cs527 software security
play

CS527 Software Security Web Security Mathias Payer Purdue - PowerPoint PPT Presentation

Mar 15, 2024 •179 likes •503 views

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

  1. CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security

  2. Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail server, or a DNS server are examples of daemons. What makes daemons prone to attacks? Mathias Payer CS527 Software Security

  3. Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail server, or a DNS server are examples of daemons. What makes daemons prone to attacks? Daemons are long running Daemons are complex (multi-threaded, caching, broad functionalities) Daemons are exposed Mathias Payer CS527 Software Security

  4. Daemons are long running ASLR/stack canaries are probabilistic, single secret per process Heap layout influenced by concurrent allocations Information leaks become more dangerous Mathias Payer CS527 Software Security

  5. Daemons are complex Crashing threads are restarted: resilience/uptime versus security Large set of functionalities increases attack surface Shared secrets across users in single address space Mathias Payer CS527 Software Security

  6. Daemons are exposed Concurrent users must be serviced Outside connections are allowed Attackers can leverage many different IPs (what about rate limiting accounts?) Mathias Payer CS527 Software Security

  7. Daemon compartmentalization Break complexity into smaller compartments Develop “fault compartments”, can fail independently Goal: one component fails, others continue to function Mathias Payer CS527 Software Security

  8. Example: mail agent Mail agents need to do a plethora of tasks: Send/receive data from the network Manage a pool of received/unsent messages Provide access to stored messages for each user Two approaches: sendmail and qmail Sendmail uses a typical Unix approach with a large monolithic server and is known for the high complexity and previous security vulnerabilities QMail uses a modern least privilege approach with a set of communicating processes. Mathias Payer CS527 Software Security

  9. QMail Separate modules run under separate user IDs (isolation) Each user ID has only limited access to a subset of the resources (least privilege) Only one very small component runs as suid root Only one very small component running as root Mathias Payer CS527 Software Security

  10. QMail Figure 1: Mathias Payer CS527 Software Security

  11. QMail components qmaild/user : incoming email suid qmaild : split message into contents and headers, signal qmail-send qmail-send : send locally or remotely qmail-lspawn : root, spawns qmail-local with ID of user qmail-local : handles alias expansion, delivers locally, or signals qmail-queue if needed qmail-remote : sends remote message Mathias Payer CS527 Software Security

  12. Case study: daemon attack surface Command injection SQL injection Cross site scripting Mathias Payer CS527 Software Security

  13. Command injection Unix philosophy: leverage simple tools to achieve complex results Data is passed to scripts or programs as parameters Often the constrained communication channel will contain both code and data (e.g., the query command and the query arguments) While functionality is tested, the security guarantees are often not Vetting and escaping arguments correctly is challenging Mathias Payer CS527 Software Security

  14. Example: web-based command injection Dynamic web pages execute code on the server This allows the web server to add content from other sources (e.g., databases) and provide rich interfaces back to the user Build and combine complex parts dynamically and send the final result to the user (e.g., a content management system that loads contents from the database, intersects it with the site template, adds navigation modules and other third party modules) Mathias Payer CS527 Software Security

  15. Example: web-based command injection <html><head><title>Display a file</title></head> <body> <? echo system("cat ". $_GET ['file']); ?> </body></html> Mathias Payer CS527 Software Security

  16. Example: web-based command injection <html><head><title>Display a file</title></head> <body> <? echo system("cat ". $_GET ['file']); ?> </body></html> There is no separation of code and data that is passed through the channel display.php?file=info.txt\%3bcat\%20\%2fetc\%2fpasswd ; allows chaining of individual bash commands system is a powerful command that executes full shell scripts Mathias Payer CS527 Software Security

  17. Command injection mitigation Can we just block ; ? Mathias Payer CS527 Software Security

  18. Command injection mitigation Can we just block ; ? Blacklisting is not a good solution, attack space may be infinite What about using a pipe? What about using a backtick? What about other commands (cat instead of rm) Even the shell has many builtin commands Mathias Payer CS527 Software Security

  19. Mitigation through validation Ensure that the filename matches a set of allowed filenames Non-alphanumeric characters are needed to execute commands Fix both directory and set of allowed files Disallow special characters in the file name Mathias Payer CS527 Software Security

  20. Mitigation through escaping Escape parameters so that interpreter can distinguish between data (channel) and control (channel) Escaped form: system("cat 'file.txt') How do you write such an escape function? Mathias Payer CS527 Software Security

  21. Mitigation through escaping Escape parameters so that interpreter can distinguish between data (channel) and control (channel) Escaped form: system("cat 'file.txt') How do you write such an escape function? You don’t – there’s a huge potential for error. Use built-in ones. Each language has its own flavours of escape functions. Mathias Payer CS527 Software Security

  22. Mitigation through reduction of privileges The system command is immensely powerful as it launches a new shell interpreter Fall down to simplest possible API: open the file yourself and read it into a buffer or, if you must execute a command, launch it directly and not through the shell Mathias Payer CS527 Software Security

  23. Generalized injection attacks What enables injection attacks? Both code and data share the same channel. In the system example above, cat and file are specified as part of the same “shell script” where ; starts a new command In code injection the data on the stack and the executed code share the same channel (as do code pointers) Mathias Payer CS527 Software Security

  24. Example: SQL injection $sql = "SELECT * FROM users WHERE email='" . $_GET ['email'] . "' AND pass='" . $_GET ['pwd'] . ';" What is wrong with this query? Mathias Payer CS527 Software Security

  25. Example: SQL injection $sql = "SELECT * FROM users WHERE email='" . $_GET ['email'] . "' AND pass='" . $_GET ['pwd'] . ';" What is wrong with this query? An attacker may inject ’ to escape queries and inject commands. (Also, the password is not hashed but stored in plaintext.) SQL injection is, in spirit, the same attack as code injection or command injection. Mathias Payer CS527 Software Security

  26. SQL injection mitigation Same idea: validation, escaping, or reduction of privileges. Separate control and data channel: prepared SQL statements Similar to printf, define “format” string and supply arguments sql("SELECT * FROM users WHERE email= \$ 1 AND pwd= \$ 2", email Mathias Payer CS527 Software Security

  27. Cross Site Scripting XSS allows an attacker to inject and execute JavaScript (or other content) in the context of another web page (e.g., malicious JavaScript code that is injected into the banking web page of a user to extract user name and password or to issue counterfeit transactions). Three kinds of XSS: persistent/stored, reflected, and client-side XSS. Mathias Payer CS527 Software Security

  28. Persistent XSS The attacker stores the attack data on the server itself A simple chat application allows users to store arbitrary text that is then displayed to other logged in users The attacker may send a message that contains <script>alert('Mr. Evil here');</script> Common use case: feedback forms, blog comments, or even product meta data (you don’t have to see it to execute it) Bug is on the server side Mathias Payer CS527 Software Security

  29. Reflected XSS The attacker encodes the attack data in the link that is then sent to the user (e.g., through email or on a compromised site) A web interface may return your query as part of the results (i.e., “Your search for ‘query’ returned 23 results.”) Requirement: user must click on attacker-controlled link Bug is on the server side Mathias Payer CS527 Software Security

  30. Client-side XSS Large applications contain lots of JS code. Code itself may contain vulnerabilities. JS may use URL parameters to process information (think AJAX/JSON requests to process data in the background) Attacker must make user follow the compromised link but, compared to reflected XSS, the server does not embed the JavaScript code into the page through server side processing but the user-side JavaScript parses the parameters and misses the attack The bug is on the client side , in the server-provided JS Mathias Payer CS527 Software Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security About me Instructor: Mathias Payer Research area: system/software security Memory/type safety Mitigating control-flow

460 views • 25 slides
CS527 Software Security Advanced Mitigations Mathias Payer Purdue University, Spring 2018

CS527 Software Security Advanced Mitigations Mathias Payer Purdue University, Spring 2018

CS527 Software Security Advanced Mitigations Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Model for Control-Flow Hijack Attacks Figure 1: Mathias Payer CS527 Software Security Advanced mitigations

504 views • 26 slides
CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software Security Allow inteded use of software, prevent unintended use that may cause harm. Mathias Payer CS527

470 views • 25 slides
CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018

CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018

CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Basics: encodings Code is data is code is data Learn to read hex numbers: 0x38 == 0011'1000 Python:

710 views • 49 slides
CS527 Software Security Mobile Security Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Mobile Security Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Mobile Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Android statistics 1.4 billion users (1) Android generates $31 billion revenue (2) 4,000+ different devices (1)

157 views • 11 slides
CS527 Software Security Attack Vectors Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Attack Vectors Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Attack Vectors Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Exploitation: Disclaimer This section focuses software exploitation We will discuss both basic and advanced

860 views • 49 slides
CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between observed

391 views • 38 slides
deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
Building the Server Software for Eliminate Introduction Stephen Detwiler Director of

Building the Server Software for Eliminate Introduction Stephen Detwiler Director of

Building the Server Software for Eliminate Introduction Stephen Detwiler Director of Engineering, ngmoco:) James Marr Lead Engineer R&amp;D, ngmoco:) Introduction Build the definitive FPS for iPhone in only 5 months

1.07k views • 74 slides
Ho How t to m mak ake your ur Zoo oom m cl class s secur cure and p d pri rivate We

Ho How t to m mak ake your ur Zoo oom m cl class s secur cure and p d pri rivate We

Ho How t to m mak ake your ur Zoo oom m cl class s secur cure and p d pri rivate We will begin shortly. Please answer the brief poll question. Ron Owston, PhD Research Associate, Contact North Professor Emeritus, York University

472 views • 25 slides
User Experience (UX) Design Process, Paper Prototyping &amp; Schemas

User Experience (UX) Design Process, Paper Prototyping &amp; Schemas

User Experience (UX) Design Process, Paper Prototyping &amp; Schemas for Firebase RealAme DB User experience encompasses all aspects of the end-user's interac4on with

534 views • 21 slides
JAX-RS 2.1 AND BEYOND ANDY MCCRIGHT IBM ANDYMC@US.IBM.COM @ANDREWMCCRIGHT Whats In

JAX-RS 2.1 AND BEYOND ANDY MCCRIGHT IBM ANDYMC@US.IBM.COM @ANDREWMCCRIGHT Whats In

JAX-RS 2.1 AND BEYOND ANDY MCCRIGHT IBM ANDYMC@US.IBM.COM @ANDREWMCCRIGHT Whats In JAX-RS 2.1? Reactive Client Server Sent Events Other New APIs Beyond JAX-RS 2.1 JAX-RS in Java SE Type-safe

579 views • 25 slides
Behind the Scenes at MySpace.com Dan Farino Chief Systems Architect dan@myspace.com Friday,

Behind the Scenes at MySpace.com Dan Farino Chief Systems Architect dan@myspace.com Friday,

Behind the Scenes at MySpace.com Dan Farino Chief Systems Architect dan@myspace.com Friday, November 21, 2008 1 Topics Architecture overview and history The stuff I get to work on (in the Windows world) Monitoring

947 views • 57 slides
Webbit Evented, single-threaded WebSocket server http://webbitserver.org/ @aslak_hellesoy

Webbit Evented, single-threaded WebSocket server http://webbitserver.org/ @aslak_hellesoy

Webbit Evented, single-threaded WebSocket server http://webbitserver.org/ @aslak_hellesoy Webbit Overview Single threaded Non-blocking High throughput 1000+ connections No Servlet API No XML 1 Dependency: Netty

827 views • 23 slides
Assignment 3 Hng-n Cao hong-an.cao@inf.ethz.ch Distributed Systems - HS 2014 Hng-n Cao

Assignment 3 Hng-n Cao hong-an.cao@inf.ethz.ch Distributed Systems - HS 2014 Hng-n Cao

Distributed Systems - HS 2014 Assignment 3 Hng-n Cao hong-an.cao@inf.ethz.ch Distributed Systems - HS 2014 Hng-n Cao | 20.10.2014 | 1 Introduction Assignment 3 Outline Review of logical time and UDP Causality Lamport

424 views • 28 slides
Remote Procedure Call Tom Anderson Q&amp;A During Lecture Verbal questions during lecture ok

Remote Procedure Call Tom Anderson Q&amp;A During Lecture Verbal questions during lecture ok

Remote Procedure Call Tom Anderson Q&amp;A During Lecture Verbal questions during lecture ok Unmute to interrupt Re-mute when done Chat questions also ok, if related to lecture topics Send non-lecture Q&amp;A to Ed Please

660 views • 43 slides

More recommend