Journal Online. Buffer Overflows Seven Points IS Auditors Must Know. Holder John Doe
|
|
- Harvey Taylor
- 5 years ago
- Views:
Transcription
1 Journal Online Markus Pfister, CISA, works as an IT auditor and security consultant and is a guest teacher at the Lucerne University of Applied Sciences (Lucerne, Switzerland) for virtualization topics, where he studied information security. He was one of the developers of the COAST C++ framework and specialized in developing reverse proxy servers based upon this framework. Pfister s interests include ethical hacking and buffer overflows ISACA. All rights reserved. Buffer Overflows Seven Points IS Auditors Must Know Following the release of Aleph One s famous paper Smashing the Stack for Fun and Profit in 1996, 1 buffer overflows have been one of the top most dangerous software vulnerabilities. 2 But why should the IS auditor care about buffer overflows? Buffer overflows are the tool of trade to get access to a computer system. While phishing attacks require user interaction, since an unheeding user is tricked into opening malicious content allowing an attacker to access the user s computer, buffer overflows work without a user being involved. From a hacker s perspective, this is a less risky attack than phishing, as the hacker can avoid the risk of getting noticed by alert users. Furthermore, if a process with high privileges can be attacked (exploited), the attacker may be able to inherit the privileges of the attacked process using buffer overflow techniques. Buffer overflow exploits are readily available on the Internet. For an attacker, it can be as simple as doing some exploration to determine what programs run on a potential victim system and checking for relevant buffer overflow exploits. Buffer overflow vulnerabilities found by an individual hacker who does not share the knowledge with the vendor are deadly. In such a case, a zero-day exploit allows the attacker to strike without giving the vendor of the vulnerable program a chance to fix the vulnerability. To mitigate the risk, IS auditors should have a general knowledge of buffer overflows and how they work. This article explains the basic concepts of buffer overflows and presents seven points IS auditors should consider in their audit programs. Ingredients of Buffer Overflows What is needed to create a buffer overflow? First, a vulnerable program has to be found. This is done via fuzzing passing oversized input to a program and using a debugger to examine how the program reacts. If the oversized input causes the program to crash, chances are high that a buffer overflow vulnerability can be exploited. This is because the input overwrites the program s internal memory, causing the program to crash. Second, shell code is needed. A shell is a window on a computer system that allows users to type commands such as dir(ectory) or copy. Shell code is assembly code that opens the shell window when the code is invoked. In other words, shell code gives the attacker means to execute commands on the exploited computer system. Last, the shell code provided by the attacker must be executed through a buffer overflow. This will provide the attacker access to the exploited system. How Buffer Overflows Work For example, inside a maintenance program for account holder names and corresponding accounts, the programmer provides space for holder and account. The program writes these values to the database. The account data are stored right after the holder data in the computer memory, as shown in figure 1. Figure 1 Layout of and in Computer Memory John Doe Entering John Doe would change the holder to John Doe, as expected from the program. However, what if someone typed the following, passing 20 characters instead of the expected 10 character? John Doe characters 10 characters ISACA JOURNAL Volume 6,
2 The result depends on the security of the program code. If the program checks that only 10 characters are allowed for holder (length check), the input is refused or truncated to the allowed size. If the programmer forgot this test, the memory following holder, in the example account, is overwritten with , resulting in the change illustrated in figure 2. the attacker s computer (reverse shell) (figure 3). Firewalls control the traffic to and from a computer system, acting as traffic cops. It is common that connections originating from a computer within a company network are considered more trustworthy than incoming, external connections from the Internet. Thus, an attacker prefers a reverse shell. Figure 2 Buffer Overflow to Change Data Figure 3 Reverse Shell Used to Connect Back to the Attacker John Doe Attacker Reverse Shell Code Shell Company Firewall Company Network Vulnerable Program 10 characters 10 characters Since the program writes the input to the database, John Doe s account number is now Although this looks innocent, the attacker was able to change the program from the outside. If shell code is passed to the maintenance program, for example, the attacker might gain access to the computer on which the maintenance program runs. Passing Shell Code to a Vulnerable Program How can the attacker pass malicious code (the shell code) to a vulnerable program? Input is provided through arguments (such as invoking notepad with an additional file name) environment variables that the program reads in (e.g., the language) or through advanced hacking techniques. 