 So let's get right to it. We're about right at the end of our looking at the tax on Looking at a tax on the network and how we can And how we can What trust we should have in the network layer so we talked about last week about operating system finger actually be able to tell What operating system or remote post is using or likely what operating system they're using Just based on the characteristics of the packets that they're sending We are setting up Yeah, so yeah, so that's all kinds of weird tricks and techniques that so tools like n-map They basically think that was a repository of all these network tricks that we talked about the scan host look at what ports are open And also to see what operating system is running there Yeah, so all kinds of cool stuff But the key question we want to look at is do the attack We looked at that work on both the IP layer and the UDP layer. Do they apply to the TCP layer? So can we? spoof UDP spoof TCP packets So what can we spoof? What was that? Yeah, what can we spoof? Right so we looked at IP level and looked at UDP and we can spoof a UDP packet to make it looks like it comes from any other host Right, so can we do the same thing with TCP? What fields can we control? Why do we need to guess the sequence number? Yeah, so one way to think about it is yes, we can spoof we can create any packet right you can create a TCP packet We can set we know we can spoof the source IP address We can set up any reports we want but if we want to establish let's say I want to pretend to establish a connection to a remote server from me the attacker as some client Well Actually, let's draw that diagram. Although. I don't think these diagram Okay, that's weird. I definitely did not record that if I do this This is a new change in quick time behavior Yes Although good question Okay, so you can't see my screen because I have to do this Okay, we will adapt and overcome okay, so you can see that There's gonna be a really bad diagram Okay, so we are a so we have some clients We have a server you can see this right? And we have I know you thought my handwriting and graphics were bad Watch me draw on a PowerPoint slide Okay Where the attacker we want to spoof a connection From the attacker to the server and make it seem like that TCP connection is coming from the client So can we spoof the initial sim packet? Yeah, what do we do? We create a sim packet with the source IP of see the client We set the destination IP 3s We set the destination port to be whatever port we're trying to talk to you. It's a port 80 or whatever The client port to some random thing What do we also have to generate in the packet that we said Yes, we have to generate a sequence number, right? So inside there. There'll be some sequence number So we'll send this packet out it gets a s Yeah, it thinks that sees trying to initiate a tcp connection doesn't establish tcp connection No So what is s going to do now? Send a syn app packet back So it's going to send back a syn app packet and So what are the fields going to be on that packet? So what's the destination IP going to be? Rising over to the client that the source IP is going to be s The ports are going to be whatever we set them as but flipped around and it will create its own sequence number It's going to put the sequence number and then the acknowledgement number It's going to increment our sequence number. So that packet is then going to get set across the network to see Right, so we want to then initiate this connection and actually establish a three-way handshake So a the question is do we see that packet? No, not in this diagram, right? We're not on any of the local networks We don't control any of the routers in between or the switches in between So we don't see that So What's our goal as an attacker? How can't could we actually create a three-way handshake there? I did Well, we need to know what the So what so what's the packet we want to craft here from a So we need an act packet and what do we need to be true about this act? It needs to have the sequence sequence number in their act number incremented R. Yes, but a little bit around so they're going to come up with a sequence number We'll call it sequence s and sequence s. So that's going to be an our acknowledgement number sequence s plus one And that's in our act field and then our sequence number will be whatever we set but we control that so This is what this whole thing hinges upon so we can guess what the server's Sequence number that it shows then we will be able to initiate So what are the odds of this happening That actually be much more feasible Right, so it's one into the 32 chances of getting it right assuming what Well, we have a very interesting which so there's a couple things that could happen here, right? So if C is up and on line when it gets this sin act back from an s What would it said? Reset it's a go away. I'm not talking to you in which case s would turn down So actually one thing we need to do is either choose a server that's not online It won't respond or we can actually try to toss C to turn it off line So it won't respond with the reset back that's that's one issue the other issue is Right, so assuming that the sequence number that the server generates is uniformly random Right that it's choosing a random number from out of the two to thirty two possibilities Then you will have a problem. Yeah, it's a sequence number random per Initiated trust or is that dependent on the hardware itself? It's dependent on the operating system the operating system gets to choose what it wants for the sequence numbers Yeah, and so this is the goal, so this looks So this is the key idea of how we can Spoof a TCP connection, but it all comes down to knowing the server sequence number and that really is fundamentally the key here And okay, so we basically went over all this So we either need to drop the syn act and get sent back or we need to guess correctly the sequence number and so Diagram so we can We're now see we're gonna take down B We're gonna send a packet to a spoofing it as if it came from B a is gonna respond with a syn act and if we can somehow get that sequence number so There was an RFC that said how Operating systems should be generating their sequence numbers such that they're sufficiently random, but some implementations were still faulty from this, so The really cool idea is to look at this as a graph of the delta between the Previous two sequence numbers and the previous three sequence numbers So to visually graph how distinct are the past three sequence numbers from each other So windows 2000 XP is fairly random You can see windows 95 98 there's a lot like Points here, so this really reduces your search space So all you have to do is get one sequence number from the server or a few and just keep guessing and trying to make these connections Linux is much more random. If anybody knows more about free free BSE much more spread out in how they're generating sequence numbers they And so Cisco so Cisco routers Actually funny enough the Cisco has an operating system called iOS just like But they thought that wouldn't be a big deal and so you could see like also They had a huge problem. They started looking at this and easily get the whole sequence numbers And then after they fixed it if you can see it's much more distributed max. Oh sex is pretty good HP also had this kind of pattern here where you could use the points were not super distributed and After they quote-quote fix it It's pretty pretty concentrated. So anyways, these are just kind of ways to be thinking about how to So the really the key point here is that at server side sequence number is really the key TCP Impersonation so if you can't guess that then you can say yes, I know who I'm talking to but without that You can generate a TCP connection So this is spoofing so we can spoof and pretend to be somebody else to initiate a connection another thing we may want to do is to inject so let's say So So somebody's tell that from one machine to the other and you want to inject a command in there from the client to say add my public key to their SSH whatever logs or At this back door to put a reverse shallow So in that case rather than Wanting to spoof a brand new connection. We want to inject into a currently ongoing connection So what do we need to do for this to happen? We need yes, we need to see what the numbers of both sides to make sure we're injecting in the correct place What else do we need source IP test IP? Yeah, we actually the source we need to make sure the IPs are the IPs are correct. Yes, what else? Ports, so remember the client next generates a random port number that it's coming from at tuples We need to make sure that tuple that we have is correct So that actually adds a slight I mean an extra challenge because you have to guess what port the client is going to the server on So usually only do this when you actually man in the middle and see the traffic It's much harder to just randomly guess and inject something into there But you can do it and it actually so there's a couple interesting things you can do So one thing you could just insert data into the data stream Another thing is you just reset the connection. So we're just going to send a reset packet and break the connection But you have to as we just said so the same sequence numbers on whole side of the client the server You have to use the correct sequence numbers and you can sometimes guess but You're going to be much better off with your e-throbbing. So this is Kind of bringing this all home This is when we talk about our poisoning on the local area network You can route all traffic through you once you do that then you can do these kind of games of injecting into a TCP string Without exactly yes without being our local network it makes it much much harder But the trick is that now you have to think about when your security when you're on a network Who's on that local area network with you and do you trust that? Right, so when you're on the Wi-Fi at Starbucks, do you trust all those people sitting around you? So okay, so the basic idea I think that at a high level this is pretty straightforward, but there's some interesting dynamics that arise here Because you get into this crazy situation where you've successfully injected so So you basically have to wait until the connection is quiet So you want to wait until there's no data being transmitted that way You're not going to get your sequence number messed up by some of the old sending a packet through as you so Everybody's favorite All right, so we have C we have our s They are on some kind of switch and let's say I'm just an attacker like literally right here Right, so so I'm a I mean this doesn't make any sense, but let's say there's a switch here. I don't know how to race on this thing So I'm like drawing in PowerPoint But so we have so we're there you can see all the packets so they've already established a free way and shake and Let's say the client to the server is that sequence number a hundred and the server To the client is that actually this doesn't matter as much will say it's a 50. So I want to Well, let's see if I'm here let's say this is a web connection I want to do is inject some JavaScript code into this web page. That's going to I don't know explain a A bug in the client's browser, which will then get me execution local execution on their machine It's like a move from a network sniffer an attacker attack code execution on their machine So the servers as we know so you've written a web server right the client's going to make the HTTP requests and the server is going to respond So what we're going to want to do let's say we're in the state here where These are the sequence numbers. So the attacker is going to send create a fake packet with IP address from s to c the port's number is exactly the same And the sequence number is the same and so here the sequence number it's going to say 50 So here's my let's say 100 by payload. So what is c going to send now as an acknowledgement? 150 right c is going to say Hey, I've seen up to 150 and then s is going to get that packet and it's going to say send the acknowledgement back saying I've only set up to a hundred like my sequence number is a hundred and I'm going to get that the other side's going to keep saying I'm at 150 and they'll keep doing this until what packet is dropped And then they're like, yes, that's what I thought we are at So you've actually desynced the connection here between the two So you either have to actively man in the middle and change all the packets, which you usually don't have And so that's where it gets really interesting as you get into this scenario where these sides are desynced so they see different things about it Let me show an example. So here's like a basic example spoof tcp segment And you can see this like act storm going on where they're continually going Acting each other back and forth being like, no, no, no, this is the one until Something stops and then they're like and then the connection goes quiet Now at this point they can't ever send data to each other because there are different points in their street Yeah This is a spoofing data from 10 to 20. So this is The spoofed packet. So it's a push which means there's some data in there. I believe that means it's 21 bytes in there Okay, and so that's what they're finding back for. I don't want to go into too much detail Later So these are the these are the two Main things to consider about so this is really important. You're trying to consider the security of let's say a service like a writing that Uses some tcp connection. Can you trust that IP address? well Maybe right if you trust your local network, then you can trust that IP address Uh, but the other thing to think about I always want to think about is the one thing, you know, we've seen can we violate the commonality or integrity of tcp connections Which in certain scenarios we can not in every scenario The other thing we want to think about is what about the availability is what the tax against availability? and what do we really need for a Denial service attack He's kind of only on some sort of leave up. Yes. We need some kind of lever. We need some lever We need a 5x or 10x Something right you don't just need more bots or more computers or more bandwidth because that doesn't scale and so Think about this way your client and you send a sin package to the server. What does the server do? Sends a sin act back and what is the op so think about the operating system colonel has server He gets a sin in what does it do Passes a sin act back. Well, what else does it do? What does it have to keep track of so that you can recognize that final hack? It has to keep track of the sequence number that it created It has to probably keep track and associate that with the socket so the IP the remote IP the remote source the local port Right, so it's going to store all this information per sin package that it gets how long should it keep that data around for Yeah, told a timeout right because maybe that maybe the other machine went down Maybe that machine Didn't send that maybe it doesn't want to talk. Maybe the patent got dropped who knows So it has to but there's no, you know fixed Good, this is exactly how long you should wait And this actually leads to one of the really common denial of service attack, which is a sin flooding attack So think about this as an attacker. What data do you have to store to send out a sin package? Zero you store zero data Now it takes an attacker zero data to store something all I have to do is send packets But now the server has to store let's say out of 20 bytes per connection or something That's great effort. So I may be able to overload the server's memory if the server doesn't have enough memory Nowadays memory is pretty plentiful so that may not happen as much but You still have the operating system will probably have a limit on how many open sockets or open half open connections it has So you'll flood that limit. So no new legitimate connections can come in And what can you put as your source IP when you're doing this? Anything doesn't have to be your source IP because you don't care where those packets go Right. So this has the added event that not only can you um Not only can you force and maybe you take the server offline because you're forcing it to consume resources But you actually can spoof any IP address. So literally they don't know where you're coming from at all Every packet you send can have a different source IP address and source port And you just make them think there's so many people that are trying to connect to them Space card have some sort of cut off The attackers uh another think that you're trying to take down this out The usually it's in the operating system. So the network card really deals It depends but usually only deals with Setting out like on a physical wire and getting stuff in and when the packet comes in An ethernet frame right and that comes in and then sends it up the operating system and the operating system deals with it But there has to be some sort of cut off right that says These are too many packets Yeah Then at that point The server right so now no new packets can come in so no new Connections can get this out. So yeah, wherever you get that limit here You're gonna hit it in the operating system because you don't need enough to flood like the actual physical link so Yeah The attacker would have to choose If they want you to one source ID Then they have to choose multiple Source parts because they need to create new connections for each one So that's probably one of them to 65,000. So if I would just randomize IP addresses and randomize So just keep sending out As fast as you can So what what is the what is the defender going to restrict? web port numbers Right. So if you put a firewall rule into block port 80 your web server Then nobody can access your web server and I would But the random ports no the random ports on the destination is the source before it's coming from And real because real operating system generates random source ports when they connect to you Because that's what establishes that socket so You can't really put a rule there that like you can't use weird ports because any that port value the source port can be anything And that's also I can't block by IP because every packet it comes in can come from a different IP and so yeah, that's That's what's I really like about this kind of attack So how'd you go about me trying to stop this so You could try and rate limiting Using more memory Right now if you're rate limiting now you're rate limiting how many customers then goes your website, which sucks right So how would you solve this? Yeah, but what if uh, so big providers like let's say help ASU do an example, right? ASU we all get added through like a single IP address Right, so if your site is popular on ASU students, you'll see tons of IP addresses going from one Tons of sin packets coming from one IP address And the back guys changing their IP address every packet they send right so That doesn't even really stop them You need to have trusted IPs trusted IPs You want to get a list of all your customers before you do business with them online? But that is a way to go It depends on the business in the business context, right because a Let's say this is like a VPN service here company You could whitelist all the employees that are allowed to access it and just blacklist everyone else Yeah, that's definitely a way to change what do you think you really need a public facing Um service that you know clearly you can't just block that But they can't change it like that can change the like the address to be Same as the like trusted like the others, right? If they know what the yeah, so it's about your threat model if you assume If you assume that the attacker doesn't have the inside knowledge of your system and know which one of your employees are good Or are Was really more trusted than Yeah, they'd have to send two to the 32 packets to try to see which ones come back Timeouts Timeouts decrease the timeouts right decrease the timeouts So these half open connections are live are a lot shorter live Then you may have problems with people on mobile devices who are trying to access your site and can't access it People on satellite connections, right because the bandwidth can be high there But the latency kind of takes for a package has to literally travel from the earth to the satellite back down to the earth What's the core problem rather than storing the source IP destination IP ports in the first in packet They can store if the server can store it on the act that they receive and first If they just store the sequence number in the first scene message And then if it gets a act reply to its in-act if it gets an Reply in that act in that it can take the source and port and all and then it knows that Connected to connection has been established. It's not someone who was Yes, I have a little idea the way to think about it is a lot of the The solutions we've thrown out aren't really solving the fundamental underlying issue of the fact that The attacker spends nothing But you have to now spend 20 bytes or whatever they send and so yeah, that's kind of uh Yeah, these are all I think the ideas we threw out. So this is uh sim cookies is basically this idea of a way of putting the information that you need into The sequence number that you send so that you can validate when this act comes back That you actually sent that original sin Exactly you store I think significantly less And then when they complete the three-way handshake Because at that point they had to store your source IP this The destination IP the source port the destination port you have equal um equal resource usage here, so I I'm not going to go into the details of the sin cookies. You can look this up here But essentially this is the idea is you are able to the servers able to verify if they have the hack Like yes, this was generated by me. I generated this This snack and so I will now establish a connection So you can actually I don't believe this is enabled by default, but you can't enable this on a dino linux machine There's an option to enable this And so this is kind of a general class of problems that are referred to as state attacks where the problem being that You as an attacker can cost some remote server to store some state on your behalf Without you actually having any skin in the game Um, so this is things like memory of a socket descriptor so every time you do a connection The operating system allocates some memory to your socket so that your socket can communicate with the user space program For this used to be a big one with apache So apache used to be a forking and exacting web server So a lot of you wrote good web servers for your c-program when they got a new connection They would fork a new process and then handle that connection Right, so forking creates a brand new process in the operating system There are hard limits on how many process Processes you can have in an operating system. So as an attacker you can just make a bunch of connections keep them open And then now no new connections are coming With threading it's a little bit harder because threads are a lot more lightweight, but you can still get to the similar issues here You can yeah, you can not never acknowledge any Of the data that's coming from the other server So they have to store off everything in their memory that they're trying to send you And if you never acknowledge it, then you are forcing them to store this information Another one I really like is Similar idea to this is called a slow-lorious attack. The idea is you To take down a web server you just send like Like the HTTP request incredibly slow like every half second you send like a character like h And so you keep this connection open for a long time because the server doesn't close the connection And you make several of these and you can like bring down the websites from this Is that lords isn't dr. Seuss lords? What is lorax? I think it's L-o-r-i-s it's after an animal like a real animal Yeah, but like tinier I don't know look at that I showed you but I guess I won't record so cool so So there's this is a whole Area of security obviously network security. There are tons of things that we did talk about of You know ipv6 how to protect dns sec I mean there's tons of different technologies in here. You can go crazy In a good way about setting all the cool stuff here But we really had to get this this over with so we could Understand I use the network what kind of threats they're going to be vulnerable to And if you I would feel very bad if you took this class and didn't know anything about networks, so Yeah, so basically I mean, this is so we're at now at the end of Network insecurity So any questions? Talk about applications All right The path that you wanted in ip to take across the network you used to be able to do. Okay. That's okay. Yeah There's a source rabbit. So basically the source node would say this actually was And we know the old way of doing email addresses It's like username app and then you would specify the path to your computer. So it would be foo Bang like an exclamation point bar bang my server And so that would say how to route literally from your machine which machines to route this email address through Because you had to manually configure all that stuff Like in the address. So yes But that's that's so that's Yes, so they the source ground. I mean it'd be interesting that would be interesting kind of research exploratory studies that look at like Do routers like all these I mean if you look at these tcp and ip options, they're insane I mean they all this kind of stuff and so do switches and actually Respect these I would guess a lot of them. No, but some of them. Yes, and maybe there's some security problems lurking there that people have overlooked so yeah All right Cool. So now we're gonna get into annotations, which is I think I shouldn't say favorites. This is one of my favorites. I'm talking about all my favorites, but this is another one of my favorites. So the idea is you want to look at how we could break the security of the application and We're going to be focused a lot in here on binary applications as we'll get into but It's really any types of applications and the ideas and concepts here that we're going to here Translate into a lot of different types of applications, whether they're java or python or whatever And so the way to think about So yeah, this is pretty straightforward We want to break security want to violate confidentiality violate integrity violate availability and so For this we need to be sure that we understand the application what it's supposed to do And so we need to think about applications. So the other way is so When you're thinking about how to break an application Right when you write your your You've written many applications up to this point, correct? Of course projects for work Right So I think it really helps to think about well, what are all the things that influence your application? Right, so what's the main? I mean, what's what are some things that influence the application? user input user input input from the user. Yeah, what kind of user input? standard in standard input command line arguments Files that the program opens and reads from almost like these are all abandoned stuff that you have to do What else What was that gooey interactions? Yeah, so a gooey interface with clicking on stuff Memory So saving like storing state of programs state you get stored on the disk. It's going to be loaded later Right, which is another could be another form of user input. It doesn't have to be from a user. It could be another program or whatever right network Dependencies so any other libraries that that loads. What about the code of the application? Does that matter? Controls a lot what it does Just random code anyway Right the code the data that you have with the program which includes files all that or something that you've embedded in the program itself um, let's see more further examples maybe What was that? The order of execution definitely influences the haters you may look at a program and say, oh, yes It does x y and z but actually because you're threatening does y z x and it does x twice Right what you didn't expect. Yeah Garbage collection if you have any garbage collection or anything else that's running that can influence your program Yeah, and so So it's a couple ways to think about this and and really So what we're trying to do is we're trying to get an application and do something that wasn't designed to do Right we're trying to violate the security of an application So we need to think through what are all the ways that we can actually do that Right, so that's part of what we're thinking about here is what are all the ways we can influence the execution of an application And so one thing that's actually interesting that we Didn't hit on so let's do the environments to sit down like a Unix Linux machine Channel term or I would just say I mean the Unix environment like your path variables your your it's in your I mean It rsa, right? Yeah, so on Unix systems, right your environment is literally key value stores. I mean like list of key value pairs that that contains I mean that Program so that's used to influence their execution So for instance when you bash and you use cd tilde, it looks up what the home variable is in your environment and goes there When you just type in ls Bash uses the path parameter the path environment variable capital d a d h to figure out In which directory that ls command is that you want to execute Um And so this obviously clearly can influence the execution of your program if you're reading from environment variables Underneath the operating system or underneath the Application that you have running is the operating system. So And that's going to manage like we said that's going to manage all your socket connections It's going to manage your open files for you Or remember you don't actually read directly to and from the hard drive the operating system is mediating all of that Oh, this is a good one. We need to talk about this other other These in the system. So you have either process communication To send data between two applications. So that could be other input to an application Yeah, so the interesting thing. So when we think about the terminal here The important thing is that conceptually in your mind ssha into a server basically gives you a terminal Right. So even though you are remote in the sense that you're not physically at the keyboard in front of that machine You have Essentially local access to it as if you were sitting on the terminal right Whereas if you're completely remote, so I guess what's the So what's the difference if you as an attacker Are let's say at a terminal Or at the network Do you have the same capabilities for the differences? So you'll time out from the network where you wouldn't necessarily from Take if you uh Ah, so we're considering all those local so ssh and the terminal Or exactly the same thing Remote would be this application is listening on a socket and I can send data to it over that socket Yeah Right. So when on the terminal I can influence what other applications execute on this machine Right. Whereas when I'm remote I can't do that. All I can do is Send network data to that application So it's actually a really important thing to think about of how What capabilities does an attacker do when you fundamentally if you're a We'll call it a local attacker if you're a local attacker you have much more capabilities than if you're a remote attacker right because you can Influence a lot of these things right You can Maybe giving your permissions on the system change the file system right add files to lead files Whereas if you're connecting to that application over the network as a remote attacker All you can do is talk to that application. So you May not be able to influence files depends on what the application lets you do But all of these things this is the way you should be thinking about Whenever you're trying to break any kind of application you need to be thinking about where does it get its input? Right back to this diagram. Is it getting its input from the user? Is it getting it from the file system? Is it getting it from the network? Is it getting it from another application? Where is the data coming from? Because that's how you can influence The application and that's where the vulnerabilities lie so If you could just name the applications code you already win Right, you could make it do whatever you want to do Right, so we usually assume you can't just change the code So we'll get on the CTF our challenge So that's more about yeah, so that would be taking in code on the network And the application executing it as code so I've been treating it as data. It's executing it as new code and so yeah, that's the would be the injection vulnerability there so So basically that's the final we're learning this class is vulnerability analysis, but like part time and skill of looking at a piece of code or an application or a service and identifying security vulnerabilities in there and these can be these are important things to consider so There are a lot of dimensions to think about vulnerabilities. So Some vulnerabilities can be design level vulnerabilities. So that are fundamental to the so Um, everybody's familiar with the software development life cycle rough, you know, I think of it now kind of as wishful thinking in terms of the software engineering, but like I've seen software development close to personal, but You have this like you have a design and then you implement the design and then you test it and then you deploy it And then you maintain it Right and so vulnerability is going to occur at all of these levels. So you can have design level vulnerabilities in which the design is fundamentally flawed. It's maybe The design doesn't have an authentication mechanism, but the business people are like, wait, everyone can now go into our admin functionality and change things and they say wow, that wasn't part of the specification They're going to be implementation vulnerabilities as we'll see so taking in code from the internet and executing it is definitely an implementation vulnerability Right that should not exist. It's not necessarily part of the functionality of the application And deployment vulnerabilities. So the idea is the application is 100 secure But when you deploy it into a specific environment, it then becomes insecure. So for instance You have an appy web server and your policy is only Whatever the root user should be able to change the web page And you mess up and misconfigure The var of the html directory so that everyone can read and write into it Then anyone can edit your your files, right? So it's not it's not a bug in Apache or Linux. It's The deployment And so going to a little more detail. So design vulnerabilities, so these are also called the other way way I like to think about these are sometimes Like logic flaws so Any kind of you know rungious trust assumptions or What's another good example? Oh, so here's a good one. So this will come up again when we go to the web, but there's some So everybody has on shopped online before Just checking Uh, so the What some web applications and some polio application will do is they will Send you the quantity. So when you look at your the checkout page Right, it'll say the quantity so you can change it if you want one of those items two of those items Which literally a dropout box But that that is all stored on the client and the client has complete control of it So you can change that to something like negative two And send it back And some of them will accept that and then give you a credit for those items that you're trying to purchase And so therefore you can like buy $10,000 worth of stuff for one dollar right and so Um, so it's a flaw in the design and this application so The other interesting part here is the confused deputy problem Uh, so this is let's say on a Windows machine you have a policy that only Internet explorers should be able to access the network That seemed like a reasonable maybe corporate policy to lock down your computers. Maybe not to internet explorer, but Ah, whatever. It actually doesn't matter for this example, but I understand your concern Uh Would it make sense, right? We're limiting access. We're saying like this way if you download some random Executable from a email that you found and you double click on it It can't just steal all your data and send it over the network, right? Because it can't make a network connection The problem is is that on Windows the many operating systems Is an application can essentially ask internet explorers to make a web request on their behalf and so The malware would then steal all your data and then say hey internet explorer Could you go to attacker.com slash all that personal data? And then internet explorer would go. Yeah, and then the deputy would go Ah, the only internet explorer is allowed to access the network And it would look and be like oh internet explorer wants to access this. It's totally good right so kind of just it's a Really difficult problem of how do you If you want some policy that says only internet explorer only Something x should be able to do that. How do you actually? Enforce that intent because it's really you're trying to say trusted applications You don't want to be able to use that but when applications can influence each other It's hard to know who's doing what so That's a really interesting problem Implementation vulnerabilities. So this is where we spend a lot of our time off. So this is going to be This is what I love doing. So this is uh develop So there will always be implementation vulnerabilities. We have as we said earlier and developers writing code They're going to write security bugs and security problems so I think of it. It's actually really hard. I think with a good definition But the idea is applications not able to correctly handle some unexpected events So for instance that applications Was not able to correctly handle Python code Right if you send an application or if you set like the Apache web server python code, it's not going to execute it If you set a php or c code, it's also not going to execute it Right, so that's clearly a error condition so Other things to think about is unexpected errors or exceptions So a lot of times if you have like a multi-stage workflow Right like do a and then See what's a good example Yeah It's trying to be a workflow vulnerability problem. Let's say okay. This is your phone. Let's say you have a very poorly coded bank account management software So that like takes money out of one account And then or no deposits it first in one account and then takes the money out of the other account when you're transferring money Right, so if I was an attacker and I want to transfer a million dollars from my account a to my account b It's first going to transfer a million dollars into account b And then it's going to transfer a million dollars out of account a and then it's going to throw an error Because account a doesn't have the funds is what it should do, right? But if it's not coded correctly, it doesn't go back and reverse that previous transaction Now i'm up a million dollars and the application of bank is is uh screwed so other things we talked about of inter Interleaving of events. So this happens a lot in multi-threaded pro and parallel programming is it's Often very difficult. I'm sure we've all written some multi-threaded applications where it's hard to envision Air cases of interleaving of events, but when systems are executing long enough These things will happen and sometimes the attacker can influence them to happen, which is really cool We'll see in the case of sql. So sorry the case of uh cross-executing unfiltered output. So This is a case where the output Um The output that the application generates can be used to compromise the security of the web of the website But we'll look at that in much more detail Yeah, so deploying vulnerabilities are I mean one of them most common. This is actually, uh, there's a lot of Overprivileged applications. So installing an application as admin when it doesn't need to be or shouldn't be My great one is default username passwords So i'll get to share i'll share a vulnerability that one of our master's students found recently that's in face But this was in sdm controller so this controller Shipped with a default password of of course admin admin, but the documentation says hey, you should change this, you know Immediately, right? So what do you do? You change it And then he found out even after you changed it You could still log in through the rest interface with admin admin because they were using a cache To cache the the password credentials and they didn't invalidate the cache or even have a large timeout on the cache And so you could just log in with those basic credentials So this is a super interesting case of where even though like there are good mechanisms for changing the password It was still a broken easy to guess default credentials So this is a really really important idea as we discuss earlier in that diagram of remote versus local attacks right, so fundamentally a local attacker can mess with the so if we go back to our fund diagram Right a local attacker can essentially change almost all of these things right a local attacker on the terminal can Change the environment that the application is running in And maybe depending on their permissions change files in the file system They can create another process to interact with that and create many other applications Whereas a network attacker fundamentally can only talk to that application through whatever protocol it's talking on and you fundamentally can't change or add files And usually the way we think about kind of the exploitation life cycle is you would start as a remote attacker You would use some vulnerability of that remote application to get you presents locally on the machine Usually that presence you'll be running as the web server or whatever the application was that you just attacked And then from there you use another vulnerability Usually in the operating system or something to then get yourself root or add them privileges on the machine And at that point you kind of own everything so so yeah, the worst in terms of the worst kinds of attacks, so there was a vulnerability and Ruby on Rails that allowed remote unauthenticated code injection So basically you could send one request to any Ruby on Rails web server and it would execute whatever code you wanted And obviously that's insanely bad Right, so this is So local attackers have more power but they're a lot more difficult to get local access to a machine questions on this so What's the thing like with an application? How does your application come to be? Is this only as a thought in your brain? It's coded Somebody's got to code it. You gotta translate. We haven't got the point where you translate brainplays into binary code yet But maybe someday Right. Do you write ones and zeros? Do you have a keyboard? What's the actual cpu speed? Yeah, ones and zeros and assembly a very specific your architecture language, like x86 as we'll look at, right? So we don't want to do that because it's a pain. Has anybody written assembly code? Yeah, is it fun? No, it was. You're going to be looking at a lot more, so you should change your attitudes. You know, I love assembly code. It's the best thing that's ever happened to you. So some process translates that application. Our high-level language, a compiler, depending on what we're doing it, it did usually some kind of executable form and saves it to a file, right? So then when the application is loaded, so this is a couple different procedures here, right? So we have, we write our language, we compile it, and then it turns it into a file on our disk. At that point it is not an application, it's just bytes on our drive, right? There's a whole, the other procedure is then we want to execute it. How does the application turn those sequence of bytes on the disk into a running process, right? That actually gets CPU out. So the application needs to be loaded in memory, so we're going to take those bytes from the disk, load it into memory in the proper locations, as we'll see, and then the operating system basically passes control over to the application and it starts executing. And then it hopefully doesn't run forever unless that's what you want, and then it will terminate. Questions on this? And so the idea is, so what's the difference between an interpreter and a compiler? What's the what thing? Line by line, operation, maybe runtime, operation, it compiles the code on the client. I don't know how you use one of the definitions. What's the difference between a compiler and a, what's a compiler do? So you need a compiler as a translator, right? So it takes in like your C code and outputs either assembly or x86 binary code, right? So it's a translator, so it translates completely from one to the other. Where an interpreter essentially is interpreting instructions as it's going through it, right? So, and of course this line gets blurry because you have like Java, which is an interpretive language because it's interpreting the JDM byte codes, but you do have a Java compiler that compiles your Java file to a JDM byte code instructions, but it's not actually executed by the CPU, right? The CPU is executing the Java virtual machine that's interpreting the instructions. I think it's even more confusing and blurry because the Java VM, when it detects a hotspot it will actually compile right there your Java code, your Java byte code to x86 or whatever code and then start executing that. So these lines are very boring. I think is the key point here. Yeah, so like Python is a good example of an interpretive language where the Python program is running is analyzing your Python code and interpreting it and doing whatever it needs to do. Typically we think about them as like compiled programs are usually going to be faster. Interpreted programs are usually slower. It's not always 100% the case. JavaScript can be pretty fast even though it can be coded in terrible ways. So on compilation we have a lot of steps in here. This is just kind of a brief overview for those that aren't familiar. We first have a pre-processing that goes through and processes all the pound defined, pound includes this before we even have any of that. And then the compiler then takes that C code, turns that into assembly. Then we have an assembler which, so we have CVP is the C preprocessor, GCC compiler. So you can actually use GCC if you haven't used this dash capital S which will generate the assembly file for you of your code. So won't do the last step of actually translating that to x86 code. Important thing for the rest of this course is where are you living? I think mostly exclusively, I think almost exclusively we may add some challenges later but at 32 bits we're gonna get x86, 32 bits. So if you're on a 64 bit system you use the dash M32 flag when you're compiling these things. But I think most places where I have GCC commands, I think I've included that but if not, there's just one. So the assembler then takes that assembly file, turns it into a binary object at that point. So it, as we'll see, we'll look at Elf in a little bit. It contains metadata about how to load this file into memory, where various things are, and symbols, information about the symbols, any debugging information, if we want debugging information about what lines in the program map to what lines in our source file, all that information is stored in here in the compilation processes. And so our most applications, like one big giant binary that you execute since these earlier, we talked about applications. Do you have a library? Yeah, a linker or a library, right? So there's a couple different things that may need to happen. So A, we may want to compile our C code into different object files first. Maybe we work on like a large C or C++ code base. I did, it was horrible. Is, I mean, the fun part was whenever you change a header file and then have to wait like 15 minutes for everything to compile, that was like the worst of the best times. But anyways, the point is that you have different object files that are all compiled from your assembly code. You need to combine them together because they'll have function calls to each other. So it's the job of the linker to grab all these and link them together. T thing that will definitely come up again, there's two different types of linking. One is static linking, where the binaries your object files are literally all compiled into one binary. The other kind is dynamic linking, which is usually when you're like a .so file. So that's loaded on demand when the application needs it. So what's, what are some of the pros and cons there? Concepts to a specific function and a shared object is gonna be static, right? Say it again, say it again, sorry. The offset to a specific function and a shared object library is always gonna be a static offset from the beginning of the file. I don't know, that's a good question. Okay. I think, you may be right, but also I don't know. I think it depends exactly on how the dynamic linking works. I think it looks it up at runtime when it loads that library. Like it looks at the symbols of the library. That's happening at linking stage, right? Which always happens. It happens at the static, for static linking, yes. It matches up. So one thing to think about. So for static linking, you have all, so everything's all within the same binary. So you know exactly where all your methods are. So this is, I don't know the flat out of that to do static linking, but like libc is a library that gets loaded. So you can have a very small executable if you have dynamic linking. You can have a large executable if you have static linking if you're using libc. But what happens if there's a vulnerability in a libc function? Yeah, so when you update it and fix it, all the new applications will use that new version of libc that are dynamically linked. All the versions that are statically linked now still have the old version. You have to actually update those applications. On the flip side of that note, everybody, as they may have heard the term, it's on Windows, but it's somewhere on DLLL. Yeah, it's when somebody on your system updates some shared library and now it's incompatible with your version. And so your application breaks because they updated the library to something that your application doesn't support. So you have this interesting trade off between, there's definitely security benefits for dynamic linking. There's downsides for static linking. So anyways, we will dig into the ELF file format. We're gonna go ELF Crazy on Monday.