Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security
Why a course on software security?
Software plays a major role in modern society, but it is also a major source of security problems.
Software is the weakest link in the security chain, with the possible exception of "the human factor".
Software security does not get much attention in other security courses, or in programming courses.
We focus on software security, but don't forget that security is about, in no particular order: people (users, employees, sys-admins, programmers, ...), access control, passwords, biometrics, cryptology, protocols, policies & their enforcement, monitoring, auditing, legislation, prosecution, liability, risk management, incompetence, confusion, lethargy, stupidity, mistakes, complexity, software, bugs, verification, hackers, viruses, hardware, operating systems, networks, databases, public relations, public perception, conventions, standards, physical protection, data protection, ...
Motivation: Software Insecurity
Software Insecurity
The media is full of reports of the catastrophic impact of software insecurity:
  web site defacement
  malware: viruses, Internet worms, botnets, ...
  Distributed Denial of Service (DDoS) attacks
  hacked databases
  compromised smartphones
  ...
Web Site Defacements
Defacement = "graffiti" on the Internet
Example: Unicef defacement (Jan 1998) (screenshot of the defaced page)
Malicious Software (Malware): Virus, Worm, and Botnet
virus = harmful piece of code that can infect other programs
worm = self-replicating virus; no user action is required for the infection to spread
botnet = a network of computers that have been hijacked by the bot master
First worm: Nov 1988 (the Morris worm); it infected and effectively disabled roughly 10% of the machines then on the Internet
More recently, email viruses: I Love You, Kournikova, ...
Worms: Slammer, Blaster, ...
Botnets: Agobot, Storm, ...
Slammer Worm spread on Jan 25th, 2003 (maps of infected hosts)
  05:29:00: 0 computers infected
  06:00:00: 74,855 computers infected
Pictures taken from "The Spread of the Sapphire/Slammer Worm", by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver
Software Insecurity in 2014
What Allowed Attacks?
A lot of the time, tiny programming mistakes.
The Code Red worm exploited a buffer overflow in IIS caused by a unit mix-up:

    TCHAR buff[MAX_SIZE];
    _sntprintf(buff, sizeof(buff), ...);

_sntprintf takes its size argument as a count of TCHARs, but sizeof(buff) is a count of bytes; with 2-byte TCHARs the call is willing to write twice the buffer's capacity. The fix: pass sizeof(buff)/2 (or, in general, sizeof(buff)/sizeof(TCHAR)).
The first Internet worm (Morris, 1988) and many subsequent ones (Code Red, Blaster, ...) exploited buffer overflows.
Historically, buffer overflows accounted for on the order of 50% of all security alerts.
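Added example (not code from the slides or from the Code Red advisory): a C program that reproduces the byte-versus-character count mistake behind the snippet above. MAX_SIZE (16), the sentinel placed after the buffer, wchar_t standing in for TCHAR and the all-'A' input are assumptions for illustration; the copy routine mirrors the element-count contract of _sntprintf/wcsncpy instead of calling the Windows API, so it builds anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <wchar.h>

/* MAX_SIZE is not given on the slide; 16 TCHARs is an assumed value.
 * wchar_t stands in for TCHAR in a build with UNICODE defined. */
#define MAX_SIZE 16
#define SENTINEL 0xCAFEBABEu

/* Model of the stack frame: the TCHAR buffer followed by a value the overflow
 * would clobber (a sentinel here; on a real stack, a saved frame pointer or
 * return address). Keeping both in one struct means the demo's writes stay
 * inside a single object, so the damage is observable instead of undefined. */
struct frame {
    wchar_t  buff[MAX_SIZE];
    uint32_t sentinel;
};

/* The count the vulnerable call passed: sizeof() yields BYTES. */
size_t count_vulnerable(void)
{
    struct frame f;
    return sizeof f.buff;
}

/* The count _sntprintf() actually expects: number of TCHARs.
 * sizeof(buff)/2 on the slide hard-codes a 2-byte TCHAR; this form is
 * correct for any element width. */
size_t count_fixed(void)
{
    struct frame f;
    return sizeof f.buff / sizeof f.buff[0];
}

/* Bounded copy whose count is in elements, the contract of _sntprintf() and
 * wcsncpy(). The input is a constructed run of 'A's, input_len wide chars
 * long. Returns 1 if the sentinel survived, 0 if the copy ran over it, -1 on
 * bad arguments. Writes that would pass the end of the frame are clipped so
 * the demo itself stays memory-safe; on the real stack they would continue
 * into the caller's frame. */
int sentinel_survives(size_t count_elems, size_t input_len)
{
    struct frame f;
    wchar_t input[256];

    if (input_len >= sizeof input / sizeof input[0])
        return -1;
    for (size_t i = 0; i < input_len; i++)
        input[i] = L'A';
    input[input_len] = L'\0';

    memset(&f, 0, sizeof f);
    f.sentinel = SENTINEL;

    size_t n = input_len < count_elems ? input_len : count_elems; /* elements copied */
    size_t bytes = n * sizeof(wchar_t);
    if (bytes > sizeof f)
        bytes = sizeof f;
    memcpy(&f, input, bytes);          /* buff sits at offset 0 of the frame */

    return f.sentinel == SENTINEL ? 1 : 0;
}
```

On a platform with a 4-byte wchar_t, count_vulnerable() returns 64, so the call is willing to write 64 wide characters (256 bytes) into a 64-byte buffer, while count_fixed() returns 16. One caveat the slide's fix does not address: _sntprintf does not NUL-terminate when the output is truncated, so a complete fix also terminates the buffer explicitly.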
Microsoft Zune Crash
On the last day of 2008, thousands of Microsoft Zune music players began freezing around midnight. The date-conversion loop in the firmware:

    year = ORIGINYEAR; /* = 1980 */
    while (days > 365) {
        if (IsLeapYear(year)) {
            if (days > 366) {
                days -= 366;
                year += 1;
            }
        } else {
            days -= 365;
            year += 1;
        }
    }

Initially, days holds the number of days since 1/1/1980.
The bug surfaces on the last day of a leap year: days == 366 with IsLeapYear(year) true, so neither branch changes days and the loop never terminates.
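Added example (not the Zune firmware code): the loop above with an iteration guard so it can report the hang, next to a corrected version, in C. The day-count convention (1 January 1980 is day 1) is an assumption, consistent with the loop leaving 1..365 as the day of the year.

```c
#include <stddef.h>

#define ORIGINYEAR 1980

static int IsLeapYear(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* The original loop, same logic, plus an iteration cap so the demo can report
 * the hang instead of reproducing it. Returns the year, or -1 when the loop
 * would never terminate. day_out (day of year, 1-based) may be NULL. */
int year_buggy(int days, int *day_out)
{
    int year = ORIGINYEAR;
    int guard = 0;
    while (days > 365) {
        if (++guard > 1000)          /* far beyond any real date: it is spinning */
            return -1;
        if (IsLeapYear(year)) {
            if (days > 366) {
                days -= 366;
                year += 1;
            }
            /* days == 366 in a leap year: nothing changes, loop spins forever */
        } else {
            days -= 365;
            year += 1;
        }
    }
    if (day_out)
        *day_out = days;
    return year;
}

/* Fixed loop: when exactly 366 days remain in a leap year, that is day 366 of
 * the current year, so leave the loop instead of iterating again. */
int year_fixed(int days, int *day_out)
{
    int year = ORIGINYEAR;
    while (days > 365) {
        if (IsLeapYear(year)) {
            if (days > 366) {
                days -= 366;
                year += 1;
            } else {
                break;               /* 31 December of a leap year */
            }
        } else {
            days -= 365;
            year += 1;
        }
    }
    if (day_out)
        *day_out = days;
    return year;
}

/* Day of year from the fixed conversion. */
int day_fixed(int days)
{
    int d = 0;
    year_fixed(days, &d);
    return d;
}

/* Days since 1/1/1980, counting 1 January 1980 as day 1 (assumed convention). */
int days_since_origin(int year, int day_of_year)
{
    int d = 0;
    for (int y = ORIGINYEAR; y < year; y++)
        d += IsLeapYear(y) ? 366 : 365;
    return d + day_of_year;
}
```

days_since_origin(2008, 366) is 10593: the buggy loop reports a hang for it, while the fixed loop returns 2008 and day 366. The next day, 10594 (1 January 2009), converts correctly in both versions, which is why the players recovered once the date rolled over.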
Programming Bug: Poker Site Flaw
A web site where users can play poker over the Internet. (Picture taken from a Cigital press release)
Programming Bug: Poker Site Flaw
Security engineers wrote a program to "predict" the cards of opponents.
Exploited flaw: bad random number generation in shuffling the cards.
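The flaw as the slide states it, a shuffle whose randomness comes from a low-entropy seed, as an added C example. It is neither the poker site's code nor Cigital's tool: the LCG, the milliseconds-since-midnight seed, the deal order, the server time 12:34:56.123 and the attacker's 100-second clock window are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define DECK 52
#define MS_PER_DAY 86400000u

/* Small 32-bit LCG standing in for the site's generator. Assumption: the real
 * generator was different; the attack depends only on the size of the seed
 * space, not on the generator's internals. */
static uint32_t lcg_next(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state >> 8;
}

/* Fisher-Yates shuffle driven entirely by the seed: same seed, same deck.
 * Cards are numbered 0..51. */
void shuffle(uint8_t deck[DECK], uint32_t seed)
{
    uint32_t st = seed;
    for (int i = 0; i < DECK; i++)
        deck[i] = (uint8_t)i;
    for (int i = DECK - 1; i > 0; i--) {
        int j = (int)(lcg_next(&st) % (uint32_t)(i + 1));
        uint8_t t = deck[i]; deck[i] = deck[j]; deck[j] = t;
    }
}

/* Sanity check: every seed yields a permutation of the 52 cards. */
int is_permutation(uint32_t seed)
{
    uint8_t deck[DECK];
    int seen[DECK] = {0};
    shuffle(deck, seed);
    for (int i = 0; i < DECK; i++)
        if (deck[i] >= DECK || seen[deck[i]]++)
            return 0;
    return 1;
}

/* Attacker side. They know five cards at known deck positions (their own two
 * hole cards and the three flop cards) and a rough server clock. Every seed
 * in the window is tried; the one that reproduces the observed cards is, with
 * overwhelming probability, the real one. Returns the seed or -1. */
int64_t recover_seed(const uint8_t observed[5], const int positions[5],
                     uint32_t approx_ms, uint32_t window_ms)
{
    uint32_t lo = approx_ms > window_ms ? approx_ms - window_ms : 0;
    uint32_t hi = approx_ms + window_ms < MS_PER_DAY ? approx_ms + window_ms : MS_PER_DAY - 1;
    uint8_t deck[DECK];
    for (uint32_t s = lo; s <= hi; s++) {
        shuffle(deck, s);
        int match = 1;
        for (int k = 0; k < 5 && match; k++)
            match = deck[positions[k]] == observed[k];
        if (match)
            return (int64_t)s;
    }
    return -1;
}

/* Constructed scenario: the server seeds from its clock (milliseconds since
 * midnight, 12:34:56.123); the attacker has synced to within 100 s of it. */
#define SERVER_SEED_MS     45296123u
#define ATTACKER_CLOCK_MS  45296000u
#define ATTACKER_WINDOW_MS 100000u

/* End to end: recover the seed from five visible cards, rebuild the deck and
 * read the opponent's hidden hole cards. Returns 1 if the prediction is right. */
int attacker_predicts_opponent(void)
{
    /* Deal order: attacker gets positions 0,1; opponent 2,3; flop 4,5,6. */
    static const int visible[5] = {0, 1, 4, 5, 6};
    uint8_t server_deck[DECK], guess[DECK], seen[5];

    shuffle(server_deck, SERVER_SEED_MS);
    for (int k = 0; k < 5; k++)
        seen[k] = server_deck[visible[k]];

    int64_t seed = recover_seed(seen, visible, ATTACKER_CLOCK_MS, ATTACKER_WINDOW_MS);
    if (seed < 0)
        return 0;
    shuffle(guess, (uint32_t)seed);
    return guess[2] == server_deck[2] && guess[3] == server_deck[3];
}
```

86.4 million seeds is about 26 bits, against the roughly 226 bits needed to address every ordering of 52 cards; with a clock synced to the server, the search shrinks to a few hundred thousand seeds, and five face-up cards pin the seed down. The remedy is to take the shuffle's randomness from the OS CSPRNG (getrandom(2), /dev/urandom, BCryptGenRandom) through a generator whose state is at least as large as the space of shuffles.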
OpenSSL Heartbleed
A programming bug in OpenSSL's implementation of the TLS Heartbeat extension, used by many servers.
The bug: missing input validation.
An attacker sends a Heartbeat request containing a message (the payload) and a length field.
  The length is supposed to equal the payload's size.
The server allocates a response buffer and copies back length bytes of the message.
However, the length is never checked against the amount of data actually received.
The attacker can send a request whose length is larger than the payload it carries.
The server then copies whatever follows the payload in its memory, so the attacker obtains a slice of the server's process memory, up to 64 KB per request (the length field is 16 bits).
That memory could contain the private key of the server (or other users' passwords).
OpenSSL Heartbleed
The fix is simple: add bounds checks.

    if (1 + 2 + 16 > s->s3->rrec.length)
        return 0; /* silently discard */
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard per RFC 6520 sec. 4 */
    pl = p;

The first check ensures the record is large enough to hold the 1-byte type, the 2-byte length and 16 bytes of padding; the second ensures the claimed payload length fits inside the record that was actually received.
http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html
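Added example (not OpenSSL's code): a C model of the Heartbeat handler with and without the two bounds checks from the patch above. The arena standing in for the server's heap, the fake private key placed behind the received record and the "hello" payload are constructed for illustration; the record layout (1-byte type, 2-byte big-endian length, payload, 16 bytes of padding) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Constructed model of the server process: the received record sits at the
 * start of this arena and stale data (a fake key) lies right behind it. The
 * arena is larger than any 16-bit payload length, so the vulnerable read
 * stays inside one object and the demo itself is memory-safe. */
#define ARENA_SIZE 70000
static uint8_t arena[ARENA_SIZE];
static size_t rrec_length;                       /* s->s3->rrec.length */
static const uint8_t SECRET[] = "-----FAKE PRIVATE KEY-----";

/* Build a heartbeat record: type(1) | payload length(2, big-endian) |
 * payload | 16 bytes padding. claimed_len is what goes on the wire; only the
 * real payload is present. */
void build_request(const char *payload, uint16_t claimed_len)
{
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    rrec_length = 3 + plen + HB_PADDING;
    memcpy(arena + rrec_length, SECRET, sizeof SECRET);   /* leftover heap data */
}

/* Response construction shared by both handlers; the memcpy is where the
 * damage happens. out must hold 3 + 65535 + 16 bytes. Returns its length. */
static size_t respond(uint8_t *out, const uint8_t *pl, uint16_t payload)
{
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, pl, payload);                /* copies `payload` bytes, checked or not */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Vulnerable handler: trusts the attacker-supplied length. */
size_t process_vulnerable(uint8_t *out)
{
    const uint8_t *p = arena;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return respond(out, p, payload);
}

/* Fixed handler: the two bounds checks from the patch. */
size_t process_fixed(uint8_t *out)
{
    const uint8_t *p = arena;
    if (1 + 2 + 16 > rrec_length)
        return 0;                                /* silently discard */
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + payload + 16 > rrec_length)
        return 0;                                /* silently discard per RFC 6520 sec. 4 */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return respond(out, p, payload);
}

/* Send "hello" with the given claimed length through one of the handlers and
 * scan the response for the secret. Returns 1 if it leaked, 0 if not, -1 if
 * the record was discarded. */
int leaks_secret(int use_fix, uint16_t claimed_len)
{
    static uint8_t out[3 + 65535 + HB_PADDING];
    build_request("hello", claimed_len);
    size_t n = use_fix ? process_fixed(out) : process_vulnerable(out);
    if (n == 0)
        return -1;
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0)
            return 1;
    return 0;
}
```

leaks_secret(0, 4000) finds the fake key in the vulnerable handler's response; leaks_secret(1, 4000) returns -1 because the fixed handler discards the record; an honest request (claimed length 5 for the 5-byte payload) passes both without leaking anything.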
Programming Bug: Vulnerability in Windows Graphics Engine
Graphics Rendering Engine Vulnerability (CVE-2005-4560): Microsoft Security Bulletin MS06-001
Published: January 5, 2006
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Programming Bug: Vulnerability in Java Runtime Environment
Original release date: January 22, 2007
Source: US-CERT
Overview: The Sun Java Runtime Environment (JRE) contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Exploit code is publicly available for at least one of these vulnerabilities.
Vulnerability Note VU#149457: Sun Java JRE vulnerable to arbitrary code execution via an undetermined error. Two buffer overflow vulnerabilities in the Sun JRE may independently allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
Vulnerability Note VU#388289: Sun Microsystems Java GIF image processing buffer overflow. The Sun JRE allows users to run Java applications in a browser or as standalone programs. When a GIF image with a specified width of 0 is processed, the Sun JRE will overwrite memory contents, which can cause pointer corruption.
Why Can’t Programmers be More Careful?
Software Programmers Face the "Trinity of Trouble"
Complexity: software becomes more and more complicated; size is measured in millions of lines of code
Connectivity: the Internet makes it possible for attackers to exploit software remotely
Extensibility: extensions written by untrusted parties
Software System Complexity

Year   Operating System   SLOC (millions)
1993   Windows NT 3.1     4-5
1994   Windows NT 3.5     7-8
1996   Windows NT 4.0     11-12
2000   Windows 2000       more than 29
2001   Windows XP         40
2006   Windows Vista      ~50
       Windows 7          ???
       Windows 8          ???
       Windows 10         ???

Estimate of bug rate: about 1 bug per 1,000 lines of code
Connectivity
It's easy to secure your smartphone if it's off the Internet:
  attackers cannot get to your phone remotely
  you cannot browse malicious web pages or download malware
Reality: almost every device is on the Internet
Connectivity enables many things, but attackers like it too: it opens the possibility of remotely hacking any device on the Internet
Extensibility
Software systems are not closed
Smartphone app markets allow users to extend the functionality of their phones
However:
  we don't know who wrote those apps
  what if an app steals our credit card information or tracks our location?
Like connectivity, attackers like extensible systems: they provide an opportunity to inject malicious code
Course Summary
Topics
Security fundamentals: threat model; trusted computing base; policy vs. enforcement; general principles
Memory corruption vulnerabilities: buffer overflows; format string attacks; use-after-free; ...
Topics
Software defenses: randomization; safe programming techniques; fuzzing; static analysis; reference monitors (execution integrity, dynamic taint tracking); secure information flow; privilege separation; Java security
Other possible topics (?): more attacks (type confusion, authorization vulnerabilities); web application security
Administrivia
Course public website: http://www.cse.psu.edu/~gxt29/teaching/cs447s19/schedule.html
  Schedule, slides, and homework announcements are posted there
Canvas (canvas.psu.edu): homework submission; grades
Q&A forum: Piazza. Please post general questions there and try to answer others' questions, but do not post your code
Homework: some written assignments and some projects
Exams: no midterm exams; one final exam
Course Syllabus
Prerequisite: CMPSC 443; cannot be waived
No textbook required
Lecture format: mostly slides; sometimes blackboard
Attendance required: 5% of the final grade, based on random in-class quizzes
Late homework policy
Technology use
Recommend
More recommend