How to Break Software by James Whittaker

Similar documents
Testing. How to break software Acknowledgements: Michael Huth

Lecture 4 September Required reading materials for this class

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

CS 161 Computer Security. Security Throughout the Software Development Process

Testing. Prof. Clarkson Fall Today s music: Wrecking Ball by Miley Cyrus

Lecture 17: Testing Strategies. Developer Testing

CS252 S05. Main memory management. Memory hardware. The scale of things. Memory hardware (cont.) Bottleneck

Fuzzing: Breaking software in an automated fashion

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

16 Sharing Main Memory Segmentation and Paging

15 Sharing Main Memory Segmentation and Paging

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

Processes. Sanzheng Qiao. December, Department of Computing and Software

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

Recall: Address Space Map. 13: Memory Management. Let s be reasonable. Processes Address Space. Send it to disk. Freeing up System Memory

The compiler is spewing error messages.

MSRPC Heap Overflow Part II

Memory Management Outline. Operating Systems. Motivation. Paging Implementation. Accessing Invalid Pages. Performance of Demand Paging

Lecture 3: O/S Organization. plan: O/S organization processes isolation

CS 167 Final Exam Solutions

ECE 471 Embedded Systems Lecture 22

ECS 153 Discussion Section. April 6, 2015

Hardware, Modularity, and Virtualization CS 111

P1_L3 Operating Systems Security Page 1

CS61 Scribe Notes Date: Topic: Fork, Advanced Virtual Memory. Scribes: Mitchel Cole Emily Lawton Jefferson Lee Wentao Xu

Page Replacement. (and other virtual memory policies) Kevin Webb Swarthmore College March 27, 2018

All you need is fun. Cons T Åhs Keeper of The Code

Verification & Validation of Open Source

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

CS 31: Intro to Systems Pointers and Memory. Kevin Webb Swarthmore College October 2, 2018

Final Examination CS 111, Fall 2016 UCLA. Name:

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

RCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry:

CS61 Scribe Notes Lecture 18 11/6/14 Fork, Advanced Virtual Memory

VFS, Continued. Don Porter CSE 506

OS: An Overview. ICS332 Operating Systems

Intrusion Detection and Malware Analysis

Security. 1 Introduction. Alex S. 1.1 Authentication

CS 241 Honors Memory

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

CS61C : Machine Structures

Security Coding Module - Buffer Overflow Data Gone Wild CS1

High Reliability Systems. Lloyd Moore, President

Goal of lecture. Object-oriented Programming. Context of discussion. Message of lecture

Operating Systems Virtual Memory. Lecture 11 Michael O Boyle

ò Server can crash or be disconnected ò Client can crash or be disconnected ò How to coordinate multiple clients accessing same file?

Process Description and Control. Chapter 3

Black-box Testing Techniques

NFS. Don Porter CSE 506

CS 111. Operating Systems Peter Reiher

Virtual Memory Management

Testing. Unit, integration, regression, validation, system. OO Testing techniques Application of traditional techniques to OO software

Chapter 9: Virtual Memory

An Interrupt is either a Hardware generated CALL (externally derived from a hardware signal)

EXAMINING THE CODE. 1. Examining the Design and Code 2. Formal Review: 3. Coding Standards and Guidelines: 4. Generic Code Review Checklist:

Hackveda Training - Ethical Hacking, Networking & Security

Contents. Error Message Descriptions... 7

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

Recitation #12 Malloc Lab - Part 2. November 14th, 2017

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2008.

Swapping. Operating Systems I. Swapping. Motivation. Paging Implementation. Demand Paging. Active processes use more physical memory than system has

CS 103 Lab The Files are *In* the Computer

Embedded Systems Dr. Santanu Chaudhury Department of Electrical Engineering Indian Institute of Technology, Delhi

Analysis of MS Multiple Excel Vulnerabilities

Multithreading and Interactive Programs

CS510 Operating System Foundations. Jonathan Walpole

Operating Systems. Operating System Structure. Lecture 2 Michael O Boyle

CPS104 Computer Organization and Programming Lecture 16: Virtual Memory. Robert Wagner

Buffer overflow background

Programming assignment A

Data Structures and Algorithms Dr. Naveen Garg Department of Computer Science and Engineering Indian Institute of Technology, Delhi.

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

Address spaces and memory management

OS structure. Process management. Major OS components. CSE 451: Operating Systems Spring Module 3 Operating System Components and Structure

Another View of the Memory Hierarchy. Lecture #25 Virtual Memory I Memory Hierarchy Requirements. Memory Hierarchy Requirements

CSCI 1100L: Topics in Computing Lab Lab 11: Programming with Scratch

Laboratory Assignment #4 Debugging in Eclipse CDT 1

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Memory Corruption 101 From Primitives to Exploit

Building a Reactive Immune System for Software Services

Important From Last Time

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 13: Address Translation

CS61C Machine Structures. Lecture 4 C Pointers and Arrays. 1/25/2006 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

HOUR 4 Understanding Events

CPS 104 Computer Organization and Programming Lecture 20: Virtual Memory

CS 550 Operating Systems Spring Interrupt

CS 142 Style Guide Grading and Details

Software Design Models, Tools & Processes. Lecture 6: Transition Phase Cecilia Mascolo

Reversed Buffer Overflow Cross Stack Attacks. Kris Kaspersky Endeavor Security, Inc.

Chapter 8: Virtual Memory. Operating System Concepts Essentials 2 nd Edition

Lecture 4: Memory Management & The Programming Interface

Finding and Fixing Bugs

int $0x32 // call interrupt number 50

EECS 482 Introduction to Operating Systems

Transcription:

How to Break Software by James Whittaker CS 470 Practical Guide to Testing Consider the system as a whole and their interactions File System, Operating System API Application Under Test UI Human invokes app App requests memory from OS App interfaces with database, API, libraries App opens, reads, and closes files Opening powerpoint : 59 calls to 29 Windows functions upon invocation 1

Testing Let s examine attacks from these perspectives User Interface Black Box : Inputs and Outputs Open Box : Explore stored data, computation and feature interaction System Interface File System Operating System Black Box User Interface Attack #1 Apply inputs that force error messages to occur Basic test to ensure that software responds appropriately to bad input Ensures developers wrote code to handle erroneous input, something that is often not in their mindset How to carry out: explore input types, length, boundary values Example: Word 2000. I)nsert, Index and Tables, change Columns to five, press enter. Get two error messages. 2

Attack 1 Example On Windows ME, Powerpoint 2000, inserting MSVSA Button Class Object from Insert menu, Object item Powerpoint found an error that it can t correct. You should save presentations, quit, and then restart Powerpoint. UI Attack #2 Apply inputs that force the software to (re) establish default values If software tries to use a variable before it is initialized to a proper value, the software will fail How to carry out: Change default values, enter null values, enter legit values and switch to null values Example: Word 2000, I)nsert, Index and Tables, Table of Contents, click Options and Enter. Anything missing? 3

UI Attack #3 Explore allowable character sets and data types Example, in an input string, try NULL character or other characters that might be used as delimiters Unix uses ^D as text end-of-file, program might terminate or behave unpredictably In some bugs, shell command strings can be sent UI Attack #4 Overflow input buffers Exceeding array or structure size will cause a crash How: input long strings or other data beyond normal size Example : Word 2000, find/replace. Replace a short string with one that is 255 characters long. Winword crash. Such bugs are more serious in a server or other component that could be exploited to run arbitrary code 4

UI Attack #5 Find inputs that interact and test combinations of their values Check to see if integration testing has been adequately performed How to carry out: identify candidate processes that are normally separate, but through some interaction may share a common data structure Example: Word 2000, insert table. Max columns = 63 but Max rows = 32767. App hangs if enter 32000+ rows and 50+ for columns. UI Attack #6 Repeat the same input or series of inputs numerous times Applicable when input received within a loop. May consume resources or cause data initialization problems. Example : memory leak, chunk of allocated memory not released 5

UI Attack #7 Force different outputs to be generated for each input This checks if all major behaviors associated with each input are tested How: A single input often causes different outputs depending on the context Example: picking up the phone when someone else is on the line, vs. idle UI Attack #8 Force invalid outputs to be generated Similar to attack #7, but focusing on invalid outputs One key ingredient is often input sequencing to generated the invalid output Example: Feb 29, 2001 possible on Windows NT date/time clock if Feb 29 selected on a valid date (leap year) then change year to 2001 6

Attack #9 Force properties of an output to change Gives testers a way to think about persistent outputs; outputs that hang around on the screen or file can be updated in ways to break the software How to conduct: Set properties to one value, then try changing to something else Example: WordArt in Windows 2000. Enter long word art too big to fit on the screen. This sets the width/height properties. Then edit to a single letter. The width/height properties stay the same. UI Attack #10 Force the screen to refresh There are often errors with refresh events where not everything is repainted correctly How to conduct: resize, minimize, drag objects about so they are overlapping Example: Equation Editor in Word 2000 has refresh problems as formulas are added 7

