Causes of Security Vulnerabilities


FlashSky (know chuangyu) Space

I have been engaged in security vulnerability research for some years, and I have been thinking about the underlying causes of security vulnerabilities. I want to list some of the results of that thinking here, and I welcome discussion of them.

1. User input lacks correct and effective validation

Buffer overflows and most injection vulnerabilities belong to this type. The deeper reason is the mixing of data channels.

There was once a famous saying: when the data channel and the command channel are mixed, security problems will inevitably occur. With the development of technology, I think this argument is no longer completely accurate, because it only describes the situation of a single data channel. When there are multiple data channels, mixing them can also cause security problems. A modern operating system has many data channels; even if a data channel cannot affect the command channel, it may affect other data channels that the user is not supposed to control directly, and this also brings many security problems. It may affect the logic of the program (passing authentication checks, executing unexpected code paths, obtaining unexpected data) or present malicious content to the user (fraud). For example, even where script and database injection are impossible, HTML injection can still cause many security problems, such as spoofing and redirection. The new conclusion should therefore be: as long as data channels belonging to different roles are mixed (the command channel included, since it can be seen as a system-level data channel), security problems will inevitably arise.

Ideally, a secure computer system should isolate not only the data channel from the command channel, but also data channels belonging to different controllers and permissions (or roles; for example, the data a user submits versus the HTML data the website displays). In practice, however, this ideal state is basically impossible to achieve. Isolating even just the data channel from the command channel is very difficult: at many application levels the two are mixed into one complete system. HTML, for instance, allows script commands and ActiveX, and even the header of the pure HTML specification permits commands such as redirection.
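The point above, that protecting the command channel alone is not enough, can be shown with a small added example (written for this edit, not code from FlashSky's post). The database statement is parameterised, so the SQL command channel cannot be altered by the comment text, yet the same text still crosses from the user's data channel into the site's HTML data channel unless it is escaped for that context. The comment text, table name and wrapper markup are all constructed for the example.

```python
import html
import sqlite3

# Constructed sample comment: plain text as far as the database is concerned,
# but a browser would parse the embedded tag as markup (a redirect) if it
# reached the page unescaped. The URL is a placeholder, not a real site.
SAMPLE_COMMENT = (
    'nice post <meta http-equiv="refresh" '
    'content="0;url=https://example.invalid/">'
)


def store_and_fetch(comment: str) -> str:
    """Write the comment with a parameterised query and read it back.

    The SQL command channel is protected: the text is bound as a parameter,
    so nothing inside it can change the statement being executed.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO comments (body) VALUES (?)", (comment,))
    (body,) = conn.execute("SELECT body FROM comments WHERE id = 1").fetchone()
    conn.close()
    return body


def render_unsafe(comment: str) -> str:
    """Vulnerable: the user's text is pasted into the site's HTML channel as-is."""
    return f'<div class="comment">{comment}</div>'


def render_safe(comment: str) -> str:
    """Hardened: the text is escaped for the HTML context, so it stays data."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def user_text_became_markup(rendered: str) -> bool:
    """Test helper: did any tag other than the wrapper <div> survive rendering?"""
    inner = rendered[len('<div class="comment">'):-len("</div>")]
    return "<" in inner


if __name__ == "__main__":
    body = store_and_fetch(SAMPLE_COMMENT)
    print("SQL channel intact, text round-trips unchanged:", body == SAMPLE_COMMENT)
    print("unsafe render mixes channels:", user_text_became_markup(render_unsafe(body)))
    print("safe render keeps them apart:", user_text_became_markup(render_safe(body)))
```

The check in `user_text_became_markup` is the kind of assertion a malformed-data test can make automatically: user-controlled text that still contains an unescaped `<` after rendering has crossed into the HTML channel.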

At present, the GS and SAFESEH protections added at the system level by Vista (Win7) mainly protect two key command channels, detecting when they have been affected by a data channel, while heap protection addresses the mutual influence between different data channels (between heap blocks). In the SDL process we rely mainly on cultivating secure programming practices, applying SAL during development, programmers reviewing each other's code together with code analysis tools, and constructing large numbers of malformed data format tests during the test phase.

At the vulnerability mining level, vulnerabilities are found by constructing malformed data format tests, or by symbolic analysis that traces how user input is processed and how it controls branch conditions.

2. Design insecure functions or modes

The design itself is not safe. For example, WMF allows the OLE method to directly execute user-submitted data. In programming, many languages provide functions that execute a string as code (personally, from a security perspective, I think such functions should be removed from languages). Insecure modes include lack of authentication, use of weak encryption or no encryption at all, and replay.

Such security problems are difficult to fix and can only be controlled at the initial design stage; once developed, they can only be handled by patching afterwards. It is therefore difficult to achieve protection at the system-protection level. Generally, some general guidelines are laid down in the SDL process, and design reviews are controlled by the security department.

At the vulnerability mining level, automated tools are also of little use here. Discovery generally depends on experienced security personnel reading the code or the documentation.

3. Logical vulnerabilities

The formation of logical vulnerabilities is complex. Generally, the logic is complicated enough that people find it difficult to think through comprehensively, which leaves some checks ineffective. On closer subdivision, however, there are many different reasons.

3.1 Common logic errors

Because the logic is not rigorous, or is complicated, some logical branches are not handled or are handled incorrectly. Such errors are very well concealed and tied to the function (business) logic. They are difficult to find with automated tools, and even experienced programmers or security personnel find them difficult to find if they do not know the function and business logic. The consequences of such vulnerabilities include features being used without authorization, previously correct validation of user data failing, or deadlock or DoS.

3.2 Race condition logic errors

When resources are used, the program's handling of the race condition is faulty. There are two types of such vulnerabilities. One is that races on a resource shared among multiple threads are not detected, producing branches that deadlock or execute incorrectly. The other is insufficient checking of races on system-level resources shared with other processes outside the program, such as memory and handles being insufficient, producing branches that deadlock, execute incorrectly, or even overwrite data.
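The first type, a race between threads on a shared resource, is easiest to see when the interleaving is made deterministic. The added example below (written for this edit, not code from the post) models two workers that check a quota and then consume from it. Generators stand in for threads, and each `yield` is a point where a scheduler may switch workers; a round-robin driver replaces the real scheduler so the bad interleaving is reproduced every run. The `Quota` class and worker names are constructed for the example; in real code the "indivisible step" of the hardened version is what a lock or an atomic decrement provides.

```python
from typing import Callable, Generator, Iterable, List

Step = Generator[None, None, None]


class Quota:
    """Constructed shared resource: remaining slots, plus a record of who got one."""

    def __init__(self, available: int) -> None:
        self.initial = available
        self.available = available
        self.granted: List[str] = []

    def invariant_holds(self) -> bool:
        # The program must never hand out more slots than existed.
        return self.available >= 0 and len(self.granted) + self.available == self.initial


def unsafe_consume(q: Quota, who: str) -> Step:
    """Vulnerable: the check and the update are separate steps.

    The yield between them marks a point where the scheduler may switch to
    another worker, so the decision taken at the check can be stale by the
    time it is acted on.
    """
    if q.available >= 1:   # check
        yield              # possible preemption between check and act
        q.available -= 1   # act on a decision that may no longer hold
        q.granted.append(who)


def safe_consume(q: Quota, who: str) -> Step:
    """Hardened: check and update form one indivisible step."""
    if q.available >= 1:
        q.available -= 1
        q.granted.append(who)
    yield  # the only switch point lies after the whole critical section


def run_round_robin(tasks: Iterable[Step]) -> None:
    """Deterministic stand-in for a thread scheduler: advance each worker one
    step in turn until every worker has finished."""
    pending = list(tasks)
    while pending:
        for task in list(pending):
            try:
                next(task)
            except StopIteration:
                pending.remove(task)


def simulate(consume: Callable[[Quota, str], Step], available: int = 1,
             workers: Iterable[str] = ("A", "B")) -> Quota:
    """Run all workers against one quota under the round-robin schedule."""
    q = Quota(available)
    run_round_robin(consume(q, w) for w in workers)
    return q


if __name__ == "__main__":
    for impl in (unsafe_consume, safe_consume):
        q = simulate(impl)
        print(f"{impl.__name__}: granted={q.granted} left={q.available} "
              f"invariant={q.invariant_holds()}")
```

With a single slot and two workers, the unsafe version grants both and leaves the counter at -1 because both checks run before either update; the safe version grants one. A test that asserts `invariant_holds()` after every schedule is the kind of detection the section calls for.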

3.3 State logic errors

This kind of state checking must be completed by the program itself, and it mainly concerns C/S or B/S interactive applications. For example, some service ports may suffer a DoS when sent messages that do not conform to the protocol sequence. For B/S applications, which lack system-level capabilities, this is especially evident. One of the most famous vulnerabilities was a web vulnerability in an IM product that allowed the password of an arbitrary account number to be changed. The procedure was as follows:

PAGE1: enter the account number to be modified

PAGE2: answer the verification question and submit

PAGE3: if verification succeeded, the password is changed here; if it failed, the user is sent back to PAGE1

Logically there is no problem, but web applications lack system-level capabilities: an attacker can access PAGE1, PAGE2 and PAGE3 directly. If the application layer does not check the state after PAGE2 passes or fails, the attacker can bypass the PAGE2 check logic that the programmer set up.
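The three-page flow above, reduced to plain functions so the missing state check is visible (an added example written for this edit, not the IM product's code). Each page is a function acting on a server-side `Session`; the only thing that can be trusted is what the server itself recorded, so the hardened PAGE3 proceeds only if the server saw PAGE2 pass for the very number being modified. The account numbers, answers and passwords are constructed sample data, and the probe functions play the role of a white-box test that calls the pages in the wrong order.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

Accounts = Dict[str, Dict[str, str]]


def fresh_accounts() -> Accounts:
    """Constructed sample data: account number -> verification answer and password."""
    return {
        "10001": {"answer": "blue", "password": "old-1"},
        "20002": {"answer": "green", "password": "old-2"},
    }


@dataclass
class Session:
    """Server-side state for one visitor. `verified_number` records which
    account number passed PAGE2; it is the state flag PAGE3 must consult."""
    number: Optional[str] = None
    verified_number: Optional[str] = None


def page1(s: Session, accounts: Accounts, number: str) -> bool:
    """PAGE1: choose the account number to modify."""
    if number not in accounts:
        return False
    s.number = number
    s.verified_number = None  # picking a new number voids any earlier verification
    return True


def page2(s: Session, accounts: Accounts, answer: str) -> bool:
    """PAGE2: verification question; the outcome is recorded server-side."""
    if s.number is None:
        return False
    ok = accounts[s.number]["answer"] == answer
    s.verified_number = s.number if ok else None
    return ok


def page3_unsafe(s: Session, accounts: Accounts, new_password: str) -> bool:
    """Vulnerable: assumes the visitor can only have arrived via a successful PAGE2."""
    if s.number is None:
        return False
    accounts[s.number]["password"] = new_password
    return True


def page3_safe(s: Session, accounts: Accounts, new_password: str) -> bool:
    """Hardened: proceeds only if the server recorded a PAGE2 pass for this number."""
    if s.number is None or s.verified_number != s.number:
        return False
    accounts[s.number]["password"] = new_password
    s.verified_number = None  # one verification permits one change
    return True


Page3 = Callable[[Session, Accounts, str], bool]


def probe_skip_page2(page3: Page3) -> bool:
    """Call PAGE1 then PAGE3 directly. True if the password of 10001 changed."""
    accounts, s = fresh_accounts(), Session()
    page1(s, accounts, "10001")
    page3(s, accounts, "changed")
    return accounts["10001"]["password"] == "changed"


def probe_failed_page2(page3: Page3) -> bool:
    """Fail PAGE2, then call PAGE3 anyway."""
    accounts, s = fresh_accounts(), Session()
    page1(s, accounts, "10001")
    page2(s, accounts, "wrong")
    page3(s, accounts, "changed")
    return accounts["10001"]["password"] == "changed"


def probe_switch_number(page3: Page3) -> bool:
    """Pass PAGE2 for one's own number 20002, then revisit PAGE1 with 10001 and call PAGE3."""
    accounts, s = fresh_accounts(), Session()
    page1(s, accounts, "20002")
    page2(s, accounts, "green")
    page1(s, accounts, "10001")
    page3(s, accounts, "changed")
    return accounts["10001"]["password"] == "changed"


def probe_legitimate(page3: Page3) -> bool:
    """The intended order: PAGE1, PAGE2 with the right answer, PAGE3."""
    accounts, s = fresh_accounts(), Session()
    page1(s, accounts, "10001")
    page2(s, accounts, "blue")
    page3(s, accounts, "changed")
    return accounts["10001"]["password"] == "changed"
```

Every probe except the legitimate one should return False against a correct PAGE3; running the same probes against both implementations is a direct test of the state check the section says is missing.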

3.4 Logic errors from programmer carelessness

There is not much to say about this. Most of them are things like writing > where >= was meant, and so on. In general, such logic errors can be caught by boundary value testing during white-box testing. However, in some cases human thinking is very strange: all kinds of unreasonable errors can occur, and boundary value testing cannot avoid them completely.
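A concrete instance of the > versus >= slip, with the boundary value test that catches it (an added example for this edit, not from the post). The guard in `read_slot_unsafe` lets the index equal to the table length through; Python turns that into an `IndexError`, whereas in C the same guard would let the read run one element past the buffer. The table contents and the probe indices are constructed for the example.

```python
from typing import Callable, Dict, List

Reader = Callable[[List[int], int], int]


def read_slot_unsafe(table: List[int], i: int) -> int:
    """Vulnerable guard: '>' was written where '>=' was needed, so i == len(table)
    slips through to the access."""
    if i < 0 or i > len(table):
        raise ValueError(f"index {i} rejected")
    return table[i]


def read_slot_safe(table: List[int], i: int) -> int:
    """Hardened guard: a valid index satisfies 0 <= i < len(table)."""
    if i < 0 or i >= len(table):
        raise ValueError(f"index {i} rejected")
    return table[i]


def boundary_value_probe(read: Reader, n: int) -> Dict[int, str]:
    """White-box boundary value test: probe the indices around both edges of
    an n-element table and classify what the guard did with each."""
    table = list(range(100, 100 + n))  # constructed contents; values are irrelevant
    outcome: Dict[int, str] = {}
    for i in (-1, 0, n - 1, n, n + 1):
        try:
            read(table, i)
            outcome[i] = "accepted"
        except ValueError:
            outcome[i] = "rejected"
        except IndexError:
            outcome[i] = "out-of-bounds access"
    return outcome


def guard_is_sound(read: Reader, n: int) -> bool:
    """True if no probe index reached the underlying access out of bounds."""
    return all(v != "out-of-bounds access" for v in boundary_value_probe(read, n).values())


if __name__ == "__main__":
    for impl in (read_slot_unsafe, read_slot_safe):
        print(impl.__name__, boundary_value_probe(impl, 4), "sound:", guard_is_sound(impl, 4))
```

Probing n-1, n and n+1 is what makes the difference visible: a test that only tries "typical" indices passes both guards.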

Logical vulnerabilities are difficult to prevent and detect. However, it is possible to detect and discover logical vulnerabilities that have certain characteristics. For example, race conditions caused by the resources of other external programs can be tested by simulating exhaustion of the external resource. (I know that many applications behave abnormally when memory is insufficient, and even data can end up being executed as code; however, such security problems are difficult to exploit remotely, and most can only be controlled locally, so they are mainly meaningful for service-level applications.) From the perspective of security detection, formal specification may be the only way to completely solve the problem of logical vulnerabilities.

4. Others

Some are caused by the insecurity of underlying systems, such as eavesdropping, man-in-the-middle, ARP spoofing and SYN flood attacks, which are hard to solve at the development level.

Written in a hurry, so there are many mistakes.

You are welcome to point out anything I have missed.

When reprinting, please indicate the source and know chuangyu. Thank you.
