/jul 9, 2019

Summer Reading: Dive Into the Security Classics

By Dan Murphy

Shakespeare. Brontë. Dickens. In literature, the classics have long been a staple of summer reading lists. Computer security has its own share of classics – reference points that serve as a foundation for understanding the field’s ever-changing chessboard of attack and defense. This list of computer security summer reading can be enjoyed either lounging on the beach with sand beneath your toes, or curled up in bed with your face lit by the blue-filtered midnight glow of a tablet. Whether you are a new developer interested in learning more about computer security, or a seasoned practitioner looking to revisit some of the seminal works in the field, I hope that you enjoy the articles below as much as I did when I first stumbled across them!

Smashing the Stack for Fun and Profit

http://phrack.org/issues/49/14.html

Aleph One’s Smashing the Stack for Fun and Profit was truly eye-opening when it was first introduced. Sometimes the answer to “what does this block of code do?” can be “anything the caller wants it to!” This concept lives on in more modern incarnations like XSS and SQL injection, but Smashing the Stack is the granddaddy of code injection. I originally encountered it independently, and was pleasantly surprised years later when it resurfaced as legitimate assigned reading for a grad class. Taking the time to write some shell code is valuable to understanding the fundamentals of how code executes, and is a great puzzle. Check out https://travisf.net/smashing-the-stack-today for tips on recreating the environment today.

OG ODBC

http://www.phrack.org/issues/54/8.html

Under the inauspicious heading of “ODBC and MS SQL server 6.5,” this article explores a simple concept: what could happen if a web application copies the strings received from HTML form elements directly to SQL statements? We all know how that one ended. Twenty years later, there are more than 37 million Google hits for “sql injection.” By now, Bobby Tables is applying for his first job after graduating from “University’); DROP TABLE applicants; --”, and still getting results!

Dawn of XSS

https://resources.sei.cmu.edu/asset_files/WhitePaper/2000_019_001_496188.pdf

CERT advisory CA-2000-02, since consigned to PDF archive, contains the following quote: “Because one source is injecting code into pages sent by another source, this vulnerability has also been described as ‘cross-site’ scripting.” The humble window.alert() function has been igniting developers’ limbic systems ever since with joy and terror, the latter being more common if you’re seeing it in prod.  Of course, XSS is much more dangerous than simply popping modals – untold millions of cookies have been exfiltrated since the line “malicious exploitation of this vulnerability has not been reported” was written in the advisory.

Tick TOC Tick TOU

https://www.usenix.org/legacy/events/fast05/tech/full_papers/wei/wei.pdf

Another class of attacks worth some summer reading is Time-of-Check to Time-of-Use. Sometimes the security put in place to thwart an attack has a race condition that can still allow an attacker to circumvent it. TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study is a great introduction to the concept, with some specific examples. You can get a more hands-on appreciation by doing (spoiler alert!) Level 2 of overthewire.org’s Leviathan challenge at http://overthewire.org/wargames/leviathan/. While the specifics for these classes of attacks have changed, the concepts are still very relevant: this spring (May 2019), a high-profile Docker bug – attributed to a TOCTOU flaw – allowed containers to break out and overwrite any file on the host as root (see: https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system and https://seclists.org/oss-sec/2019/q2/131).

Once Upon a Free

http://phrack.org/issues/57/9.html

Another tale of simple mistakes with direct consequences is contained within the bytes of Once Upon a Free. A dereference of an invalid pointer can be made much more insidious by controlling the contents of the memory being referenced, and how it gets used. By being aware of the implementation of an allocation scheme, an attack can predict and exploit a simple use of an invalid pointer to great effect. The write-up in https://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-of-cve-2014-1772-an-internet-explorer-use-after-free-vulnerability/ goes deep on an Internet Explorer vulnerability. Earlier this year, there was a very scary Chrome zero-day that built on use-after-free: https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/. One of the most interesting takeaways in these write-ups is the exploit code in JavaScript. You may not be writing C/C++ code, but almost all major browsers are implemented in native code, and it is important to understand what happens under the covers.

The Geometry of Innocent Flesh on the Bone

https://hovav.net/ucsd/dist/geometry.pdf

With stacks smashed and buffers overflowing with shell code, vendors introduced techniques to make stacks non-executable and limit the impact of code injection. But what it if were possible to hijack execution without injecting actual code? In The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86), Hovav Shacham shows how small gaps in the intended behavior of a system can be built upon to produce a system that produces dramatic results. There are signs in the Veracode restrooms that read “Employees must wash hands before returning to libc.” They still manage to make me grin every now and then.

Related Posts

By Dan Murphy

Dan Murphy has more than 20 years of experience working in computer security, and is currently the software architect for Veracode’s dynamic analysis business line. Dan has had a life-long interest in secure (and insecure!) software, sparked by explorations of bulletin boards as a pre-teen, and an early job as a teenager securing networks and servers at an Internet Service Provider. Prior to joining Veracode, Dan was part of the leadership team that spun out mobile security startup Blue Cedar from Mocana, a San Francisco-based cybersecurity firm. For many years before that he worked at Cisco Systems and Nortel Networks in the deep-inspection firewall and Virtual Private Network (VPN) spaces, and is one of the original authors of the Cisco AnyConnect VPN client, still in use by millions of users today.