cscd 303 essential computer security winter 2014 lecture 16 creating secure programs
CSCD 303 Essential Computer Security, Winter 2014
Lecture 16: Creating Secure Programs
Overview
• Developing Secure Programs
– Traditional
– Secure Code Model
– Security Threats
– What Microsoft Does
Secure Software
What does it mean for software to be secure? Software security is the practice of protecting software against malicious attack and other hacker risks so that the software continues to function correctly under such potential risks.
Build Security In
Security First, Designing with Security, Build Security In: all of these names were used for the “new” concept of including security in the design of software.
Prior to this radical idea, security was, and still is, an afterthought in most popular software.
Here is a good summary of this concept by Gary McGraw
http://searchsecurity.techtarget.com/opinion/Gary-McGraw-on-software-security-assurance-Build-it-in-build-it-right
There are many reasons for Security First ….
Why Put Security First?
1. Adding security later is wrapping security around existing features, not designing features with security in mind.
2. Adding security later is expensive.
3. Adding security may change how you implement application features.
4. Adding security may change the user interface.
How Software is Created
Modern software systems are developed through a software development process or model. There are many different development models. We look at the most classic one and then see how secure development fits within this model.
Waterfall Model
Requirements – defines needed information, function, behavior, performance and interfaces.
Design – data structures, software architecture, interface representations, algorithmic details.
Implementation – source code, database, user documentation, testing.
Test – test each component and run integrated tests.
Installation – self explained.
Maintenance – fix minor problems, bug fixes and updates.
Waterfall Strengths
• Easy to understand, easy to use
• Provides structure to inexperienced staff
• Milestones are well understood
• Sets requirements stability
• Good for management control (plan, staff, track)
• Works well when quality is more important than cost or schedule
Waterfall Deficiencies
1. All requirements must be known up front
2. Deliverables created for each phase are considered frozen – inhibits flexibility
3. Can give a false impression of progress
4. Does not reflect the problem-solving nature of software development – iterations of phases
5. Integration is one big bang at the end
6. Little opportunity for the customer to preview the system (until it may be too late)
Using Waterfall Model
Where could we inject security into the development process? And, what could we do?
Security Development Lifecycle
(SDL diagram, phases left to right: Requirements, Design, Implementation, Verification, Release, Response)
Requirements – Product Inception: assign resource; security plan
Design – Design: design guidelines applied; security architecture; security design review; ship criteria agreed upon
Design – Threat Modeling: models created; mitigations in design and functional specs
Implementation – Guidelines & Best Practices: coding standards; testing based on threat models; tool usage
Implementation – Security Docs & Tools: customer deliverables for secure deployment
Verification – Security Push: security push training; review threat models; review code; attack testing; review against new threats; meet signoff criteria
Release – Final Security Review (FSR): review threat models; penetration testing; archiving of compliance info
Release – RTM & Deployment: signoff
Response – Security Response: feedback loop – tools/processes, postmortems, SRLs
Model developed by Microsoft
Security Development Lifecycle Artifacts
Security in the Development Cycle
Security Modeling in Development is a Risk Mitigation Strategy
• You will not find all bugs…
• You will not see all the vulnerabilities…
• Your design will have errors of omission and oversight
– But, better than the alternative, which is to do nothing
Security Modeling
Another way to think of the process of developing secure software
Techniques to
– Evaluate an application’s overall security, or
– Assess the impact of a specific threat
Objectively identify vulnerabilities and address countermeasures
Integrated steps to take in the development process
Security Modeling – The Process
Define Threats
Consider the data stored in the system, and how it can be misused.
Consider the architecture of the system, and the opportunities it affords malicious users.
Specific threat identification processes can be used.
Assess the Impact
You’ve found a vulnerability… what happens if someone actually finds it? How badly would you or your users be affected?
Implement a Countermeasure
Mitigate the risk to the best of your ability – code a preventative action, limit the exposure.
Defining the Threats
Decompose your application to ask questions about how each use case or application component could go awry.
Two Processes defined by Microsoft ...
STRIDE
STRIDE is a classification scheme for characterizing known threats according to the kinds of exploit that are used (or the motivation of the attacker).
Spoofing Identity
Tampering with Data
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
DREAD
DREAD is a classification scheme for quantifying, comparing and prioritizing the risk presented by each evaluated threat.
STRIDE Threat Categorization (Microsoft developed this)
Spoofing – ex: replaying an authentication transaction.
Tampering – ex: modifying authentication files to add a new user.
Repudiation – ex: denying that you purchased items you actually did.
Information disclosure – ex: obtaining a list of customer credit card numbers.
Denial of service – ex: consuming CPU time via a hash algorithm weakness.
Elevation of privilege – ex: subverting a privileged program to run your commands.
Microsoft article on STRIDE with examples: http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
STRIDE in a Nutshell
OWASP overview of STRIDE and other threat models:
https://www.owasp.org/index.php/Threat_Risk_Modeling
Evaluate Risk with DREAD
Damage Potential – extent of damage if the vulnerability is exploited.
Reproducibility – how often an attempt at exploitation works.
Exploitability – amount of effort required to exploit the vulnerability.
Affected Users – ratio of installed instances of the system that would be affected if the exploit became widely available.
Discoverability – likelihood that the vulnerability will be discovered.
Assessing Vulnerabilities Impact
DREAD aims to quantify a threat. DREAD modeling influences the thinking behind setting the risk rating, and is also used directly to sort the risks. The DREAD algorithm, shown below, is used to compute a risk value, which is an average of all five categories.
Assign a value between 1 and 10 to each category and use the mean:
Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
Damage Potential
• 0 – no damage; 10 – complete system damage
Reproducibility
• 0 – almost impossible to reproduce; 10 – can reproduce at any time
Exploitability
• 0 – extremely sophisticated skills required; 10 – anybody with a browser
Affected Users
• 0 – no users; 10 – all users (or beyond… think VA data leak)
Discoverability
• 0 – requires source code; 9 – details of exploit are in public domain; 10 – it’s in easily discoverable data in the application itself.
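The DREAD mean and the "sort the risks" use described above, as an added example that is not part of the lecture: threats carry a STRIDE category and five DREAD scores, the scores are checked against the 0..10 scale, and the list is ranked by Risk_DREAD. The threats, scores and the high/medium/low cut-offs are constructed for illustration.

```python
# Constructed example (not from the lecture): rank STRIDE-classified threats
# with the slides' formula Risk_DREAD = (D + R + E + A + D) / 5.
from dataclasses import dataclass, field

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

@dataclass
class Threat:
    name: str
    stride: str                                  # one of the six STRIDE categories
    scores: dict = field(default_factory=dict)   # DREAD factor -> score on the 0..10 scale

    def validate(self):
        """Every DREAD factor must be present and within the 0..10 scale."""
        for f in DREAD_FACTORS:
            v = self.scores.get(f)
            if not isinstance(v, (int, float)) or not 0 <= v <= 10:
                raise ValueError(f"{self.name}: {f} must be 0..10, got {v!r}")

    def risk(self):
        """Risk_DREAD: the mean of the five factor scores."""
        self.validate()
        return sum(self.scores[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)

def rank_threats(threats):
    """(name, stride, risk) tuples, highest risk first; ties break by name so the order is deterministic."""
    return sorted(((t.name, t.stride, t.risk()) for t in threats),
                  key=lambda r: (-r[2], r[0]))

def risk_band(risk):
    """Coarse triage label; the cut-offs are an assumption, not from the slides."""
    return "high" if risk >= 7 else "medium" if risk >= 4 else "low"

# Constructed threats modelled on the STRIDE examples in the slides.
SAMPLE = [
    Threat("Replay of authentication transaction", "Spoofing",
           dict(damage=8, reproducibility=9, exploitability=6,
                affected_users=10, discoverability=7)),
    Threat("Customer card list exposed", "Information disclosure",
           dict(damage=10, reproducibility=10, exploitability=5,
                affected_users=10, discoverability=5)),
    Threat("Hash-collision CPU exhaustion", "Denial of service",
           dict(damage=5, reproducibility=8, exploitability=7,
                affected_users=6, discoverability=4)),
]

if __name__ == "__main__":
    for name, stride, r in rank_threats(SAMPLE):
        print(f"{r:4.1f}  {risk_band(r):6}  {stride:22}  {name}")
```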
Threat Modeling in General
Goals of Threat Modeling
1. Understand threats to guard against during requirements analysis.
2. Provide a basis for which security mechanisms to include during design.
3. Verify the security of the system design.
4. Provide a basis for prescribing secure implementation practices.
5. Provide a basis for testing system security after implementation.
Threat Modeling Process
1. Understand adversary’s view of system
2. Evaluate threats
Understanding Adversary’s View
1. Identify System Assets
– System resources that an adversary might attempt to access, modify, or steal.
– Ex: credit cards, network bandwidth, user access.
2. Identify Entry Points
– Any location where data or control transfers between the system being modeled and another system.
– Ex: network sockets, RPCs, web forms, files.
3. Determine Trust Levels
– Privileges external entities have to legitimately use system resources.
Evaluate Threats
Identify Threats
For each entry point, determine how an adversary may attempt to affect an asset. Based on the asset, predict what the adversary would try to do and what his goals would be.
Analyze Threats
Decompose threats into individual, testable conditions using techniques like attack trees.
Evaluate the risk of each threat with the DREAD categories.
Identify Threats
Can an unauthorized network user view confidential information such as addresses or passwords?
Can an unauthorized user modify data like payments or purchases in the database?
Could someone deny authorized users access to the application?
Could an authorized user exploit a feature to raise their privileges to administrator level?
Analyze Threats
• Decompose threats into individual, testable conditions using attack trees
• Attack Trees
– Hierarchical decomposition of a threat
– Root of the tree is the adversary’s goal in the attack
– Each level below the root decomposes the attack into finer approaches
– Child nodes are OR'd together by default
– Special notes may indicate to AND them
Attack Trees—Graph Notation
Goal: Read file from password-protected PC
Read File
– Get Password
  – Search Desk
  – Social Engineer
– Network Access
– Physical Access
  – Boot with CD
  – Remove hard disk
Attack Trees—Text Notation
Goal: Read message sent from one PC to another
1. Convince sender to reveal message.
1.1 Blackmail.
1.2 Bribe.
2. Read message when entered on sender’s PC.
2.1 Visually monitor PC screen.
2.2 Monitor EM radiation from screen.
3. Read message when stored on receiver’s PC.
3.1 Get physical access to hard drive.
3.2 Infect user with spyware.
4. Read message in transit.
4.1 Sniff network.
4.2 Usurp control of mail server.
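The text-notation tree above encoded with the OR-by-default / AND-when-noted semantics the slides describe, as an added example that is not part of the lecture: given the set of leaf conditions a team has already mitigated, it reports whether the root goal is still reachable and which testable conditions remain open. The Node class, the coverage_report helper and the sample mitigation set are constructed for illustration.

```python
# Constructed example (not from the lecture): the slides' text-notation attack
# tree encoded as nodes with the default OR semantics (AND where a note says so),
# plus a check of which testable conditions a mitigation set leaves open.
from dataclasses import dataclass, field

@dataclass
class Node:
    label: str
    children: list = field(default_factory=list)
    op: str = "OR"          # children are OR'd by default; "AND" when the tree notes it

    def reachable(self, mitigated):
        """A leaf stays reachable unless mitigated; an OR node needs any
        reachable child, an AND node needs all of them."""
        if not self.children:
            return self.label not in mitigated
        results = [c.reachable(mitigated) for c in self.children]
        return all(results) if self.op == "AND" else any(results)

    def open_leaves(self, mitigated):
        """Leaves still reachable: the testable conditions left to close."""
        if not self.children:
            return [] if self.label in mitigated else [self.label]
        return [cond for c in self.children for cond in c.open_leaves(mitigated)]

def leaf(label):
    return Node(label)

# Goal: read message sent from one PC to another (tree as given in the slides).
READ_MESSAGE = Node("Read message", [
    Node("Convince sender to reveal message",
         [leaf("Blackmail"), leaf("Bribe")]),
    Node("Read message when entered on sender's PC",
         [leaf("Visually monitor PC screen"), leaf("Monitor EM radiation from screen")]),
    Node("Read message when stored on receiver's PC",
         [leaf("Get physical access to hard drive"), leaf("Infect user with spyware")]),
    Node("Read message in transit",
         [leaf("Sniff network"), leaf("Usurp control of mail server")]),
])

def coverage_report(tree, mitigated):
    """(goal still reachable?, remaining open leaves) for a set of mitigated leaves."""
    return tree.reachable(mitigated), tree.open_leaves(mitigated)

if __name__ == "__main__":
    # Constructed mitigation set: only the in-transit branch has been closed.
    done = {"Sniff network", "Usurp control of mail server"}
    reachable, remaining = coverage_report(READ_MESSAGE, done)
    print("goal reachable:", reachable)
    print("open conditions:", remaining)
```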
Other Stages of Secure Development
Implementation
Coding standards – acceptable libraries and functions; checklists.
Static analysis tools – identify common errors.
Code reviews – more effective than testing in many reports.
Verification
Fuzz Testing – automatic testing with random data.
Unit Tests – test security features.
Penetration Testing – driven by application risks. The threat model identifies the most important assets and entry points.
Maintenance
Prepare before release time: receiving vulnerability reports, releasing security advisories, and developing, testing, and distributing patches.
Microsoft Security Development
SDLC at Microsoft
Security Development Lifecycle
Management support – Bill Gates letter about the 2002 security push: http://www.wired.com/techbiz/media/news/2002/01/49826
Mandatory education – for managers and engineers; annual updates.
Metrics – education coverage; vulnerabilities discovered.
Central Security Team – ensures someone is responsible; keeps process and education updated.
Engineering Excellence
Raise the bar of software security
• Improved development process
• New tools designed to help developers
• Guidance and training focused on secure coding
• Advance the state of the art of secure software development
Quality & Engineering Excellence
Improved Development Process
• Threat modeling, code inspection, penetration testing
• Unused features off by default, reduce attack surface area, least privilege
• Prescriptive guidance, security tools, training and education
• Community engagement, transparency, clear policy
[Chart omitted: vertical axis in days. Source: Microsoft Security Bulletin Search]
Quality & Engineering Excellence
Helping Developers Write More Secure Code
• .NET Framework 1.1 – cryptographic APIs, integrated PKI
• Visual Studio .NET 2003 – security tools, Web Services Enhancements
• Microsoft Security Developer Center – Writing Secure Code v2, developer webcasts
Education for the SDL
Outreach And Communications
Pre Release
• Security Bulletin Advance Notification – three business days prior to release
Second Tuesday – Release Day
• Updates posted on Download Center, Windows Update and/or Office Update
• Bulletins posted
• RSS feeds
• Customer email and instant message notifications
• Community outreach
• MS Field alerts and call downs
Post Release
• Security Bulletins webcast (Wednesday following release, 11AM PT)
• Supplementary webcasts if needed
• Monitor bulletin uptake and customer issues through PSS and Windows Update
• Bulletin maintenance
Microsoft introduced "Patch Tuesday" in October 2003
SSIRP – Software Security Incident Response Plan
Companywide process to deal with critical security threats; mobilize Microsoft resources worldwide.
Goals:
• Quickly gain a thorough understanding of the problem
• Provide customers with timely, relevant, consistent information
• Deliver tools, security updates and other assistance to restore normal operation
Guidance, Tools & Response
Delivering Support and Creating Community
• Security tools – Microsoft Baseline Security Analyzer; Security Bulletin Search Tool
• Guidance and training – Security Guidance Center; E-Learning Clinics
• Community engagement – newsletters; webcasts and chats
http://www.microsoft.com/security
http://www.microsoft.com/protect
Microsoft Resources
General: http://www.microsoft.com/security
XP SP2 Resources for the IT Professional: http://www.microsoft.com/technet/winxpsp2
Security Guidance Center: http://www.microsoft.com/security/guidance
Tools: http://www.microsoft.com/technet/Security/tools
How Microsoft IT Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit
E-Learning Clinics: https://www.microsoftelearning.com/security
Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx
Secure Software Resources
Waterfall Model: http://www.techrepublic.com/article/understanding-the-pros-and-cons-of-the-waterfall-model-of-software-development/6118423
David LeBlanc's blog about DREAD: http://blogs.msdn.com/b/david_leblanc/archive/2007/08/13/dreadful.aspx
Gary McGraw's site, secure code material: http://www.cigital.com/~gem/
End
System Security Flaws
(…It's the people)
Lab this week is on practice with XSS and CSRF. You can do the lab on your own through the web.