By Abhishek Sharma, 11/6/2008, Prof. Dr. Norbert Pohlmann
Slide 1: Vulnerability Reporting, Analysis and Remediation
By Abhishek Sharma
11/6/2008, Prof. Dr. Norbert Pohlmann
Slide 2: Outline
- Motivation
- Definition
- Overview
- Reporting
- Analysis
- Remediation
- Statistics
- Future work
Slide 3: Motivation
- Buyers have no way of ascertaining that a particular vendor's software is secure
- Customers expect and demand more trustworthy systems
- Security testing techniques for software are still immature and collectively represent an incomplete patchwork of coverage of all the security issues that need to be tested for
Slide 4: Definition
"Vulnerability is any computer-related vulnerability, exposure, or configuration setting that may result in a weakening or breakdown of the confidentiality, integrity, or accessibility of the computing system." [1]
IBM Internet Security Systems (ISS)
Slide 5: Overview
- A standardized system is followed for reporting vulnerabilities
- Centralized identification of vulnerabilities by a third party
- Update the vulnerability knowledge base
- Improvements in the SDLC
- Deploy patches
Slide 6: Reporting
- Need for reporting?
- The Dangerous Silent Fix
Slide 7
Q) When is a vulnerability unforgivable?
Ans: precedence, documentation, obviousness, attack simplicity, found in five
Possible causes:
- Tendency to get a working version ready quickly (fast deployment)
- Lack of developer knowledge
- Introduced by a developer in the collaboration phase and overlooked in the integration phase, e.g. offshoring and outsourcing
Slide 8: Candidates for unforgivable vulnerabilities
1) Buffer overflow using long strings of "A" characters in:
   a. username/password during authentication
   b. file or directory name
   c. arguments to the most common features of the product or product class
2) XSS using well-formed SCRIPT tags, especially in the:
   a. username/password of an authentication routine
   b. body, subject, title, or to/from of a message
3) SQL injection using ' in the:
   a. username/password of an authentication routine
   b. "id" or other identifier field
   c. numeric field
4) Remote file inclusion from direct input such as:
   a. include($_GET['dir'] . "/config.inc");
Slide 9: Candidates for unforgivable vulnerabilities (continued)
5) Directory traversal using "../.." or "/a/b/c" in "GET" or "SEND" commands of frequently-used file sharing functionality, e.g. a GET in a web/FTP server, or a send-file command in a chat client
6) World-writable critical files:
   a. Executables
   b. Libraries
7) Direct requests of administrator scripts
8) Grow-your-own crypto
9) Authentication bypass using an "authenticated=1" cookie/form field
10) Turtle race condition (symlink)
11) Privilege escalation by launching "help" (Windows)
12) Hard-coded or undocumented account/password
13) Unchecked length/width/height/size values passed to malloc()/calloc()
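As an added example that is not part of the slides, the following Python script turns the input-pattern items of the candidate list (1, 2, 3, 5 and 9) into detection rules and runs them over constructed request-log lines, so a defender can triage which of the "found in five" patterns are being probed in their own logs. The log line format, the category names and the AUTH_KEYS field names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request lines (not from the slides); assumed format:
#   METHOD PATH "Cookie: name=value; ..."
SAMPLE_LOG = [
    'GET /login?user=alice&pass=secret "Cookie: session=abc"',
    'GET /login?user=' + "A" * 300 + ' "Cookie: session=abc"',
    'GET /msg?subject=%3Cscript%3Ehi%3C%2Fscript%3E "Cookie: session=abc"',
    'GET /item?id=5%27 "Cookie: session=abc"',
    'GET /files?name=../../etc/passwd "Cookie: session=abc"',
    'GET /admin/panel "Cookie: authenticated=1"',
]
LINE_RE = re.compile(r'^(\S+) (\S+) "Cookie: ([^"]*)"$')
AUTH_KEYS = {"user", "username", "pass", "password"}  # assumed field names


def classify(line):
    """Return the candidate-list categories a request matches ([] if none)."""
    m = LINE_RE.match(line)
    if not m:
        return ["UNPARSED"]
    _method, target, cookie = m.groups()
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    cookies = dict(c.strip().split("=", 1) for c in cookie.split(";") if "=" in c)
    hits = []
    for key, value in params:
        # 1) buffer-overflow probe: a long run of "A" characters in a field
        if re.search(r"A{64,}", value):
            hits.append("LONG_A_STRING")
        # 2) XSS: a well-formed SCRIPT tag in a field value (after URL decoding)
        if re.search(r"<\s*script\b", value, re.I):
            hits.append("SCRIPT_TAG")
        # 3) SQL injection: a single quote in an auth, identifier or numeric field
        bare = value.replace("'", "")
        if "'" in value and (key in AUTH_KEYS or key.endswith("id") or bare.isdigit()):
            hits.append("QUOTE_IN_ID_FIELD")
        # 5) directory traversal: "../.." (or the Windows form) in a file parameter
        if "../.." in value or "..\\.." in value:
            hits.append("DOT_DOT_TRAVERSAL")
    # 9) authentication bypass: a client-supplied "authenticated=1" cookie/form field
    if cookies.get("authenticated") == "1" or dict(params).get("authenticated") == "1":
        hits.append("AUTHENTICATED_FLAG")
    return hits


def scan(lines):
    """Map each flagged line index to its categories; clean lines are omitted."""
    return {i: h for i, h in ((i, classify(l)) for i, l in enumerate(lines)) if h}
```

A hit on AUTHENTICATED_FLAG is only a finding if the application actually trusts that field, so the rule is a prompt to check the server-side session logic, not proof of a bypass.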
Slide 10: Analysis
- 6,437 vulnerabilities were recorded in the X-Force Database in 2007
- Not including site-specific vulnerabilities, Symantec documented 2,134 vulnerabilities in the second half of 2007, 13 percent less than in the first half of 2007
- Seventy-three percent of the vulnerabilities documented in this period were classified as easily exploitable, compared to 72 percent in the first half of 2007
Slide 11: VAAL and Unforgivable Vulnerabilities
- Low access constraints
- Very high feature frequency
- Very low novelty
- Low manipulation complexity
- Low level of effort
Slide 12: Remediation
- Gather all relevant characteristics of the new vulnerability and create an alert
- Determine the software affected by the vulnerability
- Make an entry in the database about severity and possible workarounds
- Corrections completed by the vendor in the form of updates/patches to remove the vulnerability
- Distribution of the fix
- Identify insecure coding practices and develop secure alternatives
- Reduce or eliminate vulnerabilities before deployment
Slide 13: Intrusions before and after patch releases (chart)
Slide 14: Statistics
"There are three kinds of lies: lies, damn lies, and statistics." (Benjamin Disraeli)
Slide 15: Vulnerability Disclosure Trend Statistics (chart)
Slide 16: High/Medium/Low Vulnerability Impact Breakdown [1] (chart)
Slide 17: Remote vs. Local Exploitation [1] (chart)
Slide 18: Consequences of Exploitation [1] (chart)
Slide 19: Windows-based Web Browser Vulnerabilities [1] (chart)
Slide 20: Browser plug-in vulnerabilities [10] (chart)
Slide 21: Future work
- Measuring relative attack surfaces [5][6][7]
- Fuzz testing, e.g. Codenomicon DEFENSICS (software based) [8] and the Mu service analyzer (hardware based) [9]
- Vulnerability management, e.g. QualysGuard [11]
- Vulnerabilities in open-source software [14]
- Development of metrics for software assurance, e.g. VAAL-based metrics
Slide 22: References
[1] IBM Internet Security Systems, X-Force 2007 Trend Statistics, January 2007
[2] Software Security Assurance State-of-the-Art Report (SOAR), July 2007
[3] Software Vulnerability Assessment Version Extraction and Verification, Martin Boldt, Bengt Carlsson and Roy Martinsson, 2007
[4] Unforgivable Vulnerabilities, Steve Christey, The MITRE Corporation, August 2007
[5] http://msdn.microsoft.com/library/default.asp?url=/library/enus/dncode/html/secure02132003.asp
[6] Measuring Relative Attack Surfaces, Michael Howard, Jon Pincus, and Jeannette M. Wing, October 2003
[7] Measuring a System's Attack Surface, Pratyusa Manadhata and Jeannette M. Wing, Computer Science Department, Carnegie Mellon University, January 2004
[8] ESG White Paper: Black Box Testing and Codenomicon DEFENSICS, Jon Oltsik, April 2008
[9] http://www.mudynamics.com/products/overview.html
[10] Symantec Internet Security Threat Report, Trends for July–December 07, Volume XII, published April 2008
[11] The Need for Vulnerability Management, whitepaper, www.Qualys.com
[12] http://www.digitalbond.com/index.php/2007/09/17/the-dangerous-silent-fix/
[13] Optimal Policy for Software Vulnerability Disclosure, Ashish Arora, Rahul Telang, Hao Xu, H. John Heinz III School of Public Policy and Management, Carnegie Mellon University, July 2007
[14] Coverity Open Source Report 2008
Slide 23: Questions?