
Implementation Flaws

Implementation Flaws. Part 3: Randomness and Timing Issues. Outline. Randomness Issues Flaws of traditional PRNGs Cryptographically-strong PRNGs Entropy collection Timing Issues Race conditions Time of check, time of use (TOC-TOU). Random Number Generation.




Presentation Transcript


  1. Implementation Flaws
  Part 3: Randomness and Timing Issues

  2. Outline
  • Randomness Issues
    • Flaws of traditional PRNGs
    • Cryptographically-strong PRNGs
    • Entropy collection
  • Timing Issues
    • Race conditions
    • Time of check, time of use (TOC-TOU)
  SY32 Secure Computing, Lecture 15

  3. Random Number Generation
  • Computers, being deterministic, are not good at generating random numbers
  • So-called ‘random number generators’ (RNGs) are, in fact, pseudo-random number generators (PRNGs)
    • Common example: linear congruential algorithm
  • PRNGs are seeded with input data
    • Allows for reproducibility where necessary; a given seed always produces the same output sequence
    • Seeds are typically 32-bit integers

  4. Attacks Against PRNGs
  • Cryptanalytic attack
  • Discovery of internal state
    • Observe enough output values and we can figure out how the generator was seeded
    • Knowledge of the seed allows us to predict output
  • Easier than you might think!...

  5. Cigital’s Internet Poker Exploit
  (Screenshot captions:)
  Our cards
  We can’t see other players’ cards…
  …but we can compute what they will be!

  6. Cigital’s Internet Poker Exploit
  • Flawed PRNG used for deck shuffling
    • Non-cryptographic algorithm
    • 32-bit seed, so 52! (about 2^226) possible shuffles reduces to around 4 billion
  • PRNG seed chosen poorly
    • Milliseconds since midnight on the system clock used, so 4 billion shuffles reduces to 86,400,000
    • If we can sync closely to the server’s clock, we can reduce this figure significantly…

  7. (Screenshot captions:)
  Specify your 2 cards and first 3 from the ‘flop’
  Synchronise clock & hit Shuffle button
  Program calculates shuffle, and predicts other players’ hands!

  8. Success!

  9. A More Serious Scenario
  • SSL uses a randomly-generated session key to perform symmetric encryption of data
  • Public key cryptography is used to exchange the session key securely
  • No need to break that encryption if we can predict what the session key should be!
  • 1996: Netscape 1.1
    • PRNG seed could be determined from time of day and process IDs

  10. Better PRNGs
  • Cryptographic PRNGs produce numbers that are hard to predict, even when the attacker has full knowledge of the algorithm
  • Typical techniques
    • Encrypt a secret counter with a secret key
    • Compute MD5 or SHA-1 hash of a secret counter
  • Critical dependence on seed quality

  11. Entropy Collection
  • Entropy of a seed measures its randomness; the more entropy we have, the better the seed
  • Sources of entropy:
    • Radioactive decay (needs special hardware)
    • Images of chaotic processes: http://www.lavarnd.org/
    • Keyboard and mouse events
    • Events internal to OS (e.g., thread timing)

  12. Practical Sources of Randomness
  • Windows
    • CryptGenRandom call from Win32 API
      • Entropy gathered from a huge range of sources, including time, CPU counters, interrupt info, PID, paging info…
    • RNGCryptoServiceProvider class in .NET
  • Linux
    • Standard devices, which we open & read like files
      • /dev/random (processed entropy)
      • /dev/urandom (pseudo-random numbers)
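As an added example (not code from the lecture), the deck shuffle from the poker case done the way slides 10 to 12 recommend: every swap index is drawn directly from /dev/urandom, opened and read like a file, with rejection sampling so there is no modulo bias. Because no 32-bit seed is involved, the set of reachable shuffles is not capped at about 4 billion. It assumes a Linux/Unix system with /dev/urandom; the card identifiers 0..51 are a constructed encoding.

```c
/* Added example: 52-card shuffle driven by /dev/urandom rather than a
 * clock-derived 32-bit seed. Linux/Unix only (needs /dev/urandom). */
#include <stdint.h>
#include <stdio.h>
#define DECK_SIZE 52

/* Read exactly n bytes from /dev/urandom; 0 on success, -1 on failure. */
static int read_urandom(void *buf, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Uniform integer in [0, bound): reject values at or above the largest
 * multiple of bound so that r % bound is unbiased. -1 on read error. */
static int uniform_index(uint32_t bound) {
    uint32_t limit = UINT32_MAX - (UINT32_MAX % bound);
    for (;;) {
        uint32_t r;
        if (read_urandom(&r, sizeof r) != 0) return -1;
        if (r < limit) return (int)(r % bound);
    }
}

/* Fisher-Yates shuffle of card ids 0..51; 0 on success, -1 on error. */
int shuffle_deck(int deck[DECK_SIZE]) {
    for (int i = 0; i < DECK_SIZE; i++) deck[i] = i;
    for (int i = DECK_SIZE - 1; i > 0; i--) {
        int j = uniform_index((uint32_t)i + 1);
        if (j < 0) return -1;
        int tmp = deck[i]; deck[i] = deck[j]; deck[j] = tmp;
    }
    return 0;
}

/* Shuffle once and verify every card 0..51 appears exactly once (1/0). */
int shuffle_is_valid(void) {
    int deck[DECK_SIZE], seen[DECK_SIZE] = {0};
    if (shuffle_deck(deck) != 0) return 0;
    for (int i = 0; i < DECK_SIZE; i++) {
        if (deck[i] < 0 || deck[i] >= DECK_SIZE || seen[deck[i]]++) return 0;
    }
    return 1;
}
```

Reading the device for every index is slow but keeps the example obvious; a real program would buffer the device bytes or use the OS call that wraps it.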

  13. Race Conditions
  • Common problem in multithreaded apps, or apps where multiple processes share resources
  • Very difficult to detect and fix
  • Application will not be robust…
  • …and there could be security problems

  14. Exploiting a Race Condition
  • Attacker ‘races’ to invalidate an assumption made by the programmer in the interval between operations
  • If the attacker wins, the program will behave incorrectly
  • The period during which violating the assumption leads to incorrect behaviour is the window of vulnerability

  15. Time Of Check, Time Of Use
  • Special class of RC involving file access—often abbreviated to TOC-TOU
  • Window of vulnerability occurs between a check on some file property and use of the file
  • More of a problem for UNIX than for Windows
    • System calls such as access use pathnames rather than a filehandle…
    • …and a pathname can be made to reference a different file within the window of vulnerability!

  16. Canonical TOC-TOU Example
  • A program is running ‘setuid root’
    • Grants the program the privileges of root, regardless of the user executing it
  • Program must write to a file owned by the user running the program…
  • …so the program must take care not to write to that file unless the actual user is permitted to do so

  17. Canonical TOC-TOU Attack
  Check whether the real UID has write permission, then open the file for writing (the slide's own vulnerable code; the gap between the two calls is the window of vulnerability):

      #include <stdio.h>
      #include <stdlib.h>
      #include <unistd.h>

      FILE* outfile;
      ...
      if (access(filename, W_OK) == 0) {       /* time of check: real UID may write? */
          /* window of vulnerability: filename can be re-pointed here */
          outfile = fopen(filename, "wb+");    /* time of use: open file for writing */
          writeDataTo(outfile);
      }
      else {
          fprintf(stderr, "Not permitted to open %s\n", filename);
          exit(1);
      }

  18. How The Attack Works
  Preparation: create a zero-length dummy file with the attacker’s permissions, then a symbolic link pointing to the dummy file:

      $ touch dummy
      $ ln -s dummy symlink

  Within the window of vulnerability:

      $ rm symlink; ln -s /etc/passwd symlink

  The link now points to /etc/passwd, but the program thinks it is the attacker’s file; the password file is overwritten!

  19. Summary
  • When generating pseudo-random numbers:
    • Use a cryptographically-strong PRNG
    • Collect enough entropy to provide a good seed
  • Watch out for race conditions in multithreaded or multi-process applications
  • Beware of TOC-TOU problems with file access
    • Avoid system calls that use filenames, if possible; the file could change after you start dealing with it!
