Secure Software Development: Theory and Practice

Similar documents
Basic Buffer Overflows

Software Security II: Memory Errors - Attacks & Defenses

finding vulnerabilities

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Program Security and Vulnerabilities Class 2

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

ISA564 SECURITY LAB. Code Injection Attacks

Lecture 4 September Required reading materials for this class

Fundamentals of Computer Security

Software Security: Buffer Overflow Attacks

One-Slide Summary. Lecture Outline. Language Security

Software Security: Buffer Overflow Defenses

Analysis/Bug-finding/Verification for Security

UMSSIA LECTURE I: SOFTWARE SECURITY

Secure Programming I. Steven M. Bellovin September 28,

Buffer overflow background

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CSE 565 Computer Security Fall 2018

20: Exploits and Containment

(Early) Memory Corruption Attacks

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CMPSC 497 Buffer Overflow Vulnerabilities

Software Security: Vulnerability Analysis

Computer Security Course. Midterm Review

Software Security: Buffer Overflow Attacks (continued)

Memory Safety (cont d) Software Security

CS 161 Computer Security

ECE 471 Embedded Systems Lecture 22

1/31/2007 C. Edward Chow. CS591 Page 1

Control Hijacking Attacks

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Language Security. Lecture 40

Software Security: Buffer Overflow Defenses and Miscellaneous

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

COMP 3704 Computer Security

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

18-600: Recitation #4 Exploits (Attack Lab)

CSE 509: Computer Security

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Lecture 08 Control-flow Hijacking Defenses

Runtime Defenses against Memory Corruption

Buffer Overflow. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

18-600: Recitation #4 Exploits

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow Vulnerability

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Basic Control Hijacking Attacks

Inject malicious code Call any library functions Modify the original code

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

CSCD 303 Fall Lecture 15 Buffer Overflows

Information Security CS 526

CS 161 Computer Security

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

Lecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems

Vulnerabilities. Code Injection - Buffer overflows. Some Commonly Exploitable Flaws

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE 127 Computer Security

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

Advanced Buffer Overflow

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Buffer overflows & friends CS642: Computer Security

Buffer overflows. Specific topics:

CS 161 Computer Security

NET 311 INFORMATION SECURITY

CSE 127 Computer Security

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Biography. Background

From Over ow to Shell

CSE 127 Computer Security

Basic Memory Corrup+on A3acks

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Software Security (cont.): Defenses, Adv. Attacks, & More

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

How to Sandbox IIS Automatically without 0 False Positive and Negative

Finding vulnerabilifes CS642: Computer Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CS 161 Computer Security

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

COMP 2355 Introduction to Systems Programming

in memory: an evolution of attacks Mathias Payer Purdue University

Security Lab. Episode 6: Format String Vulnerabilities. Jan Nordholz, Matthias Petschick, Julian Vetter

Transcription:

Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell

Software Security is a major problem!

Why writing secure code is hard?

Software bugs cost US economy $59.5 billion annually (NIST)

Not all bugs are equal! VS. Security bugs Benign functional bugs Why are security bugs more dangerous than other bugs?

Why security bugs are more dangerous? Security bugs allow attackers to cause serious damages: take over machines remotely, steal secrets, etc. malicious input victim computer Get root shell attacker

How do we deal with security bugs? Automatically find and fix bugs Topics of this class Monitor a system at runtime to detect and prevent exploits of bugs Accept that programs will have bugs and design the system to minimize damages Example: Sandboxes, privilege separation

Theory of bug finding

Finding bugs with Program analyzers Code Report Program Analyzer Spec/ Invariants Descriptions of different classes of bugs Type Line 1 mem leak 324 2 buffer oflow 4,353,245 3 sql injection 23,212 4 stack oflow 86,923 5 dang ptr 8,491 10,502 info leak 10,921

Automated bug detection: main challenges int main (int x, int y) { if (2*y!=x) What values of x and y will cause return -1; the program to reach here if (x>y+10) Return -1;. /* buggy code*/ } 1. Too many paths (may be infinite) 2. How will program analyzer find inputs that will reach different parts of code to be tested?

Automated bug detection: two options Static analysis Inspect code or run automated method to find errors or gain confidence about their absence Try to aggregate the program behavior over a large number of paths without enumerating them explicitly Dynamic analysis Run code, possibly under instrumented conditions, to see if there are likely problems Enumerate paths but avoid redundant ones

Static vs dynamic analysis Static Can consider all possible inputs Find bugs and vulnerabilities Can prove absence of bugs, in some cases Dynamic Need to choose sample test input Can find bugs and vulnerabilities Cannot prove their absence

Soundness & Completeness Property Definition Soundness Sound for reporting correctness Analysis says no bugs No bugs or equivalently There is a bug Analysis finds a bug Completeness Complete for reporting correctness No bugs Analysis says no bugs Recall: A B is equivalent to ( B) ( A)

Soundness & Completeness Unsound Sound Complete Reports all errors Reports no false alarms Undecidable May not report all errors Reports no false alarms Decidable Incomplete Reports all errors May report false alarms Decidable May not report all errors May report false alarms Decidable

When to find bugs? Cost of bug finding Credit: Andy Chou, Coverity

Practice of bug finding

Popular classes of security bugs Memory corruption attacks

Memory corruption attacks Attacker s goal: Take over target machine (e.g., web server) Execute arbitrary code on target by hijacking application control flow leveraging memory corruption Examples. Buffer overflow attacks Integer overflow attacks Format string vulnerabilities

What is needed Understanding C functions, the stack, and the heap. Know how system calls are made The exec() system call Attacker needs to know which CPU and OS used on the target machine: Our examples are for x86 running Linux or Windows Details vary slightly between CPUs and OSs: Little endian vs. big endian ( x86 vs. Motorola) Stack Frame structure (Unix vs. Windows)

Stack Frame high arguments return address stack frame pointer exception handlers local variables SP Stack Growth low

Linux process memory layout 0xC0000000 user stack %esp shared libraries 0x40000000 brk run time heap Loaded from exec unused 0x08048000 0

What are buffer overflows? Suppose a web server contains a function: void func(char *str) { char buf[128]; strcpy(buf, str); do-something(buf); When func() is called stack looks like: } argument: str return address stack frame pointer char buf[128] SP What happens if str is larger than 128?

Basic stack exploit Suppose *str is such that after strcpy stack looks like: high Program P Program P: exec( /bin/sh ) When func() exits, the user gets shell! Note: attack code P runs in stack. return address char buf[128] low

The NOP slide high Program P Problem: how does attacker determine ret-address? Solution: NOP slide Guess approximate stack state when func() is called Insert many NOPs before program P: nop, xor eax,eax, inc ax NOP Slide return address char buf[128] low

How to avoid buffer overflows? Rewrite software in a type safe language (Java, Rust) Use safer functions like strncpy instead of strcpy Difficult for existing (legacy) code Developer may make mistakes Confusing semantics for terminating NULL characters Automatically find them Static analysis tools: Coverity, CodeSoner... Dynamic analysis tools: AFL, libfuzzer... More details about detection techniques later in the semester

Structure of the class 1. Control & data flow analysis 2. Symbolic Execution 3. Fuzzing Program analysis Fundamentals Memory corruption attacks Web Attacks: XSS, SQL injection, and CSRF Semantic/logic bugs Side channel leaks Build tools for detecting classes of bugs DOS attack vectors Different classes of security bugs

Logistics Class webpage http://sumanj.info/secure_sw_devel.html TAs: Eugene Ang and Plaban Mohanty) Reading No text book, slides, and one/two papers per class Grading : Quizzes/programming assignments - 35% Midterm - 30% Group Project (3-4 students) - 30% Class participation - 5%

Summary In this class you will learn about: 1. Different classes of security bugs and their implications 2. State-of-the art of bug finding techniques 3. Using and customizing existing bug finding tools

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback