20101017 program analysis_for_security_livshits_lecture03_security
TRANSCRIPT
![Page 1: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/1.jpg)
Introduction to Systems Security
Ben Livshits10/16/2010
Some slides are borrowed from CS 155 at Stanford
![Page 2: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/2.jpg)
Organization• General introduction to security
• What is system security?• Threats• Trends• Approaches to finding vulnerabilities
• Security vulnerabilities• Memory-based exploits• Web application vulnerabilities
![Page 3: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/3.jpg)
What is Security?System correctness If user supplies expected input, system
generates desired output
Security If attacker supplies unexpected input,
system does not fail in certain ways Goal of the attacker is to make the system
fail in “interesting ways”
![Page 4: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/4.jpg)
What is security?System correctness Good input Good output Think “verification”
Security Bad input Bad output Think “not exploitable”
![Page 5: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/5.jpg)
What is security?System correctness More features: better
Security More features: can be worse
![Page 6: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/6.jpg)
Security propertiesConfidentiality
Information about system or its users cannot be learned by an attacker
Integrity The system continues to operate properly, only
reaching states that would occur if there were no attacker
Availability Actions by an attacker do not prevent users from
having access to use of the system
![Page 7: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/7.jpg)
System
AttackerAlice
General picture
Security is about Honest user (e.g., Alice, Bob, …) Dishonest Attacker How the Attacker
Disrupts honest user’s use of the system (Integrity, Availability)
Learns information intended for Alice only (Confidentiality)
![Page 8: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/8.jpg)
Network Attacker
Intercepts and controls network communication
Alice
System
Network security
![Page 9: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/9.jpg)
Web Attacker
Sets up malicious site
visited by victim; no control of network
Alice
System
Web security
![Page 10: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/10.jpg)
OS Attacker
Controls malicious files
and applications
Alice
Operating system security
![Page 11: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/11.jpg)
System
AttackerAlice
Confidentiality: Attacker does not learn Alice’s secrets
Integrity: Attacker does not undetectably corrupt system’s function for Alice
Availability: Attacker does not keep system from being useful to Alice
![Page 12: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/12.jpg)
Current Trends
![Page 13: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/13.jpg)
Historical hackers (prior to 2000)
Profile: Male Between 14 and 34 years of age Computer addicted No permanent girlfriend
No Commercial Interest !!!Source: Raimund Genes
![Page 14: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/14.jpg)
Typical Botherder: 0x80" (pronounced X-eighty)
High school dropout “…most of these people I infect are so stupid they really ain't got
no business being on the Internet in the first place.“
Working hours: approx. 2 minutes/day to manage Botnet
Monthly earnings: $6,800 on averageDaily Activities:
Chatting with people while his bots make him money Recently paid $800 for an hour alone in a VIP room with several
dancers
Job Description: Controls 13,000+ computers in more than 20 countries Infected Bot PCs download Adware then search for new victim
PCs Adware displays ads and mines data on victim's online browsing
habits. Bots collect password, e-mail address, SS#, credit and banking
data Gets paid by companies like TopConverting.com,
GammaCash.com, Loudcash, or 180Solutions.
14
Washington Post: Invasion of the Computer Snatchers
![Page 15: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/15.jpg)
Some things in the newsNigerian letter (419 Scams) still works: Michigan Treasurer Sends 1.2MUSD of State Funds !!!
Many zero-day attacks Google, Excel, Word, Powerpoint, Office …
Criminal access to important devices Numerous lost, stolen laptops, storage media,
containing customer information Second-hand computers (hard drives) pose risk
Vint Cerf estimates ¼ of PCs on Internet are bots
15
![Page 16: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/16.jpg)
Trends for 2010Malware, worms, and Trojan horses
spread by email, instant messaging, malicious or infected websites
Botnets and zombies improving their encryption capabilities, more difficult to detect
Scareware – fake/rogue security software Attacks on client-side software
browsers, media players, PDF readers, etc.
Ransom attacks malware encrypts hard drives, or DDOS attack
Social network attacks Users’ trust in online friends makes these networks a prime target.
Cloud Computing - growing use will make this a prime target for attack.
Web Applications - developed with inadequate security controls
Budget cuts - problem for security personnel and a boon to cyber criminals.
Texas CISO, Feb 2010
Same list in Oklahoma Monthly Security Tips Newsletter
![Page 17: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/17.jpg)
Trends
![Page 18: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/18.jpg)
Reported Web Vulnerabilities "In the Wild"
Data from aggregator and validator of NVD-reported vulnerabilities
![Page 19: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/19.jpg)
Web vs System vulnerabilities
XSS peak
![Page 20: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/20.jpg)
Web attack toolkit: MPack
21
Basic setup Toolkit hosted on web
server Infects pages on that server Page visitors get infected
Features Customized: determines
exploit on the fly, based on user’s OS, browser, etc
Easy to use: management console provides stats on infection rates
Customer care toolkit can be purchased with one-year support contract!
![Page 21: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/21.jpg)
Finding Vulnerabilities
Static analysis Abstract
interpretation Dataflow Pointer analysis etc.
Runtime analysis Fuzzing Testing Simulation Symbolic
execution Model checking
![Page 22: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/22.jpg)
NECESSARY BACKGROUND
ON
MEMORY EXPLOITS AND
WEB APPLICATION VULNERABILITIES
23
![Page 23: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/23.jpg)
24
Outline
Memory safety attacks Buffer overruns Format string vulnerabilities
Web application vulnerabilities SQL injections Cross-site scripting attacks
![Page 24: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/24.jpg)
Buffer Overflows
25
![Page 25: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/25.jpg)
26
Buffer Overrun Example
strretsfplocalstrretsfplocal
Frame 1Frame 2
void lame (void) { char small[30]; gets(small); printf("%s\n", small);
}
![Page 26: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/26.jpg)
27
Input Validation Classifying vulnerabilities:
Buffer overflows can be viewed as an example of improper input validation Another related type of vulnerability is information leaks
Other notable examples: Format string vulnerabilities SQL injection attacks Cross-site scripting attacks
Mechanisms to prevent attacks Better input validation Safe programming techniques Techniques for detecting potential buffer overflows in code
Static analysis Runtime analysis Fuzzing/penetration testing Write-box fuzzing etc.
![Page 27: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/27.jpg)
28
Secure Programming Techniques
Validate all input Easier said than done Why is that?
Avoid buffer overflows Use safe string manipulation functions Careful length checking Avoid statically declared arrays etc.
Or use a memory-safe language Java or C# JavaScript (not type-safe)
![Page 28: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/28.jpg)
29
Validating Input
Determine acceptable input, check for match --- don’t just check against list of “non-matches” Limit maximum length Watch out for special characters, escape chars.
Check bounds on integer values Check for negative inputs Check for large inputs that might cause overflow!
![Page 29: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/29.jpg)
30
Avoid strcpy, …
We have seen that strcpy is unsafe strcpy(buf, str) simply copies memory contents into
buf starting from *str until “\0” is encountered, ignoring the size of buf
Avoid strcpy(), strcat(), gets(), etc. Use strncpy(), strncat(), instead Still, computing proper bounds is difficult in practice Easy to mess up, off-by-one errors are common
![Page 30: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/30.jpg)
31
Static and Dynamic Analysis
Static analysis: run on the source code prior to deployment; check for known flaws e.g., flawfinder, cqual Or Prefix/Prefast Or Coverity or Fortify tools Will look at some more recent work in this course as well as older stuff
Dynamic analysis: try to catch (potential) buffer overflows during program execution Soundness Precision
Comparison? Static analysis very useful, but not perfect
False positives False negatives
Dynamic analysis can be better (in tandem with static analysis), but can slow down execution Historically of great importance, drove adoption of type-safe languages such as Java and C#
![Page 31: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/31.jpg)
32
Dynamic analysis: Libsafe
Very simple example of what can be done at runtime
Intercepts all calls to, e.g., strcpy(dest, src) Validates sufficient space in current stack frame:
|frame-pointer – dest| > strlen(src) If so, executes strcpy; otherwise, terminates
application
![Page 32: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/32.jpg)
33
Preventing Buffer Overflows
Operating system support: Can mark stack segment as non-executable Randomize stack location
Problems: Does not defend against `return-to-libc’ exploit
Overflow sets ret-addr to address of libc function Does not prevent general buffer overflow flaws, or
heap overflow
Basic heap overflows can be helped with ALSR
![Page 33: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/33.jpg)
34
Heap-based Buffer Overruns and Heap Spraying
Buffer overruns consist of two steps Introduce the payload Cause the program to jump to it
Can put the payload/shellcode in the heap Arbitrary amounts of code Doesn’t work with heap randomization Location of the payload changes every time
Heap spraying: Allocate multiple copies of the payload When the jump happens, it hits the payload with a high probability
![Page 34: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/34.jpg)
35
StackGuard
Embed random “canaries” in stack frames and verify their integrity prior to function return
This is actually used!
Helpful, but not foolproof…
strretsfplocal canarystrretsfplocal canary
Frame 1Frame 2
![Page 35: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/35.jpg)
36
More Methods …
Address obfuscation Encrypt return address on stack by XORing with
random string. Decrypt just before returning from function
Attacker needs decryption key to set return address to desired value
![Page 36: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/36.jpg)
More Input Validation Flaws
37
![Page 37: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/37.jpg)
38
Format String Vulnerabilities
What is the difference between printf(buf);and printf(“%s”, buf);?
What if buf holds %x ? Look at memory, and what printf expects…
![Page 38: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/38.jpg)
39
Format String Exploits Technique:
Declare a variable of type int in line 4 and call it bytes_formatted
Line 6 the format string specifies that 20 characters should be formatted in hexadecimal (“%.20x”) using buffer
When this is done, due to the “%n” specifier write the value 20 to bytes_formatted
Result: This means that we have written a
value to another memory location Very definition of violating memory
safety May be possible to gain control over a
program’s execution
#include <stdio.h>
int main() {
int bytes_formatted=0;
char buffer[28]=”ABCDEFGHIJKLMNOPQRSTUVWXYZ”;
printf(“%.20x%n”,buffer,&bytes_formatted);
printf(
“\nThe number of bytes formatted in the previous printf statement
was %d\n”,bytes_formatted); return 0;
}
![Page 39: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/39.jpg)
40
Other Input Validation Bugs
Integer overflow…
Consider the code: strncpy(msg+offset, str, slen);
where the adversary may control offset
By setting the value high enough, it will wrap around and be treated as a negative integer!
Write into the msg buffer instead of after it
![Page 40: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/40.jpg)
41
Web Application Vulnerabilities
![Page 41: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/41.jpg)
42
SQL Injection Attacks
Affect applications that use untrusted input as part of an SQL query to a back-end database
Specific case of a more general problem: using untrusted input in commands
![Page 42: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/42.jpg)
43
SQL Injection: Example
Consider a browser form, e.g.:
When the user enters a number and clicks the button, this generates an http request like https://www.pizza.com/show_orders?month=10
![Page 43: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/43.jpg)
44
Example Continued…
Upon receiving the request, a Java program might produce an SQL query as follows:
A normal query would look like:
sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND order_month= " + request.getParameter("month");
SELECT pizza, quantity, order_dayFROM ordersWHERE userid=4123 AND order_month=10
![Page 44: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/44.jpg)
45
Example Continued…
What if the user makes a modified http request:https://www.pizza.com/show_orders?month=0%20OR%201%3D1
(Parameters transferred in URL-encoded form, where meta-characters are encoded in ASCII)
This has the effect of setting request.getParameter(“month”) equal to the string 0 OR 1=1
![Page 45: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/45.jpg)
46
Example Continued
So the script generates the following SQL query:
Since AND takes precedence over OR, the above always evaluates to TRUE The attacker gets every entry in the database!
SELECT pizza, quantity, order_dayFROM ordersWHERE userid=4123 AND order_month=0 OR 1=1
()
![Page 46: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/46.jpg)
47
Even Worse…
Craft an http request that generates an SQL query like the following:
Attacker gets the entire credit card database as well!
SELECT pizza, quantity, order_dayFROM ordersWHERE userid=4123 AND order_month=0 OR 1=0UNION SELECT cardholder, number, exp_dateFROM creditcards
![Page 47: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/47.jpg)
48
More Damage…
SQL queries can encode multiple commands, separated by ‘;’
Craft an http request that generates an SQL query like the following:
Credit card table deleted! DoS attack
SELECT pizza, quantity, order_dayFROM ordersWHERE userid=4123 AND order_month=0 ;DROP TABLE creditcards
![Page 48: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/48.jpg)
49
More Damage…
Craft an http request that generates an SQL query like the following:
User (with chosen password) entered as an administrator! Database owned!
SELECT pizza, quantity, order_dayFROM ordersWHERE userid=4123 AND order_month=0 ;INSERT INTO admin VALUES (‘hacker’, ...)
![Page 49: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/49.jpg)
50
May Need to be More Clever…
Consider the following script for text queries:
Previous attacks will not work directly, since the commands will be quoted
But easy to deal with this…
sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND topping= ‘ " + request.getParameter(“topping") + “’”
![Page 50: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/50.jpg)
51
Example Continued…
Craft an http request where request.getParameter(“topping”)is set to abc’; DROP TABLE creditcards; --
The effect is to generate the SQL query:
(‘--’ represents an SQL comment)
SELECT pizza, quantity, order_dayFROM ordersWHERE userid=4123 AND toppings=‘abc’;DROP TABLE creditcards ; --’
![Page 51: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/51.jpg)
52
Source: http://xkcd.com/327/
![Page 52: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/52.jpg)
53
Solutions?
Blacklisting Whitelisting Encoding routines Prepared statements/bind variables Mitigate the impact of SQL injection
![Page 53: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/53.jpg)
54
Blacklisting?
I.e., searching for/preventing ‘bad’ inputs E.g., for previous example:
…where kill_chars() deletes, e.g., quotes and semicolons
sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND topping= ‘ " + kill_chars(request.getParameter(“topping")) + “’”
![Page 54: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/54.jpg)
55
Drawbacks of Blacklisting
How do you know if/when you’ve eliminated all possible ‘bad’ strings? If you miss one, could allow successful attack
Does not prevent first set of attacks (numeric values) Although similar approach could be used, starts to get
complex!
May conflict with functionality of the database E.g., user with name O’Brien
![Page 55: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/55.jpg)
56
Whitelisting
Check that user-provided input is in some set of values known to be safe E.g., check that month is an integer in the right range
If invalid input detected, better to reject it than to try to fix it Fixes may introduce vulnerabilities Principle of fail-safe defaults
![Page 56: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/56.jpg)
57
Prepared Statements/bind Variables
Prepared statements: static queries with bind variables Variables not involved in query parsing
Bind variables: placeholders guaranteed to be data in correct format
![Page 57: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/57.jpg)
58
A SQL Injection Example in Java
PreparedStatement ps = db.prepareStatement( "SELECT pizza, quantity, order_day " + "FROM orders WHERE userid=? AND order_month=?");
ps.setInt(1, session.getCurrentUserId());ps.setInt(2, Integer.parseInt(request.getParameter("month")));ResultSet res = ps.executeQuery();
Bind variables
![Page 58: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/58.jpg)
59
There’s Even More
Practical SQL Injection: Bit by Bit
Overall, SQL injection is easy to fix by banning certain APIs Prevent queryExecute-type calls with non-constant
arguments Very easy to automate See a tool like LAPSE that does it for Java
![Page 59: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/59.jpg)
60
Cross-site Scripting
If the application is not careful to encode its output data, an attacker can inject script into the output
out.writeln(“<div>”);out.writeln(req.getParameter(“name”));out.writeln(“</div>”);
name: <script>…; xhr.send(document.cookie);</script>
Simplest version called reflected or type-1 XSS
![Page 60: 20101017 program analysis_for_security_livshits_lecture03_security](https://reader035.vdocument.in/reader035/viewer/2022062706/5575df92d8b42a917e8b5486/html5/thumbnails/60.jpg)
61
Memory Exploits and Web App Vulnerabilities Compared
Buffer overruns Stack-based Return-to-libc, etc. Heap-based Heap spraying attacks Requires careful programming or
memory-safe languages Don’t always help as in the case of
JavaScript-based spraying Static analysis tools
Format string vulnerabilies Generally, better, more restrictive
APIs are enough Simple static tools help
Cross-site scripting XSS-0, -1, -2, -3 Requires careful
programming Static analysis tools
SQL injection Generally, better, more
restrictive APIs are enough
Simple static tools help