Text Book: Security in Computing


Program Security
Text Book: Security in Computing, Charles P. Pfleeger
From Charles P. Pfleeger, Security in Computing, 2nd Edition, Prentice Hall, 1996

Program Security: Objectives
- Define the concept of a secure program
- Differentiate malicious and non-malicious code
- Identify and describe programming errors with security implications
- List and explain the different types of viruses, how and where they attack, and how they gain control
- Explain virus signatures
- Identify the impact of viruses on the computing system
- Discuss and explain various policies, procedures and technical controls against virus threats

Program/Code Security (cont.)
Protecting programs is at the heart of computer security because they constitute so much of a computing system, such as the OS, device drivers, network infrastructure, DBMS, etc.
Two important questions:
1. How do we keep programs free from flaws?
2. How do we protect computing resources against programs that contain flaws?

Secure Program
Security implies some degree of trust that the program enforces expected confidentiality, integrity and availability. The meaning of secure software is likely to get different answers from different people. This difference occurs because the importance of the characteristics depends on who is analyzing the software.

Flaws, faults, and failures
- A flaw is a problem with a program
- A program security flaw is an undesired program behavior caused by a program vulnerability
- A security flaw is a problem that affects security in some way: confidentiality, integrity, availability
- Flaws come in two types: faults and failures

Flaws, faults, and failures
- A fault is a mistake "behind the scenes": an error in the code, data, specification, process, etc.
- A fault is a potential problem
- A failure is when something actually goes wrong: you log in to the library's web site, and it shows you someone else's account
- "Goes wrong" means a deviation from the desired behaviour, not necessarily from the specified behaviour! The specification itself may be wrong
- A fault is the programmer/specifier/inside view
- A failure is the user/outside view

Finding and fixing faults
- How do you find a fault? If a user experiences a failure, you can try to work backwards to uncover the underlying fault
- What about faults that haven't (yet) led to failures? Intentionally try to cause failures, then proceed as above
- Remember to think like an attacker!

Bug, Error, Fault, and Failure
- Bug in software is a term that can mean many different things depending on context. For example, it can be a mistake in interpreting a requirement or a syntax error in a piece of code.
- Error is a human mistake in performing some software activity that may lead to a fault in a computer program.
- A fault may cause a failure (which is a departure from the system's required behavior).
- A fault is an inside view of the system, seen by the developers, whereas a failure is an outside view seen by the user.

Types of Flaws
Intentional
- Malicious
- Non-malicious
Inadvertent (unintentional)
- Validation error
- Domain error: controlled access to data
- Serialization and aliasing: program flow order
- Inadequate identification and authentication
- Boundary condition violation
- Other exploitable logic errors

Types of security flaws
- One way to divide up security flaws is by genesis (where they came from)
- Some flaws are intentional
- Malicious flaws are intentionally inserted to attack systems, either in general, or certain systems in particular
- If it's meant to attack some particular system, we call it a targeted malicious flaw

Types of security flaws
- Nonmalicious (but intentional) flaws are often features that are meant to be in the system, and are correctly implemented, but nonetheless can cause a failure when used by an attacker
- Most security flaws are caused by unintentional program errors

Nonmalicious Program Errors
Humans make many mistakes, most of which are unintentional and nonmalicious. Many such errors cause program malfunction but do not lead to more serious security vulnerabilities.
Three main concerns:
- Buffer Overflows
- Incomplete Mediation
- Time-of-Check to Time-of-Use Errors

Non-malicious Program Errors
1. Buffer Overflows
All program and data elements are in memory during execution, sharing space with the operating system, other code, and resident routines. Therefore, the effect of the overflowing data depends on where it goes in memory; it may affect user data, user code, system data, or system code.

Buffer Overflows
- A buffer (or array or string) is a space in which data can be held. Because memory is finite, a buffer's capacity is finite. For this reason, in many programming languages the programmer must declare the buffer's maximum size so that the compiler can set aside that amount of space.
- Buffer overflow: when user input exceeds the maximum buffer size
- Extra input goes into unexpected memory locations
- Attacker can run desired code, hijack program

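Malicious user enters > 1024 chars, but buf can only store 1024 chars; extra chars overflow buffer

    #include <stdio.h>

    /* Deliberately vulnerable: gets() does not know how large buf is and
       performs no bounds check (it was removed from the language in C11). */
    void get_input() {
        char buf[1024];
        gets(buf);
    }

    int main(int argc, char *argv[]) {
        get_input();
        return 0;
    }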

Buffer Overflows (cont.)
Example 1:
    Declare: char sample[10];
    Run:     sample[10] = 'A';
    Error:   Subscript is out of bounds.
Example 2:
    Declare: char sample[10]; int i;
    Run:     for (i = 0; i <= 9; i++) sample[i] = 'A';
             sample[10] = 'B';
    Error:   Overwrites an existing variable value.

Defences against buffer overflows
How might one protect against buffer overflows?
- Use a language with bounds checking
- And catch those exceptions!
- Non-executable stack
- "W⊕X" (memory page is either writable or executable, but never both)
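When the program has to stay in C, the bounds checks the language omits can be written by hand. The block below is an added example, not from the slides: it redoes the get_input() and sample[10] cases with explicit limits, and read_line_bounded and store_checked are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the slides): read one line into buf, which
 * holds cap bytes. Returns the line length, -1 if the line did not fit
 * (the excess is discarded, never stored), or -2 on EOF or read error. */
int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return -2;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';              /* complete line: strip newline */
        return (int)(len - 1);
    }
    /* No newline stored: drain the rest of the line and count the excess. */
    int c, extra = 0;
    while ((c = fgetc(in)) != '\n' && c != EOF)
        extra++;
    if (extra == 0)
        return (int)len;                  /* line ended exactly at the limit */
    buf[0] = '\0';
    return -1;                            /* over-long input is rejected */
}

/* Bounds-checked store: the check C does not make for sample[10] = 'A'. */
int store_checked(char *arr, size_t cap, size_t idx, char value)
{
    if (idx >= cap)
        return -1;                        /* subscript out of bounds: refuse */
    arr[idx] = value;
    return 0;
}

int main(void)
{
    char buf[1024];
    int n = read_line_bounded(stdin, buf, sizeof buf);
    if (n == -1)
        fprintf(stderr, "input rejected: longer than %zu characters\n", sizeof buf - 1);
    else if (n >= 0)
        printf("read %d characters\n", n);
    return n < 0;
}
```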

Non-malicious Program Errors (cont.)
2. Incomplete mediation
- Inputs to programs are often specified by untrusted users
- Web-based applications are a common example
- Users sometimes mistype data in web forms
    Phone number: 51998884567
    Email: iang#cs.uwaterloo.ca
- The web application needs to ensure that what the user has entered constitutes a meaningful request
- This is called mediation

Non-malicious Program Errors (cont.)
2. Incomplete mediation
- Incomplete mediation: one possibility is the receiving routine's failing on a data type error.
- Another possibility is that the receiving program would continue to execute but would generate a very wrong result.
- One way to address the potential problems is to anticipate them: write code to check for correctness on the client's side, so the program can restrict choices to only valid ones.

Incomplete mediation
Example 1:
    Declare: int number;
    Run:     number = "two";
    Error:   Wrong value in specified format
Example 2:
    Declare: in the database, the name length is declared as 10 characters
    Run:     we enter name = Christopher Columbus
    Error:   Database error
Incomplete mediation occurs when the application accepts incorrect data from the user.
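A sketch of complete mediation for the form fields used on these slides, written as an added example (not from the slides). The checks run in the receiving program, where the user cannot skip them; the 10-digit phone format, the simple email shape rule and all function names are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define NAME_COLUMN_LEN 10   /* the slide's database column: 10 characters */

/* Assumed format: exactly 10 digits; spaces, dashes, dots and parentheses
 * are tolerated as separators, anything else is rejected. */
int valid_phone(const char *s)
{
    int digits = 0;
    for (; *s; s++) {
        if (isdigit((unsigned char)*s))
            digits++;
        else if (!strchr(" -.()", *s))
            return 0;
    }
    return digits == 10;
}

/* Simple shape check, not a full address parser: one '@', a non-empty
 * local part, a domain with an interior dot, no spaces or control bytes. */
int valid_email(const char *s)
{
    const char *at = strchr(s, '@');
    if (at == NULL || at == s || strchr(at + 1, '@') != NULL)
        return 0;
    const char *dot = strchr(at + 1, '.');
    if (dot == NULL || dot == at + 1 || dot[1] == '\0')
        return 0;
    for (; *s; s++)
        if (isspace((unsigned char)*s) || iscntrl((unsigned char)*s))
            return 0;
    return 1;
}

/* Returns 0 if the request is acceptable, else a bit mask of the fields
 * that failed: 1 = phone, 2 = email, 4 = name longer than the column. */
int mediate_form(const char *phone, const char *email, const char *name)
{
    size_t n = strlen(name);
    return (valid_phone(phone) ? 0 : 1) | (valid_email(email) ? 0 : 2)
         | ((n >= 1 && n <= NAME_COLUMN_LEN) ? 0 : 4);
}

int main(void)
{
    printf("%d\n", mediate_form("51998884567", "iang#cs.uwaterloo.ca", "Christopher Columbus"));
    return 0;
}
```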

Non-malicious Program Errors (cont.)
3. Time-of-Check to Time-of-Use Errors
Definition: instructions that appear to be adjacent may not actually be executed immediately after each other, either because of an intentionally changed order or because of the effects of other processes in concurrent execution. (A delay between checking permission to perform certain operations and using this permission may enable the operations to be changed.)

Non-malicious Program Errors (cont.)
3. Time-of-Check to Time-of-Use Errors
Example:
1. User attempts to write 100 bytes at end of file "abc". Description of operation is stored in a data structure.
2. OS checks user's permissions on copy of data structure.
3. While user's permissions are being checked, user changes data structure to describe operation to delete file "xyz".

Non-malicious Program Errors (cont.)
3. Time-of-Check to Time-of-Use Errors
During the delay between the time the access was checked and the time the result of the check was used, a change occurred, invalidating the result of the check.
Example: changing the name of the file that was checked for deletion access.
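The "abc"/"xyz" example above as a deterministic C model, added here as an illustration and not taken from the slides. The struct layout, the policy and all function names are assumptions; a callback stands in for the concurrent user so the window between check and use can be reproduced without threads.

```c
#include <stdio.h>
#include <string.h>

enum op { OP_APPEND, OP_DELETE };
struct request { enum op op; char file[32]; int nbytes; };

/* Constructed policy for this demo: the user may only append to "abc". */
int permitted(const struct request *r)
{
    return r->op == OP_APPEND && strcmp(r->file, "abc") == 0;
}

/* Stand-in for step 3: the user rewrites the shared structure while the
 * check is in progress. Called between check and use. */
typedef void (*window_fn)(struct request *shared);
void change_to_delete_xyz(struct request *shared)
{
    shared->op = OP_DELETE;
    strcpy(shared->file, "xyz");
}

/* Flawed: checks the user-writable structure, then reads it again to act. */
int mediate_in_place(struct request *shared, window_fn window, struct request *done)
{
    if (!permitted(shared)) return -1;    /* time of check */
    if (window) window(shared);
    *done = *shared;                      /* time of use: re-reads shared data */
    return 0;
}

/* Fixed: copy the request into private storage first, then check and act
 * on that same copy; later changes to the shared structure are ignored. */
int mediate_snapshot(struct request *shared, window_fn window, struct request *done)
{
    struct request copy = *shared;
    if (!permitted(&copy)) return -1;
    if (window) window(shared);
    *done = copy;
    return 0;
}

int main(void)
{
    struct request a = { OP_APPEND, "abc", 100 }, b = a, did_a, did_b;
    mediate_in_place(&a, change_to_delete_xyz, &did_a);
    mediate_snapshot(&b, change_to_delete_xyz, &did_b);
    printf("in place: op=%d file=%s\nsnapshot: op=%d file=%s\n", (int)did_a.op, did_a.file, (int)did_b.op, did_b.file);
    return 0;
}
```

Here `done` records the operation that would actually be carried out, which is what the check was supposed to constrain.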