Identifying unknown Vulnerabilities

Size: px

Start display at page:

Download "Identifying unknown Vulnerabilities"

Colleen Atkinson
5 years ago
Views:

in-depth Analysis ISSS Security Lunch Zürich 6.

1 Identifying unknown Vulnerabilities Kostengünstige Identifizierung von Sicherheitslücken mit Rapid in-depth Analysis ISSS Security Lunch Zürich 6. Oktober 2010 Prof. Dr. Hartmut Pohl, Peter Sakal B.Sc., M.Sc.

Final Reporting Remediation, Workarounds Exploiting published Vulnerabilities Remote Services

2 Penetration Testing Subprocesses Information Gathering: Foot- & Fingerprinting Network Surveying Evading Firewalls Port Scanning & Services Identification Vulnerability Scanning Reviewing Logs Final Reporting Remediation, Workarounds Exploiting published Vulnerabilities Remote Services Web-based based Authentication Password Cracking Escalation of Privileges Testing Denial of Service (DoS)

3 1. Unknown Vulnerabilities? Less-Than-Zero-Day-Vulnerabilities

4 Attack Surface, Attack Paths Attack Paths Attack Surface Organisation Information System Permitted Ports Firewall, Intrusion Detection, Unpatched and unpublished Vulnerabilities. Obfuscation Patched Vulnerabilities COTS: Applications, Servers, SQL, IIS, Mails, FTP, CRM Assets - Data Anti-Virus Software, Worms Encryption, Keys

5 Rapid in-depth Analysis (RiDA) vs. Penetration Testing Black Risk Vulnerability-free Phase seemingly! Product Shipment Vulnerability discovered Exploit developed Rapid in-depth Analysis (RiDA)

Grey Risk Vulnerability discovered and used Zero Day Product Shipment

6 Rapid in-depth Analysis (RiDA) vs. Penetration Testing Black Risk Vulnerability-free Phase seemingly! Grey Risk Vulnerability discovered and used Zero Day Product Shipment Vulnerability discovered Exploit developed Vulnerability published Exploit published Rapid in-depth Analysis (RiDA) Penetration Testing

7 Rapid in-depth Analysis (RiDA) vs. Penetration Testing Black Risk Vulnerability-free Phase seemingly! Grey Risk Vulnerability discovered and used White Risk Vulnerability fully disclosed: Manufacturer Zero Day Product Shipment Vulnerability discovered Exploit developed Vulnerability published Exploit published Patch published Patched System Early Error Detection Rapid in-depth Analysis (RiDA) Late Error Detection Penetration Testing higher Costs of Error Correction

8 Unpublished, un-identified Vulnerabilities Less-Than-Zero-Day-Vulnerabilities Vulnerabilities since Software Delivery Attacks not observable What you do not know, you cannot notice and you cannot search for

9 Unpublished, un-identified Vulnerabilities Less-Than-Zero-Day-Vulnerabilities Vulnerabilities since Software Delivery Attacks not observable What you do not know, you cannot notice and you cannot search for

10 2. Exploiting unpublished, un-identified Vulnerabilities

11 Herr Preatoni

12 Herr Preatoni

13 Consumer, Users, Fees Organized crime Companies Intelligence Services: CIA, Mossad, FSB, For computer espionage, economic espionage, sabotage $ $ -...

18 Titan Rain Moonlight Maze, Since 2003 with growing intensity (China) 2010? Effective attacks in > 50 countries Companies and governmental agencies Systematic, organised approach: Exploits, Trojan horse, keystroke logger, system monitor - business hours Network Crack Program Hacker group (NCPH): 4 core programmers, 10 associates, manager: Wicked Rose counter-hacked by Shawn Carpenter Classsified in USA (since 7/2007), in Germany also

19 Future: Stealth & targeted t Attacks, Obfuscation 0 % Recognizability Stealth Virtualisation DoS-Attacks Intrusion Root-Kits Less-Than-Zero-Day Exploits ( Stealth ) Targeted 100 % ( ), py, Storm Worm stuxnet Viren, Würmer, Spam, Phishing, (Botnets), Spyware, Adware Level of Automation

20 Baseline Protection Access Control: Rights Management, Logging, g, Analysis Anti-Virus, Worms, Spam, Spyware, Adware, Firewalls Verschlüsselung Intrusion Detection, Intrusion Protection Anonymization

21 Baseline Protection Access Control: Rights Management, Logging, g, Analysis unsecure, noneffective Anti-Virus, Worms, Spam, Spyware, Adware, Firewalls unsecure, noneffective Verschlüsselung unsecure, noneffective Intrusion Detection, Intrusion Protection Anonymization unsecure, noneffective

22 Gartner: 75% Cost Savings! If only 50 percent of software vulnerabilities were removed prior to production use [ ] costs would be reduced by 75 percent [Gartner 2005]

23 Costs Benefit: Cost of Bug Elimination 100 x 10 x 1 x 6 x Phase Design Implementation Verification Release [NIST 2007]

24 3. Experiences

25 Partner in R&D Project softscheck

26 Threat Modeling Threat Modeling Requirements Design Implementation Verification Release

27 Threat Modeling Process Understand the Adversary s View Characterize the Security of the System Entry Points Use Scenarios Assets Assumptions & D d i Dependencies Trust Levels Determine Threats Identify Threats Analyse Threats/ determine Vulnerabilities Model the System

