Language Based Security

1
Language Based Security

• Group D Final Presentation
• 2006-05-23
• Brian Alliet
• Ralf Desulme
• Emmanuel Sarella
• Timothy Watt

2
Introduction

• Reverse Engineering
• Malicious Input
• Buffer Overflows
• Attacking the Client

3
Reverse Engineering
4
Malicious Input phpBB Vulnerability

• preg_replace
• Optionally allows evaluation of en expression for
  replacement
• Replacement expression is a string
• User input unsafely used in the replacement
  string
• Attackers can execute arbitrary PHP exprs
• system() function allows arbitrary code to be
  executed

5
Vulnerable Code

• _at_preg_replace(
• '(\gt(((?gt(gtlt(?R ))))\lt))se',
• "_at_preg_replace(
• '\b(" . str_replace('\\', '\\\\',
  highlight_match) . ")\bi',
• 'ltspan style\"color" .
  theme'fontcolor3' .
  "\"gtltbgt\\\\1lt/bgtlt/spangt',
• '\\0')",
• 'gt' . message . 'lt')

6
Fixes/Mitigation

• Source code (obvious fix)
• Ensure proper escaping
• use preg_replace_callack
• Mitigation
• PHP's "safe mode"
• Taint checking
• Don't allow "tainted" data to be used in
  "sensitive" functions

7
TaintPHP

• Designed based on the currrent Zend interpreter
• Every PHP value has a taint flag associated with
  it
• String manipulation operations and function "pass
  though" the taint flag
• Integer conversion, regexp matching, addquotes(),
  etc clear it
• mysql_query, system, preg_replace, etc won't
  allow tainted strings as arguments

8
Demo

• Vulnerable version of phpBB installed on a web
  server
• http//www.brianweb.net/phpBB2
• http//www.brianweb.net/phpBB2/demo.html

9
Buffer Overflows
10
Attacking the Client

• Problem Scripts in web pages
• Multiple trust levels
• site content
• other user content
• One scripting trust level
• Example MySpace worm of late 2005
• Custom user content included script
• performed actions as browser (i.e., viewer)
• acted on behalf of user modified viewer's
  profile
• Root cause black-list filter insufficient

11
Attacking the Client (2)

• Solution proposal trust domains within content
• extends HTML (applies hierarchically)
• could do XML (HTML legacy support)
• privilege dropping (revoking abilities)
• can be done (generally) at server or client (or
  both)
• domain marking
• label accesses with trust domain
• extends HTTP (requires server modification, too)

12
Attacking the Client (3)

• Privilege dropping
• Script detected within 'usercode' trust domain
• web client does not interpret script
• May be too restrictive
• Domain marking
• POST /editprofile.cgi
• X-Trust-Domain usercode samy
• Server script can reject request
• Mitigates unanticipated attacks (img, CSS, ...)

13
Questions
14
Questions
15
Questions
16
Questions