
Common Security Faults



Presentation Transcript


  1. Common Security Faults CPSC 410

  2. Common Bugs Causing Security Exploits
     1. Buffer Overflow
     2. Numeric Representation
     3. Time-of-Check Time-of-Use (TOCTOU)
     4. Resource Depletion
     5. Illegal State Transition

  3. Buffer Overflow
     • Overwrite values of arbitrary program state
     • Not possible in runtime-safe languages
       • Java/C#
       • Ruby/Python/etc.
     • Common in high-performance languages
       • C and C++
     • Takes advantage of the fact that these languages do not check array bounds (no ArrayIndexOutOfBounds)
     • Allows execution of injected code
       • Writes new code in memory and jumps to it

  4. Buffer Overflow
     Reminder: a String is an array of char in many languages

       class Person {
         private char[] name = new char[255];
         public void setName(char[] value) {
           for (int i = 0; i < value.length; i++) {
             name[i] = value[i];
           }
         }
       }

     What happens in C++ when i >= name.length?

  5. Buffer Overflow Corrupts Stack Frame
     [Diagram: two adjacent stack frames, each made up of Parameters, Return Address and Local Variables]
       Caller function:   Parameters  | Return Address  | Local Variables
       Current function:  Parameters' | Return Address' | Local Variables'   (occupies 0x10000 to 0x10000 + N)
     Assuming the current frame starts at memory address 0x10000 and sizeof local variables is N

  6. Sample Stack Frame
     [Diagram: stack frame of foo, top to bottom]  n = 0x23435256 | return address (address of the statement y=3) | y | x | buf

       void foo(char * n) {
         int x, y;
         char buf[100];
         strcpy(buf, n);
         …
       }

       char * name = input();
       foo(name);
       y = 3;


  8. Buffer Overflow
     What transparently executes in Java (under the hood): the bounds check the programmer never has to write

       class Person {
         private char[] name = new char[255];
         public void setName(char[] value) {
           for (int i = 0; i < value.length; i++) {
             if (i >= name.length) {   // the JVM performs this check on every array access
               throw new ArrayIndexOutOfBoundsException(i);
             }
             name[i] = value[i];
           }
         }
       }

  9. Numeric Representation
     • Take advantage of programmers who forget to check math computations
     • Also related to binary-decimal conversions and FP errors
       • E.g. Excel bug
       • Decimal 0.1 -> binary 0.000110011…
       • Formula =77.1 * 850 would display as 100,000 instead of 65,535
     http://www.joelonsoftware.com/items/2007/09/26b.html

  10. Numeric Representation
     • “The Vancouver stock exchange devised a short-lived index. At its inception in 1982, the index was given a value of 1000.000. After 22 months of recomputing the index and truncating to three decimal places at each change in market value, the index stood at 524.881, when its "true" value should have been 1009.811.”
     • “In the 37th second of flight of the Ariane rocket (launched on June 4, 1996), the inertial reference system attempted to convert a 64-bit floating-point number to a 16-bit number, but instead triggered an overflow error which was interpreted by the guidance system as flight data, causing the rocket to veer off course and be destroyed.[1]”
     • Source: Wikipedia

  11. Numeric Representation Source: http://mathworld.wolfram.com/RoundoffError.html
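The three failures described on slides 9 and 10, reproduced with constructed data as an added example (not part of the deck): the 77.1 * 850 product that Excel mis-displayed, an index recomputed with truncation to three decimals as in the Vancouver case, and a checked 64-bit-float to 16-bit conversion of the kind the Ariane software lacked. The market moves come from a fixed random seed and are constructed, not historical.

```python
import random
from decimal import Decimal, ROUND_DOWN, getcontext

# 50 significant digits: the "exact" track stays exact far beyond the 3rd decimal.
getcontext().prec = 50


def excel_product():
    """77.1 * 850 is 65535 in decimal arithmetic, but 0.1 (and so 77.1) has no
    finite binary expansion, so the double product lands just below 65535."""
    return 77.1 * 850


def truncate3(x):
    """Truncate (not round) to three decimals, as the 1982 Vancouver index did."""
    return x.quantize(Decimal("0.001"), rounding=ROUND_DOWN)


def simulate_index(steps, seed=0):
    """Apply one constructed sequence of small market moves to two copies of the
    index: one truncated after every update, one kept at full precision.
    Returns (truncated, exact). Truncation only ever discards value, so the
    gap grows with every update instead of averaging out."""
    rng = random.Random(seed)            # fixed seed: constructed, reproducible moves
    truncated = exact = Decimal("1000.000")
    for _ in range(steps):
        move = Decimal(str(round(rng.uniform(0.995, 1.005), 4)))   # e.g. 1.0023
        exact = exact * move
        truncated = truncate3(truncated * move)
    return truncated, exact


def to_int16(value):
    """Checked version of the Ariane 5 conversion: a 64-bit float that does not
    fit in 16 bits is refused instead of silently becoming a bogus bit pattern."""
    n = int(value)                        # truncates toward zero, like a C cast
    if not -32768 <= n <= 32767:
        raise OverflowError(f"{value} does not fit in a signed 16-bit integer")
    return n
```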

  12. Time-of-Check Time-of-Use
     • Take advantage of a race condition between:
       • Time when authorization for a resource is checked
       • Time when access to the resource actually occurs
     • Force redirection of the intended resource during this period
     • Caused by multiple uses of indirection
     • Caused by misunderstanding of concurrency

  13. TOC-TOU in Unix
     Program prepares to write to filename: /tmp/X
     RACE CONDITION! Between the check and the write, another process runs:
       $ rm /tmp/X
       $ ln /etc/passwd /tmp/X
     Create a “shortcut” (hard link) to /etc/passwd named /tmp/X

  14. TOC-TOU in Unix

  15. TOC-TOU in Web App [Wikipedia]
     • “Web application allows user to edit pages
     • Also allows administrators to lock pages to prevent editing.
     • A user requests to edit a page, getting a form by which he can alter its content.
     • Before the user submits the form, an administrator locks the page, which should prevent editing.
     • However, since the user has already begun editing, when he submits the form, his changes might be accepted.
     • When the user began editing, his authorization was checked, and he was indeed allowed to edit.
     • However, the authorization was used later, after he should no longer have been allowed.”
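An added example (not from the deck) of the /tmp/X race from slide 13, run in a throwaway directory on a POSIX system: the check-then-open pattern writes straight through the attacker's hard link, while a version that opens first and inspects the descriptor it actually holds (O_NOFOLLOW, regular file, a single hard link, our own uid) refuses. The web case on slide 15 needs the same discipline, checking the lock at the moment the form is submitted rather than only when it is requested.

```python
import os
import stat
import tempfile


def write_after_check(path, data):
    """TOCTOU shape: check and use both go through the *name*, and the name can
    be re-pointed (rm /tmp/X; ln /etc/passwd /tmp/X) between the two calls."""
    if not os.access(path, os.W_OK):           # time of check
        raise PermissionError(path)
    with open(path, "w") as f:                  # time of use
        f.write(data)


def write_checked_fd(path, data):
    """Hardened: open first, then inspect the descriptor we actually hold.
    Refuses symlinks (O_NOFOLLOW), non-regular files, files with a second hard
    link, and files we do not own; what was checked is exactly what is written."""
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_nlink != 1:
            raise PermissionError(f"{path}: reachable by {st.st_nlink} names")
        if st.st_uid != os.getuid():
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, not us")
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a throwaway directory standing in for /tmp and
    /etc: 'passwd' is the file to protect, 'X' a hard link to it left behind
    before the program writes. Returns (passwd_clobbered, hardened_refused)."""
    with tempfile.TemporaryDirectory() as d:
        passwd, x = os.path.join(d, "passwd"), os.path.join(d, "X")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed content
        os.link(passwd, x)                      # the 'ln' from slide 13
        write_after_check(x, "clobbered\n")     # check passes; 'passwd' is rewritten
        with open(passwd) as f:
            clobbered = f.read() == "clobbered\n"
        try:
            write_checked_fd(x, "clobbered again\n")
            refused = False
        except PermissionError:
            refused = True
        return clobbered, refused
```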

  16. Resource Depletion
     • Create Denial-of-Service
       • Issue more requests to the server than it can handle
       • Cause other users to receive poor service
     • Programmer fails to monitor and throttle client usage, OR
     • Attacker uses a botnet to fool the server
       • Botnet uses buffer overflow to take over a large number of distributed hosts that cooperate in the attack
     • Resource could be
       • CPU
       • Memory
       • File system
       • etc.

  17. Resource Depletion Hole

       public void acceptConnections() {
         ServerSocket serverSocket = new ServerSocket(SERVER_PORT);
         int counter = 0;
         boolean hasConnections = true;
         while (hasConnections) {      // never becomes false, and every client gets its own new thread
           Socket client = serverSocket.accept();
           Thread t = new Thread(new ClientSocketThread(client));
           t.setName(client.getInetAddress().getHostName() + ":" + counter++);
           t.start();
         }
         serverSocket.close();
       }

  18. Resource Depletion/Allocation Check

       public static final int SERVER_PORT = 4444;
       public static final int MAX_CONNECTIONS = 10;

       public void acceptConnections() {
         ServerSocket serverSocket = new ServerSocket(SERVER_PORT);
         // Create the pool once, outside the loop, so at most MAX_CONNECTIONS handlers run at a time.
         // (A new pool on every iteration would allocate another 10 threads per client and defeat the limit.)
         ExecutorService pool = Executors.newFixedThreadPool(MAX_CONNECTIONS);
         int counter = 0;
         boolean hasConnections = true;
         while (hasConnections) {
           hasConnections = checkForMoreConnections();   // gives the loop a way to stop
           Socket client = serverSocket.accept();
           Thread t = new Thread(new ClientSocketThread(client));
           t.setName(client.getInetAddress().getHostName() + ":" + counter++);
           pool.execute(t);   // queued until a pool thread is free, instead of t.start()
         }
         pool.shutdown();
         serverSocket.close();
       }

     Source: http://cwe.mitre.org/data/definitions/770.html
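An added example (not from the deck or from CWE-770) of the caveat with the fixed pool above: newFixedThreadPool caps how many handlers run, but its task queue is unbounded, so accepted sockets still pile up in memory under load. This Python wrapper, a stand-in for the Java server, also caps how many may wait and rejects the rest immediately, which is what makes the overload visible to monitoring.

```python
import threading
from concurrent.futures import ThreadPoolExecutor


class TooManyConnections(Exception):
    """Raised instead of queueing when the server is saturated."""


class BoundedExecutor:
    """A fixed pool caps how many handlers *run*; its queue still accepts every
    accept()ed socket. This wrapper also caps how many may *wait*."""

    def __init__(self, max_connections, max_waiting):
        self._pool = ThreadPoolExecutor(max_workers=max_connections)
        # One permit per handler that is running or waiting. A non-blocking
        # acquire() turns "queue forever" into an immediate, visible rejection.
        self._slots = threading.Semaphore(max_connections + max_waiting)

    def submit(self, fn, *args):
        if not self._slots.acquire(blocking=False):
            raise TooManyConnections()
        try:
            future = self._pool.submit(fn, *args)
        except Exception:
            self._slots.release()           # do not leak the permit on failure
            raise
        future.add_done_callback(lambda _f: self._slots.release())
        return future

    def shutdown(self):
        self._pool.shutdown(wait=True)


def demo(max_connections=2, max_waiting=3, attempted=20):
    """Constructed load: `attempted` clients arrive while every handler is
    blocked on `go`. Returns (accepted, rejected); accepted never exceeds
    max_connections + max_waiting however many clients arrive."""
    go = threading.Event()
    ex = BoundedExecutor(max_connections, max_waiting)
    accepted = rejected = 0
    for _ in range(attempted):
        try:
            ex.submit(go.wait)              # stand-in for ClientSocketThread
            accepted += 1
        except TooManyConnections:
            rejected += 1
    go.set()                                # let the handlers finish
    ex.shutdown()
    return accepted, rejected
```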

  19. Illegal State Transition
     • Take advantage that the programmer forgets to check an object invariant
     • Once state becomes inconsistent, many new opportunities for attack become available
     • Occurs frequently because:
       • Although programmers may be good at implementing what is specified
       • Programmers may forget to prevent what is not specified

  20. Illegal State Transition

  21. Illegal State Transition

       class BankAccount {
         private float total;
         enum Status { Overdrawn, Process, Open, Frozen, Inactive, Closed }
         private Status status;
         public void freeze() {
           // Need to check if status is Open
           status = Status.Frozen;
         }
       }
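An added example (not from the deck) of the BankAccount above with the missing check made explicit: one transition table, one guarded door for every state change, and an invariant tying the sign of the balance to the status. The set of legal edges is an assumption, since slide 20's state diagram is not in this transcript.

```python
from decimal import Decimal
from enum import Enum

Status = Enum("Status", "Overdrawn Process Open Frozen Inactive Closed")

# Assumed legal edges (slide 20's diagram is not in the transcript); any pair not listed is refused.
ALLOWED = {
    (Status.Process, Status.Open),
    (Status.Open, Status.Frozen),    (Status.Frozen, Status.Open),
    (Status.Open, Status.Overdrawn), (Status.Overdrawn, Status.Open),
    (Status.Open, Status.Inactive),  (Status.Inactive, Status.Open),
    (Status.Open, Status.Closed),    (Status.Inactive, Status.Closed),
}

class IllegalTransition(Exception):
    pass

class BankAccount:
    def __init__(self):
        self.total = Decimal(0)
        self.status = Status.Process

    def _move(self, new):
        # Every state change passes through this one guarded door.
        if (self.status, new) not in ALLOWED:
            raise IllegalTransition(f"{self.status.name} -> {new.name}")
        self.status = new
        self._check_invariant()

    def _check_invariant(self):
        # Balance sign and status must agree; otherwise the object is inconsistent.
        if (self.total < 0) != (self.status is Status.Overdrawn):
            raise IllegalTransition(f"balance {self.total} while {self.status.name}")

    def open(self):     self._move(Status.Open)
    def freeze(self):   self._move(Status.Frozen)   # only legal from Open: the check slide 21 omits
    def unfreeze(self): self._move(Status.Open)

    def withdraw(self, amount):
        if self.status is not Status.Open:          # nothing leaves a Frozen, Closed, ... account
            raise IllegalTransition(f"withdraw while {self.status.name}")
        self.total -= Decimal(amount)
        if self.total < 0:
            self._move(Status.Overdrawn)

    def deposit(self, amount):
        if self.status not in (Status.Open, Status.Overdrawn):
            raise IllegalTransition(f"deposit while {self.status.name}")
        self.total += Decimal(amount)
        if self.status is Status.Overdrawn and self.total >= 0:
            self._move(Status.Open)
```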

  22. Conclusion
     • All bugs are potential sources of security exploits
     • However, certain common bugs overwhelmingly dominate the percentage of exploit cases
     • Attackers will try to trigger these bugs first
       • Often they reuse scripts for attacks
       • Often not clever in devising new attacks
     • Such bugs should be given high priority in testing/debugging
