Software Security - PowerPoint PPT Presentation (uploaded by semah)

Presentation Transcript

Software Security
CS461/ECE422 Spring 2012

Reading Material
  • Chapter 12 of the text

Outline
  • Review common vulnerabilities in programs
  • Input Checking
  • Program Logic Errors
  • Errors Interacting with the OS
  • Output handling
Software Vulnerabilities
  • Generally a result of poor programming practices.
  • OWASP top 10 Web Application Security risks
    • A good number are developer bugs
Security in Design and Architecture
  • Security concerns must be considered up front
  • Security impacts system architecture
    • Perhaps re-architect to ameliorate security concerns
    • Security architecture can be used to drive testing
    • True even for projects with no “security features”
  • Leaving security to the test phase (or later) is not a good idea to say the least
Defensive Programming or Secure Coding
  • Mostly good software engineering
    • Except that when considering security you must also consider a malicious actor
    • Traditional software engineering concentrates on dealing with errors due to accidents
  • Goal
    • Continued functioning of software in spite of unforeseeable usage of said software.
  • Conflicts with time to market
Make No Assumptions!
  • Don’t assume the user won’t enter more than 512 characters on the command line
  • Don’t assume that there will always be enough disk space
  • OR codify and enforce your assumptions
Handling User Input
  • This is where the user (malicious or innocent) can directly impact the program
    • Always verify the user input
    • Whitelist the expected values
  • Input can come from a number of places
    • Text entry
    • Configuration files
    • Environment variables
    • Network
Injection Attacks
  • Error in input handling that results in unexpected execution flow
  • Often occurs in scripting languages
    • Script writer expects user input to be data
    • But user inputs text that will be interpreted as code
Running Script
  • With user = lpb, the finger CGI script outputs:
      Finger user
      Login   Name
      lpb     Lawrie Brown
  • With user = ‘xxx; echo attack success; ls finger*’, it outputs:
      Finger User
      attack success
      finger.cgi finger.html
  • Command injection: running arbitrary commands with the privileges of the web user id.
Safer Script
  • Counter the attack by validating input
    • Compare against a pattern that rejects invalid input
    • (See the example additions to the script.)
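The validation step the slide refers to, written out as an added example in Python rather than the slides' own script additions (which are not reproduced in this transcript). The login-name whitelist pattern and the helper names are assumptions for the example; the two inputs are the ones shown on the Running Script slide.

```python
import re

# Assumed whitelist for a login name: POSIX-style user names, at most 32 characters.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Characters that a shell would interpret rather than pass through as data.
SHELL_METACHARS = set(";|&`$<>()\\\"'\n*?")


def validate_username(user):
    """True only when `user` matches the whitelist; anything else is rejected.

    Matching a pattern of allowed characters (a whitelist) is safer than
    blacklisting known-bad ones, because the bad list is never complete."""
    return USERNAME_RE.fullmatch(user) is not None


def shell_metacharacters(user):
    """Return the shell metacharacters present in the input (useful when logging a rejected request)."""
    return sorted(SHELL_METACHARS & set(user))


def unsafe_finger_command(user):
    """The pattern the Running Script slide shows: user input spliced into a shell command line."""
    return "finger " + user  # a ';' inside `user` ends the finger command and starts another


def safe_finger_command(user):
    """Validate first, then return an argument list for subprocess.run(..., shell=False),
    so no shell ever parses the value."""
    if not validate_username(user):
        raise ValueError("rejected login name, metacharacters: %r" % shell_metacharacters(user))
    return ["finger", user]


def rejects(user):
    """Does the safe path refuse this input?"""
    try:
        safe_finger_command(user)
    except ValueError:
        return True
    return False
```

The pattern check runs before the value reaches any command, and the argument-list form means the slide's `;` and `*` would be passed to finger as literal characters even if the check were somehow bypassed.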
SQL Injection
  • Or why is this XKCD comic funny
SQL Injection
  • another widely exploited injection attack
  • when input used in SQL query to database
    • similar to command injection
    • SQL meta-characters are the concern
    • must check and validate input for these
Code Injection
  • further variant
  • input includes code that is then executed
    • see PHP remote code injection vulnerability
      • variable + global field variables + remote include
    • this type of attack is widely exploited
Cross Site Scripting (XSS)
  • Goal – Inject malicious code into web pages viewed by others.
    • Sites that allow HTML formatted user input to be stored, e.g. Blog comments, wiki entries.
    • Enter the following into a form that then shows the original query in the response.
      • <script>confirm("Do you hate purple dinosaurs?");</script>
XSS Example
  • cf. guestbooks, wikis, blogs etc
  • where comment includes script code
    • e.g. to collect cookie details of viewing users
  • need to validate data supplied
    • including handling various possible encodings
  • attacks both input and output handling
Input Checks
  • Example of evading input checks
    • Samy’s explanation of his Myspace worm
  • Canonicalize input before performing checks
    • Map the multiple versions of ‘A’ to a particular value
  • Issue for numeric values too
    • Is the number 16 bits or 32?
    • Signed or unsigned?
      • Negative number or large positive
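An added example (not from the slides) covering both the XSS slides and this one: a check for script tags that is evaded by percent-encoding, HTML entities and fullwidth Unicode until the input is canonicalized first; escaping on output so stored data is displayed rather than interpreted; and an explicit width and sign check for a numeric field. Function names are assumptions; the script payload is the one on the Cross Site Scripting slide.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def canonicalize(text, max_rounds=3):
    """Reduce the many encodings of the same text to one form before checking it.

    Percent-decoding is repeated (bounded) so that double-encoded %253C becomes '<';
    HTML entities (&lt; &#60; &#x3c;) and Unicode compatibility forms (the fullwidth
    U+FF1C) are mapped to the plain character as well."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = html.unescape(text)
    return unicodedata.normalize("NFKC", text)


def naive_contains_script(text):
    """Check applied to the raw input: evaded by any of the encodings above."""
    return SCRIPT_TAG.search(text) is not None


def contains_script(text):
    """The same check after canonicalization."""
    return SCRIPT_TAG.search(canonicalize(text)) is not None


def render_comment(stored):
    """Output handling: escape on the way out so stored data is displayed as text.
    Even input that slipped past the input checks is shown, not executed."""
    return "<p>" + html.escape(stored, quote=True) + "</p>"


def parse_uint16(field):
    """Numeric input: decide width and signedness explicitly and enforce the range,
    instead of letting '-1' or 70000 silently wrap in a 16-bit field."""
    n = int(field.strip(), 10)
    if not 0 <= n <= 0xFFFF:
        raise ValueError("%d is outside the unsigned 16-bit range" % n)
    return n


def uint16_ok(field):
    """Does the field pass the numeric check?"""
    try:
        parse_uint16(field)
    except ValueError:
        return False
    return True
```

Canonicalization on the way in and escaping on the way out are independent layers; the XSS Example slide's remark that the attack involves both input and output handling is why both are shown.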
Input Fuzzing
  • Generate “random” inputs to test programs
    • Environment variables
    • Input strings
    • Network values
  • Could be completely randomized or somewhat structured
    • Minifuzz
    • ShareFuzz
    • Spike
    • MuDynamics
  • Standard component of Microsoft’s Software Development Lifecycle
More Fuzz - SPIKE
  • An input language for creating variant network packets
  • From Wireshark output, makes it easy to express new packets
    • a_binary("00 01 02 03")   Data: <00 01 02 03>
    • a_block_size_big-endian_word("Blockname");   Data: <00 01 02 03 00 00 00 00>
    • a_block_start("Blockname") a_binary("05 06 07 08")   Data: <00 01 02 03 00 00 00 00 05 06 07 08>
    • a_block_end("Blockname");   Data: <00 01 02 03 00 00 00 04 05 06 07 08>
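As an added example (not SPIKE's code and not from the slides), a small Python emulation of the four primitives on this slide, with their semantics assumed from the slide's data column: the size word is zero until the block closes, then patched with the block's length. The slide's packet is then used as the base of a structured fuzz loop of the kind the Input Fuzzing slide describes, run against two constructed toy parsers: one that checks the length field against the payload and one that trusts it.

```python
import random
import struct


class Spike:
    """Emulation of a_binary / a_block_size_big_endian_word / a_block_start / a_block_end."""

    def __init__(self):
        self.buf = bytearray()
        self.size_at = {}    # block name -> offset of its 4-byte size placeholder
        self.start_at = {}   # block name -> offset where the block's content begins

    def a_binary(self, hexstr):
        self.buf += bytes.fromhex(hexstr)
        return self

    def a_block_size_big_endian_word(self, name):
        self.size_at[name] = len(self.buf)
        self.buf += b"\x00\x00\x00\x00"      # zero until the block is closed
        return self

    def a_block_start(self, name):
        self.start_at[name] = len(self.buf)
        return self

    def a_block_end(self, name):
        size = len(self.buf) - self.start_at[name]
        off = self.size_at[name]
        self.buf[off:off + 4] = struct.pack(">I", size)
        return self

    def data(self):
        return bytes(self.buf)


def slide_packet():
    """The four statements on the slide, in order."""
    s = Spike()
    s.a_binary("00 01 02 03")
    s.a_block_size_big_endian_word("Blockname")
    s.a_block_start("Blockname").a_binary("05 06 07 08")
    s.a_block_end("Blockname")
    return s.data()


def parse_checked(data):
    """Toy receiver: 4-byte header, big-endian length, payload; rejects inconsistent lengths."""
    if len(data) < 8:
        raise ValueError("short packet")
    length = struct.unpack(">I", data[4:8])[0]
    payload = data[8:]
    if length != len(payload):
        raise ValueError("length %d but %d payload bytes" % (length, len(payload)))
    return data[:4], payload


def parse_trusting(data):
    """Same format, but the length field is believed: a zero length gives an empty slice."""
    length = struct.unpack(">I", data[4:8])[0]
    payload = data[8:8 + length]
    checksum = payload[0] ^ payload[-1]      # IndexError when the declared length is 0
    return data[:4], payload, checksum


def fuzz_length_field(parser, base, trials, seed=0):
    """Structured fuzzing: keep the packet shape, vary only the size word.

    Returns (mutated_packet, outcome) for every case that was not cleanly rejected
    with ValueError: an unexpected exception type, or a silently accepted packet."""
    rng = random.Random(seed)
    true_len = len(base) - 8
    findings = []
    for _ in range(trials):
        value = rng.choice([0, 1, 0x7FFFFFFF, 0xFFFFFFFF, rng.randrange(1 << 32)])
        if value == true_len:
            continue
        mutated = bytearray(base)
        mutated[4:8] = struct.pack(">I", value)
        try:
            parser(bytes(mutated))
        except ValueError:
            continue                              # the rejection we want
        except Exception as exc:                  # anything else is a bug worth recording
            findings.append((bytes(mutated), type(exc).__name__))
        else:
            findings.append((bytes(mutated), "accepted"))
    return findings
```

The fuzz loop is "somewhat structured" in the slide's terms: the header and payload stay valid so the mutated size word is the only thing under test, which is what makes the trusting parser's failures attributable to that one field.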
Writing Correct/Safe Code
  • Is your algorithm correct?
    • Incorrect use of random number generators
      • Bad seeds
      • E.g. Code Red and Netscape
  • TCP session hijacking
    • How random is the sequence number?
  • Leaving in test code
    • Used by Morris Worm
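An added example (not from the slides) of what "bad seeds" and "how random is the sequence number" look in code: a token drawn from a PRNG seeded with a guessable value replays exactly once the seed is known, whereas `secrets` draws from the operating system's CSPRNG and has no seed to guess; and a small audit check that flags sequence numbers advancing by a constant step, the property that made early TCP initial sequence numbers predictable. The function names and the sample sequences are mine.

```python
import random
import secrets
import time


def weak_token(seed):
    """Token from a PRNG seeded with a small, guessable value (e.g. the wall clock).
    Anyone who knows or guesses the seed reproduces the token exactly."""
    rng = random.Random(seed)
    return "%08x%08x" % (rng.getrandbits(32), rng.getrandbits(32))


def clock_seeded_token():
    """The classic mistake: seed = current second, so the seed space is tiny."""
    return weak_token(int(time.time()))


def strong_token():
    """Drawn from the OS CSPRNG; there is no seed to guess."""
    return secrets.token_hex(8)


def constant_step(values):
    """Flag a sequence-number generator whose output advances by a fixed increment.

    Returns the step if every successive difference is the same, else None."""
    diffs = {b - a for a, b in zip(values, values[1:])}
    if len(diffs) == 1:
        return diffs.pop()
    return None


# Constructed samples: ISNs that grow by 64000 per connection versus CSPRNG draws.
PREDICTABLE_ISNS = [64000 * i for i in range(1, 9)]
RANDOM_ISNS = [secrets.randbelow(1 << 32) for _ in range(8)]
```

The test on `constant_step` is deliberately crude; it catches the simplest failure (a counter dressed up as a random value), which is the one the slide alludes to, not subtler statistical weaknesses.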
Is there a bug in the compiler?
  • Ken Thompson Trojan compiler example
  • Required for higher levels of Common Criteria
    • Correspondence of design, source, and object code.
Correct Use of Memory
  • Memory Leak
    • Run process out of memory. DoS
  • Free/Allocation errors
    • Heap overflow, can enable arbitrary execution
  • Could be solved by
    • Heap randomization
    • Tools to track heap utilization
      • Valgrind
      • Duma
Race Conditions and Shared Memory
  • Multiple threads of control accessing a common memory location
    • Subtle (and not so subtle) errors in synchronization are possible
    • Multiple writers
    • Writing while another thread is reading
    • Deadlocks
  • Errors vary from invocation to invocation
  • Attacker could attempt to trigger a latent threading error
Environment Variables
  • Another way for the program to get input
    • And should be treated as such
  • Generally set up for the user
    • Sysadmin creates a profile for the user that initializes the environment
  • Environment variables are read by both compiled programs and scripted programs
Example Vulnerable Scripts
  • Using the PATH or IFS environment variables
  • Cause the script to execute the attacker’s program with the privileges granted to the script
    • SetUID root scripts would be attractive
  • almost impossible to prevent in some form
    • Though the use of IFS has been restricted in most modern shells
Path Attack On Libraries
  • Dynamic libraries are loaded at invocation time
  • Loader must search the system to find the libraries needed by the executable
    • Flexibility vs attack avenue
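An added example (not from the slides) serving the three preceding slides: a privileged program treating the environment as untrusted input. It drops the variables that steer command lookup (PATH, IFS and friends) and library lookup (the LD_* and DYLD_* families the loader consults), resolves commands only within a fixed trusted path, and audits a PATH value for entries an attacker could populate. The trusted path, the variable lists and the sample environment are assumptions for the example.

```python
import os
import shutil

# Assumptions for the example: a fixed trusted search path, and the variable
# families that redirect command, library or module lookup.
TRUSTED_PATH = "/usr/bin:/bin"
LOADER_PREFIXES = ("LD_", "DYLD_")          # LD_PRELOAD, LD_LIBRARY_PATH, ...
LOOKUP_VARS = {"PATH", "IFS", "ENV", "BASH_ENV", "CDPATH", "PYTHONPATH", "PERL5LIB"}


def hardened_env(inherited):
    """Build the environment a privileged program should hand to any child process.

    Everything that influences where commands, libraries or modules are found is
    dropped and PATH is replaced by a fixed value; ordinary variables pass through."""
    clean = {
        k: v
        for k, v in inherited.items()
        if k not in LOOKUP_VARS and not k.startswith(LOADER_PREFIXES)
    }
    clean["PATH"] = TRUSTED_PATH
    return clean


def resolve_trusted(command):
    """Locate a command only within TRUSTED_PATH, never via the caller's PATH."""
    found = shutil.which(command, path=TRUSTED_PATH)
    if found is None:
        raise FileNotFoundError("not found in trusted path: " + command)
    return found


def risky_path_entries(path_value):
    """Audit a PATH value: empty, relative or world-writable entries let someone
    place a program that a privileged script will run instead of the intended one."""
    risky = []
    for entry in path_value.split(":"):
        if entry == "" or not os.path.isabs(entry):
            risky.append(entry)
        elif os.path.isdir(entry) and os.stat(entry).st_mode & 0o002:
            risky.append(entry)
    return risky


# Constructed environment, as a user-controlled login session might present it.
SAMPLE_ENV = {
    "HOME": "/home/lpb",
    "PATH": "/home/lpb/bin:.:/usr/bin",
    "IFS": "/",
    "LD_PRELOAD": "/home/lpb/hook.so",
    "LANG": "C",
}
```

Resetting the environment at program start is the compiled-program equivalent of the IFS restriction the slide mentions for modern shells: the program no longer depends on whatever the invoking user arranged.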
Least Privilege
  • Ideally run a program with as many privileges and access rights as it needs but no more
    • What’s the harm in too much access?
  • Root in Unix
  • Web servers and file access
    • What files does the web server process need to read? Need to write?
  • How long does a program need special privilege?
    • E.g., a low port network service program
  • Divide program into sets of processes
    • Move the privilege required elements into smaller, simpler processes
System Calls and Standard Library Functions
  • Programs use system calls and standard library functions for common operations
    • and make assumptions about their operation
    • incorrect behavior (results not being what was expected) may be a result of the system optimizing access to shared resources
      • by buffering, re-sequencing, modifying requests
    • which can conflict with program goals
Race Conditions
  • Files can be used to synchronize access to OS resources between processes
      if [ ! -e $file ]
      then
          touch $file
      else
          echo "You don't have the lock"
      fi
  • Time of check to time of use (TOCTOU)
Temporary Files
  • Many programs create temporary intermediate files
    • Can create unique names based on process id
    • How could an attacker leverage this?
      do {
          filename = tempnam(NULL, "foo");
          fd = open(filename, ...);
          free(filename);
      } while (fd == -1);
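An added example (not from the slides) for this slide and the Race Conditions slide before it. The shell lock on the earlier slide tests for the file and then creates it, leaving a window between the check and the use; `O_CREAT|O_EXCL` makes the kernel do both as one step. The tempnam loop above builds a name from the process id, which anyone on the system can compute ahead of time; `tempfile.mkstemp` chooses an unpredictable name and opens it exclusively with mode 0600. Function names are mine; `run_demo` exercises everything in a scratch directory it removes afterwards.

```python
import os
import tempfile


def racy_lock(path):
    """The shell pattern on the Race Conditions slide: test, then create. Another
    process can create the file between the two steps, so both believe they hold it."""
    if not os.path.exists(path):          # time of check
        open(path, "w").close()           # time of use
        return True
    return False


def acquire_lock(path):
    """Atomic alternative: O_CREAT|O_EXCL makes the kernel do check and create as one
    step, so exactly one caller succeeds. Returns True if this call took the lock."""
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    except FileExistsError:
        return False
    os.write(fd, str(os.getpid()).encode())
    os.close(fd)
    return True


def release_lock(path):
    os.unlink(path)


def predictable_temp_name(prefix="foo"):
    """What the tempnam loop on the slide amounts to: a name built from the pid,
    which is readable by every user on the system and therefore guessable in advance."""
    return os.path.join(tempfile.gettempdir(), "%s%d" % (prefix, os.getpid()))


def secure_temp(prefix="foo"):
    """mkstemp chooses an unpredictable name and opens it with O_EXCL and mode 0600,
    so the file cannot have been planted beforehand and nobody else can read it."""
    return tempfile.mkstemp(prefix=prefix)


def run_demo():
    """Exercise the above in a scratch directory; returns the observed outcomes."""
    workdir = tempfile.mkdtemp()
    lock = os.path.join(workdir, "lock")
    first = acquire_lock(lock)
    second = acquire_lock(lock)           # same lock, must fail
    release_lock(lock)
    third = acquire_lock(lock)            # released, so it can be taken again
    release_lock(lock)
    racy_first = racy_lock(lock)          # works in isolation; the flaw is the window
    racy_second = racy_lock(lock)
    release_lock(lock)
    fd, name = secure_temp()
    mode = os.fstat(fd).st_mode & 0o777
    os.close(fd)
    os.unlink(name)
    os.rmdir(workdir)
    return first, second, third, racy_first, racy_second, mode
```

Note that `racy_lock` passes the single-process demo; the defect only shows under concurrency, which is exactly why the earlier slide describes such errors as varying from invocation to invocation.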
Output Checking
  • Example 1
    • Active display
      • VT100 command characters
      • Or X-terminal display hijack
  • Example 2
    • Cross Site Scripting
      • Generate display from stored data
      • Data is interpreted as command
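An added example (not from the slides) for Example 1: output checking on text that will reach a terminal. Log fields that originate with users (a login name, a client string) can carry escape sequences the terminal interprets, so they are stripped before display and the data is shown rather than acted on. The regular expressions are assumed to cover the common CSI and OSC sequences and C0 controls, not every VT100 command; the sample field is constructed.

```python
import re

# Assumed coverage: CSI (ESC [ ... final), OSC (ESC ] ... BEL or ST) and ESC plus one byte.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"                 # CSI: cursor moves, erase, colours, ...
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"      # OSC: window title and similar
    r"|\x1b[\x40-\x7e]"                        # ESC plus one byte (e.g. ESC c = reset)
)
# C0 controls other than tab/newline, plus DEL; a lone ESC left over is caught here too.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_for_terminal(text):
    """Remove escape sequences and control characters so the text is displayed, not interpreted."""
    return CONTROL_RE.sub("", ANSI_RE.sub("", text))


def has_terminal_controls(text):
    """Detection: does this field carry anything a terminal would act on?"""
    return bool(ANSI_RE.search(text) or CONTROL_RE.search(text))


def safe_log_line(user, action):
    """Build a log line from untrusted fields, sanitising each field separately."""
    return "user=%s action=%s" % (sanitize_for_terminal(user), sanitize_for_terminal(action))


# Constructed sample: a login name carrying a screen-clear and a title-change sequence.
HOSTILE_USER = "lpb\x1b[2J\x1b]0;pwned\x07"
```

The same principle as the XSS case in Example 2: whoever renders stored data decides the encoding, and the sanitiser is applied at that point rather than trusted to have happened on input.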
  • Useful to look at common software vulnerabilities
    • Know common issues to avoid going forward
  • Even more important to consider security in the design architecture
    • More likely to catch/avoid problems if you think from the security perspective up front
    • Someone will be thinking from the security perspective eventually