1-s2.0-S135348581370031X-main
-
Upload
scott-howard -
Category
Documents
-
view
213 -
download
0
Transcript of 1-s2.0-S135348581370031X-main
-
7/28/2019 1-s2.0-S135348581370031X-main
1/3
FEATURE
February 2013 Network Security13
Moving security testing intothe developers domain
This is particularly important in certaindomains. For example, with the military
increasingly reliant on technology, theembedded software in defence andmilitary systems has to be both reliableand secure. Limiting the risk of securityvulnerabilities is just as important asensuring there are no functional defectsthat could lead to failure in the field.
When it comes to softwaredevelopment, security defectsshould be treated like softwaredefects and managed as part ofthe development process
However, people and organisationsof all kinds would benefit from better,more secure code. And many of the sametechniques used to address functional orquality defects can also reduce securityvulnerabilities. When it comes tosoftware development, security defectsshould be treated like software defectsand managed as part of the developmentprocess. Indeed, the distinction betweensecurity and quality can sometimes bea subtle one; the defect that manifestsitself as a system failure today could beexploited by an attacker tomorrow.
Defects are essentially potentialexploitation primitives that can becreatively strung together by hackersinto an attack.1 Developers can makethe process of exploiting softwaremuch more difficult for the attacker
by eliminating as many primitivesas possible. The following exampleillustrates how multiple primitives can
be chained together to achieve remotecode execution.
Example of amulti-primitive attackLets assume that a security vulnerabilityexists in the code that resides on aremote server. While identifying theroot cause is sufficient for remedying theflaw, the successful exploitation of thatvulnerability is dependent on multiplepre-existing conditions. For the contextof this example, we assume an attacker
is attempting to achieve Remote CodeExecution (RCE), thereby runningcode of the attackers choosing on theremote machine. Although triggeringthe security vulnerability is essentialin achieving RCE, it actually requiresmany small steps that we refer to asexploitation primitives. By chainingthese primitives together, the attackercan create an exploit that works reliablyand maintains stability after the exploithas run its course.
In our example, the attacker isusing, but is not limited to, fourunique primitives. The first primitiveused is the soft leak, which leverageslegitimate program functionality tomanipulate memory in the targetedapplication without any stability orsecurity repercussions.2 These primitiveshappen to be the most common becausethey rely on intended, valid programfunctionality. For example, a server, by
design, will accept requests from a client.That client sends information that isheld until session termination occurs.
An exploit writer can make certainassumptions about the memory layoutof a particular application based on itsfunctionality by figuring out how theserequests and sessions work.
While most programmers thinkof this as a quality problem that
will result in massive memoryconsumption at worst, manyexploitation artists see this asan opportunity to ensure exploitstability
The next primitive used is the hardleak, or resource leak, which is quitefamiliar to most C/C++ programmers.The leak occurs when the programmerforgets to free memory that was
acquired dynamically during runtime.While most programmers think of thisas a quality problem that will resultin massive memory consumptionat worst, many exploitation artistssee this as an opportunity to ensureexploit stability. An attacker can assurethat certain portions of memory arenever subsequently used throughoutthe lifetime of a process by acquiringmemory permanently.
The third primitive used is the integeroverflow. If a mathematical operationattempts to store a number that is largerthan an integer can hold, then the excessis lost. The loss of the excess data issometimes referred to as an integer wrap.For example, an unsigned 32-bit integercan hold a maximum positive value.By adding 1 to that maximum positivevalue, the integer will start countingagain at zero (UINT_MAX + 1 == 0). Areal-world example is the odometer of a
car rolling over after 1 million miles andrestarting its mileage count from zero. Anattacker can allocate less memory than
Jane Goh, Coverity
Developers can play a crucial role in protecting software from hacking attacksand other security weaknesses. During the development phase, limiting thenumber of primitives within code can make life much more difficult forhackers, increasing the time, effort and cost associated with exploitation andthereby reducing its likelihood.
-
7/28/2019 1-s2.0-S135348581370031X-main
2/3
FEATURE
14Network Security February 2013
was intended by using this overflowed
integer in an allocation routine.Finally, the last primitive used is
a buffer overflow. This is the mostcommon kind of defect understood tohave security implications in C/C++programs. A buffer overflow is caused
when the program writes past the endof a buffer, resulting in corruption ofadjacent memory contents. In someinstances, this may result in overwritingthe contents of the stack or heap in
ways that allow an attacker to subvert
the normal operation of the system and,ultimately, take over the flow of controlfrom the program.
Primitive use in RCE
Now that the primitive types havebeen covered, lets discuss how theattacker in our example utilises themto achieve remote code execution. First,by using existing program functionality,the attacker sends valid requests thatresult in allocating many chunks ofmemory based on the size of the input.This might seem harmless, but is vitalto achieving heap determinism: themanipulation of the memory layout ofan application into a known desirablestate, which is obligatory whenexploiting heap-based buffer overflows.Next, the exploit author knows thatsome memory, once allocated, shouldnever be freed again. By leveraging hard
leaks within the application, the goal ofhaving memory that survives throughoutthe life of the process can be achieved,
resulting in greater post-exploitation
stability.
The ability to chain primitivestogether, regardless of severity,results in greater controlof exploitation and post-exploitation functionality
The integer overflow that causesan under-allocated heap buffer to beoverflowed is triggered. This causes a
mismatch between the actual size ofthe allocated buffer and the expectednumber of data elements it holds. Theattacker can then leverage a bufferoverflow to overwrite the contents ofadjacent memory. For example, imaginethe inability to determine the lastline of a piece of ruled paper. If yousequentially keep writing sentences, you
would eventually write onto your deskand potentially that nice new shirt. Byoverwriting adjacent memory, the attackercan overwrite important information withdata that he or she controls.
The ability to chain primitivestogether, regardless of severity, results ingreater control of exploitation and post-exploitation functionality (see Figure 1).If our attacker does not have the ability tocreate hard leaks within the application,it would be necessary to figure out adifferent way to ensure that the memoryused for the attack code is not freed
when the session times out, or theattacker would have at least come to therealisation that an eventual program crash
was inevitable. And if the integer overflowdoes not exist, there is no opportunity atall for our attacker to exploit.
The link between exploitationprimitives and security vulnerabilitiescan be direct or indirect. Certain kinds
of primitives, such as buffer overflows,can lead to many different kinds ofvulnerabilities, depending on the skill,creativity, and determination of theattacker. What is clear, however, is thathaving more primitives available makesit easier for an attacker to leveragemore severe vulnerabilities and developdamaging exploits. Therefore, findingand eliminating large numbers ofexploitation primitives early in thedevelopment process can greatly help
in reducing security vulnerabilityexposure and maintenance costs overthe entire time the application is inservice.
A practical approachto secure codedevelopment
Developing reliable and secure software isa tough challenge that confronts IT teams
when initiatives to integrate securitytesting early into the development lifecycle have not been adopted widely. It isnot that developers dont want to developsecure products, but they are focused ondelivering new features and functionalityand often are under intense pressure tomeet release deadlines.
The tools are out there toensure vulnerabilities are limited
during code development bymaking sure developers are ableto find and fix defects quicklyand efficiently
Besides the lack of financial incentivesto invest in strengthening security,developers are not traditionally trainedto be security experts. Computer scienceprogrammes have focused on producingprogrammers with a foundation tobecome good application developers
but not necessarily security experts. As aresult, developers today are, by and large,unaware of the myriad ways they can
Figure 1: Chaining vulnerability primitives together results in greater control of exploitation andpost-exploitation functionality.
-
7/28/2019 1-s2.0-S135348581370031X-main
3/3
FEATURE
February 2013 Network Security15
introduce security problems into theircode, and dont have the wherewithal tofix them when they are found.
Development testing solutions needto be designed from the perspective ofthe developer. This means addressing
the major issues that have madedevelopers shy away from traditionalsecurity assessment tools lack ofusability and high false positive rates.Development managers looking tointegrate security testing into theirprocess should search for automateddevelopment testing tools that are ableto deliver the following:U i>i>i `iviVi
noise: Developers simply donthave time to waste trying to sift
through noisy results, or reproducingphantom defects that arent reallythere. They need defects that areeasy to understand with as few falsepositives as possible.
U iiVv`iviVi>>`vi]
as code is written: it takes significanteffort to determine the exact cause of
defects, and fixing defects can involveextensive architectural changes.Finding critical defects as early aspossible enables development teamsto anticipate workload and impact torelease schedules, thereby reducing
cost to the overall project.U V>Li> ViV> Vi
how to fix security defects: defectremediation advice provided aspart of security assessments usuallyisnt customised for the relevantframework, language, or librariesbeing used in the software package.Its hard for developers to translategeneric advice into a fix that worksand this often leads to a wrongor incomplete fix being applied
leading to churn and rework.We may never be able to completely
eliminate defects in softwaredevelopment. But the tools are out thereto ensure vulnerabilities are limitedduring code development by makingsure developers are able to find and fixdefects quickly and efficiently.
About the author
Jane Goh is senior manager of productmarketing for Coverity. She has over 10years of technology marketing experience,and is focused on security development
testing solutions. Prior to joining thecompany, Goh held senior marketingposit ions at leading IT securitycompanies including Imperva,Check Point Technologies andVeriSign.
References
1. Bishop, M. VulnerabilitiesAnalysis. Proceedings of theSecond International Symposiumon Recent Advances in Intrusion
Detection, pp.125-136, Sept1999.
2. Waisman, Nicholas. Understandingand bypassing Windows HeapProtection. Immunity, 2007.
Accessed Feb 2013.http://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdf.
Steve Gold
Perhaps more importantly, from acounter-surveillance aspect, theseelectronic surveillance technologies andallied methodologies have now reachedthe stage where anyone with a littletechnical knowledge, combined with an
understanding of how computers andtelephone networks operate, can deploya surveillance system without needing
the assistance of so-called professionals.This has given rise to a new type ofcasual surveillance by employers and thirdparties even to the extent of addingindustrial espionage to the mix.
Countering this type of surveillance
requires a general understanding of thetechnology in use. If your landline phoneis making odd noises or the volume is
changing on an irregular basis, or yourcomputer is misbehaving, these canbe indicators that you might be undersurveillance. You could be the target of anamateur, a common criminal or a seasonedprofessional perhaps even a cyber-criminal or industrial spy engaging in an
Advanced Persistent Threat style of attack.Whoever is surveilling you, however, thereis a strong chance that you are not happy
with the situation so what can be done?
Baby steps
First and foremost if you suspectyou are being surveilled, you havethree main options: put up with the
Steve Gold, freelance journalist
The black art of surveillance is a science that has been around since the GreatWar, but there can be little doubt that the development of the transistor in1954 by Texas Instruments and its commercial development by Bell Labsand others in the 1960s has assisted would-be James Bonds in developingelectronic spy techniques that would make their First World War colleaguesgreen with envy. The years since the turn of the century, however, have turnedthe science of surveillance into a mass-market phenomenon, allowing almostanyone or any organisation with sufficiently deep pockets to monitor mostof their peers at a distance using all manner of electronic means.
Electronic counter-surveillance strategies
http://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdf