Software Security
CMSC 433
Bill Pugh

Software Security
• Making sure that if your software is misused, it doesn't do any of the vast number of things you didn't intend for the software to do

On trusting trust
• You can hide a trojan horse in a compiler
  – or in the operating system

Compiler
• Code generateCode(AST method) {
      if (method.getName().equals("authenticateLogin")) {
          return ... code with trap door ...;
      }
      ... generate code normally
  }

Slightly cool, but not very interesting
• Gets spotted in a code audit

Compiler
• Code generateCode(AST method) {
      if (method.getName().equals("authenticateLogin")) {
          return ... code with trap door ...;
      }
      if (method.getName().equals("generateCode")) {
          return ... code with special code gen ...;
      }
      ... generate code normally
  }

Trusted code base
• Trusted code base is the code that, if compromised, causes all of your security to fail
• Typically, includes all your software, your compiler, your operating system, ...
• Feeling comfy?

Software defects
• Traditional approach to correctness
  – define precondition
  – show that if precondition is satisfied, output satisfies postcondition
• Didn't examine what happened if input didn't satisfy precondition

#1 source of security defects
• Untrusted, unverified and unexpected input leading to a program doing something completely unexpected
  – unexpected by developer
  – intended by attacker
• Of all the untrusted input problems, #1 is buffer overruns in C/C++.

Buffer overflows
• In C, arrays are just locations in memory
• If you write past the allocated end of the array, you write into something else
• possibly other variables, return address
• can both rewrite return address and deliver payload

gets() is evil
• Impossible to use gets() correctly
  char buf[20];
  gets(buf);

C String functions
  char buf[20];
  char * prefix = "http://";
  strcpy(buf, prefix);
  strncat(buf, path, sizeof(buf));

sprintf
• char buf[80];
  sprintf(buf, "%s - %d\n", path, errno);

safe copy
  #define MAX_BUF 256
  void doStuff(char * in) {
      short len;
      char buf[MAX_BUF];
      len = strlen(in);
      if (len > MAX_BUF)
          return;
      strcpy(buf, in);
      ... do stuff with buf ...
  }

Some Sins
• Buffer Overflows
• Format String problems
• Integer overflows
• SQL injection
• Command injection
• Failure to handle errors
• Cross-site scripting
• Failing to protect network traffic
• Use of "magic" URLs and hidden forms

More sins
• Improper use of SSL
• Use of weak password-based systems
• Failing to store and protect data
• Information leakage
• Improper file access
• Trusting network address information
• Race conditions
• Unauthenticated key exchange
• Failing to use cryptographically strong random numbers
• Poor
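The "C String functions" and "safe copy" slides each contain a bounds mistake: strncat's third argument is the number of bytes it may append, not sizeof(buf), and the length check `len > MAX_BUF` still lets a 256-byte string write its NUL one past the end (with `short len` also able to wrap on long input). The following is an added example, not the lecture's own code, showing both snippets rewritten with correct bounds; the function names safe_copy and build_url and the static buffers are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_BUF 256

static char scratch[MAX_BUF];   /* stands in for the slide's buf[MAX_BUF] */
static char urlbuf[20];         /* stands in for the slide's buf[20]     */

/* Corrected "safe copy": rejects input that does not fit INCLUDING the
 * terminating NUL, and uses size_t so a long input cannot wrap a 16-bit
 * length. Returns 0 on success, -1 if the input is too long. */
int safe_copy(char *buf, size_t bufsz, const char *in)
{
    size_t len = strlen(in);
    if (len >= bufsz)          /* the slide's '>' lets len == bufsz through */
        return -1;
    memcpy(buf, in, len + 1);  /* copies the NUL too; bounded by the check */
    return 0;
}

/* Corrected strcpy/strncat sequence. strncat may append at most its third
 * argument's bytes and then writes a NUL, so the bound is the space left
 * after the prefix, minus one. Returns 0 on success, -1 if it will not fit. */
int build_url(char *buf, size_t bufsz, const char *path)
{
    const char *prefix = "http://";
    size_t plen = strlen(prefix);
    if (plen >= bufsz)
        return -1;
    memcpy(buf, prefix, plen + 1);
    size_t remaining = bufsz - plen - 1;   /* bytes left for path, excluding NUL */
    if (strlen(path) > remaining)
        return -1;                         /* refuse rather than silently truncate */
    strncat(buf, path, remaining);
    return 0;
}

int main(void)
{
    /* constructed inputs: 7 + 12 + NUL == 20 fits; one more byte does not */
    printf("%d\n", build_url(urlbuf, sizeof urlbuf, "example.com/"));
    printf("%d\n", build_url(urlbuf, sizeof urlbuf, "example.com/x"));
    printf("%d\n", safe_copy(scratch, sizeof scratch, "hello"));
    return 0;
}
```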