Language Based Security - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Language Based Security
  • Group D Final Presentation
  • 2006-05-23
  • Brian Alliet
  • Ralf Desulme
  • Emmanuel Sarella
  • Timothy Watt

2
Introduction
  • Reverse Engineering
  • Malicious Input
  • Buffer Overflows
  • Attacking the Client

3
Reverse Engineering

4
Malicious Input phpBB Vulnerability
  • preg_replace
  • Optionally allows evaluation of an expression for
    replacement
  • Replacement expression is a string
  • User input unsafely used in the replacement
    string
  • Attackers can execute arbitrary PHP expressions
  • system() function allows arbitrary code to be
    executed

5
Vulnerable Code
  // The trailing "e" modifier makes PHP evaluate the replacement string
  // as code, and user-controlled $highlight_match is spliced into it.
  @preg_replace(
    '#(\>(((?>([^><]+|(?R)))*)\<))#se',
    "@preg_replace('#\b(" . str_replace('\\', '\\\\', $highlight_match) . ")\b#i',
      '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>',
      '\\0')",
    '>' . $message . '<')

6
Fixes/Mitigation
  • Source code (obvious fix)
  • Ensure proper escaping
  • use preg_replace_callback
  • Mitigation
  • PHP's "safe mode"
  • Taint checking
  • Don't allow "tainted" data to be used in
    "sensitive" functions

7
TaintPHP
  • Designed based on the current Zend interpreter
  • Every PHP value has a taint flag associated with
    it
  • String manipulation operations and functions "pass
    through" the taint flag
  • Integer conversion, regexp matching, addquotes(),
    etc. clear it
  • mysql_query, system, preg_replace, etc. won't
    allow tainted strings as arguments
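
The rules on this slide, modelled in Python as an added illustration (this is not TaintPHP's code, which lives inside the Zend interpreter): request values start tainted, concatenation passes the flag through, integer conversion and a regexp match clear it, and sinks such as mysql_query refuse tainted arguments. The names `request_param`, `untaint_int`, `untaint_match` and the `sensitive` decorator are this example's own, and only concatenation is modelled as a propagating operation.

```python
import re

class TaintError(Exception):
    """Raised when a sensitive sink receives a tainted value."""

class Tainted(str):
    """A str carrying a taint flag: a simplified model of TaintPHP's per-value flag."""
    def __new__(cls, value, tainted=True):
        obj = super().__new__(cls, value)
        obj.tainted = tainted
        return obj

    # String manipulation passes the flag through: any tainted operand taints the result.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.tainted or is_tainted(other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.tainted or is_tainted(other))

def is_tainted(value):
    return isinstance(value, Tainted) and value.tainted

def untaint_int(value):
    """Integer conversion clears taint: an int cannot carry an injection payload."""
    return int(value)

def untaint_match(value, pattern):
    """Regexp matching clears taint, but only for text the whole-string pattern accepted."""
    match = re.fullmatch(pattern, value)
    if match is None:
        raise ValueError("input rejected by validation pattern")
    return Tainted(match.group(0), tainted=False)

def sensitive(sink):
    """Models the sinks (mysql_query, system, preg_replace) that refuse tainted arguments."""
    def guard(*args):
        for arg in args:
            if is_tainted(arg):
                raise TaintError(f"{sink.__name__}() refuses tainted argument {arg!r}")
        return sink(*args)
    return guard

@sensitive
def mysql_query(sql):
    return "executed: " + sql  # stand-in for the database call; only reached with clean input

def request_param(raw):
    """Everything arriving from the HTTP request is tainted at the source."""
    return Tainted(raw)
```

Because this model sits in library code rather than the interpreter, any string operation it does not override (f-strings, `str.format`, slicing) silently produces an untainted plain str; TaintPHP avoids that gap by tracking the flag inside the engine itself.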

8
Demo
  • Vulnerable version of phpBB installed on a web
    server
  • http://www.brianweb.net/phpBB2
  • http://www.brianweb.net/phpBB2/demo.html

9
Buffer Overflows

10
Attacking the Client
  • Problem: scripts in web pages
  • Multiple trust levels
  • site content
  • other user content
  • One scripting trust level
  • Example: MySpace worm of late 2005
  • Custom user content included script
  • performed actions as browser (i.e., viewer)
  • acted on behalf of user: modified viewer's
    profile
  • Root cause: black-list filter insufficient

11
Attacking the Client (2)
  • Solution proposal: trust domains within content
  • extends HTML (applies hierarchically)
  • could do XML (HTML legacy support)
  • privilege dropping (revoking abilities)
  • can be done (generally) at server or client (or
    both)
  • domain marking
  • label accesses with trust domain
  • extends HTTP (requires server modification, too)

12
Attacking the Client (3)
  • Privilege dropping
  • Script detected within 'usercode' trust domain
  • web client does not interpret script
  • May be too restrictive
  • Domain marking
  • POST /editprofile.cgi
  • X-Trust-Domain: usercode samy
  • Server script can reject request
  • Mitigates unanticipated attacks (img, CSS, ...)

13
Questions