Transcript Slide 1
Risky Resource Management
Presented by
Sandeep Naidu
for
CS585 – Introduction to Computer Security
Few things every netizen/Security
person should remember
“ Internet was not built keeping security in mind;
it was built keeping functionality as its target.”
- Anonymous
“No system in this world is completely secure.
A system will be resistant against some attacks;
it is then analyzed and found to be vulnerable to
some other attacks and the process goes on...”
- Sandeep Naidu
Overview
What is it?
What does it do?
What can we do? (to prevent/mitigate it)
How can we do?
Note : It refers to the problem we will be talking
about
Programming Errors we will
look at
Failure to Constrain Operations within the Bounds of a Memory Buffer
External Control of Critical State Data
External Control of File Name or Path
Untrusted Search Path
Failure to Control Generation of Code (aka 'Code Injection')
Download of Code Without Integrity Check
Improper Resource Shutdown or Release
Improper Initialization
Incorrect Calculation
What are these?
“These are errors/weaknesses related to
ways in which software does not properly
manage the creation, usage, transfer, or
destruction of important system resources.”
Failure to Constrain Operations within the
Bounds of a Memory Buffer
Weakness Prevalence
High
Consequences
Code Execution,Denial of Service,Data Loss
Ease of Detection
Easy to Moderate
Remediation Cost
Low
Attack Frequency
Often
Attacker Awareness
High
What is the error?
When software permits read or write
operations on memory located outside of an
allocated range, an attacker may be able to
access/modify sensitive information, cause
the system to crash, alter the intended
control flow, or execute arbitrary code.
Example Scenario
This example takes an IP address from a user, verifies that it is well formed and then
looks up the hostname and copies it into a buffer
void host_lookup(char *user_supplied_addr){
struct hostent *hp;
in_addr_t *addr;
char hostname[64];
in_addr_t inet_addr(const char *cp);
/*routine that ensures user_supply_addr is in the right format for conversion */
validate_addr_form(user_supplied_addr);
addr = inet_addr(user_supplied_addr);
hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);
strcpy(&hostname, hp->h_name);
}
This function allocates a buffer of 64 bytes to store the hostname, however
there is no guarantee that the hostname will not be larger than 64 bytes. If
an attacker specifies an address which resolves to a very large hostname,
then we may overwrite sensitive data or even relinquish control flow to the
attacker.
What can we do to avoid it?
Use
Languages (Java, Perl) Own memory mangement
Libraries or frameworks (C String Library (SafeStr) and the
Strsafe.h from Microsoft )
Compilers (Visual Studio from Microsoft)
automated static analysis tools
which can mitigate or eliminate these buffer overflows
Check buffer size is as large as specified.(strcpy)
If necessary, truncate all input strings to a reasonable length
before passing them to the copy and concatenation functions.
External control of Critical State
Data
Weakness Prevalence
High
Consequences
Security bypass,Code Execution,Data Loss
Ease of Detection
Easy
Remediation Cost
Medium
Attack Frequency
Often
Attacker Awareness
High
What is the error?
The software stores security-critical state
information about its users, or the software
itself, in a location that is accessible to
unauthorized actors.
Example Scenario
An application may perform authentication, then save the
state in an "authenticated=true" cookie. An attacker may
simply create this cookie in order to bypass the
authentication.
An authentication flag is read from a browser cookie, thus allowing for
external control of user state data.
Java Example:
Cookie[] cookies = request.getCookies();
for (int i =0; i< cookies.length; i++) {
Cookie c = cookies[i];
if (c.getName().equals("authenticated") && Boolean.TRUE.equals(c.getValue()))
{
authenticated = true;
}
}
How can we avoid it?
Understand all the potential locations that are
accessible to attackers.
Do not keep state information on the client without
using encryption and integrity checking, or otherwise
having a mechanism on the server side to catch state
tampering.
Store state information on the server side only
With a stateless protocol such as HTTP, use a
framework that maintains the state for you( include
ASP.NET View State and the OWASP ESAPI Session
Management feature.)
For any security checks that are performed on the client
side, ensure that these checks are duplicated on the
server side
External Control of Filename or
Path
Weakness Prevalence
High
Consequences
Code Execution,Data Loss
Ease of Detection
Easy
Remediation Cost
Medium
Attack Frequency
Often
Attacker Awareness
High
What is the error?
The software allows user input to control or
influence paths that are used in filesystem
operations.
This could allow an attacker to access or modify
system files or other files that are critical to the
application.
When can it happen?
Path manipulation errors occur when the following
two conditions are met:
1. An attacker can specify a path used in an
operation on the filesystem.
2. By specifying the resource, the attacker gains a
capability that would not otherwise be permitted.
Example Scenario
Example 1:
The following code uses input from an HTTP request to create a file
name. The programmer has not considered the possibility that an
attacker could provide a file name such as "../../tomcat/conf/server.xml",
which causes the application to delete one of its own configuration files
(CWE-22).
String rName = request.getParameter("reportName");
File rFile = new File("/usr/local/apfr/reports/" + rName);
...
rFile.delete();
Example 2:
The following code uses input from a configuration file to determine
which file to open and echo back to the user. If the program runs with
privileges and malicious users can change the configuration file, they
can use the program to read any file on the system that ends with the
extension .txt.
fis = new FileInputStream(cfg.getProperty("sub")+".txt");
amt = fis.read(arr);
out.println(arr);
How can we avoid it?
Run your code in a "jail" or similar sandbox environment that
enforces strict boundaries between the process and the
operating system
When the set of filenames is limited or known, create a
mapping from a set of fixed input values (such as numeric
IDs) to the actual filenames, and reject all other inputs. For
example, ID 1 could map to "inbox.txt" and ID 2 could map
to "profile.txt". Features such as the ESAPI
AccessReferenceMap provide this capability.
Use a built-in path canonicalization function (such as
realpath() in C) that produces the canonical version of the
pathname, which effectively removes ".." sequences and
symbolic links
Use OS-level permissions and run as a low-privileged user
to limit the scope of any successful attack.
Untrusted Search Path
Weakness Prevalence
Low
Consequences
Code Execution
Ease of Detection
Easy
Remediation Cost
Medium
Attack Frequency
Rarely
Attacker Awareness
High
What is the error?
The application searches for critical resources
using an externally-supplied search path that can
point to resources that are not under the
application's direct control.
An attacker could modify that search path to point
to a malicious program.
This might allow attackers to execute their own
programs, access unauthorized data files, or modify
configuration in unexpected ways.
Example Scenario
This program is intended to execute a command that lists the contents of a restricted
directory, then performs other actions. Assume that it runs with setuid privileges in order
to bypass the permissions check by the operating system.
C Example:
#define DIR "/restricted/directory"
char cmd[500];
sprintf(cmd, "ls -l %480s", DIR);
/* Raise privileges to those needed for accessing DIR. */
RaisePrivileges(...);
system(cmd);
DropPrivileges(...);
...
However, because the program does not modify the PATH environment variable, the
following attack would work:
PseudoCode Example:
The user sets the PATH to reference a directory under that user's control, such as
"/my/dir/".
The user creates a malicious program called "ls", and puts that program in /my/dir
The user executes the program.
When system() is executed, the shell consults the PATH to find the ls program
The program finds the malicious program, "/my/dir/ls". It doesn't find "/bin/ls" because
PATH does not contain "/bin/".
The program executes the malicious program with the raised privileges.
How can we avoid it?
Hard-code your search path to a set of known-safe values,
or allow them to be specified by the administrator in a
configuration file.
Do not allow these settings to be modified by an external
party
Sanitize your environment before invoking other programs.
Check your search path before use and remove any
elements that are likely to be unsafe, such as the current
working directory or a temporary files directory
Use other functions that require explicit paths. For example,
system() in C does not require a full path since the shell can
take care of it, while execl() and execv() require a full path.
Failure to Control Generation of
Code(aka 'Code Injection')
Weakness Prevalence
Medium
Consequences
Code Execution
Ease of Detection
Moderate
Remediation Cost
High
Attack Frequency
Sometimes
Attacker Awareness
Medium
What is the error?
The product does not sufficiently filter code
(control-plane) syntax from user-controlled
input (data plane) when that input is used
within code that the product generates.
This means that the execution of the process
may be altered by sending code in through
legitimate data channels, using no other
mechanism.
The most classic instantiations of this
category of weakness are SQL injection and
format string vulnerabilities.
Example Scenario
$MessageFile = "cwe-94/messages.out";
if ($_GET["action"] == "NewMessage") {
$name = $_GET["name"];
$message = $_GET["message"];
$handle = fopen($MessageFile, "a+");
fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
fclose($handle);
echo "Message Saved!<p>\n";
}
else if ($_GET["action"] == "ViewMessages") {
include($MessageFile);
}
name=h4x0r
message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E
<?php system("/bin/ls -l");?>
Live example
union select 2, concat_ws(char(58),email,password) from user
How can we avoid it?
Refactor your program so that you do not have to dynamically generate
code.
Assume all input is malicious. Use an "accept known good" input
validation strategy (i.e., use a whitelist). Reject any input that does not
strictly conform to specifications, or transform it into something that
does. Use a blacklist to reject any unexpected inputs and detect
potential attacks.
Run your code in a "jail" or similar sandbox environment that enforces
strict boundaries between the process and the operating system. This
may effectively restrict which code can be executed by your software.
Examples include the Unix chroot jail and AppArmor. In general,
managed code may provide some protection
Download of Code without
Integrity Check
Weakness Prevalence
Medium
Consequences
Code Execution
Ease of Detection
Moderate
Remediation Cost
Medium to High
Attack Frequency
Rarely
Attacker Awareness
Low
What is the error?
The product downloads source code or an
executable from a remote location and
executes the code without sufficiently
verifying the origin and integrity of the code.
Example Scenario
URL[] classURLs= new URL[]{
new URL("file:subdir/")
};
URLClassLoader loader = new
URLClassLoader(classURLs);
Class loadedClass =
Class.forName("loadMe", true, loader);
How can we avoid it?
Perform proper forward and reverse DNS
lookups to detect DNS spoofing. This is only
a partial solution since it will not prevent your
code from being modified on the hosting site
or in transit.
Encrypt the code with a reliable encryption scheme
before transmitting.
Use integrity checking on the transmitted
code.(using cryptographic signatures)
Use code signing technologies such as
Authenticode
Improper Resource Shutdown
or Release
Weakness Prevalence
Medium
Consequences
Code Execution,Denial of Service
Ease of Detection
Easy to Moderate
Remediation Cost
Medium
Attack Frequency
Rarely
Attacker Awareness
Low
What is the error?
The program fails to release - or incorrectly
releases - a system resource before it is
made available for re-use.
When a resource is created or allocated, the
developer is responsible for properly
releasing the resource as well as accounting
for all potential paths of expiration or
invalidation, such as a set period of time or
revocation.
Example Scenario
In this example, the program fails to use matching
functions such as malloc/free, new/delete, and
new[]/delete[] to allocate/deallocate the resource.
C++ Example:
class A {
void foo();
};
void A::foo(){
int *ptr;
ptr = (int*)malloc(sizeof(int));
delete ptr;
}
Refer few more good examples Online
How can we avoid it?
Use a language with features that can automatically mitigate or
eliminate resource-shutdown weaknesses.( languages such as Java,
Ruby, and Lisp perform automatic garbage collection that releases memory
for objects that have been deallocated
.
Memory should be allocated/freed using matching functions such
as malloc/free, new/delete, and new[]/delete[].
When releasing a complex object or structure, ensure that you
properly dispose of all of its member components, not just the
object itself.
It is good practice to be responsible for freeing all resources you
allocate and to be consistent with how and where you free
memory in a function. If you allocate memory that you intend to
free upon completion of the function, you must be sure to free the
memory at all exit points for that function including error
conditions
Improper Initialization
Weakness Prevalence
Medium
Consequences
Code Execution,Data Loss
Ease of Detection
Easy
Remediation Cost
Low
Attack Frequency
Sometimes
Attacker Awareness
Low
What is the error?
The software does not follow the proper
procedures for initializing a resource, which
might leave the resource in an improper state
when it is accessed or used.
This can have security implications when the
associated resource is expected to have
certain properties or values, such as a
variable that determines whether a user has
been authenticated or not.
Example Scenario
Example 1:
Here, a boolean initiailized field is consulted to ensure that initialization
tasks are only completed once. However, the field is mistakenly set to true
during static initialization, so the initialization code is never reached.
Java Example:
private boolean initialized = true;
public void someMethod() {
if (!initialized) {
// perform initialization tasks
...
initialized = true;
}
Example 2:
The following code intends to limit certain operations to the administrator only.
Perl Example:
$username = GetCurrentUser();
$state = GetStateData($username);
if (defined($state)) {
$uid = ExtractUserID($state);
}
# do stuff
if ($uid == 0) {
DoAdminThings();
}
How can we avoid it?
Use a language with features that can
automatically mitigate or eliminate
weaknesses related to initialization.
Identify all variables and data stores that
receive information from external sources,
and apply input validation to make sure that
they are only initialized to expected values.
Explicitly initialize all your variables and other
data stores, either during declaration or just
before the first usage.
Pay close attention to complex conditionals
that affect initialization, since some conditions
might not perform the initialization.
Avoid race conditions during initialization
routines
Run or compile your software with settings that
generate warnings about uninitialized
variables or data.
Incorrect Calculation
Weakness Prevalence
High
Consequences
Code Execution,Denial of Service,Data Loss
Ease of Detection
Easy to Difficult
Remediation Cost
Low
Attack Frequency
Often
Attacker Awareness
Medium
What is the error?
The software performs a calculation that
generates incorrect or unintended results that
are later used in security-critical decisions or
resource management.
When software performs a security-critical
calculation incorrectly, it might lead to incorrect
resource allocations, incorrect privilege
assignments, or failed comparisons among other
things.
What is the error? (contd..)
Many of the direct results of an incorrect
calculation can lead to even larger problems
such as failed protection mechanisms or
even arbitrary code execution.
Example Scenario
This code attempts to calculates a football team's average number of
yards gained per touchdown.
Java Example:...
int touchdowns = team.getTouchdowns();
int yardsGained = team.getTotalYardage();
System.out.println(team.getName() + " averages " + yardsGained / touchdowns
+ "yards gained for every touchdown scored");
...
The code does not consider the event that the team they are querying has
not scored a touchdown, but has gained yardage. In that case, we should
expect an ArithmeticException to be thrown by the JVM. This could lead to a loss
of availability if our error handling code is not set up correctly.
C Example:
inv_item_t table_ptr; /*10kb struct containing item info */
int num_items;
...
num_items = get_num_items();
table_ptr = (inv_item_t*)malloc(sizeof(inv_item_t)*num_items);
...
This code intends to allocate a list of length num_items, however as
num_items grows large, the calculation determining the size of the list will
eventually overflow
How can we avoid it ?
Perform input validation on any numeric inputs by
ensuring that they are within the expected range.
Use the appropriate type for the desired action.
For example, in C/C++, only use unsigned types for values
that could never be negative, such as height, width, or other
numbers related to quantity.
Use languages, libraries, or frameworks that
make it easier to handle numbers without
unexpected consequences.
Examples include safe integer handling packages such as
SafeInt (C++) or IntegerLib (C or C++)
Understand your programming language's
underlying representation and how it interacts
with numeric calculation. Pay close attention to
byte size discrepancies, precision,
signed/unsigned distinctions, truncation,
conversion and casting between types, "not-anumber" calculations, and how your language
handles numbers that are too large or too small
for its underlying representation.
Viruses to laugh at
Airline Virus
You're in Dallas, but your data is in Singapore.
Health Care Virus
Tests your system for a day, finds nothing wrong,
and sends you a bill for $4,500.
Joey Buttafuoco Virus
Only attacks minor files.
Disney Virus
Everything in the computer goes Goofy.
Ellen Degeneres Virus
Your IBM suddenly claims it's a MAC.
Questions & Comments ???
THANK YOU for your time !!!