Buffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015
|
|
- Rhoda Gibbs
- 8 years ago
- Views:
Transcription
1 CSCD27 Computer and Network Security Code Security: Buffer Overflows 13 Buffer Overflow CSCD27 Computer and Network Security 1 Buffer Overflows Extremely common bug. First major exploit: 1988 Internet Worm. Used fingerd 15 years later: 50% of all CERT advisories: 1998: 9 out of : 14 out of : 13 out of 28 Still a top-10 exploit in 2015, estimated at 20% Can give attacker complete control of victim host Developing buffer overflow attacks: identify buffer overflow within an application design an exploit 13 Buffer Overflow CSCD27 Computer and Network Security 2 Buffer Overflows are everywhere /default.ida?nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u 9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00 c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a Code Red worm URL signature Web servers (Heartbleed), SQL servers, code repo s, network services such as sendmail, ftp, telnet, xterm, httpd, named,... Hardware such as network switches can be hung/crashed by similar methods Most common exploited code-flaw in reported attacks Required attacker coding practices: planted attack program must not contain the \0 char o since null byte will terminate copy operation prematurely overflow should not crash program before attack function exits 13 Buffer Overflow CSCD27 Computer and Network Security 3 CSCD27F Computer and Network Security 1
2 So You Want to be a Hacker? You ll need to: understand C functions and the runtime be somewhat familiar with machine code know how systems calls are performed understand the exec() system call Also need to know which CPU and OS are running on the target machine. Why? Details vary between CPU s and OS s: o little endian vs. big endian (e.g. x86 vs. Motorola) o -frame ucture (Linux vs. Windows) o direction of growth 13 Buffer Overflow CSCD27 Computer and Network Security 4 What are Buffer Overflows? Suppose you are writing a C program that requires some input from the user: First of all, what is the code supposed to do? gets() reads as many bytes of input as are available on standard input, storing them in array buffer[] Simple enough piece of code. But now consider the unexpected... if the input happens to contain more than 80 bytes of data, then what? 13 Buffer Overflow CSCD27 Computer and Network Security 5 What are Buffer Overflows? gets() will dutifully keep writing bytes, right past the end of our buffer array, with what consequence? some other part of memory will get overwritten by this input This is a bug, not that hard to spot, but also not that hard to introduce, if you've got your mind on something else, and you haven't been bitten by this one before once you learn the pattern you become sensitized to it and are less likely to miss it in future code So what happens when we blow past the end of buffer writing bytes? 13 Buffer Overflow CSCD27 Computer and Network Security 6 CSCD27F Computer and Network Security 2
3 What are Buffer Overflows? what happens when we blow past the end of buffer writing bytes? Typically the program crashes leaving a "core-dump", often recorded as file "core" Of course you don't necessarily catch this in your testing, so maybe a user of your application gets a weird abort at runtime bad, especially if the crashed program is a server that should be always on maliciously causing a service to stop responding: DoS! What may be less obvious is that the consequences can be even worse 13 Buffer Overflow CSCD27 Computer and Network Security 7 More Buffer Overflows Let's make a slight adjustment to the example to show one possible consequence: int authenticated = 0; Alogin function (not shown) sets the authenticated flag, only if the user logs in with a valid password Unfortunately, the authenticated flag is stored in memory right after array buffer[] 13 Buffer Overflow CSCD27 Computer and Network Security 8 More Buffer Overflows int authenticated = 0; If the attacker can write 81 bytes of data to buffer, with the 81st byte set to a non-zero value, this will set the authenticated flag to true, and the attacker will have the status of an authenticated user! The program above allows that to happen, because gets() does no bounds-checking: it will write as much data to buffer as is supplied to it In other words, the code above is vulnerable: an attacker who can control the input to the program, can bypass the password-authentication check 13 Buffer Overflow CSCD27 Computer and Network Security 9 CSCD27F Computer and Network Security 3
4 Code Injection Attack Here's another variation, that poses a different kind of threat: int (*func_ptr)(); What is *func_ptr? A pointer to... a function, e.g. a callback, for event-handlers. The function referenced by *func_ptr is invoked elsewhere in the program This enables a more serious attack. Do you see it? If an attacker can overwrite func_ptr with an address of his choice, he will be able to redirect program execution to some chosen memory location 13 Buffer Overflow CSCD27 Computer and Network Security 10 Code Injection Attack int (*func_ptr)(); An attacker could supply inputconsisting of malicious inuctions, followed by a few bytes that overwrite func_ptr with some address A When func_ptr is next invoked, the flow of control is redirected to address A attacker can choose address A however he likes; e.g. &buffer[0] This attack is referred to as a malicious code-injection attack Many variations on this attack are possible; malicious code need not be stored in buffer[]; can be elsewhere in memory 13 Buffer Overflow CSCD27 Computer and Network Security 11 Stack Based Buffer Overflows Stack-based buffer overflows are more common than other forms; they exploit the runtime layout of memory (next slide) When function is called, parameters/local variables stored on a (pushed at call time, popped at urn time), together with a pointer to the caller's frame (for the pop) and a urn address, where execution resumes upon urn Revisiting our insecure()definition in this context, add a parameter so we can see where it ends up on the and change from gets() to cpy(): void insecure(char *) { cpy(buffer, ); 13 Buffer Overflow CSCD27 Computer and Network Security 12 CSCD27F Computer and Network Security 4
5 Linux process address space %esp ( ptr) User Stack 0xC brk (heap ptr) Shared libraries Run time heap 0x Loaded from exec Code (text) Unused 0x Buffer Overflow CSCD27 Computer and Network Security 13 0 Stack Frame Layout Caller s frame SP Parameters Return address Stack Frame Pointer Callee saved registers Local variables higher address Stack growth as functions are called lower address 13 Buffer Overflow CSCD27 Computer and Network Security 14 Stack Buffer Overflows void insecure(char *) { Notice how buffer has moved inside the function to become a local variable... so that it will be allocated on the In a " smashing" attack, a buffer overflow causes the saved SP and urn address to be overwritten In the simplest form of -smashing attack, malicious code is introduced somewhere in the program's address space, possibly within the buffer array itself If an 88-byte input is provided as the value of to the cpy() call, the last 8 bytes will overwrite the saved frame pointer and urn addr(assuming a 32-bit processor), the latter of which is set to point at the malicious code! 13 Buffer Overflow CSCD27 Computer and Network Security 15 cpy(buffer, ); CSCD27F Computer and Network Security 5
6 Stack Buffer Overflows Suppose a system command contains the function: void insecure(char *) { cpy(buffer, );... When insecure() is invoked, looks like this: top of buffer Local variables addr Stack grows this way 13 Buffer Overflow CSCD27 Computer and Network Security 16 Pointer to Execute Arguments previous code at frame this address after func() finishes frame of calling function Stack Buffer Overflows What happens if the caller supplies 88 bytes (or more) of input, not 80 bytes as insecure() intended? After cpy()the will look like this: Top of buffer addr Stack grows this way frame of calling function cpy() fills buffer bytes this way the value stored in this location will be interped as urn address for caller of insecure() so what will our wily attacker use as the value of param? 13 Buffer Overflow CSCD27 Computer and Network Security 17 Stack Smashing Exploit Attacker puts code into buffer such that after cpy() looks like this: Top of attack code addr frame of calling function attacker code e.g.: execv(/bin/sh) expressed in ASM and run as, say root? When insecure() exits, user gets root shell!! note: attack code runs in the exploited flaw: no range checking in cpy() challenge for attacker: to determine addr attacker must correctly guess memory position of frame when insecure() is called 13 Buffer Overflow CSCD27 Computer and Network Security 18 CSCD27F Computer and Network Security 6
7 Stack Smashing Exploit How can attacker mitigate not knowing actual runtime address of attack code? Top of NOP slide attack code addr frame of calling function Attacker guesses approximate memory position of frame when insecure() is called Inserts NOP (no-op) slide in front of attack code NOP code has no effect, but executes sequentially until inuction pointer gets to attack-code 13 Buffer Overflow CSCD27 Computer and Network Security Buffer Overflow CSCD27 Computer and Network Security Buffer Overflow CSCD27 Computer and Network Security 21 CSCD27F Computer and Network Security 7
8 Format Strings in C Proper use of printf format ing: int test = 1234; printf("test = %d in decimal, %X in hex", test, test); o Prints: test = 1234 in decimal, 4D2 in hex Careless use of printf format ing: char buffer[13]="hello, world!"; printf(buffer); // should use printf("%s", buffer); o If buffer contains format symbols starting with %, location pointed to by printf sinternal pointer will be interped as an argument of printf. This can be exploited to move printf sinternal pointer 13 Buffer Overflow CSCD27 Computer and Network Security 22 Format String Attack if (fgets(buffer,sizeof buffer,stdin)==null) urn; printf(buffer); What is the if-statement testing? Why does it urn? fgets() reads into buffer until sizeof-buffer- bytes have been read, and ing value in buffer is then terminated with a null byte. fgets() urns NULL if EOF (end-of-file) is encountered. What happens when the printf() is executed if its argument contains a % formatting character? If there is a %, then printf() will look for arguments, which probably don't exist, and that in turn may cause the program to crash. Hmm, same way we got started above, with a crash, which is bad news, but could it actually be worse? 13 Buffer Overflow CSCD27 Computer and Network Security 23 Format String Attack if (fgets(buffer,sizeof buffer,stdin)==null) urn; printf(buffer); Let's try it out... see insecure.c in buf_ovfl_ex (on Lectures page), compile and run a.out < stdinn stdin0 (no format ing in input) -ok stdin1 (contains %s) core dump, awww, but wait, this is a DoS attack!! If the stdinvalue is "%x:%x", then the 1st 2 words of memory will be printed. stdin2 (%x:%x) -this is cool stdin3 (%x:%x:%x:%x:%x %s) -shows ing stored at memory address given by 6th word of, interped as address Different results depending on whether you compile and run on mathlab or other Linux system. Why? 13 Buffer Overflow CSCD27 Computer and Network Security 24 CSCD27F Computer and Network Security 8
9 Format String Attacks Lots of variations on these ideas, permit an attacker to peer into the victim's addr space, e.g.: If attacker can observe output of function within Web server, and that output shows up in the browser window things start to get interesting a remote attacker can poke around the address space on your server. Why should you care? if (fgets(buffer,sizeof buffer,stdin)==null) urn; printf(buffer); consider what may be stored in the server s memory at runtime: passwords, crypto keys, other confidential info. Even worse, the attacker can write any value to ANY address in the victim's address space, using %n 13 Buffer Overflow CSCD27 Computer and Network Security 25 Preventing Buffer Overflow Attacks Main problem: cpy(), cat(), sprintf(), gets(), scanf() perform no range checking Safe versions ncpy(), ncat() misleading: Defenses: o ncpy() may leave buffer unterminated o ncpy(), ncat() encourage off-by-1 bugs Type-safe languages (Java, ML). Legacy code? Mark as non-execute. Randomize location. Static Analysis Run time checking: StackGuard, Libsafe, SafeC, (Purify) 13 Buffer Overflow CSCD27 Computer and Network Security 29 Preventing Overflow Attacks Some programming languages are designed to be intrinsically memory-safe, no matter what the programmer does Java for example Memory-safe languages eliminate the opportunityfor a common kind of programming mistake that has been known to cause serious security vulnerabilities What if you re stuck maintaining a legacy app written in a non-safe language, like C or C++, which relies on the programmer to preserve memory safety? 13 Buffer Overflow CSCD27 Computer and Network Security 30 CSCD27F Computer and Network Security 9
10 Mark Stack as Non-Execute Basic -smashing exploit can be prevented by marking segment as non-executable NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott, but not 32-bit x86 (NX bit in every Page Table Entry (PTE)) Support in Win XP SP2+, Win 7/8/10. Code patches for Linux Limitations: Doesn t defend against `urn-to-libc exploit o overflow sets -addr to address of libc function Doesn t block more general overflow exploits: o overflow on heap: overflow buffer next to func pointer Doesn t prevent logic-modification errors such as overflow into authentication flag Some apps need executable (e.g. LISP interpers) 13 Buffer Overflow CSCD27 Computer and Network Security 31 Runtime Checking: StackGuard Many many run-time checking techniques Here, only cover methods relevant to overflow protection Solutions 1: StackGuard (WireX) Run time tests for integrity. Embed canaries in frames and verify their integrity prior to function urn. top of local Frame 2 canary local Frame 1 canary growth 13 Buffer Overflow CSCD27 Computer and Network Security 33 Stackguard Canary Types Random canary: choose random ing at program startup insert canary ing into every frame verify canary before urning from function to avoid corrupting random canary, attacker must learn current random ing (hard) Terminator canary: canary = "\0", newline, linefeed, EOF ing functions like cpy(), gets() will not copy beyond terminator canary hence, attacker cannot use ing functions to corrupt 13 Buffer Overflow CSCD27 Computer and Network Security 34 CSCD27F Computer and Network Security 10
