CSCD 303 Essential Computer Security Winter 2014 Lecture 16 Creating Secure Programs


Page 1: CSCD 303 Essential Computer Security Winter 2014 Lecture 16 Creating Secure Programs

CSCD 303 Essential Computer Security, Winter 2014

Lecture 16: Creating Secure Programs

Page 2

Overview

• Developing Secure Programs
  – Traditional
  – Secure Code Model
  – Security Threats
  – What Microsoft Does

Page 3

Secure Software

What does it mean for software to be secure? Software security is the practice of building software so that it resists malicious attack and other hostile input, and keeps functioning correctly when it is under attack.

Page 4

Build Security In

“Security First”, “Designing with Security” and “Build Security In” are all names used for the same, once “new”, idea: include security in the design of the software rather than bolting it on afterwards.

Prior to this idea, security was, and for most popular software still is, an afterthought.

Here is a good summary of this concept by Gary McGraw:

http://searchsecurity.techtarget.com/opinion/Gary-McGraw-on-software-security-assurance-Build-it-in-build-it-right

There are many reasons for Security First ...

Page 5

Why Put Security First?

1. Adding security later is wrapping security around existing features, not designing features with security in mind.
2. Adding security later is expensive.
3. Adding security may change how you implement application features.
4. Adding security may change the user interface.

Page 6

How Software is Created

Modern software systems are developed through a software development process or model. There are many different development models. We look at the most classic one and then see how secure development fits within it.

Page 7

Waterfall Model

Requirements – defines needed information, function, behavior, performance and interfaces.
Design – data structures, software architecture, interface representations, algorithmic details.
Implementation – source code, database, user documentation, testing.
Test – test each component, then integrated tests.
Installation – self-explanatory.
Maintenance – fix minor problems, bug fixes and updates.

Page 8

Waterfall Strengths

• Easy to understand, easy to use
• Provides structure to inexperienced staff
• Milestones are well understood
• Sets requirements stability
• Good for management control (plan, staff, track)
• Works well when quality is more important than cost or schedule

Page 9

Waterfall Deficiencies

1. All requirements must be known up front
2. Deliverables created for each phase are considered frozen – inhibits flexibility
3. Can give a false impression of progress
4. Does not reflect the problem-solving nature of software development – iterations of phases
5. Integration is one big bang at the end
6. Little opportunity for the customer to preview the system (until it may be too late)

Page 10

Using the Waterfall Model

Where could we inject security into the development process? And what could we do?

Page 11

Security Development Lifecycle

Model developed by Microsoft. Security activities are laid over the development phases (Requirements, Design, Implementation, Verification, Release, Response):

Requirements
  – Product Inception: assign security resource, security plan

Design
  – Design guidelines applied, security architecture, security design review, ship criteria agreed upon
  – Threat Modeling: models created, mitigations in design and functional specs

Implementation
  – Guidelines & Best Practices: coding standards, testing based on threat models, tool usage
  – Security Docs & Tools: customer deliverables for secure deployment

Verification
  – Security Push: security push training, review threat models, review code, attack testing, review against new threats, meet signoff criteria

Release
  – Final Security Review (FSR): review threat models, penetration testing, archiving of compliance info
  – RTM & Deployment: signoff

Response
  – Security Response: feedback loop (tools/processes, postmortems, SRLs)

Page 12

Security Development Lifecycle Artifacts

Page 13

Security in the Development Cycle

Security modeling in development is a risk-mitigation strategy:

• You will not find all bugs...
• You will not see all the vulnerabilities...
• Your design will have errors of omission and oversight
  – But it is better than the alternative, which is to do nothing

Page 14

Security Modeling

Another way to think of the process of developing secure software.

Techniques to
– Evaluate an application’s overall security, or
– Assess the impact of a specific threat

Objectively identify vulnerabilities and address them with countermeasures

Integrated steps to take in the development process

Page 15

Security Modeling – The Process

Define threats
– Consider the data stored in the system, and how it can be misused
– Consider the architecture of the system, and the opportunities it affords malicious users
– Specific threat identification processes can be used

Assess the impact
– You’ve found a vulnerability... what happens if someone else actually finds it? How badly would you or your users be affected?

Implement a countermeasure
– Mitigate the risk to the best of your ability – code a preventative action, limit the exposure

Page 16

Defining the Threats

Decompose your application to ask questions about how each use case or application component could go awry.

Two processes defined by Microsoft ...

STRIDE
STRIDE is a classification scheme for characterizing known threats according to the kind of exploit used (or the motivation of the attacker):
– Spoofing Identity
– Tampering with Data
– Repudiation
– Information Disclosure
– Denial of Service
– Elevation of Privilege

DREAD
DREAD is a classification scheme for quantifying, comparing and prioritizing the risk presented by each evaluated threat.

Page 17

STRIDE Threat Categorization (Microsoft developed this)

Spoofing – ex: replaying an authentication transaction.
Tampering – ex: modifying authentication files to add a new user.
Repudiation – ex: denying that you purchased items you actually did.
Information disclosure – ex: obtaining a list of customer credit card numbers.
Denial of service – ex: consuming CPU time via a hash algorithm weakness.
Elevation of privilege – ex: subverting a privileged program to run your commands.

Microsoft article on STRIDE with examples:
http://msdn.microsoft.com/en-us/magazine/cc163519.aspx

Page 18

STRIDE in a Nutshell

OWASP overview of STRIDE and other threat models:
https://www.owasp.org/index.php/Threat_Risk_Modeling

Page 19

Evaluate Risk with DREAD

Damage Potential – extent of damage if the vulnerability is exploited.
Reproducibility – how often an attempt at exploitation works.
Exploitability – amount of effort required to exploit the vulnerability.
Affected Users – ratio of installed instances of the system that would be affected if the exploit became widely available.
Discoverability – likelihood that the vulnerability will be discovered.

Page 20

Assessing Vulnerability Impact

DREAD aims to quantify a threat. DREAD modeling influences the thinking behind setting the risk rating, and is also used directly to sort the risks. The DREAD algorithm, shown below, computes a risk value as the average of all five categories.

Assign each category a value from 0 to 10 and use the mean:

Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

Damage Potential
• 0 – no damage; 10 – complete system damage

Reproducibility
• 0 – almost impossible to reproduce; 10 – can reproduce at any time

Exploitability
• 0 – extremely sophisticated skills required; 10 – anybody with a browser

Affected Users
• 0 – no users; 10 – all users (or beyond... think of the VA data leak)

Discoverability
• 0 – requires source code; 9 – details of the exploit are in the public domain; 10 – it’s in easily discoverable data in the application itself
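The DREAD formula above, carried through in code as an added example (this is not code from the lecture). The threats, their STRIDE categories and their scores are constructed for a hypothetical web shop and loosely echo the STRIDE examples earlier in the lecture; the High/Medium/Low cut-offs in `rating()` are an assumption for the example, since the slide only defines the mean.

```python
"""DREAD scoring and ranking for a set of threats.

Added example, not code from the lecture. Each threat is scored 0-10 on the
five DREAD categories and the risk is the mean of the five scores, exactly
as on the slide. The threats and their scores below are constructed for
illustration only.
"""
from dataclasses import dataclass

CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass
class Threat:
    name: str
    stride: str            # STRIDE category the threat falls under
    scores: dict           # DREAD category -> integer 0..10

    def __post_init__(self):
        # Refuse incomplete or out-of-range scorecards rather than silently
        # averaging over missing categories.
        unknown = set(self.scores) - set(CATEGORIES)
        missing = set(CATEGORIES) - set(self.scores)
        if unknown or missing:
            raise ValueError(f"{self.name}: unknown={unknown} missing={missing}")
        for cat, value in self.scores.items():
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{self.name}: {cat}={value!r} not in 0..10")


def dread_score(threat: Threat) -> float:
    """Risk_DREAD = (D + R + E + A + D) / 5, as defined on the slide."""
    return sum(threat.scores[c] for c in CATEGORIES) / len(CATEGORIES)


def rating(score: float) -> str:
    """Bucket a mean score into a label. The cut-offs (>= 8 High, >= 5 Medium)
    are an assumption for this example; the lecture defines only the mean."""
    if score >= 8:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Sort threats by DREAD score, highest risk first (the slide says DREAD is
    'used directly to sort the risks'). Returns (name, score, rating) tuples."""
    scored = [(t.name, dread_score(t), rating(dread_score(t))) for t in threats]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample threats for a hypothetical web shop (not from the lecture).
THREATS = [
    Threat("Replay of captured authentication transaction", "Spoofing",
           dict(damage=8, reproducibility=10, exploitability=7,
                affected_users=10, discoverability=9)),
    Threat("Customer card numbers readable by unauthorized user",
           "Information disclosure",
           dict(damage=10, reproducibility=6, exploitability=5,
                affected_users=10, discoverability=4)),
    Threat("CPU exhaustion via hash-collision inputs", "Denial of service",
           dict(damage=5, reproducibility=10, exploitability=8,
                affected_users=10, discoverability=6)),
]

if __name__ == "__main__":
    for name, score, label in rank_threats(THREATS):
        print(f"{score:4.1f}  {label:6s}  {name}")
```

One property of the mean worth noticing when you use this: a threat that scores 10 on Damage but low on the other four can rank below a nuisance that scores evenly across all five, so in practice the per-category scores should be kept next to the total rather than discarded after averaging.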

Page 21

Threat Modeling in General

Page 22

Goals of Threat Modeling

1. Understand the threats to guard against during requirements analysis.
2. Provide a basis for deciding which security mechanisms to include during design.
3. Verify the security of the system design.
4. Provide a basis for prescribing secure implementation practices.
5. Provide a basis for testing system security after implementation.

Page 23

Threat Modeling Process

1. Understand the adversary’s view of the system
2. Evaluate threats

Page 24

Understanding the Adversary’s View

1. Identify System Assets
   – System resources that an adversary might attempt to access, modify, or steal.
   – Ex: credit cards, network bandwidth, user access.
2. Identify Entry Points
   – Any location where data or control transfers between the system being modeled and another system.
   – Ex: network sockets, RPCs, web forms, files.
3. Determine Trust Levels
   – Privileges external entities have to legitimately use system resources.

Page 25

Evaluate Threats

Identify Threats
– For each entry point, determine how an adversary may attempt to affect an asset.
– Based on the asset, predict what the adversary would try to do and what his goals would be.

Analyze Threats
– Decompose threats into individual, testable conditions using techniques like attack trees.
– Evaluate the risk of each threat with the DREAD categories.

Page 26

Identify Threats

• Can an unauthorized network user view confidential information such as addresses or passwords?
• Can an unauthorized user modify data like payments or purchases in the database?
• Could someone deny authorized users access to the application?
• Could an authorized user exploit a feature to raise their privileges to administrator level?

Page 27

Analyze Threats

• Decompose threats into individual, testable conditions using attack trees
• Attack Trees
  – Hierarchical decomposition of a threat
  – Root of the tree is the adversary’s goal in the attack
  – Each level below the root decomposes the attack into finer approaches
  – Child nodes are OR'd together by default
  – Special notes may indicate to AND them

Page 28

Attack Trees – Graph Notation

Goal: Read file from password-protected PC

Read File
  – Get Password
      – Search Desk
      – Social Engineer
  – Network Access
  – Physical Access
      – Boot with CD
      – Remove hard disk

Page 29

Attack Trees – Text Notation

Goal: Read message sent from one PC to another

1. Convince sender to reveal message.
   1.1 Blackmail.
   1.2 Bribe.
2. Read message when entered on sender’s PC.
   2.1 Visually monitor PC screen.
   2.2 Monitor EM radiation from screen.
3. Read message when stored on receiver’s PC.
   3.1 Get physical access to hard drive.
   3.2 Infect user with spyware.
4. Read message in transit.
   4.1 Sniff network.
   4.2 Usurp control of mail server.
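The OR/AND semantics from the previous slide and the text-notation tree above, evaluated in code as an added example (not code from the lecture). The tree is the slide's "Read message" tree; the per-leaf attacker costs are constructed numbers for illustration, and the AND node under 4.2 (needing both admin credentials and reachability of the admin interface) is a hypothetical refinement added here to show how AND changes the arithmetic. Marking a leaf as mitigated shows how a countermeasure (slide 15's last step) shifts the cheapest attack.

```python
"""Attack-tree evaluation with OR and AND nodes.

Added example, not code from the lecture. Child nodes are OR'd by default
(any one child achieves the parent) and a node may be marked AND (every child
is needed). Leaves carry an estimated attacker cost; the numbers are
constructed, as is the AND node under 4.2.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

INF = float("inf")


@dataclass
class Node:
    label: str
    kind: str = "OR"                   # "OR" (default) or "AND"; unused for leaves
    cost: Optional[float] = None       # attacker effort, leaves only
    children: list = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children


def leaf(label: str, cost: float) -> Node:
    return Node(label, cost=cost)


def cheapest(node: Node, mitigated: frozenset = frozenset()):
    """Return (cost, leaves) of the cheapest way to achieve node's goal.

    OR node: the cheapest child wins. AND node: every child is required, so
    costs add. A leaf named in `mitigated` has a countermeasure in place and is
    treated as impossible (infinite cost).
    """
    if node.is_leaf():
        if node.label in mitigated:
            return INF, []
        return node.cost, [node.label]
    results = [cheapest(child, mitigated) for child in node.children]
    if node.kind == "AND":
        total = sum(cost for cost, _ in results)
        if total == INF:
            return INF, []
        return total, [lf for _, leaves in results for lf in leaves]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind {node.kind!r}")


def render(node: Node, depth: int = 0) -> str:
    """Text notation like the slide, with AND/OR marked on interior nodes."""
    tag = "" if node.is_leaf() else f" [{node.kind}]"
    cost = f" (cost {node.cost})" if node.is_leaf() else ""
    lines = ["    " * depth + node.label + tag + cost]
    for child in node.children:
        lines.append(render(child, depth + 1))
    return "\n".join(lines)


def read_message_tree() -> Node:
    """The slide's tree; costs and the AND node under 4.2 are constructed."""
    return Node("Read message sent from one PC to another", children=[
        Node("1. Convince sender to reveal message", children=[
            leaf("1.1 Blackmail", 7), leaf("1.2 Bribe", 5)]),
        Node("2. Read message when entered on sender's PC", children=[
            leaf("2.1 Visually monitor PC screen", 4),
            leaf("2.2 Monitor EM radiation from screen", 9)]),
        Node("3. Read message when stored on receiver's PC", children=[
            leaf("3.1 Get physical access to hard drive", 6),
            leaf("3.2 Infect user with spyware", 3)]),
        Node("4. Read message in transit", children=[
            leaf("4.1 Sniff network", 2),
            # Hypothetical AND refinement: both sub-steps are required.
            Node("4.2 Usurp control of mail server", kind="AND", children=[
                leaf("4.2.1 Obtain mail server admin credentials", 5),
                leaf("4.2.2 Reach mail server admin interface", 2)])]),
    ])


if __name__ == "__main__":
    tree = read_message_tree()
    print(render(tree))
    print("cheapest attack:", cheapest(tree))
    print("after protecting transit:", cheapest(tree, frozenset({"4.1 Sniff network"})))
```

Running it shows the cheapest path is sniffing the network; once that leaf is mitigated the cheapest path moves to spyware on the receiver, and the AND node only becomes the best option after its cheaper OR siblings are closed off, which is the kind of "where does the attacker go next" question the tree is meant to answer.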

Page 30

Other Stages of Secure Development

Page 31

Implementation

Coding standards
– Acceptable libraries and functions
– Checklists

Static analysis tools
– Identify common errors

Code reviews
– More effective than testing in many reports

Page 32

Verification

Fuzz Testing
– Automatic testing with random data.

Unit Tests
– Test security features.

Penetration Testing
– Driven by application risks.
– The threat model identifies the most important assets and entry points.
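What "automatic testing with random data" looks like against a real parser, as an added example (not code from the lecture). The record format, both parsers and the corpus are constructed for illustration: a record is one length byte, the payload, and a one-byte checksum (sum of the payload mod 256). The first parser has a deliberate bug, trusting the attacker-controlled length byte; the hardened one validates it before using it as an index. The random generator is seeded so the run is reproducible.

```python
"""A minimal fuzz harness against a tiny binary record parser.

Added example, not code from the lecture. Format and parsers are constructed:
record = length byte + payload + checksum byte (sum(payload) % 256).
"""
import random


def parse_record(data: bytes) -> bytes:
    """Vulnerable parser: trusts the attacker-controlled length byte."""
    n = data[0]                        # IndexError on empty input
    payload = data[1:1 + n]
    checksum = data[1 + n]             # IndexError when n overstates the record
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload


def parse_record_hardened(data: bytes) -> bytes:
    """Hardened parser: every length is checked before it is used as an index."""
    if len(data) < 2:
        raise ValueError("truncated record")
    n = data[0]
    if len(data) != 2 + n:
        raise ValueError("length field does not match record size")
    payload = data[1:1 + n]
    if sum(payload) % 256 != data[1 + n]:
        raise ValueError("bad checksum")
    return payload


def make_record(payload: bytes) -> bytes:
    """Build a well-formed record; used to seed the corpus with valid input."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def make_corpus(seed: int = 1, count: int = 500, max_len: int = 8) -> list:
    """Random byte strings plus one valid record. Seeded so runs repeat."""
    rng = random.Random(seed)
    corpus = [bytes(rng.randrange(256) for _ in range(rng.randint(0, max_len)))
              for _ in range(count)]
    corpus.append(make_record(b"abc"))
    return corpus


def fuzz(target, corpus):
    """Run target on every input. ValueError is the documented rejection path;
    any other exception is a crash. Returns the (input, exception) pairs found."""
    crashes = []
    for sample in corpus:
        try:
            target(sample)
        except ValueError:
            pass
        except Exception as exc:       # a fuzzer wants every other failure
            crashes.append((sample, exc))
    return crashes


if __name__ == "__main__":
    corpus = make_corpus()
    for name, target in (("vulnerable", parse_record),
                         ("hardened", parse_record_hardened)):
        found = fuzz(target, corpus)
        print(f"{name}: {len(found)} crashes")
        for sample, exc in found[:3]:
            print("   ", sample.hex() or "<empty>", type(exc).__name__)
```

The harness treats the documented rejection (`ValueError`) as correct behaviour and everything else as a finding; in Python the bug surfaces as `IndexError`, while the same trust-the-length mistake in C would be an out-of-bounds read, which is why length fields at trust boundaries are a standard fuzzing target.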

Page 33

Maintenance

Prepare before release time for:
– Receiving vulnerability reports.
– Releasing security advisories.
– Developing, testing, and distributing patches.

Page 34

Microsoft Security Development

Page 35

SDLC at Microsoft – Security Development Lifecycle

Management support
– Bill Gates letter about the 2002 security push: http://www.wired.com/techbiz/media/news/2002/01/49826

Mandatory education
– For managers and engineers.
– Annual updates.

Metrics
– Education coverage.
– Vulnerabilities discovered.

Central Security Team
– Ensures someone is responsible.
– Keeps process and education updated.

Page 36

Engineering Excellence

Raise the bar of software security:
• Improved development process
• New tools designed to help developers
• Guidance and training focused on secure coding
• Advance the state of the art of secure software development

Page 37

Quality & Engineering Excellence – Improved Development Process

• Threat modeling, code inspection, penetration testing
• Unused features off by default, reduce attack surface area, least privilege
• Prescriptive guidance, security tools, training and education
• Community engagement, transparency, clear policy

Page 38

[Chart omitted: values in days (axis 30 to 720). Source: Microsoft Security Bulletin Search]

Page 39

Quality & Engineering Excellence – Helping Developers Write More Secure Code

• .NET Framework 1.1: cryptographic APIs, integrated PKI
• Visual Studio .NET 2003: security tools, Web Services Enhancements
• Microsoft Security Developer Center: Writing Secure Code v2, developer webcasts

Page 40

Education for the SDL

Page 41

Outreach and Communications

Pre-release
– Security Bulletin Advance Notification – three business days prior to release

Release day (second Tuesday)
– Updates posted on Download Center, Windows Update and/or Office Update
– Bulletins posted
– RSS feeds
– Customer email and instant message notifications
– Community outreach
– MS Field alerts and call downs

Post-release
– Security Bulletins webcast (Wednesday following release, 11AM PT)
– Supplementary webcasts if needed
– Monitor bulletin uptake and customer issues through PSS and Windows Update
– Bulletin maintenance

Microsoft introduced "Patch Tuesday" in October 2003

Page 42

SSIRP – Software Security Incident Response Plan

Companywide process to deal with critical security threats; mobilizes Microsoft resources worldwide.

Goals:
– Quickly gain a thorough understanding of the problem
– Provide customers with timely, relevant, consistent information
– Deliver tools, security updates and other assistance to restore normal operation

Page 43

Guidance, Tools & Response – Delivering Support and Creating Community

Security tools
– Microsoft Baseline Security Analyzer
– Security Bulletin Search Tool

Guidance and training
– Security Guidance Center
– E-Learning Clinics

Community engagement
– Newsletters
– Webcasts and chats

http://www.microsoft.com/security
http://www.microsoft.com/protect

Page 44

Microsoft Resources

General: http://www.microsoft.com/security
XP SP2 Resources for the IT Professional: http://www.microsoft.com/technet/winxpsp2
Security Guidance Center: http://www.microsoft.com/security/guidance
Tools: http://www.microsoft.com/technet/Security/tools
How Microsoft IT Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit
E-Learning Clinics: https://www.microsoftelearning.com/security
Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx

Page 45

Secure Software Resources

Waterfall Model: http://www.techrepublic.com/article/understanding-the-pros-and-cons-of-the-waterfall-model-of-software-development/6118423
David LeBlanc's blog post about DREAD: http://blogs.msdn.com/b/david_leblanc/archive/2007/08/13/dreadful.aspx
Gary McGraw's site, secure code material: http://www.cigital.com/~gem/

Page 46

End

System Security Flaws

( ... It's the people)

Lab this week is practice with XSS and CSRF. You can do the lab on your own through the web.