CPSC 6126 Computer Security Information Assurance.


Chapter 3 – Program Security

• Programming errors with security implications: buffer overflows, incomplete access control
• Malicious code: viruses, worms, Trojan horses
• Program development controls against malicious code and vulnerabilities: software engineering principles and practices
• Controls to protect against program flaws in execution: operating system support and administrative controls

Program Security

• How do we keep programs free from flaws?
• How do we protect computing resources against programs that contain flaws?
• Presented with a finished product, for example a commercial software package, how can you tell how secure it is or how to use it in its most secure way?

SECURE PROGRAMS

• Security implies some degree of trust that the program enforces expected confidentiality, integrity, and availability.
• How can we look at a software component and assess its security?

Fixing Faults

• Software that has many faults early on is likely to have many others still waiting to be found.
• Early computer security work used the “penetrate and patch” method, where analysts (a tiger team) searched for and repaired faults.
• Often patch efforts made the system less secure:

Fixing Faults

• Pressure to repair encourages a narrow focus on the fault and not its context.
• Fixing the fault often introduces side effects.
• The fault is often not fixed properly, because a proper fix would cause performance problems.

Unexpected Behavior

• Compare program requirements with behavior to identify program security flaws
• A flaw is either a fault or a failure
• A vulnerability is a class of flaws (e.g. buffer overflows)
• Need to determine how to prevent harm caused by possible flaws
• Program security flaws can derive from any kind of software fault:
  • Inadvertent human flaws
  • Malicious, intentionally induced flaws

Unexpected Behavior

• Hindrances for eliminating program security flaws:
  • How do we test for what a program shouldn’t do?
  • Programming and software engineering techniques evolve more rapidly than computer security techniques

Types of Flaws

• Intentional
  • Malicious
  • Nonmalicious
• Inadvertent
  • Validation error (incomplete / inconsistent)
  • Domain error
  • Serialization and aliasing
  • Inadequate identification and authentication
  • Boundary condition violation
  • Other exploitable logic errors

Nonmalicious Program Errors

Buffer Overflows

    char sample[10];
    for (i=1; i<=10; i++) sample[i] = 'A';

• The last ‘A’ goes into user data, user code, system data, or system code
• If data is overwritten, it can affect results
• If system data or code is overwritten, the results are unpredictable
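The slide's loop writes indices 1 through 10 of a 10-element array, so its last store lands one byte past the buffer. The following is an added example, not code from the course slides or the textbook: the same fill written with an explicit bounds check, plus a bounded string copy of the kind the later web-parameter slides call for. The function names and the "refuse or truncate rather than overflow" policy are my own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_LEN 10

/* Fills buf[first..last_inclusive] with 'A', but only while the index is
   strictly below cap. Returns how many bytes were actually written.
   The slide's loop "for (i=1; i<=10; i++) sample[i] = 'A';" touches
   index 10 of a 10-element array; this version refuses that one write. */
size_t fill_bounded(char *buf, size_t cap, size_t first, size_t last_inclusive) {
    size_t written = 0;
    for (size_t i = first; i <= last_inclusive; i++) {
        if (i >= cap) break;          /* the out-of-bounds store is stopped here */
        buf[i] = 'A';
        written++;
    }
    return written;
}

/* Copies a NUL-terminated string into a fixed buffer of cap bytes.
   Truncates instead of overflowing; returns true only if the whole
   source (plus its terminator) fit. */
bool copy_bounded(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0) return false;
    if (n >= cap) {
        memcpy(dst, src, cap - 1);    /* keep room for the terminator */
        dst[cap - 1] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

int main(void) {
    char sample[SAMPLE_LEN];
    /* The slide's 1..10 loop: only indices 1..9 are inside the array. */
    size_t w = fill_bounded(sample, SAMPLE_LEN, 1, 10);
    printf("loop 1..10 wrote %zu bytes; index 10 was refused\n", w);

    /* A parameter longer than its field (constructed sample value). */
    char field[8];
    bool fit = copy_bounded(field, sizeof field, "(808)555-1212");
    printf("copy fit=%d stored=\"%s\"\n", fit, field);
    return 0;
}
```

The point of returning a count (or a boolean) rather than silently succeeding is that the caller can log and reject the oversized input instead of carrying on with a corrupted buffer.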

Nonmalicious Program Errors

Buffer Overflows – Security Implication
• Attacker replaces code in the system space and takes control back from the operating system
• Attacker uses the stack pointer or return register to execute other code
• How to write buffer overflows
  • Smashing the Stack for Fun and Profit

Nonmalicious Program Errors

Buffer Overflows – Security Implication
• Parameter passing to a web server
  • http://www.somesite.com/subpage/data&parm1=(808)555-1212&parm2=2004Jan01
  • What if one of the parameters is made longer?
• Microsoft's Phone Dialer contains a buffer overrun that allows execution of arbitrary code

Nonmalicious Program Errors

Incomplete Mediation (data checking)
• http://www.somesite.com/subpage/data&parm1=(808)555-1212&parm2=2004Jan01
• What if parm2 is 1800Jan01 or 2004Feb30…
• Use dropdown lists to force the input, test ranges
• Even then, the user could send incorrect data to the server

Security Implication
• Easy to exploit – Things, Inc. example
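Because the client can bypass any dropdown and send whatever it likes, mediation has to be repeated on the server. The following is an added example, not from the course slides or the textbook: server-side checks for the two parameters in the slide's URL, written so that "2004Feb30" and "1800Jan01" are rejected for the right reasons (an impossible day, a year outside the accepted range). The accepted year range 1900–2100 and the exact formats YYYYMonDD and (DDD)DDD-DDDD are assumptions for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy for this example: only dates from 1900 through 2100 are meaningful. */
#define MIN_YEAR 1900
#define MAX_YEAR 2100

static const char *MONTHS[12] = {"Jan","Feb","Mar","Apr","May","Jun",
                                 "Jul","Aug","Sep","Oct","Nov","Dec"};
static const int DAYS[12] = {31,28,31,30,31,30,31,31,30,31,30,31};

static bool is_leap(int y) {
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Validates a parm2 value of the exact form YYYYMonDD, e.g. "2004Jan01".
   Checks length, character classes, month name, year range and the day
   against the real length of that month (leap years included). */
bool valid_parm2(const char *s) {
    if (s == NULL || strlen(s) != 9) return false;
    for (int i = 0; i < 4; i++) if (!isdigit((unsigned char)s[i])) return false;
    for (int i = 7; i < 9; i++) if (!isdigit((unsigned char)s[i])) return false;

    int year = (s[0]-'0')*1000 + (s[1]-'0')*100 + (s[2]-'0')*10 + (s[3]-'0');
    int day  = (s[7]-'0')*10 + (s[8]-'0');

    int month = -1;
    for (int m = 0; m < 12; m++) {
        if (strncmp(s + 4, MONTHS[m], 3) == 0) { month = m; break; }
    }
    if (month < 0) return false;                       /* e.g. "2004Xyz01" */
    if (year < MIN_YEAR || year > MAX_YEAR) return false; /* e.g. "1800Jan01" */

    int max_day = DAYS[month] + ((month == 1 && is_leap(year)) ? 1 : 0);
    return day >= 1 && day <= max_day;                 /* "2004Feb30" fails here */
}

/* Validates a parm1 value of the exact form (DDD)DDD-DDDD, e.g. "(808)555-1212".
   The fixed length also bounds the input, which closes the "made longer" case. */
bool valid_parm1(const char *s) {
    static const char pattern[] = "(ddd)ddd-dddd";
    if (s == NULL || strlen(s) != strlen(pattern)) return false;
    for (size_t i = 0; pattern[i] != '\0'; i++) {
        if (pattern[i] == 'd') {
            if (!isdigit((unsigned char)s[i])) return false;
        } else if (s[i] != pattern[i]) {
            return false;
        }
    }
    return true;
}

int main(void) {
    /* Constructed sample inputs, including the two from the slide. */
    const char *dates[] = {"2004Jan01", "1800Jan01", "2004Feb30", "2004Feb29", "2003Feb29"};
    for (size_t i = 0; i < sizeof dates / sizeof dates[0]; i++)
        printf("parm2=%s -> %s\n", dates[i], valid_parm2(dates[i]) ? "accepted" : "rejected");

    const char *phones[] = {"(808)555-1212", "(808)555-12120", "808-555-1212"};
    for (size_t i = 0; i < sizeof phones / sizeof phones[0]; i++)
        printf("parm1=%s -> %s\n", phones[i], valid_parm1(phones[i]) ? "accepted" : "rejected");
    return 0;
}
```

Rejecting by format and range before the value reaches any database or system call is what turns "incomplete mediation" into complete mediation: the dropdown is a convenience for honest users, the server-side check is the control.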

Nonmalicious Program Errors

Time-of-Check to Time-of-Use Errors
• Mediation is performed with a “bait and switch” in the middle (synchronization flaw)

Security Implication
• To avoid checking one action and performing another – use digital signatures and certificates
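The "bait and switch" is easiest to see with a file name: a program checks the name, something re-points the name, and the program then uses a different object. The following is an added example, not from the course slides or the textbook, showing the vulnerable check-then-use shape next to a hardened one in which the check is made on the open descriptor, so check and use refer to the same object. The acceptance rules (regular file, owned by the caller, not group/world writable), the helper names, and the use of a temporary file under /tmp or $TMPDIR to drive the demo are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape: the check and the use are two separate lookups of the
   same NAME. Between access() and open() the name can be re-pointed at a
   different object, which is the slide's "bait and switch". */
int open_toctou(const char *path) {
    if (access(path, R_OK) != 0) return -1;  /* time of check */
    return open(path, O_RDONLY);             /* time of use: possibly another object */
}

/* Checks the object behind an already-open descriptor: a regular file,
   owned by the calling user, not writable by group or others.
   Returns 0 when acceptable, -1 otherwise. */
int inspect_fd(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode)) return -1;
    if (st.st_uid != geteuid()) return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;
    return 0;
}

/* Hardened shape: open first (refusing a symbolic link at the final
   component), then check the DESCRIPTOR. Check and use now refer to one
   kernel object, so there is nothing left to switch in between. */
int open_checked(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (inspect_fd(fd) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Creates an empty private (mode 0600) demo file and writes its path into
   buf. Returns 0 on success. Exists only to drive the demonstration. */
int make_demo_file(char *buf, size_t n) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    if (snprintf(buf, n, "%s/toctou-demo-XXXXXX", dir) >= (int)n) return -1;
    int fd = mkstemp(buf);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

int main(void) {
    char path[256];
    if (make_demo_file(path, sizeof path) != 0) { perror("mkstemp"); return 1; }

    int fd = open_checked(path);
    printf("private file: %s\n", fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0) close(fd);

    chmod(path, 0666);                        /* now writable by everyone */
    fd = open_checked(path);
    printf("world-writable file: %s\n", fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0) close(fd);

    unlink(path);
    return 0;
}
```

The general rule behind the hardened version is the same one the slide attaches to signatures and certificates: bind the check to the exact object that will be used, not to a name or a description that can be swapped out after the check.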

Viruses and Other Malicious Code

• When was the last time you saw a bit?
• Do you know in what form a document file is stored?
• Can you find where a document resides on a disk?
• Can you tell if a game program does anything in addition to its expected interaction with you?
• Which files are modified by a word processor when you create a document?

Viruses and Other Malicious Code

• Malicious code has been around since the ’70s
• How can malicious code take control of a system?
• How can it lodge in a system?
• How does malicious code spread?
• How can it be recognized?
• How can it be detected?
• How can it be stopped?
• How can it be prevented?

Kinds of Malicious Code

• Virus – code that attaches to another program and copies itself to other programs
  • Transient virus – life depends on the life of its host
  • Resident virus – locates inside memory
• Trojan Horse – malicious effect is hidden from the user
• Logic bomb – triggered by an event
• Time bomb – triggered by a time or date
• Trapdoor (backdoor) – feature that allows access to a program other than through normal channels
• Worm – program that spreads copies of itself through a network
• Rabbit – virus/worm that self-replicates without bound

How Viruses Attack

• A virus is attached to a “program”
• The virus is activated by executing the program
• Most common viruses today are attached to e-mail; when the attachment is opened, the virus is active

Ways Viruses are Attached

• Appended viruses (see Fig. 3-4): virus code is inserted before the first instruction; the last virus instruction points to the first program instruction
• Virus surrounds program (see Fig. 3-5): the 2nd part of the virus cleans up evidence
• Integrated viruses and replacements (see Fig. 3-6)

Types of Viruses

• Boot Sector Virus – virus is part of the bootstrap program (many earlier viruses)
• Memory-Resident Virus – most program viruses stay in memory when the program is first run
• Document (Macro) Virus – virus is part of the macro associated with a document

Antivirus Software

• Virus Signature (virus scanner looks for signatures)
• Storage Patterns (virus scanner looks for suspicious patterns)
• Execution Patterns
• Transmission Patterns
• Polymorphic Viruses

Prevention of Virus Infections

• Use only commercial software acquired from reliable, well-established vendors
• Test all new software on an isolated computer
• Open attachments only when you know them to be safe
• Make a recoverable system image and store it safely
• Make and retain backup copies of executable system files
• Use virus detectors daily and update them regularly

Truths and Misconceptions about Viruses

• Viruses can infect only Microsoft Windows systems – FALSE
• Viruses can modify “hidden” or “read-only” files – TRUE
• Viruses can appear only in data files, or only in Word documents, or only in programs – FALSE
• Viruses spread only on disks or only in e-mail – FALSE
• Viruses cannot remain in memory after a COLD BOOT – TRUE
• Viruses cannot infect hardware – TRUE
• Viruses can be malevolent, benign, or benevolent – TRUE

EXAMPLES

• Pakistani Brain Virus
• Internet Worm
• Code RED Worm
• SQL-Server Slammer
• Web Bugs (spyware)

Targeted Malicious Code

• Trapdoor – undocumented entry point to a module
• Salami Attack (Ex. interest computation)
• Covert Channels: programs that leak information (Ex. hide data in output)
  • Storage Channels – pass information by using the presence or absence of objects in storage
  • Timing Channels – pass information using the speed at which things happen

Controls Against Program Threats

• Prevent threats during software development
  • Modularity – security analysts must be able to understand each component as an independent unit and be assured of its limited effect on other components
  • Encapsulation – minimize interfaces to reduce covert channels
  • Information hiding – components will have limited effect on other components

Controls Against Program Threats

• Peer Reviews
• Hazard Analysis – set of systematic techniques to expose potentially hazardous system states
• Testing – unit testing, integration testing, function testing, performance testing, acceptance testing, installation testing, regression testing
• Good Design
  • Using a philosophy of fault tolerance
  • Have a consistent policy for handling failures
  • Capture the design rationale and history
  • Use design patterns

Controls Against Program Threats

• Prediction – predict the risks involved in building and using the system
• Static Analysis – use tools and techniques to examine characteristics of design and code to see if the characteristics warn of possible faults
• Configuration Management – control changes during development and maintenance
• Analysis of Mistakes
• Proofs of Program Correctness – can we prove that there are no security holes?

Operating System Controls on Use of Programs

• Trusted Software – code has been rigorously developed and analyzed
  • Functional correctness
  • Enforcement of integrity
  • Limited privilege
  • Appropriate confidence level
• Mutual Suspicion – assume the other program is not trustworthy
• Confinement – limit the resources that a program can access
• Access Log – list who accessed computer objects, when, and for how long

Administrative Controls

• Standards of Program Development
  • Standards of design
  • Standards of documentation, language, and coding style
  • Standards of programming
  • Standards of testing
  • Standards of configuration management
• Security Audits
• Separation of Duties

Ten Most Critical Web Application Security Vulnerabilities
(http://www.owasp.org)

• Unvalidated Parameters
• Broken Access Control
• Broken Account and Session Management
• Cross-Site Scripting Flaws
• Buffer Overflows
• Command Injection Flaws
• Error Handling Problems
• Insecure Use of Cryptography
• Remote Administration Flaws
• Web and Application Server Misconfiguration