computer security cs 426 lecture 7 l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Computer Security CS 426 Lecture 7 PowerPoint Presentation
Download Presentation
Computer Security CS 426 Lecture 7

Loading in 2 Seconds...

play fullscreen
1 / 29

Computer Security CS 426 Lecture 7 - PowerPoint PPT Presentation


  • 338 Views
  • Uploaded on

Computer Security CS 426 Lecture 7 Software Vulnerabilities (Continued) Readings for this and the last lecture Security in Computing 3.1, 3.2 Counter Hack Reloaded Chapter 7 Additional readings

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Computer Security CS 426 Lecture 7' - albert


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
computer security cs 426 lecture 7

Computer Security CS 426Lecture 7

Software Vulnerabilities (Continued)

Fall 2006/Lecture 7

readings for this and the last lecture
Readings for this and the last lecture
  • Security in Computing
    • 3.1, 3.2
  • Counter Hack Reloaded
    • Chapter 7
  • Additional readings
    • Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, Crispin Cowan, et al.
    • Smashing The Stack For Fun And Profit, Aleph One
    • wikipedia topics: buffer overflow, format string attack

Fall 2006/Lecture 7

review
Review
  • Steps in a standard break-in
    • Get your foot in the door
    • Use partial access to gain root (admin) access
    • Set up some way to return
    • Cover your tracks
  • Common software vulnerabilities
    • Input validation, Buffer overflows, Format string problems, Integer overflows, Race conditions

Fall 2006/Lecture 7

buffer overflow
Buffer Overflow
  • Stack overflow
    • Shell code
    • Return-to-libc
      • Overflow sets ret-addr to address of libc function
    • Off-by-one
      • Overflow sets the least significant byte of stored stack frame pointer to 0
  • Heap overflow

Fall 2006/Lecture 7

heap overflow
Heap Overflow
  • Heap overflow is a general term that refers to overflow in data sections other than the stack
    • buffers that are dynamically allocated, e.g., by malloc
    • statically initialized variables (data section)
    • uninitialized buffers (bss section)

Fall 2006/Lecture 7

an example of heap overflow
An Example of Heap Overflow

FILE *tmpfd;

static char buf[BUFSIZE], *tmpfile;

tmpfile = "/tmp/vulprog.tmp";

gets(buf);

tmpfd = fopen(tmpfile, "w");

Does not change the control flow.

Fall 2006/Lecture 7

preventing buffer overflow attacks
Preventing Buffer Overflow Attacks
  • Non-executable stack
  • Static source code analysis.
  • Run time checking: StackGuard, Libsafe, SafeC, (Purify).
  • Randomization.
  • Type safe languages (Java, ML).
    • Legacy code?
  • Detection deviation of program behavior
  • Sandboxing
  • Many more … (covered later in course)

Fall 2006/Lecture 7

marking stack as non execute
Marking stack as non-execute
  • Basic stack exploit can be prevented by marking stack segment as non-executable.
    • Support in SP2. Code patches exist for Linux, Solaris.

Problems:

    • Does not defend against `return-to-libc’ exploit.
    • Some apps need executable stack (e.g. LISP interpreters).
    • Does not block more general overflow exploits:
      • Overflow on heap: overflow buffer next to func pointer.

Fall 2006/Lecture 7

static source code analysis
Static source code analysis
  • Statically check source code to detect buffer overflows.
    • Several consulting companies.
  • Can we automate the review process?
  • Several tools exist:
    • Coverity (Engler et al.): Test trust inconsistency.
    • Microsoft program analysis group:
      • PREfix: looks for fixed set of bugs (e.g. null ptr ref)
      • PREfast: local analysis to find idioms for prog errors.
    • Berkeley: Wagner, et al. Test constraint violations.
  • Find lots of bugs, but not all.

Fall 2006/Lecture 7

bugs to detect
Bugs to Detect
  • Some examples
  • Crash Causing Defects
  • Null pointer dereference
  • Use after free
  • Double free
  • Array indexing errors
  • Mismatched array new/delete
  • Potential stack overrun
  • Potential heap overrun
  • Return pointers to local variables
  • Logically inconsistent code
  • Uninitialized variables
  • Invalid use of negative values
  • Passing large parameters by value
  • Underallocations of dynamic data
  • Memory leaks
  • File handle leaks
  • Network resource leaks
  • Unused values
  • Unhandled return codes
  • Use of invalid iterators

Fall 2006/Lecture 7

run time checking stackguard
Run time checking: StackGuard
  • Many many run-time checking techniques …
  • Solutions 1: StackGuard (WireX)
    • Run time tests for stack integrity.
    • Embed “canaries” in stack frames and verify their integrity prior to function return.

Frame 2

Frame 1

topofstack

sfp

ret

str

local

canary

sfp

ret

str

local

canary

Fall 2006/Lecture 7

canary types
Canary Types
  • Random canary:
    • Choose random string at program startup.
    • Insert canary string into every stack frame.
    • Verify canary before returning from function.
    • To corrupt random canary, attacker must learn current random string.
  • Terminator canary:Canary = 0, newline, linefeed, EOF
    • String functions will not copy beyond terminator.
    • Hence, attacker cannot use string functions to corrupt stack.

Fall 2006/Lecture 7

stackguard cont
StackGuard (Cont.)
  • StackGuard implemented as a GCC patch.
    • Program must be recompiled.
    • Minimal performance effects:8% for Apache.
  • Newer version: PointGuard.
    • Protects function pointers and setjmp buffers by placing canaries next to them.
    • More noticeable performance effects.
  • Note: Canaries don’t offer fullproof protection.
    • Some stack smashing attacks can leave canaries untouched.

Fall 2006/Lecture 7

windows xp sp2 gs
Windows XP SP2 /GS
  • Non executable stack.
  • Compiler /GS option:
    • Combination of ProPolice and Random canary.
    • Triggers UnHandledException in case of Canary mismatch to shutdown process.
  • Litchfield vulnerability report.
    • Overflow overwrites exception handler.
    • Redirects exception to attack code.

Fall 2006/Lecture 7

run time checking libsafe
Run time checking: Libsafe
  • Solutions 2: Libsafe (Avaya Labs)
    • Dynamically loaded library.
    • Intercepts calls to strcpy (dest, src)
      • Validates sufficient space in current stack frame: |frame-pointer – dest| > strlen(src)
      • If so, does strcpy. Otherwise, terminates application.

topofstack

src

buf

sfp

ret-addr

sfp

ret-addr

dest

main

libsafe

Fall 2006/Lecture 7

more methods
More methods …
  • StackShield
    • At function prologue, copy return address RET and SFP to “safe” location (beginning of data segment)
    • Upon return, check that RET and SFP is equal to copy.
    • Implemented as assembler file processor (GCC)

Fall 2006/Lecture 7

randomization motivations
Randomization: Motivations.
  • Buffer overflow and return-to-libc exploits need to know the (virtual) address to which pass control
    • Address of attack code in the buffer
    • Address of a standard kernel library routine
  • Same address is used on many machines
    • Slammer infected 75,000 MS-SQL servers using same code on every machine
  • Idea: introduce artificial diversity
    • Make stack addresses, addresses of library routines, etc. unpredictable and different from machine to machine

Fall 2006/Lecture 7

randomization
Randomization
  • PaX Address Space Layout Randomization
    • Randomize location of libc.
    • Attacker cannot jump directly to exec function.
    • Attacks:
      • Repetitively guess randomized address
      • Spraying injected attack code
  • Instruction Set Randomization (ISR)
    • Each program has a different and secret instruction set
    • Use translator to randomize instructions at load-time
    • Attacker cannot execute its own code.

Fall 2006/Lecture 7

other bugs

Other Bugs

Fall 2006/Lecture 7

format string problem
Format string problem

int func(char *user) {

fprintf( stdout, user);

}

Problem: what if user = “%s%s%s%s%s%s%s” ??

  • Most likely program will crash: DoS.
  • If not, program will print memory contents. Privacy?
  • Full exploit using user = “%n”

Correct form:

int func(char *user) {

fprintf( stdout, “%s”, user);

}

Fall 2006/Lecture 7

history
History
  • Danger discovered in June 2000.
  • Examples:
    • wu-ftpd 2.* : remote root.
    • Linux rpc.statd: remote root
    • IRIX telnetd: remote root
    • BSD chpass: local root

Fall 2006/Lecture 7

vulnerable functions
Vulnerable functions

Any function using a format string.

Printing:

printf, fprintf, sprintf, …

vprintf, vfprintf, vsprintf, …

Logging:

syslog, err, warn

Fall 2006/Lecture 7

integer overflow
Integer Overflow
  • Direct causes:
    • Truncation
    • Integer casting
  • Example:

const long MAX_LEN = 20K;

short len = strlen(input);

if (len < MAX_LEN)

// do something

How long does input needs to be to bypass the check?

Fall 2006/Lecture 7

where does integer overflow matter
Where Does Integer Overflow Matter?
  • Allocating spaces using calculation.
  • Calculating indexes into arrays
  • Checking whether an overflow could occur

Fall 2006/Lecture 7

how does casting work
How does casting work?
  • Signed int to Larger signed int
  • Signed int to Same-size unsigned int
  • Signed int to Larger unsigned int
  • Unsigned int to Larger unsigned int
  • Unsigned int to Same-size signed int
  • Unsigned int to Larger signed int
  • Downcast

Language, system dependent!

Fall 2006/Lecture 7

when casting occurs in c
When casting occurs in C?
  • For binary operators +, -, *, /, %, &, |, ^,
    • if either operand is an unsigned long, both are cast to an unsigned long
    • in all other cases where both operands are 32-bits or less, the arguments are both upcast to int, and the result is an int
  • For unary operators
    • ~ changes type, e.g., ~((unsigned short)0) is int
    • ++ and -- does not change type

Fall 2006/Lecture 7

another example
Another Example

bool IsValidAddition(unsigned short x,

unsigned short y)

{

if (x+y < x)

return false;

return true;

}

Fall 2006/Lecture 7

race conditions
Race conditions
  • Idea
    • Race conditions lead to many subtle bugs (hard to find, fix, etc.)
    • Specific problems with file permission checks
  • Example: Ghostscript temporary files
    • Ghostscript creates a lot of temporary files
    • Temporary file names under Unix often generated by maketemp()

name = maketemp("/tmp/gs_XXXXXXXX");

fp = fopen(name,"w");

    • Problem: predictable file names, derived from the process ID
  • Attack
    • Create symlink /tmp/gs_12345A -> /etc/passwd, at right time
    • This causes Ghostscript to rewrite /etc/passwd.
    • Similar problems with enscript, other programs with temp files
  • Recommendation
    • Use atomic mkstemp() which creates and opens a file atomically

Fall 2006/Lecture 7

coming attractions
Coming Attractions …
  • September 14: More on Unix Access Control: Sandboxing Programs

Fall 2006/Lecture 7