계: Input Validation and Representation
입력 검증 및 표현 문제는 메타 문자, 대체 인코딩 및 숫자 표현 때문에 발생합니다. 보안 문제는 입력을 신뢰하기 때문에 발생합니다. 문제로는 "Buffer Overflows", "Cross-Site Scripting" 공격, "SQL Injection", 그 외 여러 가지가 있습니다.
Integer Overflow
Abstract
Integer overflow를 다루지 않으면 로직 오류 또는 buffer overflow가 발생할 수 있습니다.
Explanation
정수 오버플로 오류는 산술 연산의 결과값이 데이터 형식의 최대값보다 크거나 최소값보다 작을 수 있다는 것을 프로그램이 고려하지 못할 때 발생합니다. 이러한 오류는 종종 사용자 입력이 부호 있는 값과 부호 없는 값 사이의 암묵적 변환과 충돌하는 메모리 할당 함수에서 문제를 일으킵니다. 프로그램이 메모리를 과소 할당하거나 부호 있는 값을 메모리 연산에서 부호 없는 값으로 해석하도록 공격자가 만들 수 있는 경우, 해당 프로그램은 버퍼 오버플로에 취약할 수 있습니다.
예제 1: OpenSSH 3.3에서 발췌한 다음 코드는 integer overflow의 전형적인 경우를 보여 줍니다.
예제 2: 이 예제에서는 일련의 가변 길이 구조로 구성된 사용자 입력을 처리합니다. 입력의 첫 2바이트는 처리할 구조의 크기를 지정합니다.
프로그래머가 구조 크기에 끼치는 상한을 설정했습니다. 구조 크기가
예제 1: OpenSSH 3.3에서 발췌한 다음 코드는 integer overflow의 전형적인 경우를 보여 줍니다.
nresp = packet_get_int();
if (nresp > 0) {
response = xmalloc(nresp*sizeof(char*));
for (i = 0; i < nresp; i++)
response[i] = packet_get_string(NULL);
}
nresp의 값이 1073741824이고 sizeof(char*)의 값이 일반적으로 사용되는 4이면 nresp*sizeof(char*) 작업의 결과가 overflow되며, xmalloc()의 인수는 0이 됩니다. malloc() 구현은 대부분 0바이트 버퍼의 할당을 허용하여 이후 루프가 반복되어 heap buffer response가 overflow됩니다.예제 2: 이 예제에서는 일련의 가변 길이 구조로 구성된 사용자 입력을 처리합니다. 입력의 첫 2바이트는 처리할 구조의 크기를 지정합니다.
char* processNext(char* strm) {
char buf[512];
short len = *(short*) strm;
strm += sizeof(len);
if (len <= 512) {
memcpy(buf, strm, len);
process(buf);
return strm + len;
} else {
return -1;
}
}
프로그래머가 구조 크기에 끼치는 상한을 설정했습니다. 구조 크기가
512보다 크면 입력이 처리되지 않습니다. 문제는 len이 부호 있는 정수여서 최대 구조 길이가 부호 있는 정수를 사용해 확인되지만 memcpy() 호출에서는 len이 부호 없는 정수로 변환된다는 점입니다. len이 음수이면 구조의 크기가 적절한 것으로 표시되지만(if 분기를 가져옴) memcpy()에서 복사하는 메모리 양이 상당히 많아 공격자가 strm의 데이터로 스택을 overflow할 수 있습니다.References
[1] blexim Basic Integer Overflows Phrack
[2] D. Plakosh Coding Flaws That Lead to Security Failures 2nd Annual Hampton University Information Assurance Symposium
[3] Les Hatton Safer C: Developing Software for High-integrity and Safety-critical Systems McGraw-Hill Companies
[4] Standards Mapping - Common Weakness Enumeration CWE ID 190, CWE ID 191
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [8] CWE ID 190
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [11] CWE ID 190
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [12] CWE ID 190
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [13] CWE ID 190
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [14] CWE ID 190
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020, [23] CWE ID 190
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754, CCI-002824
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 7.5, Rule 7.6, Rule 21.18
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1, Rule 5-19-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.4.3 Memory/String/Unmanaged Code Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 682
[36] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 190
[37] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 190
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[60] Standards Mapping - Smart Contract Weakness Classification SWC-101
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Integer Overflows (WASC-03)
desc.dataflow.cpp.integer_overflow
Abstract
정수 오버플로를 고려하지 않으면 논리 오류나 버퍼 오버플로를 일으킬 수 있습니다.
Explanation
정수 오버플로 오류는 산술 연산의 결과값이 데이터 형식의 최대값보다 크거나 최소값보다 작을 수 있다는 것을 프로그램이 고려하지 못할 때 발생합니다. 이러한 오류는 종종 사용자 입력이 부호 있는 값과 부호 없는 값 사이의 암묵적 변환과 충돌하는 메모리 할당 함수에서 문제를 일으킵니다. 프로그램이 메모리를 과소 할당하거나 부호 있는 값을 메모리 연산에서 부호 없는 값으로 해석하도록 공격자가 만들 수 있는 경우, 해당 프로그램은 버퍼 오버플로에 취약할 수 있습니다.
예제 1: 다음 코드 발췌는 정수 오버플로의 전형적인 경우를 보여줍니다.
예제 1: 다음 코드 발췌는 정수 오버플로의 전형적인 경우를 보여줍니다.
77 accept-in PIC 9(10).
77 num PIC X(4) COMP-5. *> native 32-bit unsigned integer
77 mem-size PIC X(4) COMP-5.
...
ACCEPT accept-in
MOVE accept-in TO num
MULTIPLY 4 BY num GIVING mem-size
CALL "CBL_ALLOC_MEM" USING
mem-pointer
BY VALUE mem-size
BY VALUE 0
RETURNING status-code
END-CALL
num에 1073741824 값이 있으면 MULTIPLY 4 BY num 연산의 결과가 오버플로되며, malloc()에 대한 mem-size 인수는 0이 됩니다. 대부분의 malloc() 구현에서는 0바이트 버퍼를 할당하는 것이 허용되므로 힙 버퍼 mem-pointer가 후속 명령문에서 오버플로됩니다.References
[1] blexim Basic Integer Overflows Phrack
[2] D. Plakosh Coding Flaws That Lead to Security Failures 2nd Annual Hampton University Information Assurance Symposium
[3] Les Hatton Safer C: Developing Software for High-integrity and Safety-critical Systems McGraw-Hill Companies
[4] Standards Mapping - Common Weakness Enumeration CWE ID 190, CWE ID 191
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [8] CWE ID 190
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [11] CWE ID 190
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [12] CWE ID 190
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [13] CWE ID 190
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [14] CWE ID 190
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020, [23] CWE ID 190
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754, CCI-002824
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 7.5, Rule 7.6, Rule 21.18
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1, Rule 5-19-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.4.3 Memory/String/Unmanaged Code Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 682
[36] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 190
[37] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 190
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[60] Standards Mapping - Smart Contract Weakness Classification SWC-101
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Integer Overflows (WASC-03)
desc.dataflow.cobol.integer_overflow