Architecture
Lecture
Homework
Please see the attached specification document for the Client Request Access Protocol. We believe this protocol to be severely flawed and require your assistance in identifying specific vulnerabilities in it. Your objective is to identify and informally describe as many of these issues as you can (with a minimum of three vulnerabilities).
Required Reading
- TAOSSA Chapter 1: Software Vulnerability Fundamentals
- TAOSSA Chapter 2: Design Reviews
- TAOSSA Chapter 3: Operational Reviews
- Interview with Mark, John, and Justin about TAOSSA
Code Audits 101
Lecture
Homework
Find and describe three flaws in a sample application (sample usage). Assume the application runs on Linux and is compiled with gcc.
- Identify the affected line(s) of code
- Briefly explain the bug class
- Trace user-controllable input to the vulnerable code
- Identify what effect the bug would have on a running application
- Calculate a CVSS score for the bug
This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server" or text file service. There are two types of users: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (aka text files).
Required Reading
- Integer Overflows from Wikipedia and Catching Integer Overflows by Felix von Leitner
- TAOSSA Chapter 6: C Language Issues
- The Fortify Taxonomy of Software Security Flaws (useful reference for the homework)
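The integer-overflow reading above covers a bug class that turns up in exactly the kind of C network service this homework targets: length fields read off the wire are added together and compared against a fixed buffer, and the addition wraps. The program below is an added illustration, not code from the course or from the sample application. The record format (a 4-byte big-endian title length, a 4-byte body length, then the data), the 256-byte article buffer and the sample records are all constructed for this example; it shows the wrapping check beside a form that bounds each field before adding.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ARTICLE_MAX 256   /* size of the fixed article buffer (assumed for this example) */

/* Read a 32-bit big-endian length as it would arrive from the network. */
static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Both functions decide whether a record may be copied into an ARTICLE_MAX
 * buffer. They return 1 (accepted) or 0 (rejected) and store in *title_copy
 * the byte count a following memcpy() of the title would be given. */

/* Vulnerable: title_len + body_len is computed in 32 bits. A title_len near
 * UINT32_MAX wraps the sum to a small number, the check passes, and the
 * title copy would run far past the 256-byte buffer. */
int accept_article_unsafe(const unsigned char *rec, size_t rec_len, uint32_t *title_copy)
{
    uint32_t title_len, body_len, total;
    if (rec_len < 8) return 0;
    title_len = get_be32(rec);
    body_len  = get_be32(rec + 4);
    total = title_len + body_len;        /* may wrap */
    if (total > ARTICLE_MAX) return 0;   /* wrapped value passes */
    *title_copy = title_len;             /* memcpy(article, rec + 8, title_len) would follow */
    return 1;
}

/* Hardened: bound each field before adding, so the sum cannot wrap. With gcc,
 * __builtin_add_overflow(title_len, body_len, &total) is an equivalent check. */
int accept_article_safe(const unsigned char *rec, size_t rec_len, uint32_t *title_copy)
{
    uint32_t title_len, body_len;
    if (rec_len < 8) return 0;
    title_len = get_be32(rec);
    body_len  = get_be32(rec + 4);
    if (title_len > ARTICLE_MAX || body_len > ARTICLE_MAX - title_len)
        return 0;
    /* The sum is now at most ARTICLE_MAX; also require the bytes to be present. */
    if (title_len + body_len > rec_len - 8)
        return 0;
    *title_copy = title_len;
    return 1;
}

/* Constructed records: 8 bytes of lengths followed by 16 bytes of data. */
const unsigned char EVIL_RECORD[24] = {
    0xFF, 0xFF, 0xFF, 0xF0,   /* title_len = 0xFFFFFFF0 */
    0x00, 0x00, 0x00, 0x20,   /* body_len  = 0x20; sum wraps to 0x10 */
    'h', 'e', 'l', 'l', 'o'
};
const unsigned char GOOD_RECORD[24] = {
    0x00, 0x00, 0x00, 0x05,   /* title_len = 5 */
    0x00, 0x00, 0x00, 0x0B,   /* body_len  = 11; 5 + 11 = 16 data bytes present */
    'h', 'e', 'l', 'l', 'o', 'w', 'o', 'r', 'l', 'd', ' ', 'n', 'e', 'w', 's', '!'
};

int main(void)
{
    uint32_t n = 0;
    int ok = accept_article_unsafe(EVIL_RECORD, sizeof EVIL_RECORD, &n);
    printf("unsafe: accepted=%d, title copy would be %u bytes\n", ok, n);
    ok = accept_article_safe(EVIL_RECORD, sizeof EVIL_RECORD, &n);
    printf("safe:   accepted=%d\n", ok);
    ok = accept_article_safe(GOOD_RECORD, sizeof GOOD_RECORD, &n);
    printf("safe on benign record: accepted=%d, title copy %u bytes\n", ok, n);
    return 0;
}
```

The same pattern applies when a length arrives as a signed int: a negative value passes a `len < MAX` comparison and then becomes a huge size_t at the memcpy() call, which is the "user-controllable input to the vulnerable code" trace the homework asks for.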
Code Audits 102
Lecture
Homework
Find and describe three flaws in the Siberia crimeware pack (pw: infected).
- Identify the affected line(s) of code
- Briefly explain the bug class
- Trace user-controllable input to the vulnerable code
- Identify what effect the bug would have on a running application
- Calculate a CVSS score for the bug
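Both Code Audits homeworks end with a CVSS score per bug. The program below is an added worked example, not part of the course material: it implements the CVSS v2 base equation (the version in use when this course ran) and scores a vector string such as AV:N/AC:L/Au:N/C:P/I:P/A:P. The metric weights and the equation are the published CVSS v2 base formula; the vectors scored in main() are hypothetical bugs chosen to illustrate the calculation, not findings from the Siberia kit.

```c
#include <stdio.h>
#include <string.h>

/* CVSS v2 base metric weights. Returns -1.0 for an unknown metric or value. */
static double metric_weight(const char *name, char value)
{
    if (!strcmp(name, "AV"))   /* Access Vector: Local, Adjacent, Network */
        return value == 'L' ? 0.395 : value == 'A' ? 0.646 : value == 'N' ? 1.0 : -1.0;
    if (!strcmp(name, "AC"))   /* Access Complexity: High, Medium, Low */
        return value == 'H' ? 0.35 : value == 'M' ? 0.61 : value == 'L' ? 0.71 : -1.0;
    if (!strcmp(name, "Au"))   /* Authentication: Multiple, Single, None */
        return value == 'M' ? 0.45 : value == 'S' ? 0.56 : value == 'N' ? 0.704 : -1.0;
    if (!strcmp(name, "C") || !strcmp(name, "I") || !strcmp(name, "A"))
        return value == 'N' ? 0.0 : value == 'P' ? 0.275 : value == 'C' ? 0.660 : -1.0;
    return -1.0;
}

/* Round to one decimal place as CVSS v2 specifies (inputs are non-negative). */
static double round1(double x)
{
    return (double)(long)(x * 10.0 + 0.5) / 10.0;
}

/* Score a base vector in the canonical order AV/AC/Au/C/I/A.
 * Returns the base score, or -1.0 if the vector is malformed. */
double cvss2_base(const char *vector)
{
    static const char *names[6] = { "AV", "AC", "Au", "C", "I", "A" };
    double w[6];
    const char *p = vector;
    int i;

    for (i = 0; i < 6; i++) {
        size_t n = strlen(names[i]);
        if (strncmp(p, names[i], n) != 0 || p[n] != ':' || p[n + 1] == '\0')
            return -1.0;
        w[i] = metric_weight(names[i], p[n + 1]);
        if (w[i] < 0.0)
            return -1.0;
        p += n + 2;
        if (i < 5) {
            if (*p != '/') return -1.0;
            p++;
        }
    }
    if (*p != '\0')
        return -1.0;

    /* Impact = 10.41 * (1 - (1 - C) * (1 - I) * (1 - A))
     * Exploitability = 20 * AV * AC * Au
     * Base = ((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact),
     * where f(Impact) is 0 when Impact is 0 and 1.176 otherwise. */
    double impact = 10.41 * (1.0 - (1.0 - w[3]) * (1.0 - w[4]) * (1.0 - w[5]));
    double exploitability = 20.0 * w[0] * w[1] * w[2];
    double f_impact = (impact == 0.0) ? 0.0 : 1.176;
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact);
}

int main(void)
{
    /* Hypothetical findings, written the way the homework write-up would state them. */
    const char *examples[] = {
        "AV:N/AC:L/Au:N/C:C/I:C/A:C",  /* unauthenticated remote code execution */
        "AV:N/AC:L/Au:N/C:P/I:P/A:P",  /* remote overflow, partial compromise */
        "AV:N/AC:L/Au:S/C:P/I:N/A:N",  /* authenticated admin-panel information leak */
    };
    size_t i;
    for (i = 0; i < sizeof examples / sizeof examples[0]; i++)
        printf("%s -> %.1f\n", examples[i], cvss2_base(examples[i]));
    return 0;
}
```

Only the base score is computed; the temporal and environmental groups are left out because the homework asks for a score of the bug itself, not of a deployment. Stating the vector alongside the number, as main() prints it, is what makes the score reviewable.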
Crimeware packs, or web exploit kits, are simple web applications that fingerprint visitors and attempt to exploit their browser in order to drop a malicious payload. The operator of the crimeware pack accesses it through an admin panel which displays statistics and enables configuration changes, such as modifying the payload that gets sent upon successful exploitation.
The Siberia kit contains live exploit code and will likely set off AV; however, none of the exploit code is in a state where it would be harmful to your computer. All of the vulnerabilities it targets were patched years ago, and the exploits in Siberia need to be interpreted by PHP and rendered by your browser to have any effect. You can safely disable or create exceptions in your AV for this exercise, or place the Siberia files inside a VM.
Required Reading
- Low-level Software Security: Attacks and Defenses (sections one and two)
- Gray Hat Hacking, 3rd Edition: Chapter 10: Programming Survival Skills
- Gray Hat Hacking, 3rd Edition: Chapter 21: Advanced Static Analysis with IDA Pro
References
Code Audits
- Jared DeMott - Source Code Auditing
- Interview with Vinnie Liu from Microsoft BlueHat 8
- Real-world Code Review with Vinnie Liu from Microsoft BlueHat 8
Vulnerability Classes
- Shatter Attack, Wikipedia
- Setuid Demystified, Hao Chen, David Wagner, Drew Dean
- Java Deserialization Flaws and Oracle's Secure Coding Guidelines
Example Vulnerabilities
- Spot the Vuln, Billy Rios and Brett Hardin
- xorl %eax, %eax
- A Collection of Examples of 64-bit Errors in Real Programs
Archive
Fall 2010
In the first homework, students are provided a protocol specification document which contains a number of architectural security issues. The objective is for the students to identify these issues and informally describe as many of them as they can (with a goal of three bugs).
The second homework this semester was broken up into two tasks:
The first task is to download a copy of the Apache HTTPD 2.3.8 source code and find a function dealing with authentication or authorization (password management, verification, cookie, etc). This may be a little tricky, since the Apache code often doesn't call functions directly.
- Provide the full path, name and line number to the authentication or authorization function
- Provide the full path, name and line number for a file which refers to this function
The second task is to find 3 bugs in htpasswd.c (assuming it is run on Linux and is compiled with gcc).
- Identify the affected line(s) of code
- Briefly explain the bug class
- Trace user-controllable input to the vulnerable code
- Identify what effect the bug would have on a running application
Background: htpasswd.c is used to create and update flat files that store usernames and password hashes. Running htpasswd with a username and password adds (or updates) that user in a given flat-file user list. Users in that list are then allowed to access whatever service the password file applies to.
The third homework was to find and describe three flaws in a sample application. Assume the application runs on Linux and is compiled with gcc.
- Identify the affected line(s) of code
- Briefly explain the bug class
- Trace user-controllable input to the vulnerable code
- Identify what effect the bug would have on a running application
- Calculate a CVSS score for each bug
This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server" or text file service. There are two types of user: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (aka text files).
Fall 2009