Software Security I: Overview
CSCI 415: Computer and Network Security, Dr. Nazli Hardy
Partially adapted from Computer Security: Principles & Practices, Stallings, Lawrie
Source: SearchsoftwareQuality.techtarget.com

Topics:
– Introduction
– Buffer Overflow
– SQL Injection
– Cross-Site Scripting

Software Security I: Introduction

Some of the most common and widely exploited software vulnerabilities are variants of:
– Buffer Overflow
– SQL Injection
– Cross-Site Scripting

Best countermeasure:
– Awareness and careful programming: not allowing these flaws to occur at all.

These flaws typically occur as a consequence of insufficient checking and validation of data and error codes in programs.

Software Security I: Introduction (continued)

Software quality and reliability is concerned with the accidental failure of a program as a result of some theoretically random, unanticipated input or system interaction.

Solution: testing. This usually involves variations of likely inputs and common errors, with the intent of minimizing the number of bugs that would be seen in general use.

BUT the security problem is not really the total number of bugs, but how often even one is triggered.

Input comes from:
– keyboard/mouse entry
– files
– network connections
– data supplied to the program in the execution environment
– values supplied by the O/S to the program

Software Security I: Buffer Overflow / Buffer Overrun

– Caused as a result of a programming error that allows more data to be stored than the capacity available in a fixed-size buffer.
– The buffer can be on the stack, on the heap, or in global data.
– Examples of consequences of overwriting adjacent memory locations:
  • corruption of program data
  • unexpected transfer of control
  • memory access violation
  • execution of code chosen by the attacker

Software Security I: Buffer Overflow Basics

– The impact of the buffer overflow problem has been felt since 1988, when the Morris worm attack was carried out.
– It is still a problem due to both a legacy of buggy code in widely deployed operating systems and applications, and programs that do not anticipate a certain type of faulty/malicious input.

Timeline:
1988 – the Morris worm
2001 – the Code Red worm exploits a buffer overflow in MS IIS 5.0
2003 – the Slammer worm exploits a buffer overflow in MS SQL Server 2000
2004 – the Sasser worm exploits a buffer overflow in MS Windows
2007
2009

Software Security I: Buffer Overflow Example

(a) Consider this code fragment (buffer1.c). Three variables are declared; assume they are saved in adjacent memory locations, from highest to lowest address, in the order listed (valid, str1, str2). The includes, the TRUE/FALSE definitions and a next_tag() that stores the expected tag "START" are filled in here so the fragment compiles as a whole; the gets() call is the deliberate flaw the slide is about and is kept as is.

    #include <stdio.h>
    #include <string.h>
    #define FALSE 0
    #define TRUE 1

    /* Stores the expected tag in str1 (the slide's helper; "START" matches the runs below). */
    void next_tag(char *str1) { strcpy(str1, "START"); }

    int main(int argc, char *argv[]) {
        int valid = FALSE;
        char str1[8];
        char str2[8];

        next_tag(str1);
        gets(str2);   /* no bounds check: the deliberate flaw (gets() was removed from the language in C11) */
        if (strncmp(str1, str2, 8) == 0)
            valid = TRUE;
        printf("buffer1: str1(%s), str2(%s), valid(%d)\n", str1, str2, valid);
        return 0;
    }

(b) Compiling and running it:

    $ cc -g -o buffer1 buffer1.c
    $ ./buffer1
    START
    buffer1: str1(START), str2(START), valid(1)
    $ ./buffer1
    EVILINPUTVALUE
    buffer1: str1(TVALUE), str2(EVILINPUTVALUE), valid(0)
    $ ./buffer1
    BADINPUTBADINPUT
    buffer1: str1(BADINPUT), str2(BADINPUTBADINPUT), valid(1)

The problem: the gets() function (from the traditional C library) does not include any checking on the amount of data copied. It will read the next line from the program's standard input up to the first newline and write all of it into str2, regardless of the buffer's 8-byte size. In the second run the bytes that do not fit in str2 spill into the adjacent str1, which is why str1 prints as TVALUE. In the third run the 16-byte input overwrites str1 with a copy of its first 8 bytes, so the 8-byte strncmp matches and valid becomes 1 even though the input was not the expected tag.

Software Security I: Buffer Overflow (machine level)

At the basic machine level, all of the data manipulated by machine instructions are stored in either the processor's registers or in memory. The data are simply arrays of bytes. Their interpretation is entirely determined by the function of the instructions accessing them.

Modern high-level programming languages like Java, Ada, Python, and many others have a very strong notion of the type of variables and what constitutes permissible operations on them; thus they do not suffer from buffer overflows. But this flexibility and safety comes at a cost in resource use, both at compile time and in additional code that must be executed at run time to impose checks such as those on buffer limits.

Software Security I: Buffer Overflow (attacks and defenses)

To exploit a buffer overflow an attacker:
– must identify a buffer overflow vulnerability in some program
– must understand how the buffer is stored in memory and determine the potential for corruption

Defend by preventing, or at least detecting and aborting, such attacks:
– test a wider range of inputs
– use dynamically sized buffers
– compile-time defenses, aiming to harden new programs to resist attacks:
  • choosing an appropriate programming language
  • including additional code that may catch/detect corruption
– run-time defenses, aiming to detect and abort attacks in existing programs:
  • alter the properties of regions of memory
  • make predicting the location of targeted buffers sufficiently difficult to thwart many types of attacks

Software Security I: SQL Injection Attacks

Injection attacks:
– flaws relating to invalid input handling which then influences program execution
  • often when the input is passed as a parameter to a helper program or other utility or subsystem
– most often occur in scripting languages
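Returning to the buffer1 example: as an added illustration (not part of the lecture slides or of the Stallings text), here is the same check rewritten with the kind of "additional code that may catch/detect corruption" the compile-time defense slide calls for. gets() is replaced by fgets() bounded to the buffer size, a line that does not fit is rejected rather than silently overflowing or being silently truncated, and the expected tag is copied with the same bound. The helper names next_tag_bounded, read_line_bounded and check_tag are this example's own, as is the use of a temporary file to feed a string through the same reader that main() uses on stdin.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 8   /* the same 8-byte buffers as buffer1.c */

enum tag_result { TAG_IO_ERROR = -2, TAG_TOO_LONG = -1, TAG_MISMATCH = 0, TAG_MATCH = 1 };

/* Bounded stand-in for the slide's next_tag() (hypothetical helper): the tag
   must fit in cap bytes including the terminating NUL, otherwise nothing is
   written and -1 is returned. */
static int next_tag_bounded(char *dst, size_t cap, const char *tag)
{
    size_t len = strlen(tag);
    if (len >= cap)
        return -1;
    memcpy(dst, tag, len + 1);
    return 0;
}

/* Replacement for gets(): read one line into dst, never writing more than cap
   bytes. A line that does not fit is reported (-1) and its remainder drained,
   instead of being written over whatever sits next to dst in memory. */
static int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (fgets(dst, (int)cap, in) == NULL) {
        dst[0] = '\0';
        return -1;                 /* EOF before any data, or a read error */
    }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';         /* complete line: drop the newline */
        return 0;
    }
    /* No newline in the buffer: either the line ended exactly at the limit
       (next character is '\n' or EOF) or it was too long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;
    while (c != '\n' && c != EOF)  /* discard the rest of the over-long line */
        c = fgetc(in);
    return -1;
}

/* The buffer1 check redone with bounded I/O. `input` is written to a temporary
   file and read back as if it were stdin, so the check runs without a terminal. */
enum tag_result check_tag(const char *expected, const char *input)
{
    char str1[BUF_SZ];
    char str2[BUF_SZ];

    if (next_tag_bounded(str1, sizeof str1, expected) != 0)
        return TAG_TOO_LONG;       /* the expected tag itself must fit, NUL included */

    FILE *in = tmpfile();
    if (in == NULL)
        return TAG_IO_ERROR;
    if (fputs(input, in) == EOF) {
        fclose(in);
        return TAG_IO_ERROR;
    }
    rewind(in);
    int rc = read_line_bounded(str2, sizeof str2, in);
    fclose(in);
    if (rc != 0)
        return TAG_TOO_LONG;

    /* Both strings are NUL-terminated inside their buffers, so a full strcmp is
       safe; the original's strncmp(..., 8) only limited the compare, not the copy. */
    return strcmp(str1, str2) == 0 ? TAG_MATCH : TAG_MISMATCH;
}

int main(void)
{
    char str1[BUF_SZ];
    char str2[BUF_SZ];
    int valid = 0;

    if (next_tag_bounded(str1, sizeof str1, "START") != 0)
        return 1;
    if (read_line_bounded(str2, sizeof str2, stdin) != 0) {
        fprintf(stderr, "input rejected: longer than %d characters\n", BUF_SZ - 1);
        return 1;
    }
    if (strcmp(str1, str2) == 0)
        valid = 1;
    printf("buffer1: str1(%s), str2(%s), valid(%d)\n", str1, str2, valid);
    return 0;
}
```

Fed the slide's three inputs, START is accepted as before, while EVILINPUTVALUE and BADINPUTBADINPUT are now rejected with a message instead of corrupting str1 (and, in the third case, being reported as valid). One consequence worth noticing: with 8-byte buffers only 7-character tags fit with their terminator, so an expected tag such as BADINPUT is itself refused by next_tag_bounded; the original's strncmp(str1, str2, 8) hid the fact that an 8-character tag never had room for its NUL.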

