IS 430 Chapter 3

66 Terms

1

Memory Allocation Examples

Stack: Most local variables and data

Heap: anything from malloc() or similar calls

Static: things like string literals

Code: 1s and 0s of your instructions

2

program counter

pointer or register that indicates the next instruction

3

program fault

trying to execute something that does not correspond to a valid instruction or trying to execute a privileged instruction when not in the proper mode

4

Buffer Overflows

Occur when data is written beyond the space allocated for

5

How could attackers cause damage?

An attacker's inputs are expected to go into regions of memory allocated for data, but those inputs are instead allowed to overwrite memory holding executable code.

6

Buffer

a space in which data can be held. It resides in memory.

7

local data

data used strictly within one procedure

8

shared, common, or global data

shared between two or more procedures

9

Privilege Escalation

executing attack code with higher system permissions

10

stack frame

stack pointer

11

Attacker can produce effects from an overflow attack by

Overwrite the program counter

Overwrite part of the code

Overwrite program counter and data

12

Four types of Buffer Overflow

User Data

User Code

System Data

System Code

13

heap

provides space for dynamic data

14

stack smashing

overflowing some element of the stack to execute unintended instructions.

15

data driven attack

relies on data provided by the user; for example, stack smashing

16

Overflow Countermeasures

Stay within bounds

Check lengths before writing

Confirm array subscripts are within limits

Monitor input to accept only as much as can be handled

Limit privileges of the program

17

Harm from Buffer overflows

Overwrite:

Another piece of your program's data

An instruction in your program

Data or code belonging to another program/OS

Overwriting instructions gives attackers the program's execution privileges

Overwriting the OS gives attackers OS execution privileges

18

Two key features of buffer overflow attacks

1) attacker can write directly to particular memory addresses

2) language or compiler allows inappropriate operations on certain data types.

19

static code analyzer

analyzes source code to detect unsafe conditions

20

Separation

To protect from attacks, separating sensitive areas from running code and its buffers and data space.

21

canary layer

wrapping each stack frame in a protective layer

22

Address Space Layout Randomization (ASLR)

Reduce the chance that an attacker can guess or rely on the location of things like system code or the next stack frame.

23

Mediation

Verifying that the subject is authorized to perform the operation on an object

24

Preventing Incomplete Mediation

Validate all input

Limit user's access to sensitive data and functions

Complete mediation using a reference monitor

25

Reference monitor Properties

1) small and simple enough to give confidence of correctness

2) unbypassable

3) always invoked.

These three properties give us complete mediation

26

Time Of Check/Time Of Use

concerns mediation that is performed with a "bait and switch" in the middle. It exploits the delay between the actions: check and use.

27

Countermeasures for TOCTTOU

- access checking software must own the request data until the requested action is complete.

- ensure serial integrity, allow no interruption during validation

- Validation routine can seal the request to detect modification

28

Undocumented access point

undocumented entry point or execution mode (backdoor)

29

off-by-one error

miscalculating the condition to end a loop or overlooking that an array has certain elements.

30

Integer Overflow

occurs because a storage location is of fixed, finite size and therefore can contain only integers up to a certain limit.

31

unterminated null-terminated string

An attacker intentionally feeds an overly long string into a processing program to see if and how the program will fail.

32

null-terminated string

the end of the string is denoted by a null byte, or 0x00.

33

Parameter length

too many parameters

34

wrong output type or size

A calling and called procedure need to agree on the type and size of data values exchanged.

35

too-long string

input a string longer than it can handle

36

Unsafe Utility Program

library of utility routines to assist with common activities

37

Race condition

situation in which program behavior depends on the order in which two procedures execute

38

Security implication of race conditions

can cause inconsistent, undesired, and therefore wrong outcomes: a failure of integrity

39

Malware

programs planted by an agent with malicious intent to cause unanticipated or undesired effects

40

Virus

program that replicates itself and passes on malicious code to nonmalicious programs by modifying them

41

Worm

a program that spreads copies of itself through a network

42

Trojan Horse

code that contains unexpected, undocumented, additional functionality

43

Rabbit

Code that replicates itself without limit to exhaust resources

44

Logic bomb

Code that triggers action when a predetermined condition occurs

45

Time bomb

Code that triggers action when a predetermined time occurs

46

Dropper

Transfer agent code only to drop other malicious code, such as a virus or Trojan horse

47

Hostile mobile code agent

code communicated semi-autonomously by programs transmitted through the web

48

Script attack, JavaScript, active code attack

Malicious code communicated in JavaScript, ActiveX, or another scripting language, downloaded as part of displaying a web page

49

RAT (Remote Access Trojan)

Trojan horse that, once planted, gives access from a remote location

50

Spyware

program that intercepts and covertly communicates data on the user

51

Bot

semi-autonomous agent under control of a controller

52

Zombie

code or entire computer under control of a program

53

Harm from Malicious code to users and systems

Sending email to user contacts

Deleting or encrypting files

Modifying system info

Stealing sensitive info

Attaching to critical system files

Hiding copies of malware in multiple locations

54

Malware Activation

One-time execution

Boot sector viruses

Memory-resident viruses

Application files

Code libraries

55

Virus detection mechanisms

Known string patterns in files or memory

Execution patterns

Storage patterns

56

Malware countermeasures for users

Use software acquired from reliable sources

Test software in an isolated environment

Only open safe attachments

Treat every website as potentially harmful

Create and maintain backups

57

Countermeasures for developers

Modular code: single purpose, small, simple, independent

Encapsulation (hides a component's implementation details)

Information hiding

Mutual suspicion

Confinement (damage does not spread to other systems)

Genetic diversity

58

Design principles for security

Least privilege

Economy of mechanism

Open design

Complete mediation

Permission based

Separation of privilege

Least common mechanism

Ease of use

59

unit testing

component functions properly with the types of input expected (predetermined set of data)

60

API Integration testing

verifying that system components work together as described in the system

61

function test

evaluates the system to determine whether functions are actually performed by the integrated system.

62

performance test

compares the system with the remainder of the software and hardware requirements

63

acceptance test

system is checked against customer requirements

64

installation test

system still functions as it should

65

regression testing

After a change to a system takes place, retesting to ensure functionality, performance, and protection.

66

Other countermeasures

Good:

Proofs of program correctness

Defensive programming

Design by contract

Bad:

Penetrate and patch

Security by obscurity