28 Threat Modeling Techniques Data Flow Diagrams Attack Trees STRIDE categorization DREAD risk evaluation Quantifying risk

29 Data Flow Diagrams Data Files User Request Service Requested File(s) Audit Data Aud dit Writ te Aud dit Rea ad Audit Engine Authn Engine Au udit Requ uests Au udit In nfo Get Creds Admin Credentials Set/Get Creds Mnmgt. Tool [Baier 2006]

30 Data Flow Diagrams Data Files User Request Decrypt Company Secrets Service Requested File(s) Audit Data Aud dit Writ te Aud dit Rea ad Audit Engine Authn Engine Au udit Requ uests Au udit In nfo Get Creds Admin Credentials Set/Get Creds Mnmgt Tool [Baier 2006]

31 Attack Tree Threat #1 Decrypt Company Secrets and 1.1 Obtain Encrypted File 1.2 Obtain Password/Key Bribe the Sysadmin Hack the Database Brute Force Password/Key Use Keylogger

32 STRIDE Categorization Attack- and Threat Identification S Type of threats Spoofing Tamperingp g Repudiation Information disclosure Denial of service Elevation of privilege il Examples Forge messages Replay authentication packets Alter data during transmission Change data in files Deny an action e.g. deleting a critical file Purchase a product and later deny it Expose information in error messages Expose code on Web sites Flood a network with SYN packets Flood with forged ICMP packets Exploit buffer overruns to gain system privileges Gaining administrator privileges illegitimately

33 DREAD Risk Evaluation 1. Use DREAD to rate each threat [1 10] 10] 2. Calculate Risk metric: Probability * Damage potential 3. Identify most critical Risks 4. Choose Mitigation Strategy Damage Reproducibility Exploitability Affected Users Discoverability

34 DREAD Risk Evaluation Identify most critical Risks and Mitigation Strategy

35 DREAD Risk Evaluation Identify most critical Risks and Mitigation Strategy

36 Fuzzing Threat Modeling Fuzzing Requirements Design Implementation Verification Release

37 Fuzzing Identify Input Interfaces Generate Fuzz Send Fuzz e.g. Sniffer Fuzzer Monitoring: Recognize Failures Monitor Reporting Generate Report Vulnerabilities Analysis Identification & Analysis g Application pp Target State: {Fail, Working}

38 Fuzzing Identify Input Interfaces Generate Fuzz Send Fuzz e.g. Sniffer Monitoring: Recognize Failures Monitor Fuzzer Reporting Generate Report Vulnerabilities Analysis Identification & Analysis Code Coverage g Application pp Target State: {Fail, Working}

39 > 250 Fuzzer (Fuzzing Tools) Which one is the right one for YOUR App?

40 Fuzzer Taxonomy Brute-Force- Based Static Dumb Smart Intelligent Capture- Replay Based Grammar Based Block Based Generation Based Session-Data Mutation- Call-Flow- Stateless Stateful Model-Based Based Based Aware Dynamic- Model- Traffic- Generation Inference Analysis Based Based Based Evolutionary

41 Evaluation Parameters 100% Number identified Vulnerabilities 80% 60% Cost 40% 20% Reporting 0% Future Developments Training Expenses Tool 1 Tool 2 Tool 3 Tool 4 Tool 5 Tool 6

42 4. Commercial Results

43 Secure Software Development Lifecycle RiDA Certification start t end Rapid in-depth Analysis (RiDA RiDA) Threat Modeling Static Analysis Fuzzing Requirements Design Implementation Verification Release Functional error correction Pre-Release Patch, Fix etc. Costs of Error Correction

44 RiDA Detected Vulnerabilities Unknown & Known Intended Application Actual Application Vulnerabilities Functional Errors Known Unknown Unpublished

45 Vulnerabilities in Webapplication Achievements using Threat Modeling: Project example Rating the vulnerabilities critical 1 high 29 medium 26 low Number identified vulnerabilities

46 Vulnerabilities in Webapplication Achievements using Fuzzing: Project example Rating the vulnerabilities critical 1 high 29 medium 26 low Number identified vulnerabilities

47 Scenarios: RiDA Software Companies Secure Software Development (from the start) Identification of vulnerabilities in released software Enduser Identification of vulnerabilities in company-critical software (in-house developed or not) Acceptance testing software Tool Developer Technology consulting

48 Finding all the Vulnerabilities: RiDA # Tools Technology- and Toolkomposition Fuzzing 20 Static Analysis 10 Threat Modeling # identified Vulnerabilities

49 Types of evaluated Software COTS Software - Enterprise Resource Planning (ERP) - Customer Relationship Management (CRM) - Database Systems (DBMS) - Browser - Operating Systems - Network Protocols Custom Software - Web Applications - Customized COTS Software Industrial Sector specific Software - Supervisory Control and Data Acquisition (SCADA) - Automotive

50 Achievements Rapid in-depth Analysis (RiDA) > 40 target Application < 5 Mio. Lines of Code Ø identified (unknown) critical vulnerabilities: 50 Overall Result: Very cost-effective method before software delivery

51 Prof. Dr. Hartmut Pohl +49 (2241) Peter Sakal B.Sc., M.Sc. com +49 (2241)

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Threat Modeling. Bart De Win Secure Application Development Course, Credits to Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,