Secure Programming (3 and 4)

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

CSRF example (bank)

A wants to do bank transaction so longs onto bank website, B knows that A is logged in so he makes her click a link, since A is already authenticated the bank site performs the requested task

CSRF (cross-site forgery) scenario

Certain sites as you to authenticate or provide some action when you do some other action, certain sites do not ask for action above

Application based fuzzing

Black box and white box

X86 assembly

6 general purpose registers, 2 special registers (ESP EBP), special register (EIP), 100s of instructions (data movement, arithmetic, jump)

Integers conversions occur as a result of...

A cast of implicitly as required by an operation, can lead to lost/misinterpreted data

Web applications...

Query and dynamically generate web documents, documents generated in standard format to allow support by all browsers (EX: HTML)

Truncation occurs when...

A value is stored in a type that is too small to represent the result

Why is it called XSS?

A visits site, B knows this, website has search, B sends a specially crafted link to steal sensitive data, but SOP will stop it from happening

Security flaw

Software defect that poses a potential security risk, eliminating software defects eliminate security flaws

Problem with smart fuzzing:

Aiming with educated guess

Blackbox fuzzing and mutation

Aiming with luck

Integer vulnerability

An attacker can supply arguments such that the sum of the strings cannot be represented but he unsigned short int total

Truncation error occurs when

An int is converted to a smaller int type and the value of the original int is outside the range of the smaller type, low-order bits of the original value are preserved and high-order bits are lost

Vulnerability analyst

Analyzing vulnerabilities in existing and deployed programs

White box

Application internals are known, requires more effort to run buzzers but highly effective and informative

Conversion of smaller unsigned integer types to larger integer types

Are always safe and typically accomplished by zero-extending the value

Stack RET BOF cause:

At call return address is saved on stack, stack grows downward, local buffers allocated onto the stack, return address is POPed into the EIP, EIP can point to anywhere in the memory

Stack based BOF

At call return address is saved ons tack, stack grows downward, local buffers allocated onto the stack, with no memory protection it can overflow, return address is POPed into the EIP, EIP can point to anywhere in the memory

CSRF

Attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated, about changing the state, can be launched even in the presence of many security measures

Weakness

Behavior that has potential for allowing an attacker to violate the intended security policy, if the behavior is made accessible to the attacker

Javacript

Client side script permits dynamic elements on each page, web browser interprets/runs all scripts, requests/responses are codes written in various languages/scripts, can access files and systems resources (so it's a language) but it is sandboxed in the browser, can read resources but there are security mechanisms to take care of it

Programmer

Concerned with properties of course code such as correctness, performance, and security

Format string conversion specifications

Conversion specifications convert arguments according to a corresponding conversion specifier and write the tesults to an output street, begin with % sign and are interpreted from left to right, if there are more arguments than conversion specifications the extra arguments are ignored, if there are not enough for all conversion specifications the results are undefined

Legacy code

Created an passed on before standardization of the language, higher risk for security flaws because of looser compiler standards and it is harder to secure because of resulting code flaw

Two's complement form of a negative integer

Created by adding one to the one's complement representation, has a single positive value for zero, sign is represented by the most significant bit, notation for positive integers is identical to their designed-magnitude representations

SQL boundary conditions

Data enters a program from an untrusted source,t he data used to dynamically construct a SQL query, consequences=CIA

Proof-of-concept exploits

Developed to prove the existence of a vulnerability, beneficial when properly managed, in the wrong hands can quickly be transformed into a worm or virus used in an attack

Problems in traditional SDLC

Developer approaches an app based on what is intended to do, an attacker is interested in what an app can be made to do and operates on the principle that any action not specifically denied is allowed

Security researcher

Develops mitigation strategies and solutions and who may be employed in industry, academia, or government

SDLC design

Distinction between secure features and security features, security features may be implemented insecurely, security features=strong authentication and firewalls, secure features=rigorous validation and sanitization, attack surface reduction/threat modeling

Why are most vulnerabilities in C or C++?

