ShellCode

Shellcode: creates a shell that lets the attacker execute any code they want.

Whose privileges are used when attacker code is executed?
・The host program’s
・System service or OS root privileges

Return-to-libc: the return address is overwritten to point to a standard library function.

Heap Overflows: data stored in the heap is overwritten; the data can be tables of function pointers.

OpenSSL Heartbleed Vulnerability: reads much more of the buffer than just the data; the extra bytes may include sensitive data.

Stack protection

Canary for tamper detection
– injected code, return address, canary, passwordok, userid, password
No code execution on stack

Thwarting Buffer Overflow Attacks
– Address space layout randomization (ASLR)
randomizes the stack, heap, libc, etc. This makes it harder for the attacker to find important locations (e.g., the address of a libc function).

Use a non-executable stack coupled with ASLR. This solution uses OS/hardware support.

argc, argv, return address, allowlogin, pwdstr, targetpwd

Heap Overflow

Buffer overflows that occur in the heap data area
-typical heap manipulation functions: malloc()/free()

Higher Address: Stack
Lower Address: Heap

char* p = malloc(256);		/* 256-byte heap buffer */
memset(p, 'A', 1024);		/* writes 1024 bytes: 768 bytes land past the end of p */

Overwrite the function pointer in the adjacent buffer
Before heap overflow, after heap overflow

Programming language choice is crucial
the language…
should be strongly typed
should do automatic bounds checks
should do automatic memory management
Examples of safe languages: Java, C++, Python

Defense Against Buffer Overflow Attacks
why are some languages safe?
buffer overflow becomes impossible due to runtime system checks
the drawback of secure languages
possible performance degradation

Using unsafe languages:
check input (All input is EVIL)
use safer functions that do bounds checking
use automatic tools to analyze code for potentially unsafe functions

Defense Against Buffer Overflow Attacks
Analysis tools…
can flag potentially unsafe functions/constructs
can help mitigate security lapses, but it is really hard to eliminate all buffer overflows

Attacker Code Execution

We type a correct password of less than 12 characters:
The login request is allowed.
Now let us type “BadPassWd” when we are asked to provide the password:
The login request is rejected.

We can carefully overflow the return address so it contains the value of an address where we put some code we want executed.

ShellCode
create a shell which allows it to execute any code the attacker wants

Whose privileges are used when attacker code is executed?
-the host program’s
-system service or OS root privileges

National Vulnerability Database (NVD)

Variations of buffer overflow
-return-to-libc: the return address is overwritten to point to a standard library function
-heap overflows: data stored in the heap is overwritten. The data can be tables of function pointers.
-OpenSSL Heartbleed vulnerability: reads much more of the buffer than just the data; the extra bytes may include sensitive data.
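
The Heartbleed over-read noted above comes down to one missing comparison between the payload length a heartbeat message claims and the number of bytes that actually arrived. The C code below is an added example, not OpenSSL's code and not part of the original notes; it follows the RFC 6520 message layout (type, 2-byte length, payload, at least 16 bytes of padding), and the function names and the two sample records are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* type (1 byte) + payload_length (2 bytes, big-endian) */
#define HB_PADDING 16  /* minimum padding required after the payload */

/* Constructed samples: an honest request, and one claiming 0x4000 payload bytes. */
static const uint8_t HB_OK[23]  = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t HB_BAD[20] = {1, 0x40, 0x00, 'x'};

/* Bytes past the end of the record that a length-trusting echo would read. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;
    size_t end = HB_HEADER + (((size_t)rec[1] << 8) | rec[2]);
    return end > rec_len ? end - rec_len : 0;
}

/* Build the reply in out; returns its length, or -1 to silently discard. */
int hb_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != 1)
        return -1;                       /* too short, or not a heartbeat_request */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return -1;                       /* claimed length exceeds what arrived */
    size_t total = HB_HEADER + claimed + HB_PADDING;
    if (total > out_cap)
        return -1;
    out[0] = 2;                          /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING); /* zero padding in this example */
    return (int)total;
}

int main(void)
{
    uint8_t out[64];
    printf("ok reply: %d bytes\n", hb_response(HB_OK, sizeof HB_OK, out, sizeof out));
    printf("bad request: over-read %zu, reply %d\n",
           hb_overread(HB_BAD, sizeof HB_BAD),
           hb_response(HB_BAD, sizeof HB_BAD, out, sizeof out));
    return 0;
}
```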

Software Security

-software vulnerabilities and how attackers exploit them
-defenses against attacks that try to exploit buffer overflows
-secure programming: code “defensively”, expecting it to be exploited. Do not trust the “inputs” that come from users of the software system.

e.g. Buffer overflow – a common and persistent vulnerability
stack buffer overflows,
stacks are used… in function/procedure calls, for allocation of memory for local variables, parameters, control information (return address)

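#include <stdio.h>
#include <string.h>	/* strncmp() is declared in <string.h>, not <strings.h> */

int main(int argc, char *argv[]){
	int allow_login = 0;
	char pwdstr[12];		/* 12-byte stack buffer for the typed password */
	char targetpwd[12] = "MyPwd123";
	/* gets() does no bounds checking (it was removed from the language in C11):
	   input longer than 11 characters overflows pwdstr into neighbouring stack data */
	gets(pwdstr);
	if (strncmp(pwdstr, targetpwd, 12) == 0)
		allow_login = 1;
	if (allow_login == 0)
		printf("Login request rejected");
	else
		printf("Login request allowed");
	return 0;
}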
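
The advice above to "use safer functions that do bounds checking", applied to this login program: the following is an added example, not part of the original notes, which replaces gets() with a bounded fgets() read that rejects overlong input instead of truncating it. The names read_line_bounded, login_allowed and try_login are hypothetical, and the input lines in main() are constructed samples.

```c
#include <stdio.h>
#include <string.h>

#define PWD_MAX 12 /* same size as pwdstr[12] in the page's program */

/* Returns 0 if a whole line fit in buf, -1 on EOF/error or if it was too long. */
static int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n') {
        buf[n] = '\0';
        return 0;
    }
    int c = fgetc(in);            /* no newline stored: look at what follows */
    if (c == '\n' || c == EOF)
        return 0;                 /* the line ended exactly here */
    while (c != '\n' && c != EOF)
        c = fgetc(in);            /* drain the excess; it is never stored */
    return -1;
}

/* The decision comes only from the comparison; there is no flag to overwrite. */
int login_allowed(FILE *in)
{
    static const char targetpwd[PWD_MAX] = "MyPwd123";
    char pwdstr[PWD_MAX];
    if (read_line_bounded(in, pwdstr, sizeof pwdstr) != 0)
        return 0;
    return strncmp(pwdstr, targetpwd, PWD_MAX) == 0;
}

/* Helper for this example: feeds one constructed input line through a temp file. */
int try_login(const char *typed)
{
    FILE *f = tmpfile();
    if (f == NULL) return 0;
    fputs(typed, f);
    rewind(f);
    int ok = login_allowed(f);
    fclose(f);
    return ok;
}

int main(void)
{
    printf("%d %d\n", try_login("MyPwd123\n"), try_login("AAAAAAAAAAAAAAAAAAAAAAAA\n"));
}
```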

Vulnerabilities and attacks

-threat actors exploit vulnerabilities to launch attacks
-attacks lead to compromises or security breaches
-vulnerabilities can be found in software, networks, and humans

Confidentiality, Integrity, Availability -> CIA

what should the good guys do?
prevention, detection, response, recovery and remediation
policy vs. mechanism

Why cyber security

We worry about security when…
we have something of value and there is a risk it could be harmed

Individuals store a lot of sensitive data online
Society relies on the internet; nefarious parties could profit by controlling it

The smart grid relies on cyber systems
whoever controls the grid controls the community infrastructure

Business and government proprietary information is often stored on the internet
unauthorized access could be economically or politically disastrous

What is the security mindset?
Threats, vulnerabilities and attacks
Cybercriminals: want to profit from sensitive data for financial gain
Hacktivists: activists who do not like something you are or something you do
Nation-states: Countries do it for political advantage or for espionage

Information Securities

Security Topics

Security basics
Security management and risk assessment
Software security
Operating systems security
Database security
Cryptography algorithms and protocols
Network authentication and secure network applications
Malware
Network threats and defenses
Web security
Mobile security
Legal and ethical issues
Privacy

Programming experience with C or Java is recommended.
Knowledge of linear algebra and discrete mathematics is also recommended.

Asynchronous

@IBAction func simpleAsynchronousDownload(_ sender: UIBarButtonItem){
	let url = URL(string: BigImages.shark.rawValue)

	let downloadQueue = DispatchQueue(label: "download", attributes: [])

	downloadQueue.async {() -> Void in

		let imgData = try? Data(contentsOf: url!)

		let image = UIImage(data: imgData!)

		DispatchQueue.main.async(execute: {()-> Void in
			self.photoView.image = image
		})
	}
}
func withBigImage(completionHandler handler: @escaping(_ image: UIImage) -> Void){
	
	DispatchQueue.global(qos: .userInitiated).async{() -> Void in
		if let url = URL(string: BigImages.whale.rawValue), let imgData = try? Data(contentsOf: url), let img = UIImage(data: imgData){

			// all set and done, run the completion closure!
			DispatchQueue.main.async(execute: {() -> Void in
				handler(img)
			})
		}

	}
}

GCD Threads

Grand Central Dispatch makes asynchronous programming easier and safer by hiding threads from the developer.

Types of Queues
sync, async

Main Queue

dispatch_get_global_queue()
dispatch_async()

let q = dispatch_get_global_queue(QOS_CLASS_USER_INTERACTIVE, 0)

dispatch_async(q) { () -> Void in
	print("tic")
}
print("tac")

will it crash?

let downloadQueue = dispatch_queue_create("download", nil)

dispatch_async(downloadQueue) { () -> Void in
	let imgData = NSData(contentsOfURL:url!)

	let image = UIImage(data:imgData!)

	self.photoView.image = image
}

@IBAction func synchronousDownload(_ sender: UIBarButtonItem){
	let url = URL(string: BigImages.seaLion.rawValue)
	let imgData = try? Data(contentsOf: url!)
	let image = UIImage(data: imgData!)

	photoView.image = image
}