Secure Programming I. Steven M. Bellovin September 28,

Similar documents
ECS 153 Discussion Section. April 6, 2015

CSE 565 Computer Security Fall 2018

Lecture 4 September Required reading materials for this class

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Analyzing Systems. Steven M. Bellovin November 26,

Software Security II: Memory Errors - Attacks & Defenses

Hacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CMSC 414 Computer and Network Security

Buffer overflow background

UMSSIA LECTURE I: SOFTWARE SECURITY

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Software Security: Buffer Overflow Defenses

Software and Web Security 1. Root Cause Analysis. Abstractions Assumptions Trust. sws1 1

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Static Vulnerability Analysis

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer overflow prevention, and other attacks

Secure Software Development: Theory and Practice

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

CMPSC 497 Buffer Overflow Vulnerabilities

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

CSE 565 Computer Security Fall 2018

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Heap Arrays. Steven R. Bagley

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Software Security: Buffer Overflow Attacks (continued)

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Advanced Buffer Overflow

Memory Safety (cont d) Software Security

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Outline. Security as an economic good. Risk budgeting with ALE. Failure: Risk compensation. Failure: Displacement activity

Foundations of Network and Computer Security

Software Security: Buffer Overflow Attacks

Runtime Defenses against Memory Corruption

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Program Security and Vulnerabilities Class 2

CSE 127 Computer Security

CS 161 Computer Security

Buffer Overflow Attacks

20: Exploits and Containment

Sungkyunkwan University

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Lecture 08 Control-flow Hijacking Defenses

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

Buffer overflows. Specific topics:

Program Structure I. Steven M. Bellovin November 14,

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Language Security. Lecture 40

Memory corruption countermeasures

CSC 252: Computer Organization Spring 2018: Lecture 9

Machine-Level Programming V: Buffer overflow

Security Architecture

1/31/2007 C. Edward Chow. CS591 Page 1

gcc hello.c a.out Hello, world gcc -o hello hello.c hello Hello, world

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Program Structure. Steven M. Bellovin April 3,

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Buffer Overflow Defenses

Reflections on using C(++) Root Cause Analysis

Program Structure I. Steven M. Bellovin November 8,

Buffer Overflows Defending against arbitrary code insertion and execution

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

One-Slide Summary. Lecture Outline. Language Security

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Black Hat Webcast Series. C/C++ AppSec in 2014

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Memory Corruption Vulnerabilities, Part I

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

Advanced Buffer Overflow

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

Programmer s Points to Remember:

Buffer Overflows. Buffers. Administrative. COMP 435 Fall 2017 Prof. Cynthia Sturton. Buffers

Computer Security. Robust and secure programming in C. Marius Minea. 12 October 2017

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Foundations of Network and Computer Security

Smashing the Buffer. Miroslav Štampar

Code Injection Attacks Buffer Overflows

Buffer Overflow & Format Strings

Topics in Software Security Vulnerability

Transcription:

Secure Programming I Steven M. Bellovin September 28, 2014 1

If our software is buggy, what does that say about its security? Robert H. Morris Steven M. Bellovin September 28, 2014 2

The Heart of the Problem For the typical programmer, crypto is the easy part There are standard solutions and standard libraries that can solve most such problems for you But every program is different How you write the programs, and how you combine them, are the most critical part of total system security Steven M. Bellovin September 28, 2014 3

It s All About the Software Most penetrations are due to buggy software Crypto won t help there: bad software trumps good crypto Design matters, too Steven M. Bellovin September 28, 2014 4

Three Separate Aspects Avoiding bugs Enforcing security Proper components and proper composition Steven M. Bellovin September 28, 2014 5

Avoiding Bugs Many simple bugs can be exploited to cause security problems (The C language is a large part of the problem) Some of the trouble is compounded by poor specifications Steven M. Bellovin September 28, 2014 6

Buffer Overflows Once responsible for about half of all security vulnerabilities; still a serious problem Fundamental problems: Character strings in C are actually arrays of chars There is no array bounds checking done in C Attacker s goal: overflow the array in a controlled fashion Steven M. Bellovin September 28, 2014 7

Stack Frame Return Address r l d \0 When a function is called, the return address is stored on the stack. Lower in memory, all local variables are stored. o w o h e l l Steven M. Bellovin September 28, 2014 8

Buffer Overflow l Return o Address w \0 v e r f If the array bounds are exceeded, the return address can be overwritten. a n o i s T h i s Steven M. Bellovin September 28, 2014 9

Buffer Overflow Attack 0x23Return 0x45Address 0x67 0x89 0x0D 0x0E 0x0F 0x10 0x09 0x0A 0x0B 0x0C 0x05 0x06 0x07 0x08 Put code in the early part of the buffer, then change the return address to point to it. When the function exits, the injected code is executed. 0x01 0x02 0x03 0x04 Steven M. Bellovin September 28, 2014 10

How Can Such Things Happen? C has lots of built-in functions that don t check array bounds Programmers frequently don t check, either The attacker supplies too-long input Steven M. Bellovin September 28, 2014 11

Sample Problematic Code char line[512];... gets(line); That s from the 4.3BSD fingerd command, exploited by the first Internet Worm in 1988... Steven M. Bellovin September 28, 2014 12

Bad versus Good gets() strcpy() strcat() sprintf() fgets() strncpy() strncat() snprintf() Steven M. Bellovin September 28, 2014 13

Java vs. C Java checks array bounds C# checks array bounds Go checks array bounds More or less everything but C and C++ check... Steven M. Bellovin September 28, 2014 14

Indirect Buffer Overflows void f(char *s) { sprintf(s, "..."); } void g() { char buf[128]; } f(buf); Function f doesn t even know the size of the array! Steven M. Bellovin September 28, 2014 15

Canaries Compiler trick available for gcc and Microsoft compilers Insert a random canary value between the return address and the rest of the stack frame Check if it s intact before returning Any stack-smash attack will have to overwrite the canary to get to the return address Use a different random value each time the program is executed Steven M. Bellovin September 28, 2014 16

Overwriting a Canary l Return o Address w \0 v ecanaryr f If the random canary is overwritten, the program will abort a n o i s T h i s Steven M. Bellovin September 28, 2014 17

ASLR: Address Space Layout Randomization Put stack at different random location each time program is executed Put heap at different random location as well Defeats attempts to address known locations But makes debugging harder Steven M. Bellovin September 28, 2014 18

Checking Code Look for suspect calls Use static checkers Use language feature like Perl s taint mode Steven M. Bellovin September 28, 2014 19

Taint Mode Optional feature in Perl Variables whose value comes from an untrusted source are marked as tainted Variables whose value comes (in part) from a tainted variable are also tainted Tainted values cannot be passed to sensitive routines Taints are removed via regular expression match; it is presumed that the expression will sanitize the data, and remove anything dangerous Steven M. Bellovin September 28, 2014 20

Stack versus Heap or BSS Storage Easiest to exploit if the buffer is on the stack Exploits for heap- or BSS-resident buffers are also possible, though they re harder Heap and BSS attacks not preventable with canaries (but there are analogous techniques to protect malloc()-allocated storage) Some operating systems can make such memory pages non-executable, which is a big help but that breaks some applications Steven M. Bellovin September 28, 2014 21

Issues for the Attacker Finding vulnerable programs NUL bytes Uncertainty about addresses Steven M. Bellovin September 28, 2014 22

Finding Vulnerable Programs Use nm and grep to spot use of dangerous routines Probe via very-long inputs Look at source or disassembed/decompiled code Steven M. Bellovin September 28, 2014 23

NUL Bytes C strings can t have embedded 0 bytes Some instructions do have 0 bytes, perhaps as part of an operand Solution: use different instruction sequence Steven M. Bellovin September 28, 2014 24

Address Uncertainty Pad the evil instructions with NOPs This is called a landing zone or a NOP sled Set the return address to anywhere in the landing zone Steven M. Bellovin September 28, 2014 25

Buffer Overflow: Summary You must check buffer lengths Where you can, use the safer library functions Write your own safe string library (there s no commonly-available standard) Use C++ and class String Use Java Use anything but raw C! Steven M. Bellovin September 28, 2014 26

History of Buffer Overflows Long-recognized as a security issue First very visible exploit: Robert T. Morris Internet Worm, November 1988. Popularized by Aleph One in November 1996; serious threat since then The attack is theoretically difficult, but there are canned exploit kits available Steven M. Bellovin September 28, 2014 27

Hoare s Turing Award Lecture, 1980 The first principle was security:... A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array.... I note with fear and horror that even in 1980, language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law. Steven M. Bellovin September 28, 2014 28

Can We Afford Array-Bounds Checking? Of course spend the Moore s Law benefit on something besides better video games Compiler optimizations often make the expense a lot less than you d think It s hard to do in C, though, because of array vs. pointer semantics Things like *p++ = *q++ are hard to check efficiently A bounds-checking C compiler has been written, but it s largely unused Steven M. Bellovin September 28, 2014 29

The Role of Specifications Contrast this: with File names may be up to 1024 bytes long File names may be up to 1024 bytes long; longer file names must be rejected The second form alerts the programmer to the real requirement Just as important, the second form alerts the tester to the requirement Testing is done against requirements! Steven M. Bellovin September 28, 2014 30

Format String Errors Suppose str is input to the program Wrong: printf(str); Right: printf("%s", str); Format strings can be dangerous... Note: other functions (i.e., syslog) also take format strings Steven M. Bellovin September 28, 2014 31

What s the Problem? Minor problem: metacharacters can confuse log files Here s an embedded newline in a username 12:34:56 Permission denied: user 12:34:xx Watch this crash! Bigger problem: %n Steven M. Bellovin September 28, 2014 32

The %n Problem Rather complex; I won t try to explain the details here Fundamental issue: %n writes to a variable the number of bytes printed thus far The statement printf("hello\n%n", &cnt) stores a 6 in integer variable cnt This can be used to overwrite memory locations Use tricks involving other references to (non-existent!) other arguments to let you write to someplace useful Steven M. Bellovin September 28, 2014 33

The Underlying Issues Problem 1: C has strange semantics The only defense is to know the language thoroughly You also have to know possible exploits There are integer overflow attacks, too Problem 2: programs don t always validate their inputs Steven M. Bellovin September 28, 2014 34

Input Validation Trust nothing supplied by the user Must define inputs before they can be checked A program whose behavior has not been specified cannot be buggy, only surprising. Example: is a newline a valid character in a username? Steven M. Bellovin September 28, 2014 35

Defenses Rigorously check all inputs against the specification Before that, of course, you need a spec (Specs can be buggy, too) Alternatively, use an earlier filter or check against a known-good list Steven M. Bellovin September 28, 2014 36

Filtering Example: fgets() stops at a newline; you can t find any embedded But watch for unterminated buffer what if the input line is too long? Note that argv has no such guarantee Email: check recipient name against valid user list no funny characters there Steven M. Bellovin September 28, 2014 37

Being Careful Near the Shell If user input is being passed to the shell, be especially careful Watch for popen() and system() Dangerous characters include: $ˆ&()={}[] ;: "?<>\ That s most of the special characters! You re always much better off with a good list than a bad list Example: on some Unix systems, ˆ is treated the same as. Why? Because on some models of Teletype, ˆ printed as, which looked similar to Steven M. Bellovin September 28, 2014 38

Knowing the Semantics Sometimes check that there are no / characters in a program name Why? To ensure that the reference is to a given directory Do you need to check \ as well? Will the program ever run on Windows? Note that URLs on Windows use /, but the file system uses \ Steven M. Bellovin September 28, 2014 39

Summary Trust nothing Specify acceptable inputs Check everything Understand the semantics of anything you invoke Try to use a better language than C Steven M. Bellovin September 28, 2014 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback