Fall 2008, CS 334: Computer Security, Slide #1: Program Security
Buffer Overflows
Incomplete Access Control

Slide #2: Why Program Security?
Because program flaws are the gateway through which many attacks are launched:
–Intrusion detection and network security (e.g. firewalls) are necessary because computers (and specifically the programs they run) are vulnerable to attack.
Because understanding how programs are attacked can help you to write more secure code.

Slide #3: Secure Programs
How do we define the term "secure program"?
–A program that meets its specification? Specifications can be incorrect, incomplete, or vague. Consider the example in the text (p. 96) of "locked" computers that all used the same keys.
How do we identify secure programs?
–By the number of faults discovered and fixed during design, development, etc.?

Slide #4: History: Fixing Faults
Software engineering research has shown that software with many faults early on is likely to have many others waiting to be found.
"Penetrate and Patch": analysts search for and repair faults.
–Badness: pressure to repair a specific fault often causes tunnel vision (failure to consider context)
–Faults often have non-obvious side effects in places other than the immediate area of the fault
–Fixed faults can cause system performance or operation to suffer

Slide #5: Secure Programs
Often (somewhat vaguely) based on the notion of expectation: does a program behave as the designer and users expect?
Program security flaw: unexpected behavior
–Lots of terminology (vulnerability, flaw, fault, failure, etc.)
–Who cares: we only need to know the cause (what fault caused the problem) and the effect (what failure is visible to the user)

Slide #6: Intention
The textbook makes a big deal out of the notion of malicious versus non-malicious flaws.
Misleading:
–Is a buffer overflow non-malicious? Yes, because the flaw is often the result of an accidental oversight by the programmer. No, because a buffer overflow attack can be, well, not good.

Slide #7: Three Types of Vulnerabilities
Buffer Overflow
Incomplete Mediation
Time-of-Check to Time-of-Use (TOCTOU) Errors

Slide #8: Buffer Overflow
Simply put, trying to squeeze too much stuff into too small a space.
Defn: a buffer (or array or string) is a space in which data can be held.
–Usually the programmer needs to have declared the size of the buffer beforehand (but not always)
–Also, the size cannot always be determined through static analysis (it may be a run-time decision)

Slide #9: Buffer Overflow
Is this access out of bounds?
Upshot: the compiler cannot identify all out-of-bounds accesses.
Hope that the language run-time flags this (if bad). Many don't (e.g. C).

Slide #10: Buffer Overflow
The effect of an overflow is that data outside the buffer is overwritten.
The exact effect depends on what is overwritten:
–User's data?
–User's program code?
–System data?
–System program code?
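As an added example (not from the slides), the unbounded copy the slides describe next to a bounded version that checks the run-time length against the declared buffer size; the function names and the 16-byte buffer are made up for this illustration:

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* declared size; the input length is only known at run time */

/* The defect the slides describe: strcpy() trusts the caller to have sized the
 * destination. Anything longer than NAME_LEN-1 bytes overwrites whatever sits
 * next to 'name' on the stack (other locals, saved frame data). Shown only for
 * contrast; it is never called with an over-long input here. */
int store_name_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                      /* no bound check at all */
    return (int)strlen(name);
}

/* Hardened: measure the input against the declared size before copying a
 * single byte. Returns 0 on success, -1 if the input does not fit. An
 * over-long value is rejected rather than silently truncated, so a bad
 * input can never masquerade as a valid shorter one. */
int store_name_checked(char *dst, size_t dstsize, const char *input)
{
    size_t n = 0;
    while (n < dstsize && input[n] != '\0')   /* never scan past dstsize */
        n++;
    if (n == dstsize)                         /* no NUL inside the buffer: too long */
        return -1;
    memcpy(dst, input, n + 1);                /* n bytes plus the terminator */
    return 0;
}

/* Exercise the checked copy with a short and an over-long input (both
 * constructed here). Returns 1 if the short one is accepted intact and the
 * long one rejected, 0 otherwise. */
int demo_bounded_copy(void)
{
    char name[NAME_LEN];
    char overlong[64];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    int short_ok = store_name_checked(name, sizeof name, "alice") == 0 &&
                   strcmp(name, "alice") == 0;
    int long_rejected = store_name_checked(name, sizeof name, overlong) == -1;
    return short_ok && long_rejected;
}

int main(void)
{
    printf("unchecked copy of a short name: %d bytes\n", store_name_unchecked("bob"));
    printf("checked copy: %s\n",
           demo_bounded_copy() ? "short accepted, long rejected" : "FAIL");
    return 0;
}
```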

Slide #11: Buffer Overflow Details
You read about them ("Smashing the Stack for Fun and Profit"). Two parts:
–Buffer overrun operation that modifies control flow
–Execution of the payload
Other good references are
–Pincus and Baker, "Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns"
–DilDog, "The Tao of Windows Buffer Overruns"

Slide #12: Trampolining
Allows an attacker to apply a buffer overflow when the attacker doesn't know the absolute address of the buffer (buff).
Key insight: if a program register R contains a value relative to buff, control can be transferred to buff by first transferring control to a sequence of instructions that indirectly transfers via R.
–Key: finding such a sequence of instructions at a well-known or predictable address (this is the "trampoline")

Slide #13: Another Enhancement
Separate the two parts of the buffer overflow.
–Useful if the buffer being overrun is too small for the payload
–Attacker arranges for the payload to be in another location, possibly executed later
Payload in the program's memory space? Stored in an environment variable (because these are typically accessible on Linux systems from a well-known address near the base of the stack).

Slide #14: Heap Overflow
The stack is used to store local variables.
The heap stores memory that is global and also memory that is dynamically allocated (e.g. via a call to malloc()).

Slide #15: Arc Injection Attack
Instead of supplying code, supply data that will lead to the desired effect when the program's existing code operates on it.
–E.g. the attacker supplies a command line that the program under attack will use to spawn another process
Called arc injection because the attack causes a new arc (control-flow transfer) in the program's control-flow graph, as opposed to code injection (e.g. smashing the stack), which also inserts a new node into the graph.

Slide #16: Arc Injection Basic Example
A stack buffer overrun modifies the saved return address to point to a location in the program's address space
–Specifically, to a location within the system function in the C standard library
–The system function takes an arbitrary command line as its argument, checks the argument's validity, loads it into a register R, and makes a call to create the process

Slide #17: Arc Injection Example (cont)
The attacker arranges for R to point to an attacker-supplied string, then jumps directly to the location target, bypassing the validity check and the assignment.
The C standard library is loaded at a well-known location in most processes, so computing target's absolute address is straightforward.

Slide #18: Arc Injection Example (cont)
How does the attacker get R to point to the attacker-supplied string?
–It can be trivial: programs routinely reuse registers, so it would not be unusual for the program to use R in the procedure in which the buffer overrun occurs (e.g., pointing to buff in the code below).
–The attacker simply writes the command-line string into buff and ensures that target's location appears at the correct offset in the buffer to overwrite the return address
–Then on return, control is passed to the middle of the system function

Slide #19: Pointer Subterfuge
Four flavors:
–Function-pointer clobbering
–Data-pointer modification
–Exception-handler hijacking
–Virtual pointer (VPTR) smashing
Bottom line: if you can control pointers, you can cause memory to be overwritten, etc.

Slide #20: Incomplete Mediation
An example: =(808) &parm2=2009Jan17
This URL causes the execution of code on the server that reads the two parameters parm1 and parm2.
–There may be code on the client (browser) page that checks the validity of the parameters.
–It's likely also that the values were entered using forms that prohibit certain kinds of entries for various fields
–But the parameters are packed into the URL line, which is user-modifiable. So whatever checks were made are ineffective.

Slide #21: Incomplete Mediation
The problem: the sensitive data was not completely mediated; it was placed in an exposed, uncontrolled condition.
A true-life example:
original: &qy=20&price=10&ship=boat&shipcost=5&total=205
modified: &qy=20&price=10&ship=boat&shipcost=5&total=25
Question: why even transmit price data?!
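An added example, not from the slides, that mediates the order above completely on the server: it parses the query string, recomputes the total from server-held prices, and flags the modified request; the unit price, the shipping-cost table and the function names are constructed for this illustration:

```c
#include <stdlib.h>
#include <string.h>

/* Trusted values held on the server (constructed for this example): the unit
 * price of the item and the cost of each shipping method. Nothing the client
 * sends for "price", "shipcost" or "total" is ever used in the computation. */
#define UNIT_PRICE 10L

static long ship_cost(const char *method)
{
    if (strcmp(method, "boat") == 0) return 5L;
    if (strcmp(method, "air") == 0)  return 20L;
    return -1;                              /* unknown method: reject */
}

/* Copy the value of key=value out of a query string into out (NUL-terminated).
 * Returns 1 if found, 0 otherwise. Values are taken verbatim (no %xx decoding),
 * which suffices for the digits and words used in the slides' URLs. */
static int query_get(const char *qs, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    for (const char *p = qs; *p; ) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, "&");
            if (n >= outsz) return 0;       /* too long for caller's buffer */
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += strcspn(p, "&");               /* skip to the next field */
        if (*p == '&') p++;
    }
    return 0;
}

/* Complete mediation on the server: recompute the total from trusted data and
 * compare it with the client's claim. Returns 0 if consistent, 1 if the
 * claimed total is wrong (tampered or stale), -1 if the request is malformed. */
int check_order(const char *qs)
{
    char buf[32];
    if (!query_get(qs, "qy", buf, sizeof buf)) return -1;
    long qy = strtol(buf, NULL, 10);
    if (qy <= 0 || qy > 1000) return -1;    /* plausible quantities only */
    if (!query_get(qs, "ship", buf, sizeof buf)) return -1;
    long sc = ship_cost(buf);
    if (sc < 0) return -1;
    long server_total = qy * UNIT_PRICE + sc;
    if (!query_get(qs, "total", buf, sizeof buf)) return -1;
    return strtol(buf, NULL, 10) == server_total ? 0 : 1;
}
```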

Slide #22: TOCTOU Errors
Time-of-Check to Time-of-Use Errors
Synchronization error: basically, an exploitable gap between the time the condition for accessing an object is checked and the time the access actually occurs.
Ex: A sculpture costs $100. The buyer counts out $100 and places it on the table. The seller turns around to write a receipt; the buyer takes $20 back and hands the stack to the seller (who assumes there is still $100 in the stack).
–Between the time security was checked (counting the bills) and the object was accessed (getting the sculpture), the condition changed

Slide #23: TOCTOU Error
File system:
–A data structure ("work ticket") is presented to the access control module.
–The work ticket requires a "stamp" authorizing access
–The module places a copy of the ticket in its own work area for checking the validity of the request; the actual ticket remains in user address space.
–The user modifies the data structure in its own address space while the access control module is checking the requested file name, etc.
–The ticket is validated by the access control module (e.g. by returning an auxiliary ticket)
–The user uses the modified data structure with the ticket validation for illegal access
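An added example (not the slides' code) of the same check-then-use gap in a Unix file open: the racy access()-then-open() pattern beside a version that opens first and checks the descriptor it actually got; it assumes a POSIX system and a writable /tmp for the self-test, and the function names are made up:

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The racy pattern: the "ticket" (here a path name) is checked in one call and
 * used in a second one. Between the two the name can be re-bound, e.g. the
 * file swapped for a symlink to something else, so the object that was checked
 * is not necessarily the object that gets opened. Shown for contrast only. */
int open_racy(const char *path)
{
    if (access(path, R_OK) != 0)              /* check: on the NAME */
        return -1;
    return open(path, O_RDONLY);              /* use: the NAME, again, later */
}

/* Hardened: open first, then check the object actually opened. fstat() looks at
 * the inode behind the descriptor, not at the name, so nothing done to the name
 * afterwards can change what was checked. O_NOFOLLOW refuses a symlink at the
 * final component. Returns the fd, or -1 if any check fails. */
int open_checked(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-contained demo: create a temporary file owned by this process, open it
 * with open_checked(), and confirm the descriptor refers to the very inode
 * that was created; also confirm a wrong expected owner is refused.
 * Returns 0 on success, a small nonzero code identifying the failed step. */
int demo_toctou(void)
{
    char tmpl[] = "/tmp/ticketXXXXXX";
    struct stat created, opened;
    int rc = 0;
    int tfd = mkstemp(tmpl);
    if (tfd < 0) return 1;
    if (fstat(tfd, &created) != 0) rc = 2;
    int fd = open_checked(tmpl, getuid());
    if (rc == 0 && (fd < 0 || fstat(fd, &opened) != 0 || opened.st_ino != created.st_ino))
        rc = 3;
    if (rc == 0 && open_checked(tmpl, getuid() + 1) != -1)
        rc = 4;                               /* owner mismatch must be refused */
    if (fd >= 0) close(fd);
    close(tfd);
    unlink(tmpl);
    return rc;
}
```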

Slide #24: Privilege Escalation
The access rights and privileges of a program are dictated by the program's context, which is typically dictated by the user running the program.
–You can modify, delete, etc. files you own, but not critical system files
A privilege escalation attack is one in which malicious code is launched by a user with low privilege but run with high privilege.

Slide #25: Example (April 2006)
Symantec Live Update
–Runs with elevated privilege since it needs to download and install programs in a system directory
–Uses four modules, LU1, LU2, Sys3, and Sys4. The first two are part of Live Update; the other two are functions in the OS.
–In some releases for Mac, Symantec allowed Live Update to locate Sys3 and Sys4 by using the PATH environment variable rather than specifying the location explicitly.

Slide #26: Example (April 2006)
But the LU modules run with escalated privilege, and this is passed automatically to the Sys modules. So an attacker can write their own function, call it Sys3 or Sys4, and modify the PATH variable so that this is what is run when Live Update runs. The end result is a user-written function running with elevated privileges!
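An added example (not Symantec's code or the slides') of the defensive side: a check that flags a PATH whose entries a privileged program must not trust, and a lookup that finds helper programs only in a fixed allowlist instead of consulting PATH; the allowlist and function names are constructed for this illustration, and the self-test assumes a Unix system with sh installed:

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Directories a privileged component may load its helper modules from
 * (constructed allowlist for this example). */
static const char *const TRUSTED_DIRS[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin" };
#define NTRUSTED (sizeof TRUSTED_DIRS / sizeof TRUSTED_DIRS[0])

/* Audit a PATH value as a privileged program would see it. Returns the 0-based
 * index of the first entry that must not be honoured (empty, relative, or
 * outside the allowlist), or -1 if every entry is trusted. An untrusted entry
 * ahead of the system directories is exactly what lets a user-written "Sys3"
 * shadow the real one. */
int first_untrusted_entry(const char *path)
{
    const char *p = path;
    for (int idx = 0; ; idx++) {
        size_t n = strcspn(p, ":");            /* length of this entry */
        int ok = 0;
        if (n > 0 && p[0] == '/') {            /* must be absolute and non-empty */
            for (size_t i = 0; i < NTRUSTED; i++)
                if (strlen(TRUSTED_DIRS[i]) == n && strncmp(p, TRUSTED_DIRS[i], n) == 0)
                    ok = 1;
        }
        if (!ok) return idx;
        if (p[n] == '\0') return -1;           /* last entry, all trusted */
        p += n + 1;
    }
}

/* Locate a helper by its bare name using only the allowlist, ignoring PATH
 * entirely (the fix the slides imply: specify the location explicitly).
 * Writes the absolute path into out and returns 0, or -1 if not found. */
int resolve_fixed(const char *name, char *out, size_t outsz)
{
    if (strchr(name, '/') != NULL) return -1;  /* bare names only */
    for (size_t i = 0; i < NTRUSTED; i++) {
        int n = snprintf(out, outsz, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= outsz) return -1;
        if (access(out, X_OK) == 0) return 0;
    }
    return -1;
}

/* Run both checks on constructed PATH values; returns 1 if all behave. */
int demo_path_audit(void)
{
    char where[256];
    int bad   = first_untrusted_entry("/home/user/bin:/usr/bin:/bin");  /* 0: user dir first */
    int good  = first_untrusted_entry("/usr/sbin:/usr/bin:/sbin:/bin"); /* -1 */
    int found = resolve_fixed("sh", where, sizeof where);               /* 0: sh is installed */
    size_t len = strlen(where);
    return bad == 0 && good == -1 && found == 0 &&
           len > 3 && strcmp(where + len - 3, "/sh") == 0;
}
```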

Slide #27: Covert Channels
A much-researched topic.
Defn: programs that communicate information to people who should not receive it.
–The communication usually travels unnoticed, accompanying other communications
Example: a student helping others cheat on a multiple-choice exam by coughing, wheezing, moving a foot, etc. to indicate choice (a), (b), etc.


Slide #29: Covert Channels
Problem: these are easy to create
–Timing
–Existence of files
–Exact format of files: number of blank spaces in fields; incorrect (but unnoticed) information
–Availability of resources: dynamically allocated memory available? File locked or unlocked?


Slide #31: File Lock Covert Channel

Slide #32: File Existence Channel: Signaling 100

Slide #33: Timing Channel
Pass information by using the speed at which things happen.
Example: a two-process system where information is passed by accepting (1) or rejecting (0) offered processing time.