CPSC 6126 Computer Security Information Assurance.


Chapter 3 – Program Security
- Programming errors with security implications: buffer overflows, incomplete access control
- Malicious code: viruses, worms, Trojan horses
- Program development controls against malicious code and vulnerabilities: software engineering principles and practices
- Controls to protect against program flaws in execution: operating system support and administrative controls

Program Security
- How do we keep programs free from flaws?
- How do we protect computing resources against programs that contain flaws?
- Presented with a finished product, for example, a commercial software package, how can you tell how secure it is or how to use it in its most secure way?

SECURE PROGRAMS
- Security implies some degree of trust that the program enforces expected confidentiality, integrity, and availability.
- How can we look at a software component and assess its security?

Fixing Faults
- Software that has many faults early on is likely to have many others still waiting to be found.
- Early computer security work used the “penetrate and patch” method, in which analysts (a tiger team) searched for and repaired faults.
- Often patch efforts made the system less secure:

Fixing Faults
- Pressure to repair encourages a narrow focus on the fault and not its context.
- Fixing the fault often introduces side effects.
- A fault may not be fixed properly because a proper fix would cause performance problems.

Unexpected Behavior
- Compare program requirements with behavior to identify program security flaws
- A flaw is either a fault or a failure
- A vulnerability is a class of flaws (e.g. buffer overflows)
- Need to determine how to prevent harm caused by possible flaws
- Program security flaws can derive from any kind of software fault.
  - Inadvertent human flaws
  - Malicious, intentionally induced flaws

Unexpected Behavior
- Hindrances for eliminating program security flaws
  - How do we test for what a program shouldn’t do?
  - Programming and software engineering techniques evolve more rapidly than computer security techniques

Types of Flaws
- Intentional
  - Malicious
  - Nonmalicious
- Inadvertent
  - Validation error (incomplete / inconsistent)
  - Domain error
  - Serialization and aliasing
  - Inadequate identification and authentication
  - Boundary condition violation
  - Other exploitable logic errors

Nonmalicious Program Errors
- Buffer Overflows

    char sample[10];
    for (i=1; i<=10; i++)
        sample[i] = 'A';   /* i == 10 is one element past the end of sample */

- Last 'A' goes into user data, user code, system data, or system code
- If data is overwritten, it can affect results
- If system is overwritten, results are unpredictable
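The slide's loop next to a bounded version, as an added example that is not part of the original slides. To keep the out-of-bounds write well defined, it uses a constructed 16-byte region in which bytes 0..9 stand for sample and the bytes after them stand for neighbouring data; the names region, fill_as_on_slide and fill_bounded are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define SAMPLE_LEN 10

/* Constructed memory model: bytes 0..9 stand for sample[10], bytes 10..15
   for whatever happens to sit next to it (here the string "guard"). */
struct region {
    unsigned char bytes[16];
};

static void region_init(struct region *r)
{
    memset(r->bytes, 0, sizeof r->bytes);
    memcpy(r->bytes + SAMPLE_LEN, "guard", 5);   /* neighbouring data */
}

/* The slide's loop: indices 1..10, so index 10 lands outside sample
   (and index 0 is never written). */
static void fill_as_on_slide(struct region *r)
{
    for (int i = 1; i <= 10; i++)
        r->bytes[i] = 'A';
}

/* Corrected loop: indices 0..SAMPLE_LEN-1 only. */
static void fill_bounded(struct region *r)
{
    for (int i = 0; i < SAMPLE_LEN; i++)
        r->bytes[i] = 'A';
}

/* Returns 1 if the neighbouring data still reads "guard", 0 otherwise. */
static int neighbour_intact(const struct region *r)
{
    return memcmp(r->bytes + SAMPLE_LEN, "guard", 5) == 0;
}

int main(void)
{
    struct region r;
    region_init(&r);
    fill_as_on_slide(&r);
    printf("slide loop:   neighbour intact = %d\n", neighbour_intact(&r));
    region_init(&r);
    fill_bounded(&r);
    printf("bounded loop: neighbour intact = %d\n", neighbour_intact(&r));
    return 0;
}
```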

Nonmalicious Program Errors
- Buffer Overflows: Security Implication
  - Attacker replaces code in the system space and takes control back from the operating system
  - Attacker uses the stack pointer or return register to execute other code
  - How to write buffer overflows
  - Smashing the Stack for Fun and Profit

Nonmalicious Program Errors
- Buffer Overflows: Security Implication
  - Parameter passing to web server
  - http:// (808) &parm2=2004Jan01
  - What if one of the parameters is made longer?
- Microsoft's Phone Dialer contains a buffer overrun that allows execution of arbitrary code

Nonmalicious Program Errors
- Incomplete Mediation (data checking)
  - http:// (808) &parm2=2004Jan01
- What if parm2 is 1800Jan01 or 2004Feb30…
- Use dropdown lists to force the input, test ranges
- Even then, the user could send incorrect data to the server
- Security Implication
  - Easy to exploit – Things, Inc. example
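Because the user can bypass a dropdown list and send anything to the server, the check has to be repeated server-side. The following validator for a parm2 value in the slide's format is an added example, not part of the original slides; the function name valid_parm2 and the accepted year range 1990..2099 are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

static int is_leap(int y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Validate a date parameter in the slide's format, e.g. "2004Jan01".
   Returns 1 if acceptable, 0 otherwise. */
static int valid_parm2(const char *s)
{
    static const char *months[12] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
    static const int days[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int year = 0, day = 0, m;

    if (s == NULL || strlen(s) != 9)     /* exact length: over-long input is rejected */
        return 0;
    for (int i = 0; i < 4; i++) {        /* four-digit year */
        if (s[i] < '0' || s[i] > '9') return 0;
        year = year * 10 + (s[i] - '0');
    }
    for (int i = 7; i < 9; i++) {        /* two-digit day */
        if (s[i] < '0' || s[i] > '9') return 0;
        day = day * 10 + (s[i] - '0');
    }
    for (m = 0; m < 12; m++)             /* three-letter month name */
        if (strncmp(s + 4, months[m], 3) == 0) break;
    if (m == 12) return 0;
    if (year < 1990 || year > 2099)      /* assumed business range */
        return 0;
    int max_day = days[m] + (m == 1 && is_leap(year));
    return day >= 1 && day <= max_day;
}

int main(void)
{
    const char *samples[] = {"2004Jan01", "1800Jan01", "2004Feb30", "2004Feb29"};
    for (int i = 0; i < 4; i++)
        printf("%s -> %s\n", samples[i], valid_parm2(samples[i]) ? "accept" : "reject");
    return 0;
}
```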

Nonmalicious Program Errors
- Time-of-Check to Time-of-Use Errors
  - Mediation is performed with a “bait and switch” in the middle (synchronization flaw)
- Security Implication
  - To avoid checking one action and performing another – use digital signatures and certificates
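The “bait and switch” in code, as an added example that is not part of the original slides. The corrected routine takes a private copy of the request and both checks and uses that copy, which is a different control from the digital signatures the slide names; the request layout, the file names and switch_target (a stand-in for the caller changing its data after the check) are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

struct request { char file[32]; char action[8]; };

/* Policy for this constructed example: only "my_file" may be touched. */
static int permitted(const struct request *r)
{
    return strcmp(r->file, "my_file") == 0;
}

/* Stand-in for the caller altering its request after the check. */
static void switch_target(struct request *r)
{
    strcpy(r->file, "your_file");
}

/* Flawed mediation: checks the caller's data, then reads it again at use.
   Copies the file actually acted on into acted_on; returns 1 if performed. */
static int mediate_flawed(struct request *caller, char *acted_on, size_t n)
{
    if (!permitted(caller)) return 0;            /* time of check */
    switch_target(caller);                       /* data changes in between */
    snprintf(acted_on, n, "%s", caller->file);   /* time of use */
    return 1;
}

/* Corrected: copy once into private storage, check and use the same copy. */
static int mediate_snapshot(struct request *caller, char *acted_on, size_t n)
{
    struct request local = *caller;
    if (!permitted(&local)) return 0;
    switch_target(caller);                       /* no effect on local */
    snprintf(acted_on, n, "%s", local.file);
    return 1;
}

int main(void)
{
    char out[32];
    struct request a = {"my_file", "delete"};
    struct request b = {"my_file", "delete"};
    mediate_flawed(&a, out, sizeof out);
    printf("flawed:   acted on %s\n", out);
    mediate_snapshot(&b, out, sizeof out);
    printf("snapshot: acted on %s\n", out);
    return 0;
}
```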

Viruses and Other Malicious Code
- When was the last time you saw a bit?
- Do you know in what form a document file is stored?
- Can you find where a document resides on a disk?
- Can you tell if a game program does anything in addition to its expected interaction with you?
- Which files are modified by a word processor when you create a document?

Viruses and Other Malicious Code
- Malicious code has been around since the ’70s
- How can malicious code take control of a system?
- How can it lodge in a system?
- How does malicious code spread?
- How can it be recognized?
- How can it be detected?
- How can it be stopped?
- How can it be prevented?

Kinds of Malicious Code
- Virus – code that attaches to another program and copies itself to other programs
  - Transient virus – life depends on life of its host
  - Resident virus – locates inside memory
- Trojan Horse – malicious effect is hidden from user
- Logic bomb – triggered by an event
- Time bomb – triggered by a time or date
- Trapdoor (backdoor) – feature that allows access to program other than through normal channels
- Worm – program that spreads copies of itself through a network
- Rabbit – virus/worm that self-replicates without bound

How Viruses Attack
- A virus is attached to a “program”
- The virus is activated by executing the program
- Most common viruses today are attached to e-mail; when the attachment is opened, the virus is active

Ways Viruses are attached
- Appended Viruses (see Fig. 3-4): virus code is inserted before first instruction, last virus instruction points to first program instruction
- Virus surrounds program (see Fig. 3-5): 2nd part of virus cleans up evidence
- Integrated Viruses and Replacements (see Fig. 3-6)

Types of Viruses
- Boot Sector Virus – virus is part of the bootstrap program (many earlier viruses)
- Memory-Resident Virus – most program viruses stay in the memory when program is first run
- Document (Macro) Virus – virus is part of the macro associated with a document

Antivirus Software
- Virus Signature (virus scanner looks for signatures)
- Storage Patterns (virus scanner looks for suspicious patterns)
- Execution Patterns
- Transmission Patterns
- Polymorphic Viruses

Prevention of Virus Infections
- Use only commercial software acquired from reliable, well-established vendors
- Test all new software on an isolated computer
- Open attachments only when you know them to be safe
- Make a recoverable system image and store it safely
- Make and retain backup copies of executable system files.
- Use virus detectors daily and update them regularly

Truths and Misconceptions about viruses
- Viruses can infect only Microsoft Windows systems – FALSE
- Viruses can modify “hidden” or “read-only” files – TRUE
- Viruses can appear only in data files, or only in Word documents, or only in programs – FALSE
- Viruses spread only on disks or only in – FALSE
- Viruses cannot remain in memory after a COLD BOOT – TRUE
- Viruses cannot infect hardware – TRUE
- Viruses can be malevolent, benign, or benevolent – TRUE

EXAMPLES
- Pakistani Brain Virus
- Internet Worm
- Code RED Worm
- SQL-Server Slammer
- Web Bugs (spyware)

Targeted Malicious Code
- Trapdoor – undocumented entry point to a module
- Salami Attack (Ex. Interest computation)
- Covert Channels: programs that leak information (Ex. Hide data in output)
  - Storage Channels – pass information by using presence or absence of objects in storage
  - Timing Channels – pass information using the speed at which things happen

Controls Against Program Threats
- Prevent Threats during software development
  - Modularity – security analysts must be able to understand each component as an independent unit and be assured of its limited effect on other components
  - Encapsulation – minimize interfaces to reduce covert channels
  - Information hiding – components will have limited effect on other components

Controls Against Program Threats
- Peer Reviews
- Hazard Analysis – set of systematic techniques to expose potentially hazardous system states
- Testing – unit testing, integration testing, function testing, performance testing, acceptance testing, installation testing, regression testing
- Good Design
  - Using a philosophy of fault tolerance
  - Have a consistent policy for handling failures
  - Capture the design rationale and history
  - Use design patterns

Controls Against Program Threats
- Prediction – predict the risks involved in building and using the system
- Static Analysis – use tools and techniques to examine characteristics of design and code to see if the characteristics warn of possible faults
- Configuration Management – control changes during development and maintenance
- Analysis of Mistakes
- Proofs of Program Correctness – Can we prove that there are no security holes?

Operating System Controls on Use of Programs
- Trusted Software – code has been rigorously developed and analyzed
  - Functional correctness
  - Enforcement of integrity
  - Limited privilege
  - Appropriate confidence level
- Mutual Suspicion – assume the other program is not trustworthy
- Confinement – limit the resources that a program can access
- Access Log – lists who accesses computer objects, when, and for how long

Administrative Controls
- Standards of Program Development
- Standards of design
- Standards of documentation, language, and coding style
- Standards of programming
- Standards of testing
- Standards of configuration management
- Security Audits
- Separation of Duties

Ten Most Critical Web Application Security Vulnerabilities
- Unvalidated Parameters
- Broken Access Control
- Broken Account and Session Management
- Cross-Site Scripting Flaws
- Buffer Overflows
- Command Injection Flaws
- Error Handling Problems
- Insecure Use of Cryptography
- Remote Administration Flaws
- Web and Application Server Misconfiguration