1、Talking about security loopholes Richard S. Kraus reference to the core network security business objective is to protect the sustainability of the system and data security,This two of the main threats come from the worm outbreaks,hacking attacks,denial of service attacks,Trojan horse. Worms,hacker
2、attacks problems and loopholes closely linked to,if there is major security loopholes have emerged,the entire Internet will be faced with a major challenge. While traditional Trojan and little security loopholes,but recently many Trojan are clever use of the IE loophole let you browse the website at
3、 unknowingly were on the move. Security loopholes in the definition of a lot,I have here is a popular saying:can be used to stem the thought can not do,and are safety-related deficiencies. This shortcoming can be a matter of design,code realization of the problem. Different perspective of security l
4、oopholes In the classification of a specific procedure is safe from the many loopholes in classification. 1. Classification from the user groups: Public loopholes in the software category. If the loopholes in Windows,IE loophole,and so on. specialized software loophole. If Oracle loopholes,Apache,et
5、c. loopholes. 2. Data from the perspective include : could not reasonably be read and read data,including the memory of the data,documents the data,Users input data,the data in the database,network,data transmission and so on. designated can be written into the designated places (including the local
6、 paper,memory,databases,etc.) Input data can be implemented (including native implementation,according to Shell code execution,by SQL code execution,etc.) 3. From the point of view of the scope of the role are : Remote loopholes,an attacker could use the network and directly through the loopholes in
7、 the attack. Such loopholes great harm,an attacker can create a loophole through other peoples computers operate. Such loopholes and can easily lead to worm attacks on Windows. Local loopholes,the attacker must have the machine premise access permissions can be launched to attack the loopholes. Typi
8、cal of the local authority to upgrade loopholes,loopholes in the Unix system are widespread,allow ordinary users to access the highest administrator privileges. 4. Trigger conditions from the point of view can be divided into: Initiative trigger loopholes,an attacker can take the initiative to use t
9、he loopholes in the attack,If direct access to computers. Passive trigger loopholes must be computer operators can be carried out attacks with the use of the loophole. For example,the attacker made to a mail administrator,with a special jpg image files,if the administrator to open image files will l
10、ead to a picture of the software loophole was triggered,thereby system attacks,but if managers do not look at the pictures will not be affected by attacks. 5. On an operational perspective can be divided into: File operation type,mainly for the operation of the target file path can be controlled (e.
11、g.,parameters,configuration files,environment variables,the symbolic link HEC),this may lead to the following two questions: Content can be written into control,the contents of the documents can be forged. Upgrading or authority to directly alter the important data (such as revising the deposit and
12、lending data),this has many loopholes. If history Oracle TNS LOG document can be designated loopholes,could lead to any person may control the operation of the Oracle computer services; information content can be output Print content has been contained to a screen to record readable log files can be
13、 generated by the core users reading papers,Such loopholes in the history of the Unix system crontab subsystem seen many times,ordinary users can read the shadow of protected documents; Memory coverage,mainly for memory modules can be specified,write content may designate such persons will be able t
14、o attack to enforce the code (buffer overflow,format string loopholes,PTrace loopholes,Windows history of the hardware debugging registers users can write loopholes),or directly alter the memory of secrets data. logic errors,such wide gaps exist,but very few changes,so it is difficult to discern,can
15、 be broken down as follows : loopholes competitive conditions (usually for the design,typical of Ptrace loopholes,The existence of widespread document timing of competition) wrong tactic,usually in design. If the history of the FreeBSD Smart IO loopholes. Algorithm (usually code or design to achieve
16、),If the history of Microsoft Windows 95/98 sharing password can easily access loopholes. Imperfections of the design,such as TCP / IP protocol of the three-step handshake SYN FLOOD led to a denial of service attack. realize the mistakes (usually no problem for the design,but the presence of coding
17、logic wrong,If history betting system pseudo-random algorithm) External orders,Typical of external commands can be controlled (via the PATH variable,SHELL importation of special characters,etc.) and SQL injection issues. 6. From time series can be divided into: has long found loopholes:manufacturers
18、 already issued a patch or repair methods many people know already. Such loopholes are usually a lot of people have had to repair macro perspective harm rather small. recently discovered loophole:manufacturers just made patch or repair methods,the people still do not know more. Compared to greater d
19、anger loopholes,if the worm appeared fool or the use of procedures,so will result in a large number of systems have been attacked. 0day:not open the loophole in the private transactions. Usually such loopholes to the public will not have any impact,but it will allow an attacker to the target by aimi
20、ng precision attacks,harm is very great. Different perspective on the use of the loopholes If a defect should not be used to stem the original can not do what the (safety-related),one would not be called security vulnerability,security loopholes and gaps inevitably closely linked to use. Perspective
21、 use of the loopholes is: Data Perspective:visit had not visited the data,including reading and writing. This is usually an attackers core purpose,but can cause very serious disaster (such as banking data can be written). Competence Perspective:Major Powers to bypass or permissions. Permissions are
22、usually in order to obtain the desired data manipulation capabilities. Usability perspective:access to certain services on the system of control authority,this may lead to some important services to stop attacks and lead to a denial of service attack. Authentication bypass:usually use certification
23、system and the loopholes will not authorize to access. Authentication is usually bypassed for permissions or direct data access services. Code execution perspective:mainly procedures for the importation of the contents as to implement the code,obtain remote system access permissions or local system
24、of higher authority. This angle is SQL injection,memory type games pointer loopholes (buffer overflow,format string,Plastic overflow etc.),the main driving. This angle is usually bypassing the authentication system,permissions,and data preparation for the reading. Loopholes explore methods must Firs
25、t remove security vulnerabilities in software BUG in a subset,all software testing tools have security loopholes to explore practical. Now that the hackers used to explore the various loopholes that there are means available to the model are: fuzz testing (black box testing),by constructing procedur
26、es may lead to problems of structural input data for automatic testing. FOSS audit (White Box),now have a series of tools that can assist in the detection of the safety procedures BUG. The most simple is your hands the latest version of the C language compiler. IDA anti-compilation of the audit (gra
27、y box testing),and above the source audit are very similar. The only difference is that many times you can obtain software,but you can not get to the source code audit,But IDA is a very powerful anti-Series platform,let you based on the code (the source code is in fact equivalent) conducted a safety
28、 audit. dynamic tracking,is the record of proceedings under different conditions and the implementation of all security issues related to the operation (such as file operations),then sequence analysis of these operations if there are problems,it is competitive category loopholes found one of the maj
29、or ways. Other tracking tainted spread also belongs to this category. patch,the software manufacturers out of the question usually addressed in the patch. By comparing the patch before and after the source document (or the anti-coding) to be aware of the specific details of loopholes. More tools wit
30、h which both relate to a crucial point:Artificial need to find a comprehensive analysis of the flow path coverage. Analysis methods varied analysis and design documents,source code analysis,analysis of the anti-code compilation,dynamic debugging procedures. Grading loopholes loopholes in the inspect
31、ion harm should close the loopholes and the use of the hazards related Often people are not aware of all the Buffer Overflow Vulnerability loopholes are high-risk. A long-distance loophole example and better delineation:Remote access can be an OS,application procedures,version information. open unne
32、cessary or dangerous in the service,remote access to sensitive information systems. Remote can be restricted for the documents,data reading. remotely important or restricted documents,data reading. may be limited for long-range document,data revisions. Remote can be restricted for important document
33、s,data changes. Remote can be conducted without limitation in the important documents,data changes,or for general service denial of service attacks. Remotely as a normal user or executing orders for system and network-level denial of service attacks. may be remote management of user identities to th
34、e enforcement of the order (limited,it is not easy to use). can be remote management of user identities to the enforcement of the order (not restricted,accessible).Almost all local loopholes lead to code execution,classified above the 10 points system for:initiative remote trigger code execution (su
35、ch as IE loophole). passive trigger remote code execution (such as Word gaps / charting software loopholes). DEMO a firewall segregation (peacekeeping operation only allows the Department of visits) networks were operating a Unix server;operating systems only root users and users may oracle landing
36、operating system running Apache (nobody authority),Oracle (oracle user rights) services. An attackers purpose is to amend the Oracle database table billing data. Its possible attacks steps: 1. Access peacekeeping operation of the network. Access to a peacekeeping operation of the IP address in order
