Vulnerability Assessment and Secure Coding Practices for Middleware by tfs31371


									Vulnerability Assessment and Secure
Coding Practices

                                                                                          Tutorial Objectives
        Vulnerability Assessment and                                           • Show how to perform the basics of a
          Secure Coding Practices                                                vulnerability assessment
               for Middleware                                                  • Create more people doing vulnerability
                          James A. Kupsch                                      • Show how different types of vulnerabilities
                         and Barton P. Miller                                    arise in a system
                         Computer Sciences Department
                            University of Wisconsin
                                                                               • Teach coding techniques that can prevent
                                                                                 certain types of vulnerabilities
                                  OGF25, Catania, Italy
                                     March 2, 2009                             • Make your software more secure

                                               1                                                       2

                                     Roadmap                                      Security Problems Are Real
      • Part 1: Vulnerability Assessment Process                                  Everyone with a computer knows this.
        –   Introduction                                                                               
        –   Evaluation process                                                 If you’re not seeing vulnerability reports and
        –   Architectural analysis
        –   Computer processes
                                                                                    fixes for a piece of software, it doesn’t
        –   Communication channels                                                 mean that it is secure. It probably means
        –   Resource analysis                                                     the opposite; they aren’t looking or aren’t
        –   Privilege analysis                                                                       telling.
        –   Data Flow Diagrams                                                                         
        –   Component analysis
        –   Vulnerability Discovery Activities
                                                                               The grid community has been largely lucky
      • Part 2: Secure Coding Practices                                                (security through obscurity).

                                               3                                                       4

              Many Avenues of Attack                                                   Impact of Vulnerabilities
                         We’re looking for attacks that                         FBI estimates computer security incidents cost
                          exploit inherent weakness                                   U.S. businesses $67 billion in 2005
                                in your system.                                                []
        Internet                                                                Number of reported vulnerabilities each year is
                                                                                           increasing [CERT stats]
             Attack web using
             www protocols                                                      6000
                                        Compromised host    Internal bad guy       1994         1998          2002          2006
                                               5                                                       6

Vulnerability Assessment and Secure
Coding Practices

       Security Requires Independent                                      Security Requires Independent
                Assessment                                                     Assessment (cont.)
      Fact #1:                                                        • You can have the best design in the world,
        Software engineers have long known that testing                 but can be foiled by …
        groups must be independent of development
                                                                          –   Coding errors
                                                                          –   Interaction effects
      Fact #2:
        Designing for security and the use of secure                      –   Social engineering
        practices and standards does not guarantee                        –   Operational errors
        security                                                          –   Configuration errors
      Independent vulnerability assessment is crucial…                    –   …
      …but it’s usually not done 

                                         7                                                                 8

                          Project Goals                                            Systems Investigated
      • Develop techniques, tools and procedures for                  •   Univ. of Wisconsin’s Condor Project
        vulnerability assessment focusing on Grid software                – Batch queuing workload management system
      • Apply to production software                                      – 600K lines of code, began 16 years ago
      • Improve the security of this software                             –

      • Educate developers about best practices in coding and         •   SDSC’s Storage Resource Broker (SRB)
        design for security                                               – Distributed data store, with metadata and federation capability
                                                                          – 275K lines of code, began 10 years ago
      • Increase awareness in the grid and distributed systems
        community about the need for vulnerability assessment             –
                                                                      •   NCSA’s Myproxy (just starting)
      • Train and build a community of security specialists
                                                                          – Credential management system
                                                                          – 25K lines of code, began 9 years ago
                                                                      •   NIKHEF's glExec (in progress)

                                         9                                                                 10

          Security Evaluation Process                                     Goal of Vulnerability Analysis
      • Understand Application                                        • Understand a software system to focus
         – Architectural analysis
                                                                        search for security problems
         – Resource and privilege analysis
         – Data flow diagrams                                         • Find vulnerabilities
      • Search for Vulnerabilities                                    • Make the software more secure
         – Component analysis
      • Codification and dissemination                                    “A vulnerability is a defect or weakness in system
                                                                          security procedures, design, implementation, or
        of techniques
                                                                          internal controls that can be exercised and result in a
      • Overview                                                          security breach or violation of security policy.”
         – Insider - full access to source, documents, developers                - Gary McGraw, Software Security
         – Independent - no agenda, no blinders
         – First principles - let the process guide what to examine
                                                                          i.e., A bad thing

                                        11                                                                 12

Vulnerability Assessment and Secure
Coding Practices

                 User Supplied Data                                     Application Overview
      • All attacks ultimately arise from attacker           •   Meet with the developers
        (user) communicated data                             •   What does application do
                                                             •   How does it work
      • If not, your system is malware
                                                             •   What documentation exists
        – mere installation causes a security violation          – End-user
      • Important to know where the system gets                  – Internal design documents
        user supplied data                                   • What external libraries and environment are
                                                             • How to build, run and control
                                                             • How to debug and test
                                                             • Prior bugs and vulnerabilities

                                   13                                                           14

        General Analysis Techniques                                    Observational Analysis
      • Applies to architectural, resource and               • Useful as a starting point
        privilege analyses                                   • Will only reveal information about exercised
                                                               paths in the process
      • Find needed information                              • System monitoring tools
        – Use existing documentation                             – ps - information about the process
            • Often incomplete, out of date, or just wrong       – lsof netstat - information about files/network
        – Talk to developers                                     – ptrace strace dtrace truss - trace of system
        – Experiment with the system                             – ltrace - trace of library calls
        – Look at the code - most precise, but most time         – diff tripwire - can show what objects in the file
          consuming (later slides will have hints on what          system were modified
          to look for)                                           – purify valgrind - memory problems

                                   15                                                           16

               Architectural Analysis                                  Process Configuration
      • Create a detailed big picture view of the            • How is an executable configured
        system                                                   – Configuration file
                                                                    • Format
      • Document and diagram
                                                                    • Other instructions in file such as process another
        – What processes/hosts exist and their function               configuration file
        – How users interact with them                              • Search path to find
                                                                    • Processing language
        – How executables interact with each other
                                                                 – Hard coded
        – What privileges they have
                                                                 – Other
        – What resources they control and
          access                                             • What can be configured
                                                                 – How does it affect the application
        – Trust relationships
                                                                 – Often reveals functional and architectural information

                                   17                                                           18

Vulnerability Assessment and Secure
Coding Practices

                  Process Attributes                                External Services Used
      • What user/group is the process started as         • How are external programs used
      • Is the process setuid/setgid                      • External services
      • Any unusual process attributes                      –   Database (DBMS, LDAP, DNS, …)
        – chroot                                            –   Web server
        – Process limits                                    –   Application server
        – Uses capabilities                                 –   Other
      • uid/gid switching                                 • External executables launched
      • uid/gid sensitive behavior                          – Signs in the code: popen system exec*
                                                            – What executables

                                  19                                                     20

                                                                    Process Communication
        User Interaction with System
      • How do users interact with the system             • What exists between…
        – Client executables                                – Servers
        – API                                               – Client and server
                                                            – Client/Server and external programs
      • What type of interaction can they have                  •   DBMS
      • What data can users inject into the system              •   DNS
                                                                •   LDAP
                                                                •   Kerberos
                                                                •   File services: NFS AFS ftp http …
                                                                •   Helper applications
                                                          • Shows interaction between components

                                  21                                                     22

             Communication Methods                                          Command Line
      • OS provides a large variety of                    • Null-terminated array of strings passed to
        communication methods                               a starting process from its parent
        –   Command line               – Environment      • Convention is that argv[0] is the path to
        –   Files                      – Sockets            executable file
        –   Creating processes         – Signals          • Signs in code
        –   IPC                        – Directories        –   C/C++: argc argv
            • Pipes                    – Symbolic links     –   Perl: $0 @ARGV
            • FIFO's or named pipes
                                                            –   Sh: $0 $1 $2… $# $@ $*
            • System V IPC
                                                            –   Csh: $0 argv
            • Memory mapped files

                                  23                                                     24

Vulnerability Assessment and Secure
Coding Practices

                      Environment                                                Files
      • Null-terminate array of string passed to a        • Represented by a path
        process from its parent
      • Convention is that each string is of the form
                                                          • File descriptors represent files in program
        key=value, and key can not contain an equal         – From opening or creating a file
        sign                                                – Inherited from parent process
      • Program can change environment                      – Sent via IPC
      • Contents can affect program behavior
                                                          • Contents can be data, configuration,
      • Inherited by children
                                                            executable code, library code, scripts
      • Signs in code:
        – C/C++: environ getenv setenv putenv             • Signs in code:
        – Perl: @ENV                                        – C/C++: open creat fopen dlopen *stream
        – bash/csh: not easy to tell uses
                                25                                                  26

            Standard File Descriptors                                         Sockets
      • Convention is creating process opens file         • creates a communication path
        descriptors 0, 1 and 2 for use by the               – processes on same host
        created process to be used as standard in,          – between hosts using protocols such as TCP/IP
        out, and err                                      • Can be stream or message based
      • Functions and libraries often implicitly use      • Signs in code
        these and expect them to be opened                  – C/C++: socket bind connect listen accept
      • Signs in code                                         socketpair send sendto sendmsg recv
                                                              recvfrom recvmsg getpeername getsockname
        – C/C++: stdin stdout stderr                          setsockopt getsockopt shutdown
                                                            – Bash: /dev/tcp/host/port
          STDERR_FILENO getchar gets scanf                           /dev/udp/host/port
          printf vprintf vscanf cin cout cerr

                                27                                                  28

                             IPC                                           Directories
      • Inter- and Intra-host communication methods       • List of named file system objects
      • Some can pass file descriptors between            • Directory can be read to get list of names or
        processes                                           updated by creating, renaming or deleting
      • Signs in code:                                      existing entries
        –   Pipes: pipe                                   • Entries have metadata like type, size, and owner
        –   SysV Message Q: msgget msgctl msgsnd msgrcv   • Signs in code:
        –   SysV Semaphore: semget shmctl semop             – C/C++: opendir readdir closedir creat
        –   SysV Shared Mem: shmget shmctl shmat shmdt        open(with O_CREATE) fdopen mkdir mkfifo mknod
        –   Memory mapped files: mmap                         symlink link unlink remove rename rmdir

                                29                                                  30

Vulnerability Assessment and Secure
Coding Practices

                   Symbolic Links                                            Creating a Process
      • File system object that contains a path              • Inherited properties
                                                               –   User and group ids
                                                               –   File descriptors without close-on-exec
      • When evaluating a path the operating                   –   Current and root directories
        system follows the referent in the link                –   Process limits
                                                               –   Memory contents
      • Referent can be read and used by a
                                                             • Exit status communicated back to parent
                                                             • Signs in code
      • Signs in code:                                         – C/C++: fork popen system exec* exit _exit
                                                                 wait waitpid wait3 wait4
        – C/C++: implicitly in any function taking a path,
          symlink readlink                                     – Perl: open system qx ` exit _exit wait
                                                                 waitpid wait3 wait4

                               31                                                                32

                          Signals                                                 Libraries Used
      • Asynchronous notification to a process               • What libraries does the executable use
        generated from the operating system, run-              – Run ldd on executable
        time events or sent from related                       – Look at link command line
        processes                                              – Look for uses of dlopen in the code
      • Essentially a 1 bit message                          • Program inherits library's security issues
      • Signs in code                                        • Need to check it for vulnerabilities and for
        – C/C++: kill raise signal sigvec                      safe use
          sigaction sigsuspend abort
                                                               – Rely on reports from others
                                                               – Audit the library

                               33                                                                34

          Messaging & File Formats                                           Resource Analysis
      • Document messaging protocols                         • A resource is an object that is useful to a user of
        – This is really an API between processes              the system and is controlled by the system
                                                               – Data
        – What is the format and purpose of each                    • files
          message                                                   • DBMS
        – How are message boundaries and individual                 • memory
          pieces of data determined                            – Physical entities
                                                                    •   Disk space
      • Document file formats                                       •   CPU cycles
        – Same thing as for messages                                •   Network bandwidth
                                                                    •   Attached devices (sensors, controllers)
        – You can think of files as persistant
          asynchronous messages

                               35                                                                36

Vulnerability Assessment and Secure
Coding Practices

            Documenting Resources                                            Privilege Analysis
      • What resources exist in the system                      • Privilege is the authorization for a user to
      • What executables/hosts control the                        perform an operation on a resource
        resource                                                • Role is a set of privileges assigned to
      • What operations are allowed                               users to creates classes of users such as
      • What privileges are required                              admin
      • What does an attacker gaining access to                 • Authentication
        the resource imply                                          – Is it performed correctly and securely
                                                                    – If an attacker can authenticate as another
                                                                      user they gain their privileges

                                      37                                                    38

             Privileges in the System                                External Privilege Systems
      • What privileges exist in the system                     • System used: OS, DBMS, …
      • Do they map appropriately to operations                 • Accounts and privileges used
        on resources                                            • Purpose of each account
      • Are they fine grained enough                            • Does the program use external privileges
      • How are they enforced                                     to enforce its privilege model
      • Is decision code centralized                            • Are minimal privileges used
        – consistent                                            • Use of root or admin accounts require
        – easy to audit                                           special attention

                                      39                                                    40

                                 Trust                                               Bad trust
      • An executable trusts another when                       • Not validating data from another trust
        – It relies on a behavior in the other                    domain for proper form (form, length,
        – Doesn't or can't verify the behavior                    range)
      • Implicit trust
                                                                • Bad assumptions
        – The operating system
        – Process with root privilege on the same host              – User supplied data is in proper form
           • they can do anything                                   – Data passed through client is unchanged
        – Processes with same uid on the same host                    • Need a cryptographic signature
           • they can do anything to each other                       • Happens with hidden input field and cookies in
        – All the code in your executable including libraries           HTML

                                      41                                                    42

Vulnerability Assessment and Secure
Coding Practices

                                   More Bad Trust                                                                                                        Use/Abuse Cases
      • Bad assumptions (cont.)                                                                                            • Use cases
        – Client validated data                                                                                                – Document typical use scenarios for the
               • Client can be rewritten or replaced                                                                             software
               • Good to validate on the client, but server validation                                                         – Often times created by testing team
                 is required
                                                                                                                           • Abuse cases
      • Not validating data from trusted processes
                                                                                                                               – Anti-use case
        – Allows an attack to spread
                                                                                                                               – what an attacker might do
        – Not defense in depth
                                                                                                                           • Both will reveal the architecture and
                                                                                                                             potential security problems

                                                            43                                                                                                                    44

                           Data Flow Diagrams                                                                                                     Data Flow Diagrams
      • Takes information from previous analyses                                                                           •   Colors represent privilege
      • Turns a use/abuse case into a diagram                                                                              •   Hosts are represented by rectangles
        showing                                                                                                            •   Processes by ovals
        –   Hosts                                                                                                          •   Communication flow by lines with arrows
                                                                                                                               indicating direction of flow
        –   Components such as processes
                                                                                                                               – Labels indicate contents of message or operation
        –   Privileges
                                                                                                                           • Other symbols can be used for other important
        –   Message flows                                                                                                    objects in the case such as files
        –   Steps in the case                                                                                              • We’ve noted that developers often learn things
                                                                                                                             when presented with just these diagrams

                                                            45                                                                                                                    46

                         Privileges - Root Install                                                                                     Privileges - Non-Root Install
         Real UIDs                                               Central Manager                                                Real UIDs                                               Central Manager
                 root                                                 4. Negotiation                                                    root                                                 4. Negotiation
                                                                          Cycle                                                                                                                  Cycle
                 condor                                   negotiator                   collector                                        condor                                  negotiator                    collector
                 user                                                                                                                   user
                                                                                       1. Machine ClassAd                                                                                                     1. Machine ClassAd

                                                                            5. Report
                                                                                              Execute Host                                                                    4.Negotiation
                                                                                                                                                                                                  5. Report
                                                                                                                                                                                                                     Execute Host
                                                            Cycle             Match                                                                                               Cycle             Match
                                                          5. Report                                                                                                             5. Report
                      Submit Host                          Match 3. Job ClassAd                  startd        7. fork                       Submit Host                         Match 3. Job ClassAd                   startd        7. fork
                                                                                                               Starter                                                                                                                Starter

               User                      startd            Compromise of                                                              User                      startd
                                                                     6. implies,
                                                       anything in redClaim Host                schedd                                                                                        6. Claim Host            schedd
                                                       compromise of the host
        1. Job Description File                         and all processes on it                                                1. Job Description File
                                         schedd                                                                                                                 schedd
                                                                                                 starter                                                                                                                starter
                        2. Job ClassAd                                                                                                         2. Job ClassAd
                                             7. Fork   8. Establish Communication Path                                                                              7. Fork   8. Establish Communication Path
                                                                                                       9. Set policy and                                                                                                      9. Set policy and
                                             Shadow                                                                                                                 Shadow
                                                                                                         fork User Job                                                                                                          fork User Job
             submit                      shadow                                                                                     submit                      shadow
                                                                                               User Job                                                                                                               User Job

                                                            47                                                                                                                    48

Vulnerability Assessment and Secure
Coding Practices

              Varying Level of Focus                                           Component Analysis
      • Drill in to focus on sub systems that are more             • Audit the source code of a component…
        likely to be vulnerable and lead to large security           … the audit is directed by earlier analyses
        failures …                                                 • Look for vulnerabilities in a component
        – Deal with security
                                                                   • Need to connect user input to a place in
        – Control resources
                                                                     the code where a vulnerability can be
        – Validate input
      • Drill out to analyze how this system interacts
        with its ecosystem
                                                                   • Finds deeper problems than black box
        – Secure systems can be insecure when combined
        – How this system can be used to attack others
                                                                      – Penetration testing (known problems)
                                                                      – Fuzzing (random testing)

                                  49                                                                50

         Categories of Vulnerabilities                                Many Types of Vulnerabilities
      • Design Flaws                                               Buffer overflows                      Race conditions
        – Problems inherent in the design            Occur about   Injection attacks                     Not properly dropping
        – Hard to automate discovery                   equally        Command injection                     privilege
                                                                        (in a shell)
      • Implementation Bugs                                                                              Insecure permissions
                                                                      Format string attacks
        – Improper use of the programming language, or of a             (in printf/scanf)                Denial of service
          library API                                                 SQL injection                      Information leaks
        – Localized in the code                                       Cross-site scripting or XSS        Lack of integrity checks
      • Operational vulnerabilities                                     (in HTML)
                                                                                                         Lack of authentication
        – Configuration or environment                             Directory traversal
                                                                                                         Lack of authorization
      • Social Engineering                                         Integer vulnerabilities
        – Valid users tricked into attacking

                                  51                                                                52

                Focusing the Search                                                       Difficulties
      • It's impossible to completely analyze a system             • Need to trace function call graphs to trace
        for vulnerabilities
                                                                     data flows to determine potential values
      • From critical resources and try to think of ways
        an attack can be realized                                  • It is difficult in C++ to determine function
      • From vulnerabilities can occur in the code to                call graphs using a textual analysis, due to
        resources                                                    the ambiguity of identifiers; the name
      • If there were prior security problems look for               alone is insufficient to determine the
        similar problems                                             actual function
      • Focus on subsystem/resources that are
        – Important                – Security related              • The use of function pointers also
        – Poorly written           – Poorly tested (little used)     complicate this analysis
        – Developer/Testing functionality

                                  53                                                                54

Vulnerability Assessment and Secure
Coding Practices

                 Code Browsing Tools                                         Static Code Analysis Tools
      • cscope                                                       •   Require a human to analyze the results for false positives
          – Doesn’t understand C++                                   •   Won't find complex problems
                                                                     •   They aid the assessor, but they're not one-click security
      • ctags                                                        •   Commercial analyzers
          – Useful for finding definitions of global variables and       –   Coverity  
            functions, but not uses                                      –   Fortify   
      • eclipse                                                          –   Secure Software
                                                                         –   Grammatech
          – Doesn’t handle size of code and style well               • Freely available analyzers
      • Hand written perl scripts to search code                         – Flawfinder  
          – Useful, but really need to parse C/C++                       – RATS (Rough Auditing Tool for Security)
                                                                         – ITS4        
                                                                     • Compiler warnings

                                     55                                                              56

                  Vulnerability Report                                        Condor Vulnerability Report
      • One report per vulnerability
      • Provide enough information for developers
        to reproduce and suggest mitigations
      • Written so that a few sections can be
        removed and the abstracted report is still
        useful to users without revealing too much
        information to easily create an attack.

                                     57                                                              58

            Vulnerability Report Items                                       Vulnerability Report Items
      • Summary                                                      • Impact/Consequences (low/med/high) -
      • Affected version(s) and platform                               how does it affect the system: minor
      • Fixed version(s)                                               information leak is low, gaining root
                                                                       access on the host is high
      • Availability - is it known or being exploited
                                                                     • Only in full report
      • Access required - what type of access                            – Full details - full description of vulnerability
        does an attacker require: local/remote                             and how to exploit it
        host? Authenticated? Special privileges?                         – Cause - root problem that allows it
      • Effort required (low/med/high) - what type                       – Proposed fix - proposal to eliminate problem
        of skill and what is the probability of                          – Actual fix - how it was fixed
                                     59                                                              60

Vulnerability Assessment and Secure
Coding Practices

      Vulnerability Disclosure Process                     When a Vulnerability Is Found
      • Disclose vulnerability reports to              • Don’t Panic!!! Have a plan.
        developers                                     • Plan what, how, when and to whom to announce
      • Allow developers to mitigate problems in a     • Plan how to fix, and what versions
        release                                        • Separate security release or combine with other
      Now here’s the really hard part:                 • When to release full details
      • Publish abstract disclosures in                    – exploit known or being exploited
        cooperation with developers. When?                   externally
      • Publish full disclosures in cooperation with       – open/closed source projects
        developers. When?                                  – allow time for users to upgrade

                            61                                                      62


To top