Systems and Internet Infrastructure Security
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park, PA

CMPSC443 Introduction to Computer and Network Security
Module: Programming Language Security
Professor Patrick McDaniel
Spring 2009
(Page 1)

[Page 2] Engineering Disaster
- Millions of bots
- Compromised applications
- Programming errors enable code insertion
- What can we do to fix them? Just starting to get serious.

[Page 3] Buffer Overflows
- One means by which the bad guys take over a host: install root kits, use as SPAM bots, use as zombies, launch other attacks
- There are many attacks, but this is the most prevalent
- It starts with a programmer mistake, e.g. bad software
(Diagram: process memory from 0x000 to 0xfff: TEXT, DATA, HEAP, ..., STACK)

[Page 4] Stack Smashing
"Smashing the Stack for Fun and Profit" by Aleph One

    #include <stdio.h>
    #include <string.h>

    void sample_function(void) {
        char bufferA[50], bufferB[16];
        printf("Where do you live?\n");
        gets(bufferA);              /* unbounded read into bufferA */
        strcpy(bufferB, bufferA);   /* unbounded copy into the smaller bufferB */
    }

    int main(void) {
        printf("Hello World\n");
        sample_function();
        printf("All Done\n");
        return 0;
    }

Q: How to exploit this to open a shell?

[Page 5] Buffer Overflow: How it works
(Diagram: stack layout showing the previous function's stack frame, function parameters, return address, local variables and the buffer; the overflow writes past the buffer over the local variables and the return address, replacing the return address with a new one that points into the injected "evil code")

[Page 6] Exploit
(Diagram of the exploit against sample_function from the previous slide: bufferA holds 0xNastyCode, i.e. code that calls execve("/bin/sh"), followed by the address 0xff77001122; strcpy copies it into bufferB, and the saved return address 0xMainAddr is overwritten with 0xff77001122, which points at the injected code)

[Page 7] Buffer Overflow Prevention
- StackGuard: push a canary on the stack between the local vars and the return pointer
- Overwrite of the canary indicates a buffer overflow
- Requires changes to the compiler
- Q: Would this solve the problem?
- Thorough summary: www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf

[Page 8] Other Input Problems
- Function pointers: overwrite a local function pointer variable. Q: What can be done?
- Heap overflow: overflow a buffer on the heap
- Integer overflow: for signed 8-bit integers, what is 127 + 1?
- Malformed character input: what does the URL http://ipaddr/scripts/..%c0%af../winnt/system32/ decode to?

[Page 9] Java World
- Type safe language: no buffer/heap/pointer overflows, no unsafe casts; still have integer overflows
- Java Virtual Machine: interpret bytecode or compile together
- Security Manager: reference monitor for the JVM
- Q: What is the trust model of a Java application?

[Page 10] CCured
- From C to memory-safe C
- Translator: find the minimum number of runtime checks to ensure memory safety
- Classify pointers: Safe, Wild; need runtime checks for wild pointers
- Runtime checks: similar to declassifiers in DLM; written by hand in general

[Page 11] C Analysis
- Assume type safety in the analysis. On what basis? Trust that the programmer does not subvert it. Is this a reasonable assumption?
- Unsound analysis: false negatives are possible
- Sound analysis: if no unsafe behavior (relative to the analysis) can be assumed, false positives are possible
- Actually lots of work in this area; used in production code (Microsoft)

[Page 12] Source Code Analysis
- Shallow tools for bug finding: Prefix, Prefast (Microsoft)
- Companies that will check your code: Coverity (based on MC)
- Deep tools for verifying correctness: SLAM for device drivers
- Add security to legacy code: generate LSM, generate reference monitor for X Server
- Lots of other topics: privilege separation, domain transition, error reporting
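The Malformed Character Input question from the Other Input Problems slide, worked through as an added example (mine, not from the lecture): the URL path is percent-decoded and then UTF-8-decoded either leniently, accepting the overlong sequence C0 AF as '/' the way the classic IIS decoder did, or strictly, rejecting overlong forms. Function names (canonicalize_path, percent_decode, utf8_to_ascii) are assumptions; the input path is the slide's.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes from in into out (out needs strlen(in)+1 bytes); returns byte count. */
static size_t percent_decode(const char *in, unsigned char *out) {
    size_t n = 0;
    for (; *in; in++) {
        if (*in == '%' && isxdigit((unsigned char)in[1]) && isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], 0 };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            in += 2;
        } else out[n++] = (unsigned char)*in;
    }
    out[n] = 0;
    return n;
}

/* Decode UTF-8 bytes to ASCII (valid non-ASCII code points become '?').
 * strict == 0: accept 2-byte overlong encodings of ASCII, so C0 AF becomes '/'.
 * strict == 1: reject overlong or malformed sequences by returning -1.
 * 3/4-byte sequences are outside this simplified decoder: '?' or rejected. */
static int utf8_to_ascii(const unsigned char *in, size_t len, char *out, int strict) {
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char b = in[i];
        if (b < 0x80) { out[n++] = (char)b; i++; continue; }
        if ((b & 0xE0) == 0xC0 && i + 1 < len && (in[i + 1] & 0xC0) == 0x80) {
            unsigned cp = ((b & 0x1F) << 6) | (in[i + 1] & 0x3F);
            if (cp < 0x80 && strict) return -1;    /* overlong: ASCII needs one byte */
            out[n++] = cp < 0x80 ? (char)cp : '?'; /* lenient: C0 AF becomes '/' */
            i += 2;
            continue;
        }
        if (strict) return -1;
        out[n++] = '?';
        i++;
    }
    out[n] = 0;
    return (int)n;
}

/* Canonicalize a URL path: percent-decode, then UTF-8-decode. Returns the
 * decoded length, or -1 when the input is rejected or does not fit. */
int canonicalize_path(const char *url_path, char *out, size_t outsz, int strict) {
    unsigned char buf[256];
    if (strlen(url_path) >= sizeof buf || outsz < sizeof buf) return -1;
    size_t n = percent_decode(url_path, buf);
    return utf8_to_ascii(buf, n, out, strict);
}
```

Leniently decoded, the slide's path becomes /scripts/../../winnt/system32/, so a traversal check that runs before decoding sees no "../"; the mitigation is to canonicalize first and to reject overlong encodings.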
[Page 13] Driver Verification Example

    NTSTATUS LeakSample(BOOLEAN Option1)
    {
        NTSTATUS Status;
        KIRQL OldIrql;
        BufInfo *pBufInfo;

        KeAcquireSpinLock(&MyLock, &OldIrql);
        if (Option1) {
            pBufInfo = ExAllocatePoolWithTag(NonPagedPool, sizeof(BufInfo), 'fuB');
            if (NULL == pBufInfo)
                return STATUS_NO_MEMORY;   /* returns while still holding MyLock */
        }
        KeReleaseSpinLock(&MyLock, OldIrql);
        return STATUS_SUCCESS;
    }

PREfast catches this: memory leak of spin lock resource.

[Page 14] Driver Verification Example

    NTSTATUS LeakSample(BOOLEAN Option1)
    {
        NTSTATUS Status;
        KIRQL OldIrql;
        BufInfo *pBufInfo;

        KeAcquireSpinLock(&MyLock, &OldIrql);
        if (Option1) {
            pBufInfo = ExAllocatePoolWithTag(NonPagedPool, sizeof(BufInfo), 'fuB');
            if (NULL == pBufInfo) {
                KeReleaseSpinLock(&MyLock, OldIrql);   /* release on the error path too */
                return STATUS_NO_MEMORY;
            }
        }
        KeReleaseSpinLock(&MyLock, OldIrql);
        return STATUS_SUCCESS;
    }

Make sure the lock is released: match Acquires with Releases.

[Page 15] Security Typed Languages
- Key: tag data, monitor flows
- Reference monitors: tag actual data (all data and processes have a label); a central security monitor checks operations (data access) against policy
- Security typed languages: label all data (virtual tags: data types are labeled); the type checker validates flows (monitors flows)

[Page 16] Build on type safety
- A type safe language maintains the semantics of types, e.g. you can't add ints to Objects
- Type safety is compositional: a function promises to maintain type safety

Example 1:

    Object obj;
    int i;
    obj = obj + i;      X

Example 2:

    String proc_obj(Object o) { ... }

    main() {
        Object obj;
        String s;
        s = proc_obj(obj);
    }

[Page 17] Labeling types

Example 1:

    int{high} h1, h2;
    int{low} l;
    l = 5;
    h2 = l;
    h1 = h2 + 10;
    l = h2 + l;      X (high data flows to a low variable)

Example 2:

    String{low} proc_obj(Object{high} o) { ... }

    main() {
        Object{high} obj;
        String{low} s;
        s = proc_obj(obj);      X
    }

- Key insight: label types with security levels
- Security typing is compositional

[Page 18] Explicit Flow Prevention

    public class SecretMessages {
        principal alice;
        principal bob;
        String{alice:} aliceInstructions;
        String{bob:} bobInstructions;

        public SecretMessages(String{alice:} ai, String{bob:} bi) {
            aliceInstructions = ai;
            bobInstructions = bi;
        }

        public String{bob:} leak() {
            bobInstructions = aliceInstructions;   /* explicit flow from alice's data to bob's: rejected by the type checker */
            return bobInstructions;
        }
    }

[Page 19] Implicit Flow Prevention

    public class SecretMessages {
        label alice;
        label bob;
        String{alice} aliceInstructions;
        String{bob} bobInstructions;

        public SecretMessages(String{alice}

(the remainder of this slide is cut off in the source)
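The flow rule behind the Labeling types and Explicit Flow Prevention slides, as an added example of mine (not from the slides or from Jif): Example 1 is encoded as data and each assignment is checked against a two-point lattice, and a pc label is carried so the checker also covers the implicit-flow case the last slide introduces. Names such as label_t, check_program and example1 are assumptions.

```c
#include <stddef.h>

/* Two-point security lattice: LOW may flow to HIGH, never the reverse. */
typedef enum { LOW = 0, HIGH = 1 } label_t;

/* One assignment "dst = src op src ...". pc is the label of the control-flow
 * context (HIGH inside "if (h) ..."), which is how implicit flows are caught. */
struct assign {
    const char *dst_name;
    label_t dst_label;
    label_t src_labels[4];   /* a literal operand contributes LOW */
    int nsrc;
    label_t pc;
};

static label_t join(label_t a, label_t b) { return a > b ? a : b; }

/* Label of the right-hand side: join of the operand labels and the pc. */
label_t rhs_label(const struct assign *a) {
    label_t l = a->pc;
    for (int i = 0; i < a->nsrc; i++) l = join(l, a->src_labels[i]);
    return l;
}

/* The flow is allowed only if the right-hand side's label <= dst's label. */
int flow_ok(const struct assign *a) { return rhs_label(a) <= a->dst_label; }

/* Check a straight-line program; returns the index of the first statement
 * that violates the policy, or -1 if every flow is allowed. */
int check_program(const struct assign *prog, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!flow_ok(&prog[i])) return (int)i;
    return -1;
}

/* The slide's Example 1 (int{high} h1, h2; int{low} l) encoded as data. */
const struct assign example1[] = {
    { "l",  LOW,  {LOW},       1, LOW },  /* l = 5          literal is LOW          */
    { "h2", HIGH, {LOW},       1, LOW },  /* h2 = l         low -> high is fine     */
    { "h1", HIGH, {HIGH, LOW}, 2, LOW },  /* h1 = h2 + 10   join(HIGH, LOW) = HIGH  */
    { "l",  LOW,  {HIGH, LOW}, 2, LOW },  /* l = h2 + l     HIGH -> LOW: rejected X */
};
const size_t example1_len = sizeof example1 / sizeof example1[0];

/* Implicit flow: "if (h1 > 0) l = 1;" copies nothing from h1 directly, but the
 * assignment runs under pc = HIGH, so the checker rejects it as well. */
const struct assign implicit[] = {
    { "l", LOW, {LOW}, 1, HIGH },
};
```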