CSC 382/582: Computer Security - PowerPoint PPT Presentation

csc 382 582 computer security n.
Skip this Video
Loading SlideShow in 5 Seconds..
CSC 382/582: Computer Security PowerPoint Presentation
Download Presentation
CSC 382/582: Computer Security

play fullscreen
1 / 87
Download Presentation
CSC 382/582: Computer Security
Download Presentation

CSC 382/582: Computer Security

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. CSC 382/582: Computer Security Software Security CSC 382/582: Computer Security

  2. Topics • Why Software? • What is Software Security? • Vulnerabilities • CVE Top 8 Security Bugs • Secure design principles and processes • Secure programming • Code reviews • Security testing CSC 382/582: Computer Security

  3. The Problem is Software “Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.” John Viega & Gary McGraw CSC 382/582: Computer Security

  4. Traditional Security is Reactive • Perimeter defense (firewalls) • Intrusion detection • Over-reliance on cryptography • Penetrate and patch CSC 382/582: Computer Security

  5. Penetrate and Patch Discover flaws after deployment. Often by attackers. Users may not deploy patches. Patches may have security flaws (15%?) Patches are maps to vulnerabilities. Attackers reverse engineer to create attacks. CSC 382/582: Computer Security

  6. A Growing Problem CSC 382/582: Computer Security

  7. Why is Software Security poor? • Security is seen as something that gets in the way of software functionality. • Security is difficult to assess and quantify. • Security is often not a primary skill or interest of software developers. • Time spent on security is time not spent on adding new and interesting functionality. CSC 382/582: Computer Security

  8. The Trinity of Trouble • Complexity • Continually increasing. • Windows 3.1 (3mloc) to Windows XP (40mloc) • Extensibility • Plugins. • Mobile code. • Connectivity • Network access. • Wireless networking. CSC 382/582: Computer Security

  9. Software Complexity 5-50 bugs per/kloc8 • 5/kloc: rigorous quality assurance testing (QA) • 50/kloc: typical feature testing CSC 382/582: Computer Security

  10. Software Connectivity • Internet connectivity nearly ubiquitous. • 802.11 wireless networking. • Bluetooth wireless personal area networking. • Embedded devices often networked. • Can your cellphone get a virus? • Symbian Bluetooth virus released in 2004. • Can your automobile get a virus? • BT discovery reveals embedded BT devices in high-end cars. CSC 382/582: Computer Security

  11. What is Software Security? • Producing software that functions correctly even when under attack. • Integrating security practices throughout the software development lifecycle: • Requirements • Design • Coding • Testing CSC 382/582: Computer Security

  12. What isn’t Software Security? • Software security != Security software • Anti-virus software can be insecure. • Authentication software can be insecure. • Firewalls can be insecure. • Software security isn’t a function • It’s an emergent property like reliability or usability. CSC 382/582: Computer Security

  13. Vulnerabilities • Vulnerability: A defect in software that allows security policy to be violated. • Confidentiality • Integrity • Availability • Ex: Allowing users to create self-replicating objects on a game server. • Exploit: A program that exercises a vulnerability. CSC 382/582: Computer Security

  14. Attack of the Rings • Second Life denial of service attack Nov 19 • Rings multiplied when interacted with. • Heavy database load resulted in DoS attack. • Third attack since September 2006. • Incident response faster than in prior attacks. CSC 382/582: Computer Security

  15. Vulnerability Databases • Collect vulnerability reports. • Vendors maintain databases with patches for their own software. • Security firms maintain databases of vulnerabilities that they’ve discovered. • Well known vulnerability databases • CERT • CVE • NVD • OSVDB CSC 382/582: Computer Security

  16. Why Vulnerability Databases? • Know about vulnerabilities to software that you have deployed so you can mitigate them. • Learn about vulnerability trends. If a JPG library bug is discovered, does the same type of bug exist in GIF or PNG libraries? • Learn about security problems to prevent when you’re programming. CSC 382/582: Computer Security

  17. CVE: Common Vulnerabilities and Exposures • Problem: Different researchers and vendors call vulnerabilities by different names. • Solution: CVE, a dictionary that provides • A common public name for each vulnerability. • A common standardized description. • Allows different tools / databases to interoperate. CSC 382/582: Computer Security

  18. CVE-2002-1185 Name: CVE-2002-1185 Status: Entry Description: Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure." References • VULNWATCH:20021211 PNG Deflate Heap Corruption Vulnerability • BUGTRAQ:20021212 PNG Deflate Heap Corruption Vulnerability • EEYE:AD20021211 • MS:MS02-066 • XF:ie-png-bo(10662) • BID:6216 • OVAL:oval:org.mitre.oval:def:393 CSC 382/582: Computer Security

  19. NVD: National Vulnerability DB Collects all publicly available government vulnerability resources. • HTML and XML output at • Uses CVE naming scheme. • Links to industry and govt reports. • Provides CVSS severity numbers. • Links to OVAL repository. CSC 382/582: Computer Security

