This week’s lecture was given by Brad Antoniewicz, another security expert from McAfee. And while previous presenters have been on the defense side of security, Mr. Antoniewicz is on the attack side. In other words, his job is to to try to find vulnerabilities in systems rather than try to protect against them. Two sides of the same coin, obviously, but it’s worth pointing out.
Hacking
Every presenter has offered their own, slightly different definitions of terms. Here’s how this week’s presenter describes hacking: manipulating software to expose vulnerabilities.
He breaks this down into two main types of exploits:
- Software exploits: Manipulating software to gain access, as in taking advantage of a stack overflow.
- Configuration exploits: Taking advantage of a setting or configuration, like a weak password or a disabled firewall.
A major caveat that the presenter begins with is this: think before acting. Governments, universities, businesses, and other organizations take hacking very seriously. The stuff he goes onto describe gets people into legal and other types of trouble, and so one should be thoughtful about what they’re doing and what the consequences might be.
Trends
This lecture was originally delivered in 2015. At that time, Mr. Antoniewicz said that previously, hackers tended to focus on the perimeter surrounding an organization’s technical assets, like its website or network firewall. Organizations have responded by “hardening” that perimeter, which has result in hackers increasingly targeting the interior of an organization’s systems. This method of attack takes a variety of forms, and includes practices such as phishing, social engineering, etc.
WinDbg
WinDbg is a debugger built for Windows which operates similarly to GDB on Unix and Unix-like systems.
Based on the examples provided by the presenter, using WinDbg is similar to using GDB on Unix. One starts by setting a breakpoint at the beginning of execution of a program or block of code and then pausing execution to inspect memory, assembly instructions, and so on. Much of the discussion of assembly was familiar thanks in part to the assembly class I took at Oregon State.
Metasploit
Metasploit is an open-source tool which is used for penetration testing, which is undertaken to evaluate the security of a particular network. It’s used for aiding professionals, but is available to anyone and can be used for nefarious purposes.
Labs
There were two labs (or lab-like modules) in this week’s presentations. I’ve broken them up into two parts.
Part A
The first part focused on stack overflows, which occurs when a process tries to use more space than was allocated to it. In addition to causing a program to crash because of bad code, a stack overflow can be used as an exploit in a strategy called stack smashing. This refers to the process of forcing a stack overflow to exploit the result. This is generally done with a very long string as input. If the underlying code attempts to use more space than was allocated for that string, then a stack overflow can result.
Controlling the stack allows someone to control the entire state of the program. For example, overwriting a return address would allow someone to change the course of the execution of a program and pass control to a new location.
Lab B
The other location that programs use to store data is called the heap. Like the stack, the heap can be exploited to allow other code to be executed.
One way that this is done is to take advantage of a so-called “use after free” vulnerability. This process is based on the following steps:
- Free an object
- Replace the object with your own
- Position your shellcode where it will be executed
- Use the object again
The example that the presenter provided involved using a browser and JavaScript. The key to this vulnerability is the fact that browsers are having to process JavaScript (which is not compiled) rather than compiled binaries (like those used for C++ and other compiled languages).