software security ii other types of software
play

Software Security (II): Other types of software vulnerabilities - PowerPoint PPT Presentation

Apr 05, 2023 •177 likes •804 views

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (II): Other types of software vulnerabilities Dawn Song 1 Dawn Song 3 #293 HRE-THR 850 1930 ALICE SMITH COACH SPECIAL INSTRUX: NONE Dawn Song

  1. Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (II): Other types of software vulnerabilities Dawn Song 1

  3. Dawn Song 3

  4. #293 HRE-THR 850 1930 ALICE SMITH COACH SPECIAL INSTRUX: NONE

  5. Dawn Song 5

  6. #293 HRE-THR 850 1930 ALICE SMITHHHHHHHHHHH HHACH SPECIAL INSTRUX: NONE

  7. Dawn Song 7

  8. #293 HRE-THR 850 1930 ALICE SMITH FIRST SPECIAL INSTRUX: NONE

  9. Example #1 void vulnerable() { void vulnerable() { char name[20]; char name[20]; … … gets(name); gets(name); … … } }

  10. Example #2 void vulnerable() { void vulnerable() { char instrux[80] = “none”; char instrux[80] = “none”; char name[20]; char name[20]; … … gets(name); gets(name); … … } }

  11. Example #3 void vulnerable() { void vulnerable() { char cmd[80]; char cmd[80]; char line[512]; char line[512]; … … strncpy(cmd,”/usr/bin/fjnger”, 80); strncpy(cmd,”/usr/bin/fjnger”, 80); gets(line); gets(line); … … execv(cmd, …); execv(cmd, …); } }

  12. Example #4 void vulnerable() { void vulnerable() { int (*fnptr)(); int (*fnptr)(); char buf[80]; char buf[80]; … … gets(buf); gets(buf); … … } }

  13. Example #5 void vulnerable() { void vulnerable() { int seatinfjrstclass = 0; int seatinfjrstclass = 0; char name[20]; char name[20]; … … gets(name); gets(name); … … } }

  14. Example #6 void vulnerable() { void vulnerable() { int authenticated = 0; int authenticated = 0; char name[20]; char name[20]; … … gets(name); gets(name); … … } }

  15. Common Coding Errors • Input validation vulnerabilities • Memory management vulnerabilities • TOCTTOU vulnerability (later) Dawn Song 15

  16. Input validation vulnerabilities • Program requires certain assumptions on inputs to run properly • Without correct checking for inputs – Program gets exploited • Example: – Bufger overfmow – Format string Dawn Song 16

  17. Example I Example I 1: unsigned int size; 2: Data **datalist; 3: 4: size = GetUntrustedSizeValue(); 5: datalist = (data **)malloc(size * sizeof(Data *)); 6: for(int i=0; i<size; i++) { 7: datalist[i] = InitData(); 8: } 9: datalist[size] = NULL; 10: ... Dawn Song 17

  18. Example II Example II 1: char buf[80]; 2: void vulnerable() { 3: int len = read_int_from_network(); 4: char *p = read_string_from_network(); 5: if (len > sizeof buf) { 6: error(“length too large, nice try!”); 7: return; 8: } 9: memcpy(buf, p, len); 10: } • What's wrong with this code? • Hint – memcpy() prototype: – void *memcpy(void *dest, const void *src, size_t n); • Defjnition of size_t : typedef unsigned int size_t; • Do you see it now? Dawn Song 18

  19. Implicit Casting Bug • Attacker provides a negative value for len – if won ’ t notice anything wrong – Execute memcpy() with negative third arg – Third arg is implicitly cast to an unsigned int , and becomes a very large positive int – memcpy() copies huge amount of memory into buf , yielding a bufger overrun! • A signed/unsigned or an implicit casting bug – Very nasty – hard to spot • C compiler doesn ’ t warn about type mismatch between signed int and unsigned int – Silently inserts an implicit cast Dawn Song 19

  20. Example III (Integer Overfmow) Example III 1: size_t len = read_int_from_network(); 2: char *buf; 3: buf = malloc(len+5); 4: read(fd, buf, len); 5: ... • What ’ s wrong with this code? – No bufger overrun problems (5 spare bytes) – No sign problems (all ints are unsigned) • But, len+5 can overfmow if len is too large – If len = 0xFFFFFFFF , then len+5 is 4 – Allocate 4-byte bufger then read a lot more than 4 bytes into it: classic bufger overrun! • Know programming language ’ s semantics well to avoid pitfalls Dawn Song 20

  21. Example IV Example IV 1: char* ptr = (char*) malloc(SIZE); 2: if (err) { 3: abrt = 1; 4: free(ptr); 5: } 6: ... 7: if (abrt) { 8: logError(“operation aborted before commit”, ptr); 9: } • Use-after-free • Corrupt memory http://cwe.mitre.org Dawn Song 21

  22. Example V Example V 1: char* ptr = (char*) malloc(SIZE); 2: if (err) { 3: abrt = 1; 4: free(ptr); 5: } 6: ... 7: free(ptr); • Double-free error • Corrupts memory-management data structure http://owasp.org Dawn Song 22

  23. Example VI: Format string problem Example VI int func(char *user) { fprintf( stderr, user); }

  24. Format Functions • Used to convert simple C data types to a string representation • Variable number of arguments • Including format string • Example – printf(“%s number %d”, “block”, 2) – Output: “block number 2” Dawn Song 24

  25. Format String Parameters Paramet Output Passed as er %d Decimal (int) Value %u Unsigned decimal (unsigned Value int) %x Hexadecimal (unsigned int) Value %s String ((const) (unsigned) Reference char *) %n # bytes written so far, (* int) Reference

  26. Example VI: Format string problem Example VI int func(char *user) { fprintf( stderr, user); } • Problem: what if * user = “%s%s%s%s%s%s %s” ?? – %s displays memory – Likely to read from an illegal address – If not, program will print memory contents. Correct form: fprintf( stdout, “%s”, user);

  27. Stack and Format Strings • Function behavior is controlled by the format string • Retrieves parameters from stack as requested: “%” • Example: A Address of the format printf(“Number %d has no address, number %d has: string stack top … %08x\n”, I, a, &a) i Value of variable I <&a> <a> a Value of variable a <i> A &a Address of variable a … stack bottom

  28. View Stack • printf(“%08x. %08x. %08x. %08x\n”) – 40012983.0806ba43.bfgfgf4a.0802738b • display 4 values from stack

  29. Read Arbitrary Memory • char input[] = “\x10\x01\x48\x08_%08x. %08x. %08x. %08x|%s|”; printf(input) – Will display memory from 0x08480110 • Uses reads to move stack pointer into format string • %s will read at 0x08480110 till it reaches null byte

  30. Writing to arbitrary memory • printf( “hello %n”, &temp) – writes ‘6’ into temp. • printf( “%08x.%08x.%08x.%08x.%n”)

  31. Vulnerable functions Any function using a format string. Printing: printf, fprintf, sprintf, … vprintf, vfprintf, vsprintf, … Logging: syslog, err, warn

  32. An Exploit Example syslog( “ Reading username: ” ); read_socket(username); syslog(username); ⇓ Welcome to InsecureCorp. Please login. Login: EvilUser%s%s…%400n…%n root@server> _

  33. Why The Bug Exists • C language has poor support for variable-argument functions – Callee doesn ’ t know the number of actual args • No run-time checking for consistency between format string and other args • Programmer error

  34. Real-world Vulnerability Samples • First exploit discovered in June 2000. • Examples: – wu-ftpd 2.* : remote root – Linux rpc.statd: remote root – IRIX telnetd: remote root – BSD chpass: local root

  35. What are software vulnerabilities? • Flaws in software • Break certain assumptions important for security – E.g., what assumptions are broken in bufger overfmow? Dawn Song 35

  36. Why does software have vulnerabilities? • Programmers are humans! – Humans make mistakes! • Programmers are not security-aware • Programming languages are not designed well for security Dawn Song 36

  37. What can you do? • Programmers are humans! – Humans make mistakes! – Use tools! (next lecture) • Programmers were not security aware – Learn about difgerent common classes of coding errors • Programming languages are not designed well for security – Pick better languages Dawn Song 37

  38. Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (III): Defenses against Memory-Safety Exploits Dawn Song 38

  39. Preventing hijacking attacks Fix bugs: • Audit software • Automated tools: Coverity, Prefast/Prefjx, Fortify • Rewrite software in a type-safe language (Java, ML) • Diffjcult for existing (legacy) code … Allow overfmow, but prevent code execution Add runtime code to detect overfmows exploits: • Halt process when overfmow exploit detected • StackGuard, Libsafe Dawn Song 39

