
Software Security II

CSCI 415: Computer and Network Security
Dr. Nazli Hardy
Partially adapted from Computer Security: Principles & Practices, Stallings, Lawrie
Source: http://mashable.com

Overview
    – Command Injection
    – Validating Input
    – Input Fuzzing
    – Cybercrime

Perl finger CGI script

CGI: This CGI script retrieves the desired info from the server, based on what is passed to it as the value of user as a parameter.
CGI:  Finger:
From where is the value of user passed?

    #!/usr/bin/perl
    # finger.cgi - finger CGI script using Perl5 CGI module

    use CGI;
    use CGI::Carp qw(fatalsToBrowser);
    $q = new CGI;    # create query object

    # display HTML header
    print $q->header,
          $q->start_html('Finger User'),
          $q->h1('Finger User');
    print "<pre>";

    # get name of user and display their finger details
    $user = $q->param("user");
    print `/usr/bin/finger -sh $user`;

    # display HTML footer
    print "</pre>";
    print $q->end_html;

Finger Form (for example)
    – Invokes the CGI script
    – Takes user as input
    – User is passed as a parameter to finger.cgi

Command Injection

If the user is legit, then it's all good …
But if a command is the input instead, it will be passed to finger.cgi …
    – e.g. list all the users in this directory (finger.cgi thinks the command is coming from a Web server)
    – metacharacters are often used in commands

    # get name of user and display their finger details
    $user = $q->param("user");
    die "The specified user contains illegal characters!"
        unless ($user =~ /^\w+$/);
    print `/usr/bin/finger -sh $user`;

A solution: add a test that ensures that the user input contains only expected tokens (e.g. alphanumerics and not metacharacters).

Recall (SQL Injection)

Data may be altered to conform to what is expected, by 'escaping' metacharacters, thus rendering the input safe (making the input usable).

    $name = $_REQUEST['name'];
    $query = "SELECT * FROM suppliers WHERE name = '" . $name . "';";
    $result = mysql_query($query);

    $name = $_REQUEST['name'];
    $query = "SELECT * FROM suppliers WHERE name = '" .
             mysql_real_escape_string($name) . "';";
    $result = mysql_query($query);

Validating Input

Given that the programmer cannot control the content of input data, it is necessary to ensure that such data conform with any assumption made about the data
    – e.g. for textual data, contain only alphanumeric data, or
    – for numeric data, only int and double
2 possible principles can be followed:
    – compare input data with known dangerous values
    – accept only known safe data
Which is better and why?

Input Fuzzing

A good alternative is called fuzzing.
Developed by Dr. Barton Miller (U of Wisconsin, Madison) in 1989.
A software testing technique that uses randomly generated data as inputs to a program.
The range of inputs may be very large (textual, graphic, random network requests, random parameter values passed to system functions, etc.).
The intent is to determine whether the program/function
    – correctly handles all such abnormal inputs
    – crashes
    – fails to respond appropriately
Identifies reliability (or lack of) and security deficiencies.
Fuzzing is simple (but effective) and has low costs (to generate these inputs).
Limitations?

Computer Crime vs. Cybersecurity

The term cybercrime has a connotation of the use of networks specifically, whereas computer crime may or may not involve networks.
The U.S. Department of Justice categorizes computer crime based on the role that the computer plays in the criminal activity, as follows:
    – Computers as targets: to acquire information stored on that computer system without authorization or payment (theft of service)
    – Computers as storage devices: as a passive storage medium, e.g. for stolen password lists, credit card or calling card numbers, proprietary corporate information, pornographic image files, or "warez" (pirated commercial software)
    – Computers as communications tools: often traditional crimes committed online, e.g. the illegal sale of prescription drugs, controlled substances, alcohol, etc.

Examples of Cybercrime
    – theft of intellectual property
    – theft of other (proprietary) info, including customer records and financial records
    – DOS attacks
    – virus, worms, and other malware attacks
    – fraud (over the Net)
    – illegal generation of spam email
    – webpage defacement
    – intentional exposure of private or sensitive info
    – spyware (but not including adware)
    – others

Intellectual Property

Intellectual property is any intangible asset that consists of human knowledge and ideas.
The legal protection is against infringement, which is the
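
Added example (not from the slides or the textbook), tying the Validating Input question to the Input Fuzzing slide: a small random fuzzer is run against a deny-list check, the `/^\w+$/` pattern from the finger.cgi fix, and a stricter allow-list. The names `DENY`, `META`, `strict_ok`, `fuzz` and `finger_argv`, and the 32-character limit, are assumptions made for illustration.

```python
import random
import re

DENY = set(";|&")  # hypothetical deny-list: a few "known dangerous" characters
META = ";|&`$()<>\\'\" *?\n"  # shell metacharacters plus newline (constructed)

def deny_list_ok(user):
    """Principle 1: reject input containing known dangerous values."""
    return not any(c in DENY for c in user)

def slide_regex_ok(user):
    """Same pattern as the slide's Perl test; `$` also matches before a final newline."""
    return re.search(r"^\w+$", user, re.ASCII) is not None

def strict_ok(user):
    """Principle 2, tightened: whole-string match, ASCII only, bounded length."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", user) is not None

def is_expected(user):
    """Oracle for the fuzzer: what 'alphanumerics only' is supposed to mean."""
    return 0 < len(user) <= 32 and all(
        c.isascii() and (c.isalnum() or c == "_") for c in user)

def fuzz(validator, rounds=5000, seed=415):
    """Feed random short strings to a validator; return unexpected inputs it accepted."""
    rng = random.Random(seed)
    alphabet = "abcXYZ019_" + META
    accepted = set()
    for _ in range(rounds):
        s = "".join(rng.choice(alphabet) for _ in range(rng.randint(1, 6)))
        if validator(s) and not is_expected(s):
            accepted.add(s)
    return accepted

def finger_argv(user):
    """Validate, then build an argument vector so no shell parses the value."""
    if not strict_ok(user):
        raise ValueError("The specified user contains illegal characters!")
    return ["/usr/bin/finger", "-sh", user]

if __name__ == "__main__":
    for name, check in [("deny-list", deny_list_ok),
                        ("slide regex", slide_regex_ok),
                        ("strict allow-list", strict_ok)]:
        print(f"{name}: {len(fuzz(check))} unexpected inputs accepted")
```

The deny-list accepts many inputs containing metacharacters it did not anticipate, and the only inputs the slide's pattern wrongly accepts are names followed by a single newline. In Perl the same tightening is done by anchoring with `\A` and `\z` instead of `^` and `$`.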



MU CSCI 415 - Software Security
