Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.

Published byRegina Cameron Modified over 8 years ago

Similar presentations

Presentation on theme: "Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing."— Presentation transcript:

1 Software Security

2 Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing of input allowing an attacker to –Read data –Write data –Execute programs

3 Example 1 int main (int argc, char *argv[]) {char password_ok = 0; if (strcmp(password,"bgu_cse")==0) password_ok=1; else password_ok=1; if (password_ok==1) {...} }

4 Example 2 int main (i) {int j; char tmp; char password_ok = 0; const char *password = “bgu_cse”; for (j=0; j<7; j++) { tmp = receive_next_password_char(); if (tmp != password[j]) { send (error_message); return password_ok; } password_ok=1; if (password_ok==1) {...} }

5 Example 3 int main (int argc, char *argv[]) {char password_ok; char password[8]; password_ok = 0; strcpy (password,argv[1]); if (strcmp(password,"bgu_cse")==0) password_ok=1; if (password_ok==1) {...} }

6 Buffer Overflow Up to 2005 the most common security hole The length of an input buffer is not checked Arbitrary data is appended to legal input Data can be written to memory More importantly: program flow control can be hijacked by attacker Examples: Microsoft IIS version 5.0 (see www.cert.org/advisories/CA-2001-10.html), Blaster vulnerability. www.cert.org/advisories/CA-2001-10.html

7 Buffer Overflow stages Send user-controlled data that overflows buffer Include an overflow of a flow-control memory location Use new code –The code can be supplied by the attacker –The code can already exist as part of the attacked software –Injected code is written in machine code to be executed

8 Buffer Overflow on Stack Local Variables Return Address Parameters Stack Single function memory Stack growth String growth

9 Function pointers The C language has pointers to functions void (* Pfunc) () declares a variable that points to a function that returns void Function pointers are used when different functions are called according to input/changing state etc. An overflowing buffer next to a function pointer can cause similar problems to stack smashing

10 Counter Measures Language level –Languages/Libraries that check buffer limits –No buffer overflows in Java or C# –Exchange “unsafe” standard functions with safe counterparts –Block return address overwrite Source code level Compilation level – –Bounds checking at compiler level –Separate stack for return addresses –Canary values between locals and return addresses

11 Counter Measures (cont.) Operating system level: –Non-executable stack (NX bit) –Mapping standard functions to addresses beginning with 0x00 –First measure does not block arbitrary calls to program functions.

12 Overflow and pointers void func1 (char *external) { int a, *b; char*array; … strcpy (array, external); … *b = a; } a b array overflow PC Stored execution pointer Exploit code

13 Stages of pointer based overflow Send user-controlled data that overflows buffer Include exploit code in the overflow Carefully set values of variables a and b When program runs *b=a instruction, the stored pointer for execution that b points to is changed to beginning of exploit code Program execution jumps to exploit code

14 Heap overflow A program stores data in three places –Data segment for static variables –Stack segments for a function’s local variables –Heap for dynamically allocated memory Memory in heap allocated by instructions such as malloc or new Buffer overflow in heap allows “pointer based” exploit Heap operation depends on platform

15 Heap A program performs two operations with dynamic memory –It allocates memory –It frees allocated memory The heap manages memory Fragmentation of memory blocks – one of the main problems of managing dynamic memory Solution – merge free blocks together when possible

16 Example: heap as linked list Heap consists of doubly linked list of memory blocks Each block –Previous pointer –Next pointer –Size – number of words –Used flag – 0 if the block is free and 1 if it’s used

17 Example: Initialization Null 10000 NextPrevSizeUsed

18 Example: allocation of block Null9920 NextPrevSizeUsed 1 Data 4Null

19 9840 1 Data 4Null 1 Data 4 Example: another allocation NextPrevSizeUsed heap heap  next heap  next  next

20 Null9760 1 Data 4Null 0 Data 4 Example: free a block NextPrevSizeUsed ptr  next  next  prev= ptr  next  prev ptr  next= ptr  next  next ptr ptr  next 1 Data 4

21 Null9760 1 Data 4Null 0 Data 12 Example: free a block NextPrevSizeUsed ptr  next  next  prev= ptr  next  prev ptr  next= ptr  next  next ptr ptr  next

22 Null9760 1 Data 4Null 0 Data 4 Exploit: heap overflow NextPrevSizeUsed ptr  next  next  prev= ptr  next  prev ptr  next= ptr  next  next ptr ptr  next 1 Data 4 Pointer to Exploit code Pointer to Execution address Overflow

23 Cross Site Scripting

24 HTTP Basic function –A web client requests a page –Requests are identified by URL –A web server serves the page In this basic scheme, content is dull Enhancements –Client supplies data to web application (server) –Server returns answers as function of data –Client executes local scripts

25 Client side scripts Javascript Active-X VBscript Executing scripts is essential for most web applications, e.g. gmail Client allows remote entity (server) to run software (script) on client machine The scripts are therefore limited to browser context: passwords, cookies etc.

26 Cross site The client allows a trusted server (e.g. gmail) to invoke a script When surfing to another site, that site can’t run scripts that use the trusted site’s data (e.g. password). Cross site scripting: attacker runs a script as if it came from the trusted site. Google ads on different sites learn user preferences and serve appropriate ads

27 Example

28 Example – source HTML

29 Cross Site Scripting Attack (XSS) Web server is vulnerable to attack –Sends scripts to client –Doesn’t check source or content of script –Example – echoing client URL back to the client without checking –Example – serving content provided by an attacker (e.g. forum) Client is target of attack –Executes script

30 XSS – what is at stake? Script can read any data in the web site’s context –Cookies –Passwords –Keystrokes Script can pass this data to attacker –Directly in URL –Indirectly by opening a side channel (e.g. loading one out of a pair of pictures to signisl a bit 0 or 1)

31 XSS-Attack: Reflected Attack E-mail: Click on this great link www.site.com/reflect.cgi? attack code 1. Attacker sends malicious code 2. Client user sends code (unwittingly) to server 3. Server reflects code to client 4. Browser executes script attack code www.site.com/reflect.cgi? attack code Attacker Client Web Server !!! attack code !!! Source: Eurosec project

32 XSS-Attack: Stored Attack Post Forum Message: Subject: GET Money for FREE !!! Body: attack code 1. Attacker sends malicious code 2. Server stores message Did you know this?..... 3. User requests message 4. Message is delivered by server 5. Browser executes script in message GET Money for FREE !!! attack code Get /forum.jsp?fid=122&mid=2241 Attacker Client Web Server GET Money for FREE !!! attack code !!! attack code !!! Re: Error message on startup..... I found a solution!..... Can anybody help?..... Error message on startup..... Source: Eurosec project

33 Where script is executed... Source: http://www.securityfocus.com/archive/1/272037/2002-05-09/2002-05-15/0 [IE] & [code] [N4] &{[code]}; [N4] [IE] [N4] [code] "> <meta http-equiv="refresh" content="0;url=javascript:[code]"> <div style="background-image: url(javascript:[code]);"> [IE] [Mozilla] [IE] [N4] [code] [IE] <object classid="clsid:..." codebase="javascript:[code]"> [code]//--> [code] " onmouseover="[code]"> <script>[code]</script>; <div datafld="b" dataformatas="html" datasrc="#X"> [UTF-8; IE, Opera] [\xC0][\xBC]script>[code][\xC0][\xBC]/script>

34 Countermeasures - Server Fairly easy –Canonicalization of user supplied data (Unicode and other translations are turned into canonical representation) –Do not reflect scripts –Do not store scripts –Check all data, including hidden HTTP fields: referrer, method etc. Harder (site wishes to serve user supplied scripts) –Check that user supplied data does no harm –How exactly?

35 Countermeasures - Client Easy –Canonicalization of server data –Block all scripts Effect – very boring surfing experience Tainting objects –Do not send sensitive data (e.g. cookies) to any site other than original site –Do not send any data changed (“tainted”) by sensitive data Limitations –Some data, such as keystrokes is difficult to classify –Indirect information passing, such as the picture method may bypass such measures. –Performance hit

Download ppt "Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
Exploits: XSS, SQLI, Buffer Overflow

Exploits: XSS, SQLI, Buffer Overflow
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Similar presentations

Ads by Google