Computer Science CSC 405Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 3. Program Security -- Part II.

Slides:



Advertisements
Similar presentations
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Advertisements

Configuration management
Configuration management
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
Lecture 15 Overview. Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Lecture 16 Buffer Overflow
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2012.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2013.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Chapter 3 – Program Security Section 3.4 Targeted Malicious Code Section 3.5 Controls Against Program Threats.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Information Systems Security Computer System Life Cycle Security.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu.
Computer Security and Penetration Testing
CS 390- Unix Programming Environment CS 390 Unix Programming Environment Topics to be covered: Distributed Computing Fundamentals.
Mitigation of Buffer Overflow Attacks
EECS 583 – Class 21 Research Topic 3: Dynamic Taint Analysis University of Michigan December 5, 2012.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.
Testing. 2 Overview Testing and debugging are important activities in software development. Techniques and tools are introduced. Material borrowed here.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
Operating Systems Security
Software Engineering1  Verification: The software should conform to its specification  Validation: The software should do what the user really requires.
On the Effectiveness of Address-Space Randomization Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Writing Secure Programs. Program Security CSCE Farkas/Eastman - Fall Program Flaws Taxonomy of flaws: how (genesis) when (time) where (location)
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Testing Overview Software Reliability Techniques Testing Concepts CEN 4010 Class 24 – 11/17.
Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
CS703 - Advanced Operating Systems By Mr. Farhan Zaidi.
Chapter 29: Program Security Dr. Wayne Summers Department of Computer Science Columbus State University
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang and Paul Barham.
Mitigation against Buffer Overflow Attacks
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2016.
Chapter 8 – Software Testing
Secure Software Development: Theory and Practice
Taint tracking Suman Jana.
Software Security.
Preventing Buffer Overflow Attacks
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2011.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2009.
Chapter 29: Program Security
CNT4704: Analysis of Computer Communication Network Special Topic: Buffer Overflow II: Defense Techniques Cliff Zou Fall 2011.
Presentation transcript:

Computer Science CSC 405Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 3. Program Security -- Part II

Computer Science CSC 405Dr. Peng Ning2 Targeted Malicious Code General purpose malicious code –Affect users and machines indiscriminately Targeted malicious code –Written for a particular system, for a particular application, and for a particular purpose –Trapdoor –Salami attack –Covert channel

Computer Science CSC 405Dr. Peng Ning3 Salami Attack A salami attack merges seemingly inconsequential data to yield powerful results Example –Bank programmer: transfer one cent of interest from each account to his/her account

Computer Science CSC 405Dr. Peng Ning4 Covert Channels Covert channels –Programs that communicate information to people who should not receive it –The communication travels unnoticed, accompanying other, perfectly proper, communications A human example –Reveal answers to multiple choice questions Coughing for (a) Sighing for (b) …

Computer Science CSC 405Dr. Peng Ning5 Covert Channels (Cont’d) Structure of cover channels –A sender Service program –A receiver Spy –A Trojan horse is always involved Protected data Spy Legitimate user Service Program

Computer Science CSC 405Dr. Peng Ning6 How to Create Covert Channels Example: A printed report

Computer Science CSC 405Dr. Peng Ning7 Classification of Covert Channels Storage channels –Pass information by using the presence or absence of objects in storage Timing channels –Pass information by using the speed at which things happen

Computer Science CSC 405Dr. Peng Ning8 Storage Channels Example 1: File lock channel

Computer Science CSC 405Dr. Peng Ning9 Storage Channels (Cont’d) Example 2: File existence channel

Computer Science CSC 405Dr. Peng Ning10 Timing Channels Example: Cover timing channel The attacker may use error correction codes to reduce the interference from other processes.

Computer Science CSC 405Dr. Peng Ning11 Covert Channels (Cont’d) The service program and the spy need access to a shared resource –Storage channels Object in shared storage medium –Timing channels Time

Computer Science CSC 405Dr. Peng Ning12 Identifying Potential Covert Channels Shared resource matrix –Basis of cover channel is a shared resource –  Find all shared resources –  Determine which processes can write to and read from the resources –Can be automated Service Process Spy’s Process LockedR, M Confidential data R Service Process Spy’s Process LockedR, M Confidential data RR R: Can read M: Can write

Computer Science CSC 405Dr. Peng Ning13 Identifying Potential Covert Channels (Cont’d) Information flow method –Static analysis of program source code –Explicit flow B:=A –Information flows from A to B B:=A; C:=B –Information flows from A to C (by way of B) –Implicit flow IF D=1 THEN B:=A –Information flows explicitly from A to B –Information flows implicitly from D to B

Computer Science CSC 405Dr. Peng Ning14 Information Flow Method (Cont’d) Functions –B:=fntl(args) At a superficial level, information flows from args to B Need to analyze the definition of fntl –Information flows from global variables to B Need to put all pieces together to show which output are affected by which inputs –Can be automated

Computer Science CSC 405Dr. Peng Ning15 Controls against Program Security Threats Development controls Operating system controls Administrative controls

Computer Science CSC 405Dr. Peng Ning16 Development Controls Peer reviews –Review Presented informally to a team of reviewers Goal: consensus and buy-in before development proceeds further –Walk-through Presented to the team by its creator Goal: education; focus is on learning about a single document –Inspection Formal process; detailed analysis in which the artifact is checked against a prepared listed of concerns Goal: verify properties of the artifact of concern

Computer Science CSC 405Dr. Peng Ning17 Peer Review (Cont’d) Review log analysis –Do particular reviewers need training? –Root cause analysis ==> What should be done to discover the fault earlier? –Build a checklist for future reviews

Computer Science CSC 405Dr. Peng Ning18 Development Controls (Cont’d) Hazard analysis –Intended to expose potentially hazardous system states –Involves developing Hazard lists, and Procedures for exploring “what if” scenarios to trigger consideration of non-obvious hazards Example: Failure modes and effects analysis (FMEA) Bottom up technique Identify each component’s possible faults Determine what could trigger the fault and the system-wide effects of the fault Often lead to possible system failures that are not made visible by other analytical means

Computer Science CSC 405Dr. Peng Ning19 Development Controls (Cont’d) Testing –Involves several stages –Unit testing Each component is tested on its own, isolated from the other components in the system Done in a controlled environment AKA, module testing, component testing –Integration testing Ensure the interface among the components are defined and handled properly Verify that the system components work together as specified

Computer Science CSC 405Dr. Peng Ning20 Testing (Cont’d) Function test –Evaluate the system to determine whether the functions described by the requirement specification are actually performed by the system Performance test –Compare the system with the remainder of the software and hardware requirements Security requirements are examined during the function and performance tests

Computer Science CSC 405Dr. Peng Ning21 Testing (Cont’d) Acceptance test –Ensure that the system works according to customer expectations Installation test –A final test to ensure the system still functions as it should Regression test –After a change is made to enhance or fix the system, regression testing ensures that all remaining functions are still working

Computer Science CSC 405Dr. Peng Ning22 Development Controls (Cont’d) Good design –Using a philosophy of fault tolerance Active fault detection Redundancy Isolate the damage and minimize the disruption –Having a consistent policy for handling failures –Capturing the design rationale and history –Using design patterns

Computer Science CSC 405Dr. Peng Ning23 Development Controls (Cont’d) Prediction –Identify what unwanted events might occur –Make plans to avoid them or mitigate their effects Static analysis –Examine design and code to locate and repair security flaws Control flow Data flow Data structure –Many approaches; automated tools needed

Computer Science CSC 405Dr. Peng Ning24 Development Controls (Cont’d) Configuration management –The process by which we control the changes during development and maintenance –Four activities Configuration identification –Build an inventory (baseline) of all components of the system Configuration control and change management –Coordinate separate, related versions Configuration auditing –Confirms that the baseline is complete and accurate, changes are recorded, recorded changes are made, the actual software is reflected accurately in the documents Status accounting –Record the information about the components

Computer Science CSC 405Dr. Peng Ning25 Operating System (OS) Controls Trusted software –A part of the OS that has been rigorously developed and analyzed –Called Trusted Computer Base (TCB) Key characteristics during rigorous analysis and testing –Functional correctness –Enforcement of integrity –Limited privilege Access is minimized; sensitive data not disclosed –Appropriate confidence level Often used as a safe way for general users to access sensitive data

Computer Science CSC 405Dr. Peng Ning26 Operating System (OS) Controls (Cont’d) Mutual suspicion –Programs do not trust each other Confinement –Program is strictly limited in what system resources it can access Access (audit) log –List of who accessed what objects –Allow tracking down what has been done

Computer Science CSC 405Dr. Peng Ning27 Administrative Controls Standards of program development –Capture the wisdom from previous projects –Standards of design Design tools, languages, methodologies –Standards of documentation, language, and coding style Layout of code, choices of variable names, recognized program structures –Standards of programming Mandatory peer reviews, periodic code audits, compliance with standards –Standards of testing Program verification, archiving test results, independent testers,… –Standards of configuration management

Computer Science CSC 405Dr. Peng Ning28 Administrative Controls (Cont’d) Separation of duties –Break development tasks into pieces to be performed by separate developers/testers/administrators –Force developers/testers/administrators to cooperate –More rigorous examination

Computer Science CSC 405Dr. Peng Ning29 Preventing Buffer Overflow Attacks Non-executable stack Static source code analysis Run time checking: StackGuard, Libsafe, SafeC, (Purify) Randomization Type safe languages ( Java, ML ) –Legacy code? Detection deviation of program behavior Many more …

Computer Science CSC 405Dr. Peng Ning30 Marking Stack as Non-Executable Basic stack exploit can be prevented by marking stack segment as non-executable –Support in SP2. Code patches exist for Linux, Solaris Problems: –Does not defend against `return-to-libc’ exploit –Some apps need executable stack (e.g. LISP interpreters) –Does not block more general overflow exploits: Overflow on heap: overflow buffer next to func pointer

Computer Science CSC 405Dr. Peng Ning31 Static Source Code Analysis Statically check source code to detect buffer overflows –Several consulting companies Can we automate the review process? Several tools exist: –Coverity (Engler et al.): Test trust inconsistency –Microsoft program analysis group: PREfix: looks for fixed set of bugs (e.g. null ptr ref) PREfast: local analysis to find idioms for prog errors –Berkeley: Wagner, et al. Test constraint violations Find lots of bugs, but not all

Computer Science CSC 405Dr. Peng Ning32 pararetsfplocal stack canarypararetsfp local canary Frame 1Frame 2 Run Time Checking: StackGuard Many many run-time checking techniques … Solutions 1: StackGuard (WireX) –Run time tests for stack integrity –Embed “canaries” in stack frames and verify their integrity prior to function return

Computer Science CSC 405Dr. Peng Ning33 Canary Types Random canary: –Choose random string at program startup –Insert canary string into every stack frame –Verify canary before returning from function –To corrupt random canary, attacker must learn current random string Terminator canary: Canary = 0, newline, linefeed, EOF –String functions will not copy beyond terminator –Hence, attacker cannot use string functions to corrupt stack

Computer Science CSC 405Dr. Peng Ning34 StackGuard (Cont’d) StackGuard implemented as a GCC patch –Program must be recompiled –Minimal performance effects: 8% for Apache Newer version: PointGuard –Protects function pointers and setjmp buffers by placing canaries next to them –More noticeable performance effects Note: Canaries don’t offer fullproof protection –Some stack smashing attacks can leave canaries untouched

Computer Science CSC 405Dr. Peng Ning35 Windows XP SP2 /GS Non executable stack Compiler /GS option: –Combination of ProPolice and Random canary –Triggers UnHandledException in case of Canary mismatch to shutdown process Litchfield vulnerability report –Overflow overwrites exception handler –Redirects exception to attack code

Computer Science CSC 405Dr. Peng Ning36 destret-addrsfp stack srcbufret-addrsfp libsafe main Run Time Checking: Libsafe Solutions 2: Libsafe (Avaya Labs) –Dynamically loaded library –Intercepts calls to strcpy (dest, src) Validates sufficient space in current stack frame: |frame-pointer – dest| > strlen(src) If so, does strcpy Otherwise, terminates application

Computer Science CSC 405Dr. Peng Ning37 More Methods … StackShield –At function prologue, copy return address RET and SFP to “safe” location (beginning of data segment) –Upon return, check that RET and SFP is equal to copy –Implemented as assembler file processor (GCC)

Computer Science CSC 405Dr. Peng Ning38 Randomization: Motivation Buffer overflow and return-to-libc exploits need to know the (virtual) address to which pass control –Address of attack code in the buffer –Address of a standard kernel library routine Same address is used on many machines –Slammer infected 75,000 MS-SQL servers using same code on every machine Idea: introduce artificial diversity –Make stack addresses, addresses of library routines, etc. unpredictable and different from machine to machine

Computer Science CSC 405Dr. Peng Ning39 Randomization PaX Address Space Layout Randomization –Randomize location of libc –Attacker cannot jump directly to exec function. –Attacks: Repetitively guess randomized address Spraying injected attack code Instruction Set Randomization (ISR) –Each program has a different and secret instruction set –Use translator to randomize instructions at load-time –Attacker cannot execute its own code.

Computer Science CSC 405Dr. Peng Ning40 Dynamic Taint Analysis Hard to tell if data is sensitive when it is written –Binary has no type information Easy to tell it is sensitive when it is used Dynamic Taint Analysis: –Keep track of tainted data from untrusted sources –Detect when tainted data is used in a sensitive way e.g., as return address or function pointer Reference: James Newsome and Dawn Song. “Dynamic Taint Analysis: Automatic Detection, Analysis, and Signature Generation of Exploit Attacks on Commodity Software,” In Proceedings of Network and Distributed Systems Security Symposium, Feb 2005.

Computer Science CSC 405Dr. Peng Ning41 Example: Detecting a Buffer Overflow buffer start Memory Function Pointer ATTACK DETECTED! buffer boundary Socket data

Computer Science CSC 405Dr. Peng Ning42 Design & Implementation: TaintCheck Use Valgrind to monitor execution –Instrument program binary at run-time –No source code required Track a taint value for each location: –Each byte of tainted memory –Each register

Computer Science CSC 405Dr. Peng Ning43 TaintTracker TaintCheck Components TaintSeed Copy TaintAssert !!! Misuse Untrusted Input

Computer Science CSC 405Dr. Peng Ning44 TaintSeed Monitors input via system calls Marks data from untrusted inputs as tainted –Network sockets (default) –Standard input –File input (except files owned by root, such as system libraries) !!!

Computer Science CSC 405Dr. Peng Ning45 TaintTracker Propagates taint Data movement instructions: –e.g., move, load, store, etc. –Destination tainted iff source is tainted –Taint data loaded via tainted index e.g., unicode = translation_table[tainted_ascii] Arithmetic instructions: –e.g., add, xor, mult, etc. –Destination tainted iff any operand is tainted Untaint result of constant functions xor eax, eax !!!

Computer Science CSC 405Dr. Peng Ning46 TaintAssert Detects when tainted data is misused –Destination address for control flow (default) –Format string (default) –Argument to particular system calls (e.g., execve ) Invoke Exploit Analyzer when exploit detected !!!

Computer Science CSC 405Dr. Peng Ning47 Coverage: Attack Classes Detected N/A Format String Stack Overflow Heap Overflow Heap Corruption (Double Free) Return Address Function Pointer Fn Ptr Offset (GOT) Jump Address

Computer Science CSC 405Dr. Peng Ning48 Vigilante Automates worm defense ‘Collaborative Infrastructure’ to detect worms Negligible rate of false positives Network-level approaches do not have access to vulnerability specifics Reference: Manuel Costa, Jon Crowcroft, Miguel Castro, Anthony Rowstron, Lidong Zhou, Lintao Zhang, and Paul Barham, "Vigilante: End-to-End Containment of Internet Worms", SOSP'05, Brighton, UK, October 2005.

Computer Science CSC 405Dr. Peng Ning49 Solution Overview Run heavily instrumented versions of software on honeypot or detector machines Broadcast exploit descriptions to regular machines Generate message filters at regular machines to block worm traffic Requires separate detection infrastructure for each particular service

Computer Science CSC 405Dr. Peng Ning50 SCA: Self-Certifying Alert Allows exploits to be described, shipped, and reproduced Self-Certifying: to verify authenticity, just execute within sandbox Expressiveness: Concise or Inadequate? –Worms defined as ‘exploiters of vulnerability’ rather than ‘generators of traffic’

Computer Science CSC 405Dr. Peng Ning51 Types of Vulnerabilities Arbitrary Execution Control: message contains address of code to execute Arbitrary Code Execution: message contains code to execute Arbitrary Function Argument: changing arguments to ‘critical’ functions. e.g exec How about others?

Computer Science CSC 405Dr. Peng Ning52 Example SCA: Slammer Address of code to execute is contained at this offset within message

Computer Science CSC 405Dr. Peng Ning53 Alert Generation Many existing approaches –Non-executable pages: faster, does not catch function argument exploit –Dynamic Data-flow Analysis: track dirty data Basic Idea: Do not allow incoming messages to execute or cause arbitrary execution

Computer Science CSC 405Dr. Peng Ning54 Alert Verification Hosts run same software with identical configuration within sandbox Insert call to Verified instead of: –Address in execution control alerts –Code in code execution alerts Insert a reference argument value instead of argument in arbitrary function argument alert

Computer Science CSC 405Dr. Peng Ning55 Alert Verification Verification is fast, simple and generic, and has no false positives Assumes that address/code/argument is supplied verbatim in messages –Works for C/C++ buffer overflows, but what about more complex interactions within the service? Assumes that message replay is sufficient for exploit reproduction –Scheduling policies, etc? –Randomization?

Computer Science CSC 405Dr. Peng Ning56 Alert Distribution Flooding over secure Pastry overlay What about DOS? –Don’t forward already seen or blocked SCAs –Forward only after Verification –Rate-limit SCAs from each neighbor

Computer Science CSC 405Dr. Peng Ning57 Local Response Verify SCA Generate filters – conjunctions of conditions on single messages –Data flow analysis: remember how dirty data propagates –Control flow analysis: generate filter condition to remember under what condition the vulnerability is exploited Two levels : general filter with false positives + specific filter with no false positives –General filter: specific filter with some conditions removed Bytes after the vulnerable offset Condition introduced by function calls

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.