Information Security Lab, CS 6265

by: Alayna Veum



This Class Notes document (listed as 0 pages) was uploaded by Alayna Veum on Monday, November 2, 2015. It belongs to CS 6265 at Georgia Institute of Technology - Main Campus, taught by Staff in Fall. Since its upload, it has received 18 views. For similar materials see /class/234097/cs-6265-georgia-institute-of-technology-main-campus in Computer Science at Georgia Institute of Technology - Main Campus.

Date Created: 11/02/15
Computer and Network Security via Program Analysis
Monirul Sharif, Guest Lecture, CS 6265
College of Computing, Georgia Institute of Technology
Date: 09/20/2006

Introduction
- We will cover several topics related to program analysis for security.
- Today: program analysis techniques for defending against attacks.
- Next class will cover how to use program analysis on malware.

Vulnerabilities and Exploits
- Vulnerability: a weakness in a system, caused by a flaw, that allows an attacker to violate the integrity, confidentiality, authenticity or availability of the system. The flaws are usually programmer errors or bugs.
- Exploit: software, a portion of data or a sequence of commands that is made to take advantage of a vulnerability in order to violate the integrity, confidentiality, authenticity or availability of a system. Used as part of an attack on a system.

Malware
- Software designed to infiltrate or damage computer systems (malicious software): computer viruses, worms, trojan horses, spyware, adware.
- May use exploits as a means of infiltrating a computer automatically.
- Can be infectious: viruses and worms spread from file to file and from computer to computer, respectively.
- Disguised or using concealment: trojan horses are disguised malware.
- Malware for profit by hackers: spyware, adware, loggers and diallers; botnets (a controlled army of compromised hosts).
- We will be looking at malware analysis in detail in the next class.

Software Vulnerabilities
- Bugs are common in software: implementation errors by a programmer.
- Bugs are hard to find in large software. A huge budget goes to testing (almost 80% of software development), but still bugs exist.
- Some bugs are considered security flaws: Bugs > Security Flaw > Vulnerability > Exploit > Attack.
- Take a look at Microsoft software. Don't blame Microsoft: Microsoft continues to spend a lot on testing. The fact that Microsoft software is used by millions reveals more bugs and attracts more attackers.

An Example Vulnerable Program

    bool checkpassword()
    {
        bool passwordok = false;
        int userid = getcurrentuserid();
        char password[10];

        puts("Enter password:");
        gets(password);                 /* Bug: unbounded input into a bounded buffer */
        if (strcmp(getpassword(userid), password) == 0)
            passwordok = true;
        return passwordok;
    }

    int main(int argc, char *argv[])
    {
        /* first get user id, then check password */
        if (!checkpassword())
            exit(1);
        ...
    }

Where is the bug in the program? How can it be exploited?

Buffer Overflows
- The bug: gets() reads unbounded input into the bounded buffer password[10].
- This stack overflow vulnerability allows the following attacks: gain privileged access with an unprivileged user id and password, and, most frightening, arbitrary code execution. Let's see how it works briefly.
- Structure of data on the stack: the stack grows in one direction, while the unbounded write proceeds in the other and overwrites the contents of the stack beyond the end of the buffer.
- The exploit is a specially crafted input larger than 10 bytes. By changing other local variables with the input, the exploit can let an attacker gain privileged access.
- The exploit can also contain injected code and change the return address to point to it, redirecting execution to the injected code. The injected code can contain shellcode to provide root access to the attacker.
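The lecture keeps the bug in checkpassword() to show the attack. As an added example (not code from the slides), here is the bounded counterpart a defender would write, together with a check that an oversized input is rejected rather than written past the buffer. The names read_line_bounded, expected_password, check_from_string and input_fits are my own; expected_password stands in for the slide's getpassword(userid) with a constructed password, and fmemopen (POSIX) is used only so the check can run on an in-memory string instead of stdin.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define PASSWORD_MAX 10   /* same 10-byte buffer as the lecture's checkpassword() */

/* Hypothetical stand-in for the slide's getpassword(userid): returns the
   expected password of a constructed example user. */
static const char *expected_password(int userid)
{
    (void)userid;
    return "s3cret";
}

/* Read one line into buf[n] without ever writing past it.
   Returns true if the whole line fit (newline stripped), false otherwise.
   On an over-long line the remainder is drained so it cannot be
   misread as the next input. */
static bool read_line_bounded(FILE *in, char *buf, size_t n)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return false;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {          /* newline arrived inside the buffer: it fit */
        buf[len] = '\0';
        return true;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')       /* line was exactly n-1 characters long */
        return true;
    while (c != EOF && c != '\n')    /* too long: discard the rest of the line */
        c = fgetc(in);
    return false;
}

/* Hardened counterpart of the lecture's checkpassword(): the read is bounded,
   and an over-long input is rejected instead of overflowing into passwordok
   or the saved return address. */
bool checkpassword_bounded(FILE *in, int userid)
{
    char password[PASSWORD_MAX];
    bool passwordok = false;

    puts("Enter password:");
    if (!read_line_bounded(in, password, sizeof password))
        return false;
    if (strcmp(expected_password(userid), password) == 0)
        passwordok = true;
    return passwordok;
}

/* Test hooks: run the check, or just the bounded read, on an in-memory string. */
bool check_from_string(const char *input)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return false;
    bool ok = checkpassword_bounded(in, 0);
    fclose(in);
    return ok;
}

bool input_fits(const char *input)
{
    char buf[PASSWORD_MAX];
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return false;
    bool fit = read_line_bounded(in, buf, sizeof buf);
    fclose(in);
    return fit;
}

int main(void)
{
    printf("correct password accepted: %d\n", check_from_string("s3cret\n"));
    printf("40-byte input rejected:    %d\n",
           !check_from_string("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"));
    return 0;
}
```

Note the second half of read_line_bounded: fgets alone would silently leave the tail of an over-long line in the stream, where a later read could pick it up, so the function drains it and reports the failure instead of only truncating.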
Vulnerabilities in the Wild
- Most common exposed vulnerabilities include buffer overflows, heap overflows, format strings, integer overflows, etc.
- Disclosure of common vulnerabilities: security alerts are posted regularly by experts (http://cve.mitre.org and http://www.us-cert.gov). Software developers become aware and fix the vulnerabilities by making downloadable patches available.
- Question: a hacker may come to know of a published vulnerability and exploit it. Why expose publicly?
- Severity of a vulnerability depends on how much an attacker can achieve by exploiting it and how widespread the vulnerable application is.

Threats and Attacks
- Common attacks are: DoS (very simple, just corrupt memory to crash the application); privilege escalation (increase access privilege maliciously); privacy attack (divulge private information); arbitrary code execution (execute foreign code).
- Most risky: vulnerabilities that allow arbitrary code execution. Hackers can gain access to remote systems and take complete control. Can be used to automatically spread malware (fast, automated spreading). Compromised computers become zombies, bots, etc. that are controlled by an attacker to serve other purposes.
- Worms and bots may contain code that exploits remote vulnerabilities to spread themselves. Once exploitation is successful, they infect the host with malware.

Where does program analysis come in?
- Program analysis: a software engineering approach that has become increasingly important in security. A lot of techniques are derived from compilers. Used in SE for testing and debugging; formal methods (model checking, verification of properties of software; undecidable, more later); profiling; and a lot more. Used extensively in compilers for code optimization.
- Its place in security. Why do we need it? Vulnerabilities exist in programs; malware are programs written for malicious purposes.
- Some uses: vulnerability identification (a lot like bug finding) and hardening software (protect from exploitation); intrusion detection and intrusion prevention; malware detection and malware analysis (reverse engineering).

Program Analysis Approaches
- Program analysis is almost always done using automated tools; human beings direct the analysis.
- Used on source code (the available source is analyzed; more meaningful analysis can be done) or on the binary (the executable version is analyzed; used in cases where source code is not available; has become very important in security; very hard, since a lot of information is lost).
- Two approaches: static analysis (analysis is done without executing the program) and dynamic analysis (the executing program is observed for analysis).

Static Analysis
- Analysis is done without executing the program. All possible execution patterns are taken into account, so the actual runtime behavior is covered, but the over-approximation makes the result imprecise. Sound and formal methods can be applied.
- What sorts of analysis? Several well-defined techniques exist: control-flow analysis, data-flow analysis, control-dependence analysis, data-dependence analysis. Usually program code is represented as graphs, and algorithms are applied on the graph data structures for automated analysis.
- Limitations: the exact execution pattern is hard to know for most properties that are analyzed; obfuscation may hinder static analysis (used extensively by malware; next class).

Dynamic Analysis
- The executed program is analyzed. One execution gives a partial view, therefore several attempts are required. Execution gives the actual behavior of the program (precise).
- How performed: observable behavior can be analyzed (e.g. system calls, file access, etc.). Snippets of code are inserted so that more runtime information can be gathered (instrumentation); the code can write logs, check for conditions or change execution as required. Tools: Valgrind, DynInst, etc.
- Limitations: gathering a complete picture of program behavior may become infeasible.

Binary Analysis
- Has become very important in security: the need to protect/secure legacy and commercial software where source code is not available; malware is found in binary form.
- Reverse engineering to understand how malware works. Very important for malware detection and analysis: generate signatures for detection, generate behavior patterns, understand how malware works. We will cover this huge topic in the next class.
- Has been used by antivirus companies for a long time, but is now hot for security research.

Example: Control-flow Analysis
- Here's an example of static analysis on code. Control-flow analysis is done by first finding the CFG (control-flow graph): a directed graph in which each node is usually a basic block of code (a sequentially executing block of statements); possible control flow is shown by directed edges between the nodes; loops and conditionals are represented.
- Identify individual functions in the program. For each function find the CFG (intraprocedural CFG). Make the interprocedural CFG: connect the CFGs using interprocedural control flow (function calls and return sites).
- The CFG is the building block of almost all other program analysis techniques.

Can we find vulnerabilities?
- A very hard problem. Theoretical results show that determining whether a program will show a specific runtime error is undecidable (derived from the halting problem); vulnerabilities are the same. Also checking a property of a language is undecidable.
- Even if we know the vulnerability type, there are only approximate solutions. Approximation gives rise to false positives (a warning of a vulnerability even though there is none) and false negatives (missing a vulnerability).
- Several other problems make it hard: pointers (pointer analysis is imprecise).
- Let us do an exercise: think about how buffer overflows can be detected. First let us think in terms of static analysis; now let us think of dynamic analysis methods.
- Many tools exist. Some identify, some protect without identifying. An example is ProPolice: analyzes code statically, uses heuristics to detect possible bugs, a lot of false positives and false negatives. StackGuard: a dynamic method, uses special canary values around buffers and detects at runtime when an overwrite occurs; it does not find a vulnerability but will protect a program if one exists.
- In the practical world: human experience and expertise and hours of hard work. Many security experts use automated tools that aid in the search by finding potential points.

Program Analysis for Defense
- New types of vulnerabilities may be found, so we may need security without identifying them.
- Now let us consider another direction of securing applications. Suppose that we do not know about vulnerabilities; suppose that we only know about different types of attacks. What can we do?
- Intrusion detection will be covered in detail throughout the course; we will only consider instances where program analysis is used.

Host-based Intrusion Detection
- Monitor activity and raise an alert for a possible intrusion (violation of security). Detection is based on activity at a host, different from network-based intrusion detection, which observes network traffic only. Activity may include application activity, network communication from the host, system logs, etc.
- Again two classifications: misuse detection (use signatures of known attacks) and anomaly detection (use a model of normal behavior). We will consider anomaly HIDS that use program analysis.
- Misuse detection: a signature can be constructed from exploit code, or from the semantics of the attack steps in the exploit. Our next class will look at malware analysis.
- Anomaly detection: how do we define normal behavior? We use program analysis to find the possible execution behavior of the application (normal behavior) and represent it using a model. An anomaly, which is a deviation from the model, raises an alarm (possible attack).
- A lot of products are available. IPS (intrusion prevention systems): IDS with automatic preventive steps rather than just raising alarms.
- Has been an area of intense research throughout the years and still has work to be done.
- What do you base your model on? Most prominent in research: system call sequences.

System-call Sequence Based HIDS
- The attacker attacks the application in its own address space; the system calls it makes cross into the kernel address space, where they are observed. System calls are easily observable, and the OS can help in intercepting them. Useful attacks require system calls to be invoked (opening files, execve, etc.). Efficient to intercept: no extra overhead.
- The main research aspect is how to create a model; there is extensive research work in the literature.

Building Models of System-call Sequences
- Model representation: a sliding window of system call sequences (finite-length possible sequences), or automaton-based approaches that take program control flow into account: build an NFA (nondeterministic finite automaton), a PDA (pushdown automaton) or other more complex models.
- Static analysis: analyze the program and find the system-call points in the code; the model is constructed from all possible valid execution paths. Due to safe coverage, zero false positives; due to imprecision, attacks may be missed (false negatives).
- Dynamic analysis: build the model from system call traces of executions; learn from several runs. Due to partial coverage, false positives appear; due to better precision, it might catch more attacks.

Example of Intrusion Detection

    bool checkpassword()
    {
        bool passwordok = false;
        char password[10];

        puts("Enter password:");
        gets(password);                            /* read */
        if (strcmp(getpassword(), password) == 0)
            passwordok = true;
        writestatus();                             /* write */
        return passwordok;
    }

    int main(int argc, char *argv[])
    {
        /* open files */                           /* open */
        /* then check password */
        if (!checkpassword())
            exit(1);                               /* exit */
        /* close files */                          /* close */
    }

- Allowed sequences: open read exit; open read write exit; open read close; open read write close.
- Monitored sequence: open read execve. Intrusion detected.

Mimicry Attacks
- Evading detection: the attacker cloaks the execution of the attack by revealing behavior in which the IDS cannot find an anomaly.
- Mimicry attacks on system call sequences: an attacker knows the model used by the IDS and inserts extraneous system calls to form sequences that follow the model. Eventually the IDS cannot detect, and the attacker succeeds in achieving the goal. Actually it is hard, because the required system calls must exist.

Example of Mimicry Attacks
- Same program as above, except that main() ends with an execve after closing its files, so the allowed sequences become: open read close execve; open read write exit; open read close; open read write close.
- Monitored sequence: open read close execve. Intrusion not detected.
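The sliding-window model and the two monitored traces above, as an added C example (not code from the slides): a window of length 3 is trained from the allowed sequences of the mimicry example's program, then monitored traces are checked window by window. The system-call vocabulary is a constructed enum rather than a real syscall table, the traces are constructed from the slides, and the names model_learn, model_check and demo_* are my own. It reproduces the lecture's verdicts: open read execve is flagged at its first window, while open read close execve is accepted because each of its windows also occurs in the program's legitimate behaviour, which is exactly the gap mimicry exploits.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed system-call vocabulary for the example; not a real syscall table. */
enum syscall_id { SC_OPEN, SC_READ, SC_WRITE, SC_CLOSE, SC_EXIT, SC_EXECVE, SC_COUNT };
static const char *const sc_name[SC_COUNT] = { "open", "read", "write", "close", "exit", "execve" };

#define WINDOW     3    /* sliding-window length (n-gram size) */
#define MAX_NGRAMS 64   /* capacity of the learned model */

struct model {
    int ngram[MAX_NGRAMS][WINDOW];
    int count;
};

static bool model_contains(const struct model *m, const int *win)
{
    for (int i = 0; i < m->count; i++)
        if (memcmp(m->ngram[i], win, sizeof(int) * WINDOW) == 0)
            return true;
    return false;
}

/* Training (dynamic-analysis style): every window of an observed benign trace
   joins the normal-behaviour model. Returns false if the model is full. */
bool model_learn(struct model *m, const int *trace, int len)
{
    for (int i = 0; i + WINDOW <= len; i++) {
        if (model_contains(m, &trace[i]))
            continue;
        if (m->count == MAX_NGRAMS)
            return false;
        memcpy(m->ngram[m->count++], &trace[i], sizeof(int) * WINDOW);
    }
    return true;
}

/* Monitoring: index of the first window absent from the model (the anomaly),
   or -1 if every window is known. A trace shorter than WINDOW has no windows
   and is never flagged, one blind spot of this representation. */
int model_check(const struct model *m, const int *trace, int len)
{
    for (int i = 0; i + WINDOW <= len; i++)
        if (!model_contains(m, &trace[i]))
            return i;
    return -1;
}

/* Model built from the allowed sequences of the lecture's mimicry example,
   i.e. the program whose main() ends with execve after closing its files. */
static const struct model *example_model(void)
{
    static struct model m;
    static bool built = false;
    if (!built) {
        const int t1[] = { SC_OPEN, SC_READ, SC_EXIT };
        const int t2[] = { SC_OPEN, SC_READ, SC_WRITE, SC_EXIT };
        const int t3[] = { SC_OPEN, SC_READ, SC_CLOSE };
        const int t4[] = { SC_OPEN, SC_READ, SC_WRITE, SC_CLOSE };
        const int t5[] = { SC_OPEN, SC_READ, SC_CLOSE, SC_EXECVE };
        model_learn(&m, t1, 3);
        model_learn(&m, t2, 4);
        model_learn(&m, t3, 3);
        model_learn(&m, t4, 4);
        model_learn(&m, t5, 4);
        built = true;
    }
    return &m;
}

/* Monitored traces from the slides, as constructed inputs. */
static const int benign_trace[]  = { SC_OPEN, SC_READ, SC_WRITE, SC_CLOSE };
static const int attack_trace[]  = { SC_OPEN, SC_READ, SC_EXECVE };
static const int mimicry_trace[] = { SC_OPEN, SC_READ, SC_CLOSE, SC_EXECVE };

int demo_benign_trace(void)  { return model_check(example_model(), benign_trace, 4); }
int demo_attack_trace(void)  { return model_check(example_model(), attack_trace, 3); }
int demo_mimicry_trace(void) { return model_check(example_model(), mimicry_trace, 4); }

static void report(const int *trace, int len, int verdict)
{
    for (int i = 0; i < len; i++)
        printf("%s ", sc_name[trace[i]]);
    printf("-> %s\n", verdict < 0 ? "accepted" : "intrusion detected");
}

int main(void)
{
    report(benign_trace, 4, demo_benign_trace());
    report(attack_trace, 3, demo_attack_trace());
    report(mimicry_trace, 4, demo_mimicry_trace());
    return 0;
}
```

Because the model is learned from traces, it inherits the dynamic-analysis trade-off the lecture names: a benign path never seen in training would be flagged (false positive), and any attack whose windows all appear in training is missed (false negative), which is what the mimicry trace demonstrates.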

