Understanding Computer Security and Software Vulnerabilities

Slide Note
Embed
Share

Computer security, also known as cybersecurity or IT security, encompasses the protection of information systems from theft and damage. This overview delves into software security, control-flow attacks, memory vulnerabilities, and the historical impact of events like the Morris Worm. Various aspects such as encryption, access control, buffer overflow vulnerabilities, and the consequences of cyber threats are explored, shedding light on the critical importance of safeguarding digital assets.

chriss
chriss Follow

Uploaded on Sep 07, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Software Security Overview Mao Bing Department of Computer Science NanJing University

  2. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 2

  3. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 3

  4. Computer Security Computer security, also known as cybersecurity or IT security, is the ...protection of information systems from theft (secrecy/confidentiality) or damage (integrity) to the hardware, the software, and to the information on them, ... Gasser, Morrie (1988) 4

  5. How Many Vulnerabilities? 5

  6. Before Morris Worm, Computer Security is: Encryption & Decryption Access Control DAC MAC Logic Bomb Back Door 6

  7. Until 1988 Access Control Encryption & Decryption Computer Security Logic Bomb Back Door 7

  8. Morris Worm Author: Robert Tappan Morris Generating IP address(Randomly) Address detection Attack, & Infection Y Y Is the Is the host real? Vulnerability exist? N N 8

  9. Morris Worm Vulnerability: Buffer Overflow Attack & Infection Hijack control flow & execute SHELLCODE Add the virus to the head or tail of the program 9

  10. Effect of Morris Worm The U.S. Government Accountability Office put the cost of the damage at $100,000 10,000,000. Around 6,000 major UNIX machines were infected by the Morris worm(about 60,000 computers attached to the Internet). Prompted DARPA to fund the establishment of the CERT/CC at Carnegie Mellon University. 10

  11. What changes do Morris Worm bring to Computer Security? A real Buffer Overflow Attack Software Security 11

  12. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 12

  13. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 13

  14. Anatomy of a Program in Memory support process execution (LIFO) 14

  15. Stack The stack is used for: passing arguments, storing return information, saving registers, and for local storage. 15

  16. Procedure Call The compiled code for a function has three parts: the setup where the stack frame is initialized; the body where the actual computation of the procedure is performed; and the finish where the stack state is restored and the procedure returns. Set up(real): push ebp movl esp, ebp set %ebp as frame pointer Call(virtual): push return addr. jump to func saved old ebp Finish(real): pop ebp ret Ret(virtual): pop return addr. jump to the addr. restore %ebp ret 16

  17. Stack Frame Structure The key of the Buffer Overflow Attack!!! 17

  18. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 18

  19. Vulnerability Metrics: Buffer Overflow 19

  20. Buffer Overflow & Morris Worm Aside from being the first computer worm to be distributed via the Internet, the worms attack was a classic stack smash against the fingerd daemon. char buf[512]; int is_authorized; func(){ ; gets(buf); } Morris recounts his thoughts on the overflow attack: I had heard of the potential for exploits via overflow of the data segment buffers overwriting the next variable. That is, people were worried about code like this: 20

  21. Buffer Overflow large_string: AAAAAAAAAAA .. AAAAAA7c80dfdd0804874 . . . x argument Return addr shellcode \xdd\xdf\x80\x7c\xff\xff\xff\xff \xdb\x53\x87\x7c\x63\xce\x86\x7c \xc6\x3a\x87\x7c\xfa\x20\x87\x7c \xc6\x3a\x87\x7c\x63\x3e\x86\x7c \x44\x21\x86\x7c\xea\xd4\x83\x7c old %ebp Saved registers offset = x buffer Other data 21

  22. Buffer Overflow Attack Step Find memory space to host the shellcode Determining the buffer size to write exactly int EIP Vulnerability program Success Get shellcode and finalize the exploit Jump to the shellcode in a reliable way 22

  23. Defense Vulnerability Return Address Malicious code 23

  24. Defense(Vulnerability): Writing Correct Code Writing correct code is a laudable but remarkably expensive proposition , especially when writing in a language such as C that has error-prone idioms such as null-terminated strings and a culture that favors performance over correctness. No Function 1 gets(char[]) 2 char *fgets(char *string, int n, FILE *stream) 3 char *strcpy( char *dest, const char *src ) 24

  25. Defense(Return Address): StackGuard StackGuard is a compiler technique for providing code pointer integrity checking to the return address in function activation records. StackGuard is implemented as a small patch to gcc that enhances the code generator for emitting code to set up and tear down functions. The enhanced setup code places a canary 4 word next to the return address on the stack. 25

