UMD CMSC 433 - Software Security
Software Security
CMSC 433
Bill Pugh

Software Security
• Making sure that if your software is misused, it doesn't do any of the vast number of things you didn't intend for the software to do

On trusting trust
• You can hide a trojan horse in a compiler
  – or in the operating system
  (Ken Thompson, "Reflections on Trusting Trust", 1984)

Compiler
  Code generateCode(AST method) {
    if (method.getName().equals("authenticateLogin")) {
      return ... code with trap door ...;
    }
    ... generate code normally ...
  }

Slightly cool, but not very interesting
• Gets spotted in a code audit: the trap door is right there in the compiler's source

Compiler, take two
  Code generateCode(AST method) {
    if (method.getName().equals("authenticateLogin")) {
      return ... code with trap door ...;
    }
    if (method.getName().equals("generateCode")) {
      return ... code with special code gen ...;   // re-inserts both of these checks
    }
    ... generate code normally ...
  }
• Now the trap door survives even after the compiler's source is cleaned up, as long as the clean source is built with the compromised binary

Trusted code base
• The trusted code base (also called the trusted computing base, TCB) is the code that, if compromised, causes all of your security to fail
• Typically includes all your software, your compiler, your operating system, ...
• Feeling comfy?

Software defects
• Traditional approach to correctness
  – define a precondition
  – show that if the precondition is satisfied, the output satisfies the postcondition
• Didn't examine what happened if the input didn't satisfy the precondition

#1 source of security defects
• Untrusted, unverified and unexpected input leading to a program doing something completely unexpected
  – unexpected by the developer
  – intended by the attacker
• Of all the untrusted input problems, #1 is buffer overruns in C/C++

Buffer overflows
• In C, arrays are just locations in memory
• If you write past the allocated end of the array, you write into something else
  – possibly other variables, or the return address
• The same overflow can both rewrite the return address and deliver the payload it points to
• http://insecure.org/stf/smashstack.html (Aleph One, "Smashing the Stack for Fun and Profit")

Stack layout
  int main(int argc, char *argv[]) {
    int value;
    char buf1[80];
    …
  }

  Stack frame of main, higher addresses at the top:
    argv
    argc
    return address
    saved frame pointer
    buf1[80]
    value
  Writing past the end of buf1 runs upward into the saved frame pointer and then the return address.

gets() is evil
• Impossible to use gets() correctly: it has no way to know how big buf is, so any line longer than 19 characters overflows it
  char buf[20];
  gets(buf);

C String functions
  char buf[20];
  char * prefix = "http://";
  strcpy(buf, prefix);
  strncat(buf, path, sizeof(buf));
• strncat's count limits only what is appended, not the total: this copies up to 20 bytes of path after the 7-byte prefix and overflows buf
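The gets() and strncat() slides above, reworked into bounded versions, as an added example that is not from the lecture: a line reader that replaces gets() and reports when a line had to be cut, and the "http://" prefix plus path built two ways, with strncat given a count that leaves room for the terminator and with snprintf checked through its return value. The function names, the 20-byte buffer and the sample lines are constructed for this example; tmpfile() stands in for stdin so it runs offline.

```c
/* Added example, not from the lecture: bounded replacements for the
 * gets()/strcpy()/strncat() patterns on the slides.  Function names, the
 * 20-byte buffer and the sample lines are constructed for this example. */
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): read one line into buf[bufsz], drop the
 * newline, and say whether anything was lost.  Returns -1 at end of input,
 * 0 if the whole line fit, 1 if the line was longer than bufsz-1 bytes (the
 * excess is discarded so the next call starts on the next line). */
int read_line(char *buf, size_t bufsz, FILE *in)
{
    if (bufsz == 0 || fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';                 /* whole line fit */
        return 0;
    }
    /* No newline in buf: either the input ended, or the line was too long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;                          /* nothing was lost */
    while (c != '\n' && c != EOF)          /* drain the rest of the long line */
        c = fgetc(in);
    return 1;
}

/* The slide's strcpy/strncat pair with a correct count: strncat's limit is
 * on the bytes appended and excludes the terminator, so leave one byte for
 * it.  Returns 1 if the whole path fit, 0 if it was cut short; dst is
 * NUL-terminated either way. */
int build_url_strncat(char *dst, size_t dstsz, const char *path)
{
    const char *prefix = "http://";
    if (dstsz == 0)
        return 0;
    if (dstsz <= strlen(prefix)) {         /* not even room for the prefix */
        dst[0] = '\0';
        return 0;
    }
    strcpy(dst, prefix);                   /* safe: checked just above */
    size_t room = dstsz - strlen(dst) - 1; /* bytes left, minus the NUL */
    strncat(dst, path, room);
    return strlen(path) <= room;
}

/* The same with snprintf: one call, and its return value is the length the
 * result would have had, so truncation is detectable instead of silent. */
int build_url_snprintf(char *dst, size_t dstsz, const char *path)
{
    int need = snprintf(dst, dstsz, "http://%s", path);
    return need >= 0 && (size_t)need < dstsz;
}

int main(void)
{
    char buf[20];
    FILE *in = tmpfile();                  /* stands in for stdin */
    if (in == NULL)
        return 1;
    /* Constructed input: a short line and a 40-character one. */
    fputs("short\n0123456789012345678901234567890123456789\n", in);
    rewind(in);
    for (int r; (r = read_line(buf, sizeof buf, in)) != -1; )
        printf("%s: \"%s\"\n", r ? "truncated" : "ok", buf);
    fclose(in);

    const char *paths[] = { "a/b", "a/very/long/path/name" };
    for (int i = 0; i < 2; i++) {
        int ok = build_url_strncat(buf, sizeof buf, paths[i]);
        printf("strncat  fit=%d \"%s\"\n", ok, buf);
        ok = build_url_snprintf(buf, sizeof buf, paths[i]);
        printf("snprintf fit=%d \"%s\"\n", ok, buf);
    }
    return 0;
}
```

With a 20-byte buffer both builders keep 19 characters plus the terminator, so the long path comes back as "http://a/very/long/" with the fit flag cleared; the caller decides whether a cut URL is acceptable instead of finding out from a crash.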
C String functions, second attempt
  char buf[20];
  char * prefix = "http://";
  strcpy(buf, prefix);
  strncat(buf, path, sizeof(buf) - strlen(buf));
• Still off by one: strncat appends up to n characters and then a NUL, so the count has to be sizeof(buf) - strlen(buf) - 1

sprintf
  char buf[80];
  sprintf(buf, "%s - %d\n", path, errno);
• sprintf has no idea how big buf is; a long path overflows it (use snprintf and check its return value)

safe copy
  #define MAX_BUF 256
  void doStuff(char * in) {
    short len;
    char buf[MAX_BUF];
    len = strlen(in);
    if (len > MAX_BUF) return;
    strcpy(buf, in);
    .. do stuff with buf ...
  }

Huh…?
• C doesn't give any warning when you invoke a function that returns a size_t (unsigned, and 64 bits wide on 64-bit platforms)
• and assign the result to something smaller
  – like a signed short or a char
• Even with -Wall and -pedantic-errors (only -Wconversion reports it)
• Here strlen of a 65,636-byte input becomes len == 100, the check passes, and strcpy overflows buf

Format String
• Using an untrusted/unchecked string as a format string
  – printf(s); // just print s, no formatting needed
• What if s is "%d"?
  – it prints whatever sits where the next argument would have been passed (a stack slot or a register, depending on the ABI)

The little known %n
• One of the least known and most dangerous format specifiers
  – %n expects the corresponding parameter to be the address of an int
  – writes the number of characters written so far into that address
• sprintf(buf, "%d%n", x, &y)
  – stores into y the number of characters needed to represent x

Now we have a way to update memory
• Some hackers are very clever
• Figured out how to turn several instances of this into an exploit
  – force a program to execute an arbitrary payload

References
• Newsham, Tim. Format String Attacks.
  – http://muse.linuxmafia.org/lost+found/format-string-attacks.pdf
• scut.
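An added example, not from the slides, that runs the %n slide: the sprintf(buf, "%d%n", x, &y) call as a function, a field width showing that the stored count is whatever the format's author wants it to be, the printf(s) logging bug beside its one-character fix, and a small check that refuses a run-time format containing %n. The function names are constructed for this example.

```c
/* Added example, not from the lecture: what %n does and why an untrusted
 * format string is the bug.  Function names are constructed here. */
#include <stdio.h>
#include <string.h>

/* The slide's sprintf(buf, "%d%n", x, &y), returning y: the number of
 * characters needed to print x. */
int chars_needed(int x)
{
    char buf[32];
    int y = -1;
    snprintf(buf, sizeof buf, "%d%n", x, &y);
    return y;
}

/* Why %n is a write primitive: the value stored is the running output
 * count, and a field width makes that count whatever the format says, so
 * "%1000d%n" in attacker text stores 1000 without 1000 bytes of input.  The
 * width is a parameter here so that the format itself stays a literal. */
int value_written_by_n(int width)
{
    char buf[1024];
    int stored = -1;
    if (width < 0 || width >= (int)sizeof buf)
        return -1;                     /* keep the demo inside the buffer */
    snprintf(buf, sizeof buf, "%*d%n", width, 0, &stored);
    return stored;
}

/* The slide's bug: the message is the format, so "%n" in a message writes
 * through whatever pointer-sized value sits in the next argument slot.
 * Called through a pointer only because toolchains that default to
 * -Werror=format-security would otherwise reject this file; a plain
 * printf(msg) is the same thing. */
void log_msg_vulnerable(const char *msg)
{
    int (*print)(const char *, ...) = printf;
    print(msg);
}

/* Fixed: the format is a literal and msg is data, so '%' in it is inert. */
void log_msg_safe(const char *msg)
{
    printf("%s", msg);
}

/* For the rare case where a format really must be assembled at run time
 * (message catalogs, for instance): refuse any %n directive.  Returns 1 if
 * fmt contains one, ignoring the "%%" escape and skipping flags, width,
 * precision, positional "n$" and length modifiers. */
int format_has_n(const char *fmt)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') {               /* "%%": a literal percent sign */
            p++;
            continue;
        }
        while (*p != '\0' && strchr("-+ #0123456789.*$hlLqjzt", *p) != NULL)
            p++;
        if (*p == 'n')
            return 1;
        if (*p == '\0')
            break;
    }
    return 0;
}

int main(void)
{
    printf("%d %d\n", chars_needed(12345), chars_needed(-7));
    printf("%d\n", value_written_by_n(1000));
    log_msg_safe("user input: %n%n%n is harmless here\n");
    printf("%d %d\n", format_has_n("%s logged in"), format_has_n("%08x%n"));
    return 0;
}
```

The width trick is the whole reason %n is exploitable rather than merely odd: the attacker chooses the number that gets stored, and with the pointer supplied from the same string (the slide's "several instances of this") chooses where it goes.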
  Exploiting Format String Vulnerabilities.
  – http://julianor.tripod.com/teso-fs1-1.pdf

Integer overflows
• In C/C++/Java, no warnings or exceptions if an integer value overflows the range of values it can hold (Java wraps silently; in C and C++ unsigned arithmetic wraps and signed overflow is undefined behavior)
• In C (and C++), no warnings when an assignment of an integer value involves two incompatible ranges
  – e.g., stores an unsigned long in an int

Integer overflows, continued
• Even if you are careful, and check to see if x+y > max
  – if x+y overflows, you won't catch it: the sum wraps to a small number and passes the check

Insecure Randomness
• In Java 1.4 and earlier, new Random() uses System.currentTimeMillis() as the seed
• Imagine an on-line Texas hold'em poker game
  – assume you have access to a copy of the implementation
• You see your hole cards and the community cards
  – Can check: would new Random(1165336371231L) have generated those cards?

How fast can you check?
• Takes less than 2 seconds to check 3,600,000 possibilities
• That handles any Random() created in the last hour

Actual exploit
• There was an actual exploit for this
  – developed by a white hat team
  – http://seclists.org/bugtraq/1999/Sep/0102.html
• Poker implemented in Delphi Pascal
  – 32 bit random number generator
    • only 2^32 possible decks, much less than the 52! decks that should be possible
  – Checked 200,000 possible seeds
  – Required 3 community cards (the first flop)

Solution?
• In Java 5 and above, new Random() seeds from System.nanoTime() (plus a per-JVM counter)
  – nanoTime often has only microsecond resolution
  – In 2 seconds, can check 4 seconds' worth of possible seeds, assuming microsecond resolution
    • using one processor

SecureRandom
• java.security.SecureRandom
  – been around since Java 1.1
• Uses a secure seed and a cryptographically secure random number generator
  – as secure as we know how to generate

SQL Injection
  ResultSet getEmployees(String data) {
    Statement stmt = connection.createStatement();
    stmt.execute("select * from employees where id = " + data);
    return stmt.getResultSet();
  }

Where does data come from?
• Does it come from a web form?
• Are you expecting something like:
  – "457"
• What happens if you get:
  – "457; delete from employees"

Cross site scripting
• Anything that allows untrusted and unchecked content to be injected into a web page (e.g., the response from a web server)
  – http://en.wikipedia.org/wiki/Cross_site_scripting
• Primarily a problem when browsers act on responses from a web server
  – e.g., execute embedded JavaScript

Hypothetical example
• Add a review to a book on Amazon
• The "review" contains executable JavaScript
• The "review" is now included verbatim on the Amazon page for that book
• When a web page containing that "review" is viewed
  – the embedded JavaScript is executed and clicks on "Buy now with 1-click"

3 types of Cross-site scripting
• Local
  – using the DOM to inject content into another web page that displays a local HTML file
    • hard to find, but dangerous because JavaScript executing on a local page may be treated as trusted JavaScript
• Reflected
  – A URL that when
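The "safe copy" check and the x + y > max check from the slides above, as an added example that is not the lecture's code: each vulnerable check is reproduced as a function so the input that defeats it can be shown, beside a version that keeps the length in size_t and tests for overflow before adding. The function names and inputs are constructed here; the code assumes unsigned is 32 bits and that converting an out-of-range size_t to short keeps the low 16 bits, which is what gcc and clang do (the conversion is implementation-defined in C).

```c
/* Added example, not from the lecture: the "safe copy" length check and
 * the x + y > max check from the slides, each reproduced so the failing
 * input can be shown, beside a version that survives truncation and
 * wraparound.  Function names are constructed here.  Assumes unsigned is
 * 32 bits and that converting an out-of-range size_t to short keeps the low
 * 16 bits (implementation-defined in C; gcc and clang do this). */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_BUF 256

/* The slide's check: strlen() returns size_t, len is a short.  Returns 1 if
 * doStuff() would go on to strcpy() an n-byte input into buf[MAX_BUF]. */
int slide_check_accepts(size_t n)
{
    short len = (short)n;          /* what `len = strlen(in);` silently does */
    if (len > MAX_BUF)
        return 0;
    return 1;                      /* strcpy(buf, in) would run */
}

/* Fixed: keep the length in size_t, and count the terminator, which the
 * slide's `len > MAX_BUF` also forgets (256 characters need 257 bytes). */
int fixed_check_accepts(size_t n)
{
    return n < MAX_BUF;
}

/* The slide's "is x + y within max" check on unsigned operands: the sum
 * wraps modulo 2^32 first, so a huge x looks small. */
int naive_sum_in_range(unsigned x, unsigned y, unsigned max)
{
    return x + y <= max;
}

/* Rearranged so nothing can wrap: x + y <= max is the same as x <= max - y,
 * and max - y cannot underflow once y <= max has been checked. */
int checked_sum_in_range(unsigned x, unsigned y, unsigned max, unsigned *sum)
{
    if (y > max || x > max - y)
        return 0;
    *sum = x + y;
    return 1;
}

/* Signed version: signed overflow is undefined behaviour in C, so the test
 * must come before the addition.  Returns 1 and stores a + b if it fits. */
int add_int_checked(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return 0;
    *out = a + b;
    return 1;
}

int main(void)
{
    size_t evil = 65536u + 100;    /* a 65,636-byte input: (short) gives 100 */
    printf("slide check accepts %zu bytes: %d, fixed: %d\n",
           evil, slide_check_accepts(evil), fixed_check_accepts(evil));
    unsigned s;
    printf("naive 0xFFFFFFF0 + 0x20 <= 1000: %d, checked: %d\n",
           naive_sum_in_range(0xFFFFFFF0u, 0x20u, 1000u),
           checked_sum_in_range(0xFFFFFFF0u, 0x20u, 1000u, &s));
    int r;
    printf("INT_MAX + 1 fits: %d\n", add_int_checked(INT_MAX, 1, &r));
    return 0;
}
```

The two bugs are the same shape: the value being compared is not the value that will be used. Truncation changes it on the way into `len`, wraparound changes it inside `x + y`; in both cases the fix is to do the comparison on quantities that cannot have been altered.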
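Returning to the Insecure Randomness slides: the seed search run end to end, as an added example that is not from the lecture. java.util.Random is reimplemented from its Javadoc (the 48-bit linear congruential generator with multiplier 0x5DEECE66D and increment 0xB, next(bits), and nextInt(bound) with its rejection loop); the first value it produces for seed 42 is the one the JDK produces. Java 1.4's new Random() seeded with System.currentTimeMillis(), so the search walks back one hour of millisecond timestamps, as the "How fast can you check?" slide describes. The dealing procedure, the use of the slide's timestamp as "now", the offset of the hidden seed and the function names are constructed for this example.

```c
/* Added example, not from the lecture: java.util.Random reimplemented in C
 * so the timestamp-seed attack on the slides can be run.  The constants and
 * the next()/nextInt() steps are the ones the java.util.Random Javadoc
 * specifies; the dealing order, the "now" timestamp and the function names
 * are constructed here. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JR_MULT 0x5DEECE66DULL
#define JR_ADD  0xBULL
#define JR_MASK ((1ULL << 48) - 1)

typedef struct { uint64_t state; } jrand;

/* Random.setSeed(): scramble the seed and keep 48 bits. */
void jrand_seed(jrand *r, int64_t seed)
{
    r->state = ((uint64_t)seed ^ JR_MULT) & JR_MASK;
}

/* Random.next(bits): one LCG step, return the top `bits` bits. */
int32_t jrand_next(jrand *r, int bits)
{
    r->state = (r->state * JR_MULT + JR_ADD) & JR_MASK;
    return (int32_t)(r->state >> (48 - bits));
}

/* Random.nextInt(bound), bound > 0, including the rejection loop. */
int32_t jrand_next_int(jrand *r, int32_t bound)
{
    int32_t m = bound - 1;
    int32_t bits = jrand_next(r, 31);
    if ((bound & m) == 0)                        /* power of two */
        return (int32_t)(((int64_t)bound * bits) >> 31);
    int32_t val = bits % bound;
    /* Java's `bits - val + m < 0` relies on int wraparound; do it unsigned. */
    while ((int32_t)((uint32_t)bits - (uint32_t)val + (uint32_t)m) < 0) {
        bits = jrand_next(r, 31);
        val = bits % bound;
    }
    return val;
}

/* Deal k cards (0..51) with a partial Fisher-Yates shuffle driven by the
 * seed.  Assumption: the game deals this way; an attacker holding the
 * source copies whatever the real code does. */
void deal(int64_t seed, int k, int out[])
{
    int deck[52];
    jrand r;
    for (int i = 0; i < 52; i++)
        deck[i] = i;
    jrand_seed(&r, seed);
    for (int i = 0; i < k; i++) {
        int j = i + jrand_next_int(&r, 52 - i);
        int t = deck[i]; deck[i] = deck[j]; deck[j] = t;
        out[i] = deck[i];
    }
}

/* Try every millisecond in (now_ms - window_ms, now_ms] as the seed and
 * return the one whose first k cards match what the player saw, or -1. */
int64_t recover_seed(int64_t now_ms, int64_t window_ms, const int seen[], int k)
{
    int cards[52];
    for (int64_t s = now_ms; s > now_ms - window_ms; s--) {
        deal(s, k, cards);
        if (memcmp(cards, seen, (size_t)k * sizeof cards[0]) == 0)
            return s;
    }
    return -1;
}

/* Card 0..51 as rank then suit, e.g. "Ah". */
const char *card_name(int c, char buf[3])
{
    buf[0] = "23456789TJQKA"[c % 13];
    buf[1] = "cdhs"[c / 13];
    buf[2] = '\0';
    return buf;
}

int main(void)
{
    int seen[5], cards[9];
    char nm[3];
    int64_t now = 1165336371231LL;     /* the slide's timestamp, used as "now" */
    int64_t hidden = now - 2000000;    /* constructed: table opened ~33 min ago */
    deal(hidden, 5, seen);             /* 2 hole cards + the flop, as seen */
    int64_t found = recover_seed(now, 3600000, seen, 5);   /* last hour */
    printf("seed %" PRId64 " (actual %" PRId64 ")\n", found, hidden);
    if (found != -1) {
        deal(found, 9, cards);         /* same seed: the unseen cards too */
        printf("next cards:");
        for (int i = 5; i < 9; i++)
            printf(" %s", card_name(cards[i], nm));
        printf("\n");
    }
    return 0;
}
```

Five known cards pin the seed down hard: a wrong seed reproduces them with probability 1 in 52·51·50·49·48, so over 3.6 million candidates a false match is unlikely and, once the seed is known, every card still in the deck is known with it.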