Lecture 12 Protection Thierry Sans 15-349: Introduction to Computer

advertisement
Lecture 12
Protection
Thierry Sans
15-349: Introduction to Computer
and Network Security
Protecting Programs
➢
How to lower the risk of a program security
faw resulting from a bug?
•
During development
•
•
Writing safer code
Good practices in software engineering
During the execution
•
Protection of memory
•
Protection of fles
•
Protection of the kernel
The OS as a shield
Part 1: During the development
➢
Writing safer code
•
The choice of the programming language
•
Modularity, encapsulation, and information hiding
•
Confnement
•
Philosophy of good programming practices
•
Testing and penetration testing
•
Static analysis
•
Formal methods for software engineering
Safe Programs
➢
➢
[Cervesato]
Do not crash
•
Even without confnement in protected memory
•
Cannot corrupt even their own memory
Cannot access arbitrary addresses
•
Otherwise it could open the door to attacks
The choice of the programming language [Cervesato]
➢
Safe programs can be written in any language,
but
•
Some languages allow writing only safe programs
Safety usually ensured by type checking
•
•
Some languages isolate potentially unsafe code
•
•
Pure Lisp, pure Java, ADA, ML
Modula-3, Java with native methods, C#
Some languages are hopeless
•
Assembly languages, C
Choosing safer libraries
➢
If you choose (or have to) write a program
using unsafe programming language then
•
Use safe libraries (which are NOT the standard
libraries most of the time)
Stack-smashing protection
➢
Checking that the stack has not been altered
when a function returns
•
•
•
If it has been altered, the program exits with a
segmentation fault
Verifcation embedded into program by the
compiler
Examples of such systems are:
•
Libsafe
•
StackGuard
•
ProPolice (gcc patches)
•
Microsoft's Data Execution Prevention
Good practice in software engineering
➢
Things that you learn in software engineering
are good for:
•
Designing complex application
•
Reusing code
•
Maintaining the program throughout its life cycle
•
Security
Modularity, encapsulation, information hiding
➢
Modularity
•
•
➢
➢
Have separate modules for separate functionalities
Easier to fnd security faws when components are
as independent as possible
Encapsulation
•
Hiding implementation details to other components
•
Limits the interaction between the components
Information hiding
•
Black box model
Has been verifed
wrong in practice
Be a “security aware” software designer
➢
When writing a program
•
•
•
Check the inputs, even between components that
belongs to the same application (mutual
suspicion)
Be “fault tolerant” by having a consistent policy
to handle failure (managing exceptions)
Reuse known and widely used code by using
design patterns and existing libraries
Testing and Penetration testing
➢
“Regular” tests
•
➢
Check the functionalities of the program
What the program is expected to do
•
Unit test
•
Integration test
•
Performance test and so on ...
Penetration tests
•
Try to make the software fail by pushing the
limits of a “normal” usage
What the program is not suppose to do
•
Lecture 16: Security Assurance
Formal methods for software verifcation
➢
Static analysis
•
Analyzing the code to detect security faws
•
•
➢
Control fow structure: analyzing a sequence of
instructions
•
Data fow structure: analyzing how the date are accessed
•
Data structure: analyzing how data are organized
We have mature techniques now
Abstract interpretation [Cousot]
•
Verifcation of critical embedded software in Airbus
aircrafts
Formal methods for software engineering
Mathematical description of the problem
More or less automated
Refnement steps
Proof of correctness
Better if the code is
generated automatically
Executable code
or hardware design
... remember 15-312 :)
Formals methods in the “real life”
➢
Formal methods are not in research labs only
but they are used for real applications
•
Hardware design (VHDL, Verilog)
•
•
Used by semi-conductor companies such as Intel
Critical embedded software (B method, Z)
•
Used for public transportation system design by Alstom
... to be completed.
Advantages and Drawbacks
➢
Nothing better than a mathematical proof
•
➢
Development is time and effort (and so
money) consuming
•
➢
A code “proven safe” is safe
Should be balanced with the time spent on testing
and on maintaining the code (patches) developed
with “traditional” methods
Do not prevent from specifcation bugs
•
Example: network protocols
Part 2: During the execution
➢
The OS as a shield
•
Protecting the memory
•
Confned execution context
•
Protecting the kernel system calls (Syslog)
•
Protecting the fles (access control)
Memory and address protection
➢
Idea
•
•
•
Programs (and data) used the same address
space
So, they should not access memory addresses
that has not been allocated to them
Therefore, as soon as a program tries to access
to an authorized memory address, an exception
should be raised
•
The well known “segmentation fault”
Segmentation
Idea: Cutting the program into pieces (segments) that can
be located dynamically wherever in the memory (useful for
caching)
Security: A program can access a segment only if it appears
in the segment table
Segmentation (and paging)
➢
Good because ...
•
➢
If a program “goes crazy” it cannot affects the
memory used by other programs
But still not enough :(
•
A shell code can be inserted in the same segment
(Buffer overfow attacks)
Tagged Architecture
Idea: Tagging memory cells as data or
instructions during execution
Security: Data in a buffer cannot be turned
into a instructions like in buffer overfow
attacks
Requirements: A processor implementing
this tagging mechanism and an OS using it
Intel XD (EDB) or AMD64 NX (EVP)
+ Windows Vista
Relocation and encryption
➢
Randomize stack location and/or encrypt
return address on stack by XORing with
random string
•
•
Attacker won’t know what address to use in his
string
Implemented in Windows Vista
Confned execution environment: Sandbox
➢
Idea
•
➢
A sandbox is tightly-controlled set of resources
for untrusted programs to run in
Examples
•
Web applets
•
Java applets
•
Flash applets
•
Linux's chroot
•
Virtual machines
Intrusion Detection and/or Prevention System
➢
SYSLOG: monitoring kernel system calls
•
•
Hybrid approach of intrusion detection
•
Signatures
(well known programs)
•
Learning behaviors
(unknown programs)
Prevention mode
•
•
Can block suspicious system calls
Vulnerable to malicious programs residing in the
kernel: rootkits
Conclusion
➢
What is your conclusion?
Tip of the day
➢
As a user, what should I do?
•
➢
Be updated! (not to hard nowadays)
As a system administrator, what should I do?
•
•
•
Be aware of security alerts (CERT)
Be updated (for minor software patch and
update)
When a major new version appears, wait for
security experts, hackers and users to shake it
before adopting it
Download