

  1. CSci 5271 Introduction to Computer Security
     Day 2: Intro to Software and OS Security
     Stephen McCamant
     University of Minnesota, Computer Science & Engineering

     Outline
       - Security risk and management
       - Some terminology
       - Logistics intermission
       - Example security failures
       - Software security engineering
       - Vulnerabilities in OS interaction

     Security as an economic good
       - Security is a good thing (for defenders)
       - But, must trade off other things to get it
       - Rational to not purchase all available
       - In the big picture, always a compromise

     Risk budgeting with ALE
       - Annual loss expected = (loss amount) × (incidence)
       - Net risk reduction = ΔALE - (security cost)
       - Like with a budget, spreadsheet may not match reality
       - Like other cost-benefit analysis, can make trade-offs more explicit

     Failure: Displacement activity
       - Security “syllogism” (attributed to: politicians):
           1. We must do something
           2. This is something
           3. Therefore we must do this.
       - Example: airport security
       - Example: external vs. internal threats

     Failure: Risk compensation
       - Some benefits of security are taken back by riskier behavior
       - Example: H-Day in Sweden
       - We’ll return to human factors later

  2. This class’s perspective
       - We’ll mostly ignore management issues
       - For this class, maximize security at all costs

     “Trusted”
       - In security, “trusted” is a bad word
       - X is trusted: X can break your security
       - “Untrusted” = okay if it’s evil
       - Trusted Computing Base (TCB): minimize

     “Trusted” vs. “trustworthy”
       - Something you actually should trust is “trustworthy”
       - Concise definition of security failure: something trusted is not trustworthy

     “Privilege”
       - Privilege is the power to take security-relevant actions
       - Concise definition of security failure: the adversary gets privilege they shouldn’t

     3 common privilege levels
       1. Administrator/root/OS kernel
       2. Regular user of system
       3. Evil people on the Internet

  3. 3 common privilege levels
       1. Administrator/root/OS kernel
            ⇑ Local exploit
       2. Regular user of system
            ⇑ Remote exploit
       3. Evil people on the Internet

     Posting slides before lecture
       - Available on website
       - I’ll try for 11:59pm on the night before, not guaranteed
       - Announcements are most likely to change, recheck after

     Exercise set 1
       - Due Wednesday, September 25th, on Canvas
       - Groups of 1-3, turn in one copy

     Classic buffer overflow

         char buf[20];
         gets(buf);

       - Vulnerability in finger daemon
       - Morris worm brought down 1988 Internet (4.3BSD VAXes)

  4. Buffer overflow classification
       - Bug: stack buffer overflow
       - Attack: return address overwrite
       - Consequence: (binary) code injection

     Read It Twice (WOOT’12)
       - Smart TV (running Linux) only accepts signed apps on USB sticks
           1. Check signature on file
           2. Install file
       - Malicious USB device replaces app between steps
       - TV “rooted”/“jailbroken”

     Confused deputy compiler
       - Compiler writes to billing database
       - Compiler can produce debug output to user-specified file
       - Specify debug output to billing file, disrupt billing
       - How to write policy preventing this?

     Leaky intelligence analysts
       - 1000s of analysts need to view 1000s of classified documents to do their job
       - Can we prevent it if one wants to send them to the Washington Post?
       - More than regular access control
       - (Reality: many non-technical problems)

     Vulnerabilities are bugs
       - Security bugs “just a special case” of bugs
       - Like regular bugs, only obscure ones make it through testing
       - Key difference:
           - Rare regular bug has limited impact
           - Attackers seek out vulnerability circumstances

  5. Security and quality
       - Security correlated with other software quality:
           - Developers understand code well
           - Interactions between modules controlled
           - Well tested

     Security and other features
       - Security would be much easier if systems were less complex
       - But, very few users want that trade-off
       - Risk compensation with improvements to development process

     Contracts and checks
       - Requirement: check X before doing Y
       - What function’s responsibility is the check?
       - Answer embodied in contracts, aka specifications, preconditions and postconditions

     Defensive programming
       - Analogy: defensive driving
       - Don’t assume things are right, check
       - Inbound: preconditions on arguments
       - Outbound: error conditions
       - Within reason: some things can’t be checked at some places

     Shell code injection
       - Don’t pass untrusted strings to a command shell
       - In C: system, popen
           system("cmd $arg1 $arg2")
       - Fix 1: avoid shell
       - Fix 2: sanitize data (preferably whitelist)
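Fix 1 from the shell code injection slide, shown beside the vulnerable pattern, as an added example that is not part of the original slides. It uses the slides' own `a b; echo Gotcha` input and substitutes `echo` for `cp` (an assumption) so the argument boundaries are visible in the output; the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read everything from fd into out (NUL-terminated, truncated to fit). */
static void slurp(int fd, char *out, size_t len) {
    size_t used = 0;
    for (ssize_t n; used < len - 1 && (n = read(fd, out + used, len - 1 - used)) > 0;)
        used += (size_t)n;
    out[used] = '\0';
}

/* Vulnerable pattern from the slides: arguments pasted into a shell string. */
int run_with_shell(const char *arg1, const char *arg2, char *out, size_t len) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s %s", arg1, arg2);
    FILE *p = popen(cmd, "r");      /* /bin/sh re-parses cmd, ';' included */
    if (!p) return -1;
    slurp(fileno(p), out, len);
    return pclose(p);
}

/* Fix 1: build the argv array ourselves and exec the program, no shell. */
int run_without_shell(const char *arg1, const char *arg2, char *out, size_t len) {
    char *const argv[] = { "echo", (char *)arg1, (char *)arg2, NULL };
    int fds[2], status;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                 /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv("/bin/echo", argv);
        _exit(127);                 /* exec failed */
    }
    close(fds[1]);
    slurp(fds[0], out, len);
    close(fds[0]);
    return waitpid(pid, &status, 0) == pid ? status : -1;
}

int main(void) {
    char sh[128], ex[128];
    run_with_shell("a b; echo Gotcha", "file2.txt", sh, sizeof sh);
    run_without_shell("a b; echo Gotcha", "file2.txt", ex, sizeof ex);
    printf("via shell:\n%svia execv:\n%s", sh, ex);
    return 0;
}
```

Through the shell the input becomes two commands; through `execv` it stays one argument, semicolon included.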

  6. Shell code injection example
       - Benign: system("cp $arg1 $arg2"), arg1 = "file1.txt"
       - Attack: arg1 = "a b; echo Gotcha"
       - Command: "cp a b; echo Gotcha file2.txt"
       - Not a complete solution: blacklist ‘;’

     Bad/missing error handling
       - Under what circumstances could each system call fail?
       - Careful about rolling back after an error in the middle of a complex operation
       - Fail to drop privileges ⇒ run untrusted code anyway
       - Update file when disk full ⇒ truncate

     Race conditions
       - Two actions in parallel; result depends on which happens first
       - Usually attacker racing with you
           1. Write secret data to file
           2. Restrict read permissions on file
       - Many other examples

     Classic races: files in /tmp
       - Temp filenames must already be unique
       - But “unguessable” is a stronger requirement
       - Unsafe design (mktemp(3)): function to return unused name
       - Must use O_EXCL for real atomicity

     TOCTTOU gaps
       - Time-of-check (to) time-of-use races
           1. Check it’s OK to write to file
           2. Write to file
       - Attacker changes the file between steps 1 and 2
       - Just get lucky, or use tricks to slow you down

     TOCTTOU example

         int safe_open_file(char *path) {
             int fd = -1;
             struct stat s;
             stat(path, &s);                      /* time of check */
             if (!S_ISREG(s.st_mode))
                 error("only regular files allowed");
             else fd = open(path, O_RDONLY);      /* time of use */
             return fd;
         }

  7. TOCTTOU example

         int safe_open_file(char *path) {
             int fd = -1, res;
             struct stat s;
             res = stat(path, &s);                /* time of check */
             if (res || !S_ISREG(s.st_mode))
                 error("only regular files allowed");
             else fd = open(path, O_RDONLY);      /* time of use */
             return fd;
         }

     Changing file references
       - With symbolic links
       - With hard links
       - With changing parent directories

     Directory traversal with ..
       - Program argument specifies file, found in directory files
       - What about files/../../../../etc/passwd?

     Environment variables
       - Can influence behavior in unexpected ways
           - PATH
           - LD_LIBRARY_PATH
           - IFS
           - ...
       - Also umask, resource limits, current directory

     IFS and why it’s a problem
       - In Unix, splitting a command line into words is the shell’s job
           - String → argv array
           - grep a b c vs. grep 'a b' c
       - Choice of separator characters (default space, tab, newline) is configurable
       - Exploit system("/bin/uname")
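A race-free counterpart to the safe_open_file() slides and to the write-then-restrict and /tmp races, as an added example that is not from the original slides. `create_private_file` is a hypothetical name, and the open-then-fstat approach is one standard way to close the gap, not necessarily the one presented in lecture.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Race-free variant of the slides' safe_open_file(): open first, then check
 * the object the descriptor refers to. Unlike a path, an open descriptor
 * cannot be redirected to another file between the check and the use. */
int safe_open_file(const char *path) {
    struct stat s;
    /* O_NOFOLLOW: refuse a symlink as the last path component.
     * O_NONBLOCK: do not hang in open() if the path names a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &s) != 0 || !S_ISREG(s.st_mode)) {
        close(fd);                  /* not a regular file: reject */
        return -1;
    }
    return fd;
}

/* Race-free creation of a secret file: O_CREAT|O_EXCL fails with EEXIST if
 * the name already exists (even as a symlink), and mode 0600 is applied at
 * creation, so the file is never readable by other users. */
int create_private_file(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/";   /* "/" is a directory */
    int fd = safe_open_file(path);
    printf("%s: %s\n", path, fd >= 0 ? "opened" : "rejected");
    if (fd >= 0)
        close(fd);
    return 0;
}
```

O_NOFOLLOW only covers the last path component, so the "changing parent directories" case from the slides still needs the parent directories to be trusted or opened step by step.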

  8. Next time
       - Bugs particular to low-level (e.g., C) programs
