Software and Security(PPT260).ppt

Uploaded by: laozhun. Document ID: 2251430. Uploaded: 2023-02-07. Format: PPT. Pages: 260. Size: 2.44 MB.
Part 4: Software

Slide 1: Software and Security

Slide 2: Why Software?
- Why is software as important to security as crypto, access control and protocols?
- Virtually all of information security is implemented in software
- If your software is subject to attack, your security is broken, regardless of the strength of the crypto, access control or protocols
- Software is a poor foundation for security

Slide 3: Bad Software
- Bad software is everywhere!
- NASA Mars Climate Orbiter (the deck says "Mars Lander"; cost $165 million): lost at Mars in 1999 because of an error in converting between English and metric units of measure
- Denver airport: buggy baggage handling system delayed the airport opening by 11 months; the cost of the delay exceeded $1 million/day
- MV-22 Osprey: advanced military aircraft; lives have been lost due to faulty software

Slide 4: Software Issues
- Attackers actively look for bugs and flaws; they like bad software and try to make it misbehave; they attack systems through bad software
- "Normal" users find bugs and flaws by accident; they hate bad software but must learn to live with it; they must make bad software work

Slide 5: Complexity
- "Complexity is the enemy of security" (Paul Kocher, Cryptography Research, Inc.)
- [Table: system vs. lines of code (LOC); the values are not present in the extracted text]
- A new car contains more LOC than was required to land the Apollo astronauts on the moon

Slide 6: Lines of Code and Bugs
- Conservative estimate: 5 bugs per 1,000 LOC
- Do the math: a typical computer has 3,000 executables of 100K LOC each
- Being even more conservative, assume only 50 bugs per executable (0.5 per 1,000 LOC)
- That is about 150K bugs per computer, so a 30,000-node network has 4.5 billion bugs
- Suppose that only 10% of bugs are security-critical and only 10% of those are remotely exploitable
- Then "only" 45 million critical security flaws (4.5 billion x 0.1 x 0.1; the deck's slide says 4.5 million, which does not follow from its own numbers)!

Slide 7: Software Security Topics
- Program flaws (unintentional): buffer overflow; incomplete mediation; race conditions
- Malicious software (intentional): viruses; worms; other breeds of malware

Slide 8: Program Flaws
- An error is a programming mistake (to err is human)
- An error may lead to an incorrect state: a fault. A fault is internal to the program
- A fault may lead to a failure, where a system departs from its expected behavior. A failure is externally observable
- error -> fault -> failure

Slide 9: Example

    char array[10];
    int i;
    for (i = 0; i < 10; ++i)
        array[i] = 'A';
    array[10] = 'B';    /* one past the end of a 10-element array */

- This program has an error
- This error might cause a fault: incorrect internal state
- If a fault occurs, it might lead to a failure: the program behaves incorrectly (external)
- We use the term flaw for all of the above

Slide 10: Secure Software
- In software engineering, try to ensure that a program does what is intended
- Secure software engineering requires that the software does what is intended, and nothing more
- Absolutely secure software is impossible; absolute security is almost never possible!
- How can we manage the risks?

Slide 11: Program Flaws
- Program flaws are unintentional, but still create security risks
- We'll consider three types of flaws: buffer overflow (smashing the stack); incomplete mediation; race conditions
- Many other flaws can occur; these are the most common

Slide 12: Buffer Overflow (section title)

Slide 13: Typical Attack Scenario
- Users enter data into a Web form
- Web form is sent to server
- Server writes data to a buffer, without checking the length of the input data
- Data overflows from the buffer
- Sometimes, the overflow can enable an attack
- A Web form attack could be carried out by anyone with an Internet connection

Slide 14: Buffer Overflow

    int main() {
        int buffer[10];
        buffer[20] = 37;
    }

- Q: What happens when this is executed?
- A: Depends on what resides in memory at location "buffer[20]": might overwrite user data or code; might overwrite system data or code

Slide 15: Simple Buffer Overflow
- Consider a boolean flag for authentication
- A buffer overflow could overwrite the flag, allowing anyone to authenticate!
- [Figure: the boolean flag (F) sits in memory right after the buffer; the input F, O, U, R, S, C, ... overflows the buffer and the byte that lands on the flag changes it to T]
- In some cases, the attacker need not be so lucky as to have the overflow overwrite the flag

Slide 16: Memory Organization
- Text = code
- Data = static variables
- Heap = dynamic data
- Stack = "scratch paper": dynamic local variables, parameters to functions, return address
- [Figure: from low addresses to high addresses: text, data, heap, then the stack, which grows downward toward the heap; SP is the stack pointer]

Slide 17: Simplified Stack Example

    void func(int a, int b) {
        char buffer[10];
        /* ... */
    }

    void main() {
        func(1, 2);
    }

- [Figure: the stack frame for func, from high address to low: b, a, ret (the return address), buffer; SP moves down as each item is pushed]

Slide 18: Smashing the Stack
- What happens if buffer overflows?
- [Figure: the overflow runs from buffer upward over ret]
- Program "returns" to the wrong location... NOT! A crash is likely

Slide 19: Smashing the Stack
- Attacker has a better idea
- [Figure: the overflow fills the buffer with "evil code" and overwrites ret with the address of that code]
- Code injection: the attacker can run any code on the affected system!

Slide 20: Smashing the Stack
- Attacker may not know the address of the evil code, or the location of ret on the stack
- Solutions: precede the evil code with a NOP "landing pad"; insert lots of new ret values
- [Figure: payload laid out as NOP, NOP, ..., evil code, ..., ret, ret, ...; the NOPs absorb uncertainty about the code's address and the repeated ret values absorb uncertainty about where the saved return address lies]

Slide 21: Stack Smashing Summary
- A buffer overflow must exist in the code
- Not all buffer overflows are exploitable: things must line up correctly
- If exploitable, the attacker can inject code; trial and error is likely required
- Lots of help available online: "Smashing the Stack for Fun and Profit", Aleph One
- Also possible to overflow the heap
- Stack smashing is the "attack of the decade"

Slide 22: Stack Smashing Example
- Program asks for a serial number that the attacker does not know
- Attacker also does not have the source code, but does have the executable (exe)
- [Screenshot: program quits on an incorrect serial number]

Slide 23: Example
- By trial and error, the attacker discovers an apparent buffer overflow
- [Screenshot: crash dialog] Note that 0x41 is "A"; looks like ret was overwritten by 2 bytes!

Slide 24: Example
- Next, disassemble bo.exe to find the code of interest [screenshot: disassembly]
- The goal is to exploit the buffer overflow to jump to address 0x401034

Slide 25: Example
- [Screenshot] Find that 0x401034 is "P4" in ASCII
- Byte order is reversed? Why? x86 processors are "little-endian"

Slide 26: Example
- Reverse the byte order to "4P" and... [screenshot] Success!
- We've bypassed the serial number check by exploiting a buffer overflow: we overwrote the return address on the stack

Slide 27: Example
- Attacker did not require access to the source code
- The only tool used was a disassembler, to determine the address to jump to
- The address can also be found by trial and error; necessary if the attacker does not have the exe, for example in a remote attack

Slide 28: Example
- [Screenshot: source code of the buffer overflow]
- Flaw easily found by the attacker, even without the source code!

Slide 29: Stack Smashing Prevention
- 1st choice: employ a non-executable stack ("No execute", the NX bit, if available). Seems like the logical thing to do, but some real code executes on the stack! (Java does this)
- 2nd choice: use safe languages (Java, C#)
- 3rd choice: use safer C functions. For unsafe functions, there are safer versions, for example strncpy instead of strcpy

Slide 30: Stack Smashing Prevention
- Canary: a run-time stack check. Push the canary onto the stack between the buffer and ret
- Canary value: the constant 0x000aff0d, or a value that depends on ret
- [Figure: frame with the canary between buffer and ret; an overflow that reaches ret must first overwrite the canary, which the check detects]

Slide 31: Microsoft's Canary
- Microsoft added a buffer security check feature to C++ with the /GS compiler flag
- Uses a canary (or "security cookie")
- Q: What to do when the canary dies? A: Check for a user-supplied handler
- The handler may be subject to attack: it has been claimed that an attacker can specify the handler code
- If so, formerly safe buffer overflows become exploitable when /GS is used!
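The following is an added example, not code from the slides: it simulates the stack frame of slides 15 through 30 with a C struct, so the overflows can be run and checked without crashing a real process. The frame layout (buffer, then flag or canary, then saved return address), the constant canary 0x000aff0d and the target address 0x401034 come from the slides; the struct, the function names and the "legitimate" return address 0x00400000 are this example's own assumptions. The two copy routines deliberately lack the length check, which is the flaw under discussion.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simulated stack frame, lowest address first, as on slides 17 and 30.
 * C lays struct members out in declaration order, so buffer really is
 * followed in memory by guard and then ret (offsets 0, 16, 20). */
struct frame {
    char     buffer[16];
    uint32_t guard;   /* slide 15: authentication flag; slide 30: canary */
    uint32_t ret;     /* saved return address */
};

#define CANARY_CONST 0x000aff0dU    /* slide 30 constant: NUL, LF, 0xff, CR */
#define TARGET_ADDR  0x401034U      /* slide 24 target address */
#define LEGIT_RET    0x00400000U    /* assumed legitimate return address */

/* The flaw: strcpy-style copy with no length check. It runs past buffer[16]
 * into guard and ret just as strcpy does on a real stack. Inputs in this
 * example are at most 23 bytes so the write (plus NUL) stays inside the frame. */
static void unchecked_strcpy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Same flaw for length-driven copies such as read()/memcpy: n is never compared
 * with sizeof buffer. The sizeof cap only keeps the demo inside its own
 * simulated frame; a real vulnerable function has no such limit. */
static void unchecked_read(struct frame *f, const unsigned char *src, size_t n)
{
    unsigned char *dst = (unsigned char *)f->buffer;
    if (n > sizeof *f)
        n = sizeof *f;
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Slide 25: x86 stores 0x401034 little-endian as 34 10 40 00 ("4", 0x10, "@", NUL). */
void put_le32(unsigned char out[4], uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* Slide 15: the flag sits right after the buffer; any name of 17+ bytes sets it. */
int login_sets_flag(const char *name)
{
    struct frame f;
    memset(&f, 0, sizeof f);            /* guard = 0: not authenticated */
    unchecked_strcpy(f.buffer, name);   /* vulnerable copy */
    return f.guard != 0;                /* 1 = "authenticated", no password needed */
}

/* Slides 18-20 and 30: n payload bytes land on the frame (memcpy-style).
 * Returns 1 if the canary check would abort before returning, 0 otherwise;
 * *ret_after receives the address the function would return to. */
int smash_with_canary(const unsigned char *payload, size_t n,
                      uint32_t canary, uint32_t *ret_after)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.guard = canary;
    f.ret = LEGIT_RET;
    unchecked_read(&f, payload, n);
    *ret_after = f.ret;
    return f.guard != canary;           /* canary died => overflow detected */
}

/* Slide 30, terminator canary with a strcpy-style copy: the attacker can write
 * the canary's 0d ff 0a bytes, but the NUL that completes it also ends the copy,
 * so ret is never reached. Returns 1 if ret was modified. */
int strcpy_reaches_ret(const char *input, int *canary_intact)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.guard = CANARY_CONST;
    f.ret = LEGIT_RET;
    unchecked_strcpy(f.buffer, input);
    *canary_intact = (f.guard == CANARY_CONST);
    return f.ret != LEGIT_RET;
}

/* Slide-20 style payload: filler up to guard, the 4 guard bytes the attacker
 * chooses, then the little-endian target. Returns the payload length (24). */
size_t build_payload(unsigned char out[24], uint32_t guard_bytes, uint32_t target)
{
    memset(out, 'A', 16);               /* filler; a NOP sled would go here */
    put_le32(out + 16, guard_bytes);
    put_le32(out + 20, target);
    return 24;
}
```

Two points from the slides fall out directly. A canary the attacker cannot predict catches a memcpy-style overflow (smash_with_canary returns 1 and the program would abort), but a canary the attacker knows is simply written back into place and the return address is redirected to 0x401034 unnoticed. The terminator constant 0x000aff0d defeats strcpy-style copies, because the attacker cannot both supply its NUL byte and keep writing past it, yet it offers nothing against a length-driven copy, which is why random or ret-dependent canaries are used as well.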

Slide 32: Buffer Overflow
- The "attack of the decade" for the 90s; will be the attack of the decade for the 00s
- Can be prevented: use safe languages and safe functions; educate developers, use tools, etc.
- Buffer overflows will exist for a long time: legacy code, bad software development

Slide 33: Incomplete Mediation (section title)

Slide 34: Input Validation
- Consider: strcpy(buffer, argv[1])
- A buffer overflow occurs if len(buffer) < len(argv[1])
- Software must validate the input by checking the length of argv[1]
- Failure to do so is an example of a more general problem: incomplete mediation

Slide 35: Input Validation
- Consider Web form data. Suppose the input is validated on the client; for example, the following is valid: http:/ [the rest of the URL is missing from the extracted text]
- Input is not checked on the server. Why bother, since the input was checked on the client?
- Then the attacker could send the http message: http:/ [the rest of the URL is missing from the extracted text]

Slide 36: Incomplete Mediation
- Linux kernel: research has revealed many buffer overflows; many of these are due to incomplete mediation
- The Linux kernel is "good" software since it is open source and written by coding gurus, and tools exist to help find such problems
- But incomplete mediation errors can be subtle, and the tools are useful to attackers too!

Slide 37: Race Conditions (section title)

Slide 38: Race Condition
- Security processes should be atomic: occur "all at once"
- Race conditions can arise when a security-critical process occurs in stages
- The attacker makes a change between stages, often between the stage that gives authorization and the stage that transfers ownership
- Example: Unix mkdir

Slide 39: mkdir Race Condition
- mkdir creates a new directory
- How mkdir is supposed to work: 1. allocate space; 2. transfer ownership

Slide 40: mkdir Attack
- Not really a "race", but the attacker's timing is critical
- The mkdir race condition: 1. mkdir allocates space; 2. the attacker creates a link to the password file in place of the new directory; 3. mkdir transfers ownership, which now applies to the linked password file

Slide 41: Race Conditions
- Race conditions are common; they may be more prevalent than buffer overflows
- But race conditions are harder to exploit; buffer overflow is the "low hanging fruit" today
- To prevent race conditions, make security-critical processes atomic: occur all at once, not in stages
- Not always easy to accomplish in practice

Slide 42: Malware (section title)

Slide 43: Malicious Software
- Malware is not new! Fred Cohen's initial virus work in the 1980s used viruses to break MLS systems
- Types of malware (lots of overlap): virus, passive propagation; worm, active propagation; Trojan horse, unexpected functionality; trapdoor/backdoor, unauthorized access; rabbit, exhausts system resources

Slide 44: Viruses/Worms
- Where do viruses live?
- Boot sector: takes control before anything else
- Memory resident: stays in memory
- Applications, macros, data, etc.
- Library routines
- Compilers, debuggers, virus checker, etc.: these are particularly nasty!
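Added example, not from the slides, for the race-condition slides (38 through 41): the mkdir flaw is a check-then-use race, and the same pattern on a modern Unix is a program that tests a path with access() and then opens it, with the attacker swapping in a link between the two calls. The code shows that racy pattern beside a single-step alternative (open with O_NOFOLLOW, then fstat on the descriptor that was actually opened) and a self-check that builds a scratch file and a symlink under /tmp to demonstrate the difference. The function names and the /tmp locations are this example's own; it assumes a POSIX system such as Linux with glibc.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Two-stage (racy) version, the shape of the mkdir flaw on slide 40:
 * stage 1 authorizes the path, stage 2 uses it. Nothing stops an attacker
 * from pointing the path somewhere else between the two calls, because each
 * call resolves the path name from scratch. */
int open_racy(const char *path)
{
    if (access(path, R_OK) != 0)        /* stage 1: check the path */
        return -1;
    return open(path, O_RDONLY);        /* stage 2: use the path (resolved again!) */
}

/* Single-step version: the kernel checks and opens in one operation.
 * O_NOFOLLOW refuses a symlink as the last path component, and fstat() on the
 * descriptor inspects the object that was actually opened, so a later change
 * to the path cannot matter. The link-count test rejects a hard link planted
 * onto a privileged file (the slide-40 trick); it also rejects legitimately
 * multi-linked files, which callers of this example must tolerate. */
int open_atomic(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check (this example's own setup): create a scratch file and a symlink
 * to it under /tmp, standing in for the attacker who swapped the path for a
 * link. Returns 1 when the racy opener follows the link while the atomic
 * opener refuses it but still opens the real file. */
int demo_symlink_swap(void)
{
    char real_path[] = "/tmp/toctou_real_XXXXXX";
    char link_path[] = "/tmp/toctou_link_XXXXXX";
    int fd = mkstemp(real_path);
    if (fd < 0)
        return 0;
    close(fd);
    fd = mkstemp(link_path);            /* reserve a unique name, then reuse it for the link */
    if (fd < 0) {
        unlink(real_path);
        return 0;
    }
    close(fd);
    unlink(link_path);
    if (symlink(real_path, link_path) != 0) {
        unlink(real_path);
        return 0;
    }
    int racy   = open_racy(link_path);   /* follows the link: succeeds */
    int atomic = open_atomic(link_path); /* O_NOFOLLOW: fails (ELOOP on Linux) */
    int direct = open_atomic(real_path); /* the real file: succeeds */
    int ok = (racy >= 0) && (atomic < 0) && (direct >= 0);
    if (racy >= 0)
        close(racy);
    if (direct >= 0)
        close(direct);
    unlink(link_path);
    unlink(real_path);
    return ok;
}
```

open_racy() still succeeds through the symlink because access() and open() each resolve the name independently, exactly the gap the slides describe between the authorizing stage and the using stage. open_atomic() works not because it is faster but because the kernel performs the check and the use as one operation and the fstat() checks apply to the object already opened; that is what "make security-critical processes atomic" looks like in code.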

Slide 45: Malware Timeline
- Preliminary work by Cohen (early 80s)
- Brain virus (1986)
- Morris worm (1988)
- Code Red (2001)
- SQL Slammer (January 2003; the deck's slide says 2004)
- Future of malware?

Slide 46: Brain
- First appeared in 1986; more annoying than harmful
- A prototype for later viruses; not much reaction by users
- What it did: 1. placed itself in the boot sector (and other places); 2. screened disk calls to avoid detection; 3. on each disk read, checked whether the boot sector was infected; if not, goto 1
- Brain did nothing malicious

Slide 47: Morris Worm
- First appeared in 1988
- What it tried to do: determine where it could spread; spread its infection; remain undiscovered
- Morris claimed it was a test gone bad
- "Flaw" in the worm code: it tried to re-infect already-infected systems, which led to resource exhaustion; the adverse effect was like a so-called rabbit

Slide 48: Morris Worm
- How to spread its infection? It tried to obtain access to a machine by: user account password guessing; exploiting a buffer overflow in fingerd; exploiting a trapdoor in sendmail
- The flaws in fingerd and sendmail were well known at the time, but not widely patched

Slide 49: Morris Worm
- Once access had been obtained to a machine, a "bootstrap loader" consisting of 99 lines of C code was sent to the victim
- The victim machine compiled and executed the code
- The bootstrap loader then fetched the rest of the worm
- The victim even authenticated the sender!

Slide 50: Morris Worm
- How to remain undetected?
- If transmission of the worm was interrupted, all code was deleted
- Code was encrypted when downloaded; the downloaded code was deleted after decrypting and compiling
- When running, the worm regularly changed its name and process identifier (PID)

Slide 51: Result of Morris Worm
- Shocked the Internet community of 1988: the Internet was designed to withstand nuclear war, yet it was brought down by a graduate student!
- At the time, Morris's father worked at NSA
- Could have been much worse: it was not malicious
- Users who did not panic recovered quickest
- CERT began; increased security awareness, though limited actions to improve security

Slide 52: Code Red Worm
- Appeared in July 2001
- Infected more than 250,000 systems in about 15 hours; in total, infected 750,000 out of 6,000,000 susceptible systems
- Exploited a buffer overflow in Microsoft IIS server software
- Then scanned other hosts on port 80 for susceptible servers

Slide 53: Code Red Worm
- What it did: days 1 to 19 of the month, tried to spread the infection; days 20 to 27, distributed denial of service attack on www.whitehouse.gov
- Later versions (several variants) included a trapdoor for remote access, and rebooted to flush the worm, leaving only the trapdoor
- It has been claimed that Code Red may have been a "beta test for information warfare"

Slide 54: SQL Slammer
- Infected most of its vulnerable population (about 75,000 hosts; the deck's slide says 250,000) in 10 minutes! Code Red took 15 hours to do what Slammer did in 10 minutes
- At its peak, Slammer infections doubled every 8.5 seconds
- Slammer spread too fast: it "burned out" the available bandwidth

Slide 55: SQL Slammer
- Why was Slammer so successful? The worm fit in one 376-byte UDP packet
- Firewalls often let a small packet through, assuming it could do no harm by itself; then the firewall monitors the connection
- The expectation was that much more data would be required for an attack
- Slammer defied the assumptions of "experts"

Slide 56: Trojan Horse Example
- A Trojan has an unexpected function
- Prototype of a Trojan for the Mac: file icon for freeMusic.mp3 [screenshot]
- For a real mp3, double-click on the icon: iTunes opens and the music in the mp3 file plays
- But for freeMusic.mp3, unexpected results

Slide 57: Trojan Example
- Double-click on freeMusic.mp3: iTunes opens (expected); "Wild Laugh" (probably not expected); message box (unexpected)

Slide 58: Trojan Example
- How does the freeMusic.mp3 Trojan work? This "mp3" is an application, not data! [screenshot]
- This Trojan is harmless, but it could have done anything the user can do: delete files, download files, launch apps, etc.

Slide 59: Malware Detection
- Three common methods: signature detection; change detection; anomaly detection
- We'll briefly discuss each of these, and consider the advantages and disadvantages of each

Slide 60: Signature Detection
- A signature is a string of bits found in software (or could be a hash value)
- Suppose that a virus has signature 0x23956a58bd910345; we can search for this signature in all files
- If we find the signature, are we sure we've found the virus? No, the same signature could appear in other files
- But at random, the chance is very small: 1/2^64. Software is not random, so the probability is higher

Slide 61: Signature Detection
- Advantages: effective on "traditional" malware; minimal burden for users/administrators
- Disadvantages: the signature file can be large (10,000s of signatures), making scanning slow; signature files must be kept up to date; cannot detect unknown viruses; cannot detect some new types of malware
- By far the most popular detection method!

Slide 62: Change Detection
- Viruses must live somewhere on the system; if we detect that a file has changed, it may be infected
- How to detect changes? Hash files and (securely) store the hash values; recompute the hashes and compare; if a hash value changes, the file might be infected

Slide 63: Change Detection
- Advantages: virtually no false negatives; can even detect previously unknown malware
- Disadvantages: [the extracted text ends here]
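An added example, not the deck's code: a miniature of the two detection methods on slides 60 through 63, run over constructed in-memory "files" instead of a real disk. The signature is the slides' 0x23956a58bd910345; the file contents, the FNV-1a hash (used only because it is short; a real baseline must use a cryptographic hash such as SHA-256 so an attacker cannot craft a modified file with the same digest) and the function names are this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* A "file" for this example: constructed byte strings stand in for the
 * executables a scanner would read from disk. */
struct file { const char *name; const unsigned char *data; size_t len; };

/* Slide 60: the example signature 0x23956a58bd910345 as an 8-byte pattern. */
static const unsigned char SIG[8] = {0x23, 0x95, 0x6a, 0x58, 0xbd, 0x91, 0x03, 0x45};

/* Signature detection: does the byte string sig occur anywhere in data? */
int has_signature(const unsigned char *data, size_t len,
                  const unsigned char *sig, size_t siglen)
{
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(data + i, sig, siglen) == 0)
            return 1;
    return 0;
}

/* Scan a set of files for SIG; marks hits[] and returns the number of hits. */
size_t signature_scan(const struct file *files, size_t n, int hits[])
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        hits[i] = has_signature(files[i].data, files[i].len, SIG, sizeof SIG);
        count += (size_t)hits[i];
    }
    return count;
}

/* Change detection (slide 62): hash every file, store the hashes securely,
 * later rehash and compare. FNV-1a is a stand-in for a cryptographic hash. */
uint64_t fnv1a64(const unsigned char *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

#define MAX_FILES 8
struct baseline { size_t n; uint64_t hash[MAX_FILES]; };

/* Record the trusted state (run once, on a known-clean system). */
void baseline_record(struct baseline *b, const struct file *files, size_t n)
{
    b->n = n < MAX_FILES ? n : MAX_FILES;
    for (size_t i = 0; i < b->n; i++)
        b->hash[i] = fnv1a64(files[i].data, files[i].len);
}

/* Later: recompute and compare. Marks changed[] and returns how many differ. */
size_t baseline_check(const struct baseline *b, const struct file *files, int changed[])
{
    size_t count = 0;
    for (size_t i = 0; i < b->n; i++) {
        changed[i] = fnv1a64(files[i].data, files[i].len) != b->hash[i];
        count += (size_t)changed[i];
    }
    return count;
}

/* Constructed sample data (not real binaries). */
static const unsigned char EDITOR_V1[]  = "MZ\x90\x00" "editor v1.2 clean build";
static const unsigned char EDITOR_INF[] = "MZ\x90\x00" "editor v1.2 clean build"
                                          "\x23\x95\x6a\x58\xbd\x91\x03\x45";   /* infected */
static const unsigned char SHELL_V1[]   = "#!/bin/sh\necho hi\n";
static const unsigned char SHELL_V2[]   = "#!/bin/sh\necho hi there\n";        /* legitimate update */

/* Demo: the baseline is taken on the clean set; later the editor is infected
 * and the script is legitimately updated. Returns 1 if the outcome matches the
 * slides' discussion: the signature scan finds only the known virus, while
 * change detection flags both files (one true positive, one false positive). */
int demo(size_t *sig_hits, size_t *changed_files)
{
    struct file before[2] = {
        {"editor", EDITOR_V1,  sizeof EDITOR_V1 - 1},
        {"hi.sh",  SHELL_V1,   sizeof SHELL_V1 - 1},
    };
    struct file after[2] = {
        {"editor", EDITOR_INF, sizeof EDITOR_INF - 1},
        {"hi.sh",  SHELL_V2,   sizeof SHELL_V2 - 1},
    };
    int hits[2], changed[2];
    struct baseline b;
    baseline_record(&b, before, 2);
    *sig_hits = signature_scan(after, 2, hits);
    *changed_files = baseline_check(&b, after, changed);
    return hits[0] == 1 && hits[1] == 0 && changed[0] == 1 && changed[1] == 1;
}
```

The demo() result is the slides' trade-off in miniature: the signature scan reports only the file carrying the known pattern, while change detection flags the infected editor and also the updated script, so it catches malware no signature describes at the price of false positives, and it only works if the stored hashes live somewhere the malware cannot rewrite them.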
