(General purpose) Program security. What does it mean for a pgm to be secure? Depends whom you ask. Takes a long time to break its security controls.

Transcription

1 (General purpose) Program security These ideas apply also to OS and DB. Read Chapter 3. What does it mean for a pgm to be secure? Depends whom you ask. Takes a long time to break its security controls. Has run for 9 weeks with no failure. Contains no potential security flaw. A program fault is an unexpected (bad) behavior of a pgm Which program is more secure? 1. pgm with 100 faults discovered and fixed. 2. a similar pgm with 20 faults discovered and fixed. 1

2 Early computer security was penetrate and patch. Not a good solution because: narrow focus on a fault ignores the context. fault may have nonobvious side effects. fixing one problem may cause another. fault not fixed because the fixed system wouldn t work. 2

3 A better approach to computer security (via software engineering). Program security flaw = pgm behavior not what designers intended or users expected. Flaws may be either inadvertent human errors or malicious, intentional flaws. Unintentional human error are more common than deliberate malicious ones, and they cause more damage. Computer security terms differ IEEE standard terms: error, fault, failure 3

4 Program security is hard and we can t avoid all flaws because: pgms are complicated; it is hard to describe all unexpected behavior. A thm in CS 526 says that it is NP-complete to decide whether a program is secure. software engineering advances faster than security But we can still do something and make most programs secure. 4

5 Landwehr et al. [1994] classified flaws as: Intentional flaws 1. malicious 2. nonmalicious Inadvertent errors: 1. validation: incomplete or inconsistent permission check 2. domain: controlled access to data 3. serialization and aliasing: program flow order 4. failed authorization due to bad identification/authentication 5. boundary condition violation: first or last case failure 6. other exploitable logic errors 5

6 Three classic nonmalicious program errors (pre- Internet) 1. Buffer overflows Memory is finite and so are arrays and strings (buffers). Example: int buff[10]; for (i=0; i<10; i++) buff[i]=2; buff[10]=3; The last instruction may write 3 into 1. the user s data 2. the user s program code 3. another user s data 4. another user s program code 5. system data 6. system program code 6

7 A malicious attacker who knows about a buffer overflow error in a program he can use may use the error to write malicious code. Data may become code. Overflow a stack to change parameters. Example: passwd, browser URL parameter Control: test after each input character; OS memory protection. Control: use only string utilities with bounded length. Control: paging may help: different pages for intructions and data. 7

8 2. Incomplete mediation (checking) Not checking whether input data is valid or in range. Example: date 17 Jan 2012 okay, 37 Jat 1843 not okay. Control: check input correctness or use dropdown box. Example: Ebusiness, order form returns total price, and customer changes it. 8

9 3. Time-of-check to time-of-use error. Synchronization problem Check before use; approve in work ticket ; user changes the request in the ticket before the order is executed. Example: open file (one you may open); after approval, change file name to one you may not open. Control: copy the ticket so the user can t access it. If it is too big to copy and must remain accessible to the user, then save its hash value. 9

10 Undocumented access point. Often added during pgm development for testing. Also called a back door or trap door. May be added by an intruder who succeeded once. Control: document it; careful code checking. 10

11 Integer overflow. Consider 16-bit unsigned integer case. Max value is = 65535, so = 0. Do not loop until i = or while i < 65536, because that will never hold or aways hold. Control: know the limits for each size of integer. 11

12 Null-terminated strings have variable length. A C pgm that uses such a string does not know its length until it reads the whole string. Java stores the length of a variable string separately. Control: use only C string utilities with bounded length. Use strncpy(to,from,max), not strcpy(to,from). 12

13 Race condition or serialization flaw. Two processes running concurrently. Example. Two ticket agents selling a seat on the same flight. Example. Tripwire chooses a name for its log file, checks to see whether that name exists, and then writes into it. An attacker changes the name to the system log file and hides his work. 13

14 So far, we have discussed mostly unintentional mistakes. Malicious code A computer may get malicious code during installation of (good) code, setup, or download of other code. Malicious code runs as you and can do anything you can. Malicious code has been around at least since

15 Malware definitions Malicious code = rogue program = whole program or code that does unexpected or unintended actions caused by an agent intent on damage. agent = person who wrote or distributed the malicious code. virus = malicious code that can replicate itself by modifying nonmalicious code. transient virus = virus that stops when its attached program stops. resident virus = virus that puts itself in memory and keeps going even when its attached program stops. 15

16 Worm = whole program that spreads copies of itself through a network, does not attach to other programs. Bot (sort of robot) = worm used in huge numbers. Some are benign and search the web for search engine hosts. Trojan horse = malicious code that has a benign primary effect and a nonobvious malicious effect. Example: passwd, editor, compiler 16

17 Rabbit = virus or worm that replicates without bound, exhausting time or memory. Logic bomb = malicious code that does something bad when a condition happens (a file is opened). Time bomb = logic bomb with a certain date/- time as condition Dropper = pgm that just copies other malware, like a virus. 17

18 Trapdoor = backdoor = program feature that lets anyone have special privileges by entering a secret code. Example: ATM program with secret PIN May be used for maintenance or to erase record of crime Script attack = malicious code in JavaScript that is downloaded with a page. 18

19 Spyware = pgm that intercepts and secretly communicates user activities, like login info. Zombie = malware under control of a remote pgm. It sleeps until activated. Browser hijacker = code that redirects a browser to another site. Rootkit = code installed in root of OS; hard to detect. 19

20 Tool or toolkit = pgm with a set of tests for vulnerabilities. Each successful test identifies a vulnerable host that can be attacked. Scareware = false warning of malware attack; may suggest remedial action to fix a problem, but actually creates one. 20