Security Engineering 1

Post on 21-Dec-2015

Page 1: Security Engineering 1. Agenda Today Types of Security Problems Integrating Security into Software Process Security Toolbag

Security Engineering 1


Agenda Today

• Types of Security Problems

• Integrating Security into Software Process

• Security Toolbag

Threats and Vulnerabilities

• Two major categories of computer security risks are:

– Threats

• Threats are a person, thing, or event which will compromise the system

• All systems have potential threats

• Some examples of threats are:

– Natural and Physical – These imperil the physical plant and the state of the actual equipment

– Unintentional – These are the dangers brought on by ignorance

– Intentional – These are malicious attacks against a system

Threats and Vulnerabilities (Continued)

– Vulnerabilities

• Vulnerabilities are perceived threats

– If they were exploited, the system would no longer be reliable

– The more vulnerabilities can be perceived, the more threats can be determined

• Every system is vulnerable to attack

• Some examples of vulnerabilities are:

– Physical & Natural – Natural disasters and environmental threats can adversely impact a facility and its IT resources

– Hardware & Software – IT resources can start malfunctioning

– Media – Disks, tapes, printouts, etc. can be stolen or damaged

– Network – Machines can be remotely breached

– Human – Users can make errors which will put data in jeopardy


Malicious Logic

• Trojan Horse

• Virus

• Worms

• Rabbits (Bacteria)

• Logic Bomb

Example

• Shell script on a UNIX system:

    cp /bin/sh /tmp/.xyzzy
    chmod u+s,o+x /tmp/.xyzzy
    rm ./ls
    ls $*

• Place in program called “ls” and trick someone into executing it

• You now have a setuid-to-them shell!

Trojan Horse

• Program with an overt purpose (known to user) and a covert purpose (unknown to user)

– Often called a Trojan

• Example: the previous script is a Trojan horse

– Overt purpose: list files in directory

– Covert purpose: create setuid shell

Example: NetBus

• Designed for Windows NT system

• Victim uploads and installs this

– Usually disguised as a game program, or in one

• Acts as a server, accepting and executing commands for remote administrator

– This includes intercepting keystrokes and mouse motions and sending them to attacker

– Also allows attacker to upload, download files

Replicating Trojan Horse

• Trojan horse that makes copies of itself

– Also called propagating Trojan horse

– Early version of animal game used this to delete copies of itself

• Hard to detect

– 1976: Karger and Schell suggested modifying compiler to include Trojan horse that copied itself into specific programs including later version of the compiler

– 1980s: Thompson implements this

Viruses

– designed to replicate themselves

• removable storage media, email, file transfer

– intended to cause damage

– need a host program

• attach to and modify host

• execute as part of host

– virus detection

• check program length (virus can hide or compress program)

• check for virus “signature” (viruses use encryption)
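The two detection checks just listed (program length and a byte signature) are illustrated by the following C code, which is an added example and not part of the slides. It records a baseline for a constructed "clean" program image, then shows that a copy with a constructed marker prepended (the layout described later under executable infectors) is caught by the length check, by a content hash (which also catches the "compress the host to keep the length" trick), and by a signature scan. The CLEAN and SIG byte strings, the FNV-1a hash choice and every function name are assumptions made for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Baseline recorded for a clean program: its length and a 64-bit FNV-1a
   hash of its bytes (an integrity checksum for the demo, not a MAC). */
struct baseline {
    size_t length;
    uint64_t hash;
};

uint64_t fnv1a64(const unsigned char *data, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

struct baseline record_baseline(const unsigned char *prog, size_t n)
{
    struct baseline b = { n, fnv1a64(prog, n) };
    return b;
}

/* Length check from the slide: a prepended or appended infector changes
   the size. Returns 1 if the program still matches the baseline. */
int length_matches(const struct baseline *b, size_t current_len)
{
    return b->length == current_len;
}

/* Stronger: the hash changes even if the infector compresses the host so
   that the total length stays identical. */
int integrity_matches(const struct baseline *b, const unsigned char *prog, size_t n)
{
    return b->length == n && b->hash == fnv1a64(prog, n);
}

/* Signature scan: look for a known byte pattern anywhere in the image.
   Returns the offset of the first match, or -1 if absent. */
long find_signature(const unsigned char *prog, size_t n,
                    const unsigned char *sig, size_t siglen)
{
    if (siglen == 0 || siglen > n) return -1;
    for (size_t i = 0; i + siglen <= n; i++)
        if (memcmp(prog + i, sig, siglen) == 0)
            return (long)i;
    return -1;
}

/* Constructed sample data: a "clean" image and a fake infector marker. */
static const unsigned char CLEAN[] = "HDR\x01\x02 clean program body";
static const unsigned char SIG[]   = "EVIL-MARK";

/* Build an "infected" copy (marker prepended) into out; returns its length
   or 0 if out (capacity outsz) is too small. */
size_t make_infected(unsigned char *out, size_t outsz)
{
    size_t siglen = sizeof(SIG) - 1, n = sizeof(CLEAN) - 1;
    if (siglen + n > outsz) return 0;
    memcpy(out, SIG, siglen);
    memcpy(out + siglen, CLEAN, n);
    return siglen + n;
}

/* Self-check: the baseline taken on the clean image must accept the clean
   image and reject the infected one by length, by hash and by signature.
   Returns 1 when all three detections succeed. */
int detection_selfcheck(void)
{
    unsigned char infected[128];
    size_t n = make_infected(infected, sizeof infected);
    struct baseline b = record_baseline(CLEAN, sizeof(CLEAN) - 1);
    int clean_ok = integrity_matches(&b, CLEAN, sizeof(CLEAN) - 1)
                && find_signature(CLEAN, sizeof(CLEAN) - 1, SIG, sizeof(SIG) - 1) < 0;
    int caught_len  = !length_matches(&b, n);
    int caught_hash = !integrity_matches(&b, infected, n);
    int caught_sig  = find_signature(infected, n, SIG, sizeof(SIG) - 1) == 0;
    return clean_ok && caught_len && caught_hash && caught_sig;
}
```

The length check is the cheapest and the weakest of the three; a baseline hash taken from known-good media is what a practical integrity checker relies on, and the signature scan is what catches an infector the baseline has never seen.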

First Reports

• Brain (Pakistani) virus (1986)

– Written for IBM PCs

– Alters boot sectors of floppies, spreads to other floppies

• MacMag Peace virus (1987)

– Written for Macintosh

– Prints “universal message of peace” on March 2, 1988 and deletes itself

Types of Viruses

• Boot sector infectors

• Executable infectors

• Multipartite viruses

• TSR viruses

• Stealth viruses

• Encrypted viruses

• Polymorphic viruses

• Macro viruses

Boot Sector Infectors

• A virus that inserts itself into the boot sector of a disk

– Section of disk containing code

– Executed when system first “sees” the disk

• Including at boot time …

• Example: Brain virus

– Moves disk interrupt vector from 13H to 6DH

– Sets new interrupt vector to invoke Brain virus

– When new floppy seen, check for 1234H at location 4

• If not there, copies itself onto disk after saving original boot block

Executable Infectors

• A virus that infects executable programs

– Can infect either .EXE or .COM on PCs

– May prepend itself (as shown) or put itself anywhere, fixing up binary so it is executed at some point

[Figure: file layout before and after infection. Before: header at offset 0, executable code and data from 100 to 1000. After: header at 0, virus code from 100 to 200, executable code and data shifted to 200 to 1100. An arrow marks the first program instruction to be executed, which after infection lies in the prepended virus code.]

Multipartite Viruses

• A virus that can infect either boot sectors or executables

• Typically, two parts

– One part boot sector infector

– Other part executable infector

TSR Viruses

• A virus that stays active in memory after the application (or bootstrapping, or disk mounting) is completed

– TSR is “Terminate and Stay Resident”

• Examples: Brain, Jerusalem viruses

– Stay in memory after program or disk mount is completed

Stealth Viruses

• A virus that conceals infection of files

• Example: IDF virus modifies DOS service interrupt handler as follows:

– Request for file length: return length of uninfected file

– Request to open file: temporarily disinfect file, and reinfect on closing

– Request to load file for execution: load infected file

Encrypted Viruses

• A virus that is enciphered except for a small deciphering routine

– Detecting virus by signature now much harder as most of virus is enciphered

[Figure: the virus code is stored as enciphered virus code together with a small deciphering routine; a deciphering key is applied by that routine to recover the virus code.]

Polymorphic Viruses

• A virus that changes its form each time it inserts itself into another program

• Idea is to prevent signature detection by changing the “signature” or instructions used for deciphering routine

• At instruction level: substitute instructions

• At algorithm level: different algorithms to achieve the same purpose

• Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine)

Example

• These are different instructions (with different bit patterns) but have the same effect:

– add 0 to register

– subtract 0 from register

– xor 0 with register

– no-op

• Polymorphic virus would pick randomly from among these instructions

Macro Viruses

• A virus composed of a sequence of instructions that are interpreted rather than executed directly

• Can infect either executables (Duff’s shell virus) or data files (Highland’s Lotus 1-2-3 spreadsheet virus)

• Independent of machine architecture

– But their effects may be machine dependent

Example

• Melissa

– Infected Microsoft Word 97 and Word 98 documents

• Windows and Macintosh systems

– Invoked when program opens infected file

– Installs itself as “open” macro and copies itself into Normal template

• This way, infects any files that are opened in future

– Invokes mail program, sends itself to everyone in user’s address book

Computer Worms

• A program that copies itself from one computer to another

• Origins: distributed computations

– Schoch and Hupp: animations, broadcast messages

– Segment: part of program copied onto workstation

– Segment processes data, communicates with worm’s controller

– Any activity on workstation caused segment to shut down

Example: Internet Worm of 1988

• Targeted Berkeley, Sun UNIX systems

– Used virus-like attack to inject instructions into running program and run them

– To recover, had to disconnect system from Internet and reboot

– To prevent re-infection, several critical programs had to be patched, recompiled, and reinstalled

• Analysts had to disassemble it to uncover function

• Disabled several thousand systems in 6 or so hours

Rabbits, Bacteria

• A program that absorbs all of some class of resources

• Example: for UNIX system, shell commands:

    while true
    do
        mkdir x
        chdir x
    done

• Exhausts either disk space or file allocation table (inode) space

Logic Bombs

• A program that performs an action that violates the site security policy when some external event occurs

• Example: program that deletes company’s payroll records when one particular record is deleted

– The “particular record” is usually that of the person writing the logic bomb

– Idea is if (when) he or she is fired, and the payroll record deleted, the company loses all those records

Buffer overflow

• The most important avenue for vulnerabilities

• Good programming practice: always verify that the input you receive from an uncontrolled source conforms to the expected format


Normal Stack State


Modified Stack State

Authentication

• Four classic ways to authenticate:

1. something you know (passwords)

2. something you have (smartcard)

3. something you are (fingerprint)

4. something you do (usage signature)

• None of these is perfect


Identity theft

• Fastest rising crime in the US

• FBI won’t help unless losses above $100,000.

• Someone can steal an identity with just a social security number!!!

Passwords

• Account - person using the system

• Username - Identity of account (public)

– limited characters, alphanumeric & special characters

– typically related to real name of user (not always), certain names reserved

– unique on system

– fixed at account creation

• Passwords – Verification of identity (private)

– Less limited length and characters

– Fixed until changed

– Non-unique passwords – (both users have bad password)

Password Security

• Password security depends on ONLY you knowing the password

– Secure selection

– Secure handling

– Secure storage

Password Attacks

• Easy to Hard

– Given password

– Grab password

– Generate password

– Guess password

Denial of Service Attack (DoS)

• Attempts to "flood" a network, thereby preventing legitimate network traffic

Remote Execution

• remote execution

– upload and start code on remote machine

– mobile agent: may migrate among machines

• unlike worm, relies on legitimate servers for migration


Eavesdropping

• Reads plain text communicated through a channel.

Identity Spoofing (IP Address Spoofing)

• Packets appear to be generated by a valid IP address but are actually generated by a hacker.


Social Engineering

• Sometimes breaking into a network is as simple as calling new employees, telling them you are from the IT department, and asking them to verify their password for your records.


Problem Sources

1. Requirements definitions, omissions, and mistakes

2. System design flaws

3. Hardware implementation flaws, such as wiring and chip flaws

4. Software implementation errors, program bugs, and compiler bugs

5. System use and operation errors and inadvertent mistakes

6. Willful system misuse

7. Hardware, communication, or other equipment malfunction

8. Environmental problems and natural causes

9. Evolution, maintenance, faulty upgrades, and decommissions

Security Defects

• We live in an age with constant threat of security breaches

– Holes in web software

– Flaws in server software

• Security defects very easy to make

– Blaster worm defect only two lines long

– One line error can be catastrophic

• Here we look at 19 common security defects (sins of security)

Sin 1 : Buffer Overruns

• You’ve heard this one many times…

• Occurs when a program allows input to write beyond the end of the allocated buffer

– Program might crash or allow attacker to gain control

– Still possible in languages like C#, Java since they use libraries written in C/C++ but more unlikely


Spotting Buffer Overflows

• Look for input read from the network, a file, the user interface, or the command line

• Transfer of data from input to internal structures

• Use of unsafe string handling calls

• Use of arithmetic to calculate an allocation size or remaining buffer size

Sin 2 : Format String Problems

• A C/C++ type of problem

• First mentioned June 23, 2000

• Pretty simple, what could go wrong?

    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        printf(argv[1]);    /* user input used directly as the format string */
        return 0;
    }

Format String

• What if the program is invoked as:

    bug.exe “%x %x”

• Output something like:

    12FFC0 4011E5

The %x specifier reads the stack 4 bytes at a time and outputs them

Leaks important info to the attacker

Format String

• Another obscure format string: %n

    int bytes;
    printf("%s%n\n", argv[1], &bytes);
    printf("Input is %d characters long.\n", bytes);

Usage:

    bug.exe “Hello“

    Hello
    Input is 5 characters long

The %n specifier writes 4 bytes at a time based on the length of the previous argument

Carefully crafted, allows an attacker to place own data into the stack
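The following C code is an added example (not from the slides) that puts Sin 1 and Sin 2 side by side: bounded_copy refuses input that would overrun a fixed buffer instead of writing past its end, and render_user_text passes the user's text as an argument to a literal "%s" format, so "%x" or "%n" inside the input are printed as characters rather than interpreted as conversions. The function names, buffer sizes and the default sample input are assumptions made for this demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Sin 1 (buffer overruns): copy untrusted text into a fixed-size buffer
   only after proving it fits, NUL terminator included.
   Returns 0 on success, -1 if the input would overrun dst. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;               /* refuse rather than silently truncate */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Sin 2 (format strings): user text is an ARGUMENT to a fixed format, never
   the format itself, so "%x" or "%n" in user_text are printed literally.
   Returns the length the full message needs (snprintf semantics), which
   lets the caller detect truncation. */
int render_user_text(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, "Input: %s", user_text);
}

/* Audit helper: flags strings containing '%', the ones that would be
   dangerous if they ever reached printf as a format. Returns 1 or 0. */
int contains_format_specifier(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Stand-alone demo: echoes argv[1] (or a constructed default) safely. */
int main(int argc, char *argv[])
{
    char buf[64], msg[96];
    const char *in = argc > 1 ? argv[1] : "%x %x %n";   /* constructed input */
    if (bounded_copy(buf, sizeof buf, in) != 0) {
        fputs("input too long, rejected\n", stderr);
        return 1;
    }
    if (contains_format_specifier(buf))
        fputs("note: input contains '%', still printed literally\n", stderr);
    render_user_text(msg, sizeof msg, buf);
    puts(msg);                 /* prints "Input: %x %x %n" for the default */
    return 0;
}
```

The contrast with the slide's printf(argv[1]) is the whole point: the same "%x %x" that leaked stack words there is now inert data, and the copy step makes the length limit explicit instead of relying on the caller.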

Sin 3 : Integer Overflows

• When an unsigned integer gets too big for the number of bits allocated, it overflows back to 0

– For signed integers, positive numbers suddenly become negative numbers

• “Obvious” errors where integers are multiplied/added/etc. and overflow

– Result can be very bad and unpredictable behavior if relational operators suddenly behave the opposite of how they are supposed to

• Also many less obvious errors

Casting

• Implicit type casting is a frequent cause of integer overflows

• Most languages require the same types to be compared so an up-cast is done

    const long MAX_LEN = 0x7FFF;
    short len = strlen(input);
    if (len < MAX_LEN)
    {
        // Do stuff
    }

If a short is 2 bytes and input is longer than 32767 bytes, then len becomes a negative number

Casting

• Signed int to larger signed int

– Smaller value is sign-extended

• 0x7F to an int becomes 0x0000007F

• 0x80 to an int becomes 0xFFFFFF80

• Signed int to larger unsigned int

– Positive numbers behave as expected

– Negatives unexpected

• (char) -1 becomes 0xFFFFFFFF or 4,294,967,295

Overflow Problem

• Problem: does this code detect whether two unsigned 16-bit numbers would overflow when added?

    bool IsValidAddition(unsigned short x, unsigned short y)
    {
        if (x + y < x)
            return false;
        return true;
    }

Overflow Problem in C#?

• Following code throws a compiler error, how would you fix it?

    byte a, b;
    a = 255;
    b = 1;
    byte c = (a + b);

    ERROR: Cannot implicitly convert type ‘int’ to ‘byte’

Spotting the Overflow Sin

• Anything doing arithmetic

• Especially if input provided by the user

• Focus especially on array index calculations

• Redemption

– Use size_t type in C/C++

– Use unsigned integers if appropriate, easier to verify

– Avoid “clever” code in favor of straightforward code
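As an added C example (not from the slides) covering the integer overflow, casting and overflow problem slides together, the code below keeps the slide's IsValidAddition check as is_valid_addition_promoted and shows why it detects nothing (both unsigned shorts are promoted to int before the addition, so the sum never wraps), places the corrected check beside it, adds the same guard for an allocation-size multiply, and turns the casting slide's conversions and the short len = strlen(input) pattern into functions whose return values can be checked. Function names are assumptions; the behaviour of the narrowing (short)40000 conversion is the usual two's-complement wrap, which C leaves implementation-defined.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* The slide's check. Both operands are promoted to int before the add
   (usual arithmetic conversions), so 0xFFFF + 1 is 0x10000, never less
   than x: this returns true for every input and detects nothing. */
bool is_valid_addition_promoted(unsigned short x, unsigned short y)
{
    if (x + y < x)
        return false;
    return true;
}

/* Fixed: do the arithmetic in a wider type and compare against the
   16-bit maximum the result must fit in. */
bool is_valid_addition(unsigned short x, unsigned short y)
{
    return (unsigned int)x + (unsigned int)y <= USHRT_MAX;
}

/* Same idea for allocation sizes (where Sin 3 turns into Sin 1): reject
   n * elem when it would wrap size_t instead of allocating a short buffer. */
bool checked_mul_size(size_t n, size_t elem, size_t *out)
{
    if (elem != 0 && n > SIZE_MAX / elem)
        return false;
    *out = n * elem;
    return true;
}

/* Casting slide: widening a signed byte sign-extends it. */
int widen_signed_byte(unsigned char byte)
{
    return (int)(signed char)byte;        /* 0x7F -> 127, 0x80 -> -128 */
}

/* Casting slide: a negative char converted to a wider unsigned type. */
unsigned int char_to_unsigned(signed char c)
{
    return (unsigned int)c;               /* -1 -> 0xFFFFFFFF (4,294,967,295) */
}

/* The `short len = strlen(input)` pattern: lengths above 32767 wrap to a
   negative short and sail through the "< MAX_LEN" test. */
bool length_check_with_short(size_t input_len)
{
    const long MAX_LEN = 0x7FFF;
    short len = (short)input_len;         /* 40000 becomes -25536 */
    return len < MAX_LEN;
}

/* Redemption from the slide: keep the length in size_t and compare there. */
bool length_check_with_size_t(size_t input_len)
{
    const size_t MAX_LEN = 0x7FFF;
    return input_len < MAX_LEN;
}
```

Reading the two length checks together shows the practical rule from the "Redemption" list: a length that comes from strlen or a file size should stay in size_t until it is compared, and any comparison that involves a narrowing or a promotion deserves a second look.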

Sin 4 : SQL Injection

• How do bad guys get credit card numbers from sites?

– Break into server using exploit like buffer overrun

– Go through open port with sysadmin password

– SQL injection attacks

SQL Injection Example

• PHP code

    $id = $_REQUEST["id"];
    $pass = $_REQUEST["password"];
    $qry = "SELECT ccnum FROM cust WHERE id = $id AND pass=$pass";

SQL Injection Example

• PHP code

    $id = $_REQUEST["id"];
    $pass = $_REQUEST["password"];
    $qry = "SELECT ccnum FROM cust WHERE id = '$id' AND pass='$pass'";

User inputs id of user to attack

For password, enters: ' OR 1=1 --

-- is the comment operator, to ignore whatever comes afterwards


Spotting the Sin

• Takes user input

• Does not check user input for validity

• Uses user input data to query a database

• Uses string concatenation or string replacement to build the SQL query or uses the SQL Exec command
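The following C code is an added example, not the slide's PHP, and shows the two checks from the list above that can be applied before any query text is assembled: parse_customer_id accepts only a plain decimal id, and sql_quote_literal doubles embedded single quotes (the standard SQL literal escape) so the ' OR 1=1 -- payload can no longer terminate the quoted string it sits in. A parameterized (prepared) statement remains the primary fix and is not shown here because no database library is assumed; these functions are the validation layer beneath it. All function names and the 256-byte buffer sizes are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layer 1: the id must be a plain decimal integer. "42 OR 1=1" is
   rejected before any query text exists. Returns 0 on success, -1 otherwise. */
int parse_customer_id(const char *s, unsigned long *id)
{
    char *end;
    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;                         /* empty, signed, or non-numeric */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0')        /* overflow, or trailing junk */
        return -1;
    *id = v;
    return 0;
}

/* Layer 2 (fallback only; a parameterized query is the real fix): wrap the
   string in '...' with every embedded ' doubled, so it cannot close the
   quote. Returns the length written, or -1 if out (capacity outsz) is
   too small. */
long sql_quote_literal(const char *in, char *out, size_t outsz)
{
    size_t need = 2;                       /* opening and closing quote */
    for (const char *p = in; *p; p++)
        need += (*p == '\'') ? 2 : 1;
    if (need + 1 > outsz)                  /* +1 for the NUL */
        return -1;
    size_t j = 0;
    out[j++] = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'')
            out[j++] = '\'';
        out[j++] = *p;
    }
    out[j++] = '\'';
    out[j] = '\0';
    return (long)j;
}

/* Build the slide's query with both layers applied. Returns 0 on success,
   -1 if the id is not a valid integer or a buffer is too small. */
int build_lookup_query(const char *id_in, const char *pass_in,
                       char *out, size_t outsz)
{
    unsigned long id;
    char qpass[256];
    if (parse_customer_id(id_in, &id) != 0)
        return -1;
    if (sql_quote_literal(pass_in, qpass, sizeof qpass) < 0)
        return -1;
    int n = snprintf(out, outsz,
                     "SELECT ccnum FROM cust WHERE id = %lu AND pass = %s",
                     id, qpass);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}
```

With the slide's payload the password literal becomes ''' OR 1=1 --', a string the database compares against the stored value rather than a clause it executes; the numeric id check removes the other injection point entirely.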

Sin 5 : Command Injection

• In 1994, one could get a root shell on an SGI computer running IRIX by sending the following to a printer:

    FRED; xterm&

• Code:

    char buf[1024];
    snprintf(buf, sizeof(buf) - 1, "lpr -P %s", user_input);
    system(buf);

Spotting the Sin

• Look for calls to system(), exec()

• Java too:

– Class.forName(String name);

• Dynamically load and run Java code

– Runtime.exec()

• Redemption

– Check the data to make sure it is ok
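An added C example (not from the slides) of the "check the data" redemption applied to the lpr case above: printer_name_is_valid accepts only an allowlisted character set, so "FRED; xterm&" is rejected outright, and the command is then launched through fork/execvp with the printer name as a single argv element, so no shell ever parses the string even if a bad name slipped through. The name length limit of 32 and all function names are assumptions; run_lpr assumes an lpr binary on the PATH and is provided for the stand-alone demo only.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlist: printer names are letters, digits, '-' and '_' only, with a
   sane maximum length. ';', '&', spaces and quotes are never legitimate,
   so "FRED; xterm&" fails here before anything is executed. Returns 1/0. */
int printer_name_is_valid(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
              || (c >= '0' && c <= '9') || c == '-' || c == '_';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Build an argv for lpr: the printer name is one argv element, so even a
   name containing ';' would be passed to lpr as data, not to a shell.
   Returns the number of arguments (excluding the NULL), or 0 if rejected. */
int build_lpr_argv(const char *printer, const char *file,
                   const char *argv[], int max)
{
    if (max < 5 || !printer_name_is_valid(printer))
        return 0;
    argv[0] = "lpr";
    argv[1] = "-P";
    argv[2] = printer;
    argv[3] = file;
    argv[4] = NULL;
    return 4;
}

/* Run lpr via fork/execvp instead of system(): no /bin/sh is involved.
   Returns the child's exit status, or -1 on rejection or failure. */
int run_lpr(const char *printer, const char *file)
{
    const char *argv[5];
    if (build_lpr_argv(printer, file, argv, 5) == 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                        /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The two measures are independent: the allowlist is what an auditor looks for next to every system() or exec() call, and replacing system() with an argv-based exec removes the shell metacharacter problem for every argument at once.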

Sin 6 : Failing to Handle Errors

• Not properly handling errors.

• May result in inadvertent access to the system by the hacker.

Sin 7 : Cross Site Scripting

• Somewhat misnamed, as crossing sites is not always necessary to exploit this bug

• Sin is straightforward:

– Web app takes input from a user

– Input is stored or echoed back to the user

– That’s it

PHP Example

    <?php
    if ($_SERVER['REQUEST_METHOD'] != "POST") {
        header("Content-Type: text/html");
        print("<HTML><HEAD><TITLE>My Page</TITLE>");
        print("</HEAD>");
        print("<BODY>");
        print("<FORM method=post action='cssSin.php'>");
        print("Enter your comment.<p>");
        print("<INPUT type=text name='comment'>");
        print("<INPUT type=submit value='Submit'>");
        print("</FORM>");
        print("<HR>");
        print("<B>Here is the comment log:</B><p>");

        $f = fopen("c:\\comments.txt", "r");
        print("<UL>");
        while (!feof($f)) {
            $line = fgets($f, 2000);
            print("<li>" . $line . "</LI>");    // stored comment echoed back unencoded: the XSS bug
        }
        fclose($f);
        print("</UL>");
    } else {
        $comment = $_REQUEST['comment'];
        $f = fopen("c:\\comments.txt", "a");
        fwrite($f, "\n" . $comment);            // fwrite, not fprintf: the comment must not act as a format string
        fclose($f);
        print("Thank you, your comment has been saved.");
    }
    ?>

CSS Problem

• Malicious user can inject script code that is then executed when another user views that page

• Even if the input is merely echoed, a malicious user might:

– Lure victim to their page

– Get victim to click on a link which refers victim to the vulnerable site with the CSS bug

– Script code is run under domain of the server and could get cookies or modify any elements of the DOM like tweak all links to point to porn sites

Spotting the Sin

• The web app takes input from a header, form, or query string

• App does not check the input for validity

• App echoes back data from a user into the browser

• Redemption

– Restrict input to valid input only

– HTML encode the output: &lt; &gt; etc.
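Both redemption bullets are implemented in the added C example below, which is not from the slides or the PHP page above: html_encode replaces the five characters that matter in HTML element content with their entities, comment_is_valid is the "restrict input to valid input" gate (printable ASCII, bounded length), and render_comment_li produces the <li> line the PHP example emits, but encoded. The function names, the 1024-byte scratch buffer and the validity rule are assumptions made for this demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Map one character to its HTML entity, or NULL if it needs no encoding. */
static const char *html_entity(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Encode untrusted text for insertion into HTML element content.
   Returns the encoded length, or -1 if out (capacity outsz) is too small. */
long html_encode(const char *in, char *out, size_t outsz)
{
    size_t j = 0;
    for (const char *p = in; *p; p++) {
        const char *ent = html_entity(*p);
        size_t len = ent ? strlen(ent) : 1;
        if (j + len + 1 > outsz)            /* +1 keeps room for the NUL */
            return -1;
        if (ent)
            memcpy(out + j, ent, len);
        else
            out[j] = *p;
        j += len;
    }
    out[j] = '\0';
    return (long)j;
}

/* "Restrict input to valid input": a comment is printable ASCII only and
   at most maxlen bytes. Returns 1 if acceptable, 0 otherwise. */
int comment_is_valid(const char *s, size_t maxlen)
{
    size_t n = strlen(s);
    if (n == 0 || n > maxlen)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] < 0x20 || s[i] > 0x7E)
            return 0;
    return 1;
}

/* Render one comment-log entry as the PHP example does, but encoded.
   Returns the length written, or -1 if a buffer is too small. */
long render_comment_li(const char *comment, char *out, size_t outsz)
{
    char enc[1024];
    if (html_encode(comment, enc, sizeof enc) < 0)
        return -1;
    size_t enclen = strlen(enc);
    size_t need = 4 + enclen + 5;           /* "<li>" + text + "</li>" */
    if (need + 1 > outsz)
        return -1;
    memcpy(out, "<li>", 4);
    memcpy(out + 4, enc, enclen);
    memcpy(out + 4 + enclen, "</li>", 6);   /* 6 copies the NUL as well */
    return (long)need;
}
```

Encoding on output is the check that actually closes the bug: a stored comment of <script>… becomes &lt;script&gt;… and is displayed, not run. The input filter is a second line that also keeps newlines out of the line-oriented comment log.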

Sin 8 : Failing to Protect Network Traffic

• Mostly skipping

• Network vulnerable to

– Eavesdropping

– Replay

– Spoofing

– Tampering

– Hijacking

• Use SSL / TLS for session security

Sin 9 : Magic URLs and Hidden Form Fields

• Magic URLs:

– http://www.xyz.com/?val=1&q=foo&user=n58

– http://www.xyz.com/?id=TKSJDARJ$J14$J==

• Hidden Form Fields to pass variables

    <form action="…">
    <input type=text name="product">
    <input type=hidden name="price" value="300">
    </form>


Redemption

• Use SSL or store data on server side

• Session variables, encrypted

Sin 10 : Improper Use of SSL and TLS

• If server authentication not done properly, attacker can eavesdrop or modify conversations

– Especially vulnerable when key associated with certificate

• Feeling that site is impenetrable simply because it uses SSL

– Still can have overflow, SQL injection, etc…

Sin 11 : Use of Weak Passwords

• People hate passwords, it is a battle to force people to use strong passwords

• Consider password content policy

– Length, characters, reset frequency…

– Password storage?

• Storage in the clear is bad

– How to recover a lost password?

• Paris Hilton T-Mobile Sidekick phone hijack

• Broke into server side by getting username and asking for a password reset

– Challenge question: “What is the name of your favorite pet?”

Guidelines for Password Resets

• Locking users out of accounts for too many bad password attempts may result in DoS

• Recommendations

– Limit number of attempts to reasonable number like 20/hour

– Slow down authentication process after certain number of bad attempts

– Make users provide multiple pieces of information to reset a password, might require “thing they have” like an ID card

– Use more obscure questions

Tenex Bug

• TENEX Operating System pseudocode to validate:

    for i = 0 to len(typed_password)
        if i >= len(actual_password) fail;
        if typed_password[i] != actual_password[i] fail;
    if i < len(actual_password) fail;
    Success;

Flaw: Attacker could put candidate password in memory overlapping page boundaries. First letter on one page, second letter on the next; if the first letter was correct there was a pause while the page for the second letter loaded.
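The TENEX loop above stops at the first wrong character, which is what made its timing observable. The added C example below (not from the slides) shows the two defences this and the previous slide call for: passwords_equal_ct examines every byte and folds the length difference into the result instead of returning early, and a small per-account throttle enforces the "20 per hour" limit and a growing delay after repeated failures. A real system would compare password hashes rather than the passwords themselves; the comparison routine is the same either way. The struct, the limits and the delay schedule are assumptions for the demonstration, and the caller supplies the current time in seconds so the logic can be tested without a clock.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant-time comparison: every byte is examined regardless of where
   the first mismatch is, and the lengths are folded into the result
   rather than used as an early exit. Returns 1 if equal, 0 otherwise. */
int passwords_equal_ct(const char *typed, const char *actual)
{
    size_t tl = strlen(typed), al = strlen(actual);
    size_t n = tl > al ? tl : al;
    unsigned char diff = (unsigned char)(tl != al);
    for (size_t i = 0; i < n; i++) {
        unsigned char a = i < tl ? (unsigned char)typed[i] : 0;
        unsigned char b = i < al ? (unsigned char)actual[i] : 0;
        diff |= a ^ b;
    }
    return diff == 0;
}

/* Per-account throttle from the "Guidelines" slide: at most LIMIT_PER_HOUR
   bad attempts in a one-hour window, plus a delay that grows after a few
   failures. Times are seconds supplied by the caller. */
#define LIMIT_PER_HOUR 20
#define WINDOW_SECONDS 3600

struct throttle {
    uint64_t window_start;   /* time of the first failure in this window */
    unsigned failures;       /* bad attempts recorded in this window */
};

/* Record a failed attempt, starting a new window if the old one expired. */
void record_failure(struct throttle *t, uint64_t now)
{
    if (t->failures == 0 || now - t->window_start >= WINDOW_SECONDS) {
        t->window_start = now;
        t->failures = 0;
    }
    t->failures++;
}

/* Returns 1 if another attempt may be made now, 0 if the account must wait. */
int attempt_allowed(const struct throttle *t, uint64_t now)
{
    if (t->failures == 0 || now - t->window_start >= WINDOW_SECONDS)
        return 1;
    return t->failures < LIMIT_PER_HOUR;
}

/* Delay to impose before answering the next attempt: none for the first
   two failures, then 1, 2, 4, 8, 16 seconds, capped at 30. */
unsigned delay_seconds(const struct throttle *t)
{
    if (t->failures < 3)
        return 0;
    if (t->failures >= 8)
        return 30;
    return 1u << (t->failures - 3);
}

/* Helper for demonstrations: record `count` failures at the same time. */
void simulate_failures(struct throttle *t, uint64_t now, unsigned count)
{
    for (unsigned i = 0; i < count; i++)
        record_failure(t, now);
}
```

The slide's warning about lockouts becoming a denial of service is why the throttle slows rather than locks: after the window passes the account is usable again without any administrator action.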

Sin 12 : Failing to Store and Protect Data Securely

• Unix: tendency to give permissions to all

• Windows: Access Control Lists can be mind boggling as to which objects to consider and what can be controlled

– Don’t take the easy way out and give out too many permissions

• Don’t embed secret data in code

– E.g. passwords

– Use DPAPI or KeyChain or at least store passwords somewhere not hard-coded in the app

Sin 13 : Information Leakage

• Attacker gets information, implicitly or explicitly, that could provide more information for the attacker to reach their goal

• Examples:

– Name of server software, versions

– Debugging information (e.g. left on in PHP)

– Error messages that reveal code structure

Sin 14: Improper File Access

• Watch out for race conditions among accessing files

– Perl:

    #!/usr/bin/perl
    my $file = "$ENV{HOME}/.config";
    read_config($file) if -r $file;

Between the file check and read, the file may disappear if there are multiple processes handling this file

• Manipulation of pathnames to overwrite important files
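The Perl fragment checks the file with -r and then opens it by name a second time, which is the check-then-use window. The added C example below (not from the slides) removes the window: open() is the only name lookup, O_NOFOLLOW refuses a symbolic link planted in place of the file (the pathname-manipulation case in the last bullet), and ownership and type are verified with fstat() on the descriptor already held, so whatever is checked is exactly what is read. The path used by the self-check is a constructed demo file in the current directory; the function names and the ownership rule are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a per-user config file without a separate "check" step. Returns a
   descriptor, or -1 if the file is missing, a symlink, not a regular file,
   not owned by the calling user, or writable by everyone. */
int open_config_safely(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != getuid() || (st.st_mode & S_IWOTH)) {
        close(fd);                /* checks run on the open descriptor, not the name */
        return -1;
    }
    return fd;
}

/* The "use" half: read from the descriptor that passed the checks.
   Returns the number of bytes read (NUL-terminated into buf), or -1. */
long read_config_fd(int fd, char *buf, size_t bufsz)
{
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return (long)n;
}

/* Constructed self-check: writes a small config file, opens it through the
   safe path, reads it back, and confirms a missing file is rejected.
   Returns 1 on success, 0 on any failure. */
int toctou_selfcheck(void)
{
    const char *path = "./sec_eng_demo.config";      /* constructed demo path */
    FILE *f = fopen(path, "w");
    if (!f)
        return 0;
    fputs("verbose=1\n", f);
    fclose(f);
    chmod(path, 0600);
    char buf[64];
    int fd = open_config_safely(path);
    if (fd < 0)
        return 0;
    long n = read_config_fd(fd, buf, sizeof buf);
    close(fd);
    unlink(path);
    if (n != 10 || strcmp(buf, "verbose=1\n") != 0)
        return 0;
    return open_config_safely("./sec_eng_demo.missing") == -1;
}
```

The pattern generalises: any access()/stat()-then-open() sequence should become open()-then-fstat(), and directories being created in shared locations (the next "Spotting the Sin" list) get the same treatment with O_EXCL.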

Sin 15 : Trusting Network Name Resolution

• Not too difficult to have an insecure name server, e.g. might use WINS

• Skipping

• Might ensure connections running over SSL

Sin 16 : Race Conditions

• Common bug in multi-threaded applications, which includes web apps

• Actual bug from a DB web application, sometimes the queries were UPDATE to a shared field

    try {
        sqlComm.sqlConn.Open();
        comm.ExecuteNonQuery();
        sqlComm.sqlConn.Close();
    } catch (Exception f) {
        sqlComm.sqlConn.Close();
    }

• Lock access to any query for mutual exclusion

    lock (sqlComm.sqlConn) {
        try {
            sqlComm.sqlConn.Open();
            comm.ExecuteNonQuery();
            sqlComm.sqlConn.Close();
        } catch (Exception f) {
            sqlComm.sqlConn.Close();
        }
    }


Spotting the Sin

• Multiple threads or processes that write to the same source

• Creating files or directories in common areas

• Signal handlers


Sin 17 : Unauthenticated Key Exchange

Sin 18 : Cryptographically Strong Random Numbers

• Seeds for pseudo-random number generators may not be that difficult to regenerate, then use to test a sequence of random values and determine what the next “random” number will be

• Can try true random number generators

– Mouse, keyboard, etc.
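The added C example below (not from the slides) makes the first bullet concrete and then shows the fix. weak_token builds a "session token" from rand() seeded with a value an attacker can guess, such as a timestamp in seconds; seed_recoverable_within is the check a reviewer runs to demonstrate that the whole token is reproduced by trying every seed in a small range, which is exactly the "regenerate the seed, then predict the sequence" risk the slide describes. csprng_token reads the operating system's random source instead. The seed range, token lengths, /dev/urandom as the source and the function names are assumptions for this demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>

/* A "session token" built from rand() seeded with a guessable value
   (the slide's point: whoever recovers the seed reproduces the sequence).
   Returns the number of bytes written. */
size_t weak_token(unsigned seed, unsigned char *out, size_t n)
{
    srand(seed);
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(rand() & 0xFF);
    return n;
}

/* Reviewer's check: is the token reproducible from some seed in
   [first_seed, first_seed + count)? Returns that seed, or -1 if none.
   A small count (an hour of timestamps) finding the seed is the proof
   that rand() is unfit for security-relevant values. */
long seed_recoverable_within(const unsigned char *token, size_t n,
                             unsigned first_seed, unsigned count)
{
    unsigned char cand[64];
    if (n > sizeof cand)
        return -1;
    for (unsigned s = first_seed; s < first_seed + count; s++) {
        weak_token(s, cand, n);
        if (memcmp(cand, token, n) == 0)
            return (long)s;
    }
    return -1;
}

/* The fix: take bytes from the kernel's cryptographic random source,
   which is seeded from hardware events such as the mouse and keyboard
   timings the slide mentions. Returns 0 on success, -1 on error. */
int csprng_token(unsigned char *out, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(out, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Self-check: two 32-byte tokens from the CSPRNG must differ (a collision
   has probability 2^-256). Returns 1 if so, 0 on failure. */
int csprng_selfcheck(void)
{
    unsigned char a[32], b[32];
    if (csprng_token(a, sizeof a) != 0 || csprng_token(b, sizeof b) != 0)
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}
```

The contrast is the lesson: a token derived from rand() and a clock is recovered after at most a few thousand trials, whereas a token read from the system CSPRNG has no seed for an attacker to search.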

Sin 19 : Poor Usability

• Poor usability can also mean poor security

– Always clicking “OK” when given lots of dialogs

– Cryptic error or status messages