Software Security Ge Zhang
Security: When is it software problem � Network Problem: caused by the flaws in networking mechanisms such as network protocols. � OS Problem: caused by the flaws in OS mechanisms such OS resource management policies. � Software Problem: caused by the flaws in software implementation or design � Employee Problem: people do not pay attention on security
Why is software security a challenge � Complexity of systems and software. � Security is not a static feature. � Different goals between software projects and security: � Goals of software projects: functionality, usability, efficiency, time-to-market. � Goals of security: confidentiality, integrity, availability… � Software experts are not security experts.
Causes for Security problems (in programming) � Flaws and oversights in the design and implementation � What is written is not what is meant
Principles for security design 1 � Secure the weakest link � a software system is only as secure as its weakest component
Principles for security design 2 � Practice Defense in Depth
Principles for security design 3 � Fail securely
Principles for security design 4 � Follow the Principle of least privilege
Principles for security design 5 � Compartmentalize
Principles for security design 6 � Keep it simple
Principles for security design 7 � Promote privacy
Principles for security design 8 Remember that hiding secrets is hard � Many people assume that code � compiled into binary is sufficiently well protected against attackers. Reverse Engineering � Sometimes, attackers do not need to � have the source code. Enigma machine �
Principles for security design 9 � Be reluctant to trust
Principles for security design 10 � Use your community resources � “Many-eyeballs phenomenon”; � Not a panacea
Verification Architectural Analysis � Information gathering � Understand the requirements of a system � Attempts to understand the proposed architecture at a high level � Have a number of questions about the system and the environment. Answer the questions. � Analysis � Attack trees � Reporting � Ranking, order � Easy to understand
Implementation Security Analysis � Auditing source code � Implementation should meet the design � Look for implementation specific vulnerabilities. (e.g., buffer overflow, race conditions, SQL injections) � Source-level security auditing tools � RATS, Flawfinder, Findbugs, etc
What’s wrong? � #include "string" int main() � � { int is_successful = 0; //flag � char passwd[4]; � while(is_successful == 0) � � { printf("Please input your password:\n"); � scanf("%s", passwd); � � if (strcmp(passwd,"007") == 0) is_successful = 1; � } � � printf("You are James Bond, now!\n"); } �
Buffer overflow
Buffer overflow
Buffer � What is buffer Chunks of the same data type are allocated, the • memory region is called buffer In the stack • • Non-static local variables: int array[4]; In the heap • • Malloc, new: int *pArray = new int[4]; � What is buffer overflow When a program writes past the boundary of a • buffer.
Process memory organization � A process in memory: - code (Program code; marked read-only, so any attempts to write to it will result in segmentation fault) - data segment (Global and static variables) - stack, heap (Dynamic variables)
Process memory organization
More about the stack � Stack frames � Example: foo(){ } bar(){ foo(); } main(){ bar(); }
More about the stack � What a stack frame should hold for a subroutine? � Parameters to the function � The return address � The old frame pointer � Local variables
How stack is used
Buffer Overflows void function(char *str) { char buffer[8]; strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); }
Buffer Overflows
Buffer Overflows
Buffer Overflows
Buffer Overflows
Buffer Overflows
Buffer Overflows
Buffer Overflows
Buffer Overflows
A short discussion � Which consequences can be result in?
Prevention � Avoid the usage of suspect functions � strcpy(), sprintf(), fscan(), gets() � Do bound checking yourself (input verification) � Choose a language which is more immune (e.g., Java)
A short discussion � Is strncpy() more secure? � Is the following code secure? char dest[4]; char source[]=”Hello!”; strncpy(dest, source, sizeof(dest));
Review � What is software security? � Why software security is so challenge? � 10 principles of secure design � Buffer overflow � No bound checking � In stack or in heap � Why it is a serious problem? Overwritten data � Consequence of buffer overflow � Counteracts
SQL injection
Web application processing Take user input from a web form and pass it to a server-side 1. script via HTTP methods such as POST or GET. Process request, open connection to database. 2. Query database and retrieve results. 3. Send processed results back to user. 4.
Example $name = $HTTP_POST_VARS["name"]; $passwd = $HTTP_POST_VARS[“passwd"]; $query = “select name from users where name = ‘”.$name.”’ and passwd = ‘”.$passwd.”’” ; $result = mysql_query($query);
What is SQL Injection?
Further? � Delete: Select users from table where name = ‘ whatever’; DROP TABLE users; - - ’ � Another way to bypass Authentication � select * from users where username=‘ admin’;-- ’ and password=‘whocares’;
Prevention? A short discussion � Firewall? � System patch?
Prevention � Check and filter user input. � Length limit on input (most attacks depend on long query strings). � Different types of inputs have a specific language and syntax associated with them, i.e. Name, email, etc � Do not allow suspicious keywords (DROP, INSERT, SELECT, SHUTDOWN) as name for example. � “Warning: illegal use of this application has been detected. You IP address has been recorded…”
Race Condition
Discussion � Public class Counter extends HttpServlet{ int count =0; public void doGet(HttpServletRequest in, HttpServletResponse out) throws ServeletException, IOException{ out.setContentType(“text/plain”); Printwriter p = out.getWriter(); count++; p.println(count+”hits so far!”); } }
Race Conditions � A race condition occurs if an assumption needs to hold true for a period of time, but actually may not. � Possible problem areas Multi threaded � programming File and database access � � “Window of vulnerability” The time interval in which � assumption can be invalidated
Time Action 2 Window of Vulnerability Time Interval Action 1
Improved? � Public class Counter extends HttpServlet{ int count =0; public synchronized void doGet(HttpServletRequest in, HttpServletResponse out) throws ServeletException, IOException{ out.setContentType(“text/plain”); Printwriter p = out.getWriter(); count++; p.println(count+”hits so far!”); } }
Race Conditions � TOCTTOU (Time of check to time of use) flaws � Time window of vulnerability � Check action � Use action � Variable
What is “TOCTTOU Flaw”? � Semantic Characteristic � Occurs when two events occur and the second depends upon the first one Time Syscall 1 Syscall 2 (Time Of Check) (Time Of Use) Time Interval where attacker can race in and invalidate the assumption that syscall 2 depends upon
File System TOCTTOU: Name-Object Binding Flaws Symbolic Link Races (Temporary File Race) � if ((fd = open (pathname, O_WRONLY))<0) if(error == ENOENT) { if ((fd = creat(pathname, mode))<0) err_sys(“creat error”); }
File System TOCTTOU: Name-Object Binding Flaws � UNIX system provides two different forms of naming, with different semantics � File path name � File descriptor � The difference comes from the way the addresses resolve to the actual objects � File path names are resolved by indirection, requiring the naming and addressing at least one intermediate object other than the actual file object being addressed (indirect pointer to object) � File descriptors are resolved by accessing the file being addressed (direct pointer to object) � Indirect -> Opens up window of vulnerability
PRNG
slide 56 How Random is “Random?”
Random number used in security � Usage � Almost all network security protocols rely on the randomness of certain parameters � Nonce - used to avoid replay � session key � A random number should be unpredictable � Measure random numbers: entropy
Requirements � Utopia � True random generators � High cost � Reality � Pseudo random number generators � Sequence appears random “Any one who consider arithmetical methods of producing random digits is, of course, in a state of sin.” John von Neumann [1951]
Recommend
More recommend