6. Temp & Rand

Page 1: 6.Temp & Rand

Course 2: Programming Issues, Section 6
Pascal Meunier, Ph.D., M.Sc., CISSP
May 2004; updated September 28, 2004
Developed thanks to the support of Symantec Corporation, NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center
Copyright (2004) Purdue Research Foundation. All rights reserved.


Page 2: 6.Temp & Rand

About These Slides

Developed thanks to Symantec’s support

Reviewed by Symantec engineers

– Special thanks to:

Jared Robinson

Alan Krassowski

Craig Ozancin

Free to use

– Notes, comments, suggestions, or modified slides are appreciated ([email protected])

If you modify them, please keep this slide and add a note stating that you modified them

Page 3: 6.Temp & Rand

Course 2 Learning Plan

Buffer Overflows

Format String Vulnerabilities

Code Injection and Input Validation

Cross-site Scripting Vulnerabilities

Links and Race Conditions

Temporary Files and Randomness

Canonicalization and Directory Traversal

Page 4: 6.Temp & Rand

Learning objectives

Understand why creating files in insecure directories like /tmp is difficult but useful

Learn why OS-provided function calls help tremendously

Understand the need for good randomness

Learn which OS-provided function calls help provide good random numbers

Learn how to create random file names

Page 5: 6.Temp & Rand

Temporary Files and Randomness: Outline

Temporary Files

– Problem Statement

– Survey of functions

UNIX

Windows

Randomness

– Need

– Types of random numbers

– Devices

– Windows API

Page 6: 6.Temp & Rand

Temporary Files

Space for temporary files is found in directories such as /tmp, /var/tmp or C:\TEMP, where everyone can write

Space may be purged regularly (e.g., "every night, files older than 5 days are deleted") and during reboot

Space used by many UNIX or Windows utilities, installers and programs

UNIX systems are often configured so that this space is not counted as part of user quota

– Allow large, temporary jobs

Page 7: 6.Temp & Rand

Temporary Files Issues

Need an unpredictable name to avoid a collision between links and your files or directories

There's a race condition between testing if a file exists and creating it

Need correct permissions

There's a race condition between creating and setting permissions

Need OS support!

Page 8: 6.Temp & Rand

Name Collisions Attacks

What if the name of your temporary file (lock file or other) in /tmp is constant or predictable?

– Your program using a lock file may never run or do what it's supposed to!

Run the lock.c example from part A, but this time, create a lock file beforehand... Your program will never get past the lock file test (obviously)

Lock files need to be put where other users can't create files

– It's easy to make a symlink pointing to a sensitive file

Symlink attacks are easier if the name of the temporary file is predictable

Page 9: 6.Temp & Rand

How Not to Choose a Random Name

Use the process ID

Use the user ID

Use the time of day

Use a counter

Use a bad random number generator

etc...

Page 10: 6.Temp & Rand

OS Support for Temporary Files

The following take a filename “template” as input

– mktemp - generate temporary file name (unique)

– mkstemp - also create the file

– mkstemps - generate temporary file name with suffix

– mkdtemp - create a directory

Overwrite part of a template to create a unique name

Some of these functions used to create names using parts of the date or process ID, etc... and were insecure

Page 11: 6.Temp & Rand

mktemp (1) (3)

Section (1): command line (shell scripts)

– BSD/MacOS X:

– creates file with mode 0600, unique name

Section (3): C programs

– Race condition between getting the name and creating the file!

– The program must use "open" with the O_CREAT | O_EXCL flags, and loop until the file is successfully created, or use a different function

Page 12: 6.Temp & Rand

Command Line Example

% mktemp "testXXXX"

testpnbE

% ls -al

-rw------- pascal staff testpnbE

Page 13: 6.Temp & Rand

mkstemp

Creates name

Creates file open for reading and writing with mode 0600

Returns a file descriptor

No race condition!

Recommended function

Usage for extremely paranoid people: “Unlink” the hard link pointing to the descriptor immediately afterwards (this is a race condition)

The file still exists but nobody else (except with difficulty, the superuser) can access it

Page 14: 6.Temp & Rand

Mini Lab

Take the previous lock.c example

Modify it to use mkstemp to generate a temporary file with a unique name

Of course, the temporary file created that way is not a lock file anymore, and would be used to store temporary data instead
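A worked version of this Mini Lab, added here as an example rather than taken from the course's lock.c: it creates the file with mkstemp(3) as described on the previous slide, and optionally unlinks the name right away, the "extremely paranoid" usage. The /tmp directory and the lock prefix are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a unique temporary file and return its descriptor. mkstemp() replaces
 * the XXXXXX suffix and creates the file with O_CREAT|O_EXCL and mode 0600 in a
 * single call, so there is no window between choosing the name and creating
 * the file. With unlink_now set, the directory entry is removed at once (the
 * "extremely paranoid" usage): the open descriptor keeps the file alive, but no
 * other process can reach it by name any more. path_out receives the name. */
int make_temp(int unlink_now, char *path_out, size_t path_len) {
    char tmpl[] = "/tmp/lockXXXXXX";   /* must be a writable array ending in XXXXXX */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    /* Belt and braces: very old mkstemp() implementations created mode 0666. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) < 0) { close(fd); unlink(tmpl); return -1; }
    snprintf(path_out, path_len, "%s", tmpl);
    if (unlink_now && unlink(tmpl) < 0) { close(fd); return -1; }
    return fd;
}

/* Exercise make_temp(): write data, read it back through the same descriptor,
 * and check whether the name is still visible in /tmp. Returns 0 on failure,
 * 1 if the round trip worked and the name is still visible, 2 if it worked and
 * the name is already gone (unlink_now). */
int temp_roundtrip(int unlink_now) {
    char path[64];
    const char msg[] = "temporary data";
    char buf[sizeof msg];
    int fd = make_temp(unlink_now, path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = write(fd, msg, sizeof msg) == (ssize_t)sizeof msg
          && lseek(fd, 0, SEEK_SET) == 0
          && read(fd, buf, sizeof buf) == (ssize_t)sizeof buf
          && memcmp(buf, msg, sizeof msg) == 0;
    int visible = access(path, F_OK) == 0;
    if (!unlink_now)
        unlink(path);                      /* normal cleanup once we are done */
    close(fd);
    return ok ? (visible ? 1 : 2) : 0;
}
```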

Page 15: 6.Temp & Rand

Windows

No equivalent to mkstemp()

GetTempFileName

– Creates names by incrementing a counter!

– Predictable file name

Race condition between getting the name and creating the file

– Attacker could create the file to prevent you from using it

– If you use the CREATE_ALWAYS flag, see next slide

Under Windows, you have no choice but to write your own function

Still a race condition, limitation due to lack of OS support

Page 16: 6.Temp & Rand

Windows CreateFile Problems

Recommended use with the "CREATE_ALWAYS" flag is dangerous

– "CREATE_ALWAYS" flag recommended by MSDN,Howard and Leblanc 2003

Overwrites the file

Does not set the security descriptor specified by the SECURITY_ATTRIBUTES structure

– Do the SECURITY_ATTRIBUTES matter to your application?

Perfect opportunity to trick you into overwriting a sensitive file

– e.g., with a hard link

– Can't use the flag to not follow reparse points

Page 17: 6.Temp & Rand

Windows CreateFile

TRUNCATE_EXISTING will follow a hard link and could truncate something else than intended

Use "CREATE_NEW"

– "The function fails if the specified file already exists. "(MSDN)

– You need to check for errors and loop until the file is successfully created

Page 18: 6.Temp & Rand

GetTempPath

MSDN recommends that software use the GetTempPath function to get the location of the temp dir, but this is dangerous

"Checks for the existence of environment variables in the following order and uses the first path found:

1. The path specified by the TMP environment variable.

2. The path specified by the TEMP environment variable.

3. The path specified by the USERPROFILE environment variable.

4. The Windows directory."

Are the environment variables safe to use?

– Probably not unless you set them yourself

Page 19: 6.Temp & Rand

Exercise (Windows): Creating Temporary Files

Go to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/base/creating_and_using_a_temporary_file.asp

Discuss things that you would do differently, compared to the example, when creating a temporary file in Windows

– Find the race condition (hint: MoveFileEx)

Page 20: 6.Temp & Rand

Exercise Answers

Possible answers:

– They used the CREATE_ALWAYS flag instead of CREATE_NEW

Add a loop until success

– Use randomly generated file names

How to do that on Windows? (see next slides)

Page 21: 6.Temp & Rand

The Need for Random Numbers

Unique file or directory names

Session IDs that carry proof of authentication (nonces), passwords

Games (data, behavior, opponent generation, character generation)

Encryption

Cryptographic protocols

Page 22: 6.Temp & Rand

How Random Numbers Are Generated

Linear Congruential Generators

– Simple way to generate pseudo-random numbers

– Easily cracked

– Produce finite sequences of numbers

– Each number is tied to the others

– Some sequences of numbers will not ever be generated

Cryptographic random number generators

Entropy sensors (i.e., extracted randomness)

Page 23: 6.Temp & Rand

Seeded Random Number Generators

Pseudo-random generators depend solely on a seed, which determines the entire sequence of numbers returned

How random is the seed?

– Process ID, UserID: Bad Idea

– Current time: if you’re running NTP (Network Time Protocol) all systems are synchronized up to some precision. If you use the time, maybe I can guess which seed you used (microsecond part might be difficult to guess, but is limited)

Page 24: 6.Temp & Rand

How to Cheat At Random Number Generation

Find a seed that will produce the numbers you want

Seed the generator with it

Convince someone: "it's random, see?"

– RPG Character generation, etc...
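An added illustration (not from the slides) of the LCG properties listed on slides 22 to 24, using a toy 16-bit generator whose constants a = 25173, c = 13849, m = 65536 are this example's choice: the period is measured, only m of the m² conceivable consecutive pairs can occur, and the seed that produces any wanted first output is computed directly, which is the "cheat" of slide 24.

```c
/* Toy LCG x_{n+1} = (a*x_n + c) mod m. Constants are this example's choice;
 * they satisfy the Hull-Dobell conditions, so every seed has full period m. */
#define LCG_A 25173u
#define LCG_C 13849u
#define LCG_M 65536u

/* The whole internal state is the last output, so one observed value fixes
 * every later value ("each number is tied to the others"). */
unsigned lcg_next(unsigned x) { return (LCG_A * x + LCG_C) % LCG_M; }

/* Count outputs until the sequence returns to its seed: the period. Finite by
 * construction, at most m, and the same for every seed with these constants. */
unsigned long lcg_period(unsigned seed) {
    seed %= LCG_M;
    unsigned long n = 1;
    for (unsigned x = lcg_next(seed); x != seed; x = lcg_next(x))
        n++;
    return n;
}

/* Can y ever immediately follow x? Each value has exactly one successor, so only
 * m of the m*m conceivable consecutive pairs are ever produced. */
int lcg_pair_reachable(unsigned x, unsigned y) { return lcg_next(x % LCG_M) == y % LCG_M; }

/* Slide 24's "cheat": a is odd, hence invertible mod 2^16, so the seed that
 * yields any wanted first output is x0 = a^-1 * (y - c) mod m. The inverse is
 * found by exhaustive search, which is trivial for a 16-bit modulus. */
unsigned lcg_seed_for(unsigned wanted) {
    unsigned inv = 0;
    for (unsigned i = 1; i < LCG_M; i++)
        if ((LCG_A * i) % LCG_M == 1) { inv = i; break; }
    unsigned t = (wanted % LCG_M + LCG_M - LCG_C) % LCG_M;  /* (y - c) mod m */
    return (inv * t) % LCG_M;
}
```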

Page 25: 6.Temp & Rand

Roll Your Own Generator?

What matters is not only the average and the variance of the numbers generated

All sequences of numbers must be possible

LCGs travel definite, limited “paths” through the universe of possible sequences

Need to incorporate entropy as it becomes available

Need to avoid betraying the internal state of the generator...

It's difficult to do correctly

Page 26: 6.Temp & Rand

Which Generator to use?

Read description, avoid Linear Congruential Generators such as these:

– “C” rand(3)

– rand (Windows)

– Perl rand

– C# Random

– PHP rand

Page 27: 6.Temp & Rand

Good Generators

Hardware-based

– Noise

Cryptographical quality software, entropy-seeded

– Fast, secure

Pure Entropy

– Random timing of events

Packets

Mouse movement, clicks

Keyboard

– Slow

Page 28: 6.Temp & Rand

Linux/UNIX Devices

/dev/random:

– MacOS X: same as urandom

– Linux: this is a blocking call that returns only when sufficient entropy has been captured

– Good for seeding pseudo-random number generators

/dev/urandom:

– Implements a fairly complex algorithm that varies between “random” and a well-seeded LCG depending on the availability of entropy

– Non-blocking call

– Try "cat /dev/urandom"

Page 29: 6.Temp & Rand

Portability

FreeBSD, OpenBSD, NetBSD compatible

Several projects ported the functionality to Solaris, HP-UX, AIX, IRIX

MacOS X implements Yarrow for both random and urandom (so the behavior of “random” is unexpected).

Page 30: 6.Temp & Rand

Windows

Windows developers must use the function CryptGenRandom(), which uses the same idea as /dev/urandom

There is no directly accessible entropy collector provided by the OS

– Reference: "Secure Programming Cookbook", section 11.4 (Viega et al.)

Page 31: 6.Temp & Rand

Mini-lab

Take the previous mini-lab (lock.c)

Modify it to use random numbers from /dev/urandom instead of mkstemp, to generate a temporary file with a unique name

– To obtain random bytes, open the device and read from it
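A worked version of this Mini-lab, added as an example and not the course's own code: random bytes are read from /dev/urandom, turned into a file name, and the file is created with O_CREAT | O_EXCL inside a retry loop, which is the loop slide 11 asks for and the same shape slide 17 prescribes with CREATE_NEW on Windows. The /tmp directory and the lock prefix are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Read exactly n bytes from /dev/urandom (the non-blocking device), coping
 * with short reads and EINTR. Returns 0 on success, -1 on failure. */
int urandom_bytes(unsigned char *buf, size_t n) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    for (size_t got = 0; got < n; ) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r > 0) got += (size_t)r;
        else if (r == 0 || errno != EINTR) { close(fd); return -1; }
    }
    close(fd);
    return 0;
}

/* Build "/tmp/lock" + 10 random alphanumerics (prefix is an assumption) and
 * create it with O_CREAT|O_EXCL: a file or symlink already present under that
 * name makes open() fail with EEXIST instead of being followed, and we retry
 * with a fresh name a bounded number of times. Returns the descriptor or -1. */
int create_random_temp(char *path, size_t path_len, int max_tries) {
    static const char alphabet[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    unsigned char rnd[10];
    char suffix[sizeof rnd + 1];
    for (int attempt = 0; attempt < max_tries; attempt++) {
        if (urandom_bytes(rnd, sizeof rnd) < 0) return -1;
        for (size_t i = 0; i < sizeof rnd; i++)     /* modulo bias is harmless for a name */
            suffix[i] = alphabet[rnd[i] % (sizeof alphabet - 1)];
        suffix[sizeof rnd] = '\0';
        if (snprintf(path, path_len, "/tmp/lock%s", suffix) >= (int)path_len) return -1;
        int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0 || errno != EEXIST) return fd;  /* created, or a real error (-1) */
    }
    return -1;                                       /* too many collisions */
}

/* Self-check: create a file, confirm a second O_EXCL open of the same name is
 * refused with EEXIST, then clean up. Returns 1 on success, 0 otherwise. */
int random_temp_selfcheck(void) {
    char path[64];
    int fd = create_random_temp(path, sizeof path, 5);
    if (fd < 0) return 0;
    int refused = open(path, O_RDWR | O_CREAT | O_EXCL, 0600) < 0 && errno == EEXIST;
    close(fd);
    unlink(path);
    return refused;
}
```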

Page 32: 6.Temp & Rand

Questions or Comments?


Page 33: 6.Temp & Rand

About These Slides

You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions.

– You must give the original author and other contributors credit

– The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes

– For any reuse or distribution, you must make clear to others the terms of use for this work

– Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification

– For other uses please contact the Purdue Office of Technology Commercialization.

Developed thanks to the support of Symantec Corporation

Page 34: 6.Temp & Rand

Pascal Meunier, [email protected]

Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera