Notes:
Page 1
Fundamental Vulnerabilities Causes
Copyright Universidad de los Andes 2006 – Especialización en Seguridad
Fundamental Vulnerability
Contents
• How are vulnerabilities created?
• Fundamental vulnerabilities causes
• Programming for survivability
How are vulnerabilities created?
• Most are variations on known themes
– Buffer overflows,
– Timing windows (TOCTOU),
• Reuse of vulnerable code
– Two reasons: legacy and costs
• Few things are truly new
BIND security
1990 Cache poisoning discovered by Mockapetris and Bellovin,
1995 Cache poisoning paper published
“We have observed that if BIND would just do what the DNS specifications say it should do, stop crashing, and start checking its inputs, then most of the existing security holes in DNS as practiced would go away. To be sure, attackers would still have a pretty easy time co-opting DNS in their break-in attempts. Our aim has been to get BIND to the point where its only vulnerabilities are due to the DNS protocol, and not the implementation” – Paul Vixie
1997 CA-1997-22 with cache poisoning fixes
1998 CA-1998-05 on three implementation vulnerabilities
1999 CA-1999-14 Multiple vulnerabilities in BIND
2000-2005 Several more BIND vulnerabilities reported
DNSSEC
1995 “We expect it to be another year before DNSSEC is in wide use on the leading edge, and at least a year after that before its use is commonplace on the Internet” – Paul Vixie
1997 RFC 2065, DNS Security Extensions
1997 TIS reference implementation beta
1997 Experimental prototype available for export by John Gilmore
1998 DARPA grant to ISC for DNSsec effort
1999 Target date for implementation
2000 Implementation is part of current distribution
2006 still not widely deployed
Host resolution services (attack target groupings)
– Manual process: lookup process (hosts, lmhosts, …), DNS network settings (DHCP rogue servers), …
– Domain hijacking (wait for expiration date), similar domain name registration, google bombing (page rank escalation), adwords, …
– DNS cache poisoning, DNS spoofing, DNS ID spoofing with sniffing, the birthday attack, …
Where can the software engineering process fail?
• Specification,
• Design,
• Implementation,
• Testing,
• Maintenance,
Hyatt Sky Bridges (Kansas City 1981, 114 deaths, 200 injured)
Hyatt Sky Bridges (design change… by builder)
A hacker’s toolkit (land attack)
[Diagram: “el-pinzas” (Ana) and “the victim”; arrows labelled SYN and SYN-ACK]
A hacker’s toolkit (land attack) (.)
• The problem is that source and destination ports and addresses are the same!
• RFC 793 (TCP Protocol Specification) is ambiguous:
– p. 36: send RST to terminate connection
– p. 69: reply with an empty packet having current sequence number t+1 and ACK number s+1, but then it receives that packet and the ACK number is incorrect. So it repeats this … the system hangs or runs very slowly, depending on whether interrupts are disabled
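A defender-side check for the condition described above (source address equal to destination address and source port equal to destination port), written as an added example rather than taken from the slides; the packet builder and the function names are this example's own, and the sample packets are constructed, not captured.

```c
#include <stdint.h>
#include <string.h>

/* Flags the "land" pattern: IPv4 source address equal to the destination
 * address AND TCP source port equal to the destination port.
 * Returns 1 for a land packet, 0 for a normal one, -1 if the buffer is too
 * short or is not IPv4/TCP. Function names here are this example's own. */
int is_land_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;   /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;        /* IP header length */
    if (ihl < 20 || len < ihl + 4) return -1;        /* need the TCP ports */
    if (pkt[9] != 6) return -1;                      /* protocol 6 = TCP */
    uint32_t src, dst;
    memcpy(&src, pkt + 12, 4);
    memcpy(&dst, pkt + 16, 4);
    const uint8_t *tcp = pkt + ihl;
    uint16_t sport = (uint16_t)((tcp[0] << 8) | tcp[1]);
    uint16_t dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    return (src == dst && sport == dport) ? 1 : 0;
}

/* Builds a constructed 40-byte IPv4+TCP SYN (no real capture) into buf. */
void build_syn(uint8_t buf[40], const uint8_t src[4], uint16_t sport,
               const uint8_t dst[4], uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                         /* version 4, IHL 5 (20 bytes) */
    buf[3] = 40;                           /* total length */
    buf[9] = 6;                            /* TCP */
    memcpy(buf + 12, src, 4);
    memcpy(buf + 16, dst, 4);
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 0x50;                        /* TCP data offset 5 */
    buf[33] = 0x02;                        /* SYN flag */
}

/* Constructed samples: src==dst and sport==dport versus an ordinary SYN. */
void make_land_sample(uint8_t buf[40])
{
    static const uint8_t a[4] = {192, 0, 2, 10};
    build_syn(buf, a, 139, a, 139);
}
void make_normal_sample(uint8_t buf[40])
{
    static const uint8_t a[4] = {192, 0, 2, 10}, b[4] = {192, 0, 2, 20};
    build_syn(buf, a, 40000, b, 139);
}
```

The same comparison can be used as a drop rule at a packet filter, which is the usual mitigation on hosts that still behave as the slide describes.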
Testing
• Incorrect answers may “look right”
– Similarly, incorrect code may look right
• The tester must know the correct behavior
– Programmer should not be the tester
• “Correct” results may still be due to flawed logic which will fail some other way
• Easy to have inadequate tests
• Requirements can be misunderstood
• Security is an “emergent” property
– Derived from the interactions among the parts
» the weakest link property is definitive
The weakest-link property
Contents
• How are vulnerabilities created?
• Fundamental vulnerabilities causes
• Programming for survivability
Fundamental Vulnerability Causes
• Basic programming practices
– Buffer overflows, lack of type-safety
• Privileged programs
• Trusting untrustworthy information
• Timing windows
• Improper use of algorithms
• Other
Fundamental Vulnerability Causes (basic programming practices) (buffer overflows)
• What can we do?
– It’s a pervasive problem
» Algol (1968), MULTICS-PL/I and ADA included “mandatory array-bound checking”,
• Unfortunately ADA causes brain-cancer in laboratory rats
• I am asking for jail for K&R
– See section 1.9
Buffer Overflow attacks (C++ / C)
• Ghosts from your past will haunt you!
Process Memory Organization
– Code (or text segment): includes instructions and read-only data
– Data: contains (un)initialized data and static / global variables
– Heap
– Stack: LIFO structure to support process execution
A very simple (and vulnerable) password checking program
Stack layout (SP = stack pointer), from the caller’s frame down to the password-checking function’s frame:
Storage for PwStatus (4B)
Caller ebp – frame pointer OS (4B)
Return address of main() – OS (4B)
…
Storage for Password (12B)
Caller ebp – frame pointer main() (4B)
Return address – main() – OS (4B)
SP
A very simple (and vulnerable) password checking program (..)
Storage for PwStatus (4B): “\0” – NULL (last 3 bytes unchanged)
Caller ebp – frame pointer OS (4B)
Return address of main() – OS (4B)
…
Storage for Password (12B): “123456789012”
Caller ebp – frame pointer main() (4B): “3456”
Return address – main() – OS (4B): “7890”
SP
A very simple (and vulnerable) password checking program (…)
Storage for PwStatus (4B): NULL (no changes)
Caller ebp – frame pointer OS (4B)
Return address of main() – OS (4B)
…
Storage for Password (12B): “123456789012”
Caller ebp – frame pointer main() (4B): “3456”
Return address – main() – OS (4B): “u?@\0” (one byte lost in extraction)
SP
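The frame layout above comes from a 12-byte stack buffer filled with an unbounded copy. The following is an added example, not the slides' original program: the vulnerable form beside a hardened one, with a constructed secret value and this example's own function names.

```c
#include <string.h>
#include <stdio.h>

#define PW_LEN 12   /* 12-byte Password buffer, as in the frame layout above */

/* Vulnerable form: strcpy() copies the caller's whole string into a 12-byte
 * stack buffer. Twelve or more characters run past Password into the saved
 * frame pointer and the return address, exactly as the diagram shows.
 * (Example code; "s3cret" is a constructed value.) */
int check_password_vulnerable(const char *input)
{
    char password[PW_LEN];
    strcpy(password, input);                 /* no length check at all */
    return strcmp(password, "s3cret") == 0;  /* 1 = accepted, 0 = rejected */
}

/* Hardened form: look for the terminator inside the buffer size before
 * copying, so the copy length never depends on how long the input is.
 * Returns 1 accepted, 0 rejected, -1 input too long (treated as an error). */
int check_password_safe(const char *input)
{
    char password[PW_LEN];
    const char *end = memchr(input, '\0', PW_LEN);
    if (end == NULL)                         /* no NUL within 12 bytes */
        return -1;
    memcpy(password, input, (size_t)(end - input) + 1);
    return strcmp(password, "s3cret") == 0;
}

int main(void)
{
    /* The slide's 12-character input: the hardened check refuses it. */
    printf("safe(\"123456789012\") = %d\n", check_password_safe("123456789012"));
    printf("safe(\"s3cret\") = %d\n", check_password_safe("s3cret"));
    return 0;
}
```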
Code Red attack (a buffer overflow with code injection)
Check “Smashing the stack for fun or profit” – Aleph One
Fundamental Vulnerability Causes (basic programming practices) (lack of type-safety)
• What is the result of 32,768+1?
Answer: -32,767, if you use a two’s-complement 16-bit field
Fundamental Vulnerability Causes (basic programming practices) (lack of type-safety) (.)
• On Saturday December 25, 2004, COMAIR (Delta airlines) halted all operations and grounded 1,100 flights because of an int overflow,
– More than 32,768 flights that season,
• The CEO was fired!
– It was a DOC bug (Denial Of Career),
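The 16-bit arithmetic behind the quiz and the COMAIR incident, worked through as an added example (not from the slides): the wrapping field the slide describes next to a checked counter that refuses to overflow. The function names are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Reproduces the slide's arithmetic: a 16-bit two's-complement field cannot
 * hold 32,768, so storing it wraps to -32,768 and adding 1 yields -32,767.
 * The truncating casts are implementation-defined in C; on two's-complement
 * targets (every common one) they wrap modulo 2^16. */
int16_t wrap16_add(int32_t a, int32_t b)
{
    int16_t fa = (int16_t)a;
    int16_t fb = (int16_t)b;
    return (int16_t)(fa + fb);   /* promoted to int, then truncated again */
}

/* Checked counterpart, the counter a scheduling system should have used:
 * refuses the addition instead of wrapping; on success stores the sum. */
bool checked_add16(int16_t a, int16_t b, int16_t *out)
{
    int32_t sum = (int32_t)a + (int32_t)b;
    if (sum > INT16_MAX || sum < INT16_MIN)
        return false;
    *out = (int16_t)sum;
    return true;
}

int main(void)
{
    int16_t flights = INT16_MAX;           /* 32,767 entries already stored */
    int16_t next;
    printf("32768 + 1 in 16 bits = %d\n", wrap16_add(32768, 1));
    if (!checked_add16(flights, 1, &next))
        printf("counter full: refusing to store entry 32768\n");
    return 0;
}
```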
Fundamental Vulnerability Causes (privileged programs)
• “With great power comes great responsibility” – Spiderman
• Compartmentalized security
Fundamental Vulnerability Causes (trusting untrustworthy information)
• Already seen in our buffer overflow example,
• Untrustworthy information can be:
– User data,
» e.g. SQL injection, XSS scripting,
– Writable directories and files,
– User input,
» Especially Unicode,
– Active content,
– Controllable data,
» Protocol data
Fundamental Vulnerability Causes (trusting untrustworthy information) (Active Content)
Taken from “2600 – The Hacker Quarterly” – Spring 2006
Fundamental Vulnerability Causes (flawed logic exploited by W32.Blaster.Worm)
Used to extract the hostname from a larger string
Taken from “Secure Coding in C and C++” – Robert Seacord
Fundamental Vulnerability Causes (timing windows - TOCTOU)
• First documented in August 2004 (?)
– VU#132110 – Apache HTTP server v2.0.48
• With some patience, the attacker can cause a DoS event,
• TOCTOU because the Time Of Check is different from the Time Of Use
– Main reason for “software aging”
Fundamental Vulnerability Causes (timing windows - TOCTOU) (.)
Race window: an external process can replace some_file with another file
– A link (hard or symbolic)
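One way to close the race window just described, as an added example that is not the slides' code: instead of checking a path and then opening it, open first with O_NOFOLLOW and examine the descriptor actually obtained, so neither a symbolic nor a hard link substituted in the window is accepted. The function names are this example's own, and the demo writes a temporary file under /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

/* Race-resistant open for a file the program intends to read. There is no
 * separate check-then-open: the open itself refuses to follow a symlink
 * (O_NOFOLLOW) and fstat() inspects the descriptor actually obtained, not
 * whatever the path names a moment later. A hard-linked file (st_nlink > 1),
 * the other replacement trick named on the slide, is also rejected.
 * Returns a descriptor or -1. */
int open_plain_file_safely(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                   /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink > 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo: a fresh temp file opens; a symlink pointing at it, the
 * kind of substitute a racing process would drop in, is refused.
 * Returns 1 when both outcomes are as expected, 0 or -1 otherwise. */
int demo_toctou(void)
{
    char path[] = "/tmp/toctou_demo_XXXXXX";
    char link[64];
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    close(tmp);
    snprintf(link, sizeof link, "%s.lnk", path);
    int ok = 0;
    if (symlink(path, link) == 0) {
        int fd_file = open_plain_file_safely(path);
        int fd_link = open_plain_file_safely(link);
        ok = (fd_file >= 0 && fd_link < 0);
        if (fd_file >= 0) close(fd_file);
        unlink(link);
    }
    unlink(path);
    return ok;
}
```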
Fundamental Vulnerability Causes (improper use of algorithms)
• Checksums (CRC vs. MD5)
• Random number generators
• More generally, not understanding the technology
– e.g. biometric technology
Error modeling in biometric systems
[Figure (source: IDEX): frequency against matching score (0–100); distributions of non-matching prints and matching prints, the acceptance threshold, and the FAR and FRR regions]
Fundamental Vulnerability Causes (other)
• Incorrect assumptions
• Design errors
• Requirement errors
• User interface
– Usability problems
» Why Johnny can’t encrypt: A usability evaluation of PGP. Alma Whitten – J.D. Tygar
– Insecure default configuration
– Documentation problem
Contents
• How are vulnerabilities created?
• Fundamental vulnerabilities causes
• Programming for survivability
Programming for survivability
• Consider other points of view
– Add to your “use cases” some “misuse cases” or even “abuse cases”,
– Remember “hacking is aikido”,
• Identify security risks:
– STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of privilege),
• Follow the principle of least privilege
– Yo, spiderman!
Programming for survivability (.)
• Assume a hostile environment
– Users control much of a program’s behavior
– Be aware of the source of all the data your program uses
– Permit only safe input rather than blocking bad input
– Assume that flaws will lead to a full compromise
• Design for survivability:
– Separate or compartmentalize,
– Overprovision,
– Minimize publicly visible systems / services,
• Cryptography is a powerful tool, but it is harder than you think
Programming for survivability (..)
• Testing for security is just like testing for quality,
• Security must be evaluated based on the way it fails, not on the way it works,
Some final reflections… (processes)
• “product quality cannot be ensured without first guaranteeing the quality of the process by which the product is developed”
• Two software lifecycle process models
– SEI CMM (Carnegie Mellon University),
– General Electric six-σ,
• But just because a process is efficient, repeatable, and applied in a consistent, disciplined way, there is no guarantee that the process is actually good, or for our purposes, “security-enhancing”,
– Remember Kodak six-σ,
– ISO 9000 defines and standardizes,
– ISO 27001 “locks”
» and ISO 17799 gives ideas,
Some final reflections… (formal methods)
• Correct software is: “Software which does what it is supposed to do”
• Secure software is: “Software that doesn’t do what it’s not supposed to do”… or even better… “cannot be forced to do what it’s not supposed to do”
Some final reflections… (actual solutions - patching)
• Life goes in circles
– Application firewalls,
– Patch and patch…
– Four years from the “trustworthy computing initiative”
» Yesterday I applied 11 patches to protect against 21 holes,
• FIAT: Fix-It Again Tony
Taken from “Security Vulnerabilities in software systems – a quantitative perspective” - Alhazmi
Some final reflections… (historical behavior) (windows)
[Chart: vulnerabilities (0–60) against time, quarterly from Jul-98 to Jan-04; series: Windows XP, Shared, Windows 98]
Taken from “Security Vulnerabilities in software systems – a quantitative perspective” - Alhazmi
Some final reflections… (historical behavior) (Linux)
[Chart: vulnerabilities (0–180) against time, from Mar-00 to Nov-04; series: Redhat 6.2, Redhat 7.1, Shared]
Some final reflections… (historical behavior) (OpenBSD)
W^X: no buffer overflows!
Some final reflections… (be prepared for Vista)
[Chart: vulnerabilities against time, divided into Phase 1, Phase 2 and Phase 3]
Taken from “Security Vulnerabilities in software systems – a quantitative perspective” - Alhazmi
Complexity is the enemy of security
• Lines of code
– Windows 3.1 (1992): 3 million,
– Windows 95 (1995): 15 million,
– Windows 98 (1999): 18 million,
– NT 3.5 (1992): 4 million,
– NT 4.0 (1996): 16.5 million,
– Windows 2000 (2001): 35 million,
– Windows XP (2002): 40 million,
– Windows Vista (2006): 50 million,
– Solaris: 7 – 8 million,
– Linux (even with X and Apache): 5 million,
– NetBSD 3.8: 3 million,
• Secure systems should be cut to the bone and made as simple as possible. There is no substitute for simplicity.
Some interesting developments (server-based computing)
• AJAX, “Ruby on Rails”,
• Citrix + vmware + multicore processors