Information Security
MALWARE / SOFTWARE FLAWS
Supervising lecturer (GVHD): Trần Thị Quế Nguyệt
Trần Phú 50701818, Nguyễn Vũ Anh Minh 50701475
Bad software
The NASA Mars Lander, which cost $165 million, crashed into Mars due to a software error in converting between English and metric units of measure.
The Denver airport baggage handling system. Bugs in this software delayed the airport opening by 11 months at a cost of about $1 million per day.
Let’s estimate !!!
The number of bugs in software at 5 per 1,000 lines of code (LOC).
Each executable file contains, perhaps, 10,000 LOC.
=> So we get about 50 bugs.
A typical computer might have 3,000 executable files, on average.
=> There are about 150,000 bugs for a single computer.
To be continued . . . A medium-sized corporate network with 30,000 nodes.
And we get about 4.5 billion bugs in the network.
But don’t worry . . .
Now suppose that only 10% of these bugs are security critical and that only 10% of these security-critical bugs are remotely exploitable.
CONCLUSION:
there are “only” 45 million serious security flaws due to bad software in this network!
SOFTWARE FLAWS
1. Buffer overflow
2. Incomplete mediation
3. Race conditions
Buffer overflow
Definition:
In computer programming, a buffer overflow is an anomalous condition where a program somehow writes data beyond the allocated end of a buffer in memory. Buffer overflows usually arise as a consequence of a bug, and they are also a commonly exploited computer security risk.
Buffer overflow
The 1st level “Stack smashing attacks”
Overflowing data will cause a computer to crash.
Trudy could take advantage of this to launch a denial of service (DoS) attack.
Buffer overflow
The 2nd level
The authentication decision resides in a single bit. If a buffer overflow overwrites this authentication bit, then Trudy can authenticate herself as, say, Alice.
Buffer overflow
The 3rd level
* The text section is for code.
* The data section holds static variables.
* The heap is for dynamic data.
* The stack can be viewed as “scratch paper” for the processor. For example, dynamic local variables, parameters to functions, and the return address of a function call are all stored on the stack.
* The stack pointer, or SP, indicates the top of the stack.
Buffer overflow
The 3rd level

    void func(int a, int b) {
        char buffer[10];    /* local variable: lives on the stack, close to the saved return address */
    }

    int main(void) {
        func(1, 2);         /* in the slide's model, the arguments a and b are also placed on the stack */
        return 0;
    }
Buffer overflow
The 4th level
* First, she may not know the precise address of the evil code she has inserted.
* Second, she may not know the precise location of the return address on the stack.
Stack smashing prevention
Three popular approaches:
- Eliminate all buffer overflows from software.
- Detect buffer overflows as they occur and respond accordingly.
- Do not allow code to execute on the stack.
In this section, we’ll briefly discuss each of these options.
Stack smashing prevention
1. Eliminate all buffer overflows from software.
* Using “safe” programming languages such as Java or C# will eliminate most buffer overflows at the source.
Stack smashing prevention
2. Runtime stack checking.
* A specific value, for example the constant 0x000aff0d, is written onto the stack and checked before the function returns; this value is called a “canary”.
* Microsoft recently added a canary feature to its C++ compiler. Any program compiled with the /GS compiler flag uses a canary (also called a “security cookie”) in order to detect a buffer overflow.
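The following is an added example, not code from the slides, covering both the stack layout of the func() example above and the canary check described here. It models the frame of func() as a struct so that the overwrite of the return address and the canary comparison are deterministic (writing past a real local array is undefined behaviour). The value 0x000aff0d is the canary constant named on the slide; the frame layout, the saved values 0x11111111 and 0x40001234, and the function names are constructed for illustration.

```c
/* Added example (not from the slides): a simulated stack frame for func(),
 * laid out as a plain struct so the overflow and the canary check are
 * deterministic and portable. The element order matches a real frame
 * (buffer, then canary, then saved frame pointer, then return address). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10             /* char buffer[10] from the func() example */
#define CANARY   0x000aff0dUL   /* the canary constant quoted on the slide */

struct frame {
    char     buffer[BUF_SIZE];  /* local variable, lowest address */
    uint32_t canary;            /* runtime stack check: sits between locals and control data */
    uint32_t saved_fp;          /* saved frame pointer */
    uint32_t ret_addr;          /* return address: what stack smashing aims at */
};

/* Constructed, non-real values so a clobbered frame is easy to recognise. */
#define ORIGINAL_FP  0x11111111u
#define ORIGINAL_RET 0x40001234u

static void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->canary   = (uint32_t)CANARY;
    f->saved_fp = ORIGINAL_FP;
    f->ret_addr = ORIGINAL_RET;
}

/* Unchecked copy: behaves like strcpy() into buffer, which keeps writing past
 * the 10 bytes. (Clamped to the frame only so the simulation stays defined.) */
static void unchecked_copy(struct frame *f, const char *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f + offsetof(struct frame, buffer), src, n);
}

/* Checked copy: the fix at the source, refuse anything that does not fit. */
static int checked_copy(struct frame *f, const char *src, size_t n) {
    if (n > BUF_SIZE) return -1;
    memcpy(f->buffer, src, n);
    return 0;
}

/* What the compiler-inserted epilogue check does before returning. */
static int canary_intact(const struct frame *f) {
    return f->canary == (uint32_t)CANARY;
}

/* Feed n bytes of 'A' into a fresh frame through the unchecked copy. */
static void overflow_with(struct frame *f, size_t n) {
    char input[sizeof *f];
    memset(input, 'A', sizeof input);
    frame_init(f);
    unchecked_copy(f, input, n);
}

/* 1 if an unchecked copy of n bytes reached the return address. */
int unchecked_clobbers_ret(size_t n) {
    struct frame f;
    overflow_with(&f, n);
    return f.ret_addr != ORIGINAL_RET;
}

/* 1 if the canary check would catch an unchecked copy of n bytes. */
int canary_detects(size_t n) {
    struct frame f;
    overflow_with(&f, n);
    return !canary_intact(&f);
}

/* Result of the bounded copy for n bytes: 0 accepted, -1 rejected. */
int checked_copy_result(size_t n) {
    struct frame f;
    char input[64];
    memset(input, 'A', sizeof input);
    frame_init(&f);
    if (n > sizeof input) n = sizeof input;
    return checked_copy(&f, input, n);
}

int main(void) {
    size_t n = sizeof(struct frame);
    printf("copy %zu bytes: ret clobbered=%d, canary detects=%d\n",
           n, unchecked_clobbers_ret(n), canary_detects(n));
    printf("copy 9 bytes:  ret clobbered=%d, canary detects=%d\n",
           unchecked_clobbers_ret(9), canary_detects(9));
    printf("checked copy of 64 bytes: %d\n", checked_copy_result(64));
    return 0;
}
```

The canary is noticed before the return address is reached: an overflow that only spills into the canary is detected, and any overflow long enough to reach ret_addr has necessarily passed through the canary first. The /GS security cookie works on the same principle.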
Stack smashing prevention
3. Make the stack non-executable.
* Some hardware (and many operating systems) support the “no execute” or NX bit.
* “Return to libc” – see J. Koziol et al., The Shellcoder’s Handbook, Wiley, 2004, page 35.
http://www.mediafire.com/?w4gv972a38et59y
Incomplete Mediation
Example:
http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=205
AND
http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=25
In the second URL the customer has changed total from 205 to 25; if the server trusts the value submitted by the client instead of recomputing qty × price + shipping = 20 × 10 + 5 = 205, the order goes through at the lower price.
- Recent research has revealed numerous buffer overflows in the Linux kernel, and most of these are due to incomplete mediation.
- There are tools available to help find likely cases of incomplete mediation.
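An added example (not from the slides) of what complete mediation looks like on the server for the URLs above: the handler parses qty, price and shipping itself, recomputes the total and rejects an order whose client-supplied total disagrees. The two URLs are the slide's; the function names and the plausibility limit of 1,000,000 per field are assumptions made here.

```c
/* Added example (not from the slides): server-side validation ("complete
 * mediation") of the order parameters. Instead of trusting the client-supplied
 * total, the server recomputes qty*price+shipping and rejects any mismatch. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two URLs from the slide, as constants so they can be checked below. */
const char *const ORDER_URL_OK =
    "http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=205";
const char *const ORDER_URL_TAMPERED =
    "http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=25";

/* Find "key=" at a parameter boundary and parse its value as a non-negative
 * integer. Returns 0 on success, -1 if the key is missing or the value is not a
 * clean decimal number (so "20abc", "-5" or an empty value are rejected too). */
static int get_long_param(const char *url, const char *key, long *out) {
    size_t klen = strlen(key);
    const char *p = url;
    while ((p = strstr(p, key)) != NULL) {
        int at_boundary = (p == url) || p[-1] == '&' || p[-1] == '?';
        if (at_boundary && p[klen] == '=') {
            const char *val = p + klen + 1;
            char *end;
            errno = 0;
            long v = strtol(val, &end, 10);
            if (errno != 0 || end == val || (*end != '\0' && *end != '&') || v < 0)
                return -1;
            *out = v;
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* Recompute the total from the order fields. Returns -1 if any field is
 * missing or malformed, or implausibly large (assumed limit, guards the
 * multiplication against overflow). */
long recompute_total(const char *url) {
    long qty, price, shipping;
    if (get_long_param(url, "qty", &qty) != 0 ||
        get_long_param(url, "price", &price) != 0 ||
        get_long_param(url, "shipping", &shipping) != 0)
        return -1;
    if (qty > 1000000L || price > 1000000L || shipping > 1000000L)
        return -1;
    return qty * price + shipping;
}

/* 1 if the client's total matches the server's recomputation, else 0.
 * In a real shop the price would come from the server's catalogue rather than
 * the request; the slide's example only varies the total, so that is what is
 * checked here. */
int validate_order(const char *url) {
    long client_total;
    long expected = recompute_total(url);
    if (expected < 0 || get_long_param(url, "total", &client_total) != 0)
        return 0;
    return client_total == expected;
}

int main(void) {
    printf("original order: recomputed total=%ld, valid=%d\n",
           recompute_total(ORDER_URL_OK), validate_order(ORDER_URL_OK));
    printf("tampered order: recomputed total=%ld, valid=%d\n",
           recompute_total(ORDER_URL_TAMPERED), validate_order(ORDER_URL_TAMPERED));
    return 0;
}
```

The parser insists that a key starts at a parameter boundary and that the value ends cleanly, which is the other half of complete mediation: every field that influences the decision is checked, not just the one the example happens to tamper with.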
Race conditions
(Electronics + Computing)
1. File systems
2. Networking
3. Life-critical systems
Race conditions were among the flaws in the Therac-25 radiation therapy machine, which led to the death of three patients and injuries to several more.
The Energy Management System provided by GE Energy and used by Ohio-based FirstEnergy Corp.
4. Computer security: TOCTTOU (time-of-check to time-of-use)
Race conditions (TOCTTOU)
    /* Victim (a privileged program): check whether the real user may write "file" */
    if (access("file", W_OK) != 0) {
        exit(1);
    }

    /* Attacker, after the access check and before the open: make "file" a
       symbolic link to the password database */
    symlink("/etc/passwd", "file");

    /* Victim: open() now follows the link, so this actually writes over /etc/passwd */
    fd = open("file", O_WRONLY);
    write(fd, buffer, sizeof(buffer));
Race conditions (TOCTTOU)
- Race conditions are probably fairly common.
- But attacks based on race conditions require careful timing, which makes them much more difficult to exploit than buffer overflows.
- In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTTOU race conditions.
Race conditions (Prevention)

    /* Check by file name, then use by file name: the window between the two
       calls is where the attack happens */
    if (access("file", W_OK) != 0) {
        exit(1);
    }
    fd = open("file", O_WRONLY);
    write(fd, buffer, sizeof(buffer));

VS

    /* Open first, then check the object that was actually opened, through its
       descriptor. accessat() is the slide's shorthand for such an fd-based check;
       it is not a standard library call (real code uses fstat() on fd). */
    fd = open("file", O_WRONLY);
    if (accessat(fd, W_OK) != 0) {
        exit(1);
    }
    write(fd, buffer, sizeof(buffer));

File handles VS file names
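The "file handles vs. file names" idea with real POSIX calls, as an added example that is not from the slides: write_by_name() is the vulnerable check-then-use pattern, write_by_handle() opens first and then decides based on the descriptor it actually holds (O_NOFOLLOW and fstat() are the real calls standing in for the slide's accessat()). run_toctou_demo() builds a scratch directory with a regular file and a symlink to it (constructed test data, written only under /tmp) and checks how each version behaves; the function names and the return codes are assumptions made here.

```c
/* Added example (not from the slides): the "file handles vs. file names" fix
 * with real POSIX calls. Linux/POSIX only. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: access() and open() each resolve the name separately, so the
 * name can be repointed (e.g. by symlink()) in between. Returns 0 or -1. */
int write_by_name(const char *path, const void *buf, size_t n) {
    if (access(path, W_OK) != 0)
        return -1;
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, buf, n);
    close(fd);
    return (w == (ssize_t)n) ? 0 : -1;
}

/* Fixed: open once, then make every decision about the object behind fd.
 * O_NOFOLLOW makes open() fail (ELOOP) if the final component is a symlink;
 * fstat() reports on the opened object, not on whatever the name means now. */
int write_by_handle(const char *path, const void *buf, size_t n) {
    int fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    ssize_t w = write(fd, buf, n);
    close(fd);
    return (w == (ssize_t)n) ? 0 : -1;
}

/* Returns 0 when the handle-based version accepts the regular file, refuses
 * the symlink, and the name-based version follows the symlink. A non-zero
 * value identifies the step that did not behave as expected. */
int run_toctou_demo(void) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";   /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return 1;
    char target[64], link[64];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/file", dir);
    const char msg[] = "constructed sample payload\n";
    size_t n = sizeof msg - 1;
    int rc = 0;

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) rc = 2; else close(fd);
    /* "file" -> target plays the role of the slide's symlink("/etc/passwd", "file") */
    if (rc == 0 && symlink(target, link) != 0) rc = 3;
    if (rc == 0 && write_by_handle(target, msg, n) != 0) rc = 4;  /* regular file: accepted */
    if (rc == 0 && write_by_handle(link, msg, n) != -1)  rc = 5;  /* symlink: refused */
    if (rc == 0 && write_by_name(link, msg, n) != 0)     rc = 6;  /* name-based: follows the link */

    unlink(link);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void) {
    int rc = run_toctou_demo();
    printf("toctou demo: %s (code %d)\n",
           rc == 0 ? "handle-based check holds" : "unexpected result", rc);
    return rc;
}
```

Checking st_uid against getuid() after the open is what replaces the access() call: the decision is made about the object the descriptor refers to, so nothing an attacker does to the name afterwards can change which file is written.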
MALWARE
AGENDA
1. Malware
2. Future of Malware
3. Example
4. Attack
5. Malware Detection
Malware
Example of malware
1. Brain
2. Morris Worm
3. Code Red
4. SQL Slammer
5. Trojan
Brain
Morris Worm
(Photo: disk containing the source code for the Morris Worm, held at the Boston Museum of Science)
• First Internet worm
• Written by Robert Tappan Morris – Cornell University
• Nov 2, 1988
• What can it do?
• Effects
Code Red
• Jul 13, 2001
• Microsoft IIS Server
• Action depends on the day of the month
SQL Slammer
• A computer worm that caused DDoS
• Burned out the available bandwidth on the Internet
• Affected systems
Trojan
Malware Detection
• Signature Detection
• Change Detection
• Anomaly Detection
Future of Malware
• Polymorphic
• Metamorphic
Miscellaneous software-based attacks
• Salami attacks
• Linearization attacks
• Time bombs
• Trusting software