Software Security

Software Security Issues
• Many vulnerabilities result from poor programming practices
• Consequence of insufficient checking and validation of data and error codes
o Awareness of these issues is a critical initial step in writing more secure program code
• Software error categories:
o Insecure interaction between components
o Risky resource management
o Porous defenses
Table 11.1 CWE/SANS TOP 25 Most Dangerous Software Errors (2011)
Software Security, Quality and Reliability
• Software quality and reliability:
o Concerned with the accidental failure of a program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code
o Improve using structured design and testing to identify and eliminate as many bugs as possible from a program
o Concern is not how many bugs, but how often they are triggered
• Software security:
o Attacker chooses the probability distribution, specifically targeting bugs that result in a failure that can be exploited by the attacker
o Triggered by inputs that differ dramatically from what is usually expected
o Unlikely to be identified by common testing approaches
Defensive Programming
• Designing and implementing software so that it continues to function even when under attack
• Requires attention to all aspects of program execution, environment, and type of data it processes
• Software is able to detect erroneous conditions resulting from some attack
• Also referred to as secure programming
• Key rule is to never assume anything; check all assumptions and handle any possible error states
Defensive Programming
• Programmers often make assumptions about the type of inputs a program will receive and the environment it executes in
o Assumptions need to be validated by the program and all potential failures handled gracefully and safely
• Requires a changed mindset compared to traditional programming practices
o Programmers have to understand how failures can occur and the steps needed to reduce the chance of them occurring in their programs
• Conflicts with business pressures to keep development times as short as possible to maximize market advantage
Security by Design
• Security and reliability are common design goals in most engineering disciplines
• Software development is not as mature
• Recent years have seen increasing efforts to improve secure software development processes
• Software Assurance Forum for Excellence in Code (SAFECode)
o Develops publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development
Handling Program Input
• Input is any source of data from outside whose value is not explicitly known by the programmer when the code was written
• Incorrect handling is a very common failing
• Must identify all data sources
• Explicitly validate assumptions on size and type of values before use
Input Size & Buffer Overflow
• Programmers often make assumptions about the maximum expected size of input
o Allocated buffer size is not confirmed
o Resulting in buffer overflow
• Testing may not identify the vulnerability
o Test inputs are unlikely to include large enough inputs to trigger the overflow
• Safe coding treats all input as dangerous
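The following is an added example (not from the slides) of the unchecked-size assumption beside its checked form. The `struct record` layout, the `USERNAME_MAX` limit and the function names are constructed for the illustration; the point is that the checked versions measure the input against the buffer before any byte is copied, for both C strings and (pointer, length) input.

```c
#include <stddef.h>
#include <string.h>

#define USERNAME_MAX 16   /* fixed-size field, NUL terminator included (constructed limit) */

/* Constructed record layout: a flag sits directly after the buffer, which is
 * exactly what an unchecked copy overwrites first. */
struct record {
    char username[USERNAME_MAX];
    int  is_admin;
};

/* "Before": the programmer assumes every name fits.  strcpy() copies until it
 * finds the source NUL, so a longer name runs past username[] into is_admin.
 * Shown only to make the assumption visible; never call it with untrusted input. */
void set_username_unchecked(struct record *r, const char *name)
{
    strcpy(r->username, name);
}

/* "After": measure the input against the buffer before copying and refuse
 * anything that does not fit.  Refusing is preferred to silent truncation,
 * which could turn one name into a different valid one.  Returns 0 on success,
 * -1 if the name is too long. */
int set_username_checked(struct record *r, const char *name)
{
    /* memchr() examines at most USERNAME_MAX bytes, so the scan itself is bounded. */
    const char *nul = memchr(name, '\0', USERNAME_MAX);
    if (nul == NULL)
        return -1;                       /* no terminator within the buffer size: too long */
    size_t n = (size_t)(nul - name);     /* n <= USERNAME_MAX - 1, so n + 1 bytes fit */
    memcpy(r->username, name, n + 1);    /* copy exactly the bytes measured, NUL included */
    return 0;
}

/* Same check for input that arrives as (pointer, length) rather than a
 * C string, e.g. a field read from a network message: the length is
 * attacker-controlled and must be compared before it drives the copy. */
int set_username_from_bytes(struct record *r, const char *data, size_t len)
{
    if (len >= USERNAME_MAX)             /* leave room for the terminator */
        return -1;
    if (memchr(data, '\0', len) != NULL) /* an embedded NUL would silently shorten the stored name */
        return -1;
    memcpy(r->username, data, len);
    r->username[len] = '\0';
    return 0;
}
```

A test suite that only uses short names never exercises the `-1` paths above, which is the slide's point about testing: the boundary cases (exactly 15 and exactly 16 characters) have to be written deliberately.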
Interpretation of Program Input
• Program input may be binary or text
o Binary interpretation depends on encoding and is usually application specific
• There is an increasing variety of character sets being used
o Care is needed to identify just which set is being used and what characters are being read
• Failure to validate may result in an exploitable vulnerability
• The 2014 Heartbleed OpenSSL bug is a recent example of a failure to check the validity of a binary input value
Injection Attacks
• Flaws relating to invalid handling of input data, specifically when program input data can accidentally or deliberately influence the flow of execution of the program
• Most often occur in scripting languages
o Encourage reuse of other programs and system utilities where possible to save coding effort
o Often used as Web CGI scripts
Cross Site Scripting (XSS) Attacks
• Commonly seen in scripted Web applications
o Vulnerability involves the inclusion of script code in the HTML content
o Script code may need to access data associated with other pages
o Browsers impose security checks and restrict data access to pages originating from the same site
• Exploit the assumption that all content from one site is equally trusted and hence is permitted to interact with other content from the site
• XSS reflection vulnerability
o Attacks where input provided by one user is subsequently output to another user
o Attacker includes the malicious script content in data supplied to a site
Validating Input Syntax
• It is necessary to ensure that data conform with any assumptions made about the data before subsequent use
• Input data should be compared against what is wanted
• Alternative is to compare the input data with known dangerous values
• By only accepting known safe data the program is more likely to remain secure
Alternate Encodings
• Growing requirement to support users around the globe and to interact with them using their own languages
• May have multiple means of encoding text
• Unicode used for internationalization
o Uses 16-bit value for characters
o UTF-8 encodes as 1-4 byte sequences
o Many Unicode decoders accept any valid equivalent sequence
• Canonicalization
o Transforming input data into a single, standard, minimal representation
o Once this is done the input data can be compared with a single representation of acceptable input values
Validating Numeric Input
• Additional concern when input data represents numeric values
• Internally stored in a fixed sized value
o 8, 16, 32, 64-bit integers
o Floating point numbers depend on the processor used
o Values may be signed or unsigned
• Must correctly interpret the text form and process consistently
o Have issues comparing signed to unsigned
o Could be used to thwart a buffer overflow check
Input Fuzzing
• Developed by Professor Barton Miller at the University of Wisconsin Madison in 1989
• Software testing technique that uses randomly generated data as inputs to a program
o Range of inputs is very large
o Intent is to determine if the program or function correctly handles abnormal inputs
o Simple, free of assumptions, cheap
o Assists with reliability as well as security
• Can also use templates to generate classes of known problem inputs
o Disadvantage is that bugs triggered by other forms of input would be missed
o Combination of approaches is needed for reasonably comprehensive coverage of the inputs
Writing Safe Program Code
• Second component is processing of data by some algorithm to solve the required problem
• High-level languages are typically compiled and linked into machine code which is then directly executed by the target processor
• Security issues:
o Correct algorithm implementation
o Correct machine instructions for algorithm
o Valid manipulation of data
Correct Algorithm Implementation
• Issue of good program development technique
o Algorithm may not correctly handle all problem variants
o Consequence of deficiency is a bug in the resulting program that could be exploited
• Example: initial sequence numbers used by many TCP/IP implementations are too predictable
o Combination of the sequence number as an identifier and authenticator of packets and the failure to make them sufficiently unpredictable enables the attack to occur
o This vulnerability was exploited by the Morris Internet Worm
• Another variant is when the programmers deliberately include additional code in a program to help test and debug it
o Often code remains in the production release of a program and could inappropriately release information
o May permit a user to bypass security checks and perform actions they would not otherwise be allowed to perform
Ensuring Machine Language Corresponds to Algorithm
• Issue is ignored by most programmers
o Assumption is that the compiler or interpreter generates or executes code that validly implements the language statements
• Requires comparing machine code with original source
o Slow and difficult
• Development of computer systems with a very high assurance level is the one area where this level of checking is required
o Specifically Common Criteria assurance level of EAL 7
Correct Data Interpretation
• Data stored as bits/bytes in computer
o Grouped as words or longwords
o Accessed and manipulated in memory or copied into processor registers before being used
o Interpretation depends on machine instruction executed
• Different languages provide different capabilities for restricting and validating interpretation of data in variables
o Strongly typed languages are more limited, safer
o Other languages allow more liberal interpretation of data and permit program code to explicitly change their interpretation
Correct Use of Memory
• Issue of dynamic memory allocation
o Used to manipulate unknown amounts of data
o Allocated when needed, released when done
• Memory leak
o Steady reduction in memory available on the heap to the point where it is completely exhausted
• Many older languages have no explicit support for dynamic memory allocation
o Use standard library routines to allocate and release memory
• Modern languages handle it automatically
Race Conditions
• Without synchronization of accesses it is possible that values may be corrupted or changes lost due to overlapping access, use, and replacement of shared values
• Arise when writing concurrent code, whose solution requires the correct selection and use of appropriate synchronization primitives
• Deadlock
o Processes or threads wait on a resource held by the other
o One or more programs has to be terminated
Operating System Interaction
• Programs execute on systems under the control of an operating system
o Mediates and shares access to resources
o Constructs execution environment
o Includes environment variables and arguments
• Systems have a concept of multiple users
o Resources are owned by a user and have permissions granting access with various rights to different categories of users
o Programs need access to various resources, however excessive levels of access are dangerous
o Concerns when multiple programs access shared resources such as a common file
Environment Variables
• Collection of string values inherited by each process from its parent
o Can affect the way a running process behaves
o Included in memory when it is constructed
• Can be modified by the program process at any time
o Modifications will be passed to its children
• Another source of untrusted program input
• Most common use is by a local user attempting to gain increased privileges
o Goal is to subvert a program that grants superuser or administrator privileges
Vulnerable Compiled Programs
• Programs can be vulnerable to PATH variable manipulation
o Must reset to “safe” values
• If dynamically linked, may be vulnerable to manipulation of LD_LIBRARY_PATH
o Used to locate suitable dynamic library
o Must either statically link privileged programs or prevent use of this variable
Use of Least Privilege
• Privilege escalation
o Exploit of flaws may give attacker greater privileges
• Least privilege
o Run programs with least privilege needed to complete their function
• Determine appropriate user and group privileges required
o Decide whether to grant extra user or just group privileges
• Ensure that privileged program can modify only those files and directories necessary
Root/Administrator Privileges
• Programs with root/administrator privileges are a major target of attackers
o They provide highest levels of system access and control
o Are needed to manage access to protected system resources
• Often privilege is only needed at start
o Can then run as normal user
• Good design partitions complex programs in smaller modules with needed privileges
o Provides a greater degree of isolation between the components
o Reduces the consequences of a security breach in one component
o Easier to test and verify
System Calls and Standard Library Functions
• Programs use system calls and standard library functions for common operations
• Programmers make assumptions about their operation
o If incorrect, behavior is not what is expected
o May be a result of the system optimizing access to shared resources
o Results in requests for services being buffered, resequenced, or otherwise modified to optimize system use
o Optimizations can conflict with program goals
Preventing Race Conditions
• Programs may need to access a common system resource
• Need suitable synchronization mechanisms
o Most common technique is to acquire a lock on the shared file
• Lockfile
o Process must create and own the lockfile in order to gain access to the shared resource
o Concerns
• If a program chooses to ignore the existence of the lockfile and access the shared resource the system will not prevent this
• All programs using this form of synchronization must cooperate
• Implementation
Safe Temporary Files
• Many programs use temporary files
• Often in a common, shared system area
• Must be unique, not accessed by others
• Commonly create name using process ID
o Unique, but predictable
o Attacker might guess and attempt to create own file between program checking and creating
• Secure temporary file creation and use requires the use of random names
Other Program Interaction
• Programs may use functionality and services of other programs
o Security vulnerabilities can result unless care is taken with this interaction
o Such issues are of particular concern when the program being used did not adequately identify all the security concerns that might arise
o Occurs with the current trend of providing Web interfaces to programs
o Burden falls on the newer programs to identify and manage any security issues that may arise
• Issue of data confidentiality/integrity
• Detection and handling of exceptions and errors generated by interaction is also important from a security perspective
Handling Program Output
• Final component is program output
o May be stored for future use, sent over the network, displayed
o May be binary or text
• Important from a program security perspective that the output conform to the expected form and interpretation
• Programs must identify what is permissible output content and filter any possibly untrusted data to ensure that only valid output is displayed
• Character set should be specified
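Added example (not from the slides) serving both the XSS section and the output-handling section: untrusted data is filtered at the point where it becomes HTML output, so that it is rendered as text rather than interpreted as markup or script. `html_escape` and `render_comment` are constructed names, and the comment template is a constructed fragment; the five characters escaped are the ones that can open or close HTML markup or attribute values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape untrusted text for inclusion in an HTML text node or a quoted
 * attribute value.  Each character that can start or end markup becomes an
 * entity, so the browser renders it as data.  Writes a NUL-terminated result
 * into out (size out_len) and returns the length produced, or -1 if out is
 * too small, in which case out is left empty rather than partially filled. */
int html_escape(const char *in, char *out, size_t out_len)
{
    size_t need = 0;
    for (const char *p = in; *p != '\0'; p++) {
        switch (*p) {
        case '&':  need += 5; break;   /* &amp;  */
        case '<':  need += 4; break;   /* &lt;   */
        case '>':  need += 4; break;   /* &gt;   */
        case '"':  need += 6; break;   /* &quot; */
        case '\'': need += 5; break;   /* &#39;  */
        default:   need += 1; break;
        }
    }
    if (need + 1 > out_len) {          /* measure first, so nothing is written on failure */
        if (out_len > 0) out[0] = '\0';
        return -1;
    }
    char *o = out;
    for (const char *p = in; *p != '\0'; p++) {
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   *o++ = *p; continue;
        }
        size_t l = strlen(rep);
        memcpy(o, rep, l);
        o += l;
    }
    *o = '\0';
    return (int)need;
}

/* Render a "comment by user" fragment.  The template is fixed program text;
 * only the user-supplied author and text pass through html_escape(), which is
 * what stops input from one user being delivered to another as script.
 * Returns 0 on success, -1 if any buffer is too small. */
int render_comment(const char *author, const char *text, char *out, size_t out_len)
{
    char a[256], t[1024];
    if (html_escape(author, a, sizeof a) < 0 || html_escape(text, t, sizeof t) < 0)
        return -1;
    int n = snprintf(out, out_len, "<p class=\"comment\"><b>%s</b>: %s</p>", a, t);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}
```

The escaping is specific to the output context: the same data placed in a URL, a JavaScript string or a SQL statement needs that context's encoding instead. The last slide point, declaring the character set, belongs to the same step: the page is served with a `Content-Type` header naming the encoding the escaped bytes were produced in, so the browser does not have to guess.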
Summary
• Software security issues
o Introducing software security and defensive programming
• Handling program input
o Input size and buffer overflow
o Interpretation of program input
o Validating input syntax
o Input fuzzing
• Writing safe program code
o Correct algorithm implementation
o Ensuring that machine language corresponds to algorithm
o Correct interpretation of data values
o Correct use of memory
o Preventing race conditions with shared memory
• Interacting with the operating system and other programs
o Environment variables
o Using appropriate, least privileges
o System calls and standard library functions
o Preventing race conditions with shared system resources
o Safe temporary file use
o Interacting with other
• Handling program output