SlideShare a Scribd company logo

Secure programming - Computer and Network Security

Download as ppt, pdf
S
ssuser30902e

The principles of secure programming, such as input validation, avoiding buffer overflow, secure coding. Some briefs about source code scanners are also discussed.

1 of 40
Download to read offline
1
CMSC 414 Computer and Network Security Lecture 25 Jonathan Katz
2
Secure programming techniques (Based on: “Programming Secure Applications for Unix-Like Systems,” David Wheeler)
3
Overview  Validate all input  Avoid buffer overflows  Program internals…  Careful calls to other resources  Send info back intelligently
4
Validating input  Determine acceptable input, check for match --- don’t just check against list of “non-matches” – Limit maximum length – Watch out for special characters, escape chars.  Check bounds on integer values – E.g., sendmail bug…
5
Validating input  Filenames – Disallow *, .., etc.  Html, URLs, cookies – Cf. cross-site scripting attacks  Command-line arguments – Even argv[0]…  Config files
6
Avoiding buffer overflows  Use arrays instead of pointers (cf. Java)  Avoid strcpy(), strcat(), etc. – Use strncpy(), strncat(), instead – Even these are not perfect… (e.g., no null termination)  Make buffers (slightly) longer than necessary to avoid “off-by-one” errors
7
Program internals…  Avoid race conditions – E.g., authorizing file access, then opening file  Watch out for temporary files in shared directories (e.g., /tmp)  Watch out for “spoofed” IP addresses/email addresses  Simple, open design; fail-safe defaults; completge mediation; etc.  Don’t write your own crypto algorithms – Use crypto appropriately
8
Calling other resources  Use only “safe” library routines  Limit call parameters to valid values – Avoid metacharacters  Avoid calling the shell
9
User output  Minimize feedback – Don’t explain failures to untrusted users – Don’t release version numbers… – Don’t offer “too much” help (suggested filenames, etc.)  Don’t use printf(userInput) – Use printf(“%s”, userInput) instead…
10
Source code scanners  Used to check source code – E.g., flawfinder, cqual  “Static” analysis vs. “dynamic” analysis – Not perfect – Dynamic analysis can slow down execution, lead to bloated code – Will see examples of dynamic analysis later…
11
“Higher-level” techniques
12
Addressing buffer overflows  Basic stack exploit can be prevented by marking stack segment as non-executable, or randomizing stack location. – Code patches exist for Linux and Solaris. – Some complications on x86.  Problems: – Does not defend against `return-to-libc’ exploit. • Overflow sets ret-addr to address of libc function. – Some apps need executable stack (e.g. LISP interpreters). – Does not block more general overflow exploits: • Overflow on heap: overflow buffer next to func pointer.  Patch not shipped by default for Linux and Solaris
13
Run-time checking: StackGuard  Embed “canaries” in stack frames and verify their integrity prior to function return str ret sfp local top of stack canary str ret sfp local canary Frame 1 Frame 2
14
Canary types  Random canary: (used in Visual Studio 2003) – Choose random string at program startup. – Insert canary string into every stack frame. – Verify canary before returning from function. – To corrupt random canary, attacker must learn current random string.  Terminator canary: Canary = 0, newline, linefeed, EOF – String functions will not copy beyond terminator. – Attacker cannot use string functions to corrupt stack
15
Canaries, continued…  StackGuard implemented as a GCC patch – Program must be recompiled  Minimal performance effects:  Not foolproof…
16
Run-time checking: Libsafe  Intercepts calls to strcpy (dest, src) – Validates sufficient space in current stack frame: |frame-pointer – dest| > strlen(src) – If so, does strcpy. Otherwise, terminates application dest ret-addr sfp top of stack src buf ret-addr sfp libsafe main
17
More methods …  Address obfuscation – Encrypt return address on stack by XORing with random string. Decrypt just before returning from function. – Attacker needs decryption key to set return address to desired value.  PaX ASLR: Randomize location of libc – Attacker cannot jump directly to exec function
18
Software fault isolation  Partition code into data and code segments  Code inserted before each load/store/jump – Verify that target address is safe  Can be done at compiler, link, or run time – Increases program size, slows down execution
19
Security for mobile code  Mobile code is particularly dangerous!  Sandboxing – Limit the ability of code to do harmful things  Code-signing – Mechanism to decide whether code should be trusted or not  ActiveX uses code-signing, Java uses sandboxing (plus code-signing)
20
Code signing  Code producer signs code  Binary notion of trust  What if code producer compromised?  Lack of PKI => non-scalable approach
21
“Proof-carrying code”  Input: code, safety policy of client  Output: safety proof for code  Proof generation expensive – Proof verification cheaper – Prove once, use everywhere (with same policy)  Prover/compiler need not be trusted – Only need to trust the verifier
22
Sandboxing in Java  Focus on preventing system modification and violations of user privacy – Denial of service attacks much harder to prevent, and not handled all that well  We will discuss some of the basics, but not all the most up-to-date variants of the Java security model
23
Sandboxing  A default sandbox applied to untrusted code  Users can change the defaults… – Can also define “larger” sandboxes for “partially trusted” code – Trust in code determined using code-signing…
24
Some examples…  Default sandbox prevents: – Reading/writing/deleting files on client system – Listing directory contents – Creating new network connections to other hosts (other than originating host) – Etc.
25
Sandbox components  Verifier, Class loader, and Security Manager  If any of these fail, security may be compromised
26
Verifier  Java program is compiled to platform- independent Java byte code  This code is verified before it is run – Prevents, for example, malicious “hand- written” byte code  Efficiency gains by checking code before it is run, rather than constantly checking it while running
27
Verifier…  Checks: – Byte code is well-formatted – No forged pointers – No violation of access restrictions – No incorrect typing  Of course, cannot be perfect…
28
Class loader  Helps prevent “spoofed” classes from being loaded – E.g., external class claiming to be the security manager  Whenever a class needs to be loaded, this is done by a class loader – The class loader decides where to obtain the code for the class
29
Security manager  Restricts the way an applet uses Java API calls – All calls to the OS are mediated by the security manager  Security managers are browser-dependent!
30
System call monitoring  Monitor all system calls – Enforce particular policy – Policy may be loaded in kernel  Hand-tune policy for individual applications  Similar to Java security manager – Difference in where implemented
31
Viruses/malicious code
32
Viruses/malicious code  Virus – passes malicious code to other non- malicious programs – Or documents with “executable” components  Trojan horse – software with unintended side effects  Worm – propagates via network – Typically stand-alone software, in contrast to viruses which are attached to other programs
33
Viruses  Can insert themselves before program, can surround program, or can be interspersed throughout program – In the last case, virus writer needs to know about the specifics of the other program  Two ways to “insert” virus: – Insert virus in memory at (old) location of original program – Change pointer structure…
34
Viruses…  Boot sector viruses – If a virus is loaded early in the boot process, can be very difficult (impossible?) to detect  Memory-resident viruses – Note that virus might complicate its own detection – E.g., removing virus name from list of active programs, or list of files on disk
35
Some examples  BRAIN virus – Locates itself in upper memory; resets the upper memory bound below itself – Traps “disk reads” so that it can handle any requests to read from the boot sector – Not inherently malicious, although some variants were
36
Morris worm (1988)  Resource exhaustion (unintended) – Was supposed to have only one copy running, but did not work correctly…  Spread in three ways – Exploited buffer overflow flaw in fingerd – Exploited flaw in sendmail debug mode – Guessing user passwords(!) on current network  Bootstrap loader would be used to obtain the rest of the worm
37
Chernobyl virus (1998)  When infected program run, virus becomes resident in memory of machine – Rebooting does not help  Virus writes random garbage to hard drive  Attempts to trash FLASH BIOS – Physically destroys the hardware…
38
Melissa virus/worm (1999)  Word macro… – When file opened, would create and send infected document to names in user’s Outlook Express mailbox – Recipient would be asked whether to disable macros(!) • If macros enabled, virus would launch
39
Code red (2001)  Propagated itself on web server running Microsoft’s Internet Information Server – Infection using buffer overflow… – Propagation by checking IP addresses on port 80 of the PC to see if they are vulnerable
40
Detecting viruses  Can try to look for “signatures” – Unreliable unless up-to-date – Encrypted viruses – Polymorphic viruses  Examine storage – Sizes of files, “jump” instruction at beginning of code – Can be hard to distinguish from normal software  Check for (unusual) execution patterns – Hard to distinguish from normal software…
CMSC 414 Computer and Network Security Lecture 25 Jonathan Katz
Secure programming techniques (Based on: “Programming Secure Applications for Unix-Like Systems,” David Wheeler)
Overview  Validate all input  Avoid buffer overflows  Program internals…  Careful calls to other resources  Send info back intelligently
Validating input  Determine acceptable input, check for match --- don’t just check against list of “non-matches” – Limit maximum length – Watch out for special characters, escape chars.  Check bounds on integer values – E.g., sendmail bug…
Validating input  Filenames – Disallow *, .., etc.  Html, URLs, cookies – Cf. cross-site scripting attacks  Command-line arguments – Even argv[0]…  Config files
Avoiding buffer overflows  Use arrays instead of pointers (cf. Java)  Avoid strcpy(), strcat(), etc. – Use strncpy(), strncat(), instead – Even these are not perfect… (e.g., no null termination)  Make buffers (slightly) longer than necessary to avoid “off-by-one” errors
Program internals…  Avoid race conditions – E.g., authorizing file access, then opening file  Watch out for temporary files in shared directories (e.g., /tmp)  Watch out for “spoofed” IP addresses/email addresses  Simple, open design; fail-safe defaults; completge mediation; etc.  Don’t write your own crypto algorithms – Use crypto appropriately
Calling other resources  Use only “safe” library routines  Limit call parameters to valid values – Avoid metacharacters  Avoid calling the shell
User output  Minimize feedback – Don’t explain failures to untrusted users – Don’t release version numbers… – Don’t offer “too much” help (suggested filenames, etc.)  Don’t use printf(userInput) – Use printf(“%s”, userInput) instead…
Source code scanners  Used to check source code – E.g., flawfinder, cqual  “Static” analysis vs. “dynamic” analysis – Not perfect – Dynamic analysis can slow down execution, lead to bloated code – Will see examples of dynamic analysis later…
“Higher-level” techniques
Addressing buffer overflows  Basic stack exploit can be prevented by marking stack segment as non-executable, or randomizing stack location. – Code patches exist for Linux and Solaris. – Some complications on x86.  Problems: – Does not defend against `return-to-libc’ exploit. • Overflow sets ret-addr to address of libc function. – Some apps need executable stack (e.g. LISP interpreters). – Does not block more general overflow exploits: • Overflow on heap: overflow buffer next to func pointer.  Patch not shipped by default for Linux and Solaris
Run-time checking: StackGuard  Embed “canaries” in stack frames and verify their integrity prior to function return str ret sfp local top of stack canary str ret sfp local canary Frame 1 Frame 2
Canary types  Random canary: (used in Visual Studio 2003) – Choose random string at program startup. – Insert canary string into every stack frame. – Verify canary before returning from function. – To corrupt random canary, attacker must learn current random string.  Terminator canary: Canary = 0, newline, linefeed, EOF – String functions will not copy beyond terminator. – Attacker cannot use string functions to corrupt stack
Canaries, continued…  StackGuard implemented as a GCC patch – Program must be recompiled  Minimal performance effects:  Not foolproof…
Run-time checking: Libsafe  Intercepts calls to strcpy (dest, src) – Validates sufficient space in current stack frame: |frame-pointer – dest| > strlen(src) – If so, does strcpy. Otherwise, terminates application dest ret-addr sfp top of stack src buf ret-addr sfp libsafe main
More methods …  Address obfuscation – Encrypt return address on stack by XORing with random string. Decrypt just before returning from function. – Attacker needs decryption key to set return address to desired value.  PaX ASLR: Randomize location of libc – Attacker cannot jump directly to exec function
Software fault isolation  Partition code into data and code segments  Code inserted before each load/store/jump – Verify that target address is safe  Can be done at compiler, link, or run time – Increases program size, slows down execution
Security for mobile code  Mobile code is particularly dangerous!  Sandboxing – Limit the ability of code to do harmful things  Code-signing – Mechanism to decide whether code should be trusted or not  ActiveX uses code-signing, Java uses sandboxing (plus code-signing)
Code signing  Code producer signs code  Binary notion of trust  What if code producer compromised?  Lack of PKI => non-scalable approach
“Proof-carrying code”  Input: code, safety policy of client  Output: safety proof for code  Proof generation expensive – Proof verification cheaper – Prove once, use everywhere (with same policy)  Prover/compiler need not be trusted – Only need to trust the verifier
Sandboxing in Java  Focus on preventing system modification and violations of user privacy – Denial of service attacks much harder to prevent, and not handled all that well  We will discuss some of the basics, but not all the most up-to-date variants of the Java security model
Sandboxing  A default sandbox applied to untrusted code  Users can change the defaults… – Can also define “larger” sandboxes for “partially trusted” code – Trust in code determined using code-signing…
Some examples…  Default sandbox prevents: – Reading/writing/deleting files on client system – Listing directory contents – Creating new network connections to other hosts (other than originating host) – Etc.
Sandbox components  Verifier, Class loader, and Security Manager  If any of these fail, security may be compromised
Verifier  Java program is compiled to platform- independent Java byte code  This code is verified before it is run – Prevents, for example, malicious “hand- written” byte code  Efficiency gains by checking code before it is run, rather than constantly checking it while running
Verifier…  Checks: – Byte code is well-formatted – No forged pointers – No violation of access restrictions – No incorrect typing  Of course, cannot be perfect…
Class loader  Helps prevent “spoofed” classes from being loaded – E.g., external class claiming to be the security manager  Whenever a class needs to be loaded, this is done by a class loader – The class loader decides where to obtain the code for the class
Security manager  Restricts the way an applet uses Java API calls – All calls to the OS are mediated by the security manager  Security managers are browser-dependent!
System call monitoring  Monitor all system calls – Enforce particular policy – Policy may be loaded in kernel  Hand-tune policy for individual applications  Similar to Java security manager – Difference in where implemented
Viruses/malicious code
Viruses/malicious code  Virus – passes malicious code to other non- malicious programs – Or documents with “executable” components  Trojan horse – software with unintended side effects  Worm – propagates via network – Typically stand-alone software, in contrast to viruses which are attached to other programs
Viruses  Can insert themselves before program, can surround program, or can be interspersed throughout program – In the last case, virus writer needs to know about the specifics of the other program  Two ways to “insert” virus: – Insert virus in memory at (old) location of original program – Change pointer structure…
Viruses…  Boot sector viruses – If a virus is loaded early in the boot process, can be very difficult (impossible?) to detect  Memory-resident viruses – Note that virus might complicate its own detection – E.g., removing virus name from list of active programs, or list of files on disk
Some examples  BRAIN virus – Locates itself in upper memory; resets the upper memory bound below itself – Traps “disk reads” so that it can handle any requests to read from the boot sector – Not inherently malicious, although some variants were
Morris worm (1988)  Resource exhaustion (unintended) – Was supposed to have only one copy running, but did not work correctly…  Spread in three ways – Exploited buffer overflow flaw in fingerd – Exploited flaw in sendmail debug mode – Guessing user passwords(!) on current network  Bootstrap loader would be used to obtain the rest of the worm
Chernobyl virus (1998)  When infected program run, virus becomes resident in memory of machine – Rebooting does not help  Virus writes random garbage to hard drive  Attempts to trash FLASH BIOS – Physically destroys the hardware…
Melissa virus/worm (1999)  Word macro… – When file opened, would create and send infected document to names in user’s Outlook Express mailbox – Recipient would be asked whether to disable macros(!) • If macros enabled, virus would launch
Code red (2001)  Propagated itself on web server running Microsoft’s Internet Information Server – Infection using buffer overflow… – Propagation by checking IP addresses on port 80 of the PC to see if they are vulnerable
Detecting viruses  Can try to look for “signatures” – Unreliable unless up-to-date – Encrypted viruses – Polymorphic viruses  Examine storage – Sizes of files, “jump” instruction at beginning of code – Can be hard to distinguish from normal software  Check for (unusual) execution patterns – Hard to distinguish from normal software…
Ad

Recommended

Buffer overflows
Buffer overflowsBuffer overflows
Buffer overflows
Sandun Perera
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
Linuxmalaysia Malaysia
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
Ch14 security
Ch14 securityCh14 security
Ch14 security
Welly Dian Astika
 
Introduction to Malware - Part 1
Introduction to Malware - Part 1 Introduction to Malware - Part 1
Introduction to Malware - Part 1
Lastline, Inc.
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
 
Isys20261 lecture 05
Isys20261 lecture 05Isys20261 lecture 05
Isys20261 lecture 05
Wiliam Ferraciolli
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WP
Amr Thabet
 
Ns
NsNs
Ns
Deepenti123
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
Commix Detecting And Exploiting.pdf
Commix Detecting And Exploiting.pdfCommix Detecting And Exploiting.pdf
Commix Detecting And Exploiting.pdf
ssuser387cf0
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
jemtallon
 
BeStorm Introduction
BeStorm IntroductionBeStorm Introduction
BeStorm Introduction
Amit Shirolkar
 
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Akmal Hisyam
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av software
Joxean Koret
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av software
Thomas Pollet
 
Breaking Antivirus Software
Breaking Antivirus SoftwareBreaking Antivirus Software
Breaking Antivirus Software
rahmanprojectd
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
Antiy Labs
 
Evading Antivirus software for fun and profit
Evading Antivirus software for fun and profitEvading Antivirus software for fun and profit
Evading Antivirus software for fun and profit
Mohammed Adam
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
computerviruses-171008143158.ppt
computerviruses-171008143158.pptcomputerviruses-171008143158.ppt
computerviruses-171008143158.ppt
ssuser342286
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
Raghav Bisht
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
RohitGautam261127
 
Real-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and CountermeasuesReal-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and Countermeasues
volvent
 
Firewalls-Intro
Firewalls-IntroFirewalls-Intro
Firewalls-Intro
Aparna Bulusu
 
Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?
Javier Tallón
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
Dmitry Evteev
 
Week 6- PC HARDWARE AND MAINTENANCE-THEORY.pptx
Week 6- PC HARDWARE AND MAINTENANCE-THEORY.pptxWeek 6- PC HARDWARE AND MAINTENANCE-THEORY.pptx
Week 6- PC HARDWARE AND MAINTENANCE-THEORY.pptx
dayananda54
 
Semi-Conductor ppt ShubhamSeSemi-Con.pptx
Semi-Conductor ppt ShubhamSeSemi-Con.pptxSemi-Conductor ppt ShubhamSeSemi-Con.pptx
Semi-Conductor ppt ShubhamSeSemi-Con.pptx
studyshubham18
 

More Related Content

Similar to Secure programming - Computer and Network Security (20)

Ns
NsNs
Ns
Deepenti123
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
Commix Detecting And Exploiting.pdf
Commix Detecting And Exploiting.pdfCommix Detecting And Exploiting.pdf
Commix Detecting And Exploiting.pdf
ssuser387cf0
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
jemtallon
 
BeStorm Introduction
BeStorm IntroductionBeStorm Introduction
BeStorm Introduction
Amit Shirolkar
 
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Akmal Hisyam
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av software
Joxean Koret
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av software
Thomas Pollet
 
Breaking Antivirus Software
Breaking Antivirus SoftwareBreaking Antivirus Software
Breaking Antivirus Software
rahmanprojectd
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
Antiy Labs
 
Evading Antivirus software for fun and profit
Evading Antivirus software for fun and profitEvading Antivirus software for fun and profit
Evading Antivirus software for fun and profit
Mohammed Adam
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
computerviruses-171008143158.ppt
computerviruses-171008143158.pptcomputerviruses-171008143158.ppt
computerviruses-171008143158.ppt
ssuser342286
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
Raghav Bisht
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
RohitGautam261127
 
Real-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and CountermeasuesReal-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and Countermeasues
volvent
 
Firewalls-Intro
Firewalls-IntroFirewalls-Intro
Firewalls-Intro
Aparna Bulusu
 
Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?
Javier Tallón
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
Dmitry Evteev
 
Ns
NsNs
Ns
Deepenti123
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
Commix Detecting And Exploiting.pdf
Commix Detecting And Exploiting.pdfCommix Detecting And Exploiting.pdf
Commix Detecting And Exploiting.pdf
ssuser387cf0
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
jemtallon
 
BeStorm Introduction
BeStorm IntroductionBeStorm Introduction
BeStorm Introduction
Amit Shirolkar
 
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Akmal Hisyam
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av software
Joxean Koret
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av software
Thomas Pollet
 
Breaking Antivirus Software
Breaking Antivirus SoftwareBreaking Antivirus Software
Breaking Antivirus Software
rahmanprojectd
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
Antiy Labs
 
Evading Antivirus software for fun and profit
Evading Antivirus software for fun and profitEvading Antivirus software for fun and profit
Evading Antivirus software for fun and profit
Mohammed Adam
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
computerviruses-171008143158.ppt
computerviruses-171008143158.pptcomputerviruses-171008143158.ppt
computerviruses-171008143158.ppt
ssuser342286
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
Raghav Bisht
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
RohitGautam261127
 
Real-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and CountermeasuesReal-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and Countermeasues
volvent
 
Firewalls-Intro
Firewalls-IntroFirewalls-Intro
Firewalls-Intro
Aparna Bulusu
 
Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?
Javier Tallón
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
Dmitry Evteev
 

Recently uploaded (20)

Week 6- PC HARDWARE AND MAINTENANCE-THEORY.pptx
Week 6- PC HARDWARE AND MAINTENANCE-THEORY.pptxWeek 6- PC HARDWARE AND MAINTENANCE-THEORY.pptx
Week 6- PC HARDWARE AND MAINTENANCE-THEORY.pptx
dayananda54
 
Semi-Conductor ppt ShubhamSeSemi-Con.pptx
Semi-Conductor ppt ShubhamSeSemi-Con.pptxSemi-Conductor ppt ShubhamSeSemi-Con.pptx
Semi-Conductor ppt ShubhamSeSemi-Con.pptx
studyshubham18
 
Impurities of Water and their Significance.pptx
Impurities of Water and their Significance.pptxImpurities of Water and their Significance.pptx
Impurities of Water and their Significance.pptx
dhanashree78
 
Flow Chart Proses Bisnis prosscesss.docx
Flow Chart Proses Bisnis prosscesss.docxFlow Chart Proses Bisnis prosscesss.docx
Flow Chart Proses Bisnis prosscesss.docx
rifka575530
 
Ppt on the related on the solar power system for electric vehicle engineering
Ppt on the related on the solar power system for electric vehicle engineeringPpt on the related on the solar power system for electric vehicle engineering
Ppt on the related on the solar power system for electric vehicle engineering
ravindrabodke
 
362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...
362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...
362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...
djiceramil
 
Pavement and its types, Application of rigid and Flexible Pavements
Pavement and its types, Application of rigid and Flexible PavementsPavement and its types, Application of rigid and Flexible Pavements
Pavement and its types, Application of rigid and Flexible Pavements
Sakthivel M
 
Artificial Power 2025 raport krajobrazowy
Artificial Power 2025 raport krajobrazowyArtificial Power 2025 raport krajobrazowy
Artificial Power 2025 raport krajobrazowy
dominikamizerska1
 
Third Review PPT that consists of the project d etails like abstract.
Third Review PPT that consists of the project d etails like abstract.Third Review PPT that consists of the project d etails like abstract.
Third Review PPT that consists of the project d etails like abstract.
Sowndarya6
 
WIRELESS COMMUNICATION SECURITY AND IT’S PROTECTION METHODS
WIRELESS COMMUNICATION SECURITY AND IT’S PROTECTION METHODSWIRELESS COMMUNICATION SECURITY AND IT’S PROTECTION METHODS
WIRELESS COMMUNICATION SECURITY AND IT’S PROTECTION METHODS
samueljackson3773
 
Montreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) Project
Montreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) ProjectMontreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) Project
Montreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) Project
Alexandra N. Martinez
 
IOt Based Research on Challenges and Future
IOt Based Research on Challenges and FutureIOt Based Research on Challenges and Future
IOt Based Research on Challenges and Future
SACHINSAHU821405
 
operationg systemsdocumentmemorymanagement
operationg systemsdocumentmemorymanagementoperationg systemsdocumentmemorymanagement
operationg systemsdocumentmemorymanagement
SNIGDHAAPPANABHOTLA
 
社内勉強会資料_Chain of Thought .
社内勉強会資料_Chain of Thought .社内勉強会資料_Chain of Thought .
社内勉強会資料_Chain of Thought .
NABLAS株式会社
 
How Binning Affects LED Performance & Consistency.pdf
How Binning Affects LED Performance & Consistency.pdfHow Binning Affects LED Performance & Consistency.pdf
How Binning Affects LED Performance & Consistency.pdf
Mina Anis
 
Rigor, ethics, wellbeing and resilience in the ICT doctoral journey
Rigor, ethics, wellbeing and resilience in the ICT doctoral journeyRigor, ethics, wellbeing and resilience in the ICT doctoral journey
Rigor, ethics, wellbeing and resilience in the ICT doctoral journey
Yannis
 
Strength of materials (Thermal stress and strain relationships)
Strength of materials (Thermal stress and strain relationships)Strength of materials (Thermal stress and strain relationships)
Strength of materials (Thermal stress and strain relationships)
pelumiadigun2006
 
3. What is the principles of Teamwork_Module_V1.0.ppt
3. What is the principles of Teamwork_Module_V1.0.ppt3. What is the principles of Teamwork_Module_V1.0.ppt
3. What is the principles of Teamwork_Module_V1.0.ppt
engaash9
 
Présentation_gestion[1] [Autosaved].pptx
Présentation_gestion[1] [Autosaved].pptxPrésentation_gestion[1] [Autosaved].pptx
Présentation_gestion[1] [Autosaved].pptx
KHADIJAESSAKET
 
Structural Design for Residential-to-Restaurant Conversion
Structural Design for Residential-to-Restaurant ConversionStructural Design for Residential-to-Restaurant Conversion
Structural Design for Residential-to-Restaurant Conversion
DanielRoman285499
 
Week 6- PC HARDWARE AND MAINTENANCE-THEORY.pptx
Week 6- PC HARDWARE AND MAINTENANCE-THEORY.pptxWeek 6- PC HARDWARE AND MAINTENANCE-THEORY.pptx
Week 6- PC HARDWARE AND MAINTENANCE-THEORY.pptx
dayananda54
 
Semi-Conductor ppt ShubhamSeSemi-Con.pptx
Semi-Conductor ppt ShubhamSeSemi-Con.pptxSemi-Conductor ppt ShubhamSeSemi-Con.pptx
Semi-Conductor ppt ShubhamSeSemi-Con.pptx
studyshubham18
 
Impurities of Water and their Significance.pptx
Impurities of Water and their Significance.pptxImpurities of Water and their Significance.pptx
Impurities of Water and their Significance.pptx
dhanashree78
 
Flow Chart Proses Bisnis prosscesss.docx
Flow Chart Proses Bisnis prosscesss.docxFlow Chart Proses Bisnis prosscesss.docx
Flow Chart Proses Bisnis prosscesss.docx
rifka575530
 
Ppt on the related on the solar power system for electric vehicle engineering
Ppt on the related on the solar power system for electric vehicle engineeringPpt on the related on the solar power system for electric vehicle engineering
Ppt on the related on the solar power system for electric vehicle engineering
ravindrabodke
 
362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...
362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...
362 Alec Data Center Solutions-Slysium Data Center-AUH-Glands & Lugs, Simplex...
djiceramil
 
Pavement and its types, Application of rigid and Flexible Pavements
Pavement and its types, Application of rigid and Flexible PavementsPavement and its types, Application of rigid and Flexible Pavements
Pavement and its types, Application of rigid and Flexible Pavements
Sakthivel M
 
Artificial Power 2025 raport krajobrazowy
Artificial Power 2025 raport krajobrazowyArtificial Power 2025 raport krajobrazowy
Artificial Power 2025 raport krajobrazowy
dominikamizerska1
 
Third Review PPT that consists of the project d etails like abstract.
Third Review PPT that consists of the project d etails like abstract.Third Review PPT that consists of the project d etails like abstract.
Third Review PPT that consists of the project d etails like abstract.
Sowndarya6
 
WIRELESS COMMUNICATION SECURITY AND IT’S PROTECTION METHODS
WIRELESS COMMUNICATION SECURITY AND IT’S PROTECTION METHODSWIRELESS COMMUNICATION SECURITY AND IT’S PROTECTION METHODS
WIRELESS COMMUNICATION SECURITY AND IT’S PROTECTION METHODS
samueljackson3773
 
Montreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) Project
Montreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) ProjectMontreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) Project
Montreal Dreamin' 25 - Introduction to the MuleSoft AI Chain (MAC) Project
Alexandra N. Martinez
 
IOt Based Research on Challenges and Future
IOt Based Research on Challenges and FutureIOt Based Research on Challenges and Future
IOt Based Research on Challenges and Future
SACHINSAHU821405
 
operationg systemsdocumentmemorymanagement
operationg systemsdocumentmemorymanagementoperationg systemsdocumentmemorymanagement
operationg systemsdocumentmemorymanagement
SNIGDHAAPPANABHOTLA
 
社内勉強会資料_Chain of Thought .
社内勉強会資料_Chain of Thought .社内勉強会資料_Chain of Thought .
社内勉強会資料_Chain of Thought .
NABLAS株式会社
 
How Binning Affects LED Performance & Consistency.pdf
How Binning Affects LED Performance & Consistency.pdfHow Binning Affects LED Performance & Consistency.pdf
How Binning Affects LED Performance & Consistency.pdf
Mina Anis
 
Rigor, ethics, wellbeing and resilience in the ICT doctoral journey
Rigor, ethics, wellbeing and resilience in the ICT doctoral journeyRigor, ethics, wellbeing and resilience in the ICT doctoral journey
Rigor, ethics, wellbeing and resilience in the ICT doctoral journey
Yannis
 
Strength of materials (Thermal stress and strain relationships)
Strength of materials (Thermal stress and strain relationships)Strength of materials (Thermal stress and strain relationships)
Strength of materials (Thermal stress and strain relationships)
pelumiadigun2006
 
3. What is the principles of Teamwork_Module_V1.0.ppt
3. What is the principles of Teamwork_Module_V1.0.ppt3. What is the principles of Teamwork_Module_V1.0.ppt
3. What is the principles of Teamwork_Module_V1.0.ppt
engaash9
 
Présentation_gestion[1] [Autosaved].pptx
Présentation_gestion[1] [Autosaved].pptxPrésentation_gestion[1] [Autosaved].pptx
Présentation_gestion[1] [Autosaved].pptx
KHADIJAESSAKET
 
Structural Design for Residential-to-Restaurant Conversion
Structural Design for Residential-to-Restaurant ConversionStructural Design for Residential-to-Restaurant Conversion
Structural Design for Residential-to-Restaurant Conversion
DanielRoman285499
 
Ad

Secure programming - Computer and Network Security

  • 1. CMSC 414 Computer and Network Security Lecture 25 Jonathan Katz
  • 2. Secure programming techniques (Based on: “Programming Secure Applications for Unix-Like Systems,” David Wheeler)
  • 3. Overview  Validate all input  Avoid buffer overflows  Program internals…  Careful calls to other resources  Send info back intelligently
  • 4. Validating input  Determine acceptable input, check for match --- don’t just check against list of “non-matches” – Limit maximum length – Watch out for special characters, escape chars.  Check bounds on integer values – E.g., sendmail bug…
  • 5. Validating input  Filenames – Disallow *, .., etc.  Html, URLs, cookies – Cf. cross-site scripting attacks  Command-line arguments – Even argv[0]…  Config files
  • 6. Avoiding buffer overflows  Use arrays instead of pointers (cf. Java)  Avoid strcpy(), strcat(), etc. – Use strncpy(), strncat(), instead – Even these are not perfect… (e.g., no null termination)  Make buffers (slightly) longer than necessary to avoid “off-by-one” errors
  • 7. Program internals…  Avoid race conditions – E.g., authorizing file access, then opening file  Watch out for temporary files in shared directories (e.g., /tmp)  Watch out for “spoofed” IP addresses/email addresses  Simple, open design; fail-safe defaults; completge mediation; etc.  Don’t write your own crypto algorithms – Use crypto appropriately
  • 8. Calling other resources  Use only “safe” library routines  Limit call parameters to valid values – Avoid metacharacters  Avoid calling the shell
  • 9. User output  Minimize feedback – Don’t explain failures to untrusted users – Don’t release version numbers… – Don’t offer “too much” help (suggested filenames, etc.)  Don’t use printf(userInput) – Use printf(“%s”, userInput) instead…
  • 10. Source code scanners  Used to check source code – E.g., flawfinder, cqual  “Static” analysis vs. “dynamic” analysis – Not perfect – Dynamic analysis can slow down execution, lead to bloated code – Will see examples of dynamic analysis later…
  • 12. Addressing buffer overflows  Basic stack exploit can be prevented by marking stack segment as non-executable, or randomizing stack location. – Code patches exist for Linux and Solaris. – Some complications on x86.  Problems: – Does not defend against `return-to-libc’ exploit. • Overflow sets ret-addr to address of libc function. – Some apps need executable stack (e.g. LISP interpreters). – Does not block more general overflow exploits: • Overflow on heap: overflow buffer next to func pointer.  Patch not shipped by default for Linux and Solaris
  • 13. Run-time checking: StackGuard  Embed “canaries” in stack frames and verify their integrity prior to function return str ret sfp local top of stack canary str ret sfp local canary Frame 1 Frame 2
  • 14. Canary types  Random canary: (used in Visual Studio 2003) – Choose random string at program startup. – Insert canary string into every stack frame. – Verify canary before returning from function. – To corrupt random canary, attacker must learn current random string.  Terminator canary: Canary = 0, newline, linefeed, EOF – String functions will not copy beyond terminator. – Attacker cannot use string functions to corrupt stack
  • 15. Canaries, continued…  StackGuard implemented as a GCC patch – Program must be recompiled  Minimal performance effects:  Not foolproof…
  • 16. Run-time checking: Libsafe  Intercepts calls to strcpy (dest, src) – Validates sufficient space in current stack frame: |frame-pointer – dest| > strlen(src) – If so, does strcpy. Otherwise, terminates application dest ret-addr sfp top of stack src buf ret-addr sfp libsafe main
  • 17. More methods …  Address obfuscation – Encrypt return address on stack by XORing with random string. Decrypt just before returning from function. – Attacker needs decryption key to set return address to desired value.  PaX ASLR: Randomize location of libc – Attacker cannot jump directly to exec function
  • 18. Software fault isolation  Partition code into data and code segments  Code inserted before each load/store/jump – Verify that target address is safe  Can be done at compiler, link, or run time – Increases program size, slows down execution
  • 19. Security for mobile code  Mobile code is particularly dangerous!  Sandboxing – Limit the ability of code to do harmful things  Code-signing – Mechanism to decide whether code should be trusted or not  ActiveX uses code-signing, Java uses sandboxing (plus code-signing)
  • 20. Code signing  Code producer signs code  Binary notion of trust  What if code producer compromised?  Lack of PKI => non-scalable approach
  • 21. “Proof-carrying code”  Input: code, safety policy of client  Output: safety proof for code  Proof generation expensive – Proof verification cheaper – Prove once, use everywhere (with same policy)  Prover/compiler need not be trusted – Only need to trust the verifier
  • 22. Sandboxing in Java  Focus on preventing system modification and violations of user privacy – Denial of service attacks much harder to prevent, and not handled all that well  We will discuss some of the basics, but not all the most up-to-date variants of the Java security model
  • 23. Sandboxing  A default sandbox applied to untrusted code  Users can change the defaults… – Can also define “larger” sandboxes for “partially trusted” code – Trust in code determined using code-signing…
  • 24. Some examples…  Default sandbox prevents: – Reading/writing/deleting files on client system – Listing directory contents – Creating new network connections to other hosts (other than originating host) – Etc.
  • 25. Sandbox components  Verifier, Class loader, and Security Manager  If any of these fail, security may be compromised
  • 26. Verifier  Java program is compiled to platform- independent Java byte code  This code is verified before it is run – Prevents, for example, malicious “hand- written” byte code  Efficiency gains by checking code before it is run, rather than constantly checking it while running
  • 27. Verifier…  Checks: – Byte code is well-formatted – No forged pointers – No violation of access restrictions – No incorrect typing  Of course, cannot be perfect…
  • 28. Class loader  Helps prevent “spoofed” classes from being loaded – E.g., external class claiming to be the security manager  Whenever a class needs to be loaded, this is done by a class loader – The class loader decides where to obtain the code for the class
  • 29. Security manager  Restricts the way an applet uses Java API calls – All calls to the OS are mediated by the security manager  Security managers are browser-dependent!
  • 30. System call monitoring  Monitor all system calls – Enforce particular policy – Policy may be loaded in kernel  Hand-tune policy for individual applications  Similar to Java security manager – Difference in where implemented
  • 32. Viruses/malicious code  Virus – passes malicious code to other non- malicious programs – Or documents with “executable” components  Trojan horse – software with unintended side effects  Worm – propagates via network – Typically stand-alone software, in contrast to viruses which are attached to other programs
  • 33. Viruses  Can insert themselves before program, can surround program, or can be interspersed throughout program – In the last case, virus writer needs to know about the specifics of the other program  Two ways to “insert” virus: – Insert virus in memory at (old) location of original program – Change pointer structure…
  • 34. Viruses…  Boot sector viruses – If a virus is loaded early in the boot process, can be very difficult (impossible?) to detect  Memory-resident viruses – Note that virus might complicate its own detection – E.g., removing virus name from list of active programs, or list of files on disk
  • 35. Some examples  BRAIN virus – Locates itself in upper memory; resets the upper memory bound below itself – Traps “disk reads” so that it can handle any requests to read from the boot sector – Not inherently malicious, although some variants were
  • 36. Morris worm (1988)  Resource exhaustion (unintended) – Was supposed to have only one copy running, but did not work correctly…  Spread in three ways – Exploited buffer overflow flaw in fingerd – Exploited flaw in sendmail debug mode – Guessing user passwords(!) on current network  Bootstrap loader would be used to obtain the rest of the worm
  • 37. Chernobyl virus (1998)  When infected program run, virus becomes resident in memory of machine – Rebooting does not help  Virus writes random garbage to hard drive  Attempts to trash FLASH BIOS – Physically destroys the hardware…
  • 38. Melissa virus/worm (1999)  Word macro… – When file opened, would create and send infected document to names in user’s Outlook Express mailbox – Recipient would be asked whether to disable macros(!) • If macros enabled, virus would launch
  • 39. Code red (2001)  Propagated itself on web server running Microsoft’s Internet Information Server – Infection using buffer overflow… – Propagation by checking IP addresses on port 80 of the PC to see if they are vulnerable
  • 40. Detecting viruses  Can try to look for “signatures” – Unreliable unless up-to-date – Encrypted viruses – Polymorphic viruses  Examine storage – Sizes of files, “jump” instruction at beginning of code – Can be hard to distinguish from normal software  Check for (unusual) execution patterns – Hard to distinguish from normal software…