Malicious Code for Fun and Profit (PowerPoint PPT presentation)
Mihai Christodorescu, mihai@cs.wisc.edu, 23 March 2006


  1. Malicious Code for Fun and Profit
     Mihai Christodorescu, mihai@cs.wisc.edu, 23 March 2006

  2. What is Malicious Code?
     Viruses, worms, trojans, … Code that breaks your security policy.
     Characteristics: attack vector, payload, spreading algorithm.
     23 March 2006 Mihai Christodorescu 2

  3. Outline
     • Attack Vectors
     • Payloads
     • Spreading Algorithms
     • Case Studies

  4. Attack Vectors
     • Social engineering: “Make them want to run it.”
     • Vulnerability exploitation: “Force your way into the system.”
     • Piggybacking: “Make it run when other programs run.”

  5. Social Engineering
     • Suggest to the user that the executable is:
       – A game.
       – A desirable picture/movie.
       – An important document.
       – A security update from Microsoft.
       – A security update from the IT department.
     • Spoofing the sender helps.

  6. Outline
     • Attack Vectors:
       – Social Engineering
       – Vulnerability Exploitation
       – Piggybacking
     • Payloads
     • Spreading Algorithms
     • Case Studies

  7. Vulnerability Exploitation
     • Make use of flaws in software input handling.
     • Sample techniques:
       – Buffer overflow attacks.
       – Format string attacks.
       – Return-to-libc attacks.
       – SQL injection attacks.

  8. Buffer Overflows: Basic Principles
     A buffer overflow occurs when data is stored past the boundaries of an array or a string. The additional data now overwrites nearby program variables.
     Result: the attacker controls or takes over a currently running process.

  9. Buffer Overflows: Example
     Expected input: \\hostname\path (the request strings below are written with C escaping, so "\\\\" is the leading pair of backslashes).

         void process_request(char *req)
         {
             // Get hostname
             char host[20];
             int pos = find_char(req, '\\', 2);
             strcpy(host, substr(req, 2, pos - 1));
             ...
             return;
         }

         process_request("\\\\tux12\\usr\\foo.txt");               ⇒ OK
         process_request("\\\\aaabbbcccdddeeefffggghhh\\bar");    ⇒ BAD

  10–15. Buffer Overflows: Program Stack
     A stack frame per procedure call. The slides build up the frames for the process_request() code from slide 9, highest address first:

         main()
         process_request()
             arg: req
             return address
             frame pointer
             local: host
             local: pos
         strcpy()

  16–17. Buffer Overflows: Normal Execution
     process_request("\\\\tux12\\usr\\foo.txt");
     After strcpy(), host holds t u x 1 2 \0 and pos = 7; the hostname fits inside the 20-byte buffer.

  18. Buffer Overflows: Overflow Execution
     process_request("\\\\aaabbbcccdddeeefffggghhhiiijjj\\bar");
     pos = 32, so substr() returns 30 characters, which strcpy() writes into the 20-byte host buffer and past its end (highest address first):

         (past the frame)   j j \0
         return address     i i i j     ← characters that overwrite the return address
         frame pointer      g h h h
         local: host        f f g g
                            e e e f
                            c d d d
                            b b c c
                            a a a b
         local: pos         32

  19. Buffer Overflows: Smashing the Stack
     The attacker gets one chance to gain control. Craft an input string such that:
     • The return address is overwritten with a pointer to malicious code.
     • The malicious code is placed inside the input string.
     Malicious code can create a root shell by executing “/bin/sh”.

  20. Buffer Overflows: Shell Code
     Code for exec("/bin/sh"):

         mov edx, arg2
         mov ecx, arg1
         mov ebx, "/bin/sh"
         mov eax, 0Bh
         int 80h

     Layout of the input string:

         EB 17 5E 89 76 08 31 C0
         88 46 07 89 46 0C B0 0B
         89 F3 8D 4E 08 31 D2 CD
         80 E8 E4 FF FF FF
         /bin/sh\0   arg 2   arg 1   pointer to code

     The pointer value is used for overwriting the return address.

  21. Buffer Overflows: Thicker Armor
     • Defense against stack-smashing attacks:
       – Bounds-checking.
       – Protection libraries.
       – Non-executable stack.
       – setuid()/chroot().
       – Avoid running programs as root!
       – Address randomization.
       – Behavioral monitoring.
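Bounds-checking, the first defence on this slide, applied to the process_request() routine from slide 9. This is an example added here, not code from the slides: the helper names parse_hostname(), process_request_safe() and host_matches(), and the extra malformed inputs, are constructed for it; the 20-byte host buffer and the two request strings from slides 16 and 18 are the slides' own. Where the original copies whatever substr() returns, the hardened parser measures the hostname first and rejects the request when it would not fit, so the long input from slide 18 never reaches the frame pointer or the return address.

```c
#include <stdio.h>
#include <string.h>

/* Same 20-byte host buffer as the slide's process_request(). */
#define HOST_LEN 20

/*
 * Bounds-checked replacement for the slide's
 *     strcpy(host, substr(req, 2, pos - 1));
 * Expected input: \\hostname\path. Returns 0 and fills host on success,
 * -1 on malformed input or a hostname that would not fit (with its NUL).
 * Hypothetical helper written for this example; not from the slides.
 */
int parse_hostname(const char *req, char *host, size_t host_len)
{
    if (req == NULL || host == NULL || host_len == 0)
        return -1;
    if (req[0] != '\\' || req[1] != '\\')        /* must start with \\ */
        return -1;
    const char *start = req + 2;
    const char *end = strchr(start, '\\');       /* separator after the hostname */
    if (end == NULL)
        return -1;                               /* no path component at all */
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= host_len)                 /* empty, or no room for the NUL */
        return -1;
    memcpy(host, start, n);                      /* copies at most host_len - 1 bytes */
    host[n] = '\0';
    return 0;
}

/* Hardened counterpart of process_request(): reject instead of overflow. */
int process_request_safe(const char *req)
{
    char host[HOST_LEN];
    if (parse_hostname(req, host, sizeof host) != 0)
        return -1;                               /* request dropped, stack intact */
    /* ... use host ... */
    return 0;
}

/* Test helper: 1 if req is accepted and its hostname equals expected. */
int host_matches(const char *req, const char *expected)
{
    char host[HOST_LEN];
    if (parse_hostname(req, host, sizeof host) != 0)
        return 0;
    return strcmp(host, expected) == 0;
}

int main(void)
{
    const char *ok  = "\\\\tux12\\usr\\foo.txt";                   /* slide 16 input */
    const char *bad = "\\\\aaabbbcccdddeeefffggghhhiiijjj\\bar";   /* slide 18 input */
    printf("%s -> %d\n", ok, process_request_safe(ok));    /* 0  */
    printf("%s -> %d\n", bad, process_request_safe(bad));  /* -1 */
    return 0;
}
```

The length check compares against the buffer size passed in rather than a hard-coded 20, so changing HOST_LEN cannot silently reintroduce the overflow; a 19-character hostname is the longest that is accepted, because the terminating NUL needs the twentieth byte.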

  22. More Info
     • “Smashing the Stack for Fun and Profit” by Aleph One
     • StackGuard, RAD, PAX, ASLR
     • CERT

  23. Format Strings: Format String Attacks
     • Another way to illegally control program values.
     • Uses flaws in the design of printf():

         printf("%s: %d", s, x);

  24. Format Strings: printf() Operation

         printf("%s: %d, %x", s, x, y);

     Stack at the call, highest address first:

         foo() frame:     y
                          x
                          s
                          format string ptr
         printf() frame

  25. Format Strings: Attack 1: Read Any Value
     What the code says:           printf(str);
     What the programmer meant:    printf("%s", str);
     If str = "%s", printf() takes the next stack word above the format string pointer as a string pointer and prints what it points to. With str = "%x%x%x%x%x%x%x%x%s" the eight %x conversions consume eight stack words first, so the %s reaches a word further up the stack, such as the secret key pointer in the slide's diagram.

  26. Format Strings: Attack 2: Write to Address
     What the code says:           printf(str);
     %n writes the number of characters printed so far to the address found in the next stack word. If str = "%n" that word is the one above the format string pointer; with str = "%x%x%x%x%x%x%x%x%n" it is eight words further up, where the slide's diagram places the return address.

  27. Format Strings: Defenses
     Never use printf() without a format string!
     FormatGuard.
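The slide's rule, "never use printf() without a format string", in code, together with the tripwire check a validator or log-inspection rule can apply to the inputs from slides 25 and 26. This is an example added here, not code from the slides: render_safe(), has_format_directive() and renders_verbatim() are hypothetical helpers constructed for it, and the probe string is the slide 26 input reproduced as test data. The only fix that matters is the constant "%s" format; the directive check is an extra detection signal, not a replacement for it.

```c
#include <stdio.h>
#include <string.h>

/*
 * The slide's bug: printf(str) with str under the caller's control, so the
 * data itself is interpreted as a format string. Kept as a comment only;
 * it is never compiled or called here:
 *
 *     void log_unsafe(const char *str) { printf(str); }
 */

/*
 * Safe rendering: the format string is a compile-time constant and the
 * user string is only ever an argument to %s, so "%x" or "%n" inside it
 * are plain characters. Returns the number of characters written, or -1
 * if out is too small. Hypothetical helper for this example.
 */
int render_safe(char *out, size_t out_len, const char *user)
{
    int n = snprintf(out, out_len, "%s", user);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

/*
 * Detection-side check: 1 if s contains a conversion directive, i.e. a '%'
 * that is not the escape "%%". Flags inputs that would only be dangerous
 * if some code path used them as a format string.
 */
int has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;               /* "%x", "%s", "%n", or a trailing lone '%' */
    }
    return 0;
}

/* Test helper: 1 if user comes out of render_safe() byte for byte unchanged. */
int renders_verbatim(const char *user)
{
    char buf[64];
    if (render_safe(buf, sizeof buf, user) < 0)
        return 0;
    return strcmp(buf, user) == 0;
}

int main(void)
{
    /* The slide 26 input, constructed here as test data. */
    const char *probe = "%x%x%x%x%x%x%x%x%n";
    char buf[64];
    render_safe(buf, sizeof buf, probe);
    printf("rendered: %s (directive present: %d)\n", buf, has_format_directive(probe));
    return 0;
}
```

Compiling with GCC or Clang's -Wformat -Wformat-security reports a call such as printf(str) whose format is not a literal and that has no arguments, which catches the slide's bug before any input reaches it.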
