Introduction to Computer Security Software Security. Pavel Laskov Wilhelm Schickard Institute for Computer Science

Transcription

1 Introduction to Computer Security Software Security Pavel Laskov Wilhelm Schickard Institute for Computer Science

2 Software security threats Modification of program code viruses and self-replicating code OS and API hooking Control flow hijacking integer overflow buffer overflow heap overflow format string vulnerabilities Code and data injection script injection (e.g. XSS) SQL injection

3 Malicious software ( malware ) The term malicious software denotes program code executed without a user s consent and carrying out harmful functionality.

4 Viren-Infektionsvektoren MalwareInfektion carriers: des Boot-Sektors boot sector Infektion des Boot-Sektors Virus kopiert originalen Bootblock und überschreibt den Bootblo VirusSave erhält thekontrolle original MBR beiminbootvorgang a safe locationnoch bevor Betriebssystem Overwrite theund MBR Anti-Viren-SW with an infected geladen one werden Gegenmaßnahme: Bootstrap a system Bootblockschutz using the new MBR im BIOS Abbildung: Mehrfache Infektion durch verschiedene Viren

5 Malware carriers: COM executables Append a virus body to a program Save an entry point to a program in a virus body Viren-Infektionsvektoren Infektion von Dateien Anhängen Replace a program an die Datei entry(1) point with a jump to a virus body Virus code restores the original entry point and jumps to it after its own execution Abbildung: Infektion durch Anhängen

6 Malware carriers: EXE executables Append a virus body to a program Overwrite a program header to switch the entry point to a virus Viren-Infektionsvektoren Infektion von Dateien JumpAnhängen to the original an die Datei entry(2) point during execution Abbildung: Infektion durch Anhängen c Ulrich Flegel Reaktive Sicherheit Teil 4 31 / 130

7 Malware carriers: macros and scripts Malicious functionality is implemented in Visual Basic for Applications (VBA). Viren-Infektionsvektoren Infektion von Dateien Dokumenten-Viren If a document template (3) are infected, so will be every Macro document Viruses on a system. Abbildung: Beispiel: Concept Virus infiziert Microsoft-Word-Dateien

8 Modern malware threats Malicious documents (e.g. PDF, Flash) Drive-by downloads Trojan horses Botnets Keyloggers

9 Exploitation of unvalidated input (1) A CGI script mails a file to an address read from a form: cat $file mail $address

10 Exploitation of unvalidated input (1) A CGI script mails a file to an address read from a form: cat $file mail $address The user inputs user@host rm -rf /

11 Exploitation of unvalidated input (1) A CGI script mails a file to an address read from a form: cat $file mail $address The user inputs user@host rm -rf / The following statement is executed: cat $file mail user@host rm -rf / Root directory is wiped out.

12 Exploitation of unvalidated input (2) The following script validates user name and password: $login = Request.Form(login) $password = Request.Form(password) $sql_command = SELECT user FROM database WHERE Login='$login' AND Password='$password' db->prepare($sql_command)

13 Exploitation of unvalidated input (2) The following script validates user name and password: $login = Request.Form(login) $password = Request.Form(password) $sql_command = SELECT user FROM database WHERE Login='$login' AND Password='$password' db->prepare($sql_command) The user inputs 'OR''=' for login and 'OR''=' for password

14 Exploitation of unvalidated input (2) The following script validates user name and password: $login = Request.Form(login) $password = Request.Form(password) $sql_command = SELECT user FROM database WHERE Login='$login' AND Password='$password' db->prepare($sql_command) The user inputs 'OR''=' for login and 'OR''=' for password The following SQL statement is executed SELECT user FROM database WHERE Login= OR = AND Password= OR = Always true (since = is true); login is successful.

15 Contiguous memory (buffer) allocation C/C++ static: int x[20] declaration outside any function; allocated in the static variables memory along the program code automatic: int x[20] declaraiton inside some function; allocated on the stack dynamic: int *x = new int[20]; must be followed by delete to avoid memory leaks; allocated on the heap Java dynamic: int x = new int[20]; gets allocated in on the heap; automatic deallocation by garbage collector

16 Buffer overruns What does the following program do? #include <stdio.h> #define SIZE 10 main() { int matrix[size*size]; int total_size = SIZE*SIZE; int* row_ind[size]; for (int i = 0; i <= total_size; i++) matrix[i] = i; for (int i = 0; i <= SIZE; i++) row_ind[i] = &matrix[i*size]; for (int i = 0; i <= SIZE; i++) printf("a[%d] = %d\n", i, *row_ind[i]); }

17 Process memory organization Process memory is partitioned into segments:.text - program code.data - initialized static data.bss - uninitialized static data heap - dynamically allocated memory stack - program call stack Each memory segment has appropriate permissions. Access operations violating these permissions cause the segmentation fault error. Higher memory addresses stack unused memory heap bss data text Lower memory addresses

18 Stack organization Stack is composed of frames Each frame comprises functions arguments return address frame pointer: the address of the start of the previous frame local variables Frames are pushed on the stack during function invocation and popped back after the return Previous frames Function arguments Return address Frame pointer Local variables Unused stack space Stack frame

19 Overwriting the return address A local buffer is allocated bottom-up, i.e. it starts at lower and ends at higher stack locations. Without proper bound checking a buffer content can overspill into adjacent upper stack area. By controlling buffer content, an attacker can overwrite the return address with an arbitrary value and hijack the execution flow. Previous frames Function arguments Return address Frame pointer Local variables Unused stack space Stack frame

20 Software security mechanisms Data execution protection mark certain areas in memory as non-executable Address space layout randomization choose stack memory allocation at random makes it difficult to guess the values to overwrite the return address with Canaries preceed the return value with a special value before following the return value, check if is content has not changed after the call

21 Summary Software insecurity stems from attacker s ability to modify system resources criticial for program execution, e.g. instruction pointer, function call addresses, interrupt addresses, etc. One of the key sources for software insecurity is failed validation of user input. Buffer overflows are a most widely used exploitation technique. Special techniques for strengthening software security exist, e.g. canaries, address space layout randomization and data execution prevention.