(in)Security

Security

Recently...
What is it?
Buffer Overflow
Command Injection

Recently...

Datamaxxx filed a notice 2024/11/25

Past summer: Heritage Foundation, AT&T

Past year: UK MOD, Truist, Lulu, voting, Change Healthcare?

Recently...

February 2024: Change Healthcare (UnitedHealth) ransomware

Records Processing interrupted.

Related: 2017: Equifax Breach

These companies collect PII

Like SSN, Credit Cards, Payment History

big oof

What is it?

At the end of the day, it is correctness

Correctness: does the program behave how we want it to

Security prevents "undesired" behavior

Security is more than a bug

Security assumes an active and malicious adversary

Testing cannot solve this fully

Testing proves presence of bugs, not their absence (Dijkstra)

What is it?

Goals:

Of Attacker?

  • Break Confidentiality (read)
  • Break Integrity (write)
  • Break Availability (access)
  • Others?

What is it?

Goals:

Of us?

Raise Bar for Attacker

  • Too Difficult
  • Too Expensive
  • Lower ROI

What is it?

Why are attacks common?

Ultimately Money and Availability

Software is large: millions of LoC

Bugs are everywhere

Normal user never sees (or cares about) most bugs

Expensive to fix (prioritize major fixes)

Attackers look for bugs and try to exploit them

What is it?

Our Goal

Minimize undesired behavior

Think like attackers to prevent future attacks

Address bugs AND design flaws

Deeply understand the systems we use and build

  • Software
  • Hardware
  • Economics

Buffer Overflow

Buffer Overflow

Family of vulnerabilities which stem from a failure to check bounds

Consider the stack


/* vuln.c */
void other(){
  char password[5];
  char username[5];
  ...
}
...


Buffer Overflow

Buffer Overflow

Consider the stack


/* vuln.c */
void other(){
  char password[5];
  char username[5];
  ...
}
...


top of stack |_|_|_|_|_|_|_|_|_|_| bottom of stack
              ^ ^ ^ ^ ^ + + + + +

 /* ^ = username
    + = password
 */


Buffer Overflow

Buffer Overflow

Consider the stack


/* vuln.c */
#include <stdio.h>
#include <string.h>

void other(){
  char password[5];
  char username[5];
  strcpy(password,"pass");
  gets(username);   /* no bound: reads until newline, past the 5 bytes of username */
  ...
}
...


top of stack |X|X|X|X|X|P|A|S|S|\0| bottom of stack
              ^ ^ ^ ^ ^ + + + + +

 /* ^ = username
    + = password
 */


Buffer Overflow

Buffer Overflow

Consider the stack


/* vuln.c */
void other(int arg1){
  char password[5];
  char username[5];
  ...
}
...


top of stack |_|_|_|_|_|_|_|_|_|_|_|_|_| bottom of stack
              ^ ^ ^ ^ ^ + + + + + | | *

 /* ^ = username
    + = password
    | = saved ebp, eip
    * = args
 */


Buffer Overflow

Buffer Overflow

Basis for Heartbleed many moons ago

Basis for Morris Worm

Enforcing type safety can prevent it

Command Injection cannot be prevented with type safety

Command Injection

Command Injection: inject code as part of user input

Consider the following (Python)


import os

ui = input("enter a file to cat: ")
command = "cat " + ui      # user input is pasted straight into a shell command line
os.system(command)         # runs through /bin/sh, which parses ; | $() etc. in ui


Fix

  • Blacklist
  • Sanitize
  • Whitelist
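The whitelist fix applied to the slide's `cat` snippet, as an added example that is not part of the original slides: the file name must match an allowlist pattern, must resolve to a direct child of an assumed allowed directory, and is passed to `cat` as an argv element instead of a shell string. The sample file and directory names are constructed for the demo.

```python
import os
import re
import subprocess
import tempfile

# Whitelist (allowlist): plain file names only. Anything else, including shell
# metacharacters like ; | $ and path separators, fails to match and is rejected.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def is_safe_name(ui: str) -> bool:
    """True only if the whole input matches the allowlist pattern."""
    return SAFE_NAME.fullmatch(ui) is not None


def validate_filename(ui: str, allowed_dir: str) -> str:
    """Return the absolute path of `ui` inside `allowed_dir`, or raise ValueError."""
    if not is_safe_name(ui):
        raise ValueError(f"rejected input: {ui!r}")
    base = os.path.realpath(allowed_dir)
    path = os.path.realpath(os.path.join(base, ui))
    # Belt and braces: even a name that matched must resolve to a direct child of base.
    if os.path.dirname(path) != base:
        raise ValueError(f"path escapes allowed dir: {ui!r}")
    return path


def cat_file(ui: str, allowed_dir: str) -> str:
    """Fixed version of the slide's snippet: validated path, argv list, no shell."""
    path = validate_filename(ui, allowed_dir)
    # A list argv never passes through /bin/sh, so the input is an argument to cat,
    # never part of a command line that a shell parses.
    result = subprocess.run(["cat", path], capture_output=True, text=True, check=True)
    return result.stdout


def demo() -> str:
    """Create a scratch dir with one file (constructed sample) and cat it the safe way."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("hello\n")
        return cat_file("notes.txt", d)


if __name__ == "__main__":
    print(demo(), end="")
    for bad in ("notes.txt; ls", "../notes.txt"):
        try:
            validate_filename(bad, tempfile.gettempdir())
        except ValueError as e:
            print("blocked:", e)
```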