CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)

Feb 10, 20171 like649 views

Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q. Instructor: Sam Bowne Class website: https://samsclass.info/127/127_S17.shtml

CNIT 127: Exploit Development 
 
Ch 4: Introduction to Format String
Bugs
Updated 2-9-17

Data Interpretation
• RAM contains bytes
• The same byte can be interpreted as
– An integer
– A character
– Part of an instruction
– Part of an address
– Part of a string
– Many, many more...

Most Important for Us
• %x Hexadecimal
• %8x Hexadecimal padded to 8 chars
• %10x Hexadecimal padded to 10 chars
• %100x Hexadecimal padded to 100 chars

Buffer Overflow
• This code is obviously stupid
char name[10];
strcpy(name, "Rumplestiltskin");
• C just does it, without complaining

Format String Without Arguments
• printf("%x.%x.%x.%x");
– There are no arguments to print!
– Should give an error message
– Instead, C just pulls the next 4 values from
the stack and prints them out
– Can read memory on the stack
– Information disclosure vulnerability

Explanation
• %x.%x.%x.%x -- read 4 words from stack
• %n.%n.%n.%n -- write 4 numbers to RAM
locations from the stack

%n Format String
• %n writes the number of characters
printed so far
• To the memory location pointed to by the
parameter
• Can write to arbitrary RAM locations
• Easy DoS
• Possible remote code execution

printf Family
• Format string bugs affect a whole family
of functions

Defenses Against Format String
Vulnerabilities
• Stack defenses don't stop format string
exploits
– Canary value
• ASLR and NX
– Can make exploitation more difficult
• Static code analysis tools
– Generally find format string bugs
• gcc
– Warnings, but no format string defenses

Steps
• Control a parameter
• Find a target RAM location
– That will control execution
• Write 4 bytes to target RAM location
• Insert shellcode
• Find the shellcode in RAM
• Write shellcode address to target RAM
location

Control a Parameter
• Insert four letters before the %x fields
• Controls the fourth parameter
– Note: sometimes it's much further down the
list, such as parameter 300

Target RAM Options
• Saved return address
– Like the Buffer Overflows we did previously
• Global Offset Table
– Used to find shared library functions
• Destructors table (DTORS)
– Called when a program exits
• C Library Hooks

Target RAM Options
• "atexit" structure (link Ch 4n)
• Any function pointer
• In Windows, the default unhandled
exception handler is easy to find and
exploit

Disassemble in gdb
• First it calls printf
• With a format string vulnerability
• Then it calls puts

Targeting the GOT
• Pointer to puts
• Change pointer to hijack execution

Writing to Target RAM
• We now control the destination address,
but not the value written there

CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)

View the Stack in gdb
• Choose an address in the NOP sled

Testing for Bad Characters
• Started at 11 = 0x0b
• x20 is bad

Testing for Bad Characters
• Started at 33 = 0x21
• No more bad characters

Generate Shellcode
• msfvenom -p linux/x86/shell_bind_tcp
• -b 'x00x09x0ax20'
• PrependFork=true
• -f python

Keep Total Length of Injection Constant
• May not be necessary, but it's a good habit

Final Check
• Address in NOP
sled
• Shellcode
intact

Shell (in gdb)
• Wait for the port to close
• Test it outside gdb

This document discusses 64-bit assembly programming. It covers 64-bit registers used in 64-bit assembly like RIP and RSP. It also discusses limitations of 64-bit addressing in different versions of Windows and how the operating system separates memory used by the OS and user programs. Common opcodes, syscalls, and using sections like .data and .text are described. Examples shown include simple programs, reading and writing data, and encoding text using Caesar cipher and XOR encryption.

CNIT 127: Ch 8: Windows overflows (Part 2)Sam Bowne

CNIT 127: Ch 2: Stack Overflows in LinuxSam Bowne

The document discusses stack buffer overflows in Linux. It explains how functions use the stack, with arguments and return addresses pushed onto the stack. A stack buffer overflow occurs when a program writes past the end of a fixed-length buffer on the stack. This can overwrite the return address, allowing arbitrary code execution. The document demonstrates this by having a program read user input into a buffer without bounds checking. Entering more data than the buffer size crashes the program by overwriting the return address. This vulnerability can be exploited to gain control of a program's execution flow.

CNIT 127: 4: Format string bugsSam Bowne

127 Ch 2: Stack overflows on LinuxSam Bowne

This chapter discusses stack overflows in Linux. It explains buffers, the stack, functions and how the stack is used. It shows how a stack buffer overflow can be exploited by overwriting the return address on the stack to redirect program flow. The document demonstrates this by having a program read user input into a buffer without bounds checking, allowing input longer than the buffer to overwrite the return address and cause a crash. gdb is used to debug the program and examine the stack.

