* [Caml-list] How to secure an OCaml server
From: David MENTRE @ 2004-02-28 15:10 UTC
To: caml-list

Hello,

I'm currently writing a server in Objective Caml. This server is using a
specific protocol (in XDR format) over TCP sockets.

I would like to secure my server against usual attacks (buffer overflow,
etc.).

While there is plenty of doc for C and C++, there is nothing for
OCaml. At what kind of issues should I look to avoid attacks? Has
anybody written a documentation or a tool to secure OCaml applications?

Many thanks in advance for any advice,
Yours,
d.
--
David Mentré <dmentre@linux-france.org>

-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners

* Re: [Caml-list] How to secure an OCaml server
From: David MENTRE @ 2004-02-28 16:37 UTC
To: caml-list

David MENTRE <dmentre@linux-france.org> writes:

> I would like to secure my server against usual attacks (buffer overflow,
> etc.).
>
> While there is plenty of doc for C and C++, there is nothing for
> OCaml. At what kind of issues should I look to avoid attacks? Has
> anybody written a documentation or a tool to secure OCaml applications?

Judging from answers I've received, I've probably not been clear
enough. I know that the security topic is large but I've explicitly not
mentioned cryptographic issues (authentication, information hiding,
etc.). I just want to secure my server enough so that a bad guy can't
crash it or launch a shell with it. I've left other security topics to
the near future.

I'm not the first one to write a server in OCaml, so I wanted to use
experience of previous work. If nobody has written such a document, I
might give it a try.

Any useful comments still appreciated,
Yours,
d.
--
David Mentré <dmentre@linux-france.org>

* Re: [Caml-list] How to secure an OCaml server
From: Yutaka OIWA @ 2004-02-28 16:44 UTC
To: caml-list

Hello David,

>> On Sat, 28 Feb 2004 16:10:08 +0100, David MENTRE <dmentre@linux-france.org> said:

David> Hello,
David> I'm currently writing a server in Objective Caml. This server is using a
David> specific protocol (in XDR format) over TCP sockets.

David> I would like to secure my server against usual attacks (buffer overflow,
David> etc.).

David> While there is plenty of doc for C and C++, there is nothing for
David> OCaml. At what kind of issues should I look to avoid attacks? Has
David> anybody written a documentation or a tool to secure OCaml applications?

Programming in Objective Caml (and other "safe languages") is
relatively safe. However, in my opinion, it is wise to care about
almost same kind of safety issues as those for C language, except
dangling pointers.

Unlike C and C++, Objective Caml has strong builtin protection for
array boundary overflow. You can expect that inputs which usually
cause arbitrary code execution (like viruses and worms) do not cause
such catastrophe, but only make your programs report runtime exception
and then halt.

However, you should not rely on this feature in production code,
especially if you are writing your own decoders or encoders for
existing protocols. If an encoded data packet contains both secure
and insecure data, improper handling of data length fields in a
decoding routine may cause other security problems such as data
leakage or memory exhaustion.

Dangling pointers never appear in Objective Caml program; the garbage
collector frees only unused data, unlike free() in C and delete
operator in C++. It also prevents memory leakage in many cases.

Other security issues such as sanitizing of user-input data like
username, pathname, HTML fragment, etc. should be handled carefully in
the same manner as in other languages. The things you referred as
"plenty of doc" may help you.

In general, effective use of high-level language features such as
builtin string, list type, and user-defined datatype may reduce
cumbersome needs for boundary checking outside codec routines.
The garbage collection helps this style of programming, since with
GC you can use those high-level data structures without fearing
about memory leakage or dangling pointers.

--
Yutaka Oiwa              Yonezawa Lab., Dept. of Computer Science,
Graduate School of Information Sci. & Tech., Univ. of Tokyo.
<oiwa@yl.is.s.u-tokyo.ac.jp>, <yutaka@oiwa.jp>
PGP fingerprint = C9 8D 5C B8 86 ED D8 07 EA 59 34 D8 F4 65 53 61

* Re: [Caml-list] How to secure an OCaml server
From: Richard Jones @ 2004-02-28 16:54 UTC
Cc: caml-list

On Sun, Feb 29, 2004 at 01:44:10AM +0900, Yutaka OIWA wrote:
> Unlike C and C++, Objective Caml has strong builtin protection for
> array boundary overflow. You can expect that inputs which usually
> cause arbitrary code execution (like viruses and worms) do not cause
> such catastrophe, but only make your programs report runtime exception
> and then halt.

Remember the corollary of having safe arrays is that people can DoS
your server by opening a socket and writing .. and writing .. and
writing. It's always a good idea to either implement your own
sensible maximums on the length of strings / arrays, or at least run
your module with a BSD resource-style limit (setrlimit(2)).

Rich.

--
Richard Jones. http://www.annexia.org/ http://www.j-london.com/
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
http://www.YouUnlimited.co.uk/ - management courses

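The two replies above both turn on length fields in decoders and on enforcing a maximum before trusting them. The following is an added example, not code from any poster: a decoder for one XDR variable-length string (4-byte big-endian length, data, zero padding to a multiple of 4) that checks the declared length against a caller-supplied limit before copying anything. The names decode_string, max_len and the error type are assumptions made for the illustration, and the input buffers are constructed.

```ocaml
(* Added example: bounded decoding of an XDR variable-length string.
   All names and sample buffers here are constructed for illustration. *)

type error =
  | Truncated        (* fewer bytes present than the format requires *)
  | Too_long of int  (* declared length is outside the accepted range *)
  | Bad_padding      (* padding bytes are not zero *)

(* Read an unsigned 32-bit big-endian integer at [pos], with an explicit
   bounds check instead of relying on Invalid_argument from Bytes.get. *)
let get_u32 (buf : Bytes.t) (pos : int) : (int, error) result =
  if pos < 0 || pos > Bytes.length buf - 4 then Error Truncated
  else
    let b i = Char.code (Bytes.get buf (pos + i)) in
    Ok ((b 0 lsl 24) lor (b 1 lsl 16) lor (b 2 lsl 8) lor b 3)

(* Decode one string starting at [pos]. Returns the string and the offset of
   the next item. The length is validated before any allocation happens. *)
let decode_string ~(max_len : int) (buf : Bytes.t) (pos : int)
  : (string * int, error) result =
  match get_u32 buf pos with
  | Error e -> Error e
  | Ok n ->
    (* n < 0 can only happen where int is 31 bits wide; reject it too. *)
    if n < 0 || n > max_len then Error (Too_long n)
    else
      let padded = (n + 3) land (lnot 3) in
      let data = pos + 4 in
      if padded > Bytes.length buf - data then Error Truncated
      else begin
        let pad_ok = ref true in
        for i = data + n to data + padded - 1 do
          if Bytes.get buf i <> '\000' then pad_ok := false
        done;
        if !pad_ok then Ok (Bytes.sub_string buf data n, data + padded)
        else Error Bad_padding
      end

let () =
  (* Constructed inputs, not captured traffic. *)
  let well_formed = Bytes.of_string "\000\000\000\005hello\000\000\000" in
  let huge_length = Bytes.of_string "\255\255\255\255abcd" in
  let truncated = Bytes.of_string "\000\000\000\008abc" in
  let show name buf =
    match decode_string ~max_len:1024 buf 0 with
    | Ok (s, next) ->
      Printf.printf "%s: ok %S, next offset %d\n" name s next
    | Error Truncated ->
      Printf.printf "%s: rejected, truncated\n" name
    | Error (Too_long n) ->
      Printf.printf "%s: rejected, declared length %d not accepted\n" name n
    | Error Bad_padding ->
      Printf.printf "%s: rejected, non-zero padding\n" name
  in
  show "well-formed" well_formed;
  show "huge length" huge_length;
  show "truncated" truncated
```

On a socket, apply the same limit to the 4-byte length header before reading or allocating the body, so an oversized declaration is rejected without buffering it.
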
* Re: [Caml-list] How to secure an OCaml server
From: Thomas Fischbacher @ 2004-02-28 17:06 UTC
To: Richard Jones; +Cc: caml-list

On Sat, 28 Feb 2004, Richard Jones wrote:

> On Sun, Feb 29, 2004 at 01:44:10AM +0900, Yutaka OIWA wrote:
> > Unlike C and C++, Objective Caml has strong builtin protection for
> > array boundary overflow. You can expect that inputs which usually
> > cause arbitrary code execution (like viruses and worms) do not cause
> > such catastrophe, but only make your programs report runtime exception
> > and then halt.
>
> Remember the corollary of having safe arrays is that people can DoS
> your server by opening a socket and writing .. and writing .. and
> writing. It's always a good idea to either implement your own
> sensible maximums on the length of strings / arrays, or at least run
> your module with a BSD resource-style limit (setrlimit(2)).

Yes. Another interesting issue that frequently comes up in such situations
is provoking hash collisions.

--
regards,               tf@cip.physik.uni-muenchen.de              (o_
 Thomas Fischbacher -  http://www.cip.physik.uni-muenchen.de/~tf  //\
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y)           V_/_
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))                  (Debian GNU)

* Re: [Caml-list] How to secure an OCaml server
From: Richard Jones @ 2004-02-28 19:29 UTC
To: Thomas Fischbacher; +Cc: caml-list

On Sat, Feb 28, 2004 at 06:06:01PM +0100, Thomas Fischbacher wrote:
>
> On Sat, 28 Feb 2004, Richard Jones wrote:
>
> > On Sun, Feb 29, 2004 at 01:44:10AM +0900, Yutaka OIWA wrote:
> > > Unlike C and C++, Objective Caml has strong builtin protection for
> > > array boundary overflow. You can expect that inputs which usually
> > > cause arbitrary code execution (like viruses and worms) do not cause
> > > such catastrophe, but only make your programs report runtime exception
> > > and then halt.
> >
> > Remember the corollary of having safe arrays is that people can DoS
> > your server by opening a socket and writing .. and writing .. and
> > writing. It's always a good idea to either implement your own
> > sensible maximums on the length of strings / arrays, or at least run
> > your module with a BSD resource-style limit (setrlimit(2)).
>
> Yes. Another interesting issue that frequently comes up in such situations
> is provoking hash collisions.

Yes, right! I forgot about that one, but it's very important.

IIRC Perl 5.8.0 changed hashes so there is some randomness in the
hashing function, which reduces the possibility of this sort of
attack.

Rich.

--
Richard Jones. http://www.annexia.org/ http://www.j-london.com/
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
PTHRLIB is a library for writing small, efficient and fast servers in C.
HTTP, CGI, DBI, lightweight threads: http://www.annexia.org/freeware/pthrlib/

* Re: [Caml-list] How to secure an OCaml server
From: David MENTRE @ 2004-02-28 19:41 UTC
To: Thomas Fischbacher; +Cc: Richard Jones, caml-list

Hello Thomas,

Thomas Fischbacher <Thomas.Fischbacher@Physik.Uni-Muenchen.DE> writes:

> Yes. Another interesting issue that frequently comes up in such situations
> is provoking hash collisions.

Could you elaborate more on this? I don't understand about which hash
you are talking.

Yours,
d.
--
David Mentré <dmentre@linux-france.org>

* Re: [Caml-list] How to secure an OCaml server
From: Richard Jones @ 2004-02-28 20:20 UTC
To: David MENTRE; +Cc: Thomas Fischbacher, caml-list

On Sat, Feb 28, 2004 at 08:41:13PM +0100, David MENTRE wrote:
> Hello Thomas,
>
> Thomas Fischbacher <Thomas.Fischbacher@Physik.Uni-Muenchen.DE> writes:
>
> > Yes. Another interesting issue that frequently comes up in such situations
> > is provoking hash collisions.
>
> Could you elaborate more on this? I don't understand about which hash
> you are talking.

This is a new type of vulnerability discovered fairly recently. With
much webserver software written in Perl it is (was) possible to upload
patterns of data which would cause degenerate cases in hashes. That's
to say that the data would be chosen so that it all hashed into the
same bucket in the hash. This would cause servers to perform O(n^2)
operations, slowing them down and effectively creating a denial of
service.

There is some more information here:

http://www.cs.rice.edu/~scrosby/hash/

Rich.

--
Richard Jones. http://www.annexia.org/ http://www.j-london.com/
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
http://www.YouUnlimited.co.uk/ - management courses

* Re: [Caml-list] How to secure an OCaml server
From: Thomas Fischbacher @ 2004-02-28 20:28 UTC
To: Richard Jones; +Cc: David MENTRE, caml-list

On Sat, 28 Feb 2004, Richard Jones wrote:

> This is a new type of vulnerability discovered fairly recently.

I am not sure about this, as I can hardly imagine that some clever souls
may not have thought of such problems much earlier. I suppose, the big
problem is the seductive easiness of hashes and their popularization by
perl...

--
regards,               tf@cip.physik.uni-muenchen.de              (o_
 Thomas Fischbacher -  http://www.cip.physik.uni-muenchen.de/~tf  //\
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y)           V_/_
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))                  (Debian GNU)

* Re: [Caml-list] How to secure an OCaml server
From: Richard Jones @ 2004-02-28 20:29 UTC
To: Thomas Fischbacher; +Cc: David MENTRE, caml-list

On Sat, Feb 28, 2004 at 09:28:07PM +0100, Thomas Fischbacher wrote:
>
> On Sat, 28 Feb 2004, Richard Jones wrote:
>
> > This is a new type of vulnerability discovered fairly recently.
>
> I am not sure about this, as I can hardly imagine that some clever souls
> may not have thought of such problems much earlier. I suppose, the big
> problem is the seductive easiness of hashes and their popularization by
> perl...

Of course _I_ always recommend using assoc lists instead of Hashtbl
with OCaml nowadays. This has the feature that it's _always_
O(big something) so DoS attacks are never a problem :-)

Rich.

--
Richard Jones. http://www.annexia.org/ http://www.j-london.com/
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
'There is a joke about American engineers and French engineers. The
American team brings a prototype to the French team. The French team's
response is: "Well, it works fine in practice; but how will it hold up
in theory?"'

* Re: [Caml-list] How to secure an OCaml server
From: Thomas Fischbacher @ 2004-02-28 20:38 UTC
To: Richard Jones; +Cc: David MENTRE, caml-list

On Sat, 28 Feb 2004, Richard Jones wrote:

> Of course _I_ always recommend using assoc lists instead of Hashtbl
> with OCaml nowadays. This has the feature that it's _always_
> O(big something) so DoS attacks are never a problem :-)

Seriously, log(N) is bounded by a not too large constant in this universe,
and hence, balanced binary trees are good enough a data structure for
virtually all applications. It is hard to be grossly wrong by using a
balanced tree. (But I do have a counter-example in my pocket.)

--
regards,               tf@cip.physik.uni-muenchen.de              (o_
 Thomas Fischbacher -  http://www.cip.physik.uni-muenchen.de/~tf  //\
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y)           V_/_
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))                  (Debian GNU)

* Re: [Caml-list] How to secure an OCaml server
From: Thomas Fischbacher @ 2004-02-28 20:24 UTC
To: David MENTRE; +Cc: Richard Jones, caml-list

> Hello Thomas,
>
> Thomas Fischbacher <Thomas.Fischbacher@Physik.Uni-Muenchen.DE> writes:
>
> > Yes. Another interesting issue that frequently comes up in such situations
> > is provoking hash collisions.
>
> Could you elaborate more on this? I don't understand about which hash
> you are talking.

This is a quite general situation that comes up when you store data on
your server in a hash in such a way that an external source can control at
least part of the hash keys.

A very simple and quite harmless example would be creating access
statistics from webserver logs similar to:

  perl -e 'while(<>){s/^(\S+)/$h{$1}++/e;}; printf "%-50s => %6d\n", $_, $h{$_} for sort keys %h;' access_log

with access_log entries of the format

  glockner.cip.physik.uni-muenchen.de - - [20/Feb/2004:00:30:11 +0100] "GET /~tf/tf.html HTTP/1.0" 200 7142
  glockner.cip.physik.uni-muenchen.de - - [20/Feb/2004:00:30:11 +0100] "GET /~tf/tutorials.html HTTP/1.0" 200 4767
  glockner.cip.physik.uni-muenchen.de - - [20/Feb/2004:00:30:11 +0100] "GET /~tf/interests.html HTTP/1.0" 200 1282
  glockner.cip.physik.uni-muenchen.de - - [20/Feb/2004:00:30:11 +0100] "GET /~tf/misc.html HTTP/1.0" 200 14094
  glockner.cip.physik.uni-muenchen.de - - [20/Feb/2004:00:30:11 +0100] "GET /~tf/fun.html HTTP/1.0" 200 714
  glockner.cip.physik.uni-muenchen.de - - [20/Feb/2004:00:30:11 +0100] "GET /~tf/links.html HTTP/1.0" 200 497

Suppose we have a bad guy that controls his own DNS.

If he sends me thousands of queries which were crafted in such a way that
all are mapped to the same hash key by my hashing function, he can degrade
an O(N log N) algorithm to an O(N^2) algorithm with very little effort,
effectively bringing the program to a standstill.

--
regards,               tf@cip.physik.uni-muenchen.de              (o_
 Thomas Fischbacher -  http://www.cip.physik.uni-muenchen.de/~tf  //\
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y)           V_/_
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))                  (Debian GNU)

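The degradation discussed in the messages above, as an added example that is not code from any poster: the same per-host counting job done once with a hash table in which every key lands in one bucket and once with a balanced tree (Map), counting key comparisons in each. The weak hash function (sum of bytes) and the host names are constructed for the demonstration so that collisions are easy to see; they are assumptions, not the behaviour of OCaml's own Hashtbl.hash.

```ocaml
(* Added example: cost of one-bucket hashing versus a balanced tree.
   The hash function and all keys are constructed for illustration. *)

let comparisons = ref 0

(* Hash table over strings with a deliberately weak hash: the sum of the
   bytes, so any keys with equal byte sums share a bucket. *)
module Weak_tbl = Hashtbl.Make (struct
  type t = string
  let equal a b = incr comparisons; String.equal a b
  let hash s =
    let h = ref 0 in
    String.iter (fun c -> h := !h + Char.code c) s;
    !h
end)

(* Balanced binary tree over the same keys, with counted comparisons. *)
module Host_map = Map.Make (struct
  type t = string
  let compare a b = incr comparisons; String.compare a b
end)

(* Constructed host names: n distinct keys (n <= 676) whose byte sums are
   all equal, so Weak_tbl puts every one of them in the same bucket. *)
let colliding_hosts n =
  List.init n (fun i ->
    let a = i mod 26 and b = i / 26 mod 26 in
    Printf.sprintf "%c%c%c%c.example"
      (Char.chr (97 + a)) (Char.chr (122 - a))
      (Char.chr (97 + b)) (Char.chr (122 - b)))

(* Per-host request count with the hash table. Returns the number of
   distinct hosts and the number of key comparisons performed. *)
let count_with_table hosts =
  let tbl = Weak_tbl.create 16 in
  comparisons := 0;
  List.iter (fun h ->
    let c = Option.value (Weak_tbl.find_opt tbl h) ~default:0 in
    Weak_tbl.replace tbl h (c + 1)) hosts;
  (Weak_tbl.length tbl, !comparisons)

(* The same count with the balanced tree. *)
let count_with_map hosts =
  comparisons := 0;
  let m =
    List.fold_left (fun m h ->
      Host_map.update h (function None -> Some 1 | Some c -> Some (c + 1)) m)
      Host_map.empty hosts
  in
  (Host_map.cardinal m, !comparisons)

let () =
  let hosts = colliding_hosts 600 in
  let (n1, c1) = count_with_table hosts in
  let (n2, c2) = count_with_map hosts in
  Printf.printf "hash table, one bucket: %d keys, %d comparisons\n" n1 c1;
  Printf.printf "balanced tree (Map):    %d keys, %d comparisons\n" n2 c2
```

The table's comparison count grows with the square of the number of keys while the tree's grows as N log N. Current OCaml standard libraries also offer seeded hashing through `Hashtbl.create ~random:true` and `Hashtbl.randomize ()`, in the same spirit as the Perl change mentioned earlier in the thread.
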
* Re: [Caml-list] How to secure an OCaml server
From: David MENTRE @ 2004-02-28 21:04 UTC
To: Thomas Fischbacher; +Cc: Richard Jones, caml-list

Thomas Fischbacher <Thomas.Fischbacher@Physik.Uni-Muenchen.DE> writes:

> This is a quite general situation that comes up when you store data on
> your server in a hash in such a way that an external source can control at
> least part of the hash keys.

Ok, thanks for the explanation. That might be an issue in my program as
I'm using a lot of hash tables (Perl habits ;). I still need to
determine if those hash tables are influenced by external output, in
current and next design. Or I might drop those hash tables in favor of
more suitable data structures for performance and security reason. I've
not yet considered performance issues.

Anyway, many thanks Thomas and Richard for your explanations. And
thank you also Yutaka for your initial comments.

Yours,
david
--
David Mentré <dmentre@linux-france.org>

* Re: [Caml-list] How to secure an OCaml server
From: Yamagata Yoriyuki @ 2004-02-28 23:16 UTC
To: oiwa; +Cc: caml-list

From: Yutaka OIWA <oiwa@yl.is.s.u-tokyo.ac.jp>
Subject: Re: [Caml-list] How to secure an OCaml server
Date: Sun, 29 Feb 2004 01:44:10 +0900

> The garbage collection helps this style of programming, since with
> GC you can use those high-level data structures without fearing
> about memory leakage or dangling pointers.

On the other hand, relying on GC means data reside in the memory for
unpredictable amount of time, and may swap out to the disk. Moreover,
current GC of OCaml does not seem to wipe out the contents when a
memory block is reclaimed, and String.create does not initialize the
contents either. This could leak information which is otherwise
inaccessible. So overwrite explicitly sensible data when they are no
longer used, and use String.make instead of String.create.

(Actually, I feel String.create is deprecated, or initializes the
contents by null, but there would be a performance concern.)

--
Yamagata Yoriyuki

* Re: [Caml-list] How to secure an OCaml server
From: Thomas Fischbacher @ 2004-02-28 23:49 UTC
To: Yamagata Yoriyuki; +Cc: oiwa, caml-list

On Sun, 29 Feb 2004, Yamagata Yoriyuki wrote:

> From: Yutaka OIWA <oiwa@yl.is.s.u-tokyo.ac.jp>
> Subject: Re: [Caml-list] How to secure an OCaml server
> Date: Sun, 29 Feb 2004 01:44:10 +0900
>
> > The garbage collection helps this style of programming, since with
> > GC you can use those high-level data structures without fearing
> > about memory leakage or dangling pointers.
>
> On the other hand, relying on GC means data reside in the memory for
> unpredictable amount of time, and may swap out to the disk.

In case we are talking about linux, may I recommend using cryptoapi to
encrypt the swapspace (you can do a losetup -e blowfish /dev/loop7
swapfile; mkswap /dev/loop7; swapon /dev/loop7 at every boot - getting
losetup to use a random string may perhaps need a bit of patching...)?

What is swap good for nowadays that machines have RAM close to the 4 GB
boundary anyway? I suppose it is mostly used just to slow the machine down
enough so that root can react and kill processes by hand if some task goes
haywire. Hence, encrypting swap will even help to slightly improve this. ;->

--
regards,               tf@cip.physik.uni-muenchen.de              (o_
 Thomas Fischbacher -  http://www.cip.physik.uni-muenchen.de/~tf  //\
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y)           V_/_
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))                  (Debian GNU)
