Why COTS Software Increases Security Risks

Gary McGraw
Reliable Software Technologies
21515 Ridgetop Circle, Suite 250, Sterling, VA 20166
phone: (703) 404-9293, fax: (703) 404-9295
email: gem@rstcorp.com
http://www.rstcorp.com

Abstract

Understanding the risks inherent in using COTS software is important because information systems today are being built from ever greater amounts of reused and pre-packaged code. Security analysis of complex software systems has always been a serious challenge with many open research issues. Unfortunately, COTS software serves only to complicate matters. Often, code that is acquired from a vendor is delivered in executable form with no source code, making some traditional analyses impossible. The upshot is that relying on today's COTS systems to ensure security is a risky proposition, especially when such systems are meant to work over the Internet. This short paper touches on the risks inherent in some of today's more popular COTS systems, including operating systems and Java Virtual Machines. I also present robustness results gathered by a research prototype called RIDDLE (Random and Intelligent Data Design Library Environment), which was used to assess the robustness of native Windows NT system utilities as well as Win32 ports of the GNU utilities.

1 COTS in Action (or, COTS Inaction)

Like the rest of the Department of Defense, the United States Navy is mandated to use Commercial Off-The-Shelf (COTS) technology in order to standardize and to save money. The Navy's Smart Ship initiative, which is currently being tested as a pilot study on the Aegis missile cruiser USS Yorktown, is a prime example of the move to COTS. A major part of the initiative is to migrate systems to the Microsoft Windows NT Operating System. What recently happened to the Yorktown serves to underscore the nature of security risks inherent in COTS-based systems.

Footnote: This work is sponsored under the Defense Advanced Research Projects Agency (DARPA) Contract F30602-97-C-0117. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the U.S. Government.

In September 1997, the Yorktown was underway in maneuvers off the Virginia coast. During the maneuvers, the Yorktown suffered a serious systems failure caused by a divide by zero error in an NT application. According to the RISKS digest (Volume 18, Issue 88), the zero seems to have been an erroneous data item entered by a system user. As a result of the error, the ship was dead in the water for over two and a half hours.

This somewhat amusing anecdote would turn out to be a very serious and potentially deadly problem during wartime. Windows NT is known to have a number of failure modes, any one of which could be leveraged into an information warfare weapon. Nevertheless, since NT is quickly becoming a de facto standard in industry, the DoD is unlikely to abandon its effort to adopt it. Instead of becoming less likely, problems such as those experienced on the Yorktown are a hint of things to come.

2 COTS Problems Percolate Up

Despite the proliferation of NT workstations in business-critical and mission-critical environments, little analysis of the software that comprises the NT platform has been performed. This implies that to the extent to which NT has inherent security risks, systems built with a COTS architecture that include NT inherit the same risks.

Operating systems are not alone in this problem. Any third-party software included in a system has the same risk-percolation property, whether the software is packaged at the component level or higher. That means that COTS parts of electronic commerce systems now on the drawing board, including web

browsers and Java Virtual Machines, introduce similar concerns [2].

If COTS introduce more risks, why use them? Unfortunately, the issue is not completely cut-and-dry. COTS have a number of important benefits that should not be overlooked. Consider component re-use in programming systems like Visual Basic. Today's applications are more complicated than ever, and the time pressure to get them done and put them into use is greater than ever. Visual Basic components save both time and effort. There is no reason that the software industry should not learn from electrical engineering where prefabricated components have been used for years.

The real problem is this: COTS often suffer from dependability, security, and safety problems. What can we do to analyze COTS and measure them according to these properties?

This problem is exacerbated by the fact that COTS are usually delivered with no guarantees about their behavior in black box form. It is hard enough to try to determine what a program will do given its source code. Without the source code, the problem becomes much harder.

3 Risks in Java: A Case Study

The Java programming language from Sun Microsystems makes an interesting case study from a COTS security perspective. Java was, after all, designed with security in mind. Java's security mechanisms are built on a foundation of type safety and include a number of language-based enforcement mechanisms [4]. Unfortunately, as with any complex system, Java has had its problems with security. It turns out to be very hard to do things exactly right, and exactly right is what is demanded by security.

Ed Felten and I have defined four broad categories of attacks with which to understand Java's security risks. These categories can be used to categorize all mobile code risks:

1. System modification attacks occur when an attacker exploits a security hole to take over and modify the target system. These attacks are very serious and can be used for any number of nefarious ends, including: installing a virus, installing a trapdoor, installing a listening post, reading private data, and so on.

2. Invasion of privacy attacks happen when a piece of Java code gets access to data meant to be kept private. Such data includes password files, personal directory names, and the like.

3. Denial of service attacks make it impossible to use a machine for legitimate activities. These kinds of attacks are almost trivial in today's systems (Java or otherwise) and are an essential risk category for e-commerce and defense.

4. Antagonism attacks are meant to harass or annoy a legitimate user. These attacks might include displaying obscene pictures or playing sound files forever.

Unfortunately, all four categories of attack can be carried out in Java systems. By far the most dangerous attacks, system modification, leverage holes in the Java Virtual Machine to work. Though Java's internal defenses against such attacks are strong, at least fifteen major security holes have been discovered in Java (and since patched). The latest such hole, a problem with class loading in the JDK 1.2 beta 3, was discovered in July 1998.

If supposedly-secure systems like Java Virtual Machines (items commonly included as COTS in systems ranging from smart cards and embedded devices to web browsers) have security risks, what does this say about less security-conscious COTS? The somewhat disturbing answer is that other systems are much worse off. Microsoft's ActiveX system, for example, presents a number of far more serious security problems than Java does.

4 Black Box Analysis

Most software security vulnerabilities result from two factors: program bugs and malicious misuse. Technologies and methodologies for analyzing software in order to discover these vulnerabilities (and potential avenues for exploitation) are a current topic of computer security research. Dynamic software analysis technologies usually require program source code. However, most COTS software applications are delivered in the form of binary executables (including hooks to dynamic libraries), rendering source-code-based techniques useless. Thus, alternative methods for analyzing software vulnerability under malicious misuse or attack are required.

Dynamic black-box analysis is an important approach to software vulnerability localization that, given today's inexpensive hardware, can be performed relatively cheaply. This analysis is a variant on traditional software testing that is particularly attractive because it can be applied to binary executables, including COTS and legacy executables. This approach

is not typical vanilla testing, but rather focused testing with the express purpose of determining a component's tolerance to attack. Though this approach neither requires functional specifications for components nor functional requirements, it does require the user to characterize what a security violation is (based on site-specific security policy).

4.1 RIDDLE: NT Robustness

Research at Reliable Software Technologies is addressing the problem of COTS security analysis by beginning with the problem of component robustness [1]. This follows the footsteps of two research efforts: Fuzz [5] and Ballista [3], both of which considered the robustness of Unix system software. RIDDLE's target is NT.

The Random and Intelligent Data Design Library Environment (RIDDLE) enables analysis of commercial off-the-shelf (COTS) software by using black-box testing techniques. RIDDLE permits stress testing of application software, system utilities, COM/DCOM components, shared libraries, and system functions. Unlike traditional black-box testing approaches, RIDDLE stress tests software using unexpected, intelligently crafted test cases. The goal of this research is to determine what robustness gaps, if any, exist in Windows NT software.

Test cases are generated with random, intelligent input using the input grammar of the component under analysis. Rather than simply generating random input that does not meet the basic syntax of the program's input, generating input intelligently using the input grammar of the component permits stress testing of more of the software's functions. RIDDLE provides an environment to combine random input, malicious input, and boundary value conditions in the legal grammar of the program to test its behavior more thoroughly under anomalous conditions.

4.2 Results

RIDDLE was used to perform robustness tests on two categories of Windows NT software. The first category is made up of Windows NT command line utilities that are supplied with the operating system.
The utilities tested are attrib, chkdsk, comp, expand, fc, find, help, label, and replace. The second category of software that was tested was a group of GNU command line utilities that have been ported to the Windows NT operating system as part of the Cygnus project. The ported GNU utilities tested are cat, chmod, chksum, cp, ls, mv, rm, and wc.

The experimentation covered many combinations of the string lengths and character sets. In all, there were 64,000 tests run on the GNU utilities, and 114,000 tests run on the native Windows NT utilities. RIDDLE detected distinct termination states from the programs that were tested. The exit states determine when the program terminates normally, when the program is hung, and when the program terminates due to an unhandled exception. Three types of exceptions were caught by the RIDDLE monitor in these experiments: memory access violation exceptions, privileged instruction exceptions, and illegal instruction exceptions. If these exceptions arise during the execution of a program, then the program has failed to perform robustly by failing to handle the exception internally.

Figure 1: Percentage of unhandled exceptions for all test cases run against the native Windows NT and GNU utilities. The vast majority of unhandled exceptions were memory access violations that result in the aborted execution of the program being tested. (Bar chart; axes: Utility Group, Percent Exceptions.)

Figure 1 summarizes the results of the testing of native Windows NT utilities and the GNU utilities. In all the test cases run against the native Windows NT utilities, only 0.338% of the test cases resulted in failure according to our failure metric. On the other hand, the GNU utilities exit with an unhandled exception 10.64% of the time. The distribution of exceptions favored memory access violations so heavily (approximately 7000 to 1 for GNU, and 100 to 1 for Windows NT) that the other types of exceptions are statistically insignificant.

Further analysis of the results shows that the 10.64% failure rate is fairly consistent across the eight GNU utilities that were tested. The vast majority of the exceptions occurred when the character set being used for string generation was in the range [1,255] (excluding the null character). This is most likely due to the program's interpretation of special characters. The number of exceptions decreases dramatically when the character set is altered to include the null character, or when it consists only of printable characters in the range [33,127]. The null character may be interpreted as the termination character of a string, effectively limiting the length of the input. This would explain why there are fewer unhandled exceptions when this character is used in light of the correlation between length and exceptions (see Figure 3). Another possibility is that if the null character is interpreted as either the end of a string or the end of the parameter list, then the parameters may no longer constitute a valid use of the application and the utility may immediately reject the test case.

The distribution of exceptions by content type is shown in Figure 2. Clearly, the utilities are most vulnerable to input that is sampled from the character set range [1,255]. This set includes every printable and non-printable character except for the null character. Even very long length input in the alphabetical and printable set resulted in few exceptions. Instead, it is the combination of very long length with nearly the entire range of the character set (including non-printable characters) that resulted in the most unhandled exceptions.

Figure 2: Distribution of unhandled exceptions among different content types. The character range [1,255] includes all characters except the null character. The range of the last column, [0,255], includes the null character. (Bar chart; x-axis: Character Set, with columns Alphabetical, Printable, [1,255], [0,255].)

Figure 3: The percentage of test cases that resulted in exceptions as a function of the length of the input strings. (x-axis: String Length (Characters), with points at 8, 250, 800, 1500 and 4096.)
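As an added example (not code from the paper or from RIDDLE itself), the following Python harness reproduces the test design of Sections 4.1 and 4.2: it builds argv test cases from the four character sets of Figure 2 and the five string lengths of Figure 3 while keeping the fixed tokens of the command grammar in place, classifies each run into RIDDLE's three termination states, and tabulates the percentage of unhandled exceptions overall, per set and per length. The argv template, the local `wc` target, the ASCII-letter reading of "alphabetical" and the POSIX signal-based crash detection are assumptions of this example, not details from the paper.

```python
import random
import string
import subprocess
from collections import Counter

# Content types from Figure 2: [33,127], [1,255] and [0,255] are the paper's
# ranges; treating "alphabetical" as the ASCII letters is our assumption.
CHARSETS = {
    "alphabetical": [ord(c) for c in string.ascii_letters],
    "printable": list(range(33, 128)),
    "1-255": list(range(1, 256)),   # every byte except NUL
    "0-255": list(range(0, 256)),   # NUL included
}
LENGTHS = [8, 250, 800, 1500, 4096]   # string lengths from Figure 3

def generate_cases(template, seed=0, lengths=LENGTHS):
    """Yield (charset, length, argv) for every charset/length combination.
    Each "{S}" in the argv template becomes a random string; fixed tokens
    (utility name, flags) stay put, keeping the case inside the program's
    input grammar so the anomalous data reaches real code paths."""
    rng = random.Random(seed)
    for charset in CHARSETS:
        for length in lengths:
            argv = [bytes(rng.choice(CHARSETS[charset]) for _ in range(length))
                    if tok == "{S}" else tok.encode() for tok in template]
            yield charset, length, argv

def classify(returncode, timed_out):
    """Map one run onto RIDDLE's three termination states. POSIX semantics:
    a negative return code means a signal (SIGSEGV, SIGILL, ...) killed the
    process, i.e. an exception the program failed to handle itself."""
    if timed_out:
        return "hung"
    return "unhandled_exception" if returncode < 0 else "normal"

def run_case(argv, timeout=5.0):
    """Execute one case. OS argv strings are NUL-terminated, so a NUL byte
    truncates the argument: the effect the paper suspects behind the drop in
    exceptions for the [0,255] set."""
    argv = [arg.split(b"\0", 1)[0] for arg in argv]
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return classify(0, True)
    return classify(proc.returncode, False)

def summarize(outcomes):
    """% of cases ending in an unhandled exception: "all", per charset (Fig. 2), per length (Fig. 3)."""
    total, failed = Counter(), Counter()
    for charset, length, state in outcomes:
        for key in ("all", charset, length):
            total[key] += 1
            if state == "unhandled_exception":
                failed[key] += 1
    return {key: round(100.0 * failed[key] / total[key], 3) for key in total}

if __name__ == "__main__":   # assumed target: a local `wc`; swap in the utility under test
    runs = [(c, n, run_case(a)) for c, n, a in generate_cases(["wc", "-c", "{S}"])]
    print(summarize(runs))
```

A crash rate that climbs with length only for the [1,255] set, as in the paper's Figures 2 and 3, is the signature of an unchecked buffer in the argument handling and the place to start a root-cause investigation.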
The most significant trend in the data collected from the tests performed on the GNU utilities is the increase in unhandled exceptions as the length of string increases, as illustrated in Figure 3. The graph of the exception ratios shows that as the length of input is increased from 8 to 4096 bytes, the number of exceptions rises dramatically, indicating a failure to handle anomalous input within proper input grammar. Significantly fewer exceptions occurred when the length of the string used was either 8 or 250 characters. Because the exception that occurred most often was a memory access violation, the cause is most likely an over-written buffer that placed an illegal pointer on the program stack. In other words, the instruction pointer that was overwritten with the long input probably points to a region of the memory that is inaccessible for the program, or it may point to data that is not a valid instruction opcode. This result points to potential vulnerabilities in the GNU utilities to buffer overrun attacks.

The data collected from the tests run on the native Windows NT utilities paints a very different picture. Of the nine utilities that were tested, only two of them, comp and expand, produced any exceptions. The expand utility had a failure pattern similar to the GNU utilities. It failed more often when the strings were longer and the character sets were more complex. The comp utility failed most frequently when the character set was alphabetic, and the string length was 250.

5 Towards Managing COTS Risks

COTS are becoming as ubiquitous as software itself. Given that COTS specifically designed with security in mind (like the Java VM) suffer from serious security problems, we can only cringe at the thought of the risks that less carefully-designed COTS introduce. It is clear that much work remains to be done in understanding the security implications of using COTS.

The RIDDLE experiments show that probing the behavior of a black box COTS system is a useful exercise. RIDDLE is currently being expanded to support testing of network servers, shared libraries, desktop applications, and OLE/COM/DCOM components. Future research will involve testing these other classes of NT software as well as exploring robustness gaps to determine their potential to be exploited into security holes.

Acknowledgements

The RIDDLE work sketched here was performed by Anup Ghosh, Matt Schmid, and Viren Shah of Reliable Software Technologies. See [1] for a more thorough treatment of the subject.

References

[1] A. Ghosh, M. Schmid, and V. Shah. Testing the robustness of Windows NT software. To appear, November 4-7 1998.

[2] A. K. Ghosh. E-Commerce Security: Weak Links, Best Defenses. John Wiley & Sons, New York, NY, 1998. ISBN 0-471-19223-6.

[3] P. Koopman, J. Sung, C. Dingman, D. Siewiorek, and T. Marz. Comparing operating systems using robustness benchmarks. In Proceedings of the 16th IEEE Symposium on Reliable Distributed Systems, pages 72-79, October 1997.

[4] G. McGraw and E. Felten. Java Security: Hostile Applets, Holes, and Antidotes. John Wiley and Sons, New York, 1996.

[5] B. P. Miller, D. Koski, C. P. Lee, V. Maganty, R. Murthy, A. Natarajan, and J. Steidl. Fuzz revisited: A re-examination of the reliability of Unix utilities and services. Technical report, University of Wisconsin, Computer Sciences Dept, November 1995.