CSE543 - Introduction to Computer and Network Security

Similar documents
Advanced System Security: Vulnerabilities

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

STING: Finding Name Resolution Vulnerabilities in Programs

Advanced Systems Security: Confused Deputy

Advanced Systems Security: Symbolic Execution

Advanced Systems Security: Ordinary Operating Systems

Practical Verification of System Integrity in Cloud Computing Environments

CMPSC 497 Buffer Overflow Vulnerabilities

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Advanced Systems Security: Ordinary Operating Systems

Advanced Systems Security: New Threats

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE 565 Computer Security Fall 2018

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

20: Exploits and Containment

Fundamentals of Computer Security

(Early) Memory Corruption Attacks

CSE 544 Advanced Systems Security

Software Security: Buffer Overflow Attacks

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Outline. Security as an economic good. Risk budgeting with ALE. Failure: Risk compensation. Failure: Displacement activity

CSE 565 Computer Security Fall 2018

Lecture 4 September Required reading materials for this class

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Memory Corruption Vulnerabilities, Part II

CSE 565 Computer Security Fall 2018

Secure Programming I. Steven M. Bellovin September 28,

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20,

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

OS Security III: Sandbox and SFI

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Secure Software Programming and Vulnerability Analysis

CSE 509: Computer Security

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Secure Software Development: Theory and Practice

File Systems. CSE 2431: Introduction to Operating Systems Reading: Chap. 11, , 18.7, [OSC]

CSE Computer Security

CSI 402 Lecture 11 (Unix Discussion on Files continued) 11 1 / 19

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Program Security and Vulnerabilities Class 2

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

CS 161 Computer Security

I m paranoid, but am I paranoid enough? Steven M. Bellovin October 2,

Secure Programming II. Steven M. Bellovin September 29,

Basic Buffer Overflows

CMSC 414 Computer and Network Security

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Memory Safety (cont d) Software Security

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Software Security: Buffer Overflow Defenses

Exploiting Unix File-System Races via Algorithmic Complexity Attacks

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Software Security; Common Implementation Flaws

Hackveda Training - Ethical Hacking, Networking & Security

Lecture files in /home/hwang/cs375/lecture05 on csserver.

SECURE PROGRAMMING TECHNIQUES. Race conditions. General terms. File access races. Network races. Multithreading. Signal handling races MEELIS ROOS 1

ISA564 SECURITY LAB. Code Injection Attacks

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

This exam contains 7 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

Buffer Overflow. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

C and C++ Secure Coding 4-day course. Syllabus

Race Condition Vulnerability Lab

CSE Computer Security (Fall 2006)

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus

RCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry:

VFS, Continued. Don Porter CSE 506

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2011.

Secure Architecture Principles

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Chapter 6. File Systems

CMPSC 497: Midterm Review

Lecture 1: Buffer Overflows

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

CMPSC 497 Other Memory Vulnerabilities

ECE 471 Embedded Systems Lecture 22

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

CS 161 Computer Security

UMSSIA LECTURE I: SOFTWARE SECURITY

This exam contains 8 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

Secure Software Programming and Vulnerability Analysis

Least-Privilege Isolation: The OKWS Web Server

SysSec. Aurélien Francillon

Transcription:

CSE543 - Introduction to Computer and Network Security Module: Software Vulnerabilities Professor Trent Jaeger 1

Programming Why do we write programs? Function What functions do we enable via our programs? Some we want -- some we don t need Adversaries take advantage of such hidden function 2

A Simple Program int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); 3

A Simple Program int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); What if packet is larger than 1000 bytes? 4

Address Space Layout Stack Heap Data Text Stack Can write the stack vars without limits Type Safety Can write outside a data structure using its reference Execution Integrity Can jump to arbitrary points in the program Function pointers Return addresses 5

Stack Frame Buffer Overflow How it works Previous Function Func Parameters Return Address Local Var Buffer Local Var New Rtn Evil Code Evil Code 6

Buffer Overflow Defense Previous Function Func Parameters Return Address CANARY Local Var Buffer Local Var Canary on the stack Random value placed between the local vars and the return address If canary is modified, program is stopped Alternative: How does this prevent return-to-libc? Are we done? 7

A Simple Program int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); What if packet is only 1004 bytes? 8

Overflow of Local Variables Don t need to modify return address Local variables may affect control What kinds of local variables would impact control? Ones used in conditionals (example) Function pointers What can you do to prevent that? 9

A Simple Program int authenticated = 0; char *packet = (char *)malloc(1000); while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); What if we allocate the packet buffer on the heap? 10

Heap Overflow Overflows may occur on the heap also Heap has data regions and metadata Attack Write over heap with target address (heap spraying) Hope that victim uses an overwritten function pointer before program crashes 11

Another Simple Program int size = BASE_SIZE; char *packet = (char *)malloc(1000); char *buf = (char *)malloc(1000+base_size); strcpy(buf, FILE_PREFIX); size += PacketRead(packet); if ( size < sizeof(buf)) { strcat(buf, packet); fd = open(buf); } Any problem with this conditional check? 12

Integer Overflow Signed variables represent positive and negative values Consider an 8-bit integer: -128 to 127 Weird math: 127+1 =??? This results in some strange behaviors size += PacketRead(packet) What is the possible value of size? if ( size < sizeof(buf)) { What is the possible result of this condition? How do we prevent these errors? 13

A Simple Program int authenticated = 0; char *packet = (char *)malloc(1000); while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessQuery( Select, partof(packet)); Any problem with this query request? 14

Parsing Errors Have to be sure that user input can only be used for expected function SQL injection: user provides a substring for an SQL query that changes the query entirely (e.g., add SQL operations to query processing) SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x'; Goal: format all user input into expected types and ranges of values Integers within range Strings with expected punctuation, range of values Many scripting languages convert data between types automatically -- are not type-safe -- so must be extra careful 15

Character Strings String formats Unicode ASCII -- 0x00 -- 0x7F non-ascii -- 0x80 -- 0xF7 Also, multi-byte formats Decoding is a challenge URL: [IPaddr]/scripts/..%c0%af../winnt/system32 Decodes to /winnt/system32 Markus Kuhn s page on Unicode resources for Linux www.cl.cam.ac.uk/~mgk25/unicode.html 16

Secure Programming David Wheeler s Secure Programming for Linux and UNIX Validate all input; Only execute application-defined inputs! Avoid buffer overflows (and other code injection problems) Minimize process privileges Carefully invoke other resources Send information back carefully Minimize Privilege Avoid Overflows Bad Validate Input Server Invoke Safely Worker Return little 17

Name Resolution Processes often use names to obtain access to system resources" A nameserver (e.g.,os) performs name resolution using namespace bindings (e.g., directory) to convert a name (e.g., filename) into a system resource (e.g., file)" Filesystem, System V IPC,! Namespace (filesystem)" P! open( /var/ mail/root ) Name! (filename)"! /! var! mail! root!! Bindings (directories)" Resource (file)" 18

Attacks on Name Resolution Improper Resource Attack! Adversary controls final resource in unexpected ways! Untrusted search paths (e.g., Trojan library), file squatting! Victim expects high integrity, gets low integrity instead! V root!! open( /var/ mail/root ) /! var!! mail! root! owner root A mail! 19

Attacks on Name Resolution Improper Resource Attack! Adversary controls final resource in unexpected ways! Untrusted search paths (e.g., Trojan library), file squatting! Victim expects high integrity, gets low integrity instead! V root!! open( /var/ mail/root ) /! var!! mail! root! owner mail A mail! 20

Attacks on Name Resolution Improper Binding Attack! Adversary controls bindings to redirect victim to a resource not under adversary s control (confused deputy)! Symbolic link, hard link attacks! Victim expects low integrity/secrecy, gets high instead! V root!! open( /var/ mail/root ) /! var!! mail! root! A mail! etc! passwd! 21

Attacks on Name Resolution Race Conditions! Adversary exploits non-atomicity in check and use of resource to conduct improper resource and improper binding attacks! Well-known TOCTTOU attacks! V root!! mail/root ) /! var!! mail! root! lstat( /var/ A mail! etc! passwd! 22

Attacks on Name Resolution Race Conditions! Adversary exploits non-atomicity in check and use of resource to conduct improper resource and improper binding attacks! Well-known TOCTTOU attacks! V root!! mail/root ) /! var!! mail! root! lstat( /var/ A mail! etc! passwd! 23

