1 10 common programming mistakes that make you vulnerable to attack condor week madison may 3, 2012...
TRANSCRIPT
![Page 1: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/1.jpg)
1
10 common programming mistakes that make you
vulnerable to attack
Condor WeekMadison May 3, 2012
This research funded in part by Department of Homeland Security grant FA8750-10-2-0030 (funded through AFRL). Past funding has been provided by NATO grant CLG 983049, National Science Foundation grant OCI-0844219, the
National Science Foundation under contract with San Diego Supercomputing Center, and National Science Foundation grants CNS-0627501 and CNS-0716460.
Barton P. MillerJim Kupsch
Computer Sciences DepartmentUniversity of Wisconsin
Elisa HeymannComputer Architecture and
Operating Systems DepartmentUniversitat Autònoma de Barcelona
![Page 2: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/2.jpg)
2
Things That We All Know• All software has vulnerabilities• Critical infrastructure software is
complex and large• Vulnerabilities can be exploited by
both authorized users and by outsiders
• Programmers must be security-aware– Designing for security and the use of
secure practices and standards does not guarantee security… but helps
![Page 3: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/3.jpg)
3
What do we do
• Assess Middleware: Make cloud/grid software more secure
• Train: We teach tutorials for users, developers, sys admins, and managers
• Research: Make in-depth assessments more automated and improve quality of automated code analysis
http://www.cs.wisc.edu/mist/papers/VAshort.pdf
![Page 4: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/4.jpg)
4
1. Buffer overflow
![Page 5: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/5.jpg)
5
Buffer Overflow of User Data Affecting Flow of Control
char id[8];int validId = 0; /* not valid */
gets(id); /* reads "evillogin"*/
/* validId is now 110 decimal */if (IsValid(id)) validId = 1; /* not true */if (validId) /* is true */
{DoPrivilegedOp();} /* gets executed */
e v i l l o g i 110
‘n’
\0 \0 \0id validId
\0 \0 \0 \0id validId
![Page 6: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/6.jpg)
6
2. Numeric Errors
![Page 7: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/7.jpg)
9
3. Race Conditions
![Page 8: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/8.jpg)
11
Race Condition Examples
• Your Actions Attackers Actions=strdup("/tmp/zXXXXXX")tempnam(s)// s now "/tmp/zRANDOM" link = "/etc/passwd"
file = "/tmp/zRANDOM"symlink(link, file)
f = fopen(s, "w+")// writes now update// /etc/passwd
time
![Page 9: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/9.jpg)
12
4. Exceptions
![Page 10: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/10.jpg)
Exception Suppression
1. User sends malicious data1. User sends malicious data
boolean Login(String user, String pwd){ boolean loggedIn = true; String realPwd = GetPwdFromDb(user); try { if (!GetMd5(pwd).equals(realPwd)) { loggedIn = false; } } catch (Exception e) { //this can not happen, ignore } return loggedIn;}
user=“admin”,pwd=null
2. System grants access2. System grants access Login() returns true
13
![Page 11: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/11.jpg)
14
5. Too much information
![Page 12: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/12.jpg)
WTMI (Way Too Much Info)
15
Login(… user, … pwd) { try { ValidatePwd(user, pwd); } catch (Exception e) { print("Login failed.\n"); print(e + "\n"); e.printStackTrace(); return; }}
void ValidatePwd(… user, … pwd) throws BadUser, BadPwd { realPwd = GetPwdFromDb(user); if (realPwd == null) throw BadUser("user=" + user); if (!pwd.equals(realPwd)) throw BadPwd("user=" + user + " pwd=" + pwd + " expected=" + realPwd); …
Login failed.BadPwd: user=bob pwd=x expected=passwordBadPwd: at Auth.ValidatePwd (Auth.java:92) at Auth.Login (Auth.java:197) … com.foo.BadFramework(BadFramework.java:71) ...
Login failed.BadPwd: user=bob pwd=x expected=passwordBadPwd: at Auth.ValidatePwd (Auth.java:92) at Auth.Login (Auth.java:197) … com.foo.BadFramework(BadFramework.java:71) ...
User exists
User exists
Entered pwd
Entered pwd User's actual
password ?!?(passwords aren't hashed)
User's actual password ?!?
(passwords aren't hashed)
Reveals internal structure
(libraries used, call structure, version
information)
Reveals internal structure
(libraries used, call structure, version
information)
![Page 13: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/13.jpg)
16
6. Directory Traversal
![Page 14: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/14.jpg)
17
Successful Directory Traversal Attack
1. Users requests1. Users requests File="....//etc/passwd"
2. Server deletes2. Server deletes /etc/passwd
String path = request.getParameter("file");path = "/safedir/" + path;// remove ../'s to prevent escaping out of /safedirReplace(path, "../", "");File f = new File(path);f.delete();
Before Replace path = "/safedir/….//etc/passwd"After Replace path = "/safedir/../etc/passwd"Before Replace path = "/safedir/….//etc/passwd"After Replace path = "/safedir/../etc/passwd"
![Page 15: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/15.jpg)
18
7. SQL Injection Attacks
![Page 16: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/16.jpg)
19
Successful SQL Injection Attack
• Dynamically generated SQL without validation or quoting is vulnerable$u = " '; drop table t --";$sth = $dbh->do("select * from t where u = '$u'");
Database sees two statements:
select * from t where u = ' '; drop table t --'
![Page 17: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/17.jpg)
21
8. Command Injections
![Page 18: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/18.jpg)
Successful OS Injection Attack1. User sends malicious data1. User sends malicious data
3. System executes3. System executes nslookup x.com;rm –rf /*
22
String rDomainName(String hostname) { … String cmd = "/usr/bin/nslookup " + hostname; Process p = Runtime.getRuntime().exec(cmd); …
hostname="x.com;rm –rf /*"
2. Application uses nslookup to get DNS records2. Application uses nslookup to get DNS records
4. All files possible are deleted4. All files possible are deleted
![Page 19: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/19.jpg)
23
9. Code Injection
![Page 20: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/20.jpg)
25
10. Web Attacks
![Page 21: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/21.jpg)
27
Reflected Cross Site Scripting (XSS)
•••
String query = request.getParameter("q");if (query != null) { out.writeln("You searched for:\n" + query);}•••
<html>•••
You searched for:<script>alert('Boo!')</script>•••
</html>
http://example.com?q=<script>alert('Boo!')</script>
3. Generated HTML displayed by browser3. Generated HTML displayed by browser
1. Browser sends request to web server1. Browser sends request to web server
2. Web server code handles request2. Web server code handles request
![Page 22: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/22.jpg)
28
Would you like an expanded tutorial taught at your site?
Tutorials for users, developers, administrators and managers: – Security Risks– Secure Programming– Vulnerability Assessment
Contact us!
Barton P. Miller
Elisa Heymann
![Page 23: 1 10 common programming mistakes that make you vulnerable to attack Condor Week Madison May 3, 2012 This research funded in part by Department of Homeland](https://reader036.vdocuments.site/reader036/viewer/2022070407/56649e375503460f94b26f48/html5/thumbnails/23.jpg)
29
Questions?
http://www.cs.wisc.edu/mist