
MAWC – Radford University 2010© The notes on these slides are derived from: UNIX and Internet Security (Garfinkel and Spafford); Security in Computing (Pfleeger and Pfleeger). Compiled by Prem Uppuluri, w/ tweaks by Ian Barland.

Threats/Vulnerabilities/Attacks: Part 1

Input size validation exploits (Buffer overflow)


Organization of this lecture

• Threats, vulnerabilities and attacks can be categorized into:
– Physical (e.g., vandalism).
– Personnel (e.g., criminal background).
– Technological (e.g., cross site scripting attacks, worms, etc.).

• While we will discuss all three types, our focus will be on the third type (technological).


Physical security.

• What threats to computing infrastructures are you familiar with that are physical in nature?


Physical Security Threats/Vulnerabilities (1)

• Environmental dangers:
– Fire: ?
– Water damage: ?
– Smoke.
– Dust.
– Earthquake.
– Explosions.
– Extreme temperatures.
– Bugs (the real ones, the ones that are yucky!).
– Electrical noise.
– Lightning.
– Vibration.
– Humidity.

Slide from text in Practical UNIX and Internet Security © Simson Garfinkel and Gene Spafford, 3rd Edition. ISBN-10: 0596003234; ISBN-13: 978-0596003234


Physical Security (2)

• Accidents
– Food and drink.

• Access
– Raised floors and dropped ceilings.
– Air ducts.
– Glass walls.

• Vandalism
– Types: meant as fairly harmless vs. vindictive.
– Examples: exploit on ventilation holes on CRT monitors at MIT; network cables.

• Espionage, war.


Physical Security (3)

• Preventing theft
– Laptops/portable computers.
– Locks.


Physical Security (4)

• Preventing theft
– RAM theft.
– Encryption.

• Protecting your data
– Eavesdropping.
– Wiretapping.
– Eavesdropping by radio and the use of TEMPEST.
– Reading homework: http://www.fas.org/irp/program/security/tempest.htm and Section 8.4.1.4.
– Fiber optic cable.

• Protecting backups
– Verifying backups.
– Protecting backups.

• Sanitizing media before disposal (srm; drill/smash/burn).
• Protecting local storage.
• Key switches.


Next: Personnel Security.

• "Without people, we wouldn't have any security problems."
• Examples of security incidents involving personnel:
– Goldman Sachs incident, June 2009.
– Aldrich Ames, Robert Hanssen, etc.; Wikileaks.
– AmEx: lost laptop => had to re-issue cards for thousands.

• Personnel security issues:
– All employees are involved.
– Everything done to employees is involved: hiring, training, monitoring and their departure from the job.
– Two types of perpetrators: unwitting; malicious intent.

• How to protect?


Personnel Security: controls

• Pre-hiring: background checks.
• Initial training.
– Ongoing training and awareness.
• Performance reviews and monitoring.
• Auditing.
• Departure procedures.
• Other people?
– System operators, administrators.
– Cleaning/maintenance personnel.
– Security guards.
– Temporary workers/contractors.
– Consultants.
– Auditors.

Adapted from Computer Security: Art and Science, ©2004 Matt Bishop, slide #23-9 (June 1, 2004).

Two guidelines:
– Principle of Least Privilege.
– Separation of duties.
As always, it's a trade-off: security for effort/cost.


Next.

• Technological security vulnerabilities: the vulnerabilities in software applications running on a computing infrastructure.


The problem with technological vulnerabilities

• Problem: too many such vulnerabilities.

• Why? Software is complex, and the interactions between software applications are even more complex.

• Next: an overview of "common" software vulnerabilities.


Technological vulnerabilities

• There are many such vulnerabilities.
• Impossible for any security expert to know all of them!
• Instead, what we need to know is:
– The expert resources available to us that list out the common vulnerabilities.
– Some standard/common vulnerabilities that keep occurring all the time.
– The fundamental issues in software development that allow the vulnerabilities to creep in.

• The last two points above are covered in depth in ITEC 445.

These notes compiled by Prem Uppuluri


Some resources that list out software vulnerabilities.

1. Mitre Corporation's Common Weakness Enumeration (CWE)
– URL: cwe.mitre.org
– Free for public use; catalogs software weaknesses and ranks them.
– Great resource: a list of weaknesses that every student must learn: cwe.mitre.org/top25/profiles.html#ProfileEduc
– Together with the SANS Institute (www.sans.org) publishes the famous Top 25 Most Dangerous Software Errors: cwe.mitre.org/top25.

2. Open Web Application Security Project (OWASP)
– Focuses on web server/client vulnerabilities.
– Non-profit; free to the public.
– Great resource: the OWASP Top Ten project (web application security issues): www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

3. CERT Coordination Center (CERT/CC, Carnegie Mellon University)
– www.cert.org
– Lists the most recent vulnerabilities (researchers and vendors report vulnerability information to CERT).
– Publishes guides on how to code securely in various languages (C/C++/Java etc.).
– Publishes guides on how to secure systems.

4. National Vulnerability Database (NIST, sponsored by Homeland Security): nvd.nist.gov
– A machine-readable list of known vulnerabilities (CVE entries).


Most dangerous programming flaws

• In class: take a look at the most dangerous programming errors: cwe.mitre.org/top25

• In the list above, what word(s) keep cropping up most often across the vulnerabilities?

• Answer: "input".

• Next: why "input"?


The "effect of input"

• Observation:
– If an application doesn't accept input over the Internet, it cannot be attacked from across the Internet.
– Hence, most application-level attacks exploit weaknesses in how an application accepts and processes input.

• These vulnerabilities are called "input validation vulnerabilities".

• For the moment we ignore other forms of attack such as denial of service.


Input Validation Attacks

• The attack boils down to this question: do you trust your users?

• Consider a spell check application. Here is its intended use:
– Input: English sentence.
– Output: sentence with corrected spelling.

Spell_Check: "Let's acheive security" → "Let's achieve security"

Example slide provided with the textbook: Foundations of Security: Neil Daswani et al. ©Neil Daswani, ISBN-13: 978-1590597842


Input Validation Attacks

• How would you program this? Just explaining a brief algorithm will suffice.

Spell_Check: "Let's acheive security" → "Let's achieve security"


Spell_Check Function

  #include <string.h>

  /* MAX_WORD_LENGTH, dictionary_get() and nearestWord() are defined elsewhere. */
  int dictionary_get(const char *word);
  const char *nearestWord(const char *word);

  void spellCheck(char input[], char output[]) {
      char next_word[MAX_WORD_LENGTH];
      int i = 0, j = 0;

      while (j < strlen(input)) {
          /* copy `input` into `next_word` until a space (or the end of the input) */
          for ( ; input[j] != ' ' && input[j] != '\0'; i++, j++)
              next_word[i] = input[j];
          next_word[i] = '\0';

          /* look the word up; if it is unknown, substitute the nearest known word */
          if (!dictionary_get(next_word))
              strcat(output, nearestWord(next_word));
          else
              strcat(output, next_word);
          strcat(output, " ");
          i = 0;
          j++;
      }
  }

Here is an example of a simple spell check implementation in C. Can you spot any issues? Note: even if you don't know C, the syntax is not very dissimilar to Java.

Example slide accompanies Foundations of Security: Neil Daswani et al., updated by Ian Barland.©Neil Daswani , ISBN-13: 978-1590597842


Input Validation Problem

• In the last slide, the problem in the code was that the buffer for the word to be spell-checked was only MAX_WORD_LENGTH bytes long, and nothing checked that the word fits.

• What if the user inputs a word longer than MAX_WORD_LENGTH?

• What would your program do?

• Unfortunately a lot of programs are written without paying attention to such cases.

• This causes a major vulnerability called: buffer overflow.

Spell_Check: "Supercagafragilisticmakesmealadocious" → ???
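The bounded version a practitioner would write, as an added example that is not code from the slides or from Foundations of Security. It assumes a tiny constructed dictionary and a one-entry nearestWord() stand-in, and sets MAX_WORD_LENGTH to 16 so that an overlong word is easy to produce. Besides refusing a word that does not fit in next_word, it also bounds every write into output, which the slide's strcat() calls leave unchecked:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_WORD_LENGTH 16   /* kept small so an overlong word is easy to hit */

/* Constructed stand-ins for the slide's dictionary_get() and nearestWord(). */
static const char *DICT[] = { "Let's", "achieve", "security" };

static int dictionary_get(const char *word) {
    for (size_t i = 0; i < sizeof DICT / sizeof DICT[0]; i++)
        if (strcmp(DICT[i], word) == 0)
            return 1;
    return 0;
}

/* Toy "nearest word": knows exactly one correction. */
static const char *nearestWord(const char *word) {
    return strcmp(word, "acheive") == 0 ? "achieve" : word;
}

/* Append src to dst without exceeding dstsz bytes including the NUL.
   Returns 0 on success, -1 if src does not fit (dst is left unchanged). */
static int append_bounded(char *dst, size_t dstsz, const char *src) {
    size_t used = strlen(dst), need = strlen(src);
    if (used >= dstsz || need >= dstsz - used)
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Bounded spellCheck(): returns 0 on success, -1 if a word is longer than
   MAX_WORD_LENGTH-1 bytes (instead of overrunning next_word), -2 if the
   corrected sentence does not fit in output[outsz]. */
int spellCheckSafe(const char *input, char *output, size_t outsz) {
    char next_word[MAX_WORD_LENGTH];
    size_t j = 0, n = strlen(input);

    if (outsz == 0)
        return -2;
    output[0] = '\0';

    while (j < n) {
        size_t i = 0;
        /* copy one word, stopping at a space or at the end of the input */
        while (j < n && input[j] != ' ') {
            if (i >= sizeof next_word - 1)
                return -1;               /* the case the slide asks about */
            next_word[i++] = input[j++];
        }
        next_word[i] = '\0';

        const char *word = dictionary_get(next_word) ? next_word
                                                     : nearestWord(next_word);
        if (append_bounded(output, outsz, word) != 0 ||
            append_bounded(output, outsz, " ") != 0)
            return -2;
        j++;                              /* skip the space */
    }
    return 0;
}

/* Helpers for trying the function: run one input through a 64-byte output
   buffer and report the return code, or compare the result with `expected`. */
static char result_buf[64];

int spell_rc(const char *input, size_t outsz) {
    if (outsz > sizeof result_buf)
        outsz = sizeof result_buf;
    return spellCheckSafe(input, result_buf, outsz);
}

int spell_matches(const char *input, const char *expected) {
    return spell_rc(input, sizeof result_buf) == 0 &&
           strcmp(result_buf, expected) == 0;
}

int main(void) {
    const char *inputs[] = { "Let's acheive security",
                             "Supercagafragilisticmakesmealadocious" };
    for (size_t k = 0; k < 2; k++) {
        int rc = spell_rc(inputs[k], sizeof result_buf);
        printf("%-40s -> rc=%d %s\n", inputs[k], rc,
               rc == 0 ? result_buf : "(rejected)");
    }
    return 0;
}
```

Rejecting the overlong word (rather than silently truncating it) is the design choice here: a truncated word would be looked up and "corrected" as if it were the user's input, which hides the problem instead of surfacing it.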


WANTED

Name: Slammer worm.
Alias: SQL Slammer worm.
Claim to fame: "crashed the Internet in 15 minutes": infected most of its roughly 75,000 victims within ten minutes of release and caused widespread outages.
Technological superiority: medium.
First known act of violence: January 2003.

Example of an exploit that takes advantage of an input validation vulnerability: the Slammer worm.

Step 1: Identifying a victim (server): randomly generate an IP address.

Step 2: Attack the server, assuming it is running the Microsoft SQL Server DBMS.

Step 3: SQL Server's Resolution Service accepts requests from remote computers on UDP port 1434 and copied each request into a fixed-size buffer without checking its length. Enter buffer overflow: a single 376-byte packet injects the worm's code. (A patch for this flaw, MS02-039, had been available for six months.)

Step 4: The hijacked program now propagates the worm to another machine on the Internet. The cycle continues.

Some major exploits using buffer overflow:

1. Conficker worm (November 2008; spread through a buffer overflow in the Windows Server service, MS08-067; Microsoft offered $250,000 for information leading to the worm's creator) [Source: http://www.networkworld.com/news/2009/021209-conflickr-bounty-microsoft.html]
2. Estonia DDoS attacks (April 2007): launched from botnets of machines that had been taken over, commonly through buffer-overflow exploits.
3. Slammer (2003)
4. Nimda (2001)
5. Code Red worm (2001)
6. Morris worm (1988)

Worm image source: http://computerworm.net/. These notes compiled by Prem Uppuluri, and tweaked by Ian Barland.


Flavors of Input Validation: different types of input validation attacks.

• Buffer overflows.
• HTTP splitting.
• Web cache poisoning.
• Cross site request forgery.
• Cross site scripting.
• SQL injection.
• Network-based attack examples: Teardrop, Land.


Buffer Overflows

• Allow an attacker to "inject" code into an otherwise benign software application.

• First widely exploited by the Morris worm of 1988, which overflowed a buffer in the BSD fingerd daemon (http://en.wikipedia.org/wiki/Morris_worm).

• [Graph: number of buffer overflow alerts, in millions. Graph ©: Foundations of Security: Neil Daswani et al. ©Neil Daswani]


Buffer Overflows

• Buffer: memory used to store user input.

• Buffer overflow: a condition that occurs when more user input is provided than can fit in the buffer.


Simple example of a buffer overflow

• Unfortunately, explicit memory (de-)allocation and the use of pointers result in lots of errors.
– Example: can you spot an error in the following program?

Such errors can be used by attackers to execute what they want! These are called buffer overflow attacks.

  #include <string.h>

  /* strcpy() copies until the NUL in str and has no idea how big buffer is */
  void function(char *str) {
      char buffer[16];
      strcpy(buffer, str);
  }

  int main(void) {
      char large_string[256];
      for (int i = 0; i < 255; i++)
          large_string[i] = 'A';
      large_string[255] = '\0';
      function(large_string);   /* 255 bytes passed to a 16-byte buffer */
      return 0;
  }

These notes compiled by Prem Uppuluri. Code on the slide from: Foundations of Security: Neil Daswani et al. ©Neil Daswani, ISBN-13: 978-1590597842


Next:

• Understanding the working of a buffer overflow attack.

• For this, we will need a background on:
– How processes use memory when executing.
– The role of a "stack" in process execution.


Discussion: Process memory

• A process is nothing but a "program in execution".
• A process is organized in memory into 3 main regions:
– Code or text segment
• This is where the code of the process, in machine code, is stored.
• Usually, most operating systems set the code segment to "read-only" mode. This is because, in almost all cases, the process code is not changed once it starts execution. Exceptions are when debuggers are used (a debugger writes breakpoint instructions into the code).
– Data segment (and heap)
• The data segment is where a process stores its "static" and global variables and "final" values; dynamically allocated memory lives on the heap, a separate region that these slides group together with the data segment.
– E.g., Integer x = new Integer(4).
» Here, x is a reference variable. What is that?
» The reference x itself is a local variable (on the stack), while the Integer object holding 4 is stored on the heap.
– Stack segment: (next slide)


Usage of stack by operating systems when executing programs

• When main() invokes function(char *str):
– How does function(char *str) access variables passed to it? E.g., large_string.
– How will the OS know where to resume execution of main() when function(char *str) has terminated?

• Solution: use a stack.
– Elements on the stack represent the current location of a program.
– The stack works just like a regular stack data structure, with push and pop.

(Code: the same function()/main() program as on the "Simple example of a buffer overflow" slide.)


Example stack when executing a process

  #include <stdio.h>
  #include <string.h>

  void f(char *str) {
  6   char buffer[16];
  7   strcpy(buffer, str);          /* str holds 15 'A's plus the NUL: it fits */
  }

  int main(void) {
  1   char large_string[16];
  2   for (int i = 0; i < 15; i++)
  3       large_string[i] = 'A';
      large_string[15] = '\0';      /* terminate so strcpy stops at 16 bytes */
  4   f(large_string);
  5   printf("done");
      return 0;
  }

Start: empty stack.

(a) push(large_string): the first instruction creates memory for "large_string" (16 bytes long) on the stack. This is a push operation.

(b) push(return_address 5): when the OS reaches instruction "4", it has to call function "f". However, before it starts executing "f", it must somehow remember where to return to after executing "f": it has to return to instruction "5" after finishing "f". It remembers this by storing the return address "5" on the stack.

(c) push(buffer): the first instruction of function "f" allocates space for buffer (16 bytes long), another push.

Continued on next slide …

These notes compiled by Prem Uppuluri. Code on the slide from: Foundations of Security: Neil Daswani et al. ©Neil Daswani, ISBN-13: 978-1590597842


Example stack when executing a process (2)

(Code: the same f()/main() program as on the previous slide.)

Stack, top to bottom, after the pushes: buffer (16 bytes long), return address, large_string (16 bytes long).

After executing "strcpy" the function "f" has ended. Now the next instruction that must be executed is the instruction following the call to "f" in main. How does the OS know what that instruction is?

Here's how: it first pops all the entries it made for f (the buffer) from the stack.

After popping the frame of function f, the OS uses the return address to go to instruction "5". This involves popping the value of the return address into the program counter.

Attack idea: change the return address by overflowing a buffer such that the return address points to "attack" code.


Using stack segment to attack (overwrite return addr)

Let's see the use of the stack for our code (the function()/main() program with the 256-byte large_string from the "Simple example of a buffer overflow" slide).

(a) push(large_string): large_string is placed on the stack, above the previous stack content.
(b) push(return_address): the return address into main.
(c) push(buffer): buffer, 16 bytes long, is allocated for function().
(d) strcpy: this region is now filled with data from str. str is 255 bytes, so the copy runs past the end of the 16-byte buffer and over the return address.


Buffer overflow attack

Stack after the strcpy, top to bottom: buffer (overwritten), return address (overwritten with bytes from str), previous stack content, large_string.

If this piece of data is carefully selected, we can point the OS to go wherever we want.

When the system returns from the function call, it will begin executing code from the beginning of str.


Digression.

• Slides 34 – 41 contain material on how attackers craft strings for buffer overflows.

• This is provided for information only.

• Not part of the syllabus.


Causing a stack buffer overflow

• To cause a buffer overflow, attackers have to carefully craft an input that will:
– (a) overflow the buffer:
• writing into the next memory location,
• continuing to write until it reaches the return address.
– (b) overwrite the return address with a pointer of the attacker's choosing. Why not simply a pointer into the program's own code?
– (c) inject the code the attacker wants to execute.

• E.g., suppose the attacker wants to attack our toy code. Let us see the steps to take.


Causing a stack buffer overflow (2)

• Toy program:

  #include <stdio.h>
  #include <string.h>

  void f(char *str) {
  3   char buffer1[4];
  4   char buffer2[4];
  5   strcpy(buffer2, str);     /* no length check */
  }

  int main(int argc, char *argv[]) {
      if (argc < 2) return 1;   /* guard against a missing argument */
  1   f(argv[1]);
  2   printf("done");
      return 0;
  }

• Stack (top of picture = higher addresses): argv[1] | Frame ptr | Return addr | Buffer 1 (4 bytes) | Buffer 2 (4 bytes).

Attack goal: make the program execute a root shell.


Causing a stack buffer overflow (3)

• Toy program and stack: as on the previous slide (argv[1] | Frame ptr | Return addr | Buffer 1, 4 bytes | Buffer 2, 4 bytes).

STEP 1: Identify the buffer to overflow. Need to check various buffers. This is a trial-and-error process. How to check?

Depends on the application. E.g., Cisco router: check with packets; web server: check with URLs.

If the program segmentation faults, then bounds checking is not being done!
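STEP 1's "does it segfault?" check, as an added example that is not code from the slides: a small harness that runs a target function in a forked child, classifies how the child ended, and sweeps input lengths to find the shortest input that kills it. It assumes a POSIX system (fork, waitpid). Both targets are constructed for the demo; the fixed-buffer one simulates the crash with raise(SIGSEGV) once the input no longer fits its 16-byte buffer, so the result does not depend on the compiler's stack layout. A build with a stack protector would die with SIGABRT ("stack smashing detected") instead of SIGSEGV, and the harness reports that signal just the same:

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef void (*target_fn)(const char *input);

/* Run target(input) in a forked child and report how it ended:
   0 if it returned normally, otherwise the signal that killed it
   (SIGSEGV for a wild return address, SIGABRT when a stack protector
   detects the smash, ...). -1 if fork()/waitpid() failed. */
int probe(target_fn target, const char *input) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                 /* child: run the target and exit cleanly */
        target(input);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Sweep input lengths 1..maxlen (all 'A's) and return the smallest length
   that kills the target, or 0 if none does within maxlen. */
size_t find_min_crash_len(target_fn target, size_t maxlen) {
    char buf[4096];
    if (maxlen >= sizeof buf)
        maxlen = sizeof buf - 1;
    for (size_t len = 1; len <= maxlen; len++) {
        memset(buf, 'A', len);
        buf[len] = '\0';
        if (probe(target, buf) > 0)
            return len;
    }
    return 0;
}

/* Constructed targets for the demo. The crash is simulated with
   raise(SIGSEGV) once the input no longer fits the 16-byte buffer; a real
   target would be the daemon or parser under test, fed the same inputs. */
static void safe_target(const char *input) { (void)input; }

static void fixed_buffer_target(const char *input) {
    char buffer[16];
    if (strlen(input) >= sizeof buffer)
        raise(SIGSEGV);             /* stand-in for a clobbered return address */
    strcpy(buffer, input);
}

int main(void) {
    printf("safe target: signal %d\n", probe(safe_target, "AAAA"));
    printf("fixed-buffer target: first crash at length %zu\n",
           find_min_crash_len(fixed_buffer_target, 64));
    return 0;
}
```

Running the target in a child is what makes the sweep usable: the parent survives every crash and can keep going, and the exit status tells SIGSEGV (memory corruption reached something the CPU rejects) apart from SIGABRT (a runtime check caught it first).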


Causing a stack buffer overflow (4)

• Toy program and stack: as on slide (2) (argv[1] | Frame ptr | Return addr | Buffer 1, 4 bytes | Buffer 2, 4 bytes).

STEP 2: Find the return address and compute the distance from the "victim" buffer to the return address.

Find the return address by disassembling the code (i.e., looking at the code binary). Example discussed in class.

Then use your knowledge of the stack layout to compute the distance. Caveat: on a real x86 system the saved frame pointer sits between the local buffers and the return address (the slide's picture draws it above the return address), and the compiler may add padding between buffer2, buffer1 and the saved frame pointer, so the distance is measured from the disassembly or by experiment rather than by adding 4 + 4.


Causing a stack buffer overflow (5)

• Stack: argv[1] | Frame ptr | Return addr | Buffer 1 (4 bytes) | Buffer 2 (4 bytes).

STEP 3: Craft a string that fills the buffer until you reach the return address. Usually a run of NOP instructions (a "NOP sled") is placed in front of the injected code, so that the return address only has to land somewhere in the sled rather than exactly on the first injected instruction.

STEP 4: Replace the return address with some other address.

Which address? And why?

This new address in the "return address" field must point to the code that we want the program to execute.

Remember: the return address points to an address in the code segment, which is read-only, so we cannot put our own code there. Hence, we have to change the return address to some address in the stack or data segment where we can insert the code we want to execute.

Where can we easily insert the code we want this program to execute?


Causing a stack buffer overflow (6)

• Stack: argv[1] | Frame ptr | Return addr | Buffer 1 (4 bytes) | Buffer 2 (4 bytes).

Usually attackers insert the code to be executed in the stack itself. E.g., in the picture the code is inserted in the area where previously the stack contained "Frame ptr" and "argv[1]"; both are replaced by the new instructions. Remember, by code we mean machine instructions.

E.g., a short sequence of machine instructions that calls execve("/bin/sh") invokes the execve system call, which in turn executes the program "sh" (a UNIX shell). Such a sequence is called "shellcode".


Causing a stack buffer overflow (7)

• Stack after the overwrite: call exec(sh) (where Frame ptr and argv[1] were) | Return addr | Buffer 1 (4 bytes) | Buffer 2 (4 bytes).

Now the return address will simply be the address of the location of the frame pointer in the stack.

The new return address will point to the instruction we just injected.


Causing a stack buffer overflow (8)

• Stack after the overwrite: call exec(sh) | Return addr | Buffer 1 (4 bytes) | Buffer 2 (4 bytes).

Putting it all together.

The attacker must therefore craft a string laid out like the stack, from low to high addresses:

– 4 bytes of filler (fills buffer2)
– 4 bytes of filler (fills buffer1)
– the address of the frame-pointer slot (overwrites the return address)
– the machine code for call execve("/bin/sh")

Note that the filler drawn as "0000" on the slide is a placeholder, not literal zero bytes: strcpy stops at the first 0x00, so the filler, the address and the injected code must all be free of zero bytes or the copy ends before the return address is reached.
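The crafted string assembled in code, as an added example that is not part of the slides: the routine lays out the filler, the little-endian return address, a NOP sled and the injected code in the order the slide shows, and refuses any payload containing a zero byte. The 8-byte offset follows the slide's simplified picture (buffer2 + buffer1; a real x86 build adds the saved frame pointer and padding, which Step 2 measures), the address 0xbffff7a0 is a hypothetical stack address, and the injected code is a single int3 (0xCC) placeholder rather than real shellcode. On a current system the approach also runs into non-executable stacks, ASLR and stack canaries, which is why the deck marks this material as a digression:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lay out the attack string in the order the slide describes:
   [filler up to the return-address slot][return address, little-endian]
   [NOP sled][injected code]. Returns the payload length, or 0 if the
   payload does not fit in out[outsz] or contains a 0x00 byte (strcpy
   would stop copying there and the return address would never be reached). */
size_t build_payload(uint8_t *out, size_t outsz,
                     size_t offset_to_ret, uint32_t ret_addr, size_t nop_count,
                     const uint8_t *code, size_t code_len) {
    size_t total = offset_to_ret + 4 + nop_count + code_len;
    if (total + 1 > outsz)                   /* +1 for the terminating NUL */
        return 0;

    memset(out, 'A', offset_to_ret);         /* 0x41 filler: never a zero byte */
    out[offset_to_ret + 0] = (uint8_t)(ret_addr & 0xff);          /* x86 stores */
    out[offset_to_ret + 1] = (uint8_t)((ret_addr >> 8) & 0xff);   /* the address */
    out[offset_to_ret + 2] = (uint8_t)((ret_addr >> 16) & 0xff);  /* low byte   */
    out[offset_to_ret + 3] = (uint8_t)((ret_addr >> 24) & 0xff);  /* first      */
    memset(out + offset_to_ret + 4, 0x90, nop_count);   /* 0x90 = x86 NOP */
    memcpy(out + offset_to_ret + 4 + nop_count, code, code_len);
    out[total] = '\0';

    for (size_t i = 0; i < total; i++)
        if (out[i] == 0)
            return 0;                        /* would be truncated by strcpy */
    return total;
}

/* Read back the 32-bit little-endian return address stored in a payload. */
uint32_t payload_ret_addr(const uint8_t *payload, size_t offset_to_ret) {
    const uint8_t *p = payload + offset_to_ret;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Demo parameters, all constructed: the slide's toy program puts the
   return address 8 bytes past buffer2 in its simplified picture; the
   injected code is a single int3 placeholder, not real shellcode. */
#define DEMO_OFFSET_TO_RET 8
#define DEMO_NOPS 4
static const uint8_t DEMO_CODE[] = { 0xcc };
uint8_t demo_buf[64];

size_t demo_build(uint32_t ret_addr) {
    return build_payload(demo_buf, sizeof demo_buf, DEMO_OFFSET_TO_RET,
                         ret_addr, DEMO_NOPS, DEMO_CODE, sizeof DEMO_CODE);
}

int main(void) {
    size_t n = demo_build(0xbffff7a0u);      /* hypothetical stack address */
    printf("payload length %zu, return address 0x%08x\n",
           n, payload_ret_addr(demo_buf, DEMO_OFFSET_TO_RET));
    printf("address with a zero byte (0x08048000): length %zu\n",
           demo_build(0x08048000u));
    return 0;
}
```

The zero-byte check is the practical lesson: an address such as 0x08048000 cannot be delivered through strcpy at all, which is why real payloads are built from zero-free filler, zero-free addresses and shellcode written to avoid 0x00 bytes.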


Next:

• Other types of input validation attacks.


Input size validation helps prevent buffer overflows, but this is not enough …

• Need to also validate the "type" of input. Just validating the size isn't enough!!

• Next: examples of attacks where the "type" of input matters.


Digression: Vulnerability Practice Session: Using OWASP Live CD.

• For your HW2, we will look at certain types of input validation vulnerabilities and exploits.

• We will be using a Live CD that I set up on the security servers called "OWASP Live CD".
– http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

• Contains insecure implementations of web and database servers.


Using OWASP Live CD.

• If you are confused by the Quick Start Guide below, then please read pages 17-20 in the OWASP WebGoat guide on the Live CD (and on the web).

• Starting it up
– Run VMPlayer from a terminal: simply type vmplayer.
– Use "File > Open" and go to the folder "owasp-livecd".
– Select the "owasp-livecd.vmx" file and click Open.
– Wait for Linux to boot up.

• On Windows and Linux, you can also simply click on the .vmx file in the OwaspLiveCd folder (directory).


Vulnerabilities, Threats and Attacks

• We will use the OWASP Live CD.
– Start up the OWASP Live CD.
– Open a terminal.
• Execute: webgoat start80
• Start the Firefox browser.
• Go to the website: http://localhost/WebGoat/attack
– Note: this is case sensitive. "W" and "G" are upper case.
– Get familiar with starting a proxy application.
• Click on FoxyProxy > WebScarab.
• We will use WebScarab: a proxy and spidering tool.