Application and OS Attacks

Slide 1: Application and OS Attacks

Slide 2: Attack Phases
 Phase 1: Reconnaissance
 Phase 2: Scanning
 Phase 3: Gaining access
  o Application/OS attacks
  o Network attacks/DoS attacks
 Phase 4: Maintaining access
 Phase 5: Covering tracks and hiding

Slide 3: So Far…
 Recon and Scanning completed
 Attacker has inventory of target system and possible vulnerabilities
 How to exploit vulnerabilities?
  o Application & OS attacks (this chapter)
  o Network-based attacks (next chapter)

Slide 4: Main Topics
 Buffer Overflow
  o Stack, heap, and integer overflow
 Passwords
 Web-based attacks
  o Session tracking, SQL injection, …
  o Browser flaws

Slide 5: Script Kiddies
 Attacks are widely available
  o French Security Response Team (FrSIRT)
  o Packet Storm Security
  o Bugtraq Archives
  o Metasploit Project
 Little or no knowledge required

Slide 6: FrSIRT

Slide 7: Sophisticated Attacks
 Next, we consider common attacks
 Useful to understand how attacks work
 Advanced attackers can use these for
  o Original attacks
  o More clever uses of existing attacks

Slide 8: Buffer Overflow

Slide 9: Some C Code

Slide 10: The Stack

Slide 11: Vulnerable C Code

Slide 12: Stack for Vulnerable Code

Slide 13: Smashed Stack

Slide 14: Typical Exploit

Slide 15: Heap Overflow Vulnerability

Slide 16: Heap

Slide 17: Heap: Normal and Attack

Slide 18: Typical Attack Scenario
 Users enter data into a Web form
 Web form is sent to server
 Server writes data to buffer, without checking length of input data
 Data overflows from buffer
 Sometimes, overflow can enable an attack
 Web form attack could be carried out by anyone with an Internet connection

Slide 19: Buffer Overflow
 Q: What happens when this is executed?

    int main() {
        int buffer[10];
        buffer[20] = 37;
    }

 A: Depends on what resides in memory at location “buffer[20]”
  o Might overwrite user data or code
  o Might overwrite system data or code

Slide 20: Simple Buffer Overflow
 Consider boolean flag for authentication
 Buffer overflow could overwrite flag allowing anyone to authenticate!
    [Diagram: input “FOURSC…” overflows the buffer into the adjacent Boolean flag, flipping it from F to T]
 In some cases, attacker need not be so lucky as to have overflow overwrite flag

Slide 21: Memory Organization
 Text == code
 Data == static variables
 Heap == dynamic data
 Stack == “scratch paper”
  o Dynamic local variables
  o Parameters to functions
  o Return address
    [Diagram: from low address to high address: text, data, heap, then stack; SP marks the stack pointer]

Slide 22: Simplified Stack Example

    void func(int a, int b) {
        char buffer[10];
    }

    int main(void) {
        func(1, 2);
        return 0;
    }

    [Diagram: stack frame from high to low address: b, a, ret (return address), buffer; SP marks the top of the stack]

Slide 23: Smashing the Stack
 What happens if buffer overflows?
    [Diagram: the overflow runs upward from buffer and overwrites ret]
 Program “returns” to wrong location
 A crash is likely

Slide 24: Smashing the Stack
 Trudy has a better idea…
    [Diagram: buffer is filled with evil code, and the overwritten ret points back into that code]
 Code injection
 Trudy can run code of her choosing!

Slide 25: Smashing the Stack
 Trudy may not know
  o Address of evil code
  o Location of ret on stack
 Solutions
  o Precede evil code with NOP “landing pad”
  o Insert lots of new ret
    [Diagram: stack filled with many copies of the new ret, then a run of NOPs, then the evil code]

Slide 26: Stack Smashing Summary
 A buffer overflow must exist in the code
 Not all buffer overflows are exploitable
  o Things must line up just right
 If exploitable, attacker can inject code
 Trial and error likely required
  o Lots of help available online
  o Smashing the Stack for Fun and Profit, Aleph One
 Also heap overflow, integer overflow, etc.
 Stack smashing is “attack of the decade”

Slide 27: Stack Smashing Example
 Program asks for a serial number that the attacker does not know
 Attacker does not have source code
 Attacker does have the executable (exe)
 Program quits on incorrect serial number

Slide 28: Example
 By trial and error, attacker discovers an apparent buffer overflow
 Note that 0x41 is “A”
 Looks like ret overwritten by 2 bytes!

Slide 29: Example
 Next, disassemble bo.exe to find
 The goal is to exploit buffer overflow to jump to address 0x401034

Slide 30: Example
 Find that 0x is “” in ASCII
 Byte order is reversed? Why?
 X86 processors are “little-endian”

Slide 31: Example
 Reverse the byte order to “ ” and…
 Success! We’ve bypassed serial number check by exploiting a buffer overflow
 Overwrote the return address on the stack

Slide 32: Example
 Attacker did not require access to the source code
 Only tool used was a disassembler to determine address to jump to
 May be possible to find address by trial and error
  o Necessary if attacker does not have exe

Slide 33: Example
 Source code for bo example:
 Note: Flaw easily found by attacker
  o Without the source code!

Slide 34: Stack Smashing Prevention
 Employ non-executable stack
  o “No execute” NX bit (if available)
  o Seems like the logical thing to do, but some real code executes on the stack (Java does this)
 Use safe languages (Java, C#)
 Use safer C functions
  o For unsafe functions, there are safer versions
  o For example, strncpy instead of strcpy

Slide 35: Stack Smashing Prevention
 Canary
  o Run-time stack check
  o Push canary onto stack
  o Canary value could be…
     Constant 0x000aff0d
     Or depends on ret
    [Diagram: the canary sits between buffer and ret, so an overflow from buffer must overwrite the canary before it reaches ret]

Slide 36: Microsoft’s Canary
 Microsoft added buffer security check feature to C++ with /GS compiler flag
 Uses canary (or “security cookie”)
 Q: What to do when canary dies?
 A: Check for user-supplied handler
 Handler may be subject to attack
  o Claimed that attacker can specify handler code
  o If so, “safe” buffer overflows become exploitable when /GS is used!

Slide 37: ASLR
 Address Space Layout Randomization
  o Randomize location of code in memory
 Makes buffer overflow attacks probabilistic
  o Address to jump to is “random”
 Vista uses ASLR
  o With 256 “random” layouts (roughly)
  o So only 1/256 chance attack succeeds
 Similar thing is done in Mac OS X

Slide 38: ASLR
 A form of computing “diversity”
 Works well with NX
 Tricky to implement
 Not a panacea
  o There is no substitute for correct code
 For more info…
  o See slides here

Slide 39: Buffer Overflow
 The “attack of the decade” for 90’s
  o Will be the attack of the decade for 00’s
 Can be greatly reduced
  o ASLR, NX, etc.
  o Use safe languages/safer functions
  o Educate developers, use tools, etc.
 Buffer overflows will exist for a long time
  o Legacy code
  o Bad software development

Slide 40: Incomplete Mediation

Slide 41: Input Validation
 Consider: strcpy(buffer, argv[1])
 A buffer overflow occurs if len(buffer) < len(argv[1])
 Software must validate the input by checking the length of argv[1]
 Failure to do so is an example of a more general problem: incomplete mediation
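As an added example (not code from the slides), the unchecked strcpy pattern of slide 41 is shown beside two safer replacements: strncpy as slide 34 suggests, with the extra step of forcing NUL termination, and an explicit length check that rejects input that would not fit. The function names, the 10-byte buffer and the sample input are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10   /* assumed size, as in the slides' char buffer[10] */

/* The pattern the slides warn about: strcpy copies until the NUL byte of
 * the source, so any input of BUF_LEN characters or more runs past the
 * end of buffer and over whatever sits above it on the stack (including
 * the saved return address). Kept only to show the defect. */
void copy_unchecked(const char *input) {
    char buffer[BUF_LEN];
    strcpy(buffer, input);
    printf("copied: %s\n", buffer);
}

/* strncpy, the replacement the slides name. Caveat: strncpy writes no
 * terminating NUL when the source is at least n bytes long, so the last
 * byte must be set explicitly or later string functions read past dst.
 * Returns the number of characters kept (the input may be truncated). */
size_t copy_truncating(char *dst, size_t dst_len, const char *input) {
    strncpy(dst, input, dst_len - 1);
    dst[dst_len - 1] = '\0';      /* guarantee termination */
    return strlen(dst);
}

/* Complete mediation: measure the input first and refuse anything that
 * does not fit, instead of silently truncating it. Returns 0 on success
 * and -1 when the input is too long for dst (nothing is written then). */
int copy_validated(char *dst, size_t dst_len, const char *input) {
    size_t n = strlen(input);
    if (n >= dst_len)             /* room is needed for the NUL as well */
        return -1;
    memcpy(dst, input, n + 1);    /* n + 1 copies the terminator too */
    return 0;
}

int main(int argc, char **argv) {
    char buffer[BUF_LEN];
    /* constructed 16-character input, longer than the buffer */
    const char *input = argc > 1 ? argv[1] : "ABCDEFGHIJKLMNOP";

    if (copy_validated(buffer, sizeof buffer, input) == 0)
        printf("accepted: %s\n", buffer);
    else
        printf("rejected: %zu bytes do not fit in %d\n", strlen(input), BUF_LEN);

    copy_truncating(buffer, sizeof buffer, input);
    printf("truncated to: %s\n", buffer);
    return 0;
}
```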

Slide 42: Input Validation
 Consider web form data
 Suppose input is validated on client
 For example, the following is valid
    =20&price=10&shipping=5&total=205
 Suppose input is not checked on server
  o Why bother since input checked on client?
  o Then attacker could send http message
    =20&price=10&shipping=5&total=25

Slide 43: Incomplete Mediation
 Linux kernel
  o Research has revealed many buffer overflows
  o Many of these are due to incomplete mediation
 Linux kernel is “good” software since
  o Open-source
  o Kernel written by coding gurus
 Tools exist to help find such problems
  o But errors can be subtle
  o And tools useful to attackers too!

Slide 44: Race Conditions

Slide 45: Race Condition
 Security processes should be atomic
  o Occur “all at once”
 Race conditions can arise when security-critical process occurs in stages
 Attacker makes change between stages
  o Often, between stage that gives authorization, but before stage that transfers ownership
 Example: Unix mkdir

Slide 46: mkdir Race Condition
 mkdir creates new directory
 How mkdir is supposed to work
  1. Allocate space
  2. Transfer ownership

Slide 47: mkdir Attack
 Not really a “race”
  o But attacker’s timing is critical
 The mkdir race condition
  1. Allocate space
  2. Create link to password file (attacker)
  3. Transfer ownership

Slide 48: Race Conditions
 Race conditions appear to be common
  o May be more common than buffer overflows
 But race conditions harder to exploit
  o Buffer overflow is “low hanging fruit” today
 To prevent race conditions…
  o Make security-critical processes atomic
  o Occur all at once, not in stages
  o Not easy to accomplish in practice
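An added example, not from the slides, of the two-stage shape slides 45 to 48 describe, applied to file creation rather than the historical mkdir: a check-then-create function leaves a window in which a planted link is followed, and an O_CREAT|O_EXCL create closes it by doing the check and the creation in one system call. The function names, the temporary directory and the file names are assumptions; the demonstration assumes a POSIX system with a writable /tmp.

```c
#define _GNU_SOURCE   /* exposes O_NOFOLLOW and mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Two-stage create, the shape the slides describe: stage 1 decides the
 * path is free, stage 2 creates it. Between the stages another process
 * can plant a symlink at path, and stage 2 then follows it to a file of
 * the attacker's choosing. Returns a descriptor, or -1. */
int create_in_stages(const char *path) {
    struct stat st;
    if (stat(path, &st) == 0) {               /* stage 1: check */
        errno = EEXIST;
        return -1;
    }
    /* the window: a symlink placed here is followed by open() below */
    return open(path, O_WRONLY | O_CREAT, 0600);   /* stage 2: act */
}

/* Atomic version: O_CREAT|O_EXCL makes "create only if absent" a single
 * system call, and a symlink at path fails with EEXIST rather than being
 * followed. Returns a descriptor, or -1 with errno set. */
int create_atomically(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plays the attack in a private temp dir (constructed). Returns a bitmask:
 * bit 0 set when the staged create was fooled into creating "protected"
 * through the planted link, bit 1 set when the atomic create refused it
 * with EEXIST; -1 on setup failure. */
int demo_planted_symlink(void) {
    char dir[] = "/tmp/race-demo-XXXXXX";
    char victim[300], target[300];
    int result = 0, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(victim, sizeof victim, "%s/newfile", dir);

    /* the attacker's move between the stages: victim now points at target */
    if (symlink(target, victim) != 0)
        return -1;

    /* stat() follows the link, finds nothing, and approves; open() then
     * follows the same link and creates target instead of victim */
    fd = create_in_stages(victim);
    if (fd >= 0) {
        close(fd);
        if (access(target, F_OK) == 0)
            result |= 1;
        unlink(target);
    }

    /* O_EXCL sees the existing directory entry (the link) and refuses */
    fd = create_atomically(victim);
    if (fd < 0 && errno == EEXIST) {
        result |= 2;
    } else if (fd >= 0) {
        close(fd);
        unlink(target);
    }

    unlink(victim);
    rmdir(dir);
    return result;    /* 3 = staged version fooled, atomic version not */
}

int main(void) {
    int r = demo_planted_symlink();
    printf("staged create followed the planted link: %s\n", (r & 1) ? "yes" : "no");
    printf("atomic create refused it with EEXIST:    %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```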

Slide 49: Heap Overflow
 Heap used for dynamic variables
  o For example, malloc in C
 Can overflow one array into another
 Makes it possible to change data
  o Like simpleminded example given earlier

Slide 50: Heap Overflow Example
 First print
  o buf2 =
 Second print
  o buf2 =

Slide 51: Integer Overflow
 Many “integer” problems
 This example…
  o What if len is negative?
  o Note that memcpy thinks len is unsigned
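The slide's own example code is not in the transcript, so here is an added example (not from the slides) of the signed-length defect it describes: what memcpy receives when a negative int is passed as its size_t length, a naive capacity check that such a value slips past, and a copy routine that rejects the length before converting it. The names, the 64-byte capacity and the sample data are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DST_LEN 64   /* assumed capacity of the destination buffer */

/* What memcpy sees: its length parameter is size_t, so a signed len is
 * converted first. A negative value becomes a huge unsigned one. */
size_t length_as_seen_by_memcpy(int len) {
    return (size_t)len;           /* -1 becomes SIZE_MAX */
}

/* The check from the slides' scenario: comparing a signed len against the
 * capacity looks safe, but len = -1 passes because -1 <= DST_LEN. Only the
 * decision is modelled; the copy itself is not performed here. */
int naive_length_ok(int len) {
    return len <= DST_LEN;        /* 1 for len = -1, which is the defect */
}

/* Hardened copy: reject negative lengths before any conversion, then bound
 * the copy by the destination capacity and by the source size. Returns the
 * number of bytes copied, or -1 when the length is invalid. */
int copy_checked(uint8_t *dst, size_t dst_len,
                 const uint8_t *src, size_t src_len, int len) {
    if (len < 0)
        return -1;                /* negative length: reject outright */
    size_t n = (size_t)len;       /* conversion is now safe */
    if (n > dst_len || n > src_len)
        return -1;                /* would overflow dst or over-read src */
    memcpy(dst, src, n);
    return (int)n;
}

int main(void) {
    uint8_t src[DST_LEN], dst[DST_LEN];
    memset(src, 0x41, sizeof src);          /* constructed source bytes */
    int attacker_len = -1;                  /* constructed hostile length */

    printf("naive check accepts len=%d: %d\n", attacker_len,
           naive_length_ok(attacker_len));
    printf("memcpy would receive n=%zu\n", length_as_seen_by_memcpy(attacker_len));
    printf("checked copy, len=%d: %d\n", attacker_len,
           copy_checked(dst, sizeof dst, src, sizeof src, attacker_len));
    printf("checked copy, len=16: %d\n",
           copy_checked(dst, sizeof dst, src, sizeof src, 16));
    return 0;
}
```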

Slide 52: Exploitation Engines
 Developing a buffer overflow attack
  o Tedious, lots of trial and error
  o Until Metasploit…
 Metasploit
  o Knows about lots of attacks
  o Has lots of payloads

Slide 53: Metasploit
 Payloads include
  o Bind shell to current port
  o Bind shell to arbitrary port
  o Reverse shell
  o Windows VNC Server DLL inject
  o Reverse VNC DLL inject
  o Inject DLL into running application
  o Create local admin user
  o The Meterpreter (run command of attacker’s choosing)

Slide 54: Metasploit Web Interface

Slide 55: Metasploit
 Advantages for attackers?
  o Reduces “development cycle”
  o Resulting attacks much more reliable
 Advantages for good guys?
  o Helps identify false positives
  o Help improve IDS
  o Improved penetration testing
  o Improved management awareness

Slide 56: Buffer Overflow Defenses
 NX, safe languages, safer functions (in C), canary, ASLR
 Better software development
  o Use tools, such as
  o ITS4
  o RATS
  o Flawfinder

Slide 57: Authentication

Slide 58: Who Goes There?
 How to authenticate a human to a machine?
 Can be based on…
  o Something you know
     For example, a password
  o Something you have
     For example, a smartcard
  o Something you are
     For example, your fingerprint

Slide 59: Something You Know
 Passwords
 Lots of things act as passwords!
  o PIN
  o Social security number
  o Mother’s maiden name
  o Date of birth
  o Name of your pet, etc.

Slide 60: Trouble with Passwords
 “Passwords are one of the biggest practical problems facing security engineers today.”
 “Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed.)”

Slide 61: Why Passwords?
 Why is “something you know” more popular than “something you have” and “something you are”?
 Cost: passwords are free
 Convenience: easier for SA to reset pwd than to issue user a new thumb

Slide 62: Keys vs Passwords
 Crypto keys
  o Suppose key is 64 bits
  o Then 2^64 keys
  o Choose key at random…
  o …then attacker must try about 2^63 keys
 Passwords
  o Suppose passwords are 8 characters, and 256 different characters
  o Then 256^8 = 2^64 pwds
  o Users do not select passwords at random
  o Attacker has far less than 2^63 pwds to try (dictionary attack)

Slide 63: Good and Bad Passwords
 Bad passwords
  o frank
  o Fido
  o password
  o 4444
  o Pikachu
  o AustinStamp
 Good Passwords?
  o jfIej,43j-EmmL+y
  o P0kem0N
  o FSa7Yago
  o 0nceuP0nAt1m8
  o PokeGCTall150

Slide 64: Password Experiment
 Three groups of users, each group advised to select passwords as follows
  o Group A: At least 6 chars, 1 non-letter
  o Group B: Password based on passphrase
  o Group C: 8 random characters
 Results
  o Group A: About 30% of pwds easy to crack
  o Group B: About 10% cracked; passwords easy to remember (winner)
  o Group C: About 10% cracked; passwords hard to remember

Slide 65: Password Experiment
 User compliance hard to achieve
 In each case, 1/3rd did not comply (and about 1/3rd of those easy to crack!)
 Assigned passwords sometimes best
 If passwords not assigned, best advice is
  o Choose passwords based on passphrase
  o Use pwd cracking tool to test for weak pwds
  o Require periodic password changes?

Slide 66: Attacks on Passwords
 Attacker could…
  o Target one particular account
  o Target any account on system
  o Target any account on any system
  o Attempt denial of service (DoS) attack
 Common attack path
  o Outsider → normal user → administrator
  o May only require one weak password!

Slide 67: Password Retry
 Suppose system locks after 3 bad passwords. How long should it lock?
  o 5 seconds
  o 5 minutes
  o Until SA restores service
 What are +’s and -’s of each?

Slide 68: Password File
 Bad idea to store passwords in a file
 But need a way to verify passwords
 Cryptographic solution: hash the passwords
  o Store y = h(password)
  o Can verify entered password by hashing
  o If attacker obtains password file, he does not obtain passwords
  o But attacker with password file can guess x and check whether y = h(x)
  o If so, attacker has found password!

Slide 69: Dictionary Attack
 Attacker pre-computes h(x) for all x in a dictionary of common passwords
 Suppose attacker gets access to password file containing hashed passwords
  o Attacker only needs to compare hashes to his pre-computed dictionary
  o Same attack will work each time
 Can we prevent this attack? Or at least make attacker’s job more difficult?

Slide 70: Password File
 Store hashed passwords
 Better to hash with salt
 Given password, choose random s, compute y = h(password, s) and store the pair (s, y) in the password file
 Note: The salt s is not secret
 Easy to verify password
 Attacker must recompute dictionary hashes for each user → lots more work!

Slide 71: Password Cracking: Do the Math
 Assumptions
 Pwds are 8 chars, 128 choices per character
  o Then 128^8 = 2^56 possible passwords
 There is a password file with 2^10 pwds
 Attacker has dictionary of 2^20 common pwds
 Probability of 1/4 that a pwd is in dictionary
 Work is measured by number of hashes

Slide 72: Password Cracking
 Attack 1 password without dictionary
  o Must try 2^56 / 2 = 2^55 on average
  o Just like exhaustive key search
 Attack 1 password with dictionary
  o Expected work is about 1/4 (2^19) + 3/4 (2^55) ≈ 2^54.6
  o But in practice, try all in dictionary and quit if not found → work is at most 2^20 and probability of success is 1/4

Slide 73: Password Cracking
 Attack any of 1024 passwords in file
 Without dictionary
  o Assume all 2^10 passwords are distinct
  o Need 2^55 comparisons before expect to find password
  o If no salt, each hash computation gives 2^10 comparisons → the expected work (number of hashes) is 2^55 / 2^10 = 2^45
  o If salt is used, expected work is 2^55 since each comparison requires a new hash computation

Slide 74: Password Cracking
 Attack any of 1024 passwords in file
 With dictionary
  o Probability at least one password is in dictionary is 1 – (3/4)^1024 ≈ 1
  o We ignore case where no pwd is in dictionary
  o If no salt, work is about 2^19 / 2^10 = 2^9
  o If salt, expected work is less than 2^22
  o Note: If no salt, we can precompute all dictionary hashes and amortize the work
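An added example (not from the slides) that plays out the amortization argument of slides 69, 70 and 74 at small scale: a dictionary attack on an unsalted password file costs one hash per dictionary word no matter how many accounts there are, while a salted file forces the dictionary to be rehashed per account. The dictionary, the four users, their salts and the hash function h are constructed stand-ins for the slides' 2^20-word dictionary, 2^10-entry file and h(password, s); the FNV-1a function here only counts work and is not a password hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Work metric from the slides: number of hash computations performed. */
static unsigned long hash_calls;

/* Toy stand-in for h(password, s): 64-bit FNV-1a over salt then password.
 * Not a password hash (real systems use a slow, salted KDF); it is here
 * only so the number of hash computations can be observed. */
static uint64_t h(const char *salt, const char *pw) {
    uint64_t v = 1469598103934665603ULL;
    const char *parts[2] = { salt, pw };
    for (int i = 0; i < 2; i++)
        for (const char *p = parts[i]; *p; p++) {
            v ^= (unsigned char)*p;
            v *= 1099511628211ULL;
        }
    hash_calls++;
    return v;
}

/* Constructed dictionary of common passwords (six words instead of 2^20) */
static const char *dictionary[] = { "password", "123456", "letmein", "qwerty", "frank", "Fido" };
#define DICT_N 6

/* Constructed password file: four users, three of whom chose dictionary words */
#define USERS 4
static const char *user_pw[USERS]   = { "password", "S3cure!x9", "qwerty", "letmein" };
static const char *user_salt[USERS] = { "s0", "s1", "s2", "s3" };  /* random in practice */

typedef struct { const char *salt; uint64_t y; } entry;

/* Build the file: y = h(password, s); the salt is empty when unsalted. */
static void build_file(entry file[USERS], int use_salt) {
    for (int i = 0; i < USERS; i++) {
        file[i].salt = use_salt ? user_salt[i] : "";
        file[i].y = h(file[i].salt, user_pw[i]);
    }
}

/* Dictionary attack against every account in the file. Returns the number
 * of hash computations the attacker performed; *cracked receives how many
 * accounts fell. */
unsigned long attack_all(int use_salt, int *cracked) {
    entry file[USERS];
    build_file(file, use_salt);
    hash_calls = 0;               /* count only the attacker's work */
    *cracked = 0;

    if (!use_salt) {
        /* No salt: hash the dictionary once, then every account is a lookup */
        uint64_t table[DICT_N];
        for (int d = 0; d < DICT_N; d++)
            table[d] = h("", dictionary[d]);
        for (int i = 0; i < USERS; i++)
            for (int d = 0; d < DICT_N; d++)
                if (table[d] == file[i].y) { (*cracked)++; break; }
    } else {
        /* Salt: the table is useless; the dictionary is rehashed per account */
        for (int i = 0; i < USERS; i++)
            for (int d = 0; d < DICT_N; d++)
                if (h(file[i].salt, dictionary[d]) == file[i].y) { (*cracked)++; break; }
    }
    return hash_calls;
}

int main(void) {
    int c;
    unsigned long w = attack_all(0, &c);
    printf("no salt: %d of %d cracked with %lu hashes\n", c, USERS, w);
    w = attack_all(1, &c);
    printf("salted:  %d of %d cracked with %lu hashes\n", c, USERS, w);
    return 0;
}
```

With more accounts the unsalted cost stays at DICT_N hashes while the salted cost grows with the number of accounts, which is the 2^9 versus 2^22 gap on slide 74.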

Slide 75: Other Password Issues
 Too many passwords to remember
  o Results in password reuse
  o Why is this a problem?
 Who suffers from bad password?
  o Login password vs ATM PIN
 Failure to change default passwords
 Social engineering
 Error logs may contain “almost” passwords
 Bugs, keystroke logging, spyware, etc.

Slide 76: Passwords
 The bottom line
 Password cracking is too easy!
  o One weak password may break security
  o Users choose bad passwords
  o Social engineering attacks, etc.
 The bad guy has all of the advantages
 All of the math favors bad guys
 Passwords are a big security problem

Slide 77: Password Cracking Tools
 Popular password cracking tools
  o Password Crackers
  o Password Portal
  o L0phtCrack and LC4 (Windows)
  o John the Ripper (Unix)
 Admins should use these tools to test for weak passwords since attackers will!
 Good article on password cracking
  o Passwords – Cornerstone of Computer Security

Slide 78: Password Problems
 Weak passwords
 Too many passwords
 Default passwords
 And so on…

Slide 79: Default Passwords

Slide 80: Password Cracking
 Cain and Abel

Slide 81: Password Cracking
 John the Ripper

Slide 82: Password Cracking Defenses
 Strong password policy
 User awareness
 Pwd filtering software
  o Password Guardian, Strongpass
 Use other forms of authentication
 Try password cracking
 Protect password files

Slide 83: Web-Related Attacks
 Rapidly growing area of interest
 For up-to-date info, see, for example, The Ghost in the Browser
  o Slides are here

Slide 84: Web Application Attacks
 Book discusses…
 Account harvesting
 Session tracking issues
 SQL injection

Slide 85: Account Harvesting
 Targets authentication process when application requests ID/password
 Attacker can collect IDs
  o And sometimes passwords too
 A simple concept
 Very effective in some Web apps

Slide 86: Account Harvesting
 Error message for bad ID

Slide 87: Account Harvesting
 Error message for good ID, bad password

Slide 88: Account Harvesting Defense
 Have consistent error messages
 Other?

Slide 89: Session Tracking Issues
 Authenticate to Web application
  o Use a password
 Then often use a session ID to connect traffic to authenticated user
  o Session ID is given to client browser
  o Usually independent of SSL connection
  o Bottom line: ID can be changed by client

Slide 90: Attacking Session Tracking
 Session ID can be implemented using
  o URL session tracking (next slide)
  o Hidden form elements (next slide)
  o Nonpersistent cookies (most common)

Slide 91: Session Tracking
 URL session tracking example
 Hidden form, in html:

Slide 92: Session Tracking Attacks
 Might be able to alter session ID
  o If so, can hijack an active session
  o Called “session cloning”
 Why doesn’t Web application connect session ID to IP address?

Slide 93: Session Tracking Attacks
 Attacker first needs to find valid ID
 How to do so?
  o Collect a bunch of IDs
  o Try to see how they change
  o Then make educated guesses…

Slide 94: Session Tracking Attacks
 Attacker must change session ID in active session
 Suppose nonpersistent Web cookies used

Slide 95: Session Tracking Attacks
 Can use a “Web application manipulation proxy” to change session ID in active session
 Web app manipulation proxies include
  o Achilles, Paros Proxy, WebScarab, Web Sleuth, etc.

Slide 96: Web Application Manipulation Proxy

Slide 97: Achilles

Slide 98: Paros Proxy

Slide 99: Defenses
 Integrity protect session ID
  o Sign/MAC/HMAC
  o Then, only legitimate user can properly sign/MAC/HMAC
 Note that this is separate from SSL
 Is this really necessary???

Slide 100: SQL Injection
 Structured Query Language (SQL)
  o Used by web application to communicate with back-end database
 By manipulating SQL, attacker may
  o Get access to info
  o Change data
 We’ve seen this before

Slide 101: WebGoat
 Fake e-commerce site
  o Intentionally full of vulnerabilities

Slide 102: WebGoat

Slide 103: WebGoat

Slide 104: WebGoat

Slide 105: SQL Injection Defenses
 Complete mediation
  o Filter all user-supplied info
 Limit permissions of Web app when accessing database
 “Parameterized stored procedures”
  o I.e., do not compose queries on the fly

Slide 106: Browser Flaws
 Browsers are complex pieces of software
  o Lots of flaws have been found
  o Buffer overflows, for example
 For example, buffer overflow in Safari (related to tiff files) used to break iPhone restrictions

Slide 107: Browser Flaws

Slide 108: Defenses
 Use antivirus
 “…consider using a browser other than Internet Explorer”

Slide 109: Conclusions

Slide 110: Summary