Detecting Return-to-libc Buffer Overflow Attacks Using Network Intrusion Detection Systems Presented By: Ankush Jindal(2009CS50234) Jatin Kumar(2009CS50243)

Slides:

Advertisements

Similar presentations

Smashing the Stack for Fun and Profit

Advertisements

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.

By Hiranmayi Pai Neeraj Jain

Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

CS252: Systems Programming Ninghui Li Final Exam Review.

Penetration Testing Security Analysis and Advanced Tools: Snort.

A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

TCP/IP Malicious Packet Detection (SQL Injection Detection) Ashok Parchuri.

Exploitation: Buffer Overflow, SQL injection, Adobe files Source:

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

3-Protecting Systems Dr. John P. Abraham Professor UTPA.

11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.

Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle.

Multi-part Messages in KMIP John Leiseboer, QuintessenceLabs.

Mitigation of Buffer Overflow Attacks

Detecting Targeted Attacks Using Shadow Honeypots Authors: K.G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A.D. Keromytis Published:

1 Chapter 9 Intruders. 2 Outline Intruders –Intrusion Techniques –Password Protection –Password Selection Strategies –Intrusion Detection Statistical.

Network Programming and Network Security Lane Thames Graduate Research Assistant.

Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,

Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.

Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.

Programming Faults Programming Errors that Lead to Compromised Systems.

Where’s the FEEB?: Effectiveness of Instruction Set Randomization Nora Sovarel, David Evans, Nate Paul University of Virginia Computer Science USENIX Security.

On the Effectiveness of Address-Space Randomization Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh.

Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.

Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.

Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.

Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

Network Intrusion Detection System (NIDS)

Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.

Koustav Sadhukhan, Rao Arvind Mallari and Tarun Yadav DRDO, Ministry of Defense, INDIA Cyber Attack Thread: A Control-flow Based Approach to Deconstruct.

@Yuan Xue Worm Attack Yuan Xue Fall 2012.

An Introduction To Gateway Intrusion Detection Systems Hogwash GIDS Jed Haile Nitro Data Systems.

HIPS. Host-Based Intrusion Prevention Systems  One of the major benefits to HIPS technology is the ability to identify and stop known and unknown attacks,

Shellcode COSC 480 Presentation Alison Buben.

Overflows Mark Shtern.

Mitigation against Buffer Overflow Attacks

Chapter 9 Intruders.

Protecting Memory What is there to protect in memory?

Protecting Memory What is there to protect in memory?

Module 30 (Unix/Linux Security Issues II)

Backdoor Attacks.

Protecting Memory What is there to protect in memory?

Secure Software Confidentiality Integrity Data Security Authentication

CSC 495/583 Topics of Software Security Stack Overflows (2)

Learning Snort Rules by Capturing Intrusions In Live Network Traffic

Learning Snort Rules by Capturing Intrusions In Live Network Traffic

Software Security Lesson Introduction

Chapter 9 Intruders.

Smashing the Stack for Fun and Profit

Lecture 3: Secure Network Architecture

Buffer Overflows.

CS5123 Software Validation and Quality Assurance

Session 20 INST 346 Technologies, Infrastructure and Architecture

FIGURE Illustration of Stack Buffer Overflow

Intrusion Detection Systems

Return-to-libc Attacks

Presentation transcript:

Detecting Return-to-libc Buffer Overflow Attacks Using Network Intrusion Detection Systems Presented By: Ankush Jindal(2009CS50234) Jatin Kumar(2009CS50243)

Buffer Overflow Attack ‘Buffer overflow’ is famous/infamous hacking technique in computer security. Buffer overflow conditions are caused by missed boundary checks of user-supplied data.

Smashing The Stack Give application a very long string with malicious code. The string length, being much larger than the space allocated in the stack. The return address now points to the beginning of the malicious code

Protection Against Buffer Overflow Attack Network Based Intrusion Detection and Prevention Systems. Host Based Protection Mechanisms. ◦ Stack based buffer overrun detection. ◦ Safe structured exception handling. ◦ DEP ◦ ASLR

Return-to-libc Attack Divert control flow of exploited program into libc code ◦ system(), printf(), No code injection required

Simulation of attack

Perpetrating the attack Attack: system(sh –c ‘wget /rshell’); chmod +x rshell;./rshell) Requests rshell program Receives rshell program Executes rshell program Attacker has remote shell

Detection of Return-to-libc Attack Rule 1: Indicative of remote connection brute force attempt. ◦ alert tcp /32 any -> any(msg:“Stack smashing brute force or DOA attack”; flow : to_client, established; flags:R; threshold: type both, track by_dst, count 5, seconds 5; priority: 1; classtype: attempted-user; sid: ;) Rule 2: Identify when a “wget” is attempted from the server. ◦ alert tcp /32 any -> any(content: "Wget"; msg:"wget request,possible malicious code download attempt";priority: 1;classtype:attempted-user; sid: ;)

Rule 2: Identify when a “wget” is attempted from the server. ◦ alert tcp /32 any -> any any(content: "Wget"; msg:"wget request,possible malicious code download attempt";priority: 1;classtype:attempted-user; sid: ;) Rule 3: Identify when “sh –c” is attempted from the server ◦ alert tcp any any -> /32 any (flow:to_server,established; content: "sh -c"; msg: "shell command sent from client, possible remoteattack";classtype:attempted-user; sid: ;)

Rule 3: Looks for a repeated concurrent 4 byte pattern which contains any character other than null byte characters i.e. 0x00. ◦ alert tcp any -> /24 80,443,20,25,110,143 (flow:to_server,established; pcre: ([^\x00]{4})\1; msg: "repeated words, possible stack overflow";classtype:attempted-user; sid: ; rev:3;)

Testing of Rules Streamed over 250MB of data over network to the application along with some attack strings. According to the authors no false positives were detected !! ◦ Really ?? Rules can be fine tuned by combining multiple of these keywords in one rule.

Our Work Simulating the attack as shown in the paper. ◦ Writing the network application (for victim server) ◦ Corresponding attack client ◦ Detection of the attack ◦ Testing of false positives Extending this idea to bypass ASLR security

References Detecting Return-to-libc Buffer Overflow Attacks Using Network Intrusion Detection Systems by David J Day, Zhengxu Zhao, Minhua Ma in 2010 Fourth International Conference on Digital Society

Rule 5: To detect if payload has “dup2” ◦ alert tcp any any -> /32 any(flow:to_client,established;content: "dup2"; msg: "dup2 in string table, possible remote shell attack";classtype:attempted- user; sid: ;) Rule 6: To detect if payload has “/bin/sh” ◦ alert tcp any any -> /32 any (flow:to_server,established; content:"/bin/sh"; msg: "binsh request, possibleremote shell attack";classtype:attempteduser; sid: ;)