1 / 23

10 common programming mistakes that make you vulnerable to attack

10 common programming mistakes that make you vulnerable to attack. Elisa Heymann Computer Architecture and Operating Systems Department Universitat Aut ònoma de Barcelona Elisa.Heymann@uab.es. Barton P. Miller Jim Kupsch Computer Sciences Department University of Wisconsin

aldan
Download Presentation

10 common programming mistakes that make you vulnerable to attack

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 10 common programming mistakes that make you vulnerable to attack Elisa Heymann Computer Architecture andOperating Systems Department UniversitatAutònoma de Barcelona Elisa.Heymann@uab.es Barton P. Miller Jim Kupsch Computer Sciences Department University of Wisconsin bart@cs.wisc.edu Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland Security grant FA8750-10-2-0030 (funded through AFRL). Past funding has been provided by NATO grant CLG 983049, National Science Foundation grant OCI-0844219, the National Science Foundation under contract with San Diego Supercomputing Center, and National Science Foundation grants CNS-0627501 and CNS-0716460.

  2. Things That We All Know • All software has vulnerabilities • Critical infrastructure software is complex and large • Vulnerabilities can be exploited by both authorized users and by outsiders • Programmers must be security-aware • Designing for security and the use of secure practices and standards does not guarantee security… but helps 2

  3. What do we do • Assess Middleware: Makecloud/grid software more secure • Train:Weteachtutorialsforusers, developers, sysadmins, and managers • Research:Make in-depthassessments more automated and improvequality of automatedcodeanalysis http://www.cs.wisc.edu/mist/papers/VAshort.pdf

  4. 1. Buffer overflow

  5. Buffer Overflow of User Data Affecting Flow of Control char id[8]; intvalidId = 0; /* not valid */ gets(id); /* reads "evillogin"*/ /* validId is now 110 decimal */ if (IsValid(id)) validId = 1; /* not true */ if (validId) /* is true */ {DoPrivilegedOp();} /* gets executed */ id validId id validId

  6. 2. Numeric Errors

  7. 3. Race Conditions

  8. Race Condition Examples time • Your Actions Attackers Action s=strdup("/tmp/zXXXXXX")tempnam(s)// s now "/tmp/zRANDOM"link = "/etc/passwd" file = "/tmp/zRANDOM"symlink(link, file)f = fopen(s, "w+")// writes now update// /etc/passwd

  9. 4. Exceptions

  10. Exception Suppression 1. User sends malicious data 2. System grants access 13

  11. 5. Too much information

  12. WTMI (Way Too Much Info) Login(… user, … pwd) { try { ValidatePwd(user, pwd); } catch (Exception e) { print("Login failed.\n"); print(e + "\n"); e.printStackTrace(); return; } } void ValidatePwd(… user, … pwd) throws BadUser, BadPwd { realPwd = GetPwdFromDb(user); if (realPwd == null) throw BadUser("user=" + user); if (!pwd.equals(realPwd)) throw BadPwd("user=" + user + " pwd=" + pwd + " expected=" + realPwd); … User exists Entered pwd User's actual password ?!? (passwords aren't hashed) Login failed. BadPwd: user=bob pwd=x expected=password BadPwd: at Auth.ValidatePwd (Auth.java:92) at Auth.Login (Auth.java:197) … com.foo.BadFramework(BadFramework.java:71) ... Reveals internal structure (libraries used, call structure, version information) 15

  13. 6. Directory Traversal

  14. Successful Directory Traversal Attack 1. Users requests File="....//etc/passwd" /etc/passwd 2. Server deletes Before Replace path = "/safedir/….//etc/passwd" After Replace path = "/safedir/../etc/passwd" 17

  15. 7. SQL Injection Attacks

  16. Successful SQL Injection Attack • Dynamically generated SQL without validation or quoting is vulnerable $u = " '; drop table t --"; $sth = $dbh->do("select * from t where u = '$u'"); Database sees two statements:select * from t where u = ' '; drop table t --'

  17. 8. Command Injections

  18. Successful OS Injection Attack 1. User sends malicious data 2. Application uses nslookup to get DNS records 3. System executes 4. All files possible are deleted 22

  19. 9. Code Injection

  20. 10. Web Attacks

  21. Reflected Cross Site Scripting (XSS) 3. Generated HTML displayed by browser 1. Browser sends request to web server 2. Web server code handles request

  22. Would you like an expanded tutorial taught at your site? Tutorials for users, developers, administrators and managers: • Security Risks • Secure Programming • Vulnerability Assessment Contact us! Barton P. Miller bart@cs.wisc.edu Elisa Heymann Elisa.Heymann@uab.es

  23. Questions? http://www.cs.wisc.edu/mist

More Related