To: Department of Homeland Security

From: Altin Dastmalchi, Avi Springer, James Xiao, Eiman Zolfaghari, Ted Zuvich

Date: October 24, 2005

Re: Buffer Overflow Attack

Introduction

As requested, our team has conducted an analysis of cyber-security vulnerabilities in the U.S. economy, specifically with regard to the threat of buffer overflow attacks. The following memo summarizes an experimental buffer overflow attack we conducted and some policy implications that stem from our analysis of the experiment.

The Attack [Avi Springer, James Xiao]

Nearly every program that runs on the computers underlying the critical infrastructure of the U.S. economy keeps its working data in a region of memory called the “stack.” Among the things stored there are fixed-size storage areas called “buffers” and, next to them, the “return address” that tells the central processing unit (CPU) where to continue when the current routine finishes. A buffer overflow occurs when a program copies more data into a buffer than the buffer was sized to hold: the excess spills over into the neighbouring memory. An attacker who controls that data can therefore overwrite the return address with an address of his own choosing and, within the same data, supply machine code of his own. When the routine returns, the CPU jumps to the attacker’s code instead of back into the program. This injected code is commonly called an “exploit,” “egg,” “shellcode,” or “sploit.” If the program that was hijacked runs with administrative (“root”) privilege, as many system utilities do, the attacker’s code inherits that privilege and the attacker gains control of the target computer.

During our experimental buffer overflow attack on a target computer at the University of California, San Diego, our team succeeded in taking control of the machine. We started by searching for a program on the target computer that was both vulnerable to a buffer overflow and installed so that it runs with administrative privileges. This task was easy for us because we were given \tmp\target1 as our target program.

Once we had isolated a target, we wrote an exploit program for the attack. It has two parts. The first is the “egg”: a short sequence of assembly-language shellcode (very low-level machine code) customized for the target machine, which we intended to inject into the target program. The egg was padded so that it was slightly larger than the target’s buffer, and it ended with the address of that buffer, positioned so that it would land on the saved return address[1].

The second part of the exploit program invokes the target program and passes the egg to it as a command-line argument. The target program copied the argument into one of its buffers without checking its length. Because the egg was larger than the buffer, the copy overwrote the saved return address on the stack with the buffer’s address, and when the vulnerable routine returned, control passed to our shellcode. Our shellcode then ran with the administrative privileges inherited from the target program, and at that point the entire system was effectively under our control.

In short, the attack exposed a serious vulnerability on the target computer system. Had it been carried out with malicious intent, we could have performed very destructive actions on the entire computer and possibly on other networked resources reachable from it.

The most difficult part of mounting a buffer overflow attack is finding the location, or “address,” of the buffer in the program one wishes to attack. Unfortunately for those interested in preserving system security, this task is not very difficult at all. In our experiment, we were able to find the buffer address easily because we had the source code of the program we targeted and could test the exploit against the program itself; on a system that does not randomize memory layout, the buffer sits at the same address on every run, so an address found once works every time. In the real world, too, source code for free operating systems and their utilities is publicly available, and in many cases commercial operating systems are derived from these publicly available versions[2]. This increases the probability that hackers will be able to locate the buffer addresses of targeted programs.

One of the most effective and easily deployed defenses against buffer overflow attacks works by making the buffer address harder to find. This defense is called “address space layout randomization” (ASLR). ASLR loads a program’s stack, heap, and shared libraries (and, for programs built to support it, the program code itself) at different, randomly chosen addresses each time the program runs, so an address an attacker discovered once is unlikely to be correct the next time. ASLR is widely available and inexpensive compared with the potential damage of a buffer overflow attack. It is not foolproof: an attacker who can learn an address from the running program, or who can afford many failed attempts, may still succeed, so ASLR is best deployed alongside other protections such as non-executable stacks and length-checked copying. Nevertheless, ASLR certainly complicates the situation for any potential attacker. The sections below attempt to further quantify the costs and dangers of buffer overflow attacks.
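The mechanics described in the attack section above, and the length-checked copy recommended as a defense, as an added worked example in C. This is illustrative code written for this page, not the team’s exploit or the target program: the frame layout (a 16-byte buffer immediately followed by the saved return address, matching the 16-byte gap in footnote 1), the buffer address 0xBFFFF5A0, and the eight-byte placeholder “shellcode” are all assumptions. The overflow is simulated inside a modelled frame rather than performed on the real stack, so the program runs safely on any machine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the vulnerable routine's stack frame. The layout (a 16-byte
 * buffer immediately followed by the saved return address) is assumed
 * for illustration; real frames also hold other locals and the saved
 * frame pointer. */
#define BUF_SIZE 16
struct frame {
    char      buf[BUF_SIZE];
    uintptr_t saved_ret;   /* where the CPU continues when the routine returns */
};

/* Vulnerable pattern: the target copies its argument with no length check.
 * Shown for reference only; it is never called with oversize input here,
 * because that would corrupt the real stack. */
void vulnerable_copy(char *buf, const char *arg) {
    strcpy(buf, arg);
}

/* Hardened pattern: refuse any argument that does not fit, NUL included. */
int safe_copy(char *buf, size_t bufsz, const char *arg) {
    size_t n = strlen(arg);
    if (n >= bufsz)
        return -1;
    memcpy(buf, arg, n + 1);
    return 0;
}

/* Builds the egg: shellcode, NOP padding up to the return-address slot,
 * then the buffer's own address so the hijacked return lands on the egg.
 * Returns the payload length, or 0 if the shellcode does not fit.
 * Caveat: an egg delivered through strcpy() must contain no NUL bytes;
 * the simulation below copies raw bytes, so that constraint is ignored. */
size_t build_egg(unsigned char *out, size_t outsz,
                 const unsigned char *shellcode, size_t sclen,
                 uintptr_t buf_addr) {
    size_t ret_off = offsetof(struct frame, saved_ret);
    size_t total = ret_off + sizeof buf_addr;
    if (sclen > ret_off || outsz < total)
        return 0;
    memcpy(out, shellcode, sclen);
    memset(out + sclen, 0x90, ret_off - sclen);        /* x86 NOP sled */
    memcpy(out + ret_off, &buf_addr, sizeof buf_addr); /* host byte order */
    return total;
}

/* Simulates what vulnerable_copy() does to the frame: the payload is
 * written starting at buf and runs straight over saved_ret. The write is
 * capped at the frame size so the simulation itself stays in bounds.
 * Returns the return address the CPU would use when the routine returns. */
uintptr_t simulate_smash(const unsigned char *payload, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = (uintptr_t)0x08048456u;  /* arbitrary original return address */
    size_t n = len < sizeof f ? len : sizeof f;
    memcpy(&f, payload, n);
    return f.saved_ret;
}

int main(void) {
    /* Constructed stand-in for the shellcode: eight INT3 instructions.
     * Real shellcode spawns a shell; its bytes are not reproduced here. */
    static const unsigned char shellcode[8] = {0xCC, 0xCC, 0xCC, 0xCC,
                                               0xCC, 0xCC, 0xCC, 0xCC};
    const uintptr_t buf_addr = (uintptr_t)0xBFFFF5A0u;  /* assumed address of buf */
    unsigned char egg[64];
    size_t n = build_egg(egg, sizeof egg, shellcode, sizeof shellcode, buf_addr);

    printf("egg length: %zu bytes (buffer is %d)\n", n, BUF_SIZE);
    printf("return address after overflow: 0x%lx\n",
           (unsigned long)simulate_smash(egg, n));

    char buf[BUF_SIZE];
    printf("safe_copy of a short argument: %d\n",
           safe_copy(buf, sizeof buf, "target1"));
    printf("safe_copy of a 20-byte argument: %d\n",
           safe_copy(buf, sizeof buf, "AAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The egg is 20 bytes on a 32-bit build and 24 on a 64-bit one (the buffer plus one pointer), and after the simulated copy the frame’s return slot holds the buffer address rather than the original value. With ASLR enabled the assumed buffer address would differ on every run, which is exactly why the attack in the memo succeeded only because the target’s layout was fixed.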

Damage Potential [Ted Zuvich]

The analysis of the potential for damage concerns itself with three different potential targets: 1) a personal home computer, 2) a hypothetical corporate computer used for letters and correspondence by Wal-Mart's Corporate VP for Ordering Stuff from China, and 3) a Charles Schwab computer used to place buy/sell orders on the New York Stock Exchange. When analyzing the potential impact of a buffer overflow attack, it is important to remember that if an attacker gets root access, the attacker can access, record, or destroy any file on the computer.

In an attack on a private home computer, the hacker can gain access to personal information, such as:

• Credit card numbers

• Banking information

• Tax records

• Password logs

• Lists of valid email addresses (potential follow-on victims)

Losses in this type of attack would probably be limited to credit card maximums, loss of any funds in banking, and possible identity theft issues. These issues are very serious for the individual involved. The individual may recover some losses that are covered by FDIC or limited by credit card liability laws, but someone (either the bank or the insurance) ends up paying for the loss.

In 2003, the average case of identity theft cost about $500 (and 30 hours of labor) per victim for a total of $5 billion, and business lost an estimated $47.6 billion[3]. These figures do not include dollar losses from such scams as phishing (using fraudulent emails to collect personal information), spyware (using hidden software to gather information about what a computer user is viewing or doing), adware (using hidden software to target advertising or messaging at a computer user based on past browsing behavior), etc. Given that a thoroughly compromised home computer is approximately equivalent to an identity theft, this is probably a reasonable number.

Possible motivations for a terrorist to attack a random personal computer include obtaining funds, obtaining space for a web host, or establishing a “zombie” (a computer used to launch attacks on other computers). A terrorist may also try to attack a specific personal computer, such as the personal computer of the spouse of the Assistant to the Secretary of Defense. Such a computer might feasibly contain some very interesting and sensitive information.

If a buffer overflow attack were successfully launched on a corporate computer, the potential losses are in the millions or billions of dollars, depending on the company. Any such disruption would probably be short, but the losses would still be immense. There is also the potential for “lurker” activity, that is, corporate espionage. Imagine a scenario where a hacker simply “watched” the computer and used what he learned to make favorable business deals, rather than carrying out a one-time destructive attack.

To put some numbers to the issue, Wal-Mart bought $12 billion in merchandise in 2002[4]. Assuming that an attack could compromise operations for even one day leads to a conservative estimate of nearly $33 million in potential damages per day. In 2004, they purchased $18 billion[5] in apparel and other goods, which represents a potential loss of $50 million per day of disrupted operations. This is simply the cost to Wal-Mart; imagine the impact on a small supplier that is informed via official email (from the compromised computer) that its contract is cancelled, or that Wal-Mart needs 50,000 more units than originally discussed.

Given Wal-Mart’s emphasis on being the lowest-priced vendor of goods, this trend will probably continue. Given numbers of this size, it is probably reasonable for Wal-Mart to have a very high interest in computer security.

In addition, there is the potential to compromise any supplier or customer information stored on the computer: contact information, account numbers, telephone numbers, contract terms, etc. It may very well be the case that obtaining this information would allow the hacker to compromise other computers as well. Thus, it is important that any such computer is encrypted and/or secured from hackers.

Exact numbers on the dollar value per day of trades executed at a firm such as Charles Schwab are difficult to determine. However, Charles Schwab averaged 235500 trades per day[6] in September 2005. Assuming that each of these trades represents a relatively modest $3000 transaction (either buying or selling)[7], then the potential impact is the loss of more than $705 million in transactions per day. This is a significant economic impact, although it is not a straight dollar loss – it is simply a loss of trade volume. On the other hand, Charles Schwab charges anywhere from $9.95 to $29.95 per trade[8], so the potential impact to them for loss of trading is approximately $4.7 million per day in lost commissions.

The follow-on economic impact could also be substantial. Imagine a person placing a trade to raise money to cover a draft at another bank: if the trade is late or delayed, the person may be liable for late or overdraft fees at the other bank, or may fail to complete the purchase of a house. Consider also the possibility of placing large, spurious trade orders (“sell 10 million shares of XYZ company”). Any such order could damage Charles Schwab, the company whose stock was involved in the trade, and the account to which the transaction was billed.

Estimated Terrorist Threat [Altin Dastmalchi, Eiman Zolfaghari]

There are many groups of people, both inside and outside our borders, who are dedicated to the destruction of the very systems we Americans depend on. Regardless of their reason for existence and how they came about, their potentially destructive actions can negatively impact the lives of even the most innocent of our people with the simple click of a button. Because of this potential danger, it is imperative that we secure our systems and infrastructure. Vital systems such as air traffic control, the power grid, the treasury, and the Internet are the backbone of our society’s infrastructure, and they must be protected.

With the advent of the Internet and the Information Revolution, each of these systems has some portion that is connected to the Internet in addition to its own intranet, or internal private network. As a result, anyone, including a malicious user, could potentially reach these networks and cause damage. One way to cause this damage is with the vulnerability our paper discusses: the buffer overrun.

The buffer overrun attack scales readily. One could write code that automates the creation of the egg itself: it would scan a computer system for a vulnerable component and, on finding one, exploit it, then repeat the process from the newly compromised machine. This would allow a single malicious user to damage potentially millions of systems. The technical barriers are also low: an attacker needs only a computer, an Internet connection, and one or two fairly determined programmers, regardless of location. Financially, there is little to no cost. A computer can be bought for several hundred dollars (or stolen for free), Internet access is free at the local coffee shop or library, and programmers who believe in the ideology and aims of the criminals or terrorists can be convinced to hack the system at little or no cost.

A terrorist organization could have several plausible aims that a computer attack could serve: damaging the economy, gaining publicity, raising money, or advancing economic goals[9]. Both public and private computer systems can be exploited to these ends. A large portion of the U.S. economy relies on the transactions processed by big financial institutions such as Citigroup or Goldman Sachs; if those institutions’ networks were attacked, the U.S. economy would be affected immediately. There is also the potential that a group may wish to exacerbate an already existing emergency: think 9/11 plus shutting down New York City’s entire power grid and cell phone networks. If even one machine on the power grid that was reachable through the Internet had a buffer overrun vulnerability, an attacker could take over that machine and, from it, potentially gain control of parts of the grid’s control system. There is also the potential that groups will use these vulnerabilities as scare tactics, creating the belief that a system is about to be attacked without actually going through with it. The more robust the system becomes, the less meaningful such scare tactics will be.

It is difficult to predict what evils people will do next; thus it is imperative that the operators of every system vital to our society assume that there will always be new, creative attempts to exploit it. By adopting this posture, any given threat becomes less likely to succeed. In addition, these systems must always maintain a high level of Internet security.

Feasibility and Cost of Defense [Ted Zuvich]

Individual computer users have little incentive or ability[10] to worry about computer security (fellow report writers probably excepted). OS manufacturers such as Microsoft have some incentive to improve their security, because they may lose customers if they develop a reputation for security that is too “poor.” Their incentive level is not as high as it could be, however, because they are not liable for financial losses caused by a compromised home computer; their primary motivation is avoiding loss of reputation and the subsequent loss of sales. Companies like Norton also do not have a high incentive to truly innovate in this field, because if security were “great,” they would have no business. They are also not primary OS vendors.

We believe that the primary policy tool for improving defenses against cyber attacks should be the imposition of legal liability for security flaws. Legal liability would give organizations a strong incentive to defend against cyber attacks. Compared with other possible policy levers, such as regulations mandating that organizations invest in particular types of security, legal liability would give organizations a direct financial incentive to constantly monitor and defend against the most current threats. This would have to be studied carefully, because it is fraught with the potential for costly legal battles.

Table One (below) summarizes the incentives issue.

Table One: Incentives Analysis for Buffer Overflow Attack

| | Home | Corporate | Financial |
| Incentives for installing defenses | Protect financial data such as credit card numbers, tax forms, bank statements, and passwords for online banking. Protect privacy information. | Loss of revenue; potential order failure or deliberate alteration. Potentially large financial damage. | Loss of revenue; loss of “face” and reputation (note that a number of customers at Goldman Sachs grilled them about security measures). |
| Adequacy of incentives | Average. Strong disincentive for computer owners to install complicated protection schemes. Not a lot of incentive for vendors to provide home computer users with strong defenses. | Strong. | Very strong. |
| Additional protection cost effectiveness | Adequate. | High. | High. |
| Lowest-cost provider | Probably Microsoft (and other OS vendors), considering the installed base of Windows. You cannot count on individual owners to protect their computers adequately. | Corporate IT. | Corporate IT. |
| Potential policy levers | Liability. Could publish a legal definition of “secure” and force manufacturers to accept liability for failure to meet that standard. Possible tax incentives to vendors. | Difficult to imagine a policy lever that could force a corporation to upgrade its own security. Its incentives are primarily financial. | Possible regulatory action and legal liability with respect to financial transactions. |

Conclusions

In conclusion, our analysis has led us to believe that the threat of cyber attacks such as buffer overflows makes some portions of our financial and economic infrastructure vulnerable to damage by criminal and/or terrorist groups. A successful attack would have a substantial impact on our private citizens, our business community, our economy, and our government. Given that defenses against at least some forms of cyber attack are available at relatively low cost (compared with the potential damage of an attack), it seems obvious that greater effort and resources should be invested in such defenses. Securing ourselves before an attack is much more cost-effective than repairing the damage afterwards. To ensure this, U.S. lawmakers can implement carefully considered but strict measures that make organizations legally liable for the consequences of attacks on their systems that better defenses could have prevented. This would be the best policy approach for bolstering defenses.

-----------------------

[1] The amount by which the egg must exceed the buffer is determined by the distance between the start of the buffer and the saved return address in the routine’s stack frame on the target computer system; in our experiment it was 16 bytes.

[2] See Aleph One, “Smashing the Stack for Fun and Profit,” Phrack, Vol. 7, Issue 49 (1996).

[3] Federal Trade Commission, Identity Theft Survey Report (2003).

[4] The Wal-Mart You Don't Know

[5] Wal-Mart, others look to exports from India, by Steve Matthews, Bloomberg News, Posted on: Tuesday, July 12, 2005

[6] []

[7] “Still Clicking”

[8] []

[9] (see [] )

[10] Alma Whitten and J.D. Tygar, “Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0,” Proceedings of the 8th USENIX Security Symposium (1999). Demonstrates the difficulties of using even a modest security system, given motivated, educated users.
