Tuesday, September 9, 2008

Software Issues

Buffer Overflow: is an application error that occurs when more data is sent to a program than it is designed to handle. The attacker can use this to make the machine execute instructions that were not originally intended. Buffer overflows can be quite dangerous and are one of the most prevalent errors reported on security lists.

Here is a small example of a buffer overflow, but more often something like this example will not occur. The error will be exploited to do something more malicious, like to execute other commands on the machine.



Direct link

Examples: virtual mugging
Slammer Worm

Command Injection: occurs when input is passed directly to an interpreter. Here's a video example:



Direct link

Cross-site Scripting (XSS): occurs when an application running on a web server gathers data from a user in order to steal it.

Failure to handle errors: occurs when a program encounters a problem that it is not prepared to handle. It is up to the programmer to make the program handle all anticipated errors. The programmer should make sure that should the program encounter an error, that it report what the error was before it ends execution.

Failure to protect network traffic Since sensitive information (usernames, passwords, emails, chats) often crosses the network, care should be taken to protect it.





Wireshark Fullscreen

Failure to Store/Protect Data: programmers should keep secret information out of programs (passwords, keys, other sensitive information). Hard coded information can be extracted out of the executable if someone knows how to do this:



Direct Link

Failure to use cryptographically strong random numbers. If the numbers used to encrypt data are easy to guess, then cryptography is useless to hide the information.

Example: Debian OpenSSL

Format string problems occurs whenever the input to certain print functions is not sanitized before it is passed to the function. This could allow an attacker to figure out things about the program and where parts of it lie in memory.



Direct link

Neglecting change control. Developers must be sure that the working system given to a customer represents their intent and that all future updates are well tested and approved.

Improper file access. Users should not have access to sensitive files unless they are the administrators of the machine in question.

Improper use of SSL. If SSL is misconfigured it could allow access to data in an unencrypted state and dangerously give a false sense of security.

Information Leakage besides the direct human factor (``loose lips sink ships'') from a software point of view information could be inadvertently leaked as well. An example of this could be timing attacks. For example, suppose it takes a password authentication program x seconds if the user successfully enters his/her username and password, y seconds if the password is incorrect but the username is correct and z seconds if the username and password are both incorrect. From this, an attacker can indirectly verify the validity of a username and launch a more educated attack on the password system.

Integer bugs exists when an integer used as a variable to indicate the amount of memory is to be allocated is not checked before memory allocation.

Race conditions. Sometimes programs do not execute at the exact time that we think they should. Sometimes processes can stall or slow down while running. An attacker could take advantage of this by switching a file before it is accessed.

SQL Injection occurs when the attacker places commands into the input form that are then executed. It may be used to gain access to sensitive data, to delete data or for other means.

Trusting Network Address Resolution. Unfortunately as we learned earlier, it is not always a good idea to trust protocols like ARP and DNS. We learned that there exist flaws in these protocols that could allow an attacker to insert himself/herself in the middle of the conversation. Here is a video of DNS spoofing.

Unauthenticated Key Exchange. If you do not authenticate the entity with which you are obtaining the key, there is no way to verify its identity.

Use of magic URLs and hidden forms. Unfortunately sometimes a URL contains sensitive information that should not be there. This can be observed by an attacker as the http request goes by. Even though a hidden form might be used by a webprogrammer, an attacker can simply view the source of the webpage in order to gain the sensitive information.

Use of weak password-based systems. If the password is easy to guess, what's the point?



Direct link

Finished product (3 min later)

No comments: