dynamic security testing
play

Dynamic Security Testing Sicco Verwer s.e.verwer@tudelft.nl 1 - PDF document

Dec 08, 2023 •269 likes •1.58k views

Dynamic Security Testing Sicco Verwer s.e.verwer@tudelft.nl 1 Challenge the future Today The world of software security How is it possible? Integer overflows Buffer overflows Heartbleed Stagefright How can it be

  1. What is a buffer overflow? • Suppose in a C program we have an array of length 4 char buffer[4]; • What happens if we execute the statement below ? buffer[4] = ‘a’; • This is UNDEFINED! ANYTHING can happen! • If the data written (ie. ‘a’) is user input that can be controlled by an attacker, this vulnerability can be exploited: anything that the attacker wants can happen! 32 Challenge the future

  2. The solution • Check array bounds at runtime • Algol 60 proposed this back in 1960! • Unfortunately, C and C++ have not adopted this solution for efficiency reasons • (Perl, Python, Java, C#, and even Visual Basic have) • As a result, buffer overflows have been the no 1 security problem in software ever since • The first Internet worm, and all subsequent ones (CodeRed, Blaster, …), exploited buffer overflows • And they are still being exploited… 33 Challenge the future

  3. Pointers and memory • Computer memory is a sequence of bytes , in hex notation 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 0x00 0x13 • A pointer is a memory reference: p* = 0x05 • In C you • copy pointer values to point to the same memory a = p • dereference a pointer to access memory content b = *p • a contains 0x05 , b contains 6 34 Challenge the future

  4. Pointers and memory • Computer memory is a sequence of bytes , in hex notation 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 0x00 0x13 • An array is a fixed pointer: char a[5] • Pointing to a fixed length memory block • use arrays as pointers *p = a • offset the pointer value b = p+1 • dereference array values using brackets c = a[1] • but also works for pointers d = b[1] • p contains 0x09, b contains 0x10, c contains 1, d contains 2 35 Challenge the future

  5. The Stack • When calling functions, memory is allocated to hold local variables, this memory is called the stack • The stack grows when calling functions • The stack decreases when returning • Ever function call gets assigned its own stack frame, simply a block of memory similar to an array 36 Challenge the future

  6. Stack!Frame! -0xC0000000 To!previous!stack! !frame!pointer! user%stack% arguments% return%address% stack%frame%pointer% excep9on%handlers% shared%libraries% To!!the!point!at!which! -0x40000000 !this!funcTon!was!called! local%variables% run%9me%heap% callee%saved%registers% sta9c%data% segment% text%segment% (program)% -0x08048000 unused% 37 Challenge the future -0x00000000

  7. Stack!Frame! $1:void$copy_lower$(char*$in,$char*$out)${$ $2:$$int$i$=$0;$ $3:$$while$(in[i]!=‘\0’$&&$in[i]!=‘\n’)${$ $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ $6:$$}$ $7:$$buf[i]$=$‘\0’;$ $8:}$ !9:int!parse(FILE!*fp)!{! 10:!!char!buf[5],!*url,!cmd[128];! 11:!!fread(cmd,!1,!128,!fp);! 12:!!int!header_ok!=!0;! 13:!!if!(cmd[0]!==!‘G’)! 14:!!!!if!(cmd[1]!==!‘E’)! 15:!!!!!!if!(cmd[2]!==!‘T’)! 16:!!!!!!!!if!(cmd[3]!==!‘!’)! 17:!!!!!!!!!!header_ok!=!1;! 18:!!if!(!header_ok)!return!R1;! 19:!!url!=!cmd!+!4;! 20:$$copy_lower(url,$buf);$ 21:!!printf(“Location!is!%s\n”,!buf);! 22:!!return!0;!}! A%quick%example%to%illustrate% mul9ple%stack%frames% 38 Challenge the future Example and slides from Dawn Song

  8. What!are!buffer!overflows?! parse’s! parse.c% frame! ! $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 args ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!=‘\n’)!{! return%address ! 0xbffff75c 0x080485a2 ! ret address ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0xbffff778 ! frame ptr ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0xbffff6c4 ! url% ! !8:}! ! 0xbffff748 header_ok% 0x00000001 ! ! 0xbffff744 %%%%%%%%%%buf[4]% 0xbfef20dc ! ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0xbf02224c ! buf[3,2,1,0]% local 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% variables ! 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% ! . .! . ! .% ! .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! ! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! callee saved 22:!!return!0;!}! ! registers ! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! args ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! ret address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! frame ptr ! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! local variables ! i% 0xbffff69c 0x00000000 ! callee saved copy_lower’s! 39 Challenge the future registers ! frame! (Unallocated)!

  9. What!are!buffer!overflows?! parse’s! parse.c% frame! ! $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 args ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!=‘\n’)!{! return%address ! 0xbffff75c 0x080485a2 ! ret address ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0xbffff778 ! frame ptr ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0xbffff6c4 ! url% ! !8:}! ! 0xbffff748 header_ok% 0x00000001 ! ! 0xbffff744 %%%%%%%%%%buf[4]% 0xbfef20dc ! ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0xbf02224c ! buf[3,2,1,0]% local 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% variables ! 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% ! . .! . ! .% ! .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! ! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! callee saved 22:!!return!0;!}! ! registers ! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! args ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! ret address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! frame ptr ! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! local variables ! i% 0xbffff69c 0x00000000 ! callee saved copy_lower’s! 40 Challenge the future registers ! frame! (Unallocated)!

  10. What!are!buffer!overflows?! parse.c% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!=‘\n’)!{! return%address ! 0xbffff75c 0x080485a2 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0xbffff778 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0xbffff6c4 ! url% !8:}! 0xbffff748 header_ok% 0x00000001 ! 0xbffff744 %%%%%%%%%%buf[4]% 0xbfef20dc ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0xbf022261 ! buf[3,2,1,0]% 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% . .! . ! .% .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! i% 0xbffff69c 0x00000000 ! 41 Challenge the future (Unallocated)!

  11. What!are!buffer!overflows?! parse.c% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!=‘\n’)!{! return%address ! 0xbffff75c 0x080485a2 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0xbffff778 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0xbffff6c4 ! url% !8:}! 0xbffff748 header_ok% 0x00000001 ! 0xbffff744 %%%%%%%%%%buf[4]% 0xbfef20dc ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0xbf026161 ! buf[3,2,1,0]% 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% . .! . ! .% .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! i% 0xbffff69c 0x00000001 ! 42 Challenge the future (Unallocated)!

  12. What!are!buffer!overflows?! parse.c% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!=‘\n’)!{! return%address ! 0xbffff75c 0x080485a2 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0xbffff778 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0xbffff6c4 ! url% !8:}! 0xbffff748 header_ok% 0x00000001 ! 0xbffff744 %%%%%%%%%%buf[4]% 0xbfef20dc ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0xbf616161 ! buf[3,2,1,0]% 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% . .! . ! .% .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! i% 0xbffff69c 0x00000002 ! 43 Challenge the future (Unallocated)!

  13. What!are!buffer!overflows?! parse.c% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!=‘\n’)!{! return%address ! 0xbffff75c 0x080485a2 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0xbffff778 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0xbffff6c4 ! url% !8:}! 0xbffff748 header_ok% 0x00000001 ! 0xbffff744 %%%%%%%%%%buf[4]% 0xbfef20dc ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0x61616161 ! buf[3,2,1,0]% 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% . .! . ! .% .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! i% 0xbffff69c 0x00000003 ! 44 Challenge the future (Unallocated)!

  14. What!are!buffer!overflows?! parse.c% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0x080485a2 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0xbffff778 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0xbffff6c4 ! url% !8:}! 0xbffff748 header_ok% 0x00000001 ! 0xbffff744 %%%%%%%%%%buf[4]% 0xbfef2061 ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0x61616161 ! buf[3,2,1,0]% 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% . .! . ! .% .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! i% 0xbffff69c 0x00000004 ! 45 Challenge the future (Unallocated)!

  15. What!are!buffer!overflows?! parse.c% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0x080485a2 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0xbffff778 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0xbffff6c4 ! url% !8:}! 0xbffff748 header_ok% 0x00000001 ! 0xbffff744 %%%%%%%%%%buf[4]% 0xbfef6161 ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0x61616161 ! buf[3,2,1,0]% 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% . .! . ! .% .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! i% 0xbffff69c 0x00000005 ! Uh!oh….! 46 Challenge the future (Unallocated)!

  16. What!are!buffer!overflows?! parse.c% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0x080485a2 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0xbffff778 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0xbffff6c4 ! url% !8:}! 0xbffff748 header_ok% 0x00000001 ! 0xbffff744 %%%%%%%%%%buf[4]% 0xbf616161 ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0x61616161 ! buf[3,2,1,0]% 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% . .! . ! .% .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! i% 0xbffff69c 0x00000005 ! Uh!oh….! 47 Challenge the future (Unallocated)!

  17. What!are!buffer!overflows?! parse.c% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0x080485a2 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0xbffff778 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0x61616161 ! url% !8:}! 0xbffff748 header_ok% 0x61616161 ! 0xbffff744 %%%%%%%%%%buf[4]% 0x61616161 ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0x61616161 ! buf[3,2,1,0]% 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% . .! . ! .% .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! i% 0xbffff69c 0x0000000d ! Uh!oh….! 48 Challenge the future (Unallocated)!

  18. What!are!buffer!overflows?! parse.c% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x61616161 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0x61616161 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0x61616161 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0x61616161 ! url% !8:}! 0xbffff748 header_ok% 0x61616161 ! 0xbffff744 %%%%%%%%%%buf[4]% 0x61616161 ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0x61616161 ! buf[3,2,1,0]% 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% . .! . ! .% .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! i% 0xbffff69c 0x00000019 ! Uh!oh….! 49 Challenge the future (Unallocated)!

  19. What!are!buffer!overflows?! 0x61616161 ! parse.c% 0x61616161 ! 0x61616161 ! $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x61616161 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0x61616161 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0x61616161 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! 0xbffff74c 0x61616161 ! url% !8:}! 0xbffff748 header_ok% 0x61616161 ! 0xbffff744 %%%%%%%%%%buf[4]% 0x61616161 ! !9:int!parse(FILE!*fp)!{! 0xbffff740 0x61616161 ! buf[3,2,1,0]% 10:!!char!buf[5],!*url,!cmd[128];! 0xbffff73c 0x00000000 ! cmd[128,127,126,125]% 11:!!fread(cmd,!1,!256,!fp);! . . ! .% 12:!!int!header_ok!=!0;! . . ! .% . .! . ! .% .! 0xbffff6c4 0x41414141 ! cmd[7,6,5,4]% .! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! 20:!!copy_lower(url,!buf);! ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! i% 0xbffff69c 0x00000025 ! Uh!oh….! 50 Challenge the future (Unallocated)!

  20. What!are!buffer!overflows?! 0x61616161 ! parse.c% 0x61616161 ! 0x61616161 ! $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x61616161 ! fp% 0xbffff760 !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c $4:$$$$out[i]$=$tolower(in[i]);$ 0x61616161 ! $5:$$$$i++;$ stack%frame%ptr% 0xbffff758 !6:!!}! 0x61616161 ! !7:!!buf[i]!=!‘\0’;! 0xbffff74c url% 0x61616161 ! !8:}! 0xbffff748 header_ok% 0x61616161 ! 0xbffff744 %%%%%%%%%%buf[4]% !9:int!parse(FILE!*fp)!{! 0x61616161 ! 0xbffff740 buf[3,2,1,0]% 10:!!char!buf[5],!*url,!cmd[128];! 0x61616161 ! 0xbffff73c cmd[128,127,126,125]% 11:!!fread(cmd,!1,!256,!fp);! 0x00000000 ! . .% 12:!!int!header_ok!=!0;! . . ! .% . .! . ! .% . ! .! 0xbffff6c4 cmd[7,6,5,4]% .! 0x41414141 ! 19:!!url!=!cmd!+!4;! 0xbffff6c0 cmd[3,2,1,0]% 0x20544547 ! 20:!!copy_lower(url,!buf);! ! 0xbffff6c4 ! 21:!!printf(“Location!is!%s\n”,!buf);! 0x00000001 ! 22:!!return!0;!}! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! in% (input!file)! file% 0xbffff6b0 0xbffff6c4 ! return%address ! 0xbffff6ac 0x080485a2 ! GET!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! stack%frame%ptr% 0xbffff6a8 0xbffff758 ! i% 0xbffff69c 0x00000025 ! And!when!you!try!to!return!from!parse…! …!SEGFAULT,!since!0x61616161!is!not!!a! 51 Challenge the future valid!locaTon!to!return!to.! (Unallocated)!

  21. Overwriting memory • Overwriting the return address and thereby causing SEGFAULTS causes programs to crash • But this is not the main problem, by overwriting the memory now contains the input file name (AAAAA…A) • In other words, the user input is in control of what gets written in the programs memory! • Suppose we replace this with actual commands, called shellcode… 52 Challenge the future

  22. Basic!Stack!Exploit! parse.c% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0x080485a2 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0x61616161 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! url% 0xbffff74c 0x61616161 ! header_ok% !8:}! 0xbffff748 0x61616161 ! %%%%%%%%%%buf[4]% 0xbffff744 0x61616161 ! buf[3,2,1,0]% 0xbffff740 !9:int!parse(FILE!*fp)!{! 0x61616161 ! cmd[128,127,126,125]% 0xbffff73c 10:!!char!buf[5],!*url,!cmd[128];! 0x00000000 ! .% . . ! 11:!!fread(cmd,!1,!256,!fp);! .% . . ! 12:!!int!header_ok!=!0;! cmd[25,26,27,28]% 0xbffff7d8 .! 0xfffff764 ! .! .% . . ! .! .% . . ! 19:!!url!=!cmd!+!4;! cmd[7,6,5,4]% 0xbffff6c4 0x41414141 ! 20:!!copy_lower(url,!buf);! cmd[3,2,1,0]% 0xbffff6c0 0x20544547 ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! ! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! (input!file)! file% in% 0xbffff6b0 0xbffff6c4 ! GET!AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff return%address ! \xffAAAA \xeb\x1f\x5e 0xbffff6ac 0x080485a2 ! \x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b stack%frame%ptr% \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb 0xbffff6a8 0xbffff758 ! \x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh ! i% 0x00000019 ! 0xbffff69c 53 Challenge the future (Unallocated)!

  23. Basic!Stack!Exploit! parse.c% OVERWRITE%POINT!% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0x08048564 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0x61616161 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! url% 0xbffff74c 0x61616161 ! header_ok% !8:}! 0xbffff748 0x61616161 ! %%%%%%%%%%buf[4]% 0xbffff744 0x61616161 ! buf[3,2,1,0]% 0xbffff740 !9:int!parse(FILE!*fp)!{! 0x61616161 ! cmd[128,127,126,125]% 0xbffff73c 10:!!char!buf[5],!*url,!cmd[128];! 0x00000000 ! .% . . ! 11:!!fread(cmd,!1,!256,!fp);! .% . . ! 12:!!int!header_ok!=!0;! cmd[25,26,27,28]% 0xbffff7d8 .! 0xfffff764 ! .! .% . . ! .! .% . . ! 19:!!url!=!cmd!+!4;! cmd[7,6,5,4]% 0xbffff6c4 0x41414141 ! 20:!!copy_lower(url,!buf);! cmd[3,2,1,0]% 0xbffff6c0 0x20544547 ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! ! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! (input!file)! file% in% 0xbffff6b0 0xbffff6c4 ! GET!AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff return%address ! \xffAAAA \xeb\x1f\x5e 0xbffff6ac 0x080485a2 ! \x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b stack%frame%ptr% \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb 0xbffff6a8 0xbffff758 ! \x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh ! i% 0x00000019 ! 0xbffff69c 54 Challenge the future (Unallocated)!

  24. Basic!Stack!Exploit! parse.c% OVERWRITE%POINT!% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0x0804f764 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0x61616161 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! url% 0xbffff74c 0x61616161 ! header_ok% !8:}! 0xbffff748 0x61616161 ! %%%%%%%%%%buf[4]% 0xbffff744 0x61616161 ! buf[3,2,1,0]% 0xbffff740 !9:int!parse(FILE!*fp)!{! 0x61616161 ! cmd[128,127,126,125]% 0xbffff73c 10:!!char!buf[5],!*url,!cmd[128];! 0x00000000 ! .% . . ! 11:!!fread(cmd,!1,!256,!fp);! .% . . ! 12:!!int!header_ok!=!0;! cmd[25,26,27,28]% 0xbffff7d8 .! 0xfffff764 ! .! .% . . ! .! .% . . ! 19:!!url!=!cmd!+!4;! cmd[7,6,5,4]% 0xbffff6c4 0x41414141 ! 20:!!copy_lower(url,!buf);! cmd[3,2,1,0]% 0xbffff6c0 0x20544547 ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! ! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! (input!file)! file% in% 0xbffff6b0 0xbffff6c4 ! GET!AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff return%address ! \xffAAAA \xeb\x1f\x5e 0xbffff6ac 0x080485a2 ! \x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b stack%frame%ptr% \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb 0xbffff6a8 0xbffff758 ! \x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh ! i% 0x00000019 ! 0xbffff69c 55 Challenge the future (Unallocated)!

  25. Basic!Stack!Exploit! parse.c% OVERWRITE%POINT!% $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0x08fff764 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0x61616161 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! url% 0xbffff74c 0x61616161 ! header_ok% !8:}! 0xbffff748 0x61616161 ! %%%%%%%%%%buf[4]% 0xbffff744 0x61616161 ! buf[3,2,1,0]% 0xbffff740 !9:int!parse(FILE!*fp)!{! 0x61616161 ! cmd[128,127,126,125]% 0xbffff73c 10:!!char!buf[5],!*url,!cmd[128];! 0x00000000 ! .% . . ! 11:!!fread(cmd,!1,!256,!fp);! .% . . ! 12:!!int!header_ok!=!0;! cmd[25,26,27,28]% 0xbffff7d8 .! 0xfffff764 ! .! .% . . ! .! .% . . ! 19:!!url!=!cmd!+!4;! cmd[7,6,5,4]% 0xbffff6c4 0x41414141 ! 20:!!copy_lower(url,!buf);! cmd[3,2,1,0]% 0xbffff6c0 0x20544547 ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! ! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! (input!file)! file% in% 0xbffff6b0 0xbffff6c4 ! GET!AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff return%address ! \xffAAAA \xeb\x1f\x5e 0xbffff6ac 0x080485a2 ! \x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b stack%frame%ptr% \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb 0xbffff6a8 0xbffff758 ! \x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh ! i% 0x00000019 ! 0xbffff69c 56 Challenge the future (Unallocated)!

  26. Basic!Stack!Exploit! parse.c% OVERWRITE%POINT!% 0xbffff764 $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x0804a008 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0xfffff764 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0x61616161 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! url% 0xbffff74c 0x61616161 ! header_ok% !8:}! 0xbffff748 0x61616161 ! %%%%%%%%%%buf[4]% 0xbffff744 0x61616161 ! buf[3,2,1,0]% 0xbffff740 !9:int!parse(FILE!*fp)!{! 0x61616161 ! cmd[128,127,126,125]% 0xbffff73c 10:!!char!buf[5],!*url,!cmd[128];! 0x00000000 ! .% . . ! 11:!!fread(cmd,!1,!256,!fp);! .% . . ! 12:!!int!header_ok!=!0;! cmd[25,26,27,28]% 0xbffff7d8 .! 0xfffff764 ! .! .% . . ! .! .% . . ! 19:!!url!=!cmd!+!4;! cmd[7,6,5,4]% 0xbffff6c4 0x41414141 ! 20:!!copy_lower(url,!buf);! cmd[3,2,1,0]% 0xbffff6c0 0x20544547 ! 21:!!printf(“Location!is!%s\n”,!buf);! % ! 22:!!return!0;!}! ! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! (input!file)! file% in% 0xbffff6b0 0xbffff6c4 ! GET!AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff return%address ! \xffAAAA \xeb\x1f\x5e 0xbffff6ac 0x080485a2 ! \x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b stack%frame%ptr% \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb 0xbffff6a8 0xbffff758 ! \x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh ! i% 0x00000019 ! 0xbffff69c 57 Challenge the future (Unallocated)!

  27. Basic!Stack!Exploit! ACTIVATE%POINT!% parse.c% shellcode ! 0xbffff764 $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x61616161 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0xfffff764 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0x61616161 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! url% 0xbffff74c 0x61616161 ! header_ok% !8:}! 0xbffff748 0x61616161 ! %%%%%%%%%%buf[4]% 0xbffff744 0x61616161 ! buf[3,2,1,0]% 0xbffff740 !9:int!parse(FILE!*fp)!{! 0x61616161 ! cmd[128,127,126,125]% 0xbffff73c 10:!!char!buf[5],!*url,!cmd[128];! 0x00000000 ! .% . . ! 11:!!fread(cmd,!1,!256,!fp);! .% . . ! 12:!!int!header_ok!=!0;! cmd[25,26,27,28]% 0xbffff7d8 .! 0xfffff764 ! .! .% . . ! .! .% . . ! 19:!!url!=!cmd!+!4;! cmd[7,6,5,4]% 0xbffff6c4 0x41414141 ! 20:!!copy_lower(url,!buf);! cmd[3,2,1,0]% ! 0xbffff6c0 0x20544547 ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! ! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! (input!file)! file% in% 0xbffff6b0 0xbffff6c4 ! GET!AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff return%address ! \xffAAAA \xeb\x1f\x5e 0xbffff6ac 0x080485a2 ! \x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b stack%frame%ptr% \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb 0xbffff6a8 0xbffff758 ! \x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh ! i% 0x00000019 ! 0xbffff69c 58 Challenge the future (Unallocated)!

  28. Basic!Stack!Exploit! ACTIVATE%POINT!% parse.c% shellcode ! 0xbffff764 $ 1:void!copy_lower!(char*!in,!char*!out)!{! !2:!!int!i!=!0;! 0x61616161 ! fp% 0xbffff760 ! !3:!!while!(in[i]!=‘\0’!&&!in[i]!='\n')!{! return%address ! 0xbffff75c 0xfffff764 ! $4:$$$$out[i]$=$tolower(in[i]);$ $5:$$$$i++;$ stack%frame%ptr% 0x61616161 ! 0xbffff758 !6:!!}! !7:!!buf[i]!=!‘\0’;! url% 0xbffff74c 0x61616161 ! header_ok% !8:}! 0xbffff748 0x61616161 ! %%%%%%%%%%buf[4]% 0xbffff744 0x61616161 ! buf[3,2,1,0]% 0xbffff740 !9:int!parse(FILE!*fp)!{! 0x61616161 ! cmd[128,127,126,125]% 0xbffff73c 10:!!char!buf[5],!*url,!cmd[128];! 0x00000000 ! .% . . ! 11:!!fread(cmd,!1,!256,!fp);! .% . . ! 12:!!int!header_ok!=!0;! cmd[25,26,27,28]% 0xbffff7d8 .! 0xfffff764 ! .! .% . . ! .! .% . . ! 19:!!url!=!cmd!+!4;! cmd[7,6,5,4]% 0xbffff6c4 0x41414141 ! 20:!!copy_lower(url,!buf);! cmd[3,2,1,0]% ! 0xbffff6c0 0x20544547 ! 21:!!printf(“Location!is!%s\n”,!buf);! ! 22:!!return!0;!}! ! 23:!/**!main!to!load!a!file!and!run!parse!*/! out% 0xbffff6b4 0xbffff740 ! (input!file)! file% in% 0xbffff6b0 0xbffff6c4 ! GET!AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff return%address ! \xffAAAA \xeb\x1f\x5e 0xbffff6ac 0x080485a2 ! \x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b user gets shell! stack%frame%ptr% \x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb 0xbffff6a8 0xbffff758 ! \x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh ! i% 0x00000019 ! 0xbffff69c 59 Challenge the future (Unallocated)!

  29. How to attack this code? char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error(“length too large, nice try!”); return; } memcpy(buf, p, len); } 60 Challenge the future

  30. How to attack this code? char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error(“length too large, nice try!”); return; } memcpy(buf, p, len); third argument expects } an unsigned int 61 Challenge the future

  31. How to attack this code? char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error(“length too large, nice try!”); return; } memcpy(buf, p, len); len is implicitly cast from } int to unsigned int! 62 Challenge the future

  32. How to attack this code? char buf[80]; void vulnerable() { provide a negative int len = read_int_from_network(); value for len char *p = read_string_from_network(); if (len > sizeof buf) { if statement is happy error(“length too large, nice try!”); return; } memcpy(buf, p, len); but the cast makes a negative } len a very large int! causing a buffer overflow… 63 Challenge the future

  33. Spot the bugs 3 #ifdef UNICODE #define _sntprintf _snwprintf #define TCHAR wchar_t #else #define _sntprintf _snprintf #define TCHAR char #endif TCHAR buff[MAX_SIZE]; _sntprintf(buff, sizeof(buff), ”%s\n”, input); 64 Challenge the future

  34. Spot the bugs 3 #ifdef UNICODE #define _sntprintf _snwprintf #define TCHAR wchar_t #else #define _sntprintf _snprintf _sntprintf’ s 2 nd argument #define TCHAR char #endif is # of chars in buffer, not # of bytes TCHAR buff[MAX_SIZE]; _sntprintf(buff, sizeof(buff), ”%s\n”, input); 65 Challenge the future

  35. Spot the bugs 3 #ifdef UNICODE #define _sntprintf _snwprintf #define TCHAR wchar_t #else #define _sntprintf _snprintf _sntprintf’ s 2 nd argument #define TCHAR char #endif is # of chars in buffer, not # of bytes TCHAR buff[MAX_SIZE]; _sntprintf(buff, sizeof(buff), ”%s\n”, input); The CodeRed worm exploited such an mismatch, where code written under the assumption that 1 char was 1 byte allowed buffer overflows after the move from ASCI to Unicode From presentation by John Pincus 66 Challenge the future

  36. Stack/heap exploits • Overwrite memory to contain your own code, or some library/shellcode of interest • Not easy: • Have to determine return address (include NOP commands) • Overflow should not crash program before function exits • Shellcode may not contain ‘\0’ causing string to end • But very powerful: • Any code can be executed, eg. granting system access • Bugs that make them possible are hard to spot! • Avoid making input assumptions, be paranoid! 67 Challenge the future

  37. Not unique to C/C++ • Memory safe languages such as Java can trigger buffer overflows, eg. due to graphic libraries relying on fast native code: CVE reference: CVE-2007-0243, Release Date: 2007-01-17 Sun Java JRE GIF Image Processing Buffer Overflow Vulnerability Critical: Highly critical, Impact: System access, Where: From remote Description: A vulnerability has been reported in Sun Java Runtime Environment (JRE), which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error when processing GIF images and can be exploited to cause a heap-based buffer overflow via a specially crafted GIF image with an image width of 0. Successful exploitation allows execution of arbitrary code. 68 Challenge the future

  38. What would you test? • Testing a response system: hello 5 hello hi 2 hi … 69 Challenge the future

  39. Spot the bug… / * Read type and payload length first */ hbtype = *p++; n2s(p, payload); pl = p; … unsigned char *buffer, *bp; int r; buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; … *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); memcpy(bp, pl, payload); r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 70 Challenge the future

  40. Missing bound check / * Read type and payload length first */ hbtype = *p++; put payload length in payload, n2s(p, payload); pl is pointer to actual payload pl = p; … unsigned char *buffer, *bp; int r; buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; … *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); memcpy(bp, pl, payload); r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 71 Challenge the future

  41. Missing bound check / * Read type and payload length first */ hbtype = *p++; put payload length in payload, n2s(p, payload); pl is pointer to actual payload pl = p; … unsigned char *buffer, *bp; int r; buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; allocate up to 65535+1+2+16 of memory … *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); memcpy(bp, pl, payload); r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 72 Challenge the future

  42. Missing bound check / * Read type and payload length first */ hbtype = *p++; put payload length in payload, n2s(p, payload); pl is pointer to actual payload pl = p; … unsigned char *buffer, *bp; int r; buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; allocate up to 65535+1+2+16 of memory … *bp++ = TLS1_HB_RESPONSE; copy memory from pl pointer to s2n(payload, bp); bp pointer of length payload memcpy(bp, pl, payload); r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 73 Challenge the future

  43. Missing bound check pl and payload are input and should not be trusted! / * Read type and payload length first */ hbtype = *p++; put payload length in payload, n2s(p, payload); pl is pointer to actual payload pl = p; … unsigned char *buffer, *bp; int r; buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; allocate up to 65535+1+2+16 of memory … *bp++ = TLS1_HB_RESPONSE; copy memory from pl pointer to s2n(payload, bp); bp pointer of length payload memcpy(bp, pl, payload); r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 74 Challenge the future

  44. April(7,(2014:(discovered(that(2/3d(of(all(web(servers(in(world(leak(passwords.( Programming(oversight(due(to(insufficient(tes-ng.(#heartbleed(#openssl( 49( 75 Challenge the future

  45. Who is to blame? C/C++? – speed can be important The OpenSSL developers? – a small group of volunteers with little funds Vague specification? – should specifications cover all security bugs? Functionality over security? – who uses heartbeat? OpenSSL users? – billion dollar companies using free software without security audits… April(7,(2014:(discovered(that(2/3d(of(all(web(servers(in(world(leak(passwords.( Programming(oversight(due(to(insufficient(tes-ng.(#heartbleed(#openssl( 49( 76 Challenge the future

  46. Another example, july 2015 • bla slides from Joshua Drake 77 Challenge the future

  47. Spot the bug… @@ -330,6 +330,10 @@ status_t SampleTable::setTimeToSampleParams … mTimeToSampleCount = U32_AT(&header[4]); uint64_t allocSize = mTimeToSampleCount * 2 * sizeof(uint32_t); if (allocSize > SIZE_MAX) { return ERROR_OUT_OF_RANGE; } mTimeToSample = new uint32_t[mTimeToSampleCount * 2]; size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2; … 78 Challenge the future

  48. Spot the bug… in C, multiplying two 32-bit ints, gives a 32-bit int @@ -330,6 +330,10 @@ status_t SampleTable::setTimeToSampleParams … mTimeToSampleCount = U32_AT(&header[4]); uint64_t allocSize = mTimeToSampleCount * 2 * sizeof(uint32_t); if (allocSize > SIZE_MAX) { return ERROR_OUT_OF_RANGE; } mTimeToSample = new uint32_t[mTimeToSampleCount * 2]; size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2; … 79 Challenge the future

  49. Spot the bug… in C, multiplying two 32-bit ints, gives a 32-bit int @@ -330,6 +330,10 @@ status_t SampleTable::setTimeToSampleParams … mTimeToSampleCount = U32_AT(&header[4]); uint64_t allocSize = mTimeToSampleCount * 2 * sizeof(uint32_t); if (allocSize > SIZE_MAX) { return ERROR_OUT_OF_RANGE; } mTimeToSample = new uint32_t[mTimeToSampleCount * 2]; size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2; … check for security problem does not work since upper 32-bits are not checked! 80 Challenge the future

  50. How bad is it? Worst exploit: MMS • Media is AUTOMATICALLY processed ON MMS RECEIPT. • BEFORE creating a notification! • Actually, while creating the notification • Exploiting a vulnerability in Stagefright via MMS could allow SILENT, REMOTE, PRIVILEGED code execution. • The attacker's payload simply needs to prevent the notification. • Who has your phone number? • When was the last time you updated your phone? 81 Challenge the future

  51. Another example, july 2015 • bla Who is to blame? C/C++? – speed can be important.. The developer that wrote this code? The compiler for not raising a warning? Why are these errors even possible…. 82 Challenge the future

  52. • bla 83 Challenge the future

  53. Spot the bug int __stdcall SrvOs2FeaListSizeToNt(_DWORD *a1) { _WORD *v1; unsigned int v2; unsigned int v3; int v4; int v6; v1 = a1; v6 = 0; v2 = (unsigned int)a1 + *a1; v3 = (unsigned int)(a1 + 1); if ( (unsigned int)(a1 + 1) < v2 ) { while ( v3 + 4 < v2 ) { v4 = *(_WORD *)(v3 + 2) + *(_BYTE *)(v3 + 1); if ( v4 + v3 + 4 + 1 > v2 ) break; if ( RtlSizeTAdd(v6, (v4 + 12) & 0xFFFFFFFC, &v6) < 0 ) return 0; v3 += v4 + 5; if ( v3 >= v2 ) return v6; v1 = a1; } *v1 = (_WORD)(v3 - v1); } return v6; } 84 Challenge the future

  54. Spot the bug int __stdcall SrvOs2FeaListSizeToNt(_DWORD *a1) { _WORD *v1; unsigned int v2; unsigned int v3; int v4; int v6; v1 = a1; v6 = 0; v2 = (unsigned int)a1 + *a1; v3 = (unsigned int)(a1 + 1); if ( (unsigned int)(a1 + 1) < v2 ) { while ( v3 + 4 < v2 ) { v4 = *(_WORD *)(v3 + 2) + *(_BYTE *)(v3 + 1); if ( v4 + v3 + 4 + 1 > v2 ) break; if ( RtlSizeTAdd(v6, (v4 + 12) & 0xFFFFFFFC, &v6) < 0 ) return 0; v3 += v4 + 5; if ( v3 >= v2 ) return v6; puts a WORD (16 bits) into what is at address v1 v1 = a1; } *v1 = (_WORD)(v3 - v1); } return v6; } 85 Challenge the future

  55. Spot the bug int __stdcall SrvOs2FeaListSizeToNt(_DWORD *a1) { _WORD *v1; unsigned int v2; unsigned int v3; int v4; int v6; But *v1 is v1 = a1; v6 = 0; SMB_FEA_LIST->SizeOfListInBytes v2 = (unsigned int)a1 + *a1; v3 = (unsigned int)(a1 + 1); which is a DWORD (32 bits) if ( (unsigned int)(a1 + 1) < v2 ) { while ( v3 + 4 < v2 ) { v4 = *(_WORD *)(v3 + 2) + *(_BYTE *)(v3 + 1); if ( v4 + v3 + 4 + 1 > v2 ) break; if ( RtlSizeTAdd(v6, (v4 + 12) & 0xFFFFFFFC, &v6) < 0 ) return 0; v3 += v4 + 5; if ( v3 >= v2 ) return v6; puts a WORD (16 bits) into what is at address v1 v1 = a1; } *v1 = (_WORD)(v3 - v1); } return v6; } 86 Challenge the future

  56. Spot the bug int __stdcall SrvOs2FeaListSizeToNt(_DWORD *a1) { _WORD *v1; unsigned int v2; unsigned int v3; int v4; int v6; But *v1 is v1 = a1; v6 = 0; SMB_FEA_LIST->SizeOfListInBytes v2 = (unsigned int)a1 + *a1; v3 = (unsigned int)(a1 + 1); which is a DWORD (32 bits) if ( (unsigned int)(a1 + 1) < v2 ) { So if *v1 contains a large value 0x10000 while ( v3 + 4 < v2 ) { and the assignment puts 0x0FFFF (MAX WORD) into it v4 = *(_WORD *)(v3 + 2) + *(_BYTE *)(v3 + 1); the result is 0x1FFFF, instead of the intended 0x0FFFF if ( v4 + v3 + 4 + 1 > v2 ) break; if ( RtlSizeTAdd(v6, (v4 + 12) & 0xFFFFFFFC, &v6) < 0 ) return 0; v3 += v4 + 5; if ( v3 >= v2 ) return v6; puts a WORD (16 bits) into what is at address v1 v1 = a1; } *v1 = (_WORD)(v3 - v1); } return v6; } 87 Challenge the future

  57. Spot the bug int __stdcall SrvOs2FeaListSizeToNt(_DWORD *a1) { _WORD *v1; unsigned int v2; unsigned int v3; int v4; int v6; But *v1 is v1 = a1; v6 = 0; SMB_FEA_LIST->SizeOfListInBytes v2 = (unsigned int)a1 + *a1; v3 = (unsigned int)(a1 + 1); which is a DWORD (32 bits) if ( (unsigned int)(a1 + 1) < v2 ) { So if *v1 contains a large value 0x10000 while ( v3 + 4 < v2 ) { and the assignment puts 0x0FFFF (MAX WORD) into it v4 = *(_WORD *)(v3 + 2) + *(_BYTE *)(v3 + 1); the result is 0x1FFFF, instead of the intended 0x0FFFF if ( v4 + v3 + 4 + 1 > v2 ) break; When SMB_FEA_LIST->SizeOfListInBytes if ( RtlSizeTAdd(v6, (v4 + 12) & 0xFFFFFFFC, &v6) < 0 ) return 0; with incorrect value is used in later code, v3 += v4 + 5; it can be used to create a buffer overflow , if ( v3 >= v2 ) return v6; puts a WORD (16 bits) into what is at address v1 and allows arbitrary code execution… v1 = a1; } *v1 = (_WORD)(v3 - v1); } return v6; } 88 Challenge the future

  58. Spread all over the world in a day • bla 89 Challenge the future

  59. Who is to blame? • Simple arithmetic mistake • In a function that is never used (legacy code) • Who will test this thoroughly? • But, from wikipedia: “EternalBlue , sometimes stylized as ETERNALBLUE , [1] is an exploit generally believed to have been developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack on May 12, 2017.” 90 Challenge the future

  60. Security Testing 91 Challenge the future

  61. Security/penetration testing • Normal testing investigates correct behavior for sensible inputs, and inputs on borderline conditions • Security testing involves looking for the incorrect behavior for really silly inputs • Try to crash the system! • and discover why it crashed! • In general, this is very hard 92 Challenge the future

  62. Why is it hard? • Systems are (typically) not designed to crash, they work fine on most inputs • Like finding a needle in a haystack: all possible inputs . input that triggers normal . . . . . . security bug inputs 93 Challenge the future

  63. Basic technique: random fuzzing • Test different inputs at random, until the system crashes • What is the probability of reaching line 11 with random input? 94 Challenge the future

  64. Structured input • When input has to start with eg. ‘http’, testing all possible strings that start differently is a waste of time • Fortunately, we often know: • Example input files or strings • Protocol specifications, or test implementations • Solutions: • Generate random permutations from example files • Mutation-based fuzzing • Fuzz only values but keep in line with the specification • Protocol (generative) fuzzing 95 Challenge the future

  65. Mutation-based fuzzing example 1. Google for .pdf 2. Crawl pages to build a test set 3. Use mutation-based fuzzing tool (eg. ZZuf) or script: a) Load pdf file b) Mutate file (eg. randomly flipping bits, adding random chars) c) Feed to program d) Record if it crashed and what crashed it A piece of cake, and it can find many real-world bugs! 96 Challenge the future

  66. Mutation-based fuzzing example 2 • Fuzzing with 5 lines of Python code: numwrites = random.randrange(math.ceil((float(len(buf)) / FuzzFactor)))+1 for j in range(numwrites): rbyte = random.randrange(256) rn = random.randrange(len(buf)) buf[rn] = "%c"%(rbyte) • Given sufficient time/power this will crash your system! Code by Charlie Miller 97 Challenge the future

  67. Example : GSM protocol fuzzing • We can use an universal software radio peripheral (USRP) with open source cell tower software (OpenBTS) to fuzz phones [Mulliner et al, SMS of Death: from analyzing to attacking mobile phones on a large scale] [Brinio Hond, Fuzzing the GSM protocol, MSc thesis, Radboud University] 98 Challenge the future

  68. Example : GSM protocol fuzzing • Fuzzing SMS layer of GSM reveals weird functionality in GSM standard and on phones 99 Challenge the future

  69. Example : GSM protocol fuzzing • Fuzzing SMS layer of GSM reveals weird functionality in GSM standard and on phones you have a fax! eg possibility to send faxes (!?) Only way to get rid if this icon: reboot the phone 100 Challenge the future

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert

Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert

Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 1 / 21 Introduction What is this lecture about? How do we find bugs in programs? ... by

363 views • 21 slides
Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

583 views • 56 slides
Testing the Software with Blinders on [Reading assignment: Chapter 5, pp. 63-79] Dynamic

Testing the Software with Blinders on [Reading assignment: Chapter 5, pp. 63-79] Dynamic

Testing the Software with Blinders on [Reading assignment: Chapter 5, pp. 63-79] Dynamic black-box testing Dynamic black-box testing is testing without having an insight into the details of the underlying code. Dynamic, because the

736 views • 42 slides
Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E. Simos SBA Research Applied &amp; Computational Mathematics Division Seminar Series National Institute of Standards and Technology (NIST) Gaithersburg,

675 views • 50 slides
Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular testing aims to

1.06k views • 54 slides
Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security

Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security

Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security Testing Andreas Zeller, Saarland University Our Goal We want to cause the program to fail We have seen random (unstructured) input

868 views • 69 slides
Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat

Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat

Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat Landscape Customers Biggest Security Challenges Changing Dynamic Complexity Business Models Threat Landscape and Fragmentation A

550 views • 13 slides
Topics in Software Dynamic White-box Testing Part 1: Control-flow Testing [Reading assignment:

Topics in Software Dynamic White-box Testing Part 1: Control-flow Testing [Reading assignment:

Topics in Software Dynamic White-box Testing Part 1: Control-flow Testing [Reading assignment: Chapter 7, pp. 105-122 plus many things in slides that are not in the book ] Control-Flow Testing Control-flow testing is a structural testing

509 views • 48 slides
Continuous Application Security Testing Presented by:

Continuous Application Security Testing Presented by:

W14 Security Testing Wednesday, October 23rd, 2019 3:00 PM Continuous Application Security Testing Presented by: Josh Gibbs

306 views • 4 slides
Topics in Software Dynamic White-box Testing Part 2: Data-flow Testing [Reading assignment:

Topics in Software Dynamic White-box Testing Part 2: Data-flow Testing [Reading assignment:

Topics in Software Dynamic White-box Testing Part 2: Data-flow Testing [Reading assignment: Chapter 7, pp. 105-122 plus many things in slides that are not in the book ] Data-Flow Testing Data-flow testing uses the control flowgraph to

1.09k views • 43 slides
Dynamic Underbalance: DALLAS - FORTH WORTH. AUGUST 5-6, 2019. API 19b Section IV testing of

Dynamic Underbalance: DALLAS - FORTH WORTH. AUGUST 5-6, 2019. API 19b Section IV testing of

Dynamic Overbalance vs. Dynamic Underbalance: DALLAS - FORTH WORTH. AUGUST 5-6, 2019. API 19b Section IV testing of encapsulated shaped charges compared to conventional hollow steel carrier guns 2019-NAPS-2.3 AUTHORS: Bernd Fricke, Davood

350 views • 18 slides
Security testing for hardware product : the security evaluations practice 1 DCIS/SASTI/CESTI

Security testing for hardware product : the security evaluations practice 1 DCIS/SASTI/CESTI

Alain MERLE CESTI LETI CEA Grenoble Alain.merle@cea.fr Security testing for hardware product : the security evaluations practice 1 DCIS/SASTI/CESTI Abstract What are you doing in ITSEFs ? Testing, Security testing, Attacks,

809 views • 23 slides
Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security Group The Cyber Security lecture series 1 Agenda for today Part I Latest security news Security vulnerabilities in Java

2.02k views • 185 slides
Manual Testing Topics For Presentation In this dynamic presentation, Anna will reveal the mindSET

Manual Testing Topics For Presentation In this dynamic presentation, Anna will reveal the mindSET

Manual Testing Topics For Presentation In this dynamic presentation, Anna will reveal the mindSET and skillSET of She will be explaining the concepts of context-driven testing to a wider QA general invisibility, and subtle questions about my

496 views • 4 slides
State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is

State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is

State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is dynamic instrumentation? Applications of dynamic instrumentation How does it work? Simulating different states and transitions

1.25k views • 21 slides
Web Performance in 2017 with @bighappyface Big thanks to DrupalCon Team Big thanks to you

Web Performance in 2017 with @bighappyface Big thanks to DrupalCon Team Big thanks to you

Web Performance in 2017 with @bighappyface Big thanks to DrupalCon Team Big thanks to you (its almost a wrap) Please note This session assumes familiarity. I am speaking as if folks are already into this stuff. This session is

757 views • 53 slides
Inferring syntactic rules for word alignment through Inductive Logic Programming Sylwia Ozdowska,

Inferring syntactic rules for word alignment through Inductive Logic Programming Sylwia Ozdowska,

Inferring syntactic rules for word alignment through Inductive Logic Programming Sylwia Ozdowska, Vincent Claveau CLLE-ERSS - Univ. of Toulouse IRISA-CNRS Toulouse, France Rennes, France May 19, 2010 Ozdowska, Claveau (ERSS / IRISA) ILP for

544 views • 40 slides
Third Quarter 2018 Earnings Teleconference November 8 th , 2018 HYDRO ONE LIMITED 3Q18 FINANCIAL

Third Quarter 2018 Earnings Teleconference November 8 th , 2018 HYDRO ONE LIMITED 3Q18 FINANCIAL

Third Quarter 2018 Earnings Teleconference November 8 th , 2018 HYDRO ONE LIMITED 3Q18 FINANCIAL SUMMARY Third Quarter YTD ($ millions) 2018 2017 % Change 2018

275 views • 8 slides
QCD matter studies with ALICE ALICE soft physics summary Dariusz Miskowiec, GSI Darmstadt v

QCD matter studies with ALICE ALICE soft physics summary Dariusz Miskowiec, GSI Darmstadt v

QCD matter studies with ALICE ALICE soft physics summary Dariusz Miskowiec, GSI Darmstadt v bulk particle production for the ALICE Collaboration v spatial extension v collective flow v introduction v probing QCD matter v bulk

1.21k views • 86 slides
Highprecision luminosity at e + e colliders: theory status and challenges Guido Montagna

Highprecision luminosity at e + e colliders: theory status and challenges Guido Montagna

Highprecision luminosity at e + e colliders: theory status and challenges Guido Montagna Dipartimento di Fisica, Universit` a di Pavia &amp; INFN, Sezione di Pavia guido.montagna@pv.infn.it September 2015 Ustron, Matter to the Deepest

421 views • 17 slides
Topic 8 graphics &quot;What makes the situation worse is that the highest level CS course I've

Topic 8 graphics &quot;What makes the situation worse is that the highest level CS course I've

Topic 8 graphics &quot;What makes the situation worse is that the highest level CS course I've ever taken is cs4, and quotes from the graphics group startup readme like ' these paths are abstracted as being the result of a topological sort on

409 views • 22 slides
Strong fields in heavy ion collisions at VLHC P. Lvai (Wigner RCP, Budapest, Hungary) V.V.

Strong fields in heavy ion collisions at VLHC P. Lvai (Wigner RCP, Budapest, Hungary) V.V.

Strong fields in heavy ion collisions at VLHC P. Lvai (Wigner RCP, Budapest, Hungary) V.V. Skokov (BNL, Upton, USA) D. Bernyi, A. Psztor (ELTE, Budapest, Hungary) Phys. Rev. D71 (2005) 094010; D78 (2008) 054004. J. Phys. G36 (2009)

821 views • 42 slides
Statistical methods Toma Podobnik Oddelek za fiziko, FMF, UNI-LJ , , Odsek za

Statistical methods Toma Podobnik Oddelek za fiziko, FMF, UNI-LJ , , Odsek za

Statistical methods Toma Podobnik Oddelek za fiziko, FMF, UNI-LJ , , Odsek za eksperimentalno fiziko delcev, IJS Contents: I. Prologue, II. Mathematical Preliminaries, III. Frequency Interpretation of Probability Distributions, IV.

1.17k views • 33 slides

More recommend