Open Box - UI Attack #11 Apply inputs using a variety of initial conditions Search for a configuration where internal data is incompatible with the inputs and input sequences As with all open box attacks, requires access to the source to design the attack UI Attack #12 Force a data structure to store too many or too few values The overflow/boundary check problem for arrays or data structures Even dynamic structures like lists or stacks have upper bounds How to conduct : Read/write beyond size of allocated array or data structures Example : Table in Word with 32767 rows and 50 columns 8

UI Attack #13 Investigate ways to modify internal data constraints More general form of previous attack; rather than concentrate on overflowing size, investigate violating any constraint (e.g. dimension, location on screen, etc.) How to conduct: Look for constraints and see if there are any ways to access ways to violate them Example: Powerpoint 2000. Insert table; allows only 25x25 in creation. But then edit the table to insert a row and column (boom!) UI Attack #14 Experiment with invalid operand and operator combinations Verifies that computations do not take place with incorrect or invalid data, that the software accounts for more global exception handling Ex: divide by zero Example: Windows calculator. Take square root of 4 (inverse x 2 ). Then square and subtract 4. Don t get zero! (close, though). Windows hides the floating point format in rounding the number. 9

UI Attack #15 Force a function to call itself recursively Checks if developer correctly handles the termination case and whether or not an object can interact with itself Can manifest itself as an infinite loop How to conduct: Find recursive calls and test if there are ways to invoke them Example: Insert a footnote within a footnote in Word 2000; get weird behavior, should be disabled UI Attack #16 Find features that share data or interact poorly These are candidates for errors with integration, especially when we are mixing data types or creating new data structures How to conduct: Look at shared features and ask if the same inputs can be applied to each feature in question Example: Word 2000, resize embedded text box, picture, word art, or drawing objects that have been grouped together 10

System Interface Attacks First let s look at attacks through the file system Inputs from the file system similar to inputs from the user But often even worse since many apps expect user input to be weird, but files often expected to be consistent with some specified format Media Based Attacks: Simulate problems with the storage media, e.g. failure in the disk File Based Attacks: Problems with properties of a particular file System Attack #1 Fill the file system to its capacity Has the developer tested for this potential problem? A crash would be undesirable when the user has the chance to free up some space to allow execution to continue How to conduct: Fill file system, try file operations 11

System Attack #2 Force the media to be busy or unavailable A resource may be unavailable in a multitasking operating system Does the app wait, lock, or? Typically we can look at issues such as delayed response times; may need to put up appropriate delay error messages System Attack #3 Damage the media Useful for software that should work despite damaged media, or software that should at least detect that there was a problem with the file Dust, dirt, scratches, magnetic scrambling 12

System Attack #4 Assign an invalid file name File names often restricted by the file system, or can exploit common standards used by the file system (long names, weird characters, etc.) Example: Saving a Word file as startrek;starwars-8.1.2001 is saved, but the.doc extension is not generated and a user could not double-click to open it System Attack #5 Vary file access permissions Can uncover subtle bugs if apps might require most general permissions Example: Web server app may not function properly unless all permission set to readable, but then this might compromise security 13

System Attack #6 Vary or corrupt file contents Simulates data being modified intentionally (perhaps maliciously) or incidentally (e.g., during transmission). Many apps may not check for an error code. Ex: With Excel, a carefully placed bad block causes the file to open, but then Excel crashes with a memory pointer error (Instruction referenced memory at address 08). Should notify user the file is bad. Operating System Attacks Next, let s look at various attacks through the operating system (excluding the file system) 14

System Attack #7 Exhaust the amount of physical memory Does the application handle cases when no more free memory is available on the heap? C/C++ coders: When was the last time you checked if your new call returned null? Can also test under varying amounts of memory or generating other memory faults System Attack #8 Inject Network Faults Explore network traffic, load on a particular port, or loss of services (e.g. network is down, port unavailable) Useful to examine performance E.g., on versions of IE can lose current page if network shut down 15

Generating System Faults Some of these system faults are difficult to generate, e.g. Out of memory Locked memory Out of disk space CRC errors Tools exist to simulate the system software Tester can inject faults of choosing Ex. Canned HEAT or Holodeck from Florida Institute of Technology Virtual machine, e.g. VM Ware of Virtual Server Canned Heat 3 16

Conclusions Being a tester is like studying for a Ph.D.; the more you learn, the more you realize there is much more to know Testing is not something one can master, always something new to learn But we can learn what kind of tests to perform and what kind of bugs are common Testing often not as glamorous as developing, but requires lots of creativity and often as much expertise as the developer to do well Can be challenging and also fun to find bugs! 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback