Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.

Similar presentations


Presentation on theme: "Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing."— Presentation transcript:

1 Software Security

2 Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing of input allowing an attacker to –Read data –Write data –Execute programs

3 Example 1 int main (int argc, char *argv[]) {char password_ok = 0; if (strcmp(password,"bgu_cse")==0) password_ok=1; else password_ok=1; if (password_ok==1) {...} }

4 Example 2 int main (i) {int j; char tmp; char password_ok = 0; const char *password = “bgu_cse”; for (j=0; j<7; j++) { tmp = receive_next_password_char(); if (tmp != password[j]) { send (error_message); return password_ok; } password_ok=1; if (password_ok==1) {...} }

5 Example 3 int main (int argc, char *argv[]) {char password_ok; char password[8]; password_ok = 0; strcpy (password,argv[1]); if (strcmp(password,"bgu_cse")==0) password_ok=1; if (password_ok==1) {...} }

6 Buffer Overflow Up to 2005 the most common security hole The length of an input buffer is not checked Arbitrary data is appended to legal input Data can be written to memory More importantly: program flow control can be hijacked by attacker Examples: Microsoft IIS version 5.0 (see www.cert.org/advisories/CA-2001-10.html), Blaster vulnerability. www.cert.org/advisories/CA-2001-10.html

7 Buffer Overflow stages Send user-controlled data that overflows buffer Include an overflow of a flow-control memory location Use new code –The code can be supplied by the attacker –The code can already exist as part of the attacked software –Injected code is written in machine code to be executed

8 Buffer Overflow on Stack Local Variables Return Address Parameters Stack Single function memory Stack growth String growth

9 Function pointers The C language has pointers to functions void (* Pfunc) () declares a variable that points to a function that returns void Function pointers are used when different functions are called according to input/changing state etc. An overflowing buffer next to a function pointer can cause similar problems to stack smashing

10 Counter Measures Language level –Languages/Libraries that check buffer limits –No buffer overflows in Java or C# –Exchange “unsafe” standard functions with safe counterparts –Block return address overwrite Source code level Compilation level – –Bounds checking at compiler level –Separate stack for return addresses –Canary values between locals and return addresses

11 Counter Measures (cont.) Operating system level: –Non-executable stack (NX bit) –Mapping standard functions to addresses beginning with 0x00 –First measure does not block arbitrary calls to program functions.

12 Overflow and pointers void func1 (char *external) { int a, *b; char*array; … strcpy (array, external); … *b = a; } a b array overflow PC Stored execution pointer Exploit code

13 Stages of pointer based overflow Send user-controlled data that overflows buffer Include exploit code in the overflow Carefully set values of variables a and b When program runs *b=a instruction, the stored pointer for execution that b points to is changed to beginning of exploit code Program execution jumps to exploit code

14 Heap overflow A program stores data in three places –Data segment for static variables –Stack segments for a function’s local variables –Heap for dynamically allocated memory Memory in heap allocated by instructions such as malloc or new Buffer overflow in heap allows “pointer based” exploit Heap operation depends on platform

15 Heap A program performs two operations with dynamic memory –It allocates memory –It frees allocated memory The heap manages memory Fragmentation of memory blocks – one of the main problems of managing dynamic memory Solution – merge free blocks together when possible

16 Example: heap as linked list Heap consists of doubly linked list of memory blocks Each block –Previous pointer –Next pointer –Size – number of words –Used flag – 0 if the block is free and 1 if it’s used

17 Example: Initialization Null 10000 NextPrevSizeUsed

18 Example: allocation of block Null9920 NextPrevSizeUsed 1 Data 4Null

19 9840 1 Data 4Null 1 Data 4 Example: another allocation NextPrevSizeUsed heap heap  next heap  next  next

20 Null9760 1 Data 4Null 0 Data 4 Example: free a block NextPrevSizeUsed ptr  next  next  prev= ptr  next  prev ptr  next= ptr  next  next ptr ptr  next 1 Data 4

21 Null9760 1 Data 4Null 0 Data 12 Example: free a block NextPrevSizeUsed ptr  next  next  prev= ptr  next  prev ptr  next= ptr  next  next ptr ptr  next

