Docsity
Docsity

Prepara i tuoi esami
Prepara i tuoi esami

Studia grazie alle numerose risorse presenti su Docsity


Ottieni i punti per scaricare
Ottieni i punti per scaricare

Guadagna punti aiutando altri studenti oppure acquistali con un piano Premium


Guide e consigli
Guide e consigli


Cybersecurity: Understanding and Mitigating Common Malware Attacks, Schemi e mappe concettuali di Sicurezza Dei Sistemi Informativi

An overview of various types of malware attacks, including rootkits, signature evasion, buffer overflows, and web vulnerabilities. It also suggests mitigation strategies for each type of attack. Topics covered include stack canaries, ret2libc, aslr, stack randomization, format strings, and csrf. The document also discusses network protocol attacks and secure network architectures.

Tipologia: Schemi e mappe concettuali

2020/2021

Caricato il 26/09/2022

francofranco123stella
francofranco123stella 🇮🇹

1 documento

1 / 4

Toggle sidebar

Questa pagina non è visibile nell’anteprima

Non perderti parti importanti!

bg1
Malware
Rootkit: you cannot conclude that the machine has not been compromised through network traffic
tools. Because the malware can hide its own traffic from tools running on the compromised
machine. You could inspect network traffic using an external machine as a MitM between your
machine and the router. If it’s a BIOS rootkit, change PC, otherwise reinstall Os or swap HD.
Avoid Signature detection: Employing polymorphism/metamorphism/obfuscation/packing. The idea
is to modify the payload of the malware, so as to evade the known signature, without changing its
malicious behavior.
Known malware downloaded over HTTP: From the point of view of the company’s IT department,
enforcing all traffic to pass via a proxy and scan the payload with an AV could have prevented that.
Also, an AV on the endpoint given it was known malware. From the point of view of the software
house, deliver the update over HTTPS and\or implement a form of digital signature check of any
update package.
Memory errors
BOF -> String of arbitrary length copied in stack buffer; SOLUTION: scanf (“%15s”,s);
FS -> supplied directly from untrusted user through CLI; SOLUTION: printf(“%s”,s);
ASLR
Stack non ex.
Stack canary
Buffer overflows
No, address of the stack
randomized
No, we can’t jump to our
shellcode
No, see below
Format Strings
No
No
Yes
Solution
(attacker pov)
Must have a leak
Ret2libc => execute
system function in libc
to obtain a shell
Read the value (e.g. w a
disass.) and include it in
the exploit
Solution
(victim pov)
Do not leak
ASLR
Random value at
runtime + pushed on a
register
STACK CANARY: The underlined code implements a stack canary as a mitigation against stack-based
buffer overflows. When writing past the end of a stack-allocated buffer, one would overwrite the
variable x before overwriting the saved EIP. Before returning from the function, the content of the
variable x is checked against the original value: if they differ, a buffer overflow is detected and the
program aborts without returning from the function (i.e., without triggering the exploit). In this case, the
stack canary is a static value (0xBAAAAAAD): if the binary is available, it is enough to retrieve this
value by reverse engineering the program; then, during the exploitation it is enough to overwrite the
stack canary with this (known) value. To fix this issue, the stack canary should be randomized at the
program startup and placed in a register.
RET2LIBC: Write string ‘/bin/secret’ in buffer, overwrite sEIP with address of system(), then overwrite 8
bytes more for the system() EIP to exit and for the pointer to the buffer, so that when jumping into the
system() function, this pointer will be where system() expects the parameter and will complete
execution.
If ASLR randomizes only the libraries and the stack\heap, using ROP with gadgets in the text section. If
the binary is PIE, we can bypass ASLR only if there’s another vulnerability which gives a leak of some
stack or libc address. In this case, we could use the format string vuln as a leak, but we would have
already sent the input to the program --- thus, in this case we have no way to bypass ASLR to exploit
the buffer overflow, unless we use more advanced techniques that are out of the scope of this course.
pf3
pf4

Anteprima parziale del testo

Scarica Cybersecurity: Understanding and Mitigating Common Malware Attacks e più Schemi e mappe concettuali in PDF di Sicurezza Dei Sistemi Informativi solo su Docsity!

Malware

● Rootkit: you cannot conclude that the machine has not been compromised through network traffic tools. Because the malware can hide its own traffic from tools running on the compromised machine. You could inspect network traffic using an external machine as a MitM between your machine and the router. If it’s a BIOS rootkit, change PC, otherwise reinstall Os or swap HD. ● Avoid Signature detection: Employing polymorphism/metamorphism/obfuscation/packing. The idea is to modify the payload of the malware, so as to evade the known signature, without changing its malicious behavior. ● Known malware downloaded over HTTP: From the point of view of the company’s IT department, enforcing all traffic to pass via a proxy and scan the payload with an AV could have prevented that. Also, an AV on the endpoint given it was known malware. From the point of view of the software house, deliver the update over HTTPS and\or implement a form of digital signature check of any update package.

Memory errors

BOF -> String of arbitrary length copied in stack buffer; SOLUTION: scanf (“%15s”,s); FS -> supplied directly from untrusted user through CLI; SOLUTION: printf(“%s”,s); ASLR Stack non ex. Stack canary Buffer overflows No, address of the stack randomized No, we can’t jump to our shellcode No, see below Format Strings No No Yes Solution (attacker pov) Must have a leak Ret2libc => execute system function in libc to obtain a shell Read the value (e.g. w a disass.) and include it in the exploit Solution (victim pov) Do not leak ASLR Random value at runtime + pushed on a register ● STACK CANARY: The underlined code implements a stack canary as a mitigation against stack-based buffer overflows. When writing past the end of a stack-allocated buffer, one would overwrite the variable x before overwriting the saved EIP. Before returning from the function, the content of the variable x is checked against the original value: if they differ, a buffer overflow is detected and the program aborts without returning from the function (i.e., without triggering the exploit). In this case, the stack canary is a static value (0xBAAAAAAD): if the binary is available, it is enough to retrieve this value by reverse engineering the program; then, during the exploitation it is enough to overwrite the stack canary with this (known) value. To fix this issue, the stack canary should be randomized at the program startup and placed in a register. ● RET2LIBC: Write string ‘/bin/secret’ in buffer, overwrite sEIP with address of system(), then overwrite 8 bytes more for the system() EIP to exit and for the pointer to the buffer, so that when jumping into the system() function, this pointer will be where system() expects the parameter and will complete execution. ● If ASLR randomizes only the libraries and the stack\heap, using ROP with gadgets in the text section. If the binary is PIE, we can bypass ASLR only if there’s another vulnerability which gives a leak of some stack or libc address. In this case, we could use the format string vuln as a leak, but we would have already sent the input to the program --- thus, in this case we have no way to bypass ASLR to exploit the buffer overflow, unless we use more advanced techniques that are out of the scope of this course.

Web vulnerabilities

Yes Remove No Stored XSS There exists a way for a user to store data on the web app that will be retrieved at a later time. WRT R-XSS no payload on victim’s request Escaping/filtering/CSP The above code does not allow to store information on the server that can be exploited Reflected XSS An attacker can supply a ... containing e.g., , and the web server would print that script tag to the browser, and the browser will run the code from the URL Escaping/filtering/CSP Various reasons… (Static strings, user-input values are html-escaped...) CSRF An attacker can send a link to a victim and let the victim … by just visiting the link CSRF token with every legitimate request and check cookie(tk)==param(tk) Others (below) There is no state-changing action in the page that needs to be protected against CSRF SQL injection There must be a data flow from a user-controlled HTTP variable (parameter, cookie, or other header fields) to a SQL query, without appropriate filtering and validation. If this happens, the SQL structure of the query can be modified Escaping/filtering and/or restrict at DB level the privileges of the user to only perform SELECTs involving the needed tables db.escape() or htmlentities() No queries / all queries are prepared statements ● The CSP is meant to limit the provenance of the resources embedded in a webpage, such as scripts, fonts, images or stylesheet, form targets, ….; It is mainly used as a mitigation against XSS (or similar) vulnerabilities as it can define some scripts or origins as trusted or not for serving scripts. ● To authenticate as an existing user, an attacker can simply change the value of the cookie Username to any existing username (send HTTP request with cookie: username=xxx and use API as intended). To fix this, encrypt the cookie with a key stored on the server (with a nonce and an expiration to avoid replay attacks) + store the session data somewhere (e.g., file, database, …) indexed by a random value and set the random value in the cookie instead of the username ● There’s a reflected XSS vuln. when there exists a per-request data flow that originates from client’s rendered page and ends up on client’s rendered page as a result of the server response ● In a blind injection the data retrieved by the modified SQL query is not displayed back to the attacker. This can still be exploited: changes can be blindly executed in the database, or by using side-effects of queries the attacker can guess the answers ● CSFR: The website must allow an authenticated user to perform a state-changing action via a request (be it a GET or a POST request), which is authenticated using cookies (ambient credentials, sent automatically by the browser for every request). Furthermore, the website does not implement any technique to validate whether the request is initiated from the same website or from a different website (i.e., whether the request is intentional or not), such as by using CSRF tokens or validating the Origin header. If the conditions hold, a malicious actor can lure the user to go to an attacker-controlled website which will trigger a GET or a POST request to the vulnerable endpoint from the user’s browser and on behalf of the authenticated user. ● Add an anti-CSRF token as a POST parameter. Requires the API client to perform a request before the POST to retrieve the CSRF token. Alternatively (and better), refactor the application so that the client sends the token via a HTTP header and not via a cookie, so that it isn’t an ambient credential. Another option could be the use of same-site cookies.

The protocol allows for an amplification-based DDoS attack, with an amplification factor of up to 256, (the attacker can amplify its bandwidth of a 256 factor because the server replies with 256 times the size of the (unauthenticated) request). The scenario is the following: attacker on network A spoofs its IP address with the victim’s one, and sends many requests to server B running this protocol. B will reply to the spoofed IP (i.e., to the victim) with 256 times the data sent to B by the attacker, possibly saturating the victim’s bandwidth. The scenario requires that the attacker spoofs its IP address, and the attacker wouldn’t be able to complete the initial TCP handshake (modulo vulnerabilities in the TCP implementation, e.g., non-random initial sequence numbers) and trigger the amplification behavior. The attacker would send a SYN packet to the “amplificator” service, which responds to the victim with a “SYN-ACK”. The victim will not reply back with an “ACK” (having not initiated the connection) ~> no amplification takes place. ● A SYN flooding attack sends a stream of TCP “initial SYN” packets to the targeted server. Each packet appears to represent a request to establish a new connection. An attack that employs a large botnet, for example, might not use spoofing. : For each incoming SYN packet, the server both responds and consumes memory because it records information (state) associated with the impending new connection. The attack primarily aims to exhaust the server’s available memory for keeping this state. Solve it by using SYN cookies ● The AS and DB are now in a remote location. As we don’t want to expose them over the Internet, we need to set up a VPN between our network and the central branch. Basically we can accomplish this by setting up a VPN between the remote location and placing the VPN client in Z_SERV to bridge the Z_SERV network with the remote network (or assuming to set up a firewall-to-firewall VPN with the appropriate policies). As the overall network structure is unchanged, except for the VPN tunnel, the firewall policies would be the same. ● DDoS: The attacker uses a network of (usually compromised) machines to flood the victim with large amounts of unrequested network packets. The attacker needs access to many machines with sizable internet connections. Typically, trojans on compromised machines forming a botnet. Overall, there is no solution to this class of attacks. These attacks can only be mitigated by acting against botnets or by cleaning up infections on compromised machines. ● Detect ARP spoofing: in general, it is enough to detect duplicate ARP responses with different MAC addresses at the network switches. Alternatively, given the fact that the target is the gateway and that the network admin controls the gateway, detect any ARP response with the IP address of the gateway and raise an alarm. Prevent: If we only consider ARP spoofing from the gateway, the switches can block any ARP response with the gateway’s IP address and from a MAC address different from the gateway’s own address. More in general, assuming that the network is configured with DHCP, network switches can listen for DHCP traffic at each port, and store the (IP, mac) tuple in a centralized way (clients can move between switches\ports without renewing the DHCP lease). Then, drop each ARP packet that does not match this tuple. In any case, preventing this attack imposes an increased load on the network switches. ● Prevent DHCP poisoning: Tag each physical port of the switch as server or client , where the client ports are the ones where the guests’ computers connect. Allow client ports to send only “DHCP request” packets and limit “DHCP offer” packets to server ports, regardless the source or destination IP or MAC address ● Against MITM: ○ From the application point of view: use HTTPS with a certificate trusted by the browsers of the employee computers (BONUS: in this case it is important also to enable HSTS to prevent the customer to try to downgrade the communication to unencrypted HTTP or to train the employees to always check whether the communication is encrypted). ○ From the network point of view: various techniques; for example, 802.1x to authenticate clients connected to ethernet ports or attempt, … (in general this approach is complementary to the use of HTTPS).