3 Normally, an attacker needs access to the local machine to provide arguments to the vulnerable program or change environment variables. Many network-based services (e.g., Web Services, FTP, Telnet) or custom network programs accept remote input over the network. Remote exploits refer to programs having exploitable vulnerabilities accessible over the network. Programs accessible from the Internet or some other network should attract the IS auditor s attention since attacks are possible from every computer in the network. As mentioned, most buffer overflows aim at gaining a shell on the exploited system. For this purpose, a lot of ready-to-use shell codes are available on the Internet. After a successful exploit, an attacker might connect to the exploited server (bind shell) or have the exploited server connect back to Shell code can be detected by an intrusion detection system (IDS). Shell code obfuscation (hiding) is a challenge to an IDS, especially when the shell code is polymorphic (changes its appearance). 4 IS auditors should be aware that IDS may help raise the bar for an attacker, but there is no guarantee that an attack will be detected. The Mechanics of a Buffer Overflow Without going too deep into detail, buffer overflows aimed to execute attacker-provided code work as follows (figure 4): Input (malicious code) provided by the attacker (1) is read by the program and placed into the data fields defined by the programmer without properly checking the length of the input. This allows the attacker to place data into the program s memory. 5 The goal is to change the program flow so that the shell code provided by the attacker gets executed. Functions are called many times in programs, e.g., to copy data. When the function has done its work, the next program statement to execute is the one stored in the function s return (RET) address. If the attacker suceeds in overwriting the RET address (2) with the start address of the shell code (1), this shell code is executed on function return (3). Figure 4 Attack Code Layout and Invocation NOP NOP NOP NOP Shell Code EBP RET 2 ISACA JOURNAL Volume 6, ISACA. All rights reserved.
3 To increase chances to hit the shell code, no-operation instructions (doing nothing) are prepended to the shell code. If one of the no-operation instructions is hit, the shell code is executed after all the no-operation instructions are processed. Since the mechanisms of how to return from a function are always the same, validating checks can be inserted into code to verify that the RET address has not been changed. This is what is done by the compiler-defined safeguards discussed later in this article. Compiler Features Compilers offer features to protect memory from buffer overflow attacks. For example, they detect when the RET address or program variables are overwritten. 7 IS auditors should ensure that programs are compiled with stack protection enabled (e.g., -fstack-protector-all and D_FORTIFY_SOURCE 8 for the GNU compiler). C# programs should use safe methods, disabling the classic pointer type widely used in C/C++. Privilege Escalation Because an attacker is interested in high privileges, buffer overflows are used to attack programs that already run with high privileges, such as root or admin. Thus, the executed shell code may inherit these privileges. IS auditors should pay attention to programs that run with high privileges because they are primary targets. Countermeasures To counter the vulnerabilities caused by buffer overflows, compilers and operating systems offer built-in mechanisms to make attacks harder. IS auditors should know about them and include checks in their audit programs. ess Space Layout Randomization ess Space Layout Randomization (ASLR) randomizes the address (memory) space of a program every time the program is run. Without ASLR, an attacker can determine in advance the location of the RET address as well as the address (start of the shell code) that must be written to the RET address. Techniques include debugging, probing and analyzing the executable program file. Changing the address space every time the program runs counters exploits based on fixed addresses. Now, only two types of exploits have a chance to succeed: brute-force attacks and attacks that use addresses relative to the randomized addresses. 