Implications of Programming Language Selection on the Construction of Secure Software Systems

A presentation of the paper for CMSI 601 Graduate Seminar, Loyola Marymount University
Craig E. Ward, CMSI 601, 12/13/04

Agenda
- Introduction
- Approach to selecting programming languages
- Vulnerabilities (four vulnerabilities will be presented)
- Conclusions
- Questions and comments

Programming Languages
More than just one type:
- Imperative
- Object-oriented
- Interpreted
- Virtual machine byte code
- Functional

Programming Languages (languages and implementations used)

    Language      Version           Platform
    Java          1.4.2             Mac OS X
    C             GCC 3.3           Mac OS X, Cygwin
    C++           GCC 3.3           Mac OS X
    Perl          5.8               Mac OS X
    Standard ML   Moscow ML 2.01    Windows XP, Mac OS X

Vulnerabilities
Range from general to specific:
- General vulnerabilities that present problems for all programming languages
- Vulnerabilities that present risks to just a particular programming language
- Vulnerabilities that affect a particular implementation of a programming language

Vulnerabilities
- List a group of similar vulnerabilities
- Use one to illustrate the group
- Some vulnerabilities could fit into more than one group, so these groupings are not absolute.

General Vulnerabilities
- Malicious Input
- Race Conditions

Malicious Input
- Programs that blindly accept input from external sources are vulnerable to exploits
- Especially problematic if this input is executed
- Input should be sanitized using a "white list"

Malicious Input
- C (and C++): the library routine system() is dangerous
- Java: Runtime.exec() is almost as dangerous
- Perl: some protection with taint mode (if you turn it on)
- ML: OS.Process.system() is dangerous too

Overflow Vulnerabilities
- Integer Overflow
- Format String Vulnerabilities
- Stack Overflow
- Heap Overflow

Integer Overflow
- Attempting to store an integer larger than will fit in the allocated space
- Most overflows wrap; some saturate
- Can be used to break protections around "bad" C library routines
Notes: Modular wrapping goes back to the smallest representation; saturation wrapping keeps the highest possible value representation.

Integer Overflow
- C/C++: loss of precision from automatic conversions; overflow from calculation; change of sign
- Java: signed only; compiler prevents loss of precision from assignments

Integer Overflow
- Perl: scalars interpreted at runtime as integer, float, string
- ML: no automatic conversions or casts; throws exception on overflow

Object Vulnerabilities
- Java Inner Classes
- Class compare by name

Java Inner Classes
- Nested classes given access to outer class members
- JVM does not recognize a difference between regular and inner classes
- To give appearance of access by inner classes, accessed members given package scope

Java Inner Classes (Flag.java)

```java
public class Flag {
    class InnerFlag {
        public void incFlag() {
            flag++;
        }

        public void showFlag() {
            System.out.println("The hidden flag is " + flag);
        }
    }

    public Flag(int flag) {
        this.flag = flag * 5;
    }

    private int flag;
}
```

Java Inner Classes (javap output for the classes above)

```text
Compiled from "Flag.java"
public class Flag extends java.lang.Object{
    private int flag;
    public Flag(int);
    static int access$008(Flag);
    static int access$000(Flag);
}
Compiled from "Flag.java"
class Flag$InnerFlag extends java.lang.Object{
    private final Flag this$0;
    Flag$InnerFlag(Flag);
    public void incFlag();
    public void showFlag();
}
```

Java Inner Classes
- C++ does not automatically give nested classes access to the outer class
- Perl does not enforce any encapsulation; everyone is expected to play nice
- ML does not have inner classes or the notion of a "friend" class; it uses signatures
- Is Java wrong for being orthogonal?

Narrow Vulnerabilities
- Pointer Subterfuge
- Arc Injection
- C++ VPTR Exploit

Pointer Subterfuge
- A counterattack to preventative measures on some Unix systems
- Exploit targets Linux on IA32
- StackGuard: canary before return address; if the stack is overwritten, the canary would change
- StackShield: return address stack; if the return address differs from the saved one, abort
Notes: Canary is either NULL CR LF EOF (0x000daff), to stop string buffer routines, or a randomly generated number.

Pointer Subterfuge
Characteristics of a "protected" program that cause protection to fail:
- A pointer located next to a buffer
- A misused library routine that can overflow into the pointer
- A second copy that uses the pointer without the pointer being initialized
- wu-ftpd 2.5 mapped_path bug

Pointer Subterfuge
- Use the overflowed pointer to change the return address without damaging the canary
- Use the overflowed pointer to change the list of exit routines to trick StackShield
- Use the overflowed pointer to change the address of the copy function to system

Conclusions
- Security is important and must be considered when choosing a programming language. Speed isn't everything.
- No programming language is completely safe
- Object orientation only minimally helps
- Functional programming may help
- Use static analysis tools designed for the language you are using

Questions or Comments?
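The Java Inner Classes slides above show javap listing package-scoped `access$000`/`access$008` methods that javac generated so `InnerFlag` can reach the private `flag`. The following audit, an added example that is not part of the presentation, reproduces the slide's `Flag` class and uses reflection to list every compiler-generated member that ended up package-visible; the class name `SyntheticAccessorAudit` is this example's own, and it assumes the source is compiled for Java 8 (pre-nestmate) bytecode, where the accessors exist.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Flag.java from the slides, reproduced so the audit has something to inspect.
class Flag {
    class InnerFlag {
        public void incFlag() { flag++; }
        public void showFlag() { System.out.println("The hidden flag is " + flag); }
    }
    public Flag(int flag) { this.flag = flag * 5; }
    private int flag;
}

public class SyntheticAccessorAudit {
    // One line per compiler-generated (synthetic) member of cls that is NOT private.
    // Such members are the "package scope" the slide talks about: any class compiled
    // into the same package can call access$000(Flag) and read the private field.
    // javac targeting Java 11+ uses nestmates (JEP 181) instead and emits none.
    static List<String> packageVisibleSyntheticMembers(Class<?> cls) {
        List<String> found = new ArrayList<>();
        for (Method m : cls.getDeclaredMethods()) {
            if (m.isSynthetic() && !Modifier.isPrivate(m.getModifiers())) {
                found.add(cls.getName() + ": " + Modifier.toString(m.getModifiers()) + " "
                        + m.getReturnType().getSimpleName() + " " + m.getName()
                        + Arrays.toString(m.getParameterTypes()));
            }
        }
        for (Field f : cls.getDeclaredFields()) {
            if (f.isSynthetic() && !Modifier.isPrivate(f.getModifiers())) {
                found.add(cls.getName() + ": " + Modifier.toString(f.getModifiers()) + " "
                        + f.getType().getSimpleName() + " " + f.getName());
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Audit the outer class and every nested class it declares (InnerFlag's this$0 is private, so it is not reported).
        List<Class<?>> toCheck = new ArrayList<>();
        toCheck.add(Flag.class);
        toCheck.addAll(Arrays.asList(Flag.class.getDeclaredClasses()));
        for (Class<?> c : toCheck) {
            List<String> leaks = packageVisibleSyntheticMembers(c);
            if (leaks.isEmpty()) System.out.println(c.getName() + ": no package-visible synthetic members");
            else leaks.forEach(System.out::println);
        }
    }
}
```

Save as SyntheticAccessorAudit.java and build with `javac --release 8 SyntheticAccessorAudit.java && java SyntheticAccessorAudit` to see the two `static int access$...` entries for Flag; compiled with `--release 11` or later the list is empty because the JVM's nest-based access control makes the accessors unnecessary.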
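The Integer Overflow slides contrast C/C++ (silent wrap, sign change, precision loss), Java (signed only, assignments checked by the compiler) and ML (exception on overflow). The example below is added here and is not from the presentation; the class name `IntOverflowDemo` and the length-check helpers are this example's own, and `Math.addExact` assumes Java 8 or later.

```java
public class IntOverflowDemo {
    // Java int is 32-bit signed two's complement; arithmetic wraps modulo 2^32.
    // It never saturates and never traps, so a "change of sign" happens silently.
    static int wrappingAdd(int a, int b) { return a + b; }

    // `int x = v;` with a long v does not compile (the slide's "compiler prevents loss of
    // precision from assignments"), but an explicit cast discards the high 32 bits silently.
    static int narrow(long v) { return (int) v; }

    // A bounds check written the way the slides warn about for C: offset + len can wrap to a
    // negative value, so the comparison passes for a pair that is far outside the buffer.
    static boolean unsafeFits(int offset, int len, int bufLen) {
        return offset + len <= bufLen;
    }

    // Hardened form: reject negatives and let Math.addExact throw ArithmeticException on
    // overflow (the behaviour the slide attributes to ML), so wrapping cannot bypass the check.
    static boolean safeFits(int offset, int len, int bufLen) {
        if (offset < 0 || len < 0) return false;
        try {
            return Math.addExact(offset, len) <= bufLen;
        } catch (ArithmeticException wrapped) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println(wrappingAdd(Integer.MAX_VALUE, 1));     // -2147483648: sign flips
        System.out.println(narrow(4294967297L));                    // 1: 2^32 + 1 loses its high bits
        System.out.println(narrow(3000000000L));                    // -1294967296: sign flips on narrowing
        System.out.println(unsafeFits(Integer.MAX_VALUE, 16, 64));  // true: wrapped sum is negative
        System.out.println(safeFits(Integer.MAX_VALUE, 16, 64));    // false: overflow detected
    }
}
```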