  26. Defense(Malicious Code): Non-Executable Data DEP large_string: AAAAAAAAAAA .. AAAAAA7c80dfdd0804874 . . . No Executable x argument Return addr shellcode \xdd\xdf\x80\x7c\xff\xff\xff\xff \xdb\x53\x87\x7c\x63\xce\x86\x7c \xc6\x3a\x87\x7c\xfa\x20\x87\x7c \xc6\x3a\x87\x7c\x63\x3e\x86\x7c \x44\x21\x86\x7c\xea\xd4\x83\x7c old %ebp Saved registers offset = x buffer Other data 26

  27. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 27

  28. Return-to-libc(RILC) 28

  29. Return-to-libc(RILC) large_string: AAAAAAAAAAA .. AAAAAA 7c80dfdd 0804874 . . . x argument Return addr abs_0 .text:7c80dfdd mov edx, edi .text:7c80dff0 mov eax, edi .text:7c80dff2 sar edx, 1Fh .text:7c80dff5 xor eax, edx .text:7c80dff7 sub eax, edx .text:7c80dff9 retn old %ebp Saved registers offset = x buffer Other data 29

  30. Limitations 1. Expressive power 2. Easy to be defensive function2() function 1() Malicious Behavior An Exploit function3() . functionN() 30

  31. Return Oriented Programming 31

  32. Return Oriented Programming payload: Gadget4 0x7C80DFDD: pop ebx ret Gadget3: 0x7C8753DB: inc ebx dec ecx ret 0x7C80DFDD Gadget2: 0x7C86CE63 pop edi ESP 0x7C8753DB ret ESP data:edi ESP 0x7C83D4EA Gadget1: 0x7C8720FA: pop esi ESP data:esi ret ESP 0x7C8720FA ESP 32

  33. Enough gadgets for attack? movl $0x0f000000, (%edi) xchg %ebp, %eax inc %ebp ret The set of gadgets described is Turing complete by inspection, so return-oriented programs can do anything possible with x86 code. (The Geometry of Innocent Flesh on the Bone:Return-into-libc without Function Calls (on the x86) Hovav Shacham, ACM CCS 2007) f7 c7 07 00 00 00 0f 95 45 c3 c7 07 00 00 00 0f 95 45 c3 test $0x00000007, %edi setnzb -61(%ebp) 33

  34. ROP: Contribution 1. Describe an efficient algorithm for analyzing libc to recover the instruction sequences that can be used in attack 2. Bypass StackGuard & DEP 3. But 34

  35. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 35

  36. Address Space Layout Randomization High address Code Segment 0x7C80DFDD: pop ebx ret shellcode 0x7C83D4EA: pushad 0x7C83D4EA push edi ret 0x7C862144 0x7C863E63 0x7C863E63: pop ebp ret 0x7C86CE64 0x7C8720FA 0x7C86CE63: pop edi ret 0x7C86CE64 0x7C86CE63 0x7C8720FA: pop esi ret 0x7C8753DB 0x7C8753DB: inc ebx 0xFFFFFFFF dec ecx ret 0x7C80DFDD 36

  37. Address Space Layout Randomization High address Randomization 0x8F7EDFDD: pop ebx ret shellcode 0x8F8AD4EA: pushad 0x7C83D4EA push edi ret 0x7C862144 0x7C863E63 0x8F9D3E63: pop ebp ret 0x7C86CE64 0x7C8720FA 0x8FA6CE63: pop edi ret 0x7C86CE64 0x7C86CE63 0x8FD320FA: pop esi ret 0x7C8753DB 0x8FD353DB: inc ebx 0xFFFFFFFF dec ecx ret 0x7C80DFDD 37

  38. Just-in-time Code Reuse Re-Randomization Isomeron, NDSS 15 38

  39. Control Flow Integrity CFI idea: During program execution, whenever a machine-code instruction transfers control, it targets a valid destination, as determined by a Control Flow Graph (CFG) created ahead of time. 1: sum = 0 2: i = 1 (1) (2) (3) (4) (5) (6) (7) sum = 0 i = 1 while (i<N) do i = i+1 if(i%2 == 0) 3: while (i<N) do 4: I = i+1 5: if(i%2==0) continue; sum = sum + i endwhile (8) print (sum) 7: sum=sum+i 8: print(sum) 39

  40. Control Flow Integrity Jump to the destination only if the tag is equal to 12345678 40

  41. Control Flow Integrity Control Flow Integrity provides: Provably correct mechanisms that prevent powerful attackers from succeeding by protecting against all control flow integrity attacks. Issues: Performance overhead(average/max: 15%/46%) Compatibility issues limit its adoption Build CFG statically Rewrite binary Verify CFI instrumentation Perform ID checks at run time 41

