Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.


 Managed execution environments vs. native (compiled) code
◦ The majority of web applications are now written using languages and platforms that run in a managed execution environment, in which the classic memory-corruption vulnerabilities do not arise.
◦ C# and Java: managed runtimes; application code does not need to worry about these vulnerabilities.
◦ C and C++: native code; exposed to all of them.
 If a web application has at least some parts written in native code (for example, components running on hardware devices), that is an opportunity to attack.

 Main categories of classic software vulnerability
◦ Buffer overflows
◦ Integer vulnerabilities
◦ Format string bugs (won't be explained)
 For each one
◦ Description of the vulnerability (as well as I can...)
◦ Example: makes everything easier to understand!
◦ Practical steps to probe for the vulnerability
 One consistent problem: probing for these vulnerabilities is very likely to cause a denial of service in the application (and cause it to stop functioning) if it is vulnerable.

 Buffer overflow vulnerabilities occur when an application copies user-controllable data into a memory buffer that is not sufficiently large to accommodate it.
 The destination buffer is overflowed, and adjacent memory is overwritten with the user's data.
 You may be able to exploit this overwrite to execute arbitrary code.

 Stack Overflows
◦ Typically happen when an application uses an unbounded copy operation (such as strcpy in C) to copy a variable-size buffer into a fixed-size buffer without verifying that the fixed-size buffer is large enough.
◦ Example: This function copies the username string into a fixed-size buffer allocated on the stack.
◦ If the username string is longer than the buffer (32 characters; an unbounded copy also writes the terminating null), the _username buffer is overflowed, and the attacker overwrites the data in adjacent memory.

◦ The function's saved return address sits on the stack above its local buffers. If an attacker can overflow the _username buffer, he can overwrite the saved return address with a value of his choosing; when the function returns, the processor jumps to that address and executes arbitrary code.
◦ That's how it works!

 Heap Overflows
◦ Heap-based buffer overflows involve the same kind of unsafe copy operation as described previously, except that the overflowed destination buffer is allocated on the heap, not the stack.
◦ In a heap-based buffer overflow, what is typically adjacent to the destination buffer is not a saved return address but other blocks of heap memory, separated by heap control structures.
◦ When a heap buffer is overflowed, the control structure of an adjacent heap block is overwritten with user-controllable data.

◦ This type of vulnerability is less straightforward to exploit than a stack-based overflow, but a common approach is to write crafted values into the overwritten heap control structure so that, when the heap manager later processes that block, it performs an arbitrary overwrite of a critical pointer.
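The slide's code was not captured in the transcript, so the following is an added example (not the book's or the presenter's code) covering both the stack and heap overflow slides above. It reconstructs the shape the text describes, a login check that copies a username into a fixed 32-byte buffer with an unbounded strcpy, once with the buffer on the stack and once on the heap, and puts a bounded, NUL-terminating copy beside them. The function names, the 32-byte size and the comparison against "admin" are assumptions; the vulnerable variants are shown only for their shape and are never called with oversize input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define USERNAME_LEN 32   /* assumed buffer size, matching the slide's "32 characters" */

/* Vulnerable stack variant (illustration only, never call with untrusted
 * input): unbounded strcpy into a 32-byte stack buffer. A username of 32 or
 * more characters overruns _username and overwrites whatever sits above it
 * in the frame, including the saved return address. */
bool check_login_stack_vuln(const char *username)
{
    char _username[USERNAME_LEN];
    strcpy(_username, username);                /* no length check */
    return strcmp(_username, "admin") == 0;     /* "admin" is a placeholder */
}

/* Vulnerable heap variant: the same unbounded copy, destination on the heap.
 * Here the overrun lands on the control structure of the next heap chunk. */
bool check_login_heap_vuln(const char *username)
{
    char *_username = malloc(USERNAME_LEN);
    if (_username == NULL) return false;
    strcpy(_username, username);                /* no length check */
    bool ok = strcmp(_username, "admin") == 0;
    free(_username);
    return ok;
}

/* Predicts whether an input overruns the fixed buffer under the vulnerable
 * copy above: strcpy writes strlen(username) + 1 bytes (the terminator). */
bool overflows_fixed_buffer(const char *username)
{
    return strlen(username) + 1 > USERNAME_LEN;
}

/* Hardened copy: bounded by the destination size, always NUL-terminated,
 * and rejects oversize input rather than truncating it silently.
 * Returns 0 on success, -1 if the input does not fit. */
int copy_username_safe(char *dst, size_t dstlen, const char *username)
{
    size_t n = strlen(username);
    if (dstlen == 0 || n >= dstlen) return -1;
    memcpy(dst, username, n);
    dst[n] = '\0';
    return 0;
}

/* Same check, built on the bounded copy; works for a stack or heap buffer. */
bool check_login_safe(const char *username)
{
    char _username[USERNAME_LEN];
    if (copy_username_safe(_username, sizeof _username, username) != 0)
        return false;                           /* rejected, nothing copied */
    return strcmp(_username, "admin") == 0;
}

int main(void)
{
    char longname[64];                          /* constructed 63-byte input */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("\"admin\" overflows a %d-byte buffer? %d\n", USERNAME_LEN,
           overflows_fixed_buffer("admin"));
    printf("63 x 'A' overflows a %d-byte buffer? %d\n", USERNAME_LEN,
           overflows_fixed_buffer(longname));
    printf("safe login(\"admin\") = %d, safe login(63 x 'A') = %d\n",
           check_login_safe("admin"), check_login_safe(longname));
    /* check_login_stack_vuln(longname) would smash the stack here: not run. */
    return 0;
}
```

Note that the hardened version rejects a 32-character username even though 32 bytes fit in the buffer: the terminating null needs the 33rd byte, which is exactly the byte the vulnerable strcpy writes out of bounds.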

 “Off-by-One” Vulnerabilities
◦ A specific kind of overflow vulnerability arises where a programming error enables an attacker to write a single byte (or a small number of bytes) beyond the end of an allocated buffer, typically the terminating null written one position past a buffer that has been filled to capacity.
◦ A related bug is a copy that never writes the terminating null at all: when the application later parses the buffer as a string (for example, the request parameters), it reads on until the next null byte in adjacent memory, and so includes data supplied by another user.
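Added example (not the book's or the presenter's code) for the two off-by-one cases above. The first function reconstructs the classic shape: a counted loop that stops after 32 characters and then writes the terminator at index 32, one byte past a 32-byte buffer; it returns the index where it wrote the null so the overrun is visible without actually corrupting memory (the caller passes a larger scratch buffer). The second is the corrected loop. The third shows the unterminated-buffer case in a flat array that stands in for the buffer and the memory adjacent to it. The buffer size of 32 and the field names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_LEN 32   /* assumed buffer size, matching the stack example */

/* Vulnerable copy: the loop stops once `limit` characters have been copied,
 * but the terminator is then written at dst[i] with i == limit, which is one
 * byte past a buffer of exactly `limit` bytes. Returns the index of the NUL.
 * Pass a dst larger than `limit` when experimenting so the demo itself stays
 * in bounds. */
size_t copy_username_offbyone(char *dst, const char *src, size_t limit)
{
    size_t i;
    for (i = 0; src[i] != '\0' && i < limit; i++)
        dst[i] = src[i];
    dst[i] = '\0';                    /* i can equal limit: off by one */
    return i;
}

/* Corrected copy: one slot is reserved for the terminator, so the NUL index
 * is at most dstlen - 1. Returns the index of the NUL. */
size_t copy_username_fixed(char *dst, const char *src, size_t dstlen)
{
    size_t i;
    if (dstlen == 0) return 0;
    for (i = 0; src[i] != '\0' && i < dstlen - 1; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

/* The related failure: an 8-byte buffer filled to capacity with no NUL.
 * `mem` is one flat region standing in for the buffer (first 8 bytes) and
 * the memory next to it (another user's data). Reading the buffer as a C
 * string walks straight through into the neighbour. */
size_t bytes_read_from_unterminated(void)
{
    char mem[24];
    memset(mem, 0, sizeof mem);
    memcpy(mem, "AAAAAAAA", 8);       /* constructed: 8 bytes, no terminator */
    memcpy(mem + 8, "user=bob", 9);   /* constructed: adjacent, NUL-terminated */
    return strlen(mem);               /* 16: "AAAAAAAAuser=bob" */
}

int main(void)
{
    char scratch[64];
    const char *longname = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";

    printf("off-by-one copy wrote NUL at index %zu (buffer holds %d)\n",
           copy_username_offbyone(scratch, longname, USERNAME_LEN), USERNAME_LEN);
    printf("fixed copy wrote NUL at index %zu\n",
           copy_username_fixed(scratch, longname, USERNAME_LEN));
    printf("strlen of unterminated 8-byte buffer: %zu\n",
           bytes_read_from_unterminated());
    return 0;
}
```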

 Detecting Buffer Overflow Vulnerabilities
◦ The basic methodology for detecting buffer overflow vulnerabilities is to send long strings of data to an identified target and monitor for anomalous results.
◦ Target one item of data at a time, to maximize the coverage of code paths within the application.
◦ Monitor the application's responses to identify any anomalies. An uncontrolled overflow is almost certain to cause an exception in the application. Detecting when this has occurred in a remote process is difficult, but there are anomalous events to look for.

◦ What are they?
 An HTTP 500 status code or error message, where other malformed (but not overlong) input does not have the same effect.
 An informative message indicating that a failure occurred in some native code component.
 A partial or malformed response is received from the server.
 The TCP connection to the server closes abruptly without returning a response.
 The entire web application stops responding.
◦ Keep the rest of the request valid so that it passes the application's input validation and actually reaches the native code.
◦ But remember that buffer overflow probes can crash the application!

 Integer-related vulnerabilities typically arise when an application performs some arithmetic on a length value before performing a buffer operation, but fails to take account of the way compilers and processors handle integers (fixed width, and signed vs. unsigned).
 Two types of integer bugs are worthy of note: overflows and signedness errors.

 Integer Overflows
◦ These occur when an operation on an integer value causes it to increase above its maximum possible value or decrease below its minimum possible value. When this occurs, the number wraps, so a very large number becomes very small or vice versa.
◦ Let's take a look at this with one example.

◦ Here, the application measures the length of the user-submitted username, adds 1 to accommodate the trailing null, allocates a buffer of the resulting size, and then copies the username into it. With normal-sized input, this code behaves as intended. However, if the user submits a username of 65,535 characters, an integer overflow occurs. The length is stored in a 16-bit (unsigned short) integer, whose value ranges from 0 to 65,535. When a string of length 65,535 is submitted, the program adds 1 to this, and the value wraps to 0. A zero-length buffer is allocated, and the long username is copied into it, causing a heap overflow. The attacker has effectively subverted the programmer's attempt to ensure that the destination buffer is large enough.
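Added example (not the book's or the presenter's code) of the 16-bit wrap described above. The size computation is returned rather than passed straight to malloc, so the wrap from 65,535 + 1 to 0 can be observed; the full vulnerable allocate-and-copy path is shown for its shape but never run on long input. The hardened version keeps the length in size_t, checks that the addition cannot wrap, applies an explicit upper limit, and copies with a count tied to the size it allocated. Function names and the limit parameter are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Vulnerable size computation: the length plus one is stored in a 16-bit
 * unsigned short. For a 65,535-character username the sum is 65,536, which
 * does not fit and wraps to 0 (conversion to unsigned is modulo 2^16). */
unsigned short alloc_size_vuln(size_t username_len)
{
    unsigned short len = username_len + 1;     /* silently truncated to 16 bits */
    return len;
}

/* Vulnerable allocation path (illustration only): when len has wrapped,
 * malloc gets 0 (or some tiny size) and the unbounded strcpy overruns the
 * heap chunk. Never call with a 65,535-character string. */
char *dup_username_vuln(const char *username)
{
    unsigned short len = strlen(username) + 1;
    char *_username = malloc(len);
    if (_username == NULL) return NULL;
    strcpy(_username, username);               /* heap overflow if len wrapped */
    return _username;
}

/* Returns true if storing len + 1 in a 16-bit field would wrap. Useful as
 * a check in code review or as a probe-length oracle. */
bool wraps_in_u16(size_t username_len)
{
    return username_len + 1 > UINT16_MAX;
}

/* Hardened: size_t arithmetic, an explicit policy limit, an overflow check
 * on the addition, and a copy whose count is the allocated size.
 * Returns NULL when the input is rejected or allocation fails. */
char *dup_username_safe(const char *username, size_t max_len)
{
    size_t n = strlen(username);
    if (n > max_len) return NULL;              /* policy limit (assumed) */
    if (n > SIZE_MAX - 1) return NULL;         /* n + 1 would wrap size_t */
    size_t len = n + 1;
    char *_username = malloc(len);
    if (_username == NULL) return NULL;
    memcpy(_username, username, len);          /* copies the terminator too */
    return _username;
}

int main(void)
{
    printf("len 31    -> alloc %u\n", alloc_size_vuln(31));
    printf("len 65534 -> alloc %u\n", alloc_size_vuln(65534));
    printf("len 65535 -> alloc %u (wrapped to zero)\n", alloc_size_vuln(65535));
    printf("len 65536 -> alloc %u (wrapped)\n", alloc_size_vuln(65536));

    char *u = dup_username_safe("admin", 65535);   /* constructed input */
    printf("safe dup: %s\n", u ? u : "(rejected)");
    free(u);
    printf("safe dup of oversize input rejected: %d\n",
           dup_username_safe("toolongname", 4) == NULL);
    return 0;
}
```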

 Signedness Errors
◦ These occur when an application uses both signed and unsigned integers to measure the lengths of buffers, and confuses them at some point.
◦ When a signed value is treated as its unsigned equivalent, a negative number becomes a large positive number.
◦ Same sentence as before: Let's see how it works!

◦ Here, the function takes both the user-supplied username and a signed integer indicating its length. The programmer creates a fixed-size buffer on the stack, checks whether the length is less than the size of the buffer, and if so performs a counted buffer copy, designed to ensure that the buffer is not overflowed.
◦ If the len parameter is a positive number, this code behaves as intended. However, if an attacker can cause a negative value to be passed in to the function, the programmer's protective check is subverted. The comparison with 32 still succeeds, because the compiler treats both numbers as signed integers. Hence, the negative length is passed to the strncpy function as its count parameter. Because strncpy takes an unsigned integer (size_t) as this parameter, the compiler implicitly converts the value of len to that type, so the negative value is treated as a large positive number. If the user-supplied username string is longer than 32 bytes, the buffer is overflowed just as in a standard stack-based overflow.
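Added example (not the book's or the presenter's code) reconstructing the signedness bug above. The signed comparison and the implicit conversion to size_t are pulled out into two small functions so the bypass can be checked directly: a length of -1 passes the `len < 32` test and reaches strncpy as SIZE_MAX. The vulnerable function is shown for its shape and is never called with a negative length. The hardened version rejects negative lengths explicitly before converting; using an unsigned length parameter throughout is the other standard fix. The buffer size of 32, the function names and the "admin" comparison are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define USERNAME_LEN 32   /* assumed buffer size, matching the slide's "32" */

/* The check as the vulnerable code performs it: both operands are signed,
 * so any negative len compares as less than 32 and passes. */
bool length_check_passes(int len)
{
    return len < USERNAME_LEN;
}

/* What strncpy actually receives: its count parameter is size_t, so a
 * negative int is converted to a huge unsigned value. */
size_t count_passed_to_strncpy(int len)
{
    return (size_t)len;
}

/* Vulnerable function (illustration only, never call with len < 0).
 * With len == -1 the check passes and strncpy is asked for SIZE_MAX bytes:
 * it copies the whole source string and then pads with NULs, far beyond
 * the 32-byte buffer. */
bool check_login_vuln(const char *username, int len)
{
    char _username[USERNAME_LEN];
    if (len < USERNAME_LEN) {                    /* signed compare: -1 < 32 */
        strncpy(_username, username, len);       /* count is (size_t)len */
        _username[USERNAME_LEN - 1] = '\0';
        return strcmp(_username, "admin") == 0;
    }
    return false;
}

/* Hardened: reject negative lengths before any conversion, and leave room
 * for the terminator. `len` is the caller's declared number of valid bytes
 * at `username`; the function reads exactly that many. */
bool check_login_safe(const char *username, int len)
{
    char _username[USERNAME_LEN];
    if (len < 0 || (size_t)len >= USERNAME_LEN)
        return false;                            /* negative or too long */
    memcpy(_username, username, (size_t)len);
    _username[len] = '\0';
    return strcmp(_username, "admin") == 0;
}

int main(void)
{
    int lens[] = { 5, 40, -1 };                  /* constructed lengths */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len %d: check passes=%d, strncpy count=%zu\n", lens[i],
               length_check_passes(lens[i]), count_passed_to_strncpy(lens[i]));
    printf("safe login(\"admin\", 5)=%d, safe login(\"admin\", -1)=%d\n",
           check_login_safe("admin", 5), check_login_safe("admin", -1));
    return 0;
}
```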

 Detecting Integer Vulnerabilities
◦ Naturally, the primary locations to probe for integer vulnerabilities are any instances where an integer value is submitted from the client to the server.
◦ Having identified targets for testing, you need to send suitable payloads designed to trigger any vulnerabilities. For each item of data being targeted, send a series of different values in turn, representing boundary cases for the signed and unsigned versions of different sizes of integer. For example:
 0x7f and 0x80 (127 and 128)
 0xff and 0x100 (255 and 256)
 0xffff and 0x10000 (65535 and 65536)
◦ Monitor the application's responses for anomalous events, in the same way as described for buffer overflow vulnerabilities.
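Added example (not the book's or the presenter's code) serving both detection slides, the buffer overflow one and the integer one. It generates the two kinds of probe payload (a long string of a chosen length, and the signed/unsigned boundary values for a list of integer widths, which for 8, 16 and 32 bits yields the slide's list plus the 16- and 32-bit signed boundaries) and applies the slide's list of anomalous events to a recorded response, comparing against a control response for malformed-but-short input so that a 500 the application returns anyway is not counted as evidence. Sending the requests and recording responses is left to whatever client you use; the `probe_result` record and its field names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Fill `out` (which must hold n + 1 bytes) with an n-character probe string. */
char *make_long_probe(char *out, size_t n, char fill)
{
    memset(out, fill, n);
    out[n] = '\0';
    return out;
}

/* Boundary values for each integer width: the largest signed value and the
 * next one (which flips negative when read as signed), then the largest
 * unsigned value and the next one (which wraps to zero). Returns how many
 * values were written; at most 4 per width. */
size_t int_boundaries(uint64_t *out, size_t cap,
                      const unsigned *widths, size_t nwidths)
{
    size_t n = 0;
    for (size_t w = 0; w < nwidths && n + 4 <= cap; w++) {
        unsigned bits = widths[w];
        uint64_t umax = (bits >= 64) ? UINT64_MAX : (((uint64_t)1 << bits) - 1);
        uint64_t smax = umax >> 1;
        out[n++] = smax;                         /* 0x7f..: largest signed */
        out[n++] = smax + 1;                     /* 0x80..: negative if signed */
        out[n++] = umax;                         /* 0xff..: largest unsigned */
        if (bits < 64) out[n++] = umax + 1;      /* 0x100..: wraps to 0 */
    }
    return n;
}

/* One recorded response, as a probe harness would capture it. status 0 means
 * no HTTP response came back at all. */
struct probe_result {
    int  status;             /* HTTP status code, 0 if none */
    bool complete;           /* response fully received and well-formed */
    bool conn_closed;        /* TCP connection closed without a response */
    bool timed_out;          /* nothing at all before the timeout */
    bool native_error_msg;   /* body reports a failure in a native component */
};

enum anomaly {
    AN_NONE, AN_SERVER_ERROR, AN_NATIVE_ERROR,
    AN_PARTIAL_RESPONSE, AN_CONN_CLOSED, AN_UNRESPONSIVE
};

/* The slide's anomalous events, most severe first. `control` is the result
 * for a malformed but short value in the same parameter. */
enum anomaly classify(const struct probe_result *r,
                      const struct probe_result *control)
{
    if (r->timed_out) return AN_UNRESPONSIVE;
    if (r->conn_closed) return AN_CONN_CLOSED;
    if (r->native_error_msg) return AN_NATIVE_ERROR;
    if (r->status >= 500 && control->status < 500) return AN_SERVER_ERROR;
    if (!r->complete) return AN_PARTIAL_RESPONSE;
    return AN_NONE;
}

int main(void)
{
    uint64_t vals[16];
    unsigned widths[] = { 8, 16, 32 };
    size_t n = int_boundaries(vals, 16, widths, 3);
    for (size_t i = 0; i < n; i++)
        printf("integer probe %zu: %llu\n", i, (unsigned long long)vals[i]);

    char probe[1025];
    make_long_probe(probe, 1024, 'A');           /* constructed 1024-byte string */
    printf("string probe length: %zu\n", strlen(probe));

    /* Constructed results standing in for captured responses. */
    struct probe_result control = { 400, true,  false, false, false };
    struct probe_result crash   = { 500, true,  false, false, false };
    struct probe_result closed  = {   0, false, true,  false, false };
    printf("500 where control gave 400: anomaly %d\n", classify(&crash, &control));
    printf("connection closed, no response: anomaly %d\n", classify(&closed, &control));
    return 0;
}
```

Send the probes one parameter at a time, keeping every other parameter valid, and record the control result first; without it, an application that answers 500 to any malformed value would be misread as overflowing.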

 If you are interested, I invite you to look at Chapter 15 in the book! Not able to explain! I won't pretend!

 Most web applications run in a managed execution environment in which the classic software flaws described in this chapter do not arise. However, in occasional cases these kinds of vulnerabilities are highly relevant, and they have been found to affect many web applications running on hardware devices and in other unmanaged environments.
 But unfortunately for the hacker (that you are!), in most cases these flaws are very difficult to exploit given only remote access to the vulnerable application.
 And, in contrast to most other types of web application vulnerability, even the act of probing for classic software flaws is highly likely to cause a denial-of-service condition if the application is vulnerable.

 Hope you got something from this presentation!