CPSC 6126 Computer Security Information Assurance

Chapter 3 – Program Security  Programming errors with security implications-buffer overflows, incomplete access control  Malicious code-viruses, worms, Trojan horses  Program development controls against malicious code and vulnerabilities- software engineering principles and practices  Controls to protect against program flaws in execution-operating system support and administrative controls

Program Security  How do we keep programs free from flaws?  How do we protect computing resources against programs that contain flaws?  Presented with a finished product, for example, a commercial software package, how can you tell how secure it is or how to use it in its most secure way?

SECURE PROGRAMS  Security implies some degree of trust that the program enforces expected confidentiality, integrity, and availability.  How can we look at software component and assess its security?

Fixing Faults  Software that has many faults early on is likely to have many others still waiting to be found.  Early computer security work used “penetrate and patch” method where analysts searched for and repaired faults (tiger team)  Often patch efforts made system less secure:

Fixing Faults  Pressure to repair encourages a narrow focus on the fault and not its context.  Fixing the fault often introduces side effects.  Fault not fixed properly cause it will cause performance problems.

Unexpected Behavior  Compare program requirements with behavior to identify program security flaws  Flaw is either a fault or failure  Vulnerability is a class of flaws (e.g. buffer overflows)  Need to determine how to prevent harm caused by possible flaws  Program security flaws can derive from any kind of software fault. Inadvertent human flawsInadvertent human flaws Malicious, intentionally induced flawsMalicious, intentionally induced flaws

Unexpected Behavior  Hindrances for eliminating program security flaws How do we test for what a program shouldn’t do?How do we test for what a program shouldn’t do? Programming and software engineering techniques evolve more rapidly than computer security techniquesProgramming and software engineering techniques evolve more rapidly than computer security techniques

Types of Flaws  Intentional MaliciousMalicious NonmaliciousNonmalicious  Inadvertent Validation error (incomplete / inconsistent)Validation error (incomplete / inconsistent) Domain errorDomain error Serialization and aliasingSerialization and aliasing Inadequate identification and authenticationInadequate identification and authentication Boundary condition violationBoundary condition violation Other exploitable logic errorsOther exploitable logic errors

Nonmalicious Program Errors  Buffer Overflows  char sample[10];  for (i=1; i<=10; i++) sample[i] = ‘A’;  Last ‘A’ goes into user data, user code, system data, or system code  If data is overwritten, can affect results  If system is overwritten, unpredictable results

Nonmalicious Program Errors  Buffer Overflows Security Implication Attacker replaces code in the system space and takes control back from the operating systemAttacker replaces code in the system space and takes control back from the operating system Attacker uses the stack pointer or return register to execute other codeAttacker uses the stack pointer or return register to execute other code How to write buffer overflowsHow to write buffer overflowsHow to write buffer overflowsHow to write buffer overflows Smashing the Stack for Fun and ProfitSmashing the Stack for Fun and ProfitSmashing the Stack for Fun and ProfitSmashing the Stack for Fun and Profit

Nonmalicious Program Errors  Buffer Overflows Security Implication Parameter passing to web serverParameter passing to web server (808) &parm2=2004Jan01http:// (808) &parm2=2004Jan01 What if one of the parameters is made longer?What if one of the parameters is made longer?  Microsoft's Phone Dialer contains a buffer overrun that allows execution of arbitary code Microsoft's Phone Dialer contains a buffer overrun that allows execution of arbitary code Microsoft's Phone Dialer contains a buffer overrun that allows execution of arbitary code

Nonmalicious Program Errors  Incomplete Mediation (data checking) (808) &parm2=2004Jan01http:// (808) &parm2=2004Jan01  What if parm2 is 1800Jan01 or 2004Feb30…  Use dropdown lists to force the input, test ranges  Even then, the user could send incorrect data to the server  Security Implication Easy to exploit – Things, Inc. exampleEasy to exploit – Things, Inc. example

Nonmalicious Program Errors  Time-of-Check to Time-of-Use Errors Mediation is performed with a “bait and switch” in the middle (synchronization flaw)Mediation is performed with a “bait and switch” in the middle (synchronization flaw)  Security Implication to avoid checking one action and performing another – use digital signatures and certificates to avoid checking one action and performing another – use digital signatures and certificates