Secure Code Development: What are the risks of delivering insecure applications or software products? How can a company ensure they produce secure code? What strategies can be used? What tools exist? What departments help with this process?

Upload: cathleen-montgomery

Post on 17-Dec-2015


Page 1: Secure Code Development

What are the risks of delivering insecure applications or software products? How can a company ensure they produce secure code? What strategies can be used? What tools exist? What departments help with this process?

Page 2: Secure Programs

• 15-50 faults per 1000 lines of code.
• Fixing faults:
  ◦ "penetrate and patch": search for bugs and repair.
• Is conformance to specifications sufficient?
• Compare requirements with behavior.
  ◦ Find program security flaws.
  ◦ Either human error or malicious intent.
• Tester's perspective important.

Page 3: Security Development Lifecycle

Align the below tasks with the SDLC.
• Plan: product stakeholders & security meet.
• Design: identify weaknesses early.
• Develop: code securely.
• Test: test products against security requirements.
• Document: secure configurations of product.
• Assess: verify product security before release.
• Respond: know how to deal with customers who report security concerns with your product.

Page 4: Threat Model (design phase)

Page 5: Static Code Analysis Tools

• Static analysis: static code analysis, data flow static analysis, and metrics analysis.
• Peer code review: process automation
  ◦ preparation, notification, and tracking.
• Unit testing: JUnit and Cactus test creation, execution, optimization, and maintenance.
• Runtime error detection: race conditions, exceptions, resource & memory leaks, security attack vulnerabilities.
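The slide names three kinds of static analysis (code analysis, data flow, metrics) without showing what one looks like. As an added example that is not part of the original deck, the Python below implements a minimal AST-based checker: one pass flags calls a reviewer would want to look at, and a metrics pass counts decision points per function. The rule table, the `subprocess` shell check and the sample source are all constructed for this example; real tools (Bandit, CodeQL and the like) carry far larger rule sets.

```python
import ast

# Constructed rule table: callee name -> why a reviewer should look at it
RISKY_CALLS = {
    "eval": "evaluates data as code",
    "exec": "executes data as code",
    "os.system": "runs a shell command built from strings",
    "pickle.loads": "deserializes untrusted bytes",
}
# Node types counted as decision points in the metrics pass
BRANCH_NODES = (ast.If, ast.For, ast.While, ast.Try, ast.BoolOp, ast.ExceptHandler)


def _dotted_name(node):
    """Rebuild 'pkg.attr' from a Call's func node; None for computed callees."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_risky_calls(source):
    """Return sorted (line, callee, reason) tuples for calls matching the rules."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in RISKY_CALLS:
            findings.append((node.lineno, name, RISKY_CALLS[name]))
        elif name and name.startswith("subprocess."):
            # Only the shell=True form routes the command through a shell
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((node.lineno, name, "shell=True passes the command through a shell"))
    return sorted(findings)


def branch_counts(source):
    """Metrics pass: 1 + number of decision points per function (a cyclomatic-style count)."""
    tree = ast.parse(source)
    return {
        fn.name: 1 + sum(isinstance(n, BRANCH_NODES) for n in ast.walk(fn))
        for fn in ast.walk(tree)
        if isinstance(fn, ast.FunctionDef)
    }


# Constructed sample under analysis (not code from the deck)
SAMPLE = '''\
import os, pickle, subprocess

def run(cmd, blob):
    os.system("ls " + cmd)
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", cmd])
    return pickle.loads(blob)

def check(x):
    if x > 1 and x < 5:
        return True
    for i in range(x):
        if i == 3:
            return False
    return True
'''

if __name__ == "__main__":
    for line, callee, reason in find_risky_calls(SAMPLE):
        print(f"line {line}: {callee}: {reason}")
    print(branch_counts(SAMPLE))
```

The call on line 6 of the sample (list form, no shell) is deliberately not reported: a checker that cannot tell the two `subprocess.run` forms apart produces the noise that makes teams ignore static analysis output.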

Page 6: Quality Assurance

• Systematic evaluation of the various aspects of a product to maximize the probability that minimum standards of quality are being attained by the production process.
• Cannot guarantee production of quality products.
• Two principles in QA:
  ◦ "Fit for purpose": suitable for the intended purpose.
  ◦ "Right first time": mistakes should be eliminated.
• Quality is determined by the product users, clients or customers, not by society in general.

Page 7: Testing

• Unit: test in controlled environment.
• Integration: components work together.
• Functional: does it meet requirements.
• Performance: measure capability.
• Acceptance: check meets customer requirements.
• Installation: final test during install.

Page 8: Testing Continued

• Regression: test product still meets requirements after it has been modified.
• Black box: test without knowledge of how the system was built.
• White box: test with full knowledge of the system and its expected behavior.
• Independent: outsider view.
• Penetration: computer security testing.

Page 9:

Figure 3-19  Fault Discovery Rate Reported at Hewlett-Packard.

Page 10: Types of Flaws

• Validation error: permission checks.
• Domain error: controlled access to data.
• Serialization and aliasing: program flow.
• Inadequate identification and authentication
  ◦ Authorization flaws
• Boundary condition violation: exceed them.
• Logic errors: errors in process design.

Page 11: Secure Software Development Practices

• Peer reviews: review, walk-through, inspection.
• Hazard analysis: expose hazardous states.
• Testing: quality assurance.
• Good design: fail-safe, earlier discussion items.
• Prediction: risk analysis.
• Static analysis: control and data flow, structure.
• Configuration management: what changes when.
• Analysis of mistakes: lessons learned.

Page 12: Nessus Vulnerability Scanner (assess phase)

Page 13: Non-Malicious Program Errors

• Buffer overflows: coding error, buffer overruns.
  ◦ Attacker replaces code in the stack.
• Heap overflow: dynamically allocated memory.
  ◦ Corrupt this data in specific ways to cause overwriting.
• Incomplete mediation: out-of-range input or value injection
  ◦ http://www.comesite.com/purchasing/data&parm1=(303)555-1234&price=10
  ◦ Tools: Hackbar, Tamper Data, OWASP WebScarab, etc.
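The slide's URL carries the price as a client-supplied parameter, which is exactly the value a proxy such as Tamper Data would change. As an added example that is not part of the original deck, the Python below shows the unmediated handler next to a mediated one: the hardened version rejects a client-supplied price outright, takes the price from a server-side catalog, and bounds the quantity and phone-number fields. The catalog, the `item`/`qty` parameters, the limits and the three request URLs (modelled on the slide's, with the query separator corrected to `?`) are all constructed for this example.

```python
import re
from decimal import Decimal
from urllib.parse import parse_qs, urlsplit

# Constructed server-side catalog: the authoritative price lives here, not in the request.
CATALOG = {"WIDGET": Decimal("49.99"), "GADGET": Decimal("129.00")}
PHONE_RE = re.compile(r"^\(\d{3}\)\d{3}-\d{4}$")   # accepts the slide's (303)555-1234 shape
MAX_QTY = 100


def parse_request(url):
    """Flatten the query string into {name: first_value}."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def total_trusting_client(params):
    """Vulnerable: whatever 'price' the client sent is what gets charged."""
    return Decimal(params["price"]) * int(params.get("qty", "1"))


def total_mediated(params):
    """Hardened: every field is checked server-side and the price comes from CATALOG."""
    if "price" in params:
        # A price in the request is a tamper signal, not a value to sanitize
        raise ValueError("client may not supply price")
    sku = params.get("item", "")
    if sku not in CATALOG:
        raise ValueError("unknown item")
    qty = params.get("qty", "1")
    # isdigit() rejects '-5', '1e9' and '' before int() ever sees them
    if not qty.isdigit() or not 1 <= int(qty) <= MAX_QTY:
        raise ValueError("quantity out of range")
    if not PHONE_RE.match(params.get("parm1", "")):
        raise ValueError("malformed phone number")
    return CATALOG[sku] * int(qty)


def mediate(url):
    """Convenience wrapper returning ('ok', total) or ('rejected', reason)."""
    try:
        return "ok", str(total_mediated(parse_request(url)))
    except ValueError as exc:
        return "rejected", str(exc)


# Constructed requests (not from the deck)
TAMPERED = "http://www.comesite.com/purchasing/data?item=WIDGET&qty=2&parm1=(303)555-1234&price=10"
CLEAN = "http://www.comesite.com/purchasing/data?item=WIDGET&qty=2&parm1=(303)555-1234"
OVERSIZED = "http://www.comesite.com/purchasing/data?item=WIDGET&qty=9999&parm1=(303)555-1234"

if __name__ == "__main__":
    print("trusting client:", total_trusting_client(parse_request(TAMPERED)))
    for url in (TAMPERED, CLEAN, OVERSIZED):
        print(mediate(url))
```

Rejecting rather than silently ignoring the `price` field is a deliberate choice: a legitimate client built against the mediated endpoint never sends it, so its presence is worth logging as an attempted manipulation.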

Page 14:

Figure 3-1  Places Where a Buffer Can Overflow.

Page 15: Metasploit Pen Testing

Page 16: Asset Management

• Configuration management
  ◦ Manage updates and deliveries.
• Baselining
  ◦ Capture a point in time.
• Patch management
  ◦ Verification and delivery.
• Vulnerability management
  ◦ How will you respond to a customer?
• Change management
  ◦ Without change, the product will become less secure.

Page 17: TOCTTOU/Race Condition

Time of check to time of use (TOCTOU)
◦ "Alter a condition after it has been checked."
◦ A state attack leveraging an OS change of state.
◦ Hacker asks for permission to file "readme".
◦ OS checks permission on file.
◦ OS does something else...
◦ Hacker makes file a symbolic link from readme to /etc/shadow.
◦ OS allows access to file. Hacker changes passwords.
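The slide's sequence (check the path, get descheduled, the path is re-pointed, then use it) is the general shape of every TOCTOU bug, and the fix is the same in every language: do not inspect the path and then open it, open first and inspect the descriptor you actually got. As an added example that is not part of the original deck, the Python below contrasts the two patterns and replays the slide's scenario in a temporary directory, with a local file standing in for /etc/shadow. The `_between` hook on the racy reader is a hypothetical device that stands in for the scheduling window; the file names and contents are constructed.

```python
import errno
import os
import stat
import tempfile


def read_file_racy(path, _between=None):
    """Check-then-use: the vulnerable shape from the slide.
    `_between` (hypothetical, demo only) stands in for the window in which another process runs."""
    if os.path.islink(path) or not os.path.isfile(path):   # time of check
        raise PermissionError("refusing non-regular file")
    if _between is not None:
        _between()
    with open(path, "rb") as f:                            # time of use
        return f.read()


def read_file_safe(path, expected_uid=None):
    """Open first, never following a symlink, then validate the descriptor actually opened."""
    if not hasattr(os, "O_NOFOLLOW") and os.path.islink(path):
        raise PermissionError("symlinks not allowed")      # best-effort fallback only
    flags = os.O_RDONLY | getattr(os, "O_CLOEXEC", 0) | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        if exc.errno == errno.ELOOP:                       # O_NOFOLLOW hit a symlink
            raise PermissionError("refusing to follow symlink") from exc
        raise
    try:
        st = os.fstat(fd)                                  # inspect what was opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError("unexpected owner")
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def simulate_race():
    """Constructed scenario: 'readme' is re-pointed to a stand-in for /etc/shadow
    between the check and the use. Returns what each reader observed."""
    with tempfile.TemporaryDirectory() as d:
        readme = os.path.join(d, "readme")
        shadow = os.path.join(d, "shadow")                 # stand-in file, constructed content
        with open(readme, "wb") as f:
            f.write(b"harmless text\n")
        with open(shadow, "wb") as f:
            f.write(b"root:$constructed$:0:0:::\n")

        def swap():                                        # what happens inside the window
            os.remove(readme)
            os.symlink(shadow, readme)

        before = read_file_safe(readme)
        racy = read_file_racy(readme, _between=swap)
        try:
            read_file_safe(readme)
            safe_blocked = False
        except PermissionError:
            safe_blocked = True
        return {"safe_before": before, "racy_read": racy, "safe_blocked": safe_blocked}


if __name__ == "__main__":
    print(simulate_race())
```

The same rule applies to privileged services that validate a path on behalf of a caller: pass file descriptors around, or use the `*at` family (`openat`, `fstatat`) with a directory descriptor, so the object checked is the object used.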

Page 18: Discussion Questions

• The common description of a salami attack is penny shaving.
  ◦ Steal small amounts that no one will notice.
• How could you prevent a salami attack from being part of your software product?
  ◦ Can you identify 3 controls to help?
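As an added example that is not part of the original deck, the Python below puts three controls of the kind the discussion question asks for into a small interest-posting routine: exact decimal arithmetic with one documented rounding rule, explicit tracking of the sub-cent residue so it is never credited to anyone, and an independent reconciliation that recomputes every posting and ties the totals out. The balances, rate, account names and the insider scenario (`shaved_postings`, which rounds everyone down and credits the pooled shavings to one account) are constructed for this example.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed balances; ACCT-9999 is the account an insider controls in the scenario below.
BALANCES = {
    "ACCT-0001": Decimal("1234.56"),
    "ACCT-0002": Decimal("987.65"),
    "ACCT-0003": Decimal("5555.55"),
    "ACCT-0004": Decimal("42.42"),
    "ACCT-9999": Decimal("100.00"),
}
RATE = Decimal("0.01")   # 1% for the demo


def post_interest(balances, rate):
    """Control 1: exact Decimal arithmetic with a single documented rounding rule.
    Returns (postings, residue); the residue is tracked, never credited to an account."""
    postings, residue = {}, Decimal("0")
    for acct, bal in balances.items():
        exact = bal * rate
        rounded = exact.quantize(CENT, rounding=ROUND_HALF_EVEN)
        postings[acct] = rounded
        residue += exact - rounded
    return postings, residue


def reconcile(balances, rate, postings, residue):
    """Controls 2 and 3: independent per-account recomputation plus a totals tie-out.
    Returns a list of problem strings; empty means the run is clean."""
    problems = []
    exact_total = sum((bal * rate for bal in balances.values()), Decimal("0"))
    posted_total = sum(postings.values(), Decimal("0"))
    for acct, amount in postings.items():
        if acct not in balances:
            problems.append(f"{acct}: posting to unknown account")
            continue
        if amount != amount.quantize(CENT):
            problems.append(f"{acct}: sub-cent posting {amount}")
        expected = (balances[acct] * rate).quantize(CENT, rounding=ROUND_HALF_EVEN)
        if abs(amount - expected) > CENT:        # tolerate a one-cent rounding-rule difference
            problems.append(f"{acct}: posted {amount}, expected {expected}")
    if posted_total + residue != exact_total:
        problems.append("postings plus residue do not tie to the exact total")
    if abs(residue) > CENT / 2 * len(balances):  # each account contributes at most half a cent
        problems.append(f"rounding residue {residue} exceeds bound")
    return problems


def shaved_postings(balances, rate, mule):
    """Constructed salami scenario: round everyone down, pool the shavings, credit the
    whole cents to `mule`, and report the leftover as residue so the totals still tie."""
    postings, pool = {}, Decimal("0")
    for acct, bal in balances.items():
        exact = bal * rate
        down = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = down
        pool += exact - down
    skim = pool.quantize(CENT, rounding=ROUND_DOWN)
    postings[mule] += skim
    return postings, pool - skim


if __name__ == "__main__":
    print("honest run:", reconcile(BALANCES, RATE, *post_interest(BALANCES, RATE)))
    print("shaved run:", reconcile(BALANCES, RATE, *shaved_postings(BALANCES, RATE, "ACCT-9999")))
```

The point of the shaved run is that the totals tie perfectly, so a reconciliation that only checks totals passes it; the per-account recomputation is what catches the two cents that drifted to ACCT-9999. Floating-point arithmetic would make that recomputation itself unreliable, which is why control 1 comes first.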

Page 19: Virus

• Agent: virus author.
• Malware that does not spread automatically.
• Requires a carrier (USB, CDROM, floppy).
• Macro: MS (Word, Excel).
• Polymorphic: changes its signature on install.
• Boot sector: loads on system startup.
• Stealth: hides from anti-virus software.

Page 20:

Figure 3-4  Virus Appended to a Program.

Page 21:

Figure 3-5  Virus Surrounding a Program.

Page 22:

Figure 3-6  Virus Integrated into a Program.

Page 23:

Figure 3-7  Virus Completely Replacing a Program.

Page 24:

Figure 3-8  Boot Sector Virus Relocating Code.

Page 25:

Figure 3-9  Recognizable Patterns in Viruses.

Page 26: Anti-Virus is Reactionary

Page 27: Polymorphic Virus

• Virus coded to modify its signature.
• Insert lines containing random comments.
• Scanners: remove comments, white space.
• Insert junk code intermittently.
  ◦ Changes the capitalization of the letters in the crucial strings.
  ◦ Traditional code normalization techniques are not applicable.
• Use static encryption.
• Change variable names.

Page 28: Protection Ring Model

Page 29: Root Kits

• Malware that replaces portions of an operating system at user level (ring 3).
  ◦ Unix: replace ls, ps etc.
    PATH: .:/usr/bin:/usr/sbin
  ◦ Windows: replace dir or task list.
• Kernel-mode rootkits operate in ring 0.
  ◦ Hide from /proc on Linux.

Page 30: Root Kit Protection (OSSEC)

Page 31: Targeted Malicious Code

• Written for a specific application or purpose.
• Trap doors: undocumented entry point.
• Salami attack: skimming small amounts.
• Rootkits: Sony XCP example.
• Privilege escalation: programs that run at a high privilege level are targets.
• Keystroke loggers.

Page 32:

Figure 3-10  Stubs and Drivers.

Page 33: Covert Channels

• Definition: any communication that violates a security policy.
• Storage channel: use shared storage to communicate, e.g. the /tmp filesystem.
• Covert timing channel: hacker notices the difference in system response to an incorrect password vs. incorrect username.
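The timing channel on the slide exists because a login routine that cannot find the username returns early, skipping the expensive password hash, so the response time (and often the error text) tells the caller which half of the credential was wrong. As an added example that is not part of the original deck, the Python below shows that leaky shape next to a uniform one that hashes a dummy credential for unknown users, compares digests in constant time and returns one generic message. The user store, salt, iteration count and the `hash_computed` flag in the return value (which stands in for the measurable time difference) are all constructed for this example.

```python
import hashlib
import hmac

ITERATIONS = 10_000   # small for the demo; production values are much higher
GENERIC_MSG = "invalid username or password"


def _hash(password, salt):
    """PBKDF2-SHA256; this is the expensive step whose absence is observable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = b"constructed-salt"   # demo only; real stores use a random per-user salt
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential hashed at the same cost, used whenever the username is unknown
_DUMMY = (_SALT, _hash("placeholder", _SALT))


def login_leaky(username, password):
    """Returns (ok, message, hash_computed). Both the message and the skipped hash
    reveal whether the username exists."""
    if username not in USERS:
        return False, "unknown username", False          # early exit: no hash, fast reply
    salt, expected = USERS[username]
    if _hash(password, salt) == expected:                # also a non-constant-time compare
        return True, "welcome", True
    return False, "wrong password", True


def login_uniform(username, password):
    """Same work and same message whichever field was wrong."""
    salt, expected = USERS.get(username, _DUMMY)         # unknown user still pays for a hash
    candidate = _hash(password, salt)
    # constant-time comparison so the digest bytes do not leak through timing either
    ok = hmac.compare_digest(candidate, expected) and username in USERS
    return ok, ("welcome" if ok else GENERIC_MSG), True


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn("bob", "x"), fn("alice", "x"))
```

Closing the message half of the channel alone is not enough: with identical messages but the early exit left in place, the timing difference still enumerates valid usernames, which is why the uniform version always performs the hash.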

Page 34:

Figure 3-11  Covert Channel Leaking Information.

Page 35:

Figure 3-12  Covert Channels.

Page 36:

Figure 3-13  File Lock Covert Channel.

Page 37:

Figure 3-14  File Existence Channel Used to Signal 100.

Page 38:

Figure 3-15  Covert Timing Channel.

Page 39: Discussion Question

• An electronic mail system could be used to leak information. How could email leakage occur?
• What controls could detect or prevent the leakage?

Page 40: Modularity & Programming

Goals for a component:
◦ Have a single purpose.
◦ Be small: understand content and structure.
◦ Be simple: KISS, low complexity.
◦ Be independent: performs a task isolated from other modules.

Page 41: Benefits of Modularity

• Maintenance: easier to maintain.
• Understandability: easier to comprehend smaller pieces of code.
• Reuse: reuse code in other systems.
• Correctness: quickly trace failures if it only performs a single task.
• Testing: simplifies testing.

Page 42:

Figure 3-16  Modularity.

Page 43: Coupling & Cohesion

• Concept used to describe objects in the object-oriented world.
• Highly coupled = requires a lot of other objects to complete a task.
• High cohesion = very independent object.
• Objects with high coupling have low cohesion.

Page 44:

Figure 3-17  Coupling.

Page 45: Object Oriented Programming

• Java, Perl, Python, C++.
• Programs are a series of connected objects.
• Communicate via message passing.
• Objects are black boxes
  ◦ Have data encapsulated.
  ◦ Have methods that can be called.
• Design by breaking problems into objects.

Page 46: Object Oriented Class

Page 47: Encapsulation

• Concept used to describe how object-oriented design hides data.
• An object is a black box.
• Object provides methods to access data.
• We do not know how the object performs its function.
• Hide what should be hidden.

Page 48:

Figure 3-18  Information Hiding.