  20. Categories of Security Flaws • Architectural/design-level flaws: security issues that original design did not consider or solve correctly. • Implementation flaws: errors made in coding the design. • Operational flaws: problems arising from how software is installed or configured. CSC 382/582: Computer Security

  21. Architecture/Design Flaws • Race Condition • Application checks access control, then accesses a file as two separate steps, permitting an attacker to race program and substitute the accessible file for one that’s not allowed. • Replay Attack • If an attacker can record a transaction between a client and server at one time, then replay part of the conversation without the application detecting it, a replay attack is possible. • Sniffing • Since only authorized users could directly access network in original Internet, protocols like telnet send passwords in the clear. CSC 382/582: Computer Security

  22. Implementation Flaws • Buffer overflow • Application with fixed-size buffer accepts unlimited length input, writing data into memory beyond buffer in languages w/o bounds checking like C/C++. • Input validation • Application doesn’t check that input has valid format, such as not checking for “../” sequences in pathnames, allowing attackers to traverse up the directory tree to access any file. • Back door • Programmer writes special code to bypass access control system, often for debugging or maintenance purposes. CSC 382/582: Computer Security

  23. Operational Flaws • Denial of service • System does not have enough resources or ability to monitor resources to sustain availability under large number of requests. • Default accounts • Default username/password pairs allow access to anyone who knows default configuration. • Password cracking • Poor passwords can be guessed by software using dictionaries and permutation algorithms. CSC 382/582: Computer Security

  24. CVE Top 8 Vulnerabilities • Cross-site Scripting • SQL Injection • PHP Includes • Buffer Overflows • Path Traversal • Information Leak • DOS Malformed Input • Integer Overflow CSC 382/582: Computer Security

  25. CVE #1: Cross-site Scripting • Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing. • Typical Goal: obtain user auth cookies for • Bank site (transfer money to attacker) • Shopping site (buy goods for attacker) • E-mail CSC 382/582: Computer Security

  26. Anatomy of an XSS Attack Web Server 8. Attacker uses stolen cookie to hijack user session. 1. Login 2. Cookie User Attacker 5. XSS URL 3. XSS Attack 6. Page with injected code. 7. Browser runs injected code. 4. User clicks on XSS link. Evil Site saves cookie. CSC 382/582: Computer Security

  27. CVE #2: SQL Injection Web applications pass parameters when accessing a SQL database. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application. $sql = “SELECT count(*) from users where username = ‘$username’ and password = ‘$password’”; • Unauthorized Access Attempt: password = ’ or 1=1 -- • SQL statement becomes: • select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- • Checks if password is ‘’ OR 1=1, which is always true. CSC 382/582: Computer Security

  28. CVE #3: PHP Includes A PHP product uses "require" or "include" statements, or equivalent statements, that use attacker-controlled data to identify code or HTML to be directly processed by the PHP interpreter before inclusion in the script. <?php //config.php $server_root = '/my/path'; ?> <?php //include.php include($server_root . '/someotherfile.php'); ?> <?php // index.php include('config.php'); include('include.php'); // Script body ?> GET /include.php?server_root= CSC 382/582: Computer Security

  29. CVE-2006-5904 Overview Multiple PHP remote file inclusion vulnerabilities in MWChat Pro 7.0 allow remote attackers to execute arbitrary PHP code via a URL in the CONFIG[MWCHAT_Libs] parameter to (1) about.php, (2) buddy.php, (3) chat.php, (4) dialog.php, (5) head.php, (6) help.php, (7) index.php, and (8) license.php, different vectors than CVE-2005-1869.   Impact CVSS Severity:7.0 (High) Range: Remotely exploitable Authentication: Not required to exploit Impact Type: Provides unauthorized access CSC 382/582: Computer Security

  30. CVE #4: Buffer Overflows A program accepts too much input and stores it in a fixed length buffer that’s too small. char A[8]; short B; gets(A); CSC 382/582: Computer Security

  31. CVE-2006-4565 Overview Heap-based buffer overflow in Mozilla Firefox before, Thunderbird before, and SeaMonkey before 1.0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a JavaScript regular expression with a "minimal quantifier.“ Impact CVSS Severity:7.0 (High) Range: Remotely exploitable Authentication: Not required to exploit Impact Type: Provides unauthorized access , Allows disruption of service CSC 382/582: Computer Security

  32. CVE #5: Directory Traversal The software, when constructing file or directory names from input, does not properly cleanse special character sequences that resolve to a file or directory name that is outside of a restricted directory. $filename = “/usr/local/www/template/$usertemp”; open TEMP, $filename; while (<TEMP>) { print; } GET /vulnerable?usertemp=../../../../etc/passwd CSC 382/582: Computer Security

  33. CVE-2006-6033 Overview Multiple directory traversal vulnerabilities in Simple PHP Blog (SPHPBlog), probably 0.4.8, allow remote attackers to read arbitrary files and possibly include arbitrary PHP code via a .. (dot dot) sequence in the blog_theme parameter in (1) index.php, (2) add_cgi.php, (3) add_link.php, (4) login.php, (5) template.php, or (6) contact.php.   Impact CVSS Severity: 7.0 (High) Range: Remotely exploitable Authentication: Not required to exploit Impact Type: Provides unauthorized access CSC 382/582: Computer Security

  34. CVE #8: Integer Overflow An integer overflow is when integer operations produce a value that exceeds the computer’s maximum integer value, causing the value to “wrap around” to a negative value or zero. CSC 382/582: Computer Security

  35. 32-bit Integer Quiz • What two non-zero integers x and y satisfy the equation x * y = 0? • What negative integer (-x) has no corresponding positive integer (x)? • List two integers x and y, such that x + y < 0. • What is the unique negative integer x that has the propery x + x = 0? CSC 382/582: Computer Security

  36. Quiz Answers • 65536 * 65536 = 0 or 256 * 16777256 = 0 or any x * y = 232 2. -2147483648 • 2147483647 + 1 = -2147483648 • -2147483648 + -2147483648 = 0 CSC 382/582: Computer Security

  37. Are Integer Overflows Important? • Broward County November 2004 election • Amendment 4 vote was reported as tied. • Software from ES&S Systems reported a large negative number of votes. • Discovery revealed that Amendment 4 had passed by a margin of over 60,000 votes. CSC 382/582: Computer Security

  38. How can design securely? What about using checklists? • Learn from our and others’ mistakes. • Avoid known errors: buffer overflow, code injection, race conditions, etc. • Too many known problems. • What about unknown problems? CSC 382/582: Computer Security

  39. How can design securely? • Think about security from the beginning. • Evaluate threats and risks in requirements. • Once we understand our threat model, then we can begin designing an appropriate solution. • Security requirements • Confidentiality • Integrity • Availability CSC 382/582: Computer Security

  40. How can design securely? Apply Secure Design Principles • Guidelines for security design. • Not a guarantee of security. • Tradeoffs between different principles CSC 382/582: Computer Security

  41. Security Design Principles • Least Privilege • Fail-Safe Defaults • Economy of Mechanism • Complete Mediation • Open Design • Separation of Privilege • Least Common Mechanism • Psychological Acceptability CSC 382/582: Computer Security

  42. Least Privilege • A subject should be given only those privileges necessary to complete its task. • Function, not identity, controls. • Rights added as needed, discarded after use. • Minimal protection domain. • Most common violation: • Running as administrator or root. • Use runas or sudo instead. CSC 382/582: Computer Security

  43. Least Privilege Example • Problem: A web server. • Serves files under /usr/local/http. • Logs connections under /usr/local/http/log. • HTTP uses port 80 by default. • Only root can open ports < 1024. • Solution: • Web server runs as root user. • How does this solution violate the Principle of Least Privilege and how could we fix it? CSC 382/582: Computer Security

  44. How do we run with least privilege? • List required resources and special tasks • Files • Network connections • Change user account • Backup data • Determine what access you need to resources • Access Control model • Do you need create, read, write, append, etc.? CSC 382/582: Computer Security

  45. Fail-Safe Defaults • Default action is to deny access. • If an entity isn’t explictly given access, it does not have access to a resource. • Example: Use whitelists to accept valid input instead of blacklists to deny bad input. • Question • When a switch receives too many MAC addresses to store MAC address/port mappings, it reverts to behaving as a hub: sending all packets to all ports. • Do switches follow the principle of fail-safe defaults? CSC 382/582: Computer Security

  46. Fail Safe Defaults Example • Problem: Retail credit card transaction. • Card looked up in vendor database to check for stolen cards or suspicious transaction pattern. • What happens if system cannot contact vendor? • Solution • No authentication, but transaction is logged. • How does this system violate the Principle of Fail-Safe Defaults? CSC 382/582: Computer Security

  47. Economy of Mechanism • Keep it as simple as possible (KISS). • Use the simplest solution that works. • Fewer cases and components to fail. • Reuse known secure solutions • i.e., don’t write your own cryptography. CSC 382/582: Computer Security

  48. Economy of Mechanism Example • Problem: SMB File Sharing Protocol. • Used since late 1980s. • Newer protocol version protects data integrity by employing packet signing technique. • What do you do about computers with older versions of protocol? • Solution: • Let client negotiate which SMB version to use. • How does this solution violate economy of mechanism? CSC 382/582: Computer Security

  49. Complete Mediation • Check every access. • Usually checked once, on first access: • UNIX: File ACL checked on open(), but not on subsequent accesses to file. • If permissions change after initial access, unauthorized access may be permitted. • Performance vs. security tradeoff. CSC 382/582: Computer Security

  50. Open Design • Security should not depend on secrecy of design or implementation. • Popularly misunderstood to mean that source code should be public. • “Security through obscurity” • Refers to security policy and mechanism, not simple user secrets like passwords and cryptographic keys. CSC 382/582: Computer Security