compiler techniques Flashcards
Vulnerability:
A weakness which allows an attacker to reduce a system’s information
assurance.
Exploit:
A technique that takes advantage of a vulnerability, used by an attacker
to attack a system.
Payload:
Custom code that the attacker wants the system to execute.
Are there more vulnerabilities each year?
Yes
What is the significance of vulnerabilities?
They take longer to remediate
Huge financial and business cost
What are memory safety violations?
buffer overflows and over-reads
dangling pointers
What are input validation errors?
format string attacks
SQL injection
code injection
cross-site scripting in web apps
What are race conditions?
time-of-check-to-time-of-use bugs
symlink races
What are privilege confusion bugs?
cross-site request forgery in web apps
clickjacking
FTP bounce attack
What is privilege escalation?
privilege escalation
What is a side-channel attack?
timing attack
Adware
Displays unwanted advertisements
Ransomware
Blocks the user's data until a ransom is paid.
Spyware
Gathers information about the user and sends it to the attacker
Crimeware
Designed specifically to automate cybercrime
Worms
Propagate to different computers without user intervention
Viruses
Propagate to different computers. Need to be triggered by a user
Trojans
Pretend to do something useful, but mask malicious behaviors
Rootkits
Obtain root privileges to compromise the computer
Backdoor
Allows a remote party to gain access to the computer
Why is C good?
One of the most common languages
Used in many implementations of operating systems, compilers and system
libraries
More efficient compared to other high-level languages, like Java and C#.
Why is C bad?
A major source of software bugs:
Mainly due to more flexible handling of pointers/references.
Lack of strong typing;
Manual memory management. Easier for programmers to make mistakes.
char (8-bit): characters
int (16-bit or 32-bit): signed integers.
For 32-bit int, value range is −2^31 − 1, 2^31 (one bit reserved for
representing 'sign').
long (32-bit or 64-bit): signed integers.
For 64-bit long, value range is −2^63 − 1, 2^63
float (32-bit): single precision floating points
double (64-bit): double precision floating points
pointer
Contains a memory address. Syntax: add "*" to the type name. E.g., int* denotes a type which is a pointer to a memory location containing data of type int. int* x is the same as int *x
&
Get the memory location of a variable
Array
The name of the array is a pointer
For an n-element array, the index starts at 0 and ends at n-1
String
An array of chars
A string must end with a NULL (or '\0'). So an array of char with length n
can hold only strings of length n−1. (The last character in the array is
reserved for NULL.)
char* strcpy (char* dest, char* src)
Copy string src to dest
No checks on whether either or both arguments are NULL.
No checks on the length of the destination string.
int strlen (char* str)
Return the length of the string str
char* strcat (char* dest, char* src)
Append the string src to the end of the string dest.
malloc
Allocates a block of memory
Takes one argument specifying the size (in bytes) of the memory block to
be allocated.
If successful, pointer to the memory block is returned; otherwise, the
NULL value is returned
Memory layout (for many languages)
code area
static data
stack
heap
Code area: fixed size and read only
Static data: statically allocated data
variables/constants
Stack: parameters and local variables of methods as they are invoked
Each invocation of a method creates one frame (activation record) which is pushed
onto the stack
Heap: dynamically allocated data
class instances/data arrays
Stack and heap grow towards each other
Stack in depth
Store local variables (including method parameters) and
intermediate computation results
A stack is subdivided into multiple frames:
A method is invoked: a new frame is pushed onto the stack to store
local variables and intermediate results for this method;
A method exits: its frame is popped off, exposing the frame of its caller
beneath it
Inside a frame for one function
Two pointers:
BP: base pointer. Fixed at the frame base
SP: stack pointer. Current pointer in frame
A frame consists of the following parts:
Function parameters
Return address of the caller function (when the function is finished, execution continues at this return address)
Stack pointer of the caller function
Local variables
Intermediate operands (dynamically grows and shrinks)
What is a buffer overflow?
More input is placed into a buffer than the capacity allocated, overwriting
other information
What if the buffer is on the stack, heap or global data? Overwriting adjacent memory
locations causes:
corruption of program data
unexpected transfer of control
memory access violation
execution of code chosen by attacker
Name common buffer overflow attacks
1988 Morris Worm
2001 Code Red
2003 Slammer
2004 Sasser
What is the problem with strcpy?
It does not check boundaries
What is stack smashing?
(1) Inject the malicious code into the memory of the target program
(2) Find a buffer on the runtime stack of the program, and overwrite the return
address with the malicious address.
(3) When the function is completed, it jumps to the malicious address and runs the
malicious code.
How to set the malicious return address?
Need the absolute address of malicious code, which is sometimes infeasible.
Guess the return address.
Incorrect address can cause system crash
Unmapped address, protected kernel code, data segmentation
Improve the guess chance
Insert many NOP instructions before the malicious code
NOP: does nothing but advance to the next instruction
Injecting shellcode
The worst thing the attacker can do
Run any command they want
Run shellcode: a program whose only goal is to launch a shell
Convert shellcode from C to assembly code, and then store binary to a buffer
Morris Worm
History
Released on 2 November 1988 by Robert Tappan Morris, a graduate
student at Cornell University
Launched from a computer system at MIT, to make the public believe it was
written by MIT students, not Cornell students.
Buffer overflow in sendmail, fingerd network protocol, rsh/rexec, etc.
Impact
~6,000 UNIX machines infected (10% of computers on the Internet)
Cost: $100,000 - $10,000,000
Morris' life
Tried and convicted of violating the Computer Fraud and Abuse Act.
Sentenced to three years' probation, 400 hours of community service,
and a fine of $13,326
Had to quit his PhD at Cornell. Completed a PhD in 1999 at Harvard.
Became a tenured professor at MIT in 2006. Elected to the National
Academy of Engineering in 2019
Worms following the Morris Worm
Code Red (2001)
Targeting Microsoft’s IIS web server. Affected 359,000 machines in 14 hours
SQL Slammer (2003)
Targeting Microsoft’s SQL Server and Desktop Engine database. Affected 75,000 victims in 10 minutes
Sasser (2005)
Targeting LSASS in Windows XP and 2000. Affected around 500,000 machines
Author: 18-year-old German Sven Jaschan. Received 21-month suspended sentence
Conficker (2008)
Targeting Windows RPC. Affected around 10 million machines
Stuxnet (2010)
Targeting industrial control systems, and responsible for causing substantial damage to the nuclear
program of Iran
Flame (2012)
Targeting cyber espionage in Middle Eastern countries