UNIT 1

CSS
What is Computer Security?
Computer security, cybersecurity or information technology security (IT security) is the
protection of computer systems and networks from information disclosure, theft of or damage to
their hardware, software, or electronic data, as well as from the disruption or misdirection of the
services they provide.

It is used to:
1) Prevent theft of information.
2) Prevent theft of hardware.
3) Prevent disruption of service.
It includes controlling physical access to the hardware, as well as protecting against the harm
that may come via network access, data, and code injection, intentionally or accidentally.
What are computer security Goals?
The objective of Computer security is to protect information from being stolen, compromised
or attacked. Computer security can be measured by at least one of three goals-
1.Protect the confidentiality of data.
2.Preserve the integrity of data.
3. Promote the availability of data for authorized users.
These goals form the confidentiality, integrity, availability (CIA) triad, the basis of all security
programs. The CIA triad is a security model that is designed to guide policies for information
security within the premises of an organization or company. This model is also referred to as
the AIC (Availability, Integrity, and Confidentiality) triad to avoid the confusion with the
Central Intelligence Agency. The elements of the triad are considered the three most crucial
components of security.
The CIA criteria are one that most of the organizations and companies use when they have
installed a new application, creates a database or when guaranteeing access to some data. For
data to be completely secure, all of these security goals must come into effect. These are
security policies that all work together, and therefore it can be wrong to overlook one policy.

The CIA triad are-

Cyber Security Goals
1. Confidentiality
Confidentiality is roughly equivalent to privacy and avoids the unauthorized disclosure of
information. It involves the protection of data, providing access for those who are allowed to
see it while disallowing others from learning anything about its content. It prevents essential
information from reaching the wrong people while making sure that the right people can get it.
Data encryption is a good example to ensure confidentiality.

Tools for Confidentiality

Encryption
Encryption is a method of transforming information to make it unreadable for unauthorized
users by using an algorithm. The transformation of data uses a secret key (an encryption key)
so that the transformed data can only be read by using another secret key (decryption key). It
protects sensitive data such as credit card numbers by encoding and transforming data into
unreadable cipher text. This encrypted data can only be read by decrypting it. Asymmetric-key
and symmetric-key are the two primary types of encryption.
Access control
Access control defines rules and policies for limiting access to a system or to physical or virtual
resources. It is a process by which users are granted access and certain privileges to systems,
resources or information. In access control systems, users need to present credentials before
they can be granted access such as a person's name or a computer's serial number. In physical
systems, these credentials may come in many forms, but credentials that can't be transferred
provide the most security.
Authentication
An authentication is a process that ensures and confirms a user's identity or role that someone
has. It can be done in a number of different ways, but it is usually based on a combination of-
something the person has (like a smart card or a radio key for storing secret keys),
something the person knows (like a password),
something the person is (like a human with a fingerprint).
Authentication is the necessity of every organizations because it enables organizations to keep
their networks secure by permitting only authenticated users to access its protected resources.
These resources may include computer systems, networks, databases, websites and other
network-based applications or services.
Authorization
Authorization is a security mechanism which gives permission to do or have something. It is
used to determine a person or system is allowed access to resources, based on an access control
policy, including computer programs, files, services, data and application features. It is
normally preceded by authentication for user identity verification. System administrators are
typically assigned permission levels covering all system and user resources. During
authorization, a system verifies an authenticated user's access rules and either grants or refuses
resource access.
Physical Security
Physical security describes measures designed to deny the unauthorized access of IT assets like
facilities, equipment, personnel, resources and other properties from damage. It protects these
assets from physical threats including theft, vandalism, fire and natural disasters.

2. Integrity
Integrity refers to the methods for ensuring that data is real, accurate and safeguarded from
unauthorized user modification. It is the property that information has not be altered in an
unauthorized way, and that source of the information is genuine.
Tools for Integrity
Backups
Backup is the periodic archiving of data. It is a process of making copies of data or data files
to use in the event when the original data or data files are lost or destroyed. It is also used to
make copies for historical purposes, such as for longitudinal studies, statistics or for historical
records or to meet the requirements of a data retention policy. Many applications especially in
a Windows environment, produce backup files using the .BAK file extension.

Checksums
A checksum is a numerical value used to verify the integrity of a file or a data transfer. In other
words, it is the computation of a function that maps the contents of a file to a numerical value.
They are typically used to compare two sets of data to make sure that they are the same. A
checksum function depends on the entire contents of a file. It is designed in a way that even a
small change to the input file (such as flipping a single bit) likely to results in different output
value.
Data Correcting Codes
It is a method for storing data in such a way that small changes can be easily detected and
automatically corrected.

3. Availability
Availability is the property in which information is accessible and modifiable in a timely
fashion by those authorized to do so. It is the guarantee of reliable and constant access to our
sensitive data by authorized people.
Tools for Availability
Physical Protections
Computational Redundancies
Physical Protections
Physical safeguard means to keep information available even in the event of physical
challenges. It ensures sensitive information and critical information technology are housed in
secure areas.
Computational redundancies
It is applied as fault tolerant against accidental faults. It protects computers and storage devices
that serve as fallbacks in the case of failures.
Which components of the computer system needs to be secure?
The components of computer system that needs to be secure are:
1) Hardware- It is the physical part of the computer, like the system memory and disk
drive.
2) Software- It is the program that offers service to the user and administrator, like OS,
MS word etc.
3) Firmware- It is permanent software that runs the processes of the computer and is
mostly invisible to the user, like the start-up functions that make elements of the
hardware work together.
What is Computer Security Problem?
Two factors which contribute to computer security problem:
1)Lots of buggy software.
2) Money can be made from finding and exploiting vulnerabilities.
There is marketplace for vulnerabilities, marketplace for owned machines(PPI) and many
methods to profit from owned client machines.
Computer Attacks
Active attacks: An Active attack attempts to alter system resources or effect their operations.
Active attack involve some modification of the data stream or creation of false statement.
Types of active attacks are as following:
1. Masquerade –
Masquerade attack takes place when one entity pretends to be different entity. A
Masquerade attack involves one of the other form of active attacks.

2. Modification of messages –
It means that some portion of a message is altered or that message is delayed or
reordered to produce an unauthorised effect. For example, a message meaning
 “Allow JOHN to read confidential file X” is modified as “Allow Smith to read
confidential file X”.

3. Repudiation –
This attack is done by either sender or receiver. The sender or receiver can deny
later that he/she has send or receive a message. For example, customer ask his
Bank “To transfer an amount to someone” and later on the sender(customer) deny
that he had made such a request. This is repudiation.
4. Replay –
It involves the passive capture of a message and its subsequent the transmission to
produce an authorized effect.

5. Denial of Service –
It prevents normal use of communication facilities. This attack may have a
specific target. For example, an entity may suppress all messages directed to a
particular destination. Another form of service denial is the disruption of an entire
network wither by disabling the network or by overloading it by messages so as to
degrade performance.
Passive attacks:
A Passive attack attempts to learn or make use of information from the system but does not
affect system resources. Passive Attacks are in the nature of eavesdropping on or monitoring
of transmission. The goal of the opponent is to obtain information is being transmitted. Types
of Passive attacks are as following:
1. The release of message content –
Telephonic conversation, an electronic mail message or a transferred file may
contain sensitive or confidential information. We would like to prevent an
opponent from learning the contents of these transmissions.

2. Traffic analysis –
Suppose that we had a way of masking (encryption) of information, so that the
attacker even if captured the message could not extract any information from the
message.
The opponent could determine the location and identity of communicating host and
could observe the frequency and length of messages being exchanged. This
information might be useful in guessing the nature of the communication that was
taking place.

Difference between Active and Passive Attacks

What are the types of Computer Attacks?
A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to
alter computer code, logic or data and lead to cybercrimes, such as information and identity
theft.
We are living in a digital era. Now a day, most of the people use computer and internet. Due
to the dependency on digital things, the illegal computer activity is growing and changing like
any type of crime.
Computer-attacks can be classified into the following categories:
Types of Computer Attacks
Web-based attacks
These are the attacks which occur on a website or web applications. Some of the important
web-based attacks are as follows-

1. Injection attacks
It is the attack in which some data will be injected into a web application to manipulate the
application and fetch the required information.
Example- SQL Injection, code Injection, log Injection, XML Injection etc.
2. DNS Spoofing
DNS Spoofing is a type of computer security hacking. Whereby a data is introduced into a
DNS resolver's cache causing the name server to return an incorrect IP address, diverting traffic
to the attacker?s computer or any other computer. The DNS spoofing attacks can go on for a
long period of time without being detected and can cause serious security issues.
3. Session Hijacking
It is a security attack on a user session over a protected network. Web applications create
cookies to store the state and user sessions. By stealing the cookies, an attacker can have access
to all of the user data.
4. Phishing
Phishing is a type of attack which attempts to steal sensitive information like user login
credentials and credit card number. It occurs when an attacker is masquerading as a trustworthy
entity in electronic communication.
5. Brute force
It is a type of attack which uses a trial and error method. This attack generates a large number
of guesses and validates them to obtain actual data like user password and personal
identification number. This attack may be used by criminals to crack encrypted data, or by
security, analysts to test an organization's network security.
6. Denial of Service
It is an attack which meant to make a server or network resource unavailable to the users. It
accomplishes this by flooding the target with traffic or sending it information that triggers a
crash. It uses the single system and single internet connection to attack a server. It can be
classified into the following-
Volume-based attacks- Its goal is to saturate the bandwidth of the attacked site, and is measured
in bit per second.
Protocol attacks- It consumes actual server resources, and is measured in a packet.
Application layer attacks- Its goal is to crash the web server and is measured in request per
second.
7. Dictionary attacks
This type of attack stored the list of a commonly used password and validated them to get
original password.
8. URL Interpretation
It is a type of attack where we can change the certain parts of a URL, and one can make a web
server to deliver web pages for which he is not authorized to browse.
9. File Inclusion attacks
It is a type of attack that allows an attacker to access unauthorized or essential files which is
available on the web server or to execute malicious files on the web server by making use of
the include functionality.
10. Man in the middle attacks
It is a type of attack that allows an attacker to intercepts the connection between client and
server and acts as a bridge between them. Due to this, an attacker will be able to read, insert
and modify the data in the intercepted connection.

System-based attacks
These are the attacks which are intended to compromise a computer or a computer network.
Some of the important system-based attacks are as follows-

1. Virus
It is a type of malicious software program that spread throughout the computer files without
the knowledge of a user. It is a self-replicating malicious computer program that replicates by
inserting copies of itself into other computer programs when executed. It can also execute
instructions that cause harm to the system.
2. Worm
It is a type of malware whose primary function is to replicate itself to spread to uninfected
computers. It works same as the computer virus. Worms often originate from email attachments
that appear to be from trusted senders.

3. Trojan horse
It is a malicious program that occurs unexpected changes to computer setting and unusual
activity, even when the computer should be idle. It misleads the user of its true intent. It appears
to be a normal application but when opened/executed some malicious code will run in the
background.
4. Backdoors
It is a method that bypasses the normal authentication process. A developer may create a
backdoor so that an application or operating system can be accessed for troubleshooting or
other purposes.
5. Bots
• The term botnet is derived from the words robot and network.
• A bot in this case is a device infected by malicious code, which then becomes part of
a network, or net, of infected devices controlled by a single attacker or attack group.
A botnet is a collection of internet-connected devices infected by malware that allow hackers
to control them. Cyber criminals use botnets to instigate botnet attacks, which include
malicious activities such as credentials leaks, unauthorized access, data theft and DDoS attacks

Sample Attacks
Discuss various attacks in computer security?
1) Denial of Service attack and Distributed denial of service.
 In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks
to make a machine or network resource unavailable to its intended users by temporarily
or indefinitely disrupting services of a host connected to the Internet.
Services: 1 hour (20$), 24 hours (100$)

Distributed Denial of service attack

2) Click fraud
3) Spam- Spamming is the use of messaging systems to send multiple unsolicited messages
(spam) to large numbers of recipients for the purpose of commercial advertising, for the
purpose of non-commercial advertising, for any prohibited purpose (especially the
fraudulent purpose of phishing), or simply sending the same message over and over to the
same user.
4) Silent Banker
It is a trojan horse. It records keystrokes , capture, screens and steals confidential
banking credential and sends them to a remote attacker

5) Trojan horse
6) Virus
7) Backdoor
8) Worm
9) Bandwidth linking- Network bandwidth denial-of-service (DoS) attacks seek to
consume the available bandwidth or router resources at or near a target host or
 network, such that legitimate traffic cannot reach its destination. ... In wireless
networks, such attacks can also be carried out through radio jamming.
10) Phishing- Phishing is the fraudulent attempt to obtain sensitive information or data,
such as usernames, passwords, credit card numbers, or other sensitive details by
impersonating oneself as a trustworthy entity in a digital communication.[1][2] Typically
carried out by email spoofing,[3] instant messaging,[4] and text messaging, phishing
often directs users to enter personal information at a fake website which matches
the look and feel of the legitimate site.
11) Email Spoofing
12) Man-in-the-middle attack
It is a general term for when a perpetrator positions himself in a conversation between
a user and an application either to eavesdrop or to impersonate one of the parties,
making it appear as if a normal exchange is going underway.
13) Ransomeware- It is a type of malware from cryptovirology that threatens to publish the
victim’s data or perpetually block access to it unless a ransom is paid.
Cryptovirology- It is a field that studies how to use cryptography to design powerful
malicious software.
14) Logic Bomb- It is piece of code intentionally inserted into a software system that will
set off a malicious function when specific conditions are met.
Eg- Deleted important files in 400 branches. Password proteted doen’t mean it cannot
be attacked.
15) Stuxnet
Stuxnet is a malicious computer worm, first uncovered in 2010, thought to have been in
development since at least 2005. Stuxnet targets supervisory control and data acquisition
systems and is believed to be responsible for causing substantial damage to the nuclear
program of Iran.
Security Policies
Security policies are a formal set of rules which is issued by an organization to ensure that the
user who are authorized to access company technology and information assets comply with
rules and guidelines related to the security of information. It is a written document in the
organization which is responsible for how to protect the organizations from threats and how to
handles them when they will occur. A security policy also considered to be a "living document"
which means that the document is never finished, but it is continuously updated as requirements
of the technology and employee changes.

Need of Security policies-

1) It increases efficiency.

The best thing about having a policy is being able to increase the level of consistency which
saves time, money and resources. The policy should inform the employees about their
individual duties, and telling them what they can do and what they cannot do with the
organization sensitive information.

2) It upholds discipline and accountability

When any human mistake will occur, and system security is compromised, then the security
policy of the organization will back up any disciplinary action and also supporting a case in a
court of law. The organization policies act as a contract which proves that an organization has
taken steps to protect its intellectual property, as well as its customers and clients.

3) It can make or break a business deal

It is not necessary for companies to provide a copy of their information security policy to other
vendors during a business deal that involves the transference of their sensitive information. It
is true in a case of bigger businesses which ensures their own security interests are protected
when dealing with smaller businesses which have less high-end security systems in place.

4) It helps to educate employees on security literacy

A well-written security policy can also be seen as an educational document which informs the
readers about their importance of responsibility in protecting the organization sensitive data. It
involves on choosing the right passwords, to providing guidelines for file transfers and data
storage which increases employee's overall awareness of security and how it can be
strengthened.

We use security policies to manage our network security. Most types of security policies are
automatically created during the installation. We can also customize policies to suit our specific
environment.

Write short note on server-side attack and insider attack?

Server-side attack
 1) It is launched directly from an attacker(the client) to a listening service.
2) It seeks to compromise and breach the data and applications that are present on a server.
3) It exploits vulnerabilities in installed services.

Insider Attacks

1) It is a malicious attack executed on a network or computer system by a person with

authorized system access.
2) Insiders that perform attacks have a distinct advantage over external attackers because
they have authorized system access and also may be familiar with network architecture
and system policies/procedures.
3) In addition, there may be less security against insider attacks because many
organizations focus on protection from external attacks.

Explain Marketplace for vulnerabilities?

The vulnerabilities in computer means weakness or flaw existing in a system.

The marketplace for vulnerabilities means a place/market to sell or purchase vulnerabilities.

People are getting more and more interested because money can be made from this. There are
bug bounty programs like

Option 1: bug bounty programs

• Google Vulnerability Reward Program: up to 100K $

• Microsoft Bounty Program: up to 100K $
• Mozilla Bug Bounty program: 500$ - 3000$
• Pwn2Own competition: 15K $

This is white hat hacking.

Option 2:

• This is also for good reason they collect information about vulnerability and inform the
company.
• ZDI, iDefense: 2K – 25K $

Option 3: black market

What is Zero day vulnerability attack?

A zero-day (0day) exploit is a cyber attack targeting a software vulnerability which is unknown to the
software vendor or to antivirus vendors. The attacker spots the software vulnerability before any parties
interested in mitigating it, quickly creates an exploit, and uses it for an attack. Such attacks are highly likely
to succeed because defenses are not in place. This makes zero-day attacks a severe security threat.

Typical targets for a zero-day exploit include:

1. Government departments.

2. Large enterprises.

3. Individuals with access to valuable business data, such as intellectual property.

4. Large numbers of home users who use a vulnerable system, such as a browser or operating
system. Hackers can use vulnerabilities to compromise computers and build massive botnets.

5. Hardware devices, firmware and Internet of Things (IoT).

6. In some cases governments use zero-day exploits to attack individuals, organizations or countries
who threaten their natural security.

Ex- Stuxnet, Sony zero day attack, RSA, Operation Aurora.

How can we defend Zero day vulnerability?

1) Vulnerability Scanning
Vulnerability scanning, by definition, helps businesses identify known vulnerabilities and
security misconfigurations. Eg – Penetration testing.
2) Deployment of a Managed, Intuitive WAF
Modern-day Web Application Firewall (WAF)

3) Keep all system patched and upto date.

4) Deploy Intrusion detection and prevention system.

5) Implement IPsec, the IP security protocol to apply encryption and authentication to

network traffic.
Control Hijacking

A control-hijacking attack overwrites some data structures in a victim program

that affect its control flow, and eventually hijacks the control of the program and
possibly the underlying system. ... It causes some of that data to leak out into
other buffers, which can corrupt or overwrite whatever data they were holding.

Types

1) Buffer overflow attacks

2) Integer overflow attacks

3) Format string vulnerabilities

Buffer overflow

A buffer overflow occurs when data written to a buffer also corrupts data values
in memory addresses adjacent to the destination buffer due to insufficient bounds
checking. This can occur when copying data from one buffer to another without
first checking that the data fits within the destination buffer.
Example
In the following example expressed in C, a program has two variables which are
adjacent in memory: an 8-byte-long string buffer, A, and a two-byte big-
endian integer, B.

char A[8] = "";

unsigned short B = 1979;

Initially, A contains nothing but zero bytes, and B contains the number 1979.

variable name A B

Value [null string] 1979

hex value 00 00 00 00 00 00 00 00 07 BB
Now, the program attempts to store the null-terminated
string "excessive" with ASCII encoding in the A buffer.

strcpy(A, "excessive");

"excessive" is 9 characters long and encodes to 10 bytes including the null

terminator, but A can take only 8 bytes. By failing to check the length of the
string, it also overwrites the value of B:

variable name A B

Value 'e' 'x' 'c' 'e' 's' 's' 'i' 'v' 25856

Hex 65 78 63 65 73 73 69 76 65 00

B's value has now been inadvertently replaced by a number formed from part of
the character string. In this example "e" followed by a zero byte would become
25856.
Writing data past the end of allocated memory can sometimes be detected by the
operating system to generate a segmentation fault error that terminates the
process.
To prevent the buffer overflow from happening in this example, the call
to strcpy could be replaced with strlcpy, which takes the maximum capacity of A
(including a null-termination character) as an additional parameter and ensures
that no more than this amount of data is written to A:

strlcpy(A, "excessive", sizeof(A));

When available, the strlcpy library function is preferred over strncpy which does
not null-terminate the destination buffer if the source string's length is greater
than or equal to the size of the buffer (the third argument passed to the function),
therefore A may not be null-terminated and cannot be treated as a valid C-style
string.

There are two types of Buffer-Overflow:

1) Heap-based buffer overflow-A heap based overflow conditionis a buffer

overflow, where the buffer is allocated in the heap portion of memory.
 2) Stack-based buffer overflow- A stack based buffer overflow is a condition
where the buffer is allocated on the stack.

Stack Overflow

Stack buffer overflow or stack buffer overrun occurs when a program writes
to a memory address on the program's call stack outside of the intended data
structure, which is usually a fixed-length buffer. Stack buffer overflow bugs are
caused when a program writes more data to a buffer located on the stack than
what is actually allocated for that buffer. This almost always results in corruption
of adjacent data on the stack, and in cases where the overflow was triggered by
mistake, will often cause the program to crash or operate incorrectly. Stack buffer
overflow is a type of the more general programming malfunction known as buffer
overflow (or buffer overrun).

A. - Before data is B. - "hello" is the first C. - "AAAAAAAAAAAAAA

copied. command line AAAAAA\x08\x35\xC0\x80"
argument. is the first command line
argument.

Notice in figure C above, when an argument larger than 11 bytes is supplied on

the command line foo() overwrites local stack data, the saved frame pointer, and
most importantly, the return address. When foo() returns it pops the return
address off the stack and jumps to that address (i.e. starts executing instructions
from that address). Thus, the attacker has overwritten the return address with a
pointer to the stack buffer char c[12] , which now contains attacker-supplied data.
In an actual stack buffer overflow exploit the string of "A"'s would instead
be shellcode suitable to the platform and desired function. If this program had
special privileges (e.g. the SUID bit set to run as the superuser), then the attacker
could use this vulnerability to gain superuser privileges on the affected
machine.[3]

Integer Overflow
An integer overflow occurs when an arithmetic operation attempts to create a
numeric value that is outside of the range that can be represented with a given
number of digits – either higher than the maximum or lower than the minimum
representable value.
The most common result of an overflow is that the least significant representable
digits of the result are stored; the result is said to wrap around the maximum
(i.e. modulo a power of the radix, usually two in modern computers, but
sometimes ten or another radix).
An overflow condition may give results leading to unintended behavior. In
particular, if the possibility has not been anticipated, overflow can compromise a
program's reliability and security.
Format String Vulnerability and Prevention with Example

A format string is an ASCII string that contains text and format parameters.
Example:
// A statement with format string
printf("my name is : %s\n", "Akash");

// Output
// My name is : Akash
There are several format strings that specify output in C and many other
programming languages but our focus is on C.

Format string vulnerabilities are a class of bug that take advantage of an easily
avoidable programmer error. If the programmer passes an attacker-controlled buffer
as an argument to a printf (or any of the related functions, including sprintf, fprintf,
etc), the attacker can perform writes to arbitrary memory addresses. The following
program contains such an error:

// A simple C program with format

// string vulnerability
#include<stdio.h>
int main(int argc, char** argv)
{
char buffer[100];
strncpy(buffer, argv[1], 100);

// We are passing command line

// argument to printf
printf(buffer);

return 0;
}
Since printf has a variable number of arguments, it must use the format string to
determine the number of arguments. In the case above, the attacker can pass the
string “%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p” and fool the printf
into thinking it has 15 arguments. It will naively print the next 15 addresses on the
stack, thinking they are its arguments:
$ ./a.out "%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p"
0xffffdddd 0x64 0xf7ec1289 0xffffdbdf 0xffffdbde (nil) 0xffffdcc4
0xffffdc64 (nil) 0x25207025 0x70252070 0x20702520 0x25207025
0x70252070 0x20702520
At about 10 arguments up the stack, we can see a repeating pattern of 0x252070 –
those are our %ps on the stack! We start our string with AAAA to see this more
explicitly:
$ ./a.out "AAAA%p %p %p %p %p %p %p %p %p %p"
AAAA0xffffdde8 0x64 0xf7ec1289 0xffffdbef 0xffffdbee (nil)
0xffffdcd4 0xffffdc74 (nil) 0x41414141
The 0x41414141 is the hex representation of AAAA. We now have a way to pass an
arbitrary value (in this case, we’re passing 0x41414141) as an argument to printf. At
this point we will take advantage of another format string feature: in a format
specifier, we can also select a specific argument. For example, printf(“%2$x”, 1, 2, 3)
will print 2. In general, we can do printf(“%$x”) to select an arbitrary argument to
printf. In our case, we see that 0x41414141 is the 10th argument to printf, so we can
simplify our string1:
$ ./a.out 'AAAA%10$p'
AAAA0x41414141
Preventing Format String Vulnerabilities
 Always specify a format string as part of program, not as an input. Most format
string vulnerabilities are solved by specifying “%s” as format string and not
using the data string as format string
 If possible, make the format string a constant. Extract all the variable parts as
other arguments to the call. Difficult to do with some internationalization libraries
 If the above two practices are not possible, use defenses such
as Format_Guard . Rare at design time.
 Perhaps a way to keep using a legacy application and keep costs down.
Increase trust that a third-party application will be safe.
How can we control hijacking attacks?
Hijacking attacks can be controlled through:
Platform Defences
1. Fix bugs:
– Audit software
• Automated tools: Coverity, Prefast/Prefix.
– Rewrite software in a type safe languange (Java, ML)
• Difficult for existing (legacy) code …
2. Concede overflow, but prevent code execution. Making memory as non-executable.
3. Add runtime code to detect overflows exploits
– Halt process when overflow exploit detected
– StackGuard, LibSafe, …
Run Time Defences
In run-time defences, we tests for stack integrity. We embed “canaries” in stack frame and
verify their integrity prior to function return. There are two types of canaries:
1. Random canary:
 In random canary random string is chosen at program startup.
 It is inserted into every stack frame.
 Then canary is verified before returning from function:
a. Exit program if canary is changed.
b. Turns potential exploit into DoS.
To corrupt, attacker must learn current random string.
2. Terminatory canary:
a. String functions will not copy beyond terminator.
b. Attacker cannot use string functions to corrupt stack.
Heap Protection
a. It protects function pointers and setjump buffers by encrypting them.
b. It has less effective and more noticeable performance effects.
What is Data Execution Prevention(DEP)?
Marking memory as non-execute (DEP)
Prevent attack code execution by marking stack and heap as non-executable
• NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott
– NX bit in every Page Table Entry (PTE)
• Deployment: – Linux (via PaX project); OpenBSD
– Windows: since XP SP2 (DEP)
• Visual Studio: /NXCompat[:NO]
• Limitations:
– Some apps need executable heap (e.g. JITs).
– Does not defend against `Return Oriented Programming’ exploits
What is Return -Oriented Programming attack? How to prevent ROP exploit?
Return-Oriented Programming is a security exploit technique used by attackers to execute code
on their target system. By obtaining control of the call stack, the attacker can control the flow
of existing trusted software running on the computer and manipulate it to their own ends.
It is a security exploit technique that allows an attacker to execute code in the presence of
security defences such DEP.
Prevention from ROP exploit
1. Randomization
ASLR: (Address Space Layout Randomization)
– Map shared libraries to rand location in process memory ⇒ Attacker cannot jump directly
to exec function
– Deployment: (/DynamicBase)
• Windows 7: 8 bits of randomness for DLLs – aligned to 64K page in a 16MB region ⇒ 256
choices
• Windows 8: 24 bits of randomness on 64-bit processors
• Other randomization methods: – Sys-call randomization: randomize sys-call id’s
– Instruction Set Randomization (ISR)

What is JiT spraying?

JIT spraying is a class of computer security exploit that circumvents the protection of address
space layout randomization (ASLR) and data execution prevention (DEP) by exploiting the
behavior of just-in-time compilation. It has been used to exploit PDF format and Adobe Flash.
A just-in-time compiler (JIT) by definition produces code as its data. Since the purpose is to
produce executable data, a JIT compiler is one of the few types of programs that can not be run
in a no-executable-data environment. Because of this, JIT compilers are normally exempt from
data execution prevention. A JIT spray attack does heap spraying with the generated code.
To produce exploit code from JIT, the input program, usually JavaScript or ActionScript, typically
contains numerous constant values that can be erroneously executed as code.

Explain heap spray attack with its techniques?