Programming Faults
-
Upload
cornelia-corbin -
Category
Documents
-
view
27 -
download
1
description
Transcript of Programming Faults
![Page 1: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/1.jpg)
Programming Faults
Programming Errors that Lead to Compromised Systems
![Page 2: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/2.jpg)
Definition of Information Security
• Confidentiality == assurance that information is not disclosed to unauthorized entities or processes
• Integrity == quality of an information system that reflects its logical correctness and reliability
• Availability == timely, reliable access to data and information services for authorized users
![Page 3: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/3.jpg)
Definition of a Fault
• Fault == defect that does not change state
• Failure == manifestation of a fault
• “A programming mistake is a latent fault until that code is invoked by the system.”
• “If a fault affects the delivered service, a failure occurs.”
![Page 4: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/4.jpg)
Programming Faults and Intrusion Detection
• Intrusion Detection Systems monitor for attempts to exploit Programming Faults
• Exploits become rules in signature databases used by IDS software to detect the failures caused by activating the flaws
![Page 5: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/5.jpg)
Confidentiality Faults
• Buffer Overruns
• Environment Variables
• Interactive Input
• Handling Sensitive Data
• Executing Other Programs
![Page 6: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/6.jpg)
Buffer Overruns
• Subvert the normal course of execution to execute code written by the cracker
• Exploit root privileged programs to gain root authority
• Result of mismanaging arrays and pointers (mostly character arrays)
• Write past the end of the buffer to overwrite other data in memory
![Page 7: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/7.jpg)
• Two types of buffers - static and dynamic
• Dynamic buffers are allocated from the stack at run time
• As part of the stack, they are in the same area of memory as data used by kernels in OSes which do not maintain separate user and kernel modes
![Page 8: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/8.jpg)
void function (char *str) { char buffer[16]; strcpy(buffer, str);}void main() { char large_string[256]; int i for (i=0; i<255; i++) large_string[i]=‘A’; function(large_string);}
![Page 9: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/9.jpg)
top of stack
bottom of memory
<------------------------------<
|Buffer Sfp Ret *Str |. . .
|[ ][ ] [ ] [ ] |. . .
<------------------------------<
top of memory
bottom of stack
![Page 10: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/10.jpg)
#include <stdio.h>void main() { char *name[2]; name[0] = “/bin/sh”; name[1] = “NULL; execve(name[0], name, NULL);}
char shellcode[] =“\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00]x00\x00”“\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80”“\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff”“\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3”;
![Page 11: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/11.jpg)
• If the IDS captures a long series of NOOPs being transmitted to a protected system, it should flag that as a potential exploit attempt.
• alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:5;)
Buffer Overruns and IDS
![Page 12: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/12.jpg)
Environment Variables
• Environment variables are sources of user input
• Depending on how a program handles the variable, it’s possible to insert an exploit to either cause a failure, or to take advantage of poor logic
![Page 13: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/13.jpg)
Suppose IFS (variable to control whitespace designator) is set to ‘/’ (the pathname seperator).
Thenexec(“/bin/sh”,”-c”,”/bin/mail userbob”);
Becomesbin mail userbob
![Page 14: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/14.jpg)
Environment Variables and IDS
• If the IDS detects an IFS setting being transmitted to a protected system, should it flag that as a potential exploit attempt?
![Page 15: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/15.jpg)
Integrity Flaws
• Executing Input
• Links
• Regular Files
• Race Conditions
• Resource Sharing
![Page 16: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/16.jpg)
Executing Input
• From an old version of a web browser:sprintf(buf, telnet %s”, resid_url);system(buf);
• Internet clients that try to be helpful by downloading & executing content.
![Page 17: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/17.jpg)
User Input and IDS
• Formatted commands to network services make good signatures for IDS.
• alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flow:to_server,established; offset:32; classtype:attempted-user; sid:681; rev:4;)
![Page 18: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/18.jpg)
Links
• Replace a temporary file used by a privileged program with a link to another file.
• Can capture data, or trick the program into corrupting system files.
![Page 19: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/19.jpg)
• Ex: suppose /tmp/abc123 is used by a root program and to temporarily store data.
• If the program doesn’t verify that /tmp/abc123 doesn’t already exist, a user can pre-create /tmp/abc123 -> /etc/passwd.
• The program follows the link, and clobbers the password file.
![Page 20: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/20.jpg)
File Manipulations and IDS
• How can a network device tell the difference between creating a link to exploit a program, or creating a link to create a link?
• Host Based IDS are required to detect file changes (ie file integrity checkers).
![Page 21: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/21.jpg)
Availability Faults
• Local System DOS
• Network DOS
• Buffer Overruns
• System Overload
• Spoofing
![Page 22: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/22.jpg)
Local System DOS
• Fill up the filesystemint main() {int ifd;char buf[8192];ifd=open(“./attack”, O_WRITE|O_CREATE, 0777);unlink(“./attack”);while(1) write(ifd, buf, sizeof(buf));
}
• Use up inodes, fill up the process table, use up memory…
![Page 23: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/23.jpg)
Local DOS and IDS
• Look for error messages indicating system problems.
• Good system administration practices probably more important.Filesystem monitoringMemory statistics monitoringCPU load monitoring…
![Page 24: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/24.jpg)
Network DOS
• Manipulate the network protocols to cause a failure on the target.
• Ex: >6 bytes data in a SYN packet• Ex: ICMP ECHO requests > 65507 octets• Ex: setting packet header flags to
nonsensical values• …
![Page 25: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/25.jpg)
• More often than not protocols and standards are not properly or fully implemented, creating flaws that lead to denial of service.
• RFCs provide the structure and behavior guidelines; following the RFC reduces flaws; testing the RFC finds the flaws.
![Page 26: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/26.jpg)
Network DOS and IDS
• Use the IDS to monitor network traffic for packets in unexpected parts of network; malformed packets; or just certain types of packets.
• alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; itype: 17; icode: 0; sid:388; classtype:misc-activity; rev:4;)
![Page 27: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/27.jpg)
Conclusion(s)
• Use good programming techniques to avoid perpetuating the same old flaws.
• The same flaws that existed in the dawn of the Internet still exist. Example - the Morris Worm and the Blaster Worm used the same techniques to exploit a system and spread themselves to other systems.
![Page 28: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/28.jpg)
• IDS systems, network based and host based, are an important layer in the Defense-in-Depth approach to good information security.
• IDS systems also make good system administration tools.
![Page 29: Programming Faults](https://reader036.fdocuments.us/reader036/viewer/2022062517/5681379e550346895d9f4313/html5/thumbnails/29.jpg)
Works Consulted
• Aleph One. Smashing the Stack for Fun and Profit. Phrack. Vol 7, Num 49.
• Forbes, Liam. Secure Programming in the UNIX Environment. UAF CS Dept., 1998.
• Patterson, David A. An Introduction to Dependability. ;login: The Magazine of USENIX & SAGE. August 2002, Vol 27, Num 4.