Attacks on Name Resolution Race Conditions! Adversary exploits non-atomicity in check and use of resource to conduct improper resource and improper binding attacks! Well-known TOCTTOU attacks!! V root! open( /var/ mail/root ) /! var!! mail! root! A mail! etc! passwd! 24

How Serious a Problem? Name resolution vulnerabilities accounts for 5-10% CVE entries each year! These are particularly hard to eradicate as they involve multiple parties! Programmers who write code! OS distributors who define access control policies! Administrators who configure end system! 25

Difficult to Prevent Manual checks can easily overlook vulnerabilities! But, misses already existing file squat!! 01 /* filename = /var/mail/root */ 02 /* First, check if file already exists */ 03 fd = open (filename, flg); 04 if (fd == -1) { 05 /* Create the file */ 06 fd = open(filename, O_CREAT O_EXCL); 07 if (fd < 0) { 08 return errno; 09 } 10 } 11 /* We now have a file. Make sure 12 we did not open a symlink. */ 13 struct stat fdbuf, filebuf; 14 if (fstat (fd, &fdbuf) == -1) 15 return errno; 16 if (lstat (filename, &filebuf) == -1) 17 return errno; 18 /* Now check if file and fd reference the same file, 19 file only has one link, file is plain file. */ 20 if ((fdbuf.st_dev!= filebuf.st_dev 21 fdbuf.st_ino!= filebuf.st_ino 22 fdbuf.st_nlink!= 1 23 filebuf.st_nlink!= 1 24 (fdbuf.st_mode & S_IFMT)!= S_IFREG)) { 25 error (_("%s must be a plain file 26 with one link"), filename); 27 close (fd); 28 return EINVAL; 29 } 30 /* If we get here, all checks passed. 31 Start using the file */ 32 read(fd,...) Squat during! create! Symbolic link! Hard link,! race conditions! 26

Fundamental Problem Security problems occur because low-integrity adversary processes share the same OS namespaces as high-integrity victim processes! Adversary processes attempt to affect name resolution of victim processes! Permissions for /var/mail! Group mail can create and delete files 27

STING Approach Thus, we have to actively change the namespace to create adversarial scenarios! And evaluate process response to scenario! We take inspiration from grey-box testing! Feed known adversarial inputs to programs and examine process response (e.g., detect SQL injection vulnerability)! Generate! Adversarial! Input! test ; drop table name; V! db.exec( drop table name ); Vulnerable!! Study! Program! Response! 28

Adversary Accessibility Under DAC adversary model! Only 4% (Fedora) and 5.7% (Ubuntu) of total name resolution entrypoints were accessible to adversaries! Only 0.3% (Fedora) and 0.9% (Ubuntu) of total name resolutions were vulnerable! 29

Vulnerabilities Found Program Vuln. Priv. Escalation Distribution Previously Entry DAC: uid->uid known dbus-daemon 2 messagebus->root Ubuntu Unknown landscape 4 landscape->root Ubuntu Unknown Startup scripts (3) 4 various->root Ubuntu Unknown mysql 2 mysql->root Ubuntu 1 Known mysql upgrade 1 mysql->root Ubuntu Unknown tomcat script 2 tomcat6->root Ubuntu Known lightdm 1 *->root Ubuntu Unknown bluetooth-applet 1 *->user Ubuntu Unknown java (openjdk) 1 *->user Both Known zeitgeist-daemon 1 *->user Both Unknown mountall 1 *->root Ubuntu Unknown mailutils 1 mail->root Ubuntu Unknown bsd-mailx 1 mail->root Fedora Unknown cupsd 1 cups->root Fedora Known abrt-server 1 abrt->root Fedora Unknown yum 1 sync->root Fedora Unknown x2gostartagent 1 *->user Extra Unknown 19 Programs 26 21 Unknown 30

Take Away Programs have function Adversaries can exploit unexpected functions Vulnerabilities due to malicious input Buffer overflows Heap overflows Injection attacks Is an integer overflow possible in type-safe languages? E.g., Java Vulnerabilities due to controlling name resolution Improper resource: file squatting, untrusted search path Improper bindings: link traversal and TOCTTOU 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback