software flaws and malware i - mcmaster university
TRANSCRIPT
Software Flaws and Malware ICS 3IS3
Ryszard Janicki
Department of Computing and Software, McMaster University, Hamilton,Ontario, Canada
Acknowledgments: Material based on Information Security by Mark Stamp (Chapters 11.1-11.2)
Ryszard Janicki Software Flaws and Malware I 1/34
Why Software?
Why is software as important to security as cryptography,access control, protocols?
Virtually all information security features are implemented insoftware
If your software is subject to attack, your security can bebroken
Regardless of strength of cryptography, access control, orprotocols
Software is a poor foundation for security
Ryszard Janicki Software Flaws and Malware I 2/34
Bad Software is Ubiquitous
NASA Mars Lander (cost $165 million)
Crashed into Mars due to. . .. . . error in converting English and metric units of measureBelieve it or not
Denver airport
Baggage handling system - very buggy softwareDelayed airport opening by 11 monthsCost of delay exceeded $1 million/day
MV-22 Osprey
Advanced military aircraftFaulty software can be fatal
There are many other examples...
Ryszard Janicki Software Flaws and Malware I 3/34
Software Issues
Alice and Bob
Find bugs and flaws byaccident
Hate bad software. . .
. . . but they learn to livewith it
Must make bad softwarework
Trudy
Actively looks for bugsand flaws
Likes bad software. . .
. . . and tries to make itmisbehave
Attacks systems via badsoftware
Ryszard Janicki Software Flaws and Malware I 4/34
Complexity
“Complexity is the enemy of security”, Paul Kocher,Cryptography Research, Inc.
Part 4 Software 6
Complexity “Complexity is the enemy of security”, Paul
Kocher, Cryptography Research, Inc.
A new car contains more LOC than was required to land the Apollo astronauts on the moon
System Lines of Code (LOC)
Netscape 17 million
Space Shuttle 10 million
Linux kernel 2.6.0 5 million
Windows XP 40 million
Mac OS X 10.4 86 million
Boeing 777 7 million
A new car contains more Lines of Code (LOC) than wasrequired to land the Apollo astronauts on the moon.
This is also a wrong culture of current programmers “themore LOC the better programmer I am”. This culture is alsooften cultivated by many software companies!
Ryszard Janicki Software Flaws and Malware I 5/34
Lines of Code and Bugs
Conservative estimate: 5 bugs/10,000 LOC
Do the math:Typical computer: 3k exe’s of 100k LOC eachConservative estimate: 50 bugs/exeImplies about 150k bugs per computerSo, 30,000 - node network has 4.5 billion bugsMaybe only 10% of bugs security-critical and only 10% ofthose remotely exploitableThen “only” 45 million critical security flaws!
Ryszard Janicki Software Flaws and Malware I 6/34
Software Security Topics
Basic Program Flaws (unintentional)
Buffer overflowIncomplete mediationRace conditions
Malicious Software (intentional)
VirusesWormsOther breeds of malware
Ryszard Janicki Software Flaws and Malware I 7/34
Program Flaws
An error is a programming mistake. To err is human
An error may lead to incorrect state: faultA fault is internal to the program
A fault may lead to a failure, where a system departs from itsexpected behavior - a failure is externally observable
Part 4 Software 9
Program Flaws
An error is a programming mistake
o To err is human
An error may lead to incorrect state: fault
o A fault is internal to the program
A fault may lead to a failure, where a system departs from its expected behavior
o A failure is externally observable
error fault failure
Example
Part 4 Software 10
Examplechar array[10];
for(i = 0; i < 10; ++i)
array[i] = `A`;
array[10] = `B`;
This program has an error
This error might cause a fault
o Incorrect internal state
If a fault occurs, it might lead to a failure
o Program behaves incorrectly (external)
We use the term flaw for all of the above
This program has an errorThis error might cause a fault - incorrect internal state
If a fault occurs, it might lead to a failureProgram behaves incorrectly (external)
We use the term flaw for all of the aboveRyszard Janicki Software Flaws and Malware I 8/34
Secure Software
In software engineering, try to ensure that a program doeswhat is intended
Secure software engineering requires that software doeswhat is intended. . .
