Web Security
Firewalls, Buffer overflows and proxy servers
System vulnerabilities
- Almost all vulnerabilities come from bugs in the implementation of, or misconfigurations of, the OS and/or applications
- Rarely, a problem with a protocol itself
- Vulnerabilities can lead to:
  - Unauthorized access: attacker gains control of the victim's machine (attacker can log in, read files, and/or make changes to the system)
  - Denial of service against a host (attacker can crash the computer, disable services, etc.)
  - Denial of service against a network (attacker can disrupt routing, flood the network, etc.)
CSI/FBI Computer Crime and Security Survey: statistics (chart not reproduced in the transcript)
Buffer overflows on the stack

func_1() { int a, b;
           func_2(); }

func_2() { int c, d;
           func_3(); }

func_3() { char buf[100];
           read_user_input(buf); }

Stack layout while func_3 is running (the stack grows downward, the buffer is written upward toward the saved addresses):
  a, b               func_1's locals
  func_1's address   return address saved by the call to func_2
  c, d               func_2's locals
  func_2's address   return address saved by the call to func_3
  buf                func_3's 100-byte buffer

The same frame after the attacker's input has been read into buf:
  evil_assembly_code()   sits in buf
  buf's address          has replaced func_2's saved address

Attacker is supplying input to buf... so buf gets a very carefully constructed string containing assembly code, and the overflow overwrites func_2's address with buf's address. When func_3 returns, it will branch to buf instead of func_2.
Exploitations
Stack-based exploitations
- Overwrite a local variable near the buffer to change the behavior of the program
- Overwrite the return address in the stack frame
Heap-based exploitations
- Overwrite heap arrays to change the behavior of the application
- Overwrite malloc pointers, which then overwrite a function pointer (Microsoft JPEG GDI+ vulnerability)
Protection against overflows
- Choice of programming language: C and C++ provide no built-in protection, but the STL offers bounds-aware containers; Java and .NET bytecode environments do runtime checking (safety vs. performance)
- Stack-smashing protection checks that the stack hasn't changed after a procedure call: a canary value placed between the locals and the saved return address is verified before the function returns, and the process is aborted if it has been overwritten
- NX (no execute) permission setting on stack and heap (OpenBSD, Mac OS X), so that code placed in buf cannot be executed even if the return address points at it
- Address space layout randomization keeps attackers from designing overflow kits: the address of buf, which the exploit must hard-code into the overwritten return address, differs from run to run
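The stack slide above and the stack-smashing check on this slide, as an added C example that is not from the lecture. It models func_3's frame as one byte array laid out as buf | canary | saved return address (real frames also hold a saved frame pointer and padding, omitted here), so the overwrite stays well-defined C instead of smashing the real stack. The return address 0x401156, the attacker's guessed buf address 0x7ffc0000d3a0 and the fixed canary are hypothetical; 0x90 bytes stand in for the slide's evil_assembly_code, and no real shellcode is included.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of func_3's stack frame, as one byte array:
 *   offset   0 .. 99   buf[100]            (filled by read_user_input)
 *   offset 100 .. 107  stack canary        (stack-smashing protection)
 *   offset 108 .. 115  saved return address (func_2's address)
 */
#define BUF_SIZE    100
#define CANARY_OFF  BUF_SIZE
#define RET_OFF     (BUF_SIZE + 8)
#define FRAME_SIZE  (BUF_SIZE + 16)

struct frame {
    unsigned char bytes[FRAME_SIZE];
};

/* Hypothetical values: where func_3 should return to, and a canary that a real
 * implementation would choose at random for each process. */
static const uint64_t FUNC2_RETURN = 0x0000000000401156ULL;
static const uint64_t CANARY       = 0x00a1c3e5f7b9d2e4ULL;

static void frame_init(struct frame *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + CANARY_OFF, &CANARY, sizeof CANARY);
    memcpy(f->bytes + RET_OFF, &FUNC2_RETURN, sizeof FUNC2_RETURN);
}

static uint64_t read_u64(const struct frame *f, size_t off) {
    uint64_t v;
    memcpy(&v, f->bytes + off, sizeof v);
    return v;
}

/* The address func_3 would branch to on return. */
uint64_t frame_return_address(const struct frame *f) { return read_u64(f, RET_OFF); }

/* The check stack-smashing protection inserts in the epilogue: if the canary
 * changed, abort instead of returning through a corrupted address. */
int canary_intact(const struct frame *f) { return read_u64(f, CANARY_OFF) == CANARY; }

/* The bug from the slide: read_user_input() copies whatever length arrives, so
 * input longer than BUF_SIZE runs over the canary and the return address.
 * Returns the return address left in the frame. */
uint64_t read_user_input_unchecked(struct frame *f, const unsigned char *in, size_t len) {
    frame_init(f);
    if (len > FRAME_SIZE) len = FRAME_SIZE;   /* keep the model itself in bounds */
    memcpy(f->bytes, in, len);
    return frame_return_address(f);
}

/* The fix: never write more than the buffer holds, and always terminate. */
uint64_t read_user_input_bounded(struct frame *f, const unsigned char *in, size_t len) {
    frame_init(f);
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    memcpy(f->bytes, in, n);
    f->bytes[n] = '\0';
    return frame_return_address(f);
}

/* The attacker's "carefully constructed string": code for buf, padding across
 * the canary slot, then buf's address where func_2's address used to be.
 * 0x90 (x86 NOP) is a placeholder for the code. Returns bytes written, or 0 if
 * out is too small. */
size_t build_attack_input(unsigned char *out, size_t out_size, uint64_t buf_address) {
    if (out_size < FRAME_SIZE) return 0;
    memset(out, 0x90, RET_OFF);               /* fills buf and clobbers the canary */
    memcpy(out + RET_OFF, &buf_address, 8);   /* func_3 now "returns" into buf */
    return FRAME_SIZE;
}

int main(void) {
    struct frame f;
    unsigned char payload[FRAME_SIZE];
    uint64_t guessed_buf = 0x00007ffc0000d3a0ULL;   /* attacker's guess; ASLR breaks it */
    size_t n = build_attack_input(payload, sizeof payload, guessed_buf);

    printf("unchecked: returns to 0x%llx, canary %s\n",
           (unsigned long long)read_user_input_unchecked(&f, payload, n),
           canary_intact(&f) ? "intact" : "smashed, abort before return");
    printf("bounded:   returns to 0x%llx, canary %s\n",
           (unsigned long long)read_user_input_bounded(&f, payload, n),
           canary_intact(&f) ? "intact" : "smashed, abort before return");
    return 0;
}
```

Compile with `cc -std=c99 -Wall overflow_model.c`. The unchecked copy leaves the frame returning into the attacker's guessed buf address, but the canary check catches it before the return executes; the bounded copy leaves both the canary and func_2's address untouched. In a real binary the guessed address is exactly what ASLR invalidates, and NX would stop the 0x90 bytes in buf from running even if the canary and the guess both held.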
Firewalls
- Routers: easy to say "allow everything but..."
- Firewalls: easy to say "allow nothing but..."
- This helps because we turn off access to everything, then evaluate which services are mission-critical and have well-understood risks
- Note: the only difference between a router and a firewall is the design philosophy; do we prioritize security, or connectivity/performance? (configurability, logging)
[Figure: the rest of the Internet (random external user, remote company user) -> Firewall -> local site / company net with web server]

Typical firewall setup
[Figure: evil Internet -> Firewall -> DMZ -> Firewall -> internal network]
The firewall setup
- The firewall ensures that the internal network and the Internet can both talk to the DMZ, but usually not to each other
- The DMZ relays services at the application level, e.g. mail forwarding, web proxying
- The DMZ machines and the firewall are centrally administered by people focused on security full-time (installing patches, etc.); it's easier to secure 20 machines than 20,000
- Now the internal network is "safe" (but not from internal attacks, modems, etc.)
Firewall details
Rules based on:
- IP source address
- IP destination address
- Encapsulated protocol
- TCP/UDP destination port
- TCP/UDP source port
[Figure: packet layout: Ethernet header (Eth dest, Eth src) | IP header (IP dest, IP src) | TCP header (TCP dest port, TCP src port) | data]
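The "allow nothing but..." rule table for the DMZ setup above, as an added C example that is not from the lecture: a packet filter that matches exactly the five header fields listed on this slide, with first-match-wins and deny as the default. The addresses are constructed (internal network 10.0.0.0/8, DMZ 192.0.2.0/24 with a web server, a web proxy on an assumed port 3128, and a mail relay that forwards to an internal mail server); none of them come from the slides.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_UDP 17
#define ANY (-1)

/* The five header fields a filtering firewall inspects. */
struct pkt {
    uint32_t src, dst;    /* IPv4 addresses as host-order integers */
    uint8_t  proto;       /* encapsulated protocol: 6 = TCP, 17 = UDP */
    uint16_t sport, dport;
};

/* Source and destination match under a netmask; ANY wildcards proto/ports. */
struct rule {
    uint32_t src, src_mask, dst, dst_mask;
    int proto, sport, dport;
    bool allow;
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MASK(bits) ((bits) == 0 ? 0u : (0xffffffffu << (32 - (bits))))

/* Constructed addresses (assumed, not from the slides). */
#define INTERNAL_NET  IP4(10, 0, 0, 0)     /* /8  */
#define INTERNAL_MAIL IP4(10, 0, 0, 25)
#define DMZ_NET       IP4(192, 0, 2, 0)    /* /24, TEST-NET-1 */
#define DMZ_WEB       IP4(192, 0, 2, 10)
#define DMZ_PROXY     IP4(192, 0, 2, 20)
#define DMZ_MAIL      IP4(192, 0, 2, 25)

/* Only the mission-critical services are listed; everything else is denied.
 * Internet and internal hosts reach the DMZ, the DMZ reaches the inside only
 * through one narrow hole, and nothing crosses from Internet to inside. */
static const struct rule RULES[] = {
    /* anyone -> DMZ web server, HTTP */
    { 0,             MASK(0),  DMZ_WEB,       MASK(32), PROTO_TCP, ANY, 80,   true },
    /* anyone -> DMZ mail relay, SMTP */
    { 0,             MASK(0),  DMZ_MAIL,      MASK(32), PROTO_TCP, ANY, 25,   true },
    /* internal users -> DMZ web proxy (3128 is an assumed proxy port) */
    { INTERNAL_NET,  MASK(8),  DMZ_PROXY,     MASK(32), PROTO_TCP, ANY, 3128, true },
    /* internal mail server -> DMZ relay, outbound mail */
    { INTERNAL_MAIL, MASK(32), DMZ_MAIL,      MASK(32), PROTO_TCP, ANY, 25,   true },
    /* the one DMZ -> internal hole: relay delivers inbound mail */
    { DMZ_MAIL,      MASK(32), INTERNAL_MAIL, MASK(32), PROTO_TCP, ANY, 25,   true },
};

static bool rule_matches(const struct rule *r, const struct pkt *p) {
    if ((p->src & r->src_mask) != (r->src & r->src_mask)) return false;
    if ((p->dst & r->dst_mask) != (r->dst & r->dst_mask)) return false;
    if (r->proto != ANY && r->proto != p->proto) return false;
    if (r->sport != ANY && r->sport != p->sport) return false;
    if (r->dport != ANY && r->dport != p->dport) return false;
    return true;
}

/* First matching rule wins; no match means deny (the firewall philosophy). */
bool firewall_allows(const struct pkt *p) {
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (rule_matches(&RULES[i], p)) return RULES[i].allow;
    return false;
}

struct pkt make_pkt(uint32_t src, uint32_t dst, uint8_t proto, uint16_t sport, uint16_t dport) {
    struct pkt p = { src, dst, proto, sport, dport };
    return p;
}

int main(void) {
    /* Constructed sample packets. */
    struct pkt web_in   = make_pkt(IP4(203, 0, 113, 7), DMZ_WEB, PROTO_TCP, 51000, 80);
    struct pkt inside   = make_pkt(IP4(203, 0, 113, 7), IP4(10, 1, 2, 3), PROTO_TCP, 51000, 80);
    struct pkt proxy_ok = make_pkt(IP4(10, 1, 2, 3), DMZ_PROXY, PROTO_TCP, 40000, 3128);
    struct pkt dmz_in   = make_pkt(DMZ_WEB, IP4(10, 1, 2, 3), PROTO_TCP, 40000, 445);
    printf("Internet -> DMZ web:80     %s\n", firewall_allows(&web_in)   ? "allow" : "deny");
    printf("Internet -> internal:80    %s\n", firewall_allows(&inside)   ? "allow" : "deny");
    printf("internal -> DMZ proxy:3128 %s\n", firewall_allows(&proxy_ok) ? "allow" : "deny");
    printf("DMZ web  -> internal:445   %s\n", firewall_allows(&dmz_in)   ? "allow" : "deny");
    return 0;
}
```

The table matches only what is in the headers, which is the limitation the last slide of this section raises: a packet arriving from the Internet with a forged 10.x source address would satisfy the proxy rule, because nothing here checks which interface it came in on or what the payload actually is. That gap is what anti-spoofing filters on the external interface and application-level proxies in the DMZ are there to close.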
Proxy firewall
[Figure: external client -> external HTTP/TCP connection -> proxy firewall -> internal HTTP/TCP connection -> local server]
Application proxy
- Rewrites the source address of the outgoing request so that the web server's responses come back to the proxy rather than to the internal node
- The proxy is more secure than the internal nodes it stands in for
- Performance degradation
Firewalls compared to proxies
Pros of the (packet-filtering) firewall:
- Good performance
- Easy to support new protocols
Cons:
- IP and TCP/UDP headers can't be trusted
- Most attacks spoof IP addresses and TCP/UDP ports
- Must look at other application signatures