Software Security

1
Software Security

• Ben Hubbard
• Jason Fletcher
• Szabolcs Palinko
• Amit Tambe
• Ryan Smith
• Keith Gargano

2
Overview

• Discussion
• Data Validation
• General Errors
• Input Sanitation
• Parameter Manipulation
• Code Injection
• Bounds and Type Checking
• Specific Exploits
• Buffer Overflows
• Cross Site Scripting (XSS)
• SQL Injection
• Prevention
• Demonstrations
• Conclusion

3
Discussion

• What causes exploits?
• Failure to meet requirements
• Omissions
• Errors, poor quality assurance
• Etc.

4
Data Validation

• Process of ensuring that a program operates on
  clean, correct and useful data
• Most vulnerabilities are a result of poor data
  validation techniques

5
Data Validation Errors

• Input Sanitation
• Bounds and Type Checking

6
Input Sanitation

• Failure to filter user input
• Leads to Parameter Manipulation and Code Injection

7
Parameter Manipulation

• Ability for input from a form to be changed
• Example
• http//www.example.corsaire.com/buySpatula.jsp?mod
  elNumber234
• http//www.example.corsaire.com/buySpatula.jsp?mod
  elNumber234price0.1

8
Code Injection

• Subverting input so that data is interpreted as
  commands
• Basis of SQL injection and Cross-site Scripting

9
Bounds and Type Checking

• Insuring that any value safely handles input
  outside of expected values
• Expecting positive integers from 1 to 10, getting
  -1
• Expecting an integer, getting a decimal number

10
Vulnerability Examples

• Buffer Overflow
• Cross-site Scripting (XSS)
• SQL Injection

11
Buffer Overflows

• Injecting more data than a particular abstract
  container can hold, and then that data spilling
  over into places it should not be in order to
  cause changes to the system
• Example of Bounds Checking

12
Buffer Overflows

• OS Specific
• Famous example strcpy
• Copies data from a source string to a destination
  string without verifying the size of the
  destination string is large enough to hold the
  data
• Replaced with strncpy
• Strcpy still supported for legacy code
  compatibility

13
Cross-site Scripting (XSS)

• Dynamic web pages can be produced based on user
  input
• Users can input scripts into input sources, thus
  allowing malicious code to be run on a trusted
  site
• Example of Code Injection

14
Cross-site Scripting (XSS)

• http//www.bbc.co.uk/bbcone/listings/index.shtml?s
  ervice_id4223DAYtoday20223E3Cscript20srch
  ttp//www.securitylab.ru/test/sc.js3E3C/script3
  E3C!--

15
Cross-site Scripting (XSS)
16
SQL Injection

• Inserting SQL statements into user input to have
  those commands executed by the database
• Example of Code Injection
• Integration between database and OS allows
  execution of OS commands

17
Prevention

• Reject bad data, accept only known good data
• Regular expressions
• Test all bounds
• Black box testing
• Thorough Quality Assurance

18
Prevention

• Buffer Overflows Use methods that inspect input
  size, manually inspect each input for
  correctness, random addressing
• XSS Disable scripting languages, filter
  characters
• SQL Injection Sanitize user input, use bound
  parameters prepared statements

19
Demonstrations

• IE Buffer Overflow Jamikazu Attack
• Firefox Buffer Overflow
• Metasploit Framework

20
Conclusion

• www.milw0rm.com
• www.metasploit.org