10 common programming mistakes that make you vulnerable to attack

Condor Week, Madison, May 3, 2012

Barton P. Miller, Jim Kupsch
Computer Sciences Department, University of Wisconsin

Elisa Heymann
Computer Architecture and Operating Systems Department, Universitat Autònoma de Barcelona

This research funded in part by Department of Homeland Security grant FA8750-10-2-0030 (funded through AFRL). Past funding has been provided by NATO grant CLG 983049, National Science Foundation grant OCI-0844219, the National Science Foundation under contract with San Diego Supercomputing Center, and National Science Foundation grants CNS-0627501 and CNS-0716460.

Things That We All Know
• All software has vulnerabilities
• Critical infrastructure software is complex and large
• Vulnerabilities can be exploited by both authorized users and by outsiders
• Programmers must be security-aware
  – Designing for security and the use of secure practices and standards does not guarantee security… but helps

What do we do
• Assess Middleware: Make cloud/grid software more secure
• Train: We teach tutorials for users, developers, sys admins, and managers
• Research: Make in-depth assessments more automated and improve quality of automated code analysis
http://www.cs.wisc.edu/mist/papers/VAshort.pdf
1. Buffer overflow

Buffer Overflow of User Data Affecting Flow of Control

```c
char id[8];
int validId = 0;                 /* not valid */

gets(id);                        /* reads "evillogin" */

/* validId is now 110 decimal */
if (IsValid(id)) validId = 1;    /* not true */
if (validId)                     /* is true */
    { DoPrivilegedOp(); }        /* gets executed */
```

Memory layout before and after gets():

```
            id                         validId
before:     (8 bytes)                  \0  \0  \0  \0
after:      e  v  i  l  l  o  g  i     110 ('n')  \0  \0  \0
```
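
A bounded replacement for the slide's `gets(id)` call, as an added example that is not part of the original slides: `read_id()` rejects a line that does not fit instead of overflowing or silently truncating it, and the privilege decision comes from a return value rather than from a flag stored next to the buffer. The names `read_id()`, `login_allowed()` and `is_valid()`, and the accepted id "alice", are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define ID_SIZE 8   /* same as the slide's id[8]: 7 characters plus NUL */

/* Read one line into id without ever writing past id[size-1].
 * Returns 0 if the whole line fit, -1 on EOF or if it was too long
 * (the rest of the oversized line is discarded, id is emptied). */
int read_id(FILE *in, char *id, size_t size)
{
    if (size == 0 || fgets(id, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(id);
    if (len > 0 && id[len - 1] == '\n') {
        id[len - 1] = '\0';          /* complete line: strip the newline */
        return 0;
    }
    int c = fgetc(in);               /* buffer filled before a newline */
    if (c == '\n' || c == EOF)
        return 0;                    /* the line fit exactly */
    while ((c = fgetc(in)) != '\n' && c != EOF)
        ;                            /* drain the rest of the long line */
    id[0] = '\0';
    return -1;
}

/* Constructed stand-in for the slide's IsValid(). */
static int is_valid(const char *id) { return strcmp(id, "alice") == 0; }

/* 1 only if an id was read in full and is valid; fails closed otherwise. */
int login_allowed(FILE *in)
{
    char id[ID_SIZE];
    if (read_id(in, id, sizeof id) != 0)
        return 0;
    return is_valid(id);
}

int main(void)
{
    FILE *in = tmpfile();            /* constructed input: one long id, one valid id */
    if (in == NULL) return 1;
    fputs("evillogin\nalice\n", in);
    rewind(in);
    printf("evillogin -> %d\n", login_allowed(in));
    printf("alice     -> %d\n", login_allowed(in));
    fclose(in);
    return 0;
}
```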
2. Numeric Errors
3. Race Conditions

Race Condition Examples

```
time   Your Actions                     Attacker's Actions
 |     s = strdup("/tmp/zXXXXXX")
 |     tempnam(s)
 |     // s now "/tmp/zRANDOM"
 |                                      link = "/etc/passwd"
 |                                      file = "/tmp/zRANDOM"
 |                                      symlink(link, file)
 |     f = fopen(s, "w+")
 |     // writes now update
 v     // /etc/passwd
```
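
Closing the window between choosing the name and opening the file, as an added example that is not part of the original slides: creation with `O_CREAT | O_EXCL` refuses a name that already exists, including a symlink, and `mkstemp()` combines naming and creation. The function names `create_exclusive()` and `symlink_is_refused()` and the `/tmp/raceXXXXXX` scratch directory are constructed for this example, which assumes a POSIX system with a writable `/tmp`.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Create path only if nothing exists there. O_CREAT|O_EXCL makes the check
 * and the creation one atomic step, and fails with EEXIST when the name is
 * a symlink (even a dangling one), so a planted link is never followed. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario inside a private directory: a symlink already sits at
 * the name we are about to use. Returns 1 if creation is refused, 0 if the
 * link was followed, -1 if the scenario could not be set up. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/raceXXXXXX", target[64], name[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(name, sizeof name, "%s/z", dir);
    int t = create_exclusive(target);
    if (t < 0 || symlink(target, name) != 0)
        return -1;
    close(t);
    int fd = create_exclusive(name);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0)
        close(fd);
    unlink(name);
    unlink(target);
    rmdir(dir);
    return refused;
}

int main(void)
{
    /* For temporary files, mkstemp() names and creates the file in one call. */
    char tmpl[] = "/tmp/zXXXXXX";
    int fd = mkstemp(tmpl);
    printf("symlink refused: %d, mkstemp created: %s\n", symlink_is_refused(), tmpl);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    return 0;
}
```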
4. Exceptions

Exception Suppression

1. User sends malicious data: user="admin", pwd=null

```java
boolean Login(String user, String pwd) {
    boolean loggedIn = true;   // starts as "logged in"; only a completed comparison can clear it
    String realPwd = GetPwdFromDb(user);
    try {
        if (!GetMd5(pwd).equals(realPwd)) {
            loggedIn = false;
        }
    } catch (Exception e) {
        // this can not happen, ignore
    }
    return loggedIn;
}
```

2. System grants access: Login() returns true
5. Too much information

WTMI (Way Too Much Info)

```
Login(… user, … pwd) {
    try {
        ValidatePwd(user, pwd);
    } catch (Exception e) {
        print("Login failed.\n");
        print(e + "\n");
        e.printStackTrace();
        return;
    }
}

void ValidatePwd(… user, … pwd) throws BadUser, BadPwd {
    realPwd = GetPwdFromDb(user);
    if (realPwd == null)
        throw BadUser("user=" + user);
    if (!pwd.equals(realPwd))
        throw BadPwd("user=" + user + " pwd=" + pwd + " expected=" + realPwd);
    …
```

Output:

```
Login failed.
BadPwd: user=bob pwd=x expected=password
BadPwd:
    at Auth.ValidatePwd (Auth.java:92)
    at Auth.Login (Auth.java:197)
    …
    com.foo.BadFramework(BadFramework.java:71)
    ...
```

What this reveals:
• User exists
• Entered pwd
• User's actual password ?!? (passwords aren't hashed)
• Reveals internal structure (libraries used, call structure, version information)
6. Directory Traversal

Successful Directory Traversal Attack

1. User requests file="....//etc/passwd"

```java
String path = request.getParameter("file");
path = "/safedir/" + path;
// remove ../'s to prevent escaping out of /safedir
path = path.replace("../", "");
File f = new File(path);
f.delete();
```

Before Replace: path = "/safedir/....//etc/passwd"
After Replace:  path = "/safedir/../etc/passwd"

2. Server deletes /etc/passwd
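
Why the slide's filter fails and what to check instead, as an added example in C that is not part of the original slides: `strip_once()` reproduces the single-pass removal, and `stays_inside()` rejects a request whose components would climb above the base directory rather than rewriting it. Both function names are constructed for this example; note that the raw request only becomes a traversal after the filter has rewritten it.

```c
#include <stdio.h>
#include <string.h>

/* The slide's filter: one left-to-right pass that deletes every "../". */
void strip_once(const char *in, char *out, size_t size)
{
    size_t n = 0;
    if (size == 0)
        return;
    while (*in != '\0' && n + 1 < size) {
        if (strncmp(in, "../", 3) == 0)
            in += 3;                 /* drop the match, do not rescan */
        else
            out[n++] = *in++;
    }
    out[n] = '\0';
}

/* Returns 1 if rel, appended to a base directory, never climbs above that
 * directory; 0 otherwise. The request is rejected, not rewritten. The check
 * is lexical only: symlinks under the base are not resolved here. */
int stays_inside(const char *rel)
{
    int depth = 0;
    while (*rel != '\0') {
        size_t len = strcspn(rel, "/");          /* length of this component */
        if (len == 2 && rel[0] == '.' && rel[1] == '.') {
            if (--depth < 0)
                return 0;                        /* ".." would leave the base */
        } else if (len > 0 && !(len == 1 && rel[0] == '.')) {
            depth++;                             /* ordinary name */
        }
        rel += len;
        if (*rel == '/')
            rel++;
    }
    return 1;
}

int main(void)
{
    char out[64];
    strip_once("/safedir/....//etc/passwd", out, sizeof out);   /* slide's input */
    printf("filter output: %s\n", out);
    printf("....//etc/passwd accepted: %d\n", stays_inside("....//etc/passwd"));
    printf("../etc/passwd accepted:    %d\n", stays_inside("../etc/passwd"));
    return 0;
}
```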
7. SQL Injection Attacks

Successful SQL Injection Attack

• Dynamically generated SQL without validation or quoting is vulnerable

```perl
$u = " '; drop table t --";
$sth = $dbh->do("select * from t where u = '$u'");
```

Database sees two statements:

```sql
select * from t where u = ' '; drop table t --'
```
8. Command Injections

Successful OS Injection Attack

1. User sends malicious data: hostname="x.com;rm -rf /*"

2. Application uses nslookup to get DNS records

```java
String rDomainName(String hostname) {
    …
    String cmd = "/usr/bin/nslookup " + hostname;
    Process p = Runtime.getRuntime().exec(cmd);
    …
```

3. System executes nslookup x.com;rm -rf /*

4. All files possible are deleted
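
The two defenses that apply to this slide, as an added example in C that is not part of the original slides: validate the hostname against a strict allowlist, then pass it to the program as a single argument with no shell in between. The function names `is_hostname()` and `lookup()` are constructed for this example; the nslookup path is the one on the slide.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check: 1 if name is a plausible DNS hostname (dot-separated labels
 * of 1-63 letters, digits or hyphens, no label starting or ending with a hyphen,
 * at most 253 characters in total); 0 for anything else. */
int is_hostname(const char *name)
{
    size_t total = strlen(name), label = 0;
    if (total == 0 || total > 253 || name[total - 1] == '-')
        return 0;
    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)name[i];
        if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63)
                return 0;
        } else if (c == '.' && label > 0 && name[i - 1] != '-') {
            label = 0;               /* label boundary */
        } else {
            return 0;                /* ';', space, '/', '*', leading '-', ... */
        }
    }
    return label > 0;
}

/* Run nslookup with the hostname as one argv entry; no shell parses it.
 * Returns the exit status (127 if exec failed), -1 if validation or fork fails. */
int lookup(const char *hostname)
{
    if (!is_hostname(hostname))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/usr/bin/nslookup", "nslookup", hostname, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    return argc == 2 ? lookup(argv[1]) : 2;
}
```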
9. Code Injection
10. Web Attacks

Reflected Cross Site Scripting (XSS)

1. Browser sends request to web server

```
http://example.com?q=<script>alert('Boo!')</script>
```

2. Web server code handles request

```java
…
String query = request.getParameter("q");
if (query != null) {
    out.writeln("You searched for:\n" + query);
}
…
```

3. Generated HTML displayed by browser

```html
<html>
…
You searched for:
<script>alert('Boo!')</script>
…
</html>
```

Would you like an expanded tutorial taught at your site?

Tutorials for users, developers, administrators and managers:
– Security Risks
– Secure Programming
– Vulnerability Assessment

Contact us!
Barton P. Miller [email protected]
Elisa Heymann [email protected]
Questions?
http://www.cs.wisc.edu/mist