Course 2: Programming Issues, Section 6
Pascal Meunier, Ph.D., M.Sc., CISSP
May 2004; updated September 28, 2004
Developed thanks to the support of Symantec Corporation, NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center
Copyright (2004) Purdue Research Foundation. All rights reserved.
About These Slides
Developed thanks to Symantec’s support
Reviewed by Symantec engineers
– Special thanks to:
Jared Robinson
Alan Krassowski
Craig Ozancin
Free to use
– Notes, comments, suggestions, or modified slides are appreciated ([email protected])
If you modify them, please keep this slide and add a note stating that you modified them
Course 2 Learning Plan
Buffer Overflows
Format String Vulnerabilities
Code Injection and Input Validation
Cross-site Scripting Vulnerabilities
Links and Race Conditions
Temporary Files and Randomness
Canonicalization and Directory Traversal
Learning objectives
Understand why creating files in insecure directories like /tmp is difficult but useful
Learn why OS-provided function calls help tremendously
Understand the need for good randomness
Learn which OS-provided function calls help provide good random numbers
Learn how to create random file names
Temporary Files and Randomness: Outline
Temporary Files
– Problem Statement
– Survey of functions
UNIX
Windows
Randomness
– Need
– Types of random numbers
– Devices
– Windows API
Temporary Files
Space for temporary files is found in directories such as /tmp, /var/tmp or C:\TEMP, where everyone can write
Space may be purged regularly (e.g., "every night, files older than 5 days are deleted") and during reboot
Space used by many UNIX or Windows utilities, installers and programs
UNIX systems are often configured so that this space is not counted as part of user quota
– Allow large, temporary jobs
Temporary Files Issues
Need an unpredictable name to avoid a collision between links and your files or directories
There's a race condition between testing if a file exists and creating it
Need correct permissions
There's a race condition between creating and setting permissions
Need OS support!
Name Collisions Attacks
What if the name of your temporary file (lock file or other) in /tmp is constant or predictable?
– Your program using a lock file may never run or do what it's supposed to!
Run the lock.c example from part A, but this time, create a lock file beforehand... Your program will never get past the lock file test (obviously)
Lock files need to be put where other users can't create files
– It's easy to make a symlink pointing to a sensitive file
Symlink attacks are easier if the name of the temporary file is predictable
How Not to Choose a Random Name
Use the process ID
Use the user ID
Use the time of day
Use a counter
Use a bad random number generator
etc...
OS Support for Temporary Files
The following take a filename “template” as input
– mktemp - generate temporary file name (unique)
– mkstemp - also create the file
– mkstemps - generate temporary file name with suffix
– mkdtemp - create a directory
Overwrite part of a template to create a unique name
Some of these functions used to create names using parts of the date or process ID, etc... and were insecure
mktemp (1) (3)
Section (1): command line (shell scripts)
– BSD/MacOS X: creates a file with mode 0600 and a unique name
Section (3): C programs
– Race condition between getting the name and creating the file!
– The program must use "open" with the O_CREAT | O_EXCL flags, and loop until the file is successfully created, or use a different function
Command Line Example
% mktemp "testXXXX"
testpnbE
% ls -al
-rw------- pascal staff testpnbE
mkstemp
Creates name
Creates file open for reading and writing with mode 0600
Returns a file descriptor
No race condition!
Recommended function
Usage for extremely paranoid people: "unlink" the hard link pointing to the descriptor immediately afterwards (this is a race condition)
The file still exists but nobody else (except with difficulty, the superuser) can access it
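The following is an added example, not code from the slides and not the course's lock.c: it shows the mkstemp usage recommended above in C. The trailing XXXXXX of the template is replaced in place, the file is created and opened atomically with mode 0600, and the descriptor is returned; the optional unlink_now flag performs the "paranoid" step just described. The /tmp/lockXXXXXX template and the fstat-based mode check are assumptions added for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a uniquely named temporary file from a mkstemp() template such as
 * "/tmp/lockXXXXXX". On success the template buffer holds the real name and
 * the open descriptor (read/write, mode 0600) is returned; on failure -1 is
 * returned with errno set. If unlink_now is nonzero the name is removed at
 * once: the file lives on through the descriptor, but there is no longer a
 * path that another user could open, replace or link to. */
int make_secure_tempfile(char *template_buf, int unlink_now)
{
    int fd = mkstemp(template_buf);   /* creates + opens atomically (O_EXCL inside) */
    if (fd < 0)
        return -1;
    if (unlink_now && unlink(template_buf) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Return the permission bits of an open descriptor, or -1 on error. */
int descriptor_mode(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Return 1 if mkstemp rewrote the template (no literal "XXXXXX" left), else 0. */
int name_was_filled(const char *name)
{
    return strstr(name, "XXXXXX") == NULL;
}

int main(void)
{
    char name[] = "/tmp/lockXXXXXX";   /* assumed location; must be a writable array */
    int fd = make_secure_tempfile(name, 0);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s with mode %04o\n", name, descriptor_mode(fd));
    const char msg[] = "temporary data\n";
    if (write(fd, msg, sizeof msg - 1) < 0)
        perror("write");
    close(fd);
    unlink(name);
    return 0;
}
```

Note that the template must be a writable char array, not a string literal, because mkstemp overwrites the X characters in place.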
Mini Lab
Take the previous lock.c example
Modify it to use mkstemp to generate a temporary file with a unique name
Of course, the temporary file created that way is not a lock file anymore, and would be used to store temporary data instead
Windows
No equivalent to mkstemp()
GetTempFileName
– Creates names by incrementing a counter!
– Predictable file name
Race condition between getting the name and creating the file
– Attacker could create the file to prevent you from using it
– If you use the CREATE_ALWAYS flag, see next slide
Under Windows, you have no choice but to write your own function
Still a race condition, limitation due to lack of OS support
Windows CreateFile Problems
Recommended use with the "CREATE_ALWAYS" flag is dangerous
– "CREATE_ALWAYS" flag recommended by MSDN, Howard and Leblanc 2003
Overwrites the file
Does not set the security descriptor specified by the SECURITY_ATTRIBUTES structure
– Do the SECURITY_ATTRIBUTES matter to your application?
Perfect opportunity to trick you into overwriting a sensitive file
– e.g., with a hard link
– Can't use the flag to not follow reparse points
Windows CreateFile
TRUNCATE_EXISTING will follow a hard link and could truncate something else than intended
Use "CREATE_NEW"
– "The function fails if the specified file already exists." (MSDN)
– You need to check for errors and loop until the file is successfully created
GetTempPath
MSDN recommends that software use the GetTempPath function to get the location of the temp dir, but this is dangerous
MSDN: "Checks for the existence of environment variables in the following order and uses the first path found:
1. The path specified by the TMP environment variable.
2. The path specified by the TEMP environment variable.
3. The path specified by the USERPROFILE environment variable.
4. The Windows directory."
Are the environment variables safe to use?
– Probably not unless you set them yourself
Exercise (Windows): Creating Temporary Files
Go to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/base/creating_and_using_a_temporary_file.asp
Discuss things that you would do differently, compared to the example, when creating a temporary file in Windows
– Find the race condition (hint: MoveFileEx)
Exercise Answers
Possible answers:
– They used the CREATE_ALWAYS flag instead of CREATE_NEW
Add a loop until success
– Use randomly generated file names
How to do that on Windows? (see next slides)
The Need for Random Numbers
Unique file or directory names
Session IDs that carry proof of authentication (nonces), passwords
Games (data, behavior, opponent generation, character generation)
Encryption
Cryptographic protocols
How Random Numbers Are Generated
Linear Congruential Generators
– Simple way to generate pseudo-random numbers
– Easily cracked
– Produce finite sequences of numbers
– Each number is tied to the others
– Some sequences of numbers will not ever be generated
Cryptographic random number generators
Entropy sensors (i.e., extracted randomness)
Seeded Random Number Generators
Pseudo-random generators depend solely on a seed, which determines the entire sequence of numbers returned
How random is the seed?
– Process ID, UserID: Bad Idea
– Current time: if you're running NTP (Network Time Protocol) all systems are synchronized up to some precision. If you use the time, maybe I can guess which seed you used (microsecond part might be difficult to guess, but is limited)
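An added example, not from the slides, to make "each number is tied to the others" and "the seed determines the entire sequence" concrete. It is a 32-bit linear congruential generator; the multiplier and increment are the widely published Numerical Recipes constants, chosen here as an assumption and not the constants of any particular rand() implementation. Because the output is the whole internal state, one observed value fixes every later value, and two generators given the same seed agree forever.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants for a 32-bit LCG: x_{n+1} = (a * x_n + c) mod 2^32.
 * Assumed for illustration (Numerical Recipes values); they are not the
 * constants of any specific C library rand(). */
#define LCG_A 1664525u
#define LCG_C 1013904223u

/* Advance the generator one step and return the new value.
 * uint32_t arithmetic wraps, so the "mod 2^32" is implicit. */
uint32_t lcg_next(uint32_t *state)
{
    *state = LCG_A * (*state) + LCG_C;
    return *state;
}

/* Given one output of the generator, return the output that must follow it.
 * No secret is needed: the output IS the state, so a single leaked value
 * determines every later value (what "easily cracked" means on the slide). */
uint32_t lcg_predict_next(uint32_t observed)
{
    uint32_t state = observed;
    return lcg_next(&state);
}

/* Return 1 if two generators started from the same seed agree on their first
 * n outputs. They always do: a guessable seed (time of day, PID) therefore
 * means a guessable sequence, however "random" the numbers look. */
int same_seed_same_sequence(uint32_t seed, int n)
{
    uint32_t g1 = seed, g2 = seed;
    for (int i = 0; i < n; i++)
        if (lcg_next(&g1) != lcg_next(&g2))
            return 0;
    return 1;
}

int main(void)
{
    uint32_t state = 1;
    uint32_t first = lcg_next(&state);
    printf("seed 1 -> first output %u\n", first);
    printf("predicted from that output alone: %u\n", lcg_predict_next(first));
    printf("generator's actual next output:   %u\n", lcg_next(&state));
    return 0;
}
```

A generator that mixes in fresh entropy (the /dev/urandom design discussed later) breaks exactly this property: knowing one output no longer pins down the next.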
How to Cheat At Random Number Generation
Find a seed that will produce the numbers you want
Seed the generator with it
Convince someone: "it's random, see?"
– RPG Character generation, etc...
Roll Your Own Generator?
What matters is not only the average and the variance of the numbers generated
All sequences of numbers must be possible
LCGs travel definite, limited "paths" through the universe of possible sequences
Need to incorporate entropy as it becomes available
Need to avoid betraying the internal state of the generator...
It's difficult to do correctly
Which Generator to use?
Read description, avoid Linear Congruential Generators such as these:
– “C” rand(3)
– rand (Windows)
– Perl rand
– C# Random
– PHP rand
Good Generators
Hardware-based
– Noise
Cryptographical quality software, entropy-seeded
– Fast, secure
Pure Entropy
– Random timing of events
Packets
Mouse movement, clicks
Keyboard
– Slow
Linux/UNIX Devices
/dev/random:
– MacOS X: same as urandom
– Linux: this is a blocking call that returns only when sufficient entropy has been captured
– Good for seeding pseudo-random number generators
/dev/urandom:
– Implements a fairly complex algorithm that varies between "random" and a well-seeded LCG depending on the availability of entropy
– Non-blocking call
– Try "cat /dev/urandom"
Portability
FreeBSD, OpenBSD, NetBSD compatible
Several projects ported the functionality to Solaris, HP-UX, AIX, IRIX
MacOS X implements Yarrow for both random and urandom (so the behavior of "random" is unexpected).
Windows
Windows developers must use the function CryptGenRandom(), which uses the same idea as /dev/urandom
There is no directly accessible entropy collector provided by the OS
– Reference: "Secure Programming Cookbook", section 11.4 (Viega et al.)
Mini-lab
Take the previous mini-lab (lock.c)
Modify it to use random numbers from /dev/urandom instead of mkstemp, to generate a temporary file with a unique name
– To obtain random bytes, open the device and read from it
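The following is an added example, written for this page and not the course's own lock.c solution, showing one way to do what the mini-lab asks on a POSIX system: random bytes are read from /dev/urandom, mapped onto a filename-safe alphabet, and the file is created with open() using O_CREAT | O_EXCL and mode 0600, retrying only on EEXIST. This is also the "loop until the file is successfully created" that the mktemp(3) slide requires whenever you hold a name rather than a descriptor. The directory (/tmp), the prefix ("lock"), the 8-character name length and the extra O_NOFOLLOW flag are assumptions made here, not part of the slides.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW          /* not every libc exposes it by default; then it is a no-op */
#define O_NOFOLLOW 0
#endif

/* Fill buf with nbytes read from /dev/urandom (the non-blocking device).
 * Returns 0 on success, -1 on error. read() may return fewer bytes than
 * asked for, so keep reading until the buffer is full. */
int urandom_bytes(unsigned char *buf, size_t nbytes)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < nbytes) {
        ssize_t n = read(fd, buf + got, nbytes - got);
        if (n <= 0) {
            if (n < 0 && errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Write len random characters from a filename-safe alphabet into out and
 * NUL-terminate it (out must hold len + 1 bytes). Bytes >= 248 are discarded
 * so that each of the 62 symbols is equally likely; a plain "byte % 62"
 * would favour the first few letters. */
int random_name(char *out, size_t len)
{
    static const char alphabet[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    const unsigned nsym = sizeof alphabet - 1;      /* 62 */
    const unsigned limit = 256 - (256 % nsym);      /* 248 */
    size_t i = 0;
    while (i < len) {
        unsigned char pool[32];
        if (urandom_bytes(pool, sizeof pool) != 0)
            return -1;
        for (size_t j = 0; j < sizeof pool && i < len; j++)
            if (pool[j] < limit)
                out[i++] = alphabet[pool[j] % nsym];
    }
    out[len] = '\0';
    return 0;
}

/* Create dir/prefix<8 random chars> with mode 0600 and return its descriptor,
 * storing the path in path_out. O_EXCL makes open() fail instead of reusing
 * a file (or symlink) that already sits under that name, and O_NOFOLLOW
 * refuses a symlink at the last component. Only EEXIST is retried with a
 * fresh name; every other error is reported to the caller. */
int create_unique_file(const char *dir, const char *prefix,
                       char *path_out, size_t path_len)
{
    for (int attempt = 0; attempt < 100; attempt++) {
        char rnd[9];
        if (random_name(rnd, sizeof rnd - 1) != 0)
            return -1;
        if (snprintf(path_out, path_len, "%s/%s%s", dir, prefix, rnd) >= (int)path_len) {
            errno = ENAMETOOLONG;
            return -1;
        }
        int fd = open(path_out, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd >= 0)
            return fd;              /* success: the file is ours and did not exist before */
        if (errno != EEXIST)
            return -1;              /* permission problem, missing dir, etc.: give up */
        /* EEXIST: name collision, loop and try another random name */
    }
    errno = EEXIST;
    return -1;
}

int main(void)
{
    char path[256];
    int fd = create_unique_file("/tmp", "lock", path, sizeof path);   /* assumed dir/prefix */
    if (fd < 0) {
        perror("create_unique_file");
        return 1;
    }
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```

Compared with the mkstemp version, this one does the name generation itself, so the quality of the random bytes and the O_EXCL check are what stand between you and the name-collision and symlink problems described earlier; the retry loop only handles an honest collision, and any other error is returned rather than retried.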
Questions or Comments?
About These Slides
You are free to copy, distribute, display, and perform the work; and
to make derivative works, under the following conditions.
– You must give the original author and other contributors credit
– The work will be used for personal or non-commercial educational uses
only, and not for commercial activities and purposes
– For any reuse or distribution, you must make clear to others the terms of
use for this work
– Derivative works must retain and be subject to the same conditions, and
contain a note identifying the new contributor(s) and date of modification
– For other uses please contact the Purdue Office of Technology
Commercialization.
Developed thanks to the support of Symantec Corporation
Pascal Meunier ([email protected]): Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera