Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University
|
|
- Lorraine Gregory
- 7 years ago
- Views:
Transcription
1 Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh Stanford University
2 Hacking buffer overflows Exploit GET /0xDEAD HTTP/1.0 shell $ cat /etc/passwd root:x:0:0:::/bin/sh sorbo:x:6:9:pac:/bin/sh
3 Crash or no Crash? Enough to build exploit GET /blabla HTTP/1.0 HTTP/ Not Found GET /AAAAAAAAAAAAAAAA connection closed
4 Don t even need to know what application is running! Exploit scenarios: 1. Open source 2. Open binary 3. Closed-binary (and source)????
5 Attack effectiveness Works on 64-bit Linux with ASLR, NX and canaries Server Requests Time (mins) nginx 2,401 1 MySQL 3, Toy proprietary service (unknown binary and source) 1,950 5
6 Attack requirements 1. Stack vulnerability, and knowledge of how to trigger it. 2. Server process that respawns after crash E.g., nginx, MySQL, Apache, OpenSSH, Samba.
7 Outline Introduction. Background on exploits. Blind ROP (BROP). Optimizations.
8 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address 0x urn; } handle_client() buf[1024]
9 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; 0x AAAAAAAAA AAAAAAAAA handle_client() AAAAAAAAA AAAAAAAAA
10 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; 0x AAAAAAAAA AAAAAAAAA?? AAAAAAAAA AAAAAAAAA
11 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x AAAAAAAAA AAAAAAAAA AAAAAAAAA AAAAAAAAA
12 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x x
13 Exploit protections void process_packet(int s) { char buf[1024]; 1. Make stack non-executable int len; (NX) read(s, &len, sizeof(len)); read(s, 2. buf, Randomize len); memory addresses (ASLR) Stack: urn address 0x } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x
14 Return-Oriented Programming (ROP).text: Stack: code fragment 0x Executable dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x Non-Executable
15 Return-Oriented Programming (ROP).text: Stack: code fragment 0x dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0);...
16 Return-Oriented Programming (ROP).text: Stack: code dup2(sock, 0); 0x fragment urn; 0x dup2(sock, 1); 0x x urn; execve( /bin/sh, 0, 0); urn; 0x x ROP gadget
17 Address Space Layout Randomization (ASLR).text: 0x code fragment dup2(sock, 0); urn; dup2(sock, 1); urn; execve( /bin/sh, 0, 0); urn; Stack: 0x x x800000
18 Address Space Layout Randomization (ASLR).text: 0x ?? code fragment dup2(sock, 0); urn; dup2(sock, 1); urn; execve( /bin/sh, 0, 0); urn; Stack: 0x ?? 0x ?? 0x ??
19 Exploit requirements today 1. Break ASLR. 2. Copy of binary (find ROP gadgets / break NX). Is it even possible to hack unknown applications?
20 Blind Return-Oriented Programming (BROP) 1. Break ASLR. 2. Leak binary: Remotely find enough gadgets to call write(). write() binary from memory to network to disassemble and find more gadgets to finish off exploit.
21 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address buf[1024] 0x401183
22 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x401183
23 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)
24 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)
25 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)
26 How to find gadgets?.text: 0x code fragment 0x x x x x401130?????????? Stack: urn address 0x buf[1024]
27 How to find gadgets?.text: 0x code 0x x x x x fragment crash???????? Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA
28 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash?????? Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA
29 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash no crash???? Connection hangs Stack: urn address 0x AAAAAAAAA AAAAAAAAA
30 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash no crash crash crash Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA
31 Three types of gadgets Stop gadget Crash gadget Useful gadget sleep(10); urn; abort(); urn; dup2(sock, 0); urn; Never crashes Always crashes Crash depends on urn
32 Three types of gadgets Stop gadget Crash gadget Useful gadget sleep(10); urn; abort(); urn; dup2(sock, 0); urn; Never crashes Always crashes Crash depends on urn
33 Finding useful gadgets 0x Stack: Crash!! dup2(sock, 0); urn; other urn address 0x x buf[1024] sleep(10); urn;
34 Finding useful gadgets 0x Stack: dup2(sock, 0); urn; 0x urn address 0x x buf[1024] sleep(10); urn; No crash
35 How to find gadgets?.text: 0x code fragment 0x x x x x crash crash stop gadget crash crash Stack: other urn address 0x buf[1024]
36 How to find gadgets?.text: 0x code fragment Connection hangs 0x x x x x gadget! crash stop gadget crash crash Stack: 0x urn address 0x AAAAAAAAA AAAAAAAAA
37 How to find gadgets?.text: 0x code fragment Connection closes 0x x x x x gadget! crash stop gadget crash crash Stack: 0x urn address 0x AAAAAAAAA AAAAAAAAA
38 What are we looking for? write(int sock, void *buf, int len) pop rdi pop rsi pop rdx call write
39 What are we looking for? write(int sock, void *buf, int len) pop rdi pop rsi pop rdx call write AAAAA buf[1024] 0x addr sock rdi 0x buf rsi 0x len rdx 0x700000
40 Pieces of the puzzle pop rsi pop rdi stop gadget [call sleep] pop rdx call write
41 Pieces of the puzzle The BROP gadget pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 pop rsi pop r15 pop rdi pop rdx stop gadget [call sleep] call write
42 Finding the BROP gadget Stack: Connection hangs stop gadget urn address 0x buf[1024]
43 Finding the BROP gadget Stack: stop gadget crash gadget pop rbx Connection hangs urn address 0x buf[1024]
44 Stack: Finding the BROP gadget stop gadget crash gadget crash gadget crash gadget crash gadget crash gadget crash gadget urn address 0x pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 BROP gadget Connection hangs buf[1024]
45 Pieces of the puzzle The BROP gadget pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 pop rsi pop r15 pop rdi pop rdx stop gadget [call sleep] call write
46 Pieces of the puzzle The BROP gadget pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 pop rsi pop r15 pop rdi call strcmp stop gadget [call sleep] call write
47 Pieces of the puzzle The BROP gadget pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 pop rsi pop r15 pop rdi PLT stop gadget [call sleep] call strcmp call write
48 Procedure Linking Table (PLT).text: PLT libc.text: PLT... call write call strcmp... jmp [sleep] jmp [write] jmp [strcmp] jmp [dup2] jmp [execve] jmp [...]
49 Fingerprinting strcmp arg1 arg2 result readable 0x0 crash 0x0 readable crash readable readable nocrash Can now control three arguments: strcmp sets RDX to length of string
50 Finding write Try sending data to socket by calling candidate PLT function. check if data received on socket. chain writes with different FD numbers to find socket. Use multiple connections.
51 Launching a shell 1. dump binary from memory to network. Not blind anymore! 2. dump symbol table to find PLT calls. 3. redirect stdin/out to socket: dup2(sock, 0); dup2(sock, 1); 4. read() /bin/sh from socket to memory 5. execve( /bin/sh, 0, 0)
52 Braille Fully automated: from first crash to shell. 2,000 lines of Ruby. Needs function that will trigger overflow: nginx: 68 lines. MySQL: 121 lines. toy proprietary service: 35 lines. try_exp(data) true crash false no crash
53 Attack complexity dump bin 222 find write 101 find strcmp 61 stack reading 846 find BROP gadget 469 find PLT 702 # of requests for nginx
Exploiting nginx chunked overflow bug, the undisclosed attack vector
Exploiting nginx chunked overflow bug, the undisclosed attack vector Long Le longld@vnsecurity.net About VNSECURITY.NET CLGT CTF team 2 VNSECURITY.NET In this talk Nginx brief introduction Nginx chunked
More informationtelnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012
telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012 Content Part I Info Bug Telnet Exploit Part II Advanced Exploitation Meta Information Disclosed
More informationPractical taint analysis for protecting buggy binaries
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman Traditional Stack Smashing buf[16] GET / HTTP/1.100baseretnarg1arg2 Traditional
More informationBypassing Memory Protections: The Future of Exploitation
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript
More informationSoftware security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security
Software security Buffer overflow attacks SQL injections Lecture 11 EIT060 Computer Security Buffer overflow attacks Buffer overrun is another common term Definition A condition at an interface under which
More informationReturn-oriented programming without returns
Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without urns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy
More informationBuffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015
CSCD27 Computer and Network Security Code Security: Buffer Overflows 13 Buffer Overflow CSCD27 Computer and Network Security 1 Buffer Overflows Extremely common bug. First major exploit: 1988 Internet
More informationDefense in Depth: Protecting Against Zero-Day Attacks
Defense in Depth: Protecting Against Zero-Day Attacks Chris McNab FIRST 16, Budapest 2004 Agenda Exploits through the ages Discussion of stack and heap overflows Common attack behavior Defense in depth
More informationModern Binary Exploitation Course Syllabus
Modern Binary Exploitation Course Syllabus Course Information Course Title: Modern Binary Exploitation Course Number: CSCI 4968 Credit Hours: 4 Semester / Year: Spring 2015 Meeting Days: Tuesday/Friday
More informationSoftware Vulnerabilities
Software Vulnerabilities -- stack overflow Code based security Code based security discusses typical vulnerabilities made by programmers that can be exploited by miscreants Implementing safe software in
More informationI Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich
I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation Mathias Payer, ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application
More informationBypassing Browser Memory Protections in Windows Vista
Bypassing Browser Memory Protections in Windows Vista Mark Dowd & Alexander Sotirov markdowd@au1.ibm.com alex@sotirov.net Setting back browser security by 10 years Part I: Introduction Thesis Introduction
More informationCS 161 Computer Security
Paxson Spring 2013 CS 161 Computer Security Homework 1 Due: Friday, February 15, at 10PM Instructions. You must submit this homework electronically. To submit, put a single solution file hw1.pdf in a directory
More informationPenetration Testing with Kali Linux
Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or
More informationSECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith
SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING Presented by: Dave Kennedy Eric Smith AGENDA Penetration Testing by the masses Review of current state by most service providers Deficiencies in
More informationCustom Penetration Testing
Custom Penetration Testing Compromising a Vulnerability through Discovery and Custom Exploitation Stephen Sims Advanced Penetration Testing - 2009 SANS 1 Objectives Penetration Testing Precompiled Tools
More informationApplication Security: Web service and E-Mail
Application Security: Web service and E-Mail (April 11, 2011) Abdou Illia Spring 2011 Learning Objectives Discuss general Application security Discuss Webservice/E-Commerce security Discuss E-Mail security
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Program Security: Buffer Overflow 1 Buffer Overflow BO Basics Stack smashing Other buffer overflow
More informationHacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons Share Alike license http://creativecommonsorg/licenses/by-sa/30/ # whoami Ali
More informationBetriebssysteme KU Security
Betriebssysteme KU Security IAIK Graz University of Technology 1 1. Drivers 2. Security - The simple stuff 3. Code injection attacks 4. Side-channel attacks 2 1. Drivers 2. Security - The simple stuff
More informationOff-by-One exploitation tutorial
Off-by-One exploitation tutorial By Saif El-Sherei www.elsherei.com Introduction: I decided to get a bit more into Linux exploitation, so I thought it would be nice if I document this as a good friend
More information64-Bit NASM Notes. Invoking 64-Bit NASM
64-Bit NASM Notes The transition from 32- to 64-bit architectures is no joke, as anyone who has wrestled with 32/64 bit incompatibilities will attest We note here some key differences between 32- and 64-bit
More informationIntroduction to Information Security
Introduction to Information Security 0368-3065, Spring 2015 Lecture 1: Introduction, Control Hijacking (1/2) Eran Tromer Slides credit: Avishai Wool, Tel Aviv University 1 Administration Lecturer: Eran
More informationPuttyRider. With great power comes great responsibility. # Pivoting from Windows to Linux in a penetration test. Adrian Furtunã, PhD adif2k8@gmail.
PuttyRider # Pivoting from Windows to Linux in a penetration test With great power comes great responsibility Adrian Furtunã, PhD adif2k8@gmail.com root@bt:~# Agenda # Idea origin and usage scenario #
More informationN-Variant Systems. Slides extracted from talk by David Evans. (provenance in footer) http://www.cs.virginia.edu/evans/sdwest
1 N-Variant Systems Slides extracted from talk by David Evans (provenance in footer) 2 Inevitability of Failure Despite all the best efforts to build secure software, we will still fail (or have to run
More informationDesign of a secure system. Example: trusted OS. Bell-La Pdula Model. Evaluation: the orange book. Buffer Overflow Attacks
Stware Security Holes and Defenses Design a secure system Follows a ring design. Every object has an associated security attribute. Every subject has a security clearance. Least secure Highest security
More informationHOW I MET YOUR MODEM EXPLOIT & TROJAN DEV FOR CONSUMER DSL DEVICES HACK IN THE BOX 2013 AMSTERDAM - PETER GEISSLER & STEVEN KETELAAR
HOW I MET YOUR MODEM EXPLOIT & TROJAN DEV FOR CONSUMER DSL DEVICES HACK IN THE BOX 2013 AMSTERDAM - PETER GEISSLER & STEVEN KETELAAR WHO ARE WE? STEVEN Software developer Security fanatic Produces dance
More informationHacking your perimeter. Social-Engineering. Not everyone needs to use zero. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K
Hacking your perimeter. Social-Engineering Not everyone needs to use zero days David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K About the speaker Wrote the Social-Engineer Toolkit (SET),
More informationA Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge
A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge Antonio Bianchi antoniob@cs.ucsb.edu University of California, Santa Barbara HITCON Enterprise August 27th, 2015 Agenda Shellphish The
More informationHow To Protect Your Computer From Being Hacked By A Hacker (For A Fee)
Illuminating the Security Issues with Lights-Out Server Management Anthony J. Bonkoski J. Alex Halderman University of Michigan What is IPMI? Need to manage a massive cluster of servers? OS installs, monitoring,
More informationJekyll on ios: When Benign Apps Become Evil
Jekyll on ios: When Benign Apps Become Evil Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee School of Computer Science, College of Computing, Georgia Institute of Technology {tielei.wang,
More informationASL IT SECURITY XTREME XPLOIT DEVELOPMENT
ASL IT SECURITY XTREME XPLOIT DEVELOPMENT V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: The most dangerous threat is the one which do not have a CVE. Until now developing reliable exploits
More informationAn introduction to the Return Oriented Programming. Why and How
An introduction to the Return Oriented Programming Why and How Course lecture at the Bordeaux university for the CSI Master Jonathan Salwan Keywords: ROP Intel / ARM, Tools, ROP chain generation, gadgets'
More informationFrom SQL Injection to MIPS Overflows
From SQL Injection to MIPS Overflows Rooting SOHO Routers Zachary Cutlip Black Hat USA 2012 Acknowledgements Tactical Network Solutions Craig Heffner What I m going to talk about Novel uses of SQL injection
More informationFor a 64-bit system. I - Presentation Of The Shellcode
#How To Create Your Own Shellcode On Arch Linux? #Author : N3td3v!l #Contact-mail : 4nonymouse@usa.com #Website : Nopotm.ir #Spcial tnx to : C0nn3ct0r And All Honest Hackerz and Security Managers I - Presentation
More informationIntegrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com
SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration
More informationDynamic Behavior Analysis Using Binary Instrumentation
Dynamic Behavior Analysis Using Binary Instrumentation Jonathan Salwan jsalwan@quarkslab.com St'Hack Bordeaux France March 27 2015 Keywords: program analysis, DBI, DBA, Pin, concrete execution, symbolic
More informationCS3235 - Computer Security Thirteenth topic: System attacks. defenses
Overflows... Security case studies CS3235 - Computer Security Thirteenth topic: System attacks and defenses Hugh Anderson National University of Singapore School of Computing March/April, 2016 Hugh Anderson
More informationERNW Newsletter 51 / September 2015
ERNW Newsletter 51 / September 2015 Playing With Fire: Attacking the FireEye MPS Date: 9/10/2015 Classification: Author(s): Public Felix Wilhelm TABLE OF CONTENT 1 MALWARE PROTECTION SYSTEM... 4 2 GAINING
More informationMSc Computer Science Dissertation
University of Oxford Computing Laboratory MSc Computer Science Dissertation Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities Author: Sean Heelan Supervisor: Dr. Daniel
More informationLinux exploit development part 2 (rev 2) - Real app demo (part 2)
Linux exploit development part 2 (rev 2) - Real app demo (part 2) This will be a short tutorial demonstrating a "buffer overflow" exploit on a real application which is freely available using the techniques
More informationIPMI: Understanding Your Server s Remote Backdoor
IPMI: Understanding Your Server s Remote Backdoor Anthony J. Bonkoski abonkosk@umich.edu SUMIT 2013 What is IPMI? Need to manage a massive cluster of servers? Operating system installs Monitoring Power
More informationReview and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU
Review and Exploit Neglected Attack Surface in ios 8 Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU BlackHat 2015 Agenda ios Security Background Review of Attack Surfaces Fuzz More IOKit and MIG System
More informationHacking. The Edge Pieces. Ken Gottry May2002. 2002 Ken Gottry
Hacking The Edge Pieces Ken Gottry May2002 Objective - Edge Pieces When you start a jigsaw puzzle, you pick out the edge pieces, the ones with the flat sides. You can do this without knowing what the picture
More informationStatic Checking of C Programs for Vulnerabilities. Aaron Brown
Static Checking of C Programs for Vulnerabilities Aaron Brown Problems 300% increase in reported software vulnerabilities SetUID programs Run with full access to the system Required to gain access to certain
More informationtcpcrypt Andrea Bittau, Dan Boneh, Mike Hamburg, Mark Handley, David Mazières, Quinn Slack Stanford, UCL
tcpcrypt Andrea Bittau, Dan Boneh, Mike Hamburg, Mark Handley, David Mazières, Quinn Slack! Stanford, UCL Reminder: project goal IPsec SSH TLS Unencrypted TCP traffic today Not drawn to scale Reminder:
More informationKernel Intrusion Detection System
Kernel Intrusion Detection System Rodrigo Rubira Branco rodrigo@kernelhacking.com rodrigo@risesecurity.org Monica's Team!! Brazilian famous H.Q. story Amazon Forest Yeah, Brazilian country! Soccer Brazilian
More informationAttacking Host Intrusion Prevention Systems. Eugene Tsyrklevich eugene@securityarchitects.com
Attacking Host Intrusion Prevention Systems Eugene Tsyrklevich eugene@securityarchitects.com Agenda Introduction to HIPS Buffer Overflow Protection Operating System Protection Conclusions Demonstration
More informationBug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit
Bug hunting Vulnerability finding methods in Windows 32 environments compared FX of Phenoelit The goal: 0day What we are looking for: Handles network side input Runs on a remote system Is complex enough
More informationReturn-oriented Programming: Exploitation without Code Injection
Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham University of California, San Diego Bad code versus bad behavior Bad Bad behavior
More informationTool-based Approaches to Software Security. Prof. Dr. Eric Bodden Andreas Follner
Tool-based Approaches to Software Security Prof. Dr. Eric Bodden Andreas Follner Outline General Information Timeline Term Paper / Review / Talk Grading Next Steps Topics General Information Purpose of
More informationWeb Application Security Payloads. Andrés Riancho Director of Web Security OWASP AppSec USA 2011 - Minneapolis
Web Application Security Payloads Andrés Riancho Director of Web Security OWASP AppSec USA 2011 - Minneapolis Topics Short w3af introduction Automating Web application exploitation The problem and how
More informationnoway.toonux.com 09 January 2014
noway.toonux.com p3.7 10 noway.toonux.com 88.190.52.71 Debian Linux 0 CRITICAL 0 HIGH 5 MEDIUM 2 LOW Running Services Service Service Name Risk General Linux Kernel Medium 22/TCP OpenSSH 5.5p1 Debian 6+squeeze4
More informationVulnerability Assessment and Penetration Testing
Vulnerability Assessment and Penetration Testing Module 1: Vulnerability Assessment & Penetration Testing: Introduction 1.1 Brief Introduction of Linux 1.2 About Vulnerability Assessment and Penetration
More informationUnix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>
Unix Security Technologies Pete Markowsky What is this about? The goal of this CPU/SWS are: Introduce you to classic vulnerabilities Get you to understand security advisories Make
More informationWhere s the FEEB? The Effectiveness of Instruction Set Randomization
Where s the FEEB? The Effectiveness of Instruction Set Randomization Ana Nora Sovarel David Evans Nathanael Paul University of Virginia, Department of Computer Science http://www.cs.virginia.edu/feeb Abstract
More informationLab 4: Socket Programming: netcat part
Lab 4: Socket Programming: netcat part Overview The goal of this lab is to familiarize yourself with application level programming with sockets, specifically stream or TCP sockets, by implementing a client/server
More informationEECS 354 Network Security. Introduction
EECS 354 Network Security Introduction Why Learn To Hack Understanding how to break into computer systems allows you to better defend them Learn how to think like an attacker Defense then becomes second-nature
More informationFormat string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com
Format string exploitation on windows Using Immunity Debugger / Python By Abysssec Inc WwW.Abysssec.Com For real beneficiary this post you should have few assembly knowledge and you should know about classic
More informationAdvanced Web Security, Lab
Advanced Web Security, Lab Web Server Security: Attacking and Defending November 13, 2013 Read this earlier than one day before the lab! Note that you will not have any internet access during the lab,
More informationSecurity: Attack and Defense
Security: Attack and Defense Aaron Hertz Carnegie Mellon University Outline! Breaking into hosts! DOS Attacks! Firewalls and other tools 15-441 Computer Networks Spring 2003 Breaking Into Hosts! Guessing
More informationExploiting Trustzone on Android
1 Introduction Exploiting Trustzone on Android Di Shen(@returnsme) retme7@gmail.com This paper tells a real story about exploiting TrustZone step by step. I target an implementation of Trusted Execution
More informationFine-Grained User-Space Security Through Virtualization. Mathias Payer and Thomas R. Gross ETH Zurich
Fine-Grained User-Space Security Through Virtualization Mathias Payer and Thomas R. Gross ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application access
More informationLearn Ethical Hacking, Become a Pentester
Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,
More informationApplication. Application Layer Security. Protocols. Some Essentials. Attacking the Application Layer. SQL Injection
Application Layer Security Application Presentation Session TCP UDP IP Data Link Physical Protocols File Transfer Protocol (FTP) Telnet Simple Mail Transfer Protocol (SMTP) Hypertext Transfer Protocol
More informationFirewalls. configuring a sophisticated GNU/Linux firewall involves understanding
Firewalls slide 1 configuring a sophisticated GNU/Linux firewall involves understanding iptables iptables is a package which interfaces to the Linux kernel and configures various rules for allowing packets
More informationOut Of Control: Overcoming Control-Flow Integrity
Out Of Control: Overcoming Control-Flow Integrity Enes Göktaş Vrije Universiteit Amsterdam, The Netherlands Email: enes.goktas@vu.nl Elias Athanasopoulos FORTH-ICS Heraklion, Ce, Greece Email: elathan@ics.forth.gr
More informationIntroduction to web security Jakob Korherr. Freitag, 11. Mai 12
