Program Security CMPSC 443 - Spring 2012 Introduction Computer and - - PowerPoint PPT Presentation

program security
SMART_READER_LITE
LIVE PREVIEW

Program Security CMPSC 443 - Spring 2012 Introduction Computer and - - PowerPoint PPT Presentation

Aug 13, 2022 156 likes •383 views

Program Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger System Resources

slide-1
SLIDE 1

CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Program Security

CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger

www.cse.psu.edu/~tjaeger/cse443-s12/

slide-2
SLIDE 2

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

System Resources

  • Programs often need system resources to function

– Libraries, configurations, environment variables, etc.

  • Programs are often tasked to process particular system

resources

– User files, remote requests, etc.

  • Adversaries can leverage the mechanisms designed to

retrieve system resources to compromise programs

– So, you have to prevent such attacks

  • What are the types of system resources?

2

slide-3
SLIDE 3

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Namespace Resolution

  • Client (Process) requests a resource (File) from a

system name server (OS) by name

  • Name server resolves name to a resource using its

namespace bindings

– Mapping between names and resources – E.g., File pathnames to directories and files

  • Namespaces are used in many places

– Android Intents – XenStore key-values – D-Bus methods – URLs – DNS names

  • Adversaries may control names, bindings, or resources

3

slide-4
SLIDE 4

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Namespace Resolution Attacks

  • Adversaries may choose names

– Use a maliciously crafted name to circumvent parsing and get to the resource they desire – Affect the construction of names (e.g., environment variables) to redirect the victim to a malicious resource

  • Adversaries may control namespace bindings

– Create a link to direct the victim to a file of the adversaries choosing – May create malicious files in shared directories

  • Adversaries may control resources themselves

– Victim may not know that an adversary can modify a particular resource that it expects to be safe

  • Difficult to prevent these attacks as programs often

process untrusted names, bindings, and resources

4

slide-5
SLIDE 5

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Threat Model

  • How does the adversary gain access to namespace

resolution?

– Could have access to victim

  • Can provide a name
  • E.g., A client of a web server

– Could have access to name server

  • Can update the namespace bindings
  • E.g., An Android app can update Intents

– Could have access to resources

  • Can modify the data in some of the resources
  • E.g., A process on a file system
  • The attacks to look for depend on the threat model

5

slide-6
SLIDE 6

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Adversary-Controlled Names

  • Maliciously-crafted names

– Multiple ways of naming lots of things

  • Files

– /x/data or /y/z/../../x/data or /y/z/%2e%2e/x/data

  • Lots of others -- URLs, DNS names, middleware-specific, etc.
  • Get access to resources that the adversary normally

cannot (but, victim can)

– E.g., Windows system files – These are called Confused Deputy attacks

  • Trick process into accessing untrusted resources

where safe are expected

– E.g., untrusted PHP files – These are called File Inclusion attacks

6

slide-7
SLIDE 7

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Search Path Vulnerability

  • Adversaries may craft malicious names using search

path environment variables

  • When a program needs a library

– Dynamic linker crafts a file name using LD_PATH environment variables – May point to the directory in which the process was started

  • Attack

– If the adversary can plant a malicious library in the user’s home directory – And start a privileged program from the user’s home directory – The dynamic linker will request libraries using a name whose prefix is the user’s home directory – Enabling the adversary to supply code to root processes

7

slide-8
SLIDE 8

Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Windows: Library Loads

  • Search in directories for DLL of specified name

– Program Directory: directory of executable – System Directory: “presumably protected” directory – Working Directory: directory of process (where user exec’d from)

  • Problem: Attacker may get file in working directory

– User likely does not even know the working directory of a process – Program Directory is always first

  • SafeDllSearchMode

– Load from working before system directory if 0 – System before working if 1 – Default value is 1 in Windows2003 and 0 in XP

8

slide-9
SLIDE 9

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Safe Name Usage

  • Canonicalization

– Conversion to a single, “standard” name

  • Rules of thumb

– Do not rely on names -- or anything -- from remote user

  • At least not blindly

– Be careful if your program may be started by user in their

  • wn directory
  • Environment variables

– Convert them -- correctly -- to canonical format

  • Enable checking against your rules

– Get a resource reference as soon as possible (e.g., inodes instead of filenames)

  • Check that these right resources with stat commands

9

slide-10
SLIDE 10

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

A Simple Program

01 SOCKET_DIR=/tmp/.X11-unix ... 02 set_up_socket_dir () { 03 if [ "$VERBOSE" != no ]; then 04 log_begin_msg "Setting up X server socket directory" 05 fi 06 if [ -e $SOCKET_DIR ] && [ ! -d $SOCKET_DIR ]; then 07 mv $SOCKET_DIR $SOCKET_DIR.$$ 08 fi 09 mkdir -p $SOCKET_DIR 10 chown root:root $SOCKET_DIR 11 chmod 1777 $SOCKET_DIR 12 do_restorecon $SOCKET_DIR 13 [ "$VERBOSE" != no ] && log_end_msg 0 || return 0 14 }

10

Code moves a directory if already exists to create a new one

slide-11
SLIDE 11

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

A Simple Program

01 SOCKET_DIR=/tmp/.X11-unix ... 02 set_up_socket_dir () { 03 if [ "$VERBOSE" != no ]; then 04 log_begin_msg "Setting up X server socket directory" 05 fi 06 if [ -e $SOCKET_DIR ] && [ ! -d $SOCKET_DIR ]; then 07 mv $SOCKET_DIR $SOCKET_DIR.$$ 08 fi 09 mkdir -p $SOCKET_DIR 10 chown root:root $SOCKET_DIR 11 chmod 1777 $SOCKET_DIR 12 do_restorecon $SOCKET_DIR 13 [ "$VERBOSE" != no ] && log_end_msg 0 || return 0 14 }

11

Can mkdir fail then?

slide-12
SLIDE 12

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Binding Attacks (Links)

  • Adversary who has access to /tmp can create directory

for /tmp/.X11-unix

– victim code does not detect that problem

  • Adversary can make this a link to /etc/shadow, and

later code makes this file world-writeable

– Adversary changes namespace bindings

  • Two parts to the attack

– Change the namespace binding – Race condition to insert link between ‘mv’ and ‘mkdir’

  • Adversary ability to change namespace binding is

fundamental to this attack

– Race conditions are much easier to create than you might think

12

slide-13
SLIDE 13

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

File Squatting

  • For directories where create access is shared with

adversaries

– Adversaries may predict the names of files/directories

  • Create sub-directory in advance

– E.g., Adversaries predicted the .X11-unix directory in /tmp

  • Also, works for files

– Adversary binds name to a file of their choice before the victim can – Then, the victim uses the adversary’s file instead

  • Current Defense: Check for existence on creation

– open( name, O_CREAT | O_EXCL)

13

slide-14
SLIDE 14

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

TOCTTOU Race Condition

  • Victim checks the properties of a resource at a

particular name (time-of-check)

  • Adversary changes the binding of that name to a

different resource (race)

– Via a symbolic link is the most common

  • Victim is tricked into using a resource of the

adversary’s choice (time-of-use)

– E.g., the /etc/shadow resource was chosen in this case – Called TOCTTOU attack

  • Current Defense: Prevent following of links

– Preventing use of adversary-controlled links to “safe” files is fundamental

14

slide-15
SLIDE 15

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Multi-binding

  • One name may refer to multiple resources
  • Victim adds mapping of name to resource of their

control

– So does adversary – Name server allows multiple bindings to name

  • Name server chooses either resource

– E.g., Chooses resource at random

  • Is this for real?

– Yes, Android Intents and D-Bus methods both allow such binds

  • Current Defense: ???

– Prevent use of adversary-controlled resources

15

slide-16
SLIDE 16

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Binding Defenses

  • More extensive defenses

– Safe sequence of system calls

  • lstat (get inode #)
  • access (check)
  • open (use -- get fd)
  • fstat (get inode # of fd)
  • Does this work?

– Safe resources should only be accessed using safe names

  • Prevents use of untrusted links to access safe resources
  • What is a safe name? What is a safe resource?
  • Can work for root-user, but is limited without program information
  • Any binding defense must:

– it must have side information about the programs it protects, it must protect

  • nly a subset of all programs, it must be vulnerable to DoS attacks, it must

have false-positives, or it must fail to prevent some race condition exploits

16

slide-17
SLIDE 17

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Testing Programs for Binding Errors

  • We have developed a test harness for finding binding

vulnerabilities

– Found 30+ vulnerabilities for new and mature programs

  • The test harness enables

– Flexible adversary definition: Which bindings can adversaries change? – Flexible operations: Any system call that performs namespace resolution to get a resource – Generate test cases: Produce redirection to file of choice automatically – Detect vulnerabilities: Does victim use a redirected resource?

  • Found the example using this tool

– Works for binaries and scripts

17

slide-18
SLIDE 18

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Resource Attacks

  • Systems allow for the sharing of resources

– So a process may access a resource that is under an adversary’s control – Even when expecting a safe resource

  • What kinds of resources are under an adversary’s

control?

– files in the users’ home directories for root processes

  • authorized_keys for OpenSSH
  • user content for Apache

– logs for Apache – many others

  • Problem: programmers do not know the deployment

environments of their programs accurately

18

slide-19
SLIDE 19

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Resource Usage

  • What does the process do with the retrieved

resources?

– Retrieve resources for clients

  • Such resources may be adversary-controlled
  • Editors, servers, etc.

– Retrieve resources for security-critical information

  • Such resources must be safe
  • Libraries, modules, configurations, etc.
  • Need to know which to protect the process (invariants)

– If adversary provides the name, the process should retrieve adversary-accessible (and perhaps controlled) resource – If name is safe, the process should only retrieve adversary- controlled resources if updates are not security-critical – Etc.

19

slide-20
SLIDE 20

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Resource Attack Defenses

  • Access control

– System authorization policy

  • They can be weak

– Root can access anything – All your user processes have the same permissions

  • Some sharing is likely, and programs must defend

against it

– We will discuss this further over the next few lectures

20

slide-21
SLIDE 21

Page CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Take Away

  • Programs use system resources

– Retrieve resources using namespace resource

  • However, adversaries can control aspects of

namespace resolution to create a variety of vulnerabilities

– Adversaries can provide names – Adversaries can change namespace bindings – Adversaries can control resources

  • Programmers often fail to prevent such attacks

– A variety of ad hoc approaches to prevent such attacks

  • Want a systematic goal to prevent these attacks

– Need to compute adversary access and identify security- critical program variables

21