
CSC 386 – Computer Security Scott Heggen. Agenda Introduction to Software Security.




1 CSC 386 – Computer Security
Scott Heggen

2 Agenda
Introduction to Software Security

3 Software Security
What does it mean?

4 Security and Reliability
Security deals with intentional attacks.
Reliability deals with accidental failures.
“It does not matter how many bugs there are, it matters how often they are triggered.”
That is the reliability view: a bug that is rarely hit by accident costs little. Security gets no such comfort, because an attacker who has found the bug can trigger it at will.

5 Bad Stuff
Malware:
  Computer virus
  Worm
  Trojan horse
  Logic bomb

6 Abstraction
When writing code, programmers use elementary concepts like character, variable, array, integer, data & program, address (resource locator), atomic transaction, …
These concepts have abstract meanings. For example, integers are an infinite set with operations ‘add’, ‘multiply’, ‘less or equal’, …
To execute a program, we need concrete implementations of these concepts.

7 Abstraction
What’s the benefit?

8 Abstraction
What’s the danger?
Software security problems typically arise when the concrete implementation and the abstract intuition diverge:
  Address (location)
  Character
  Integer
  Variable (buffer overflows)
  Double-linked list
  Atomic transaction

9 Address (Location)
An application wants to give users access only to files in directory C:/webfolder/kittens/.
Attack: use ../ a few times to step up to the root directory first; e.g. get the password file with an input of:
  /../../../../etc/passwd
Countermeasure: input validation, filter out ../
Filtering the literal string is the weakest form of this check: it misses the other separator (..\ on Windows) and encoded spellings of the same characters (next slides). The robust version resolves the whole path first and then checks that the result still lies under the permitted directory.
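The resolve-then-check version of the countermeasure, as an added example written for this page (not code from the slides or the course). It works purely on the path string: segments are resolved against an implied root and any .. that would climb above it is rejected, so the slide's /../../../../etc/passwd never reaches the file system. The root C:/webfolder/kittens/, the treatment of backslash as a second separator, and the sample inputs are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGMENTS 64

/* '\\' is treated as a separator too, since the slide's server is on Windows (assumption). */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Lexically resolve "." and ".." in user_path against an implied root.
 * Returns 1 and writes the normalized relative path to out when every ".."
 * has a segment to consume; returns 0 when the path would climb above the root
 * or does not fit. */
int resolve_under_root(const char *user_path, char *out, size_t cap) {
    char buf[1024];
    const char *segs[MAX_SEGMENTS];
    size_t nsegs = 0, i = 0, o = 0, n = strlen(user_path);
    if (n >= sizeof buf) return 0;
    memcpy(buf, user_path, n + 1);
    while (i <= n) {
        size_t start = i;
        while (i < n && !is_sep(buf[i])) i++;
        buf[i] = '\0';                          /* terminate this segment in place */
        const char *seg = buf + start;
        if (strcmp(seg, "..") == 0) {
            if (nsegs == 0) return 0;           /* would step above the root */
            nsegs--;
        } else if (seg[0] != '\0' && strcmp(seg, ".") != 0) {
            if (nsegs == MAX_SEGMENTS) return 0;
            segs[nsegs++] = seg;
        }
        i++;
    }
    for (size_t k = 0; k < nsegs; k++) {
        size_t len = strlen(segs[k]);
        if (o + len + 2 > cap) return 0;        /* room for '/' and NUL; never truncate silently */
        if (k > 0) out[o++] = '/';
        memcpy(out + o, segs[k], len);
        o += len;
    }
    out[o] = '\0';
    return 1;
}

/* Join the fixed document root (which must end in '/') with the resolved path.
 * Returns 1 on success, 0 if the request escapes the root or does not fit. */
int build_served_path(const char *root, const char *user_path, char *out, size_t cap) {
    char rel[1024];
    if (!resolve_under_root(user_path, rel, sizeof rel)) return 0;
    int w = snprintf(out, cap, "%s%s", root, rel);
    return w >= 0 && (size_t)w < cap;
}

/* Convenience: 1 if user_path resolves under root to exactly expected, else 0. */
int serves(const char *root, const char *user_path, const char *expected) {
    char out[2048];
    return build_served_path(root, user_path, out, sizeof out) && strcmp(out, expected) == 0;
}

int main(void) {
    const char *root = "C:/webfolder/kittens/";
    /* constructed inputs: two benign, two traversal attempts */
    const char *inputs[] = { "tabby.jpg", "fluffy/../tabby.jpg", "/../../../../etc/passwd", "..\\..\\secret" };
    char out[2048];
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++)
        printf("%-26s -> %s\n", inputs[k],
               build_served_path(root, inputs[k], out, sizeof out) ? out : "REJECTED (escapes root)");
    return 0;
}
```

Lexical resolution says nothing about symbolic links or junctions inside the directory; on a real file system, resolve the joined path with realpath(3) (or the platform equivalent) and apply the same prefix check to what it returns.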

10 Unicode Characters
UTF-8 encoding of Unicode characters [RFC 2279]
Multi-byte UTF-8 formats: a character has more than one representation.
Example: “/” (code point U+002F)

  format   bit pattern                     encoding of “/”                hex
  1 byte   0xxx xxxx                       0010 1111                      2F
  2 byte   110x xxxx 10xx xxxx             1100 0000 1010 1111            C0 AF
  3 byte   1110 xxxx 10xx xxxx 10xx xxxx   1110 0000 1000 0000 1010 1111  E0 80 AF

Only the 1-byte form is legal. RFC 2279 already warned that a decoder which accepts the longer (“overlong”) forms can be used to smuggle characters past checks made on the encoded bytes; RFC 3629, which obsoletes it, requires decoders to reject them outright.

11 Unicode Bug
Microsoft IIS Server
Attacker accesses the server via a URL of:
  {IPaddress}/scripts/..%c0%af../winnt/system32/
Which would get translated to:
  {IPaddress}/scripts/../../winnt/system32/
And would access this directory on the server:
  C:\winnt\system32
IIS did not reject illegal Unicode representations (multi-byte UTF-8 forms of single-byte characters). Its traversal check ran before the bytes were decoded as UTF-8, so the segment ..%c0%af.. did not look like a “..” segment and the check passed; the decoder then accepted the overlong two-byte form C0 AF as “/”, and the path it opened was /scripts/../../winnt/system32/.
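The two check orders side by side, as an added example (not code from the slides or from IIS): the vulnerable order runs the “..” check on the percent-decoded bytes and then hands them to a UTF-8 decoder that accepts overlong forms; the fixed order decodes strictly first, so C0 AF (and the 3-byte E0 80 AF from the previous slide) is rejected as an encoding error before any path check runs. The request string is constructed in the shape of the slide's URL; the 512-byte limits are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int hexval(char c) {                          /* one hex digit, or -1 */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                        /* fold to lower case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* %xx escapes to raw bytes; out needs strlen(in)+1 bytes. Returns length, or -1 on a bad escape. */
static int percent_decode(const char *in, uint8_t *out) {
    int n = 0;
    for (size_t i = 0; in[i]; i++) {
        if (in[i] != '%') { out[n++] = (uint8_t)in[i]; continue; }
        int hi = hexval(in[i + 1]), lo = hi < 0 ? -1 : hexval(in[i + 2]);
        if (hi < 0 || lo < 0) return -1;
        out[n++] = (uint8_t)(hi * 16 + lo);
        i += 2;
    }
    out[n] = 0;
    return n;
}

/* Decode one UTF-8 sequence (1..4 bytes); returns bytes consumed, 0 if malformed. In strict mode an
 * overlong form (e.g. C0 AF for '/') is also rejected, as RFC 3629 requires; lenient mode accepts it. */
static size_t utf8_decode_one(const uint8_t *s, size_t n, uint32_t *cp, int strict) {
    size_t len; uint32_t min;
    if (n == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if      ((s[0] & 0xE0) == 0xC0) { len = 2; *cp = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; *cp = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; *cp = s[0] & 0x07; min = 0x10000; }
    else return 0;                                 /* stray continuation byte or F8..FF */
    if (n < len) return 0;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (strict && (*cp < min || *cp > 0x10FFFF || (*cp >= 0xD800 && *cp <= 0xDFFF))) return 0;
    return len;
}

/* Whole byte string to text: code points below 0x80 become chars, others '?'. -1 on rejection. */
static int utf8_to_text(const uint8_t *s, size_t n, char *out, int strict) {
    size_t i = 0, o = 0;
    while (i < n) {
        uint32_t cp;
        size_t used = utf8_decode_one(s + i, n - i, &cp, strict);
        if (used == 0) return -1;
        out[o++] = cp < 0x80 ? (char)cp : '?';
        i += used;
    }
    out[o] = '\0';
    return 0;
}

/* 1 if any '/'-separated segment of path is exactly "..". */
static int has_dotdot_segment(const char *path) {
    for (const char *p = path;; p++) {
        const char *e = strchr(p, '/');
        size_t len = e ? (size_t)(e - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return 1;
        if (!e) return 0;
        p = e;
    }
}

/* Vulnerable order (the slide's IIS): percent-decode, run the ".." check on the still undecoded
 * bytes, then decode leniently. Returns 1 if accepted, writing the path that would really be opened. */
int accept_filter_then_decode(const char *url, char *path, size_t cap) {
    uint8_t raw[512];
    if (strlen(url) >= sizeof raw || strlen(url) >= cap) return 0;
    int n = percent_decode(url, raw);
    if (n < 0 || has_dotdot_segment((const char *)raw)) return 0;
    return utf8_to_text(raw, (size_t)n, path, /*strict=*/0) == 0;
}

/* Fixed order: percent-decode, decode UTF-8 strictly (overlong forms fail right here),
 * and only then check the segments of the path the server would really open. */
int accept_decode_then_filter(const char *url, char *path, size_t cap) {
    uint8_t raw[512];
    if (strlen(url) >= sizeof raw || strlen(url) >= cap) return 0;
    int n = percent_decode(url, raw);
    if (n < 0 || utf8_to_text(raw, (size_t)n, path, /*strict=*/1) != 0) return 0;
    return !has_dotdot_segment(path);
}

/* 1 if accept() takes url and opens exactly expected, 0 if it opens something else, -1 if rejected. */
int opens(int (*accept)(const char *, char *, size_t), const char *url, const char *expected) {
    char path[512];
    if (!accept(url, path, sizeof path)) return -1;
    return strcmp(path, expected) == 0;
}

int main(void) {
    const char *attack = "/scripts/..%c0%af../winnt/system32/";   /* constructed, shaped like the slide's */
    char path[512];
    if (accept_filter_then_decode(attack, path, sizeof path)) printf("filter-then-decode opens %s\n", path);
    printf("decode-then-filter accepts it: %d\n", accept_decode_then_filter(attack, path, sizeof path));
    return 0;
}
```

The general rule this illustrates: every decoding step (percent, UTF-8, anything else the server applies) has to happen before the security check, and each decoder has to refuse non-canonical input rather than quietly repairing it.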

12 Unix rlogin
Unix login command:
  login [[-p] [-h host] [[-f] user]
The -f option “forces” log in: the user is not asked for a password.
Unix rlogin command for remote login:
  rlogin [-l user] host
The rlogin daemon sends a login request for user to host.
Attack (some versions of Linux, AIX):
  % rlogin -l -froot host
Results in a forced login as root at the designated machine, because the daemon runs:
  % login -froot
Examples:
  Local login:   login -hmyserver -fheggens
  Remote login:  rlogin -lheggens myserver

13 Unix rlogin
Problem: composition of two commands. Each command on its own is not vulnerable. However, rlogin does not check whether the “username” has special properties (here: it starts with “-”, so login parses it as an option) before passing it to login.
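The check the daemon was missing, as an added example (not the original rlogin code): the user name is validated before it is composed into the command handed to login, so a value such as -froot is refused rather than forwarded. The allowed character set is an assumption of the example, modelled on traditional Unix account names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Validate a user name before it is forwarded to another command. Rejects names an option
 * parser could claim (leading '-'), empty or over-long names, and characters outside a
 * conservative allowlist (assumption: lower-case letters, digits, '_', '-', '.'). */
int username_is_safe(const char *user) {
    size_t n = strlen(user);
    if (n == 0 || n > 32) return 0;
    if (user[0] == '-') return 0;              /* login would read it as an option, e.g. -froot */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* The daemon's step: compose the login command for a remote request from client_host.
 * Returns the length written, or -1 if the user name fails validation (or would not fit).
 * With out == NULL it only validates and returns the length that would be needed.
 * (Shown as a string for readability; a real daemon execs login with an argv, never via a shell.) */
int compose_login_cmd(const char *client_host, const char *user, char *out, size_t cap) {
    if (!username_is_safe(user)) return -1;
    int w = snprintf(out, out ? cap : 0, "login -h %s -f %s", client_host, user);
    if (w < 0) return -1;
    if (out && (size_t)w >= cap) return -1;    /* would truncate */
    return w;
}

int main(void) {
    const char *attempts[] = { "heggens", "-froot", "root;id", "" };   /* constructed inputs */
    char cmd[128];
    for (size_t k = 0; k < sizeof attempts / sizeof attempts[0]; k++) {
        if (compose_login_cmd("myserver", attempts[k], cmd, sizeof cmd) < 0)
            printf("%-10s rejected\n", attempts[k]);
        else
            printf("%-10s -> %s\n", attempts[k], cmd);
    }
    return 0;
}
```

The same shape of check applies whenever data from one trust domain becomes part of a command in another: validate against what the receiving command will accept as data, not against the list of bad strings you happen to know.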

14 Integer Error
What will happen here?
  int i = 1;
  while (i > 0) {
      i = i * 2;
  }
The abstract intuition says i grows without bound and the loop never ends. In a 32-bit int the 31st doubling does not fit; with the usual two's-complement wrap, i becomes -2147483648 and the loop exits. Because signed overflow is undefined behaviour in C, an optimizing compiler may instead assume i stays positive and turn the loop into one that never terminates. Either way, the implementation has diverged from the abstraction.

15 Integer Math
Unsigned 8-bit integers:
  255 + 1 = 0
  16 × 17 = 16
  0 − 1 = 255
Signed 8-bit integers:
  127 + 1 = −128
  −128 / −1 = −128   (the true result, 128, does not fit)
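The slide's loop and table in running code, as an added example (not from the slides): the doubling loop is guarded before the multiplication instead of relying on what happens after it, the 8-bit results are produced by the well-defined unsigned wrap (and the implementation-defined signed conversion that gcc, clang and MSVC all resolve as a two's-complement wrap), and an allocation-size check shows where the same arithmetic becomes a security bug. The 8-bit helpers and the size check are this example's own; only the doubling loop comes from the slide.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* 1 if a*b does not fit in int, for a, b >= 0 (the domain of the slide's loop).
 * The check is done with a division so that no overflow can occur while checking. */
int mul_overflows_int(int a, int b) {
    if (a < 0 || b < 0) return 1;             /* outside this helper's domain: treat as unsafe */
    return a != 0 && b != 0 && a > INT_MAX / b;
}

/* The slide's doubling loop with the guard in place: how many times can i be doubled
 * before the product would overflow? For a 32-bit int that is 30 (2^30 fits, 2^31 does not). */
int doubling_steps_before_overflow(void) {
    int i = 1, steps = 0;
    while (!mul_overflows_int(i, 2)) { i *= 2; steps++; }
    return steps;
}

/* Unsigned 8-bit arithmetic wraps modulo 256: 255 + 1 = 0, 16 * 17 = 16, 0 - 1 = 255.
 * The operands are promoted to int, so the wrap happens in the conversion back to
 * uint8_t, which the C standard defines. */
uint8_t u8_add(uint8_t a, uint8_t b) { return (uint8_t)(a + b); }
uint8_t u8_sub(uint8_t a, uint8_t b) { return (uint8_t)(a - b); }
uint8_t u8_mul(uint8_t a, uint8_t b) { return (uint8_t)(a * b); }

/* Signed 8-bit: 127 + 1 and -128 / -1 both produce 128 in int, which does not fit int8_t.
 * That conversion is implementation-defined; gcc, clang and MSVC all wrap it to -128. */
int8_t i8_add(int8_t a, int8_t b) { return (int8_t)(a + b); }
int8_t i8_div(int8_t a, int8_t b) { return (int8_t)(a / b); }

/* Where this bites: the byte count for n elements of size elem, as passed to malloc.
 * Returns 1 if n * elem would wrap in size_t (and the allocation would be far too small). */
int array_bytes_overflow(size_t n, size_t elem) {
    return elem != 0 && n > SIZE_MAX / elem;
}

int main(void) {
    printf("doublings before overflow: %d\n", doubling_steps_before_overflow());
    printf("uint8: 255+1=%u  16*17=%u  0-1=%u\n", u8_add(255, 1), u8_mul(16, 17), u8_sub(0, 1));
    printf("int8:  127+1=%d  -128/-1=%d\n", i8_add(127, 1), i8_div(-128, -1));
    printf("SIZE_MAX/2+1 elements of 2 bytes overflow size_t: %d\n",
           array_bytes_overflow(SIZE_MAX / 2 + 1, 2));
    return 0;
}
```

The pattern to take away is the order of operations: check with a division (or a widening type) before the multiplication, never by inspecting the result afterwards, because in signed arithmetic the result after an overflow is not something the language promises to give you.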

16 Next Class
Midterm Course Evaluation with Dr. Jadud
Quiz 3: Software Security Basics (Wednesday)
Read Chapter 10
Understand the 6 types of abstractions:
  Address (location)
  Character
  Integer
  Variable (buffer overflows)
  Double-linked list
  Atomic transaction

