Software Security
Speaker note: Fragmentation and ping-of-death DoS attacks rely on buffer overflows. Use the buffer overflow Java demo app from http://nsfsecurity.pr.erau.edu/bom/

    1. CIT 380: Securing Computer Systems: Software Security
       CIT 380: Securing Computer Systems Slide #
    2. Topics
       • Why Software?
       • Vulnerability Databases
       • Buffer Overflows
       • Integer Overflows
       • Attack Techniques
       • Metasploit
    3. The Problem is Software
       • “Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.”
       • John Viega & Gary McGraw
    4. Why is Software Security poor?
       • Security is seen as something that gets in the way of software functionality.
       • Security is difficult to assess and quantify.
       • Security is often not a primary skill or interest of software developers.
       • Time spent on security is time not spent on adding new and interesting functionality.
    5. The Trinity of Trouble
       • Complexity
         • Continually increasing.
         • Windows 3.1 (3 mloc) to Windows XP (40 mloc)
       • Extensibility
         • Plugins.
         • Mobile code.
       • Connectivity
         • Network access.
         • Wireless networking.
    6. Software Complexity
       • 5-50 bugs per kloc [8]
         • 5/kloc: rigorous quality assurance testing (QA)
         • 50/kloc: typical feature testing

       System            Lines of Code
       MS Word 95        2 million
       MS Windows 3.1    3 million
       Boeing 777        7 million
       Space Shuttle     10 million
       Netscape          17 million
       MS Windows XP     40 million
    7. Vulnerabilities
       • Vulnerability: A defect in software that allows security policy to be violated.
         • Confidentiality
         • Integrity
         • Availability
       • Exploit: A program that exercises a vulnerability.
    8. Vulnerability Databases
       • Collect vulnerability reports.
         • Vendors maintain databases with patches for their own software.
         • Security firms maintain databases of vulnerabilities that they’ve discovered.
       • Well known vulnerability databases
         • CERT
         • CVE
         • NVD
         • OSVDB
    9. Why Vulnerability Databases?
       • Know about vulnerabilities in software that you have deployed so you can mitigate them.
       • Learn about vulnerability trends. If a JPG library bug is discovered, does the same type of bug exist in GIF or PNG libraries?
       • Learn about security problems to prevent when you’re programming.
    10. CVE: Common Vulnerabilities and Exposures
       • Problem: Different researchers and vendors call vulnerabilities by different names.
       • Solution: CVE, a dictionary that provides
         • A common public name for each vulnerability.
         • A common standardized description.
         • Interoperability between different tools and databases.
    11. CVE-2002-1185
       • Name: CVE-2002-1185
       • Status: Entry
       • Description: Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure."
       • References
         • VULNWATCH:20021211 PNG Deflate Heap Corruption Vulnerability
         • BUGTRAQ:20021212 PNG Deflate Heap Corruption Vulnerability
         • EEYE:AD20021211
         • MS:MS02-066
         • XF:ie-png-bo(10662)
         • BID:6216
         • OVAL:oval:org.mitre.oval:def:393
    12. NVD: National Vulnerability DB
       • Collects all publicly available government vulnerability resources.
         • HTML and XML output at http://nvd.nist.gov/
         • Uses CVE naming scheme.
         • Links to industry and government reports.
         • Provides CVSS severity numbers.
         • Links to OVAL repository.
    13. Buffer Overflows
       • A program accepts too much input and stores it in a fixed-length buffer that’s too small.

           char A[8];
           short B;
           gets(A);

       Memory layout before and after gets(A) reads the input “overflows”: the ninth character and the terminating NUL land in B, which sits right after A.

           A A A A A A A A B B
           0 0 0 0 0 0 0 0 0 3
           A A A A A A A A B B
           o v e r f l o w s 0
    14. The Stack
       • Stack is LIFO.
       • Every function call allocates a stack frame.
       • Return address is the address where the function was called from and will return to.

       Stack frame (writes go up):
         Buffer 1 (Local Variable 1)
         Buffer 2 (Local Variable 2)
         Return Address
         Function Arguments
    15. Smashing the Stack
       • Program accepts input into local variable 1.
       • Attacker sends too much data for the buffer, overwriting the return address.
       • Attacker data contains machine code for a shell.
       • Return address overwritten with the address of the machine code.
       • When the function returns, the attacker’s code is executed.

       Stack frame after the overflow (writes go up):
         Machine code exec(/bin/bash)
         Buffer 2 (Local Variable 2)
         Pointer to machine code.
         Function Arguments
    16. NOP Slide
       • Attacker includes NOPs in front of the executable code in case the address isn’t precise.
       • If the pointer points at the NOPs, execution will continue into the machine code.
       • IDSs attempt to detect buffer overflows by looking for long strings of NOPs (0x90).

       Stack frame with a NOP slide (writes go up):
         NOP NOP NOP Machine code exec(/bin/bash)
         Buffer 2 (Local Variable 2)
         Pointer to machine code.
         Function Arguments
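The IDS check described on the slide, as an added example (not from the deck): it measures the longest run of consecutive 0x90 bytes in a buffer and flags the buffer when the run reaches a threshold. The threshold and the sample buffers are constructed for the example; because the check only matches the single-byte 0x90, it is a coarse signal best used alongside other detections.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NOP 0x90   /* x86 single-byte NOP */

/* Length of the longest run of consecutive 0x90 bytes in buf. */
size_t longest_nop_run(const uint8_t *buf, size_t len) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == NOP) ? run + 1 : 0;
        if (run > best)
            best = run;
    }
    return best;
}

/* Flag the buffer when its NOP run meets the threshold. The threshold is a
   hypothetical tuning knob: legitimate text or binary data rarely contains
   more than a few 0x90 bytes in a row. */
int looks_like_nop_sled(const uint8_t *buf, size_t len, size_t threshold) {
    return longest_nop_run(buf, len) >= threshold;
}

int main(void) {
    /* Constructed samples: ordinary request text, and a buffer with a 16-byte
       NOP run followed by arbitrary non-NOP bytes standing in for code. */
    static const uint8_t text[] = "GET /index.html HTTP/1.0\r\n";
    uint8_t sled[24];
    for (size_t i = 0; i < sizeof sled; i++)
        sled[i] = (i < 16) ? NOP : (uint8_t)(0x41 + i);

    printf("text: run=%zu flagged=%d\n", longest_nop_run(text, sizeof text - 1),
           looks_like_nop_sled(text, sizeof text - 1, 8));
    printf("sled: run=%zu flagged=%d\n", longest_nop_run(sled, sizeof sled),
           looks_like_nop_sled(sled, sizeof sled, 8));
    return 0;
}
```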
    17. Integer Overflow
       • An integer overflow is when integer operations produce a value that exceeds the computer’s maximum integer value, causing the value to “wrap around” to a negative value or zero.
    18. 32-bit Integer Quiz
       • What two non-zero integers x and y satisfy the equation x * y = 0?
       • What negative integer (-x) has no corresponding positive integer (x)?
       • List two integers x and y, such that x + y < 0.
    19. Quiz Answers
       1. 65536 * 65536 = 0
          or 256 * 16777256 = 0
          or any x * y = 2^32
       2. -2147483648
       3. 2147483647 + 1 = -2147483648
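The quiz cases run on real 32-bit types, added here as an example that is not part of the deck: the wrap_* functions reproduce the wraparound (signed overflow is undefined in C, so the signed cases are computed in unsigned arithmetic and reinterpreted), and the checked_* functions show the defensive pattern of testing the operands before the operation and refusing to proceed instead of wrapping.

```c
#include <stdint.h>
#include <stdio.h>

/* Wrapping 32-bit arithmetic, as the hardware does it. Unsigned types wrap
   modulo 2^32 by definition; the signed results are the low 32 bits. */
uint32_t wrap_mul_u32(uint32_t x, uint32_t y) { return x * y; }
int32_t wrap_add_i32(int32_t x, int32_t y) { return (int32_t)((uint32_t)x + (uint32_t)y); }
int32_t wrap_neg_i32(int32_t x) { return (int32_t)(0u - (uint32_t)x); }

/* Checked versions: validate *before* operating and report failure instead of
   silently wrapping. Return 1 on success, 0 if the result would not fit. */
int checked_mul_u32(uint32_t x, uint32_t y, uint32_t *out) {
    if (x != 0 && y > UINT32_MAX / x)
        return 0;
    *out = x * y;
    return 1;
}
int checked_add_i32(int32_t x, int32_t y, int32_t *out) {
    if ((y > 0 && x > INT32_MAX - y) || (y < 0 && x < INT32_MIN - y))
        return 0;
    *out = x + y;
    return 1;
}
int checked_neg_i32(int32_t x, int32_t *out) {
    if (x == INT32_MIN)          /* quiz answer 2: -INT32_MIN does not fit */
        return 0;
    *out = -x;
    return 1;
}

int main(void) {
    uint32_t u;
    int32_t s;
    printf("65536 * 65536 wraps to %u\n", wrap_mul_u32(65536u, 65536u));
    printf("2147483647 + 1 wraps to %d\n", wrap_add_i32(INT32_MAX, 1));
    printf("-(-2147483648) wraps to %d\n", wrap_neg_i32(INT32_MIN));
    printf("checked mul accepted=%d\n", checked_mul_u32(65536u, 65536u, &u));
    printf("checked add accepted=%d\n", checked_add_i32(INT32_MAX, 1, &s));
    printf("checked neg accepted=%d\n", checked_neg_i32(INT32_MIN, &s));
    return 0;
}
```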
    20. Are Integer Overflows Important?
       • Broward County November 2004 election
         • Amendment 4 vote was reported as tied.
         • Software from ES&S Systems reported a large negative number of votes.
         • Discovery revealed that Amendment 4 had passed by a margin of over 60,000 votes.
    21. Fuzz Testing
       • Black-box input-based testing technique.
         • Uses random data.
         • Easily automated.
         • If the application crashes or hangs, it fails.
       • Results of 1995 study [9].
         • 15-43% of utilities from commercial UNIX systems failed.
         • 9% of Linux utilities failed.
         • 6% of GNU utilities failed.
         • 50% of X-Windows utilities failed.
    22. Metasploit
       • Modular exploit system
         • Exploit collection: over 100 exploits.
         • Payloads: machine code to run.
         • Command line and web interfaces.
       • Payloads
         • Bind shell: opens shell backdoor on a port.
         • Reverse shell: sends a shell back to the attacker.
         • Windows VNC: remote desktop access.
         • Create user: adds a new administrative user.
    23. Metasploit
       • http://www.metasploit.com/
    24. Using Metasploit
       • Select an exploit
         • use exploit_name
       • Enter the target
         • set RHOST ip_address_of_target
       • Select the payload
         • set payload payload_name
         • set LHOST ip_address_of_your_host
       • Run
         • exploit
    25. Advantages of Metasploit
       • Ease of use
         • One interface to many exploits.
       • Flexibility
         • Can choose whatever payload you need.
       • Faster development time
         • Payloads already written.
       • Reliability
         • Framework and payloads are well tested.
    26. Uses of Metasploit
       • Vulnerability verification
         • Scanners report possible vulnerabilities.
         • Metasploit will give you remote access.
       • IDS/IPS testing
         • Test IDS/IPS with real exploit code.
       • Penetration testing
         • Easy to develop custom exploits for pen testing.
       • Convincing management
         • Remote access is more convincing than a report.
    27. References
       1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
       2. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.
       3. Mark Graff and Kenneth van Wyk, Secure Coding: Principles & Practices, O’Reilly, 2003.
       4. Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison-Wesley, 2004.
       5. Michael Howard, David LeBlanc, and John Viega, 19 Deadly Sins of Software Security, McGraw-Hill Osborne, 2005.
       6. Michael Howard and David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003.
       7. Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006.
       8. Gary McGraw, Software Security, Addison-Wesley, 2006.
       9. John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002.
       10. David Wheeler, Secure Programming for UNIX and Linux HOWTO, http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html, 2003.
