Software Security

Jun 13, 2012 (5 years and 4 months ago)

Software Security: What is it? History and Significance


CPRE 556: Lecture 6, January 26, 2006

Electrical and Computer Engineering Dept.

Iowa State University



Lecture Notes


Copyright © 2006
S. C. Kothari, All rights reserved

Current Views on Security


Vulnerability = malicious functionality that extends primary, intended design.

Vulnerabilities may remain invisible until they are exploited.

Software security = risk management

Management = administrative policies + patch security holes + testing + auditing


Why is security a challenge?

Complexity of systems and software.

Security is a cross-cutting concern pervading the entire system and its software.

Lack of proactive techniques.

One may say that it is better to design for security from scratch; this is not possible in practice because:

Significant investment in existing systems and software; practical realities rule out new replacements starting from scratch.

Security standards and knowledge about security are still in an evolutionary stage for building new systems.

Software experts are not security experts.



Managing Security Risk


Management = administrative policies + patch security holes + testing (current view) + auditing.

Administrative policies (which often amount to restrictions on access) address only a subset of problems and leave other doors open for different types of attacks. For example, a password-protected computer can be hijacked by causing a buffer overflow.

Patching is a reactive approach. Expensive damage can occur before patching.

Testing is a proactive approach; it has inherent limitations (we will elaborate and talk more about it later).

Auditing (often manual) is a proactive approach; new improvements are needed for automating and improving the quality of audits.


Security: Software Problem


Most people tend to think of security as a network problem…

The truth: Security is often a software problem…


Security: When is it a software problem?

We can distinguish security problems by the mechanisms requiring changes to eliminate the vulnerability.

Network Problem: requires changing networking mechanisms such as network protocols.

OS Problem: requires changing OS mechanisms such as OS resource management policies.

Software Problem: requires changing software implementation or design.


Some Observations


Note that in some cases:

It may be a hybrid problem requiring more than one type of change.

A change in a mechanism such as protocols may be implemented in software or hardware.

It may be possible to eliminate a problem by making a fundamental change in the processor hardware such as the stack mechanism for implementing subroutine calls.



SANS Top 10 Security Vulnerabilities

Windows: #1 - IIS

Failure to handle unanticipated requests

Buffer overflows: Code Red, Nimda

Poor defaults: Sample applications

Unix: #8 - Sendmail

Buffer overflows

Insecure defaults

SANS: http://www.sans.org/top20/top10.php



Security Bugs Can Be Expensive


Buffer overflow in IIS


Estimated cost: $3.26 billion


Buffer overflow in SQL Server


Estimated cost: $1.2 billion


What Entrances Do the Hackers Use?


Hackers exploit interactions with:


Operating System


User Interfaces


File System


Libraries


Example of an Attack


Buffer Overflow Attack (BOA): Deadly attack underlying many computer hijackings in the past.




Buffer Overflow Attack


The idea is simple: enter long strings into input fields, which could be APIs or exposed internal objects.

This is an important bug because:

Copy/paste into input fields is a fairly common practice.

A buffer overflow may be exploitable by a hacker to get arbitrary code to run on a system.
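The password example from the Managing Security Risk slide, as an added sketch that is not part of the original lecture: an unchecked copy of a long input string spills past a fixed-size buffer and overwrites the adjacent "authenticated" flag, while the length-checked version rejects the same input. The names struct frame, login_unchecked and login_checked, the 8-byte buffer and the password are constructed for illustration; the frame is modelled as a struct so the overflow stays inside one object and the program behaves deterministically.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame: an 8-byte input buffer followed
 * directly by the flag that records whether the password matched. */
struct frame {
    char buf[8];
    unsigned char authenticated;
};

/* Unchecked copy, the pattern behind strcpy()/gets(): it copies up to the
 * terminator without asking how large buf is. The write goes through a
 * byte pointer to the whole frame so the demo itself stays well defined. */
static int login_unchecked(const char *input, const char *password)
{
    struct frame f;
    size_t n = strlen(input) + 1;
    memset(&f, 0, sizeof f);
    if (n > sizeof f) n = sizeof f;        /* keep the demo inside the model */
    memcpy((unsigned char *)&f, input, n); /* bytes past buf[7] hit the flag */
    if (strncmp(f.buf, password, sizeof f.buf) == 0) f.authenticated = 1;
    return f.authenticated != 0;
}

/* Hardened form: the length is validated against the buffer before any
 * byte is written, and oversized input is rejected rather than truncated. */
static int login_checked(const char *input, const char *password)
{
    struct frame f;
    size_t n = strlen(input);
    memset(&f, 0, sizeof f);
    if (n >= sizeof f.buf) return 0;
    memcpy(f.buf, input, n + 1);
    if (strcmp(f.buf, password) == 0) f.authenticated = 1;
    return f.authenticated != 0;
}

int main(void)
{
    const char *pw = "s3cret";             /* constructed sample password */
    const char *inputs[] = { "s3cret", "wrong", "AAAAAAAAA" };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s unchecked=%d checked=%d\n", inputs[i],
               login_unchecked(inputs[i], pw), login_checked(inputs[i], pw));
    return 0;
}
```

The nine-character input never matches the password, yet the unchecked version reports success because its ninth byte lands on the flag. This is the data-only form of the bug; the arbitrary code execution case mentioned above depends on the stack mechanisms covered in a later lecture.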


Demonstration of Buffer Overflow


Next we will see a brief demonstration.

The demonstration will illustrate the buffer overflow attack as a high-level concept.

Note that the demo makes simplifications and does not cover the complex and subtle mechanisms employed by BOA. These will be covered in a later lecture.

The demo, developed with NSF support, is available at: http://nsfsecurity.pr.erau.edu/bom/



Expected Work After the Lecture


You will often find more information on lectures through papers and resources listed on the web. You should look for those, scan several, and read a few in more depth.

You should report your interesting findings in class or by sending me an email.

If you send email, identify the lecture number and your last name in the subject line (e.g. Lecture1-Smith) and also within your message. Give proper references for each of your findings.

This will be considered as a part of class participation.


References


These are a few additional references from CPRE 556 website that are related to this lecture:

CERT Coordination Center, http://www.cert.org/

Open Source Vulnerability Database, http://www.osvdb.org/

Linux Security, http://www.linuxsecurity.com/content/view/101892/155/

Microsoft Security Bulletins, http://www.microsoft.com/technet/security/default.mspx

Exploiting Software: The Achilles’ Heel of Cyber Defense, by Gary McGraw and Greg Hoglund, Cyber Defense Magazine, June 2004, http://www.ccs.neu.edu/home/lieber/courses/csg379/f04/lectures/cd-Exploiting_Software.pdf

The Evolution of Java Security, L. Koved, A. Nadalin, D. Neal and T. Lawson. IBM Systems Journal (Volume 37, No 3), http://www.research.ibm.com/journal/sj37-3.html

Smashing The Stack For Fun And Profit, Aleph One.