Tadayoshi Kohno
CSE P 590 / CSE M 590 (Spring 2010)
Computer Security and Privacy

Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

Goals for Today
Software Security (Continued)
• More attacks / issues
• Defensive directions
Cryptography (Intro)
• Background / history / context / overview
Research: IMDs

TOCTOU
TOCTOU == Time of Check to Time of Use
Goal: Open only regular files (not symlinks, etc.)
Attacker can change the meaning of path between stat and open (and access files he or she shouldn’t)

    int openfile(char *path) {
        struct stat s;
        /* check: is the object named by path a regular file? */
        if (stat(path, &s) < 0)
            return -1;
        if (!S_ISREG(s.st_mode)) {
            error("only allowed to regular files!");
            return -1;
        }
        /* use: path is resolved a second time here and may now name a different object */
        return open(path, O_RDONLY);
    }

Integer Overflow and Implicit Cast
If len is negative, may copy huge amounts of input into buf

    char buf[80];
    void vulnerable() {
        int len = read_int_from_network();
        char *p = read_string_from_network();
        if (len > 80) {   /* signed comparison: a negative len passes this check */
            error("length too large, nice try!");
            return;
        }
        memcpy(buf, p, len);   /* len is implicitly cast to size_t: -1 becomes a huge length */
    }

    void *memcpy(void *dst, const void *src, size_t n);
    typedef unsigned int size_t;

(from www-inst.eecs.berkeley.edu—implflaws.pdf)

Integer Overflow and Implicit Cast
What if len is large (e.g., len = 0xFFFFFFFF)?
Then len + 5 = 4 (on many platforms)
Result: Allocate a 4-byte buffer, then read a lot of data into that buffer.

    size_t len = read_int_from_network();
    char *buf;
    buf = malloc(len + 5);   /* wraps around when len is close to the largest size_t */
    read(fd, buf, len);

(from www-inst.eecs.berkeley.edu—implflaws.pdf)

Next
Randomness
Timing Attacks

Randomness issues
Many applications (especially security ones) require randomness
Explicit uses:
• Generate secret cryptographic keys
• Generate random initialization vectors for encryption
Other “non-obvious” uses:
• Generate passwords for new users
• Shuffle the order of votes (in an electronic voting machine)
• Shuffle cards (for an online gambling site)

C’s rand() Function
C has a built-in random function: rand()

    unsigned long int next = 1;

    /* rand:
       return pseudo-random integer on 0..32767 */
    int rand(void) {
        next = next * 1103515245 + 12345;
        return (unsigned int)(next / 65536) % 32768;
    }

    /* srand: set seed for rand() */
    void srand(unsigned int seed) {
        next = seed;
    }

Problem: don’t use rand() for security-critical applications!
• Given a few sample outputs, you can predict subsequent ones

Problems in Practice
One institution used (something like) rand() to generate passwords for new users
• Given your password, you could predict the passwords of other users
Kerberos (1988 - 1996)
• Random number generator improperly seeded
• Possible to trivially break into machines that rely upon Kerberos for authentication
Online gambling websites
• Random numbers to shuffle cards
• Real money at stake
• But what if poor choice of random numbers?
Images from http://www.cigital.com/news/index.php?pg=art&artid=20
Big news... CNN, etc.

Other Problems
Live CDs, diskless clients
• May boot up in same state every time
Virtual Machines
• Save state: Opportunity for attacker to inspect the pseudorandom number generator’s state
• Restart: May use same “pseudorandom” value more than once

Obtaining Pseudorandom Numbers
For security applications, want “cryptographically secure pseudorandom numbers”
Libraries include:
• OpenSSL
• Microsoft’s Crypto API
Linux:
• /dev/random
• /dev/urandom
Internally:
• Pool from multiple sources (interrupt timers, keyboard, ...)
• Physical sources (radioactive decay, ...)

Timing Attacks
Assume there are no “typical” bugs in the software
• No buffer overflow bugs
• No format string vulnerabilities
• Good choice of randomness
• Good design
The software may still be vulnerable to timing attacks
• Software exhibits input-dependent timings
Complex and hard to fully protect against

Password Checker
Functional requirements
• PwdCheck(RealPwd, CandidatePwd) should:
  – Return TRUE if RealPwd matches CandidatePwd
  – Return FALSE otherwise
• RealPwd and CandidatePwd are both 8 characters long
Implementation (like TENEX system)
Clearly meets functional description

    PwdCheck(RealPwd, CandidatePwd)   // both 8 chars
        for i = 1 to 8 do
            if (RealPwd[i] != CandidatePwd[i]) then
                return FALSE
        return TRUE

Attacker Model

    PwdCheck(RealPwd, CandidatePwd)   // both 8 chars
        for i = 1 to 8 do
            if (RealPwd[i] != CandidatePwd[i]) then
                return FALSE
        return TRUE

Attacker can guess CandidatePwds through some standard interface
Naive: Try all 256^8 = 18,446,744,073,709,551,616 possibilities
Better: Time how long it takes to reject a CandidatePwd. Then try all possibilities for the first character, then the second, then the third, ...
• Total tries: 256*8 = 2048

Other Examples
Plenty of other examples of timing attacks
• AES cache misses
  – AES is the “Advanced Encryption Standard”
  – It is used in SSH, SSL, IPsec, PGP, ...
• RSA exponentiation time
  – RSA is a famous public-key encryption scheme
  – It’s also used in many cryptographic protocols and products

Next
Defensive directions

Toward Preventing Buffer Overflow
Use safe programming languages, e.g., Java and C#
• What about legacy C code?
Static/dynamic analysis of source code to find overflows
Black-box testing with long strings
Mark stack as non-executable
Randomize stack location or encrypt return address on stack by XORing with random string
• Attacker won’t know what address to use in his or her string
Run-time checking of array and buffer bounds
• StackGuard, libsafe, many other tools
Example companies: Fortify, Coverity

Non-Executable Stack
NX bit for pages in memory
• Modern Intel and AMD processors support it
• Modern OS support as well
Some applications need an executable stack
• For example, LISP interpreters
Does not defend against return-to-libc exploits
• Overwrite return address with the address of an existing library function (can still be harmful)
…nor against heap overflows
…nor against changing internal stack variables (auth flag, ...)
Embed “canaries” in
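A race-free counterpart to the TOCTOU openfile() from the slides earlier in this deck, added here as an example (not the lecture's own code): open first, then fstat() the descriptor, so the check and the use refer to the same kernel object. The demo helper and its /tmp paths are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Race-free replacement for the slide's openfile(): the regular-file test is
 * done on the descriptor we already hold, not on a path that the attacker can
 * re-point between check and use. O_NOFOLLOW additionally refuses a symlink as
 * the final path component. Returns a descriptor, or -1 for anything that is
 * not a regular file. */
int openfile_safe(const char *path) {
    struct stat s;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* fstat() inspects the open object; a later rename or symlink swap on
     * path cannot change what fd refers to. */
    if (fstat(fd, &s) < 0 || !S_ISREG(s.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demonstration helper (constructed): creates a temporary regular file and a
 * symlink pointing at it, then checks that the file is accepted and the link
 * is refused. Returns 1 if both hold, 0 otherwise. */
int demo_symlink_rejected(void) {
    char file[] = "/tmp/toctou_demo_XXXXXX";
    char link[sizeof file + 4];
    int fd = mkstemp(file), direct, via_link, ok;
    if (fd < 0)
        return 0;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", file);
    if (symlink(file, link) != 0) {
        unlink(file);
        return 0;
    }
    direct = openfile_safe(file);     /* regular file: accepted */
    via_link = openfile_safe(link);   /* symlink: refused by O_NOFOLLOW */
    ok = (direct >= 0) && (via_link == -1);
    if (direct >= 0)
        close(direct);
    unlink(link);
    unlink(file);
    return ok;
}
```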
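The two checks that the slides' vulnerable() and malloc(len + 5) snippets lack, added here as an example (not from the lecture): an explicit sign test before comparing a network-supplied length, and an overflow-checked size computation. Function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Mirrors the slide's `if (len > 80)` test: returns 1 when the check lets
 * len through. A negative len is not caught, because the comparison is
 * done on signed ints. */
int vulnerable_check_passes(int len) {
    return !(len > 80);
}

/* What memcpy() actually receives once the int is implicitly converted:
 * -1 becomes SIZE_MAX. */
size_t as_size_t(int len) {
    return (size_t)len;
}

/* Hardened length check: reject negative values first, then compare as
 * size_t. Returns 1 if len bytes fit into a buffer of cap bytes. */
int length_ok(int len, size_t cap) {
    if (len < 0)
        return 0;
    return (size_t)len <= cap;
}

/* Overflow-checked addition: returns 1 and stores len + extra in *out, or
 * returns 0 if the sum would wrap around. */
int add_size_checked(size_t len, size_t extra, size_t *out) {
    if (len > SIZE_MAX - extra)
        return 0;
    *out = len + extra;
    return 1;
}

/* Checked form of the slide's malloc(len + 5) size: 0 means "refuse to
 * allocate" instead of silently wrapping to a tiny buffer. */
size_t checked_alloc_size(size_t len) {
    size_t total;
    return add_size_checked(len, 5, &total) ? total : 0;
}

/* The unchecked wraparound from the slide made explicit for a 32-bit
 * length field: 0xFFFFFFFF + 5 == 4. */
uint32_t wrapped_alloc_size(uint32_t len) {
    return len + 5u;
}
```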
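The TENEX-style PwdCheck from the Password Checker and Attacker Model slides next to a constant-time version, added here as an example (not the lecture's own code). Rather than timing wall-clock, each function reports how many characters it compared, which is exactly the quantity the timing leaks; the passwords in the test are constructed.

```c
#define PWD_LEN 8

/* Early-exit check from the slides: stops at the first mismatch. *work
 * receives the number of comparisons made; for a wrong guess that is
 * 1 + the length of the correctly guessed prefix, so the running time
 * reveals how many leading characters are right. */
int pwdcheck_early_exit(const char *real, const char *cand, int *work) {
    int i;
    *work = 0;
    for (i = 0; i < PWD_LEN; i++) {
        (*work)++;
        if (real[i] != cand[i])
            return 0;
    }
    return 1;
}

/* Constant-time check: always examines all PWD_LEN bytes and folds the
 * differences together with OR, so neither *work nor the running time
 * depends on where the first mismatch is. */
int pwdcheck_const_time(const char *real, const char *cand, int *work) {
    unsigned char diff = 0;
    int i;
    *work = 0;
    for (i = 0; i < PWD_LEN; i++) {
        (*work)++;
        diff |= (unsigned char)(real[i] ^ cand[i]);
    }
    return diff == 0;
}

/* Convenience wrappers that return only the leaked work count. */
int early_exit_work(const char *real, const char *cand) {
    int w;
    pwdcheck_early_exit(real, cand, &w);
    return w;
}

int const_time_work(const char *real, const char *cand) {
    int w;
    pwdcheck_const_time(real, cand, &w);
    return w;
}
```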