ch12phanmem
DESCRIPTION
TRANSCRIPT
- 1. Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 12 Software Security
- 2. Software Security
- C nhiu l hng l kt qu ca vic lp trnh u
-
- Nh trong 10 li an ninh ng dng Web m c 5 li lin quan n thiu st ca phn mm
- Thng thng do khng kim tra/kim chng k u vo chng trnh
- Khng c h thng cnh bo l iu nghim trng
- 3. Cht lng v an ton phn mm Software Quality vs Security
- Cht lng v tin cy phn mm
-
- Li s c ca chng trnh
-
- T u vo khng ph hp ngu nhin v l thuyt
-
- Tng cng s dng kim tra v thit k c cu trc
-
- Khng phi c nhiu li, nhng c thng xuyn c nguy c kch hat khng
- An ton phn mm cng lin quan
-
- Nhng k tn cng chn s phn tn ca u vo, c bit nhm ti cc li code khai thc
-
- c kch hat thng xuyn bi u vo khng hp l
-
- Nhng kim tra thng thng khng pht hin c li
- 4. Lp trnh bo v Defensive Programming
- L dng thit k bo v m bo cc chc nng lin tc ca phn mm trnh khi vic s dng khng lng trc
- Yu cu ch n mi kha cnh ca vc thc hin chng trnh, mi trng v x l d liu
- Cng c gi l lp trnh an ton
- Khng tha nhn iu g, phi kim tra mi li c th
- Khng ch tp trung vo gii bi tan cho trc
- Cn kim chng mi gi thit
- 5. M hnh chng trnh tru tng Abstract Program Model
- 6. Security by Design
- Thit k tin cy v an ton l ch ca nhiu ngnh cng ngh
-
- X hi khng khoan dung vi cc li nh v cu, nh,
- Pht trin phn mm cha phi l hon thin
-
- Nhiu li mc cao ang cn c khoan dung
- Tuy c nhiu tiu chun cht lng v pht trin phn mm
-
- Tp trung chnh l vng i pht trin chung
-
- Tng cng xc nh nguy c an ninh l mc tiu chnh
- 7. Kim sot u vo chng trnh Handling Program Input
- incorrect handling a very common failing
- u vo l mi ngun d liu t bn ngoi
-
- D liu c t bn phm, file, mng
-
- Cng nh l mi trng thc thi v d liu cu hnh
- Cn xc nh mi ngun d liu
- V gi thit v tnh ng n tng minh v kch thc v kiu gi tr trc khi s dng
- 8. Input Size & Buffer Overflow
- Thng c gi thit v kch thc b m
-
- Nh u vo ca NSD ch l dng vn bn
-
- Tun th kch thc b m nhng qun kim tra kch thc
-
- Kt qu lm trn b nh m
- Kim tra c th khng xc nh c l hng
-
- V ch tp trung vo u vo thng thng, mong i
- Lp trnh an ton coi mi u vo u nguy him
-
- Nn cn phi x l nh mt chng trnh bo v
- 9. Thng dch u vo Interpretation of Input
- Chng trnh c th dng nh phn hoc vn bn
-
- Thng dch nh phn ph thuc vo m thng thng l ng dng chuyn bit
-
- Vn bn c m trn tp cc k t nh ASCII
-
- Vic quc tn ha c nhiu phng n khc nhau
-
- Cng cn c kim chng thng dch trc khi s dng
-
-
- Nh filename, URL, email address, identifier
-
- B qua kim tra c th dn n l hng bng n
- 10. Tn cng ni x Injection Attacks
- Cc thiu st lin quan n kim sot u vo khng hp l m nh hng n vic thc thi chng trnh
-
- Thng thng c truyn nh tham s ca chng trnh tr gip hay tin ch khc hoc h thng con
- Thng xy ra trong cc ngn ng kch bn
-
- H tr ti s dng cc chng trnh hoc modules khc
-
- Thng thng gp trong kch bn giao din ha chung (web CGI scripts)
- 11. Unsafe Perl Script
- 12. Safer Script
- Chng tn cng bng kim chng u vo
-
- So snh vi mu m t chi cc u vo khng hp l
-
- Xem an v d b sung trong an sau:
- 13. SQL Injection
- L mt tn cng ni x bng n rng ri khc
- Khi u vo s dng trong truy vn SQL n c s d liu
-
- Tng t nh ni x lnh
-
- Ni n cc siu k t SQL
-
- Cn kim tra v kim chng u vo cho chng
- 14. Code Injection
- L mt bin th khc
- u vo gm c code m sau thc thi
-
- Xem cc l hng ni x code PHP t xa
-
-
- variable + global field variables + remote include
-
-
- Kiu tn cng ny c khai thc rng ri
- 15. Tn cng qua Site Scripting
- Tn cng khi u vo t mt NSD sau l u ra ca mt NSD khc (XSS)
- XSS thng c thy trn trang ng dng Web dng ngn ng kich bn
-
- Vi script code t trong u ra ti browser
-
- Mi script c h tr, nh Javascript, ActiveX
-
- Coi nh n t ng dng trn site
- XSS reflection
-
- Code c hi t site
-
- Ko theo xut hin cho cc NSD khc
- 16. XSS Example
- cf. guestbooks, wikis, blogs etc
- Ni c cc nhn xt cha script code
-
- Nh thu thp chi tit cookie ca NSD ang xem
- Cn kim chng d liu c cp
-
- Bao gm vic kim sot mi on m khc nhau c th
- Tn cng c vic kim sot u vo v u ra
- 17. Kim chng c php u vo Validating Input Syntax
- tin tng d liu u vo tha mn gi thit
-
- Nh in c, HTML, email, userid,
- So snh vi nhng ci chp nhn bit
- Khng phi ch ti nhng nguy him bit
-
- C th b qua cc vn mi, phng php qua mt
- Thng thng biu thc chnh qui c s dng
-
- Mu m t cc u vo cho php
-
- Chi tit c th khc nhau gia cc ngn ng
- u vo ti s b t chi hoc cnh bo
- 18. D phng m Alternate Encodings
- C th c nhiu phng tin khc nhau cho cng vn bn m
-
- Ty thuc vo dng cu trc ca d liu, nh HTML
-
- Hoc thng qua vic dng mt s tp k t ln
- Unicode c s dng quc t ha
-
- Dng gi tr 16-bit cho k t
-
- UTF-8 m nh cc dy 1-4 byte
-
- C cc phng n d tha
-
-
- nh l 2F, C0 AF, E0 80 AF
-
-
-
- V vy kim tra ngn chn dng tn file tuyt i!
-
- Cn phi chun ha u vo trc khi dng
- 19. Validating Numeric Input
- C th c d liu th hin gi tr s
- Lu bn trong vi cc gi tr kch thc c nh
-
- Nh 8, 16, 32, 64-bit integers or 32, 64, 96 float
-
- signed or unsigned
- Cn phi thng dch dng vn bn ng
- V sau x l thch hp
-
- C phn so snh du v khng du
-
- Nh khng du dng ln l du m
-
- C th dng do thm kim tra trn b m
- 20. Lm m u vo - Input Fuzzing
- Phng php kim tra mnh s dng phm vi ln cc u vo sinh ngu nhins
-
- kim tra chng trnh c x l ng vi cc u vo bt thng
-
- n gin, khng c gi thit, r
-
- h tr c tin cy v an ton
- C th dng nhp sinh ra cc lp u vo bit ca bi ton
-
- C th b st li, nn s dng cng ngu nhin cng tt
- 21. Writing Safe Program Code
- Phn sau lin quan n x l d liu bng mt thut ton no cho bi ton ang gii
- Dch ra m my hoc thng dch
-
- Thc thi vi cc lnh m my
-
- Thao tc d liu trong b nh v thanh ghi
- Cc vn an ton:
-
- Ci t thut ton ng
-
- Cc lnh m my ng cho thut ton
-
- Thao tc ng d liu
- 22. Correct Algorithm Implementation
- Vn pht trin chng trnh tt
- Kim sot ng mi phng n ca bi ton
-
- Nh li s ngu nhin ca Netscape
-
- c gi thit l khng on trc c nhng cha c
- Khi debug/test code li cng sn phm
-
- c s dng truy cp d liu hoc kim tra qua mt
-
- Nh Morris Worm khai thc sendmail
- Thng dch kim sot khng ng ng ngha
- V vy cn quan tm trong thit k v ci t
- 23. Ngn ng my ng Correct Machine Language
- Tin tng cc lnh my ci t ng chng trnh ca ngn ng bc cao
-
- Cc lp trnh vin thng b qua
-
- Gi s compiler/interpreter l ng
-
- Nh bi bo ca Ken Thompson
- i hi so snh m my vi ngun chnh gc
-
- Chm v kh khn
-
- c i hi cho cc chun chung cao EALs
- 24. Thng dch d liu ng Correct Data Interpretation
- D liu c lu dng bits/bytes trong my
-
- Nhm li thnh words, longwords,
-
- Thng dch ph thuc vo lnh my
- Ngn ng cung cp cc kh nng khc nhau cho vic s dng d liu kim chng v hn ch
-
- Ngn ng kiu mnh hn ch hn, nhng an ton hn
-
- Cc loi khc t do, linh hot v km an ton hn nh C
- 25. S dng ng b nh Correct Use of Memory
- Vn cung cp b nh ng
-
- s dng thao tc cc khi lng d liu cha bit
-
- Cp khi cn v gii phng khi dng xong
- Tht thot b nh nu gii phng khng ng
- Nhiu ngn ng c khng c h tr tng minh cho vic cp b nh ng
-
- Ngya c s dng cc hm th vin chun
-
- Lp trnh vin phi t xin cp v gii phng ng
- Cc ngn ng lp trnh hin i t ng cng vic ny
- 26. Tranh chp b nh chia s
- Khi nhiu threads/processes cng truy cp d liu v b nh chia s
- tr khi truy cp ng b, c th lm sai lch hoc mt d liu v truy cp chng cho nhau
- V vy s dng cc thoa tc c bn ng b thch hp
-
- La chn v dy ng c th khng hin nhin
- C vn b tc (deadlock) trong truy cp
- 27. Interacting with O/S
- programs execute on systems under O/S
-
- mediates and shares access to resources
-
- constructs execution environment
-
- with environment variables and arguments
- systems have multiple users
-
- with access permissions on resources / data
- programs may access shared resources
-
- e.g. files
- 28. Environment Variables
- set of string values inherited from parent
-
- can affect process behavior
-
- e.g. PATH, IFS, LD_LIBRARY_PATH
- process can alter for its children
- another source of untrusted program input
- attackers use to try to escalate privileges
- privileged shell scripts targeted
-
- very difficult to write safely and correctly
- 29. Example Vulnerable Scripts
- using PATH or IFS environment variables
- cause script to execute attackers program
- with privileges granted to script
- almost impossible to prevent in some form
- 30. Vulnerable Compiled Programs
- if invoke other programs can be vulnerable to PATH variable manipulation
-
- must reset to safe values
- if dynamically linked may be vulnerable to manipulation of LD_LIBRARY_PATH
-
- used to locate suitable dynamic library
-
- must either statically link privileged programs
-
- or prevent use of this variable
- 31. Use of Least Privilege
- exploit of flaws may give attacker greater privileges - privilege escalation
- hence run programs with least privilege needed to complete their function
-
- determine suitable user and group to use
-
- whether grant extra user or group privileges
-
-
- latter preferred and safer, may not be sufficient
-
-
- ensure can only modify files/dirs needed
-
-
- otherwise compromise results in greater damage
-
-
-
- recheck these when moved or upgraded
-
- 32. Root/Admin Programs
- programs with root / administrator privileges a major target of attackers
-
- since provide highest levels of system access
-
- are needed to manage access to protected system resources, e.g. network server ports
- often privilege only needed at start
-
- can then run as normal user
- good design partitions complex programs in smaller modules with needed privileges
- 33. System Calls and Standard Library Functions
- programs use system calls and standard library functions for common operations
-
- and make assumptions about their operation
-
- if incorrect behavior is not what is expected
-
- may be a result of system optimizing access to shared resources
-
-
- by buffering, re-sequencing, modifying requests
-
-
- can conflict with program goals
- 34. Secure File Shredder
- 35. Race Conditions
- programs may access shared resources
-
- e.g. mailbox file, CGI data file
- need suitable synchronization mechanisms
-
- e.g. lock on shared file
- alternatives
-
- lockfile - create/check, advisory, atomic
-
- advisory file lock - e.g. flock
-
- mandatory file lock - e.g. fcntl, need release
-
-
- later mechanisms vary between O/S
-
-
-
- have subtle complexities in use
-
- 36. Safe Temporary Files
- many programs use temporary files
- often in common, shared system area
- must be unique, not accessed by others
- commonly create name using process ID
-
- unique, but predictable
-
- attacker might guess and attempt to create own between program checking and creating
- secure temp files need random names
-
- some older functions unsafe
-
- must need correct permissions on file/dir
- 37. Other Program Interaction
- may use services of other programs
- must identify/verify assumptions on data
- esp older user programs
-
- now used within web interfaces
-
- must ensure safe usage of these programs
- issue of data confidentiality / integrity
-
- within same system use pipe / temp file
-
- across net use IPSec, TLS/SSL, SSH etc
- also detect / handle exceptions / errors
- 38. Handling Program Output
- final concern is program output
-
- stored for future use, sent over net, displayed
-
- may be binary or text
- conforms to expected form / interpretation
-
- assumption of common origin,
-
- c.f. XSS, VT100 escape seqs, X terminal hijack
- uses expected character set
- target not program but output display device
- 39. Summary
- discussed software security issues
- handling program input safely
-
- size, interpretation, injection, XSS, fuzzing
- writing safe program code
-
- algorithm, machine language, data, memory
- interacting with O/S and other programs
-
- ENV, least privilege, syscalls / std libs, file lock, temp files, other programs
- handling program output