Differences between revisions 2 and 3
Revision 2 as of 2010-04-20 02:30:34
Size: 2270
Editor: host-216-229-236-29
Comment:
Revision 3 as of 2010-04-20 02:38:51
Size: 3195
Editor: host-216-229-236-29
Comment:
Deletions are marked like this. Additions are marked like this.
Line 8: Line 8:

=== Buffer Overflows and Design Flaws ===

=== Input Validation Attacks ===
 * Buffer Overflows and Design Flaws
 * Input Validation Attacks
Line 24: Line 21:
=== Heap/BSS/Data Overflows ===
 * Very similar to stack overflows
 * The heap is used by programs to allocate dynamic memory at runtime.
==== Countermeasures ====
 * Practice safe and secure coding standards.
 * Check your code.
 * Consider prohibiting the use of old C runtime buffer functions.
 * Employ stack execution protection.
 * Use compiler tools.
=== Format String Attacks ===
 * Overwrites portions of memory to give the hacker control over the CPU’s execution flow.
 * Takes advantage of misused functions, most notably, the printf() family of functions.
==== Countermeasures ====
 * Hard-code the format specifier in your functions. In other words, always call printf() with a constant format string and pass the data as an argument, never as the format itself.
=== Off-by-One Errors ===
 * When a programmer miscounts a boundary in a conditional statement.
 * E.g. if (id < 0 || id > channels_alloc): the test should be >=, because index channels_alloc is one past the last allocated element, so this check accepts one invalid value.
==== Countermeasures ====
 * Check all code carefully
=== Canonicalization Attacks ===
 * Canonicalization is the process for determining how various forms or characters of a word are resolved to a single name or character.
==== Countermeasures ====
 * Address the problem with the language you are writing in.
 * Be specific about what data your application will accept.
Line 25: Line 46:
 * Eavesdropping on network password exchange
    * Countermeasures
 * Man-in-the-middle attacks
    * Countermeasures

=== Remote Unauthenticated Exploits ===
 * Network Service Exploits
    * Countermeasures
 * End-User Application Exploits
    * Countermeasures
 * Device Driver Exploits
    * Countermeasures

=== Authenticated Attacks ===
 * Privilege Escalation
    * Countermeasures

=== Extracting and Cracking passwords ===
 * Grabbing the Password Hashes (with pwdump)
    * Countermeasures
 * Cracking passwords
    * Countermeasures
 * Dumping cached Passwords
    * Countermeasures

=== Remote Control and Back doors ===
 * Command-line Remote control tools
 * Graphical Remote control

=== Covering Tracks ===
 * Disable Auditing
 * Clear event log
 * Hiding files
    * Alternative Data Streams (ADS)
    * Countermeasures

=== General countermeasures ===
 * Filenames: Look for suspicious filenames left over
 * Registry Entries: Hunt down any rogue registry entries
 * Processes: Look for unnecessary processes running
 * Ports: Look for rogue connections

=== Windows Security Features ===
 * Firewall
 * Automated updates
 * Security center
 * Security policy and group policy
 * Bitlocker and the Encrypted File System (EFS)

=== Windows Resource Protection ===
 * Integrity Levels, UAC, and LoRIE
 * Data Execution Prevention (DEP)

=== Service Hardening ===
 * Service Resource Isolation
 * Least Privilege Services
 * Service Refactoring
== Common Countermeasures ==
 * People:
   * Changing the Culture
   * Talk Softly
   * Carry a Big Stick
   * Security Improves Quality and Efficiency
   * Encode It into Governance
   * Measure, Measure, Measure
   * Accountability
 * Process:
   * Appoint a Security Liaison on the Development Team
   * Education, Education, Education
   * Threat Modeling
   * Code Checklists
   * Security in the Development Lifecycle
   * Security Testing
   * Audit or Final Security Review
   * Maintenance
 * Technology:
   * Managed Execution Environments
   * Input Validation Libraries
   * Platform Improvements
== Conclusion ==
 * Stack buffer overflows are the easiest and most dangerous buffer overrun hacks.
 * printf() is the function most misused by format string attacks.
 * Canonicalization: the process for determining how various forms or characters of a word are resolved to a single name or character.
 * Many common countermeasures.
== Quiz ==
 * What is considered the easiest buffer overrun hack?
 * Which function is the most misused by Format string attacks?
 * Name 3 common countermeasures.
== Answers ==
 * Stack Buffer Overflows
 * Printf()
 * Any of the 18 given


Hacking Exposed Chapter 10: Hacking Code

Common exploit techniques

  • Buffer Overflows and Design Flaws
  • Input Validation Attacks

Stack Buffer Overflows

  • Easiest and most devastating buffer overrun
  • A stack is the computer memory used when functions call other functions.
  • Occurs when a program writes to a memory address on the program's stack outside of the intended data structure

Countermeasures

  • Practice safe and secure coding standards.
  • Check your code.
  • Consider prohibiting the use of old C runtime buffer functions.
  • Employ stack execution protection.
  • Use compiler tools.

Heap/BSS/Data Overflows

  • Very similar to stack overflows
  • The heap is used by programs to allocate dynamic memory at runtime.

Countermeasures

  • Practice safe and secure coding standards.
  • Check your code.
  • Consider prohibiting the use of old C runtime buffer functions.
  • Employ stack execution protection.
  • Use compiler tools.
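The stack and heap countermeasure lists above both come down to the same discipline: never call an old C runtime buffer function that does not take a length, and make every write bounded by the capacity of its destination. The following is an added example, not code from the book or from the page's author; the names unsafe_greeting, copy_bounded, greet_stack, struct record and store_on_heap are my own, and the 16-byte and 8-byte buffer sizes are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern the countermeasures target: an old C runtime buffer function
 * with no length argument. strcpy() copies until the source's NUL, so a name
 * longer than 15 bytes runs past the end of buf. Kept here for contrast only;
 * nothing below calls it. */
void unsafe_greeting(const char *name)
{
    char buf[16];
    strcpy(buf, name);
    puts(buf);
}

/* Bounded replacement. The destination capacity is an explicit argument, the
 * source is scanned only within that capacity (memchr rather than strlen on
 * untrusted data), over-long input is rejected instead of silently truncated,
 * and the result is always NUL-terminated. Returns 0 on success, -1 if src
 * would not fit. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) {          /* no terminator within dst_size bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* copies the NUL too */
    return 0;
}

/* Stack case: same 16-byte buffer, but the copy is bounded by sizeof buf. */
int greet_stack(const char *name)
{
    char buf[16];
    if (copy_bounded(buf, sizeof buf, name) != 0)
        return -1;
    printf("Hello, %s\n", buf);
    return 0;
}

/* Heap case: the capacity is stored next to the buffer when it is allocated
 * and reused for every later write, so a write can never exceed what
 * malloc() handed out. */
struct record {
    size_t cap;
    char *data;
};

struct record *record_new(size_t cap)
{
    struct record *r = malloc(sizeof *r);
    if (r == NULL)
        return NULL;
    r->data = malloc(cap);
    if (r->data == NULL) {
        free(r);
        return NULL;
    }
    r->cap = cap;
    if (cap > 0)
        r->data[0] = '\0';
    return r;
}

int record_set(struct record *r, const char *value)
{
    return copy_bounded(r->data, r->cap, value);
}

void record_free(struct record *r)
{
    if (r != NULL) {
        free(r->data);
        free(r);
    }
}

/* Returns 0 if value fits in a cap-byte heap record, -1 otherwise. */
int store_on_heap(size_t cap, const char *value)
{
    struct record *r = record_new(cap);
    if (r == NULL)
        return -1;
    int rc = record_set(r, value);
    record_free(r);
    return rc;
}

int main(void)
{
    printf("stack ok: %d\n", greet_stack("alice"));
    printf("stack too long: %d\n", greet_stack("a name that is longer than fifteen bytes"));
    printf("heap ok: %d, heap too long: %d\n",
           store_on_heap(8, "1234567"), store_on_heap(8, "12345678"));
    return 0;
}
```

The "compiler tools" and "stack execution protection" items map onto build settings rather than source changes: compiling with -fstack-protector-strong adds a canary check to functions such as greet_stack, -D_FORTIFY_SOURCE=2 with optimisation turns some unbounded calls into checked ones, and a non-executable stack (DEP/NX) is enforced by the loader and kernel. None of those replaces the bounded copy; they limit the damage when a bound is still missed.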

Format String Attacks

  • Overwrites portions of memory to give the hacker control over the CPU’s execution flow.
  • Takes advantage of misused functions, most notably, the printf() family of functions.

Countermeasures

  • Hard-code the format specifier in your functions. In other words, always call printf() with a constant format string and pass the data as an argument, never as the format itself.
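The countermeasure above in code, as an added example that is not from the book or the page's author; the functions render_log_line, render_log_line_static and specifiers_left_literal are my own names. The unsafe pattern is described in the comment rather than compiled, and the hardened version keeps the format string constant so that any % sequence in user text is copied as plain characters.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern (described, not called): printf(user_text). The user's
 * bytes are then parsed as the format, so conversion specifiers in them
 * read from or write to memory the caller never intended to expose.
 * The fix below passes a constant format and hands the text to "%s". */

/* Renders "[client] <user_text>" into out. Returns out, or NULL when the
 * line would not fit (snprintf reports the full length it wanted). */
const char *render_log_line(char *out, size_t out_size, const char *user_text)
{
    int n = snprintf(out, out_size, "[client] %s", user_text);
    if (n < 0 || (size_t)n >= out_size)
        return NULL;            /* truncated: refuse rather than log a partial line */
    return out;
}

/* Convenience wrapper with an internal 128-byte buffer for quick checks. */
const char *render_log_line_static(const char *user_text)
{
    static char buf[128];
    return render_log_line(buf, sizeof buf, user_text);
}

/* Returns 1 if the rendered line reproduces user_text byte for byte, i.e.
 * no conversion specifier inside it was interpreted; 0 otherwise. */
int specifiers_left_literal(const char *user_text)
{
    const char *line = render_log_line_static(user_text);
    if (line == NULL)
        return 0;
    return strcmp(line + strlen("[client] "), user_text) == 0;
}

int main(void)
{
    const char *line = render_log_line_static("%x %x %n");
    printf("%s\n", line ? line : "(too long)");
    printf("left literal: %d\n", specifiers_left_literal("%x %x %n"));
    return 0;
}
```

Building with -Wformat -Wformat-security (gcc and clang) flags any call where the format argument is not a literal, which is the cheapest way to find the unsafe pattern across a code base.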

Off-by-One Errors

  • When a programmer miscounts a boundary in a conditional statement.
  • E.g. if (id < 0 || id > channels_alloc): the test should be >=, because index channels_alloc is one past the last allocated element, so this check accepts one invalid value.

Countermeasures

  • Check all code carefully
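To make the off-by-one concrete, here is an added example (my own code, not the book's) that puts the quoted condition next to the corrected one and counts how many indices each accepts for a constructed four-entry channel table; the names index_ok_offbyone, index_ok, channel_lookup and count_accepted are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

#define CHANNELS_ALLOC 4

struct channel {
    int id;
    const char *name;
};

/* Constructed table of CHANNELS_ALLOC entries: valid indices are 0..3. */
static const struct channel channels[CHANNELS_ALLOC] = {
    {0, "console"}, {1, "shell"}, {2, "forward"}, {3, "agent"}
};

/* The check as quoted in the text. It rejects id < 0 and id > channels_alloc
 * but lets id == channels_alloc through, which is one past the last element. */
int index_ok_offbyone(int id, int channels_alloc)
{
    if (id < 0 || id > channels_alloc)
        return 0;
    return 1;
}

/* Corrected: an index is valid only when strictly less than the count. */
int index_ok(int id, int channels_alloc)
{
    if (id < 0 || id >= channels_alloc)
        return 0;
    return 1;
}

/* Lookup built on the corrected check; NULL for anything out of range. */
const struct channel *channel_lookup(int id)
{
    if (!index_ok(id, CHANNELS_ALLOC))
        return NULL;
    return &channels[id];
}

/* Counts how many ids in 0..n (inclusive) a check accepts: the buggy check
 * accepts n + 1 values for an n-element table, the corrected one exactly n. */
int count_accepted(int (*check)(int, int), int n)
{
    int accepted = 0;
    for (int id = 0; id <= n; id++)
        accepted += check(id, n);
    return accepted;
}

int main(void)
{
    printf("buggy check accepts %d of %d indices\n",
           count_accepted(index_ok_offbyone, CHANNELS_ALLOC), CHANNELS_ALLOC);
    printf("fixed check accepts %d of %d indices\n",
           count_accepted(index_ok, CHANNELS_ALLOC), CHANNELS_ALLOC);
    const struct channel *c = channel_lookup(CHANNELS_ALLOC);
    printf("lookup of id %d: %s\n", CHANNELS_ALLOC, c ? c->name : "rejected");
    return 0;
}
```

The one-index difference is easy to miss in review, which is why "check all code carefully" in practice means writing a test that probes both boundaries (the last valid index and the first invalid one) for every bounds check.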

Canonicalization Attacks

  • Canonicalization is the process for determining how various forms or characters of a word are resolved to a single name or character.

Countermeasures

  • Address the problem with the language you are writing in.
  • Be specific about what data your application will accept.
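Canonicalization attacks succeed when a check runs on one spelling of a name and the file system or parser later resolves a different one. The added example below (my own code, not from the book) canonicalizes a URL path before deciding whether it stays under a permitted base directory: it percent-decodes once, resolves "." and ".." segments lexically, and only then compares. The names percent_decode, normalize_abs, canonicalize_path, canon_equals and path_allowed, the base directory /var/www/docs, and the 256-byte limits are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* One pass of percent-decoding (%2e -> '.', %2f -> '/'). Returns 0, or -1 on a
 * malformed escape, an embedded NUL, or output that would not fit. */
static int percent_decode(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int h = hexval((unsigned char)in[i + 1]);
            int l = (h < 0) ? -1 : hexval((unsigned char)in[i + 2]);
            if (h < 0 || l < 0) return -1;
            c = h * 16 + l;
            i += 2;
        }
        if (c == '\0') return -1;
        if (o + 1 >= out_size) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Lexically resolves "." and ".." in an absolute path and collapses repeated
 * slashes. Returns 0, or -1 if the path is relative, climbs above "/", or
 * does not fit. */
static int normalize_abs(const char *in, char *out, size_t out_size)
{
    if (in[0] != '/' || out_size < 2) return -1;
    size_t o = 0;
    out[o++] = '/';                     /* out is kept as "/a/b/" while building */
    const char *p = in;
    while (*p != '\0') {
        while (*p == '/') p++;
        if (*p == '\0') break;
        const char *seg = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.') continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (o == 1) return -1;      /* ".." above the root: reject outright */
            o--;                        /* drop trailing '/' */
            while (o > 0 && out[o - 1] != '/') o--;   /* drop last segment */
            continue;
        }
        if (o + len + 2 > out_size) return -1;
        memcpy(out + o, seg, len);
        o += len;
        out[o++] = '/';
    }
    if (o > 1) o--;                     /* strip trailing '/' except for "/" */
    out[o] = '\0';
    return 0;
}

/* Decode, then normalize: every spelling of a resource maps to one form. */
int canonicalize_path(const char *in, char *out, size_t out_size)
{
    char decoded[256];
    if (percent_decode(in, decoded, sizeof decoded) != 0) return -1;
    return normalize_abs(decoded, out, out_size);
}

/* 1 if in canonicalizes to expected, 0 otherwise (or if in is rejected). */
int canon_equals(const char *in, const char *expected)
{
    char canon[256];
    if (canonicalize_path(in, canon, sizeof canon) != 0) return 0;
    return strcmp(canon, expected) == 0;
}

/* The actual policy check. base must already be canonical with no trailing
 * slash. The comparison runs on the canonical form only, and "/docs2" is not
 * treated as being under "/docs". Returns 1 to allow, 0 to refuse. */
int path_allowed(const char *base, const char *requested)
{
    char canon[256];
    if (canonicalize_path(requested, canon, sizeof canon) != 0) return 0;
    size_t bl = strlen(base);
    if (strncmp(canon, base, bl) != 0) return 0;
    return canon[bl] == '\0' || canon[bl] == '/';
}

int main(void)
{
    const char *req[] = {"/var/www/docs/./sub/../report%2etxt",
                         "/var/www/docs/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                         "/var/www/docs2/secret"};
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", req[i],
               path_allowed("/var/www/docs", req[i]) ? "allowed" : "refused");
    return 0;
}
```

Two design points matter here. Decoding happens exactly once; if a front-end proxy also decodes, the check must run on what the back end will actually see, which is the "be specific about what data your application will accept" item in practice. And the check compares canonical strings, not the raw request, so dotted, encoded and slash-doubled spellings all land on the same decision.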

Common Countermeasures

  • People:
    • Changing the Culture
    • Talk Softly
    • Carry a Big Stick
    • Security Improves Quality and Efficiency
    • Encode It into Governance
    • Measure, Measure, Measure
    • Accountability
  • Process:
    • Appoint a Security Liaison on the Development Team
    • Education, Education, Education
    • Threat Modeling
    • Code Checklists
    • Security in the Development Lifecycle
    • Security Testing
    • Audit or Final Security Review
    • Maintenance
  • Technology:
    • Managed Execution Environments
    • Input Validation Libraries
    • Platform Improvements

Conclusion

  • Stack buffer overflows are the easiest and most dangerous buffer overrun hacks.
  • printf() is the function most misused by format string attacks.
  • Canonicalization: the process for determining how various forms or characters of a word are resolved to a single name or character.
  • Many common countermeasures.

Quiz

  • What is considered the easiest buffer overrun hack?
  • Which function is the most misused by Format string attacks?
  • Name 3 common countermeasures.

Answers

  • Stack Buffer Overflows
  • Printf()
  • Any of the 18 given

HackingExposedChapter10 (last edited 2010-04-20 02:38:51 by host-216-229-236-29)