Workforce Education and Training in Software Assurance and Supply Chain Risk Management

Joe Jarzombek, PMP, CSSLP
Director for Software Assurance, National Cyber Security Division, Office of the Assistant Secretary for Cybersecurity and Communications

Dr. Robin Gandhi
Assistant Professor of Information Assurance, University of Nebraska at Omaha

March 17, 2011

Technologies Subject to Exploitation: Providing Context for the Priority of Common Weaknesses

Technology Groups and Archetypes
• Web Application: Web browser, web server, web-based applications and services, etc.
• Control System: SCADA, process control systems, etc.
• Embedded System: Embedded device, programmable logic controller, implanted medical devices, avionics package
• End-point Computing Device: Smart phone, laptop, and other remote devices that leave the enterprise and/or connect remotely to the enterprise
• Cloud Computing: Software-enabled capabilities and services (either installed locally or offered via hosted services/cloud computing), such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS)
• Enterprise Application/System: Includes databases, operating systems, office products (such as word processing, spreadsheets, etc.)

Domains and Descriptions
• E-Commerce: The use of the Internet or other computer networks for the sale of products and services, typically using on-line capabilities.
• Banking & Finance: Financial services, including banks, stock exchanges, brokers, investment companies, financial advisors, and government regulatory agencies.
• Public Health: Health care, medical encoding and billing, patient information/data, critical or emergency care, medical devices (implantable, partially embedded, patient care), drug development and distribution, etc.
• Food & Water: Food processing, clean water treatment and distribution (including dams and processing facilities), etc.
• Energy: Smart Grid (electrical network through a large region, using digital technology for monitoring or control), nuclear power stations, oil and gas transmission, etc.
• Chemical: Chemical processing and distribution, etc.
• Manufacturing: Plants and distribution channels, supply chain, etc.
• Shipping & Transportation: Aerospace systems (such as safety-critical ground aviation systems, on-board avionics, etc.), shipping systems, rail systems, etc.
• National Security: National security systems (including networks and weapon systems), defense industrial base, etc.
• Government and Commercial Security: Commercial security systems, Homeland Security systems for CBP, TSA, etc.
• Emergency Services: Systems and services that support First Responders, incident management and response, law enforcement, and emergency services for citizens, etc.
• Telecommunications: Cellular services, land lines, VOIP, cable & fiber networks, etc.
• Telecommuting & Teleworking: Support for employees to have remote access to internal business networks and capabilities.
• eVoting: Electronic voting systems (i.e., used in state-run elections, shareholder meetings, etc.)
Common Weakness Scoring System (CWSS) Vignettes
Leveraging CWE/CWSS in Cybersecurity Standardization for Key ICT Applications in various Domains

[Figure: matrix of Technology Groups (rows) against Domains (columns). Cells are labelled "Common Vignette for Domain", "Common Vignette for Tech View" and "Vignette for Domain/Tech View".]
Domains: ECommerce, Finance & Banking; Public Health, Food & Water; Energy (including Smart Grid, nuclear power, oil/gas transmission); Chemical; Manufacturing; Shipping & Transportation (includes aerospace, rail, etc); National Security (includes weapon systems & defense industrial base); Government and Commercial Security; Emergency Services (systems & services for First Responders, law enforcement, incident response); Telecommunication; Telecommuting & Teleworking; e-Voting
Technology Groups: Web Applications; Real-Time Embedded Systems; Control Systems; End-point Computing Devices; Cloud Computing; Enterprise Application/System

Common Weakness Scoring System uses Vignettes with Archetypes to identify top CWEs in respective Domain/Technology Views

Vignettes and Business Value Context

Domain: e-commerce
Vignette: Web-based Retail Provider
Description: Internet-facing, E-commerce provider of retail goods or services. Data-centric - Database containing PII, credit card numbers, and inventory.
Archetypes: Database, Web client/server, General-purpose OS
Business Value Context (BVC): Confidentiality essential from a financial PII perspective, identity PII usually less important. PCI compliance a factor. Security incidents might have organizational impacts including financial loss, legal liability, compliance/regulatory concerns, and reputation/brand damage.

Domain: Finance
Vignette: Financial Trading / Transactional
Description: Financial trading system supporting high-volume, high-speed transactions.
Archetypes: N-tier distributed, J2EE and supporting frameworks, Transactional engine
Business Value Context (BVC): High on integrity - transactions should not be modified. Availability also very high - if system goes down, financial trading can stop and critical transactions are not processed.
Vignettes and Business Value Context

Domain: Public Health
Vignette: Human Medical Devices
Description: Medical devices - "implantable" or "partially embedded" in humans, as well as usage in clinic or hospital environments ("patient care" devices.) Includes items such as pacemakers, automatic drug delivery, activity monitors. Control or monitoring of the device might be performed by smartphones. The devices are not in a physically secured environment.
Archetypes: Web-based monitoring and control, General-purpose OS, Smartphone, Embedded Device
Business Value Context (BVC): Power consumption and privacy a concern. Key management important. Must balance ease-of-access during emergency care with patient privacy and day-to-day security. Availability is essential - failure of the device could lead to illness or death. Devices are not in a physically secured environment.

Domain: Smart Grid
Vignette: Smart Meters
Description: Meter that records electrical consumption and communicates this information to the supplier on a regular basis.
Archetypes: Web Applications, Real-Time Embedded System, Process Control System, End-point Computing Device
Business Value Context (BVC): Confidentiality of customer energy usage statistics is important - could be used for marketing or illegal purposes. For example, hourly usage statistics could be useful for monitoring activities. Integrity of metering data is important because of the financial impact on stakeholders (consumers manipulating energy costs). Availability typically is not needed for real-time; other avenues exist if communications are disrupted (e.g., site visit).

CWSS Framework: Providing Business Value Context
[Figure: Technology Group 1, Technology Group 2 (Web Applications, Endpoint Computing Devices, Cloud Services, etc.)]

Why Johnny Can’t write secure code?
• Johnny, avoid these weaknesses…. Period!
  – Common Weakness Enumeration (CWE)
• Johnny…learn from your mistakes
  – Common Vulnerabilities and Exposures (CVE)
• Johnny…these are the ways of the bad guys
  – Common Attack Pattern Enumeration and Classification (CAPEC)
• Johnny…these are ways to develop secure code
  – CERT secure coding guidelines

Poor Johnny!

Using Semantic Templates to Study Vulnerabilities Recorded in Large Software Repositories
Me, Harvey Siy, Yan Wu

The Paradox we face!
• Source Code Differences after the fix
• Bug tracking databases
• Log of Changes
• Mailing list Discussions
• Weakness Enumerations
• Vulnerability Databases
• Public Descriptions

Concept Extraction
[Figure: graph of CWE entries related to buffer overflows and the relationships between them.]
Legend: CHILD OF (Development View), CHILD OF (Research View), PEER OF (Research View), CAN PRECEDE (Development View), CAN PRECEDE (Research View), CATEGORY (Development View), CATEGORY (Research View)
Entries shown:
• CWE-19: DATA HANDLING
• CWE-20: IMPROPER INPUT VALIDATION
• CWE-118: IMPROPER ACCESS OF INDEXABLE RESOURCE ('RANGE ERROR')
• CWE-119: FAILURE TO CONSTRAIN OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
• CWE-120: BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
• CWE-121: STACK-BASED BUFFER OVERFLOW
• CWE-122: HEAP-BASED BUFFER OVERFLOW
• CWE-123: WRITE-WHAT-WHERE CONDITION
• CWE-124: BUFFER UNDERWRITE ('BUFFER UNDERFLOW')
• CWE-125: OUT-OF-BOUNDS READ
• CWE-126: BUFFER OVER-READ
• CWE-127: BUFFER UNDER-READ
• CWE-128: WRAPAROUND ERROR
• CWE-129: IMPROPER VALIDATION OF ARRAY INDEX
• CWE-130: IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY
• CWE-131: INCORRECT CALCULATION OF BUFFER SIZE
• CWE-134: UNCONTROLLED FORMAT STRING
• CWE-170: IMPROPER NULL TERMINATION
• CWE-190: INTEGER OVERFLOW OR WRAPAROUND
• CWE-191: INTEGER UNDERFLOW (WRAP OR WRAPAROUND)
• CWE-192: INTEGER COERCION ERROR
• CWE-193: OFF-BY-ONE ERROR
• CWE-194: UNEXPECTED SIGN EXTENSION
• CWE-195: SIGNED TO UNSIGNED CONVERSION ERROR
• CWE-196: UNSIGNED TO SIGNED CONVERSION ERROR
• CWE-199: INFORMATION MGMT. ERRORS
• CWE-221: INFORMATION LOSS OR OMISSION
• CWE-227: API ABUSE
• CWE-231: IMPROPER HANDLING OF EXTRA VALUES
• CWE-242: USE OF DANGEROUS FUNCTIONS
• CWE-251: STRING MGMT. MISUSE
• CWE-415: DOUBLE FREE
• CWE-416: USE AFTER FREE
• CWE-456: MISSING INITIALIZATION
• CWE-466: RETURN OF POINTER VALUE OUTSIDE OF EXPECTED RANGE
• CWE-467: USE OF SIZEOF() ON A POINTER TYPE
• CWE-468: INCORRECT POINTER SCALING
• CWE-680: INTEGER OVERFLOW TO BUFFER OVERFLOW
• CWE-682: INCORRECT CALCULATION
• CWE-785: USE OF PATH MANIPULATION FUNCTION WITHOUT MAX-SIZE BUFFER
• CWE-786: ACCESS OF MEMORY LOCATION BEFORE START OF BUFFER
• CWE-787: OUT-OF-BOUNDS WRITE
• CWE-788: ACCESS OF MEMORY LOCATION AFTER END OF BUFFER
• CWE-789: UNCONTROLLED MEMORY ALLOCATION

Tangling of information in the CWE
• CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
Legend: Software Fault, Weakness, Resource/Location, Consequence
  – The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
  – Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are valid for the memory buffer that is being referenced. This can cause read or write operations to be performed on memory locations that may be associated with other variables, data structures, or internal program data. As a result, an attacker may be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash.
Tangling of information in the CWE
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Legend: Software Fault, Weakness, Resource/Location, Consequence
  – The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
  – A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer.
  – Buffer overflows often can be used to execute arbitrary code…
  – Buffer overflows generally lead to crashes

Buffer Overflow
[Figure: semantic template for buffer overflow. Concepts are grouped under SOFTWARE-FAULT, WEAKNESS, RESOURCE/LOCATION and CONSEQUENCES and linked by IS-A, CAN-PRECEDE, OCCURS-IN and PART-OF relations.]
Concepts shown, with their CWE IDs:
• OFF-BY-ONE #193
• SIGN ERRORS #194 #195 #196
• INTEGER OVERFLOW #190 #680
• INTEGER COERCION ERROR #192
• INTEGER UNDERFLOW #191
• WRAPAROUND ERROR #128
• IMPROPER-INPUT-VALIDATION #20
• MISSING INITIALIZATION #456
• STRING MANAGEMENT API ABUSE #785 #134 #251
• RETURN OF POINTER VALUE OUTSIDE OF EXPECTED RANGE #466
• INCORRECT-BUFFER-SIZE-CALCULATION #131
• IMPROPER HANDLING OF EXTRA VALUES #231
• API ABUSE #227
• USE OF DANGEROUS FUNCTIONS #242
• IMPROPER USE OF FREED MEMORY #415 #416
• IMPROPER NULL TERMINATION #170
• POINTER ERRORS #467 #468
• INCORRECT-CALCULATION #682
• IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY #130
• BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW') #120
• IMPROPER VALIDATION OF ARRAY INDEX #129 #789
• ACCESS AND OUT-OF-BOUNDS READ #125, #126, #127, #786
• ACCESS AND OUT-OF-BOUNDS WRITE #787, #788, #124
• FAILURE TO CONSTRAIN OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER #119
• IMPROPER-ACCESS-OF-INDEXABLE-RESOURCE #118
• STACK-BASED #121
• HEAP-BASED #122
• STATIC #129
• BUFFER #119
• MEMORY-BUFFER #119
• INDEX (POINTER #466, INTEGER #129)
• INDEXABLE-RESOURCE #118
• WRITE-WHAT-WHERE CONDITION #123
• UNCONTROLLED MEMORY ALLOCATION #789
• INFORMATION LOSS OR OMISSION #199 #221

Buffer Overflow Semantic template
[Figure: the same buffer overflow template (with ARRAY #129 shown among the resources), annotated with callouts numbered 1 to 7 that attach evidence about CVE-2010-1773 to the template's concepts.]
Callout text for CVE-2010-1773:
• [CVE Description]: Off-by-one error in the toAlphabetic function in rendering/RenderListMarker.cpp
• [Change Log Issue Description]: The math was slightly off here, and we wound up trying to access an array at index -1 in some cases
• [Change Log Fix Description]: We need to decrement numberShadow rather than subtracting one from the result of the modulo operation
• [Code Change for Fix]: Line 105 decrement (--numberShadow;) and remove the subtraction of one in Line 106 (sequence[numberShadow % sequenceSize];)
• [Code]: Missing validation of array size in Line 106 (sequence[numberShadow % sequenceSize];)
• [Change Log Issue Description]: ….trying to access an array at index -1 in some cases
• [Chrome Release Announcement]: ….Memory corruption in rendering….
• [CVE Description]: ….cause a denial of service …..or possibly execute arbitrary code
• [CVE Description]: ….allows remote attackers to obtain sensitive information…

Experiment
• The scenario…
  – A newbie programmer or occasional contributor to open source project
• How much effort does it take to study a vulnerability and summarize lessons learned?
• 30 Computer Science students from a senior-level undergraduate Software Engineering course.
  – None to more than 5 years
  – No prior knowledge of semantic templates

Experiment
• H1₀:
  – There is no reduction in completion time for subjects who use semantic templates compared to those who do not.
• H2₀:
  – There is no improvement in accuracy of understanding of vulnerabilities for subjects who use semantic templates compared to those who do not.

Variables
• The experiment manipulated these independent variables:
  – Group - refers to the group assigned (1 or 2).
  – Round - refers to the experiment round (1 or 2).
  – Vulnerability ID - the vulnerability under study (1-1, 1-2, 1-3, 2-1, 2-2, 2-3).
• These self-reported subject variables were collected:
  – Programming skill level
  – Reading comprehension and writing skill levels - ability to read and write technical English documents.
Variables
• Dependent variables:
  – Time to complete assignment
  – CWE identification accuracy
  – Fault identification accuracy
    • a score (scale of 1-5) on the accuracy of the identification of the software fault that led to the vulnerability
  – Failure identification accuracy
    • a score (scale of 1-5) on the accuracy of the description of the nature of the vulnerability (the manifested problem, the resources impacted and the consequences)

Initial Results and Findings

Table 1: p-values of one-tailed t-tests for Time data
Round 1: (1-1) 0.3627, (1-2) 0.5855, (1-3) 0.1516
Round 2: (2-1) 0.0001, (2-2) 0.0030, (2-3) 0.0015

p-values of one-tailed t-tests for CWE precision
Round 1: (1-1) 0.9281, (1-2) 0.9957, (1-3) 0.5344
Round 2: (2-1) 0.1840, (2-2) 0.6023, (2-3) 0.0891

Table 1: p-values of one-tailed t-tests for CWE recall
Round 1: (1-1) 0.0683, (1-2) 0.9481, (1-3) 0.2286
Round 2: (2-1) 0.0141, (2-2) 0.0093, (2-3) 0.0021

Future Work
• Integrate with existing static and dynamic analysis tools to enhance reporting capabilities
  – Provide layers of guidance to a developer upon detection of a software flaw
  – Organize and retrieve knowledge of past vulnerabilities
  – Verify patch submissions
• Investigate project/developer specific coding errors and vulnerability fix patterns
• Other usage scenarios in the SDLC

Acknowledgement
• This research is funded in part by Department of Defense (DoD)/Air Force Office of Scientific Research (AFOSR), NSF Award Number FA9550-07-1-0499, under the title “High Assurance Software”
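
Added example (not part of the original slides and not WebKit's source): the off-by-one fault that the CVE-2010-1773 semantic template slide traces from software fault to out-of-bounds index, shown in C beside the arithmetic of the described fix. The names numberShadow, sequence and sequenceSize are taken from the slide; the 26-letter sequence, the helper functions and the bounds checks are assumptions made for the illustration.

```c
#include <stdio.h>

/* Constructed 26-letter sequence; `sequence`, `sequenceSize` and
   `numberShadow` reuse the names quoted on the slide. Illustration only. */
static const char sequence[] = "abcdefghijklmnopqrstuvwxyz";
enum { sequenceSize = 26 };

/* Fault (CWE-193): modulo, then subtract one. Index is computed, never used. */
int index_before_fix(int numberShadow) {
    return numberShadow % sequenceSize - 1;
}

/* Fix described in the change log: decrement first, then take the modulo. */
int index_after_fix(int numberShadow) {
    --numberShadow;
    return numberShadow % sequenceSize;
}

/* Count inputs in [1, limit] whose index falls outside [0, sequenceSize). */
int count_out_of_bounds(int (*index_fn)(int), int limit) {
    int bad = 0;
    for (int n = 1; n <= limit; ++n) {
        int i = index_fn(n);
        if (i < 0 || i >= sequenceSize) ++bad;
    }
    return bad;
}

/* Alphabetic list marker (1 -> "a", 26 -> "z", 27 -> "aa") on the fixed
   arithmetic, validating the index and both buffer sizes (CWE-129, CWE-131).
   Returns the marker length, or -1 on invalid input or a too-small buffer. */
int to_alphabetic(int number, char *out, size_t outSize) {
    char tmp[16]; /* scratch space for the letters, least significant first */
    size_t len = 0;
    if (number < 1 || out == NULL) return -1;
    for (int numberShadow = number; numberShadow > 0;
         numberShadow = (numberShadow - 1) / sequenceSize) {
        int i = index_after_fix(numberShadow);
        if (i < 0 || i >= sequenceSize || len >= sizeof tmp) return -1;
        tmp[len++] = sequence[i];
    }
    if (len + 1 > outSize) return -1;
    for (size_t k = 0; k < len; ++k) out[k] = tmp[len - 1 - k];
    out[len] = '\0';
    return (int)len;
}

int main(void) {
    char buf[8];
    printf("26: before %d, after %d; bad indices in 1..100: %d vs %d\n",
           index_before_fix(26), index_after_fix(26),
           count_out_of_bounds(index_before_fix, 100),
           count_out_of_bounds(index_after_fix, 100));
    if (to_alphabetic(27, buf, sizeof buf) > 0) printf("27 -> %s\n", buf);
    return 0;
}
```

With the pre-fix arithmetic every multiple of sequenceSize maps to index -1, which is the "array at index -1 in some cases" the change log describes; the explicit range check in to_alphabetic corresponds to the missing validation the template records under #129.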