SlideShare une entreprise Scribd logo

Software security

Roman Oliynykov
Roman Oliynykov

Slides for my lecture "Software security: vulnerabilities, exploits and possible countermeasures" I had been giving for Samsung Electronics in Suwon, Korea (South).

Formation
1  sur  48
Software security Vulnerabilities, exploits and November 14th, possible countermeasures 2012 Roman Oliynykov Associated Professor of Information Technologies Security Department Kharkov National University of Radioelectronics Head of Scientific Research Department JSC “Institute of Information Technologies” Kharkov Ukraine ROliynykov@gmail.com
Lecture outline  List of topics I suppose you already understand  Importance of secure software for customers on the modern highly competitive consumer electronics market  Example of vulnerable network daemon for Linux, and exploit for it (buffer overflow demo)  Possible countermeasures against software vulnerabilities together with new hackers’ tricks against them  Need for permanent attention for software security
For this lecture I suppose you understand C programming language source code  main terms of operation system architecture (process, address space, stack, heap, etc.)  x86 assembler language source code (preferably AT&T notation)  basics of Linux (command line)  network utilities (ping, telnet)
Importance of secure software for customers on the modern highly competitive consumer electronics market
Importance of secure software  A smartphone is a mobile phone built on a mobile operating system, with more advanced computing capability and connectivity than a feature phone [Wikipedia]  Mobile operating system: Linux (Android, Bada, etc.), potentially vulnerable to malware (viruses, worms, Trojan horses, etc.)
Financial threats to smartphone users via malware  Invisible to user automatic premium number calls and SMS  Mobile banking application credentials theft via:  mobile banking application attacks (Zeus malware for mobiles, etc.)  access to bank card readers connected to the smartphone via microphone port, NFC chip, etc.
Other threats to smartphone users via malware  Privacy threats (spying) for remote transmission to the hacker group:  voice recording  video and photo  contact list, sms, etc.  customer location via GPS data, etc.  Customer incrimination to be a source of the cybercrime attack when his/her smartphone is a part of the botnet
New attacks on smartphones: ‘visual malware’ Automated malicious software based on camera photos for 3D model creation of indoor environment and stealing data of financial documents, information on monitors, etc.
Importance of secure software  A Smart TV is the phrase used to describe the current trend of integration of the Internet and Web 2.0 features into modern television sets and set-top boxes, as well as the technological convergence between computers and these television sets [Wikipedia]  Mobile operating system: Linux (Android, Bada, etc.), potentially vulnerable to malware (viruses, worms, Trojan horses, etc.)
Threats to Smart TV users: almost the same  Financial:  banking application credentials theft  Privacy threats (spying) for remote transmission to the hacker group from customer’s house:  voice recording  video and photo  blackmails for confidential recording at user’s home  Family digital data lost (photos, videos, contacts, etc. - example)  Customer incrimination to be a source of the cybercrime attack when his/her Smart TV is a part of the botnet or hacker’s proxy node
Example of vulnerable network daemon (service) for Linux, and exploit for it
netcalcd – vulnerable daemon (service) for Linux (x86)  intentionally written for this lecture and contains intentionally man-made vulnerabilities  processes simple network text requests for basic calculations  prints debug information about its stack on the server console
netcalcd normal operation
netcalcd normal operation
netcacld source code: part of the main() function
netcacld source code: process_request() function
netcacld source code: get_result() function
netcacld source code in asm: get_result() function
Vulnerability in get_result() function strcpy( &dst, &src ) in contrast to strncpy( &dst, &src, sizeof (dst) ) takes into account only destination string length (buffer size) and copies data until finds termination zero in src
netcalcd stack after strcpy() call with malicious data (hacker’s code) from the network
netcalcd normal operation
Running exploit against netcalcd
netcalcd buffer overflow in get_result()
Open ports on the victim computer: before and after
Victim computer successfully cracked
What’s inside exploit and how it works?
Exploit: usual C program for Windows sending block of data (shellcode):
Shellcode in the example: relocatable binary code can be run at any user address Protect the running code in the stack, find absolute address it is run at and decode the rest part of the shellcode
Why encode the main part of the shellcode?
After encoding the rest part of the shellcode runs web server at port 8801 or does everything intruder wants to do with the vulnerable process privileges
How to protect our software against such an attack?
Possible countermeasures against buffer overflow  write secure code based on secure functions calls and all necessary user input verification (the most important recommendation)  make your operation system to use Address Space Layout Randomization (ASLR)  make your operation system use processor NX bit (on x86 platform)  keep on canary words in your compiler  run the code with the least necessary privileges
Write secure code based on secure functions calls strcpy( &dst, &src ) fills destination buffer without taking into account its size; strncpy( &dst, &src, sizeof( dst ) ) won’t write outside the destination buffer (but it’s possible the lost of terminating zero)
Write secure code based on secure functions calls And many other recommendations for writing secure code…
Security check of existing projects: automated tools But no guarantee that all vulnerabilities are discovered
Address Space Layout Randomization computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space [wikipedia] Each running time stack, heap, etc. are put at random addresses in the process address space
Address Space Layout Randomization (example) It’s difficult to guess correct return address to be written on the stack smashing. But it is possible: only16 less bits of address are changed Running code addresses are NOT changed
ASLR appeared:  Linux kernel support: 2.6.12 (released June 2005)  Microsoft's Windows Vista (released January 2007), Windows Server 2008, Windows 7, and later have ASLR enabled by default  Android 4.0 Ice Cream Sandwich provides ASLR …
ASLR evasion techniques  brute force address search attempt  return into code on non-randomized memory  jmp *esp (ret address points to such bytes in code)  etc.
Make your operation system use processor NX bit (on x86 platform) NX bit, which stands for Never eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (or code) or for storage of data
NX bit protection evasion: return-to-libc attack  no code in the stack (no processor exception)  return address is overwritten and points to the existing code  intruder calls standard function and passes arbitrary arguments to it  in Windows it is possible to call a sequence of functions due to _stdcall_ convention
Never switch off canary words in your compiler Canary words are known values that are placed between a buffer and control data on the stack to monitor buffer overflows
Canary words  Implementation:  GCC Stack-Smashing Protector (ProPolice)  Microsoft Visual Studio 2003 and higher ( /GS )  etc.  What cannot be handled:  buffer overflows in the heap (intruder uses pointers to functions in virtual method tables of dynamic objects)
There is no universal silver bullet for security If a system switched on and running we may have up-do-date security solutions only Security is a process, not a state
Conclusions (I)  Security is important (and sometimes is a crucial factor) for consumer acceptance  Secure code is a major element of the secure system  Writing secure code is much more effective than later security improvement
Conclusions (II)  Effective methods for security level improvement for existing applications:  Address Space Layout Randomization (ASLR)  NX bit on x86 processors  canary words in your compiler  code running with the least necessary privileges
Conclusions (III)  All acceptable security features of the operation system should be used  There is no universal “silver bullet” for security  Security is a process, not a state
Questions?

