Week 7 Lecture
Software & System Security I Vulnerabilities & Defenses
FIT2093 INTRODUCTION TO CYBERSECURITY
www.monash.edu.au
Copyright By PowCoder代写 加微信 powcoder
Software & System Security: Vulnerabilities & Defenses
● Basic Concepts
● CommonVulnerabilities&Defenses
○ bufferoverflow:#1(alsorelatedto#3,#5)
○ commandinjection:#11(alsorelatedto#2,#3,#6,#9) ○ integerrangeoverflow:#8
● Software&SystemSecurityDesignPrinciples 2
Basic Concepts of Software Security
Basic Concepts
Software & System Security: Vulnerabilities & Defenses
● Recap: security = vs attacks on assets ● software assets: system data / code
● The Problem: attacks on software
○ viaaccess:read(leakage),write(unauthorizedchanges)
○ viaexploitingsoftwarefunctionality(inclchangebehaviour)
● The Solution: software security
• regulate the access, manage the risks/threats of exploitation
# What it ain’t #
Software & System Security: Vulnerabilities & Defenses
● CyberSecurityfeatures≠Softwaresecurity
○ e.g. cryptography:
“if you think your problem can be solved by cryptography,
you don’t understand cryptography & you don’t understand your problem”
[ , security guru]
Q: Give an example of a difference between software security requirements and functional software engineering requirements?
Activity (5 mins)
1) Click the latest link in the Zoom chat
2) Add your question response to the Ed forum
3) Add your “hearts” to your favourite responses
# What it ain’t #
Software & System Security: Vulnerabilities & Defenses
● SoftwareSecurity⊆SoftwareEngineering
● Software engineering lifecycle: requirements, design, code, test, deploy
● conventionalSE:
○ qualitysoftware=correctnessofeachstagematchingrequirements
● realworld:
○ qualitysoftware=correct,reliable,evenifattackerstrytoexploit/attack
Basic Concepts
Software & System Security: Vulnerabilities & Defenses
● Softwaresecurity
○ quality(correctness)&reliability(robustness)
● non-functional security should be integral to design, right from start ○ likehowtestingshouldbeintegral
Difference between Functionality Testing and Security Testing
Universe of all possible system capabilities
Capabilities the system should NOT have (Security testing)
Capabilities the system should have (Functional testing)
(source: , Testing web security, p. 17)
# Top Software Errors #
Software & System Security: Vulnerabilities & Defenses
● Common Weakness Enumeration (CWE)/SANS Top 25 Errors [www.sans.org/top25-software-errors/]
# Top Software Errors #
Software & System Security: Vulnerabilities & Defenses
● 1: Improper Restriction of Operations within the Bounds of a Memory Buffer
● 2: Cross-site Scripting (XSS)
● 3: Improper Input Validation
● 4: Information Exposure
● 5: Out-of-bounds Read
● 6: SQL Injection
● 8: Integer Overflow or Wraparound
● 10: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
● Q: which vulnerability threatens which security goal: C,I,A + A ? 11
# Top Software Errors #
Software & System Security: Vulnerabilities & Defenses
● 11: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
● 12: Out-of-bounds Write
● 13: Improper Authentication
● 15: Incorrect Permission Assignment for Critical Resource
● 16: Unrestricted Upload of File with Dangerous Type
● 18: Improper Control of Generation of Code (‘Code Injection’)
● 20: Uncontrolled Resource Consumption
● 24: Improper Privilege Management
Buffer Overflow
Buffer Overflow
Software & System Security: Vulnerabilities & Defenses
● #1 software error for many years … ● TheVulnerability:
○ SoftwareallocatesbufferoflengthNforuserinput
○ thencopiesinputdataintobufferwithoutcheckinginputlength
● TheExploit:
○ if length(input) > buffer length N:
• excess input data overwrites memory addresses after buffer
Buffer Overflow: & System Security: Vulnerabilities & Defenses
Buffer start boundary
program variable stored in memory, in contiguous manner overwrite beyond boundary, goes into other neighbouring locations
e.g. buffer length N = 8 but |userInput| = 10
Buffer end boundary
No overflow
Buffer Overflow
Software & System Security: Vulnerabilities & Defenses
● excess input data overwrites memory addresses after buffer …
○ normal users: program crash because overwritten with non-relevant data
○ attackers:
• Overwrite critical program variables/data [Example 1]
• Overwrite function return address, to point to elsewhere, e.g.
• desired existing program code [Example 2] or
• code injected by hacker, e.g. a root user shell: “shellcode” [Lab]
Processes & Memory
Software Security: Vulnerabilities & Defenses
● for execution, program code&data moved from disk to RAM
● process = when a program is executed
● process code&data allocated in
RAM/virtual memory, each has an address
● memory divided into many segments of different types
○ to store code, data, …
○ our examples relate to stack memory
Functions & Stack Memory
Software & System Security: Vulnerabilities & Defenses
● when function called,
code & data stored in stack mem
e.g. function A called,
func. B called by func. A,
func. C called by func. B
● code & data put into stack like
putting a stack of papers into
a tray: last in first out (LIFO); stack pointer (SP) tracks top of stack
Q: why useful for function calls?
#Fu nctions & Stack Memory #
Software & System Security: Vulnerabilities & Defenses
LIFO stack useful for function calls?
Why not FIFO?
# Functions & Stack Memory #
Software & System Security: Vulnerabilities & Defenses
● e.g.1 DrawSquare calls DrawLine
○ DrawSquare code & data saved in stack
○ followed by DrawLine
• input parameters
• return address
• local variables
○ DrawLine completes execution first
so its code/data in stack cleared first: LIFO
Stack grows from highàlow address
# Buffer Overflow Example 1 # Software & System Security: Vulnerabilities & Defenses
● input to program: password, via argv[ ] param
● main() function calls check_auth() function
int main(int argc, char *argv[]) {
if(check_auth(argv[1]))
printf(“\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”);
printf(” Access Granted.\n”);
printf(“-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”);
● auth_flag initialized to 0 (wrong pwd by default)
● buffer: password_buffer of 16 chars
● input password copied to buffer with strcopy, without length check
printf(“\nAccess Denied.\n”);
int check_auth(char *password) { int auth_flag = 0;
char password_buffer[16];
strcpy(password_buffer, password); if(strcmp(password_buffer,”mypasswd”)==0)
auth_flag = 1; return auth_flag;
# Buffer Overflow Example 1 # Software & System Security: Vulnerabilities & Defenses
● input password copied to buffer with strcopy, without length check
int check_auth(char *password) { int auth_flag = 0;
char password_buffer[16];
strcpy(password_buffer, password); if(strcmp(password_buffer,”mypasswd”)==0)
auth_flag = 1; return auth_flag;
int main(int argc, char *argv[]) {
if(check_auth(argv[1]))
printf(“\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”);
printf(” Access Granted.\n”);
printf(“-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”);
Q: How could a malicious user of this program cause a buffer overflow? How could it help get access granted?
