Computer Security: Principles and #3-Feb

Practice
Fourth Edition ① Assignment I

Chapter 6
Malicious Software

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 ↑

& -
↑

e g
. S
↑

Malware
-
>
-

NIST 800-83 defines malware as: 8595

"8 ,

“a program that is inserted into a system, G

-
--
-
usually covertly, -
-

with the intent of compromising the confidentiality, integrity,

- -
-

or availability of the victim’s data, applications, or operating

-

·
&
-
-- -

system or otherwise annoying or disrupting the victim.”

-

-
-

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 C
195

Table 6.1 Malware Terminology (1 of 3)

Name Description
Advanced Persistent Cybercrime directed at business and political targets, using a wide variety of
Threat (APT) intrusion technologies and malware, applied persistently and effectively to specific
targets over an extended period, often attributed to state-sponsored organizations.

-
Adware Advertising that is integrated into software. It can result in pop-up ads or
redirection of a browser to a commercial site.

Loading…
Advertising

Attack kit Set of tools for generating new malware automatically using a variety of supplied
-

propagation and payload mechanisms.

Auto-rooter Malicious hacker tools used to break into new machines remotely.
-

Backdoor (trapdoor) Any mechanism that bypasses a normal security check; it may allow unauthorized
access to functionality in a program, or onto a compromised system.
Downloaders Code that installs other items on a machine that is under attack. It is normally
included in the malware code first inserted on to a compromised system to then
import a larger malware package.
Drive-by-download An attack using code on a compromised website that exploits a browser
-

Vulnerability to attack a client system when the site is viewed.

Exploits Code specific to a single vulnerability or set of vulnerabilities.
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 Table 6.1 Malware Terminology (2 of 3)
Name Description
Flooders (DoS Used to generate a large volume of data to attack networked computer systems,
client) by carrying out some form of denial-of-service (DoS) attack.
Ss je
Keyloggers j&
Captures keystrokes on a compromised system.
M

Logic bomb Code inserted into malware by an intruder. A logic bomb lies dormant until a
-
Predefined condition is met; the code then triggers some payload.
- -

Macro virus A type of virus that uses macro or scripting code, typically embedded in a
· is
Document or document template, and triggered when the document is viewed or
macro
edited, to run and replicate itself into other such documents.
Mobile code Software (e.g., script and macro) that can be shipped unchanged to a
heterogeneous collection of platforms and execute with identical semantics.
Rootkit Set of hacker tools used after attacker has broken into a computer system and
gained root-level access.
, sjiisMokl
Spam &
Spammer programs Used to send large volumes of unwanted e-mail.
Spyware Software that collects information from a computer and transmits it to another
- system by monitoring keystrokes, screen data, and/or network traffic; or by
scanning files on the system for sensitive information.
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Table 6.1 Malware Terminology (3 of 3)
Name Description
Trojan horse A computer program that appears to have a useful function, but also has a
hidden and potentially malicious function that evades security mechanisms,
jiy w
sometimes by exploiting legitimate authorizations of a system entity that
invokes it.

Loading…
Virus Malware that, when executed, tries to replicate itself into other executable
J:
iS machine or script code; when it succeeds, the code is said to be infected.
· -
S: zil When the infected code is executed, the virus also executes.
Worm A computer program that can run independently and can propagate a
&S S
complete working version of itself onto other hosts on a network, by exploiting
.

software vulnerabilities in the target system, or using captured authorization

credentials.
Zombie, bot Program installed on an infected machine that is activated to launch attacks
; &155 , / on other machines.
↑

D* s
· P -

·
S
--
1

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
* je

Classification of Malware
• Classified into two broad categories:
– -Based first on how it spreads or propagates to reach the
> -
-

desired targets opt S

-

– Then on the actions or payloads it performs once a target

=>
- - -
-

is reached
-
-

• Also classified by: 2 S

– Those that need aO C host program (parasitic code such as

- viruses)
-

like
a
- .

– Those that are- independent, GC

self-contained programs
OS
(worms, trojans, and bots)
5)
-
– Malware that does not replicate (trojans and spam e-mail)
-

– Malware that does replicateC

-
-
(viruses and Cworms)
a
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 ·
Types of Malicious Software (Malware)
G 4G4T
,

• Propagation mechanisms include: &

S

%– -
-

- 5Infection of existing content by viruses that is subsequently spread to

- - - -

other systems
-

-
-

sig– ↳
Exploit of software vulnerabilities by worms or drive-by-downloads to
-
-
--
-

allow
- -
the malware to replicate
-–-
Social engineering attacks that convince users to bypass security
· - -
-

mechanisms to install Trojans or to respond to phishing attacks

-- -
-

• Payload actions performed by malware once it reaches a target system can

- -

include: eli)
· 2 ES1 ,

2
– Corruption of system or data files
-
-

– Theft of service/make the system a zombie agent of attack as part of a -

botnet
-

- – Theft of information from the system/keylogging

&

ad ·
– Stealthing/hiding its presence on the system
S -

E
-

-
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 9
Attack Kits
• Initially the development and deployment of malware required considerable
technical skill by software authors
– The development of virus-creation toolkits in the early 1990s and then
more general attack kits in the 2000s greatly assisted in the
development and deployment of malware

• Toolkits are often C

-
-
known as “crimeware”
– Include a variety of propagation mechanisms and payload modules that
even novices can deploy
– Variants that can be generated by attackers using these toolkits creates
a significant problem for those defending systems against them

C
• Examples are:
– Zeus
>

– Angler
-

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 31 ,

Attack Sources
• Another significant malware development is the change from
attackers being individuals often motivated to demonstrate their
technical competence to their peers to more organized and
dangerous attack sources such as:
-

O
& – Politically motivated attackers > - Els
-
-

② – Criminals -
59
. 3
-
-

3 – Organized crime
O Psyin sun i
-
-
19 i ↓
④ – Organizations that sell their services to companies and nations
-

-
----

⑤ – National government agencies

-
>
- /S ,

• This has significantly changed the resources available and motivation

-

behind the rise of malware and has led to development of a large

underground economy involving the sale of attack kits, access to
compromised hosts, and to stolen information
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 -
Advanced Persistent Threats (APTs)
· -19!

• Well-resourced, persistent application of a wide variety of

- -

Eis intrusion technologies and malware to selected targets

.,

Y
g -
I
-
- -

-
(usually business or political)
-
-

• Typically attributed to state-sponsored organizations and

--
-
&
criminal enterprises
-
-
5 Gius &9
·

-
, . .
5 0

•-
Differ from-
--
other types of attack by their careful target
-
-

selection
-
and stealthy
-
-
intrusion efforts over extended
periods of example APT attack

- &
-
-
include-
• High profile attacks> Aurora, RSA, APT1, and
=
Stuxnet

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 &

APT Characteristics (1 of 2)
i
·
• Advanced
=
-

– Used by the attackers of a wide variety of intrusion technologies

- - -
-

and malwareE
- -
-

-
including the development of custom malware if
- -

required

Loading…
– The individual components may not necessarily be technically
---
- -

advanced but are carefully selected to suit the chosen target

sig
-
-
-
S
•=
Persistent
> id zisodois S, -1-2 --

– Determined application of the attacks over an extended period

-
- -
-
-

against the chosen target in order to maximize the chance of

-

- -

success
& - -

– A variety of attacks may be progressively applied until the target

-
- -

is compromised
- ·Iss
55%

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
APT Characteristics (2 of 2)
E
•-
Threats -
>

– Threats to the selected targets as a result of the organized,

-

capable, and well-funded attackers intent to compromise the

-

specifically chosen targets

-

– The active involvement of people in the processC

-
-
greatly raises the
-

threat level from that due to automated attacks tools, and also the
-

likelihood of successful attacks

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 APT Attacks
>
-
jl

O
• Aim: -
Q ②
– Varies from theft of intellectual property or security and infrastructure
- -

related data to the physical disruption of infrastructure

-

-
• Techniques used:
-

– Social engineering
-
-

– Spear-phishing email
-

G
-

– Drive-by-downloads from selected compromised websites

-
- -
likely to be
visited by personnel in the target organization
-

G
-
• Intent: · % .

– To infect the target with sophisticated malware with multiple propagation

- - -

mechanisms and payloads

-

– Once they have gained initial access to systems in the target

organization a further range of attack tools are used to maintain and
extend their access
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 Viruses
-

⑤
E 105
•-
Piece of software that infects programs
.

- -
· S– Modifies them to include a copy of the virus
-
-

s - T sa % &'

[&
– Replicates and goes on to infect other content
-

-
-

assis,–-
-

S
Easily spread through network environments
#

/
·j # 45
Ed
• When attached to an executable program a G virus can do
.

=
--

anything that the program is permitted to do

---
· &,
&

-
/
– Executes secretly when the host program is run
I

%9
Ei
51 &

--
-
-

• Specific to operating system and hardware

- -

– Takes advantage of their details and weaknesses

-
-

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 24ge

Virus Components
S,T
• Infection mechanism ·
>
-

/gu4)
– Means by which a virus spreads or propagates
↑

– Also referred to as the infection vector 594)

=
%
called
y

· • Trigger-
, &1/1 , 5
5,/

– Event or condition that determines when the payload is

- - -

activated or delivered
-

– Sometimes known as a logic bomb

-

S
• Payload >
-

– What the virus does (besides spreading)

-

– May involve damage or benign but noticeable activity

-
=
19 & Sis Dj

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 MBR
· boot infctor 55 3
,

Virus Classifications (1 of 2)
.

& booting
-

ri
i

&I
-

Classification by target
Jod

II
E
S
!
-
• Boot sector infector
- -
& 9S1,1
– Infects a master boot record or boot record and spreads when a
-- S

- - -
- -

system is booted from the disk containing the virus

s• -
-
- -
%
&

·S: 555519dis .

File infector
,

I
& -

⑤
– Infects files that the operating system or shell considers to be
executable
- ⑤

dist
• Macro virus
②
=
– Infects files with macro or scripting code that is interpreted by an
-
-

application
-

• Multipartite virus
③
– Infects files in E
multiple ways
-
-

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 Virus Classifications (2 of 2)
/
Classification by concealment strategy
-
• Encrypted virus
s

– A portion of the virus creates a random encryption key and encrypts the
- - - -

remainder of the virus

-

I
&
-

• Stealth virus
1

– A form of virus explicitly designed to hide itself from detection by anti-virus

- - -

software
-

i
,
• Polymorphic virus Se
jet's !

– A virus that mutates with every infection

-

dis• Metamorphic virus · it is

– A virus that mutates and rewrites itself completely at each iteration and
- - --

may change behavior as well as appearance

-

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 -4)

Worms
28% XS
• Program that actively seeks out more machines to infect and each infected
- -

machine serves as an automated launching pad for attacks on other

-
-

machines · to Di ; 5 .

• Exploits software vulnerabilities in client or server programs

- -

• Can use network connections to spread from system to system

- &

• Spreads through shared media (USB drives, CD, DVD data disks)
- um m u

• E-mail worms spread in macro or script code included in attachments and

-
- -
-

instant messenger file transfers

-

& ge
-

Iis
-
j
• Upon activation the worm may replicate and propagate again
- - -

• Usually carries some form of payload

>
-
-

X
• First known implementation was done in Xerox Palo Alto Labs in the early
1980s
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 -15 1

Target Discovery
e &
• Scanning (or fingerprinting)
–&First function in the propagation phase for a network
- -
- -
worm
-

– Searches
-
for other systems to infect
-
gli
• Random
S

Sis
– Each compromised host probes random
- -
-
-
addresses in
-

the IP address space-

-
using a different seed
-

– This produces a high volume of Internet traffic which

-590 - - - -

SI may cause generalized disruption even before the

-

· = -- -

5 Do actual attack is launched

.

-
-

· 1955
& (bridis 24 (

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 --

Worm Technology
• Multiplatform - -

• Multi-exploit >
- Dis s
,

• Ultrafast spreading >

-
s , is

• Polymorphic Sugi
>
-
, s

• Metamorphic >
- I
,

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 ·, () 04/)

Malvertising
&s
• Places malware on websites without actually compromising them
-

&& / &%
• The attacker pays for advertisements that are highly likely to be placed on
-- -

their intended target websites and incorporate malware in them

--

• Using these malicious ads, attackers can infect visitors to sites displaying
is - -

-
them ·leving Ess i I
%

• The malware code may be dynamically generated to either reduce the

- - -
-

chance of detection or to only infect specific systems

- - - -

• Has grown rapidly in recent years because they are easy to place on desired
- - -

websites with few questions asked and are hard to track

-

& hist, 09 ve

• Attackers can place these ads for as little as a few hours, when they expect
- -

their intended victims could be browsing the targeted websites, greatly

-
- -

reducing their visibility

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 &I wa

Clickjacking
• Also known as a user-interface (UI) redress attack
-

• Using a similar technique, keystrokes can also be

- -
-

hijacked
-

– A user can be led to believe they are typing in the

&
-
-

password to their email or bank account, but are

- -
=>

instead typing into an invisible frame controlled by

- -- -

the attacker
-

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Social Engineering
• “Tricking” users to assist in the compromise of their own systems
-
-

• Spam
-

– Unsolicited bulk e-mail

-

– Significant carrier of malware

– Used for phishing attacks
• Trojan horse
-

– Program or utility containing harmful hidden code

– Used to accomplish functions that the attacker could not accomplish
directly
• Mobile phone Trojans
-

– First appeared in 2004 (Skuller)

– Target is the smartphone

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 stop
here
&.
go
&
: I#

13 Feb
&
5% &..&
-

Ransomware
Gemm
• WannaCry
– Infected a large number of systems in many countries in May 2017
– When installed on infected systems, it encrypted a large number of files
and then demanded a ransom payment in Bitcoins to recover them
– Recovery of this information was generally only possible if the
organization had good backups and an appropriate incident response
and disaster recovery plan
– Targets widened beyond personal computer systems to include mobile
devices and Linux servers
– Tactics such as threatening to publish sensitive personal information, or
to permanently destroy the encryption key after a short period of time,
are sometimes used to increase the pressure on the victim to pay up

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 saleig%38 .

Attack Agents Bots

• Takes over another Internet attached computer and uses that computer to
- -
-

launch or manage attacks

-

• Botnet - collection of bots capable of acting in a coordinated manner

-
- -

• =>
Uses:
– Distributed denial-of-service (DDoS) attacks
-

– Spamming
-

– Sniffing traffic
-

– Keylogging
-

– Spreading new malware

– Installing advertisement add-ons and browser helper objects (BHOs)
– Attacking IRC chat networks
– Manipulating online polls/games

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 .
9
-S

Remote Control Facility

-&
&

• Distinguishes a bot from a worm

- -
-
– Worm propagates itself and activates itself
- - -

– Bot is initially controlled from some central facility

-- -

• Typical means of implementing the remote control facility

is on an IRC server
– Bots join a specific channel on this server and treat
incoming messages as commands
– More recent botnets use covert communication
channels via protocols such as HTTP
– Distributed control mechanisms use peer-to-peer
protocols to avoid a single point of failure
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 6 s

Information Theft Keyloggers and

Spyware
• Keylogger
-

– Captures keystrokes to allow attacker to monitor sensitive

-
-

information
-

– Typically uses some form of filtering mechanism that only returns

- -

information close to keywords (“login”, “password”)

- - => >
-

I
• Spyware
S
↑

- M
--
I
s .
T
– Subverts the compromised machine to allow monitoring of a
- -

wide range of activity on the system

--

▪ Monitoring history and content of browsing activity

- -

▪ Redirecting certain -
-
Web page requests to fake sites
▪ Dynamically modifying data exchanged between the browser
- - - -

and certain Web sites of interest

-
-

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 ·SS
Malware Countermeasure Approaches
• Ideal solution to the threat of malware is prevention
-

G
• Four main elements of prevention:
-

– Policy
-
- -

– Awareness
-
-
541
– Vulnerability mitigation
-
is
>
-

– Threat mitigation
-
-
E
↑

• If prevention fails, technical mechanisms can be used to support the

following threat mitigation options:
– Detection
-- *x
– Identification
- >
-

– Removal > H)y)

&

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 · Siste .
J i
Generations of Anti-Virus Software
• First generation: simple scanners
- -

– Requires a malware signature to identify the malware

– Limited to the detection of known malware
• Second generation: heuristic scanners -
- -

Loading…
– Uses heuristic rules to search for probable malware instances
– Another approach is integrity checking
• Third generation: activity traps
- -
>
-

– Memory-resident programs that identify malware by its actions rather

than its structure in an infected program
• Fourth generation: full-featured protection
-
5
>
-
-

– Packages consisting of a variety of anti-virus techniques used in

conjunction
– Include scanning and activity trap components and access control
capability
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Sandbox Analysis
• Running potentially malicious code in an emulated
sandbox or on a virtual machine
• Allows the code to execute in a controlled environment
where its behavior can be closely monitored without
threatening the security of a real system
• Running potentially malicious software in such
environments enables the detection of complex
encrypted, polymorphic, or metamorphic malware
• The most difficult design issue with sandbox analysis is
to determine how long to run each interpretation

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Host-Based Behavior-Blocking Software
• Integrates with the operating system of a host computer and
monitors program behavior in real time for malicious action
– Blocks potentially malicious actions before they have a
chance to affect the system
– Blocks software in real time so it has an advantage over
anti-virus detection techniques such as fingerprinting or
heuristics

• Limitations
– Because malicious code must run on the target machine
before all its behaviors can be identified, it can cause harm
before it has been detected and blocked

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Computer Security: Principles and
Practice
Fourth Edition

20 -
Feb
-

Chapter 10
Buffer Overflow

Copyright
Copyright ©
© 2018,
2018, 2015,
2015, 2012 Pearson Education,
2012 Pearson Education, Inc.
Inc. All
All Rights
Rights Reserved
Reserved
 Buffer Overflow (1 of 2) c dis
(
get (

• A very common
-
attack mechanism Y
His > &5
Mis

– First widely used by the Morris Worm in 1988

-

• Prevention techniques known - is "i S

- ,
↑

7
3&
s
overflow 85 0
• Still of major concern
-
-
-
·

>
Es
,
– Legacy of buggy code in widely deployed operating
Si
-

9
systems and applications
·
P
.
,

– Continued careless programming practices by

programmers

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 Buffer Overflow (2 of 2)

&
A buffer overflow, also known as a buffer overrun, is defined
-

in the NIST Glossary of Key Information Security Terms

as follows:
8

I I
“A condition at an interface under which more input can be
- -
-

placed into a buffer or data holding area than the capacity

- -

allocated, overwriting other information. Attackers exploitJ

---- - -
-

such a condition to crash a system or to insert specially

-

crafted code that allows them to gain control of the system.”

-

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 I
-s
&

Buffer Overflow Basics

/
.
-
• Programming error C
-
-
when a • Consequences:
process attempts to store data
- -
-
– Corruption of program
.. data
-

beyond the limits of a fixed-sized

--

I
-
- -
dr s -

buffer
-
-
– Unexpected transfer of
8 --
-

• Overwrites adjacent memory control *-

&
Ji
-
-

S
- -

locations
-
g – Memory access violations
& -
- -
85Access
– Locations could hold other assi
-

--
"g – Execution of code chosen
-
- -

program variables, ·
I

-
-
by attacker
-
-

parameters, or program
-
-

control flow data

-
-

0
•C
Buffer could be located on the
stack, in the heap, or in the data
=
-

section of the process

-
-

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 Figure 10.1 Basic Buffer Overflow
Example

local
variable
/ .

-!

4 sr

X
Str2 Bis ple

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Figure 10.2 Basic Buffer Overflow Stack
Values

X =
4

C
!

jjjos 6

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Buffer Overflow Attacks
↓i Y
,

·
• To exploit a buffer overflow an attacker needs:
- -

– To identify a buffer overflow vulnerability in some program

-
- -

that can be triggered using externally sourced data under

----
the attacker’s control
-

– To
-
understand how that buffer
- -
is stored in memory and
determine potential for corruption
-
-

! sa's
• Identifying vulnerable programs can be done by: -

:i S i
I

-
y – Inspection of program source
-

E – Tracing the execution of programs as- they process

,

-
-

- -

oversized input
-
-

– Using tools such asG

-
-
-
fuzzing to automatically identify
-

potentially vulnerable programs

-

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Stack Buffer Overflows

X
• Occur when buffer is located on stack
2
another
>
-
name

C smashing
For buffer
– Also referred to as stack
stack .

– Used by Morris Worm

– Exploits included an unchecked buffer overflow -

• Are still being widely exploited

• Stack frame
– When one function calls another it needs somewhere to
- -

save the return address

– Also needs locations to save the parameters to be passed
-

in to the called function and to possibly save register

- -

values
-

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Figure 10.3 Example Stack Frame With
Functions P and Q

X
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Figure 10.4 Program Loading Into Process
Memory

· Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Figure 10.5 Basic Stack Overflow Example

X
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Figure 10.6 Basic Stack Overflow Stack
Values

X His

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Figure 10.7 Another Stack Overflow
Example

X
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Table 10.2 Some Common Unsafe C
Standard Library Routines
-
gets(char *str)
sprintf(char *str, char *format, ...)
strcat(char *dest, char *src)
strcpy(char *dest, char *src)
vsprintf(char *str, char *fmt, va_list ap)
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
read line from standard input into str
create str according to supplied format and
variables
append contents of string src to string dest
copy contents of string src to string dest
create str according to supplied format and
variables
Shellcode
98 %39 6
,
.

• Code supplied by attacker

– Often saved in buffer being overflowed
-

– Traditionally transferred control to a user command-line

- -

interpreter (shell)
-
Remote(SS1
Access % s
overfloodI

• Machine code
-

– Specific to processor and operating system

- -

– Traditionally needed good assembly language skills to create

-
-

– More recently a number of sites and tools have been

developed that automate this process

• Metasploit Project &

- sil
i Dogs
-
: ·
a
·– Provides useful information to people who perform penetration,
& -- -
-

IDS signature development, and exploit research

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Figure 10.8 Example UNIX Shellcode
- -

↳ from user

&
convert from
C

- - - to assembly to know

3 Arrgs address then referse

C to c
language .

startee
-

j
&

Assembly language .

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Figure 10.9 Example Stack Overflow
Attack

limit Access

root
N, C
As
imputy
output
A posi

,
g
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
 -
Stack Overflow Variants
• Target program can be:
– A trusted system utility
– Network service
daemon
– Commonly used library
code
Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
• Shellcode functions
– Launch a remote shell when
connected to
– Create a reverse shell that
connects back to the hacker
– Use local exploits that establish a
-
shell
– Flush firewall rules that currently
-
block other attacks
– Break out of a chroot (restricted
execution) environment, giving full
access to the system
 ⑳ving
Buffer Overflow Defenses
• Buffer overflows are widely exploited

• Two
-
broad defense approaches
–-Compile-time
▪ Aim to harden programs to resist attacks in new
- -

programs
–#Run-time
▪ Aim to detect and abort attacks in existing
--

programs

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved