1 / 29

Computer Security CS 426 Lecture 7

Computer Security CS 426 Lecture 7 Software Vulnerabilities (Continued) Readings for this and the last lecture Security in Computing 3.1, 3.2 Counter Hack Reloaded Chapter 7 Additional readings

albert
Download Presentation

Computer Security CS 426 Lecture 7

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Security CS 426Lecture 7 Software Vulnerabilities (Continued) Fall 2006/Lecture 7

  2. Readings for this and the last lecture • Security in Computing • 3.1, 3.2 • Counter Hack Reloaded • Chapter 7 • Additional readings • Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, Crispin Cowan, et al. • Smashing The Stack For Fun And Profit, Aleph One • wikipedia topics: buffer overflow, format string attack Fall 2006/Lecture 7

  3. Review • Steps in a standard break-in • Get your foot in the door • Use partial access to gain root (admin) access • Set up some way to return • Cover your tracks • Common software vulnerabilities • Input validation, Buffer overflows, Format string problems, Integer overflows, Race conditions Fall 2006/Lecture 7

  4. Buffer Overflow • Stack overflow • Shell code • Return-to-libc • Overflow sets ret-addr to address of libc function • Off-by-one • Overflow sets the least significant byte of stored stack frame pointer to 0 • Heap overflow Fall 2006/Lecture 7

  5. Heap Overflow • Heap overflow is a general term that refers to overflow in data sections other than the stack • buffers that are dynamically allocated, e.g., by malloc • statically initialized variables (data section) • uninitialized buffers (bss section) Fall 2006/Lecture 7

  6. An Example of Heap Overflow FILE *tmpfd; static char buf[BUFSIZE], *tmpfile; tmpfile = "/tmp/vulprog.tmp"; gets(buf); tmpfd = fopen(tmpfile, "w"); … Does not change the control flow. Fall 2006/Lecture 7

  7. Preventing Buffer Overflow Attacks • Non-executable stack • Static source code analysis. • Run time checking: StackGuard, Libsafe, SafeC, (Purify). • Randomization. • Type safe languages (Java, ML). • Legacy code? • Detection deviation of program behavior • Sandboxing • Many more … (covered later in course) Fall 2006/Lecture 7

  8. Marking stack as non-execute • Basic stack exploit can be prevented by marking stack segment as non-executable. • Support in SP2. Code patches exist for Linux, Solaris. Problems: • Does not defend against `return-to-libc’ exploit. • Some apps need executable stack (e.g. LISP interpreters). • Does not block more general overflow exploits: • Overflow on heap: overflow buffer next to func pointer. Fall 2006/Lecture 7

  9. Static source code analysis • Statically check source code to detect buffer overflows. • Several consulting companies. • Can we automate the review process? • Several tools exist: • Coverity (Engler et al.): Test trust inconsistency. • Microsoft program analysis group: • PREfix: looks for fixed set of bugs (e.g. null ptr ref) • PREfast: local analysis to find idioms for prog errors. • Berkeley: Wagner, et al. Test constraint violations. • Find lots of bugs, but not all. Fall 2006/Lecture 7

  10. Bugs to Detect • Some examples • Crash Causing Defects • Null pointer dereference • Use after free • Double free • Array indexing errors • Mismatched array new/delete • Potential stack overrun • Potential heap overrun • Return pointers to local variables • Logically inconsistent code • Uninitialized variables • Invalid use of negative values • Passing large parameters by value • Underallocations of dynamic data • Memory leaks • File handle leaks • Network resource leaks • Unused values • Unhandled return codes • Use of invalid iterators Fall 2006/Lecture 7

  11. Run time checking: StackGuard • Many many run-time checking techniques … • Solutions 1: StackGuard (WireX) • Run time tests for stack integrity. • Embed “canaries” in stack frames and verify their integrity prior to function return. Frame 2 Frame 1 topofstack sfp ret str local canary sfp ret str local canary Fall 2006/Lecture 7

  12. Canary Types • Random canary: • Choose random string at program startup. • Insert canary string into every stack frame. • Verify canary before returning from function. • To corrupt random canary, attacker must learn current random string. • Terminator canary:Canary = 0, newline, linefeed, EOF • String functions will not copy beyond terminator. • Hence, attacker cannot use string functions to corrupt stack. Fall 2006/Lecture 7

  13. StackGuard (Cont.) • StackGuard implemented as a GCC patch. • Program must be recompiled. • Minimal performance effects:8% for Apache. • Newer version: PointGuard. • Protects function pointers and setjmp buffers by placing canaries next to them. • More noticeable performance effects. • Note: Canaries don’t offer fullproof protection. • Some stack smashing attacks can leave canaries untouched. Fall 2006/Lecture 7

  14. Windows XP SP2 /GS • Non executable stack. • Compiler /GS option: • Combination of ProPolice and Random canary. • Triggers UnHandledException in case of Canary mismatch to shutdown process. • Litchfield vulnerability report. • Overflow overwrites exception handler. • Redirects exception to attack code. Fall 2006/Lecture 7

  15. Run time checking: Libsafe • Solutions 2: Libsafe (Avaya Labs) • Dynamically loaded library. • Intercepts calls to strcpy (dest, src) • Validates sufficient space in current stack frame: |frame-pointer – dest| > strlen(src) • If so, does strcpy. Otherwise, terminates application. topofstack src buf sfp ret-addr sfp ret-addr dest main libsafe Fall 2006/Lecture 7

  16. More methods … • StackShield • At function prologue, copy return address RET and SFP to “safe” location (beginning of data segment) • Upon return, check that RET and SFP is equal to copy. • Implemented as assembler file processor (GCC) Fall 2006/Lecture 7

  17. Randomization: Motivations. • Buffer overflow and return-to-libc exploits need to know the (virtual) address to which pass control • Address of attack code in the buffer • Address of a standard kernel library routine • Same address is used on many machines • Slammer infected 75,000 MS-SQL servers using same code on every machine • Idea: introduce artificial diversity • Make stack addresses, addresses of library routines, etc. unpredictable and different from machine to machine Fall 2006/Lecture 7

  18. Randomization • PaX Address Space Layout Randomization • Randomize location of libc. • Attacker cannot jump directly to exec function. • Attacks: • Repetitively guess randomized address • Spraying injected attack code • Instruction Set Randomization (ISR) • Each program has a different and secret instruction set • Use translator to randomize instructions at load-time • Attacker cannot execute its own code. Fall 2006/Lecture 7

  19. Other Bugs Fall 2006/Lecture 7

  20. Format string problem int func(char *user) { fprintf( stdout, user); } Problem: what if user = “%s%s%s%s%s%s%s” ?? • Most likely program will crash: DoS. • If not, program will print memory contents. Privacy? • Full exploit using user = “%n” Correct form: int func(char *user) { fprintf( stdout, “%s”, user); } Fall 2006/Lecture 7

  21. History • Danger discovered in June 2000. • Examples: • wu-ftpd 2.* : remote root. • Linux rpc.statd: remote root • IRIX telnetd: remote root • BSD chpass: local root Fall 2006/Lecture 7

  22. Vulnerable functions Any function using a format string. Printing: printf, fprintf, sprintf, … vprintf, vfprintf, vsprintf, … Logging: syslog, err, warn Fall 2006/Lecture 7

  23. Integer Overflow • Direct causes: • Truncation • Integer casting • Example: const long MAX_LEN = 20K; short len = strlen(input); if (len < MAX_LEN) // do something How long does input needs to be to bypass the check? Fall 2006/Lecture 7

  24. Where Does Integer Overflow Matter? • Allocating spaces using calculation. • Calculating indexes into arrays • Checking whether an overflow could occur Fall 2006/Lecture 7

  25. How does casting work? • Signed int to Larger signed int • Signed int to Same-size unsigned int • Signed int to Larger unsigned int • Unsigned int to Larger unsigned int • Unsigned int to Same-size signed int • Unsigned int to Larger signed int • Downcast Language, system dependent! Fall 2006/Lecture 7

  26. When casting occurs in C? • For binary operators +, -, *, /, %, &, |, ^, • if either operand is an unsigned long, both are cast to an unsigned long • in all other cases where both operands are 32-bits or less, the arguments are both upcast to int, and the result is an int • For unary operators • ~ changes type, e.g., ~((unsigned short)0) is int • ++ and -- does not change type Fall 2006/Lecture 7

  27. Another Example bool IsValidAddition(unsigned short x, unsigned short y) { if (x+y < x) return false; return true; } Fall 2006/Lecture 7

  28. Race conditions • Idea • Race conditions lead to many subtle bugs (hard to find, fix, etc.) • Specific problems with file permission checks • Example: Ghostscript temporary files • Ghostscript creates a lot of temporary files • Temporary file names under Unix often generated by maketemp() name = maketemp("/tmp/gs_XXXXXXXX"); fp = fopen(name,"w"); • Problem: predictable file names, derived from the process ID • Attack • Create symlink /tmp/gs_12345A -> /etc/passwd, at right time • This causes Ghostscript to rewrite /etc/passwd. • Similar problems with enscript, other programs with temp files • Recommendation • Use atomic mkstemp() which creates and opens a file atomically Fall 2006/Lecture 7

  29. Coming Attractions … • September 14: More on Unix Access Control: Sandboxing Programs Fall 2006/Lecture 7

More Related