
Introduction - Gang Tan, Penn State University, Spring 2019, CMPSC 447: Software Security (PowerPoint presentation)


  1. Introduction
     Gang Tan, Penn State University, Spring 2019
     CMPSC 447: Software Security

  2. Why a course on software security?
     - Software plays a major role in modern society
     - But it is a major source of security problems.
     - Software is the weakest link in the security chain, with the possible exception of "the human factor"
     - Software security does not get much attention
       - in other security courses, or
       - in programming courses

  3. We focus on software security, but don't forget that security is about, in no particular order: people (users, employees, sys-admins, programmers, ...), access control, passwords, biometrics, cryptology, protocols, policies and their enforcement, monitoring, auditing, legislation, prosecution, liability, risk management, incompetence, confusion, lethargy, stupidity, mistakes, complexity, software, bugs, verification, hackers, viruses, hardware, operating systems, networks, databases, public relations, public perception, conventions, standards, physical protection, data protection, ...

  4. Motivation: Software Insecurity

  5. Software Insecurity
     - The media is full of reports of the catastrophic impact of software insecurity
       - Web site defacement
       - Malware: viruses, internet worms, botnets, ...
       - Distributed Denial of Service attacks (DDoS)
       - Hacked databases
       - Compromised smartphones
       - ...

  6. Web Site Defacements
     - Defacement = "graffiti" on the Internet
     - Example: Unicef defacement (Jan 1998) [screenshot on slide]

  7. Malicious Software (Malware): Virus, Worm, and Botnet
     - virus = harmful piece of code that can infect other programs
     - worm = self-replicating virus; no user action required for spreading the infection
     - botnet = a network of computers that have been hijacked by the bot master
     - First worm: Nov 1988, crashed 10% of the internet
     - More recently
       - email viruses: I Love You, Anna Kournikova, ...
       - Worms: Slammer, Blaster, ...
       - Botnets: Agobot, Storm, ...

  8. Slammer Worm (Jan 25th, 2003, 5:29:00)
     # of computers infected: 0
     [map on slide] Pictures taken from "The Spread of the Sapphire/Slammer Worm", by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver

  9. Slammer Worm (Jan 25th, 2003, 6:00:00)
     # of computers infected: 74855
     [map on slide] Pictures taken from "The Spread of the Sapphire/Slammer Worm", by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver

  10. Software Insecurity in 2014 [figure on slide]

  11. What Allowed Attacks?
     - A lot of the time, tiny programming mistakes
     - Code Red worm exploited:
           TCHAR buff[MAX_SIZE];
           _sntprintf(buff, sizeof(buff), ...);
       _sntprintf expects the count in TCHARs, not bytes, so the right value is sizeof(buff)/2
     - Buffer overflow
       - The first Internet worm, and many subsequent ones (CodeRed, Blaster, ...), exploited buffer overflows
       - Buffer overflows account for on the order of 50% of all security alerts

  12. Microsoft Zune Crash
     - Last day of 2008
     - Thousands of Microsoft Zune music players began freezing at about midnight
           year = ORIGINYEAR; /* = 1980 */
           while (days > 365) {
               if (IsLeapYear(year)) {
                   if (days > 366) {
                       days -= 366;
                       year += 1;
                   }
               } else {
                   days -= 365;
                   year += 1;
               }
           }
     - Initially, days holds the number of days since 1/1/1980
     - The bug surfaces on the last day of a leap year
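Added example (not from the slides): the Zune loop above, run with an iteration guard so the hang is observable, beside a corrected loop that treats day 366 of a leap year as a valid stopping point. It assumes IsLeapYear is the usual Gregorian rule and that 1/1/1980 is day 1, so 12/31/2008 is day 10593 (28 years of 1980..2007 = 10227 days, plus 366).

```c
#include <stdbool.h>

#define ORIGINYEAR 1980

/* Assumed: standard Gregorian leap-year rule. */
static bool IsLeapYear(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* The original loop with an iteration guard added so a caller can see
   that it makes no progress. Returns true if the loop finished on its
   own, false if the guard had to stop it (the real device simply hung). */
bool original_loop_terminates(int days)
{
    int year = ORIGINYEAR;
    int guard = 100000;
    while (days > 365 && guard-- > 0) {
        if (IsLeapYear(year)) {
            if (days > 366) { days -= 366; year += 1; }  /* days == 366: stuck */
        } else {
            days -= 365; year += 1;
        }
    }
    return days <= 365;
}

/* Corrected loop: in a leap year, days == 366 is Dec 31 and is a valid
   day-of-year, so stop there instead of waiting for it to drop below 366.
   Returns the year; the remaining day-of-year is stored in *day_of_year. */
int year_from_days(int days, int *day_of_year)
{
    int year = ORIGINYEAR;
    while (days > 365) {
        if (IsLeapYear(year)) {
            if (days <= 366) break;        /* Dec 31 of a leap year: done */
            days -= 366; year += 1;
        } else {
            days -= 365; year += 1;
        }
    }
    *day_of_year = days;
    return year;
}

/* Constructed input: 31 Dec 2008 counted with 1 Jan 1980 as day 1. */
#define ZUNE_DEC_31_2008 10593
```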

  13. Programming Bug: Poker Site Flaw
     - Web site where users can play poker over the Internet. [picture on slide, taken from Cigital Press Release]

  14. Programming Bug: Poker Site Flaw
     - Security engineers wrote a program to "predict" the cards of opponents
     - Exploited flaw: bad random number generation in shuffling cards

  15. OpenSSL Heartbleed
     - A programming bug in the OpenSSL implementation's HeartBeat mechanism
       - Used in many servers
     - The bug: lack of input validation
       - An attacker can send in a HeartBeat request, which contains a message and a length
         - The length should correspond to the message's size
       - The server allocates a buffer and copies back the message using the given length as the size
       - However, the length is not bounds checked
     - Attacker can
       - Send in a request with a large length, greater than the message's size
       - Hence the attacker can get a slice of data from the server's main memory, one that's up to 64KB in length.
       - That memory could contain the private key of the server (or other users' passwords)

  16. OpenSSL Heartbleed
     - The fix is simple: add bounds checks
           if (1 + 2 + 16 > s->s3->rrec.length)
               return 0; /* silently discard */
           hbtype = *p++;
           n2s(p, payload);
           if (1 + 2 + payload + 16 > s->s3->rrec.length)
               return 0; /* silently discard per RFC 6520 sec. 4 */
           pl = p;
     http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html
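Added example (not OpenSSL's code): a stand-alone model of the patched check from slide 16 applied to a heartbeat record, plus a helper that computes how far past the received record the unpatched copy would have read. It assumes the RFC 6520 layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding); `record`/`rlen` stand in for s->s3->rrec.data and s->s3->rrec.length, and the two sample records are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal model of an RFC 6520 heartbeat record: 1-byte type, 2-byte
   big-endian payload length, the payload, then at least 16 bytes of
   padding. `record`/`rlen` stand in for s->s3->rrec.data/.length. */

/* Patched behaviour: validate the claimed length against the bytes
   actually received before copying anything. Returns the number of
   payload bytes echoed into `out`, or 0 if the record is discarded. */
size_t heartbeat_response(const uint8_t *record, size_t rlen,
                          uint8_t *out, size_t outcap)
{
    const uint8_t *p = record;
    if ((size_t)(1 + 2 + 16) > rlen)        /* too short to be valid */
        return 0;                           /* silently discard */
    p++;                                    /* hbtype, not needed here */
    size_t payload = ((size_t)p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    if (1 + 2 + payload + 16 > rlen)        /* the check Heartbleed lacked */
        return 0;                           /* silently discard */
    if (payload > outcap)
        return 0;
    memcpy(out, p, payload);                /* pl = p; echo payload bytes */
    return payload;
}

/* For illustration only: how many bytes beyond the received record the
   unpatched code would have read, because it trusted `payload` and
   copied that many bytes from p regardless of rlen. */
size_t unpatched_overread(const uint8_t *record, size_t rlen)
{
    if (rlen < 3)
        return 0;
    size_t payload = ((size_t)record[1] << 8) | record[2];
    size_t available = rlen - 3;            /* bytes after the length field */
    return payload > available ? payload - available : 0;
}

/* Constructed samples (not real traffic): a benign heartbeat carrying
   "ping" with 16 bytes of padding, and one claiming 0xFFFF payload bytes
   while sending the same 20 bytes. */
const uint8_t benign_hb[] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t bogus_hb[]  = { 1, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
```

With the patched check the bogus record is dropped outright; unpatched_overread shows that the old code would have copied 65515 bytes past the 23 received.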

  17. Programming Bug: Vulnerability in Windows Graphics Engine
     - Graphics Rendering Engine Vulnerability - CVE-2005-4560: Microsoft Security Bulletin MS06-001
       - Published: January 5, 2006
       - Impact of Vulnerability: Remote Code Execution
       - Maximum Severity Rating: Critical
     - A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

  18. Programming Bug: Vulnerability in Java Runtime Environment
     Original release date: January 22, 2007. Source: US-CERT
     - Overview: The Sun Java Runtime Environment (JRE) contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Exploit code is publicly available for at least one of these vulnerabilities.
     - Vulnerability Note VU#149457: Sun Java JRE vulnerable to arbitrary code execution via an undetermined error. Two buffer overflow vulnerabilities in the Sun JRE may independently allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
     - Vulnerability Note VU#388289: Sun Microsystems Java GIF image processing buffer overflow. The Sun JRE allows users to run Java applications in a browser or as standalone programs. When a GIF image with a specified width of 0 is processed, the Sun JRE will overwrite memory contents, which can cause pointer corruption.

  19. Why Can’t Programmers be More Careful?

  20. Software Programmers Facing the "Trinity of Trouble"
     - Complexity
       - Software becomes more and more complicated.
       - Size is measured in millions of lines of code
     - Connectivity
       - The internet makes it possible for attackers to exploit software remotely
     - Extensibility
       - Extensions written by untrusted parties

  21. Software System Complexity
     Year   Operating System   SLOC (Million)
     1993   Windows NT 3.1     4-5
     1994   Windows NT 3.5     7-8
     1996   Windows NT 4.0     11-12
     2000   Windows 2000       More than 29
     2001   Windows XP         40
     2006   Windows Vista      ~50
            Windows 7          ???
            Windows 8          ???
            Windows 10         ???
     Estimate of bug rate: 1 bug per 1,000 lines of code

  22. Connectivity
     - It's easy to secure your smartphone if it's off the internet
       - Attackers cannot get to your phone remotely
       - You cannot browse malicious webpages or download malware
     - Reality: almost every device is on the internet
       - Connectivity enables many things
       - But hackers also like it: it allows the possibility of remotely hacking any device on the internet

  23. Extensibility
     - Software systems are not closed
       - Smartphone app market: allows users to extend the functionality of their phones
     - However
       - We don't know who wrote those apps
       - What if an app steals our credit card info or tracks our location?
     - Like connectivity, hackers also like extensible systems
       - Giving them an opportunity to inject malicious code

  24. Course Summary

  25. Topics
     - Security fundamentals
       - Threat model
       - Trusted computing base
       - Policy vs enforcement
       - General principles
     - Memory corruption vulnerabilities
       - Buffer overflows
       - Format string attacks
       - Use-after-free
       - ...

  26. Topics
     - Software defenses
       - Randomization
       - Safe programming techniques
       - Fuzzing
       - Static analysis
       - Reference monitors (execution integrity, dynamic taint tracking)
       - Secure information flow
       - Privilege separation
       - Java security
     - Other possible topics (?)
       - More attacks (type confusion, authorization vulnerabilities)
       - Web application security

  27. Administrivia
     - A public course website: http://www.cse.psu.edu/~gxt29/teaching/cs447s19/schedule.html
       - Schedule, slides, and homework announcements posted there
     - Canvas (canvas.psu.edu)
       - Homework submission; grades
     - Q&A Forum: Piazza
       - Please post general questions and try to answer questions there, but do not post your code
     - Some homework assignments
       - Some written assignments and some projects
     - Exams
       - No midterm exams
       - One final exam

  28. Course Syllabus
     - Prerequisite
       - CMPSC 443; cannot be waived
     - No textbook required
     - Lecture format
       - Mostly slides; sometimes blackboard
     - Attendance required
       - 5% of the final grade
       - Based on random, in-class quizzes
     - Late homework policy
     - Technology use
