Download ApplicationSecurity

Application Security
corresponds with Chapter 3: program security; Chapter 4:
OS security and Chapter 5, with additional notes from
various sources.
Throughout these ages
our operating systems
infested by bugs
The ignorant world
turns to Windows for safety
Safety from themselves
It is now the time
for the world to realize
that we all feel pain
By DilDog
Ninja Strike Force (Cult of the Dead Cow)
Sensei of the Undocumented Opcode.
From the slides of Vitaly Shmatikov – Univ of Texas
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
So far
• We looked at:
– Various vulnerabilities
– Fundamentals of Cryptography
• Encryption/decryption
• Secure hash functions.
• Next: Software application security
(roughly corresponds to chapter 3 – though I have added additional
notes from sources other than the textbook)
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Applications
• Food for thought:
– If a computer does not run any software, then it cannot
be attacked.
• Hence, “host-based attacks” are all due to
software applications.
– Host-based is different from network-based attacks.
– Host-based attacks focus on the information stored on a
“host” computer, while network based attacks focus on
information in transit across networks.
• Application security involves studying “host-based”
security.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
What does application security entail?
• There are several software applications varying in
complexity:
– E.g,
•
Simple editors, Web Servers, Database Management Systems, Operating Systems.
While they have some common vulnerabilities, each of them have
unique/specific security vulnerabilities.
• Difficult/impossible(?) to study the security of every type
of software application.
• Hence, in this part of the course we will limit our study to:
– Secure Design principles that apply to any software application.
– Application of secure design principles to Operating Systems
(Windows and Linux) and Database Management Systems
(Oracle)
– Examples of secure programming principles for programming in
Java.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Secure Design principles
• Design principles are different from
implementation principles. Design
deals with what facilities etc., that
you will offer.
• What principles do you think you will
follow when designing a software
application?
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Secure Design principles (2)
• Originally formulated in 1975 by
Jerome Saltzer and Michael Shroeder.
• Other principles were added later.
• Complete list from website maintained by
the Department of Homeland Security:
https://buildsecurityin.uscert.gov/daisy/bsi/articles/knowledge/principles/358-BSI.html
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
List of principles of software security.
•
•
•
•
•
•
•
•
•
•
•
•
Least Privilege
Economy of Mechanism
Complete Mediation
Separation of Privilege
Least Common Mechanism
Securing the weakest link.
Defense in depth
Failing Securely
Reluctance to trust
Never assuming that your secrets are safe
Promoting Privacy.
Psychological acceptability
• One more principle from the original authors: Open design.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Principles of software security (2)
• Least Privilege
• Give the least privilege for the least time to get the job done.
• The time factor is important.
• When implementing code or any system – use features that will
limit time.
• E.g., if someone logs in as an administrator and the account is idle,
log the person out!
• Economy of Mechanism
• Based on the mantra “KISS”: Keep it simple, stupid!
• How does it translate to implementation/design of secure code?
– Reuse components of any code (make code modular).
– Do not re-implement security algorithms (e.g., DES cryptography) – use
standard APIs.
– Create a choke point when developing code – choke points are interfaces
from which all the code must pass.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Principles of software security (2)
– Complete Mediation
• Security checks in applications cannot be bypassed/circumvented.
• E.g., the single user mode in Linux or the “safe mode” in Windows
allow login without entering password: This is a violation of
complete mediation.
– Open Design
• No secrets.
• E.g., the security of encryption should not depend on keeping the
encryption algorithm secret.
– Separation of Privilege (or “separation of duty”)
• E.g., multiple authentication criteria. (we will see more of this when
discussing OS security)
– Least Common Mechanism
• E.g, do not share certain resources.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Other principles
•
Securing the weakest link.
•
Defense in depth
•
Failing Securely
•
Reluctance to trust
•
Never assuming that your secrets are safe
•
Promoting Privacy.
– E.g., if you haven’t fixed buffer overflow, don’t bother installing retinascanning-based authentication
– Have a layered approach if possible for software.
– E.g., in the Java code you would want to run the code with certain
protection.
– Do not let your code or software simply crash!
– Or if it crashes, do not let it expose any secrets – e.g., by passing too
much information to the exception handling routines.
– Never assume that the user will use the code the way you design.
– Don’t rely on an obscure implementation (similar to Open design)
–
We will look at this when discussing database security.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Next: Example 1: How principles of
software security design apply to the
design of general purpose OSes
Corresponds to Chapter 4
w/ additional notes by Prem Uppuluri
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
General purpose OS.
• Examples:
– Windows NT family
• 2000, XP, Vista, 7
– Linux (multi-user)
– FreeBSD
– Solaris
• Specifically, any OS that is designed to run multipurpose software.
• Excluded from this list: Mobile OSes (iPhone,
Android, Windows mobile etc.). Why? These use a
subset of general purpose OS security
mechanisms.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
What is an Operating System?
• What is the function of an Operating
System (OS)?
• It is software that:
– mediates access to, and
– enforces the sharing of
system resources,
by all other programs on the machine.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Two key characteristics of a general
purpose OS
• Most general purpose OSes these days:
– Support multi processing
(multiple processes can share the CPU).
– Support multi users
(multiple users can work at the same time).
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Functions of an OS
• Some functions of an OS
– Creation/removal of processes: OSes allow users to start
new processes and end them.
– Memory management: Operating Systems allocate
memory and manage the memory (e.g., free memory) etc.,
when processes are being executed.
– Process scheduling: When multiple processes are
competing with each other to run on ONE CPU, an OS is
responsible for scheduling which process runs next?
– Handling I/O and Interrupts
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
What needs to be protected in a
general purpose OS? (1)
• So based on the functions of an OS, it is clear
that
– When multiprocessing (with multiple users) several
hardware resources are shared and thus need protection:
(Examples:
•
•
•
•
•
Memory
I/O systems
Disks
Networks
Sharable data/programs )
• So how do OSes protect these? And against
whom?
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
What needs to be protected in a general
purpose OS? (1)
• Examples of where security is needed:
– User level processes should not interfere with
each other. E.g., a Word process should not be
able to access the memory of a Chrome process.
– Permissions on user directories (folders) and
files.
– Sharing of I/O resources (e.g., multiple users
on a computer should not be able to view each
other's print jobs, or keystrokes).
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
OS security using separation.
• OSes achieve security using the concept of separation of
access to resources.
• Some examples of separation include:
– Access control
• (who can access the resources of a system?)
– Identity and credential management
• (what is the identity of the current user? Can this identity be
changed?)
– Audit and Integrity checks.
• (Keeps track of who performed what actions at what time. Also,
have any files been changed? Are different measures consistent?)
– Information flow.
• E.g., What can be cut and pasted? What can be copied and pasted?
What info can be sent out on the network?
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Next:
• How does an Operating System
achieve separation?
• What are the key issues in doing so?
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Main challenge: Policing the Police… or
protecting the Operating System itself!
• An OS is responsible for separation, however,
there is a problem:
– Given that an OS is a software program.
 What prevents other software programs from
circumventing the OS? i.e., why cannot the OS be
bypassed?
Or, can an OS be bypassed?
Example: Is it possible for you to write a program
that directly accesses the resources by
circumventing the OS's memory management,
process management and other mechanisms?
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Circumventing the OS
• An OS can be circumvented in certain
cases:
– E.g., when you boot an OS from a CD or a DVD –
you are circumventing the OS on the disk.
• The OS installed on the disk will be unable to mediate
any of your processes access to the CPU.
• However, once you “load” an operating
system – it cannot be circumvented (or it
should not be if implemented securely).
Why cannot it be circumvented?
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
The Architecture-OS dance.
• Various architectures (Intel, AMD, SPARC etc.)
provide some hardware security features (think
of them as switches) such that:
– The first software that gets loaded when you start a computer
grabs the controls of these hardware features.
– Without control of these hardware features, hardware
resources cannot be accessed.
• (unless you use a physical attack, such as removing a hard disk from
the computer).
• If the first software is the OS (as is usually the
case), it controls these hardware features.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
What is separation?
• What are these hardware features?
– Two key ones:
• Interrupts (programmable
interrupts) and
• Rings.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Privilege rings in OS.
•
Most CPUs come with multiple
“rings”.
•
When a software wants to access
any hardware resource, it has to
grab a certain ring number.
•
Ring 0: allows access to all the
hardware resources…
Ring 3: doesn’t allow any access to
hardware.
Ring 1 will allow access to a few
etc...
•
•
Image source:l Wikipedia
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
© LOTR
Privilege rings in OS (2).
• So how does a software
grab a ring?
(A)
(B)
(C)
(D)
Defeating Lord Sauron.
Using Orcs.
Capture Gollum.
Using interrupts.
Answer: D
Image source:l Wikipedia
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Privilege rings in OS (3).
•
•
Interrupts
Every architecture (intel x86, SPARC etc) provides
certain hardware switches called interrupts.
•
Interrupts can be “thrown” or triggered using
machine language instructions that the architecture
supports.
– E.g., 0x80h is an assembly op code (in Intel x86
architecture) that allows a software to grab ring
0.
Image source:l Wikipedia
• Every interrupt is associated with a software
method (program).
• ONLY that software program can be executed
when the interrupt is thrown.
The first software that gets loaded on boot-up, will also install the
software programs associated with each interrupt
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Privilege rings in OS (4).
• So an OS (as it is the first process that must be
loaded into the memory):
– Loads the software methods associated with
each interrupt.
– E.g., In Intel x86 architecture, interrupt 80 is
associated with grabbing the ring 0.
• So with this interrupt, the OS associates software
methods (or functions or sub routines) that allow
access to hardware resources.
• These software methods are called “system calls”.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
System calls in an OS
• Every OS provides a set of system calls
– Think of these as an API to access and/or
modify various resources
– E.g.,
• in Linux:
–
–
sys_open, allows a program to access files on a disk. (so access to the hardware:
disk).
Sys_fork, allows the creation of a new process (thus accessing the resources of
memore etc.).
• In Windows:
–
NtCreateProcess: creates a new process (similar to fork).
• Complete list of system calls in Linux:
• Look at the file: /usr/include/unistd.h on any Linux machine.
• Complete list of system calls in Windows:
• http://www.metasploit.com/users/opcode/syscalls.html
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
System calls in OS
• There are many system calls as you saw in the links
on previous slides.
• System calls are organized into an “array”. Think
of this as an array of methods.
– System_call[] syscalls …
– Each index associated with one system call.
• E.g., syscalls[3] may be the method “fork” system call.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
System calls summary.
• When a software process calls a system call, let us
say “Open”, then:
– Interrupt 80 is thrown. (So the software program now
has access to ring 0).
– However remember when an interrupt is thrown: only the
software associated with that interrupt can be executed.
– This software (a whole bunch of system call
implementations) is provided by the OS.
– The appropriate system call method is searched (in this
case “open”) and executed.
• Hence, OS can control complete access to
hardware resources by other software process.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Another way to look at how OS can prevent any process from
directly accessing hardware..
•
if a software process wants to access the hard disk – it has to grab
ring 0.
•
However, it can only grab ring 0 by throwing the interrupt 0x80 (on
Intel x86).
•
However, if it throws interrupt 0x80, then only the code
associated with that interrupt can get executed.
•
The first process loaded when the system boots up gets the first
shot at associating software with each interrupt.
•
If the first process is the OS itself – then the OS can control the
software associate with each interrupt.
•
Hence, any other software program can only use the OS’s software
to access hardware resources.
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.
Next:
• Overview of security provided by the
operating system in accessing:
– Memory
– Files
– Etc..
SlidesMaterial
by Premmainly
Uppuluriderived
based on
material
from various
sources.
ITEC 245.
from
Pfleeger;
Daswani
or Stallings.