Session 11: Security Policies 1

Similar documents
Developing Secure Software

Session 11: Security Policies 1

Developing Secure Software. Vulnerability Report Statistics

Developing Secure Software!

Developing Secure Software

Developing Secure Systems. Introduction Aug 30, James Joshi, Professor, SCI

Developing Secure Systems. Associate Professor

C1: Define Security Requirements

Attack Pattern: Target Programs That Write to Privileged OS Resources

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

IS 2620: Developing Secure Systems. Building Security In Lecture 2

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Certified Secure Web Application Engineer

C and C++ Secure Coding 4-day course. Syllabus

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Ranking Vulnerability for Web Application based on Severity Ratings Analysis

IS 2620: Developing Secure Systems. Lecture 2 Sept 8, 2017

CIT 380: Securing Computer Systems. Software Security

SANS Institute , Author retains full rights.

CSWAE Certified Secure Web Application Engineer

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

Development*Process*for*Secure* So2ware

OWASP Top 10 The Ten Most Critical Web Application Security Risks

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

Threat Modeling. SecAppDev Copyright 2010 KRvW Associates, LLC

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Software Security Touchpoint: Architectural Risk Analysis

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

NET 311 INFORMATION SECURITY

Copyright

Web Application Security GVSAGE Theater

Secure Programming Techniques

Aguascalientes Local Chapter. Kickoff

Secure Programming. Course material Introduction. 3 Course material. 4 Contents

Secure Programming. Introduction. Ahmet Burak Can Hacettepe University

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Engineering Your Software For Attack

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Software Security Touchpoint: Architectural Risk Analysis

CIT 480: Securing Computer Systems. Software Security

Web Application Vulnerabilities: OWASP Top 10 Revisited

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Overview of Web Application Security and Setup

Top considerations for implementing secure backup and recovery. A best practice whitepaper by Zmanda

Security Engineering for Software

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Test Harness for Web Application Attacks

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Preventing Injection Vulnerabilities through Context-Sensitive String Evaluation (CSSE)

Web Application Security. Philippe Bogaerts

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Secure coding practices

CERT Secure Coding Initiative. Define security requirements. Model Threats 11/30/2010

ITT Technical Institute. CS420 Application Security Onsite Course SYLLABUS

Black Hat Webcast Series. C/C++ AppSec in 2014

CS 356 Systems Security Spring 2015

SECURITY TESTING. Towards a safer web world

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Code Reviews. James Walden Northern Kentucky University

Application. Security. on line training. Academy. by Appsec Labs

RKN 2015 Application Layer Short Summary

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Robust Defenses for Cross-Site Request Forgery

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

Web Application Penetration Testing

Using Threat Modeling To Find Design Flaws

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Software Security and Exploitation

John Coggeshall Copyright 2006, Zend Technologies Inc.

Buffer overflow background

Last week. Data on the stack is allocated automatically when we do a function call, and removed when we return

ISA564 SECURITY LAB. Code Injection Attacks

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

(a) Which of these two conditions (high or low) is considered more serious? Justify your answer.

Secure Development Processes

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Bank Infrastructure - Video - 1

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

Software and Web Security 1. Root Cause Analysis. Abstractions Assumptions Trust. sws1 1

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

Secure Design Principles. CSC 482/582: Computer Security Slide #1

Copyright

Transcription:

Developing Secure Software EECE 412 Session 21 What s cell phones, ATMs, air traffic control systems, emergency service systems, healthcare equipment, and PDAs have in common? Internet security incidents reported to CERT Even if your computer is not compromised, how costly is it to keep it secure enough? 3 break-ins are all too prevalent Vulnerability Report Statistics The Scale in Human Terms What does it mean to have 4,129 vulnerabilities reported in 2002? Read the descriptions 4,129 vulnerabilities * 15 minutes = 129 days Affected by 10% of the vulnerabilities? Install patches on one system 413 vulnerabilities * 1 hour = 52 days Reading reports and patching a single system costs 129 + 52 = 181 days Which vulnerability should I patch first? Remote root in DNS? Web server? Desktop systems? Network equipment? 5 6 Session 11: Policies 1

