1、Talking about security loopholes Richard S. Kraus reference to the core network security business objective is to protect the sustainability of the system and data security, This two of the main threats .e from the worm outbreaks, hacking attacks, denial of service attacks, Trojan horse. Worms, hack
2、er attacks problems and loopholes closely linked to, if there is major security loopholes have emerged, the entire Internet will be faced with a major challenge. While traditional Trojan and little security loopholes, but recently many Trojan are clever use of the IE loophole let you browse the webs
3、ite at unknowingly were on the move. Security loopholes in the definition of a lot, I have here is a popular saying: can be used to stem the thought can not do, and are safety-related deficiencies. This short.ing can be a matter of design, code realization of the problem. Different perspective of se
4、curity loopholes In the classification of a specific procedure is safe from the many loopholes in classification. 1. Classification from the user groups: Public loopholes in the software category. If the loopholes in Windows, IE loophole, and so on. specialized software loophole. If Oracle loopholes
5、, Apache, etc. loopholes. 2. Data from the perspective include : could not reasonably be read and read data, including the memory of the data, documents the data, Users input data, the data in the database, network, data transmission and so on. designated can be written into the designated places (i
6、ncluding the local paper, memory, databases, etc.) Input data can be implemented (including native implementation, according to Shell code execution, by SQL code execution, etc.) 3. From the point of view of the scope of the role are : Remote loopholes, an attacker could use the network and directly
7、 through the loopholes in the attack. Such loopholes great harm, an attacker can create a loophole through other peoples .puters operate. Such loopholes and can easily lead to worm attacks on Windows. Local loopholes, the attacker must have the machine premise access permissions can be launched to a
8、ttack the loopholes. Typical of the local authority to upgrade loopholes, loopholes in the Unix system are widespread, allow ordinary users to access the highest administrator privileges. 4. Trigger conditions from the point of view can be divided into: Initiative trigger loopholes, an attacker can
9、take the initiative to use the loopholes in the attack, If direct access to .puters. Passive trigger loopholes must be .puter operators can be carried out attacks with the use of the loophole. For example, the attacker made to a mail administrator, with a special jpg image files, if the administrato
10、r to open image files will lead to a picture of the software loophole was triggered, thereby system attacks, but if managers do not look at the pictures will not be affected by attacks. 5. On an operational perspective can be divided into: File operation type, mainly for the operation of the target
11、file path can be controlled (e.g., parameters, configuration files, environment variables, the symbolic link HEC), this may lead to the following two questions: Content can be written into control, the contents of the documents can be forged. Upgrading or authority to directly alter the important da
12、ta (such as revising the deposit and lending data), this has many loopholes. If history Oracle TNS LOG document can be designated loopholes, could lead to any person may control the operation of the Oracle .puter services; information content can be output Print content has been contained to a scree
13、n to record readable log files can be generated by the core users reading papers, Such loopholes in the history of the Unix system crontab subsystem seen many times, ordinary users can read the shadow of protected documents; Memory coverage, mainly for memory modules can be specified, write content
14、may designate such persons will be able to attack to enforce the code (buffer overflow, format string loopholes, PTrace loopholes, Windows 2000 history of the hardware debugging registers users can write loopholes), or directly alter the memory of secrets data. logic errors, such wide gaps exist, bu
15、t very few changes, so it is difficult to discern, can be broken down as follows : loopholes .petitive conditions (usually for the design, typical of Ptrace loopholes, The existence of widespread document timing of .petition) wrong tactic, usually in design. If the history of the FreeBSD Smart IO lo
16、opholes. Algorithm (usually code or design to achieve), If the history of Microsoft Windows 95/98 sharing password can easily access loopholes. Imperfections of the design, such as TCP / IP protocol of the three-step handshake SYN FLOOD led to a denial of service attack. realize the mistakes (usuall
17、y no problem for the design, but the presence of coding logic wrong, If history betting system pseudo-random algorithm) External orders, Typical of external .mands can be controlled (via the PATH variable, SHELL importation of special characters, etc.) and SQL injection issues. 6. From time series c
18、an be divided into: has long found loopholes: manufacturers already issued a patch or repair methods many people know already. Such loopholes are usually a lot of people have had to repair macro perspective harm rather small. recently discovered loophole: manufacturers just made patch or repair meth
19、ods, the people still do not know more. .pared to greater danger loopholes, if the worm appeared fool or the use of procedures, so will result in a large number of systems have been attacked. 0day: not open the loophole in the private transactions. Usually such loopholes to the public will not have
20、any impact, but it will allow an attacker to the target by aiming precision attacks, harm is very great. Different perspective on the use of the loopholes If a defect should not be used to stem the original can not do what the (safety-related), one would not be called security vulnerability, securit
21、y loopholes and gaps inevitably closely linked to use. Perspective use of the loopholes is: Data Perspective: visit had not visited the data, including reading and writing. This is usually an attackers core purpose, but can cause very serious disaster (such as banking data can be written). .petence
22、Perspective: Major Powers to bypass or permissions. Permissions are usually in order to obtain the desired data manipulation capabilities. Usability perspective: access to certain services on the system of control authority, this may lead to some important services to stop attacks and lead to a deni
23、al of service attack. Authentication bypass: usually use certification system and the loopholes will not authorize to access. Authentication is usually bypassed for permissions or direct data access services. Code execution perspective: mainly procedures for the importation of the contents as to imp
24、lement the code, obtain remote system access permissions or local system of higher authority. This angle is SQL injection, memory type games pointer loopholes (buffer overflow, format string, Plastic overflow etc.), the main driving. This angle is usually bypassing the authentication system, permiss
25、ions, and data preparation for the reading. Loopholes explore methods must First remove security vulnerabilities in software BUG in a subset, all software testing tools have security loopholes to explore practical. Now that the hackers used to explore the various loopholes that there are means avail
26、able to the model are: fuzz testing (black box testing), by constructing procedures may lead to problems of structural input data for automatic testing. FOSS audit (White Box), now have a series of tools that can assist in the detection of the safety procedures BUG. The most simple is your hands the
27、 latest version of the C language .piler. IDA anti-.pilation of the audit (gray box testing), and above the source audit are very similar. The only difference is that many times you can obtain software, but you can not get to the source code audit, But IDA is a very powerful anti-Series platform, le
28、t you based on the code (the source code is in fact equivalent) conducted a safety audit. dynamic tracking, is the record of proceedings under different conditions and the implementation of all security issues related to the operation (such as file operations), then sequence analysis of these operat
29、ions if there are problems, it is .petitive category loopholes found one of the major ways. Other tracking tainted spread also belongs to this category. patch, the software manufacturers out of the question usually addressed in the patch. By .paring the patch before and after the source document (or
30、 the anti-coding) to be aware of the specific details of loopholes. More tools with which both relate to a crucial point: Artificial need to find a .prehensive analysis of the flow path coverage. Analysis methods varied analysis and design documents, source code analysis, analysis of the anti-code .
31、pilation, dynamic debugging procedures. Grading loopholes loopholes in the inspection harm should close the loopholes and the use of the hazards related Often people are not aware of all the Buffer Overflow Vulnerability loopholes are high-risk. A long-distance loophole example and better delineatio
32、n: Remote access can be an OS, application procedures, version information. open unnecessary or dangerous in the service, remote access to sensitive information systems. Remote can be restricted for the documents, data reading. remotely important or restricted documents, data reading. may be limited
33、 for long-range document, data revisions. Remote can be restricted for important documents, data changes. Remote can be conducted without limitation in the important documents, data changes, or for general service denial of service attacks. Remotely as a normal user or executing orders for system an
34、d network-level denial of service attacks. may be remote management of user identities to the enforcement of the order (limited, it is not easy to use). can be remote management of user identities to the enforcement of the order (not restricted, accessible).Almost all local loopholes lead to code ex
35、ecution, classified above the 10 points system for: initiative remote trigger code execution (such as IE loophole). passive trigger remote code execution (such as Word gaps / charting software loopholes). DEMO a firewall segregation (peacekeeping operation only allows the Department of visits) netwo
36、rks were operating a Unix server; operating systems only root users and users may oracle landing operating system running Apache (nobody authority), Oracle (oracle user rights) services. An attackers purpose is to amend the Oracle database table billing data. Its possible attacks steps: 1. Access pe
37、acekeeping operation of the network. Access to a peacekeeping operation of the IP address in order to visit through the firewall to protect the UNIX server. 2. Apache services using a Remote Buffer Overflow Vulnerability direct access to a nobodys .petence hell visit. 3. Using a certain operating sy
38、stem suid procedure of the loophole to upgrade their .petence to root privileges. 4. Oracle sysdba landing into the database (local landing without a password). 5. Revised target table data. Over five down for process analysis: Step 1: Authentication bypass Step 2: Remote loopholes code execution (n
39、ative), Authentication bypassing Step 3: permissions, authentication bypass Step 4: Authentication bypass Step 5: write data安全漏洞杂谈Richard S. Kraus 网络安全的核心目标是保障业务系统的可持续性和数据的安全性,而这两点的主要威胁来自于蠕虫的暴发、黑客的攻击、拒绝服务攻击、木马。蠕虫、黑客攻击问题都和漏洞紧密联系在一起,一旦有重大安全漏洞出现,整个互联网就会面临一次重大挑战。虽然传统木马和安全漏洞关系不大,但最近很多木马都巧妙的利用了IE的漏洞,让你在浏览
40、网页时不知不觉的就中了招。 安全漏洞的定义已经有很多了,我这里给出一个通俗的说法就是:能够被利用来干“原本以为”不能干的事,并且和安全相关的缺陷。这个缺陷可以是设计上的问题、程序代码实现上的问题。一、不同角度看安全漏洞的分类 对一个特定程序的安全漏洞可以从多方面进行分类: 1. 从用户群体分类: 大众类软件的漏洞。如Windows的漏洞、IE的漏洞等等。 专用软件的漏洞。如Oracle漏洞、Apache漏洞等等。 2.从数据角度看分为: 能读按理不能读的数据,包括内存中的数据、文件中的数据、用户输入的数据、数据库中的数据、网络上传输的数据等等。 能把指定的内容写入指定的地方(这个地方包括文件、
41、内存、数据库等) 输入的数据能被执行(包括按机器码执行、按Shell代码执行、按SQL代码执行等等) 3.从作用范围角度看分为: 远程漏洞,攻击者可以利用并直接通过网络发起攻击的漏洞。这类漏洞危害极大,攻击者能随心所欲的通过此漏洞操作他人的电脑。并且此类漏洞很容易导致蠕虫攻击,在Windows。 本地漏洞,攻击者必须在本机拥有访问权限前提下才能发起攻击的漏洞。比较典型的是本地权限提升漏洞,这类漏洞在Unix系统中广泛存在,能让普通用户获得最高管理员权限。 4.从触发条件上看可以分为: 主动触发漏洞,攻击者可以主动利用该漏洞进行攻击,如直接访问他人计算机。 被动触发漏洞,必须要计算机的操作人员配
42、合才能进行攻击利用的漏洞。比如攻击者给管理员发一封邮件,带了一个特殊的jpg图片文件,如果管理员打开图片文件就会导致看图软件的某个漏洞被触发,从而系统被攻击,但如果管理员不看这个图片则不会受攻击。 5.从操作角度看可分为: 文件操作类型,主要为操作的目标文件路径可被控制(如通过参数、配置文件、环境变量、符号链接灯),这样就可能导致下面两个问题: 写入内容可被控制,从而可伪造文件内容,导致权限提升或直接修改重要数据(如修改内存数据),这类漏洞有很多,如历史上Oracle TNS LOG文件可指定漏洞,可导致任何人可控制运行Oracle服务的计算机; 内容信息可被输出,包含内容被打印到屏幕、记录到
43、可读的日志文件、产生可被用户读的core文件等等,这类漏洞在历史上Unix系统中的crontab子系统中出现过很多次,普通用户能读受保护的shadow文件; 内存覆盖,主要为内存单元可指定,写入内容可指定,这样就能执行攻击者想执行的代码(缓冲区溢出、格式串漏洞、PTrace漏洞、历史上Windows2000的硬件调试寄存器用户可写漏洞)或直接修改内存中的机密数据。 逻辑错误,这类漏洞广泛存在,但很少有范式,所以难以查觉,可细分为: 条件竞争漏洞(通常为设计问题,典型的有Ptrace漏洞、广泛存在的文件操作时序竞争) 策略错误,通常为设计问题,如历史上FreeBSD的Smart IO漏洞。 算法
44、问题(通常为设计问题或代码实现问题),如历史上微软的Windows 95/98的共享口令可轻易获取漏洞。 设计的不完善,如TCP/IP协议中的3步握手导致了SYN FLOOD拒绝服务攻击。 实现中的错误(通常为设计没有问题,但编码人员出现了逻辑错误,如历史上博彩系统的伪随机算法实现问题) 外部命令执行问题,典型的有外部命令可被控制(通过PATH变量,输入中的SHELL特殊字符等等)和SQL注入问题。 6. 从时序上看可分为: 已发现很久的漏洞:厂商已经发布补丁或修补方法,很多人都已经知道。这类漏洞通常很多人已经进行了修补,宏观上看危害比较小。 刚发现的漏洞:厂商刚发补丁或修补方法,知道的人还不
45、多。相对于上一种漏洞其危害性较大,如果此时出现了蠕虫或傻瓜化的利用程序,那么会导致大批系统受到攻击。 0day:还没有公开的漏洞,在私下交易中的。这类漏洞通常对大众不会有什么影响,但会导致攻击者瞄准的目标受到精确攻击,危害也是非常之大。二、不同角度看待漏洞利用 如果一个缺陷不能被利用来干“原本”不能干的事(安全相关的),那么就不能被称为安全漏洞,所以安全漏洞必然和漏洞利用紧密联系在一起。 漏洞利用的视角有: 数据视角:访问本来不可访问的数据,包括读和写。这一条通常是攻击者的核心目的,而且可造成非常严重的灾难(如银行数据可被人写)。 权限视角:主要为权限绕过或权限提升。通常权限提升都是为了获得期
46、望的数据操作能力。 可用性视角:获得对系统某些服务的控制权限,这可能导致某些重要服务被攻击者停止而导致拒绝服务攻击。 认证绕过:通常利用认证系统的漏洞而不用受权就能进入系统。通常认证绕过都是为权限提升或直接的数据访问服务的。 代码执行角度:主要是让程序将输入的内容作为代码来执行,从而获得远程系统的访问权限或本地系统的更高权限。这个角度是SQL注入、内存指针游戏类漏洞(缓冲区溢出、格式串、整形溢出等等)等的主要驱动。这个角度通常为绕过系统认证、权限提升、数据读取做准备的。三、漏洞发掘方法 首先必须清除安全漏洞是软件BUG的一个子集,一切软件测试的手段都对安全漏洞发掘实用。现在“黑客”用的各种漏洞
47、发掘手段里有模式可循的有: fuzz测试(黑盒测试),通过构造可能导致程序出现问题的方式构造输入数据进行自动测试。 源码审计(白盒测试),现在有了一系列的工具都能协助发现程序中的安全BUG,最简单的就是你手上最新版本的C语言编译器。 IDA反汇编审计(灰盒测试),这和上面的源码审计非常类似,唯一不同的是很多时候你能获得软件,但你无法拿到源码来审计,但IDA是一个非常强大的反汇编平台,能让你基于汇编码(其实也是源码的等价物)进行安全审计。 动态跟踪分析,就是记录程序在不同条件下执行的全部和安全问题相关的操作(如文件操作),然后分析这些操作序列是否存在问题,这是竞争条件类漏洞发现的主要途径之一,其他的污点传播跟踪也属于这类。 补丁比较,厂商的软件出了问题通常都会在补丁中解决,通过对比补丁前后文件的源码(或反汇编码)就能了解到漏洞的具体细节。 以上手段中无论是用哪种都涉及到一个关键点:需要通过人工分析来找到全面的流程覆盖路径。分析手法多种多样,有分析设计文档、分析源码、分析反汇编代码、动态调试程序等。四、漏洞等级评定 考察漏洞的危害性应该紧密的和利用该漏洞带来的危害相关,并不是通常大家认识的所有缓冲区溢出漏洞都是高危漏洞。以远程漏洞为例,比较好的划分方法为: 可远程获取OS、应用程序版本信息。 开放了不必要或危险得服务,可远程获取系统敏感信息。
浙ICP备2021020529号-1 | 浙B2-20240490 
