Intro to Info Security
Intro to Info Security CS 4235
These class notes were uploaded by Alayna Veum on Monday, November 2, 2015. They belong to CS 4235 at Georgia Institute of Technology - Main Campus, taught by Staff in Fall, in Computer Science.
Date Created: 11/02/15
A Practical Review of Stack Based Buffer Overflows
Malicious Code Posse: Brandon Olekas, John Markott, Vaibhav Padliya, Saurabh Shah

Topics
- Memory Overview and Stack Tutorial: How does the stack work? How do overflows occur?
- Historical Review of Stack Overflows: When did this become a problem? What are the historical trends?
- Buffer Overflows in Viruses and Worms: How can buffer overflows be used to attack? What kind of damage can a hacker do?
- Detection, Prevention and Good Programming Procedure: What practices can prevent stack based overflows? What products are available to prevent them?
- Conclusion

Memory Overview and Stack Tutorial: How does the stack work? How do overflows occur?

Memory Organization: Text Area
- Includes code and read-only data
- Any attempt to write to this area will cause a segmentation fault
- Not exploitable

Memory Organization: Data Area
- Contains initialized and uninitialized data
- Static variables are stored here
- New memory is added between the stack and data segments
- Not exploitable

Memory Organization: Stack Area
- Size is dynamically adjusted by the kernel at run time
- Consists of logical stack frames that are pushed when calling a function and popped when returning
- EXPLOITABLE

[Diagram: process memory laid out as Text, Initialized Data, Uninitialized Data and Stack]

A stack frame contains:
- Parameters (arguments to the function)
- Return address
- Local variables
- Anything pushed on the stack

[Diagram: one stack frame from high addresses to low addresses: arguments, return address, addr[99] ... addr[0]; the stack grows towards low addresses]

Basic Overflow Condition
- If the array is filled past capacity, then items beyond it will begin to be overwritten. In this way the memory above addr[0] is overwritten.
- Why should we care?

Basic Overflow Condition
- If a hacker can overwrite the instruction pointer of a program running with root access, he/she can execute arbitrary code on the system with root privileges.

Example code (the slides step through this listing several times while filling in the stack diagram; it is the example from Aleph One's "Smashing the Stack for Fun and Profit"):

```c
#include <string.h>

/* Deliberately vulnerable: strcpy copies until the NUL with no bound check,
 * so a 16-byte buffer receives whatever length the caller passes. */
void function(char *str) {
    char buffer[16];
    strcpy(buffer, str);
}

int main(void) {
    char large_string[256];
    int i;
    for (i = 0; i < 255; i++)
        large_string[i] = 'A';
    function(large_string);   /* 255 'A's into buffer[16]: the overflow */
    return 0;
}
```

In this example you can see that an array of size 16 is being filled with 255 A's: obviously an overflow.

Exploit code (the shellcode listing from the same paper, shown on the slide as what an overwritten return address can be pointed at):

```asm
jmp    0x1f
popl   %esi
movl   %esi,0x8(%esi)
xorl   %eax,%eax
movb   %eax,0x7(%esi)
movl   %eax,0xc(%esi)
movb   $0xb,%al
movl   %esi,%ebx
leal   0x8(%esi),%ecx
leal   0xc(%esi),%edx
int    $0x80
xorl   %ebx,%ebx
movl   %ebx,%eax
inc    %eax
int    $0x80
call   -0x24
.string "/bin/sh"
```

Historical Review of Stack Overflows: When did this become a problem? What are the historical trends?

The Internet Worm, 1988, by Robert Morris
- The first significant buffer overflow
- Over 6000 machines infected
- Caused thousands of dollars in damages and loss of productivity

The Culprits
[Photo: Robert Morris Sr., former chief scientist of the NSA, and Robert Morris Jr., ex-convict. Notice the resemblance. Source: Javier, "Fotos de personajes", 15 Nov 2004 <http://www.smaldone.com.ar/fotografias/personajes.shtm>]

Buffer Overflow Timetable
[Chart: buffer overflows per year, as a total and as a percentage of all reported vulnerabilities, starting from Robert Morris's Internet worm; panel titled "The case of the disappearing buffer overflows"]

A Sign of Immaturity
Hacker magazine Phrack 49 (Volume Seven, Issue Forty-Nine, File 14 of 16): "Smashing The Stack For Fun And Profit" by Aleph One <aleph1@underground.org>
Levy, Elias. "Smashing the Stack for Fun and Profit." Phrack. 06 Oct 1996 <http://www.phrack.org/phrack/49/P49-14>

Elias Levy, aka Aleph One
- Author of "Smashing the Stack for Fun and Profit"
- Closely associated with BugTraq

[Chart: number of buffer overflows by year; only the axis labels survive]

Buffer Overflow: the Computer Vulnerability of the Decade, 1999
Festa, Paul. "Study says 'buffer overflow' is most common security bug." 23 Nov 1999. News.com <http://news.com.com/2100-1001-233483.html?legacy=cnet>

What does Buffer Overflow affect?
[Logos: Cisco Systems, Nokia]

Buffer Overflows in Viruses and Worms: How can buffer overflows be used to attack? What kind of damage can a hacker do?

Exploiting Buffer Overflow
- Rootkits
- Backdoors
- Trojan horses
- Viruses
- Worms

Rootkit
- Collection of tools an intruder downloads to a victim computer after gaining initial access
- Rootkit package contains: Trojanized system utilities; additional programs

Backdoor
- Program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time
- Examples: Korgo.E worm (May 2004); Code Red II worm (August 2001)

Virus
- Program that replicates itself onto other files within the same machine
- Can infect another program, boot sector, partition sector, or a document supporting macros by inserting itself or attaching itself to that medium

Trojan Horse
- Program that masquerades as a benign application
- Compromises security of the computer
- Example: Code Red worm

Worm
- Program that replicates itself over a computer network
- Spreads copies of itself as a standalone program

Real-Time Buffer Overflow Exploits
- Code Red worm (July 2001)
- Slammer worm (January 2003)
- Blaster worm (August 2003)
- Sasser worm (April 2004)

Code Red
- Released July 2001
- Exploits a buffer overflow in the Microsoft IIS server's Indexing Service DLL (IIS: Internet Information Service; Index Service ISAPI: Internet Service Application Programming Interface; idq.dll, the culprit)
- Exploit flow: successful connection, successful host, and if the host language is American English the defaced page reads "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!"
- Time sensitive: Day 1-19 propagation; Day 20-27 DoS against 198.137.240.91; Day 28 to end of month sleep

Slammer
- Released January 2003
- Exploits a buffer overflow vulnerability in the Resolution Service of Microsoft SQL Server 2000
- Fastest spreading worm in history: infected more than 90 percent of vulnerable hosts within 10 minutes of outbreak
- Fits in a single UDP packet
- Had no malicious payload but overloaded networks, disabling database servers
[Map: geographic spread of the Slammer worm on 25 Jan 2003; the source credit is garbled]

Due to Buffer Overflow
- Financial losses
- Legal proceedings

What Statistics Say
- Code Red worm resulted in worldwide losses of $2.62 billion
- In August 2003 Symantec reported more than 1 million computers hit by the Blaster worm
- Remediation costs for Blaster were $475,000 per company, with larger companies reporting losses of up to $4,228,000
- SOURCE: 4 Jan 2002. Computer Economics. 1 Nov 2004 <http://www.computereconomics.com/article.cfm?id=133>; Sana Security. 2 Nov 2004 <http://www.sanasecurity.com/common/files/asws_ds.pdf>

Detection, Prevention and Good Programming Procedure: What practices can prevent stack based overflows? What products are available to prevent them?

Ways to Attack Buffer Overflows
- Compiler based protection: writing secure code; checking array bounds; canaries
- Kernel based protection: non-executable stack; address layout randomization
- Hardware protection

Secure Coding Practices
- Don't use C
- Don't use vulnerable functions
- Check the use of those functions
- Use safer versions of these functions
- Limitations: a huge amount of code is already written; programmers still like C

Checking Array Bounds
- Static analysis: software to review the source code
- Dynamic analysis: runtime boundary checks; program testing
- Limitations: overhead affects system performance

Canaries
- Detects code injection
- Insert a canary value in between the control values and the variables
- Check the value of the canary before returning
- The function returns only if the canary value is intact
- Types: random canaries; terminator (null) canaries; random XOR canaries

Canaries (cont.)
- Limitations: requires modification of the compiler; does not prevent the return address from being overwritten; ways to modify the canary value exist

Non-Executable Stack
- Attack code injected in the stack cannot be executed
- Allows separation of data from the code
- Limitations: fails if code is accessed by manipulating function pointers; Linux uses stack execution for signals sent to processes

Address Layout Randomization
- Eliminate predictability in memory access
- Randomize the virtual memory layout
- Randomize: user stack address; kernel stack address; all file and anonymous mappings; locations of executables
- Limitations: complexity of implementation

Hardware Protection
- Extra bit in the page table for execute permission
- NX (No Execute), AMD: Athlon 64, Opteron processors
- XD (Execute Disable), Intel: Itanium, Prescott processors
- Data Execution Prevention, Microsoft: SP2

Comparison (Effectiveness and Ease of use each rated 1-10)

Method                         Effectiveness   Ease of use   Total
Non-Executable Stack           10              7             17
Array Bounds Checking          10              5             15
Canaries                       7               8             15
Secure Coding                  10              3             13
Address Layout Randomization   8               4             12
Hardware protection            8               10            18
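To make two of the slides' points concrete (the 255 'A's running past buffer[16] in the stack tutorial, and the canary check described in this section), here is an added C example that is not part of the original slides. It models one stack frame as a plain byte array with an assumed fixed canary value and a constructed saved return address, so the overflow is simulated rather than executed, and it places the slides' unbounded copy beside a length-checked one.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of one stack frame, low -> high address as the slides draw
 * it: buffer[16], then the canary, then the saved return address. It is a plain
 * byte array, so the "overflow" stays inside it and this program has no UB. */
#define BUF_SIZE   16
#define CANARY_OFF BUF_SIZE
#define RET_OFF    (BUF_SIZE + 4)
#define FRAME_SIZE (RET_OFF + 4)
#define CANARY     0xDEADBEEFu   /* assumed fixed canary value for the demo */
#define SAVED_RET  0x08048450u   /* constructed saved return address */
struct frame { uint8_t bytes[FRAME_SIZE]; };
static uint32_t word_at(const struct frame *f, size_t off) {
    uint32_t v;
    memcpy(&v, f->bytes + off, sizeof v);
    return v;
}
/* Builds a fresh frame and copies `len` 'A's (the slides' main()) into buffer[16].
 * Unhardened: the slides' strcpy, bounded only by the edge of the model frame.
 * Hardened: refuse anything that does not fit, NUL included. Returns 1 if refused. */
static int copy_into(struct frame *f, size_t len, int hardened) {
    char large_string[256];
    uint32_t canary = CANARY, ret = SAVED_RET;
    if (len > 255) len = 255;
    memset(large_string, 'A', len);
    large_string[len] = '\0';
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + CANARY_OFF, &canary, sizeof canary);
    memcpy(f->bytes + RET_OFF, &ret, sizeof ret);
    if (hardened && len + 1 > BUF_SIZE) return 1;
    memcpy(f->bytes, large_string, len + 1 > FRAME_SIZE ? FRAME_SIZE : len + 1);
    return 0;
}

/* The StackGuard-style epilogue check. 0 = copied, frame intact; 1 = input
 * refused, frame intact; 2 = canary clobbered, i.e. the overflow was detected. */
static int run_case(size_t len, int hardened) {
    struct frame f;
    int refused = copy_into(&f, len, hardened);
    if (word_at(&f, CANARY_OFF) != CANARY) return 2;
    return refused;
}

/* What sits in the saved-return slot afterwards: 0x41414141 ("AAAA") once the
 * unbounded copy has run past the canary, SAVED_RET otherwise. */
static uint32_t return_word(size_t len, int hardened) {
    struct frame f;
    copy_into(&f, len, hardened);
    return word_at(&f, RET_OFF);
}
```

Note that run_case(16, 0) also reports 2: sixteen characters plus the terminating NUL is the classic off-by-one, and the NUL alone lands on the canary.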
Conclusion
- Buffer overflow exploits: large number of attacks to date; productivity losses and damages
- Methods of detection and prevention: kernel, compiler and hardware based protection
- There is no foolproof solution: optimal results come from a combination of strategies
- We predict buffer overflows to remain a constant problem for the next several years

[Chart: Top 20 Countries with the Highest Number of Internet Users]

References
- Fayolle, Pierre-Alain. "A Buffer Overflow Study: Attacks & Defenses." 2002. ENSEIRB, Networks and Distributed Systems <http://community.core-sdi.com/~juliano/enseirb-of.pdf>
- Simon, Istvan. "A Comparative Analysis of Methods of Defense against Buffer Overflow Attacks." 31 Jan 2001. California State University, Hayward <http://www.mcs.csuhayward.edu/~simon/security/boflo.html>
- Farrow, Rik. "Blocking Buffer Overflow Attacks." 1 Nov 1999. Network Magazine.
- Festa, Paul. "Study says 'buffer overflow' is most common security bug." 23 Nov 1999. News.com <http://news.com.com/2100-1001-233483.html?legacy=cnet>
- Baratloo, Arash, et al. "Libsafe: Protecting Critical Elements of Stacks." 25 Dec 1999. Bell Labs, Lucent Technologies <http://downloads.securityfocus.com/library/libsafe.pdf>
- Schneier, Bruce. "The Process of Security." Information Security Magazine. Apr 2000.
- Altunergil, Oktay. "Understanding Rootkits." LinuxDevCenter.com. 14 Dec 2001. O'Reilly Media, Inc. 30 Oct 2004.
- Busleiman, Arturo. "Detecting and Understanding Rootkits." 21 Aug 2003. iEntry Network. 28 Oct 2004 <http://unixpronews.com/20030821.html>
- Bobkiewicz, Bartosz. "Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment." 23 Jan 2003. Internet Software Marketing Ltd. 31 Oct 2004.
- "Korgo.E Exploits Buffer Overrun Bug." 3 June 2004. Jupitermedia Corporation. 29 Oct 2004.
- "Symantec Security Response Glossary." Symantec. 29 Oct 2004.
- Liron, Marc. "The Sasser Worm Information Page." 4 May 2004. Updatexp.com. 30 Oct 2004.
- Ferrie, Peter, Frédéric Perriot and Péter Ször. "W32/Blaster worm exploits buffer overflow vulnerability." Virus Bulletin. Sept 2003. Virus Bulletin Ltd. 30 Oct 2004.
- Moore, David, et al. "Inside the Slammer Worm." IEEE Security & Privacy 1.4 (2003): 33-39. 30 Oct 2004 <http://www.computer.org/security/v1n4/j4wea.htm>
- "CERT Advisory CA-2001-19 'Code Red' Worm Exploiting Buffer Overflow In IIS Indexing Service DLL." 19 July 2001. CERT Coordination Center, Carnegie Mellon University. 30 Oct 2004 <http://www.cert.org/advisories/CA-2001-19.html>
- 4 Jan 2002. Computer Economics. 1 Nov 2004 <http://www.computereconomics.com/article.cfm?id=133>
- Sana Security. 2 Nov 2004 <http://www.sanasecurity.com/common/files/asws_ds.pdf>
- Levy, Elias. "Smashing the Stack for Fun and Profit." Phrack. 06 Oct 2004 <http://www.phrack.org/phrack/49/P49-14>
- Johnson, Richard and Peter Silberman. 2004. 1 Nov 2004.
- Beattie, Steve, et al. "Protecting Systems from Stack Smashing Attacks with StackGuard." Oregon Graduate Institute of Science and Technology. 1 Nov 2004 <http://www.dtmf.com/artexts/exp099.pdf>
- Cowan, Crispin, et al. "StackGuard: Automatic Adaptive Detection and Prevention of Buffer Overflow Attacks." Jan 1998. Oregon Graduate Institute of Science and Technology. 1 Nov 2004 <http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/usenix98.ps.gz>
- Cowan, Crispin, et al. "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade." Oregon Graduate Institute of Science and Technology. 1 Nov 2004.
- Bishop, M. and E. Haugh. "Testing C Programs for Buffer Overflow Vulnerabilities." Feb 2003. University of California, Davis. 30 Oct 2004.
- Wikiverse <http://stack-smash-protection.wikiverse.org/>
- Rogers, James. ComputerWeekly.com. 27 Jan 2004. 1 Nov 2004 <http://www.computerweekly.com/Article127806.htm>
- Frykholm, Niklas. RSA Security. 30 Nov 2000. 1 Nov 2004.