
Software Security

  1. CIT 380: Securing Computer Systems: Software Security
  2. Topics
     - Why Software?
     - Vulnerability Databases
     - Buffer Overflows
     - Integer Overflows
     - Attack Techniques
     - Metasploit
  3. The Problem is Software
     - "Malicious hackers don't create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation."
     - John Viega & Gary McGraw
  4. Why is Software Security Poor?
     - Security is seen as something that gets in the way of software functionality.
     - Security is difficult to assess and quantify.
     - Security is often not a primary skill or interest of software developers.
     - Time spent on security is time not spent on adding new and interesting functionality.
  5. The Trinity of Trouble
     - Complexity
       - Continually increasing.
       - Windows 3.1 (3 MLOC) to Windows XP (40 MLOC)
     - Extensibility
       - Plugins.
       - Mobile code.
     - Connectivity
       - Network access.
       - Wireless networking.
  6. Software Complexity
     - 5-50 bugs per kloc [8]
       - 5/kloc: rigorous quality assurance (QA) testing
       - 50/kloc: typical feature testing

     System            Lines of code
     MS Word 95        2 million
     MS Windows 3.1    3 million
     Boeing 777        7 million
     Space Shuttle     10 million
     Netscape          17 million
     MS Windows XP     40 million
  7. Vulnerabilities
     - Vulnerability: a defect in software that allows security policy to be violated.
       - Confidentiality
       - Integrity
       - Availability
     - Exploit: a program that exercises a vulnerability.
  8. Vulnerability Databases
     - Collect vulnerability reports.
       - Vendors maintain databases with patches for their own software.
       - Security firms maintain databases of vulnerabilities that they've discovered.
     - Well-known vulnerability databases
       - CERT
       - CVE
       - NVD
       - OSVDB
  9. Why Vulnerability Databases?
     - Know about vulnerabilities in software that you have deployed so you can mitigate them.
     - Learn about vulnerability trends. If a JPG library bug is discovered, does the same type of bug exist in GIF or PNG libraries?
     - Learn about security problems to prevent when you're programming.
  10. CVE: Common Vulnerabilities and Exposures
     - Problem: different researchers and vendors call vulnerabilities by different names.
     - Solution: CVE, a dictionary that provides
       - A common public name for each vulnerability.
       - A common standardized description.
       - Allows different tools / databases to interoperate.
  11. CVE-2002-1185
     - Name: CVE-2002-1185
     - Status: Entry
     - Description: Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure."
     - References
       - VULNWATCH:20021211 PNG Deflate Heap Corruption Vulnerability
       - BUGTRAQ:20021212 PNG Deflate Heap Corruption Vulnerability
       - EEYE:AD20021211
       - MS:MS02-066
       - XF:ie-png-bo(10662)
       - BID:6216
       - OVAL:oval:org.mitre.oval:def:393
  12. NVD: National Vulnerability DB
     - Collects all publicly available government vulnerability resources.
       - HTML and XML output at http://nvd.nist.gov/
       - Uses the CVE naming scheme.
       - Links to industry and government reports.
       - Provides CVSS severity numbers.
       - Links to the OVAL repository.
  13. Buffer Overflows
     - A program accepts too much input and stores it in a fixed-length buffer that's too small.
       - char A[8];
       - short B;
       - gets(A);
     [Memory diagram: A occupies 8 bytes, followed by the 2 bytes of B. Before input, A holds eight zero bytes and B holds the value 3 (bytes 0 3). After gets(A) reads "overflows", A holds o v e r f l o w and the trailing s plus the terminating 0 spill over into B.]
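A bounded replacement for the slide's gets(A) into char A[8], as an added example that is not part of the lecture: read_line() never writes past the buffer, and when a line is too long it keeps what fits, drains the rest of that line so the next read starts on a fresh line, and reports the truncation instead of silently dropping data. POSIX fmemopen() supplies the constructed input; demo() and its input lines are assumptions made for illustration.

```c
/* Added example: a bounded line reader to replace the slide's gets(A).
 * read_line() never writes past buf[cap-1]; an over-long line is cut at
 * cap-1 bytes, the remainder is discarded so the next call starts on a
 * fresh line, and the truncation is reported. demo() and its input are
 * constructed for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

enum read_status { READ_OK, READ_TRUNCATED, READ_EOF };

enum read_status read_line(FILE *in, char *buf, size_t cap) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap > 0) buf[0] = '\0';
        return READ_EOF;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';                          /* whole line fit: strip the newline */
        return READ_OK;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n') return READ_OK;      /* line fit exactly, or last line had no newline */
    while (c != '\n' && c != EOF) c = fgetc(in);    /* drain the rest of the oversize line */
    return READ_TRUNCATED;
}

/* The slide's char A[8] fed four constructed lines; returns 31 when every check passes. */
int demo(void) {
    const char *input = "hello\noverflows\nabcdefg\nok";
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    char A[8];
    int score = 0;
    if (in == NULL) return -1;
    if (read_line(in, A, sizeof A) == READ_OK && strcmp(A, "hello") == 0) score |= 1;
    if (read_line(in, A, sizeof A) == READ_TRUNCATED && strcmp(A, "overflo") == 0) score |= 2;
    if (read_line(in, A, sizeof A) == READ_OK && strcmp(A, "abcdefg") == 0) score |= 4;  /* exactly fits */
    if (read_line(in, A, sizeof A) == READ_OK && strcmp(A, "ok") == 0) score |= 8;       /* no trailing newline */
    if (read_line(in, A, sizeof A) == READ_EOF) score |= 16;
    fclose(in);
    return score;
}
```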
  14. The Stack
     - Stack is LIFO.
     - Every function call allocates a stack frame.
     - Return address is the address where the function was called from and will return to.
     [Stack diagram, low to high addresses: Buffer 1 (local variable 1), Buffer 2 (local variable 2), return address, function arguments. Writes go up.]
  15. Smashing the Stack
     - Program accepts input into local variable 1.
     - Attacker sends too much data for the buffer, overwriting the return address.
     - Attacker data contains machine code for a shell.
     - Return address is overwritten with the address of the machine code.
     - When the function returns, the attacker's code is executed.
     [Stack diagram: Buffer 1 now holds machine code, exec(/bin/bash); Buffer 2 (local variable 2); return address replaced by a pointer to the machine code; function arguments. Writes go up.]
  16. NOP Slide
     - Attacker includes NOPs in front of the executable code in case the address isn't precise.
     - If the pointer points at the NOPs, execution continues through them to the machine code.
     - IDSs attempt to detect buffer overflows by looking for long strings of NOPs (0x90).
     [Stack diagram: NOP NOP NOP followed by machine code, exec(/bin/bash), in Buffer 1; Buffer 2 (local variable 2); return address replaced by a pointer to the machine code; function arguments. Writes go up.]
  17. Integer Overflow
     - An integer overflow occurs when an integer operation produces a value that exceeds the computer's maximum integer value, causing the value to "wrap around" to a negative value or zero.
  18. 32-bit Integer Quiz
     1. What two non-zero integers x and y satisfy the equation x * y = 0?
     2. What negative integer (-x) has no corresponding positive integer (x)?
     3. List two integers x and y such that x + y < 0.
  19. Quiz Answers
     1. 65536 * 65536 = 0, or 256 * 16777256 = 0, or any x * y = 2^32
     2. -2147483648
     3. 2147483647 + 1 = -2147483648
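The quiz answers worked through in C, as an added example that is not from the lecture: unsigned 32-bit arithmetic wraps modulo 2^32 and is well defined, whereas signed overflow is undefined behaviour in C, so the checked_* helpers test for overflow before the operation rather than inspecting a wrapped result afterwards. The function names are assumptions for this example; the allocation-size check goes one step beyond the quiz to the count-times-size pattern where these overflows usually bite.

```c
/* Added example: 32-bit wraparound from the quiz, and checked arithmetic
 * that refuses to wrap. Function names are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Unsigned arithmetic is defined to wrap modulo 2^32: 65536 * 65536 == 0. */
uint32_t wrap_mul(uint32_t x, uint32_t y) { return x * y; }

/* Signed overflow is undefined in C, so wrap in unsigned and reinterpret the
 * bits (two's complement on every mainstream platform): INT32_MAX + 1 -> INT32_MIN. */
int32_t wrap_add_signed(int32_t a, int32_t b) {
    uint32_t r = (uint32_t)a + (uint32_t)b;
    int32_t out;
    memcpy(&out, &r, sizeof out);
    return out;
}

/* Checked operations: the test happens before the arithmetic, so the
 * undefined overflow never executes. Return false instead of a wrong value. */
bool checked_add(int32_t a, int32_t b, int32_t *out) {
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b)) return false;
    *out = a + b;
    return true;
}

bool checked_neg(int32_t a, int32_t *out) {
    if (a == INT32_MIN) return false;   /* quiz answer 2: -INT32_MIN does not fit */
    *out = -a;
    return true;
}

bool checked_mul(int32_t a, int32_t b, int32_t *out) {
    int64_t p = (int64_t)a * (int64_t)b;   /* the 64-bit product cannot overflow */
    if (p > INT32_MAX || p < INT32_MIN) return false;
    *out = (int32_t)p;
    return true;
}

/* The allocation-size pattern: count * element size must not wrap before it
 * reaches malloc(), or a tiny buffer is handed out for a huge count. */
bool checked_alloc_size(uint32_t count, uint32_t elem, uint32_t *bytes) {
    if (elem != 0 && count > UINT32_MAX / elem) return false;
    *bytes = count * elem;
    return true;
}
```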
  20. Are Integer Overflows Important?
     - Broward County, November 2004 election
       - Amendment 4 vote was reported as tied.
       - Software from ES&S Systems reported a large negative number of votes.
       - Discovery revealed that Amendment 4 had passed by a margin of over 60,000 votes.
  21. Fuzz Testing
     - Black-box, input-based testing technique.
       - Uses random data.
       - Easily automated.
       - If the application crashes or hangs, it fails.
     - Results of a 1995 study [9]:
       - 15-43% of utilities from commercial UNIX systems failed.
       - 9% of Linux utilities failed.
       - 6% of GNU utilities failed.
       - 50% of X Windows utilities failed.
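A minimal fuzz harness of the kind the slide describes, as an added example that is not from the lecture: each random input is run in a forked child, and a crash (any signal, including a stack-protector abort), a hang past two seconds, or a non-zero exit counts as a failure. The target parse_record() is a constructed toy parser with a deliberate missing length check, so the harness is expected to report failures; fuzz() and input_fails() are names assumed for this example.

```c
/* Added example: fork-based fuzz harness. Random input goes to the target in a
 * child process; crash or hang means failure. parse_record() is a constructed
 * toy target with a deliberate defect, not code from the lecture. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed record format: buf[0] = type, buf[1] = payload length, then payload. */
int parse_record(const unsigned char *buf, size_t n) {
    unsigned char payload[16];
    if (n < 2) return -1;
    size_t len = buf[1];
    if (len > n - 2) return -1;          /* the read stays inside buf ... */
    memcpy(payload, buf + 2, len);       /* ... but len is never checked against 16 */
    unsigned sum = buf[0];
    for (size_t j = 0; j < len; j++) sum += payload[j];
    return (int)(sum & 0x7fffffff);
}

/* Run one input in a child process. Returns 1 if the child crashed (any signal,
 * including SIGABRT from a stack protector), hung past 2 seconds, or exited
 * non-zero; 0 if parse_record() returned normally. */
int input_fails(const unsigned char *buf, size_t n) {
    pid_t pid = fork();
    if (pid < 0) return 1;               /* cannot isolate the run: count it as a failure */
    if (pid == 0) {
        alarm(2);                        /* a hang is ended by SIGALRM, which counts as a signal */
        parse_record(buf, n);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return 1;
    return WIFSIGNALED(status) || (WIFEXITED(status) && WEXITSTATUS(status) != 0);
}

/* Feed `iterations` random inputs of random length; return how many failed. */
int fuzz(unsigned seed, int iterations) {
    unsigned char buf[256];
    int failures = 0;
    srand(seed);
    for (int i = 0; i < iterations; i++) {
        size_t n = (size_t)rand() % sizeof buf;
        for (size_t j = 0; j < n; j++) buf[j] = (unsigned char)(rand() & 0xff);
        failures += input_fails(buf, n);
    }
    return failures;
}
```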
  22. Metasploit
     - Modular exploit system
       - Exploit collection: over 100 exploits.
       - Payloads: machine code to run.
       - Command line and web interfaces.
     - Payloads
       - Bind shell: opens a shell backdoor on a port.
       - Reverse shell: sends a shell back to the attacker.
       - Windows VNC: remote desktop access.
       - Create user: adds a new administrative user.
  23. Metasploit
     - http://www.metasploit.com/
  24. Using Metasploit
     - Select an exploit
       - use exploit_name
     - Enter the target
       - set RHOST ip_address_of_target
     - Select the payload
       - set payload payload_name
       - set LHOST ip_address_of_your_host
     - Run
       - exploit
  25. Advantages of Metasploit
     - Ease of use
       - One interface to many exploits.
     - Flexibility
       - Can choose whatever payload you need.
     - Faster development time
       - Payloads already written.
     - Reliability
       - Framework and payloads are well tested.
  26. Uses of Metasploit
     - Vulnerability verification
       - Scanners report possible vulnerabilities.
       - Metasploit will give you remote access.
     - IDS/IPS testing
       - Test IDS/IPS with real exploit code.
     - Penetration testing
       - Easy to develop custom exploits for pen testing.
     - Convincing management
       - Remote access is more convincing than a report.
  27. References
     - Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
     - Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O'Reilly & Associates, 2003.
     - Mark Graff and Kenneth van Wyk, Secure Coding: Principles & Practices, O'Reilly, 2003.
     - Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison-Wesley, 2004.
     - Michael Howard, David LeBlanc, and John Viega, 19 Deadly Sins of Software Security, McGraw-Hill Osborne, 2005.
     - Michael Howard and David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003.
     - Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006.
     - Gary McGraw, Software Security, Addison-Wesley, 2006.
     - John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002.
     - David Wheeler, Secure Programming for UNIX and Linux HOWTO, http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html, 2003.