Software Security CS461/ECE422 Spring 2012

Reading Material Chapter 12 of the text

Outline Review common vulnerabilities in programs Input Checking Program Logic Errors Errors Interacting with the OS Output handling

Software Vulnerabilities Generally a result of poor programming practices. OWASP top 10 Web Application Security risks – SP_Top_Ten_Project SP_Top_Ten_Project – A good number are developer bugs

Security in Design and Architecture Security concerns must be considered up front Security impacts system architecture – Perhaps re-architect to ameliorate security concerns – Security architecture can be used to drive testing – True even for projects with no “security features” Leaving security to the test phase (or later) is not a good idea to say the least

Defensive Programming or Secure Coding Mostly good software engineering – Except when considering security must consider a malicious actor – Traditional software engineering concentrates dealing with errors due to accidents Goal – Continued functioning of software in spite of unforeseeable usage of said software. Conflicts with time to market

Make No Assumptions! Don’t assume the user won’t enter more than 512 characters on the command line Don’t that there will always be enough disk space OR codify and enforce your assumptions

Handling User Input This is where the user (malicious or innocent) can directly impact the program – Always verify the user input – White list expected results Input can come from a number of places – Text entry – Configuration files – Environment variables – Network

Injection Attacks Error in input handling that results in unexpected execution flow Often occurs in scripting languages – Script writer expects user input to be data – But user inputs text that will be interpreted as code

Unsafe Perl Script

Running Script With user = lpb Finger user Login Name lpbLawrie Brown With user=‘xxx; echo attack success; ls finger*’ Finger User attack success finger.cgifinger.html Command injection. Running arbitrary commands at the privilege of the web user id.

Safer Script counter attack by validating input – compare to pattern that rejects invalid input – see example additions to script:

SQL Injection Or why is this XKCD comic funny –

SQL Injection another widely exploited injection attack when input used in SQL query to database – similar to command injection – SQL meta-characters are the concern – must check and validate input for these

Code Injection further variant input includes code that is then executed – see PHP remote code injection vulnerability variable + global field variables + remote include – this type of attack is widely exploited

04/10/0716 Cross Site Scripting (XSS) Goal – Inject malicious code into web pages viewed by others.  Sites that allow HTML formatted user input to be stored, e.g. Blog comments, wiki entries.  Enter the following into a form that then shows the original query in the response. confirm("Do you hate purple dinosaurs?");

XSS Example cf. guestbooks, wikis, blogs etc where comment includes script code – e.g. to collect cookie details of viewing users need to validate data supplied – including handling various possible encodings attacks both input and output handling

Alternate Encodings

Input Checks Example of evading input checks – Samy’s explanation of his Myspace worm – Canonicalize input before performing checks – Map the multiple versions of ‘A’ to a particular value Issue for numeric values too – Is the number 16 bits or 32? – Signed or unsigned? Negative number or large positive

Input Fuzzing Generate “random” inputs to test programs – Environment variables – Input strings – Network values Could be completely randomized or somewhat structured – Minifuzz – ShareFuzz – Spike – MuDynamics Standard component of Microsoft’s Software Development Lifecycle

More Fuzz - SPIKE An input language for creating variant network packets From WireShark output, make it easy to express new packets – a_binary(“ ”) Data: – a_block_size_big-endian_word(“Blockname”); Data: – a_block_start(“Blockname”) a_binary(“ ”) Data: – a_block_end(“Blockname”); Data:

Writing Correct/Safe Code Is your algorithm correct? – Incorrect use of random number generators Bad seeds E.g. Code Red and Netscape TCP session hijacking – How random is the sequence number? Leaving in test code – Used by Morris Worm

Is there a bug in the compiler? Ken Thompson Trojan compiler example Required for higher levels of Common Criteria – Correspondence of design, source, and object code.

Correct Use of Memory Memory Leak – Run process out of memory. DoS Free/Allocation errors – Heap overflow, can enable arbitrary execution Could be solved by – Heap randomization – Tools to track heap utilization Valgrind Duma

Race Conditions and Shared Memory Multiple threads of control accessing a common memory location – Subtle (and not so subtle) errors in synchronization are possible – Multiple writers – Writing while another thread is reading – Deadlocks Errors vary from invocation to invocation Attacker could attempt to trigger a latent threading error

Environment Variables Another way for the program to get input – And should be treated as such Generally set up for the user – Sysadmin creates a profile for the user that initializes the environment Environment variables read by compiled programs and scripted program

Example Vulnerable Scripts using PATH or IFS environment variables cause script to execute attackers program with privileges granted to script – SetUID root scripts would be attractive almost impossible to prevent in some form – Though the use of IFS has been restricted in most modern shells

Path Attack On Libraries Dynamic libraries are loaded at invocation time Loader must search the system to find the libraries needed by the executable – LD_LIBRARY_PATH – Flexibility vs attack avenue

Least Privilege Ideally run a program with as many privileges and access rights as it needs but no more – What’s the hard in too much access? Root in Unix Web servers and file access – What files does the web server process need to read? Need to write? How long does a program need special privilege? – E.g., a low port network service program Divide program into sets of processes – Move the privilege required elements into smaller, simpler processes

System Calls and Standard Library Functions programs use system calls and standard library functions for common operations – and make assumptions about their operation – if incorrect behavior is not what is expected may be a result of system optimizing access to shared resources by buffering, re-sequencing, modifying requests – can conflict with program goals

Secure File Shredder

Race Conditions Files can be used to synchronize access to OS resources between processes If [ ! –e $file ] then touch $file else echo “You don’t have the lock” fi Time of check to time of use (TOCTOU)

Temporary Files Many programs create temporary intermediate files – Can create unique names based on process id – How could an attacker leverage this? do { filename = tempnam(NULL, “foo”); fd = open(filename, ….) free(filename); } while (fd == -1);

Output Checking Example 1 – Active display VT100 command characters Or X-terminal display hijack Example 2 – Cross Site Scripting Generate display from stored data Data is interpreted as command

Summary Useful to look at common software vulnerabilities – Know common issues to avoid going forward Even more important to consider security in the design architecture – More likely to catch/avoid problems if you think from the security perspective up front – Someone will be thinking from the security perspective eventually