CS161 Midterm 1 Review (PowerPoint presentation)



SLIDE 1

CS161 Midterm 1 Review

Midterm 1: March 4, 18:30-20:00, same room as lecture

SLIDE 2

Security Analysis and Threat Model

  • Basic security properties
    – CIA
  • Threat model
  • A. We want perfect security
  • B. Security is about risk analysis and economics

Answer is B.

SLIDE 3

Software Vulnerabilities

  • Buffer overflow vulnerabilities and attacks
  • Integer overflow vulnerabilities and attacks
  • Format string vulnerabilities and attacks
  • Arc injection/return-to-libc/ROP vulnerabilities and attacks
  • General control hijacking attacks
  • Data hijacking attacks

SLIDE 4

General Control Hijacking

(Figure: a Control Flow Pointer, which may be a return address, frame pointer, exception handler, function pointer held as a local variable, function pointer in the heap, or longjmp pointer, normally jumps to the expected code; after the overwrite it jumps to shellcode or a library entry point (return to libc).)

Overwrite Step: Find some way to modify a Control Flow Pointer to point to your shellcode, library entry point, or other code of interest.

Activate Step: Find some way to activate that modified Control Flow Pointer.

Dawn Song 4

SLIDE 5

Instances of Control Hijacking

Location in Memory | Control Flow Pointer | How to activate
Stack | Return Address | Return from function
Stack | Frame Pointer | Return from function
Stack | Function pointers as local variables | Reference and call function pointer
Stack | Exception Handler | Trigger exception
Heap | Function pointer in heap (i.e. method of an object) | Reference and call function pointer
Anywhere | setjmp and longjmp program state buffer | Call longjmp

(Figure: a stack frame holding buf, local function pointers, exception handlers, the saved frame pointer and the return address; a heap object T whose vtable points to method #1, #2 and #3 via FP1, FP2 and FP3, laid out next to a buf; and a longjmp state buffer of saved pointers and other data, also next to a buf.)

SLIDE 6

Data Hijacking

  • Modifying data in a way not intended

Example: Authentication variable

(Figure: stack frame laid out as arguments, return address, stack frame pointer, authentication_variable, buffer.)

Normal Situation: User types in a password which is stored in the buffer, and if the user is successfully authenticated, the authentication_variable is set.

Exploited Situation: User types in a password which is long enough to overflow buffer and into the authentication_variable. The user is now unintentionally authenticated.
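As an added example (not from the slides), the authentication check the slide describes written out in C, the vulnerable shape next to a hardened one. The stored password and the 16-byte buffer are constructed values, and whether the overflow actually lands on authentication_variable depends on how the compiler lays out the frame, so only the hardened function is exercised.

```c
#include <stdio.h>
#include <string.h>

#define STORED_PASSWORD "correct-horse"   /* constructed; real code compares a salted hash */

/* Vulnerable shape from the slide: authentication_variable shares the stack
 * frame with buffer, and strcpy() has no bounds check, so a password longer
 * than buffer runs into authentication_variable (data hijacking).  Whether
 * the overwrite lands depends on the compiler's frame layout, so this
 * function is shown for contrast only and is not called below. */
int authenticate_vulnerable(const char *password) {
    int authentication_variable = 0;
    char buffer[16];
    strcpy(buffer, password);                      /* unbounded copy */
    if (strcmp(buffer, STORED_PASSWORD) == 0)
        authentication_variable = 1;
    return authentication_variable;
}

/* Hardened version: reject anything that does not fit before copying, so
 * the write can never reach a neighbouring variable; only a real match
 * sets authentication_variable. */
int authenticate_safe(const char *password) {
    int authentication_variable = 0;
    char buffer[16];
    size_t len = strlen(password);
    if (len >= sizeof buffer)                      /* longer than any valid password */
        return 0;
    memcpy(buffer, password, len + 1);             /* bounded copy including the NUL */
    if (strcmp(buffer, STORED_PASSWORD) == 0)
        authentication_variable = 1;
    return authentication_variable;
}

int main(void) {
    /* constructed inputs: the real password, a wrong one, and a 32-byte overflow attempt */
    const char *inputs[] = { STORED_PASSWORD, "wrong", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < 3; i++)
        printf("%-34s -> authenticated=%d\n", inputs[i], authenticate_safe(inputs[i]));
    return 0;
}
```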

SLIDE 7

Stack and Format Strings

  • Function behavior is controlled by the format string
  • Retrieves parameters from stack as requested: "%"
  • Example:

printf("Number %d has no address, number %d has: %08x\n", i, a, &a)

(Figure: stack top … <&a> <a> <i> A … stack bottom)

A: Address of the format string
i: Value of variable i
a: Value of variable a
&a: Address of variable a
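An added example, not from the slides: a counter for how many arguments a printf-style format string will pull from the argument list, which is the check -Wformat performs at compile time, applied to the slide's own format string. The function names are this example's own.

```c
#include <ctype.h>
#include <string.h>

/* Count the arguments a printf-style format string consumes: one per
 * conversion, one more for each '*' width or precision, none for "%%".
 * This makes the slide's point concrete: printf never consults the caller's
 * argument list, the format string alone decides how many values are read. */
int format_arg_count(const char *fmt) {
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                                /* "%%" prints a literal '%' */
            continue;
        while (*p && strchr("-+ #0", *p)) p++;        /* flags */
        if (*p == '*') { count++; p++; }              /* width taken from an argument */
        else while (isdigit((unsigned char)*p)) p++;
        if (*p == '.') {                              /* precision */
            p++;
            if (*p == '*') { count++; p++; }
            else while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;      /* length modifiers */
        if (*p == '\0')                               /* truncated spec at end of string */
            break;
        count++;                                      /* the conversion itself */
    }
    return count;
}

/* The defensive rule: whatever reaches the format position must consume
 * exactly the arguments the caller supplies.  User input passed as the
 * format (printf(user)) fails this as soon as it contains a conversion,
 * which is why it belongs behind a fixed format such as printf("%s", user). */
int format_matches_args(const char *fmt, int nargs) {
    return format_arg_count(fmt) == nargs;
}
```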

SLIDE 8

SW Vuln. Defenses

  • Non-execute (NX)
  • Stack canaries
  • ASLR
  • Bounds check
  • Which defenses are effective against what attacks?

SLIDE 9

  • Defense against buffer overflow attacks

Defenses/Mitigations (* when applicable):

Location | Code Injection | Arc Injection
Stack | Non-Execute (NX)*, ASLR, StackGuard (Canaries), ProPolice /GS, libsafe | ASLR, StackGuard (Canaries), ProPolice /GS, libsafe
Heap | Non-Execute (NX)*, ASLR, PointGuard | ASLR, PointGuard
Exception Handlers | Non-Execute (NX)*, ASLR, SAFESEH and SEHOP | ASLR, SAFESEH and SEHOP

Effectiveness and Limitations:

Location | Code Injection | Arc Injection
Stack | Non-Execute (NX)*, ASLR, StackGuard (Canaries) | ASLR, StackGuard (Canaries)
Heap | Non-Execute (NX)*, ASLR | ASLR
Exception Handlers | Non-Execute (NX)*, ASLR | ASLR

SLIDE 10

Fuzzing

  • Random fuzzing
  • Mutation-based fuzzing
  • Generation-based fuzzing
  • Code coverage
    – line, branch and path coverage
  • Example problem: given a program, calculate how many inputs can achieve a full line/branch/path coverage (e.g., Discussion 5)

SLIDE 11-17

Coverage Metrics

(Figures, built up over seven slides: Lines; Lines and Branches; Lines, Branches and Paths.)

SLIDE 18

Quiz on Line Coverage

(Figure: code listing, lines 1-4.)

How many lines are in this code? How many test cases (pairs of values for (a,b)) are needed to achieve 100% line coverage?

SLIDE 19

Quiz on Branch Coverage

(Figure: code listing, lines 1-4.)

How many branches are in this code? How many test cases (pairs of values for (a,b)) are needed to achieve 100% branch coverage?

SLIDE 20

Quiz on Path Coverage

(Figure: code listing, lines 1-4.)

How many paths are in this code? How many test cases (pairs of values for (a,b)) are needed to achieve 100% path coverage?

SLIDE 21

Completeness of Coverage Metrics

Which of the following coverage results guarantee the bug will be found?

  • 100% line coverage
  • 100% branch coverage
  • 100% path coverage
  • None of the above
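An added worked example for the three quizzes and the completeness question above, not the quiz's own code (the listing is not reproduced on this page): a constructed four-line program with two independent branches on (a, b), instrumented so a test set's line, branch and path coverage can be measured, plus a value-dependent fault that 100% path coverage still misses. All names and test values are constructed.

```c
#include <stdio.h>

/* Constructed program under test: four tracked lines, two independent
 * branches on (a, b), and a fault reached by only one value combination. */
static unsigned lines_hit, branches_hit, paths_hit, bug_hit;

static int program(int a, int b) {
    unsigned path = 0;
    int x = 0;                                          /* line 1 */
    lines_hit |= 1u << 0;
    if (a > 0) {                                        /* branch 1 */
        x += a;                                         /* line 2 */
        lines_hit |= 1u << 1; branches_hit |= 1u << 0; path |= 1;
    } else branches_hit |= 1u << 1;
    if (b > 0) {                                        /* branch 2 */
        x -= b;                                         /* line 3 */
        lines_hit |= 1u << 2; branches_hit |= 1u << 2; path |= 2;
    } else branches_hit |= 1u << 3;
    lines_hit |= 1u << 3;                               /* line 4: return 100 / (x + 1) */
    paths_hit |= 1u << path;                            /* 2 branches -> 2^2 = 4 paths */
    if (x + 1 == 0) { bug_hit = 1; return 0; }          /* record the divide-by-zero, don't crash */
    return 100 / (x + 1);
}

static int bits_set(unsigned v) { int c = 0; for (; v; v &= v - 1) c++; return c; }

static void run(const int (*tests)[2], size_t n) {
    lines_hit = branches_hit = paths_hit = bug_hit = 0;
    for (size_t i = 0; i < n; i++) program(tests[i][0], tests[i][1]);
}
/* Coverage a test set achieves, out of 4 lines, 4 branch outcomes and 4 paths. */
int lines_covered(const int (*t)[2], size_t n)    { run(t, n); return bits_set(lines_hit); }
int branches_covered(const int (*t)[2], size_t n) { run(t, n); return bits_set(branches_hit); }
int paths_covered(const int (*t)[2], size_t n)    { run(t, n); return bits_set(paths_hit); }
int bug_found(const int (*t)[2], size_t n)        { run(t, n); return (int)bug_hit; }

/* Constructed test sets: 1 pair covers all lines, 2 all branches, 4 all paths;
 * BUG_TEST is the one input (x == -1) that none of those sets contains. */
const int ONE_TEST[1][2]   = {{1, 1}};
const int TWO_TESTS[2][2]  = {{1, 1}, {0, 0}};
const int FOUR_TESTS[4][2] = {{1, 1}, {1, 0}, {0, 5}, {0, 0}};
const int BUG_TEST[1][2]   = {{0, 1}};

int main(void) {
    printf("1 test: lines %d/4 branches %d/4 paths %d/4\n", lines_covered(ONE_TEST, 1),
           branches_covered(ONE_TEST, 1), paths_covered(ONE_TEST, 1));
    printf("4 tests: paths %d/4 bug found %d\n", paths_covered(FOUR_TESTS, 4), bug_found(FOUR_TESTS, 4));
    return 0;
}
```

Full path coverage with four tests leaves the x == -1 fault unfound, which is the "None of the above" answer to the completeness question.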

SLIDE 22

Properties of Coverage Metrics

  • A numeric measure of an analysis
  • An objective basis for comparing different analyses
  • A way to evaluate if no progress is made (no coverage metrics are increasing)

Important: Metrics are not sufficient conditions for completeness. 100% coverage does not mean all sources of vulnerabilities have been evaluated.

SLIDE 23

Symbolic Execution

  • Path predicates
  • Security vulnerabilities as assertion violations
  • How to use symbolic execution to find bugs
  • Constraint-based automatic test case generation
  • Challenges for symbolic execution

SLIDE 24

Assertion Violation as Satisfiability

In the appropriate theory, the formula (the path predicate reaching the location err)

input < UINT_MAX - 2 && len == input + 3 && !(len < 10) && !(len % 2 == 0) && !(len < UINT_MAX - 1)

is satisfied by the assignment

input = UINT_MAX - 3
len = UINT_MAX

SLIDE 25-27

Quiz: Branches and Paths

(Figure: control-flow graph with branches 1, 2, …, n, each with a T and an F edge, and a location ERR.)

Suppose we want to know if there is a feasible path to the location ERR in this program. Suppose we generate one path predicate for each path through this program. How many path predicates are generated?

Answer: 2^n. Number of predicates can be exponential in the number of branches.

SLIDE 28

Topics Covered in Midterm 2

  • Static analysis
  • Program Verification
  • Security principles and architectures
  • Malware
  • Other topics after midterm 2