22 Null9760 1 Data 4Null 0 Data 4 Exploit: heap overflow NextPrevSizeUsed ptr  next  next  prev= ptr  next  prev ptr  next= ptr  next  next ptr ptr  next 1 Data 4 Pointer to Exploit code Pointer to Execution address Overflow

23 Cross Site Scripting

24 HTTP Basic function –A web client requests a page –Requests are identified by URL –A web server serves the page In this basic scheme, content is dull Enhancements –Client supplies data to web application (server) –Server returns answers as function of data –Client executes local scripts

25 Client side scripts Javascript Active-X VBscript Executing scripts is essential for most web applications, e.g. gmail Client allows remote entity (server) to run software (script) on client machine The scripts are therefore limited to browser context: passwords, cookies etc.

26 Cross site The client allows a trusted server (e.g. gmail) to invoke a script When surfing to another site, that site can’t run scripts that use the trusted site’s data (e.g. password). Cross site scripting: attacker runs a script as if it came from the trusted site. Google ads on different sites learn user preferences and serve appropriate ads

27 Example

28 Example – source HTML

29 Cross Site Scripting Attack (XSS) Web server is vulnerable to attack –Sends scripts to client –Doesn’t check source or content of script –Example – echoing client URL back to the client without checking –Example – serving content provided by an attacker (e.g. forum) Client is target of attack –Executes script

30 XSS – what is at stake? Script can read any data in the web site’s context –Cookies –Passwords –Keystrokes Script can pass this data to attacker –Directly in URL –Indirectly by opening a side channel (e.g. loading one out of a pair of pictures to signisl a bit 0 or 1)

31 XSS-Attack: Reflected Attack E-mail: Click on this great link www.site.com/reflect.cgi? attack code 1. Attacker sends malicious code 2. Client user sends code (unwittingly) to server 3. Server reflects code to client 4. Browser executes script attack code www.site.com/reflect.cgi? attack code Attacker Client Web Server !!! attack code !!! Source: Eurosec project

32 XSS-Attack: Stored Attack Post Forum Message: Subject: GET Money for FREE !!! Body: attack code 1. Attacker sends malicious code 2. Server stores message Did you know this?..... 3. User requests message 4. Message is delivered by server 5. Browser executes script in message GET Money for FREE !!! attack code Get /forum.jsp?fid=122&mid=2241 Attacker Client Web Server GET Money for FREE !!! attack code !!! attack code !!! Re: Error message on startup..... I found a solution!..... Can anybody help?..... Error message on startup..... Source: Eurosec project

33 Where script is executed... Source: http://www.securityfocus.com/archive/1/272037/2002-05-09/2002-05-15/0 [IE] & [code] [N4] &{[code]}; [N4] [IE] [N4] [code] "> <meta http-equiv="refresh" content="0;url=javascript:[code]"> <div style="background-image: url(javascript:[code]);"> [IE] [Mozilla] [IE] [N4] [code] [IE] <object classid="clsid:..." codebase="javascript:[code]"> [code]//--> [code] " onmouseover="[code]"> <script>[code]</script>; <div datafld="b" dataformatas="html" datasrc="#X"> [UTF-8; IE, Opera] [\xC0][\xBC]script>[code][\xC0][\xBC]/script>

34 Countermeasures - Server Fairly easy –Canonicalization of user supplied data (Unicode and other translations are turned into canonical representation) –Do not reflect scripts –Do not store scripts –Check all data, including hidden HTTP fields: referrer, method etc. Harder (site wishes to serve user supplied scripts) –Check that user supplied data does no harm –How exactly?

35 Countermeasures - Client Easy –Canonicalization of server data –Block all scripts Effect – very boring surfing experience Tainting objects –Do not send sensitive data (e.g. cookies) to any site other than original site –Do not send any data changed (“tainted”) by sensitive data Limitations –Some data, such as keystrokes is difficult to classify –Indirect information passing, such as the picture method may bypass such measures. –Performance hit


Download ppt "Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing."

Similar presentations


Ads by Google