Fundamental Vulnerabilities Causes - ACIS

Page 1

Fundamental Vulnerabilities Causes

Copyright Universidad de los Andes 2006 – Especialización en Seguridad

Fundamental Vulnerability Causes

[email protected]

Contents

• How are vulnerabilities created?
• Fundamental vulnerabilities causes
• Programming for survivability

Page 2

How are vulnerabilities created?

• Most are variations on known themes
  – Buffer overflows,
  – Timing windows (TOCTOU),
• Reuse of vulnerable code
  – Two reasons: legacy and costs
• Few things are truly new

BIND security

1990 Cache poisoning discovered by Mockapetris and Bellovin,
1995 Cache poisoning paper published:
“We have observed that if BIND would just do what the DNS specifications say it should do, stop crashing, and start checking its inputs, then most of the existing security holes in DNS as practiced would go away. To be sure, attackers would still have a pretty easy time co-opting DNS in their break-in attempts. Our aim has been to get BIND to the point where its only vulnerabilities are due to the DNS protocol, and not the implementation” – Paul Vixie
1997 CA-1997-22 with cache poisoning fixes
1998 CA-1998-05 on three implementation vulnerabilities
1999 CA-1999-14 Multiple vulnerabilities in BIND
2000–2005 Several more BIND vulnerabilities reported

Page 3

DNSSEC

1995 “We expect it to be another year before DNSSEC is in wide use on the leading edge, and at least a year after that before its use is commonplace on the Internet” – Paul Vixie
1997 RFC 2065, DNS Security Extensions
1997 TIS reference implementation beta
1997 Experimental prototype available for export by John Gilmore
1998 DARPA grant to ISC for DNSsec effort
1999 Target date for implementation
2000 Implementation is part of current distribution
2006 Still not widely deployed

Host resolution services (attack target groupings)

• Manual process
• Lookup process (hosts, lmhosts, …),
• DNS network settings (DHCP rogue servers) …
• Domain hijacking (wait for expiration date), similar domain name registration, google bombing (page rank escalation), adwords, …
• DNS cache poisoning, DNS spoofing, DNS ID spoofing with sniffing, the birthday attack, …

Page 4

Where can the software engineering process fail?

• Specification,
• Design,
• Implementation,
• Testing,
• Maintenance,

Hyatt Sky Bridges (Kansas City 1981, 114 deaths, 200 injured)

Page 5

Hyatt Sky Bridges (design change… by builder)

A hacker's toolkit (land attack)

[Figure: “el-pinzas” (Ana) and “la víctima” (the victim), exchanging SYN and SYN-ACK]

Page 6

A hacker's toolkit (land attack) (.)

• The problem is that source and destination ports and addresses are the same!
• RFC 793 (TCP Protocol Specification) is ambiguous:
  – p. 36: send RST to terminate the connection
  – p. 69: reply with an empty packet having current sequence number t+1 and ACK number s+1; but the packet it then receives has an incorrect ACK number, so it repeats this … the system hangs or runs very slowly, depending on whether interrupts are disabled

Testing

• Incorrect answers may “look right”
  – Similarly, incorrect code may look right
• The tester must know the correct behavior
  – The programmer should not be the tester
• “Correct” results may still be due to flawed logic which will fail some other way
• Easy to have inadequate tests
• Requirements can be misunderstood
• Security is an “emergent” property
  – It derives from the interactions among the parts
    » the weakest-link property is definitive

Page 7

The weakest-link property

Contents

• How are vulnerabilities created?
• Fundamental vulnerabilities causes
• Programming for survivability

Page 8

Fundamental Vulnerability Causes

• Basic programming practices
  – Buffer overflows, lack of type-safety
• Privileged programs
• Trusting untrustworthy information
• Timing windows
• Improper use of algorithms
• Other

Fundamental Vulnerability Causes (basic programming practices) (buffer overflows)

• What can we do?
  – It’s a pervasive problem
    » Algol (1968), MULTICS-PL/I and ADA included “mandatory array-bound checking”,
      • Unfortunately ADA causes brain-cancer in laboratory rats
      • I am asking for jail for K&R
        – See section 1.9

Page 9

Buffer Overflow attacks (C++ / C)

• Ghosts from your past will haunt you!

Process Memory Organization

• Code (or text segment): includes instructions and read-only data
• Data: contains (un)initialized data and static / global variables
• Heap
• Stack: LIFO structure to support process execution

Page 10

A very simple (and vulnerable) password checking program

[Program listing not included in the transcript; only the stack diagrams survive]

A very simple (and vulnerable) password checking program (.)

Stack layout in main() (SP at the top of the frame):
– Storage for PwStatus (4B)
– Caller ebp – frame pointer of OS (4B)
– Return address of main() – OS (4B)

Stack layout inside the password checking function (SP at the top of its frame):
– Storage for PwStatus (4B)
– Caller ebp – frame pointer of OS (4B)
– Return address of main() – OS (4B)
– Storage for Password (12B)
– Caller ebp – frame pointer of main() (4B)
– Return address – main() – OS (4B)

Page 11

A very simple (and vulnerable) password checking program (..)

After an over-long password is read (SP at the top of the checking function’s frame):
– Storage for PwStatus (4B): “\0” – NULL (last 3 bytes unchanged)
– Caller ebp – frame pointer of OS (4B)
– Return address of main() – OS (4B)
– Storage for Password (12B): “123456789012”
– Caller ebp – frame pointer of main() (4B): “3456”
– Return address – main() – OS (4B): “7890”

A very simple (and vulnerable) password checking program (…)

With a crafted input the saved return address no longer holds password text:
– Storage for PwStatus (4B): NULL (no changes)
– Caller ebp – frame pointer of OS (4B)
– Return address of main() – OS (4B)
– Storage for Password (12B): “123456789012”
– Caller ebp – frame pointer of main() (4B): “3456”
– Return address – main() – OS (4B): “u�@\0” (address bytes garbled in the transcript)
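The following is an added example, not the program from the slides: a C rendering of the password checker whose stack frames are drawn above, with the unbounded copy that lets the saved ebp and return address be overwritten, next to a bounded version that rejects anything that cannot fit. The function names, the constructed SECRET and the use of a 12-byte buffer (the slide's "Storage for Password (12B)") are assumptions made for this example.

```c
/* Added example (not from the original slides): a C version of the
 * "very simple (and vulnerable) password checking program" whose stack
 * frames are drawn above, next to a bounded version. The function names,
 * the constructed SECRET and the 12-byte buffer size are assumptions. */
#include <stdio.h>
#include <string.h>

#define PASSWORD_SIZE 12                 /* "Storage for Password (12B)" */
static const char SECRET[] = "letmein";  /* constructed sample secret */

/* Vulnerable: strcpy() copies until the input's NUL, so 12 or more bytes run
 * past Password into the saved ebp ("3456") and the return address ("7890")
 * that sit next to it on the stack. Calling it with a long input is
 * undefined behaviour; it is only here to show the defect. */
int check_password_unsafe(const char *input)
{
    char Password[PASSWORD_SIZE];
    strcpy(Password, input);                 /* unbounded copy: the overflow */
    return strcmp(Password, SECRET) == 0;    /* 1 = accepted, 0 = rejected */
}

/* Hardened: measure with a bound, refuse anything that cannot fit, then copy
 * exactly len+1 bytes. Nothing longer than PASSWORD_SIZE-1 characters ever
 * reaches the buffer, so the saved ebp and return address stay intact. */
int check_password_safe(const char *input)
{
    char Password[PASSWORD_SIZE];
    size_t len = strnlen(input, PASSWORD_SIZE);
    if (len >= PASSWORD_SIZE)
        return 0;                            /* too long: reject, no copy */
    memcpy(Password, input, len + 1);        /* bounded copy, NUL included */
    return strcmp(Password, SECRET) == 0;
}

/* Stand-alone use: read one line and keep the result in PwStatus, as in
 * the diagrams. */
int main(void)
{
    char line[64];
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    line[strcspn(line, "\n")] = '\0';        /* drop the newline */
    int PwStatus = check_password_safe(line);
    printf("%s\n", PwStatus ? "accepted" : "rejected");
    return PwStatus ? 0 : 1;
}
```

The hardened version never copies before it has checked the length, so the "123456789012" input of the diagram is rejected before a single byte reaches the stack buffer; the unsafe version is kept only so the two can be compared side by side.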

Page 12

Code Red attack (a buffer overflow with code injection)

GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u68

58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u819

0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

Check “Smashing the Stack for Fun and Profit” – Aleph One

Fundamental Vulnerability Causes (basic programming practices) (lack of type-safety)

• What is the result of 32,768 + 1?

Answer: -32,767, if you use a two’s-complement 16-bit field
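As an added example (not from the slides), the arithmetic behind that answer in C, together with the overflow check a 16-bit counter needs so that it stops instead of going negative. The wrapping is done by hand on unsigned types because signed overflow is undefined behaviour in C; the function names wrap16, add16_checked and count_until_overflow are choices made for this example.

```c
/* Added example (not from the original slides): what "32,768 + 1" becomes
 * in a two's-complement 16-bit field, and the checked addition a counter
 * needs. wrap16, add16_checked and count_until_overflow are names chosen
 * for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Reduce the mathematical sum modulo 2^16 and reinterpret the 16-bit pattern
 * as a two's-complement value. Unsigned arithmetic is used on purpose:
 * signed overflow is undefined behaviour in C and cannot be observed portably. */
int16_t wrap16(int32_t a, int32_t b)
{
    uint16_t bits = (uint16_t)((uint32_t)a + (uint32_t)b); /* keep low 16 bits */
    if (bits >= 0x8000u)
        return (int16_t)((int32_t)bits - 0x10000);  /* sign bit set: negative */
    return (int16_t)bits;
}

/* Checked addition: returns true and stores the sum when it fits an int16_t,
 * false (leaving *out untouched) when it would overflow. */
bool add16_checked(int16_t a, int16_t b, int16_t *out)
{
    int32_t sum = (int32_t)a + (int32_t)b;      /* cannot overflow in 32 bits */
    if (sum > INT16_MAX || sum < INT16_MIN)
        return false;
    *out = (int16_t)sum;
    return true;
}

/* A counter that refuses to wrap: increments from start until the checked
 * addition reports overflow, and returns how many increments were accepted. */
int count_until_overflow(int16_t start)
{
    int16_t counter = start;
    int steps = 0;
    while (add16_checked(counter, 1, &counter))
        steps++;
    return steps;
}

int main(void)
{
    printf("32768 + 1 in a 16-bit two's-complement field = %d\n", wrap16(32768, 1));
    printf("increments accepted from 32700 before the check stops: %d\n",
           count_until_overflow(32700));
    return 0;
}
```

wrap16(32768, 1) yields -32,767, the slide's answer: 32,768 is already 0x8000, the most negative 16-bit value, and adding one moves it up to -32,767. The checked counter, by contrast, accepts 67 increments from 32,700 and then reports the overflow rather than silently turning negative.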

Page 13

Fundamental Vulnerability Causes (basic programming practices) (lack of type-safety) (.)

• On Saturday December 25, 2004, COMAIR (Delta Airlines) halted all operations and grounded 1,100 flights because of an int overflow,
  – More than 32,768 flights that season,
• The CEO was fired!
  – It was a DOC bug (Denial Of Career),

Fundamental Vulnerability Causes (privileged programs)

• “With great power comes great responsibility” – Spiderman
• Compartmentalized security

Page 14

Fundamental Vulnerability Causes (trusting untrustworthy information)

• Already seen in our buffer overflow example,
• Untrustworthy information can be:
  – User data,
    » e.g. SQL injection, XSS scripting,
  – Writable directories and files,
  – User input,
    » Especially Unicode,
  – Active content,
  – Controllable data,
    » Protocol data

Fundamental Vulnerability Causes (trusting untrustworthy information) (Active Content)

[Example not included in the transcript] Taken from “2600 – The Hacker Quarterly” – Spring 2006

Page 15

Fundamental Vulnerability Causes (flawed logic exploited by W32.Blaster.Worm)

[Code listing not included in the transcript] Used to extract the hostname from a larger string. Taken from “Secure Coding in C and C++” – Robert Seacord

Fundamental Vulnerability Causes (timing windows - TOCTOU)

• First documented in August 2004 (?)
  – VU#132110 – Apache HTTP server v2.0.48
• With some patience, the attacker can cause a DoS event,
• TOCTOU because the Time Of Check is different from the Time Of Use
  – Main reason for “software aging”

Page 16

Fundamental Vulnerability Causes (timing windows - TOCTOU) (.)

Race window: an external process can replace some_file with another file
– A link (hard or symbolic)
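As an added example (not code from the slides), the race window described above in C: the check-by-path-then-use-by-path pattern, and a replacement that opens first, refuses to follow a symbolic link, and verifies the object it actually got through the descriptor rather than the path, so the window between check and use disappears. The function names, the hard-link heuristic (st_nlink) and the files created under a temporary directory are constructed for this example.

```c
/* Added example (not from the original slides): the access()-then-open()
 * race window, and a replacement that checks and uses the same descriptor.
 * Function names, the st_nlink heuristic and the temporary files are
 * constructed for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: the check (access) and the use (open) name the file by
 * path twice. Between the two calls another process can replace some_file
 * with a hard or symbolic link to a file the caller should not reach. */
int open_checked_by_path(const char *some_file)
{
    if (access(some_file, R_OK) != 0)       /* time of check */
        return -1;
    return open(some_file, O_RDONLY);       /* time of use: path may differ now */
}

/* Safer pattern: open first, refusing to follow a symlink at the final
 * component, then verify the object we actually got through the descriptor.
 * Returns the descriptor, or -1 with errno set. */
int open_regular_nofollow(const char *some_file)
{
    int fd = open(some_file, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                          /* ELOOP when some_file is a symlink */
    struct stat st;
    /* Reject anything that is not a plain file; st_nlink > 1 is a heuristic
     * for a hard link placed in the window (assumption made for this example). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-contained demonstration on constructed data: a regular file and a
 * symlink to it in a fresh temporary directory. Returns 1 when the safe
 * opener accepts the regular file and rejects the symlink, 0 otherwise. */
int demo_nofollow(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char regular[256], linkpath[256];
    snprintf(regular, sizeof regular, "%s/some_file", dir);
    snprintf(linkpath, sizeof linkpath, "%s/some_link", dir);

    int ok = 0;
    int fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && symlink(regular, linkpath) == 0) {
        close(fd);
        int a = open_regular_nofollow(regular);   /* expected: a descriptor */
        int b = open_regular_nofollow(linkpath);  /* expected: -1, errno ELOOP */
        ok = (a >= 0 && b < 0);
        if (a >= 0)
            close(a);
    } else if (fd >= 0) {
        close(fd);
    }
    unlink(linkpath);
    unlink(regular);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("safe opener accepts the file and rejects the symlink: %s\n",
           demo_nofollow() ? "yes" : "no");
    return 0;
}
```

The point is not the extra flags but where the decision is made: open_checked_by_path decides on a path that can change underneath it, while open_regular_nofollow decides on the descriptor it already holds, which no other process can redirect.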

Fundamental Vulnerability Causes (improper use of algorithms)

• Checksums (CRC vs. MD5)
• Random number generators
• More generally, not understanding the technology
  – e.g. biometric technology

Page 17

Error modeling in biometric systems

[Figure: frequency vs. matching score (0–100) for non-matching prints and matching prints, with the acceptance threshold separating FAR from FRR. SOURCE: IDEX]

Fundamental Vulnerability Causes (other)

• Incorrect assumptions
• Design errors
• Requirement errors
• User interface
  – Usability problems
    » Why Johnny can’t encrypt: A usability evaluation of PGP. Alma Whitten – J.D. Tygar
  – Insecure default configuration
  – Documentation problem

Page 18

Contents

• How are vulnerabilities created?
• Fundamental vulnerabilities causes
• Programming for survivability

Programming for survivability

• Consider other points of view
  – Add to your “use cases” some “misuse cases” or even “abuse cases”,
  – Remember “hacking is aikido”,
• Identify security risks:
  – STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of privilege),
• Follow the principle of least privilege
  – Yo, Spiderman!

Page 19

Programming for survivability (.)

• Assume a hostile environment
  – Users control much of a program’s behavior
  – Be aware of the source of all the data your program uses
  – Permit only safe input rather than blocking bad input
  – Assume that flaws will lead to a full compromise
• Design for survivability:
  – Separate or compartmentalize,
  – Overprovision,
  – Minimize publicly visible systems / services,
• Cryptography is a powerful tool, but it is harder than you think
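As an added example (not from the slides, and not Seacord's Blaster snippet), the two rules above in C: extracting a host name from a larger string with an explicit bound, then accepting it only if every character is on an allow list, instead of trying to block known-bad input. This also illustrates the earlier W32.Blaster slide, where the hostname extraction was the flawed step. The function names and the RFC 1123-style label rules (labels of 1 to 63 characters from letters, digits and hyphens, at most 253 characters in total) are choices made for this example.

```c
/* Added example (not from the original slides): bounded extraction of a
 * host name from a "\\host\share"-style string, followed by an allow-list
 * check. The names and limits are assumptions made for this example. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 253   /* longest host name accepted, excluding the terminator */

/* Allow-list check: labels of 1..63 characters from [A-Za-z0-9-], not
 * starting or ending with '-', joined by single dots. Anything else (spaces,
 * slashes, control bytes, bytes outside ASCII, an empty string) is rejected. */
int is_safe_hostname(const char *host)
{
    size_t len = strnlen(host, HOST_MAX + 1);
    if (len == 0 || len > HOST_MAX)
        return 0;
    size_t label = 0;                         /* length of the current label */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0 || host[i - 1] == '-')
                return 0;                     /* empty label or trailing hyphen */
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (label == 0 && c == '-')
                return 0;                     /* leading hyphen */
            if (++label > 63)
                return 0;                     /* label too long */
        } else {
            return 0;                         /* not on the allow list */
        }
    }
    return label > 0 && host[len - 1] != '-';
}

/* Copy the host part of src into dst. Stops at the first '\\' or '/', never
 * writes more than dstsz bytes, and returns 0 when the host does not fit or
 * fails the allow-list check (dst holds the extracted text in either case). */
int extract_hostname(const char *src, char *dst, size_t dstsz)
{
    if (dstsz == 0)
        return 0;
    while (*src == '\\' || *src == '/')       /* skip leading separators */
        src++;
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\\' && src[n] != '/') {
        if (n + 1 >= dstsz) {                 /* no room left for the NUL */
            dst[n] = '\0';
            return 0;
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return is_safe_hostname(dst);
}

int main(void)
{
    /* constructed sample inputs */
    const char *inputs[] = { "\\\\fileserver\\share", "\\\\bad host\\share",
                             "\\\\-x.example\\share" };
    char host[HOST_MAX + 1];
    for (size_t i = 0; i < 3; i++)
        printf("%-24s -> %s\n", inputs[i],
               extract_hostname(inputs[i], host, sizeof host) ? host : "rejected");
    return 0;
}
```

The extraction checks the remaining room on every byte rather than trusting that the input is shorter than the buffer, and the validator enumerates what is allowed; a new kind of bad input (a different separator, a non-ASCII byte) is rejected without anyone having to anticipate it.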

Programming for survivability (..)

• Testing for security is just like testing for quality,
• Security must be evaluated based on the way it fails, not on the way it works,

Page 20

Some final reflections… (processes)

• “product quality cannot be ensured without first guaranteeing the quality of the process by which the product is developed”
• Two software lifecycle process models
  – SEI CMM (Carnegie Mellon University),
  – General Electric six-σ,
• But just because a process is efficient, repeatable, and applied in a consistent, disciplined way, there is no guarantee that the process is actually good, or for our purposes, “security-enhancing”,
  – Remember Kodak six-σ,
  – ISO 9000 defines and standardizes,
  – ISO 27001 “locks”
    » and ISO 17799 gives ideas,

Some final reflections… (formal methods)

• Correct software is: “Software which does what it is supposed to do”
• Secure software is: “Software that doesn’t do what it’s not supposed to do”… or even better… “cannot be forced to do what it’s not supposed to do”

Page 21

Some final reflections… (actual solutions - patching)

• Life goes in circles
  – Application firewalls,
  – Patch and patch…
  – Four years from the “trustworthy computing initiative”
    » Yesterday I applied 11 patches to protect against 21 holes,
• FIAT: Fix It Again, Tony

Taken from “Security Vulnerabilities in software systems – a quantitative perspective” - Alhazmi

Some final reflections… (historical behavior) (Windows)

[Figure: cumulative vulnerabilities (0–60) per quarter from Jul-98 to Jan-04; series: Windows XP, Shared, Windows 98]

Page 22

Taken from “Security Vulnerabilities in software systems – a quantitative perspective” - Alhazmi

Some final reflections… (historical behavior) (Linux)

[Figure: cumulative vulnerabilities (0–180) from Mar-00 to Nov-04; series: Redhat 6.2, Redhat 7.1, Shared]

Some final reflections… (historical behavior) (OpenBSD)

W^X: no buffer overflows!

Page 23

Some final reflections… (be prepared for Vista)

[Figure: vulnerabilities vs. time, with Phase 1, Phase 2 and Phase 3 marked. Taken from “Security Vulnerabilities in software systems – a quantitative perspective” - Alhazmi]

Complexity is the enemy of security

• Lines of code
  – Windows 3.1 (1992): 3 million,
  – Windows 95 (1995): 15 million,
  – Windows 98 (1999): 18 million,
  – NT 3.5 (1992): 4 million,
  – NT 4.0 (1996): 16.5 million,
  – Windows 2000 (2001): 35 million,
  – Windows XP (2002): 40 million,
  – Windows Vista (2006): 50 million,
  – Solaris: 7 – 8 million,
  – Linux (even with X and Apache): 5 million,
  – NetBSD 3.8: 3 million,
• Secure systems should be cut to the bone and made as simple as possible. There is no substitute for simplicity.

Page 24

Some interesting developments (server-based computing)

• AJAX, “Ruby on Rails”,
• Citrix + VMware + multicore processors