Programming errors with security implicationsbuffer overflows, incomplete access

control

protecting programs is at the heart of computer security. So we need to ask two important
questions:

How do we keep programs free from flaws?

How do we protect computing resources against programs that contain flaws

Secure Programs
when we say that a program is "secure." ,security implies some degree of trust that the
program enforces expected confidentiality, integrity, and availability.
What are the problem faced when Fixing Faults in a programme.

The pressure to repair a specific problem encouraged a narrow focus on the fault
itself and not on its context. In particular, the analysts paid attention to the
immediate cause of the failure and not to the underlying design or requirements
faults.
The fault often had nonobvious side effects in places other than the immediate
area of the fault.

The fault could not be fixed properly because system functionality or performance
would suffer as a consequence

A flaw can be either a fault or failure, and a vulnerability usually describes a class of
flaws, such as a buffer overflow. In spite of the inconsistency, it is important for us to
remember that we must view vulnerabilities and flaws from two perspectives, cause and
effect, so that we see what fault caused the problem and what failure (if any) is visible to
the user
to understand program security, we can examine programs to see whether they behave as
their designers intended or users expected. We call such unexpected behavior a program
security flaw; it is inappropriate program behavior caused by a program vulnerability

Program security flaws can derive from any kind of software fault. That is, they cover
everything from a misunderstanding of program requirements to a one-character error in
coding or even typing. The flaws can result from problems in a single code component or
from the failure of several programs or program pieces to interact compatibly through a
shared interface. The security flaws can reflect code that was intentionally designed or
coded to be malicious, or code that was simply developed in a sloppy or misguided way.
Thus, it makes sense to divide program flaws into two separate logical categories:
inadvertent human errors versus malicious, intentionally induced flaws.

1
When a human makes a mistake, called an error, in performing some software activity,
the error may lead to a fault, or an incorrect step, command, process, or data definition in
a computer program

Types of Flaws
the inadvertent flaws fall into six categories

validation error (incomplete or inconsistent)

domain error

serialization and aliasing

inadequate identification and authentication

boundary condition violation

other exploitable logic errors

Nonmalicious Program Errors-:

Buffer Overflows-:A buffer overflow is the computing equivalent of trying to pour two
liters of water into a one-liter pitcher: Some water is going to spill out and make a mess.
And in computing, what a mess these errors have made!

Definition

A buffer (or array or string) is a space in which data can be held. A buffer resides in
memory. Because memory is finite, a buffer's capacity is finite. For this reason, in many
programming languages the programmer must declare the buffer's maximum size so that
the compiler can set aside that amount of space.

Let us look at an example to see how buffer overflows can happen. Suppose a C language
program contains the declaration:

char sample[10];

The compiler sets aside 10 bytes to store this buffer, one byte for each of the ten elements
of the array, sample[0] through sample[9]. Now we execute the statement:

sample[10] = 'A';

2
The subscript is out of bounds (that is, it does not fall between 0 and 9), so we have a
problem. The nicest outcome (from a security perspective) is for the compiler to detect
the problem and mark the error during compilation. However, if the statement were

sample[i] = 'A';

Incomplete Mediation

Incomplete mediation is another security problem that has been with us for decades.
Attackers are exploiting it to cause security problems.

Definition

Consider the example of the previous section:

http://www.somesite.com/subpage/userinput&parm1=(808)555-
1212&parm2=2004Ja

Time-of-Check to Time-of-Use Errors

The third programming flaw we investigate involves synchronization. To improve

efficiency, modern processors and operating systems usually change the order in which
instructions and procedures are executed. In particular, instructions that appear to be
adjacent may not actually be executed immediately after each other, either because of
intentionally changed order or because of the effects of other processes in concurrent
execution.

Definition

Access control is a fundamental part of computer security; we want to make sure that
only those who should access an object are allowed that access. (We explore the access
control mechanisms in operating systems in greater detail in Chapter 4.) Every requested
access must be governed by an access policy stating who is allowed access to what; then
the request must be mediated by an access policy enforcement agent. But an incomplete
mediation problem occurs when access is not checked universally. The time-of-check to
time-of-use (TOCTTOU) flaw concerns mediation that is performed with a "bait and
switch" in the middle. It is also known as a serialization or synchronization flaw

Viruses and Other Malicious Code

Types of Malicious Code.

3
Code Type Characteristics

Virus Attaches itself to program and propagates copies of itself to other programs

Trojan horse Contains unexpected, additional functionality

Logic bomb Triggers action when condition occurs

Time bomb Triggers action when specified time occurs

Trapdoor Allows unauthorized access to functionality

Worm Propagates copies of itself through a network

Rabbit Replicates itself without limit to exhaust resource

How Viruses Attach-:
Appended Viruses-:A program virus attaches itself to a program; then, whenever
the program is run, the virus is activated. This kind of attachment is usually easy to
program.
In the simplest case, a virus inserts a copy of itself into the executable program file before
the first executable instruction. Then, all the virus instructions execute first; after the last
virus instruction, control flows naturally to what used to be the first program instruction.
Such a situation is shown in

4
Viruses That Surround a Program-:An alternative to the attachment is a virus that runs
the original program but has control before and after its execution. For example, a virus
writer might want to prevent the virus from being detected. If the virus is stored on disk,
its presence will be given away by its file name, or its size will affect the amount of space
used on the disk. The virus writer might arrange for the virus to attach itself to the
program that constructs the listing of files on the disk. If the virus regains control after
the listing program has generated the listing but before the listing is displayed or printed,
the virus could eliminate its entry from the listing and falsify space counts so that it
appears not to exist. A surrounding virus is shown in

5
Integrated Viruses and Replacements-:A third situation occurs when the virus replaces
some of its target, integrating itself into the original code of the target. Such a situation is
shown in figure . Clearly, the virus writer has to know the exact structure of the original
program to know where to insert Finally, the virus can replace the entire target, either
mimicking the effect of the target or ignoring the expected effect of the target and
performing only the virus effect. In this case, the user is most likely to perceive the loss
of the original program

6
Document Viruses-:Currently, the most popular virus type is what we call the document
virus, which is implemented within a formatted document, such as a written document, a
database, a slide presentation, or a spreadsheet. These documents are highly structured
files that contain both data (words or numbers) and commands (such as formulas,
formatting controls, links). The commands are part of a rich programming language,
including macros, variables and procedures, file accesses, and even system calls. The
writer of a document virus uses any of the features of the programming language to
perform malicious actions

How Viruses Gain Control?

Homes for Viruses? The virus writer may find these qualities appealing in a virus:

It is hard to detect.
It is not easily destroyed or deactivated.

It spreads infection widely.

It can reinfect its home program or other programs.

It is easy to create.

It is machine independent and operating system independent

Let us look more closely at the issue of viral residence?

7
One-Time Execution, Boot Sector Viruses, Memory-Resident Viruses

Virus Signatures
Prevention of Virus Infection-:

Test all new software on an isolated computer. If you must use software from a
questionable source, test the software first on a computer with no hard disk, not
connected to a network, and with the boot disk removed. Run the software and
look for unexpected behavior, even simple behavior such as unexplained figures
on the screen. Test the computer with a copy of an up-to-date virus scanner,
created before running the suspect program. Only if the program passes these tests
should it be installed on a less isolated machine.
Open attachments only when you know them to be safe. What constitutes "safe" is
up to you, as you have probably already learned in this chapter. Certainly, an
attachment from an unknown source is of questionable safety. You might also
distrust an attachment from a known source but with a peculiar message.

Make a recoverable system image and store it safely. If your system does become
infected, this clean version will let you reboot securely because it overwrites the
corrupted system files with clean copies. For this reason, you must keep the image
write-protected during reboot. Prepare this image now, before infection; after
infection it is too late. For safety, prepare an extra copy of the safe boot image.

Make and retain backup copies of executable system files. This way, in the event
of a virus infection, you can remove infected files and reinstall from the clean
backup copies (stored in a secure, offline location, of course).

Use virus detectors (often called virus scanners) regularly and update them daily.
Many of the virus detectors available can both detect and eliminate infection from
viruses. Several scanners are better than one, because one may detect the viruses
that others miss. Because scanners search for virus signatures, they are constantly
being revised as new viruses are discovered. New virus signature files, or new
versions of scanners, are distributed frequently; often, you can request automatic
downloads from the vendor's web site. Keep your detector's signature file up-to-
date.

Targeted Malicious Code

What is a Trapdoors?

Causes of Trapdoors

8
Developers usually remove trapdoors during program development, once their intended
usefulness is spent. However, trapdoors can persist in production programs because the
developers

forget to remove them

intentionally leave them in the program for testing

intentionally leave them in the program for maintenance of the finished program,
or

intentionally leave them in the program as a covert means of access to the

component after it becomes an accepted part of a production system

Salami Attack-:

Examples of Salami Attacks

Controls Against Program Threats-;

Developmental Controls

specify the system, by capturing the requirements and building a model of how
the system should work from the users' point of view
design the system, by proposing a solution to the problem described by the
requirements and building a model of the solution

implement the system, by using the design as a blueprint for building a working
solution

test the system, to ensure that it meets the requirements and implements the
solution as called for in the design

review the system at various stages, to make sure that the end products are
consistent with the specification and design models

document the system, so that users can be trained and supported

manage the system, to estimate what resources will be needed for development
and to track when the system will be done

maintain the system, tracking problems found, changes needed, and changes
made, and evaluating their effects on overall quality and functionality

9
how we recognize high-quality secure software?

Modularity, Encapsulation, and Information Hiding

Modularity--:The goal is to have each component meet four conditions:

single-purpose: performs one function

small: consists of an amount of information for which a human can readily grasp
both structure and content

simple: is of a low degree of complexity so that a human can readily understand

the purpose and structure of the module

independent: performs a task isolated from other modules

There are several advantages to having small, independent components.?

Maintenance. If a component implements a single function, it can be replaced

easily with a revised one if necessary. The new component may be needed
because of a change in requirements, hardware, or environment. Sometimes the
replacement is an enhancement, using a smaller, faster, more correct, or otherwise
better module. The interfaces between this component and the remainder of the
design or code are few and well described, so the effects of the replacement are
evident.
Understandability. A system composed of many small components is usually
easier to comprehend than one large, unstructured block of code.

Reuse. Components developed for one purpose can often be reused in other
systems. Reuse of correct, existing design or code components can significantly
reduce the difficulty of implementation and testing.

Correctness. A failure can be quickly traced to its cause if the components

perform only one task each.

Testing. A single component with well-defined inputs, output, and function can be
tested exhaustively by itself, without concern for its effects on other modules
(other than the expected function and output, of course

Coupling

10
Encapsulation-:encapsulation is the "technique for packaging the information
[inside a component] in such a way as to hide what should be hidden and make
visible what is intended to be visible

Information Hiding-:Information hiding is desirable, because developers cannot

easily and maliciously alter the components of others if they do not know how the
components work

Peer Reviews-:There are careful distinctions among three types of peer reviews:

Review: The artifact is presented informally to a team of reviewers; the goal is

consensus and buy-in before development proceeds further.
Walk-through: The artifact is presented to the team by its creator, who leads and
controls the discussion. Here, education is the goal, and the focus is on learning
about a single document.

Inspection: This more formal process is a detailed analysis in which the artifact is
checked against a prepared list of concerns. The creator does not lead the
discussion, and the fault identification and correction are often controlled by
statistical measurements.

Control against programme threats

peer reviews
hazard analysis

testing

good design

prediction

static analysis

configuration management

analysis of mistakes

11
12