Programming Faults

Programming Errors that Lead to Compromised Systems

Definition of Information Security

• Confidentiality == assurance that information is not disclosed to unauthorized entities or processes

• Integrity == quality of an information system that reflects its logical correctness and reliability

• Availability == timely, reliable access to data and information services for authorized users

Definition of a Fault

• Fault == defect that does not change state

• Failure == manifestation of a fault

• “A programming mistake is a latent fault until that code is invoked by the system.”

• “If a fault affects the delivered service, a failure occurs.”

Programming Faults and Intrusion Detection

• Intrusion Detection Systems monitor for attempts to exploit Programming Faults

• Exploits become rules in signature databases used by IDS software to detect the failures caused by activating the flaws

Confidentiality Faults

• Buffer Overruns

• Environment Variables

• Interactive Input

• Handling Sensitive Data

• Executing Other Programs

Buffer Overruns

• Subvert the normal course of execution to execute code written by the cracker

• Exploit root privileged programs to gain root authority

• Result of mismanaging arrays and pointers (mostly character arrays)

• Write past the end of the buffer to overwrite other data in memory

• Two types of buffers - static and dynamic

• Dynamic buffers are allocated from the stack at run time

• As part of the stack, they are in the same area of memory as data used by kernels in OSes which do not maintain separate user and kernel modes

void function (char *str) { char buffer[16]; strcpy(buffer, str);}void main() { char large_string[256]; int i for (i=0; i<255; i++) large_string[i]=‘A’; function(large_string);}

top of stack

bottom of memory

<------------------------------<

|Buffer Sfp Ret *Str |. . .

|[ ][ ] [ ] [ ] |. . .

<------------------------------<

top of memory

bottom of stack

#include <stdio.h>void main() { char *name[2]; name[0] = “/bin/sh”; name[1] = “NULL; execve(name[0], name, NULL);}

char shellcode[] =“\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00]x00\x00”“\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80”“\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff”“\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3”;

• If the IDS captures a long series of NOOPs being transmitted to a protected system, it should flag that as a potential exploit attempt.

• alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:5;)

Buffer Overruns and IDS

Environment Variables

• Environment variables are sources of user input

• Depending on how a program handles the variable, it’s possible to insert an exploit to either cause a failure, or to take advantage of poor logic

Suppose IFS (variable to control whitespace designator) is set to ‘/’ (the pathname seperator).

Thenexec(“/bin/sh”,”-c”,”/bin/mail userbob”);

Becomesbin mail userbob

Environment Variables and IDS

• If the IDS detects an IFS setting being transmitted to a protected system, should it flag that as a potential exploit attempt?

Integrity Flaws

• Executing Input

• Links

• Regular Files

• Race Conditions

• Resource Sharing

Executing Input

• From an old version of a web browser:sprintf(buf, telnet %s”, resid_url);system(buf);

• Internet clients that try to be helpful by downloading & executing content.

User Input and IDS

• Formatted commands to network services make good signatures for IDS.

• alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flow:to_server,established; offset:32; classtype:attempted-user; sid:681; rev:4;)

Links

• Replace a temporary file used by a privileged program with a link to another file.

• Can capture data, or trick the program into corrupting system files.

• Ex: suppose /tmp/abc123 is used by a root program and to temporarily store data.

• If the program doesn’t verify that /tmp/abc123 doesn’t already exist, a user can pre-create /tmp/abc123 -> /etc/passwd.

• The program follows the link, and clobbers the password file.

File Manipulations and IDS

• How can a network device tell the difference between creating a link to exploit a program, or creating a link to create a link?

• Host Based IDS are required to detect file changes (ie file integrity checkers).

Availability Faults

• Local System DOS

• Network DOS

• Buffer Overruns

• System Overload

• Spoofing

Local System DOS

• Fill up the filesystemint main() {int ifd;char buf[8192];ifd=open(“./attack”, O_WRITE|O_CREATE, 0777);unlink(“./attack”);while(1) write(ifd, buf, sizeof(buf));

}

• Use up inodes, fill up the process table, use up memory…

Local DOS and IDS

• Look for error messages indicating system problems.

• Good system administration practices probably more important.Filesystem monitoringMemory statistics monitoringCPU load monitoring…

Network DOS

• Manipulate the network protocols to cause a failure on the target.

• Ex: >6 bytes data in a SYN packet• Ex: ICMP ECHO requests > 65507 octets• Ex: setting packet header flags to

nonsensical values• …

• More often than not protocols and standards are not properly or fully implemented, creating flaws that lead to denial of service.

• RFCs provide the structure and behavior guidelines; following the RFC reduces flaws; testing the RFC finds the flaws.

Network DOS and IDS

• Use the IDS to monitor network traffic for packets in unexpected parts of network; malformed packets; or just certain types of packets.

• alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; itype: 17; icode: 0; sid:388; classtype:misc-activity; rev:4;)

Conclusion(s)

• Use good programming techniques to avoid perpetuating the same old flaws.

• The same flaws that existed in the dawn of the Internet still exist. Example - the Morris Worm and the Blaster Worm used the same techniques to exploit a system and spread themselves to other systems.

• IDS systems, network based and host based, are an important layer in the Defense-in-Depth approach to good information security.

• IDS systems also make good system administration tools.

Works Consulted

• Aleph One. Smashing the Stack for Fun and Profit. Phrack. Vol 7, Num 49.

• Forbes, Liam. Secure Programming in the UNIX Environment. UAF CS Dept., 1998.

• Patterson, David A. An Introduction to Dependability. ;login: The Magazine of USENIX & SAGE. August 2002, Vol 27, Num 4.