Software security Vulnerabilities, exploits and November 14th, possible countermeasures 2012 Roman OliynykovAssociated Professor of Information Technologies Security Department Kharkov National University of Radioelectronics Head of Scientific Research Department JSC “Institute of Information Technologies” Kharkov Ukraine ROliynykov@gmail.com
Lecture outline List of topics I suppose you already understand Importance of secure software for customers on the modern highly competitive consumer electronics market Example of vulnerable network daemon for Linux, and exploit for it (buffer overflow demo) Possible countermeasures against software vulnerabilities together with new hackers’ tricks against them Need for permanent attention for software security
For this lectureI suppose you understandC programming language source code main terms of operation system architecture (process, address space, stack, heap, etc.) x86 assembler language source code (preferably AT&T notation) basics of Linux (command line) network utilities (ping, telnet)
Importance of secure software forcustomers on the modern highlycompetitive consumer electronicsmarket
Importance of secure software A smartphone is a mobile phone built on a mobile operating system, with more advanced computing capability and connectivity than a feature phone [Wikipedia] Mobile operating system: Linux (Android, Bada, etc.), potentially vulnerable to malware (viruses, worms, Trojan horses, etc.)
Financial threats tosmartphone users via malware Invisible to user automatic premium number calls and SMS Mobile banking application credentials theft via: mobile banking application attacks (Zeus malware for mobiles, etc.) access to bank card readers connected to the smartphone via microphone port, NFC chip, etc.
Other threats to smartphoneusers via malware Privacy threats (spying) for remote transmission to the hacker group: voice recording video and photo contact list, sms, etc. customer location via GPS data, etc. Customer incrimination to be a source of the cybercrime attack when his/her smartphone is a part of the botnet
New attacks on smartphones:‘visual malware’Automated malicious softwarebased on camera photos for3D model creation of indoorenvironment and stealing dataof financial documents,information on monitors, etc.
Importance of secure software A Smart TV is the phrase used to describe the current trend of integration of the Internet and Web 2.0 features into modern television sets and set-top boxes, as well as the technological convergence between computers and these television sets [Wikipedia] Mobile operating system: Linux (Android, Bada, etc.), potentially vulnerable to malware (viruses, worms, Trojan horses, etc.)
Threats to Smart TV users:almost the same Financial: banking application credentials theft Privacy threats (spying) for remote transmission to the hacker group from customer’s house: voice recording video and photo blackmails for confidential recording at user’s home Family digital data lost (photos, videos, contacts, etc. - example) Customer incrimination to be a source of the cybercrime attack when his/her Smart TV is a part of the botnet or hacker’s proxy node
Example of vulnerable networkdaemon (service) for Linux,and exploit for it
netcalcd – vulnerable daemon(service) for Linux (x86) intentionally written for this lecture and contains intentionally man-made vulnerabilities processes simple network text requests for basic calculations prints debug information about its stack on the server console
netcacld source code in asm:get_result() function
Vulnerability in get_result() functionstrcpy( &dst, &src ) in contrast tostrncpy( &dst, &src, sizeof (dst) )takes into account onlydestination string length (buffersize) and copies data until findstermination zero in src
netcalcd stack after strcpy() call withmalicious data (hacker’s code) from thenetwork
After encoding the rest part of theshellcode runs web server at port 8801 or does everything intruder wants to do with the vulnerable process privileges
How to protect our softwareagainst such an attack?
Possible countermeasuresagainst buffer overflow write secure code based on secure functions calls and all necessary user input verification (the most important recommendation) make your operation system to use Address Space Layout Randomization (ASLR) make your operation system use processor NX bit (on x86 platform) keep on canary words in your compiler run the code with the least necessary privileges
Write secure code based onsecure functions callsstrcpy( &dst, &src ) fills destination buffer without taking into account its size;strncpy( &dst, &src, sizeof( dst ) ) won’t write outside the destination buffer (butit’s possible the lost of terminating zero)
Write secure code based onsecure functions calls And many other recommendations for writing secure code…
Security check of existingprojects: automated tools But no guarantee that all vulnerabilities are discovered
Address Space LayoutRandomization computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a processs address space [wikipedia] Each running time stack, heap, etc. are put at random addresses in the process address space
Address Space LayoutRandomization (example)It’s difficult to guess correct return address to be written on the stacksmashing. But it is possible: only16 less bits of address are changedRunning code addresses are NOT changed
ASLR appeared: Linux kernel support: 2.6.12 (released June 2005) Microsofts Windows Vista (released January 2007), Windows Server 2008, Windows 7, and later have ASLR enabled by default Android 4.0 Ice Cream Sandwich provides ASLR…
ASLR evasion techniques brute force address search attempt return into code on non-randomized memory jmp *esp (ret address points to such bytes in code) etc.
Make your operation system useprocessor NX bit (on x86 platform)NX bit, which stands for Never eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (or code) or for storage of data
NX bit protection evasion:return-to-libc attack no code in the stack (no processor exception) return address is overwritten and points to the existing code intruder calls standard function and passes arbitrary arguments to it in Windows it is possible to call a sequence of functions due to _stdcall_ convention
Never switch off canary words in your compilerCanary words are known values that are placed between a buffer and control data on the stack to monitor buffer overflows
Canary words Implementation: GCC Stack-Smashing Protector (ProPolice) Microsoft Visual Studio 2003 and higher ( /GS ) etc. What cannot be handled: buffer overflows in the heap (intruder uses pointers to functions in virtual method tables of dynamic objects)
There is no universal silver bullet for security If a system switched on and running we may have up-do-date security solutions onlySecurity is a process, not a state
Conclusions (I) Security is important (and sometimes is a crucial factor) for consumer acceptance Secure code is a major element of the secure system Writing secure code is much more effective than later security improvement
Conclusions (II) Effective methods for security level improvement for existing applications: Address Space Layout Randomization (ASLR) NX bit on x86 processors canary words in your compiler code running with the least necessary privileges
Conclusions (III) All acceptable security features of the operation system should be used There is no universal “silver bullet” for security Security is a process, not a state