1 / 56

Bad Software

Bad Software. Greg Hoglund CTO, Cenzic, Inc. greg@cenzic.com. What is Bad Software?. Software that exposes confidential data to un-authenticate users Software which crashes or grinds to a halt when exposed to faulty inputs Software which allows an attacker to inject code and execute it

dick
Télécharger la présentation

Bad Software

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bad Software Greg Hoglund CTO, Cenzic, Inc. greg@cenzic.com

  2. What is Bad Software? • Software that exposes confidential data to un-authenticate users • Software which crashes or grinds to a halt when exposed to faulty inputs • Software which allows an attacker to inject code and execute it • Software which executes privileged commands for an attacker

  3. Denver Airport Baggage • Unmanned carts on a track • Bad failure recovery/detection • Piles of fallen bags would not stop the unloaders • Carts got out of sync • Full carts continue to get loaded • Empty carts get unloaded • Delayed airport opening for 11 months • $1 million dollars a day in cost due to interest bond issues

  4. The last photo taken by the Mars Lander before it plunged to it’s death.* *This photo was found on the Internet. It has not been independently verified.

  5. NASA Mars Lander • Failed translation • English units into metric units • major error in spacecraft's path as it approached Mars • Crashed into the planet • Shut off descent engines prematurely • Taxpayer cost: $165 Million

  6. 4 Marines Killed • MV-22 Osprey Helicopter Crash • Burst hydraulic failure • Software caused backup system to fail

  7. Do these look alike?

  8. Navy shoots down Civilian Airliner • IN 1988, the US Vicennes shoots down Airbus 320 • 290 human lives lost • “cryptic and misleading output displayed by the tracking software “

  9. Microsoft’s $8.5 billion mistake • I LOVE YOU was only possible because Microsoft Outlook was designed to execute programs that were mailed to it.

  10. Why we have Bad Software • Networked Software is not designed to withstand a hostile environment • Development tools do not prevent simple security bugs (i.e., buffer overflows) • QA Testing methods do not address security • Customers pay for bad software

  11. Getting Worse • In order to compete, new services must be delivered • New technology is not being properly tested for failures • More connections, devices, and code

  12. More Devices • What happens when buffer overflows and poor access controls lead to mobile code attacks on cellular phones? • Mobile code can effect distributed systems in a matter of hours

  13. More Connections • New protocols, delivery mediums • A high degree of connectivity makes it possible for small failures to propagate and lead to massive outages • Telephone network outages • Power system grid failures

  14. More Code • Technology is being ‘glued’ together • More feature rich, more drivers and libraries • In 1983, Microsoft word was only 27,000 LOC Code Size 400,000 Solaris 7 17 million Netscape 40 million Space Station 10 million Space Shuttle 7 million Boeing 777 35 million NT5 Under 5 million Windows 95 1.5 million Linux

  15. More Exposure • Massive increase in connectivity • A vast network of relationships • Arpanet started with 12 nodes • Machines that used to work behind closed doors are now exposed • Computers are now worn on belt-loops

  16. 5 Million Backdoors • 5 – 50 bugs per 1000/lines of code [Vaos/McGraw]* 1 LOC ~ 10 bytes X 30,000 HOSTS 4.5 Billion X 10% = 500 Million Security Bugs 500 Million X 10% = 5 Million Remote Security Bugs = 3000 EXE’s ~100K per EXE = 10,000 LOC / EXE 5 Bugs/1000 LOC = 50 bugs/EXE 150,000 Bugs/ Host 4.5 Billion bugs

  17. Software is always in the “bleeding edge” phase • Windows 2000 shipped with 63,000 known bugs

  18. Software sucks because you buy it • Yes, YOU the CONSUMER play a part in demanding bad software • To demand new features in a very short time frame creates a time-to-market problem for reliable software • Will you wait two years for the features you want? • Will you pay 10-times as much to get those features?

  19. Deja Vu • The same software bugs just keep hanging around • We knew about buffer overflows 15 years ago • We are slow to adopt ideas • When will customers hold vendors liable for buffer overflows? • Is it reasonable to accept buffer overflows in production code?

  20. Other Industries Get Sued • Software shops gather around to defer bugs, decide which ones to ‘patch later’, and which ones to ignore • In other industries, safety flaws that are not corrected result in major class-action suits

  21. How come vendors don’t fix this stuff? • They can afford not to! • Hardware is expensive to replace – so huge investments are placed into testing hardware prior to release • Intel F00F bug cost $500 million • Software bugs can be patched and downloaded from a web-site • They pass the cost of a bug to the customer

  22. Software is not a Steel Bridge • The methods used for testing in traditional analog systems do not apply to software • With a bridge, you extrapolate results • What happens in between a 1000 kg test and a 10,000 kg test? • The system is continuous • State changes are gradual and predictable

  23. Discrete systems • State changes are not predictable • Numbers can change between 00001111 and 11110000 in an instant

  24. Let the compiler do the Diagnostics • If programmers had to book time on the mainframe two weeks in advance, they would invest countless hours checking their work • Code hackers today just bounce code off the compiler until all the errors go away • This puts the responsibility of “code review” on the compiler

  25. Form follows Failure • Sub-synchronous resonance in power systems • The addition of series AC capacitors in high energy power systems increases electrical stability • However, due to line inductance, the capacitors create electrical oscillations that effect the mechanical generator • Mohave Generating Station, Southern Nevada, 1971 • This snapped the drive shaft on a generator twice before it was properly diagnosed • This phenomenon is now a serious consideration is any power system design

  26. How to Fix Bad Software • Better compilers and languages • More formal, more tractable • Failure analysis and fault-injection • Hold vendors liable • Stop buying it

  27. Security Testing Security testing requires attacking the software. The software should be tested for the unexpected and the unknown. Software will never be placed or deployed into a trusted or predictable environment.

  28. Reliability Reliability Performance Functional Performance Functional Security The Missing Leg of Software Reliability Traditional QA testing methods have never addressed security. Software systems cannot be reliable unless they are secure.

  29. Security Testing History • Attack and Pen • Source Code Review • Network Scanning • Fault Injection • Full Disclosure

  30. Fault Injection • Source code changes require recompile • Binary instrumentation requires host agent • API input testing requires test harness • Network input testing requires additional network node

  31. Black Box • Can be automated • Can easily find ‘low hanging fruit’ • Automated Tools: • ISICS • Spike • Hailstorm™ • PROTOS

  32. MSQL Overflow with Spike s_binary("12 01 00 34 00 00 00 00 00 00 15 00 06 01 00 1b"); s_binary("00 01 02 00 1c 00 0c 03 00 28 00 04 ff 08 00 02"); //this is probably a length field s_binary("10 00 00 00"); //make this big s_string_variable("MSSQLServer"); s_binary("00 24 01 00 00");

  33. UDP-1434 SQL Overflow Buffer Attack Injected Into Protocol Statement

  34. 0040e890 e87b8cffff call 0040e895 c3 ret 0040e896 8bc0 mov FAULT ->0040e898 8b10 mov 0040e89a 33c9 xor

  35. White Box • IDA-Pro (reverse assemble) • More expensive and requires an expert • Very time consuming

  36. IDA reverse of popular app-server’s “CanonicalizeURIPath”

  37. A Fusion – Grey Box • Combines: • A runtime debugger • SoftIce • GDB • A white box tool • IDA • A black box tool • Hailstorm™

  38. Using Instrumentation • Using Rational Purify™ • Using API call hooks • Using Code-coverage (gcov, etc) • Cananocalization routines • Filtering routines • Decision logic • Parsers

  39. Hailstorm™ crashes MS-SQL 7

  40. Input Path Tracing • Path tracing • ltrace • truss • Data tracing • Gdb breakpoints • Modified ltrace • Where is user-data getting placed? • Trusted API calls?

  41. Boron Tagging with GDB .text:00056140 INTutil_uri_is_evil_internal: .text:00056140 ldsb [%o0], %o1 .text:00056144 mov 1, %o3 .text:00056148 mov 2, %o4 .text:0005614C cmp %o1, 0 .text:00056150 be,pn %icc, loc_561F4 .text:00056154 mov %o0, %o5 .text:00056158 mov %o2, %o0 .text:0005615C mov 0, %o2 .text:00056160 cmp %o1, 0x2F .text:00056164 .text:00056164 loc_56164: .text:00056164 bne,a %icc, loc_561DC (gdb) x/8s $o0 0x97f030: “/iplanet/servers/TEST_STRING” 0x97f064: "ervers/docs" 0x97f070: "/usr/local/iplanet/docs" 0x97f090: "" 0x97f091: "\227ð\230" 0x97f095: "" 0x97f096: "" 0x97f097: "" TEST_STRING

  42. Using TRUSS on Solaris # truss -u *:: -vall -xall -p 2307 2>&1 | grep –v read | grep –v poll The 2>&1 tag is required since truss does not deliver all of it’s data on the stdout pipe. The output of the command will look something like: /67: <- libns-httpd40:__0FT_util_strftime_convPciTCc() = 50 /67: -> libns-httpd40:__0FT_util_strftime_convPciTCc(0xff2ed342, 0x2, 0x2, 0 /67: <- libns-httpd40:__0FT_util_strftime_convPciTCc() = 0xff2ed345 /67: <- libns-httpd40:INTutil_strftime() = 20 /67: -> libns-httpd40:INTsystem_strdup(0xff2ed330, 0x9, 0x41, 0x50) /67: -> libns-httpd40:INTpool_strdup(0x9e03a0, 0xff2ed330, 0x0, 0x0) /67: -> libc:strlen(0xff2ed330, 0x0, 0x0, 0x0) /67: <- libc:strlen() = 20 /67: <- libns-httpd40:INTpool_strdup() = 0x9f8b10 /67: <- libns-httpd40:INTsystem_strdup() = 0x9f8b10 /67: <- libns-httpd40:time_cache_curr_strftime_logfmt() = 0x9f8b10 /67: -> libc:strcpy(0xf7400710, 0x9f8b10, 0x0, 0x7efefeff) /67: <- libc:strcpy() = 0xf7400710 /67: -> libc:strlen(0xf7400710, 0x9f8b28, 0xf7400710, 0x0) /67: <- libc:strlen() = 20 /67: -> libc:strlen(0x9f4f48, 0x34508f, 0x0, 0x7efefeff) /67: <- libc:strlen() = 25

  43. Win32 hook on strcpy

  44. If there is code for it… • What if? • Assume filters fail • Assume API call input can be controlled • Map the capability of every DLL • Controlled by process permissions and access control

  45. Every DLL that calls SetSecurityDescriptorDACL

  46. User Input • What can the user directly control in terms of API calls? • Authentication calls • Filesystem • Database • Command shell

  47. Remote Capability • Do any of the native calls operate over the network? • Domain specification • Data source specification • Ip address • NTFS Path name

  48. Authentication • Response aggregation • User/password enumeration when errors differ • No lockout • Brute force • Failed logging • Alternative requests • Can you specify a remote domain or target? • Proxied attacks

  49. Filesystem • Can you control a filesystem path • What is the entire set of characters? • Can you create files in a target directory • Create files that will be interpreted in a server context • Can you use remote pathname • //machine_name/etc

More Related