What happens if we use
“illegal” offsets??
First of all, what is an array?
An
array is a regular order or arrangement containing a fixed number of
contiguously storage elements (that is, there are no gaps between
elements) of the same data type
(although they may have
different values). For example, you could have an array of integers,
an array of characters or an array of anything that has a defined
data type.
For example, we
could store the first 10 prime numbers (1, 2, 3, 5, 7, 11, 13, 17,
19, 23) in RAM by storing them as individual integer variables one
for each number. Using the following c declaration:
Since an
array is a fixed number of contiguous storage all of the same data
type, in RAM (assuming that the first contiguous block was at
address 2000) it would look like this (2-bytes per integer):
Another
example
An array
which contains 5 integer values of type
int
called example could be represented this way:
example
The
blank panels represent an element of the array (the array’s
objects). These particular objects or elements, are the type
int.
They are also in sequential order. By being in sequential order, if
the computer knows where the first element is, then it is relatively
easy for it to find the second, the third, and so forth. Also since
this is an array of type int, we are asking for 4-bytes per element
(4*5=20 contiguous bytes of RAM)
Note: The
array did not begin with the number 1. Rather it began with the
number 0. Each element is offset from the beginning of
an array starting at 0.
Why is
the first element labeled 0?
Because it
is zero elements away from the beginning of the array. This means
that the second element is actually 1 away from the beginning the
array. The third element is 2 away from the beginning of the array
and so forth.
Get the
picture?
Any array
of size N has an offset range of 0 to N-1. In our case the range is
from 0 to 4.
Please
note: Arrays can have more than one dimension. A one-dimensional
array is called a vector or pointer, which contains
the address of a location in memory; a two-dimensional array
is called a matrix, that is, an array of rows and columns.
What is an address?
It is
a location of data, usually in main memory or on a disk. It is an
array of storage boxes, each of which is one byte in length. Each
box has an address—a unique number assigned to it, which makes it
easier to locate.
What is a string?
A string is
a sequence of data values, usually bytes, which stand for characters
(a
“character string”). A character string differs from a name in that
it does not represent anything. For example, a bit string is a
sequence of bits.
A
character string is usually defined by enclosing the characters in
single or double quotes:
WASHINGTON would be a name, but 'WASHINGTON' and "WASHINGTON" would
be character strings.
The
length of a character string is usually the number of characters in
it:
The
character string "WASHINGTON" has a length of 10 (the quote marks
are not included).
What
is an offset?
An
offset (subscript) is an index or position in an array, string, or
block of memory—usually a non-negative integer.
For
example: 0, 1, 2, 3…
It is
a value added to a base address to create a second address.
For
example, if B represents address 100, then the _expression,
B+5
would
indicate the address 105. The 5 in the _expression is the
offset.
Let’s take
an array and figure out the offset by using the following formula :
ELEMENT
ADDRESS = BASE ADDRESS OF THE ARRAY+ (OFFSET # * 4)
*Remember
we have to multiply the offset by 4 since we are using integers.
Therefore the 4 bytes * 4 elements = 16 continguous bytes of RAM
needed!
First,
let’s say our base address starts at 100.
int
example[4] ={1,3,5,7}
Element
number/position/index Addresses Reference
1 100 to
103 example[0]
2 100+4=104 (to 107)
example[1]
3 104+4=108 (to 111)
example[2]
4 108+4=112 (to 115)
example[3]
RAM
Allocation:
|
100 example[0] |
101 example[0] |
102 example[0] |
103 example[0] |
|
00000000 |
00000000 |
00000000 |
0000001 |
|
104 example[1] |
105 example[1] |
106 example[1] |
107 example[1] |
|
00000000
108 example[2]
00000000
112 example[3]
00000000
1122222 |
00000000
109 example[2]
00000000
113 example[3]
00000000 |
00000000
110 example[2]
00000000
114 example[3]
00000000 |
00000011
111 example[2]
00000101
115 example[3]
00000111 |
|
100 to 103 example[0] |
104 to 107 example[1] |
108 to 111 example[2] |
112 to 115 example[3] |
|
1 |
3 |
5 |
7 |
|
Offset Address:
We would
follow the same procedure for a float and character array. Except
that for a character array we multiply the offset by 1 (1 byte of
storage) and then add it to the base address.
Okay, now that we know what offsets are and how do they work,
what happens if we use “illegal” offsets?
Illegal offsets are alterations than can cause malicious
fragmentation, most commonly known as computer viruses. Many
attackers, for example, send illegal offsets within a TCP packet.
TCP stands for Transmission Control Protocol. Is a
connection-oriented protocol that utilizes various flags to indicate
that a connection is being started or ended, or that there’s a high
priority on the data that it carries.
Attackers altered the TCP flags in a way that firewalls or intrusion
detection systems are unable to detect them.
What are flags?
Flags
are a bit of information that signals a particular condition or
status. For example, a record might contain an error flag to
indicate that the record consists of incorrect data.
What type of flags should be set in a TCP packet?
At
least one of the following flags should be set in a TCP packet; each
one takes up to 1 bit of storage.
|
SYN (Synchronization) |
Initiate a TCP connection. |
|
ACK (Acknowledgment) |
Indicates that the value in the acknowledgment number
field is valid. |
|
FIN (Finish) |
Smoothly end a TCP connection. |
|
RST (Reset) |
Quickly end a TCP connection. |
|
PSH (Push) |
Tells the receiver to pass on the data as quickly as
possible. |
|
URG (Urgent) |
Indicates that the urgent pointer is valid. |
Note: Besides the six flag bits described here, TCP packets have two
additional bits which are reserved for future use. These are
commonly referred to as the "reserved bits".
What constitutes a normal flag combination?
The
following are normal flag combinations:
|
SYN, SYN ACK, ACK |
Every packet in a connection must have the ACK bit set,
except for the initial SYN packet. |
|
FIN ACK, ACK |
These are used during the smooth ending of a connection. |
|
PSH FIN ACK |
Is
also seen at the start of a smooth termination. |
|
RST or RST ACK |
Can be used to quickly end an existing connection. |
What are the abnormal flag combinations (viruses) an attacker may
send to a computer?
The
following are examples of abnormal flag combinations:
|
SYN FIN |
Is
the best known illegal combination. Remember: SYN
is used to start a connection, and FIN is used to
end a connection. Therefore, any SYN FIN packets
are malicious. |
|
SYN FIN PSH,
SYN FIN RST,
SYN FIN RST PSH |
Attackers who know that certain intrusion detection
systems may be looking for packets with only the SYN
and FIN bits set, not additional bits set use
these packets, which are definitely malicious.
|
|
FIN |
FIN packets are used for port scans and network
mapping. Packets must never contain just a FIN
flag. |
|
Null |
These packets have no flags set. It is illegal to have a
packet with zero flags set. |
Visit
the
following links for more
detail information:
numeric
arrays tutorial: 4.20 what are offsets and how do they
work?
http://www.securityfocus.com/infocus/1200
http://www.cs.wright.edu/pmateti/InternetSecurity/Lectures/Ipexploits/
http://www.giac.com/practical/EAVazquezJr.html
http://www.web.ask.com/redir?bpg=http%2f%2fweb.ask.com%2fweb%
Review Questions
1.
Which one of the following is a position in an array, string, or
block of memory?
Base Address
B+5
Offset
Array
String
(answer: c)
2.
Which one of the following malicious fragmentation is most
commonly knows as?
Fragmentation
Computer Viruses
Flags
TCP
Illegal Offsets
(answer: b)
3. Which
one of the following is a bit of information that signals a
particular condition?
Record
Error
Firewall
Flag
Detection
System
(answer: d)
4. If my
base address were 23456 and int example[4] ={0,4,8,12} What would my
address be for the third offset?
Answer:
|
23456 example[0] |
23457 example[0] |
23458 example[0] |
23459 example[0] |
|
00000000 |
00000000 |
00000000 |
00000000 |
|
23460 example[1] |
23461 example[1] |
23462 example[1] |
23463 example[1] |
|
00000000 |
00000000 |
00000000 |
00000100 |
|
23464 example[2] |
23465 example[2] |
23466 example[2] |
23467 example[2 |
|
00000000 |
00000000 |
00000000 |
00001000 |
|
23468 example[3] |
23469 example[3] |
23470 example[3] |
23471 example[3] |
|
00000000 |
00000000 |
00000000 |
00001100 |
|
23456 to 23459
example[0] |
23460 to 23463 example[1] |
23464 to 23467 example[2] |
23468 to 23471 example[3] |
|
0 |
4 |
8 |
12 |
Offset Address:
My third
offset is actually offset number 2, not 3. Offsets always start at 0
not at 1. Therefore my address for the third offset will be 23464.
5.
What would happen if I had a character instead of an integer in
the previous problem? Explain.
Answer:
Instead of
multiplying the offset number by 4, I would have to multiply it by 1
to get the address of the third offset.
Offset
Address:
0 23456 + (0*1) =23456
1 23456 + (1*1) =23457
2 23456 + (2* 1) =23458
3 23456 + (3*1) =23459
My
answer would then be 23458 because offset 2 is my third offset.
6. What
type of fragmentation can illegal offsets cause?
(Answer:
malicious fragmentation)
7. What
does TCP stand for?
(Answer:
Transmission Control Protocol)
8. What
are some examples of normal flag combinations?
(Answer:
SYN, SYN ACK, ACK; FIN ACK, ACK; PSH FIN ACK; RST/RST ACK)
9.
Describe some abnormal flag combinations an attacker may send to a
computer.
(Answer:
SYN FIN; SYN FIN PSH, SYN FIN RST, SYN FIN RST PSH; FIN; NULL)
CIS3355:
Business Data Structures