@Yuan Xue Worm Attack Yuan Xue Fall 2012.

Presentation transcript:

@Yuan Xue Worm Attack Yuan Xue Fall 2012

Background

What is a worm?
- Self-propagating malicious code

History
- The Morris worm was one of the first worms distributed over the Internet
- Timeline of notable worms

Examples
- Code Red (2001): MS IIS
- Slammer (2003): MS SQL Server
- Samy (MySpace worm, 2005): XSS

Two topics
- System vulnerability
- Propagation model

Slammer (Sapphire) Worm

When: January 2003
How: buffer overflow in MS SQL Server / MS SQL Server Desktop Engine (known vulnerability, July 2002)
Scale: at least 74,000 hosts
Features
- Fast propagation speed (more than 55 million scans per second, two orders of magnitude faster than the Code Red worm)
- No harmful payload
Countermeasures
- Patch
- Firewall (port blocking)

Scale

[Map of infected hosts; figure not preserved in the transcript.] Caption: the diameter of each circle is a function of the logarithm of the number of infected machines, so large circles visually under-represent the number of infected cases in order to minimize overlap with adjacent locations.

Details of the Slammer Worm

SQL Server vulnerability
- The SQL Server Resolution Service (SSRS) contains a stack buffer overflow that allows an attacker to execute arbitrary code by sending a crafted request to port 1434/udp.
- The code within such a request is executed on the server host with the privileges of the SQL Server service account.

Slammer worm
- Crafts 376-byte packets and sends them to chosen IP addresses on port 1434/udp.
- Random scanning: target IP addresses are selected at random.
- If the packet reaches a vulnerable machine, that machine becomes infected and also begins to propagate.

Buffer Overflow

A buffer overflow is an anomalous condition in which a program writes data beyond the allocated end of a buffer in memory.

The techniques used to exploit a buffer overflow vulnerability vary per architecture, operating system and memory region:
- Heap-based buffer overflow
- Stack-based buffer overflow

Linux process memory layout
1. The program's code and data, consisting of the program's instructions and the initialized and uninitialized static and global data
2. Run-time heap (created using malloc/calloc)
3. User stack, used whenever a function call is made

Buffer Overflow: stack-based buffer overflow

An example (the local arrays buffer1 and buffer2 are placed in function's stack frame, below the saved frame pointer and the return address that main pushed):

    void function(int a, int b, int c) {
        char buffer1[5];    /* local arrays live on the stack, next to the */
        char buffer2[10];   /* saved frame pointer and the return address */
    }

    int main(void) {
        function(1, 2, 3);
        return 0;
    }

Buffer Overflow: stack-based buffer overflow

Overwriting a function's return address can in turn alter the program's execution path.

    #include <string.h>

    void function(char *str) {
        char buffer[16];
        strcpy(buffer, str);   /* no bounds check: a longer str is written past the end of buffer */
    }

    int main(void) {
        char *str = "I am greater than 16 bytes";  /* length of str = 27 bytes (26 characters plus the terminating NUL) */
        function(str);
        return 0;
    }

A function's return address is the address of the next instruction in memory, which is executed immediately after the function returns.

Buffer Overflow: stack-based buffer overflow

Overwriting a function's return address can in turn alter the program's execution path.
- A hacker can spawn a shell (with root permissions) by jumping the execution path to such code.
- If there is no such code in the program to be exploited:
  - Place the code to be executed in the buffer's overflowing area.
  - Overwrite the return address so it points back to the buffer and executes the intended code.
  - Such code can be inserted into the program using environment variables or program input parameters.
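The two slides above show the unchecked strcpy() into a 16-byte stack buffer. The block below is an added example, not code from the original slides: it keeps the same 16-byte buffer and the same 27-byte input and shows the two defensive forms a reviewer would ask for, rejecting over-long input outright (copy_checked / function_checked) or truncating while guaranteeing the NUL terminator (copy_truncating, which strncpy alone does not). All function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16  /* same size as the slide's char buffer[16] */

/* Hardened form 1: reject input that does not fit (including the NUL).
   Returns 0 on success, -1 when src would overflow dst. */
int copy_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_len) {
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened form 2: truncate but always NUL-terminate (strncpy alone does not
   guarantee the terminator). Returns strlen(src), so the caller detects
   truncation by checking whether the return value is >= dst_len. */
size_t copy_truncating(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0) {
        return n;
    }
    size_t k = (n < dst_len - 1) ? n : dst_len - 1;
    memcpy(dst, src, k);
    dst[k] = '\0';
    return n;
}

/* Counterpart of the slide's function(): returns 1 if str was accepted into
   the 16-byte stack buffer, 0 if it was rejected as too long. The return
   address above buffer can no longer be reached through this copy. */
int function_checked(const char *str) {
    char buffer[BUF_LEN];
    if (copy_checked(buffer, sizeof buffer, str) != 0) {
        return 0;
    }
    return 1;
}

int main(void) {
    const char *ok  = "fits in 16";
    const char *bad = "I am greater than 16 bytes";  /* 26 chars + NUL = 27 bytes */
    char out[BUF_LEN];

    printf("\"%s\" -> %s\n", ok,  function_checked(ok)  ? "accepted" : "rejected");
    printf("\"%s\" -> %s\n", bad, function_checked(bad) ? "accepted" : "rejected");
    if (copy_truncating(out, sizeof out, bad) >= sizeof out) {
        printf("truncated to \"%s\"\n", out);
    }
    return 0;
}
```

Rejecting is the safer default for protocol fields of known maximum size (the SSRS request in Slammer's case); truncation is acceptable only where a shortened value is still meaningful, and the caller must still check the return value so that a truncated value is not silently trusted.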

Propagation Model

Random scanning
- Initially spreads exponentially, then slows as the worm increasingly retries already-infected or immune addresses.
- Probe rate of the Code Red worm, a typical random-scanning worm [plot not preserved in the transcript]
- Probes of the Slammer worm from the DShield data set [plot not preserved in the transcript]
  - Initially matched the random-scanning model
  - Soon slowed down due to bandwidth saturation and network failures

Why Was Slammer So Fast?

Bandwidth constraint vs. delay constraint
- Slammer: 404-byte packets (376-byte payload), UDP based: bandwidth constrained. A single packet is a complete infection attempt, so the scan rate is limited only by how fast the host can push packets onto the link.
- Code Red: 4 KB, TCP based: delay constrained. Each infection attempt needs a TCP connection, so the scan rate is limited by round-trip latency rather than bandwidth.
UDP vs. TCP
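The two slides above describe the random-scanning growth curve (exponential at first, flattening as probes land on already-infected or immune addresses) and the bandwidth saturation that slowed Slammer further. The block below is an added example, not from the original slides or the Slammer paper: a discrete-time version of the simple epidemic (logistic) model with an optional aggregate bandwidth cap. The constants are constructed for illustration (an IPv4 address space of 2^32, the slide's roughly 74,000 vulnerable hosts, an assumed 4,000 probes per second per infected host, and an assumed 30 million probes per second network cap); all names are my own.

```c
#include <stdio.h>

/* Constructed parameters, loosely based on the slide's Slammer figures. */
#define ADDR_SPACE  4294967296.0  /* 2^32 IPv4 addresses */
#define VULNERABLE  74000.0       /* N: vulnerable hosts (slide: at least 74,000) */
#define SCAN_RATE   4000.0        /* r: probes per second per infected host (assumed) */

typedef struct {
    double addr_space;  /* A */
    double vulnerable;  /* N */
    double scan_rate;   /* r */
    double bw_cap;      /* aggregate probes/s the network can carry; 0 = unlimited */
} worm_params;

/* One time step of dt seconds. Every probe hits a uniformly random address,
   so only the fraction (N - I)/A of probes reach a not-yet-infected vulnerable
   host; the rest are wasted on infected or immune addresses, which is what
   flattens the curve. With a cap, total probes/s stop growing with I. */
double step(const worm_params *p, double infected, double dt) {
    double probes = p->scan_rate * infected;
    if (p->bw_cap > 0 && probes > p->bw_cap) {
        probes = p->bw_cap;  /* bandwidth saturation */
    }
    double newly = probes * (p->vulnerable - infected) / p->addr_space * dt;
    infected += newly;
    if (infected > p->vulnerable) {
        infected = p->vulnerable;
    }
    return infected;
}

/* Run `seconds` one-second steps from i0; returns the final infected count and,
   if trace is non-NULL, fills trace[0..seconds] with the trajectory. */
double simulate(const worm_params *p, double i0, int seconds, double *trace) {
    double infected = i0;
    if (trace) trace[0] = infected;
    for (int t = 1; t <= seconds; t++) {
        infected = step(p, infected, 1.0);
        if (trace) trace[t] = infected;
    }
    return infected;
}

/* Seconds until the infected population first reaches fraction * N, or -1. */
int time_to_fraction(const worm_params *p, double i0, double fraction, int max_seconds) {
    double infected = i0;
    for (int t = 0; t <= max_seconds; t++) {
        if (infected >= fraction * p->vulnerable) return t;
        infected = step(p, infected, 1.0);
    }
    return -1;
}

/* Convenience wrappers using the constructed Slammer-like constants. */
worm_params slammer_like(double bw_cap) {
    worm_params p = { ADDR_SPACE, VULNERABLE, SCAN_RATE, bw_cap };
    return p;
}

double infected_after(double bw_cap, double i0, int seconds) {
    worm_params p = slammer_like(bw_cap);
    return simulate(&p, i0, seconds, NULL);
}

int seconds_to_fraction(double bw_cap, double i0, double fraction) {
    worm_params p = slammer_like(bw_cap);
    return time_to_fraction(&p, i0, fraction, 24 * 3600);
}

int main(void) {
    double trace[301];
    worm_params p = slammer_like(0.0);
    simulate(&p, 10.0, 300, trace);
    for (int t = 0; t <= 300; t += 30) {
        printf("t=%3d s  infected=%8.0f\n", t, trace[t]);
    }
    printf("90%% infected: unlimited after %d s, with a 30M probes/s cap after %d s\n",
           seconds_to_fraction(0.0, 10.0, 0.9), seconds_to_fraction(30e6, 10.0, 0.9));
    return 0;
}
```

With these constants the uncapped curve doubles roughly every ten seconds and saturates within a few minutes, while the capped run turns linear once r * I exceeds the cap, which is the slowdown the DShield probe data showed. The model is expected-value only (no randomness, no per-host variation) and says nothing about the network failures the slide also mentions.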

How to Defend?

Buffer overflow
- Write secure code
  - Use of safe libraries
- Compiler tools
  - Choice of programming language
- Dynamic run-time checks
  - Executable space protection
  - Stack-smashing protection

Worm
- Patch
  - MS had released the patch before the worm attack happened
- Firewall
- IDS
  - Deep packet inspection
- Architecture
  - Address space layout randomization
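The firewall and IDS items above map directly onto what the earlier slides say about Slammer's traffic: UDP to port 1434 carrying a 404-byte packet (376-byte payload), sprayed at random addresses. The block below is an added example, not from the original slides: it runs a port-blocking rule, a length-based IDS rule and a fan-out (random-scanning) heuristic over a constructed trace of packet summaries. The trace, the struct layout and all function names are my own; the addresses are documentation ranges chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *src;   /* source IP */
    const char *dst;   /* destination IP */
    int proto;         /* IP protocol number: 17 = UDP, 6 = TCP */
    int dst_port;
    int length;        /* IP total length in bytes */
} pkt_record;

enum { PROTO_TCP = 6, PROTO_UDP = 17, SSRS_PORT = 1434, SLAMMER_PKT_LEN = 404 };

/* Constructed sample trace: three worm-style probes from one host fanning out to
   unrelated addresses, one legitimate SSRS lookup, one TCP SQL session, one HTTP request. */
const pkt_record sample_packets[] = {
    {"10.0.0.5", "192.0.2.10",   PROTO_UDP, SSRS_PORT, SLAMMER_PKT_LEN},
    {"10.0.0.5", "198.51.100.7", PROTO_UDP, SSRS_PORT, SLAMMER_PKT_LEN},
    {"10.0.0.5", "203.0.113.9",  PROTO_UDP, SSRS_PORT, SLAMMER_PKT_LEN},
    {"10.0.0.8", "10.0.0.20",    PROTO_UDP, SSRS_PORT, 60},
    {"10.0.0.8", "10.0.0.20",    PROTO_TCP, 1433,      404},
    {"10.0.0.9", "192.0.2.10",   PROTO_TCP, 80,        404},
};
const int sample_count = sizeof sample_packets / sizeof sample_packets[0];

/* Firewall port-blocking rule: drop all UDP to 1434, regardless of content.
   Note it also drops the legitimate SSRS lookup (record 4). */
int firewall_blocks(const pkt_record *p) {
    return p->proto == PROTO_UDP && p->dst_port == SSRS_PORT;
}

/* IDS rule: UDP/1434 whose total length matches the worm's 404-byte packet.
   Narrower than the port rule, so the legitimate 60-byte lookup passes. */
int ids_flags(const pkt_record *p) {
    return firewall_blocks(p) && p->length == SLAMMER_PKT_LEN;
}

int count_matches(const pkt_record *pkts, int n, int (*rule)(const pkt_record *)) {
    int hits = 0;
    for (int i = 0; i < n; i++) {
        hits += rule(&pkts[i]);
    }
    return hits;
}

/* Scanning heuristic: number of distinct UDP/1434 destinations per source. A
   random-scanning worm fans out to many unrelated addresses; a real client
   talks to a handful of servers. */
int distinct_targets(const pkt_record *pkts, int n, const char *src) {
    const char *seen[64];
    int count = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(pkts[i].src, src) != 0 || !firewall_blocks(&pkts[i])) continue;
        int dup = 0;
        for (int j = 0; j < count; j++) {
            if (strcmp(seen[j], pkts[i].dst) == 0) { dup = 1; break; }
        }
        if (!dup && count < 64) seen[count++] = pkts[i].dst;
    }
    return count;
}

int main(void) {
    printf("firewall would drop %d of %d packets\n",
           count_matches(sample_packets, sample_count, firewall_blocks), sample_count);
    printf("IDS length rule flags %d packets\n",
           count_matches(sample_packets, sample_count, ids_flags));
    printf("10.0.0.5 probed %d distinct hosts on udp/1434; 10.0.0.8 probed %d\n",
           distinct_targets(sample_packets, sample_count, "10.0.0.5"),
           distinct_targets(sample_packets, sample_count, "10.0.0.8"));
    return 0;
}
```

The three rules trade precision for coverage: the port block stops the worm but also breaks legitimate SSRS lookups across the perimeter, the length rule is precise for this one worm but trivially evaded by any variant, and the fan-out heuristic keys on the random-scanning behaviour itself rather than on a fixed signature.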

References

Worm
- A Taxonomy of Computer Worms
- en.wikipedia.org/wiki/Computer_worm

Slammer Worm
- letter.mspx
- Inside the Slammer Worm, IEEE S&P 2003
- Network Telescope