7/28/2019 1-s2.0-S135348581370031X-main

1/3

FEATURE

February 2013 Network Security13

Moving security testing intothe developers domain

This is particularly important in certaindomains. For example, with the military

increasingly reliant on technology, theembedded software in defence andmilitary systems has to be both reliableand secure. Limiting the risk of securityvulnerabilities is just as important asensuring there are no functional defectsthat could lead to failure in the field.

When it comes to softwaredevelopment, security defectsshould be treated like softwaredefects and managed as part ofthe development process

However, people and organisationsof all kinds would benefit from better,more secure code. And many of the sametechniques used to address functional orquality defects can also reduce securityvulnerabilities. When it comes tosoftware development, security defectsshould be treated like software defectsand managed as part of the developmentprocess. Indeed, the distinction betweensecurity and quality can sometimes bea subtle one; the defect that manifestsitself as a system failure today could beexploited by an attacker tomorrow.

Defects are essentially potentialexploitation primitives that can becreatively strung together by hackersinto an attack.1 Developers can makethe process of exploiting softwaremuch more difficult for the attacker

by eliminating as many primitivesas possible. The following exampleillustrates how multiple primitives can

be chained together to achieve remotecode execution.

Example of amulti-primitive attackLets assume that a security vulnerabilityexists in the code that resides on aremote server. While identifying theroot cause is sufficient for remedying theflaw, the successful exploitation of thatvulnerability is dependent on multiplepre-existing conditions. For the contextof this example, we assume an attacker

is attempting to achieve Remote CodeExecution (RCE), thereby runningcode of the attackers choosing on theremote machine. Although triggeringthe security vulnerability is essentialin achieving RCE, it actually requiresmany small steps that we refer to asexploitation primitives. By chainingthese primitives together, the attackercan create an exploit that works reliablyand maintains stability after the exploithas run its course.

In our example, the attacker isusing, but is not limited to, fourunique primitives. The first primitiveused is the soft leak, which leverageslegitimate program functionality tomanipulate memory in the targetedapplication without any stability orsecurity repercussions.2 These primitiveshappen to be the most common becausethey rely on intended, valid programfunctionality. For example, a server, by

design, will accept requests from a client.That client sends information that isheld until session termination occurs.

An exploit writer can make certainassumptions about the memory layoutof a particular application based on itsfunctionality by figuring out how theserequests and sessions work.

While most programmers thinkof this as a quality problem that

will result in massive memoryconsumption at worst, manyexploitation artists see this asan opportunity to ensure exploitstability

The next primitive used is the hardleak, or resource leak, which is quitefamiliar to most C/C++ programmers.The leak occurs when the programmerforgets to free memory that was

acquired dynamically during runtime.While most programmers think of thisas a quality problem that will resultin massive memory consumptionat worst, many exploitation artistssee this as an opportunity to ensureexploit stability. An attacker can assurethat certain portions of memory arenever subsequently used throughoutthe lifetime of a process by acquiringmemory permanently.

The third primitive used is the integeroverflow. If a mathematical operationattempts to store a number that is largerthan an integer can hold, then the excessis lost. The loss of the excess data issometimes referred to as an integer wrap.For example, an unsigned 32-bit integercan hold a maximum positive value.By adding 1 to that maximum positivevalue, the integer will start countingagain at zero (UINT_MAX + 1 == 0). Areal-world example is the odometer of a

car rolling over after 1 million miles andrestarting its mileage count from zero. Anattacker can allocate less memory than

Jane Goh, Coverity

Developers can play a crucial role in protecting software from hacking attacksand other security weaknesses. During the development phase, limiting thenumber of primitives within code can make life much more difficult forhackers, increasing the time, effort and cost associated with exploitation andthereby reducing its likelihood.

7/28/2019 1-s2.0-S135348581370031X-main

2/3

FEATURE

14Network Security February 2013

was intended by using this overflowed

integer in an allocation routine.Finally, the last primitive used is

a buffer overflow. This is the mostcommon kind of defect understood tohave security implications in C/C++programs. A buffer overflow is caused

when the program writes past the endof a buffer, resulting in corruption ofadjacent memory contents. In someinstances, this may result in overwritingthe contents of the stack or heap in

ways that allow an attacker to subvert

the normal operation of the system and,ultimately, take over the flow of controlfrom the program.

Primitive use in RCE

Now that the primitive types havebeen covered, lets discuss how theattacker in our example utilises themto achieve remote code execution. First,by using existing program functionality,the attacker sends valid requests thatresult in allocating many chunks ofmemory based on the size of the input.This might seem harmless, but is vitalto achieving heap determinism: themanipulation of the memory layout ofan application into a known desirablestate, which is obligatory whenexploiting heap-based buffer overflows.Next, the exploit author knows thatsome memory, once allocated, shouldnever be freed again. By leveraging hard

leaks within the application, the goal ofhaving memory that survives throughoutthe life of the process can be achieved,

resulting in greater post-exploitation

stability.

The ability to chain primitivestogether, regardless of severity,results in greater controlof exploitation and post-exploitation functionality

The integer overflow that causesan under-allocated heap buffer to beoverflowed is triggered. This causes a

mismatch between the actual size ofthe allocated buffer and the expectednumber of data elements it holds. Theattacker can then leverage a bufferoverflow to overwrite the contents ofadjacent memory. For example, imaginethe inability to determine the lastline of a piece of ruled paper. If yousequentially keep writing sentences, you

would eventually write onto your deskand potentially that nice new shirt. Byoverwriting adjacent memory, the attackercan overwrite important information withdata that he or she controls.