  40. Control-hijacking Attack Space Defenses/Mitigations Code Injection Arc Injection Stack Heap Exceptio n Handler s Dawn Song 40

  41. Defense I: non-execute (W^X) Prevent attack code execution by marking stack and heap as non-executable • NX -bit on AMD Athlon 64, XD -bit on Intel P4 Prescott – NX bit in every Page T able Entry (PTE) • Deployment: – Linux (via PaX project); OpenBSD – Windows: since XP SP2 (DEP) • Boot.ini : /noexecute=OptIn or AlwaysOn • Visual Studio: /NXCompat[:NO] Dawn Song 41

  42. Efgectiveness and Limitations • Limitations: – Some apps need executable heap (e.g. JIT s). – Does not defend against exploits using return-oriented programming Defenses/Mitigations Code Injection Arc Injection Code Injection Arc Injection Stack Stack Non-Execute (NX)* Heap Non-Execute (NX)* Heap Exceptio Non-Execute (NX)* n Handler Exceptio s n Handler s * When Applicable Dawn Song 42

Recommend

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
CS 5150 Software Engineering Three Types of Software Process

CS 5150 Software Engineering Three Types of Software Process

Cornell University Computing and Information Science CS 5150 Software Engineering Three Types of Software Process William Y. Arms Types of Software Process The basic

281 views • 26 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software Engineering Topics Computer science v. software engineering Definition of

Software Engineering Topics Computer science v. software engineering Definition of

Software Engineering Topics Computer science v. software engineering Definition of software engineering Types of software The nature of software Software history and the software crisis Software quality Elements of

818 views • 67 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Engineering Software Integral types Andrei Zlate-Podani 1968 NATO Software Engineering

Engineering Software Integral types Andrei Zlate-Podani 1968 NATO Software Engineering

Engineering Software Integral types Andrei Zlate-Podani 1968 NATO Software Engineering Conference - Garmisch Projects running over-budget Projects running over-time Software was inefficient Software was of low quality

710 views • 39 slides
CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and Design 8 January 2019 OSU CSE 1 Restated Learning Outcomes Theme 1: software engineering concepts Be familiar with sound software engineering

535 views • 17 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An introduction to creating electronic presentations using Microsoft PowerPoint 2010 ABT COLLABORATIVE BCCAMPUS Except for third party materials and

1.7k views • 94 slides
Type Instructional Software Presentation Instructional Software forHigh School Physical

Type Instructional Software Presentation Instructional Software forHigh School Physical

Type Instructional Software Presentation Instructional Software forHigh School Physical ScienceTara RowlandEDTECH This presentation categorizes various types of software used in education. instructional software Software requirements depend on

2.21k views • 4 slides
ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan,

ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan,

ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan, create, manage, analyze and report agricultural experiments 2 ARM Software Overview Why use ARM Software? ARM provides: Resulting benefits

542 views • 9 slides
Software Systems by Incorporating Security Knowledge Stefan Grtner and Kurt Schneider Software

Software Systems by Incorporating Security Knowledge Stefan Grtner and Kurt Schneider Software

Maintaining Requirements for Long-Living Software Systems by Incorporating Security Knowledge Stefan Grtner and Kurt Schneider Software Engineering Group, Leibniz Universitt Hannover, Germany Thomas Ruhroth, Jens Brger, and Jan Jrjens

480 views • 24 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we

KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we

KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we create new software development solutions for projects with sizable data requirements. Having a background in mining industry, KAI Software have

267 views • 26 slides
The Long-Standing Software Safety and Security Problem x x x 2 P.

The Long-Standing Software Safety and Security Problem x x x 2 P.

The Long-Standing Software Safety and Security Problem x x x 2 P. Cousot What is (or should be) the essential preoccupation of computer scientists? The production of reliable software, its mainte- nance and safe

861 views • 71 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction to Security Kira Chan K. Chan: CSE435: Software Engineering Software expectation

Introduction to Security Kira Chan K. Chan: CSE435: Software Engineering Software expectation

11/26/19 Introduction to Security Kira Chan K. Chan: CSE435: Software Engineering Software expectation In a regular messaging application, what do you expect? Let's assume you want to use it to meet your friend for Friday night dinner.

950 views • 45 slides
CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and Design 7 January 2020 OSU CSE 1 Welcome to CSE 2231! Class attendance is required . You will be allowed 4 lecture absences and 4 lab

863 views • 7 slides

More recommend