COMP4690, HKBU 1 Chapter 8 Application and System Development

Dec 21, 2015
Transcript
Page 1

Chapter 8

Application and System Development

Page 2

Preface

Applications and computer systems are usually developed for functionality first, not security first.

But to get the best of both worlds, security and functionality would have to be developed at the same time.

Security should be interwoven into the core of a product.

Page 3

Software Lifecycle Development Process

Two principal goals of software development:
• To produce a quality product that meets the customer’s requirements
• To stay within the budget and time schedule

A succession of models has emerged over time, incorporating improvements in the development process.

Page 4

Buffer Overflow

On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. This is known as "smashing the stack".
• It can cause the return from the routine to jump to a random address.
• Attackers can control the program flow by sending a carefully crafted set of input.

Page 5

Process Memory Organization

[Figure: process memory laid out from lower memory addresses to higher memory addresses: Text, Data, Stack]

Process Memory Regions
• Text region: fixed by the program; includes code (instructions); read only.
• Data region: contains initialized and uninitialized data; static variables are stored here.
• Stack region: see next page!

Page 6

Stack

The stack is used to:
• Dynamically allocate the local variables used in functions.
• Pass parameters to the functions.
• Return values from the function.

• The stack pointer (SP) points to the top of the stack.
• The bottom of the stack is at a fixed address.
• The stack consists of logical stack frames that are pushed when calling a function and popped when returning.
• The frame pointer (FP) points to a fixed location within a frame.

Page 7

Example

void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
}

int main(void) {
    function(1, 2, 3);
    return 0;
}

$ gcc -S -o example1.s example1.c

function:
    pushl %ebp
    movl %esp,%ebp
    subl $40,%esp
    leave
    ret
......
main:
    pushl %ebp
    movl %esp,%ebp
    pushl $3
    pushl $2
    pushl $1
    call function
    addl $16,%esp

Page 8

Example

Stack layout inside function(), listed from higher memory addresses (bottom of the stack) to lower memory addresses (top of the stack); each entry sits below the one above it:

    c
    b
    a
    ret
    sfp
    buffer1
    buffer2

Page 9

Buffer Overflow

Result of stuffing more data into a buffer than it can handle. E.g.:

#include <string.h>

void function(char *str) {
    char buffer[16];
    strcpy(buffer, str);   /* no bounds check: this is the vulnerable copy */
}

int main(void) {
    char large_string[256];
    int i;
    for (i = 0; i < 255; i++)
        large_string[i] = 'A';
    large_string[255] = '\0';   /* terminate so *str is exactly 256 bytes */
    function(large_string);
    return 0;
}

It copies a string without bounds checking by using strcpy() instead of strncpy().
• Copy the contents of *str into buffer[] until a null character is found.
• buffer[] (16 bytes) is much smaller than *str (256 bytes).
• All 250 bytes after buffer in the stack are overwritten with the character ‘A’ (0x41).
• This includes SFP, RET and even *str.
• The return address becomes 0x41414141.
• That’s why you get a segmentation error when the function returns.

Page 10

Buffer Overflow

A buffer overflow allows us to change the return address of a function. A hacker can change the return address so that control flow passes to his code. The code will run under the username of the owner of the program. Usually a shell will be run. If the vulnerable program is owned by root, we can access the root account.

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

void main() {
    int *ret;
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
}

Page 11

How to Avoid Buffer Overflow?

Modern Programming Languages
• Most modern programming languages are essentially immune to this problem.
• Automatically resize arrays. E.g. Perl, Java
• Detect and prevent buffer overflows. E.g. Ada95, Java
• The C language provides no protection against such problems.
• C++ can easily be used in ways that cause this problem.

Page 12

How to Avoid Buffer Overflow?

Careful Use of C/C++ Library Functions
• Avoid using functions that do not check bounds, unless the bounds will never be exceeded.
• Avoid strcpy(3), strcat(3), sprintf(3) and gets(3). These functions can be replaced with strncpy(3), strncat(3), snprintf(3) and fgets(3).
• strlen(3) should be avoided unless you can guarantee that there will be a terminating NUL character.
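The slides' function(char *str) copies into its 16-byte buffer with strcpy() and no bounds check. As an added example (not from the slides or their references), here is the same stack buffer guarded by a bounds-checked copy that always NUL-terminates and rejects over-long input, applying the advice from this slide; the names copy_bounded, function_safe and demo_overlong are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: bounds-checked replacement for the slides'
 * function(char *str) { char buffer[16]; strcpy(buffer, str); }. Copies at most
 * dstsz-1 bytes, always NUL-terminates (strncpy alone does not); 1 = did not fit. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    const char *nul;
    if (dstsz == 0)
        return 1;
    /* look for the NUL only within dstsz bytes, so an unterminated src stays safe */
    nul = memchr(src, '\0', dstsz);
    if (nul == NULL) {                     /* src is at least dstsz bytes long */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* payload plus the NUL */
    return 0;
}

/* Hardened version of the slides' function: same 16-byte stack buffer, but over-long
 * input is rejected instead of overwriting SFP and RET. Returns stored length or -1. */
int function_safe(const char *str)
{
    char buffer[16];
    if (copy_bounded(buffer, sizeof buffer, str)) {
        fprintf(stderr, "input longer than %zu bytes rejected\n", sizeof buffer - 1);
        return -1;
    }
    return (int)strlen(buffer);
}

/* The slides' constructed input: 255 'A' bytes followed by a NUL. */
int demo_overlong(void)
{
    char large_string[256];
    memset(large_string, 'A', 255);
    large_string[255] = '\0';
    return function_safe(large_string);
}

int main(void)
{
    printf("short input stored %d bytes\n", function_safe("hello"));
    printf("over-long input result: %d\n", demo_overlong());
    return 0;
}
```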

Page 13

Optional References

Aleph One, “Smashing The Stack for Fun and Profit”, Phrack 49 Volume 7, Issue 49, File 14 of 16.

Taeho Oh, “Advanced buffer overflow exploit”.

Page 14

Chapter 9

Law, Investigation, and Ethics

Page 15

Types of Computer Crime

• Denial of Service and Distributed Denial of Service
• Theft of passwords
• Network intrusions
• Emanation eavesdropping
• Social engineering
• Illegal content of material
• Fraud
• Software piracy
• Dumpster diving

Page 16

Types of Computer Crime

• Malicious code
• Spoofing of IP addresses
• Information warfare
• Espionage
• Destruction or the alteration of information
• Use of readily available attack scripts
• Masquerading
• Embezzlement
• Data-diddling
• Terrorism

Page 17

Types of law system

• Common law system: United States, United Kingdom, Australia, Canada
    • Legislative branch: statutory law
    • Administrative agencies: administrative law
    • Judicial branch: common law
• Civil law system: France, Germany
• Islamic system

Page 18

Common Law System

Criminal Law
• Laws about individual conduct that violates government laws enacted for the protection of the public.
• Punishment can include financial penalties and imprisonment.

Civil Law
• Laws about wrongs against an individual or organization that result in damage or loss.
• Punishment cannot include imprisonment.

Administrative/Regulatory Law
• Laws about regulatory standards that regulate performance and conduct.
• Punishment can include financial penalties and/or imprisonment.

Page 19

Intellectual Property Laws

Different from the three main categories.

Trade secret
• Something that is proprietary to that company and important for its survival and profitability
• Must be confidential and protected with certain security precautions and actions
• Require the employees to sign a nondisclosure agreement contract to promise not to share the company’s trade secrets with competitors

Copyright
• Protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work
• Protects pictorial, graphic, musical, dramatic, literary, motion picture, sculptural, and sound recording works
• Protects the expression of the idea of the resource, instead of the resource itself

Trademark
• Protects a word, name, symbol, sound, shape, color, device, or combination

Patent
• Provides the owner of the patent with a legally enforceable right to exclude others from practicing the invention covered by the patent for a specified period of time

Page 20

Internal Protection of IP

The resources protected by one of the previously mentioned laws need to be identified and integrated into the company’s data classification scheme.

Employees must be informed of the level of secrecy or confidentiality of the resource, and their expected behavior pertaining to that resource must be explained.

Page 21

Computer Crime Investigations

It’s very challenging to fight cybercrime:
• The ease of committing a cybercrime
• The relative anonymity available to the attacker
• The difficulty in tracking down the attacker
• The information is intangible
• The investigation may interfere with the normal conduct of the business of an organization
• Difficulty in gathering the evidence
• Usually an expert or specialist is required

Page 22

Computer Crime Investigations

When a company endures a computer crime, they should leave the environment and evidence unaltered and contact the authorities.

It would be best to have a procedure for dealing with a cybercrime:
• Incident response team
• List of outside agencies and resources to contact or report to
• List of computer or forensics experts to contact
• Steps on how to secure and preserve evidence
• Steps on how to search for evidence
• List of items that should be included on the report
• A list that indicates how the different systems should be treated in this type of situation

Page 23

Proper Collection of Evidence

• Make a sound image of the attacked system, and perform forensic analysis on this copy.
• Dump the memory of the system to a file before doing any work on the system or powering it down.
• Keep a proper chain of custody of the evidence: it is important to follow very strict and organized procedures when collecting and tagging evidence.
• When copies of data need to be made, they must meet certain standards. The copies must be able to be independently verified and tamperproof.
• Each piece of evidence should be marked in some way with the date, time, initials of the collector, and case number.
• The piece of evidence should then be sealed in a container, and the container should be sealed with evidence tape.
• Media should be write-protected and storage should be dust free.

Page 24

What is Admissible in Court?

• Most of the time, computer related documents are considered hearsay, meaning the evidence is secondhand evidence.
• It is important that computer logs are generated and collected as a normal part of the business and not just this one time for court.
• It is important to show that the logs, and all evidence, have not been tampered with in any way.
• Privacy issue: if an employee is suspected and being charged of a computer crime, he might claim that his files on the computer he uses are personal and not available to law enforcement and the courts.
• It’s important for companies to have employees sign contracts pertaining to the acceptable use of the company’s computers and equipment, and to establish that a user has no right to privacy when he is using company equipment.

Page 25

Evidence Life Cycle

The evidence life cycle includes:
• Collection and identification
• Storage, preservation, and transportation
• Presentation in court
• Being returned to victim or owner

Page 26

Types of Evidence

• Best evidence: the primary evidence used in a trial; documentary evidence such as contracts
• Secondary evidence: not viewed as reliable and strong in proving innocence or guilt when compared to best evidence; e.g., oral evidence, witness testimony, copies of original documents
• Direct evidence: can prove a fact all by itself instead of needing backup information to refer to; e.g., witness testimony
• Conclusive evidence: irrefutable and cannot be contradicted; very strong all by itself and does not require corroboration
• Circumstantial evidence: can prove an intermediate fact that can then be used to deduce or assume the existence of another fact
• Corroborative evidence: supporting evidence used to help prove an idea or point, used as a supplementary tool to help prove a primary piece of evidence
• Opinion evidence: an expert may offer an opinion based on personal expertise and facts
• Hearsay evidence: oral or written evidence that is presented in court that is secondhand and that has no firsthand proof of accuracy or reliability

Page 27

Ethics

Certified professionals are morally and legally held to a higher standard of ethical conduct.

Ethics should be incorporated into an organizational policy and further developed into an organizational ethical computing policy.

(ISC)2 Code of Ethics https://www.isc2.org/cgi-bin/content.cgi?category=12

Internet Activities Board (IAB) Ethics RFC1087: Ethics and the Internet