Computer Security: Lessons from the Morris Worm and Buffer Overflows, Study notes of Computer Science

A series of lecture notes from a computer and network security course taught by Professor Jaeger at Penn State University in fall 2006. The notes cover topics such as the Morris worm, engineering disasters, buffer overflows, and buffer overflow prevention. The Morris worm is discussed in detail, including how it disabled the Internet in 1988. Buffer overflows are also covered, with a focus on how they can be used to take over a host and install rootkits, use it as a spam bot, or launch other attacks. The document also discusses buffer overflow prevention techniques such as StackGuard.


Uploaded on 09/24/2009

koofers-user-d9h
CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger
CSE 543 - Computer Security
(Fall 2006)
Lecture 22 - Language-based security
November 16, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/


The Morris Worm

Robert Morris, a 23-year-old doctoral student at Cornell

Wrote a small (99-line) program

November 3rd, 1988

Effectively disabled the Internet

How it did it

Read /etc/passwd, then tried the obvious guesses and a dictionary (/usr/dict/words)

Used the local /etc/hosts.equiv, .rhosts and .forward files to identify related hosts

• Tried cracked passwords at related hosts (if necessary)

• Used whatever services were available to compromise other hosts

Scanned local interfaces for network information

Covered its tracks (set its own process name to sh, prevented accurate core dumps, re-forked itself)

Buffer Overflows

One means by which the bad guys take over a host

install rootkits

use as spam bots

use as zombies

launch other attacks

There are many attack types, but this is the most prevalent

It all starts with some programmer mistake

e.g., bad software

(Figure: process memory layout, from low addresses 0x000... to high addresses 0xfff...: TEXT, DATA, HEAP, STACK)

Buffer Overflows (continued.)

Stack frame

how local variables and program state are stored in most modern programming languages

The Attack

overwrite the buffer on the stack so that the saved return address is replaced with a pointer to adversary code

Return from the function lands the program counter in the bad guy's downloaded code

Game over -- they now control that host

(Figure: stack frame before and after the overflow. Before: SP, ret, a, b, buf. After: buf and the words above it are filled with "evil" bytes and the saved return address is replaced by myret, pointing back into the buffer.)
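The stack smash described above, as an added example that is not part of the lecture: a struct models the frame in the slide's diagram (the local buffer lowest, then the saved frame pointer, then the saved return address; an assumed 64-bit layout), an unchecked copy shows the attacker's payload replacing the return address, and a length-checked copy refuses the same payload. The copy is done with memcpy over the whole modelled frame so the demonstration is well-defined C; a real strcpy past the end of the array is undefined behaviour. The addresses and payload are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE  16
#define LEGIT_RET 0x401000ULL   /* where the function would normally return (made-up) */

/* Model of one stack frame, laid out like the slide's diagram on a 64-bit,
   downward-growing stack: the local buffer is the lowest member, then the
   saved frame pointer, then the saved return address. An overflow of buf
   therefore runs upward into saved_fp and ret. (Assumed layout; a real
   compiler may reorder locals or add padding.) */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t saved_fp;
    uint64_t ret;
};

/* What an unchecked strcpy(buf, input) does: every byte past BUF_SIZE lands
   in the saved registers. Returns the return address the function would
   actually jump to afterwards. */
uint64_t unchecked_copy_ret(const unsigned char *input, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.ret = LEGIT_RET;
    if (len > sizeof f)
        len = sizeof f;                 /* keep the model itself in bounds */
    memcpy(&f, input, len);             /* stands in for the unbounded strcpy */
    return f.ret;
}

/* The fix: check the length before copying. Returns 0 after copying, or -1
   without touching the buffer when input would not fit with its terminator.
   *ret_out receives the (untouched) return address either way. */
int checked_copy(const unsigned char *input, size_t len, uint64_t *ret_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.ret = LEGIT_RET;
    if (len >= BUF_SIZE) {
        *ret_out = f.ret;
        return -1;
    }
    memcpy(f.buf, input, len);
    f.buf[len] = '\0';
    *ret_out = f.ret;
    return 0;
}

/* Build the classic payload: filler up to the saved registers, then the
   attacker's chosen return address (in a real exploit, the address of the
   code placed in the buffer). Returns the payload length, 0 if out is small. */
size_t build_payload(unsigned char *out, size_t out_len, uint64_t evil_ret)
{
    size_t off = BUF_SIZE + sizeof(uint64_t);      /* buf + saved_fp */
    if (out_len < off + sizeof evil_ret)
        return 0;
    memset(out, 0x90, off);                        /* NOP filler ("evil evil evil") */
    memcpy(out + off, &evil_ret, sizeof evil_ret); /* "myret", in host byte order */
    return off + sizeof evil_ret;
}

/* Runs the scenario end to end; returns 1 if the model behaves as described. */
int run_demo(void)
{
    unsigned char payload[64];
    uint64_t ret;
    size_t n = build_payload(payload, sizeof payload, 0xdeadbeefULL);
    if (n != BUF_SIZE + 2 * sizeof(uint64_t)) return 0;
    if (unchecked_copy_ret(payload, n) != 0xdeadbeefULL) return 0;            /* hijacked */
    if (checked_copy(payload, n, &ret) != -1 || ret != LEGIT_RET) return 0;    /* refused */
    if (checked_copy((const unsigned char *)"hello", 5, &ret) != 0 || ret != LEGIT_RET) return 0;
    return 1;
}

int main(void)
{
    printf("overflow model %s\n", run_demo() ? "behaves as described" : "FAILED");
    return 0;
}
```

The two copies differ only in the length check; everything the attacker controls (the filler and the new return address) is the same input, which is the point of the lecture's "it all starts with a programmer mistake".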

Other Input Problems

Function Pointers

Overwrite a local function pointer variable

Q: What can be done?

Heap overflow

Overflow a buffer on the heap

Integer Overflow

For signed 8-bit integers, 127 + 1 wraps to -128 (two's complement), so size arithmetic can silently go wrong

Malformed Character Input

What does the URL “/scripts/..%c0%af../winnt/system32” decode to?
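The malformed-character question worked through, as an added example that is not part of the lecture: a percent-decoder and a small UTF-8 decoder are run over the slide's URL, with a component-wise ".." check applied before and after decoding. The "lenient" decoder and the 128-byte buffers are assumptions of this example; the URL itself is the slide's.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: the URL from the slide. */
#define SLIDE_URL "/scripts/..%c0%af../winnt/system32"

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Step 1: %XX percent-decoding into raw bytes. Returns the byte count. */
size_t percent_decode(const char *in, unsigned char *out, size_t out_len)
{
    size_t n = 0;
    for (; *in && n + 1 < out_len; in++) {
        int hi, lo;
        if (*in == '%' && (hi = hexval(in[1])) >= 0 && (lo = hexval(in[2])) >= 0) {
            out[n++] = (unsigned char)(hi * 16 + lo);
            in += 2;
        } else {
            out[n++] = (unsigned char)*in;
        }
    }
    out[n] = '\0';
    return n;
}

/* Step 2: UTF-8 to ASCII (1- and 2-byte forms only). Lenient mode decodes a
   2-byte sequence arithmetically even when it is an "overlong" encoding of a
   value below 0x80; strict mode rejects that with -1, as RFC 3629 requires.
   Returns the byte count; non-ASCII code points are written as '?'. */
int utf8_to_ascii(const unsigned char *in, size_t in_len, char *out, size_t out_len, int strict)
{
    size_t i = 0, n = 0;
    while (i < in_len && n + 1 < out_len) {
        unsigned char b = in[i];
        if (b < 0x80) {
            out[n++] = (char)b; i += 1;
        } else if ((b & 0xE0) == 0xC0 && i + 1 < in_len && (in[i + 1] & 0xC0) == 0x80) {
            unsigned cp = ((b & 0x1Fu) << 6) | (in[i + 1] & 0x3Fu);
            if (strict && cp < 0x80) return -1;   /* overlong: C0 AF is '/' */
            out[n++] = cp < 0x80 ? (char)cp : '?'; i += 2;
        } else {
            return -1;                             /* longer forms not needed here */
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Traversal check over '/'-separated components: 1 if ".." ever climbs above
   the root, 0 otherwise. Before decoding, "..%c0%af.." is just an odd
   directory name, so the path looks safe. */
int path_escapes_root(const char *path)
{
    int depth = 0;
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 1;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Both steps on the slide's URL; returns the decoded path, or NULL if the
   strict decoder rejected it. (Static buffer: demo only, not re-entrant.) */
const char *decode_slide_url(int strict)
{
    static char out[128];
    unsigned char raw[128];
    size_t n = percent_decode(SLIDE_URL, raw, sizeof raw);
    return utf8_to_ascii(raw, n, out, sizeof out, strict) < 0 ? NULL : out;
}

/* -1 if decoding was rejected, else whether the decoded path escapes the root. */
int slide_url_escapes(int strict)
{
    const char *d = decode_slide_url(strict);
    return d ? path_escapes_root(d) : -1;
}

int main(void)
{
    printf("before decoding: escapes root? %d\n", path_escapes_root(SLIDE_URL));
    printf("lenient decode: %s, escapes root? %d\n", decode_slide_url(0), slide_url_escapes(0));
    printf("strict decode: %s\n", decode_slide_url(1) ? decode_slide_url(1) : "rejected (overlong UTF-8)");
    return 0;
}
```

The lesson is ordering: the lenient decoder turns %c0%af into '/', so the path becomes /scripts/../../winnt/system32 and climbs out of the web root, while a check run on the raw URL sees nothing wrong. Either validate after the last decoding step or reject overlong encodings outright, as the strict mode does.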

Java World

Type Safe Language

No buffer/heap/ptr overflows

No unsafe casts

Still have integer overflows?

Java Virtual Machine

Interprets bytecodes (or compiles them)

Security Manager (the reference monitor for the JVM)

Q: What is the trust model of a Java application?

C Analysis

  • Assume type safety in the analysis
    • On what basis?
    • Trust that the programmer does not subvert it
  • Is this a reasonable assumption?
    • Unsound analysis
      • False negatives are possible
    • Sound analysis
      • If it reports no unsafe behavior, none can occur (relative to the analysis's model)
  • Actually, lots of work in this area
  • Used in production code: Microsoft

Source Code Analysis

  • Shallow tools for bug finding
    • PREfix, PREfast -- Microsoft
  • Companies that will check your code
    • Coverity -- based on MC
  • Deep tools for verifying correctness
    • SLAM -- for device drivers
  • Add security to legacy code
    • Generate LSM (Linux Security Module) hooks
    • Generate a reference monitor for the X Server
  • Lots of other topics
    • Privilege separation
    • Domain transition
    • Error reporting

Information-flow control

What is it?

Simple security & *-property (Bell-LaPadula)

Why?

e.g., the Leandro Aragoncillo case

Problem: Information release

Solution: Information Flow Control

Stronger enforcement than reference monitors

(Figure: lattice of compartment sets, from {NUC, EUR, US} at the top (access to all compartments), through {NUC, EUR}, {NUC, US}, {EUR, US}, then {NUC}, {EUR}, {US}, down to {} at the bottom (access to no compartments))

Label and monitor

Key: tag data, monitor flows

Reference monitors tag actual data

• all data and processes carry a label

• a central security monitor checks operations and data accesses against policy

Security-typed languages use virtual tags

• data types are labeled

• the type checker validates flows

Labeling types

Key insight: label types with security levels

Security-typing is compositional

Example 1:

    int{high} h1, h2;
    int{low} l;
    l = 5;          // ok: constant into low
    h2 = l;         // ok: low flows up to high
    h1 = h2 + 10;   // ok: high into high
    l = h2 + l;     // X rejected: high data would flow into the low variable l

Example 2:

    String{low} proc(Object{high} o);
    ...
    main() {
        Object{high} obj;
        String{low} s;
        s = proc(obj);   // checked against proc's signature alone: a low result from a high argument
        ...
    }

Implicit flows

    int{low} mydata = 0;
    int{low} mydata2 = 0;
    if (test{high})
        mydata = 1;
    else
        mydata = 2;
    mydata2 = 0;
    print{low}(mydata2);
    print{low}(mydata);
    ...

Static (virtual) tagging causes a type error at compile time: mydata contains information about test, so it can no longer be low, but mydata2 is assigned outside the conditional, so it is untainted by test.

Open challenges

System-wide security

Certifying compilation

Abstraction-violating attacks

Dynamic policies

Practical issues

Variations of static analysis

Take away

“The inability to express or enforce end-to-end security policies is a serious problem with our current computing infrastructure, and language-based techniques appear to be essential to any solution to this problem.”