printf(“\nAccess Denied.\n”);
# Buffer Overflow Example 1 # Software & System Security: Vulnerabilities & Defenses
● strcmp compares two strings, returns 0 if equal
○ 0 = false, non-zero = true
○ 0 means buffer value = correct passwd
• auth_flag set to 1
● auth_flag returned to main func
● if(auth_flag):
○ 0 = false, non-zero = true
int check_auth(char *password) { int auth_flag = 0;
char password_buffer[16];
strcpy(password_buffer, password); if(strcmp(password_buffer,”mypasswd”)==0)
auth_flag = 1; return auth_flag;
int main(int argc, char *argv[]) {
if(check_auth(argv[1]))
printf(“\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”);
printf(” Access Granted.\n”);
printf(“-=-=-=-=-=-=-=-=-=-=-=-=-=-
printf(“\nAccess Denied.\n”);
# Buffer Overflow Example 1 # Software & System Security: Vulnerabilities & Defenses
Buffer Overflow example 1 [HTAE]:
Overwrite critical program variables auth_overflow.c:
int check_auth(char *password) { int auth_flag = 0;
char password_buffer[16];
strcpy(password_buffer, password);
if(strcmp(password_buffer,”mypasswd”)==0) auth_flag = 1;
return auth_flag;
int main(int argc, char *argv[]) { if(check_auth(argv[1]))
printf(“\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”); printf(” Access Granted.\n”); printf(“-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”);
Memory Contents after strcpy of password “ABCDEFGHIJKLMNOPQ” = 41H,42H, … 4FH, 50H, 51H
0xbffff7a0 0xbffff7a8 0xbffff7b0 0xbffff7b8 0xbffff7c0 0xbffff7c8 0xbffff7d0
password_buffer
check_auth ret addr *password argument
0x44434241
0x48474645
0x4c4b4a49
0x504f4e4d
0x00000051
0xbffff7c0
0xa0003300
0xb0005300
printf(“\nAccess Denied.\n”);
Buffer allocated for passwords up to 16 chars length: longer passwords overflow into auth_flag local variable
Overflow by 1 byte!
# Buffer Overflow Example 1 # Software & System Security: Vulnerabilities & Defenses
● assumption:
○ auth_flag only becomes non-0 if password
int check_auth(char *password) { int auth_flag = 0;
char password_buffer[16];
strcpy(password_buffer, password); if(strcmp(password_buffer,”mypasswd”)==0)
auth_flag = 1; return auth_flag;
int main(int argc, char *argv[]) {
if(check_auth(argv[1]))
printf(“\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n”);
printf(” Access Granted.\n”);
printf(“-=-=-=-=-=-=-=-=-=-=-=-=-=-
printf(“\nAccess Denied.\n”);
correct, as a result of the strcmp
○ so if non-0,
• must be passwd correct
● but can exploit buffer overflow ○ to make auth_flag be non-0
● input: ABCDEFGHIJKLMNOPQ
○ give password longer than 16
○ Q is written into next space, i.e. auth_flag
# Buffer Overflow Example 2 # Software & System Security: Vulnerabilities & Defenses
What if password_buffer is stored after local vars? buffer overflow cannot overwrite auth_flag variable
Solution: attacker overwrites return address to jump to desired code
auth_overflow2.c:
int check_auth(char *password) {
char password_buffer[16];
int auth_flag[1];
auth_flag[0] = 0; strcpy(password_buffer, password); if(strcmp(password_buffer, “mypasswd”) ==
Memory Contents after strcpy of password
0xbffff7a0 0xbffff7a8 0xbffff7b0 0xbffff7b8 0xbffff7c0 0xbffff7c8 0xbffff7d0
“\x80\x85\x04\x08” x 10
auth_flag password_buffer
check_auth return address
0x00000000
0x08048580
0x08048580
0x08048580
0x08048580
0x08048580
0x08048580
0x08048580
0x08048580
0x08048580
0x08048580
int main(int argc, char *argv[]) { if(check_auth(argv[1])) here: address 0x8048580 {…
auth_flag[0] = 1;
return auth_flag[0];
attacker wants to return exec.
