1
Software Vulnerability
A. Gholami && M. Khajavi
2
Outline
• Vulnerability
  o Intersection
  o Management
  o Classification
  o V-Window
• ISO 27K
• Definitions
  o Open Group
  o ENISA
• Buffer Overflow
• Call Stack
  o Structure
• Stack Overflow
  o Infinite Recursion
  o Tail Call Optimization
Vulnerability intersection: System, Information, Attacker
Attack Surface
3
Vulnerability = intersection of System Flaw, Attacker Access and Attacker Capability
4
Vulnerability management: Identifying, Mitigating, Remediating, Classifying
5
Vulnerability classification
Hardware: Humidity; Dust; Unprotected Storage
Software: Insufficient Testing; Lack of Audit Trail
Network: Unprotected Communication Lines; Insecure Network Architecture
Personnel: Inadequate Security Awareness; Inadequate Recruiting Process
6
V-Window (vulnerability window) closes when:
• Access is removed
• A security fix is deployed
• The attacker is disabled
7
ISO 27000 (ISO: International Standard Organization)
• Deliberate Risk Taking
• Organizations are encouraged to assess the security risks
8
Open Group (IBM, Oracle, etc.)
Definition: % (Threat Capability) > % (Resistance)
9
ENISA (European Network and Information Security Agency)
Definition: Design error compromising the security of the system.
10
Buffer?
11
Buffer zone?? [region separating two areas]
Buffer gas? [non-flammable gas]
Buffer solution!? [controlling the pH]
Buffer in Computer Science: Data Buffer
12
Data buffer (computer science)
Area 1 → Buffer → Area 2 (buffer storage is limited!)
Input Device [mouse, keyboard, electronic chipset data] → Memory → Hard Disk Storage
13
14
Buffer Overflow
• Insufficient bounds checking
• Getting input data
• Copying data from one buffer to another
15
First Example
    char A[8] = "";
    unsigned short B = 1979;
    strcpy(A, "excessive");   /* 9 characters plus NUL = 10 bytes into the 8-byte A: the two extra bytes spill past A, typically into B */
16
Solution for boundary overrunning
Bounds Checking!
    strncpy(A, "excessive", sizeof(A));   /* copies at most 8 bytes, so B is left alone */
    A[sizeof(A) - 1] = '\0';              /* strncpy writes no terminator when the source does not fit */
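Added example (ours, not the slides' code) for the first example and its fix: it checks that strncpy(A, "excessive", sizeof(A)) on its own leaves no terminator in A when the source does not fit, and shows a bounded copy that always terminates and reports truncation. The names strncpy_terminated, bounded_copy and first_example_fixed are ours.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* The slide's strncpy call stops the overrun into B but writes no NUL when
   the source is longer than the buffer, so a later strlen()/printf() on A
   would read past its end. Returns true only if a NUL is present inside
   the 8-byte buffer (it is not). */
bool strncpy_terminated(void)
{
    char a[8];
    strncpy(a, "excessive", sizeof a);          /* fills all 8 bytes, no NUL */
    return memchr(a, '\0', sizeof a) != NULL;
}

/* Bounded copy that always terminates: at most dst_size-1 bytes are copied
   and the return value says whether the source had to be truncated, so the
   caller can reject over-long input instead of silently shortening it. */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return false;
    size_t len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;                           /* truncated */
    }
    memcpy(dst, src, len + 1);                  /* includes the NUL */
    return true;
}

/* The slide's first example with the bounded copy: "excessive" does not fit
   in A[8], so the call reports truncation, A holds "excessi", and B, the
   neighbouring variable, keeps its value. */
bool first_example_fixed(void)
{
    char A[8] = "";
    unsigned short B = 1979;
    bool fit = bounded_copy(A, sizeof A, "excessive");
    return !fit && strcmp(A, "excessi") == 0 && B == 1979;
}
```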
17
Second Example
    #include <stdio.h>
    #include <string.h>

    int main() {
        char buff[3];
        int pass = 0;

        printf("\n Enter the password : \n");
        gets(buff);   /* no bounds check: input longer than buff overwrites the stack next to it, including pass */

        if (strcmp(buff, "Khu")) {
            printf("\n Wrong Password \n");
        } else {
            printf("\n Correct Password \n");
            pass = 1;
        }
        if (pass) {
            /* Now give root or admin rights to the user */
            printf("\n Root privileges given to the user \n");
        }
        return 0;
    }
18
Let's run the program with the correct password 'Khu':
Enter the password: Khu
Correct Password
Root privileges given to the user
19
gets() function does NOT check the array bounds
Enter the password: Test
Wrong Password
Root privileges given to the user
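The same password check as on the preceding slides, rewritten with fgets() in place of gets(), as an added example (ours, not the deck's code). The password "Khu" is the deck's; BUF_SIZE, check_password_line and read_and_check are our names and assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8                    /* assumed: room for 7 chars + NUL */
static const char EXPECTED[] = "Khu"; /* the deck's password */

/* Classify one line as fgets() delivers it:
   1 = correct password, 0 = wrong password, -1 = rejected because the line
   did not fit the buffer (no trailing newline), which gets() cannot detect. */
int check_password_line(const char *line)
{
    size_t len = strlen(line);
    if (len == 0 || len >= BUF_SIZE || line[len - 1] != '\n')
        return -1;
    size_t n = len - 1;               /* length without the newline */
    return (n == sizeof EXPECTED - 1 && memcmp(line, EXPECTED, n) == 0) ? 1 : 0;
}

/* fgets() stores at most BUF_SIZE-1 bytes, so neither buff nor the variable
   next to it (pass in the original) can be overwritten. Over-long input is
   refused and the rest of that line is drained from the stream. */
int read_and_check(FILE *in)
{
    char buff[BUF_SIZE];
    if (fgets(buff, sizeof buff, in) == NULL) return -1;
    int r = check_password_line(buff);
    if (r == -1) {
        int c;
        while ((c = getc(in)) != EOF && c != '\n') ;   /* discard the rest */
    }
    return r;
}

int main(void)
{
    printf("Enter the password:\n");
    int r = read_and_check(stdin);
    if (r == 1)
        printf("Correct Password\nRoot privileges given to the user\n"); /* only on this path */
    else if (r == 0)
        printf("Wrong Password\n");
    else
        printf("Input rejected: too long or missing newline\n");
    return 0;
}
```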
20
Call Stack
21
An Example
22
Another Example
23
Stack Overflow: if the call stack pointer exceeds the stack bound
24
Call stack size depends on:
• Programming Language
• Machine Architecture
• Available Memory
25
Infinite recursion
    int function() { function(); return 0; }
Each address on the stack: 4 bytes
Special case in recursion, also called "tail recursive"
26
Tail recursion: a function returns the result of calling itself as its last operation.
27
Example
    unsigned fac_tailrec(unsigned acc, unsigned n) {
        if (n < 2) return acc;
        return fac_tailrec(n * acc, n - 1);   /* tail call: nothing left to do after it */
    }

    /* the same function after tail call optimization: the call becomes a jump, no new stack frame */
    unsigned fac_tailrec(unsigned acc, unsigned n) {
    TOP:
        if (n < 2) return acc;
        acc = n * acc;
        n = n - 1;
        goto TOP;
    }
28
Let's make it clear ;)
    unsigned fac(unsigned n) {
        unsigned acc = 1;
        for (; n > 1; --n) acc *= n;   /* the loop the tail call collapses into */
        return acc;
    }
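Added example (ours, not the deck's code) that takes the stack-overflow and tail-call material above one step further, to the case a defender meets in practice: recursion whose depth is chosen by untrusted input. nest_rec walks nested brackets one stack frame per level with an explicit depth limit; nesting_depth_iter is the loop form that needs no call stack at all. The names and the limit values are ours.

```c
#include <stddef.h>

/* Recursive descent over a bracket string, one stack frame per nesting
   level. Returns the maximum depth, or -1 for unbalanced input or for
   nesting deeper than `limit`. The guard runs before the recursive call, so
   attacker-chosen input cannot push the call stack past its bound. */
static int nest_rec(const char **p, int cur, int limit)
{
    if (cur > limit) return -1;
    int deepest = cur;
    while (**p != '\0') {
        if (**p == '(') {
            (*p)++;
            int d = nest_rec(p, cur + 1, limit);   /* not a tail call: d is used after */
            if (d < 0) return -1;
            if (d > deepest) deepest = d;
            if (**p != ')') return -1;             /* opener without closer */
            (*p)++;
        } else if (**p == ')') {
            return cur > 0 ? deepest : -1;         /* caller consumes it; stray at top level */
        } else {
            (*p)++;                                 /* other characters ignored */
        }
    }
    return cur == 0 ? deepest : -1;                 /* input ended while still nested */
}

int nesting_depth_rec(const char *s, int limit)
{
    const char *p = s;
    return nest_rec(&p, 0, limit);
}

/* Same check with a counter instead of the call stack: depth is bounded by
   `limit` alone and never by stack size, the effect the deck's goto/for
   rewrites of the tail-recursive factorial achieve by hand. */
int nesting_depth_iter(const char *s, int limit)
{
    int cur = 0, deepest = 0;
    for (; *s != '\0'; s++) {
        if (*s == '(') {
            if (++cur > limit) return -1;
            if (cur > deepest) deepest = cur;
        } else if (*s == ')') {
            if (--cur < 0) return -1;
        }
    }
    return cur == 0 ? deepest : -1;
}
```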
29
Finished, We Guess!