Risky Resource Management Presented by Sandeep Naidu for CS585 – Introduction to Computer Security

Page 1

Risky Resource Management
Presented by Sandeep Naidu
for CS585 – Introduction to Computer Security

Page 2

A few things every netizen/security person should remember

“ Internet was not built keeping security in mind; it was built keeping functionality as its target.”

- Anonymous

“No system in this world is completely secure. A system will be resistant against some attacks; it is then analyzed and found to be vulnerable to some other attacks and the process goes on...”

- Sandeep Naidu

Page 3

Overview

What is it?

What does it do?

What can we do? (to prevent/mitigate it)

How can we do it?

Note: "it" refers to the problem we will be talking about.

Page 4

Programming Errors we will look at

Failure to Constrain Operations within the Bounds of a Memory Buffer

External Control of Critical State Data

External Control of File Name or Path

Untrusted Search Path

Failure to Control Generation of Code (aka 'Code Injection')

Download of Code Without Integrity Check

Improper Resource Shutdown or Release

Improper Initialization

Incorrect Calculation

Page 5

What are these?

“These are errors/weaknesses related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.”

Page 6

Failure to Constrain Operations within the Bounds of a Memory Buffer

Weakness Prevalence: High
Consequences: Code Execution, Denial of Service, Data Loss
Ease of Detection: Easy to Moderate
Remediation Cost: Low
Attack Frequency: Often
Attacker Awareness: High

Page 7

What is the error?

When software permits read or write operations on memory located outside of an allocated range, an attacker may be able to access/modify sensitive information, cause the system to crash, alter the intended control flow, or execute arbitrary code.

Page 8

Example Scenario

This example takes an IP address from a user, verifies that it is well formed, and then looks up the hostname and copies it into a buffer.

C Example:

#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>

void host_lookup(char *user_supplied_addr) {
    struct hostent *hp;
    in_addr_t addr;
    char hostname[64];

    /* routine that ensures user_supplied_addr is in the right format for conversion */
    validate_addr_form(user_supplied_addr);
    addr = inet_addr(user_supplied_addr);
    hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
    if (hp == NULL)
        return;
    /* unbounded copy: h_name may be longer than the 64-byte buffer */
    strcpy(hostname, hp->h_name);
}

This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then we may overwrite sensitive data or even relinquish control flow to the attacker.

Page 9

What can we do to avoid it?

Use:
- languages (Java, Perl) that do their own memory management
- libraries or frameworks (the C string library SafeStr and Strsafe.h from Microsoft)
- compilers (Visual Studio from Microsoft)
- automated static analysis tools
which can mitigate or eliminate these buffer overflows.

Check that the buffer is as large as the copy requires before calling functions such as strcpy().

If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
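Added example (not from the slides): the bounded copies that the list above calls for, applied to the host_lookup() scenario. constructed_resolve() is a stand-in for gethostbyaddr() so the code runs offline; the address-to-name mapping it returns is constructed for this example, and every function name here is an assumption of the example rather than an API from the presentation.

```c
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 64   /* same buffer size as the slide's host_lookup() */

/* Bounded replacement for strcpy(hostname, hp->h_name): refuses a name
   that does not fit instead of writing past the end of dst.
   Returns 0 on success, -1 if src plus its NUL exceeds dstsize; on
   failure dst is set to "" so a caller can never use a partial name. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0) return -1;
    if (len >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Truncating alternative (the slide's "truncate input to a reasonable
   length"): always NUL-terminates; returns 1 if truncation occurred. */
int copy_truncating(char *dst, size_t dstsize, const char *src)
{
    int n;
    if (dstsize == 0) return 1;
    n = snprintf(dst, dstsize, "%s", src);
    return (n < 0 || (size_t)n >= dstsize) ? 1 : 0;
}

/* Constructed stand-in for gethostbyaddr()->h_name so the example runs
   offline: one address maps to a short name, every other address to a
   199-character name that would overflow the 64-byte buffer. */
const char *constructed_resolve(const char *addr)
{
    static char long_name[200];
    if (strcmp(addr, "192.0.2.1") == 0) return "host.example";
    memset(long_name, 'a', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    return long_name;
}

/* Hardened host_lookup(): same 64-byte local buffer, but the copy is
   bounded. Returns the stored name length, or -1 if the resolved name
   was rejected because it would not fit. */
long host_lookup_safe(const char *user_supplied_addr)
{
    char hostname[HOSTNAME_MAX];
    const char *h_name = constructed_resolve(user_supplied_addr);
    if (copy_bounded(hostname, sizeof hostname, h_name) != 0)
        return -1;
    return (long)strlen(hostname);
}

/* Same lookup, truncating instead of rejecting; returns the stored length
   (at most HOSTNAME_MAX - 1). */
long host_lookup_truncating(const char *user_supplied_addr)
{
    char hostname[HOSTNAME_MAX];
    copy_truncating(hostname, sizeof hostname, constructed_resolve(user_supplied_addr));
    return (long)strlen(hostname);
}

int main(void)
{
    printf("short name stored, length %ld\n", host_lookup_safe("192.0.2.1"));
    printf("long name: checked copy -> %ld, truncating copy -> %ld\n",
           host_lookup_safe("198.51.100.7"), host_lookup_truncating("198.51.100.7"));
    return 0;
}
```

Rejecting is the safer default: a truncated hostname is well formed but wrong, which matters if the name later feeds a security decision such as a host-based allow list.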

Page 10

External control of Critical State Data

Weakness Prevalence: High
Consequences: Security Bypass, Code Execution, Data Loss
Ease of Detection: Easy
Remediation Cost: Medium
Attack Frequency: Often
Attacker Awareness: High

Page 11

What is the error?

The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors.

Page 12

Example Scenario

An application may perform authentication, then save the state in an "authenticated=true" cookie. An attacker may simply create this cookie in order to bypass the authentication.

An authentication flag is read from a browser cookie, thus allowing for external control of user state data.

Java Example:

Cookie[] cookies = request.getCookies();
for (int i = 0; i < cookies.length; i++) {
    Cookie c = cookies[i];
    // the cookie value is client-controlled, so anyone can satisfy this check
    if (c.getName().equals("authenticated") && "true".equals(c.getValue())) {
        authenticated = true;
    }
}

Page 13

How can we avoid it?

Understand all the potential locations that are accessible to attackers.

Do not keep state information on the client without using encryption and integrity checking, or otherwise having a mechanism on the server side to catch state tampering.

Store state information on the server side only. With a stateless protocol such as HTTP, use a framework that maintains the state for you (examples include ASP.NET View State and the OWASP ESAPI Session Management feature).

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side

Page 14

External Control of Filename or Path

Weakness Prevalence: High
Consequences: Code Execution, Data Loss
Ease of Detection: Easy
Remediation Cost: Medium
Attack Frequency: Often
Attacker Awareness: High

Page 15

What is the error?

The software allows user input to control or influence paths that are used in filesystem operations.

This could allow an attacker to access or modify system files or other files that are critical to the application.

Page 16

When can it happen?

Path manipulation errors occur when the following two conditions are met:

1. An attacker can specify a path used in an operation on the filesystem.

2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

Page 17

Example Scenario

Example 1: The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22).

Java Example:

String rName = request.getParameter("reportName");
File rFile = new File("/usr/local/apfr/reports/" + rName);
...
rFile.delete();

Example 2: The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.

Java Example:

fis = new FileInputStream(cfg.getProperty("sub") + ".txt");
amt = fis.read(arr);
out.println(arr);

Page 18

How can we avoid it?

Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system

When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.

Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links

Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.
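Added example (not part of the presentation) for the mapping and canonicalization points above, in C. report_for_id() is the fixed-ID-to-filename mapping; resolve_under_base() is a lexical canonicalizer written for this example (realpath(), which the slide names, additionally resolves symbolic links but requires the path to exist). The function names and sample inputs are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define REPORT_DIR "/usr/local/apfr/reports"   /* base directory from the slide */
#define MAX_SEGS 64

/* Indirect reference map (the ESAPI AccessReferenceMap idea): fixed IDs
   map to fixed filenames; every other ID is rejected with NULL. */
const char *report_for_id(int id)
{
    static const char *const names[] = { NULL, "inbox.txt", "profile.txt" };
    int count = (int)(sizeof names / sizeof names[0]);
    if (id < 1 || id >= count) return NULL;
    return names[id];
}

/* Lexical canonicalization of an untrusted relative path: collapses "."
   and ".." segments and refuses anything that is absolute or would climb
   above base. Writes "base/normalized" into out.
   Returns 0 on success, -1 on rejection or if out is too small. */
int resolve_under_base(const char *base, const char *rel, char *out, size_t outsz)
{
    const char *seg_start[MAX_SEGS];
    size_t seg_len[MAX_SEGS];
    int depth = 0, n, i;
    size_t used;
    const char *p = rel;

    if (rel[0] == '/') return -1;                  /* absolute paths are not allowed */
    while (*p) {
        const char *start;
        size_t len;
        while (*p == '/') p++;                     /* skip empty segments */
        if (!*p) break;
        start = p;
        while (*p && *p != '/') p++;
        len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return -1;             /* would escape base */
            depth--;
            continue;
        }
        if (depth >= MAX_SEGS) return -1;
        seg_start[depth] = start;
        seg_len[depth] = len;
        depth++;
    }
    if (depth == 0) return -1;                     /* must name a file */

    n = snprintf(out, outsz, "%s", base);
    if (n < 0 || (size_t)n >= outsz) return -1;
    used = (size_t)n;
    for (i = 0; i < depth; i++) {
        n = snprintf(out + used, outsz - used, "/%.*s", (int)seg_len[i], seg_start[i]);
        if (n < 0 || (size_t)n >= outsz - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Convenience wrapper: resolved report path (static buffer) or NULL. */
const char *resolve_report(const char *rel)
{
    static char buf[512];
    return resolve_under_base(REPORT_DIR, rel, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* constructed inputs, including the slide's traversal string */
    const char *tests[] = { "q1/../monthly.txt", "../../tomcat/conf/server.xml",
                            "/etc/passwd", "./a/b/../c.txt" };
    size_t i;
    for (i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        const char *r = resolve_report(tests[i]);
        printf("%-32s -> %s\n", tests[i], r ? r : "REJECTED");
    }
    printf("id 2 -> %s, id 9 -> %s\n", report_for_id(2), report_for_id(9) ? "?" : "REJECTED");
    return 0;
}
```

When the file set is small and known, the ID mapping is the stronger choice, because no user-supplied string ever reaches the filesystem API; the canonicalizer is for cases where arbitrary names under one directory must be accepted.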

Page 19

Untrusted Search Path

Weakness Prevalence: Low
Consequences: Code Execution
Ease of Detection: Easy
Remediation Cost: Medium
Attack Frequency: Rarely
Attacker Awareness: High

Page 20

What is the error?

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

An attacker could modify that search path to point to a malicious program.

This might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways.

Page 21

Example Scenario

This program is intended to execute a command that lists the contents of a restricted directory, then performs other actions. Assume that it runs with setuid privileges in order to bypass the permissions check by the operating system.

C Example:

#define DIR "/restricted/directory"
char cmd[500];
sprintf(cmd, "ls -l %480s", DIR);
/* Raise privileges to those needed for accessing DIR. */
RaisePrivileges(...);
system(cmd);
DropPrivileges(...);
...

However, because the program does not modify the PATH environment variable, the following attack would work:

PseudoCode Example:

1. The user sets the PATH to reference a directory under that user's control, such as "/my/dir/".
2. The user creates a malicious program called "ls", and puts that program in /my/dir.
3. The user executes the program.
4. When system() is executed, the shell consults the PATH to find the ls program.
5. The program finds the malicious program, "/my/dir/ls". It doesn't find "/bin/ls" because PATH does not contain "/bin/".
6. The program executes the malicious program with the raised privileges.

Page 22

How can we avoid it?

Hard-code your search path to a set of known-safe values, or allow them to be specified by the administrator in a configuration file.

Do not allow these settings to be modified by an external party

Sanitize your environment before invoking other programs.

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory

Use other functions that require explicit paths. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
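Added example (not from the slides): a PATH sanitizer and a version of the slide's directory listing that uses execve() with an absolute program path and a fixed environment, which is the "sanitize your environment" and "explicit paths" advice above in code. unsafe_path_element(), sanitize_path() and list_restricted_dir() are names chosen for this example, the RaisePrivileges()/DropPrivileges() steps from the slide are omitted, and the sample PATH value is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Nonzero if a PATH element should be dropped: empty (the shell treats it
   as the current directory), relative, or a world-writable temp location. */
int unsafe_path_element(const char *elem)
{
    if (elem[0] != '/') return 1;
    if (strcmp(elem, "/tmp") == 0 || strncmp(elem, "/tmp/", 5) == 0) return 1;
    if (strcmp(elem, "/var/tmp") == 0 || strncmp(elem, "/var/tmp/", 9) == 0) return 1;
    return 0;
}

/* Copies a PATH value into out keeping only the safe elements.
   Returns the number of elements kept, or -1 if out is too small. */
int sanitize_path(const char *path, char *out, size_t outsz)
{
    size_t used = 0;
    int kept = 0;
    const char *p = path;

    if (outsz == 0) return -1;
    out[0] = '\0';
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char elem[256];
        if (len < sizeof elem) {              /* oversized elements are dropped */
            memcpy(elem, p, len);
            elem[len] = '\0';
            if (!unsafe_path_element(elem)) {
                int n = snprintf(out + used, outsz - used, "%s%s", kept ? ":" : "", elem);
                if (n < 0 || (size_t)n >= outsz - used) return -1;
                used += (size_t)n;
                kept++;
            }
        }
        if (!end) break;
        p = end + 1;
    }
    return kept;
}

/* Wrapper returning the sanitized PATH in a static buffer (NULL on error). */
const char *sanitized_path(const char *path)
{
    static char buf[1024];
    return sanitize_path(path, buf, sizeof buf) < 0 ? NULL : buf;
}

/* The slide's "ls -l DIR" done the safe way: the program is named by an
   absolute path and the child receives a minimal, fixed environment, so
   nothing the caller placed in PATH (or IFS) decides what runs.
   Returns the child's exit status, or -1 on failure. */
int list_restricted_dir(const char *dir)
{
    char *const argv[] = { "ls", "-l", (char *)dir, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/bin/ls", argv, envp);
        _exit(127);                            /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("sanitized: %s\n", sanitized_path("/my/dir::./bin:/tmp:/usr/bin:/bin"));
    printf("ls exit status: %d\n", list_restricted_dir("/"));
    return 0;
}
```

Note the limit of sanitizing alone: the filter drops the empty element, "./bin" and "/tmp", but it cannot know that an absolute directory such as /my/dir belongs to the caller. That is why hard-coding the search path and invoking programs by absolute path with execve() are the stronger fixes; the sanitizer is a fallback for code that must still call through the shell.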

Page 23

Failure to Control Generation of Code (aka 'Code Injection')

Weakness Prevalence: Medium
Consequences: Code Execution
Ease of Detection: Moderate
Remediation Cost: High
Attack Frequency: Sometimes
Attacker Awareness: Medium

Page 24

What is the error?

The product does not sufficiently filter code (control-plane) syntax from user-controlled input (data plane) when that input is used within code that the product generates.

This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism.

The most classic instantiations of this category of weakness are SQL injection and format string vulnerabilities.

Page 25

Example Scenario

PHP Example:

$MessageFile = "cwe-94/messages.out";
if ($_GET["action"] == "NewMessage") {
    $name = $_GET["name"];
    $message = $_GET["message"];
    $handle = fopen($MessageFile, "a+");
    fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
    fclose($handle);
    echo "Message Saved!<p>\n";
}
else if ($_GET["action"] == "ViewMessages") {
    include($MessageFile);
}

A request with the parameters name=h4x0r and message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E stores the following in the message file, which include() then executes as PHP when the messages are viewed:

<?php system("/bin/ls -l");?>

Live example (SQL injection): union select 2, concat_ws(char(58),email,password) from user

Page 26

How can we avoid it?

Refactor your program so that you do not have to dynamically generate code.

Assume all input is malicious. Use an "accept known good" input validation strategy (i.e., use a whitelist). Reject any input that does not strictly conform to specifications, or transform it into something that does. Use a blacklist to reject any unexpected inputs and detect potential attacks.

Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your software.

Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection
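Added example (not from the slides): the "transform it into something that does conform" option applied to the PHP message board above, written in C like the other added examples on this page. html_escape() and format_message_line() are names chosen here, and the sample input is constructed to mirror the slide's request parameters.

```c
#include <stdio.h>
#include <string.h>

/* Escapes the characters that let stored text be read as markup or as a
   PHP tag (& < > " '). Returns 0, or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    for (; *in; in++) {
        char one[2];
        const char *rep;
        size_t rl;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:
            one[0] = *in;
            one[1] = '\0';
            rep = one;
        }
        rl = strlen(rep);
        if (used + rl >= outsz) return -1;
        memcpy(out + used, rep, rl);
        used += rl;
    }
    if (used >= outsz) return -1;
    out[used] = '\0';
    return 0;
}

/* Builds one line for the message file from an untrusted name and message,
   escaping both before they are placed into the template. Returns 0 or -1. */
int format_message_line(const char *name, const char *message, char *out, size_t outsz)
{
    char en[256], em[1024];
    int n;
    if (html_escape(name, en, sizeof en) != 0) return -1;
    if (html_escape(message, em, sizeof em) != 0) return -1;
    n = snprintf(out, outsz, "<b>%s</b> says '%s'<hr>\n", en, em);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Wrapper returning the line in a static buffer (NULL on error). */
const char *message_line(const char *name, const char *message)
{
    static char buf[2048];
    return format_message_line(name, message, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* constructed input mirroring the slide's request parameters */
    const char *line = message_line("h4x0r", "<?php system(\"/bin/ls -l\");?>");
    fputs(line ? line : "rejected\n", stdout);
    return 0;
}
```

Escaping closes the write path, but the first bullet above is the more important half of the fix: the view path should read the message file as data (for example with readfile()) rather than include() it, so nothing stored there can ever be interpreted as code.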

Page 27

Download of Code without Integrity Check

Weakness Prevalence: Medium
Consequences: Code Execution
Ease of Detection: Moderate
Remediation Cost: Medium to High
Attack Frequency: Rarely
Attacker Awareness: Low

Page 28

What is the error?

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Page 29

Example Scenario

Java Example:

URL[] classURLs = new URL[]{ new URL("file:subdir/") };
URLClassLoader loader = new URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader);

Page 30

How can we avoid it?

Perform proper forward and reverse DNS lookups to detect DNS spoofing. This is only a partial solution since it will not prevent your code from being modified on the hosting site or in transit.

Encrypt the code with a reliable encryption scheme before transmitting.

Use integrity checking on the transmitted code (using cryptographic signatures).

Use code signing technologies such as Authenticode

Page 31

Improper Resource Shutdown or Release

Weakness Prevalence: Medium
Consequences: Code Execution, Denial of Service
Ease of Detection: Easy to Moderate
Remediation Cost: Medium
Attack Frequency: Rarely
Attacker Awareness: Low

Page 32

What is the error?

The program fails to release - or incorrectly releases - a system resource before it is made available for re-use.

When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.

Page 33

Example Scenario

In this example, the program fails to use matching functions such as malloc/free, new/delete, and new[]/delete[] to allocate/deallocate the resource.

C++ Example:

class A {
    void foo();
};

void A::foo() {
    int *ptr;
    ptr = (int*)malloc(sizeof(int));
    delete ptr;   // mismatch: memory from malloc() must be released with free()
}

Refer to a few more good examples online.

Page 34

How can we avoid it?

Use a language with features that can automatically mitigate or eliminate resource-shutdown weaknesses (languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases the memory of objects that are no longer reachable). Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].

When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.

It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions
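Added example (not from the slides) for the points above: a composite object whose release disposes of its members, and a function with an error condition that still frees everything it allocated by routing every return through one cleanup label. The tracked_malloc()/tracked_free() counters and all names are constructs of this example, and the "error" is simulated.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counters wrapping malloc/free so the example can show that every exit
   path leaves no allocation behind. */
static int live_allocations = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p) live_allocations++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) {
        free(p);
        live_allocations--;
    }
}

int live_allocation_count(void) { return live_allocations; }

/* A composite object: releasing it must release its members too. */
struct record {
    char *name;
    int *values;
    size_t count;
};

struct record *record_new(const char *name, size_t count)
{
    struct record *r = tracked_malloc(sizeof *r);
    if (!r) return NULL;
    r->name = tracked_malloc(strlen(name) + 1);
    r->values = tracked_malloc(count * sizeof *r->values);
    if (!r->name || !r->values) {        /* partial construction: undo all of it */
        tracked_free(r->name);
        tracked_free(r->values);
        tracked_free(r);
        return NULL;
    }
    strcpy(r->name, name);
    memset(r->values, 0, count * sizeof *r->values);
    r->count = count;
    return r;
}

void record_free(struct record *r)
{
    if (!r) return;
    tracked_free(r->values);             /* members first ... */
    tracked_free(r->name);
    tracked_free(r);                     /* ... then the object itself */
}

/* Builds a record and an upper-case copy of its name, then "fails" when
   the name exceeds max_len: a simulated error condition that occurs after
   two allocations are live. The single cleanup label guarantees both are
   released on every return. Returns 0 on success, -1 on error. */
int process_record(const char *name, size_t max_len)
{
    int rc = -1;
    size_t i, len = strlen(name);
    char *upper = NULL;
    struct record *r = record_new(name, 4);
    if (!r) goto cleanup;
    upper = tracked_malloc(len + 1);
    if (!upper) goto cleanup;
    for (i = 0; i <= len; i++)
        upper[i] = (char)toupper((unsigned char)r->name[i]);
    if (len > max_len) goto cleanup;     /* error path with two live allocations */
    rc = 0;
cleanup:
    tracked_free(upper);
    record_free(r);
    return rc;
}

int main(void)
{
    printf("ok path: rc=%d, live=%d\n", process_record("widget", 16), live_allocation_count());
    printf("error path: rc=%d, live=%d\n",
           process_record("widget-with-a-long-name", 8), live_allocation_count());
    return 0;
}
```

The counter is what a practitioner would check in a unit test or under a leak checker: after both the success path and the error path it must read zero.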

Page 35

Improper Initialization

Weakness Prevalence: Medium
Consequences: Code Execution, Data Loss
Ease of Detection: Easy
Remediation Cost: Low
Attack Frequency: Sometimes
Attacker Awareness: Low

Page 36

What is the error?

The software does not follow the proper procedures for initializing a resource, which might leave the resource in an improper state when it is accessed or used.

This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.

Page 37

Example Scenario

Example 1: Here, a boolean initialized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.

Java Example:

private boolean initialized = true;

public void someMethod() {
    if (!initialized) {
        // perform initialization tasks
        ...
        initialized = true;
    }
}

Example 2: The following code intends to limit certain operations to the administrator only. If GetStateData() returns nothing, $uid is never assigned; Perl treats the undefined value as 0 in the numeric comparison, so a user with no state data passes the administrator check.

Perl Example:

$username = GetCurrentUser();
$state = GetStateData($username);
if (defined($state)) {
    $uid = ExtractUserID($state);
}
# do stuff
if ($uid == 0) {
    DoAdminThings();
}

Page 38

How can we avoid it?

Use a language with features that can automatically mitigate or eliminate weaknesses related to initialization.

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

Page 39

Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.

Avoid race conditions during initialization routines

Run or compile your software with settings that generate warnings about uninitialized variables or data.

Page 40

Incorrect Calculation

Weakness Prevalence: High
Consequences: Code Execution, Denial of Service, Data Loss
Ease of Detection: Easy to Difficult
Remediation Cost: Low
Attack Frequency: Often
Attacker Awareness: Medium

Page 41

What is the error?

The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

When software performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons among other things.

Page 42

What is the error? (contd..)

Many of the direct results of an incorrect calculation can lead to even larger problems such as failed protection mechanisms or even arbitrary code execution.

Page 43

Example Scenario

This code attempts to calculate a football team's average number of yards gained per touchdown.

Java Example:

...
int touchdowns = team.getTouchdowns();
int yardsGained = team.getTotalYardage();
System.out.println(team.getName() + " averages " + yardsGained / touchdowns
    + " yards gained for every touchdown scored");
...

The code does not consider the event that the team they are querying has not scored a touchdown, but has gained yardage. In that case, we should expect an ArithmeticException to be thrown by the JVM. This could lead to a loss of availability if our error handling code is not set up correctly.

C Example:

inv_item_t *table_ptr;   /* 10kb struct containing item info */
int num_items;
...
num_items = get_num_items();
table_ptr = (inv_item_t*)malloc(sizeof(inv_item_t)*num_items);
...

This code intends to allocate a list of length num_items; however, as num_items grows large, the calculation determining the size of the list will eventually overflow.

Page 44

How can we avoid it?

Perform input validation on any numeric inputs by ensuring that they are within the expected range.

Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity.

Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences. Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).

Page 45

Understand your programming language's underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how your language handles numbers that are too large or too small for its underlying representation.
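Added example (not from the slides) covering the allocation and division scenarios above together with the range-validation and signed/unsigned advice: an overflow check on the size calculation before malloc(), rejection of a negative count before it is converted to size_t, and a guarded division for the touchdown average. inv_item_t is declared here as a 10 KB struct to match the slide; the other names and the limits are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { unsigned char info[10 * 1024]; } inv_item_t;   /* 10 KB item record, as on the slide */

/* Returns 1 and stores count * elem_size in *bytes if the product fits in
   size_t; returns 0 when it would wrap around. */
int checked_mul_size(size_t count, size_t elem_size, size_t *bytes)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return 0;
    *bytes = count * elem_size;
    return 1;
}

/* Convenience predicate: 1 if count * elem_size would overflow. */
int mul_overflows(size_t count, size_t elem_size)
{
    size_t unused;
    return !checked_mul_size(count, elem_size, &unused);
}

/* Allocates the item table only when the size calculation cannot overflow
   and num_items is within an explicit policy limit (input range validation). */
inv_item_t *alloc_items(size_t num_items, size_t max_items)
{
    size_t bytes;
    if (num_items == 0 || num_items > max_items) return NULL;
    if (!checked_mul_size(num_items, sizeof(inv_item_t), &bytes)) return NULL;
    return malloc(bytes);
}

/* The slide's get_num_items() returns a signed int; converting a negative
   value to size_t yields a huge number, so reject it before conversion. */
inv_item_t *alloc_items_from_int(int num_items, size_t max_items)
{
    if (num_items <= 0) return NULL;
    return alloc_items((size_t)num_items, max_items);
}

/* Tries an allocation, frees it, and reports whether it was permitted. */
int alloc_items_ok(int num_items, size_t max_items)
{
    inv_item_t *t = alloc_items_from_int(num_items, max_items);
    if (!t) return 0;
    free(t);
    return 1;
}

/* Average yards per touchdown with the zero-touchdown case handled:
   returns the average, or -1 when touchdowns <= 0 or yards < 0. */
int average_yards(int yards, int touchdowns)
{
    if (touchdowns <= 0 || yards < 0) return -1;
    return yards / touchdowns;
}

int main(void)
{
    printf("3 items: %s\n", alloc_items_ok(3, 1000) ? "allocated" : "rejected");
    printf("-1 items: %s\n", alloc_items_ok(-1, 1000) ? "allocated" : "rejected");
    printf("overflow check for (SIZE_MAX/2+1) * 4: %d\n", mul_overflows(SIZE_MAX / 2 + 1, 4));
    printf("avg 350/5 = %d, avg 120/0 = %d\n", average_yards(350, 5), average_yards(120, 0));
    return 0;
}
```

The policy limit (max_items) matters as much as the overflow check: a count that does not overflow size_t can still request gigabytes, so range validation and arithmetic checking are applied together.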

Page 46

Viruses to laugh at

Airline Virus: You're in Dallas, but your data is in Singapore.

Health Care Virus: Tests your system for a day, finds nothing wrong, and sends you a bill for $4,500.

Joey Buttafuoco Virus: Only attacks minor files.

Disney Virus: Everything in the computer goes Goofy.

Ellen Degeneres Virus: Your IBM suddenly claims it's a MAC.

Page 47

Questions & Comments ???

THANK YOU for your time !!!