CIT 380: Securing Computer Systems
Software Security
Topics
• Why Software?
• Vulnerability Databases
• Buffer Overflows
• Integer Overflows
• Attack Techniques
• Metasploit
The Problem is Software
“Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.”
John Viega & Gary McGraw
Why is Software Security poor?
• Security is seen as something that gets in the way of software functionality.
• Security is difficult to assess and quantify.
• Security is often not a primary skill or interest of software developers.
• Time spent on security is time not spent on adding new and interesting functionality.
The Trinity of Trouble
• Complexity
    • Continually increasing.
    • Windows 3.1 (3 MLOC) to Windows XP (40 MLOC).
• Extensibility
    • Plugins.
    • Mobile code.
• Connectivity
    • Network access.
    • Wireless networking.
Software Complexity
5-50 bugs per KLOC [8]
• 5/KLOC: rigorous quality assurance (QA) testing.
• 50/KLOC: typical feature testing.
Vulnerabilities
• Vulnerability: A defect in software that allows security policy to be violated.
    • Confidentiality
    • Integrity
    • Availability
• Exploit: A program that exercises a vulnerability.
Vulnerability Databases
• Collect vulnerability reports.
• Vendors maintain databases with patches for their own software.
• Security firms maintain databases of vulnerabilities that they’ve discovered.
• Well known vulnerability databases:
    • CERT
    • CVE
    • NVD
    • OSVDB
Why Vulnerability Databases?
• Know about vulnerabilities in software that you have deployed so you can mitigate them.
• Learn about vulnerability trends. If a JPG library bug is discovered, does the same type of bug exist in GIF or PNG libraries?
• Learn about security problems to prevent when you’re programming.
CVE: Common Vulnerabilities and Exposures
• Problem: Different researchers and vendors call vulnerabilities by different names.
• Solution: CVE, a dictionary that provides
    • A common public name for each vulnerability.
    • A common standardized description.
• Allows different tools / databases to interoperate.
CVE-2002-1185
Name: CVE-2002-1185
Status: Entry
Description: Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure."
References
• VULNWATCH:20021211 PNG Deflate Heap Corruption Vulnerability
• BUGTRAQ:20021212 PNG Deflate Heap Corruption Vulnerability
• EEYE:AD20021211
• MS:MS02-066
• XF:ie-png-bo(10662)
• BID:6216
• OVAL:oval:org.mitre.oval:def:393
NVD: National Vulnerability DB
Collects all publicly available government vulnerability resources.
• HTML and XML output at http://nvd.nist.gov/
• Uses CVE naming scheme.
• Links to industry and govt reports.
• Provides CVSS severity numbers.
• Links to OVAL repository.
Buffer Overflows
A program accepts too much input and stores it in a fixed length buffer that’s too small.
    char A[8];
    short B;
    gets(A);
The Stack
• Stack is LIFO.
• Every function call allocates a stack frame.
• Return address is the address where the function was called from and will return to.
[Stack frame diagram: Function Arguments | Return Address | Buffer 1 (Local Variable 1) | Buffer 2 (Local Variable 2); writes go up]
Smashing the Stack
• Program accepts input into local variable 1.
• Attacker sends too much data for buffer, overwriting the return address.
• Attacker data contains machine code for shell.
• Return address overwritten with address of machine code.
• When function returns, attacker’s code is executed.
[Stack frame diagram: Function Arguments | Pointer to machine code | Machine code exec(/bin/bash) | Buffer 2 (Local Variable 2); writes go up]
NOP Slide
• Attacker includes NOPs in front of executable code in case address isn’t precise.
• If pointer points at NOPs, execution will continue to machine code.
• IDS attempt to detect buffer overflows by looking for long strings of NOPs (0x90).
[Stack frame diagram: Function Arguments | Pointer to machine code | NOP NOP NOP | Machine code exec(/bin/bash) | Buffer 2 (Local Variable 2); writes go up]
Integer Overflow
An integer overflow is when integer operations produce a value that exceeds the computer’s maximum integer value, causing the value to “wrap around” to a negative value or zero.
32-bit Integer Quiz
1. What two non-zero integers x and y satisfy the equation x * y = 0?
2. What negative integer (-x) has no corresponding positive integer (x)?
3. List two integers x and y, such that x + y < 0.
Quiz Answers
1. 65536 * 65536 = 0, or 256 * 16777256 = 0, or any x * y = 2^32
2. -2147483648
3. 2147483647 + 1 = -2147483648
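The three quiz answers in running C, plus the case where an overflowed size computation turns into a heap overflow. This is an added example, not code from the slides; it assumes 32-bit int and the fixed-width types from <stdint.h>, and the function names are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Quiz answer 1: uint32_t arithmetic is defined to wrap modulo 2^32,
 * so 65536 * 65536 comes out as 0. */
uint32_t wrap_mul_u32(uint32_t x, uint32_t y) { return x * y; }

/* Quiz answer 3: 2147483647 + 1 would wrap. Compute in 64 bits and
 * range-check instead of letting the signed add overflow. */
bool checked_add_i32(int32_t a, int32_t b, int32_t *out) {
    int64_t r = (int64_t)a + (int64_t)b;
    if (r > INT32_MAX || r < INT32_MIN) return false;
    *out = (int32_t)r;
    return true;
}

/* Quiz answer 2: -(-2147483648) does not fit in int32_t. */
bool checked_neg_i32(int32_t a, int32_t *out) {
    if (a == INT32_MIN) return false;
    *out = -a;
    return true;
}

/* Where overflow becomes memory corruption: count * elem_size wraps to a
 * small number, malloc returns a tiny block, and the element loop that
 * follows overflows it. Reject sizes that do not fit the 32-bit size
 * limit the quiz assumes (and a zero-byte request). */
void *alloc_array_checked(uint32_t count, uint32_t elem_size) {
    uint64_t bytes = (uint64_t)count * (uint64_t)elem_size;
    if (bytes == 0 || bytes > UINT32_MAX) return NULL;
    return malloc((size_t)bytes);
}

int main(void) {
    int32_t r;
    printf("65536 * 65536 (uint32) = %u\n", wrap_mul_u32(65536u, 65536u));
    printf("INT32_MAX + 1 fits? %s\n", checked_add_i32(INT32_MAX, 1, &r) ? "yes" : "no");
    printf("-INT32_MIN fits? %s\n", checked_neg_i32(INT32_MIN, &r) ? "yes" : "no");
    printf("alloc 65536 x 65536 bytes: %s\n",
           alloc_array_checked(65536u, 65536u) ? "ok" : "rejected");
    return 0;
}
```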
Are Integer Overflows Important?
Broward County November 2004 election
• Amendment 4 vote was reported as tied.
• Software from ES&S Systems reported a large negative number of votes.
• Discovery revealed that Amendment 4 had passed by a margin of over 60,000 votes.
Fuzz Testing
Black-box, input-based testing technique.
• Uses random data.
• Easily automated.
• If the application crashes or hangs, it fails.
Results of a 1995 study [9]:
• 15-43% of utilities from commercial UNIX systems failed.
• 9% of Linux utilities failed.
• 6% of GNU utilities failed.
• 50% of X-Windows utilities failed.
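One block serving both the buffer overflow slides (char A[8]; gets(A)) and the fuzz testing slide: the slide's unbounded read beside a bounded one, and a small in-process fuzz loop that feeds random inputs and uses a canary byte after the buffer as the failure oracle. Added example, not code from the slides; the function names are the example's own and the fuzz inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* The slide's defect, kept only for contrast: strcpy(), like gets(), has no
 * idea A holds 8 bytes, so the 9th input byte lands on whatever follows A. */
void unsafe_read(const char *input) {
    char A[8];
    strcpy(A, input);
}

/* Hardened form: the destination size travels with the pointer, the result
 * is always NUL-terminated, and over-long input is rejected, not written. */
bool bounded_read(const char *input, char *dst, size_t dstsz) {
    size_t n = strlen(input);
    if (dstsz == 0) return false;
    if (n >= dstsz) {               /* needs n+1 bytes including the NUL */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, input, n + 1);
    return true;
}

/* Constructed in-process fuzz loop: random-length random inputs, with a
 * canary byte placed directly after the 8-byte buffer. A clobbered canary,
 * an unterminated buffer or a wrong accept/reject decision counts as a
 * failure: the slide's "crash or hang means fail" oracle, checked in memory. */
unsigned fuzz_bounded_read(unsigned iterations, unsigned seed) {
    unsigned failures = 0;
    srand(seed);
    for (unsigned i = 0; i < iterations; i++) {
        char input[64];
        size_t len = (size_t)(rand() % 63);
        for (size_t j = 0; j < len; j++) input[j] = (char)('A' + rand() % 26);
        input[len] = '\0';

        struct { char A[8]; unsigned char canary; } frame = { {0}, 0xA5 };
        bool ok = bounded_read(input, frame.A, sizeof frame.A);
        bool terminated = memchr(frame.A, '\0', sizeof frame.A) != NULL;
        if (frame.canary != 0xA5 || !terminated || ok != (len < 8)) failures++;
    }
    return failures;
}
```

Run the same loop against unsafe_read with a canary and the failure count is no longer zero; that difference is what a fuzzer reports.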
Metasploit
Modular exploit system
• Exploit collection: over 100 exploits.
• Payloads: machine code to run.
• Command line and web interfaces.
Payloads
• Bind shell: opens shell backdoor on port.
• Reverse shell: send shell back to attacker.
• Windows VNC: remote desktop access.
• Create user: add new administrative user.
Metasploit
• http://www.metasploit.com/
Using Metasploit
• Select an exploit
    use exploit_name
• Enter the target
    set RHOST ip_address_of_target
• Select the payload
    set payload payload_name
    set LHOST ip_address_of_your_host
• Run
    exploit
Advantages of Metasploit
• Ease of use
    • One interface to many exploits.
• Flexibility
    • Can choose whatever payload you need.
• Faster development time
    • Payloads already written.
• Reliability
    • Framework and payloads are well tested.
Uses of Metasploit
• Vulnerability verification
    • Scanners report possible vulnerabilities.
    • Metasploit will give you remote access.
• IDS/IPS testing
    • Test IDS/IPS with real exploit code.
• Penetration testing
    • Easy to develop custom exploits for pen testing.
• Convincing management
    • Remote access is more convincing than a report.
References
• Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
• Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.
• Mark Graff and Kenneth van Wyk, Secure Coding: Principles & Practices, O’Reilly, 2003.
• Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison-Wesley, 2004.
• Michael Howard, David LeBlanc, and John Viega, 19 Deadly Sins of Software Security, McGraw-Hill Osborne, 2005.
• Michael Howard and David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003.
• Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006.
• Gary McGraw, Software Security, Addison-Wesley, 2006.
• John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002.
• David Wheeler, Secure Programming for UNIX and Linux HOWTO, http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html, 2003.