CIS 4615 meeting -*- Outline -*- * Information Leakage Based on chapter 12 of the book: 24 Deadly Sins of Software Security by M. Howard, D. LeBlanc, and J. Viega (McGraw-Hill, 2010). ** attack ------------------------------------------ ATTACK OVERVIEW 1. Cause the system to reveal This can happen: - intentionally, when - accidentally due to logic error or a side channel or a debugging ------------------------------------------ ... confidential information ... the designers/implementers of the system don't understand whether or if the end user's privacy needs to be protected (often privacy issues) ... error message The information itself may be the goal of the attacker, or it may lead to an attack (as in the previous section) Q: Does this affect any particular programming language? No, it's a design issue ** privacy based on principle 7 in John Viega and Gary McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley Professional, 2002. ------------------------------------------ PRIVACY Don't compromise privacy of users Do protect any personal information users give the program Why? ------------------------------------------ ... - it's the right thing to do - you will lose customers otherwise ------------------------------------------ PRIVACY VS. USABILITY Should credit card numbers be saved or forgotten? ------------------------------------------ - saved is more convenient for users "one click shopping" - forgotten is far more secure (defense in depth) What to do? store it, but be really careful - encryption (on a different machine) - don't show card numbers, even to legitimate users ** accidental information leakage *** side channels ------------------------------------------ SIDE CHANNEL A *side channel* is a way of obtaining information other than through the Two main types: - timing channels - storage channels ------------------------------------------ ... inputs and outputs of a program **** timing channels ------------------------------------------ TIMING CHANNELS Measure how long operations take (using a clock) E.g., timing how long it takes to check a login attempt Blind SQL injection attacks: if exists (select * from foo..table) waitfor delay '0:0:5' ------------------------------------------ Q: What does the SQL do? It waits for 5 seconds if the database exists **** storage channels ------------------------------------------ STORAGE CHANNELS Obtain information from data online E.g., name of a file: Plan to Buy Midas Corp.docx length of a network message senders and receivers IP addresses from headers of packets ------------------------------------------ Q: What kind of information might someone get from a file name? That the company plans to buy Midas Corp. Q: What kind of information might an attacker get from message length? whether some operation succeeded... Q: Why might a user not want to have their IP address revealed? If they want their identity to be private (e.g., Ashley Madison case) **** too much information, especially in error messages ------------------------------------------ TOO MUCH INFORMATION Network servers: should be conservative in information given to callers, in case caller is an attacker Version information should be hidden Prelude to an attack: fingerprinting of systems - find out what software and versions is running on a system e.g., web server GET request shows banner ------------------------------------------ ***** host network information ------------------------------------------ HOST NETWORK INFORMATION Leaking internal network information: - MAC addresses - machine names - IP addresses Why not leak that? ------------------------------------------ Normally your firewall's Network Address Translation would prevent this information from getting out ***** application information ------------------------------------------ APPLICATION INFORMATION Error messages shouldn't leak sensitive information ------------------------------------------ Q: What kind of application information shouldn't be leaked? Anything the users don't need to know! and anything that might help an attack Examples: - path information (layout of disk drive) - stack layout information (helps buffer overflow and format string attacks) (would defeat address space layout randomization) ------------------------------------------ FOR YOU TO DO: IS THIS OKAY? Java code: try { // ... } catch(Exception e) { System.out.println(e.toString()); } ------------------------------------------ ... NO! it prints out a stack backtrace! ** information flow security (confidentiality and integrity) ------------------------------------------ BELL-LAPADULA MODEL Confidentiality: who can read what can read user public secret top secret ======================================== top secret ^ | secret ^ | public Integrity: who can write what can write user public secret top secret ======================================== top secret | v secret | v public ------------------------------------------ Q: Which users are the most trusted? the top secret ones Q: Which users can write anywhere? the top secret ones ** remediation ------------------------------------------ REMEDIES First, specify information policy Who needs access to what data? What kinds of information are high value? Protect sensitive data - at rest use ACLs or permissions and encryption or rights management - in transmission, use encryption For error messages: - log problem - only give details to certain users and only if they are local if (IPAddress.IsLoopback(ip)) { // local user } Can perform "output validation" check if output obeys policy ------------------------------------------ ** auditing ------------------------------------------ CODE AUDITING What to look for: - process sending output from - the OS - the run-time system/environment - Operations on sensitive data that don't - accidental use of sensitive/private info - unprotected or weakly protected sensitive data - unprotected or sensitive data sent over insecure channels ------------------------------------------ ... complete in a fixed amount of time Q: How do we know what data is sensitive? Do a threat modeling ------------------------------------------ WHAT TO LOOK FOR Language Keywords/functions ======================================== C/C++ (*nix) errno, strerror, perror C/C++ (Windows) GetLastError() C#, VB.NET, Any exception ASP.NET Python Any exception Ruby Any exception Java Any exception PHP Any exception ------------------------------------------ Q: How to find exceptions? Look for try/catch/throw statements ------------------------------------------ FINDING TIMING CHANNELS 1. Identify secret data 2. Can operations vary in time, based on secret data ------------------------------------------ Q: What could be done with testing? Try to make app fail, look at error messages.