The Logic Breaks Logic
People – Process – Technology, your Internet industry is based on these three words
as a base of everything including the software market.
Think for a second and you will realize that the Software industry is actually driven from the keyboard of a programmer and in reality it’s the logic design by the programmer.
So it’s [people] from the above trio, who are responsible for developing good logic behind the working piece of a code written in any programming language.
There is a saying, “C programs never die. They are just cast into the void.”
What does this mean? Now here’s food for thought:
“It’s 12.58 AM.... Do you know where your stack pointer is?”
Stacks play key role in programming any piece of code! Uhh.
A stack is an abstract data type frequently used in computer science. A stack of objects has the property that the last object placed on the stack will be the first object removed. This property is commonly referred to as last in, first out queue, or a LIFO. (insecure.org) Simply it’s a contiguous block of memory containing the data.
Question: How does software break? Why hackers and crackers easily break into your secure systems? Why web applications got hacked every second day?
Answer: logic breaks the logic.
How it happens is varies and depends on the software design and its programming language but the main tool to break the security systems is breaking the logic behind the screen.
Buffer Overflows
Different methods of breaking into systems could be reverse engineering the piece of software code
or finding buffer overflows.
“in some sense, programs wrap themselves around valuable data, making and
enforcing rules about who can get to the data and when.” What if someone breaks this logic?
A Stack is a dynamic piece of memory and it grows either downward, i.e towards low memory addresses, or upward. The stack pointer is usually a register that contains the top of the stack. The stack pointer contains the smallest address x such that any address smaller than x is considered garbage, and any address greater than or equal to x is considered valid.
In simple words, the Stack Pointer (SP) register is used to indicate the location of the last item put onto the stack. This is one way out of the two mentioned techniques for breaking the logic.
Buffer overflow is the result of stuffing more data into a buffer than it can handle. Buffer overflows [BoF] remain the crown jewel of the attacked and it’s likely to remain so for years to come. The most common form of BoF occurs due to the stack overflow.
Let’s see this example.
void function(char *str) {
char buffer[16];
strcpy(buffer,str);
}
void main() {
char large_string[256];
int i;
for( i = 0; i < 255; i++)
large_string[i] = ‘A’;
function(large_string);
}
This program has a function with a typical buffer overflow coding error. The function copies a supplied string without bounds checking by using strcpy() instead of strncpy(). Definitely segmentation violation will occur if we run this program.
Why did a segmentation violation occur? Simply strcpy() is copying the content of *str (larger_string[]) into buffer[] until a nul character is found on the string and the buffer is much smaller that the *str. The buffer we created was 16 bytes long and we tried to put more data into it which ends up in overflowing, it’s as simple as that.
So what happens if my buffer overflows? Yes, that’s the point where logic breaks the logic. If your buffers overflow, it allows the attacker to change the return address of the function call and, in this way, the attacker can change the flow of execution of the program.
And that’s the point where shell code plays a role. Shell codes are simply the piece of instruction we want to run after taking control of the program.
Now the problem is, it’s very easy to find the buffer overflow when you have the piece of code with you and you can pass on this code through different tools available in the market. But what if you don’t have the code?
Then be smart and reverse the application into a piece of programming code. How? That’s where the logic of reverse engineering begins.
And this is usually started as Black Box Analysis:
Black box analysis refers to analyzing a running program by probing it with various inputs. This kind of testing requires only a running program and does not make use of source code analysis of any kind. In the security paradigm, malicious input can be supplied to the program in an effort to cause it to break. If the program does break during a particular test, then a security problem may have been discovered.
Note that black box testing is possible even without access to binary code. That is, a program can be tested remotely over a network. All that is required is a program running somewhere that is accepting input. If the tester can supply input that the program consumes (and can observe the effect of the test), then black box testing is possible. This is one reason that real attackers often resort to black box techniques.
Black box testing is not as effective in obtaining knowledge of the code and its behavior, but black box testing is much easier to accomplish and usually requires much less expertise than white box testing. During black box testing, an analyst attempts to evaluate as many meaningful internal code paths as can be directly influenced and observed from outside the system.
This method of testing cannot exhaustively search a real program’s input space for problems because of theoretical constraints, but it does act more like an actual attack on target software in a real operational environment than a white box test usually can.
Because this testing happens on a live system, it is often an effective way of understanding and evaluating denial-of-service problems and can validate an application within its runtime environment (if possible), it can be used to determine whether a potential problem area is actually vulnerable in a real production system.
What if you attach any debugger while running the black box testing? This way the program will be
exercised and the debugger will be used to detect any failures or faulty behavior.
The Debugger
A debugger is a software program that attaches to and controls other software programs. It allows single stepping of code, debug tracing, setting breakpoints, and viewing variables and memory state in the target programs as it executes in a stepwise fashion.
People – Process – Technology, your Internet industry is based on these three words
as a base of everything including the software market.
Think for a second and you will realize that the Software industry is actually driven from the keyboard of a programmer and in reality it’s the logic design by the programmer.
So it’s [people] from the above trio, who are responsible for developing good logic behind the working piece of a code written in any programming language.
There is a saying, “C programs never die. They are just cast into the void.”
What does this mean? Now here’s food for thought:
“It’s 12.58 AM.... Do you know where your stack pointer is?”
Stacks play key role in programming any piece of code! Uhh.
A stack is an abstract data type frequently used in computer science. A stack of objects has the property that the last object placed on the stack will be the first object removed. This property is commonly referred to as last in, first out queue, or a LIFO. (insecure.org) Simply it’s a contiguous block of memory containing the data.
Question: How does software break? Why hackers and crackers easily break into your secure systems? Why web applications got hacked every second day?
Answer: logic breaks the logic.
How it happens is varies and depends on the software design and its programming language but the main tool to break the security systems is breaking the logic behind the screen.
Buffer Overflows
Different methods of breaking into systems could be reverse engineering the piece of software code
or finding buffer overflows.
“in some sense, programs wrap themselves around valuable data, making and
enforcing rules about who can get to the data and when.” What if someone breaks this logic?
A Stack is a dynamic piece of memory and it grows either downward, i.e towards low memory addresses, or upward. The stack pointer is usually a register that contains the top of the stack. The stack pointer contains the smallest address x such that any address smaller than x is considered garbage, and any address greater than or equal to x is considered valid.
In simple words, the Stack Pointer (SP) register is used to indicate the location of the last item put onto the stack. This is one way out of the two mentioned techniques for breaking the logic.
Buffer overflow is the result of stuffing more data into a buffer than it can handle. Buffer overflows [BoF] remain the crown jewel of the attacked and it’s likely to remain so for years to come. The most common form of BoF occurs due to the stack overflow.
Let’s see this example.
void function(char *str) {
char buffer[16];
strcpy(buffer,str);
}
void main() {
char large_string[256];
int i;
for( i = 0; i < 255; i++)
large_string[i] = ‘A’;
function(large_string);
}
This program has a function with a typical buffer overflow coding error. The function copies a supplied string without bounds checking by using strcpy() instead of strncpy(). Definitely segmentation violation will occur if we run this program.
Why did a segmentation violation occur? Simply strcpy() is copying the content of *str (larger_string[]) into buffer[] until a nul character is found on the string and the buffer is much smaller that the *str. The buffer we created was 16 bytes long and we tried to put more data into it which ends up in overflowing, it’s as simple as that.
So what happens if my buffer overflows? Yes, that’s the point where logic breaks the logic. If your buffers overflow, it allows the attacker to change the return address of the function call and, in this way, the attacker can change the flow of execution of the program.
And that’s the point where shell code plays a role. Shell codes are simply the piece of instruction we want to run after taking control of the program.
Now the problem is, it’s very easy to find the buffer overflow when you have the piece of code with you and you can pass on this code through different tools available in the market. But what if you don’t have the code?
Then be smart and reverse the application into a piece of programming code. How? That’s where the logic of reverse engineering begins.
And this is usually started as Black Box Analysis:
Black box analysis refers to analyzing a running program by probing it with various inputs. This kind of testing requires only a running program and does not make use of source code analysis of any kind. In the security paradigm, malicious input can be supplied to the program in an effort to cause it to break. If the program does break during a particular test, then a security problem may have been discovered.
Note that black box testing is possible even without access to binary code. That is, a program can be tested remotely over a network. All that is required is a program running somewhere that is accepting input. If the tester can supply input that the program consumes (and can observe the effect of the test), then black box testing is possible. This is one reason that real attackers often resort to black box techniques.
Black box testing is not as effective in obtaining knowledge of the code and its behavior, but black box testing is much easier to accomplish and usually requires much less expertise than white box testing. During black box testing, an analyst attempts to evaluate as many meaningful internal code paths as can be directly influenced and observed from outside the system.
This method of testing cannot exhaustively search a real program’s input space for problems because of theoretical constraints, but it does act more like an actual attack on target software in a real operational environment than a white box test usually can.
Because this testing happens on a live system, it is often an effective way of understanding and evaluating denial-of-service problems and can validate an application within its runtime environment (if possible), it can be used to determine whether a potential problem area is actually vulnerable in a real production system.
What if you attach any debugger while running the black box testing? This way the program will be
exercised and the debugger will be used to detect any failures or faulty behavior.
The Debugger
A debugger is a software program that attaches to and controls other software programs. It allows single stepping of code, debug tracing, setting breakpoints, and viewing variables and memory state in the target programs as it executes in a stepwise fashion.