software security ii other types of software
play

Software Security (II): Other types of software vulnerabilities - PowerPoint PPT Presentation

Apr 05, 2023 •177 likes •804 views

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (II): Other types of software vulnerabilities Dawn Song 1 Dawn Song 3 #293 HRE-THR 850 1930 ALICE SMITH COACH SPECIAL INSTRUX: NONE Dawn Song

  1. Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (II): Other types of software vulnerabilities Dawn Song 1

  3. Dawn Song 3

  4. #293 HRE-THR 850 1930 ALICE SMITH COACH SPECIAL INSTRUX: NONE

  5. Dawn Song 5

  6. #293 HRE-THR 850 1930 ALICE SMITHHHHHHHHHHH HHACH SPECIAL INSTRUX: NONE

  7. Dawn Song 7

  8. #293 HRE-THR 850 1930 ALICE SMITH FIRST SPECIAL INSTRUX: NONE

  9. Example #1 void vulnerable() { void vulnerable() { char name[20]; char name[20]; … … gets(name); gets(name); … … } }

  10. Example #2 void vulnerable() { void vulnerable() { char instrux[80] = “none”; char instrux[80] = “none”; char name[20]; char name[20]; … … gets(name); gets(name); … … } }

  11. Example #3 void vulnerable() { void vulnerable() { char cmd[80]; char cmd[80]; char line[512]; char line[512]; … … strncpy(cmd,”/usr/bin/fjnger”, 80); strncpy(cmd,”/usr/bin/fjnger”, 80); gets(line); gets(line); … … execv(cmd, …); execv(cmd, …); } }

  12. Example #4 void vulnerable() { void vulnerable() { int (*fnptr)(); int (*fnptr)(); char buf[80]; char buf[80]; … … gets(buf); gets(buf); … … } }

  13. Example #5 void vulnerable() { void vulnerable() { int seatinfjrstclass = 0; int seatinfjrstclass = 0; char name[20]; char name[20]; … … gets(name); gets(name); … … } }

  14. Example #6 void vulnerable() { void vulnerable() { int authenticated = 0; int authenticated = 0; char name[20]; char name[20]; … … gets(name); gets(name); … … } }

  15. Common Coding Errors • Input validation vulnerabilities • Memory management vulnerabilities • TOCTTOU vulnerability (later) Dawn Song 15

  16. Input validation vulnerabilities • Program requires certain assumptions on inputs to run properly • Without correct checking for inputs – Program gets exploited • Example: – Bufger overfmow – Format string Dawn Song 16

  17. Example I Example I 1: unsigned int size; 2: Data **datalist; 3: 4: size = GetUntrustedSizeValue(); 5: datalist = (data **)malloc(size * sizeof(Data *)); 6: for(int i=0; i<size; i++) { 7: datalist[i] = InitData(); 8: } 9: datalist[size] = NULL; 10: ... Dawn Song 17

  18. Example II Example II 1: char buf[80]; 2: void vulnerable() { 3: int len = read_int_from_network(); 4: char *p = read_string_from_network(); 5: if (len > sizeof buf) { 6: error(“length too large, nice try!”); 7: return; 8: } 9: memcpy(buf, p, len); 10: } • What's wrong with this code? • Hint – memcpy() prototype: – void *memcpy(void *dest, const void *src, size_t n); • Defjnition of size_t : typedef unsigned int size_t; • Do you see it now? Dawn Song 18

  19. Implicit Casting Bug • Attacker provides a negative value for len – if won ’ t notice anything wrong – Execute memcpy() with negative third arg – Third arg is implicitly cast to an unsigned int , and becomes a very large positive int – memcpy() copies huge amount of memory into buf , yielding a bufger overrun! • A signed/unsigned or an implicit casting bug – Very nasty – hard to spot • C compiler doesn ’ t warn about type mismatch between signed int and unsigned int – Silently inserts an implicit cast Dawn Song 19

  20. Example III (Integer Overfmow) Example III 1: size_t len = read_int_from_network(); 2: char *buf; 3: buf = malloc(len+5); 4: read(fd, buf, len); 5: ... • What ’ s wrong with this code? – No bufger overrun problems (5 spare bytes) – No sign problems (all ints are unsigned) • But, len+5 can overfmow if len is too large – If len = 0xFFFFFFFF , then len+5 is 4 – Allocate 4-byte bufger then read a lot more than 4 bytes into it: classic bufger overrun! • Know programming language ’ s semantics well to avoid pitfalls Dawn Song 20

  21. Example IV Example IV 1: char* ptr = (char*) malloc(SIZE); 2: if (err) { 3: abrt = 1; 4: free(ptr); 5: } 6: ... 7: if (abrt) { 8: logError(“operation aborted before commit”, ptr); 9: } • Use-after-free • Corrupt memory http://cwe.mitre.org Dawn Song 21

  22. Example V Example V 1: char* ptr = (char*) malloc(SIZE); 2: if (err) { 3: abrt = 1; 4: free(ptr); 5: } 6: ... 7: free(ptr); • Double-free error • Corrupts memory-management data structure http://owasp.org Dawn Song 22

  23. Example VI: Format string problem Example VI int func(char *user) { fprintf( stderr, user); }

  24. Format Functions • Used to convert simple C data types to a string representation • Variable number of arguments • Including format string • Example – printf(“%s number %d”, “block”, 2) – Output: “block number 2” Dawn Song 24

  25. Format String Parameters Paramet Output Passed as er %d Decimal (int) Value %u Unsigned decimal (unsigned Value int) %x Hexadecimal (unsigned int) Value %s String ((const) (unsigned) Reference char *) %n # bytes written so far, (* int) Reference

  26. Example VI: Format string problem Example VI int func(char *user) { fprintf( stderr, user); } • Problem: what if * user = “%s%s%s%s%s%s %s” ?? – %s displays memory – Likely to read from an illegal address – If not, program will print memory contents. Correct form: fprintf( stdout, “%s”, user);

  27. Stack and Format Strings • Function behavior is controlled by the format string • Retrieves parameters from stack as requested: “%” • Example: A Address of the format printf(“Number %d has no address, number %d has: string stack top … %08x\n”, I, a, &a) i Value of variable I <&a> <a> a Value of variable a <i> A &a Address of variable a … stack bottom

  28. View Stack • printf(“%08x. %08x. %08x. %08x\n”) – 40012983.0806ba43.bfgfgf4a.0802738b • display 4 values from stack

  29. Read Arbitrary Memory • char input[] = “\x10\x01\x48\x08_%08x. %08x. %08x. %08x|%s|”; printf(input) – Will display memory from 0x08480110 • Uses reads to move stack pointer into format string • %s will read at 0x08480110 till it reaches null byte

  30. Writing to arbitrary memory • printf( “hello %n”, &temp) – writes ‘6’ into temp. • printf( “%08x.%08x.%08x.%08x.%n”)

  31. Vulnerable functions Any function using a format string. Printing: printf, fprintf, sprintf, … vprintf, vfprintf, vsprintf, … Logging: syslog, err, warn

  32. An Exploit Example syslog( “ Reading username: ” ); read_socket(username); syslog(username); ⇓ Welcome to InsecureCorp. Please login. Login: EvilUser%s%s…%400n…%n root@server> _

  33. Why The Bug Exists • C language has poor support for variable-argument functions – Callee doesn ’ t know the number of actual args • No run-time checking for consistency between format string and other args • Programmer error

  34. Real-world Vulnerability Samples • First exploit discovered in June 2000. • Examples: – wu-ftpd 2.* : remote root – Linux rpc.statd: remote root – IRIX telnetd: remote root – BSD chpass: local root

  35. What are software vulnerabilities? • Flaws in software • Break certain assumptions important for security – E.g., what assumptions are broken in bufger overfmow? Dawn Song 35

  36. Why does software have vulnerabilities? • Programmers are humans! – Humans make mistakes! • Programmers are not security-aware • Programming languages are not designed well for security Dawn Song 36

  37. What can you do? • Programmers are humans! – Humans make mistakes! – Use tools! (next lecture) • Programmers were not security aware – Learn about difgerent common classes of coding errors • Programming languages are not designed well for security – Pick better languages Dawn Song 37

  38. Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (III): Defenses against Memory-Safety Exploits Dawn Song 38

  39. Preventing hijacking attacks Fix bugs: • Audit software • Automated tools: Coverity, Prefast/Prefjx, Fortify • Rewrite software in a type-safe language (Java, ML) • Diffjcult for existing (legacy) code … Allow overfmow, but prevent code execution Add runtime code to detect overfmows exploits: • Halt process when overfmow exploit detected • StackGuard, Libsafe Dawn Song 39

  40. Control-hijacking Attack Space Defenses/Mitigations Code Injection Arc Injection Stack Heap Exceptio n Handler s Dawn Song 40

  41. Defense I: non-execute (W^X) Prevent attack code execution by marking stack and heap as non-executable • NX -bit on AMD Athlon 64, XD -bit on Intel P4 Prescott – NX bit in every Page T able Entry (PTE) • Deployment: – Linux (via PaX project); OpenBSD – Windows: since XP SP2 (DEP) • Boot.ini : /noexecute=OptIn or AlwaysOn • Visual Studio: /NXCompat[:NO] Dawn Song 41

  42. Efgectiveness and Limitations • Limitations: – Some apps need executable heap (e.g. JIT s). – Does not defend against exploits using return-oriented programming Defenses/Mitigations Code Injection Arc Injection Code Injection Arc Injection Stack Stack Non-Execute (NX)* Heap Non-Execute (NX)* Heap Exceptio Non-Execute (NX)* n Handler Exceptio s n Handler s * When Applicable Dawn Song 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
CS 5150 Software Engineering Three Types of Software Process

CS 5150 Software Engineering Three Types of Software Process

Cornell University Computing and Information Science CS 5150 Software Engineering Three Types of Software Process William Y. Arms Types of Software Process The basic

281 views • 26 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software Engineering Topics Computer science v. software engineering Definition of

Software Engineering Topics Computer science v. software engineering Definition of

Software Engineering Topics Computer science v. software engineering Definition of software engineering Types of software The nature of software Software history and the software crisis Software quality Elements of

818 views • 67 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Engineering Software Integral types Andrei Zlate-Podani 1968 NATO Software Engineering

Engineering Software Integral types Andrei Zlate-Podani 1968 NATO Software Engineering

Engineering Software Integral types Andrei Zlate-Podani 1968 NATO Software Engineering Conference - Garmisch Projects running over-budget Projects running over-time Software was inefficient Software was of low quality

710 views • 39 slides
CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and Design 8 January 2019 OSU CSE 1 Restated Learning Outcomes Theme 1: software engineering concepts Be familiar with sound software engineering

535 views • 17 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An introduction to creating electronic presentations using Microsoft PowerPoint 2010 ABT COLLABORATIVE BCCAMPUS Except for third party materials and

1.7k views • 94 slides
Type Instructional Software Presentation Instructional Software forHigh School Physical

Type Instructional Software Presentation Instructional Software forHigh School Physical

Type Instructional Software Presentation Instructional Software forHigh School Physical ScienceTara RowlandEDTECH This presentation categorizes various types of software used in education. instructional software Software requirements depend on

2.21k views • 4 slides
CS642: Computer Security Professor Ristenpart

CS642: Computer Security Professor Ristenpart

Low-level soEware vulnerability protecGon mechanisms CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot

733 views • 55 slides
StackGuard: A Historical Perspective Crispin Cowan, PhD Senior PM, Windows Core Security

StackGuard: A Historical Perspective Crispin Cowan, PhD Senior PM, Windows Core Security

StackGuard: A Historical Perspective Crispin Cowan, PhD Senior PM, Windows Core Security Microsoft Aleph One Fires The Opening Shot Smashing the Stack for Fun and Profit Aleph One (AKA Elias Levy), Phrack 49, August 1996 It is

714 views • 27 slides
Matthew Samet msamet@tamdistrict.org 1st Period Ph.Un. - Room 120 3rd Period Ph.Un. - Room 115

Matthew Samet msamet@tamdistrict.org 1st Period Ph.Un. - Room 120 3rd Period Ph.Un. - Room 115

Matthew Samet msamet@tamdistrict.org 1st Period Ph.Un. - Room 120 3rd Period Ph.Un. - Room 115 4th Period Ph.Un. - Room 115 5th Period Ph.Un. - Room 115 7th Period Ph.Un. - Room 115 TUHSD Science Requirements: Year 1: Physics in the

300 views • 6 slides
2015 DBE/LBE Upcoming Opportunity Overview and Networking Event SAN FRANCISCO COUNTY

2015 DBE/LBE Upcoming Opportunity Overview and Networking Event SAN FRANCISCO COUNTY

2015 DBE/LBE Upcoming Opportunity Overview and Networking Event SAN FRANCISCO COUNTY TRANSPORTATION AUTHORITY Febru ruar ary y 5, 2015 Presentation Agenda 1. 1. Desc scription ription of upcomi coming ng opportun portunit ities ies

1.04k views • 79 slides
Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester

Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester

Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester Rebeiro Indian Institute of Technology Madras Parts of Malware Two parts Subvert execution: change the normal execution behavior of the program

1.25k views • 102 slides
DevOps + Infrastructure TRACK SUPPORTED BY About me Nils Peeters DevOps Engineer

DevOps + Infrastructure TRACK SUPPORTED BY About me Nils Peeters DevOps Engineer

DevOps + Infrastructure TRACK SUPPORTED BY About me Nils Peeters DevOps Engineer nils@scalecity.io https://www.linkedin.com/in/nilspeeters/ www.scalecity.io Containerized Drupal, Kubernetes and blue/green Down the rabbit

1.06k views • 83 slides
ASSOCIATIVE NETS AND FRAME SYSTEMS Network Representations If L is a set of labeled links and N

ASSOCIATIVE NETS AND FRAME SYSTEMS Network Representations If L is a set of labeled links and N

ASSOCIATIVE NETS AND FRAME SYSTEMS Network Representations If L is a set of labeled links and N is a set of nodes, then a network is any subset of NLN, where the order of the triples is material. Lecture 4 Associative Nets &amp; Frames

491 views • 32 slides
Any Problem Here? /* File: drivers/usb/core/devio.c*/ /* define data structure

Any Problem Here? /* File: drivers/usb/core/devio.c*/ /* define data structure

UniSan : Proactive Kernel Memory Initialization to Eliminate Data Leakages Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee School of Computer Science, Georgia Tech Any Problem Here? /* File: drivers/usb/core/devio.c*/ /* define data

428 views • 26 slides

More recommend