. . . and nothing more
Absolutely secure software? Dream on. . .
Absolute security anywhere is impossible
How can we manage software risks?
Ryszard Janicki Software Flaws and Malware I 9/34
Program Flaws
Program flaws are unintentionalBut can still create security risks
We will consider 3 types of flaws
Buffer overflow (smashing the stack)Incomplete mediationRace conditions
These are the most common flaws (but there are other..)
Ryszard Janicki Software Flaws and Malware I 10/34
Buffer Overflow: Attack Scenario
Users enter data into a Web formWeb form is sent to serverServer writes data to array called buffer, without checkinglength of input dataData “overflows” buffer
Such overflow might enable an attackIf so, attack could be carried out by anyone with Internetaccess
Buffer overflow:
Part 4 Software 15
Buffer Overflow
Q: What happens when code is executed?
A: Depending on what resides in memory at location “buffer[20]”
o Might overwrite user data or code
o Might overwrite system data or code
o Or program could work just fine
int main(){
int buffer[10];
buffer[20] = 37;}
Question: What happens when code is executed?Answer: Depending on what resides in memory at location“buffer[20]”
Might overwrite user data or codeMight overwrite system data or codeOr program could work just fine
Ryszard Janicki Software Flaws and Malware I 11/34
Simple Buffer Overflow
Consider Boolean flag for authentication
Buffer overflow could overwrite flag allowing anyone toauthenticate
Part 4 Software 16
Simple Buffer Overflow
Consider boolean flag for authentication
Buffer overflow could overwrite flag allowing anyone to authenticate
buffer
FTF O U R S C …
Boolean flag
In some cases, Trudy need not be so lucky as in this example
In some cases, Trudy need not be so lucky as in this example
Ryszard Janicki Software Flaws and Malware I 12/34
Memory Organization
Text - code
Data - static variables
Heap - dynamic data
Stack - “scratch paper”
Dynamic local variablesParameters tofunctionsReturn address
Part 4 Software 17
Memory Organization
Text code
Data static variables
Heap dynamic data
Stack “scratch paper”
o Dynamic local variables
o Parameters to functions
o Return addressstack
heap
data
text
high address
low address
stack pointer (SP)
Ryszard Janicki Software Flaws and Malware I 13/34
Simplified Stack Example
Part 4 Software 18
Simplified Stack Example
high
void func(int a, int b){
char buffer[10];
}
void main(){
func(1,2);
}
::
buffer
ret
a
b
returnaddress
low
SP
SP
SP
SP
Ryszard Janicki Software Flaws and Malware I 14/34
Smashing the Stack I
What happens if bufferoverflows?
Program “returns” towrong location
A crash is likely
Part 4 Software 19
Smashing the Stack
high
What happens if buffer overflows?
::
buffer
a
b
ret…
low
SP
SP
SP
SP
retoverflow
Program “returns” to wrong location
NOT!
???
A crash is likelyoverflow
Ryszard Janicki Software Flaws and Malware I 15/34
Smashing the Stack II
Trudy has a better idea. . .
Code injection
Trudy can run code of herchoosing. . .
