About: Attack patterns is a research topic. Over the lifetime, 602 publications have been published within this topic receiving 9332 citations.
Papers published on a yearly basis
•31 Jul 2005
TL;DR: It is demonstrated that many real-world applications, including FTP, SSH, Telnet, and HTTP servers, are vulnerable to non-control-data attacks, and the importance of future research efforts to address this realistic threat is emphasized.
Abstract: Most memory corruption attacks and Internet worms follow a familiar pattern known as the control-data attack. Hence, many defensive techniques are designed to protect program control flow integrity. Although earlier work did suggest the existence of attacks that do not alter control flow, such attacks are generally believed to be rare against real-world software. The key contribution of this paper is to show that non-control-data attacks are realistic. We demonstrate that many real-world applications, including FTP, SSH, Telnet, and HTTP servers, are vulnerable to such attacks. In each case, the generated attack results in a security compromise equivalent to that due to the control-data attack exploiting the same security bug. Non-control-data attacks corrupt a variety of application data including user identity data, configuration data, user input data, and decision-making data. The success of these attacks and the variety of applications and target data suggest that potential attack patterns are diverse. Attackers are currently focused on control-data attacks, but it is clear that when control flow protection techniques shut them down, they have incentives to study and employ non-control-data attacks. This paper emphasizes the importance of future research efforts to address this realistic threat.
TL;DR: An overview of the most exploited vulnerabilities in existing hardware, software, and network layers is presented and critiques of existing state-of-the-art mitigation techniques as why they do or don't work are described.
•01 Jan 2012
TL;DR: A heuristic analysis of Android's system behavior is conducted to identify attack patterns, classify different adversary models, and point out the challenges to be tackled, and a system-centric and policy-driven runtime monitoring of communication channels between applications at multiple layers is proposed.
Abstract: Android's security framework has been an appealing subject of research in the last few years. Android has been shown to be vulnerable to application-level privilege escalation attacks, such as confused deputy attacks, and more recently, attacks by colluding applications. While most of the proposed approaches aim at solving confused deputy attacks, there is still no solution that simultaneously addresses collusion attacks. In this paper, we investigate the problem of designing and implementing a practical security framework for Android to protect against confused deputy and collusion attacks. We realize that defeating collusion attacks calls for a rather system-centric solution as opposed to application-dependent policy enforcement. To support our design decisions, we conduct a heuristic analysis of Android's system behavior (with popular apps) to identify attack patterns, classify different adversary models, and point out the challenges to be tackled. Then we propose a solution for a system-centric and policy-driven runtime monitoring of communication channels between applications at multiple layers: 1) at the middleware we control IPCs between applications and indirect communication via Android system components. Moreover, inspired by the approach in QUIRE, we establish semantic links between IPCs and enable the reference monitor to verify the call-chain; 2) at the kernel level we realize mandatory access control on the file system (including Unix domain sockets) and local Internet sockets. To allow for runtime, dynamic low-level policy enforcement, we provide a callback channel between the kernel and the middleware. Finally, we evaluate the efficiency and effectiveness of our framework on known confused deputy and collusion attacks, and discuss future directions.
01 Jan 2004
TL;DR: This book discusses Reverse Engineering and Program Understanding, Reverse Engineering Tools and Concepts, and Buffer Overflows and Embedded Systems, as well as Specific Techniques and Attacks for Server Software.
Abstract: Attack Patterns. Foreword. Preface. What This Book Is About. How to Use This Book. But Isn't This Too Dangerous? Acknowledgments. 1. Software-The Root of the Problem. A Brief History of Software. Bad Software Is Ubiquitous. The Trinity of Trouble. The Future of Software. What Is Software Security? Conclusion. 2. Attack Patterns. A Taxonomy. An Open-Systems View. Tour of an Exploit. Attack Patterns: Blueprints for Disaster. An Example Exploit: Microsoft's Broken C++ Compiler. Applying Attack Patterns. Attack Pattern Boxes. Conclusion. 3. Reverse Engineering and Program Understanding. Into the House of Logic. Should Reverse Engineering Be Illegal? Reverse Engineering Tools and Concepts. Methods of the Reverser. Writing Interactive Disassembler (IDA) Plugins. Decompiling and Disassembling Software. Decompilation in Practice: Reversing helpctr.exe. Automatic, Bulk Auditing for Vulnerabilities. Writing Your Own Cracking Tools. Building a Basic Code Coverage Tool. Conclusion. 4. Exploiting Server Software. The Trusted Input Problem. The Privilege Escalation Problem. Finding Injection Points. Input Path Tracing. Exploiting Trust through Configuration. Specific Techniques and Attacks for Server Software. Conclusion. 5. Exploiting Client Software. Client-side Programs as Attack Targets. In-band Signals. Cross-site Scripting (XSS). Clients Scripts and Malicious Code. Content-Based Attacks. Backwash Attacks: Leveraging Client-side Buffer. Conclusion. 6. Crafting (Malicious) Input. The Defender's Dilemma. Intrusion Detection (Not). Partition Analysis. Tracing Code. Reversing Parser Code. Example: Reversing I-Planet Server 6.0 through the Front Door. Misclassification. Building "Equivalent" Requests. Audit Poisoning. Conclusion. 7. Buffer Overflow. Buffer Overflow 101. Injection Vectors: Input Rides Again. Buffer Overflows and Embedded Systems. Database Buffer Overflows. Buffer Overflows and Java?! Content-Based Buffer Overflow. Audit Truncation and Filters with Buffer Overflow. Causing Overflow and Environment Variables. The Multiple Operation Problem. Finding Potential Buffer Overflows. Stack Overflow. Arithmetic Errors in Memory Management. Format String Vulnerabilities. Heap Overflows. Buffer Overflows and C++. Payloads. Payloads on RISC Architectures. Multiplatform Payloads. Prolog/Epilog Code to Protect Functions. Conclusion. 8. Rootkits. Subversive Programs. A Simple Windows XP Kernel Rootkit. Call Hooking. Trojan Executable Redirection. Hiding Files and Directories. Patching Binary Code. The Hardware Virus. Low-Level Disk Access. Adding Network Support to a Driver. Interrupts. Key Logging. Advanced Rootkit Topics. Conclusion. References. Index.
•26 Sep 2008
TL;DR: In this article, an information layer agent consults a knowledge base comprising information associated with known attack patterns, including state-action mappings, to determine if events indicate attacks, perform clustering analysis to determine whether they represent known or unknown attack patterns and initiate appropriate responses to prevent and/or mitigate the attack.
Abstract: Systems and methods for discovery and classification of denial of service attacks in a distributed computing system may employ local agents on nodes thereof to detect resource-related events. An information later agent may determine if events indicate attacks, perform clustering analysis to determine if they represent known or unknown attack patterns, classify the attacks, and initiate appropriate responses to prevent and/or mitigate the attack, including sending warnings and/or modifying resource pool(s). The information layer agent may consult a knowledge base comprising information associated with known attack patterns, including state-action mappings. An attack tree model and an overlay network (over which detection and/or response messages may be sent) may be constructed for the distributed system. They may be dynamically modified in response to changes in system configuration, state, and/or workload. Reinforcement learning may be applied to the tuning of attack detection and classification techniques and to the identification of appropriate responses.