
CIT 380: Securing Computer Systems - PowerPoint PPT Presentation



CIT 380: Securing Computer Systems. Software Security. Topics. Why Software? Vulnerability Databases Buffer Overflows Integer Overflows Attack Techniques Metasploit. The Problem is Software.

PowerPoint Slideshow about 'CIT 380: Securing Computer Systems' - Jimmy



CIT 380: Securing Computer Systems

Software Security

Topics

  • Why Software?

  • Vulnerability Databases

  • Buffer Overflows

  • Integer Overflows

  • Attack Techniques

  • Metasploit

The Problem is Software

“Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.”

John Viega & Gary McGraw

Why is Software Security poor?

  • Security is seen as something that gets in the way of software functionality.

  • Security is difficult to assess and quantify.

  • Security is often not a primary skill or interest of software developers.

  • Time spent on security is time not spent on adding new and interesting functionality.

The Trinity of Trouble

  • Complexity

    • Continually increasing.

    • Windows 3.1 (3 MLOC) to Windows XP (40 MLOC)

  • Extensibility

    • Plugins.

    • Mobile code.

  • Connectivity

    • Network access.

    • Wireless networking.

Software Complexity

5-50 bugs per kloc [8]

  • 5/kloc: rigorous quality assurance testing (QA)

  • 50/kloc: typical feature testing

Vulnerabilities

  • Vulnerability: A defect in software that allows security policy to be violated.

    • Confidentiality

    • Integrity

    • Availability

  • Exploit: A program that exercises a vulnerability.

Vulnerability Databases

  • Collect vulnerability reports.

    • Vendors maintain databases with patches for their own software.

    • Security firms maintain databases of vulnerabilities that they’ve discovered.

  • Well known vulnerability databases

    • CERT

    • CVE

    • NVD

    • OSVDB

Why Vulnerability Databases?

  • Know about vulnerabilities in software that you have deployed so you can mitigate them.

  • Learn about vulnerability trends. If a JPG library bug is discovered, does the same type of bug exist in GIF or PNG libraries?

  • Learn about security problems to prevent when you’re programming.

CVE: Common Vulnerabilities and Exposures

  • Problem: Different researchers and vendors call vulnerabilities by different names.

  • Solution: CVE, a dictionary that provides

    • A common public name for each vulnerability.

    • A common standardized description.

    • Allows different tools / databases to interoperate.

CVE-2002-1185

Name: CVE-2002-1185

Status: Entry

Description: Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure."

References

  • VULNWATCH:20021211 PNG Deflate Heap Corruption Vulnerability

  • BUGTRAQ:20021212 PNG Deflate Heap Corruption Vulnerability

  • EEYE:AD20021211

  • MS:MS02-066

  • XF:ie-png-bo(10662)

  • BID:6216

  • OVAL:oval:org.mitre.oval:def:393

NVD: National Vulnerability DB

Collects all publicly available government vulnerability resources.

  • HTML and XML output at http://nvd.nist.gov/

  • Uses CVE naming scheme.

  • Links to industry and govt reports.

  • Provides CVSS severity numbers.

  • Links to OVAL repository.

Buffer Overflows

A program accepts too much input and stores it in a fixed length buffer that’s too small.

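    char A[8];    /* fixed-length buffer: 8 bytes */
    short B;      /* another local variable, declared next to A */
    gets(A);      /* no length limit: longer input is written past the end of A */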
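
A bounded replacement for the gets(A) call above, shown as an added example that is not part of the original slides. The helper name read_line and its return codes are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the slides): read one line into dst, which
 * holds cap bytes. Returns 0 on success, -1 on EOF or error, and -2 if the
 * line was longer than the buffer (the excess is discarded, never stored). */
int read_line(FILE *in, char *dst, size_t cap)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';          /* the complete line fit in the buffer */
        return 0;
    }
    /* No newline stored: the line ended at EOF or it was cut short. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;              /* drain the rest of the over-long line */
    return truncated ? -2 : 0;
}

int main(void)
{
    char A[8];                      /* same 8-byte buffer as on the slide */
    int rc = read_line(stdin, A, sizeof A);
    if (rc == -2)
        fprintf(stderr, "input too long, rejected\n");
    else if (rc == 0)
        printf("read: %s\n", A);
    return rc == 0 ? 0 : 1;
}
```

Because fgets is told the buffer size, at most 7 characters plus the terminator are ever written to A, whatever the input length.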

The Stack

  • Stack is LIFO.

  • Every function call allocates a stack frame.

  • Return address is address where function was called from and will return to.

Stack frame, top to bottom (writes go up):

    Function Arguments
    Return Address
    Buffer 1 (Local Variable 1)
    Buffer 2 (Local Variable 2)

Smashing the Stack

  • Program accepts input into local variable 1.

  • Attacker sends too much data for buffer, overwriting the return address.

  • Attacker data contains machine code for shell.

  • Return address overwritten with address of machine code.

  • When function returns, attacker’s code is executed.

Stack frame after the overflow, top to bottom (writes go up):

    Function Arguments
    Pointer to machine code.
    Machine code: exec(/bin/bash)
    Buffer 2 (Local Variable 2)

NOP Slide

  • Attacker includes NOPs in front of executable code in case address isn’t precise.

  • If pointer points at NOPs, execution will continue to machine code.

  • IDS attempt to detect buffer overflows by looking for long strings of NOPs (0x90).

Stack frame with NOP slide, top to bottom (writes go up):

    Function Arguments
    Pointer to machine code.
    NOP
    NOP
    NOP
    Machine code: exec(/bin/bash)
    Buffer 2 (Local Variable 2)
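
The IDS check described on this slide, as an added example that is not part of the original slides: scan a buffer for the longest run of 0x90 bytes and alert above a threshold. The function names, the threshold of 16 and both sample inputs are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define NOP 0x90u   /* the single-byte NOP value named on the slide */

/* Find the longest run of NOP bytes in buf. Stores its start offset in
 * *start (if non-NULL) and returns its length (0 if there is none). */
size_t longest_nop_run(const unsigned char *buf, size_t len, size_t *start)
{
    size_t best = 0, best_at = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == NOP) {
            if (++run > best) { best = run; best_at = i + 1 - run; }
        } else {
            run = 0;
        }
    }
    if (start) *start = best_at;
    return best;
}

/* Signature check: alert when a run reaches min_run bytes. The threshold is
 * an assumed tuning value; 0x90 also occurs in ordinary binary data. */
int nop_alert(const unsigned char *buf, size_t len, size_t min_run)
{
    return min_run > 0 && longest_nop_run(buf, len, NULL) >= min_run;
}

/* Constructed sample inputs (not captured traffic). */
static const unsigned char benign[] = "GET /index.html HTTP/1.0\r\n\r\n";

size_t build_suspicious(unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (const char *p = "DATA "; *p && n < cap; p++) out[n++] = (unsigned char)*p;
    for (int i = 0; i < 32 && n < cap; i++) out[n++] = NOP;
    for (int i = 0; i < 4 && n < cap; i++) out[n++] = 0xCC;  /* placeholder bytes, not a payload */
    return n;
}

int main(void)
{
    unsigned char pkt[64];
    size_t at, n = build_suspicious(pkt, sizeof pkt);
    size_t run = longest_nop_run(pkt, n, &at);
    printf("suspicious: run of %zu at offset %zu, alert=%d\n", run, at, nop_alert(pkt, n, 16));
    printf("benign: alert=%d\n", nop_alert(benign, sizeof benign - 1, 16));
    return 0;
}
```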

Integer Overflow

An integer overflow is when integer operations produce a value that exceeds the computer’s maximum integer value, causing the value to “wrap around” to a negative value or zero.

32-bit Integer Quiz

  1. What two non-zero integers x and y satisfy the equation x * y = 0?

  2. What negative integer (-x) has no corresponding positive integer (x)?

  3. List two integers x and y, such that x + y < 0.

Quiz Answers

  1. 65536 * 65536 = 0

    or 256 * 16777256 = 0

    or any x * y = 2^32

  2. -2147483648

  3. 2147483647 + 1 = -2147483648
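
The 32-bit wraparound behind these answers, next to checked arithmetic that refuses to wrap, as an added example that is not part of the original slides. All function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit wraparound computed in unsigned arithmetic, because signed overflow
 * is undefined behaviour in C. Converting the result back to int32_t gives
 * the two's-complement value on mainstream compilers. */
int32_t wrap_mul32(int32_t x, int32_t y) { return (int32_t)((uint32_t)x * (uint32_t)y); }
int32_t wrap_add32(int32_t x, int32_t y) { return (int32_t)((uint32_t)x + (uint32_t)y); }
int32_t wrap_neg32(int32_t x)            { return (int32_t)(0u - (uint32_t)x); }

/* Checked addition: returns 1 and stores the sum only if it fits in 32 bits. */
int checked_add32(int32_t x, int32_t y, int32_t *out)
{
    if ((y > 0 && x > INT32_MAX - y) || (y < 0 && x < INT32_MIN - y))
        return 0;
    *out = x + y;
    return 1;
}

/* Checked multiplication: the product is exact in 64 bits, so test it there. */
int checked_mul32(int32_t x, int32_t y, int32_t *out)
{
    int64_t wide = (int64_t)x * (int64_t)y;
    if (wide > INT32_MAX || wide < INT32_MIN)
        return 0;
    *out = (int32_t)wide;
    return 1;
}

int main(void)
{
    int32_t r = 0;
    printf("65536 * 65536     -> %d\n", (int)wrap_mul32(65536, 65536));
    printf("-(-2147483648)    -> %d\n", (int)wrap_neg32(INT32_MIN));
    printf("2147483647 + 1    -> %d\n", (int)wrap_add32(INT32_MAX, 1));
    printf("checked add fits? -> %d\n", checked_add32(INT32_MAX, 1, &r));
    printf("checked mul fits? -> %d\n", checked_mul32(65536, 65536, &r));
    return 0;
}
```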

Are Integer Overflows Important?

Broward County November 2004 election

  • Amendment 4 vote was reported as tied.

  • Software from ES&S Systems reported a large negative number of votes.

  • Discovery revealed that Amendment 4 had passed by a margin of over 60,000 votes.

Fuzz Testing

Black-box input based testing technique.

  • Uses random data.

  • Easily automated.

  • If application crashes or hangs, it fails.

    Results of 1995 study [9].

  • 15-43% of utilities from commercial UNIX systems failed.

  • 9% of Linux utilities failed.

  • 6% of GNU utilities failed.

  • 50% of X-Windows utilities failed.
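
A small fuzz harness following the rules on this slide (random input, automated, a crash or hang counts as a failure), as an added example that is not part of the original slides. The target parse_record, its two planted defects, the one-second timeout and the seed are all constructed for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict { PASS, CRASH, HANG, HARNESS_ERROR };
typedef void (*target_fn)(const unsigned char *, size_t);

/* Constructed target with two planted defects (assumptions for this demo):
 * a first byte of 0x80 or more aborts, a first byte of zero never returns. */
void parse_record(const unsigned char *d, size_t n)
{
    if (n == 0) return;
    if (d[0] >= 0x80) abort();        /* stands in for a memory-safety crash */
    while (d[0] == 0) pause();        /* stands in for a hang */
}

/* Run one input in a child process so a crash or hang cannot take the
 * fuzzer down with it; alarm(1) turns a hang into death by SIGALRM. */
enum verdict run_case(target_fn f, const unsigned char *d, size_t n)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return HARNESS_ERROR;
    if (pid == 0) { alarm(1); f(d, n); _exit(0); }
    if (waitpid(pid, &status, 0) < 0) return HARNESS_ERROR;
    if (!WIFSIGNALED(status)) return PASS;
    return WTERMSIG(status) == SIGALRM ? HANG : CRASH;
}

/* Feed `cases` random 32-byte inputs to the target and count failures. The
 * xorshift generator is seeded so a failing run can be reproduced. */
unsigned fuzz(target_fn f, uint32_t seed, unsigned cases)
{
    unsigned char buf[32];
    unsigned failures = 0;
    for (unsigned c = 0; c < cases; c++) {
        for (size_t i = 0; i < sizeof buf; i++) {
            seed ^= seed << 13; seed ^= seed >> 17; seed ^= seed << 5;
            buf[i] = (unsigned char)(seed >> 24);
        }
        if (run_case(f, buf, sizeof buf) != PASS) failures++;
    }
    return failures;
}

int main(void) { return fuzz(parse_record, 2463534242u, 40) > 0 ? 0 : 1; }
```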

Metasploit

Modular exploit system

  • Exploit collection: over 100 exploits.

  • Payloads: machine code to run

  • Command line and web interfaces.

    Payloads

  • Bind shell: opens shell backdoor on port.

  • Reverse shell: send shell back to attacker.

  • Windows VNC: remote desktop access.

  • Create user: add new administrative user.

Metasploit

  • http://www.metasploit.com/

Using Metasploit

  • Select an exploit

    use exploit_name

  • Enter the target

    set RHOST ip_address_of_target

  • Select the payload

    set payload payload_name

    set LHOST ip_address_of_your_host

  • Run

    exploit

Advantages of Metasploit

  • Ease of use

    • One interface to many exploits.

  • Flexibility

    • Can choose whatever payload you need.

  • Faster development time

    • Payloads already written.

  • Reliability

    • Framework and payloads are well tested.

Uses of Metasploit

  • Vulnerability verification

    • Scanners report possible vulnerabilities.

    • Metasploit will give you remote access.

  • IDS/IPS testing

    • Test IDS/IPS with real exploit code.

  • Penetration testing

    • Easy to develop custom exploits for pen testing.

  • Convincing management

    • Remote access is more convincing than a report.

References

  • Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.

  • Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.

  • Mark Graff and Kenneth van Wyk, Secure Coding: Principles & Practices, O’Reilly, 2003.

  • Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison-Wesley, 2004.

  • Michael Howard, David LeBlanc, and John Viega, 19 Deadly Sins of Software Security, McGraw-Hill Osborne, 2005.

  • Michael Howard, David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003.

  • Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006.

  • Gary McGraw, Software Security, Addison-Wesley, 2006.

  • John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002.

  • David Wheeler, Secure Programming for UNIX and Linux HOWTO, http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html, 2003.