. . . on your machine
Part 4 Software 20
Smashing the Stack
high
Trudy has a better idea… :
:
evil code
a
b
low
SP
SP
SP
SP
retret
Code injection
Trudy can run code of her choosing…o …on your machine
Ryszard Janicki Software Flaws and Malware I 16/34
Smashing the Stack III
Trudy may not know. . .1 Address of evil code2 Location of ret on
stack
Trudy’s solutions1 Precede evil code with
NOP (‘do nothing’instruction) “landingpad”
2 Insert ret many times
Part 4 Software 21
Smashing the Stack
Trudy may not know…
1) Address of evil code
2) Location of ret on stack
Solutions
1) Precede evil code with NOP “landing pad”
2) Insert ret many times
evil code
::
::
ret
ret
:
NOP
NOP
:
ret
ret
Ryszard Janicki Software Flaws and Malware I 17/34
Stack Smashing Summary
A buffer overflow must exist in the code
Not all buffer overflows are exploitable
Things must align properly
If exploitable, attacker can inject code
Trial and error is likely required
Stack smashing is “attack of the decade”. . .. . . for many recent decadesAlso heap and integer overflows, format strings, etc.
Ryszard Janicki Software Flaws and Malware I 18/34
Stack Smashing Example
Suppose program asks for a serial number that Trudy doesnot know
Also, Trudy does not have source code
Trudy only has the executable (exe)
Part 4 Software 23
Stack Smashing Example
Suppose program asks for a serial number that Trudy does not know
Also, Trudy does not have source code
Trudy only has the executable (exe)
Program quits on incorrect serial numberProgram quits on incorrect serial number
Ryszard Janicki Software Flaws and Malware I 19/34
Buffer Overflow Present?
By trial and error (or magic),Trudy discovers apparent bufferoverflow
Part 4 Software 24
Buffer Overflow Present? By trial and error, Trudy discovers
apparent buffer overflow
Note that 0x41 is ASCII for “A”
Looks like ret overwritten by 2 bytes!Note that 0x41 is ASCII for “A”
Looks like ret overwritten by 2 bytes!
Ryszard Janicki Software Flaws and Malware I 20/34
Disassemble Code
Next, disassemble bo.exe to find
Part 4 Software 25
Disassemble Code
Next, disassemble bo.exe to find
The goal is to exploit buffer overflow to jump to address 0x401034
The goal is to exploit buffer overflow to jump to address0x401034
Ryszard Janicki Software Flaws and Malware I 21/34
Buffer Overflow Attack
Find that, in ASCII, 0x401034 is “@ˆP4”
Part 4 Software 26
Buffer Overflow Attack
Find that, in ASCII, 0x401034 is “@^P4”
Byte order is reversed? What the …
X86 processors are “little-endian” Byte order is reversed?
It happens for some processors, like X86, but not all
Ryszard Janicki Software Flaws and Malware I 22/34
Overflow Attack, Take 2
Reverse the byte order to “4ˆP@” and. . .
Part 4 Software 27
Overflow Attack, Take 2 Reverse the byte order to “4^P@” and…
Success! We’ve bypassed serial number check by exploiting a buffer overflow
What just happened?
o Overwrote return address on the stack
Success! We have bypassed serial number check by exploitinga buffer overflow
What has just happened?We overwrote return address on the stack
Ryszard Janicki Software Flaws and Malware I 23/34
Buffer Overflow
Trudy did not require access to the source code
Only tool used was a disassembler to determine address tojump to
Find desired address by trial and error?
Necessary if attacker does not have exeFor example, a remote attack
Ryszard Janicki Software Flaws and Malware I 24/34
Source code for buffer overflow example
Flaw easily exploited byattacker. . .
. . . without access tosource code!
Part 4 Software 29
Source Code
Source code for buffer overflow example
Flaw easilyexploited by attacker…
…without access to source code!
Ryszard Janicki Software Flaws and Malware I 25/34
Stack Smashing Defenses
Employ non-executable stack“No execute” NX bit (if available, often impossible)Seems like the logical thing to do, but some real code executeson the stack (Java, for example)
Use a canaryCanaries or canary words are known values that are placed
between a buffer and control data on the stack to monitorbuffer overflows. When the buffer overflows, the first data tobe corrupted will usually be the canary, and a failedverification of the canary data will therefore alert of anoverflow, which can then be handled, for example, byinvalidating the corrupted data.
