Page 1: Implementation Flaws

© 2003 School of Computing, University of Leeds
SY32 Secure Computing, Lecture 15

Implementation Flaws

Part 3: Randomness and Timing Issues

Page 2: Implementation Flaws

Outline

• Randomness Issues
  - Flaws of traditional PRNGs
  - Cryptographically-strong PRNGs
  - Entropy collection

• Timing Issues
  - Race conditions
  - Time of check, time of use (TOC-TOU)

Page 3: Implementation Flaws

Random Number Generation

• Computers, being deterministic, are not good at generating random numbers

• So-called ‘random number generators’ (RNGs) are, in fact, pseudo-random number generators (PRNGs)
  - Common example: linear congruential algorithm

• PRNGs are seeded with input data
  - Allows for reproducibility where necessary; a given seed always produces the same output sequence
  - Seeds are typically 32-bit integers

Page 4: Implementation Flaws

Attacks Against PRNGs

• Cryptanalytic attack

• Discovery of internal state
  - Observe enough output values and we can figure out how the generator was seeded
  - Knowledge of the seed allows us to predict output
  - Easier than you might think!...
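As an added illustration of the last two slides (this is not code from the lecture), the C program below implements a toy linear congruential generator, shows that a fixed seed reproduces the same output sequence, and measures what "discovery of internal state" costs when the seed is the number of milliseconds since midnight: the 86,400,000 candidate seeds are exhausted in well under a second on an ordinary machine. The multiplier, increment and modulus are assumed values chosen for illustration, not taken from any particular product; the function names are this example's own.

```c
/* Added example: a toy LCG seeded from the time of day, and a check of
 * how much seed space an observer of its output actually has to search.
 * Constants are illustrative (assumption), chosen so the generator has
 * full period modulo 2^31 (a = 1 mod 4, c odd). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define LCG_A   1103515245u
#define LCG_C   12345u
#define LCG_MOD (1u << 31)

/* One LCG step: state <- (a*state + c) mod 2^31; returns the new state.
   32-bit wraparound is harmless because 2^31 divides 2^32. */
static uint32_t lcg_next(uint32_t *state) {
    *state = (LCG_A * *state + LCG_C) % LCG_MOD;
    return *state;
}

/* Milliseconds since midnight: at most this many distinct seeds exist,
   however wide the seed variable is. */
#define MS_PER_DAY 86400000u

/* Reproducibility: the first n outputs for a given seed. */
void lcg_sequence(uint32_t seed, uint32_t *out, size_t n) {
    uint32_t s = seed;
    for (size_t i = 0; i < n; i++) out[i] = lcg_next(&s);
}

/* State discovery: given the first two outputs, recover the seed by
   exhausting the time-of-day range. With a full-period LCG the first
   output alone already pins the seed down; the second is a cross-check.
   Returns the seed, or UINT32_MAX if no candidate matches. */
uint32_t recover_seed(uint32_t out0, uint32_t out1) {
    for (uint32_t cand = 0; cand < MS_PER_DAY; cand++) {
        uint32_t s = cand;
        if (lcg_next(&s) == out0 && lcg_next(&s) == out1) return cand;
    }
    return UINT32_MAX;
}

int main(void) {
    /* Constructed seed: 12:34:56.789 expressed in milliseconds. */
    uint32_t seed = 12u * 3600000u + 34u * 60000u + 56u * 1000u + 789u;
    uint32_t out[3];
    lcg_sequence(seed, out, 3);
    printf("seed %u -> outputs %u %u %u\n", seed, out[0], out[1], out[2]);
    printf("seed recovered from outputs: %u\n", recover_seed(out[0], out[1]));
    return 0;
}
```

The search loop is the whole point: a 32-bit seed nominally offers about four billion possibilities, but a clock-derived seed offers only as many as the clock has distinguishable values, and a defender auditing a generator should count the latter, not the former.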

Page 5: Implementation Flaws

Cigital’s Internet Poker Exploit

[Screenshot of the poker client, annotated: our cards; we can’t see other players’ cards… but we can compute what they will be!]

Page 6: Implementation Flaws

Cigital’s Internet Poker Exploit

• Flawed PRNG used for deck shuffling
  - Non-cryptographic algorithm
  - 32-bit seed, so 52! (about 2^226) possible shuffles reduces to around 4 billion

• PRNG seed chosen poorly
  - Milliseconds since midnight on the system clock used, so 4 billion shuffles reduces to 86,400,000
  - If we can sync closely to the server’s clock, we can reduce this figure significantly…

Page 7: Implementation Flaws

[Screenshot of the shuffle-prediction tool, annotated: synchronise clock & hit Shuffle button; specify your 2 cards and first 3 from ‘flop’; program calculates shuffle, and predicts other players’ hands!]

Page 8: Implementation Flaws

Success!

Page 9: Implementation Flaws

A More Serious Scenario

• SSL uses a randomly-generated session key to perform symmetric encryption of data

• Public key cryptography is used to exchange the session key securely

• No need to break that encryption if we can predict what the session key should be!

• 1996: Netscape 1.1
  - PRNG seed could be determined from time of day and process IDs

Page 10: Implementation Flaws

Better PRNGs

• Cryptographic PRNGs produce numbers that are hard to predict, even when the attacker has full knowledge of the algorithm

• Typical techniques
  - Encrypt a secret counter with a secret key
  - Compute MD5 or SHA-1 hash of a secret counter

• Critical dependence on seed quality

Page 11: Implementation Flaws

Entropy Collection

• Entropy of a seed measures its randomness; the more entropy we have, the better the seed

• Sources of entropy:
  - Radioactive decay (needs special hardware)
  - Images of chaotic processes: http://www.lavarnd.org/
  - Keyboard and mouse events
  - Events internal to OS (e.g., thread timing)

Page 12: Implementation Flaws

Practical Sources of Randomness

• Windows
  - CryptGenRandom call from Win32 API
    • Entropy gathered from a huge range of sources, including time, CPU counters, interrupt info, PID, paging info…
  - RNGCryptoServiceProvider class in .NET

• Linux
  - Standard devices, which we open & read like files
    • /dev/random (processed entropy)
    • /dev/urandom (pseudo-random numbers)
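An added example (not from the lecture) of reading the Linux devices just listed from C, written the way a program that depends on the result should do it. Two details matter in practice: read() may return fewer bytes than requested or be interrupted, so the code loops until the buffer is full; and any failure is reported rather than silently replaced by a clock-based fallback. The function names are this example's own.

```c
/* Added example: drawing seed material from /dev/urandom with full error
 * handling. Function names are illustrative, not from any library. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fill buf[0..len) from the named device. Returns 0 on success, -1 on any
   failure; on failure the caller must not use the buffer contents. */
int fill_random(const char *device, unsigned char *buf, size_t len) {
    int fd = open(device, O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR) continue;        /* interrupted: retry */
            close(fd);
            return -1;
        }
        if (n == 0) { close(fd); return -1; }    /* EOF: device misbehaving */
        got += (size_t)n;                        /* short read: keep going */
    }
    close(fd);
    return 0;
}

/* A 32-bit seed for a cryptographic PRNG taken from /dev/urandom instead
   of the clock. Returns 0 on success and stores the seed in *seed. */
int random_seed32(uint32_t *seed) {
    unsigned char b[4];
    if (fill_random("/dev/urandom", b, sizeof b) != 0) return -1;
    *seed = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
            ((uint32_t)b[2] << 8) | (uint32_t)b[3];
    return 0;
}

/* Cheap sanity check: a buffer that came back all zero almost certainly
   means it was never filled (the probability for 16 random bytes is 2^-128). */
int looks_filled(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) if (buf[i] != 0) return 1;
    return 0;
}

int main(void) {
    unsigned char key[16];
    if (fill_random("/dev/urandom", key, sizeof key) != 0) {
        perror("fill_random");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    printf("\n");
    return 0;
}
```

Usage note: the same routine reads /dev/random by changing the device name, but that device may block until the kernel has collected enough entropy, so it suits one-off key generation rather than a request path. On current Linux kernels the getrandom(2) system call delivers the same bytes without opening a file; the device read shown here is the approach the slide describes.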

Page 13: Implementation Flaws

Race Conditions

• Common problem in multithreaded apps, or apps where multiple processes share resources

• Very difficult to detect and fix

• Application will not be robust…

• …and there could be security problems

Page 14: Implementation Flaws

Exploiting a Race Condition

• Attacker ‘races’ to invalidate an assumption made by the programmer in the interval between operations

• If the attacker wins, the program will behave incorrectly

• The period during which violating the assumption leads to incorrect behaviour is the window of vulnerability

Page 15: Implementation Flaws

Time Of Check, Time Of Use

• Special class of RC involving file access, often abbreviated to TOC-TOU

• Window of vulnerability occurs between the check on some file property and the use of the file

• More of a problem for UNIX than for Windows
  - System calls such as access use pathnames rather than a filehandle…
  - …and a pathname can be made to reference a different file within the window of vulnerability!

Page 16: Implementation Flaws

Canonical TOC-TOU Example

• A program is running ‘setuid root’
  - Grants the program the privileges of root, regardless of the user executing it

• Program must write to a file owned by the user running the program…

• …so the program must take care not to write to that file unless the actual user is permitted to do so

Page 17: Implementation Flaws

Canonical TOC-TOU Attack

    FILE* outfile;
    ...
    if (access(filename, W_OK) == 0) {      /* Check whether real UID has write permission */
                                            /* <-- window of vulnerability lies here */
        outfile = fopen(filename, "wb+");   /* Open file for writing */
        writeDataTo(outfile);
    }
    else {
        fprintf(stderr, "Not permitted to open %s\n", filename);
        exit(1);
    }

Page 18: Implementation Flaws

How The Attack Works

Preparation:

    $ touch dummy              Creates a zero-length, dummy file with attacker’s permissions
    $ ln -s dummy symlink      Creates a symbolic link pointing to the dummy file

Within window of vulnerability:

    $ rm symlink; ln -s /etc/passwd symlink

Link now points to /etc/passwd, but the program thinks it is the attacker’s file; the password file is overwritten!

Page 19: Implementation Flaws

Summary

• When generating pseudo-random numbers:
  - Use a cryptographically-strong PRNG
  - Collect enough entropy to provide a good seed

• Watch out for race conditions in multithreaded or multi-process applications

• Beware of TOC-TOU problems with file access
  - Avoid system calls that use filenames, if possible; the file could change after you start dealing with it!