necessary background on
play

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION - PowerPoint PPT Presentation

Nov 14, 2023 •491 likes •901 views

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

  1. 1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES

  2. Outline 2  Memory safety attacks  Buffer overruns  Format string vulnerabilities  Web application vulnerabilities  SQL injections  Cross-site scripting attacks

  3. Buffer Overflows 3

  4. Buffer Overrun Example 4 Frame 2 Frame 1 sfp ret str sfp ret str local local void lame (void) { char small[30]; gets(small); printf("%s\n", small); }

  5. Input Validation 5 Classifying vulnerabilities:  Buffer overflows can be viewed as an example of improper input validation  Another related type of vulnerability is information leaks  Other notable examples:  Format string vulnerabilities  SQL injection attacks  Cross-site scripting attacks  Mechanisms to prevent attacks  Better input validation  Safe programming techniques  Techniques for detecting potential buffer overflows in code  Static analysis  Runtime analysis  Fuzzing/penetration testing  Write-box fuzzing  etc. 

  6. Secure Programming Techniques 6  Validate all input  Easier said than done  Why is that?  Avoid buffer overflows  Use safe string manipulation functions  Careful length checking  Avoid statically declared arrays  etc.  Or use a memory-safe language  Java or C#  JavaScript (not type-safe)

  7. Validating Input 7  Determine acceptable input, check for match --- don’t just check against list of “non - matches”  Limit maximum length  Watch out for special characters, escape chars.  Check bounds on integer values  Check for negative inputs  Check for large inputs that might cause overflow!

  8. Avoid strcpy , … 8  We have seen that strcpy is unsafe  strcpy(buf, str) simply copies memory contents into buf starting from *str until “ \ 0” is encountered, ignoring the size of buf  Avoid strcpy (), strcat (), gets (), etc.  Use strncpy (), strncat (), instead  Still, computing proper bounds is difficult in practice  Easy to mess up, off-by-one errors are common

  9. Static and Dynamic Analysis 9 Static analysis: run on the source code prior to deployment; check for known flaws  e.g., flawfinder, cqual  Or Prefix/Prefast  Or Coverity or Fortify tools  Will look at some more recent work in this course as well as older stuff  Dynamic analysis: try to catch (potential) buffer overflows during program execution  Soundness  Precision  Comparison?  Static analysis very useful, but not perfect  False positives  False negatives  Dynamic analysis can be better (in tandem with static analysis), but can slow down execution  Historically of great importance, drove adoption of type-safe languages such as Java and C# 

  10. Dynamic analysis: Libsafe 10  Very simple example of what can be done at runtime  Intercepts all calls to, e.g., strcpy (dest, src)  Validates sufficient space in current stack frame: |frame-pointer – dest| > strlen(src)  If so, executes strcpy ; otherwise, terminates application

  11. Preventing Buffer Overflows 11  Operating system support:  Can mark stack segment as non-executable  Randomize stack location  Problems:  Does not defend against `return-to-libc ’ exploit  Overflow sets ret-addr to address of libc function  Does not prevent general buffer overflow flaws, or heap overflow  Basic heap overflows can be helped with ALSR

  12. Heap-based Buffer Overruns and Heap Spraying 12  Buffer overruns consist of two steps  Introduce the payload  Cause the program to jump to it  Can put the payload/shellcode in the heap  Arbitrary amounts of code  Doesn’t work with heap randomization  Location of the payload changes every time  Heap spraying:  Allocate multiple copies of the payload  When the jump happens, it hits the payload with a high probability

  13. StackGuard 13  Embed random “canaries” in stack frames and verify their integrity prior to function return  This is actually used!  Helpful, but not foolproof… Frame 2 Frame 1 sfp ret str sfp ret str local canary local canary

  14. More Methods … 14  Address obfuscation  Encrypt return address on stack by XORing with random string. Decrypt just before returning from function  Attacker needs decryption key to set return address to desired value

  15. More Input Validation Flaws 15

  16. Format String Vulnerabilities 16  What is the difference between printf(buf); and printf (“%s”, buf); ?  What if buf holds %x ?  Look at memory, and what printf expects…

  17. Format String Exploits 17 Technique: #include <stdio.h>   Declare a variable of type int in line int main() { 4 and call it bytes_formatted int bytes_formatted=0;  Line 6 the format string specifies char that 20 characters should be formatted in hexadecimal (“%.20x”) buffer[28 ]=”ABCDEFGHIJKLMNOPQRSTUVWXYZ”; using buffer  When this is done, due to the “%n” printf (“%.20x%n”,buffer,&bytes_formatted); specifier write the value 20 to printf( bytes_formatted “ \nThe number of bytes formatted in the previous printf statement Result:  was %d\ n”, bytes_formatted);  This means that we have written a return 0; value to another memory location }  Very definition of violating memory safety  May be possible to gain control over a program’s execution

  18. Other Input Validation Bugs 18  Integer overflow…  Consider the code: strncpy(msg+offset, str, slen); where the adversary may control offset  By setting the value high enough, it will wrap around and be treated as a negative integer!  Write into the msg buffer instead of after it

  19. 19 Web Application Vulnerabilities

  20. SQL Injection Attacks 20  Affect applications that use untrusted input as part of an SQL query to a back-end database  Specific case of a more general problem: using untrusted input in commands

  21. SQL Injection: Example 21  Consider a browser form, e.g.:  When the user enters a number and clicks the button, this generates an http request like https://www.pizza.com/show_orders?month=10

  22. Example Continued … 22  Upon receiving the request, a Java program might produce an SQL query as follows: sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND order_month= " + request.getParameter("month") ;  A normal query would look like: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=10

  23. Example Continued … 23  What if the user makes a modified http request: https://www.pizza.com/show_orders?month=0%20OR%201%3D1  (Parameters transferred in URL-encoded form, where meta-characters are encoded in ASCII)  This has the effect of setting request.getParameter (“month”) equal to the string 0 OR 1=1

  24. Example Continued 24  So the script generates the following SQL query: SELECT pizza, quantity, order_day FROM orders ( WHERE userid=4123 ) AND order_month=0 OR 1=1  Since AND takes precedence over OR, the above always evaluates to TRUE  The attacker gets every entry in the database!

  25. Even Worse … 25  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 OR 1=0 UNION SELECT cardholder, number, exp_date FROM creditcards  Attacker gets the entire credit card database as well!

  26. More Damage … 26  SQL queries can encode multiple commands, separated by ‘;’  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 ; DROP TABLE creditcards  Credit card table deleted!  DoS attack

  27. More Damage … 27  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 ; INSERT INTO admin VALUES („hacker‟, ...)  User (with chosen password) entered as an administrator!  Database owned!

  28. May Need to be More Clever … 28  Consider the following script for text queries: sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND topping= „ " + request.getParameter (“topping") + “‟”  Previous attacks will not work directly, since the commands will be quoted  But easy to deal with this…

  29. Example Continued … 29  Craft an http request where request.getParameter (“topping”) is set to abc ‟; DROP TABLE creditcards; --  The effect is to generate the SQL query: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND toppings=„ abc ‟; DROP TABLE creditcards ; -- ‟  (‘ -- ’ represents an SQL comment)

  30. 30 Source : http://xkcd.com/327/

  31. Solutions? 31  Blacklisting  Whitelisting  Encoding routines  Prepared statements/bind variables  Mitigate the impact of SQL injection

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tracer Study Public Workshop August 27, 2019 Background Background Background Background

Tracer Study Public Workshop August 27, 2019 Background Background Background Background

Tracer Study Public Workshop August 27, 2019 Background Background Background Background Historic drought in US southwest since 2000, yet population has continued to grow. See:

339 views • 13 slides
Background The Community Network Background Background The Vision Increase community use of

Background The Community Network Background Background The Vision Increase community use of

Background The Community Network Background Background The Vision Increase community use of schools Opportunities for communities and neighbourhoods to identify needs/wants Provision of services to children and families in their

580 views • 33 slides
AN INTRODUCTION TO BACKGROUND SETTINGS: Allows you to change background BACKGROUND SETTINGS: Allows

AN INTRODUCTION TO BACKGROUND SETTINGS: Allows you to change background BACKGROUND SETTINGS: Allows

AN INTRODUCTION TO BACKGROUND SETTINGS: Allows you to change background BACKGROUND SETTINGS: Allows you to change background color BACKGROUND SETTINGS: Allows you to change background templates INTERACTIVE PEN TOOL: Chose thickness and color for

810 views • 29 slides
BACKGROUND JOB PROCESSING DO'S AND DON'TS BACKGROUND JOB PROCESSING - DO'S AND DON'TS IMAGE

BACKGROUND JOB PROCESSING DO'S AND DON'TS BACKGROUND JOB PROCESSING - DO'S AND DON'TS IMAGE

CHUCK REEVES @MANCHUCK BACKGROUND JOB PROCESSING DO'S AND DON'TS BACKGROUND JOB PROCESSING - DO'S AND DON'TS IMAGE PROCESSOR UPLOAD IMAGE PROCESS IMAGE ENTERS QUEUE ZendCon 2016 BACKGROUND JOB PROCESSING - DO'S AND DON'TS THE PROBLEM

817 views • 35 slides
Background Body background Subtle patterns background textures List marker (see

Background Body background Subtle patterns background textures List marker (see

Background Body background Subtle patterns background textures List marker (see snippets) Default: window size Advantage: grows and shrinks easily Disadvantage: harder to design Making body fixed width Advantage:

277 views • 4 slides
FLAME 2014/11/1 Background Complex Systems or Networks Background Design Experiment

FLAME 2014/11/1 Background Complex Systems or Networks Background Design Experiment

FLAME 2014/11/1 Background Complex Systems or Networks Background Design Experiment Unpredictable Circuitry Background Incompatible parts Background Our Goal Characterize and standardize circuits to organize standard parts correctly

847 views • 63 slides
Being Open Georgia Gkioxari Background Background GREECE Background GREECE UC Berkeley

Being Open Georgia Gkioxari Background Background GREECE Background GREECE UC Berkeley

Being Open Georgia Gkioxari Background Background GREECE Background GREECE UC Berkeley Background 2010: Greece UC Berkeley 2016: PhD with Jitendra Malik 2016-2018: PostDoc at FAIR Now: Research Scientist at FAIR

585 views • 23 slides
Background Background Background Background Design Task Museum! Museum! Design step1

Background Background Background Background Design Task Museum! Museum! Design step1

Background Background Background Background Design Task Museum! Museum! Design step1 Define the city step2 Build a database for the city Design How to build a bio-database Design Specific enzyme cutting sites Design

674 views • 38 slides
Mediation: Background and Basics David A. Kenny davidakenny.net Overview Background and

Mediation: Background and Basics David A. Kenny davidakenny.net Overview Background and

Mediation: Background and Basics David A. Kenny davidakenny.net Overview Background and Early History Steps Indirect Effect Broadening Mediation Analysis Taking Assumptions Seriously My Current Work 2 Background and

497 views • 46 slides
Neural Photo Editing Andrew Brock Introduction Background: VAEs Background: VAEs Background:

Neural Photo Editing Andrew Brock Introduction Background: VAEs Background: VAEs Background:

Neural Photo Editing Andrew Brock Introduction Background: VAEs Background: VAEs Background: GANs Background: GANs The IAN Model Multiscale Dilated Conv Blocks Image credit: http://liangchiehchen.com/fg/deeplab_aspp.jpg Multiscale Dilated

355 views • 17 slides
Reducing the pupil premium gap Background Background But this does not show .. The

Reducing the pupil premium gap Background Background But this does not show .. The

Northfleet School for Girls Reducing the pupil premium gap Background Background But this does not show .. The Story! Year % 5A*-C with PPG Gap English and Maths 2012 50% -32% 2013 64% -43% 2014 52% -21% Why do PPG

551 views • 34 slides
Background Background The impact of Musculoskeletal Conditions and Chronic Widespread Pain

Background Background The impact of Musculoskeletal Conditions and Chronic Widespread Pain

Outline What t ar are th the most rel elevant t en envi vironmenta tal fac facto tors in in rel elation to to hea ealth? Background Cristina Bostan 2 , Cornelia Oberhauser 1 , Alarcos Cieza 1,2 Objectives 1 Chair of Public

267 views • 5 slides
Assessment 2016 Background and objectives Background With programming in over 160

Assessment 2016 Background and objectives Background With programming in over 160

UNICEF Solar Powered Water System Assessment 2016 Background and objectives Background With programming in over 160 countries, a number of solar solutions has been implemented in various which varying results and outcomes There is the

505 views • 18 slides
B A B AR Beam Background Beam Background Simulation Simulation Steven Robertson 2 nd Hawaii

B A B AR Beam Background Beam Background Simulation Simulation Steven Robertson 2 nd Hawaii

B A B AR B A B AR Beam Background Beam Background Simulation Simulation Steven Robertson 2 nd Hawaii Super B Factory Workshop April 21, 2005 Motivation Motivation EMC EMC y g r Beam background conditions result in Beam background

547 views • 30 slides
Background Presenter: Josh Andre Background Sources Animal:

Background Presenter: Josh Andre Background Sources Animal:

10/23/13 Background Presenter: Josh Andre Background Sources Animal: organ meats, fish, poultry, cheese Oxida&lt;on States: Plant: Ranges from Cr

533 views • 9 slides
Let us know who you are . Background survey 1. Major 2. Primary background (biology,

Let us know who you are . Background survey 1. Major 2. Primary background (biology,

Let us know who you are . Background survey 1. Major 2. Primary background (biology, computation, other) 3. Programming experience (how much, what language) Registered/not-registered/waiting-list Genome 373: Genomic Informatics

802 views • 42 slides
More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment:

More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment:

More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment: gets is what does bufger overfmow reading the assembly should be fairly straightforward probably easiest strategy in this case debugger can fjnd

1.36k views • 98 slides
CS 251 Fall 2019 x86-64 Linux memory layout CS 240 Spring 2020 Principles of Programming

CS 251 Fall 2019 x86-64 Linux memory layout CS 240 Spring 2020 Principles of Programming

CS 251 Fall 2019 x86-64 Linux memory layout CS 240 Spring 2020 Principles of Programming Languages Foundations of Computer Systems Ben Wood ... ... Ben Wood 0x00007fffffffffff Stack not drawn to scale Caller Buffer Overflows Frame

335 views • 4 slides
Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout ... ... 0x00007fffffffffff Stack not drawn to scale Caller Frame Extra Arguments

325 views • 16 slides
Buffer Overrun Review Process Layout in Memory IA-32

Buffer Overrun Review Process Layout in Memory IA-32

Buffer Overrun Review Process Layout in Memory IA-32 Nota=on Format : inst src dst registers prefixed with a %, constants with $

756 views • 31 slides
Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk

Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk

Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk about gdb, etc. Approaches to Fin inding Security Bugs 2 Runtime Monitoring Black-box Testing Static Analysis From Coverity 3

613 views • 33 slides
vMPCP: A Synchronization Framework for Multi-Core Virtual Machines Hyoseung Kim * Shige Wang

vMPCP: A Synchronization Framework for Multi-Core Virtual Machines Hyoseung Kim * Shige Wang

RTSS 2014 vMPCP: A Synchronization Framework for Multi-Core Virtual Machines Hyoseung Kim * Shige Wang Raj Rajkumar * shige.wang@gm.com raj@ece.cmu.edu hyoseung@cmu.edu * General Motors R&amp;D RTSS 2014 Benefits of Multi-Core

538 views • 24 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
Capacity Access Review Transmission Workgroup 9 th January 2020 CAR Plan for todays Workgroup

Capacity Access Review Transmission Workgroup 9 th January 2020 CAR Plan for todays Workgroup

Capacity Access Review Transmission Workgroup 9 th January 2020 CAR Plan for todays Workgroup December Workgroups aims; - Long-term ambition - Specific issues caused by the short-term problems - Agree Workplan January

656 views • 14 slides

More recommend