Protection. Thierry Sans

Transcription

1 Protection Thierry Sans

2 Protecting Programs How to lower the risk of a program security flaw resulting from a bug? 1. Build better programs 2. Build better operating systems

3 Build Better Programs

4 Why are we still vulnerable to buffer overflows? Why code written in assembly code or C are subject to buffer overflow attacks? Because C has primitives to manipulate the memory directly (pointers ect...)

5 Choosing a better programming language Some languages are type-safe (i.e memory safe) Pure Lisp, pure Java, ADA, ML Some languages isolate potentially unsafe code Modula-3, Java with native methods, C# Some languages are hopeless Assembly languages, C

6 Type-Safe Programs Cannot access arbitrary memory addresses Cannot corrupt their own memory Do not crash

7 So why are we still using unsafe programming languages? If other programming languages are memory safe, why are we not using them instead? Because C and assembly code are used when a program requires high performances (audio, vide, calculus ) or when dealing with hardware directly (OS, drivers.)

8 Can we write better programs with unsafe programming languages? Good Programmer Approach 1. Adopting good programming practices 2. Being security aware programmer Proactive Approach 3. Using security libraries 4. Performing penetration testing Formal Approach 5. Using formal methods to verify a program 6. Using formal methods to generate a program

9 Good Programmer Approach

10 2. Adopting good programming practices Modularity Have separate modules for separate functionalities Easier to find security flaws when components are independent Encapsulation Limit the interaction between the components Avoid wrong usage of the components Information hiding Hide the implementation Black box model does not improve security

11 2. Being security aware programmer Check the inputs, even between components that belongs to the same application (mutual suspicion) Be fault tolerant by having a consistent policy to handle failure (managing exceptions) Reuse known and widely used code by using design patterns and existing libraries

12 Proactive Approach

13 3. Using security libraries - stack smashing protection Check that the stack has not been altered when a function returns If it has been altered, the program exits with a segmentation fault Verification embedded into the program by the compiler

14 3. Using security libraries - examples Libsafe StackGuard ProPolice (gcc patches) Microsoft's Data Execution Prevention

15 4. Testing and Penetration Testing Testing the functionalities Unit test, Integration test, Performance test and so on Testing the security Penetration tests Try to make the software fail by pushing the limits of a normal usage i.e test what the program is not supposed to do

16 Formal Approach

17 5. Using formal methods to verify a program Static analysis - analyzing the code to detect security flaws Control flow - analyzing the sequence of instructions Data flow - analyzing how the date are accessed Data structure - analyzing how data are organized Abstract interpretation [Cousot] Verification of critical embedded software in Airbus aircrafts

18 6. Using formal methods to generate a program Mathematical description of the problem Refinement steps Proof of correctness Executable code or hardware design

19 6. Using formal methods to generate a program Hardware design (VHDL, Verilog) Used by semi-conductor companies such as Intel Critical embedded software (B/Z, Lustre/Esterel) Urban Transportation (METEOR Metro Line 14 in Paris by Alstom) Rail transportation (Eurostar) Aeronautic (Airbus, Eurocopter, Dassault) Nuclear plants (Schneider Electric)

20 Pros and cons of using formal methods Nothing better than a mathematical proof A code proven safe is safe Development is time and effort (and so money) consuming Should be motivated by the risk analysis Do not prevent from specification bugs Example of network protocols

21 Build Better Operating Systems

22 Memory and address protection Programs (and data) used the same address space They should not access memory addresses that has not been allocated to them When a program tries to access to an authorized memory address, an exception is raised The well known segmentation fault

23 Basic (but inefficient) protection - segmentation Cutting the program into pieces (segments) that can be located dynamically wherever in the memory (useful for caching) A program can access a segment only if it appears in the segment table But Shellcode are located in the same segment table

24 What else can we do?

25 Tagged Architecture Tagging memory cells as data or instructions during execution Data in a buffer cannot be turned into a instructions like in buffer overflow attacks Processors implementing this technique Intel XD (EDB) or AMD64 NX (EVP) Operating Systems using it OpenBSD and OSX

26 Return Address Protection Encrypt the return address on stack by XORing with a random string Attacker will not know what address to use in his string Operating System using this technique Windows Vista

27 Address Space Layout Randomization (ASLR) Randomize the return address on the stack dynamically Attacker cannot guess the return address as it expires rapidly Operating Systems using this technique OpenBSD Linux (since ) Windows (since Vista) Mac OSX (fully supported since 10.7 Lion) ios (since 4.3) Android (since 4.0 Ice Cream Sandwich)

28 Confined execution environment - Sandbox A sandbox is tightly-controlled set of resources for untrusted programs to run in Sandboxing servers - virtual machines Sandboxing programs Chroot and AppArmor in Linux Sandbox in MacOS Lion Metro App Sandboxing in Windows 8 Sandboxing applets - Java and Flash in web browsers

29 Intrusion Detection/Prevention Systems Host-based Intrusion Detection Systems (IDS) Host-based Intrusion Prevention systems (IPS) Based on signatures (well known programs) Based on behaviors (unknown programs) Example : Syslog and Systrace on Linux Vulnerable to malicious programs residing in the kernel called rootkits

30 Coming next More on attacks Lecture about malicious code More on countermeasures Lecture about Security Assurance Lecture on Trusted Systems