The ability to chain primitivestogether, regardless of severity, results ingreater control of exploitation and post-exploitation functionality (see Figure 1).If our attacker does not have the ability tocreate hard leaks within the application,it would be necessary to figure out adifferent way to ensure that the memoryused for the attack code is not freed

when the session times out, or theattacker would have at least come to therealisation that an eventual program crash

was inevitable. And if the integer overflowdoes not exist, there is no opportunity atall for our attacker to exploit.

The link between exploitationprimitives and security vulnerabilitiescan be direct or indirect. Certain kinds

of primitives, such as buffer overflows,can lead to many different kinds ofvulnerabilities, depending on the skill,creativity, and determination of theattacker. What is clear, however, is thathaving more primitives available makesit easier for an attacker to leveragemore severe vulnerabilities and developdamaging exploits. Therefore, findingand eliminating large numbers ofexploitation primitives early in thedevelopment process can greatly help

in reducing security vulnerabilityexposure and maintenance costs overthe entire time the application is inservice.

A practical approachto secure codedevelopment

Developing reliable and secure software isa tough challenge that confronts IT teams

when initiatives to integrate securitytesting early into the development lifecycle have not been adopted widely. It isnot that developers dont want to developsecure products, but they are focused ondelivering new features and functionalityand often are under intense pressure tomeet release deadlines.

The tools are out there toensure vulnerabilities are limited

during code development bymaking sure developers are ableto find and fix defects quicklyand efficiently

Besides the lack of financial incentivesto invest in strengthening security,developers are not traditionally trainedto be security experts. Computer scienceprogrammes have focused on producingprogrammers with a foundation tobecome good application developers

but not necessarily security experts. As aresult, developers today are, by and large,unaware of the myriad ways they can

Figure 1: Chaining vulnerability primitives together results in greater control of exploitation andpost-exploitation functionality.

7/28/2019 1-s2.0-S135348581370031X-main

3/3

FEATURE

February 2013 Network Security15

introduce security problems into theircode, and dont have the wherewithal tofix them when they are found.

Development testing solutions needto be designed from the perspective ofthe developer. This means addressing

the major issues that have madedevelopers shy away from traditionalsecurity assessment tools lack ofusability and high false positive rates.Development managers looking tointegrate security testing into theirprocess should search for automateddevelopment testing tools that are ableto deliver the following:U i>i>i `iviVi

noise: Developers simply donthave time to waste trying to sift

through noisy results, or reproducingphantom defects that arent reallythere. They need defects that areeasy to understand with as few falsepositives as possible.

U iiVv`iviVi>>`vi]

as code is written: it takes significanteffort to determine the exact cause of

defects, and fixing defects can involveextensive architectural changes.Finding critical defects as early aspossible enables development teamsto anticipate workload and impact torelease schedules, thereby reducing

cost to the overall project.U V>Li> ViV> Vi

how to fix security defects: defectremediation advice provided aspart of security assessments usuallyisnt customised for the relevantframework, language, or librariesbeing used in the software package.Its hard for developers to translategeneric advice into a fix that worksand this often leads to a wrongor incomplete fix being applied

leading to churn and rework.We may never be able to completely

eliminate defects in softwaredevelopment. But the tools are out thereto ensure vulnerabilities are limitedduring code development by makingsure developers are able to find and fixdefects quickly and efficiently.

About the author

Jane Goh is senior manager of productmarketing for Coverity. She has over 10years of technology marketing experience,and is focused on security development

testing solutions. Prior to joining thecompany, Goh held senior marketingposit ions at leading IT securitycompanies including Imperva,Check Point Technologies andVeriSign.

References

1. Bishop, M. VulnerabilitiesAnalysis. Proceedings of theSecond International Symposiumon Recent Advances in Intrusion

Detection, pp.125-136, Sept1999.

2. Waisman, Nicholas. Understandingand bypassing Windows HeapProtection. Immunity, 2007.

Accessed Feb 2013.http://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdf.

Steve Gold

Perhaps more importantly, from acounter-surveillance aspect, theseelectronic surveillance technologies andallied methodologies have now reachedthe stage where anyone with a littletechnical knowledge, combined with an

understanding of how computers andtelephone networks operate, can deploya surveillance system without needing

the assistance of so-called professionals.This has given rise to a new type ofcasual surveillance by employers and thirdparties even to the extent of addingindustrial espionage to the mix.

Countering this type of surveillance

requires a general understanding of thetechnology in use. If your landline phoneis making odd noises or the volume is

changing on an irregular basis, or yourcomputer is misbehaving, these canbe indicators that you might be undersurveillance. You could be the target of anamateur, a common criminal or a seasonedprofessional perhaps even a cyber-criminal or industrial spy engaging in an

Advanced Persistent Threat style of attack.Whoever is surveilling you, however, thereis a strong chance that you are not happy

with the situation so what can be done?

Baby steps

First and foremost if you suspectyou are being surveilled, you havethree main options: put up with the

Steve Gold, freelance journalist

The black art of surveillance is a science that has been around since the GreatWar, but there can be little doubt that the development of the transistor in1954 by Texas Instruments and its commercial development by Bell Labsand others in the 1960s has assisted would-be James Bonds in developingelectronic spy techniques that would make their First World War colleaguesgreen with envy. The years since the turn of the century, however, have turnedthe science of surveillance into a mass-market phenomenon, allowing almostanyone or any organisation with sufficiently deep pockets to monitor mostof their peers at a distance using all manner of electronic means.

Electronic counter-surveillance strategies

http://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdfhttp://immu-nityinc.com/downloads/Heap_Singapore_Jun_2007.pdf