Software Security CSM27 Computer Security Dr Hans Georg Schaathun - PowerPoint PPT Presentation

  1. Software Security
     CSM27 Computer Security
     Dr Hans Georg Schaathun, University of Surrey
     Autumn 2009 – Week 9
     Dr Hans Georg Schaathun – Software Security – Autumn 2009 – Week 9 – 1 / 30

  2. The session – Outline
     1 The session
     2 Examples
     3 Overflows
     4 Coding Practices

  3. The session – Session objectives
     - Be aware of implementation errors leading to security vulnerabilities
     - Discuss dangers of broken abstraction

  4. The session – Source
     Most of this material is due to Robert C. Seacord:
     - Examples from Secure Coding in C and C++
     - Practices from https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices

  5–7. The session – Security or Usability
     This chapter is largely about software bugs. Is this security? ... or is it usability?
     Answer: yes.
     - Bugs are user (programmer) mistakes – usability.
     - Many bugs cause security vulnerabilities.
     - Usability is a prerequisite of security.

  8. Examples – Outline (section 2 of 4: The session, Examples, Overflows, Coding Practices)

  9. Examples – Why is this code insecure?

     #include <stdbool.h>
     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>

     bool IsPasswordOkay(void) {
         char Password[12];
         gets(Password);              /* reads with no bound: a long line overruns Password */
         if (!strcmp(Password, "goodpass"))
             return true;
         else
             return false;
     }

     int main(void) {
         bool PwStatus;
         puts("Enter password:");
         PwStatus = IsPasswordOkay();
         if (PwStatus == false) {
             puts("Access denied");
             exit(-1);
         } else
             puts("Access granted");
         return 0;
     }

  10. Examples – String handling: why is this insecure?

      #include <stdio.h>
      #include <string.h>

      int main(int argc, char *argv[]) {
          char a[16];
          char b[16];
          char c[32];
          strcpy(a, "0123456789abcdef");  /* 16 characters plus the 0 byte: 17 bytes into a 16-byte array */
          strcpy(b, "0123456789abcdef");
          strcpy(c, a);
          strcat(c, b);                    /* 32 characters plus the 0 byte: 33 bytes into a 32-byte array */
          printf("a = %s\n", a);
          return 0;
      }

  11. Examples – String handling
      A C string is an array of characters (bytes):
      - represented by a pointer to the start of the array;
      - a 0 byte marks the end of the string, e.g. a 16-character string requires 17 bytes.
      Easy to forget. Hard bug to spot.
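A bounded rewrite of the code on slides 9 and 10, added here as an illustration and not part of the original slides; read_line_bounded, password_matches, is_password_okay and concat_bounded are names chosen for this example. Over-long input is rejected instead of overrunning the 12-byte buffer, and a concatenation is refused when the result plus its 0 byte would not fit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 11  /* 11 characters + terminating 0 byte fit the 12-byte buffer */

/* Read one line from `in` into buf[cap] without overrunning it. Returns false
 * (draining the rest of the line) when it does not fit, so over-long input
 * is rejected rather than silently truncated. */
static bool read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) return false;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return true; }
    if (feof(in)) return true;          /* final line without a newline */
    int c;                              /* longer than cap-1 bytes: drain and reject */
    while ((c = fgetc(in)) != EOF && c != '\n') { }
    return false;
}

/* Compare a candidate that has already been read into a bounded buffer. */
bool password_matches(const char *entered)
{
    if (strlen(entered) > PW_MAX) return false;   /* cannot be valid; never copy it on */
    return strcmp(entered, "goodpass") == 0;
}

/* Safe replacement for IsPasswordOkay(): fixed buffer, bounded read. */
bool is_password_okay(FILE *in)
{
    char password[PW_MAX + 1];
    if (!read_line_bounded(in, password, sizeof password)) return false;
    return password_matches(password);
}

/* Concatenate a and b into out[cap]. Returns false, leaving out empty, when
 * the result plus its 0 byte (the byte slide 11 says is easy to forget) would
 * not fit: two 16-character strings need 33 bytes, so c[32] is too small. */
bool concat_bounded(char *out, size_t cap, const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la + lb + 1 > cap) { if (cap) out[0] = '\0'; return false; }
    memcpy(out, a, la);
    memcpy(out + la, b, lb + 1);        /* lb + 1 also copies b's 0 byte */
    return true;
}
```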

  12. Overflows – Outline (section 3 of 4: The session, Examples, Overflows, Coding Practices)

  13–15. Overflows – Integer Overflows
      Integers in mathematical terms form an infinite set $\{-\infty, \ldots, -2, -1, 0, 1, 2, \ldots, \infty\}$.
      Integers in computing terms form a finite set:
      - 8-bit: $\{0, 1, 2, 3, \ldots, 254, 255\}$
      - 32-bit: $\{0, 1, 2, 3, \ldots, 2^{32}-2, 2^{32}-1\}$
      This is (often) a broken abstraction.
      What is 212 + 64? Using 8-bit integers in C, we get 20!
      Safe languages would raise an exception (run-time). If your language has no built-in protection you have to make your own protection manually.
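The 8-bit sum on this slide, 212 + 64, carried through in C as an added example that is not from the slides: add_u8_wrapping shows the wrap to 20, and the checked helpers add_u8_checked, add_int_checked and mul_size_checked (names chosen here) are the protection you have to write yourself in a language without built-in overflow checking. It goes beyond the 8-bit case to signed int and to size computations before allocation.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Wrapping 8-bit addition: 212 + 64 = 276 does not fit in 8 bits, so the
 * stored result is 276 mod 256 = 20, as on the slide. */
uint8_t add_u8_wrapping(uint8_t a, uint8_t b)
{
    return (uint8_t)(a + b);   /* a + b is computed as int, then truncated */
}

/* Checked 8-bit addition: reports the overflow instead of wrapping. */
bool add_u8_checked(uint8_t a, uint8_t b, uint8_t *out)
{
    unsigned sum = (unsigned)a + (unsigned)b;   /* wide enough for 255 + 255 */
    if (sum > UINT8_MAX) return false;
    *out = (uint8_t)sum;
    return true;
}

/* Checked signed addition. Signed overflow is undefined behaviour in C, so the
 * test is arranged so that no overflowing expression is ever evaluated. */
bool add_int_checked(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) return false;
    *out = a + b;
    return true;
}

/* Checked multiplication for buffer sizes: n * size must not wrap before it
 * reaches malloc, or the buffer ends up far smaller than the code expects. */
bool mul_size_checked(size_t n, size_t size, size_t *out)
{
    if (size != 0 && n > SIZE_MAX / size) return false;
    *out = n * size;
    return true;
}
```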

  16–17. Overflows – Stack Overrun
      Original stack frame          Overrun
      argument a                    argument a
      argument b                    argument b
      argument c                    argument c
      Return address                Bad return address
      Saved frame pointer           . . .
      local variable x              . . .
      local variable y              . . .

  18–19. Overflows – The finger bug
      Command   Argument    Meaning
      pushl     $68732f     push '/sh,<nul>'
      pushl     $6e69622f   push '/bin'
      movl      sp, r10     save address of start of string
      pushl     $0          push 0 (argument 3)
      pushl     $0          push 0 (argument 2)
      pushl     r10         push string address (arg. 1)
      pushl     $3          push argument count
      movl      sp, ap      set argument pointer
      chmk      $3b         make execve kernel call
      Executes execve("/bin/sh", 0, 0) on return.

  20. Coding Practices – Outline (section 4 of 4: The session, Examples, Overflows, Coding Practices)

  21–22. Coding Practices – 1. Validate input
      Validate input from all untrusted data sources. Proper input validation can eliminate the vast majority of software vulnerabilities.
      Be suspicious of most external data sources, including:
      - command line arguments
      - network interfaces
      - environment variables
      - user-controlled files

  23–25. Coding Practices – Example: path names
      Suppose you write an application where users upload files.
      The user can specify a filename, e.g. holiday.jpg, ... and you prepend a directory name, e.g. /public/images/.
      How can this be exploited? Suppose the user uses the filename /../../etc/passwd.
      How do we avoid this? Input checking is possible; ../ is an illegal string.
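An allow-list check for the upload filename on this slide, added here as an example that is not from the slides; is_safe_filename and build_upload_path are names chosen for it. Rather than only rejecting the substring ../, it accepts a single path component drawn from a small character set, which also refuses ".", ".." and any separator, and then builds the path with a bounded snprintf.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64

/* Allow-list check for one path component: no '/' or '\\', no leading '.'
 * (which also excludes "." and ".."), only [A-Za-z0-9._-], bounded length.
 * Accepting a known-good set is stronger than rejecting known-bad strings. */
bool is_safe_filename(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > NAME_MAX_LEN || name[0] == '.') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return false;
    }
    return true;
}

/* Build "<base><name>" (inserting '/' if base lacks one) into out[cap].
 * Returns false, leaving out empty, for an unsafe name or for a result that
 * would not fit together with its terminating 0 byte. */
bool build_upload_path(const char *base, const char *name, char *out, size_t cap)
{
    if (cap == 0) return false;
    out[0] = '\0';
    if (!is_safe_filename(name)) return false;
    size_t bl = strlen(base);
    const char *sep = (bl > 0 && base[bl - 1] == '/') ? "" : "/";
    int n = snprintf(out, cap, "%s%s%s", base, sep, name);
    if (n < 0 || (size_t)n >= cap) { out[0] = '\0'; return false; }
    return true;
}
```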

  26. Coding Practices – Character Encoding: vulnerabilities in Unicode
      Unicode collects characters for (almost) every language.
      UTF-8 is the most common encoding of Unicode: variable-length characters.
      - ASCII (American 7-bit character set) uses one byte, ensuring compatibility.
      - Western European (non-ASCII) characters use two bytes.
      - More exotic characters require 3 or 4 bytes.
