SECURE SOFTWARE ENGINEERING
Shea Ryan, Ario Nejad, Alan Messinger

SIX FEATURES OF SECURE SOFTWARE
1. Confidentiality
2. Integrity
3. Authentication
4. Authorization
5. Availability
6. Non-Repudiation
Typical “Black Hat”

CONFIDENTIALITY
Information should only be accessible to the intended recipient.
Example: I call my friend’s doctor’s office and ask for his test results. The office tells me the results: it’s Boneitis. I now know confidential information.

INTEGRITY
Information should be accurate.
Example: I go to the bank and ask for my balance. I should get my actual balance, not the balance as of 3 months ago.

AUTHENTICATION
Identity checking (of user or a software component)
Example: I check to see if the Bank of America website I visit is “authentic” with VeriSign.

AUTHORIZATION
Let me just make a copy of this…
Is the requester allowed to make this request?
Example: I have a new job. My employer needs to check that I’m legally allowed to work.

AVAILABILITY
Services and information should be available when they’re needed.
Example: Del Taco (open 24h, because sometimes we “need” tacos at 4AM)

NON-REPUDIATION
There cannot be a way for me to send you a message and later have either of us deny our involvement.
Example: I buy something at Amazon. They ship it and provide a tracking number. I must sign for the package.

SECURITY MODELS AND POLICIES
A security policy is a statement of the security we expect the system to enforce.
Multilevel Security (Security Levels)
• The Bell-LaPadula Model (No read up and No write down)
• The Biba Model (Read Up, Write Down)

SECURITY MODELS CONT.
Multilateral Security
• Brewer and Nash model (The Chinese Wall)
• The BMA Model (British Medical Association)

SECURITY ACCESS CONTROL
Access control is an important aspect of any system. Security access control is the act of ensuring that an authenticated user accesses only what they are authorized to and no more.
• Authentication
• Authorization

AUTHENTICATION
The goals of authentication are to:
• verify that the user, either a person or system, which is attempting to interact with your system is allowed to do so.
• gather information regarding the way that the user is accessing your system.

AUTHENTICATION CONT.
There are several strategies that you can follow to identify a client:
• User id and password. This is the most common, and typically the simplest, approach to identifying someone because it is fully software-based.
• Physical security device. A physical device, such as a bank card, a smart card, or a computer chip (such as the “Speed Pass” key chains used by gas stations) is used to identify a person. Sometimes a password or personal identification number (PIN) is also required to ensure that it is the right person.
• Biometric identification. Biometrics is the science of identifying someone from physical characteristics. This includes technologies such as voice verification, a retinal scan, palm identification, and thumbprints.

AUTHENTICATION CONT.
You should consider some or all of the following factors when choosing an authentication method:
i. Server and client operating systems
ii. The client browser type
iii. The number of users, and the location and type of the user name and password database
iv. Deployment considerations
v. The application type
vi. Sensitivity of the data you are protecting
vii. Performance and scalability factors
viii. Application authorization requirements

AUTHENTICATION CONT.
• Anonymous Authentication: The information you are protecting is considered “public.”
• Basic Authentication: Passwords and user names are encoded using Base64 encoding.
• Digest Authentication: It uses a hashing mechanism, MD5 developed by RSA.
• Certificate Authentication: You require mutual authentication.
• Forms Authentication: custom user interface component

SINGLE SIGN-ON
• SSO is a property of access control where a user logs in once and gains access to all systems without being prompted to log in again at each of them.
• SSO uses centralized authentication servers
• Generating a single sign-on token: SAML, SPNEGO, X.509
• Mapping users to applications: Identity Provider (IdP)
Benefits include:
• Reduces phishing success
• Reducing time spent re-entering passwords for the same identity
• Can support conventional authentication such as Windows credentials
• Security on all levels of entry/exit/access to systems without the inconvenience of re-prompting users

CLAIMS-BASED IDENTITY
• Claims (some piece of information about the user)
• Tokens (contains one or more claims)
• Identity providers

AUTHORIZATION
Authorization is the act of determining the level of access that an authenticated user has to behavior and data.

ACCESS CONTROL
Access control models are sometimes categorized as either discretionary or non-discretionary.
• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Role Based Access Control (RBAC)

MANDATORY ACCESS CONTROL
Definition: A system-wide policy decrees who is allowed to have access.
• Whenever a subject attempts to access an object, an authorization rule enforced by the operating system examines these security attributes and decides whether the access can take place.
• Individual user cannot alter that access.
• Relies on the system to control access.

DISCRETIONARY ACCESS CONTROL
Definition: An individual user can set an access control to allow or deny access to an object.
• Access restrictions are based on the identity of the user, and any process and/or groups to which they belong.
• File and data ownership: Every object in the system has an owner. In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner.
• Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources.

DISCRETIONARY ACCESS CONTROL
Limitations of DAC:
• Global policy: DAC lets users decide the access control policies on their data, regardless of whether those policies are consistent with the global policies. Therefore, if there is a global policy, DAC has trouble ensuring consistency.
• Information flow: Information can be copied from one object to another, so access to a copy is possible even if the owner of the original does not provide access to the original copy. This has been a major concern for the military.
• Malicious software: A malicious program run by the owner can change DAC policies on behalf of the owner.

ROLE-BASED ACCESS CONTROL
• A role is a category or set of users who share the same security privileges.
• RBAC is an access policy determined by the system, not the owner.
• Although RBAC is non-discretionary, it can be distinguished from MAC primarily in the way permissions are handled.

ROLE-BASED ACCESS CONTROL
Using roles rather than specific user identities provides the following benefits:
• You don't have to change your application when changes occur.
• Maintaining permissions for roles is easier than for individual users.
• A user can be a member of more than one role, allowing flexibility in how you assign and test permissions.
• You can also use roles to indicate the types of operations that a user performs for his or her job.

SECURE DEVELOPMENT LIFE CYCLE

THE AGILE DEBATE
• Extreme Security Engineering: On Employing XP Practices to Achieve ‘Good Enough Security’ without Defining It. Beznosov, Konstantin. BizSec, 2003.
• Towards Agile Security Assurance. Beznosov, Konstantin & Kruchten. ACM, 2004, 2005.
• Secure Software Development Life Cycle Processes. Davis, Woody. SEI/CMU, 2005, 2006, 2009.
“Some of these [Agile] practices are in direct conflict with secure SDLC processes.”
“Almost 50% of traditional security assurance activities are not compatible with Agile methods (12 out of 26).”

PROCESS AGNOSTIC APPROACH
“The best practices and methods described are applicable to any and all development approaches as long as they result in the creation of software artifacts.” BSI

THE BUILDING SECURITY IN MATURITY MODEL (BSIMM)
The participants of the study willing to be identified by name are: Adobe, Aon, Bank of America, Capital One, EMC, Google, Intel, Intuit, Microsoft, Nokia, Qualcomm, Sallie Mae, Standard Life, the Society for Worldwide Interbank Financial Telecommunication, Symantec, Telecom Italia, the Depository Trust & Clearing Corporation, Thomson Reuters, VMware, and Wells Fargo.

SECURE DESIGN PATTERNS
CERT at SEI/CMU
• Architectural-level patterns
• Design-level patterns
• Implementation-level patterns

ARCHITECTURAL-LEVEL PATTERNS
• Distrustful Decomposition
• PrivSep (Privilege Separation)
• Defer to Kernel
(PrivSep and Defer to Kernel are specializations of Distrustful Decomposition.)

DISTRUSTFUL DECOMPOSITION
Split separate functions into mutually untrusting programs.
• Reduce the attack surface of the individual programs that make up the system
• Reduce the functionality and data exposed to an attacker if one of the mutually untrusting programs is compromised

DISTRUSTFUL DECOMPOSITION
Motivation
Many attacks target vulnerable applications running with elevated permissions.
• Various attacks in which Internet Explorer running in an account with administrator privileges is compromised
• Security flaws in Norton AntiVirus 2005 that allow attackers to run arbitrary VBS scripts when running with administrator privileges
• A buffer overflow vulnerability in BSD-derived telnet daemons that allows an attacker to run arbitrary code as root

DISTRUSTFUL DECOMPOSITION
Known Uses
Include qmail and Postfix, both responses to Sendmail’s security issues in the ’90s.
The Big qmail Picture, Andre Oppermann

SENDMAIL ARCHITECTURE

CERT/CC UNIX EMAIL ADVISORIES

QMAIL ARCHITECTURE

POSTFIX ARCHITECTURE

DISTRUSTFUL DECOMPOSITION
Consequences
• Distrustful Decomposition prevents an attacker from compromising an entire system.
• Even if a single component program is successfully exploited, the other programs still do not trust the results from the compromised one.

DESIGN-LEVEL PATTERNS
Secure Factory
• Security-specific extension of the Abstract Factory pattern.
• A caller asks the Secure Factory for an object and gives a specific set of security credentials.
• The Secure Factory uses the given security credentials to select and return the appropriate version of the object.
• Caller does not receive any more functionality or data than their credentials warrant.
• Specializations include Secure Strategy Factory & Secure Builder Factory

DESIGN-LEVEL PATTERNS
Secure Chain of Responsibility
• Monolithic system-wide role-based access is broken up into a chain of distinct handlers.
• More checks of credentials.
• One breach does not give access to whole system.
• Specific checks tailored for specific roles/access requests

DESIGN-LEVEL PATTERNS
Secure State Machine
• Separate security mechanisms from user-level functionality.
• Separate state machines for each
Secure Visitor
• Nodes in a data structure lock themselves from being read.
• Visitors must provide credentials in order to unlock the nodes.

IMPLEMENTATION-LEVEL PATTERNS
Secure Logger
• Prevents an attacker from gathering potentially useful information about the system from system logs.
• Prevents an attacker from hiding their actions by editing system logs.

IMPLEMENTATION-LEVEL PATTERNS
Clear Sensitive Information
• Memory or disk space released for reuse or garbage collection may have sensitive data on it and become visible to unauthorized users.
Secure Directory
• Prevents an attacker from manipulating files used by a program during that program’s execution.
Pathname Canonicalization
• Avoid string based paths, symbolic links, aliases and shortcuts.

IMPLEMENTATION-LEVEL PATTERNS
Input Validation
• The use of unvalidated user input by an application is the root cause of buffer overflow attacks, SQL injection attacks, and cross-site scripting attacks.
• Many web frameworks and language libraries provide support for performing input validation and sanitization: Ruby on Rails, Java Struts, Pylons, Django
Resource Acquisition Is Initialization (RAII)
• Ensures that system resources are properly allocated and deallocated under all possible program execution paths.

CLOUD – THE NEXT SECURITY CHALLENGE
Challenges and Barriers to Adoption: Security
• Many organizations are uncomfortable with the idea of storing their data and applications on systems they do not control.
• Migrating workloads to a shared infrastructure increases the potential for unauthorized access and exposure.
• Consistency around authentication, identity management, compliance, and access technologies will become increasingly important.
• To reassure their customers, cloud providers must offer a high degree of transparency into their operations.

CLOUD – THE NEXT SECURITY CHALLENGE
State of Cloud Survey 2011
• The survey included 5,300 organizations—from small businesses to large enterprises—across 38 countries.
• Organizations are conflicted about security – rating it both as a top goal and as a top concern with moving to the cloud.
• The survey found that while many organizations are evaluating the move to the cloud, less than 20 percent have actually crossed the finish line with their cloud implementations.
• About half of the organizations surveyed said their IT staff is not ready for the move to cloud.
CHOOSE WISELY/KNOW YOUR ENEMY
Programming languages can be (partially) responsible for problems
• Buffer Overflow (C/C++)
• Format String (C/C++, Perl, PHP, Java, Python, Ruby)
  %n: causes the “number of characters written so far to be stored in the integer whose address is given as the argument”
Thanks, Indiana Jones ride!

SO WHAT SHOULD WE DO?
• Test
• Follow Best Practices
• TEST!!!

Name Two of Six Features of Secure Software
Hint: CIAAAN

BACK TO WORK: BEST PRACTICES
Risk analysis (EARLY)
• What are the threats we may face? (Internal/External)
• What is the likelihood of each threat?
• What is the potential impact of each threat?
• How can we mitigate the risk?

PROGRAMMING STANDARDS
• Programmers should follow coding standards established by their companies
• Programmers must be trained so that they follow these standards and understand their value
• Example: We shall use prepared statements for MySQL queries

TESTING: REWARDING FOR HUMANS AND AI!

TESTING TYPES AND TOOLS
Static Analysis
• Target program is not actively running.
• Analyzer checks source code or object code.
What can it do?
• Find possible coding errors
• Mathematically prove a program’s behavior matches its specification (using model checking, data-flow analysis, abstract interpretation)
Analysis of this is probably a poor investment of time

DYNAMIC ANALYSIS
• Test the running program
• What should I test for? Might be time to refer back to those requirements…
• We at least want to test if our program produces the outputs our requirements state (only the patient and her doctor shall be able to retrieve test results…)

MODEL CHECKING
• “Model checkers are decision procedures for temporal propositional logic”
• Some properties can be described using “temporal safety properties”
• These say what order of operations is OK for a security procedure
• Program and its security properties are modeled as finite state automata, then you can ask: can I reach unsafe states?
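The reachability question on the model checking slide, worked through as an added example that is not part of the original slides. The property ("after acquire_root, drop_priv must come before exec"), the two program models and all names are constructed for illustration.

```python
from collections import deque

# Property automaton (constructed for this example): a temporal safety
# property saying "after acquire_root, drop_priv must come before exec".
PROPERTY = {
    ("unpriv", "acquire_root"): "priv",
    ("priv", "drop_priv"): "unpriv",
    ("priv", "exec"): "UNSAFE",
}

# Program models (constructed): location -> [(operation, next location)].
BUGGY = {
    "start": [("acquire_root", "bound")],
    "bound": [("bind_port", "branch")],
    "branch": [("drop_priv", "ready"), ("log_error", "fallback")],
    "ready": [("exec", "done"), ("reload", "start")],  # loop back to start
    "fallback": [("exec", "done")],                    # error path skips drop_priv
}
FIXED = dict(BUGGY, fallback=[("drop_priv", "ready")])

def step_property(state, op):
    """Advance the property automaton; unlisted operations leave it unchanged."""
    return PROPERTY.get((state, op), state)

def find_violation(program, entry, prop_start="unpriv"):
    """Search the product automaton (program location x property state).

    Returns the shortest operation trace that reaches UNSAFE, or None when
    no unsafe state is reachable. The visited map makes loops terminate.
    """
    start = (entry, prop_start)
    parent = {start: None}          # product state -> (previous state, op)
    queue = deque([start])
    while queue:
        loc, pstate = queue.popleft()
        for op, nxt in program.get(loc, []):
            new = (nxt, step_property(pstate, op))
            if new in parent:
                continue
            parent[new] = ((loc, pstate), op)
            if new[1] == "UNSAFE":
                trace, cur = [], new
                while parent[cur] is not None:
                    cur, taken = parent[cur]
                    trace.append(taken)
                return trace[::-1]
            queue.append(new)
    return None

if __name__ == "__main__":
    print("buggy:", find_violation(BUGGY, "start"))
    print("fixed:", find_violation(FIXED, "start"))
```

The returned trace is the counterexample a model checker would report: the sequence of operations that drives the program into the unsafe state.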
PENETRATION TESTING
Maybe we don’t know all the flaws we should test for…
Let’s hire someone to break in!
T-Rex tests the system
T-Rex has found a weakness and exploits it

WHAT DO PEN TESTERS DO?
• Simulate attack by malicious users, both external and internal (perhaps a disgruntled Intuit employee)
• Determine how feasible attacks are
• Identify sequences of vulnerabilities that may be catastrophic
• Find vulnerabilities that security testing frameworks (like Metasploit) may miss
• Assess potential business impact
• Check if you can even detect/defend against attacks
• Recommend mitigation strategies
• Bonus: eat lawyers

FUZZ TESTING
• Type of Black Box testing
• Give the program bad inputs and see how it reacts
• Check for issues like:
  • Crashing
  • Failing asserts
  • Memory leaks
  • Crossing trust boundaries
• Good cost-benefit ratio
• Example: A web application lets me upload files to it. I upload a nice little exploit. Does the application fall for it?

BECAUSE WE LOVE AGILE
“How do we test with Agile methods? It’s impossible! Back to waterfall!” –Microsoft Employee who I made up

assert unit_testing
This owl hates agile

UNIT TESTING
Each step of the way, we can write unit tests (even before we code!)
• Design tests to fail initially
• Code the “unit” until it passes the test
Benefits
• We can test early!
• We can test integration!
• We can test malicious inputs!

BONUS DEMO?
Target: www.makeupalley.com
http://makeupalley.com/product/sreview.asp/itemid=52681/rid=2292164/
Failure 1: integrity?
Goal: cause search bar to malfunction
Method: XSS
<img src="http://www.messengermods.com/data/thumbnails/18/freaky_cat.jpg" onload="var a='how is babby formed';document.getElementById('q').onkeydown=function(e){e.which==8||(e.preventDefault()||(this.value+=a[this.value.length]))}">

MORE DEMO
Target: www.makeupalley.com
http://www.makeupalley.com/user/notepad/evilowl
Failure 2: authorization
Goal: log users out
Method: Exploit poorly validated input
<img src=http://www.makeupalley.com/account/logout.asp>

REFERENCES
http://csrc.nist.gov/nissc/1999/proceeding/papers/t02.pdf
http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf
http://en.wikipedia.org/wiki/Unit_testing
http://en.wikipedia.org/wiki/Fuzz_testing
http://en.wikipedia.org/wiki/Penetration_test
http://fie-conference.org/fie2004/papers/1221.pdf
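The two demo failures above, seen from the defending side, as an added example that is not part of the original slides: user-supplied review text is HTML-encoded before rendering, and logout is accepted only as a POST carrying a per-session token, so an image tag cannot trigger it. The names render_review, Session and handle_logout and the sample input are hypothetical.

```python
import hmac
import html
import secrets

def render_review(user_text):
    """Encode user-supplied review text so the browser shows markup as text."""
    return '<p class="review">' + html.escape(user_text, quote=True) + "</p>"

class Session:
    """Minimal stand-in for a server-side session (hypothetical)."""
    def __init__(self, user):
        self.user = user
        self.active = True
        self.csrf_token = secrets.token_urlsafe(32)  # embedded in the logout form

def handle_logout(method, session, form):
    """Return an HTTP status for a logout request; only a tokened POST logs out."""
    if method != "POST":
        return 405      # an image tag can only issue a GET, which is refused
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return 403      # cross-site form post that lacks the session's token
    session.active = False
    return 200

# Constructed sample input, shaped like the review text in the first demo.
SAMPLE_REVIEW = '<img src="cat.jpg" onload="document.title=1">'

if __name__ == "__main__":
    print(render_review(SAMPLE_REVIEW))
    s = Session("alice")
    print(handle_logout("GET", s, {}), s.active)
    print(handle_logout("POST", s, {"csrf_token": "guess"}), s.active)
    print(handle_logout("POST", s, {"csrf_token": s.csrf_token}), s.active)
```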