
Secure Programming

Jonathan Care
Secure Programming - Jonathan Care 2
An Observation

"Frequently the most important or critical applications in a network are run on the least secure machines, due to lack of upgrades/patches, mandated by the very criticality of the application..."
Statements for discussion

99.9% of bugs are avoidable (sacrifice the remaining 0.1% to Goedel)

Most of these are due to sloppy programming!

We do not learn the lessons of security, even with hindsight and in the aftermath of really major security incidents...

Amongst the prime causes of this are commercial Operating Systems, legacy applications, and ignorance
The really irritating thing about computer security

THE SAME PROBLEMS COME UP AGAIN AND AGAIN AND AGAIN AND AGAIN AND AGAIN AND AGAIN AND AGAIN
Network attacks in a nutshell

The same attacks on networked hosts that were used in the 70s, 80s and early 90s are still in use today in the same way as older ones (smtp, ftp)

Moreover these get conceptually re-used to attack new protocols (gopher, http, ???)

WHY?
Because

programmers are ignorant when leaving college

companies can sell widgets better than security to the marketplace

legacy apps hamper us (try to convince a vendor to drop sendmail)

legislation ties up technologies that can help (eg: US crypto export)

... AND...
Personal Cynicism
(#pragma personal_cynicism 1)
I strongly suspect that nobody really cares*
(* except for the people who have to clear up the mess)
So what are the problems that keep returning?

Viruses

Stack overwriting

Trusting insanitary data

Authentication spoofing (direct or indirect)

OVERPOWERFUL SOFTWARE RUNNING WITH EXCESS PRIVILEGE

... and poor encryption session key generation (not covered in this presentation 1st rev.)
Viruses

Possibly the one form of security bug that is more 'social' than 'erroneous' in nature.
Like life: so long as there is exchange of data there will be the possibility that something nasty is piggybacking a ride, inside.
Stack Overruns - blame the programmer

Can cause:

denial of service

system crash (at protocol level)

hacker infestation
Stack Overruns - common causes

gets() (Morris Worm)

sprintf()

strcat()

strcpy()

insanitary calls to read()

... into small/undersized memory buffers
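The following is an added example, not from the slides, showing the bounded counterparts of the calls listed above: copy_bounded(), format_bounded() and read_bounded() are this example's own names, and the 16-byte buffer and 40-byte input are constructed for the demonstration. The unbounded strcpy() is kept alongside purely for contrast.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SZ 16   /* deliberately small, like the "undersized buffers" above */

/* The overflow-prone pattern, for contrast only: strcpy() stops at the end of
 * src, not at the end of dst, so a 40-byte src smashes whatever follows dst. */
static void copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounded copy: always NUL-terminates; returns 0 on success, -1 when src did
 * not fit, so the caller can refuse the input instead of carrying on. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded formatting instead of sprintf(): snprintf() returns the length it
 * wanted to write, so a value >= dstsz means the output was cut short. */
static int format_bounded(char *dst, size_t dstsz, const char *host, int port)
{
    int n = snprintf(dst, dstsz, "%s:%d", host, port);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : n;
}

/* A sanitary read(): never asks for more than dstsz-1 bytes, loops over short
 * reads and EINTR, and NUL-terminates. Returns bytes stored, -1 on error. */
static ssize_t read_bounded(int fd, char *dst, size_t dstsz)
{
    size_t total = 0;
    if (dstsz == 0)
        return -1;
    while (total < dstsz - 1) {
        ssize_t r = read(fd, dst + total, dstsz - 1 - total);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (r == 0)
            break;                  /* EOF */
        total += (size_t)r;
    }
    dst[total] = '\0';
    return (ssize_t)total;
}

/* Feeds a constructed string through a pipe so read_bounded() sees a real fd. */
static ssize_t read_bounded_from_string(const char *input, char *dst, size_t dstsz)
{
    int p[2];
    ssize_t n = -1;
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], input, strlen(input)) >= 0) {
        close(p[1]);                /* writer closed: reader will see EOF */
        p[1] = -1;
        n = read_bounded(p[0], dst, dstsz);
    }
    if (p[1] >= 0)
        close(p[1]);
    close(p[0]);
    return n;
}

int main(void)
{
    char buf[BUF_SZ];
    /* constructed attacker-style input: 40 bytes aimed at a 16-byte buffer */
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    copy_unbounded(buf, "short");   /* only ever safe when src is known to fit */
    printf("copy_bounded   -> %d, \"%s\"\n", copy_bounded(buf, sizeof buf, input), buf);
    printf("format_bounded -> %d\n", format_bounded(buf, sizeof buf, "mail.example", 25));
    printf("read_bounded   -> %zd bytes, \"%s\"\n",
           read_bounded_from_string(input, buf, sizeof buf), buf);
    return 0;
}
```

The point of returning -1 on truncation is that a silently truncated filename or command line is itself a classic bug; the caller should reject the input, not proceed with a shortened version.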
Stack Overflows - a Taxonomy

[Figure: stack frame before and after the overflow. Before: read() buffer, subroutine return address, direction of stack growth. After: landing p‍ad of NOPs, padding, viral code.]
Stack Overflows require a certain creative bent to programming

viral payload usually hand-tooled assembler code

circumstances may dictate that payload contains no NLs, CRs, NULs, etc; can lead to very creative solutions

... but any moron can execute one that is packaged up adequately.
Stack Overflows - instances

Morris Worm: unbounded gets() on socket

Sendmail: syslog() routine called strcat() on unbounded data read from socket

Ping: NIS+ host resolver library did sprintf() on argv[1] from command line; instant SUID hack, no network involved. (nb: made more subtle as required DLLs)
Stack Overflows

Probably the most straightforward of the major holes that we will be looking at today
Insanitary Data

Far more subtle class of bugs

generally due to meddling/trusting things that are beyond our control in the first case...

so what *is* under our control?
Under your control?
A good question, nearly metaphysical:

files/filestore?

executable code?

input streams?

environment variables?
Files under your control?
Maybe, but watch out for:

user-provided filenames
  direct input or thru env vars
  (PATH, termcap/terminfo, 'at')

fixed filenames
  directory perms, time races in code
  ('ps', 'mail', ...)

filestore perms holding config files or parent directories thereof.
  ('chmod 666 /', GID of '/etc')
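An added example (not from the slides) of the "time races in code" point: a check-then-create sequence beside an O_CREAT|O_EXCL|O_NOFOLLOW open and mkstemp(). create_racy(), create_exclusive(), create_temp() and demo_symlink_race() are the example's own names; it assumes a POSIX system with a writable /tmp and simulates the planted link with a dangling symlink the program creates itself.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Racy pattern: check, then create. Between access() and open() anyone who can
 * write the directory can drop a symlink at `path`; the program then creates or
 * overwrites whatever the link points at. Kept only for the comparison below. */
static int create_racy(const char *path)
{
    if (access(path, F_OK) == 0) {
        errno = EEXIST;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Race-free pattern: O_CREAT|O_EXCL makes the existence check and the create a
 * single kernel operation and fails on a symlink (even a dangling one); the
 * mode is applied at creation rather than by a later chmod(). */
static int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* For scratch files use mkstemp(): unpredictable name, created O_EXCL, mode 0600.
 * The directory is fixed on purpose; honouring TMPDIR would trust the environment. */
static int create_temp(char *name, size_t namesz)
{
    if (snprintf(name, namesz, "/tmp/secprog-example.XXXXXX") >= (int)namesz)
        return -1;
    return mkstemp(name);
}

/* Shows the difference on a dangling symlink standing in for a planted link.
 * Returns 1 when create_exclusive() refuses the link but create_racy() follows
 * it and creates the target, 0 otherwise, -1 on setup failure. Cleans up. */
static int demo_symlink_race(void)
{
    char base[64], link[80], target[80];
    int result = -1, excl_fd, racy_fd;
    int fd = create_temp(base, sizeof base);
    if (fd < 0)
        return -1;
    close(fd);
    snprintf(link, sizeof link, "%s.link", base);
    snprintf(target, sizeof target, "%s.target", base);
    if (symlink(target, link) == 0) {
        excl_fd = create_exclusive(link);   /* expected: -1 with errno EEXIST */
        racy_fd = create_racy(link);        /* follows the link, creates target */
        result = (excl_fd < 0 && racy_fd >= 0 && access(target, F_OK) == 0) ? 1 : 0;
        if (excl_fd >= 0)
            close(excl_fd);
        if (racy_fd >= 0)
            close(racy_fd);
        unlink(target);
        unlink(link);
    }
    unlink(base);
    return result;
}

int main(void)
{
    int r = demo_symlink_race();
    printf("exclusive open refused the symlink, racy open followed it: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The same O_EXCL rule covers the 'ps'/'mail' style fixed names in shared directories: if the program cannot create the file exclusively, it should fail rather than reuse whatever is already there.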
Code under your control?
Alas, probably not.

stack overflows/buffer spams

new dynamism:

shared libraries
  (LD_PRELOAD, LC_COLLATE, runpath, LD_LIBRARY_PATH, ...)

ever since we gave users dlopen() or similar...
Input under your control?
No!

Data servers that are subvertable
  (DNS, NIS, NFS, Kerberos)

old days: TIOCSTI

new days: TCP segment injection/spoof

inbound spams (see further down)

'who knows what's coming down the pipe next?'
Environment under your control?
No!

Do not expect contents of an env var to be sane to child processes

Remember that env vars will propagate

Be suspicious of your ability to unset a variable before forking a child

  PATH=/bin:/usr/bin:...
  IFS=/
  IFS=/
  ...
  (multiple instance)
Environment under your control
Only sane way to approach env vars:
1) do not trust anything
2) do not propagate anything that you did not create
'everything is forbidden except that which is explicitly permitted'
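An added example, not from the slides, of rule 2 applied to a child's environment: a fixed PATH and IFS, an allow-list of inherited names, a value check, and first-occurrence-only lookup so that the duplicated IFS=/ entries above cannot slip a second value past the check. build_clean_env(), value_is_sane() and the helper names are the example's own, and the "poisoned" parent environment in main() is constructed.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values the child always gets, set by us and never inherited. */
static const char *const FIXED_ENV[] = {
    "PATH=/bin:/usr/bin",
    "IFS= \t\n",
    NULL
};

/* Inherited names we are willing to pass on, if their values pass the check. */
static const char *const ALLOWED[] = { "TZ", "LANG", NULL };

/* Printable ASCII only, no shell metacharacters: a value with an embedded
 * newline, backquote or '$' is refused rather than "cleaned". */
static int value_is_sane(const char *v)
{
    for (; *v; v++) {
        if (*v < 0x20 || *v > 0x7e || strchr("`$|;&<>\\", *v) != NULL)
            return 0;
    }
    return 1;
}

/* Builds a NULL-terminated envp for execve(). For each allowed name only the
 * first inherited occurrence is looked at, so a second "IFS=/" further down
 * can never override a value that was already checked (or rejected).
 * Returns NULL on allocation failure. */
static char **build_clean_env(char *const *inherited)
{
    size_t cap = 0, n = 0, i, a;
    char **out;
    for (i = 0; FIXED_ENV[i]; i++) cap++;
    for (a = 0; ALLOWED[a]; a++) cap++;
    out = calloc(cap + 1, sizeof *out);
    if (out == NULL)
        return NULL;
    for (i = 0; FIXED_ENV[i]; i++)
        out[n++] = strdup(FIXED_ENV[i]);
    for (a = 0; ALLOWED[a]; a++) {
        size_t len = strlen(ALLOWED[a]);
        for (i = 0; inherited != NULL && inherited[i] != NULL; i++) {
            if (strncmp(inherited[i], ALLOWED[a], len) == 0 && inherited[i][len] == '=') {
                if (value_is_sane(inherited[i] + len + 1))
                    out[n++] = strdup(inherited[i]);
                break;      /* first occurrence decides, accepted or not */
            }
        }
    }
    out[n] = NULL;
    return out;
}

static void free_env(char **env)
{
    size_t i;
    for (i = 0; env[i]; i++)
        free(env[i]);
    free(env);
}

/* Lookup helpers for inspecting a built environment. */
static size_t env_count(char *const *env)
{
    size_t n = 0;
    while (env[n]) n++;
    return n;
}

static const char *env_get(char *const *env, const char *name)
{
    size_t len = strlen(name), i;
    for (i = 0; env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

int main(void)
{
    /* constructed "poisoned" parent environment, as in the IFS=/ example above;
     * a daemon would pass its real environ here instead */
    char *poisoned[] = {
        "PATH=/tmp:/bin", "IFS=/", "TZ=UTC", "IFS=/",
        "LANG=en\nGB", "LD_PRELOAD=/tmp/evil.so", NULL
    };
    char **clean = build_clean_env(poisoned);
    size_t i;
    if (clean == NULL)
        return 1;
    for (i = 0; clean[i]; i++)
        printf("%s\n", clean[i]);
    /* the child is then started with execve(path, argv, clean), never with
     * execvp()/system(), which would consult the inherited PATH and IFS */
    free_env(clean);
    return 0;
}
```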
Cinderella Attack

Forge (eg:) poorly-authenticated NTP packets.

use this method to wind the clock on the target host forward to yr 2000-odd

Software licenses for security software on target machine expire

Firewall bastion host turns into pumpkin

Network turns into pumpkin pie.
How do I ensure that my programs are under my control?
DON'T TRUST ANYTHING
(and yes, your code really does matter, it is important to know this)
Inbound Record Delimiters

one of the great, perpetual mistakes - totally obvious when it is explained, but re-occurs a lot; either programmers forget that the problem exists, or become blithe in their trust of some other service which leaves them open to subversion.
Inbound record delimiters bug: 1970s

IFS variable; field separators define notion of 'whitespace', in a shellscript...

  IFS=/ ; /bin/ls -> "bin" "ls"

so, create /tmp/bin that does something nasty, and:

  export IFS=/
  export PATH=/tmp:$PATH
  suidscriptname = calls /bin/ls, invokes '/tmp/bin'

... works for any char, eg: "IFS=n" -> "/bi" "/ls"
Inbound record delimiters bug: 1980s
DNS reverse lookup hostname set to:

  \nR"|/bin/sed -e '1,/^$/d'|/bin/sh"\nH:

Text interpolates into Sendmail's control file:

  HReceived: from HOSTNAME.site.domain

becomes:

  HReceived: from
  R"|/bin/sed -e '1,/^$/d'|/bin/sh"
  H: .site.domain

... makes bogus recipient record in config, due to lack of checking for newlines in input.
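An added example that serves both the IFS slide and this one (it is not from the slides): an allow-list hostname check and a generic delimiter test, applied before a value is interpolated into a line-oriented record such as the HReceived: line. hostname_is_safe(), field_has_delimiter() and write_received_header() are the example's own names; the "good" and "bad" inputs in main() are constructed, the bad one being the injected name shown above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allow-list check for a DNS name that will be interpolated into a line-based
 * record: labels of letters, digits and '-' (not leading or trailing),
 * separated by '.', an optional trailing '.', total length <= 253, label
 * length <= 63. Anything else, including CR, LF, '"', '|' and '#', fails. */
static int hostname_is_safe(const char *h)
{
    size_t len = strlen(h), label = 0, i;
    if (len == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-')   /* empty label or label ending in '-' */
                return 0;
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63)
                return 0;
        } else {
            return 0;                            /* delimiters and metacharacters land here */
        }
    }
    return label == 0 || h[len - 1] != '-';
}

/* Generic delimiter test for any field: refuse if it contains a byte that the
 * consuming format or shell treats as a separator (the newline and IFS cases
 * on the slides). The caller names the delimiters of the *consumer*, since a
 * value that is harmless in one context is a record boundary in another. */
static int field_has_delimiter(const char *s, const char *delims)
{
    return strpbrk(s, delims) != NULL;
}

/* Writes the header record only for a validated hostname; returns bytes
 * written, or -1 if the name was rejected or the record did not fit. */
static int write_received_header(char *out, size_t outsz, const char *host)
{
    int n;
    if (!hostname_is_safe(host))
        return -1;
    n = snprintf(out, outsz, "HReceived: from %s\n", host);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    char rec[256];
    /* constructed inputs: a normal name and the newline-injecting one above */
    const char *good = "host.foo.ac.uk";
    const char *bad  = "\nR\"|/bin/sed -e '1,/^$/d'|/bin/sh\"\nH:";

    printf("%s -> %d\n", good, write_received_header(rec, sizeof rec, good));
    printf("injected name -> %d\n", write_received_header(rec, sizeof rec, bad));
    printf("'IFS=/' contains CR/LF? %d\n", field_has_delimiter("IFS=/", "\r\n"));
    printf("'a/b' contains '/' (a shell IFS of /)? %d\n", field_has_delimiter("a/b", "/"));
    return 0;
}
```

Rejecting the whole value is deliberate: stripping the offending bytes and carrying on would leave the program trusting a string it has just proved was hostile.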
Viral input bug: 1980s

Log into NIC to do 'whois' query...

  % whois `/bin/sh </dev/tty >/dev/tty 2>&1`

... escapes from captive environment.
Viral Input bug: 1990's

... worse still...

  http://site/cgi-bin/foo?%60rm%20-rf%20/%60

(`rm -rf /` gets eval'ed by poor CGI script)

  http://site/cgi-bin/perl?...
Authentication spoofing

What does this mean?

Broad definition:
  meddling with an established communications channel
  forging credentials to lie about who you are
  cheating an authentication process
Authentication spoofing
Examples:

sniffing/guessing reusable passwords

replaying authentication cookies
  eg: HTML document passwords == b64encode('username:password')

pre-empting challenge/response schemes
  eg: hijacking S/Key sessions (aka: 'beat the clock')

TCP stream hijacking or resetting through forged addresses or sequence numbers
Spoofing examples
How many people know that '#' is not a legal character in a .rhosts file?
Tweak DNS:

  #.foo.ac.uk 28800 CNAME host.foo.ac.uk.

  % ping #
  host.foo.ac.uk is alive

Go one step further, set '#' as reverse PTR record, and log into any host with a bad .rhosts file...
Spoofing Examples
... but that's HARD compared to just plain lying.

'+' in hosts.equiv, 'my name is "root"... honest!'

forged 'admind' requests from ``localhost''

source routed NFS traffic to implement a VPN

forged TCP RSTs to disconnect sessions

SYN flooding probably fits this category, too
TCP/IP is not fit for use as an authenticator
so why do people insist on using it as if it were?
By now, you should be able to tell me.
Irritations of excess privilege

Attitude amongst O/S designers often is: 'files executed by root may be owned by anyone at all...'

Attitude should be: 'As much as possible should be root-owned but almost nothing should be root-executed since this automatically limits damage...'
Irritations of excess privilege

perms on '/etc', rwxrwxr-x, uid=root gid=bin
  therefore anyone who can get 'bin' can get root.

ownership on older /var/spool dirs = uucp
  therefore anyone who can get 'uucp' can get root (eg: forge a sendmail queuefile)

... and so forth.
Excess privilege

Problem cuts both ways:
  not only use of root permissions for programs that do not require them...
  ... but also excessive promiscuity of data that shouldn't really be public

The BANE of our LIVES
Excess privilege

Encrypted ciphertexts
  (how many years before shadow passwords gained common acceptance?)

Data users don't need to see, and data users don't need to be able to modify.
  syslog data, etc...
  world writable tty's, /dev/console, etc...
  lots of stupid little things, but...
Security is holistic
Excess privilege - THE EXAMPLE

'sendmail'

Why run as root?
  'chown' mailboxes to users? Use groups.
  protect intermediate files? Unix fileperms.
  odds and sods? Use SUID modules.
  TCP port 25 access? Use inetd/fd-passing

What is there about a mail daemon that requires root?
The principle of least privilege

Design your software such that it runs without requiring privileges that are unavailable to normal users.

Try not to screw up.
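An added example, not from the slides, of how a daemon such as the sendmail discussed above would implement this: drop supplementary groups, gid and uid in that order, then verify the drop cannot be reversed. drop_privileges() and is_unprivileged() are the example's own names and it assumes a Linux/POSIX system; main() drops to the invoking user's own ids so it runs without root.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drops to an unprivileged uid/gid permanently and verifies the result.
 * Order matters: supplementary groups first (only root can change them),
 * then the gid, then the uid; after setuid() the process could no longer
 * touch its groups, and doing it the other way round leaves root's groups
 * behind. Returns 0 on success, -1 (errno set) if a step failed or the
 * drop turned out to be reversible. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify: a real drop cannot be undone, so setuid(0) must now fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* True when the process holds no privilege a normal user lacks. */
static int is_unprivileged(void)
{
    return getuid() != 0 && geteuid() != 0;
}

int main(void)
{
    /* A mail daemon would bind port 25 (or inherit the socket from inetd) as
     * root, then drop to its own uid/gid before reading a single byte of
     * input. Here the target is the invoking user, so the example runs
     * unprivileged. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %ld gid %ld, unprivileged: %s\n",
           (long)getuid(), (long)getgid(), is_unprivileged() ? "yes" : "no");
    return 0;
}
```

Everything that genuinely needs root (binding the port, opening a root-owned spool) is done before the call; everything that parses untrusted input is done after it, which is the same split the inetd/fd-passing bullet above describes.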


The End
