Isys20261 lecture 08

Computer Security Management (ISYS20261), Lecture 8 - Network-based Attacks (3). Module Leader: Dr Xiaoqi Ma, School of Science and Technology

Transcript of Isys20261 lecture 08

Page 1: Isys20261 lecture 08

Page 2: Isys20261 lecture 08

Computer Security Management - Page 2

Last week …

• IP address spoofing

• Man-in-the-middle attack

• Denial-of-service attack (DoS)

– SYN flooding

– Smurf attack

– Distributed Denial of Service attack (DDoS)

Today ...

• OS-based attacks

• Buffer overflows

• Stack smashing

• Dangling and wild pointers

• Password attacks

OS-based attacks

• Attackers often look for

– Unpatched operating systems

– Badly designed application software

• Why?

– Known vulnerabilities can easily be exploited

• Attacker can then steal, copy, or manipulate data

• Once the OS and the services running on the system have been identified, the attacker can mount a number of attacks:

– Stack smashing

– Buffer overflows

– Password attacks

– Etc.

Buffer overflows

• Program tries to write data beyond the bounds of allocated memory

• If not detected and managed by the program, data is written to an unexpected location, causing unexpected results

• Problems:

– Often the program will abort

– The overflow can cause data to be written to a memory-mapped file

– Overflow can cause security problems through stack-smashing attacks

• Example (C++): the array has 500 elements, so the valid indices are 0..499; writing to index 500 is one element past the end of the allocated block

    // ...
    int *ptr;
    int idx = 500;          // one past the last valid index (499)
    ptr = new int[500];     // 500 ints allocated on the heap
    ptr[idx] = 255;         // out-of-bounds write: a buffer overflow
    // ...

Processes in memory

[Figure: layout of a process in memory. Code segment: executable code. Data segment: global and static variables. Heap: dynamically allocated data. Stack segment: the call stack.]

Heap attacks

• A heap attack is a buffer overflow that occurs in the dynamically allocated data on the heap at run time

• Memory on the heap is dynamically allocated by the application at run-time and typically contains program data

• Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures

• Can be used for example to mount a denial-of-service attack

Stacks

• Stack: data structure that works on the last-in-first-out (LIFO) principle

[Figure: a stack with storage for n data items, shown three times. First: holding 166, 45, 0, 99, 255 and 17, with 17 on top. After pop: 17 is removed, leaving 166, 45, 0, 99, 255. After push 17: 17 is back on top.]

Stack overflow

• Trying to push a data item onto a stack that is full:

[Figure: a stack whose storage for n data items is already full (166, 45, 0, 99, 255, 128, 0); push 17 has no free slot, so the item would land outside the storage.]

Stack underflow

• Trying to pop a data item from an empty stack:

[Figure: an empty stack with storage for n data items; the attempted pop has nothing to remove.]

Call stack (1)

• Stores information about the active subroutines (functions) of a computer program

• Keeps track of the point to which each active subroutine should return control when it finishes executing

• Also stores local variables and parameters (arguments)

• Implementation is machine dependent

• Stores special data structures called stack frames or activation records

Call stack (2)

[Figure: two adjacent stack frames, one for function n and one for function n+1. Each frame holds a return address, the parameters and the local variables. The frame pointer marks the current frame and the stack pointer marks the top of the stack.]

Stack smashing attack

• Tries to insert arbitrary code into the program to be executed

• Attacker purposely overflows a stack to get access to forbidden regions of computer memory

• Often used to redirect the thread of control to a shell, which can then be used to execute commands on the target system
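As an added illustration (not part of the lecture slides), the following C program puts the unchecked copy that makes stack smashing possible next to a hardened version. The buffer size, the function names and the sample inputs are constructed for this example; the slide 5 overflow and this one differ only in where the buffer lives (heap there, stack frame here).

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size buffer in the stack frame */

/* Vulnerable form: strcpy() copies until it meets a NUL byte, however long the
 * input is. An input of 16 or more bytes writes past 'name' into the rest of
 * the stack frame (saved frame pointer, return address), which is exactly the
 * corruption a stack smashing attack relies on. Only safe for short input.
 * Compiling with -fstack-protector adds a canary that aborts the program when
 * such an overwrite is detected; the length check below prevents it outright. */
void greet_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                 /* no bounds check */
    printf("Hello, %s\n", name);
}

/* Hardened form: look for the terminator within the buffer size first, reject
 * the input if it is not there, and copy only what fits.
 * Returns 0 on success, -1 when the input was rejected. */
int greet_checked(const char *input)
{
    char name[NAME_LEN];
    const char *nul = memchr(input, '\0', NAME_LEN);  /* never scans past NAME_LEN */
    if (nul == NULL)                     /* no NUL within 16 bytes: too long */
        return -1;
    memcpy(name, input, (size_t)(nul - input) + 1);   /* includes the NUL */
    printf("Hello, %s\n", name);
    return 0;
}

int main(void)
{
    greet_unchecked("Ada");              /* 4 bytes: fits */
    if (greet_checked("a-much-longer-name-than-fits") == -1)
        puts("rejected: input does not fit the buffer");
    return 0;
}
```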

Dangling and wild pointers

• Pointers that do not point to a valid object of the appropriate type

• Dangling pointers arise when an object is deleted or deallocated without modifying the value of the pointer, so that the pointer still points to the location of the deallocated memory

• If the system reallocates the previously freed memory to another process and the original program dereferences the dangling pointer, unpredictable behaviour may result, as the memory may now contain completely different data

• Wild pointers arise when a pointer is used before it has been initialised to some known state

• They show the same erratic behaviour as dangling pointers, though they are less likely to stay undetected
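An added C example (not from the slides) of the two defensive habits these bullets point to: resetting a pointer when its memory is released, so it cannot dangle, and initialising every pointer so none is wild. The helper names and the buffer sizes are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Allocate a zeroed buffer of n ints; NULL if allocation fails. */
int *make_buffer(size_t n)
{
    return calloc(n, sizeof(int));
}

/* Free the buffer AND reset the caller's pointer, so it cannot dangle.
 * Taking int** is the point: free(*pp) alone leaves the caller's variable
 * holding the old address. Other copies of the pointer (aliases) elsewhere
 * in the program are not cleared by this and still dangle. */
void release(int **pp)
{
    if (pp == NULL)
        return;
    free(*pp);              /* free(NULL) is a no-op, so a second release is harmless */
    *pp = NULL;
}

/* NULL- and bounds-checked read. Returns 0 on success, -1 for a NULL pointer
 * (released, or never assigned) or an index outside 0..n-1. */
int read_slot(const int *buf, size_t n, size_t idx, int *out)
{
    if (buf == NULL || idx >= n)
        return -1;
    *out = buf[idx];
    return 0;
}

int main(void)
{
    int value = 0;
    int *buf = make_buffer(4);
    int *uninit = NULL;     /* initialise every pointer: left as garbage it is a wild pointer */
    if (buf == NULL)
        return 1;
    buf[1] = 42;
    if (read_slot(buf, 4, 1, &value) == 0)
        printf("slot 1 = %d\n", value);
    release(&buf);          /* buf is now NULL rather than dangling */
    if (read_slot(buf, 4, 1, &value) == -1)
        puts("read after release refused");
    if (read_slot(uninit, 4, 0, &value) == -1)
        puts("read through never-assigned pointer refused");
    return 0;
}
```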

Password attacks

• Passwords are the most common form of user authentication to an OS

• Password attacks are the most common mode of attack against an OS

• Often default passwords are left unchanged: if they are known, it is easy to break into the system

• Other methods

– Guessing

– Dictionary attack

– Brute-force attack

Password guessing

• Passwords are sequences of symbols associated with a user name

• Provide a mechanism for identification and authentication of a particular user

• Unique to an account, and grant privileges only to the account's owner

• If users can choose their own password sequences they tend to use sequences they can remember easily, e.g. pet names, birth places, etc.

• Attacker can easily guess passwords!

• Password policy: set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly

Dictionary attack

• Steal the password file from the target machine

• Parse a word file (dictionary)

• Encrypt or hash each word (depending on the target system)

• Compare the result to the encrypted or hashed password from the victim machine

• If the comparison matches: password found

• Difficult if the correct algorithm is not known or if the attacker does not have access to the encrypted password file

Brute-force attack

• Similar to dictionary attack but uses all possible combinations of letters, numbers, and special characters

• Computationally expensive

• Unlikely to succeed unless the password is very short
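An added C example (not from the slides) tying slides 16 to 18 together from the defender's side: a password policy check that rejects short passwords, dictionary words and passwords with too few character classes, plus the arithmetic behind "computationally expensive" (the search space alphabet^length a brute-force attack has to cover). The dictionary, the PW_* codes and the thresholds are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample dictionary; a real attack dictionary holds millions of words. */
static const char *DICT[] = { "password", "letmein", "qwerty", "admin", "123456" };
#define DICT_LEN (sizeof DICT / sizeof DICT[0])

enum { PW_OK = 0, PW_TOO_SHORT = 1, PW_IN_DICTIONARY = 2, PW_FEW_CLASSES = 3 };

/* Policy check: at least min_len symbols, not a dictionary word, and at least
 * three of the four classes lower / upper / digit / other. Returns a PW_* code. */
int check_policy(const char *pw, size_t min_len)
{
    size_t i;
    int lower = 0, upper = 0, digit = 0, other = 0;
    if (strlen(pw) < min_len)
        return PW_TOO_SHORT;
    for (i = 0; i < DICT_LEN; i++)
        if (strcmp(pw, DICT[i]) == 0)
            return PW_IN_DICTIONARY;
    for (i = 0; pw[i] != '\0'; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    return (lower + upper + digit + other) >= 3 ? PW_OK : PW_FEW_CLASSES;
}

/* Brute-force search space for exactly 'len' symbols from an alphabet of
 * 'alphabet' symbols: alphabet^len, in double so large spaces do not overflow. */
double keyspace(unsigned alphabet, unsigned len)
{
    double total = 1.0;
    while (len-- > 0)
        total *= alphabet;
    return total;
}

int main(void)
{
    printf("'password' -> %d, 'Tr0ub4dor&3' -> %d\n",
           check_policy("password", 8), check_policy("Tr0ub4dor&3", 8));
    printf("8 lowercase letters: %.0f guesses to exhaust\n", keyspace(26, 8));
    printf("12 printable ASCII symbols at 1e9 guesses/s: %.1f years\n",
           keyspace(95, 12) / 1e9 / (365.25 * 24 * 3600));
    return 0;
}
```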

Next week …

… we will continue to look at web application attacks