Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS2S562 Secure Software Development

Published bySuhendra Rachman Modified over 6 years ago

Similar presentations

Presentation on theme: "CS2S562 Secure Software Development"— Presentation transcript:

1 CS2S562 Secure Software Development
String Security

2 Before we Start… Three definitions Why should I care? Secure vs. Safe
Risk Vulnerability Why should I care? Apart from the obvious reasons, ….

3 Secure vs. Safe Both Secure (passive) Safe (active)
Protection from hazards, dangers, threats Secure (passive) protecting data from unauthorized access, such as private info being viewed ensuring that the program cannot be harmed Safe (active) Data integrity. Backups, checksums, etc all ensure that the program does not cause harm Generally in IT (and in this module) both a muddled-up: ‘secure’ = ‘safe’ + ‘secure’

4 Risk = S x L x R Severity - How serious are the consequences
1 = low (denial-of-service attack, abnormal termination) 2 = medium (data integrity violation, unintended info disclosure) 3 = high (run arbitrary code, privilege escalation) Likelihood - How likely is it an exploitable vulnerability 1 = unlikely 2 = probable 3 = likely Remediation Cost - How expensive is it to fix 3 = high (manual detection and correction) 2 = medium (automatic detection and manual correction) 1 = low (automatic detection and correction)

5 Anti-risk spending wrong by a ratio of 1 : 19,400
Risk = S x L x R We often get Risk wrong USA: fatal road accidents (US territory only) Likelihood: 38,300, (injured: 4.4 million) (2015) [1] Severity: 3, Cost: 3 Spending by US Government on road safety: less than £0.9bn (2015) [2] ca. $22,200 per death USA: death by terror attack (US citizens world wide) Likelihood: 26 (2012), 16 (2013), 37 (2014) [3] Spending by US Government on anti-terror measures: $16bn [4] ca. $ 432,000,000 per death Anti-risk spending wrong by a ratio of 1 : 19,400 Data sources: [1] [2] [3] [4]

6 Vulnerability Wikipedia says:
“In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.” Motto of this module Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

7 Before we Start… Three definitions Why should I care? Secure vs. Safe
Risk Vulnerability Why should I care? Apart from the obvious reasons, ….

8 It’s the Law Why should I care? Apart from the obvious reasons, ….
It is a legal requirement: In March 2018 new General Data Protection Regulations replaced the old Data Protection Act. Systems must now have privacy and security by design, not as an afterthought. If you do not take security measures you will be prosecuted. Link to summary here

9 Before we Start… Three definitions Why should I care?
Secure vs. Safe Risk Vulnerability Why should I care? Apart from the obvious reasons, it’s the law! OK, done. Let’s start......

10 String Vulnerabilities
Lang. Description Severity Likelihood Remediation Cost Risk C++ Storage for string must have enough space for data and null terminator 3 2 18 Do not attempt to create a std::string from a null pointer Use valid references, pointers, and iterators to reference elements of a basic_string C Do not pass a non-null-terminated character sequence to a library function that expects a string 12 Do not confuse narrow and wide character strings and functions 1 9 Range check element access 6 Do not attempt to modify string literals Table data source CERT.org Possible Values: 1, 2, 3, , 8, , 18, 27 Note: ‘C’ in above table means ‘C and C++’

11 Space for Data & null Terminator
Extract from the ‘Common Weakness Enumerator’ (CWE) Top 25 list Rank Score ID Name [1] 93.8 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [2] 83.3 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') [3] 79.0 CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [4] 77.7 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [5] 76.9 CWE-306 Missing Authentication for Critical Function [6] 76.8 CWE-862 Missing Authorization [7] 75.0 CWE-798 Use of Hard-coded Credentials [8] CWE-311 Missing Encryption of Sensitive Data [9] 74.0 CWE-434 Unrestricted Upload of File with Dangerous Type [10] 73.8 CWE-807 Reliance on Untrusted Inputs in a Security Decision

12 Space for Data & null Terminator
Spot the problem: #include <iostream> void aFunction() {    char buf[12];    std::cin >> buf; } In ‘Debug’ mode In ‘Release’ mode When running .exe

13 (Excursion: Buffer Overflow Attack)
Dynamic memory allocation is on the Heap This is reasonably safe. Any overflow will most likely cause a crash as pointers are not allowed to access heap memory that does not belong to it. Static memory is allocated on the Stack Stack memory belongs to the program that is running and there is no check. char *ptr  = (char*) malloc(10); ptr[10] = 'c'; // ----> crash char buff[10] ; strcpy(buff, "This String is too long"); // > no crash Memory The buffer overflow quietly corrupts the neighbouring memory. If corrupted memory is being used by the program it can cause unexpected results. More in a few weeks. Heap Stack Static / Global Code

14 Space for Data & null Terminator
Back to the problem: #include <iostream> void aFunction() {    char buf[12];    std::cin >> buf; } std::ios_base::width() to the rescue ? #include <iostream> void aFunction() {    char bufOne[12];    char bufTwo[12];    std::cin.width(12);    std::cin >> bufOne;    std::cin >> bufTwo; } limits to 12 but may truncate string width() only works for the next cin and then resets to ‘width(0)’.

15 Space for Data & null Terminator
Solution: Use <string> wherever possible But that is not without problems either: what about null pointers? #include <iostream> #include <string> void aFunction() { std::string stringOne, stringTwo; std::cin >> stringOne >> stringTwo; }

16 String Vulnerabilities
Lang. Description Severity Likelihood Remediation Cost Risk C++ Storage for string must have enough space for data and null terminator 3 2 18 Do not attempt to create a std::string from a null pointer Use valid references, pointers, and iterators to reference elements of a basic_string C Do not pass a non-null-terminated character sequence to a library function that expects a string 12 Do not confuse narrow and wide character strings and functions 1 9 Range check element access 6 Do not attempt to modify string literals Table data source CERT.org Possible Values: 1, 2, 3, , 8, , 18, 27 Note: ‘C’ in above table means ‘C and C++’

17 String from null pointer
Spot the problem: getenv() returns a so called environment string. In this example this is the path to the temporary storage folder. #include <cstdlib> #include <string> void aFunction() { std::string tmp( std::getenv("TMP") ); if (!tmp.empty()) { // ... } getenv() returns a null pointer on failure. As a result the string tmp is initialised to null. The call to tmp.empty() will fail (empty means ‘no characters’ but not ‘no pointer’)

18 String from null pointer
Solution: Check before assigning: #include <cstdlib> #include <string> void aFunction() { const char *tmpPtr= std::getenv("TMP"); if( tmpPtr == NULL ) { // error message here { }

19 String Vulnerabilities
Lang. Description Severity Likelihood Remediation Cost Risk C++ Storage for string must have enough space for data and null terminator 3 2 18 Do not attempt to create a std::string from a null pointer Use valid references, pointers, and iterators to reference elements of a basic_string C Do not pass a non-null-terminated character sequence to a library function that expects a string 12 Do not confuse narrow and wide character strings and functions 1 9 Range check element access 6 Do not attempt to modify string literals Table data source CERT.org Possible Values: 1, 2, 3, , 8, , 18, 27 Note: ‘C’ in above table means ‘C and C++’

20 Invalid References to String
Spot the problem: This code will fail because the iterator loc is invalidated after the first call to insert(); void replaceSemicolonWithSpace(const std::string &input) { std::string someText; std::string::iterator loc = someText.begin(); auto b = input.begin(); auto e = input.end(); for (auto i = b; i != e; ++i) { if (*i == ';') someText.insert(loc, ' '); else someText.insert(loc, *i); ++loc; } std::cout << "Output: "<<someText;

21 Invalid References to String
Solution: The value of loc is updated as a result of insert(); replaceSemicolonWithSpace("Hello;World;how;are;you"); void replaceSemicolonWithSpace(const std::string &input) { std::string someText; std::string::iterator loc = someText.begin(); auto b = input.begin(); auto e = input.end(); for (auto i = b; i != e; ++i) { if (*i == ';') loc = someText.insert(loc, ' '); else loc = someText.insert(loc, *i); ++loc; } std::cout << "Output: "<<someText;

22 Avoid Code Obfuscation
Which code is more secure? Note: no difference in speed or performance between the two void replaceSemicolonWithSpace(const std::string &input) { std::string someText; std::string::iterator loc = someText.begin(); auto b = input.begin(); auto e = input.end(); for (auto i = b; i != e; ++i) { if (*i == ';') loc = someText.insert(loc, ' '); else loc = someText.insert(loc, *i); ++loc; } std::cout << "Output: "<<someText; void replaceSemicolonWithSpace(const std::string &input) { std::string someText; std::string::iterator loc = someText.begin(); for (auto i = input.begin(), e=input.end(); i != e; ++i, ++loc) { loc = someText.insert(loc, *i != ‘;’ ? *i:’ ‘); } std::cout << "Output: "<<someText;

23 String Vulnerabilities
Lang. Description Severity Likelihood Remediation Cost Risk C++ Storage for string must have enough space for data and null terminator 3 2 18 Do not attempt to create a std::string from a null pointer Use valid references, pointers, and iterators to reference elements of a basic_string C Do not pass a non-null-terminated character sequence to a library function that expects a string 12 Do not confuse narrow and wide character strings and functions 1 9 Range check element access 6 Do not attempt to modify string literals Table data source CERT.org Possible Values: 1, 2, 3, , 8, , 18, 27 Note: ‘C’ in above table means ‘C and C++’

24 Passing non-null Terminated Character Sequences
The problem: Many C / C++ string library functions expect a properly null terminated string If string not null terminated then memory outside the bounds of string object may be accessed Example: printf() Visual Studio picks this up (but not all other compilers): #include <stdio.h> void func(void) {    char c_str[3] = "abc";    printf("%s\n", c_str); } 3 chars  OK, but: ‘\0’  no space

25 Passing non-null Terminated Character Sequences
Solution: Do not specify the bound of the character array: Compiler will allocate sufficient storage for abc and \0 #include <stdio.h> void func(void) {    char c_str[ ] = "abc";    printf("%s\n", c_str); }

26 Passing non-null Terminated Character Sequences
Another problem: strncpy( ) copies n characters and returns an un-terminated string (i.e. no ‘\0’ terminator) A call to strlen( ) fails: The problematic line CodeBlocks and GCC compiler

27 Passing non-null Terminated Character Sequences
Solutions: Add ‘0\’ manually: CodeBlocks and GCC compiler

28 Passing non-null Terminated Character Sequences
Solutions: Use the new strxxxxx_s( ) functions (strcpy_s(), strcat_s(), strnlen_s(), ...) All _s functions feature: Buffer overflow protection Guaranteed null termination No string truncation possible But: Not part of C99 Introduced with C11 (ISO/IEC 9899:2011, Annex K  optional) Making its way into libraries. Slooooowly.... Available in Visual Studio (MS’ own version – a bit sketchy) Not yet in GCC Not as fast

29 String Vulnerabilities
Lang. Description Severity Likelihood Remediation Cost Risk C++ Storage for string must have enough space for data and null terminator 3 2 18 Do not attempt to create a std::string from a null pointer Use valid references, pointers, and iterators to reference elements of a basic_string C Do not pass a non-null-terminated character sequence to a library function that expects a string 12 Do not confuse narrow and wide character strings and functions 1 9 Range check element access 6 Do not attempt to modify string literals Self Study (aka ‘homework’) Table data source CERT.org Possible Values: 1, 2, 3, , 8, , 18, 27 Note: ‘C’ in above table means ‘C and C++’

30 Summary String vulnerabilities:
Buffer overflow 3rd most frequent vulnerability in software generally Use string class wherever possible, not char[ ] Use the safe str…_s() methods If using char[ ] : use i < xxx.length_s() for safe upper boundary, not <= check also: lower boundary never negative If using string class: should be null terminated (even if used with str…_s() methods) check if pointer to string is != NULL before use

31 End of Lecture

Download ppt "CS2S562 Secure Software Development"

Similar presentations

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Chapter 10.

Chapter 10.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Simple Buffer Overflow Example Dan Fleck CS469 Security Engineering Reference: Coming up: Buffer Overflows.

Simple Buffer Overflow Example Dan Fleck CS469 Security Engineering Reference: Coming up: Buffer Overflows.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Computer Science and Software Engineering University of Wisconsin - Platteville 2. Pointer Yan Shi CS/SE2630 Lecture Notes.

Computer Science and Software Engineering University of Wisconsin - Platteville 2. Pointer Yan Shi CS/SE2630 Lecture Notes.
Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.

Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.
Announcements You will receive your scores back for Assignment 2 this week. You will have an opportunity to correct your code and resubmit it for partial.

Announcements You will receive your scores back for Assignment 2 this week. You will have an opportunity to correct your code and resubmit it for partial.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.

VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Vulnerability / Cybersecurity Research Discussion Dwayne Melancon, CISA Chief Technology Officer and VP of Research & Development.

Vulnerability / Cybersecurity Research Discussion Dwayne Melancon, CISA Chief Technology Officer and VP of Research & Development.
DYNAMIC MEMORY ALLOCATION. Disadvantages of ARRAYS MEMORY ALLOCATION OF ARRAY IS STATIC: Less resource utilization. For example: If the maximum elements.

DYNAMIC MEMORY ALLOCATION. Disadvantages of ARRAYS MEMORY ALLOCATION OF ARRAY IS STATIC: Less resource utilization. For example: If the maximum elements.
Variables Bryce Boe 2012/09/05 CS32, Summer 2012 B.

Variables Bryce Boe 2012/09/05 CS32, Summer 2012 B.

Similar presentations

Ads by Google