1 / 47

Risky Resource Management Presented by Sandeep Naidu for CS585 – Introduction to Computer Security

Risky Resource Management Presented by Sandeep Naidu for CS585 – Introduction to Computer Security. “ Internet was not built keeping security in mind; it was built keeping functionality as its target.” - Anonymous “No system in this world is completely secure.

bridie
Download Presentation

Risky Resource Management Presented by Sandeep Naidu for CS585 – Introduction to Computer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Risky Resource Management Presented by Sandeep Naidu for CS585 – Introduction to Computer Security

  2. “ Internet was not built keeping security in mind; it was built keeping functionality as its target.” - Anonymous “No system in this world iscompletely secure. A system will be resistant against some attacks; it is then analyzed and found to be vulnerable to some other attacks and the process goes on...” - Sandeep Naidu Few things every netizen/Security person should remember

  3. Overview • What is it? • What does it do? • What can we do? (to prevent/mitigate it)‏ • How can we do? Note : It refers to the problem we will be talking about

  4. Programming Errors we will look at • Failure to Constrain Operations within the Bounds of a Memory Buffer • External Control of Critical State Data • External Control of File Name or Path • Untrusted Search Path • Failure to Control Generation of Code (aka 'Code Injection') • Download of Code Without Integrity Check • Improper Resource Shutdown or Release • Improper Initialization • Incorrect Calculation

  5. What are these? • “These are errors/weaknesses related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.”

  6. Failure to Constrain Operations within the Bounds of a Memory Buffer

  7. What is the error? • When software permits read or write operations on memory located outside of an allocated range, an attacker may be able to access/modify sensitive information, cause the system to crash, alter the intended control flow, or execute arbitrary code.

  8. Example Scenario • This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer void host_lookup(char *user_supplied_addr){ struct hostent *hp; in_addr_t *addr; char hostname[64]; in_addr_t inet_addr(const char *cp); /*routine that ensures user_supply_addr is in the right format for conversion */ validate_addr_form(user_supplied_addr); addr = inet_addr(user_supplied_addr); hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET); strcpy(&hostname, hp->h_name); } This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then we may overwrite sensitive data or even relinquish control flow to the attacker.

  9. What can we do to avoid it? Use • Languages (Java, Perl) Own memory mangement • Libraries or frameworks (C String Library (SafeStr) and the Strsafe.h from Microsoft ) • Compilers (Visual Studio from Microsoft) • automated static analysis tools which can mitigate or eliminate these buffer overflows • Check buffer size is as large as specified.(strcpy) • If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.

  10. External control of Critical State Data

  11. What is the error? • The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors.

  12. Example Scenario • An application may perform authentication, then save the state in an "authenticated=true" cookie. An attacker may simply create this cookie in order to bypass the authentication. • An authentication flag is read from a browser cookie, thus allowing for external control of user state data. • Java Example: • Cookie[] cookies = request.getCookies(); • for (int i =0; i< cookies.length; i++) { • Cookie c = cookies[i]; • if (c.getName().equals("authenticated") && Boolean.TRUE.equals(c.getValue())) { • authenticated = true; • } • }

  13. How can we avoid it? • Understand all the potential locations that are accessible to attackers. • Do not keep state information on the client without using encryption and integrity checking, or otherwise having a mechanism on the server side to catch state tampering. • Store state information on the server side only • With a stateless protocol such as HTTP, use a framework that maintains the state for you( include ASP.NET View State and the OWASP ESAPI Session Management feature.) • For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side

  14. External Control of Filename or Path

  15. What is the error? • The software allows user input to control or influence paths that are used in filesystem operations. • This could allow an attacker to access or modify system files or other files that are critical to the application.

  16. When can it happen? • Path manipulation errors occur when the following two conditions are met: • 1. An attacker can specify a path used in an operation on the filesystem. • 2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

  17. Example Scenario • Example 1: • The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22). String rName = request.getParameter("reportName"); File rFile = new File("/usr/local/apfr/reports/" + rName); ... rFile.delete(); • Example 2: • The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt. fis = new FileInputStream(cfg.getProperty("sub")+".txt"); amt = fis.read(arr); out.println(arr);

  18. How can we avoid it? • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system • When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability. • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links • Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.

  19. Untrusted Search Path

  20. What is the error? • The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control. • An attacker could modify that search path to point to a malicious program. • This might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways.

  21. Example Scenario • This program is intended to execute a command that lists the contents of a restricted directory, then performs other actions. Assume that it runs with setuid privileges in order to bypass the permissions check by the operating system. C Example: • #define DIR "/restricted/directory" • char cmd[500]; • sprintf(cmd, "ls -l %480s", DIR); • /* Raise privileges to those needed for accessing DIR. */ • RaisePrivileges(...); • system(cmd); • DropPrivileges(...); • ... • However, because the program does not modify the PATH environment variable, the following attack would work: PseudoCode Example: • The user sets the PATH to reference a directory under that user's control, such as "/my/dir/". • The user creates a malicious program called "ls", and puts that program in /my/dir • The user executes the program. • When system() is executed, the shell consults the PATH to find the ls program • The program finds the malicious program, "/my/dir/ls". It doesn't find "/bin/ls" because PATH does not contain "/bin/". • The program executes the malicious program with the raised privileges.

  22. How can we avoid it? • Hard-code your search path to a set of known-safe values, or allow them to be specified by the administrator in a configuration file. • Do not allow these settings to be modified by an external party • Sanitize your environment before invoking other programs. • Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory • Use other functions that require explicit paths. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.

  23. Failure to Control Generation of Code(aka 'Code Injection')‏

  24. What is the error? • The product does not sufficiently filter code (control-plane) syntax from user-controlled input (data plane) when that input is used within code that the product generates. • This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. • The most classic instantiations of this category of weakness are SQL injection and format string vulnerabilities.

  25. Example Scenario $MessageFile = "cwe-94/messages.out"; if ($_GET["action"] == "NewMessage") { $name = $_GET["name"]; $message = $_GET["message"]; $handle = fopen($MessageFile, "a+"); fwrite($handle, "<b>$name</b> says '$message'<hr>\n"); fclose($handle); echo "Message Saved!<p>\n"; } else if ($_GET["action"] == "ViewMessages") { include($MessageFile); } • name=h4x0r • message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E • <?php system("/bin/ls -l");?> • Live example • union select 2, concat_ws(char(58),email,password) from user

  26. How can we avoid it? • Refactor your program so that you do not have to dynamically generate code. • Assume all input is malicious. Use an "accept known good" input validation strategy (i.e., use a whitelist). Reject any input that does not strictly conform to specifications, or transform it into something that does. Use a blacklist to reject any unexpected inputs and detect potential attacks. • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your software. • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection

  27. Download of Code without Integrity Check

  28. What is the error? • The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

  29. Example Scenario • URL[] classURLs= new URL[]{ • new URL("file:subdir/")‏ • }; • URLClassLoader loader = new URLClassLoader(classURLs); • Class loadedClass = Class.forName("loadMe", true, loader);

  30. How can we avoid it? • Perform proper forward and reverse DNS lookups to detect DNS spoofing. This is only a partial solution since it will not prevent your code from being modified on the hosting site or in transit. • Encrypt the code with a reliable encryption scheme before transmitting. • Use integrity checking on the transmitted code.(using cryptographic signatures)‏ • Use code signing technologies such as Authenticode

  31. Improper Resource Shutdown or Release

  32. What is the error? • The program fails to release - or incorrectly releases - a system resource before it is made available for re-use. • When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.

  33. Example Scenario • In this example, the program fails to use matching functions such as malloc/free, new/delete, and new[]/delete[] to allocate/deallocate the resource. • C++ Example: • class A { • void foo(); • }; • void A::foo(){ • int *ptr; • ptr = (int*)malloc(sizeof(int)); • delete ptr; • } • Refer few more good examples Online

  34. How can we avoid it? • Use a language with features that can automatically mitigate or eliminate resource-shutdown weaknesses.( languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated. • Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[]. • When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself. • It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions

  35. Improper Initialization

  36. What is the error? • The software does not follow the proper procedures for initializing a resource, which might leave the resource in an improper state when it is accessed or used. • This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.

  37. Example Scenario • Example 1: • Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached. Java Example: private boolean initialized = true; public void someMethod() { if (!initialized) { // perform initialization tasks ... initialized = true; } Example 2: The following code intends to limit certain operations to the administrator only. Perl Example: $username = GetCurrentUser(); $state = GetStateData($username); if (defined($state)) { $uid = ExtractUserID($state); } # do stuff if ($uid == 0) { DoAdminThings(); }

  38. How can we avoid it? • Use a language with features that can automatically mitigate or eliminate weaknesses related to initialization. • Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values. • Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

  39. Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization. • Avoid race conditions during initialization routines • Run or compile your software with settings that generate warnings about uninitialized variables or data.

  40. Incorrect Calculation

  41. What is the error? • The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. • When software performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons among other things.

  42. What is the error? (contd..) • Many of the direct results of an incorrect calculation can lead to even larger problems such as failed protection mechanisms or even arbitrary code execution.

  43. Example Scenario • This code attempts to calculates a football team's average number of yards gained per touchdown. • Java Example:... • int touchdowns = team.getTouchdowns(); • int yardsGained = team.getTotalYardage(); • System.out.println(team.getName() + " averages " + yardsGained / touchdowns + "yards gained for every touchdown scored"); • ... • The code does not consider the event that the team they are querying has not scored a touchdown, but has gained yardage. In that case, we should expect an ArithmeticException to be thrown by the JVM. This could lead to a loss of availability if our error handling code is not set up correctly. C Example: inv_item_t table_ptr; /*10kb struct containing item info */ int num_items; ... num_items = get_num_items(); table_ptr = (inv_item_t*)malloc(sizeof(inv_item_t)*num_items); ... This code intends to allocate a list of length num_items, however as num_items grows large, the calculation determining the size of the list will eventually overflow

  44. How can we avoid it ? • Perform input validation on any numeric inputs by ensuring that they are within the expected range. • Use the appropriate type for the desired action. • For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. • Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences. Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++)‏

  45. Understand your programming language's underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how your language handles numbers that are too large or too small for its underlying representation.

  46. Viruses to laugh at • Airline VirusYou're in Dallas, but your data is in Singapore. • Health Care VirusTests your system for a day, finds nothing wrong, and sends you a bill for $4,500. • Joey Buttafuoco VirusOnly attacks minor files. • Disney VirusEverything in the computer goes Goofy. • Ellen Degeneres VirusYour IBM suddenly claims it's a MAC.

  47. Questions & Comments ??? THANK YOU for your time !!!

More Related