Software Security I

Overview: Introduction; Buffer Overflow; SQL Injection; Cross-Site Scripting
Source: SearchSoftwareQuality (techtarget.com)
CSCI 415 Computer and Network Security, Dr. Nazli Hardy
Partially adapted from Computer Security: Principles and Practice (Stallings, Lawrie)

Software Security I: Introduction

Some of the most common and widely exploited software vulnerabilities are variants of:
- Buffer Overflow
- SQL Injection
- Cross-Site Scripting

Best countermeasure: awareness and careful ("smart") programming that does not allow them to occur at all. These flaws typically occur as a consequence of insufficient checking and validation of data and error codes in programs.

Software Security I: Introduction (continued)

Software quality and reliability is concerned with the accidental failure of a program as a result of some theoretically random, unanticipated input or system interaction. Solution: testing. This usually involves variations of likely inputs and common errors, with the intent of minimizing the number of bugs that would be seen in general use. BUT for security the problem is not really the total number of bugs; it is how often even one of them can be triggered, because an attacker deliberately searches for the input that does so.

Input includes: keyboard and mouse entry; files; network connections; data supplied to the program in the execution environment; values supplied by the OS to the program.

Software Security I: Buffer Overflow

Buffer overflow (buffer overrun): caused as a result of a programming error that allows more data to be stored than the capacity available in a fixed-sized buffer. The buffer can be on the stack, on the heap, or in global data. Examples of consequences of overwriting adjacent memory locations:
- corruption of program data
- unexpected transfer of control
- memory access violation
- execution of code chosen by the attacker

Software Security I: Buffer Overflow Basics

The impact of the buffer overflow problem has been felt since 1988, when the Morris worm attack was carried out. It is still a problem due to both a legacy of buggy code in widely deployed operating systems and applications, and programs that do not anticipate a certain type of faulty or malicious input.
- 1988: the Morris worm
- 2001: the Code Red worm exploits a buffer overflow in MS IIS 5.0
- 2003: the Slammer worm exploits a buffer overflow in MS SQL Server 2000
- 2004: the Sasser worm exploits a buffer overflow in MS Windows
- 2007-2009

Software Security I: Buffer Overflow Example

(a) Consider this code fragment. Its three local variables are assumed to be saved in adjacent memory locations, from highest to lowest address: valid, str1, str2.

    #include <stdio.h>
    #include <string.h>

    #define FALSE 0
    #define TRUE  1

    /* next_tag() is not shown on the slide; the runs below imply that it
       stores the expected tag "START" in str1 (assumption). */
    void next_tag(char *tag) { strcpy(tag, "START"); }

    int main(int argc, char *argv[]) {
        int valid = FALSE;
        char str1[8];
        char str2[8];

        next_tag(str1);
        gets(str2);                  /* unbounded read: the vulnerability */
        if (strncmp(str1, str2, 8) == 0)
            valid = TRUE;
        printf("buffer1: str1(%s), str2(%s), valid(%d)\n", str1, str2, valid);
        return 0;
    }

Problem: the gets function from the traditional C library does not include any checking on the amount of data it copies. It will read the next line from the program's standard input, up to the first newline, into str2 no matter how long that line is (which is why gets was removed from the C11 standard).

    $ cc -g -o buffer1 buffer1.c
    $ ./buffer1
    START
    buffer1: str1(START), str2(START), valid(1)
    $ ./buffer1
    EVILINPUTVALUE
    buffer1: str1(TVALUE), str2(EVILINPUTVALUE), valid(0)
    $ ./buffer1
    BADINPUTBADINPUT
    buffer1: str1(BADINPUT), str2(BADINPUTBADINPUT), valid(1)

In the second run the 14-character input plus its terminator overflows the 8-byte str2, and its tail "TVALUE" overwrites str1. In the third run the first 8 bytes fill str2 and the next 8 land exactly in str1, so the two buffers compare equal and valid is set to 1 even though the expected tag was never entered: the attacker has chosen the value that the program believed it had stored itself.

Software Security I: Buffer Overflow (continued)

At the basic machine level, all of the data manipulated by machine instructions are stored either in the processor's registers or in memory. The data are simply arrays of bytes. Their interpretation is entirely determined by the function of the instructions accessing them.
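The slide's buffer1 program, reworked here as an added example (this is not the slide's code) so that the overrun is reproducible and checkable: the three variables are placed in a struct in the order the slide assumes (str2 lowest, then str1, then valid), because real stack locals may be reordered or padded by the compiler; next_tag() is assumed to write "START"; the unbounded copy is written by hand so it behaves like gets() without depending on stdin; and a bounded reader shows the missing check. The three inputs are the ones from the slide's runs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The slide's three variables, pinned to the layout the slide assumes:
   str2 at the lowest address, str1 directly above it, valid above that.
   A struct fixes this layout; stack locals may be reordered or padded. */
struct frame {
    char str2[8];
    char str1[8];
    int  valid;
};

/* gets()-style read: copies bytes up to and including the terminator with
   no bound on the destination. The copy goes through a byte pointer into
   the struct, so the overrun lands in str1 (and valid) rather than outside
   our own object. Inputs that would run past the whole struct are refused
   so the demonstration itself stays memory-safe. */
int unsafe_read(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;                  /* bytes incl. the NUL */
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, str2);

    if (n > sizeof *f - offsetof(struct frame, str2))
        return -1;
    for (size_t i = 0; i < n; i++)                 /* never compares against sizeof str2 */
        dst[i] = (unsigned char)input[i];
    return 0;
}

/* fgets()-style read with the check gets() lacks: anything that does not
   fit in str2 (7 characters plus NUL) is rejected, not silently truncated,
   so str1 and valid are never written. */
int safe_read(struct frame *f, const char *input)
{
    int needed = snprintf(f->str2, sizeof f->str2, "%s", input);

    if (needed < 0 || (size_t)needed >= sizeof f->str2) {
        f->str2[0] = '\0';
        return -1;
    }
    return 0;
}

/* Runs the slide's logic on one input. next_tag() is assumed to store
   "START" in str1, as the slide's first run implies. Returns valid,
   or -1 if the bounded reader rejected the input. */
int run_check(struct frame *f, const char *input, int use_safe_read)
{
    memset(f, 0, sizeof *f);
    strcpy(f->str1, "START");                      /* next_tag(str1) */
    if ((use_safe_read ? safe_read(f, input) : unsafe_read(f, input)) != 0)
        return -1;
    f->valid = strncmp(f->str1, f->str2, 8) == 0;
    return f->valid;
}

int main(void)
{
    const char *inputs[] = { "START", "EVILINPUTVALUE", "BADINPUTBADINPUT" };
    struct frame f;

    for (int safe = 0; safe < 2; safe++)
        for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
            int v = run_check(&f, inputs[i], safe);
            /* %.8s stops at the array end even when no NUL is inside it */
            printf("%s read: input %-16s str1(%.8s) str2(%.8s) valid(%d)\n",
                   safe ? "bounded  " : "unbounded", inputs[i], f.str1, f.str2, v);
        }
    return 0;
}
```

The unbounded runs reproduce the slide's output (str1 becomes "TVALUE", and "BADINPUTBADINPUT" yields valid=1); the bounded runs accept only "START". Note that with the 16-character input the terminator itself is written into the first byte of valid, which is the step from data corruption to control over a decision the program trusts.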
Modern high-level programming languages like Java, Ada, Python and many others have a very strong notion of the type of variables and what constitutes permissible operations on them; thus they do not suffer from buffer overflows in the code written in them (the language runtime and any native libraries it calls are still usually C or C++ and can have overflows of their own). But this flexibility and safety comes at a cost in resource use, both at compile time and in additional code that must be executed at run time to impose checks such as those on buffer limits.

Software Security I: Buffer Overflow Attacks and Defenses

To exploit a buffer overflow an attacker must:
- identify a buffer overflow vulnerability in some program
- understand how the buffer is stored in memory and determine the potential for corruption

Defend by preventing, or at least detecting and aborting, such attacks:
- test a wider range of inputs; use dynamically sized buffers
- compile-time defenses aim to harden new programs to resist attacks: choosing an appropriate programming language; including additional code that may catch or detect corruption
- run-time defenses aim to detect and abort attacks in existing programs: alter the properties of regions of memory; make predicting the location of targeted buffers sufficiently difficult to thwart many types of attacks

Software Security I: SQL Injection Attacks

Injection attacks: flaws relating to invalid input handling which then influences program execution, often when the input is passed as a parameter to a helper program or other utility or subsystem. They most often occur in scripting languages (Perl, PHP, Python, etc.). SQL injection is the most widely exploited injection attack.

Software Security I: SQL Injection Example

    $name = $_REQUEST['name'];
    $query = "SELECT * FROM suppliers WHERE name = '" . $name . "';";
    $result = mysql_query($query);

This takes a name provided as input to the script, typically from a form field. It then uses this value to construct a request to retrieve the records relating to that name from the database. If a suitable name is provided, for example Peter, then the code works as intended, retrieving the desired record. (mysql_query belongs to the old PHP mysql extension, removed in PHP 7; its replacements, mysqli and PDO, support prepared statements.) However an input such
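Added example (not the slide's code): the slide's query construction rebuilt in C, alongside the defensive-coding variant that doubles every single quote in the name, and a small quote-aware scanner that reports whether the user's text ended up at statement level. The three inputs (a benign name, a name containing a legitimate apostrophe, and the classic tautology payload) are constructed for this example; the scanner is a demonstration check, not a SQL parser.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char PREFIX[] = "SELECT * FROM suppliers WHERE name = '";
static const char SUFFIX[] = "';";

/* Mirrors the slide's PHP: the raw name is pasted into the SQL text, so a
   quote in the name closes the literal and whatever follows is read as
   SQL. The caller frees the result. */
char *build_query_concat(const char *name)
{
    size_t len = strlen(PREFIX) + strlen(name) + strlen(SUFFIX) + 1;
    char *q = malloc(len);

    if (q != NULL)
        snprintf(q, len, "%s%s%s", PREFIX, name, SUFFIX);
    return q;
}

/* Defensive-coding variant: every single quote in the name is doubled (the
   SQL-standard escape), so the attacker's text can never close the literal.
   This is what a mysql_real_escape_string()-style helper does by hand; a
   parameterised (prepared) statement removes the need for it entirely. */
char *build_query_escaped(const char *name)
{
    size_t quotes = 0, len;
    char *q, *out;

    for (const char *p = name; *p; p++)
        if (*p == '\'')
            quotes++;
    len = strlen(PREFIX) + strlen(name) + quotes + strlen(SUFFIX) + 1;
    q = malloc(len);
    if (q == NULL)
        return NULL;
    memcpy(q, PREFIX, strlen(PREFIX));
    out = q + strlen(PREFIX);
    for (const char *p = name; *p; p++) {
        if (*p == '\'')
            *out++ = '\'';                 /* ' becomes '' */
        *out++ = *p;
    }
    memcpy(out, SUFFIX, strlen(SUFFIX) + 1);
    return q;
}

/* Minimal lexer for single-quoted literals ('' inside a literal is an
   escaped quote). Returns 1 if `token` occurs outside every literal, i.e.
   at statement level where it changes what the query does. */
int token_outside_literals(const char *sql, const char *token)
{
    size_t tlen = strlen(token);
    int in_literal = 0;

    for (const char *p = sql; *p; p++) {
        if (in_literal) {
            if (*p == '\'') {
                if (p[1] == '\'')
                    p++;                   /* escaped quote: stay inside */
                else
                    in_literal = 0;
            }
        } else if (*p == '\'') {
            in_literal = 1;
        } else if (strncmp(p, token, tlen) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Builds the query either way and reports whether " OR " reached statement
   level: 1 = injected, 0 = contained in the literal, -1 = out of memory. */
int structure_changed(const char *name, int escape)
{
    char *q = escape ? build_query_escaped(name) : build_query_concat(name);
    int r;

    if (q == NULL)
        return -1;
    r = token_outside_literals(q, " OR ");
    free(q);
    return r;
}

int main(void)
{
    /* Constructed inputs for the demonstration. */
    const char *names[] = { "Peter", "O'Brien", "' OR '1'='1" };

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *c = build_query_concat(names[i]);
        char *e = build_query_escaped(names[i]);
        printf("input  : %s\nconcat : %s  [injected: %d]\nescaped: %s  [injected: %d]\n\n",
               names[i], c, structure_changed(names[i], 0), e, structure_changed(names[i], 1));
        free(c);
        free(e);
    }
    return 0;
}
```

With the tautology payload the concatenated query becomes `... WHERE name = '' OR '1'='1';`, which matches every row; the escaped query keeps the whole input inside one literal. Escaping is only correct when the database decodes the literal with the same character set the escaper assumed (multi-byte charset mismatches have defeated it in MySQL), which is why prepared statements, which send the value separately from the query text, are the preferred fix.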