VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Vulnerabilities and Exploitation in Computer System - Past, Present and Future 03 September 2013 @ 27 Syawal 14 Nurul Haszeli Ahmad, Syed Ahmad Aljunid, Jamalul-lail Ab Ma SISKOM 2 Faculty of Computer and Mathematical Scien UiTM Shah Alam, Selangor, Malay
Date posted: 19-Oct-2014
description

Software vulnerabilities are regarded as the most critical vulnerabilities because of their impact and availability compared with hardware and network vulnerabilities. From the first appearance of software vulnerabilities in the late 80s until today, many software vulnerabilities have been identified and classified, such as the well-known buffer overflow, scripting and SQL command. We studied those known software vulnerabilities, compared their criticality, impact and significance, predicted the trend of the vulnerabilities, and proposed a focus area based on the comparative studies. The results show that C overflow vulnerabilities will continue to persist despite losing their dominance in terms of numbers of availability and exploitation. However, the impact of exploiting C overflow vulnerabilities is still regarded as the most critical compared with the others. Therefore, C overflow vulnerabilities will prevail again and continue their domination as they did for the past two decades.

Transcript of VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Page 1: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Vulnerabilities and Exploitation in Computer System - Past, Present and Future

03 September 2013 @ 27 Syawal 1434H

Nurul Haszeli Ahmad, Syed Ahmad Aljunid, Jamalul-lail Ab Manan

SISKOM 2013

Faculty of Computer and Mathematical Sciences

UiTM Shah Alam, Selangor, Malaysia

Page 2: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Presentation Outline

1. Introduction

2. Quantitative Studies on Known Software Vulnerabilities

3. Impact Analysis

4. The Prediction

5. Conclusion

Page 3: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Introduction

Page 4: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Introduction

Software Vulnerabilities

• What is? Flaws in software / codes
• Definition (Stoneburner et al., 2002, OWASP Org., 2013, Kaspersky Lab, 2013)
• Impact? System behaves abnormally
• Caused by: unintentionally triggered by user; exploited by hackers

Root Cause

• Improper Process
• Poor Design
• Programming errors/mistake

Biezer, 1990 and Piessens, 2002

Alhazmi et al., 2006, Howard et al., 1998, Krsul, 1998, Longstaff et al. 1997, Moore, 2007, Vipindeep et al., 2005

Ahmad et al. 2011

Page 5: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Introduction

Programming errors/mistake (Ahmad et al. 2011)

• Limitation in Programming Language
• Incompetent programmers/software engineers

Caused by

Exploitation

Impact

1. 1990 - Morris Worm (One, 1996)
2. Poland Train crash (Baker et al. 2008)
3. Iran nuclear attack (Chen 2011)
4. Toyota brake failure (Carty, 2010)
Etc.

Page 6: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Introduction

Summary
• Quantitative studies on known software vulnerabilities
• Share the criticality and significance of the identified vulnerabilities
• Predict the future

Scope
1. Limited to quantity based on reported vulnerabilities
2. Limited to four classes - SQLi, XSS, Java, and C/C++

Page 7: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Quantitative Studies on Known Software Vulnerabilities

1. Software vulnerabilities have been detected since programming existed
2. The first unintended exploitation happened in the late 80s
3. Microsoft introduced SDL starting from 2002
4. Program analysis (static and dynamic analysis), anti-virus, etc. introduced as early as 1994 (Wagner)
5. Vulnerabilities are still at large, and exploitation increases exponentially with vulnerabilities.

19 well-known online vulnerability databases and organizations
1. Microsoft Corporation
2. Homeland Security
3. NIST
4. OSVDB
5. OWASP
6. SANS Institute
7. CSM
etc.

Page 8: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Quantitative Studies on Known Software Vulnerabilities

[Figure: No. of Vulnerabilities By Year. x-axis: year, 1988 to 2013; y-axis: No. of Vulnerabilities, 0 to 7000.]

Source: National Institute of Standards and Technology (NIST)

Source: Open-Source Vulnerabilities Database (OSVDB)

Page 9: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Quantitative Studies on Known Software Vulnerabilities

Other Scary Facts

1. > 2000 vulnerabilities identified per year

2. 20% is constantly C/C++ overflow vulnerabilities

3. 40% ranked with severity 7.0 to 10.0

4. SANS Institute continues to release the same classes of vulnerabilities in its top 25 Software errors since 2002

5. A single vulnerability, if exploitable, can cause huge impact

6. Symantec reported a 42% increase in exploitation and an increase of ~50% in web attacks

7. Some of the latest attacks still use old identified vulnerabilities (Kaspersky Lab)

Page 10: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Impact Analysis

Fantastic Four

SQLi

XSS

Java

C/C++ overflow

• 95% has CVSS 4.0 – 6.9
• Severity between low - medium

• 70% has CVSS 4.0 – 6.9
• Severity between low - medium

• 85% has CVSS 7.0 – 10
• Severity is high

• 60% has CVSS 7.0 – 10
• Severity is high

• Security bypass
• Gain control / steal user identity (depending on user privileges)

• Security bypass
• Gain control / steal user identity (depending on user privileges)

• With overflow vulnerabilities – access/control can be gained without use of user privileges
• System malfunctions, accident, control system, etc. (McGraw, 2013, Baker et al., 2008, and Chen, 2010)

Page 11: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Impact Analysis

Market shares
• Windows-based OS – 90%
• 30% is Windows XP
• Most used mobile OS is Android (> 60% market share)

Browser used
• Use of Microsoft IE reduces the possibility of being hacked
• Safari (by Apple) and Chrome (runs on Android-based mobile) increase the risk of being attacked

Rise of online applications
• Only XSS, SQLi, and Java vulnerabilities are affected and shall increase the risk of being exploited

Detection/Prevention Mechanism
• Java – has built-in security (JVM)
• XSS and SQLi vulnerabilities are input related
• C/C++ has no perfect defense

Page 12: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

The Prediction

The Famous Four will remain for decades to come

C/C++ will prevail again

Page 13: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

Conclusion

• There are many sites that support hackers
  – Shodan, Rapid7, Offensive Security and SecurityVulns
• Old vulnerabilities are still relevant (Kaspersky Lab)
• Compared to other classes of vulnerabilities, C/C++ is the most dangerous
• Vulnerabilities and exploitations in computer systems will persist
• C/C++ overflow vulnerabilities will regain their domination

Page 14: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

References

1. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2010a). Preventing Exploitation on Software Vulnerabilities: Why Most Static Analysis Is Ineffective? Conferences on Engineering and Technology Education. Kuching: World Engineering Congress.
2. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2011). Taxonomy of C Overflow Vulnerabilities Attack. In Z. Jasni Mohamad, W. Mohd, & E.-Q. Eyas (Ed.), International Conferences on Software Engineering and Computer Systems. 180, pp. 376 - 390. Kuantan, Pahang: Springer.
3. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2011c). Understanding Vulnerabilities by Refining Taxonomy. 7th International Conference on Information Assurance and Security (IAS) (pp. 25 - 29). Melaka: IEEE Computer Society.
4. Alhazmi, H. O. (2005). Quantitative vulnerability assessment of systems software. Annual Proceedings of Reliability and Maintainability Symposium (pp. 615 - 620). IEEE.
5. Alhazmi, O. H., Woo, S. W., & Malaiya, Y. K. (2006). Security Vulnerability Categories in Major Software Systems. 3rd IASTED International Conference on Communication, Network, and Information Security (CNIS), (pp. 138 - 143).
6. Aslam, T. (1995). A Taxonomy of Security Faults in the UNIX Operating System. MSc Thesis, Department of Computer Sciences, Purdue University.
7. Baker, & Graeme. (2008, January 11). Schoolboy hacks into city's tram system. Retrieved November 17, 2011, from The Telegraph: http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html
8. Beizer, B. (1990). Software Testing Technique (2nd Edition ed.). New York, USA: Van Nostrand Reinhold Co.
9. Carty, D. (2010, February 3). Apple's Wozniak: Toyota Has Software Problem. (CBS Interactive Inc) Retrieved November 18, 2011, from CBS News: http://www.cbsnews.com/8301-503983_162-6169804-503983.html
10. Cenzic Inc. (2013). Resources - Application Security Papers. Retrieved August 09, 2013, from CENZIC: http://www.cenzic.com/resources/application-security-papers/
11. Chen, T. M. (2010). Stuxnet, the Real Start of Cyber Warfare. IEEE Network, 24 (6), 2 - 3.
12. CISCO. (2013). Cisco Security Report. Retrieved August 09, 2013, from Cisco: http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
13. Critical Patch Updates, Security Alerts and Third Party Bulletin. (2013). Retrieved August 09, 2013, from Oracle Technology Network: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
14. CyberSecurity Malaysia. (2013). e-Security Bulleting. Retrieved August 09, 2013, from CyberSecurity Malaysia: http://www.cybersecurity.my/en/knowledge_bank/bulletin/content/main/detail/182/index.html?mytabsmenu=2
15. Department of Homeland Security. (2013). US-CERT. Retrieved August 09, 2013, from US-CERT (United States Computer Emergency Readiness Team): http://www.us-cert.gov/
16. Fritzinger, S. J., & Mueller, M. (1996). Java™ Security. White paper, Sun Microsystems, Inc.

Page 15: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

References

17. Hewlett-Packard Development Company. (2013). Resource Center. Retrieved August 09, 2013, from HP Enterprise Security: http://www.hpenterprisesecurity.com/news/resource-center
18. Howard, J. D., & Longstaff, T. A. (1998). A Common Language for Computer Security Incidents. Sandia Technical Report, Sandia National Laboratories, Sandia Corporation.
19. Howard, M., LeBlanc, D., & Viega, J. (2010). 24 Deadly Sins of Software Security - Programming Flaws and How to Fix Them. McGraw-Hill.
20. IBM X-Force. (2013). IBM X-Force Annual Trend and Risk Report. Retrieved August 09, 2013, from IBM X-Force: http://www-03.ibm.com/security/xforce/downloads.html
21. iMPERVA. (2013). Imperva Web Application Attack Report. iMPERVA.
22. IT Security Research Group. (2013). Map Honeynet. Retrieved August 09, 2013, from The Honeynet Project: http://map.honeynet.org/
23. Johnson, S. (2013, August 07). FortiGuard Labs sees fast rise of mobile malware in 2013. (TechTarget) Retrieved August 09, 2013, from SearchSecurity: http://searchsecurity.techtarget.com/news/2240203220/FortiGuard-Labs-sees-fast-rise-of-mobile-malware-in-2013?asrc=EM_ERU_22893730&utm_medium=EM&utm_source=ERU&utm_campaign=20130808_ERU%20Transmission%20for%2008/08/2013%20(UserUniverse:%20551200)_myka-rep
24. Kaspersky Lab. (2013b). Analysis. Retrieved August 09, 2013, from SECURELIST: http://www.securelist.com/en/analysis?genre=1
25. Kaspersky Lab. (2013). Kaspersky Security Bulletin 2012. The overall statistics for 2012. Retrieved August 09, 2013, from SECURELIST: http://www.securelist.com/en/analysis/204792255/
26. Kaspersky Lab. (2013a). Software vulnerabilities. Retrieved August 09, 2013a, from SECURELIST: http://www.securelist.com/en/threats/vulnerabilities?chapter=35
27. Krsul, I. V. (1998). Software Vulnerability Analysis. Phd Thesis, Purdue University.
28. Lipner, S. (2013, May 14). The time is now. Security Development Must be a Priority for Everyone. Retrieved August 09, 2013, from Microsoft Trustworthy Computing: http://blogs.technet.com/b/trustworthycomputing/archive/2013/05/08/security-development-conference-2013.aspx
29. Longstaff, T. A., Ellis, J. T., Hernan, S. V., Lipson, H. F., McMillan, R. D., Pesante, L. H., et al. (1997). Security of the Internet. (M. Dekker, Ed.) The Froehlich/Kent Encyclopedia of Telecommunications, 15, pp. 231 - 255.
30. McGraw, G. (2013, August 09). Five major technology trends affecting software security assurance. Retrieved August 11, 2013, from SearchSecurity.com: http://searchsecurity.techtarget.com/opinion/Five-major-technology-trends-affecting-software-security-assurance
31. Microsoft Corporation. (2002, January 15). Memo from Bill Gates. Retrieved 2010, from Microsoft News Center: http://www.microsoft.com/en-us/news/features/2012/jan12/gatesmemo.aspx
32. Microsoft Corporation. (2013b). Microsoft Security Advisories. Retrieved August 09, 2013b, from Security TechCenter: http://technet.microsoft.com/en-us/security/advisory/

Page 16: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

References

33. Microsoft Corporation. (2013a). What is the Security Development Lifecycle? Retrieved August 09, 2013a, from Microsoft Security Development Lifecycle: http://www.microsoft.com/security/sdl/default.aspx
34. MITRE Corporation. (2011). Common Vulnerabilities And Exposures. Retrieved November 15, 2011, from CVE - Format String: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Format+String
35. Moore, H. D. (2007). Exploiting Vulnerabilities. Presentation Slide, Secure Application Development (Secappdev.org).
36. National Institute of Standards and Technology (NIST). (2013). CVE and CCE Statistics Query Page. Retrieved August 09, 2013, from National Vulnerability Database (NVD): http://web.nvd.nist.gov/view/vuln/statistics
37. Net Applications.com. (2013b). Desktop Browser Market Share. Retrieved August 11, 2013b, from NETMARKETSHARE: http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
38. Net Applications.com. (2013). Desktop Operating System Market Share. Retrieved August 10, 2013, from NETMARKETSHARE: http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
39. Offensive Security. (2013). Retrieved from Exploit Database: http://www.exploit-db.com/
40. One, A. (1996). Smashing the Stacks for Fun and Profit. Phrack Magazine, 7 (49).
41. Open Sourced Vulnerability Database (OSVDB). (2013). Open Sourced Vulnerability Database. Retrieved August 09, 2013, from OSVDB: http://osvdb.org/
42. Oracle Corporation. (2012). Java SE Security. Retrieved January 10, 2012, from ORACLE: http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html
43. Oracle Corporation. (2010). Secure Computing with Java: Now and the Future. Retrieved January 10, 2012, from ORACLE - Sun Developer Network (SDN): http://java.sun.com/security/javaone97-whitepaper.html
44. Oracle FAQ. (2012, January 2). Oracle Corporation. Retrieved January 10, 2012, from Oracle FAQ: http://www.orafaq.com/wiki/Oracle_Corporation
45. OWASP Organization. (2013). Category: Vulnerability. Retrieved August 09, 2013, from OWASP - The Open Web Applications Security Project: https://www.owasp.org/index.php/Category:Vulnerability
46. Passeri, P. (2013). 2012 Cyber Attack Statistics. Retrieved August 09, 2013, from Hackmageddon.com: http://hackmageddon.com/2012-cyber-attacks-statistics-master-index/
47. Pierluigi, P. (2013). Security Affairs. Retrieved August 09, 2013, from Security Affairs: http://securityaffairs.co/wordpress/
48. Piessens, F. (2002). A Taxonomy (with Examples) of Causes of Software Vulnerabilities in Internet Software. Technical Report, Katholieke Universiteit Leuven, Department of Computer Science.
49. Positive Research. (2012). Vulnerability Statistics for 2011. Positive Technologies.
50. Rapid7. (2013). Vulnerability and Exploit Database. Retrieved August 09, 2013, from Rapid7: http://www.rapid7.com/db/modules/

Page 17: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

References

51. Rashid, F. Y. (2013, May 15). Microsoft Talks Secure Coding Practices, Standards at Security Development Conference. Retrieved August 09, 2013, from SECURITYWEEK: http://www.securityweek.com/microsoft-talks-secure-coding-practices-standards-security-development-conference
52. Red Hat Inc. (2013). Red Hat vulnerabilities by CVE name. Retrieved August 09, 2013, from redhat: https://access.redhat.com/security/cve/
53. SANS Institute. (2013). CWE/SANS TOP 25 Most Dangerous Software Errors. Retrieved August 09, 2013, from http://www.sans.org/top25-software-errors/
54. Secunia. (2013). Advisories. Retrieved August 09, 2013, from Secunia: http://secunia.com/community/advisories/historic/
55. SecurityVulns. (2013). Retrieved August 09, 2013, from Computer Security Vulnerabilities: http://securityvulns.com/
56. SHODAN. (2013). Expose Online Devices. Retrieved August 09, 2013, from SHODAN: http://www.shodanhq.com/
57. Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems – Recommendation of the National Institute of Standard and Technology (Special Publications). National Institute of Standard and Technology (NIST).
58. Symantec Corporation. (2013). Internet Security Threat Report 2013 Volume 18. Symantec Corporation.
59. Symantec Corporation. (2013). Security Response Publications. Retrieved August 09, 2013, from Symantec: http://www.symantec.com/security_response/publications/threatreport.jsp
60. Vipindeep, V., & Jalote, P. (2005). List of Common Bugs and Programming Practices to avoid them. Technical Report, Indian Institute of Technology, Kanpur.

Page 18: VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE

THANK YOU

Nurul Haszeli Ahmad, Syed Ahmad Aljunid, Jamalul-lail Ab Manan

Email: [email protected] / [email protected]/LinkedIn: masteramuk / Nurul Haszeli

Website: http://malaysiandeveloper.blogspot.com