introduction to information security lecture 2
DESCRIPTION
Introduction to Information Security Lecture 2. Advanced Control Hijacking Secure Architecture Principles. Control Hijacking. Run-time Defenses. Run time checking: StackGuard. Many run-time checking techniques … we only discuss methods relevant to overflow protection - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/1.jpg)
Avishai Wool, lecture 2 - 1
Introduction to Information SecurityLecture 2
Advanced Control HijackingSecure Architecture Principles
![Page 2: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/2.jpg)
Control Hijacking
Run-time Defenses
Avishai Wool, lecture 2 - 2
![Page 3: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/3.jpg)
Run time checking: StackGuard• Many run-time checking techniques …
– we only discuss methods relevant to overflow protection
• Solution 1: StackGuard– Run time tests for stack integrity. – Embed “canaries” in stack frames and verify their integrity
prior to function return.
topof
stack
Frame 1Frame 2
local canary sfp ret args local canary sfp ret args
Avishai Wool, lecture 2 - 3
![Page 4: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/4.jpg)
Canary Types
• Random canary:– Random string chosen at program startup.– Insert canary string into every stack frame.– Verify canary before returning from function.
• Exit program if canary changed. Turns potential exploit into DoS.
– To corrupt, attacker must learn current random string.
• Terminator canary: Canary = {0, newline, linefeed, EOF}
– String functions will not copy beyond terminator.– Attacker cannot use string functions to corrupt stack.
Avishai Wool, lecture 2 - 4
![Page 5: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/5.jpg)
StackGuard (Cont.)
• StackGuard implemented as a GCC patch.– Program must be recompiled.
• Minimal performance effects: 8% for Apache.
• Note: Canaries don’t provide full proof protection.– Some stack smashing attacks leave canaries unchanged
Avishai Wool, lecture 2 - 5
![Page 6: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/6.jpg)
StackGuard enhancements: ProPolice
• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector)
– Rearrange stack layout to prevent ptr overflow.
args
ret addr
SFP
CANARY
local string buffers
local non-buffer variables
StackGrowth pointers, but no arrays
StringGrowth
copy of pointer args
Protects pointer args and local pointers from a buffer overflow
Avishai Wool, lecture 2 - 6
![Page 7: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/7.jpg)
MS Visual Studio /GS [since 2003]
Compiler /GS option:– Combination of ProPolice and Random canary.– If cookie mismatch, default behavior is to call _exit(3)
Function prolog: sub esp, 8 // allocate 8 bytes for cookie mov eax, DWORD PTR ___security_cookie xor eax, esp // xor cookie with current esp mov DWORD PTR [esp+8], eax // save in stack
Function epilog: mov ecx, DWORD PTR [esp+8] xor ecx, esp call @__security_check_cookie@4 add esp, 8
Enhanced /GS in Visual Studio 2010:– /GS protection added to all functions, unless can be proven unnecessary
Avishai Wool, lecture 2 - 7
![Page 8: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/8.jpg)
/GS stack frame
args
ret addr
SFP
CANARY
local string buffers
local non-buffer variables
StackGrowth pointers, but no arrays
StringGrowth
copy of pointer args
exception handlers
Canary protects ret-addr and exception handler frame
Avishai Wool, lecture 2 - 8
![Page 9: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/9.jpg)
Control Hijacking
Heap Spray Attacks
Avishai Wool, lecture 2 - 9
![Page 10: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/10.jpg)
Heap-based control hijacking
• Compiler generated function pointers (e.g. C++ code)
• Suppose vtable is on the heap next to a string object:
ptr
data
Object T
FP1FP2FP3
vtable
method #1method #2
method #3
ptr
buf[256] data
object T
vtable
![Page 11: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/11.jpg)
Heap-based control hijacking
• Compiler generated function pointers (e.g. C++ code)
• After overflow of buf we have:
ptr
data
Object T
FP1FP2FP3
vtable
method #1method #2
method #3
ptr
buf[256] data
object T
vtable
shellcode
![Page 12: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/12.jpg)
A reliable exploit? <SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
overflow-string = unescape(“%u2332%u4276%...”);
cause-overflow( overflow-string ); // overflow buf[ ]
</SCRIPT>
Problem: attacker does not know where browser places shellcode on the heap
ptr
buf[256] datashellcodevtable
???
![Page 13: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/13.jpg)
Heap Spraying [SkyLined 2004]
Idea: 1. use Javascript to spray heap with shellcode (and NOP slides)
2. then point vtable ptr anywhere in spray area
heap
vtable
NOP slide shellcode
heap spray area
![Page 14: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/14.jpg)
Javascript heap spraying
var nop = unescape(“%u9090%u9090”)while (nop.length < 0x100000) nop += nop
var shellcode = unescape("%u4343%u4343%...");
var x = new Array ()for (i=0; i<1000; i++) {x[i] = nop + shellcode;}
• Pointing func-ptr almost anywhere in heap will cause shellcode to execute.
Avishai Wool, lecture 2 - 14
![Page 15: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/15.jpg)
Vulnerable buffer placement
• Placing vulnerable buf[256] next to object O:– By sequence of Javascript allocations and frees
make heap look as follows:
– Allocate vuln. buffer in Javascript and cause overflow
– Successfully used against a Safari PCRE overflow [DHM’08]
object O
free blocks
heap
![Page 16: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/16.jpg)
Many heap spray exploits
• Improvements: Heap Feng Shui [S’07]
– Reliable heap exploits on IE without spraying– Gives attacker full control of IE heap from Javascript
[RLZ’08]
![Page 17: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/17.jpg)
(partial) Defenses
• Protect heap function pointers (e.g. PointGuard)
• Better browser architecture:– Store JavaScript strings in a separate heap from browser heap
• OpenBSD heap overflow protection:
• Nozzle [RLZ’08] : detect sprays by prevalence of code on heap
non-writable pages
prevents cross-pageoverflows
Avishai Wool, lecture 2 - 17
![Page 18: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/18.jpg)
Secure ArchitecturePrinciples
Isolation and Least Privilege
Avishai Wool, lecture 2 - 18
![Page 19: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/19.jpg)
Basic idea: Isolation
A Seaman's Pocket-Book, 1943 (public domain)
Avishai Wool, lecture 2 - 19
![Page 20: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/20.jpg)
Principles of Secure Design• Compartmentalization
– Isolation– Principle of least privilege
• Defense in depth– Use more than one security mechanism– Secure the weakest link– Fail securely
• Keep it simple
Avishai Wool, lecture 2 - 20
![Page 21: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/21.jpg)
Principle of Least Privilege• Privilege
– Ability to access or modify a resource
• Principle of Least Privilege– A system module should only have the minimal
privileges needed for intended purposes
• Requires compartmentalization and isolation– Separate the system into independent modules – Limit interaction between modules
Avishai Wool, lecture 2 - 21
![Page 22: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/22.jpg)
Example: Android process isolation• Android application sandbox
– Isolation: Each application runs with its own UID in own VM• Provides memory protection• Communication protected using Unix domain sockets• Only ping, zygote (spawn another process) run as root
– Interaction: reference monitor checks permissions on inter-component communication
– Least Privilege: Applications announces permission • Whitelist model – user grants access
– Questions asked at install time, to reduce user interruption
Avishai Wool, lecture 2 - 22
![Page 23: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/23.jpg)
Secure ArchitecturePrinciples
Access Control Concepts
Avishai Wool, lecture 2 - 23
![Page 24: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/24.jpg)
Access control
• Assumptions– System knows who the user is
• Authentication via name and password, other credential – Access requests pass through gatekeeper (reference monitor)
• System must not allow monitor to be bypassed
ResourceUser
process
Referencemonitor
access request
policy
?
Avishai Wool, lecture 2 - 24
![Page 25: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/25.jpg)
Access control matrix [Lampson]
File 1 File 2 File 3 … File n
User 1 read write - - read
User 2 write write write - -
User 3 - - - read read
…
User m
read write read write read
Subjects
Objects
Avishai Wool, lecture 2 - 25
![Page 26: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/26.jpg)
Two implementation concepts
• Access control list (ACL)– Store column of matrix with the resource
• Capability– User holds a “ticket” for each resource– Two variations
• store row of matrix with user, under OS control• unforgeable ticket in user space
File 1 File 2 …
User 1 read write -
User 2 write write -
User 3 - - read
…
User m
Read write write
Access control lists are widely used, often with groupsSome aspects of capability concept are used in many systems
Avishai Wool, lecture 2 - 26
![Page 27: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/27.jpg)
ACL vs Capabilities• Access control list
– Associate list with each object– Check user/group against list– Relies on authentication: need to know user
• Capabilities– Capability is unforgeable ticket
• Random bit sequence, or managed by OS• Can be passed from one process to another
– Reference monitor checks ticket• Does not need to know identify of user/process
Avishai Wool, lecture 2 - 27
![Page 28: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/28.jpg)
ACL vs Capabilities
Process PUser U
Process QUser U
Process RUser U
Process PCapabilty c,d,e
Process Q
Process RCapabilty c
Capabilty c,e
Avishai Wool, lecture 2 - 28
![Page 29: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/29.jpg)
ACL vs Capabilities
• Delegation– Cap: Process can pass capability at run time– ACL: Try to get owner to add permission to list?
• More common: let other process act under current user• Revocation
– ACL: Remove user or group from list– Cap: Try to get capability back from process?
• Possible in some systems if appropriate bookkeeping– OS knows which data is capability– If capability is used for multiple resources, have to revoke all or
none …• Indirection: capability points to pointer to resource
– If C P R, then revoke capability C by setting P=0
Avishai Wool, lecture 2 - 29
![Page 30: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/30.jpg)
Roles (also called Groups)
• Role = set of users– Administrator, PowerUser, User, Guest– Assign permissions to roles; each user gets permission
• Role hierarchy– Partial order of roles– Each role gets
permissions of roles below– List only new permissions given to each role
Administrator
Guest
PowerUser
User
Avishai Wool, lecture 2 - 30
![Page 31: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/31.jpg)
Role-Based Access Control
Individuals Roles Resources
engineering
marketing
human res
Server 1
Server 3
Server 2
Advantage: users change more frequently than rolesAvishai Wool, lecture 2 - 31
![Page 32: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/32.jpg)
Secure ArchitecturePrinciples
Operating Systems
Avishai Wool, lecture 2 - 32
![Page 33: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/33.jpg)
Unix access control• File has access control list (ACL)
– Grants permission to user ids– Owner, group, other
• Process has user id– Inherit from creating process– Process can change id
• Restricted set of options– Special “root” id
• Bypass access control restrictions
File 1 File 2 …
User 1 read write -
User 2 write write -
User 3 - - read
…
User m
Read write write
Avishai Wool, lecture 2 - 33
![Page 34: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/34.jpg)
Unix file access control list• Each file has owner and group• Permissions set by owner
– Read, write, execute– Owner, group, other– Represented by vector of four octal values
0755 (rwxr-xr-x) public directory or executable 0644 (rw-r--r--) public file 0600 (rw-------) private file
• Only owner, root can change permissions– This privilege cannot be delegated or shared
• Setid bits – Discuss in a few slides
rwx rwxrwx-
ownr grp othr
setid
Avishai Wool, lecture 2 - 34
![Page 35: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/35.jpg)
Question
• Owner can have fewer privileges than other– What happens?
• Owner gets access?• Owner does not?
Prioritized resolution of differences if user = owner then owner permission else if user in group then group permission else other permission
Avishai Wool, lecture 2 - 35
![Page 36: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/36.jpg)
Process effective user id (EUID)
• Each process has three Ids (+ more under Linux)– Real user ID (RUID)
• same as the user ID of parent (unless changed)• used to determine which user started the process
– Effective user ID (EUID)
• from set user ID bit on the file being executed, or sys call• determines the permissions for process
– file access and port binding
– Saved user ID (SUID)
• So previous EUID can be restored
• Real group ID, effective group ID, used similarly Avishai Wool, lecture 2 - 36
![Page 37: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/37.jpg)
Process Operations and IDs• Root
– ID=0 for superuser root; can access any file
• Fork and Exec– Inherit three IDs, except exec of file with setuid bit
• Setuid system calls – seteuid(newid) can set EUID to
• Real ID or saved ID, regardless of current EUID• Any ID, if EUID=0
• Details are actually more complicated– Several different calls: setuid, seteuid, setreuid
Avishai Wool, lecture 2 - 37
![Page 38: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/38.jpg)
Setid bits on executable Unix file• Three setid bits
– Setuid – set EUID of process to ID of file owner– Setgid – set EGID of process to GID of file– Sticky
• Off: if user has write permission on directory, can rename or remove files, even if not owner
• On: only file owner, directory owner, and root can rename or remove file in the directory
Avishai Wool, lecture 2 - 38
![Page 39: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/39.jpg)
Example
…;…;exec( );
RUID 25 SetUID
program
…;…;i=getruid()setuid(i);…;…;
RUID 25EUID 18
RUID 25EUID 25
-rw-r--r--
file
-rw-r--r--file
Owner 18
Owner 25
read/write
read/write
Owner 18
Avishai Wool, lecture 2 - 39
![Page 40: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/40.jpg)
Setuid programming• Be Careful with Setuid 0 !
– Root can do anything; don’t get tricked– Principle of least privilege – change EUID when root
privileges no longer needed
Avishai Wool, lecture 2 - 40
![Page 41: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/41.jpg)
Access control in Windows (since NTFS)
• Some basic functionality similar to Unix– Specify access for groups and users
• Read, modify, change owner, delete
• Some additional concepts– Tokens– Security attributes
• Generally– More flexibility than Unix
• Can define new permissions• Can give some but not all administrator privileges
Avishai Wool, lecture 2 - 41
![Page 42: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/42.jpg)
Identify subject using SID
• Security ID (SID)– Identity (replaces UID)
• SID revision number• 48-bit authority value• variable number of
Relative Identifiers (RIDs), for uniqueness
– Users, groups, computers, domains, domain members all have SIDs
![Page 43: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/43.jpg)
Process has set of tokens• Security context
– Privileges, accounts, and groups associated with the process or thread
– Presented as set of tokens• Security Reference Monitor
– Uses tokens to identify the security context of a process or thread
• Impersonation token – Used temporarily to adopt a different security
context, usually of another user
Avishai Wool, lecture 2 - 43
![Page 44: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/44.jpg)
Object has security descriptor
• Security descriptor associated with an object– Specifies who can perform what actions on the object
• Several fields– Header
• Descriptor revision number • Control flags, attributes of the descriptor
– E.g., memory layout of the descriptor
– SID of the object's owner– SID of the primary group of the object – Two attached optional lists:
• Discretionary Access Control List (DACL) – users, groups, …• System Access Control List (SACL) – system logs, ..
Avishai Wool, lecture 2 - 44
![Page 45: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/45.jpg)
Example access request
Group1: AdministratorsGroup2: Writers
Control flags
Group SIDDACL PointerSACL Pointer Deny Writers Read, Write Allow Mark Read, Write
Owner SID
Revision Number
Access token
Security descriptor
Access request: writeAction: denied
• User Mark requests write permission
• Descriptor denies permission to group
• Reference Monitor denies request
User: Mark
Order of ACEs in ACL matters!Windows reads ACL until permission is granted/Denied
ACE1
ACE2Avishai Wool, lecture 2 - 45
![Page 46: Introduction to Information Security Lecture 2](https://reader034.vdocuments.site/reader034/viewer/2022042421/56813b5d550346895da45645/html5/thumbnails/46.jpg)
Impersonation Tokens (compare to setuid)
• Process adopts security attributes of another– Client passes impersonation token to server
• Client specifies impersonation level of server– Anonymous
• Token has no information about the client– Identification
• server obtain the SIDs of client and client's privileges, but server cannot impersonate the client
– Impersonation• server identify and impersonate the client
– Delegation• lets server impersonate client on local, remote systems