Software Flaws and Malware I
CS 3IS3
Ryszard Janicki
Department of Computing and Software, McMaster University, Hamilton, Ontario, Canada
Acknowledgments: Material based on Information Security by Mark Stamp (Chapters 11.1-11.2)
Ryszard Janicki
Software Flaws and Malware I 1/34
Why Software?
Why is software as important to security as cryptography, access control, protocols?
Virtually all information security features are implemented in software
If your software is subject to attack, your security can be broken
Regardless of strength of cryptography, access control, or protocols
Software is a poor foundation for security
Bad Software is Ubiquitous
NASA Mars Lander (cost $165 million)
  Crashed into Mars due to. . .
  . . . error in converting English and metric units of measure
  Believe it or not
Denver airport
  Baggage handling system – very buggy software
  Delayed airport opening by 11 months
  Cost of delay exceeded $1 million/day
MV-22 Osprey
  Advanced military aircraft
  Faulty software can be fatal
There are many other examples…
Software Issues
Alice and Bob
Find bugs and flaws by accident
Hate bad software. . .
…but they learn to live with it
Must make bad software work
Trudy
Actively looks for bugs and flaws
Likes bad software. . .
…and tries to make it misbehave
Attacks systems via bad software
Complexity
“Complexity is the enemy of security”, Paul Kocher, Cryptography Research, Inc.
System               Lines of Code (LOC)
Netscape             17 million
Space Shuttle        10 million
Linux kernel 2.6.0    5 million
Windows XP           40 million
Mac OS X 10.4        86 million
Boeing 777            7 million
A new car contains more lines of code (LOC) than was required to land the Apollo astronauts on the moon.
This is also a wrong culture of current programmers: “the more LOC, the better programmer I am”. This culture is also often cultivated by many software companies!
Lines of Code and Bugs
Conservative estimate: 5 bugs/10,000 LOC
Do the math:
  Typical computer: 3k exe’s of 100k LOC each
  Conservative estimate: 50 bugs/exe
  Implies about 150k bugs per computer
  So, 30,000-node network has 4.5 billion bugs
Maybe only 10% of bugs security-critical and only 10% of those remotely exploitable
Then “only” 45 million critical security flaws!
Software Security Topics
Basic Program Flaws (unintentional)
  Buffer overflow
  Incomplete mediation
  Race conditions
Malicious Software (intentional)
  Viruses
  Worms
  Other breeds of malware
Program Flaws
An error is a programming mistake. To err is human
An error may lead to incorrect state: fault
  A fault is internal to the program
A fault may lead to a failure, where a system departs from its expected behavior
  A failure is externally observable
error → fault → failure
Example:
  int i;
  char array[10];
  for(i = 0; i < 10; ++i)
      array[i] = 'A';
  array[10] = 'B';
This program has an error
This error might cause a fault
  Incorrect internal state
If a fault occurs, it might lead to a failure
  Program behaves incorrectly (external)
We use the term flaw for all of the above
Secure Software
In software engineering, try to ensure that a program does what is intended
Secure software engineering requires that software does what is intended. . .
. . . and nothing more
Absolutely secure software? Dream on. . .
Absolute security anywhere is impossible
How can we manage software risks?
Program Flaws
Program flaws are unintentional
But can still create security risks
We will consider 3 types of flaws
  Buffer overflow (smashing the stack)
  Incomplete mediation
  Race conditions
These are the most common flaws (but there are others. . .)
Buffer Overflow: Attack Scenario
Users enter data into a Web form
Web form is sent to server
Server writes data to array called buffer, without checking length of input data
Data “overflows” buffer
Such overflow might enable an attack
If so, attack could be carried out by anyone with Internet access
Buffer Overflow
Buffer overflow:
  int main(){
      int buffer[10];
      buffer[20] = 37;
  }
Q: What happens when code is executed?
A: Depending on what resides in memory at location “buffer[20]”
  Might overwrite user data or code
  Might overwrite system data or code
  Or program could work just fine
Simple Buffer Overflow
Consider Boolean flag for authentication
Buffer overflow could overwrite flag allowing anyone to authenticate
  buffer                 Boolean flag
  F O U R S C ... T  ->  F (overwritten by the T that runs past the buffer)
In some cases, Trudy need not be so lucky as in this example
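The adjacent-flag layout on this slide, modelled in C as an added example (not the slides' own code): a 10-byte buffer followed in memory by a one-byte authentication flag, an unchecked copy that runs into the flag, and the length check that refuses over-long input before anything is written. The struct and function names are this example's own, and the frame is a plain object so that every write stays inside a defined region.

```c
/* Added example (not from the slides): a 10-byte input buffer followed in
 * memory by a one-byte authentication flag, modelled as a plain struct so the
 * effect of an unchecked copy is visible without undefined behaviour.
 * frame_t, unchecked_login and checked_login are this example's own names. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10

typedef struct {
    char buffer[BUF_LEN];   /* user-supplied data lands here                 */
    char authenticated;     /* 'T' = authenticated, 'F' = not; sits right after */
} frame_t;

/* Vulnerable pattern: copies every input byte, never comparing the length
 * against BUF_LEN, so the 11th byte lands on the flag. The copy is capped at
 * sizeof(frame_t) only to keep the model inside the struct. Returns the flag. */
static char unchecked_login(const char *input)
{
    frame_t f;
    size_t n = strlen(input);
    if (n > sizeof f) n = sizeof f;
    f.authenticated = 'F';                    /* not authenticated yet */
    memcpy((unsigned char *)&f, input, n);    /* no check against BUF_LEN */
    return f.authenticated;
}

/* Mitigated pattern: validate the length first and fail closed on over-long
 * input. Returns 'R' (rejected) or the untouched flag 'F'. */
static char checked_login(const char *input)
{
    frame_t f;
    size_t n = strlen(input);
    f.authenticated = 'F';
    if (n > BUF_LEN)
        return 'R';                           /* input too long: refuse it */
    memcpy(f.buffer, input, n);
    return f.authenticated;
}

int main(void)
{
    /* Constructed inputs: 9 bytes fits; 11 bytes runs one byte past the buffer. */
    printf("unchecked, 9 bytes : flag = %c\n", unchecked_login("FOURSCORE"));
    printf("unchecked, 11 bytes: flag = %c\n", unchecked_login("0123456789T"));
    printf("checked,   11 bytes: flag = %c\n", checked_login("0123456789T"));
    return 0;
}
```

Compile with `cc -Wall` and run: the unchecked path reports `T` for the 11-byte input without any password check having succeeded, while the checked path reports `R`. The mitigation is the check, not the buffer size; a larger buffer only moves the boundary.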
Memory Organization
Text - code
Data - static variables
Heap - dynamic data
Stack - “scratch paper”
  Dynamic local variables
  Parameters to functions
  Return address
Layout (addresses increase downward):
  low address
  text
  data
  heap
  stack   <- stack pointer (SP)
  high address
Simplified Stack Example
  void func(int a, int b){
      char buffer[10];
  }
  int main(){
      func(1,2);
      return 0;
  }
Stack during func (low address at top, high address at bottom):
  :
  buffer   <- SP
  ret      (return address)
  a
  b
  :
Smashing the Stack I
What happens if buffer overflows?
Program “returns” to wrong location
A crash is likely
Stack after the overflow (low address at top, high address at bottom):
  :
  buffer   <- SP
  ret      ... NOT! (overwritten by overflow)
  a        (overwritten by overflow)
  b
  :
Smashing the Stack II
Trudy has a better idea. . .
Code injection
Trudy can run code of her choosing. . .
. . . on your machine
Stack after the overflow (low address at top, high address at bottom):
  :
  evil code   <- SP
  ret         (overwritten to point back at evil code)
  a
  b
  :
Smashing the Stack III
Trudy may not know. . .
  1 Address of evil code
  2 Location of ret on stack
Trudy’s solutions
  1 Precede evil code with NOP (‘do nothing’ instruction) “landing pad”
  2 Insert ret many times
Stack after the overflow:
  :
  NOP
  :
  NOP
  evil code
  ret
  ret
  :
  ret
  :
Stack Smashing Summary
A buffer overflow must exist in the code
Not all buffer overflows are exploitable
  Things must align properly
If exploitable, attacker can inject code
  Trial and error is likely required
Stack smashing is “attack of the decade”. . .
. . . for many recent decades
Also heap and integer overflows, format strings, etc.
Stack Smashing Example
Suppose program asks for a serial number that Trudy does not know
Also, Trudy does not have source code
Trudy only has the executable (exe)
Program quits on incorrect serial number
Buffer Overflow Present?
By trial and error (or magic), Trudy discovers apparent buffer overflow
Note that 0x41 is ASCII for “A”
Looks like ret overwritten by 2 bytes!
Disassemble Code
Next, disassemble bo.exe to find
The goal is to exploit buffer overflow to jump to address 0x401034
Buffer Overflow Attack
Find that, in ASCII, 0x401034 is “@^P4”
Byte order is reversed? What the . . .
X86 processors are “little-endian”
It happens for some processors, like X86, but not all
Overflow Attack, Take 2
Reverse the byte order to “4^P@” and. . .
Success! We have bypassed serial number check by exploiting a buffer overflow
What has just happened?
  We overwrote return address on the stack
Buffer Overflow
Trudy did not require access to the source code
Only tool used was a disassembler to determine address to jump to
Find desired address by trial and error?
  Necessary if attacker does not have exe
  For example, a remote attack
Source Code
Source code for buffer overflow example
Flaw easily exploited by attacker. . .
. . . without access to source code!
Stack Smashing Defenses
Employ non-executable stack
  “No execute” NX bit (if available, often impossible)
  Seems like the logical thing to do, but some real code executes on the stack (Java, for example)
Use a canary
  Canaries or canary words are known values that are placed between a buffer and control data on the stack to monitor buffer overflows. When the buffer overflows, the first data to be corrupted will usually be the canary, and a failed verification of the canary data will therefore alert of an overflow, which can then be handled, for example, by invalidating the corrupted data.
Address space layout randomization (ASLR)
Use safe languages (Java, C#)
Use safer C functions
  For unsafe functions, safer versions exist
  For example, strncpy instead of strcpy
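The “safer C functions” point in practice, as an added example (not the slides' code): strncpy bounds the copy, but it does not write a terminator when the source fills the whole destination, so the result may not be a C string at all. The second routine shows the usual fix: copy at most one byte less than the destination, write the terminator explicitly, and report truncation. All function names here are this example's own.

```c
/* Added example (not the slides' code): strncpy as the bounded replacement for
 * strcpy, with its termination caveat, beside a copy routine that always
 * terminates. DST_LEN and every function name are this example's own. */
#include <stdio.h>
#include <string.h>

#define DST_LEN 8

/* strncpy as it is often (mis)used: at most DST_LEN bytes are written, but if
 * strlen(src) >= DST_LEN no NUL is written. Returns 1 if dst ended up
 * NUL-terminated within DST_LEN bytes, 0 if it was left unterminated. */
static int naive_is_terminated(const char *src)
{
    char dst[DST_LEN];
    strncpy(dst, src, DST_LEN);
    return memchr(dst, '\0', DST_LEN) != NULL;
}

/* Bounded copy that always terminates: copy at most dstlen-1 bytes and write
 * the terminator ourselves. Returns 1 if src had to be truncated, else 0, so
 * the caller can reject over-long input instead of silently shortening it. */
static int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t len = strlen(src);
    size_t n = len < dstlen - 1 ? len : dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len > n;
}

/* Helpers that run bounded_copy into a DST_LEN buffer and report on it. */
static int bounded_truncated(const char *src)
{
    char dst[DST_LEN];
    return bounded_copy(dst, sizeof dst, src);
}

static size_t bounded_result_len(const char *src)
{
    char dst[DST_LEN];
    bounded_copy(dst, sizeof dst, src);
    return strlen(dst);   /* safe: bounded_copy always terminated dst */
}

int main(void)
{
    /* Constructed inputs: one shorter than DST_LEN, one exactly DST_LEN long. */
    printf("strncpy \"short\"    terminated: %d\n", naive_is_terminated("short"));
    printf("strncpy \"12345678\" terminated: %d\n", naive_is_terminated("12345678"));
    printf("bounded \"12345678\" truncated: %d, length %zu\n",
           bounded_truncated("12345678"), bounded_result_len("12345678"));
    return 0;
}
```

`snprintf(dst, sizeof dst, "%s", src)` gives the same always-terminated, truncating behaviour as `bounded_copy` on any C99 system; whichever you use, the truncation flag matters, because silently cutting an input short is itself a correctness bug in code that later compares or logs the value.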
Canary
Run-time stack check
Push canary onto stack
Canary value:
  Constant 0x000aff0d
  Or, may depend on ret
Stack with a canary (low address at top, high address at bottom):
  :
  buffer
  canary   (overwritten by overflow)
  ret      (overwritten by overflow)
  a
  b
  :
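The canary check on this slide, modelled in C as an added example (not the slides' code): a canary word sits between the local buffer and the saved return address, the function prologue pushes it, and the epilogue verifies it before the return address is used. The frame is a plain struct so the over-long copy can be shown without touching the real stack. The constant 0x000aff0d and the address 0x401034 are the values quoted on the slides; frame_t, fill_unchecked, canary_ok and returns_safely are this example's own names.

```c
/* Added example (not the slides' code): the canary check modelled on a
 * struct that stands in for a stack frame. The constant 0x000aff0d and the
 * address 0x401034 come from the slides; all names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8
#define CANARY  0x000aff0dU

typedef struct {
    char     buffer[BUF_LEN];  /* local array an overflow runs past        */
    uint32_t canary;           /* placed between buffer and control data   */
    uint32_t ret;              /* model of the saved return address        */
} frame_t;

/* Prologue: push the canary (and the return address) onto the "stack". */
static void frame_init(frame_t *f, uint32_t ret)
{
    memset(f->buffer, 0, sizeof f->buffer);
    f->canary = CANARY;
    f->ret = ret;
}

/* Unchecked copy into the buffer: bytes beyond BUF_LEN land on the canary and
 * then on ret. The copy is capped at the struct size only to keep the model
 * well-defined; a real overflow has no such cap. */
static void fill_unchecked(frame_t *f, const char *input)
{
    size_t n = strlen(input);
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, input, n);
}

/* Epilogue check: 1 if the canary is intact and ret may be trusted, 0 if the
 * canary was clobbered, in which case the program should abort, not return. */
static int canary_ok(const frame_t *f)
{
    return f->canary == CANARY;
}

/* Runs one input through a fresh frame and reports the epilogue verdict. */
static int returns_safely(const char *input)
{
    frame_t f;
    frame_init(&f, 0x401034u);
    fill_unchecked(&f, input);
    return canary_ok(&f);
}

int main(void)
{
    /* Constructed inputs: one that fits, one that runs 4 bytes into the canary. */
    printf("\"hello\"  -> %s\n",
           returns_safely("hello") ? "canary intact" : "overflow detected");
    printf("12 x 'A' -> %s\n",
           returns_safely("AAAAAAAAAAAA") ? "canary intact" : "overflow detected");
    return 0;
}
```

The constant on the slide is not arbitrary: its bytes are 0x00, 0x0a, 0xff and 0x0d, the characters that terminate strcpy-, gets- and scanf-style copies, so a string-based overflow cannot write the canary back intact. A canary that depends on ret, or a per-process random one, protects against an attacker who knows the constant.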
Stack Smashing Defenses
Address Space Layout Randomization (ASLR)
Randomize place where code loaded in memory
Makes most buffer overflow attacks probabilistic
Windows 10 uses 256 random layouts
So about 1/256 chance buffer overflow works
Similar thing in MacOS X and other OSs
Attacks against Microsoft’s ASLR do exist
  Possible to “de-randomize”
Buffer Overflow
A major security threat yesterday, today, and tomorrow
The good news?
It is possible to reduce overflow attacks (safe languages, NX bit, ASLR, education, etc.)
The bad news?
Buffer overflows will exist for a long time
Why? Legacy code (bad but not good! Very old is actually good!), bad development practices, clever attacks, etc.
Incomplete Mediation - Input Validation
Consider: strcpy(buffer, argv[1])
A buffer overflow occurs if len(buffer) < len(argv[1])
Software must validate the input by checking the length of argv[1]
Failure to do so is an example of a more general problem: incomplete mediation
Consider web form data
Suppose input is validated on client
For example, the following is valid
  http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=205
Suppose input is not checked on server
  Why bother since input checked on client?
Then attacker could send http message
  http://www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=25
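Complete mediation for the order form above, as an added example (not the slides' code): the server treats every client-supplied field as untrusted, parses the query string itself, insists that numeric fields contain digits only, and recomputes the total instead of believing the one the client sent. The field names follow the URL on the slide; query_get, parse_uint and validate_order are this example's own names.

```c
/* Added example (not the slides' code): server-side re-validation of the
 * order query string. Field names follow the slide's URL; function names are
 * this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find key in "k=v&k=v..." and copy its value into out (NUL-terminated).
 * Returns 1 if found and it fits, 0 otherwise (missing or over-long value). */
static int query_get(const char *query, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            if (vlen >= outlen) return 0;     /* too long for the caller's buffer */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Strict parse of a non-negative integer: 1 to 9 ASCII digits and nothing
 * else. The digit cap keeps qty * price far below LLONG_MAX. */
static int parse_uint(const char *s, long long *val)
{
    const char *q;
    if (*s == '\0' || strlen(s) > 9) return 0;
    for (q = s; *q; q++)
        if (*q < '0' || *q > '9') return 0;
    *val = strtoll(s, NULL, 10);
    return 1;
}

/* Returns the server-computed total if qty, price, shipping and total are all
 * present, well-formed and mutually consistent; returns -1 otherwise, which
 * the caller treats as "reject the order". */
static long long validate_order(const char *query)
{
    char buf[32];
    long long qty, price, shipping, total, expected;
    if (!query_get(query, "qty", buf, sizeof buf)      || !parse_uint(buf, &qty))      return -1;
    if (!query_get(query, "price", buf, sizeof buf)    || !parse_uint(buf, &price))    return -1;
    if (!query_get(query, "shipping", buf, sizeof buf) || !parse_uint(buf, &shipping)) return -1;
    if (!query_get(query, "total", buf, sizeof buf)    || !parse_uint(buf, &total))    return -1;
    expected = qty * price + shipping;        /* the server's own arithmetic */
    return expected == total ? expected : -1;
}

int main(void)
{
    /* Constructed inputs: the parameter part of the two URLs on the slide. */
    const char *honest = "custID=112&num=55A&qty=20&price=10&shipping=5&total=205";
    const char *forged = "custID=112&num=55A&qty=20&price=10&shipping=5&total=25";
    printf("honest order -> %lld\n", validate_order(honest));   /* 205 */
    printf("forged order -> %lld\n", validate_order(forged));   /* -1  */
    return 0;
}
```

The client-side check is still useful for user feedback, but it mediates nothing: anything the browser computed (here, `total`) is just another untrusted byte string by the time it reaches the server, so the server must recompute it from data it trusts.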
Incomplete Mediation
Linux kernel
Research revealed many buffer overflows
Lots of these due to incomplete mediation
Linux kernel is “good” software since
  Open-source
  Kernel - written by coding gurus, but not necessarily believers in formal methods. . .
Tools exist to help find such problems
But incomplete mediation errors can be subtle
And tools useful for attackers too!
Race Condition
Security processes should be atomic
  Occur “all at once”
Race conditions can arise when security-critical process occurs in stages
Attacker makes change between stages
  Often, between stage that gives authorization, but before stage that transfers ownership
Example: Unix mkdir
mkdir creates new directory
How mkdir is supposed to work:
  mkdir
  1. Allocate space
  2. Transfer ownership
mkdir Attack
The mkdir race condition:
  mkdir
  1. Allocate space
  2. Create link to password file (attacker’s change, between the stages)
  3. Transfer ownership
Not really a “race”
  But attacker’s timing is critical
Race Conditions
Race conditions are common, especially for concurrent systems
Race conditions may be more prevalent than buffer overflows
But race conditions harder to exploit (a few danger cases in medical devices)
Buffer overflow is “low hanging fruit” today
To prevent race conditions, make security-critical processes atomic:
  Occur all at once, not in stages
Not always easy to accomplish in practice
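The “make it atomic” advice applied to the mkdir situation from the previous slides, as an added example (not the slides' code) for a POSIX system, Linux assumed. The staged routine checks a path, creates it, then restricts permissions by path, leaving a window between every pair of stages in which another process can substitute an object under the same name; the atomic routine lets a single mkdir() do the check-and-create with the final mode, then verifies the result through a descriptor it opened itself rather than through the path. All function names are this example's own.

```c
/* Added example (not the slides' code): staged vs. atomic creation of a
 * directory that only the current user may use. POSIX/Linux assumed; all
 * function names are this example's own. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Staged (racy) pattern: check by path, create, restrict by path. Anything
 * that happens between two stages (the "change between stages" on the slide)
 * can make the final chmod apply to an object the caller did not create. */
static int create_private_dir_staged(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0) return -1;   /* stage 1: "does it exist?"        */
    if (mkdir(path, 0777) != 0) return -1; /* stage 2: create                  */
    if (chmod(path, 0700) != 0) return -1; /* stage 3: restrict (by path again) */
    return 0;
}

/* Atomic pattern: mkdir() fails with EEXIST if the name is already taken and
 * applies the restrictive mode in the same call. The directory is then checked
 * through a descriptor, so later work can use openat(fd, ...) instead of the
 * path and no second name lookup is trusted. */
static int create_private_dir_atomic(const char *path)
{
    struct stat st;
    int flags = O_RDONLY, fd;
#ifdef O_DIRECTORY
    flags |= O_DIRECTORY;   /* refuse anything that is not a directory      */
#endif
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;    /* refuse a symlink swapped in under the name   */
#endif
    if (mkdir(path, 0700) != 0) return -1; /* single check-and-create step    */
    fd = open(path, flags);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 0077) != 0) {
        close(fd);
        return -1;
    }
    close(fd);   /* real code keeps fd and does its work via openat() on it */
    return 0;
}

/* Demonstrates the atomic property: a second mkdir() of the same name must
 * fail with EEXIST. Uses a unique name under "." (or /tmp) and cleans up.
 * Returns 1 on success, 0 if no writable location could be found. */
static int demo_atomic_create(void)
{
    const char *bases[] = { ".", "/tmp" };
    char path[96];
    int i, first = -1, second, err;
    for (i = 0; i < 2 && first != 0; i++) {
        snprintf(path, sizeof path, "%s/private_dir_example_%ld",
                 bases[i], (long)getpid());
        first = create_private_dir_atomic(path);
    }
    if (first != 0) return 0;
    second = create_private_dir_atomic(path);  /* same name: must be refused */
    err = errno;
    rmdir(path);
    return second == -1 && err == EEXIST;
}

int main(void)
{
    printf("atomic create demo: %s\n", demo_atomic_create() ? "ok" : "no writable dir");
    printf("staged create of ./staged_example: %d\n",
           create_private_dir_staged("./staged_example"));
    rmdir("./staged_example");
    return 0;
}
```

The same principle covers files: open(path, O_CREAT | O_EXCL) replaces “check that it does not exist, then create”, and fstat() or fchmod() on the resulting descriptor replaces a second operation by path. Whenever a privileged step must follow a check, make the check and the step one system call, or bind the step to the object the check examined.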