Explain Non malicious programming errors
1 Answer

i. Buffer-Overflow:

  • This is a stack-based buffer overflow, also known as smashing the stack. Stack smashing has been called the attack of the decade for the 1990s.
  • Assume a Web form that asks the user to enter data, such as name, age and date of birth. The entered information is then sent to a server, and the server writes the data entered to a buffer that can hold N characters.
  • If the server software does not verify that the length of the data is at most N characters, then a buffer overflow might occur. It might seem that a buffer overflow would cause little harm, but that is not the case.
  • It is likely that any overflowing data will overwrite something important and cause the computer to crash. If so, then the attacker Trudy might be able to use this flaw to launch a denial of service (DoS) attack.
  • The problem can be explained using software that is used for authentication. The authentication decision resides in a single bit. If a buffer overflow overwrites this authentication bit, then Trudy can authenticate herself as Alice, the actual user.
  • This is shown in figure 1 below, where the "F" in the position of the boolean flag indicates failed authentication.

Figure 1

  • If a buffer overflow overwrites the memory position where the boolean flag is stored, Trudy can overwrite "F" with "T" and the software will believe that Trudy has been authenticated. This attack is shown in figure 2.

Figure 2

  • Example: Consider the C source code given below:

    int main()
    {
        int buffer[10];      /* room for elements 0..9 only */
        buffer[20] = 37;     /* writes past the end of buffer: a buffer overflow */
    }

  • When this code is executed, a buffer overflow occurs. The impact of this buffer overflow depends on what resides in memory at the location corresponding to buffer[20].
  • The buffer overflow might overwrite user data or code, it could overwrite system data or code, or it might overwrite unused space.

ii. Incomplete mediation:

  • In a C program, the function strcpy(buffer, input) copies the contents of the string input into the array buffer. A buffer overflow will occur if the length of input is greater than the length of buffer.
  • To prevent such a buffer overflow, the program must validate the input by checking the length of input before attempting to write it to buffer. Failure to do so is an example of incomplete mediation.

  • Example: Input data to a web form is often transferred to the server by embedding it in a URL.

Suppose the input is validated on the client before constructing the required URL, say

www.kt280.com/orders/final&custID=111&num=55A&qty=5&price=60&shipping=4&total=300

  • This URL is interpreted to mean that the customer with ID number 111 has ordered 5 books of item number 55, at a cost of rs60 each, with a rs5 shipping charge, giving a total cost of rs300.
  • Since the input is checked on the client, the developer of the server software believes it would be wasted effort to check it again on the server.
  • However, instead of using the client software, Trudy can directly send a URL to the server. Suppose Trudy sends the following URL to the server:

www.kt280.com/orders/final&custID=111&num=55A&qty=5&price=60&shipping=4&total=30

  • If the server doesn't bother to validate the input, Trudy can obtain the same order as above, but for the bargain basement price of rs30 instead of the legitimate price of rs300.
  • There have been numerous buffer overflows in the Linux kernel, and most of these were due to incomplete mediation.
  • There are tools available to help find likely cases of incomplete mediation, but they are not a cure-all since this problem can be subtle, and therefore difficult to detect automatically.

iii. Race-Condition:

  • Race conditions arise when a security-critical process occurs in stages instead of “all at once”.
  • In such cases, an attacker may be able to make a change between the stages and thereby break the security.
  • The term race condition refers to a race between the attacker and the next stage of the process, although it is not so much a race as a matter of careful timing for the attacker.
  • Example: The race condition considered here can be implemented by the Unix command mkdir, which creates a new directory.
  • The creation of the directory is done in stages where a stage that determines authorization is followed by a stage that transfers ownership.
  • If Trudy can make a change after the authorization stage but before the transfer of ownership, then she can become the owner of some directory that she should not be able to access.
  • The working of mkdir is shown in figure 3 below. Here, mkdir is not atomic, and that is the source of the race condition.

Figure 3

  • Trudy can exploit this particular mkdir race condition if she can somehow implement the attack that is shown in figure 4.

Figure 4

  • In the attack above, after the space for the new directory is allocated to Trudy, a link is established from the password file.
  • Trudy is not authorized to access this newly created space before ownership of the new directory is transferred to her.
  • This attack is not really a race, but instead it requires careful timing by Trudy.
  • Race conditions are probably fairly common and with the trend towards increased parallelism they can become even more prevalent.
  • Each race condition is unique, so there is no standard formula for such an attack, and they are certainly more difficult to exploit.
  • Real-world attacks based on race conditions require careful timing, which makes them more difficult to exploit than buffer overflows.
  • Race conditions can be prevented by making the security-critical processes atomic, which is easy to say but difficult to implement.
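Added example (not code from the original answer): a C function that performs the length check described under incomplete mediation before calling strcpy, and a server-side re-validation of the order URL above that ignores the client-supplied price and recomputes the total instead of trusting it. The 10-character buffer, the item code 55A with a catalogue price of 60, and the order URLs used for checking are constructed assumptions; the URL format is the one shown above.

```c
#include <stdlib.h>
#include <string.h>

/* Complete mediation for strcpy(buffer, input): check the length first.
 * Returns 0 after copying, or -1 (buffer untouched) when input does not fit. */
int checked_copy(char *buffer, size_t size, const char *input)
{
    if (strlen(input) >= size)       /* >= keeps room for the terminating NUL */
        return -1;
    strcpy(buffer, input);           /* safe only because of the check above */
    return 0;
}

/* Constructed stand-in for the server's N-character buffer, with N = 10. */
static char form_buffer[10];
int store_form_field(const char *input)
{
    return checked_copy(form_buffer, sizeof form_buffer, input);
}

/* Server-side re-validation of an order URL like the one above: the client's
 * price is ignored, the total is recomputed from a constructed catalogue
 * (item 55A costs 60) plus shipping, and must equal the client's total.
 * Returns the amount to charge, or -1 to reject the order. */
long validate_order(const char *url)
{
    char query[256];
    const char *q = strchr(url, '&');            /* parameters follow the first '&' */
    if (q == NULL || checked_copy(query, sizeof query, q + 1) != 0)
        return -1;
    long qty = -1, shipping = -1, total = -1, catalogue_price = -1;
    for (char *tok = strtok(query, "&"); tok != NULL; tok = strtok(NULL, "&")) {
        char *eq = strchr(tok, '=');
        if (eq == NULL) return -1;
        *eq = '\0';                              /* split "key=value" */
        if (strcmp(tok, "num") == 0) {           /* item code may be alphanumeric */
            catalogue_price = strcmp(eq + 1, "55A") == 0 ? 60 : -1;
            continue;
        }
        char *end;
        long v = strtol(eq + 1, &end, 10);
        if (*end != '\0' || v < 0) return -1;    /* other fields: non-negative integers */
        if (strcmp(tok, "qty") == 0) qty = v;
        else if (strcmp(tok, "shipping") == 0) shipping = v;
        else if (strcmp(tok, "total") == 0) total = v;
    }
    if (qty < 0 || shipping < 0 || total < 0 || catalogue_price < 0) return -1;
    long expected = qty * catalogue_price + shipping;
    return total == expected ? expected : -1;
}
```

With the page's own numbers (qty=5, price=60, shipping=4) the recomputed total is 304, so a submitted total of 30 is rejected whether or not the client "validated" it first.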