Mind your language(s), A Discussion about Languages and Security

1. Mind your Language(s)! A discussion about languages and security Eric Jaeger Olivier Levillain Pierre Chifflier High Integrity Software Conference, 2014-10-23

2. ANSSI ANSSI (French Network and Information Security Agency) has InfoSec (and no Intelligence) missions: I detect and early react to cyber attacks I prevent threats by supporting the development of trusted products and services I provide reliable advice and support I communicate on information security threats and the related means of protection These missions concern: I governmental entities I companies I the general public Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! 2/29

3. Foreword What this presentation is about I the impact of the language on security properties is understudied I it covers a broad spectrum of subjects I since 2005, two studies: JavaSec and LaFoSec I each time, our partners did not at

4. rst share (or even understand) our concerns I the following examples do not aim at criticising particular languages I no language was armed during our work1 1They were already like that when we began. Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! 3/29

5. Outline 1 Illustrations 2 About assurance 3 Lessons learned Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations 4/29

6. Outline 1 Illustrations Encapsulation Types, casts and overloading Side eects No comments From source code to execution Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Encapsulation) 5/29

7. [Java] Objection Object encapsulation: a security mechanism? Source (snippets/java/Introspect.java) import java . lang . reflect .*; class Secret { private int x = 42; } public class Introspect { public static void main ( String [] args ) { try { Secret o = new Secret (); Class c = o. getClass (); Field f = c. getDeclaredField (x); f. setAccessible ( true ); System . out . println (x =+ f. getInt (o)); } catch ( Exception e) { System . out . println (e); } } } I Some keywords may be confusing I Even if possible, introspection cannot easily be banned in practice Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Encapsulation) 6/29

8. [OCaml] The danger of 1/2 OCaml also has encapsulation mechanisms: modules Source (snippets/ocaml/hsm.ml) module type Crypto = sig val id: int end ;; module C : Crypto = struct let id= Random . self_init (); Random . int 8192 let key = Random . self_init (); Random . int 8192 end ;; It is a sealed box, where id is visible, but not key C.id returns - : int = 2570 C.key returns Error: Unbound value C.key Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Encapsulation) 7/29

9. [OCaml] The danger of 2/2 Yet this encapsulation is not robust, since the box can be compared on a weighing scale Source (snippets/ocaml/hsmoracle.ml) let rec oracle o1 o2 = let o = (o1 + o2)/2 in let module O = struct let id=C.id let key =o end in if ( module O: Crypto ) ( module C: Crypto ) then oracle o1 o else (if ( module O: Crypto ) ( module C: Crypto ) then oracle o o2 else o);; oracle 0 8192;; Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Encapsulation) 8/29

10. Outline 1 Illustrations Encapsulation Types, casts and overloading Side eects No comments From source code to execution Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 9/29

11. [Shell] True, False, FILE NOT FOUND 1/2 How many values a boolean condition (e.g. x=y) can take? Source (snippets/shell/login.sh) #!/ bin / bash PIN =1234 echo -n Please type PIN code (4 digits ): read -s PIN_TYPED ; echo if [ $PIN -ne $PIN_TYPED ]; then echo Invalid PIN code .; exit 1 else echo Authentication OK ; exit 0 fi Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 10/29

12. [Shell] True, False, FILE NOT FOUND 1/2 How many values a boolean condition (e.g. x=y) can take? Source (snippets/shell/login.sh) #!/ bin / bash PIN =1234 echo -n Please type PIN code (4 digits ): read -s PIN_TYPED ; echo if [ $PIN -ne $PIN_TYPED ]; then echo Invalid PIN code .; exit 1 else echo Authentication OK ; exit 0 fi In shell, the following excerpt shows a third option should be treated. A bad PIN will be rejected, but foo will be accepted Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 10/29

13. [C] True, False, FILE NOT FOUND 2/2 A recent vulnerability on GnuTLS may now sound familiar (March 2014, lwn.net) But this bug is arguably much worse than Apple's, as it has allowed crafted certi

14. cates to evade validation check for all versions of GnuTLS ever released since that project got started in late 2000.[...] The check_if_ca function is supposed to return true (any non-zero value in C) or false (zero) depending on whether the issuer of the certi

