Ch03Programs.pptx
Security in Computing,Fifth Edition
Chapter 3: Programs and Programming
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
1
Brief Review Chapter 2
Authentication is someone proving who they are
Authorization is about access control
Certification Error
1
2
2
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Objectives for Chapter 3
Learn about memory organization, buffer overflows, and relevant countermeasures
Common programming bugs, such as off-by-one errors, race conditions, and incomplete mediation
Survey of past malware and malware capabilities
Virus detection
Tips for programmers on writing code for security
3
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Program Security
This chapter deals with writing of programs and will be built upon in later chapters.
Is a program secure?
What characteristics?
Time to break security
Run for a time without failure
Zero tolerance
Factor of QUALITY
Quantity and types of faults as evidence of quality
4
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Terminology
: A software bug is an error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.
Error: When a human makes a mistake (non malicious) in performing some software activity, the error may lead to a fault, or an incorrect step, command, process, or data definition in a computer program.
Failure: Is a departure from the system's required behavior.
5
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
5
Types of Flaws
Validation error (incomplete or inconsistent): permission checks
Domain error: controlled access to data
Serialization and aliasing: program flow order
Inadequate identification and authentication: basis for authorization
Boundary condition violation: failure on first or last case
Other exploitable logic errors
6
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Memory Allocation
7
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Much of this chapter requires basic knowledge of how memory is organized, and this is a nice, simple diagram to refresh students on how it works. The key takeaways: code and data separated, with the heap growing up toward high addresses and the stack growing down from the high addresses.
7
Data vs. Instructions
8
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
The same hex value in the same spot in memory can either be a meaningful data value or a meaningful instruction depending on whether the computer treats it as code or data. This will be the basis of the attacks in the following slides.
8
Buffer Overflows
Occur when data is written beyond the space allocated for it, such as a 10th byte in a 9-byte array
In a typical exploitable buffer overflow, an attacker’s inputs are expected to go into regions of memory allocated for data, but those inputs are instead allowed to overwrite memory holding executable code
The trick for an attacker is finding buffer overflow opportunities that lead to overwritten memory being executed, and finding the right code to input
9
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
How Buffer Overflows Happen
char sample[10];
int i;
for (i=0; i<=9; i++)
sample[i] = ‘A’;
sample[10] = ‘B’;
10
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
This is a very simple buffer overflow. 10 bytes to store buffer, but Character B is placed in memory that wasn’t allocated by or for this procedure.
This is a very simple buffer overflow. Character B is placed in memory that wasn’t allocated by or for this procedure.
10
Memory Organization
11
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Similar to the earlier picture on memory organization, only this one shows where the system data/code reside vs. where the program code and its local data reside. This context is important for understanding how an attack that takes place inside a given program can affect that program vs. how it can affect the rest of the system.
11
Where a Buffer Can Overflow
12
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
The memory that’s overwritten depends on where the buffer resides.
Examples of buffer overflow effects in the context of the earlier AAAAAAAAAAB example. The memory that’s overwritten depends on where the buffer resides.
12
The Stack
13
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
13
The Stack after Procedure Calls
14
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
When procedure A calls procedure B, procedure B gets added to the stack along with a pointer back to procedure A. In this way, when procedure B is finished running, it can get popped off the stack, and procedure A will just continue executing where it left off.
When procedure A calls procedure B, procedure B gets added to the stack along with a pointer back to procedure A. In this way, when procedure B is finished running, it can get popped off the stack, and procedure A will just continue executing where it left off.
14
Compromised Stack
15
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Instead of pointing at procedure B in this case, the program counter is pointing at code that’s been placed on the stack as a result of an overflow.
15
Overwriting Memory for Execution
Overwrite the program counter stored in the stack
Overwrite part of the code in low memory, substituting new instructions
Overwrite the program counter and data in the stack so that the program counter points to the stack
16
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Harm from Buffer Overflows
Overwrite:
Another piece of your program’s data
An instruction in your program
Data or code belonging to another program
Data or code belonging to the operating system
Overwriting a program’s instructions gives attackers that program’s execution privileges
Overwriting operating system instructions gives attackers the operating system’s execution privileges
17
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Overflow Countermeasures
Staying within bounds
Check lengths before writing
Confirm that array subscripts are within limits
Double-check boundary condition code for off-by-one errors
Limit input to the number of acceptable characters
Limit programs’ privileges to reduce potential harm
Many languages have overflow protections
Code analyzers can identify many overflow vulnerabilities
Canary values in stack to signal modification
18
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Incomplete Mediation
Mediation: Verifying that the subject is authorized to perform the operation on an object
Preventing incomplete mediation:
Validate all input
Limit users’ access to sensitive data and functions
19
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
19
Time-of-Check to Time-of-Use
Mediation performed with a “bait and switch” in the middle
Example: A student is buying a school book that costs $100. The student removes five $20 bills from a wallet, carefully counts them in front of the seller, and lays them on the table. Then the seller turns around to write a receipt. While the seller's back is turned, the student takes back one $20 bill. When the seller turns around, the student hands over the stack of bills, takes the receipt, and leaves with the book. Between the time the security was checked (counting the bills) and the access (exchanging the sculpture for the bills), a condition changed: What was checked is no longer valid when the object (that is, the sculpture) is accessed.
20
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
20
Time-of-Check to Time-of-Use
Mediation performed with a “bait and switch” in the middle
21
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
To carry out this authorization sequence, the access control mediator would have to look up the file name (and the user identity and any other relevant parameters) in tables. The mediator could compare the names in the table to the file name in the data structure to determine whether access is appropriate. More likely, the mediator would copy the file name into its own local storage area and compare from there. Comparing from the copy leaves the data structure in the user's area, under the user's control. It is at this point that the incomplete mediation flaw can be exploited. While the mediator is checking access rights for the file my_file, the user could change the file name descriptor to your_file, the value shown in Figure 3-3. Having read the work ticket once, the mediator would not be expected to reread the ticket before approving it; the mediator would approve the access and send the now-modified descriptor to the file handler.
21
Race Conditions
22
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Example 1 (no race condition): A booker books the last seat on the plane, and thereafter the system shows no seat available. See next slide to continue.
22
Race Conditions
23
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Example 2 (race condition): Before the first booker can complete the booking for the last available seat, a second booker looks for available seats. This system has a race condition, where the overlap in timing of the requests causes errant behavior.
23
Other Programming Oversights
Undocumented access points (backdoors)
Off-by-one errors
Integer overflows
Unterminated null-terminated string
Parameter length, type, or number errors
Unsafe utility libraries
24
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Malware
Programs planted by an agent with malicious intent to cause unanticipated or undesired effects
Virus
A program that can replicate itself and pass on malicious code to other nonmalicious programs by modifying them
Worm
A program that spreads copies of itself through a network
Trojan horse
Code that, in addition to its stated effect, has a second, nonobvious, malicious effect
25
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Types of Malware
26
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Types of Malware (cont.)
27
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
History of Malware
28
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
History of Malware (cont.)
29
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Harm from Malicious Code
Harm to users and systems:
Sending email to user contacts
Deleting or encrypting files
Modifying system information, such as the Windows registry
Stealing sensitive information, such as passwords
Attaching to critical system files
Hide copies of malware in multiple complementary locations
Harm to the world:
Some malware has been known to infect millions of systems, growing at a geometric rate
Infected systems often become staging areas for new infections
30
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Transmission and Propagation
Setup and installer program
Attached file
Document viruses
Autorun
Using nonmalicious programs:
Appended viruses
Viruses that surround a program
Integrated viruses and replacements
31
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Malware Activation
One-time execution (implanting)
Boot sector viruses
Memory-resident viruses
Application files
Code libraries
32
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Virus Effects
33
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Countermeasures for Users
Use software acquired from reliable sources
Test software in an isolated environment
Only open attachments when you know them to be safe
Treat every website as potentially harmful
Create and maintain backups
34
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Virus Detection
Virus scanners look for signs of malicious code infection using signatures in program files and memory
Traditional virus scanners have trouble keeping up with new malware—detect about 45% of infections
Detection mechanisms:
Known string patterns in files or memory
Execution patterns
Storage patterns
35
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Virus Signatures
36
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Countermeasures for Developers
Modular code: Each code module should be
Single-purpose
Small
Simple
Independent
Encapsulation
Information hiding
Mutual Suspicion
Confinement
Genetic diversity
37
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Code Testing
Unit testing
Integration testing
Function testing
Performance testing
Acceptance testing
Installation testing
Regression testing
Penetration testing
38
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Design Principles for Security
Least privilege
Economy of mechanism
Open design
Complete mediation
Permission based
Separation of privilege
Least common mechanism (no sharing)
Ease of use
39
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Other Countermeasures
Good
Proofs of program correctness—where possible
Defensive programming – to ensure the continuing function of a piece of software under unforeseen circumstances.
Design by contract (DbC) – specify pre-/post- conditions.
Bad
Penetrate-and-patch
Security by obscurity (secrecy of design)
40
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Flaws & Controls
Two classes of security flaws: those that compromise or change data and those that affect computer service.
There are three controls on such activities: development controls, operating system controls, and administrative controls.
Development controls limit software development activities, making it harder for a developer to create malicious programs. These same controls are effective against inadvertent mistakes made by developers. Program controls help produce better software.
The operating system provides some degree of control by limiting access to computing system objects. They limit access as a way of promoting the safe sharing of information among programs.
Administrative controls limit the kinds of actions people can take, and improves system usability, reusability, and maintainability.
41
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
41
Summary
Buffer overflow attacks can take advantage of the fact that code and data are stored in the same memory in order to maliciously modify executing programs
Programs can have a number of other types of vulnerabilities, including off-by-one errors, incomplete mediation, and race conditions
Malware can have a variety of harmful effects depending on its characteristics, including resource usage, infection vector, and payload
Developers can use a variety of techniques for writing and testing code for security
For fun:
42
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
42
image2.png
image3.emf
image4.emf
image5.emf
image6.png
image7.emf
image8.emf
image9.emf
image10.emf
image11.emf
image12.emf
image13.png
Microsoft_Word_Document.docx
Code Type |
Characteristics |
Virus |
Code that causes malicious behavior and propagates copies of itself to other programs |
Trojan horse |
Code that contains unexpected, undocumented, additional functionality |
Worm |
Code that propagates copies of itself through a network; impact is usually degraded performance |
Rabbit |
Code that replicates itself without limit to exhaust resources |
Logic bomb |
Code that triggers action when a predetermined condition occurs |
Time bomb |
Code that triggers action when a predetermined time occurs |
Dropper |
Transfer agent code only to drop other malicious code, such as virus or Trojan horse |
Hostile mobile code agent |
Code communicated semi-autonomously by programs transmitted through the web |
Script attack, JavaScript, Active code attack |
Malicious code communicated in JavaScript, ActiveX, or another scripting language, downloaded as part of displaying a web page |
image14.png
Microsoft_Word_Document1.docx
Code Type |
Characteristics |
RAT (remote access Trojan) |
Trojan horse that, once planted, gives access from remote location |
Spyware |
Program that intercepts and covertly communicates data on the user or the user’s activity |
Bot |
Semi-autonomous agent, under control of a (usually remote) controller or “herder”; not necessarily malicious |
Zombie |
Code or entire computer under control of a (usually remote) program |
Browser hijacker |
Code that changes browser settings, disallows access to certain sites, or redirects browser to others |
Rootkit |
Code installed in “root” or most privileged section of operating system; hard to detect |
Trapdoor or backdoor |
Code feature that allows unauthorized access to a machine or program; bypasses normal access control and authentication |
Tool or toolkit |
Program containing a set of tests for vulnerabilities; not dangerous itself, but each successful test identifies a vulnerable host that can be attacked |
Scareware |
Not code; false warning of malicious code attack |
image15.png
Microsoft_Word_Document2.docx
Year |
Name |
Characteristics |
1982 |
Elk Cloner |
First virus; targets Apple II computers |
1985 |
Brain |
First virus to attack IBM PC |
1988 |
Morris worm |
Allegedly accidental infection disabled large portion of the ARPANET, precursor to today’s Internet |
1989 |
Ghostballs |
First multipartite (has more than one executable piece) virus |
1990 |
Chameleon |
First polymorphic (changes form to avoid detection) virus |
1995 |
Concept |
First virus spread via Microsoft Word document macro |
1998 |
Back Orifice |
Tool allows remote execution and monitoring of infected computer |
1999 |
Melissa |
Virus spreads through email address book |
2000 |
IloveYou |
Worm propagates by email containing malicious script. Retrieves victim’s address book to expand infection. Estimated 50 million computers affected. |
2000 |
Timofonica |
First virus targeting mobile phones (through SMS text messaging) |
2001 |
Code Red |
Virus propagates from 1st to 20th of month, attacks whitehouse.gov web site from 20th to 28th, rests until end of month, and restarts at beginning of next month; resides only in memory, making it undetected by file-searching antivirus products |
image16.png
Microsoft_Word_Document3.docx
Year |
Name |
Characteristics |
2001 |
Code Red II |
Like Code Red, but also installing code to permit remote access to compromised machines |
2001 |
Nimda |
Exploits known vulnerabilities; reported to have spread through 2 million machines in a 24-hour period |
2003 |
Slammer worm |
Attacks SQL database servers; has unintended denial-of-service impact due to massive amount of traffic it generates |
2003 |
SoBig worm |
Propagates by sending itself to all email addresses it finds; can fake From: field; can retrieve stored passwords |
2004 |
MyDoom worm |
Mass-mailing worm with remote-access capability |
2004 |
Bagle or Beagle worm |
Gathers email addresses to be used for subsequent spam mailings; SoBig, MyDoom, and Bagle seemed to enter a war to determine who could capture the most email addresses |
2008 |
Rustock.C |
Spam bot and rootkit virus |
2008 |
Conficker |
Virus believed to have infected as many as 10 million machines; has gone through five major code versions |
2010 |
Stuxnet |
Worm attacks SCADA automated processing systems; zero-day attack |
2011 |
Duqu |
Believed to be variant on Stuxnet |
2013 |
CryptoLocker |
Ransomware Trojan that encrypts victim’s data storage and demands a ransom for the decryption key |
image17.emf
Microsoft_Word_Document4.docx
· Virus Effect |
How It Is Caused |
Attach to executable program |
· Modify file directory · Write to executable program file |
· Modify directory · Rewrite data · Append to data · Append data to self |
|
Remain in memory |
· Intercept interrupt by modifying interrupt handler address table · Load self in non-transient memory area |
Infect disks |
· Intercept interrupt · Intercept operating system call (to format disk, for example) · Modify system file · Modify ordinary executable program |
Conceal self |
· Intercept system calls that would reveal self and falsify result · Classify self as “hidden” file |
Spread infection |
· Infect boot sector · Infect systems program · Infect ordinary program · Infect data ordinary program reads to control its execution |
Prevent deactivation |
· Activate before deactivating program and block deactivation · Store copy to reinfect after deactivation |