"Secure" Coding Practices Nicholas Weaver

Similar documents
Memory Safety (cont d) Software Security

Software Security: Defenses

Software Security: Defenses

CS 161 Computer Security

Testing. Prof. Clarkson Fall Today s music: Wrecking Ball by Miley Cyrus

Midterm 1 Review. Memory Safety & Web Attacks

CSE 565 Computer Security Fall 2018

CS 161 Computer Security. Security Throughout the Software Development Process

Computer Security Course. Midterm Review

Lecture 4 September Required reading materials for this class

Lecture 3 Notes Arrays

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Buffer overflow background

17. Assertions. Outline. Built-in tests. Built-in tests 3/29/11. Jelle Slowack, Bart Smets, Glenn Van Loon, Tom Verheyen

18-642: Code Style for Compilers

17. Assertions. Jelle Slowack, Bart Smets, Glenn Van Loon, Tom Verheyen

Information page for written examinations at Linköping University

Secure Software Development: Theory and Practice

CS 142 Style Guide Grading and Details

Required reading: StackGuard: Simple Stack Smash Protection for GCC

Analysis of MS Multiple Excel Vulnerabilities

Regression testing. Whenever you find a bug. Why is this a good idea?

Software Engineering Testing and Debugging Testing

Introduction to Linked Lists. Introduction to Recursion Search Algorithms CS 311 Data Structures and Algorithms

CS 161 Computer Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer Overflow Defenses

Software Security: Vulnerability Analysis

Lecture Notes on Arrays

Chapter 3.4: Exceptions

Buffer overflow prevention, and other attacks

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Language Security. Lecture 40

Semantic Analysis Type Checking

CS 161 Computer Security

Software Engineering

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Arrays and Memory Management

Program Verification (6EC version only)

C Bounds Non-Checking. Code Red. Reasons Not to Use C. Good Reasons to Use C. So, why would anyone use C today? Lecture 10: *&!

Abstraction and Specification

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Outline. Introduction Concepts and terminology The case for static typing. Implementing a static type system Basic typing relations Adding context

Inline Reference Monitoring Techniques

Overflows, Injection, & Memory Safety

Engineering Your Software For Attack

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

Unit Testing as Hypothesis Testing

Softwaretechnik. Lecture 08: Testing and Debugging Overview. Peter Thiemann SS University of Freiburg, Germany

SoK: Eternal War in Memory

Administrivia. Introduction to Computer Systems. Pointers, cont. Pointer example, again POINTERS. Project 2 posted, due October 6

Softwaretechnik. Lecture 08: Testing and Debugging Overview. Peter Thiemann SS University of Freiburg, Germany

CSE 565 Computer Security Fall 2018

Protection. Thierry Sans

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

Agenda. Peer Instruction Question 1. Peer Instruction Answer 1. Peer Instruction Question 2 6/22/2011

Assertions, pre/postconditions

CSE 153 Design of Operating Systems

Black Hat Webcast Series. C/C++ AppSec in 2014

Formal Verification Techniques for GPU Kernels Lecture 1

Program Verification! Goals of this Lecture! Words from the Wise! Testing!

When Brunel s ship the SS Great Britain was launched into the River Thames, it made such a splash that several spectators on the opposite bank were

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

CS 520 Theory and Practice of Software Engineering Fall 2018

Testing! The material for this lecture is drawn, in part, from! The Practice of Programming (Kernighan & Pike) Chapter 6!

An Attack Surface Driven Approach to Evaluation

CS 161 Computer Security

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

Steps for project success. git status. Milestones. Deliverables. Homework 1 submitted Homework 2 will be posted October 26.

Testing! The material for this lecture is drawn, in part, from! The Practice of Programming (Kernighan & Pike) Chapter 6!

CS 161 Computer Security

CMSC 414 Computer and Network Security

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

Exceptions and Testing Michael Ernst Saman Amarasinghe

One-Slide Summary. Lecture Outline. Language Security

Lecture 8 Data Structures

Lecture 10 Design by Contract

Static Analysis in Practice

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

18-642: Security Mitigation & Validation

Hardware versus software

MSO Lecture Design by Contract"

Security Principles & Sandboxes

Who is our rival? Upcoming. Testing. Ariane 5 rocket (1996) Ariane 5 rocket 3/8/18. Real programmers need no testing!

COSC Software Engineering. Lecture 16: Managing Memory Managers

Important From Last Time

Page 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?

Software Security: Buffer Overflow Defenses

Unit Testing as Hypothesis Testing

Secure Programming I. Steven M. Bellovin September 28,

Lecture 14 Notes. Brent Edmunds

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Important From Last Time

C++ Undefined Behavior What is it, and why should I care?

Reversed Buffer Overflow Cross Stack Attacks. Kris Kaspersky Endeavor Security, Inc.

ECS 153 Discussion Section. April 6, 2015

Transcription:

"Secure" Coding Practices based on David Wagner s slides from Sp 2016 1

Administrivia Computer Science 161 Fall 2016 2

3

This is a Remarkably Typical C Problem Computer Science 161 Fall 2016 if ((options == ( WCLONE WALL)) && (current->uid = 0)) retval = -EINVAL; Someone attempted to add this checking code into the Linux kernel back in 2003 It goes caught only because they didn't have proper write permission so it was flagged as anomalous If you use the proper compiler flags, it should gripe when you do this 4

Why does software have vulnerabilities? Computer Science 161 Fall 2016 Programmers are humans. And humans make mistakes. Use tools Programmers often aren t security-aware. Learn about common types of security flaws. Programming languages aren t designed well for security. Use better languages (Java, Python, ). 5

Testing for Software Security Issues Computer Science 161 Fall 2016 What makes testing a program for security problems difficult? We need to test for the absence of something Security is a negative property! nothing bad happens, even in really unusual circumstances Normal inputs rarely stress security-vulnerable code How can we test more thoroughly? Random inputs (fuzz testing) Mutation Spec-driven How do we tell when we ve found a problem? Crash or other deviant behavior How do we tell that we ve tested enough? Hard: but code-coverage tools can help 6

Testing for Software Security Issues Computer Science 161 Fall 2016 What makes testing a program for security problems difficult? We need to test for the absence of something Security is a negative property! nothing bad happens, even in really unusual circumstances Normal inputs rarely stress security-vulnerable code How can we test more thoroughly? Random inputs (fuzz testing) Mutation Spec-driven How do we tell when we ve found a problem? Crash or other deviant behavior How do we tell that we ve tested enough? Hard: but code-coverage tools can help 7

Test For Failures... Not Just Successes Computer Science 161 Fall 2016 Think about how your program might fail, not just succeed Because the bad guys are going to look there "Edge cases" are where your problems likely lie Either barely erroneous or barely correct E.g. if your function accepts strings up to length n Be sure to test lengths 0, 1, n-1, n, n+1, 2n-1, 2n, and 2n+1 A good guide by @eevee: https://eev.ee/blog/2016/08/22/testing-for-people-who-hate-testing/ 8

This Applies to Both Sides... Computer Science 161 Fall 2016 When making your program robust, think like an attacker would "Hmm, what if I spew random junk?" "Hmm, what if I go for obvious corner cases?" When attacking software, think like a dumb programmer? "Hmm, what mistakes have I made in the past? Lets try those!" 9

Try to Eliminate entire classes of problems Computer Science 161 Fall 2016 Stack Overflows: Turn on compiler protections Memory corruption attacks more generally Use a safe language Or barring that, turn on ALL defenses: W^X/DEP + 64b ASLR + put a timeout on crash recovery SQL Injection Only use parameterized SQL libraries 10

Working Towards Secure Systems Computer Science 161 Fall 2016 Along with securing individual components, we need to keep them up to date What s hard about patching? Can require restarting production systems Can break crucial functionality Vendor regression tests should prevent this but don't always! Management burden: It never stops (the patch treadmill ) User burden: "Flaw in Flash, you need to manually update it..." But absolutely essential: 0-days are pricey, N-days are free 11

