1 17-DefensiveProgramming


DefensiveProgramming/joke-developer-problems.jpg
or at least go find more existing problems…

1.1 Screencasts

1.2 Introduction

Software security is not all memory issues and buffer overflows, despite what some older textbooks may cover.

1.2.1 Extra reading

1.2.2 Software security issues

1.2.3 Software error super-categories:

  1. Insecure interaction between components
  2. Risky resource management
  3. Porous defenses

1.2.3.1 1) Component interaction

DefensiveProgramming/image5a.png

1.2.3.2 2) Resource management

DefensiveProgramming/image5b.png

1.2.3.3 3) Porous defenses

DefensiveProgramming/image5c.png

1.2.4 Quality vs. Security

To what extent are these the same?

1.2.5 Defensive programming

1.2.6 What are all the program inputs?

DefensiveProgramming/f1-crop.png

Neat/atypical example:

model-stealing
attacking deep learning vision models, model-stealing

model-poisoning
https://arxiv.org/pdf/2310.13828.pdf
https://venturebeat.com/ai/meet-nightshade-the-new-tool-allowing-artists-to-poison-ai-models-with-corrupted-training-data/

Sometimes poisoning is better than hiding.
For example, web browsers that crawl random sites to pollute your internet history.

1.2.7 Defensive programming

1.2.8 Security by design

1.3 Program input

Handling program input safely

1.3.1 Input size

Input size and buffer overflow

1.3.2 Input interpretation

A broad problem, one example of which is the SQLi attack we covered last time.

1.3.2.1 Interpretation of program input

1.3.2.2 Command injection attacks

https://www.hacksplaining.com/exercises/command-execution
(do this in lecture)

../../ComputationalThinking/Content/24-EvilEval.html

bash injection of perl
Attack: xxx; echo attack ­success; ls -l finger*
DefensiveProgramming/image12a.png
Bash command injection attack on finger command (display user)
DefensiveProgramming/image12b.png

SQL injection
An input such as "Bobby'; drop table suppliers" results in the specified record being retrieved, followed by deletion of the entire table!
DefensiveProgramming/image13.png
But, the safer version below uses a function to sanitize the input before building a string (sanitization function not shown).

PHP code injection

Cross Site Scripting (XSS) Attacks
Do this exercise in lecture: https://www.hacksplaining.com/exercises/xss-stored

+++++++++++++++++ Cahoot-17.1

1.3.2.3 Validating input syntax

1.3.2.3.1 Alternate encodings

A means to avoid sanitization and input-validation in the arms race.

Example in SQLi defense
attempting to exclude some characters may not work if you miss one of the encodings!

1.3.2.3.2 Validating numerical input

1.3.3 Input fuzzing

https://en.wikipedia.org/wiki/Fuzzing
https://www.fuzzingbook.org/

1.3.4 Unexpected executable sources

Examples:

++++++++++++++++++++++ Cahoot-17.2

1.4 Safe coding

Writing safe program code

1.4.1 Correct algorithm implementation

Algorithm problem: TCP/IP exploit

Algorithm problem: Deep learning

Artifactual debugging code (backdoor)

1.4.2 Binary matches algorithm?

Might you have a malicious compiler?

1.4.3 Interpretation of data values?

Correct data interpretation

1.4.4 Use of memory

1.4.5 Race conditions with shared memory

1.5 OS-program, program-program

Operating system interaction

1.5.1 Environment variables

Example (do in class)
$ printenv lists these variables in Linux.
$ env let’s you pre-modify the environment that programs run in by passing a set of variable definitions into a command like this:
A script: DefensiveProgramming/vuln.sh

#!/bin/bash

echo $HOME
echo $PATH
echo $VAR1

Can see the environment:
env VAR1="hacked" bash vuln.sh
or
VAR1="hacked" bash vuln.sh

Decent tutorial:
https://www.digitalocean.com/community/tutorials/how-to-read-and-set-environmental-and-shell-variables-on-a-linux-vps

Compiled programs are also vulnerable

Mention: fixed env vulnerability in a popular program here…

In general, try not to rely on environment variables!

1.5.2 Least privilege

Principle of least privilege

Admin privilege

1.5.3 System calls and standard libraries

1.5.3.1 Secure file deletion

DefensiveProgramming/image20.png
Secure delete operations don’t make it to the disk as expected because of “efficient” OS procedures
chattr +s filetosecurelydelete
Not universally reliable thought — better off just encrypting the full disk.

1.5.4 Race conditions with system resources

1.5.4.1 Preventing race conditions

Lockfile creation should happen as one event
DefensiveProgramming/image21.png
Rather than as a check for existence and then creation. Why?

1.5.5 Safe temporary files

Show
stat /tmp
ll /tmp

1.5.6 Interaction with other programs

1.6 Handling program output safely