CNS Unit-1
Sri Mittapalli College of Engineering,Thummalapalem CSE
TRAFFIC ANALYSIS:
Suppose that we had a way of masking the contents of messages or other
information traffic so that opponents, even if they captured the message, could not
extract the information from the message.
The common technique for masking contents is encryption.
If we had encryption protection in place, an opponent might still be able to observe
the pattern of these messages. The opponent could determine the location and
identity of communicating hosts and could observe the frequency and length of
messages being exchanged.
This information might be useful in guessing the nature of the communication that
was taking place.
Passive attacks are very difficult to detect, because they do not involve any
alteration of the data.
Typically, the message traffic is sent and received in an apparently normal
fashion, and neither the sender nor the receiver is aware that a third party has read the
messages or observed the traffic pattern.
However, it is feasible to prevent the success of these attacks, usually by means of
encryption.
Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.
Active Attacks:
Active attacks involve some modification of the data stream or the creation of a false stream and can
be subdivided into four categories: masquerade, replay, modification of messages, and denial of
service.
A masquerade attack is an attack that uses a fake identity to gain unauthorized access to
personal computer information through legitimate access identification. For example,
authentication sequences can be captured and replayed after a valid authentication sequence
has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges
by impersonating an entity that has those privileges.
Replay involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect.
Modification of messages simply means that some portion of a valid message is altered, or
that messages are delayed or reordered, to produce an unauthorized effect.
For example, a message meaning “Allow John Smith to read confidential file accounts” is
modified to mean “Allow Fred Brown to read confidential file accounts.”
The denial of service prevents the normal use or management of communications facilities.
This attack may have a specific target; for example, an entity may suppress all messages
directed to a particular destination. Another form of service denial is the disruption of an entire
network, either by disabling the network or by overloading it with messages so as to degrade
performance.
SECURITY SERVICES:
Security service means a processing or communication service that is provided by a
system to give a specific kind of protection to system resources.
X.800 divides these services into:
AUTHENTICATION
ACCESS CONTROL
DATA CONFIDENTIALITY
DATA INTEGRITY
NONREPUDIATION
AVAILABILITY
AUTHENTICATION:
The authentication service is concerned with assuring that a communication is authentic. In the
case of a single message, the function of the authentication service is to assure the recipient
that the message is from the source that it claims to be from. In the case of an ongoing
interaction, such as the connection of a terminal to a host, two aspects are involved. First, at the
time of connection initiation, the service assures
that the two entities are authentic, that is, that each is the entity that it claims to be. Second, the
service must assure that the connection is not interfered with in such a way that a third party can
masquerade as one of the two legitimate parties for the purposes of unauthorized transmission or
reception.
Two specific authentication services are defined
Peer entity authentication
Data origin authentication
Peer entity authentication: Provides for the corroboration of the identity of a peer entity
involved in communication. It is used for providing authentication at the time of connection
establishment and during the process of data transmission.
Data origin authentication: Provides for the corroboration of the source of a data unit. It does
not provide protection against the duplication or modification of data units. This type of service
supports applications like electronic mail, where there are no prior interactions between the
communicating entities.
ACCESS CONTROL:
The prevention of unauthorized use of a resource. Access control is the ability to limit and
control the access to host systems and applications via communications links. To achieve this,
each entity trying to gain access must first be identified, or authenticated, so that access rights
can be tailored to the individual.
DATA CONFIDENTIALITY:
Confidentiality is the protection of transmitted data from passive attacks. The protection of data
from unauthorized disclosure.
Types of confidentiality:
o Connection Confidentiality: The protection of all user data on a connection.
o Connectionless Confidentiality: The protection of all user data in a single data block
o Selective-Field Confidentiality: The confidentiality of selected fields within the user
data on a connection or in a single data block.
o Traffic-Flow Confidentiality: The protection of the information that might be derived
from observation of traffic flows.
DATA INTEGRITY: The assurance that data received are exactly as sent by an authorized
entity (i.e., contain no modification, insertion, deletion, or replay).
Types of integrity:
Connection Integrity with Recovery: Provides for the integrity of all user data on a
connection and detects any modification, insertion, deletion, or replay of any data within
an entire data sequence, with recovery attempted.
Connection Integrity without Recovery: As above, but provides only detection without
recovery.
Selective-Field Connection Integrity: Provides for the integrity of selected fields within
the user data of a data block transferred over a connection and takes the form of
determination of whether the selected fields have been modified, inserted, deleted, or
replayed.
Connectionless Integrity: Provides for the integrity of a single connectionless data block
and may take the form of detection of data modification. Additionally, a limited form of
replay detection may be provided.
Selective-Field Connectionless Integrity: Provides for the integrity of selected fields
within a single connectionless data block; takes the form of determination of whether the
selected fields have been modified.
NONREPUDIATION:
It is the assurance that someone cannot deny something. It is a method of guaranteeing message
transmission between parties. Provides protection against denial by one of the entities involved
in a communication of having participated in all or part of the communication.
Nonrepudiation, Origin: Proof that the message was sent by the specified party.
Nonrepudiation, Destination: Proof that the message was received by the specified
party.
AVAILABILITY:
Availability is the property that assures that information and communications will be ready for use
when expected; information is kept available to authorized persons when they need it. Availability
can be significantly affected by a variety of attacks. Some of these attacks are amenable to
countermeasures such as authentication and encryption, whereas others require physical action for
preventing and recovering from the loss of availability.
SECURITY MECHANISMS:
Security mechanisms are categorized into two types:
SPECIFIC SECURITY MECHANISMS
PERVASIVE SECURITY MECHANISMS
SPECIFIC SECURITY MECHANISMS:
These mechanisms are incorporated into the appropriate protocol layer in order to provide
some of the OSI security services.
Encipherment: It refers to the process of applying mathematical algorithms to transform
data into a form that is not readily intelligible. The transformation and subsequent
recovery of the data depend on an algorithm and encryption keys.
Digital Signature: Data appended to, or a cryptographic transformation of, a data unit
that preserves the integrity of the data and protects it from unauthorized access.
Access Control: A variety of mechanisms that enforce access rights to resources.
Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or
stream of data units.
Authentication Exchange: A mechanism intended to ensure the identity of an entity by
means of information exchange.
Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts.
Routing Control: Enables selection of particular physically secure routes for certain
data and allows routing changes, especially when a breach of security is suspected.
Notarization: The use of a trusted third party to assure certain properties of a data exchange.
PERVASIVE SECURITY MECHANISMS:
Mechanisms that are not specific to any particular OSI security service or protocol layer.
Trusted Functionality: That which is perceived to be correct with respect to some criteria.
Security Label: The marking bound to a resource that specifies the security attributes
associated with that resource.
Event Detection: Detection of security-relevant events.
Security Audit Trail: Data collected and potentially used to facilitate a security audit, which
is an independent review and examination of system records and activities.
Security Recovery: Deals with requests from mechanisms, such as event handling and
management functions, and takes recovery actions.
SOME BASIC TERMINOLOGY:
Requirements:
There are two requirements for secure use of conventional encryption:
1. A strong encryption algorithm.
2. A secret key known only to sender and receiver: sender and receiver must have obtained
copies of the secret key in a secure fashion and must keep the key secure.
Cryptanalysis:
An encryption scheme is unconditionally secure if the ciphertext generated by the
scheme does not contain enough information to determine uniquely the corresponding
plaintext, no matter how much ciphertext is available. That is, no matter how much time
an opponent has, it is impossible for him or her to decrypt the ciphertext simply because
the required information is not there.
An encryption scheme is computationally secure if the cost of breaking the cipher
exceeds the value of the information and the time required to break the cipher exceeds the
useful lifetime of the information.
SUBSTITUTION TECHNIQUES:
The two basic building blocks of all encryption techniques are substitution and transposition.
A substitution technique is one in which the letters of plaintext are replaced by other
letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits,
then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.
Caesar Cipher:
The earliest known, and the simplest, use of a substitution cipher was by Julius Caesar.
The Caesar cipher involves replacing each letter of the alphabet with the letter standing three
places further down the alphabet. For example,
Then the algorithm can be expressed as follows. For each plaintext letter p, substitute the
ciphertext letter C:
C = E(3, p) = (p + 3) mod 26
A shift may be of any amount, so that the general Caesar algorithm is
C = E(k, p) = (p + k) mod 26
where k takes on a value in the range 1 to 25. The decryption algorithm is simply
p = D(k, C) = (C - k) mod 26
If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is
easily performed: simply try all the 25 possible keys. The following figure shows the results of
applying this strategy to the example ciphertext. In this case, the plaintext leaps out as
occupying the third line.
Three important characteristics of this problem enabled us to use a brute-force cryptanalysis:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily recognizable.
MONOALPHABETIC CIPHERS:
A monoalphabetic cipher is a substitution cipher in which, for a given key, the cipher
alphabet for each plain alphabet is fixed throughout the encryption process. With only
25 possible keys, the Caesar cipher is far from secure. A dramatic increase in the key
space can be achieved by allowing an arbitrary substitution. Before proceeding, we
define the term permutation. A permutation
For example, if S = {a, b, c}, there are six permutations of S:
abc, acb, bac, bca, cab, cba
If the cryptanalyst knows the nature of the plaintext, then the analyst can exploit the
regularities of the language.
As a first step, the relative frequency of the letters can be determined and compared to a
standard frequency distribution for English, such as is shown in Figure. If the message
were long enough, this technique alone might be sufficient, but because this is a relatively
short message, we cannot expect an exact match. A powerful tool is to look at the
frequency of two-letter combinations, known as digrams.
The following table shows the frequency of letters in the above sentences.
Monoalphabetic ciphers are easy to break because they reflect the frequency data of the
original alphabet.
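The brute-force search of the 25 Caesar keys and the letter-frequency comparison described above, as an added example (not code from the notes): every key is tried and each candidate plaintext is scored against the standard English letter-frequency table, so the language regularity the notes rely on picks the key automatically; a digram counter is included for the second tool the notes mention.

```python
"""Caesar cipher: E(k, p) = (p + k) mod 26, its decryption, and a brute-force
search over all 25 keys that ranks candidates by English letter frequency.
Added example, not the notes' own code; the frequency table holds the
standard percentages for English text."""
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Relative frequency (%) of each letter in English, index 0 = 'a' ... 25 = 'z'.
ENGLISH_FREQ = [
    8.17, 1.29, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03,
    2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15,
    1.97, 0.07,
]


def caesar_encrypt(plaintext, k):
    """C = E(k, p) = (p + k) mod 26 for each letter; non-letters are dropped and
    the ciphertext is written in upper case, as in the notes' examples."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            p = ALPHABET.index(ch)
            out.append(ALPHABET[(p + k) % 26].upper())
    return "".join(out)


def caesar_decrypt(ciphertext, k):
    """p = D(k, C) = (C - k) mod 26; Python's % keeps the result in 0..25."""
    return caesar_encrypt(ciphertext, -k).lower()


def letter_counts(text):
    counts = [0] * 26
    for ch in text.lower():
        if ch in ALPHABET:
            counts[ALPHABET.index(ch)] += 1
    return counts


def digram_counts(text):
    """Frequency of two-letter combinations (digrams), the second tool the
    notes mention for recognising the plaintext language."""
    letters = [ch for ch in text.lower() if ch in ALPHABET]
    return Counter(a + b for a, b in zip(letters, letters[1:]))


def english_score(text):
    """Sum of count(letter) * English frequency(letter): higher when the
    letter distribution of the text resembles English."""
    return sum(c * f for c, f in zip(letter_counts(text), ENGLISH_FREQ))


def brute_force(ciphertext):
    """Characteristics 1-3 in the notes: known algorithm, 25 keys, recognisable
    language. Returns (key, candidate plaintext, score), best candidate first."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)]
    scored = [(k, pt, english_score(pt)) for k, pt in candidates]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def recover_key(ciphertext):
    return brute_force(ciphertext)[0][0]


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print("ciphertext:", ct)
    for k, pt, score in brute_force(ct)[:5]:
        print("key %2d  score %6.1f  %s" % (k, score, pt))
```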
Playfair Cipher:
The best-known multiple-letter encryption cipher is the Playfair, which treats digrams in the
plaintext as single units and translates these units into ciphertext digrams. The Playfair
algorithm is based on the use of a 5 * 5 matrix of letters constructed using a keyword.
In this case, the keyword is monarchy. The matrix is constructed by filling in the letters of the
keyword (minus duplicates) from left to right and from top to bottom, and then filling in the
remainder of the matrix with the remaining letters in alphabetic order. The letters I and J count as
one letter. Plaintext is encrypted two letters at a time, according to the following rules:
1. Repeating plaintext letters that are in the same pair are separated with a filler
letter, such as x, so that balloon would be treated as ba lx lo on.
2. Two plaintext letters that fall in the same row of the matrix are each replaced
by the letter to the right, with the first element of the row circularly following the last. For
example, ar is encrypted as RM.
3. Two plaintext letters that fall in the same column are each replaced by the letter
beneath, with the top element of the column circularly following the last. For example, mu
is encrypted as CM.
4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own
row and the column occupied by the other plaintext letter. Thus, hs becomes BP and ea
becomes IM (or JM, as the encipherer wishes).
The Playfair cipher is a great advance over simple monoalphabetic ciphers. For one thing,
whereas there are only 26 letters, there are 26 * 26 = 676 digrams, so that identification of
individual digrams is more difficult. Despite this level of confidence in its security, the Playfair
cipher is relatively easy to break, because it still leaves much of the structure of the plaintext
language intact. A few hundred letters of ciphertext are generally sufficient.
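The matrix construction and the four Playfair rules above, as an added example (not code from the notes) that also implements decryption by reversing the row and column shifts; it uses the notes' keyword monarchy and the notes' test digrams.

```python
"""Playfair cipher with the keyword matrix and the four rules from the notes.
Added example, not the notes' own code. Keyword defaults to 'monarchy'."""

ALPHABET = "abcdefghiklmnopqrstuvwxyz"   # 25 letters: i and j share one cell


def build_matrix(keyword):
    """Keyword letters (duplicates removed) left to right, top to bottom,
    then the remaining letters in alphabetical order."""
    cells = []
    for ch in keyword.lower().replace("j", "i") + ALPHABET:
        if ch in ALPHABET and ch not in cells:
            cells.append(ch)
    return [cells[r * 5:(r + 1) * 5] for r in range(5)]


def _positions(matrix):
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}


def make_digrams(plaintext):
    """Rule 1: split into pairs, separating a doubled letter with the filler x
    (q if the doubled letter is x itself), and pad an odd-length text."""
    letters = [ch for ch in plaintext.lower().replace("j", "i") if ch in ALPHABET]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            pairs.append(a + ("x" if a != "x" else "q"))
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _transform(pair, matrix, pos, step):
    """step = +1 applies rules 2-4 (encrypt), step = -1 reverses them."""
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:          # rule 2: same row, shift along the row (wraps around)
        return matrix[r1][(c1 + step) % 5] + matrix[r2][(c2 + step) % 5]
    if c1 == c2:          # rule 3: same column, shift down the column (wraps)
        return matrix[(r1 + step) % 5][c1] + matrix[(r2 + step) % 5][c2]
    # rule 4: own row, other letter's column (this step is its own inverse)
    return matrix[r1][c2] + matrix[r2][c1]


def playfair_encrypt(plaintext, keyword="monarchy"):
    matrix = build_matrix(keyword)
    pos = _positions(matrix)
    return "".join(_transform(p, matrix, pos, 1) for p in make_digrams(plaintext)).upper()


def playfair_decrypt(ciphertext, keyword="monarchy"):
    """Undoes rules 2-4; filler letters inserted by rule 1 remain in the output."""
    matrix = build_matrix(keyword)
    pos = _positions(matrix)
    text = ciphertext.lower()
    return "".join(_transform(text[i:i + 2], matrix, pos, -1)
                   for i in range(0, len(text), 2))


if __name__ == "__main__":
    for row in build_matrix("monarchy"):
        print(" ".join(row))
    for digram in ("ar", "mu", "hs", "ea", "balloon"):
        print(digram, "->", playfair_encrypt(digram))
```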
Hill Cipher:
Another interesting multiletter cipher is the Hill cipher, developed by the mathematician
Lester Hill in 1929. This encryption algorithm takes m successive plaintext letters and substitutes
for them m ciphertext letters. The substitution is determined by m linear equations in which each
character is assigned a numerical value (a = 0, b = 1, ..., z = 25).
For m = 3, the system can be described as
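The Hill cipher for a general block size m, as an added example (not the notes' own code): each block of m letter values is multiplied by the key matrix mod 26, and decryption needs the inverse of the key matrix mod 26, computed here from the determinant and the adjugate. The 3 x 3 key is a constructed sample key, not a matrix taken from the page.

```python
"""Hill cipher for block size m with decryption via the inverse key matrix
mod 26. Added example, not the notes' own code; SAMPLE_KEY is a constructed
3 x 3 key, not a matrix taken from the page."""
from math import gcd

MOD = 26

# Constructed sample key for m = 3 (det = 23, which is invertible mod 26).
SAMPLE_KEY = [[17, 17, 5],
              [21, 18, 21],
              [2, 2, 19]]


def _minor(matrix, row, col):
    return [r[:col] + r[col + 1:] for i, r in enumerate(matrix) if i != row]


def det_mod(matrix, mod=MOD):
    """Determinant by cofactor expansion along the first row, reduced mod 26."""
    n = len(matrix)
    if n == 1:
        return matrix[0][0] % mod
    total = 0
    for c in range(n):
        total += (-1) ** c * matrix[0][c] * det_mod(_minor(matrix, 0, c), mod)
    return total % mod


def is_usable_key(matrix, mod=MOD):
    """K is invertible mod 26 only if gcd(det K, 26) = 1."""
    return gcd(det_mod(matrix, mod), mod) == 1


def matrix_inverse_mod(matrix, mod=MOD):
    """K^-1 = (det K)^-1 * adj(K) mod 26, adj(K) being the transposed cofactor matrix."""
    if not is_usable_key(matrix, mod):
        raise ValueError("key matrix is not invertible mod %d" % mod)
    n = len(matrix)
    d_inv = pow(det_mod(matrix, mod), -1, mod)
    adj = [[(-1) ** (r + c) * det_mod(_minor(matrix, c, r), mod) for c in range(n)]
           for r in range(n)]
    return [[(d_inv * adj[r][c]) % mod for c in range(n)] for r in range(n)]


def _mat_vec(matrix, vec, mod=MOD):
    """One block: C = K P (column vector), each component reduced mod 26."""
    return [sum(k * p for k, p in zip(row, vec)) % mod for row in matrix]


def hill_encrypt(plaintext, key=SAMPLE_KEY):
    """Maps m successive letters (a = 0 ... z = 25) to m ciphertext letters."""
    m = len(key)
    nums = [ord(ch) - ord("a") for ch in plaintext.lower() if ch.isalpha()]
    if len(nums) % m:
        raise ValueError("text length must be a multiple of %d" % m)
    out = []
    for i in range(0, len(nums), m):
        out.extend(_mat_vec(key, nums[i:i + m]))
    return "".join(chr(n + ord("A")) for n in out)


def hill_decrypt(ciphertext, key=SAMPLE_KEY):
    """P = K^-1 C: the same linear map with the inverse key."""
    return hill_encrypt(ciphertext, matrix_inverse_mod(key)).lower()


if __name__ == "__main__":
    ct = hill_encrypt("paymoremoney")
    print(ct, "->", hill_decrypt(ct))
    print("inverse key:", matrix_inverse_mod(SAMPLE_KEY))
```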
The periodic nature of the keyword can be eliminated by using a nonrepeating keyword that is
as long as the message itself. Vigenère proposed what is referred to as an autokey system, in
which a keyword is concatenated with the plaintext itself to provide a running key.
Vernam Cipher:
The ultimate defense against such a cryptanalysis is to choose a keyword that is as long as the
plaintext and has no statistical relationship to it. Such a system was introduced by an AT&T
engineer named Gilbert Vernam in 1918.
One-Time Pad:
Joseph Mauborgne proposed an improvement to the Vernam cipher that yields the
ultimate in security. Mauborgne suggested using a random key that is as long as the
message, so that the key need not be repeated. In addition, the key is to be used to
encrypt and decrypt a single message, and then is discarded. Each new message
requires a new key of the same length as the new message. Such a scheme, known as a
one-time pad, is unbreakable. It produces random output that bears no statistical
relationship to the plaintext. Because the ciphertext contains no information whatsoever
about the plaintext, there is simply no way to break the code.
An example should illustrate our point. Suppose that we are using a Vigenère
scheme with 27 characters in which the twenty-seventh character is the space character,
but with a one-time key that is as long as the message. Consider the ciphertext
ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
We now show two different decryptions using two different keys:
Suppose that a cryptanalyst had managed to find these two keys. Two plausible
plaintexts are produced. How is the cryptanalyst to decide which is the correct decryption
(i.e., which is the correct key)? If the actual key were produced in a truly random fashion,
then the cryptanalyst cannot say that one of these two keys is more likely than the other.
Thus, there is no way to decide which key is correct and therefore which plaintext is
correct.
In fact, given any plaintext of equal length to the ciphertext, there is a key that
produces that plaintext. Therefore, if you did an exhaustive search of all possible keys,
you would end up with many legible plaintexts, with no way of knowing which was the
intended plaintext. Therefore, the code is unbreakable.
The one-time pad offers complete security but, in practice, has two fundamental difficulties:
1. There is the practical problem of making large quantities of random keys.
Any heavily used system might require millions of random characters on a regular
basis. Supplying truly random characters in this volume is a significant task.
2. Even more daunting is the problem of key distribution and protection. For
every message to be sent, a key of equal length is needed by both sender and
receiver. Thus, a mammoth key distribution problem exists.
Because of these difficulties, the one-time pad is of limited utility and is useful
primarily for low-bandwidth channels requiring very high security.
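The 27-character Vigenère scheme with a one-time key, as an added example (not the notes' own code): the two candidate plaintexts are constructed for this illustration, and key_for shows the point made above, that for any plaintext of the right length there is a key which turns the notes' ciphertext into it.

```python
"""One-time pad over the 27-character alphabet (a-z plus space) used in the
notes' example. Added example; not the notes' own code. The two candidate
plaintexts below are constructed for illustration."""
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz "   # index 26 is the space character
MOD = len(ALPHABET)


def to_nums(text):
    return [ALPHABET.index(ch) for ch in text.lower()]


def to_text(nums):
    return "".join(ALPHABET[n % MOD] for n in nums)


def random_key(length):
    """A fresh key as long as the message, drawn from the OS CSPRNG."""
    return to_text(secrets.randbelow(MOD) for _ in range(length))


def encrypt(plaintext, key):
    """C = (P + K) mod 27, character by character; written in upper case."""
    if len(key) != len(plaintext):
        raise ValueError("key must be exactly as long as the message")
    return to_text(p + k for p, k in zip(to_nums(plaintext), to_nums(key))).upper()


def decrypt(ciphertext, key):
    """P = (C - K) mod 27."""
    if len(key) != len(ciphertext):
        raise ValueError("key must be exactly as long as the message")
    return to_text(c - k for c, k in zip(to_nums(ciphertext), to_nums(key)))


def key_for(ciphertext, wanted_plaintext):
    """For any plaintext of the same length, the key that 'decrypts' the
    ciphertext to it: K = (C - P) mod 27. With a truly random key, no
    candidate key is more likely than another."""
    if len(wanted_plaintext) != len(ciphertext):
        raise ValueError("plaintext must be exactly as long as the ciphertext")
    return to_text(c - p for c, p in zip(to_nums(ciphertext), to_nums(wanted_plaintext)))


CIPHERTEXT = "ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS"   # from the notes
# Two constructed, equally plausible 43-character plaintexts.
PLAINTEXT_1 = "mr mustard with the candlestick in the hall"
PLAINTEXT_2 = "colonel mustard in the kitchen with a knife"


if __name__ == "__main__":
    for pt in (PLAINTEXT_1, PLAINTEXT_2):
        k = key_for(CIPHERTEXT, pt)
        print("key %r\n -> %s" % (k, decrypt(CIPHERTEXT, k)))
    k = random_key(len(PLAINTEXT_1))
    print(encrypt(PLAINTEXT_1, k), "->", decrypt(encrypt(PLAINTEXT_1, k), k))
```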
Transposition Techniques:
A very different kind of mapping is achieved by performing some sort of permutation on the
plaintext letters. This technique is referred to as a transposition cipher.
RAIL FENCE TECHNIQUE:
The simplest such cipher is the rail fence technique, in which the plaintext is written down as
a sequence of diagonals and then read off as a sequence of rows.
For example, to encipher the message “meet me after the toga party” with a rail fence of
depth 2 we write the following:
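The rail fence written along the diagonals and read off row by row, as an added example that is not part of the notes, generalized to any depth and with decryption; the default depth of 2 matches the message above.

```python
"""Rail fence cipher for any depth, with decryption. Added example, not the
notes' own code; default depth 2 matches the notes' example."""


def rail_pattern(length, depth):
    """Rail index of each plaintext position as the letters zigzag down the
    diagonals: 0, 1, ..., depth-1, depth-2, ..., 1, 0, 1, ..."""
    if depth < 2:
        return [0] * length
    cycle = 2 * (depth - 1)
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_fence_encrypt(plaintext, depth=2):
    """Write the letters along the diagonals, then read them off rail by rail."""
    letters = [ch for ch in plaintext.lower() if ch.isalpha()]
    rails = rail_pattern(len(letters), depth)
    rows = ["".join(ch for ch, r in zip(letters, rails) if r == rail) for rail in range(depth)]
    return "".join(rows).upper()


def rail_fence_decrypt(ciphertext, depth=2):
    """Rebuild the zigzag: the i-th ciphertext letter belongs to the i-th
    position when positions are sorted by rail (a stable sort keeps the order)."""
    text = ciphertext.lower()
    rails = rail_pattern(len(text), depth)
    order = sorted(range(len(text)), key=lambda i: rails[i])
    out = [""] * len(text)
    for ch, position in zip(text, order):
        out[position] = ch
    return "".join(out)


if __name__ == "__main__":
    ct = rail_fence_encrypt("meet me after the toga party")
    print(ct, "->", rail_fence_decrypt(ct))
```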
danger. A gray symbol with a question mark means that there is no rating due to a
lack of sufficient data. Figure(a) shows that WOT provides a safe rating for each
website in the search.
UNIFORM RESOURCE LOCATOR (URL) FILTERING:
URL filters check hyperlinks and URLs for specific commands, keywords, and malicious code.
This type of filtering is usually utilized by web and email scanning engines. Internet
Explorer (IE), Chrome, and Firefox all provide phishing filters. Phishing and malware protection is
accomplished by checking the site that is being visited against lists of reported phishing and
malware sites. These lists are automatically downloaded and updated by browsers, so when the
phishing and malware protection features are enabled, browsers can provide warnings.
The Location of a List of Phishing Sites:
PhishTank (http://www.phishtank.com/) is a collaborative clearing house for data and
information about phishing on the Internet. One can also query or browse this phishing site list.
The Configurations of Phishing Protection Features Employed in Firefox and Internet
Explorer (IE): Firefox provides options for security by checking the two items in the green box.
When installing Firefox, these options are enabled by default. In IE8, the feature is configured by
checking SmartScreen in the Advanced tab of Internet Options. SmartScreen is enabled by
default during the installation process.
The Manner in Which Phishing Site Warnings Are Displayed in IE and Firefox:
IE7 not only clearly labels the site as a phishing site in the red area at the top of the page, but also
indicates that HTTPS is not used; a site like PayPal would certainly use HTTPS.
Unfortunately, it is probably too late for an individual who reaches this point, since the malicious
scripts will undoubtedly be loaded onto their machine when the site is accessed. IE8 provides a
clear warning on the screen.
The Use of a Browser Filter to Block a Phishing Site:
Since a browser may not be able to download its phishing site list in time, a phishing/malware
site may still evade the filtering process. A user should always take precautions, since a
phishing website may emerge at any moment, and in this situation the browser filter is always an
afterthought.
THE OBFUSCATED URL AND THE REDIRECTION TECHNIQUE:
Two of the most common techniques employed in phishing are the confusing/obfuscated URL and
the redirection technique.
For example, the following URLs appear to be an ebay site since ebay is prominently displayed
in the listing.
http://ebay.hut2.ru
The other technique is redirection, which is illustrated in the following
URL:
http://www.paypal.com/url.php?url = “http://phishing.com”
In this case Paypal appears to be the site, but then it is redirected to phishing.com. This latter
technique is an effective phishing approach, since it appears that a legitimate site is being
visited while, in fact, redirection to a phishing site is actually taking place.
WEB-BASED ATTACKS:
The vulnerabilities in web-based attacks are manifested in a variety of ways. For example,
the inadequate validation of user input may occur in one of the following attacks: Cross-
Site Scripting (XSS or CSS), HTTP Response Splitting or SQL Injection.
HTTP RESPONSE SPLITTING ATTACKS:
HTTP response splitting occurs when:
o Data enters a web application through an untrusted source, most frequently an
HTTP request.
o The data is included in an HTTP response header sent to a web user without
being validated for malicious characters.
At its root, the attack is straightforward: an attacker passes malicious data to a
vulnerable application, and the application includes the data in an HTTP response header.
HTTP response splitting attacks may happen where the server script embeds user data
in HTTP response headers without appropriate sanitation.
This typically happens when the script embeds user data in the redirection URL of a
redirection response (HTTP status code 3xx), or when the script embeds user data in a
cookie value or name when the response sets a cookie.
Attacker uses a web server, which has a vulnerability enabling HTTP response splitting,
and a proxy/cache server in a HTTP response splitting attack.
HTTP response splitting is the attacker's ability to send a single HTTP request that forces the
web server to form an output stream, which is then interpreted by the target as two HTTP
responses instead of one response.
FIGURE: Attacker uses the a.com web server, which has a vulnerability enabling HTTP
response splitting, and a proxy/cache server in an HTTP response splitting attack. A
victim will retrieve the cached second response when accessing a.com.
Steps
1. An attacker sends two HTTP requests to the proxy server.
2. The proxy server forwards the two HTTP requests to the a.com web server.
3. The a.com web server sends back one HTTP response to each request, and the
proxy only accepts the first response message.
4. The proxy server interprets the accepted response as two HTTP response messages:
   a) The first request is matched to the first response, a 302 (redirection) response.
   b) The second request (http://a.com/index.html) is matched to the second
   response, a 200 response whose content is 26 bytes of HTML.
5. A victim sends a request to http://a.com/index.html.
6. The victim receives the second response message. The problem is that the content in
the second response can be any script that will be executed by the browser.
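The mechanism in the steps above, as an added example (not the notes' own code): a redirect builder that copies an untrusted url value into the Location header, a proxy-style reader that shows the resulting output stream being taken as two responses, and the header-value check that closes the hole. The injected request value is constructed for the illustration.

```python
"""HTTP response splitting: a 3xx redirect whose Location header is built from
an untrusted request value, a proxy-style reader that shows the output stream
being taken as two responses, and the validation that closes the hole. Added
example, not the notes' own code; the injected value is constructed."""
import re

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_redirect_vulnerable(url):
    """Embeds the user-supplied value in the redirect header without checks."""
    return ("HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n" % url).encode("latin-1")


def is_safe_header_value(value):
    """A header value may not contain CR, LF or other control characters;
    with them the sender ends the header block and starts a second response."""
    return CONTROL_CHARS.search(value) is None


def build_redirect_safe(url):
    if not is_safe_header_value(url):
        raise ValueError("control character in Location value")
    return build_redirect_vulnerable(url)


def parse_responses(stream):
    """Read the stream as a proxy or cache does: status line, headers, then
    Content-Length body bytes; repeat while another response follows."""
    responses, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        head = stream[pos:end].decode("latin-1").split("\r\n")
        status = head[0]
        if not status.startswith("HTTP/"):
            break                      # leftover bytes, not another response
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        responses.append({"status": status, "headers": headers, "body": body})
        pos = end + 4 + length
    return responses


# Constructed request value: a URL, then CRLFs that close the first response,
# then a complete second response carrying 26 bytes of attacker-chosen HTML.
INJECTED_URL = ("http://a.com/\r\nContent-Length: 0\r\n\r\n"
                "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "Content-Length: 26\r\n\r\n<html>injected page</html>")


if __name__ == "__main__":
    for r in parse_responses(build_redirect_vulnerable(INJECTED_URL)):
        print(r["status"], r["body"])
    print("injected value passes the check:", is_safe_header_value(INJECTED_URL))
```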
CROSS-SITE REQUEST FORGERY (CSRF OR XSRF):
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to
execute unwanted actions on a web application in which they're currently authenticated.
CSRF attacks specifically target state-changing requests, not theft of data, since the
attacker has no way to see the response to the forged request. With a little help of social
engineering (such as sending a link via email or chat), an attacker may trick the users of
a web application into executing actions of the attacker's choosing. If the victim is a
normal user, a successful CSRF attack can force the user to perform state changing
requests like transferring funds, changing their email address, and so forth. If the victim is
an administrative account, CSRF can compromise the entire web application.
Cookies are small files which are stored on a user's computer. They are
designed to hold a modest amount of data specific to a particular client and website, and
can be accessed either by the web server or the client computer.
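The cookie behaviour just described is what makes CSRF work: the browser attaches the session cookie to any request aimed at the site, whoever authored the form. The following added example (not the notes' own code; SessionStore and Request are constructed stand-ins for a framework's session and request objects) shows a state-changing handler that trusts the cookie alone beside one that also demands a per-session token.

```python
"""CSRF: the browser attaches the session cookie to every request for the
site, so a state-changing request authored by another origin is accepted
unless the server also requires a per-session synchronizer token. Added
example, not the notes' own code; SessionStore and Request are constructed
stand-ins for a web framework's session and request objects."""
import hmac
import secrets


class SessionStore:
    """Server side: session cookie value -> {user, csrf_token}."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
        return cookie

    def get(self, cookie):
        return self._sessions.get(cookie)


class Request:
    def __init__(self, cookie, form):
        self.cookie = cookie   # sent automatically by the browser with the request
        self.form = form       # fields chosen by whoever authored the form


def transfer_vulnerable(store, req):
    """Trusts the cookie alone, so a form on any page the user visits can
    trigger the transfer."""
    session = store.get(req.cookie)
    if session is None:
        return "401 not logged in"
    return "200 transferred %s from %s to %s" % (req.form["amount"], session["user"], req.form["to"])


def transfer_protected(store, req):
    """Also requires the session's token, which only a page served by the site
    itself can embed in its form; constant-time compare avoids timing leaks."""
    session = store.get(req.cookie)
    if session is None:
        return "401 not logged in"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session["csrf_token"]):
        return "403 missing or invalid CSRF token"
    return "200 transferred %s from %s to %s" % (req.form["amount"], session["user"], req.form["to"])


def demo():
    """Constructed scenario: alice is logged in; one form comes from a
    third-party page (no token), one from the site itself (token embedded)."""
    store = SessionStore()
    cookie = store.login("alice")
    forged = Request(cookie, {"to": "mallory", "amount": "1000"})
    genuine = Request(cookie, {"to": "bob", "amount": "10",
                               "csrf_token": store.get(cookie)["csrf_token"]})
    return {
        "vulnerable_forged": transfer_vulnerable(store, forged),
        "protected_forged": transfer_protected(store, forged),
        "protected_genuine": transfer_protected(store, genuine),
        "protected_no_session": transfer_protected(store, Request("bogus", {})),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-22s %s" % (name, result))
```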
FIGURE(b) The attacker employs the user name: administrator’ #.
SQL INJECTION DEFENSE TECHNIQUES:
SQL injection can be defended against by filtering the query to eliminate malicious syntax, which involves the
use of tools in order to
a) scan the source code using, e.g., Microsoft SQL Source Code Analysis Tool,
b) scan the URL using e.g., Microsoft UrlScan,
c) scan the whole site using e.g., HP Scrawlr, and
d) sanitize user input forms through secure programming.
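Item d), sanitizing input through secure programming, as an added example (not the notes' own code) over an in-memory SQLite table: the login check built by string concatenation beside the parameterized form, plus an allow-list check on the user name field. The user name from FIGURE(b) is reproduced with SQLite's comment marker (--) in place of MySQL's #.

```python
"""SQL injection defense: the same login check built by string concatenation
and with parameterized placeholders, over an in-memory SQLite table. Added
example, not the notes' own code; users and passwords are constructed. The
figure's user name uses MySQL's '#' comment; SQLite's comment marker is '--'."""
import re
import sqlite3

# Constructed input in the style of FIGURE(b): closes the quoted name and
# comments out the rest of the WHERE clause.
INJECTED_NAME = "administrator' --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("administrator", "s3cret-example", "admin"),
                      ("alice", "alice-example", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """User input is pasted into the SQL text, so a quote in the input ends
    the string literal and the rest of the input becomes SQL."""
    sql = ("SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, name, password):
    """Placeholders: the driver passes the values separately from the query
    text, so quotes and comment markers in the input stay data."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def is_valid_username(name):
    """Input-form validation (item d above): allow-list of characters and a
    length limit, applied before the value ever reaches the database."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_vulnerable(db, INJECTED_NAME, "anything"))
    print("parameterized:", login_parameterized(db, INJECTED_NAME, "anything"))
    print("valid name?  :", is_valid_username(INJECTED_NAME))
```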
Buffer Overflow:
A buffer overflow occurs when a program or process tries to store more data in a buffer
(temporary data storage area) than it was intended to hold. Since buffers are created to contain
a finite amount of data, the extra information, which has to go somewhere, can overflow into
adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur
accidentally through programming error, buffer overflow is an increasingly common type of
security attack on data integrity.
In buffer overflow attacks, the extra data may contain code designed to trigger specific
actions, in effect sending new instructions to the attacked computer that could, for example,
damage the user's files, change data, or disclose confidential information. Buffer overflow attacks
are said to have arisen because the C programming language supplied the framework, and poor
programming practice supplied the vulnerability. A buffer overflow vulnerability was
discovered in Microsoft Outlook and Outlook Express. A programming flaw made it possible for
an attacker to compromise the integrity of the target computer simply by sending an e-mail
message.
Unlike the typical e-mail virus, users could not protect themselves by not opening
attached files; in fact, the user did not even have to open the message to enable the attack. The
program's message header mechanisms had a defect that made it possible for senders to
overflow the area with extraneous data, which allowed them to execute whatever type of code
they desired on the recipient's computer. Because the process was activated as soon as the
recipient downloaded the message from the server, this type of buffer overflow attack was very
difficult to defend against. Microsoft has since created a patch to eliminate the vulnerability. Buffer
overflow vulnerabilities are one of the most common vulnerabilities. These kinds of vulnerabilities
are perfect for remote access attacks because they give the attacker a great opportunity to
launch and execute their attack code on the target computer. A buffer overflow attack occurs
when the attacker intentionally enters more data than a program was written to handle. The data
runs over and overflows the section of memory that was set aside to accept it. The extra data
overwrites another portion of memory that was meant to hold something else, like part
of the program's instructions. This allows an attacker to overwrite data that controls the program
and take over control of the program to execute the attacker's code instead of the program's.
In exploiting the buffer overflow vulnerability, the main objective is to overwrite some control
information in order to change the flow of control in the program. The usual way of taking
advantage of this is to modify the control information to give authority to code provided by the
attacker to take control.
The stack is a section of memory used for temporary storage of information. In a stack-
based buffer overflow attack, the attacker adds more data than expected to the stack,
overwriting data. For example, "Let's say that a program is executing and reaches the stage
where it expects to use a postal code or zip code, which it gets from a Web-based form that
customers filled out." The longest postal code is fewer than twelve characters, but on the web
form, the attacker typed in the letter "A" 256 times, followed by some other commands. The data
overflows the buffer allotted for the zip code and the attacker's commands fall into the stack.
After a function is called, the address of the instruction following the function call is pushed onto
the stack to be saved so that the function knows where to return control when it is finished.
A buffer overflow allows the attacker to change the return address of a function to a point in
memory where they have already inserted executable code. Then control can be transferred to the
malicious attack code contained within the buffer, called the payload. The payload is normally a
command to allow remote access or some other command that would get the attacker closer to
having control of the system. The best defense against any of these attacks is to have perfect
programs. In ideal circumstances, every input in every program would do bounds checks to allow
only a given number of characters. Therefore, the best way to deal with buffer overflow problems
is to not allow them to occur in the first place.
Format String:
Buffer overflows aren't the only type of bug that can control a process. Another fairly
common programming error is the situation in which a user can control the format parameter to a
function, such as printf() or syslog(). These functions take a format string as a parameter that
describes how the other parameters should be interpreted. For example, %d specifies that
a parameter should be displayed as a signed decimal integer, while %s specifies that a
parameter should be displayed as an ASCII string. Format strings give you a lot of control over
how data is to be interpreted, and this control can sometimes be abused to read and write
memory in arbitrary locations.
To take advantage of format string vulnerability, an attacker gets a computer to display a
string of text characters with formatting commands. By carefully manipulating the formatting
commands, the attacker can trick the computer into running a program. "Format string bugs are
the new trend in computer security vulnerabilities." In the C programming language there are a
number of functions which accept a format string as an argument. These functions include fprintf,
printf, sprintf, snprintf, vfprintf, vprintf, vsprintf, vsnprintf, setproctitle, syslog and others.
Format String Vulnerability Attacks:
Format string vulnerability attacks fall into three categories:
a) Denial of service
b) Reading
c) Writing
Format string vulnerability denial of service attacks are characterized by utilizing multiple
instances of the %s format specifier to read data off of the stack until the program
attempts to read data from an illegal address, which will cause the program to crash.
printf(userName);
The attacker could insert a sequence of format specifiers, making the program show the
memory address where a lot of other data are stored; then, the attacker increases the
possibility that the program will read an illegal address, crashing the program and causing
its non-availability.
printf("%s%s%s%s%s%s%s%s%s%s%s%s");
Format string vulnerability reading attacks typically utilize the %x format specifier to print
sections of memory that the attacker would not normally have access to.
Format string vulnerability writing attacks utilize the %d, %u or %x format specifiers to
overwrite the instruction pointer and force execution of user-supplied shell code.
Figure(b) Sending Data over TCP
TCP session hijacking is when a hacker takes over a TCP session between two machines.
Since most authentication only occurs at the start of a TCP session, this allows the hacker to
gain access to a machine.
A popular method is using source-routed IP packets. This allows a hacker at point A on the
network to participate in a conversation between B and C by encouraging the IP packets to pass
through its machine. If source routing is turned off, the hacker can use "blind" hijacking (see
figure (c)), whereby it guesses the responses of the two machines. Thus, the hacker can send a
command, but can never see the However, a common command would be to set a password
allowing access from somewhere else on the net. A hacker can also be "inline" between B and
C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle
attack".
UDP Hijacking:
UDP, which stands for User Datagram Protocol, is defined as a connectionless protocol. It offers
a direct way to send and receive datagrams over an IP network. UDP doesn't use sequence
numbers like TCP. It is mainly used for broadcasting messages across the network or for doing
DNS queries. Hijacking a session over User Datagram Protocol (UDP) is exactly the same as
over TCP, except that UDP attackers do not have to worry about the overhead of
managing sequence numbers and other TCP mechanisms. Since UDP is connectionless,
injecting data into a session without being detected is extremely easy.