Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Similar documents
An Attack Surface Driven Approach to Evaluation

Certification Report

COMMON CRITERIA CERTIFICATION REPORT

CSWAE Certified Secure Web Application Engineer

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

ShiftLeft. Real-World Runtime Protection Benchmarking

Certification Report

RiskSense Attack Surface Validation for Web Applications

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Certified Secure Web Application Engineer

COMMON CRITERIA CERTIFICATION REPORT

Web Application Penetration Testing

Certification Report

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Certification Report

Web Application Security. Philippe Bogaerts

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

IT Security Evaluation : Common Criteria

Security Solutions. Overview. Business Needs

Micro Focus Fortify Application Security

C1: Define Security Requirements

Solutions Business Manager Web Application Security Assessment

C and C++ Secure Coding 4-day course. Syllabus

Certification Report

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Application Security Approach

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Important Points to Note

COMP9321 Web Application Engineering

Certification Report

COMMON CRITERIA CERTIFICATION REPORT

MBFuzzer - MITM Fuzzing for Mobile Applications

CC Part 3 and the CEM Security Assurance and Evaluation Methodology. Su-en Yek Australasian CC Scheme

Certification Report

Smart TV Security Solution V2.0 for Samsung Knox. Certification Report

Engineering Your Software For Attack

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT

HP 2012 Cyber Security Risk Report Overview

COMMON CRITERIA CERTIFICATION REPORT

Certification Report

Certification Report

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Certification Report

COMMON CRITERIA CERTIFICATION REPORT

FED 5. Certification Report

Smart TV Security Solution V3.0 for Samsung Knox. Certification Report

Certification Report

Development*Process*for*Secure* So2ware

COMMON CRITERIA CERTIFICATION REPORT

SECURITY TESTING. Towards a safer web world

Product Security. for Consumer Devices. Anton von Troyer Codenomicon. all rights reserved.

Certification Report

Certification Report

Copyright

Tools for Security Testing

Bank Infrastructure - Video - 1

GOING WHERE NO WAFS HAVE GONE BEFORE

Certification Report

Certification Report

COMMON CRITERIA CERTIFICATION REPORT

Certification Report

Certification Report

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Certification Report

Security Testing White Paper

COMMON CRITERIA CERTIFICATION REPORT

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

COMMON CRITERIA CERTIFICATION REPORT

Certification Report

COMP9321 Web Application Engineering

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Juniper Networks EX3200 and EX4200 Switches running JUNOS 9.3R2

Certification Report

Ranking Vulnerability for Web Application based on Severity Ratings Analysis

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

Certification Report

TRAINING CURRICULUM 2017 Q2

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Developing Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch

INNOV-09 How to Keep Hackers Out of your Web Application

Certification Report

Human vs Artificial intelligence Battle of Trust

Hacking by Numbers OWASP. The OWASP Foundation

Product Security Briefing

SoK: Eternal War in Memory

COMMON CRITERIA CERTIFICATION REPORT

Certification Report

Penetration testing.

Certification Report

Mobiledesk VPN v1.0 Certification Report

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Developing Secure Systems. Associate Professor

Certification Report

Transcription:

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria Apostol Vassilev, Principal Consultant September 23,2009.

Product Testing in Common Criteria

Product Testing in Common Criteria Functional and penetration testing are important tools for gaining assurance in the evaluated product

Product Testing in Common Criteria Functional and penetration testing are important tools for gaining assurance in the evaluated product

Product Testing in Common Criteria Functional and penetration testing are important tools for gaining assurance in the evaluated product

Product Testing in Common Criteria Functional and penetration testing are important tools for gaining assurance in the evaluated product Problem: the testing methodology defined in CC is underspecified results are difficult to reproduce affects the public s perception of the value of evaluations

Outline Introduction Current situation with product testing in CC Recent advancements in testing and their potential use in CC Proposal Modular assurance packages based on interface-specific attacks Benefits from using such packages Conclusions and future work

Product testing according to CEM

Product testing according to CEM The goal is to test the behavior of TOE as described in ST and as specified in the evaluation evidence the focus is on testing the security functionality, defined by the SFRs

Product testing according to CEM The goal is to test the behavior of TOE as described in ST and as specified in the evaluation evidence the focus is on testing the security functionality, defined by the SFRs Evaluators test TSF by devising own test cases re-running a subset of developer s test cases

Product testing according to CEM The goal is to test the behavior of TOE as described in ST and as specified in the evaluation evidence the focus is on testing the security functionality, defined by the SFRs Evaluators test TSF by devising own test cases re-running a subset of developer s test cases

Product testing according to CEM The goal is to test the behavior of TOE as described in ST and as specified in the evaluation evidence the focus is on testing the security functionality, defined by the SFRs Evaluators test TSF by devising own test cases re-running a subset of developer s test cases CEM suggests alternate approaches only when it is impractical to test directly specific functionality such as source code analysis

Limitations of testing defined in CEM

Limitations of testing defined in CEM Traditionally, emphasis is given to functional testing of security features deterministic positive and negative testing prevails in the software industry accepted by CEM and prioritized by relevance to SFRs: SFR-enforcing TSFIs are covered SFR-supporting or SFR-non-interfering TSFIs are largely ignored

Limitations of testing defined in CEM Traditionally, emphasis is given to functional testing of security features deterministic positive and negative testing prevails in the software industry accepted by CEM and prioritized by relevance to SFRs: SFR-enforcing TSFIs are covered SFR-supporting or SFR-non-interfering TSFIs are largely ignored The deterministic functional testing is good for confirming the overall security architecture and design of the product.

Limitations of testing defined in CEM

Limitations of testing defined in CEM Recent advances in testing technology have shown that deterministic functional testing is not sufficient for gaining assurance in the security features of a product hackers pioneered random fuzzing of interfaces intended to penetrate them fuzz testing is becoming more and more accepted by major software vendors and incorporated in product development introduces the concept of probabilistic assurance

Fuzz Testing

Fuzz Testing Fuzz testing has evolved as black box testing to uncover hidden vulnerabilities and implementation bugs

Fuzz Testing Fuzz testing has evolved as black box testing to uncover hidden vulnerabilities and implementation bugs Fuzz testing of a given interface (API, protocol, etc) can be Brute-force invoke the interface with a completely random input data Adaptive use semi-random/semi-malformed input data

Fuzz Testing Fuzz testing has evolved as black box testing to uncover hidden vulnerabilities and implementation bugs Fuzz testing of a given interface (API, protocol, etc) can be Brute-force invoke the interface with a completely random input data Adaptive use semi-random/semi-malformed input data Open questions: What is the proper cost/benefit ratio for this type of testing? Can we map Fuzz testing results to EAL levels?

Fuzz testing

Fuzz testing Fuzz testing has been used successfully to uncover implementation bugs responsible for system crashes memory leaks unhandled exceptions buffer overflows dangling threads dangling pointers Most of these are code quality indicators, but they have direct security implications

Fuzz testing Fuzz testing has been used successfully to uncover implementation bugs responsible for system crashes memory leaks unhandled exceptions buffer overflows dangling threads dangling pointers Most of these are code quality indicators, but they have direct security implications

Fuzz testing Fuzz testing has been used successfully to uncover implementation bugs responsible for system crashes memory leaks unhandled exceptions buffer overflows dangling threads dangling pointers Most of these are code quality indicators, but they have direct security implications

Fuzz Testing

Fuzz Testing Open questions: What is the proper cost/benefit ratio for this type of testing? Hackers, developers have different perspectives Where do evaluators stand? Can we incorporate this type of testing in CC? Can we map Fuzz testing results to EAL levels?

Limitations of testing defined in CEM

Limitations of testing defined in CEM Observation: TSFIs cannot be reliably prioritized for CC testing as SFR-enforcing SFR-supporting SFR-non-interfering This issue is particularly relevant for low (<4) EAL evaluations

Limitations of testing defined in CEM Observation: TSFIs cannot be reliably prioritized for CC testing as SFR-enforcing SFR-supporting SFR-non-interfering This issue is particularly relevant for low (<4) EAL evaluations Observation: Any TOE interface exposed to attackers may be security relevant Hence, it should be tested thoroughly

Limitations of testing defined in CEM Observation: TSFIs cannot be reliably prioritized for CC testing as SFR-enforcing SFR-supporting SFR-non-interfering This issue is particularly relevant for low (<4) EAL evaluations Observation: Any TOE interface exposed to attackers may be security relevant Hence, it should be tested thoroughly Observation: Fuzzing and interface-specific tests provide a good framework for this

Interface-specific testing

Interface-specific testing Why Interface-specific testing? Interface-specific classes of attacks have emerged e.g., XSS for Web interfaces As software technology standardizes, so do the attacks Just recently hackers pulled off a major break-in using a classic SQL injection Heartland Payment Systems 2009 breach compromised 130+ Mil accounts data

Interface-specific testing Why Interface-specific testing? Interface-specific classes of attacks have emerged e.g., XSS for Web interfaces As software technology standardizes, so do the attacks Just recently hackers pulled off a major break-in using a classic SQL injection Heartland Payment Systems 2009 breach compromised 130+ Mil accounts data Well-known classes of interface-specific attacks lead to standard frameworks of tests that are naturally adapted to the type of interface allow for state-of-the-art coupling - atsec public with - fuzzing for testing multilayered interfaces/protocols

Example: Well-known attacks/testing techniques for Web Interfaces Cross-Site Scripting (reflected, Stored, DOM based XSS) Session Hijacking (session fixation, session side-jacking) Cross-site Request Forgery (also known as session-riding) Path Reversal Code Injection (PHP, HTML, SQL Injection) Command injection (LDAP, XPath, XSLT, HTML, XML, OS) File inclusions Use of poor encoding practice (base 64)/ Insecure cryptographic storage Insecure direct object reference Information Leakage and Improper Error Handling

Combining Fuzzing w/ Well-Known Tests for Discovering Input-Based Vulnerabilities (Pseudo-)Randomly choose an input from the entire input space Example: HTTP Header Fuzzing 7K:>6]"=:&X<ZE`,`)7?:0=/'53#.DMO:/_2`RZN6QB9 GET M?40G);>@!5#/>L5P_`+\@V3WB+_2_ HTTP/1.0 Invoke the application with that input Observe the resulting output Look for 'odd' behavior Exploit odd behavior GET http://www.foobar.com/m?40g);>@!5#/>l5p HTTP/1.0 GET http://www.foobar.com/so6gyhsiwgic.html HTTP/1.0 GET http://www.foobar.com/so6gyhsiwgic.pl HTTP/ 1.0 GET http://www.foobar.com/so6gyhsiwgic.ado HTTP/1.0 GET http://www.foobar.com/so6gyhsiwgic.jsp HTTP/ 1.0 GET http://www.foobar.com/so6gyhsiwgic.hs HTTP/

Our Goal Promote the development of an interfacebased testing methodology for CC that complements the general interface-independent testing methodology of CEM maps easily to EAL levels improves reproducibility of test results enhances the value of the evaluation

Approaches to Adopting Interface-Based Testing in CC Develop testing-related assurance packages combining fuzzing with interface-specific knowledge-based tests Modular assurance packages tailored to specific product types e.g., Web product test package Cross-Site Scripting (reflected, Stored, DOM based XSS) Session Hijacking (session fixation, session side-jacking) Cross-site Request Forgery (also known as session-riding) Path Reversal Code Injection (PHP, HTML, SQL Injection) Command injection (LDAP, XPath, XSLT, HTML, XML, OS) File inclusions Use of poor encoding practice (base 64)/ Insecure cryptographic storage Insecure direct object reference Information Leakage and Improper Error Handling Fuzzing on interface parameters

Modular assurance packages and EAL Some Interfaces Tested by Some Interface-Specific Tests With Some Fuzzing EAL low Most Interfaces Tested by Some Interface-Specific Tests With Some Fuzzing Most Interfaces Tested by Most Interface-Specific Tests With Some Fuzzing Most Interfaces Tested by Most Interface-Specific Tests With More Fuzzing All Interfaces Tested by Most Interface-Specific Tests With More Fuzzing All Interfaces Tested by All Interface-Specific Tests With Most Fuzzing EAL high

Benefits from modular test assurance packages

Benefits from modular test assurance packages For developers Adopting state-state-of-the-art tests early in development cycle saves expensive bug fixes during product evaluation Improves the quality of the product and helps avoid embarrassing post-release discoveries

Benefits from modular test assurance packages For developers Adopting state-state-of-the-art tests early in development cycle saves expensive bug fixes during product evaluation Improves the quality of the product and helps avoid embarrassing post-release discoveries For evaluators Improves the likelihood of the discovery of critical security problems by shifting the focus for known attacks from AVA to ETE Improves the repeatability of evaluations and addresses a weakness in the standard

Benefits from modular test assurance packages For developers Adopting state-state-of-the-art tests early in development cycle saves expensive bug fixes during product evaluation Improves the quality of the product and helps avoid embarrassing post-release discoveries For evaluators Improves the likelihood of the discovery of critical security problems by shifting the focus for known attacks from AVA to ETE Improves the repeatability of evaluations and addresses a weakness in the standard For consumers Increases the security assurances provided by the product Increases the value of certification

Conclusions

Conclusions Rigorously defined testing modules lead to state-of-the-art testing techniques

Conclusions Rigorously defined testing modules lead to state-of-the-art testing techniques

Conclusions Rigorously defined testing modules lead to state-of-the-art testing techniques Evaluators can reliably identify more security flaws and systematically increase the rigor of CC testing

Conclusions Rigorously defined testing modules lead to state-of-the-art testing techniques Evaluators can reliably identify more security flaws and systematically increase the rigor of CC testing

Conclusions Rigorously defined testing modules lead to state-of-the-art testing techniques Evaluators can reliably identify more security flaws and systematically increase the rigor of CC testing The definition of modular test packages can be formalized to integrate in CC

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback