CNS2009handout 20 :: software security1 ELEC5616 computer and network security matt barrie

Slides:



Advertisements
Similar presentations
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Advertisements

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
1 Buffer Overflow Attacks and Format String bugs.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
Lecture 16 Buffer Overflow
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Computer Security and Penetration Testing
Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Mitigation of Buffer Overflow Attacks
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.
Buffer Overflow Attack-proofing by Transforming Code Binary Gopal Gupta Parag Doshi, R. Reghuramalingam The University of Texas at Dallas 11/15/2004.
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Buffer Overflow Group 7Group 8 Nathaniel CrowellDerek Edwards Punna ChalasaniAxel Abellard Steven Studniarz.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
Unix Security Assessing vulnerabilities. Classifying vulnerability types Several models have been proposed to classify vulnerabilities in UNIX-type Oses.
Lecture 13 Page 1 CS 236 Online Major Problem Areas for Secure Programming Certain areas of programming have proven to be particularly prone to problems.
Buffer overflow and stack smashing attacks Principles of application software security.
Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-
Web Security Firewalls, Buffer overflows and proxy servers.
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
1988 Morris Worm … estimated 10% penetration 2001 Code Red … 300,00 computers breached 2003 Slammer/Sapphire … 75,00 infections in 10 min Zotob …
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
CS703 - Advanced Operating Systems By Mr. Farhan Zaidi.
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
Major Problem Areas for Secure Programming
Mitigation against Buffer Overflow Attacks
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Software Security Testing
Module 30 (Unix/Linux Security Issues II)
Protecting Memory What is there to protect in memory?
Software Security.
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Preventing Buffer Overflow Attacks
Software Security Lesson Introduction
CS703 - Advanced Operating Systems
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2009.
Understanding and Preventing Buffer Overflow Attacks in Unix
Presentation transcript:

CNS2009handout 20 :: software security1 ELEC5616 computer and network security matt barrie

CNS2009handout 20 :: software security2 design of a secure system Top Down Approach: 1.Threat Model - What are the likely risks? 2.Security Policy - What is the security meant to achieve? 3.Security Mechanisms - How are the mechanisms implemented? Design of a secure system follows a ring design –Every object has an associated security attribute –Every subject has a security clearance The aim is to restrict the interaction between rings least security highest security

CNS2009handout 20 :: software security3 example: trusted operating system security kernel hardware operating system user applications Trusted Computing Base (TCB) -- failure of the TCB leads to failure of the security system

CNS2009handout 20 :: software security4 Bell - LaPadula model Developed in the context of military and intelligence data Also known as “multilevel security” or “MLS systems” Simple Security Property: –No process may read data at a higher level (no read up - NRU) –Agent Alice with “Secret” clearance can’t read Top-Secret documents The *-property: –No process may write data to a lower level (no write down- NWD) –Agent Alice with “Secret” clearance can’t write Public documents

CNS2009handout 20 :: software security5 covert channels Bell-LaPadula: prevent subjects with different access rights from communicating. –Problem: covert channels. Covert channels: –Communication channels undetected by the security policy enforcer. Example: File locking: –High clearance subject frequently locks and unlocks a file. –Low clearance subject checks lock status. –Using synchronized timer: 1000bit/sec transfer rate.

CNS2009handout 20 :: software security6 evaluation: the orange book Trusted Computer Systems Evaluation Criteria US Department of Defense, 1979 Ratings D: Minimal protection. Anyone can get this rating. C1: Discretionary security. Users can disable the security C2: Controlled access. Per user protection. Discretionary. B1: Labeled protection. Every object is labeled. Bell-LaPadula B2: Structured protection. More OS module verification. B3: Security domains. Modular OS design. Clear security policy. A1: Verified design. Formally verified system design. Example: Windows NT is considered C2 compliant.

CNS2009handout 20 :: software security7 common programming mistakes Poor design choices / assumptions Failing to check user supplied input Buffer overflows Incorrect levels and separation of privileges Poor default settings Predictable sources of randomness Race conditions Poor failure modes Insufficient testing Failure to protect secrets properly Poor design review Poor documentation and commenting Poor maintenance of legacy code Bad programming languages

CNS2009handout 20 :: software security8 buffer overflows One of the most common bugs today –Packet Storm has ~ 100 new ones every month Mainly due to poor programming practice, poor languages from a security perspective (e.g. C) and lack of proper code review. Easy to exploit : –Find problem in the source code –Craft an exploit Today there exists even automatic exploit generators that will drop in the right shellcode for a particular processor and operating system.

CNS2009handout 20 :: software security9 buffer overflows explained Suppose a server contains the function foo : void foo(char *str) { char buf[128]; strcpy(buf, str); } When the function is invoked the stack looks like: What if *str is 136 bytes long? After strcpy: bufsfpret addrstr *strnew addrstr top of stack

CNS2009handout 20 :: software security10 basic stack exploit Main problem: no range checking in strcpy() Suppose *str is such that after strcpy stack looks like: Attack code: execv(“/bin/sh”, 0) When the function exits, it returns using the new return address and starts executing the attack code - giving a shell. Note: the attack code runs in the stack. *strretattack code top of stack

CNS2009handout 20 :: software security11 exploiting buffer overflows Suppose the above code is from a web server and foo () is called with a URL sent by the browser. An attacker can create a 200-byte URL to obtain shell on web server. Some complications: –The attack code should not contain the ‘\0’ character. –Overflow should not crash program before foo() exists. Recent buffer overflows of this type ( –TA07-089A: Microsoft Windows Animated Cursor Buffer Overflow (March 2007) A buffer overflow vulnerability in the way Microsoft Windows handles animated cursor files is actively being exploited. –TA05-362A: Microsoft Windows Metafile Handling Buffer Overflow (December 2005) Microsoft Windows is vulnerable to remote code execution via an error in handling files using the Windows Metafile image format.

CNS2009handout 20 :: software security12 more general exploits Basic stack exploit can be prevented by marking the stack segment as non-executable: –Various solutions exist but there are many ways to trick –Does not block more general overflow exploits. General buffer overflow exploits are based on two steps: –Arrange for attack code to be present in program space. –Cause program to execute attack code.

CNS2009handout 20 :: software security13 inserting the attack code Injecting attack code: –Place code in stack variable (local variables). –Place code in a heap variable (malloc’d variables). –Place code in static data segment (static variables). Using existing code: return-into-libc (exec) –Cause function pointer or return address to point to the libc “exec” function. –At same time override first argument to be “/bin/sh” local varsSFP top of stack ret-addrarg1 exec()/bin/sh

CNS2009handout 20 :: software security14 causing execution of attack code Stack smashing attack: –Override return address in stack activation record by overflowing a local buffer variable. Function pointers: –Overflowing buf will override function pointer. Longjmp buffers: longjmp(pos) –Overflowing buf next to pos overrides value of pos. buf[128]FP top of stack

CNS2009handout 20 :: software security15 finding buffer overflows Hackers find buffer overflows as follows: –Run software on local machine. –Supply long strings into user input fields. Long strings are of the form “XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX”. –If the software crashes, search the core dump for “XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX” to find the overflow location. Some automated tools exist. (eEye Retina, ISIC).

CNS2009handout 20 :: software security16 preventing buffer overflows Main problem: –strcpy(), strcat(), sprintf() have no range checking. –“Safe” versions strncpy(), strncat() are often misleading strncpy() may leave buffer unterminated. strncpy(), strncat() encourage off by 1 bugs. strncpy( dest, src, strlen(src)+1 ) Defenses: 1.Static source code analysis. 2.Run time checking. 3.Black box testing (e.g. eEye Retina, ISIC).

CNS2009handout 20 :: software security17 static source code analysis Statically check source to detect buffer overflows. –Internal code reviews –Consulting companies ($$$) Automated tools –Still requires expertise to run and analyse results (l0pht.com): SLINT (designed for UNIX) –rstcorp: its4. Scans function calls. –Berkeley: Wagner, et al. Tests constraint violations.

CNS2009handout 20 :: software security18 run time checking Runtime range checking –Significant performance degradation. –Hard for languages like C and C++. StackGuard (OGI) –Run time tests for stack integrity. –Embed “canaries” in stack frames and verify their integrity prior to returning from the function. local varscanary top of stack ret-addrstrSFP

CNS2009handout 20 :: software security19 canary types Random canary: –Choose random string at program startup. –Insert canary string into every stack frame. –Verify canary before returning from function. –To corrupt random canary attacker must learn current random string. Terminator canary: –Canary = 0, new line, linefeed, EOF. –String functions will not copy beyond terminator. –Hence, attacker cannot use string functions to corrupt stack. –Other functions still have problems.

CNS2009handout 20 :: software security20 ProPolice (SSP) ProPolice implemented as a GCC patch, now in GCC 4.1. Minimal performance effects. Protects more than just return address Note: Canaries don’t offer foolproof protection. –Some stack smashing attacks can leave canaries untouched. Related: Address Space Layout Randomisation (ASLR) –Randomise placement of certain code in process’ address space

CNS2009handout 20 :: software security21 race conditions A race condition attack exploits the fact that multiple instruction transactions are not atomic Example: Race condition in the old UNIX “ mkdir ” command mkdir executed with two Stages: –Storage allocated –Ownership transferred to user Attack: –User initiates mkdir –User quickly replaces the new directory with /etc/passwd –mkdir process transfers ownership to user Many such problems have existed with temporary files in /tmp

CNS2009handout 20 :: software security22 race conditions Example: Print server race condition with print quotas –User prints file –Print server determines cost of file –Print server checks account balance and deducts amount –Print server spools file for printing Attack: lpr smallfile sleep (1) cat bigfile > smallfile

CNS2009handout 20 :: software security23 timing attacks Timing attacks extract secret information based on the time a device takes to respond (“side channel attack”) Applicable to: –Smartcards –Cell phones –PCI cards –Network software Examples: –RSA exponentiation –Password checking and lengths –Inter-keystroke timing (e.g. attack on ssh)

CNS2009handout 20 :: software security24 timing attacks Consider the following password checking code: int password_check(char *inp, char *pwd) { if (strlen(inp) != strlen(pwd)) return 0; for( i=0; i < strlen(pwd); ++i) if ( inp[i] != pwd[i] ) return 0; return 1; } A simple timing attack will expose the length and the password one character at a time.

CNS2009handout 20 :: software security25 timing attacks Correct code: int password_check(char *inp, char *pwd) { oklen = 1; if (strlen(inp) != strlen(pwd)) oklen=0; for( ok=1, i=0; i < strlen(pwd); ++i) { if ( inp[i] != pwd[i] ) ok = ok & 0; else ok = ok & 1; } return ok & oklen; } Timing attack is ineffective.

CNS2009handout 20 :: software security26 references Papers –Smashing the Stack for Fun and Profit (Aleph One) –Timing Analysis of Keystrokes and Timing Attacks on SSH (Wagner et al)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.