CPSC 6126 Computer Security / Information Assurance
TRANSCRIPT
Chapter 3 – Program Security
Programming errors with security implications: buffer overflows, incomplete access control
Malicious code: viruses, worms, Trojan horses
Program development controls against malicious code and vulnerabilities: software engineering principles and practices
Controls to protect against program flaws in execution: operating system support and administrative controls
Program Security
How do we keep programs free from flaws?
How do we protect computing resources against programs that contain flaws?
Presented with a finished product, for example a commercial software package, how can you tell how secure it is, or how to use it in its most secure way?
SECURE PROGRAMS
Security implies some degree of trust that the program enforces expected confidentiality, integrity, and availability.
How can we look at a software component and assess its security?
Fixing Faults
Software that has many faults early on is likely to have many others still waiting to be found.
Early computer security work used the "penetrate and patch" method, in which analysts (a "tiger team") searched for faults and repaired them.
Often the patch effort made the system less secure:
Pressure to repair encourages a narrow focus on the fault and not on its context.
Fixing the fault often introduces side effects.
The fault often cannot be fixed properly, because a proper fix would degrade the system's functionality or performance.
Unexpected Behavior
Compare program requirements with observed behavior to identify program security flaws
A flaw is either a fault or a failure
A vulnerability is a class of flaws (e.g. buffer overflows)
Need to determine how to prevent harm caused by possible flaws
Program security flaws can derive from any kind of software fault:
• Inadvertent human flaws
• Malicious, intentionally induced flaws
Hindrances to eliminating program security flaws:
• How do we test for what a program shouldn't do?
• Programming and software engineering techniques evolve more rapidly than computer security techniques
Types of Flaws
Intentional
• Malicious
• Nonmalicious
Inadvertent
• Validation error (incomplete / inconsistent)
• Domain error
• Serialization and aliasing
• Inadequate identification and authentication
• Boundary condition violation
• Other exploitable logic errors
Nonmalicious Program Errors
Buffer Overflows
    char sample[10];
    int i;
    for (i = 1; i <= 10; i++) sample[i] = 'A';
sample has ten elements, sample[0] through sample[9], so the final iteration writes sample[10], one byte past the end of the array.
The last 'A' goes into user data, user code, system data, or system code, whatever happens to be adjacent in memory
If data is overwritten, it can affect results
If system space is overwritten, the results are unpredictable
Buffer Overflows – Security Implication
• Attacker replaces code in the system space and takes control back from the operating system
• Attacker overwrites the saved return address (or otherwise redirects the stack pointer) so that the function returns into code of the attacker's choosing
• How to write buffer overflows: "Smashing the Stack for Fun and Profit" (Aleph One, Phrack 49, 1996)
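To make the overwrite concrete, here is an added C example (mine, not from the lecture or the textbook): a ten-byte name buffer with a privilege flag laid out immediately after it, the way another local sits past sample[] on the slide. The struct, the field names and the input strings are constructed for this demonstration. The unchecked copy spills the eleventh byte into the flag; the checked copy rejects the same input instead.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout (assumption for this example): a 10-byte buffer with a
 * privilege flag directly behind it, standing in for whatever is adjacent to
 * sample[] on the slide (another local, or on a real stack frame the saved
 * return address).  A struct keeps the overwrite deterministic and inside an
 * object we own. */
struct login_frame {
    char name[10];          /* the undersized buffer                       */
    unsigned char is_admin; /* adjacent data: 0 = ordinary user, else admin */
};

/* Vulnerable copy: runs until the source ends, never comparing against
 * sizeof name (the same bug as strcpy(f->name, src)).  The copy is routed
 * through a byte pointer over the whole struct and capped at its size only so
 * the demo cannot run past the struct; real code has no such cap. */
int copy_unchecked(struct login_frame *f, const char *src)
{
    unsigned char *raw = (unsigned char *)f;
    size_t i;
    for (i = 0; src[i] != '\0'; i++) {
        if (i >= sizeof *f)              /* demo guard only */
            return -1;
        raw[i] = (unsigned char)src[i];  /* bytes 10 and up land on is_admin */
    }
    return 0;
}

/* Hardened copy: refuse anything that does not fit together with its '\0'. */
int copy_checked(struct login_frame *f, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof f->name)
        return -1;
    memcpy(f->name, src, n + 1);
    return 0;
}

/* is_admin after an unchecked copy of src, or -1 if the demo guard tripped. */
int admin_after_unchecked(const char *src)
{
    struct login_frame f = { "", 0 };
    if (copy_unchecked(&f, src) != 0)
        return -1;
    return f.is_admin;
}

/* is_admin after a checked copy of src, or -1 if the input was rejected. */
int admin_after_checked(const char *src)
{
    struct login_frame f = { "", 0 };
    if (copy_checked(&f, src) != 0)
        return -1;
    return f.is_admin;
}

int main(void)
{
    const char *benign = "alice";           /* constructed input */
    const char *attack = "AAAAAAAAAA\x01";  /* 10 filler bytes, then the byte that lands on is_admin */

    printf("unchecked: '%s' -> is_admin=%d, attack -> is_admin=%d\n",
           benign, admin_after_unchecked(benign), admin_after_unchecked(attack));
    printf("checked:   '%s' -> is_admin=%d, attack -> %d (rejected)\n",
           benign, admin_after_checked(benign), admin_after_checked(attack));
    return 0;
}
```

With copy_unchecked the eleven-character input leaves is_admin set to 1 and nothing crashes, which is why overflows of a byte or two slip through testing; copy_checked turns the same input into a handled error. The bound must be the destination's size, not the source's length.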
• Parameter passing to a web server:
• http://www.somesite.com/subpage/data&parm1=(808)555-1212&parm2=2004Jan01
• What if one of the parameters is made longer than the buffer the server copies it into?
• Example: Microsoft's Phone Dialer contained a buffer overrun that allowed execution of arbitrary code
Nonmalicious Program Errors
Incomplete Mediation (data checking)
• http://www.somesite.com/subpage/data&parm1=(808)555-1212&parm2=2004Jan01
• What if parm2 is 1800Jan01 or 2004Feb30…?
• Use dropdown lists to force the input, and test ranges
• Even then, the user could send incorrect data directly to the server, bypassing the form; the server must validate every parameter itself
Security Implication
• Easy to exploit – Things, Inc. example (order parameters such as quantity, price, and total are carried in the URL and can be edited by the customer before the order is submitted)
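Added example (mine, not the lecture's or any real server's code) of what complete mediation of that URL looks like on the server side in C: each parameter is copied with a length bound, the phone number is restricted to an allowed alphabet, and the date is checked for a sane year range and a real calendar day. The key names come from the slide; PARM_MAX, the 1900..2099 year window and the phone-number rules are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PARM_MAX 32   /* assumed size of the server's per-parameter buffer */

/* Copy the value of `key` from a query string such as
 * "data&parm1=(808)555-1212&parm2=2004Jan01" into out[PARM_MAX].
 * Returns 0 on success, -1 if the key is absent or the value does not fit.
 * The length test is exactly the check an overrun-prone server omits. */
int get_parm(const char *query, const char *key, char out[PARM_MAX])
{
    size_t klen = strlen(key);
    const char *p = query;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= PARM_MAX)      /* would overflow out[]: refuse outright */
                return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    return -1;
}

/* parm1: digits with optional ( ) - and space; 7 to 15 digits (assumed rule). */
int valid_phone(const char *s)
{
    int digits = 0;
    for (; *s != '\0'; s++) {
        if (isdigit((unsigned char)*s))
            digits++;
        else if (strchr("()- ", *s) == NULL)
            return 0;                  /* any other character: not a phone number */
    }
    return digits >= 7 && digits <= 15;
}

/* parm2: "YYYYMonDD" such as 2004Jan01.  1 only for a real calendar day with
 * the year inside an assumed 1900..2099 window. */
int valid_date(const char *s)
{
    static const char *mon[12] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                   "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
    static const int days[12]  = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    int i, m, year, day, dim;

    if (strlen(s) != 9)
        return 0;
    for (i = 0; i < 9; i++)             /* positions 0-3 and 7-8 must be digits */
        if (i != 4 && i != 5 && i != 6 && !isdigit((unsigned char)s[i]))
            return 0;
    year = (s[0] - '0') * 1000 + (s[1] - '0') * 100 + (s[2] - '0') * 10 + (s[3] - '0');
    if (year < 1900 || year > 2099)     /* 1800Jan01 is rejected here */
        return 0;
    for (m = 0; m < 12; m++)
        if (strncmp(s + 4, mon[m], 3) == 0) break;
    if (m == 12)
        return 0;
    dim = days[m];
    if (m == 1 && year % 4 == 0 && (year % 100 != 0 || year % 400 == 0))
        dim = 29;                       /* leap-year February */
    day = (s[7] - '0') * 10 + (s[8] - '0');
    return day >= 1 && day <= dim;      /* 2004Feb30 is rejected here */
}

/* Server-side mediation of the whole request, applied regardless of what the
 * client form enforced.  0 = accepted; negative codes name the first problem. */
int mediate_request(const char *query)
{
    char parm1[PARM_MAX], parm2[PARM_MAX];

    if (get_parm(query, "parm1", parm1) != 0) return -1;  /* missing or too long */
    if (!valid_phone(parm1))                  return -2;
    if (get_parm(query, "parm2", parm2) != 0) return -3;  /* missing or too long */
    if (!valid_date(parm2))                   return -4;
    return 0;
}

int main(void)
{
    /* Constructed requests: the slide's URL, the two bad dates it asks about,
     * and an over-long parameter of the kind that overruns a fixed buffer. */
    const char *reqs[] = {
        "data&parm1=(808)555-1212&parm2=2004Jan01",
        "data&parm1=(808)555-1212&parm2=1800Jan01",
        "data&parm1=(808)555-1212&parm2=2004Feb30",
        "data&parm1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&parm2=2004Jan01",
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-70s -> %d\n", reqs[i], mediate_request(reqs[i]));
    return 0;
}
```

Two points worth noticing: an over-long value is refused rather than silently truncated (truncation would turn an attempted overflow into a different, still unvalidated, value), and the date check is a positive test for what is allowed, not a blacklist of the two bad examples on the slide.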
Nonmalicious Program Errors
Time-of-Check to Time-of-Use Errors
• Mediation is performed, but a "bait and switch" happens between the check and the use: the object that was checked is not the object that is acted on (a synchronization flaw)
Security Implication
• To avoid checking one object and acting on another, bind the check to the thing used: act on the reference you already hold (e.g. the opened file rather than its path name), or seal the checked data with digital signatures and certificates so that a substitution is detected
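The classic instance of this flaw in C is checking a file with access() and then opening it by name, which resolves the path twice. The added example below (mine, not from the lecture) shows that race-prone pattern next to a hardened one that opens once with O_NOFOLLOW and inspects the file it actually got with fstat(), so the check and the use refer to the same object. The demo creates a temporary file and a symlink to it under /tmp; the paths and function names are assumptions for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Race-prone pattern: the "check" (access) and the "use" (open) each resolve
 * the path name.  Between the two calls an attacker who controls the
 * directory can replace `path` with a symlink to a file the caller should not
 * reach: the bait is checked, the switch is opened. */
int toctou_open(const char *path)
{
    if (access(path, R_OK) != 0)     /* check */
        return -1;
    return open(path, O_RDONLY);     /* use: the name is resolved a second time */
}

/* Hardened pattern: open once, refuse to follow a symlink at the final
 * component, then check the object that was actually opened.  fstat() works
 * on the descriptor, so there is no second name lookup to race against. */
int safe_open_regular(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo fixture (constructed): a regular temp file plus a symlink to it.
 * Returns a bitmask: 1 = toctou_open accepted the symlink,
 *                    2 = safe_open_regular refused the symlink,
 *                    4 = safe_open_regular still accepts the real file.
 * Expected value: 7.  Returns -1 if the fixture could not be created. */
int run_demo(void)
{
    char file[] = "/tmp/toctou_demo_XXXXXX";
    char link[64];
    int result = 0, fd;

    fd = mkstemp(file);
    if (fd < 0)
        return -1;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", file);
    if (symlink(file, link) != 0) {
        unlink(file);
        return -1;
    }

    fd = toctou_open(link);          /* access() and open() both follow the link */
    if (fd >= 0) { result |= 1; close(fd); }

    fd = safe_open_regular(link);    /* O_NOFOLLOW makes open() fail on the link */
    if (fd < 0) result |= 2; else close(fd);

    fd = safe_open_regular(file);    /* the genuine regular file is still fine */
    if (fd >= 0) { result |= 4; close(fd); }

    unlink(link);
    unlink(file);
    return result;
}

int main(void)
{
    printf("demo result = %d (expect 7)\n", run_demo());
    return 0;
}
```

Here the link points at the caller's own file, so toctou_open succeeds harmlessly; in the attack it would point at a file the caller has no business reading, with access() answering for the original and open() following the swap. O_NOFOLLOW protects only the last path component, so code that walks a directory it does not own should open the directory first and use openat()/fstat() relative to that descriptor. A privileged program should also not use access() as a permission check at all, but drop to the user's privileges before opening.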
Viruses and Other Malicious Code
When was the last time you saw a bit?
Do you know in what form a document file is stored?
Can you find where a document resides on a disk?
Can you tell if a game program does anything in addition to its expected interaction with you?
Which files are modified by a word processor when you create a document?
Malicious code has been around since the '70s
How can malicious code take control of a system?
How can it lodge in a system?
How does malicious code spread?
How can it be recognized?
How can it be detected?
How can it be stopped?
How can it be prevented?
Kinds of Malicious Code
Virus – code that attaches to another program and copies itself to other programs
• Transient virus – its life depends on the life of its host
• Resident virus – locates itself in memory
Trojan horse – malicious effect is hidden from the user
Logic bomb – triggered by an event
Time bomb – triggered by a time or date
Trapdoor (backdoor) – feature that allows access to a program other than through normal channels
Worm – program that spreads copies of itself through a network
Rabbit – virus/worm that self-replicates without bound
How Viruses Attack
A virus is attached to a "program"
The virus is activated by executing the program
Most common viruses today are attached to e-mail; when the attachment is opened, the virus is active
Ways Viruses are Attached
Appended viruses (see Fig. 3-4): virus code is inserted before the first program instruction, and the last virus instruction jumps to the first program instruction, so the program still appears to run normally
Virus surrounds program (see Fig. 3-5): the virus runs before and after the program; the second part cleans up the evidence
Integrated viruses and replacements (see Fig. 3-6)
Types of Viruses
Boot sector virus – virus is part of the bootstrap program (many earlier viruses)
Memory-resident virus – most program viruses stay in memory once the infected program has been run
Document (macro) virus – virus is part of a macro associated with a document
Antivirus Software
Virus signature (virus scanner looks for signatures: byte patterns known to occur in the virus)
Storage patterns (virus scanner looks for suspicious patterns in how files are laid out)
Execution patterns
Transmission patterns
Polymorphic viruses – change their own encoding from one infection to the next so that a fixed byte signature no longer matches every copy
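Added C example (mine, not the lecture's; the "virus body" is an arbitrary constructed byte string, not real malware) of what a signature scanner does and why a polymorphic copy defeats it: the plain body contains the signature, an XOR-encoded copy with a per-infection key does not, and the scanner only recovers by emulating the small constant decoder stub and scanning the decoded bytes. The 0xD5 stub marker, the key layout and the function names are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed "virus body" standing in for replicating code a scanner has
 * been trained on.  Not real malware. */
static const unsigned char virus_body[] = "DEMO-VIRUS-BODY:copy self to next host";
#define BODY_LEN (sizeof virus_body - 1)

/* The scanner's signature: a 12-byte substring of the known body. */
static const unsigned char signature[] = "VIRUS-BODY:c";
#define SIG_LEN (sizeof signature - 1)

/* Signature scan: 1 if `sig` occurs anywhere in `data`, else 0. */
int signature_match(const unsigned char *data, size_t n,
                    const unsigned char *sig, size_t m)
{
    if (m == 0 || n < m)
        return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(data + i, sig, m) == 0)
            return 1;
    return 0;
}

/* A (trivial) polymorphic infection: the body is stored XOR-encoded with a
 * per-infection key behind a two-byte "decoder stub" (marker + key).  Every
 * copy's bytes differ, so the byte signature above no longer matches.
 * Returns the number of bytes written, 0 if `out` is too small. */
size_t infect_polymorphic(unsigned char *out, size_t cap, unsigned char key)
{
    if (cap < 2 + BODY_LEN)
        return 0;
    out[0] = 0xD5;                  /* assumed marker: "decoder stub follows" */
    out[1] = key;
    for (size_t i = 0; i < BODY_LEN; i++)
        out[2 + i] = virus_body[i] ^ key;
    return 2 + BODY_LEN;
}

/* What the scanner must do instead: emulate the stub (here: apply the key it
 * carries) and scan the decoded body.  The stub itself is the only constant. */
int scan_with_decoding(const unsigned char *data, size_t n)
{
    if (signature_match(data, n, signature, SIG_LEN))
        return 1;
    if (n >= 2 && data[0] == 0xD5) {
        unsigned char buf[256];
        size_t m = (n - 2 < sizeof buf) ? n - 2 : sizeof buf;
        for (size_t i = 0; i < m; i++)
            buf[i] = data[2 + i] ^ data[1];
        return signature_match(buf, m, signature, SIG_LEN);
    }
    return 0;
}

/* Bitmask: 1 = plain body caught by raw signature scan,
 *          2 = polymorphic copy caught by raw scan,
 *          4 = polymorphic copy caught after decoding. */
int scanner_demo(unsigned char key)
{
    unsigned char host[256];
    int r = 0;
    if (signature_match(virus_body, BODY_LEN, signature, SIG_LEN)) r |= 1;
    size_t n = infect_polymorphic(host, sizeof host, key);
    if (signature_match(host, n, signature, SIG_LEN)) r |= 2;
    if (scan_with_decoding(host, n)) r |= 4;
    return r;
}

int main(void)
{
    printf("key 0x5A -> %d (expect 5: raw scan misses the mutated copy)\n", scanner_demo(0x5A));
    printf("key 0x00 -> %d (expect 7: a zero key is no mutation at all)\n", scanner_demo(0x00));
    return 0;
}
```

The zero-key case is the degenerate mutation a real polymorphic engine must avoid, and it also shows the general point: the more of the decoder is constant, the more there is for a signature to latch onto, which is why execution-pattern and emulation-based detection appear in the list above.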
Prevention of Virus Infections
Use only commercial software acquired from reliable, well-established vendors
Test all new software on an isolated computer
Open attachments only when you know them to be safe
Make a recoverable system image and store it safely
Make and retain backup copies of executable system files
Use virus detectors daily and update them regularly
Truths and Misconceptions about Viruses
Viruses can infect only Microsoft Windows systems – FALSE
Viruses can modify "hidden" or "read-only" files – TRUE
Viruses can appear only in data files, or only in Word documents, or only in programs – FALSE
Viruses spread only on disks or only in e-mail – FALSE
Viruses cannot remain in memory after a COLD BOOT – TRUE
Viruses cannot infect hardware – TRUE
Viruses can be malevolent, benign, or benevolent – TRUE
EXAMPLES
Pakistani Brain virus
Internet Worm
Code Red worm
SQL Server Slammer
Web bugs (spyware)
Targeted Malicious Code
Trapdoor – undocumented entry point to a module
Salami attack (Ex. interest computation: the fraction of a cent rounded off each transaction is diverted to the attacker, too small to notice individually but large in aggregate)
Covert channels: programs that leak information (Ex. hide data in output)
• Storage channels – pass information by using the presence or absence of objects in storage
• Timing channels – pass information using the speed at which things happen
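A storage channel in a few dozen lines of C, added here as an illustration (not the lecture's code): the sender is assumed to be barred from writing any data the receiver may read, yet it can still create or delete empty files in a directory the receiver can list, and that presence-or-absence carries one bit per file. The directory under /tmp, the slot file names and the function names are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Name of the file that carries bit `bit` of the byte (assumed naming). */
static void slot_path(char *buf, size_t n, const char *dir, int bit)
{
    snprintf(buf, n, "%s/slot%d", dir, bit);
}

/* Sender: bit i of `value` is 1 iff dir/slot<i> exists.  No data is ever
 * written; the files stay empty.  Returns 0 on success, -1 on error. */
int covert_send(const char *dir, unsigned char value)
{
    char p[256];
    for (int bit = 0; bit < 8; bit++) {
        slot_path(p, sizeof p, dir, bit);
        if (value & (1u << bit)) {
            FILE *f = fopen(p, "w");
            if (f == NULL)
                return -1;
            fclose(f);      /* existence is the signal */
        } else {
            unlink(p);      /* clear any stale slot from a previous byte */
        }
    }
    return 0;
}

/* Receiver: never opens a file, only asks "is it there?" */
int covert_receive(const char *dir)
{
    char p[256];
    struct stat st;
    int value = 0;
    for (int bit = 0; bit < 8; bit++) {
        slot_path(p, sizeof p, dir, bit);
        if (stat(p, &st) == 0)
            value |= 1 << bit;
    }
    return value;
}

/* Round trip through a fresh temp directory; returns the decoded byte,
 * or -1 if the directory could not be created. */
int covert_roundtrip(unsigned char value)
{
    char dir[] = "/tmp/covert_XXXXXX";   /* constructed fixture */
    if (mkdtemp(dir) == NULL)
        return -1;
    int got = (covert_send(dir, value) == 0) ? covert_receive(dir) : -1;
    covert_send(dir, 0);                 /* remove the slots */
    rmdir(dir);
    return got;
}

int main(void)
{
    printf("sent 0xA5, received 0x%02X\n", covert_roundtrip(0xA5));
    return 0;
}
```

Nothing in the access-control policy is violated: the receiver reads no file and the sender writes no contents. That is what makes covert channels a design problem (minimize shared state and interfaces, as the encapsulation bullet later in this chapter says) rather than a permissions problem. A timing channel replaces the file with a delay: the sender burns or yields the CPU in each time slot and the receiver measures how long its own operations take.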
Controls Against Program Threats
Prevent threats during software development:
• Modularity – security analysts must be able to understand each component as an independent unit and be assured of its limited effect on other components
• Encapsulation – minimize interfaces to reduce covert channels
• Information hiding – components will have limited effect on other components
Peer reviews
Hazard analysis – set of systematic techniques to expose potentially hazardous system states
Testing – unit testing, integration testing, function testing, performance testing, acceptance testing, installation testing, regression testing
Good design
• Using a philosophy of fault tolerance
• Have a consistent policy for handling failures
• Capture the design rationale and history
• Use design patterns
Prediction – predict the risks involved in building and using the system
Static analysis – use tools and techniques to examine characteristics of design and code to see if the characteristics warn of possible faults
Configuration management – control changes during development and maintenance
Analysis of mistakes
Proofs of program correctness – can we prove that there are no security holes?
Operating System Controls on Use of Programs
Trusted software – code has been rigorously developed and analyzed:
• Functional correctness
• Enforcement of integrity
• Limited privilege
• Appropriate confidence level
Mutual suspicion – assume the other program is not trustworthy
Confinement – limit the resources that a program can access
Access log – list who accessed computer objects, when, and for how long
Administrative Controls
Standards of program development
Standards of design
Standards of documentation, language, and coding style
Standards of programming
Standards of testing
Standards of configuration management
Security audits
Separation of duties
Ten Most Critical Web Application Security Vulnerabilities
(http://www.owasp.org)
Unvalidated parameters
Broken access control
Broken account and session management
Cross-site scripting flaws
Buffer overflows
Command injection flaws
Error handling problems
Insecure use of cryptography
Remote administration flaws
Web and application server misconfiguration