Program Security I
Tom Kelliher, CS 325
Sept. 26, 2011
Project 1 discussion.
- Secure programs.
- Non-Malicious program errors.
- Viruses and other malicious program errors.
Program security II.
- At this level, we're addressing how a program handles security
itself, not assistance it receives from the OS or other, external, security
- What do we mean when we say a program is secure?
- Requires much effort and time to cause a failure.
- Program has been in use for a long time with no failures.
- No faults and, therefore, no failures.
- Meets the level of security specified in the requirements.
- Other measures?
Programmer had no malevolent intent. Perhaps just ``clueless.''
- General idea:
- Overflow a buffer with a code segment.
- Segment overwrites existing code, a return address, etc.
- Original program runs your code as whatever user.
- You now have the privileges of that user.
If root, it's time to party.
- How an we mediate this type of an error?
- Unvalidated, unchecked data values.
- Garbage input values can lead to a program entering an invalid state,
crashing, etc., resulting in denial of service.
Several years ago, numerous standard Unix tools were fed garbage data.
Nearly all crashed.
- Data values are checked and validated, but can be changed before use.
- General idea:
- Submit data that will validate.
- Validation begins and completes.
- Change data.
- Use data.
- Client/Server interactions where client-side does validation.
What prevents a hacker from accessing the server interface directly?
- Internal validation in which there is a delay between validation
and use with the data left accessible.
Example: bank account transactions queued up on a linked list prior to
being applied to the database.
- Result: Gain arbitrary unauthorized access.
- Prevention: Copy data to a secure location; validate and use from
Example: OS kernel copies system call parameters to its own memory space
before validating and using.
Programmer did have malevolent intent.
- Where does this stuff come from?
- Potentially, any executable or source file you download.
- Viruses, spyware.
- Hacked open source repositories.
- Virus: Attaches itself to executable and begins propagating.
- Trojan horse: Contains unexpected functionality.
Innocent example: ``easter eggs.''
- Logic bomb: Activates when certain condition achieved.
- Time bomb: Activates at certain time.
- Trapdoor: Allows unauthorized access.
- Worm: Propagates through network.
- Rabbit: Massive replication, leading to resource exhaustion and
- Root kits. Hide malevolent activity with ``patched'' versions of
standard system utilities, such as
- The Morris worm.
- First Internet worm, unleashed Nov. 2, 1988.
- Not created to ``cause damage,'' but a program flaw caused this to
become a ``rabbit,'' resulting in severe DOS problems.
- Written by Robert Tappan Morris at Cornell; released at MIT for
purposes of disguise. Morris is now an assoc. prof. at MIT.
His father worked for the NSA.
- Exploited flaws in 4 BSD:
- Tried to match encrypted passwords in
through a brute force attack on ``common'' passwords, then words in a
Fixes: Use of shadow password file; password salts; enforced use of
- Buffer overflow in
- Debug trapdoor in
sendmail -- allowed command
execution. At that time,
sendmail commonly ran as root!
- Trusted hosts in
- Overview of infection mechanism, assuming a shell is running on
target machine, or source machine has established an SMTP connection to
target and is transmitting commands:
For details, see
- Establishment of bootstrap on target machine:
- Break-in via
- Commands sent to
sendmail in DEBUG mode.
- Open socket on infecting machine for bootstrap to connect to.
- Bootstrap code connects to source machine (server) and
It retrieves binary copies of the server code for Sun and VAX
architectures as well as source code.
- Across network connection, server would attempt to infect
target. If successful, it would disconnect. If unsuccessful, it
would remove evidence and disconnect.
- The newly-created worm on the newly-infected host hides
- Worm now attempts to determine host connectivity, through use
netstat and reading system host files.
- Worm chooses a set of hosts to attempt to infect.
- Worm attempts to infect other hosts, using:
fingerd's input buffer, causing
execve("/bin/sh", 0, 0) to execute on VAXen.
- Use the
- Attempt to find easy hosts to connect to, searching for
.rhosts, etc. files.
- Tried password attacks. This, in conjunction with
.forward files would lead to likely new
hosts to infect.
Thomas P. Kelliher