Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS703 - Advanced Operating Systems

Published byJuha-Pekka Salo Modified over 5 years ago

Similar presentations

Presentation on theme: "CS703 - Advanced Operating Systems"— Presentation transcript:

1 CS703 - Advanced Operating Systems
By Mr. Farhan Zaidi

2 Lecture No. 42

3 Overview of today’s lecture
Trojan Horses Login spoofing attacks Logic bombs Trap doors Buffer and stack overflow attacks Unsafe C library functions

4 Trojan Horses (from Tanenbaum’s book)
Free program made available to unsuspecting user Actually contains code to do harm Place altered version of utility program on victim's computer trick user into running that program

5 Login Spoofing (a) Correct login screen (b) Phony login screen

6 Logic Bombs Company programmer writes program potential to do harm
OK as long as he/she enters password daily ff programmer fired, no password and bomb explodes

7 Trap Doors (a) Normal code. (b) Code with a trapdoor inserted

8 Buffer overflows First major exploit: 1988 Internet Worm. fingerd.
Extremely common bug. First major exploit: Internet Worm. fingerd. 10 years later: over 50% of all CERT advisories: 1997: 16 out of CERT advisories. 1998: 9 out of ”- 1999: 6 out of ”- Often leads to total compromise of host. Fortunately: exploit requires expertise and patience. Two steps: Locate buffer overflow within an application. Design an exploit.

9 Buffer Overflow (a) Situation when main program is running
(b) After program A called (c) Buffer overflow shown in gray

10 What are buffer overflows?
Suppose a web server contains a function: void func(char *str) { char buf[128]; strcpy(buf, str); do-something(buf); } When the function is invoked the stack looks like: What if *str is 136 bytes long? After strcpy: str ret-addr sfp buf top of stack str top of stack *str ret

11 Basic stack exploit Program P: exec( “/bin/sh” )
Main problem: no range checking in strcpy(). Suppose *str is such that after strcpy stack looks like: When func() exits, the user will be given a shell !! Note: attack code runs in stack. To determine ret guess position of stack when func() is called. Use a stream of NOPs top of stack *str ret Code for P Program P: exec( “/bin/sh” ) (exact shell code by Aleph One)

12 Some unsafe C lib functions
strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s) scanf ( const char *format, … ) printf (conts char *format, … ) How does an attacker actually launches this attack. Inspection of source code Help of Debuggers Cramming a lot of data into a program

13 Exploiting buffer overflows
Suppose web server calls func() with given URL. Attacker can create a 200 byte URL to obtain shell on web server. Some complications: Program P should not contain the ‘\0’ character. Overflow should not crash program before func() exists. Sample buffer overflows of this type: Overflow in MIME type field in MS Outlook. Overflow in ISAPI in IIS.

Download ppt "CS703 - Advanced Operating Systems"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Buffer Overflow Prabhaker Mateti Wright State University.

Buffer Overflow Prabhaker Mateti Wright State University.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Array_strcpy void array_strcpy(char dest[], char src[]) { int i = 0; while (src[i] != '\0') { dest[i] = src[i]; i++; } dest[i] = '\0'; }

Array_strcpy void array_strcpy(char dest[], char src[]) { int i = 0; while (src[i] != '\0') { dest[i] = src[i]; i++; } dest[i] = '\0'; }
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Avishai Wool, lecture 1 - 1 Introduction to Information Security Lecture 1.

Avishai Wool, lecture Introduction to Information Security Lecture 1.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 8: Control hijacking attacks Eran Tromer Slides credit: Dan Boneh, Stanford.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 8: Control hijacking attacks Eran Tromer Slides credit: Dan Boneh, Stanford.
SCSC 555 Computer Security Chapter 10 Malicious software Part B.

SCSC 555 Computer Security Chapter 10 Malicious software Part B.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
1 Control Hijacking Attacks Buffer overflows and format string bugs.

1 Control Hijacking Attacks Buffer overflows and format string bugs.
Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)

Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)
1 Control Hijacking Attacks Buffer overflows and format string bugs.

1 Control Hijacking Attacks Buffer overflows and format string bugs.
Control Hijacking Attacks Note: project 1 is out Section this Friday 4:15pm.

Control Hijacking Attacks Note: project 1 is out Section this Friday 4:15pm.
1 Pertemuan 23 Sistem Keamanan Matakuliah: T0316/sistem Operasi Tahun: 2005 Versi/Revisi: 5.

1 Pertemuan 23 Sistem Keamanan Matakuliah: T0316/sistem Operasi Tahun: 2005 Versi/Revisi: 5.
Chapter 9 Security 9.4 - 9.6 Authentication Insider Attacks Exploiting Code Bugs.

Chapter 9 Security Authentication Insider Attacks Exploiting Code Bugs.

Similar presentations

Ads by Google