15. cate is a certi

16. cate authority (CA). A true return should mean that the certi

17. cate passed muster and can be used further, but the bug meant that error returns were misinterpreted as certi

18. cate validations. Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 11/29

19. [C] True, False, FILE NOT FOUND 2/2 A recent vulnerability on GnuTLS may now sound familiar (March 2014, lwn.net) But this bug is arguably much worse than Apple's, as it has allowed crafted certi

20. cates to evade validation check for all versions of GnuTLS ever released since that project got started in late 2000.[...] The check_if_ca function is supposed to return true (any non-zero value in C) or false (zero) depending on whether the issuer of the certi

21. cate is a certi

22. cate authority (CA). A true return should mean that the certi

23. cate passed muster and can be used further, but the bug meant that error returns were misinterpreted as certi

24. cate validations. The same aw was pre-existant in OpenSSL... in 2008 Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 11/29

25. [JavaScript] Castastrophe Source (snippets/js/cast2.js) if ( '0 '==0) print ( '0 '==0) ; else print ( '0 ' 0); if (0== '0.0 ') print (0== '0.0 ') ; else print (0 '0.0 '); if ( '0 '== '0.0 ') print ( '0 '== '0.0 '); else print ( '0 ' '0.0 '); Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 12/29

26. [JavaScript] Castastrophe Source (snippets/js/cast2.js) if ( '0 '==0) print ( '0 '==0) ; else print ( '0 ' 0); if (0== '0.0 ') print (0== '0.0 ') ; else print (0 '0.0 '); if ( '0 '== '0.0 ') print ( '0 '== '0.0 '); else print ( '0 ' '0.0 '); '0'==0, 0=='0.0' and '0''0.0' Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 12/29

27. [JavaScript] Castastrophe Source (snippets/js/cast2.js) if ( '0 '==0) print ( '0 '==0) ; else print ( '0 ' 0); if (0== '0.0 ') print (0== '0.0 ') ; else print (0 '0.0 '); if ( '0 '== '0.0 ') print ( '0 '== '0.0 '); else print ( '0 ' '0.0 '); '0'==0, 0=='0.0' and '0''0.0' Source (snippets/js/cast3.js) a =1; b =2; c='Foo '; print (a+b+c); print (c+a+b); print (c+(a+b)); Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 12/29

28. [JavaScript] Castastrophe Source (snippets/js/cast2.js) if ( '0 '==0) print ( '0 '==0) ; else print ( '0 ' 0); if (0== '0.0 ') print (0== '0.0 ') ; else print (0 '0.0 '); if ( '0 '== '0.0 ') print ( '0 '== '0.0 '); else print ( '0 ' '0.0 '); '0'==0, 0=='0.0' and '0''0.0' Source (snippets/js/cast3.js) a =1; b =2; c='Foo '; print (a+b+c); print (c+a+b); print (c+(a+b)); 3Foo, Foo12 and Foo3 Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 12/29

29. [Php] Iconocast 1/2 Source (snippets/php/castincr.php) $x =2 d8 ; print ($x +1) ; print (n); $x =2 d8 ; print (++ $x .n); print (++ $x . n); print (++ $x . n); if (0 xF9 ==249) { print ( Equal n); } else { print ( Different n); } Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 13/29

30. [Php] Iconocast 1/2 Source (snippets/php/castincr.php) $x =2 d8 ; print ($x +1) ; print (n); $x =2 d8 ; print (++ $x .n); print (++ $x . n); print (++ $x . n); if (0 xF9 ==249) { print ( Equal n); } else { print ( Different n); } The

31. rst line produces 3 (an int) Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 13/29

33. rst line produces 3 (an int) The second displays 2d9 (string), 2e0 (string) then 3 ( oat). Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 13/29

35. rst line produces 3 (an int) The second displays 2d9 (string), 2e0 (string) then 3 ( oat). The third prints Equal Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 13/29

36. [Php] Iconocast 2/2 This may lead to security concerns Source (snippets/php/hash.php) $s1 =' QNKCDZO '; $h1 =md5( $s1); $s2 = '240610708 '; $h2 = md5 ( $s2 ); $s3 =' A169818202 '; $h3 = md5 ( $s3 ); $s4 =' aaaaaaaaaaaumdozb '; $h4 = md5 ($s4); $s5 =' badthingsrealmlavznik '; $h5 = sha1 ($s5 ); if ( $h1 == $h2 ) print ( Collision n); if ( $h2 == $h3 ) print ( Collision n); if ( $h3 == $h4 ) print ( Collision n); if ( $h4 == $h5 ) print ( Collision n); Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 14/29

37. [Php] Iconocast 2/2 This may lead to security concerns Source (snippets/php/hash.php) $s1 =' QNKCDZO '; $h1 =md5( $s1); $s2 = '240610708 '; $h2 = md5 ( $s2 ); $s3 =' A169818202 '; $h3 = md5 ( $s3 ); $s4 =' aaaaaaaaaaaumdozb '; $h4 = md5 ($s4); $s5 =' badthingsrealmlavznik '; $h5 = sha1 ($s5 ); if ( $h1 == $h2 ) print ( Collision n); if ( $h2 == $h3 ) print ( Collision n); if ( $h3 == $h4 ) print ( Collision n); if ( $h4 == $h5 ) print ( Collision n); Collision is printed 4 times, but we did not break Md5 nor Sha1 Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Types, casts and overloading) 14/29

38. Outline 1 Illustrations Encapsulation Types, casts and overloading Side eects No comments From source code to execution Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Side eects) 15/29

39. [OCaml] Mutatis mutandis In OCaml, code is static and strings are mutable. What about strings appearing in code? Source (snippets/ocaml/mutable.ml) let check c = if c then OK else KO ;; let f= check false in f.[0] - 'O '; f.[1] - 'K ';; check true ;; check false ;; Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Side eects) 16/29

40. [OCaml] Mutatis mutandis In OCaml, code is static and strings are mutable. What about strings appearing in code? Source (snippets/ocaml/mutable.ml) let check c = if c then OK else KO ;; let f= check false in f.[0] - 'O '; f.[1] - 'K ';; check true ;; check false ;; Both check calls return OK Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Side eects) 16/29

41. [OCaml] Mutatis mutandis In OCaml, code is static and strings are mutable. What about strings appearing in code? Source (snippets/ocaml/mutable.ml) let check c = if c then OK else KO ;; let f= check false in f.[0] - 'O '; f.[1] - 'K ';; check true ;; check false ;; Both check calls return OK Such mutable shared strings may be used to determine control ow, or to escape characters (Char.escaped) Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Side eects) 16/29

42. [Python] Global variables Python allows for comprehension lists, which is another syntax for a map application Source (snippets/python/listcomp.py) l = [s+1 for s in [1 ,2 ,3]] l [2, 3, 4] Now, what is the value of s? Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Side eects) 17/29

43. [Python] Global variables Python allows for comprehension lists, which is another syntax for a map application Source (snippets/python/listcomp.py) l = [s+1 for s in [1 ,2 ,3]] l [2, 3, 4] Now, what is the value of s? Unless you use Python 3, s is 3, whereas the s variable should have been local (bound). Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (Side eects) 17/29

44. Outline 1 Illustrations Encapsulation Types, casts and overloading Side eects No comments From source code to execution Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (No comments) 18/29

45. [C] No comments ? Syntax matters... Source (snippets/c/comments2.c) # include stdio .h int main ( void ) { // /! DO NOT REMOVE COMMENTS IN NEXT BLOCK /! /********************************************** const char status []= Safe ; // /! SET TO SAFE ONLY FOR TESTS /! **********************************************/ // /! NEXT LINE REALLY IMPORTANT /! const char status []= Unsafe ; printf ( Status : %sn, status ); } I C trigrams I UTF-8 characters / encoding allowed in Java Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (No comments) 19/29

46. Outline 1 Illustrations Encapsulation Types, casts and overloading Side eects No comments From source code to execution Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (From source code to execution) 20/29

47. [C] Story of a real kernel bug Source (snippets/c/badoptim.c) struct tun_struct *tun = __tun_get ( tfile ); struct sock *sk = tun -sk; if (! tun ) return POLLERR ; /* use *sk for write operations */ This particular unde

48. ned behavior led to an optimisation, which is now known as CVE-2009-1897. Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (From source code to execution) 21/29

49. [Java] Serial killer Source (snippets/java/Deserial.java) import java .io .*; class Friend { } // Unlikely to be dangerous ! class Deserial { public static void main ( String [] args ) throws FileNotFoundException , IOException , ClassNotFoundException { FileInputStream fis = new FileInputStream ( friend ); ObjectInputStream ois = new ObjectInputStream (fis); Friend f=( Friend ) ois . readObject (); System . out . println ( Hello world ); } } Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (From source code to execution) 22/29

50. [Java] Serial killer Source (snippets/java/Deserial.java) import java .io .*; class Friend { } // Unlikely to be dangerous ! class Deserial { public static void main ( String [] args ) throws FileNotFoundException , IOException , ClassNotFoundException { FileInputStream fis = new FileInputStream ( friend ); ObjectInputStream ois = new ObjectInputStream (fis); Friend f=( Friend ) ois . readObject (); System . out . println ( Hello world ); } } At runtime, we may read Bad things happen! since the serialised

51. le contained an object of a dierent class. The cast might fail, but it might be too late. Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (From source code to execution) 22/29

52. [Java] Serial killer Source (snippets/java/Deserial.java) import java .io .*; class Friend { } // Unlikely to be dangerous ! class Deserial { public static void main ( String [] args ) throws FileNotFoundException , IOException , ClassNotFoundException { FileInputStream fis = new FileInputStream ( friend ); ObjectInputStream ois = new ObjectInputStream (fis); Friend f=( Friend ) ois . readObject (); System . out . println ( Hello world ); } } At runtime, we may read Bad things happen! since the serialised

53. le contained an object of a dierent class. The cast might fail, but it might be too late. Not controlling which code is run may be dangerous (CVE-2008-5353) Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (From source code to execution) 22/29

54. Some concerns about memory management When dealing with interpreted languages and Garbage collectors I what chmod -x does? I can the memory pages be marked as non-executable? I how can we really enforce W ^ X? I what does a JIT compiler change? I how can I be sure a data is not spread by a mark and copy strategy? I can I have guarantees on a key lifetime? I can I zeroise it in some way? Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Illustrations (From source code to execution) 23/29

55. Outline 1 Illustrations 2 About assurance 3 Lessons learned Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : About assurance 24/29

56. [Java] Clone Wars The ocial Java speci

57. cation about Object.clone() The general intent is that, for any object x, the expression: x.clone()!= x will be true, and that the expression: x.clone().getClass()== x.getClass() will be true, but these are not absolute requirements. While it is typically the case that: x.clone().equals(x) will be true, this is not an absolute requirement. Serialisation speci

58. cations (writeObject and readObject functions) are also worth reading Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : About assurance 25/29

59. [C] Specs and checks In The C programming language (Second edition), by B. W. Kernighan D. M. Ritchie The direction of truncation for / and the sign of the result for % are machine-dependent for negative operands, as is the action taken on over ow or under ow. How would you check that a compiler complies to this non-deterministic speci

60. cation? Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : About assurance 26/29

61. [C] Specs and checks In The C programming language (Second edition), by B. W. Kernighan D. M. Ritchie The direction of truncation for / and the sign of the result for % are machine-dependent for negative operands, as is the action taken on over ow or under ow. How would you check that a compiler complies to this non-deterministic speci

62. cation? Would your check reject a compiler changing its mind at each division, which would lead to 1/-2==1/-2 being false. This is an instance of the Re

63. nement Paradox Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : About assurance 26/29

64. Outline 1 Illustrations 2 About assurance 3 Lessons learned Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Lessons learned 27/29

65. Lessons learned I Programming languages can impact software security I There is room for improvement in them I We could bene

66. t from more research and tools I Writing secure software requires a broad vision in many aspects of computer science I Teaching should take more those aspects into account Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Lessons learned 28/29

67. Questions? Thank you for your attention olivier.levillain@ssi.gouv.fr Jaeger, Levillain Chiier, HIS 2014 Mind your Language(s)! : Lessons learned 29/29

Mind your language(s), A Discussion about Languages and Security

More Related Content

What's hot (10)

Viewers also liked (20)

Similar to Mind your language(s), A Discussion about Languages and Security (20)

More from AdaCore (19)

Recently uploaded (20)

Mind your language(s), A Discussion about Languages and Security