software security
play

Software Security: Miscellaneous Fall 2016 Adam (Ada) Lerner - PowerPoint PPT Presentation

Feb 04, 2023 •847 likes •1.29k views

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Miscellaneous Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Miscellaneous Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Security Mindset Anecdote • Craigslist 10/14/16 CSE 484 / CSE M 584 - Fall 2016 2

  3. Security Mindset Anecdote • Craigslist 10/14/16 CSE 484 / CSE M 584 - Fall 2016 3

  4. Looking Forward • Lab 1 checkpoint is due today • Sploits 4-7 are due October 31 – get working – a crypto homework will be emerging before they’re due! 10/14/16 CSE 484 / CSE M 584 - Fall 2016 4

  5. Return-Oriented Programming 10/14/16 CSE 484 / CSE M 584 - Fall 2016 5

  6. Run-Time Checking: StackGuard • Embed “canaries” (stack cookies) in stack frames and verify their integrity prior to function return – Any overflow of local variables will damage the canary ret Top of Frame of the canary buf sfp addr calling function stack Pointer to Return Local variables previous execution to frame this address 10/14/16 CSE 484 / CSE M 584 - Fall 2016 6

  7. Defeating StackGuard • Suppose program contains strcpy(dst,buf) where attacker controls both dst and buf – Example: dst is a local pointer variable canary buf dst sfp RET Return execution to this address canary BadPointer, attack code &RET sfp RET Overwrite destination of strcpy with RET position strcpy will copy BadPointer here 10/14/16 CSE 484 / CSE M 584 - Fall 2016 7

  8. Function Pointer Overflow • Attack : overflow a function pointer so that it points to attack code Buffer with attacker-supplied Callback input string pointer Heap attack code overflow Legitimate function F 10/14/16 CSE 484 / CSE M 584 - Fall 2016 8

  9. Answer Q1 • Attack : overflow a function pointer so that it points to attack code Buffer with attacker-supplied Callback input string pointer Heap attack code overflow Legitimate function F 10/14/16 CSE 484 / CSE M 584 - Fall 2016 9

  10. PointGuard • Idea: encrypt all pointers while in memory – Generate a random key when program is executed – Each pointer is XORed with this key when loaded from memory to registers or stored back into memory • Pointers cannot be overflowed while in registers • Attacker cannot predict the target program’s key – Even if pointer is overwritten, after XORing with key it will dereference to a “random” memory address 10/14/16 CSE 484 / CSE M 584 - Fall 2016 10

  11. [Cowan] Normal Pointer Dereference CPU 2. Access data referenced by pointer 1. Fetch pointer value Memory Pointer Data 0x1234 0x1234 CPU 2. Access attack code referenced by corrupted pointer 1. Fetch pointer value Corrupted pointer Attack Memory 0x1234 Data code 0x1340 0x1234 0x1340 10/14/16 CSE 484 / CSE M 584 - Fall 2016 11

  12. [Cowan] PointGuard Dereference CPU 0x1234 2. Access data referenced by pointer 1. Fetch pointer Decrypt value Memory Encrypted pointer Data 0x7239 0x1234 CPU Decrypts to random value 2. Access random address; segmentation fault and crash 0x9786 1. Fetch pointer Decrypt value Corrupted pointer Attack Memory 0x7239 Data code 0x1340 0x9786 0x1234 0x1340 10/14/16 CSE 484 / CSE M 584 - Fall 2016 12

  13. PointGuard Issues • Answer Q2 10/14/16 CSE 484 / CSE M 584 - Fall 2016 13

  14. PointGuard Issues • Must be very fast – Pointer dereferences are very common • Compiler issues – Must encrypt and decrypt only pointers – If compiler “spills” registers, unencrypted pointer values end up in memory and can be overwritten there • Attacker should not be able to modify the key – Store key in its own non-writable memory page • PG’d code doesn’t mix well with normal code – What if PG’d code needs to pass a pointer to OS kernel? 10/14/16 CSE 484 / CSE M 584 - Fall 2016 14

  15. ASLR: Address Space Randomization • Map shared libraries to a random location in process memory – Attacker does not know addresses of executable code • Deployment (examples) – Windows Vista: 8 bits of randomness for DLLs – Linux (via PaX): 16 bits of randomness for libraries – Even Android – More effective on 64-bit architectures • Other randomization methods – Randomize system call ids or instruction set 10/14/16 CSE 484 / CSE M 584 - Fall 2016 15

  16. Example: ASLR in Vista • Booting Vista twice loads libraries into different locations: 10/14/16 CSE 484 / CSE M 584 - Fall 2016 16

  17. ASLR Issues • NOP slides and heap spraying to increase likelihood for custom code (e.g. on heap) • Brute force attacks or memory disclosures to map out memory on the fly – Disclosing a single address can reveal the location of all code within a library 10/14/16 CSE 484 / CSE M 584 - Fall 2016 17

  18. Other Possible Solutions • Use safe programming languages, e.g., Java – What about legacy C code? – (Note that Java is not the complete solution) • Static analysis of source code to find overflows • Dynamic testing: “fuzzing” • LibSafe: dynamically loaded library that intercepts calls to unsafe C functions and checks that there’s enough space before doing copies – Also doesn’t prevent everything 10/14/16 CSE 484 / CSE M 584 - Fall 2016 18

  19. Even Modern Systems Don’t Use These Defenses! • Embedded systems – E.g., cars 10/14/16 CSE 484 / CSE M 584 - Fall 2016 19

  20. Beyond Buffer Overflows… 10/14/16 CSE 484 / CSE M 584 - Fall 2016 20

  21. Another Type of Vulnerability • Consider this code: int openfile(char *path) { struct stat s; if (stat(path, &s) < 0) return -1; if (!S_ISRREG(s.st_mode)) { error("only allowed to regular files!"); return -1; } return open(path, O_RDONLY); } • Goal: Open only regular files (not symlink, etc) • What can go wrong? 10/14/16 CSE 484 / CSE M 584 - Fall 2016 21

  22. TOCTOU (Race Condition) • TOCTOU == Time of Check to Time of Use: int openfile(char *path) { struct stat s; if (stat(path, &s) < 0) return -1; if (!S_ISRREG(s.st_mode)) { error("only allowed to regular files!"); return -1; } return open(path, O_RDONLY); } • Goal: Open only regular files (not symlink, etc) • Attacker can change meaning of path between stat and open (and access files they shouldn’t) 10/14/16 CSE 484 / CSE M 584 - Fall 2016 22

  23. Another Type of Vulnerability • Consider this code: char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len); } void *memcpy(void *dst, const void * src, size_t n); typedef unsigned int size_t; 10/14/16 CSE 484 / CSE M 584 - Fall 2016 23

  24. Integer Overflow and Implicit Cast If len is negative, may • Consider this code: copy huge amounts char buf[80]; of input into buf. void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len); } void *memcpy(void *dst, const void * src, size_t n); typedef unsigned int size_t; 10/14/16 CSE 484 / CSE M 584 - Fall 2016 24

  25. Another Example size_t len = read_int_from_network(); char *buf; buf = malloc(len+5); read(fd, buf, len); (from www-inst.eecs.berkeley.edu—implflaws.pdf) 10/14/16 CSE 484 / CSE M 584 - Fall 2016 25

  26. Integer Overflow and Implicit Cast size_t len = read_int_from_network(); char *buf; buf = malloc(len+5); read(fd, buf, len); • What if len is large (e.g., len = 0xFFFFFFFF)? • Then len + 5 = 4 (on many platforms) • Result: Allocate a 4-byte buffer, then read a lot of data into that buffer. (from www-inst.eecs.berkeley.edu—implflaws.pdf) 10/14/16 CSE 484 / CSE M 584 - Fall 2016 26

  27. Password Checker • Functional requirements – PwdCheck(RealPwd, CandidatePwd) should: • Return TRUE if RealPwd matches CandidatePwd • Return FALSE otherwise – RealPwd and CandidatePwd are both 8 characters long • Implementation (like TENEX system) PwdCheck(RealPwd, CandidatePwd) // both 8 chars for i = 1 to 8 do if (RealPwd[i] != CandidatePwd[i]) then return FALSE return TRUE • Clearly meets functional description 10/14/16 CSE 484 / CSE M 584 - Fall 2016 27

  28. Attacker Model PwdCheck(RealPwd, CandidatePwd) // both 8 chars for i = 1 to 8 do if (RealPwd[i] != CandidatePwd[i]) then return FALSE return TRUE • Attacker can guess CandidatePwds through some standard interface • Naive: Try all 256 8 = 18,446,744,073,709,551,616 possibilities • Better: Time how long it takes to reject a CandidatePasswd. Then try all possibilities for first character, then second, then third, .... – Total tries: 256*8 = 2048 10/14/16 CSE 484 / CSE M 584 - Fall 2016 28

  29. Timing/Side Channel Attacks • Assume there are no “typical” bugs in the software – No buffer overflow bugs – No format string vulnerabilities – Good choice of randomness – Good design • The software may still be vulnerable to timing attacks – Software exhibits input-dependent timings • Complex and hard to fully protect against 10/14/16 CSE 484 / CSE M 584 - Fall 2016 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 13 Recap: Overflow Bugs Ingredients: fixed-size buffer on the

429 views • 13 slides
CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
VisualPen It replaces keyboard and mouse: VisualPen: A Physical Interface for natural

VisualPen It replaces keyboard and mouse: VisualPen: A Physical Interface for natural

MOBILE HCI 03 MOBILE HCI 03 MOBILE HCI 03 VisualPen: A Physical Interface for natural human-computer interaction VisualPen: A Physical Interface for natural human-computer interaction Physical Interaction (PI03) Physical Interaction (PI03)

305 views • 3 slides
Distributed W atchpoints: Debugging Very Large Ensem bles of Robots De Rosa, Goldstein, Lee,

Distributed W atchpoints: Debugging Very Large Ensem bles of Robots De Rosa, Goldstein, Lee,

Distributed W atchpoints: Debugging Very Large Ensem bles of Robots De Rosa, Goldstein, Lee, Campbell, Pillai Aug 19, 2006 Motivation Distributed errors are hard to find with traditional debugging tools Centralized snapshot algorithms

325 views • 19 slides
The investigating team Asim Qayyum, Annemaree Lloyd, Kim Thompson, &amp; Mary Anne Kennan

The investigating team Asim Qayyum, Annemaree Lloyd, Kim Thompson, &amp; Mary Anne Kennan

Informing Refugee Settlement Support Service Planning &amp; Policies The investigating team Asim Qayyum, Annemaree Lloyd, Kim Thompson, &amp; Mary Anne Kennan Purpose of the study To map the information landscape of service providers that

244 views • 8 slides
Cabrini University: Planning Commission August 7, 2017 EXISTING CAMPUS SITE PLAN 2 2012

Cabrini University: Planning Commission August 7, 2017 EXISTING CAMPUS SITE PLAN 2 2012

Cabrini University: Planning Commission August 7, 2017 EXISTING CAMPUS SITE PLAN 2 2012 INSTITUTIONAL DEVELOPMENT PLAN 3 2017 MASTER PLAN 4 2014 PRELIMINARY PLAN 5 2017 REVISED PRELIMINARY PLAN 6 2017 FINAL LAND DEVELOPMENT PLAN 7

534 views • 7 slides
2122 May 2020 Presentation Slides Day 2 1. 2. 3. NOTES:

2122 May 2020 Presentation Slides Day 2 1. 2. 3. NOTES:

Workshop is hosted by: 2122 May 2020 Presentation Slides Day 2 1. 2. 3. NOTES: _______________________________________________________________________________________________________________________________

1.28k views • 67 slides
Q209 Defining great customer experience. Strategic Highlights Bill Downe Bill Downe Bill Downe

Q209 Defining great customer experience. Strategic Highlights Bill Downe Bill Downe Bill Downe

Q209 Defining great customer experience. Strategic Highlights Bill Downe Bill Downe Bill Downe Bill Downe President and Chief Executive Officer May 26, 2009 Forward Looking Statements Caution Regarding Forward-Looking Statements Bank of

289 views • 7 slides
CLOUD SECURITY OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE CLOUD PUBLIC Jakob I.

CLOUD SECURITY OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE CLOUD PUBLIC Jakob I.

Click to edit Master title style CLOUD SECURITY OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE CLOUD PUBLIC Jakob I. Pagter Alexandra Instituttet A/S 1 About Alexandra Instituttet A/S Click to edit Master title style

756 views • 39 slides
HealthSouth Acquires Encompass Home Health &amp; Hospice 1 Forward-Looking Statements The

HealthSouth Acquires Encompass Home Health &amp; Hospice 1 Forward-Looking Statements The

HealthSouth Acquires Encompass Home Health &amp; Hospice 1 Forward-Looking Statements The information contained in this presentation includes certain estimates, projections and other forward- looking information that reflect our current outlook,

402 views • 13 slides

More recommend