Prof. Seong-je Cho
Computer Security & Operating Systems Lab,
Dept. of Software Science, Dankook University, Korea
Introduction to Software Security
Software Vulnerabilities (3)
- 2 -
Sources / References
Information Security: Principles and Practice, 2nd edition by Mark Stamp, Wiley, 2011
N. Vlajic, CSE 3482: Introduction to Computer Security, Yorku
Nicholas Weaver, Computer Science 161: Computer Security, Berkeley
Myrto Arapinis, Computer Security: INFRA10067, University of Edinburgh
Lecture 12 Program Security, CS 450/650 Lecture
CSC 593: Secure Software Engineering Seminar
Please do not duplicate and distribute
Computer Security & OS Lab, DKU
- 3 -
Contents
Software Complexity
Software Cost
Penetrate and Patch approach
Bug vs. Vulnerability in Software
Secure Software
- 4 -
Software Security Issues
“Normal” users
Find bugs and flaws by accident
Hate bad software…
… but must learn to live with it
Must make bad software work
Attackers
Actively look for bugs (flaws)
Like bad software…
… and try to make it misbehave
- Buffer overflow
- Integer overflow
- Format string bug
Attack systems thru bad software
- 5 -
Complexity
“Complexity is the enemy of security”, Paul Kocher, Cryptography Research, Inc.
An autonomous vehicle contains more LOC than was required to land the Apollo astronauts on the moon
System          Lines of code (LOC)
Netscape        17,000,000
Space shuttle   10,000,000
Linux            1,500,000
Windows XP      40,000,000
Boeing 777       7,000,000
- 6 -
Lines of Code and Bugs
Conservative estimate: 5 bugs/1000 LOC (5 bugs/1K LOC)
Do the math
Typical computer: 3,000 exe’s of 10KB each
Conservative estimate of 50 bugs/exe
About 3K X 50 = 150K bugs per computer
30,000-node network has 4.5 billion bugs: 30,000 X 150,000 = 4,500,000,000 = 4.5 billion
Suppose that only 10% of bugs are security-critical and only 10% of those remotely exploitable
Then “only” 45 million critical security flaws!
1 billion X 0.01 = 10 million
- 7 -
Software costs
Software errors cost the U.S. economy $60 billion annually in rework, lost productivity, and actual damages.
Software costs often dominate computer system costs.
Software costs more to maintain than to develop.
For systems with a long life, maintenance costs may be several times development costs.
Source: CS 389 – Software Engineering (https://slide-finder.com/view/CS-389--Software.323946.html)
- 8 -
Penetrate and Patch
In the early days, security was shown by finding faults and patching them
Discover flaws after deployment
Often by attackers
Users may not deploy patches
Developers can only patch problems which they know about.
Patches only fix the symptoms
Patches may have security flaws (15%?)
Patches map to vulnerabilities
Attackers reverse engineer patches to create attacks
- 9 -
Penetrate and Patch approach
Usual approach to S/W development
Develop product as quickly as possible
Release it without adequate testing
Design stage (?)
Patch the code as flaws are discovered
In security, this is “penetrate and patch”
A bad approach to S/W development
An even worse approach to secure software
- 10 -
Comparing the feedback cycle of various development techniques
As the figure shows, the agile cost-of-change curve has flattened because agile techniques shorten the feedback cycle. Agile techniques (shown in green) have short feedback cycles and therefore sit at the flat end of the curve; traditional techniques (shown in red) have longer feedback cycles and therefore sit at the higher-cost end of the curve.
Source: http://www.agilemodeling.com/essays/costOfChange.htm
Vulnerability vs. Secure Software
Redefine Terminology
- 12 -
Program Flaws
An error is a programming mistake
To err is human
An error may lead to an incorrect state: a fault
A fault is internal to the program
A fault may lead to a failure, where a system departs from its expected behavior
A failure is externally observable
Error -> Fault -> Failure
- 13 -
Example
char array[10];
int i;
for (i = 0; i < 10; ++i)
    array[i] = 'A';
array[10] = 'B';   /* out of bounds: valid indices are 0..9 */
This program has an error
This error might cause a fault
Incorrect internal state
If a fault occurs, it might lead to a failure
Program behaves incorrectly (external)
We use the term flaw for all of the above
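The slide’s off-by-one as an added example (not part of the lecture): the buggy fill next to a bounds-checked version, with a sentinel byte that makes the otherwise silent fault observable. The 16-byte backing store and the function names are constructed for this demo.

```c
#include <string.h>
#include <stddef.h>

/* The slide's off-by-one as a function. Bug kept on purpose: the marker
 * byte goes to index len, one past the last valid element. */
static void fill_off_by_one(char *array, size_t len)
{
    for (size_t i = 0; i < len; ++i)
        array[i] = 'A';
    array[len] = 'B';             /* the error: one byte past the end */
}

/* Hardened version: the caller passes the real capacity and the function
 * refuses a layout that does not fit. Returns 0 on success, -1 on refusal. */
static int fill_checked(char *array, size_t cap, size_t len)
{
    if (len >= cap)               /* need len letters plus one marker byte */
        return -1;
    for (size_t i = 0; i < len; ++i)
        array[i] = 'A';
    array[len] = 'B';
    return 0;
}

/* Error -> fault -> failure made observable. A 10-byte logical array lives
 * inside a 16-byte backing store (constructed for this demo), and a sentinel
 * at index 10 stands in for whatever follows the array in memory. Keeping
 * the overrun inside the larger object keeps this well-defined C, so the
 * silent fault can be inspected rather than crashing the process.
 * Returns 1 if the sentinel was overwritten, 0 if it survived. */
int sentinel_corrupted_by_bug(void)
{
    char backing[16];
    memset(backing, 0, sizeof backing);
    backing[10] = 'S';
    fill_off_by_one(backing, 10); /* same shape as the slide: 10 elements */
    return backing[10] != 'S';    /* 1: the fault is now visible */
}

/* Same scenario through the checked version; returns fill_checked's result
 * (-1 for cap 10 / len 10, 0 once the capacity really allows index len). */
int checked_fill_rc(size_t cap, size_t len)
{
    char backing[16];
    if (cap > sizeof backing)
        return -2;                /* demo limit only */
    return fill_checked(backing, cap, len);
}
```

In the real slide the array is exactly 10 bytes, so the same store lands on whatever the compiler placed after it; the sentinel only makes that corruption visible without undefined behaviour.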
- 14 -
Bug
A flaw in a computer program or system that results in an unexpected outcome.
SW bug: a flaw in a program that causes it to misbehave in an unintended way
a flaw in computer code that can compromise the security of a computer system
HW bug: a flaw in a system
SW bugs result in crashes and unintended program state
SW bugs are due to human mistakes in the source code, compiler, or runtime system
SW bugs are triggered through specific input (e.g., console, file, network, or environmental input)
- 15 -
Bug vs. Vulnerability
If the bug can be controlled by an adversary to escalate privileges,
e.g., gaining code execution, changing the system state, or leaking system information
then it is called a vulnerability.
Vulnerability
A SW weakness that allows an attacker to exploit a software bug
It requires 3 key components
System is susceptible to the flaw
Adversary has access to the flaw (e.g., through information flow)
Adversary has the capability to exploit the flaw
- 16 -
Bug and Vulnerability
Classification of software bugs and vulnerabilities
Source: Security of Open Source and Closed Source Software: An Empirical Comparison of Published Vulnerabilities, G. Schryen, AMCIS, 2009
- 17 -
Vulnerabilities
Design flaws
Implementation bugs
Design flaws
high-level problems associated with the architecture of the software
E.g., failure of authentication, TCP SYN mechanism (?), Telnet (?), …
Implementation bugs
Code-level S/W problem
E.g., buffer overflow
Design flaws and implementation bugs occur with roughly equal frequency.
Source: A comparison of the efficiency and effectiveness of vulnerability discovery techniques,
Information and Software Technology, 2013
- 18 -
Software Vulnerability
Informally, a bug with security consequences
A design flaw or poor coding that may allow an attacker to exploit software for a malicious purpose
e.g. allowing easily-guessed passwords (poor coding)
e.g. complete lack of passwords when needed (design flaw)
Hard-coded password (?)
More formal definition (NIST):
A security flaw, glitch, or weakness found in software that can be exploited by an attacker.
- 19 -
Threats of Insecure Software
Successful exploitation of insecure software can lead to
data breach and information leakage (confidentiality exposure),
modification or alteration of data (integrity exposure),
defacement, downtime, and denial of service (availability exposure),
financial loss.
Undetected and surreptitious exploitation can also lead to
implantation of malicious software within your organization,
giving the attacker both the ability and the potential to attack at any time.
Surreptitious: covert, stealthy
- 20 -
Secure Software
In software engineering, try to ensure that
a program does what is intended
Secure software engineering requires that
the software does what is intended… … and nothing more
Software security ensures that software is used for its intended purpose and prevents unintended use.
Absolutely secure software is impossible
Absolute security is almost never possible!
How can we manage the risks?
- 21 -
Need to “Shift Left”
BSIMM8 data (figure: Prevention, Detection, Response)
Program flaws are unintentional
But still create security risks
Many vulnerabilities can occur
Buffer overflow (smashing the stack)
Integer overflow
Format string vulnerability
SQL injection
- 22 -
Secure SW Development Lifecycle
Source: National Institute of Standards and Technology
- 23 -
Bug Bounty Programs
Source: Analyzing Bug Bounty Programs: An Institutional Perspective on the Economics of Software Vulnerabilities, A. Keuhn & M. Mueller, 2014
- 24 -
Whale Security Bug Bounty Program
Naver Corporation launches the Whale Security Bug Bounty Program to encourage security researchers in helping us to find and fix security vulnerabilities on Whale and to reward their efforts spent to make our product secure.
Naver focuses on bugs in the latest version of the Whale browser. The bugs must be reproducible on the latest version at the time of reporting. Bugs in third-party libraries used only by Whale (not Chromium) are eligible. Bugs in synchronization are eligible.
https://bugbounty.whale.naver.com/ko/
- 25 -
Software Security Topics
Program vulnerabilities (unintentional)
Buffer overflow
Integer overflow
Format string bugs
Incomplete mediation
Race conditions
Malicious software (intentional)
Viruses
Worms
Other breeds of malware (Trojan horse, Bot, Rootkit, …)
- 26 -
Summary
Penetrate and patch approach is Bad
Software Security
Reduction/Mitigation of Software Vulnerabilities
Secure Software Development Life-Cycle
Need to “Shift Left”