CMSC 426/626: Secure Coding
Krishna M. Sivalingam

Sources: Secure Coding (Mark Graff and van Wyk, O'Reilly, 2003); www.cert.org/secure-coding

Where can errors occur?
- During the entire software lifecycle
- Security architecture/design stage
  - Man-in-the-middle attack
  - Race condition attack
  - Replay attack
- Implementation stage
  - Buffer overflow attack
  - Parsing error attack
  - Back door attacks (aka trapdoors)
- Code maintenance stage

Flaw Classifications
- Landwehr's scheme
- Bishop's scheme
- Aslam's scheme
- Du/Mathur's classification
- Flaws are intentional or inadvertent
- Inadvertent flaw classifications:
  - Validation error
  - Domain error
  - Serialization and aliasing
  - Inadequate authentication and identification
  - Boundary condition violation
  - Other exploitable logic error

Study of Buffer Overflow Attack
- Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade." Proceedings of the DARPA Information Survivability Conference and Expo (DISCEX), 1999
- http://insecure.org/stf/mudge_buffer_overflow_tutorial.html

Buffer Overflows
- Inject attack code by overflowing the buffer
- Usually involves adding code based on the target machine's CPU opcodes
- The code executes with all the privileges of the vulnerable program
- Thus, if the program is running as root, the attacker can run any code at will as root
- Typically, the attacker manages to invoke execve on /bin/sh or similar to get a root shell

Program Segments
- An executing program consists of:
  - Code
  - Initialized data
  - Global variables
  - Stack
  - Heap (for dynamic allocation)
- Remember that local variables, return address, etc.
  are stored on the stack when a function is invoked
- When a local variable is over-run, it can alter the return address, etc.

Where to Inject Code
- On the stack (automatic variables)
- On the heap (malloc or calloc variables)
- In static data areas
- Executable code need not be restricted to the overflowing buffer; code can be injected elsewhere
- One can also use existing code: for example, if exec(arg) exists in the program, modify the running program by making arg point to "/bin/sh"

Jump to Attacker's Code
- Activation record: overflow into the return address on the stack and make it point at the code
- Function pointers: overflow into "void (*foo())()" and make it point at the code
- setjmp and longjmp, which are used for checkpointing and recovery: alter the address given to longjmp so that it points to the attacker's code

Buffer Overflow Details
- Look at Mudge's sample buffer overflow attack

Buffer Overflow Defenses
- Writing correct code
  - Vulnerable programs continue to emerge on a regular basis
  - C has many error-prone idioms and a culture that favors performance over correctness
- Static analysis tools
  - Fortify looks for vulnerable constructs
  - Too many false positives
- From Crispin Cowan's SANS 2000 talk on the web

Buffer Overflow Defenses
- Non-executable buffers
  - Non-executable data segments: hard to enforce, since optimizing compilers emit code into program data segments
  - Non-executable stack segments: highly effective against code injection on the stack, but not against code injection on the heap or in static variables

Buffer Overflow Defenses
- Array bound checking
  - Can run 12x-30x slower
  - a[3] is checked but *(a+3) is not
- Type-safe languages: Java or ML
  - There are millions of lines of C code in operating systems and security applications
  - Attackers can instead target the Java Virtual Machine, which is itself a C program
- StackGuard: adds a "canary" value, which is a 32-bit random number or a known string terminator (CR, LF, '\0', etc.)
  - The compiler adds the canary and the system checks for this value at runtime
  - The entire RedHat system has been recompiled with this and shown to be less
    vulnerable

Race Conditions
- http://seclab.cs.ucdavis.edu/projects/vulnerabilities/scriv/ucd-ecs-95-08.pdf
- http://citeseer.ist.psu.edu/bishop96checking.html
- http://www.mirrors.wiretapped.net/security/development/secure-programming/bishop-dilger-1996-checking-for-race-conditions-in-file-accesses.pdf

Race condition: What is it?
- Consider a setuid program, owned by root
- UserA is presently executing the program, hence is running it as root
- Assume that the program wants to write to a file. The system must check whether UserA has the right privileges on this file, checked as follows:

    if (access(filename, W_OK) == 0) {
        /* open() returns -1 on failure, not NULL */
        if ((fd = open(filename, O_WRONLY)) < 0) {
            perror(filename);
            return (0);
        }
        /* now write to the file */
    }

Race condition: What is it?
- In the time between verifying access and opening the file, if the file the name refers to changes, then the access of the new file will not have been checked
- Called a TOCTTOU (Time-of-check-To-Time-of-Use) binding flaw
- For example, if access is originally checked on /tmp/X AND, before execution of the write statement, /tmp/X is deleted AND a hard link to /etc/passwd is created at /tmp/X, then the process will write to /etc/passwd!
- Present in the xterm program, while logging sessions
- Source: Bishop and Dilger's 1996 paper in Computing Systems

Race conditions, contd.
- A similar attack is possible on the binmail program
- binmail appends mail to an existing mail spool file, e.g. /usr/spool/mail/jkl
- binmail verifies that the file exists (and is not a symbolic link)
- Before binmail writes to the file, jkl is deleted AND made a hard link to /etc/passwd
- Now binmail appends data to /etc/passwd
- The attacker can create a new account with no password and root privileges
- Note that binding flaws do not arise when file descriptors are used!

Good Practices in Implementation
- Inform yourself
- Follow vulnerability discussions and alerts (e.g.
  www.cert.org)
- Read books and papers on secure coding practices, analyses of software flaws, etc.
- Explore open source software: examples of how to and how not to write code

Good Practices in Implementation
- Handle data with caution
- Cleanse data: examine input data for malicious intent (altering character sets, using disallowed characters)
- Perform bounds checking
- Check array
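The StackGuard canary and the "write correct code" bounds check from the Buffer Overflow Defenses slides, simulated in user-space C as an added example (not code from the slides or from the StackGuard project): frame_t, unchecked_copy and checked_copy are names chosen here, and the canary value is a demo constant.

```c
#include <string.h>

enum { BUF_SIZE = 16, CANARY_SIZE = 4 };

/* Terminator canary in the StackGuard style (NUL, LF, CR, 0xff; value chosen
 * for this demo). String routines stop at NUL, so an overflow that arrives
 * through strcpy()/gets() cannot rewrite these bytes and still look intact. */
static const unsigned char CANARY[CANARY_SIZE] = { 0x00, 0x0a, 0x0d, 0xff };

/* Simulated activation record: the local buffer immediately followed by the
 * canary word, where StackGuard places it just below the saved return address.
 * Modelled as one byte array so every write in the demo stays in one object. */
typedef struct { unsigned char bytes[BUF_SIZE + CANARY_SIZE]; } frame_t;

static void frame_enter(frame_t *f)          /* compiler-inserted prologue */
{
    memset(f->bytes, 0, BUF_SIZE);
    memcpy(f->bytes + BUF_SIZE, CANARY, CANARY_SIZE);
}

static int frame_exit_ok(const frame_t *f)   /* compiler-inserted epilogue */
{
    return memcmp(f->bytes + BUF_SIZE, CANARY, CANARY_SIZE) == 0;
}

/* The classic bug: copy a caller-controlled length into a fixed buffer.
 * Returns 1 if the canary survived, 0 if the copy ran over it (a real
 * StackGuard epilogue aborts the program here instead of returning). */
int unchecked_copy(const unsigned char *src, size_t len)
{
    frame_t f;
    frame_enter(&f);
    if (len > sizeof f.bytes)      /* clamp so the demo never leaves the frame; */
        len = sizeof f.bytes;      /* a real overflow keeps going past it */
    for (size_t i = 0; i < len; i++)
        f.bytes[i] = src[i];
    return frame_exit_ok(&f);
}

/* The "write correct code" defence: bound the length before copying.
 * Returns 1 on success, 0 when the input is rejected as too large. */
int checked_copy(const unsigned char *src, size_t len)
{
    frame_t f;
    if (len > BUF_SIZE)
        return 0;
    frame_enter(&f);
    memcpy(f.bytes, src, len);
    return frame_exit_ok(&f);
}
```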
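The file-descriptor remedy from the race-condition slides ("binding flaws do not arise when file descriptors are used"), written out as an added example that is not from the slides or from Bishop and Dilger's paper: safe_append and demo_hard_link_refused are hypothetical names, and the scratch file under /tmp is constructed by the demo itself.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Append msg to filename with no separate access() step: open() does the
 * permission check itself while the process runs under its real uid, and the
 * object actually opened is validated through the descriptor, which cannot be
 * re-bound the way a path name can. Returns 0 on success, -1 otherwise. */
int safe_append(const char *filename, const char *msg)
{
    struct stat st;
    uid_t saved = geteuid();
    int fd, rc = -1;
    if (seteuid(getuid()) != 0)     /* shed root before touching the path */
        return -1;
    fd = open(filename, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (seteuid(saved) != 0) {      /* regain privileges afterwards */
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0)
        return -1;
    /* Check the descriptor, not the name: a regular file with exactly one
     * link. The xterm/binmail trick above leaves the target with two. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
        write(fd, msg, strlen(msg)) == (ssize_t)strlen(msg))
        rc = 0;
    close(fd);
    return rc;
}

/* Constructed self-check: a fresh scratch file is accepted; once a second
 * hard link to it exists (the spool-file trick) the append is refused.
 * Returns 1 if both observations hold. */
int demo_hard_link_refused(void)
{
    char path[] = "/tmp/tocttou_XXXXXX", alias[64];
    int fd = mkstemp(path), ok;
    if (fd < 0) return 0;
    close(fd);
    snprintf(alias, sizeof alias, "%s.link", path);
    ok = safe_append(path, "first\n") == 0 &&
         link(path, alias) == 0 &&
         safe_append(path, "second\n") != 0;
    unlink(alias); unlink(path);
    return ok;
}
```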