ISEC0511 Programming for Information System Security
Lecture Notes #8: Constructing Secured and Safe C/UNIX Programs

Dec 25, 2015

Ross McKinney

Transcript
Page 1: 1 ISEC0511 Programming for Information System Security Lecture Notes #8 Constructing Secured and Safe C/UNIX Programs.

ISEC0511 Programming for Information System Security

Lecture Notes #8: Constructing Secured and Safe C/UNIX Programs

Page 2:

UNIX/Linux Briefs

UNIX was developed during the 1970s and is written in C. UNIX has many flavors, e.g. Solaris (Sun), HP-UX (HP), AIX (IBM), BSD, Tru64 (Digital, now HP).

UNIX originally had a monolithic kernel. The industry later came up with the concepts of the microkernel and module loading.

In 1991, Linus Torvalds began developing an OS kernel, which he named "Linux". Several organizations combine Linux with other supporting software and release it as distributions.

UNIX/Linux is considered by many people to be a reliable OS and is used by many organizations.

Page 3:

UNIX

UNIX is a platform of choice in many industries, including:

Research and teaching in universities
Telecommunications
Financial institutions
Corporations that used mainframes
Mission-critical systems, e.g. network management, high-availability servers, billing systems

Page 4:

POSIX

POSIX is a standard developed by the IEEE that is considered by many people to be the UNIX interface standard.

POSIX stands for Portable Operating System Interface for Unix and defines the API for software compatible with the various flavors of the UNIX OS.

Although the standard can apply to any OS, it is used mainly in the context of UNIX.

Page 5:

Applications on UNIX/Linux

Most applications running under UNIX/Linux are developed using C or C++.

Some applications nowadays are developed using Java.

C and C++ suffer from similar security risks.

Page 6:

Security Holes in UNIX

Elevation of privilege
Buffer overflow
Integer arithmetic bugs
Memory exhaustion bug
Referencing invalid memory
Array bound error
Log file area exhaustion
CPU exhaustion

Page 7:

Privileges in UNIX

Many server programs in UNIX need root privilege.

Having root privilege allows a process to, for example:

Read/modify other processes or their memory
Access I/O devices
Access low socket ports (0-1023)

Page 8:

SUID and SGID Programs

Programs that need root privilege often have the setuid root bit set (SUID).

Hackers look for such programs and try to exploit any buffer overflow vulnerabilities.

If they can inject code and spawn a process while the program is holding root privilege, they can control the whole system.

Programs that have setuid root can be found by looking at the permissions on the executable files.

Page 9:

SUID and SGID Programs

The setgid bit (SGID) is similar to setuid but applies at the group level.

SUID and SGID bits can be modified using the chmod command.

Examples of SUID files (the s in the owner's execute position marks the setuid bit):

-rw-r--r-- 1 root root 1713 Apr 2 2007 /etc/passwd
-r-s--x--x 1 root root 18992 Jun 6 2003 /usr/bin/passwd

Page 10:

Principles of Least Privilege

To minimize the damage that special privilege can cause, programs should minimize the resources they access while holding elevated privilege.

The following guidelines can be used as safe programming patterns:

Do not launch new processes
Do not execute command-line arguments
Do not allow connections to Transmission Control Protocol (TCP) ports 0 to 1023

Page 11:

Secured Network Programming

Some secure programming APIs under UNIX/Linux include:

GSS-API
SSL

Page 12:

Generic Security Service Application Program Interface

The Generic Security Service Application Programming Interface (GSS-API) is defined in RFC2473.

GSS-API does not offer any security functions itself. Instead, security service vendors implement GSS-API in the form of libraries, allowing applications to be portable at the source level.

GSS-API has been standardized for C and Java. Through about 45 procedure calls, GSS-API offers confidentiality, integrity, authentication, and non-repudiation.

Page 13:

SSL and OpenSSL

SSL is a protocol for secure communication on the network that encompasses confidentiality, integrity, and authentication.

SSL can be used for any kind of service on the network.

SSL can be implemented using OpenSSL. OpenSSL supports both SSL (v2 and v3) and TLS (v1).

OpenSSL contains the library for linking with applications and also many useful command-line tools for key/certificate work.

Page 14:

SSL vs. TLS

TLS (Transport Layer Security) can be considered a successor of SSL.

SSL and TLS are not interoperable with each other.

They are "equal" in terms of security.

TLS does an insecure handshake first before entering secure communication.

TLS can downgrade to support SSL if necessary.

TLS supports secure and insecure communication over the same port.

Page 15:

Raw Socket

A raw socket is a way to fully control what goes in or out of a network port under UNIX.

To do ethical hacking, you may need to use raw sockets to handcraft special packets to send to the network.

A raw socket allows you to control both the header and the payload of the packet.

Raw sockets are considered a part of the underlying OS networking APIs.

Raw sockets need root privilege.

Page 16:

Chroot

Chroot is used to restrict the files and directories that a user or process can access.

You can chroot during a command session by using the chroot command:

chroot [-u user] [-g group] newroot

In a C program, you can do:

chdir("/foo/bar");        /* move into the new root first */
chroot("/foo/bar");       /* make it the process root; requires root privilege */
setuid(non_zero_uid);     /* placeholder: any non-zero UID, so root privilege is dropped */
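Added example (not code from the lecture): the chdir/chroot/setuid sequence from the Chroot slide combined with the least-privilege guidance of slide 10, with every step checked and a failure reported through syslog(3). The jail path, the UID/GID 65534 ("nobody"), the step numbering and the program name "jaildemo" are assumptions of this example.

```c
#define _GNU_SOURCE            /* declares setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <syslog.h>
#include <unistd.h>

/* Enter the jail and drop privilege in the slides' order: chdir, chroot,
 * then setuid. Returns 0 on success or -N where N is the step that failed;
 * errno is left as the failing call set it. Added example, not lecture code. */
int enter_jail(const char *newroot, uid_t uid, gid_t gid)
{
    if (uid == 0) {              /* a zero UID would keep root privilege */
        errno = EINVAL;
        return -1;
    }
    if (chdir(newroot) != 0)     /* cwd must be inside the jail before chroot */
        return -2;
    if (chroot(newroot) != 0)    /* requires root privilege */
        return -3;
    if (setgroups(0, NULL) != 0) /* clear supplementary groups while still root */
        return -4;
    if (setgid(gid) != 0)        /* group before user: setgid needs root */
        return -5;
    if (setuid(uid) != 0)
        return -6;
    if (setuid(0) == 0)          /* the drop must be irreversible */
        return -7;
    return 0;
}

int main(int argc, char *argv[])
{
    /* Assumed values: jail path from argv[1], uid/gid 65534 ("nobody"). */
    const char *root = argc > 1 ? argv[1] : "/var/empty";
    int rc = enter_jail(root, 65534, 65534);
    if (rc != 0) {
        /* syslog(3) is the application logging interface from slide 17. */
        openlog("jaildemo", LOG_PID, LOG_DAEMON);
        syslog(LOG_ERR, "enter_jail step %d failed: %m", -rc);
        closelog();
        return 1;
    }
    puts("jailed as an unprivileged user");
    return 0;
}
```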

Page 17:

UNIX Logging

There are two logging interfaces in UNIX:

syslog(2): kernel logging
syslog(3): application logging

Application logs are stored in /var/log or /var/adm.

Some logs include utmp, wtmp, lastlog (login history), messages, mail, auth.

Page 18:

C Program Compiler Steps

Most applications under UNIX are developed using C/C++.

Common steps followed by the compiler are:

C Preprocessor: converts a C file into another complete C file to compile.
C Compiler: translates the C file into assembly language.
Assembler: translates assembly language into machine language code (object files).
Linker: links all object files together (including libraries) into an executable file.

Page 19:

Common Security Problems with C/C++

C does not impose any restrictions; programmers are responsible for handling almost everything.

Hackers that are smarter than programmers can exploit the knowledge gap and launch a security attack.

We will discuss several memory-related danger zones.

Page 20:

Memory Leak

Programmers are supposed to release any memory allocated by the program back to the OS.

Keeping on allocating memory and forgetting to release it is a phenomenon called a memory leak.

Many kinds of resource usage, such as creating a network connection, can also allocate memory implicitly.

A memory leak can eventually result in a DoS attack on the computer.

Page 21:

Memory Corruption Vulnerability

Memory Overflow
Stack Smashing/Overflow
Heap Smashing/Overflow

Page 22:

Memory Overflow

Memory overflow happens when you write data to a buffer beyond the buffer size.

Many C functions never do bound checking, thus allowing user data to be written beyond a buffer.

Writing data beyond a buffer can result in unpredictable program behavior (but the process keeps running).

In UNIX, if a process tries to write data beyond the process memory, it will get a segmentation fault.

Page 23:

Memory Overflow

Common steps the attacker typically follows to achieve a memory overflow attack:

Find suitable existing code with the necessary privileges for the attack.
Use the buffer overflow technique to inject attack code into the victim program.
The attack code changes the control flow of the privileged program, so that the attack code is executed with sufficient privilege.

Page 24:

Memory Overflow Example

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char fname[9];
    strcpy(fname, argv[1]);   /* no bound check: argv[1] longer than 8 characters overflows fname */
    if (argc < 2) {           /* note: this check comes after argv[1] has already been used */
        printf("Usage: display filename\n");
        exit(1);
    }
    return 0;
}

Page 25:

Memory Overflow Example

#include <stdio.h>
#include <string.h>

void crash(char *str) {
    char bufferOnStack[16];
    strcpy(bufferOnStack, str);   /* no bound check: str longer than 15 characters overflows the stack buffer */
}

int main(void) {
    char large_string[256];
    int i;
    for (i = 0; i < 255; i++)
        large_string[i] = 'A';
    large_string[255] = '\0';
    crash(large_string);          /* 255 bytes copied into a 16-byte buffer */
    return 0;
}

Page 26:

Unsafe C Functions

Some unsafe C functions include:

strcpy(char *dest, char *src)
strcat(char *dest, char *src)
getwd(char *buf)
gets(char *s)
fscanf(FILE *stream, char *format)
scanf(char *format)
realpath(char *path, char resolv_path[])
sprintf(char *str, char *format)

Page 27:

Stack Smashing/Overflow

Stack smashing is a type of buffer overflow.

An attacker exploits a buffer overflow to overwrite the content of the stack and manipulate program execution.

This is the most common attack used to gain control of a victim system.

The attacker targets a privileged program that runs with elevated privilege and injects the attack code through the buffer overflow.

Page 28:

Process Memory Organization

High memory
    Stack          (stack growth: downward, toward low memory)
    Data (Heap)
    Text
Low memory

Page 29:

Process Memory Organization

The text region holds the program code and is read-only.

The data region is used by static variables and by heap allocation (dynamic data allocation during runtime).

The stack region is used to support function calls and provides the space to store local variables inside a function.

Page 30:

Process Memory Example

void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
}

int main(void) {
    function(1, 2, 3);
    return 0;
}

Page 31:

Process Memory Example

Stack layout for the call function(1,2,3) on slide 30, from the bottom of the stack (high memory) to the top:

    c | b | a | ret | sfp | buffer1 | buffer2 | ...   <- Top of stack

Page 32:

#include <stdio.h>
#include <string.h>

int GoodPass(void);

int OverflowMe(char *str) {
    char buffer[10];
    strcpy(buffer, str);   /* no bound check: a long str overwrites sfp and the saved return address */
    return 0;
}

int main(int argc, char *argv[]) {
    int pass = 0;
    printf("check me in\n");
    if (argc > 1)
        OverflowMe(argv[1]);
    if (pass == 1)         /* pass is never set by the program itself */
        GoodPass();
    else
        printf("Uh-Oh cannot pass!!!\n");
    printf("end\n");
    return 0;
}

int GoodPass(void) {
    printf("******* You are IN! *******\n");
    printf("******* This is GoodPass() executing *******\n");
    return 0;
}

Program Output (screenshot not reproduced in the transcript)

Page 33:

Stack Smashing Example

Stack frame of OverflowMe() on slide 32, from the bottom of the stack to the top:

    str | ret | sfp | buffer | ...   <- Top of stack

Overflow target: ret (the saved return address).
Buffer growth direction: from buffer toward sfp and ret.

Page 34:

Shell Code

A shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability.

It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine.

Shell code is the code that an attacker will try to manipulate a privileged process into running, so that the attacker can perform tasks as a privileged user.

Page 35:

Shell Code Example

Below is an example of a shell code to spawn a command shell under UNIX.

Page 36:

Heap Smashing/Overflow

In heap smashing, the attacker exploits a buffer overflow to overwrite the content of the heap memory and manipulate program execution.

Unlike the stack, heap allocation does not return a fixed location inside the program memory.

Thus, taking control of a program using heap smashing is not easy.

Page 37:

Example

#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char *buf = (char *)malloc(10);
    strcpy(buf, argv[1]);   /* no bound check: argv[1] longer than 9 characters overflows the heap buffer */
    return 0;
}

Page 38:

Avoiding Security Risks with C/C++ Code

Use safe string operations, such as strncpy(), strncat(), snprintf().

Link the program with safe library functions, e.g. libsafe and libverify, to overcome overflow vulnerabilities.

Read the manual well. Most C functions under UNIX provide manual pages, accessible with the man command.
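Added example (not code from the lecture) of this slide's safe-string advice applied to the crash()/OverflowMe() pattern from slides 25 and 32 and to the strcpy/strcat entries of the unsafe-functions list; the function names are mine, and the strncpy caveat at the end shows why strncpy() alone is not enough.

```c
#define _POSIX_C_SOURCE 200809L  /* declares strnlen() */
#include <stdio.h>
#include <string.h>

/* Copy src into dst[dstsize] and always NUL-terminate. Returns 0 on success
 * or -1 when src did not fit; dst then holds a truncated, terminated copy.
 * snprintf() never writes past dstsize and reports the length it wanted. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    int needed = snprintf(dst, dstsize, "%s", src);
    return (needed < 0 || (size_t)needed >= dstsize) ? -1 : 0;
}

/* Append src to the string already in dst[dstsize], same contract. */
int bounded_append(char *dst, size_t dstsize, const char *src)
{
    size_t used = strnlen(dst, dstsize);
    if (used >= dstsize)          /* dst not terminated: refuse to guess */
        return -1;
    return bounded_copy(dst + used, dstsize - used, src);
}

/* The slides' OverflowMe() with the copy bounded: a str longer than nine
 * characters is rejected instead of overwriting sfp and the return address. */
int overflow_me_fixed(const char *str)
{
    char buffer[10];
    return bounded_copy(buffer, sizeof buffer, str);
}

/* Caveat for strncpy(): when src fills the whole buffer no NUL is written,
 * so a later strlen() or printf("%s") reads past the buffer. Returns 1
 * when buf is left unterminated (constructed 16-byte input). */
int strncpy_leaves_unterminated(void)
{
    char buf[16];
    const char src[] = "AAAAAAAAAAAAAAAA";
    strncpy(buf, src, sizeof buf);
    return buf[sizeof buf - 1] != '\0';
}
```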

Page 39:

Avoiding Security Risks with C/C++ Code

C Source File -> Compiler -> Object Files -> Linker -> Executable
                                               ^
                                            libsafe (linked in with the program)