CMSC 426/626: Secure CodingWhere can errors occur?Flaw ClassificationsStudy of Buffer Overflow AttackBuffer OverflowsProgram SegmentsWhere to Inject CodeJump to Attacker’s CodeBuffer Overflow DetailsBuffer Overflow DefensesSlide 11Slide 12Race ConditionsRace condition: What is it?Slide 15Slide 16Race conditions, contd.Good Practices in ImplementationSlide 19Slide 20Slide 21Slide 22Slide 23Implementation, Don’tsSlide 25Slide 26To be ContinuedCMSC 426/626: Secure CodingKrishna M. SivalingamSources: From Secure Coding, Mark and van Wyk, O’Reilly, 2003www.cert.org/secure-codingWhere can errors occur?During entire software lifecycleSecurity Architecture/Design stageMan-in-the-middle attackRace condition attackReplay attackImplementation StageBuffer overflow attackParsing error attackBack door attacks (aka Trapdoors)Code Maintenance StageFlaw ClassificationsLandwehr’s SchemeBishop’s SchemeAslam’s SchemeDu/Mathur’s classificationFlaws are Intentional and InadvertentInadvertent Flaw ClassificationsValidation ErrorDomain ErrorSerialization and AliasingInadequate Authentication and IdentificationBoundary Condition ViolationOther exploitable logic errorStudy of Buffer Overflow AttackCowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade." Proceedings of DARPA Information Survivability Conference and Expo (DISCEX), 1999http://insecure.org/stf/mudge_buffer_overflow_tutorial.htmlBuffer OverflowsInject attack code by overflowing the bufferUsually involves adding code based on target machines’ CPU opcodesExecute code with all the privileges of the vulnerable programThus, if program is running as root, attacker can run at will any code as rootTypically, manage to invoke execve /bin/sh or similar to get a root shellProgram SegmentsAn executing program consists of:CodeInitialized DataGlobal variablesStackHeap (for dynamic allocation)Remember that local variables, return address, etc. are stored in the stack when a function is invokedWhen a local variable is over-run, it can alter return address, etc.Where to Inject CodeOn the stack (automatic variables)On the heap (malloc or calloc variables)In static data areasExecutable code need not be restricted to the overflowing buffer – code can be injected elsewhereOne can also use existing codeFor example, if exec(arg) exists in program, modify running code by making arg point to “/bin/sh”Jump to Attacker’s CodeActivation RecordOverflow into return address on the stack and make it point at the code.Function pointersOverflow into “void (*foo())()” and it point at the codeSetjmp and longjmp commands, that are used for checkpointing and recoveryAlter address given to longjmp to point to attacker’s codeBuffer Overflow DetailsLook at Mudge’s sample buffer overflow attackBuffer Overflow DefensesWriting Correct CodeVulnerable programs continue to emerge on a regular basisC has many error-prone idioms and a culture that favors performance over correctness.Static Analysis Tools Fortify – looks for vulnerable constructsToo many false positivesFrom Crispin Cowan’s SANS 2000 Talk on WebCrispin Cowan’s SANS 2000 Talk on WebBuffer Overflow DefensesNon-executable buffersNon executable data segmentsOptimizing compiles emit code into program data segmentsNon executable stack segmentsHighly effective against code injection on the stack but not against code injections on the heap or static variables.Buffer Overflow DefensesArray Bound CheckingCan run 12x-30x slowera[3] is checked but *(a+3) is notType safe languages: Java or MLThere are millions of lines of C code in operating systems and security system applicationsAttack the Java Virtual Machine which is a C programStackGuard program: Adds a “canary” value, which is a 32-bit random # or a known string terminator (CR, LF, ‘\0’, etc.)Compiler adds canary and system can check for this value at runtimeEntire RedHat system has been recompiled with this and shown to be less vulnerableRace Conditionshttp://seclab.cs.ucdavis.edu/projects/vulnerabilities/scriv/ucd-ecs-95-08.pdfhttp://citeseer.ist.psu.edu/bishop96checking.htmlhttp://www.mirrors.wiretapped.net/security/development/secure-programming/bishop-dilger-1996-checking-for-race-conditions-in-file-accesses.pdfRace condition: What is it?Consider a setuid program, owned by rootUserA is presently executing the program, hence is running it as rootAssume that the program wants to write to a file. The system must check whether UserA has the right privileges on this file, checked as follows:if (access(filename, W_OK) == 0){if ((fd = open(filename, O_WRONLY)) == NULL){perror(filename);return(0);}/* now write to the file */Race condition: What is it?In the time between verifying access and opening the file, if the file referred to changes, then its access will not have been checkedCalled TOCTTOU (Time-of-check-To-Time-of-Use) binding flawFor example, if access is originally checked on /tmp/X AND before execution of write statement: /tmp/X is deleted ANDHard link from /etc/passwd is created to /tmp/XThen, process will write to /etc/passwd!Present in xterm program, while logging sessionsSource: Bishop and Dilger’s 1996 paper in Computing SystemsRace conditions, contd.Similar attack possible on binmail programBinmail appends mail to an existing mail spool fileE.g. /usr/spool/mail/jklBinmail verifies if file exists (and is not a symbolic link)Before binmail writes to file, jkl is deleted AND made a hard link to /etc/passwdNow, binmail appends data to /etc/passwdAttacker can create a new account with no password and root privilegesNote that binding flaws do not arise when file descriptors are used!Good Practices in ImplementationInform YourselfFollow Vulnerability Discussions and Alerts (eg. www.cert.org)Read books and papers on secure coding practices, analyses of software flaws, etc.Explore open source softwareExamples of how to and how not to write codeGood Practices in ImplementationHandle Data with CautionCleanse data: Examine input data for malicious intent (altering character sets, using dis-allowed characters)Perform bounds checkingCheck array