Post on 23-Dec-2015
Security Analysis
What is it? Rapidly growing area of computer science. Concerned with whether or not a system and its
communications are secure.
Why do we study it? Difficult to say how a program will behave on a given
system by simply looking at a program and the programmers intentions.
Need formal methods for reasoning about the behaviour of systems.
C I A Confidentiality
Ability to hide data. (e.g. Encryption) Most obvious security idea → Attacked most often.
Integrity Ability to ensure that the data is accurate. (e.g. Quantum cryptography)
Availability Data is accessible to authorised viewers at all times. If its too inconvenient to use, it wont be!
A widely used idea in Security Analysis. (Note : The ideas of security analysis go beyond encryption. )
Types of Security Attacks. Software Exploits.
Careless programming / obscure interactions.• Buffer overflows (Alex will be talking about these).• Insecure communications (e.g. FTP, American Satellite).
Timing Attacks. Slow systems.
• Password checking• SMART Cards
Denial of Service Attacks. Aim is to crash target program / system.
• Aimed at a particular piece of software• Repeated requests → Resource starvation.
What are the solutions? Better Programming.
Helps us to counter timing attacks. Test the systems.
Formally using logics.• π-Calculus, λ-Calculus.
Brute force. There isn’t always a solution / problems
can take time to appear. Needham-Schroeder was in use for 18 years
Buffer Overflow.c (1)#include <stdio.h>
/* global variables */
int count, address;
int * ptr;
Buffer Overflow.c (1)#include <stdio.h>
/* global variables */
int count, address;
int * ptr;
void funct(void)
{
printf("This function is never called...\n");
}
Buffer Overflow.c (2)void fill_buffer()
{
int buffer[10];
ptr = buffer;
}
Buffer Overflow.c (2)void fill_buffer()
{
int buffer[10];
ptr = buffer;
for(count = 0; count < 12; count++)
{
*ptr = address;
ptr++;
}
}
Buffer Overflow.c (3)int main(void)
{
address = (int) &funct;
fill_buffer();
return 0;
}
Buffer Overflow.c (3)int main(void)
{
address = (int) &funct;
fill_buffer();
return 0;
}
Output:
This function is never called...
Segmentation Fault
Stack organisation
During a function call
??
Stack organisation
During a function call
??
000
FFF
Stack grows down-wards
Stack organisation
During a function call
??
Return address
000
FFF
Stack grows down-wards
Stack organisation
During a function call
??
Return address
??
000
FFF
Stack grows down-wards
Stack organisation
During a function call
??
Return address
??
buffer[10]
000
FFF
Stack grows down-wards
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000
FFF
Stack grows down-wards
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000
FFF
Stack grows down-wards
ptr
count = 0
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 0
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 1
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 2
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwardsptr
count = 3
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwardsptr
count = 4
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 5
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 6
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 7
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 8
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 9
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 10
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 11
Stack organisation
During a function call
??
Return address
??
buffer[10]
??000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 12
Stack organisation
During a function call
??
Return address
??
buffer[10]
000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 12
Stack organisation
During a function call
??
Return address
??
000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 12
Stack organisation
During a function call
??
Return address
000 000
FFFFFF
Stack grows down-wards
Pointer (ptr) copies upwards
ptr
count = 12
Stack organisation
During a function call
??
Return address
000
FFF
Pointer (ptr) copies upwards
ptr
return;
Stack organisation
During a function call
??
Return address
000
FFF
Pointer (ptr) copies upwards
ptr
return;
Stack organisation
During a function call
??
Return address
000
FFF
Pointer (ptr) copies upwards
ptr
return;
Stack organisation
During a function call
??
Return address
000
FFF
Pointer (ptr) copies upwards
ptr
return;
0x8048410
Stack organisation
During a function call
??
Return address
return;
0x8048410
Stack organisation
During a function callreturn;
0x8048410
Stack organisation
During a function callreturn;
0x8048410
Stack organisation
During a function callreturn;
0x8048410
Stack organisation
During a function callreturn;
0x8048410
Stack organisation
During a function callreturn;
0x8048410
void funct(void)
{
printf("This function is never called...\n");
}
Real Buffer Overflow Attacks You can’t write the functions yourself! strcpy() provides a similar opportunity Provide an unsuitably long input string Learn the stack organisation Write malicious code into the buffer itself Point the return address at your code Program executes code, then crashes
Solutions? Various approaches exist Security Analysis relatively successful One successful technique uses “canaries” But we’re not going to explain them here See the project report for more
information Also, links available (now) on the website
The End Please ask lots of
questions now... Not about canaries
though…
A Badly Written Password Checker
PassChecker(str given, str password){
If (length(given) != length(password)){
return 0;
}
for (i = 0; i < length(password); i++){
if{given[i] != password[i]){
return 0;
}
}
return 1;
}