6 ASLR should be enabled at the operating system level (i.e., UNIX derivates, Windows). IS auditors should consider this in their audit procedures. Nonexecutable Stack and Heap Nonexecutable stack and heap prevents attack code passed to a vulnerable program from being executed. Modern CPUs support this feature by marking memory as never executable (NX). Microsoft coined the term data execution prevention (DEP). IS auditors should ensure that programs accepting remote input have nonexecutable stack/heap protection enabled. Sandboxes and Virtualization The last and most effective protection mechanism is separating applications from each other using virtualization. Code may run in a sandbox (e.g., Java,.NET), limiting a successful exploit to the sandbox. With containers, many instances of an application regardless of the programming language with which it was written may run on the same hosting server in a jail, separated from each other. IS auditors should audit the following points:.net applications should, whenever feasible, run as managed code and be sandboxed. 9 Java applications should use the Java Native Interface, allowing it to call code written in other programming languages only if absolutely necessary. Security-critical applications should run in a separated environment. This can be achieved using virtualization and security zoning. Circumventing the Protection Mechanism Part of the fascination in the security area is the ongoing challenge between people trying to exploit software and those providing countermeasures ISACA. All rights reserved. ISACA JOURNAL Volume 6,
4 Audit Guidelines Summary A critical step in the audit process is to determine the applications and servers that might be subject to buffer overflow attacks and assess the associated risk. The following questions may help IS auditors find the appropriate answers: 1. Is an application or server exposed to the Internet or accessible over a network and is input to an application provided remotely ( remote exploit )? 2. Is a server a focal point in the IT landscape, such as a web entry server, a jump server or a hosting server for virtualization? 3. Are applications running with high privileges? 4. Is the application written in a language known for being safe from buffer overflows or vulnerable to them? 5. If the programming language is vulnerable to buffer overflows, were the developers trained in avoiding buffer overflows and did they use appropriate compiler options and safe code libraries? 6. Are regular patch procedures in place? 7. Are the implications using virtualization to mitigate the risk of buffer overflows understood and considered? 11 Conclusion Buffer overflows are a serious threat. However, many protection and prevention mechanisms are available and their usage should be audited. While it is not enough to rely solely on the protection mechanisms presented in this article, they help raise the bar for an attacker. Virtualization, used correctly, further confines the attack to defined security perimeters. The best countermeasure is to eliminate buffer overflows using development tools that assist programmers detecting pitfalls or using programming languages and runtime environments that are (relatively) immune to buffer overflow attacks. Most important, developers must be trained to know the implications of buffer overflows and how to avoid them, and IS auditors should understand the threats of buffer overflows and act accordingly in their audit programs. Endnotes 1 Aleph One, Smashing the Stack for Fun and Profit, 1996, 2 CWE/SANS ranks buffer overflows third. The MITRE Corporation, 2011 CWE/SANS Top 25 Most Dangerous Software Errors, 2011, 3 Scut/Team Teso, Exploiting Format String Vulnerabilities, 2001, cs155old/cs155-spring08/papers/formatstring-1.2.pdf 4 Song, Yingbo, et al.; On the Infeasibility of Modeling Polymorphic Shell Code, 2009, Springer, columbia.edu/~angelos/papers/2010/polymorph-mlj.pdf 5 This is the typical strcpy (buffertooverflow, inputfromuser) programming flaw. Before inputfromuser is copied (this is what strcpy does), it should be cleaned (untainted) from dangerous injections and truncated to the size buffertooverflow can hold. 6 Learn more about this in: Muller, Tilo; ASLR Smack & Laugh Reference, 2008, edu/~dbrumley/courses/18739c-s11/docs/aslr.pdf 7 IBM, GCC Extension for Protecting Applications From Stack-smashing Stacks, projects/security/ssp/ 8 With the GNU compiler FORTIFY_SOURCE setting specialized, versions of system calls known as notorious causes for buffer overflows are used. A system call such as copy memory from A to B limits the amount of copied memory to the size of the target memory location. 9 Da, Andrew; Exploring the.net Framework 4 Security Model, ee aspx 10 The following document contains an excellent chart depicting the advances in circumventing protection mechanisms against buffer overflows. The chart demonstrates that buffer overflows are evolving over time and that there does not seem to be an end to it in the near future. Syssec, Deliverable D7.1: Review of the State-ofthe-Art in Cyberattacks, 2011, p. 14, eu/media/page-media/3/syssec-d7.1-soa-cyberattacks.pdf 11 For an in-depth discussion of virtualization threats, refer to: Markus Pfister, Risk Mitigation in Virtualized Systems, 2008, Dokumente/04_Downloads/DO_04_Diplomarbeiten/ Diplom_Risk_Mitigation.pdf\ 4 ISACA JOURNAL Volume 6, ISACA. All rights reserved.
5 The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal. Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors content ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN ( ), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. 5 ISACA JOURNAL Volume 6, 2013
SAME RISK-BASED APPROACH
Journal Online Using Microsoft Office in Analyzing SAP SoD and Beyond Haiyan Chen, CISA, CIA, is head of IT internal audit in the group internal audit department of Sodexo. He has many years of experience
More information1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques
1 Bug Hunting Bug hunting is the process of finding bugs in software or hardware. In this book, however, the term bug hunting will be used specifically to describe the process of finding security-critical
More informationCMSC 414 Computer and Network Security
CMSC 414 Computer and Network Security Buffer Overflows Dr. Michael Marsh August 30, 2017 Trust and Trustworthiness You read: Reflections on Trusting Trust (Ken Thompson), 1984 Smashing the Stack for Fun
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationMapping PCI DSS v2.0 With COBIT 4.1 By Pritam Bankar, CISA, CISM, and Sharad Verma
Volume 2, April 2011 Come join the discussion! Pritam Bankar and Sharad Verma will be responding to questions and comments in the discussion area of the COBIT Use It Effectively topic beginning 21 April
More informationCSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Buffer Overflow Professor Lisa Luo Spring 2018 Previous Class Virus vs. Worm vs. Trojan & Drive-by download Botnet & Rootkit Malware detection Scanner Polymorphic malware
More informationCS 356 Operating System Security. Fall 2013
CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database
More informationManaged. Code Rootkits. Hooking. into Runtime. Environments. Erez Metula ELSEVIER. Syngress is an imprint of Elsevier SYNGRESS
Managed Code Rootkits Hooking into Runtime Environments Erez Metula ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON NEWYORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO Syngress is an imprint
More informationLab 2: Buffer Overflows
Department of Computer Science: Cyber Security Practice Lab 2: Buffer Overflows Introduction In this lab, you will learn how buffer overflows and other memory vulnerabilities are used to takeover vulnerable
More informationEthical Hacking: Preventing & Writing Buffer Overflow Exploits
Ethical Hacking: Preventing & Writing Buffer Overflow Exploits Rochester Security Summit 2014 Rochester OWASP Chapter Lead Ralph Durkee - Durkee Consulting, Inc. info@rd1.net Ralph Durkee Background Founder
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationMemory corruption countermeasures
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 30th January 2014 Outline Announcement Recap Containment and curtailment Stack tamper detection
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More informationSecure Programming I. Steven M. Bellovin September 28,
Secure Programming I Steven M. Bellovin September 28, 2014 1 If our software is buggy, what does that say about its security? Robert H. Morris Steven M. Bellovin September 28, 2014 2 The Heart of the Problem
More informationThe first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.
Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming
More informationBuffer Overflow Vulnerability
Buffer Overflow Vulnerability 1 Buffer Overflow Vulnerability Copyright c 2006 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National
More informationSecure Programming Lecture 6: Memory Corruption IV (Countermeasures)
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory
More informationBuffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.
Buffer Overflows A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers. By: Brian Roberts What is a buffer overflow? In languages that deal with data structures
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks
ENEE 457: Computer Systems Security Lecture 16 Buffer Overflow Attacks Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park Buffer overflow
More informationCode with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function
1 Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function IsPasswordOK(), and compares it with the correct password.
