Software Security
Ge Zhang
Security: when is it a software problem?
Network problem: caused by flaws in networking mechanisms such as network protocols.
OS problem: caused by flaws in OS mechanisms such as OS resource management policies.
Software problem: caused by flaws in software implementation or design.
Employee problem: people do not pay attention to security.
Complexity of systems and software.
Security is not a static feature.
Different goals between software projects and security:
Goals of software projects: functionality, usability, efficiency, time-to-market.
Goals of security: confidentiality, integrity, availability...
Software experts are not security experts.
Causes for security problems (in programming)
Flaws and oversights in the design and implementation.
What is written is not what is meant.
10 principles of secure design
Secure the weakest link: a software system is only as secure as its weakest component.
Practice defense in depth.
Fail securely.
Follow the principle of least privilege.
Compartmentalize.
Keep it simple.
Promote privacy.
Hiding secrets is hard: do not assume that code compiled into binary is sufficiently well protected against attackers, or that attackers do not have the source code.
Be reluctant to trust.
Use your community resources: the "many-eyeballs phenomenon"; not a panacea.
Verification: architectural analysis
Information gathering: understand the requirements of a system; attempt to understand the proposed architecture at a high level.
Have a number of questions about the system and the
Analysis: attack trees.
Reporting: ranking, order; easy to understand.
Implementation security analysis
Auditing source code: the implementation should meet the design; look for implementation-specific vulnerabilities (e.g., buffer overflow, race conditions, SQL injection).
Source-level security auditing tools: RATS, Flawfinder, FindBugs, etc.
What is a buffer?
A contiguous memory region (for example an array) is called a buffer.
What is a buffer overflow?
Writing more data into a buffer than it was allocated to hold, so that the data runs past the end of the buffer.
A process in memory: code, data and stack regions; the code region is read-only (a write to it will result in a segmentation fault).
Stack frames example:
void foo(void) { }
void bar(void) { foo(); }
int main(void) { bar(); return 0; }
What should a stack frame hold for a subroutine?
Parameters to the function, the return address, the old frame pointer, local variables.
Example (deliberately vulnerable: the copy has no bounds check):
#include <stdio.h>
#include <string.h>

void function(char *str) {
    char buffer[8];
    strcpy(buffer, str);        /* copies a 255-byte string into an 8-byte buffer */
}

int main(void) {
    char large_string[256];
    int i;
    for (i = 0; i < 255; i++)
        large_string[i] = 'A';
    large_string[255] = '\0';   /* terminate the string */
    function(large_string);
    return 0;
}
What consequences can result?
Avoid the use of suspect functions: strcpy(), sprintf(), fscanf(), gets().
Do bounds checking yourself (input verification).
Choose a language that is more immune (e.g., Java).
Is strncpy() more secure? Is the following code secure?
char dest[4];
char source[] = "Hello!";
strncpy(dest, source, sizeof(dest));   /* copies exactly 4 bytes ("Hell"); no room is left for a terminating '\0' */
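The strncpy() question above and the advice to do bounds checking yourself, as an added example that is not part of the slides: the first helper reproduces the 4-byte dest / "Hello!" case and reports whether a terminator survived, the second is an assumed bounded copy that always terminates and reports truncation.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst (dst_size bytes), always leaving dst NUL-terminated.
   Returns 1 if src had to be truncated, 0 if it fit. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return 1;
    if (n >= dst_size) {                 /* would not fit with its terminator */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);             /* copies the terminator too */
    return 0;
}

/* The slide's strncpy() case: 4-byte dest, "Hello!" source.
   Returns 1 if a '\0' ends up inside dest's 4 bytes, 0 if dest is unterminated. */
int strncpy_leaves_terminator(void)
{
    char dest[4];
    char source[] = "Hello!";
    strncpy(dest, source, sizeof(dest)); /* writes "Hell": all 4 bytes are data */
    return memchr(dest, '\0', sizeof(dest)) != NULL;
}

/* Same copy through bounded_copy(): truncated to "Hel" plus a terminator. */
int bounded_copy_leaves_terminator(void)
{
    char dest[4];
    int truncated = bounded_copy(dest, sizeof(dest), "Hello!");
    return truncated && memchr(dest, '\0', sizeof(dest)) != NULL
           && strcmp(dest, "Hel") == 0;
}

int main(void)
{
    printf("strncpy terminated: %d\n", strncpy_leaves_terminator());
    printf("bounded_copy terminated: %d\n", bounded_copy_leaves_terminator());
    return 0;
}
```

Any later strlen() or printf("%s") on the unterminated dest reads past the array, which is the defect strncpy() alone does not prevent.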
What is software security?
Why is software security so challenging?
10 principles of secure design
Buffer overflow: no bounds checking; in the stack or in the heap; why is it a serious problem? Overwritten data; consequences of a buffer overflow; counteracts.
SQL injection
1. Take user input from a web form and pass it to a server-side script via HTTP methods such as POST or GET.
2. Process the request, open a connection to the database.
3. Query the database and retrieve results.
4. Send the processed results back to the user.
$name = $HTTP_POST_VARS["name"];
$passwd = $HTTP_POST_VARS["passwd"];
$query = "select name from users where name = '" . $name . "' and passwd = '" . $passwd . "'";
$result = mysql_query($query);
Delete:
select users from table where name = 'whatever'; DROP TABLE users; --
Another way to bypass authentication:
select * from users where username = 'admin';--' and password = 'whocares';
Firewall? System patch?
Check and filter user input.
Length limit on input (most attacks depend on long query strings).
Different types of inputs have a specific language and syntax associated with them, i.e., name, email, etc.
Do not allow suspicious keywords (DROP, INSERT, SELECT, SHUTDOWN) as a name, for example.
"Warning: illegal use of this application has been detected. Your IP address has been recorded..."
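The input checks listed above, written out as an added example (not code from the slides): a length limit, a per-field syntax expressed as a character allow-list for name and email, and the slide's keyword list applied to names. The field limits and the accepted character sets are assumptions for this example.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

#define MAX_NAME_LEN  32        /* length limits assumed for this example */
#define MAX_EMAIL_LEN 64

/* Keywords the slide lists as not allowed in a name (matched case-insensitively). */
static const char *banned[] = { "DROP", "INSERT", "SELECT", "SHUTDOWN" };

/* Returns 1 if needle occurs anywhere in hay, ignoring case. */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0)
            return 1;
    return 0;
}

/* Name syntax: letters, digits, space, '-' or '.', within the length limit,
   and none of the banned keywords. The allow-list alone already rejects the
   quote, ';' and "--" that the injection strings on the slides rely on. */
int valid_name(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > MAX_NAME_LEN) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr(" -.", s[i])) return 0;
    for (size_t k = 0; k < sizeof banned / sizeof banned[0]; k++)
        if (contains_nocase(s, banned[k])) return 0;
    return 1;
}

/* Email syntax: one '@' with a non-empty local part, a domain containing a
   '.' and not ending in one, only [A-Za-z0-9._+-] otherwise, within the limit. */
int valid_email(const char *s)
{
    size_t len = strlen(s), at = 0, dots_in_domain = 0;
    if (len == 0 || len > MAX_EMAIL_LEN) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = (unsigned char)s[i];
        if (ch == '@') { if (at || i == 0) return 0; at = i; continue; }
        if (ch == '.' && at) dots_in_domain++;
        if (!isalnum(ch) && !strchr("._+-", ch)) return 0;
    }
    return at && at < len - 1 && dots_in_domain > 0 && s[len - 1] != '.';
}
```

The character allow-list is the check that carries the weight; the keyword list is the slide's extra rule and by itself would miss any input that avoids those four words.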
Example: a servlet hit counter (deliberately unsynchronized).
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Counter extends HttpServlet {
    int count = 0;                       // shared by all concurrent requests
    public void doGet(HttpServletRequest in, HttpServletResponse out)
            throws ServletException, IOException {
        PrintWriter p = out.getWriter();
        count++;                         // read-modify-write with no lock
        p.println(count + " hits so far!");
    }
}
A race condition occurs if an assumption needs to hold true for a period of time, but actually may not.
Possible problem areas: programming.
"Window of vulnerability": the time interval between two actions during which the assumption can be invalidated.
[Figure: timeline showing Action 1, a time interval, then Action 2]
The same counter with the handler synchronized, so only one request at a time updates count:
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Counter extends HttpServlet {
    int count = 0;
    public synchronized void doGet(HttpServletRequest in, HttpServletResponse out)
            throws ServletException, IOException {
        PrintWriter p = out.getWriter();
        count++;                         // now performed under the servlet's monitor
        p.println(count + " hits so far!");
    }
}
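The hit-counter race from the two servlets, as an added example in C with POSIX threads (not code from the slides): eight threads play the concurrent requests, one counter is incremented bare and one under a mutex, which plays the role of synchronized. Thread and iteration counts are assumptions chosen to make lost updates likely.

```c
#include <pthread.h>
#include <stdio.h>

#define THREADS 8
#define HITS_PER_THREAD 200000

static long hits_unsync;      /* like the slide's unsynchronized count */
static long hits_sync;        /* like the count guarded by synchronized */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
/* One "request" handler per thread: bump the counter HITS_PER_THREAD times. */
static void *hit_unsync(void *arg)
{
    (void)arg;
    for (int i = 0; i < HITS_PER_THREAD; i++)
        hits_unsync++;        /* read-modify-write with no lock: updates can be lost */
    return NULL;
}

static void *hit_sync(void *arg)
{
    (void)arg;
    for (int i = 0; i < HITS_PER_THREAD; i++) {
        pthread_mutex_lock(&lock);    /* plays the role of Java's synchronized */
        hits_sync++;
        pthread_mutex_unlock(&lock);
    }
    return NULL;
}

/* Serve THREADS concurrent requests through fn and return the final counter. */
static long serve(void *(*fn)(void *), long *counter)
{
    pthread_t t[THREADS];
    *counter = 0;
    for (int i = 0; i < THREADS; i++)
        pthread_create(&t[i], NULL, fn, NULL);
    for (int i = 0; i < THREADS; i++)
        pthread_join(t[i], NULL);
    return *counter;
}

long count_unsync(void) { return serve(hit_unsync, &hits_unsync); }
long count_sync(void)   { return serve(hit_sync, &hits_sync); }

int main(void)
{
    printf("expected %ld, unsynchronized %ld, synchronized %ld\n",
           (long)THREADS * HITS_PER_THREAD, count_unsync(), count_sync());
    return 0;
}
```

The unsynchronized total is usually below the expected 1600000 and varies from run to run; the locked total is always exact.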
TOCTTOU (time of check to time of use) flaws
Semantic characteristic: occurs when two events occur and the second depends upon the first one.
Time window of vulnerability: the interval between the check action and the use action on a variable, where an attacker can race in and invalidate the assumption that syscall 2 depends upon.
[Figure: timeline showing syscall 1 (time of check), a time interval, then syscall 2 (time of use)]
File system TOCTTOU: name-object binding flaws
if ((fd = open(pathname, O_WRONLY)) < 0) {
    if (errno == ENOENT) {
        if ((fd = creat(pathname, mode)) < 0)
            err_sys("creat error");
    }
}
File system TOCTTOU: name-object binding flaws
The UNIX system provides two different forms of naming, with different semantics: the file path name and the file descriptor.
The difference comes from the way the addresses resolve to the actual objects.
File path names are resolved by indirection, requiring the naming and addressing of at least one intermediate object (indirect pointer to object).
File descriptors are resolved by accessing the file being addressed (direct pointer to object).
Indirect -> opens up a window of vulnerability.
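The open()/creat() pair from the slide beside the single-syscall form that closes the window, as an added example (not code from the slides). The racy version resolves the path name twice; the fixed version resolves it once and lets the kernel refuse with EEXIST if the name is already bound. The temporary directory path is constructed for the demo.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Slide's pattern: open() resolves the name once, creat() resolves it again;
   the name can be re-bound to another object between the two lookups. */
int open_or_create_racy(const char *pathname, mode_t mode)
{
    int fd = open(pathname, O_WRONLY);
    if (fd < 0 && errno == ENOENT)
        fd = creat(pathname, mode);         /* second, independent lookup */
    return fd;
}

/* Fixed pattern: one syscall checks and creates atomically. O_EXCL makes the
   kernel fail with EEXIST if the name is already bound, so no window exists. */
int create_exclusive(const char *pathname, mode_t mode)
{
    return open(pathname, O_WRONLY | O_CREAT | O_EXCL, mode);
}

/* Calls create_exclusive() twice on a fresh path in a temp directory (a
   constructed sample path). Returns 1 iff the first call succeeds and the
   second fails with EEXIST; removes what it created. */
int demo_exclusive_create(void)
{
    char dir[] = "/tmp/tocttou_demo_XXXXXX";
    char path[64];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/data", dir);
    int fd1 = create_exclusive(path, 0600);
    int fd2 = create_exclusive(path, 0600);
    int second_errno = errno;
    int ok = fd1 >= 0 && fd2 < 0 && second_errno == EEXIST;
    if (fd1 >= 0) close(fd1);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("exclusive create works as expected: %d\n", demo_exclusive_create());
    return 0;
}
```

Once a descriptor is held, later checks belong on the descriptor (fstat on fd, not stat on the path) for the same reason: the descriptor is the direct pointer to the object.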
Random numbers used in security
Usage: almost all network security protocols rely on the randomness of certain parameters.
Nonce: used to avoid replay. Session key.
A random number should be unpredictable. Measure of random numbers: entropy.
Utopia: true random generators (high cost). Reality: pseudo-random number generators (the sequence appears random).
"Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." John von Neumann [1951]
Computers are completely deterministic machines.
Therefore computers cannot be good at creating truly random numbers.
Pseudo-random number generator (PRNG): requires an input, called the seed.
Requirements:
Statistical tests: uniform distribution (e.g., the number of '0's equals the number of '1's).
Unpredictable.
Fast computation.
Low memory consumption.
Linear Congruential Generator (LCG) [Lehmer, 1949]
X_{n+1} = (X_n * a + b) mod c
X_n: current number (X_0: seed); X_{n+1}: next number; a, b, c are usually prime numbers.
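The LCG above measured against the "unpredictable" requirement, as an added example (not code from the slides): with the modulus known, three consecutive outputs determine a and b by solving x2 - x1 = a (x1 - x0) mod c, after which every later output is known. The parameters a = 48271, b = 12345, c = 2^31 - 1 and the seed 42 are sample values chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* The slide's LCG: X_{n+1} = (X_n * a + b) mod c. Sample parameters are
   constructed for this example: c = 2^31 - 1 (prime), a = 48271, b = 12345.
   Every value stays below 2^31, so products fit in uint64_t. */
#define LCG_A 48271ULL
#define LCG_B 12345ULL
#define LCG_C 2147483647ULL

uint64_t lcg_next(uint64_t x) { return (x * LCG_A + LCG_B) % LCG_C; }

/* base^e mod m by square-and-multiply; gives inverses via Fermat (m prime). */
static uint64_t powmod(uint64_t base, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    for (base %= m; e; e >>= 1, base = base * base % m)
        if (e & 1) r = r * base % m;
    return r;
}

/* Recover a and b from three consecutive outputs when c is known:
   x2 - x1 = a*(x1 - x0) mod c, so a = (x2 - x1)*(x1 - x0)^-1 and
   b = x1 - a*x0 mod c. Returns 0 when x1 == x0 (no inverse exists). */
int lcg_recover(uint64_t x0, uint64_t x1, uint64_t x2, uint64_t *a, uint64_t *b)
{
    uint64_t d = (x1 + LCG_C - x0) % LCG_C;
    if (d == 0) return 0;
    uint64_t inv = powmod(d, LCG_C - 2, LCG_C);
    *a = (x2 + LCG_C - x1) % LCG_C * inv % LCG_C;
    *b = (x1 + LCG_C - *a * x0 % LCG_C) % LCG_C;
    return 1;
}

/* Predict the output after x2 from the observed x0, x1, x2 alone. */
uint64_t lcg_predict_next(uint64_t x0, uint64_t x1, uint64_t x2)
{
    uint64_t a, b;
    if (!lcg_recover(x0, x1, x2, &a, &b)) return 0;
    return (x2 * a + b) % LCG_C;
}

int main(void)
{
    uint64_t x0 = lcg_next(42), x1 = lcg_next(x0), x2 = lcg_next(x1);
    printf("predicted %llu, actual %llu\n",
           (unsigned long long)lcg_predict_next(x0, x1, x2),
           (unsigned long long)lcg_next(x2));
    return 0;
}
```

An LCG can pass the statistical tests listed above and still fail the unpredictability requirement, which is why it is unsuitable for nonces and session keys.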
Hardware solution: radioactive decay; digital camera + lava lamp.
Interaction: keystrokes and mouse movements.