Software Security
Memory Model
Stack Buffer Overflows
- Stack pointer: marks the end of the stack
- Frame pointer: marks the beginning of the current function's space
When a new function is called, the current value of the frame pointer is saved on the stack, and the frame pointer is updated to point at the location where it was saved. The stack pointer decreases (because the stack grows downward) to “allocate” more memory. When the function ends, the stack pointer is set to the value of the frame pointer, and the frame pointer is restored to the saved old frame pointer.
What happens if we try to write to more memory than allocated?
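    #include <string.h>

    void use(char *buf);          /* defined elsewhere */

    void func(char *str) {
        char buf[128];            /* fixed-size buffer on the stack */
        strcpy(buf, str);         /* no bounds check: copies until '\0' */
        use(buf);
    }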
strcpy will copy the contents of the string until it reaches a \0. If it contains more than 128 chars, then there will be a buffer overflow, and the attacker will be able to write code to the stack. By overwriting the return address, it is possible to make the program run code that was not intended.
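A bounds-checked counterpart of func, as an added example that is not part of the original notes. The names copy_checked, func_checked and try_len are hypothetical, and the call to use(buf) is left as a comment because the notes do not define it.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128  /* same size as buf in func() */

/* Hypothetical helper: copy src into dst (capacity cap) only if it fits,
 * terminator included. Returns 0 on success, -1 if src is too long. */
int copy_checked(char *dst, size_t cap, const char *src) {
    if (dst == NULL || src == NULL || cap == 0)
        return -1;
    size_t len = 0;
    while (len < cap && src[len] != '\0')  /* never scans past cap bytes */
        len++;
    if (len >= cap) {      /* no room for the '\0': reject, do not truncate */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);  /* len + 1 <= cap, so this stays in bounds */
    return 0;
}

/* Hardened counterpart of func(): returns -1 instead of overflowing,
 * otherwise the length of the string now held in buf. */
int func_checked(const char *str) {
    char buf[BUF_SIZE];
    if (copy_checked(buf, sizeof buf, str) != 0)
        return -1;
    /* use(buf) would go here */
    return (int)strlen(buf);
}

/* Builds a constructed input of n 'A' characters and feeds it to func_checked. */
int try_len(size_t n) {
    char in[512];
    if (n >= sizeof in)
        return -2;
    memset(in, 'A', n);
    in[n] = '\0';
    return func_checked(in);
}

int main(void) {
    printf("127 chars -> %d\n", try_len(127));  /* fits with its '\0' */
    printf("128 chars -> %d\n", try_len(128));  /* rejected */
    printf("300 chars -> %d\n", try_len(300));  /* rejected */
    return 0;
}
```

The check rejects oversized input instead of truncating it, so the saved frame pointer and return address next to buf are never written by the copy.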
Heap Buffer Overflow
Similar to stack buffer overflows, but, since it depends on dynamic memory allocation, it can vary across OS and hardware, so exploiting it is much harder. Candidate targets can include function pointers, exception handlers, ...
Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)
- DEP, also known as Write or Execute, is a policy that states that if a block of memory is executable, then it can't be written, and if it can be written, it can't be executed.
- ASLR makes sure that critical parts of a program are shuffled in each execution.
Systems Security
Fundamental Principles
- Economy of Mechanism: A system shall have only the necessary functionality and avoid nice-to-have features.
- Fail-safe Defaults: The configuration of any system shall, by default, enforce a conservative level of protection.
- Open Design: The security architecture and the inner workings of a system shall be public; the security argument should not be based on hiding the security mechanisms.
- Least Common Mechanism: Sharing of resources or access mechanisms shall be minimized (like reusing passwords).
- Least Privilege: Each user / program shall have only the least privileges / permissions to accomplish its role.
- Separation of Privilege: Each compartment shall have access only to its necessary resources.
- Complete Mediation: Every resource shall have a clear security policy.
Reference Monitor
To cause critical damage, a user-mode process has to invoke a system call. So, implementing monitoring mechanisms that control the security perimeter can prevent attacks. The reference monitor has to always be present: if it terminates, then all monitored processes have to be terminated (fail-safe defaults). It also has to be simple, so that it can be analyzed without validating the whole system (economy of mechanism).
System Calls
B
C (maybe A)
A
A
A
B
A
A
D
A
B
C
B
A
D
D
A
A
D
B
B
B
B
D
C
B
D
Resit 1
A
C
D
B
C
A (D if the prof weren't smoking)
C
A
A
D
A
C
C
A
D
D
A
A
D
B
D
C
C
B
D
C
C
A
B