CIT 380: Securing Computer Systems

Software Security

Topics
  • Why Software?
  • Vulnerability Databases
  • Buffer Overflows
  • Integer Overflows
  • Attack Techniques
  • Metasploit

The Problem is Software

“Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.”

John Viega & Gary McGraw

Why is Software Security poor?
  • Security is seen as something that gets in the way of software functionality.
  • Security is difficult to assess and quantify.
  • Security is often not a primary skill or interest of software developers.
  • Time spent on security is time not spent on adding new and interesting functionality.

The Trinity of Trouble
  • Complexity
    • Continually increasing.
    • Windows 3.1 (3 MLOC) to Windows XP (40 MLOC).
  • Extensibility
    • Plugins.
    • Mobile code.
  • Connectivity
    • Network access.
    • Wireless networking.

Software Complexity

5 to 50 bugs per KLOC (thousand lines of code):

  • 5/KLOC: rigorous quality assurance (QA) testing.
  • 50/KLOC: typical feature testing only.

Vulnerabilities
  • Vulnerability: A defect in software that allows security policy to be violated.
    • Confidentiality
    • Integrity
    • Availability
  • Exploit: A program that exercises a vulnerability.

Vulnerability Databases
  • Collect vulnerability reports.
    • Vendors maintain databases with patches for their own software.
    • Security firms maintain databases of vulnerabilities that they’ve discovered.
  • Well known vulnerability databases
    • CERT
    • CVE
    • NVD
    • OSVDB (closed in 2016)

Why Vulnerability Databases?
  • Know about vulnerabilities to software that you have deployed so you can mitigate them.
  • Learn about vulnerability trends. If a JPG library bug is discovered, does the same type of bug exist in GIF or PNG libraries?
  • Learn about security problems to prevent when you’re programming.

CVE: Common Vulnerabilities and Exposures
  • Problem: Different researchers and vendors call vulnerabilities by different names.
  • Solution: CVE, a dictionary that provides
    • A common public name for each vulnerability.
    • A common standardized description.
    • Allows different tools / databases to interoperate.

CVE-2002-1185

Name: CVE-2002-1185

Status: Entry

Description: Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure."

References

  • VULNWATCH:20021211 PNG Deflate Heap Corruption Vulnerability
  • BUGTRAQ:20021212 PNG Deflate Heap Corruption Vulnerability
  • EEYE:AD20021211
  • MS:MS02-066
  • XF:ie-png-bo(10662)
  • BID:6216
  • OVAL:oval:org.mitre.oval:def:393

NVD: National Vulnerability DB

Collects all publicly available government vulnerability resources.

  • HTML and XML output at http://nvd.nist.gov/
  • Uses CVE naming scheme.
  • Links to industry and govt reports.
  • Provides CVSS severity numbers.
  • Links to OVAL repository.

Buffer Overflows

A program accepts too much input and stores it in a fixed length buffer that’s too small.

    char A[8];
    short B;
    gets(A);   /* no length limit: input longer than 7 characters plus the terminating NUL
                  overruns A into B and whatever lies beyond it. gets() was removed from the
                  C standard in C11 for exactly this reason. */
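The slide's two locals, carried through as an added example (not code from the slides): the unbounded copy that gets() performs is reproduced with memcpy over a struct so that A and B are guaranteed adjacent and the clobbering of B is deterministic, and a bounded read is shown beside it. The struct layout, the ten-byte input and the hypothetical function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The slide's two locals, placed in one struct so A and B are adjacent and the
   overflow lands in B deterministically. sizeof(struct locals) is 10. */
struct locals {
    char  A[8];
    short B;
};

/* Unbounded copy, the behaviour of gets(): every input byte is written, however
   long the input. len is kept <= sizeof(struct locals) so the demo stays inside
   the struct; a real gets() has no such limit and keeps going into the frame. */
static void read_unbounded(struct locals *l, const uint8_t *input, size_t len)
{
    memcpy(l, input, len);
}

/* Bounded copy: at most sizeof(A) - 1 bytes are stored, the result is always
   NUL-terminated, and the caller is told whether the input was truncated.
   Returns 0 if it fit, -1 if it was truncated. */
static int read_bounded(struct locals *l, const uint8_t *input, size_t len)
{
    size_t n = len < sizeof l->A - 1 ? len : sizeof l->A - 1;
    memcpy(l->A, input, n);
    l->A[n] = '\0';
    return len > sizeof l->A - 1 ? -1 : 0;
}

/* Constructed input: ten bytes of 'A' (0x41). Eight fill A, two land in B.
   Returns B afterwards: 0x4141 == 16705 on either endianness, since both
   overflow bytes are the same. */
short value_of_B_after_overflow(void)
{
    struct locals l;
    uint8_t input[10];
    memset(input, 'A', sizeof input);
    l.B = 7;
    read_unbounded(&l, input, sizeof input);
    return l.B;
}

/* Same input through the bounded read: returns 1 if B survived, A holds the
   seven bytes that fit, and truncation was reported. */
int bounded_copy_preserves_B(void)
{
    struct locals l;
    uint8_t input[10];
    memset(input, 'A', sizeof input);
    l.B = 7;
    int rc = read_bounded(&l, input, sizeof input);
    return rc == -1 && l.B == 7 && strlen(l.A) == 7;
}

int main(void)
{
    printf("B after unbounded copy: 0x%04x\n",
           (unsigned)(unsigned short)value_of_B_after_overflow());
    printf("bounded copy keeps B:   %d\n", bounded_copy_preserves_B());
    return 0;
}
```

On a real stack the bytes beyond B are the saved frame pointer and the return address, which is what the next slides exploit; the bounded version is the shape of the fix (fgets with sizeof, or any API that takes the destination size).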

The Stack
  • Stack is LIFO.
  • Every function call allocates a stack frame.
  • The return address is the address of the instruction after the call; the function jumps back to it when it returns.

Stack frame (higher addresses at the top):

    Function Arguments
    Return Address
    Buffer 1 (Local Variable 1)
    Buffer 2 (Local Variable 2)

Writes into a buffer go up, toward the return address.

Smashing the Stack
  • Program accepts input into local variable 1.
  • Attacker sends more data than the buffer holds, overwriting the return address.
  • Attacker data contains machine code that spawns a shell.
  • Return address is overwritten with the address of that machine code.
  • When the function returns, the attacker's code is executed.

Stack frame after the overflow:

    Function Arguments
    Return Address: pointer to machine code
    Buffer 1: machine code, exec(/bin/bash)
    Buffer 2 (Local Variable 2)

Writes go up.

NOP Slide
  • Attacker includes NOPs in front of the executable code in case the address isn't precise.
  • If the pointer lands anywhere in the NOPs, execution slides forward into the machine code.
  • IDS attempt to detect buffer overflows by looking for long strings of NOPs (0x90 on x86). Attackers evade this with sleds built from other one-byte instructions that have no harmful side effect, so the heuristic is weak on its own.

Stack frame after the overflow:

    Function Arguments
    Return Address: pointer into the NOP sled
    Buffer 1: NOP NOP NOP ... machine code, exec(/bin/bash)
    Buffer 2 (Local Variable 2)

Writes go up.
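The payload layout of the last two slides, and the NOP-counting heuristic this slide attributes to IDS, as an added example (not code from the slides). The buffer size, overflow distance, return address and "machine code" are all constructed: two int3 breakpoint bytes stand in for a real shell-spawning sequence, and the sled byte is a parameter so the evasion mentioned above can be tried (0x41 is the one-byte x86 instruction inc ecx, harmless as filler). Function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90   /* x86 one-byte no-op */

/* Build the layout from the slides into out[]:
 *   [sled][machine code][return address repeated up to the saved return address]
 * buf_size is the overflowed buffer, overflow_len how far past it the saved
 * return address lies. The address is written little-endian (x86). Returns the
 * payload length, or 0 if it does not fit. */
size_t build_payload(uint8_t *out, size_t out_cap,
                     size_t buf_size, size_t overflow_len,
                     const uint8_t *code, size_t code_len,
                     uint32_t ret_addr, uint8_t sled_byte)
{
    size_t total = buf_size + overflow_len;
    if (total > out_cap || code_len > buf_size) return 0;
    size_t sled = buf_size - code_len;     /* all room before the code is sled */
    memset(out, sled_byte, total);
    memcpy(out + sled, code, code_len);
    for (size_t i = sled + code_len; i + 4 <= total; i += 4) {
        out[i]     = (uint8_t)(ret_addr);
        out[i + 1] = (uint8_t)(ret_addr >> 8);
        out[i + 2] = (uint8_t)(ret_addr >> 16);
        out[i + 3] = (uint8_t)(ret_addr >> 24);
    }
    return total;
}

/* The IDS heuristic from the slide: longest run of 0x90 bytes in the data. */
size_t longest_nop_run(const uint8_t *data, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = data[i] == NOP ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

int looks_like_nop_sled(const uint8_t *data, size_t len, size_t threshold)
{
    return longest_nop_run(data, len) >= threshold;
}

/* Constructed demo parameters: a 64-byte buffer, 12 bytes beyond it to the
   saved return address, placeholder code and an assumed sled address. */
enum { DEMO_BUF = 64, DEMO_OVERFLOW = 12 };
static const uint8_t  DEMO_CODE[2] = { 0xCC, 0xCC };   /* int3, int3: stand-in */
static const uint32_t DEMO_RET     = 0xbffff6c0u;

size_t demo_payload(uint8_t *out, size_t cap, uint8_t sled_byte)
{
    return build_payload(out, cap, DEMO_BUF, DEMO_OVERFLOW,
                         DEMO_CODE, sizeof DEMO_CODE, DEMO_RET, sled_byte);
}

/* What the heuristic sees for a given sled byte. */
size_t demo_longest_nop_run(uint8_t sled_byte)
{
    uint8_t p[128];
    return longest_nop_run(p, demo_payload(p, sizeof p, sled_byte));
}

int demo_flagged(uint8_t sled_byte, size_t threshold)
{
    uint8_t p[128];
    return looks_like_nop_sled(p, demo_payload(p, sizeof p, sled_byte), threshold);
}

/* Byte at offset i of the demo payload, or -1 past the end, to inspect layout. */
int demo_payload_byte(uint8_t sled_byte, size_t i)
{
    uint8_t p[128];
    size_t n = demo_payload(p, sizeof p, sled_byte);
    return i < n ? p[i] : -1;
}

int main(void)
{
    printf("0x90 sled: longest NOP run %zu, flagged at 32: %d\n",
           demo_longest_nop_run(0x90), demo_flagged(0x90, 32));
    printf("0x41 sled: longest NOP run %zu, flagged at 32: %d\n",
           demo_longest_nop_run(0x41), demo_flagged(0x41, 32));
    return 0;
}
```

The 0x90 payload has a 62-byte sled and trips a threshold of 32; the 0x41 payload has the same structure and a NOP run of zero, which is why modern detection looks at the exploit's effect (a crash, a new listening socket, an unexpected child shell) rather than at the sled bytes.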

Integer Overflow

An integer overflow occurs when an arithmetic operation produces a value outside the range the integer type can represent (for a signed 32-bit int, -2147483648 to 2147483647). On most hardware the stored result "wraps around" modulo 2^32, so it can come out negative, zero, or smaller than either operand. In C, signed overflow is formally undefined behaviour, which is worse than a wrap: the compiler may assume it never happens and delete checks written after the fact.

32-bit Integer Quiz
  • What two non-zero integers x and y satisfy the equation x * y = 0?
  • What negative integer (-x) has no corresponding positive integer (x)?
  • List two integers x and y, such that x + y < 0.

Quiz Answers
  1. 65536 * 65536 = 0, or 256 * 16777216 = 0, or any x and y with x * y = 2^32 (the product wraps to zero).
  2. -2147483648: its negation, 2147483648, does not fit in 32 bits, so negating it gives -2147483648 again.
  3. 2147483647 + 1 = -2147483648
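The quiz answers worked in code, as an added example (not code from the slides). The wrap-around is computed in unsigned arithmetic, where C defines the result as reduction modulo 2^32, and then reinterpreted as signed; writing the same operations directly on int would be undefined behaviour. Beside each wrapping operation is a checked version of the kind a fix would use, and a size computation of the sort that turns an integer overflow into a buffer overflow. Function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Wrapping 32-bit arithmetic. The unsigned-to-signed conversion of a value
   above INT32_MAX is implementation-defined, and every mainstream compiler
   defines it as two's complement reinterpretation (this example assumes that). */
int32_t wrap_add32(int32_t a, int32_t b) { return (int32_t)((uint32_t)a + (uint32_t)b); }
int32_t wrap_mul32(int32_t a, int32_t b) { return (int32_t)((uint32_t)a * (uint32_t)b); }
int32_t wrap_neg32(int32_t a)            { return (int32_t)(0u - (uint32_t)a); }

/* Checked versions: compute in 64 bits, refuse a result that does not fit.
   Return 1 and store the result on success, 0 on overflow (out untouched). */
int checked_add32(int32_t a, int32_t b, int32_t *out)
{
    int64_t r = (int64_t)a + b;
    if (r < INT32_MIN || r > INT32_MAX) return 0;
    *out = (int32_t)r;
    return 1;
}

int checked_mul32(int32_t a, int32_t b, int32_t *out)
{
    int64_t r = (int64_t)a * b;
    if (r < INT32_MIN || r > INT32_MAX) return 0;
    *out = (int32_t)r;
    return 1;
}

int add_overflows(int32_t a, int32_t b) { int32_t o; return !checked_add32(a, b, &o); }
int mul_overflows(int32_t a, int32_t b) { int32_t o; return !checked_mul32(a, b, &o); }

/* The consequence that matters for memory safety: a size computed from an
   untrusted element count wraps to something small, the allocation succeeds,
   and a later copy of count elements runs off the end of it. */
uint32_t unsafe_alloc_size(uint32_t count, uint32_t elem) { return count * elem; }

/* Safe form: reject the multiplication before it wraps. Returns 1 and stores
   the size if count * elem fits in 32 bits, 0 otherwise. */
int safe_alloc_size(uint32_t count, uint32_t elem, uint32_t *out)
{
    if (elem != 0 && count > UINT32_MAX / elem) return 0;
    *out = count * elem;
    return 1;
}

int alloc_size_overflows(uint32_t count, uint32_t elem)
{
    uint32_t o;
    return !safe_alloc_size(count, elem, &o);
}

int main(void)
{
    printf("65536 * 65536      = %d\n", wrap_mul32(65536, 65536));
    printf("256 * 16777216     = %d\n", wrap_mul32(256, 16777216));
    printf("-(-2147483648)     = %d\n", wrap_neg32(INT32_MIN));
    printf("2147483647 + 1     = %d\n", wrap_add32(INT32_MAX, 1));
    printf("0x40000001 * 4     = %u bytes (count wrapped)\n",
           unsafe_alloc_size(0x40000001u, 4));
    printf("checked mul rejects 65536 * 65536: %d\n", mul_overflows(65536, 65536));
    return 0;
}
```

The unsafe_alloc_size case (a count of 0x40000001 four-byte elements asking for 4 bytes) is the shape of most real integer-overflow vulnerabilities: the arithmetic is an intermediate step, and the damage is done by the code that trusts it.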

Are Integer Overflows Important?

Broward County November 2004 election

  • Amendment 4 vote was reported as tied.
  • Software from ES&S Systems reported a large negative number of votes.
  • Discovery revealed that Amendment 4 had passed by a margin of over 60,000 votes.

Fuzz Testing

Black-box, input-based testing technique.

  • Uses random data.
  • Easily automated.
  • If the application crashes or hangs, it fails.

Results of a 1995 study:

  • 15-43% of utilities from commercial UNIX systems failed.
  • 9% of Linux utilities failed.
  • 6% of GNU utilities failed.
  • 50% of X Window utilities failed.
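A minimal fuzz harness in the spirit of the slide, as an added example (not code from the slides or from the 1995 study): each input is run in a forked child so that a crash or a hang in the target cannot take the harness down, a crash is recognised by the terminating signal and a hang by an alarm. The target, its seed input and its bug (a stride byte that may be zero and makes a loop never terminate) are constructed for the demonstration; the mutation stage tries a fixed set of boundary values at every byte position, which finds the bug deterministically where purely random bytes, as on the slide, would need on average 256 tries. Assumes a POSIX system (fork, waitpid, alarm).

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed target with one bug: the stride byte at in[1] may be 0, and then
   the loop never terminates. The harness neither knows nor cares what is inside. */
static volatile unsigned sink;
static void parse_record(const uint8_t *in, size_t len)
{
    if (len < 3) return;
    volatile uint8_t stride = in[1];   /* volatile keeps the compiler from dropping the loop */
    unsigned sum = 0;
    for (size_t i = 2; i < len; i += stride)
        sum += in[i];
    sink = sum;
}

enum outcome { OUT_OK, OUT_CRASH, OUT_HANG };

/* Run the target on one input in a child process and classify how it ended. */
enum outcome run_one(const uint8_t *in, size_t len)
{
    pid_t pid = fork();
    if (pid < 0) return OUT_CRASH;           /* harness error: count as a failure */
    if (pid == 0) {
        alarm(1);                            /* SIGALRM kills a hung child after 1 s */
        parse_record(in, len);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return OUT_CRASH;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGALRM ? OUT_HANG : OUT_CRASH;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 ? OUT_OK : OUT_CRASH;
}

struct fuzz_result {
    unsigned runs, crashes, hangs;
    uint8_t  first_bad[16];      /* first failing input, kept for reproduction */
    size_t   first_bad_len;
};

/* Constructed seed: record type 3, stride 2, four data bytes. */
static const uint8_t SEED[6] = { 0x03, 0x02, 0x10, 0x20, 0x30, 0x40 };
/* Boundary values the mutator substitutes at every byte position. */
static const uint8_t INTERESTING[5] = { 0x00, 0x01, 0x7f, 0x80, 0xff };

/* Deterministic mutation stage over the seed: 6 positions x 5 values = 30 runs. */
struct fuzz_result fuzz_seed(void)
{
    struct fuzz_result r;
    memset(&r, 0, sizeof r);
    uint8_t buf[sizeof SEED];
    for (size_t pos = 0; pos < sizeof SEED; pos++) {
        for (size_t v = 0; v < sizeof INTERESTING; v++) {
            memcpy(buf, SEED, sizeof SEED);
            buf[pos] = INTERESTING[v];
            enum outcome o = run_one(buf, sizeof buf);
            r.runs++;
            if (o == OUT_OK) continue;
            if (o == OUT_CRASH) r.crashes++; else r.hangs++;
            if (r.first_bad_len == 0) {
                memcpy(r.first_bad, buf, sizeof buf);
                r.first_bad_len = sizeof buf;
            }
        }
    }
    return r;
}

/* Fuzz, then replay the saved input to confirm the failure reproduces.
   Returns 1 if exactly the stride-zero hang was found and replays as a hang. */
int demo_finds_stride_zero(void)
{
    struct fuzz_result r = fuzz_seed();
    return r.runs == 30 && r.crashes == 0 && r.hangs == 1
        && r.first_bad_len == sizeof SEED && r.first_bad[1] == 0x00
        && run_one(r.first_bad, r.first_bad_len) == OUT_HANG;
}

int main(void)
{
    struct fuzz_result r = fuzz_seed();
    printf("%u runs, %u crashes, %u hangs\n", r.runs, r.crashes, r.hangs);
    if (r.first_bad_len) {
        printf("first failing input:");
        for (size_t i = 0; i < r.first_bad_len; i++) printf(" %02x", r.first_bad[i]);
        printf("\n");
    }
    return 0;
}
```

Saving and replaying the failing input is the step that turns a fuzzing run into a bug report; the 1995 study's failure rates are exactly this kind of crash-or-hang count over a corpus of targets.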

Metasploit

Modular exploit system

  • Exploit collection: over 100 exploits.
  • Payloads: machine code to run
  • Command line and web interfaces.

Payloads

  • Bind shell: opens shell backdoor on port.
  • Reverse shell: send shell back to attacker.
  • Windows VNC: remote desktop access.
  • Create user: add new administrative user.

Metasploit
  • http://www.metasploit.com/

Using Metasploit
  • Select an exploit:

        use exploit_name

  • Enter the target:

        set RHOST ip_address_of_target

  • Select the payload; for a reverse shell, LHOST is the address the target will connect back to:

        set payload payload_name
        set LHOST ip_address_of_your_host

  • Run:

        exploit

Advantages of Metasploit
  • Ease of use
    • One interface to many exploits.
  • Flexibility
    • Can choose whatever payload you need.
  • Faster development time
    • Payloads already written.
  • Reliability
    • Framework and payloads are well tested.

Uses of Metasploit
  • Vulnerability verification
    • Scanners report possible vulnerabilities.
    • A successful Metasploit exploit confirms one: it gives you remote access, which a scanner result cannot.
  • IDS/IPS testing
    • Test IDS/IPS with real exploit code.
  • Penetration testing
    • Easy to develop custom exploits for pen testing.
  • Convincing management
    • Remote access is more convincing than a report.

References
  • Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
  • Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O'Reilly & Associates, 2003.
  • Mark Graff and Kenneth van Wyk, Secure Coding: Principles & Practices, O’Reilly, 2003.
  • Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison-Wesley, 2004.
  • Michael Howard, David LeBlanc, and John Viega, 19 Deadly Sins of Software Security, McGraw-Hill Osborne, 2005.
  • Michael Howard, David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003.
  • Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006.
  • Gary McGraw, Software Security, Addison-Wesley, 2006.
  • John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002.
  • David Wheeler, Secure Programming for UNIX and Linux HOWTO, http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html, 2003.
