
Advanced Information Assurance (CS 62600, Purdue University)

Class notes by: Nick Rowe



These 81 pages of class notes were uploaded by Nick Rowe on Saturday, September 19, 2015. They belong to CS 62600 (Advanced Information Assurance) at Purdue University, taught by Staff in Fall. The content is a CERIAS lecture deck, "Classes of Attacks and Vulnerabilities" by Pascal Meunier, reproduced below.

Date Created: 09/19/15
CS 626: Classes of Attacks and Vulnerabilities
Pascal Meunier, PhD, MSc, CISSP
Purdue University, March 6, 2008
Based on a chapter I wrote for the Handbook of Science and Technology for Homeland Security (Wiley)
http://www.cerias.purdue.edu

Plan
- Problem statement
- Popular vulnerability classifications
- Popular attack classifications
- Scientific classifications
- Enumeration of attack and vulnerability types
- Future research

Problem Statement
- Grouping vulnerabilities and attacks based on common properties and similarities can help understand them better.
- Many groups and types have been proposed, but none seems to withstand rigorous scientific examination. I call them "popular classifications".

Popular Classifications
- Capture a defect or weak technology, or present a point of view or framework: appealing, succinct, useful.
- Example: the set of vulnerabilities that allow attack scenario X becomes "X vulnerabilities" (e.g., cross-site scripting vulnerabilities).

Typical Classification Issues
- Not objective: depends on some point of view or abstraction level.
- Not reproducible, or ambiguous: different people will classify a vulnerability in different categories.

Typical Classification Issues (cont.)
- Multiple category memberships (overlaps), either simultaneously or at different times.
- Some things can't be classified.
- Unstable: the category changes greatly when a bit more information is uncovered (from one tree branch to one far away).
- Example: a defect in a private method of an object that is usually recognized as a vulnerability.
  - All externally callable methods (e.g., public ones) call that method safely, so it is not exploitable as long as no code changes are made to the object, regardless of all external code changes.
  - It could be exposed by a child class defining a new public method.

Why Do We Care?
- Vendors often downplay vulnerability reports by saying an issue is "not exploitable"; they are often proven wrong by proof-of-concept exploits.
- Creating exploits can be difficult and expensive.
- Claiming unexploitability can be a way to minimize bad press, delay fixes, and discredit and discourage vulnerability reports.

Relevant to Fixing Vulnerabilities
- Vendors often just block an exploit path instead of fixing the core issue.
- This only downgrades the vulnerability to latent status. The vulnerability reappears later: multiple patches, multiple advisories, more risk and headaches.

SDLC Phase
- Classical phases:
  1. Feasibility study
  2. Requirements definition
  3. Design
  4. Implementation
  5. Integration and testing
  6. Operations and maintenance
- In which phase was the vulnerability introduced?

Variations
- Simpler model with 3 groups: design, implementation, operation and maintenance.
- Appeals to academics, because it distinguishes a correct (good) algorithm or protocol badly implemented from a vulnerable algorithm or protocol correctly implemented.

Problems
- Choice in the number of phases.
- Many software engineering models: which model was used to develop software X?
- Depends on the level of abstraction: how specific is the design? A design issue is sometimes an implementation issue for someone else; it is common for programs to abstract issues away into other units or layers.

Genesis
- Reasons and ways in which flaws are introduced into a system. Goal: provide insight into prevention or detection.
- What it looks like: intentional flaws (malicious intent, non-malicious intent) and inadvertent flaws.

Problems
- Intent is not observable and is impossible to determine after the fact.
- The classification is not objective and specific.
- Intent is irrelevant when analyzing consequences (but that is not the purpose of this classification).
- Regardless, it proved useful in understanding how some flaws could be prevented or caught.

Location in Object Models
- Idea: in which layer, entity, object or subsystem is the vulnerability located?
- Example: the OSI reference model for networking (7 layers). The vulnerability belongs to which layer?
- Reality: some vulnerabilities depend on the specific interactions between layers, so this is not always applicable.

Case Study
- CVE-1999-0144: denial of service in Qmail by specifying a large number of recipients with the RCPT command.
- Qmail claims it's a configuration problem in UNIX-like operating systems: a configuration option could prevent the vulnerability.
- The OS people say it's not their problem.

Whose Fault Is It?
- Ill-defined responsibilities make it difficult to pin the blame on a specific layer or object.
- A recurring theme in vulnerability analysis.
- Current issue: browsers vs. plugins, extensions, controls. Who's responsible for security?

Affected Technology
- Design limitations in technologies that create difficult or tricky situations for developers.
- Format string vulnerabilities: polyvariadic C functions have no way of knowing how many arguments were passed. Attacker-controlled format strings can exploit this limitation (write anywhere with %n, etc.).

Affected Technology (cont.)
- Metacharacter vulnerabilities: characters that have syntactic significance, used to separate command and data, or to separate commands.
- Character encodings, indicated by special characters (e.g., URL percent encoding, %20).
- SQL injection, LDAP injection, etc.

Resource Exhaustion
- Limited computer resources that can be hogged (abused maliciously) to limit system functionality, a.k.a. Denial of Service (DoS).
- Examples: SYN flood attacks, memory leaks, algorithmic complexity attacks.

Limitations
- The name of the technology is a useful and descriptive reference, but some vulnerabilities aren't specific to a technology.
- The flaw causing the vulnerability may have a weak relationship to the technology that is vulnerable.

Errors or Mistakes
- Cause
- Nature of their impact
- Type of change or fix made to remove the error
- Examples: use of weak password-based systems; failing to store and protect data securely; double-free memory management error.

Discussion
- Has educational value.
- However, sometimes any of several changes in different code locations, modules, or even different programs can fix the vulnerability. Which one should be used to classify the vulnerability? Ambiguous.

Enabled Attack Scenario
- The set of vulnerabilities that enable a specific kind of attack: highly descriptive, precise.
- Example: vulnerabilities that enable cross-site scripting attacks (XSS) are "XSS vulnerabilities" (succinct).

Limitations
- "Denial-of-service vulnerabilities" isn't useful because many different kinds of vulnerabilities can result in DoS. DoS is a consequence, not really an attack scenario.
- What is an attack scenario?

Case Study
- Vulnerabilities in network protocols, linked to tests (attack techniques) and countermeasures (Pothamsetty and Akyol).
- The enumeration is probably incomplete, but still useful.

Vulnerabilities in Network Protocols
1. Clear text communication
2. Non-robust protocol message parsing
3. Insecure protocol state handling
4. Inability to handle abnormal packet rates
5. Vulnerability arising from replay and reuse
6. Protocol field authentication
7. Entropy problems

Tests
- Packet sniffing
- Protocol field fuzzing
- Protocol field spoofing
- Packet flooding
- Replay
- Reuse
- Packet size variation

Tests (cont.)
- Out-of-sequence packets and out-of-range values
- Special and reserved packets
- Information retrieval exposures
- Communication initiation
- Communication termination
- Encryption and random number check

CLASP
- Comprehensive Lightweight Application Security Process: a set of activities aiming to improve security.
- Focused on enumerating errors.
- Simultaneously includes events and conditions: ambiguous, multiple membership possible.

CLASP (cont.)
- Range and type errors: buffer overflows, format string problems, write-what-where condition (the ability to write an arbitrary value to an arbitrary location).
- Environmental problems: events such as the failure of a random number generator.

CLASP (cont.)
- Synchronization and timing errors: includes statistical attacks and capture-replay (isn't that a protocol weakness?).
- Protocol errors: using a broken or risky cryptographic algorithm.

CLASP (cont.)
- General logic errors (catch-all): a non-crypto random number generator (but if it fails, then it's an environmental problem); too few parameters passed to a function, i.e. format string vulnerabilities (isn't that a range and type error?).

CLASP: What If...
- A mistake results in a condition?
- A vulnerability is linked to several mistakes simultaneously?
- An event triggers a condition?
- Level-of-abstraction issues: at a low level, an integer overflow; at a higher level, failure of a random number generator.

Usefulness of CLASP
- The goal is to discuss which kinds of vulnerabilities may be found during various activities: do your activities provide complete coverage? What should you do to catch X and Y?
- Not directly applicable to a collection of vulnerabilities.

Seven Kingdoms
- Input validation and representation
- API abuse
- Security features
- Time and state
- Error handling
- Code quality
- Encapsulation
- Environment (mostly configuration)

Seven Kingdoms (cont.)
- Simultaneously includes causes, consequences and bad practices.
- A vulnerability can belong to several categories at once, or be classified differently depending on the abstraction level.
- The API abuse category is especially ambiguous: is a buffer overflow on a potentially malicious name returned by a reverse DNS call an input validation problem or an API abuse problem?
- Usefulness: rules for code scanning software; conveys secure programming concepts.

Disclosure Process
- 0-day vulnerabilities: written exploits that exist before the vulnerability is either publicly known or known by the vendor (ambiguous usage).
- Can be sold on vulnerability markets: black markets, programs such as iDefense vulnerability challenges, some government agencies.

0-day States
- Secret: not shared.
- Private: shared in small groups.
- Disclosed (end of life): admins try to mitigate consequences; the vendor scrambles to provide a low-quality patch (downgrade to latent vulnerability); more potential attackers learn about it.

Why Do We Care?
- Ethical implications for security researchers. Responsible disclosure: give the vendor a chance to create a good-quality fix for a vulnerability before it becomes public.
- If the vulnerability is being exploited, there is reason to give less time, or no time at all, to the vendor.

Vulnerabilities in Systems
- Configuration issues
- Exposures
- System vulnerabilities
- "Proper" vulnerabilities

System Vulnerabilities
- What's a system? A combination of interacting software and hardware (one or several machines) that performs a set of tasks as a whole.
- A system vulnerability may exist even if all components have correct designs and perfectly implement their designs.

Causes of System Vulnerabilities
- Misconfigurations.
- Designs that are inappropriate for the system.
- Emergent properties due to the combination and interactions of software artifacts designed separately (benign flaws in various subsystems): "compositional security".

Analysis of System Vulnerabilities
- Needs to reference a violated security policy. Policies appropriate for different organizations can result in two different lists of vulnerabilities.
- The policy is defined externally to the system; it is not an intrinsic property.
- Analyze the relevant interactions between the various parts.

Generic System Vulnerabilities
- There is a reasonable expectation that a relevant policy would be deployed somewhere.
- Example: MITRE Common Configuration Enumeration (CCE). Use hardening configuration guides as policy examples, and identify configuration settings that are of interest to policies in a generic fashion ("this value should be set appropriately").

Proper Vulnerabilities
- Are apparent defects when comparing the software artifact to its requirements, design and security goals.
- Intrinsic properties of the artifact: it doesn't matter where, when, how, or by whom the software is used.
- Analysis is more objective and reproducible, unless the researcher has to guess the design and security goals.

Usefulness
- Practitioner: "this is not vulnerable, due to a configuration that blocks attacks".
- Academic: the vulnerability is there regardless; it's an intrinsic property because the artifact doesn't meet its design goals.

Usefulness (cont.)
- Practitioner: "this system is vulnerable because this service is running and exposes sensitive information" (e.g., finger).
- Academic: the service does exactly what it is supposed to be doing; there is no vulnerability.

Limitations
- FTP server wu-ftpd, CVE-1999-0997: the conversion option allows compressing with tar.
- It's a system vulnerability because it appears through the interaction of various software artifacts.
- It's a software artifact vulnerability because wu-ftpd was designed to call other programs with the conversion option.

Popular Attack Classifications
- Perspective problem: origin, goal, mechanism, motivation.
- The purpose of an attack may be clear to the attacker but can appear as something else to the defender.

DARPA IDS Evaluation
1. Probe or surveillance (information gathering)
2. Denial of service (consequence of an attack)
3. R2L, remote to local (remote access)
4. U2R, user to root (user gains root)
5. Data (exfiltrate confidential files)

Limitations
- Probes could actually be failed or misunderstood attacks.
- A probe may cause a DoS accidentally.
- DoS may be the consequence of a failed R2L or U2R attack.
- Data attacks may require a successful R2L or U2R attack.
- Missing: U2U attacks (user to user).

WASC Threat Classification (Web Application Security Consortium)
1. Authentication (targets)
2. Authorization (targets)
3. Client-side attacks (technology class)
4. Command execution (goal)
5. Information disclosure (consequence)
6. Logical attacks (mixed bag)

Transactional Attack Scenario
- Describe the attack based on the transactions between participants: replay attacks, man-in-the-middle, XSS with a 3rd-party host, eavesdropping.
- Useful for communication protocols.

Impact
- Used in the Common Vulnerability Scoring System (CVSS): none, partial, complete.
- The worst attack enabled by a vulnerability: can we really know what is the worst possible thing that could happen?

Attack Language
- Tool used
- Vulnerability targeted
- Events (actions, targets)
- Unauthorized result (perhaps only attempted)

Tools
- Physical attack
- Information exchange (social engineering)
- User command
- Script or program
- Autonomous agent
- Toolkit
- Distributed tool
- Data tap

Attacks on Human Interactions
- Recon
- Attack: social engineering; phishing (ambiguity of user interfaces, mimicking); pretexting (collect passwords, trick instructions); physical (in person).

Malicious Code
- Attack code, parasitic code, backdoors, Trojans, self-propagating code, spyware, logic- or time-triggered code, rootkits, distributed code.

Self-Propagating Code
- Viruses (parasitic): attach to files, documents (macro viruses, scripts inside documents), executables.
- Worms: spread on their own, duplicating their code and respawning their processes.

Scientific Classifications
- Objectivity: based on an observable property of the object.
- Determinism: a clear and explicit procedure.
- Repeatability.
- Specificity: a unique and unambiguous value.

Requirements
- Mutually exclusive subgroups (taxa).
- Exhaustive.
- Useful to a broad audience.

How to Classify Ideas?
- Vulnerabilities are conceptual entities. How do you observe something that's conceptual?
- They exist at several levels of conceptual abstraction: a buffer overflow caused by an integer overflow.
- Complex causes and effects: an off-by-one error results in a NUL-termination problem that allows a format string attack.

How to Construct a Classification
- Domain of validity (scope).
- Purpose, viewpoint (e.g., web services).
- Use technical taxonomic criteria; avoid speculation.

Violated Program Invariants
- Assumptions, invariants, preconditions, postconditions.
- High cardinality.
- Formal methods can help (SPARK).

Enumerations
- Idea: if we can't classify everything, let's start by identifying forms (test cases for a successful classification).
- A priori (top-down) classification was unsuccessful; let's see what can be accomplished with an a posteriori (bottom-up) classification attempt.
- PLOVER.

Common Weakness Enumeration (CWE)
- A dictionary of security weaknesses; actually a tree.
- An attempt to reconcile all the unsuccessful classification attempts by mapping them to specific items (leaves): a huge, fluctuating chimera, a work in progress.
- Useful through exhaustiveness and by showing relationships.

Future Research
- Ontologies are models of reality: a highly structured system of concepts, with properties, that allows multiple memberships and complexities.
- Vulnerabilities are concepts. Perhaps vulnerabilities can be completely, accurately and properly represented inside ontologies: a better way to accumulate and transmit CS knowledge.

Ontology Types
- Common ontologies: restricted domain.
- Upper ontologies: wide range of domains, much more difficult to create.

Questions?
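Worked example for the "Affected Technology" slide on format strings. This is added C code, not part of Meunier's slides: it shows the vulnerable call beside the fixed one, and a small checker (hypothetical helpers fmt_arg_count and checked_snprintf, named here for illustration) that reconstructs the argument count a polyvariadic function cannot see for itself and refuses formats containing %n. The attack string is constructed input.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example helper (not from the slides): the C runtime cannot tell
 * how many variadic arguments the caller passed, so count what the format
 * will consume.  Returns that count, or -1 for anything an untrusted
 * format must never be allowed: %n (write primitive), '*' width or
 * precision, positional %N$ forms, or an unterminated/unknown directive. */
int fmt_arg_count(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                       /* "%%" is a literal percent */
            continue;
        while (*p && strchr("-+ #0", *p))    /* flags */
            p++;
        if (*p == '*')                       /* width taken from an argument */
            return -1;
        while (*p >= '0' && *p <= '9')       /* width */
            p++;
        if (*p == '$')                       /* positional argument */
            return -1;
        if (*p == '.') {                     /* precision */
            p++;
            if (*p == '*')
                return -1;
            while (*p >= '0' && *p <= '9')
                p++;
        }
        while (*p && strchr("hlLqjzt", *p))  /* length modifiers */
            p++;
        if (*p == '\0' || *p == 'n')         /* unterminated, or %n */
            return -1;
        if (!strchr("diouxXeEfFgGaAcsp", *p))
            return -1;
        count++;
    }
    return count;
}

/* Vulnerable: the untrusted string *is* the format.  printf cannot know
 * that no further arguments exist, so "%x%x%x" reads the stack and "%n"
 * writes to an attacker-chosen address.  Shown only; never called here. */
void log_vulnerable(const char *untrusted)
{
    printf(untrusted);
}

/* Fixed: the format is a constant and the untrusted string is data. */
void log_safe(const char *untrusted)
{
    printf("%s\n", untrusted);
}

/* Defence in depth for code that must accept a caller-supplied format:
 * the caller states how many arguments it passes and the format is
 * refused when it would consume a different number (or contains %n).
 * Returns the number of characters formatted, or -1 on refusal. */
int checked_snprintf(char *out, size_t outlen, int nargs, const char *fmt, ...)
{
    if (fmt_arg_count(fmt) != nargs)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    char buf[64];
    /* Constructed attacker input: a stack-leak probe ending in %n. */
    const char *attack = "%08x.%08x.%08x.%n";
    log_safe(attack);                                   /* printed as plain text */
    int rc = checked_snprintf(buf, sizeof buf, 0, attack);
    printf("checked_snprintf(attack) -> %d (refused)\n", rc);
    rc = checked_snprintf(buf, sizeof buf, 2, "%s=%d", "retries", 3);
    printf("checked_snprintf(benign) -> %d \"%s\"\n", rc, buf);
    return 0;
}
```

The checker is deliberately conservative (it rejects `*` and positional forms outright) because the point is to remove attacker influence over what the variadic call reads, not to reimplement printf parsing. Compilers flag the vulnerable form with -Wformat-security; the constant-format fix is the one to ship, and the counting wrapper is only for the rare case where the format genuinely has to be data.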
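Worked example for the "Affected Technology (cont.)" slide on metacharacters and character encodings. Added C code, not part of the original slides: a single-pass URL percent-decoder and a shell-metacharacter scan (hypothetical names url_decode, first_meta, filter_then_decode, decode_then_filter), used to show why a metacharacter check applied before decoding is bypassed by "%3B", the encoded form of the ';' command separator. The inputs are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical helpers).  Characters with syntactic meaning
 * to a POSIX shell: the first few separate commands, the rest trigger
 * expansion, quoting or redirection. */
#define SHELL_META ";|&\n`$()<>*?[]{}~\\\"' \t"

/* Returns the first metacharacter found in s, or 0 if there is none. */
int first_meta(const char *s, const char *metas)
{
    for (; *s; s++)
        if (strchr(metas, *s))
            return (unsigned char)*s;
    return 0;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decodes src into dst (NUL-terminated) in one pass.  Returns the
 * decoded length, or -1 on a malformed %XX or when dst is too small.
 * A decoded byte may itself be '%': "%2541" becomes "%41", which a second
 * decoder downstream would turn into "A" (nested-encoding bypass). */
int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    for (const char *p = src; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0)
                return -1;
            c = hi * 16 + lo;
            p += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (n + 1 >= dstlen)
            return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Wrong order: the filter sees the encoded form.  "%3B" contains no shell
 * metacharacter, so it passes, and only then becomes ';'.
 * Returns 1 if accepted (decoded into out), 0 if rejected. */
int filter_then_decode(const char *raw, char *out, size_t outlen)
{
    if (first_meta(raw, SHELL_META))
        return 0;
    return url_decode(raw, out, outlen) >= 0;
}

/* Right order: decode to the canonical form first, then filter. */
int decode_then_filter(const char *raw, char *out, size_t outlen)
{
    if (url_decode(raw, out, outlen) < 0)
        return 0;
    return first_meta(out, SHELL_META) == 0;
}

int main(void)
{
    char out[64];
    /* Constructed attacker input: a "filename" carrying an encoded ';'. */
    const char *raw = "report%3Brm+-rf+%2F";
    if (filter_then_decode(raw, out, sizeof out))
        printf("filter-then-decode ACCEPTED: \"%s\"\n", out);
    if (!decode_then_filter(raw, out, sizeof out))
        printf("decode-then-filter rejected: \"%s\" contains '%c'\n",
               out, first_meta(out, SHELL_META));
    return 0;
}
```

Two caveats follow from the slide's own wording. First, filtering is the second line of defence: the slide's "separate command and data" is achieved by never handing the data to a command parser at all, i.e. pass the decoded value as its own argv element to execve (or as a bound parameter to SQL or LDAP) rather than splicing it into a command string. Second, "a%253Bb" decodes once to "a%3Bb", which passes the filter; if any later component decodes again, the ';' reappears, so the check must run at the point where the final decoding has happened.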
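Worked example for the "Resource Exhaustion" slide's algorithmic complexity attacks. Added C code, not from the original slides: a separate-chaining hash table's worst bucket is measured under attacker-chosen keys, once with a weak byte-sum hash and once with a keyed hash. The keyed hash is a seeded FNV-1a used as a stand-in (an assumption for the example; a production table would use a purpose-built keyed hash such as SipHash), and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 256
#define NKEYS    200

typedef unsigned (*hash_fn)(const char *key);

/* Weak hash: the byte sum.  Every key with the same byte sum, including
 * every permutation of a key, lands in the same bucket, so an attacker
 * who knows the function can turn O(1) lookups into O(n). */
unsigned sum_hash(const char *s)
{
    unsigned h = 0;
    while (*s)
        h += (unsigned char)*s++;
    return h % NBUCKETS;
}

/* Keyed hash: FNV-1a mixed with a per-process secret (stand-in for a real
 * keyed hash such as SipHash).  Without the secret, the attacker cannot
 * precompute colliding inputs. */
static uint32_t hash_seed = 0x9e3779b9u;   /* would be drawn at random at start-up */

unsigned keyed_hash(const char *s)
{
    uint32_t h = 0x811c9dc5u ^ hash_seed;
    while (*s) {
        h ^= (unsigned char)*s++;
        h *= 0x01000193u;
    }
    h ^= h >> 16;                           /* fold high bits into the bucket index */
    return h % NBUCKETS;
}

/* Longest chain a separate-chaining table would hold after inserting
 * keys[0..n): the cost of the next lookup on the worst bucket. */
int max_chain(hash_fn h, const char *const *keys, int n)
{
    int load[NBUCKETS] = {0};
    int worst = 0;
    for (int i = 0; i < n; i++) {
        int b = h(keys[i]) % NBUCKETS;
        if (++load[b] > worst)
            worst = load[b];
    }
    return worst;
}

/* Attacker's key generator (constructed input): 3-letter keys whose byte
 * sum is constant, so all of them collide under sum_hash. */
int make_colliding_keys(char keys[][4], int n)
{
    int made = 0;
    for (int x = 0; x < 26 && made < n; x++)
        for (int y = 0; y < 26 && made < n; y++, made++) {
            keys[made][0] = (char)('A' + x);
            keys[made][1] = (char)('A' + y);
            keys[made][2] = (char)('A' + 50 - x - y);   /* 'A'..'s', all printable */
            keys[made][3] = '\0';
        }
    return made;
}

/* Runs the experiment: worst chain under each hash for the same keys. */
void run_experiment(int *weak_worst, int *keyed_worst)
{
    static char storage[NKEYS][4];
    const char *keys[NKEYS];
    int n = make_colliding_keys(storage, NKEYS);
    for (int i = 0; i < n; i++)
        keys[i] = storage[i];
    *weak_worst = max_chain(sum_hash, keys, n);
    *keyed_worst = max_chain(keyed_hash, keys, n);
}

int main(void)
{
    int weak, keyed;
    run_experiment(&weak, &keyed);
    printf("%d attacker keys into %d buckets\n", NKEYS, NBUCKETS);
    printf("byte-sum hash: worst chain %d (every lookup walks all of them)\n", weak);
    printf("keyed hash:    worst chain %d\n", keyed);
    return 0;
}
```

The weak hash degrades to a chain of all 200 keys, so each insert or lookup on that bucket costs 200 comparisons; the keyed hash spreads the same keys out because the attacker built them against a function whose output they cannot predict. The same reasoning applies to any parser that builds a hash table from attacker-controlled field names (HTTP headers, form fields, JSON keys).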
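Worked example for item 5 of the "Vulnerabilities in Network Protocols" list ("vulnerability arising from replay and reuse") and the replay, reuse and out-of-sequence tests on the "Tests" slides. Added C code, not from the original slides: a sliding anti-replay window of the kind IPsec ESP uses, with a constructed packet trace exercising a replayed, a late, a far-ahead and a stale sequence number. It assumes a 64-bit monotonically increasing sequence number that is covered by the message authentication code; the helper names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64

/* Added example (hypothetical names): anti-replay state for one direction
 * of an authenticated connection. */
typedef struct {
    uint64_t top;      /* highest sequence number accepted so far */
    uint64_t bitmap;   /* bit i set => sequence number (top - i) was accepted */
    bool     started;
} replay_state;

/* Returns true and records seq if it is new; false if seq was already
 * accepted (replay) or is older than the window can remember (reuse of a
 * stale number).  Must run only after the packet's MAC has verified:
 * otherwise forged packets could advance 'top' and make legitimate
 * traffic fall outside the window, a denial of service. */
bool replay_check(replay_state *st, uint64_t seq)
{
    if (!st->started) {
        st->started = true;
        st->top = seq;
        st->bitmap = 1;
        return true;
    }
    if (seq > st->top) {                       /* newer than anything seen: slide the window */
        uint64_t shift = seq - st->top;
        st->bitmap = shift >= REPLAY_WINDOW ? 0 : st->bitmap << shift;
        st->bitmap |= 1;
        st->top = seq;
        return true;
    }
    uint64_t age = st->top - seq;
    if (age >= REPLAY_WINDOW)                  /* too old to track: must reject */
        return false;
    uint64_t bit = (uint64_t)1 << age;
    if (st->bitmap & bit)                      /* accepted once already: replay */
        return false;
    st->bitmap |= bit;                         /* late but new: accept out of order */
    return true;
}

int main(void)
{
    replay_state st = {0};
    /* Constructed trace: 5 replayed, 6 arrives late, 100 jumps ahead,
     * 36 is then too old, 37 is the oldest still accepted. */
    const uint64_t trace[] = {5, 7, 5, 6, 100, 36, 37, 99, 99};
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("seq %3llu: %s\n", (unsigned long long)trace[i],
               replay_check(&st, trace[i]) ? "accept" : "REJECT");
    return 0;
}
```

Rejecting numbers that fall below the window is what makes the check sound: a replay window cannot remember every number ever seen, so anything older than the window is treated as a potential reuse and dropped. The window size trades tolerance for reordering against memory per peer; the sequence number must never wrap within the life of one key, or the same number becomes legitimately reusable and the check is void.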

