Introduction Gang Tan Penn State University Spring 2019 CMPSC - - PowerPoint PPT Presentation

SLIDE 1

Introduction

Gang Tan Penn State University Spring 2019

CMPSC 447: Software Security

SLIDE 2

Why a course on software security?

- Software plays a major role in modern society
- But it is a major source of security problems.
  - Software is the weakest link in the security chain, with the possible exception of “the human factor”
- Software security does not get much attention
  - in other security courses, or
  - in programming courses

SLIDE 3


We focus on software security, but don’t forget that security is about, in no particular order,

people (users, employees, sys‐admins, programmers,...), access control, passwords, biometrics, cryptology, protocols, policies & their enforcement, monitoring, auditing, legislation, persecution, liability, risk management, incompetence, confusion, lethargy, stupidity, mistakes, complexity, software, bugs, verification, hackers, viruses, hardware, operating systems, networks, databases, public relations, public perception, conventions, standards, physical protection, data protection, ...

SLIDE 4

Motivation: Software Insecurity

SLIDE 5

Software Insecurity

- The media is full of reports of the catastrophic impact of software insecurity
  - Web site defacement
  - Malware: viruses, internet worms, botnets, …
  - Distributed Denial of Service attacks (DDoS)
  - Hacked databases
  - Compromised smartphones
  - …

SLIDE 6

Web Site Defacements

- Defacement = “graffiti” on the Internet
- Example: Unicef defacement (Jan 1998):

SLIDE 7

Malicious Software (Malware): Virus, Worm, and Botnet

- virus = harmful piece of code that can infect other programs
- worm = self-replicating virus; no user action required for spreading infection
- botnet = a network of computers that have been hijacked by the bot master
- First worm: Nov 1988, crashed 10% of internet
- More recently
  - email viruses: I Love You, Kournikova, ...
  - Worms: Slammer, Blaster, ...
  - Botnets: Agobot, Storm, …

SLIDE 8

Slammer Worm (Jan 25th, 2003, 5:29:00)
# of computers infected: 0

Pictures taken from The Spread of the Sapphire/Slammer Worm, by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver

SLIDE 9

Slammer Worm (Jan 25th, 2003, 6:00:00)
# of computers infected: 74855

Pictures taken from The Spread of the Sapphire/Slammer Worm, by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver

SLIDE 10

Software Insecurity in 2014


SLIDE 11

What Allowed Attacks?

- A lot of times, tiny programming mistakes
- Code Red worm exploited:

    TCHAR buff[MAX_SIZE];
    _sntprintf(buff, sizeof(buff), …);

  (slide annotation: the size argument should have been sizeof(buff)/2, a count of TCHARs rather than of bytes)

- Buffer overflow
  - The first Internet worm, and many subsequent ones (CodeRed, Blaster, ...) exploited buffer overflows
  - Buffer overflows cause in the order of 50% of all security alerts
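Why sizeof(buff)/2 is the right count, as an added C example (not from the slides): TCHAR is two bytes in a Unicode build, so sizeof(buff) is a byte count while _sntprintf takes a count of characters. wchar_t stands in for TCHAR here; on Linux it is four bytes, so the over-count is larger still.

```c
#include <stddef.h>
#include <wchar.h>

typedef wchar_t TCHAR;  /* stand-in for the Windows TCHAR of a Unicode build (assumption) */
#define MAX_SIZE 8
#define COUNTOF(a) (sizeof(a) / sizeof((a)[0]))  /* element count, not byte count */

/* The count the Code Red-era call passed: sizeof(buff) is the buffer size in BYTES. */
size_t buggy_count(void)
{
    TCHAR buff[MAX_SIZE];
    return sizeof(buff);              /* MAX_SIZE * sizeof(wchar_t) */
}

/* The count the call should have passed: the number of TCHAR slots. */
size_t correct_count(void)
{
    TCHAR buff[MAX_SIZE];
    return COUNTOF(buff);             /* MAX_SIZE */
}

/* Would a bounded formatter that believes it has `count` characters of room, writing
 * into a buffer that really holds `real_elems` characters, run off the end for an
 * input of `input_len` characters?  It writes min(input_len + 1, count) characters
 * (the +1 is the terminating NUL). */
int would_overflow(size_t count, size_t real_elems, size_t input_len)
{
    size_t written = (input_len + 1 < count) ? input_len + 1 : count;
    return written > real_elems;
}

/* Bounded copy driven by a correct character count: truncates instead of overflowing.
 * Returns the number of characters stored, excluding the NUL. */
size_t copy_bounded(TCHAR *dst, size_t dst_count, const TCHAR *src)
{
    size_t i = 0;
    if (dst_count == 0) return 0;
    while (i + 1 < dst_count && src[i] != L'\0') { dst[i] = src[i]; i++; }
    dst[i] = L'\0';
    return i;
}

/* Constructed input: 20 characters into an 8-slot buffer sized with COUNTOF. */
size_t demo_truncated_copy(void)
{
    TCHAR buff[MAX_SIZE];
    return copy_bounded(buff, COUNTOF(buff), L"AAAAAAAAAAAAAAAAAAAA");
}
```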

SLIDE 12

Microsoft Zune Crash

- Last day of 2008
- Thousands of Microsoft Zune music players began freezing about midnight

    year = ORIGINYEAR; /* = 1980 */
    while (days > 365) {
        if (IsLeapYear(year)) {
            if (days > 366) {
                days -= 366;
                year += 1;
            }
        } else {
            days -= 365;
            year += 1;
        }
    }

- Initially, days holds the number of days since 1/1/1980
- The bug surfaces on the last day of a leap year
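The Zune loop run both ways, as an added C example (not the firmware's code): the slide's loop with an iteration guard so the hang on day 366 of a leap year shows up as a return value, beside a corrected loop that stops when 366 days remain in a leap year.

```c
#define ORIGINYEAR 1980

static int IsLeapYear(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* The slide's loop with an iteration guard so the hang is observable: returns the
 * year, or -1 when the loop stops making progress (the firmware spins forever). */
int zune_year_buggy(int days, int max_iters)
{
    int year = ORIGINYEAR, iters = 0;
    while (days > 365) {
        if (++iters > max_iters) return -1;
        if (IsLeapYear(year)) {
            if (days > 366) {  /* days == 366 in a leap year: nothing changes, loop repeats */
                days -= 366;
                year += 1;
            }
        } else {
            days -= 365;
            year += 1;
        }
    }
    return year;
}

/* Fixed loop: 366 days left in a leap year means Dec 31 of `year`, so stop there.
 * Returns the year and stores the remaining day-of-year in *doy. */
int zune_year_fixed(int days, int *doy)
{
    int year = ORIGINYEAR;
    while (days > 365) {
        if (IsLeapYear(year)) {
            if (days > 366) { days -= 366; year += 1; }
            else break;                 /* the one-line fix */
        } else {
            days -= 365;
            year += 1;
        }
    }
    *doy = days;
    return year;
}

/* Day count for Dec 31, 2008 with 1/1/1980 as day 1: 28 full years (7 of them leap)
 * plus the 366th day of 2008. */
int days_for_dec31_2008(void) { return 28 * 365 + 7 + 366; }
```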

SLIDE 13

Programming Bug: Poker Site Flaw

- Web site where users can play poker over the Internet.

Picture taken from Cigital Press Release

SLIDE 14

Programming Bug: Poker Site Flaw

- Security engineers wrote a program to “predict” cards of opponents:
- Exploited flaw: bad random number generation in shuffling cards

SLIDE 15

OpenSSL Heartbleed

- A programming bug in the OpenSSL implementation’s HeartBeat mechanism
- Used in many servers
- The bug: lack of input validation
- An attacker can send in a HeartBeat request, which contains a message and a length
  - The length should correspond to the message’s size
- Server allocates a buffer and copies back the message with size length
- However, the length is not bounds checked
- Attacker can
  - Send in a request with a large length, greater than the message’s size
  - Hence the attacker can get a slice of data from the server’s main memory -- one that's up to 64KB in length.
  - That memory could contain the private key of the server (or other users’ passwords)

SLIDE 16

OpenSSL Heartbleed

- Fix is simple: add bounds checks

    if (1 + 2 + 16 > s->s3->rrec.length)
        return 0; /* silently discard */
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard per RFC 6520 sec. 4 */
    pl = p;

Source: http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html
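The check above in context, as an added C model (not OpenSSL's code) of the RFC 6520 record layout: a request claiming a 65535-byte payload while carrying 3 bytes is rejected once the patched check is in, and the model reports how far past the record the unpatched copy would have reached instead of reading it.

```c
#include <stddef.h>
#include <string.h>

/* Added model of RFC 6520 heartbeat handling, not OpenSSL's code: a record is
 * 1 byte type | 2 byte payload length | payload | at least 16 bytes padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

static unsigned n2s(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Build the response for one request record.  Returns the payload length echoed, or
 * -1 if the record is rejected.  `patched` enables the bounds check from the slide.
 * Unpatched, the real server memcpy'd `payload` bytes regardless; this model copies
 * only what the record holds and reports the shortfall in *overread instead. */
int heartbeat_reply(const unsigned char *rec, size_t rec_len, unsigned char *out,
                    size_t out_cap, int patched, size_t *overread)
{
    *overread = 0;
    if (1 + 2 + HB_PADDING > rec_len) return -1;        /* check present before the fix */
    if (rec[0] != HB_REQUEST) return -1;
    unsigned payload = n2s(rec + 1);                     /* attacker-controlled length */
    const unsigned char *pl = rec + 3;
    if (patched && 1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;                                       /* the Heartbleed fix */
    size_t avail = rec_len - 3 - HB_PADDING;             /* bytes really in the record */
    if (payload > avail) {                               /* only reachable unpatched */
        *overread = payload - avail;
        payload = (unsigned)avail;
    }
    if (out_cap < 3 + payload + HB_PADDING) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);
    memset(out + 3 + payload, 0, HB_PADDING);            /* real code uses random padding */
    return (int)payload;
}

/* Constructed records: both carry the 3-byte payload "hat"; the forged one claims 65535. */
static unsigned char honest[3 + 3 + HB_PADDING] = { HB_REQUEST, 0x00, 0x03, 'h', 'a', 't' };
static unsigned char forged[3 + 3 + HB_PADDING] = { HB_REQUEST, 0xff, 0xff, 'h', 'a', 't' };

int demo(const unsigned char *rec, int patched, size_t *overread)
{
    unsigned char out[64];
    return heartbeat_reply(rec, 3 + 3 + HB_PADDING, out, sizeof out, patched, overread);
}
```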

SLIDE 17

Programming Bug: Vulnerability in Windows Graphics Engine

- Graphics Rendering Engine Vulnerability - CVE-2005-4560: Microsoft Security Bulletin MS06-001
- Published: January 5, 2006
- Impact of Vulnerability: Remote Code Execution
- Maximum Severity Rating: Critical
- A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

SLIDE 18

Programming Bug: Vulnerability in Java Runtime Environment

Original release date: January 22, 2007
Source: US-CERT

Overview: The Sun Java Runtime Environment (JRE) contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Exploit code is publicly available for at least one of these vulnerabilities.

Vulnerability Note VU#149457: Sun Java JRE vulnerable to arbitrary code execution via an undetermined error. Two buffer overflow vulnerabilities in the Sun JRE may independently allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Vulnerability Note VU#388289: Sun Microsystems Java GIF image processing buffer overflow. The Sun JRE allows users to run Java applications in a browser or as standalone programs. When a GIF image with a specified width of 0 is processed, the Sun JRE will overwrite memory contents, which can cause pointer corruption.

SLIDE 19

Why Can’t Programmers be More Careful?

SLIDE 20

Software Programmers Facing “Trinity of Trouble”

- Complexity
  - Software becomes more and more complicated.
  - Size is measured in millions of lines of code
- Connectivity
  - The internet makes it possible for attackers to exploit software remotely
- Extensibility
  - Extensions written by untrusted parties

SLIDE 21

Software System Complexity

Year   Operating System   SLOC (Million)
1993   Windows NT 3.1     4-5
1994   Windows NT 3.5     7-8
1996   Windows NT 4.0     11-12
2000   Windows 2000       More than 29
2001   Windows XP         40
2006   Windows Vista      ~50
       Windows 7          ???
       Windows 8          ???
       Windows 10         ???

Estimate of bug rate: 1 bug per 1,000 lines of code

SLIDE 22

Connectivity

- It’s easy to secure your smartphone if it’s off the internet
  - Attackers cannot get to your phone remotely
  - You cannot browse malicious webpages or download malware
- Reality: almost every device is on the internet
- Connectivity enables many things
- But hackers also like it: it allows the possibility of remotely hacking any device on the internet

SLIDE 23

Extensibility

- Software systems are not closed
- Smartphone app market: allows users to extend the functionality of their phones
- However
  - We don’t know who wrote those apps
  - What if an app steals our credit card info or tracks our locations?
- Like connectivity, hackers also like extensible systems
  - Giving them an opportunity to inject malicious code

SLIDE 24

Course Summary

SLIDE 25

Topics

- Security fundamentals
  - Threat model
  - Trusted computing base
  - Policy vs enforcement
  - General principles
- Memory corruption vulnerabilities
  - Buffer overflows
  - Format string attacks
  - Use-after-free
  - …

SLIDE 26

Topics

- Software defenses
  - Randomization
  - Safe programming techniques
  - Fuzzing
  - Static analysis
  - Reference monitors (execution integrity, dynamic taint tracking)
  - Secure information flow
  - Privilege separation
  - Java security
- Other possible topics (?)
  - More attacks (type confusion, authorization vulnerabilities)
  - Web application security

SLIDE 27

Administrivia

- A course public website
  - http://www.cse.psu.edu/~gxt29/teaching/cs447s19/schedule.html
  - Schedule, slides, and homework announcements posted there
- Canvas (canvas.psu.edu)
  - Homework submission; grades
- Q&A Forum: Piazza
  - Please post general questions and try to answer questions there, but do not post your code
- Some homework assignments
  - Some written assignments and some projects
- Exams
  - No midterm exams
  - One final exam

SLIDE 28

Course Syllabus

- Prerequisite
  - CMPSC 443; cannot be waived
- No textbook required
- Lecture format
  - Mostly slides; sometimes blackboard
- Attendance required
  - 5% of the final grade
  - Based on random, in-class quizzes
- Late homework policy
- Technology use

SLIDE 29

Academic Integrity

- Projects
  - You cannot borrow code from any other source, including the internet or other students
  - We run automatic plagiarism detection tools

SLIDE 30

Questions?