Does not protect programmers, imprecise of how logical abstractions translate into machine-level instructions, lack of safety (signed/unsigned), programmer errors (failing to catch overflows/truncations, failing to prevent writing beyond the boundaries of an array)

SDLC verification

Dynamic program analysis, fuzzing, revisiting threat model/attack surface

Solutions to security issues

Educating developers in security, language/standard/compilers/tools evolve

Software defect

Encoding of a human error into the software, including omissions

Converting an unsigned into a signed int of...

Equal size=preserve bit pattern and high order bit becomes sign bit, greater size=value is zero-extended then converted, lesser size=preserve low-order bits

For each signed type there is an...

Equivalent though interpreted differently unsigned type

Main segments of a compiled code

Executable code (text segment), initialized data (data segment), uninitialized data (bfs segment), heap (dynamic memory allocation), executable code and data of needed shared libraries (dynamically loaded into the space), the program stack

SDLC threat modeling

Exercise to identify possible security vulnerabilities and ways they may be exploited, involves analyzing systems data flow, performed before code is written, addressing similar issues after coding has begun could take months of reengineering effort

Attacker

Exploits vulnerabilities to achieve an objective, can vary depending on threat, referred to as the adversary, malicious user, or other alias

Approach to vulnerability detection

Find weakness in software (sink), find source of tainted input (source), find tainted path from source to sink

Same origin policy

For absolute URL's the origin is the triple (protocol, host, port), two resources are considered to be of the same origin if and only if these values are exactly the same

Format string errors

Formatted output functions consist of a format string and a variable number of arguments, format string provides set of instructions that are interpreted by the formatted output function, by controlling the content of the format string a user can control execution of the formatted output function, the cdecl calling convention is used

New stack layout

Function paramters, function return address, frame pointer, cookie, exception handler frame, locally declared variables and buffers, callee save registers

Overflow condition

If result can't be represented in signed int, the allocation routine can appear to succeed but allocate an area that is too small, application can write beyond the end of the allocated buffer resulting in heap-based buffer overflow

Underlying assumption for fuzzing:

If the unintended behavior is dependent on an input, an attacker can craft such an input to exploit the bug

High level code vs low level representation

Higher level code->low-level representation, separate variables->contiguous memory address, contiguous memory locations allow for boundary violations, side effects=over/underflow, sensitive data corruption, control data corruption

Microsoft CL BOF protection

Implemented in CL compiler as GS flaw, based on concept of canary, protects buffer if an array that is larger than 4 bytes, a buffer allocated by using the _alloca function, or any class or structure that contains a GS buffer

Protection of saved RET GCC approach:

Stack guard protection, different prologue (push canary onto the stack, it's a constant 0x000aff0d)

SDLC release

Incident response team, optional=penetration testing, vulnerability analysis, root cause analysis

VUzzer:

Input preference with path-prioritization static analysis, mutate only interesting offsets and with interesting values (magic-bytes), execute and monitor and also perform taintflow to determine interesting offsets/values, for new edge: is it handling BB? If not, interesting

VUzzer technical:

Inputs, mutate offset X, execute and monitor edges, if new edge bit flip and replace arithmetic for mutate offset, if yes add input to q

Integer overflow occurs when

Integer is increased beyond max value or decreased beyond min value

Overflow occurs when...

Integer operations generate a value that is out of range for a particular type

It is possible to prevent vulnerabilities resulting from integer range errors if...

Integer type range checking is properly applied and safe integer operations are used for values that can pass out of range

Int vulnerabilities are result of...

Integer type range errors

System integrator

Integrates new and existing software components to create programs/systems that satisfy customer requirements

Typical web model

Interaction between browser and server, personalized dynamic contents, ay also run client-side scripts that change internet browser into an interface, modern websites allow capture/processing/storage transmission of sentivie customer data

Why is java not usually a viable option?

Investment in C source code, programming expertise, development environments

ASLR

Predictability of memory addresses reduced by randomizing the address space layout for each instantiation of a program, thus heap and stack and bss and text sections of the program get different addresses, mostly only stack is randomized in most of the implementation

System administrator

Managing and securing one of more systems including installing and removing software, installing patches, and managing system privelages

Network administrators

Managing the secure operations of networks

Data flow information

Many properties analyzed by data flow information (example taintflow analysis), abstract interpretation, data flow equation based on semantics of instructions and also format to actual arg mapping, 100s of instructions is a problem

Strategies for fuzzing

Memory-less and evolutionary

Safe functions

Memset and calloc rather than malloc

Phishing

Method used to steal personal information through impersonation (email spam, fake sites)

Mitigation

Method/techniques that can prevent or limit exploits against vulnerabilities, at source-level code mitigation might be replacing an unbounded string copy operating with a bounded one, system/network level might involve turning off a port or filtering traffic to prevent an attacker from accessing a vulnerability

Sign errors result from...

Misinterpretation of the sign bit but do not result in a loss of data

CSRF example (IP)

Most wifi routers come with default IP, not many users know how to configure so they look for a guide online, guide page has hidden link, imagine how much user traffic goes through your machine

Apply more heuristics to:

Mutate better, learn good inputs

Input generation fuzzing

Mutation based=mutate seed inputs to create new input tests (problems: lots of invalid inputs due to random mutation), generation based=learn/create the format/model on the input and based on the learned model, generate new input (problems: it is hard to get format grammar for inputs)

Input based fuzzing

Mutational and generative

Computer security

Preventing attackers from achieving objectives through unauthorized access or unauthorized use of computer and networks

Security analyst

Properties of security flaws and how to identify them

Buffer overflow (super basic)

Putting more memory than intended, memory corruption

Do script from one web site have access to information sent to another site?

NO!

SDLC requirements

Need to consider security and privacy up front, establish minimum acceptable levels of security and privacy quality

Cross-site scripting (XSS)

One of the top OWASP top 1- attacks, allows an attacker to retrieve crucial information from a victim's machine or execute code, typical example of web-app vulnerability, data and code are confused for one another, occurs when user inputs are reflected back

SQ injection

One of the top OWASP top 10 attacks, allows an attacker to retrieve crucial information from a web server's database, main cause is the inability to separate data and code

Black box

Only interface is known, no idea baout code coverage

BOF exploit conditions

Overflow the buffer to inject out shell code onto the stack, out of all general purpose resists at least one is pointing to shell code's beginning, should be able to overwrite the EIP to some memory location whose address is predictable and it does not throw error, exists an instruction at that location that will allow us to access/jump to the register pointing towards shell code

Dynamic analysis tools combined with testing can be used as...

Part of a quality assurance process, particularly if boundary conditions are properly evaluated

Exploit

Piece of software/technique that takes advantage of a security vulnerability to violate an explicit or implicit security policy, vulnerabilities in software are subject to exploitations (can come in many forms like trojans, viruses, and worms)

Vulnerability resulting from incorrect range checking of pos

Pos is declared as signed int, both positive and negative values can be passed to the function, and out-of-range positive value would be caught but a negative would not

Evolutionary fuzzing

Rather than throwing inputs, evolve them, underlying assumption=inputs are passed enough before going further deeper in execution

SDLC training

Receive appropriate training to stay informed about security basics and recent trends in security and privacy (secure design like attack surface, threat modeling, secure coding, security testing)

Pharming

Redirecting to fake sites by exploiting vulnerabilities in DNS

Types of XSS:

Reflexive=the user input is reflected back to html output immediately, persistent (non-reflexive, stored)=the user input is stored in DB and is reflected back later, DOM XSS=the user input is used in DOM, which is later displayed back to output, it does not come from server

Secure development lifecycle

Requirement analysis (functional aspects), design, implementation (focused towards functional requirements), testing (functional testing), evolution

Function epilogue

Retrieve saved clone RET and check it with the RET from the stack, replace or exit

Function prologue

Return address is copied from the stack to retarray and retprt is incremented

Fuzzing

Run program on many abnormal/malformed inputs, look for unintended behavior like a crash

Stackshield protection:

Save return addresses in an alternate memory space named retarray (size 256), rettop (initialized on startup and is the address in memory where retarray ends), retprt (address where the next clone is to be saved)

Browser authors contain risk using:

Scripts run in a sandboxed in which they can only perform web-related actions not general purpose programming tasks, scripts are constrained by the same origin policy

Uninitialized read

Stack/heap memory reused, on allocation it is not cleaned, if not initialized it contains garbage, lead to crashes or other undefined behavior because of garbage

Vulnerability

Set of conditions that allows an attacker to violate an explicit or implicit security policy, not all security flaws lead to vulnerabilities, security flaw can cause a program to be vulnerable to an attack, vulnerabilities can also exist without a security flaw

Security policy

Set of rules/practices that specify or regulate how a system organization provides security services to protect sensitive and critical system resources

Int vulnerability tests

Should include boundary conditions for all integer variables, if type range checks are inserted into the code test that they function correctly for upper and lower bounds, if boundary tests have not been included test for min and max integer values for various integer sized used, use white box testing to determine types of int variables, if source code is not available run tests with various max and min values for each type

Ways to represent numbers

Signed int, unsigned int, short/long

Steps in TM

Step 1: decompose the application (external interaction, entry points, produce data flow diagrams) step 2: determine and rank threats (threat categorization such as STRIDE, cause of identified (threats), step 3: determine countermeasures and mitigation

Web applications allow users to:

Submit and retrieve fata to/from a database

When unsigned integer types are converted to corresponding signed integer types

The bit pattern is preserved (no data lost), the high-order bit becomes the sign bit, if the sign bit is set both the sign and the magnitude of the value changes

PaX ASLR

User address space consists of 3 areas (executable, mapped, stack), base of each area shifted by a random "delta", executable (16-bit random shift), mapped (16-bit random shift), stack (24-bit random shift)

Signed int overflow occurs when

Value is carried over to the sign bit

Limiting integer inputs to a valid range can prevent...

The introduction of arbitrarily large or small numbers that can be used to overflow integer types

When larger unsigned int is converted to a smaller unsigned int

The larger value is truncated, low-order bits are preserved

Most javascript related security bugs are breaches of either...

The same origin policy or sandbox

Key to preventing int vulnerabilities:

Understand integer behavior in digital systems

If the value of the signed int is not negative...

The value is unchanged

Apply more analysis (static/dynamic) to:

Understand the application behavior

Integer operations can resolve to...

Unexpected values as a result of overflow, sign error, or truncation

SDLC implementation

Use approved tools, deprecated unsafe functions, static analysis

Signed integers

Used to represent both positive and negative values, on a computer using two's complement arithmetic a signed int ranges from -2^n-1 through 2^n-1

Unsigned integers

Values range from 0 to a maximum that depends on size of the type, maximum is 2^n-1 where n is the number of bits used to represent the unsigned type

Multiplication precondition

To prevent an overflow when multiplying unsigned int, check that a*b>max_int can be tested using the expression a>max_b/b (division is expensive)

Microsoft secure development lifecycle

Training, requirements, design, implementation, verification, release, response

If the value of a signed int is negative...

Typically a large positive value

Unsigned int overflow occurs when

Underlying representation can no longer represent a value

For smart code-coverage based fuzzer it is important to have some knowledge about it:

Where (which offsets in input) to apply mutation, what values to replace with, how to avoid traps (paths leading to error handling code)

Why does RET GCC approach work?

With strcpy() the 0x00 will stop strcpy from copying further, saved RET not changed. With fgets() writing 0x00 is fine, but 0x0a would stop it, called terminator canaries

WOX protection

Write or execute, memory pages have permission either writable or executable, subclass of DEP, protects against attacks that rely on code execution on data segments

Can int errors be detected?

Yes before they occur, based on preconditions, to prevent: test from overflowing code test as max

Calling conventions

cdicl (parameters pushed onto stack, caller cleans the stack), std call (parameters pushed onto the stack, callee cleans the stack), fastcall (first three parameters passed in EAX, EDX, ECX, rest on stack), thiscall (OOP, pointer to class object in ecx, rest are on stack)

Converting a signed int into an unsigned int of..

equal size=bit pattern of original int is preserved, greater size=value is sign=extended then converted, lesser size=preserve low-order bits

To hack with SQL injection

input: uname= anybody, password = ' OR 'n=n'

HTTP

simple client-server model, security was never a concern


Set pelajaran terkait

Life Insurance, Policy Provisions, Options, and Riders

View Set

Chapter 6: Memory- Remembrance of Things Past and Future

View Set

Biology 114- Chapter 10 Learnsmart

View Set

Abeka 8th History section 16.5 review

View Set

EMT Chapter 31 - Abdominal & Genitourinary

View Set