Software and Security (PPT, 260 pages)

Part 4: Software

Slide 1: Software and Security

Slide 2: Why software?
- Why is software as important to security as crypto, access control and protocols?
- Virtually all of information security is implemented in software
- If your software is subject to attack, your security is broken
  - Regardless of strength of crypto, access control or protocols
- Software is a poor foundation for security

Slide 3: Bad software
- Bad software is everywhere!
- NASA Mars Lander (cost $165 million)
  - Crashed into Mars
  - Error in converting English and metric units of measure
- Denver airport
  - Buggy baggage handling system
  - Delayed airport opening by 11 months
  - Cost of delay exceeded $1 million/day
- MV-22 Osprey
  - Advanced military aircraft
  - Lives have been lost due to faulty software

Slide 4: Software issues
- Attackers
  - Actively look for bugs and flaws
  - Like bad software
  - And try to make it misbehave
  - Attack systems thru bad software
- "Normal" users
  - Find bugs and flaws by accident
  - Hate bad software
  - But must learn to live with it
  - Must make bad software work

Slide 5: Complexity
- "Complexity is the enemy of security", Paul Kocher, Cryptography Research, Inc.

    System          Lines of code (LOC)
    Netscape        17,000,000
    Space Shuttle   10,000,000
    Linux            1,500,000
    Windows XP      40,000,000
    Boeing 777       7,000,000

- A new car contains more LOC than was required to land the Apollo astronauts on the moon

Slide 6: Lines of code and bugs
- Conservative estimate: 5 bugs/1000 LOC
- Do the math
  - Typical computer: 3,000 exes of 100K each
  - Conservative estimate of 50 bugs/exe
  - About 150K bugs per computer
  - 30,000 node network has 4.5 billion bugs
  - Suppose that only 10% of bugs security-critical and only 10% of those remotely exploitable
  - Then "only" 4.5 million critical security flaws!

Slide 7: Software security topics
- Program flaws (unintentional)
  - Buffer overflow
  - Incomplete mediation
  - Race conditions
- Malicious software (intentional)
  - Viruses
  - Worms
  - Other breeds of malware

Slide 8: Program flaws
- An error is a programming mistake
  - To err is human
- An error may lead to incorrect state: fault
  - A fault is internal to the program
- A fault may lead to a failure, where a system departs from its expected behavior
  - A failure is externally observable
- error -> fault -> failure

Slide 9: Example

    char array[10];
    for (i = 0; i < 10; ++i)
        array[i] = 'a';
    array[10] = 'b';

- This program has an error

- This error might cause a fault
  - Incorrect internal state
- If a fault occurs, it might lead to a failure
  - Program behaves incorrectly (external)
- We use the term flaw for all of the above

Slide 10: Secure software
- In software engineering, try to ensure that a program does what is intended
- Secure software engineering requires that the software does what is intended
- And nothing more
- Absolutely secure software is impossible
  - Absolute security is almost never possible!
- How can we manage the risks?

Slide 11: Program flaws
- Program flaws are unintentional
  - But still create security risks
- We'll consider 3 types of flaws
  - Buffer overflow (smashing the stack)
  - Incomplete mediation
  - Race conditions
- Many other flaws can occur
- These are most common

Slide 12: Buffer overflow

Slide 13: Typical attack scenario
- Users enter data into a web form
- Web form is sent to server
- Server writes data to buffer, without checking length of input data
- Data overflows from buffer
- Sometimes, overflow can enable an attack
- Web form attack could be carried out by anyone with an internet connection

Slide 14: Buffer overflow
- Q: What happens when this is executed?

- A: Depending on what resides in memory at location "buffer[20]"
  - Might overwrite user data or code
  - Might overwrite system data or code

    int main() {
        int buffer[10];
        buffer[20] = 37;
    }

Slide 15: Simple buffer overflow
- Consider Boolean flag for authentication
- Buffer overflow could overwrite flag allowing anyone to authenticate!
  [Figure: buffer cells F, O, U, R, S, C lying next to the Boolean flag (F or T) in memory]
- In some cases, attacker need not be so lucky as to have overflow overwrite flag

Slide 16: Memory organization
- Text = code
- Data = static variables
- Heap = dynamic data
- Stack = "scratch paper"
  - Dynamic local variables
  - Parameters to functions
  - Return address
  [Figure: memory from low address to high address: text, data, heap, stack; SP marks the stack pointer]

Slide 17: Simplified stack example

    void func(int a, int b) {
        char buffer[10];
    }

    void main() {
        func(1, 2);
    }

  [Figure: stack frame from high address to low: b, a, ret (return address), buffer; SP shown after each push]

Slide 18: Smashing the stack
- What happens if buffer overflows?
  [Figure: the same frame, with the overflow from buffer running up into ret]
- Program "returns" to wrong location
- A crash is likely

Slide 19: Smashing the stack
- Attacker has a better idea
  [Figure: evil code placed in the buffer, with ret overwritten to point back at it]
- Code injection
- Attacker can run any code on affected system!

Slide 20: Smashing the stack
- Attacker may not know
  - Address of evil code
  - Location of ret on stack
- Solutions
  - Precede evil code with NOP "landing pad"
  - Insert lots of new ret
  [Figure: stack holding a run of NOPs before the evil code and many copies of the new ret]

Slide 21: Stack smashing summary
- A buffer overflow must exist in the code
- Not all buffer overflows are exploitable
  - Things must line up correctly
- If exploitable, attacker can inject code
- Trial and error likely required
  - Lots of help available online
  - Smashing the Stack for Fun and Profit, Aleph One
- Also possible to overflow the heap
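The unchecked copy, the adjacency of buffer and return address, and the checks that stop it, as an added example in C; this is not code from the deck. It models one stack frame as a struct laid out the way the slides draw it (the local buffer, then a canary holding the constant 0x000aff0d the deck names, then the saved return address), copies attacker-controlled input into it with and without a length check, and reports what the run-time canary check sees. The struct layout, the smash_outcome and mediated_outcome helpers and the reuse of the page's 0x401034 as a placeholder return address are assumptions made for the example, not the behaviour of any real compiler's frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10
#define CANARY   0x000aff0dU   /* constant canary value named on the deck */

/* Model of one stack frame in the order the slides draw it: local buffer at
 * the lowest address, the canary just above it, then the saved return
 * address. Assumed layout for the example; a real frame is laid out by the
 * compiler. Keeping it in one struct lets an over-long write be observed in
 * well-defined C. */
struct frame {
    char      buffer[BUF_SIZE];
    uint32_t  canary;
    uintptr_t ret;             /* stands in for the saved return address */
};

/* Prologue: clear the buffer and place the canary above it. */
static void frame_init(struct frame *f, uintptr_t ret)
{
    memset(f->buffer, 0, sizeof f->buffer);
    f->canary = CANARY;
    f->ret    = ret;
}

/* Unchecked copy, the strcpy(buffer, argv[1]) pattern: it stops when the
 * input ends, not when the buffer ends. The write is clamped to the end of
 * the model frame so it stays inside the struct; a real strcpy keeps going. */
static void unchecked_copy(struct frame *f, const char *input, size_t len)
{
    size_t room = sizeof *f - offsetof(struct frame, buffer);
    if (len > room)
        len = room;
    memcpy((unsigned char *)f + offsetof(struct frame, buffer), input, len);
}

/* Mediated copy: the length check strcpy lacks. Returns 0 on success, -1 if
 * the input does not fit; the frame is left untouched on refusal. */
static int checked_copy(struct frame *f, const char *input, size_t len)
{
    if (len >= BUF_SIZE)       /* keep one byte for the terminator */
        return -1;
    memcpy(f->buffer, input, len);
    f->buffer[len] = '\0';
    return 0;
}

/* Epilogue: the run-time stack check. 1 if the canary is intact, else 0. */
static int canary_intact(const struct frame *f)
{
    return f->canary == CANARY;
}

/* Feed len bytes through the unchecked copy and classify the damage:
 *   0: frame intact, 1: canary clobbered but ret untouched, 2: ret reached. */
static int smash_outcome(const char *input, size_t len)
{
    const uintptr_t saved_ret = 0x401034;  /* address from the deck, used as a placeholder */
    struct frame f;

    frame_init(&f, saved_ret);
    unchecked_copy(&f, input, len);
    if (canary_intact(&f))
        return 0;
    return f.ret == saved_ret ? 1 : 2;
}

/* Same input through the mediated copy: -1 if refused, 0 if accepted with
 * the canary still intact, 2 if the canary was hit anyway (never expected). */
static int mediated_outcome(const char *input, size_t len)
{
    struct frame f;

    frame_init(&f, 0x401034);
    if (checked_copy(&f, input, len) != 0)
        return -1;
    return canary_intact(&f) ? 0 : 2;
}

int main(void)
{
    char   input[32];
    size_t lens[] = { 9, 16, 24 };

    memset(input, 'A', sizeof input);   /* constructed: the 0x41 bytes of slide 23 */
    for (size_t i = 0; i < 3; i++)
        printf("%2zu bytes: unchecked -> outcome %d, checked -> %d\n",
               lens[i], smash_outcome(input, lens[i]),
               mediated_outcome(input, lens[i]));
    return 0;
}
```

Run stand-alone it prints the outcome for 9, 16 and 24 bytes of 'A' input: the canary survives the first, is clobbered by the second while ret is still intact, and the third reaches ret, which is what the "things must line up correctly" bullet is about. The same 16- and 24-byte inputs are refused by checked_copy, the length check that the incomplete-mediation slides and the strncpy advice later in the deck call for.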

- Stack smashing is "attack of the decade"

Slide 22: Stack smashing example
- Program asks for a serial number that the attacker does not know
- Attacker also does not have source code
- Attacker does have the executable (exe)
- Program quits on incorrect serial number

Slide 23: Example
- By trial and error, attacker discovers an apparent buffer overflow
- Note that 0x41 is "A"
- Looks like ret overwritten by 2 bytes!

Slide 24: Example
- Next, disassemble bo.exe to find
- The goal is to exploit buffer overflow to jump to address 0x401034

Slide 25: Example
- Find that 0x401034 is "P4" in ASCII
- Byte order is reversed? Why?
- x86 processors are "little-endian"

Slide 26: Example
- Reverse the byte order to "4P" and
- Success! We've bypassed serial number check by exploiting a buffer overflow
- Overwrote the return address on the stack

Slide 27: Example
- Attacker did not require access to the source code
- Only tool used was a disassembler to determine address to jump to
  - Can find address by trial and error
  - Necessary if attacker does not have exe
  - For example, a remote attack

Slide 28: Example
- Source code of the buffer overflow
- Flaw easily found by attacker
- Even without the source code!

Slide 29: Stack smashing prevention
- 1st choice: employ non-executable stack
  - "No execute" NX bit (if available)
  - Seems like the logical thing to do, but some real code executes on the stack! (Java does this)
- 2nd choice: use safe languages (Java, C#)
- 3rd choice: use safer C functions
  - For unsafe functions, there are safer versions
  - For example, strncpy instead of strcpy

Slide 30: Stack smashing prevention
- Canary
  - Run-time stack check
  - Push canary onto stack
  - Canary value: constant 0x000aff0d or value depends on ret
  [Figure: stack frame with the canary placed between buffer and ret; an overflow has to cross the canary to reach ret]

Slide 31: Microsoft's canary
- Microsoft added buffer security check feature to C++ with /GS compiler flag
- Uses canary (or "security cookie")
- Q: What to do when canary dies?
- A: Check for user-supplied handler
- Handler may be subject to attack

  - Claimed that attacker can specify handler code
  - If so, formerly safe buffer overflows become exploitable when /GS is used!

Slide 32: Buffer overflow
- The "attack of the decade" for 90s
- Will be the attack of the decade for 00s
- Can be prevented
  - Use safe languages/safe functions
  - Educate developers, use tools, etc.
- Buffer overflows will exist for a long time
  - Legacy code
  - Bad software development

Slide 33: Incomplete mediation

Slide 34: Input validation
- Consider: strcpy(buffer, argv[1])
- A buffer overflow occurs if len(buffer) < len(argv[1])
- Software must validate the input by checking the length of argv[1]
- Failure to do so is an example of a more general problem: incomplete mediation

Slide 35: Input validation
- Consider web form data
- Suppose input is validated on client
- For example, the following is valid http:/
- if not, goto 1
- Brain did nothing malicious

Slide 47: Morris worm
- First appeared in 1988
- What it tried to do
  - Determine where it could spread
  - Spread its infection
  - Remain undiscovered
- Morris claimed it was a test gone bad
- "Flaw" in worm code: it tried to re-infect already-infected systems
  - Led to resource exhaustion
  - Adverse effect was like a so-called rabbit

Slide 48: Morris worm
- How to spread its infection?
- Tried to obtain access to machine by
  - User account password guessing
  - Exploited buffer overflow in fingerd
  - Exploited trapdoor in sendmail
- Flaws in fingerd and sendmail were well-known at the time, but not widely patched

Slide 49: Morris worm
- Once access had been obtained to machine
- "Bootstrap loader" sent to victim
  - Consisted of 99 lines of C code
- Victim machine compiled and executed code
- Bootstrap loader then fetched the rest of the worm
- Victim even authenticated the sender!

Slide 50: Morris worm
- How to remain undetected?
- If transmission of the worm was interrupted, all code was deleted
- Code was encrypted when downloaded
- Downloaded code deleted after decrypting and compiling
- When running, the worm regularly changed its name and process identifier (PID)

Slide 51: Result of Morris worm
- Shocked the internet community of 1988
- Internet designed to withstand nuclear war
  - Yet it was brought down by a graduate student!
  - At the time, Morris' father worked at NSA
- Could have been much worse: not malicious
- Users who did not panic recovered quickest
- CERT began, increased security awareness
  - Though limited actions to improve security

Slide 52: Code Red worm
- Appeared in July 2001
- Infected more than 250,000 systems in about 15 hours
- In total, infected 750,000 out of 6,000,000 susceptible systems
- Exploited buffer overflow in Microsoft IIS server software
- Then monitored traffic on port 80 for other susceptible servers

Slide 53: Code Red worm
- What it did
  - Day 1 to 19 of month: tried to spread infection
  - Day 20 to 27: distributed denial of service attack on
- Later versions (several variants)
  - Included trapdoor for remote access
  - Rebooted to flush worm, leaving only trapdoor
- Has been claimed that Code Red may have been "beta test for information warfare"

Slide 54: SQL Slammer
- Infected 250,000 systems in 10 minutes!
- Code Red took 15 hours to do what Slammer did in 10 minutes
- At its peak, Slammer infections doubled every 8.5 seconds
- Slammer spread too fast
- "Burned out" available bandwidth

Slide 55: SQL Slammer
- Why was Slammer so successful?
  - Worm fit in one 376 byte UDP packet
  - Firewalls often let small packet thru, assuming it could do no harm by itself
  - Then firewall monitors the connection
  - Expectation was that much more data would be required for an attack
  - Slammer defied assumptions of "experts"

Slide 56: Trojan horse example
- A trojan has unexpected function
- Prototype of trojan for the Mac
- File icon for freemusic.mp3:
- For a real mp3, double click on icon
  - iTunes opens
  - Music in mp3 file plays
- But for freemusic.mp3, unexpected results

Slide 57: Trojan example
- Double click on freemusic.mp3
  - iTunes opens (expected)
  - "Wild laugh" (probably not expected)
  - Message box (unexpected)

Slide 58: Trojan example
- How does freemusic.mp3 trojan work?
- This "mp3" is an application, not data!
- This trojan is harmless, but
- Could have done anything user can do
  - Delete files, download files, launch apps, etc.

Slide 59: Malware detection
- Three common methods
  - Signature detection
  - Change detection
  - Anomaly detection
- We'll briefly

  discuss each of these
  - And consider advantages and disadvantages of each

Slide 60: Signature detection
- A signature is a string of bits found in software (or could be a hash value)
- Suppose that a virus has signature 0x23956a58bd910345
- We can search for this signature in all files
- If we find the signature are we sure we've found the virus?
  - No, same signature could appear in other files
  - But at random, chance is very small: 1/2^64
  - Software is not random, so probability is higher

Slide 61: Signature detection
- Advantages
  - Effective on "traditional" malware
  - Minimal burden for users/administrators
- Disadvantages
  - Signature file can be large (10,000s)
  - Making scanning slow
  - Signature files must be kept up to date
  - Cannot detect unknown viruses
  - Cannot detect some new types of malware
- By far the most popular detection method!

Slide 62: Change detection
- Viruses must live somewhere on system
- If we detect that a file has changed, it may be infected
- How to detect changes?
  - Hash files and (securely) store hash values
  - Recompute hashes and compare
  - If hash value changes, file might be infected

Slide 63: Change detection
- Advantages
  - Virtually no false negatives
  - Can even detect previously unknown malware
- Disadvantages
  - Many files change and often
  - Many false alarms (false positives)
  - Heavy burden on users/administrators
  - If suspicious change detected, then what?
  - Might still need signature-based system

Slide 64: Anomaly detection
- Monitor system for anything "unusual" or "virus-like" or potentially malicious
- What is unusual?
  - Files change in some unusual way
  - System misbehaves in some way
  - Unusual network activity
  - Unusual file access, etc., etc.
- But must first define "normal"
  - And normal can change!

Slide 65: Anomaly detection
- Advantages
  - Chance of detecting unknown malware
- Disadvantages
  - Unproven in practice
  - Attacker can make anomaly look normal
  - Must be combined with another method (such as signature detection)
- Also popular in intrusion detection (IDS)
- A difficult unsolved (unsolvable?) problem!
  - As difficult as AI?

Slide 66: Future of malware
- Polymorphic and metamorphic malware
- Fast replication/Warhol worms
- Flash worms, slow worms, etc.
- Future is bright for malware
  - Good news for the bad guys
  - Bad news for the good guys
- Future of malware detection?

Slide 67: Polymorphic malware
- Polymorphic worm (usually) encrypted
- New key is used each time worm propagates
  - The encryption is weak (repeated XOR)
  - Worm body has no fixed signature
  - Worm must include code to decrypt itself
  - Signature detection searches for decrypt code
- Detectable by signature-based method
  - Though more challenging than non-polymorphic

Slide 68: Metamorphic malware
- A metamorphic worm mutates before infecting a new system
- Such a worm can avoid signature-based detection systems
- The mutated worm must do the same thing as the original
- And it must be "different enough" to avoid detection
- Detection is currently unsolved problem

Slide 69: Metamorphic worm
- To replicate, the worm is disassembled
- Worm is stripped to a base form
- Random variations inserted into code
  - Rearrange jumps
  - Insert dead code
  - Many other possibilities
- Assemble the resulting code
- Result is a worm with same functionality as original, but very different signature

Slide 70: Warhol worm
- "In the future everybody will be world-famous for 15 minutes", Andy Warhol
- A Warhol worm is designed to infect the entire internet in 15 minutes
- Slammer infected 250,000 systems in 10 minutes
  - "Burned out" bandwidth
  - Slammer could not have infected all of internet in 15 minutes: too bandwidth intensive
- Can a worm do "better" than Slammer?

Slide 71: Warhol worm
- One approach to a Warhol worm
- Seed worm with an initial hit list containing a set of vulnerable IP addresses
  - Depends on the particular exploit
  - Tools exist for finding vulnerable systems
- Each successful initial infection would attack selected part of IP address space
- No worm this sophisticated has yet been seen in the wild (as of 2004)
  - Slammer generated random IP addresses
- Could infect entire internet in 15 minutes!

Slide 72: Flash worm
- Possible to do "better" than Warhol worm?
- Can entire internet be attacked in

(x*x - 2*x*y + y*y)
  - The if() conditional is always false
- Attacker will waste time analyzing dead code

Slide 115: Code obfuscation
- Code obfuscation sometimes promoted as a powerful security technique
- Diffie and Hellman's original ideas for public key crypto were based on similar ideas!
- Recently it has been shown that obfuscation probably cannot provide strong security
  - On the (Im)possibility of Obfuscating Programs
  - Some question significance of result (Thomborson)
- Obfuscation might still have practical uses!
  - Even if it can never be as strong as crypto

Slide 116: Authentication example
- Software used to determine authentication
- Ultimately, authentication is 1-bit decision
  - Regardless of method used (pwd, biometric, ...)
- Somewhere in authentication software, a single bit determines success/failure
- If attacker can find this bit, he can force authentication to always succeed
- Obfuscation makes it more difficult for attacker to find this all-important bit

Slide 117: Obfuscation
- Obfuscation forces attacker to analyze larger amounts of code
- Method could be combined with
  - Anti-disassembly techniques
  - Anti-debugging techniques
  - Code tamper-checking
- All of these increase work (and pain) for attacker
- But a persistent attacker will ultimately win!

Slide 118: Software cloning
- Suppose we write a piece of software
- We then distribute an identical copy (or clone) to each customer
- If an attack is found on one copy, the same attack works on all copies
- This approach has no resistance to "break once, break everywhere" (BOBE)
- This is the usual situation in software development

Slide 119: Metamorphic software
- Metamorphism is used in malware
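The two detection methods the deck compares on slides 60 to 63, run over constructed data in an added C example; this is not code from the deck. It takes a hash baseline of three made-up files, recomputes after one of them has had the page's example signature 0x23956a58bd910345 appended and another has been edited legitimately, and shows the trade-off the slides list: change detection flags both (no false negative, but one false alarm), while a signature scan flags only the file carrying the known marker. The file names and contents, the FNV-1a checksum and the helper names are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a file system entry: path plus contents. */
struct file { const char *name; const char *data; };

#define MAX_FILES 8

/* Baseline of per-file hashes taken while the system is known clean. This is
 * the table the slide says to "(securely) store": if an attacker can rewrite
 * it along with the file, the comparison below sees nothing. */
struct baseline { const char *name[MAX_FILES]; uint64_t hash[MAX_FILES]; size_t count; };

/* 64-bit FNV-1a. A fast checksum, used so the example has no dependencies;
 * a production checker would use SHA-256 or another cryptographic hash so a
 * tampered file cannot be tuned to keep its old hash. */
static uint64_t fnv1a64(const char *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= (unsigned char)data[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Record the current hash of every file. */
static void baseline_record(struct baseline *b, const struct file *files, size_t n)
{
    b->count = 0;
    for (size_t i = 0; i < n && i < MAX_FILES; i++, b->count++) {
        b->name[b->count] = files[i].name;
        b->hash[b->count] = fnv1a64(files[i].data, strlen(files[i].data));
    }
}

/* Recompute and compare. Returns the number of files whose hash no longer
 * matches; their names are written to `changed` (room for MAX_FILES). */
static size_t baseline_check(const struct baseline *b, const struct file *files,
                             size_t n, const char **changed)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < b->count; j++)
            if (strcmp(files[i].name, b->name[j]) == 0 &&
                fnv1a64(files[i].data, strlen(files[i].data)) != b->hash[j])
                changed[hits++] = files[i].name;
    return hits;
}

/* Signature detection: does the byte string sig occur anywhere in data? */
static int signature_present(const char *data, size_t len,
                             const unsigned char *sig, size_t siglen)
{
    if (siglen == 0 || len < siglen)
        return 0;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(data + i, sig, siglen) == 0)
            return 1;
    return 0;
}

/* The deck's example signature 0x23956a58bd910345 as bytes. */
static const unsigned char SIG[] = { 0x23, 0x95, 0x6a, 0x58, 0xbd, 0x91, 0x03, 0x45 };

/* Constructed files as they were when the baseline was taken ... */
static const struct file CLEAN[] = {
    { "/usr/bin/ls",    "ELF original ls code" },
    { "/etc/motd",      "Welcome" },
    { "/usr/bin/login", "ELF original login code" },
};

/* ... and later: ls has the marker appended (constructed "infection"), motd
 * was legitimately edited by an administrator, login is unchanged. */
static const struct file LATER[] = {
    { "/usr/bin/ls",    "ELF original ls code\x23\x95\x6a\x58\xbd\x91\x03\x45" },
    { "/etc/motd",      "Welcome, maintenance tonight" },
    { "/usr/bin/login", "ELF original login code" },
};
#define NFILES (sizeof CLEAN / sizeof CLEAN[0])

/* Change detection over the constructed files: how many differ from baseline. */
static size_t changed_files(void)
{
    struct baseline b;
    const char *changed[MAX_FILES];
    baseline_record(&b, CLEAN, NFILES);
    return baseline_check(&b, LATER, NFILES, changed);
}

/* Signature detection over the same files: how many contain SIG. */
static size_t flagged_by_signature(void)
{
    size_t n = 0;
    for (size_t i = 0; i < NFILES; i++)
        n += signature_present(LATER[i].data, strlen(LATER[i].data), SIG, sizeof SIG);
    return n;
}

int main(void)
{
    printf("change detection flags %zu of %zu files (one is a false alarm)\n",
           changed_files(), (size_t)NFILES);
    printf("signature scan flags %zu of %zu files\n", flagged_by_signature(), (size_t)NFILES);
    return 0;
}
```

The result reproduces the slide's two columns in miniature: the hash comparison catches the modified ls without knowing anything about the marker, at the price of also raising an alarm on the edited motd, which is the "many files change and often" burden; the signature scan is quiet on motd but would miss an infection whose marker is not in its list.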
