Security Analysis

1
Security Analysis

• What is it?
• Rapidly growing area of computer science.
• Concerned with whether or not a system and its
  communications are secure.
• Why do we study it?
• Difficult to say how a program will behave on a
  given system by simply looking at a program and
  the programmers intentions.
• Need formal methods for reasoning about the
  behaviour of systems.

2
C I A

• Confidentiality
• Ability to hide data. (e.g. Encryption)
• Most obvious security idea ? Attacked most often.
• Integrity
• Ability to ensure that the data is accurate.
• (e.g. Quantum cryptography)
• Availability
• Data is accessible to authorised viewers at all
  times.
• If its too inconvenient to use, it wont be!
• A widely used idea in Security Analysis.
• (Note The ideas of security analysis go beyond
  encryption. )

3
Types of Security Attacks.

• Software Exploits.
• Careless programming / obscure interactions.
• Buffer overflows (Alex will be talking about
  these).
• Insecure communications (e.g. FTP, American
  Satellite).
• Timing Attacks.
• Slow systems.
• Password checking
• SMART Cards
• Denial of Service Attacks.
• Aim is to crash target program / system.
• Aimed at a particular piece of software
• Repeated requests ? Resource starvation.

4
What are the solutions?

• Better Programming.
• Helps us to counter timing attacks.
• Test the systems.
• Formally using logics.
• p-Calculus, ?-Calculus.
• Brute force.
• There isnt always a solution / problems can take
  time to appear.
• Needham-Schroeder was in use for 18 years

5
Buffer Overflow.c (1)

• include ltstdio.hgt
• / global variables /
• int count, address
• int ptr

6
Buffer Overflow.c (1)

• include ltstdio.hgt
• / global variables /
• int count, address
• int ptr
• void funct(void)
• printf("This function is never called...\n")

7
Buffer Overflow.c (2)

• void fill_buffer()
• int buffer10
• ptr buffer

8
Buffer Overflow.c (2)

• void fill_buffer()
• int buffer10
• ptr buffer
• for(count 0 count lt 12 count)
• ptr address
• ptr

9
Buffer Overflow.c (3)

• int main(void)
• address (int) funct
• fill_buffer()
• return 0

10
Buffer Overflow.c (3)

• int main(void)
• address (int) funct
• fill_buffer()
• return 0
• Output
• This function is never called...
• Segmentation Fault

11
Stack organisation

• During a function call

??
12
Stack organisation

• During a function call

FFF
??
Stack grows down-wards
000
13
Stack organisation

• During a function call

FFF
??
Return address
Stack grows down-wards
000
14
Stack organisation

• During a function call

FFF
??
Return address
??
Stack grows down-wards
000
15
Stack organisation

• During a function call

FFF
??
Return address
??
buffer10
Stack grows down-wards
000
16
Stack organisation

• During a function call

FFF
??
Return address
??
buffer10
??
Stack grows down-wards
000
17
Stack organisation

• During a function call

FFF
??
Return address
??
buffer10
??
Stack grows down-wards
000
count 0
18
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 0
19
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 1
20
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 2
21
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 3
22
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 4
23
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 5
24
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 6
25
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 7
26
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 8
27
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 9
28
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 10
29
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 11
30
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 12
31
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
buffer10
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 12
32
Stack organisation

• During a function call

FFF
FFF
??
Return address
??
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 12
33
Stack organisation

• During a function call

FFF
FFF
??
Return address
Stack grows down-wards
Pointer (ptr) copies upwards
000
000
count 12
34
Stack organisation

• During a function call

FFF
??
Return address
Pointer (ptr) copies upwards
000
return
35
Stack organisation

• During a function call

FFF
??
Return address
Pointer (ptr) copies upwards
000
return
36
Stack organisation

• During a function call

FFF
??
Return address
Pointer (ptr) copies upwards
000
return
37
Stack organisation

• During a function call

FFF
??
Return address
Pointer (ptr) copies upwards
0x8048410
000
return
38
Stack organisation

• During a function call

??
Return address
0x8048410
return
39
Stack organisation

• During a function call

0x8048410
return
40
Stack organisation

• During a function call

0x8048410
return
41
Stack organisation

• During a function call

0x8048410
return
42
Stack organisation

• During a function call

0x8048410
return
43
Stack organisation

• During a function call

void funct(void) printf("This function is
never called...\n")
0x8048410
return
44
Real Buffer Overflow Attacks

• You cant write the functions yourself!
• strcpy() provides a similar opportunity
• Provide an unsuitably long input string
• Learn the stack organisation
• Write malicious code into the buffer itself
• Point the return address at your code
• Program executes code, then crashes

45
Solutions?

• Various approaches exist
• Security Analysis relatively successful
• One successful technique uses canaries
• But were not going to explain them here
• See the project report for more information
• Also, links available (now) on the website

46
The End

• Please ask lots of questions now...
• Not about canaries though