
Software Flaws and Malware I
CS 3IS3
Ryszard Janicki
Department of Computing and Software, McMaster University, Hamilton, Ontario, Canada
Acknowledgments: Material based on Information Security by Mark Stamp (Chapters 11.1-11.2)
Ryszard Janicki
Software Flaws and Malware I 1/34

Why Software?
Why is software as important to security as cryptography, access control, protocols?
Virtually all information security features are implemented in software
If your software is subject to attack, your security can be broken
Regardless of strength of cryptography, access control, or protocols
Software is a poor foundation for security

Bad Software is Ubiquitous
NASA Mars Climate Orbiter (cost $165 million)
  Lost at Mars due to...
  ...an error in converting English and metric units of measure. Believe it or not
Denver airport
  Baggage handling system: very buggy software
  Delayed airport opening by 11 months
  Cost of delay exceeded $1 million/day
MV-22 Osprey
  Advanced military aircraft
  Faulty software can be fatal
There are many other examples...

Software Issues
Alice and Bob
  Find bugs and flaws by accident
  Hate bad software...
  ...but they learn to live with it
  Must make bad software work
Trudy
  Actively looks for bugs and flaws
  Likes bad software...
  ...and tries to make it misbehave
  Attacks systems via bad software

Complexity
"Complexity is the enemy of security", Paul Kocher, Cryptography Research, Inc.

  System               Lines of Code (LOC)
  Netscape             17 million
  Space Shuttle        10 million
  Linux kernel 2.6.0   5 million
  Windows XP           40 million
  Mac OS X 10.4        86 million
  Boeing 777           7 million

A new car contains more lines of code than was required to land the Apollo astronauts on the moon
This is also a wrong culture among current programmers: "the more LOC, the better programmer I am". This culture is also often cultivated by many software companies!

Lines of Code and Bugs
Conservative estimate: 5 bugs per 10,000 LOC
Do the math:
  Typical computer: 3k executables of 100k LOC each
  Conservative estimate: 50 bugs per executable
  Implies about 150k bugs per computer
  So, a 30,000-node network has 4.5 billion bugs
Maybe only 10% of bugs are security-critical, and only 10% of those remotely exploitable
Then "only" 45 million critical security flaws!

Software Security Topics
Basic program flaws (unintentional)
  Buffer overflow
  Incomplete mediation
  Race conditions
Malicious software (intentional)
  Viruses
  Worms
  Other breeds of malware

Program Flaws
An error is a programming mistake. To err is human
An error may lead to an incorrect state: a fault
  A fault is internal to the program
A fault may lead to a failure, where the system departs from its expected behavior
  A failure is externally observable
error -> fault -> failure
Example:
  char array[10];
  int i;
  for (i = 0; i < 10; ++i) array[i] = 'A';
  array[10] = 'B';   /* writes one element past the end of array */
This program has an error
This error might cause a fault: incorrect internal state
If a fault occurs, it might lead to a failure: program behaves incorrectly (externally observable)
We use the term flaw for all of the above

Secure Software
In software engineering, try to ensure that a program does what is intended
Secure software engineering requires that software does what is intended...
...and nothing more
Absolutely secure software? Dream on...
Absolute security anywhere is impossible
How can we manage software risks?

Program Flaws
Program flaws are unintentional
But can still create security risks
We will consider 3 types of flaws
  Buffer overflow (smashing the stack)
  Incomplete mediation
  Race conditions
These are the most common flaws (but there are others)

Buffer Overflow: Attack Scenario
Users enter data into a Web form
Web form is sent to server
Server writes data to array called buffer, without checking length of input data
Data "overflows" buffer
Such overflow might enable an attack
If so, attack could be carried out by anyone with Internet access

Buffer Overflow
  int main(){
    int buffer[10];
    buffer[20] = 37;   /* out of bounds: the array has only 10 elements */
  }
Q: What happens when this code is executed?
A: Depending on what resides in memory at location "buffer[20]"
  Might overwrite user data or code
  Might overwrite system data or code
  Or program could work just fine

Simple Buffer Overflow
Consider Boolean flag for authentication
Buffer overflow could overwrite flag, allowing anyone to authenticate
[Figure: a buffer holding "F O U R S C ..." lies immediately below the Boolean flag (T/F); input that overflows the buffer writes over the flag]
In some cases, Trudy need not be so lucky as in this example

Memory Organization
Text: code
Data: static variables
Heap: dynamic data
Stack: "scratch paper"
  Dynamic local variables
  Parameters to functions
  Return address
[Figure: from low address to high address: text, data, heap (growing upward), free space, stack (growing downward from the high end; the stack pointer SP marks its top)]

Simplified Stack Example
  void func(int a, int b){
    char buffer[10];
  }
  int main(void){
    func(1,2);
    return 0;
  }
[Figure: stack frame of func, low to high address: buffer (SP points here), ret (return address), a, b]

Smashing the Stack I
What happens if buffer overflows?
Program "returns" to wrong location
A crash is likely
[Figure: the overflow runs upward from buffer over ret, which now holds "???"; the function returns to ret... NOT!]

Smashing the Stack II
Trudy has a better idea...
Code injection
Trudy can run code of her choosing...
...on your machine
[Figure: buffer filled with "evil code"; ret overwritten with the address of the evil code, so the function returns into it; a and b above]

Smashing the Stack III
Trudy may not know...
  1. Address of evil code
  2. Location of ret on stack
Trudy's solutions
  1. Precede evil code with NOP ("do nothing" instruction) "landing pad"
  2. Insert ret many times
[Figure: stack from low to high address: NOP, NOP, ..., NOP, evil code, ret, ret, ..., ret; whichever ret copy lands on the real return address points into the NOP sled, which slides into the evil code]

Stack Smashing Summary
A buffer overflow must exist in the code
Not all buffer overflows are exploitable
Things must align properly
If exploitable, attacker can inject code
Trial and error is likely required
Stack smashing is "attack of the decade"...
...for many recent decades
Also heap and integer overflows, format strings, etc.

Stack Smashing Example
Suppose program asks for a serial number that Trudy does not know
Also, Trudy does not have source code
Trudy only has the executable (exe)
Program quits on incorrect serial number

Buffer Overflow Present?
By trial and error (or magic), Trudy discovers apparent buffer overflow
[Figure: crash dialog after feeding the program a long string of "A" characters (screenshot not preserved); the faulting address contains 0x41 bytes]
Note that 0x41 is ASCII for "A"
Looks like ret overwritten by 2 bytes!

Disassemble Code
Next, disassemble bo.exe to find...
[Disassembly listing not preserved]
The goal is to exploit buffer overflow to jump to address 0x401034

Buffer Overflow Attack
Find that, in ASCII, 0x401034 is "@^P4"
Byte order is reversed? What the...
x86 processors are "little-endian"
It happens for some processors, like x86, but not all

Overflow Attack, Take 2
Reverse the byte order to "4^P@" and...
Success! We have bypassed the serial number check by exploiting a buffer overflow
What has just happened?
We overwrote the return address on the stack

Buffer Overflow
Trudy did not require access to the source code
Only tool used was a disassembler to determine the address to jump to
Find desired address by trial and error?
  Necessary if attacker does not have the exe
  For example, a remote attack

Source Code
Source code for buffer overflow example
[Source listing not preserved]
Flaw easily exploited by attacker...
...without access to source code!

Stack Smashing Defenses
Employ non-executable stack
  "No execute" NX bit (where hardware and OS support it)
  Seems like the logical thing to do, but some real code executes on the stack (Java, for example)
Use a canary
  Canaries or canary words are known values placed between a buffer and control data on the stack to detect buffer overflows. When the buffer overflows, the first data to be corrupted will usually be the canary; a failed check of the canary value therefore signals an overflow, which can then be handled, for example by invalidating the corrupted data before the return address is used.
Address space layout randomization (ASLR)
Use safe languages (Java, C#)
Use safer C functions
  For unsafe functions, safer versions exist
  For example, strncpy instead of strcpy

Canary
Run-time stack check
Push canary onto stack
Canary value:
  Constant 0x000aff0d (its bytes are NUL, LF, 0xff and CR, which stop string-copying functions such as strcpy and gets before they can write past the canary)
  Or, may depend on ret
[Figure: stack frame, low to high address: buffer, canary, ret, a, b; an overflow from buffer must pass through the canary before it reaches ret]

Stack Smashing Defenses: ASLR
Randomize the place where code is loaded in memory
Makes most buffer overflow attacks probabilistic
Early Windows ASLR (introduced in Vista) chose among 256 random layouts
  So about a 1/256 chance that a guessed address works
  Modern 64-bit systems randomize with many more bits of entropy
Similar thing in Mac OS X and other OSs
Attacks against Microsoft's ASLR do exist
  Possible to "de-randomize"

Buffer Overflow
A major security threat yesterday, today, and tomorrow
The good news? It is possible to reduce overflow attacks (safe languages, NX bit, ASLR, education, etc.)
The bad news? Buffer overflows will exist for a long time
Why? Legacy code (bad code, not merely old code: very old code is often actually good), bad development practices, clever attacks, etc.

Incomplete Mediation: Input Validation
Consider: strcpy(buffer, argv[1])
A buffer overflow occurs if argv[1], including its terminating NUL, is longer than buffer
Software must validate the input by checking the length of argv[1]
Failure to do so is an example of a more general problem: incomplete mediation
Consider web form data
Suppose input is validated on the client
For example, the following is valid
  http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=205
Suppose input is not checked on the server
  Why bother, since input was checked on the client?
Then the attacker could send the HTTP message
  http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=25

Incomplete Mediation
Linux kernel
  Research revealed many buffer overflows
  Lots of these due to incomplete mediation
Linux kernel is "good" software since
  Open-source
  Kernel: written by coding gurus, but not necessarily believers in formal methods...
Tools exist to help find such problems
  But incomplete mediation errors can be subtle
  And tools are useful for attackers too!

Race Condition
Security processes should be atomic
  Occur "all at once"
Race conditions can arise when a security-critical process occurs in stages
  Attacker makes a change between stages
  Often, after the stage that gives authorization, but before the stage that transfers ownership
Example: Unix mkdir
  mkdir creates a new directory
  How mkdir is supposed to work:
  [Figure: mkdir, 1. Allocate space, 2. Transfer ownership]

mkdir Attack
The mkdir race condition
[Figure: mkdir, 1. Allocate space, 2. Create link to password file (attacker's step, between the two stages), 3. Transfer ownership (now of the password file)]
Not really a "race"
But the attacker's timing is critical

Race Conditions
Race conditions are common, especially for concurrent systems
Race conditions may be more prevalent than buffer overflows
But race conditions are harder to exploit (a few danger cases in medical devices)
Buffer overflow is "low hanging fruit" today
To prevent race conditions, make security-critical processes atomic:
  Occur all at once, not in stages
  Not always easy to accomplish in practice
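Added example (not part of these slides or of Stamp's book): a C program that makes the "Simple Buffer Overflow" slide concrete. The login buffer and the Boolean authentication flag are placed in one struct so that the overflow's effect is deterministic rather than "depends on what resides in memory"; an unchecked strcpy-style copy is emulated in a well-defined way (the copy is clipped at the struct's size, which a real strcpy would not do); and the fixed version performs the explicit length check the defenses slides ask for. The helper at the end encodes the "Overflow Attack" slides' address 0x401034 as x86 little-endian bytes, showing why the payload had to be "4^P@" rather than "@^P4". The struct layout, the password "secret" and the target address are assumptions made for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Login state laid out the way the "Simple Buffer Overflow" slide draws it:
   a fixed-size buffer immediately followed by the authentication flag.
   One struct fixes the layout for the demo (assumption: a real compiler is
   free to reorder separate locals on the stack). */
struct login_state {
    char buffer[8];
    int  authenticated;
};

/* Emulates an unchecked strcpy-style copy into the login state.  The copy
   goes through a char pointer to the whole struct and is clipped at
   sizeof(struct), so the flag corruption is deterministic instead of
   "depends on what is in memory" as on a real stack. */
static void unchecked_copy(struct login_state *s, const char *input)
{
    size_t n = strlen(input) + 1;              /* includes the NUL, like strcpy */
    if (n > sizeof *s) n = sizeof *s;          /* clip for the demo only */
    memcpy((unsigned char *)s, input, n);
}

/* Vulnerable check: the input length is never compared with the buffer. */
int login_vulnerable(const char *attempt)
{
    struct login_state s;
    s.authenticated = 0;
    unchecked_copy(&s, attempt);               /* overflow lands on the flag */
    if (strncmp(s.buffer, "secret", sizeof s.buffer) == 0)
        s.authenticated = 1;
    return s.authenticated;                    /* nonzero means "logged in" */
}

/* Fixed check: refuse anything that does not fit, NUL included, before
   touching the buffer (the explicit length check the defenses slide asks for). */
int login_fixed(const char *attempt)
{
    struct login_state s;
    s.authenticated = 0;
    size_t len = strlen(attempt);
    if (len >= sizeof s.buffer)
        return 0;                              /* too long: reject, do not copy */
    memcpy(s.buffer, attempt, len + 1);
    if (strcmp(s.buffer, "secret") == 0)
        s.authenticated = 1;
    return s.authenticated;
}

/* Little-endian encoding of a 32-bit address, as x86 stores it in memory:
   0x401034 becomes the bytes 34 10 40 00, i.e. "4^P@" and not "@^P4". */
void encode_le32(uint32_t value, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

/* True if `addr` encodes to exactly the 4 bytes at `expected4`. */
int address_on_wire_is(uint32_t addr, const char *expected4)
{
    unsigned char le[4];
    encode_le32(addr, le);
    return memcmp(le, expected4, 4) == 0;
}

int main(void)
{
    unsigned char le[4];
    encode_le32(0x401034u, le);
    printf("vulnerable(\"secret\")  = %d\n", login_vulnerable("secret"));
    printf("vulnerable(12 x 'A')   = %d  (flag clobbered)\n", login_vulnerable("AAAAAAAAAAAA"));
    printf("fixed(12 x 'A')        = %d\n", login_fixed("AAAAAAAAAAAA"));
    printf("0x401034 on the wire   = %02x %02x %02x %02x\n", le[0], le[1], le[2], le[3]);
    return 0;
}
```

With twelve "A"s the vulnerable version returns 0x41414141, a nonzero "logged in" flag, which is exactly the overwritten T/F value on the slide; the fixed version returns 0 without ever copying. The clipping inside unchecked_copy is what keeps the demo inside defined behaviour; drop it and the overflow proceeds up the real stack toward the saved return address, which is the "Smashing the Stack" case.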
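Added example (not from the slides): server-side mediation in C for the order form on the "Incomplete Mediation: Input Validation" slide. The server parses the query string with bounds checks, looks the price up in its own (hypothetical) catalogue instead of trusting the client's price field, recomputes the total and rejects the forged total=25 message. The catalogue, the field names and the quantity limit are assumptions for this example; the two query strings are the constructed query parts of the slide's URLs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Server-side view of an order.  Only the fields the server needs are kept;
   custID and the client-supplied price are deliberately ignored. */
struct order {
    char num[16];
    long qty;
    long shipping;
    long total;      /* what the client claims; never trusted */
};

/* Hypothetical catalogue lookup (assumption for the example): the server's
   own price for an item number, or -1 if the item is unknown. */
static long catalogue_price(const char *num)
{
    if (strcmp(num, "55A") == 0) return 10;
    return -1;
}

/* Strict decimal parse: the whole string must be a non-negative number. */
static int parse_long(const char *s, long *out)
{
    char *end;
    if (*s == '\0' || *s == '-' || *s == '+') return -1;
    *out = strtol(s, &end, 10);
    return (*end == '\0') ? 0 : -1;
}

/* Parse "key=value&key=value..." into the struct with bounds checks.
   Returns 0 on success, -1 if malformed or a required field is missing. */
static int parse_order(const char *query, struct order *o)
{
    char buf[512];
    size_t len = strlen(query);
    if (len >= sizeof buf) return -1;            /* refuse oversized input */
    memcpy(buf, query, len + 1);
    int have_num = 0, have_qty = 0, have_ship = 0, have_total = 0;
    for (char *field = strtok(buf, "&"); field; field = strtok(NULL, "&")) {
        char *eq = strchr(field, '=');
        if (!eq) return -1;
        *eq = '\0';
        const char *key = field, *val = eq + 1;
        if (strcmp(key, "num") == 0) {
            if (strlen(val) >= sizeof o->num) return -1;   /* would overflow num */
            memcpy(o->num, val, strlen(val) + 1);
            have_num = 1;
        } else if (strcmp(key, "qty") == 0) {
            if (parse_long(val, &o->qty)) return -1;
            have_qty = 1;
        } else if (strcmp(key, "shipping") == 0) {
            if (parse_long(val, &o->shipping)) return -1;
            have_ship = 1;
        } else if (strcmp(key, "total") == 0) {
            if (parse_long(val, &o->total)) return -1;
            have_total = 1;
        }
        /* custID, price and unknown keys: accepted syntactically, never used */
    }
    return (have_num && have_qty && have_ship && have_total) ? 0 : -1;
}

/* Complete mediation: recompute the total from server-side data and compare
   it with the client's claim.  Returns 0 if accepted, -1 if the input is
   malformed, -2 if the claimed total does not match.  If server_total is
   non-NULL it receives the server's own figure once it has been computed. */
int validate_order(const char *query, long *server_total)
{
    struct order o;
    if (parse_order(query, &o) != 0) return -1;
    long price = catalogue_price(o.num);
    if (price < 0 || o.qty <= 0 || o.qty > 10000) return -1;   /* sanity limits */
    long expected = o.qty * price + o.shipping;
    if (server_total) *server_total = expected;
    return (expected == o.total) ? 0 : -2;
}

/* The server's recomputed total for a query, or -1 if the order is malformed. */
long recomputed_total(const char *query)
{
    long t = -1;
    int rc = validate_order(query, &t);
    return (rc == -1) ? -1 : t;
}

int main(void)
{
    /* constructed inputs: the query parts of the two URLs on the slide */
    const char *honest = "custID=112&num=55A&qty=20&price=10&shipping=5&total=205";
    const char *forged = "custID=112&num=55A&qty=20&price=10&shipping=5&total=25";
    printf("honest: verdict %d, server total %ld\n", validate_order(honest, NULL), recomputed_total(honest));
    printf("forged: verdict %d, server total %ld\n", validate_order(forged, NULL), recomputed_total(forged));
    return 0;
}
```

The point of the example is that the client-side check is irrelevant to the server's decision: whatever the browser validated, the server derives the price from its own data and the total from its own arithmetic, so the forged message is rejected with the server's figure of 205 in hand.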
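Added example (not from the slides): the "Race Condition" and "mkdir Attack" slides rephrased as a file-writing race in C on a POSIX system. A staged routine first checks that a report path is not a symbolic link and then opens and writes it; the attacker acts between the two stages, replacing the file with a link to a protected file (the slides' "create link to password file"), and the second stage writes through the link. The atomic version folds the check into the open itself with O_NOFOLLOW, so there is no stage boundary to hit. The temporary directory, the file names and the contents are constructed for the demo; the attacker's step is invoked directly in the window rather than won by timing, which is what the slides mean by "not really a race, but timing is critical".

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* mkdtemp, symlink, O_NOFOLLOW on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Paths for one scenario, all inside a fresh temporary directory. */
struct scene { char dir[64]; char report[96]; char target[96]; };

/* Staged write, like the slides' mkdir: stage 1 decides the path is safe
   (not a symlink), stage 2 opens and writes it.  `between` is the gap in
   which the attacker acts; in real code that gap is scheduling luck. */
static int write_report_staged(const char *path, const char *data,
                               void (*between)(struct scene *), struct scene *sc)
{
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode))
        return -1;                                   /* stage 1: the check */
    if (between) between(sc);                        /* the attacker's window */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* stage 2: follows a link */
    if (fd < 0) return -1;
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    close(fd);
    return ok ? 0 : -1;
}

/* Atomic version: the "not a symlink" check is part of the open call itself
   (O_NOFOLLOW), so check and use happen "all at once". */
static int write_report_atomic(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                           /* ELOOP if a link was planted */
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    close(fd);
    return ok ? 0 : -1;
}

/* Attacker's move: swap the report file for a link to the protected file. */
static void plant_link(struct scene *sc)
{
    unlink(sc->report);
    symlink(sc->target, sc->report);
}

/* Sets up a constructed "passwd" file and a report file, runs one write,
   and reports whether passwd was overwritten.  Returns 1 if the attack
   succeeded, 0 if the protected file survived, -1 on setup failure. */
int run_scenario(int atomic)
{
    struct scene sc;
    strcpy(sc.dir, "/tmp/race-demo-XXXXXX");
    if (!mkdtemp(sc.dir)) return -1;
    snprintf(sc.report, sizeof sc.report, "%s/report", sc.dir);
    snprintf(sc.target, sizeof sc.target, "%s/passwd", sc.dir);

    FILE *f = fopen(sc.target, "w");
    if (!f) return -1;
    fputs("root:x:0:0\n", f);                      /* constructed sample content */
    fclose(f);
    f = fopen(sc.report, "w");
    if (!f) return -1;
    fputs("report\n", f);
    fclose(f);

    const char *payload = "attacker:x:0:0\n";
    if (atomic) {
        plant_link(&sc);                            /* attacker even wins the race... */
        write_report_atomic(sc.report, payload);    /* ...and the open still refuses */
    } else {
        write_report_staged(sc.report, payload, plant_link, &sc);
    }

    char line[64] = "";
    f = fopen(sc.target, "r");
    if (f) { if (!fgets(line, sizeof line, f)) line[0] = '\0'; fclose(f); }
    int clobbered = strcmp(line, payload) == 0;

    unlink(sc.report);
    unlink(sc.target);
    rmdir(sc.dir);
    return clobbered;
}

int main(void)
{
    printf("staged write:  protected file overwritten = %d\n", run_scenario(0));
    printf("atomic write:  protected file overwritten = %d\n", run_scenario(1));
    return 0;
}
```

The staged version passes its own check and still clobbers the protected file, because the check and the use are separate operations on a name the attacker controls in between. The atomic version gets the same result from a single system call, which is the slides' prescription: make the security-critical step occur all at once, not in stages.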