Software Security
Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing of input allowing an attacker to –Read data –Write data –Execute programs
Example 1 int main (int argc, char *argv[]) {char password_ok = 0; if (strcmp(password,"bgu_cse")==0) password_ok=1; else password_ok=1; if (password_ok==1) {...} }
Example 2 int main (i) {int j; char tmp; char password_ok = 0; const char *password = “bgu_cse”; for (j=0; j<7; j++) { tmp = receive_next_password_char(); if (tmp != password[j]) { send (error_message); return password_ok; } password_ok=1; if (password_ok==1) {...} }
Example 3 int main (int argc, char *argv[]) {char password_ok; char password[8]; password_ok = 0; strcpy (password,argv[1]); if (strcmp(password,"bgu_cse")==0) password_ok=1; if (password_ok==1) {...} }
Buffer Overflow Up to 2005 the most common security hole The length of an input buffer is not checked Arbitrary data is appended to legal input Data can be written to memory More importantly: program flow control can be hijacked by attacker Examples: Microsoft IIS version 5.0 (see Blaster vulnerability.
Buffer Overflow stages Send user-controlled data that overflows buffer Include an overflow of a flow-control memory location Use new code –The code can be supplied by the attacker –The code can already exist as part of the attacked software –Injected code is written in machine code to be executed
Buffer Overflow on Stack Local Variables Return Address Parameters Stack Single function memory Stack growth String growth
Function pointers The C language has pointers to functions void (* Pfunc) () declares a variable that points to a function that returns void Function pointers are used when different functions are called according to input/changing state etc. An overflowing buffer next to a function pointer can cause similar problems to stack smashing
Counter Measures Language level –Languages/Libraries that check buffer limits –No buffer overflows in Java or C# –Exchange “unsafe” standard functions with safe counterparts –Block return address overwrite Source code level Compilation level – –Bounds checking at compiler level –Separate stack for return addresses –Canary values between locals and return addresses
Counter Measures (cont.) Operating system level: –Non-executable stack (NX bit) –Mapping standard functions to addresses beginning with 0x00 –First measure does not block arbitrary calls to program functions.
Overflow and pointers void func1 (char *external) { int a, *b; char*array; … strcpy (array, external); … *b = a; } a b array overflow PC Stored execution pointer Exploit code
Stages of pointer based overflow Send user-controlled data that overflows buffer Include exploit code in the overflow Carefully set values of variables a and b When program runs *b=a instruction, the stored pointer for execution that b points to is changed to beginning of exploit code Program execution jumps to exploit code
Heap overflow A program stores data in three places –Data segment for static variables –Stack segments for a function’s local variables –Heap for dynamically allocated memory Memory in heap allocated by instructions such as malloc or new Buffer overflow in heap allows “pointer based” exploit Heap operation depends on platform
Heap A program performs two operations with dynamic memory –It allocates memory –It frees allocated memory The heap manages memory Fragmentation of memory blocks – one of the main problems of managing dynamic memory Solution – merge free blocks together when possible
Example: heap as linked list Heap consists of doubly linked list of memory blocks Each block –Previous pointer –Next pointer –Size – number of words –Used flag – 0 if the block is free and 1 if it’s used
Example: Initialization Null NextPrevSizeUsed
Example: allocation of block Null9920 NextPrevSizeUsed 1 Data 4Null
Data 4Null 1 Data 4 Example: another allocation NextPrevSizeUsed heap heap next heap next next
Null Data 4Null 0 Data 4 Example: free a block NextPrevSizeUsed ptr next next prev= ptr next prev ptr next= ptr next next ptr ptr next 1 Data 4
Null Data 4Null 0 Data 12 Example: free a block NextPrevSizeUsed ptr next next prev= ptr next prev ptr next= ptr next next ptr ptr next
Null Data 4Null 0 Data 4 Exploit: heap overflow NextPrevSizeUsed ptr next next prev= ptr next prev ptr next= ptr next next ptr ptr next 1 Data 4 Pointer to Exploit code Pointer to Execution address Overflow
Cross Site Scripting
HTTP Basic function –A web client requests a page –Requests are identified by URL –A web server serves the page In this basic scheme, content is dull Enhancements –Client supplies data to web application (server) –Server returns answers as function of data –Client executes local scripts
Client side scripts Javascript Active-X VBscript Executing scripts is essential for most web applications, e.g. gmail Client allows remote entity (server) to run software (script) on client machine The scripts are therefore limited to browser context: passwords, cookies etc.
Cross site The client allows a trusted server (e.g. gmail) to invoke a script When surfing to another site, that site can’t run scripts that use the trusted site’s data (e.g. password). Cross site scripting: attacker runs a script as if it came from the trusted site. Google ads on different sites learn user preferences and serve appropriate ads
Example
Example – source HTML
Cross Site Scripting Attack (XSS) Web server is vulnerable to attack –Sends scripts to client –Doesn’t check source or content of script –Example – echoing client URL back to the client without checking –Example – serving content provided by an attacker (e.g. forum) Client is target of attack –Executes script
XSS – what is at stake? Script can read any data in the web site’s context –Cookies –Passwords –Keystrokes Script can pass this data to attacker –Directly in URL –Indirectly by opening a side channel (e.g. loading one out of a pair of pictures to signisl a bit 0 or 1)
XSS-Attack: Reflected Attack Click on this great link attack code 1. Attacker sends malicious code 2. Client user sends code (unwittingly) to server 3. Server reflects code to client 4. Browser executes script attack code attack code Attacker Client Web Server !!! attack code !!! Source: Eurosec project
XSS-Attack: Stored Attack Post Forum Message: Subject: GET Money for FREE !!! Body: attack code 1. Attacker sends malicious code 2. Server stores message Did you know this? User requests message 4. Message is delivered by server 5. Browser executes script in message GET Money for FREE !!! attack code Get /forum.jsp?fid=122&mid=2241 Attacker Client Web Server GET Money for FREE !!! attack code !!! attack code !!! Re: Error message on startup..... I found a solution!..... Can anybody help?..... Error message on startup..... Source: Eurosec project
Where script is executed... Source: [IE] & [code] [N4] &{[code]}; [N4] [IE] [N4] [code] "> <meta http-equiv="refresh" content="0;url=javascript:[code]"> <div style="background-image: url(javascript:[code]);"> [IE] [Mozilla] [IE] [N4] [code] [IE] <object classid="clsid:..." codebase="javascript:[code]"> [code]//--> [code] " onmouseover="[code]"> <script>[code]</script>; <div datafld="b" dataformatas="html" datasrc="#X"> [UTF-8; IE, Opera] [\xC0][\xBC]script>[code][\xC0][\xBC]/script>
Countermeasures - Server Fairly easy –Canonicalization of user supplied data (Unicode and other translations are turned into canonical representation) –Do not reflect scripts –Do not store scripts –Check all data, including hidden HTTP fields: referrer, method etc. Harder (site wishes to serve user supplied scripts) –Check that user supplied data does no harm –How exactly?
Countermeasures - Client Easy –Canonicalization of server data –Block all scripts Effect – very boring surfing experience Tainting objects –Do not send sensitive data (e.g. cookies) to any site other than original site –Do not send any data changed (“tainted”) by sensitive data Limitations –Some data, such as keystrokes is difficult to classify –Indirect information passing, such as the picture method may bypass such measures. –Performance hit