  42. Practical Control Flow Integrity BinCFI(2013 s USENIX) CCFIR(2013 S&P) CCFIR(2013 S&P) CCFI(2015 CCS) 42

  43. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 43

  44. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 44

  45. Source Code of do_authentication() 45

  46. Data-Oriented Programming 46

  47. DOP Example 1 2 3 4 5 6 7 8 9 struct server{ int total, *cur_max, typ;} *srv; int connect_limit = MAXCONN; int *size, *type; char buf[MAXLEN]; size = &buf[10]; type = &buf[14] ... while(connect_limit--) { readData(sockfd, buf); // stack bof if(*type == NONE ) break; if(*type == STREAM) // condition *size = *(srv->cur_max); // dereference else{ srv->typ = *type; // assignment srv->total += *size; // addition } ... (handling) ... } 10 11 12 12 13 13 14 Code 1: Vulnerable code with data-oriented gadgets 47

  48. Target Code2: A function increments the integer field of a linked-list by a given value. It can be simulated by chaining data-oriented gadgets in Code 1. struct node { node int var; node *next; var node+4 } *list; next *node var *(node+4) next 48

  49. DOP Example type &STREAM size &list srv &list type &list size &addend srv &srv - 8 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. } while(connect_limit--) { readData(sockfd, buf); if(*type == NONE ) break; if(*type == STREAM) *size = *(srv->cur_max); list = list->next; else { srv->typ = *type; srv->total += *size; } 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. } while(connect_limit--) { readData(sockfd, buf); if(*type == NONE ) if(list == NULL) break; break; if(*type == STREAM) *size = *(srv->cur_max); else { srv->typ = *type; srv = list; srv->total += *size; list->var += addend; } 49

  50. DOP Example 1 2 3 4 5 struct node {int var; node *next;} void updateList(struct node *list, int addend) { for(; list != NULL; list = list->next) list->var += addend } 50

Related


Software Security Principles and Practices: Enhancing Program Code Security

Software Security Principles and Practices: Enhancing Program Code Security

abcde
Understanding Security Threats and Vulnerabilities in Computer Systems

Understanding Security Threats and Vulnerabilities in Computer Systems

nathanlo
Understanding Computer Security Threats and Vulnerabilities

Understanding Computer Security Threats and Vulnerabilities

malmstrom_t
Understanding Network Security Vulnerabilities and Attacks

Understanding Network Security Vulnerabilities and Attacks

leyo_5
Basic Web Security Model for Secure Electronic Commerce

Basic Web Security Model for Secure Electronic Commerce

ezikiel
Understanding the Importance of OWASP Dependency-Check Project

Understanding the Importance of OWASP Dependency-Check Project

gwilk
Understanding Spectre and Meltdown Security Flaws

Understanding Spectre and Meltdown Security Flaws

maniyah
Practical Computer Security Course Overview

Practical Computer Security Course Overview

winkler_m
Understanding Cloud Security Threats and Vulnerabilities

Understanding Cloud Security Threats and Vulnerabilities

mesa_i
Addressing Software Security, Economic, and Liability Issues

Addressing Software Security, Economic, and Liability Issues

langille_a
Overview of Computer Hardware Components and Software Functions

Overview of Computer Hardware Components and Software Functions

ainhoa
Understanding Software Processes and Models

Understanding Software Processes and Models

fatima
Understanding Security Testing and Architecture

Understanding Security Testing and Architecture

nataleaei
Understanding the Essence of Software Development Process

Understanding the Essence of Software Development Process

katiely
Understanding Programming Language Vulnerabilities and ISO/IEC/SC22/WG23

Understanding Programming Language Vulnerabilities and ISO/IEC/SC22/WG23

ely_wi
Server-Side Technologies and Security Vulnerabilities in Mobile Services

Server-Side Technologies and Security Vulnerabilities in Mobile Services

alaysha
Understanding Computer Software and Operating Systems

Understanding Computer Software and Operating Systems

faris
Importance of Security in Web Development

Importance of Security in Web Development

kharmync
Understanding Spectre and Meltdown Security Vulnerabilities

Understanding Spectre and Meltdown Security Vulnerabilities

mcsherry_k
Understanding Web Application Vulnerabilities in Information Warfare

Understanding Web Application Vulnerabilities in Information Warfare

vanvliet_h
Addressing 5G Signaling Protocol Vulnerabilities

Addressing 5G Signaling Protocol Vulnerabilities

lyon
Understanding Cyber Security and Risks

Understanding Cyber Security and Risks

kathryn
Factors Influencing Adoption of Security Tools in Software Development

Factors Influencing Adoption of Security Tools in Software Development

thackery
Understanding Computer Organization and Architecture

Understanding Computer Organization and Architecture

alexei

More Related Content