Ch12phanmem

1. Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 12 Software Security

2. Software Security

C nhiu l hng l kt qu ca vic lp trnh u

Nh trong 10 li an ninh ng dng Web m c 5 li lin quan n thiu st ca phn mm

Thng thng do khng kim tra/kim chng k u vo chng trnh

Khng c h thng cnh bo l iu nghim trng

3. Cht lng v an ton phn mm Software Quality vs Security

Cht lng v tin cy phn mm

Li s c ca chng trnh

T u vo khng ph hp ngu nhin v l thuyt

Tng cng s dng kim tra v thit k c cu trc

Khng phi c nhiu li, nhng c thng xuyn c nguy c kch hat khng

An ton phn mm cng lin quan

Nhng k tn cng chn s phn tn ca u vo, c bit nhm ti cc li code khai thc

c kch hat thng xuyn bi u vo khng hp l

Nhng kim tra thng thng khng pht hin c li

4. Lp trnh bo v Defensive Programming

L dng thit k bo v m bo cc chc nng lin tc ca phn mm trnh khi vic s dng khng lng trc

Yu cu ch n mi kha cnh ca vc thc hin chng trnh, mi trng v x l d liu

Cng c gi l lp trnh an ton

Khng tha nhn iu g, phi kim tra mi li c th

Khng ch tp trung vo gii bi tan cho trc

Cn kim chng mi gi thit

5. M hnh chng trnh tru tng Abstract Program Model

6. Security by Design

Thit k tin cy v an ton l ch ca nhiu ngnh cng ngh

X hi khng khoan dung vi cc li nh v cu, nh,

Pht trin phn mm cha phi l hon thin

Nhiu li mc cao ang cn c khoan dung

Tuy c nhiu tiu chun cht lng v pht trin phn mm

Tp trung chnh l vng i pht trin chung

Tng cng xc nh nguy c an ninh l mc tiu chnh

7. Kim sot u vo chng trnh Handling Program Input

incorrect handling a very common failing

u vo l mi ngun d liu t bn ngoi

D liu c t bn phm, file, mng

Cng nh l mi trng thc thi v d liu cu hnh

Cn xc nh mi ngun d liu

V gi thit v tnh ng n tng minh v kch thc v kiu gi tr trc khi s dng

8. Input Size & Buffer Overflow

Thng c gi thit v kch thc b m

Nh u vo ca NSD ch l dng vn bn

Tun th kch thc b m nhng qun kim tra kch thc

Kt qu lm trn b nh m

Kim tra c th khng xc nh c l hng

V ch tp trung vo u vo thng thng, mong i

Lp trnh an ton coi mi u vo u nguy him

Nn cn phi x l nh mt chng trnh bo v

9. Thng dch u vo Interpretation of Input

Chng trnh c th dng nh phn hoc vn bn

Thng dch nh phn ph thuc vo m thng thng l ng dng chuyn bit

Vn bn c m trn tp cc k t nh ASCII

Vic quc tn ha c nhiu phng n khc nhau

Cng cn c kim chng thng dch trc khi s dng

Nh filename, URL, email address, identifier

B qua kim tra c th dn n l hng bng n

10. Tn cng ni x Injection Attacks

Cc thiu st lin quan n kim sot u vo khng hp l m nh hng n vic thc thi chng trnh

Thng thng c truyn nh tham s ca chng trnh tr gip hay tin ch khc hoc h thng con

Thng xy ra trong cc ngn ng kch bn

H tr ti s dng cc chng trnh hoc modules khc

Thng thng gp trong kch bn giao din ha chung (web CGI scripts)

11. Unsafe Perl Script

12. Safer Script

Chng tn cng bng kim chng u vo

So snh vi mu m t chi cc u vo khng hp l

Xem an v d b sung trong an sau:

13. SQL Injection

L mt tn cng ni x bng n rng ri khc

Khi u vo s dng trong truy vn SQL n c s d liu

Tng t nh ni x lnh

Ni n cc siu k t SQL

Cn kim tra v kim chng u vo cho chng

14. Code Injection

L mt bin th khc

u vo gm c code m sau thc thi

Xem cc l hng ni x code PHP t xa

variable + global field variables + remote include

Kiu tn cng ny c khai thc rng ri

15. Tn cng qua Site Scripting

Tn cng khi u vo t mt NSD sau l u ra ca mt NSD khc (XSS)

XSS thng c thy trn trang ng dng Web dng ngn ng kich bn

Vi script code t trong u ra ti browser

Mi script c h tr, nh Javascript, ActiveX

Coi nh n t ng dng trn site

XSS reflection

Code c hi t site

Ko theo xut hin cho cc NSD khc

16. XSS Example

cf. guestbooks, wikis, blogs etc

Ni c cc nhn xt cha script code

Nh thu thp chi tit cookie ca NSD ang xem

Cn kim chng d liu c cp

Bao gm vic kim sot mi on m khc nhau c th

Tn cng c vic kim sot u vo v u ra

17. Kim chng c php u vo Validating Input Syntax

tin tng d liu u vo tha mn gi thit

Nh in c, HTML, email, userid,

So snh vi nhng ci chp nhn bit

Khng phi ch ti nhng nguy him bit

C th b qua cc vn mi, phng php qua mt

Thng thng biu thc chnh qui c s dng

Mu m t cc u vo cho php

Chi tit c th khc nhau gia cc ngn ng

u vo ti s b t chi hoc cnh bo

18. D phng m Alternate Encodings

C th c nhiu phng tin khc nhau cho cng vn bn m

Ty thuc vo dng cu trc ca d liu, nh HTML

Hoc thng qua vic dng mt s tp k t ln

Unicode c s dng quc t ha

Dng gi tr 16-bit cho k t

UTF-8 m nh cc dy 1-4 byte

C cc phng n d tha

nh l 2F, C0 AF, E0 80 AF

V vy kim tra ngn chn dng tn file tuyt i!

Cn phi chun ha u vo trc khi dng

19. Validating Numeric Input

C th c d liu th hin gi tr s

Lu bn trong vi cc gi tr kch thc c nh

Nh 8, 16, 32, 64-bit integers or 32, 64, 96 float

signed or unsigned

Cn phi thng dch dng vn bn ng

V sau x l thch hp

C phn so snh du v khng du

Nh khng du dng ln l du m

C th dng do thm kim tra trn b m

20. Lm m u vo - Input Fuzzing

Phng php kim tra mnh s dng phm vi ln cc u vo sinh ngu nhins

kim tra chng trnh c x l ng vi cc u vo bt thng

n gin, khng c gi thit, r

h tr c tin cy v an ton

C th dng nhp sinh ra cc lp u vo bit ca bi ton

C th b st li, nn s dng cng ngu nhin cng tt

21. Writing Safe Program Code

Phn sau lin quan n x l d liu bng mt thut ton no cho bi ton ang gii

Dch ra m my hoc thng dch

Thc thi vi cc lnh m my

Thao tc d liu trong b nh v thanh ghi

Cc vn an ton:

Ci t thut ton ng

Cc lnh m my ng cho thut ton

Thao tc ng d liu

22. Correct Algorithm Implementation

Vn pht trin chng trnh tt

Kim sot ng mi phng n ca bi ton

Nh li s ngu nhin ca Netscape

c gi thit l khng on trc c nhng cha c

Khi debug/test code li cng sn phm

c s dng truy cp d liu hoc kim tra qua mt

Nh Morris Worm khai thc sendmail

Thng dch kim sot khng ng ng ngha

V vy cn quan tm trong thit k v ci t

23. Ngn ng my ng Correct Machine Language

Tin tng cc lnh my ci t ng chng trnh ca ngn ng bc cao

Cc lp trnh vin thng b qua

Gi s compiler/interpreter l ng

Nh bi bo ca Ken Thompson

i hi so snh m my vi ngun chnh gc

Chm v kh khn

c i hi cho cc chun chung cao EALs

24. Thng dch d liu ng Correct Data Interpretation

D liu c lu dng bits/bytes trong my

Nhm li thnh words, longwords,

Thng dch ph thuc vo lnh my

Ngn ng cung cp cc kh nng khc nhau cho vic s dng d liu kim chng v hn ch

Ngn ng kiu mnh hn ch hn, nhng an ton hn

Cc loi khc t do, linh hot v km an ton hn nh C

25. S dng ng b nh Correct Use of Memory

Vn cung cp b nh ng

s dng thao tc cc khi lng d liu cha bit

Cp khi cn v gii phng khi dng xong

Tht thot b nh nu gii phng khng ng

Nhiu ngn ng c khng c h tr tng minh cho vic cp b nh ng

Ngya c s dng cc hm th vin chun

Lp trnh vin phi t xin cp v gii phng ng

Cc ngn ng lp trnh hin i t ng cng vic ny

26. Tranh chp b nh chia s

Khi nhiu threads/processes cng truy cp d liu v b nh chia s

tr khi truy cp ng b, c th lm sai lch hoc mt d liu v truy cp chng cho nhau

V vy s dng cc thoa tc c bn ng b thch hp

La chn v dy ng c th khng hin nhin

C vn b tc (deadlock) trong truy cp

27. Interacting with O/S

programs execute on systems under O/S

mediates and shares access to resources

constructs execution environment

with environment variables and arguments

systems have multiple users

with access permissions on resources / data

programs may access shared resources

e.g. files

28. Environment Variables

set of string values inherited from parent

can affect process behavior

e.g. PATH, IFS, LD_LIBRARY_PATH

process can alter for its children

another source of untrusted program input

attackers use to try to escalate privileges

privileged shell scripts targeted

very difficult to write safely and correctly

29. Example Vulnerable Scripts

using PATH or IFS environment variables

cause script to execute attackers program

with privileges granted to script

almost impossible to prevent in some form

30. Vulnerable Compiled Programs

if invoke other programs can be vulnerable to PATH variable manipulation

must reset to safe values

if dynamically linked may be vulnerable to manipulation of LD_LIBRARY_PATH

used to locate suitable dynamic library

must either statically link privileged programs

or prevent use of this variable

31. Use of Least Privilege

exploit of flaws may give attacker greater privileges - privilege escalation

hence run programs with least privilege needed to complete their function

determine suitable user and group to use

whether grant extra user or group privileges

latter preferred and safer, may not be sufficient

ensure can only modify files/dirs needed

otherwise compromise results in greater damage

recheck these when moved or upgraded

32. Root/Admin Programs

programs with root / administrator privileges a major target of attackers

since provide highest levels of system access

are needed to manage access to protected system resources, e.g. network server ports

often privilege only needed at start

can then run as normal user

good design partitions complex programs in smaller modules with needed privileges

33. System Calls and Standard Library Functions

programs use system calls and standard library functions for common operations

and make assumptions about their operation

if incorrect behavior is not what is expected

may be a result of system optimizing access to shared resources

by buffering, re-sequencing, modifying requests

can conflict with program goals

34. Secure File Shredder

35. Race Conditions

programs may access shared resources

e.g. mailbox file, CGI data file

need suitable synchronization mechanisms

e.g. lock on shared file

alternatives

lockfile - create/check, advisory, atomic

advisory file lock - e.g. flock

mandatory file lock - e.g. fcntl, need release

later mechanisms vary between O/S

have subtle complexities in use

36. Safe Temporary Files

many programs use temporary files

often in common, shared system area

must be unique, not accessed by others

commonly create name using process ID

unique, but predictable

attacker might guess and attempt to create own between program checking and creating

secure temp files need random names

some older functions unsafe

must need correct permissions on file/dir

37. Other Program Interaction

may use services of other programs

must identify/verify assumptions on data

esp older user programs

now used within web interfaces

must ensure safe usage of these programs

issue of data confidentiality / integrity

within same system use pipe / temp file

across net use IPSec, TLS/SSL, SSH etc

also detect / handle exceptions / errors

38. Handling Program Output

final concern is program output

stored for future use, sent over net, displayed

may be binary or text

conforms to expected form / interpretation

assumption of common origin,

c.f. XSS, VT100 escape seqs, X terminal hijack

uses expected character set

target not program but output display device

39. Summary

discussed software security issues

handling program input safely

size, interpretation, injection, XSS, fuzzing

writing safe program code

algorithm, machine language, data, memory

interacting with O/S and other programs

ENV, least privilege, syscalls / std libs, file lock, temp files, other programs

handling program output

Technology

Ch12phanmem