Attacker uses repeated return address to avoid needing to know exact location of check_auth return address relative to buffer start
# Buffer Overflow Example 2 # Software & System Security: Vulnerabilities & Defenses
● disassemble the program using a debugger: get assembly language
check if return value = 0 if = 0, go elsewhere 27 else continue
# Buffer Overflow Example 2 # Software & System Security: Vulnerabilities & Defenses
● disassemble the program using a debugger: get assembly language
if = 0, go elsewhere else continue
# Buffer Overflow Example 2 # Software & System Security: Vulnerabilities & Defenses
● exploit buffer overflow
○ to change return address to where program
goes if passwd correct
● overflow 0x08048580 x(manytimes)
○ password_buffer will overflow into other locations incl return address
○ when function returns, will go to
that location i.e. same as where program goes if passwd correct
auth_flag password_buffer
0x00000000
0x08048580
0x08048580
0x08048580
0x08048580
0x08048580 SFP
0x08048580
check_auth return address
0x08048580
0x08048580
0x08048580
0x08048580
# Buffer Overflow Example 2 # Software & System Security: Vulnerabilities & Defenses
○ red: buffer
○ red: input written into
buffer & nearby region incl return address
Buffer Overflow: Defenses
Software & System Security: Vulnerabilities & Defenses
● Problem:userinputnotchecked ● Solution:
○ checkthatboundsofallocatedmemoryarenotexceeded
● Lessons:
○ Don’ttrustuserinput
○ Defenseprinciple:validateallinputs ○ Don’tuseunsafefunctioncalls
• e.g. gets()/strcpy() in C do not check user input size
Buffer Overflow: Defenses
Software & System Security: Vulnerabilities & Defenses
● Defensesbyoperatingsystems: ○ e.g. address randomization
● Defenses by compilers: ○ e.g. use canaries:
• known values inserted into stack between buffer & other critical data • 1st to be corrupted if buffer overflow (since right after it)
• Run time tests for stack integrity
• verify their integrity prior to function return
• e.g. StackGuard (compiler extension) & ProPolice for gcc compiler
Buffer Overflow: Defenses
Software & System Security: Vulnerabilities & Defenses
Command Injection
Command Injection
Software & System Security: Vulnerabilities & Defenses
○ User input includes extra command
○ Code does not check user input to prevent/remove extra commands
● common types
○ C Format String vulnerabilities
○ OS command injection
○ SQL Injection [later weeks]
○ Cross-Site Scripting (XSS) [later weeks]
# Command Injection Example # Software & System Security: Vulnerabilities & Defenses
int main ()
char command[50];
strcpy(command, “ls -l”);
system(command); return(0);
● systemcodeputintovariablecommand ● system( ) runs a command in the host
Q: Suppose we change the red line in the code to:
strcpy(command, “ls –l; cat file.txt”);
What would happen if we run this program?
● passed to & run in host environment
# Command Injection Example # Software & System Security: Vulnerabilities & Defenses
● Normal usage: check ls
● results in system command: ● time ls
● (reports execution time of ls)
● Malicious exploit: check ls; cat /etc/shadow
Check.c program code:
int main(int argc, char **argv)
char command[256]; …
strcat(command, “time “); strcat(command, argv[1]); system(command);
e.g. Running ‘check ls’ will cause argv[0] = ‘check’, argv[1] = ‘ls’, which means ‘time ls’ will be run at command prompt
● resultsinsystemcommand:
● time ls; cat /etc/shadow
● (reports execution time of ls and then displays
contents of /etc/shadow password file!) ○ appended extra commands via user input!
● [https://www.owasp.org/index.php/Command_Injection]
# Command Injection Example # Software & System Security: Vulnerabilities & Defenses
● The Problem:
○ no input validation, can append any malicious
command via semicolon ;
○ original application still runs, but extra commands
int main(int argc, char **argv)
char command[256]; …
strcat(command, “time “); strcat(command, argv[1]); system(command);
run after it
● gist: program expects to get only data input and data appended to program to be run,
● but extra commands appended within the data field, and all executed one after another via semicolon ;
● extra command will be run with privileges of program owner (e.g. root)
Command Injection: Defenses
Software & System Security: Vulnerabilities & Defenses
● sanitizealluserinputdata
● avoidpassinguser-givenargumentstoOSprograms
● useacommandexecutionAPIthattakesthecommand&argumentsasseparate parameters:
● Command parameters not controlled by user input but by app code
● Argument parameter based on user input: cannot be interpreted by
system as a command!
● Removepotentiallydamagingcharacters
● Whitelist:beexplicitonwhat’spermitted,don’tassume
Integer Range Overflow
# Integer Range Overflow #
Software & System Security: Vulnerabilities & Defenses
● Integervariables:commonlyforarrayindexing&arithmetic ○ e.g. typically on a 32-bit machine in C:
Q: Suppose we have x=216–1=65535 inC code for an unsigned short variable x, and we run the increment code
x = x + 1;
What will be the value of x now?
● unsigned int : 32 bit
● possible values: [0, 232–1]
● unsigned short : 16 bit
● possible values: [0, 216–1]
(hex [0x00000000,0xffffffff]) (hex [0x0000,0xffff])
● int : 32 bit
● range: [–231, 231–1] (hex [0x10000000,0x7fffffff])
● MSBit = sign bit: Negative numbers (–231 <= x < 0) represented as the number x (mod 232)
# Integer Range Overflow #
Software & System Security: Vulnerabilities & Defenses
● int : 32 bit
○ range: [–231, 231–1] (hex [0x10000000,0x7fffffff])
○ MSBit = sign bit: Negative numbers (–231 <= x < 0) represented as the number x (mod 232)
○ e.g. –1 represented as 232-1 = 0xffffffff
○ e.g. for 3 bit numbers:
• +ve: 000, 001, 010, 011 are 0, 1, 2, 3
• –1representedas23–1=8–1=7=111
• –2representedas23–2=8–2=6=110...
• so -4, –3, –2, –1, 0, 1, 2, 3
= 23+(–4), 23+(–3), 23+(–2), 23+(–1), 23+0, 23+1, 23+2, 23+3
# Integer Range Overflow #
Software & System Security: Vulnerabilities & Defenses
● –3, –2, –1, 0, 1, 2, 3
= 23+(–3), 23+(–2), 23+(–1), 23+0, 23+1, 23+2, 23+3
● Integer variables can overflow if one writes a value larger or smaller than the range of possible values for the integer type
● Maliciously-chosen integer overflows can also change program behaviour, and can be exploitable by attackers
# Integer Range Overflow Example # Software & System Security: Vulnerabilities & Defenses
● Whenanarithmeticexpressioninvolvinganintegeroverflowsthemaxforthat type, the result (with most compilers) is reduced modulo (max+1)
○ unsigned short num = 0xffff; // 0xffff = 65535 = max
○ num = num + 2; (addition overflow)
○ printf("num = 0x%x\n", num);
○ Output: num = 0x01 // (65535+2) mod (max+1) = 65537 mod 65536 = 1
○ unsigned short num_mul = 0x4000; // 0x4000 = 65536/4
○ num = num * 4; (multiplication overflow)
○ printf("num = 0x%x\n", num);
○ Output: num = 0x0 // 65536 mod 65536 = 0
# Integer Range Overflow Example # Software & System Security: Vulnerabilities & Defenses
int catvars(char *buf1, char *buf2, unsigned short len1, unsigned short
char mybuf[256]; /* allocate 256 byte buffer mybuf */ if((len1 + len2) > 256) /* overflow check flawed
{ return -1; }
memcpy(mybuf, buf1, len1);
memcpy(mybuf+len1, buf2, len2);
doSomeStuff(mybuf);
/*copy len1 bytes into mybuf*/
/*then copy len2 bytes */
because of len1+len2 sum overflow! */
Honest input (no overflow)
len1+len2 integer overflow
mybuf overflow
Malicious input (overflow) 25
# Integer Range Overflow Example # Software & System Security: Vulnerabilities & Defenses
● How attacker bypasses buffer overflow check using integer overflow: ○ Call catvars() function with attacker supplied length inputs:
• len1=0x000a =10
• len2=0xfffc(=216 –4)=65,532
○ Length sum overflow:
○ len1 + len2 should be (if no overflow) = 216 + 6
○ Due to unsigned int overflow, it becomes(len1 + len2) mod 2^16 = 6
○ Passes the buffer overflow test i.e. ( if((len1 + len2) > 256))
• because (len1 + len2)overflows to (len1 + len2) mod 2^16 = 6 < 256
• Yet len2 > 256 byte mybuf length
• à Second memcpy() call to copy len2 bytes overflows mybuf!
Integer Range Overflow: Defenses
Software & System Security: Vulnerabilities & Defenses
● validateinputs:
程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com