Software Quality and Information Security.ppt

Uploaded by: xt****7  Document ID: 4017811  Upload date: 2019-12-30  Format: PPT  Pages: 44  Size: 206.05KB
Software Quality and Information Security
黃世昆 (Shih-Kun Huang), Department of Computer Science and Information Engineering, Chiao Tung University

Outline
Background
Software Attack Basic
Software Process Vulnerability
Software Exploitability
Dynamic and Static Defense
Conclusion

Software Engineering and Worms
1968: conference on software crisis after IC invention (with more complex software)
1988, Nov 2: Internet Worm
2001, July 19: Code Red Worm (after 1988)
2003, Aug 11: Blaster Worm (impact MS)
2005: Worms Anywhere and Anytime
Microsoft software auto-updates more frequently

Software Attack Basic

The Strength of Cryptography
128-bit keys mean strong security, while 40-bit keys are weak
triple-DES is much stronger than single DES
2,048 RSA is better than 1,024-bit RSA
lock your front door with four metal pins, each of which in one of 10 positions
There will be 10,000 possible keys, almost impossible to break in

NO Strength of Cryptography
Burglars won't try every possible key or pick the lock
They smash windows, kick in doors, and use a chainsaw on the house wall
Most of us design, analyze and break cryptographic systems
Few try to do research on published algorithms, protocols and actual products

From Bruce Schneier
We don't have to try every possible key or even find flaws in the algorithms.
We exploit errors in design, errors in implementation, and errors in installation.
Sometimes we invent a new trick to break a system, but most of the time we exploit the same old mistakes that designers make over and over again.

Security Attack
Dynamic event: occurs during the execution of a piece of software
Attack made possible:
  weaknesses must exist in the system
  a sequence of weakness-exploiting input signals to the system is required

Threat
threat: an agent outside of a software system to exploit a vulnerability through attacks

Vulnerability
potential defect or weakness in an information system
knowledge required to exploit the defect

State Space Vulnerability
System state: current configuration of the entities in the system
Authorized or unauthorized state: given initial state, using a set of state transitions defined by security policy
Vulnerability state: authorized state from which an unauthorized state can be reached using authorized state
Compromised state: the authorized state above
Attack: begins in vulnerability state

State Space Attack
(Diagram labels: Vulnerability State, Authorized State, compromised by the attack, Unauthorized State, Attack)

Exploitation of Software System Defects
Differences across the software development process
State overwrite (Y2K, malicious buffer overflow)
Design and implementation weaknesses of cryptographic modules
Security of executable content (Web/Internet Platform Security)
Exploitation of defects in network server application software

Software Process Vulnerability
Imprecise Requirement Specification
Design Vulnerability
Implementation Flaws
Mismatch between development and run-time environment
Improper Configuration and Application

Software Attacks
Implementation flaws: Buffer Overflow Attacks
  Stack Overflow
  Heap Overflows
  Data Segment, Shared Memory Segment
Environment mismatch: Type System Attacks
  type containment not sound
  mismatch between dynamic loaded library and actual arguments

Buffer Overflow Attacks
Internet Worm: fingerd, Nov 2, 1988
Overflow the buffer of a remote daemon or a setuid program
  inject malicious machine code into the program's address space
  overwrite the return address of some function
Lack of a good string or buffer data type in C, and misuse of the standard C library's string functions

Overflow Attack Made Possible whenever
Software fault (bugs) not removed
Deviation between process transition (inter-process), and
Phase inconsistency between analysis, design, implementation and application

Inter-process inconsistency
communication flaws when requirement analysis
language type inconsistency when program implementation
improper configuration when in application

Security Problems Caused by Environment Differences
Defective software
Defective software environment
Differences between the compilation environment and the libraries
Differences between the execution environment and the development environment

Web security and Type system attack
Problems:
  Interface Compatibility
  Semantics of linking differed between distributed environment
  Semantic Gap between security protocols and implementation

Environment Transition
Restriction: A program can only change its type context to a new type context in a way such that the new context is a consistent extension of the original context
Component Composition: what is the consistent extension of component environment?

Security Problems Related to Software Quality
System Exploitability: the system can be compromised from an authorized state to any unauthorized states
Any system exploitable? How to exploit it?
Any system failure exploitable? How to do it?
If the crash site detected, is the system exploitable? How to do it?
If the corrupt site detected, is the system exploitable? How to do it?

Imagination
We don't have solutions to the above problems, but can have a partial exploitation method with constraints
Once I captured Microsoft Windows crash site information, a computer-aided exploitation tool can be employed to test it
To the bad: Once any Windows AP failed and was caught, Microsoft will sit on thorns (remember the RPC flaw, the Blaster worm, and the Sasser Worm)
To the good: We can better understand the system failures

Thoughts
Though most COTS software has been tested, there are still vulnerabilities inside that cause the software to crash, or even to be exploited
We may find the root cause of the vulnerabilities from the crash site

Security Breach due to Quality Problems
Programs crash occasionally
  Vulnerabilities inside cause the program to crash
  To find if we can exploit this crash
  Could runtime execution auditing be helpful to exploit this crash?
Instance: crash due to stack and heap overrun
  The situation of stack overrun still exists
  Detect these situations systematically
  Possible to develop exploitive attacks in general

Crash-Only Software
Software is destined to fail
  We can prove the existence of a bug
  We cannot prove the nonexistence of all bugs
Software Bugs: Faults and Failures
  Faults: not conform to system specifications
  Failures: control flow crash, indefinite hang, panic resource access
Exploitability Testing: to test if crash-type failures are exploitable

Steps for Exploitation
Phase I: how to lead the program to crash
  Idea: using the test driver to feed the input data systematically
  Brute force testing using instrument tool
Phase II: Is the crash site caused by buffer overrun?
  Crash Site Approximation: find out the crash site as precisely as possible
Phase III: How to exploit
  Dealing with non-executable stack and one-byte overrun
  Forging Payload

Searching for Vulnerabilities
Tracing tool: truss in Solaris, strace in Linux, FileMon, RegMon in Windows
  Watching the program interacting with OS
Debuggers
Guideline-Based Auditing
  Watching for difference with design document or spec
Sniffers
  Watching the interaction between the server and client
nm, objdump

Using Disassembler
1. disassemble
2. watching for referencing to vulnerable library functions. If found then go to 5
3. search for "sub esp" (find local variable). If found then go to 5
4. look for heap overflows and logic errors
5. figure out how to get execution into your vulnerable function

What do we need
Execution path to vulnerable function
  Crash site approximation by stack checkpoint
Where is the malicious input
  I/O interception by system call wrapper
  Input Pollutant Tracer
Buffer size
Exploit payload

Corrupt Site Detection: Considerations
Limitation of debugger (such as gdb): cannot get the call stack from the core file if the crash is caused by corruption of call stack (EBP, return)
We could use tools to checkpoint the call stack periodically to discover whether buffer overrun occurs

Corrupt site and Crash site
(Diagram: Function C calls Function B, and Function B calls Function A. Function A(input) declares char buf[10] and contains statements that corrupt the stack, sprintf(buf, "%s", input), followed by further operations. Labels: Corrupt Site, Crash Site, "Function crash here".)

Corrupt Site Detection
(Diagram labels: normal, corruption, exception handler, crash; Kernel32, main; Kernel32, exception handler)
IDEA: stack invariant detection
1. In normal situations, call stack can be traced back to the main function
2. Invariant Violation: can't be traced back to main
   Stack corrupted or interrupted, or enter exception handler
Consideration
1. The process of corruption won't be too long
2. It is a challenge to fine-calibrate the granularity of stack checkpoint
3. Another solution: function call wrapper

COTS Software Security: Related Works
Anomaly Detection Using Call Stack Information, IEEE S&P '03
HEALERS: A Toolkit for Enhancing the Robustness and Security of Existing Applications, IEEE DSN 2003
Run-Time Detection of Heap-based Overflows, USENIX LISA 2003

Related Work
Instrumenting
  StackGuard: A compiler for stack protection from smashing attacks
  ProPolice: GCC extension for protecting from stack-smashing attacks
  StackShield: A "stack smashing" technique protection tool for Linux
Fat pointers
  Cyclone: A Safe Dialect of C
  CCured: A source-to-source translator for C to prevent all memory safety violations

Related Work
Purify: memory corruption and leak detection
Valgrind: a memory debugger
Bidirectional Debugging
  Bitan Biswas and R. Mall, Reverse Execution of Programs, ACM SIGPLAN Notices, Apr. 1999
  Bob Boothe, Efficient Algorithms for Bidirectional Debugging, PLDI 2000

StackGuard
canary
random canary
terminator canary

StackShield
Global ret stack
  array of 256 entries
  saved return addr when function call
  overwrite when function return
Ret range check
Protection of function pointer
  a global variable as boundary address

ProPolice
Rearrange local variables

Libsafe
wrap vulnerable function: strcpy, strcat, getwd, gets, scanf, realpath, sprintf
safe boundary

Libverify
adding return address check

Source level security auditing tools
RATS (Rough Auditing Tool for Security)
Locate potential vulnerabilities in C, C++, Python, PHP, and Perl
200 items

Software security has become an important topic in software engineering research.
Defective software is like a sturdy house fitted with a fragile glass window.
In stack overwrite attacks, smashing the stack is as easy as breaking doors and windows.
Once a cryptographic module has this flaw, no key length can keep the data locked.
A network service program with this weakness amounts to a wide-open network security hole.
If a system program has this problem, system security certification becomes meaningless as well.
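
The stack invariant check from the Corrupt Site Detection slides, modeled in C as an added example that is not part of the original deck: a simulated stack is checkpointed after each step, and the saved-frame-pointer chain stops leading back to main at the corrupt site, before any crash happens. The frame layout, the 64-word stack array and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define STACK_WORDS 64u
#define BUF_WORDS   10u          /* models `char buf[10]` from the slide */
#define FILL        0x41414141u  /* constructed filler standing in for input */

static unsigned mem[STACK_WORDS]; /* simulated stack, grows toward index 0 */
static unsigned sp, fp, main_fp;

/* Push a frame laid out as [locals][saved fp][return id]; return locals index. */
static unsigned push_frame(unsigned locals, unsigned ret_id) {
    sp -= locals + 2;
    mem[sp + locals] = fp;         /* saved frame pointer of the caller */
    mem[sp + locals + 1] = ret_id; /* stand-in for the return address */
    fp = sp + locals;
    return sp;
}

/* Stack invariant: the saved-fp chain leads from the current frame to main. */
static int chain_reaches_main(void) {
    unsigned cur = fp;
    for (unsigned i = 0; i < STACK_WORDS; i++) {
        if (cur == main_fp) return 1;
        unsigned next = mem[cur];
        if (next <= cur || next >= STACK_WORDS) return 0; /* not an older frame */
        cur = next;
    }
    return 0;
}

/* Checkpoint after every step; return the first failing step, or -1. */
int first_violation(unsigned input_words) {
    memset(mem, 0, sizeof mem);
    sp = STACK_WORDS; fp = 0;
    push_frame(0, 0); main_fp = fp;                        /* main */
    push_frame(0, 1); if (!chain_reaches_main()) return 0; /* Function C */
    push_frame(0, 2); if (!chain_reaches_main()) return 1; /* Function B */
    unsigned buf = push_frame(BUF_WORDS, 3);               /* Function A */
    if (!chain_reaches_main()) return 2;
    for (unsigned i = 0; i < input_words && buf + i < STACK_WORDS; i++)
        mem[buf + i] = FILL;            /* unchecked copy: the corrupt site */
    if (!chain_reaches_main()) return 3;
    return -1; /* invariant held; no crash would follow when A returns */
}

int main(void) {
    printf("10 words: %d, 12 words: %d\n", first_violation(10), first_violation(12));
    return 0;
}
```

Step 3 is the checkpoint taken right after the copy in Function A, so a result of 3 locates the corrupt site, which a debugger reading a core file after the later crash could not recover.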