Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland.

Published byMalcolm Perry Modified over 9 years ago

Similar presentations

Presentation on theme: "1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland."— Presentation transcript:

1 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland Security grant FA8750-10-2-0030 (funded through AFRL). Past funding has been provided by NATO grant CLG 983049, National Science Foundation grant OCI-0844219, the National Science Foundation under contract with San Diego Supercomputing Center, and National Science Foundation grants CNS-0627501 and CNS-0716460. Barton P. Miller Jim Kupsch Computer Sciences Department University of Wisconsin bart@cs.wisc.edu Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona Elisa.Heymann@uab.es

2 2 Things That We All Know All software has vulnerabilities Critical infrastructure software is complex and large Vulnerabilities can be exploited by both authorized users and by outsiders Programmers must be security- aware –Designing for security and the use of secure practices and standards does not guarantee security… but helps

3 3 What do we do Assess Middleware: Make cloud/grid software more secure Train: We teach tutorials for users, developers, sys admins, and managers Research: Make in-depth assessments more automated and improve quality of automated code analysis http://www.cs.wisc.edu/mist/papers/VAshort.pdf

4 4 1. Buffer overflow

5 5 Buffer Overflow of User Data Affecting Flow of Control char id[8]; int validId = 0; /* not valid */ gets(id); /* reads "evillogin"*/ /* validId is now 110 decimal */ if (IsValid(id)) validId = 1; /* not true */ if (validId) /* is true */ {DoPrivilegedOp();} /* gets executed */ evillogi 110 ‘n’ \0 idvalidId \0 idvalidId

6 6 2. Numeric Errors

7 7 Integer Vulnerabilities Description –Many programming languages allow silent loss of integer data without warning due to Overflow Truncation Signed vs. unsigned representations –Code may be secure on one platform, but silently vulnerable on another, due to different underlying integer types. General causes –Not checking for overflow –Mixing integer types of different ranges –Mixing unsigned and signed integers

8 8 Numeric Parsing Unreported Errors atoi, atol, atof, scanf family (with %u, %i, %d, %x and %o specifiers) –Out of range values results in unspecified behavior –Non-numeric input returns 0

9 9 3. Race Conditions

10 File System Race Examples Check properties of a file then open Bad: access or stat  open Safe: open  fstat Create file if it doesn’t exist Bad: if stat fails  creat( fn, mode ) Safe: open( fn, O_CREAT|O_EXCL, mode ) http://www.cs.wisc.edu/mist/safefile James A. Kupsch and Barton P. Miller, “How to Open a File and Not Get Hacked,” 2008 Third International Conference on Availability, Reliability and Security (ARES), Barcelona, Spain, March 2008.http://www.cs.wisc.edu/mist/safefile 10

11 11 Race Condition Examples Your ActionsAttackers Action s=strdup("/tmp/zXXXXXX") tempnam(s) // s now "/tmp/zRANDOM"link = "/etc/passwd" file = "/tmp/zRANDOM" symlink(link, file) f = fopen(s, "w+") // writes now update // /etc/passwd time

12 12 4. Exceptions

13 Exception Suppression 1. User sends malicious data boolean Login(String user, String pwd){ boolean loggedIn = true; String realPwd = GetPwdFromDb(user); try { if (!GetMd5(pwd).equals(realPwd)) { loggedIn = false; } } catch (Exception e) { //this can not happen, ignore } return loggedIn; } user=“admin”,pwd=null 2. System grants access Login() returns true 13

14 14 5. Too much information

15 WTMI (Way Too Much Info) 15 Login(… user, … pwd) { try { ValidatePwd(user, pwd); } catch (Exception e) { print("Login failed.\n"); print(e + "\n"); e.printStackTrace(); return; } void ValidatePwd(… user, … pwd) throws BadUser, BadPwd { realPwd = GetPwdFromDb(user); if (realPwd == null) throw BadUser("user=" + user); if (!pwd.equals(realPwd)) throw BadPwd("user=" + user + " pwd=" + pwd + " expected=" + realPwd); … Login failed. BadPwd: user=bob pwd=x expected=password BadPwd: at Auth.ValidatePwd (Auth.java:92) at Auth.Login (Auth.java:197) … com.foo.BadFramework(BadFramework.java:71)... Login failed. BadPwd: user=bob pwd=x expected=password BadPwd: at Auth.ValidatePwd (Auth.java:92) at Auth.Login (Auth.java:197) … com.foo.BadFramework(BadFramework.java:71)... User exists Entered pwd User's actual password ?!? (passwords aren't hashed) User's actual password ?!? (passwords aren't hashed) Reveals internal structure (libraries used, call structure, version information) Reveals internal structure (libraries used, call structure, version information)

