Download Lecture 16 - Suraj @ LUMS

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
page
61
page
62
page
63
page
64
page
65
page
66
page
67
page
68
page
69
page
70
page
71
page
72
page
73
page
74
page
75
page
76
page
77
page
78
page
79
page
80
page
81
Document related concepts

Cracking of wireless networks wikipedia , lookup

Security-focused operating system wikipedia , lookup

Computer security wikipedia , lookup

Buffer overflow wikipedia , lookup

Security and safety features new to Windows Vista wikipedia , lookup

Buffer overflow protection wikipedia , lookup

Rainbow table wikipedia , lookup

Malware wikipedia , lookup

Cross-site scripting wikipedia , lookup

Password strength wikipedia , lookup

Computer virus wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Mobile security wikipedia , lookup

Unix security wikipedia , lookup

Transcript 
Security Engineering 1
Agenda Today
• Types of Security Problems
• Integrating Security into Software Process
• Security Toolbag
Threats and Vulnerabilities
• Two major categories of computer security risks
are:
– Threats
• Threats are a person, thing, or event which will compromise
the system
• All systems have potential threats
• Some examples of threats are:
– Natural and Physical – These imperil the physical plant and the
state of the actual equipment
– Unintentional – These are the dangers brought on by ignorance
– Intentional – These are malicious attacks against a system
Threats and Vulnerabilities
(Continued)
– Vulnerabilities
• Vulnerabilities are perceived threats
– If they were exploited, the system would no longer be reliable
– The more vulnerabilities can be perceived, the more threats
can be determined
• Every system is vulnerable to attack
• Some examples of vulnerabilities are
– Physical & Natural – Natural disasters and environmental
threats can adversely impact a facility and its IT resources
– Hardware & Software – IT resources can start malfunctioning
– Media – Disks, tapes, printouts, etc. can be stolen or damaged
– Network – Machines can be remotely breached
– Human – Users can make errors which will put data in jeopardy
Malicious Logic
•
•
•
•
•
Trojan Horse
Virus
Worms
Rabbits (Bacteria)
Logic Bomb
Example
• Shell script on a UNIX system:
cp /bin/sh /tmp/.xyzzy
chmod u+s,o+x /tmp/.xyzzy
rm ./ls
ls $*
• Place in program called “ls” and trick
someone into executing it
• You now have a setuid-to-them shell!
Trojan Horse
• Program with an overt purpose (known to
user) and a covert purpose (unknown to
user)
– Often called a Trojan
• Example: previous script is Trojan horse
– Overt purpose: list files in directory
– Covert purpose: create setuid shell
Example: NetBus
• Designed for Windows NT system
• Victim uploads and installs this
– Usually disguised as a game program, or in
one
• Acts as a server, accepting and executing
commands for remote administrator
– This includes intercepting keystrokes and
mouse motions and sending them to attacker
– Also allows attacker to upload, download files
Replicating Trojan Horse
• Trojan horse that makes copies of itself
– Also called propagating Trojan horse
– Early version of animal game used this to delete
copies of itself
• Hard to detect
– 1976: Karger and Schell suggested modifying
compiler to include Trojan horse that copied itself into
specific programs including later version of the
compiler
– 1980s: Thompson implements this
Viruses
– designed to replicate themselves
• removable storage media, email, file transfer
– intended to cause damage
– need a host program
• attach to and modify host
• execute as part of host
– virus detection
• check program length (virus can hide or compress
program)
• check for virus “signature” (viruses use encryption)
First Reports
• Brain (Pakistani) virus (1986)
– Written for IBM PCs
– Alters boot sectors of floppies, spreads to
other floppies
• MacMag Peace virus (1987)
– Written for Macintosh
– Prints “universal message of peace” on March
2, 1988 and deletes itself
Types of Viruses
•
•
•
•
•
•
•
•
Boot sector infectors
Executable infectors
Multipartite viruses
TSR viruses
Stealth viruses
Encrypted viruses
Polymorphic viruses
Macro viruses
Boot Sector Infectors
• A virus that inserts itself into the boot sector of a
disk
– Section of disk containing code
– Executed when system first “sees” the disk
• Including at boot time …
• Example: Brain virus
– Moves disk interrupt vector from 13H to 6DH
– Sets new interrupt vector to invoke Brain virus
– When new floppy seen, check for 1234H at location 4
• If not there, copies itself onto disk after saving original boot
block
Executable Infectors
Executable code and data
Header
0
Header
0
100
First program instruction to be e xecuted 1000
Executable code and data
Virus code
100
200
1000
• A virus that infects executable programs
1100
– Can infect either .EXE or .COM on PCs
– May prepend itself (as shown) or put itself anywhere,
fixing up binary so it is executed at some point
Multipartite Viruses
• A virus that can infect either boot sectors
or executables
• Typically, two parts
– One part boot sector infector
– Other part executable infector
TSR Viruses
• A virus that stays active in memory after
the application (or bootstrapping, or disk
mounting) is completed
– TSR is “Terminate and Stay Resident”
• Examples: Brain, Jerusalem viruses
– Stay in memory after program or disk mount
is completed
Stealth Viruses
• A virus that conceals infection of files
• Example: IDF virus modifies DOS service
interrupt handler as follows:
– Request for file length: return length of
uninfected file
– Request to open file: temporarily disinfect file,
and reinfect on closing
– Request to load file for execution: load
infected file
Encrypted Viruses
• A virus that is enciphered except for a small
deciphering routine
– Detecting virus by signature now much harder as
most of virus is enciphered
Virus code
Deciphering
routine
Enciphered virus code
Deciphering k ey
Polymorphic Viruses
• A virus that changes its form each time it inserts
itself into another program
• Idea is to prevent signature detection by
changing the “signature” or instructions used for
deciphering routine
• At instruction level: substitute instructions
• At algorithm level: different algorithms to achieve
the same purpose
• Toolkits to make these exist (Mutation Engine,
Trident Polymorphic Engine)
Example
• These are different instructions (with different bit
patterns) but have the same effect:
–
–
–
–
add 0 to register
subtract 0 from register
xor 0 with register
no-op
• Polymorphic virus would pick randomly from
among these instructions
Macro Viruses
• A virus composed of a sequence of
instructions that are interpreted rather than
executed directly
• Can infect either executables (Duff’s shell
virus) or data files (Highland’s Lotus 1-2-3
spreadsheet virus)
• Independent of machine architecture
– But their effects may be machine dependent
Example
• Melissa
– Infected Microsoft Word 97 and Word 98 documents
• Windows and Macintosh systems
– Invoked when program opens infected file
– Installs itself as “open” macro and copies itself into
Normal template
• This way, infects any files that are opened in future
– Invokes mail program, sends itself to everyone in
user’s address book
Computer Worms
• A program that copies itself from one computer
to another
• Origins: distributed computations
– Schoch and Hupp: animations, broadcast messages
– Segment: part of program copied onto workstation
– Segment processes data, communicates with worm’s
controller
– Any activity on workstation caused segment to shut
down
Example: Internet Worm of
1988
• Targeted Berkeley, Sun UNIX systems
– Used virus-like attack to inject instructions into
running program and run them
– To recover, had to disconnect system from Internet
and reboot
– To prevent re-infection, several critical programs had
to be patched, recompiled, and reinstalled
• Analysts had to disassemble it to uncover
function
• Disabled several thousand systems in 6 or so
hours
Rabbits, Bacteria
• A program that absorbs all of some class of
resources
• Example: for UNIX system, shell commands:
while true
do
mkdir x
chdir x
done
• Exhausts either disk space or file allocation table
(inode) space
Logic Bombs
• A program that performs an action that violates
the site security policy when some external
event occurs
• Example: program that deletes company’s
payroll records when one particular record is
deleted
– The “particular record” is usually that of the person
writing the logic bomb
– Idea is if (when) he or she is fired, and the payroll
record deleted, the company loses all those records
Buffer overflow
• The most important avenue for
vulnerabilities
• Good programming practice: always verify
that the input you receive from
uncontrolled source conforms to expected
format
Normal Stack State
Modified Stack State
Authentication
•
Four classic ways to authenticate:
1.
2.
3.
4.
•
something you know (passwords)
something you have (smartcard)
something you are (fingerprint)
something you do (usage signature)
None of these is perfect
Identity theft
•
•
•
Fastest rising crime in the US
FBI won’t help unless losses above
$100,000.
Someone can steal an identity with just a
social security number!!!
Passwords
• Account - person using the system
• Username - Identity of account (public)
– limited characters, alphanumeric & special characters
– typically related to real name of user (not always), certain
names reserved
– unique on system
– fixed at account creation
• Passwords – Verification of identity (private)
– Less limited length and characters
– Fixed until changed
– Non-unique passwords – (both users have bad password)
Password Security
• Password security depends on ONLY you
knowing the password
– Secure selection
– Secure handling
– Secure storage
Password Attacks
• Easy to Hard
– Given password
– Grab password
– Generate password
– Guess password
Denial of Service Attack (DoS)
• Attempts to "flood" a network, thereby
preventing legitimate network traffic;
Remote Execution
• remote execution
– upload and start code on remote machine
– mobile agent: may migrate among machines
• unlike worm, relies on legitimate servers for
migration
Eavesdropping
• Reads plain text communicated through a
channel.
Identity Spoofing
(IP Address Spoofing)
• Packets appears to be generated by a
valid IP address but they are actually
generated by a hacker.
Social Engineering
• Sometimes breaking into a network is
as simple as calling new employees,
telling them you are from the IT
department, and asking them to verify
their password for your records.
Problem Sources
1.
2.
3.
4.
5.
6.
7.
8.
9.
Requirements definitions, omissions, and mistakes
System design flaws
Hardware implementation flaws, such as wiring and chip flaws
Software implementation errors, program bugs, and compiler bugs
System use and operation errors and inadvertent mistakes
Willful system misuse
Hardware, communication, or other equipment malfunction
Environmental problems and natural causes.
Evolution, maintenance, faulty upgrades, and decommissions
Security Defects
• We live in an age with constant threat of
security breaches
– Holes in web software
– Flaws in server software
• Security defects very easy to make
– Blaster worm defect only two lines long
– One line error can be catastrophic
• Here we look at 19 common security
defects (sins of security)
Sin 1 : Buffer Overruns
• You’ve heard this one many times…
• Occurs when a program allows input to
write beyond the end of the allocated
buffer
– Program might crash or allow attacker to gain
control
– Still possible in languages like C#, Java since
they use libraries written in C/C++ but more
unlikely
Spotting Buffer Overflows
• Look for input read from the network, a
file, the user interface, or the command
line
• Transfer of data from input to internal
structures
• Use of unsafe string handling calls
• Use of arithmetic to calculate an allocation
size or remaining buffer size
Sin 2 : Format String Problems
• A C/C++ type of problem
• First mentioned June 23, 2000
void main(int argc, char * argv[])
{
printf(argv[1]);
}
• Pretty simple, what could go wrong?
Format String
• What if the program is invoked as :
bug.exe “%x %x”
• Output something like:
12FFC0 4011E5
The %x specifier reads the stack
4 bytes at a time and outputs them
Leaks important info to the attacker
Format String
• Another obscure format string: %n
unsigned int bytes;
printf(“%s%n\n”, argv[1], &bytes);
printf(“Input is %d characters long.\n”, bytes);
Usage:
bug.exe “Hello“
Hello
Input is 5 characters long
The %n specifier writes
4 bytes at a time based on the length
of the previous argument
Carefully crafted, allows an attacker
to place own data into the stack
Sin 3 : Integer Overflows
• When an unsigned integer gets too big for the
number of bits allocated, it overflows back to 0
– For signed integers, positive numbers suddenly
become negative numbers
• “Obvious” errors where integers are
multiplied/added/etc. and overflow
– Result can be very bad and unpredictable behavior if
relational operators suddenly behave the opposite of
how they are supposed to
• Also many less obvious errors
Casting
• Implicit type casting is a frequent cause of
integer overflows
• Most languages require the same types to
be compared so an up-cast is done
const long MAX_LEN = 0x7FFF;
short len = strlen(input);
if (len < MAX_LEN)
{
// Do stuff
}
If a short is 2 bytes and
input > 32767, then len becomes
a negative number
Casting
• Signed int to Larger signed int
– Smaller value is sign-extended
• 0x7F to an int becomes 0x0000007F
• 0x80 to an int becomes 0xFFFFFF80
• Signed int to Larger unsigned int
– Positive numbers behave as expected
– Negatives unexpected
• (char) -1 becomes 0xFFFFFFFFF or
4,294,967,295
Overflow Problem
• Problem here to detect whether two
unsigned 16-bit numbers would overflow
when added?
bool IsValidAddition(unsigned short x, unsigned short y)
{
if (x + y < x)
return false;
return true;
}
Overflow Problem in C#?
• Following code throws a compiler error,
how would you fix it?
byte a, b;
a = 255;
b = 1;
byte c = (a + b);
ERROR: Cannot implicitly convert type ‘int’ to ‘byte’
Spotting the Overflow Sin
• Anything doing arithmetic
• Especially if input provided by the user
• Focus especially on array index calculations
• Redemption
– Use size_t type in C/C++
– Use unsigned integers if appropriate, easier to verify
– Avoid “clever” code in favor of straightforward code
Sin 4 : SQL Injection
• How do bad guys get credit card numbers
from sites?
– Break into server using exploit like buffer
overrun
– Go through open port with sysadmin
password
– SQL injection attacks
SQL Injection Example
• PHP code
$id = $_REQUEST[“id”];
$pass = $_REQUEST[“password”];
$qry = “SELECT ccnum FROM cust WHERE id = $id AND pass=$pass”;
SQL Injection Example
• PHP code
$id = $_REQUEST[“id”];
$pass = $_REQUEST[“password”];
$qry = “SELECT ccnum FROM cust WHERE id = ‘$id’ AND
pass=‘$pass’”;
User inputs id of user to attack
For password, enters: ‘ OR 1=1 –
-- is the comment operator, to ignore whatever comes afterwards
Spotting the Sin
•
•
•
•
Takes user input
Does not check user input for validity
Uses user input data to query a database
Uses string concatenation or string
replacement to build the SQL query or
uses the SQL Exec command
Sin 5 : Command Injection
• In 1994, one could get a root shell on an SGI
computer running IRIX by sending the following
to a printer:
FRED; xterm&
• Code:
char buf[1024];
snprintf(buf, “system lpr –P %s”, user_input, sizeof(buf) -1);
system(buf);
Spotting the Sin
• Look for calls to system(), exec()
• Java too:
– Class.forName(String name);
• Dynamically load and run Java code
– Runtime.exec()
• Redemption
– Check the data to make sure it is ok
Sin 6 : Failing to Handle Errors
• Not properly handling errors.
• May result into inadvertent access to the
system by the hacker.
Sin 7 : Cross Site Scripting
• Somewhat misnamed, as crossing sites is
not always necessary to exploit this bug
• Sin is straightforward:
– Web app takes input from a user
– Input is stored or echoed back to the user
– That’s it
PHP Example
<?php
if($_SERVER['REQUEST_METHOD'] != "POST")
{
header("Content-Type: text/html");
print("<HTML><HEAD><TITLE>My Page</TITLE>");
print("</HEAD>");
print("<BODY>");
print("<FORM method=post action='cssSin.php'>");
print("Enter your comment.<p>");
print("<INPUT type=text name='comment'>");
print("<INPUT type=submit value='Submit'>");
print("</FORM>");
print("<HR>");
print("<B>Here is the comment log:</B><p>");
PHP Example
$f = fopen("c:\\comments.txt","r");
print("<UL>");
while (!feof($f))
{
$line = fgets($f,2000);
print("<li>" . $line . "</LI>");
}
fclose($f);
print("</UL>");
}
else {
$comment = $_REQUEST['comment'];
$f = fopen("c:\\comments.txt", "a");
fprintf($f, "\n" . $comment);
fclose($f);
print("Thank you, your comment has been saved.");
}
?>
CSS Problem
• Malicious user can inject script code that is then
executed when another user views that page
• Even if the input is merely echoed, a malicious
user might:
– Lure victim to their page
– Get victim to click on a link which refers victim to the
vulnerable site with the CSS bug
– Script code is run under domain of the server and
could get cookies or modify any elements of the DOM
like tweak all links to point to porn sites
Spotting the Sin
• The web app takes input from a header,
form, or query string
• App does not check the input for validity
• App echoes back data from a user into the
browser
• Redemption
– Restrict input to valid input onl
– HTML encode the output ; &lt; &gt; etc.
Sin 8 : Failing to Protect Network
Traffic
• Mostly skipping
• Network vulnerable to
– Eavesdropping
– Replay
– Spoofing
– Tampering
– Hijacking
• Use SSL / TLS for session security
Sin 9 : Magic URLs and Hidden
Form Fields
• Magic URLs:
– http://www.xyz.com/?val=1&q=foo&user=n58
– http://www.xyz.com/?id=TKSJDARJ$J14$J==
• Hidden Form Fields to pass variables
<form action = “ …”
<input type=text name=“product”>
<input type=hidden name=“price” value=“300”>
</form>
Redemption
• Use SSL or store data on server side
• Session variables, encrypted
Sin 10 : Improper Use of SSL and
TLS
• If server authentication not done properly,
attacker can eavesdrop or modify
conversations
– Especially vulnerable when key associated
with certificate
• Feeling that site is impenetrable simply
because it uses SSL
– Still can have overflow, SQL injection, etc…
Sin 11 : Use of Weak Passwords
• People hate passwords, it is a battle to
force people to use strong passwords
• Consider password content policy
– Length, characters, reset frequency…
– Password storage?
• Storage in the clear is bad
– How to recover a lost password?
• Paris Hilton T-Mobile Sidekick phone hijack
• Broke into server side by getting username and
asking for a password reset
– Challenge question: “What is the name of your favorite
pet?”
Guidelines for Password Resets
• Locking users out of accounts for too many bad
password attempts may result in DoS
• Recommendations
– Limit number of attempts to reasonable number like
20/hour
– Slow down authentication process after certain
number of bad attempts
– Make users provide multiple pieces of information to
reset a password, might require “thing they have” like
a ID card
– Use more obscure questions
Tenex Bug
• TENEX Operating System pseudocode to
validate:
For i = 0 to len(typed_password)
if i >= len(actual_password) fail;
if typed_password[i] != actual_password[i] fail;
if i < len(actual_password) fail;
Success;
Flaw: Attacker could put candidate password in memory overlapping
page boundaries. First letter on one page, second letter on the next, if the
first letter was correct there was a pause while the page for the second letter
loaded
Sin 12 : Failing to Store and Protect
Data Securely
• Unix: tendency to give permissions to all
• Windows: Access Control Lists can be mind
boggling as which objects to consider what can
be controlled
– Don’t take the easy way out and give out too many
permissions
• Don’t embed secret data in code
– E.g. passwords
– Use DPAPI or KeyChain or at least store passwords
somewhere not hard-coded in the app
Sin 13 : Information Leakage
• Attacker gets information, implicitly or
explicitly, that could provide more
information for the attacker to reach their
goal
• Examples:
– Name of server software, versions
– Debugging information (e.g. left on in PHP)
– Error messages that reveal code structure
Sin 14: Improper File Access
• Watch out for race conditions among accessing
files
– Perl:
#!/usr/bin/perl
my $file = “$ENV{HOME}/.config”;
read_config($file) if –r $file;
Between the file check and read, the file may disappear
if there are multiple processes handling this file
• Manipulation of pathnames to overwrite
important files
Sin 15 : Trusting Network Name
Resolution
• Not too difficult to have an unsecure name
server, e.g. might use WINS
• Skipping
• Might ensure connections running over
SSL
Sin 16 : Race Conditions
• Common bug in multi-threaded applications, which
includes web apps
• Actual bug from a DB web application, sometimes the
queries were UPDATE to a shared field
try
{
sqlComm.sqlConn.Open();
comm.ExecuteNonQuery();
sqlComm.sqlConn.Close();
}
catch(Exception f)
{
sqlComm.sqlConn.Close();
}
Sin 16 : Race Conditions
• Lock access to any query for mutual
exclusion
lock(sqlComm.sqlConn)
{
try
{
sqlComm.sqlConn.Open();
comm.ExecuteNonQuery();
sqlComm.sqlConn.Close();
}
catch(Exception f)
{
sqlComm.sqlConn.Close();
}
}
Spotting the Sin
• Multiple threads or processes that write to
the same source
• Creating files or directories in common
areas
• Signal handlers
Sin 17 : Unauthenticated Key
Exchange
Sin 18 : Cryptographically Strong
Random Numbers
• Seeds for pseudo-random number
generators may not be that difficult to
regenerate, then use to test a sequence of
random values and determine what the
next “random” number will be
• Can try true random number generators
– Mouse, keyboard, etc.
Sin 19 : Poor Usability
• Poor usability can also mean poor security
– Always clicking “OK” when given lots of
dialogs
– Cryptic error or status messages
Related documents
Viruses - StantonAPBiology
Viruses - StantonAPBiology
(journal3.pdf)
(journal3.pdf)
Name______________________________________Hour 1-2 3
Name______________________________________Hour 1-2 3
Security
Security
Deardorff COBRE seminar 082913 (PDF)
Deardorff COBRE seminar 082913 (PDF)
Understanding viruses classwork
Understanding viruses classwork
ITS_8_Security Vocab Answers
ITS_8_Security Vocab Answers
Chapter 24- Viruses, section review answers
Chapter 24- Viruses, section review answers
Delivery Partner Guide - Homes and Communities Agency
Delivery Partner Guide - Homes and Communities Agency
Virus Textbook Assignment
Virus Textbook Assignment
Viruses - BealBio
Viruses - BealBio