CS 4337

110 Terms

1

Countermeasures of Buffer Overflow Attacks

Array bounds checking

Non-executable stack/heap

Safe C library

Compiler solutions, e.g., StackGuard, RAD

Type safe language, e.g., Java

Static source code analysis

Anomaly Detection

Code Randomization

Memory Address Obfuscation/ASLR

2

Array bounds checking

Fundamental solution for all kinds of buffer overflow attacks.

High run-time overhead.

3

Non-executable memory

Memory used by a process (program in execution) consists of different segments.
Program counter should point to the code segment, not to heap, stack, or data segments.

4
TF

Making these segments non-executable makes it impossible for an attacker to execute malicious code that they manage to get into a stack- or heap-allocated buffer.

T

5

Modern architecture introduces ____ to help OS manage execution permission.

the NX bit

6

Non executable Stack

Does not block buffer overflows, but prevents the shellcode from being executed

To compile a C program, just use the -z noexecstack option to mark the stack segment non-executable.

7

Shellcode:

sequence of machine code, or executable instructions, that is injected into a computer's memory with the intent to take control of a running program.

8

StackGuard

Put a canary word before each return address in each stack frame.

9
TF

When a buffer overflow attack is launched, only the return address will be overwritten.

F

10

Random canary:

Choose a random string at startup.

Insert the canary string into every stack frame.

Verify the canary before returning from the function.

11
TF

To corrupt a random canary, the attacker must learn the current random string.

T

12

Low performance overhead

Weakness: Changes the layout of the stack frame of a function. This mechanism

13
TF

Low performance overhead is not compatible with some programs, e.g., debugger.

T

14

RAD

(Return Address Defender)

When a function is called, a copy of its return address is saved in a well-protected area.

Low performance overhead

15
TF

RAD is a region of memory that isn’t difficult to corrupt.

F

16

When the function has finished, before returning to its caller:

The callee checks the return address in its stack frame to see whether the RAD holds a copy of that address. If the RAD has no such address, a buffer overflow attack is signalled.

17
TF

RAD does not alter the structure of the stack frame; therefore, it is not compatible with unmodified debuggers.

F

18

Weakness of RAD

Only protects the return address

19

Type Safe Language

20

Static source code analysis

Analyze source code to find potential program statements that could result in buffer overflow vulnerabilities.

21

Weakness of static source code analysis

False positives/negatives

Difficulty obtaining source code

Limited understanding of runtime behavior.

22

Anomaly Detection

A technique used to identify

23

Code randomization

Involves randomizing the code that is executed in a process.

Encrypts the instructions of a process and decrypts them only when they are about to be executed.
Because attackers don’t know the key used to encrypt the code, their injected code cannot be decrypted correctly.

24

Weakness of code randomization

Main assumption is that most attackers rely on injected code

Performance overhead

25

Memory address obfuscation

Introduction of random length gaps

26

ASLR

Address Space Layout Randomization

Randomizes the layout of process components in main memory; hence attackers can only guess addresses.

27

Random length gaps introduced by memory address obfuscation

Padding in stack frames

Padding between malloc allocations

Padding between variables and static data structures

Random length gaps in code segments

28

DEP

Data Execution Prevention

29

EIP control

Movement is restricted.

Can’t jump to heap or stack

30

How can an attacker defeat DEP?

Borrow bits and pieces of code that already exist in executable regions of the process

31

Orchestrating Code Execution

Assume a series of cards where each card indicates an operation to be performed.
The code for that operation is present in the executable regions of the process memory (binary or shared library).

32
TF

An example of orchestrating code execution is breaking complex parts down into simpler cards.

T

33

Trusted code

Applets that originate from a trusted source could be trusted

Introduced in Java 1.1

Applets could be digitally signed

Unsigned applets and applets signed by an untrusted principal are restricted to the sandbox

34

Signed applets

Contain a signature that the browser should verify through a remotely running, independent certificate authority server

35

Policy file

A configuration file used by the Java Runtime Environment to determine the permissions granted to each Java program.

36

Fine grained access control

Each piece of code has access to system resources based on what is defined in the policy file

Introduced in Java 2

37
TF

Protection domains are determined by the policy file.

F

38

3 pillars of Java security

Security Manager

Class Loaders

Bytecode Verifier

39

Security manager

Ensures that the permissions specified in the policy file are not overridden

Implements a checkPermission() method, which returns a yes or a no based on the code source and the permissions granted to that code source in the policy file.

40

Class loaders

Separate name spaces: classes loaded by the same class loader belong to the same name space

Establish the protection domain for a loaded class

Enforce a search order that prevents trusted system classes from being replaced by classes from less trusted sources

41
TF

A class in one name space cannot access a class in another name space.

T

42

Class loading process

Every class loader has a “parent” class loader

43

Bytecode Verifier

Checks the code to ensure that:

Variables are initialized before they are used.

Rules for accessing private data and methods are not violated

Local variable accesses fall within the runtime stack.

The runtime stack does not overflow.

No “illegal” data conversions will occur

Bytecode instructions will have appropriately-typed parameters

44

Illegal data conversions are stopped because:

The verifier will not allow integers to serve as pointers

This ensures that variables will not be granted access to restricted memory areas.

45

Java Security APIs

JCE - Java Cryptography classes

JSSE - Java Secure Sockets Extension

JAAS - Java Authentication and Authorization Services

46

HTTP

Hypertext Transfer Protocol

Browser sends HTTP requests to the server

Methods: GET, POST, …

GET: to retrieve a resource (HTML, image, script, CSS, …)

POST: to submit a form (login, register, …)

Server replies with an HTTP response

47

Stateless request/response protocol

Each request is independent of previous requests

48

Cookies

A name/value pair created by a website to store information on your computer

49
TF

HTTP is a stateful protocol. Cookies make it stateless.

F

50
TF

Cookies are stored on the server.

F

51

JavaScript

Embedded in web pages and executed inside the browser

52

How XSS works

2 stages

  1. To run malicious JavaScript code in a victim’s browser, an attacker must first find a way to inject the malicious code (payload) into a web page that the victim visits.

  2. The victim must then visit the web page containing the malicious code.

53

Most common XSS Attack tags

<script> tag

<body> events

54

What does the <script> tag refer to?

External JavaScript code, or

the code can be embedded within the script tag itself.

55

What are <body> events?

JavaScript event attributes such as onload and onerror can be used in many different tags.

56
TF

An XSS payload can be delivered inside the <script> tag by using event attributes.

F

57

Client-side scripting is:

Powerful and flexible, and can access several resources

58

What resources can client-side scripting access?

Local files on the client-side host (read/write local files)

Webpage resources maintained by the browser (Cookies, Document Object Model objects)

  • Steal private info

  • Control what users see

  • Impersonate the user

59

Types of XSS Attacks

Reflected XSS

Stored XSS

DOM-based XSS

60

Reflected XSS

Not saved permanently, but the malicious code is reflected back to the user.

Found in phishing attacks.

61

Stored XSS

The malicious script comes from the website’s database.

62

DOM-based XSS

A convention for representing and working with objects in an HTML or XML document.

63

Impact of Reflected XSS Attacks

If an attacker can control a script that is executed in the victim’s browser, then they can typically fully compromise that user.

64

What can attackers do with Reflected XSS attacks?

View any info that the user is able to view.

Modify any info the user can modify.

65

What does a DOM-based XSS attack result in?

Stealing the user’s cookies

Changing the page’s behavior as the attacker likes

66

Sandbox

A security mechanism for separating/limiting running programs

67

Same Origin Policy (SoP)

The browser must have a security policy that provides separation among mutually untrusted scripts.

Origin = domain name + protocol + port. (All three must be equal for the origin to be considered the same.)

68

What does the Same Origin Policy control?

Manipulating browser windows

URLs requested via XMLHttpRequest

Manipulating frames and documents

Manipulating cookies

69

Problems with SOP

Poorly enforced on some browsers

Limitations if site hosts unrelated pages

Can be bypassed in XSS attacks

70
TF

SOP is mainly poorly enforced on new browsers.

F

71

Preventing XSS

Secure input handling is needed

72

2 fundamentally different ways of performing secure input handling

Encoding

Validation

73

Encoding

Escape user input so that the browser interprets it as data, not code.

Involves transforming special characters in user input into their respective HTML entities. E.g., '<' becomes "&lt;" and '>' becomes "&gt;".

74

Validation

Sanitize the user input so that the browser interprets it as code without malicious intent.

Classification strategies:

  • Blacklisting: specify what isn’t allowed

  • Whitelisting: specify what is allowed

75

Popular encoding libraries

OWASP ESAPI

Microsoft AntiXSS

PHP’s htmlspecialchars()

76

Validate outcome:

Input identified as malicious can be either rejected or sanitized.

77

Functional programming

Programming paradigm that treats computation as the evaluation of mathematical functions.

78

Pure functional programming

No side effects:

  • The output of a function depends only on its input

  • A function does not change anything during evaluation

  • Can be evaluated in any order (many times, never, etc.)

More complex functions are based on recursion:

  • No for/while loops

  • Natural problem decomposition: mathematical induction

79

Lambda calculus

Formal theory of computation, older than the TM (Turing Machine)

Based on mathematical recursive function theory.

80

Lisp

List Processing

  • Early practical programming language

  • Second oldest high-level language after Fortran

81
TF

Lisp is older than Fortran.

F

82

ML

Meta Language

  • Lisp with types, used in compilers

83

Haskell

Named after the first name of Haskell Curry

Standard for functional programming research

84

List of functional languages

LISP

  • Common LISP

  • Scheme

  • PLT Scheme

  • Racket

  • Clojure

ML (Meta Language) is a general-purpose functional programming language.

  • Haskell

  • Scala

  • Caml

  • OCaml

F#

Erlang

Miranda

85

REPL

Read-Eval-Print Loop

86

Racket Built-In Datatypes

Booleans

Numbers

Characters

Strings

Bytes and Byte Strings

87

Boolean

88

Racket Syntax

Almost everything is an expression

89
TF

All expressions in Racket syntax are represented as lists.

T

90
TF

Lists are always evaluated in Racket.

F

91

The first element of every list in Racket is:

Assumed by the compiler to be a function

92

S-Expression

Symbolic expression

Notation for nested lists (tree-structured data), invented for and popularized by the programming language Lisp.

93
TF

Conventions for user-defined names are less strict than in traditional imperative languages, like the C family.

T

94

What happens when we apply cons to 2 atoms?

Returns a dotted pair (cons cell)

95

TF

A dotted pair is a list

F

96

car and cdr

Take a list apart

Inverse of cons

97

car

Retrieves the first element of a list or pair.

98

cdr

Retrieves the rest of the elements of a list or pair after the first element.

99

append

Used to concatenate lists together. It takes one or more lists as arguments and returns a new list containing all the elements of the input lists concatenated together.

100

map