Outline Why software systems are prone to vulnerabilities? How vulnerabilities are different from defects? How to develop secure software? Why are there so many vulnerabilities in software? 7 What will happen in a moment? x y What makes simple mechanical systems predictable? Linearity (or, piecewise linearity) Continuity (or, piecewise continuity) Small, low-dimensional statespaces Systems with these properties are (1) easier to analyze, and (2) easier to test. 9 10 Other software properties make security difficult Computers enable highly complex systems Software is taking advantage of this Highly non-linear behavior; large, high-dim. state spaces The Trinity of Trouble Connectivity The Internet is everywhere and most software is on it Complexity Networked, distributed, mobile, feature-full Extensibility Systems evolve in unexpected ways and are changed on the fly 11 12 Session 11: Policies 2

How Are Bugs Different? When is a security bug not like a bug? Traditional non-security bugs -- often defined as a violation of a specification. bugs -- additional behavior, not originally intended Meanwhile, it is doing what it is supposed to do Traditional techniques not good at finding Even in inspections, tend to look for missing behavior incorrect behavior Neglect to look for... undesirable side-effects 14 Intended vs. Implemented Behavior Traditional faults Actual Software Functionality Traditional faults Incorrect Supposed to do A but did B instead Intended Functionality Unintended, undocumented, unknown functionality Missing Supposed to do A and B but did only A. 15 16 17 Bugs Side effects Supposed to do A, and it did. In the course of doing A, it also did B Monitoring for side effects and their impact on security can be challenging Side effects can be subtle and hidden Examples: file writes, registry entries, extra network packets with unencrypted data 18 problems are complicated Implementation Flaws Buffer overflow String format Race conditions TOCTOU (time of check to time of use) Unsafe environment variables Unsafe system calls System() Untrusted input problems Design Flaws Misuse of cryptography Compartmentalization problems in design Privileged block protection failure (DoPrivilege()) Catastrophic security failure (fragility) Type safety confusion error Insecure auditing Broken or illogical access control Method over-riding problems (subclass issues) Which ones are more frequent? Session 11: Policies 3

The BUG: buffer overflow Pervasive C problems lead to BUGS Overwriting the bounds of data objects Allocate some bytes, but the language doesn t care if you try to use more char x[12 ]; x[12 ] = \0 ; Why was this done? Efficiency! 19 The most pervasive security problem today void main() { char buf[1024]; gets(buf); } 20 How not to get input Attacker can send an infinite string! Calls to watch out for Hundreds of such calls Use static analysis to find these problems ITS4, SourceScope Careful code review is necessary Some Guidelines How to Develop Secure Software? 1. Reduce the number of all defects by order of magnitude 2. Build security in your development process from beginning 3. Practice principles of designing secure systems 4. Know how systems can be compromised 5. Develop and use guidelines and checklists 6. Choose safer languages, VMs, OSs, etc. 7. Provide tool support 22 Why Software Quality is Important? According to CERT/CC: over 90% of software security vulnerabilities are caused by known software defect types most software vulnerabilities arise from common causes top ten account for 75% of vulnerabilities One design or implementation defect is injected for every 7 to 10 lines of new and changed code produced Even if 99% is removed, 1/1K left (40K defects in Win XP) 1. Produce Quality Software Use well structured effective processes e.g., Capability Maturity Model (CMM), *-CMM Use precise requirements and specifications Formal methods e.g., Praxis Critical Systems approach 0.75-0.04 defects/kloc CleanRoom 0.08 defects/kloc 23 24 Session 11: Policies 4

