Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE...

Measuring and Managing Software Security

Robert A. Martin

20 March 2013

© 2012 The MITRE Corporation. All rights reserved.

Today Everything’s Connected

When this Other System gets subverted through an un-patched vulnerability, a mis-configuration, or an application weakness…

Your System is attackable…


CVE 1999 to 2000

to 2012

Vulnerability Type Trends:A Look at the CVE List (2001 - 2007)

Removing and Preventing the Vulnerabilities Requires More Specific Definitions…CWEsImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting’) (79)

• Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (80)• Improper Neutralization of Script in an Error Message Web Page (81)• Improper Neutralization of Script in Attributes of IMG Tags in a Web Page (82)• Improper Neutralization of Script in Attributes in a Web Page (83)• Improper Neutralization of Encoded URI Schemes in a Web Page (84)• Doubled Character XSS Manipulations (85)• Improper Neutralization of Invalid Characters in Identifiers in Web Pages (86)• Improper Neutralization of Alternate XSS Syntax (87)

Improper Restriction of Operations within the Bounds of a Memory Buffer (119)• Buffer Copy without Checking Size of Input ('Classic Buffer Overflow’) (120)• Write-what-where Condition (123)• Out-of-bounds Read (125)• Improper Handling of Length Parameter Inconsistency (130)• Improper Validation of Array Index (129) • Return of Pointer Value Outside of Expected Range (466)• Access of Memory Location Before Start of Buffer (786) • Access of Memory Location After End of Buffer (788)• Buffer Access with Incorrect Length Value 805• Untrusted Pointer Dereference (822)• Use of Out-of-range Pointer Offset (823)• Access of Uninitialized Pointer (824)• Expired Pointer Dereference (825)

Path Traversal (22)• Relative Path Traversal (23)• Path Traversal: '../filedir' (24)• Path Traversal: '/../filedir' (25)• <------------8 more here -------------->• Path Traversal: '....//' (34)• Path Traversal: '.../...//' (35)• Absolute Path Traversal (36)

• Path Traversal: '/absolute/pathname/here’ (37)• Path Traversal: '\absolute\pathname\here’ (38)• Path Traversal: 'C:dirname’ (39)• Path Traversal: '\\UNC\share\name\' (Windows UNC Share) (40)

9

14

19

Common Weakness Enumeration (CWE) – 700+


What is wrong with this picture?Wouldn’t it be nice if the weaknesses in software were as easy to spot and their impact as easy to understand as a screen door in a submarine…

CWE Compatibility & Effectiveness Program

396

9

cwe.mitre.org/compatible/

( launched Feb 2007)

Direct Contributors to the 2011 CWE/SANS Top 25

Red Hat Inc. Secunia (Denmark) CERIAS, Purdue University CAST Software NetBSD Symantec Corporation Veracode, Inc. Grammatech Inc. IPA (Japan) IBM Ellumen, Inc. McAfee SAIC SRI International UC Davis MITRE White Hat Security KRvW Associates Oracle Corporation Fortify Software, an HP Company ThinkSec

Tata Consultancy Services (TCS) Motorola Solutions RSA, the Security Division of EMC

Mark J. Cox Carsten Eiram Pascal Meunier Razak Ellafi & Bonsignour David Maxwell Cassio Goldschmidt & Mahesh Saptarshi Chris Eng Paul Anderson Masato Terada Bernie Wong Dennis Seymour Kent Landfield Hart Rossman Jeremy Epstein Matt Bishop Adam Hahn & Sean Barnum Jeremiah Grossman Kenneth van Wyk Bruce Lowenthal Jacob West Frank Kim Christian Heinrich (Australia) Ketan Vyas Joe Baum Matthew Coles, Aaron Katz & Nazira OmuralievaNational Security Agency (NSA) Information Assurance Division Department of Homeland Security (DHS) National Cyber Security Division


CWE/SANS Top 25

3 years running Latest version published in June 2011 Survey results from over 25 organizations 41 CWE entries nominated CWSS 0.8 used to rank results

– Technical Impact, Prevalence, Likelihood of Exploit

Published pocket guide for mitigating the Top 25 (and other weaknesses, too)


CWE Outreach: A Team SportMay/June Issue of IEEE Security & Privacy…

16 July 2010

| 25 |


| 26 |


| 27 |


[1] CWE-79 Cross-site Scripting[2] CWE-89 SQL Injection[3] CWE-120 Classic Buffer Overflow[4] CWE-352 Cross-Site Request Forgery (CSRF)[5] CWE-285 Improper Authorization[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision[7] CWE-22 Path Traversal[8] CWE-434 Unrestricted Upload of File with Dangerous Type[9] CWE-78 OS Command Injection[10] CWE-311 Missing Encryption of Sensitive Data[11] CWE-798 Use of Hard-coded Credentials[12] CWE-805 Buffer Access with Incorrect Length Value[13] CWE-98 PHP File Inclusion[14] CWE-129 Improper Validation of Array Index[15] CWE-754 Improper Check for Unusual or Exceptional Conditions[16] CWE-209 Information Exposure Through an Error Message[17] CWE-190 Integer Overflow or Wraparound[18] CWE-131 Incorrect Calculation of Buffer Size[19] CWE-306 Missing Authentication for Critical Function[20] CWE-494 Download of Code Without Integrity Check[21] CWE-732 Incorrect Permission Assignment for Critical Resource[22] CWE-770 Allocation of Resources Without Limits or Throttling[23] CWE-601 Open Redirect[24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm[25] CWE-362 Race Condition[26] CWE-749 Exposed Dangerous Method or Function[27] CWE-307 Improper Restriction of Excessive Auth. Attempts[28] CWE-212 Improper Cross-boundary Removal of Sensitive Data[29] CWE-330 Use of Insufficiently Random Values[30] CWE-59 Link Following[31] CWE-134 Uncontrolled Format String[32] CWE-476 NULL Pointer Dereference[33] CWE-681 Incorrect Conversion between Numeric Types[34] CWE-426 Untrusted Search Path[35] CWE-454 External Initialization of Trusted Variables or Data Stores[36] CWE-416 Use After Free[37] CWE-772 Missing Release of Resource after Effective Lifetime[38] CWE-799 Improper Control of Interaction Frequency[39] CWE-456 Missing Initialization[40] CWE-672 Operation on a Resource after Expiration or Release[41] CWE-804 Guessable CAPTCHA

| 28 |

CWE-119

CWE-706

CWE-834

CWE-637

CW

E/S

AN

S 2

01

0 T

op 2

5 M

ost

Dangero

us

Soft

ware

Err

ors

Total PotentialSecurity Weaknesses

DynamicAnalysis

StaticAnalysis

• Environment Configuration Issues• Issues in integrations of modules• Runtime Privileges Issues• Protocol Parser/Serializer Issues• Issues in 3rd party components• …

• Environment Configuration Issues• Issues in integrations of modules• Runtime Privileges Issues• Protocol Parser/Serializer Issues• Issues in 3rd party components• …

• Null Pointer Dereference• Threading Issues• Issues in Dead Code• Insecure Crypto Functions• …

• Null Pointer Dereference• Threading Issues• Issues in Dead Code• Insecure Crypto Functions• …

• SQL Injection• Cross Site Scripting• HTTP Response Splitting• OS Commanding• LDAP Injection• …

• SQL Injection• Cross Site Scripting• HTTP Response Splitting• OS Commanding• LDAP Injection• …

Application Logic Issues Application Logic Issues

Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis

Weakness

Weakness

Weakness

Weakness

Asset

Attack

Impact

Item

Item

Item

Attack

Attack

Function

Asset

Impact

Impact

KnownThreatActors

Attack Patterns(CAPECs)

Weaknesses(CWEs)

Controls* TechnicalImpacts

Operational Impacts

* Controls include architecture choices, design choices, added security functions, activities & processes, physical decomposition choices, code assessments, design reviews, dynamic testing, and pen testing

System & System Security

EngineeringTrades

ISO/IEC Technical Report 20004:Refining Software Vulnerability Analysis Under ISO/IEC 15049 and ISO/IEC 18045

Technical Impacts – Common Consequences

1. Modify data2. Read data3. DoS: unreliable execution4. DoS: resource consumption5. Execute unauthorized code or commands6. Gain privileges / assume identity7. Bypass protection mechanism8. Hide activities

Technical Impacts – Common Weakness Risk Analysis Framework (CWRAF)

CWRAF/CWSS in a Nutshell

W

Wd

W is all possible weaknessesWd is all known weaknesses (CWE)

Common Weakness Risk Analysis Framework (CWRAF)

Multiple pieces – we’ll focus on “Vignettes”

Technical Impacts1. Modify data

2. Read data

3. DoS: unreliable execution

4. DoS: resource consumption

5. Execute unauthorized code or commands

6. Gain privileges / assume identity

7. Bypass protection mechanism

8. Hide activities

Technical Impact Scorecard

W1=10W2=0W3=0W4=0W5=0W6=0W7=0W8=0

Weightings

CWRAF/CWSS in a Nutshell

W

Wd

CWSS Score

CWE

97 CWE-7995 CWE-7894 CWE-2294 CWE-43494 CWE-79893 CWE-12093 CWE-25092 CWE-77091 CWE-82991 CWE-19091 CWE-49490 CWE-13490 CWE-77290 CWE-47690 CWE-131

…

User-defined cutoff

CWSSScorin

g Engine

Most Important Weakness

es

“Vignette”

W is all possible weaknessesWd is all known weaknesses (CWE)

What types of attacks should I test my system against?

Common Attack Pattern Enumeration and Classification

WWd

CWSS Score CWE

97 CWE-79

95 CWE-78

94 CWE-22

94 CWE-434

94 CWE-798

93 CWE-120

93 CWE-250

92 CWE-770

91 CWE-829

91 CWE-190

91 CWE-494

90 CWE-134

90 CWE-772

90 CWE-476

90 CWE-131

…

CWSSScoring Engine

Most Important

Weaknesses

CWE Related CAPEC ID’s

CWE-79 CAPEC-232, CAPEC-106, CAPEC-19, …

CWE-78 CAPEC-108, CAPEC-15, CAPEC-43, CAPEC-6, …

… …

Scoring Weaknesses Discovered in Code using CWSS

Organizations that have declared plans to support CWSS in their future offerings and are working with MITRE to help evolve CWSS to meet their customer's and the community's needs for a scoring system for software errors.

CWE Coverage – Implemented…

Which static analysis tools and Pen Testing services find the CWE’s I care about?

Utilizing CWE Coverage Claims

Most Important Weakness

es(CWE’s)

Code Review

Static Analysis Tool A

Pen Testing Services

CWE’s a capability claims to cover

Static Analysis Tool B

Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis

Different perspectives are effective at finding different types of weaknesses

Some are good at finding the cause and some at finding the effectStaticCode

Analysis

PenetrationTest

DataSecurityAnalysis

CodeReview

ArchitectureRisk

Analysis

Cross-Site Scripting (XSS) X X X

SQL Injection X X X

Insufficient Authorization Controls X X X X

Broken Authentication and Session Management X X X X

Information Leakage X X X

Improper Error Handling X

Insecure Use of Cryptography X X X

Cross Site Request Forgery (CSRF) X X

Denial of Service X X X X

Poor Coding Practices X X

Architecture Analysis

Design Review

Source Code Static Analysis

Binary Static Analysis

Automated Dynamic Analysis

Penetration Testing

Red Team Assessment

(1) Modify data

(2) Read Data

(3) DoS: unreliable execution

(4) DoS: resource consumption

(5) Execute unauthorized code or commands

(6) Gain privileges / assume identity(7) Bypass protection mechanism

(8) Hide activities

Revie

w o

f A

rch

itectu

re a

nd

D

esig

n

Revie

w o

f C

od

e

Revie

w o

f Liv

e

Syste

m

Notiona

l

Architecture Analysis

Design Review

Source Code Static

Analysis

Binary Static

Analysis

Automated Dynamic Analysis

Penetration Testing

Red Team Assessment

(1) Modify data CWE-23 CWE-23 CWE-131 CWE-131 CWE-311 CWE-311 CWE-311

(2) Read Data CWE-14 CWE-14 CWE-129 CWE-129 CWE-209 CWE-209 CWE-209

(3) DoS: unreliable execution

CWE-36 CWE-36 CWE-476 CWE-476 CWE-406 CWE-406 CWE-406

(4) DoS: resource consumption

CWE-395 CWE-395

CWE-190 CWE-190 CWE-412 CWE-412 CWE-412

(5) Execute unauthorized code or commands


(6) Gain privileges / assume identity


(7) Bypass protection mechanism


(8) Hide activities


Notiona

l

OS Command Injection

SQL Injection

Static Code Injection

Argument Injection

Use of NullPointerExceptio

n

Absolute Path Traversal

Compiler Removal of Buffer Clearing

Relative Path Traversal

Improper Handling of Inconsistent

Insufficient UI Warning of Dangerous

Leftover Debug Code

Buffer Overflow

Integer Overflow

Null Pointer Dereference

Improper Validation of Array

Index

Incorrect Calculation of

Buffer Size

HTTP Request Smuggling

Improper Initialization

Use of Password System for Primary Authentication

Cross-site Scripting

Unrestricted Externally Accessible Lock

Network Amplification

Information Exposure Through an Error Messages

Missing Encryption of Sensitive Data

Vulnerability Analysis Focus By Phase and Impact

Contact Info

[email protected]

[email protected]

Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE...

Documents

Transcript of Measuring and Managing Software Security Robert A. Martin 20 March 2013 © 2012 The MITRE...