Slide 16 - Program Flaws   (School of Software, LiJT)
• Program flaws are unintentional
  – But still create security risks
• We'll consider 3 types of flaws
  – Buffer overflow (smashing the stack)
  – Incomplete mediation
  – Race conditions
• Many other flaws can occur
• These are the most common
Slide 17 - Buffer Overflow: the first enemy
• Caused by bad programming practices
• Most common security vulnerability
  – 9 of 13 CERT advisories from 1998
  – at least half of the 1999 CERT advisories (8/17)
  – 18 of 28 CERT advisories from 2003
• Most exploits based on buffer overflows aim at forcing the execution of malicious code.
• Problems
  – Accessing an array without bounds checking
  – String representation in C/C++: a string is just bytes ending in a NUL (zero) byte, with no length stored alongside it
Slide 18 - Typical Attack Scenario
• Users enter data into a Web form
• Web form is sent to server
• Server writes data to a buffer without checking the length of the input data
• Data overflows the buffer
• Sometimes, the overflow can enable an attack
• A Web form attack could be carried out by anyone with an Internet connection
Slide 19 - Buffer Overflow

    int main(void)
    {
        int buffer[10];
        /* Out-of-bounds write: index 20 is 40 bytes past a 10-element array.
         * Undefined behaviour in C; no bounds check stops it. */
        buffer[20] = 37;
        return 0;
    }

• Q: What happens when this is executed?
• A: It depends on what resides in memory at the location "buffer[20]"
  – Might overwrite user data or code
  – Might overwrite system data or code
Slide 20 - Simple Buffer Overflow
• Consider a boolean flag used for authentication, stored right after an input buffer
• A buffer overflow could overwrite the flag with a nonzero byte, allowing anyone to authenticate!

    [ buffer: F O U R S C … ][ Boolean flag: T/F ]

• In some cases the attacker need not be so lucky as to have the overflow land exactly on the flag
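The following is an added example written for this page, not code from the slides. It puts the "server writes data to buffer without checking length" scenario of slide 18 and the flag overwrite of slide 20 into one runnable C program: a vulnerable check that copies the request data with no length check, beside a hardened one that validates the length first. Assumptions that are not in the slides: the struct `login_state` (a struct is used instead of real stack locals so that the buffer-then-flag layout is deterministic across compilers), the function names `check_password_vulnerable` and `check_password_fixed`, the constructed password "secret", and the constructed attack string "AAAAAAAAX".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame from slide 20: a fixed-size input buffer immediately
 * followed by the authentication flag.  Struct members are laid out in
 * declaration order, so bytes that run off the end of buffer[] land in
 * authenticated.  (Real stack layouts vary by compiler and flags; the
 * struct is an assumption made so the demo is deterministic.) */
struct login_state {
    char buffer[8];               /* password input, no stored length */
    unsigned char authenticated;  /* 0 = not logged in, nonzero = logged in */
};

/* Vulnerable check: copies the request data with no length check, like the
 * server on slide 18.  The copy goes byte by byte through a char pointer to
 * the whole struct so the overrun is deterministic and stays inside the
 * object; a real program would use strcpy()/gets()/sprintf() here and keep
 * writing past the frame. */
static int check_password_vulnerable(const char *input, const char *real_password)
{
    struct login_state s;
    char *raw = (char *)&s;
    size_t off = offsetof(struct login_state, buffer);

    memset(&s, 0, sizeof s);
    for (size_t i = 0; input[i] != '\0' && off + i < sizeof s; i++)
        raw[off + i] = input[i];          /* the 9th input byte overwrites the flag */

    /* strncmp bounds the compare to the buffer, which may lack a NUL. */
    if (strncmp(s.buffer, real_password, sizeof s.buffer) == 0)
        s.authenticated = 1;
    return s.authenticated;               /* nonzero means "logged in" */
}

/* Hardened check: validates the length before copying and refuses over-long
 * input instead of truncating silently. */
static int check_password_fixed(const char *input, const char *real_password)
{
    struct login_state s;
    size_t len = strlen(input);

    memset(&s, 0, sizeof s);
    if (len >= sizeof s.buffer)           /* leave room for the terminating NUL */
        return 0;                         /* reject: the input cannot fit, so do not copy */
    memcpy(s.buffer, input, len + 1);     /* bounded copy, NUL included */

    if (strcmp(s.buffer, real_password) == 0)
        s.authenticated = 1;
    return s.authenticated;
}

int main(void)
{
    const char *pw = "secret";            /* constructed sample secret */
    const char *attack = "AAAAAAAAX";     /* 8 filler bytes + 1 byte that hits the flag */

    printf("vulnerable, correct password : %d\n", check_password_vulnerable(pw, pw));
    printf("vulnerable, wrong password   : %d\n", check_password_vulnerable("wrong", pw));
    printf("vulnerable, overflow input   : %d\n", check_password_vulnerable(attack, pw));
    printf("fixed, overflow input        : %d\n", check_password_fixed(attack, pw));
    return 0;
}
```

With the attack string, the vulnerable function never sees a password match, yet it returns nonzero: the ninth byte ('X', 0x58) has landed on the flag, which is the "lucky" case slide 20 describes. The hardened version rejects any input that does not fit in the buffer with its terminator, so the flag is only ever set by the comparison. The slide's last bullet (the attacker need not be so lucky) refers to overwriting control data such as the saved return address rather than a flag; that case is not shown here.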