Hacking in C
hic 1
About this course: topics & goals
• Standard ways in which software can be exploited
– understanding how such attacks work
– understanding what makes these attacks possible
– doing some attacks in practice
• Root cause analysis: why are things so easy to hack?
• This involves understanding
– programming languages, compilers, and operating systems,
and the abstractions that they provide
– the languages, representations, and interpretations involved
– the potential for trouble, in the form of software vulnerabilities, that
all this introduces
hic 2
Hacking in C
• security problems in machine code compiled from C(++) source code
running on standard CPU and operating system.
• to understand this, we need to know about
– the data representations involved
– the memory management that the programmer has to do
hic 3
Prerequisites
• Imperatief Programmeren
– we won’t use C++, but C
– biggest change: using printf instead of >> ?
• Processoren
– what is the functionality that a typical CPU offers, on which we
have to run our software written in higher-level languages?
E.g. the fetch-execute cycle of the CPU, with a Program Counter (PC) that
registers where in the code we are, which is modified for a JUMP
instruction and incremented for the other instructions
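The fetch-execute cycle described above, as an added example that is not part of the original slides: a toy CPU whose PC is incremented for ordinary instructions and overwritten for jumps. The instruction set (including the conditional jump OP_JNZ), the struct names and the sample programs are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical toy instruction set, invented for this example. */
enum opcode { OP_LOAD, OP_ADD, OP_JUMP, OP_JNZ, OP_HALT };

struct instr { enum opcode op; int arg; };  /* arg: value or jump target */

struct trace {
    int acc;        /* accumulator when execution stopped */
    size_t steps;   /* instructions fetched and executed */
    int halted;     /* 1 if OP_HALT was reached */
    int fault;      /* 1 if the PC pointed outside the program */
};

/* Fetch-execute loop: run prog[0..len) for at most max_steps steps. */
struct trace run(const struct instr *prog, size_t len, size_t max_steps)
{
    struct trace t = {0, 0, 0, 0};
    size_t pc = 0;                          /* Program Counter */

    while (t.steps < max_steps) {
        if (pc >= len) { t.fault = 1; break; }  /* nothing valid to fetch */
        struct instr in = prog[pc];         /* fetch */
        t.steps++;
        switch (in.op) {                    /* decode and execute */
        case OP_LOAD: t.acc = in.arg;  pc++; break;   /* PC incremented */
        case OP_ADD:  t.acc += in.arg; pc++; break;   /* PC incremented */
        case OP_JUMP: pc = (size_t)in.arg; break;     /* PC overwritten */
        case OP_JNZ:                                  /* jump if acc != 0 */
            if (t.acc != 0) pc = (size_t)in.arg; else pc++;
            break;
        case OP_HALT: t.halted = 1; return t;
        default:      t.fault = 1;  return t;         /* unknown opcode */
        }
    }
    return t;
}

/* Constructed sample programs. */
struct trace demo_countdown(void)   /* loop: count 3 down to 0 */
{
    static const struct instr p[] = {
        {OP_LOAD, 3}, {OP_ADD, -1}, {OP_JNZ, 1}, {OP_HALT, 0}
    };
    return run(p, sizeof p / sizeof p[0], 100);
}

struct trace demo_skip(void)        /* JUMP skips the instruction at index 2 */
{
    static const struct instr p[] = {
        {OP_LOAD, 7}, {OP_JUMP, 3}, {OP_LOAD, 99}, {OP_ADD, 1}, {OP_HALT, 0}
    };
    return run(p, sizeof p / sizeof p[0], 100);
}

struct trace demo_bad_jump(void)    /* jump target outside the program */
{
    static const struct instr p[] = { {OP_JUMP, 10}, {OP_HALT, 0} };
    return run(p, sizeof p / sizeof p[0], 100);
}

int main(void)
{
    struct trace a = demo_countdown(), b = demo_skip(), c = demo_bad_jump();
    printf("countdown: acc=%d steps=%zu halted=%d\n", a.acc, a.steps, a.halted);
    printf("skip:      acc=%d steps=%zu halted=%d\n", b.acc, b.steps, b.halted);
    printf("bad jump:  steps=%zu fault=%d\n", c.steps, c.fault);
    return 0;
}
```

Unlike this toy, a real CPU does not bounds-check the PC against "the program": it fetches from whatever address the PC holds.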
hic 4
Lectures & lab sessions
• Lectures Mondays 13:45-15:30 in HG00.304
• Lab sessions Thursdays 10:45-12:30 in HG00.137 & HG00.625
This coming Wednesday: if you are already familiar with the Linux command line,
go to HG00.625
• All course material will be on
http://www.cs.ru.nl/~erikpoll/hic
hic 5
Lab exercises
Weekly lab session with weekly programming/hacking exercise
• Exercises to be done in pairs
• Doing the exercises is obligatory to take part in the exam;
• Exercises will be lightly graded to provide feedback,
with the nsi rule (niet-serieus-ingeleverd, "not seriously submitted"):
you can have only one exercise marked as not seriously submitted
• You learn stuff in the exercises that you won't learn at the lectures,
and vice versa.
• Beware: exercises of one week will build on knowledge & skills from
the previous week
• Also: turning up for the lab sessions might be crucial to sort out
practical problems (with C, gcc, Linux, ...)
hic 6
Lab exercises
We use
• C as programming language, not C++
• Linux from the command line aka shell
• the compiler gcc
So no fancy graphical user interfaces (GUIs)
for the operating system (OS) or the compiler
Why?
• GUIs are nice, but hide what OS and compiler are doing
• the command line is clumsy at first,
– using commands instead of pointing & clicking
but gives great power
– we can write shell scripts: programs that interact with the OS
hic 7
‘to hack’
NB several meanings and connotations, incl.
1. To write software in a clever way
– to really exploit all the capabilities a system offers
2. To break into a computer system.
3. To fix some problem in a quick & ugly way
Focus of this course: 1 & 2.
hic 8
How do you break into a computer system?
1. Using user credentials – username/password
How do you get those?
– default passwords
hic 9
Default passwords exploited by Mirai botnet
hic 10
Default passwords exploited by Mirai botnet
hic 11
How do you break into a computer system?
1. Using user credentials – username/password
How do you get those?
– default passwords
– phishing
– brute forcing
– eavesdropping,
• on unsecured network connection,
• with a hardware or software keylogger
– using stolen password files
• which may need to be brute forced, if passwords are hashed
– ...
2. Using flaws in the software
– Focus of this course & web security next quarter
hic 12
Security problems in software
Terminology can be confusing:
(security) weakness, flaw, vulnerability, bug, error, coding defect, ...
Important distinction:
1. security weakness/flaw:
something that is wrong or could be better
2. security vulnerability:
weakness/flaw that can actually be exploited by an attacker.
This requires the flaw to be
1. accessible - attacker has to be able to get at it
2. exploitable – attacker has to be able to do some damage with it
E.g. by unplugging your network connection, many vulnerabilities become flaws
Warning: there is no standardised terminology for the distinction above!
hic 13
Software security prices (2015)
hic 14
design vs implementation flaws
Software vulnerabilities can be introduced at different “levels”
• design flaws
– fundamental error in the design
• implementation flaws or coding errors
– introduced when implementing
The border is not precise:
it can be debatable whether a flaw is a design or implementation flaw
To understand implementation flaws, we need to look 'under the hood'
of how a programming language works
hic 15
To understand implementation flaws
[Figure; label: "focus of this course"]
hic 16
