Program analysis for security, fall 2010: introduction to compilers
TRANSCRIPT
• General introduction to security
  - What is system security?
  - Threats
  - Trends
  - Approaches to finding vulnerabilities
• Security vulnerabilities
  - Memory-based exploits
  - Web application vulnerabilities
What is Security?
System correctness
• If user supplies expected input, system generates desired output
Security
• If attacker supplies unexpected input, system does not fail in certain ways
• Goal of the attacker is to make the system fail in “interesting ways”
What is security?
System correctness
• Good input ⇒ Good output
• Think “verification”
Security
• Bad input ⇒ Bad output
• Think “not exploitable”
Security properties
Confidentiality
• Information about system or its users cannot be learned by an attacker
Integrity
• The system continues to operate properly, only reaching states that would occur if there were no attacker
Availability
• Actions by an attacker do not prevent users from having access to use of the system
General picture
[Figure: Alice, the System and the Attacker]
Security is about
• Honest user (e.g., Alice, Bob, …)
• Dishonest Attacker
• How the Attacker
  - Disrupts honest user’s use of the system (Integrity, Availability)
  - Learns information intended for Alice only (Confidentiality)
Web security
[Figure: Alice and the System; the Web Attacker sets up a malicious site visited by the victim and has no control of the network]

[Figure: Alice, the System and the Attacker]
Confidentiality: Attacker does not learn Alice’s secrets
Integrity: Attacker does not undetectably corrupt system’s function for Alice
Availability: Attacker does not keep system from being useful to Alice
Historical hackers (prior to 2000)
Profile:
• Male
• Between 14 and 34 years of age
• Computer addicted
• No permanent girlfriend
No Commercial Interest !!!
Source: Raimund Genes
Typical Botherder: “0x80” (pronounced X-eighty)
• High school dropout
• “…most of these people I infect are so stupid they really ain't got no business being on the Internet in the first place.”
• Working hours: approx. 2 minutes/day to manage Botnet
• Monthly earnings: $6,800 on average
• Daily Activities:
  - Chatting with people while his bots make him money
  - Recently paid $800 for an hour alone in a VIP room with several dancers
• Job Description:
  - Controls 13,000+ computers in more than 20 countries
  - Infected Bot PCs download Adware then search for new victim PCs
  - Adware displays ads and mines data on victim's online browsing habits.
  - Bots collect password, e-mail address, SS#, credit and banking data
  - Gets paid by companies like TopConverting.com, GammaCash.com, Loudcash, or 180Solutions.
Source: Washington Post, “Invasion of the Computer Snatchers”
Some things in the news
• Nigerian letter (419 Scams) still works:
  - Michigan Treasurer Sends 1.2M USD of State Funds !!!
• Many zero-day attacks
  - Google, Excel, Word, Powerpoint, Office …
• Criminal access to important devices
  - Numerous lost, stolen laptops, storage media, containing customer information
  - Second-hand computers (hard drives) pose risk
• Vint Cerf estimates ¼ of PCs on Internet are bots
Trends for 2010
• Malware, worms, and Trojan horses
  - spread by email, instant messaging, malicious or infected websites
• Botnets and zombies
  - improving their encryption capabilities, more difficult to detect
• Scareware – fake/rogue security software
• Attacks on client-side software
  - browsers, media players, PDF readers, etc.
• Ransom attacks
  - malware encrypts hard drives, or DDOS attack
• Social network attacks
  - Users’ trust in online friends makes these networks a prime target.
• Cloud Computing – growing use will make this a prime target for attack.
• Web Applications – developed with inadequate security controls
• Budget cuts – problem for security personnel and a boon to cyber criminals.
Source: Texas CISO, Feb 2010 (same list in Oklahoma Monthly Security Tips Newsletter)
Reported Web Vulnerabilities "In the Wild"
Data from aggregator and validator of NVD-reported vulnerabilities
Web attack toolkit: MPack
• Basic setup
  - Toolkit hosted on web server
  - Infects pages on that server
  - Page visitors get infected
• Features
  - Customized: determines exploit on the fly, based on user’s OS, browser, etc.
  - Easy to use: management console provides stats on infection rates
  - Customer care toolkit can be purchased with one-year support contract!
Finding Vulnerabilities
• Static analysis
  - Abstract interpretation
  - Dataflow
  - Pointer analysis
  - etc.
• Runtime analysis
  - Fuzzing
  - Testing
  - Simulation
  - Symbolic execution
  - Model checking
Outline
• Memory safety attacks
  - Buffer overruns
  - Format string vulnerabilities
• Web application vulnerabilities
  - SQL injections
  - Cross-site scripting attacks
Buffer Overrun Example
[Figure: two stack frames (Frame 1, Frame 2), each holding str, ret, sfp and local]

    #include <stdio.h>

    void lame(void) {
        char small[30];
        gets(small);            /* no bound: input longer than 29 bytes overruns small */
        printf("%s\n", small);
    }
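The bounded counterpart of lame(), added here as an example (not from the slides): read_line() is a hypothetical helper built on fgets() that never writes past the buffer, always NUL-terminates, and tells the caller when a line had to be cut instead of silently overrunning.

```c
#include <stdio.h>
#include <string.h>

/* Result of reading one line into a fixed-size buffer. */
enum read_status { READ_OK, READ_TRUNCATED, READ_EOF };

/* Hypothetical replacement for gets(small): reads at most cap-1 bytes into
 * buf, always NUL-terminates, strips the newline, and reports whether the
 * line was longer than the buffer. Excess bytes are drained, not written. */
enum read_status read_line(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap > 0) buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';                 /* complete line: drop the newline */
        return READ_OK;
    }
    /* No newline in buf: the line either filled the buffer exactly, ended at
     * EOF, or was too long. Peek one byte to tell the cases apart. */
    int c = getc(in);
    if (c == EOF || c == '\n') return READ_OK;
    /* Over-long line: discard the rest so the next read starts fresh. */
    while (c != '\n' && c != EOF) c = getc(in);
    return READ_TRUNCATED;
}

/* Same shape as the slide's lame(), but small[30] can never be overrun. */
void not_lame(void)
{
    char small[30];
    if (read_line(small, sizeof small, stdin) == READ_TRUNCATED)
        fprintf(stderr, "input too long, cut to %zu bytes\n", sizeof small - 1);
    printf("%s\n", small);
}
```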
Input Validation
• Classifying vulnerabilities:
  - Buffer overflows can be viewed as an example of improper input validation
  - Another related type of vulnerability is information leaks
• Other notable examples:
  - Format string vulnerabilities
  - SQL injection attacks
  - Cross-site scripting attacks
• Mechanisms to prevent attacks
  - Better input validation
  - Safe programming techniques
  - Techniques for detecting potential buffer overflows in code
    - Static analysis
    - Runtime analysis
    - Fuzzing/penetration testing
    - White-box fuzzing
    - etc.
Secure Programming Techniques
• Validate all input
  - Easier said than done
  - Why is that?
• Avoid buffer overflows
  - Use safe string manipulation functions
  - Careful length checking
  - Avoid statically declared arrays
  - etc.
• Or use a memory-safe language
  - Java or C#
  - JavaScript (not type-safe)
Validating Input
• Determine acceptable input, check for match; don’t just check against a list of “non-matches”
  - Limit maximum length
  - Watch out for special characters, escape chars.
• Check bounds on integer values
  - Check for negative inputs
  - Check for large inputs that might cause overflow!
Avoid strcpy, …
• We have seen that strcpy is unsafe
  - strcpy(buf, str) simply copies memory contents into buf starting from *str until “\0” is encountered, ignoring the size of buf
• Avoid strcpy(), strcat(), gets(), etc.
  - Use strncpy(), strncat() instead
  - Still, computing proper bounds is difficult in practice
  - Easy to mess up, off-by-one errors are common
Static and Dynamic Analysis
• Static analysis: run on the source code prior to deployment; check for known flaws
  - e.g., flawfinder, cqual
  - Or Prefix/Prefast
  - Or Coverity or Fortify tools
  - Will look at some more recent work in this course as well as older stuff
• Dynamic analysis: try to catch (potential) buffer overflows during program execution
  - Soundness
  - Precision
• Comparison?
  - Static analysis very useful, but not perfect
    - False positives
    - False negatives
  - Dynamic analysis can be better (in tandem with static analysis), but can slow down execution
  - Historically of great importance, drove adoption of type-safe languages such as Java and C#
Dynamic analysis: Libsafe
• Very simple example of what can be done at runtime
• Intercepts all calls to, e.g., strcpy(dest, src)
  - Validates sufficient space in current stack frame: |frame-pointer – dest| > strlen(src)
  - If so, executes strcpy; otherwise, terminates application
Preventing Buffer Overflows
• Operating system support:
  - Can mark stack segment as non-executable
  - Randomize stack location
• Problems:
  - Does not defend against ‘return-to-libc’ exploit
    - Overflow sets ret-addr to address of libc function
  - Does not prevent general buffer overflow flaws, or heap overflow
• Basic heap overflows can be helped with ASLR
Heap-based Buffer Overruns and Heap Spraying
• Buffer overruns consist of two steps
  - Introduce the payload
  - Cause the program to jump to it
• Can put the payload/shellcode in the heap
  - Arbitrary amounts of code
  - Doesn’t work with heap randomization
  - Location of the payload changes every time
• Heap spraying:
  - Allocate multiple copies of the payload
  - When the jump happens, it hits the payload with a high probability
StackGuard
• Embed random “canaries” in stack frames and verify their integrity prior to function return
• This is actually used!
• Helpful, but not foolproof…
[Figure: two stack frames (Frame 1, Frame 2), each holding str, ret, sfp, canary and local]
More Methods…
• Address obfuscation
  - Encrypt return address on stack by XORing with random string. Decrypt just before returning from function
  - Attacker needs decryption key to set return address to desired value
Format String Vulnerabilities
• What is the difference between
    printf(buf);
  and
    printf("%s", buf);
  ?
• What if buf holds %x?
• Look at memory, and what printf expects…
Format String Exploits
• Technique:
  - Declare a variable of type int in line 4 and call it bytes_formatted
  - Line 6: the format string specifies that 20 characters should be formatted in hexadecimal (“%.20x”) using buffer
  - When this is done, due to the “%n” specifier, write the value 20 to bytes_formatted
• Result:
  - This means that we have written a value to another memory location
  - Very definition of violating memory safety
  - May be possible to gain control over a program’s execution

    #include <stdio.h>

    int main(void) {
        int bytes_formatted = 0;
        char buffer[28] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        printf("%.20x%n", buffer, &bytes_formatted);   /* %n stores the count written so far */
        printf("\nThe number of bytes formatted in the previous printf statement was %d\n",
               bytes_formatted);
        return 0;
    }
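To make concrete what printf “expects” from a format string, here is an added example (not from the slides): a hypothetical helper that walks a format the way printf does, counts the variadic arguments it would consume, and flags a %n, which is the check a defensive wrapper needs before a string of uncertain origin is ever passed as a format.

```c
#include <stdbool.h>
#include <string.h>

/* Parses a printf-style format and returns how many variadic arguments
 * printf would consume for it; sets *writes_memory if a %n is present.
 * Returns -1 for a malformed format (dangling or unknown conversion). */
int format_arg_count(const char *fmt, bool *writes_memory)
{
    int args = 0;
    *writes_memory = false;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                        /* "%%": literal percent */
        while (*p && strchr("-+ #0", *p)) p++;          /* flags */
        if (*p == '*') { args++; p++; }                 /* width taken from an argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                                 /* precision */
            p++;
            if (*p == '*') { args++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;        /* length modifiers */
        if (*p == '\0' || !strchr("diouxXeEfFgGaAcspn", *p))
            return -1;
        if (*p == 'n') *writes_memory = true;            /* the write-to-memory directive */
        args++;
    }
    return args;
}

/* Policy for data of uncertain origin: it may only be used as a format if it
 * consumes no arguments at all. Otherwise print it through "%s". */
bool safe_as_format(const char *s)
{
    bool writes;
    int n = format_arg_count(s, &writes);
    return n == 0 && !writes;
}
```

The slide's own format "%.20x%n" comes out as two arguments with the write flag set, which is exactly why printf(buf) with attacker-chosen buf is not the same call as printf("%s", buf).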
Other Input Validation Bugs
• Integer overflow…
• Consider the code:
    strncpy(msg + offset, str, slen);
  where the adversary may control offset
• By setting the value high enough, it will wrap around and be treated as a negative integer!
• Write into the msg buffer instead of after it
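An added example (not from the slides) of the strncpy(msg + offset, str, slen) pattern done safely: place_at() is a hypothetical helper whose bounds checks are computed with size_t subtraction so that offset + slen can never wrap before the comparison, and naive_check_passes() shows the wrap the slide warns about, in well-defined 32-bit arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Copies slen bytes of str to msg + offset only if the whole write lies
 * inside msg[0..msg_size). Negative offsets are refused outright, and the
 * remaining room is computed as msg_size - offset (no addition to overflow). */
bool place_at(char *msg, size_t msg_size, long offset,
              const char *str, size_t slen)
{
    if (offset < 0)
        return false;                          /* would write before msg */
    size_t off = (size_t)offset;
    if (off > msg_size)
        return false;                          /* start lies beyond the buffer */
    if (slen > msg_size - off)
        return false;                          /* not enough room left */
    memcpy(msg + off, str, slen);
    return true;
}

/* The check that looks right but is not: offset + slen is formed first in
 * 32-bit arithmetic, so a large offset wraps to a negative sum and the
 * "sum < msg_size" test passes. Wrapping is done in uint32_t so that the
 * demonstration itself is well-defined. */
bool naive_check_passes(int32_t offset, int32_t slen, int32_t msg_size)
{
    int32_t sum = (int32_t)((uint32_t)offset + (uint32_t)slen);
    return sum < msg_size;
}
```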
SQL Injection Attacks
• Affect applications that use untrusted input as part of an SQL query to a back-end database
• Specific case of a more general problem: using untrusted input in commands
SQL Injection: Example
• Consider a browser form, e.g.: [Figure: browser form]
• When the user enters a number and clicks the button, this generates an http request like
    https://www.pizza.com/show_orders?month=10
Example Continued…
• Upon receiving the request, a Java program might produce an SQL query as follows:
    sql_query = "SELECT pizza, quantity, order_day "
        + "FROM orders "
        + "WHERE userid=" + session.getCurrentUserId()
        + " AND order_month=" + request.getParameter("month");
• A normal query would look like:
    SELECT pizza, quantity, order_day
    FROM orders
    WHERE userid=4123 AND order_month=10
Example Continued…
• What if the user makes a modified http request:
    https://www.pizza.com/show_orders?month=0%20OR%201%3D1
• (Parameters transferred in URL-encoded form, where meta-characters are encoded in ASCII)
• This has the effect of setting request.getParameter("month") equal to the string 0 OR 1=1
Example Continued
• So the script generates the following SQL query:
    SELECT pizza, quantity, order_day
    FROM orders
    WHERE userid=4123 AND order_month=0 OR 1=1
• Since AND takes precedence over OR, the above always evaluates to TRUE
  - The attacker gets every entry in the database!
Even Worse…
• Craft an http request that generates an SQL query like the following:
    SELECT pizza, quantity, order_day
    FROM orders
    WHERE userid=4123 AND order_month=0 OR 1=0
    UNION SELECT cardholder, number, exp_date
    FROM creditcards
• Attacker gets the entire credit card database as well!
More Damage…
• SQL queries can encode multiple commands, separated by ‘;’
• Craft an http request that generates an SQL query like the following:
    SELECT pizza, quantity, order_day
    FROM orders
    WHERE userid=4123 AND order_month=0 ;
    DROP TABLE creditcards
• Credit card table deleted!
  - DoS attack
More Damage…
• Craft an http request that generates an SQL query like the following:
    SELECT pizza, quantity, order_day
    FROM orders
    WHERE userid=4123 AND order_month=0 ;
    INSERT INTO admin VALUES ('hacker', ...)
• User (with chosen password) entered as an administrator!
  - Database owned!
May Need to be More Clever…
• Consider the following script for text queries:
    sql_query = "SELECT pizza, quantity, order_day "
        + "FROM orders "
        + "WHERE userid=" + session.getCurrentUserId()
        + " AND topping='" + request.getParameter("topping") + "'";
• Previous attacks will not work directly, since the commands will be quoted
• But easy to deal with this…
Example Continued…
• Craft an http request where request.getParameter("topping") is set to
    abc'; DROP TABLE creditcards; --
• The effect is to generate the SQL query:
    SELECT pizza, quantity, order_day
    FROM orders
    WHERE userid=4123 AND topping='abc';
    DROP TABLE creditcards ; --'
• (‘--’ represents an SQL comment)
Solutions?
• Blacklisting
• Whitelisting
• Encoding routines
• Prepared statements/bind variables
• Mitigate the impact of SQL injection
Blacklisting?
• I.e., searching for/preventing ‘bad’ inputs
• E.g., for previous example:
    sql_query = "SELECT pizza, quantity, order_day "
        + "FROM orders "
        + "WHERE userid=" + session.getCurrentUserId()
        + " AND topping='" + kill_chars(request.getParameter("topping")) + "'";
• …where kill_chars() deletes, e.g., quotes and semicolons
Drawbacks of Blacklisting
• How do you know if/when you’ve eliminated all possible ‘bad’ strings?
  - If you miss one, could allow successful attack
• Does not prevent first set of attacks (numeric values)
  - Although similar approach could be used, starts to get complex!
• May conflict with functionality of the database
  - E.g., user with name O’Brien
Whitelisting
• Check that user-provided input is in some set of values known to be safe
  - E.g., check that month is an integer in the right range
• If invalid input detected, better to reject it than to try to fix it
  - Fixes may introduce vulnerabilities
  - Principle of fail-safe defaults
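An added example (not from the slides) covering the blacklisting, whitelisting and encoding slides together: parse_month() is a hypothetical whitelist for the numeric month parameter that rejects anything but an integer in 1..12, and sql_quote_literal() is an encoding routine for the text topping parameter that doubles quotes instead of deleting them, so a name like O’Brien survives where kill_chars() would mangle it.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Whitelist for ?month=: the whole string must be a plain decimal integer
 * in 1..12. "0 OR 1=1", "13", "+5", " 10" and "" are all rejected, not fixed. */
bool parse_month(const char *s, int *month)
{
    if (s == NULL || !isdigit((unsigned char)*s)) return false;
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0') return false;  /* anything after the digits */
    if (v < 1 || v > 12) return false;
    *month = (int)v;
    return true;
}

/* Encoding routine for a text value: wraps it in single quotes and doubles
 * every embedded quote, so the value cannot close its own literal. Returns a
 * malloc'd string the caller frees, or NULL on allocation failure. */
char *sql_quote_literal(const char *s)
{
    size_t extra = 0;
    for (const char *p = s; *p; p++)
        if (*p == '\'') extra++;
    char *out = malloc(strlen(s) + extra + 3);      /* two quotes + NUL */
    if (out == NULL) return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') *o++ = '\'';                 /* emit the quote twice */
        *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}
```

The quoting rule shown is the standard SQL one; a database with extra escape syntax needs its own routine, which is one more reason the prepared statements on the next slides are the better default.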
Prepared Statements/bind Variables
• Prepared statements: static queries with bind variables
  - Variables not involved in query parsing
• Bind variables: placeholders guaranteed to be data in correct format
A SQL Injection Example in Java
    PreparedStatement ps = db.prepareStatement(
        "SELECT pizza, quantity, order_day "
        + "FROM orders WHERE userid=? AND order_month=?");
    ps.setInt(1, session.getCurrentUserId());
    ps.setInt(2, Integer.parseInt(request.getParameter("month")));
    ResultSet res = ps.executeQuery();
(the ? placeholders are the bind variables)
There’s Even More
• Practical SQL Injection: Bit by Bit
• Overall, SQL injection is easy to fix by banning certain APIs
  - Prevent query Execute-type calls with non-constant arguments
  - Very easy to automate
  - See a tool like LAPSE that does it for Java
Cross-site Scripting
• If the application is not careful to encode its output data, an attacker can inject script into the output
    out.writeln("<div>");
    out.writeln(req.getParameter("name"));
    out.writeln("</div>");
• name: <script>…; xhr.send(document.cookie);</script>
• Simplest version called reflected or type-1 XSS
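The output-encoding fix for the sink above, as an added example in C (not the servlet code on the slide): html_escape() is a hypothetical routine that replaces every character with meaning to the HTML parser by its entity, and render_div() is the same div-wrapping output with the encoding applied, so the name parameter lands in the page as text rather than markup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* HTML entity encoding for text placed between tags (or inside a quoted
 * attribute). Returns a malloc'd string the caller frees, or NULL. */
char *html_escape(const char *s)
{
    static const char *const rep[256] = {
        ['&'] = "&amp;", ['<'] = "&lt;", ['>'] = "&gt;",
        ['"'] = "&quot;", ['\''] = "&#39;",
    };
    const unsigned char *p;
    size_t out_len = 0;
    for (p = (const unsigned char *)s; *p; p++)        /* first pass: size */
        out_len += rep[*p] ? strlen(rep[*p]) : 1;
    char *out = malloc(out_len + 1);
    if (out == NULL) return NULL;
    char *o = out;
    for (p = (const unsigned char *)s; *p; p++) {       /* second pass: copy */
        if (rep[*p]) {
            size_t n = strlen(rep[*p]);
            memcpy(o, rep[*p], n);
            o += n;
        } else {
            *o++ = (char)*p;
        }
    }
    *o = '\0';
    return out;
}

/* The slide's three writeln() calls with encoding in between: whatever the
 * name parameter holds, it cannot open a <script> tag in the output. */
char *render_div(const char *name)
{
    char *safe = html_escape(name);
    if (safe == NULL) return NULL;
    size_t n = strlen(safe) + sizeof "<div></div>";     /* includes the NUL */
    char *page = malloc(n);
    if (page != NULL) snprintf(page, n, "<div>%s</div>", safe);
    free(safe);
    return page;
}
```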
Memory Exploits and Web App Vulnerabilities Compared
• Buffer overruns
  - Stack-based
  - Return-to-libc, etc.
  - Heap-based
  - Heap spraying attacks
  - Requires careful programming or memory-safe languages
  - Don’t always help, as in the case of JavaScript-based spraying
  - Static analysis tools
• Format string vulnerabilities
  - Generally, better, more restrictive APIs are enough
  - Simple static tools help
• Cross-site scripting
  - XSS-0, -1, -2, -3
  - Requires careful programming
  - Static analysis tools
• SQL injection
  - Generally, better, more restrictive APIs are enough
  - Simple static tools help