CNIT 127: Ch 18: Source Code AuditingSam Bowne

CNIT 127: Ch 8: Windows overflows (Part 1)Sam Bowne

CNIT 127: 3: ShellcodeSam Bowne

CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne

CNIT 127 14: Protection MechanismsSam Bowne

CNIT 127 Ch 3: ShellcodeSam Bowne

This document discusses shellcode and system calls. It provides an overview of protection rings, syscalls, assembler, and other topics needed to understand writing shellcode. It then demonstrates how to write simple shellcode that uses the exit syscall to terminate a program. More complex shellcode is discussed that uses fork and execve syscalls to spawn a shell process upon execution, allowing an attacker to gain an interactive shell. The key steps of writing shellcode are outlined.

CNIT 127 Lecture 7: Intro to 64-Bit AssemblerSam Bowne

This document discusses a lecture on 64-bit assembler. It covers 64-bit registers like RIP and RSP, Windows limitations on addressing over 48 bits, how operating systems separate user and system areas, using syscall to replace INT 80 for system calls, common opcodes, and examples of simple 64-bit assembly programs using read, write, and caesar cipher encryption. It also provides resources for learning more about x64 assembly programming.

CNIT 127 Ch 5: Introduction to heap overflowsSam Bowne

CNIT 126 5: IDA ProSam Bowne

IDA Pro is a disassembler that has both graph and text viewing modes. It uses colors to represent different types of jumps in graph mode and allows navigation between functions, cross-references, imports, and other views. The program can recognize functions and arguments, graph cross-references and call flows, and allows renaming locations, adding comments, and other customizations to enhance the disassembly. Plug-ins can also extend IDA's capabilities.

CNIT 127 Ch 8: Windows overflows (Part 1)Sam Bowne

This document discusses Windows stack-based buffer overflow exploitation techniques and defenses. It covers the Thread Environment Block (TEB) and Process Environment Block (PEB), which store thread and process-level data. Stack-based overflows are explained, including overwriting return addresses and structured exception handlers (SEH). Methods to defeat Address Space Layout Randomization (ASLR) are provided. Windows Server 2003 introduced protections, while Windows Server 2008 added further defenses like SEHOP and SAFESEH.

CNIT 127 Ch 3: ShellcodeSam Bowne

This document discusses shellcode and system calls. It provides an overview of protection rings, syscalls, assembler, and other topics related to writing shellcode. It then demonstrates how to write simple shellcode to call the exit syscall using nasm and ld. It discusses replacing instructions to remove null bytes. Finally, it introduces how to go beyond simple exit shellcode to spawn an interactive shell using the fork and execve system calls.

CNIT 127 Ch 4: Introduction to format string bugsSam Bowne

This document discusses format string vulnerabilities. It explains that format strings can be used to read arbitrary memory locations on the stack, allowing information disclosure. It also describes how uncontrolled format strings can be exploited to write to arbitrary memory addresses, enabling denial of service attacks or potentially remote code execution. The key steps of a format string exploit are outlined: controlling a write operation, finding a target memory location like the return address or GOT, writing shellcode to memory, and changing the target location to point to the shellcode.

CNIT 126 5: IDA Pro Sam Bowne

CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)Sam Bowne

CNIT 121: 10 Enterprise ServicesSam Bowne

More Related Content

What's hot (20)

CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)Sam Bowne

CNIT 127: Ch 8: Windows overflows (Part 2)Sam Bowne

CNIT 127: Ch 2: Stack Overflows in LinuxSam Bowne

CNIT 127: 4: Format string bugsSam Bowne

127 Ch 2: Stack overflows on LinuxSam Bowne

CNIT 127: Ch 18: Source Code AuditingSam Bowne

CNIT 127: Ch 8: Windows overflows (Part 1)Sam Bowne

CNIT 127: 3: ShellcodeSam Bowne

CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne

CNIT 127 14: Protection MechanismsSam Bowne

CNIT 127 Ch 3: ShellcodeSam Bowne

CNIT 127 Lecture 7: Intro to 64-Bit AssemblerSam Bowne

CNIT 127 Ch 5: Introduction to heap overflowsSam Bowne

CNIT 126 5: IDA ProSam Bowne

CNIT 127 Ch 8: Windows overflows (Part 1)Sam Bowne

CNIT 127 Ch 3: ShellcodeSam Bowne

CNIT 127 Ch 4: Introduction to format string bugsSam Bowne

CNIT 126 5: IDA Pro Sam Bowne

CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)Sam Bowne

CNIT 127: Ch 8: Windows overflows (Part 2)Sam Bowne

CNIT 127: Ch 2: Stack Overflows in LinuxSam Bowne

CNIT 127: 4: Format string bugsSam Bowne

127 Ch 2: Stack overflows on LinuxSam Bowne

CNIT 127: Ch 18: Source Code AuditingSam Bowne

CNIT 127: Ch 8: Windows overflows (Part 1)Sam Bowne

CNIT 127: 3: ShellcodeSam Bowne

CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne

CNIT 127 14: Protection MechanismsSam Bowne

CNIT 127 Ch 3: ShellcodeSam Bowne

CNIT 127 Lecture 7: Intro to 64-Bit AssemblerSam Bowne

CNIT 127 Ch 5: Introduction to heap overflowsSam Bowne

CNIT 126 5: IDA ProSam Bowne

CNIT 127 Ch 8: Windows overflows (Part 1)Sam Bowne

CNIT 127 Ch 3: ShellcodeSam Bowne

CNIT 127 Ch 4: Introduction to format string bugsSam Bowne

CNIT 126 5: IDA Pro Sam Bowne

Viewers also liked (20)

CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)Sam Bowne

CNIT 121: 10 Enterprise ServicesSam Bowne

CNIT 127 Ch 6: The Wild World of WindowsSam Bowne

Practical Malware Analysis Ch13Sam Bowne

Practical Malware Analysis: Ch 9: OllyDbgSam Bowne

This document provides an overview of using the OllyDbg debugger to analyze malware. It discusses OllyDbg's history and interface, how to load and debug malware using OllyDbg, setting breakpoints, tracing code execution, patching code, and analyzing shellcode. The key points are that OllyDbg is an effective tool for debugging malware, it allows setting different breakpoint types, tracing helps record execution, and shellcode can be directly analyzed by pasting it into OllyDbg memory.

CNIT 121: 8 Forensic DuplicationSam Bowne

This document discusses various types of forensic duplication including simple duplication that copies selected data versus forensic duplication that retains every bit on the source drive including deleted files. It covers requirements for forensic duplication including the need to act as admissible evidence. It describes different forensic image formats including complete disk, partition, and logical images and details scenarios for each type. Key aspects of forensic duplication covered include recovering deleted files, non-standard data types, ensuring image integrity with hashes, and traditional duplication methods like using hardware write blockers or live DVDs.

CNIT 123 Ch 1: Ethical Hacking OverviewSam Bowne

Ch 2: TCP/IP Concepts ReviewSam Bowne

This document provides an overview of TCP/IP concepts and networking fundamentals. It describes the four layers of the TCP/IP protocol stack - application, transport, internet and network. It explains key TCP and UDP concepts like ports, flags, and segments. It also covers IP addressing fundamentals like classes, subnetting, and planning address assignments. Binary, hexadecimal and base64 numbering systems are defined.

Ch 6: EnumerationSam Bowne

Ch 12: CryptographySam Bowne

This document summarizes cryptography concepts including symmetric and asymmetric encryption algorithms, hashing algorithms, and attacks on cryptosystems. Symmetric algorithms like AES and Blowfish use a single key for encryption and decryption while asymmetric algorithms like RSA and ECC use public/private key pairs. Hashing algorithms like SHA-1 produce a digest to ensure message integrity. Cryptanalysis studies breaking encryption while brute force involves testing all possible keys.

Ch 11: Hacking Wireless NetworksSam Bowne

Ch 13: Network Protection SystemsSam Bowne

Ch 10: Hacking Web ServersSam Bowne

Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Sam Bowne

This document discusses using virtual machines for safe dynamic malware analysis. It recommends using a virtual machine to run malware in a protected environment isolated from the host system. Specific virtualization software discussed includes VMware Player, Workstation and Fusion along with VirtualBox and Hyper-V. The document outlines techniques for configuring networking and taking snapshots in virtual machines for malware analysis. It also introduces tools for dynamic analysis within virtual machines like Process Monitor, Process Explorer, Regshot, INetSim and Wireshark that can monitor the behavior and network activity of malware samples.

Ch 5: Port ScanningSam Bowne

CNIT 128 5: Mobile malwareSam Bowne

CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne

This document discusses embedded operating systems and their vulnerabilities. It begins with an introduction to embedded OSs, what they are, and where they are used. It then describes several specific embedded OSs like Windows CE, VxWorks, and various Linux-based systems. It outlines some common vulnerabilities of embedded OSs like being unpatchable and having shared code with more widely used systems. Examples are given of attacks on embedded systems controlling infrastructure. The document concludes with best practices for securing embedded OSs like inventorying all systems, least privileges, encryption, and keeping systems up to date.

CNIT 123: Ch 13: Network Protection SystemsSam Bowne

Routers, firewalls, intrusion detection systems, honeypots, and other security devices can be used to protect networks. Routers direct network traffic using routing protocols and access lists. Firewalls control access to internal networks using packet filtering, stateful inspection, and application inspection. Intrusion detection systems monitor network traffic for suspicious activity and generate alerts. Honeypots are decoy systems used to attract and study hackers without exposing real systems to risk. These security devices provide layered defenses to enhance network protection.

Exploit Frameworksphanleson

This lab document describes using the Metasploit framework to perform exploits against Windows systems. It consists of six sections: installing Metasploit, adding a remote user to Windows XP, gaining remote command shell access to Windows XP, using DLL injection to open a remote VNC connection, remotely installing a rootkit on Windows, and setting up the Metasploit web interface. The document provides background on exploit frameworks and payloads, and guides students through exercises to complete each section.

CNIT 140: Flashing FirmwareSam Bowne

CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)Sam Bowne

CNIT 121: 10 Enterprise ServicesSam Bowne

CNIT 127 Ch 6: The Wild World of WindowsSam Bowne

Practical Malware Analysis Ch13Sam Bowne

Practical Malware Analysis: Ch 9: OllyDbgSam Bowne

CNIT 121: 8 Forensic DuplicationSam Bowne

CNIT 123 Ch 1: Ethical Hacking OverviewSam Bowne

Ch 2: TCP/IP Concepts ReviewSam Bowne

Ch 6: EnumerationSam Bowne

Ch 12: CryptographySam Bowne

Ch 11: Hacking Wireless NetworksSam Bowne

Ch 13: Network Protection SystemsSam Bowne

Ch 10: Hacking Web ServersSam Bowne

Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Sam Bowne

Ch 5: Port ScanningSam Bowne

CNIT 128 5: Mobile malwareSam Bowne

CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne

CNIT 123: Ch 13: Network Protection SystemsSam Bowne

Exploit Frameworksphanleson

CNIT 140: Flashing FirmwareSam Bowne

Similar to CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17) (20)

CNIT 127 Ch 4: Introduction to format string bugsSam Bowne

2.Format Stringsphanleson

This document discusses format string vulnerabilities in programming. It begins by explaining what a format string is in C and how it can be exploited if the format string is controlled by an attacker. It then provides examples of format string vulnerabilities, how to define them, and their importance. The document analyzes a specific vulnerability in the cfingerd 1.4.3 program and discusses how to prevent format string vulnerabilities through safe programming practices.

Format stringVu Review

This document discusses format string vulnerabilities in C programs. It explains that if a program passes user input directly to a printf statement, an attacker can craft the input as a format string to control how the printf function operates. This allows viewing memory, crashing programs, and writing arbitrary values to memory by abusing how printf interprets format specifiers like %s, %x and %n. Countermeasures include compiler checks on format string usage and address space randomization.

Format String AttackMayur Mallya

The document discusses format string attacks, which exploit vulnerabilities in C functions that use unchecked user input as the format string parameter. A malicious user can use special format string tokens like %s and %x to print data from the call stack or write to arbitrary memory locations using %n. This allows attackers to execute arbitrary code, read sensitive data, or crash applications. The document provides examples of how format strings work and how buffer overflows can be caused when more data is written than the buffer can hold, overwriting adjacent memory.

C format string vulnerabilitysluge

This document discusses format string vulnerabilities in C and C++ programs. It begins with an overview of format string vulnerabilities, including how they allow attackers to perform unauthorized reads and writes of memory. It then covers various types of format string attacks and examples of exploits. The document concludes with recommendations for mitigations, such as using format specifiers consistently, compiler flags to validate formats, and techniques like address space layout randomization.

Exploitation Crash CourseUTD Computer Security Group

This document provides an introduction to software exploitation on Linux 32-bit systems. It covers common exploitation techniques like buffer overflows, format strings, and ret2libc attacks. It discusses the Linux memory layout and stack structure. It explains buffer overflows on the stack and heap, and how to leverage them to alter control flow and execute arbitrary code. It also covers the format string vulnerability and how to leak information or write to arbitrary memory locations. Tools mentioned include GDB, exploit-exercises, and Python. Overall it serves as a crash course on the basic techniques and concepts for Linux exploitation.

[MOSUT] Format String AttacksAj MaChInE

This document discusses format string attacks and how they can be exploited. It provides an example (fsa.c) of a program with a format string vulnerability. By compiling the program without protections and disabling ASLR, an attacker can view the program stack using different format strings. This allows viewing memory at any location and overwriting arbitrary memory by exploiting the %n field. So a format string vulnerability can be used to overwrite return addresses and execute shellcode.

Format string vunerabilitynuc13us

The document discusses format string vulnerabilities, which occur when user-supplied input containing format specifiers is used without validation in functions like printf(). Format strings allow viewing process memory, crashing programs, or overwriting memory locations like the instruction pointer. While buffer overflows have thousands of exploits, format string vulnerabilities are less common but easier to find due to programmer mistakes. Exploiting format strings can lead to privilege escalation, crashes, or arbitrary code execution. Examples of past vulnerabilities are discussed.

Buffer overflow tutorialhughpearse

This document provides instructions for conducting a buffer overflow attack on a vulnerable C program to alter its execution flow. It explains how functions are called and stored on the stack, and how overflowing a buffer can overwrite the return address to point to attacker-chosen code. The document demonstrates compiling a sample program, running it under a debugger to find addresses, and using a Python script to send an overly long input exploiting the buffer overflow to execute a secret function.

E-Commerce Security - Application attacks - Server Attacksphanleson

Format String ExploitationUTD Computer Security Group

The document discusses format string vulnerabilities and how they can be exploited to leak information from memory or write arbitrary values to memory by manipulating printf formatting strings. It provides an example of a simple vulnerable C program and how it can be exploited to leak variable values or overwrite values by precisely controlling the number of formatting characters printed. It then discusses how this technique can be used to exploit the Echoserver program by overwriting return addresses or loading shellcode into non-stack memory locations.

Fuzzing - Part 1UTD Computer Security Group

Control hijackingPrachi Gulihar

This document discusses control hijacking attacks that aim to take control of a victim's machine by exploiting vulnerabilities in programs. It covers different types of attacks like buffer overflow attacks, integer overflow attacks, and format string vulnerabilities. These attacks work by injecting attack code or parameters to abuse vulnerabilities and modify memory to redirect the control flow. The document also discusses defenses like choosing programming languages with strong typing and automatic checks, auditing software, and adding runtime checks using techniques like stack canaries to detect exploits and prevent code execution.

Shellcode injectionDhaval Kapil

Software to the slaughterQuinn Wilton

Software SecurityRoman Oliynykov

This document provides an outline for a lecture on software security. It introduces the lecturer, Roman Oliynykov, and covers various topics related to software vulnerabilities like buffer overflows, heap overflows, integer overflows, and format string vulnerabilities. It provides examples of vulnerable code and exploits, and recommendations for writing more secure code to avoid these vulnerabilities.

Heap Base ExploitationUTD Computer Security Group

AllBits presentation - Lower Level SW SecurityAllBits BVBA (freelancer)

When good code goes badSensePost

$printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);$ $printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);$

printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);Joel Porquet

Guest-lecture given at UC Davis during my interview day in May of 2018. Description: Using the printf() function is one of the very first steps every beginner learns when taking a programming class. It is also one of the most ubiquitous functions in software programs, across the many languages that define it. But how many programmers actually know how this common function works behind the scenes? During this lecture, I will trace a brief history of printf(), delve into the nuts of bolts of a simple implementation through interactive coding, and branch out into interesting facts related to this function.

CNIT 127 Ch 4: Introduction to format string bugsSam Bowne

2.Format Stringsphanleson

Format stringVu Review

Format String AttackMayur Mallya

C format string vulnerabilitysluge

Exploitation Crash CourseUTD Computer Security Group

[MOSUT] Format String AttacksAj MaChInE

Format string vunerabilitynuc13us

Buffer overflow tutorialhughpearse

E-Commerce Security - Application attacks - Server Attacksphanleson

Format String ExploitationUTD Computer Security Group

Fuzzing - Part 1UTD Computer Security Group

Control hijackingPrachi Gulihar

Shellcode injectionDhaval Kapil

Software to the slaughterQuinn Wilton

Software SecurityRoman Oliynykov

Heap Base ExploitationUTD Computer Security Group

AllBits presentation - Lower Level SW SecurityAllBits BVBA (freelancer)

When good code goes badSensePost

$printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);$ $printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);$

printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);Joel Porquet

More from Sam Bowne (20)

Introduction to the Class & CISSP CertificationSam Bowne

CyberwarSam Bowne

The document discusses various topics related to cyberwar including Mastodon, Lockheed-Martin's kill chain model, and Mitre's ATT&CK framework. It notes that China, Russia, Iran, and North Korea pose major cyber threats according to the FBI and CISA. China is described as the broadest cyber espionage threat. Russia conducts destructive malware and ransomware operations. Iran's growing cyber expertise makes it a threat. North Korea's program poses an espionage, cybercrime, and attack threat and continues cryptocurrency heists.

3: DNS vulnerabilities Sam Bowne

- DNS vulnerabilities can arise from configuration errors, architecture mistakes, vulnerable software implementations, protocol weaknesses, and failure to use security extensions. - Common mistakes include single points of failure, exposure of internal information, leakage of internal queries, unnecessary recursiveness, failure to restrict access, and unprotected zone transfers. - Software vulnerabilities have included buffer overflows and flaws in randomization of source ports, transaction IDs, and domain name ordering that enable cache poisoning and man-in-the-middle attacks.

8. Software Development SecuritySam Bowne

This chapter discusses software development security. It covers topics like programming concepts, compilers and interpreters, procedural vs object-oriented languages, application development methods like waterfall vs agile models, databases, object-oriented design, assessing software vulnerabilities, and artificial intelligence techniques. The key aspects are securing the entire software development lifecycle from initial planning through operation and disposal, using secure coding practices, testing for vulnerabilities, and continually improving processes.

4 Mapping the ApplicationSam Bowne

3. Attacking iOS Applications (Part 2)Sam Bowne

This document discusses attacking iOS applications by exploiting vulnerabilities in the iOS runtime, interprocess communication, and through injection attacks. Specifically, it covers instrumenting the iOS runtime using method swizzling, attacking applications using interprocess communication techniques like application extensions, and exploiting entry points like UIWebViews, client-side data stores, and file handling routines to perform injection attacks on iOS apps.

12 Elliptic CurvesSam Bowne

This document provides an overview of elliptic curve cryptography including what an elliptic curve is, the elliptic curve discrete logarithm problem (ECDLP), Diffie-Hellman key agreement and digital signatures using elliptic curves. It discusses NIST standard curves like P-256 and Curve25519 as well as choosing appropriate curves and potential issues like attacks if randomness is not properly implemented or an invalid curve is used.

11. Diffie-HellmanSam Bowne

2a Analyzing iOS Apps Part 1Sam Bowne

9 Writing Secure Android ApplicationsSam Bowne

This document discusses various techniques for writing secure Android apps, including minimizing unnecessary permissions and exposure, securing data storage and communication, and making apps difficult to reverse engineer. It provides examples of implementing essential security mechanisms like permission protection and securing activities, content providers, and web views. It also covers more advanced techniques such as protection level downgrades, obfuscation, and tamper detection.

12 Investigating Windows Systems (Part 2 of 3)Sam Bowne

The document discusses investigating Windows systems by analyzing the Windows Registry. It describes the purpose and structure of the Registry, including the main hive files and user-specific hives. It provides an overview of important Registry keys that can contain forensic artifacts, such as system configuration keys, network information keys, user and security information keys, and auto-run keys that can indicate malware persistence. Specific Registry keys and values are highlighted that are most useful for analyzing evidence on a compromised system, including ShellBags, UserAssist, MRU lists, and Internet Explorer TypedURLs and TypedPaths. Tools for Registry analysis like RegRipper, AutoRuns, and Nirsoft utilities are also mentioned.

10 RSASam Bowne

This document provides an overview of the RSA cryptosystem. It begins with the mathematical foundations of RSA, including the group ZN* and Euler's totient function. It then covers the RSA trapdoor permutation using modular exponentiation and key generation. The document discusses encrypting and signing with RSA, as well as implementations using libraries and algorithms like square-and-multiply. It concludes with topics like side-channel attacks, optimizations for speed, and ways implementations can fail like the Bellcore attack on RSA-CRT.

12 Investigating Windows Systems (Part 1 of 3Sam Bowne

This document provides an overview of analyzing the Windows file system, NTFS metadata, and logs to investigate security incidents and recover deleted files. It discusses the Master File Table (MFT) structure, timestamps, alternate data streams, prefetch files, event logs, and scheduled tasks. The MFT stores file metadata including attributes, timestamps, and data runs. File deletion only marks the MFT entry inactive, allowing recovery of deleted file contents and metadata. Event and security logs can reveal lateral movement and suspicious processes. Prefetch files indicate program execution history. Scheduled tasks configure automated programs through .job files logged by Task Scheduler.

9. Hard ProblemsSam Bowne

This document discusses computational hardness and complexity classes related to cryptography. It covers the computational complexity of problems like factoring large numbers and the discrete logarithm problem. These problems are assumed to be hard, even for quantum computers, and form the basis for cryptographic techniques. The document also discusses how cryptography could be broken if faster algorithms were found for these problems or if the key sizes used were too small.

8 Android Implementation Issues (Part 1)Sam Bowne

This document discusses exploiting vulnerabilities in Android devices. It covers identifying pre-installed apps that could provide access, techniques for remotely or locally exploiting devices, and the different privilege levels an attacker may obtain including non-system app access, installed package access, ADB shell access, system user access, and root user access. Specific exploitation techniques mentioned include exploiting update mechanisms, remote code loading, webviews, listening services, and messaging apps. Tools discussed include Drozer, Ettercap, and Burp.

11 Analysis MethodologySam Bowne

This document provides an overview of the incident response analysis methodology process. It discusses defining objectives, understanding the situation and available resources, identifying leadership, avoiding impossible tasks like proving a negative, asking why to define scope, knowing where data is stored, accessing raw data, selecting analysis methods like searching for malware or using tools like VirusTotal, manual review, filtering data, statistical analysis using tools like Sawmill, string searching, analyzing unallocated space, and file carving. It stresses periodically evaluating results to ensure progress and only making definitive statements if supported by evidence.

8. Authenticated EncryptionSam Bowne

This document discusses authenticated encryption, which both encrypts messages and authenticates them with a tag. It covers several authenticated encryption schemes: 1. Authenticated Encryption with Associated Data (AEAD) which encrypts a plaintext and authenticates additional associated data with a tag. 2. AES-GCM, the standard authenticated cipher, which uses AES in Galois/Counter Mode. It has two layers - encryption then authentication. 3. OCB, faster than GCM but limited by licensing. It blends encryption and authentication into one layer. 4. SIV, considered the safest as it is secure even if nonces are reused, but it is not streamable.

7. Attacking Android Applications (Part 2)Sam Bowne

This document summarizes part 2 of a course on attacking Android applications. It discusses how application components like activities and services can be exploited if not properly protected. Specific vulnerabilities in the Sieve password manager application are demonstrated, including insecure content providers, SQL injection, and an insecure file-backed content provider. The document also covers how services and broadcast receivers can be abused if not protected correctly.

7. Attacking Android Applications (Part 1)Sam Bowne

This document discusses attacking Android applications through their components. It covers exploiting vulnerabilities in an app's security model, intercepting communications, and compromising application containers or internet servers that apps rely on. Specific attacks examined include bypassing the lock screen, tapjacking, accessing private app data through recently used screenshots, and changing a PIN without knowing the old one using fragment injection. The document provides examples of how to interact with an app's activities, services, content providers and permissions through intents and other techniques.

5. Stream CiphersSam Bowne

The document discusses stream ciphers and how they can be implemented in either hardware or software. It describes how stream ciphers work by generating a pseudorandom bitstream from a key and nonce that is XOR'd with the plaintext. Hardware-oriented stream ciphers were initially more efficient to implement than block ciphers using dedicated circuits like LFSRs. However, LFSR-based designs are insecure and modern software-oriented stream ciphers like Salsa20 are more efficient on CPUs. The document cautions that stream ciphers can be broken if the key and nonce are reused or if there are flaws in the implementation.

Introduction to the Class & CISSP CertificationSam Bowne

CyberwarSam Bowne

3: DNS vulnerabilities Sam Bowne

8. Software Development SecuritySam Bowne

4 Mapping the ApplicationSam Bowne

3. Attacking iOS Applications (Part 2)Sam Bowne

12 Elliptic CurvesSam Bowne

11. Diffie-HellmanSam Bowne

2a Analyzing iOS Apps Part 1Sam Bowne

9 Writing Secure Android ApplicationsSam Bowne

12 Investigating Windows Systems (Part 2 of 3)Sam Bowne

10 RSASam Bowne

12 Investigating Windows Systems (Part 1 of 3Sam Bowne

9. Hard ProblemsSam Bowne

8 Android Implementation Issues (Part 1)Sam Bowne

11 Analysis MethodologySam Bowne

8. Authenticated EncryptionSam Bowne

7. Attacking Android Applications (Part 2)Sam Bowne

7. Attacking Android Applications (Part 1)Sam Bowne

5. Stream CiphersSam Bowne

Recently uploaded (20)

How to Configure Subcontracting in Odoo 18 ManufacturingCeline George

Unit 4 Reverse Engineering Tools Functionalities & Use-Cases.pdfChatanBawankar

How to Manage Allow Ship Later for Sold Product in odoo Point of SaleCeline George

TechSoup Introduction to Generative AI and Copilot - 2025.05.22.pdfTechSoup

he Grant Preparation Playbook: Building a System for Grant SuccessTechSoup

Learn what it takes to successfully prepare for grants, apply with confidence, and build a sustainable funding system. This workshop offers a structured approach to grant readiness by covering essential document collection, aligning programs with funder's priorities, and leveraging in-kind contributions to strengthen your budget. You'll also get a step-by-step framework to keep your grant efforts on track year-round, plus insights from nonprofits that have navigated this process successfully.

TechSoup - Microsoft Discontinuation of Selected Cloud Donated Offers 2025.05...TechSoup

Education Funding Equity in North Carolina: Looking Beyond IncomeEducationNC

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxsiemaillard

Taxonomy and Systematics: Classification and Diversity of Insects.pptxArshad Shaikh

Classification and Taxonomy of Insects: Insect classification and taxonomy involve grouping insects based on their shared characteristics and evolutionary relationships. Insects are classified into a hierarchical system, including Kingdom (Animalia), Phylum (Arthropoda), Class (Insecta), Order, Family, Genus, and Species. Taxonomists use morphological, molecular, and behavioral traits to identify and categorize insects, enabling researchers to understand their diversity, evolution, and ecological roles. Accurate classification is essential for pest management, conservation, and understanding ecosystem dynamics.

Unit 1 Tools Beneficial for Monitoring the Debugging Process.pdfChatanBawankar

How to Configure Credit Card in Odoo 18 AccountingCeline George

Low Vison introduction from Aligarh Muslim UniversityAligarh Muslim University, Aligarh, Uttar Pradesh, India

EDI as Scientific Problem, Professor Nira Chamberlain OBEAssociation for Project Management

APM Event hosted by the South Wales and West of England Network on 20 May 2025 Speaker: Professor Nira Chamberlain OBE At the heart of Project Management lies its people. Project success is driven by effective decision-making drawing on the diverse strengths of the whole team. “Ensuring project management continues to work on improving its levels of diversity and inclusion is key to ensuring that it reflects wider society, bringing in new talent from all backgrounds to develop a stronger profession with a broad range of voices.” APM Salary and Market Trends Survey 2023 Chapter 3. In this talk, held on 20 May 2025, Professor Nira Chamberlain showed the insight gained from treating Equality, Diversity & Inclusion as a pure scientific problem and its relevance to project management. What is Diversity? What is Inclusion? What is Equality? What are the differences between these three terms? Do we measure Equality, Diversity & Inclusion (EDI) the same or should we measure them differently? What impact and relevance will this on the project management community? In 2021, an All-Party Parliamentary Group (APPG) investigating Diversity in STEM concluded that the way we measure EDI does not reflect the lived experience of underrepresented groups. In 2024 the APPG started a formal investigation into the issue. This may impact the way APM and other organisations measure EDI moving forward. https://www.apm.org.uk/news/project-management-teams-the-science-of-equality-diversity-and-inclusion/

NA FASE REGIONAL DO TL – 1.º CICLO. .Colégio Santa Teresinha

How to create and manage blogs in odoo 18Celine George

Geographical-Diversity-of-India.pptx/7th class /new ncert /samyans academySandeep Swamy

Decision Tree-ID3,C4.5,CART,Regression TreeGlobal Academy of Technology

0b - THE ROMANTIC ERA: FEELINGS AND IDENTITY.pptxJulián Jesús Pérez Fernández

Flower Identification Class-10 by Kushal Lamichhane.pdfkushallamichhame

Philosophical Basis of Curriculum DesigningAnkit Choudhary

The philosophical basis of curriculum refers to the foundational beliefs and values that shape the goals, content, structure, and methods of education. Major educational philosophies—idealism, realism, pragmatism, and existentialism—guide how knowledge is selected, organized, and delivered to learners. In the digital age, understanding these philosophies helps educators and content creators design curriculum materials that are purposeful, learner-centred, and adaptable for online environments. By aligning educational content with philosophical principles and presenting it through interactive and multimedia formats.