
Software Security, Ge Zhang (PDF document)



  1. Software Security, Ge Zhang

  2. Security: when is it a software problem?
     - Network problem: caused by flaws in networking mechanisms such as network protocols.
     - OS problem: caused by flaws in OS mechanisms such as OS resource management policies.
     - Software problem: caused by flaws in software implementation or design.
     - Employee problem: people do not pay attention to security.

  3. Why is software security a challenge?
     - Complexity of systems and software.
     - Security is not a static feature.
     - Different goals between software projects and security:
       - Goals of software projects: functionality, usability, efficiency, time-to-market.
       - Goals of security: confidentiality, integrity, availability, ...
     - Software experts are not security experts.

  4. Causes of security problems (in programming)
     - Flaws and oversights in the design and implementation.
     - What is written is not what is meant.

  5. Principles for security design 1
     - Secure the weakest link: a software system is only as secure as its weakest component.

  6. Principles for security design 2
     - Practice defense in depth.

  7. Principles for security design 3
     - Fail securely.

  8. Principles for security design 4
     - Follow the principle of least privilege.

  9. Principles for security design 5
     - Compartmentalize.

  10. Principles for security design 6
     - Keep it simple.

  11. Principles for security design 7
     - Promote privacy.

  12. Principles for security design 8
     - Remember that hiding secrets is hard.
     - Many people assume that code compiled into a binary is sufficiently well protected against attackers (reverse engineering).
     - Sometimes attackers do not need to have the source code at all (Enigma machine).

  13. Principles for security design 9
     - Be reluctant to trust.

  14. Principles for security design 10
     - Use your community resources: the "many-eyeballs phenomenon"; not a panacea.

  15. Verification: architectural analysis
     - Information gathering
       - Understand the requirements of a system.
       - Attempt to understand the proposed architecture at a high level.
       - Have a number of questions about the system and the environment; answer the questions.
     - Analysis
       - Attack trees
     - Reporting
       - Ranking, order
       - Easy to understand

  16. Implementation security analysis
     - Auditing source code
       - The implementation should meet the design.
       - Look for implementation-specific vulnerabilities (e.g., buffer overflows, race conditions, SQL injection).
     - Source-level security auditing tools: RATS, Flawfinder, FindBugs, etc.

  17. What's wrong?

       #include <stdio.h>
       #include <string.h>

       int main(void)
       {
           int is_successful = 0;   // flag
           char passwd[4];
           while (is_successful == 0) {
               printf("Please input your password:\n");
               scanf("%s", passwd);   // reads a string of any length into passwd
               if (strcmp(passwd, "007") == 0)
                   is_successful = 1;
           }
           printf("You are James Bond, now!\n");
           return 0;
       }

  18. Buffer overflow

  19. Buffer overflow

  20. Buffer
     - What is a buffer? A memory region in which chunks of the same data type are allocated.
       - In the stack: non-static local variables, e.g. int array[4];
       - In the heap: malloc, new, e.g. int *pArray = new int[4];
     - What is a buffer overflow? When a program writes past the boundary of a buffer.

  21. Process memory organization
     - A process in memory:
       - code (program code; marked read-only, so any attempt to write to it results in a segmentation fault)
       - data segment (global and static variables)
       - stack, heap (dynamic variables)

  22. Process memory organization

  23. More about the stack
     - Stack frames
     - Example:
         foo()  { }
         bar()  { foo(); }
         main() { bar(); }

  24. More about the stack
     - What should a stack frame hold for a subroutine?
       - Parameters to the function
       - The return address
       - The old frame pointer
       - Local variables

  25. How the stack is used

  26. Buffer Overflows

       #include <string.h>

       void function(char *str)
       {
           char buffer[8];
           strcpy(buffer, str);   // copies up to the NUL in str, regardless of buffer's size
       }

       int main(void)
       {
           char large_string[256];
           int i;
           for (i = 0; i < 255; i++)
               large_string[i] = 'A';
           large_string[255] = '\0';   // terminate the string (missing in the original listing)
           function(large_string);
           return 0;
       }

  27. Buffer Overflows

  28. Buffer Overflows

  29. Buffer Overflows

  30. Buffer Overflows

  31. Buffer Overflows

  32. Buffer Overflows

  33. Buffer Overflows

  34. Buffer Overflows

  35. A short discussion
     - What consequences can result from it?

  36. Prevention
     - Avoid the use of suspect functions: strcpy(), sprintf(), fscanf(), gets().
     - Do bounds checking yourself (input verification).
     - Choose a language that is more immune (e.g., Java).

  37. A short discussion
     - Is strncpy() more secure?
     - Is the following code secure?

         char dest[4];
         char source[] = "Hello!";
         strncpy(dest, source, sizeof(dest));
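  Added example (not from the slides): bounded replacements for the scanf("%s") read of slide 17 and an answer to the strncpy() question of slide 37. With dest[4] and "Hello!", strncpy() fills all four bytes with "Hell" and writes no terminator, so any later strlen() or printf("%s") runs off the end of dest. read_line_bounded() reads at most size-1 characters with fgets(), always terminates, and discards the rest of an over-long line so it cannot spill into the next read; copy_bounded() truncates and forces the terminator. Function names, the temp-stream test input and the password check built from them are my own constructions, not the author's code.

```c
#include <stdio.h>
#include <string.h>

/* Read one line into buf (at most size-1 characters), always NUL-terminate,
 * strip the newline, and discard any excess so it cannot spill into the
 * next read. Returns the number of characters kept, or -1 on EOF/error. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';            /* line fit: drop the newline */
    } else {
        int c;                        /* line was longer than the buffer: */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                         /* discard the rest of the line */
    }
    return (int)len;
}

/* strncpy() pads with NULs but does NOT terminate when src is longer than
 * the count. This wrapper copies at most n-1 characters and always
 * terminates, so dest[4] <- "Hello!" yields "Hel". */
void copy_bounded(char *dest, size_t n, const char *src)
{
    if (n == 0)
        return;
    strncpy(dest, src, n - 1);
    dest[n - 1] = '\0';
}

/* The password loop of slide 17, rewritten on top of the bounded read.
 * Returns the number of lines read when "007" matches, 0 on EOF. 'in' is
 * stdin in main(); a temporary file stands in for it under test. */
int check_password(FILE *in)
{
    char passwd[4];                   /* same 4-byte buffer as the slide */
    int attempts = 0;
    while (read_line_bounded(passwd, sizeof passwd, in) >= 0) {
        attempts++;
        if (strcmp(passwd, "007") == 0)
            return attempts;
    }
    return 0;
}

int main(void)
{
    char dest[4];
    copy_bounded(dest, sizeof dest, "Hello!");
    printf("copy_bounded -> \"%s\"\n", dest);
    printf("Please input your password:\n");
    if (check_password(stdin))
        printf("You are James Bond, now!\n");
    return 0;
}
```

  The bounded read keeps the 4-byte buffer of the original slide on purpose: the point is that the buffer size, not the input, now decides how much is written, and a 32-character line simply becomes a failed attempt instead of overwriting the stack frame.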

  38. Review
     - What is software security?
     - Why is software security such a challenge?
     - 10 principles of secure design
     - Buffer overflow
       - No bounds checking
       - In the stack or in the heap
       - Why is it a serious problem? Overwritten data
       - Consequences of a buffer overflow
       - Countermeasures

  39. SQL injection

  40. Web application processing
     1. Take user input from a web form and pass it to a server-side script via HTTP methods such as POST or GET.
     2. Process the request, open a connection to the database.
     3. Query the database and retrieve the results.
     4. Send the processed results back to the user.

  41. Example

       $name = $HTTP_POST_VARS["name"];
       $passwd = $HTTP_POST_VARS["passwd"];
       $query = "select name from users where name = '" . $name . "' and passwd = '" . $passwd . "'";
       $result = mysql_query($query);

  42. What is SQL Injection?

  43. Further?
     - Delete:
         select users from table where name = 'whatever'; DROP TABLE users; --'
     - Another way to bypass authentication:
         select * from users where username='admin';-- ' and password='whocares';

  44. Prevention? A short discussion
     - Firewall?
     - System patch?

  45. Prevention
     - Check and filter user input.
     - Length limit on input (most attacks depend on long query strings).
     - Different types of input have a specific language and syntax associated with them, i.e. name, email, etc.
     - Do not allow suspicious keywords (DROP, INSERT, SELECT, SHUTDOWN) as a name, for example.
     - "Warning: illegal use of this application has been detected. Your IP address has been recorded..."
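  Added example (not from the slides), in C for consistency with the rest of the deck: build_login_query() assembles the query text by string concatenation exactly as the PHP of slide 41 does, so the effect of the slide 43 input is visible in the resulting string, and username_is_valid() applies the slide 45 advice of a length limit plus a per-field allow-list of characters (letters, digits, '_' and '.'), which rejects quotes, ';' and '--' before any query is built. Function names, MAX_NAME_LEN and the sample inputs are my own choices. The slides do not cover parameterized (prepared) statements, which separate query text from data and are the primary defence in practice; input validation of this kind is a complement to them, not a replacement.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN 32   /* chosen limit for the 'name' field */

/* Unsafe: the query text is assembled from raw input, as on slide 41.
 * Returns the length written, or -1 if the query did not fit in out. */
int build_login_query(const char *name, const char *passwd,
                      char *out, size_t outsize)
{
    int n = snprintf(out, outsize,
                     "select name from users where name = '%s' and passwd = '%s'",
                     name, passwd);
    return (n < 0 || (size_t)n >= outsize) ? -1 : n;
}

/* Does the assembled query carry a comment marker or a statement
 * separator? Only used here to show what raw concatenation lets through. */
int query_has_injection_markers(const char *query)
{
    return strstr(query, "--") != NULL || strchr(query, ';') != NULL;
}

/* Allow-list check for a user name: 1..MAX_NAME_LEN characters, each a
 * letter, digit, '_' or '.'. A quote, ';' or '-' never passes, so the
 * slide 43 payloads are refused before any query text exists. */
int username_is_valid(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_NAME_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

int main(void)
{
    char q[256];
    const char *attack = "admin';--";   /* constructed from slide 43 */
    if (build_login_query(attack, "whocares", q, sizeof q) > 0)
        printf("raw concatenation: %s\n", q);
    printf("injection markers present: %d\n", query_has_injection_markers(q));
    printf("username_is_valid(\"%s\") = %d\n", attack, username_is_valid(attack));
    printf("username_is_valid(\"alice\") = %d\n", username_is_valid("alice"));
    return 0;
}
```

  Note that a keyword block-list of the kind slide 45 suggests (DROP, SELECT, ...) is weaker than the allow-list above: a legitimate name such as "Selecta" contains SELECT, while a payload needs only a quote and a comment marker, neither of which is a keyword.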

  46. Race Condition

  47. Discussion

       public class Counter extends HttpServlet {
           int count = 0;

           public void doGet(HttpServletRequest in, HttpServletResponse out)
                   throws ServletException, IOException {
               out.setContentType("text/plain");
               PrintWriter p = out.getWriter();
               count++;
               p.println(count + " hits so far!");
           }
       }

  48. Race Conditions
     - A race condition occurs if an assumption needs to hold true for a period of time, but actually may not.
     - Possible problem areas:
       - Multithreaded programming
       - File and database access
     - "Window of vulnerability": the time interval in which the assumption can be invalidated.

  49. [Figure: timeline showing Action 1, then a time interval (the window of vulnerability), then Action 2]

  50. Improved?

       public class Counter extends HttpServlet {
           int count = 0;

           public synchronized void doGet(HttpServletRequest in, HttpServletResponse out)
                   throws ServletException, IOException {
               out.setContentType("text/plain");
               PrintWriter p = out.getWriter();
               count++;
               p.println(count + " hits so far!");
           }
       }
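  Added example (not from the slides): the unsynchronized count++ of the servlet on slide 47 and the synchronized version of slide 50, reproduced in C with POSIX threads so it can run stand-alone. A pthread mutex plays the role of Java's synchronized; the count++ is the read-modify-write that two concurrent "requests" can interleave during the window of vulnerability of slide 48, losing hits. The thread and iteration counts are my own choices, and the counter is marked volatile only so the compiler emits the racy sequence as written.

```c
#include <pthread.h>
#include <stdio.h>

#define THREADS 4              /* concurrent "clients" */
#define HITS_PER_THREAD 100000 /* requests each client sends */

struct counter {
    volatile long count;       /* the servlet's 'count' field (deliberately racy) */
    pthread_mutex_t lock;      /* stands in for Java's 'synchronized' */
    int use_lock;              /* 0: slide 47 behaviour, 1: slide 50 behaviour */
};

/* One client: HITS_PER_THREAD requests, each doing the servlet's count++.
 * Without the lock, two threads can read the same value and both store
 * value+1, so one hit is lost. */
static void *serve_requests(void *arg)
{
    struct counter *c = arg;
    for (int i = 0; i < HITS_PER_THREAD; i++) {
        if (c->use_lock)
            pthread_mutex_lock(&c->lock);
        c->count = c->count + 1;          /* read, add, write: three steps */
        if (c->use_lock)
            pthread_mutex_unlock(&c->lock);
    }
    return NULL;
}

/* Run THREADS concurrent clients against one counter and return the
 * final hit count. With use_lock the result is always
 * THREADS * HITS_PER_THREAD; without it, it is at most that. */
long run_counter(int use_lock)
{
    struct counter c;
    pthread_t tid[THREADS];
    c.count = 0;
    c.use_lock = use_lock;
    pthread_mutex_init(&c.lock, NULL);
    for (int i = 0; i < THREADS; i++)
        pthread_create(&tid[i], NULL, serve_requests, &c);
    for (int i = 0; i < THREADS; i++)
        pthread_join(tid[i], NULL);
    pthread_mutex_destroy(&c.lock);
    return c.count;
}

int main(void)
{
    long expected = (long)THREADS * HITS_PER_THREAD;
    printf("expected hits:        %ld\n", expected);
    printf("unsynchronized count: %ld\n", run_counter(0));
    printf("synchronized count:   %ld\n", run_counter(1));
    return 0;
}
```

  The unsynchronized run usually prints fewer hits than expected, but not always: the race only shows when the scheduler happens to interleave two increments, which is why such bugs survive testing and why the fix on slide 50 must be reasoned about rather than observed.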

  51. Race Conditions
     - TOCTTOU (time of check to time of use) flaws
       - Time window of vulnerability
       - Check action
       - Use action
       - Variable

  52. What is a "TOCTTOU flaw"?
     - Semantic characteristic: occurs when two events occur and the second depends upon the first one.
     - [Figure: timeline with syscall 1 (time of check), then a time interval in which an attacker can race in and invalidate the assumption that syscall 2 depends upon, then syscall 2 (time of use)]

  53. File System TOCTTOU: name-object binding flaws
     - Symbolic link races (temporary file race):

         if ((fd = open(pathname, O_WRONLY)) < 0)
             if (errno == ENOENT) {
                 if ((fd = creat(pathname, mode)) < 0)
                     err_sys("creat error");
             }

  54. File System TOCTTOU: name-object binding flaws
     - UNIX systems provide two different forms of naming, with different semantics:
       - File path name
       - File descriptor
     - The difference comes from the way the addresses resolve to the actual objects:
       - File path names are resolved by indirection, requiring the naming and addressing of at least one intermediate object other than the actual file object being addressed (indirect pointer to the object).
       - File descriptors are resolved by accessing the file being addressed (direct pointer to the object).
     - Indirect -> opens up a window of vulnerability.
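  Added example (not from the slides): create_racy() is the open()-then-creat() sequence of slide 53, where the ENOENT check and the creat() are two system calls and the path name is resolved twice; create_atomic() does check and create in one open() with O_CREAT|O_EXCL, so the name is resolved once and the result is bound to a file descriptor, closing the window slide 54 describes. O_EXCL also refuses to follow a symbolic link sitting at the name, which is the temporary-file race of slide 53. The helper names, the temp directory under /tmp and the file mode are my own choices.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Slide 53's pattern. Returns an fd, or -1. Between the failed open()
 * and the creat() the name can be re-bound by another process, and
 * creat() follows a symbolic link placed there. */
int create_racy(const char *pathname, mode_t mode)
{
    int fd = open(pathname, O_WRONLY);
    if (fd < 0 && errno == ENOENT)
        fd = creat(pathname, mode);   /* window of vulnerability is here */
    return fd;
}

/* Hardened: create-or-fail in a single system call. Returns the fd, or
 * -1 with errno == EEXIST if anything (file, symlink, ...) already sits
 * at that name. O_EXCL does not follow a symlink at pathname. */
int create_atomic(const char *pathname, mode_t mode)
{
    return open(pathname, O_WRONLY | O_CREAT | O_EXCL, mode);
}

/* Private temp directory for a self-contained run; writes its path to dir. */
int make_temp_dir(char *dir, size_t dirsize)
{
    const char tmpl[] = "/tmp/tocttou-demo-XXXXXX";
    if (dirsize < sizeof tmpl)
        return -1;
    memcpy(dir, tmpl, sizeof tmpl);
    return mkdtemp(dir) == NULL ? -1 : 0;
}

/* Create path exclusively twice: returns 1 when the first call succeeds
 * and the second is refused with EEXIST, 0 otherwise. Caller removes path. */
int demo_exclusive_create(const char *path)
{
    int fd1 = create_atomic(path, 0600);
    if (fd1 < 0)
        return 0;
    close(fd1);
    int fd2 = create_atomic(path, 0600);
    int refused = (fd2 < 0 && errno == EEXIST);
    if (fd2 >= 0)
        close(fd2);
    return refused;
}

int main(void)
{
    char dir[64], path[128];
    if (make_temp_dir(dir, sizeof dir) != 0)
        return 1;
    snprintf(path, sizeof path, "%s/lockfile", dir);
    printf("second exclusive create refused: %s\n",
           demo_exclusive_create(path) ? "yes" : "no");
    unlink(path);
    rmdir(dir);
    return 0;
}
```

  The test below also places a dangling symbolic link at the name: create_atomic() fails with EEXIST and creates nothing, while the slide 53 sequence follows the link and creates the link's target instead, which is the name-object binding problem of slide 54 in miniature.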

  55. PRNG

  56. How Random is "Random"?

  57. Random numbers used in security
     - Usage: almost all network security protocols rely on the randomness of certain parameters.
       - Nonce: used to avoid replay
       - Session key
     - A random number should be unpredictable.
     - Measure of random numbers: entropy.

  58. Requirements
     - Utopia: true random generators (high cost).
     - Reality: pseudo-random number generators; the sequence appears random.
     - "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." John von Neumann [1951]
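  Added example (not from the slides): the entropy measure that slide 57 mentions, applied to two ways of making a nonce. nonce_from_seed() uses the C library's rand() from a seed such as the clock, which is the "arithmetical method" of slide 58: the same seed always gives the same nonce, so anyone who can guess the seed reproduces it, and a nonce meant to stop replay is then replayable. nonce_from_os() reads the kernel's /dev/urandom instead. shannon_entropy_bits() reports bits per byte of the observed distribution; note that it measures only the spread of byte values, so a predictable rand() stream also scores high, which is why unpredictability, not a statistic, is the requirement. Function names, the seed and the buffer sizes are my own choices; log2 is computed without libm so the block needs no extra link flag.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* log2(x) for x > 0 without libm: integer part by normalising x into
 * [1,2), fractional part by repeated squaring (one bit per squaring). */
static double log2_nolibm(double x)
{
    int e = 0;
    while (x >= 2.0) { x /= 2.0; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double frac = 0.0, bit = 0.5;
    for (int i = 0; i < 52; i++) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; frac += bit; }
        bit /= 2.0;
    }
    return e + frac;
}

/* Shannon entropy of the byte distribution in buf, in bits per byte:
 * 0 for a constant buffer, 8 for a perfectly uniform one. */
double shannon_entropy_bits(const unsigned char *buf, size_t len)
{
    if (len == 0)
        return 0.0;
    unsigned long hist[256] = {0};
    for (size_t i = 0; i < len; i++)
        hist[buf[i]]++;
    double h = 0.0;
    for (int b = 0; b < 256; b++) {
        if (hist[b] == 0)
            continue;
        double p = (double)hist[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

/* Predictable nonce: rand() is a deterministic function of its seed, so
 * two calls with the same seed produce byte-identical output. */
void nonce_from_seed(unsigned seed, unsigned char *out, size_t len)
{
    srand(seed);
    for (size_t i = 0; i < len; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Unpredictable nonce: bytes from the OS entropy source. Returns 0 on success. */
int nonce_from_os(unsigned char *out, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(out, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

int main(void)
{
    unsigned char a[16], b[16], os[4096];
    unsigned seed = (unsigned)time(NULL);   /* a one-second clock: easy to guess */
    nonce_from_seed(seed, a, sizeof a);
    nonce_from_seed(seed, b, sizeof b);
    printf("same seed, same nonce: %s\n", memcmp(a, b, sizeof a) == 0 ? "yes" : "no");
    if (nonce_from_os(os, sizeof os) == 0)
        printf("/dev/urandom sample: %.3f bits/byte\n",
               shannon_entropy_bits(os, sizeof os));
    return 0;
}
```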