37、 to visit through the firewall to protect the UNIX server. 2. Apache services using a Remote Buffer Overflow Vulnerability direct access to a nobodys competence hell visit. 3. Using a certain operating system suid procedure of the loophole to upgrade their competence to root privileges. 4. Oracle sy
38、sdba landing into the database (local landing without a password). 5. Revised target table data. Over five down for process analysis:Step 1:Authentication bypass Step 2:Remote loopholes code execution (native),Authentication bypassing Step 3:permissions,authentication bypass Step 4:Authentication by
39、pass Step 5:write data安全漏洞杂谈Richard S. Kraus 网络安全核心目的是保障业务系统可持续性和数据安全性,而这两点重要威胁来自于蠕虫暴发、黑客袭击、回绝服务袭击、木马。蠕虫、黑客袭击问题都和漏洞紧密联系在一起,一旦有重大安全漏洞浮现,整个互联网就会晤临一次重大挑战。虽然老式木马和安全漏洞关系不大,但近来诸多木马都巧妙运用了IE漏洞,让你在浏览网页时不知不觉就中了招。 安全漏洞定义已有诸多了,我这里给出一种通俗说法就是:可以被运用来干“原本觉得”不能干事,并且和安全有关缺陷。这个缺陷可以是设计上问题、程序代码实现上问题。一、不同角度看安全漏洞分类 对一种特定程
40、序安全漏洞可以从多方面进行分类: 1. 从顾客群体分类: 大众类软件漏洞。如Windows漏洞、IE漏洞等等。 专用软件漏洞。如Oracle漏洞、Apache漏洞等等。 2.从数据角度看分为: 能读按理不能读数据,涉及内存中数据、文献中数据、顾客输入数据、数据库中数据、网络上传播数据等等。 能把指定内容写入指定地方(这个地方涉及文献、内存、数据库等) 输入数据能被执行(涉及按机器码执行、按Shell代码执行、按SQL代码执行等等) 3.从作用范畴角度看分为: 远程漏洞,袭击者可以运用并直接通过网络发起袭击漏洞。此类漏洞危害极大,袭击者能随心所欲通过此漏洞操作她人电脑。并且此类漏洞很容易导致蠕虫
41、袭击,在Windows。 本地漏洞,袭击者必要在本机拥有访问权限前提下才干发起袭击漏洞。比较典型是本地权限提高漏洞,此类漏洞在Unix系统中广泛存在,能让普通顾客获得最高管理员权限。 4.从触发条件上看可以分为: 积极触发漏洞,袭击者可以积极运用该漏洞进行袭击,如直接访问她人计算机。 被动触发漏洞,必要要计算机操作人员配合才干进行袭击运用漏洞。例如袭击者给管理员发一封邮件,带了一种特殊jpg图片文献,如果管理员打开图片文献就会导致看图软件某个漏洞被触发,从而系统被袭击,但如果管理员不看这个图片则不会受袭击。 5.从操作角度看可分为: 文献操作类型,重要为操作目的文献途径可被控制(如通过参数、配
42、备文献、环境变量、符号链接灯),这样就也许导致下面两个问题: 写入内容可被控制,从而可伪造文献内容,导致权限提高或直接修改重要数据(如修改内存数据),此类漏洞有诸多,如历史上Oracle TNS LOG文献可指定漏洞,可导致任何人可控制运营Oracle服务计算机; 内容信息可被输出,包括内容被打印到屏幕、记录到可读日记文献、产生可被顾客读core文献等等,此类漏洞在历史上Unix系统中crontab子系统中浮现过诸多次,普通顾客能读受保护shadow文献; 内存覆盖,重要为内存单元可指定,写入内容可指定,这样就能执行袭击者想执行代码(缓冲区溢出、格式串漏洞、PTrace漏洞、历史上Window
43、s硬件调试寄存器顾客可写漏洞)或直接修改内存中机密数据。 逻辑错误,此类漏洞广泛存在,但很少有范式,因此难以查觉,可细分为: 条件竞争漏洞(普通为设计问题,典型有Ptrace漏洞、广泛存在文献操作时序竞争) 方略错误,普通为设计问题,如历史上FreeBSDSmart IO漏洞。 算法问题(普通为设计问题或代码实现问题),如历史上微软Windows 95/98共享口令可容易获取漏洞。 设计不完善,如TCP/IP合同中3步握手导致了SYN FLOOD回绝服务袭击。 实现中错误(普通为设计没有问题,但编码人员浮现了逻辑错误,如历史上博彩系统伪随机算法实现问题) 外部命令执行问题,典型有外部命令可被控
44、制(通过PATH变量,输入中SHELL特殊字符等等)和SQL注入问题。 6. 从时序上看可分为: 已发现好久漏洞:厂商已经发布补丁或修补办法,诸多人都已经懂得。此类漏洞普通诸多人已经进行了修补,宏观上看危害比较小。 刚发现漏洞:厂商刚发补丁或修补办法,懂得人还不多。相对于上一种漏洞其危害性较大,如果此时浮现了蠕虫或傻瓜化运用程序,那么会导致大批系统受到袭击。 0day:还没有公开漏洞,在私下交易中。此类漏洞普通对大众不会有什么影响,但会导致袭击者瞄准目的受到精准袭击,危害也是非常之大。二、不同角度看待漏洞运用 如果一种缺陷不能被运用来干“原本”不能干事(安全有关),那么就不能被称为安全漏洞,因
45、此安全漏洞必然和漏洞运用紧密联系在一起。 漏洞运用视角有: 数据视角:访问本来不可访问数据,涉及读和写。这一条普通是袭击者核心目,并且可导致非常严重劫难(如银行数据可被人写)。 权限视角:重要为权限绕过或权限提高。普通权限提高都是为了获得盼望数据操作能力。 可用性视角:获得对系统某些服务控制权限,这也许导致某些重要服务被袭击者停止而导致回绝服务袭击。 认证绕过:普通运用认证系统漏洞而不用受权就能进入系统。普通认证绕过都是为权限提高或直接数据访问服务。 代码执行角度:重要是让程序将输入内容作为代码来执行,从而获得远程系统访问权限或本地系统更高权限。这个角度是SQL注入、内存指针游戏类漏洞(缓冲区
46、溢出、格式串、整形溢出等等)等重要驱动。这个角度普通为绕过系统认证、权限提高、数据读取做准备。三、漏洞发掘办法 一方面必要清除安全漏洞是软件BUG一种子集,一切软件测试手段都对安全漏洞发掘实用。当前“黑客”用各种漏洞发掘手段里有模式可循有: fuzz测试(黑盒测试),通过构造也许导致程序浮现问题方式构造输入数据进行自动测试。 源码审计(白盒测试),当前有了一系列工具都能协助发现程序中安全BUG,最简朴就是你手上最新版本C语言编译器。 IDA反汇编审计(灰盒测试),这和上面源码审计非常类似,唯一不同是诸多时候你能获得软件,但你无法拿到源码来审计,但IDA是一种非常强大反汇编平台,能让你基于汇编码
47、(其实也是源码等价物)进行安全审计。 动态跟踪分析,就是记录程序在不同条件下执行所有和安全问题有关操作(如文献操作),然后分析这些操作序列与否存在问题,这是竞争条件类漏洞发现重要途径之一,其她污点传播跟踪也属于此类。 补丁比较,厂商软件出了问题普通都会在补丁中解决,通过对比补丁先后文献源码(或反汇编码)就能理解到漏洞详细细节。 以上手段中无论是用哪种都涉及到一种核心点:需要通过人工分析来找到全面流程覆盖途径。分析手法各种各样,有分析设计文档、分析源码、分析反汇编代码、动态调试程序等。四、漏洞级别评估 考察漏洞危害性应当紧密和运用该漏洞带来危害有关,并不是普通人们结识所有缓冲区溢出漏洞都是高危漏洞。以远程漏洞为例,比较好划分办法为: 可远程获取OS、应用程序版本信息。 开放了不必要或危险得服务,可远程获取系统敏感信息。 可远程进行受限文献、数据读取。 可远程进行重要或不受限文献、数据读取。 可远程进行受限文献、数据修改。 可远程进行受限重要文献、数据修改。 可远程进行不受限得重要文献、数据修改,或对普通服务进行回绝服务袭击。 可远程以普通顾客身份执行命令或进行系统、网络级回绝服务袭击。 可远程以管理顾客身份执行命令(受限、不太容易运用)。 可远程以管理顾客身份执行命令(不受限、
浙ICP备2021020529号-1 | 浙B2-20240490 
