
Introduction to Software Security: Software Vulnerabilities (3). Source: securesw.dankook.ac.kr/ISS20-1/ISS_08_2020_SW_flaws(3).pdf · 2020. 4. 6.


Prof. Seong-je Cho

Computer Security & Operating Systems Lab,

Dept. of Software Science, Dankook University, Korea

Introduction to Software Security

Software Vulnerabilities (3)


- 2 -

Sources / References

Information Security: Principles and Practice, 2nd edition by Mark Stamp, Wiley, 2011

N. Vlajic, CSE 3482: Introduction to Computer Security, Yorku

Nicholas Weaver, Computer Science 161: Computer Security, Berkeley

Myrto Arapinis, Computer Security: INFRA10067, University of Edinburgh

Lecture 12 Program Security, CS 450/650 Lecture

CSC 593: Secure Software Engineering Seminar

Please do not duplicate and distribute

Computer Security & OS Lab, DKU


- 3 -

Contents

Software Complexity

Software Cost

Penetrate and Patch approach

Bug vs. Vulnerability in Software

Secure Software



- 4 -

Software Security Issues

“Normal” users
- Find bugs and flaws by accident
- Hate bad software... but must learn to live with it
- Must make bad software work

Attackers
- Actively look for bugs (flaws)
- Like bad software... and try to make it misbehave, e.g. through a
  - Buffer overflow
  - Integer overflow
  - Format string bug
- Attack systems through bad software


- 5 -

Complexity

“Complexity is the enemy of security”, Paul Kocher, Cryptography Research, Inc.

An autonomous vehicle contains more LOC than was required to land the Apollo astronauts on the moon.

System            Lines of code (LOC)
Netscape              17,000,000
Space shuttle         10,000,000
Linux                  1,500,000
Windows XP            40,000,000
Boeing 777             7,000,000


- 6 -

Lines of Code and Bugs

Conservative estimate: 5 bugs per 1,000 LOC (5 bugs/KLOC)

Do the math:
- Typical computer: 3,000 exe's of 10 KB each
- Conservative estimate of 50 bugs per exe
- About 3,000 × 50 = 150,000 bugs per computer
- A 30,000-node network has 30,000 × 150,000 = 4,500,000,000 = 4.5 billion bugs

Suppose that only 10% of bugs are security-critical and only 10% of those are remotely exploitable:
- 4.5 billion × 0.1 × 0.1 = 45 million
- Then “only” 45 million critical security flaws!


- 7 -

Software costs

Software errors cost the U.S. economy $60 billion annually in rework, lost productivity, and actual damages.

Software costs often dominate computer system costs.

Software costs more to maintain than to develop.

For systems with a long life, maintenance costs may be several times development costs


Source: CS 389 – Software Engineering (https://slide-finder.com/view/CS-389--Software.323946.html)


- 8 -

Penetrate and Patch

In the early days, security was “shown” by finding faults and patching them.

- Flaws are discovered after deployment, often by attackers
- Users may not deploy patches
- Developers can only patch problems they know about
- Patches often fix only the symptoms, not the underlying flaw
- Patches may themselves introduce security flaws (15%?)
- A patch is a map to the vulnerability: attackers reverse engineer it to create attacks


- 9 -

Penetrate and Patch approach

Usual approach to S/W development:
- Develop the product as quickly as possible
- Release it without adequate testing (and with little or no design stage)
- Patch the code as flaws are discovered

In security, this is “penetrate and patch”:
- A bad approach to S/W development
- An even worse approach to secure software


- 10 -

Comparing the feedback cycle of various development techniques


As the figure shows, the agile cost-of-change curve has flattened because agile techniques shorten the feedback cycle. Agile techniques (shown in green) have short feedback cycles and therefore sit at the flat, low-cost end of the curve; traditional techniques (shown in red) have longer feedback cycles and therefore sit at the higher-cost end. For security the lesson is the same: the longer a flaw survives before it is found, the more it costs to fix, and penetrate and patch finds it latest of all.

Source: http://www.agilemodeling.com/essays/costOfChange.htm

- 11 -

Vulnerability vs. Secure Software

Redefine Terminology



- 12 -

Program Flaws

An error is a programming mistake (to err is human).

An error may lead to an incorrect internal state: a fault. A fault is internal to the program.

A fault may lead to a failure, where the system departs from its expected behavior. A failure is externally observable.

Error → Fault → Failure


- 13 -

Example

This program has an error (the write to index 10).

The error might cause a fault: incorrect internal state (whatever sits after the array in memory is overwritten).

If a fault occurs, it might lead to a failure: the program behaves incorrectly in an externally observable way.

We use the term flaw for all of the above.

    char array[10];
    int i;

    for (i = 0; i < 10; ++i)      /* indices 0..9: in bounds */
        array[i] = 'A';

    array[10] = 'B';              /* error: index 10 is one past the end (out-of-bounds write) */
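The program below is an added example, not code from the slides. It traces the slide's off-by-one write through the three stages above and puts the bounds-checked fix beside it. Because a real out-of-bounds store is undefined behaviour in C, the 10-byte array and the byte that happens to follow it in memory are laid out in one struct and the buggy fill writes through a char pointer to that struct, so the corruption is deterministic; the `neighbour` field and its sentinel value `'N'` are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { ARRAY_LEN = 10 };

struct region {
    char array[ARRAY_LEN];   /* the slide's char array[10] */
    char neighbour;          /* constructed: state that happens to live just past the array */
};

/* The slide's program. Error: the programmer treats index 10 as valid.
 * Fault: the store lands on the byte after the array and corrupts 'neighbour'. */
static void fill_buggy(struct region *r)
{
    char *mem = (char *)r;                /* byte view of the whole struct */
    for (size_t i = 0; i < ARRAY_LEN; ++i)
        mem[i] = 'A';                     /* indices 0..9: in bounds */
    mem[ARRAY_LEN] = 'B';                 /* "array[10] = 'B'": one past the end */
}

/* The fix: every store is checked against the real capacity.
 * Returns 0 on success, -1 if idx is out of range (nothing is written). */
int store_checked(char *array, size_t cap, size_t idx, char value)
{
    if (idx >= cap)
        return -1;
    array[idx] = value;
    return 0;
}

/* Same intent (and the same off-by-one loop bound) as the slide's program, but
 * every write goes through store_checked. Returns how many writes were rejected. */
static int fill_fixed(struct region *r)
{
    int rejected = 0;
    for (size_t i = 0; i <= ARRAY_LEN; ++i)
        if (store_checked(r->array, sizeof r->array, i, i < ARRAY_LEN ? 'A' : 'B') != 0)
            ++rejected;
    return rejected;
}

/* Runs one variant and returns the neighbour byte afterwards. 'N' means the
 * neighbouring state survived; anything else is the externally observable failure. */
char neighbour_after(int use_fixed)
{
    struct region r;
    memset(&r, 0, sizeof r);
    r.neighbour = 'N';
    if (use_fixed)
        fill_fixed(&r);
    else
        fill_buggy(&r);
    return r.neighbour;
}

/* Number of writes the checked version refuses: exactly the one to index 10. */
int rejected_writes(void)
{
    struct region r;
    memset(&r, 0, sizeof r);
    return fill_fixed(&r);
}

int main(void)
{
    printf("buggy fill: neighbour = '%c'\n", neighbour_after(0));
    printf("fixed fill: neighbour = '%c', rejected writes = %d\n",
           neighbour_after(1), rejected_writes());
    return 0;
}
```

Whether the buggy version's fault turns into a visible failure depends entirely on what `neighbour` is used for afterwards; the checked version turns the same error into a reported, contained condition instead.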


- 14 -

Bug

Bug

Bug: a flaw in a computer program or system that results in an unexpected outcome.

SW bug: a flaw in a program that causes it to misbehave in an unintended way; in the security sense, a flaw in code that can compromise the security of a computer system.

HW bug: a flaw in the hardware of a system.

SW bugs
- result in crashes and unintended program state
- are due to human mistakes in the source code, compiler, or runtime system
- are triggered through specific input (e.g., console, file, network, or environmental input)


- 15 -

Bug vs. Vulnerability

If the bug can be controlled by an adversary to escalate privileges, e.g., gaining code execution, changing the system state, or leaking system information, then it is called a vulnerability.

Vulnerability: a SW weakness that allows an attacker to exploit a software bug. It requires three key components:
- the system is susceptible to the flaw,
- the adversary has access to the flaw (e.g., through information flow from attacker-controlled input), and
- the adversary has the capability to exploit the flaw.
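The following is an added example, not code from the slides or from any of the cited sources, showing the three components on a concrete bug: a toy echo service reads a one-byte claimed length from the request and echoes that many payload bytes back. The request format, the server's memory layout (a request buffer followed by a secret) and the secret value are all constructed for the example; in a real process the bytes after the buffer would be whatever the heap or stack happens to hold.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REQ_MAX     16                    /* request buffer capacity */
#define SECRET_LEN  8
#define ARENA_LEN   (REQ_MAX + SECRET_LEN)

static const char SECRET[SECRET_LEN + 1] = "S3CR3T!!";   /* constructed secret */

struct server {
    unsigned char arena[ARENA_LEN];   /* [0, REQ_MAX): request, [REQ_MAX, ARENA_LEN): secret */
    size_t req_len;                   /* bytes actually received */
};

/* What the server looks like after receiving a request: request bytes next to a secret. */
static void server_load(struct server *s, const unsigned char *req, size_t req_len)
{
    memset(s->arena, 0, sizeof s->arena);
    memcpy(s->arena, req, req_len);
    s->req_len = req_len;
    memcpy(s->arena + REQ_MAX, SECRET, SECRET_LEN);
}

/* Request format (constructed): byte 0 = claimed payload length, bytes 1.. = payload.
 * Buggy handler: trusts the claimed length and only clamps it to the output buffer.
 *  1. susceptible: the copy can run past the payload that was actually received;
 *  2. access: the length byte is attacker-controlled input that flows to the copy;
 *  3. capability: the attacker reads bytes beyond the request, leaking system
 *     information, which makes this bug a vulnerability. */
static size_t echo_buggy(const struct server *s, unsigned char *out, size_t out_cap)
{
    size_t n = s->arena[0];
    if (n > out_cap)
        n = out_cap;
    memcpy(out, s->arena + 1, n);
    return n;
}

/* Fixed handler: never echo more than was actually received, whatever the header claims. */
static size_t echo_fixed(const struct server *s, unsigned char *out, size_t out_cap)
{
    size_t n = s->arena[0];
    size_t available = s->req_len > 1 ? s->req_len - 1 : 0;
    if (n > available)
        n = available;
    if (n > out_cap)
        n = out_cap;
    memcpy(out, s->arena + 1, n);
    return n;
}

static int contains_secret(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i + SECRET_LEN <= n; ++i)
        if (memcmp(buf + i, SECRET, SECRET_LEN) == 0)
            return 1;
    return 0;
}

/* Sends the 3-byte payload "hi!" with an attacker-chosen length byte through one
 * handler; fills 'out' and returns the number of bytes echoed. */
static size_t run(int use_fixed, unsigned char claimed_len, unsigned char *out, size_t out_cap)
{
    unsigned char req[4] = { claimed_len, 'h', 'i', '!' };   /* constructed request */
    struct server s;
    server_load(&s, req, sizeof req);
    return use_fixed ? echo_fixed(&s, out, out_cap) : echo_buggy(&s, out, out_cap);
}

/* 1 if the secret came back in the echo, 0 otherwise. */
int leaks_secret(int use_fixed, unsigned char claimed_len)
{
    unsigned char out[ARENA_LEN - 1] = { 0 };   /* room for arena[1..ARENA_LEN) at most */
    size_t n = run(use_fixed, claimed_len, out, sizeof out);
    return contains_secret(out, n);
}

size_t echoed_bytes(int use_fixed, unsigned char claimed_len)
{
    unsigned char out[ARENA_LEN - 1] = { 0 };
    return run(use_fixed, claimed_len, out, sizeof out);
}

int main(void)
{
    printf("buggy, claimed 255: %zu bytes, leak=%d\n", echoed_bytes(0, 255), leaks_secret(0, 255));
    printf("buggy, claimed   3: %zu bytes, leak=%d\n", echoed_bytes(0, 3),   leaks_secret(0, 3));
    printf("fixed, claimed 255: %zu bytes, leak=%d\n", echoed_bytes(1, 255), leaks_secret(1, 255));
    return 0;
}
```

With an honest client (claimed length 3) the buggy handler behaves correctly, so the flaw is only a bug; the moment the length field is attacker-controlled and the over-read reaches data worth stealing, all three components are present and the same line of code is a vulnerability.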


- 16 -

Bug and Vulnerability

Classification of software bugs and vulnerabilities (figure)

Source: G. Schryen, Security of Open Source and Closed Source Software: An Empirical Comparison of Published Vulnerabilities, AMCIS, 2009


- 17 -

Vulnerabilities

Vulnerabilities come in two kinds: design flaws and implementation bugs.

Design flaws: high-level problems associated with the architecture of the software.
E.g., failure of authentication; protocols whose design is itself exploitable, such as TCP's SYN handshake (the server commits state before the client is verified, enabling SYN flooding) or Telnet (credentials and session data sent in cleartext).

Implementation bugs: code-level S/W problems.
E.g., buffer overflow.

Design flaws and implementation bugs occur with roughly equal frequency.

Source: A comparison of the efficiency and effectiveness of vulnerability discovery techniques, Information and Software Technology, 2013


- 18 -

Software Vulnerability

Informally, a bug with security consequences.

A design flaw or poor coding that may allow an attacker to exploit software for a malicious purpose:
- e.g. allowing easily-guessed passwords (poor coding)
- e.g. complete lack of passwords when needed (design flaw)
- e.g. a hard-coded password (usually classed as a coding flaw: once the code ships, no configuration can remove the credential)

More formal definition (NIST):
A security flaw, glitch, or weakness found in software that can be exploited by an attacker.


- 19 -

Threats of Insecure Software

Successful exploitation of insecure software can lead to
- data breach and information leakage (confidentiality exposure),
- modification or alteration of data (integrity exposure),
- defacement, downtime, and denial of service (availability exposure),
- financial loss.

Undetected and surreptitious exploitation can also lead to implantation of malicious software within your organization, giving the attacker both the ability and the opportunity to attack at any time.

Surreptitious: secret, stealthy.


- 20 -

Secure Software

In software engineering, we try to ensure that a program does what is intended.

Secure software engineering requires that the software does what is intended... and nothing more.

Software security ensures that software is used for its intended purpose and prevents unintended use.

Absolutely secure software is impossible; absolute security is almost never possible!

How can we manage the risks?


- 21 -

Need to “Shift Left”

BSIMM8 data (figure): Prevention / Detection / Response

Program flaws are unintentional, but still create security risks.

Many vulnerabilities can occur:
- Buffer overflow (smashing the stack)
- Integer overflow
- Format string vulnerability
- SQL injection


- 22 -

Secure SW Development Lifecycle


Source: National Institute of Standards and Technology


- 23 -

Bug Bounty Programs

Source: A. Kuehn & M. Mueller, Analyzing Bug Bounty Programs: An Institutional Perspective on the Economics of Software Vulnerabilities, 2014


- 24 -

Whale Security Bug Bounty Program

Naver Corporation launches the Whale Security Bug Bounty Program to encourage security researchers to help us find and fix security vulnerabilities in Whale and to reward their efforts spent making our product secure.

Naver focuses on bugs in the latest version of the Whale browser.
- The bugs must be reproducible on the latest version at the time of reporting
- Bugs in third-party libraries used only by Whale (not Chromium) are eligible
- Bugs in synchronization are eligible

https://bugbounty.whale.naver.com/ko/


- 25 -

Software Security Topics

Program vulnerabilities (unintentional)

Buffer overflow

Integer overflow

Format string bugs

Incomplete mediation

Race conditions

Malicious software (intentional)

Viruses

Worms

Other breeds of malware (Trojan horse, Bot, Rootkit, …)



- 26 -

Summary

The penetrate-and-patch approach is bad

Software Security

Reduction/Mitigation of Software Vulnerabilities

Secure Software Development Life-Cycle

Need to “Shift Left”
