06 SoftwareSecurity
Software Security Issues
• Many vulnerabilities result from poor programming practices
• Consequence from insufficient checking and validation of data and error codes
o Awareness of these issues is a critical initial step in writing more secure program code
• Software error categories:
o Insecure interaction between components
o Risky resource management
o Porous defenses
Table 11.1 CWE/SANS TOP 25 Most Dangerous Software Errors (2011)
Software Security, Quality and Reliability
• Software quality and reliability:
o Concerned with the accidental failure of program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code
o Improve using structured design and testing to identify and eliminate as many bugs as possible from a program
o Concern is not how many bugs, but how often they are triggered
• Software security:
o Attacker chooses probability distribution, specifically targeting bugs that result in a failure that can be exploited by the attacker
o Triggered by inputs that differ dramatically from what is usually expected
o Unlikely to be identified by common testing approaches
Defensive Programming
• Designing and implementing software so that it continues to function even when under attack
• Requires attention to all aspects of program execution, environment, and type of data it processes
• Software is able to detect erroneous conditions resulting from some attack
• Also referred to as secure programming
• Key rule is to never assume anything, check all assumptions and handle any possible error states
Defensive Programming
• Programmers often make assumptions about the type of inputs a program will receive and the environment it executes in
o Assumptions need to be validated by the program and all potential failures handled gracefully and safely
• Conflicts with business pressures to keep development times as short as possible to maximize market advantage
• Must identify all assumptions
• Explicitly validate data sources, size and type of values before use
Input Size & Buffer Overflow
• Programmers often make assumptions about the maximum expected size of input
o Allocated buffer size is not confirmed
o Resulting in buffer overflow
• Testing may not identify vulnerability
o Test inputs are unlikely to include large enough inputs to trigger the overflow
• Safe coding treats all input as dangerous
Interpretation of Program Input
• Program input may be binary or text
o Binary interpretation depends on encoding and is usually application specific
• There is an increasing variety of character sets being used
o Care is needed to identify just which set is being used and what characters are being read
• Failure to validate may result in an exploitable vulnerability
• 2014 Heartbleed OpenSSL bug is a recent example of a failure to check the validity of a binary input value
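As an added example (not from the slides), the kind of length-field check the Heartbleed bullet and the buffer-size bullets describe, in C: a constructed record carries its own payload length, and the checked version refuses to copy more than was actually received or more than the reply buffer holds. The record layout and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record format for this example: a 2-byte big-endian payload
 * length followed by the payload bytes, loosely modelled on the heartbeat
 * message the slide refers to. Function names are this example's own. */

/* Unchecked version: trusts the length field inside the input and copies
 * that many bytes, regardless of how many actually arrived. Kept only for
 * contrast; nothing below calls it. */
size_t echo_unchecked(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_len)
{
    (void)rec_len; (void)out_len;            /* the bug: real sizes ignored */
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    memcpy(out, rec + 2, claimed);           /* over-reads when claimed > rec_len - 2 */
    return claimed;
}

/* Checked version: the length field is validated against both the number
 * of bytes really received and the capacity of the reply buffer before any
 * copy. Returns 0 and copies nothing on any inconsistency. */
size_t echo_checked(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_len)
{
    if (rec == NULL || out == NULL || rec_len < 2)
        return 0;                            /* header itself is incomplete */
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > rec_len - 2)
        return 0;                            /* claims more than was received */
    if (claimed > out_len)
        return 0;                            /* would overflow the reply buffer */
    memcpy(out, rec + 2, claimed);
    return claimed;
}
```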
Injection Attacks
• Flaws relating to invalid handling of input data, specifically when program input data can accidentally or deliberately influence the flow of execution of the program
• Attacks where input provided by one user is subsequently output to another user
• Commonly seen in scripted Web applications
o Vulnerability involves the inclusion of script code in the HTML content
o Script code may need to access data associated with other pages
o Browsers impose security checks and restrict data access to pages originating from the same site
• Exploit assumption that all content from one site is equally trusted and hence is permitted to interact with other content from the site
• XSS reflection
o Attacker includes the malicious script content in data supplied to a site
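An added example, not part of the slides: output encoding for the reflected case, in C. Text supplied by one user is HTML-escaped before it is written back into a page for another user, so the browser renders it as text rather than treating it as markup or script. All function names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Encode user-supplied text so it can be reflected into HTML as data.
 * Returns the number of bytes written (excluding the NUL), or (size_t)-1
 * if the destination is too small. */
size_t html_escape(const char *in, char *out, size_t out_len)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len + 1 > out_len)          /* keep room for the terminator */
            return (size_t)-1;
        if (rep)
            memcpy(out + n, rep, len);
        else
            out[n] = *in;
        n += len;
    }
    out[n] = '\0';
    return n;
}

/* Builds the reflected page fragment. The vulnerable form would be
 * sprintf(page, "<p>Hello %s</p>", name) with name taken straight from the
 * request; here the name always passes through html_escape first.
 * Returns 0 on success, -1 if a buffer is too small. */
int render_greeting(const char *name, char *page, size_t page_len)
{
    char safe[256];
    if (html_escape(name, safe, sizeof safe) == (size_t)-1)
        return -1;
    size_t need = strlen("<p>Hello </p>") + strlen(safe) + 1;
    if (need > page_len)
        return -1;
    strcpy(page, "<p>Hello ");
    strcat(page, safe);
    strcat(page, "</p>");
    return 0;
}
```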
Validating Input Syntax
• It is necessary to ensure that data conform with any assumptions made about the data before subsequent use
• Input data should be compared against what is wanted
• Alternative is to compare the input data with known dangerous values
• By only accepting known safe data the program is more likely to remain secure
Alternate Encodings
• Growing requirement to support users around the globe and to interact with them using their own languages
• May have multiple means of encoding text
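An added example that is not part of the slides, serving both the known-safe versus known-dangerous comparison above and the alternate-encodings point: a denylist check is evaded by a URL-encoded form of the same input until the input is canonicalised, whereas an allowlist of acceptable characters rejects every encoding variant outright. The username rule and all function names are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Denylist: reject input containing a known-dangerous token. Shown for
 * contrast; an alternate encoding of the same token (URL %xx, HTML entity)
 * passes this check unless the input is canonicalised first. */
bool denylist_ok(const char *s)
{
    return strstr(s, "<script") == NULL && strchr(s, '\'') == NULL;
}

/* Canonicalise one encoding layer (URL %xx) so that checks see the decoded
 * form. Returns false for a malformed escape or insufficient space. */
bool percent_decode(const char *in, char *out, size_t out_len)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        if (n + 1 >= out_len)
            return false;
        if (*in == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return false;
            char hex[3] = { in[1], in[2], '\0' };
            out[n++] = (char)strtol(hex, NULL, 16);
            in += 2;
        } else {
            out[n++] = *in;
        }
    }
    out[n] = '\0';
    return true;
}

/* Allowlist: a username (constructed rule) is 1..32 bytes from [A-Za-z0-9_.-].
 * Every other byte, including '%', '&', '<' and any byte >= 0x80 from an
 * alternate encoding, is rejected because only acceptable data is listed. */
bool allowlist_username_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return false;
    }
    return true;
}
```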
Security issues:
• Correct algorithm implementation
• Correct machine instructions for
algorithm
• Valid manipulation of data
Correct Algorithm Implementation
• Issue of good program development technique
o Algorithm may not correctly handle all problem variants
o Consequence of deficiency is a bug in the resulting program that could be exploited
• Initial sequence numbers used by many TCP/IP implementations are too predictable
o Combination of the sequence number as an identifier and authenticator of packets and the failure to make them sufficiently unpredictable enables the attack to occur
• Another variant is when the programmers deliberately include additional code in a program to help test and debug it
o Often code remains in production release of a program and could inappropriately release information
o May permit a user to bypass security checks and perform actions they would not otherwise be allowed to perform
o This vulnerability was exploited by the Morris Internet Worm
Ensuring Machine Language Corresponds to Algorithm
• Issue is ignored by most programmers
o Assumption is that the compiler or interpreter generates or executes code that validly implements the language statements
• Requires comparing machine code with original source
o Slow and difficult
• Memory leak
o Steady reduction in memory available on the heap to the point where it is completely exhausted
• Many older languages have no explicit support for dynamic memory allocation
o Use standard library routines to allocate and release memory
Least privilege
• Run programs with least privilege needed to complete their function
• Programs use system calls and standard library functions for common operations
• Programmers make assumptions about their operation
o If incorrect behavior is not what is expected
o May be a result of system optimizing access to shared resources
o Results in requests for services being buffered, resequenced, or otherwise modified to optimize system use
o Optimizations can conflict with program goals
Preventing Race Conditions
• Programs may need to access a common system resource
• Need suitable synchronization mechanisms
o Most common technique is to acquire a lock on the shared file
• Lockfile
o Process must create and own the lockfile in order to gain access to the shared resource
o Concerns
• If a program chooses to ignore the existence of the lockfile and access the shared resource the system will not prevent this
• All programs using this form of synchronization must cooperate
• Implementation
Safe Temporary Files
• Many programs use temporary files
• Often in common, shared system area
• Must be unique, not accessed by others
• Commonly create name using process ID
o Unique, but predictable
o Attacker might guess and attempt to create own file between program checking and creating
• Secure temporary file creation and use requires the use of random names
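An added example, not from the slides, that serves both the lockfile slide and the temporary-file slide: the check-then-create pattern beside the atomic O_CREAT|O_EXCL create that closes the window between checking and creating, and mkstemp() for a temporary file whose name is random rather than PID-based. Function names are this example's own; it assumes a POSIX system.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The check-then-create pattern the slides warn about. Between access()
 * and fopen() another process can create the same, predictable name.
 * Shown for contrast only; nothing below calls it. */
FILE *create_checked_then_open(const char *path)
{
    if (access(path, F_OK) == 0)        /* check ... */
        return NULL;
    return fopen(path, "w");            /* ... then create: the race window */
}

/* Lockfile acquired in one atomic step: O_CREAT|O_EXCL makes the kernel
 * fail the call if the file already exists, so there is no gap to race.
 * Returns the fd, or -1 with errno set (EEXIST if another holder exists). */
int acquire_lockfile(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    char pid[32];
    int n = snprintf(pid, sizeof pid, "%ld\n", (long)getpid());
    if (write(fd, pid, (size_t)n) != n) { /* record the owner for diagnostics */
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return fd;
}

void release_lockfile(int fd, const char *path)
{
    close(fd);
    unlink(path);
}

/* Temporary file with an unpredictable name: mkstemp() replaces the XXXXXX
 * suffix from a random source and creates the file exclusively, mode 0600,
 * in the same call. The template is rewritten in place to the real name. */
int make_temp_file(char *template_in_out)
{
    return mkstemp(template_in_out);    /* -1 with errno set on failure */
}
```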
Other Program Interaction
• Programs may use functionality and services of other programs
• Security vulnerabilities can result unless care is taken with this interaction
• Such issues are of particular concern when the program being used did not adequately identify all the security concerns that might arise
• Occurs with the current trend of providing Web interfaces to programs
• Burden falls on the newer programs to identify and manage any security issues that may arise
• Issue of data confidentiality/integrity