Application Security
Slide 2
Part 1
Software Security
In previous lessons of the BCSE training program, you were introduced to security and systematic safety.
Today I am presenting another important field of knowledge: understanding software vulnerabilities.
Slide 3
Main content
1. Fundamental concepts
2. Analysis of basic vulnerabilities
3. Practical examples
4. Prevention solutions
5. Some advanced technologies
Let's start with the first part: the fundamental concepts to be grasped and the classification of software vulnerabilities.
Slide 5
As you know, software can only run when it is given an appropriate environment and foundation: the operating system.
Before studying software and its vulnerabilities, we should grasp some basic knowledge about the operating system.
Let's look at this chart describing the architecture of a very popular operating system, Windows. We can see that it is divided into two basic components, User Mode and Kernel Mode, with many dynamic link libraries supplying the APIs that application software uses to implement its functions.
The dynamic link libraries in User Mode are linked to ntdll.dll, which provides the transition between user mode and kernel mode.
Slide 6
User Mode:
Application layer (User Mode) of the operating system
Application software: MS Word, IE, Firefox, Yahoo Messenger, etc.
Permission: Ring 3
Let's study User Mode and Kernel Mode in more detail.
The first and most important one is Kernel Mode.
This is the core of the operating system.
It includes drivers, low-level applications, etc.
Permission: Ring 0
And about User Mode:
This is the application layer of the operating system.
It includes application software: MS Word, IE, Firefox, Yahoo Messenger, etc.
Permission: Ring 3
Slide 7
Ring -1 (Virtualization)
This chart shows the privilege rings in the Windows operating system, with four levels from Ring 0 to Ring 3.
Slide 8
Memory diagram
Windows
x86
32 bit
System DLLs
Stack
Heap
Another important part of the operating system is the management of memory while programs run.
We are considering the Windows operating system running on an x86 microprocessor.
In Random Access Memory (RAM), the system's dynamic link libraries (the Windows DLLs mentioned in the previous slides) are loaded while programs run, alongside the data areas that serve the running application: the Stack and the Heap.
Slide 9
Memory management
8086
Real Mode (Segment:Register).
Can address 20 bits, 64KB.
80286 - …
Virtual Address Mode
Uses a flat 32-bit addressing mechanism
Paging mechanism, enabling management of large physical memory
Segmentation is still maintained but its management is transferred to the operating system.
Windows: 4KB (User Mode) and 4MB (Kernel Mode).
In different microprocessor generations, memory management differs as well.
On the 8086, memory management depended on the actual address, and it could address 20 bits, equivalent to a maximum of 64KB.
From the 80286 onward:
Virtual Address Mode is used.
A flat 32-bit addressing mechanism is used, equivalent to a maximum of 4GB.
There is a paging mechanism, enabling management of large physical memory.
Segmentation is still maintained but its management is transferred to the operating system.
Slide 10
Classification of vulnerabilities
Structure of the system
Application Vulnerability
Kernel Vulnerability
Management of memory
Buffer overflow vulnerabilities
•Stack Overflow
•Heap Overflow
After studying the basic knowledge of the operating system, the foundation that lets software run, we move to the next part of the lesson.
Based on different evaluation criteria, we have different methods of classification.
Based on the structure of the system, we can divide vulnerabilities into two types:
Application Vulnerability.
Kernel Vulnerability.
Based on the management of memory, we can divide them into:
Buffer overflow (stack overflow and heap overflow).
Let's study buffer overflow, which is one of the most common but highly dangerous errors.
First, we should know the definition of a buffer.
A buffer is a data area (in RAM) that is allocated while an application executes.
A buffer overflow fault (BoF) is a software fault that occurs when an amount of data larger than the actual size of the buffer is written into it.
Slide 12
Let's look at this code section and answer a question: does this function have a fault?
Slide 13
#include <string.h>

void demo_function(int i)
{
    char buffer[8];                          /* 8-byte local buffer on the stack */
    /* Deliberately faulty: the string is much longer than 8 bytes and
       strcpy() performs no bounds check, so it writes past the buffer. */
    strcpy(buffer, "AAAAAAAAAAAAAAAAAAAAAAAA");
}

Will the compiler flag this fault?
Will it execute as the programmer expects?
We have just seen how a program that we write can suffer a buffer overflow fault.
Here is an example of a very popular piece of software that also suffers this kind of break during execution.
This picture shows Microsoft Office Word, a very popular text editor.
If vulnerabilities in Word are exploited by a hacker to attack a victim's computer, the consequences can be enormous.
Slide 15
We have just studied buffer overflow vulnerabilities; these are the dangers of such vulnerabilities:
A buffer overflow vulnerability is a buffer overflow fault in software that a hacker can take advantage of to install malware and take control of the system.
A buffer overflow vulnerability enables a hacker to force the software to perform a function it was not designed to perform.
Slide 16
Threats
Speeding up the spread and destructiveness of worms
Code Red (2001) – flaw in IIS
Conficker (2009) – RPC flaw
Stuxnet (2010)
Flame (2012)
Losing control of the system
Theft of sensitive information
Reduced efficiency of the system
Next, we will study methods of attacking and exploiting some software vulnerabilities, specifically buffer overflow vulnerabilities.
Slide 18
Shellcode
A series of instructions written in machine code that can be executed directly; it carries out simple tasks.
Stack Frame
#include <string.h>

void Children(char *in);
void Children2(const char *in);   /* defined elsewhere in the original program */

void Parent(void) {
    // …
    Children("hello");
    Children2("continue");
}

void Children(char *in) {
    char *bar;
    char c[12];
    strcpy(c, in);   /* no bounds check: input longer than 11 bytes overflows c */
    return;
}
Stack Overflow
Children("AAAAAAAA…AAAAAAAAA");
When the input is a string longer than 12 bytes, the declared size of the buffer is exceeded.
We can see that the input string is written past the end of the buffer on the stack, overlapping memory that the program uses for other purposes.
And the program crashes.
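Added example, not code from the lecture: a hardened replacement for the lecture's Children() copy, in C, beside a helper that reports how far an unchecked strcpy() of the same input would overrun the 12-byte buffer. The names children_safe and overflow_bytes and the sample inputs are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 12   /* same size as c[12] in the lecture's Children() */

/* Hardened replacement for the lecture's Children(): copies at most
 * out_size-1 bytes into out and always NUL-terminates it.
 * Returns 0 when the whole input fit, -1 when it had to be truncated
 * (the case where the original strcpy() would have overflowed). */
int children_safe(const char *in, char *out, size_t out_size) {
    size_t len = strlen(in);
    if (out_size == 0) return -1;
    if (len >= out_size) {
        memcpy(out, in, out_size - 1);   /* truncate instead of overflowing */
        out[out_size - 1] = '\0';
        return -1;
    }
    memcpy(out, in, len + 1);            /* fits, including the NUL */
    return 0;
}

/* How many bytes an unchecked strcpy() of `in` would write past the end
 * of a buf_size-byte buffer (0 means the input fits). On the lecture's
 * stack frame those bytes land on `bar`, the saved frame pointer and
 * the return address. */
size_t overflow_bytes(const char *in, size_t buf_size) {
    size_t needed = strlen(in) + 1;      /* include the terminating NUL */
    return needed > buf_size ? needed - buf_size : 0;
}

int main(void) {
    /* constructed inputs: one that fits, one modelled on the slide's run of A's */
    const char *inputs[] = { "hello", "AAAAAAAAAAAAAAAAAAAAAAAA" };
    char c[BUF_SIZE];
    for (int i = 0; i < 2; i++) {
        int rc = children_safe(inputs[i], c, sizeof c);
        printf("input of %zu bytes: %s, overrun would be %zu bytes\n",
               strlen(inputs[i]), rc == 0 ? "fits" : "truncated",
               overflow_bytes(inputs[i], BUF_SIZE));
    }
    return 0;
}
```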
Slide 21
Exploit vulnerabilities
Replace the return address with the address of the shellcode
DEMO
Winamp
Vulnerability
Service software
You have just been introduced to the basics of operating system foundations, the definition of software vulnerabilities, and a real software vulnerability that was detected and exploited.
In the next part, I will talk about vulnerabilities in service software.
Slide 24
As you know, service software is software that provides services on the internet, such as web servers and mail servers.
Some services mentioned next are FTP, mIRC and RPC.
This software can be attacked without any interaction by the user.
This is really dangerous because the victims do not recognize the danger they are facing and do not know at all that they are being attacked.
Besides, one of the reasons service software is an easy target for attackers exploiting its vulnerabilities is that this software opens ports on the system that are not blocked by a firewall.
Slide 25
GET /default.ida?NNNN…NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN…NNNN HTTP/1.0
\\a\..\ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
ccccccccccccccccccccccccccccccccccccccccccccccccccccccc
Vulnerability
Web browser
Another popular kind of software connected to the Internet, and another important target for the exploitation of vulnerabilities, is the web browser.
Slide 29
Web browser
We know relatively many different web browsers with different engines, such as Microsoft's IE, Google's Chrome, Apple's Safari and Firefox, which are well known as popular web browsers.
Despite their different features, from a security perspective all web browsers share the same characteristic: they contain latent vulnerabilities.
Exploiting a latent vulnerability in a web browser is more difficult than exploiting one in service software, because exploiting a browser fault requires interaction by the user.
Slide 30
One example of a buffer overflow vulnerability detected in the Google Chrome web browser is a buffer overflow in the "Save as" function.
This vulnerability was detected in 2008 by Mr. Le Duc Anh, who was then a student doing an internship at the Bkis Network Security Centre.
The cause of this fault: when the user uses the "Save as" function to save a website, the page title is a string of very great length.
Slide 31
Another example is a fault in the IE browser, in Media Encoder, when dealing with a buffer variable of very great size.
Slide 32
DEMO
Chrome
IE 7
Vulnerabilities
Software with FILE formats
However, the danger is that almost no users see a threat in a Word or PDF file.
For them, these are very normal things that have no ability to harm them.
Slide 35
DEMO
Microsoft Word 2003.
Microsoft Excel 2003.
PDF Launch
These are demos of the exploitation of some file-format faults in the software listed above.
Slide 36
Vulnerabilities
Windows Kernel
Blue Screen of Death: all of us have certainly encountered this situation at least once.
So what is the cause of this "death"? Let's study it.
Slide 38
Driver flaws
I have just introduced the definition of software vulnerabilities together with their latent threats.
So what causes these software vulnerabilities, and how can we prevent, fight and limit the hazards they pose?
Slide 40
Causes
Lack of secure programming
Privilege assignment policy
Security policy of the entire system
Not updating patches
Prevention
From the causes mentioned above, we can give some methods of preventing and fighting the appearance of vulnerabilities and their exploitation, as follows:
- Training in secure programming
- An appropriate privilege assignment policy
- Use of IDS, IPS and similar methods
- Updating patches regularly and automatically
Slide 42
The next session covers some advanced technologies related to the exploitation of software vulnerabilities.
Slide 43
SafeSEH
Microsoft uses an algorithm to check the validity of the SEH handler address.
This algorithm is incomplete, which leads to the possibility of bypassing SafeSEH.
DEP
Data Execution Prevention (DEP)
2 modes:
Hardware-enforced DEP
Software-enforced DEP
DEP can run in two modes. Hardware-enforced DEP marks memory pages as data areas where execution is not allowed.
Software-enforced DEP offers more limited protection for CPUs without hardware DEP support.
Slide 47
ASLR
Continuously changes the addresses of storage areas, making a returned address useless.
Microsoft's randomization algorithm is incomplete, which leads to the possibility of a bypass in some cases.
A higher and more effective protection method is ASLR, Address Space Layout Randomization.
- This is a technology that continuously changes the addresses of storage areas, making a returned address useless.
- However, Microsoft's randomization algorithm is incomplete, which leads to the possibility of a bypass in some cases.
Slide 48
Part II
Remote Access Security
In part 2 of our lecture, I will present the threats we face when using remote access.
Slide 49
Remote Access
Remote Desktop
Remote Desktop consists of the following components, which are discussed in detail in
this section:
Remote Desktop Protocol
Client software
Remote Desktop Connection
Remote Desktop Web Connection
The Remote Desktop Protocol (RDP) is a presentation-layer protocol that allows a
Windows-based terminal (WBT) or other Windows-based client to communicate with a
Windows XP Professional–based computer. RDP works across any TCP/IP connection,
including local area network (LAN), wide area network (WAN), dial-up, Integrated
Services Digital Network (ISDN), digital subscriber line (DSL), or virtual private network
(VPN) connections. RDP delivers to the client computer the display and input
capabilities for applications running on a Windows XP Professional–based computer.
---------------
One popular application that we use for remote access is Remote Desktop. This application lets us access a computer running the Windows operating system.
This application uses the RDP protocol.
Slide 50
RDP servers are built into Windows operating systems; an RDP server for Unix and OS
X also exists. By default, the server listens on TCP port 3389 and UDP port 3389
--------------
The RDP server is built into the Windows operating system, and versions exist for Unix and OS X.
By default, RDP is set up on port 3389.
In the chart above, we can see how the remote desktop application operates.
The client authenticates with a username and password to control the remote computer.
Keyboard and mouse actions on the client are sent to the remote computer, where the respective programs are executed, and the desktop image is returned to the client computer.
From the information above, we know that the default port for this protocol is 3389. Thus there is a threat that someone can brute-force the username and password in order to gain control of the remote computer.
Slide 51
Solutions
VPN
Strong password
To deal with the threat above, we can use a VPN: it increases the level of safety compared to allowing everyone to connect to the remote computer.
Part III
Email Security
In part 3 of our lecture, I will talk about another important issue: email security.
Email has become an important thing in work and life and is used by everyone, but not many people clearly recognize the threats of using email.
Slide 53
Mail – Definition
Before studying the latent threats to safety when using email, let's study how email operates.
Applications for sending and receiving email work with the SMTP protocol on port 25, POP3 on port 110 or IMAP on port 143.
Slide 54
This is an operation diagram showing the process when an email is sent from person A to person B.
When A sends email to B, the email goes from A's SMTP server to B's SMTP server.
Next, the email is delivered to B's POP3 or IMAP server.
Slide 55
PGP
One safe and popular application for sending and receiving email is PGP, Pretty Good Privacy.
It uses public-key cryptography, providing the ability to use electronic signatures and to encrypt the content and other information of the email.
The user is provided with one public key and one private key.
Supporting tools are usually integrated into the mail client or used separately.
Slide 57
Threat
Spam
Use of email for advertising
Sending mail bombs
The sender does not know the receiver
The receiver is troubled by it
Poor mail configuration will lead to spam
After studying the operating method and some applications for sending and receiving email, we move to the next session: the latent threats of using email.
First, we mention a problem that anyone has certainly had: spam, as listed on the slide above.
Slide 58
Threats
Hoax
Method: sending announcements warning about a virus, security problem, etc.
Spreads through the anxiety and lack of understanding of users.
Level: rather dangerous
Part IV
Application Security Baselines
Security Checklist
• System investigation
• Network infrastructure
• Applications, software
• Services
• Usage requirements
• Usage procedures
• Network security components
Security Checklist
For example:
Windows patching against Blaster and Sasser
Oracle patching against 80 vulnerabilities (10/2005)
Patches are released quickly to fix vulnerabilities and may not have been fully tested yet.
When too many fixes accumulate, the vendor gathers them together and releases a Service Pack (SP).
Slide 68
The next checklist to implement in order to ensure the safety of the system is the Security Checklist – Network Hardening:
Close unnecessary services
- Network services
- Applications
- Ports
- Protocols
Slide 69
Part V
Network Security Analysis Tool
In part 5 of our lecture, I will present the Network Security Analysis Tools.
Slide 71
Content
Signals of a backdoor
Opens a port for control commands
Creates a connection to a strange IP to receive commands
Your computer can be infected with a backdoor. In practice, backdoors perform the following tasks:
Open a port for control commands
Create a connection to a strange IP to receive commands
Slide 75
Netstat
Fport
TcpView
Netstat
Available in Windows
Command-line interface
Easy to use
TCP connection states (client and server):
LISTEN
SYN_SENT
SYN_RCVD
ESTABLISHED
FIN_WAIT_1
CLOSE_WAIT
FIN_WAIT_2
LAST_ACK
TIME_WAIT
CLOSED
Closing a connection:
The client enters FIN_WAIT_1 and sends a FIN M packet to the server. The server changes to CLOSE_WAIT and replies with ACK M+1. Then the server changes to LAST_ACK and sends a FIN N packet to the client.
After receiving the ACK M+1 packet, the client changes to FIN_WAIT_2.
After receiving the FIN packet, the client changes to TIME_WAIT and sends an ACK N+1 packet to the server.
The server changes to CLOSED, finishing the connection's session.
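Added example, not code from the lecture: a small C checker that applies the two backdoor signals above (an unexpected listening port, a session to an outside IP) to constructed lines in the layout of Windows netstat -an output. The allowlist of expected ports, the sample lines and the function names classify_line and scan_sample are my own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample lines in the layout of Windows "netstat -an" output. */
static const char *SAMPLE_NETSTAT[] = {
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.10:49152     203.0.113.7:6667       ESTABLISHED",
    "  TCP    192.168.1.10:49153     192.168.1.20:445       ESTABLISHED",
};
#define SAMPLE_LINES (sizeof SAMPLE_NETSTAT / sizeof SAMPLE_NETSTAT[0])

/* Ports this host is expected to listen on (assumed baseline for the host). */
static const int EXPECTED_PORTS[] = {135, 139, 445, 3389};

static int is_expected_port(int port) {
    for (size_t i = 0; i < sizeof EXPECTED_PORTS / sizeof EXPECTED_PORTS[0]; i++)
        if (EXPECTED_PORTS[i] == port) return 1;
    return 0;
}

/* Private (RFC 1918) and loopback addresses count as known peers. */
static int is_internal_ip(const char *ip) {
    int a = 0, b = 0;
    if (sscanf(ip, "%d.%d.", &a, &b) != 2) return 0;
    return a == 10 || a == 127 || (a == 192 && b == 168) ||
           (a == 172 && b >= 16 && b <= 31);
}

/* Splits "ip:port" into ip and returns the port, or -1 on a parse failure. */
static int split_endpoint(const char *ep, char *ip, size_t ip_size) {
    const char *colon = strrchr(ep, ':');
    if (!colon || (size_t)(colon - ep) >= ip_size) return -1;
    memcpy(ip, ep, (size_t)(colon - ep));
    ip[colon - ep] = '\0';
    return atoi(colon + 1);
}

/* Classifies one netstat line: 1 = unexpected listener, 2 = session to an
 * external address, 0 = nothing suspicious, -1 = line not parsable. */
int classify_line(const char *line) {
    char proto[8], local[64], remote[64], state[16], ip[64];
    if (sscanf(line, "%7s %63s %63s %15s", proto, local, remote, state) != 4)
        return -1;
    if (strcmp(state, "LISTENING") == 0) {
        int port = split_endpoint(local, ip, sizeof ip);
        return (port > 0 && !is_expected_port(port)) ? 1 : 0;
    }
    if (strcmp(state, "ESTABLISHED") == 0) {
        if (split_endpoint(remote, ip, sizeof ip) < 0) return -1;
        return is_internal_ip(ip) ? 0 : 2;
    }
    return 0;
}

/* Runs the check over the sample; prints each finding and returns the count. */
int scan_sample(void) {
    int hits = 0;
    for (size_t i = 0; i < SAMPLE_LINES; i++) {
        int verdict = classify_line(SAMPLE_NETSTAT[i]);
        if (verdict == 1) { printf("unexpected listener: %s\n", SAMPLE_NETSTAT[i]); hits++; }
        if (verdict == 2) { printf("external session:    %s\n", SAMPLE_NETSTAT[i]); hits++; }
    }
    return hits;
}

int main(void) {
    printf("%d suspicious entries\n", scan_sample());
    return 0;
}
```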
Slide 80
TcpView
After finding information about connections and service ports, we need to consider the IP address to which the computer is connected.
To find information about an IP address, we can use whois services, at the links in the slide.
Slide 83
Content
Port 4444?
Close
Port scanning means checking whether one or more computers have one or more service ports open.
In this diagram, computer A wants to check whether computer B has port 4444 open.
If computer B does not have port 4444 open, a Close result is sent back to computer A.
Slide 85
SuperScan
Nmap
SuperScan
http://www.softpedia.com/get/Network-Tools/Network-IP-Scanner/SuperScan.shtml
Supports a few scanning techniques
Supports banner grabbing
Friendly graphical interface
SuperScan
This is the SuperScan interface, with the configuration for one session, including the IP address or IP range to scan; the results of the scan are the addresses that have open ports, and those ports.
Slide 88
Scanning - Techniques
TCP Scan:
Connect Scan
SYN Scan
XMAS Scan
ACK Scan
FTP Scan
UDP Scan
SYN Scan
SYN
SYN/ACK
RST
As you know, the TCP protocol uses a three-way handshake to establish a connection.
When the client sends a SYN packet for a certain port to the server, if the server replies with a SYN/ACK packet the client knows that the port on the server is open; and if the server replies with RST, it means that the port on the server is closed.
Slide 90
XMAS Scan
RST
The client sends TCP packets for the ports to be scanned with several flags set, such as FIN, URG and PSH. If the server replies with an RST packet, we know that the port on the server is closed.
Slide 91
UDP Scan
UDP Packet
ICMP unreachable
In a UDP scan, a UDP packet is sent; if nothing is sent back, it means the port is open.
If an ICMP unreachable message comes back, it means the port is closed.
Slide 93
Nmap
http://insecure.org/nmap
A powerful port scanning tool
Supports many scanning techniques
Supports banner grabbing
Supports operating system detection
Provides highly accurate results
Command-line and graphical interfaces
Nmap
Content
Sniffing – Definition
Tools
Software
Wireshark
Ettercap => Cain & Abel
TcpDump, WinDump…
Some hardware products
Establishing a security monitoring system
Wireshark
http://www.wireshark.org
Works well in networks using a hub
Supports analysis of many protocols
Strong analysis and statistics capabilities
Let's study the first and a powerful tool, Wireshark.
Wireshark supports more than 800 protocols.
It works well in networks using a hub.
It supports analysis of many protocols.
It has strong analysis and statistics capabilities.
Slide 100
Wireshark
This is the Wireshark interface while it is sniffing and analyzing packets.
We can see the packet sequence number, the time of the packet, the source and destination addresses, as well as the protocol and other detailed information about the packet.
Slide 101
Techniques
Inline mode
Wired LAN sniffing
For a hub: promiscuous mode
For a switch: ARP spoofing
Wireless LAN sniffing: monitor mode
In a network using a hub, when a packet is sent to the hub by any computer, the packet is forwarded to all the other computers connected to the hub.
So for C to sniff packets sent between A and B on the same hub, it merely needs to be connected to the hub.
Slide 103
If computer C wants to eavesdrop on the network, it first needs to change the MAC address mapped to the IP addresses A.A.A.A and B.B.B.B to its own MAC address.
When computer B sends a packet to computer A, the packet is sent to computer C instead of computer A.
Computer C records it and forwards it to computer A.
Similarly, when A sends a packet to B, the packet also goes to C before C forwards it to B.
Thus A and B still exchange packets with each other without realizing that the packets exchanged between them pass through C.
Slide 105
Ettercap
http://ettercap.sourceforge.net
Provides the ability to sniff in networks using a switch
Supports analysis of many protocols to obtain sensitive information such as usernames and passwords.
Ettercap
Preventing sniffing
Encryption
ARP watch
VLAN
Static ARP table
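Added example, not code from the lecture: an ARP-watch style check in C that compares two constructed ARP table snapshots, before and after the poisoning described above, and flags IPs whose MAC changed as well as IPs that now share one MAC (C's). The sample addresses and the function names are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16

/* One ARP cache entry (ip -> mac) parsed from an "arp -a" style line. */
struct arp_entry { char ip[16]; char mac[18]; };

/* Constructed snapshots. Before: each host has its own MAC. After: C
 * (cc-cc-...) has poisoned the cache and now answers for A and B too. */
static const char *SNAPSHOT_BEFORE[] = {
    "192.168.1.1   aa-aa-aa-aa-aa-aa   dynamic",   /* A */
    "192.168.1.2   bb-bb-bb-bb-bb-bb   dynamic",   /* B */
    "192.168.1.3   cc-cc-cc-cc-cc-cc   dynamic",   /* C */
};
static const char *SNAPSHOT_AFTER[] = {
    "192.168.1.1   cc-cc-cc-cc-cc-cc   dynamic",
    "192.168.1.2   cc-cc-cc-cc-cc-cc   dynamic",
    "192.168.1.3   cc-cc-cc-cc-cc-cc   dynamic",
};

/* Parses up to MAX_ENTRIES lines into out; returns how many were parsed. */
int parse_snapshot(const char **lines, int n, struct arp_entry *out) {
    int count = 0;
    for (int i = 0; i < n && count < MAX_ENTRIES; i++)
        if (sscanf(lines[i], "%15s %17s", out[count].ip, out[count].mac) == 2)
            count++;
    return count;
}

/* ARP-watch style check: number of IPs whose MAC differs between the
 * previous and the current snapshot. */
int count_mac_changes(const struct arp_entry *prev, int n_prev,
                      const struct arp_entry *cur, int n_cur) {
    int changes = 0;
    for (int i = 0; i < n_cur; i++)
        for (int j = 0; j < n_prev; j++)
            if (strcmp(cur[i].ip, prev[j].ip) == 0 &&
                strcmp(cur[i].mac, prev[j].mac) != 0) {
                printf("MAC for %s changed: %s -> %s\n",
                       cur[i].ip, prev[j].mac, cur[i].mac);
                changes++;
            }
    return changes;
}

/* Number of IPs that share their MAC with at least one other IP: one
 * host claiming several addresses is the poisoning pattern. */
int count_shared_macs(const struct arp_entry *t, int n) {
    int shared = 0;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++)
            if (i != j && strcmp(t[i].mac, t[j].mac) == 0) { shared++; break; }
    return shared;
}

/* Runs both checks on the constructed snapshots; returns total findings. */
int run_arp_check(void) {
    struct arp_entry before[MAX_ENTRIES], after[MAX_ENTRIES];
    int nb = parse_snapshot(SNAPSHOT_BEFORE, 3, before);
    int na = parse_snapshot(SNAPSHOT_AFTER, 3, after);
    return count_mac_changes(before, nb, after, na) + count_shared_macs(after, na);
}

int main(void) {
    printf("%d findings\n", run_arp_check());
    return 0;
}
```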
Applications
Stealing information
Troubleshooting network incidents
Intrusion detection
Checking the protocols used in the network
Content
Level of danger
Solutions
Regular updates
WSUS
Use investigation tools such as:
Microsoft Baseline Security Analyzer
Secunia Personal Software Inspector
Retina Network Security Scanner
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Scans for missing Microsoft patches
Scans security policy
Supports local scans or scanning computers in a domain.
Secunia Personal Software Inspector is a tool that scans for vulnerabilities in software from many different vendors.
Its advantages are that it is simple and easy to use and tracks applications in real time.
This software only scans the computer it is installed on.
Slide 116
http://www.eeye.com/Retina/
Scans for software vulnerabilities on the computer
Scans the security policy of the system.
Supports local scanning and scanning through the network
Supports 2 types of scanning:
With username/password
Without username/password
Conclusion
Thus, I have just shown you how to check the connections on a computer, as well as the necessary knowledge about port scanning, analyzing network data and scanning computers for vulnerabilities.
Slide 120
Review questions
What information is needed when examining and analyzing the validity of a network connection?
Define port scanning and its applications.
Present some basic port scanning techniques.
Indicate the basic difference between sniffing in a network using a hub and in a network using a switch.
Present the ARP poisoning technique.
Give some solutions for limiting sniffing.
Give the main applications of analyzing data transmitted in the network.
Name some software for scanning computers for vulnerabilities.