Project 1 for Software Vulnerabilities - Computer and Network Security | CS 475, Study Guides, Projects, Research of Cryptography and System Security

Material Type: Project; Professor: Greenstadt; Class: Computer and Network Security; Subject: Computer Science; University: Drexel University; Term: Winter 2009;


CS 475: Lecture 3

Software Vulnerabilities

Rachel Greenstadt

January 13, 2009

Reminders

Project 1 out today (details on website)

Form groups, start early

Study participation due today (EC)

Blog participation due Thursday

Security review assignment due Thursday

History : Morris Worm

Worm was released in 1988 by Robert Morris

Graduate student at Cornell, son of NSA chief scientist

Convicted under Computer Fraud and Abuse Act, sentenced to 3 years of probation and 400 hours of community service

Now an EECS professor at MIT (advised my Master's thesis)

The worm was intended to propagate slowly and harmlessly, measuring the size of the Internet

Due to a coding error, it created new copies as fast as it could and overloaded infected machines

$10-100M worth of damage

Buffer Overflows and the Morris Worm

One of the worm's propagation techniques was a buffer overflow attack against a vulnerable version of fingerd on VAX systems

By sending a special string to the finger daemon, the worm caused it to execute code that created a new worm copy

Unable to determine the remote OS version, the worm also attacked fingerd on Suns running BSD, causing them to crash (instead of spawning a new copy)

CERT was formed to deal with the new threat of software vulnerabilities

Memory buffer vulnerabilities

A buffer is a data storage area inside computer memory (stack or heap)

It is intended to hold a pre-defined amount of data

If more data is stuffed into it, it spills into adjacent memory

If executable code is supplied as "data", the victim's machine may be fooled into executing it – we'll see how

That code will self-propagate or give the attacker control over the machine

First generation exploits: stack smashing

Second gen: heaps, function pointers, off-by-one

Third generation: format strings and heap management structures

Linux process memory layout

[Figure: Linux process memory layout, from high addresses to low: unused region; user stack (top of stack at %esp, grows downward); shared libraries; run-time heap (grows upward, limit set by brk); text and data loaded from the executable at the bottom.]

What if buffer is overstuffed?

Memory pointed to by str is copied onto the stack:

    void func(char *str) {
        char buf[128];
        strcpy(buf, str);      /* strcpy does not check sizeof buf */
        do_something(buf);
    }

If a string longer than 128 bytes is written into buf, it will overwrite adjacent memory locations:

Buffer Overflows

    #include <string.h>

    void function(char *str) {
        char buffer[8];
        strcpy(buffer, str);    /* 255 bytes copied into an 8-byte buffer */
    }

    int main(void) {
        char large_string[256];
        int i;
        for (i = 0; i < 255; i++)
            large_string[i] = 'A';
        large_string[255] = '\0';   /* terminate so strcpy stops after 255 bytes */
        function(large_string);
        return 0;
    }


Executing Attack Code

Suppose the buffer contains an attacker-created string. For example, *str contains a string read from the network as input to a network daemon.

The overflow also overwrites the function's saved return address. When the function exits, the overwritten return address sends execution into the buffer, so the code the attacker placed there runs, giving the attacker a shell.

Root shell if the victim program is setuid root.
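The two points above (the unchecked strcpy in func(), and the return address being overwritten so that the attacker's code runs when the function exits) as an added example that is not part of the lecture slides. It models func()'s stack frame as a C struct so the overwrite is reproducible and well-defined, and puts a bounds-checked copy beside the unchecked one. The struct layout (x86-32 style, buffer directly below the saved frame pointer and return address), the placeholder slot values, the payload and the function names are assumptions for illustration, not addresses or code from the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the frame that func() on the slide builds on x86-32 (an assumption
 * for illustration): the local buffer sits directly below the caller's saved
 * frame pointer and the saved return address. Writing into a struct with
 * memcpy keeps the demonstration well-defined; a real overflow is not. */
struct frame {
    char     buf[8];
    uint32_t saved_ebp;   /* caller's frame pointer, saved by the prologue */
    uint32_t ret;         /* address execution returns to when func exits */
};

/* Unchecked copy, like strcpy on the slide: bytes 8..11 of the input land on
 * saved_ebp and bytes 12..15 on ret. The clamp to sizeof *f exists only to
 * keep the model defined; strcpy has no such limit and keeps writing. */
static void unchecked_copy(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, in, len);
}

/* Hardened counterpart: copy only if src and its terminator fit in dst.
 * Rejecting oversized input is safer than silently truncating it. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)
        return -1;              /* no room for the terminator: refuse */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Classic layout of an attacker-created string: filler up to the return
 * slot, then the 4-byte address control should be transferred to (in a
 * real attack, the address of the buffer holding the injected code). */
static void build_payload(unsigned char out[16], uint32_t target)
{
    memset(out, 'A', 12);           /* fills buf and saved_ebp */
    memcpy(out + 12, &target, 4);   /* overwrites ret, host byte order */
}

/* Copy payload_len bytes of a constructed 16-byte payload into a fresh frame
 * and report what the return-address slot holds afterwards. The initial
 * slot contents are constructed placeholders, not real addresses. */
uint32_t ret_after_copy(size_t payload_len)
{
    unsigned char payload[16];
    struct frame f;

    build_payload(payload, 0x41414141u);
    if (payload_len > sizeof payload)
        payload_len = sizeof payload;

    memset(&f, 0, sizeof f);
    f.saved_ebp = 0xdead0000u;
    f.ret       = 0xc0de0000u;
    unchecked_copy(&f, payload, payload_len);
    return f.ret;
}

/* The same kind of input through the bounded copy into an 8-byte buffer. */
int bounded_copy_into_8(const char *src)
{
    char small[8];
    return bounded_copy(small, sizeof small, src);
}

int main(void)
{
    printf("ret after  8 bytes: 0x%08x (untouched)\n", (unsigned)ret_after_copy(8));
    printf("ret after 12 bytes: 0x%08x (saved_ebp clobbered, ret not)\n", (unsigned)ret_after_copy(12));
    printf("ret after 16 bytes: 0x%08x (attacker-chosen)\n", (unsigned)ret_after_copy(16));
    printf("bounded_copy, 7 chars:  %d\n", bounded_copy_into_8("AAAAAAA"));
    printf("bounded_copy, 16 chars: %d\n", bounded_copy_into_8("AAAAAAAAAAAAAAAA"));
    return 0;
}
```

Twelve bytes of input already clobber the saved frame pointer without touching the return slot; the sixteenth byte is what hands the attacker control of where func() returns. The model copies into a struct rather than smashing a real frame because, on a current toolchain, the genuine overflow would usually be stopped by the compiler's stack protector before the function returns, which would hide exactly the effect the slide is explaining.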