Software can be correct without being secure. Intended behavior doesn't always equal actual behavior. Software does extra things it's not supposed to do. This is where many security vulnerabilities exist.
Application
File Systems
OS, Kernel: provides memory, file pointers, time, date and other functions. File System: provides data stored in binary or text format. User Interface (UI): set of APIs that gets inputs from keyboards, mouse and other devices. API: other software that provides input to the software application.
Interaction between the application and the file system is rarely tested. File system is entrusted to store sensitive data, passwords, other persistent info. Is this info stored in publicly accessible areas?
Application information must pass through memory at one time or another. Cleartext info could be leaked if memory is accessed by unauthorized users or programs. Low memory, crash dump areas need to be investigated.
Applications rely on other software to accomplish their tasks. Application is only as secure as the other software it uses. Build a catalog of external components the application uses. Software component interdependency is important.
What fault would have caused this vulnerability? What were the failure symptoms that would alert a tester to the presence of the vulnerability? What testing technique would find this vulnerability? This created 4 attack categories:
Software dependency attacks. UI attacks. Application design attacks. Design implementation attacks.
Simulates failures in the application's environment. Error handling routines are subjected to far less testing than the functional code they're designed to protect. Source-based fault injection: modify source statements to trigger faulty behavior. Runtime fault injection: intercepting OS function calls.
2 basic approaches
When to apply
Test is designed to ensure the application doesn't behave insecurely if software libraries fail to load. Applications rely on library code for validation routines. If calls can't be executed or return unexpected errors, the application's error handlers might not respond securely.
Sensitive data dumped? What happens if the application continues to run despite failing to load modules properly? Application that fails to display an error when modules aren't loaded may not have good error handlers in place. Data corruption? Failure to perform critical validation tasks.
How to conduct the attack? Find out which libraries the application accesses and when. Try to figure out which libraries might impact security. Block access to a library and see what happens. Watch for insecure behavior.
Sensitive data dumped? What tasks were being performed when it tried to load the library?
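An added example, not from the original slides or the book: one way to run the library-blocking test described above in Python, comparing an error handler that fails open with one that fails closed. The names block_module, accept_fail_open and accept_fail_closed, and the use of the standard ipaddress module as the "validation library", are assumptions made for illustration.

```python
import importlib
import sys
from contextlib import contextmanager

LIB = "ipaddress"   # assumption: stands in for the application's validation library

@contextmanager
def block_module(name):
    """Runtime fault injection: make importing `name` fail inside the block."""
    missing = object()
    saved = sys.modules.get(name, missing)
    sys.modules[name] = None            # a None entry makes the import raise ImportError
    try:
        yield
    finally:                            # always restore the real module state
        if saved is missing:
            del sys.modules[name]
        else:
            sys.modules[name] = saved

def accept_fail_open(addr):
    """Insecure handler: when the library cannot load, validation is skipped."""
    try:
        lib = importlib.import_module(LIB)
    except ImportError:
        return True                     # input accepted unvalidated
    try:
        return lib.ip_address(addr).is_private
    except ValueError:
        return False

def accept_fail_closed(addr):
    """Secure handler: a missing library or bad input both mean 'reject'."""
    try:
        return importlib.import_module(LIB).ip_address(addr).is_private
    except (ImportError, ValueError):
        return False

def accepted_while_blocked(handler, bad_input="not-an-address"):
    """Block the library, feed invalid input, report whether it was accepted."""
    with block_module(LIB):
        return handler(bad_input)

if __name__ == "__main__":
    print("fail-open accepts bad input:  ", accepted_while_blocked(accept_fail_open))
    print("fail-closed accepts bad input:", accepted_while_blocked(accept_fail_closed))
```

A handler that passes its functional tests can still fail this one, because the ImportError branch is only reached when the library is blocked.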
Whenever a registry key is read or written by the application. Not all info stored in the registry is secured from other users or applications. Does the application trust information from the registry?
Trust: applications trust data from the registry, especially if they wrote the data there in the first place. Piracy, theft or disclosure of sensitive data.
Read the registry keys: user-access info, implementation clues, confidential information.
Once registry keys are identified, alter their values and see how the application responds.
Make sure the application handles bad data gracefully without exposing sensitive data or allowing insecure behavior.
UI data usually ok. File system data usually not, because most testing is done on the UI.
DOS attack? Application dies when it reads bad data. Buffer overrun. Corrupt data displayed on screen.
Identify a file the application will use and change it in some way the software doesn't expect.
Any time the application reads/writes to the file system, launches an executable or accesses functionality from a library. Previous attack tried to get the software to process corrupt data.
Applications tend to trust the file system as an input source. Trust in libraries and executables is implicit.
Goal: test whether the application allows us to do something we shouldn't be able to do. First, watch the application and see which files it accesses. Second, determine when each file is accessed and for what purpose. Look for data files, libraries that can be replaced with malicious or trojaned versions. Web apps that use cookies are good targets.
Without sufficient memory or disk space, most applications will not work. Applications that rely on shared data also rely on the network. Stress test the application by blocking a resource when the application most needs it. Disk space: look for periods of read/write.
Memory: launch multiple copies to use up memory. Fill up disk space using an infinite loop.
List the libraries the application uses. Find out the registry values it uses. Find what files it opens and uses. Alter the libraries and files. Try disk, memory, network DOS.
Fault model tells us most security bugs result from additional, unintended and undocumented user behavior. Goal is privilege escalation, information disclosure.
Most high-level languages are immune to buffer overflows (BO) because they detect and prevent them explicitly or automatically resize arrays. Applicable any time software accepts alphanumeric input from a user: GUI, command prompt or API.
Application crash: send long strings to the application and see if it crashes. Identify an input field as target. Look for data gathered from an untrusted user via WWW I/F or data files. Look for applications that run at higher privilege levels.
Use longstrings.doc. Use 1234567890, increase length by 10 each time. Look for error messages that quote the string: they're storing the data somewhere in the program and it could be overflowed.
Applications are tolerant of user input from default configs. How does it react when these configs are changed?
Developers may not consider all of the possible configs as they attempt to secure input.
Some code paths include security procedures, others don't. This lets us do the penetrate and patch.
Command line switches forced the application to execute underutilized code. Get around input string filters.
Look at previous releases, look for obscure switches, options. Try different command line options.
Find out which characters or combinations of characters are treated differently. Force the application to process special characters and commands.
Poorly constrained input. Web apps, input scripts.
Possible DOS by sending bad input to a remote application. Craft an input string to force the application to perform unauthorized actions. Applications usually have 2 parts:
Form that GATHERS data. Server application that PROCESSES data.
What OS does the application run on? What language is it written in? What libraries, scripts, DBs and external applications does the user data get passed to? What are the character sets, reserved words, commands that the application components use?
NUL: MS-DOS uses NUL terminated strings in system functions.
^C (ETX): program interrupt character.
^D (EOT): Unix uses EOT as an EOF.
Embedded NULs may cause all chars following them to be ignored. Program may abort. EOT may cause the shell to terminate.
^J (LF): Windows uses CR/LF, could cause persistent data problems. Unix handles this differently.
^Q, ^S: XON/XOFF.
Attack 9: try common default, test account names and passwords. Attack 10: use Holodeck to expose unprotected test APIs.
Holodeck is available from www.howtobreaksoftware.com/security. Monitors an application and its interaction with system calls.
Some data is trusted implicitly based on its source. This attack ensures the application verifies the source of data and that the level of trust extended to the source is appropriate.
Trust is usually extended on identification without authentication. Network data might be poorly authenticated.
Attack 13: Create loop conditions in any application that interprets script
Take benign commands and repeat them over and over to DOS users or processes.
Command loops can cause the application to DOS itself or users. Successful DOS.
Any user inputs that get processed as more than just a string. Parsed values like HTML fields.
<SCRIPT Language=VbScript>
On Error Resume Next
Dim a
Dim i
For i=1 to 100
Set a = CreateObject("Word.Application")
Next
</SCRIPT>
If placed at a www site, will attempt to open 100 instances of Word.
Example: how many ways can you open a Word doc? Type the path in the Run dialog box. Double-click on the icon in Explorer. Type the path, filename in Explorer. Type the path, filename in Internet Explorer. Select it from My Recent Documents on the start tab. Type the file name in the Open dialog box within Word. Is security in place for all of these paths?
Software inherits characteristics from its environment. May restrict input from one source but forget about multiple sources like keyboard shortcuts (Ctrl-N in Windows).
If user is able to perform restricted actions. Copy and paste issues.
Was it successful?
Applies to all types of software. Leave fields blank, click FINISH instead of NEXT, etc. Are default values in place?
Software allows variables to have illegal or non-existent default values. Missing user input allows garbage input because the software doesn't have defaults.
Software crashed if data introduced remotely. Do default values leave the application in a vulnerable state?
Enter data, delete it and see if you're allowed to proceed.
Try common default passwords and user IDs. Launch the application under Holodeck and look for libraries loaded by the application. Port scan the system. Fake the source of input data. Try to force the application into a loop through user data supplied remotely. Explore alternate routes to run the program or supply data. Try null values to force the application to accept default values.
Attacking Implementation
Implementation often is less secure than the design. Functional requirements are easy to test for security. Implementation isn't.
Data is at risk whenever you can separate the functions that check security from the functions that actually use it. TOD & TOU: too much time passes between the time the data is checked and the time it's used.
Some actions aren't atomic and involve multiple steps.
If you can escalate your privilege over some part of the application or its data. Look for gaps between when a privilege is checked and when it is used.
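An added example, not from the original slides or the book: the gap between check and use shown on a file, with a check made on the file name beside a check made on the descriptor that was actually opened. It assumes a POSIX system (os.O_NOFOLLOW, symlinks); the function names, the gap hook and the file names are constructed for the demonstration.

```python
import os
import stat
import tempfile

def read_checked_by_name(path, gap=lambda: None):
    """Vulnerable: the check and the use each resolve the file name separately."""
    if os.path.islink(path) or not os.path.isfile(path):    # time of check
        return None
    gap()                                  # the file behind `path` can change here
    with open(path, "rb") as fh:           # time of use: name resolved again
        return fh.read()

def read_checked_by_descriptor(path, gap=lambda: None):
    """Hardened: open once, then check the object that was actually opened."""
    gap()                                  # no earlier check exists for a change to defeat
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)     # refuses a symlink
    except OSError:
        return None
    with os.fdopen(fd, "rb") as fh:
        if not stat.S_ISREG(os.fstat(fd).st_mode):          # check bound to the open file
            return None
        return fh.read()

def demo():
    """Constructed scenario in a private temp directory; returns both results."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "report.txt")
        other = os.path.join(d, "restricted.txt")
        with open(other, "wb") as fh:
            fh.write(b"restricted")

        def reset():                       # put an ordinary file back at `target`
            if os.path.lexists(target):
                os.remove(target)
            with open(target, "wb") as fh:
                fh.write(b"public")

        def swap():                        # stands in for a change inside the gap
            os.remove(target)
            os.symlink(other, target)

        reset()
        by_name = read_checked_by_name(target, gap=swap)
        reset()
        by_fd = read_checked_by_descriptor(target, gap=swap)
        return by_name, by_fd

if __name__ == "__main__":
    print(demo())
```

The name-based reader returns the restricted content because its check described a file that was no longer there at open time; the descriptor-based reader has no second name lookup to diverge from.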
Attack 17: Create files with the same name as higher privileged files
DLL file
Libraries are usually loaded by name without further checks. Attack is applicable any time the application makes execution or privilege decisions based on filename.
Search order of applications for libraries: Windows applications have a very specific sequence of directories they search when looking for libraries. Files treated as special cases based on their name: AUX used to represent devices. WordPad properly recognized AUX as a filename. IE doesn't (pre SP2).
Attacker is allowed to perform a restricted action by manipulating or creating a file that bypasses normal security controls. Application processes a file depending on the file name that causes different treatments of the file or its contents.
Pick a feature that interacts with the file system. Think about the files, file types that this feature may try to read.
By trying to cause error messages, we are testing the robustness of the data input section of the code.
Error handlers are usually added after testers have broken functionality. Error handlers written at different times to handle similar data.
Application may be breached by malicious data. Sensitive data may be revealed by error messages.
Test the application's robustness to erroneous input. Review error messages to ensure they don't reveal sensitive data.
Attack 19: Use Holodeck to locate temp files and screen contents
Temp files can hold sensitive info. Find creative ways to gain insecure access to these files.
Temp files, cookies can leak info.
Identify sensitive applications. Launch the application under Holodeck. Watch for CreateFile calls. Pause execution to view temp files. Open the files and examine their content.
Reference
All material for this unit was taken from "How to Break Software Security" by James A. Whittaker and Herbert H. Thompson, Pearson Addison-Wesley, ISBN: 0-32119433-0. Holodeck was developed by the authors.