Generic Detection of Code Injection Attacks Using Network-Level Emulation


Generic Detection of Code Injection Attacks using Network-level Emulation

Michalis Polychronakis

Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of Crete. Heraklion, October 2009.

The dissertation of Michalis Polychronakis is approved.

Committee:
Evangelos P. Markatos, Professor, University of Crete – Thesis Advisor
Angelos Bilas, Associate Professor, University of Crete
Vasilios A. Siris, Assistant Professor, Athens Univ. of Economics and Business
Angelos Keromytis, Associate Professor, Columbia University
Maria Papadopouli, Assistant Professor, University of Crete
Athanasios Mouchtaris, Assistant Professor, University of Crete
Sotiris Ioannidis, Associate Researcher, FORTH-ICS

Department: Dimitris Plexousakis, Professor, University of Crete – Chairman of the Department

Abstract

Code injection attacks against server and client applications have become the primary method of malware spreading. A promising approach for the detection of previously unknown code injection attacks at the network level, irrespective of the particular exploitation method used or the vulnerability being exploited, is to identify the malicious code that is part of the attack vector, also known as shellcode. Initial implementations of this approach attempt to identify the presence of shellcode in network inputs using detection algorithms based on static code analysis. However, static analysis cannot effectively handle malicious code that employs advanced obfuscation methods such as anti-disassembly tricks or self-modifying code, and thus these detection methods can be easily evaded.

In this dissertation we present network-level emulation, a generic code injection attack detection method based on dynamic code analysis using emulation. Our prototype attack detection system, called Nemu, uses a CPU emulator to dynamically analyze valid instruction sequences in the inspected traffic. Based on runtime behavioral heuristics, the system identifies inherent patterns exhibited during the execution of the shellcode, and thus can detect the presence of malicious code in arbitrary inputs. We have developed heuristics that cover the most widely used shellcode types, including self-decrypting and non-self-contained polymorphic shellcode, plain or metamorphic shellcode, and memory-scanning shellcode. Network-level emulation does not rely on any exploit- or vulnerability-specific signatures, which allows the detection of previously unknown attacks. At the same time, the actual execution of the attack code on a CPU emulator makes the detector robust to evasion techniques like indirect jumps and self-modifications. Furthermore, each input is inspected autonomously, which makes the approach effective against targeted attacks.

Our experimental evaluation with publicly available shellcode construction engines, attack toolkits, and real attacks captured in the wild shows that Nemu is more robust to obfuscation techniques than previous proposals, while it can effectively detect a broad range of different shellcode implementations without any prior exploit-specific information. At the same time, extensive testing using benign generated and real data did not produce any false positives.

To assess the effectiveness of our approach under realistic conditions we deployed Nemu in several production networks. Over the course of more than one year of continuous operation, Nemu detected more than 1.2 million attacks against real systems. We provide a thorough analysis of the captured attacks, focusing on the structure and operation of the shellcode, as well as the overall attack activity in relation to the different targeted services. The large and diverse set of detected attacks, combined with the zero false positive rate over the whole monitoring period, demonstrates the effectiveness and practicality of our approach.

Finally, we identify challenges faced by existing network trace anonymization schemes for safely sharing attack traces that contain self-decrypting shellcode. To alleviate this problem, we present an anonymization method that identifies and properly sanitizes sensitive information contained in the encrypted part of the shellcode that is otherwise not exposed on the wire.

Thesis Advisor: Prof. Evangelos Markatos

Περίληψη (Greek abstract: a Greek-language version of the abstract above, font-mis-encoded in the extracted text). Επόπτης (Supervisor): Καθηγητής Ευάγγελος Μαρκάτος (Prof. Evangelos Markatos).
Acknowledgments

I want to thank many people who in one way or another have contributed to this work by sharing time, ideas, knowledge, experience, enthusiasm, drinks, and love. Without their help, this thesis simply would never have finished.

I am grateful to my advisor Prof. Evangelos Markatos for being a great mentor and a real teacher. Since the days I began working at FORTH as an undergraduate, his endless energy and positive attitude always gave me the strength to go on. I am also indebted to Kostas Anagnostakis for his invaluable advice and 24/7 support. A huge thanks to them for providing me with such a great research experience. Above all, I am really lucky to have made two true friends.

The members of my committee—Angelos Bilas, Vasilis Siris, Angelos Keromytis, Sotiris Ioannidis, Maria Papadopouli, and Athanasios Mouchtaris—have provided valuable suggestions and feedback. I thank them for the time they devoted to reviewing my thesis and for agreeing to serve on the committee on very short notice.

The years at CSD and the DCS Lab at FORTH-ICS are unforgettable. The fun I had with Manos Moschous, Giorgos Dimitriou, Spiros Antonatos, Dimitris Koukis, Elias Athanasopoulos, Dimitris Antoniadis, Christos Papachristos, Periklis Akritidis, Manolis Stamatogiannakis, Antonis Papadogiannakis, Iasonas Polakis, Manos Athanatos, Vasilis Papas, Alexandros Kapravelos, Giorgos Vasiliadis, Nikos Nikiforakis, Michalis Foukarakis, and all the other colleagues at the lab was unprecedented. Thank you guys!

I am particularly grateful to Niels Provos, who encouraged me to pursue an internship at Google and has ever since been providing invaluable knowledge and wise guidance. I would also like to thank Panayiotis Mavrommatis, Therese Pasquesi, and all my friends and colleagues in Mountain View.

A big shout out to my friends Chrisa Farsari, Nikos Spernovasilis, Kristi Plousaki, Antonis Fouskis, Eva Syntichaki, Giorgos Lyronis, Lena Sarri, Theodoros Tziatzios, Nikos Thanos, Eleni Milaki, Chara Chrisoulaki. I am grateful to my parents,
Recommended publications
  • Maldet: How to Detect the Malware?
    International Journal of Computer Applications (0975 – 8887), Volume 123 – No. 6, August 2015. MalDet: How to Detect the Malware? Samridhi Sharma, Department of CSE, Seth Jai Parkash Mukand Lal Institute of Engineering and Technology, Harayana, India; Shabnam Parveen, Assistant Professor, Department of CSE, Seth Jai Parkash Mukand Lal Institute of Engineering and Technology, Harayana, India.

    Abstract. Malware is malicious software. This software is used to interrupt computer functionality. Protecting the internet is probably the most enormous task that the contemporary epoch of computers has seen. Day by day the threat levels grow, thus making the network susceptible to attacks. Many novel strategies are brought into the field of cyber security to guard websites from attacks. But still malware has remained a grave reason of anxiety to web developers and server administrators. While this war takes place between the security community and malicious software developers, the security specialists use all possible techniques, methods and strategies to discontinue and eliminate the threats, while the malware developers utilize new types of malware that avoid implemented security features.

    to violate the privacy and security of a system. According to the Symantec Internet Threat Report, 499,811 new malware samples were received in the second half of 2007. So it becomes necessary to detect the malware. This paper is organized as follows: Section two covers the recent state of malware security. Section three discusses malware classification, section four presents the malware detector. Section five studies the mechanism of malware detection, and finally section six explains the malware normalization process.

    2. Related Work. Technology has turned out to be a building block in recent
  • Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment)
    Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment). Author: Herbert Bos, Vrije Universiteit Amsterdam. Editor: Andrew Martin, Oxford University. Reviewers: Chris Dalton (Hewlett Packard), David Lie (University of Toronto), Gernot Heiser (University of New South Wales), Mathias Payer (École Polytechnique Fédérale de Lausanne). © Crown Copyright, The National Cyber Security Centre 2019.

    Following wide community consultation with both academia and industry, 19 Knowledge Areas (KAs) have been identified to form the scope of the CyBOK (see diagram below). The Scope document provides an overview of these top-level KAs and the sub-topics that should be covered under each and can be found on the project website: https://www.cybok.org/. We are seeking comments within the scope of the individual KA; readers should note that important related subjects such as risk or human factors have their own knowledge areas. It should be noted that a fully-collated CyBOK document which includes issue 1.0 of all 19 Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas.

    Operating Systems and Virtualisation Security. Herbert Bos, Vrije Universiteit Amsterdam, April 2019.

    Introduction. In this knowledge area, we introduce the principles, primitives and practices for ensuring security at the operating system and hypervisor levels. We shall see that the challenges related to operating system security have evolved over the past few decades, even if the principles have stayed mostly the same. For instance, when few people had their own computers and most computing was done on multiuser (often mainframe-based) computer systems with limited connectivity, security was mostly focused on isolating users or classes of users from each other.
  • A Solution to Php Code Injection Attacks and Web
    International Journal of Research in Computer Applications and Robotics, Vol. 2 Issue 9, pp. 24-31, September 2014, www.ijrcar.com, ISSN 2320-7345. A Solution to PHP Code Injection Attacks and Web Vulnerabilities. Venkatesh Yerram¹ (Computer Networks and Information Security, [email protected]) and Dr G. Venkat Rami Reddy² (Computer Science Engineering, 2nd [email protected]), JNTU Hyderabad, India.

    Abstract. Over the decade web applications have grown rapidly. This leads to cyber crimes. An attacker injects various scripts to make the web application malfunction. The attacker injects these scripts into the text boxes of a vulnerable web application through various components such as the search bar, feedback form, login form etc., and later they are executed by the server. Sometimes the attacker modifies the URL to execute a successful attack. This execution of system calls and APIs on the web server by the attacker can damage the file system and/or leak information from the web server. PHP is a server-side scripting language; dynamic features and functionalities are controlled through the PHP language. Hence, the use of the PHP language results in a high possibility of successful execution of code injection attacks. The aim of this paper is first to understand the web application vulnerability related to PHP code injection attacks, for which a scenario has been developed, and secondly to defeat the attack and allow fast incident determination from the developed domain dictionary. This proposed system is helpful for cyber forensics experts to gather and analyze evidence effectively. Keywords: Code Injection, vulnerabilities, Attack, cyber forensics.

    1. Introduction. The web environment is growing rapidly day by day, and cyber crimes are also increasing rapidly.
  • Host-Based Code Injection Attacks: a Popular Technique Used by Malware
    Host-Based Code Injection Attacks: A Popular Technique Used By Malware. Thomas Barabosch and Elmar Gerhards-Padilla, Fraunhofer FKIE, Friedrich-Ebert-Allee 144, 53113 Bonn, Germany. [email protected], [email protected]

    © 2014 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

    Abstract. Common goals of malware authors are detection avoidance and gathering of critical information. There exist numerous techniques that help these actors to reach their goals. One especially popular technique is the Host-Based Code Injection Attack (HBCIA).

    implemented with different goals in mind, they share one common feature: they all inject code locally into foreign process spaces. One reason for this behaviour is detection avoidance. However, code injections are not limited to targeted malware. Mass-malware also uses code injections in order to stay under the radar (ZeroAccess, ZeusP2P or Conficker). Detection avoidance is not the only advantage of using code injections from a malware author's point of view. Further reasons for using code injections are interception of critical information, privilege escalation or manipulation of security products. The above mentioned examples are all malware families for Microsoft Windows. However, code injections are platform-independent. In fact all established multitasking
  • Defeating Web Code Injection Attacks Using Web Element Attribute Mutation
    Session 1: New Moving Target Defenses. MTD'17, October 30, 2017, Dallas, TX, USA. WebMTD: Defeating Web Code Injection Attacks using Web Element Attribute Mutation. Amirreza Niakanlahiji, UNC Charlotte, [email protected]; Jafar Haadi Jafarian, University of Colorado Denver, [email protected].

    Abstract. Existing mitigation techniques for Web code injection attacks have not been widely adopted, primarily due to incurring impractical overheads on the developer, Web applications, or Web browsers. They either substantially increase Web server/client execution time, enforce restrictive coding practices on developers, fail to support legacy Web applications, demand browser code modification, or fail to provide browser backward compatibility. Moving Target Defense (MTD) is a novel proactive class of techniques that aim to defeat attacks by imposing uncertainty in attack reconnaissance and planning. This uncertainty is achieved by frequent and random mutation (randomization) of system configuration in a manner that is not traceable (predictable) by attackers.

    injection and server-side script injection, they are still one of the most common attack vectors on Web applications; examples are the recently discovered XSS vulnerabilities on Amazon [4] and Ebay [7] Websites. According to OWASP [21], XSS, the most prevalent type of Web code injection attacks, is the third Web application security risk. Methodologies for countering code injection attacks could be broadly divided into two categories: (I) input validation techniques that prevent injection of malicious code, but are highly susceptible to evasion [23]; and, (II) code differentiation techniques that prevent execution of injected code, including BEEP [15], ISR [17], CSP [25], Noncespaces [27] and xJS [2]. However, as demonstrated
  • Arbitrary Code Injection Through Self-Propagating Worms in Von Neumann Architecture Devices
    Arbitrary Code Injection through Self-propagating Worms in Von Neumann Architecture Devices. Thanassis Giannetsos¹, Tassos Dimitriou¹, Ioannis Krontiris² and Neeli R. Prasad³. ¹Athens Information Tech., 19.5 km Markopoulo Ave., Athens, Greece; ²Computer Science Dep., University of Mannheim, D-68161 Mannheim, Germany; ³Department of Communication, Aalborg University, Fr. Bajers Vej 7A5, DK-9220, Denmark. Email: [email protected], [email protected], [email protected], [email protected]

    Malicious code (or malware) is defined as software designed to execute attacks on software systems and fulfill the harmful intents of an attacker. As lightweight embedded devices become more ubiquitous and increasingly networked, they present a new and very disturbing target for malware developers. In this paper, we demonstrate how to execute malware on wireless sensor nodes that are based on the Von Neumann architecture. We achieve this by exploiting a buffer overflow vulnerability to smash the call stack and intrude a remote node over the radio channel. By breaking the malware into multiple packets, the attacker can inject arbitrarily long malicious code to the node and completely take control of it. Then we proceed to show how the malware can be crafted to become a self-replicating worm that broadcasts itself and infects the network in a hop-by-hop manner. To our knowledge, this is the first instance of a self-propagating worm that provides a detailed analysis along with instructions in order to execute arbitrary malicious code. We also provide a complete implementation of our attack, measure its effectiveness in terms of time taken for the worm to propagate to the entire sensor network and, finally, suggest possible countermeasures.
  • A Review of Fuzzing Tools and Methods 1 Introduction
    A Review of Fuzzing Tools and Methods. James Fell, [email protected]. Originally published in PenTest Magazine on 10th March 2017.

    1 Introduction

    Identifying vulnerabilities in software has long been an important research problem in the field of information security. Over the last decade, improvements have been made to programming languages, compilers and software engineering methods aimed at reducing the number of vulnerabilities in software [26]. In addition, exploit mitigation features such as Data Execution Prevention (DEP) [65] and Address Space Layout Randomisation (ASLR) [66] have been added to operating systems aimed at making it more difficult to exploit the vulnerabilities that do exist. Nevertheless, it is fair to say that all software applications of any significant size and complexity are still likely to contain undetected vulnerabilities and it is also frequently possible for skilled attackers to bypass any defences that are implemented at the operating system level [6, 7, 12, 66].

    There are many classes of vulnerabilities that occur in software [64]. Ultimately they are all caused by mistakes that are made by programmers. Some of the most common vulnerabilities in binaries are stack based and heap based buffer overflows, integer overflows, format string bugs, off-by-one vulnerabilities, double free and use-after-free bugs [5]. These can all lead to an attacker hijacking the path of execution and causing his own arbitrary code to be executed by the victim. In the case of software running with elevated privileges this can lead to the complete compromise of the host system on which it is running.
  • Software Vulnerabilities Principles, Exploitability, Detection and Mitigation
    Software vulnerabilities: principles, exploitability, detection and mitigation. Laurent Mounier and Marie-Laure Potet, Verimag/Université Grenoble Alpes. GDR Sécurité – Cyber in Saclay (Winter School in CyberSecurity), February 2021.

    Software vulnerabilities... are everywhere... and keep going...

    Outline: Software vulnerabilities (what & why?); Programming languages (security) issues; Exploiting a software vulnerability; Software vulnerabilities mitigation; Conclusion.

    Example 1: password authentication. Is this code "secure"?

        boolean verify (char[] input, char[] passwd, byte len) {
            // No more than triesLeft attempts
            if (triesLeft < 0) return false;   // no authentication
            // Main comparison
            for (short i = 0; i <= len; i++)
                if (input[i] != passwd[i]) {
                    triesLeft--;
                    return false;              // no authentication
                }
            // Comparison is successful
            triesLeft = maxTries;
            return true;                       // authentication is successful
        }

    Functional property: verify(input, passwd, len) ⇔ input[0..len] = passwd[0..len].

    What do we want to protect? Against what?
      • confidentiality of passwd, information leakage?
      • control-flow integrity of the code
      • no unexpected runtime behaviour, etc.

    Example 2: make `python -c 'print "A"*5000'`: running make with a long argument crashes (in recent Ubuntu versions). Why do we need to bother about crashes (with respect to security)? A crash is the consequence of an unexpected run-time error not trapped/foreseen by the programmer, nor by the compiler/interpreter, so some part of the execution may take place outside the program scope/semantics, but can be controlled/exploited by an attacker (∼ "weird machine"): normal execution → runtime error → crash or out-of-scope execution → possibly exploitable → security breach! It may break all security properties, from simple denial-of-service to arbitrary code execution. Remark: this may also happen silently (without any crash!).

    Back to the context: computer system security. What does security mean?
      • a set of general security properties: CIA (Confidentiality, Integrity, Availability) (+ Non Repudiation + Anonymity + .
  • Intrinsic Propensity for Vulnerability in Computers? Arbitrary Code Execution in the Universal Turing Machine
    Intrinsic Propensity for Vulnerability in Computers? Arbitrary Code Execution in the Universal Turing Machine. Pontus Johnson, KTH Royal Institute of Technology, Stockholm, Sweden, [email protected]

    Abstract. The universal Turing machine is generally considered to be the simplest, most abstract model of a computer. This paper reports on the discovery of an accidental arbitrary code execution vulnerability in Marvin Minsky's 1967 implementation of the universal Turing machine. By submitting crafted data, the machine may be coerced into executing user-provided code. The article presents the discovered vulnerability in detail and discusses its potential implications. To the best of our knowledge, an arbitrary code execution vulnerability has not previously been reported for such a simple system.

    1 Introduction. A common strategy for understanding a problem is to reduce it to its minimal form.

    and Weyuker in [4], "Turing's construction of a universal computer in 1936 provided reason to believe that, at least in principle, an all-purpose computer would be possible, and was thus an anticipation of the modern digital computer." Or, in the words of Stephen Wolfram [16], "what launched the whole computer revolution is the remarkable fact that universal systems with fixed underlying rules can be built that can in effect perform any possible computation." Not only the universality, but also the simplicity of the universal Turing machine has attracted interest. In 1956, Claude Shannon explored some minimal forms of the universal Turing machine [13], and posed the challenge to find even smaller such machines. That exploration has continued to this day [16].
  • 13 Templates-Generics.Pdf
    CS 242, 2012. Generic programming in OO Languages. Reading: Text, Sections 9.4.1 and 9.4.3; J. Koskinen, Metaprogramming in C++, Sections 2–5; Gilad Bracha, Generics in the Java Programming Language.

    Questions
      • If subtyping and inheritance are so great, why do we need type parameterization in object-oriented languages?
      • The great polymorphism debate
        – Subtype polymorphism: apply f(Object x) to any y : C <: Object
        – Parametric polymorphism: apply generic <T> f(T x) to any y : C
        Do these serve similar or different purposes?

    Outline
      • C++ Templates: Polymorphism vs Overloading; C++ Template specialization; Example: Standard Template Library (STL); C++ Template metaprogramming
      • Java Generics: Subtyping versus generics; Static type checking for generics; Implementation of Java generics

    Polymorphism vs Overloading
      • Parametric polymorphism: a single algorithm may be given many types; a type variable may be replaced by any type; f :: t → t ⇒ f :: Int → Int, f :: Bool → Bool, ...
      • Overloading: a single symbol may refer to more than one algorithm; each algorithm may have a different type; the choice of algorithm is determined by type context; the types of the symbol may be arbitrarily different; + has types int*int → int, real*real → real, ...

    Polymorphism: Haskell vs C++
      • Haskell polymorphic function: declarations (generally) require no type information; type inference uses type variables; type inference substitutes for variables as needed to instantiate polymorphic code
      • C++ function template: the programmer declares argument and result types of functions; programmers
  • Security Threat Intelligence Report
    Security Threat Intelligence Report, December 2020. In this issue: COVID-19 vaccine manufacturers and supply chain targeted; RansomEXX ransomware targeting Linux systems; Botnet targets Linux servers, Linux IoT devices; NSA top 25 vulnerabilities exploited by Chinese APT groups; VMware zero-day vulnerability exploited in the wild.

    About this report. Fusing a range of public and proprietary information feeds, including DXC's global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness. This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry. Intelligence cutoff date: November 30, 2020.

    Message from Mark Hughes. Cyber criminals are opportunists, and with COVID-19 vaccines shipping in multiple countries, attackers are targeting manufacturers and their supply chains in an effort to monetize ransomware attacks at the worst possible time and steal intellectual property and patient data. This month's report also documents the expanding attacks against Linux, Windows, and internet of things (IoT) devices. Also, the SolarWinds hack is top of mind for everyone. This is a rapidly evolving situation, and we will share more details next month. For the most up to date information, refer to CISA guidance. Mark Hughes, Senior Vice President, Offerings & Strategic Partners, DXC Technology.

    Table of contents. Threat Updates: RansomEXX ransomware targeting
  • Check Point Threat Intelligence Bulletin
    November 2-8, 2020. Your Check Point Threat Intelligence Report.

    Top attacks and breaches

    Check Point Research has alerted against a wave of ransomware attacks targeting Israeli companies and corporations, using known ransomware families such as REvil and Ryuk, as well as a new family called 'Pay2Key'. The ransomware is capable of rapid lateral movement within the company network. Check Point SandBlast Agent provides protection against these threats (Ransomware.Win32.Pay2Key; Ransomware.Win32.REvil).

    Luxottica, the world's largest eyewear company, has admitted it has been breached. The giant's appointment scheduling application has been hacked, leading to the exposure of protected health information (PHI) for patients of eye care practices such as LensCrafters, Target Optical and EyeMed.

    Japanese game developer Capcom has suffered a breach leading to the shutdown of some of its systems, possibly by the Ragnar Locker ransomware. Attackers claim that 1TB of sensitive data has been stolen. Check Point SandBlast Agent provides protection against this threat (Ransomware.Win32.Ragnar).

    The Italian liquor company Campari Group has been hit by the Ragnar Locker ransomware, leading to the theft of 2TB of unencrypted files. The attackers are demanding a $15 million ransom to retrieve the files.

    Check Point Research has uncovered an attack operation targeting the Sangoma and Asterisk VoIP phone systems at nearly 1,200 organizations. The attackers, most likely located in Gaza and the West Bank, target SIP servers to execute telecom fraud, sell phone numbers and gain access to the organizations' VoIP servers. Check Point IPS provides protection against this threat (SIPVicious Security Scanner; Sangoma FreePBX Authentication Bypass (CVE-2019-19006); Command Injection Over HTTP).

    A North Korean surveillance campaign targeting the aerospace and defense sectors in Australia, Israel, Russia and India is spreading a new spyware called Torisma via fake job offers sent through social media.