Risky Resource Management
Presented by Sandeep Naidu
for CS585 – Introduction to Computer Security
A few things every netizen / security person should remember
“ Internet was not built keeping security in mind; it was built keeping functionality as its target.”
- Anonymous
“No system in this world is completely secure. A system will be resistant against some attacks; it is then analyzed and found to be vulnerable to some other attacks and the process goes on...”
- Sandeep Naidu
Overview
What is it?
What does it do?
What can we do? (to prevent/mitigate it)
How can we do it?
Note: "it" refers to the weakness under discussion
Programming Errors we will look at
Failure to Constrain Operations within the Bounds of a Memory Buffer
External Control of Critical State Data
External Control of File Name or Path
Untrusted Search Path
Failure to Control Generation of Code (aka 'Code Injection')
Download of Code Without Integrity Check
Improper Resource Shutdown or Release
Improper Initialization
Incorrect Calculation
What are these?
“These are errors/weaknesses related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.”
Failure to Constrain Operations within the Bounds of a Memory Buffer
Weakness Prevalence: High
Consequences: Code Execution, Denial of Service, Data Loss
Ease of Detection: Easy to Moderate
Remediation Cost: Low
Attack Frequency: Often
Attacker Awareness: High
What is the error?
When software permits read or write operations on memory located outside of an allocated range, an attacker may be able to access/modify sensitive information, cause the system to crash, alter the intended control flow, or execute arbitrary code.
Example Scenario
This example takes an IP address from a user, verifies that it is well formed, then looks up the hostname and copies it into a fixed-size buffer.
C Example:
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <string.h>

    /* routine that ensures user_supplied_addr is in the right format for
       conversion (assumed to be defined elsewhere in the program) */
    void validate_addr_form(char *user_supplied_addr);

    void host_lookup(char *user_supplied_addr)
    {
        struct hostent *hp;
        in_addr_t addr;
        char hostname[64];

        validate_addr_form(user_supplied_addr);
        addr = inet_addr(user_supplied_addr);
        hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
        /* the bug: unbounded copy of a name that may exceed 64 bytes
           (hp is also not checked for NULL) */
        strcpy(hostname, hp->h_name);
    }
This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then we may overwrite sensitive data or even relinquish control flow to the attacker.
What can we do to avoid it?
Use:
Languages that do their own memory management (Java, Perl)
Libraries or frameworks such as the Safe C String Library (SafeStr) and Strsafe.h from Microsoft
Compiler protections such as the /GS stack-cookie option in Microsoft Visual Studio
Automated static analysis tools
which can mitigate or eliminate these buffer overflows.
Check that the destination buffer is at least as large as the data being copied before calling strcpy() and similar functions, or use bounded variants that take the buffer size.
If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
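The bounded copy the slide recommends, written out as an added example (not code from the slides). copy_hostname() refuses a name that does not fit, including its terminator, rather than truncating silently, and leaves the destination empty on failure; store_resolved_name() is an assumed stand-in for the host_lookup() function above that takes the resolved name as a parameter so it can be exercised without gethostbyaddr().

```c
#include <stddef.h>
#include <string.h>

#define HOSTNAME_MAX 64

/* Copy src into dst (capacity dstsz) only if it fits, including the NUL.
   Returns 0 on success, -1 if src would not fit; dst is left as an empty
   string on failure so callers never see a partially copied name. */
int copy_hostname(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* bounded scan: an unterminated src cannot be over-read past dstsz */
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n >= dstsz)
        return -1;            /* no room for n bytes plus the terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Safe counterpart of host_lookup(): the resolved name is passed in
   (assumed to come from hp->h_name) instead of being looked up here.
   Returns 0 if the name was stored, -1 if it was rejected. */
int store_resolved_name(const char *resolved_name)
{
    char hostname[HOSTNAME_MAX];

    if (copy_hostname(hostname, sizeof hostname, resolved_name) != 0)
        return -1;
    /* ... use hostname ... */
    return 0;
}
```

Rejecting rather than truncating is a design choice: a silently truncated hostname can still be wrong in security-relevant ways (for example, if it is later compared against an allow list), so the caller is told explicitly.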
External Control of Critical State Data
Weakness Prevalence: High
Consequences: Security Bypass, Code Execution, Data Loss
Ease of Detection: Easy
Remediation Cost: Medium
Attack Frequency: Often
Attacker Awareness: High
What is the error?
The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors.
Example Scenario
An application may perform authentication, then save the state in an "authenticated=true" cookie. An attacker may simply create this cookie in order to bypass the authentication.
Here an authentication flag is read from a browser cookie, thus allowing external control of user state data.
Java Example:
    Cookie[] cookies = request.getCookies();
    for (int i = 0; i < cookies.length; i++) {
        Cookie c = cookies[i];
        // the flag is trusted straight from the client
        if (c.getName().equals("authenticated") && Boolean.parseBoolean(c.getValue())) {
            authenticated = true;
        }
    }
How can we avoid it?
Understand all the potential locations that are accessible to attackers.
Do not keep state information on the client without using encryption and integrity checking, or otherwise having a mechanism on the server side to catch state tampering.
Store state information on the server side only. With a stateless protocol such as HTTP, use a framework that maintains the state for you; examples include ASP.NET View State and the OWASP ESAPI Session Management feature.
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.
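The server-side alternative to the cookie example, as an added example (not from the slides): the client holds only an opaque session id, and the authenticated flag lives in a server-side table that the client can never write. The session table, the cookie header strings and the id values are constructed sample data; a real service would issue long random ids and expire them.

```c
#include <string.h>

/* Server-side session table (constructed sample data). Only the server
   writes the authenticated flag; the client holds just the opaque id. */
struct session { const char *id; int authenticated; const char *user; };

static const struct session SESSIONS[] = {
    { "3f9a1c77e2b4", 1, "alice" },   /* logged in */
    { "8d02bb41c0de", 0, NULL    },   /* issued, not yet authenticated */
};

/* Extract the value of cookie `name` from a "Cookie:" header value into
   out (capacity outsz). Returns the value length, or -1 if the cookie is
   absent or too long. */
int cookie_value(const char *header, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = header;

    while (p && *p) {
        while (*p == ' ' || *p == ';')
            p++;
        const char *end = strchr(p, ';');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen + 1 > outsz)
                return -1;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = end;
    }
    return -1;
}

/* Decide whether the request is authenticated. An "authenticated=true"
   cookie, which the attacker can forge, is deliberately never consulted;
   only the server-side record for the presented session id counts. */
int is_authenticated(const char *cookie_header)
{
    char sid[64];

    if (cookie_value(cookie_header, "sid", sid, sizeof sid) < 0)
        return 0;
    for (size_t i = 0; i < sizeof SESSIONS / sizeof SESSIONS[0]; i++)
        if (strcmp(SESSIONS[i].id, sid) == 0)
            return SESSIONS[i].authenticated;
    return 0;   /* unknown session id: fail closed */
}
```

The cookie parser is intentionally small; what matters for the weakness is that the only client-supplied input influencing the decision is a lookup key, not the decision itself.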
External Control of Filename or Path
Weakness Prevalence: High
Consequences: Code Execution, Data Loss
Ease of Detection: Easy
Remediation Cost: Medium
Attack Frequency: Often
Attacker Awareness: High
What is the error?
The software allows user input to control or influence paths that are used in filesystem operations.
This could allow an attacker to access or modify system files or other files that are critical to the application.
When can it happen?
Path manipulation errors occur when the following two conditions are met:
1. An attacker can specify a path used in an operation on the filesystem.
2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.
Example Scenario
Example 1: The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22).
Java Example:
    String rName = request.getParameter("reportName");
    File rFile = new File("/usr/local/apfr/reports/" + rName);
    ...
    rFile.delete();
Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.
Java Example:
    fis = new FileInputStream(cfg.getProperty("sub") + ".txt");
    amt = fis.read(arr);
    out.println(arr);
How can we avoid it?
Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system.
When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.
Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links. Then check that the canonical result still lies inside the directory you intended, since canonicalization on its own does not reject anything.
Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.
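The canonicalize-then-check step applied to Example 1, as an added example (not from the slides). normalize_path() is a purely lexical normaliser written here so the check can run without a filesystem; it resolves "." and ".." segments but does not follow symbolic links, so on a real system realpath() should be applied to the result as well. safe_report_path() joins the user-supplied name onto the report directory and accepts the result only if it is still strictly below that directory. The base directory is the one from the slide; the file names in the test are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Lexically normalise `path` (must start with '/'): collapse "//", drop
   "." segments and resolve ".." segments. Symbolic links are NOT followed.
   Returns 0 on success, -1 if ".." would climb above the root or the
   output buffer is too small. */
int normalize_path(const char *path, char *out, size_t outsz)
{
    size_t olen = 0;
    const char *p = path;

    if (path[0] != '/' || outsz < 2)
        return -1;
    out[olen++] = '/';
    while (*p) {
        while (*p == '/')
            p++;
        if (!*p)
            break;
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t slen = (size_t)(p - seg);
        if (slen == 1 && seg[0] == '.')
            continue;
        if (slen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (olen == 1)
                return -1;                     /* would escape the root */
            olen--;                            /* drop trailing '/' */
            while (olen > 0 && out[olen - 1] != '/')
                olen--;                        /* back up one segment */
            continue;
        }
        if (olen + slen + 1 >= outsz)
            return -1;
        memcpy(out + olen, seg, slen);
        olen += slen;
        out[olen++] = '/';
    }
    if (olen > 1)
        olen--;                                /* strip trailing '/' */
    out[olen] = '\0';
    return 0;
}

/* Join a user-supplied report name onto `base` (an absolute, non-root
   directory) and verify the normalised result is strictly inside it.
   Returns 0 with the safe path in out, -1 if the input escapes base,
   names base itself, or does not fit. */
int safe_report_path(const char *base, const char *user_name, char *out, size_t outsz)
{
    char joined[512], nbase[512];

    if (snprintf(joined, sizeof joined, "%s/%s", base, user_name) >= (int)sizeof joined)
        return -1;
    if (normalize_path(base, nbase, sizeof nbase) != 0)
        return -1;
    if (normalize_path(joined, out, outsz) != 0)
        return -1;
    size_t blen = strlen(nbase);
    /* require base + "/" + at least one character, so "base" and "base2"
       are both rejected */
    if (strncmp(out, nbase, blen) != 0 || out[blen] != '/' || out[blen + 1] == '\0')
        return -1;
    return 0;
}
```

Note that an absolute user name such as "/etc/passwd" is not honoured: it is joined as an ordinary relative component and stays under the report directory.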
Untrusted Search Path
Weakness Prevalence: Low
Consequences: Code Execution
Ease of Detection: Easy
Remediation Cost: Medium
Attack Frequency: Rarely
Attacker Awareness: High
What is the error?
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.
An attacker could modify that search path to point to a malicious program.
This might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways.
Example Scenario
This program is intended to execute a command that lists the contents of a restricted directory, then performs other actions. Assume that it runs with setuid privileges in order to bypass the permissions check by the operating system.
C Example:
    #define DIR "/restricted/directory"
    char cmd[500];
    sprintf(cmd, "ls -l %480s", DIR);
    /* Raise privileges to those needed for accessing DIR. */
    RaisePrivileges(...);
    system(cmd);
    DropPrivileges(...);
    ...
However, because the program does not modify the PATH environment variable, the following attack would work:
Pseudocode Example:
1. The user sets PATH to reference a directory under that user's control, such as "/my/dir/".
2. The user creates a malicious program called "ls" and puts it in /my/dir.
3. The user executes the program. When system() runs, the shell consults PATH to find the ls program.
4. The shell finds the malicious program, "/my/dir/ls". It doesn't find "/bin/ls" because PATH does not contain "/bin/".
5. The program executes the malicious program with the raised privileges.
How can we avoid it?
Hard-code your search path to a set of known-safe values, or allow them to be specified by the administrator in a configuration file.
Do not allow these settings to be modified by an external party
Sanitize your environment before invoking other programs.
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory
Use functions that take an explicit path. For example, system() in C does not require a full path because the shell searches PATH on its behalf, whereas execl() and execv() run exactly the path they are given and never consult PATH (their execlp() and execvp() variants do search PATH and should be avoided here).
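The three mitigations above (hard-coded search path, sanitised environment, explicit path without a shell) combined, as an added example that is not from the slides. SAFE_PATH, the deny list in path_element_is_safe() and the PATH strings in the test are assumptions chosen for illustration; filter_search_path() implements the "remove unsafe elements" advice and, as the test shows, it cannot recognise an attacker's own absolute directory, which is why the exec itself uses the hard-coded path and environment. run_restricted_listing() replaces the current process on success, so it is not called from the test.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SAFE_PATH "/usr/bin:/bin"   /* hard-coded, administrator-controlled */

/* Return 1 if a PATH element is acceptable: absolute, and not a directory
   an unprivileged user can normally write to. The deny list is a sample. */
int path_element_is_safe(const char *el)
{
    static const char *const unsafe[] = { "/tmp", "/var/tmp", "/dev/shm" };

    if (el[0] != '/')
        return 0;                            /* "" and "." mean the CWD */
    for (size_t i = 0; i < sizeof unsafe / sizeof unsafe[0]; i++) {
        size_t n = strlen(unsafe[i]);
        if (strncmp(el, unsafe[i], n) == 0 && (el[n] == '\0' || el[n] == '/'))
            return 0;
    }
    return 1;
}

/* Copy the safe elements of `path` into out (capacity outsz), colon-joined.
   Returns the number of elements kept, or -1 if out is too small. */
int filter_search_path(const char *path, char *out, size_t outsz)
{
    int kept = 0;
    size_t olen = 0;
    const char *p = path;

    out[0] = '\0';
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char el[256];
        if (len < sizeof el) {
            memcpy(el, p, len);
            el[len] = '\0';
            if (path_element_is_safe(el)) {
                if (olen + len + 2 > outsz)
                    return -1;
                if (kept)
                    out[olen++] = ':';
                memcpy(out + olen, el, len);
                olen += len;
                out[olen] = '\0';
                kept++;
            }
        }
        if (!end)
            break;
        p = end + 1;
    }
    return kept;
}

/* Run "ls -l <dir>" with a sanitised environment, invoking the binary by
   absolute path through execve() so neither the caller's PATH nor a shell
   is involved. Only returns if execve() itself failed. */
int run_restricted_listing(const char *dir)
{
    char *const argv[] = { "ls", "-l", (char *)dir, NULL };
    char *const envp[] = { "PATH=" SAFE_PATH, NULL };   /* nothing inherited */

    /* In the slide's program the privilege raise would happen here. */
    execve("/bin/ls", argv, envp);
    return -1;
}
```

Passing the directory as its own argv element, rather than formatting it into a command string for system(), also removes the shell metacharacter problem that the sprintf() in the slide's code would have if DIR were ever user-influenced.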
Failure to Control Generation of Code (aka 'Code Injection')
Weakness Prevalence: Medium
Consequences: Code Execution
Ease of Detection: Moderate
Remediation Cost: High
Attack Frequency: Sometimes
Attacker Awareness: Medium
What is the error?
The product does not sufficiently filter code (control-plane) syntax from user-controlled input (data plane) when that input is used within code that the product generates.
This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism.
The most classic instantiations of this category of weakness are SQL injection and format string vulnerabilities.
Example Scenario
PHP Example:
    $MessageFile = "cwe-94/messages.out";
    if ($_GET["action"] == "NewMessage") {
        $name = $_GET["name"];
        $message = $_GET["message"];
        $handle = fopen($MessageFile, "a+");
        fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
        fclose($handle);
        echo "Message Saved!<p>\n";
    }
    else if ($_GET["action"] == "ViewMessages") {
        include($MessageFile);
    }
Attack request (URL-encoded parameters):
    name=h4x0r
    message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E
which decodes to
    <?php system("/bin/ls -l");?>
and is appended to messages.out. Because ViewMessages uses include(), the stored message is executed as PHP code the next time the page is viewed.
Live example (SQL injection payload):
    union select 2, concat_ws(char(58),email,password) from user
How can we avoid it?
Refactor your program so that you do not have to dynamically generate code.
Assume all input is malicious. Use an "accept known good" input validation strategy (i.e., use a whitelist). Reject any input that does not strictly conform to specifications, or transform it into something that does. A blacklist of known-bad inputs is useful only as a supplement, to detect attack attempts; do not rely on it alone.
Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your software.
Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
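The "accept known good" strategy applied to the message-board fields, as an added example (not from the slides, and in C rather than the PHP of the example). The first fix for that page is to stop using include() on a data file; the two functions here are the defence in depth the slide recommends: name_is_valid() enforces an assumed allow list of 1 to 32 characters from [A-Za-z0-9_], and html_escape() encodes the free-text message for an HTML context so the stored bytes can never form a PHP open tag or markup. The inputs in the test are the slide's attack payload and constructed strings.

```c
#include <ctype.h>
#include <string.h>

/* Accept-known-good check for the "name" field: 1..32 characters drawn
   from [A-Za-z0-9_] (assumed policy). Anything else, including "<?php",
   is rejected outright rather than cleaned up. */
int name_is_valid(const char *name)
{
    size_t n = strlen(name);

    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_'))
            return 0;
    }
    return 1;
}

/* Encode free text for an HTML context. Every character with meaning in
   markup is replaced, so neither "<?php ... ?>" nor a <script> tag can
   survive into the stored file. Returns 0, or -1 if out (capacity outsz)
   is too small, in which case out is left as an empty string. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;

    out[0] = '\0';
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t r = strlen(rep);
        if (o + r + 1 > outsz) {
            out[0] = '\0';
            return -1;
        }
        memcpy(out + o, rep, r);
        o += r;
    }
    out[o] = '\0';
    return 0;
}
```

Validation and encoding answer different questions: the allow list decides what the name may contain at all, while the escaper makes whatever the message contains inert in the one context (HTML) it will be rendered in. Rendering the file through a different interpreter, as include() does, would need its own encoding, which is why removing include() comes first.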
Download of Code without Integrity Check
Weakness Prevalence: Medium
Consequences: Code Execution
Ease of Detection: Moderate
Remediation Cost: Medium to High
Attack Frequency: Rarely
Attacker Awareness: Low
What is the error?
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
Example Scenario
Java Example:
    URL[] classURLs = new URL[]{ new URL("file:subdir/") };
    URLClassLoader loader = new URLClassLoader(classURLs);
    Class loadedClass = Class.forName("loadMe", true, loader);
The class is loaded and initialized from whatever is found under subdir/, with no check on where that code came from or whether it has been altered.
How can we avoid it?
Perform proper forward and reverse DNS lookups to detect DNS spoofing. This is only a partial solution, since it will not prevent your code from being modified on the hosting site or in transit.
Encrypt the code with a reliable encryption scheme before transmitting. Encryption alone does not prove integrity, so combine it with the signature check below.
Use integrity checking on the transmitted code (cryptographic signatures verified against a key you already trust).
Use code signing technologies such as Authenticode.
Improper Resource Shutdown or Release
Weakness Prevalence: Medium
Consequences: Code Execution, Denial of Service
Ease of Detection: Easy to Moderate
Remediation Cost: Medium
Attack Frequency: Rarely
Attacker Awareness: Low
What is the error?
The program fails to release - or incorrectly releases - a system resource before it is made available for re-use.
When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Example Scenario
In this example, the program fails to use matching functions such as malloc/free, new/delete, and new[]/delete[] to allocate and deallocate the resource.
C++ Example:
    class A { void foo(); };
    void A::foo() {
        int *ptr;
        ptr = (int*)malloc(sizeof(int));
        delete ptr;   // mismatch: memory from malloc() must be released with free()
    }
Refer to the further examples available online.
How can we avoid it?
Use a language with features that can automatically mitigate or eliminate resource-shutdown weaknesses. Languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that are no longer referenced; note that this covers memory only, and files, sockets and locks still have to be closed explicitly.
Memory should be allocated and freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function, including error conditions.
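The "free at every exit point, including error conditions" rule in the single-cleanup-block form, as an added example (not from the slides). parse_pair() is a constructed function that allocates twice and can fail between the two allocations; the tracked_malloc()/tracked_free() wrappers are assumed instrumentation that count live allocations so the test can prove that nothing leaks on either the success or the error paths.

```c
#include <stdlib.h>
#include <string.h>

/* Instrumented allocation (assumed helper) so a test can prove no leak. */
static int live_allocations = 0;

void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        live_allocations++;
    return p;
}

void tracked_free(void *p)
{
    if (p) {
        free(p);
        live_allocations--;
    }
}

int live_allocation_count(void) { return live_allocations; }

/* Parse "key=value" into two freshly allocated strings. Every exit point,
   including the error paths, runs the single cleanup block, so the partial
   allocation made before an error is released. Returns 0 on success and
   hands both strings to the caller; -1 on error with both outputs NULL. */
int parse_pair(const char *input, char **key_out, char **val_out)
{
    int rc = -1;
    char *key = NULL, *val = NULL;
    const char *eq = strchr(input, '=');

    *key_out = *val_out = NULL;
    if (eq == NULL || eq == input)
        goto cleanup;                    /* malformed: nothing allocated yet */

    key = tracked_malloc((size_t)(eq - input) + 1);
    if (key == NULL)
        goto cleanup;
    memcpy(key, input, (size_t)(eq - input));
    key[eq - input] = '\0';

    if (eq[1] == '\0')
        goto cleanup;                    /* empty value: key must be freed */
    val = tracked_malloc(strlen(eq + 1) + 1);
    if (val == NULL)
        goto cleanup;
    strcpy(val, eq + 1);

    *key_out = key;                      /* ownership passes to the caller */
    *val_out = val;
    key = val = NULL;                    /* so cleanup does not free them */
    rc = 0;

cleanup:
    tracked_free(key);                   /* no-ops on success, frees on error */
    tracked_free(val);
    return rc;
}

/* Release a pair obtained from parse_pair() with the matching function. */
void free_pair(char *key, char *val)
{
    tracked_free(key);
    tracked_free(val);
}
```

The pattern generalises to any resource with a release function (file descriptors, locks, database handles): one label, releases in reverse order of acquisition, and every pointer initialised to a value the release function treats as a no-op.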
Improper Initialization
Weakness Prevalence: Medium
Consequences: Code Execution, Data Loss
Ease of Detection: Easy
Remediation Cost: Low
Attack Frequency: Sometimes
Attacker Awareness: Low
What is the error?
The software does not follow the proper procedures for initializing a resource, which might leave the resource in an improper state when it is accessed or used.
This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.
Example Scenario
Example 1: Here, a boolean initialized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
Java Example:
    private boolean initialized = true;
    public void someMethod() {
        if (!initialized) {
            // perform initialization tasks
            ...
            initialized = true;
        }
    }
Example 2: The following code intends to limit certain operations to the administrator only.
Perl Example:
    $username = GetCurrentUser();
    $state = GetStateData($username);
    if (defined($state)) {
        $uid = ExtractUserID($state);
    }
    # do stuff
    if ($uid == 0) {
        DoAdminThings();
    }
If no state data exists for the user, $uid is never assigned. Perl treats the undefined value as 0 in the numeric comparison, so the check succeeds and an unprivileged user reaches DoAdminThings().
How can we avoid it?
Use a language with features that can automatically mitigate or eliminate weaknesses related to initialization.
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
Avoid race conditions during initialization routines
Run or compile your software with settings that generate warnings about uninitialized variables or data.
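Both examples restated with explicit, fail-closed initialization, as an added example that is not from the slides. lookup_uid() mirrors the Perl flow but sets its output to an assumed UID_NONE sentinel before any lookup, so a missing record can never compare equal to uid 0; ensure_initialized() mirrors the Java guard with a struct whose flag starts false (zero-initialised) instead of true. The user table and the service fields are constructed sample data.

```c
#include <string.h>

#define UID_NONE (-1)   /* sentinel: no identity established */

/* Constructed sample state store: username -> uid. "root" is uid 0. */
struct user_state { const char *name; int uid; };
static const struct user_state STATE[] = { { "root", 0 }, { "bob", 1001 } };

/* Counterpart of the Perl example's GetStateData()/ExtractUserID() path.
   The result is set to UID_NONE before the lookup, so "no state" and
   "uid 0" are distinguishable. Returns 1 if state was found, 0 otherwise. */
int lookup_uid(const char *username, int *uid_out)
{
    *uid_out = UID_NONE;                       /* explicit, fail-closed default */
    for (size_t i = 0; i < sizeof STATE / sizeof STATE[0]; i++) {
        if (strcmp(STATE[i].name, username) == 0) {
            *uid_out = STATE[i].uid;
            return 1;
        }
    }
    return 0;
}

/* Admin check that requires both an established identity and uid 0. */
int may_do_admin_things(const char *username)
{
    int uid;

    if (!lookup_uid(username, &uid))
        return 0;                              /* no state: not an admin */
    return uid == 0;
}

/* Counterpart of the Java example. A zero-initialised struct starts with
   initialized == 0, so the once-only block really runs once; the Java
   bug was the field initialiser that set the flag to true. */
struct service { int initialized; int init_runs; int max_sessions; };

int ensure_initialized(struct service *s)
{
    if (!s->initialized) {
        s->max_sessions = 100;                 /* the real initialization work */
        s->init_runs++;
        s->initialized = 1;
    }
    return s->init_runs;                       /* 1 after any number of calls */
}
```

The sentinel has to be a value that no legitimate user can hold; on POSIX systems uid_t is unsigned, so a real implementation would carry a separate "found" flag rather than overload the id, which is what lookup_uid()'s return value does.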
Incorrect Calculation
Weakness Prevalence: High
Consequences: Code Execution, Denial of Service, Data Loss
Ease of Detection: Easy to Difficult
Remediation Cost: Low
Attack Frequency: Often
Attacker Awareness: Medium
What is the error?
The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
When software performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons among other things.
What is the error? (contd..)
Many of the direct results of an incorrect calculation can lead to even larger problems such as failed protection mechanisms or even arbitrary code execution.
Example Scenario
This code attempts to calculate a football team's average number of yards gained per touchdown.
Java Example:
    ...
    int touchdowns = team.getTouchdowns();
    int yardsGained = team.getTotalYardage();
    System.out.println(team.getName() + " averages " + yardsGained / touchdowns
        + " yards gained for every touchdown scored");
    ...
The code does not consider the event that the team being queried has not scored a touchdown but has gained yardage. In that case, we should expect an ArithmeticException to be thrown by the JVM. This could lead to a loss of availability if our error handling code is not set up correctly.
C Example:
    inv_item_t *table_ptr;   /* 10kb struct containing item info */
    int num_items;
    ...
    num_items = get_num_items();
    table_ptr = (inv_item_t*)malloc(sizeof(inv_item_t)*num_items);
    ...
This code intends to allocate a table of num_items entries; however, as num_items grows large, the multiplication sizeof(inv_item_t)*num_items eventually overflows, so malloc() returns a buffer much smaller than expected and later writes into the table run past its end. Because num_items is a signed int, a negative value is also converted to a huge size_t.
How can we avoid it ?
Perform input validation on any numeric inputs by ensuring that they are within the expected range.
Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity.
Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++)
Understand your programming language's underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how your language handles numbers that are too large or too small for its underlying representation.
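The two calculations from the Example Scenario done safely, as an added example (not from the slides). mul_size_checked() is the overflow test for the allocation size; alloc_table() wraps it for the slide's signed num_items, rejecting negative counts and an assumed application limit MAX_ITEMS, since an allocation that merely fits in size_t can still exhaust memory; average_yards() is the division guard the Java example lacks. The item size in the test (10240 bytes, the slide's "10kb struct") and the counts are constructed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Compute count * size without overflow. Returns 1 and stores the product,
   or 0 if it would not fit in size_t (product is left unchanged). */
int mul_size_checked(size_t count, size_t size, size_t *product)
{
    if (size != 0 && count > SIZE_MAX / size)
        return 0;
    *product = count * size;
    return 1;
}

#define MAX_ITEMS 100000   /* assumed application limit */

/* Safe replacement for the slide's malloc(sizeof(inv_item_t) * num_items).
   num_items keeps the signed int type the slide's code uses; negative
   values, absurd counts and products that overflow are all rejected before
   malloc() sees a size. Returns NULL on rejection or allocation failure. */
void *alloc_table(int num_items, size_t item_size)
{
    size_t bytes;

    if (num_items < 0 || num_items > MAX_ITEMS)
        return NULL;
    if (!mul_size_checked((size_t)num_items, item_size, &bytes))
        return NULL;
    return malloc(bytes);
}

/* Division guard for the Java example. Returns 1 and stores the average,
   or 0 when no touchdowns were scored (avg is left unchanged). The <= 0
   test also excludes negative counts, which would be an upstream bug. */
int average_yards(int yards, int touchdowns, int *avg)
{
    if (touchdowns <= 0)
        return 0;
    *avg = yards / touchdowns;
    return 1;
}
```

calloc(count, size) performs the same overflow check internally in modern libc implementations and is the simplest option when zero-filled memory is acceptable; the explicit check above is what to use when malloc() or realloc() is required.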
Viruses to laugh at
Airline Virus: You're in Dallas, but your data is in Singapore.
Health Care Virus: Tests your system for a day, finds nothing wrong, and sends you a bill for $4,500.
Joey Buttafuoco Virus: Only attacks minor files.
Disney Virus: Everything in the computer goes Goofy.
Ellen Degeneres Virus: Your IBM suddenly claims it's a MAC.
Questions & Comments ???
THANK YOU for your time !!!