
Software Quality and Information Security (軟體品質與資訊安全)
Department of Computer Science, National Chiao Tung University (交通大學資訊工程系)
黃世昆 (Shih-Kun Huang)

Slide 2: Outline
- Background
- Software Attack Basic
- Software Process Vulnerability
- Software Exploitability
- Dynamic and Static Defense
- Conclusion

Slide 4: Software Engineering and Worms
- 1968: conference on the software crisis (after the invention of the IC, with more complex software)
- 1988 (Nov 2): Internet Worm
- 2001 (July 19): Code Red Worm (after 1988)
- 2003 (Aug 11): Blaster Worm (impact on MS)
- 2005: worms anywhere and anytime; Microsoft software auto-updates more frequently

Slide 5: Software Attack Basic

Slide 6: The Strength of Cryptography
- "128-bit keys mean strong security, while 40-bit keys are weak"
- "triple-DES is much stronger than single DES"
- "2,048-bit RSA is better than 1,024-bit RSA"
- "lock your front door with four metal pins, each of which in one of 10 positions": there will be 10,000 possible keys, almost impossible to break in
- NO!

Slide 7: Strength of Cryptography
- Burglars won't try every possible key or pick the lock.
- They smash windows, kick in doors, and use a chainsaw on the house wall.
- Most of us design, analyze and break cryptographic systems. Few try to do research on published algorithms, protocols and actual products.

Slide 8: From Bruce Schneier
- We don't have to try every possible key or even find flaws in the algorithms.
- We exploit errors in design, errors in implementation, and errors in installation.
- Sometimes we invent a new trick to break a system, but most of the time we exploit the same old mistakes that designers make over and over again.

Slide 10: Security Attack
- A dynamic event that occurs during the execution of a piece of software.
- An attack is made possible when:
  - weaknesses exist in the system, and
  - a sequence of weakness-exploiting input signals to the system is supplied.

Slide 11: Threat
- Threat: an agent outside of a software system that exploits a vulnerability through attacks.

Slide 12: Vulnerability
- A potential defect or weakness in an information system.
- Knowledge is required to exploit the defect.

Slide 13: State Space Vulnerability
- System state: the current configuration of the entities in the system.
- Authorized or unauthorized state: determined from a given initial state using a set of state transitions defined by the security policy.
- Vulnerability state: an authorized state from which an unauthorized state can be reached using authorized state transitions.
- Compromised state: the authorized state above.
- Attack: begins in a vulnerability state.

Slide 14: State Space Attack
[Diagram: an attack moves the system from a Vulnerability State through an Authorized State (compromised by the attack) to an Unauthorized State.]

Slide 15: Exploiting Software System Defects (軟體系統缺陷運用)
- Differences across the software development process (軟體發展過程差異)
  - State overwrite (狀態溢寫): Y2K, malicious buffer overflow
  - Weaknesses in the design and implementation of cryptographic modules
  - Security of executable content (Web Internet Platform Security)
  - Exploitation of defects in network server application software

Slide 16: Software Process Vulnerability
- Imprecise requirement specification
- Design vulnerability
- Implementation flaws
- Mismatch between development and run-time environment
- Improper configuration and application

Slide 17: Software Attacks
- Implementation flaws: buffer overflow attacks
  - Stack overflow
  - Heap overflows
  - Data segment, shared memory segment
- Environment mismatch: type system attacks
  - Type containment not sound
  - Mismatch between a dynamically loaded library and the actual arguments

Slide 18: Buffer Overflow Attacks
- Internet Worm, fingerd, Nov 2, 1988.
- Overflow the buffer of a remote daemon or a setuid program:
  - inject malicious machine code into the program's address space
  - overwrite the return address of some function
- Lack of a good string or buffer data type in C, and misuse of the standard C library's string functions.

Slide 19: Overflow Attacks Are Made Possible Whenever Software Faults (Bugs) Are Not Removed
- Deviation between process transitions (inter-process) and phase inconsistency between analysis, design, implementation and application.
- Inter-process inconsistency: communication flaws during requirement analysis, language type inconsistency during program implementation, improper configuration during application.

Slide 20: Security Problems from Environment Differences (環境差異的安全問題)
- Defective software
- Defective software environment
  - Differences between the compilation environment and the program libraries
  - Differences between the execution environment and the development environment (Web security and type system attack)

Slide 21: Problems
- Interface compatibility
  - The semantics of linking differ between distributed environments
  - Semantic gap between security protocols and their implementation

Slide 22: Environment Transition
- Restriction: a program can only change its type context to a new type context in such a way that the new context is a consistent extension of the original context.
- Component composition: what is the consistent extension of a component environment?

Slide 23: Security Problems Related to Software Quality
- System exploitability: the system can be compromised from an authorized state to any unauthorized state.
- Is any system exploitable? How to exploit it?
- Is any system failure exploitable? How to do it?
- If the crash site is detected, is the system exploitable? How to do it?
- If the corrupt site is detected, is the system exploitable? How to do it?

Slide 24: Imagination
- We don't have solutions to the above problems, but we can have a partial exploitation method with constraints.
- Once I have captured Microsoft Windows crash site information, a computer-aided exploitation tool can be employed to test it.
- To the bad: once any Windows AP fails and is caught, Microsoft will sit on thorns (remember the RPC flaw, the Blaster worm, and the Sasser worm?).
- To the good: we can better understand the system failures.

Slide 25: Thoughts
- Though most COTS software has been tested, there are still vulnerabilities inside that cause the software to crash, or even to be exploited.
- We may find the root cause of the vulnerabilities from the crash site.

Slide 26: Security Breach due to Quality Problems
- Programs crash occasionally.
  - Vulnerabilities inside cause the program to crash.
  - Find out whether this crash can be exploited.
- Could runtime execution auditing be helpful in exploiting this crash?
- Instance: crash due to stack and heap overrun
  - The stack overrun situation still exists.
  - Detect these situations systematically.
  - It is possible to develop exploitive attacks in general.

Slide 27: Crash-Only Software
- Software is destined to fail
  - We can prove the existence of a bug.
  - We cannot prove the non-existence of all bugs.
- Software bugs: faults and failures
  - Faults: not conforming to the system specification
  - Failures: control flow crash, indefinite hang, panic resource access
- Exploitability testing: test whether crash-type failures are exploitable.

Slide 28: Steps for Exploitation
- Phase I: how to lead the program to crash?
  - Idea: use the test driver to feed the input data systematically.
  - Brute force testing using an instrumentation tool.
- Phase II: is the crash site caused by a buffer overrun?
  - Crash site approximation: find the crash site as precisely as possible.
- Phase III: how to exploit?
  - Dealing with a non-executable stack and one-byte overruns
  - Forging the payload

Slide 29: Searching for Vulnerabilities
- Tracing
  - Tools: truss in Solaris, strace in Linux, RegMon in Windows
  - Watching the program interact with the OS
- Debuggers
- Guideline-based auditing
  - Watching for differences from the design document or spec
- Sniffers
  - Watching the interaction between the server and the client
- nm, objdump

Slide 30: Using a Disassembler
1. Disassemble.
2. Watch for references to vulnerable library functions; if found, go to 5.
3. Search for "sub esp, ." (find local variables); if found, go to 5.
4. Look for heap overflows and logic errors.
5. Figure out how to get execution into your vulnerable function.

Slide 31: What do we need?
- The execution path to the vulnerable function
  - Crash site approximation by stack checkpoint
- Where is the malicious input?
  - I/O interception by a system call wrapper / Input Pollutant Tracer
- The buffer size
  - Exploit payload

Slide 32: Corrupt Site Detection
- Considerations
  - Limitation of debuggers (such as gdb): the call stack cannot be recovered from the core if the crash is caused by corruption of the call stack (EBP, return address).
  - We could use tools to checkpoint the call stack periodically to discover whether a buffer overrun occurs.

Slide 33: Corrupt Site and Crash Site
The slide's illustration, written out as C (the sprintf into a 10-byte buffer is the intended defect):

    #include <stdio.h>

    void A(void) { /* ... */ }
    void B(void) { A(); }
    void C(void) { B(); }

    void crash_here(const char *input) {
        char buf[10];
        /* ... statements that corrupt the stack ... */
        sprintf(buf, "%s", input);   /* corrupt site: unbounded copy overruns buf */
        A();                         /* crash site: the call runs on a smashed frame */
        /* further operations */
    }

Slide 34: Corrupt Site Detection
[Diagram: call-stack traces in the normal case (Kernel32 - main - ...), after corruption (Kernel32 - main - ... - ? - ...), and inside an exception handler (Kernel32 - exception handler - ...), ending in a crash.]
- Idea: stack invariant detection
  1. In normal situations the call stack can be traced back to the main function.
  2. Invariant violation: the stack can't be traced back to main, so the stack is corrupted, or execution was interrupted, or an exception handler was entered.
- Considerations
  1. The corruption process won't be too long.
  2. It is a challenge to finely calibrate the granularity of the stack checkpoint.
  3. Another solution: a function call wrapper.

Slide 35: COTS Software Security
Phases: before the incident (事前), when it occurs (事發), when it ends (事終), afterwards (事後)
- Source code auditing
- Buffer overflow detection
- Terminate the process
- Recover the return address and saved frame pointer
- White hat: bug tracking
- Black hat: developing an exploit
- Vendor patch

Slide 36: Related Works
- Anomaly Detection Using Call Stack Information, IEEE S&P 2003
- HEALERS: A Toolkit for Enhancing the Robustness and Security of Existing Applications, IEEE DSN 2003
- Run-Time Detection of Heap-based Overflows, USENIX LISA 2003

Slide 37: Related Work
- Instrumenting
  - StackGuard (a compiler for stack protection from smashing attacks)
  - ProPolice (GCC extension for protecting from stack-smashing attacks)
  - StackShield (a stack smashing protection tool for Linux)
- Fat pointers
  - Cyclone (a safe dialect of C)
  - CCured (a source-to-source translator for C to prevent all memory safety violations)

Slide 38: Related Work
- Purify (memory corruption and leak detection)
- Valgrind (a memory debugger)
- Bidirectional debugging
  - Bitan Biswas and R. Mall, "Reverse Execution of Programs", ACM SIGPLAN Notices, Apr. 1999
  - Bob Boothe, "Efficient Algorithms for Bidirectional Debugging", PLDI 2000

Slide 39: StackGuard
- Canary
  - Random canary
  - Terminator canary
- Frame layout, from higher to lower addresses: parameter 2, parameter 1, return address, canary, base pointer, local variable 1, local variable 2, buffer

Slide 40: StackShield
- Global ret stack
  - Array of 256 entries
  - saved retu
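A simulation of the StackGuard canary check from slide 39, as an added example that is not part of the original deck: the sprintf-style copy from slide 33 overruns the 10-byte buffer and clobbers the canary, which the epilogue check detects, while a bounded snprintf leaves it intact. The frame struct, canary value, marker values and the long "A" input are constructed for the demo and do not reflect any real compiler's frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame with the StackGuard layout shown on the slide: local
 * buffer, then canary, then saved base pointer and return address. The
 * whole demo runs inside this struct, so the real stack is never touched
 * (constructed layout for illustration, not a real compiler's frame). */
typedef struct {
    char     buf[10];
    uint32_t canary;
    uint32_t saved_bp;
    uint32_t ret_addr;
} frame_t;

/* Mirrors the slide's sprintf(buf, "%s", input): copies the whole string,
 * NUL included, with no bound. The copy is clamped to the struct so the
 * demo itself stays well-defined; a real sprintf would keep going. */
static void unbounded_copy(frame_t *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, input, n);
}

/* Hardened version: length-limited and always NUL-terminated. */
static void bounded_copy(frame_t *f, const char *input) {
    snprintf(f->buf, sizeof f->buf, "%s", input);
}

/* Prologue as StackGuard inserts it: plant the canary below the saved
 * base pointer and return address (constructed marker values). */
static void prologue(frame_t *f, uint32_t canary) {
    f->canary = canary; f->saved_bp = 0xbbbbbbbbu; f->ret_addr = 0xaaaaaaaau;
}

/* Epilogue check: 1 = canary intact, 0 = stack smashing detected, so the
 * process can be terminated before the corrupted return address is used. */
static int epilogue_check(const frame_t *f, uint32_t canary) {
    return f->canary == canary;
}

/* One call through the simulated frame; returns the epilogue verdict. */
int call_with(const char *input, uint32_t canary, int hardened) {
    frame_t f;
    prologue(&f, canary);
    if (hardened) bounded_copy(&f, input); else unbounded_copy(&f, input);
    return epilogue_check(&f, canary);
}
```

With a 24-byte input, call_with(input, canary, 0) returns 0 (canary smashed, detection fires) and call_with(input, canary, 1) returns 1 (bounded copy, canary intact).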
