CSCE 548 Secure Software Development Information Leakage + Failing to Handle Errors

Page 1: CSCE 548 Secure Software Development Information Leakage + Failing to Handle Errors

CSCE 548 Secure Software Development

Information Leakage + Failing to Handle Errors

Page 2: Reading

CSCE 548 - Farkas 2

This lecture: Howard et al., 19 Deadly Sins, Chapters 6, 13, 12, 11

Howard et al., 24 Deadly Sins, Chapters 11, 12, 17, 19

Page 3: Identification

Establishes the identity of an individual/system/application/etc.

Proof of identity: password, driver's license, ID card, etc.

CSCE 522 - Farkas 3

Page 4: Authentication

Allows an entity (a user or a system) to prove its identity within a context, e.g., a computer system

Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier

Strong authentication: the entity reveals knowledge of S to the verifier without revealing S to the verifier

Page 5: Vulnerabilities of Passwords

Inherent vulnerabilities
– Easy to guess or snoop
– No control on sharing

Practical vulnerabilities
– Visible if unencrypted in a distributed and networked environment
– Susceptible to replay attacks if encrypted naively

Password advantage
– Easy to change a compromised password

Page 6: Digital Certificates

Most common digital certificate: X.509
– Initially issued in 1988
– Relies on PKI and a hierarchy of certificate authorities

Certificate Authority: issues and revokes digital certificates, accepts user notifications, publishes the revocation list

Page 7: Problem with X.509

Large file

Long duration needs validation of the certificate for revocation

Why are digital certificates revoked?
– Exposure of private key
– Incorrect/unauthorized issuance
– Termination of assignment

Page 8: Return to Multiple Authentication

(Figure: Ann presents her X.509 certificate separately to System 1, System 2 and System 3, saying "I am Ann. Here is my X.509" to each; each system contacts the CA to verify the certificate.)

Page 9: Single Sign On

(Figure: Ann presents her X.509 certificate to System 1 with "I am Ann. Here is my X.509. Give me a locally verifiable token." System 1 verifies the certificate with the CA and issues a SAML token; Ann then presents the SAML token to System 2 and System 3 with "I am Ann. Here is my SAML token.")

Page 10: Information Protection

During transit

During use

During storage

Page 11: Access Control

Access control: ensures that all direct accesses to objects are authorized

Protects against accidental and malicious threats by regulating the reading, writing and execution of data and programs

Need:
– Proper user identification and authentication
– Information specifying the access rights is protected from modification

Page 12: Implementation

Access Control List (ACL, a column of the access matrix):
  File 1: Joe:Read, Joe:Write, Joe:Own
  File 2: Joe:Read, Sam:Read, Sam:Write, Sam:Own

Capability List (a row of the access matrix):
  Joe: File 1/Read, File 1/Write, File 1/Own, File 2/Read
  Sam: File 2/Read, File 2/Write, File 2/Own

Access Control Triples:
  Subject  Access  Object
  Joe      Read    File 1
  Joe      Write   File 1
  Joe      Own     File 1
  Joe      Read    File 2
  Sam      Read    File 2
  Sam      Write   File 2
  Sam      Own     File 2

Page 13: Problem Areas

Too much access
– Not following least privilege

Security violations
– Deny access – unavailability
– World readable – information disclosure
– Write for everyone – incorrect execution, denial of service, taking over the system

Page 14: Recommendation

Use the operating system's security technologies

Keep secrets out of harm's way

Use security technology (access control support, encryption, etc.) properly

Scrub the memory securely once finished with secret data

Page 15: Weak Access Control

Sets access control but grants write access to a low-privileged user

Creates an object without setting access control, and creates the object in a place writable by a low-privileged user

Writes configuration information into a shared area

Writes sensitive information into a shared area

Page 16: Information Leakage

By accident

By intention

Page 17: Communication Channels

Overt channel: designed into a system and documented in the user's manual
– Information leakage: designers and developers DO NOT understand the security needs of the application

Covert channel: not documented. Covert channels may be deliberately inserted into a system, but most such channels are accidents of the system design.
– Information leakage: slow information flow to an unauthorized recipient

Page 18: Information Flow

Direct flow:
– Bell-LaPadula example

Indirect flow:
– Covert channel
– Inference channel

(Figure, Bell-LaPadula example: a TS-subject reads an S-object, so information flows from S to TS; an S-subject writes a TS-object, so information again flows from S to TS.)

Page 19: Non-Interference

High-security data does not influence lower-security data

How to guarantee it?

Page 20: Covert Channel

Timing channel: based on system times

Storage channel: communication that is not time related

The two kinds can be turned into each other

Page 21: Covert Channel

Need:
– Two active participants and an encoding schema, OR
– Access to the system and knowledge about the system

Example: the sender modulates the CPU utilization level with the data stream to be transmitted

Sender:
  repeat
    get a bit to send
    if the bit is 1
      wait one second (don't use CPU time)
    else
      busy-wait one second (use CPU time)
    endif
  until done

Page 22: Covert Channels

Problems:
– Noise
– Need sophisticated synchronization

Protection (user state, system state)
– Removal
– Slow down
– Audit

Page 23: Cryptographic Timing Attack

How long does it take to perform encryption?
– Table look-ups
– Non-constant time
– Partial guesses: faster performance

Measure the duration between messages, where the message content depends on secret data
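The "partial guesses: faster performance" point, as an added C illustration that is not from the lecture: a tag comparison that stops at the first differing byte takes longer the more leading bytes a guess gets right, while the constant-time version always does the same amount of work. The functions, the `cmp_result` struct and the sample tags are constructed for this example; the examined-byte count stands in for measured time.

```c
#include <stddef.h>
#include <stdint.h>

/* Result of a comparison plus the number of bytes the loop examined,
 * a stand-in for the duration an observer could measure. */
typedef struct {
    int equal;             /* 1 if the tags match, else 0 */
    size_t bytes_examined; /* proxy for elapsed time */
} cmp_result;

/* Leaky: stops at the first mismatch, like memcmp()/strcmp(). The
 * count (and the real duration) grows with the length of the correct
 * prefix, which is exactly what a timing attack measures. */
cmp_result leaky_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    cmp_result r = {1, 0};
    for (size_t i = 0; i < n; i++) {
        r.bytes_examined++;
        if (a[i] != b[i]) { r.equal = 0; break; }
    }
    return r;
}

/* Constant-time: every byte is visited and differences are OR-ed
 * together, so neither a branch nor the loop bound depends on where
 * the inputs differ. The examined count is always n. */
cmp_result ct_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    cmp_result r = {0, n};
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    r.equal = (diff == 0);
    return r;
}

/* Constructed sample tags (not from the lecture). */
static const uint8_t SECRET_TAG[4]  = {0xde, 0xad, 0xbe, 0xef};
static const uint8_t GUESS_EARLY[4] = {0x00, 0xad, 0xbe, 0xef}; /* wrong at byte 0 */
static const uint8_t GUESS_LATE[4]  = {0xde, 0xad, 0xbe, 0x00}; /* wrong at byte 3 */
```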

Page 24: Inference Channels

Statistical database inferences

General-purpose database inferences

Page 25: Statistical Databases

Goal: provide aggregate information about groups of individuals
– E.g., average grade point of students

Security risk: specific information about a particular individual
– E.g., grade point of student John Smith

Meta-data:
– Working knowledge about the attributes
– Supplementary knowledge (not stored in the database)

Page 26: Types of Statistics

Macro-statistics: collections of related statistics presented in 2-dimensional tables

Sex\Year  1997  1998  Sum
Female       4     1    5
Male         6    13   19
Sum         10    14   24

Micro-statistics: individual data records used for statistics after identifying information is removed

Sex  Course    GPA  Year
F    CSCE 590  3.5  2000
M    CSCE 590  3.0  2000
F    CSCE 790  4.0  2001

Page 27: Statistical Compromise

Exact compromise: find the exact value of an attribute of an individual (e.g., John Smith's GPA is 3.8)

Partial compromise: find an estimate of an attribute value corresponding to an individual (e.g., John Smith's GPA is between 3.5 and 4.0)

Page 28: Inferences in General-Purpose Databases

Queries based on sensitive data

Inference via database constraints

Inferences via updates

Page 29: Queries Based on Sensitive Data

Sensitive information is used in the selection condition but is not returned to the user.

Example: Salary is secret, Name is public

  Query: Name where Salary = $25,000

Protection: apply the query to database views at different security levels

Page 30: Database Constraints

Integrity constraints

Database dependencies

Key integrity

Page 31: Integrity Constraints

C = A + B, where A = public, C = public, and B = secret

B can be calculated from A and C, i.e., secret information can be calculated from public data

Page 32: Database Dependencies

Metadata:
– Functional dependencies
– Multi-valued dependencies
– Join dependencies
– etc.

Page 33: Functional Dependency

FD: A → B, that is, for any two tuples in the relation, if they have the same value for A, they must have the same value for B.

Example: FD: Rank → Salary

Secret information: Name and Salary together
– Query 1: Name and Rank
– Query 2: Rank and Salary
– Combine the answers to Query 1 and Query 2 to reveal Name and Salary together

Page 34: Key Integrity

Every tuple in the relation has a unique key

Users at different levels see different versions of the database

Users might attempt to update data that is not visible to them

Page 35: Example

(P and S mark the classification of each value: public and secret.)

Secret view:

Name (key)  Salary    Address
Black P     38,000 P  Columbia S
Red S       42,000 S  Irmo S

Public view:

Name (key)  Salary    Address
Black P     38,000 P  Null P

Page 36: Updates

Public user sees:

Name (key)  Salary    Address
Black P     38,000 P  Null P

1. Update Black's address to Orlando
2. Add new tuple: (Red, 22,000, Manassas)

If the update is refused: covert channel
If the update is allowed:
• Overwrite high data – may be incorrect
• Create a new tuple (polyinstantiation) – which data is correct? – violates key constraints

Page 37: Updates

Secret user sees:

Name (key)  Salary    Address
Black P     38,000 P  Columbia S
Red S       42,000 S  Irmo S

1. Update Black's salary to 45,000

If the update is refused: denial of service
If the update is allowed:
• Overwrite low data – covert channel
• Create a new tuple (polyinstantiation) – which data is correct? – violates key constraints

Page 38: Inference Problem

No general technique is available to solve the problem

Need assurance of protection

Hard to incorporate outside knowledge

Page 39: Failing to Handle Errors

Page 40: Failing to Handle Errors

Affected languages:
– Any language that uses function error return values, e.g., PHP, C, C++, etc.
– Any language that relies on exceptions, e.g., C#, Java, etc.

Consequences:
– Yielding too much information
– Ignoring errors
– Misinterpreting errors
– Using useless error values
– Handling the wrong exceptions
– Handling all exceptions

Page 41: Yielding Too Much Information

Error message carries information that can be misused by the attacker

Avoid: do not tell the user why his input failed

Problem: reduces usability

Page 42: Ignoring Errors

Error return values: indicate a failure condition, enabling the code to react accordingly

How serious is the error?
– Return value rarely checked, e.g., printf
– Return value must be checked, e.g., Windows impersonation functions: if the call failed, the thread still has the process's identity

Exception handling
– Catch exceptions at compile time
– Some exceptions are not required to be caught, e.g., NullPointerException (a missed logic error)

Handling exceptions and errors

Page 43: Misinterpreting Errors and Useless Error Values

Functions with special error values
– E.g., recv():
  Successful completion: number of bytes received
  No message and orderly shutdown: 0
  Error: -1

No error value
– E.g., strncpy: returns a pointer to the destination buffer, regardless of the state of the copy
  Buffer overrun?
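Both slide examples handled correctly, as added C code that is not from the lecture: `recv_exact()` distinguishes the three recv() outcomes (bytes, 0 for orderly shutdown, -1 for error) instead of treating them alike, and `copy_str()` wraps strncpy so the caller gets a real truncation status and a terminated buffer. The function names and the socketpair/strings used in the demos are constructed for this example.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* recv_exact() treats each of the three recv() outcomes on the slide
 * differently: n > 0 keeps reading until len bytes arrive, 0 means an
 * orderly shutdown (return the short count), -1 is an error, retried
 * only when errno is EINTR. Returns bytes stored, or -1 on error. */
ssize_t recv_exact(int fd, void *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t n = recv(fd, (char *)buf + got, len - got, 0);
        if (n > 0) { got += (size_t)n; continue; }
        if (n == 0) break;            /* peer closed: short read */
        if (errno == EINTR) continue; /* interrupted: try again */
        return -1;                    /* genuine error */
    }
    return (ssize_t)got;
}

/* strncpy() returns dst whatever happened and leaves no terminator
 * when src fills the buffer. copy_str() turns that into a usable
 * status: 0 if src fit, -1 if it was truncated; dst is always
 * NUL-terminated (dstsz must be at least 1). */
int copy_str(char *dst, size_t dstsz, const char *src) {
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) < dstsz ? 0 : -1;
}

/* Constructed demo: a socketpair where the writer sends 6 bytes and
 * closes, while the reader asks for 8. Returns the byte count that
 * recv_exact() reports (6), not the 8 the caller hoped for. */
ssize_t demo_short_read(void) {
    int sv[2];
    char buf[8];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (send(sv[0], "hello!", 6, 0) != 6) return -1;
    close(sv[0]);
    ssize_t n = recv_exact(sv[1], buf, sizeof buf);
    close(sv[1]);
    return n;
}

/* Constructed demo: copy a 13-char string into an 8-byte buffer.
 * Returns 1 if truncation was reported and dst holds "toolong". */
int demo_truncation(void) {
    char dst[8];
    int rc = copy_str(dst, sizeof dst, "toolongstring");
    return rc == -1 && strcmp(dst, "toolong") == 0;
}
```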

Page 44: Handling the Wrong Exceptions, Handling All Exceptions

Which exception is going to be thrown?
– Standard, expected exceptions
– Unexpected exceptions: the program terminates because the exception is not caught

All exceptions handled: the code may not be able to handle the exception, or may mask the error
– The error may resurface at a later stage and be hard to detect

Page 45: Detecting Error Handling Flaws

Code review
– Look for key words
– See page 79

Some tools are available

Redemption steps:
– Handle the appropriate exceptions in your code
– Don't handle ALL exceptions
– Check return values, in particular of:
  Security-related functions
  Functions that change user settings or machine-wide settings
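The last redemption step, and the Windows impersonation point from "Ignoring Errors", shown in POSIX terms as an added C example that is not from the lecture: when setgid()/setuid() fail and the return value is discarded, the process silently keeps its original identity, so the checked version tests each call and then verifies the identity the kernel reports. The function names are constructed for this example; `demo_drop_to_self()` exercises the check without needing root.

```c
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 only when both calls succeeded AND the kernel reports the
 * requested identity afterwards; -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Group first: after setuid() to an unprivileged uid, setgid()
     * would itself fail. */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify rather than trust the return codes alone. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* The anti-pattern from "Ignoring Errors": results discarded, so a
 * failed drop is invisible to the caller and to any later check. */
void drop_privileges_unchecked(uid_t uid, gid_t gid) {
    (void)setgid(gid);
    (void)setuid(uid);
}

/* Self-check that works without root: switching to the identity the
 * process already has must succeed and verify. Returns 0 on success. */
int demo_drop_to_self(void) {
    return drop_privileges(getuid(), getgid());
}
```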

Page 46: Design Patterns

Capture effective security techniques that should be replicated

Distill and document these techniques – design patterns

CMU SEI 2009 security design patterns
– Architectural
– Design-level
– Implementation-level

Page 47: Each Pattern

– Intent
– Also known as
– Example
– Motivation
– Applicability
– Structure
– Participants
– Consequences
– Implementation
– Sample code
– Example resolved
– Known uses

Page 48: Example

SOA Message Screening pattern, from http://www.soapatterns.org/message_screening.php

Problem: An attacker can transmit messages with malicious or malformed content to a service, resulting in undesirable behavior.

Solution: The service is equipped or supplemented with special screening routines that assume that all input data is harmful until proven otherwise.

Page 49: Example cont.

Application: When a service receives a message, it makes a number of checks to screen message content for harmful data.

Impacts: Extra runtime processing is required with each message exchange, and the screening logic requires additional, specialized routines to process binary message content, such as attachments. It may also not be possible to check for all possible forms of harmful content.

Page 50: Example cont.

Page 51: Next Class

Buffer overflow and SQL injection