alec muffett programming holes programming goofs that
play

Alec Muffett Programming Holes PROGRAMMING GOOFS THAT WILL HOSE - PowerPoint PPT Presentation

Oct 10, 2022 •221 likes •673 views

Alec Muffett Programming Holes PROGRAMMING GOOFS THAT WILL HOSE YOUR SYSTEM SECURITY (a purely personal viewpoint) ALEC MUFFETT http://www.users.dircon.co.uk/~alecm/ Alec Muffett Programming Holes Muffetts Observation: "Frequently

  1. Alec Muffett Programming Holes

  2. PROGRAMMING GOOFS THAT WILL HOSE YOUR SYSTEM SECURITY (a purely personal viewpoint) ALEC MUFFETT http://www.users.dircon.co.uk/~alecm/ Alec Muffett Programming Holes

  3. Muffett’s Observation: "Frequently the most important or critical applications in a network are run on the least secure machines, due to lack of upgrades/patches, mandated by the very criticality of the application..." Alec Muffett Programming Holes

  4. Statements for discussion: "99.9% of bugs are avoidable" (sacrifice the remaining 0.1% to Goedel) "most of these are due to sloppy programming" "we do not learn the lessons of security, even with hindsight and in the aftermath of really major security incidents..." "amongst the prime causes of this are commercial O/Ses, legacy apps, and ignorance" Alec Muffett Programming Holes

  5. The really irritating thing about computer security: THE SAME PROBLEMS COME UP AGAIN AND AGAIN AND AGAIN AND AGAIN AND AGAIN AND AGAIN AND AGAIN Alec Muffett Programming Holes

  6. The same attacks on networked hosts that were used in the 70s, 80s and early 90s are still in use today and moreover get conceptually re-used to attack new protocols (gopher, http, ???) in the same way as older ones (smtp, ftp) WHY? Alec Muffett Programming Holes

  7. Because: - programmers are ignorant when leaving college - companies can sell widgets better than security to the marketplace - legacy apps hamper us (try to convince a vendor to drop sendmail) - legislation ties up technologies that can help (eg: US crypto export) ...AND... Alec Muffett Programming Holes

  8. (#pragma personal_cynicism 1) I strongly suspect that nobody really cares* (*except for the people who have to clear up the mess) Alec Muffett Programming Holes

  9. So what are the problems which keep returning? - viruses (not dealt with by me) - stack overwriting - trusting insanitary data - authentication spoofing (direct or indirect) - OVERPOWERFUL SOFTWARE RUNNING WITH EXCESS PRIVILEGE ...and poor encryption session key generation not covered in this presentation 1st rev. Alec Muffett Programming Holes

  10. Viruses - not really my forte - possibly the one form of security bug that is more "social" than "erroneous" in nature - like life: so long as there is exchange of data there will be the possibility that something nasty is piggybacking a ride, inside Alec Muffett Programming Holes

  11. Stack Overruns - blame squarely on the head of the programmer - can cause: - denial of service - system crash (at protocol level) - hacker infestation Alec Muffett Programming Holes

  12. Stack Overruns - common causes: - gets() (Morris Worm) - sprintf() - strcat() - strcpy() - insanitary calls to read() ...into small/undersized memory buffers Alec Muffett Programming Holes

  13. Stack Overruns before buffer for read() stack growth return address for routine padding landing pad of NOPs viral code after Diagram Alec Muffett Programming Holes

  14. Stack Overflows - require certain creative bent to programming - viral payload usually hand-tooled assembler code - circumstances may dictate that payload contains no NLs, CRs, NULs, etc... can lead to very creative solutions - ...but any moron can execute one that is packaged up adequately. Alec Muffett Programming Holes

  15. Stack Overflows - instances: Morris Worm: unbounded gets() on socket Sendmail: syslog() routine called strcat() on unbounded data read from socket Ping: NIS+ host resolver library did sprintf() on argv[1] from command line; instant SUID hack, no network involved. (nb: made more subtle as required DLLs) Alec Muffett Programming Holes

  16. Stack Overflows Probably the most straightforward of the major holes that we will be looking at today Alec Muffett Programming Holes

  17. Insanitary Data - Far more subtle class of bugs - generally due to meddling/trusting things that are beyond your control in the first case... - so what *is* under your control? Alec Muffett Programming Holes

  18. Under your control? A good question, nearly metaphysical: - files/filestore? - input streams? - environment variables? - executable code? Alec Muffett Programming Holes

  19. Files under your control? Maybe, but watch out for: - user-provided filenames direct input or thru env vars (PATH, termcap/terminfo, "at") - fixed filenames directory perms, time races in code ("ps", "mail", ...) - filestore perms holding config files or parent directories thereof. ("chmod 777 /", GID of "/etc") Alec Muffett Programming Holes

  20. Environment under your control? No! - Do not expect contents of an env var to be sane - Remember that env vars will propagate to child processes - Be suspicious of your ability to unset a variable before forking a child PATH=/bin:/usr/bin:... IFS=/ IFS=/ (multiple instance) ... Alec Muffett Programming Holes

  21. Environment under your control? Only sane way to approach env vars: 1) do not trust anything 2) do not propagate anything that you did not create "everything is forbidden except that which is explicitly permitted" Alec Muffett Programming Holes

  22. Input under your control? No! - Data servers that are subvertable (DNS, NIS, NFS, Kerberos) - old days: TIOCSTI - new days: TCP segment injection/spoof - inbound spams (see further down) "who knows what’s coming down the pipe next?" Alec Muffett Programming Holes

  23. Cinderella Attack - forge (eg:) poorly-authenticated NTP packets. - use this method to wind the clock on the target host forward to yr 2000-odd - software licenses for security software on target machine expire - firewall bastion host turns into pumpkin - network turns into pumpkin pie. Alec Muffett Programming Holes

  24. Code under your control? Alas, probably not. - stack overflows/buffer spams - new dynamism: - shared libraries (LD_PRELOAD, LC_COLLATE, runpath, LD_LIBRARY_PATH, ...) - ever since we gave users dl_open() or similar... Alec Muffett Programming Holes

  25. DON’T TRUST ANYTHING (and yes, your code really *does* matter, it *is* important to know this) Alec Muffett Programming Holes

  26. Inbound Record Delimiters - one of the great, perpetual mistakes - totally obvious when it is explained, but re-occurs a lot; either programmers forget that the problem exists, or become blithe in their trust of some other service which leaves them open to subversion. Alec Muffett Programming Holes

  27. Inbound record delimiters bug, 1970s IFS variable; field separators define notion of "whitespace", in a shellscript... IFS=/ ; /bin/ls -> "bin" "ls" so, create /tmp/bin that does something nasty, and: export PATH=/tmp:$PATH export IFS=/ suidscriptname # calls /bin/ls, invokes "/tmp/bin" ...works for any char, eg: "IFS=n" -> "/bi" "/ls" Alec Muffett Programming Holes

  28. Inbound record delimiters bug, 1980s DNS reverse lookup hostname set to: \nR"|/bin/sed -e ’1,/^$/d’|/bin/sh"\nHxx: Text interpolates into Sendmail’s control file: HReceived-from: HOSTNAME.site.domain becomes: HReceived-from: R"|/bin/sed -e ’1./^$/d’|/bin/sh" Hxx: .site.domain ...makes bogus recipient record in config, due to lack of checking for newlines in input. Alec Muffett Programming Holes

  29. Viral input bug, 1980s - Log into NIC to do "whois" query... @ whois ‘/bin/sh < /dev/tty >/dev/tty 2>&1‘ ...escapes from captive environment. Alec Muffett Programming Holes

  30. Viral input bug, 1990s http://site/cgi-bin/foo?%60rm+%2Drf+%2F%60 (‘rm -rf /‘ gets eval’ed by poor CGI script) ...worse still... http://site/cgi-bin/perl?... Alec Muffett Programming Holes

  31. Authentication Spoofing - What does this mean? Broad definition: - meddling with an established communications channel - forging credentials to lie about who you are - cheating an authentication process Alec Muffett Programming Holes

  32. Authentication Spoofing Examples: - sniffing/guessing reusable passwords - replaying authentication cookies eg: HTML document passwords == b64encode("username:password") - pre-empting challenge/response schemes eg: hijacking S/Key sessions (aka: "beat the clock") - TCP stream hijacking or resetting thru forged addresses or sequence nos Alec Muffett Programming Holes

  33. TCP/IP IS NOT FIT FOR USE AS AN AUTHENTICATOR Alec Muffett Programming Holes

  34. SO WHY DO PEOPLE PERSIST IN USING IT AS IF IT WERE? Alec Muffett Programming Holes

  35. By now, you should be able to tell me. 8-) Alec Muffett Programming Holes

  36. Spoofing Example - How many people know that "#" is not a legal character in a .rhosts file? - Tweak DNS: #.foo.ac.uk 28800 CNAME host.foo.ac.uk. $ ping # host.foo.ac.uk is alive - Go one step further, set "#" as reverse A-record, and log into any host with a bad .rhosts file... Alec Muffett Programming Holes

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WAN HACKING with AutoHack - auditing security behind the firewall Alec Muffett Network Security

WAN HACKING with AutoHack - auditing security behind the firewall Alec Muffett Network Security

WAN-Hacking with AutoHack - Alec Muffett, USENIX Security Symposium 95 WAN HACKING with AutoHack - auditing security behind the firewall Alec Muffett Network Security Group Sun Microsystems Alec.Muffett@UK.Sun.COM alec@hicom.org

651 views • 9 slides
? P12 2 Getting Started/Lab Programming Lab Programming Program of Requirements PRELIMINARY

? P12 2 Getting Started/Lab Programming Lab Programming Program of Requirements PRELIMINARY

2 Getting Started/Lab Programming MODULE 2 LAB PROGRAMMING October 2013 2 Getting Started/Lab Programming 1. Getting Started 2. Scoping the Project 3. Lab Programming What is programming? Information gathering Organizing and

526 views • 36 slides
Network Programming Network Programming as Programming across Machine Boundaries The

Network Programming Network Programming as Programming across Machine Boundaries The

CPSC-313: Introduction to Computer Systems Networking Programming Network Programming Network Programming as Programming across Machine Boundaries The Sockets API Reliable Communication Channels: TCP Dangerous at any Speed;

552 views • 14 slides
Dynamic Programming Has nothing to do with programming in the way we normally use that term

Dynamic Programming Has nothing to do with programming in the way we normally use that term

Dynamic Programming Has nothing to do with programming in the way we normally use that term Dynamic Programming More like TV programming (scheduling) Filling in a table Chapter 16 Algorithm design technique CPTR 318 1 2

462 views • 6 slides
Programming language shapes Programming thought programming languages are not merely

Programming language shapes Programming thought programming languages are not merely

CMPS 112: Spring 2019 Comparative Programming Languages Lecture 1: Course Overview. Owen Arden UC Santa Cruz A Programming Language Two variables L1: x++; x , y y--; Three operations (y=0)?L2:L1 x++ L2:

476 views • 18 slides
+ f(x) = Python Functional Programming Python Functional Programming Functional Programming by

+ f(x) = Python Functional Programming Python Functional Programming Functional Programming by

+ f(x) = Python Functional Programming Python Functional Programming Functional Programming by Wikipidia: Functional programming is a programming paradigm that treats computation as the evaluation of mathematical functions and avoids

754 views • 27 slides
Genetic Programming What is it? Genetic Programming Genetic programming (GP) is an

Genetic Programming What is it? Genetic Programming Genetic programming (GP) is an

Genetic Programming What is it? Genetic Programming Genetic programming (GP) is an automated method for creating a working computer program from a high-level problem statement of a problem. Genetic programming starts from a high-

197 views • 8 slides
Hierarchy of Software Complexity Application Programs Sequential Programming Embedded

Hierarchy of Software Complexity Application Programs Sequential Programming Embedded

Hierarchy of Software Complexity Application Programs Sequential Programming Embedded Programming Middleware Concurrent Programming Distributed Programming Real-Time Programming Security Programming Reliable (FT) Programming Quality of

342 views • 5 slides
Programming Styles and Objects Fermilab - TARGET 2018 Week 3 Programming styles Imperative

Programming Styles and Objects Fermilab - TARGET 2018 Week 3 Programming styles Imperative

Programming Styles and Objects Fermilab - TARGET 2018 Week 3 Programming styles Imperative programming - Procedural programming - Object oriented programming Declarative programming - Database languages (Structured Query Language) -

541 views • 11 slides
Linear Programming Linear Programming In a linear programming problem, there is a set of

Linear Programming Linear Programming In a linear programming problem, there is a set of

Linear Programming Linear Programming In a linear programming problem, there is a set of variables, and we want to assign real values to CISC5835, Algorithms for Big Data them so as to satisfy a set of linear equations and/or linear

414 views • 6 slides
GPU PROGRAMMING 2 GPU Programming Assignment 4 Consists of

GPU PROGRAMMING 2 GPU Programming Assignment 4 Consists of

1 GPU Programming GPU PROGRAMMING 2 GPU Programming Assignment 4 Consists of two programming assignments Concurrency GPU programming Requires a

819 views • 65 slides
Chapter 7 Programming Hardware Programming Barely Information (Low level programming

Chapter 7 Programming Hardware Programming Barely Information (Low level programming

2018/11/1 Communication Application Operating System Chapter 7 Programming Hardware Programming Barely Information (Low level programming languages) 2-2 Chapter Goals Connecting CPU and Memory Describe the

564 views • 6 slides
Programming language shapes Programming thought So why study PL ? Language affects how:

Programming language shapes Programming thought So why study PL ? Language affects how:

CMPS 116: Fall 2019 Introduction to Functional Programming Lecture 1: Course Overview. Owen Arden UC Santa Cruz A Programming Language Two variables L1: x++; x , y y--; Three operations (y=0)?L2:L1 x++

585 views • 16 slides
Towards an IDE Towards an IDE to Support to Support Programming as Programming as

Towards an IDE Towards an IDE to Support to Support Programming as Programming as

Towards an IDE Towards an IDE to Support to Support Programming as Programming as Problem-Solving Problem-Solving Nicholas Nelson Anita Sarma Andr van der Hoek Programming is more than dealing with language syntax and semantics: it is

400 views • 13 slides
Introduc)on to Programming using Python Programming Course for

Introduc)on to Programming using Python Programming Course for

Introduc)on to Programming using Python Programming Course for Biologists WC-16 David Knox and Phil Richmond Dic)onary Data Type Similar to Word

227 views • 10 slides
Introduction to Functional Programming in Python David Jones drj@ravenbrook.com Programming:

Introduction to Functional Programming in Python David Jones drj@ravenbrook.com Programming:

Introduction to Functional Programming in Python David Jones drj@ravenbrook.com Programming: Modes of Operation Functional Programming Object Oriented Programming Imperative Programming FP versus Imperative a spectrum of possibilities ML

915 views • 27 slides
About you? 1 11/1/2013 My experience, experiences of audience, discussion Agenda 1.

About you? 1 11/1/2013 My experience, experiences of audience, discussion Agenda 1.

11/1/2013 Championing test automation at a new team: The challenges and benefits Alan Leung @ PNSQC 2013 About you? 1 11/1/2013 My experience, experiences of audience, discussion Agenda 1. Background 2. Selecting tools 3. Custom

410 views • 18 slides
Develop A Peak Performing Value Proposition For Your _____ A. Develop A B. Develop A Peak

Develop A Peak Performing Value Proposition For Your _____ A. Develop A B. Develop A Peak

Develop A Peak Performing Value Proposition For Your _____ A. Develop A B. Develop A Peak Performing Peak Performing Value Proposition Value Proposition For Your Startup For Your Sex Life Develop A Peak Performing Value Proposition

750 views • 61 slides
The Unix Shell (Slides used in the workshop) David McKain Software Carpentry Workshop - 4 th

The Unix Shell (Slides used in the workshop) David McKain Software Carpentry Workshop - 4 th

The Unix Shell (Slides used in the workshop) David McKain Software Carpentry Workshop - 4 th &amp; 11 th February 2020 Lesson links Please keep open in your web browser: 1. Shared info to cut &amp; paste during todays session:

601 views • 57 slides
Presence of a cryptic hybrid zone explains spatial variability in population genetic structuring

Presence of a cryptic hybrid zone explains spatial variability in population genetic structuring

Presence of a cryptic hybrid zone explains spatial variability in population genetic structuring of a colonial nesting seabird Chris Burridge 1 Amanda Peucker 2 Rebecca Overeem 2,3 Craig Styan 4 Peter Dann 3 1 University of Tasmania 2 Deakin

523 views • 30 slides
Saving Time Bill Rising StataCorp LLC 2018 Stata Conference Columbus, OH July 20, 2018 Saving

Saving Time Bill Rising StataCorp LLC 2018 Stata Conference Columbus, OH July 20, 2018 Saving

Introduction Saving Time via Programming Saving Time via Software Conclusion Saving Time Bill Rising StataCorp LLC 2018 Stata Conference Columbus, OH July 20, 2018 Saving Time Handout page: 1 Introduction Saving Time via Programming

328 views • 28 slides
New HTML Element to Display a 3D Scene ANDO Yasushi Kabuku Inc. Email: andyjpn@gmail.com

New HTML Element to Display a 3D Scene ANDO Yasushi Kabuku Inc. Email: andyjpn@gmail.com

New HTML Element to Display a 3D Scene ANDO Yasushi Kabuku Inc. Email: andyjpn@gmail.com Twitter: @technohippy Summary We should have a new HTML element to display a 3D scene. Problem 3D contents are not popular enough for standard web

612 views • 9 slides
Introduction to R Thomas J. Leeper Department of Political Science and Government Aarhus

Introduction to R Thomas J. Leeper Department of Political Science and Government Aarhus

Challenges Opportunities Introduction to R Thomas J. Leeper Department of Political Science and Government Aarhus University November 14, 2013 Challenges Opportunities Challenges Opportunities Challenges 1 2 Opportunities Challenges

857 views • 54 slides
Evaluation Strategies for Functional Logic Programming WRS01, Utrecht, May 26 Sergio Antoy

Evaluation Strategies for Functional Logic Programming WRS01, Utrecht, May 26 Sergio Antoy

Evaluation Strategies for Functional Logic Programming WRS01, Utrecht, May 26 Sergio Antoy antoy@cs.pdx.edu Portland State University 1 Outline Whats, hows and whys of Functional Logic Programming. Constructor-based rewrite systems as

238 views • 23 slides

More recommend