Security 101: An Overview of Security Issues in Application Software. Benjamin Khoo, PhD, New York Institute of Technology, School of Management, kkhoo@nyit.edu
Acknowledgement: Materials for many of these slides have been adapted from the web and from security-based companies such as Outscheme Inc., Holub Associates, Security Innovation, Klocwork, Compuware, Microsoft, Secure Software, Cigital, Fortify Software, SPI Dynamics, Logic Gear, etc. Their contributions to this set of slides are gratefully acknowledged. Ben
Agenda • Understanding the Basics • Introduction • Security Issues • Application Security • Security Through Obfuscation • Summary
What is Computer Security? • Computer security is a combination of many protective measures taken to ensure the safety of the data and resources of both the owners and the users of the computer systems. • Computer security involves both keeping private information safe and preventing loss of resources. • Computer security concerns active attacks from external sources, internal abuse and inadvertent loss of information.
What is Computer Security? (2) • We often think of an “attack” as coming from a malicious outsider trying to wreak havoc or steal information. However, this is just one type of security vulnerability. • Another type of security vulnerability is failure to enforce restrictions on access to the data that are based on the authorization level of the user. – For example, not all internal employees need access to the same data. Providing complete access to all employees' health information to everyone in the Human Resources department is a security risk. In this case the application must provide varying access to the data, based on the privileges (security authorization) of the user. The system must also authenticate the user to verify their identity within the computer system.
What are We Protecting? • Protecting data – Integrity: Ensuring that business transaction data is not altered or corrupted. If something has been changed or modified since it was created, verifying that the changes are legitimate. – Confidentiality: Ensuring that unauthorized access to information will be denied. – (User’s Data) Privacy: For example, Web sites and applications should have a privacy statement that defines how user information will be handled. In addition, the producer also needs to put in a concerted effort to protect users’ data.
What are We Protecting? (2) – As intellectual property: Ensuring that assets such as business intelligence, source code, and any data related to intellectual property are safeguarded. – Availability: Ensuring that data availability is as expected. A denial-of-service attack or a natural disaster is an example of a data availability threat. • Protecting network computing resources: Ensuring that unauthorized uses of network resources are denied.
Introduction (table: Area / Changes) • Internet Usage: Business usage of the Internet and related networks has changed to an interconnected, transactional model; more reasons for connectivity: partnerships, outsourcing, consumer service. • Supply Chains: Growing in complexity; outsourcing of more functions. • Applications: Have been developed, extended, or interconnected to support an emerging model of networked business. • Regulations: Evolving to address concerns around technology controls, integrity of financial data, and privacy needs for personal information.
Introduction (2) The Security Problem (timeline diagram of where security effort has gone: Network security, ’96 - present: Firewalls, Intrusion Detection, VPN, Filtering; System security, beginning ’00: Single sign-on, Biometrics, Web services, ISP, Packaged Apps; Application security, 2004+: Code Inspections, Automated Flaw Discovery, Remediation, Certification) • 83 per cent of global financial institutions admitted their systems have been compromised in the past year, compared to only 39 per cent in 2002. - Deloitte's 2004 Global Security Survey • Recovering from a security breach takes an average 22 hours and causes $2 million in lost revenues. - Aberdeen Group • Demand that providers of all software — both 'shrink-wrapped' and custom — demonstrate the use of security vulnerability testing during development. - Gartner
Introduction (3) Emerging Threats • Today’s threat is not simply hackers looking for computing resources, defacement opportunities, or simple network and host access • Convergence between criminal activities and technology leveraged attacks is here • Phishing attacks, data theft, identity theft • Today’s threat is: • Direct attacks from technologically enabled criminals • Attacks targeted at business logic and process • Resource target is data theft, often for financial gain
Introduction (4) • Secrecy ≠ Security. – Secrecy: You can't find the safe. – Security: You can't open the safe, even if you know how it works. – Secret systems are never secure! • The best way to assure that an encryption algorithm is secure is to have thousands of knowledgeable people try to break it. • Security ≠ Technology – Security comes from well-thought-out protocols (in the diplomatic sense). – Technology only gives you a means to implement a portion of the protocol.
Security is about risk and liability • If the cost of fixing a security breach is higher than the cost of writing off the loss, businesses will take the loss. • Security is all about lowering risk to a reasonable level, not eliminating risk. • Ultimately, security comes from a “web of contracts” (in the legal sense) that impose liability when security is compromised. – E.g. Insurance is an important component of a secure eBusiness system. (SSL ≠ security).
e-Commerce Security Example • Web security is an essential element that gives consumers and producers confidence in, and acceptance of, the use of commercial applications. An e-commerce site needs to address the following security issues: – The interactions and transactions between a buyer and merchant must be strictly confidential and data integrity must be preserved. – A buyer and merchant must be able to verify each other’s identity. – The transaction records must be in a form that will hold up in a court of law.
Characteristics of a Secure System • Access control: – Only authorized individuals can access it. • Confidentiality: – Only authorized individuals can read the text. • Authentication: – The writers are who they say they are. • Non-repudiation: – The writers can't claim they didn't write it. • Integrity: – The document you received is the one I sent.
People are Human, not Stupid Any system that depends on abnormal behavior is insecure. The following behaviors are reasonable: –“Hi. This is Fred from IT. Can I have your password so I can check the system?” – “I can’t remember 50 passwords, so I use the same password everywhere.” • At one point 80% of the passwords at Berkeley were characters from the Lord of the Rings. – “I can’t remember long passwords.” – “I don’t have a clue what all that junk in the Security-Options dialog means!” • “If I enable security, I can’t browse!” • “The email came from a friend and got through the virus check, so why can’t I click on it?”
Hackers Exploit Bugs • Attacks that don’t exploit human factors exploit bugs. • All software has bugs in it. • Firewalls don’t protect against bugs. • The more popular (pervasive) the system, the more people will try to attack it. • Bad design (e.g. ActiveX) is a bug.
Worry about the right thing! • Nobody intercepts credit-card transmissions on the internet. • Lots of people hack into merchant databases and “harvest” credit-card numbers by the thousand. – Until recently, VISA did not require credit card numbers to be encrypted. – Even now, most merchant databases are still not encrypted, since there’s no mandatory audit requirement. – There are solutions (e.g. CitiCard single-use numbers)
Worry about the right thing(2) • Firewalls don’t protect against denial of service or bug-based attacks. • Firewalls have bugs too! • If your router is your firewall, someone can simultaneously hack into both! – Typically, layered systems with multiple firewalls (from different vendors) are used. • A bug in a subroutine in an app server is behind all of the above, and can be accessed through all of them.
How long will it take? • Not: "is it breakable?" But: "how long will it take to break it?" – Will the information have value at that time? • Consider a 4-wheel combination lock. How long to try every combination? – 10,000 possibilities (~13 bits), 1 every 2 seconds == 20,000 seconds (~5.5 hours) – 2 people, each trying ½ the codes: 2.750 hours – 4 people, each trying ¼ the codes: 1.375 hours – 10,000 people, each trying 1 code: 2 seconds
Cost of a Brute-Force Attack • Breaking a cipher is a function of: – number of possible keys (10,000 possibilities = ~13 bits) – cost of the hardware (number of processors) – time • Given enough time or enough money, you can crack anything. – Will the value of the text outlive the time required to break the encryption?
Risk Assessment: a simplistic quantitative model • SLE = AV x EF (SLE: Single Loss Expectancy; AV: Asset Value; EF: Exposure Factor, 0 - 100%) • ALE = SLE x ARO (ALE: Annualized Loss Expectancy; ARO: Annualized Rate of Occurrence, 0.0 = Never, 1.0 = Always; this is a frequency rather than a probability). E.g., a threat occurring once every 10 years has an ARO of 1/10 or 0.1; a threat occurring 10 times a year has an ARO of 10. Source: A Guide to Building Secure Web Applications and Web Services, The Open Web Application Security Project, http://www.owasp.org
What Affects Security? • Viruses, worms, Trojan horses • Phishing, identity theft • Physical security • Firewalls, network security • Defects in platform / patches • Authentication / authorization • Application security
Security Attacks On the Rise (2) • Hacking tools freely available • Business applications exposed on the internet • Increasing tangible and intangible costs • 75 percent of hacks happen at the application layer (layer diagram: Network, Web Server, App Server, Application, Database Server, Operating System)
Business At Risk • Brand and Intellectual Property losses • Legal / Regulatory costs • System abuse • System access denied • Data stolen, deleted, or modified • IT and end-user productivity costs
Security … Security … Security • Security incidents reported to CERT grew by 2,099% between 1998 and 2002 • Estimates put the cost of the MyDoom worm alone at over $4 billion • …several new versions have surfaced on the Internet … That could mean that bigger Doom is on the way …
Poor Software Quality: Root Cause of Security Vulnerabilities • 35% of all successful attacks are a result of software defects • Most vulnerabilities come from software implementation (coding) errors (Congressional Testimony, Richard D. Pethia, CERT Director) • Traditional testing will not identify security problems, since it looks for predictable user behavior, not unpredictable hacker attacks (Watts Humphreys of the SEI Institute)
How serious are we about software quality? • U.S. Average Defect Rate – 5.9 to 7 defects per thousand lines of code (Software Assessments, Benchmarks, and Best Practices by Capers Jones) • Software defects rates have increased 15% in 1999-2000 compared to 1997-1998 (Meta Group,January 2002)
The Defender’s Dilemma • The defender must defend all points • The defender can defend only against known attacks • The defender must be constantly vigilant • The defender must play by the rules
The Attacker’s Advantage • The attacker can choose the weakest point. • The attacker can probe for unknown vulnerabilities • The attacker can strike at will • The attacker can play dirty
The Defender’s Dilemma and the Attacker’s Advantage • The defender must defend all points; the attacker can choose the weakest point. • The defender can defend only against known attacks; the attacker can probe for unknown vulnerabilities • The defender must be constantly vigilant; the attacker can strike at will • The defender must play by the rules; the attacker can play dirty
Understanding the adversary • What would you do if you wanted to better understand your adversaries? • Talk to them? • Hackers tend to be one-trick ponies and focus on what worked yesterday • Hackers are not bound by ship pressure, no need to be efficient • Truth is studying hackers will just depress you • They have low-level C and assembly skills • They have access to thousands of freeware hacking tools • They read the thousands of hacker sites out there chock full of tips, hints and tutorials • We really need to understand all adversaries • Study today’s hacks and look forward to tomorrow’s • Understand how to close these issues efficiently and effectively • The answer: study how the hackers get in
Entry points are everywhere (diagram of the Application Under Test and its entry points) • User Input: Login screens, Web forms, Custom clients, … • OS: Resource starvation, Secret content, … • Libraries/network: Missing/Trojaned libraries, Corrupt packets, Bandwidth attacks, RPC/Web Services, … • Executable content/files: Remote files, Corrupt files, Secret content, …
From entry point to breach • A system can be breached in one of three* ways: – By sending it input it can’t or shouldn’t handle: code hidden in data, long strings, format strings, magic bullets, … – By rigging its environment: hiding code in files, Trojaning resources, … – By turning its own logic against it: alternate code paths, time of check vs. time of use, loop conditions, … • *Not counting social engineering and the insider threat
Proactive Security Development As defenders, software developers must always be vigilant and work smart. Security Principles to live by: • Secure by Design, Default and Deployment • Learn from Mistakes • Minimize Your Attack Surface • Use Least Privilege • Assume External Systems are Insecure • Remember that Security Features != Secure Features • Never Depend on Security by Obscurity Alone • Fix Security Issues Correctly • Plan on Failure
When Hackers Attack: why? • Monetary • Denial of Service/Publicity • Spammers • Extortionists • Eavesdropping ($$$) • Intellectual Property/Idea Theft • Script Kiddie fame • Black Hat
What Applications Need Protection? • Anything on the Internet • Any application contains IP that competitors would benefit from • If you have a reason to make something closed source
Categories of Application Security • Data Security • Encryption • Client-side Application Security • Licensing • IP Protection • Code Theft • Server Security • Limited to Interactional Interface
Data Security • Encryption works well for data • Sometimes, it's effectively perfect • All Encryption algorithms are crackable • It just might take millions of years • Small problems are usually solved • Keeping the key secret • Transporting the key
Vulnerability (diagram): the Application has two exposed surfaces, its Client Interface, open to reverse-engineering, and its Network Interface, open to interactional attacks.
Networked/Interactional Application Security
Interactional Security • In this context, we almost always want protection • Insecure apps can compromise servers • Compromised servers can be used as spambots or attack launch points
Interactional Security • Must limit interface vulnerability • The “max-security vs. min-usage” problem • No direct access to the running application • Indeed, if an attacker had that, we would probably no longer care about the server itself • Many possible attacks here • The infamous buffer overrun • Unexpected input
Interactional Security • Input Validation • Language environments such as Java/.NET prevent memory overwriting attacks • Prevent SQL injection • Prevent injected executables • Verify Ranges
Interactional Security • For most attacks good (perfect?) security is possible • Diligence in input validation • Smart information disclosure • Unpredictable session keys • No vital info in cookies • No informational errors to the client • DoS attacks: more complex, often app-external solutions
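As an added example (not from the original slides), the two input-validation points above side by side: a query built by string concatenation next to its parameterized form, and a range check on a numeric id before it reaches the database. It uses Python's built-in sqlite3 on a constructed in-memory table; the table and names are made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: three users in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Concatenation: whatever the client sends becomes part of the SQL text,
    # so a quote in the input changes the query rather than the data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Parameterized query: the value travels separately from the SQL and is
    # only ever compared, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_by_id(conn, raw_id, lo=1, hi=1000):
    # "Verify ranges": reject anything that is not an integer in [lo, hi]
    # before it reaches the query, instead of trusting the client.
    try:
        uid = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer")
    if not lo <= uid <= hi:
        raise ValueError("id out of range")
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (uid,))]
```

With the classic tautology input `x' OR '1'='1`, lookup_unsafe returns every user while lookup_safe returns none, which is exactly the difference the slide's "prevent SQL injection" bullet refers to.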
Network Security • Port Scan, e.g. nmap -sS -v -p1-65535, with output such as:
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
69/tcp filtered tftp
80/tcp open http
135/tcp filtered msrpc
• For on-demand services there is port-knocking • Packet Sniffing/Spoofing
Network Security • Packet Sniffing • Ethereal, Sniffit, Tcpdump • Packet Spoofing • Wardriving • Netstumbler • WEP Cracking • Airsnort
Application Security Access to the source
Applications are not Data* • At least as far as security goes* • Encryption doesn't work well for applications • Computers can't run encrypted programs • Problem = Deliver code a computer can understand that humans cannot • Encrypting class loaders worked (java) • For a minute or two anyway