Famous Buffer Overruns

• The in-famous fingerd vulnerability that allowed a worm to bring down the web.
  See The Morris Worm: A 15 Year Perspective (available on campus from IEEE Security & Privacy Magazine, volume 1 issue 5)
  A brief summary can be found here
  or see Communications of the ACM (CACM) Vol. 32, No. 6, June 1989 , The Worm Story
• JPEG vulnerability at microsoft.com or cert.org

  Executive Summary:

  This update resolves a newly-discovered, privately reported vulnerability. A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. The vulnerability is documented in this bulletin in its own section.

  If a user is logged on with administrator privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

  Microsoft recommends that customers apply the update immediately.

Preventing bufferoverruns

• Canary on the stack
  Put random value (canaries) on the stack after return address. Check that the random value has not changed before returning. Requires recompilation, small runtime overhead paid for each function call. Has been worked around in some cases, for example, overwriting function pointers. Anatomy of a Stack Smashing Attack and How GCC Prevents It
• Randomizing the stack
  When a program is started, push a random amount of data onto the stack. Used in RH9 (for example), this makes it more difficult to determine where shellcode will reside on the stack. Small initial startup cost, foils old exploits, can be done without recompiling code. Unfortunately, this has been worked around.
• Mark the stack non-executable
  Do not allow the CPU to execute code on the stack.
  Problems: Does not prevent heap overruns. In C one can also pass function pointers (on the stack), these would still be vulnerable. Some applications need an executable stack.
• Don't use bad functions strcpy(), strcat(), sprintf(). Note: strncpy(), strncat() may leave buffer unterminated, encourage off by one errors, so are not as safe as one might think.
  • strncat
  • StringCbCat
• Use safe versions of C libraries (libsafe)
  Intercepts calls to 'bad' functions. Checks that there is sufficient space in the current stack frame for the call.
  Problems: Won't work for statically linked programs. Only catches overflows in library code, for example: while(*c!='\0'){ *p++=*c++; }
• Use safer languages
  Java, C#, ML
  Problems: Might not have a choice. System might (probably will) rely on old libraries which are exploitable.

C functions that don't know their inputs

The general rule: Know your inputs!!

• Know the inputs your software should work on.
• Make sure it works for these inputs.
• If other inputs supplied: quit (or otherwise handle them).

What to do about it?

• Whitelisting: Checks for good inputs and fail otherwise
  VS
  Blacklisting: Check for bad inputs and process otherwise
  First approach usually better!!
• Use regular expressions to check inputs. See regexlib.com for expressions to check email addresses, phone numbers, dates.
• Check all inputs: composition, length, syntax, range. Example: Checking dates.
• Add assertions to methods (which fail if arguments are incorrect).
• Don't assume that information is authentic (ie. data this program wrote last time it was invoked).

Integer overflow

• Width, Arithmetic Overflow, Change of Sign, Exploits (see link below).
• Basic Integer Overflows , width1.c, catvars.c
• Apple QuickTime Integer Overflow

Canonical Naming and Directory Traversal

Heartbleed

• 
  From xkcd.
• Heartbleed Explained
• Basically the following problem...heartbleed.c

Format string vulnerability

What can I trust?

• Not input
• Not library code
• Not even the compiler Reflections on Trusting Trust