25 Requirements Definition security requirements (guidelines, analysis, review) 2. Build into Development Process review, validation risk analysis System and software design arch. styles, design principles security tests, test depth analysis, validation external review Implementation and unit testing languages, tools, standards, change tracking static security analysis Integration and system testing Risk Analysis Penetration Testing Operation and Maintenance Adapted from D. Verdon and G. McGraw, "Risk analysis in software design," IEEE & Privacy, vol. 2, no. 4, 2004, pp. 79-84. 26 Follow Best Practices These best practices should be applied throughout the lifecycle Tendency is to start at the end (penetration testing) and declare victory Not cost effective Hard to fix problems Start as early as possible Abuse cases requirements analysis Architectural risk analysis Risk analysis at design External review Test planning based on risks testing (malicious tests) Code review with static analysis tools 27 3. Practice principles of designing secure systems Principles of Designing Secure Systems 1. Least Privilege 2. Fail-Safe Defaults 3. Economy of Mechanism 4. Complete Mediation 5. Open Design 6. Separation of Privilege 7. Least Common Mechanism 8. Psychological Acceptability 9. Defense in depth 10. Question assumptions 4. Know How Systems Can Be Compromised 1. Make the Client Invisible 2. Target Programs That Write to Privileged OS Resources 3. Use a User-Supplied Configuration File to Run Commands That Elevate Privilege 4. Make Use of Configuration File Search Paths 5. Direct Access to Executable Files 6. Embedding Scripts within Scripts 7. Leverage Executable Code in Nonexecutable Files 8. Argument Injection 9. Command Delimiters 10. Multiple Parsers and Double Escapes 11. User-Supplied Variable Passed to File System Calls 12. Postfix NULL Terminator 13. Postfix, Null Terminate, and Backslash 14. Relative Path Traversal 15. Client-Controlled Environment Variables 16. User-Supplied Global Variables (DEBUG=1, PHP Globals, and So Forth) 17. Session ID, Resource ID, and Blind Trust 18. Analog In-Band Switching Signals (aka Blue Boxing ) 19. Attack Pattern Fragment: Manipulating Terminal Devices 20. Simple Script Injection 21. Embedding Script in Nonscript Elements 22. XSS in HTTP Headers 2823. HTTP Query Strings 24. User-Controlled Filename 25. Passing Local Filenames to Functions That Expect a URL 26. Meta-characters in E-mail Header 27. File System Function Injection, Content Based 28. Client-side Injection, Buffer Overflow 29. Cause Web Server Misclassification 30. Alternate Encoding the Leading Ghost Characters 31. Using Slashes in Alternate Encoding 32. Using Escaped Slashes in Alternate Encoding 33. Unicode Encoding 34. UTF-8 Encoding 35. URL Encoding 36. Alternative IP Addresses 37. Slashes and URL Encoding Combined 38. Web Logs 39. Overflow Binary Resource File 40. Overflow Variables and Tags 41. Overflow Symbolic Links 42. MIME Conversion 43. HTTP Cookies 44. Filter Failure through Buffer Overflow 45. Buffer Overflow with Environment Variables 46. Buffer Overflow in an API Call 47. Buffer Overflow in Local Command-Line Utilities 48. Parameter Expansion 49. String Format Overflow in syslog() Attack pattern example: Make the client invisible Remove the client from the communications loop and talk directly to the server Leverage incorrect trust model (never trust the client) Example: hacking browsers that lie 5. Develop Guidelines and Checklists Example from Open Web Application Project (www.owaspp.org): Validate Input and Output Fail Securely (Closed) Keep it Simple Use and Reuse Trusted Components Defense in Depth By Obscurity Won't Work Least Privilege: provide only the privileges absolutely required Compartmentalization (Separation of Privileges) No homegrown encryption algorithms Encryption of all communication must be possible No transmission of passwords in plain text Secure default configuration Secure delivery No back doors 29 30 Session 11: Policies 5

Secure Programming How-Tos David Wheeler's Secure Programming for Linux and UNIX How-To http://www.dwheeler.com/secure-programs Secure UNIX Programming FAQ http://www.whitefang.com/sup/securefaq.html OWASP (Open Web Application Project) Guide http://www.owasp.org Etc... (Google "secure programming") 6. Choose Safer Languages, VMs, OSs, etc. C or C++? Java or C++? Managed C++ or vanilla C++?.NET CLR or JVM? Windows XP or Windows 2003? Linux/MacOS/Solaris or Windows? 32 7. Make Developers Life Easier: Give Them Good Tools automated tools for formal methods http://www.comlab.ox.ac.uk/archive/formalmethods.html code analysis tools RATS http://www.securesw.com/rats Flawfinder http://www.dwheeler.com/flawfinder ITS4 http://www.cigital.com/its4 ESC/Java http://www.niii.kun.nl/ita/sos/projects/escframe.html PREfast, PREfix, SLAM www.research.microsoft.com Fluid http://www.fluid.cmu.edu JACKPOT research.sun.com/projects/jackpot Many more High Level Secure Coding, Principles and Practices (M.G. Graff and K.R. Van Wyk 2003) Technical Secure Programming Cookbook (J. Viega and M. Messier) Writing Secure Code, 2nd Edition (Howard and Leblanc) Relevant Books 33 Free Relevant Books Improving Web Application : Threats and Countermeasures Roadmap J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan Microsoft Corporation MSDN Library, June 2003 http://msdn.microsoft.com/library/default.asp? url=/library/enus/dnnetsec/html/threatcounter.asp Summary Why software systems are prone to vulnerabilities? How vulnerabilities are different from defects? How to develop secure software? 36 Session 11: Policies 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback