
Upload: derek-short

Post on 17-Dec-2015


Software Gone Wrong

SECURITY INNOVATION ©20032

Computer Security

• Security is an enabling technology of the Internet.
  – Privacy, authentication, integrity, fairness.
  – Security turns the Internet into a serious tool for both business and personal uses.
  – The limits of security are the limits of the Internet.
• Security has been failing us, again and again, faster and faster.
• Why is this so?
• Can anything be done about it?

Problems in Computer Security

• Bad cryptography: algorithms and protocols.
• Bad programming: overflow bugs, CGI scripting errors.
• Bad installation: misconfigured firewalls, routers, etc.
• Bad users: poor password choices, social engineering.
• Bad products: don’t solve the correct problem, don’t scale, etc.

All Components are Suspect

• On today’s networks, everything has the potential to compromise security.
  – A Web-based feedback form can compromise your Web server.
  – Melissa proved that your word processor can compromise your security.
  – In Windows NT, a rogue printer driver can compromise your security.
  – In Windows 2000, any program running on your computer can compromise your security.

Protecting Digital Secrets

• Cryptography has the property that the defender has an enormous advantage over the attacker.
• Computer security is more balanced.

What About Cryptography

• Cryptography is about mathematics; security is about people.
• Most security problems cannot be solved with cryptography:
  – Denial-of-service attacks.
  – CGI attacks against Web servers.
  – Viruses like Melissa.
  – Some attacks against DNS servers.

The Future…

• It doesn’t look good:
  – Defensive technologies are getting better, but so are attack technologies.
  – Migration to digital media means that we are depending more on technology.
  – More people using products means fewer intelligent users.
• The future of products is complexity, and complexity is the worst enemy of security.

The Insecurity of Complexity

Complexity Means

1. More bugs
2. Modularity
3. Interconnectedness
4. Difficulty of understanding
5. Difficulty of analysis
6. Difficulty of testing

What is a Software Bug?

• A software flaw that produces unexpected output given proper input
• A software flaw that causes the system to crash or grind to a halt when exposed to faulty inputs

Denver Airport Baggage

• Unmanned carts on a track
• Bad failure recovery/detection
  – Piles of fallen bags would not stop the unloaders
• Carts got out of sync
  – Full carts continue to get loaded
  – Empty carts get unloaded
• Delayed airport opening for 11 months
  – $1 million a day in cost due to bond interest issues

…last known image before plunging to its death

NASA Mars Lander

• Failed translation
  – English units into metric units
  – Major error in spacecraft's path as it approached Mars
• Crashed into the planet
  – Shut off descent engines prematurely
• Taxpayer cost: $165 Million

Milstar Flight 3 Failure

• Incorrect software constant entered into the Upper Stage guidance computer
  – The roll-rate filter constant was entered at one-tenth of its proper value (0.1992476 rather than -1.992476)
• Useless orbit of 400 x 2700 miles instead of the required geosynchronous orbit of 23000 miles
• Taxpayer cost: $1.2 billion

4 Marines Killed

• MV-22 Osprey Helicopter Crash
• Burst hydraulic failure
• Software caused backup system to fail

Can you spot the difference?

Civilian Airliner Shot Down by Navy

• Computer-generated mistakes aboard the USS Vincennes lie at the root of the downing of Iran Air Flight 655, according to senior military officials being briefed on the disaster.
• 290 Iranian passengers and crew may have been the first known victims of "artificial intelligence."

What is a Software Security Bug?

• A software flaw that exposes confidential data to unauthorized users
• A software flaw which causes the system to crash or grind to a halt when exposed to faulty inputs
• A software flaw which allows an attacker to inject code and execute it
• A software flaw which executes privileged commands for an attacker

$8.8 Billion Mistake by Microsoft

• According to Computer Economics, the worldwide economic impact of the Love Bug Virus was estimated at $8.75 billion
• The fact that Microsoft Outlook was designed to execute programs that were mailed to it made the virus possible.

Software Security Bugs

• Faulty code has been with us since the beginning.
• Adequate software needs to withstand random programming bugs: programming Murphy’s computer.

Programming Satan’s Computer

• Engineering software security is different from any other type of engineering.
• Traditional engineering involves making products from ideas.
• Most products are useful for what they do.
• Security products are only useful when they do not allow things to occur.
• Security engineering is therefore backward. We first must figure out how to make things not perform as intended …and then prevent those occurrences.

Programming Satan’s Computer

Engineering Software Security

• Structural engineering involves making sure things do not fail in the presence of random faults (designed margins of safety).
• With software security, faults that occur at exactly the wrong time and in exactly the wrong way do not occur at random but are forced by an intelligent and malicious agent. Security engineering ensures that failures do not occur in the presence of this hostile environment.

Software is not Rocket Science

• The methods used for testing in traditional analog systems do not apply to software
• With a rocket, you extrapolate results
  – What happens in between a 1000 kg test firing and a 10,000 kg test firing?
  – The system is continuous
  – State changes are usually gradual and predictable

Zero Margin of Safety

• Buffer overflows (e.g. fingerd and Morris Worm).
• CGI scripting errors, cross-site scripting, etc.
• Bad random number generators weaken cryptographic keys.
• Java, JavaScript.

Discrete systems

• State changes can not be predicted
• When change happens, numbers can change between 00001111101000 and 10011100010000 in an instant

Let the Compiler Do the Checking

• In the old days programmers had to book time on the mainframe two weeks in advance for compile time, so they would invest countless hours checking their work. This enforced good code.
• The code jockeys of today just bounce code off the compiler until all the errors go away
  – This puts the responsibility of “code review” on the compiler

Form follows Failure

• Sub-synchronous resonance in power systems
  – The addition of series AC capacitors in high energy power systems increases electrical stability
  – However, due to line inductance, the capacitors create electrical oscillations that affect the mechanical generator
• Mohave Generating Station, Southern Nevada, 1971
  – This snapped the drive shaft on a generator twice before it was properly diagnosed
  – This phenomenon is now a serious consideration in any power system design

Things We Can do to Fix Bad Software

• Design better compilers and languages that are inherently safe
  – More formal, more machine tractable
• Perform rigorous failure analysis and apply fault-injection technology.
• Hold vendors liable
• Stop buying it

Heterogeneous Software Systems

• Historical approach: large monolithic applications on top of a small operating system.
• New paradigm:
  – Applications with components, plug-ins, dynamic linked libraries.
  – Operating systems with components, plug-ins, libraries, modules.

Security Issues with Heterogeneous Components

• You can’t assume all the components are trustworthy.
• You can’t assume the components will work in your configuration in a way that is secure.
• Your operating system can’t be relied on to mediate security between components.
• Java sandbox and ActiveX security models have flaws.

Accelerating Connectivity

• As systems get connected, a security flaw in one can propagate to others.
• Connectivity means:
  – MS Word is a networked program.
  – Java applets.
  – Viruses in PostScript files.
• Connectivity means maintenance ports on routers, printers, etc.
• Windows NT has a C2 security rating
  – What happens when we connect to a network?

Accelerating Connectivity

• New protocols, delivery mediums mean new mistakes
• This high degree of connectivity creates the potential for small failures to propagate and lead to massive outages
• Critical Infrastructure
  – Telephone network outages
  – Power system grid failures

More Devices

• Features from workstation computers and low-end wireless terminals are integrated in embedded systems
• Modern embedded systems have operating systems and open interfaces
• Embedded systems usually have very lightweight memory management
• Embedded systems usually have a rather small stack

More Devices

• What happens when buffer overflows and poor access controls lead to mobile code attacks on cellular phones?
• Mobile code can affect distributed systems in exponential time
• If an embedded product gets mass-exploited, software upgrades to fix the vulnerability will be nearly impossible for the consumer to apply

Security Issues of Connectivity

• Using a home computer as an Internet server.
  – Game machines.
• Putting toasters, refrigerators and other small devices on the Internet.
• Reusing weak protocols for new services.
• Connecting phones and palmtops and laptops and computers and servers....

Connectivity as a Forcing Function for Complexity

• Modern software systems are non-linear in their behavior.
• Modern systems are tightly coupled.
• We don’t even understand the interconnectedness of most corporate networks; how can we possibly understand the Internet?

Complexity and Analysis

• Complex systems are being used by those without a fundamental level of understanding:
  – This lack of understanding enables social engineering and makes those attacks more dangerous.
• Analysis of complex systems is difficult:
  – The potential threat model.
  – The protection mechanisms required.
  – The overall design behavior.
• Everything that touches the system becomes relevant to understanding and analysis.

Increased Complexity Means Increased Errors

• Estimates are between 5 and 15 errors per 1000 lines of code.
• More complexity → more code → more errors.
• More errors → more security vulnerabilities.

Accelerating LOC

Code Size
  ~50 million   Windows 2000 (2000)
   40 million   Space Station
   17 million   Netscape
   10 million   Space Shuttle
    7 million   Boeing 777

• Technology is being pieced together with duct tape and baling wire
• More feature rich, more drivers and libraries
  – In 1983, Microsoft Word was only 27,000 LOC

Size of Operating Systems

• Windows 3.1 (1992): 3 million lines of code
• Windows NT (1992): 4 million l.o.c.
• Windows 95 (1995): 15 million l.o.c.
• Windows NT 4.0 (1996): 16.5 million l.o.c.
• Windows 98 (1998): 18 million l.o.c.
• Windows 2000 (2000): 35–50 million l.o.c.
• Linux: 1.5 million
• Solaris 7: 400,000

2000 Backdoors

• 5 – 50 bugs per 1000 lines of code [Voas/McGraw]*

200K bugs X 10% = 20K Security Bugs
20K security bugs X 10% = 2000 Remote Security Bugs

Number of System Calls in Operating Systems

• UNIX 1ed (1971): 33
• UNIX 2ed (1979): 47
• SunOS 4.1 (1989): 171
• 4.3 BSD Net 2 (1991): 136
• Sun OS 4.5 (1992): 219
• HP UX 9.05 (1994): 163
• Linux 1.2 (1996): 211
• Sun OS 5.6 (1997): 190
• Linux 2.0 (1998): 229
• Windows NT 4.0 SP3 (1999): 3433

Accelerating Exposure to Risk

• Massive increase in connectivity
• A vast network of relationships
  – Arpanet started with 12 nodes
• Machines that used to work behind closed doors are now exposed
  – Computers are now worn on belt-loops
  – Toasters connected to the Internet

Complexity Creep

• Sun’s “Home Gateway”.
• Video game machines.
• The Internet.
• Network security devices (firewalls).
• Toasters

The Same Flaws

• The same software bugs just seem like they will not go away
  – We have known about buffer overflows for over 15 years
• Vendors have achieved critical mass
  – When will customers hold vendors liable for buffer overflows?
  – Is it reasonable to accept buffer overflows in production code?

The Same Flaws

• Buffer overflows were first identified in the 1960s.
• They were first used to attack networked computers in the 1970s.
• The Morris Worm used buffer overflows to attack the Internet in 1989.
• Today, buffer overflows are the most common way to attack systems.
  – Two-thirds of all CERT advisories are about buffer overflows.

The Same Flaws

• There’s a particular bug in Microsoft Internet Information Server.
• It was fixed in July 1998.
• Another warning was published by Microsoft in July 1999.
• In January 2000, the bug was exploited to steal credit card numbers from several Web sites.

Time to Market Pressure

• Windows 2000 shipped with 63,000 known bugs, of which 28,000 were likely to be real problems

Insecure Software….Why it Exists

• Networked software and middleware components are not designed to withstand a hostile environment
• Development tools do not prevent simple security bugs (e.g., buffer overflows)
• QA testing methods do not address security
• Customers line up to pay for bad software
• Vendors are not held accountable

Moving Away From Center

• As new players emerge, new services must be delivered in order to compete
• New technology drives more connections, devices, and code
• This new technology is not being properly tested for failures

The Real Reason Software Sucks….

YOU!

• As the consumer, you play a big part by demanding bad software
• To continually demand new features in a very short time frame creates unrealistic time-to-market for reliable software.
• Win 3.1, 95, 98, 2000, NT, XP
  – Are you willing to wait more than two years for the features you want?
  – Are you willing to pay 10 times as much to get those features?

Other Industries Get Sued

• Software shops gather around to defer bugs, decide which ones to ‘patch later’, and which ones to ignore
• In other industries, safety flaws that are not corrected result in major class-action suits

Other Industries Get Sued

• LIMITATION OF LIABILITY AND REMEDIES. Notwithstanding any damages that you might incur for any reason whatsoever (including, without limitation, all damages referenced above and all direct or general damages), the entire liability of ‘The Vendor’ and any of its suppliers under any provision of this EULA and your exclusive remedy for all of the foregoing (except for any remedy of repair or replacement elected by ‘The Vendor’ with respect to any breach of the Limited Warranty) shall be limited to the greater of the amount actually paid by you for the Software or U.S.$5.00. The foregoing limitations, exclusions and disclaimers (including Sections 7, 8, and 9 above) shall apply to the maximum extent permitted by applicable law, even if any remedy fails its essential purpose.

You get $5 bucks

There are Two Alternatives....

1. Slow down, simplify, add security.
  – “FDA” approval for Internet devices and services.
  – Reverse trend toward and move towards convergence.
  – Limit usefulness of Internet.
2. Embrace the insecurity of products.
  – Accept that security vulnerabilities are inevitable.
  – Use security testing to quantify risk.
  – Use risk management and not threat avoidance.

Why do Vendors Refuse to Fix Their Code

• They can afford not to!
• Hardware is expensive to replace – so huge investments are placed into testing hardware prior to release
  – Intel F00F bug cost $500 million
• Software bugs can be patched and downloaded from a web-site
  – They pass the cost of a bug to the customer

Security Testing

• Security is orthogonal to functionality.
  – Just because a product functions properly does not mean that it’s secure.
• No amount of beta testing for functionality can ever intentionally uncover a security flaw.
• Experienced targeted security testing is required to discover security flaws.
• The vendor must find them all
• The attacker must only find one

Testing Software Security

• What would happen if a vendor shipped a product without any functional testing?
  – No in-house testing.
  – No beta testing.
  – Just make sure it compiles and then ship it.
• A product developed using this approach will have hundreds of bugs; the odds of it working correctly are negligible.
• Now imagine a vendor shipping a product without any specific security testing.
• The odds of it being secure are negligible.

Security Testing Requires Testing Smart

• Let’s do the math…
• Imagine a system with ten different settings, each with two possible choices:
  – 45 different pairs of choices.
  – 1024 different combinations altogether.
• 30 different settings = 190 different pairs and a billion different combinations.
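To make the slide’s arithmetic concrete, here is an added Python example (not from the original deck) that computes the pair and combination counts and then builds a pairwise-covering test suite with a simple greedy heuristic, showing that every pair of setting values can be exercised with a handful of configurations rather than all 1024 (or a billion). Note that comb(30, 2) is 435; 190 is the pair count for 20 settings.

```python
from itertools import combinations
from math import comb


def pair_count(n_settings):
    """Number of distinct pairs of settings: C(n, 2)."""
    return comb(n_settings, 2)


def combo_count(n_settings, choices=2):
    """Number of full configurations when every setting has `choices` values."""
    return choices ** n_settings


def _pair_key(i, vi, j, vj):
    """Canonical (lower setting, higher setting, value, value) key for a pair."""
    return (i, j, vi, vj) if i < j else (j, i, vj, vi)


def all_value_pairs(n_settings, choices=2):
    """Every (setting i, setting j, value of i, value of j) a 2-way suite must hit."""
    return {(i, j, a, b)
            for i, j in combinations(range(n_settings), 2)
            for a in range(choices) for b in range(choices)}


def value_pairs_of(config):
    """The setting-value pairs that one configuration exercises."""
    return {(i, j, config[i], config[j])
            for i, j in combinations(range(len(config)), 2)}


def covers_all_pairs(suite, n_settings, choices=2):
    """True if the suite exercises every setting-value pair at least once."""
    covered = set()
    for config in suite:
        covered |= value_pairs_of(config)
    return covered >= all_value_pairs(n_settings, choices)


def _greedy_config(n_settings, choices, uncovered, order):
    """Fill one configuration setting by setting (in `order`), always choosing
    the value that lands on the most still-uncovered pairs."""
    config = [None] * n_settings
    for p in order:
        def score(v):
            s = 0
            for q in range(n_settings):
                if q == p:
                    continue
                if config[q] is None:
                    # partner not fixed yet: count every value it could still take
                    s += sum(_pair_key(p, v, q, b) in uncovered for b in range(choices))
                elif _pair_key(p, v, q, config[q]) in uncovered:
                    s += 1
            return s
        config[p] = max(range(choices), key=score)  # first value wins ties
    return config


def greedy_pairwise(n_settings, choices=2):
    """Build a small suite of configurations covering every setting-value pair
    (2-way / pairwise coverage) with a deterministic greedy heuristic."""
    uncovered = all_value_pairs(n_settings, choices)
    suite = []
    while uncovered:
        best, best_new = None, set()
        # try several setting orders, keep the candidate covering the most new pairs
        for start in range(n_settings):
            order = list(range(start, n_settings)) + list(range(start))
            cand = _greedy_config(n_settings, choices, uncovered, order)
            new = value_pairs_of(cand) & uncovered
            if len(new) > len(best_new):
                best, best_new = cand, new
        if best is None:
            # greedy found nothing new: seed a configuration from one uncovered pair
            i, j, a, b = next(iter(uncovered))
            best = [0] * n_settings
            best[i], best[j] = a, b
            best_new = value_pairs_of(best) & uncovered
        uncovered -= best_new
        suite.append(tuple(best))
    return suite


def summarize(n_settings, choices=2):
    """Pair count, full combination count and pairwise suite size for n settings."""
    return {"pairs": pair_count(n_settings),
            "combinations": combo_count(n_settings, choices),
            "pairwise_tests": len(greedy_pairwise(n_settings, choices))}


if __name__ == "__main__":
    for n in (10, 30):
        print(n, "settings:", summarize(n))
```

Pairwise coverage is not a substitute for targeted security testing, but it shows how a tester can exercise every interaction between two settings without enumerating every configuration.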

Security Testing

• Software will never be placed or deployed into a trusted or predictable environment
• Security testing requires attacking the software in a way that exercises the trust relationships.
• The software should be tested in ways that are unexpected while observing for behaviors that are unknown.

Security Testing History

• Attack and Pen
• Source Code Review
• Network Scanning
• Fault Injection
• Full Disclosure

Fault Injection

• Source code changes require recompile
• Binary instrumentation requires host agent
• API input testing requires test harness
• Network input testing requires additional network node

Black Box Testing

• Can be automated
• Can easily find ‘low hanging fruit’
• Automated Tools:
  – Holodeck
  – Spike
  – Hailstorm™
  – PROTOS