Working Towards Secure Systems Computer Science 161 Fall 2016 Along with securing individual components, need to keep them up to date What s hard about patching? Can require restarting production systems Can break crucial functionality Management burden: It never stops (the patch treadmill ) and can be difficult to track just what s needed where Other (complementary) approaches? Vulnerability scanning: probe your systems/networks for known flaws Penetration testing ( pen-testing ): pay someone to break into your systems provided they take excellent notes about how they did it! 13

Reasoning About Safety Computer Science 161 Fall 2016 How can we have confidence that our code executes in a safe (and correct, ideally) fashion? Approach: build up confidence on a function-by-function / module-by-module basis Modularity provides boundaries for our reasoning: Preconditions: what must hold for function to operate correctly Postconditions: what holds after function completes These basically describe a contract for using the module Notions also apply to individual statements (what must hold for correctness; what holds after execution) Stmt #1 s postcondition should logically imply Stmt #2 s precondition Invariants: conditions that always hold at a given point in a function 15

int deref(int *p) { return *p; Precondition? 16

/* requires: p!= NULL (and p a valid pointer) */ int deref(int *p) { return *p; Precondition: what needs to hold for function to operate correctly 17

void *mymalloc(size_t n) { void *p = malloc(n); if (!p) { perror("malloc"); exit(1); return p; Postcondition? 18

/* ensures: retval!= NULL (and a valid pointer) */ void *mymalloc(size_t n) { void *p = malloc(n); if (!p) { perror("malloc"); exit(1); return p; Postcondition: what the function promises will hold upon its return 19

int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; Precondition? 20

int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function 21

int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; General correctness proof strategy for memory safety: (1) Identify each point of memory access? (2) Write down precondition it requires (3) Propagate requirement up to beginning of function 22

int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function 23

int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /*?? */ total += a[i]; return total; General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires? (3) Propagate requirement up to beginning of function 24

int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: a!= NULL && 0 <= i && i < size(a) */ total += a[i]; return total; General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function 25

int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: a!= NULL && 0 <= i && i < size(a) */ total += a[i]; return total; General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function? 26

int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: a!= NULL && 0 <= i && i < size(a) */ total += a[i]; return total; Let s simplify, given that a never changes. (It gets much worse when we have multiple threads) 27

/* requires: a!= NULL */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: 0 <= i && i < size(a) */ total += a[i]; return total; 28

/* requires: a!= NULL */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: 0 <= i && i < size(a) */ total += a[i]; return total; General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function? 29

/* requires: a!= NULL */ int sum(int a[], size_t n) {? int total = 0; for (size_t i=0; i<n; i++) /* requires: 0 <= i && i < size(a) */ total += a[i]; return total; General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function? 30

/* requires: a!= NULL */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: 0 <= i && i < size(a) */ total += a[i]; return total; General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function? 31

/* requires: a!= NULL */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: 0 <= i && i < size(a) */ total += a[i]; return total; The 0 <= i part is clear, so let s focus for now on the rest. 32

/* requires: a!= NULL */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: i < size(a) */ total += a[i]; return total; 33

/* requires: a!= NULL */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: i < size(a) */ total += a[i]; return total; General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function?? 34

/* requires: a!= NULL */ int sum(int a[], size_t n) { int total = 0;? for (size_t i=0; i<n; i++) /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function? 35

/* requires: a!= NULL */ int sum(int a[], size_t n) { int total = 0;? for (size_t i=0; i<n; i++) /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; How to prove our candidate invariant? n <= size(a) is straightforward because n never changes. 36

/* requires: a!= NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++)? /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; 37

/* requires: a!= NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++)? /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; What about i < n? 38

/* requires: a!= NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++)? /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; What about i < n? That follows from the loop condition. 39

/* requires: a!= NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0;? for (size_t i=0; i<n; i++) /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; At this point we know the proposed invariant will always hold... 40

/* requires: a!= NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* invariant: a!= NULL && 0 <= i && i < n && n <= size(a) */ total += a[i]; return total; and we re done! 41

/* requires: a!= NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* invariant: a!= NULL && 0 <= i && i < n && n <= size(a) */ total += a[i]; return total; A more complicated loop might need us to use induction: Base case: first entrance into loop. Induction: show that postcondition of last statement of loop plus loop test condition implies invariant. 42

int sumderef(int *a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += *(a[i]); return total; 43

/* requires: a!= NULL && size(a) >= n &&??? */ int sumderef(int *a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += *(a[i]); return total; 44

/* requires: a!= NULL && size(a) >= n && for all j in 0..n-1, a[j]!= NULL */ int sumderef(int *a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += *(a[i]); return total; 45

char *tbl[n]; /* N > 0, has type int */ Computer Science 161 Fall 2016 int hash(char *s) { int h = 17; while (*s) h = 257*h + (*s++) + 3; return h % N; bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); 46

char *tbl[n]; Computer Science 161 Fall 2016 /* ensures:??? */ int hash(char *s) { int h = 17; while (*s) h = 257*h + (*s++) + 3; return h % N; What is the correct postcondition for hash()? bool (a) 0 <= search(char retval < N, (b) *s) 0 <= { retval, (c) int retval i = < N, hash(s); (d) none of the above. Discuss return with tbl[i] a partner. && (strcmp(tbl[i], s)==0); 47

char *tbl[n]; Computer Science 161 Fall 2016 /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; while (*s) h = 257*h + (*s++) + 3; return h % N; bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); 48

char *tbl[n]; Computer Science 161 Fall 2016 /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) h = 257*h + (*s++) + 3; return h % N; bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); 49

char *tbl[n]; Computer Science 161 Fall 2016 /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; return h % N; bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); 50

char *tbl[n]; Computer Science 161 Fall 2016 /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); 51

char *tbl[n]; Computer Science 161 Fall 2016 /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; /* 0 <= retval < N */ bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); 52

char *tbl[n]; Computer Science 161 Fall 2016 /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <=? h */ return h % N; /* 0 <= retval < N */ bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); 53

char *tbl[n]; Computer Science 161 Fall 2016 /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; /* 0 <= retval < N */ bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); 54

char *tbl[n]; Computer Science 161 Fall 2016 /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; /* 0 <= retval < N */ bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); 55

char *tbl[n]; Computer Science 161 Fall 2016 /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; /* 0 <= retval < N */ bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); 56

char *tbl[n]; Computer Science 161 Fall 2016 /* ensures: 0 <= retval && retval < N */ unsigned int hash(char *s) { unsigned int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; /* 0 <= retval < N */ bool search(char *s) { unsigned int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); 57

void foo(int *a){ int i, j, sum; sum = 0; j = 0; for(i = 1; i < 10; ++i){ sum += a[j]; j = a[j]; 58

Common Coding Errors Computer Science 161 Fall 2016 Memory safety vulnerabilities In a "safe" language they cause immediate faults May result in a "denial of service", aka crash, but not control flow hijack In an "unsafe" language they may cause unpredictable (and likely exploitable) errors Input validation vulnerabilities "You mean you trusted me when I said my name was "robert'); drop table students;--??!?" Time-of-Check to Time-of-Use (TOCTTOU) vulnerability (later) 59

Input Validation Vulnerabilities Computer Science 161 Fall 2016 Program requires certain assumptions on inputs to run properly Programmer forgets to check inputs are valid => program gets exploited Example: Bank money transfer: Check that amount to be transferred is nonnegative and no larger than payer s current balance SQLi: Accept string as input into an SQL command Format String vulnerability: Accept string as the format string for printf 60

If Time Left: Real World Security Research: Click Trajectories Computer Science 161 Fall 2016 61

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback