Program Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger
System Resources • Programs often need system resources to function – Libraries, configurations, environment variables, etc. • Programs are often tasked to process particular system resources – User files, remote requests, etc. • Adversaries can leverage the mechanisms designed to retrieve system resources to compromise programs – So, you have to prevent such attacks • What are the types of system resources? CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 2
Namespace Resolution • Client (Process) requests a resource (File) from a system name server (OS) by name • Name server resolves name to a resource using its namespace bindings – Mapping between names and resources – E.g., File pathnames to directories and files • Namespaces are used in many places – Android Intents – XenStore key-values – D-Bus methods – URLs – DNS names • Adversaries may control names, bindings, or resources CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 3
Namespace Resolution Attacks • Adversaries may choose names – Use a maliciously crafted name to circumvent parsing and get to the resource they desire – Affect the construction of names (e.g., environment variables) to redirect the victim to a malicious resource • Adversaries may control namespace bindings – Create a link to direct the victim to a file of the adversaries choosing – May create malicious files in shared directories • Adversaries may control resources themselves – Victim may not know that an adversary can modify a particular resource that it expects to be safe • Difficult to prevent these attacks as programs often process untrusted names, bindings, and resources CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 4
Threat Model • How does the adversary gain access to namespace resolution? – Could have access to victim • Can provide a name • E.g., A client of a web server – Could have access to name server • Can update the namespace bindings • E.g., An Android app can update Intents – Could have access to resources • Can modify the data in some of the resources • E.g., A process on a file system • The attacks to look for depend on the threat model CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 5
Adversary-Controlled Names • Maliciously-crafted names – Multiple ways of naming lots of things • Files – /x/data or /y/z/../../x/data or /y/z/%2e%2e/x/data • Lots of others -- URLs, DNS names, middleware-specific, etc. • Get access to resources that the adversary normally cannot (but, victim can) – E.g., Windows system files – These are called Confused Deputy attacks • Trick process into accessing untrusted resources where safe are expected – E.g., untrusted PHP files – These are called File Inclusion attacks CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 6
Search Path Vulnerability • Adversaries may craft malicious names using search path environment variables • When a program needs a library – Dynamic linker crafts a file name using LD_PATH environment variables – May point to the directory in which the process was started • Attack – If the adversary can plant a malicious library in the user’s home directory – And start a privileged program from the user’s home directory – The dynamic linker will request libraries using a name whose prefix is the user’s home directory – Enabling the adversary to supply code to root processes CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 7
Windows: Library Loads • Search in directories for DLL of specified name – Program Directory: directory of executable – System Directory: “presumably protected” directory – Working Directory: directory of process (where user exec’d from) • Problem: Attacker may get file in working directory – User likely does not even know the working directory of a process – Program Directory is always first • SafeDllSearchMode – Load from working before system directory if 0 – System before working if 1 – Default value is 1 in Windows2003 and 0 in XP CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page 8
Safe Name Usage • Canonicalization – Conversion to a single, “standard” name • Rules of thumb – Do not rely on names -- or anything -- from remote user • At least not blindly – Be careful if your program may be started by user in their own directory • Environment variables – Convert them -- correctly -- to canonical format • Enable checking against your rules – Get a resource reference as soon as possible (e.g., inodes instead of filenames) • Check that these right resources with stat commands CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 9
A Simple Program 01 SOCKET_DIR=/tmp/.X11-unix ... 02 set_up_socket_dir () { 03 if [ "$VERBOSE" != no ]; then Code moves a 04 log_begin_msg "Setting up X server socket directory" directory if 05 fi already exists to 06 if [ -e $SOCKET_DIR ] && [ ! -d $SOCKET_DIR ]; then create a new one 07 mv $SOCKET_DIR $SOCKET_DIR.$$ 08 fi 09 mkdir -p $SOCKET_DIR 10 chown root:root $SOCKET_DIR 11 chmod 1777 $SOCKET_DIR 12 do_restorecon $SOCKET_DIR 13 [ "$VERBOSE" != no ] && log_end_msg 0 || return 0 14 } CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 10
A Simple Program 01 SOCKET_DIR=/tmp/.X11-unix ... 02 set_up_socket_dir () { 03 if [ "$VERBOSE" != no ]; then 04 log_begin_msg "Setting up X server socket directory" Can mkdir 05 fi fail then? 06 if [ -e $SOCKET_DIR ] && [ ! -d $SOCKET_DIR ]; then 07 mv $SOCKET_DIR $SOCKET_DIR.$$ 08 fi 09 mkdir -p $SOCKET_DIR 10 chown root:root $SOCKET_DIR 11 chmod 1777 $SOCKET_DIR 12 do_restorecon $SOCKET_DIR 13 [ "$VERBOSE" != no ] && log_end_msg 0 || return 0 14 } CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 11
Binding Attacks (Links) • Adversary who has access to /tmp can create directory for /tmp/.X11-unix – victim code does not detect that problem • Adversary can make this a link to /etc/shadow , and later code makes this file world-writeable – Adversary changes namespace bindings • Two parts to the attack – Change the namespace binding – Race condition to insert link between ‘mv’ and ‘mkdir’ • Adversary ability to change namespace binding is fundamental to this attack – Race conditions are much easier to create than you might think CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 12
File Squatting • For directories where create access is shared with adversaries – Adversaries may predict the names of files/directories • Create sub-directory in advance – E.g., Adversaries predicted the .X11-unix directory in /tmp • Also, works for files – Adversary binds name to a file of their choice before the victim can – Then, the victim uses the adversary’s file instead • Current Defense: Check for existence on creation – open( name, O_CREAT | O_EXCL) CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 13
TOCTTOU Race Condition • Victim checks the properties of a resource at a particular name (time-of-check) • Adversary changes the binding of that name to a different resource (race) – Via a symbolic link is the most common • Victim is tricked into using a resource of the adversary’s choice (time-of-use) – E.g., the /etc/shadow resource was chosen in this case – Called TOCTTOU attack • Current Defense: Prevent following of links – Preventing use of adversary-controlled links to “safe” files is fundamental CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 14
Multi-binding • One name may refer to multiple resources • Victim adds mapping of name to resource of their control – So does adversary – Name server allows multiple bindings to name • Name server chooses either resource – E.g., Chooses resource at random • Is this for real? – Yes, Android Intents and D-Bus methods both allow such binds • Current Defense: ??? – Prevent use of adversary-controlled resources CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 15
Recommend
More recommend
