Professional Documents
Culture Documents
com
CHAPTER 1
INTRODUCTION
Network security consists of the policies to prevent and monitor unauthorized access,
misuse, modification, or denial of a computer network and network-accessible resources.
Network security involves the authorization of access to data in a network, which is controlled
by the administrator. Users choose or are assigned an ID and password or other authenticating
information that allows them access to information and programs within their authority. Network
security covers a variety of computer networks that are used in everyday jobs conducting
transactions and communications among businesses. It secures the network, as well as protecting
and overseeing operations being done. The most common and simple way of protecting a
network resource is by assigning it a unique name and a corresponding password.
1.1 OBJECTIVE
The Objective of this system is to forestall code injection attacks which are used by most
of the intruders and hackers to break into a website. To forestall the attack split memory
technique is used, it follows the separation of code and data into different memory spaces. Code
injection attacks may result in the injection of attack code into the data space. However, the
injected code in the data space cannot be fetched for execution as instructions are only retrieved
from the code space. Apart from this, address space layout randomization is also followed to
prevent code injection attacks. Address space layout randomization deals with storing the
contents in the memory randomly instead of storing the entire content in a single memory
location. It prevents the attacker obtaining the entire information as the data are stored as patches
in different parts of memory.
By Students3k.com
CHAPTER 2
SYSTEM ANALYSIS
By Students3k.com
in a single memory location. The intruder or an attacker can be tracked by knowing their
location, IP address,date and time of the attack etc, that are not available in the existing system.
2.2.1 Advantages of Proposed System
Some of the advantages of the proposed system are as follows
Economical Feasibility.
Technical Feasibility.
Social Feasibility.
By Students3k.com
By Students3k.com
CHAPTER 3
SYSTEM SPECIFICATION
Processor
RAM
512 MB.
80 GB.
Keyboard
101 Keys.
Mouse
PS 2 or USB.
Monitor
SVGA/color.
Operating System
Windows XP.
IDE
Web Technologies
Asp.net 3.5.
Language
C#.
Database
By Students3k.com
CHAPTER 4
SOFTWARE DESCRIPTION
4.1 ASP.NET
ASP.NET is a unified Web development model that includes the services necessary for
you to build enterprise-class Web applications with a minimum of coding. You can code your
applications in any language compatible with the common language runtime (CLR), including
Microsoft Visual Basic and C#. These languages enable you to develop ASP.NET applications
that benefit from the common language runtime, type safety, inheritance, and so on.
Event-based
Separation of layout (HTML) and logic (e.g. C#)
Compiled languages instead of interpreted languages
GUI can be composed interactively with Visual Studio .NET
Better state management
Namespaces
ASP.NET uses a concept called namespaces. Namespaces are hierarchical object models
that support various properties and methods. For example, HTML server controls reside in
"System.web.UI.HtmlControls"
namespace,
web
server
controls
reside
in
By Students3k.com
4.2 C#
C# (pronounced see sharp) is a multi-paradigm programming language encompassing
strong typing, imperative, declarative, functional, generic, object-oriented (class-based), and
component-oriented programming disciplines. It was developed by Microsoft within its .NET
initiative. C# is one of the programming languages designed for the Common Language
Infrastructure.
4.2.1 Features of C#
C# is intended to be a simple, modern, general-purpose, object-oriented programming
language. The main features are as follows
By Students3k.com
CHAPTER 5
PROJECT DESCRIPTION
administrator to detect the intruder with their IP address, system name, path, location etc. It
allows the administrator to take necessary action on the intruder.
5.3 MODULE DESCRIPTION
5.3.1 Authentication Phase
This is the first module of all applications which contains the user registration and login
and administrators login. In the previous stages, an unknown user also can block the valid user
account without knowing the password of the account holder. This is one type of intruder. In the
first phase if the user wrongly types the password simultaneously (more than 3 times) then the
login will be transferred to a temporary (fake) account page. The intruder does not know that he
is in a fake page as it resembles original page.
By Students3k.com
By Students3k.com
Injects
Intruder
Code
Forestalling
Code Injection
Attacks
Executable
Code
From
execution
Figure 5.4.1 Level 0 DFD: Overview of forestalling code injection
Description
Intruder injects code into the Forestalling Code Injection system by means of URL or
injecting code in to the execution, but it is not executed. As Code injection is prevented in this
system, executable code is not affected by the intruder.
10
By Students3k.com
Intruder
Code Injection
Attack
Injects Code
Address Space
Authorized
Access
Tracking
Code
& Data
Authentication
Memory Split
Preventing
code Injection
Ip Address,
location, time
date.
Detection
Administrator
User
Intruders code is
not executed
Transaction
Database
Fake Database
Executable
Code
Access the
records
By Students3k.com
Description
Code injection can be prevented with Address space layout randomization phase,
preventing code injection phase. In this intruders attack by means of URL is prevented by ASLR
phase. The intruders cant guess by means of the URL displayed in the Address bar. In the code
injection prevention, the system will run code only when it is inserted from the Administrators IP
address and host name. Thus intruders code is not executed and prevented from huge disaster to
the website.
12
By Students3k.com
ASLR
IP
Injected Code
Executable code
Preventing
code Injection
Dictionary
Attack
Code
Separate
Storage
Code
Authentication
Split Memory
Code Segment
Design
Normal Page
Data Segment
Fake Page
Full Access
Limited Access
Tracking
Reports
Host
name
IP
Transaction
IP
Design
Host
name
Details
Fake Database
Code
Database
Viewing
records
Administrator
Figure 5.4.3 Level 2 DFD: Tracking and Split Memory
13
By Students3k.com
Description
In the tracking phase when intruder perform dictionary attack he is directed to the fake
page. In fake page intruders details are tracked by means of his IP address, location, network
path, host name, etc.,.. Tracked information is send to the administrators view to perform further
actions. Also the memory is split into two segements as code and data segments.
5.5 DATABASE DESIGN
The database design is a must for any application developed especially more for the data
store projects. Since the chatting method involves storing the message in the table, proper
handling of the table is a must.
In this system, login table is designed to be unique in accepting the username and the
length of the username and password should be greater than zero.
5.5.1 Honey Pot Database
To create an account for the user by the administrator
By Students3k.com
15
By Students3k.com
Forestalling Code
Injection
Types of intrusions
Split
Memory
Authentication
Address space
Attacks by intruder
Attacking code
memory to get the
information by
unauthorized
Inserting malicious
code to the website
without admins
permission
Inserting wrong
data or url to the
address space
16
By Students3k.com
17
By Students3k.com
CHAPTER 6
SYSTEM TESTING
6.1 UNIT TESTING
Unit testing verification efforts on the smallest unit of software design, module. This is
known as Module Testing. After testing each every field in the modules, the modules of the
project is tested separately. Unit testing focuses verification efforts on the smallest unit of
software design and field. For example, Username and Password are entered in correct manner
and checked. While filling the details in the register form certain fields are left as empty and
checked. The submit button successfully stores the data in the database. This is done for each and
ecery module individually.
6.2 INTEGRATION TESTING
Integration testing is done to take unit - tested modules and build a program structure
that has been dictated by design. All the modules were integrated after the completion of unit
test.The modules are integrated by moving downward through the control hierarchy, beginning
with the main module. After the successful integration of the modules, the system was found to
be running with no errors. Here, on clicking the submit button the details are updated on to the
database, also an email with user name and password is sent to the user;s mail ID. Similarly
transaction ID is generated, stored in the data base and it is sent to the users mail ID. Thus all
the modules are integrated and are tested successfully.
6.3 VALIDATION TESTING
Validation testing provides the assurance that software meets all functional, behavioural
and performance requirements. Validation testing can be defined as the software functions in a
manner that is expected by the user. This testing verifies that all elements combine properly and
that overall system function and performance is achieved. After the integration of the modules,
the validation test was carried out over by the system. It was found that all the modules work
well together and meet the overall system function and performance.
18
By Students3k.com
CHAPTER 7
SYSTEM IMPLEMENTATION
A software application in general is implemented after navigating the complete life cycle
method of a project. Various life cycle processes such as requirement analysis, design phase,
verification, testing and finally followed by the implementation phase results in a successful
project management. The software application which is basically a web based application has
been successfully implemented after passing various life cycle processes mentioned above.
As the software is to be implemented in a high standard industrial sector, various factors
such as application environment, user management, security, reliability and finally performance
are taken as key factors throughout the design phase. These factors are analyzed step by step and
the positive as well as negative outcomes are noted down before the final implementation.
Security and authentication is maintained in both user level as well as the management
level. The data is stored in Microsoft sql server 2005, which is highly reliable and simpler to use,
the user level security is managed with the help of password options and sessions, which finally
ensures that all the transactions are made securely. The forms are designed in such a way that it
is attractive, convenient and informative. Forms are designed in C#.NET with various features,
which make the console output more pleasing. As the outputs are the most important sources of
information to the users, better design will improve the systems convenience and effectiveness.
The applications validations are made, taken into account of the entry levels available in
various modules. Possible restrictions like number formatting, date formatting and confirmations
for both save and update options ensures the correct data to be fed into the database. Thus all the
aspects are charted out and the complete project study is practically implemented successfully
for the end users.
19
By Students3k.com
CHAPTER 8
CONCLUSION AND FUTURE ENHANCEMENTS
8.1 CONCLUSION
The system is successfully implemented through virtual split of memory and there by
forestalling the code injection attacks. Instead of maintaining single memory space, the memory
is split into two as data and code. Even though an intruder injects a code, the code is injected
only in the data segment and not in the code segment. Thus the code in the data segment remains
unexecuted as the codes are executed only from the code segment. Also the tracking mode
enables the administrator to detect the intruder with their specifications. The system is
implemented in a security application (like banking security); results show the system is
effective in forestalling wide range of code injection attacks.
20
By Students3k.com
APPENDIX
A-I SOURCE CODE
Home.aspx
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;
public partial class Home : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (!Page.IsPostBack)
{
}
}
static int count=0;
protected void log1_Authenticate(object sender, AuthenticateEventArgs e)
{
if (log1.UserName == "Admin" && log1.Password == "Admin")
{
Response.Redirect("Adminhome.aspx");
21
By Students3k.com
}
else if (YourValidationFunction(log1.UserName, log1.Password))
{
Session["User"]=log1.UserName;
e.Authenticated = true;
Response.Redirect("userhome.aspx");
log1.TitleText = "Successfully Logged In";
}
else
{
e.Authenticated = false;
count++;
if (count >= 3)
{
count = 0;
Session["User"] = log1.UserName;
Server.Transfer("MainPage.aspx");
}
}
}
SqlConnection strConnection = new
SqlConnection("server=.\\SQLEXPRESS;database=honeypot;integrated security=true;");
private bool YourValidationFunction(string UserName, string Password)
{
bool boolReturnValue = false;
String SQLQuery = "SELECT UserName, Password FROM Register";
SqlCommand command = new SqlCommand(SQLQuery, strConnection);
SqlDataReader Dr;
strConnection.Open();
Dr = command.ExecuteReader();
while (Dr.Read())
22
By Students3k.com
{
if ((UserName == Dr["UserName"].ToString()) & (Password ==
{
boolReturnValue = true;
}
}
Dr.Close();
return boolReturnValue;
}
protected void lnkRegis_Click(object sender, EventArgs e)
{
Response.Redirect("AdUserAcc.aspx");
}
}
Accountinfo.aspx
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;
public partial class AccountInfo : System.Web.UI.Page
23
Dr["Password"].ToString()))
By Students3k.com
{
protected void Page_Load(object sender, EventArgs e)
{
if (Session["User"] == null)
{
Response.Redirect("Home.aspx");
}
}
SqlConnection con = new
SqlConnection("server=.\\SQLEXPRESS;database=honeypot;integrated security=true;");
SqlCommand cmd;
string em;
protected void lnkView_Click(object sender, EventArgs e)
{
cmd = new SqlCommand("select * from register where username=
'"+Session["User"].ToString()+"' ", con);
con.Open();
SqlDataReader dr = cmd.ExecuteReader();
if (dr.Read())
{
em = dr[5].ToString();
ListBox1.Items.Add("User Name " + dr[0].ToString());
ListBox1.Items.Add("A/c NO " + dr[2].ToString());
ListBox1.Items.Add("Res Address " + dr[3].ToString());
ListBox1.Items.Add("Res Phone " + dr[4].ToString());
ListBox1.Items.Add("Email id " + dr[5].ToString());
Int64 bal = Convert.ToInt64(dr[6].ToString());
string accno = dr[2].ToString();
dr.Close();
SqlCommand cmd1 = new SqlCommand("select sum(amount) from transaction1 where
fromacc= '" + accno.ToString() + "' group by fromacc", con);
24
By Students3k.com
Mainpage.aspx
using System;
using System.Collections;
25
By Students3k.com
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
public partial class MainPage : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void logout_Click(object sender, EventArgs e)
{
Response.Redirect("Home.aspx");
}
protected void lnk1_Click(object sender, EventArgs e)
{
Server.Transfer("Userinfo.aspx");
}
protected void lnk2_Click(object sender, EventArgs e)
{
Server.Transfer("DataReport.aspx");
}
}
26
By Students3k.com
Transfer.aspx
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;
public partial class Transfer : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void btnBack_Click(object sender, EventArgs e)
{
Response.Write("<script>alert('Your Transaction Cancelled..')</script>");
con.Open();
cmd = new SqlCommand("truncate table temptrans", con);
cmd.ExecuteNonQuery();
con.Close();
Response.Redirect("UserHome.aspx");
}
SqlConnection con = new
SqlConnection("server=.\\SQLEXPRESS;database=honeypot;integrated security=true;");
SqlCommand cmd;
27
By Students3k.com
By Students3k.com
}
con.Close();
Response.Write("<script>alert('Your Transaction ID Sent to your mail id..')</script>");
Response.Write("<script>alert('Enter Transaction ID Correctly and Transfer the
Money..')</script>");
}
protected void btnConfirm_Click(object sender, EventArgs e)
{
con.Open();
cmd = new SqlCommand("select * from temptrans where transid='" + txtTransid.Text + "'",
con);
SqlDataReader dr = cmd.ExecuteReader();
if (dr.Read())
{
Response.Write("<script>alert('Amount Transferred Successfully..')</script>");
con.Close();
con.Open();
cmd = new SqlCommand("insert into transaction1 values('" + txtAcc1.Text + "','" + txtAcc2.Text
+ "'," + txtAmount.Text + ")", con);
cmd.ExecuteNonQuery();
con.Close();
con.Open();
cmd = new SqlCommand("truncate table temptrans", con);
cmd.ExecuteNonQuery();
con.Close();
}
else
{
Response.Write("<script>alert('Your Transaction ID is wrongly entered. Pls Check Your Mail
Again.')</script>");
}
29
By Students3k.com
con.Close();
}
}
Dataprocessing.aspx
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
public partial class DataProcessing : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (Session["User"] == null)
{
Response.Redirect("Home.aspx");
}
if (!Page.IsPostBack)
{
lbl1.Text = "Welcome " + Convert.ToString(Session["User"]);
}
}
30
By Students3k.com
Data Report.aspx
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;
using System.Net;
31
By Students3k.com
By Students3k.com
GridView1.EditIndex = e.NewEditIndex;
bind();
}
protected void GridView1_RowUpdating(object sender, GridViewUpdateEventArgs e)
{
string sdata = ((TextBox)GridView1.Rows[e.RowIndex].Cells[2].Controls[0]).Text;
con.Open();
cmd = new SqlCommand("update upload set data ='" + sdata + "' where uname ='" +
Convert.ToString(Session["User"]) + "' and hname='" + Dns.GetHostName().ToString() + "'",
con);
int i = cmd.ExecuteNonQuery();
if (i >= 1)
{
Response.Write("<script>alert('updated')</script>");
}
else
{
Response.Write("<script>alert('updated')</script>");
}
con.Close();
bind();
}
protected void GridView1_RowCancelingEdit(object sender, GridViewCancelEditEventArgs e)
{
GridView1.EditIndex = -1;
bind();
}
}
Fake.aspx
using System;
33
By Students3k.com
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;
using System.IO;
using Steganography;
using System.Drawing;
public partial class Fake : System.Web.UI.UserControl
{
protected void Page_Load(object sender, EventArgs e)
{
}
SqlConnection con = new
SqlConnection("server=.\\SQLEXPRESS;database=honeypot;integrated security=true;");
SqlCommand cmd;
protected void lnkView_Click(object sender, EventArgs e)
{
FileStream File = new FileStream("c:\\new.txt", FileMode.OpenOrCreate, FileAccess.Write,
FileShare.Write);
StreamWriter sr1 = new StreamWriter(File);
sr1.Write("*url");
sr1.Write(Request.Url.AbsoluteUri);
sr1.Write("*");
34
By Students3k.com
sr1.Write(Request.UserHostName);
sr1.Write("*");
sr1.Write(Request.ApplicationPath);
sr1.Write("*");
sr1.Write(Request.FilePath);
sr1.Write("*");
sr1.Write(Request.PhysicalApplicationPath);
sr1.Write("*");
sr1.Write(Request.UserHostAddress);
sr1.Write("*");
sr1.Write(Request.Url.Host);
sr1.Write("*");
sr1.Write(System.Net.Dns.GetHostName());
sr1.Write("*");
sr1.Write(DateTime.Now.ToString());
sr1.Write("<br>");
sr1.Close();
FileStream file1 = new FileStream("c:/new.txt", FileMode.Open, FileAccess.Read);
StreamReader sr11 = new StreamReader(file1);
string pic = "C:/splash.bmp";
string message = sr11.ReadToEnd();
string password = "sa";
string stegoFile = "C:/m2.bmp ";
try
{
ICoverFile cover = new BMPCoverFile(pic);
cover.CreateStegoFile(stegoFile, message, password);
Result("Message hidden successfully");
System.Drawing.Image stegoPic = new Bitmap(stegoFile);
stegoPic.Dispose();
}
35
By Students3k.com
By Students3k.com
}
private void Result(string message)
{
Response.Write(message);
}
protected void ListBox1_SelectedIndexChanged(object sender, EventArgs e)
{
}
}
37
By Students3k.com
38
By Students3k.com
Admin login
Here the admin can login to the system by specifying the correct user name and password.
On entering the correct details, the admin will be redirected to the next page.
Figure 9.2 Admin Login
39
By Students3k.com
40
By Students3k.com
41
By Students3k.com
User Registration
42
By Students3k.com
User Login
43
By Students3k.com
44
By Students3k.com
45
By Students3k.com
By Students3k.com
After Updating
47
By Students3k.com
By Students3k.com
Intruders entry
By Students3k.com
If user enters wrong password three times then the system redirects to the fake page as
given below. The operations are restricted to the intruder.
By Students3k.com
51
By Students3k.com
REFERENCES
[1] A Detailed Description of the Data Execution Prevention Feature in Windows xp Service
Pack 2, Windows xp Tablet pc ed. 2005, and Windows Server 2003,
[2] Intel Corporation, IA-32 Intel Architecture Software Developers Manual Volume 3A:
System Programming Guide, Part 1. Intel Corp., publication number 253668, 2006.
[3]
Buffer
Overflow
Attacks
Bypassing
(nx/xd
bits)Part
2:
Code
Injection,
Proc.
Seventh
USENIX
Security
Conf.,
pp.
63-78,
http://
citeseer.ist.psu.edu/cowan98stackguard.html, 1998.
[5] J. Wilander and M. Kamkar, A Comparison of Publicly Available Tools for Dynamic Buffer
Overflow Prevention, Proc. 10th Network and Distributed System Security Symposium, pp.
149-162,citeseer.ist.psu.edu/wilander03comparison.html, Feb. 2003.
[6] J. von Neumann, First, Draft of a Report on the EDVAC, 1945, reprinted in, The Origins of
Digital Computers Selected Papers, second ed., pp. 355-364, Springer, 1975.
[7] P.C. van Oorschot, A. Somayaji, and G. Wurster, Hardware-Assisted Circumvention of
Self-Hashing Software Tamper Resistance, IEEE Trans. Dependable and Secure Computing,
vol. 2, no. 2, pp. 82-92, Apr. 2005.
[8] H.H. Aiken, Proposed Automatic Calculating Machine, 1937, reprinted in, The Origins of
Digital Computers Selected Papers, second ed., pp. 191-198, Springer, 1975.
[9] H.H. Aiken and G.M. Hopper, The Automatic Sequence Controlled Calculator, 1946,
reprinted in, The Origins of Digital Computers Selected Papers, second ed., pp. 199-218,
Springer, 1975.
[10] Skape and Skywing, Bypassing Windows Hardware-Enforced, Uninformed, vol. 2,
http://www.uninformed.org, Sept. 2005.
52