2152150 Progamming Security Holes
-
Upload
gats1234346 -
Category
Documents
-
view
225 -
download
2
Transcript of 2152150 Progamming Security Holes
![Page 1: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/1.jpg)
Secure Programming
Jonathan Care
![Page 2: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/2.jpg)
Secure Programming - Jonathan Care 2
An Observation
• "Frequently the most important or critical applications in a network are run on the least secure machines, due to lack of upgrades/ patches, mandated by the very criticality of the application..."
![Page 3: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/3.jpg)
Secure Programming - Jonathan Care 3
Statements for discussion
• 99.9% of bugs are avoidable” (sacrifice the remaining 0.1% to Goedel)
• Most of these are due to sloppy programming"• We do not learn the lessons of security, even with
hindsight and in the aftermath of really major security incidents...
• Amongst the prime causes of this are commercial Operating Systems, legacy applications, and ignorance
![Page 4: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/4.jpg)
Secure Programming - Jonathan Care 4
The really irritating thing about computer security
THE SAME PROBLEMS COME UP AGAIN AND AGAIN AND AGAIN AND AGAIN AND AGAIN AND AGAIN AND
AGAIN
![Page 5: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/5.jpg)
Secure Programming - Jonathan Care 5
Network attacks in a nutshell
• The same attacks on networked hosts that were used in the 70s, 80s and early 90s are still in use today in the same way as older ones (smtp, ftp)
• Moreover these get conceptually re- used to attack new protocols (gopher, http, ???)
• WHY?
![Page 6: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/6.jpg)
Secure Programming - Jonathan Care 6
Because
• programmers are ignorant when leaving college• companies can sell widgets better than security to
the marketplace• legacy apps hamper us (try to convince a vendor
to drop sendmail)• legislation ties up technologies that can help (eg:
US crypto export)• ... AND...
![Page 7: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/7.jpg)
Secure Programming - Jonathan Care 7
Personal Cynicism
(# pragma personal_ cynicism 1)
I strongly suspect that nobody really cares*
(* except for the people who have to clear up the mess)
![Page 8: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/8.jpg)
Secure Programming - Jonathan Care 8
So what are the problems that keep returning?
• Viruses• Stack overwriting• Trusting insanitary data• Authentication spoofing (direct or indirect)• OVERPOWERFUL SOFTWARE RUNNING
WITH EXCESS PRIVILEGE• ... and poor encryption session key generation (not
covered in this presentation 1st rev.)
![Page 9: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/9.jpg)
Secure Programming - Jonathan Care 9
Viruses
Possibly the one form of security bug that is more "social" than "erroneous" in nature
Like life: so long as there is exchange of data there will be the possibility that something nasty is piggybacking a ride, inside
![Page 10: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/10.jpg)
Secure Programming - Jonathan Care 10
Stack Overruns - blame the programmer
Can cause:
• denial of service
• system crash (at protocol level)
• hacker infestation
![Page 11: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/11.jpg)
Secure Programming - Jonathan Care 11
Stack Overruns - common causes
• gets() (Morris Worm)
• sprintf()
• strcat()
• strcpy()
• insanitary calls to read()
... into small/ undersized memory buffers
![Page 12: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/12.jpg)
Secure Programming - Jonathan Care 12
Stack Overflows - a Taxonomy
read() buffer
Before
subroutinereturn address
Stack growth
“landing pad” of NOPspadding
ViralCode
After
![Page 13: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/13.jpg)
Secure Programming - Jonathan Care 13
Stack Overflows require a certain creative bent to
programming
• viral payload usually hand- tooled assembler code
• circumstances may dictate that payload contains no NLs, CRs, NULs, etc… can lead to very creative solutions
• ... but any moron can execute one that is packaged up adequately.
![Page 14: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/14.jpg)
Secure Programming - Jonathan Care 14
Stack Overflows - instances
• Morris Worm: :unbounded gets() on socket
• Sendmail: syslog() routine called strcat() on unbounded data read from socket
• Ping: NIS+ host resolver library did sprintf() on argv[1] from command line; instant SUID hack, no network involved. (nb: made more subtle as required DLLs)
![Page 15: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/15.jpg)
Secure Programming - Jonathan Care 15
Stack Overflows
• Probably the most straightforward of the major holes that we will be looking at today
![Page 16: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/16.jpg)
Secure Programming - Jonathan Care 16
Insanitary data
Insanitary Data
• Far more subtle class of bugs
• generally due to meddling/ trusting things that are beyond your control in the first case...
• so what *is* under your control?
![Page 17: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/17.jpg)
Secure Programming - Jonathan Care 17
Under your control?
A good question, nearly metaphysical:
• files/ filestore?
• executable code?
• input streams?
• environment variables?
![Page 18: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/18.jpg)
Secure Programming - Jonathan Care 18
Files under your control?
Maybe, but watch out for:• user- provided filenames
– direct input or thru env vars– (PATH, termcap/ terminfo, "at")
• fixed filenames– directory perms, time races in code– (" ps", "mail", ...)
• filestore perms holding config files or parent directories thereof.– (" chmod 777 /", GID of "/ etc")
![Page 19: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/19.jpg)
Secure Programming - Jonathan Care 19
Code under your control?
Alas, probably not.
• stack overflows/ buffer spams
• new dynamism:
• shared libraries– (LD_ PRELOAD, LC_ COLLATE, runpath,
LD_ LIBRARY_ PATH, ...)
• ever since we gave users dl_ open() or similar...
![Page 20: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/20.jpg)
Secure Programming - Jonathan Care 20
Input under your control?
No!• Data servers that are subvertable
– (DNS, NIS, NFS, Kerberos)
• old days: TIOCSTI• new days: TCP segment injection/ spoof• inbound spams (see further down)• "who knows what’s coming down the pipe next?"
![Page 21: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/21.jpg)
Secure Programming - Jonathan Care 21
Environment under your control?
No!• Do not expect contents of an env var to be sane to
child processes• Remember that env vars will propagate• Be suspicious of your ability to unset a variable
before forking a childPATH=/ bin:/ usr/ bin:...IFS=/IFS=/...(multiple instance)
![Page 22: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/22.jpg)
Secure Programming - Jonathan Care 22
Environment under your control
Only sane way to approach env vars:
1) do not trust anything
2) do not propagate anything that you did not create
"everything is forbidden except that which is explicitly permitted"
![Page 23: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/23.jpg)
Secure Programming - Jonathan Care 23
Cinderella Attack
• Forge (eg:) poorly- authenticated NTP packets.
• use this method to wind the clock on the target host forward to yr 3000- odd
• Software licenses for security software on target machine expire
• Firewall bastion host turns into pumpkin
• Network turns into pumpkin pie.
![Page 24: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/24.jpg)
Secure Programming - Jonathan Care 24
How do I ensure that my programs are under my control?
DON’T TRUST ANYTHING
(and yes, your code really does matter, it is important to know this)
![Page 25: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/25.jpg)
Secure Programming - Jonathan Care 25
Inbound Record Delimiters
• one of the great, perpetual mistakes - totally obvious when it is explained, but re- occurs a lot; either programmers forget that the problem exists, or become blithe in their trust of some other service which leaves them open to subversion.
![Page 26: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/26.jpg)
Secure Programming - Jonathan Care 26
Inbound record delimiters bug, 1970s
• IFS variable; field separators define notion of
"whitespace", in a shellscript...
IFS=/ ; /bin/ ls -> "bin" "ls"
• so, create /tmp/ bin that does something nasty, and:
export IFS=/
export PATH=/ tmp:$ PATH
suidscriptname # calls /bin/ ls, invokes "/ tmp/ bin"
• ... works for any char, eg: "IFS= n" -> "/ bi" "/ ls"
![Page 27: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/27.jpg)
Secure Programming - Jonathan Care 27
Inbound record delimiters bug, 1980s
DNS reverse lookup hostname set to:\nR"|/ bin/ sed -e ’1,/^$/ d’|/ bin/ sh"\ nHxx:
Text interpolates into Sendmail’s control file:HReceived- from: HOSTNAME. site. Domain
becomes:HReceived- from:R"|/ bin/ sed -e ’1./^$/ d’|/ bin/ sh"Hxx: .site. domain
... makes bogus recipient record in config,due to lack of checking for newlines in input.
![Page 28: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/28.jpg)
Secure Programming - Jonathan Care 28
Viral input bug, 1980s
• Log into NIC to do "whois" query...@ whois ‘/ bin/ sh < /dev/ tty >/ dev/ tty 2>& 1‘
• ... escapes from captive environment.
![Page 29: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/29.jpg)
Secure Programming - Jonathan Care 29
Viral Input bug, 1990’s
• ... worse still...http:// site/ cgi- bin/ foo?% 60rm+% 2Drf+% 2F% 60
• (‘ rm -rf /‘ gets eval’ed by poor CGI script)
• http:// site/ cgi- bin/ perl?...
![Page 30: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/30.jpg)
Secure Programming - Jonathan Care 30
Authentication spoofing
• What does this mean?
• Broad definition:– meddling with an established communications
channel– forging credentials to lie about who you are– cheating an authentication process
![Page 31: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/31.jpg)
Secure Programming - Jonathan Care 31
Authentication spoofing
Examples:• sniffing/ guessing reusable passwords• replaying authentication cookies
– eg: HTML document passwords == b64encode(" username: password")
• pre-empting challenge/ response schemes– eg: hijacking S/ Key sessions (aka: "beat the clock")
• TCP stream hijacking or resetting through forged addresses or sequence numbers
![Page 32: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/32.jpg)
Secure Programming - Jonathan Care 32
Spoofing examples
How many people know that "#” is not a legal character in a .rhosts file?
Tweak DNS:• #. foo. ac. uk 28800 CNAME host. foo. ac. uk.$ ping #
host. foo. ac. uk is alive
• Go one step further, set "#" as reverse PTR record, and log into any host with a bad .rhosts file...
![Page 33: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/33.jpg)
Secure Programming - Jonathan Care 33
Spoofing Examples
... but that’s HARD compared to just plain lying.
• "+" in hosts. equiv, "my name is ’root’... honest"• forged "admind" requests from ‘‘ localhost’’• source routed NFS traffic to implement a VPN• forged TCP RSTs to disconnect sessions• SYN flooding probably fits this category, too
![Page 34: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/34.jpg)
Secure Programming - Jonathan Care 34
TCP/IP is not fit for use as an authenticator
so why do people insist on using it as if it were?
![Page 35: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/35.jpg)
Secure Programming - Jonathan Care 35
• By now, you should be able to tell me.
![Page 36: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/36.jpg)
Secure Programming - Jonathan Care 36
Irritations of excess privilege
• Attitude amongst O/ S designers often is:
"files executed by root may be owned by anyone at all..."
• Attitude should be:
"As much as possible should be root- owned but almost nothing should be root- executed since this automatically limits damage..."
![Page 37: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/37.jpg)
Secure Programming - Jonathan Care 37
Irritations of excess privilege
• perms on "/ etc", rwxrwxr- x, uid= root gid= bin– therefore anyone who can get "bin” can get
root.
• ownership on older /var/ spool dirs =uucp therefore anyone who can get "uucp” can get root (eg: forge a sendmail queuefile)
• ... and so forth.
![Page 38: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/38.jpg)
Secure Programming - Jonathan Care 38
Excess privilege
• Problem cuts both ways:– not only use of root permissions for programs
that do not require them...– ... but also excessive promiscuity of data that
shouldn’t really be public
• The BANE of our LIVES
![Page 39: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/39.jpg)
Secure Programming - Jonathan Care 39
Excess privilege
• Encrypted ciphertexts– (how many years before shadow passwords
gained common acceptance?)
• Data users don’t need to see, and data users don’t need to be able to modify.– syslog data, etc...– world writable tty’s, /dev/ console, etc...– lots of stupid little things, but...
![Page 40: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/40.jpg)
Secure Programming - Jonathan Care 40
Security is holistic
![Page 41: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/41.jpg)
Secure Programming - Jonathan Care 41
Excess privilege - THE EXAMPLE
• "sendmail"
• Why run as root?– "chown" mailboxes to users? Use groups.– protect intermediate files? Unix fileperms.– odds and sods? Use SUID modules.– TCP port 25 access? Use inetd/ fd- passing
• What is there about a mail daemon that requires root?
![Page 42: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/42.jpg)
Secure Programming - Jonathan Care 42
The principle of least privilege
• Design your software such that it runs without requiring privileges that are unavailable to normal users.
• Try not to screw up.
![Page 43: 2152150 Progamming Security Holes](https://reader034.fdocuments.us/reader034/viewer/2022042619/577ccd121a28ab9e788b6b99/html5/thumbnails/43.jpg)
Secure Programming - Jonathan Care 43
The End