lectures.alex.balgavy.eu

Lecture notes from university.
git clone git://git.alex.balgavy.eu/lectures.alex.balgavy.eu.git
Log | Files | Refs | Submodules

Lecture 5_ application security - simple attacks.md (4449B)

      1 +++
      2 title = "Lecture 5: application security - simple attacks"
      3 +++
      4 
      5 # Lecture 5: application security - simple attacks
      6 ## Buffer overflow
      7 
      8 Example program:
      9 
     10 ```c
     11 #include <stdio.h>
     12 #include <string.h>
     13 void hello(char *name) {
     14     char buf[16];           # limited space
     15     strcpy(buf, name);      # no limit on copied data => buffer overflow
     16     printf("hello %s\n", buf);
     17 }
     18 int main(int argc, char **argv) {
     19     hello(argv[1]);
     20     return 0;
     21 }
     22 ```
     23 
     24 Three types of memory:
     25 - stack: stores local (non-static variables)
     26 - heap: stores explicitly allocated memory (malloc, new)
     27 - global: memory stores global and static variables
     28 
     29 In the example, `buf` is on the stack.
     30 
     31 Stack frames:
     32 - functions reserve part of stack for own use ("stack frame")
     33 - stores variables, frame pointer (caller's stack frame), return address, saved registers
     34 - stack pushed to at call, popped from at return
     35 - stack grows downward (high address to low address, pushes decrement the stack pointer by words (8 bytes))
     36 
     37 The buffer overflow in the example overwrites the return address, so the program fails when jumping to an invalid address.
     38 
     39 Terminology:
     40 - fault: incorrect step, process, or data definition in program
     41 - error: difference between computed/observed/measured value and true/specified/correct value (in example, corrupted return address and/or frame pointer)
     42 - failure: inability of system/component to perform required function within specified performance requirement
     43 - vulnerability: faults with security impact (in example, missing size check before `strcpy`)
     44 - exploit: passing input to program that triggers vulnerability (in example, argument of length >15)
     45 - exploit impact: denial of service (breaks availability), privilege escalation (breaks confidentiality and/or integrity)
     46 
     47 ## Local privilege escalation
     48 Local attacks: attacker can already execute code, privileges are restricted -- you want to impersonate another user with higher privileges
     49 
     50 UNIX permissions:
     51 - read (for directory, listing)
     52 - write (for directory, creating/deleting files)
     53 - execute (for directory, access files)
     54 
     55 Files are owned by a user and group.
     56 Three sets of permission bits for user, group, and others.
     57 
     58 Process:
     59 - container for state of running program
     60 - state includes user on whose behalf it runs (UID and GID)
     61 - process can access files based on user
     62 - process owner starts with shell for user who logged in, child process inherit user
     63 
     64 Impersonation:
     65 - sometimes user needs to legit access a secure file
     66 - setuid/setgid bits: program runs on behalf of file owner
     67 
     68 Setuid process has multiple UIDs:
     69 - effective: used for privilege checks, changed by setuid
     70 - real: actual user, not modified by setuid
     71 - saved: lets process return to old UID
     72 
     73 For local attacks, you usually target setuid root binaries, or operating system kernel.
     74 
     75 ## Simple attacks
     76 Program behavior depends on
     77 - code being run (well-configured system shouldn't let attackers supply code)
     78 - data being processed (commonly supplied by attacker)
     79 - environment where program runs (security policies, attacker able to change config?)
     80 
     81 Performing an attack:
     82 - find a target: privileged code we can manipulate, look for vulnerabilities
     83 - deployment vulnerabilities: privilege level, file access, etc
     84 - implementation vulnerabilities: incorrect input/error handling, wrong assumptions on order of execution
     85 
     86 environment attacks:
     87 - programs run inside processes
     88     - fork() starts a clone of the process, replace the program using execv().
     89     - easier ways: system() to run command string using shell, popen() also creates pipe to communicate with new program, execvp() looks up program using \$PATH
     90 - the easier ways depend on the environment, which can be attacked (change \$PATH, \$HOME, inject commands/arguments, etc).
     91 - solutions:
     92     - always watch out with user input: sanitize it, fail on unexpected inputs
     93     - escaping: make sure special characters are processed as regular characters
     94 
     95 file system attacks:
     96 - symbolic links allow a file to point to another file
     97 - program may open file without checking that it's a symbolic link
     98 - if it's setuid, you end up with privilege escalation
     99 
    100 race conditions: time-of-check to time-of-use attack (what if permission at time of use differs from time of check? e.g. symlink changes)
    101 
    102 principle of least privilege:
    103 
    104 > Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.