470 likes | 585 Views
Security Analysis. What is it? Rapidly growing area of computer science. Concerned with whether or not a system and its communications are secure. Why do we study it? Difficult to say how a program will behave on a given system by simply looking at a program and the programmers intentions.
E N D
Security Analysis • What is it? • Rapidly growing area of computer science. • Concerned with whether or not a system and its communications are secure. • Why do we study it? • Difficult to say how a program will behave on a given system by simply looking at a program and the programmers intentions. • Need formal methods for reasoning about the behaviour of systems.
C I A • Confidentiality • Ability to hide data. (e.g. Encryption) • Most obvious security idea → Attacked most often. • Integrity • Ability to ensure that the data is accurate. (e.g. Quantum cryptography) • Availability • Data is accessible to authorised viewers at all times. • If its too inconvenient to use, it wont be! A widely used idea in Security Analysis. (Note : The ideas of security analysis go beyond encryption. )
Types of Security Attacks. • Software Exploits. • Careless programming / obscure interactions. • Buffer overflows (Alex will be talking about these). • Insecure communications (e.g. FTP, American Satellite). • Timing Attacks. • Slow systems. • Password checking • SMART Cards • Denial of Service Attacks. • Aim is to crash target program / system. • Aimed at a particular piece of software • Repeated requests → Resource starvation.
What are the solutions? • Better Programming. • Helps us to counter timing attacks. • Test the systems. • Formally using logics. • π-Calculus, λ-Calculus. • Brute force. • There isn’t always a solution / problems can take time to appear. • Needham-Schroeder was in use for 18 years
Buffer Overflow.c (1) #include <stdio.h> /* global variables */ int count, address; int * ptr;
Buffer Overflow.c (1) #include <stdio.h> /* global variables */ int count, address; int * ptr; void funct(void) { printf("This function is never called...\n"); }
Buffer Overflow.c (2) void fill_buffer() { int buffer[10]; ptr = buffer; }
Buffer Overflow.c (2) void fill_buffer() { int buffer[10]; ptr = buffer; for(count = 0; count < 12; count++) { *ptr = address; ptr++; } }
Buffer Overflow.c (3) int main(void) { address = (int) &funct; fill_buffer(); return 0; }
Buffer Overflow.c (3) int main(void) { address = (int) &funct; fill_buffer(); return 0; } Output: This function is never called... Segmentation Fault
During a function call Stack organisation
During a function call Stack organisation FFF Stack grows down-wards 000
During a function call Stack organisation FFF Stack grows down-wards 000
During a function call Stack organisation FFF Stack grows down-wards 000
During a function call Stack organisation FFF Stack grows down-wards 000
During a function call Stack organisation FFF Stack grows down-wards 000
During a function call ptr Stack organisation FFF Stack grows down-wards 000 count = 0
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 0
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 1
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 2
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 3
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 4
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 5
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 6
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 7
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 8
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 9
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 10
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 11
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 12
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 12
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 12
During a function call ptr Stack organisation FFF FFF Stack grows down-wards Pointer (ptr) copies upwards 000 000 count = 12
During a function call ptr Stack organisation FFF Pointer (ptr) copies upwards 000 return;
During a function call ptr Stack organisation FFF Pointer (ptr) copies upwards 000 return;
During a function call ptr Stack organisation FFF Pointer (ptr) copies upwards 000 return;
During a function call ptr Stack organisation FFF Pointer (ptr) copies upwards 0x8048410 000 return;
During a function call Stack organisation 0x8048410 return;
During a function call Stack organisation 0x8048410 return;
During a function call Stack organisation 0x8048410 return;
During a function call Stack organisation 0x8048410 return;
During a function call Stack organisation 0x8048410 return;
During a function call Stack organisation void funct(void) { printf("This function is never called...\n"); } 0x8048410 return;
Real Buffer Overflow Attacks • You can’t write the functions yourself! • strcpy() provides a similar opportunity • Provide an unsuitably long input string • Learn the stack organisation • Write malicious code into the buffer itself • Point the return address at your code • Program executes code, then crashes
Solutions? • Various approaches exist • Security Analysis relatively successful • One successful technique uses “canaries” • But we’re not going to explain them here • See the project report for more information • Also, links available (now) on the website
The End • Please ask lots of questions now... • Not about canaries though…
A Badly Written Password Checker PassChecker(str given, str password){ If (length(given) != length(password)){ return 0; } for (i = 0; i < length(password); i++){ if{given[i] != password[i]){ return 0; } } return 1; }