ISEC0511 Programming for Information System Security
Lecture Notes #8: Constructing Secured and Safe C/UNIX Programs
UNIX/Linux Briefs
UNIX was developed during the 1970s and written in C. It has many flavors, e.g. Solaris (Sun), HP-UX (HP), AIX (IBM), BSD and Tru64 (Digital, now HP). UNIX originally had a monolithic kernel; the industry later introduced the microkernel concept and loadable kernel modules. In 1991, Linus Torvalds began developing an OS kernel, which he named "Linux". Several organizations combine Linux with other supporting software and release the result as a distribution.
UNIX/Linux is considered by many to be a reliable OS and is used by many organizations.
UNIX
UNIX is a platform of choice in many industries, including:
- Research and teaching in universities
- Telecommunications
- Financial institutions
- Corporations that used mainframes
- Mission-critical systems, e.g. network management, high-availability servers, billing systems
POSIX
POSIX is a standard developed by the IEEE that is widely regarded as the UNIX interface standard.
POSIX stands for Portable Operating System Interface (the trailing X reflects its UNIX heritage) and defines the API for software that is source-compatible across the various flavors of UNIX.
Although the standard can apply to any OS, it is used mainly in the context of UNIX.
Applications on UNIX/Linux
Most applications running under UNIX/Linux are developed using C or C++.
Some applications nowadays are developed using Java.
C and C++ suffer from similar security risks.
Security Holes in UNIX
- Elevation of privilege
- Buffer overflow
- Integer arithmetic bugs
- Memory exhaustion
- Referencing invalid memory
- Array bound errors
- Log file area exhaustion
- CPU exhaustion
Privileges in UNIX
Many server programs in UNIX need root privilege.
Having root privilege allows a process to, for example:
- Read or modify other processes and their memory
- Access I/O devices
- Bind the privileged socket ports (0-1023)
SUID and SGID Programs
Programs that need root privilege often have the setuid-root bit set (SUID).
Attackers look for such programs and try to exploit any buffer overflow vulnerability in them.
If they can inject code and spawn a process (typically a shell) while the program is running with root privilege, they control the whole system.
Programs that are setuid root can be found by inspecting the permission bits of executable files: an "s" appears in place of the owner's "x".
SUID and SGID Programs
The setgid bit (SGID) is similar to setuid but applies at the group level.
SUID and SGID bits can be set and cleared with the chmod command (e.g. chmod u+s file, chmod g-s file).
Examples (/etc/passwd is an ordinary file; /usr/bin/passwd is setuid root, shown by the "s" in the owner's execute position):
-rw-r--r--  1 root root  1713 Apr  2  2007 /etc/passwd
-r-s--x--x  1 root root 18992 Jun  6  2003 /usr/bin/passwd
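The same permission bits can be checked programmatically. The following is an added example, not code from the lecture notes: it uses lstat(2) to classify a file by its setuid/setgid bits and lists every such regular file in one directory, the way an auditor looks for privileged binaries. The directory scanned by default (/usr/bin) and the output format are this example's own choices.

```c
/* Added example (not from the lecture notes): find files carrying the setuid or
 * setgid bit, the bits that "ls -l" shows as "s" in an execute position.
 * Assumes a POSIX system with <sys/stat.h> and <dirent.h>. */
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Classify one path: 0 = no special bit, bit 1 = setuid, bit 2 = setgid,
 * -1 = lstat() failed. Only regular files matter for privilege escalation,
 * so directories (where setgid means "inherit group") report 0. */
int special_bits(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;
    int bits = 0;
    if (st.st_mode & S_ISUID) bits |= 1;
    if (st.st_mode & S_ISGID) bits |= 2;
    return bits;
}

/* Scan one directory (non-recursive, to keep the example short), print every
 * setuid/setgid regular file with its owner uid, and return how many were found;
 * -1 if the directory cannot be opened. */
int scan_dir(const char *dir) {
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    int found = 0;
    char path[4096];
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path)
            continue;                         /* path too long: skip rather than truncate */
        int bits = special_bits(path);
        if (bits > 0) {
            struct stat st;
            if (lstat(path, &st) == 0)
                printf("%s%s %s (owner uid %u)\n",
                       (bits & 1) ? "setuid " : "", (bits & 2) ? "setgid" : "",
                       path, (unsigned)st.st_uid);
            found++;
        }
    }
    closedir(d);
    return found;
}

int main(int argc, char *argv[]) {
    /* e.g. ./scan /usr/bin  -- the interesting hits are setuid files owned by uid 0 */
    const char *dir = argc > 1 ? argv[1] : "/usr/bin";
    int n = scan_dir(dir);
    if (n < 0) {
        perror(dir);
        return EXIT_FAILURE;
    }
    printf("%d setuid/setgid file(s) in %s (scanned as uid %u)\n", n, dir, (unsigned)getuid());
    return EXIT_SUCCESS;
}
```

A setuid file owned by root is only dangerous if it is also executable by others, so in a real audit the report is usually filtered further by owner and by the other/group execute bits.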
Principle of Least Privilege
To minimize the damage a compromised privileged program can do, a program should touch as few resources as possible while holding elevated privilege, and should give the privilege up as soon as it is no longer needed.
Some guidelines that can be used as safe programming patterns while privileged:
- Do not launch new processes
- Do not execute command-line arguments
- Do not open connections to transmission control protocol (TCP) ports 0 to 1023
Generic Security Service Application Program Interface
The Generic Security Service Application Program Interface (GSS-API) is defined in RFC 2743 (with the C bindings in RFC 2744).
GSS-API does not itself implement any security mechanism. Instead, security service vendors implement GSS-API in the form of libraries, allowing applications to be portable at the source level across mechanisms (Kerberos is the most widely used one).
GSS-API has been standardized for C and Java. Through about 45 procedure calls, GSS-API offers authentication of the two peers plus integrity and confidentiality for the messages they exchange.
SSL and OpenSSL
SSL is a protocol for secure communication over the network that provides confidentiality, integrity, and authentication.
SSL can be layered under any TCP-based service on the network.
SSL can be implemented using OpenSSL. When these notes were written, OpenSSL supported SSL (v2 and v3) and TLS (v1); SSL 2.0 and 3.0 have since been deprecated and should be disabled. OpenSSL contains the library for linking with applications and also many useful command-line tools for key and certificate work.
SSL vs. TLS
TLS (Transport Layer Security) is the successor of SSL; TLS 1.0 was derived from SSL 3.0.
SSL and TLS are not interoperable with each other, although a client and server negotiate the highest protocol version both support.
They are not "equal" in terms of security: TLS fixed weaknesses of SSL, and each later TLS version fixed more. The TLS handshake is sent in the clear before the encrypted session starts, but it is protected against tampering by the Finished messages, which authenticate the whole exchange. Version negotiation can fall back to SSL if the peer offers nothing better, which is exactly what an attacker forcing a downgrade exploits, so fallback to SSL should be disabled. Protocols such as SMTP and IMAP support insecure and TLS-protected communication over the same port by starting in the clear and upgrading with a STARTTLS command.
Raw Socket
A raw socket is a way to fully control what goes in or out of a network interface under UNIX.
In ethical hacking (penetration testing) you may need raw sockets to handcraft special packets to send to the network.
A raw socket lets you control both the headers and the payload of a packet.
Raw sockets are part of the underlying OS networking API (socket(2) with type SOCK_RAW).
Opening a raw socket needs root privilege (on Linux, the CAP_NET_RAW capability).
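What "handcrafting a packet" involves in practice, as an added example that is not from the lecture notes: building an ICMP echo request byte by byte, computing the Internet checksum over it, and handing it to a raw socket. Only the last step needs privilege. It assumes Linux/BSD semantics where the kernel prepends the IP header for a SOCK_RAW/IPPROTO_ICMP socket; the identifier, sequence number and payload string are this example's own choices.

```c
/* Added example (not from the lecture notes): hand-craft an ICMP echo request
 * the way a raw-socket tool such as ping does. Building and checksumming the
 * packet needs no privilege; only the raw socket does (root, or CAP_NET_RAW on Linux). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* RFC 1071 Internet checksum, computed over the bytes in network order so the
 * result is identical on big- and little-endian hosts. */
uint16_t inet_checksum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)                             /* odd trailing byte is padded with a zero byte */
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)                        /* fold carries back into 16 bits */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write an ICMP echo request (type 8, code 0) into out.
 * Returns the packet length, or 0 if the buffer is too small. */
size_t build_icmp_echo(uint8_t *out, size_t cap, uint16_t id, uint16_t seq,
                       const uint8_t *payload, size_t plen) {
    if (cap < 8 + plen)
        return 0;
    out[0] = 8;  out[1] = 0;                 /* type, code */
    out[2] = 0;  out[3] = 0;                 /* checksum field is zero while computing */
    out[4] = id >> 8;  out[5] = id & 0xFF;   /* identifier, network byte order */
    out[6] = seq >> 8; out[7] = seq & 0xFF;  /* sequence number */
    if (plen)
        memcpy(out + 8, payload, plen);
    uint16_t ck = inet_checksum(out, 8 + plen);
    out[2] = ck >> 8; out[3] = ck & 0xFF;
    return 8 + plen;
}

/* Receiver-side check: summing a packet that includes its own checksum gives zero. */
int icmp_checksum_ok(const uint8_t *pkt, size_t len) {
    return len >= 8 && inet_checksum(pkt, len) == 0;
}

/* Send the crafted packet to dst (dotted-quad string). Returns 0 on success. */
int send_echo(const char *dst, uint16_t id, uint16_t seq) {
    uint8_t pkt[64];
    const uint8_t data[] = "raw-socket-demo";   /* constructed payload */
    size_t len = build_icmp_echo(pkt, sizeof pkt, id, seq, data, sizeof data);
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (s < 0) {
        if (errno == EPERM || errno == EACCES)
            fprintf(stderr, "raw socket needs root (or CAP_NET_RAW)\n");
        return -1;
    }
    struct sockaddr_in to;
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    if (inet_pton(AF_INET, dst, &to.sin_addr) != 1) {
        close(s);
        return -1;
    }
    ssize_t n = sendto(s, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    close(s);
    return n == (ssize_t)len ? 0 : -1;
}

int main(int argc, char *argv[]) {
    const char *dst = argc > 1 ? argv[1] : "127.0.0.1";
    return send_echo(dst, 0x1234, 1) == 0 ? 0 : 1;
}
```

Run as root (or with CAP_NET_RAW) and watch the reply with tcpdump -n icmp; as an ordinary user the socket() call fails and the program reports why, which is the privilege boundary the slide refers to.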
Chroot
chroot changes the root directory of a process so that it (and its children) can only see files and directories under the new root. It is not a security boundary on its own: a process that keeps root privilege inside the jail can break out again.
You can chroot during a command session with the chroot command:
    chroot [-u user] [-g group] newroot
In a C program the sequence is:
    chroot("/foo/bar");          /* needs root */
    chdir("/");                  /* so the working directory is inside the new root */
    setuid(unprivileged_uid);    /* give up root; a non-zero uid, otherwise the jail can be escaped */
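The least-privilege guidelines and the chroot sequence above come together in one routine. The following is an added example, not code from the lecture notes: it enters the jail and then drops root in the order that cannot be undone (supplementary groups, then gid, then uid), and it verifies afterwards that root cannot be regained. It assumes POSIX chroot(2)/setgid(2)/setuid(2) plus the BSD/Linux setgroups(2); the jail directory and the target uid/gid are the caller's choice.

```c
/* Added example (not from the lecture notes): put a privileged server into a
 * chroot jail and permanently give up root.
 * Assumes POSIX chroot/setgid/setuid and the BSD/Linux setgroups(2). */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to an unprivileged uid/gid and verify that root cannot be regained.
 * Returns 0 on success, -1 on any failure (errno is left set by the failing call). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0)                          /* "dropping" to root is not a drop */
        return -1;
    if (geteuid() == 0 && setgroups(0, NULL) != 0)     /* supplementary groups first; only root may */
        return -1;
    if (setgid(gid) != 0)                              /* group before user: once uid changes we may not be allowed to */
        return -1;
    if (setuid(uid) != 0)                              /* as root this sets real, effective and saved uid */
        return -1;
    if (setuid(0) != -1)                               /* must fail now; if it succeeds the drop was not permanent */
        return -1;
    return 0;
}

/* Enter the jail: chroot() first (needs root), then chdir("/") so the working
 * directory lies inside the new root, then drop root so the process can no longer
 * use chroot() or device nodes to break out. */
int enter_jail(const char *dir, uid_t uid, gid_t gid) {
    if (chroot(dir) != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    return drop_privileges(uid, gid);
}

int main(int argc, char *argv[]) {
    /* usage (as root): ./jail /var/empty 65534 65534 */
    if (argc < 4) {
        fprintf(stderr, "usage: %s jaildir uid gid\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (enter_jail(argv[1], uid, gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    printf("uid=%u euid=%u inside %s; /etc/passwd %s visible\n",
           (unsigned)getuid(), (unsigned)geteuid(), argv[1],
           access("/etc/passwd", F_OK) == 0 ? "is still" : "is no longer");
    return 0;
}
```

Two details practitioners get wrong: calling setuid() before setgid() (the gid change then fails with EPERM), and forgetting setgroups(), which leaves the process a member of every group root had, including the wheel or shadow group.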
UNIX Logging
There are two logging interfaces in UNIX:
- syslog(2): the system call that reads and controls the kernel message buffer (kernel logging)
- syslog(3): the C library function that sends a message to the syslog daemon (application logging)
Application logs are stored under /var/log or /var/adm.
Some of the logs are utmp, wtmp and lastlog (login history) and messages, mail and auth.
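Using syslog(3) from a server, as an added example that is not from the lecture notes. It avoids two classic mistakes: passing attacker-controlled text as the format string (syslog takes printf-style formats), and letting a newline inside that text forge a second, fake log record. The ident string, facility, field names and the hostile sample input are all this example's own constructions.

```c
/* Added example (not from the lecture notes): write an authentication event
 * through syslog(3) safely. Assumes a POSIX syslog(3) implementation. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Copy src into dst[cap], replacing control characters (newline, CR, tab, ESC, ...)
 * with '?' so that one syslog() call is always exactly one log record.
 * Input longer than cap-1 bytes is truncated. Returns the number of bytes replaced. */
int sanitize_for_log(char *dst, size_t cap, const char *src) {
    size_t i;
    int replaced = 0;
    if (cap == 0)
        return 0;
    for (i = 0; i + 1 < cap && src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c == 0x7F) {
            dst[i] = '?';
            replaced++;
        } else {
            dst[i] = (char)c;
        }
    }
    dst[i] = '\0';
    return replaced;
}

/* Build the record text. Returns what snprintf returns so callers can detect
 * truncation; kept separate from the syslog call so it can be tested. */
int format_auth_event(char *out, size_t cap, const char *result,
                      const char *user, const char *peer) {
    char u[64], p[64];
    sanitize_for_log(u, sizeof u, user);
    sanitize_for_log(p, sizeof p, peer);
    return snprintf(out, cap, "auth %s user=\"%s\" from=%s", result, u, p);
}

void log_auth_event(const char *result, const char *user, const char *peer) {
    char rec[256];
    format_auth_event(rec, sizeof rec, result, user, peer);
    /* Fixed format string: the record is an argument, never the format itself. */
    syslog(LOG_AUTH | LOG_WARNING, "%s", rec);
}

int main(void) {
    openlog("demo-server", LOG_PID | LOG_NDELAY, LOG_AUTH);
    /* constructed hostile input: a newline followed by a forged success line */
    log_auth_event("failed", "bob\nauth ok user=\"root\"", "203.0.113.7");
    closelog();
    return 0;
}
```

The unsafe version, syslog(LOG_WARNING, user), lets a user name such as "%s%s%s%n" read or write the stack the same way a buffer overflow does; always pass a literal format.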
C Program Compiler Steps
Most applications under UNIX are developed using C/C++.
The common steps followed by the compiler are:
- C preprocessor: expands macros and #include directives, producing a complete C file to compile
- C compiler: translates the C file into assembly language
- Assembler: translates assembly language into machine code (object files)
- Linker: links all object files together (including libraries) into an executable file
Common Security Problems with C/C++
C imposes almost no runtime restrictions: there is no bounds checking and no automatic memory management, so the programmer is responsible for handling almost everything.
Attackers who understand these details better than the programmer can exploit the knowledge gap and launch an attack.
We will discuss several memory-related danger zones.
Memory Leak
Programmers are expected to release any memory the program allocates back to the OS.
Repeatedly allocating memory and forgetting to release it is called a memory leak.
Using many other resources, such as creating a network connection or opening a file, also allocates memory implicitly, so those must be released as well.
A memory leak eventually exhausts memory and results in a denial of service (DoS) on the computer; an attacker who can trigger the leaking code path repeatedly can force this deliberately.
Memory Overflow
A memory (buffer) overflow happens when you write data to a buffer beyond the buffer's size.
Many C functions never do bounds checking, so user-supplied data can be written beyond a buffer.
Writing data beyond a buffer results in unpredictable program behavior; the process may keep running with corrupted data.
In UNIX, if a process tries to write to memory outside its address space, the kernel sends it SIGSEGV and it dies with a segmentation fault.
Memory Overflow
Common steps an attacker typically follows to exploit a memory overflow:
1. Find suitable existing code that runs with the privileges needed for the attack.
2. Use the buffer overflow technique to inject attack code into the victim program.
3. The attack code changes the control flow of the privileged program, so that the attack code is executed with sufficient privilege.
Memory Overflow Example
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char fname[9];               /* room for 8 characters plus the terminating NUL */
    if (argc < 2) {              /* check the argument exists before touching argv[1] */
        printf("Usage: display filename\n");
        exit(1);
    }
    strcpy(fname, argv[1]);      /* no bounds check: an argument longer than 8 characters overflows fname */
    return 0;
}
Memory Overflow Example
#include <string.h>

void crash(char *str) {
    char bufferOnStack[16];
    strcpy(bufferOnStack, str);     /* copies 255 bytes plus NUL into a 16-byte stack buffer */
}

int main(void) {
    char large_string[256];
    int i;
    for (i = 0; i < 255; i++)
        large_string[i] = 'A';
    large_string[255] = '\0';
    crash(large_string);            /* overwrites the saved frame pointer and return address: usually a segmentation fault */
    return 0;
}
Unsafe C Functions
Some unsafe C functions include:
strcpy(char *dest, char *src)
strcat(char *dest, char *src)
getwd(char *buf)
gets(char *s)
fscanf(FILE *stream, char *format, ...)
scanf(char *format, ...)
realpath(char *path, char resolved_path[])
sprintf(char *str, char *format, ...)
None of these take the size of the destination buffer, so none of them can stop a write past its end (for scanf and fscanf the danger is an unbounded %s conversion).
Stack Smashing/Overflow
Stack smashing is a type of buffer overflow.
An attacker exploits a buffer overflow to overwrite the contents of the stack (neighbouring local variables, the saved frame pointer, the saved return address) and so manipulate program execution.
Historically this has been one of the most common ways to gain control of a victim system.
The attacker targets a program that runs with elevated privilege and injects the attack code through the buffer overflow.
Process Memory Organization
- The text region holds the program's machine code and is read-only.
- The data region holds static variables and the heap (dynamic allocation at runtime).
- The stack region supports function calls and provides space for each function's local variables, arguments, and return address.
Process Memory Example
void function(int a, int b, int c) {
    char buffer1[5];        /* locals are rounded up to word size, so each buffer takes more than its declared length */
    char buffer2[10];
}

int main(void) {
    function(1, 2, 3);      /* classic 32-bit x86 layout, high to low addresses: c, b, a, return address, saved frame pointer, buffer1, buffer2 (modern compilers may reorder or pad locals) */
    return 0;
}
#include <stdio.h>
#include <string.h>

int GoodPass(void);

/* Deliberately vulnerable: str is copied into a 10-byte stack buffer with no bounds check,
 * so a long argument overwrites whatever lies above buffer on the stack. Modern compilers
 * insert a stack canary that aborts the program instead; build with gcc -fno-stack-protector
 * to reproduce the lecture's result. */
int OverflowMe(char *str) {
    char buffer[10];
    strcpy(buffer, str);
    return 0;
}

int main(int argc, char *argv[]) {
    int pass = 0;
    printf("check me in\n");
    if (argc > 1)
        OverflowMe(argv[1]);
    if (pass == 1)          /* never true in the intended control flow ... */
        GoodPass();         /* ... so reaching GoodPass() proves the stack was smashed */
    else
        printf("Uh-Oh cannot pass!!!\n");
    printf("end\n");
    return 0;
}

int GoodPass(void) {
    printf("******* You are IN! *******\n");
    printf("******* This is GoodPass() executing *******\n");
    return 0;
}
Program Output (screenshot of the run in the original slides; not reproduced in this transcript)
Shell Code
Shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability.
It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine.
Shellcode is what the attacker tries to make a privileged process run, so that the attacker can perform tasks as the privileged user.
Heap Smashing/Overflow
In heap smashing, the attacker exploits a buffer overflow to overwrite the contents of heap memory (neighbouring objects or the allocator's own bookkeeping data) and so manipulate program execution.
Unlike the stack, heap allocation does not return a fixed location inside the program's memory.
Thus taking control of a program through heap smashing is harder, although well-established techniques for it exist.
Avoiding Security Risks with C/C++ Code
Use bounded string operations, such as strncpy(), strncat() and snprintf(), and check their results: strncpy() does not NUL-terminate when the source fills the buffer, and snprintf() truncates silently unless its return value is compared with the buffer size.
Link the program with safety libraries, e.g. libsafe and libverify, which intercept the overflow-prone functions.
Read the manual well. Most C functions under UNIX have manual pages, available through the man command.
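How the "display filename" program from the Memory Overflow Example section looks once these rules are applied, as an added example that is not from the lecture notes. It rejects an over-long argument instead of copying it, and it shows the two pitfalls of the bounded replacements: strncpy() leaving the buffer unterminated, and snprintf() truncating unless its return value is checked. The helper names and the 8-character limit (taken from the lecture example) are this example's own choices.

```c
/* Added example (not from the lecture notes): bounded copies done correctly.
 * Plain C99; no assumptions beyond the standard library. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy src into dst[cap] only if it fits together with its terminator.
 * Returns 0 on success, -1 (with dst set to "") if it would not fit. */
int copy_bounded(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0)
        return -1;
    if (n >= cap) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);               /* n+1 includes the NUL and n+1 <= cap */
    return 0;
}

/* strncpy() used correctly: force the terminator and report truncation.
 * Returns 0 if src fit, -1 if it was cut short. */
int copy_strncpy(char *dst, size_t cap, const char *src) {
    strncpy(dst, src, cap);                /* leaves dst unterminated when src fills it ... */
    if (dst[cap - 1] != '\0') {            /* ... which is exactly the truncation case */
        dst[cap - 1] = '\0';
        return -1;
    }
    return 0;
}

/* snprintf() returns the length that would have been written, so a value
 * >= cap means the buffer was too small and the result is truncated. */
int format_path(char *dst, size_t cap, const char *dir, const char *file) {
    int n = snprintf(dst, cap, "%s/%s", dir, file);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(int argc, char *argv[]) {
    char fname[9];                         /* same 8-character limit as the lecture example */
    if (argc < 2) {
        printf("Usage: display filename\n");
        exit(1);
    }
    if (copy_bounded(fname, sizeof fname, argv[1]) != 0) {
        fprintf(stderr, "filename longer than %zu characters rejected\n", sizeof fname - 1);
        exit(1);
    }
    printf("displaying %s\n", fname);
    return 0;
}
```

Rejecting over-long input (copy_bounded) is usually the right choice for security-relevant fields such as file names; silently truncating them can turn one path into another.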