necessary background on
play

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION - PowerPoint PPT Presentation

Nov 14, 2023 •491 likes •901 views

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

  1. 1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES

  2. Outline 2  Memory safety attacks  Buffer overruns  Format string vulnerabilities  Web application vulnerabilities  SQL injections  Cross-site scripting attacks

  3. Buffer Overflows 3

  4. Buffer Overrun Example 4 Frame 2 Frame 1 sfp ret str sfp ret str local local void lame (void) { char small[30]; gets(small); printf("%s\n", small); }

  5. Input Validation 5 Classifying vulnerabilities:  Buffer overflows can be viewed as an example of improper input validation  Another related type of vulnerability is information leaks  Other notable examples:  Format string vulnerabilities  SQL injection attacks  Cross-site scripting attacks  Mechanisms to prevent attacks  Better input validation  Safe programming techniques  Techniques for detecting potential buffer overflows in code  Static analysis  Runtime analysis  Fuzzing/penetration testing  Write-box fuzzing  etc. 

  6. Secure Programming Techniques 6  Validate all input  Easier said than done  Why is that?  Avoid buffer overflows  Use safe string manipulation functions  Careful length checking  Avoid statically declared arrays  etc.  Or use a memory-safe language  Java or C#  JavaScript (not type-safe)

  7. Validating Input 7  Determine acceptable input, check for match --- don’t just check against list of “non - matches”  Limit maximum length  Watch out for special characters, escape chars.  Check bounds on integer values  Check for negative inputs  Check for large inputs that might cause overflow!

  8. Avoid strcpy , … 8  We have seen that strcpy is unsafe  strcpy(buf, str) simply copies memory contents into buf starting from *str until “ \ 0” is encountered, ignoring the size of buf  Avoid strcpy (), strcat (), gets (), etc.  Use strncpy (), strncat (), instead  Still, computing proper bounds is difficult in practice  Easy to mess up, off-by-one errors are common

  9. Static and Dynamic Analysis 9 Static analysis: run on the source code prior to deployment; check for known flaws  e.g., flawfinder, cqual  Or Prefix/Prefast  Or Coverity or Fortify tools  Will look at some more recent work in this course as well as older stuff  Dynamic analysis: try to catch (potential) buffer overflows during program execution  Soundness  Precision  Comparison?  Static analysis very useful, but not perfect  False positives  False negatives  Dynamic analysis can be better (in tandem with static analysis), but can slow down execution  Historically of great importance, drove adoption of type-safe languages such as Java and C# 

  10. Dynamic analysis: Libsafe 10  Very simple example of what can be done at runtime  Intercepts all calls to, e.g., strcpy (dest, src)  Validates sufficient space in current stack frame: |frame-pointer – dest| > strlen(src)  If so, executes strcpy ; otherwise, terminates application

  11. Preventing Buffer Overflows 11  Operating system support:  Can mark stack segment as non-executable  Randomize stack location  Problems:  Does not defend against `return-to-libc ’ exploit  Overflow sets ret-addr to address of libc function  Does not prevent general buffer overflow flaws, or heap overflow  Basic heap overflows can be helped with ALSR

  12. Heap-based Buffer Overruns and Heap Spraying 12  Buffer overruns consist of two steps  Introduce the payload  Cause the program to jump to it  Can put the payload/shellcode in the heap  Arbitrary amounts of code  Doesn’t work with heap randomization  Location of the payload changes every time  Heap spraying:  Allocate multiple copies of the payload  When the jump happens, it hits the payload with a high probability

  13. StackGuard 13  Embed random “canaries” in stack frames and verify their integrity prior to function return  This is actually used!  Helpful, but not foolproof… Frame 2 Frame 1 sfp ret str sfp ret str local canary local canary

  14. More Methods … 14  Address obfuscation  Encrypt return address on stack by XORing with random string. Decrypt just before returning from function  Attacker needs decryption key to set return address to desired value

  15. More Input Validation Flaws 15

  16. Format String Vulnerabilities 16  What is the difference between printf(buf); and printf (“%s”, buf); ?  What if buf holds %x ?  Look at memory, and what printf expects…

  17. Format String Exploits 17 Technique: #include <stdio.h>   Declare a variable of type int in line int main() { 4 and call it bytes_formatted int bytes_formatted=0;  Line 6 the format string specifies char that 20 characters should be formatted in hexadecimal (“%.20x”) buffer[28 ]=”ABCDEFGHIJKLMNOPQRSTUVWXYZ”; using buffer  When this is done, due to the “%n” printf (“%.20x%n”,buffer,&bytes_formatted); specifier write the value 20 to printf( bytes_formatted “ \nThe number of bytes formatted in the previous printf statement Result:  was %d\ n”, bytes_formatted);  This means that we have written a return 0; value to another memory location }  Very definition of violating memory safety  May be possible to gain control over a program’s execution

  18. Other Input Validation Bugs 18  Integer overflow…  Consider the code: strncpy(msg+offset, str, slen); where the adversary may control offset  By setting the value high enough, it will wrap around and be treated as a negative integer!  Write into the msg buffer instead of after it

  19. 19 Web Application Vulnerabilities

  20. SQL Injection Attacks 20  Affect applications that use untrusted input as part of an SQL query to a back-end database  Specific case of a more general problem: using untrusted input in commands

  21. SQL Injection: Example 21  Consider a browser form, e.g.:  When the user enters a number and clicks the button, this generates an http request like https://www.pizza.com/show_orders?month=10

  22. Example Continued … 22  Upon receiving the request, a Java program might produce an SQL query as follows: sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND order_month= " + request.getParameter("month") ;  A normal query would look like: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=10

  23. Example Continued … 23  What if the user makes a modified http request: https://www.pizza.com/show_orders?month=0%20OR%201%3D1  (Parameters transferred in URL-encoded form, where meta-characters are encoded in ASCII)  This has the effect of setting request.getParameter (“month”) equal to the string 0 OR 1=1

  24. Example Continued 24  So the script generates the following SQL query: SELECT pizza, quantity, order_day FROM orders ( WHERE userid=4123 ) AND order_month=0 OR 1=1  Since AND takes precedence over OR, the above always evaluates to TRUE  The attacker gets every entry in the database!

  25. Even Worse … 25  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 OR 1=0 UNION SELECT cardholder, number, exp_date FROM creditcards  Attacker gets the entire credit card database as well!

  26. More Damage … 26  SQL queries can encode multiple commands, separated by ‘;’  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 ; DROP TABLE creditcards  Credit card table deleted!  DoS attack

  27. More Damage … 27  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 ; INSERT INTO admin VALUES („hacker‟, ...)  User (with chosen password) entered as an administrator!  Database owned!

  28. May Need to be More Clever … 28  Consider the following script for text queries: sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND topping= „ " + request.getParameter (“topping") + “‟”  Previous attacks will not work directly, since the commands will be quoted  But easy to deal with this…

  29. Example Continued … 29  Craft an http request where request.getParameter (“topping”) is set to abc ‟; DROP TABLE creditcards; --  The effect is to generate the SQL query: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND toppings=„ abc ‟; DROP TABLE creditcards ; -- ‟  (‘ -- ’ represents an SQL comment)

  30. 30 Source : http://xkcd.com/327/

  31. Solutions? 31  Blacklisting  Whitelisting  Encoding routines  Prepared statements/bind variables  Mitigate the impact of SQL injection

Recommend

Tracer Study Public Workshop August 27, 2019 Background Background Background Background

Tracer Study Public Workshop August 27, 2019 Background Background Background Background

Tracer Study Public Workshop August 27, 2019 Background Background Background Background Historic drought in US southwest since 2000, yet population has continued to grow. See:

339 views • 13 slides
Background The Community Network Background Background The Vision Increase community use of

Background The Community Network Background Background The Vision Increase community use of

Background The Community Network Background Background The Vision Increase community use of schools Opportunities for communities and neighbourhoods to identify needs/wants Provision of services to children and families in their

580 views • 33 slides
AN INTRODUCTION TO BACKGROUND SETTINGS: Allows you to change background BACKGROUND SETTINGS: Allows

AN INTRODUCTION TO BACKGROUND SETTINGS: Allows you to change background BACKGROUND SETTINGS: Allows

AN INTRODUCTION TO BACKGROUND SETTINGS: Allows you to change background BACKGROUND SETTINGS: Allows you to change background color BACKGROUND SETTINGS: Allows you to change background templates INTERACTIVE PEN TOOL: Chose thickness and color for

810 views • 29 slides
BACKGROUND JOB PROCESSING DO'S AND DON'TS BACKGROUND JOB PROCESSING - DO'S AND DON'TS IMAGE

BACKGROUND JOB PROCESSING DO'S AND DON'TS BACKGROUND JOB PROCESSING - DO'S AND DON'TS IMAGE

CHUCK REEVES @MANCHUCK BACKGROUND JOB PROCESSING DO'S AND DON'TS BACKGROUND JOB PROCESSING - DO'S AND DON'TS IMAGE PROCESSOR UPLOAD IMAGE PROCESS IMAGE ENTERS QUEUE ZendCon 2016 BACKGROUND JOB PROCESSING - DO'S AND DON'TS THE PROBLEM

817 views • 35 slides
Background Body background Subtle patterns background textures List marker (see

Background Body background Subtle patterns background textures List marker (see

Background Body background Subtle patterns background textures List marker (see snippets) Default: window size Advantage: grows and shrinks easily Disadvantage: harder to design Making body fixed width Advantage:

277 views • 4 slides
FLAME 2014/11/1 Background Complex Systems or Networks Background Design Experiment

FLAME 2014/11/1 Background Complex Systems or Networks Background Design Experiment

FLAME 2014/11/1 Background Complex Systems or Networks Background Design Experiment Unpredictable Circuitry Background Incompatible parts Background Our Goal Characterize and standardize circuits to organize standard parts correctly

847 views • 63 slides
Being Open Georgia Gkioxari Background Background GREECE Background GREECE UC Berkeley

Being Open Georgia Gkioxari Background Background GREECE Background GREECE UC Berkeley

Being Open Georgia Gkioxari Background Background GREECE Background GREECE UC Berkeley Background 2010: Greece UC Berkeley 2016: PhD with Jitendra Malik 2016-2018: PostDoc at FAIR Now: Research Scientist at FAIR

585 views • 23 slides
Background Background Background Background Design Task Museum! Museum! Design step1

Background Background Background Background Design Task Museum! Museum! Design step1

Background Background Background Background Design Task Museum! Museum! Design step1 Define the city step2 Build a database for the city Design How to build a bio-database Design Specific enzyme cutting sites Design

674 views • 38 slides
Mediation: Background and Basics David A. Kenny davidakenny.net Overview Background and

Mediation: Background and Basics David A. Kenny davidakenny.net Overview Background and

Mediation: Background and Basics David A. Kenny davidakenny.net Overview Background and Early History Steps Indirect Effect Broadening Mediation Analysis Taking Assumptions Seriously My Current Work 2 Background and

497 views • 46 slides
Neural Photo Editing Andrew Brock Introduction Background: VAEs Background: VAEs Background:

Neural Photo Editing Andrew Brock Introduction Background: VAEs Background: VAEs Background:

Neural Photo Editing Andrew Brock Introduction Background: VAEs Background: VAEs Background: GANs Background: GANs The IAN Model Multiscale Dilated Conv Blocks Image credit: http://liangchiehchen.com/fg/deeplab_aspp.jpg Multiscale Dilated

355 views • 17 slides
Reducing the pupil premium gap Background Background But this does not show .. The

Reducing the pupil premium gap Background Background But this does not show .. The

Northfleet School for Girls Reducing the pupil premium gap Background Background But this does not show .. The Story! Year % 5A*-C with PPG Gap English and Maths 2012 50% -32% 2013 64% -43% 2014 52% -21% Why do PPG

551 views • 34 slides
Background Background The impact of Musculoskeletal Conditions and Chronic Widespread Pain

Background Background The impact of Musculoskeletal Conditions and Chronic Widespread Pain

Outline What t ar are th the most rel elevant t en envi vironmenta tal fac facto tors in in rel elation to to hea ealth? Background Cristina Bostan 2 , Cornelia Oberhauser 1 , Alarcos Cieza 1,2 Objectives 1 Chair of Public

267 views • 5 slides
Assessment 2016 Background and objectives Background With programming in over 160

Assessment 2016 Background and objectives Background With programming in over 160

UNICEF Solar Powered Water System Assessment 2016 Background and objectives Background With programming in over 160 countries, a number of solar solutions has been implemented in various which varying results and outcomes There is the

505 views • 18 slides
B A B AR Beam Background Beam Background Simulation Simulation Steven Robertson 2 nd Hawaii

B A B AR Beam Background Beam Background Simulation Simulation Steven Robertson 2 nd Hawaii

B A B AR B A B AR Beam Background Beam Background Simulation Simulation Steven Robertson 2 nd Hawaii Super B Factory Workshop April 21, 2005 Motivation Motivation EMC EMC y g r Beam background conditions result in Beam background

547 views • 30 slides
Background Presenter: Josh Andre Background Sources Animal:

Background Presenter: Josh Andre Background Sources Animal:

10/23/13 Background Presenter: Josh Andre Background Sources Animal: organ meats, fish, poultry, cheese Oxida&lt;on States: Plant: Ranges from Cr

533 views • 9 slides
Let us know who you are . Background survey 1. Major 2. Primary background (biology,

Let us know who you are . Background survey 1. Major 2. Primary background (biology,

Let us know who you are . Background survey 1. Major 2. Primary background (biology, computation, other) 3. Programming experience (how much, what language) Registered/not-registered/waiting-list Genome 373: Genomic Informatics

802 views • 42 slides
Background and Campaign The Result What Now? Conclusions Background and Campaign The Result

Background and Campaign The Result What Now? Conclusions Background and Campaign The Result

Background and Campaign The Result What Now? Conclusions Background and Campaign The Result What Now? Conclusions Brexit: What happened? What now? Dr Thomas J. Leeper 13 March 2018 Research funded by ESRC UK in a Changing Europe Initiative

758 views • 59 slides
investigation of pen as structural self vetoing material for cryogenic low background experiments

investigation of pen as structural self vetoing material for cryogenic low background experiments

Felix Fischer March 13 , 2018 IMPRS Mini-Workshop, Mnchen investigation of pen as structural self vetoing material for cryogenic low background experiments Low Background Reduction &amp; identification of background events New generation of

789 views • 41 slides
4. In the Background dialog box that appears, click the Choose button to the right of Image to

4. In the Background dialog box that appears, click the Choose button to the right of Image to

There are several ways to customize your Google Slides presentation using themes, backgrounds, and animations. Add a theme or background image Themes, background images, and layouts can be used to convey a consistent message throughout a

651 views • 5 slides
Outline 1. Background about SPHMMC 2. Background about CASH 3. Implementation of CASH at

Outline 1. Background about SPHMMC 2. Background about CASH 3. Implementation of CASH at

Outline 1. Background about SPHMMC 2. Background about CASH 3. Implementation of CASH at SPHMMC 4. Successes of CASH 5. Enabling factors 6. Challenges 7. Way forward 1. Background of SPHMMC SPHMMC was established in 1968 by the

442 views • 22 slides
Efficient Lighting: Background and Discussion May 29, 2014 2 Agenda Introductions

Efficient Lighting: Background and Discussion May 29, 2014 2 Agenda Introductions

Efficient Lighting: Background and Discussion May 29, 2014 2 Agenda Introductions Roadmap Background Consumer Research Background References Library Discussion Framework 3 Roadmap Background Stakeholders

414 views • 14 slides
An American Bullfrog in Brazil Lauren V. Ash University of Vermont June 4, 2019 Background The

An American Bullfrog in Brazil Lauren V. Ash University of Vermont June 4, 2019 Background The

An American Bullfrog in Brazil Lauren V. Ash University of Vermont June 4, 2019 Background The American Bullfrog ( Lithobates catesbeianus ) Background Hoverman et al. 2011 Background High viral loads? Background Are invasive Bullfrogs in

649 views • 20 slides
1 Background Background 4 Background: Physical Activity in the United States Background:

1 Background Background 4 Background: Physical Activity in the United States Background:

Interprofessional Geriatrics Training Program Interprofessional Geriatrics Training Program Optimizing Physical Activity in Older Adults HRSA GERIATRIC WORKFORCE ENHANCEMENT FUNDED PROGRAM Grant EngageIL.com 1 #U1QHP2870 Acknowledgements

649 views • 29 slides
OPT Information Session Overview Background Eligibility Duration Types of

OPT Information Session Overview Background Eligibility Duration Types of

OPT Information Session Overview Background Eligibility Duration Types of employment When you should apply Application Process During OPT Special Scenarios Resources Background Background Optional Practical

549 views • 32 slides

More recommend