WSU - Fall 06 - CS 3830-0 - Final

1.
Social engineering is the brand new art of stealing private information such as passwords, credit card numbers, SSNs or PINs by manipulating individuals, deceiving them into believing things that are not true (exploiting cognitive biases). That information is then used either to gain access to private transactions, to break into private places such as bank accounts (we could call it e-burglary), or to escalate privileges on a system for further attacks.
Probably, as of today [Dec. 2006], the most used technique is so-called phishing, in which a message pretends to come from a legitimate source to deceive the user into releasing private information. If I remember well, it began with the infamous 411 / 419 Nigerian scams.
Usually the email pretends to come from a bank manager who discovered a "dormant account", from a marine in Iraq who discovered a huge amount of cash in a terrorist camp, or from a widow "suffering from cancer, with few months left" willing to leave her capital for "humanitarian purposes". All of them need help to export the money, so they ask for your name, address and bank account to wire the cash. Another variant is an email apparently from your bank which asks you to log in "to update your account". Later developments include the Spanish Lottery and the Australian Lotto. For example, yours truly won the Australian Lotto seven times last month; if it were true I would be 5 million richer.
The line between this and pretexting is thin; pretexting, however, is done over the telephone, pretending to be "technical support", coworkers, the police, the bank, etc.
Other techniques are Trojan horses, gimmes, quid pro quo, plus the brand new re-packaging scheme, the change on a larger check, etc.
The bible of this field is "The Art of Deception" by the old veteran Kevin Mitnick.

2.
We define a race condition as the need of concurrent programs to access the same resource at the same time. For instance, several stations could try to access at the same time a printer (although modern operating systems have a spooler queue), a CD player, a backup unit, and so on.
A typical case is the "fork bomb", an intrusive program which clones itself into a child, which spawns itself again, and so on. By the 4th step there are already 16 instances running. In a few more steps it consumes all the available RAM, exposing the system to crashing or being breached.
You can protect the system by allowing only a quota of programs to be run by the same user.
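To make that quota concrete, here is an added example (mine, not part of the exam answer) that lowers the per-user process limit with RLIMIT_NPROC, the same knob a shell sets with `ulimit -u`, and then counts how many forks the kernel lets through versus refuses once the limit is reached. Linux/POSIX is assumed; the struct and function names are my own.

```cpp
// Added example (not part of the exam answer): enforcing the per-user process
// quota the answer proposes, via RLIMIT_NPROC (the same knob as `ulimit -u`).
// Linux/POSIX only.
#include <csignal>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#include <vector>

struct SpawnResult {
    int spawned = 0;   // forks the kernel allowed
    int refused = 0;   // forks it refused (EAGAIN once the quota is reached)
};

// Lower this process's soft RLIMIT_NPROC (inherited by every child) to
// max_procs, clamped to the hard limit. Returns the limit now in force, -1 on error.
long set_process_quota(rlim_t max_procs) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0) return -1;
    rl.rlim_cur = (rl.rlim_max < max_procs) ? rl.rlim_max : max_procs;
    if (setrlimit(RLIMIT_NPROC, &rl) != 0) return -1;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0) return -1;
    return static_cast<long>(rl.rlim_cur);
}

// Fork `wanted` children that stay alive until reaped (as a fork bomb's
// instances would) and count how many the quota let through vs. refused.
SpawnResult try_spawn(int wanted) {
    SpawnResult r;
    std::vector<pid_t> kids;
    for (int i = 0; i < wanted; ++i) {
        pid_t pid = fork();
        if (pid < 0) {          // quota (or another resource) exhausted
            r.refused++;
        } else if (pid == 0) {  // child: block until the parent kills us
            pause();
            _exit(0);
        } else {
            kids.push_back(pid);
            r.spawned++;
        }
    }
    for (pid_t pid : kids) {    // clean up: SIGKILL cannot be ignored, so no hang
        kill(pid, SIGKILL);
        waitpid(pid, nullptr, 0);
    }
    return r;
}
```

On Linux, processes holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN (root) are exempt from RLIMIT_NPROC, so run it as an ordinary user to see refusals; the limit counts every process of that user, not only this program's children.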

3.
By code review we mean checking for either bugs or conceptual errors, with the aim of improving security and thus code quality. There is code-reviewing software that checks for buffer overflows, format string exploits, memory leaks, and race conditions. Reviewing line by line is today considered obsolete.
On the other side, software testing is used to improve quality first, with security as a consequence. It is done on behalf of the stakeholders, mostly to check consistency in the logic, in the classes and in the execution, with the aim of finding errors.
However, the border line between the two is very thin, which has primed intense debates on which is a subset of the other.

4.
The problem in Java is that the catch block following a try usually does not do anything interesting: it just catches the exception, then goes on as if nothing had happened. This is a very common malpractice among beginners and also among many experienced developers.
We distinguish between checked and unchecked exceptions. "C++ and C# do not have checked exceptions at all; all exceptions in these languages are unchecked" [1].
Another Java problem is that after the catch the finally block is always executed, which could lead to unexpected behaviors, while C# forbids control-passing statements there. "Unexpected exceptions can directly lead to denial of service vulnerabilities if they can be triggered by input from an untrusted party" [2].
Nope, C++ shows vulnerabilities as well. The well-known author Tom Cargill, in his article "Exception Handling: A False Sense of Security" about C++, states: "The really hard part of using exceptions is to write all the intervening code in such a way that an arbitrary exception can propagate from its throw site to its handler, arriving safely and without damaging other parts of the program along the way." [C++ Report] On the other side, Pablo Nogueira at the University of Nottingham explicitly contradicts Cargill in his review.
Also Microsoft (surprise! surprise!) declares the unsafeness of Visual C++, showing that in an expression up on the stack the catch block runs after the finally block [3] (isn't it fun?).
So, as usual, it's a religious war.
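The two pitfalls above in working C++, as an added example of mine (not from the exam answer, Cargill's article or Nogueira's review): `process_unsafe` shows the intervening code that damages program state while an exception propagates, `BusyGuard` is the RAII fix, and `process_swallowing` is the empty catch that "goes on as if nothing had happened". The session counter and all function names are constructed for the illustration.

```cpp
// Added example (not from the exam answer or the cited articles): the pitfalls of
// answer 4 in C++. process_unsafe damages state while an exception propagates
// (Cargill's "intervening code" problem); BusyGuard is the RAII fix;
// process_swallowing is the empty catch that "goes on as nothing happened".
#include <stdexcept>
#include <string>

static int g_busy_sessions = 0;   // hypothetical shared state (constructed)

static void risky_step(const std::string& input) {
    if (input.empty()) throw std::invalid_argument("empty input");
}

// Unsafe: if risky_step throws, the decrement is skipped and the session
// counter stays wrong for the rest of the program.
bool process_unsafe(const std::string& input) {
    ++g_busy_sessions;
    risky_step(input);
    --g_busy_sessions;
    return true;
}

// RAII guard: its destructor also runs during stack unwinding, so the
// counter is restored however the scope is left.
struct BusyGuard {
    BusyGuard()  { ++g_busy_sessions; }
    ~BusyGuard() { --g_busy_sessions; }
};

bool process_safe(const std::string& input) {
    BusyGuard guard;
    risky_step(input);
    return true;
}

// The empty-catch malpractice: the caller is told the input was processed.
bool process_swallowing(const std::string& input) {
    try { return process_safe(input); } catch (...) { /* dropped */ }
    return true;
}

// Proper handling: turn the exception into a failure the caller must check.
bool process_reporting(const std::string& input) {
    try { return process_safe(input); }
    catch (const std::invalid_argument&) { return false; }
}

int  busy_sessions() { return g_busy_sessions; }
void reset_busy()    { g_busy_sessions = 0; }
```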

5.
Buffer underflow vulnerabilities have been reported in: These are only some examples of flaws in this field. All of them lead either to crashing the machine, to arbitrary code execution, or to a denial of service attack.

6.
The most secure file systems in *nix environments are ext3, ReiserFS and Reiser4, because they allow journaling of transactions, which comes in useful in case of a crash; NTFS does not.
Those *nix FSes support encryption as well. I am not familiar with Microsoft products; I heard it does too, but I have never been so masochistic as to try.

7.
According to several online reports, Oracle is the most affected by flaws. Strangely enough, MS SQL Server is more solid, but this relates to SQL Server 2000, not SQL Server 7.
MySQL has been hardened against injections and is the most used database on the Web; however, it is the only one which likes to expand comments, which is a potential way to breach it.
Someone however pointed out that MS SQL Server should be spelled "SYBASE is one of the best purchases that Microsoft has ever made, which they later called innovation".
The remedy is to separate the SQL from the application: all SQL statements should reside in stored procedures; then sanitize all input strings before passing them to the database engine.

8.
First, a variable declared as float or double, if used with an insane cast, could lead to integer overflow.
Last July [2006], a vulnerability was reported in FreeBSD when running on AMD processors: a local user may be able to obtain sensitive information. The Linux kernel is also affected.
On "7th generation" and "8th generation" processors manufactured by AMD, the fxsave and fxrstor instructions do not save and restore the FOP, FIP, and FDP registers unless the exception summary bit (ES) in the x87 status word is set (whereas other processors store this information regardless of the ES bit). [4]
"This allows a process to determine portions of the state of floating point instructions of other processes". [5]
About a month ago Microsoft released an "Updated Sage.dll File Corrects Floating-Point Math Errors" [6].
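On the "insane cast" at the top of this answer, an added example of mine (not part of the exam answer): in C and C++, converting a floating-point value that does not fit the target integer type is undefined behaviour rather than a wrap-around, so the conversion below checks the range first. The function names are my own; the length variant assumes `max_allowed` is below 2^53 so its double representation is exact.

```cpp
// Added example (not from the exam answer): the "insane cast" of answer 8. In
// C/C++ converting a floating-point value that does not fit the target integer
// type is undefined behaviour, not a wrap-around, so the range is checked first.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <limits>

// Store trunc(x) in `out` and return true only if x is finite and fits int32_t.
bool checked_double_to_int32(double x, int32_t& out) {
    if (!std::isfinite(x)) return false;              // rejects NaN and +/-inf
    const double lo = std::numeric_limits<int32_t>::min();  // -2^31, exact
    const double hi = -lo;                                  //  2^31, exact
    const double t = std::trunc(x);
    if (t < lo || t >= hi) return false;   // half-open: INT32_MAX is the last ok value
    out = static_cast<int32_t>(t);
    return true;
}

// The variant that matters for memory safety: a length that will feed an
// allocation or a memcpy. Negative, NaN and oversized values are rejected
// instead of being silently converted. max_allowed is assumed < 2^53 so its
// double representation is exact.
bool checked_double_to_size(double x, size_t& out, size_t max_allowed) {
    if (!(x >= 0.0)) return false;         // also rejects NaN (comparisons are false)
    const double t = std::trunc(x);
    if (t > static_cast<double>(max_allowed)) return false;
    out = static_cast<size_t>(t);
    return true;
}
```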

9.


10.
The principle I follow most is Practice Defense in Depth.
In protecting networks and computers it allows me to spread recursive layers of security, so that if the first layer fails or is hijacked, there are further defenses.
In writing code I use it to break down the structure of the flow until I reach atomicity.
However, I do not use it alone but mixed with Secure the Weakest Link and other techniques I am not going to disclose here.
You might like to have a look at Defense in Depth Strategies.pdf [download] on my FTP server, but the whole folder is worth a visit.

9 Dec. 2006
Vincenzo Maggio