Introduction to web security Jakob Korherr 1 Agenda $ whoami Basics of (web) security Web application architecture OWASP top 10 SQL injection Cross site scripting (XSS) Cross site request forgery (XSRF)
More informationStack Overflows. Mitchell Adair
Stack Overflows Mitchell Adair Outline Why? What? There once was a VM Virtual Memory Registers Stack stack1, stack2, stack3 Resources Why? Real problem Real money Real recognition Still prevalent Very
More informationMacro-Reliability in Win32 Exploits
Macro-Reliability in Win32 Exploits A la conquete du monde... Kostya Kortchinsky http://www.immunityinc.com/ Agenda Problems with large scale exploitation Immunity's Solutions Common Addresses Remote Language
More informationIntroduction to computer and network security. Session 2 : Examples of vulnerabilities and attacks pt1
Introduction to computer and network security Session 2 : Examples of vulnerabilities and attacks pt1 Jean Leneutre jean.leneutre@telecom-paristech.fr Tél.: 01 45 81 78 81 Page 1 Outline I- Introduction
More informationAdvanced IBM AIX Heap Exploitation. Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com
Advanced IBM AIX Heap Exploitation Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com Introduction Our society has become dependent on computers and network systems.
More informationUnix Security Technologies: Host Security Tools. Peter Markowsky <peterm[at]ccs.neu.edu>
Unix Security Technologies: Host Security Tools Peter Markowsky Syllabus An Answer to last week s assignment Four tools SSP W^X PaX Systrace Last time You were assigned to get a
More informationstatic void insecure (localhost *unix)
static void insecure (localhost *unix) Eric Pancer epancer@infosec.depaul.edu Information Security Team DePaul University http://infosec.depaul.edu Securing UNIX Hosts from Local Attack p.1/32 Overview
More informationGeneralised Socket Addresses for Unix Squeak 3.9 11
Generalised Socket Addresses for Unix Squeak 3.9 11 Ian Piumarta 2007 06 08 This document describes several new SocketPlugin primitives that allow IPv6 (and arbitrary future other) address formats to be
More informationhttp://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention
http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005 skape mmiller@hick.org Skywing Skywing@valhallalegends.com One of the big changes that Microsoft introduced
More informationSecurity Products Development. Leon Juranic leon@defensecode.com
Security Products Development Leon Juranic leon@defensecode.com Security Products Development Q: Why I picked this boring topic at all? A: Avoidance of any hackingrelated topics for fsec (khm.) :) Security
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 2/8/06 Blackhat Federal 2006 1 Big
More informationTopics in Network Security
Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure
More informationTutorial on Socket Programming
Tutorial on Socket Programming Computer Networks - CSC 458 Department of Computer Science Seyed Hossein Mortazavi (Slides are mainly from Monia Ghobadi, and Amin Tootoonchian, ) 1 Outline Client- server
More informationAn Analysis of Address Space Layout Randomization on Windows Vista
ADVANCED THREAT RESEARCH 2007 Symantec Corporation 1 An Analysis of Address Space Layout Randomization on Windows Vista Ollie Whitehouse, Architect, Symantec Advanced Threat Research Abstract: Address
More informationData on Kernel Failures and Security Incidents
Data on Kernel Failures and Security Incidents Ravishankar K. Iyer (W. Gu, Z. Kalbarczyk, G. Lyle, A. Sharma, L. Wang ) Center for Reliable and High-Performance Computing Coordinated Science Laboratory
More informationThe Advantages of Block-Based Protocol Analysis for Security Testing
The Advantages of Block-Based Protocol Analysis for Security Testing Dave Aitel Immunity,Inc. 111 E. 7 th St. Suite 64, NY NY 10009, USA dave@immunitysec.com February, 4 2002 Abstract. This paper describes
More informationCoverity White Paper. Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing
Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing The Stakes Are Rising Security breaches in software and mobile devices are making headline news and costing companies
More informationDynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software James Newsome jnewsome@ece.cmu.edu Carnegie Mellon University Abstract Software vulnerabilities
More informationModule 26. Penetration Testing
Module 26 Penetration Testing Page 633 Ethical Hacking and Countermeasures v6 Copyright Lab 26-01 Objective: Use Azure Web Log to know details about your web traffic In the CEHv6 Labs CD-ROM, navigate
More informationCataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems
Abstract: Cataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems *P.VADIVELMURUGAN #K.ALAGARSAMY *Research Scholar, Department of Computer Center, Madurai Kamaraj University,
More information風 水. Heap Feng Shui in JavaScript. Alexander Sotirov. asotirov@determina.com
風 水 Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program
More informationCIT 480: Securing Computer Systems. Vulnerability Scanning and Exploitation Frameworks
CIT 480: Securing Computer Systems Vulnerability Scanning and Exploitation Frameworks Vulnerability Scanners Vulnerability scanners are automated tools that scan hosts and networks for potential vulnerabilities,
More informationHow I hacked PacketStorm (1988-2000)
Outline Recap Secure Programming Lecture 8++: SQL Injection David Aspinall, Informatics @ Edinburgh 13th February 2014 Overview Some past attacks Reminder: basics Classification Injection route and motive
More informationIntroduction to Security
IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 9 Nov 16, 2010 Authentication, Identity Vulnerability Analysis 1 Objectives Understand/explain the issues related
More information============================================================= =============================================================
Stephan Lantos Subject: FW: @RISK: The Consensus Security Vulnerability Alert: Vol. 13, Num. 23 In partnership with SANS and Sourcefire, Qualys is pleased to provide you with the @RISK Newsletter. This
More informationHow to hack a website with Metasploit
How to hack a website with Metasploit By Sumedt Jitpukdebodin Normally, Penetration Tester or a Hacker use Metasploit to exploit vulnerability services in the target server or to create a payload to make
More informationCSE331: Introduction to Networks and Security. Lecture 17 Fall 2006
CSE331: Introduction to Networks and Security Lecture 17 Fall 2006 Announcements Project 2 is due next Weds. Homework 2 has been assigned: It's due on Monday, November 6th. CSE331 Fall 2004 2 Summary:
More informationILR: Where d My Gadgets Go?
2012 IEEE Symposium on Security and Privacy ILR: Where d My Gadgets Go? Jason Hiser, Anh Nguyen-Tuong, Michele Co, Matthew Hall, Jack W. Davidson University of Virginia, Department of Computer Science
More informationA Perfect CRIME? TIME Will Tell. Tal Be ery, Web research TL
A Perfect CRIME? TIME Will Tell Tal Be ery, Web research TL Agenda BEAST + Modes of operation CRIME + Gzip compression + Compression + encryption leak data TIME + Timing + compression leak data Attacking
More informationRed Hat. www.redhat.com. By Karl Wirth
Red Hat Enterprise Linux 5 Security By Karl Wirth Abstract Red Hat Enterprise Linux has been designed by, and for, the most security-conscious organizations in the world. Accordingly, security has always
More informationAutomating Mimicry Attacks Using Static Binary Analysis
Automating Mimicry Attacks Using Static Binary Analysis Christopher Kruegel and Engin Kirda Technical University Vienna chris@auto.tuwien.ac.at, engin@infosys.tuwien.ac.at Darren Mutz, William Robertson,
More informationNetwork Security In Linux: Scanning and Hacking
Network Security In Linux: Scanning and Hacking Review Lex A lexical analyzer that tokenizes an input text. Yacc A parser that parses and acts based on defined grammar rules involving tokens. How to compile
More information