Highlighted Topics

Question 1

SQL Injections

Answer 1

Injection might happen when queries are built using (e.g. concatenating) the parameters provided by the users

Question 2

SQL Injection Example

Answer 2

$query = “SELECT ssn FROM employees WHERE name = ‘“ + username +”’ ”

Question 3

SQL Injection Solutions

Answer 3

Prepare statement allows for the clear separation of what is to be considered data and what is to be considered code
1) query is parsed and location of the parameters are identified
2) the parameters are bound to their actual value

Question 4

SQL Injection Solution Example

Answer 4

1) perpare(“… name = ? AND username = ?”);
2) bind_param(“ss”, $name, $password);

Question 5

Cross-Site Scripting (XSS)

Answer 5

Used to bypass JavaScript’s same-origin policy – malicious JavaScript code that is injected, stored on the server, and then executed.

Since it is stored on the server, the browser interprets the code as the same origin as the server

Question 6

XSS Prevention

Answer 6

1) Input Sanitation
2) Output Encoding
3) User Frameworks with Built-it XSS Prevention

Question 7

XXS Prevention: Input Sanitization

Answer 7

Implement robust input sanitization to strip out or encode potentially harmful characters from user inputs

Cannot be trivial since characters can be encoded (e.g. < is read as < and > is read as >)

Question 8

XSS Prevention: Output Encoding

Answer 8

Ensure any data output to a page is treated as data, not executable code

Encode special characters (<, >, &, “, ‘) to their HTML or URL encoded equivalents

Question 9

XSS Prevention: Frameworks

Answer 9

Leverage modern development frameworks and libraries that automatically handle input sanitization and output encoding to reduce XSS vulnerabilities

Question 10

Cross-Site Request Forgery (CSRF)

Answer 10

An attacker induces users to perform action that they do not intend to perform on a web application in which they are currently authenticated (normally using website redirection)

Question 11

CSRF Countermeasure

Answer 11

Anit-CSRF Tokens which are unique to each user session and embed this token in forms and requests to verify that the submission is intentional and originates from the legitimate user interface

Question 12

Anit-CSRF Tokens: SameSite = Strict

Answer 12

Browser does not include cookies in any cross-site request

Question 13

Anit-CSRF Tokens: SameSite = Lax

Answer 13

Allows cookies to be added to request triggered by cross-site top-level navigation

Question 14

What is setuid?

Answer 14

If stored in setuid file, the permissions of the corresponding process will be equalivalent to the presmission of the owner of the file program

real user ID = user who started the process
effective user ID = owner

Question 15

Spatial Memory Safety Errors

Answer 15

Out-of-bound Write/Read which can lead to software crashes if non-writable/readable/allocated memory is accessed

Question 16

Out-of-Bound Read/Write

Answer 16

The software reads/writes data past the end/before the beginning of the intended buffer

Read: can lead to memory disclosure (leak)
Write: can lead to memory corruption

Question 17

Temporal Memory Safety Errors

Answer 17

Memory is accessed at the ‘wrong’ time
1) Use After Free
2) Accessing uninitialized variables
3) Double free

Question 18

Use After Free

Answer 18

Software reuses memory after it has been freed. Two pointers incorrectly point to the same region.

Can lead to Memory Disclosure or Memory Corruption

Question 19

Memory Safety Errors Exploitation

Answer 19

Spatial/temporal memory safety errors can be used to “leak” secrets from program (e.g. heartbleed)

Can be used to achieve arbitrary code execution

Question 20

Memory Safety Causing
Code Execution

Answer 20

1) Use an out-of-bound write or corrupt a code pointer
2) Make corrupted pointer point to some attacker-controlled data which will then be executed

Question 21

push

Answer 21

Write a value on the top of the stack

Rewriting push rax:
sub rsp, 8
mob qword ptr [rsp], rax

OR

sub rsp, 8
*rsp = rax

Question 22

pop

Answer 22

Read a value from the top of the stack

Rewriting pop rax:
mov rax, qword ptr [rsp]
add rsp, 8

OR

rax = *rsp
add rsp, 8

Question 23

call

Answer 23

Jump to a location, write the return address on the stack

Rewrite call 0x112230
push <address of following instruction>
jmp 0x112230

OR

sub rsp, 8
*rsp = <following>
jmp 0x112230</following>

Question 24

ret

Answer 24

Return from a call

Rewrite ret
pop rip

OR

jmp qword ptr [rsp]
add rsp, 8

Question 25

Address Space Layout Randomization (ASLR)

Answer 25

Addresses the assumption that "We know where the address of the attacker-controlled memory is" Implemented by operating system and randomizes the position of: heap, stack, dynamically-linked libraries, and program's main code

Question 26

ASLR Exploitation

Answer 26

Can disabled by "leaking" memory content (e.g. out-of-bound read) especially since common ASLR implementations only shift the entire memory layout by an offset

Question 27

Non-Executable Memory (NX)

Answer 27

Address the assumption that "The attacker-controlled memory is executable" No memory page is both writable and executable. The CPU enforces that if the program attempts to execute data in an non-executable memory page an exception is raised

Question 28

NX Exploitation

Answer 28

If there exists a "win" function already in the code then we can use Code Reuse/Return Oriented Programming (ROP)

Question 29

Return Oriented Programming (ROP)

Answer 29

Re-use gadgets (such as pop rdi; ret) We can set the stack so that the execution "jumps" from one gadget to the next one

Question 30

Control Flow Integrity (CFI)

Answer 30

Enforce that the flow of execution of the program only takes a legitimate path (e.g. ret can only return to its caller) Hard to 1) cover all possible corner cases and uncommon behaviors legitimate programs may have 2) be efficient since it requires CPU supports

Question 31

Why is C memory unsafe?

Answer 31

1) Low-level memory access: arbitrarily create pointers at arbitrary locations 2) NO runtime check on the validity of the access memory 3) Manual memory management: need to manually allocate/de-allocate memory buffer (e.g. malloc() and free())

Question 32

Why is Java memory safe?

Answer 32

1) Automated memory management: if memory is needed, the garbage collector will run and frees memory of memory buffers that cannot be accessed anymore 2) Does not allow arbitrary memory access: accessing null throws a NullPoitnerException (especially since all variable need to be initialized_ 3) Runtime array bounds checking: cannot access array out of bounds without throwing ArrayIndexOfBoundsException

Question 33

Drawbacks of Java

Answer 33

1) Performance impact from added checks 2) Require virtual machine and a large "runtime" library 3) No direct control over memory allocation/free 4) Does not allow fine-tuned memory management

Question 34

Reasons to use C

Answer 34

1) allows specifying how memory should be accessed and managed 2) allows low-level interaction with peripherals 3) allows writing highly-optimized code 4) is compatible with older systems

Question 35

Google's Rule of 2

Answer 35

Can only have at most two of these things be true: 1) code which processes untrustworthy input 2) code written in an unsafe language 3) code which runs with no sandbox (e.g. browser process)

Question 36

Security Principles: Updates & Andriod

Answer 36

Apps are automatically updated in background Many system components can be updated without a "full" system update

Question 37

Security Principles: Defense in Depth

Answer 37

Multiple layers of security controls are placed throughout a system Prevents single vulnerabilities from leading to compromise of the entire OS or other apps

Question 38

Android Permissions

Answer 38

Prior to 6, it was all or nothing. Now there are three types of permissions: 1) install-time permissions: cannot be revoked 2) runtime-permissions: need to be approved at runtime 3) special permissions: enabled in ad-hoc ways (accessibility, device administrator)