Transcription
Vulnerability Assessment and SecureCoding Practices - Part 1 of 2Tutorial ObjectivesVulnerability Assessment andSecure Coding Practicesfor MiddlewareJames A. KupschComputer Sciences DepartmentUniversity of WisconsinOpen Grid ForumOctober 18, 200712RoadmapSecurity Problems Are Real Part 1: Vulnerability Assessment Process–––––––––– Show how to perform the basics of avulnerability assessment Create more people doing vulnerabilityassessments Show how different types of vulnerabilitiesarise in a system Teach coding techniques that can preventcertain types of vulnerabilities Make your software more secureIntroductionEvaluation processArchitectural analysisComputer processCommunication channelsResource analysisPrivilege analysisData Flow DiagramsComponent analysisVulnerability Discovery ActivitiesEveryone with a computer knows this. If you’re not seeing vulnerability reports andfixes for a piece of software, it doesn’tmean that it is secure. It probably meansthe opposite; they aren’t looking or aren’ttelling. The grid community has been largely lucky(security through obscurity). Part 2: Secure Coding Practices34Many Avenues of AttackImpact of VulnerabilitiesWe’re looking for attacks thatexploit inherent weaknessin your system.FBI estimates computer security incidents costU.S. businesses 67 billion in 2005[CNETnews.com] InternetFirewall:Number of reported vulnerabilities each year isincreasing [CERT stats]wwwserver8000Attack web usingwww protocols600040002000Compromised host5Copyright 2007, James A. KupschInternal bad guy0199419982002200661
Vulnerability Assessment and SecureCoding Practices - Part 1 of 2Security Requires IndependentAssessmentSecurity Requires IndependentAssessment (cont.)Fact #1:Software engineers have long known that testinggroups must be independent of developmentgroupsFact #2:Designing for security and the use of securepractices and standards does not guaranteesecurityIndependent vulnerability assessment is crucial but it’s usually not done You can have the best design in the world,but can be foiled by ––––––Coding errorsInteraction effectsSocial engineeringOperational errorsConfiguration errors 78Project GoalsSystems Investigated Develop techniques, tools and procedures forvulnerability assessment focusing on Grid software Apply to production software Improve the security of this software Educate developers about best practices in coding anddesign for security Increase awareness in the grid and distributed systemscommunity about the need for vulnerability assessment Train and build a community of security specialists Univ. of Wisconsin’s Condor Project– Batch queuing workload management system– 600K lines of code, began 15 years ago– http://www.cs.wisc.edu/condor SDSC’s Storage Resource Broker (SRB)– Distributed data store, with metadata and federationcapability– 275K lines of code, began 9 years ago– http://www.sdsc.edu/srb NCSA’s Myproxy (just starting)910Security Evaluation ProcessGoal of Vulnerability Analysis Architectural analysis Resource and privilege analysis Component analysis Codification of techniques anddissemination Overview– Insider - full access to source, documents, developers– Independent - no agenda, no blinders– First principles - let the process guide what toexamine11Copyright 2007, James A. Kupsch Audit a software system looking forsecurity problems Look for vulnerabilities Make the software more secure“A vulnerability is a defect or weakness in systemsecurity procedures, design, implementation, orinternal controls that can be exercised and result in asecurity breach or violation of security policy.”- Gary McGraw, Software Securityi.e., A bad thing122
Vulnerability Assessment and SecureCoding Practices - Part 1 of 2Attacker Supplied Data All attacks ultimately arise from attacker(user) communicated data If not, your system is malware– The mere installation causes a securityviolation It is important to know where the systemcan potentially get user supplied dataGet Application Overview Goal of architectural, resource and privilegeanalysis is to learn about the application Meet with the developers to get an overview– What does application do and how does it work– What documentation exists End-user Internal design documents––––What external libraries or environment are usedHow to build, run and controlHow to debug and testPrior bug and vulnerability reports1314General Analysis TechniquesAnalysis By ObservingRunning Process Applies to architectural, resource andprivilege analyses Find needed information– Use existing documentation Often incomplete, out of date, or just wrong– Talk to developers– Experiment with the system– Look at the code - most precise, but most timeconsuming (later slides will have hints on whatto look for) Useful as a starting point Will only reveal information about exercisedpaths in the process System monitoring tools– ps - information about the process– lsof netstat - information about files/network– ptrace strace dtrace truss ltrace - trace ofsystem calls– diff tripwire - can show what objects in the filesystem were modified– purify valgrind - memory access problems1516Architectural AnalysisProcess Configuration Create a detailed big picture view of the system Document and diagram– Execution environment (hosts used in system andexternal resources used by system)– What executables exist and their function– How users interact with them– How executables interact with each other– What privileges they have– What resources they control andaccess– Trust relationships17Copyright 2007, James A. Kupsch How is an executable configured– Configuration files– Hard coded– Other What can be configured– How does it affect the application– Often reveals functional and architecturalinformation183
Vulnerability Assessment and SecureCoding Practices - Part 1 of 2Process Attributes user/group used to start process Is the process setuid/setgid Any unusual process attributes– chroot– Limits– Uses capabilitiesExternal Programs Used How are external programs used External servers––––DatabaseWeb serverApplication serverOther External executables launched uid/gid switching uid/gid sensitive behavior– Signs in the code: popen system exec*– What executables1920User Interaction with SystemProcess CommunicationChannels How do users interact with the system– Client executables– API What type of interaction can they have What data do they inject into the system What exists between – Servers– Client and server– Server and external programs DBMS Network services––––DNSLDAPKerberosFile services: NFS AFS ftp http Shows interaction between components2122Communication MethodsCommand Line What does program use and why OS provides a large variety––––Command lineFilesCreating processesIPC PipesFIFO's or named pipesSystem V IPCMemory mapped files– Environment– Sockets– Signals– Directories– Symbolic links23Copyright 2007, James A. Kupsch Null-terminated array of strings passed toa starting process from its parent Convention is that argv[0] is the path toexecutable file Signs in code––––C/C : argc argvPerl: @ARGV 0sh: 0 1 2 # @ *csh: 0 argv244
Vulnerability Assessment and SecureCoding Practices - Part 1 of 2Environment Null-terminate array of string passed to aprocess from its parent Convention is that each string is of the formkey value, and key can not contain an equalsign Program can change environment Contents can affect program behavior Inherited by children Signs in code:– C/C : environ getenv setenv putenv– Perl: @ENV– bash/csh: no easy way to tell usesFiles Represented by a path in the file system File descriptors represent files in program– From opening or creating a file– Inherited from parent process– Sent via IPC Contents can be data, configuration,executable code, library code, scripts Signs in code:– C/C : open creat fopen2526Standard File DescriptorsSockets Convention is creating process opens filedescriptors 0, 1 and 2 for use by thecreated process to be used as standard in,out, and err Functions and libraries often implicitly usethese and expect them to be opened Signs in code– C/C : stdin stdout stderrSTDIN FILENO STDOUT FILENOSTDERR FILENO getchar gets scanfprintf vprintf vscanf cin cout cerr Allows creating a communication path– local to the system– between hosts using protocols such as TCP/IP Can be stream or message based Signs in code– C/C : socket bind connect listen acceptsocketpair send sendto sendmsg recvrecvfrom recvmsg getpeername getsocknamesetsockopt getsockopt shutdown– Bash: /dev/tcp/host/port/dev/udp/host/port2728Creating a ProcessSignals When a process is created man properties of theoriginal are inherited such as Asynchronous notification to a processgenerated from the operating system, runtime events or sent from relatedprocesses Essentially a 1 bit message Signs in code–––––User and group idsFile descriptors without close-on-execCurrent and root directoriesProcess limitsMemory contents Exit status communicated back to parent Signs in code– C/C : fork popen system exec* exit exitwait waitpid wait3 wait4– Perl: open system qx exit exit waitwaitpid wait3 wait429Copyright 2007, James A. Kupsch– C/C : kill raise signal sigvecsigaction sigsuspend abort305
Vulnerability Assessment and SecureCoding Practices - Part 1 of 2Local IPC Intra-host communication methods Some can pass file descriptors betweenprocesses Signs in code:–––––Pipes: pipe mkfifoSysV Message Q: msgget msgctl msgsnd msgrcvSysV Semaphore: semget shmctl semopSysV Shared Mem: shmget shmctl shmat shmdtMemory mapped files: mmapDirectories Directories contain a list of file system objectssuch as files and directories Directory can be read to get list of names orupdated by creating, renaming or deletingexisting entries Entries have metadata like size, type, and owner Signs in code:– C/C : opendir readdir closedir creatopen(with O CREATE) fdopen mkdir mkfifo mknodsymlink link unlink remove rename rmdirstat fstat3132Symbolic LinksMessaging & File Formats Symbolic links are an entry in a directorythat contain a path (referent) When evaluating a path the operatingsystem follows the referent in the link Referent can be read and used by aprogram Signs in code:– C/C : any function taking a path, symlinkreadlink Document messaging protocols– This is really an API between executables– What is the format and purpose of eachmessage– How are message boundaries and individualpieces of data determined Document file formats– Same thing as for messages– You can think of files as persistentasynchronous messages3334Libraries UsedResource Analysis What libraries does the executable use– Run ldd on executable– Look at link command line– Look for uses of dlopen in the code Need to check it for vulnerabilities and forsafe use (you inherit all its problems)– Audit the library– Rely on reports from others35Copyright 2007, James A. Kupsch A resource is an object that is useful to auser of the system and is controlled by thesystem– Physical things Disk spaceCPU cyclesNetwork bandwidthAttached devices– Data366
Vulnerability Assessment and SecureCoding Practices - Part 1 of 2Documenting Resources What resources exist in the system What executables/hosts control theresource What operations are allowed What privileges are required What does an attacker gaining access tothe resource implyPrivilege Analysis Privilege is the authorization for a user toperform an operation on a resource Role is a set of privileges assigned tomultiple users to create types of user suchas admin How is authentication performed, if anattacker can authenticate as another userthey gain their privileges3738Privileges in the SystemInteractions with other privileges What privileges exist in the system Do they map appropriately to operationson resources Are they reasonably fine grained How are they enforced What privilege system are used: OS, DBMSWhat accounts and privileges are usedWhat is the purpose of each accountDoes the system use the other privilegesystem to enforce its privilege model Are the minimal privileges used Use of root or admin accounts requirespecial attention3940TrustBad trust An executable trusts another when– It relies on a behavior in the other– Doesn't or can't verify the behavior Implicit trust– The operating system– Process with root privilege on the same host they can do anything– Processes with same uid on the same host they can do anything to each other– All the code in your executable including libraries41Copyright 2007, James A. Kupsch Not validating data from another trustdomain for proper form (form, length,range) Bad assumptions– User entered data in proper form– Data passed to client is returned unchanged Verification requires a cryptographic signature Commonly occurs with hidden input field andcookies in HTML427
Vulnerability Assessment and SecureCoding Practices - Part 1 of 2More Bad TrustUse/Abuse Cases Bad assumptions (cont.) Use cases– Data is validated only in the client Client can be rewritten or replaced Good to validate on the client, but server validationis required Best to validate data even from trustedexecutables as it provides security indepth Abuse cases– Anti-use case, what an attack might do tobreak the system– Prevents one compromised server from beingused as a conduit for an attack Both will reveal the architecture andpotential security problems4344Data Flow DiagramsData Flow Diagrams Takes information from previous analyses Turns a use/abuse case into a diagramshowing–––––– Document typical use scenarios for thesoftware– Often times created by testing teamHostsComponents such as processesPrivilegesMessage flowsSteps in the case Colors represent privilegeHosts are represented by rectanglesProcesses by circlesCommunication flow by lines with arrowsindicating direction of flow– Labels indicate contents of message or operation Other symbols can be used for other importantobjects in the case such as files We’ve noted that developers often learn thingswhen presented with just these diagrams4546Privileges - Root InstallPrivileges - Non-Root InstallCentral ManagerReal UIDs4. NegotiationCyclerootnegotiatorcondorCentral ManagerReal UIDs4. ollectoruser1. Machine ClassAd4.Negotiation5. ReportCycleMatch5. ReportMatch 3. Job ClassAdSubmit HostUserstartd1. Job Description File2. Job ClassAdsubmitschedd7. ForkShadowCompromise ofanything in redimplies,6. ClaimHostcompromise of the hostand all processes on it1. Machine ClassAdExecute Hoststartd7. forkStarterscheddshadowCopyright 2007, James A. KupschUserstartd6. Claim Host2. Job ClassAd9. Set policy andfork User JobUser Job47Submit Host1. Job Description Filestarter8. Establish Communication Path4.Negotiation5. ReportCycleMatch5. ReportMatch 3. Job ClassAdsubmitschedd7. ForkShadowExecute Hoststartd7. forkStarterscheddstarter8. Establish Communication Pathshadow9. Set policy andfork User JobUser Job488
Vulnerability Assessment and SecureCoding Practices - Part 1 of 2Drilling In / Drilling OutComponent Analysis Drill in to focus on sub systems that are morelikely to be vulnerable and lead to large securityfailures Audit the source code of a component the audit is directed by earlier analyses Look for vulnerabilities in a component Need to connect user input to a place inthe code where a vulnerability can betriggered by it Finds deeper problems than black boxtesting than– Deal with security– Control resources– Validate input Drill out to analyze how this system interact withothers– Systems can be secure, but insecure in how it is usedin the whole system– Penetration testing– Fuzzing4950Categories of VulnerabilitiesMany Types of Vulnerabilities Design Flaws– Problems inherent in the design– Hard to automate discoveryOccur aboutequally Implementation Bugs– Improper use of the programming language, or of alibrary API– Localized in the code Operational vulnerabilities– Configuration or environment Social EngineeringBuffer overflowsInjection attacksRace conditionsNot properly droppingprivilegeInsecure permissionsDenial of serviceInformation leaksLack of integrity checksLack of authenticationLack of authorizationCommand injection(in a shell)Format string attacks(in printf/scanf)SQL injectionCross-site scripting or XSS(in HTML)Directory traversalInteger vulnerabilities– Valid users tricked into attacking5152Focusing the SearchDifficulties It's impossible to completely analyze a systemfor vulnerabilities From places where vulnerabilities can occur inthe code with the wrong data From the point of view of an attacker's goal andtry to think of ways the threat can be realized If there were prior security problems look forsimilar problems Focus on subsystem that are one of– Important– Security related– Poorly written– Poorly tested (little used)– Developer/Testing functionality53Copyright 2007, James A. Kupsch Need to trace function call graphs to tracedata flows to determine potential values It is difficult in C to determine functioncall graphs using a textual analysis, due tothe ambiguity of identifiers; the namealone is insufficient to determine theactual function The use of function pointers alsocomplicate this analysis549
Vulnerability Assessment and SecureCoding Practices - Part 1 of 2Code Browsing Tools cscope– Doesn’t understand C ctags– Useful for finding definitions of global variables andfunctions, but not uses eclipse– Doesn’t handle size of code and style well Hand written perl scripts to search code– Useful, but really need to parse C/C Static Code Analysis Tools Require a human to analyze the results for false positivesWon't find complex flawsThey aid the assessor, but they're not one-click securityCommercial analyzers––––CoverityFortifySecure http://www.grammatech.com Freely available analyzers– Flawfinderhttp://www.dwheeler.com/flawfinder– RATS (Rough Auditing Tool for Security)http://www.securesoftware.com/rats– ITS4http://www.citigal.com/its4 Compiler warnings5556Vulnerability ReportCondor Vulnerability Report One report per vulnerability Provide enough information for developersto reproduce and suggest mitigations Written so that a few sections can beremoved and the abstracted report is stilluseful to users without revealing too muchinformation to easily create an attack.5758Vulnerability Report ItemsVulnerability Report Items SummaryAffected version(s) and platformFixed version(s)Availability - is it known or being exploitedAccess required - what type of accessdoes an attacker require: local/remotehost? Authenticated? Special privileges? Effort required (low/med/high) - what typeof skill and what is the probability ofsuccess59Copyright 2007, James A. Kupsch Impact/Consequences (low/med/high) how does it affect the system: minorinformation leak is low, gaining rootaccess on the host is high Sections only in full disclosure report– Full details - full description of vulnerabilityand how to exploit it– Cause - root problem that allows it– Proposed fix - proposal to eliminate problem– Actual fix - how it was fixed6010
Vulnerability Assessment and SecureCoding Practices - Part 1 of 2Vulnerability Disclosure Process Disclose vulnerability reports todevelopers Allow developers to mitigate problems in areleaseNow here’s the really hard part: Publish abstract disclosures incooperation with developers. When? Publish full disclosures in cooperation withdevelopers. When?61Copyright 2007, James A. KupschWhen a Vulnerability Is Found Don’t Panic!!! Have a plan.Plan what, how, when and to whom to announcePlan how to fix, and what versionsSeparate security release or combine with otherchanges? When to release full details– are details known or being exploitedexternally– open/closed source projects– allow time for users to upgrade6211
Part 2: Secure Coding Practices 4 Security Problems Are Real Everyone with a computer knows this. If you're not seeing vulnerability reports and fixes for a piece of software, it doesn't mean that it is secure. It probably means the opposite; they aren't looking or aren't teling. The grid community has been largely lucky
