Introduction to Software Security


What is Security?

Security /sɪˈkjʊərɪti/

noun

the state of being free from danger or threat.

synonyms:  certainty, safe future, assured future, safety, reliability, dependability, solidness, soundness

A successful organization should have multiple layers of security in place:

—Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.

—Personnel security: to protect the individual or group of individuals who are authorized to access the organization and its operations.

—Operations security: to protect the details of a particular operation or series of activities.

—Communications security: to protect an organization’s communications media, technology, and content.

—Network security: to protect networking components, connections, and contents.

—Information security: to protect the confidentiality, integrity and availability of information assets, whether in storage, in processing, or in transmission.

Basic Components

An Information System is secure if it supports CIA:

—Confidentiality

the classic mechanism is cryptography, which traditionally is used to protect secret messages. But cryptography protects data, not resources. Resources are protected by limiting the information available about them, for example by using firewalls or address translation mechanisms.

—Integrity

a good example here is an interrupted database transaction that leaves the database in an inconsistent state (this foreshadows the Clark-Wilson model). Integrity covers the trustworthiness of both the data and its origin, as the book's example notes. Because integrity is tied to trustworthiness, it is much harder to quantify than confidentiality. Cryptography provides mechanisms for detecting violations of integrity, not for preventing them (e.g., a digital signature can be used to determine whether data has changed, but not to stop the change).

—Availability

this is usually defined in terms of “quality of service,” in which authorized users are expected to receive a specific level of service (stated in terms of a metric). Denial of service attacks are attempts to block availability.


The History of Information Security

Began immediately following the development of the first mainframes

—Developed for code-breaking computations

—During World War II

—Multiple levels of security were implemented

Physical controls

Elementary

—Mainly composed of simple document classification

—Defending against physical theft, espionage, and sabotage

The need for computer security, or the need to secure the physical location of hardware from outside threats, began almost immediately after the first mainframes were developed.

Groups developing code-breaking computations during World War II created the first modern computers.

Badges, keys, and facial recognition of authorized personnel controlled access to sensitive military locations.

In contrast, information security during these early years was elementary and mainly composed of simple document classification schemes.

There were no application classification projects for computers or operating systems at this time, because the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.

The 1960s

Original communication by mailing tapes

Advanced Research Projects Agency (ARPA)

—Examined feasibility of networked communications

Larry Roberts developed ARPANET

Plan

—Link computers

—Resource sharing

—Link 17 Computer Research Centers

—Cost: $3.4M

ARPANET is predecessor to the Internet

During the 1960s, the Department of Defense's Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system designed to support the military's need to exchange information.

Larry Roberts, known as the founder of the Internet, developed the project from its inception.


References

Matt Bishop, Computer Security: Art and Science, lecture slides from the author's homepage, 2004.

Michael E. Whitman, Principles of Information Security, 4th ed., Chapter 1: Introduction to Information Security, 2011.

Chris Clifton, CS 526: Information Security, Purdue University, 2010.

Secure Programming: Buffer Overflow


Definition of Buffer Overflow

Buffer overflows = buffer overruns

Buffer overflow is an event that occurs when we have:

—Fixed-length data buffer (e.g., string)

—At least one value intended for buffer is written outside that buffer’s boundaries (usually past its end)

Some definitions also include reading outside buffer

NIST’s definition:
“A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.”

Buffer Overflow: A Well Known Problem

• Noted in “Computer Security Technology Planning Study” (1972)

• If exploitable

—Attacker can often completely control program

—Attacker can typically cause denial-of-service

– Many defenses simply downgrade from “control program” to DoS

• Still of major concern due to

—the legacy of widely deployed buggy code

—careless programming techniques

• Two types:

—Stack overrun: the buffer is on the stack; the attack is called "stack smashing"

—Heap overrun: the buffer is on the heap; the attack is called "heap smashing"

Buffer overflow Examples

• 1988: Morris worm – took down a large part of the Internet

— via gets() in the fingerd daemon

• 1998: University of Washington IMAP (mail) server

• 1999: RSA crypto reference implementation

— subverted PGP, OpenSSH, Apache's mod_ssl, etc.

• 2001: Code Red worm – buffer overflow in Microsoft’s Internet Information Services (IIS) 5.0

• 2003: SQL Slammer worm compromised machines running Microsoft SQL Server 2000

• ~2008: Twilight hack – unlocks Nintendo Wii consoles

— – Creates a strange long horse name for “The Legend of Zelda: Twilight Princess” that includes a program

Importance of Buffer Overflow

• “Practically every worm that has been unleashed in the Internet has exploited a buffer overflow vulnerability in some networking software.”*

A Real Buffer Overflow Example:
telnet service

• The Telnet protocol (telnet command) allows a user to establish a terminal session on a remote machine for the purpose of executing commands there.

• Telnet is not a secure service (everything, including passwords, crosses the network in cleartext), so remote terminal sessions are now normally created with SSH instead

• But it is still used:

—by human users to gain terminal access to other hosts

—for some computer-to-computer exchanges within networks

How Telnet works

• The Telnet server listens on TCP port 23 for incoming connection requests from Telnet clients

• A client runs the telnet program to establish a connection with a remote server

• The connection request carries the client's socket address

• Socket address = IP address + port number

• The server receives the client's socket address and sends back its own (its IP address and port 23); the two ends then exchange data over the established TCP connection

Attack on Telnet

• (10 Feb 2007) US-CERT (United States Computer Emergency Readiness Team) issued the following Vulnerability Note:

Vulnerability Note VU#881872

OVERVIEW: A vulnerability in the Sun Solaris telnet daemon (in.telnetd) could allow a remote attacker to log on to the system with elevated privileges.

Description: The Sun Solaris telnet daemon may accept authentication information via the USER environment variable. However, the daemon does not properly sanitize this information before passing it on to the login program, and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. …..

This vulnerability is being exploited by a worm …

• (31 Dec 2004) CISCO issued the following security advisory:

Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability

Document ID: 61671

Revision 2.4

Summary:

A specifically crafted TCP connection to a telnet or a reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, remote shell (RSH), secure shell (SSH), and in some cases HTTP access to the Cisco device. Data Link Switching (DLSw) and protocol translation connections may also be affected. Telnet, reverse telnet, RSH, SSH, DLSw and protocol translation sessions established prior to exploitation are not affected.

….

This vulnerability affects all Cisco devices that permit access via

telnet or reverse telnet…….

….

Telnet, RSH, and SSH are used for remote management of Cisco IOS devices. …

• (7 Feb 2002) Microsoft released the following security bulletin:

Microsoft Security Bulletin MS02-

Problem: A vulnerability exists in some Microsoft Telnet Server products that may cause a denial-of-service or allow an attacker to execute code on the system.

Platform:  Telnet Service in Microsoft Windows 2000

Damage: A successful attack could cause the Telnet Server to fail, or in some cases, may allow an attacker to execute code of choice on the system.

…..

Vulnerability Assessment: The risk is HIGH. Exploiting this vulnerability may allow an attacker complete control of the system.

Summary:

Unchecked buffer in telnet server could lead to arbitrary code execution

…..

The server implementation ….. contains unchecked buffers in code that handles the processing of telnet protocol options

Buffer Overflow Basics

• Caused by programming error

• Allows more data to be stored than the capacity of a fixed-size buffer

— the buffer can be on the stack, on the heap, or in global data

• Overwrites adjacent memory locations, causing

— corruption of program data

— unexpected transfer of control

— memory access violation

— execution of code chosen by the attacker
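As an added example (written for this page, not code from the cited lecture notes), the C program below places a fixed-size name buffer directly below a privilege flag inside one object, the way a local array sits below the saved frame pointer and return address on the stack, and runs a constructed oversized input through an unbounded copy and then through a bounded one. The struct, the function names and the inputs are all made up for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a stack frame: the fixed-size buffer sits at the lowest
 * address and the data an attacker wants to reach (here a privilege flag;
 * on a real stack the saved frame pointer and return address) lies directly
 * above it. Only the layout matters for the demonstration. */
typedef struct {
    char name[8];            /* fixed-length buffer: room for 7 chars + NUL */
    unsigned int is_admin;   /* adjacent memory that an overflow clobbers */
    unsigned char rest[64];  /* rest of the "frame", so demo inputs stay inside the object */
} frame_t;

/* Vulnerable copy: runs until the NUL terminator with no bound, exactly what
 * strcpy() and gets() do. It writes through the object's byte representation
 * so the effect on is_admin stays observable here; a real strcpy() past the
 * array is undefined behaviour and, with a stack canary, usually aborts the
 * process instead. Inputs longer than the frame would write past the object.
 * Returns the number of bytes written. */
static size_t unsafe_set_name(frame_t *f, const char *input)
{
    unsigned char *dst = (unsigned char *)f + offsetof(frame_t, name);
    size_t i = 0;
    do {
        dst[i] = (unsigned char)input[i];
    } while (input[i++] != '\0');
    return i;
}

/* Hardened copy: bounded by the destination size, rejects input that does not
 * fit rather than truncating it silently (truncation is its own bug class),
 * and always NUL-terminates. Returns 0 on success, -1 if rejected. */
static int safe_set_name(frame_t *f, const char *input)
{
    size_t len = 0;
    while (len < sizeof f->name && input[len] != '\0')
        len++;
    if (len == sizeof f->name)          /* 8 or more bytes: no room for the NUL */
        return -1;
    memcpy(f->name, input, len + 1);    /* bounded copy including the terminator */
    return 0;
}

/* Privilege flag after pushing input through the vulnerable path. */
unsigned int privilege_after_unsafe(const char *input)
{
    frame_t f;
    memset(&f, 0, sizeof f);
    unsafe_set_name(&f, input);
    return f.is_admin;
}

/* Privilege flag after the hardened path (always 0). */
unsigned int privilege_after_safe(const char *input)
{
    frame_t f;
    memset(&f, 0, sizeof f);
    (void)safe_set_name(&f, input);
    return f.is_admin;
}

/* Whether the hardened path accepts the input: 0 accepted, -1 rejected. */
int safe_accepts(const char *input)
{
    frame_t f;
    memset(&f, 0, sizeof f);
    return safe_set_name(&f, input);
}

int main(void)
{
    /* Constructed inputs: a name that fits and a 20-byte name that does not. */
    const char *ok_name = "alice";
    const char *long_name = "AAAAAAAAAAAAAAAAAAAA";

    printf("unsafe, \"alice\"  : is_admin = 0x%x\n", privilege_after_unsafe(ok_name));
    printf("unsafe, 20 x 'A' : is_admin = 0x%x (bytes 8..11 of the input)\n",
           privilege_after_unsafe(long_name));
    printf("safe,   20 x 'A' : is_admin = 0x%x, accepted = %d\n",
           privilege_after_safe(long_name), safe_accepts(long_name));
    return 0;
}
```

Compile with any C99 compiler and run. The unbounded copy leaves is_admin = 0x41414141 ("AAAA"), the four input bytes that landed past the end of name; on a real stack the same bytes would land in the return address. The bounded version rejects the input instead of truncating it, because a silently truncated path or user name may still be accepted and mean something different from what was sent.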


Programming languages & buffer overflow

• Some languages allow buffer overflow

— C, C++, Objective-C, Vala, Forth, assembly language

• Most languages counter buffer overflow

— Ada strings, Pascal: detect/prevent overflow with bounds checks

— Java, Python, Perl, Ada Unbounded_String: auto-resize

• Using other languages doesn't give immunity

— most language implementations are written in C/C++

— many libraries/components/OSs include C/C++

— some languages/compilers allow disabling the protection (including C# unsafe blocks and Ada pragma Suppress)

— choosing another language helps, but not completely


References

Avinash Kak, Buffer Overflow Attack, Computer & Network Security, Purdue University, April 2016.

David A. Wheeler, Secure Software Design & Programming: Low-level attacks (Buffer overflow and friends), SWE 681/ISA 681, George Mason University, Aug 2014.

Hossein Saiedian, Computer Security: Principles and Practice, Chapter 10: Buffer Overflow, University of Kansas, Fall 2014.

UO Security Club, Stack Buffer Overflow, Fall 2014.

Top Security Problems in Programming


Introduction


Introduction: HTTP GET and POST

– Two HTTP request methods: GET and POST

Two commonly used methods for a request-response between a client and server are:

—GET: requests data from a specified resource

—POST: submits data to be processed to a specified resource

– The GET Method

—Note that the query string (name/value pairs) is sent in the URL of a GET request:

/test/demo_form.asp?name1=value1&name2=value2

Some other notes on GET requests:

—GET requests can be cached

—GET requests remain in the browser history

—GET requests can be bookmarked

—GET requests should never be used when dealing with sensitive data (the query string ends up in browser history, in proxy and server logs, and in Referer headers)

—GET requests have length restrictions (imposed by browsers and servers, not by the protocol)

—GET requests should be used only to retrieve data

– The POST Method

—Note that the name/value pairs are sent in the HTTP message body of a POST request, after the blank line that ends the headers:

POST /test/demo_form.asp HTTP/1.1
Host: w3schools.com

name1=value1&name2=value2

Some other notes on POST requests:

—POST responses are not cached by default

—POST requests do not remain in the browser history

—POST requests cannot be bookmarked

—POST requests have no length restriction imposed by the protocol (servers usually configure one)
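As an added example (written for this page; not code from W3Schools or from the cited lecture notes), here is a small C parser that extracts form parameters from a raw HTTP request: from the query string for GET, from the body for POST. It also answers the security question behind the "never use GET for sensitive data" rule, namely whether a value appears in the request line, which is the part that access logs, proxies and browser history record. The two requests and the host name are constructed for the demo; for simplicity the body is taken as everything after the blank line, whereas a real server must honour Content-Length.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 16
#define MAX_LEN 64

typedef struct { char name[MAX_LEN]; char value[MAX_LEN]; } param_t;

typedef struct {
    char method[8];
    char path[128];
    param_t params[MAX_PARAMS];
    int nparams;
} request_t;

static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    if (isxdigit(c)) return tolower(c) - 'a' + 10;
    return -1;
}

/* Percent-decode one form component into dst (capacity cap), stopping at any
 * character in stops. '+' means space in form encoding. Output is bounded and
 * always NUL-terminated; bytes that do not fit are dropped, never written past
 * the end. Returns the number of source bytes consumed. */
static size_t decode_component(const char *src, const char *stops, char *dst, size_t cap)
{
    size_t i = 0, o = 0;
    while (src[i] != '\0' && strchr(stops, src[i]) == NULL) {
        int c = (unsigned char)src[i];
        if (c == '+') {
            c = ' '; i++;
        } else if (c == '%' && hexval((unsigned char)src[i + 1]) >= 0
                            && hexval((unsigned char)src[i + 2]) >= 0) {
            c = hexval((unsigned char)src[i + 1]) * 16 + hexval((unsigned char)src[i + 2]);
            i += 3;
        } else {
            i++;
        }
        if (o + 1 < cap) dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return i;
}

/* Parse "a=1&b=2" (application/x-www-form-urlencoded) into out[]; returns the count. */
int parse_form(const char *s, param_t *out, int max)
{
    int n = 0;
    while (*s != '\0' && n < max) {
        s += decode_component(s, "=&", out[n].name, MAX_LEN);
        if (*s == '=') {
            s++;
            s += decode_component(s, "&", out[n].value, MAX_LEN);
        } else {
            out[n].value[0] = '\0';
        }
        if (out[n].name[0] != '\0') n++;   /* ignore empty names such as "&&" */
        if (*s == '&') s++;
    }
    return n;
}

/* Parse a raw HTTP/1.x request. Parameters come from the query string for GET
 * and from the body for POST. Demo simplification: the body is everything
 * after the blank line (a real server must use Content-Length).
 * Returns 0 on success, -1 on malformed input. */
int parse_request(const char *raw, request_t *req)
{
    memset(req, 0, sizeof *req);
    const char *sp = strchr(raw, ' ');
    if (sp == NULL || (size_t)(sp - raw) >= sizeof req->method) return -1;
    memcpy(req->method, raw, (size_t)(sp - raw));

    const char *target = sp + 1;
    size_t tlen = strcspn(target, " \r\n");
    const char *q = memchr(target, '?', tlen);
    size_t plen = q ? (size_t)(q - target) : tlen;
    if (plen >= sizeof req->path) return -1;
    memcpy(req->path, target, plen);

    if (strcmp(req->method, "GET") == 0 && q != NULL) {
        char query[256];
        size_t qlen = tlen - plen - 1;
        if (qlen >= sizeof query) return -1;
        memcpy(query, q + 1, qlen);
        query[qlen] = '\0';
        req->nparams = parse_form(query, req->params, MAX_PARAMS);
    } else if (strcmp(req->method, "POST") == 0) {
        const char *body = strstr(raw, "\r\n\r\n");
        if (body == NULL) return -1;
        req->nparams = parse_form(body + 4, req->params, MAX_PARAMS);
    }
    return 0;
}

/* Decoded value of name in raw, or NULL. Static storage: valid until the next call. */
const char *lookup(const char *raw, const char *name)
{
    static request_t req;
    if (parse_request(raw, &req) != 0) return NULL;
    for (int i = 0; i < req.nparams; i++)
        if (strcmp(req.params[i].name, name) == 0) return req.params[i].value;
    return NULL;
}

/* Does the request line alone (what logs, proxies and history record) contain needle? */
int first_line_has(const char *raw, const char *needle)
{
    size_t len = strcspn(raw, "\r\n");
    const char *hit = strstr(raw, needle);
    return hit != NULL && (size_t)(hit - raw) < len;
}

/* Constructed requests; example.com is a placeholder host. */
static const char GET_REQ[] =
    "GET /login?user=alice&password=hunter2 HTTP/1.1\r\n"
    "Host: example.com\r\n\r\n";
static const char POST_REQ[] =
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 34\r\n\r\n"
    "user=alice&password=hunter%262%20x";

int main(void)
{
    printf("GET  password=%s\n", lookup(GET_REQ, "password"));
    printf("GET  password in request line: %d\n", first_line_has(GET_REQ, "password"));
    printf("POST password=%s\n", lookup(POST_REQ, "password"));
    printf("POST password in request line: %d\n", first_line_has(POST_REQ, "password"));
    return 0;
}
```

The GET form of the login puts the password into the request line, so it is written to every access log on the path; the POST form keeps it in the body, which is normally not logged. Note that this changes only where the value is written down, not how it travels: both are cleartext on the wire without TLS.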

Compare GET vs. POST


OWASP Top 10

OWASP: Open Web Application Security Project

The OWASP Foundation is a not-for-profit entity that ensures the project’s long-term success.

Historically, OWASP has produced a new Top 10 roughly every three years: 2004, 2007, 2010, 2013 and 2017. The list below is the 2013 edition:

A1- Injection

A2- Broken Authentication and Session Management

A3- Cross-Site Scripting (XSS)

A4- Insecure Direct Object References

A5- Security Misconfiguration

A6- Sensitive Data Exposure

A7- Missing Function Level Access Control

A8- Cross-Site Request Forgery (CSRF)

A9- Using Components with Known Vulnerabilities

A10- Unvalidated Redirects and Forwards


CWE/SANS Top 25 Most Dangerous Programming Errors

• The Common Weakness Enumeration (CWE):

—A formal list of software weakness types

—Sponsored by the National Cyber Security Division in the US Department of Homeland Security

• The SANS (SysAdmin, Audit, Network, Security) Institute

—Established in 1989 as a cooperative research and education organization

• Source: http://www.sans.org/top25errors/

• Category of weaknesses:

—Insecure Interaction Between Components (6 errors)

– Related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems

—Risky Resource Management (8 errors)

–  Related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

—Porous Defenses (11 errors)

– Related to defensive techniques that are often misused, abused, or just plain ignored.


Static Security Analysis


Introduction

– A static analyzer is to code what a spell checker is to prose

– A clean result from static analysis doesn't guarantee that the code is perfect;

– It just indicates that the code is free of certain kinds of common problems

– Security problems can result from

—the same kind of simple mistakes that lead a good speller to occasionally make a typo

—a lack of understanding of what secure programming requires

Capabilities of Static Analysis

Static analysis tools apply checks thoroughly and consistently, without any of the bias that a programmer might have

—about which pieces of code are “interesting” from a security perspective or

—which pieces of code are easy to exercise through dynamic testing.

By examining the source code, static analysis tools can often point to the root cause of a security problem, not just one of its symptoms.

This is important for making sure that vulnerabilities are fixed properly

Static analysis can find errors early in development, even before the program is run for the first time.

—reduces the cost of fixing the error

—the quick feedback cycle can help programmer

A programmer has the opportunity to correct mistakes he or she wasn’t previously aware could even happen.

Static analysis tools act as a means of knowledge transfer.

When a new attack is discovered, static analysis tools make it easy to recheck a large body of code

—Some security defects exist in software for years before they are discovered, which makes the ability to review legacy code for newly discovered types of defects invaluable.

Limitations of Static Analysis

A false positive is a problem reported in a program when no problem actually exists.

A false negative is a problem that exists in the program but that the tool does not report.

The most common complaint against static analysis tools is too many false positives, also known as false alarms (too much noise).

—False positives are certainly undesirable, but from a security perspective, false negatives are much worse: a false positive costs an analyst's time, a false negative ships a vulnerability.

For a static analysis tool to catch a defect, the defect must be visible in the code.

—Design-level vulnerabilities are often impossible to infer from the implementation alone.
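As an added illustration of the spell-checker analogy and of false positives and negatives (example code written for this page, not from the cited book or from any real tool), here is a minimal lint-style checker in C that flags calls to unbounded string functions. It skips comments and string literals, so it avoids the false positives a plain grep for "strcpy" produces, and the constructed sample program contains a false negative it cannot see: a macro that hides strcpy behind another name. The banned-function list and the sample source are both made up for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Functions that lint-style checkers commonly flag: unbounded writes. */
static const char *const BANNED[] = { "gets", "strcpy", "strcat", "sprintf" };
#define NBANNED (sizeof BANNED / sizeof BANNED[0])

/* Is the identifier text[start..end) a call to a banned function? Requires an
 * exact identifier match followed (after optional blanks) by '(' so that a
 * variable named strcpy_count or a macro operand is not reported. */
static int is_banned_call(const char *text, size_t start, size_t end)
{
    size_t len = end - start, j = end;
    while (text[j] == ' ' || text[j] == '\t') j++;
    if (text[j] != '(') return 0;
    for (size_t k = 0; k < NBANNED; k++)
        if (strlen(BANNED[k]) == len && memcmp(text + start, BANNED[k], len) == 0)
            return 1;
    return 0;
}

/* Scan one line and print each finding; returns the number of findings.
 * Skips // comments, block comments (tracked across lines via *in_block) and
 * string literals, so text that merely mentions strcpy is not reported. */
int scan_line(const char *line, int lineno, int *in_block)
{
    int findings = 0;
    size_t i = 0, n = strlen(line);
    while (i < n) {
        if (*in_block) {
            if (line[i] == '*' && line[i + 1] == '/') { *in_block = 0; i += 2; }
            else i++;
            continue;
        }
        if (line[i] == '/' && line[i + 1] == '/') break;               /* line comment */
        if (line[i] == '/' && line[i + 1] == '*') { *in_block = 1; i += 2; continue; }
        if (line[i] == '"') {                                           /* string literal */
            i++;
            while (i < n && line[i] != '"') { if (line[i] == '\\') i++; i++; }
            i++;
            continue;
        }
        if (isalpha((unsigned char)line[i]) || line[i] == '_') {       /* identifier */
            size_t start = i;
            while (i < n && (isalnum((unsigned char)line[i]) || line[i] == '_')) i++;
            if (is_banned_call(line, start, i)) {
                printf("line %d: call to %.*s() is unbounded; use a length-checked alternative\n",
                       lineno, (int)(i - start), line + start);
                findings++;
            }
            continue;
        }
        i++;
    }
    return findings;
}

/* Scan a whole source text (lines separated by '\n'); returns total findings. */
int scan_source(const char *src)
{
    int total = 0, lineno = 1, in_block = 0;
    char line[256];
    while (*src != '\0') {
        size_t len = strcspn(src, "\n");
        size_t copy = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, src, copy);
        line[copy] = '\0';
        total += scan_line(line, lineno++, &in_block);
        src += len;
        if (*src == '\n') src++;
    }
    return total;
}

/* Constructed sample program, not taken from any real code base. */
static const char SAMPLE[] =
    "#include <string.h>\n"
    "#define COPY strcpy\n"                    /* macro alias: hides the call below */
    "/* strcpy is avoided here, see COPY */\n" /* comment: must not be reported */
    "int main(void) {\n"
    "    char buf[16];\n"
    "    gets(buf);\n"                         /* finding 1: unbounded read */
    "    sprintf(buf, \"%s\", \"x\");\n"       /* finding 2: unbounded write */
    "    COPY(buf, \"y\");\n"                  /* false negative: strcpy via macro */
    "    puts(\"never call strcpy()\");\n"     /* string literal: must not be reported */
    "    return 0;\n"
    "}\n";

int main(void)
{
    printf("%d finding(s)\n", scan_source(SAMPLE));
    return 0;
}
```

Run against the sample it reports two findings (gets and sprintf) and stays silent on the comment and the string literal, but it also stays silent on COPY(buf, "y"), which is a strcpy in disguise. That is the general shape of the trade-off above: the cheap, purely lexical checker is consistent and fast, but anything not visible at the token level (macros, function pointers, calls through wrappers, design flaws) is a false negative, which is why real tools work on a parsed and preprocessed representation rather than on raw text.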

Categories of Static Analysis Tools

Static analysis is used more widely than many people realize, partially because there are many kinds of static analysis tools

Categories

—Type checking

—Style checking

—Program understanding

—Program verification

—Property checking

—Bug finding

—Security review

Type Checking

The most widely used form of static analysis

Most programmers are familiar with it

The rules of type checking are typically defined by the programming language and enforced by the compiler

So the programmer gets little say in when the analysis is performed or how it works.

Type checking removes entire categories of programming mistakes

Type checking suffers from false positives and false negatives just like all other static analysis techniques

Interestingly, programmers rarely complain about a type checker’s limitations

Type Checking False Positive Examples


Style Checking

Style Checkers generally enforce a pickier and more superficial set of rules than a type checker.

Pure style checkers enforce rules related to whitespace, naming, deprecated functions, commenting, program structure, ….

Because many programmers are attached to their own version of good style, most style checkers are quite flexible about the set of rules they enforce.

The errors produced by style checkers often affect the readability and the maintainability of the code but do not indicate that a particular error will occur

Over time, some compilers have implemented optional style checks

Many open source and commercial style checkers are available; a well-known one is lint.


References

Brian Chess and Jacob West, Secure Programming with Static Analysis, 2008, Chapters 2, 3, 4.

Secure Software Development


Software Security

Software security as part of the larger problem of developing robust, reliable code

Describe the relationship between software security and:

• Corporate information security policies

• Corporate risk strategies

Why is most software insecure?

Many developers don't know how to develop secure software

—Most universities don't have it in their syllabi, or it is an optional graduate-level course, not required in undergrad

—Programming books/courses don't teach it

—Some common operations are intrinsically dangerous (esp. in C)

—Most developers don't think like an attacker: "How could this be attacked?"

—Developers don't learn from others' security mistakes: most vulnerabilities are caused by the same mistakes, repeated for 40+ years

Customers can't easily evaluate software security

Managers don't always resource/train adequately

What is “Software Security”?

NOT just a set of features

Secure software > Security software

Although tools and experts are helpful,

—•You can’t just deploy a magical tool and expect all vulnerabilities to disappear

—•You can’t outsource all of your security knowledge

Even if you are using a security library, know how to use it properly

NOT a problem for just mathematicians

NOT just using Cryptography

—Cryptography

– is important and needed

– cannot solve all of your security problems

Proofs, access control rules, and verification are helpful, but inherently incomplete

NOT a problem for just networking and operating systems

Software had security problems long before we had the internet

If you left a window open in your house, would you try to fix the roads?

A reality that everyone must face

—not just developers: all stakeholders

A learnable mindset for software engineers

The ability to prevent unintended functionality

—at all layers of the stack

—in all parts of your system

Myths

Security is only required in the OS

—only 15% of vulnerabilities are OS vulnerabilities

I only need a good patch strategy

—mean time to attack has fallen from 330 days to 2 weeks

I have a firewall, antivirus and an IDS

—92% of vulnerabilities are in application software, not in the network

Functional testing finds security defects

—good practices from design to deployment are required

I use tested components in Java (or .NET)

—this only helps with some classes of problem

I use cryptography

—it helps with some threats, but it is just one tool in the toolbox

Which Approach?

Defense in depth: Having multiple defense mechanisms (“layers”) in place, so that an attacker has to defeat multiple mechanisms to perform a successful attack

Defense in breadth: Applying approaches to develop secure software throughout the lifecycle

Developing secure software requires actions throughout lifecycle

—"Defense-in-breadth"

Traditional Software Engineering

Many years of software development experience created a well defined application software development lifecycle


There are many software development methodologies (e.g., XP, waterfall); they all share the same basic phases: requirements, design, implementation, testing, deployment and maintenance.

The Capability Maturity Model for Software (SW-CMM) is used to measure the maturity of the development process employed.


References

David A. Wheeler, Secure Software Design & Programming, SWE 681/ISA 681, George Mason University, Jan 2015.

SE 331: Engineering Secure Software, Rochester Institute of Technology, May 2014.

Dimitry Averin, Security Engineering for Software, CS996: Information Security Management, NYU Polytechnic School of Engineering, 2005.

Pascal Meunier, Secure Software Engineering, Purdue University.

Microsoft, Security Development Lifecycle.