PSU CSE 543 - Lecture 22 Language based security

CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger
CSE 543 - Computer Security (Fall 2006)
Lecture 22 - Language-based security
November 16, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/

The Morris Worm
• Robert Morris, a 23-year-old doctoral student from Cornell
• Wrote a small (99 line) program
• November 3rd, 1988
• Simply disabled the Internet
• How it did it
  – Reads /etc/passwd, then tries the obvious choices and a dictionary, /usr/dict/words
  – Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that are related
  – Tries cracked passwords at related hosts (if necessary)
  – Uses whatever services are available to compromise other hosts
  – Scanned local interfaces for network information
  – Covered its tracks (set its own process name to sh, prevented accurate cores, re-forked itself)

Engineering Disaster?
• Millions of bots
• Compromised applications
• Programming errors
• Enable code insertion
• What can we do to fix them?
• Just starting to get serious...

Buffer Overflows
• One means by which the bad guys take over a host
  – install root kits
  – use as SPAM bots
  – use as zombies
  – launch other attacks
• There are many attacks, but this is the most prevalent
• It all starts with some programmer mistake
  – e.g., bad software
[Figure: process memory layout, TEXT, DATA, HEAP, STACK, from address 0x000.... to 0xfff....]

Buffer Overflows (continued)
• Stack frame
  – how local variables and program state are stored in most modern programming languages
• The Attack
  – overwrite buffer on stack with new return pointer pointing to adversary code
  – Return from function lands program counter in the bad guy’s downloaded code
  – Game over -- they now control that host
[Figure: stack frame laid out as SP / ret / a / b / buf; after the overflow the same slots read myret / evil / evil / evil / evil]

Buffer Overflow Prevention
• StackGuard
  – Push a ‘canary’ on the stack between the local vars and the return pointer
  – Overwrite of canary indicates a buffer overflow
  – Requires changes to the compiler
• Q: Would this solve the problem?
• Thorough summary:
  – www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf

Other Input Problems
• Function Pointers
  – Overwrite a local function pointer variable
  – Q: What can be done?
• Heap overflow
  – Overflow a buffer on the heap
• Integer Overflow
  – For signed 8-bit integers
  – 127+1 = ??
• Malformed Character Input
  – What does URL “<ipaddr>/scripts/..%c0%af../winnt/system32” decode to?

Java World
• Type Safe Language
  – No buffer/heap/ptr overflows
  – No unsafe casts
  – Still have integer overflows?
• Java Virtual Machine
  – Interpret bytecodes (or compile together)
  – Security Manager (reference monitor for JVM)
• Q: What is the trust model of a Java application?

CCured
• From C to Memory-safe C Translator
  – Find the minimum number of runtime checks to ensure memory safety
• Classify Pointers
  – Safe
  – Wild
• Need runtime checks for wild pointers
• Runtime Checks
  – Similar to declassifiers in DLM
  – Written by hand, in general

C Analysis
• Assume Type Safety in Analysis
  – On what basis?
  – Trust that the programmer does not subvert
• Is this a reasonable assumption?
  – Unsound analysis
    • False negatives are possible
  – Sound analysis
    • If no unsafe behavior relative to analysis can be assumed
• Actually, lots of work in this area
• Used in production code: Microsoft

Source Code Analysis
• Shallow tools for bug finding
  – Prefix, Prefast -- Microsoft
• Companies that will check your code
  – Coverity -- based on MC
• Deep tools for verifying correctness
  – SLAM -- for device drivers
• Add security to legacy code
  – Generate LSM
  – Generate reference monitor for X Server
• Lots of other topics
  – Privilege separation
  – Domain transition
  – Error reporting

Enforcing security policy
• DAC
• MAC
• certificates
• trust management
• SELinux
• anti-virus
• IDS
• firewalls
• encryption
• legal measures
[Figure: the customer sends a credit card in an order form to the E-Store software application, which passes the credit card on to the credit card company; “Leak???” is marked where the card number could reach E-Store local storage. Security Policy: Do not leak credit card information to E-store local storage.]
• None of these provide end-to-end confidentiality

Information-flow control
• What is it?
  – Simple security & ★-property
• Why?
  – Leandro Aragoncillo, e.g.
• Problem: Information release
• Solution: Information Flow Control
  – Stronger enforcement than reference monitors
[Figure: lattice of compartment sets, from “Access to no compartments” at the bottom, through {NUC}, {EUR}, {US}, then {NUC, EUR}, {NUC, US}, {EUR, US}, up to {NUC, EUR, US} (“Access to all compartments”)]

Label and monitor
• Key:
  – tag data
  – monitor flows
• RMs tag actual data
  – all data/processes have a label
  – central security monitor checks operations, data access against policy
• Security-typed languages use virtual tags
  – data types are labeled
  – type checker validates flows
[Figure: “Label all data” / “Monitor flows”]

Build on type safety
• A type-safe language maintains the semantics of types. E.g. can’t add ints to Objects.
• Type-safety is compositional. A function promises to maintain type safety.

Example 1 (marked X on the slide: adding an int to an Object is rejected by the type checker):
    Object obj;
    int i;
    obj = obj + i;

Example 2 (accepted: the caller relies on the declared signature of proc_obj):
    String proc_obj(Object o);
    ...
    main() {
        Object obj;
        String s = proc_obj(obj);
        ...
    }

Labeling types
• Key insight: label types with security levels
• Security-typing is compositional

Example 1 (marked X on the slide: the last assignment moves high data into a low variable and is rejected):
    int{high} h1, h2;
    int{low} l;
    l = 5;
    h2 = l;
    h1 = h2 + 10;
    l = h2 + l;

Example 2 (accepted: the signature promises a {low} result from a {high} argument, so the call type-checks):
    String{low} proc_obj(Object{high} o);
    ...
    main() {
        Object{high} obj;
        String{low} s;
        s = proc_obj(obj);
        ...
    }

Implicit flows
    intLow mydata = 0;
    intLow mydata2 = 0;
    if (testHigh)
        mydata = 1;
    else
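A model of the StackGuard check from the “Buffer Overflow Prevention” slide, added here as an example and not code from the lecture: a byte array stands in for the stack frame, with a canary placed between the local buffer and the saved return address, and the compiler-emitted check is done by hand before “returning”. The frame layout, the canary constant and the return address are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled frame, low addresses first: an overflow of buf runs upward
 * into the canary and then the saved return address. */
enum { BUF_SIZE = 16, CANARY_OFF = 16, RET_OFF = 24, FRAME_SIZE = 32 };
/* Constructed constant; a real StackGuard canary is chosen at run time. */
static const uint64_t CANARY = 0x9f3a77c2e1b04d55ULL;

/* The programmer mistake: len bytes go into a 16-byte buffer with no
 * bounds check, as with strcpy into a fixed array. Clamped to the frame
 * only so that the model itself stays well defined. */
static void copy_unchecked(unsigned char *frame, const unsigned char *src, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(frame, src, len);
}

/* The corrected copy never writes past buf, so the canary and the return
 * address cannot be touched. */
static void copy_checked(unsigned char *frame, const unsigned char *src, size_t len) {
    if (len > BUF_SIZE) len = BUF_SIZE;
    memcpy(frame, src, len);
}

/* Build a fresh frame, run one copy into it, then do the check StackGuard
 * emits before a return: 1 if the canary was overwritten, 0 if intact. */
int canary_tripped(const unsigned char *input, size_t len, int use_checked_copy) {
    unsigned char frame[FRAME_SIZE];
    uint64_t ret = 0x401000;  /* constructed placeholder return address */
    memset(frame, 0, sizeof frame);
    memcpy(frame + CANARY_OFF, &CANARY, sizeof CANARY);
    memcpy(frame + RET_OFF, &ret, sizeof ret);
    if (use_checked_copy) copy_checked(frame, input, len);
    else                  copy_unchecked(frame, input, len);
    return memcmp(frame + CANARY_OFF, &CANARY, sizeof CANARY) != 0;
}

/* Same check for a C string (terminator not copied). */
int canary_tripped_str(const char *s, int use_checked_copy) {
    return canary_tripped((const unsigned char *)s, strlen(s), use_checked_copy);
}

int main(void) {
    const char *fits = "sixteen chars ok";                 /* 16 bytes, constructed */
    const char *over = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes, constructed */
    printf("unchecked copy, input fits:  %d\n", canary_tripped_str(fits, 0));  /* 0 */
    printf("unchecked copy, overflow:    %d\n", canary_tripped_str(over, 0));  /* 1 */
    printf("checked copy, same input:    %d\n", canary_tripped_str(over, 1));  /* 0 */
    return 0;
}
```

The canary is only inspected at return, which is why the next slide’s overwritten local function pointer, called before the function returns, is not caught by it.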

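The “..%c0%af..” question from “Other Input Problems”: the byte pair C0 AF is an overlong UTF-8 encoding of ‘/’, so a decoder that accepts it turns the path into ../../winnt/system32 after a traversal check on the raw URL has already passed. The decoder below is an added example, not part of the lecture: it percent-decodes first, rejects overlong or otherwise invalid UTF-8, and only then looks for “..” in the decoded form. The result codes and the sample paths are constructed.

```c
#include <string.h>

/* Result codes for a decoded request path (this example's own). */
enum { PATH_OK = 0, PATH_BAD_ESCAPE = 1, PATH_BAD_UTF8 = 2, PATH_TRAVERSAL = 3 };

static int hexval(int c) {
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
         : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Decode %XX escapes; rejects a malformed escape, an embedded NUL, or overflow of out. */
static int percent_decode(const char *in, unsigned char *out, size_t outsz) {
    size_t n = 0;
    for (; *in; in++) {
        int b = (unsigned char)*in;
        if (b == '%') {
            int hi = hexval(in[1]), lo = hi < 0 ? -1 : hexval(in[2]);
            if (hi < 0 || lo < 0) return -1;
            b = hi * 16 + lo; in += 2;
        }
        if (b == 0 || n + 1 >= outsz) return -1;
        out[n++] = (unsigned char)b;
    }
    out[n] = 0; return (int)n;
}

/* Strict UTF-8 check: each lead byte fixes a minimum code point, so an
 * overlong form such as C0 AF (read as '/' by a lax decoder) is rejected. */
static int utf8_strict(const unsigned char *s, size_t n) {
    for (size_t i = 0; i < n;) {
        unsigned b = s[i], len, cp, min;
        if (b < 0x80) { i++; continue; }
        if ((b & 0xE0) == 0xC0) { len = 2; cp = b & 0x1F; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { len = 3; cp = b & 0x0F; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { len = 4; cp = b & 0x07; min = 0x10000; }
        else return 0;
        if (i + len > n) return 0;
        for (unsigned k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += len;
    }
    return 1;
}

/* Decode, then validate the bytes, then look for ".." in the decoded form. */
int classify_path(const char *url_path) {
    unsigned char buf[256];
    int n = percent_decode(url_path, buf, sizeof buf);
    if (n < 0) return PATH_BAD_ESCAPE;
    if (!utf8_strict(buf, (size_t)n)) return PATH_BAD_UTF8;
    return strstr((const char *)buf, "..") ? PATH_TRAVERSAL : PATH_OK;
}
```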

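The label checks behind the “Labeling types” and “Implicit flows” slides, written out as an added example rather than the lecture’s own code: a label is a set of compartments from the lattice slide, a flow is allowed when the source’s compartments are a subset of the destination’s, and every assignment is checked against the join of its right-hand side and the program-counter label of the enclosing branch conditions. The bit-set encoding of labels and the int{high}/int{low} mapping onto the top and bottom of the lattice are assumptions of this example.

```c
#include <stdbool.h>

/* Compartments from the lecture's lattice. A label is the set of
 * compartments a reader must hold, encoded here as a bit set (the
 * encoding is this example's choice, not the lecture's). */
enum { NUC = 1u << 0, EUR = 1u << 1, US = 1u << 2 };
typedef unsigned label_t;
#define LOW  ((label_t)0)                /* access to no compartments: public  */
#define HIGH ((label_t)(NUC | EUR | US)) /* access to all compartments: secret */

/* Data labelled `from` may flow into a variable labelled `to` only if
 * every compartment of `from` is also in `to` (subset order: flows up
 * the lattice are allowed, flows down are not). */
static bool may_flow(label_t from, label_t to) { return (from & ~to) == 0; }

/* Least upper bound: an expression over two values needs both sets. */
static label_t join(label_t a, label_t b) { return a | b; }

/* Check one assignment `lhs = rhs` executed under program-counter label
 * pc, the join of the labels of all enclosing branch conditions. The
 * explicit flow comes from rhs, the implicit flow from pc. */
bool check_assign(label_t pc, label_t rhs, label_t lhs) {
    return may_flow(join(pc, rhs), lhs);
}

/* "Labeling types", Example 1: h1, h2 are int{high}, l is int{low},
 * straight-line code so pc = LOW. Returns true when the checker accepts
 * the first three statements and rejects the fourth. */
bool labeling_types_example1(void) {
    label_t h1 = HIGH, h2 = HIGH, l = LOW;
    bool ok = check_assign(LOW, LOW, l)                /* l = 5;        */
           && check_assign(LOW, l, h2)                 /* h2 = l;       */
           && check_assign(LOW, join(h2, LOW), h1);    /* h1 = h2 + 10; */
    bool leak = check_assign(LOW, join(h2, l), l);     /* l = h2 + l;   */
    return ok && !leak;
}

/* "Implicit flows": `if (testHigh) mydata = 1;` stores a low literal in a
 * low variable, but under pc = label(testHigh) = HIGH it would reveal one
 * bit of testHigh, so the assignment must be rejected. */
bool implicit_flow_rejected(void) {
    label_t test_high = HIGH, mydata = LOW;
    return !check_assign(test_high, LOW, mydata);
}

/* Lattice order between compartment sets: {NUC} data may flow to a
 * {NUC, EUR} variable but not to an {EUR, US} one. */
bool compartment_order(void) {
    return may_flow(NUC, NUC | EUR) && !may_flow(NUC, EUR | US);
}
```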