COMP3441 Lecture 7: Software Vulnerabilities

Transcription

1 COMP3441 Lecture 7: Software Vulnerabilities Ron van der Meyden (University of New South Wales Sydney, Australia) April 22, 2013 Overview Buffer overflow attacks SQL injection attacks Defensive measures Exploit economics

2 Buffer Overflow Attacks C/C++ does not enforce array boundaries attacker can control the value of more than program input locations von Neumann Architectures: data and programs stored in the same type of memory attacker can cause execution of a program they have written to memory Example: attacker changes program behaviour A C library function: char *gets ( char *str ); Get string from stdin Reads characters from stdin and stores them as a string into str until a newline character ( \n ) or the End-of-File is reached. The ending newline character ( \n ) is not included in the string. A null character ( \0 ) is automatically appended after the last character copied to str to signal the end of the C string.

3 char buffer[100]; int security-critical-variable = 0 (some code) gets(buffer); (more code) if (security-critical-variable) {security-critical-code}; How this looks in memory: buffer[100] sec-critvar If the attacker gives as input a string of 101 non-zero values, the last of these is written to security-critical-variable, ensuring that security-critical-code is executed.

4 A more serious version char buffer[100]; int (*function-pointer-variable) (); int v; (some code) gets(buffer); (more code) v=function-pointer-variable(); Here the attacker can first write a malicious program into the buffer, and use the overflow into function-pointer-variable to make that point at the malicious program! The assignment to v now makes that malicious program run. This is an example of a code-injection attack.

5 An example attack The Morris worm (1988): used gets based buffer overflow in fingerd (network finger deamon) to overwrite filename of a command executed by in.fingerd used a debugging option in sendmail, which allows commands to the sendmail process to be run (many installations left this on) mounted a password guessing attack against the (then openly available) encrypted password file hid itself by removing its files from disk, and frequently forking a copy of itself and killing the parent to prevent its detection as a cycle-intensive process The Internet Worm Program: An Analysis Purdue Technical Report CSD-TR-823, Eugene H. Spafford Stack Smashing Nested function calls are handled using the stack. In memory: SP= stack pointer: a register pointing to the top of the stack IP = instruction pointer: a register pointing to the next executed instruction stack frame = a region of the stack storing data relevant to a function call instance saved SP = stack pointer before this invocation return address = program location to return to when this invocation is done

6 CPU IP: Instruction pointer Stack Pointer Program Stack Frame Memory Heap Stack A call to a function void functionname() { char a[100]; int b; char c[100] (function code) } is compiled so that at run-time, we have functionname entry code functioname code functionname exit code... Program saved stack a[100] b c[100] return address pointer caller stack frame Stack frame

7 Entry code: sets up the new stack frame, saves the current stack frame there, saves program location after function call as return address sets up offsets so that frame instances of variables are used in function code Exit Code: restores stack pointer to saved stack pointer in current frame sets instruction pointer to return address in current frame The stack-smashing attack If function code contains a buffer overflow vulnerability (e.g. gets), the attacker can write a malicious program into the buffer (or somewhere else in memory) overflow the buffer so as to write the location of the malicious program into return address Now, when the function exits, it jumps to executing the malicious code!

8 A Typical malicious program Often, the attacker will not know the exact location of the malicious program in memory, but has an estimate. To ensure the malicious program runs, attacker stores NoOP, NoOp..., NoOp, (Malicious machine code) so a jump to an earlier point eventually runs into Malicious code. Often the malicious program calls the Operating System Shell, then does bad stuff Format String Vulnerability printf("%s", buffer) = print buffer as a string common programming error: printf(buffer) interpret buffer as a format string, and parse any formatting instructions it contains. The formatting instructions are quite powerful...

9 Example: Format instructions can write to designated memory locations: When the %n format is encountered in the format string, the number of characters output before the %n field was encountered is stored at the address passed in the next argument. int pos, x = 235, y = 93; printf("%d %n%d\n", x, &pos, y); printf("the offset was %d\n", pos); Using the power of the formatting instructions, the attacker can inject code into the stack change the value of (almost) arbitrary memory locations (e.g. return addresses), so run code of the attackers choice. Details: see Format String Attacks, Tim Newsham, Sep

10 Defensive Measures Defensive programming Safe Libraries Type-Safe Languages Runtime-checks Static Analysis Testing Program Verification Canary Variables Executable space protection Deep Packet Inspection Address Space Layout Randomization Defense: Canary variables (after use of canaries to detect oxygen depletion in coal mines) canary saved stack a[100] b c[100] return address variable pointer caller stack frame Stack frame Function entry code saves a (random) value to the canary variable. Function exit code checks if the canary variable still has the expected value, if not, abort/raise error. (Assumes the attacker cannot work out the expected value.)

