Agenda
• Last words on buffer overflows
• Overview of a few more techniques
• Defenses
• Attacks on network protocols

SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo
Stack-based overflow: more techniques
• Injected code can be in
  • The overflowed buffer itself
  • An environment variable
  • Another buffer (which is not overflowed)
• Intrusion detection systems
  • Check for non-ASCII bytes in buffers
  • Attackers then use polymorphic shellcodes
• Non-executable stack
  • “Return to libc” technique
    • Point return address to, say, system(), execve()
    • Feed system() with a string pointing to a shell
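The byte-level check the slide attributes to intrusion detection systems, as an added example (illustration code, not from the lecture): count bytes that are neither printable ASCII nor ordinary whitespace and flag a buffer whose share of them is high. The 30% threshold, the sample inputs and the function names are assumptions; the third sample shows why the slide says attackers answered with polymorphic shellcode, since a payload encoded into printable bytes passes this check untouched.

```c
#include <stddef.h>
#include <stdio.h>

/* Count bytes that are neither printable ASCII nor ordinary whitespace. */
size_t count_non_ascii(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        int printable  = (c >= 0x20 && c < 0x7F);
        int whitespace = (c == '\t' || c == '\n' || c == '\r');
        if (!printable && !whitespace)
            n++;
    }
    return n;
}

/* Flag a buffer whose share of such bytes is at least permille/1000.
 * The threshold is an assumption; a real IDS tunes it per protocol. */
int payload_suspicious(const unsigned char *buf, size_t len, unsigned permille)
{
    if (len == 0)
        return 0;
    return count_non_ascii(buf, len) * 1000 >= (size_t)permille * len;
}

/* Constructed samples, not captured traffic. */
const unsigned char SAMPLE_TEXT[] =
    "GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n";
#define SAMPLE_TEXT_LEN (sizeof SAMPLE_TEXT - 1)

/* Binary-looking filler (32 bytes of 0x90) followed by eight letters. It
 * stands in for raw machine code in a request and is not a working payload. */
const unsigned char SAMPLE_BINARY[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'
};
#define SAMPLE_BINARY_LEN (sizeof SAMPLE_BINARY)

/* Stand-in for a payload re-encoded into printable bytes only: the check
 * cannot distinguish it from text, which is the limitation the slide notes. */
const unsigned char SAMPLE_PRINTABLE[] =
    "QWERTYUIOPASDFGHJKLZXCVBNM0123456789qwertyuiopasdfgh";
#define SAMPLE_PRINTABLE_LEN (sizeof SAMPLE_PRINTABLE - 1)

int main(void)
{
    printf("text:      %zu non-ASCII, suspicious=%d\n",
           count_non_ascii(SAMPLE_TEXT, SAMPLE_TEXT_LEN),
           payload_suspicious(SAMPLE_TEXT, SAMPLE_TEXT_LEN, 300));
    printf("binary:    %zu non-ASCII, suspicious=%d\n",
           count_non_ascii(SAMPLE_BINARY, SAMPLE_BINARY_LEN),
           payload_suspicious(SAMPLE_BINARY, SAMPLE_BINARY_LEN, 300));
    printf("printable: %zu non-ASCII, suspicious=%d\n",
           count_non_ascii(SAMPLE_PRINTABLE, SAMPLE_PRINTABLE_LEN),
           payload_suspicious(SAMPLE_PRINTABLE, SAMPLE_PRINTABLE_LEN, 300));
    return 0;
}
```

Run it as a single C file; the binary-looking sample trips the check, the plain request and the printable-only sample do not. That last result is the point of the slide's second sub-bullet: a byte-distribution rule is cheap, but it only catches payloads that look like machine code.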
Other Overflow Attacks
• Heap and BSS overflow
  • I need more time on this
  • Use one dynamically allocated variable to overflow another
  • This will change the way the program behaves
• Format string vulnerabilities
  • printf() …
• Off-by-one overflow
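The format string case the slide abbreviates as "printf() …", as an added example (not from the lecture): the vulnerable pattern passes user data as the format itself, the hardened form keeps the format a literal, and two filter routines show what code can do when it cannot change the call site. The message text, function names and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable pattern: user data is the format. Directives in it, such
 * as %x or %n, make printf read the caller's stack or write memory. The
 * call goes through a pointer only so the compiler's format checker does
 * not reject this one demonstration line; nothing below invokes it. */
void log_message_unsafe(const char *user)
{
    int (*print)(const char *, ...) = printf;
    print(user);
}

/* Hardened form: the format is a literal, user data is only an argument. */
int log_message_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "login failed for user: %s", user);
}

/* Same thing with a static buffer, so callers can compare the result. */
const char *format_login_failure(const char *user)
{
    static char out[128];
    log_message_safe(out, sizeof out, user);
    return out;
}

/* Input filter: does the string carry anything a format function acts on? */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Defence in depth for code that must hand the string to a legacy API as
 * a format: double every '%' so it prints literally. Returns the length
 * written, or -1 if out is too small. */
int escape_percent(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outsz)
            return -1;
        if (*in == '%')
            out[o++] = '%';
        out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

const char *escaped(const char *in)
{
    static char out[128];
    if (escape_percent(in, out, sizeof out) < 0)
        out[0] = '\0';
    return out;
}

int main(void)
{
    const char *hostile = "%x%x%x%n";   /* constructed input holding directives */
    printf("%s\n", format_login_failure(hostile));   /* directives stay literal */
    if (contains_format_directive(hostile))
        printf("escaped for a legacy format API: %s\n", escaped(hostile));
    return 0;
}
```

Compile with warnings on: a direct `printf(user)` is flagged by `-Wformat-security`, which is the cheapest static check for this bug class and the reason the unsafe function here hides the call behind a pointer.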
Buffer-overflow defenses
• Write correct code
  • Code auditing (by humans)
  • Static code analysis: quite effective
  • Use fault-injection tools
• Non-executable stack
• Array-bound checking (with compiler)
• Code pointer integrity checking
  • StackShield, StackGuard, PointGuard
  • Read Phrack Magazine 56 (5), May 2000
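Two of the defenses named on this slide, array-bound checking and a StackGuard-style code-pointer integrity check, together with the off-by-one case from the previous slide, as one added example (not from the lecture or from StackGuard itself). The stack frame is simulated as a struct so the overrun is deterministic and stays inside memory the program owns; the frame layout, the fixed canary value, the return-address value and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define CANARY   0x0A00FF0Du   /* fixed for the demo; real canaries are random */

/* Simulated stack frame: the local buffer is followed by the guard word
 * and then the saved return address, the order StackGuard relies on. */
struct sim_frame {
    char     buf[BUF_SIZE];
    uint32_t canary;
    uint32_t saved_ret;
};

void frame_init(struct sim_frame *f, uint32_t ret)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY;
    f->saved_ret = ret;
}

/* The unsafe pattern: a copy with no bound, as strcpy(buf, input) would do.
 * Modelled as a byte copy over the whole struct; the clamp keeps the model
 * itself memory-safe while still letting data run past buf. */
void unsafe_copy(struct sim_frame *f, const char *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* Array-bound checking: refuse input that does not fit, and reserve one
 * byte for the terminator (len == BUF_SIZE is the classic off-by-one). */
int safe_copy(struct sim_frame *f, const char *src, size_t len)
{
    if (len >= BUF_SIZE)
        return -1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return 0;
}

/* Code-pointer integrity check: before the saved return address would be
 * used, verify the guard word that sits in front of it. */
int canary_intact(const struct sim_frame *f)
{
    return f->canary == CANARY;
}

/* Scenario helpers on a constructed 24-byte input of 'A's. */
int unsafe_copy_clobbers_canary(void)
{
    struct sim_frame f; char big[24];
    memset(big, 'A', sizeof big);
    frame_init(&f, 0x08048000u);          /* assumed return address */
    unsafe_copy(&f, big, sizeof big);
    return !canary_intact(&f);
}

uint32_t unsafe_copy_saved_ret(void)
{
    struct sim_frame f; char big[24];
    memset(big, 'A', sizeof big);
    frame_init(&f, 0x08048000u);
    unsafe_copy(&f, big, sizeof big);
    return f.saved_ret;
}

int safe_copy_rejects_oversize(void)
{
    struct sim_frame f; char big[24];
    memset(big, 'A', sizeof big);
    frame_init(&f, 0x08048000u);
    return safe_copy(&f, big, sizeof big) == -1
        && canary_intact(&f) && f.saved_ret == 0x08048000u;
}

int main(void)
{
    printf("unsafe_copy: canary clobbered=%d, saved_ret=0x%08x\n",
           unsafe_copy_clobbers_canary(), unsafe_copy_saved_ret());
    printf("safe_copy:   oversize rejected, frame intact=%d\n",
           safe_copy_rejects_oversize());
    return 0;
}
```

The unbounded copy overwrites the guard word and the saved return address with 0x41414141, and the check catches it before the return would happen; the bounded copy never reaches either field. Real StackGuard does the same comparison in the function epilogue with a random canary, which is why the fixed value here is labelled as a demo simplification.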
Other things
• Password cracking
  • Dictionary attacks
  • Exhaustive brute-force attacks
  • Hash lookup tables
  • Password probability matrix
• WEP attacks
  • Offline brute-force attacks
  • Keystream reuse
  • IP redirection
  • Fluhrer, Mantin, and Shamir (FMS) attack
Some network protocol attacks & techniques
• SYN-flooding
• TCP/IP Hijacking
  • RST hijacking
• The ping of death
• Ping flooding, amplification attacks
• Port scanning
  • Stealth SYN scan
  • FIN, X-mas, Null scans
  • Spoofing decoys
  • Idle scanning
• IP Spoofing and defenses against it
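Detection logic for the first two items a sensor would look for on this slide, SYN flooding and the stealth SYN scan, as an added example (not from the lecture): tally SYN and ACK segments per source address, classify sources that open many ports or many connections without ever completing a handshake, and, because flood sources are usually spoofed, also count half-open connections per destination port. The packet model, thresholds, addresses and the constructed trace are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_ACK 0x10
#define MAX_SOURCES    16
#define MAX_PORTS      64
#define FLOOD_MIN_SYNS 40   /* thresholds are assumptions for the example */
#define SCAN_MIN_PORTS 10

/* Minimal view of a TCP segment: source address, destination port, flags. */
struct pkt { uint32_t src; uint16_t dport; uint8_t flags; };

struct source_stats {
    uint32_t src;
    unsigned syn_only;          /* SYN segments without ACK */
    unsigned acks;              /* ACK segments: a handshake completed */
    unsigned nports;            /* distinct destination ports touched */
    uint16_t ports[MAX_PORTS];
};

enum verdict { VERDICT_NORMAL, VERDICT_FLOOD, VERDICT_SCAN };

static struct source_stats *slot_for(struct source_stats *t, unsigned *n, uint32_t src)
{
    for (unsigned i = 0; i < *n; i++)
        if (t[i].src == src) return &t[i];
    if (*n >= MAX_SOURCES) return NULL;
    t[*n] = (struct source_stats){ .src = src };
    return &t[(*n)++];
}

/* Aggregate a trace per source address; returns the number of sources seen. */
unsigned tally(const struct pkt *p, size_t n, struct source_stats *table)
{
    unsigned used = 0;
    for (size_t i = 0; i < n; i++) {
        struct source_stats *s = slot_for(table, &used, p[i].src);
        if (!s) continue;                          /* table full: drop */
        if (p[i].flags & TH_ACK) { s->acks++; continue; }
        if (!(p[i].flags & TH_SYN)) continue;
        s->syn_only++;
        unsigned k = 0;
        while (k < s->nports && s->ports[k] != p[i].dport) k++;
        if (k == s->nports && s->nports < MAX_PORTS) s->ports[s->nports++] = p[i].dport;
    }
    return used;
}

/* Per-source heuristics: many ports and no completed handshake looks like a
 * SYN scan; many SYNs to one service and no completion looks like a flood. */
enum verdict classify(const struct source_stats *s)
{
    if (s->acks == 0 && s->nports >= SCAN_MIN_PORTS) return VERDICT_SCAN;
    if (s->acks == 0 && s->syn_only >= FLOOD_MIN_SYNS) return VERDICT_FLOOD;
    return VERDICT_NORMAL;
}

/* Server-side signal that survives spoofed sources: SYNs minus ACKs per port. */
long half_open_on_port(const struct pkt *p, size_t n, uint16_t port)
{
    long syns = 0, acks = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i].dport != port) continue;
        if (p[i].flags & TH_ACK) acks++;
        else if (p[i].flags & TH_SYN) syns++;
    }
    return syns - acks;
}

/* Constructed trace (generated, not captured): a normal client, a flooder, a scanner. */
size_t build_trace(struct pkt *out, size_t cap)
{
    size_t n = 0;
    if (cap < 72) return 0;
    out[n++] = (struct pkt){ 0x0A000001u, 80, TH_SYN };  /* 10.0.0.1 completes a handshake */
    out[n++] = (struct pkt){ 0x0A000001u, 80, TH_ACK };
    for (int i = 0; i < 50; i++)                         /* 10.0.0.2: 50 SYNs to :80, no ACK */
        out[n++] = (struct pkt){ 0x0A000002u, 80, TH_SYN };
    for (uint16_t p = 1; p <= 20; p++)                   /* 10.0.0.3: one SYN to each of 20 ports */
        out[n++] = (struct pkt){ 0x0A000003u, p, TH_SYN };
    return n;
}

enum verdict verdict_for(uint32_t src)
{
    struct pkt trace[128];
    struct source_stats table[MAX_SOURCES];
    size_t n = build_trace(trace, 128);
    unsigned used = tally(trace, n, table);
    for (unsigned i = 0; i < used; i++)
        if (table[i].src == src) return classify(&table[i]);
    return VERDICT_NORMAL;
}

long half_open_port80(void)
{
    struct pkt trace[128];
    return half_open_on_port(trace, build_trace(trace, 128), 80);
}

int main(void)
{
    printf("10.0.0.1 -> %d, 10.0.0.2 -> %d, 10.0.0.3 -> %d (0 normal, 1 flood, 2 scan)\n",
           verdict_for(0x0A000001u), verdict_for(0x0A000002u), verdict_for(0x0A000003u));
    printf("half-open connections on port 80: %ld\n", half_open_port80());
    return 0;
}
```

The per-source table is what catches a scan, since a scanner must use a source it can receive replies at; the per-port half-open count is what catches a flood, since the slide's IP spoofing item is exactly the trick that makes per-source counting useless against it. Real sensors add a time window to both counters; the example leaves that out to keep the logic visible.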