1. CIT 480: Securing Computer Systems
Secure Programming

2. Topics Input-based vulnerabilities Input validation Input entry points
Integer overflows
Format string attacks
The nature of trust

3. Path Traversal Vulnerabilities
Example web application URL
What if URL modified after file= to be?
getfile.php
Could threat read application source code?
../../../../../etc/passwd
Walks up directory tree to get passwd file.

4. Paths If attacker controls paths used by program
Can read files accessible by program.
Can write files accessible by program.
Vulnerability if access is different than attackers
Privileged (SETUID) local programs.
Remote server applications, including web.
Directory traversal
Use “../../..” to climb out of application’s directory and access files.

5. Canonicalization
How to make correct access control decisions when there are many names?
config
./config
/etc/program/config
../program/config
/tmp/../etc/program/config
Canonical Name: standard form of a name
Generally simplest form.
Canonicalize name then apply access control.
Use realpath() in C to canonicalize.

6. Common Naming Issues . represents current directory
.. represents previous directory
Case sensitivity
Windows allows both / and \ in URLs.
Windows 8.3 representation of long names
Two names for each file for backwards compat.
Trailing dot in DNS names ==
URL encoding

7. Win/Apache Directory Traversal
Found in Apache and earlier.
To view the file winnt\win.ini, use:
which is the escaped form of
Note that both Apache security flaws in this lecture were on platforms to which Apache was ported after the original writings. These other platforms’ filesystems invalidate some of the naming assumptions based on Apache’s native UNIX platform.
Apache fixed this bug.

8. Command Injection
Find program that invokes a subshell command with user input
Shell: every command with user input
Perl: system(), ``, open()
Ruby: system(), ``, %x{}, IO.popen(), etc.
Python: os.system(), os.popen(), etc.
Attack uses shell meta-characters to insert user-defined code into the command.

9. UNIX Shell Metacharacters
`command` will execute command
‘;’ separates commands
‘|’ creates a pipe between two commands
‘&&’ and ‘||’ logical operators which may execute following command
‘!’ logical negation—reverses truth value of test
‘-’ could convert filename into an argument
‘*’ and ‘?’ glob, matching files, which may be interpreted as args: what if “-rf” is file?
‘#’ comments to end of line

10. Command Injection in Ruby
Vulnerable Code
file = gets.chomp
system(“cat #{file}”)
Fixed Code
system(“cat”, file)
system() argument handling
String: send string to bash as command line
List: fork and exec first argument w/o bash.

11. Validate All Input Never trust input.
Assume dangerous until proven safe.
Prefer rejecting data to filtering data.
Difficult to filter out all dangerous input
Every component should validate data.
Trust is transitive.
Don’t trust calling component.
Don’t trust called component: shell, SQL

12. Validation Techniques
Indirect Selection
Allow user to supply index into a list of legitimate values.
Application never directly uses user input.
Whitelist
List of valid patterns or strings.
Input rejected unless it matches list.
Blacklist
List of invalid patterns or strings.
Input reject if it matches list.

13. Validation Actions Sanitize Reject Reject with Explanation Log Alert
Attempt to fix input by removing dangerous parts.
Reject
Refuse to use invalid input.
Reject with Explanation
Explain problems with input to user.
Log
Record invalid input in log file.
Alert
Send an alert to an administrator about input.

14. Usability Validation ≠ Security Validation
Usability Validation helps legitimate users
Catch common errors.
Provide easy to understand feedback.
Client-side feedback is helpful for speed.
Security Validation mitigates vulnerabilities
Catches potential attacks, including unusual, unfriendly types of input.
Provide little to no feedback on reasons for blocking input.
Cannot trust client. Always server side.

15. Check Input Length Long input can result in buffer overflows.
Can also cause DoS due to low memory.
Truncation vulnerabilities
8-character long username column in DB.
User tries to enter ‘admin x’ as username.
DB returns no match since name is 9 chars.
App inserts data into DB, which truncates.
Later SQL queries will return both names, since MySQL ignores trailing spaces on string comparisons.
Wordpress had a SQL column truncation vulnerability. See .

16. Check Input Type Is input the type you expect? If not, reject input.
Integer
Temperature (integer within specified range)
Money value (fixed point)
Name (alphabetic string allowing ‘, -, spaces)
If not, reject input.

17. Python: Input Type Check Example
def readInteger(): while True: try: return int(raw_input()) except ValueError: pass

18. Check Input Syntax Is input in correct format? If not, reject input.
Phone number (xxx-xxx-xxxx format)
International phone number (more options)
Credit card number (format, Luhn checksum)
URL
address
If not, reject input.

19. Python: Input Syntax Check
import re def readPhoneNumber(): while True: phone = raw_input() if re.match(r‘^[0-9]{3}-[0-9]{4}$', phone): return phone print('Invalid phone number. Try again:')

20. Regular Expression Validation
Beginnings and Endings
Begin with ^ to match beginning of input.
End with $ to match end of input.
Use both to ensure re matches entire input.
Optional Components with ()? Syntax
^\d{5}(-\d{4})?$ will match 5- and 9-digit zip codes.
Limitations
Cannot match complex types of input, such as programming languages or markup languages, or subsets of them, like XML or JSON.

21. Input Entry Points Command line arguments Environment variables Paths
Shell input
Database input
Other input types

22. Command Line Arguments
Scripts access in different ways
Python: argv, getopt.getopt class
Ruby: ARGV, OptionParser class
Shell: $1, $2, …, getopt function
Check carefully, since there may be an
Unlimited number of arguments.
Unlimited length of any argument.
Argument lengths can even be 0.

23. Dangerous Environment Variables
PATH
Search path for binaries
Attacker puts directory with hacked binary first in PATH so his ls used instead of system ls
Avoid “.” as attacker may place hacked binaries in directory program sets CWD to
IFS
Internal field separator for shell
Used to separate command line into arguments
Attacker sets to “/”: /bin/ls becomes “bin” and “ls”
LC_ALL, NLSPATH, and other locale vars may also be dangerous.
This is not an exhaustive list of dangerous environment variables by any means

24. Dangerous Environment Variables
LD_PRELOAD
Programs loads functions from library specified in LD_PRELOAD before searching for system libraries.
Can replace any library function.
setuid root programs don’t honor this variable.
LD_LIBRARY_PATH
Specify list of paths to search for shared libs.
Store hacked version of library in first directory.
Modern libc implementation disallow for setuid/setgid.
Similar problems exist with Windows DLLs. If start a program by clicking on document, directory containing document is searched first for DLLs.

25. Securing Your Environment
Setting a Secure Environment in Shell
Create a wrapper script that clears environment
#!/bin/bash
/usr/bin/env -i /path/to/your/script
At the top of your script set needed env variables
PATH=/bin:/usr/bin
IFS=“\t\n”
Setting a Secure Environment in Ruby
ENV = {
PATH => “/bin:/usr/bin”,
IFS => “ \t\n” }

26. Unsigned Integers 7 1
000
111
001 6
110
010 2
101
011
100 3 5 4

27. Java Factorial Program
public static void main(String args[]) {
long product = 1;
for(int i = 1; i <= 21; i++)
System.out.print(i);
System.out.print("! = ");
product *= i;
System.out.println(product); }

28. Output
1! = 1
2! = 2
3! = 6 ….
20! =
21! =

29. Integer Overflows in Voting
Broward County 2004 election
Amendment 4 vote was reported as tied.
Software from ES&S Systems reported a large negative number of votes.
Discovery revealed that Amendment 4 had passed by a margin of over 60,000 votes.

30. Format Strings Formatted output functions use format language.
Percent(%) symbols in string indicate substitutions.
%[flags][width][.precision][length]specifier
Example format specifiers
“%010d”, 2009:
“%4.2f”, : 3.14
Example functions
printf()
scanf()
syslog()

31. Format String Vulnerabilities
User-specified format strings
userstring = “foo %x”;
printf( userstring );
Where can it find arguments to replace %x?
The Stack: %x reads 4-bytes higher in stack
Solution: Use
printf( “%s”, userstring ) or
fputs( userstring )

32. %n format command
Number of characters written so far is stored into the integer indicated by the int * pointer argument.
char buf[] = " ";
int *n;
printf(“buf=%s%n\n", buf, n);
printf("n=%d\n", *n);
Output:
buf=
n=14

33. %n format attack Plan of Attack Use %n to write anywhere in memory
Find address of variable to overwrite
Place address of variable on stack (as part of format string) so %n will write to that address
Write # of characters equal to value to insert into variable (use precision, e.g., %.64x)
Use %n to write anywhere in memory
Address on stack can point to any location

34. Trust Relationships Relationship between multiple entities.
Assumptions that certain properties are true.
example: input has a certain format
Assumptions that other properties are false.
example: input never longer than X bytes
Trustworthy entities satisfy assumptions.

35. Who do you trust? Client users Operating system Calling program Vendor
example: encryption key embedded in client
Operating system
example: dynamicly loaded libraries
Calling program
example: environment variables
Vendor
example: Borland Interbase backdoor , only discovered when program made open source

36. Trust is Transitive
If you call another program, locally or across the network, you are trusting the entities that it trusts.
Processes you spawn run with your privileges.
Did you run the program you think you did?
PATH and IFS environment variables
What input format does it use?
Shell escapes in editors and mailers
What output does it send you?

37. Key Points All input must be validated, using best technique possible:
Indirect Selection
Whitelist
Blacklist
Check input length, type, and syntax.
Regular expressions are useful when used with anchors to whitelist input, but cannot validate languages like XML or JSON.
To check URL or filesystem paths, programs must canonicalize them first to avoid path manipulation attacks.
Vulnerabilities
Command injection uses a shell called by program to run any command for the attacker.
Integer overflows allow control of integer variable values.
Format string attacks allow reading and writing of memory.

38. References
Brian Chess and Jacob West, Secure Programming with Static Analysis, Addison-Wesley, 2007.
Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011.
John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002.
David Wheeler, Secure Programming for UNIX and Linux HOWTO,