Secure Coding Techniques " ... the world outside your function should be treated as hostile and bent upon your destruction" [Writing Secure Code, Howard and LeBlanc] "Distrust and caution are the parents of security" - Benjamin Franklin

Three Critical Programming Errors* accepting input from users without validating and sanitizing the input “… the number one killer of healthy software” Monster Mitigations [2011, The MITRE Corporation] allowing data placed in buffers to exceed the length of the buffer “Buffer overflows are Mother Nature's little reminder of that law of physics that says: if you try to put more stuff into a container than it can hold, you're going to make a mess.” Classic Buffer Overflow [2011, The MITRE Corporation] handling integers incorrectly “In the real world, 255+1=256. But to a computer program, sometimes 255+1=0, or 0-1=65535, or maybe 40,000+40,000=14464. […] When programmers forget that computers don't do math like people, bad things ensue - anywhere from crashes, faulty price calculations, infinite loops, and execution of code.” Integer Overflow [2011, The MITRE Corporation] *Responsible for 90% of the critical security vulnerabilities in 2006; SANS Institute. ** 2011 CWE/SANS Top 25 Most Dangerous Software Errors [2011, The MITRE Corporation]

March 23, 2017 – Three days, $833,000 acquiring 51 different bugs March 23, 2017 – Three days, $833,000 acquiring 51 different bugs. Targets: Microsoft, Apple, Adobe and Mozilla with extra incentives for SYSTEM or ROOT level privileges. [Pwn2Own, hosted by Zero Day Initiative, Trend Micro @ CanSecWest.] Mozilla Firefox - an integer overflow and an uninitialized buffer in the Windows kernel to escalate privileges Apple Safari - an info disclosure, 4 different type confusion bugs, and use-after-free vulnerability to escalate to root Adobe Reader - an info leak in Reader followed by a UAF to get code execution. Then leveraged a UAF in the kernel to gain SYSTEM-level privileges. Microsoft Edge - an arbitrary write in Chakra and a logic bug within the sandbox to escape the sandbox. Microsoft Windows - an integer overflow in the kernel to escalate privileges.

March 25, 2017 – Final Day: escaping the virtual machine, getting root, and how to go from guest to root. [Pwn2Own, hosted by Zero Day Initiative, Trend Micro @ CanSecWest.] a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. two separate use-after-free (UAF) bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel. Virtual Machine Escapes (Guest-to-Host) category: a Windows kernel UAF, a VMWare Workstation info leak, and an uninitialized buffer in Workstation to go guest-to-host. [VMware Tools were not installed in the guest.]

Buffer Overflows data can be stored: - in the program area - on the stack - in the heap in many systems, a memory area is either writable or executable but not both e.g. cannot write into program area → “heap error” buffer overflows in this configuration (program data area) are rare main … … data area 1 sr1 … data area 2 sr2 … JSR XXX DC.L data data area 3

Static Buffer Overflow (stack frame configuration) calling program: define return area push parameters on stack call routine parameter cleanup called program: set up stack frame with local area save registers … do stuff restore registers collapse frame return saved registers local area A6 → A6 old PC (return) parameters return area SP →

Static Buffer Overflow the local area of the routine contains the buffer for a string routine depends on a null terminated string BUT does not calculate the length of the string OR calculates string length but doesn’t verify it against the maximum length user input overflows the buffer intentional vs unintentional SP → saved registers local area A6 → A6 old PC (return) parameters

Static Buffer Overflow What would you like to do? replace the return address with the address of your routine trash the pointer/return for denial of service put payload in local area and execute now or later remember, you can use the frame pointer to do address calculations and local area does not “disappear” payload in local area modifies parameter on previously stacked frame

Heap-based Buffer Overflows heaps are dynamically allocated can overwrite key data can overwrite function pointers in memory can inject code and manipulate pointer to cause execution MS adds cookies to the heap. If cookies are missing/corrupt, raise a heap buffer s/w exception. hdr 1[nxt,prev,s,u] memory space 1 hdr 2[nxt,prev,s,u] memory space 2 header free free memory

Heap-based Buffer Overflows hdr 1[nxt,prev,s,u] memory space 1 hdr 2 memory space 2 header free free memory

Buffer Overflows Attacker’s goal: run own code with privilege To achieve the goal: attack code must be available in the original program’s address space inject the code (payload) on the stack (local variables) on the heap (malloc’d variables) in the static data area (DC,DS) already on user’s machine original program must jump to the attack code modify code addresses

Reading: Three Programming Errors Most Frequently Responsible for Critical Security Vulnerabilities [SANS, ©2007] Secure Coding Guide – Types of Security Vulnerabilities [© 2014 Apple Inc.] Understanding Pool Corruption Part 1 – Buffer Overflows (optional) [@2016 Microsoft] Pool is kernel mode memory used as a storage space for drivers (software that allows your computer to communicate with hardware or devices). If a driver uses more space than is allocated (a buffer overflow), they will write into the next driver’s space and corrupt that driver’s data. When this corrupted memory is run, things will not go well (typically, a blue screen). @RISK: The Consensus Security Vulnerability Alert: March 23, 2017 @RISK provides a weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) explanations of how recent attacks worked.