By Abhishek Sharma 11/6/2008 Prof. Dr. Norbert Pohlmann 1.

Page 1: Vulnerability Reporting, Analysis and Remediation

By Abhishek Sharma

11/6/2008, Prof. Dr. Norbert Pohlmann

Page 2: Outline

- Motivation
- Definition
- Overview
- Reporting
- Analysis
- Remediation
- Statistics
- Future work

Page 3: Motivation

- Buyers have no way of ascertaining that a particular vendor's software is secure
- Expectations and demands of customers for more trustworthy systems
- Security testing techniques for software are still immature and collectively represent an incomplete patchwork of coverage of all security issues that need to be tested for

Page 4: Definition

"Vulnerability is any computer-related vulnerability, exposure, or configuration setting that may result in a weakening or breakdown of the confidentiality, integrity, or accessibility of the computing system." [1]

IBM Internet Security Systems (ISS)

Page 5: Overview

- A standardized system is followed for reporting vulnerabilities
- Centralized identification of vulnerabilities by a third party
- Update vulnerability knowledge base
- Improvements in SDLC
- Deploy patches

Page 6: Reporting

- Need for reporting?
- The Dangerous Silent Fix

Page 7:

Q) When is a vulnerability unforgivable?
Ans:
- Precedence
- Documentation
- Obviousness
- Attack simplicity
- Found in five

Possible causes:
- Tendency to get a working version ready – fast deployment
- Lack of developer knowledge
- Introduced by a developer in the collaboration phase and overlooked in the integration phase, e.g. offshoring and outsourcing

Page 8: Candidates for unforgivable vulnerabilities

1) Buffer overflow using long strings of "A" characters in:
   a. username/password during authentication
   b. file or directory name
   c. arguments to most common features of the product or product class
2) XSS using well-formed SCRIPT tags, especially in the:
   a. username/password of an authentication routine
   b. body, subject, title, or to/from of a message
3) SQL injection using ' in the:
   a. username/password of an authentication routine
   b. "id" or other identifier field
   c. numeric field
4) Remote file inclusion from direct input such as:
   a. include($_GET['dir'] . "/config.inc");

Page 9: Candidates for unforgivable vulnerabilities

5) Directory traversal using "../.." or "/a/b/c" in "GET" or "SEND" commands of frequently-used file sharing functionality, e.g. a GET in a web/FTP server, or a send-file command in a chat client
6) World-writable critical files:
   a. Executables
   b. Libraries
7) Direct requests of administrator scripts
8) Grow-your-own crypto
9) Authentication bypass using "authenticated=1" cookie/form field
10) Turtle race condition - symlink
11) Privilege escalation launching "help" (Windows)
12) Hard-coded or undocumented account/password
13) Unchecked length/width/height/size values passed to malloc()/calloc()
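Candidate 13 illustrated: an allocation size computed from untrusted header fields, shown next to a hardened version that bounds the inputs and checks each multiplication before calling the allocator. This is an added example written for this page, not code from the slides or from any of the cited reports; the image-header field names and the MAX_DIM/MAX_BPP policy limits are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable size computation: three untrusted 32-bit header fields are
 * multiplied in 32-bit arithmetic, so the product wraps modulo 2^32 and a
 * huge declared image can yield a tiny heap block. */
uint32_t unchecked_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;                          /* wraps silently */
}

unsigned char *alloc_pixels_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return malloc(unchecked_size(width, height, bpp));    /* later copy overruns */
}

/* Hardened form: reject absurd dimensions up front (assumed policy limits,
 * not from the slides), then check every multiplication for overflow in
 * size_t before the size reaches calloc(). */
#define MAX_DIM 16384u
#define MAX_BPP 4u

unsigned char *alloc_pixels_checked(uint32_t width, uint32_t height,
                                    uint32_t bpp, size_t *out_len)
{
    if (width == 0 || height == 0 || bpp == 0) return NULL;
    if (width > MAX_DIM || height > MAX_DIM || bpp > MAX_BPP) return NULL;
    if ((size_t)width > SIZE_MAX / height) return NULL;   /* w*h overflow */
    size_t area = (size_t)width * height;
    if (area > SIZE_MAX / bpp) return NULL;               /* w*h*bpp overflow */
    *out_len = area * bpp;
    return calloc(*out_len, 1);                           /* zero-initialised */
}

/* Byte count the hardened path accepts for these fields, 0 if it rejects them. */
size_t checked_len(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t len = 0;
    unsigned char *buf = alloc_pixels_checked(width, height, bpp, &len);
    if (buf == NULL) return 0;
    free(buf);
    return len;
}

int main(void)
{
    /* Constructed header: 65536 x 65537 x 1 wraps to 65536 bytes unchecked. */
    printf("unchecked size: %u\n", unchecked_size(65536u, 65537u, 1u));
    printf("checked length: %zu\n", checked_len(65536u, 65537u, 1u));
    return 0;
}
```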

Page 10: Analysis

- 6,437 vulnerabilities recorded in the X-Force Database in 2007
- Not including site-specific vulnerabilities, Symantec documented 2,134 vulnerabilities in the second half of 2007, 13 percent less than in the first half of 2007.
- Seventy-three percent of vulnerabilities documented in this period were classified as easily exploitable, compared to 72 percent in the first half of 2007.

Page 11: VAAL and Unforgivable Vulnerabilities

- low access constraints
- very high feature frequency
- very low novelty
- low manipulation complexity
- low level of effort

Page 12: Remediation

- Gather all relevant characteristics of the new vulnerability and create an alert
- Determine software affected by the vulnerability
- Make entry in database about severity and possible workarounds
- Corrections completed by vendor in the form of updates/patches to remove vulnerability
- Distribution of the fix
- Identify insecure coding practices and develop secure alternatives
- Reduce or eliminate vulnerabilities before deployment

Page 13: Intrusions before and after patch releases

Page 14: Statistics

"There are three kinds of lies: lies, damn lies, and statistics." Benjamin Disraeli

Page 15: Vulnerability Disclosure Trend Statistics

Page 16: High/Medium/Low Vulnerability Impact Breakdown [1]

Page 17: Remote vs. Local Exploitation [1]

Page 18: Consequences of Exploitation [1]

Page 19: Windows-based Web Browser Vulnerabilities [1]

Page 20: Browser plug-in vulnerabilities [10]

Page 21: Future work

- Measuring relative attack surfaces [5][6][7]
- Fuzz testing, e.g. Codenomicon DEFENSICS (software-based) [8] and Mu Service Analyzer (hardware-based) [9]
- Vulnerability management, e.g. QualysGuard [11]
- Vulnerabilities in open-source software [14]
- Development of metrics for software assurance, e.g. VAAL-based metrics

Page 22: References

[1] IBM Internet Security Systems, X-Force® 2007 Trend Statistics, January 2007
[2] Software Security Assurance State-of-the-Art Report (SOAR), July 2007
[3] Martin Boldt, Bengt Carlsson and Roy Martinsson, Software Vulnerability Assessment: Version Extraction and Verification, 2007
[4] Steve Christey, The MITRE Corporation, Unforgivable Vulnerabilities, August 2007
[5] http://msdn.microsoft.com/library/default.asp?url=/library/enus/dncode/html/secure02132003.asp
[6] Michael Howard, Jon Pincus, and Jeannette M. Wing, Measuring Relative Attack Surfaces, October 2003
[7] Pratyusa Manadhata and Jeannette M. Wing, Measuring a System's Attack Surface, Computer Science Department, Carnegie Mellon University, January 2004
[8] Jon Oltsik, ESG White Paper: Black Box Testing and Codenomicon DEFENSICS, April 2008
[9] http://www.mudynamics.com/products/overview.html
[10] Symantec Internet Security Threat Report, Trends for July–December 07, Volume XII, published April 2008
[11] The Need for Vulnerability Management, whitepaper, www.Qualys.com
[12] http://www.digitalbond.com/index.php/2007/09/17/the-dangerous-silent-fix/
[13] Ashish Arora, Rahul Telang, Hao Xu, Optimal Policy for Software Vulnerability Disclosure, H. John Heinz III School of Public Policy and Management, Carnegie Mellon University, July 2007
[14] Coverity Open Source Report 2008

Page 23: Questions?