6. Resource Exhaustion
  • An example of an amplification attack is broadcast ICMP ping with a spoofed source address.
  • Notes on Logging limits and Quotas in Windows, from Alan Krassowski: For logging, if you go to Control Panel, Administrative Tools, Services, Event Viewer, then right click on one of the event logs, such as Application, Security or System, you can see the Log Size group box. Typically, a maximum size is specified, and oldest events are overwritten as needed. Alternatively, one can set a maximum event age. Win32 Event Logging functions are defined here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/event_logging_functions.asp With these, you can programmatically clear and backup event logs with BackupEventLog() and ClearEventLog(), in addition to simple reporting to them using ReportEvent(). Apps can also define their own event types or even their own event logs if they wish. For example, in addition to the 3 I mentioned above, my Exchange box also has a Directory Service log, a DNS Server log and a File Replication Service log. The Cluster API also contains some functions like LogEvent() for manipulating the cluster log, but I'm not very familiar with how to control size or age here. I doubt many of Symantec's apps use the Cluster API, but the Exchange product does a little. For disks on Windows 2000 and above systems, right-click on a hard-disk in Explorer, then go to the Quota property page. You can get pretty granular with Quota Entries on a per-user basis. The IDiskQuotaControl COM interface allows programmatic control over setting disk quotas. There's also the GetDiskFreeSpaceEx() Win32 call, which respects any applicable per-user quotas. I think these are NTFS-specific.
  • For example, you might be able to mitigate SSL resource exhaustion attacks by rate limiting or blocking connections that are tying up resources.
  • SecureZeroMemory and spc_memset use the volatile keyword to prevent the compiler from removing the call to zero memory. Note that AllocateUserPhysicalPages and VirtualLock don't prevent writing memory to hibernate files or crash dumps. Refer to chapter 13 of Secure Programming Cookbook, which covers this information for Windows and UNIX. See also Writing Secure Code, 2nd edition, for information on AllocateUserPhysicalPages and VirtualLock. Debug versions of programs should probably not disable core dumps. In UNIX, shell scripts can limit core dumps by calling 'ulimit -c 0'. This also limits core dumps for programs that the shell starts.
  • Interesting note: Reverse Turing tests are being used to slip encrypted viruses with pictorial passwords past virus scanners.
    1. Course 1: Overview of Secure Programming, Section 6 <ul><li>Pascal Meunier, Ph.D., M.Sc., CISSP </li></ul><ul><li>May 2004; updated August 12, 2004 </li></ul><ul><li>Developed thanks to support and contributions from Symantec Corporation, support from the NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center </li></ul><ul><li>Copyright (2004) Purdue Research Foundation. All rights reserved. </li></ul>
    2. Course 1 Learning Plan <ul><li>Security overview and patching </li></ul><ul><li>Public vulnerability databases and resources </li></ul><ul><li>Secure software engineering </li></ul><ul><li>Security assessment and testing </li></ul><ul><li>Shell and environment </li></ul><ul><li>Resource management </li></ul><ul><li>Trust management </li></ul>
    3. Learning objectives <ul><li>Be able to identify resources at risk </li></ul><ul><li>Understand how resources become at risk from denial-of-service attacks </li></ul><ul><li>Be able to decide which resources need to be exposed </li></ul><ul><li>Understand how to mitigate resource exhaustion risks </li></ul>
    4. Resource Management: Outline <ul><li>Motivation </li></ul><ul><li>Resource identification </li></ul><ul><li>Resource exhaustion </li></ul><ul><ul><li>CPU exhaustion </li></ul></ul><ul><ul><li>Network applications and protocols vulnerabilities </li></ul></ul><ul><ul><li>Generous Protocols and Algorithms </li></ul></ul><ul><ul><li>Other asymmetric attacks </li></ul></ul><ul><li>Memory Management </li></ul>
    5. How Important is Availability? <ul><li>How important is it to have resources available at some specific times or all the time? </li></ul><ul><li>Market for 99.99% availability systems or even "5 nines" (99.999%) </li></ul><ul><ul><li>Worth a lot of money for some businesses </li></ul></ul><ul><ul><li>Redundant hardware, fault-resistant software </li></ul></ul><ul><li>Problem: Infrastructure, hardware, software usually designed for functionality and performance in normal situations, not robustness vs. worst-case scenarios </li></ul><ul><ul><li>Malicious people can engineer worst-case scenarios to come true </li></ul></ul>
    6. Availability Through Software <ul><li>Monitoring software that relaunches an application whenever it crashes or quits </li></ul><ul><li>Redundant software installations on different partitions </li></ul><ul><li>Disk images (e.g., Ghost) </li></ul><ul><li>Virtual machines that reload running images (VMWare) </li></ul><ul><li>The above are just mitigating setups that don't fix the original problem and can still cause interruptions </li></ul><ul><ul><li>Perfect software is not possible, but better software is </li></ul></ul>
    7. Denial of Service <ul><li>The unavailability of a needed resource, most often due to a malicious entity. </li></ul><ul><li>Sometimes not the primary goal </li></ul><ul><ul><li>Side effect of another attack </li></ul></ul><ul><ul><li>Failure to achieve worse results </li></ul></ul><ul><li>Perhaps used to evade traceability, law enforcement or accountability </li></ul><ul><ul><li>disable logging mechanisms </li></ul></ul><ul><ul><li>disable detection and alert systems </li></ul></ul><ul><ul><ul><li>submerge a human with messages; the human may disable the attacked defense mechanism! </li></ul></ul></ul>
    8. Resource Identification <ul><li>Shared resources are exposed to resource exhaustion attacks </li></ul><ul><ul><li>Memory </li></ul></ul><ul><ul><li>Hard Drive space </li></ul></ul><ul><ul><li>Bandwidth </li></ul></ul><ul><ul><li>CPU </li></ul></ul><ul><ul><li>Entropy (for random number generation) </li></ul></ul><ul><ul><li>Database engines </li></ul></ul><ul><ul><li>Servers </li></ul></ul><ul><ul><li>Analysts </li></ul></ul><ul><ul><li>Wireless Mice, Keyboards </li></ul></ul><ul><ul><li>Wireless NICs </li></ul></ul>
    9. Question <ul><li>Which one of these resources is susceptible to a resource exhaustion attack? </li></ul><ul><li>a) Electric power </li></ul><ul><li>b) Chair </li></ul><ul><li>c) Trackpad </li></ul>
    10. Resource Exhaustion <ul><li>May happen whenever there are: </li></ul><ul><ul><li>A finite number of resources </li></ul></ul><ul><ul><li>A finite rate (e.g., processing) </li></ul></ul><ul><li>Hard to defend against some variants </li></ul><ul><ul><li>Sometimes a balancing act </li></ul></ul><ul><ul><li>Analogy: By staying home, the risk of meeting unpleasant people is removed, but the cure may be worse than the risk. </li></ul></ul>
    11. How Resource Exhaustion Happens <ul><li>Spend time processing requests from illegitimate (but possibly legitimate) users </li></ul><ul><li>Allow legitimate users to hog resources </li></ul><ul><li>Improperly free resources no longer needed </li></ul><ul><li>Sometimes design errors, sometimes implementation </li></ul>
    12. Resource Exhaustion Enablers <ul><li>Expensive Tasks </li></ul><ul><ul><li>Algorithms </li></ul></ul><ul><ul><li>Encryption, Compression and Encoding </li></ul></ul><ul><ul><ul><li>e.g., DVDs are expensive to compress </li></ul></ul></ul><ul><li>Generous Protocols and Algorithms </li></ul><ul><ul><li>Anonymous or unauthenticated allocation of computer resources </li></ul></ul><ul><ul><li>Amplifiers (broadcasts, subscriptions, distributed systems) </li></ul></ul><ul><li>Coding errors turned into vulnerabilities </li></ul><ul><ul><li>Memory Leaks and other memory management errors </li></ul></ul><ul><li>Design errors </li></ul><ul><ul><li>Absence of policies, restrictions, access control, partitions or compartments, backups, failover or redundant systems </li></ul></ul>
    13. Example: Disk <ul><li>Risk: Disk or partition is unavailable because it is completely filled </li></ul><ul><li>Threat: one user can rob all others of disk space (including the use of a partition) </li></ul><ul><li>Resource managed by the operating system </li></ul><ul><li>Enabling factors </li></ul><ul><ul><li>Missing or no quotas specified by OS for users and processes </li></ul></ul><ul><ul><ul><li>/tmp directory </li></ul></ul></ul><ul><ul><ul><ul><li>fill up the disk (or partition) with temp files </li></ul></ul></ul></ul><ul><ul><ul><li>/var directory </li></ul></ul></ul><ul><ul><ul><ul><li>use up the disk (or partition) with logs </li></ul></ul></ul></ul>
    14. Question <ul><li>Identify the correct resource exhaustion enablers: </li></ul><ul><li>a) Memory failures </li></ul><ul><li>b) Generous protocols and algorithms </li></ul><ul><li>c) Expensive hardware </li></ul>
    15. Question <ul><li>Identify the correct resource exhaustion enablers: </li></ul><ul><li>a) Memory failures </li></ul><ul><li>b) Generous protocols and algorithms </li></ul><ul><li>c) Expensive hardware </li></ul>
    16. CPU Exhaustion Attacks <ul><li>Uninterruptible tasks </li></ul><ul><li>Unwise operational order </li></ul><ul><ul><li>Perform a series of complex operations first, before checking the request's validity </li></ul></ul><ul><li>Asymmetric attacks </li></ul><ul><ul><li>Cost for attacker is much smaller than for defender </li></ul></ul><ul><ul><li>Algorithmic complexity attacks </li></ul></ul>
    17. Uninterruptible Tasks <ul><li>CAN-1999-1285 Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed. </li></ul><ul><li>CPU not available until random numbers have all been calculated </li></ul>
    18. Unwise Operational Order <ul><li>A firewall's job is to block traffic. Don't perform expensive operations on traffic you're blocking anyway! </li></ul><ul><li>CAN-2002-1203 IBM SecureWay Firewall before 4.2.2 performs extra processing before determining that a packet is invalid and dropping it, which allows remote attackers to cause a denial of service (resource exhaustion) via a flood of malformed TCP packets without any flags set. </li></ul>
    19. Asymmetric CPU Attacks <ul><li>Cryptographic algorithms are typically expensive </li></ul><ul><ul><li>Initiate communications so server generates keys, etc... </li></ul></ul><ul><li>Don't know if message is good until decrypted </li></ul><ul><ul><li>Send random messages </li></ul></ul><ul><li>IPSEC design vulnerability </li></ul>
    20. Algorithmic Complexity Attacks <ul><li>Exploit worst-case scenario of algorithms </li></ul><ul><ul><li>Hash algorithms (Crosby and Wallach 2003) </li></ul></ul><ul><ul><ul><li>Data structure pollution </li></ul></ul></ul><ul><ul><ul><li>Bro IDS (Intrusion Detection System) dropping 70% packets </li></ul></ul></ul><ul><ul><ul><li>Normally O(N), becomes O(N²) with malicious input </li></ul></ul></ul><ul><ul><ul><ul><li>if N is 1000, cost is 1000 times higher than expected! </li></ul></ul></ul></ul><ul><ul><li>Quicksort: O(N²) instead of O(N log N) </li></ul></ul><ul><ul><li>Python regular expression engine </li></ul></ul><ul><ul><ul><li>Exponential blowout with malicious input </li></ul></ul></ul><ul><ul><li>Fix: use algorithms that are not vulnerable </li></ul></ul><ul><ul><ul><li>"universal hash algorithms" designed to avoid the vulnerability </li></ul></ul></ul><ul><ul><ul><li>Please see http://www.cs.rice.edu/~scrosby/hash/ </li></ul></ul></ul>
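An added example, not code from the slides or from Crosby and Wallach: a chained hash table fed 26 constructed two-byte keys that all have the same byte sum. Under an unkeyed byte-sum hash every key lands in one bucket and the 26 inserts cost 325 probes (the O(N²) case above); under a secret-seeded FNV-1a, standing in here for the keyed/universal hashes the slide recommends, the same keys spread out. Both hash functions, the seed and the key set are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 64
#define KEYLEN 2
#define NKEYS 26

typedef uint64_t (*hash_fn)(const unsigned char *key, size_t len, uint64_t seed);

/* Weak hash: plain byte sum. Any two keys with equal byte sums collide, so a
 * sender who knows the function can choose inputs that share one bucket. */
static uint64_t hash_weak(const unsigned char *key, size_t len, uint64_t seed) {
    uint64_t h = 0;
    (void)seed;                      /* unkeyed: the seed plays no part */
    for (size_t i = 0; i < len; i++) h += key[i];
    return h;
}

/* Keyed hash: 64-bit FNV-1a whose offset basis is mixed with a secret seed,
 * plus a final fold so the bucket index draws on the high bits too. A
 * constructed stand-in for the keyed/universal hashes the slide recommends. */
static uint64_t hash_keyed(const unsigned char *key, size_t len, uint64_t seed) {
    uint64_t h = 0xcbf29ce484222325ULL ^ seed;
    for (size_t i = 0; i < len; i++) {
        h ^= key[i];
        h *= 0x100000001b3ULL;
    }
    return h ^ (h >> 32);
}

struct node { unsigned char key[KEYLEN]; struct node *next; };
struct table { struct node *bucket[NBUCKETS]; unsigned long probes; };

/* Insert with a duplicate check. Each node visited while walking the chain
 * counts as one probe; the probe total is the work the input forced. */
static void table_insert(struct table *t, hash_fn h, uint64_t seed,
                         const unsigned char *key) {
    size_t b = (size_t)(h(key, KEYLEN, seed) % NBUCKETS);
    for (struct node *n = t->bucket[b]; n; n = n->next) {
        t->probes++;
        if (memcmp(n->key, key, KEYLEN) == 0) return;
    }
    struct node *n = malloc(sizeof *n);
    if (!n) { perror("malloc"); exit(EXIT_FAILURE); }
    memcpy(n->key, key, KEYLEN);
    n->next = t->bucket[b];
    t->bucket[b] = n;
}

static size_t table_max_chain(const struct table *t) {
    size_t longest = 0;
    for (size_t b = 0; b < NBUCKETS; b++) {
        size_t len = 0;
        for (const struct node *n = t->bucket[b]; n; n = n->next) len++;
        if (len > longest) longest = len;
    }
    return longest;
}

static void table_free(struct table *t) {
    for (size_t b = 0; b < NBUCKETS; b++) {
        struct node *n = t->bucket[b];
        while (n) { struct node *next = n->next; free(n); n = next; }
        t->bucket[b] = NULL;
    }
}

/* Constructed adversarial input: NKEYS two-byte keys {'a'+i, 'z'-i}. Every one
 * has byte sum 'a'+'z', so hash_weak puts them all in the same bucket and the
 * i-th insert walks i nodes: 0+1+...+25 = 325 probes for 26 keys, O(N^2).
 * Returns the probe total and reports the longest chain via *max_chain. */
unsigned long run_experiment(hash_fn h, uint64_t seed, size_t *max_chain) {
    struct table t;
    memset(&t, 0, sizeof t);
    for (int i = 0; i < NKEYS; i++) {
        unsigned char key[KEYLEN] = { (unsigned char)('a' + i),
                                      (unsigned char)('z' - i) };
        table_insert(&t, h, seed, key);
    }
    *max_chain = table_max_chain(&t);
    unsigned long probes = t.probes;
    table_free(&t);
    return probes;
}

int main(void) {
    size_t chain;
    unsigned long probes = run_experiment(hash_weak, 0, &chain);
    printf("byte-sum hash:  %lu probes, longest chain %zu of %d keys\n",
           probes, chain, NKEYS);
    /* Fixed seed only so the run is reproducible; a server draws it from a
     * CSPRNG at start-up, so a sender cannot precompute collisions. */
    probes = run_experiment(hash_keyed, 0x5eed5eed5eed5eedULL, &chain);
    printf("seeded FNV-1a:  %lu probes, longest chain %zu of %d keys\n",
           probes, chain, NKEYS);
    return 0;
}
```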
    21. Question <ul><li>Algorithmic complexity attacks work because: </li></ul><ul><li>a) they attack complex algorithms </li></ul><ul><li>b) they exploit the worst-case behavior of algorithms </li></ul><ul><li>c) there were errors in the implementation of the algorithms </li></ul>
    22. Question <ul><li>Algorithmic complexity attacks work because: </li></ul><ul><li>a) they attack complex algorithms </li></ul><ul><li>b) they exploit the worst-case behavior of algorithms </li></ul><ul><li>c) there were errors in the implementation of the algorithms </li></ul>
    23. Discussion <ul><li>How would you prevent or defend against: </li></ul><ul><ul><li>Uninterruptible tasks </li></ul></ul><ul><ul><li>Unwise operational order </li></ul></ul><ul><ul><li>Asymmetric attacks </li></ul></ul>
    24. Discussion Sample Answers <ul><li>How would you prevent or defend against: </li></ul><ul><ul><li>Uninterruptible tasks </li></ul></ul><ul><ul><ul><li>Limit CPU slices per user </li></ul></ul></ul><ul><ul><ul><ul><li>move part of algorithm out of kernel space </li></ul></ul></ul></ul><ul><ul><li>Unwise operational order </li></ul></ul><ul><ul><ul><li>Do not invest in something that may be worthless until you know for sure you have to (may not be initially obvious) </li></ul></ul></ul><ul><ul><li>Asymmetric attacks </li></ul></ul><ul><ul><ul><li>Limit the rate of the expensive events/origin </li></ul></ul></ul>
    25. Network Application and Protocol Vulnerabilities <ul><li>Can produce: </li></ul><ul><ul><li>Memory exhaustion </li></ul></ul><ul><ul><li>Numbered resource (e.g., ports) exhaustion </li></ul></ul><ul><ul><li>Bandwidth exhaustion... </li></ul></ul>
    26. Ports and Thread Exhaustion <ul><li>In TCP/IP, an application uses a "port", a positive number less than 65536. Example: port 80 for web servers. </li></ul><ul><li>Passive FTP: FTP server reserves a random port (above 1024) for use by a client and waits for the client to connect there. </li></ul><ul><li>What if the client never connects? </li></ul>
    27. Ports example <ul><li>CAN-2002-0221 Etype Eserv 2.97 allows remote attackers to cause a denial of service (resource exhaustion) via a large number of PASV commands that consume ports 1024 through 5000, which prevents the server from accepting valid PASV. </li></ul>
    28. Threads Example <ul><li>Microsoft NT architecture: FTP and Web services on the same computer share a common thread pool. Exhausting the FTP thread pool will cause failed connection requests for the Web service. </li></ul><ul><li>CVE-1999-1148 IIS processes passive FTP connection requests by assigning a thread to each port waiting for a client to connect </li></ul>
    29. Sockets <ul><li>Socket: Data structure to record which application talks to what </li></ul><ul><li>Internet sockets (AF_INET): </li></ul><ul><ul><li>Which application reserved which port </li></ul></ul><ul><ul><li>One IP address, one port = one socket you can listen to </li></ul></ul><ul><ul><li>Incoming connections are recorded with additional sockets </li></ul></ul><ul><ul><li>Number of sockets - 1 = number of clients </li></ul></ul>
    30. Sockets example <ul><li>CVE-2001-0830 6tunnel 0.08 and earlier does not properly close sockets that were initiated by a client, which allows remote attackers to cause a denial of service (resource exhaustion) by repeatedly connecting to and disconnecting from the server. </li></ul>
    31. Generous Protocols and Algorithms <ul><li>A Protocol or Algorithm that allocates resources based on (perhaps initially) anonymous or unauthenticated requests </li></ul><ul><li>Can you name one? </li></ul>
    32. TCP/IP Generosity <ul><li>The TCP/IP protocol allocates memory at the beginning stage of a communication, upon reception of a packet with the "SYN" flag, to keep track of communications (e.g., socket). </li></ul><ul><li>Early TCP/IP implementations kept the memory allocated for a very long time... </li></ul><ul><li>SYN flood attack: The sending of numerous SYN packets until all the memory available for keeping track of new connections has been consumed. </li></ul>
    33. Generosity in Stateful Protocols <ul><li>Protocols that maintain state information are necessarily more vulnerable to DoS attacks. </li></ul><ul><ul><li>Above a certain threshold, quality of service breaks down </li></ul></ul><ul><ul><ul><li>Connectionless protocols show progressive degradation with load </li></ul></ul></ul><ul><li>Conversion of stateful into stateless protocols </li></ul><ul><ul><li>Not easy in all cases, but can solve SYN flood </li></ul></ul><ul><ul><li>Idea: encrypt the state data, and return it to client </li></ul></ul><ul><ul><ul><li>No memory usage </li></ul></ul></ul><ul><ul><ul><li>Increased CPU and bandwidth usage trade-off </li></ul></ul></ul><ul><ul><li>Reference: Aura and Nikander 1997 </li></ul></ul>
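An added example of the stateless idea above, not code from the slides or from Aura and Nikander: a SYN-cookie-style first round in which the server hands its would-be state back to the client as a keyed cookie and allocates a table entry only once the client echoes it, so unanswered SYNs cost CPU but no memory. The SplitMix64-style mixer, the time-slot scheme and every address and secret are constructed placeholders; a deployment would use a real MAC such as HMAC over the same fields.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONNS 4        /* deliberately tiny table, so exhaustion is visible */
#define SLOT_SECONDS 64    /* cookies are valid for the current and previous slot */

struct peer { uint32_t addr; uint16_t port; };

struct server {
    uint64_t secret;                /* per-process secret; from a CSPRNG in practice */
    struct peer conns[MAX_CONNS];   /* the only per-client state the server holds */
    size_t nconns;
    unsigned long rejected;         /* forged or stale cookies seen */
};

void server_init(struct server *s, uint64_t secret) {
    memset(s, 0, sizeof *s);
    s->secret = secret;
}

/* Placeholder MAC: a SplitMix64-style mixer over secret, peer and time slot.
 * It is not cryptographic; a deployment uses HMAC over the same fields. */
static uint32_t make_cookie(const struct server *s, struct peer p, uint64_t slot) {
    uint64_t x = s->secret ^ ((uint64_t)p.addr << 32) ^ ((uint64_t)p.port << 16) ^ slot;
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return (uint32_t)x;
}

/* Message 1 (client -> server): SYN.  Message 2 (server -> client): a cookie
 * that encodes the state the server would otherwise have to remember. Nothing
 * is allocated, however many SYNs arrive; the cost is one mix per SYN. */
uint32_t server_on_syn(const struct server *s, struct peer p, uint64_t now) {
    return make_cookie(s, p, now / SLOT_SECONDS);
}

/* Message 3 (client -> server): the echoed cookie. Only a cookie minted in the
 * current or previous slot for this exact peer is accepted, so SYNs that were
 * never answered, and cookies a sender guessed, never reach the table.
 * Returns 1 if a connection was allocated, 0 otherwise. */
int server_on_ack(struct server *s, struct peer p, uint32_t cookie, uint64_t now) {
    uint64_t slot = now / SLOT_SECONDS;
    if (cookie != make_cookie(s, p, slot) && cookie != make_cookie(s, p, slot - 1)) {
        s->rejected++;
        return 0;
    }
    if (s->nconns == MAX_CONNS) return 0;   /* full table: refuse, do not crash */
    s->conns[s->nconns++] = p;
    return 1;
}

/* Constructed scenario: 10,000 SYNs from spoofed sources that never answer,
 * then one forged ACK, one stale ACK, then one honest handshake. Returns 1 if
 * the server behaved as intended: one entry held, two cookies rejected. */
int demo(struct server *s) {
    struct peer spoofed = { 0x0a000000u, 40000 };
    for (uint32_t i = 0; i < 10000; i++) {
        spoofed.addr = 0x0a000000u + i;     /* 10.0.x.y, constructed */
        (void)server_on_syn(s, spoofed, 1000);
    }
    struct peer honest = { 0xc0a80102u, 51000 };      /* 192.168.1.2, constructed */
    int forged = server_on_ack(s, honest, 0xdeadbeefu, 1000);
    uint32_t old = server_on_syn(s, honest, 1000);
    int stale = server_on_ack(s, honest, old, 1000 + 3 * SLOT_SECONDS);
    uint32_t fresh = server_on_syn(s, honest, 2000);
    int ok = server_on_ack(s, honest, fresh, 2010);
    return ok && !forged && !stale && s->nconns == 1 && s->rejected == 2;
}

int main(void) {
    struct server s;
    server_init(&s, 0x0123456789abcdefULL);   /* fixed only for reproducibility */
    int ok = demo(&s);
    printf("connections held: %zu, cookies rejected: %lu, outcome: %s\n",
           s.nconns, s.rejected, ok ? "as intended" : "unexpected");
    return ok ? 0 : 1;
}
```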
    34. Amplification <ul><li>Form of generosity </li></ul><ul><li>Example: ICMP ping </li></ul><ul><ul><li>Request-response protocol </li></ul></ul><ul><ul><li>Unauthenticated </li></ul></ul><ul><ul><li>Can send request to a broadcast address </li></ul></ul><ul><ul><ul><li>All computers respond! </li></ul></ul></ul><ul><ul><ul><ul><li>To whom? A spoofed IP address == Smurf attack </li></ul></ul></ul></ul><ul><ul><ul><li>Bandwidth can be completely consumed by the response </li></ul></ul></ul><ul><ul><ul><ul><li>Overwhelm victim destination computer </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Other victims </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>hosts on affected networks </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>networks in between broadcast and destination </li></ul></ul></ul></ul></ul>
    35. Question <ul><li>Can you name another amplification mechanism used by attackers? </li></ul><ul><li>a) Challenge-response mechanism </li></ul><ul><li>b) Encryption </li></ul><ul><li>c) Distributed Denial-of-Service attacks </li></ul>
    36. Question <ul><li>Can you name another amplification mechanism used by attackers? </li></ul><ul><li>a) Challenge-response mechanism </li></ul><ul><li>b) Encryption </li></ul><ul><li>c) Distributed Denial-of-Service attacks </li></ul><ul><li>In DDoS attacks, amplification is provided by numerous "zombie" (compromised) computers obeying remote commands. </li></ul>
    37. Work-Around for Generosity <ul><li>Quickly expire transactions (connections, etc...) that block while waiting on input </li></ul><ul><ul><li>especially anonymous users </li></ul></ul>
    38. Exercise <ul><li>Name the vulnerability in this pseudo-code, and explain why it is vulnerable: </li></ul><ul><li>1 Wait for client connection 2 Validate input 3 Create user object 4 Match user against potential dates 5 Prepare report 6 Verify that user paid subscription; if so send back report, if not send bill 7 Repeat (i.e. go to line 1) </li></ul>
    39. Exercise <ul><li>Name the vulnerability in this pseudo-code, and explain why it is vulnerable: </li></ul><ul><li>That is an unwise operational ordering. It can result in a resource exhaustion because expensive operations are performed before a request validity check. </li></ul>
    40. Memory Management Problems <ul><li>Memory leaks (very common) </li></ul><ul><ul><li>Memory that is never freed, for every request </li></ul></ul><ul><ul><li>CAN-2003-0032 Memory leak in libmcrypt before 2.5.5 allows attackers to cause a denial of service (memory exhaustion) </li></ul></ul><ul><li>Double free </li></ul><ul><ul><li>CVE-2002-0059 The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a "double free"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data. </li></ul></ul>
    41. Memory Management Problems (cont.) <ul><li>Use of freed memory </li></ul><ul><ul><li>CAN-2002-1490 NetBSD 1.4 through 1.6 beta allows local users to cause a denial of service (kernel panic) via a series of calls to the TIOCSCTTY ioctl, which causes an integer overflow in a structure counter and sets the counter to zero, which frees memory that is still in use by other processes. </li></ul></ul><ul><li>Freeing wrong memory </li></ul><ul><ul><li>CAN-2003-0525 The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM... </li></ul></ul>
    42. Memory Management Problems (cont.) <ul><li>Information leakage </li></ul><ul><ul><li>CAN-2003-0048 PuTTY 0.53b and earlier did not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. </li></ul></ul><ul><ul><li>CAN-2003-0047 SSH2 clients for VanDyke (1) SecureCRT 4.0.2 and 3.4.7, (2) SecureFX 2.1.2 and 2.0.4, and (3) Entunnel 1.0.2 and earlier, do not clear logon credentials from memory, including plaintext passwords... </li></ul></ul><ul><ul><li>CAN-2003-0001 Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes... </li></ul></ul>
    43. Notes About Information Leakage <ul><li>Overwrite sensitive memory to prevent leakage </li></ul><ul><li>Compilers may remove calls to bzero and memset during optimization </li></ul><ul><ul><li>Use SecureZeroMemory in Windows </li></ul></ul><ul><ul><li>Use spc_memset from Secure Programming Cookbook </li></ul></ul><ul><li>Use memory locking to prevent passwords and keys from being saved to disk (virtual memory, swap space) </li></ul><ul><ul><li>mlock </li></ul></ul><ul><ul><li>AllocateUserPhysicalPages and VirtualLock </li></ul></ul><ul><li>Disable crash dumps (core files) </li></ul><ul><ul><li>setrlimit(RLIMIT_CORE, …) </li></ul></ul>
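An added POSIX example, not from the slides or the Secure Programming Cookbook, of the three measures above: wiping through a volatile pointer (the technique SecureZeroMemory and spc_memset rely on), pinning the pages with mlock, and setting RLIMIT_CORE to zero. The 32-byte key and the value it is filled with are constructed; mlock may legitimately fail on an unprivileged system, so its result is reported rather than assumed.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Wipe through a volatile pointer. A plain memset/bzero on a buffer that is
 * about to go out of scope is a dead store the optimizer may delete; volatile
 * accesses must be performed, so these zeroes really are written. */
void secure_zero(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Count the bytes that are still non-zero, so a caller can verify a wipe. */
size_t nonzero_bytes(const unsigned char *buf, size_t len) {
    size_t count = 0;
    for (size_t i = 0; i < len; i++) count += buf[i] != 0;
    return count;
}

/* Pin the pages holding a secret so they are never written to swap. mlock can
 * fail (RLIMIT_MEMLOCK, missing privilege), so the result is returned, not
 * assumed; the caller decides whether to proceed without the lock. */
int lock_secret(void *buf, size_t len) {
    return mlock(buf, len) == 0 ? 0 : -errno;   /* e.g. -EPERM, -ENOMEM */
}

/* Refuse to write core files, so a crash cannot dump the secret to disk.
 * This is the programmatic form of `ulimit -c 0`. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl) == 0 ? 0 : -errno;
}

/* Current soft limit on core-file size; 0 means dumps are disabled. */
long core_limit(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_CORE, &rl) == 0 ? (long)rl.rlim_cur : -1L;
}

/* Lifecycle of a 32-byte key (constructed): lock, use, wipe, unlock. Returns
 * the number of non-zero bytes left after the wipe, which should be 0. */
size_t handle_secret(void) {
    unsigned char key[32];
    int locked = lock_secret(key, sizeof key) == 0;
    memset(key, 0xA5, sizeof key);     /* stands in for receiving or deriving a key */
    /* ... the key is used here ... */
    secure_zero(key, sizeof key);
    if (locked) (void)munlock(key, sizeof key);
    return nonzero_bytes(key, sizeof key);
}

int main(void) {
    int rc = disable_core_dumps();
    printf("core dumps: %s, RLIMIT_CORE now %ld\n",
           rc == 0 ? "disabled" : strerror(-rc), core_limit());
    printf("bytes left non-zero after wipe: %zu\n", handle_secret());
    return 0;
}
```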
    44. Memory Management Problems (cont.) <ul><li>Invalid memory references </li></ul><ul><ul><li>CAN-2002-1294 The Microsoft Java implementation, as used in Internet Explorer, can provide HTML object references to applets via Javascript, which allows remote attackers to cause a denial of service (crash due to illegal memory accesses) ... </li></ul></ul><ul><ul><li>CAN-2002-1289 The Microsoft Java implementation, as used in Internet Explorer, allows remote attackers to read restricted process memory, cause a denial of service (crash), and possibly execute arbitrary code via the getNativeServices function, which creates an instance of the com.ms.awt.peer.INativeServices (INativeServices) class, whose methods do not verify the memory addresses that are passed as parameters. </li></ul></ul>
    45. Memory Management Problems (cont.) <ul><li>Memory exposures </li></ul><ul><ul><li>CAN-2002-1125 FreeBSD port programs that use libkvm for FreeBSD 4.6.2-RELEASE and earlier, including (1) asmon, (2) ascpu, (3) bubblemon, (4) wmmon, and (5) wmnet2, leave open file descriptors for /dev/mem and /dev/kmem, which allows local users to read kernel memory. </li></ul></ul><ul><ul><li>CAN-2002-0973 Integer signedness error in several system calls for FreeBSD 4.6.1 RELEASE-p10 and earlier may allow attackers to access sensitive kernel memory via large negative values to the (1) accept, (2) getsockname, and (3) getpeername system calls, and the (4) vesa FBIO_GETPALETTE ioctl. </li></ul></ul>
    46. Exhausting Memory for Data Structures <ul><li>Process and other tables </li></ul><ul><li>Buffer pools </li></ul><ul><li>File descriptors </li></ul><ul><li>Sockets </li></ul><ul><li>Etc... </li></ul>
    47. Human Resource Exhaustion <ul><li>Typical street scenario: </li></ul><ul><ul><li>Some people distract the person guarding assets while others steal things or otherwise violate policies </li></ul></ul><ul><li>Information security: </li></ul><ul><ul><li>Create many alerts and warnings so that an analyst or user is overwhelmed and can't identify the dangerous ones. </li></ul></ul><ul><ul><ul><li>IDS flooding tools available </li></ul></ul></ul><ul><ul><ul><ul><li>"Stick" (Giovanni 2001) </li></ul></ul></ul></ul><ul><ul><li>Attack against online support and services </li></ul></ul><ul><ul><ul><li>Chat bots (Gabriolovich and Gontmahker 2003) </li></ul></ul></ul><ul><ul><ul><ul><li>Defense: Reverse Turing Tests </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Recognizing distorted letters in an image </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Riddles </li></ul></ul></ul></ul></ul>
    48. Discussion <ul><li>Discuss the similarities between SPAM and human resource exhaustion attacks. </li></ul>
    49. True or False? <ul><li>Denial of service attacks are all caused by resource exhaustion </li></ul><ul><li>All shared resources risk being exhausted </li></ul><ul><li>Lower resource cost to the attacker than the defender is indicative of a resource exhaustion vulnerability </li></ul>
    50. Questions?
    51. About These Slides <ul><li>You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions. </li></ul><ul><ul><li>You must give the original author and other contributors credit </li></ul></ul><ul><ul><li>The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes </li></ul></ul><ul><ul><li>For any reuse or distribution, you must make clear to others the terms of use for this work </li></ul></ul><ul><ul><li>Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification </li></ul></ul><ul><ul><li>For other uses please contact the Purdue Office of Technology Commercialization. </li></ul></ul><ul><li>Developed thanks to the support of Symantec Corporation </li></ul>
    52. Pascal Meunier [email_address] <ul><li>Contributors: </li></ul><ul><li>Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera </li></ul>