More informationI run a Linux server, so we re secure
Silent Signal vsza@silentsignal.hu 18 September 2010 Linux from a security viewpoint we re talking about the kernel, not GNU/Linux distributions Linux from a security viewpoint we re talking about the
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationSoftware Security: Buffer Overflow Attacks
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationC and C++ Secure Coding 4-day course. Syllabus
C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationComputer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 04r. Pre-exam 1 Concept Review Paul Krzyzanowski Rutgers University Spring 2018 February 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Key ideas from the past four lectures February 15, 2018
More informationSymlink attacks. Do not assume that symlinks are trustworthy: Example 1
Symlink attacks Do not assume that symlinks are trustworthy: Example 1 Application A creates a file for writing in /tmp. It assumes that since the file name is unusual, or because it encodes A's name or
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationSECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER
SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER INFLUENCER @RESPONSIBLE CYBER 1 AGENDA 1. Introduction: What is security? How much
More informationExercise 6: Buffer Overflow and return-into-libc Attacks
Technische Universität Darmstadt Fachbereich Informatik System Security Lab Prof. Dr.-Ing. Ahmad-Reza Sadeghi M.Sc. David Gens Exercise 6: Buffer Overflow and return-into-libc Attacks Course Secure, Trusted
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationStack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security
Running Head: BUFFER OVERFLOW 1 Stack-Based Buffer Overflow Explained Marc Koser East Carolina University ICTN 4040: Enterprise Information Security Instructor: Dr. Philip Lunsford 03-17-2015 Prepared
More informationTOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION
INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017 INTRODUCTION The Top 10 Information Technology (IT) Security
More informationTrends in Open Source Security. FOSDEM 2013 Florian Weimer Red Hat Product Security Team
Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat Product Security Team 2013-02-02 Overview 2 Vulnerability tracking Tool-chain hardening Distribution-wide defect analysis
More informationShellbased Wargaming
Shellbased Wargaming Abstract Wargaming is a hands-on way to learn about computer security and common programming mistakes. This document is intended for readers new to the subject and who are interested
More informationECE 471 Embedded Systems Lecture 22
ECE 471 Embedded Systems Lecture 22 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 31 October 2018 Don t forget HW#7 Announcements 1 Computer Security and why it matters for embedded
More informationshortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge
shortcut Your Short Cut to Knowledge The following is an excerpt from a Short Cut published by one of the Pearson Education imprints. Short Cuts are short, concise, PDF documents designed specifically
More informationCompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management
CompTIA Security+ Lecture Six Threats and Vulnerabilities Vulnerability Management Copyright 2011 - VTC Malware Malicious code refers to software threats to network and systems, including viruses, Trojan
More informationHands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits
Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits OWASP AppSec 2013 Rochester OWASP Chapter Lead Ralph Durkee - Durkee Consulting, Inc. info@rd1.net Hands-on Ethical Hacking: Preventing
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationChapter 9. Firewalls
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however
More informationSecurity and Privacy in Computer Systems. Lecture 5: Application Program Security
CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project
More informationWe will focus on Buffer overflow attacks SQL injections. See book for other examples
We will focus on Buffer overflow attacks SQL injections See book for other examples Buffer overrun is another common term Buffer Overflow A condition at an interface under which more input can be placed
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationCSCD 303 Fall Lecture 15 Buffer Overflows
CSCD 303 Fall 2017 Lecture 15 Buffer Overflows 1 Introduction Buffer overflow What s a buffer overflow? How do attackers exploit buffer overflows? Potential solutions 2 Vulnerabilities are Everywhere Some
More informationBuffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to
CPSC 8810 Fall 2018 Lab 1 1 Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through email to lcheng2@clemson.edu Copyright c 2006-2014 Wenliang Du, Syracuse
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationInformation Security Architecture Gap Assessment and Prioritization
FEATURE Information Security Architecture Gap Assessment and Prioritization Do you have something to say about this article? Visit the Journal pages of the ISACA website (www.isaca. org/journal), find
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationCIT 380: Securing Computer Systems. Software Security
CIT 380: Securing Computer Systems Software Security Topics 1. The problem of software security 2. System security standards 3. Secure lifecycle 4. Buffer overflows 5. Integer overflows 6. Format string
More informationBuffer Overflow Defenses
Buffer Overflow Defenses Some examples, pros, and cons of various defenses against buffer overflows. Caveats: 1. Not intended to be a complete list of products that defend against buffer overflows. 2.
More informationACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems
ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationControl-M and Payment Card Industry Data Security Standard (PCI DSS)
Control-M and Payment Card Industry Data Security Standard (PCI DSS) White paper PAGE 1 OF 16 Copyright BMC Software, Inc. 2016 Contents Introduction...3 The Need...3 PCI DSS Related to Control-M...4 Control-M
More informationCertified Ethical Hacker
Certified Ethical Hacker Certified Ethical Hacker Course Objective Describe how perimeter defenses function by ethically scanning and attacking networks Conduct information systems security audits by understanding
More informationProtection and Mitigation of Software Bug Exploitation
Protection and Mitigation of Software Bug Exploitation Vartan Padaryan vartan@ispras.ru 1 How safe is latest Linux release? Command line arguments fuzzer (inspired by Brumley s article) Launch programs
More informationEthical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities
Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls
More informationComputer Network Vulnerabilities
Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,
More informationProtection. Thierry Sans
Protection Thierry Sans Protecting Programs How to lower the risk of a program security flaw resulting from a bug? 1. Build better programs 2. Build better operating systems Build Better Programs Why are
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationCIT 480: Securing Computer Systems. Software Security
CIT 480: Securing Computer Systems Software Security Topics 1. The problem of software security 2. System security standards 3. Secure lifecycle 4. Buffer overflows 5. Integer overflows 6. Format string
More informationSpectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick
Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment Orin Thomas @orinthomas Jeff Melnick Jeff.Melnick@Netwrix.com In this session Vulnerability types Spectre Meltdown Spectre
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationCISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline
CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker Learn to find security vulnerabilities before the bad guys do! The Certified Ethical Hacker (CEH) class immerses students in an interactive environment
More informationHeaps of Heap-based Memory Attacks
Heaps of Heap-based Memory Attacks Kevin Leach kleach2@gmu.edu Center for Secure Information Systems 3 October 2012 K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October 2012 1 / 23 Goals During
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationCS 161 Computer Security
Wagner Spring 2014 CS 161 Computer Security Midterm 1 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be reported
More informationHunting Security Bugs
Microsoft Hunting Security Bugs * Tom Gallagher Bryan Jeffries Lawrence Landauer Contents at a Glance 1 General Approach to Security Testing 1 2 Using Threat Models for Security Testing 11 3 Finding Entry
More informationModern Buffer Overflow Prevention Techniques: How they work and why they don t
Modern Buffer Overflow Prevention Techniques: How they work and why they don t Russ Osborn CS182 JT 4/13/2006 1 In the past 10 years, computer viruses have been a growing problem. In 1995, there were approximately
More informationBuilding a Reactive Immune System for Software Services
Building a Reactive Immune System for Software Services Tobias Haupt January 24, 2007 Abstract In this article I summarize the ideas and concepts of the paper Building a Reactive Immune System for Software
More informationCSE 544 Advanced Systems Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CSE 544 Advanced Systems
More informationFIREWALL BEST PRACTICES TO BLOCK
FIREWALL BEST PRACTICES TO BLOCK Ransomware attacks are only increasing in complexity and are getting more efficient at exploiting network and system vulnerabilities, leaving organizations with a significant
More informationTOP 10 Vulnerability Trends for By Nevis Labs
TOP Vulnerability Trends for 28 By Nevis Labs Date: December 11, 27 Page 1 It s the last month of 27 and the time is right to look back at the year and predict the vulnerability trends for 28. A quick
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationDeliver Strong Mobile App Security and the Ultimate User Experience
Deliver Strong Mobile App Security and the Ultimate User Experience The Presenters Will LaSala, Director of Services @ VASCO Will has been with VASCO since 2001 and over the years has been involved in
More informationPractical Techniques for Regeneration and Immunization of COTS Applications
Practical Techniques for Regeneration and Immunization of COTS Applications Lixin Li Mark R.Cornwell E.Hultman James E. Just R. Sekar Stony Brook University Global InfoTek, Inc (Research supported by DARPA,
More informationTopics in Software Security Vulnerability
Topics in Software Security Vulnerability Software vulnerability What are software vulnerabilities? Types of vulnerabilities E.g., Buffer Overflows How to find these vulnerabilities and prevent them? Classes
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More information