Web Security Firewalls, Buffer overflows and proxy servers

Upload: sherman-manning

Post on 18-Jan-2018


Page 1: Web Security Firewalls, Buffer overflows and proxy servers


Page 2: System vulnerabilities

Almost all vulnerabilities come from bugs in the implementation of, or misconfigurations of, the OS and/or applications. Only rarely is the problem in a protocol itself.

Vulnerabilities can lead to:

- Unauthorized access: the attacker gains control of the victim's machine (can log in, read files, and/or make changes to the system)
- Denial of service against a host: the attacker can crash the computer, disable services, etc.
- Denial of service against the network: the attacker can disrupt routing, flood the network, etc.

Page 3: CSI/FBI Computer Crime and Security Survey (chart; figure not in transcript)

Page 4: Statistics (chart; figure not in transcript)

Page 5: Statistics (chart; figure not in transcript)

Page 6: (figure only; no text in transcript)
Page 7: Buffer overflows on the stack

Three nested calls, each with locals on the stack. Note that read_user_input() is given no length, so nothing stops it from writing past buf[99]:

    func_1() { int a, b;       func_2(); }
    func_2() { int c, d;       func_3(); }
    func_3() { char buf[100];  read_user_input(buf); }

Stack while read_user_input() runs (higher addresses at the top; the stack grows downward, but bytes written into buf go upward from its lowest address):

    | a, b             |  func_1's locals
    | func 1's address |  return address saved when func_1 called func_2
    | c, d             |  func_2's locals
    | func 2's address |  return address saved when func_2 called func_3
    | buf[100]         |  func_3's local, filled from user input

Page 8: Buffer overflows on the stack (the attack)

    | a, b                 |
    | func 1's address     |
    | c, d                 |
    | buf's address        |  <- this slot used to hold func 2's address
    | evil_assembly_code() |  <- buf, now holding the attacker's code

The attacker is supplying the input to buf, so buf receives a very carefully constructed string: it contains assembly code, and it is long enough that the bytes past the end of buf overwrite func 2's address with buf's address. When func_3 returns, it branches to buf instead of back into func_2, and the attacker's code runs with the program's privileges.
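The frame layout above, modelled in C so the overwrite can be watched deterministically. This is an added example and not code from the slides: the frame is a struct rather than a real stack frame, the addresses 0x08048abc (func_2's return point) and 0xbffff600 (buf) are constructed, and the "shellcode" is a placeholder of 0xcc (int3) bytes rather than working machine code. Because the unsafe copy writes through a byte pointer over the whole struct, it is well-defined C and behaves the same on every platform, unlike a real stack smash, which the protections on Page 11 would abort or randomise.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* func_3's frame from the slide, lowest address first: buf sits directly
   below the slot holding "func 2's address", so bytes written past the end
   of buf land on the saved return address. */
struct frame {
    char     buf[100];
    uint32_t saved_return;      /* "func 2's address" */
};

/* Constructed, illustrative addresses (not real process addresses). */
enum { FUNC2_ADDR = 0x08048abcu, BUF_ADDR = 0xbffff600u };

/* The slide's read_user_input(): copies every byte the caller supplies.
   Writing through a byte pointer to the frame is exactly what the CPU does
   with the bytes beyond buf[99]; there is no bound check. */
static void read_user_input_unsafe(struct frame *f, const uint8_t *in, size_t len) {
    unsigned char *dst = (unsigned char *)f;        /* same address as f->buf */
    for (size_t i = 0; i < len; i++) dst[i] = in[i];
}

/* Hardened version: the copy can never leave buf. */
static void read_user_input_safe(struct frame *f, const uint8_t *in, size_t len) {
    if (len > sizeof f->buf) len = sizeof f->buf;
    memcpy(f->buf, in, len);
}

/* Attacker's string: NOP sled, placeholder "shellcode", then buf's address
   positioned exactly where saved_return lives. Returns the payload length. */
size_t build_payload(uint8_t *out, size_t outlen) {
    const size_t ret_off = offsetof(struct frame, saved_return);
    const size_t total   = ret_off + sizeof(uint32_t);
    static const uint8_t stub[4] = { 0xcc, 0xcc, 0xcc, 0xcc };  /* int3 x4: stands in for evil_assembly_code() */
    if (outlen < total) return 0;
    memset(out, 0x90, ret_off);                          /* x86 NOP sled: landing anywhere in it slides into stub */
    memcpy(out + ret_off - sizeof stub, stub, sizeof stub);
    uint32_t target = BUF_ADDR;
    memcpy(out + ret_off, &target, sizeof target);       /* host byte order, as the CPU will read it back */
    return total;
}

/* Simulate func_3 receiving the payload; return the address its epilogue
   would "return" to when it pops saved_return. */
uint32_t simulate_return(int use_safe_copy) {
    struct frame f;
    uint8_t payload[sizeof(struct frame)];
    size_t n = build_payload(payload, sizeof payload);

    memset(&f, 0, sizeof f);
    f.saved_return = FUNC2_ADDR;                          /* set by the call from func_2 */
    if (use_safe_copy) read_user_input_safe(&f, payload, n);
    else               read_user_input_unsafe(&f, payload, n);
    return f.saved_return;
}

int main(void) {
    printf("unsafe copy: func_3 returns to 0x%08x (buf)\n",    simulate_return(0));
    printf("safe copy:   func_3 returns to 0x%08x (func_2)\n", simulate_return(1));
    return 0;
}
```

The payload is 104 bytes: the first 100 fill buf, the last 4 replace the saved return address. The safe copy truncates at 100 and the return address survives; the only difference between the two readers is the single bound check, which is the whole point of the slide.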

Page 10: Exploitations

Stack-based exploitations:
- Overwrite a local variable near the buffer to change the behavior of the program
- Overwrite the return address in the stack frame

Heap-based exploitations:
- Overwrite heap arrays to change the behavior of the application
- Overwrite malloc's bookkeeping pointers, which are then used to overwrite a function pointer (Microsoft JPEG GDI+ vulnerability)

Page 11: Protection against overflows

- Choice of programming language: C and C++ provide no built-in protection, although the C++ standard library containers (std::string, std::vector) track their own size and avoid raw fixed-size buffers; Java and .NET bytecode environments do runtime bounds checking (safety vs performance)
- Stack-smashing protection: the compiler places a canary value between the local buffers and the saved return address and checks that it is unchanged before the procedure returns
- NX (no execute) permission on the stack and heap (OpenBSD, Mac OS X): code injected into buf cannot be executed even if the return address points at it
- Address space layout randomization keeps attackers from designing overflow kits with hardcoded addresses (such as buf's address) that work on every target
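Stack-smashing protection modelled in C, as an added example (not from the slides or any compiler's runtime). The frame is a struct in the naive layout of buf, then another local, then the canary, then the saved return address; the canary value 0x2f5a9c01 and the return address are constructed. The example shows both what the canary catches (an overflow that reaches the return address) and what it does not (an overflow that stops at the neighbouring local, the first case on Page 10).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A stack-protected frame for something like
   func_3() { char buf[100]; int is_admin; read_user_input(buf); ... }
   laid out naively: buf, then the other local, then the canary,
   then the saved return address. Lowest address first. */
struct frame {
    char     buf[100];
    int      is_admin;          /* local variable that sits right after buf */
    uint32_t canary;            /* random per-process value written on entry */
    uint32_t saved_return;      /* only reachable by overflowing through the canary */
};

/* Constructed values: a real canary comes from the kernel's random pool. */
enum { CANARY = 0x2f5a9c01u, FUNC2_ADDR = 0x08048abcu };

/* Unbounded copy, as in the slide's read_user_input(). The byte pointer
   models the CPU writing past buf[99] onto whatever lies above it. */
static void read_user_input_unsafe(struct frame *f, const uint8_t *in, size_t len) {
    unsigned char *dst = (unsigned char *)f;        /* same address as f->buf */
    for (size_t i = 0; i < len; i++) dst[i] = in[i];
}

/* The epilogue check the compiler inserts: compare the canary against the
   reference value before the saved return address is used. */
static int stack_chk(const struct frame *f) {
    return f->canary != CANARY;
}

/* Feed func_3 `len` bytes of attacker input (all 'A') and report what the
   epilogue sees.  0: frame clean.  1: canary fired (abort, never return).
   2: canary intact but the adjacent local is_admin was changed. */
int overflow_outcome(size_t len) {
    struct frame f;
    uint8_t input[sizeof(struct frame)];

    memset(&f, 0, sizeof f);
    f.canary       = CANARY;
    f.saved_return = FUNC2_ADDR;

    if (len > sizeof input) len = sizeof input;
    memset(input, 'A', len);                         /* constructed attacker input */
    read_user_input_unsafe(&f, input, len);

    if (stack_chk(&f)) return 1;                     /* __stack_chk_fail(): abort before returning */
    if (f.is_admin != 0) return 2;                   /* 0x41414141: privilege flag flipped silently */
    return 0;
}

int main(void) {
    printf("100 bytes -> outcome %d (clean)\n",            overflow_outcome(100));
    printf("104 bytes -> outcome %d (is_admin flipped)\n", overflow_outcome(104));
    printf("112 bytes -> outcome %d (canary fired)\n",     overflow_outcome(112));
    return 0;
}
```

Outcome 2 is why GCC and Clang's -fstack-protector do not keep the naive layout: they move character arrays up so they sit directly below the canary, above scalar locals, so an overflow out of buf has to damage the canary before it can reach is_admin or the return address. The canary still does nothing for the heap cases on Page 10, since there is no return address check between a heap buffer and the function pointer next to it.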

Page 12: Firewalls

- Routers: easy to say "allow everything but..."
- Firewalls: easy to say "allow nothing but..."
- This helps because we turn off access to everything, then evaluate which services are mission-critical and have well-understood risks
- Note: the only difference between a router and a firewall is the design philosophy: do we prioritize security, or connectivity/performance? (configurability, logging)

Page 13: (diagram) Rest of the Internet <-> Firewall <-> Local site

Page 14: (diagram) Internet <-> Firewall <-> Company net with web server; a random external user and a remote company user both reach the web server through the firewall

Page 15: Typical firewall setup (diagram): evil Internet <-> Firewall <-> DMZ <-> Firewall <-> internal network

Page 16: The firewall setup

- The firewall ensures that the internal network and the Internet can both talk to the DMZ, but usually not to each other
- The DMZ relays services at the application level, e.g. mail forwarding, web proxying
- The DMZ machines and the firewall are centrally administered by people focused on security full-time (installing patches, etc.); it's easier to secure 20 machines than 20,000
- Now the internal network is "safe" (but not from internal attacks, modems, etc.)

Page 17: Firewall details

Rules are based on:
- IP source address
- IP destination address
- Encapsulated protocol (e.g. TCP or UDP)
- TCP/UDP destination port
- TCP/UDP source port

Packet fields the slide shows the filter inspecting (a schematic of the headers, not the exact wire order: on the wire the IP source address precedes the destination address, and the TCP source port precedes the destination port):

    | Eth Dest | Eth Src | Eth Hdr | IP Dest | IP Src | IP Hdr | TCP DPort | TCP SPort | TCP Hdr | Data |

Everything the rules need comes from the headers; a pure packet filter never looks at the Data field.
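A default-deny packet filter over exactly those fields, written in C as an added example (it is not from the slides or any real firewall). The site layout is constructed: 203.0.113.0/24 plays the Internet, 192.0.2.10 and 192.0.2.25 are the DMZ web server and mail relay from Pages 15 and 16, and 10.0.0.0/8 is the internal network. build_packet() produces minimal Ethernet/IPv4/TCP packets with no checksums or payload so that everything runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum { ETH_HLEN = 14, IP_MIN_HLEN = 20, PROTO_TCP = 6, PROTO_UDP = 17, PKT_LEN = ETH_HLEN + IP_MIN_HLEN + 20 };

/* The fields the filter matches on, in host byte order. */
struct tuple {
    uint32_t src_ip, dst_ip;
    uint8_t  proto;
    uint16_t src_port, dst_port;
};

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Pull the tuple out of an Ethernet/IPv4 packet carrying TCP or UDP.
   Returns 0 on success, -1 if the packet is truncated or not IPv4. */
int parse_tuple(const uint8_t *pkt, size_t len, struct tuple *t) {
    if (len < ETH_HLEN + IP_MIN_HLEN) return -1;
    if (be16(pkt + 12) != 0x0800) return -1;                    /* EtherType: IPv4 */
    const uint8_t *ip = pkt + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                    /* IHL is in 32-bit words */
    if ((ip[0] >> 4) != 4 || ihl < IP_MIN_HLEN || len < ETH_HLEN + ihl) return -1;
    t->proto  = ip[9];
    t->src_ip = be32(ip + 12);                                  /* real wire order: source first */
    t->dst_ip = be32(ip + 16);
    t->src_port = t->dst_port = 0;
    if (t->proto == PROTO_TCP || t->proto == PROTO_UDP) {
        if (len < ETH_HLEN + ihl + 4) return -1;                /* ports missing: fail closed */
        t->src_port = be16(ip + ihl);                           /* same offsets for TCP and UDP */
        t->dst_port = be16(ip + ihl + 2);
    }
    return 0;
}

struct rule {
    uint32_t src_ip, src_mask, dst_ip, dst_mask;
    uint8_t  proto;           /* 0 = any */
    uint16_t dst_port;        /* 0 = any */
    int      allow;
};

/* Constructed site: DMZ web server 192.0.2.10, DMZ mail relay 192.0.2.25,
   internal network 10.0.0.0/8. First match wins; no match means drop. */
static const struct rule ruleset[] = {
    { 0, 0,                       IP4(192,0,2,10), 0xffffffffu, PROTO_TCP, 80, 1 },  /* anyone -> web server */
    { IP4(10,0,0,0), 0xff000000u, IP4(192,0,2,25), 0xffffffffu, PROTO_TCP, 25, 1 },  /* internal -> mail relay */
};

static int matches(const struct rule *r, const struct tuple *t) {
    return (t->src_ip & r->src_mask) == (r->src_ip & r->src_mask)
        && (t->dst_ip & r->dst_mask) == (r->dst_ip & r->dst_mask)
        && (r->proto == 0 || r->proto == t->proto)
        && (r->dst_port == 0 || r->dst_port == t->dst_port);
}

/* Return 1 to forward, 0 to drop. Anything unparseable is dropped. */
int filter(const uint8_t *pkt, size_t len) {
    struct tuple t;
    if (parse_tuple(pkt, len, &t) != 0) return 0;
    for (size_t i = 0; i < sizeof ruleset / sizeof ruleset[0]; i++)
        if (matches(&ruleset[i], &t)) return ruleset[i].allow;
    return 0;                                                   /* "allow nothing but..." */
}

/* Build a minimal Ethernet/IPv4/TCP packet (no checksums, no payload)
   so the filter can be exercised offline. Returns its length. */
size_t build_packet(uint8_t *out, uint32_t src, uint32_t dst, uint8_t proto, uint16_t sport, uint16_t dport) {
    memset(out, 0, PKT_LEN);
    out[12] = 0x08; out[13] = 0x00;                             /* EtherType IPv4 */
    uint8_t *ip = out + ETH_HLEN;
    ip[0] = 0x45;                                               /* version 4, IHL 5 (20 bytes) */
    ip[9] = proto;
    for (int i = 0; i < 4; i++) { ip[12 + i] = (uint8_t)(src >> (24 - 8 * i)); ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    ip[20] = (uint8_t)(sport >> 8); ip[21] = (uint8_t)sport;
    ip[22] = (uint8_t)(dport >> 8); ip[23] = (uint8_t)dport;
    return PKT_LEN;
}

/* Convenience: build a packet for the given tuple and run it through the filter. */
int decide(uint32_t src, uint32_t dst, uint8_t proto, uint16_t sport, uint16_t dport) {
    uint8_t pkt[PKT_LEN];
    return filter(pkt, build_packet(pkt, src, dst, proto, sport, dport));
}

int main(void) {
    printf("Internet -> DMZ web, TCP/80:  %d\n", decide(IP4(203,0,113,5), IP4(192,0,2,10), PROTO_TCP, 40000, 80));
    printf("Internet -> DMZ web, TCP/22:  %d\n", decide(IP4(203,0,113,5), IP4(192,0,2,10), PROTO_TCP, 40001, 22));
    printf("internal -> DMZ mail, TCP/25: %d\n", decide(IP4(10,1,2,3),    IP4(192,0,2,25), PROTO_TCP, 40002, 25));
    printf("Internet -> internal, TCP/80: %d\n", decide(IP4(203,0,113,5), IP4(10,1,2,3),   PROTO_TCP, 40003, 80));
    return 0;
}
```

Two points worth noticing. Internet-to-internal traffic is dropped without a rule saying so, which is the "allow nothing but..." philosophy of Page 12. And the mail-relay rule trusts the source address in the packet: a packet arriving from the Internet with a forged 10.x.x.x source would match it, which is the spoofing problem raised on Page 20; real filters therefore also bind rules to the interface a packet arrived on, and drop internal addresses that show up on the outside interface.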

Page 18: Proxy firewall (diagram)

    External client  ==(external HTTP/TCP connection)==>  Proxy on the firewall  ==(internal HTTP/TCP connection)==>  Local server

Page 19: Application proxy

- The proxy terminates the external client's connection and opens its own connection to the internal server; the server sees the proxy's source address, so responses come back to the proxy, which relays them to the client
- The proxy is more secure than the internal nodes it fronts: it is a hardened, centrally administered machine, and the server is never directly reachable from outside
- Cost: performance degradation, since every connection is terminated and re-established at the application level

Page 20: Firewalls (packet filters) compared to proxies

Pros of packet filters:
- Good performance
- Easy to support new protocols

Cons of packet filters:
- IP and TCP/UDP headers can't be trusted
- Most attacks spoof IP addresses and TCP/UDP ports
- Must look at other, application-level signatures, which a packet filter never sees and a proxy does