Address space layout randomization (ASLR)
Use safe languages (Java, C#)Use safer C functions
For unsafe functions, safer versions existFor example, strncpy instead of strcpy
Ryszard Janicki Software Flaws and Malware I 26/34
Canary
Run-time stack check
Push canary onto stack
Canary value:Constant 0x000aff0dOr, may depends on ret
Part 4 Software 31
Stack Smashing Defenses
Canary
o Run-time stack check
o Push canary onto stack
o Canary value:
Constant 0x000aff0d
Or, may depends on ret
high
::
buffer
a
b
low
overflowret
canaryoverflow
Ryszard Janicki Software Flaws and Malware I 27/34
Address Space Layout Randomization (ASLR)
Randomize place where code loaded in memory
Makes most buffer overflow attacks probabilistic
Windows 10 uses 256 random layoutsSo about 1/256 chance buffer overflow works
Similar thing in MacOS X and other OSs
Attacks against Microsoft’s ASLR do existPossible to “de-randomize”
Ryszard Janicki Software Flaws and Malware I 28/34
Buffer Overflow
A major security threat yesterday, today, and tomorrow
The good news?It ispossible to reduce overflow attacks (safe languages,NX
bit, ASLR, education, etc.)
The bad news?Buffer overflows will exist for a long timeWhy? Legacy code (bad but not good! Very old is actuallygood!), bad development practices, clever attacks, etc.
Ryszard Janicki Software Flaws and Malware I 29/34
Incomplete Mediation - Input Validation
Consider: strcpy(buffer, argv[1])
A buffer overflow occurs iflen(buffer) < len(argv[1])
Software must validate the input by checking the length ofargv[1]
Failure to do so is an example of a more general problem:incomplete mediationConsider web form dataSuppose input is validated on clientFor example, the following is validhttp://www.things.com/orders/final&custID=112
&num=55A&qty=20&price=10&shipping=5&total=205
Suppose input is not checked on serverWhy bother since input checked on client?Then attacker could send http message
http://www.things.com/orders/final&custID=112
&num=55A&qty=20&price=10&shipping=5&total=25
Ryszard Janicki Software Flaws and Malware I 30/34
Incomplete Mediation
Linux kernelResearch revealed many buffer overflowsLots of these due to incomplete mediation
Linux kernel is “good” software sinceOpen-sourceKernel - written by coding gurus, but not necessary
believers in formal methods...
Tools exist to help find such problemsBut incomplete mediation errors can be subtleAnd tools useful for attackers too!
Ryszard Janicki Software Flaws and Malware I 31/34
Race Condition
Security processes should be atomicOccur “all at once”
Race conditions can arise when security-critical process occursin stages
Attacker makes change between stagesOften, between stage that gives authorization, but before
stage that transfers ownership
Example: Unix mkdir
mkdir creates new directory
How mkdir is supposed to work?
Part 4 Software 41
mkdir Race Condition
mkdir creates new directory
How mkdir is supposed to work
1. Allocatespace
mkdir
2. Transferownership
Ryszard Janicki Software Flaws and Malware I 32/34
mkdir Attack
Part 4 Software 41
mkdir Race Condition
mkdir creates new directory
How mkdir is supposed to work
1. Allocatespace
mkdir
2. Transferownership
The mkdir race condition
Part 4 Software 42
mkdir Attack
Not really a “race”o But attacker’s timing is critical
1. Allocatespace
mkdir
3. Transferownership
2. Create link topassword file
The mkdir race condition
Not really a “race”But attacker’s timing is critical
Ryszard Janicki Software Flaws and Malware I 33/34
Race Conditions
Race conditions are common, especially for concurrent systems
Race conditions may be more prevalent than buffer overflows
But race conditions harder to exploit (a few danger cases inmedical devices)
Buffer overflow is “low hanging fruit” today
To prevent race conditions, make security-critical processesatomic:
Occur all at once, not in stagesNot always easy to accomplish in practice
Ryszard Janicki Software Flaws and Malware I 34/34