
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES



Presentation Transcript


  1. BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales

  2. Introduction & Overview • Security exploits + Computer viruses = very complex attacks. • Types of Vulnerabilities: • Stack Buffer Overflows • Heap Overflows • Function Pointers • Input Validation • URL Encoding and Canonicalization • MIME Header Parsing • Format String Attacks

  3. Blended Attack • What is a blended attack? • Also known as blended threat. • Virus exploits a system or application security flaw to infect new systems. • Infection vector: one or more vulnerabilities.

  4. Let’s begin with a bit of controversy • A security or an anti-virus issue? • Some security people think: • A computer virus is not part of security. • No relation between computer security and computer viruses. • Example: CodeRed. • The authors’ answer: a mixed approach. • Multi-layered security solutions.

  5. Buffer Overflow • What is it? A buffer overflow occurs when a program tries to store data in a buffer and the data is larger than the buffer, so the excess is written past the buffer’s end.

  6. Buffer Overflow Generations • First Generation: overwriting stack memory. • Second Generation: heaps, function pointers and off-by-one exploits. • Third Generation: format string attacks, vulnerabilities in heap structure management, and input validation.

  7. First Generation: Stack Buffer Overflow (Cont.) • Causes of stack-based overflow vulnerabilities • Lack of verification of the amount of data written into a buffer (e.g., strcpy). • Better to use: strncpy or strlcpy. • Careful with strncpy! • If the count is too large, it still overflows the buffer. • Typical mistake: off-by-ones.

  8. Second Generation: Off-By-Ones Overflows • Cause: errors counting the size of the buffer. • Consequence: single byte overflow.

  9. Second Generation: Off-By-Ones Overflows (Cont.) • Example: Set the overflow byte to 0x00.

  10. Second Generation: Heap Overflow • A heap is dynamically allocated memory. • It lives outside the stack. • No return addresses to overwrite. • Common misconception: the heap is safe. • This is not the case: • Potentially more difficult to redirect execution. • Buffer overflows and exploitation are still possible.

  11. Second Generation: Heap Overflow (Cont.) • A program with a heap overflow:

      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>

      int main(int argc, char **argv) {
          char *buffer = (char *) malloc(16);
          char *input = (char *) malloc(16);
          if (argc < 2) return 1;                /* one argument is required */
          strcpy(buffer, "AAAAAAAAAAAAAAA");     /* 15 chars + NUL fit in 16 bytes */
          strcpy(input, argv[1]);                /* non-bounds-checked copy: a long argv[1] overruns the 16-byte chunk */
          printf("%s", buffer);
          return 0;
      }

  12. Second Generation: Heap Overflow (Cont.) • With a valid input size, memory looks as follows: • With input that is too large (a series of B’s):

  13. Second Generation: Heap Overflow (Cont.) • Exploiting the Overflow

  14. Second Generation: Heap Overflow (Cont.) • No overflow: • Overflow, with buffer equal to XXXXXXXXXXXXXXXX00300ECB and argv[1] equal to C:\AUTOEXEC.BAT; memory appears as:
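An added example (not code from the paper or the slides) that serves slide 7 and slides 11 to 14: a bounded copy that cannot be given a count larger than the destination, a function exposing the strncpy no-terminator pitfall, and a hardened form of the slide’s heap program. BUFSZ, bounded_copy, fits_in_bufsz and strncpy_terminated are names chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 16   /* same size as the two malloc(16) buffers on the slide */

/* Copy src into dst[dstsz], always NUL-terminating. Returns 0 on success and
 * -1 if src would not fit; the caller then rejects the input instead of
 * silently truncating it. Unlike strncpy, the count can never be too large. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)   /* n == dstsz leaves no room for the NUL */
        return -1;
    memcpy(dst, src, n + 1);        /* n + 1 copies the terminator as well */
    return 0;
}

/* Convenience wrapper: does src fit in a BUFSZ-byte buffer? 0 = yes, -1 = no. */
int fits_in_bufsz(const char *src) {
    char buf[BUFSZ];
    return bounded_copy(buf, sizeof buf, src);
}

/* The strncpy caveat from slide 7: with count == sizeof buf and a source of
 * at least BUFSZ characters, no terminator is written, so a later printf or
 * strlen reads past the buffer. Returns 1 if buf is terminated, 0 if not. */
int strncpy_terminated(const char *src) {
    char buf[BUFSZ];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Hardened form of the heap program from slide 11: the copy into the second
 * malloc'd chunk can no longer run into its neighbour or the heap metadata. */
int main(int argc, char **argv) {
    char *buffer = malloc(BUFSZ);
    char *input = malloc(BUFSZ);
    if (argc < 2 || !buffer || !input)
        return 1;
    strcpy(buffer, "AAAAAAAAAAAAAAA");     /* 15 chars + NUL: fits exactly */
    if (bounded_copy(input, BUFSZ, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %d bytes)\n", BUFSZ - 1);
        return 1;
    }
    printf("%s %s\n", buffer, input);
    free(buffer);
    free(input);
    return 0;
}
```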

  15. Second Generation: Function Pointers (Cont.) • Occur mainly in callbacks. • If a function pointer in memory follows a buffer, it risks being overwritten when the buffer is unchecked. • Our friend strcpy again.

  16. Second Generation: Function Pointers (Cont.)

  17. Second Generation: Function Pointers (Cont.) • The memory looks as follows: • Afterwards (argv[1]: ABCDEFGHIJKLMNOP004013B0):

  18. Third Generation: Input Validation • Exploits take advantage of improperly validated input. • Problems with Web Servers and E-mail Clients. • We’ll see two types: • URL Canonicalization. • MIME Header Parsing.

  19. URL Canonicalization • Canonicalization: when a resource can be represented in more than one way. • Canonicalization is the process of converting data that has more than one possible representation into a "standard" canonical representation. (wikipedia.org) • Where is the vulnerability? • A decision is based on a URL • Not all possible URL representations are taken into account.

  20. URL Canonicalization (Cont.) • Example: Web server. • Allows access only to /user and its subdirectories. • Validation: examines the URL for the string /user. • The following URL: http://domain.tld/user/../../autoexec.bat passes that check but escapes /user and reaches the root directory.
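An added example (not from the paper) of the check on this slide beside a hardened one: the substring test passes the /user/../../autoexec.bat path, while resolving the dot-segments first and then requiring a real /user prefix rejects it. It works on the path part of the URL only (host stripping and percent-decoding are left out); naive_allows, canonicalize and canonical_allows are names chosen here.

```c
#include <string.h>

/* The check the slide describes: allow if the string "/user" occurs anywhere. */
int naive_allows(const char *path) {
    return strstr(path, "/user") != NULL;
}

/* Resolve "." and ".." segments of an absolute path into out[outsz].
 * Returns 0 on success, -1 if ".." would climb above "/" (treated as an
 * attack, not silently clamped) or if the result does not fit. */
int canonicalize(const char *path, char *out, size_t outsz) {
    size_t len = 1;                           /* bytes written to out */
    const char *p;
    if (path[0] != '/' || outsz < 2) return -1;
    out[0] = '/';
    p = path + 1;
    while (*p) {
        const char *seg = p;
        size_t seglen;
        while (*p && *p != '/') p++;
        seglen = (size_t)(p - seg);
        if (*p == '/') p++;                   /* step over the separator */
        if (seglen == 0 || (seglen == 1 && seg[0] == '.'))
            continue;                         /* "//" or ".": no-op */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 1) return -1;          /* nothing left to pop */
            len--;                            /* drop the trailing '/' */
            while (out[len - 1] != '/') len--;/* pop the previous segment */
            continue;
        }
        if (len + seglen + 1 >= outsz) return -1;
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len++] = '/';
    }
    if (len > 1) len--;                       /* strip trailing '/' except for "/" */
    out[len] = '\0';
    return 0;
}

/* Hardened check: canonicalize first, then require the real prefix "/user". */
int canonical_allows(const char *path) {
    char c[256];
    if (canonicalize(path, c, sizeof c) != 0) return 0;
    return strcmp(c, "/user") == 0 || strncmp(c, "/user/", 6) == 0;
}
```

Note that the prefix test also rejects /users/x, which the substring check would let through.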

  21. MIME Header Parsing • Internet Explorer parses a file containing MIME-encoded files by examining the header. • MIME types are associated with a particular application (e.g., audio/basic is associated with Windows Media Player). • Each MIME type has associated settings (icon, show the extension?, automatically pass the file to the application?).

  22. MIME Header Parsing (Cont.) • Example of a MIME header: • An audio/x-wav file is passed automatically to the application based on the content type. • When the associated application is finally determined, the file extension (.EXE) is used instead, and the file is passed to the OS for execution.
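An added example (not from the paper) of a check for the inconsistency this slide describes: the declared Content-Type decides whether a part is handled automatically, while the filename extension decides what runs it. The sample header block is constructed for the example, and the extension table, header_value, type_for_extension and mime_consistent are this example’s own choices.

```c
#include <string.h>
#include <strings.h>    /* strcasecmp / strncasecmp (POSIX) */
/* Find header `name` (case-insensitive) in the CRLF-separated block `hdr`
 * and copy its value into val[n]. Returns 1 if found, 0 otherwise. */
static int header_value(const char *hdr, const char *name, char *val, size_t n) {
    size_t nl = strlen(name);
    const char *p = hdr;
    while (p && *p) {
        if (strncasecmp(p, name, nl) == 0 && p[nl] == ':') {
            size_t i = 0;
            p += nl + 1;
            while (*p == ' ') p++;
            while (*p && *p != '\r' && *p != '\n' && i + 1 < n) val[i++] = *p++;
            val[i] = '\0';
            return 1;
        }
        p = strchr(p, '\n');          /* advance to the next header line */
        if (p) p++;
    }
    return 0;
}
/* The type the extension would map to at dispatch time (minimal table). */
static const char *type_for_extension(const char *fname) {
    const char *ext = strrchr(fname, '.');
    if (!ext) return NULL;
    if (strcasecmp(ext, ".wav") == 0) return "audio/x-wav";
    if (strcasecmp(ext, ".exe") == 0) return "application/x-msdownload";
    return NULL;
}
/* Returns 1 only when the declared Content-Type and the filename extension
 * agree (auto-handling and dispatch pick the same kind of handler), else 0. */
int mime_consistent(const char *part_hdr) {
    char ctype[64], disp[128], fname[64];
    size_t i = 0;
    const char *f, *ext_type;
    if (!header_value(part_hdr, "Content-Type", ctype, sizeof ctype)) return 0;
    if (!header_value(part_hdr, "Content-Disposition", disp, sizeof disp)) return 0;
    if ((f = strstr(disp, "filename=\"")) == NULL) return 0;
    for (f += 10; *f && *f != '"' && i + 1 < sizeof fname; f++) fname[i++] = *f;
    fname[i] = '\0';
    ctype[strcspn(ctype, ";")] = '\0';          /* drop parameters such as name= */
    ext_type = type_for_extension(fname);
    return ext_type != NULL && strcasecmp(ctype, ext_type) == 0;
}
/* Constructed sample in the shape slide 22 describes: declared audio, .exe name. */
const char *SAMPLE_MISMATCH =
    "Content-Type: audio/x-wav; name=\"hello.exe\"\r\n"
    "Content-Disposition: attachment; filename=\"hello.exe\"\r\n";
```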

  23. In-the-Wild • Morris Worm • A buffer overflow attack against the fingerd program. • 512-byte buffer. • Uses gets(), which does no bounds checking. • Linux/ADM • Buffer overflow technique to attack BIND servers. • Malformed IQUERY with a long request body. • Hits a return address. • CodeRed • URL canonicalization and stack overflow exploits. • GET request with the worm in its body.

  24. In-the-Wild (Cont.) • Win32/Badtrans.B@mm • MIME header exploit. • Win32/Nimda.A@mm • MIME exploit. • VBS/Bubbleboy • Uses an ActiveX “safe for scripting” exploit. • Win32/Bebla • MIME exploit.

  25. Current Security • Blended attacks are effective because most security products cannot prevent the threats. • Traditional anti-virus does not scan memory (CodeRed resides entirely in memory). • Firewalls mitigate the problem but do not solve it. • Host-based IDS: hard to provide solutions for a wide variety of platforms within a diversified network. • Counter-attacks have ethical and legal problems.

  26. Solutions • Anti-virus scanners should implement memory scanning. • Scan incoming network data via IDS to prevent threats injected through the network. • Anti-virus should also scan incoming network data to prevent corrupted files from entering the system. • Behavior-blocking technology.

  27. In the Future • The solutions will be deployed into a network of products. • These products communicate with each other and correlate data. • Suspicious activity is monitored, tracked and recorded. • If the threat is confirmed it can be contained/aborted and the logs investigated.

  28. Thank You. Questions?
