Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

Published byLester Hawkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved."— Presentation transcript:

1 Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

2 What we are covering Exploiting Software Insider Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

3 Exploiting Software – Buffer overflow attacks Control Flow Attacks Non-Control Flow Attacks – Memory Corruption Attacks Format String Attack Dangling pointers – Null Pointer Dereference Attacks – Integer Overflow attacks – Command Injection Attacks – Time of Check to Tome of Use Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

4 Insider Attacks – Logic Bomb – Back Doors – Login Spoofing Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

5 Buffer Overflow Attacks (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown in gray. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

6 Defense: Stack Canaries Modern computers use digital ‘canaries’ as an early warning system, detecting possible buffer overflow attack. In the code, at places where the program makes a function call, the compiler inserts code to save a random ‘canary’ value on the stack, just below the return address. The compiler inserts code at the return to check the canary value. If the canary has changed… trouble! Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

7 Defense: Data Execution Prevention Redefine the ‘real’ problem: The fact that the attacker can inject code and have it executed in the heap or stack! Defense: prevent the bytes provided by the attacker from being executed as legitimate code. Modern CPUs have a feature NX bit (No-eXecute bit). It distinguishes between data segments and the code segments. This ensures data segments are writable, but not executable. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

8 Code Reuse Attacks Attacker constructs the necessary functions out of existing functions and instructions in the existing binaries and libraries Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

9 Code Reuse Attacks: return to libc Almost all c (C++) programs are linked with a shared library containing the function system. System takes a string containing a command and passes it to the shell for execution. Attack: Place a string containing commands to be executed and divert control the system function via the return address. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reservesd.

10 Code Reuse Attacks Return-Oriented Programming (ROP) Return-oriented programming: linking gadgets Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

11 Defense: Address Space Layout Randomization (ASLR) Randomize the address of functions and data between every run of the program Supported with varying granularity. Few apply it to the system kernel Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

12 Non-Control Flow Attacks Change the data instead of the return addresses!! Possible use: change the security credentials granting more or less protection on objects. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

13 Format String Attacks In a C functions that perform formatting, (printf), when the application doesn’t properly validate the input, the attacker can causes the submitted data to be compromised. EX: By using exactly the right number of %08x, the attacker can use the first four characters of the format string as an address. Tanenbaum & Bo, Modern Operating Sy stems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

14 Dangling Pointers Attack User frees memory. But later tries to access it with the pointer. Attacker places a specific heap object in the memory location the user frees and re-uses Techniques like heap feng shui help attackers pull this off. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

15 Null Pointer Derefence Attacks In linux, the kernel space is mapped to every process’ address space… and whenever the kernel executes it runs in a process’s address space. If a buggy kernel dereferences a NULL pointer, it usually leads to a crash. Or attacker triggers a NULL pointer dereference from the user process. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

16 Null Pointer Derefence Attacks Crash occurs because there is no code at page 0. Using a tool like mmap (Posix function that maps files into memory) attacker can map bad code at that location. Defense: mmap no longer makes it possible to map to page 0. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

17 Integer Overflow Attack Integer errors can happen when mathematical operations, and external input lead to a result that is too large to fit within the range of values that can be stored in variables of a given data type. Can be expoited to corrupt applications. Integer overflow attacks are possible largely due to incorrectly defining numerical data. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

18 Command Injection Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved. The execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

19 Command Injection Attacks Command injection attacks are possible largely due to insufficient input validation. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved. Suppose user enters for the destination file: ‘file2.txt; rm –rf Command excited is then: system(“cp file1 file 2; rm –rf”)

20 Time of Check to Time of Use Attack Exploits a race condition Example: if (access(“./myPasswordFile”, W_OK) != 0) {return;} fd = open(“./ myPasswordFile, W_WRONLY) …. Between the statements, attacker creates a symbolic link with the same file name to the password file Then user writes password information to attackers file. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

21 Insider Attacks Executed by programmers from within the company. Attackers have specialized knowledge Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

22 Logic Bomb Code secretly inserted into system Waits for a specific date or time….. ….. or until employee is fired and no longer feeds it the ‘wait’ command Then execute the bad behavior. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

23 Back Doors (a) Normal code. b) Code with a back door inserted. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved. Defense: Code reviews

24 Login Spoofing (a)Correct login screen. (b) Phony login screen. Defense: have a login sequence start with a key combination the user programs can’t catch: CTLR-ALT-DEL in Windows cause the current user to log out and system login program started. Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved. Legitimate user attempting to collect other people’s passwords.

25 End of Part 2 Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

Download ppt "Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved."

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Causes Author: Jedidiah.

Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Causes Author: Jedidiah.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.

Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.
Chapter 9 Security 9.4 - 9.6 Authentication Insider Attacks Exploiting Code Bugs.

Chapter 9 Security Authentication Insider Attacks Exploiting Code Bugs.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Buffer Overflow Attacks Figure 9-21. (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown.

Buffer Overflow Attacks Figure (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Starting Out with C++: Early Objects 5/e © 2006 Pearson Education. All Rights Reserved Starting Out with C++: Early Objects 5 th Edition Chapter 1 Introduction.

Starting Out with C++: Early Objects 5/e © 2006 Pearson Education. All Rights Reserved Starting Out with C++: Early Objects 5 th Edition Chapter 1 Introduction.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Similar presentations

Ads by Google