11 Defense: Address Space Layout Randomization Main idea: to jump to a program the attacker has saved, the attacker needs to know its location. Standard compilers place data structures at predictable locations. Compilation using Address Space Layout Randomization places the data structures used by attacker randomly in memory. Introduced in PaX (linux patch implementing least-privilege on memory pages), 2001 Used in OpenBSD, Linux (weakly), Windows (since 2008), Mac OS X (since 2007), ios, Android Hardware Defenses Stack smashing relies on the von Neumann architecture treating program and data as the same type. The Harvard architecture kept these as separate types. Some modern CPU s support this idea via a No Execute (NX) or Execute disabled (XD) bit on memory locations. If set, the hardware will not execute the memory location.

12 Network Defense: Deep packet Inspection Attacks typically come via the network. So we can have the firewall inspect user data to find known attacks long NoOp sequences in input data code to start a shell in input data But attackers are starting to cover their tracks and avoid detection: Shellcode that looks like English: Defense: Secure Programming Practice The best defense is not to have vulnerabilities: Use a type-safe language (e.g. Java) that does run-time array bounds checking use secure versions of C libraries (e.g. gets s) Secure_C_Library Better String Library Vstr library Libsafe Follow coding guidelines such as Cert Secure Coding Initiative: e.g. check code carefully for potential for array overflows

13 Static Analysis A Static Analysis system processes code based on its syntactic structure, to find a variety of common programming errors (e.g. use of gets, array bounds checking errors) (Cf. Dynamic analysis, done at runtime.) SA Vendors targetting security Fortify Coverity (Dept of Homeland Security project on Linux 2006) Downside: False negatives (does not catch all errors) False positive rate (reported errors that are not errors) may be high SQL Injection Attacks Another common software vulnerability, particularly in web code, which receives input fields entered by a user constructs a database query from the input fields executes the query against the database (SQL is a database query language)

14 Example Server code for a web page used for forgotten password retrieval: query := "SELECT password, from passwordtable WHERE username = " + user_input + " ";... run query in database.. if result ok then { send password to , return ("Password has been sent to"+ ) } else return ("No such username") If we enter user_input = "anything OR x = x" the query constructed is SELECT password, from passwordtable WHERE username = anything OR x = x which is guaranteed to retrieve the whole password table, and our code probably returns just the first (say bob@cse.unsw.edu)!

15 If we enter user_input = "bob AND password= hello123" the query constructed is SELECT password, from passwordtable WHERE username = bob AND password= hello123 and we get back ( Password has been sent to + ) just in case bob s password is hello123. Now we are running a password guessing attack! If we enter user_input = "anything ; DROP TABLE passwordtable the query constructed is SELECT password, from passwordtable WHERE username = anything ; DROP TABLE passwordtable which deletes the password table! (Denial of service)

16 Some examples of SQL injection attacks 2008 Sexual and Violent Offender Registry of Oklahoma loses 10,000+ Social Security numbers of sex offenders 2009: Albert Gonzalez + 2 Russians steal 130 Million credit card numbers from a credit card processor (Heartland), 7-Eleven, & a supermarket chain (Hannaford) 7-Safe UK security breach report 2010: 40% of attacks are SQL injection, another 20% SQL injection + malware Defensive Measures escape user input, i.e. wrap in top level quotes that override any internal quotes Filter user input, e.g., truncate at first, or deny data containing Instruction set randomization: Randomize keywords such as WHERE, derandomise before processing Construct query trees directly, using an API, rather than as strings to be parsed

17 Market in Vulnerabilties 2005: Microsoft Excel vulnerability offered on E-bay (auction stopped by E-Bay) Organizations that pay for vulnerability information: White Market: software vendors, Zero Day Initiative Grey Market: Governments Black Market: Organised Crime Tipping Point Zero-Day Initiative A researcher discovers a vulnerability, submits it to ZDI ZDI verifies the vulnerability, if real, makes an offer of $ to researcher. The researcher accepts the offer, assigns exclusivity of the information to ZDI Researcher is paid, TippingPoint notifies the affected vendor; Intrusion Prevention System protection filters are distributed to ZDI customers. Later, ZDI shares advance notice of the vulnerability to other security vendors prior to public disclosure. TippingPoint and the affected vendor coordinate public disclosure once a patch is ready.