Transcript Secure Software Engineering
Common Security Faults
CPSC 410
Common Bugs Causing Security Exploits
1. Buffer Overflow 2. Numeric Representation 3. Time-of-Check Time-of-Use (TOCTOU) 4. Resource Depletion 5. Illegal State Transition
Buffer Overflow
Overwrite values of arbitrary program state Not possible in Runtime Safe Languages Java/C# Ruby/Python/etc..
Common in high performance languages C and C++ Takes advantage that these languages do not check ArrayIndexOutOfBounds Allows execution of injected code Writes new code in memory and jumps to it
Buffer Overflow
Reminder: A String is an array of char in many languages class Person { private char[] name = new char[255]; } public void setName(char[] value) { for(int i=0; i < value.length; i++) { name[i] = value[i]; } } What happens in C++ when
i
>= name.length?
BufferOverflow Corrupts Stack Frame
Current Function Caller Function
Parameters Return Address Local Variables
Parameters
’
Return Address
’
Local Variables
’
Assuming current frame starts at memory Ox10000 and sizeof local variables is N
Ox10000 + N Ox10000
Sample Stack Frame
char * name = input(); foo(name); y=3;
n = 0x23435256 addressof(y=3) return address y x buf
void foo(char * n) { int x,y; char buf[100]; strcpy(buf, n); … }
Sample Stack Frame
char * name = input(); foo(name); y=3;
n = 0x23435256 addressof(y=3) return address y x buf
void foo(char * n) { int x,y; char buf[100]; strcpy(buf, n); … }
Buffer Overflow
What transparently executes in Java (under the hood) class Person { private char[] name = new char[255]; } public void setName(char[] value) { for(int i=0; i < value.length; i++) {
if(name.length >= i) { throw new ArrayIndexOutOfBounds(..); }
name[i] = value[i]; } }
Numeric Representation
Take advantage of programmers who forget to check math computations Also related to binary-decimal conversions and FP-errors E.g. Excel bug Decimal 0.1 -> binary 0.000110011… Formula =77.1 * 850 would display as 100,000 instead of 65,535 http://www.joelonsoftware.com/items/2007/09/26b.html
Numeric Representation
The Vancouver stock exchange devised a short-lived index. At its inception in 1982, the index was given a value of 1000.000. After 22 months of recomputing the index and truncating to three decimal places at each change in market value, the index stood at 524.881, when its "true" value should have been 1009.811
In the 37th second of flight of the Ariane rocket (launched on June 4, 1996), the inertial reference system attempted to convert a 64-bit floating-point number to a 16-bit number, but instead triggered an overflow error which was interpreted by the guidance system as flight data, causing the rocket to veer off course and be destroyed.
[1] ” Source Wikipedia
Numeric Representation
Source: http://mathworld.wolfram.com/RoundoffErr or.html
Time-of-Check Time-of-Use
Take advantage of Race Condition between: Time when Authorization of resource is checked Time when Access to resource actually occurs Force redirection of intended resource during this period Caused by multiple uses of indirection Caused by misunderstanding of concurrency
TOC-TOU in Unix
Program prepares to write to filename: /tmp/X
RACE CONDITION!
$ rm /tmp/X $ ln /etc/passwd /tmp/X
Create a “ shortcut ” to /etc/passwd named /tmp/X
TOC-TOU in Unix
TOC-TOU in Web App [Wikipedia]
Web application allows user to edit pages Also allows administrators to lock pages to prevent editing. A user requests to edit a page, getting a form by which he can alter its content. Before the user submits the form, an administrator locks the page, which should prevent editing.
However, since the user has already begun editing, when he submits the form, his might be accepted. When the user began editing, his authorization was checked, and he was indeed allowed to edit.
However, the authorization was used later, after he should no longer have been allowed.
”
Resource Depletion
Create Denial-of-Service Issue more requests to server than it can handle Cause other uses to receive poor service Programmer fails to monitor and throttle client usage OR Attacker uses Botnet to fool the server Botnet uses BufferOverFlow to take over a large number of distributed hosts to cooperate in attack Resource could be CPU Memory File system etc…
Resource Depletion Hole
public void acceptConnections() { ServerSocket serverSocket = new ServerSocket(SERVER_PORT); int counter = 0; boolean hasConnections = true; } while (hasConnections) { Socket client = serverSocket.accept(); Thread t = new Thread(new ClientSocketThread(client)); t.setName(client.getInetAddress().getHostName() + ":" + counter++); t.start(); } serverSocket.close();
}
Resource Depletion/Allocation Check
public static final int SERVER_PORT = 4444; public static final int MAX_CONNECTIONS = 10; public void acceptConnections() { ServerSocket serverSocket = new ServerSocket(SERVER_PORT); int counter = 0; boolean hasConnections = true; while (hasConnections) { hasConnections = checkForMoreConnections(); Socket client = serverSocket.accept(); Thread t = new Thread(new ClientSocketThread(client)); t.setName(client.getInetAddress().getHostName() + ":" + counter++); ExecutorService pool = Executors.newFixedThreadPool(MAX_CONNECTIONS); pool.execute(t); } serverSocket.close(); Source: http://cwe.mitre.org/data/definitions/770.ht
ml
Illegal State Transition
Take advantage that programmer forgets to check object invariant Once state becomes inconsistent, many new opportunities for attack become available Occurs frequently because: Although programmers may be good at implementing what is specified
Programmers may forget to prevent what is not specified
Illegal State Transition
Illegal State Transition
class BankAccount { private float total; enum Status {Overdrawn, Process, Open, Frozen, Inactive, Closed}; private Status status; public void freeze() { //Need to check if status is Open status = Status.Frozen; } }
Conclusion
All bugs are potential sources of security exploits However, certain common bugs overwhelmingly dominate the percentage of exploit cases Attackers will try to trigger these bugs first Often they reuse scripts for attacks Often not clever in devising new attacks Such bugs should be given high priority in testing/debugging