CS390S week 13: Randomness and Canonicalization
Pascal Meunier, Ph.D., M.Sc., CISSP
April 10, 2007
Developed thanks to the support of Symantec Corporation, NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center
Copyright (2004) Purdue Research Foundation. All rights reserved.

The Need for Random Numbers

Unique file or directory names
Session IDs that carry proof of authentication (nonces), passwords
Games (data, behavior, opponent generation, character generation)
Encryption
Cryptographic protocols
  – Initial Value (IV) generation
      Example: Not using a random IV with CBC mode (329)

How Not to Choose a Random Name

Use the process ID
Use the user ID
Use the time of day
Use a counter
Use a bad random number generator
etc...

OS Support for Temporary Files

The following take a filename “template” as input
  – mktemp - generate temporary file name (unique)
  – mkstemp - also create the file
  – mkstemps - generate temporary file name with suffix
  – mkdtemp - create a directory
Overwrite part of a template to create a unique name
Some of these functions used to create names using parts of the date or process ID, etc... and were insecure
Prevents "Improper temporary file opening" (ID 378)
  – "Insecure temporary file" (ID 377)

mktemp (1) (3)

Section (1): command line (shell scripts)
  – BSD/MacOS X:
  – creates file with mode 0600
      unique name
Section (3): C programs
  – Race condition between getting the name and creating the file!
  – The program must use "open" with the O_CREAT | O_EXCL flags, and loop until the file is successfully created, or use a different function

Command Line Example

% mktemp "testXXXX"
testpnbE
% ls -al
-rw------- pascal staff testpnbE

mkstemp

Creates name
Creates file open for reading and writing with mode 0600
Returns a file descriptor
No race condition!
Recommended function
Usage for extremely paranoid people:
      “Unlink” the hard link pointing to the descriptor immediately afterwards (this is a race condition)
      The file still exists but nobody else (except with difficulty, the superuser) can access it
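
Both creation paths from the mktemp (3) and mkstemp slides, as an added example that is not part of the original slides: mkstemp() followed by an immediate unlink, and the O_CREAT | O_EXCL retry loop needed when the name is produced separately. The /tmp location, the helper names and the make_name callback are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Recommended path: mkstemp() chooses the name and creates the file in one
 * step. The name is unlinked at once, so only the descriptor reaches the
 * data afterwards. Returns the descriptor, or -1 on error. */
int open_private_tempfile(const char *dir)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/tmp-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    mode_t old = umask(077);        /* old libcs did not force mode 0600 */
    int fd = mkstemp(path);         /* overwrites the XXXXXX in place */
    umask(old);
    if (fd < 0)
        return -1;
    if (unlink(path) != 0) {        /* drop the name, keep the open file */
        close(fd);
        return -1;
    }
    return fd;
}

/* When the name comes from elsewhere (the mktemp(3) case), creation itself
 * must be atomic: O_CREAT | O_EXCL fails with EEXIST if the name is taken,
 * even by a symlink, and the loop retries with the next candidate.
 * make_name is a hypothetical callback that supplies candidate names. */
int create_exclusive(void (*make_name)(char *buf, size_t len, int attempt),
                     char *chosen, size_t len, int max_attempts)
{
    for (int i = 0; i < max_attempts; i++) {
        make_name(chosen, len, i);
        int fd = open(chosen, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)
            return -1;              /* real error: stop looping */
    }
    return -1;
}

/* Constructed scenario: the first candidate name already exists. */
static char demo_dir[64];
static void demo_name(char *buf, size_t len, int attempt)
{
    snprintf(buf, len, "%s/name-%d", demo_dir, attempt);
}

int demo_exclusive_retry(void)      /* 1 if the taken name was skipped */
{
    char first[128], chosen[128];
    strcpy(demo_dir, "/tmp/excl-demo-XXXXXX");
    if (mkdtemp(demo_dir) == NULL)
        return -1;
    demo_name(first, sizeof first, 0);
    int taken = open(first, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int fd = create_exclusive(demo_name, chosen, sizeof chosen, 8);
    int ok = taken >= 0 && fd >= 0 && strcmp(chosen, first) != 0;
    if (taken >= 0) close(taken);
    if (fd >= 0) { close(fd); unlink(chosen); }
    unlink(first);
    rmdir(demo_dir);
    return ok;
}

int main(void)
{
    int fd = open_private_tempfile("/tmp");
    printf("mkstemp fd=%d, retry demo=%d\n", fd, demo_exclusive_retry());
    return fd >= 0 ? 0 : 1;
}
```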

Windows Shared Directories

No equivalent to mkstemp()
GetTempFileName
  – Creates names by incrementing a counter!
  – Predictable file name
Race condition between getting the name and creating the file
  – Attacker could create the file to prevent you from using it
  – If you use the CREATE_ALWAYS flag, see next slide
Under Windows, you have no choice but to write your own function
Still a race condition, limitation due to lack of OS support (use secured directories instead)

Windows CreateFile Problems

Recommended use with the "CREATE_ALWAYS" flag is dangerous
  – "CREATE_ALWAYS" flag recommended by MSDN, Howard and Leblanc 2003
      Overwrites the file
      Does not set the security descriptor specified by the SECURITY_ATTRIBUTES structure
  – Do the SECURITY_ATTRIBUTES matter to your application?
Perfect opportunity to trick you into overwriting a sensitive file
  – e.g., with a hard link
  – Can't use the flag to not follow reparse points
  – Note that links being uncommonly used in Windows FS won't prevent an attack from succeeding

Windows CreateFile

TRUNCATE_EXISTING will follow a hard link and could truncate something else than intended
Use "CREATE_NEW"
  – "The function fails if the specified file already exists." (MSDN)
  – You need to check for errors and loop until the file is successfully created

GetTempPath

MSDN recommends that software use the GetTempPath function to get the location of the temp dir, but this is dangerous

"Checks for the existence of environment variables in the following order and uses the first path found:
  1. The path specified by the TMP environment variable.
  2. The path specified by the TEMP environment variable.
  3. The path specified by the USERPROFILE environment variable.
  4. The Windows directory."
Are the environment variables safe to use?
  – Probably not unless you set them yourself

How Random Numbers Are Generated

Linear Congruential Generators
  – Simple way to generate pseudo-random numbers
  – Easily cracked
  – Produce finite sequences of numbers
  – Each number is tied to the others
  – Some sequences of numbers will not ever be generated
  – Results in "Non-cryptographic PRNG" (ID 338)
Cryptographic random number generators
Entropy sensors (i.e., extracted randomness)

Seeded Random Number Generators

Pseudo-random generators depend solely on a seed, which determines the entire sequence of numbers returned

How random is the seed?
  – Process ID, UserID: Bad Idea
  – Current time: if you’re running NTP (Network Time Protocol) all systems are synchronized up to some precision. If you use the time, maybe I can guess which seed you used (microsecond part might be difficult to guess, but is limited)

How to Cheat At Random Number Generation

Find a seed that will produce the numbers you want
Seed the generator with it
Convince someone: "it's random, see?"
  – RPG Character generation, etc...

This would be an example of "PRNG Seed Error" (ID 335)

Roll Your Own Generator?

What matters is not only the average and the variance of the numbers generated

All sequences of numbers must be possible
LCGs travel definite, limited “paths” through the universe of possible sequences
Need to incorporate entropy as it becomes available
Need to avoid betraying the internal state of the generator...
It's difficult to do correctly

Which Generator to use?

Read description, avoid Linear Congruential Generators such as these:
  – “C” rand(3)
  – rand (Windows CE, Visual C++, Visual Basic, etc...)
  – Perl rand
  – C# Random
  – PHP rand

Good Generators

Hardware-based
  – Noise
Cryptographical quality software, entropy-seeded
  – Fast, secure
Pure Entropy
  – Random timing of events
      Packets
      Mouse movement, clicks
      Keyboard
  – Slow
  – Subject to Failure of TRNG (ID 333)
      Runs out of entropy with which to generate numbers

Linux/UNIX Devices

/dev/random:
  – MacOS X: same as urandom
  – Linux: this is a blocking call that returns only when sufficient entropy has been captured
  – Good for seeding pseudo-random number generators
/dev/urandom:
  – Implements a fairly complex algorithm that varies between “random” and a well-seeded LCG depending on the availability of entropy
  – Non-blocking call
  – Try "cat /dev/urandom"

Portability

FreeBSD, OpenBSD, NetBSD compatible
Several projects ported the functionality to Solaris, HP-UX, AIX, IRIX
MacOS X implements Yarrow for both random and urandom (so the behavior of “random” is unexpected).

Windows

Windows developers must use the function CryptGenRandom(), which uses the same idea as /dev/urandom

There is no directly accessible entropy collector provided by the OS
  – Reference: "Secure Programming Cookbook", section 11.4 (Viega et al.)

TCP/IP V. 4

TCP Sequence numbers used for security (32 bits)
  – Instance of problem: Small space of random values ID (334)
RST Flag
  – TCP reset (RST) flag is used to abort TCP connections, usually to signify an irrecoverable error
  – Receiver deletes the connection, frees data structures
RST messages are accepted only if they fit inside the sequence number window
  – Prevents delayed RST messages from previous connections to affect the current connection

TCP RST Attack

Send a RST (TCP RESET flag) packet with a spoofed IP address to either side of a valid connection
  – Need to guess a sequence number inside the appropriate window
      Or sniff traffic to know which number to use
  – The range can be guessed fairly efficiently for RST attacks
  – Sequence numbers: 32 bits
  – Window size: up to 16 bits
  – Number of guesses 32-16 = 16 bit address space
      65535 RST attempts, ~ 4 min on DSL connection
      Faster connection or zombies, faster RST
This is the brute force RST attack

TCP Session Hijacking

Idea: all that’s required to mess up someone else’s TCP session is guessing or knowing the sequence numbers for their connection.
  – Only need to fall within the needed range, exact guess not needed
Send a spoofed IP packet, with a TCP payload that inserts data
Blast the legitimate client off the net
  – Replies are still sent to client but client is incapacitated
  – You do not get to see replies: “blind” hijacking
      Unless you can sniff traffic, in which case the sequence numbers to use are also known

Randomness Visualization

Strange attractors
  – Zalewski 2001, 2002 "Strange Attractors and TCP/IP Sequence Number Analysis"
Given a sequence of numbers s[n] compute:
  – x[n] = s[n-2] - s[n-3]
  – y[n] = s[n-1] - s[n-2]
  – z[n] = s[n] - s[n-1]
These are the x,y,z coordinates of a point
  – Plot them to see hidden dependencies
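
Added example, not from the original slides or from Zalewski's paper: it computes the x, y, z points defined above and, going one step beyond plotting, tests them numerically for the linear dependency that a full-state LCG leaves behind. The generator constants, the seed and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct point { uint32_t x, y, z; };

/* The slide's formulas for n >= 3. Differences wrap modulo 2^32, as TCP
 * sequence arithmetic does (an assumption). Returns the points written. */
size_t delay_points(const uint32_t *s, size_t count, struct point *out)
{
    if (count < 4) return 0;
    for (size_t n = 3; n < count; n++) {
        out[n - 3].x = s[n - 2] - s[n - 3];
        out[n - 3].y = s[n - 1] - s[n - 2];
        out[n - 3].z = s[n] - s[n - 1];
    }
    return count - 3;
}

/* Inverse of an odd value modulo 2^32 by Newton iteration. */
static uint32_t inverse_odd(uint32_t v)
{
    uint32_t inv = v;                /* v*v = 1 mod 8: 3 correct bits */
    for (int i = 0; i < 5; i++)
        inv *= 2u - v * inv;         /* each round doubles them */
    return inv;
}

/* Takes a multiplier a from the first point with odd x (a = y/x mod 2^32)
 * and counts the points with y = a*x and z = a*y. If every point obeys one
 * such relation, each output is a fixed function of the previous two. */
size_t points_on_line(const struct point *p, size_t n)
{
    size_t i = 0, hits = 0;
    while (i < n && (p[i].x & 1u) == 0)
        i++;
    if (i == n) return 0;            /* no usable point */
    uint32_t a = p[i].y * inverse_odd(p[i].x);
    for (i = 0; i < n; i++)
        if (p[i].y == a * p[i].x && p[i].z == a * p[i].y)
            hits++;
    return hits;
}

/* Constructed sample LCG (not from the slides); its output is its state. */
void fill_lcg(uint32_t *s, size_t count, uint32_t seed)
{
    for (size_t i = 0; i < count; i++)
        s[i] = seed = seed * 1103515245u + 12345u;
}

int fill_urandom(uint32_t *s, size_t count)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(s, sizeof *s, count, f);
    fclose(f);
    return got == count ? 0 : -1;
}

/* Number of delay-coordinate points of s that obey the linear relation. */
size_t tied_points(const uint32_t *s, size_t count)
{
    struct point *p = malloc((count ? count : 1) * sizeof *p);
    if (!p) return 0;
    size_t hits = points_on_line(p, delay_points(s, count, p));
    free(p);
    return hits;
}

int main(void)
{
    uint32_t s[1000];
    fill_lcg(s, 1000, 2007u);
    printf("LCG: %zu of 997 points tied\n", tied_points(s, 1000));
    if (fill_urandom(s, 1000) == 0)
        printf("/dev/urandom: %zu of 997 points tied\n", tied_points(s, 1000));
    return 0;
}
```

Generators that expose only part of their state do not satisfy the relation exactly, so a low count from this check alone is not evidence of quality.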

Cisco IOS 12.2 (Zalewski 2002)

IRIX (Zalewski 2002)

Windows XP (Zalewski 2002)

ISN Vulnerabilities

Predictable
  – Symantec Raptor Firewall 6.5 and 6.5.3, Enterprise Firewall 6.5.2 and 7.0, VelociRaptor Models 500/700/1000 and 1100/1200/1300, and Gateway Security 5110/5200/5300 generate easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections. CAN-2002-1463
  – Cisco switches and routers running IOS 12.1 and earlier produce predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. CVE-2001-0288
  – etc...

Importance of Canonicalization Issues

Very common, but not as much as buffer overflows
  – They may allow remotely writing or reading files, depending. These may be executable files, or be secret or confidential documents.
Canonicalization issues are more complex in Windows
  – Due to the many ways of naming a file
      short name (8.3)
      long name
      Unicode name
      Streams
      Trailing dots, forward slashes or backslashes
      etc...
  – Support from OS is limited

Definition of Canonical

Canonical means *the* standard form or representation of something
  – Canonicalization: "process by which various equivalent forms of a name can be resolved to a single, standard name – the so-called canonical name.”
Usually the simplest form
  – Without symlinks
“/usr/../home/student” is the same as “/home/student”
/home/student is the canonical path

Variations on Canonicalization Problems

Pathname Traversal and Equivalence (CWE ID 21)
  – Path Manipulation (73)
      Path specified by user
  – Path Traversal (22) (escape out of directory)
      Directory traversal, a.k.a. ".." attacks
  – Path Equivalence (41)
      Name tinkering (spaces, etc...)
  – Virtual Files (66)
  – Link Following (59)
(Note that there is some overlap in the categories)

Path Equivalence (41)

Idea: Use an alternative name to a resource to bypass access control
Examples
  – Windows short name (8.3) vs long name (ID 58)
  – Backslash and slash combinations (ID 49, 50, 51, 52, 53, 54)
  – Single dots at various places (ID 42, 44, 55)
  – Spaces in various places (ID 46, 47)

Mismatched Object and Access Control

The HFS+ file system is case insensitive. “/home/PRIVATE” == “/home/private”

Apache directory access control is case sensitive, as it is designed for UFS (UNIX File System). It thinks that “/home/PRIVATE” is different from “/home/private”.

Join the two together and you have a canonicalization (“directory traversal”) vulnerability, even though both systems alone are correct. – CVE-2004-1083

Windows: Trailing Characters

Files ending with an extra “.” (dot) or “\” can fool some access control mechanisms, but the filesystem automatically corrects the names by removing the trailing characters!

file.txt. is the same as file.txt for the filesystem
  – See “Writing Secure Code” by Howard and Leblanc

Conclusion: It is important to use the Operating System’s functions for file canonicalization, so that your semantic validation and the OS’s match.

Directory Traversal Vulnerabilities

Basic Idea: escape from a subdirectory using meta-characters
  – The characters ‘..’ mean “Go up a directory”
They can be inserted in file paths for
  – Browsing
  – Reading
  – Execution
Often a network services problem (e.g., ftp)
  – Web sites
  – Web-enabled applications
  – Applications using networks

Synonyms

“..” (“dot dot”) attacks
Also “...” on Windows
  – Windows 95, 98
  – Goes up two directories
protocol://server/path
http://www.host.com/path
path contains ‘..’; what do you do?

The Problem

If you forbid access to /home/private but enable access to /home/public, what do you do with a request for:
  – “/home/public/../private” ?
  – “/home/PRIVATE” ? (This one is dependent on the file system)

Answer

“/home/public/../private” should of course be forbidden, but many programs are fooled by the presence of “..” and equivalent character encodings and obfuscations.

Programs filtering out only “..” are still vulnerable.
Related to meta-character vulnerabilities, but:
  – Paths including ".." may be valid paths
  – Issue is not preventing ".." in the paths
  – Correct handling requires resolving the path first
      Then and only then deciding whether to allow the operation

Symantec Example

CVE-1999-0842
Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack.

Repeated Mistake

Attempt to cleanse ‘..’ and things that have certain meanings (‘.ini’) directly from input

These attempts to do semantic validation before resolving encoding and canonicalization will fail

Too many ways to represent the same thing

Symbolic Link Question

Given that there is a symbolic link:
  – /home/alfred/sss -> /home/myhomebiz/accounting/spreadsheets/
What is the canonical path to: “/home/bob/../mary/../alfred/.//sss/may.xls” ?
a) /home/alfred/sss/may.xls
b) /home/myhomebiz/accounting/spreadsheets/may.xls
c) /home/alfred/may.xls

How to Canonicalize Paths

Goal: Find the absolute name of a file which contains no ".", ".." components nor any repeated path separators (/) or symlinks
  – Note that race conditions may be possible in unsecured directories
UNIX:
  – realpath
      Requires buffer allocation ahead of time
      Buffer should be of length PATH_MAX
      What if PATH_MAX is undefined because a system has no limit on path length?
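
Added example, not from the original slides: resolve first with realpath(), then decide, using the slides' public/private layout and a symlink named sss. The directory tree is constructed under /tmp and the function names are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if `requested` resolves to `allowed_root` or to something
 * below it, 0 if it resolves elsewhere, -1 if a path cannot be resolved.
 * realpath(path, NULL) has the library allocate the result (POSIX.1-2008),
 * so no PATH_MAX-sized buffer is needed. */
int path_is_under(const char *allowed_root, const char *requested)
{
    int verdict = -1;
    char *root = realpath(allowed_root, NULL);
    char *real = realpath(requested, NULL);
    if (root && real) {
        size_t n = strlen(root);
        /* Match whole components: /home/public is not /home/publicity. */
        verdict = strncmp(real, root, n) == 0 &&
                  (n == 1 || real[n] == '/' || real[n] == '\0');
    }
    free(root);
    free(real);
    return verdict;
}

/* Constructed demonstration tree in a fresh /tmp directory (not cleaned up):
 *   public/ok.txt   private/secret.txt   publicity/x.txt
 *   public/sss -> ../private   (symlink that leaves the public tree) */
static char base[64];

static int make(const char *rel, int is_dir)
{
    char p[256];
    snprintf(p, sizeof p, "%s/%s", base, rel);
    if (is_dir)
        return mkdir(p, 0700);
    FILE *f = fopen(p, "w");
    return f ? fclose(f) : -1;
}

int build_demo_tree(void)
{
    char lnk[256];
    strcpy(base, "/tmp/canon-demo-XXXXXX");
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(lnk, sizeof lnk, "%s/public/sss", base);
    if (make("public", 1) || make("private", 1) || make("publicity", 1) ||
        make("public/ok.txt", 0) || make("private/secret.txt", 0) ||
        make("publicity/x.txt", 0) || symlink("../private", lnk))
        return -1;
    return 0;
}

/* Is <base>/<rel> inside <base>/public once both are canonical? */
int check(const char *rel)
{
    char root[256], req[512];
    snprintf(root, sizeof root, "%s/public", base);
    snprintf(req, sizeof req, "%s/%s", base, rel);
    return path_is_under(root, req);
}

int main(void)
{
    const char *cases[] = { "public/ok.txt", "public/.//ok.txt",
        "public/../private/secret.txt", "public/sss/secret.txt",
        "publicity/x.txt" };
    if (build_demo_tree() != 0)
        return 1;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s -> %d\n", cases[i], check(cases[i]));
    return 0;
}
```

The check and the later open() are separate steps, so in a directory other users can write to, the path can change in between; that is the race the slide mentions.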

Canonical Names

PHP:
  – string realpath ( string path)
Windows:
  – GetFullPathName
Java:
  – File.getCanonicalPath() or File.getCanonicalFile()
GNU/Linux:
  – canonicalize_file_name
      http://www.delorie.com/gnu/docs/glibc/libc_279.html
      Uses dynamic memory allocation
Canonical path resolution always goes left to right

Differences Between UNIX and Windows

UNIX:
  – All but the last component of pathname must exist when realpath() is called.
Windows:
  – "This function does not verify that the resulting path and file name are valid or that they see an existing file on the associated volume."
  – Need to standardize on either short or long file names
      Long names are preferred

Solutions Without Code

Chroot "jail"
  – Confine a process to a specific directory
  – Independent microsphere
      self-contained
  – Derivatives
      FreeBSD "jail"
      Solaris "zones"
Subdomain (SuSE Linux/Novell/Immunix)
  – Applies an access control list to file references
  – No duplication of files
Windows doesn't have equivalent (closest functionality is virtual machines)

Chroot

Chroot changes the filesystem "root".
The applications in a chroot jail can't use files outside the visible root of the filesystem
  – They are "jailed" down in a subdirectory
Example
  – chdir("/foo/bar");
    chroot("/foo/bar");
chroot [-u -user] [-g -group] [-G -group,group,...] newroot [command]

Chroot Can Fail

Doesn’t work against root
  – Is service running as root?
  – If not, is there a vulnerability that yields root access?
  – Yes -> “Get Out of Jail”
  – http://www.bpfh.net/simes/computing/chroot-break.html
Important to run with lower privileges
  – Special users

FreeBSD "jail" claims to have closed those loopholes

Questions or Comments?

About These Slides

You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions.
  – You must give the original author and other contributors credit
  – The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes
  – For any reuse or distribution, you must make clear to others the terms of use for this work
  – Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification
  – For other uses please contact the Purdue Office of Technology Commercialization.

Developed thanks to the support of Symantec Corporation

Pascal [email protected]:Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera, Michael Howard