16 16 6. Directory Traversal

17 17 Successful Directory Traversal Attack 1. Users requests File="....//etc/passwd" 2. Server deletes /etc/passwd String path = request.getParameter("file"); path = "/safedir/" + path; // remove../'s to prevent escaping out of /safedir Replace(path, "../", ""); File f = new File(path); f.delete(); Before Replace path = "/safedir/….//etc/passwd" After Replace path = "/safedir/../etc/passwd" Before Replace path = "/safedir/….//etc/passwd" After Replace path = "/safedir/../etc/passwd"

18 18 7. SQL Injection Attacks

19 19 Successful SQL Injection Attack Dynamically generated SQL without validation or quoting is vulnerable $u = " '; drop table t --"; $sth = $dbh->do("select * from t where u = '$u'"); Database sees two statements: select * from t where u = ' '; drop table t -- '

20 Successful SQL Injection Attack 1. User sends malicious data boolean Login(String user, String pwd) { boolean loggedIn = false; conn = pool.getConnection( ); stmt = conn.createStatement(); rs = stmt.executeQuery("SELECT * FROM members" + "WHERE u='" + user + "' AND p='" + pwd + "'"); if (rs.next()) loggedIn = true; } user="admin"; pwd="'OR 'x'='x" 4. System grants access Login() returns true 20 SELECT * FROM members WHERE u='admin' AND p='' OR 'x'='x' 2. DB Queried 3. Returns all row of table members

21 21 8. Command Injections

22 Successful OS Injection Attack 1. User sends malicious data 3. System executes nslookup x.com;rm –rf /* 22 String rDomainName(String hostname) { … String cmd = "/usr/bin/nslookup " + hostname; Process p = Runtime.getRuntime().exec(cmd); … hostname="x.com;rm –rf /*" 2. Application uses nslookup to get DNS records 4. All files possible are deleted

23 23 9. Code Injection

24 24 Code Injection Vulnerability %data = ReadLogFile('logfile'); PH = open("|/usr/bin/python"); print PH "import LogIt\n";w while (($k, $v) = (each %data)) { if ($k eq 'name') { print PH "LogIt.Name('$v')"; } 2. Perl log processing code – uses Python to do real work name = John Smith name = ');import os;os.system('evilprog');# 1. logfile – name's value is user controlled import LogIt; LogIt.Name('John Smith') LogIt.Name('');import os;os.system('evilprog');#') 3. Python source executed – 2 nd LogIt executes arbitrary code Start Python, program sent on stdin Read logfile

25 25 10. Web Attacks

26 26 Reflected Cross Site Scripting (XSS) String query = request.getParameter("q"); if (query != null) { out.writeln("You searched for:\n" + query); } You searched for: widget http://example.com?q=widget 3. Generated HTML displayed by browser 1. Browser sends request to web server 2. Web server code handles request

27 27 Reflected Cross Site Scripting (XSS) String query = request.getParameter("q"); if (query != null) { out.writeln("You searched for:\n" + query); } You searched for: alert('Boo!') http://example.com?q= alert('Boo!') 3. Generated HTML displayed by browser 1. Browser sends request to web server 2. Web server code handles request

28 28 Would you like an expanded tutorial taught at your site? Tutorials for users, developers, administrators and managers: –Security Risks –Secure Programming –Vulnerability Assessment Contact us! Barton P. Miller bart@cs.wisc.edu Elisa Heymann Elisa.Heymann@uab.es

29 29 Questions? http://www.cs.wisc.edu/mist

Download ppt "1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland."

Similar presentations

Webgoat.

Webgoat.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Web Database Programming Connecting Database to Web.

Web Database Programming Connecting Database to Web.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
1 Security Risks in Clouds and Grids Condor Week May 5, 2011 Barton P. Miller James A. Kupsch Computer Sciences Department University of Wisconsin

1 Security Risks in Clouds and Grids Condor Week May 5, 2011 Barton P. Miller James A. Kupsch Computer Sciences Department University of Wisconsin
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
PHP Security.

PHP Security.
An anti-hacking guide.  Hackers are kindred of expert programmers who believe in freedom and spirit of mutual help. They are not malicious. They may.

An anti-hacking guide.  Hackers are kindred of expert programmers who believe in freedom and spirit of mutual help. They are not malicious. They may.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
1 Security Risks in the Grid UW-Madison July 22, 2010 Barton P. Miller James A. Kupsch Computer Sciences Department University of Wisconsin

1 Security Risks in the Grid UW-Madison July 22, 2010 Barton P. Miller James A. Kupsch Computer Sciences Department University of Wisconsin

Similar presentations

Ads by Google