How Attackers Attack Programs, and How to Write More Secure Programs

List of slides

Slide 1: How Attackers Attack Programs, and How to Write More Secure Programs
Slide 2: Author Information
Slide 3: Goals of This Talk
Slide 4: About This Talk
Slide 5: More About This Talk
Slide 6: Brief Table of Contents
Slide 7: Brief Table of Contents (con
Slide 8: Brief Table of Contents (con
Slide 9: Overview
Slide 10: Key Concepts
Slide 11: Interesting Programs
Slide 12: Heart of the Problem
Slide 13: End of Overview
Slide 14: Attacking Programs
Slide 15: Where To Look
Slide 16: Network Servers
Slide 17: Local Servers
Slide 18: Setuid, Setgid Programs
Slide 19: Clients
Slide 20: Basic Problems
Slide 21: Users and Privileges
Slide 22: Looking for Problems
Slide 23: Looking Around (Static)
Slide 24: Looking Around (Dynamic)
Slide 25: Identifying Users
Slide 26: Changing Privileges
Slide 27: Spawning Subprocesses
Slide 28: More Subprocesses
Slide 29: Identify Users Incorrectly
Slide 30: Environment Variables
Slide 31: Examples
Slide 32: Example Use (Direct)
Slide 33: Example Use (Indirect)
Slide 34: Finding Environment Variables
Slide 35: More Source Code
Slide 36: Emphasize This
Slide 37: Order of Evaluation
Slide 38: Finding Environment Variables
Slide 39: Attack: Change Them
Slide 40: Requires
Slide 41: Attack: Give Interesting Values
Slide 42: Requires
Slide 43: Attacking: Give Multiple Values
Slide 44: How Do You Do It?
Slide 45: Pseudocode Example
Slide 46: Use of Example
Slide 47: Requires
Slide 48: Looking for Environment Variables
Slide 49: Buffer Overflows
Slide 50: Process Memory Structure
Slide 51: Typical Stack Structure
Slide 52: Idea
Slide 53: In Pictures
Slide 54: In Words
Slide 55: Required
Slide 56: Also Required
Slide 57: Quick Test
Slide 58: Where to Put Shell Code
Slide 59: Data Segment Buffer Overflows
Slide 60: Example: login Problem
Slide 61: In Pictures
Slide 62: Requires
Slide 63: Selective Buffer Overflow
Slide 64: Sendmail Configuration File
Slide 65: In Pictures
Slide 66: Problems and Solutions
Slide 67: Attack: Whacking the Heap
Slide 68: Attack: Changing the Heap
Slide 69: Things To Alter
Slide 70: Requires
Slide 71: Numeric Overflows
Slide 72: Attack: NFS UIDs
Slide 73: Obvious Question
Slide 74: Results of the Attack
Slide 75: Requires
Slide 76: strn Functions
Slide 77: Validation and Verification
Slide 78: Meta-Characters
Slide 79: Examples from Shells
Slide 80: Format Strings
Slide 81: How to Use This
Slide 82: What To Do
Slide 83: Attack: Signals
Slide 84: Attack: Who Checks
Slide 85: Attack: Check at Wrong Place
Slide 86: In Detail
Slide 87: Attacking the Fixed Version
Slide 88: Requirements
Slide 89: Network Problems
Slide 90: What To Look For
Slide 91: Attacking the Client
Slide 92: Look At What Server Trusts
Slide 93: Race Conditions
Slide 94: TOCTTOU Flaw
Slide 95: Check and Use
Slide 96: Requires
Slide 97: Programming Condition
Slide 98: Referencing Files
Slide 99: Bounds of Interval
Slide 100: Detecting the Condition
Slide 101: Quick and Dirty
Slide 102: Environmental Condition
Slide 103: Trustworthiness
Slide 104: What It Means
Slide 105: Attack
Slide 106: Example: sendmail
Slide 107: But
Slide 108: Amusing Aftermath
Slide 109: About the Script
Slide 110: Races and Signals
Slide 111: Dangerous Code
Slide 112: FTP Race Condition
Slide 113: Denial of Service
Slide 114: Example of Overwhelmed
Slide 115: Attack: Fork Bomb
Slide 116: Blocked
Slide 117: In Pictures
Slide 118: Required
Slide 119: Second Example
Slide 120: Doing This
Slide 121: How To Check For This
Slide 122: Good General Advice for Attacking
Slide 123: End of Attacking Programs
Slide 124: Writing Better Security-Related Programs
Slide 125: Why is This Hard?
Slide 126: Example: Message Transfer Agent
Slide 127: Design Principles
Slide 128: Security Design Principles
Slide 129: Principle of Least Privilege
Slide 130: Principle of Fail-Safe Defaults
Slide 131: Principle of Economy of Mechanism
Slide 132: Principle of Complete Mediation
Slide 133: Principle of Open Design
Slide 134: Principle of Separation of Privilege
Slide 135: Principle of Least Common Mechanism
Slide 136: Principle of Psychological Acceptability
Slide 137: End of Writing Better Security-Related Programs
Slide 138: Users and Privilege
Slide 139: Users and UIDs
Slide 140: Example
Slide 141: Setuid, Setgid Bits
Slide 142: Why Saved UID?
Slide 143: Obtaining These UIDs
Slide 144: Warnings and Limits
Slide 145: Setting UIDs
Slide 146: More Setting UIDs
Slide 147: Groups and GIDs
Slide 148: More Groups
Slide 149: And Still More
Slide 150: Getting User Names
Slide 151: Getting Group Names
Slide 152: Getting Login Names
Slide 153: Are You Running With Privileges?
Slide 154: Starting Safe
Slide 155: Review: What Is Privilege
Slide 156: Key Difference
Slide 157: How Important?
Slide 158: Remember the Games?
Slide 159: Create a Restricted User
Slide 160: Create a Restricted Group
Slide 161: Setuid vs. Setgid
Slide 162: Caution
Slide 163: Practice
Slide 164: Practice: Changing UIDs
Slide 165: Practice: Spawning Processes
Slide 166: Practice: Identifying Users
Slide 167: End of Users and Privileges
Slide 168: Environment
Slide 169: Environment
Slide 170: Environment Variables
Slide 171: First Example
Slide 172: Where Is the Privilege?
Slide 173: The First Attack
Slide 174: Practice: PATH
Slide 175: Not yet
Slide 176: The Second Attack
Slide 177: Design: IFS Variable
Slide 178: Fixing This
Slide 179: Subtlety
Slide 180: Dynamic Loading
Slide 181: The Environment
Slide 182: How Dynamic Loading Works
Slide 183: Finding the Libraries
Slide 184: Dynamic Loading
Slide 185: Continuing, the Attack
Slide 186: Fix #1
Slide 187: Again, Not Enough
Slide 188: Example: The sync Account
Slide 189: The Attack
Slide 190: What Happened?
Slide 191: Combining These
Slide 192: Another Aspect
Slide 193: Practice: Using Environment Variables
Slide 194: Practice: More on Environment Variables
Slide 195: Programming Tip: Controlling Environment Variables
Slide 196: Analysis of These Problems
Slide 197: Practice: Don't Dynamically Load
Slide 198: Design: Know What You Trust
Slide 199: The Heart of the Matter
Slide 200: Practice: Right Way
Slide 201: End of Environment
Slide 202: Validation and Verification
Slide 203: Starting Example
Slide 204: Exploit
Slide 205: What Can You Trust?
Slide 206: This Includes All Arguments
Slide 207: The syslogd Bug
Slide 208: The Problem
Slide 209: Design Tip: Buffer Overflow
Slide 210: Practice: Handling Arrays
Slide 211: Common Error
Slide 212: Invalid Input
Slide 213: The Faulty DNS
Slide 214: User Specifying Arbitrary Input
Slide 215: More Dangerous Input
Slide 216: Practice: Unreliable Information
Slide 217: Other Sources
Slide 218: Ownership and Permission
Slide 219: The at Attack
Slide 220: What Happened
Slide 221: Another Failure to Check
Slide 222: Overwriting Any File
Slide 223: Why?
Slide 224: Fixes
Slide 225: End of Validation and Verification
Slide 226: Race Conditions
Slide 227: Opening Files
Slide 228: Ownership on Creation
Slide 229: File Creation Permissions
Slide 230: Programming Tip: umask
Slide 231: Design: Directory, File Permissions
Slide 232: Sendmail Hole
Slide 233: Sendmail Attack
Slide 234: One Partial Fix
Slide 235: Practice: Files, Directories
Slide 236: access System Call
Slide 237: A Classic Race Condition
Slide 238: Another Instance
Slide 239: access(2) Usage
Slide 240: access(2) Safe Usage
Slide 241: Practice: Using access(2)
Slide 242: Care in Process Co-ordination
Slide 243: The lpr Attack
Slide 244: Analysis
Slide 245: In Detail
Slide 246: Similar To sendmail Problem
Slide 247: Problem: More Detail
Slide 248: Very Old UNIX Bug
Slide 249: What Could Happen
Slide 250: How To Fix This
Slide 251: Design: Atomicity
Slide 252: Programming Tip: Atomicity
Slide 253: Shell Scripts
Slide 254: Window of Vulnerability
Slide 255: Practice: Setuid Scripts
Slide 256: Logging
Slide 257: The xterm Logging Facility
Slide 258: xterm and Logfiles
Slide 259: First Iteration
Slide 260: But It's Not Over
Slide 261: Next Iteration
Slide 262: Better Solution
Slide 263: Saved UIDs
Slide 264: Design: Closing Vulnerabilities
Slide 265: Key Point
Slide 266: End of Race Conditions
Slide 267: Files and Subprocesses
Slide 268: File Descriptors
Slide 269: Example Program
Slide 270: Design: Open Files
Slide 271: Practice: Closing Across exec
Slide 272: Umask Is Inherited
Slide 273: A General Observation
Slide 274: Design: KISS
Slide 275: Setuid Shell Scripts
Slide 276: On Some Systems
Slide 277: Design Tip: Assumptions
Slide 278: Programming Tip: Names
Slide 279: End of Files and Subprocesses
Slide 280: Error Handling
Slide 281: That Old su Bug (Apocryphal?)
Slide 282: Design Tip: Error Recovery
Slide 283: Design Tip: When to Recover
Slide 284: Programming Tip: errno
Slide 285: Warning
Slide 286: End of Error Handling
Slide 287: System and Library Calls
Slide 288: Practice: Calling Functions
Slide 289: System and Library Calls
Slide 290: access(2)
Slide 291: chmod(2)
Slide 292: chown(2)
Slide 293: chroot(2)
Slide 294: Why This Is Dangerous
Slide 295: chroot Problem #1
Slide 296: chroot Problem #2
Slide 297: creat(2), open(O_CREAT)
Slide 298: Nope
Slide 299: Other Ways to Lock Things
Slide 300: exec(2)
Slide 301: fcntl(2)
Slide 302: fork(2)
Slide 303: fsync(2)
Slide 304: getpgid(2), getpgrp(2)
Slide 305: TIOCGPGRP, TIOCSPGRP
Slide 306: Control Terminal
Slide 307: Attack
Slide 308: Fix
Slide 309: kill(2)
Slide 310: link(2)
Slide 311: read(2), write(2)
Slide 312: Secure Temporary File
Slide 313: Advantages and Disadvantages
Slide 314: rename(2)
Slide 315: signal(2 or 3)
Slide 316: More on Signals
Slide 317: More on Signal
Slide 318: Re-entrant Handlers
Slide 319: Doing Them Right
Slide 320: stat(2)
Slide 321: Example
Slide 322: stat(2) Races
Slide 323: umask(2)
Slide 324: utimes(2)
Slide 325: crypt(3)
Slide 326: End of System and Library Calls
Slide 327: Miscellaneous Points
Slide 328: Password Testing
Slide 329: Memory Use
Slide 330: getusershell(3)
Slide 331: mktemp(3)
Slide 332: mkstemp(3)
Slide 333: Pseudo-Random Number Generation
Slide 334: Seeding the PRNG
Slide 335: Programming Tip: Good Style
Slide 336: End to Miscellaneous Points
Slide 337: Examples
Slide 338: Example Programs/Functions
Slide 339: lsu Suite
Slide 340: Design Considerations #1
Slide 341: Design Considerations #2
Slide 342: Design Considerations #3
Slide 343: Design Considerations #4
Slide 344: Design Considerations #5
Slide 345: Design Considerations #6
Slide 346: Notes
Slide 347: More Notes
Slide 348: And Some Problems
Slide 349: Some Reflections
Slide 350: Reference Monitor
Slide 351: Applications to UNIX System Programming
Slide 352: Privileged Servers
Slide 353: More Privileged Servers
Slide 354: Compartmentalization
Slide 355: What UNIX Systems Really Need
Slide 356: Applying This to lsu
Slide 357: mpopen, msystem
Slide 358: What It Does
Slide 359: Altering the Default
Slide 360: Return Values
Slide 361: Design Consideration #1
Slide 362: Design Consideration #2
Slide 363: Design Consideration #3
Slide 364: trustfile
Slide 365: Example Use
Slide 366: Algorithm
Slide 367: Return Codes
Slide 368: Implementation Consideration #1
Slide 369: Implementation Consideration #2
Slide 370: Implementation Consideration #3
Slide 371: End of Examples
Slide 372: Resources
Slide 373: Books
Slide 374: Papers
Slide 375: Papers
Slide 376: Papers
Slide 377: Web Sites
Slide 378: End of Resources
Slide 379: Conclusion