(software security)securesw.dankook.ac.kr/iss19-2/ln(grad)_2019 ss_02...software software is...

Software Security. Cho, Seong-je (조성제). Fall, 2019. Computer Security & OS Lab., Dankook University


Post on 16-Sep-2020


Page 1: (Software Security)securesw.dankook.ac.kr/ISS19-2/LN(grad)_2019 SS_02...Software Software is everywhere A modern product delivery’ survey found that 23% of products now contain software

Software Security

조성제 (Cho, Seong-je)

Fall, 2019

Computer Security & OS Lab.

Dankook University


CS412 Software Security

Mathias Payer -- Spring semester 2019

https://nebelwelt.net/teaching/19-412-SoSe/


Many slides taken from Prof. Mathias Payer’s Lecture

Software Security: Principles, Policies, and Protection (SS3P)

A Free Book : https://nebelwelt.net/SS3P/softsec.pdf

CS412 Software Security

• https://nebelwelt.net/teaching/19-412-SoSe/

Course overview

This course focuses on software security fundamentals, secure coding guidelines and principles, and advanced software security concepts. Students will learn to assess and understand threats, learn how to design and implement secure software systems, and get hands-on experience with common security pitfalls.

Course objective

Software running on current systems is exploited by attackers despite many deployed defence mechanisms and best practices for developing new software. In this course students will learn about current security threats, attack vectors, and defence mechanisms on current systems. The students will work with real world problems and technical challenges of security mechanisms (both in the design and implementation of programming languages, compilers, and runtime systems).


CS412 Software Security (Prof. Mathias Payer)

Learning outcomes

Students who complete the course will have demonstrated the ability to do the following:

● Explain the top 20 most common weaknesses in software security (CWE top 20) and understand how such problems can be avoided in software.

● Identify common security threats, risks, and attack vectors for software systems.

● Evaluate and assess current security best practices and defense mechanisms for current software systems. Become aware of limitations of existing defense mechanisms and how to avoid them.

● Identify security problems in source code and binaries, assess the associated risks, and reason about their severity and exploitability.

● Assess the security of given source code or applications.


CS412 Software Security (Prof. Mathias Payer)

Schedule

● Course introduction (2019/09/??)

● Basic principles (2019/09/ )

● Secure software lifecycle (2019/09/ ) [1]

● Reverse engineering (2019/09/ )

● Security policies (2019/10/ ) [2], [3], [4] [5] [6]

● Software bugs (2019/10/ )

● Attack vectors (2019/10/ )

● Mitigations (2019/10/ )

● Advanced mitigations (2019/11/ ) [9], [10] [13] [14]

● Testing: Sanitization (2019/11/ ) [11]

● Testing: Fuzzing (2019/11/ )

● Web security (2019/11/ )

● Mobile security (2019/12/ )

● Summary (2019/12/ )


Software and Software Security

Vulnerability


Quiz

What do wireless devices, cell phones, PDAs, browsers, operating systems, servers, personal computers, public key infrastructure systems, and firewalls have in common?


Software is ubiquitous

The information age, in fact, is an extension of the industrial age, characterized by the focus on production of physical goods.

● Ubiquitous software is a characteristic of the information age.

Software is essential to the operation of the Nation’s critical infrastructure.

● The nation's critical infrastructure (energy, transportation, telecommunications, etc.), businesses, and services are extensively and increasingly controlled and enabled by software.

Software is used today for communications, production, financial transactions, transportation, and utilities to name just a few of its varied and countless uses

● Government, education, healthcare, banking, retail, wholesale, insurance, and media sectors


SW is everywhere


Software

Software is everywhere

● A ‘modern product delivery’ survey found that 23% of products now contain software in some form

● In 2001, cars had a minimal amount of code in them. A new car now has about 100 million lines of code. What’s more, it is expected that more than 150 million connected cars will be on America’s highways and byways by 2020

With software, technical solutions to business problems are possible

FinTech, AI, Big data, Cloud, Blockchain, …

With software, we can all be connected.


Software is imperfect.

Software is imperfect, just like the people who make it

● No matter how much work goes into a new version of software, it will still be fallible.

The Reasons Why Software Is Vulnerable

● Software is vulnerable due to complexity and inevitable human error.

● Many vendors (e.g., Microsoft, Sun, Oracle, and others) that developed and built their software in the 90's didn't write code that was secure from heap overflows or format string bugs, because these issues were not widely known at the time.

Outdated software is the root of evil


Why YOUR software is a valuable target:

Because it’s flawed.

Because software vendors can hardly keep up with the way cyber criminals exploit vulnerabilities in their products.

● Vulnerability

− A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy

− a mistake in software that can be directly used by a hacker to gain access to a system or network

Because it’s used by millions.

Because it gives them access to your computer in minutes.

Because you’re sometimes careless when using the Internet. (We’ve all been there, trust me.)

Source: https://heimdalsecurity.com/blog/vulnerable-software-infographic/


Software vs. Vulnerability

Vulnerabilities in software can jeopardize intellectual property, consumer trust, and business operations and services

● Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network

Vulnerabilities in that software put those resources at risk.

● The risk is compounded by software size and complexity, the use of software produced by unvetted suppliers, and the interdependence of software systems.


compound: to worsen, to make more serious; to be composed of. vet: to check (content, quality, etc.); to screen (a person who is to take up a post). unvetted: not reviewed or checked (for content, quality, etc.)


The most vulnerable players of 2017

https://techtalk.gfi.com/the-most-vulnerable-players-of-2017/

CVE: Common Vulnerabilities & Exposures (source: https://cve.mitre.org/)

● In 2016, 6,447 vulnerabilities were reported. In 2017, that number increased to 14,709


The most vulnerable players of 2017

The top kinds of vulnerabilities include DoS, meaning the vulnerability would let attackers prevent users from logging in or stop their computers from working, and code execution, where code can be manipulated easily.


The most vulnerable players of 2017

Vendors

● Though Google had significantly more vulnerabilities than Oracle, the numbers below also include mobile devices. With the number of products Google has, it must be a real challenge for them to keep up with vulnerabilities. They top the list with 1000 reported CVEs in 2017, with Oracle not too far behind.


The most vulnerable players of 2017

Operating system

● The increase in vulnerabilities in mobile devices has gone up over the years, and we do not believe the trend is going to subside anytime soon.


The most vulnerable players of 2017

Browsers

● All someone has to do is click a link that downloads malicious software, and your network is compromised.

● Though Edge had 202 vulnerabilities in 2017, it only had 3.78% of the market share according to the NetMarketShare.


● Chrome is currently the most used browser and has experienced a substantial increase in market share from 2015 by climbing from 27.61% to 58.9% in 2017.


The most vulnerable players of 2017

Mobile devices

The popularity trend of more market share = more vulnerabilities can be seen once more and with Android having around 80% market share in smartphone OS


Applications

Applications were also in need of patching last year, especially ImageMagick, which comes in as number one. The application allowed Yahoo private mail users to view images. Unfortunately, the vulnerability was discovered by hackers, causing the “YahooBleed Bug” to emerge. To save face, Yahoo retired the ImageMagick library altogether.


2015’s MVPs – The most vulnerable players

Mobile devices

● not sure if Windows Phone doesn’t show up because it’s so secure, or because it’s such a tiny slice of the market

Applications


The most vulnerable players of 2017

We should also note that there is a very low number of vulnerabilities in Adobe Flash which we have not experienced in recent years.

● However, other Adobe applications topped the list right after ImageMagick.

● There are reports that Adobe Flash will phase out by 2020 which could indicate little development on the application.

Being informed of the kinds of vulnerabilities that keep your network open to potential threats is only one part of the game.

● No network is safe.

The number of vulnerabilities continues to go up every year and keeping up with patches is daunting.

daunting: overwhelming, intimidating (daunt: to frighten or discourage)


CVE (Common Vulnerabilities & Exposures)

a vulnerability is a state in a computing system (or set of systems) that either:

● allows an attacker to execute commands as another user

● allows an attacker to access data that is contrary to the specified access restrictions for that data

● allows an attacker to pose as another entity

● allows an attacker to conduct a DoS

Examples of vulnerabilities include:

● phf (remote command execution as user "nobody")

● rpc.ttdbserverd (remote command execution as root)

● world-writeable password file (modification of system-critical data)

● default password (remote command execution or other access)

● DoS problems that allow an attacker to cause a Blue Screen of Death

● smurf (denial of service by flooding a network)


Gateways to Infection: Exploiting SW Vulnerabilities

Source: TREND Micro

(http://about-threats.trendmicro.com/RelatedThreats.aspx?language=tw&name=Gateways+to+Infection%3A+Exploiting+Software+Vulnerabilities)


What is a software vulnerability?

A software vulnerability is a security flaw, glitch, or weakness found in software or in an OS that can lead to security concerns.

● An example of a software flaw is a buffer overflow. This is when software becomes unresponsive or crashes when users open a file that may be "too heavy" for the program to read.

This commonly encountered error becomes a security concern when attackers uncover the vulnerability, conduct research about it, and create a malicious code or exploit that targets this glitch to launch their schemes.

● Some schemes may include gaining administrator privileges which gives attackers control over the vulnerable system or infecting it with malware.
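
The buffer overflow named above, sketched in C as a file-record parser: one version trusts a length field read from the file, the other bounds it against both the input and the destination. This is an added example, not part of the original slides; the record layout (one length byte followed by the name bytes) and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* destination holds 16 bytes plus the terminator */

/* Assumed record layout (constructed for this example):
 *   byte 0      length n of the name field
 *   bytes 1..n  name data, not NUL-terminated */

/* VULNERABLE: the length byte comes from the file and is used unchecked.
 * A record declaring more than NAME_MAX_LEN bytes makes memcpy write past
 * the end of `name`; a record shorter than it claims makes memcpy read
 * past the end of `rec`. Shown for comparison only, never called below. */
int parse_name_unchecked(const uint8_t *rec, char *name)
{
    size_t n = rec[0];
    memcpy(name, rec + 1, n);
    name[n] = '\0';
    return (int)n;
}

/* HARDENED: the declared length is checked against what the input really
 * contains and against the space available in the destination.
 * Returns the name length, or a negative code:
 *   -1 bad arguments or empty record
 *   -2 record shorter than its length byte claims (would over-read)
 *   -3 name does not fit in the destination (would overflow) */
int parse_name_checked(const uint8_t *rec, size_t rec_len,
                       char *name, size_t name_size)
{
    if (rec == NULL || name == NULL || name_size == 0 || rec_len < 1)
        return -1;
    size_t n = rec[0];
    if (n > rec_len - 1)
        return -2;
    if (n >= name_size)          /* keep one byte for the terminator */
        return -3;
    memcpy(name, rec + 1, n);
    name[n] = '\0';
    return (int)n;
}

/* Constructed sample records. */
const uint8_t REC_OK[]        = { 5, 'a', 'l', 'i', 'c', 'e' };
const uint8_t REC_TRUNCATED[] = { 10, 'a', 'b', 'c' };  /* claims 10, has 3 */

/* Runs the hardened parser on a record with a local destination buffer. */
int checked_result(const uint8_t *rec, size_t rec_len)
{
    char name[NAME_MAX_LEN + 1];
    return parse_name_checked(rec, rec_len, name, sizeof name);
}

/* Builds a record that declares `declared` bytes and really carries that
 * many, then returns the hardened parser's verdict for it. */
int verdict_for_declared_length(uint8_t declared)
{
    uint8_t rec[1 + 255];
    rec[0] = declared;
    memset(rec + 1, 'A', declared);
    return checked_result(rec, (size_t)declared + 1);
}

int main(void)
{
    printf("well-formed record   : %d\n", checked_result(REC_OK, sizeof REC_OK));
    printf("truncated record     : %d\n",
           checked_result(REC_TRUNCATED, sizeof REC_TRUNCATED));
    printf("16-byte name (fits)  : %d\n", verdict_for_declared_length(16));
    printf("200-byte name (long) : %d\n", verdict_for_declared_length(200));
    return 0;
}
```
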

Vulnerabilities are found in all software and OSs and are not limited to a particular software vendor.

● For 1Q 2012, Apple posted the highest number of reported vulnerabilities and also issued their largest number of patches during the same time period.

Users tend to not notice software vulnerabilities.

● An attacker may target one without the software showing any sign of an attack.

Attackers can also target vulnerabilities without the user having to visit a malicious site or download an exploit, such as attacks that target CVE-2012-2526 and CVE-2012-1852.


What is an exploit?

An exploit is a code purposely created by attackers to abuse or target a software vulnerability. [from TREND Micro]

● This code is typically incorporated into malware.

● Once the exploit code is successfully executed, the malware drops a copy of itself into the vulnerable system.

In some cases, an exploit can be used as part of a multi-component attack.

● Instead of using a malicious file, the exploit may drop other malware, which can include backdoor Trojans and spyware that can steal user information from the infected systems.


What is an exploit?

An exploit (from the English verb to exploit, meaning "using something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability. [from wikipedia]

● There are several methods of classifying exploits. The most common is by how the exploit contacts the vulnerable software.

● A remote exploit works over a network and exploits the security vulnerability without any prior access to the vulnerable system.

● A local exploit requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator.


Security Vulnerability [from webopedia]

An unintended flaw in software code or a system that leaves it open to the potential for exploitation in the form of unauthorized access or malicious behavior such as viruses, worms, Trojan horses and other forms of malware.

Security vulnerabilities can result from software bugs, weak passwords or software that’s already been infected by a computer virus or script code injection, and

● these security vulnerabilities require patches, or fixes, in order to prevent the potential for compromised integrity by hackers or malware.


Software Vulnerabilities

Memory safety violations, such as:

● Buffer overflows and over-reads

● Dangling pointers

Input validation errors, such as:

● Format string attacks

● SQL injection

● Code injection

● E-mail injection

● Directory traversal

● Cross-site scripting in web applications

● HTTP header injection

● HTTP response splitting


Race conditions, such as:

● Time-of-check-to-time-of-use bugs

● Symlink races

Privilege-confusion bugs, such as:

● Cross-site request forgery in web applications

● Clickjacking

● FTP bounce attack

Privilege escalation

User interface failures, such as:

● Warning fatigue[31] or user conditioning.

● Blaming the victim: prompting a user to make a security decision without giving the user enough information to answer it[32]

● Race Conditions[33][34]
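
For the time-of-check-to-time-of-use and symlink-race entries in the list above, a C sketch of the path-based check-then-open pattern next to a version that opens first and validates the resulting file descriptor. This is an added example, not from the original slides; the function names and the temporary-directory fixture are constructed for illustration, while `open`, `fstat`, `lstat` and `O_NOFOLLOW` are the standard POSIX calls.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes O_NOFOLLOW, O_CLOEXEC, mkdtemp under strict -std= on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE PATTERN: the check (lstat) and the use (open) are two separate
 * lookups of the same name. Whatever the name refers to can change between
 * them, so the property that was checked is not guaranteed for the object
 * that is opened. Shown for comparison only. */
int open_check_then_use(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))   /* time of check */
        return -1;
    return open(path, O_RDONLY);                          /* time of use  */
}

/* HARDENED: open once, refusing a symlink as the final path component,
 * then run the check on the descriptor. fstat() describes the object that
 * is actually open, so there is no second name lookup to race against.
 * O_NONBLOCK keeps the open from hanging on a FIFO. Note that O_NOFOLLOW
 * only covers the last component; parent directories must be trusted or
 * handled with openat() on directory descriptors. */
int open_regular_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Builds a constructed fixture in a fresh temporary directory: a regular
 * file, a symlink pointing at it, and the directory itself. Returns a
 * bitmask of what the hardened open accepted (bit 0 file, bit 1 symlink,
 * bit 2 directory), or -1 if the fixture could not be created. */
int hardened_open_fixture_mask(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char file[64], alias[64];
    int mask = 0, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/data.txt", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);

    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    if (symlink(file, alias) != 0) { unlink(file); rmdir(dir); return -1; }

    if ((fd = open_regular_nofollow(file)) >= 0)  { mask |= 1; close(fd); }
    if ((fd = open_regular_nofollow(alias)) >= 0) { mask |= 2; close(fd); }
    if ((fd = open_regular_nofollow(dir)) >= 0)   { mask |= 4; close(fd); }

    unlink(alias);
    unlink(file);
    rmdir(dir);
    return mask;
}

int main(void)
{
    /* Only the regular file should be accepted, so the mask is 1. */
    printf("accepted mask: %d\n", hardened_open_fixture_mask());
    return 0;
}
```

On a static fixture both functions reject the symlink; the difference is that only the descriptor-based check still holds when the name changes between the two calls.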


Vulnerability

a weakness which allows an attacker to reduce a system's information assurance

● a mistake in software that can be directly used by a hacker to gain access to a system or network

A weakness of an asset or group of assets that can be exploited by one or more threats. (by ISO 27005)

A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. (by IETF RFC 2828)

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. (by NIST)

The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved.(ITSEC) (by ENISA)


Software Security

Commercial security is reactive.

Building secure software

• Enhancing the development life cycle to produce secure software, SW Assurance Forum, Oct. 2008

• Security in the Software Life Cycle, Karen Mercedes Goertzel, OMG SwA Workshop, Mar. 2007.


Threats to software

External

● Human attackers

● Malicious processes

Inside

● Rogue developers

● Rogue administrators

● Rogue users

Embedded

● Malicious logic

● Intentional vulnerabilities

● Backdoors


When software is threatened

In development and maintenance, by

● “Rogue” developer sabotage and subversion by planting

− malicious code (“ bombs” and other undocumented functions)

− intentional faults, weaknesses, vulnerabilities

− exploitable backdoors, trapdoors

In distribution and deployment, by

● External attackers (intercepting and tampering with distribution)

● Insider threats (administrators intentionally tampering, misconfiguring, planting malware, rootkits, etc.)

In operation, by

● External attackers (level of exposure varies with level of network connectivity/exposure)

● Insider threats (users and administrators abusing privileges, not applying patches)


Categories of attack patterns

Direct attacks

● To exploit known or suspected faults, vulnerabilities, weaknesses, backdoors

● To insert malicious code

● To execute malicious code already embedded in the software

● To observe or reverse engineer the software

Indirect attacks

● Intentional activation of external faults at the software’s boundaries

● Intentional changes to execution environment state

● “Hogging” of the software’s processing resources

● Sabotage or subversion of external services or defense-in-depth measures on which the software relies

Hogging: monopolizing, taking all of something for oneself


Attack objectives (desired direct results)

Reconnaissance

● To learn more about the software in order to craft more effective attacks

Subversion

● To change the software’s functionality, by tampering or insertion of logic

Sabotage

● To make the software fail

− suddenly crash or gradually degrade in performance

● To make the software inaccessible

− by moving or deleting its executable

− by corrupting its user interface or communications capability

● Note: changing the executable’s file system permissions would have the same result, but is a system-level threat.


What makes software vulnerable?

It’s big and complicated, and getting more so – humans can no longer fully comprehend it.

Component-based development: COTS, OSS, and reuse means no-one really knows where most of it comes from, or how it was built.

It contains lots of faults and weaknesses. Many of these are exploitable.

It comes in binary executable form, which makes finding those faults and weaknesses a lot harder.

It’s exposed to threats all the time, even while it’s under development.


Where vulnerabilities originate (1)

During development

● Inadequate or spurious requirements

● Inadequate architecture, assembly option, detailed design

● Use of vulnerable processing models, software technologies

● Insecure use of development tools, languages, libraries

● Use of insecure development tools, languages, libraries

● Poor coding practices

● Coding errors

● Use of vulnerable/unpatched components

● Incorrect or mismatched security assumptions

● Inadequate reviews, testing, assessments

● Sabotaged test results

● Residual backdoors

● Sensitive info about software problems in user-viewable comments/error messages

● Inadequate configuration documentation

● Insecure installation procedures, scripts, tools


Malicious code planted during development

Trojan horses

● Software that seems to do one thing, but actually does another

Time bombs

● Software whose execution is triggered at a predefined time (on computer clock)

Logic bombs

● Software whose execution is triggered by a predefined event or input

Malicious undocumented functions (“rotten Easter eggs”)


Hard Problem:

Software of Unknown Pedigree (SOUP)

Pedigree: genealogy, history, lineage


Where vulnerabilities originate (2)

During deployment and operation

Insecure configuration of software and its environment

Inadequate allocation of resources

Failure to apply patches

Software aging


Secure Software …

Preserves all of its required properties in the face of threats to those properties

● Dependability is the #1 desirable property for all software

− If it doesn’t work correctly and predictably at all times, what good is it?

Can resist and/or tolerate most threats that attempt to subvert or sabotage it

● Integrity can be subverted by attacks

● Availability can be sabotaged by attacks

Can terminate, limit the damage, and rapidly recover from the few that succeed


Dependability properties

Quality (correctness and predictability)

Reliability

Fault-tolerance

Trustworthiness

Safety (the above intensified: failure threatens human life or health)


Security properties

Integrity

● can’t be subverted (subvert: to overthrow, to overturn a system, to ruin)

Availability

● can’t be sabotaged (sabotage: to obstruct, to hinder deliberately, to destroy, to stage a work slowdown)

Trustworthiness

● won’t do the unexpected

− not the same as trustworthiness of software as non-human “user”

Confidentiality (of the software itself)

● as a subject: behaviors, states, actions

● as an object: executable file location, characteristics, contents

● deters reconnaissance, reverse engineering

● less likely to be a requirement for software than for information

Assurability

● ability to verify software’s required properties, including security

● aided by smallness, simplicity, traceability

Source: Security Challenges for Systems Built from Nondevelopmental Software Components—Brown Bag 02.22.07


What makes software secure?

Attack-resistance

● Components and whole system recognize and resist attack patterns.

● System recognizes suspicious component behavior and either

− isolates/constrains that behavior

− terminates execution of the component

Attack-tolerance

● Components keep operating in spite of errors caused by attacks

● System keeps operating in spite of attack-caused component errors/failures

Attack-resilience

● System constrains damage from attacks it could not tolerate, isolates itself from attack source

● System rapidly recovers (at least to minimum acceptable performance)


The Challenge of Building Secure Software

To be considered secure, software must exhibit three properties:

1. Dependability: Dependable software executes predictably and operates correctly under all conditions, including hostile conditions, including when the software comes under attack or runs on a malicious host.

2. Trustworthiness: Trustworthy software contains few if any vulnerabilities or weaknesses that can be intentionally exploited to subvert or sabotage the software’s dependability.

● In addition, to be considered trustworthy, the software must contain no malicious logic that causes it to behave in a malicious manner.

3. Survivability (also referred to as “Resilience”): Survivable—or resilient—software is software that is resilient enough to (1) either resist (i.e., protect itself against) or tolerate (i.e., continue operating dependably in spite of) most known attacks plus as many novel attacks as possible, and (2) recover as quickly as possible, and with as little damage as possible, from those attacks that it can neither resist nor tolerate.


Security Threats

Identifying/classifying security threats (security attacks)

● Microsoft STRIDE model

● Attacks against security goals

Page 49: (Software Security)securesw.dankook.ac.kr/ISS19-2/LN(grad)_2019 SS_02...Software Software is everywhere A modern product delivery’ survey found that 23% of products now contain software

Microsoft STRIDE chart


Security Services

Relation between STRIDE security attributes and security service


Software Security

The practice of building software to be secure and to function properly under malicious attack

● The idea of engineering software so that it continues to function correctly under malicious attack

● Software security unifies the two sides of software security – attack and defense, exploiting and designing, breaking and building – into a coherent whole

− Software security requires a careful balance


Cost, Effort and Time for Fixing Vulnerabilities


Software Security

Cyber criminals use flaws in software and exploit them for their own malicious intents

What is software security?

● It’s all about building secure software!

● The process of designing, building, and testing software for security

● Taking the pro-active approach: building security INTO the software as opposed to securing it after building it

Software security is

● the idea of engineering software so that it continues to function correctly under malicious attack

● about building secure software: designing software to be secure, making sure that software is secure and educating software developers, architects and users about how to build secure things


Software security vs. Application security

Software security

● the process of designing, building and testing software for security

− identifies and expunges problems in the software itself

Application security

● about protecting software and the systems that software runs in a post facto way, after development is complete.

− Issues critical to this subfield include sandboxing code (as the Java virtual machine does), protecting against malicious code, obfuscating code, locking down executables, monitoring programs as they run (especially their input), enforcing the software use policy with technology and dealing with extensible systems.

● Application security follows naturally from a network-centric approach to security, by embracing standard approaches such as penetrate and patch and input filtering (trying to block malicious input) and by providing value in a reactive way.

− Put succinctly, application security is based primarily on finding and fixing known security problems after they’ve been exploited in fielded systems.

Source: https://www.cigital.com/blog/software-security/
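The contrast drawn on this slide, as an added example that is not part of the lecture slides or the cited source: the same lookup guarded post facto by an input filter, next to the version where the flaw is removed from the code itself. The table, the blocklist and all function names are hypothetical, and the sample rows and inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("O'Brien", "o-secret"),
                    ("Dropkin", "d-secret")])
    return db

# Hypothetical blocklist of patterns added after past incidents
# (the "penetrate and patch" cycle the slide describes).
BLOCKLIST = ("--", ";", "union", "drop")

def input_filter(value):
    """Post facto input filtering: accept only values with no known-bad pattern."""
    lowered = value.lower()
    return not any(bad in lowered for bad in BLOCKLIST)

def lookup_filtered(db, name):
    """Application-security approach: flawed query kept, filter placed in front."""
    if not input_filter(name):
        raise ValueError("blocked by input filter")
    # The flaw is still present: data is spliced into the SQL text.
    query = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]

def lookup_fixed(db, name):
    """Software-security approach: the problem is expunged from the code."""
    # Bound parameter: the value is never parsed as SQL.
    return [row[0] for row in db.execute(
        "SELECT secret FROM users WHERE name = ?", (name,))]

def compare(db, name):
    """Return (filtered_result, fixed_result); errors are reported by type name."""
    try:
        filtered = lookup_filtered(db, name)
    except (ValueError, sqlite3.Error) as exc:
        filtered = type(exc).__name__
    return filtered, lookup_fixed(db, name)

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: normal, legitimate with a quote, legitimate but
    # matching the blocklist, and one that changes the query's meaning.
    for name in ("alice", "O'Brien", "Dropkin", "x' OR '1'='1"):
        print(repr(name), compare(db, name))
```

The filtered version breaks on a legitimate name containing a quote, rejects a legitimate name that happens to contain a blocked word, and still lets through an input that is not yet on the list; the fixed version handles all four inputs correctly without any filter.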


Summary

Software is everywhere

Define vulnerabilities and exploits

● Security threats

SDLC (Software Development Lifecycle)

Software security


A Key Comment

• Do not try attacks at home or school!

• Our goal is to educate so you can defend, not attack
