Presentation is loading. Please wait.

Presentation is loading. Please wait.

Programming Faults Programming Errors that Lead to Compromised Systems.

Published byGarry Gregory Modified over 9 years ago

Similar presentations

Presentation on theme: "Programming Faults Programming Errors that Lead to Compromised Systems."— Presentation transcript:

1 Programming Faults Programming Errors that Lead to Compromised Systems

2 Definition of Information Security Confidentiality == assurance that information is not disclosed to unauthorized entities or processes Integrity == quality of an information system that reflects its logical correctness and reliability Availability == timely, reliable access to data and information services for authorized users

3 Definition of a Fault Fault == defect that does not change state Failure == manifestation of a fault “A programming mistake is a latent fault until that code is invoked by the system.” “If a fault affects the delivered service, a failure occurs.”

4 Programming Faults and Intrusion Detection Intrusion Detection Systems monitor for attempts to exploit Programming Faults Exploits become rules in signature databases used by IDS software to detect the failures caused by activating the flaws

5 Confidentiality Faults Buffer Overruns Environment Variables Interactive Input Handling Sensitive Data Executing Other Programs

6 Buffer Overruns Subvert the normal course of execution to execute code written by the cracker Exploit root privileged programs to gain root authority Result of mismanaging arrays and pointers (mostly character arrays) Write past the end of the buffer to overwrite other data in memory

7 Two types of buffers - static and dynamic Dynamic buffers are allocated from the stack at run time As part of the stack, they are in the same area of memory as data used by kernels in OSes which do not maintain separate user and kernel modes

8 void function (char *str) { char buffer[16]; strcpy(buffer, str); } void main() { char large_string[256]; int i for (i=0; i<255; i++) large_string[i]=‘A’; function(large_string); }

9 top of stack bottom of memory <------------------------------< |Buffer Sfp Ret *Str |... |[ ][ ] [ ] [ ] |... <------------------------------< top of memory bottom of stack

10 #include void main() { char *name[2]; name[0] = “/bin/sh”; name[1] = “NULL; execve(name[0], name, NULL); } char shellcode[] = “\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00]x00\x00” “\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80” “\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff” “\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3”;

11 If the IDS captures a long series of NOOPs being transmitted to a protected system, it should flag that as a potential exploit attempt. alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:5;) Buffer Overruns and IDS

12 Environment Variables Environment variables are sources of user input Depending on how a program handles the variable, it’s possible to insert an exploit to either cause a failure, or to take advantage of poor logic

13 Suppose IFS (variable to control whitespace designator) is set to ‘/’ (the pathname seperator). Then exec(“/bin/sh”,”-c”,”/bin/mail userbob”); Becomes bin mail userbob

14 Environment Variables and IDS If the IDS detects an IFS setting being transmitted to a protected system, should it flag that as a potential exploit attempt?

15 Integrity Flaws Executing Input Links Regular Files Race Conditions Resource Sharing

16 Executing Input From an old version of a web browser: sprintf(buf, telnet %s”, resid_url); system(buf); Internet clients that try to be helpful by downloading & executing content.

17 User Input and IDS Formatted commands to network services make good signatures for IDS. alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|0 0|e|00|l|00|l|00|"; nocase; flow:to_server,established; offset:32; classtype:attempted-user; sid:681; rev:4;)

18 Links Replace a temporary file used by a privileged program with a link to another file. Can capture data, or trick the program into corrupting system files.

19 Ex: suppose /tmp/abc123 is used by a root program and to temporarily store data. If the program doesn’t verify that /tmp/abc123 doesn’t already exist, a user can pre-create /tmp/abc123 -> /etc/passwd. The program follows the link, and clobbers the password file.

20 File Manipulations and IDS How can a network device tell the difference between creating a link to exploit a program, or creating a link to create a link? Host Based IDS are required to detect file changes (ie file integrity checkers).

21 Availability Faults Local System DOS Network DOS Buffer Overruns System Overload Spoofing

22 Local System DOS Fill up the filesystem int main() { int ifd; char buf[8192]; ifd=open(“./attack”, O_WRITE|O_CREATE, 0777); unlink(“./attack”); while(1) write(ifd, buf, sizeof(buf)); } Use up inodes, fill up the process table, use up memory…

23 Local DOS and IDS Look for error messages indicating system problems. Good system administration practices probably more important. Filesystem monitoring Memory statistics monitoring CPU load monitoring …

24 Network DOS Manipulate the network protocols to cause a failure on the target. Ex: >6 bytes data in a SYN packet Ex: ICMP ECHO requests > 65507 octets Ex: setting packet header flags to nonsensical values …

25 More often than not protocols and standards are not properly or fully implemented, creating flaws that lead to denial of service. RFCs provide the structure and behavior guidelines; following the RFC reduces flaws; testing the RFC finds the flaws.

26 Network DOS and IDS Use the IDS to monitor network traffic for packets in unexpected parts of network; malformed packets; or just certain types of packets. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; itype: 17; icode: 0; sid:388; classtype:misc- activity; rev:4;)

27 Conclusion(s) Use good programming techniques to avoid perpetuating the same old flaws. The same flaws that existed in the dawn of the Internet still exist. Example - the Morris Worm and the Blaster Worm used the same techniques to exploit a system and spread themselves to other systems.

28 IDS systems, network based and host based, are an important layer in the Defense-in- Depth approach to good information security. IDS systems also make good system administration tools.

29 Works Consulted Aleph One. Smashing the Stack for Fun and Profit. Phrack. Vol 7, Num 49. Forbes, Liam. Secure Programming in the UNIX Environment. UAF CS Dept., 1998. Patterson, David A. An Introduction to Dependability. ;login: The Magazine of USENIX & SAGE. August 2002, Vol 27, Num 4.

Download ppt "Programming Faults Programming Errors that Lead to Compromised Systems."

Similar presentations

Module R2 CS450. Next Week R1 is due next Friday ▫Bring manuals in a binder - make sure to have a cover page with group number, module, and date. You.

Module R2 CS450. Next Week R1 is due next Friday ▫Bring manuals in a binder - make sure to have a cover page with group number, module, and date. You.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Buffer Overflow By: John Quach and Napoleon N. Valdez.

Buffer Overflow By: John Quach and Napoleon N. Valdez.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Applications Complex applications must: run for weeks or months properly release resources to avoid waste cope with outrageously malicious user input recover.

Applications Complex applications must: run for weeks or months properly release resources to avoid waste cope with outrageously malicious user input recover.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
1 Kyung Hee University Prof. Choong Seon HONG Network Control.

1 Kyung Hee University Prof. Choong Seon HONG Network Control.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Similar presentations

Ads by Google