Course 1: Overview of Secure Programming, Section 1Pascal Meunier, Ph.D., M.Sc., CISSPMay 2004; updated August 24, 2004Developed thanks to support and contributions from Symantec Corporation, support from the NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise CenterCopyright (2004) Purdue Research Foundation. All rights reserved.

Course 1 Learning Plan

Security overview and patching Public vulnerability databases and resources Secure software engineering Security assessment and testing Shell and environment Resource management Trust management

Overarching Goals

Understand the security mindset

Understand security definitions

Understand the risk and impact on industry of insecure software products

Understand patching costs

Understanding the Security Mindset

Security as…– an enabler– a process– risk management– a puzzle– a multidisciplinary science

Security as an Enabler

Common perspective: Security is an inconvenient obstacle that forbids actions

Correct perspective: Security enables projects and enterprises that would otherwise be impractical, by lowering risks

Analogy:– Are the tracks that a train must follow a restriction, or an

enabler?

Question

Provide another example where something that can be seen as an inconvenience or a restriction makes something else practical by lowering risks

Question Sample Answers

Provide another example where something that can be seen as an inconvenience or a restriction makes something else practical by lowering risks

– Restraints in amusement park rides– Seat belts– Dual-signature checks

Security as a Process

“I got software X so I’m safe”

What would you think of a railroad company that laid railroads without checking and maintaining their integrity?

"Old software never dies; it just becomes insecure.“ (Author unknown)

Need design, configuration, inspection, maintenance, management, updates– Provide assurance that track quality is acceptable

– Basis for trust

Processes can provide guarantees

Security as a Process Exercise

Discuss why old software can become insecure

Security as a Process Exercise Sample Answers

Discuss why old software can become insecure– Security objectives or policies have changed

Laws have changed Business model changed Company processes changed

– Environment has changed Configuration is out of date Operating system has changed Risks are different Protections have changed (e.g., firewall rules) Employees, units responsibilities have changed

– Vulnerabilities have been found Exploits, worms, viruses exploit them

– Input has changed e.g., old application made to work online (with a wrapper) Protocol changed

Security as Risk Management

How much is an asset worth? How vulnerable is the asset? What are the risks?

– Financial costs (contracts, sales, remediation, etc...)– Reputation (that alone killed the Arthur Anderson

accounting firm in the Enron scandal) Part of building trust is building secure software

– Employee loyalty, productivity and well-being Morale, self-respect

Security as Risk Management Question

You maintain a customer credit card database for your business. Which security questions would you ask to help you manage the risks to the database?

Security as Risk Management Possible Answers

You maintain a customer credit card database for your business. Which security questions would you ask to help you manage the risks to the database?– How valuable is the database to an attacker, to your

customers, and to you?– Who (and what) has access to the database?– How is the database protected?

Is it on a shared or dedicated host? Is there a path to the internet from the database? How well is the software kept up-to-date with patches? Are there applicable risk mitigation strategies?

– How long is credit card information kept?– Do customers have the option of re-entering their credit card

information every time instead of having it stored?

Security as a Puzzle

What can a skilled attacker contrive?– Which assumptions are being made?

Are they always true? What guarantees the assumptions? Is indirect evidence relied upon?

– Who and what can be trusted? Who controls, controlled or could control it?

– What logic flaws exist? Are all cases handled? (a single hole may sink the ship) Is there a transformation that makes all the pieces fall apart?

– What resources are exposed?

Security as a Puzzle Exercise

Give an example of an incorrect assumption made by an application that inhibits security– Example: some email clients assume that the standard

ports for IMAP, POP and SMTP protocols will always be used, and so it rejects server specifications with a port number: 127.0.0.1:1143 is rejected Consequence: the use of encryption through ssh tunneling is

discouraged

Security as a Puzzle Exercise Answers

Give an example of an incorrect security assumption made by an application.– Assuming that the file extension and the MIME type are

the same Decide to download something using the file extension, but

the file is processed according to another mime type– IE 5, 6

» CAN-2001-0712 Decide how to handle an email attachment based on the

MIME type, but the attachment really is an executable that gets launched!

– IE 5» CAN-2001-0154

Security as a Multidisciplinary ScienceSocial Engineering

Social engineering is used to exploit human trust through deception– Poor user interface design may facilitate social

engineering Example: In some email programs, someone could be fooled into

thinking that an attachment was a safe file, and open it. What appeared as "resume.txt" was in reality

– "resume.txt .exe"

User interface design affects the security of applications!

Security as a Multidisciplinary Science Social Engineering

You get a phone call from the CFO, on a trip, "I can't remember the VPN password, and I need a document now!"

Your account will be terminated tomorrow unless you take action, as described in this attachment!

Please help me get my money out of this crazy country!

Oh, no, I forgot my key/badge/token! Please, hold the door, I have my hands full! Thanks!

Security as a Multidisciplinary ScienceSocial Engineering

Most problems are related to identification without authentication– By phone– Online

Identification by impression and persuasion– Social mechanisms

Helpfulness Ingratiation (a.k.a. "brown-nosing") Conformity, peer pressure Diffusion of responsibility Friendliness

– Employees can do it even if they know they shouldn't!

Security as a Multidisciplinary ScienceSocial Engineering (continued)

Physical Security– Dumpster diving

Recon for attack– Phone books, calendars, etc...

– Backdoors, tailing someone through a door– Stealing documents...

Reverse Social Engineering– Instead of asking for information and help, you provide it

initially– Of course they need help because of something the

attacker did

Read more: Granger S. (2001, 2002) Security Focus "Infocus" articles

Security as a Multidisciplinary ScienceExercise: Social Engineering

Team up in groups of 2 or 3 and make up a skit to demonstrate a social engineering technique; your "victim" will be another student in the audience who will "fall for it". Follow it up with a second version showing the correct response. Do try to obtain the most outrageous results possible (while being convincing). After the skit, explain the preparation you would have needed to conduct the attack.– You can get inspiration from the table of correct responses

(Granger 2002): http://www.securityfocus.com/infocus/1533

Security as a Multidisciplinary SciencePsychological Effects

Security features (or the lack thereof) have psychological effects– SPAM: loss of value and control over an important

communication medium– Panoptical effects (feeling of being watched)

Can affect motivation, focus People perform differently

– Intellectual performance is typically lower under surveillance

Exercises

Identify a user interface limitation that may allow social engineering

Identify a security mechanism that may cause users to feel that they are being watched

Example Answers

Identify a user interface limitation that may allow social engineering– Phishing email scams

Look-alike web sites that capture passwords

Identify a security mechanism that may cause users to feel that they are being watched– Windows login banners– "Possibly" recorded phone calls to help centers

Overarching Goals

Understand the security mindset

Understand security definitions

Understand the risk and impact on industry of insecure software products

Understand patching costs

Vulnerability

A flaw in a system that allows a policy to be violated Example policy: the content on a web site is

restricted to authenticated users. Vulnerability: the web site relies on JavaScript to

be executed on the client browser for access control

Exploit: Disable JavaScript An abundance of vulnerable sites exist

Exploit

An exploit is the act of exercising a vulnerability Also used to refer to an actual program, binary or

script that automates an attack

Latent Vulnerabilities

Sometimes, a vulnerability can be protected by a change that leaves the vulnerable code in place:– some change external to the application (firewall)– a configuration change (disabling an option)– a code wrapper that blocks exploit attempts

A vulnerability that is not exploitable at the moment is a latent vulnerability

Potential Vulnerabilities

Bad practices, quality defects and other flaws that could result in vulnerabilities in a different code context are potential vulnerabilities

Exploitability

Difficult to establish whether a vulnerability is exploitable, latent or potential in complex systems

A latent or potential vulnerability can become exploitable when – The software is used in a different context sometime after

its design– The configuration is changed– The code is changed– Someone thinks of something you didn't

Is a memory leak exploitable?– It depends!

Exercise

Evaluate your security stance and risk tolerance. For each potential, latent and exploitable vulnerability you find, would you:

a) Ignore the problem to save money and development time

b) Add a "REVISIT" type of comment in the code or create an entry in the bug tracking database

c) Bring immediate attention to the problem

Exercise Typical Answer

a) Ignore the problem to save money and development time

b) Add a "REVISIT" type of comment in the code or create an entry in the bug tracking database

c) Bring immediate attention to the problem Option c) should be done first and serves as an

assessment step. Then, both b) and a) may also be done for the same issue. Ignoring the problem (temporarily?) can be justified depending on its severity and business circumstances (e.g., support for an end-of-life product ends sooner than the time required for a fix).

Exposure

An exposure is an information leak that may assist an attacker.

Examples:– Software identification and version number released when

connecting to a service, which may be used to select the most effective attack.

– When web pages display SQL error messages– When an IT person is having trouble (e.g., with their

firewall) and posts questions to public mailing lists with their company's email address

– Sun's "tar" utility disclosed part of the password file

Exercise

Identify other examples of information leaks that may assist an attacker

Exercise Sample Answers

Identify other examples of information leaks that may assist an attacker– Finger may release information about who is online, e.g.,

administrators– Source code leaks (if the code contains vulnerabilities)– Directory listings– Wireless networks that broadcast their existence

Security Objective

A security objective is a high-level description of what the program or system must accomplish.– Federal regulations drive many of these objectives

HIPAA (Health Insurance Portability and Accountability Act) etc...

– Examples: all money transfers must be legal the system must pass EAL4 Common Criteria certification

Policy

Policies specify which activities, states and processes are allowed.– Examples:

All users must be authenticated Money transfers can only be requested by the account

owner

Also refers to security models that specify rules Famous policies (e.g., see Bishop 2002):

– The Bell-LaPadula confidentiality model– The Biba integrity model– The Clark-Wilson integrity model

Risks to Confidentiality, Integrity and Availability

Confidentiality is threatened when information can be revealed in violation of a policy – Examples: eavesdropping and inadequate access control

Integrity is threatened when information can be manipulated by an attacker. – Example: "man-in-the-middle" attack

Availability is threatened when a resource can be disabled or made unavailable.

– Assets can be classified according to these

Example

An FTP server is read-only. If passwords are sent in clear text, what is threatened if transmissions are captured?– Confidentiality of the passwords

Confidentiality of the documents on the FTP server Confidentiality, Integrity and Availability of other resources

that use the same password!

Question

Privacy fits best into which category?

a) Confidentiality

b) Integrity

c) Availability

Question

Privacy fits best into which category?

a) Confidentiality (not a perfect fit)

b) Integrity

c) Availability

Note that some organizations prefer to put emphasis on privacy separately from CIA (e.g., Purdue University's Security and Privacy office). Also, privacy advocates consider it important to be able to verify the integrity of personal information, especially when that information can be used against them (e.g., credit reports).

Overarching Goals

Understand the security mindset

Understand security definitions

Understand the risk and impact on industry of insecure software products

Understand patching costs

Security Organizations

Security companies and organizations are held to a higher standard of security

– Reputation

Would you buy from an HVAC company that has broken A/C equipment in their offices?

Employees are responsible to protect the credibility of the company

Exercise

Name an industry sector, and something that would make you avoid a company working in that sector.

People Want Software That:

Is produced with security assurance

– Analogy: some applications exposed to the internet are like disguised cartons of eggs on the sidewalk

Lowers security risks – To comply with laws mandating low security risks

HIPAA GLBA (Gramm-Leach Bliley) FERPA

– To protect trade secrets and other valuable company information

Has fewer maintenance headaches (patching) and costs

Protects their reputation

Exercise

Identify risks that would cause you to stop using a product. Be specific.

Exercise Example Answers

Frequencies of vulnerabilities and patches Absence of patches (or slow turnover) for known

issues Severity of vulnerabilities Criticality of the application Unreliability of patches

– Patches that break previous fixes– Patches that are incompatible with other software– Downtime while applying patches

Unreliable file systems (non-journaled) Which matter most (for whom)?

Your motivation as a participant in software development

How important is quality?

– Quality assurance is inclusive of secure programming techniques

How much design?

– Information assurance happens by design

How risk-averse?

– Security problems in your projects and code can hurt your reputation as well as your employer's

Overarching Goals

Understand the security mindset

Understand security definitions

Understand the risk and impact on Symantec of insecure software products

Understand patching costs

Cost of Patching

Cost of evaluating vulnerability claims Cost of patch development and testing Cost of patch notification and download system NIST recommendation on applying patches (s.p.

800-40)– Patch and Vulnerability Group (customer's cost)

test patches notify administrators monitor application of patches by system administrators

Vulnerability scanning to verify or enforce

Question

Patches incur costs to?

a) the vendor

b) the customer

c) both

Question

Patches incur costs to?

a) the vendor

b) the customer

c) both

Cost of Patching vs Preventing Flaws

Security bugs are introduced at 3 different stages:

– Design and architecture

– Implementation

– Operations Fixing security bugs with a patch costs 60 times

more than catching them at design time*

*: IBM System Sciences Institute statistics, cited by Kevin Soo Hoo, Andrew W. Sudbury and Andrew R. Jaquith in "Tangible ROI through Secure Software Engineering," Secure Business Quarterly, Volume 1, Issue 2.

Question

If it costs $100,000 to issue each security patch, approximately how much could have been saved by correcting the problem at design time?

a) $9,800

b) $98,000

c) $980

Question

If it costs $100,000 to issue each security patch, approximately how much could have been saved by correcting the problem at design time?

a) $9,800

b) $98,000

c) $980

• Note: It isn’t possible to catch all security flaws at design time.

Results from Current Software Engineering Methods

>1000 reported vulnerabilities each year

About 50% of vulnerabilities are commonly repeated mistakes

About 25% of vulnerabilities could be avoided by applying secure design principles at design time

Need new methods

Patches created using the same development methods that created the buggy software, are likely buggy themselves! “We can't solve problems by using the same kind of

thinking we used when we created them.” (Albert Einstein)

Question

Approximately what percentage of documented vulnerabilities are common repeated mistakes?

a) 25%

b) 50%

c) 75%

Question

Approximately what percentage of documented vulnerabilities are common repeated mistakes?

a) 25%

b) 50%

c) 75%

Question (guess)

How much money does a developer for a large software project typically save a company when catching and fixing a vulnerability during development instead of patching?

a) $1,000

b) $10,000

c) $100,000

A vulnerability fixed before release may take one hour, compared to weeks of several people's time to fix it after release.

Answer

c) $100,000

Without counting 1) costs to customers

– Especially if revenue-generating activities are interrupted!

2) intangible costs

Motivation and Definitions: End

Scrabble copyright Hasbro

About These Slides

You are free to copy, distribute, display, and perform the work; and to

make derivative works, under the following conditions.

– You must give the original author and other contributors credit

– The work will be used for personal or non-commercial educational uses

only, and not for commercial activities and purposes

– For any reuse or distribution, you must make clear to others the terms of

use for this work

– Derivative works must retain and be subject to the same conditions, and

contain a note identifying the new contributor(s) and date of modification

– For other uses please contact the Purdue Office of Technology

Commercialization.

Developed thanks to the support of Symantec Corporation

Pascal Meunierpmeunier@purdue.eduContributors:Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera