Advanced System Security: Vulnerabilities

Similar documents
CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Systems Security: Confused Deputy

STING: Finding Name Resolution Vulnerabilities in Programs

Advanced Systems Security: Symbolic Execution

Advanced Systems Security: Ordinary Operating Systems

CMPSC 497 Buffer Overflow Vulnerabilities

Advanced Systems Security: New Threats

Advanced Systems Security: Ordinary Operating Systems

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CSE 565 Computer Security Fall 2018

CSE 544 Advanced Systems Security

CMPSC 497 Other Memory Vulnerabilities

Memory Corruption Vulnerabilities, Part II

Fundamentals of Computer Security

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture 4 September Required reading materials for this class

OS Security III: Sandbox and SFI

ISA564 SECURITY LAB. Code Injection Attacks

Software Security: Buffer Overflow Attacks

Secure Software Programming and Vulnerability Analysis

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Secure Software Development: Theory and Practice

(Early) Memory Corruption Attacks

20: Exploits and Containment

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

RCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry:

VFS, Continued. Don Porter CSE 506

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

Outline. Security as an economic good. Risk budgeting with ALE. Failure: Risk compensation. Failure: Displacement activity

CSE 565 Computer Security Fall 2018

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

Secure Programming I. Steven M. Bellovin September 28,

Basic Buffer Overflows

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Software Security; Common Implementation Flaws

C and C++ Secure Coding 4-day course. Syllabus

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20,

CSI 402 Lecture 11 (Unix Discussion on Files continued) 11 1 / 19

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2011.

Buffer Overflow. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

CSE 565 Computer Security Fall 2018

File Systems. CSE 2431: Introduction to Operating Systems Reading: Chap. 11, , 18.7, [OSC]

Program Security and Vulnerabilities Class 2

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Software Security: Buffer Overflow Defenses

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

SECURE PROGRAMMING TECHNIQUES. Race conditions. General terms. File access races. Network races. Multithreading. Signal handling races MEELIS ROOS 1

Lecture files in /home/hwang/cs375/lecture05 on csserver.

Lecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems

CSE Computer Security

CMPSC 497: Midterm Review

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CMPSC 497 Attack Surface

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Advanced Systems Security: Control-Flow Integrity

CSE 509: Computer Security

Race Condition Vulnerability Lab

CS 161 Computer Security

CS 161 Computer Security

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

CMSC 414 Computer and Network Security

Hackveda Training - Ethical Hacking, Networking & Security

Memory Corruption 101 From Primitives to Exploit

Module: Safe Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

Intrusion Detection and Malware Analysis

Advanced Systems Security: Principles

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus

CS 3013 Operating Systems WPI, A Term Assigned: Friday, August 31, 2007 Due: Monday, September 17, 2007

12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

I m paranoid, but am I paranoid enough? Steven M. Bellovin October 2,

IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE

CS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!

Section 3: File I/O, JSON, Generics. Meghan Cowan

Secure Programming II. Steven M. Bellovin September 29,

Advanced Systems Security: Program Diversity

Syscalls, exceptions, and interrupts, oh my!

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Advanced Systems Security: Principles

CSE Computer Security (Fall 2006)

Software Security: Misc and Principles

Secure Architecture Principles

Is stack overflow still a problem?

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E

Transcription:

Advanced System Security: Vulnerabilities Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University CSE544 -Advanced Systems Security 1

Program Vulnerabilities What are properties of a program vulnerability? Program flaw Accessible to adversary Adversary is capable of exploiting 2

A Simple Program int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); 3

A Simple Program int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); What if packet is larger than 1000 bytes? 4

Address Space Layout Stack Heap Data Text Write beyond variable limit Can write the without limits in some languages Can impact values In heap, on stack, in data Can impact execution integrity Can jump to arbitrary points in the program Function pointers Return addresses 5

Stack Frame Buffer Overflow How it works Previous Function Func Parameters Return Address Local Var Buffer Local Var New Rtn Evil Code Evil Code 6

A Simple Program int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); What if packet is only 1004 bytes? 7

Overflow of Local Variables Don t need to modify return address Local variables may affect control What kinds of local variables would impact control? Ones used in conditionals (example) Function pointers 8

A Simple Program int authenticated = 0; char *packet = (char *)malloc(1000); while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); What if we allocate the packet buffer on the heap? 9

Heap Overflow Overflows may occur on the heap also Heap has data regions and metadata Attack Write over heap with target address (heap spraying) Hope that victim uses an overwritten function pointer before program crashes 10

Another Simple Program int size = BASE_SIZE; char *packet = (char *)malloc(1000); char *buf = (char *)malloc(1000+base_size); strcpy(buf, FILE_PREFIX); size += PacketRead(packet); if ( size < sizeof(buf)) { strcat(buf, packet); fd = open(buf); } Any problem with this conditional check? 11

Integer Overflow Signed variables represent positive and negative values Consider an 8-bit integer: -128 to 127 Weird math: 127+1 =??? This results in some strange behaviors size += PacketRead(packet) What is the possible value of size? if ( size < sizeof(buf)) { What is the possible result of this condition? How can an adversary leverage this? 12

A Simple Program int authenticated = 0; char *packet = (char *)malloc(1000); while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessQuery( Select, partof(packet)); Any problem with this query request? 13

Parsing Errors Have to be sure that user input can only be used for expected function SQL injection: user provides a substring for an SQL query that changes the query entirely (e.g., add SQL operations to query processing) SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x'; Goal: format all user input into expected types and ranges of values Integers within range Strings with expected punctuation, range of values Many scripting languages convert data between types automatically -- are not type-safe -- so must be extra careful 14

Character Strings String formats Unicode ASCII -- 0x00 -- 0x7F non-ascii -- 0x80 -- 0xF7 Also, multi-byte formats Decoding is a challenge URL: [IPaddr]/scripts/..%c0%af../winnt/system32 Decodes to /winnt/system32 Markus Kuhn s page on Unicode resources for Linux www.cl.cam.ac.uk/~mgk25/unicode.html 15

Secure Input Handling David Wheeler s Secure Programming for Linux and UNIX Validate all input; Only execute application-defined inputs! Avoid the various overflows Minimize process privileges Carefully invoke other resources Send information back carefully Minimize Privilege Avoid Overflows Bad Validate Input Server Invoke Safely Worker Return little 16

Program Vulnerabilities Whose fault are these flaws? Programmer OS distributor System administrator 17

Other Vulnerabilities These may also be the programmers fault Missing an authorization or authentication check Confused deputy Integrate untrustworthy code Logic errors Vet the provenance of command line arguments and environment variables But, the security policy provide accessibility and enables exploitation 18

Name Resolution Processes often use names to obtain access to system resources" A nameserver (e.g.,os) performs name resolution using namespace bindings (e.g., directory) to convert a name (e.g., filename) into a system resource (e.g., file)" Filesystem, System V IPC,! Namespace (filesystem)" P! open( /var/ mail/root ) Name! (filename)"! /! var! mail! root!! Bindings (directories)" Resource (file)" 19

Attacks on Name Resolution Improper Resource Attack! Adversary controls final resource in unexpected ways! Untrusted search paths (e.g., Trojan library), file squatting! Victim expects high integrity, gets low integrity instead! V root!! open( /var/ mail/root ) /! var!! mail! root! owner root A mail! 20

Attacks on Name Resolution Improper Resource Attack! Adversary controls final resource in unexpected ways! Untrusted search paths (e.g., Trojan library), file squatting! Victim expects high integrity, gets low integrity instead! V root!! open( /var/ mail/root ) /! var!! mail! root! owner mail A mail! 21

Attacks on Name Resolution Improper Binding Attack! Adversary controls bindings to redirect victim to a resource not under adversary s control (confused deputy)! Symbolic link, hard link attacks! Victim expects low integrity/secrecy, gets high instead! V root!! open( /var/ mail/root ) /! var!! mail! root! A mail! etc! passwd! 22

Attacks on Name Resolution Race Conditions! Adversary exploits non-atomicity in check and use of resource to conduct improper resource and improper binding attacks! Well-known TOCTTOU attacks! V root!! mail/root ) /! var!! mail! root! lstat( /var/ A mail! etc! passwd! 23

Attacks on Name Resolution Race Conditions! Adversary exploits non-atomicity in check and use of resource to conduct improper resource and improper binding attacks! Well-known TOCTTOU attacks!! V root! open( /var/ mail/root ) /! var!! mail! root! A mail! etc! passwd! 24

Difficult to Prevent Manual checks can easily overlook vulnerabilities! But, misses already existing file squat!! 01 /* filename = /var/mail/root */ 02 /* First, check if file already exists */ 03 fd = open (filename, flg); 04 if (fd == -1) { 05 /* Create the file */ 06 fd = open(filename, O_CREAT O_EXCL); 07 if (fd < 0) { 08 return errno; 09 } 10 } 11 /* We now have a file. Make sure 12 we did not open a symlink. */ 13 struct stat fdbuf, filebuf; 14 if (fstat (fd, &fdbuf) == -1) 15 return errno; 16 if (lstat (filename, &filebuf) == -1) 17 return errno; 18 /* Now check if file and fd reference the same file, 19 file only has one link, file is plain file. */ 20 if ((fdbuf.st_dev!= filebuf.st_dev 21 fdbuf.st_ino!= filebuf.st_ino 22 fdbuf.st_nlink!= 1 23 filebuf.st_nlink!= 1 24 (fdbuf.st_mode & S_IFMT)!= S_IFREG)) { 25 error (_("%s must be a plain file 26 with one link"), filename); 27 close (fd); 28 return EINVAL; 29 } 30 /* If we get here, all checks passed. 31 Start using the file */ 32 read(fd,...) Squat during! create! Symbolic link! Hard link,! race conditions! 25

Fundamental Problem Security problems occur because low-integrity adversary processes share the same OS namespaces as high-integrity victim processes! Adversary processes attempt to affect name resolution of victim processes! Permissions for /var/mail! Group mail can create and delete files 26

How Serious a Problem? Name resolution vulnerabilities accounts for 5-10% CVE entries each year! These are particularly hard to eradicate as they involve multiple parties! Programmers who write code! OS distributors who define access control policies! Administrators who configure end system! 27

Adversary Accessibility Under DAC adversary model! Only 4% (Fedora) and 5.7% (Ubuntu) of total name resolution entrypoints were accessible to adversaries! Only 0.3% (Fedora) and 0.9% (Ubuntu) of total name resolutions were vulnerable! 28

Take Away Vulnerabilities occur when A program flaw Is accessible to an adversary Who can exploit it Some vulnerabilities are caused by programmer errors But if compiler passes it is it a programmer error? And some logic errors are difficult to tease out Adversary accessibility is an important consideration Name resolution vulnerabilities are only possible in few cases Ambiguous, non-atomic APIs make vulnerabilities common in those cases 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback