Software Security Assignment: XSS, SQL Injection, and Exploitation
VerifiedAdded on 2021/04/17
|21
|4257
|181
Homework Assignment
AI Summary
This assignment solution delves into the realm of software security, dissecting various vulnerabilities and exploitation techniques. It begins by analyzing a C code fragment, identifying vulnerabilities related to buffer overflows and format string bugs, and detailing how an attacker could exploit these flaws. The solution explores the effectiveness of security measures like StackGuard and bounds checkers and proposes methods for fixing the identified weaknesses. The assignment then shifts to Cross-Site Scripting (XSS), explaining its mechanics, the information an attacker can steal using XSS, and mitigation strategies. Following this, it addresses SQL injection attacks, describing how they work, identifying potential input variables susceptible to such attacks, and outlining mitigation techniques. The solution also includes an analysis of Kevin Mitnick's attack on Tsutomu Shimomura's systems, breaking down the attack into its phases. The assignment concludes with a discussion of practical challenges in symbolically exploring a target program.
Running Header: SOFTWARE SECURITY
Name
Institution
Date
Name
Institution
Date
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
SOFTWARE SECURITY 2
Question 1
a. Give a thorough description of the program’s vulnerability.
Answer:
Vulnerabilities of the program given are correlated to strings and buffer overflows
manipulations. As a result, this leads to vulnerability by use of malicious crafted input
values adapted to the environment and the architecture, which can yield to arbitrary
program execution.
The program has the following common errors
sprintf – it is vulnerable to overflows since it does not check buffer boundaries
printf – this is usually concerned with string formatting attacks, which results to
information leakage, overwriting of memory …. Exploitation of this error snprintf
fprintf, sprintf and printf,
b. How would an attacker exploit the vulnerability? Hint: describe in detail what the
injection vector would look like (and what retaddr and retloc the attacker may use).
Use symbolic values and addresses when needed (no need to write down the
shellcode).
Answer:
ISNOTREE matches the 't_l' component of the TREE structure with -1. -1 is the special
indicator in the case of non-tree nodes.
This is the first condition that has to be met:
2. fake->t_l = -1;
Unlinking of FOR (t_n) and BAK (t_p) take place at this point and rewritten as:
t1 = fake->t_p
t2 = fake->t_n
Question 1
a. Give a thorough description of the program’s vulnerability.
Answer:
Vulnerabilities of the program given are correlated to strings and buffer overflows
manipulations. As a result, this leads to vulnerability by use of malicious crafted input
values adapted to the environment and the architecture, which can yield to arbitrary
program execution.
The program has the following common errors
sprintf – it is vulnerable to overflows since it does not check buffer boundaries
printf – this is usually concerned with string formatting attacks, which results to
information leakage, overwriting of memory …. Exploitation of this error snprintf
fprintf, sprintf and printf,
b. How would an attacker exploit the vulnerability? Hint: describe in detail what the
injection vector would look like (and what retaddr and retloc the attacker may use).
Use symbolic values and addresses when needed (no need to write down the
shellcode).
Answer:
ISNOTREE matches the 't_l' component of the TREE structure with -1. -1 is the special
indicator in the case of non-tree nodes.
This is the first condition that has to be met:
2. fake->t_l = -1;
Unlinking of FOR (t_n) and BAK (t_p) take place at this point and rewritten as:
t1 = fake->t_p
t2 = fake->t_n
SOFTWARE SECURITY 3
t2->t_p = t1
t1->t_n = t2
It happens concurrently and written in pseudo-raw-assignments:
[t_n + (1 * sizeof (WORD))] = t_p
[t_p + (4 * sizeof (WORD))] = t_n
In this manner, both the arbitrary addresses and valid address are written simultaneously.
For the program, this can be used:
t_p = retloc - 4 * sizeof (WORD)
t_n = retaddr
*(retaddr + 8) will be overwritten with retloc and retloc will be overwritten with retaddr.
The code at retaddr, will not execute this address, because of code will have a small jump
over the bytes 8-11. Hence, the addresses will be interchange if that ideally fits the
situation.
c. Would StackGuard or a bounds checker fix the vulnerability? Explain clearly the
reasons.
Answer:
No. Since there are four different tricks that can be used to bypass StackGaurd protection
and stackshield. These trick are
i. Function argument control: here local variables may not be protected and this
condition presents a state that the above C program can be exploited. Using this
method local pointers are utilized to overwrite binary memory
ii. An alternate frame pointer is returned – on the first return one can gain control
over the frame pointer and before the following frame pointer one can gain access
to stack pointer thus directing where the function will return.
iii. Greater control over local variables – at least overwriting a major byte from the
frame pointer with a null will shift it, at most, 255 bytes before the stack space.
t2->t_p = t1
t1->t_n = t2
It happens concurrently and written in pseudo-raw-assignments:
[t_n + (1 * sizeof (WORD))] = t_p
[t_p + (4 * sizeof (WORD))] = t_n
In this manner, both the arbitrary addresses and valid address are written simultaneously.
For the program, this can be used:
t_p = retloc - 4 * sizeof (WORD)
t_n = retaddr
*(retaddr + 8) will be overwritten with retloc and retloc will be overwritten with retaddr.
The code at retaddr, will not execute this address, because of code will have a small jump
over the bytes 8-11. Hence, the addresses will be interchange if that ideally fits the
situation.
c. Would StackGuard or a bounds checker fix the vulnerability? Explain clearly the
reasons.
Answer:
No. Since there are four different tricks that can be used to bypass StackGaurd protection
and stackshield. These trick are
i. Function argument control: here local variables may not be protected and this
condition presents a state that the above C program can be exploited. Using this
method local pointers are utilized to overwrite binary memory
ii. An alternate frame pointer is returned – on the first return one can gain control
over the frame pointer and before the following frame pointer one can gain access
to stack pointer thus directing where the function will return.
iii. Greater control over local variables – at least overwriting a major byte from the
frame pointer with a null will shift it, at most, 255 bytes before the stack space.
SOFTWARE SECURITY 4
Normally, this is exploited creating a new stack that have a new return address,
but that would be ignored or detected.
iv. Pointing caller’s frame to GOT - In a normal compiled C code, when not utilizing
-fomit-frame-pointer every local variables are retrieved relative to the frame
pointer. In this case, if the attacker has the full control over it he\she can decide
where in the memory local variables are placed, this is the trick is the one used in
the above trick, but attackers do something else.
d. How can the program be fixed?
Answer:
Part one
The program can be fixed using the following two methods
Vulnerability
sprintf(lbuf, "%s", "Welcome: ");
Solution
int length = snprintf (buf, BUFFER_SIZE, “%S”, “Welcome”, suffix);
if (length >= BUFFER_SIZE) {
Part two:
Vulnerability
printf(lbuf);
Solution
$ gcc -mpreferred-stack-boundary=2 FormatString.c -o FormatString
$ ./FormatString %s
Welcome!
Normally, this is exploited creating a new stack that have a new return address,
but that would be ignored or detected.
iv. Pointing caller’s frame to GOT - In a normal compiled C code, when not utilizing
-fomit-frame-pointer every local variables are retrieved relative to the frame
pointer. In this case, if the attacker has the full control over it he\she can decide
where in the memory local variables are placed, this is the trick is the one used in
the above trick, but attackers do something else.
d. How can the program be fixed?
Answer:
Part one
The program can be fixed using the following two methods
Vulnerability
sprintf(lbuf, "%s", "Welcome: ");
Solution
int length = snprintf (buf, BUFFER_SIZE, “%S”, “Welcome”, suffix);
if (length >= BUFFER_SIZE) {
Part two:
Vulnerability
printf(lbuf);
Solution
$ gcc -mpreferred-stack-boundary=2 FormatString.c -o FormatString
$ ./FormatString %s
Welcome!
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
SOFTWARE SECURITY 5
$
Question 2
a. Cross Site Scripting is often abbreviated as XSS.
i. Briefly describe how Cross Site Scripting (XSS) works
Answer:
XSS alludes to user’s side code injection attack wherein a hacker can execute
maliciously crafted variables into a legitimate web application or site. XSS is
among the most uncontrolled of web application vulnerabilities and happens
when a web application influences utilization of unencoded or invalidated
client to enter inside the outputs it creates. a hacker by using XSS does not
focus on the victim directly. Rather, the attacker would exploit vulnerability
on the web application or site that the victim will browse, utilizing the
vulnerable site as a vehicle to convey a malevolent content to the victim's
browser.
ii. State what information an attacker can steal using XSS and why is it
useful.
Answer:
There are three major information am attacker can steal:
Credential – a hacker will be able to steal login credentials by cloning the
login page of the web application so as to serve the victims.
Sensitive data – XSS can be used to infiltrate sensitive data such us card
number or personally identification number.
$
Question 2
a. Cross Site Scripting is often abbreviated as XSS.
i. Briefly describe how Cross Site Scripting (XSS) works
Answer:
XSS alludes to user’s side code injection attack wherein a hacker can execute
maliciously crafted variables into a legitimate web application or site. XSS is
among the most uncontrolled of web application vulnerabilities and happens
when a web application influences utilization of unencoded or invalidated
client to enter inside the outputs it creates. a hacker by using XSS does not
focus on the victim directly. Rather, the attacker would exploit vulnerability
on the web application or site that the victim will browse, utilizing the
vulnerable site as a vehicle to convey a malevolent content to the victim's
browser.
ii. State what information an attacker can steal using XSS and why is it
useful.
Answer:
There are three major information am attacker can steal:
Credential – a hacker will be able to steal login credentials by cloning the
login page of the web application so as to serve the victims.
Sensitive data – XSS can be used to infiltrate sensitive data such us card
number or personally identification number.
SOFTWARE SECURITY 6
iii. How can the effects of XSS be mitigated? Please outline limitations as
well, if any
Answer:
To limit the dangers linked with XSS, programmers ought to encode all fields
while showing them in the browser. Defense mechanism strategy, guarantee
that cookies properties, (like, HttpOnly) and security headers, particularly
CSP, are set as needs accordingly. Lastly, often penetration tests would help
distinguish such errors and enhance the security status of the web applications.
b. SQL Injection is a popular way of attacking applications that use SQL
databases.
i. Briefly describe how SQL Injection works.
Answer:
So as to run malevolent SQL queries against a database server, a hacker
should first find an input in the web application that is incorporated within a
SQL query. Hence, a SQL Injection penetration to occur, the vulnerability site
needs to specifically incorporate client input inside a SQL statement. A hacker
would then be able to embed a payload that will be incorporated as a
component of the SQL query and keep running against the database server.
ii. Apart from username and password input fields, which variables are
candidates for SQL Injection?
Answer:
Contacts
Reports
iii. How can the effects of XSS be mitigated? Please outline limitations as
well, if any
Answer:
To limit the dangers linked with XSS, programmers ought to encode all fields
while showing them in the browser. Defense mechanism strategy, guarantee
that cookies properties, (like, HttpOnly) and security headers, particularly
CSP, are set as needs accordingly. Lastly, often penetration tests would help
distinguish such errors and enhance the security status of the web applications.
b. SQL Injection is a popular way of attacking applications that use SQL
databases.
i. Briefly describe how SQL Injection works.
Answer:
So as to run malevolent SQL queries against a database server, a hacker
should first find an input in the web application that is incorporated within a
SQL query. Hence, a SQL Injection penetration to occur, the vulnerability site
needs to specifically incorporate client input inside a SQL statement. A hacker
would then be able to embed a payload that will be incorporated as a
component of the SQL query and keep running against the database server.
ii. Apart from username and password input fields, which variables are
candidates for SQL Injection?
Answer:
Contacts
Reports
SOFTWARE SECURITY 7
Confidential information
iii. What techniques can an application programmer use to mitigate the
effects of SQL injection attacks? Please outline limitations as well, if any.
Answer:
Try not to utilize dynamic SQL when it can be avoided: utilized prepared
statements, parameterized stored or queries techniques rather at whatever
point conceivable.
Patch and refresh: vulnerabilities in databases and applications that attackers
can exploit utilizing SQL injection are consistently found, so it's imperative to
apply updates and patches as soon as practical’s.
Firewall: web application firewall should be considered either application
software based – to assist filtering through malicious information. Great ones
will have a thorough arrangement of default guidelines, and make it simple to
include new ones at whatever point needed. A web application firewall can be
especially valuable to give some security protection against a specific new
vulnerability before a patch is accessible.
Lessen the attack surface: any database functionality that is not necessary to
keep a hacker exploiting it one should get rid of.
iv. Construct an URL and the corresponding SQL query that delete all
entries from the customers
Answer:
Confidential information
iii. What techniques can an application programmer use to mitigate the
effects of SQL injection attacks? Please outline limitations as well, if any.
Answer:
Try not to utilize dynamic SQL when it can be avoided: utilized prepared
statements, parameterized stored or queries techniques rather at whatever
point conceivable.
Patch and refresh: vulnerabilities in databases and applications that attackers
can exploit utilizing SQL injection are consistently found, so it's imperative to
apply updates and patches as soon as practical’s.
Firewall: web application firewall should be considered either application
software based – to assist filtering through malicious information. Great ones
will have a thorough arrangement of default guidelines, and make it simple to
include new ones at whatever point needed. A web application firewall can be
especially valuable to give some security protection against a specific new
vulnerability before a patch is accessible.
Lessen the attack surface: any database functionality that is not necessary to
keep a hacker exploiting it one should get rid of.
iv. Construct an URL and the corresponding SQL query that delete all
entries from the customers
Answer:
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
SOFTWARE SECURITY 8
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%20';
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%27';
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%3b';
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%3d';
Question three
a. Is it possible to successfully exploit this vulnerability? In other words, is it possible
to provide specific input to such a program to take advantage of its vulnerability
and thus execute arbitrary code (for instance, spawning a shell), on x86-32
architectures? If yes, explain how you would exploit it (high-level steps). If not,
explain why and what you would change in the code to make it exploitable.
Answer:
Yes. One can easily inject malicious code into memory of running application with the
vulnerability buffer overflow. The program is vulnerable since it reads the content from
badfile copy it to buffer. Thus the malicious program can be stored in binary form hence
the vulnerable program will duplicate the malicious code to the buffer
b. Assuming the above assembly snippet (shown in Question 3 (b)) will be placed on
the stack, what does the assembly code do? Add comments to each line and draw the
stack layout before and after the considered instruction is executed. Note: you
should clearly point out the direction the stack is growing towards.
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%20';
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%27';
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%3b';
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%3d';
Question three
a. Is it possible to successfully exploit this vulnerability? In other words, is it possible
to provide specific input to such a program to take advantage of its vulnerability
and thus execute arbitrary code (for instance, spawning a shell), on x86-32
architectures? If yes, explain how you would exploit it (high-level steps). If not,
explain why and what you would change in the code to make it exploitable.
Answer:
Yes. One can easily inject malicious code into memory of running application with the
vulnerability buffer overflow. The program is vulnerable since it reads the content from
badfile copy it to buffer. Thus the malicious program can be stored in binary form hence
the vulnerable program will duplicate the malicious code to the buffer
b. Assuming the above assembly snippet (shown in Question 3 (b)) will be placed on
the stack, what does the assembly code do? Add comments to each line and draw the
stack layout before and after the considered instruction is executed. Note: you
should clearly point out the direction the stack is growing towards.
SOFTWARE SECURITY 9
Answer:
1 int
2 main(void)
3 {
4
5 __asm__( /* perform jumps to the assembler C code and read and write C
variables*/
6 "jmp ahead\n"
7 "back:\n"
8 " popl %ebx\n" /* restore the caller base pointer*/
9 " movl %ebx, 0x8(%ebx)\n" /*
10 " movl $0x0, %eax\n"
11 " movb %al, 0x7(%ebx)\n"
12 " movl %eax, 0xc(%ebx)\n"
13 " movl %eax, %edx\n"
14 " movl $0xb, %eax\n"
15 " leal 0x8(%ebx), %ecx\n"
16 " int $0x80\n"
17 "ahead:\n"
18 " call back\n" /* transfers the control from caller to the subroutines*/
19 " .string \"/bin/sh\""
20 );
21 }.
Answer:
1 int
2 main(void)
3 {
4
5 __asm__( /* perform jumps to the assembler C code and read and write C
variables*/
6 "jmp ahead\n"
7 "back:\n"
8 " popl %ebx\n" /* restore the caller base pointer*/
9 " movl %ebx, 0x8(%ebx)\n" /*
10 " movl $0x0, %eax\n"
11 " movb %al, 0x7(%ebx)\n"
12 " movl %eax, 0xc(%ebx)\n"
13 " movl %eax, %edx\n"
14 " movl $0xb, %eax\n"
15 " leal 0x8(%ebx), %ecx\n"
16 " int $0x80\n"
17 "ahead:\n"
18 " call back\n" /* transfers the control from caller to the subroutines*/
19 " .string \"/bin/sh\""
20 );
21 }.
SOFTWARE SECURITY 10
Question 4
Describe in detail the attack that Kevin Mitnick launched against Tsutomu Shimomura’s
systems in San Diego on December 25th 1994. Please break down the answer by starting off
with a summary (worth 1 mark) of the attack, followed by the four phases we outlined in
the lectures (worth 6 marks each).
Answer:
Summary
As a hacker, Kevin Mitnick was an irritation. He broke into computers for 15 years, analyzed the
system, stole things, and after that broke into yet more telephone and computers. In this way, on
December 25, 1994, when he broke into detailed computer framework in his San Diego home
utilizing never seen before, complex hacking technique and afterward stole some fancy mobile
phone tools, Shimomura made it a personal challenge. The trail led Mitnick, Shimomura turned
into a cybersleuth, set to get Kevin. As Tsutomu Shimomura's closes the trap on Kelvin to face
justice it is an exclusive story of the last hours of Shimomura's quest for justice.
Detailed step of Kelvin Mitnick against Tsutomu Shimomura’s systems in San Diego
Information gathering: Prior to the hacking, Mitnick was in a position to determine the TCP
sequence number generator's characteristic of X-Terminal and a relationship in the connection
between Server and X-Terminal. Kelvin sent SYN request to X-Terminal and got ACK /SYN
reaction. Afterward, he sent RESET response to maintain the X-Terminal from being topped off.
For twenty times, he repeated the same. He discovered there was a pattern between two
consecutive TCP sequence numbers. He found that the numbers were not arbitrary by any means.
The last number was greater than the previous one by 128000.
Question 4
Describe in detail the attack that Kevin Mitnick launched against Tsutomu Shimomura’s
systems in San Diego on December 25th 1994. Please break down the answer by starting off
with a summary (worth 1 mark) of the attack, followed by the four phases we outlined in
the lectures (worth 6 marks each).
Answer:
Summary
As a hacker, Kevin Mitnick was an irritation. He broke into computers for 15 years, analyzed the
system, stole things, and after that broke into yet more telephone and computers. In this way, on
December 25, 1994, when he broke into detailed computer framework in his San Diego home
utilizing never seen before, complex hacking technique and afterward stole some fancy mobile
phone tools, Shimomura made it a personal challenge. The trail led Mitnick, Shimomura turned
into a cybersleuth, set to get Kevin. As Tsutomu Shimomura's closes the trap on Kelvin to face
justice it is an exclusive story of the last hours of Shimomura's quest for justice.
Detailed step of Kelvin Mitnick against Tsutomu Shimomura’s systems in San Diego
Information gathering: Prior to the hacking, Mitnick was in a position to determine the TCP
sequence number generator's characteristic of X-Terminal and a relationship in the connection
between Server and X-Terminal. Kelvin sent SYN request to X-Terminal and got ACK /SYN
reaction. Afterward, he sent RESET response to maintain the X-Terminal from being topped off.
For twenty times, he repeated the same. He discovered there was a pattern between two
consecutive TCP sequence numbers. He found that the numbers were not arbitrary by any means.
The last number was greater than the previous one by 128000.
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
SOFTWARE SECURITY 11
The flood: Kelvin kept the Server silent by topping the Server off with half-open SYN request for
from spoofing IP address. Making half-open SYN request for, Kelvin utilized routable yet not
dynamic IP address. Since his intention was not to achieve three-way handshake with the Server,
half-open ACK request for occupied the Server's memory speedier. The outcome is that the
Server did not respond to some other request. This was a sort of Denial of Service attack.
Trusted relationship hijacking: Kelvin sent ACK request for to X-Terminal as a Server with
spoofed IP address. He utilized an arbitrary number as the Server's TCP series number. An
ACK/SYN sent X-Terminal response to the Server. Since, the Server had been silenced,
SYN/ACK response was not received. During the data gathering step, Mitnick could produce the
TCP sequence number that X-Terminal made for the Server. Kelvin spoofed his IP as the
Server's IP, sent an SYN response to X-Terminal to achieve three-way handshake. Due to the
returned TCP sequence number was right, X-Terminal enabled Kelvin to interface with it. They
was an establishment of a connection. The computers of Shimomura ware hacked by completing
this step.
Remote command pump: Kelvin had planned to make a secondary passage on Shimomura
computer so he could return later without repeating the hijack. From his computer, he pumped
commands to Shimomura's computer. They were "reverberate + >>/.rhosts" to be prices. They +
+ enabled any computers interface with X-Terminal without being confirmed.
Question five
Part one
a. Give 2 practical challenges associated with symbolically exploring a target program.
Answer:
The flood: Kelvin kept the Server silent by topping the Server off with half-open SYN request for
from spoofing IP address. Making half-open SYN request for, Kelvin utilized routable yet not
dynamic IP address. Since his intention was not to achieve three-way handshake with the Server,
half-open ACK request for occupied the Server's memory speedier. The outcome is that the
Server did not respond to some other request. This was a sort of Denial of Service attack.
Trusted relationship hijacking: Kelvin sent ACK request for to X-Terminal as a Server with
spoofed IP address. He utilized an arbitrary number as the Server's TCP series number. An
ACK/SYN sent X-Terminal response to the Server. Since, the Server had been silenced,
SYN/ACK response was not received. During the data gathering step, Mitnick could produce the
TCP sequence number that X-Terminal made for the Server. Kelvin spoofed his IP as the
Server's IP, sent an SYN response to X-Terminal to achieve three-way handshake. Due to the
returned TCP sequence number was right, X-Terminal enabled Kelvin to interface with it. They
was an establishment of a connection. The computers of Shimomura ware hacked by completing
this step.
Remote command pump: Kelvin had planned to make a secondary passage on Shimomura
computer so he could return later without repeating the hijack. From his computer, he pumped
commands to Shimomura's computer. They were "reverberate + >>/.rhosts" to be prices. They +
+ enabled any computers interface with X-Terminal without being confirmed.
Question five
Part one
a. Give 2 practical challenges associated with symbolically exploring a target program.
Answer:
SOFTWARE SECURITY 12
1. How to successfully explore the vast number of application path in real-world
programs.
2. The path guidance technique are in most cases ad-hoc and ineffective.
b. For each of the 2 challenges given in the previous point, explain commonly
employed approaches for addressing them.
Answer:
1. To tackle the challenge of path exploration developers use unified technique to guide
symbolic path.
2. Coverage-Optimized Search – utilizes heuristics to work out which condition has
better opportunity to cover new code fast.
Consider the function calc depicted below. Let us assume its input x is represented
by a symbolic value and that calc is explored using a symbolic execution engine.
a. Provide the symbolic expression of variable x at line 9.
Answer:
Y = ++30
b. Provide the full path condition at line 11
Answer:
If y is equal to 50
c. Provide the list of line numbers which cause state forking
Answer:
7 and 12
d. A SAT/SMT solver is queried to produce a concrete input for reaching line 11.
Answer:
1. How to successfully explore the vast number of application path in real-world
programs.
2. The path guidance technique are in most cases ad-hoc and ineffective.
b. For each of the 2 challenges given in the previous point, explain commonly
employed approaches for addressing them.
Answer:
1. To tackle the challenge of path exploration developers use unified technique to guide
symbolic path.
2. Coverage-Optimized Search – utilizes heuristics to work out which condition has
better opportunity to cover new code fast.
Consider the function calc depicted below. Let us assume its input x is represented
by a symbolic value and that calc is explored using a symbolic execution engine.
a. Provide the symbolic expression of variable x at line 9.
Answer:
Y = ++30
b. Provide the full path condition at line 11
Answer:
If y is equal to 50
c. Provide the list of line numbers which cause state forking
Answer:
7 and 12
d. A SAT/SMT solver is queried to produce a concrete input for reaching line 11.
Answer:
SOFTWARE SECURITY 13
Y < X > 100
3. Vulnerabilities, exploitation, and mitigation techniques.
a. Explain what exploitation technique(s) DEP (or NX) prevents.
Answer:
Prevents execution of codes in the stack
b. Explain why taint analysis is useful in exploit generation
Answer:
The method does not need compilation or a special source code and therefore
works on the product software.
c. Explain what heap spraying is and which exploit mitigation it tries to
circumvent.
Answer:
This is an approach utilized to simplify arbitrary code execution and tries to
bypass (EMET) Microsoft's Enhanced Mitigation Experience Toolkit.
d. Explain what a write-4 exploit primitive is and how it can be used to execute
code.
Answer:
Write-4 – is writing 4 bytes to an arbitrary address, which exist autonomously of
program specific implementations. Fast it rapidly tests the bug before continuing
to safeguard it mechanism, the principal of the bug lies in
the peek_stack() function.
e. Explain what a use-after-free vulnerability is and how attackers can take
advantage of it.
Y < X > 100
3. Vulnerabilities, exploitation, and mitigation techniques.
a. Explain what exploitation technique(s) DEP (or NX) prevents.
Answer:
Prevents execution of codes in the stack
b. Explain why taint analysis is useful in exploit generation
Answer:
The method does not need compilation or a special source code and therefore
works on the product software.
c. Explain what heap spraying is and which exploit mitigation it tries to
circumvent.
Answer:
This is an approach utilized to simplify arbitrary code execution and tries to
bypass (EMET) Microsoft's Enhanced Mitigation Experience Toolkit.
d. Explain what a write-4 exploit primitive is and how it can be used to execute
code.
Answer:
Write-4 – is writing 4 bytes to an arbitrary address, which exist autonomously of
program specific implementations. Fast it rapidly tests the bug before continuing
to safeguard it mechanism, the principal of the bug lies in
the peek_stack() function.
e. Explain what a use-after-free vulnerability is and how attackers can take
advantage of it.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
SOFTWARE SECURITY 14
Answer:
This refers to the process of accessing the memory after it has been, which results
the application to crash. This enables the attackers to have full remote code or
arbitrary code execution.
Part B
Malicious software.
a. What is a botnet and what is a botnet C&C server?
Answer:
C & C (Command and control) servers are computers that direct commands to
botnets while bonnets are a number of Internet-linked gadgets, each one of is
running one or more bots.
b. How are botnets usually created (cite at least 2 different ways)
Answer:
Connecting several computing devices and it is created when a software from
a malware penetrates a device.
c. Describe in detail how a drive-by download attack works and what it is
used for.
Answer:
First, the attacker crates a malicious content to execute the attack. Secondly,
the attacker hosts the malicious content he or she wants to distribute and lastly
the hacker launches the drive-by download after she exploits the necessary
vulnerabilities.
d. Describe in detail the domain flux technique
Answer:
This refers to the process of accessing the memory after it has been, which results
the application to crash. This enables the attackers to have full remote code or
arbitrary code execution.
Part B
Malicious software.
a. What is a botnet and what is a botnet C&C server?
Answer:
C & C (Command and control) servers are computers that direct commands to
botnets while bonnets are a number of Internet-linked gadgets, each one of is
running one or more bots.
b. How are botnets usually created (cite at least 2 different ways)
Answer:
Connecting several computing devices and it is created when a software from
a malware penetrates a device.
c. Describe in detail how a drive-by download attack works and what it is
used for.
Answer:
First, the attacker crates a malicious content to execute the attack. Secondly,
the attacker hosts the malicious content he or she wants to distribute and lastly
the hacker launches the drive-by download after she exploits the necessary
vulnerabilities.
d. Describe in detail the domain flux technique
SOFTWARE SECURITY 15
Answer:
It is DNS technique utilized by botnets to hide malware and phishing delivery
website behind an ever-changing network of penetrated hosts acting as
proxies.
e. Describe in detail the fast flux technique.
Answer:
It is a technique used by hacker to prevent host server IP address key
identified.
f. Describe the main ideas behind BotMiner
Answer:
Observation: bots, which are part of botnets, takes similar actions.
Finds device that correlate actions and communication over the time
Analysis is done using both C-plane and A-plane
Correlates C-plane
Generate a report
g. State what a rootkit is and describe at least one of its hooking techniques,
highlighting pros and cons.
Answer:
A collection of typically malicious, computer software, designed to allow
access to a software or computer that is not otherwise authorized to a user and
frequently guises its existence or the existence of other software.
Code-hooking technique it enhance performance and it disadvantage it present
vulnerabilities that attackers can exploit.
Answer:
It is DNS technique utilized by botnets to hide malware and phishing delivery
website behind an ever-changing network of penetrated hosts acting as
proxies.
e. Describe in detail the fast flux technique.
Answer:
It is a technique used by hacker to prevent host server IP address key
identified.
f. Describe the main ideas behind BotMiner
Answer:
Observation: bots, which are part of botnets, takes similar actions.
Finds device that correlate actions and communication over the time
Analysis is done using both C-plane and A-plane
Correlates C-plane
Generate a report
g. State what a rootkit is and describe at least one of its hooking techniques,
highlighting pros and cons.
Answer:
A collection of typically malicious, computer software, designed to allow
access to a software or computer that is not otherwise authorized to a user and
frequently guises its existence or the existence of other software.
Code-hooking technique it enhance performance and it disadvantage it present
vulnerabilities that attackers can exploit.
SOFTWARE SECURITY 16
h. What does DKOM stand for and what is a DKOM attack (provide at
least an example of such an attack
Answer:
DKOM- Direct kernel object manipulation is common rootkit technique to
hide possibly damaging files, third-party processes, intermediate connections,
and drivers from the task manager and event scheduler.
Scheduler E-DKOM Attack is an example of DKOM attack that targets OS
scheduler to halt one or more processes, which run in Linux system.
Question 6
Write an essay on how to create and maintain a software Security
Development Lifecycle (SDL). Include in your discussion how to classify
risks and rank threats to application software. Marks will be awarded for
a well-structured essay covering aspects presented throughout the
module.
Answer:
Undertaking Secure Software Development Life Cycle Project characterizes security
programming development process. This piece of the venture is an overview of the life cycle.
Overall flow: This piece of the SDLC Project characterizes periods of the life cycle and give
proposals and best practices for selection.
Security Awareness Training: This part gives rules to security mindfulness preparing. These
preparation are to improve the affectability of security of programming designers.
h. What does DKOM stand for and what is a DKOM attack (provide at
least an example of such an attack
Answer:
DKOM- Direct kernel object manipulation is common rootkit technique to
hide possibly damaging files, third-party processes, intermediate connections,
and drivers from the task manager and event scheduler.
Scheduler E-DKOM Attack is an example of DKOM attack that targets OS
scheduler to halt one or more processes, which run in Linux system.
Question 6
Write an essay on how to create and maintain a software Security
Development Lifecycle (SDL). Include in your discussion how to classify
risks and rank threats to application software. Marks will be awarded for
a well-structured essay covering aspects presented throughout the
module.
Answer:
Undertaking Secure Software Development Life Cycle Project characterizes security
programming development process. This piece of the venture is an overview of the life cycle.
Overall flow: This piece of the SDLC Project characterizes periods of the life cycle and give
proposals and best practices for selection.
Security Awareness Training: This part gives rules to security mindfulness preparing. These
preparation are to improve the affectability of security of programming designers.
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
SOFTWARE SECURITY 17
Security Requirement: This piece of SDLC plans to gain security prerequisites by recognizing
the practical execution, position in industry or general security necessities (eg, consistence
necessities)
Security Design: This piece of SDLC will manual for convey a feasible security configuration to
the execution group by considering potential specialized security dangers. So that by keeping
away from the early identifications of security chances, the cost to manufacture secure items is in
charge. Security Implementation: The objective of this sub-task of SDLC is to:
(1) Let execution groups do secure coding. The key is to give group a chance to comprehend
security highlights of the dialect and structure they utilize, and comply with the yield of the
SDLC security outline
(2) Let execution groups recognize and settle absconds in heritage codes. The key is to receive
robotized, proficient tech (eg. IAST) by giving rules and best practices.
Security Test: Security testing is a procedure expected to uncover defects in the security
components of a data framework that ensure information and keep up usefulness as proposed
Average security necessities may incorporate particular components of secrecy, honesty,
validation, accessibility, approval, and non-renouncement. Real security necessities tried rely
upon the security prerequisites executed by the framework. Because of the sensible restrictions
of security testing, passing security testing is not an indication that no blemishes exist or that the
framework enough fulfills the security requirements. This part of the SDLC venture will give
some best practice and valuable tips for security testing to help a.) Beginners can begin security
test effectively; b.) Professionals can use for reference.
Security Requirement: This piece of SDLC plans to gain security prerequisites by recognizing
the practical execution, position in industry or general security necessities (eg, consistence
necessities)
Security Design: This piece of SDLC will manual for convey a feasible security configuration to
the execution group by considering potential specialized security dangers. So that by keeping
away from the early identifications of security chances, the cost to manufacture secure items is in
charge. Security Implementation: The objective of this sub-task of SDLC is to:
(1) Let execution groups do secure coding. The key is to give group a chance to comprehend
security highlights of the dialect and structure they utilize, and comply with the yield of the
SDLC security outline
(2) Let execution groups recognize and settle absconds in heritage codes. The key is to receive
robotized, proficient tech (eg. IAST) by giving rules and best practices.
Security Test: Security testing is a procedure expected to uncover defects in the security
components of a data framework that ensure information and keep up usefulness as proposed
Average security necessities may incorporate particular components of secrecy, honesty,
validation, accessibility, approval, and non-renouncement. Real security necessities tried rely
upon the security prerequisites executed by the framework. Because of the sensible restrictions
of security testing, passing security testing is not an indication that no blemishes exist or that the
framework enough fulfills the security requirements. This part of the SDLC venture will give
some best practice and valuable tips for security testing to help a.) Beginners can begin security
test effectively; b.) Professionals can use for reference.
SOFTWARE SECURITY 18
Security Deployment and SecDevOps: In this period of the S-SDLC center around security
reviewing before arrangement and security observing. The sub-undertaking will inquire about on
build up a suitable security standard for arrangement and devops
the procedure of occurrence reaction and related tech.
SecDevOps
Question seven
a. Dealing with untrusted code (code centric/base access control/code access security
Answer:
In the Microsoft .NET system, is Microsoft prevents untrusted code from executing
privileged actions. At the point when the CLR loads an assembly, it will acquire proof for
the assembly and utilize this to distinguish the code group that the group belongs to. This
code group contains a consent set (at least one authorizations). Code that plays out
special actions will play out a code get to request which will cause the CLR to stroll up
the call stack and inspect the authorization set allowed to the get together of every
strategy in the call stack.
b. Application integrity including dealing with code origin
Answer:
The .NET Framework provides part based security and additionally (CAS) code access
security, both of which are actualized utilizing a typical foundation provided by the CLR
(common language runtime). In the realm of unmanaged code, most applications execute
with the consents of the principal or client. Accordingly, computer frameworks can be
harmed and private information compromised when vindictive or error filled
programming is controlled by a client with higher privileges.
Security Deployment and SecDevOps: In this period of the S-SDLC center around security
reviewing before arrangement and security observing. The sub-undertaking will inquire about on
build up a suitable security standard for arrangement and devops
the procedure of occurrence reaction and related tech.
SecDevOps
Question seven
a. Dealing with untrusted code (code centric/base access control/code access security
Answer:
In the Microsoft .NET system, is Microsoft prevents untrusted code from executing
privileged actions. At the point when the CLR loads an assembly, it will acquire proof for
the assembly and utilize this to distinguish the code group that the group belongs to. This
code group contains a consent set (at least one authorizations). Code that plays out
special actions will play out a code get to request which will cause the CLR to stroll up
the call stack and inspect the authorization set allowed to the get together of every
strategy in the call stack.
b. Application integrity including dealing with code origin
Answer:
The .NET Framework provides part based security and additionally (CAS) code access
security, both of which are actualized utilizing a typical foundation provided by the CLR
(common language runtime). In the realm of unmanaged code, most applications execute
with the consents of the principal or client. Accordingly, computer frameworks can be
harmed and private information compromised when vindictive or error filled
programming is controlled by a client with higher privileges.
SOFTWARE SECURITY 19
c. Using cryptography
Answer:
.NET Framework gives executions of numerous standard cryptographic algorithms. The
algorithms have the safest default properties and are easy to use. Likewise, the .NET
Framework cryptography model objects inheritance, configuration is extremely
extensible and stream design.
d. Software deployment and maintenance
Answer:
Microsoft.NET has VPModule.msi file that installs an HttpModule that is called
Microsoft.Web.ValidatePathModule.dll on target PCs. The installation likewise updates
the Machine.config files with another HttpModule section. With VPModule.msi, one can
execute Microsoft.Web.ValidatePathModule.dll on computers that are running ASP.NET.
In the event that a person is overseeing computers in an Active Directory catalog service
condition, one can utilize the Software Installation and Maintenance feature of Group
Policy to send the VPModule.msi on target PCs.
e. Reverse engineering
Answer:
Legitimately endorsed technique for replicating technology which (rather than beginning
from scratch) starts with an existing product and works in reverse to figure out what it
does and how it does. The product's essential rule or core idea is resolved, the following
stage is to recreate similar outcomes by utilizing diverse instruments to avoid any
(legitimately forbidden) patent encroachment. A typical practice around the world,
c. Using cryptography
Answer:
.NET Framework gives executions of numerous standard cryptographic algorithms. The
algorithms have the safest default properties and are easy to use. Likewise, the .NET
Framework cryptography model objects inheritance, configuration is extremely
extensible and stream design.
d. Software deployment and maintenance
Answer:
Microsoft.NET has VPModule.msi file that installs an HttpModule that is called
Microsoft.Web.ValidatePathModule.dll on target PCs. The installation likewise updates
the Machine.config files with another HttpModule section. With VPModule.msi, one can
execute Microsoft.Web.ValidatePathModule.dll on computers that are running ASP.NET.
In the event that a person is overseeing computers in an Active Directory catalog service
condition, one can utilize the Software Installation and Maintenance feature of Group
Policy to send the VPModule.msi on target PCs.
e. Reverse engineering
Answer:
Legitimately endorsed technique for replicating technology which (rather than beginning
from scratch) starts with an existing product and works in reverse to figure out what it
does and how it does. The product's essential rule or core idea is resolved, the following
stage is to recreate similar outcomes by utilizing diverse instruments to avoid any
(legitimately forbidden) patent encroachment. A typical practice around the world,
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
SOFTWARE SECURITY 20
reverse engineering is responsible for ubiquitous 'IBM Compatible' PCs and is referred as
copying in the programming industry.
References
reverse engineering is responsible for ubiquitous 'IBM Compatible' PCs and is referred as
copying in the programming industry.
References
SOFTWARE SECURITY 21
Dominguez, D. J., Scoggins, J. W., Newman, R. K., & Kronholm, U. S. (2017). U.S. Patent
Application No. 15/392,563.
Hoffman, P., & Benton, M. (2015). C++: The Crash Course to Learn C++ Programming and
Computer Hacking (c plus plus, C++ for beginners, programming computer, hacking the
system, how to... Coding, CSS, Java, PHP) Volume 9.
McGraw, G. (2015). Software security and the building security in maturity model
(BSIMM). Journal of Computing Sciences in Colleges, 30(3), 7-8.
Piessens, F., & Verbauwhede, I. (2016, March). Software security: Vulnerabilities and
countermeasures for two attacker models. In Proceedings of the 2016 Conference on
Design, Automation & Test in Europe (pp. 990-999). EDA Consortium.
Dominguez, D. J., Scoggins, J. W., Newman, R. K., & Kronholm, U. S. (2017). U.S. Patent
Application No. 15/392,563.
Hoffman, P., & Benton, M. (2015). C++: The Crash Course to Learn C++ Programming and
Computer Hacking (c plus plus, C++ for beginners, programming computer, hacking the
system, how to... Coding, CSS, Java, PHP) Volume 9.
McGraw, G. (2015). Software security and the building security in maturity model
(BSIMM). Journal of Computing Sciences in Colleges, 30(3), 7-8.
Piessens, F., & Verbauwhede, I. (2016, March). Software security: Vulnerabilities and
countermeasures for two attacker models. In Proceedings of the 2016 Conference on
Design, Automation & Test in Europe (pp. 990-999). EDA Consortium.
1 out of 21
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.