The Logic Breaks Logic

       Hehe...People Think It...

People – Process – Technology, your Internet industry is based on these three words as a base of everything including the software market.

Think for a second and you will realize that the Software industry is actually driven from the keyboard of a programmer and in reality it’s the logic design by the programmer.

So it’s [people] from the above trio, which is responsible for developing good logic behind the working piece of a code written in any programming language.

There is saying, “C programs never die. They are just cast into void.”

Means what? Now it’s a food for your thought:

“It’s 12.58 AM…. Do you know where your stack pointer is?”

Stacks plays key role in programming any piece of code! Uhh.

A stack is an abstract data type frequently used in computer science. A stack of objects has the property that the last object placed on the stack will be the first object removed. This property is commonly referred to as last in, first out queue, or a LIFO. (insecure.org) Simply it’s a contiguous block of memory containing the data.

Question: How does software break? Why hackers and crackers easily break into your secure systems?
Why web applications got hacked every second day?

Answer: logic breaks the logic.

How it happens is varies and depends on the software design and its programming language but the main tool to break the security systems is breaking the logic behind the screen.

Buffer Overflows

Different methods of breaking into systems could be reverse engineering the piece of software code or finding buffer overflows.

I read somewhere that “in some sense, programs wrap themselves around valuable data, making and enforcing rules about who can get to the data and when.” What if someone breaks this logic?

Ah I forgot where my stack pointer was. Lets recall it.

Stack is a dynamic piece of memory and it grows either downward i.e towards low memory addresses or upward. The stack pointer is usually a register that contains the top of the stack. The stack pointer contains the smallest address x such that any address smaller than x is considered garbage, and any address greater than or equal to x is considered valid.

In simple words the Stack Pointer (SP) register is used to indicate the location of the last item put onto the stack. This is one way out of the two mentioned techniques for breaking the logic?Buffer overflow is the result of stuffing more data into a buffer than it can handle. Buffer overflows [BoF] remain the crown jewel of the attacked and it’s likely to remain so for years to come. The most common form of BoF occurs due to the stack overflow.

Figure 2. bof

Let’s see this example.

void function(char *str) {

char buffer[16];

strcpy(buffer,str);

}

void main() {

char large_string[256];

int i;

for( i = 0; i < 255; i++)

large_string[i] = ‘A’;

function(large_string);

}

This program has a function with a typical buffer overflow coding error. The function copies a supplied string without bounds checking by using strcpy() instead of strncpy(). Definitely segmentation violation will occur if we run this program.

Why segmentation violation occurred? Simply strcpy() is coping the content of *str (larger_string[]) into buffer[] until a nul character is found on the string and the buffer is much smaller that the *str. Buffer we created was of 16 bytes long and we tried to put more data into it which ends up in overflowing, its simple as it is.

So what buddy if my buffer overflows? Yes that’s the point where logic breaks the logic. If your buffers overflow it allows the attacker to change the return address of the function call and in this way attacker can change the flow of execution of the program.

And that’s the point where shell code plays a role. Shell codes are simply the piece of instruction we want to run after taking control of the program.

Now the problem is, its very easy to find the buffer overflow when you have the piece of code with you and you can pass on this code through different tools available in market. But what if you don’t have the code?

Then be smart and reverse the application into piece of programming code. How? That’s where the logic of reverse engineering begins.

And this is usually started as Black Box Analysis:

Black box analysis refers to analyzing a running program by probing it with various inputs. This kind of testing requires only a running program and does not make use of source code analysis of any kind. In the security paradigm, malicious input can be supplied to the program in an effort to cause it to break. If the program does break during a particular test, then a security problem may have been discovered.

Note that black box testing is possible even without access to binary code. That is, a program can be tested remotely over a network. All that is required is a program running somewhere that is accepting input. If the tester can supply input that the program consumes (and can observe the effect of the test), then black box testing is possible. This is one reason that real attackers often resort to black box techniques.

Black box testing is not as effective in obtaining knowledge of the code and its behavior, but black box testing is much easier to accomplish and usually requires much less expertise than white box testing. During black box testing, an analyst attempts to evaluate as many meaningful internal code paths as can be directly influenced and observed from outside the system.

This method of testing cannot exhaustively search a real program’s input space for problems because of theoretical constraints, but a this does act more like an actual attack on target software in a real operational environment than a white box test usually can.

Because this testing happens on a live system, it is often an effective way of understanding and evaluating denial-of-service problems and can validate an application within its runtime environment (if possible), it can be used to determine whether a potential problem area is actually vulnerable in a real production system.

What if you attach any debugger while running the black box testing? This way the program will be exercised and the debugger will be used to detect any failures or faulty behavior.

The Debugger

A debugger is a software program that attaches to and controls other software programs. Allows single stepping of code, debug tracing, setting breakpoints, and viewing variables and memory state in the target programs as it execute in a stepwise fashion.

Conclusion

Anyhow regardless of the method of testing you are using I must highlight following as key areas to focus in breaking the code but not limited to:

• Functions that do improper or no bounds check

• Functions that pass through or consume user-supplied data in a format string

• Functions meant to enforce bounds checking in a format string

• Routines that get user input using a loop

• Low level byte copy operations

• Routines that use pointer arithmetic on user-supplied buffers

• Trusted system calls that take dynamic input

You need logic to break the logic embedded into the piece of software code.

References

Insecure.org

How to break the software codeAbout the ArticleThe article is illustrated By hackalllife.blogspot.com