CSC 482/582: Computer Security - Input Validation

Upload: ralf-williamson

Post on 12-Jan-2016



Topics

- The Nature of Trust
- Validating Input
- Entry Points
- Web Application Input

Trust Relationships

- Relationship between multiple entities.
- Assumptions that certain properties are true.
  Example: input has a certain format.
- Assumptions that other properties are false.
  Example: input is never longer than X bytes.
- Trustworthy entities satisfy the assumptions.

Who do you trust?

- Client users. Example: encryption key embedded in the client.
- Operating system. Example: dynamically loaded libraries.
- Calling program. Example: environment variables.
- Vendor. Example: Borland Interbase backdoor, 1994-2001; only discovered when the program was made open source.

Trust is Transitive

If you call another program, you are trusting the entities that it trusts:

- Processes you spawn run with your privileges.
- Did you run the program you think you did? (PATH and IFS environment variables)
- What input format does it use? (Shell escapes in editors and mailers)
- What output does it send you?

Validate All Input

- Never trust input.
- Assume input is dangerous until proven safe.
- Prefer rejecting data to filtering data: it is difficult to filter out all dangerous input.
- Every component should validate data, because trust is transitive:
  - Don't trust the calling component.
  - Don't trust the called component (shell, SQL).

Validation Techniques

- Indirect Selection: allow the user to supply an index into a list of legitimate values. The application never directly uses the user input.
- Whitelist: a list of valid patterns or strings. Input is rejected unless it matches the list.
- Blacklist: a list of invalid patterns or strings. Input is rejected if it matches the list.

Validation Actions

- Sanitize: attempt to fix the input by removing the dangerous parts.
- Reject: refuse to use invalid input.
- Reject with Explanation: explain the problems with the input to the user, and refuse to use it.
- Log: record invalid input in a log file.
- Alert: send an alert to an administrator about the input.
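The three techniques from the Validation Techniques slide, written out in C as an added example (not code from the slides): a hypothetical request that picks a sort column by index and supplies a username. The column table, the 16-character limit and the blacklist entries are all assumptions made for the demonstration.

```c
/* Added example (not from the slides): the three techniques above applied to
 * a hypothetical request that names a sort column and a username. */
#include <string.h>

/* Indirect selection: the client sends an index, never a column name, so the
 * raw input never reaches the query. */
static const char *const SORT_COLUMNS[] = { "name", "created", "size" };
#define N_SORT_COLUMNS (sizeof SORT_COLUMNS / sizeof SORT_COLUMNS[0])

/* Returns the legitimate column for a client-supplied index, or NULL if the
 * index is out of range (reject it; do not clamp it). */
const char *select_sort_column(long idx)
{
    if (idx < 0 || (unsigned long)idx >= N_SORT_COLUMNS)
        return NULL;
    return SORT_COLUMNS[idx];
}

/* Whitelist character class [A-Za-z0-9_], written as explicit ranges because
 * isalnum() is locale dependent and may admit bytes above 127. */
static int allowed_byte(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_';
}

/* Whitelist: accept only if the length is in bounds and every byte is in the
 * allowed set; anything else is rejected, not repaired. */
int whitelist_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 16)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!allowed_byte((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Blacklist, for contrast: it rejects only the substrings it knows about, so
 * a control character or an overlong name passes straight through. */
int blacklist_username(const char *s)
{
    static const char *const bad[] = { "'", "\"", ";", "<", ">" };
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        if (strstr(s, bad[i]) != NULL)
            return 0;
    return 1;
}
```

The last function is there only to show why the slide prefers the whitelist: the same inputs that the whitelist rejects on sight are accepted by the blacklist unless someone thought of them in advance.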

Trust Boundaries

(Diagram, not reproduced in the transcript: Raw Input passes through Syntax Validation to Safe Syntax, then through Semantic Validation to App Logic, with trust boundaries between the stages.)

Wrap Dangerous Functions

- Input is context sensitive: more context is needed than is available at the front end.
- Solution: create a secure API.
  - Apply context-sensitive input validation to all input.
  - Maintain the input validation logic in one place.
  - Ensure validation is always applied.
  - Use static analysis to check for uses of the dangerous functions that the API replaces.
- Existing Enterprise Security Services/Libraries: OWASP ESAPI (images from owasp.org).

Usability Validation ≠ Security Validation

- Usability validation helps legitimate users:
  - Catch common errors.
  - Provide easy to understand feedback.
  - Client-side feedback is helpful for speed.
- Security validation mitigates vulnerabilities:
  - Catches potential attacks, including unusual, unfriendly types of input.
  - Provides little to no feedback on the reasons for blocking input.
  - Cannot trust the client. Always server side.

Check Input Length

- Long input can result in buffer overflows.
- Can also cause DoS due to low memory.
- Truncation vulnerabilities:
  - 8-character long username column in the DB.
  - User tries to enter "admin   x" (admin, spaces, x: 9 characters in all) as the username.
  - DB returns no match, since the name is 9 chars.
  - App inserts the data into the DB, which truncates it.
  - Later SQL queries will return both names, since MySQL ignores trailing spaces on string comparisons.

Notes: WordPress 2.6.1 had a SQL column truncation vulnerability. See www.milw0rm.com/exploits/6397.

Entry Points

- Command line arguments
- Environment variables
- File descriptors
- Signal handlers
- Format strings
- Paths
- Shell input
- Web application input
- Database input
- Other input types

Command Line Arguments

- Available to the program as **argv.
- execve() allows the user to specify the arguments.
  - They may be of any length, even the program name, argv[0].
  - argv[0] may even be NULL.
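The truncation flow from the Check Input Length slide, simulated in C as an added example (not code from the slides). There is no real database here: the "column" is a fixed 8-byte field, and compare_ignoring_trailing_spaces() stands in for a comparison that, like the one the slide attributes to MySQL, ignores trailing spaces. The names and the column width are constructed for the demonstration.

```c
/* Added example (not from the slides): a simulation of the column-truncation
 * flow above and the length check that prevents it. The "column" is a fixed
 * 8-byte field and compare_ignoring_trailing_spaces() mimics a comparison
 * that, like the one the slide attributes to MySQL, ignores trailing spaces.
 * Names and widths are constructed for the demonstration. */
#include <string.h>

#define COL_WIDTH 8

/* Mimics a CHAR(8)-style column: the value is silently cut to COL_WIDTH. */
void store_truncated(char out[COL_WIDTH + 1], const char *name)
{
    strncpy(out, name, COL_WIDTH);
    out[COL_WIDTH] = '\0';
}

/* Trailing-space-insensitive comparison: returns 1 if equal. */
int compare_ignoring_trailing_spaces(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    while (la > 0 && a[la - 1] == ' ') la--;
    while (lb > 0 && b[lb - 1] == ' ') lb--;
    return la == lb && memcmp(a, b, la) == 0;
}

/* Vulnerable flow: uniqueness is checked on the full requested name, but the
 * stored value is the truncated one. Returns -1 if the app refuses the name
 * as taken, 1 if the stored row now collides with the existing name, else 0. */
int vulnerable_flow_collides(const char *existing, const char *requested)
{
    char stored[COL_WIDTH + 1];
    if (compare_ignoring_trailing_spaces(existing, requested))
        return -1;
    store_truncated(stored, requested);   /* the DB truncates on insert */
    return compare_ignoring_trailing_spaces(existing, stored);
}

/* Mitigation from the slide: check the length against the column width first
 * and reject, so the database never gets the chance to truncate. Returns 1 if
 * the name is accepted. */
int safe_flow_accepts(const char *existing, const char *requested)
{
    if (strlen(requested) > COL_WIDTH)
        return 0;
    return !compare_ignoring_trailing_spaces(existing, requested);
}
```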

Environment Variables

- Default: inherit the parent's environment.
- execve() allows you to specify the environment variables for the exec'd process.
- Environment variables can be of any length.
- Telnet environment propagation to the server:
  - The server receives the client shell's environment.
  - The server runs the setuid program login.
- ssh may use the user's ~/.ssh/environment file.

Notes: Telnet Environment Advisory: http://www.cert.org/advisories/CA-1995-14.html

Dangerous Environment Variables

- LD_PRELOAD
  - The program loads functions from the library specified in LD_PRELOAD before searching the system libraries.
  - Can replace any library function.
  - setuid root programs don't honor this variable.
- LD_LIBRARY_PATH
  - Specifies the list of paths to search for shared libraries.
  - Store a hacked version of a library in the first directory.
  - Modern libc implementations disallow it for setuid/setgid programs.

Notes: Similar problems exist with Windows DLLs. If you start a program by clicking on a document, the directory containing the document is searched first for DLLs.

Dangerous Environment Variables (continued)

- PATH
  - Search path for binaries.
  - An attacker puts a directory with a hacked binary first in PATH, so his ls is used instead of the system ls.
  - Avoid "." in PATH, as an attacker may place hacked binaries in the directory the program sets its CWD to.
- IFS
  - Internal field separator for the shell.
  - Used to separate the command line into arguments.
  - Attacker sets it to "/": /bin/ls becomes "bin" and "ls".

Notes: LC_ALL, NLSPATH, and other locale variables may also be dangerous. This is not an exhaustive list of dangerous environment variables by any means.

Environment Storage Format

- Access functions: setenv(), getenv()
- Internal storage format:
  - Array of character pointers, NULL terminated.
  - String format: NAME=value, NUL terminated.
- Multiple environment variables can have the same name.
  - Did you check the same variable that you fetched? The first or the last variable that matches?

Securing Your Environment

Code from BSS (Building Secure Software), pp. 318-319. The transcript dropped the string quotes and the reset of i before the putenv() loop; without that reset the loop starts at def_env[-1].

```c
/* BSS, pp. 318-319 */
#include <stdlib.h>          /* putenv() */

extern char **environ;

/* The only variables a privileged program should start with. */
static char *def_env[] = {
    "PATH=/bin:/usr/bin",
    "IFS= \t\n",
    0
};

static void clean_environment(void)
{
    int i = -1;
    while (environ[++i] != 0);           /* find the end of environ */
    while (i--) environ[i] = 0;          /* wipe every inherited entry */
    i = 0;                               /* restart at the first default */
    while (def_env[i]) putenv(def_env[i++]);
}
```

Notes: Some UNIX versions require TZ to be set as well.

Securing Your Environment (continued)

- Secure environment in the shell (the $'...' quoting, which yields a literal space, tab and newline, is bash/ksh/zsh syntax):

```sh
/usr/bin/env PATH=/bin:/usr/bin IFS=$' \t\n' cmd
```

- Secure environment in Perl:

```perl
%ENV = (PATH => '/bin:/usr/bin', IFS => " \t\n");
```

File Descriptors

- Default: inherited from the parent process.
  - stdin, stdout, stderr are usually fds 0, 1, and 2.
- The parent process may have closed or redirected the standard file descriptors.
- The parent may have left some fds open.
  - Cannot assume the first file opened will have fd 3.
- The parent process may not have left enough file descriptors for your program.
- Check using the code from BSS, p. 315.

Signal Handlers

- Default: inherited from the parent process.

```c
/* BSS, p. 316 */
#include <signal.h>

int main(int argc, char **argv)
{
    int i;
    /* Loop body reconstructed (the transcript stops mid-loop): reset every
     * signal to its default disposition before doing anything else. */
    for (i = 0; i < NSIG; i++)
        signal(i, SIG_DFL);
    return 0;
}
```
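The Environment Storage Format slide asks whether the variable you checked is the one you fetched when a name appears twice. The following added example (not code from the slides or from BSS) answers that for any NULL-terminated NAME=value array; SAMPLE_ENV and CLEAN_ENV are constructed inputs, and the real environ can be passed in the same way.

```c
/* Added example (not from the slides or BSS): checks for the "same name
 * twice" case from the Environment Storage Format slide. getenv() returns
 * the first NAME= match, but code that walks environ by hand may take the
 * last. The functions accept any NULL-terminated NAME=value array such as
 * environ; SAMPLE_ENV and CLEAN_ENV are constructed for the demonstration. */
#include <stddef.h>
#include <string.h>

/* Does the entry "NAME=value" carry the given name (nlen = strlen(name))? */
static int env_has_name(const char *entry, const char *name, size_t nlen)
{
    return strncmp(entry, name, nlen) == 0 && entry[nlen] == '=';
}

/* Index of the first (want_last == 0) or last (want_last != 0) entry with
 * this name, or -1 if there is none. */
int env_find(char *const env[], const char *name, int want_last)
{
    size_t nlen = strlen(name);
    int found = -1;
    for (int i = 0; env[i] != NULL; i++) {
        if (env_has_name(env[i], name, nlen)) {
            found = i;
            if (!want_last)
                break;
        }
    }
    return found;
}

/* 1 if any name appears more than once. A privileged program can refuse to
 * start, or call clean_environment() first, when this is the case. */
int env_has_duplicates(char *const env[])
{
    for (int i = 0; env[i] != NULL; i++) {
        const char *eq = strchr(env[i], '=');
        size_t nlen = eq ? (size_t)(eq - env[i]) : strlen(env[i]);
        for (int j = i + 1; env[j] != NULL; j++)
            if (env_has_name(env[j], env[i], nlen))
                return 1;
    }
    return 0;
}

/* Constructed sample: PATH appears twice, with different values. */
char *const SAMPLE_ENV[] = { "HOME=/home/u", "PATH=/bin", "TERM=xterm",
                             "PATH=/usr/local/bin", NULL };
char *const CLEAN_ENV[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };
```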
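The File Descriptors slide refers to a check in BSS, p. 315, that is not reproduced in the transcript. The following is an added example of such a check (my code, not the book's): it confirms that descriptors 0, 1 and 2 are open before the program opens any file of its own, and points any missing one at /dev/null.

```c
/* Added example (not the BSS p. 315 code the File Descriptors slide cites):
 * make sure descriptors 0, 1 and 2 are open before the program opens
 * anything else. If the parent closed one, the first file we opened would
 * silently become our stdin, stdout or stderr. Each missing descriptor is
 * pointed at /dev/null. Returns the number repaired, or -1 if /dev/null
 * cannot be opened, in which case the caller should abort. */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* F_GETFD fails with EBADF only when the descriptor is not open. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

int ensure_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* open() returns the lowest free descriptor, which is fd itself,
         * because 0..fd-1 are already guaranteed open at this point. */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {                  /* defensive; should not happen */
            if (dup2(nfd, fd) < 0) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}
```

Call ensure_std_fds() as the first thing in main(), before any open(), socket() or pipe(), and treat -1 as fatal.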