L6 by xiangpeng


CSSE 492
Software Dependability
Seattle University
Computer Science & Software Engineering

Winter 2007

Prof. Roshanak Roshandel



CSSE 492 - Winter 2007

Software Security
• Introduction
• Software Security vs. Security Software
• Risk Analysis
• Worms, Viruses, …
• Writing Secure Code (or common sins)




Software Security vs. Security Software




The Security Problem
[Diagram: a word cloud of today's security problems: cyber terrorism, denial of service, modified databases, espionage, virus, worm, equipment theft, stolen customer data, identity theft]
CERT: Vulnerabilities Reported 1999-2006 (http://www.cert.org/stats/)
[Bar chart: vulnerabilities reported per year, with bars for 1995 through 2005 and a Q1 bar for 2006; vertical axis 0 to 6000. Legend: Vulnerabilities, Notes]
Discussion
• What do you think the major trends in vulnerabilities are?




The Trends of Security Attacks
1. Automation; speed of attack tools
2. Increasing sophistication of attack tools
3. Faster discovery of vulnerabilities
4. Increasing permeability of firewalls
5. Increasing asymmetric threat
6. Increasing threat from infrastructure attacks



Time Changes Everything!
[Chart: sophistication of hacker tools and attack volume rising over time. Tools in roughly the order they appear along the time axis: password guessing, self-replicating code, password cracking, disabling audits, back doors, hijacking sessions, sweepers, sniffers, stealth diagnostics, DDOS, packet forging & spoofing, new Internet attacks. Axes: Time (horizontal); Volume and Sophistication of Hacker Tools (vertical)]
Automation
• Increase in the level of automation in attack tools
   - Scanning for potential victims
   - Compromising vulnerable systems
   - Propagating the attack
   - Coordinated management of attack tools




Sophistication
• Attack tools are becoming more advanced
• Difficult to discover signatures through analysis
   - Anti-forensics
   - Dynamic behavior
   - Modularity of tools




Discovery of Vulnerabilities
• The number of newly discovered vulnerabilities has more than doubled each year
• Intruders find the problems faster than the vendors can fix them
• “Time to patch” is becoming very small




Permeability of Firewalls
• Firewalls are expected to provide primary protection from intruders
   - New technologies are able to bypass the firewall configurations
   - Some protocols marketed as “firewall friendly” actually bypass the firewall configurations
• Mobile code (ActiveX, Java and JavaScript) adds additional challenges



Asymmetric Threat
• Security on the Internet is very interdependent
• A single attacker can relatively easily employ a large number of distributed systems to launch attacks against a single victim




Infrastructure Attacks
• Attacks that broadly affect key components of the Internet
   - More people, organizations, and businesses online
1. Distributed denial of service (DDoS)
   - Multiple systems attack one or more victims with the intent of denying service to legitimate users of the victim’s system
      - Controlled and launched by a single attacker
   - Searching address blocks known to contain a high concentration of vulnerable systems



Infrastructure Attacks II
2. Worms
   - Self-propagating malicious code (unlike a virus)
   - Allow a large number of systems to be compromised within hours
      - Code Red infected more than 250K systems in just 9 hours in July 2001
   - Effectively launching a DDoS in part of the Internet

3. Internet Domain Name System (DNS)
   - Cache poisoning (caching bogus information) can redirect traffic to a bogus site under the attacker’s control
      - Compromised data
      - Denial of service
      - Domain hijacking




Routers
• Routers as attack platforms
• Denial of service
• Exploitation of trust relationships between routers




What is Software Security?
• Software is secure if it can handle intentionally malformed input
• Software Security: engineering software that continues to function “correctly” under malicious attack




Goal of Software Security Approach
• Understand software-induced security risks and how to manage them
   - Develop practices for all phases of the software development life cycle
   - Good software engineering principles
      - Think about security early on
      - Design for security
      - Know and understand common pitfalls
      - Objective risk analysis and testing for all artifacts



Why Is this a Growing Problem?
• Current trends in the software world have the biggest impact on the problem
   - Connectivity
   - Extensibility
   - Complexity




What Are We Headed For?
• The case – 25 years ago
   - Banking, airline, …?
• The modern society
   - Software is everywhere
   - The Internet
   - COTS systems (black box)
   - Mobile code
• Security threats
   - from mild to disastrous
• Software Security throughout the SDLC

Modern Software System
[Diagram: a layered stack of Enterprise Network, Application Infrastructure and Operating Systems, with a security compromise shown against the layers. Challenge: Dependencies]
Extensibility
• Extensible software is attractive
   - Double-edged sword
• Software evolution
• Mobile code
• Examples:
   - Web browsers’ use of plug-ins
   - Operating systems’ use of dynamically loadable modules and libraries
   - Applications’ use of applets, components, and scripting
   - Patches
• Web Services and Service Oriented Architecture



Complexity
• Increase in size and complexity of software systems
   - E.g., growth in Windows software code over the years
• The rate of defects tends to go up as the square of code size




Growth of Windows Code
[Bar chart “Windows Complexity”: millions of lines of code, vertical axis 0 to 45, for Windows releases from Win 3.1 (1990) through Win XP (2001); the intermediate bars include Win NT, Win 95, Win NT 4.0, Win 98, Win NT 5.0 and Win 2k]
Bug, Flaw, Defect, Failure, …
• Defect: implementation or design vulnerability; may lie dormant for years
• Bug: implementation-level software problem; may exist but never be executed; can be easily discovered and remedied
• Flaw: subtle and deep; instantiated at the implementation level but rooted at the design level
• Risk: the probability that a flaw or bug will impact the purpose of the software (risk = probability x impact)
• Failure: manifestation of a defect or flaw during operation




Buffer Overflow – A Bug
• 45% of all software security problems reported to CERT were caused by buffer overflow
   - Example?

• Stack-allocated buffers
• Heap-allocated buffers



What is Wrong with This Code?

#include <stdio.h>

int main(void) {
    char buf[1024];
    gets(buf);   /* reads until newline with no length bound: longer input overruns buf (gets() was removed in C11) */
    return 0;
}
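A bounded replacement for the gets() call on the slide, added here as an example (not the course's own code): read_line_bounded() reads one line with fgets(), strips the newline, and reports when the input did not fit instead of silently writing past the buffer. The helpers demo_read() and demo_check() are assumptions of this example; they feed constructed input through a tmpfile so the behaviour can be exercised without typing at stdin.

```c
#include <stdio.h>
#include <string.h>

/* The slide's version, for contrast (comment only, never call it):
       char buf[1024];
       gets(buf);        // no length argument: a line longer than 1023
                         // bytes is written past the end of buf        */

/* Bounded replacement. Reads one line from `in` into buf (n bytes, n >= 2).
   Returns the line length on success, -1 on EOF with nothing read, and -2
   when the line did not fit; in that case the rest of the line is drained
   so the next call starts on a fresh line and the caller sees the
   truncation explicitly instead of a corrupted stack. */
int read_line_bounded(char *buf, size_t n, FILE *in) {
    if (n < 2 || fgets(buf, (int)n, in) == NULL) {
        if (n > 0) buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';               /* line fit, newline included */
        return (int)len;
    }
    /* No newline in the buffer: the line ended at EOF, fit exactly, or was
       longer than n-1 bytes. Look at the next byte to tell them apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return (int)len;                 /* complete line, nothing lost */
    while (c != '\n' && c != EOF)        /* drain the oversized remainder */
        c = fgetc(in);
    return -2;
}

/* Demo helper (constructed): feeds an input string through a temporary file. */
int demo_read(const char *input, char *buf, size_t n) {
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(input, f);
    rewind(f);
    int r = read_line_bounded(buf, n, f);
    fclose(f);
    return r;
}

/* Demo helper (constructed): 1 when reading `input` into an n-byte buffer
   yields the expected return code and buffer contents, 0 otherwise (n <= 64). */
int demo_check(const char *input, size_t n, int want_ret, const char *want_buf) {
    char buf[64];
    if (n > sizeof buf) return 0;
    int r = demo_read(input, buf, n);
    return r == want_ret && strcmp(buf, want_buf) == 0;
}

int main(void) {
    char buf[16];                        /* deliberately small to show the -2 path */
    int r = read_line_bounded(buf, sizeof buf, stdin);
    if (r == -2)
        printf("input too long; first %zu bytes kept: \"%s\"\n", sizeof buf - 1, buf);
    else if (r >= 0)
        printf("read %d bytes: \"%s\"\n", r, buf);
    return 0;
}
```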




A Design Flaw: Microsoft Bob
• Windows ME and Windows 98
• MS Bob would pop up when the program determined that the user was stuck doing something
   - After three attempts to enter a password
   - “I see you have forgotten your password, please enter a new password”.




Security Defects: Bugs & Flaws

Bugs                                               Flaws
Buffer overflow: stack smashing                    Method over-riding problems (subclass issues)
Buffer overflow: one-stage attacks                 Compartmentalization problems in design
Buffer overflow: string format attacks             Privileged block protection failure (DoPrivilege())
Race conditions (TOCTOU)                           Error-handling problems (fails open)
Unsafe environment variables                       Type safety confusion error
Unsafe system calls (fork(), exec(), system())     Insecure audit log design
Incorrect input validation (black list vs.         Broken or illogical access control (role-based
white list)                                        access control over tiers)
                                                   Signing too much code
Bug vs. Flaw
• Security defects are 50% bug and 50% flaw
• Solution
   - Code review
   - What are other options?
      - Can we “prove” security?
• How to measure the impact of a bug or flaw?
   - Classification

Application Security vs. Software Security
• What is application security?
• What is the most effective way to protect software? How to fight back?




Application Security Testing Tools
• How does an attacker think?
   - “Fuzz” the system to find “holes”
   - Take software apart and painstakingly analyze it to find flaws
• The tools treat software as a black box
   - At best they can tell you that your software does not have any known security defect
      - How good is that?
   - Measure the “badness”
• What does a firewall or intrusion detection system do?

Solution to the Problem…
• The “solution” requires a major cultural shift
[Diagram: Software Engineering, Programming Languages, Security Engineering]




The Pillars of Software Security
1. Applied Risk Management
2. Software Security Touchpoints
3. Knowledge




Applied Risk Management
• An overall risk management framework spanning the software development life cycle
   - Tracking and mitigating risks as a full life cycle activity
      - Business-level decision support tool




Software Security Touchpoints during SDLC
• Security Software vs. Software Security
• Software security spans system-wide issues, including security mechanisms and design for security

[Diagram: the touchpoints placed over the SDLC artifacts they apply to]
   Requirements            Abuse Cases; Security Requirements
   Arch & Design           Risk Analysis
   Test Plans              Risk-based Security Tests
   Code                    Code Review (Tools)
   Tests                   Risk Analysis; Penetration Testing
   Feedback                Security Operations
Security during the Software Development Lifecycle
• Requirements and Policies
• Architecture and Design
• Software Piracy and Protection
• Trusting Software Components
• Secure Software Deployment
• Secure Computation, not Secure Computers



Security and Requirements
• “Security, like beauty, is in the eyes of the beholder”
   - Business context and user preference
• Organizational issues (e.g., policies)
• Manifestation of a high-level organizational policy in the detailed requirements of a specific system
• Non-functional requirement
   - Typically developed after functional requirements have been completed

Security Requirements & Policies – Overview
• Models
   - Mandatory access control (MAC)
   - Discretionary access control (DAC)
   - Multi-level security model
• Challenges
   - Unifying security with system engineering
   - Unifying security with system models
      - Unified design of systems and security policies; modularity, compactness, and reuse in policy representation; forward and reverse engineering tools and techniques


Architecture & Design of Secure Systems
• Re-engineering for security
   - The case of performance and reliability
   - Shoehorning policy enforcement mechanisms into a pre-existing design
   - The case of advances in networking and open standards
• Challenges
   - Legacy security mismatches
   - Separating the security “aspect”

Software Piracy and Protection
• What is the root cause of piracy?
   - Ethical issues
• A good model of the economics of piracy is needed to keep otherwise honest people honest




Systems Verification
• Rigorous formal methods to show
   - Properties of computing systems
      - Access control, information flow, …
   - Properties of cryptographic protocols
      - Authentication
   - How confident can we be about a system with formal verification?
• Challenge:
   - Implementation-based verification methods


Software Deployment and Security
• Component software
• Incompatibility issues
• Post-deployment secure configuration management (Secure PDCM)
• Challenges:
   - Controlled delegation
   - Privacy protections




Secure Computation, Not Secure Computers
• The need to make sure that a system acts correctly (even when under attack)
• Proof checkers
   - Performance issues
• Use of secure data structures (stacks, queues, …), use of coprocessors, RAM, etc.



Aspects of Security
• Safeguarding sensitive information from unauthorized access – confidentiality
• Safeguarding data against modification and destruction – integrity
• Ensuring the usability of resources by authorized users – availability




Risk Management




Risk Assessment is Hard!
• Communication problem
[Cartoon with three speech bubbles: “X has Y number of failures”; “If X has Y number of failures, then we will miss the Q1 numbers by $2M”; “What does that mean?”]
The Five Stages of Activities
[Diagram: the five stages, fed by Artifact Analysis and Business Context]
1. Understand the Business Context
2. Identify the Business & Technical Risks
3. Synthesize & Rank the Risks
4. Define the Risk Mitigation Strategy
5. Carry Out Fixes & Validate



[Diagram: risk tracked through a cycle of identify, track, store, measure and report activities, continuous but not necessarily sequential, carried out at the project level, the SDLC level and the artifact level]
Security Software




What is Security Software?
• Software programs used to improve the security of computers and applications
   - Antivirus
   - IPSec
   - Cryptography products
   - Firewalls
   - SSL, TLS




Cryptography




Why Cryptography?
• Confidential information must be communicated over insecure network channels
• Confidential information is stored and may be accessed without proper authorization
• Cryptography is the science that makes this systematically more difficult


Security Aspects
• Confidentiality
   - encryption
• Authenticity
   - encryption/signatures
• Integrity
   - encryption/signatures
• Non-repudiation
   - signature

• Encryption
   - Only authorized parties can understand an encrypted message
• Signatures
   - Allow people to verify the authenticity of a message




Modern Cryptography
1. Public Key Cryptography
2. Shared Key Cryptography




Shared Key Cryptography
• The limit is the computational complexity
• Parties:
   - Sender
   - Receiver
   - Key
• Algorithms
   - DES (Data Encryption Standard) - 1977
   - AES (Advanced Encryption Standard) - 2002


Public Key Cryptography
• Parties
   - Sender
   - Receiver
   - Public/private pair of keys
• Everyone knows the public key
• Only the owner knows the private key




Mechanism
• If the message is encrypted with the private key
   - Everyone with the public key can recover the message
   - Only the owner can generate the encrypted message
• If the message is encrypted with the public key
   - Only the owner can decrypt it using the private key
• Algorithm
   - RSA (Rivest, Shamir, Adleman)
      - the most important digital signature algorithm
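The two directions on this slide worked through with RSA, added here as an example (not the course's code): the primes 61 and 53, exponent 17 and message 65 are constructed toy values, far too small for real use, chosen so that every step fits in 64-bit arithmetic. Encrypting with the public key gives confidentiality (only the private-key holder reverses it); applying the private key gives a signature that anyone with the public key can check.

```c
#include <stdint.h>

/* Toy RSA parameters, constructed for illustration only. */
static const uint64_t P = 61, Q = 53;      /* secret primes (never published) */
static const uint64_t N = 61 * 53;         /* 3233 = P*Q: the public modulus */
static const uint64_t E = 17;              /* public exponent */

/* (base ^ exp) mod m by square-and-multiply; m < 2^32 so products fit in 64 bits. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1) result = (result * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return result;
}

/* Modular inverse of a mod m by the extended Euclidean algorithm;
   returns 0 when gcd(a, m) != 1, i.e. when no inverse exists. */
uint64_t mod_inverse(uint64_t a, uint64_t m) {
    int64_t t = 0, new_t = 1;
    int64_t r = (int64_t)m, new_r = (int64_t)(a % m);
    while (new_r != 0) {
        int64_t q = r / new_r, tmp;
        tmp = t - q * new_t; t = new_t; new_t = tmp;
        tmp = r - q * new_r; r = new_r; new_r = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Private exponent D = E^-1 mod (P-1)(Q-1); only whoever knows P and Q can derive it. */
uint64_t private_exponent(void) { return mod_inverse(E, (P - 1) * (Q - 1)); }

/* Applying the public key: anyone can do this, only the owner can undo it. */
uint64_t rsa_public(uint64_t x)  { return modpow(x, E, N); }
/* Applying the private key: only the owner can do this, anyone can undo it. */
uint64_t rsa_private(uint64_t x) { return modpow(x, private_exponent(), N); }

/* Confidentiality direction: encrypt with the public key, decrypt with the private key. */
uint64_t rsa_encrypt(uint64_t m) { return rsa_public(m); }
uint64_t rsa_decrypt(uint64_t c) { return rsa_private(c); }

/* Signature direction: sign with the private key; verification applies the
   public key to the signature and checks that the message comes back out. */
uint64_t rsa_sign(uint64_t m)            { return rsa_private(m); }
int      rsa_verify(uint64_t m, uint64_t sig) { return rsa_public(sig) == m; }
```

A tampered signature (say 589 instead of 588 for message 65) fails verification because the public-key operation no longer yields the message.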

								