Secure Programming (3 and 4)
CSRF example (bank)
A wants to do bank transaction so longs onto bank website, B knows that A is logged in so he makes her click a link, since A is already authenticated the bank site performs the requested task
CSRF (cross-site forgery) scenario
Certain sites as you to authenticate or provide some action when you do some other action, certain sites do not ask for action above
Application based fuzzing
Black box and white box
X86 assembly
6 general purpose registers, 2 special registers (ESP EBP), special register (EIP), 100s of instructions (data movement, arithmetic, jump)
Integers conversions occur as a result of...
A cast of implicitly as required by an operation, can lead to lost/misinterpreted data
Web applications...
Query and dynamically generate web documents, documents generated in standard format to allow support by all browsers (EX: HTML)
Truncation occurs when...
A value is stored in a type that is too small to represent the result
Why is it called XSS?
A visits site, B knows this, website has search, B sends a specially crafted link to steal sensitive data, but SOP will stop it from happening
Security flaw
Software defect that poses a potential security risk, eliminating software defects eliminate security flaws
Problem with smart fuzzing:
Aiming with educated guess
Blackbox fuzzing and mutation
Aiming with luck
Integer vulnerability
An attacker can supply arguments such that the sum of the strings cannot be represented but he unsigned short int total
Truncation error occurs when
An int is converted to a smaller int type and the value of the original int is outside the range of the smaller type, low-order bits of the original value are preserved and high-order bits are lost
Vulnerability analyst
Analyzing vulnerabilities in existing and deployed programs
White box
Application internals are known, requires more effort to run buzzers but highly effective and informative
Conversion of smaller unsigned integer types to larger integer types
Are always safe and typically accomplished by zero-extending the value
Stack RET BOF cause:
At call return address is saved on stack, stack grows downward, local buffers allocated onto the stack, return address is POPed into the EIP, EIP can point to anywhere in the memory
Stack based BOF
At call return address is saved ons tack, stack grows downward, local buffers allocated onto the stack, with no memory protection it can overflow, return address is POPed into the EIP, EIP can point to anywhere in the memory
CSRF
Attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated, about changing the state, can be launched even in the presence of many security measures
Weakness
Behavior that has potential for allowing an attacker to violate the intended security policy, if the behavior is made accessible to the attacker
Javacript
Client side script permits dynamic elements on each page, web browser interprets/runs all scripts, requests/responses are codes written in various languages/scripts, can access files and systems resources (so it's a language) but it is sandboxed in the browser, can read resources but there are security mechanisms to take care of it
Programmer
Concerned with properties of course code such as correctness, performance, and security
Format string conversion specifications
Conversion specifications convert arguments according to a corresponding conversion specifier and write the tesults to an output street, begin with % sign and are interpreted from left to right, if there are more arguments than conversion specifications the extra arguments are ignored, if there are not enough for all conversion specifications the results are undefined
Legacy code
Created an passed on before standardization of the language, higher risk for security flaws because of looser compiler standards and it is harder to secure because of resulting code flaw
Two's complement form of a negative integer
Created by adding one to the one's complement representation, has a single positive value for zero, sign is represented by the most significant bit, notation for positive integers is identical to their designed-magnitude representations
SQL boundary conditions
Data enters a program from an untrusted source,t he data used to dynamically construct a SQL query, consequences=CIA
Proof-of-concept exploits
Developed to prove the existence of a vulnerability, beneficial when properly managed, in the wrong hands can quickly be transformed into a worm or virus used in an attack
Problems in traditional SDLC
Developer approaches an app based on what is intended to do, an attacker is interested in what an app can be made to do and operates on the principle that any action not specifically denied is allowed
Security researcher
Develops mitigation strategies and solutions and who may be employed in industry, academia, or government
SDLC design
Distinction between secure features and security features, security features may be implemented insecurely, security features=strong authentication and firewalls, secure features=rigorous validation and sanitization, attack surface reduction/threat modeling
Why are most vulnerabilities in C or C++?
Does not protect programmers, imprecise of how logical abstractions translate into machine-level instructions, lack of safety (signed/unsigned), programmer errors (failing to catch overflows/truncations, failing to prevent writing beyond the boundaries of an array)
SDLC verification
Dynamic program analysis, fuzzing, revisiting threat model/attack surface
Solutions to security issues
Educating developers in security, language/standard/compilers/tools evolve
Software defect
Encoding of a human error into the software, including omissions
Converting an unsigned into a signed int of...
Equal size=preserve bit pattern and high order bit becomes sign bit, greater size=value is zero-extended then converted, lesser size=preserve low-order bits
For each signed type there is an...
Equivalent though interpreted differently unsigned type
Main segments of a compiled code
Executable code (text segment), initialized data (data segment), uninitialized data (bfs segment), heap (dynamic memory allocation), executable code and data of needed shared libraries (dynamically loaded into the space), the program stack
SDLC threat modeling
Exercise to identify possible security vulnerabilities and ways they may be exploited, involves analyzing systems data flow, performed before code is written, addressing similar issues after coding has begun could take months of reengineering effort
Attacker
Exploits vulnerabilities to achieve an objective, can vary depending on threat, referred to as the adversary, malicious user, or other alias
Approach to vulnerability detection
Find weakness in software (sink), find source of tainted input (source), find tainted path from source to sink
Same origin policy
For absolute URL's the origin is the triple (protocol, host, port), two resources are considered to be of the same origin if and only if these values are exactly the same
Format string errors
Formatted output functions consist of a format string and a variable number of arguments, format string provides set of instructions that are interpreted by the formatted output function, by controlling the content of the format string a user can control execution of the formatted output function, the cdecl calling convention is used
New stack layout
Function paramters, function return address, frame pointer, cookie, exception handler frame, locally declared variables and buffers, callee save registers
Overflow condition
If result can't be represented in signed int, the allocation routine can appear to succeed but allocate an area that is too small, application can write beyond the end of the allocated buffer resulting in heap-based buffer overflow
Underlying assumption for fuzzing:
If the unintended behavior is dependent on an input, an attacker can craft such an input to exploit the bug
High level code vs low level representation
Higher level code->low-level representation, separate variables->contiguous memory address, contiguous memory locations allow for boundary violations, side effects=over/underflow, sensitive data corruption, control data corruption
Microsoft CL BOF protection
Implemented in CL compiler as GS flaw, based on concept of canary, protects buffer if an array that is larger than 4 bytes, a buffer allocated by using the _alloca function, or any class or structure that contains a GS buffer
Protection of saved RET GCC approach:
Stack guard protection, different prologue (push canary onto the stack, it's a constant 0x000aff0d)
SDLC release
Incident response team, optional=penetration testing, vulnerability analysis, root cause analysis
VUzzer:
Input preference with path-prioritization static analysis, mutate only interesting offsets and with interesting values (magic-bytes), execute and monitor and also perform taintflow to determine interesting offsets/values, for new edge: is it handling BB? If not, interesting
VUzzer technical:
Inputs, mutate offset X, execute and monitor edges, if new edge bit flip and replace arithmetic for mutate offset, if yes add input to q
Integer overflow occurs when
Integer is increased beyond max value or decreased beyond min value
Overflow occurs when...
Integer operations generate a value that is out of range for a particular type
It is possible to prevent vulnerabilities resulting from integer range errors if...
Integer type range checking is properly applied and safe integer operations are used for values that can pass out of range
Int vulnerabilities are result of...
Integer type range errors
System integrator
Integrates new and existing software components to create programs/systems that satisfy customer requirements
Typical web model
Interaction between browser and server, personalized dynamic contents, ay also run client-side scripts that change internet browser into an interface, modern websites allow capture/processing/storage transmission of sentivie customer data
Why is java not usually a viable option?
Investment in C source code, programming expertise, development environments
ASLR
Predictability of memory addresses reduced by randomizing the address space layout for each instantiation of a program, thus heap and stack and bss and text sections of the program get different addresses, mostly only stack is randomized in most of the implementation
System administrator
Managing and securing one of more systems including installing and removing software, installing patches, and managing system privelages
Network administrators
Managing the secure operations of networks
Data flow information
Many properties analyzed by data flow information (example taintflow analysis), abstract interpretation, data flow equation based on semantics of instructions and also format to actual arg mapping, 100s of instructions is a problem
Strategies for fuzzing
Memory-less and evolutionary
Safe functions
Memset and calloc rather than malloc
Phishing
Method used to steal personal information through impersonation (email spam, fake sites)
Mitigation
Method/techniques that can prevent or limit exploits against vulnerabilities, at source-level code mitigation might be replacing an unbounded string copy operating with a bounded one, system/network level might involve turning off a port or filtering traffic to prevent an attacker from accessing a vulnerability
Sign errors result from...
Misinterpretation of the sign bit but do not result in a loss of data
CSRF example (IP)
Most wifi routers come with default IP, not many users know how to configure so they look for a guide online, guide page has hidden link, imagine how much user traffic goes through your machine
Apply more heuristics to:
Mutate better, learn good inputs
Input generation fuzzing
Mutation based=mutate seed inputs to create new input tests (problems: lots of invalid inputs due to random mutation), generation based=learn/create the format/model on the input and based on the learned model, generate new input (problems: it is hard to get format grammar for inputs)
Input based fuzzing
Mutational and generative
Computer security
Preventing attackers from achieving objectives through unauthorized access or unauthorized use of computer and networks
Security analyst
Properties of security flaws and how to identify them
Buffer overflow (super basic)
Putting more memory than intended, memory corruption
Do script from one web site have access to information sent to another site?
NO!
SDLC requirements
Need to consider security and privacy up front, establish minimum acceptable levels of security and privacy quality
Cross-site scripting (XSS)
One of the top OWASP top 1- attacks, allows an attacker to retrieve crucial information from a victim's machine or execute code, typical example of web-app vulnerability, data and code are confused for one another, occurs when user inputs are reflected back
SQ injection
One of the top OWASP top 10 attacks, allows an attacker to retrieve crucial information from a web server's database, main cause is the inability to separate data and code
Black box
Only interface is known, no idea baout code coverage
BOF exploit conditions
Overflow the buffer to inject out shell code onto the stack, out of all general purpose resists at least one is pointing to shell code's beginning, should be able to overwrite the EIP to some memory location whose address is predictable and it does not throw error, exists an instruction at that location that will allow us to access/jump to the register pointing towards shell code
Dynamic analysis tools combined with testing can be used as...
Part of a quality assurance process, particularly if boundary conditions are properly evaluated
Exploit
Piece of software/technique that takes advantage of a security vulnerability to violate an explicit or implicit security policy, vulnerabilities in software are subject to exploitations (can come in many forms like trojans, viruses, and worms)
Vulnerability resulting from incorrect range checking of pos
Pos is declared as signed int, both positive and negative values can be passed to the function, and out-of-range positive value would be caught but a negative would not
Evolutionary fuzzing
Rather than throwing inputs, evolve them, underlying assumption=inputs are passed enough before going further deeper in execution
SDLC training
Receive appropriate training to stay informed about security basics and recent trends in security and privacy (secure design like attack surface, threat modeling, secure coding, security testing)
Pharming
Redirecting to fake sites by exploiting vulnerabilities in DNS
Types of XSS:
Reflexive=the user input is reflected back to html output immediately, persistent (non-reflexive, stored)=the user input is stored in DB and is reflected back later, DOM XSS=the user input is used in DOM, which is later displayed back to output, it does not come from server
Secure development lifecycle
Requirement analysis (functional aspects), design, implementation (focused towards functional requirements), testing (functional testing), evolution
Function epilogue
Retrieve saved clone RET and check it with the RET from the stack, replace or exit
Function prologue
Return address is copied from the stack to retarray and retprt is incremented
Fuzzing
Run program on many abnormal/malformed inputs, look for unintended behavior like a crash
Stackshield protection:
Save return addresses in an alternate memory space named retarray (size 256), rettop (initialized on startup and is the address in memory where retarray ends), retprt (address where the next clone is to be saved)
Browser authors contain risk using:
Scripts run in a sandboxed in which they can only perform web-related actions not general purpose programming tasks, scripts are constrained by the same origin policy
Uninitialized read
Stack/heap memory reused, on allocation it is not cleaned, if not initialized it contains garbage, lead to crashes or other undefined behavior because of garbage
Vulnerability
Set of conditions that allows an attacker to violate an explicit or implicit security policy, not all security flaws lead to vulnerabilities, security flaw can cause a program to be vulnerable to an attack, vulnerabilities can also exist without a security flaw
Security policy
Set of rules/practices that specify or regulate how a system organization provides security services to protect sensitive and critical system resources
Int vulnerability tests
Should include boundary conditions for all integer variables, if type range checks are inserted into the code test that they function correctly for upper and lower bounds, if boundary tests have not been included test for min and max integer values for various integer sized used, use white box testing to determine types of int variables, if source code is not available run tests with various max and min values for each type
Ways to represent numbers
Signed int, unsigned int, short/long
Steps in TM
Step 1: decompose the application (external interaction, entry points, produce data flow diagrams) step 2: determine and rank threats (threat categorization such as STRIDE, cause of identified (threats), step 3: determine countermeasures and mitigation
Web applications allow users to:
Submit and retrieve fata to/from a database
When unsigned integer types are converted to corresponding signed integer types
The bit pattern is preserved (no data lost), the high-order bit becomes the sign bit, if the sign bit is set both the sign and the magnitude of the value changes
PaX ASLR
User address space consists of 3 areas (executable, mapped, stack), base of each area shifted by a random "delta", executable (16-bit random shift), mapped (16-bit random shift), stack (24-bit random shift)
Signed int overflow occurs when
Value is carried over to the sign bit
Limiting integer inputs to a valid range can prevent...
The introduction of arbitrarily large or small numbers that can be used to overflow integer types
When larger unsigned int is converted to a smaller unsigned int
The larger value is truncated, low-order bits are preserved
Most javascript related security bugs are breaches of either...
The same origin policy or sandbox
Key to preventing int vulnerabilities:
Understand integer behavior in digital systems
If the value of the signed int is not negative...
The value is unchanged
Apply more analysis (static/dynamic) to:
Understand the application behavior
Integer operations can resolve to...
Unexpected values as a result of overflow, sign error, or truncation
SDLC implementation
Use approved tools, deprecated unsafe functions, static analysis
Signed integers
Used to represent both positive and negative values, on a computer using two's complement arithmetic a signed int ranges from -2^n-1 through 2^n-1
Unsigned integers
Values range from 0 to a maximum that depends on size of the type, maximum is 2^n-1 where n is the number of bits used to represent the unsigned type
Multiplication precondition
To prevent an overflow when multiplying unsigned int, check that a*b>max_int can be tested using the expression a>max_b/b (division is expensive)
Microsoft secure development lifecycle
Training, requirements, design, implementation, verification, release, response
If the value of a signed int is negative...
Typically a large positive value
Unsigned int overflow occurs when
Underlying representation can no longer represent a value
For smart code-coverage based fuzzer it is important to have some knowledge about it:
Where (which offsets in input) to apply mutation, what values to replace with, how to avoid traps (paths leading to error handling code)
Why does RET GCC approach work?
With strcpy() the 0x00 will stop strcpy from copying further, saved RET not changed. With fgets() writing 0x00 is fine, but 0x0a would stop it, called terminator canaries
WOX protection
Write or execute, memory pages have permission either writable or executable, subclass of DEP, protects against attacks that rely on code execution on data segments
Can int errors be detected?
Yes before they occur, based on preconditions, to prevent: test from overflowing code test as max
Calling conventions
cdicl (parameters pushed onto stack, caller cleans the stack), std call (parameters pushed onto the stack, callee cleans the stack), fastcall (first three parameters passed in EAX, EDX, ECX, rest on stack), thiscall (OOP, pointer to class object in ecx, rest are on stack)
Converting a signed int into an unsigned int of..
equal size=bit pattern of original int is preserved, greater size=value is sign=extended then converted, lesser size=preserve low-order bits
To hack with SQL injection
input: uname= anybody, password = ' OR 'n=n'
HTTP
simple client-server model, security was never a concern