software security (vulnerabilities) and physical security

Information Systems 365/765 Lecture 11 Software Security (Vulnerabilities) and Physical Security

Upload: nicholas-davis

Post on 05-Dec-2014


Page 1: Software Security (Vulnerabilities) And Physical Security

Information Systems 365/765 Lecture 11

Software Security (Vulnerabilities) and Physical Security

Vulnerability

• A weakness in a system which allows an attacker to violate the integrity of that system. Vulnerabilities may result from weak passwords, software bugs, a computer virus or other malware, a script code injection, or a SQL injection.

Vulnerability vs. Exploit

• A security risk is classified as a vulnerability if it is recognized as a possible means of attack.

• A security risk with one or more known instances of working and fully-implemented attacks is classified as an exploit.

Causes

• There are multiple causes of vulnerabilities

• Password Management Flaws

• Fundamental Operating System Design Flaws

• Software Bugs

• Unchecked User Input

Password Management Flaws

• The computer user uses weak passwords that could be discovered by brute force.

• The computer user stores the password on the computer where a program can access it.

• Users re-use passwords between many programs and websites.

Operating System Design Flaws

• The operating system designer chooses to enforce suboptimal policies on user/program management.

• For example, operating systems with policies such as default permit grant every program and every user full access to the entire computer.

• This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.

Software Bugs

• The programmer leaves an exploitable bug in a software program.

• The software bug may allow an attacker to misuse an application through (for example) bypassing access control checks or executing commands on the system hosting the application.

Software Bugs

• Also the programmer's failure to check the size of data buffers, which can then be overflowed, causing corruption of the stack or heap areas of memory (including causing the computer to execute code provided by the attacker).

Unchecked User Input

• The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as Buffer overflows, SQL injection or other non-validated inputs).

Vulnerability Disclosure

• The method of disclosing vulnerabilities is a topic of debate in the computer security community.

• Some advocate immediate full disclosure of information about vulnerabilities once they are discovered.

• Others argue for limiting disclosure to the users placed at greatest risk, and only releasing full details after a delay, if ever.

• What do you think?

Vulnerability Disclosure

• Benefit to limited disclosure:

• Such delays may allow those notified to fix the problem by developing and applying patches.

• Drawback to limited disclosure:

• May increase the risk to those not privy to full details.

Full Disclosure

• Disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity

Full Disclosure

• The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security.

• Fixes are produced faster because vendors and authors are forced to respond in order to save face.

• Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.

Responsible Disclosure

• Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround.

Limited Disclosure

• Another possible approach: full details go to a restricted community of developers and vendors, and only the existence of the problem is released to the public.

• Nick doesn’t like Limited Disclosure

A.C. Hobbs - Locksmith

• A commercial, and in some respects a social doubt has been started within the last year or two, whether it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.

Security Through Obscurity

• Attempts to use secrecy (of design, implementation, etc.) to provide security.

• A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them.

Vulnerability Disclosure Date

• When can it be said that a vulnerability has been disclosed?

• 1. The information is freely available to the public

• 2. The vulnerability information is published by a trusted and independent channel/source

• 3. The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure

Examples of Vulnerabilities

• Buffer overflows

• Dangling pointers

• Input validation errors, such as:
  • Format string bugs
  • Improperly handling shell metacharacters so they are interpreted
  • SQL injection
  • Code injection
  • E-mail injection
  • Directory traversal
  • Cross-site scripting in web applications

• Race conditions, such as:
  • Time-of-check-to-time-of-use bugs
  • Symlink races

• Privilege-confusion bugs, such as:
  • Cross-site request forgery in web applications

• Privilege escalation

• User interface failures, such as:
  • Warning fatigue or user conditioning
  • Blaming the Victim: prompting a user to make a security decision without giving the user enough information to answer it.

• Race Conditions

Buffer Overflow

• A condition where a process attempts to store data beyond the boundaries of a fixed-length buffer.

• The result is that the extra data overwrites adjacent memory locations.

Buffer Overflow

• The overwritten data may include other buffers, variables and program flow data, and may result in erratic program behavior, a memory access exception, program termination (a crash), incorrect results or, especially if deliberately caused by a malicious user, a possible breach of system security.

Basic example

• In the following example, a program has defined two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 3. Characters are one byte wide.

A (8 bytes)        B (2 bytes)
0 0 0 0 0 0 0 0    0 3

Buffer Overflow Example

• Now, the program attempts to store the character string "excessive" in the A buffer, followed by a zero byte to mark the end of the string. By not checking the length of the string, it overwrites the value of B:

A (8 bytes)                        B (2 bytes)
'e' 'x' 'c' 'e' 's' 's' 'i' 'v'    'e' 0
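
The A/B layout from these two slides as a C program, with the unchecked store beside a length-checked one. This is an added example, not part of the original lecture; the struct and function names are assumptions, and the overflowing copy is modelled over the struct's own bytes so the program stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The slide's two adjacent items: 8-byte buffer A, then 2-byte integer B. */
struct frame {
    char           A[8];
    unsigned short B;
};
_Static_assert(offsetof(struct frame, B) == 8 && sizeof(struct frame) == 10,
               "layout assumption: B directly follows A, no padding");

/* Models the unchecked store: writes every byte of src, terminator
 * included, starting at A and running on into B. The copy goes through
 * the struct's bytes and is capped at the struct size, so the
 * demonstration never touches memory outside the frame. */
size_t store_unchecked(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
    return n;
}

/* Checked store: refuse input that does not fit in A with its terminator. */
int store_checked(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof f->A) return -1;     /* too long: leave A and B alone */
    memcpy(f->A, src, n);
    return 0;
}

/* Runs one store against a fresh frame (A zeroed, B = 3) and returns B. */
unsigned short b_after(const char *src, int checked)
{
    struct frame f = { {0}, 3 };
    if (checked) (void)store_checked(&f, src);
    else         (void)store_unchecked(&f, src);
    return f.B;
}

int main(void)
{
    printf("unchecked \"excessive\": B = %u\n", (unsigned)b_after("excessive", 0));
    printf("checked   \"excessive\": B = %u\n", (unsigned)b_after("excessive", 1));
    printf("unchecked \"hello\":     B = %u\n", (unsigned)b_after("hello", 0));
    return 0;
}
```

After the unchecked store, B holds the bytes 'e' and 0, so its numeric value depends on the machine's byte order; after the checked store it is still 3.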

SQL Injection

• User input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

SQL Injection Humor

Email Injection

• A security vulnerability that can occur in Internet applications that are used to send e-mail messages. Like SQL injection attacks, this vulnerability is one of a general class of vulnerabilities that occur when one programming language is embedded within another.

Directory Traversal

• The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.

• Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking.
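
A check an application can run on a requested path before opening it, written as an added C example (not part of the original lecture). The function name and the sample requests are constructed for illustration; the check is purely lexical, so it assumes the path has already been decoded and it does not resolve symbolic links.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the relative request path stays at or below the served
 * directory, 0 if it is absolute or if any prefix of it climbs above
 * that directory with "..". Both '/' and '\' count as separators. */
int stays_under_root(const char *req)
{
    int depth = 0;                      /* levels below the served directory */
    const char *p = req;

    if (*p == '/' || *p == '\\') return 0;          /* absolute path */
    while (*p) {
        size_t len = strcspn(p, "/\\");             /* length of next component */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 0;              /* climbed out of the root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                                /* ordinary file or directory name */
        }                                           /* "" and "." change nothing */
        p += len;
        if (*p) p++;                                /* skip the separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample requests. */
    const char *samples[] = {
        "images/logo.png", "a/b/../c", "../etc/passwd",
        "a/../../x", "/etc/passwd", "a\\..\\..\\x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %s\n", samples[i],
               stays_under_root(samples[i]) ? "allow" : "reject");
    return 0;
}
```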

Cross-Site Scripting

• Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

Time-of-check-to-time-of-use

• Time-of-check-to-time-of-use (TOCTTOU, pronounced "TOCK too") is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.

Confused Deputy

• A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation. In information security, the confused deputy problem is often cited as an example of why capability-based security is important.

• Billing example

Blaming The Victim

• Prompting a user to make a security decision without giving the user enough information to answer it.

Physical Security

• Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guard posts.

3 Elements to Physical Security

• Obstacles, to frustrate trivial attackers and delay serious ones;

• Alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and

• Security response, to repel, catch or frustrate attackers when an attack is detected.

4 Layers to Physical Security

• Environmental design

• Mechanical and electronic access control

• Intrusion detection

• Video monitoring

What Are Physical Security Goals?

• The goal is to convince potential attackers that the likely costs of attack exceed the value of making the attack.

• If you are unable to convince them, then the second goal comes into play: to keep them from entering.

Layer One - Physical

• The initial layer of security for a campus, building, office, or physical space uses Crime Prevention Through Environmental Design to deter threats. Some of the most common examples are also the most basic - barbed wire, warning signs and fencing, concrete bollards, metal barriers, vehicle height-restrictors, site lighting and trenches.

Layer Two - Mechanical

• Includes gates, doors, and locks.

• Key control of the locks becomes a problem with large user populations and any user turnover.

• Keys quickly become unmanageable, forcing the adoption of electronic access control.

• Electronic access control easily manages large user populations, controlling for user lifecycles, times, dates, and individual access points.

• For example, a user's access rights could allow access from 0700 to 1900 Monday through Friday and expire in 90 days.

Layer Three – Intrusion Detection

• Monitors for attacks. It is less a preventative measure and more of a response measure, although some would argue that it is a deterrent. Intrusion detection has a high incidence of false alarms. In many jurisdictions, law enforcement will not respond to alarms from intrusion detection systems.

Layer Four - Monitoring

• Typically video monitoring systems. Like intrusion detection, these are not much of a deterrent.

• Video monitoring systems are more useful for incident verification and historical analysis.

• For instance, if alarms are being generated and there is a camera in place, the camera could be viewed to verify the alarms.

• In instances when an attack has already occurred and a camera is in place at the point of attack, the recorded video can be reviewed.

• Monitoring is ALWAYS active

Intertwined in These Four Layers are People

• Guards have a role in all layers.

• In the first as patrols and at checkpoints.

• In the second to administer electronic access control.

• In the third to respond to alarms. The response force must be able to arrive on site in less time than it is expected that the attacker will require to breach the barriers.

• In the fourth to monitor and analyze video.

Users Are Helpful Too

• Users obviously have a role also by questioning and reporting suspicious people.

• Aiding in identifying people as known versus unknown are identification systems.

• Often photo ID badges are used and are frequently coupled to the electronic access control system.

• Visitors are often required to wear a visitor badge.

Examples of Physical Security

• ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Thieves quickly learned that it was futile to steal or break into an ATM if all they got was worthless money covered in dye.

Examples Continued

• Safes are rated in terms of the time in minutes which a skilled, well equipped safe-breaker is expected to require to open the safe. These ratings are developed by highly skilled safe breakers employed by insurance agencies, such as Underwriters Laboratories. In a properly designed system, either the time between inspections by a patrolling guard should be less than that time, or an alarm response force should be able to reach it in less than that time.

How Is Physical Security Like Software Security?

• Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security.

• Security through obscurity can be used in the cases of software security and physical security!

• Video!