Recommandé

Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Network attacks
Network attacksNetwork attacks
Network attacksManjushree Mashal
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Network security
Network securityNetwork security
Network securityquest university nawabshah
 
Secure software design
Secure software designSecure software design
Secure software designAshis Kumar Chanda
 

Recommandé

Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Network attacks
Network attacksNetwork attacks
Network attacksManjushree Mashal
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Network security
Network securityNetwork security
Network securityquest university nawabshah
 
Secure software design
Secure software designSecure software design
Secure software designAshis Kumar Chanda
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationAmandeep Kaur
 
Key management
Key managementKey management
Key managementSujata Regoti
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 
Spyware powerpoint
Spyware powerpointSpyware powerpoint
Spyware powerpointgalaxy201
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 
Software Security
Software SecuritySoftware Security
Software SecurityRoman Oliynykov
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
zero day exploits
zero day exploitszero day exploits
zero day exploitsAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute forcevishalgohel12195
 
Network security
Network securityNetwork security
Network securityfatimasaham
 
Hash Function
Hash FunctionHash Function
Hash FunctionSiddharth Srivastava
 
Ransomware
RansomwareRansomware
RansomwareAkshita Pillai
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentationMahmoud Ibra
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitRaghav Bisht
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Futurekaranwayne
 
Firewall ppt
Firewall pptFirewall ppt
Firewall pptOECLIB Odisha Electronics Control Library
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
My life plans
My life plansMy life plans
My life plansVIVIANA GUERRERO
 
Kupyna
KupynaKupyna
KupynaRoman Oliynykov
 

Contenu connexe

Tendances

Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationAmandeep Kaur
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 
Spyware powerpoint
Spyware powerpointSpyware powerpoint
Spyware powerpointgalaxy201
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute forcevishalgohel12195
 
