
Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.




Slide 3: Security Team Introduction
- Part of the service group
- Respond to NetScreen product flaws
- Audit the security of NetScreen products
- Provide security knowledge to R&D
- Create/maintain IDP signatures
- Create/maintain hardened OS images

Slide 4: Why Worry About Security?
- We sell a security product
- Embarrassment
- Loss of revenue
- Patch releases are inefficient
- Save the Security Team work

Slide 5: Why Security Flaws Exist
- Security is hard!
- Lack of education
- Lack of priority/schedule
- No liability laws (yet)
- C, the cursed language

Slide 6: Designing a Secure Product
- Security from the beginning
- Clear security requirements
- Multiple layers of security
- Review issues in similar products
- Allow time for security

Slide 7: Developing a Secure Product
- Training/experience
- Think like a hacker
- Never ever trust input
- Check data obsessively
- Code reviews

Slide 8: Testing a Secure Product
- Allocate time for security testing
- Be mean (breaking things is your job)
- Think like a hacker
- Test for common flaws

Slide 9: Common Flaws - BOFs
- Buffer overflow: the most common serious flaw
- Mostly a problem in C
- libc functions are usually at fault

Slide 10: Buffer Overflows - Cont.
- Text segment: where executable code is stored; cannot be written to
- Heap: where malloc'ed memory is located
- Stack: stores local variables and stack frames; grows down

Slide 11: Buffer Overflows - Cont.
Stack frame: tracks function calls
- Saved frame pointer: points to the FP of the calling function
- Return address: contains the address of code in the calling function; this is the next line of code executed after a return statement
- Local variables

Slide 12: Buffer Overflows - Cont.
Example of a stack buffer overflow:

    #include <string.h>

    void foo(char *str) {
        int a;
        char c[16];
        strcpy(c, str);   /* no length check: anything past 15 bytes is written beyond c[] */
        return;
    }

    int main(int argc, char **argv) {
        if (argc < 2) return 1;   /* needs one argument */
        foo(argv[1]);
        return 0;
    }

Slide 13: Buffer Overflows - Cont.
Use example:

    # ./program "hello"

Slide 14: Buffer Overflows - Cont.
Use example:

    # ./program "AAAAAAAAAAAAAAAAAAAAAAAAAAAA"   (that's 28 As)

The return address is now "AAAA", or 0x41414141!

Slide 15: Buffer Overflows - Cont.
Use example:

    # ./program "AAAAAAAAAAAAAAAAAAAAAAAA 0xc0778012"

The return address is now 0xc0778012; on function return, the program starts executing at c[0]. Since we control what goes in c[], we now control the program!

Slide 16: Buffer Overflows - Cont.
What can a h4x0r do now?
- Crash the machine (DoS)
- Destroy data (rm -rf /)
- Install a trojan (SubSeven, Back Orifice)
- Spawn a shell (nc -l -p 5000 | sh)
On a NetScreen?
- DoS (crash) is the most common result
- Overwrite the policy with garbage?
- Modify the policy to allow access?
- Execute arbitrary ScreenOS commands?

Slide 17: Buffer Overflows - Cont.
Heap overflows
- Can modify variable values: logged_in = 1, is_superuser = 1
- Code execution
  - Harder than stack overflows
  - Only works on some systems
  - Overwrites malloc headers
  - This is a very complex attack

Slide 18: Dangerous libc Functions
The worst: strcpy, strcat, sprintf, vsprintf, gets, strlen, scanf, sscanf, fscanf, vscanf, vsscanf
Some others: realpath, getopt, getpass, streadd, strecpy, strtms, getwd
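As an added example in C (not from the presentation), a hardened version of slide 12's foo() next to the strncpy() trap that often replaces the strcpy() listed above; the function names are my own:

```c
#include <stddef.h>
#include <string.h>

/* Hardened version of slide 12's foo(): copy only if the whole string, NUL
   included, fits in c[].  Returns 0 on success and -1 when the input would
   have overflowed (the 28-byte argument of slides 14 and 15). */
int foo_safe(const char *str) {
    char c[16];
    size_t len = strlen(str);
    if (len >= sizeof c) return -1;     /* 16 bytes hold 15 chars + NUL */
    memcpy(c, str, len + 1);
    return 0;
}

/* strncpy() is the usual replacement for strcpy() but has a trap of its own:
   if src does not fit it writes no terminator, and the next strlen()/strcat()
   on the buffer runs off the end.  Returns 1 if a NUL landed in the 16-byte
   buffer, 0 if strncpy() left it unterminated. */
int strncpy_leaves_terminator(const char *src) {
    char buf[16];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Bounded copy that always NUL-terminates and reports truncation: returns 0
   if src was copied whole, 1 if it was cut to fit, -1 on a zero-sized dst. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t len;
    if (dstsz == 0) return -1;
    len = strlen(src);
    if (len >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}
```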

Slide 19: Format String Flaws
- Caused by improper use of the *printf functions: printf(str) instead of printf("%s", str)
- The %n directive writes through an address taken from the stack
- Use field widths to increase the value written (e.g. %100d)
- Use multiple %n (one for each byte)

Slide 20: Format String Example

    #include <stdio.h>

    int main(int argc, char **argv) {
        char str[256];
        scanf("%255s", str);   /* bounded read (room left for the NUL): look ma, no overflow! */
        printf(str);           /* user input used as the format string */
        return 0;
    }

    # ./program AAAA%08x%08x%08x%08x%08x%n

We've overwritten memory @ 0x41414141. Replace AAAA with your return address, or any other data structure location.

Slide 21: Format Strings - Cont.
What can a hacker do now?
- Take control of the program (overwrite the return address)
- Dump memory using %s or %x
- Modify arbitrary data structures (logged_in = 1)
- Crash the program (write to a bogus address: SEGFAULT)

Slide 22: Format Strings - Cont.
Dangerous functions: fprintf, printf, sprintf, snprintf, vfprintf, vsprintf, vsnprintf, syslog, others (err*, verr*, warn*, vwarn*), your own logging functions
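An added example in C (not from the presentation) for slides 19 to 22: a detector for conversion directives in untrusted text, an escaper for the case where user data must still pass through an old format-taking API, and the shape a logging function should have so that slide 20's %n is only ever printed. Function names are my own.

```c
#include <stddef.h>
#include <stdio.h>

/* Count conversion directives in untrusted text.  "%%" is a literal percent;
   any other '%' would be interpreted by printf() if the text became the format. */
int count_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" prints one '%' */
        n++;
    }
    return n;
}

/* Escape every '%' as "%%" so untrusted text can still be pushed through an
   old API that treats its argument as a format (the "your own logging
   functions" case on slide 22).  Returns the escaped length, or -1 if out is
   too small for the result plus its NUL. */
int escape_percent(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outsz) return -1;
        out[o++] = *in;
        if (*in == '%') out[o++] = '%';
    }
    out[o] = '\0';
    return (int)o;
}

/* The correct shape for a logging function: the format is a literal under the
   programmer's control and the user's text is only ever an argument, so a "%n"
   in it is printed, never executed.  Returns bytes written, or -1 on error. */
int log_user_input(FILE *dst, const char *user_data) {
    return fprintf(dst, "user said: %s\n", user_data);   /* never fprintf(dst, user_data) */
}
```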

Slide 23: Integer Flaws
Even integer math can contain flaws:
- Sign mistakes
- Integer overflows

Slide 24: Integer Sign Flaws
- Relatively common
- Have to check function prototypes
- (unsigned int)-1 = 4,294,967,295
- Hard to exploit
- Example: the Apache chunked encoding vulnerability

Slide 25: Integer Sign Flaw - Example

    #include <stdio.h>
    #include <string.h>

    void foo(int len, char *src) {
        char buf[256];
        if (len > 256) {          /* no overflows allowed! (but len is signed) */
            printf("error!");
            return;
        }
        memcpy(buf, src, len);    /* a negative len passes the check and becomes a huge size_t here */
        printf("ok!");
    }

    foo(7, "hello");   -- ok!
    foo(500, ...);     -- error!
    foo(-1, ...);      -- SEGFAULT

Slide 26: Integer Overflows
What happens when an int gets too big?
- 4,294,967,295 + 1 = 0
- All integer math is mod 2^32
- No way to tell this has happened

Slide 27: Integer Overflow Example

    #include <stdlib.h>

    int *arraydup(int *array, unsigned int n) {
        int *newarray = malloc(n * sizeof(int));   /* the product can wrap to 0 */
        unsigned int i;
        for (i = 0; i < n; i++) {
            newarray[i] = array[i];                 /* writes far past the tiny allocation */
        }
        return newarray;
    }

If n = 1073741824, n * sizeof(int) = 4294967296 = 0 (mod 2^32).

Slide 28: Integer Overflow Example (2)

    #include <stdlib.h>
    #include <string.h>

    /* the slide's own strcat(); renamed so it does not collide with libc's */
    char *strcat_alloc(char *str1, unsigned int len1, char *str2, unsigned int len2) {
        char *newstr = malloc(len1 + len2);   /* the sum can wrap to 0 */
        memcpy(newstr, str1, len1);
        memcpy(newstr + len1, str2, len2);
        return newstr;
    }

If len1 = len2 = 0x80000000, len1 + len2 = 0x100000000 = 0. Result: SEGFAULT.
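An added example in C (not from the presentation) covering slides 24 to 28: checked 32-bit arithmetic, and hardened versions of the three flawed functions built on it. The arithmetic is done in uint32_t explicitly so the "mod 2^32" behaviour of the slides is reproduced even on a 64-bit build; function names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Checked 32-bit arithmetic: since all int math is mod 2^32 and nothing flags
   the wrap afterwards, the test has to happen before the operation. */
bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out) {
    if (a != 0 && b > UINT32_MAX / a) return false;   /* a * b would wrap */
    *out = a * b;
    return true;
}

bool add_u32_checked(uint32_t a, uint32_t b, uint32_t *out) {
    if (b > UINT32_MAX - a) return false;             /* a + b would wrap */
    *out = a + b;
    return true;
}

/* Hardened arraydup() from slide 27: n = 1073741824 now returns NULL instead
   of a malloc(0) followed by a 4 GB copy into it. */
int *arraydup_safe(const int *array, uint32_t n) {
    uint32_t bytes;
    int *newarray;
    if (!mul_u32_checked(n, (uint32_t)sizeof(int), &bytes)) return NULL;
    if ((newarray = malloc(bytes)) == NULL) return NULL;
    memcpy(newarray, array, bytes);
    return newarray;
}

/* Hardened concatenation from slide 28: 0x80000000 + 0x80000000 is refused
   instead of wrapping to a zero-byte allocation. */
char *concat_safe(const char *s1, uint32_t len1, const char *s2, uint32_t len2) {
    uint32_t total;
    char *newstr;
    if (!add_u32_checked(len1, len2, &total)) return NULL;
    if ((newstr = malloc(total)) == NULL) return NULL;
    memcpy(newstr, s1, len1);
    memcpy(newstr + len1, s2, len2);
    return newstr;
}

/* Hardened foo() from slide 25: the signed length is range-checked before it
   is converted to the size_t that memcpy() wants.  Returns 0, or -1 if rejected. */
int copy_len_safe(int len, const char *src, size_t srclen) {
    char buf[256];
    if (len < 0 || (size_t)len > sizeof buf || (size_t)len > srclen) return -1;
    memcpy(buf, src, (size_t)len);
    return 0;
}
```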

Slide 29: /tmp Attacks
- Can happen when the filename is predictable
- Attacker can symlink the file to anything
- Not just /tmp
- Solution: use tempnam, etc.

Slide 30: /tmp Attacks - Example

    #include <fcntl.h>

    int main(void) {
        int fd = creat("/tmp/foo", 0600);   /* predictable name; creat() follows a symlink already at that path */
        write_temp_data(fd);                /* the slide's placeholder */
        return 0;
    }

An attacker can symlink /tmp/foo to some other file owned by the process UID (you're not root, are you?), e.g. /etc/passwd or /var/firewall/policy.txt. If the attacker can control what is written, it could be an even worse attack.
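An added example in C (not from the presentation) of the fix for slide 30: mkstemp() both generates an unpredictable name and creates the file with O_EXCL in one step, which a name-generating function such as tempnam() alone cannot guarantee, and for a fixed name O_EXCL plus O_NOFOLLOW refuses anything already planted at the path. Function names are my own; the code assumes a POSIX system.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replacement for slide 30's creat("/tmp/foo", ...).  mkstemp() picks an
   unpredictable name and creates it with O_CREAT|O_EXCL atomically, so a
   symlink planted at the path beforehand makes the call fail instead of being
   followed.  tmpl must end in "XXXXXX" and is overwritten with the real name. */
int open_private_tempfile(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) < 0) {      /* old libcs created mkstemp files 0666 */
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* When the name really must be fixed (as /tmp/foo was), still never follow
   whatever is already there: O_EXCL fails if the path exists at all, and
   O_NOFOLLOW refuses a symlink.  Returns the fd, or -1 with errno set. */
int create_fixed_name_private(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
```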

Slide 31: Cross-Site Scripting
- HTML/JavaScript attack
- A way to trick other users
- Can occur whenever user-provided data is displayed (e.g. NetScreen firewall logs)
- Very difficult to block; script can be entered many ways
- Only allow good characters, don't try to block bad ones

Slide 32: Cross-Site Scripting - Example

    <?php print "Welcome $username\n"; ?>

What if username was: victim

The victim would see "Welcome victim!" but their cookie was just stolen. This can be made less conspicuous by using URL encodings, e.g.:

    /login.php?username=<form...

can look like:

    /login.php?%75%73%65%72%6e%61%6d%65%3d%3c%66%6f%72%6d...
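An added example in C (not from the presentation) of the two steps slides 31 and 32 imply: decode the URL encoding before any filtering, then escape the HTML-significant characters when user data is displayed. Function names are my own.

```c
#include <stddef.h>
#include <string.h>

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes.  A filter has to run on this decoded form, otherwise
   "%3c" slips a '<' past it.  Returns the decoded length, or -1 if out is too small. */
int url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    while (*in) {
        if (o + 1 >= outsz) return -1;
        if (*in == '%' && hexval(in[1]) >= 0 && hexval(in[2]) >= 0) {
            out[o++] = (char)(hexval(in[1]) * 16 + hexval(in[2]));
            in += 3;
        } else {
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Escape the characters HTML itself interprets, so whatever $username held is
   rendered as text rather than markup.  Returns the escaped length, or -1. */
int html_escape(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (o + need >= outsz) return -1;
        if (rep) memcpy(out + o, rep, need); else out[o] = *in;
        o += need;
    }
    out[o] = '\0';
    return (int)o;
}
```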

Slide 33: Command/SQL Injection
- Can occur whenever commands are executed
- Also in all SQL statements
- Prematurely end the statement, add a 2nd statement
- Don't filter out bad characters; only allow good characters

Slide 34: Command Injection - Example

    #!/bin/perl
    # Web-based finger gateway
    $user = $form{user};
    @output = `/bin/finger $user`;
    print @output;

What if $form{user} was "foo; rm -rf /" or "foo; cat /etc/passwd"? The ';' terminates the 1st command and begins the 2nd. Not only ';': some shells allow &&, ||, etc.

Slide 35: SQL Injection - Example

    void insert_log(char *user, char *log) {
        db->insert("insert into log values(%s, %s)", user, log);   /* db: the slide's pseudocode DB handle */
    }

What if log was: "executed command: foo); truncate table log;" (presumably the attacker typed "foo); truncate table log;" at the prompt)?

Or this:

    update userdb set password=$passwd where user=$user;

What if $user was "attacker or user like 'admin'"? The attacker just set the admin's password!
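An added example in C (not from the presentation) of the allowlist approach slide 33 recommends, applied to the inputs of slides 34 and 35, plus the second layer for the finger gateway: start the program through an argv rather than a shell, so there is no shell to interpret ';', '&&' or '||'. Function names and the 32-character limit are my own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Allowlist for the finger gateway on slide 34 and the $user of slide 35:
   accept only what a login name may contain and reject everything else.
   A leading '-' is refused too, so the name can never be parsed as an option. */
bool is_valid_username(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 32 || s[0] == '-') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-' || c == '.')) return false;
    }
    return true;
}

/* Second layer: never hand the name to a shell.  Build an argv for execvp()
   so finger is started directly and no shell ever sees ';', '&&' or '||'.
   argv must have room for 3 entries.  Returns 0, or -1 if the name is rejected. */
int build_finger_argv(const char *user, const char **argv) {
    if (!is_valid_username(user)) return -1;
    argv[0] = "finger";
    argv[1] = user;
    argv[2] = NULL;
    return 0;
}
```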

Slide 36: Summary
- Plan for security
- Always keep security in mind
- For developers:
  - Never trust input
  - Check everything
  - Only allow valid data
  - Be familiar with common security flaws

Slide 37: Thank You
You've just made our job easier.

