Software Security

dit-upm software security
José A. Mañas <http://www.dit.upm.es/~pepe/>
Information Technology Department, Universidad Politécnica de Madrid
24 October 2018

the problem
⚫ in a world where everything contains software, if the software is not reliable, the system is not reliable
⚫ how do you build reliable software?
  ◼ shall predict errors and attacks from the environment
  ◼ shall fail safely
      shall not inform the attacker
      shall not fall into a state of unsafe behavior
⚫ security by design: security should not be an afterthought
  ◼ we should not wait for an attack to start protecting us
  ◼ cost: design, coding, testing, distribution
  ◼ bad reputation

why is software unreliable?
1. programmers do not know
2. it is boring
3. less functionality
4. reduced performance
5. benefit (ROI) is hard to estimate
⚫ adding secure components does not make a secure system
⚫ insecurity is not necessarily a bug; it is an unacceptable behavior

security
⚫ preventive
  ◼ does not occur, or occurs less often
⚫ monitor and detect
  ◼ if something goes wrong, you need an alert
⚫ reliable logging
  ◼ to prosecute
  ◼ to learn
⚫ recovery - resilience

software vulnerabilities
⚫ Memory safety violations
  ◼ Buffer overflows and over-reads
  ◼ Dangling pointers
⚫ Input validation errors
  ◼ Format string attacks
  ◼ SQL injection
  ◼ Code injection
  ◼ E-mail injection
  ◼ Directory traversal
  ◼ Cross-site scripting in web applications
  ◼ HTTP header injection
  ◼ HTTP response splitting
https://en.wikipedia.org/wiki/Vulnerability_(computing)

software vulnerabilities
⚫ Race conditions
  ◼ Time-of-check-to-time-of-use bugs
  ◼ Symlink races
⚫ Privilege-confusion
  ◼ Cross-site request forgery in web applications
  ◼ Clickjacking
  ◼ FTP bounce attack
⚫ Privilege escalation
⚫ User interface failures
  ◼ Warning fatigue or user conditioning
  ◼ Blaming the victim
  ◼ Race Conditions
https://en.wikipedia.org/wiki/Vulnerability_(computing)

OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

SANS top 25
https://www.sans.org/top25-software-errors/archive/2010

top 25
Rank | Score | ID      | Name
[1]  | 93.8  | CWE-89  | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2]  | 83.3  | CWE-78  | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3]  | 79    | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4]  | 77.7  | CWE-79  | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5]  | 76.9  | CWE-306 | Missing Authentication for Critical Function
[6]  | 76.8  | CWE-862 | Missing Authorization
[7]  | 75    | CWE-798 | Use of Hard-coded Credentials
[8]  | 75    | CWE-311 | Missing Encryption of Sensitive Data
[9]  | 74    | CWE-434 | Unrestricted Upload of File with Dangerous Type
[10] | 73.8  | CWE-807 | Reliance on Untrusted Inputs in a Security Decision
http://cwe.mitre.org/top25/index.html

SQL injection
(figure: php / http / sql)

SQL injection
    $username = isset($_POST['username']) ? $_POST['username'] : "";
    $password = isset($_POST['password']) ? $_POST['password'] : "";

    // vulnerable: the user's text is spliced straight into the SQL statement
    $query = sprintf("SELECT * FROM users WHERE username = '%s' AND password = '%s';",
                     $username, $password);
    $result = $db->query($query);

    // escaping the values before building the statement
    $query = sprintf("SELECT * FROM users WHERE username = '%s' AND password = '%s';",
                     SQLite3::escapeString($username), SQLite3::escapeString($password));

    // prepared statement: the values are bound as data, never parsed as SQL
    $stmt0 = "SELECT * FROM users " .
             "WHERE username = :user AND password = :pw";
    $stmt = $db->prepare($stmt0);
    $stmt->bindValue(':user', $username, SQLITE3_TEXT);
    $stmt->bindValue(':pw', $password, SQLITE3_TEXT);
    $result = $stmt->execute();
http://sqlidemo.altervista.org/index.php

sql injection
http://xkcd.com/327/

SQL injection
⚫ root cause is to accept user input blindly
  ◼ no analysis
  ◼ no sanitization
⚫ Defenses
  ◼ what the user writes is not reliable
  ◼ stored procedures
  ◼ prepared statements
  ◼ limit access to the database (minimal surface)
  ◼ beware of error messages

injection
⚫ generic technique
⚫ https://en.wikipedia.org/wiki/Code_injection

OS command injection
    $ cat _exs/nslookup.html
    <!DOCTYPE html>
    <html>
    <body>
    <h1>nslookup helper</h1>
    <form action="nslookup.php" method="post">
    host: <input type="text" name="host" size="100" maxlength="100">
    <input type="submit" name="formSubmit" value="Submit">
    </form>
    </body>
    </html>

    $ cat _exs/nslookup.php
    <!DOCTYPE html>
    <html>
    <body>
    <h1>nslookup ...</h1>
    <?php
    echo '<pre>';
    $host = $_POST["host"];          // untrusted: whatever the form posted
    echo "nslookup " . $host . "\n";
    system("nslookup " . $host);     // the concatenated string is handed to a shell unchanged
    echo '</pre>';
    ?>
    </body>
    </html>

rce – remote command execution
(the same _exs/nslookup.php as above: the host field is concatenated into the command passed to system())
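The "injection is a generic technique" slide applies to both the SQL and the nslookup slides: the fix in each case is to keep untrusted input as data instead of splicing it into a command. The following is an added example (mine, not from the slides or the demo site), written in Python so it runs self-contained with sqlite3 and subprocess; the in-memory users table, the LABEL/HOSTNAME regex and all function names are constructed here.

```python
import re
import sqlite3
import subprocess

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slides' SQLite users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('pepe', 'my key')")
    return db

def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> int:
    """The sprintf() version from the slide: user text becomes part of the SQL."""
    query = ("SELECT * FROM users WHERE username = '%s' AND password = '%s';"
             % (username, password))
    return len(db.execute(query).fetchall())

def login_prepared(db: sqlite3.Connection, username: str, password: str) -> int:
    """The prepared-statement version: values are bound, never parsed as SQL."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return len(db.execute(query, (username, password)).fetchall())

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, 1..63 chars.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def is_valid_hostname(host: str) -> bool:
    """Allow-list check for the nslookup form field. A leading '-' fails too, so the
    value can never be taken as an nslookup option."""
    return len(host) <= 253 and HOSTNAME.fullmatch(host) is not None

def nslookup_command(host: str) -> list:
    """Replacement for system("nslookup " . $host): validated host as ONE argv element."""
    if not is_valid_hostname(host):
        raise ValueError("refusing to look up %r: not a hostname" % host)
    return ["nslookup", host]

def run_nslookup(host: str) -> str:
    # A list and shell=False (the default): no shell ever parses the host string,
    # so ';', '|' and '&&' are just characters inside an argument.
    proc = subprocess.run(nslookup_command(host), capture_output=True, text=True, timeout=10)
    return proc.stdout
```

The classic tautology input is only a regression test here: it matches a row through the sprintf() version and none through the prepared statement.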
[classic] buffer overflow
⚫ typical problem in C and C++: lack of bound checking

buffer overflow
    char buff[10];
    buff[10] = 'a';                         /* one past the end: valid indices are 0..9 */
    strcpy(buff, "mas de 10 caracteres");  /* 20 characters plus the NUL into a 10-byte buffer */

stack smash
⚫ C: when a function is called, the stack saves
  ◼ return address
  ◼ call arguments
  ◼ local variables
⚫ when a local buffer overflows,
  ◼ arguments can be modified
  ◼ return address can be changed (jump somewhere else)

C stack function call
(figure)

buffer overflow
⚫ remedies
  ◼ safe coding
      safe libraries
      no gets(), strcmp(), strcpy(), …
  ◼ tools to analyse source code (static analysis)
  ◼ pattern detection (nop slide, virtual nops, …) on download (IDS)
  ◼ executable space protection
  ◼ canary
  ◼ …
https://en.wikipedia.org/wiki/Buffer_overflow
https://en.wikipedia.org/wiki/Buffer_overflow_protection

languages
Language / Environment      | Compiled or Interpreted | Strongly Typed | Direct Memory Access | Safe or Unsafe
Java, Java Virtual Machine (JVM) | Both               | Yes            | No                   | Safe
.NET                        | Both                    | Yes            | No                   | Safe
Perl                        | Both                    | Yes            | No                   | Safe
Python                      | Interpreted             | Yes            | No                   | Safe
Ruby                        | Interpreted             | Yes            | No                   | Safe
C/C++                       | Compiled                | No             | Yes                  | Unsafe
Assembly                    | Compiled                | No             | Yes                  | Unsafe
COBOL                       | Compiled                | Yes            | No                   | Safe
https://www.owasp.org/index.php/Buffer_Overflows

XSS - cross-site scripting
⚫ when the attacker succeeds in executing javascript on the user's browser
  ◼ when the server copies the attacker's text into the web response
  ◼ reflected
  ◼ stored
  ◼ DOM-based: dynamic modification of html
⚫ typical usage: send session ids (i.e. cookies)

stored xss (persistent), reflected xss, DOM-based xss (client-side)
https://excess-xss.com/

XSS - defenses
⚫ difficult to remove entirely
⚫ input validation (stored)
⚫ encoded output
⚫ https://excess-xss.com/
⚫ https://www.google.com/about/appsecurity/learning/xss/

Authentication & authorization
⚫ when we step into a critical task without sound authentication
  ◼ sensitive data leak
  ◼ denial of service
⚫ when the server blindly trusts client-side authentication
⚫ remedy
  ◼ design: task classification (normal, privileged, administrative), environment authentication
  ◼ source code inspection: review critical areas

Use of Hard-coded Credentials
⚫ crypto keys or passwords in …
  ◼ in code (source or executable)
  ◼ in configuration files (obfuscated)
  ◼ in registry (obfuscated)
⚫ reverse engineer to access
  ◼ decompile
  ◼ memory dump
  ◼ step by step execution
⚫ if the secret is revealed (white hat | black hat), it is very difficult to repair
  ◼ downloaded programs
  ◼ client-server coordination

Use of Hard-coded Credentials
⚫ remedies (partial)
  ◼ store hash to check correct data input
  ◼ limit the life of the key in clear
  ◼ OTP – reduced lifetime

secrets in code
    $ cat EncodedPW.java
    public class EncodedPW {
        private String user= "pepe";
        private String pw= "my key";
    }

    $ strings EncodedPW.class
    user
    Ljava/lang/String;
    <init>
    Code
    LineNumberTable
    SourceFile
    EncodedPW.java
    pepe
    my key
    EncodedPW
    java/lang/Object

secrets in code
    $ javap -c EncodedPW.class
    Compiled from "EncodedPW.java"
    public class EncodedPW {
      public EncodedPW();
        Code:
           0: aload_0
           1: invokespecial #1    // Method java/lang/Object."<init>":()V
           4: aload_0
           5: ldc           #2    // String pepe
           7: putfield      #3    // Field user:Ljava/lang/String;
          10: aload_0
          11: ldc           #4    // String my key
          13: putfield      #5    // Field pw:Ljava/lang/String;
          16: return
    }

secrets in code
(the same EncodedPW.java, credentials included, as recovered by an online decompiler)
http://www.javadecompilers.com/

secrets in code
    $ cat check_admin.c
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char* argv[]) {
        if (argc < 2)                    /* guard added: no password argument given */
            return(0);
        char* password= argv[1];         /* the slide reads argv[0], which is the program name */
        if (strcmp(password, "Mew!")) {  /* the secret is a literal inside the binary */
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }

    $ strings check_admin.exe
    …
    …
    …
    @B/70
    B/81
    B/92
    tgr5
    cyggcj-16.dll
    _Jv_RegisterClasses
    Mew!
    Incorrect Password!
    Entering Diagnostic Mode...
    GCC: (GNU) 5.4.0 20160603 (Fedora Cygwin 5.4.0-2)
    GCC: (GNU) 5.4.0
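The first of the partial remedies, "store hash to check correct data input", applied to check_admin.c's diagnostic-mode password. This is an added example (mine, not from the slides), in Python for a self-contained run; the record format, iteration count and function names are constructed here, and PBKDF2-HMAC-SHA256 is my choice of hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor: slows down guessing if the record is extracted

def make_record(password: str) -> str:
    """What ships in the binary or config instead of the literal "Mew!": a random
    salt plus the PBKDF2 hash. Record format (constructed for this example):
    algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def check_password(record: str, candidate: str) -> bool:
    """Recompute the hash over the candidate and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def record_reveals(record: str, secret: str) -> bool:
    """The `strings check_admin.exe` test from the slide, applied to what is now
    stored: is the secret readable in it?"""
    return secret in record

def enter_diagnostic_mode(record: str, supplied: str) -> str:
    """check_admin.c's decision, driven by the stored record instead of a literal.
    Partial remedy, as the slide says: whoever controls the binary can still patch
    this comparison out; hashing only stops the secret being read and reused."""
    if not check_password(record, supplied):
        return "Incorrect Password!"
    return "Entering Diagnostic Mode..."
```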