Network security
Network securityNetwork security
Network securityfatimasaham
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentationMahmoud Ibra
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitRaghav Bisht
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Futurekaranwayne
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 

Tendances (20)

Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
Key management
Key managementKey management
Key management
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Network security
Network securityNetwork security
Network security
 
Spyware powerpoint
Spyware powerpointSpyware powerpoint
Spyware powerpoint
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distribution
 
Software Security
Software SecuritySoftware Security
Software Security
 
Application Security
Application SecurityApplication Security
Application Security
 
zero day exploits
zero day exploitszero day exploits
zero day exploits
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
 
Network security
Network securityNetwork security
Network security
 
Hash Function
Hash FunctionHash Function
Hash Function
 
Ransomware
RansomwareRansomware
Ransomware
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
 
Firewall ppt
Firewall pptFirewall ppt
Firewall ppt
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 

En vedette

Cryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin frameworkCryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin frameworkRoman Oliynykov
 
Kalyna block cipher presentation in English
Kalyna block cipher presentation in EnglishKalyna block cipher presentation in English
Kalyna block cipher presentation in EnglishRoman Oliynykov
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testingankitmehta21
 
Next generation block ciphers
Next generation block ciphersNext generation block ciphers
Next generation block ciphersRoman Oliynykov
 
AES effecitve software implementation
AES effecitve software implementationAES effecitve software implementation
AES effecitve software implementationRoman Oliynykov
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Minded Security
 
Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...Roman Oliynykov
 
Presentation Software
Presentation SoftwarePresentation Software
Presentation Softwaregueste5c836
 
Desktop Publishing
Desktop PublishingDesktop Publishing
Desktop Publishingbjoe777
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
Graphics software
Graphics softwareGraphics software
Graphics softwareMohd Arif
 
Desktop publishing (power point)
Desktop publishing (power point)Desktop publishing (power point)
Desktop publishing (power point)kuromi12
 
Wired and wireless technologies
Wired and wireless technologiesWired and wireless technologies
Wired and wireless technologiesAkhil Sabu
 
Introduction to Design Pattern
Introduction to Design PatternIntroduction to Design Pattern
Introduction to Design PatternSanae BEKKAR
 

En vedette (20)

My life plans
My life plansMy life plans
My life plans
 
Kupyna
KupynaKupyna
Kupyna
 
Cryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin frameworkCryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin framework
 
Kalyna block cipher presentation in English
Kalyna block cipher presentation in EnglishKalyna block cipher presentation in English
Kalyna block cipher presentation in English
 
Kalyna
KalynaKalyna
Kalyna
 
Software Design Patterns
Software Design PatternsSoftware Design Patterns
Software Design Patterns
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
 
Next generation block ciphers
Next generation block ciphersNext generation block ciphers
Next generation block ciphers
 
Desktop Publishing
Desktop PublishingDesktop Publishing
Desktop Publishing
 
AES effecitve software implementation
AES effecitve software implementationAES effecitve software implementation
AES effecitve software implementation
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016
 
Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...
 
Presentation Software
Presentation SoftwarePresentation Software
Presentation Software
 
Desktop Publishing
Desktop PublishingDesktop Publishing
Desktop Publishing
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
 
Graphics software
Graphics softwareGraphics software
Graphics software
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 
Desktop publishing (power point)
Desktop publishing (power point)Desktop publishing (power point)
Desktop publishing (power point)
 
Wired and wireless technologies
Wired and wireless technologiesWired and wireless technologies
Wired and wireless technologies
 
Introduction to Design Pattern
Introduction to Design PatternIntroduction to Design Pattern
Introduction to Design Pattern
 

Similaire à Software security

Chapter 09
Chapter 09Chapter 09
Chapter 09 Google
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Op Sy 03 Ch 61
Op Sy 03 Ch 61Op Sy 03 Ch 61
Op Sy 03 Ch 61 Google
 
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)LeClubQualiteLogicielle
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101ysurer
 
[Codientu.org] design of a microcontroller based circuit for software protection
[Codientu.org] design of a microcontroller based circuit for software protection[Codientu.org] design of a microcontroller based circuit for software protection
[Codientu.org] design of a microcontroller based circuit for software protectionHieu Le Dinh
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...Area41
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsJan Seidl
 
Embedded
EmbeddedEmbedded
EmbeddedAbindas
 
Inception framework
Inception frameworkInception framework
Inception framework한익 주
 
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)Alexandre Borges
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System SecurityAdel Barkam
 
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...CODE BLUE
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
An Overview of Cyber Attack and Computer Network Operations Si.docx
An Overview of Cyber Attack and Computer Network Operations Si.docxAn Overview of Cyber Attack and Computer Network Operations Si.docx
An Overview of Cyber Attack and Computer Network Operations Si.docxnettletondevon
 

Similaire à Software security (20)

Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
 
Chapter 09
Chapter 09Chapter 09
Chapter 09
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Op Sy 03 Ch 61
Op Sy 03 Ch 61Op Sy 03 Ch 61
Op Sy 03 Ch 61
 
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)
 
Buffer overflows
Buffer overflowsBuffer overflows
Buffer overflows
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101
 
[Codientu.org] design of a microcontroller based circuit for software protection
[Codientu.org] design of a microcontroller based circuit for software protection[Codientu.org] design of a microcontroller based circuit for software protection
[Codientu.org] design of a microcontroller based circuit for software protection
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutions
 
Embedded
EmbeddedEmbedded
Embedded
 
9(1)
9(1)9(1)
9(1)
 
Inception framework
Inception frameworkInception framework
Inception framework
 
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
 
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
 
An Overview of Cyber Attack and Computer Network Operations Si.docx
An Overview of Cyber Attack and Computer Network Operations Si.docxAn Overview of Cyber Attack and Computer Network Operations Si.docx
An Overview of Cyber Attack and Computer Network Operations Si.docx
 

Dernier

Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxdhanalakshmis0310
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxAmanpreet Kaur
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 

Dernier (20)

Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptx
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Asian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptxAsian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptx
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 

Software security

  • 1. Software security Vulnerabilities, exploits and November 14th, possible countermeasures 2012 Roman Oliynykov Associated Professor of Information Technologies Security Department Kharkov National University of Radioelectronics Head of Scientific Research Department JSC “Institute of Information Technologies” Kharkov Ukraine ROliynykov@gmail.com
  • 2. Lecture outline  List of topics I suppose you already understand  Importance of secure software for customers on the modern highly competitive consumer electronics market  Example of vulnerable network daemon for Linux, and exploit for it (buffer overflow demo)  Possible countermeasures against software vulnerabilities together with new hackers’ tricks against them  Need for permanent attention for software security
  • 3. For this lecture I suppose you understand C programming language source code  main terms of operation system architecture (process, address space, stack, heap, etc.)  x86 assembler language source code (preferably AT&T notation)  basics of Linux (command line)  network utilities (ping, telnet)
  • 4. Importance of secure software for customers on the modern highly competitive consumer electronics market
  • 5. Importance of secure software  A smartphone is a mobile phone built on a mobile operating system, with more advanced computing capability and connectivity than a feature phone [Wikipedia]  Mobile operating system: Linux (Android, Bada, etc.), potentially vulnerable to malware (viruses, worms, Trojan horses, etc.)
  • 6. Financial threats to smartphone users via malware  Invisible to user automatic premium number calls and SMS  Mobile banking application credentials theft via:  mobile banking application attacks (Zeus malware for mobiles, etc.)  access to bank card readers connected to the smartphone via microphone port, NFC chip, etc.
  • 7. Other threats to smartphone users via malware  Privacy threats (spying) for remote transmission to the hacker group:  voice recording  video and photo  contact list, sms, etc.  customer location via GPS data, etc.  Customer incrimination to be a source of the cybercrime attack when his/her smartphone is a part of the botnet
  • 8. New attacks on smartphones: ‘visual malware’ Automated malicious software based on camera photos for 3D model creation of indoor environment and stealing data of financial documents, information on monitors, etc.
  • 9. Importance of secure software  A Smart TV is the phrase used to describe the current trend of integration of the Internet and Web 2.0 features into modern television sets and set-top boxes, as well as the technological convergence between computers and these television sets [Wikipedia]  Mobile operating system: Linux (Android, Bada, etc.), potentially vulnerable to malware (viruses, worms, Trojan horses, etc.)
  • 10. Threats to Smart TV users: almost the same  Financial:  banking application credentials theft  Privacy threats (spying) for remote transmission to the hacker group from customer’s house:  voice recording  video and photo  blackmails for confidential recording at user’s home  Family digital data lost (photos, videos, contacts, etc. - example)  Customer incrimination to be a source of the cybercrime attack when his/her Smart TV is a part of the botnet or hacker’s proxy node
  • 11. Example of vulnerable network daemon (service) for Linux, and exploit for it
  • 12. netcalcd – vulnerable daemon (service) for Linux (x86)  intentionally written for this lecture and contains intentionally man-made vulnerabilities  processes simple network text requests for basic calculations  prints debug information about its stack on the server console
  • 15. netcacld source code: part of the main() function
  • 18. netcacld source code in asm: get_result() function
  • 19. Vulnerability in get_result() function strcpy( &dst, &src ) in contrast to strncpy( &dst, &src, sizeof (dst) ) takes into account only destination string length (buffer size) and copies data until finds termination zero in src
  • 20. netcalcd stack after strcpy() call with malicious data (hacker’s code) from the network
  • 23. netcalcd buffer overflow in get_result()
  • 24. Open ports on the victim computer: before and after
  • 26. What’s inside exploit and how it works?
  • 27. Exploit: usual C program for Windows sending block of data (shellcode):
  • 28. Shellcode in the example: relocatable binary code can be run at any user address Protect the running code in the stack, find absolute address it is run at and decode the rest part of the shellcode
  • 29. Why encode the main part of the shellcode?
  • 30. After encoding the rest part of the shellcode runs web server at port 8801 or does everything intruder wants to do with the vulnerable process privileges
  • 31. How to protect our software against such an attack?
  • 32. Possible countermeasures against buffer overflow  write secure code based on secure functions calls and all necessary user input verification (the most important recommendation)  make your operation system to use Address Space Layout Randomization (ASLR)  make your operation system use processor NX bit (on x86 platform)  keep on canary words in your compiler  run the code with the least necessary privileges
  • 33. Write secure code based on secure functions calls strcpy( &dst, &src ) fills destination buffer without taking into account its size; strncpy( &dst, &src, sizeof( dst ) ) won’t write outside the destination buffer (but it’s possible the lost of terminating zero)
  • 34. Write secure code based on secure functions calls And many other recommendations for writing secure code…
  • 35. Security check of existing projects: automated tools But no guarantee that all vulnerabilities are discovered
  • 36. Address Space Layout Randomization computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space [wikipedia] Each running time stack, heap, etc. are put at random addresses in the process address space
  • 37. Address Space Layout Randomization (example) It’s difficult to guess correct return address to be written on the stack smashing. But it is possible: only16 less bits of address are changed Running code addresses are NOT changed
  • 38. ASLR appeared:  Linux kernel support: 2.6.12 (released June 2005)  Microsoft's Windows Vista (released January 2007), Windows Server 2008, Windows 7, and later have ASLR enabled by default  Android 4.0 Ice Cream Sandwich provides ASLR …
  • 39. ASLR evasion techniques  brute force address search attempt  return into code on non-randomized memory  jmp *esp (ret address points to such bytes in code)  etc.
  • 40. Make your operation system use processor NX bit (on x86 platform) NX bit, which stands for Never eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (or code) or for storage of data
  • 41. NX bit protection evasion: return-to-libc attack  no code in the stack (no processor exception)  return address is overwritten and points to the existing code  intruder calls standard function and passes arbitrary arguments to it  in Windows it is possible to call a sequence of functions due to _stdcall_ convention
  • 42. Never switch off canary words in your compiler Canary words are known values that are placed between a buffer and control data on the stack to monitor buffer overflows
  • 43. Canary words  Implementation:  GCC Stack-Smashing Protector (ProPolice)  Microsoft Visual Studio 2003 and higher ( /GS )  etc.  What cannot be handled:  buffer overflows in the heap (intruder uses pointers to functions in virtual method tables of dynamic objects)
  • 44. There is no universal silver bullet for security If a system switched on and running we may have up-do-date security solutions only Security is a process, not a state
  • 45. Conclusions (I)  Security is important (and sometimes is a crucial factor) for consumer acceptance  Secure code is a major element of the secure system  Writing secure code is much more effective than later security improvement
  • 46. Conclusions (II)  Effective methods for security level improvement for existing applications:  Address Space Layout Randomization (ASLR)  NX bit on x86 processors  canary words in your compiler  code running with the least necessary privileges
  • 47. Conclusions (III)  All acceptable security features of the operation system should be used  There is no universal “silver bullet” for security  Security is a process, not a state