
CS161 Midterm 1 Review - PowerPoint PPT Presentation


  1. CS161 Midterm 1 Review. Midterm 1: March 4, 18:30-20:00, same room as lecture

  2. Security Analysis and Threat Model
  • Basic security properties – CIA
  • Threat model
  A. We want perfect security
  B. Security is about risk analysis and economics
  Answer is B.

  3. Software Vulnerabilities
  • Buffer overflow vulnerabilities and attacks
  • Integer overflow vulnerabilities and attacks
  • Format string vulnerabilities and attacks
  • Arc injection/return-to-libc/ROP vulnerabilities and attacks
  • General control hijacking attacks
  • Data hijacking attacks

  4. General Control Hijacking
  [Figure: a Control Flow Pointer (return address, frame pointer, function pointer as local variable, exception handler, longjmp pointer) normally points at the expected code; after an overwrite it points at shellcode, a jump to an address, a library function (return to libc) or code on the heap.]
  Overwrite Step: Find some way to modify a Control Flow Pointer to point to your shellcode, library entry point, or other code of interest.
  Activate Step: Find some way to activate that modified Control Flow Pointer.
  Dawn Song

  5. Instances of Control Hijacking
  Location in Memory | Control Flow Pointer | How to activate
  Stack | Return Address | Return from function
  Stack | Frame Pointer | Return from function
  Stack | Function Pointers as local variables | Call function pointer
  Stack | Exception Handler | Trigger exception
  Heap | Function pointer in heap (i.e. method of an object) | Call function pointer
  Anywhere | setjmp and longjmp saved program state | Call longjmp
  [Figure: a stack frame (Ret Addr, Frame Ptr, exception handlers, local fn ptrs, buf); a heap object with a vtable (method #1, #2, #3), function pointers FP1–FP3 and a data buf; a longjmp pointer next to a buffer and other data.]

  6. Data Hijacking
  Modifying data in a way not intended
  Example: Authentication variable
  [Figure: three stack frames, each holding arguments, return address, stack frame pointer, authentication_variable and buffer; in the exploited frame the buffer overflows upward into authentication_variable.]
  Normal Situation: User types in a password which is stored in the buffer, and if the user is successfully authenticated, the authentication_variable is set.
  Exploited Situation: User types in a password which is long enough to overflow the buffer and into the authentication_variable. The user is now unintentionally authenticated.
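  The slide shows the layout; the fix is the bounds check the vulnerable code lacks. The following is an added example, not code from the slides: it keeps the slide's frame layout (a fixed-size buffer directly below the authentication flag) and shows the hardened copy. The password, buffer size and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example. The layout mirrors the slide: a fixed-size buffer sits
 * directly below the authentication flag, so an unbounded copy of a long
 * password (the slide's strcpy(buffer, typed) pattern) would run into the flag. */
#define PASSWORD_BUF 16
static const char EXPECTED_PASSWORD[] = "correct horse";   /* constructed secret */

struct login_frame {
    char buffer[PASSWORD_BUF];
    int  authentication_variable;   /* the data a data-hijacking attack targets */
};

/* Length of s, but never looking past max bytes: a missing terminator
 * cannot turn the length check itself into an over-read. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened version: reject anything that does not fit, copy with an explicit
 * bound, and set the flag only from the comparison result.
 * Returns 1 if authenticated, 0 if not, -1 if the input was rejected. */
int authenticate(const char *typed) {
    struct login_frame f = { .authentication_variable = 0 };

    size_t n = bounded_len(typed, PASSWORD_BUF);
    if (n >= PASSWORD_BUF)
        return -1;                  /* would overflow: refuse rather than truncate */

    memcpy(f.buffer, typed, n);     /* bounded copy: n < PASSWORD_BUF */
    f.buffer[n] = '\0';

    f.authentication_variable = (strcmp(f.buffer, EXPECTED_PASSWORD) == 0);
    return f.authentication_variable;
}

int main(void) {
    printf("correct password   -> %d\n", authenticate("correct horse"));
    printf("wrong password     -> %d\n", authenticate("wrong"));
    printf("overlong password  -> %d\n", authenticate("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

  Rejecting over-length input outright (instead of silently truncating) is the safer choice here: a truncated password would still be compared, and the caller learns nothing about why authentication failed.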

  7. Stack and Format Strings
  • Function behavior is controlled by the format string
  • Retrieves parameters from stack as requested: “%”
  • Example: printf(“Number %d has no address, number %d has: %08x\n”, i, a, &a)
  [Figure: stack top … address of the format string; value of variable i; value of variable a; address of variable a (&a) … stack bottom]
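  Because printf pulls one stack argument per conversion, the danger is a format string that requests more than the caller supplied. The following is an added example, not code from the slides: a simplified parser that counts what a format string will consume (treating %n as unsafe), a wrapper that refuses a mismatch, and the safe pattern of passing untrusted text as an argument rather than as the format. The function names and the simplified directive grammar are constructed for the example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Count how many arguments a format string will pull off the stack, the way
 * printf interprets it. Returns -1 for %n (a write to memory) or a truncated
 * conversion. "%%" is a literal percent and consumes nothing; a '*' width or
 * precision consumes one extra int argument. (Simplified parser, constructed
 * for this example: it does not validate every flag/length combination.) */
int args_requested(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                               /* "%%" */
        /* flags, field width, precision and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL) {
            if (*p == '*')
                n++;                                /* '*' reads width/precision as an argument */
            p++;
        }
        if (*p == '\0' || *p == 'n')
            return -1;                              /* truncated spec, or %n */
        n++;                                        /* the conversion itself */
    }
    return n;
}

/* Refuse to run a format string whose argument demand does not match what
 * the caller actually supplied. nargs is the count of variadic arguments. */
int checked_printf(int nargs, const char *fmt, ...) {
    int want = args_requested(fmt);
    if (want < 0 || want != nargs)
        return -1;                  /* mismatch: would read stack slots the caller never passed */
    va_list ap;
    va_start(ap, fmt);
    int rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}

/* The safe way to print untrusted text: the data is an argument, never the format. */
int print_untrusted(const char *user_text) {
    return checked_printf(1, "%s\n", user_text);
}

int main(void) {
    int i = 7, a = 42;
    /* The slide's call, with the argument count checked against the format. */
    checked_printf(3, "Number %d has no address, number %d has: %08x\n",
                   i, a, (unsigned)(uintptr_t)&a);
    /* User-controlled text that looks like a format string is printed as text. */
    print_untrusted("%08x %08x");
    /* Passing that text as the format with no arguments is refused. */
    printf("refused: %d\n", checked_printf(0, "%08x %08x\n"));
    return 0;
}
```

  The counter is the check, the wrapper only enforces it; in real code the compiler's format warnings (-Wformat with a literal format string) do the same job statically, and the wrapper is for the cases where the format is only known at run time.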

  8. SW Vuln. Defenses
  • Non-execute (NX)
  • Stack canaries
  • ASLR
  • Bounds check
  • Which defenses are effective against what attacks?

  9. Effectiveness and Limitations
  • Defense against buffer overflow attacks
  Location | Defenses/Mitigations against Code Injection | Defenses/Mitigations against Arc Injection
  Stack | Non-Execute (NX)*, ASLR, StackGuard (Canaries), ProPolice /GS, libsafe | ASLR, StackGuard (Canaries), ProPolice /GS, libsafe
  Heap | Non-Execute (NX)*, ASLR, PointGuard | ASLR, PointGuard
  Exception Handlers | Non-Execute (NX)*, ASLR, SAFESEH and SEHOP | ASLR, SAFESEH and SEHOP
  * When applicable

  10. Fuzzing
  • Random fuzzing
  • Mutation-based fuzzing
  • Generation-based fuzzing
  • Code coverage – line, branch and path coverage
  • Example problem: given a program, calculate how many inputs can achieve full line/branch/path coverage (e.g., Discussion 5)

  11-17. Coverage Metrics [Figures illustrating line coverage, branch coverage and path coverage on the same example program]

  18. Quiz on Line Coverage [Figure: the example code] How many lines are in this code? How many test cases (pairs of values for (a,b)) are needed to achieve 100% line coverage? Options: 1, 2, 3, 4

  19. Quiz on Branch Coverage [Figure: the example code] How many branches are in this code? How many test cases (pairs of values for (a,b)) are needed to achieve 100% branch coverage? Options: 1, 2, 3, 4

  20. Quiz on Path Coverage [Figure: the example code] How many paths are in this code? How many test cases (pairs of values for (a,b)) are needed to achieve 100% path coverage? Options: 1, 2, 3, 4

  21. Completeness of Coverage Metrics
  Which of the following coverage results guarantee the bug will be found?
  100% line coverage
  100% branch coverage
  100% path coverage
  None of the above

  22. Properties of Coverage Metrics
  • A numeric measure of an analysis
  • An objective basis for comparing different analyses
  • A way to evaluate if no progress is made (no coverage metrics are increasing)
  Important: Metrics are not sufficient conditions for completeness. 100% coverage does not mean all sources of vulnerabilities have been evaluated.
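  The quiz code on slides 18-20 is not reproduced on this page, so the following is an added example, not the slides' program: a constructed two-condition program on (a, b), instrumented by hand so that a test suite's line, branch and path coverage can be counted. It shows the pattern the quizzes ask about: one test gives 100% line coverage, two give 100% branch coverage, and all 2^2 = 4 paths need four. All names and the program itself are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed program under test, in the shape of the quiz slides: two
 * independent conditions on (a, b). Its structure gives 5 executable lines,
 * 4 branch edges (two ifs x {taken, not taken}) and 2^2 = 4 paths. */
#define NLINES    5
#define NBRANCHES 4
#define NPATHS    4

typedef struct {
    bool line[NLINES];
    bool branch[NBRANCHES];
    bool path[NPATHS];
} coverage_t;

/* Manually instrumented: every line, branch edge and complete path records
 * itself in cov. Returns the computed value. */
static int program(int a, int b, coverage_t *cov) {
    int x = 0, path = 0;
    cov->line[0] = true;                     /* line 1: x = 0       */
    cov->line[1] = true;                     /* line 2: if (a > 0)  */
    if (a > 0) {
        cov->branch[0] = true; path |= 1;    /* edge: if1 taken     */
        cov->line[2] = true; x += a;         /* line 3: x += a      */
    } else {
        cov->branch[1] = true;               /* edge: if1 not taken */
    }
    cov->line[3] = true;                     /* line 4: if (b > 0)  */
    if (b > 0) {
        cov->branch[2] = true; path |= 2;    /* edge: if2 taken     */
        cov->line[4] = true; x += b;         /* line 5: x += b      */
    } else {
        cov->branch[3] = true;               /* edge: if2 not taken */
    }
    cov->path[path] = true;                  /* which of the 2^2 (T/F, T/F) paths ran */
    return x;
}

static int count_true(const bool *v, int n) {
    int c = 0;
    for (int i = 0; i < n; i++)
        c += v[i];
    return c;
}

/* Run a suite of (a, b) pairs and accumulate their combined coverage. */
void run_suite(const int (*cases)[2], int ncases, coverage_t *cov) {
    memset(cov, 0, sizeof *cov);
    for (int i = 0; i < ncases; i++)
        program(cases[i][0], cases[i][1], cov);
}

int lines_covered(const int (*cases)[2], int n)    { coverage_t c; run_suite(cases, n, &c); return count_true(c.line, NLINES); }
int branches_covered(const int (*cases)[2], int n) { coverage_t c; run_suite(cases, n, &c); return count_true(c.branch, NBRANCHES); }
int paths_covered(const int (*cases)[2], int n)    { coverage_t c; run_suite(cases, n, &c); return count_true(c.path, NPATHS); }

/* Three constructed suites: the smallest that reach 100% line, branch and path coverage. */
static const int SUITE_LINE[][2]   = { {1, 1} };
static const int SUITE_BRANCH[][2] = { {1, 1}, {-1, -1} };
static const int SUITE_PATH[][2]   = { {1, 1}, {1, -1}, {-1, 1}, {-1, -1} };

static void report(const char *name, const int (*cases)[2], int n) {
    printf("%-12s lines %d/%d  branches %d/%d  paths %d/%d\n", name,
           lines_covered(cases, n), NLINES, branches_covered(cases, n), NBRANCHES,
           paths_covered(cases, n), NPATHS);
}

int main(void) {
    report("one test", SUITE_LINE, 1);      /* 5/5 lines but only 2/4 branches, 1/4 paths */
    report("two tests", SUITE_BRANCH, 2);   /* 4/4 branches but still 2/4 paths */
    report("four tests", SUITE_PATH, 4);    /* every path */
    return 0;
}
```

  The two-test suite is the point of slide 21: it reaches 100% line and branch coverage while never executing the (a > 0, b <= 0) and (a <= 0, b > 0) paths, which is exactly where a path-dependent bug can hide.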

  23. Symbolic Execution
  • Path predicates
  • Security vulnerabilities as assertion violations
  • How to use symbolic execution to find bugs
  • Constraint-based automatic test case generation
  • Challenges for symbolic execution

  24. Assertion Violation as Satisfiability
  In the appropriate theory, the formula
  input < UINT_MAX - 2 && len == input + 3 && !(len < 10) && !(len % 2 == 0) && !(len < UINT_MAX - 1)
  is satisfied (so the err location is reachable) by the assignment input = UINT_MAX - 3, len = UINT_MAX
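  The slide gives only the path predicate and its model. The following is an added example, not from the slides: a constructed program whose branches produce exactly that predicate on the path to err, the predicate itself as a function, and a check that the solver's model really drives the concrete program to err. A brute-force scan is included only to show where the solution sits (four below UINT_MAX, a boundary a random fuzzer is unlikely to hit). The program shape is an assumption reconstructed from the formula; all names are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed program whose path to err is exactly the slide's formula:
 * each conjunct is one branch condition, negated where the path takes the
 * else side. */
static bool err_reached;            /* set when execution hits the err location */

unsigned run(unsigned input) {
    err_reached = false;
    if (!(input < UINT_MAX - 2))    /* conjunct 1: keeps input + 3 from wrapping */
        return 0;
    unsigned len = input + 3;       /* conjunct 2: len == input + 3 */
    if (len < 10)                   /* conjunct 3, negated on the err path */
        return 1;
    if (len % 2 == 0)               /* conjunct 4, negated */
        return 2;
    if (len < UINT_MAX - 1)         /* conjunct 5, negated */
        return 3;
    err_reached = true;             /* err: the assertion violation */
    return 4;
}

bool reaches_err(unsigned input) {
    run(input);
    return err_reached;
}

/* The path predicate as a solver sees it, evaluated on a concrete assignment.
 * A solver returns such an assignment (a model); constraint-based test
 * generation turns the model into a test input. */
bool path_predicate(unsigned input, unsigned len) {
    return input < UINT_MAX - 2 && len == input + 3 && !(len < 10)
        && !(len % 2 == 0) && !(len < UINT_MAX - 1);
}

/* A model is only useful if replaying it concretely reproduces the violation. */
bool model_reproduces_err(unsigned input, unsigned len) {
    return path_predicate(input, len) && reaches_err(input);
}

/* Linear scan of [lo, hi] for an input that reaches err; -1 if none.
 * Shown for contrast: the solver finds the model without enumerating 2^32 inputs. */
long long search_err(unsigned lo, unsigned hi) {
    for (unsigned u = lo;; u++) {
        if (reaches_err(u))
            return (long long)u;
        if (u == hi)                /* inclusive bound without wrapping at UINT_MAX */
            return -1;
    }
}

int main(void) {
    unsigned input = UINT_MAX - 3, len = UINT_MAX;   /* the slide's model */
    printf("predicate holds: %d, concrete run reaches err: %d\n",
           path_predicate(input, len), reaches_err(input));
    printf("scan of the top 100 values finds: %lld\n", search_err(UINT_MAX - 100, UINT_MAX));
    printf("scan of 0..1000000 finds: %lld\n", search_err(0, 1000000));
    return 0;
}
```

  Note why the model is unique: err needs len odd and len >= UINT_MAX - 1, so len = UINT_MAX and input = UINT_MAX - 3; one value below (UINT_MAX - 4) gives an even len, one value above fails the guard.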

  25-27. Quiz: Branches and Paths
  [Figure: a chain of n branches, each with an F and a T edge (1F/1T, 2F/2T, …, nF/nT), leading to the location ERR]
  Suppose we want to know if there is a feasible path to the location ERR in this program. Suppose we generate one path predicate for each path through this program. How many path predicates are generated?
  Answer: 2^n. The number of predicates can be exponential in the number of branches.

  28. Topics Covered in Midterm 2
  • Static analysis
  • Program Verification
  • Security principles and architectures
  • Malware
  • Other topics after midterm 2
