CS计算机代考程序代写 SQL chain algorithm Processes, vulnerabilities, and authentication

Processes, vulnerabilities, and authentication

UNIX process hierarchy

pstree -p | less -S

pstree -pu jedi

lsof -p 31009
Hardware

Kernel

Process 1 Process 2 Process 3

System calls

Interprocess Communication

● Sockets
– Datagram or stream

● Pipes
– Named or unnamed

● Other ways for processes to communicate
– Command line arguments, shared memory, file I/O,

etc.

What is a vulnerability?

● Management information stored in-band with
regular information?

● Programming the weird machine?
● A failure to properly sanitize inputs?

Can be local or remote, sometimes
something else

● Send malicious input over a network socket to
take control of a remote machine

● Give malicious input to a privileged local
process to get escalated privileges for yourself

● Confuse the logic of an accounting mechanism
● Break the separation between web sites in a

browser to get access to someone’s bank
credentials

Plagiarized from
https://sites.psu.edu/thedeepweb/2015/09/1
7/captain-crunch-and-his-toy-whistle/

Other examples of logic bugs or
more general vulnerabilities?

● Werewolves had a couple
● Amazon shopping cart (there was an IEEE

Symposium on Security and Privacy paper
about this, but I can’t find it)

● Pouring salt water or putting tabs from
construction sites in Coke machines

● Getting a code out of a locked locker
● Other examples you guys know of?

SQL command injection

SELECT * where username = ‘$u’ and password = ‘$p’

$u = crandall
$p = abc123

SELECT * where username = ‘crandall’ and password =
‘abc123’

SQL command injection

SELECT * where username = ‘$u’ and password = ‘$p’

$u = bla’ or ‘1’ = ‘1’ —
$p = idontknow

SELECT * where username = ‘bla’ or ‘1’ = ‘1’ –‘ and
password = ‘idontknow’

SQL command injection

SELECT * where username = ‘$u’ and password = ‘$p’

$u = bla’ or ‘1’ = ‘1’ —
$p = idontknow

SELECT * where username = ‘bla’ or ‘1’ = ‘1’ –‘ and
password = ‘idontknow’

Wassermann and Su, POPL 2006

Cross-site Scripting (XSS)

Send a message in the WebCT platform:

Hi Professor Crandall, I had a question about the
homework. When is it due? p.s.

Werewolves command injection

system(“echo $s > /path/to/pipe“)

$s = hi; chmod 777 ~/server.py

echo hi; chmod 777 ~/server.py >
/path/to/pipe

Buffer overflows

https://en.wikipedia.org/wiki/Stack_buffer_overflow

Format string vulnerabilities

scanf(“%s”, string)
printf(string)

%500x%500x%12x\xbf\xff\xff\x2c%n

Memory corruption

● Buffer overflows on the stack and heap, format
strings, double free()’s, etc.

● Easily the most well-studied vulnerability/exploit
type

● Goal is often to execute code in memory
● See Shacham’s ACM CCS 2007 paper for Return

Oriented Programming
– Even with just existing code in memory, you can build a

Turing-complete machine

https://hstar.me/2019/06/first-rop/

Race conditions

● Often called Time-of-Check-to-Time-of-Use
(TOCTTOU)

if (!access(“/home/jedi/s”, W_OK))
{
F = open(“/home/jedi/s”, O_WRITE);
… /* Write to the file */
}
else
{
perror(“You don’t have permission to write to that file!”)
}

Werewolves race condition

touch moderatoronlylogfile.txt
chmod og-rw moderatoronlylogfile.txt

Authentication in general

● Bishop: “Authentication is the binding of an
identity to a principal. Network-based
authentication mechanisms require a principal
to authenticate to a single system, either local
or remote. The authentication is then
propagated.”

Authentication in general
(continued)

● Bishop: “Authentication consists of an entity, the
user, trying to convince a different entity, the
verifier, of the user’s identity. The user does so
by claiming to know some information, to
possess something, to have some particular set
of physical characteristics, or to be in a specific
location.”

● Informally: something you know, something you
have, something you are

2FA = 2-Factor Authentication

● Two of these:
– Something you know
– Something you have
– Something you are

● E.g., bank card plus PIN
● For Internet services, typically the first two
● Helps protect against phishing, for example

Basic Linux authentication

● Ties you (the identity) to your user ID (the
principal), which is in turn tied to subjects (e.g.,
processes) and objects (e.g., files)

● Based on hashing
– Also salting
– Also shadowed password hashes

SHA-512

password

/etc/passwd

/etc/shadow

Salt

Compare

hash

hash

username

Match? Yes or no.

Passwords

● Should be high entropy, algorithmic complexity
● Should be easy to remember

These requirements are in
conflict with each other!

Password managers help.

Plagiarized from https://i.imgsafe.org/2bf87cbfe2.png

Time-memory tradeoff

● Rainbow tables can store lots of hash results
compactly (precomputation)

● Just check if a user’s hash might be in a hash
chain, only recalculate it if so

● As a fall-back, just try every possible password
(brute force)

Salting helps against
precomputation.

Good passwords, system-imposed
delays, shadowing help against

brute force.

Shadowing the password file

Phishing

Image plagiarized from https://citizenlab.org/wp-
content/uploads/2017/02/Ponytail-Figure-1.png

Phishing

● Wide range of sophistication in terms of the
social engineering aspect
– One end of the spectrum: “Plez logg in and changer

you password, maam!”
– Other end of the spectrum: “The attached PDF is

my notes from the meeting yesterday, it was nice to
see you again!” (from someone you saw at a
conference the day before)

2FA helps protect against phishing
(but state actors can easily spoof your
cell phone and get SMS messages)

File permissions

-rwxr-x—

● First is special designations (symlink, directory)
● Next triplet is user (u)
● Triplet after is group (g)
● Last triplet is others (o)
● r = read, w = write, x = execute
● Sometimes you’ll see other things, like s for Set

UID

Preview…

● Processes (subjects) act on files (objects)
● Processes are tied to principles (users)
● File permissions are checked when the file is

opened (and added to the file descriptor table of
the process), not with every access!

man …

● ls (ls -l is a useful flag), cd, pwd, chown, chgrp,
chmod, stat, id, w, who, last, kill, ps, pstree,
netstat, cat, less, sudo, watch, screen, fuser

Some more things to read up on

● FIFO pipes (can be unnamed or named)
● The /proc/ filesystem
● Character devices (e.g., PTY, PTS, TTY)

Resources

● http://www.cs.unm.edu/~crandall/linuxcommand
cheatsheet.txt

● Matt Bishop’s Computer Security: Art and
Practice, Chapter 12

● https://citizenlab.org/

http://www.cs.unm.edu/~crandall/linuxcommandcheatsheet.txt
http://www.cs.unm.edu/~crandall/linuxcommandcheatsheet.txt
https://citizenlab.org/

Slide 1
Slide 2
Slide 3
Slide 4
Slide 5
Slide 6
Slide 7
Slide 8
Slide 9
Slide 10
Slide 11
Slide 12
Slide 13
Slide 14
Slide 15
Slide 16
Slide 17
Slide 18
Slide 19
Slide 20
Slide 21
Slide 22
Slide 23
Slide 24
Slide 25
Slide 26
Slide 27
Slide 28
Slide 29
Slide 30
Slide 31
Slide 32
Slide 33
Slide 34
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Slide 42
Slide 43
Slide 44