outline
play

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 - PowerPoint PPT Presentation

Oct 23, 2022 •316 likes •966 views

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

  1. Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack

  2. Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs 5 Nov 20 th 2015 / GreHack 2

  3. Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs 5 Nov 20 th 2015 / GreHack 3

  4. Failure is not an option * The ancestor of all bugs Moth in relay Nov 20 th 2015 / GreHack 4

  5. Failure is not an option * Still nowadays 1 1 http://www.theregister.co.uk/2010/11/26/ventblockers_2/ Nov 20 th 2015 / GreHack 5

  6. Failure is not an option * Valve’s Steam on Linux 2 Steam can clean your home and more STEAMROOT="$(cd "${0%/*}" && echo $PWD)" # Scary! rm -rf " $STEAMROOT /"* 2 https://github.com/valvesoftware/steam-for-linux/issues/3671 Nov 20 th 2015 / GreHack 6

  7. Failure is not an option * Haunted doors 3 Office doors are keycard-protected CC BY 2.0 https://www.flickr.com/photos/identicard/4305911075 Doors were slow to open : 5 to 30s, sometimes more Everyone had his ninja techniques that seemed to open them faster : swipe card slowly swipe card quickly swipe once and wait swipe furiously over and over until door unlocks stand on one foot etc. 3 http://thedailywtf.com/articles/The-Haunted-Door Nov 20 th 2015 / GreHack 7

  8. Failure is not an option * Haunted doors One day, an employee stayed late and alone in the office He heard clicks from doors being unlocked Eventually found the authentication server It turns out that: log file was very big it took a long time to open it and append a new line all the card swipes were correctly queued the software was still working on card swipes from the day before problem was made even worse by people swiping multiple times ⇒ door unlockings were not 30s long but ≈ 30h long = ⇒ 30s was the time you had to wait for any door to open ; no need to swipe = any card Nov 20 th 2015 / GreHack 8

  9. Failure is not an option * Bad guys have bugs too Linux.Encoder.1 ransomware design flaw 4 derives AES key and IV from libc rand() seeded with current system timestamp ⇒ recover key from file’s creation time = ⇒ no need to pay the ransom! = Power Worm ransomware variant 5 author wanted to simplify his task: same AES key for all victims ransomware encrypted files and did not store the key programming error made the key actually random ⇒ no way to recover the files = 4 http://labs.bitdefender.com/2015/11/ linux-ransomware-debut-fails-on-predictable-encryption-key/ 5 http://news.softpedia.com/news/ epic-fail-power-worm-ransomware-accidentally-destroys-victim-s-data-during-encryption-495833. shtml Nov 20 th 2015 / GreHack 9

  10. Failure is not an option * RC4 implementation error A bad implementation int main(int argc , char *argv []) { unsigned char S[256] , c; unsigned char key [] = KEY; int klen = strlen(key ); int i,j,k; /* Init S[] */ for(i=0; i <256; i++) S[i] = i; /* Scramble S[] with the key */ j = 0; for(i=0; i <256; i++) { j = (j+S[i]+ key[i%klen ]) % 256; S[i] ^= S[j]; S[j] ^= S[i]; S[i] ^= S[j]; } /* Generate the keystream and cipher the input stream */ i = j = 0; while (read(0, &c, 1) > 0) { i = (i+1) % 256; j = (j+S[i]) % 256; S[i] ^= S[j]; S[j] ^= S[i]; S[i] ^= S[j]; c ^= S[(S[i]+S[j]) % 256]; write (1, &c, 1); } } Nov 20 th 2015 / GreHack 10

  11. Failure is not an option * RC4 implementation error A good implementation int main(int argc , char *argv []) { unsigned char S[256] , c; unsigned char key [] = KEY; int klen = strlen(key ); int i,j,k; /* Init S[] */ for(i=0; i <256; i++) S[i] = i; /* Scramble S[] with the key */ j = 0; for(i=0; i <256; i++) { j = (j+S[i]+ key[i%klen ]) % 256; k = S[i]; S[i] = S[j]; S[j] = k; } /* Generate the keystream and cipher the input stream */ i = j = 0; while (read(0, &c, 1) > 0) { i = (i+1) % 256; j = (j+S[i]) % 256; k = S[i]; S[i] = S[j]; S[j] = k; c ^= S[(S[i]+S[j]) % 256]; write (1, &c, 1); } } Nov 20 th 2015 / GreHack 11

  12. Failure is not an option * RC4 implementation error Exchanging values Classical way (using temporary variable) tmp = a a = b b = tmp To show-off a = a+b a += b b = a-b b = a-b a = a-b a -= b a = a^b a ^= b b = a^b b ^= a a = a^b a ^= b Nov 20 th 2015 / GreHack 12

  13. Failure is not an option * RC4 implementation error The bug The working idiom a = a^b b = a^b a = a^b The buggy adaptation S[i] = S[i]^S[j] S[j] = S[i]^S[j] S[i] = S[i]^S[j] Nov 20 th 2015 / GreHack 13

  14. Failure is not an option * RC4 implementation error The bug When i=j, we have S[i] = S[i]^S[i] S[i] = S[i]^S[i] S[i] = S[i]^S[i] i.e. actually a = a^a a = a^a a = a^a ⇒ instead of exchanging a value with itself, we set it to 0 = ⇒ the RC4 state fills up with 0 = ⇒ the bitstream quickly degrades to a sequence of 0 = ⇒ encryption does not happen anymore = Nov 20 th 2015 / GreHack 14

  15. Failure is not an option * Beyond the code Double-checked locking pattern does not work 6 Single threaded version of a singleton instantiation class Foo { 1 private Helper helper = null; 2 public Helper getHelper () { 3 if (helper == null) 4 helper = new Helper (); 5 return helper; 6 } 7 // other functions and members ... 8 } 9 6 http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html Nov 20 th 2015 / GreHack 15

  16. Failure is not an option * Beyond the code Double-checked locking pattern does not work Multithreaded version of a singleton instantiation class Foo { 1 private Helper helper = null; 2 public synchronized Helper getHelper () { 3 if (helper == null) 4 helper = new Helper (); 5 return helper; 6 } 7 // other functions and members ... 8 } 9 Nov 20 th 2015 / GreHack 16

  17. Failure is not an option * Beyond the code Double-checked locking pattern does not work Multithreaded version of a singleton instantiation using the double-checked locking pattern. Most calls to getHelper() will not be synchronized (better performance). class Foo { 1 private Helper helper = null; 2 public Helper getHelper () { 3 if (helper == null) 4 synchronized (this) { 5 if (helper == null) 6 helper = new Helper (); 7 } 8 return helper; 9 } 10 // other functions and members ... 11 } 12 Nov 20 th 2015 / GreHack 17

  18. Failure is not an option * Beyond the code Double-checked locking pattern does not work Actual code that can be executed (after JIT) call 01 F6B210 ; allocate space for Helper , 1 ; return result in eax 2 mov dword ptr [ebp],eax ; EBP is "helper" field. Store 3 ; the unconstructed object here. 4 mov ecx ,dword ptr [eax] ; dereference the handle to 5 ; get the raw pointer 6 mov dword ptr [ecx ] ,100h ; Next 4 lines are 7 mov dword ptr [ecx +4] ,200h ; Helper ’s inlined constructor 8 mov dword ptr [ecx +8] ,400h 9 mov dword ptr [ecx +0Ch],0 F84030h 10 Nov 20 th 2015 / GreHack 18

  19. Failure is not an option * Beyond the code Compiler optimizations may “optimize” security checks 7 , 8 Example with overflow check: unsigned int len; ... if (ptr + len < ptr || ptr + len > max) return EINVAL; For the compiler, ptr + len < ptr can mean len < 0 this is impossible ( len is unsigned). ⇒ the overflow check can be optimized out = Could be rewritten len > max-ptr 7 http://www.kb.cert.org/vuls/id/162289 8 http://bsidespgh.com/2014/media/speakercontent/DangerousOptimizationsBSides.pdf Nov 20 th 2015 / GreHack 19

  20. Failure is not an option * Good old injection W00t! I just rooted my router! Nov 20 th 2015 / GreHack 20

  21. Failure is not an option * Good old injection On another tab, not so far away Oh! Actually I was already root. Nov 20 th 2015 / GreHack 21

  22. Failure is not an option * Good old injection Escalate privileges to ... where you already are Nov 20 th 2015 / GreHack 22

  23. Failure is not an option * Whois stack buffer overflow (CVE-2003-0709) The bug and the fix The textbook case of buffer overflows $ whois -g $(perl -e "print ’A’x2000") Segmentation fault - sprintf(p--, " -%c %s ", ch , optarg ); + snprintf(p--, sizeof(fstring), " -%c %s ", ch , optarg ); Nov 20 th 2015 / GreHack 23

  24. Failure is not an option * Whois stack buffer overflow (CVE-2003-0709) Impact non-privileged program ; not SUID ⇒ escalate your privileges to ... where you already are ? = what about all the websites proposing a whois service that actually ran whois through a CGI ? ⇒ escalate your privileges from anonymous web client to local shell = Nov 20 th 2015 / GreHack 24

  25. Failure is not an option * Shellshock Hard to analyze impact Bug: bash allows attackers to execute commands through specially crafted environment variables Impact: web servers using CGI scripts Impact: OpenSSH: users can bypass ForceCommand with SSH_ORIGINAL_COMMAND Impact: DHCP clients: some call bash scripts and transmit DHCP server parameters through environment variables . . . Nov 20 th 2015 / GreHack 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline

Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline

An automatic mammogram system: from screening to diagnosis Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Pectoral muscle

589 views • 45 slides
Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in

Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in

Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in preparing for your presentation; this outline is required. Title: I. Introduction (The speech actually starts here.) A. Attention Getter:

479 views • 3 slides
PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline

PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline

PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline to organize your argument to create a logical flow of information and plan your presentation layout. This outline is worth a group grade (one copy

506 views • 3 slides
1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a

1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a

1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a line that is drawn around elements, OUTSIDE the borders, to make the element &quot;stand out&quot;. CSS has the following outline properties:

1.76k views • 117 slides
Outline Outline Background of the Network Vision Vision Aims Activities

Outline Outline Background of the Network Vision Vision Aims Activities

Asia Pacific Adaptation Network (APAN)- A k A key regional Initiative i l I iti ti Puja Sawhney Coordinator, APAN , Institute for Global Environmental Strategies Thimpu, Bhutan p 16 th November, 2011 Outline Outline Background of the

441 views • 9 slides
When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really

When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really

When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters Yogesh K. Ramadass, AnanthaGroup Microsystems Technology Laboratory Outline Outline Outline Outline

507 views • 36 slides
Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR

Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR

Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR personal presentation so you can create it however you want. These are just suggestions to help you get started. The purpose is to educate your

618 views • 3 slides
Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation

Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation

ZSim Tutorial MICRO 2015 S TATS AND C ONFIGURATION Core Models Po-An Tsai Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation techniques ZSim core structure I1D I1I Simple IPC 1 core

1.96k views • 120 slides
Outline Outline Motivation Motivation 1 1. Email Speech Acts 2. Modeling textual intention

Outline Outline Motivation Motivation 1 1. Email Speech Acts 2. Modeling textual intention

Modeling Intention in Email : Speech Acts, Information Leaks and User Ranking Methods p g Vitor R. Carvalho Carnegie Mellon University William Cohen Ramnath a at Tom Tom Jon Jon Balasubramanyan Mitchell Elsas Outline Outline

1.09k views • 65 slides
Session Outline Course themes imperative problem solving (think: outline form) C

Session Outline Course themes imperative problem solving (think: outline form) C

Session Outline Course themes imperative problem solving (think: outline form) C programming (close to the machine) storage and processing of data Linux operating system control of robots Demo Course Web site

780 views • 9 slides
Outline : Outline : Our method to perform periodicity search Candidates of the next Geminga The

Outline : Outline : Our method to perform periodicity search Candidates of the next Geminga The

Periodicity Sear Periodicity Search of ch of the the Geming Geminga-lik -like Pulsar e Pulsars Lupin Chun-Che Lin () Institute of Astronomy, National Central University, Taiwan Outline : Outline : Our method to perform periodicity

654 views • 19 slides
Outline for St Outline for St Outline for

Outline for St Outline for St Outline for

Outline for St Outline for St Outline for St Outline for St Francis Participation Francis Participation Francis Participation Francis Participation St Francis Overview Current Work on

120 views • 10 slides
RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa

RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa

RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa RDFa RDFa RDFa RDFa: A collection of attributes and processing p g rules for extending XHTML to support RDF. HTML contains structured data,

768 views • 37 slides
Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This

Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This

Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This is a suggested outline only. Students should work closely with their Faculty Advisors to adapt this format the presentation to the needs of the

418 views • 4 slides
1 Course Outline Course Outline Course Outline Course Outline 3D Graphics Pipeline 3D

1 Course Outline Course Outline Course Outline Course Outline 3D Graphics Pipeline 3D

Goals Goals Foundations of Computer Graphics Foundations of Computer Graphics Systems: Write complex 3D graphics programs (Spring 2010) (Spring 2010) (real-time in OpenGL, offline raytracer, animation) CS 184, Lecture 1: Overview and

176 views • 5 slides
Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &amp;

Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &amp;

Sophak PHOEUN, National DRR Forum Coordinat or &amp; Executive Assistant to Vice President of NCDM , National Committee for Disaster Management. Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &amp;

346 views • 15 slides
On the Approximation of Mean-Payoff Games Raffaella Gentilini University of Perugia Convegno

On the Approximation of Mean-Payoff Games Raffaella Gentilini University of Perugia Convegno

Mean-Payoff Games Exact Solutions Approximation On the Approximation of Mean-Payoff Games Raffaella Gentilini University of Perugia Convegno Italiano Logica Computazionale (CILC2011) 1 / 20 Mean-Payoff Games Exact Solutions Approximation

1.53k views • 59 slides
Money Changes Everything II: Creating Price Transparency in New York State Paul F. Macielak,

Money Changes Everything II: Creating Price Transparency in New York State Paul F. Macielak,

Money Changes Everything II: Creating Price Transparency in New York State Paul F. Macielak, Esq. November 12, 2013 Transparency is a two-way street. While patients indeed have a right to expect fair and accurate payment for services

481 views • 11 slides
Introductory Course for Commercial Dealers of Guinea Pigs, Hamsters, Rabbits Part 7: Husbandry

Introductory Course for Commercial Dealers of Guinea Pigs, Hamsters, Rabbits Part 7: Husbandry

Introductory Course for Commercial Dealers of Guinea Pigs, Hamsters, Rabbits Part 7: Husbandry Standards Course Objectives By the end of this presentation, you should be able to, as appropriate for guinea pigs, hamsters or rabbits: 1.

571 views • 33 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
What is Data? Part 2: Patterns &amp; Associations INFO-1301, Quantitative Reasoning 1 University

What is Data? Part 2: Patterns &amp; Associations INFO-1301, Quantitative Reasoning 1 University

What is Data? Part 2: Patterns &amp; Associations INFO-1301, Quantitative Reasoning 1 University of Colorado Boulder August 29, 2016 Prof. Michael Paul Prof. William Aspray Overview This lecture will look at examples of relationships

571 views • 30 slides
Algorithmic Bias I: Biases and their Consequences Joshua A. Kroll Postdoctoral Research Scholar

Algorithmic Bias I: Biases and their Consequences Joshua A. Kroll Postdoctoral Research Scholar

Algorithmic Bias I: Biases and their Consequences Joshua A. Kroll Postdoctoral Research Scholar UC Berkeley School of Information 2019 ACM Africa Summer School on Machine Learning for Data Mining and Search 14-18 January 2019 Pe People

775 views • 62 slides
alloy oy Daniel Jackson MIT Lab for Computer Science 6898: Advanced Topics in Software Design

alloy oy Daniel Jackson MIT Lab for Computer Science 6898: Advanced Topics in Software Design

alloy oy Daniel Jackson MIT Lab for Computer Science 6898: Advanced Topics in Software Design February 11, 2002 co course ad rse admin in new version of bill new version of bills notes online s notes online schedule today: Alloy

599 views • 34 slides
An Efficient Softcore Multiplier Architecture for Xilinx FPGAs 22 nd IEEE Symposium on Computer

An Efficient Softcore Multiplier Architecture for Xilinx FPGAs 22 nd IEEE Symposium on Computer

An Efficient Softcore Multiplier Architecture for Xilinx FPGAs 22 nd IEEE Symposium on Computer Arithmetic Martin Kumm, Shahid Abbas and Peter Zipf University of Kassel, Germany CONTENTS 1. State-of-the-art 2. Proposed multiplier 3.

327 views • 29 slides

More recommend