463
  user-defined (benutzerdefiniert) 528, 541
FormatGuard 565
Format string 465
Forward Pointer, see Chunk
fosbi 518, 579, 630
fprintf(3) 527
Frame Pointer 25, 40
Frame Pointer Overwrite 94, 96
fread(3) 214
FreeBSD 3, 18, 193
free(3) 12, 156, 272
frontlink() 184
function_epilog() 306
function_prolog() 306
fundamental data types 4
Functions (Funktionen) 23, 25
Function call (Funktionsaufruf) 27
Function epilogue (Funktionsepilog) 27
Function prologue (Funktionsprolog) 27
Fuzz, see Fault Injection

G
gcc(1) 3
General Purpose Register 21
  EAX 21
  EBP 21
  EBX 21
  ECX 21
  EDI 21
  EDX 21
  ESI 21
  ESP 21
Generations of buffer overflow vulnerabilities 8
getchar(3) 228, 267
getc(3) 233
getenv(3) 233, 266
GetESP 66, 72, 143
gethostname(3) 214
gets(3) 136, 192, 262
GID 82
Glibc, see GNU C Library
Global Offset Table 174, 415, 514, 524, 573
Global variables (Globale Variablen) 11
GNU C Compiler 3, 5, 15, 26, 253, 305, 393, 554
GNU C Library 156, 450, 566, 606
GNU C PreProcessor 566
GNU Debugger 5, 15, 297
GOT, see Global Offset Table
GPR, see General Purpose Register
Graph 302
grep(1) 239, 243, 245, 531

H
Hailstorm, see Fault Injection
Heap 12, 151
HP 225, 625
HP Virtual Vault 625
HP-PA 297
HP-UX 220

I
IA-32 8, 22, 131, 154, 297
IA-64 4, 297
IDA Pro, see Interactive Disassembler Pro
IDS Evasion 413
Immunix 306, 566
info symbol 16
Injection Vector 61
  Overflow buffer (Überlaufpuffer) 65
  Environment variable (Umgebungsvariable) 88, 512
Inline Assembler 66
Instruction Pointer, see Register
Insure
Integer Overflows 1
Intel 3, 22
Interactive Disassembler Pro, see Reverse Engineering
Internet Security Scanner 188
interp.o object file 596
Intrusion prevention systems (Intrusion-Prevention-Systeme) 625
IPS, see Intrusion prevention systems
IRIX 10
ITS4 243

J
Java Native Interface 614
Java Virtual Machine 613
javac 615
javah 616
JMP 22, 63
JNIEXPORT 616
JNI, see Java Native Interface
JVM, see Java Virtual Machine

K
Kernel 11, 625
kgcc(1) 3
klogd(1) 412
knox 461

L
last-in first-out, see LIFO principle
Runtime module (Laufzeitmodul) 2, 623
LCLint 254
ldd(1) 450
LD_LIBRARY_PATH 617
LD_PRELOAD 387, 562
Least Significant Byte 5, 78, 95
LEAVE 37, 99, 118
Lexical analysis (Lexikalische Analyse) 242, 531
Libformat 561
Libsafe 387
LIDS 626
LIFO principle (LIFO-Prinzip) 19
Link Editor 414
lint 254
Linux 3, 10
Lisp 624
Little-endian byte ordering 4, 44
Local variables (Lokale Variablen) 11
longjmp(3) 148
LSB, see Least Significant Byte
ltrace(1) 178, 297, 427, 590

M
malloc(3) 12, 156, 254, 272
Managed Code 623
Manipulation of function pointers 94
ManPages 12
Mass Rooter 2
memccpy(3) 214
memcpy(3) 214
memmove(3) 214
Memory Management Unit 10
memset(3) 143
Michal Zalewski 297
Mike Heffner 293
MIPS 4
mmap(3) 18, 412, 487
MMU, see Memory Management Unit
Modula
MOV 30

N
Native Code 619
Native C code (Nativer C-Code) 614
Nessus 188
netcat(1) 599
Netscape Browser 183
Newline character 229
No Operation, see NOP
Non-executable Stack 396, 571
No-NOP technique 88, 638
NOP 67
NOP Sliding 68
NSA Linux 626
NUL Canary 311
Null byte 64
Numega, see SoftIce

O
objdump(1) 177, 515, 574, 583
Off-by-One 95
Offset 24
One-Shot Write method 492, 505, 635
Opcode 67
OpenBSD 120, 221
Openwall 398, 571

P
padzero() 11
PaP, see Penetrate-and-Patch techniques
PA-RISC 4
Patch 187
PaX 431, 487, 592
  Address Space Layout Randomization 442
  chpax 434
  ET_DYN 455
  ET_EXEC 455
  PAGEEXEC 432
  RANDKSTACK 443
  RANDMMAP 452
  RANDUSTACK 443
  SEGMEXEC 432
Payload 61
Penetrate-and-Patch techniques 188
Penetration Test 188
Per-Byte Write method 511, 630
Perl 623
Perl one-liner (Perl-Einzeiler) 42, 291
perlsec(1) 550
PE, see Portable Executable
PHP 623
Pitbull LX 625
PLT, see Procedure Linkage Table
POP 19, 24, 64
Portable Executable 9
PowerPC 4
PPC 297
Principle of Least Privilege 624
printf(3) 463, 526, 621
printf(3) family 464
Privilege Escalation 1
proc filesystem 18, 640
Procedure Linkage Table 414, 586
ProFTPD 463
Program-Analysis-Mode 553
Program, see Binary file (Binärdatei)
Prologue (Prolog) 39
Proof-of-Concept 8
Process (Prozess) 10
Processor architecture (Prozessorarchitektur) 3
  IA-32 3
  IA-64 4
  MIPS 4
  PA-RISC 4
  PowerPC 4
  SPARC 44
  x86 3
Process memory layout (Prozessspeicher-Layout) 14
PScan 535
  find_format.sh 544
ptmalloc 156
Purify, see Tracer
PUSH 19, 24
Python 623

Q
Source code inspection (Quellcode-Inspektion) 239

R
Race Condition 1, 137, 249
Random Canary 312
RATS 249, 539
readelf(1) 458
readelf(3) 597
read(3) 233
read(3) family 214
realloc(3) 156
Red Hat 3, 15, 147
Register 20
  EFLAGS register 22
  Instruction Pointer 22
  Segment register 22
Register set (Registersatz) 20
Register storage (Registerspeicher) 20
RET 22, 38, 100, 117
Return Instruction Pointer 32
Return-into-lib(c) 94, 405, 447, 580, 598
Return-into-PLT 94, 414, 446, 580, 586
Reverse Engineering 295, 560
  Interactive Disassembler Pro 297
  Legality (Legalität) 303
RIP, see Return Instruction Pointer
Root shell 85
Routines (Routinen) 23
RSBAC 626
Return address (Rücksprungadresse) 23, 40
Runtime addressspace Extender 461

S
SAE, see Secure Application Environment
Sandbox systems 625
Sapphire 2
Saved Frame Pointer 28
Scalable Processor ARChitecture, see SPARC
scanf(3) 225, 227, 266
SCO OpenServer 220
Secure Application Environment 625
Secure Software Solutions 249
Security Cookie 347
Security Scanner 188
segment selectors 22
Segmentation Fault 47, 48, 76, 575
segvguard 459
Semantic analysis (Semantische Analyse) 242, 546
setjmp(3) 148
setproctitle() 464
setuid root 81, 642
setuid(0) 85, 629
SFP, see Saved Frame Pointer
Shared object file, see ET_DYN
Shellcode 62, 71, 628
  Linux 628
  {Free,Open,Net}BSD 629
shielddatabase 362
Short Write method 506, 632
SIGSEGV 199, 488
Scripting languages (Skriptsprachen) 623
Slackware 3
Slapper 2
slocate(1) 184
snprintf(3) 223, 248, 265, 478, 527, 536
SoftIce 297
Software vulnerabilities (Software-Schwachstellen) 1, 187
Solaris 10, 220, 625
Source Code Analyzer 241, 531
Source Code Audit 239, 530
Space-Sliding 448
SPARC 44, 297, 396, 414
Memory organization (Speicherorganisation) 9
Memory access error (Speicherzugriffsfehler) 124
Spike 294
Splint 254, 546
  ensures annotation 257
  Extensible Checking 550
  formatconst 547
  requires annotation 256
  taintedness mechanism 550
  +bounds 258
  +bounds-read 258
  +bounds-write 257
  +unixlib 265
sprintf(3) 221, 263
SSP, see Stack Smashing Protection
Stack 13, 467
Stack Frames 20, 23
Stack Shield
  Global Ret Stack technique 351
  Ret Range Check technique 362
  Protection mechanism for function pointers 366
Stack Smashing Protection 387
Stack base (Stack-Basis) 23
StackGhost 387
StackGuard 305
Stack pointer register 23
Stack frame (Stack-Rahmen), see Stack Frames
StackShield 350
Stack top (Stack-Spitze) 23
static 13, 149
Static analysis (Statische Analyse) 241, 531
stdarg(3) 485
stderr 74
stdout 74
StormWatch 625
strace(1) 297
strcat(3) 214, 258
strcpy(3) 41, 197, 257, 420, 639
strlcat() 220
strlcpy() 220
strncat(3) 217, 259
strncmp(3) 581
strncpy(3) 200, 259
strnlen(3) 388
SUB 29
Sun 44, 625
Symlink attack 137
SysInternals 297
syslog(3) 464, 527
system(3) 341, 581, 604

T
taint option 550
Terminator Canary 312
Text segment 10
tf8 463
Theo de Raadt 220
Todd C. Miller 220
TOS, see Trusted Operating System
Tracer 241, 271
  checkergcc 279
  dmalloc 279
  Electric Fence 271
  Fenris 297
  Purify 280
  Valgrind 279
traceroute(1) 184
Trapkit 5
Trusted Operating System 625
Trusted Solaris 625
Tymm Twillman 463
Type Qualifier 531, 553
type-safe 623

U
UID 82
ulimit(1) 333
Environment variable (Umgebungsvariable) 88
Conversion specifications (Umwandlungsspezifikationen) 465
unlink() 166

V
Valgrind, see Tracer
varargs(3) 485
va_arg(3) 464
va_end(3) 464
va_start(3) 464
Verwalteter Code (managed code), see Managed Code
Visual Studio.Net 280, 347
vsnprintf(3) 223
vsprintf(3) 221

W
-Wall option 253
warn() 464
Web application domain (Web-Applikationsbereich) 623
White House 187
Wilderness Chunk 157
WinDbg 284
Windows API 239
Windows XP Professional 280
Wolfram Gloger 156
Word 4
Wrapper 387
Wu-Ftpd 463
Worms (Würmer) 2

X
XCHG 67
XOR 348
XSS, see Cross Site Scripting
x86 8

Z
Pointer manipulation (Zeigermanipulation) 126

Special characters (Sonderzeichen)
%n format directive 491
.NET Framework class libraries 623
.NET Framework core 623
.NET Common Language Runtime 623
/etc/ld.so.preload 387
/etc/passwd 141
/etc/shells 503
_libsafe_die() 389
canary_death_handler() 310
libc_start_main() 602
libsafe_stackvariablep() 388
security_check_cookie 349
security_cookie 348
security_error_handler() 349

Digits (Ziffern)
0x90, see NOP

More information

Software Vulnerabilities
Software Vulnerabilities -- stack overflow Code based security Code based security discusses typical vulnerabilities made by programmers that can be exploited by miscreants Implementing safe software in

Defense in Depth: Protecting Against Zero-Day Attacks
Chris McNab FIRST 16, Budapest 2004 Agenda Exploits through the ages Discussion of stack and heap overflows Common attack behavior Defense in depth

Return-oriented programming without returns
Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy

Off-by-One exploitation tutorial
By Saif El-Sherei www.elsherei.com Introduction: I decided to get a bit more into Linux exploitation, so I thought it would be nice if I document this as a good friend

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security
Software security Buffer overflow attacks SQL injections Lecture 11 EIT060 Computer Security Buffer overflow attacks Buffer overrun is another common term Definition A condition at an interface under which

X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation 2006. IBM System p, AIX 5L & Linux Technical University
X05 An Overview of Source Code Scanning Tools Loulwa Salem Las Vegas, NV Objectives This session will introduce better coding practices and tools available to aid developers in producing more secure code.

Exploiting Format String Vulnerabilities
scut / team teso March 17, 2001 version 1.0 Contents 1 Introduction 2 1.1 Comparison: Buffer Overflows and Format String Vulnerabilities...

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com
For real beneficiary this post you should have few assembly knowledge and you should know about classic

Custom Penetration Testing
Compromising a Vulnerability through Discovery and Custom Exploitation Stephen Sims Advanced Penetration Testing - 2009 SANS 1 Objectives Penetration Testing Precompiled Tools

Stack Overflows. Mitchell Adair
Outline Why? What? There once was a VM Virtual Memory Registers Stack stack1, stack2, stack3 Resources Why? Real problem Real money Real recognition Still prevalent Very

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail
All materials are licensed under a Creative Commons Share Alike license http://creativecommons.org/licenses/by-sa/3.0/ # whoami Ali

Buffer Overflows. Security 2011
Memory Organization Topics Kernel organizes memory in pages Typically 4k bytes Processes operate in a Virtual Memory Space Mapped to real 4k pages Could live in RAM or be

Reverse Engineering and Computer Security
Alexander Sotirov alex@sotirov.net Introduction Security researcher at Determina, working on our LiveShield product Responsible for vulnerability analysis and

Introduction to Information Security
0368-3065, Spring 2015 Lecture 1: Introduction, Control Hijacking (1/2) Eran Tromer Slides credit: Avishai Wool, Tel Aviv University 1 Administration Lecturer: Eran

Assembly Language: Function Calls. Jennifer Rexford
1 Goals of this Lecture Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich
Motivation Applications often vulnerable to security exploits Solution: restrict application

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08
CS 412/413 Spring 2008 Introduction to Compilers 1 Where We Are Source code if (b == 0) a = b; Low-level IR code

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>
What is this about? The goal of this CPU/SWS are: Introduce you to classic vulnerabilities Get you to understand security advisories Make

A Comparison of Buffer Overflow Prevention Implementations and Weaknesses
Written by: Peter Silberman and Richard Johnson 1875 Campus Commons Dr. Suite 210 Reston, VA 20191 Toll Free: 877.516.2974 Main:

Design of a secure system. Example: trusted OS. Bell-La Padula Model. Evaluation: the orange book. Buffer Overflow Attacks
Software Security Holes and Defenses Design a secure system Follows a ring design. Every object has an associated security attribute. Every subject has a security clearance. Least secure Highest security

Working with Buffers
University Hamburg Department of Informatics Scientific Computing Research Group Working with Buffers Seminar Paper Seminar Efficient Programming in C Christoph Brauer 0brauer@informatik.uni-hamburg.de

Syscall Proxying - Simulating remote execution Maximiliano Caceres <maximiliano.caceres@corest.com> Copyright 2002 CORE SECURITY TECHNOLOGIES
Table of Contents Abstract...

Bypassing Memory Protections: The Future of Exploitation
Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript

Secure Software Development and Code Analysis Tools
Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Secure

Software Fingerprinting for Automated Malicious Code Analysis
Philippe Charland Mission Critical Cyber Security Section October 25, 2012 Terms of Release: This document is approved for release to Defence

For a 64-bit system. I - Presentation Of The Shellcode
#How To Create Your Own Shellcode On Arch Linux? #Author : N3td3v!l #Contact-mail : 4nonymouse@usa.com #Website : Nopotm.ir #Spcial tnx to : C0nn3ct0r And All Honest Hackerz and Security Managers I - Presentation

MSc Computer Science Dissertation
University of Oxford Computing Laboratory MSc Computer Science Dissertation Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities Author: Sean Heelan Supervisor: Dr. Daniel

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com
CSCI-UA.0201-003 Computer Systems Organization Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com Some slides adapted (and slightly modified)

Unix Security Technologies: Host Security Tools. Peter Markowsky <peterm[at]ccs.neu.edu>
Syllabus An Answer to last week's assignment Four tools SSP W^X PaX Systrace Last time You were assigned to get a

Return-oriented Programming: Exploitation without Code Injection
Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham University of California, San Diego Bad code versus bad behavior Bad Bad behavior

EECS 354 Network Security. Introduction
Why Learn To Hack Understanding how to break into computer systems allows you to better defend them Learn how to think like an attacker Defense then becomes second-nature

Hotpatching and the Rise of Third-Party Patches
Alexander Sotirov asotirov@determina.com BlackHat USA 2006 Overview In the next one hour, we will cover: Third-party security patches, recent developments

Buffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015
CSCD27 Computer and Network Security Code Security: Buffer Overflows 13 Buffer Overflow CSCD27 Computer and Network Security 1 Buffer Overflows Extremely common bug. First major exploit: 1988 Internet

Static Checking of C Programs for Vulnerabilities. Aaron Brown
Problems 300% increase in reported software vulnerabilities SetUID programs Run with full access to the system Required to gain access to certain

CSCE 465 Computer & Network Security
Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Program Security: Buffer Overflow 1 Buffer Overflow BO Basics Stack smashing Other buffer overflow

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit
The goal: 0day What we are looking for: Handles network side input Runs on a remote system Is complex enough

CS61: Systems Programming and Machine Organization
Fall 2009 Section Notes for Week 2 (September 14th - 18th) Topics to be covered: I. Binary Basics II. Signed Numbers III. Architecture Overview IV.

64-Bit NASM Notes. Invoking 64-Bit NASM
64-Bit NASM Notes The transition from 32- to 64-bit architectures is no joke, as anyone who has wrestled with 32/64 bit incompatibilities will attest We note here some key differences between 32- and 64-bit

Secure Software Programming and Vulnerability Analysis
Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Testing and Source Code Auditing Secure Software Programming 2 Overview

風水. Heap Feng Shui in JavaScript. Alexander Sotirov. asotirov@determina.com
Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program

Testing for Security
Kenneth Ingham September 29, 2009 1 Course overview The threat that security breaches present to your products and ultimately your customer base can be significant. This course is

From SQL Injection to MIPS Overflows
Rooting SOHO Routers Zachary Cutlip Black Hat USA 2012 Acknowledgements Tactical Network Solutions Craig Heffner What I'm going to talk about Novel uses of SQL injection

SECURITY APPLICATIONS OF DYNAMIC BINARY TRANSLATION DINO DAI ZOVI THESIS. Submitted in Partial Fulfillment of the Requirements for the Degree of
SECURITY APPLICATIONS OF DYNAMIC BINARY TRANSLATION by DINO DAI ZOVI THESIS Submitted in Partial Fulfillment of the Requirements for the Degree of Bachelor of Science Computer Science The University of

Introduction. Figure 1 Schema of DarunGrim2
Reversing Microsoft patches to reveal vulnerable code Harsimran Walia Computer Security Enthusiast 2011 Abstract The paper would try to reveal the vulnerable code for a particular disclosed vulnerability,

Practical taint analysis for protecting buggy binaries
So your exploit beats ASLR/DEP? I don't care Erik Bosman Traditional Stack Smashing buf[16] GET / HTTP/1.100baseretnarg1arg2 Traditional

CSE 265: System and Network Administration
MW 1:10-2:00pm Maginnes 105 http://www.cse.lehigh.edu/~brian/course/sysadmin/ Find syllabus, lecture notes, readings, etc. Instructor: Prof. Brian D. Davison

Abysssec Research. 1) Advisory information. 2) Vulnerable version
Abysssec Research 1) Advisory information Title Version Discovery Vendor Impact Contact Twitter CVE : Apple QuickTime FlashPix NumberOfTiles Remote Code Execution Vulnerability : QuickTime player 7.6.5

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code
Introduction Application Security Tom Chothia Computer Security, Lecture 16 Compiled code is really just data which can be edited and inspected. By examining low level code protections can be removed and

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows
Eugene Tsyrklevich has an extensive security background ranging from designing and implementing Host Intrusion Prevention Systems to training people in research, corporate, and military

CSC 405 Introduction to Computer Security
Topic 3. Program Security -- Part II CSC 405 Dr. Peng Ning 1 Targeted Malicious Code General purpose malicious code Affect users and machines indiscriminately

Some people have claimed that open-source
Software Security for Open-Source Systems Debate over whether open-source software development leads to more or less secure software has raged for years. Neither is intrinsically correct: open-source software

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering
Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 39 System Security Welcome

Cataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems
Abstract: Cataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems *P.VADIVELMURUGAN #K.ALAGARSAMY *Research Scholar, Department of Computer Center, Madurai Kamaraj University,

esrever gnireenigne tfosorcim seiranib
Alexander Sotirov asotirov@determina.com CanSecWest / core06 Reverse Engineering Microsoft Binaries Alexander Sotirov asotirov@determina.com CanSecWest / core06 Overview

A Security Assessment of the Minos Architecture
Jedidiah R. Crandall and Frederic T. Chong University of California at Davis Computer Science Department crandall, chong @cs.ucdavis.edu Abstract Minos is

Introduction to Reverse Engineering
Inbar Raz Malware Research Lab Manager December 2011 What is Reverse Engineering? Reverse engineering is the process of discovering the technological principles of a

Safety measures in Linux
Krzysztof Lichota lichota@mimuw.edu.pl Agenda Standard Unix security measures: permissions, capabilities, ACLs, chroot Linux kernel

DTrace: The Reverse Engineer's Unexpected Swiss Army Knife
Tiller Beauchamp David Weston Science Applications International Corporation {Tiller.L.Beauchamp,David.G.Weston}@saic.com Abstract This paper will

G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries
Kaan Onarlioglu Bilkent University, Ankara onarliog@cs.bilkent.edu.tr Davide Balzarotti Eurecom, Sophia Antipolis balzarotti@eurecom.fr

The Plan Today... System Calls and API's Basics of OS design Virtual Machines
System Calls + The Plan Today... System Calls and API's Basics of OS design Virtual Machines System Calls System programs interact with the OS (and ultimately hardware) through system calls. Called when

Exploiting nginx chunked overflow bug, the undisclosed attack vector
Long Le longld@vnsecurity.net About VNSECURITY.NET CLGT CTF team 2 VNSECURITY.NET In this talk Nginx brief introduction Nginx chunked

The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014
Intelligent Things, Vehicles and Factories: Intel Workshop on Cyberphysical and Mobile Security 2014, Darmstadt, June 11 The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation

Attacking Obfuscated Code with IDA Pro. Chris Eagle
Outline Introduction Operation Demos Summary 2 First Order Of Business MOVE UP AND IN! There is plenty of room up front I can't increase the font size

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
James Newsome jnewsome@ece.cmu.edu Carnegie Mellon University Abstract Software vulnerabilities

TitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com
Contents Introduction to TitanEngine 3 Introduction to TitanMist 4 Creating an unpacker for TitanMist 5 References and

The C Programming Language course syllabus associate level
TECHNOLOGIES The C Programming Language course syllabus associate level Course description The course fully covers the basics of programming in the C programming language and demonstrates fundamental programming

Ethical Hacking and Attack Tools
Kenneth Ingham September 29, 2009 1 Course overview Attackers have at their disposal a large collection of tools that aid their exploiting systems. If you plan to defend

INTRODUCTION TO MALWARE & MALWARE ANALYSIS
by Quick Heal R&D lab Security Simplified INTRODUCTION Very often people call everything that corrupts their system a virus without being aware about what it

More information

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING Presented by: Dave Kennedy Eric Smith AGENDA Penetration Testing by the masses Review of current state by most service providers Deficiencies in

More information

A Practical Guide to Vulnerability Checkers

A Practical Guide to Vulnerability Checkers A Practical Guide to Vulnerability Checkers Secologic Project Written by: Martin Johns University of Hamburg / Security in Distributed Systems johns AT informatik.uni-hamburg.de 2006 This work was supported

More information

Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits

Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Department of Computer Science, Stony Brook University, Stony

More information

There s a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research

There s a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research 1 There s a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research That s unavoidable, but the linux kernel developers don t do very much to make the situation

More information

How To Detect A Buffer Overflow Vulnerability In Binary Code

How To Detect A Buffer Overflow Vulnerability In Binary Code Buffer Overflow Vulnerability Detection in the Binary Code Shehab Gamal El-Dien, Reda Salama, Ahmed Eshak shehab@ispofegypt.com, redasalama@hotmail.com, a_issac@sakhr.com Al-Azhar University, Faculty of

More information

DTRACE BACKGROUND. What Is DTrace?

DTRACE BACKGROUND. What Is DTrace? What Is DTrace? DTRACE BACKGROUND *Dtrace was created by Sun Microsystems, Inc. and released under the Common Development and Distribution License (CDDL), a free software license based on the Mozilla Public

More information

How to Sandbox IIS Automatically without 0 False Positive and Negative

How to Sandbox IIS Automatically without 0 False Positive and Negative How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 2/8/06 Blackhat Federal 2006 1 Big

More information

Compilers and Tools for Software Stack Optimisation

Compilers and Tools for Software Stack Optimisation Compilers and Tools for Software Stack Optimisation EJCP 2014 2014/06/20 christophe.guillon@st.com Outline Compilers for a Set-Top-Box Compilers Potential Auto Tuning Tools Dynamic Program instrumentation

More information

Mike Melanson (mike@multimedia.cx)

Mike Melanson (mike@multimedia.cx) Breaking Eggs And Making Omelettes: Intelligence Gathering For Open Source Software Development Mike Melanson (mike@multimedia.cx) Legalnotice: Es können zusätzliche Angaben zur Veröffentlichung angegeben

More information

Surgically returning to randomized lib(c)

Surgically returning to randomized lib(c) Surgically returning to randomized lib(c) Giampaolo Fresi Roglia Lorenzo Martignoni Roberto Paleari Danilo Bruschi Dipartimento di Informatica e Comunicazione Dipartimento di Fisica Università degli Studi

More information

Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection

Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection USENIX Security Symposium 2014, San Diego, CA, USA Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection Lucas Davi Intel Collaborative Research Institute for

More information

Example of Standard API

Example of Standard API 16 Example of Standard API System Call Implementation Typically, a number associated with each system call System call interface maintains a table indexed according to these numbers The system call interface

More information

Attacking x86 Windows Binaries by Jump Oriented Programming

Attacking x86 Windows Binaries by Jump Oriented Programming Attacking x86 Windows Binaries by Jump Oriented Programming L. Erdődi * * Faculty of John von Neumann, Óbuda University, Budapest, Hungary erdodi.laszlo@nik.uni-obuda.hu Abstract Jump oriented programming

More information

Data Structure Reverse Engineering

Data Structure Reverse Engineering Data Structure Reverse Engineering Digging for Data Structures Polymorphic Software with DSLR Scott Hand October 28 th, 2011 Outline 1 Digging for Data Structures Motivations Introduction Laika Details

More information

Monitoring, Tracing, Debugging (Under Construction)

Monitoring, Tracing, Debugging (Under Construction) Monitoring, Tracing, Debugging (Under Construction) I was already tempted to drop this topic from my lecture on operating systems when I found Stephan Siemen's article "Top Speed" in Linux World 10/2003.

More information

telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012

telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012 telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012 Content Part I Info Bug Telnet Exploit Part II Advanced Exploitation Meta Information Disclosed

More information

Penetration Testing with Kali Linux

Penetration Testing with Kali Linux Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or

More information

Linux exploit development part 2 (rev 2) - Real app demo (part 2)

Linux exploit development part 2 (rev 2) - Real app demo (part 2) Linux exploit development part 2 (rev 2) - Real app demo (part 2) This will be a short tutorial demonstrating a "buffer overflow" exploit on a real application which is freely available using the techniques

More information

Server Monitoring. AppDynamics Pro Documentation. Version 4.1.7. Page 1

Server Monitoring. AppDynamics Pro Documentation. Version 4.1.7. Page 1 Server Monitoring AppDynamics Pro Documentation Version 4.1.7 Page 1 Server Monitoring......................................................... 4 Standalone Machine Agent Requirements and Supported Environments............

More information

Dynamic Behavior Analysis Using Binary Instrumentation

Dynamic Behavior Analysis Using Binary Instrumentation Dynamic Behavior Analysis Using Binary Instrumentation Jonathan Salwan jsalwan@quarkslab.com St'Hack Bordeaux France March 27 2015 Keywords: program analysis, DBI, DBA, Pin, concrete execution, symbolic

More information

Measuring the Effect of Code Complexity on Static Analysis Results

Measuring the Effect of Code Complexity on Static Analysis Results Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, and Alex Kuhl Department of Computer Science Northern Kentucky University Highland Heights, KY 41099 Abstract.

More information

Microsoft Windows: A lower Total Cost of 0wnership

Microsoft Windows: A lower Total Cost of 0wnership Microsoft Windows: A lower Total Cost of 0wnership August 12, 2004 Table of Contents Introduction...3 Executive Summary...3 Immunity's Methodology...4 Vulnerability Detection...4 Portability of common

More information

Korset: Code-based Intrusion Detection for Linux

Korset: Code-based Intrusion Detection for Linux Problem Korset Theory Implementation Evaluation Epilogue Korset: Code-based Intrusion Detection for Linux Ohad Ben-Cohen Avishai Wool Tel Aviv University Problem Korset Theory Implementation Evaluation

More information

Fighting malware on your own

Fighting malware on your own Fighting malware on your own Vitaliy Kamlyuk Senior Virus Analyst Kaspersky Lab Vitaly.Kamluk@kaspersky.com Why fight malware on your own? 5 reasons: 1. Touch 100% of protection yourself 2. Be prepared

More information

Linux Exploit Mitigation

Linux Exploit Mitigation Linux Exploit Mitigation Dobin Rutishauser V1.3, March 2016 Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch About

More information

How Compilers Work. by Walter Bright. Digital Mars

How Compilers Work. by Walter Bright. Digital Mars How Compilers Work by Walter Bright Digital Mars Compilers I've Built D programming language C++ C Javascript Java A.B.E.L Compiler Compilers Regex Lex Yacc Spirit Do only the easiest part Not very customizable

More information

Frysk The Systems Monitoring and Debugging Tool. Andrew Cagney

Frysk The Systems Monitoring and Debugging Tool. Andrew Cagney Frysk The Systems Monitoring and Debugging Tool Andrew Cagney Agenda Two Use Cases Motivation Comparison with Existing Free Technologies The Frysk Architecture and GUI Command Line Utilities Current Status

More information

Applying Clang Static Analyzer to Linux Kernel

Applying Clang Static Analyzer to Linux Kernel Applying Clang Static Analyzer to Linux Kernel 2012/6/7 FUJITSU COMPUTER TECHNOLOGIES LIMITED Hiroo MATSUMOTO 管 理 番 号 1154ka1 Copyright 2012 FUJITSU COMPUTER TECHNOLOGIES LIMITED Abstract Now there are

More information

Using fuzzing to detect security vulnerabilities

Using fuzzing to detect security vulnerabilities Using fuzzing to detect security vulnerabilities INFIGO-TD-01-04-2006 25-04-2006 Leon Juranić Leon.Juranic@infigo.hr Infigo IS. All rights reserved. This document contains information, which is protected

More information

CHAPTER 6 TASK MANAGEMENT

CHAPTER 6 TASK MANAGEMENT CHAPTER 6 TASK MANAGEMENT This chapter describes the IA-32 architecture s task management facilities. These facilities are only available when the processor is running in protected mode. 6.1. TASK MANAGEMENT

More information

QEMU, a Fast and Portable Dynamic Translator

QEMU, a Fast and Portable Dynamic Translator QEMU, a Fast and Portable Dynamic Translator Fabrice Bellard Abstract We present the internals of QEMU, a fast machine emulator using an original portable dynamic translator. It emulates several CPUs (x86,

More information