11 StackGuard Implementation StackGuard implemented as a GCC patch program must be recompiled Modest performance hit: e.g. 8% for Apache Web server Newer version: PointGuard protects function pointers and setjmpbuffers by placing canaries next to them more noticeable performance effects Note: canaries don t offer complete protection some -smashing attacks leave canaries untouched 13 Buffer Overflow CSCD27 Computer and Network Security 35 Run time checking: Libsafe Solution 2: libsafe (Avaya Labs) top of dynamically loaded library (if can t recompile) intercepts calls to e.g. cpy(buf,src) o validates sufficient space in current frame: frame-pointer buf > len(src) o if so, executes cpyotherwise, terminates application cpy() fills dest bytes this way -addr src buf -addr libsafe cpy main 13 Buffer Overflow CSCD27 Computer and Network Security 36 Buffer Overflows Buffer overflows remain an important mechanism for system compromise e.g. Code Red 2 worm infected over 250K machines; utilized a buffer overflow in IIS Attackers have been very resourceful in working around apparent showstoppers, such as: the buffer variable being stored in the heap malicious code's location is unknown (e.g. randomization) buffer characters limited to lower-case letters /default.ida?nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u 9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00 c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a Code Red worm URL signature things that would seem to make attack infeasible -not so! 13 Buffer Overflow CSCD27 Computer and Network Security 37 CSCD27F Computer and Network Security 11
Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security
Software security Buffer overflow attacks SQL injections Lecture 11 EIT060 Computer Security Buffer overflow attacks Buffer overrun is another common term Definition A condition at an interface under which
More informationDesign of a secure system. Example: trusted OS. Bell-La Pdula Model. Evaluation: the orange book. Buffer Overflow Attacks
Stware Security Holes and Defenses Design a secure system Follows a ring design. Every object has an associated security attribute. Every subject has a security clearance. Least secure Highest security
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Program Security: Buffer Overflow 1 Buffer Overflow BO Basics Stack smashing Other buffer overflow
More informationIntroduction to Information Security
Introduction to Information Security 0368-3065, Spring 2015 Lecture 1: Introduction, Control Hijacking (1/2) Eran Tromer Slides credit: Avishai Wool, Tel Aviv University 1 Administration Lecturer: Eran
More informationSoftware Vulnerabilities
Software Vulnerabilities -- stack overflow Code based security Code based security discusses typical vulnerabilities made by programmers that can be exploited by miscreants Implementing safe software in
More informationFormat string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com
Format string exploitation on windows Using Immunity Debugger / Python By Abysssec Inc WwW.Abysssec.Com For real beneficiary this post you should have few assembly knowledge and you should know about classic
More informationCSC 405 Introduction to Computer Security
CSC 405 Introduction to Computer Security Topic 3. Program Security -- Part II CSC 405 Dr. Peng Ning 1 Targeted Malicious Code General purpose malicious code Affect users and machines indiscriminately
More informationDefense in Depth: Protecting Against Zero-Day Attacks
Defense in Depth: Protecting Against Zero-Day Attacks Chris McNab FIRST 16, Budapest 2004 Agenda Exploits through the ages Discussion of stack and heap overflows Common attack behavior Defense in depth
More informationUnix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>
Unix Security Technologies Pete Markowsky What is this about? The goal of this CPU/SWS are: Introduce you to classic vulnerabilities Get you to understand security advisories Make
More informationBypassing Memory Protections: The Future of Exploitation
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript
More informationExample of Standard API
16 Example of Standard API System Call Implementation Typically, a number associated with each system call System call interface maintains a table indexed according to these numbers The system call interface
More informationI Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich
I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation Mathias Payer, ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 39 System Security Welcome
More informationData on Kernel Failures and Security Incidents
Data on Kernel Failures and Security Incidents Ravishankar K. Iyer (W. Gu, Z. Kalbarczyk, G. Lyle, A. Sharma, L. Wang ) Center for Reliable and High-Performance Computing Coordinated Science Laboratory
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationERNW Newsletter 51 / September 2015
ERNW Newsletter 51 / September 2015 Playing With Fire: Attacking the FireEye MPS Date: 9/10/2015 Classification: Author(s): Public Felix Wilhelm TABLE OF CONTENT 1 MALWARE PROTECTION SYSTEM... 4 2 GAINING
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 2/8/06 Blackhat Federal 2006 1 Big
More informationReturn-oriented programming without returns
Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without urns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy
More informationSECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith
SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING Presented by: Dave Kennedy Eric Smith AGENDA Penetration Testing by the masses Review of current state by most service providers Deficiencies in
More informationBypassing Browser Memory Protections in Windows Vista
Bypassing Browser Memory Protections in Windows Vista Mark Dowd & Alexander Sotirov markdowd@au1.ibm.com alex@sotirov.net Setting back browser security by 10 years Part I: Introduction Thesis Introduction
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationA Test Suite for Basic CWE Effectiveness. Paul E. Black. paul.black@nist.gov. http://samate.nist.gov/
A Test Suite for Basic CWE Effectiveness Paul E. Black paul.black@nist.gov http://samate.nist.gov/ Static Analysis Tool Exposition (SATE V) News l We choose test cases by end of May l Tool output uploaded
More informationEugene Tsyrklevich. Ozone HIPS: Unbreakable Windows
Eugene Tsyrklevich Eugene Tsyrklevich has an extensive security background ranging from designing and implementing Host Intrusion Prevention Systems to training people in research, corporate, and military
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationCS420: Operating Systems OS Services & System Calls
NK YORK COLLEGE OF PENNSYLVANIA HG OK 2 YORK COLLEGE OF PENNSYLVAN OS Services & System Calls James Moscola Department of Physical Sciences York College of Pennsylvania Based on Operating System Concepts,
More informationCSE331: Introduction to Networks and Security. Lecture 15 Fall 2006
CSE331: Introduction to Networks and Security Lecture 15 Fall 2006 Worm Research Sources "Inside the Slammer Worm" Moore, Paxson, Savage, Shannon, Staniford, and Weaver "How to 0wn the Internet in Your
More informationQuiz I Solutions MASSACHUSETTS INSTITUTE OF TECHNOLOGY. 6.858 Fall 2012. Department of Electrical Engineering and Computer Science
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2012 Quiz I Solutions 30 Grade for q1 25 20 15 10 5 0 0 10 20 30 40 50 60 70 80 90 100 Histogram
More informationBetriebssysteme KU Security
Betriebssysteme KU Security IAIK Graz University of Technology 1 1. Drivers 2. Security - The simple stuff 3. Code injection attacks 4. Side-channel attacks 2 1. Drivers 2. Security - The simple stuff
More informationChapter 15 Operating System Security
Operating Systems: Internals and Design Principles Chapter 15 Operating System Security Eighth Edition By William Stallings System Access Threats System access threats fall into two general categories:
More informationCS3600 SYSTEMS AND NETWORKS
CS3600 SYSTEMS AND NETWORKS NORTHEASTERN UNIVERSITY Lecture 2: Operating System Structures Prof. Alan Mislove (amislove@ccs.neu.edu) Operating System Services Operating systems provide an environment for
More informationMSc Computer Science Dissertation
University of Oxford Computing Laboratory MSc Computer Science Dissertation Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities Author: Sean Heelan Supervisor: Dr. Daniel
More informationTesting for Security
Testing for Security Kenneth Ingham September 29, 2009 1 Course overview The threat that security breaches present to your products and ultimately your customer base can be significant. This course is
More informationIntegrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com
SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration
More informationLast Class: OS and Computer Architecture. Last Class: OS and Computer Architecture
Last Class: OS and Computer Architecture System bus Network card CPU, memory, I/O devices, network card, system bus Lecture 3, page 1 Last Class: OS and Computer Architecture OS Service Protection Interrupts
More informationOff-by-One exploitation tutorial
Off-by-One exploitation tutorial By Saif El-Sherei www.elsherei.com Introduction: I decided to get a bit more into Linux exploitation, so I thought it would be nice if I document this as a good friend
More informationEECS 354 Network Security. Introduction
EECS 354 Network Security Introduction Why Learn To Hack Understanding how to break into computer systems allows you to better defend them Learn how to think like an attacker Defense then becomes second-nature
More informationEnlisting Hardware Architecture to Thwart Malicious Code Injection
Enlisting Hardware Architecture to Thwart Malicious Code Injection Ruby B. Lee, David K. Karig, John P. McGregor, and Zhijie Shi Princeton Architecture Laboratory for Multimedia and Security (PALMS) Department
More informationThe programming language C. sws1 1
The programming language C sws1 1 The programming language C invented by Dennis Ritchie in early 1970s who used it to write the first Hello World program C was used to write UNIX Standardised as K&C (Kernighan
More informationCataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems
Abstract: Cataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems *P.VADIVELMURUGAN #K.ALAGARSAMY *Research Scholar, Department of Computer Center, Madurai Kamaraj University,
More informationSome Anti-Worm Efforts at Microsoft. Acknowledgements
Some Anti-Worm Efforts at Microsoft Helen J. Wang System and Networking Research Group Microsoft Research Oct 29, 2004 1 Acknowledgements Matt Braverman, Opher Dubrovsky, John Dunagan, Louis Lafreniere,
More informationHands-on Hacking Unlimited
About Zone-H Attacks techniques (%) File Inclusion Shares misconfiguration SQL Injection DNS attack through social engineering Web Server external module intrusion Attack against the administrator/user
More informationX05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation 2006. IBM System p, AIX 5L & Linux Technical University
X05 An Overview of Source Code Scanning Tools Loulwa Salem Las Vegas, NV Objectives This session will introduce better coding practices and tools available to aid developers in producing more secure code.
More informationCustom Penetration Testing
Custom Penetration Testing Compromising a Vulnerability through Discovery and Custom Exploitation Stephen Sims Advanced Penetration Testing - 2009 SANS 1 Objectives Penetration Testing Precompiled Tools
More informationOperating Systems and Networks
recap Operating Systems and Networks How OS manages multiple tasks Virtual memory Brief Linux demo Lecture 04: Introduction to OS-part 3 Behzad Bordbar 47 48 Contents Dual mode API to wrap system calls
More informationOPERATING SYSTEM SERVICES
OPERATING SYSTEM SERVICES USER INTERFACE Command line interface(cli):uses text commands and a method for entering them Batch interface(bi):commands and directives to control those commands are entered
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationCSE331: Introduction to Networks and Security. Lecture 1 Fall 2006
CSE331: Introduction to Networks and Security Lecture 1 Fall 2006 Basic Course Information Steve Zdancewic lecturer Web: http://www.cis.upenn.edu/~stevez E-mail: stevez@cis.upenn.edu Office hours: Tues.
More informationLecture Overview. INF3510 Information Security Spring 2015. Lecture 4 Computer Security. Meaningless transport defences when endpoints are insecure
Lecture Overview INF3510 Information Security Spring 2015 Fundamental computer security concepts CPU and OS kernel security mechanisms Virtualization Memory Protection Trusted computing and TPM Lecture
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationCSE331: Introduction to Networks and Security. Lecture 32 Fall 2004
CSE331: Introduction to Networks and Security Lecture 32 Fall 2004 Hackers / Intruders External attacks Typical hacker Exploits carried out remotely Does not have an account on the remote machine Insider
More informationA Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention
A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention John Wilander and Mariam Kamkar Dept. of Computer and Information Science, Linköpings universitet johwi, marka @ida.liu.se
More informationX86-64 Architecture Guide
X86-64 Architecture Guide For the code-generation project, we shall expose you to a simplified version of the x86-64 platform. Example Consider the following Decaf program: class Program { int foo(int
More informationWhere s the FEEB? The Effectiveness of Instruction Set Randomization
Where s the FEEB? The Effectiveness of Instruction Set Randomization Ana Nora Sovarel David Evans Nathanael Paul University of Virginia, Department of Computer Science http://www.cs.virginia.edu/feeb Abstract
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationHomeland Security Red Teaming
Homeland Security Red Teaming Directs intergovernmental coordination Specifies Red Teaming Viewing systems from the perspective of a potential adversary Target hardening Looking for weakness in existing
More informationhttp://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention
http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005 skape mmiller@hick.org Skywing Skywing@valhallalegends.com One of the big changes that Microsoft introduced
More informationAn Attack Simulator for Systematically Testing Program-based Security Mechanisms
An Attack Simulator for Systematically Testing Program-based Security Mechanisms Ben Breech Computer and Info Sciences University of Delaware Newark, DE 19716 breech@cis.udel.edu Mike Tegtmeyer Army Research
More informationExploits: XSS, SQLI, Buffer Overflow
Exploits: XSS, SQLI, Buffer Overflow These vulnerabilities continue to result in many active exploits. XSS Cross Site Scripting, comparable to XSRF, Cross Site Request Forgery. These vulnerabilities are
More informationCS 161 Computer Security
Paxson Spring 2013 CS 161 Computer Security Homework 1 Due: Friday, February 15, at 10PM Instructions. You must submit this homework electronically. To submit, put a single solution file hw1.pdf in a directory
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 24 Windows and Windows Vista Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Windows and Windows Vista Security
More informationApplication. Application Layer Security. Protocols. Some Essentials. Attacking the Application Layer. SQL Injection
Application Layer Security Application Presentation Session TCP UDP IP Data Link Physical Protocols File Transfer Protocol (FTP) Telnet Simple Mail Transfer Protocol (SMTP) Hypertext Transfer Protocol
More informationSECURITY APPLICATIONS OF DYNAMIC BINARY TRANSLATION DINO DAI ZOVI THESIS. Submitted in Partial Fulfillment of the Requirements for the Degree of
SECURITY APPLICATIONS OF DYNAMIC BINARY TRANSLATION by DINO DAI ZOVI THESIS Submitted in Partial Fulfillment of the Requirements for the Degree of Bachelor of Science Computer Science The University of
More informationASSURE: Automatic Software Self- Healing Using REscue points. Automatically Patching Errors in Deployed Software (ClearView)
ASSURE: Automatic Software Self- Healing Using REscue points Automatically Patching Errors in Deployed Software (ClearView) Strategies for resolving vulnerabilities Techniques exist for detecting or preventing
More informationWill Dormann: Sure. Fuzz testing is a way of testing an application in a way that you want to actually break the program.
The Power of Fuzz Testing to Reduce Security Vulnerabilities Transcript Part 1: Why Fuzz Testing? Julia Allen: Welcome to CERT's podcast series: Security for Business Leaders. The CERT program is part
More informationRestraining Execution Environments
Restraining Execution Environments Segurança em Sistemas Informáticos André Gonçalves Contents Overview Java Virtual Machine: Overview The Basic Parts Security Sandbox Mechanisms Sandbox Memory Native
More informationSecurity Testing. How security testing is different Types of security attacks Threat modelling
Security Testing How security testing is different Types of security attacks Threat modelling Note: focus is on security of applications (not networks, operating systems) Security testing is about making
More informationExploiting Trustzone on Android
1 Introduction Exploiting Trustzone on Android Di Shen(@returnsme) retme7@gmail.com This paper tells a real story about exploiting TrustZone step by step. I target an implementation of Trusted Execution
More informationIS L06 Protect Servers and Defend Against APTs with Symantec Critical System Protection
IS L06 Protect Servers and Defend Against APTs with Symantec Critical System Protection Description Lab flow At the end of this lab, you should be able to Discover how to harness the power and capabilities
More informationPayment Card Industry (PCI) Terminal Software Security. Best Practices
Payment Card Industry (PCI) Terminal Software Security Best Version 1.0 December 2014 Document Changes Date Version Description June 2014 Draft Initial July 23, 2014 Core Redesign for core and other August
More informationIn the name of God. 1 Introduction. 2 General Plan
In the name of God Author: Soroush Dalili Email Address: irsdl {a7} yahoo {d07} com Website: Soroush.SecProject.com Title of Report: Finding vulnerabilities of YaFtp 1.0.14 (a client side FTP application)
More informationJava Web Application Security
Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting
More informationtelnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012
telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012 Content Part I Info Bug Telnet Exploit Part II Advanced Exploitation Meta Information Disclosed
More informationAutomated Faultinjection Series - Risk Management and Implementation
HEALERS: A Toolkit for Enhancing the Robustness and Security of Existing Applications Christof Fetzer, Zhen Xiao AT&T Labs Research 180 Park Avenue Florham Park, N.J. 07932 christof, xiao @research.att.com
More informationOperating System Overview. Otto J. Anshus
Operating System Overview Otto J. Anshus A Typical Computer CPU... CPU Memory Chipset I/O bus ROM Keyboard Network A Typical Computer System CPU. CPU Memory Application(s) Operating System ROM OS Apps
More informationUNCLASSIFIED Version 1.0 May 2012
Secure By Default: Platforms Computing platforms contain vulnerabilities that can be exploited for malicious purposes. Often exploitation does not require a high degree of expertise, as tools and advice
More informationSecure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines
Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines 1. Implement anti-virus software An anti-virus program is necessary to protect your computer from malicious programs,
More informationThe Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA
The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4
More informationCEN 559 Selected Topics in Computer Engineering. Dr. Mostafa H. Dahshan KSU CCIS mdahshan@ccis.ksu.edu.sa
CEN 559 Selected Topics in Computer Engineering Dr. Mostafa H. Dahshan KSU CCIS mdahshan@ccis.ksu.edu.sa Access Control Access Control Which principals have access to which resources files they can read
More informationMalware and Attacks Further reading:
Malware and Attacks Further reading: Dwan B., The Malapropisms of Malware, Computer Fraud & Security, Volume 2004, Number 3 (2004), pp. 13-16 Bradbury, D., The metamorphosis of malware writers, Computers
More informationApplication Security: Web service and E-Mail
Application Security: Web service and E-Mail (April 11, 2011) Abdou Illia Spring 2011 Learning Objectives Discuss general Application security Discuss Webservice/E-Commerce security Discuss E-Mail security
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY. 6.828 Operating System Engineering: Fall 2005
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.828 Operating System Engineering: Fall 2005 Quiz II Solutions Average 84, median 83, standard deviation
More informationSkyRecon Cryptographic Module (SCM)
SkyRecon Cryptographic Module (SCM) FIPS 140-2 Documentation: Security Policy Abstract This document specifies the security policy for the SkyRecon Cryptographic Module (SCM) as described in FIPS PUB 140-2.
More informationJonathan Worthington Scarborough Linux User Group
Jonathan Worthington Scarborough Linux User Group Introduction What does a Virtual Machine do? Hides away the details of the hardware platform and operating system. Defines a common set of instructions.
More informationMicrosoft STRIDE (six) threat categories
Risk-based Security Testing: Prioritizing Security Testing with Threat Modeling This lecture provides reference material for the book entitled The Art of Software Security Testing by Wysopal et al. 2007
More informationICTN 4040. Enterprise Database Security Issues and Solutions
Huff 1 ICTN 4040 Section 001 Enterprise Information Security Enterprise Database Security Issues and Solutions Roger Brenton Huff East Carolina University Huff 2 Abstract This paper will review some of
More informationSystem Calls and Standard I/O
System Calls and Standard I/O Professor Jennifer Rexford http://www.cs.princeton.edu/~jrex 1 Goals of Today s Class System calls o How a user process contacts the Operating System o For advanced services
More informationAdvanced IBM AIX Heap Exploitation. Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com
Advanced IBM AIX Heap Exploitation Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com Introduction Our society has become dependent on computers and network systems.
More information590.7 Network Security Lecture 2: Goals and Challenges of Security Engineering. Xiaowei Yang
590.7 Network Security Lecture 2: Goals and Challenges of Security Engineering Xiaowei Yang Roadmap What is security? Examples of secure systems Security properties Challenges What is security? System
More informationMobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus
Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques
More informationSoftware security specification and verification
Software security specification and verification Erik Poll Security of Systems (SoS) group Radboud University Nijmegen Software (in)security specification and verification/detection Erik Poll Security
More informationWeb Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange
More informationTurn the Page: Why now is the time to migrate off Windows Server 2003
Turn the Page: Why now is the time to migrate off Windows Server 2003 HP Security Research Contents Introduction... 1 What does End of Support mean?... 1 What End of Support doesn t mean... 1 Why you need
More information1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained
home Network Vulnerabilities Detail Report Grouped by Vulnerability Report Generated by: Symantec NetRecon 3.5 Licensed to: X Serial Number: 0182037567 Machine Scanned from: ZEUS (192.168.1.100) Scan Date:
More informationGDB Tutorial. A Walkthrough with Examples. CMSC 212 - Spring 2009. Last modified March 22, 2009. GDB Tutorial
A Walkthrough with Examples CMSC 212 - Spring 2009 Last modified March 22, 2009 What is gdb? GNU Debugger A debugger for several languages, including C and C++ It allows you to inspect what the program
More informationDiscovering passwords in the memory
Discovering passwords in the memory Abhishek Kumar (abhishek.kumar@paladion.net) November 2003 Escalation of privileges is a common method of attack where a low privileged user exploits a vulnerability
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More information