• No results found

Software Security (Misc)

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Software Security (Misc)"

Copied!
26
0
0

Loading.... (view fulltext now)

Download now ( 26 Page )

Full text

(1)

CSE 484: Computer Security and Privacy

Software Security

(Misc)

Winter 2021

David Kohlbrenner

[email protected]

Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

(2)

Admin

• Lab 1 checkpoint next Wednesday night!

• That is, sploits 1-3

• When you are ‘done’ you stop changing those files.

(3)

Last Words on Buffer Overflows

(4)

Defenses

• ASLR – Randomize where the stack/heap/code starts

• Counters: Information disclosures, sprays and sleds

• Canaries – Put a value on the stack, see if it changes

• Counters: Arbitrary writes

• DEP – Mark sections of memory as non-executable, e.g. the stack

• Counters: ROP, JOP, Code-reuse attacks in general

(5)

Defense: Shadow stacks

• Idea: don’t store return addresses on the stack!

• Store them on… a different stack! • A hidden stack

• On function call/return

• Store/retrieve the return address from shadow stack

• Maybe encrypt/randomize the shadow stack data?

(6)

Challenges With Shadow Stacks

• Where do we put the shadow stack?

• Can the attacker figure out where it is?

• How fast is it to store/retrieve from the shadow stack?

• How big is the shadow stack?

• Is this compatible with all software?

(7)

Other Possible Solutions

• Use safe programming languages, e.g., Rust (or Java?)

• What about legacy C code?

• (Though Rust doesn’t magically fix all security issues ☺)

• Static analysis of source code to find overflows • Dynamic testing: “fuzzing”

(8)

Other Common Software Security

Issues…

(9)

Another Type of Vulnerability

• Consider this code:

CSE 484 - Winter 2021

char buf[80];

void vulnerable() {

int len = read_int_from_network();

char *p = read_string_from_network(); if (len > sizeof buf) {

error("length too large, nice try!"); return;

}

memcpy(buf, p, len); }

void *memcpy(void *dst, const void * src, size_t n); typedef unsigned int size_t;

(10)

Another Example

CSE 484 - Winter 2021

size_t len = read_int_from_network(); char *buf;

buf = malloc(len+5); read(fd, buf, len);

(from www-inst.eecs.berkeley.edu—implflaws.pdf) Breakout Groups: January 15th on Canvas

(11)

Implicit Cast

• Consider this code:

CSE 484 - Winter 2021

char buf[80];

void vulnerable() {

int len = read_int_from_network();

char *p = read_string_from_network(); if (len > sizeof buf) {

error("length too large, nice try!"); return;

}

memcpy(buf, p, len); }

void *memcpy(void *dst, const void * src, size_t n); typedef unsigned int size_t;

If len is negative, may copy huge amounts of

(12)

Integer Overflow

• What if len is large (e.g., len = 0xFFFFFFFF)?

• Then len + 5 = 4 (on many platforms)

• Result: Allocate a 4-byte buffer, then read a lot of data into that buffer.

CSE 484 - Winter 2021

size_t len = read_int_from_network(); char *buf;

buf = malloc(len+5); read(fd, buf, len);

(13)

Another Type of Vulnerability

• Consider this code:

Goal: Write to file only with permission • What can go wrong?

CSE 484 - Winter 2021

if (access(“file”, W_OK) != 0) {

exit(1); // user not allowed to write to file

}

fd = open(“file”, O_WRONLY);

(14)

TOCTOU (Race Condition)

• TOCTOU = “Time of Check to Tile of Use”

Goal: Write to file only with permission

• Attacker (in another program) can change meaning of

“file” between access and open: symlink("/etc/passwd", "file");

CSE 484 - Winter 2021

if (access(“file”, W_OK) != 0) {

exit(1); // user not allowed to write to file

}

fd = open(“file”, O_WRONLY);

(15)

Password Checker

• Functional requirements

• PwdCheck(RealPwd, CandidatePwd) should:

• Return TRUE if RealPwd matches CandidatePwd

• Return FALSEotherwise

• RealPwd and CandidatePwd are both 8 characters long

(16)

Password Checker

• Functional requirements

• PwdCheck(RealPwd, CandidatePwd) should:

• Return TRUE if RealPwd matches CandidatePwd

• Return FALSEotherwise

• RealPwd and CandidatePwd are both 8 characters long

• Implementation (like TENEX system)

• Clearly meets functional description

CSE 484 - Winter 2021

PwdCheck(RealPwd, CandidatePwd) // both 8 chars for i = 1 to 8 do

if (RealPwd[i] != CandidatePwd[i]) then return FALSE

(17)

Attacker Model

• Attacker can guess CandidatePwds through some standard interface

• Naive: Try all 2568 = 18,446,744,073,709,551,616 possibilities

CSE 484 - Winter 2021

PwdCheck(RealPwd, CandidatePwd) // both 8 chars for i = 1 to 8 do

if (RealPwd[i] != CandidatePwd[i]) then return FALSE

(18)

Timing Attacks

• Assume there are no “typical” bugs in the software

• No buffer overflow bugs

• No format string vulnerabilities

• Good choice of randomness

• Good design

• The software may still be vulnerable to timing attacks

• Software exhibits input-dependent timings

• Complex and hard to fully protect against

(19)

Other Examples

Plenty of other examples of timings attacks

• Timing cache misses

• Extract cryptographic keys…

• Recent Spectre/Meltdown attacks • Duration of a rendering operation

• Extract webpage information

• Duration of a failed decryption attempt

• Different failures mean different thing (e.g. Padding oracles)

(20)

Side-channels

• Timing is only one possibility

• Consider:

• Power usage

• Sensors

• EM Outputs

(21)

Software Security:

So what do we do?

(22)

Fuzz Testing

Generate “random” inputs to program

• Sometimes conforming to input structures (file formats, etc.)

See if program crashes

• If crashes, found a bug

• Bug may be exploitable

Surprisingly effective

Now standard part of development lifecycle

(23)

General Principles

• Check inputs

• Check all return values

• Least privilege

• Securely clear memory (passwords, keys, etc.)

• Failsafe defaults

• Defense in depth

• Also: prevent, detect, respond • NOT: security through obscurity

(24)

General Principles

• Reduce size of trusted computing base (TCB)

• Simplicity, modularity

• But: Be careful at interface boundaries!

• Minimize attack surface

• Use vetted components

• Security by design

• But: tension between security and other goals

• Open design? Open source? Closed source?

• Different perspectives

(25)

Does Open Source Help?

• Different perspectives…

• Happy example?

• Linux kernel backdoor attempt thwarted (2003)

(http://www.freedom-to-tinker.com/?p=472)

• Sad example?

• Heartbleed (2014)

• Vulnerability in OpenSSL that allowed attackers to read arbitrary memory from vulnerable servers (including private keys)

(26)

Vulnerability Analysis and Disclosure

What do you do if you’ve found a security problem in a real

system?

Say

• A commercial website? • UW grade database? • Boeing 787? • TSA procedures? CSE 484 - Winter 2021

References

Download now ( PDF - 26 Page - 470.36 KB )

Related documents

Introducing Cubic Transforming the way people travel Intelligent Travel... Made Real

Over the past 20-plus years, Cubic has delivered revenue management systems as well as additional services such as customer support, business support, central system support for

Quarrying the coasts of Crete in antiquity; some geoarchaeological considerations

The reported rock-cut ship sheds and fish tanks from Crete are located in the vicinity of coastal quarries; close to the modern Rhethymnon port, a ship shed, the quarries of

Advanced glycation endproducts increase proliferation, migration and invasion of the breast cancer cell line MDA-MB-231

MG-BSA-AGEs increase the phosphorylation of signaling proteins To optimize incubation time corresponding to the maximal cell signal- ing induced by 100 μg/ml MG-BSA-AGEs

The first Dutch SDHB founder deletion in paraganglioma-pheochromocytoma patients.

Mutation analysis of SDHB and SDHC: novel germline muta- tions in sporadic head and neck paraganglioma and familial paraganglioma and/or pheochromocytoma. Schouten JP, McElgunn

Pengaruh cash turnover, receivable turnover dan inventory turnover terhadap profitabilitas perusahaan (studi empiris pada perusahaan food and beverages yang terdaftar di bursa efek indonesia periode 2012-2016)

Penelitian-penelitian diantaranya yang dilakukan oleh Febrian Andre, Nengah Sudjana dan Sri Sulasmiyati (2017), Analisis Pengaruh Rasio Modal Kerja

Genetics and health costs: some actuarial models

The tables show the percentage increases in premiums for lives starting out without insurance, and before genetic testing, at ages 30, 40 and 50, for different policy terms,

MINUTES HEALTH & HUMAN SERVICES BOARD MEETING ROOM #1, OUTAGAMIE COUNTY ADMINISTRATION BUILDING TUESDAY, MAY 27, 2014

OTHERS PRESENT: Rosemary Davis, Director; John Rathman, Deputy Director; *Dave Rothmann, Brewster Village Administrator; *Dan Grady, County Board Supervisor; *Sally Mielke, Community

Function-integrated Lightweight Design Structures for Next Generation Ground Vehicles , IEA Workshop

Lightweight Specifications Lightweight Concept Lightweight Materials Lightweight Shape Lightweight Specifications Lightweight Concept Lightweight Materials Lightweight