UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKEdvotipka/slides/Votipka-HCSS2019.pdf · UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Daniel Votipka, Kelsey Fulton, James Parker,

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE

Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks

Qualitative Analysis From Build It, Break It, Fix It

University of Maryland, College Park

1

“SOLVED” VULNERABILITIES ARE STILL A VERY REAL PROBLEM

2


2


2


2


2

3

“rolling its own crypto rather than relying on tried and tested solutions…. The devices were sending hardcoded encryption keys over the network, and were using a fixed

initialization vector… Moreover, the devices didn’t include any message signing”

3



3



3



3



3

“SBI's Mumbai-based data center had a server without password protection”

4

5

Why do developers continue to make

stupid and lazy mistakes?

6



7



How can we make secure programming easier?

8

POSSIBLE SOLUTIONS

9

POSSIBLE SOLUTIONS

More/Better Education

9

POSSIBLE SOLUTIONS


Better APIs

9

POSSIBLE SOLUTIONS


Better APIs

Better documentation

9

POSSIBLE SOLUTIONS


Better APIs


Automation

9

POSSIBLE SOLUTIONS


Better APIs


Automation

Etc

9

POSSIBLE SOLUTIONS


Better APIs


Automation

Etc

How can we improve the effectiveness of these solutions?

9

IN ORDER TO IMPROVE THESE SOLUTIONS, WE NEED TO UNDERSTAND THE TYPES, CAUSES, AND PERVASIVENESS OF VULNERABILITIES.

10

HOW CAN WE MEASURE THIS?

Field studies

Field surveys

Lab studies

11

FIELD STUDIES

Immerse ourselves in the “real world” to observe and collect data

12

FIELD STUDIES


Pros:

12

FIELD STUDIES


Pros:

We can see what happens in the real world

12

FIELD STUDIES


Pros:


Cons:

12

FIELD STUDIES


Pros:


Cons:

Hard to get access to

12

FIELD STUDIES


Pros:


Cons:

Hard to get access to

Hard to generalize site specific data 12

FIELD SURVEYS

CVEs, GitHub, etc

13

FIELD SURVEYS

CVEs, GitHub, etc

Pros:

13

FIELD SURVEYS

CVEs, GitHub, etc

Pros:

Large datasets publicly available

13

FIELD SURVEYS

CVEs, GitHub, etc

Pros:


Data is already categorized

13

FIELD SURVEYS

CVEs, GitHub, etc

Pros:



Cons:

13

FIELD SURVEYS

CVEs, GitHub, etc

Pros:



Cons:

Hard to understand why

13

FIELD SURVEYS

CVEs, GitHub, etc

Pros:



Cons:

Hard to understand why

Hard to compare possibly unrelated data 13

LAB STUDIES

Have people participate in a controlled experiment

14

LAB STUDIES


Pros:

14

LAB STUDIES


Pros:

A lot of control over conditions

14

LAB STUDIES


Pros:


Cons:

14

LAB STUDIES


Pros:


Cons:

Ecological validity

14

LAB STUDIES


Pros:


Cons:

Ecological validity

Potentially simple problems 14

BUILD IT, BREAK IT, FIX IT

Secure programming contest

Ruef et al. , CCS 2016

15



Build-It Phase


15



Build-It Phase

2 weeks


15



Build-It Phase

2 weeks

Develop to spec with open choices


15



Build-It Phase

2 weeks


Incentivized:


15



Build-It Phase

2 weeks


Incentivized:

Make it performant


15



Build-It Phase

2 weeks


Incentivized:

Make it performant

Make it secure


15


Break-It Phase


16


Break-It Phase

Get other teams’ source code


16


Break-It Phase


Attack breadth of submissions


16


Break-It Phase



Find unique vulnerabilities


16


Break-It Phase




Prioritize security bugs over correctness


16


Break-It Phase





Fix-It Phase


16


Break-It Phase





Fix-It Phase

Make fixes and get points back


16

SECURE LOG PROBLEM

log: Event LogTime User Action Where

17

SECURE LOG PROBLEM

./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log


17

SECURE LOG PROBLEM



8:00 AM Bob Enter Gallery

Event LogTime User Action Where

17

SECURE LOG PROBLEM


./logappend –T 0801 –K XDFLKJSLJDLJFLKJLSDF –E Alice -A –R Office log




17

SECURE LOG PROBLEM




8:00 AM Bob Enter Gallery8:01 AM Alice Enter Office




17

SECURE LOG PROBLEM



log:

./logread –K XDFLKJSLJDLJFLKJLSDF –R –E Alice log






17

SECURE LOG PROBLEM



log:

./logread –K XDFLKJSLJDLJFLKJLSDF –R –E Alice log Office






17

SECURE LOG PROBLEM



log:







17

SECURE LOG PROBLEM



log:




X




17

SECURE COMMUNICATIONS PROBLEM

18


./bank –s auth

18


auth: XDFLKJSLJDLJFLKJLSDF

./bank –s auth

18



./bank –s auth

18



./bank –s auth ./atm –s auth –c card –a bob –n 1000

18



./bank –s auth

card: DFLLKSDF

./atm –s auth –c card –a bob –n 1000

bob balance: 1000

18



./bank –s auth

card: DFLLKSDF


./atm –s auth –c card –a bob –d 50 bob balance: 10001050

18



./bank –s auth

card: DFLLKSDF


./atm –s auth –c card –a bob –d 50

./atm –s auth –c card –a bob –w 600bob balance: 10001050450

18



./bank –s auth

card: DFLLKSDF




18



./bank –s auth

card: DFLLKSDF




18

MULTIUSER DATABASE PROBLEM

19


as principal admin password "admin" do create principal alice "alices_password" set msg = "Hi Alice. Good luck in Build it, Break it, Fix it!" set delegation msg admin read -> alice return "success" ***

19



as principal alice password ”alices_password" do return msg ***

19



as principal alice password ”alices_password" do return msg ***

as principal bob password ”bobs_password" do return msg ***

19

RESEARCH QUESTIONS

20

RESEARCH QUESTIONS

What types of vulnerabilities do developers introduce?

20

RESEARCH QUESTIONS


How severe are the vulnerabilities? If exploited, what is the effect on the system?

20

RESEARCH QUESTIONS



How exploitable are the vulnerabilities? What level of insight is required and how much work is necessary?

20



How exploitable are the vulnerabilities? What level of insight is required and how much work is necessary?

RESEARCH QUESTIONS

21

ANALYSIS APPROACH

22

ANALYSIS APPROACH

Examine projects and associated exploits in detail

22

ANALYSIS APPROACH


Iterative open coding

22

ANALYSIS APPROACH



Two independent researchers with high reliability

22

ANALYSIS APPROACH




76 projects with 866 submitted exploits

22

ANALYSIS APPROACH




76 projects with 866 submitted exploits

Both qualitative and quantitative analysis performed

22

RESULTS

23

Mistake

Vulnerability classes

No implementation Misunderstanding

Intuitive Bad Choice Conceptual ErrorUnintuitive

24


No implementation

25


No implementation

Intuitive

• Missed something “Intuitive”

26


No implementation

Intuitive

• Missed something “Intuitive”• No encryption (log, ATM)

26


No implementation

Intuitive

• Missed something “Intuitive”• No encryption (log, ATM)• No access control (MD)

26


No implementation

Intuitive Unintuitive


• Missed something “Unintuitive”• No MAC (log)

27


No implementation



• Missed something “Unintuitive”• No MAC (log)• Side-channel leakage (ATM,

MD)

27


No implementation



• Missed something “Unintuitive”• No MAC (log)• Side-channel leakage (ATM,

MD)• No replay prevention (ATM)

27


Misunderstanding

28


Misunderstanding

Bad Choice

• Made a “Bad Choice”

29


Misunderstanding

Bad Choice

• Made a “Bad Choice”• Weak algorithms

(log, ATM)

29


Misunderstanding

Bad Choice


(log, ATM)• Homemade

encryption (log, ATM)

29


Misunderstanding

Bad Choice


(log, ATM)• Homemade

encryption (log, ATM)

• strcpy (log, ATM, MD)

29


Misunderstanding

Bad Choice Conceptual Error

• Made a “Conceptual Error”

30


Misunderstanding


• Made a “Conceptual Error”• Fixed value (log,

ATM, MD)

30

31

31

31


Misunderstanding



ATM, MD)

32


Misunderstanding



ATM, MD)• Lacking sufficient

randomness (log, ATM)

32


Misunderstanding



ATM, MD)• Lacking sufficient

randomness (log, ATM)

• Disabling protections in library (log)

32

33

33

Mistake


• Made a “Mistake”

34

Mistake


• Made a “Mistake”• Control flow mistake (ATM, MD)

34

Mistake


• Made a “Mistake”• Control flow mistake (ATM, MD)• Skipped algorithmic step (ATM, MD)

34

Mistake



34

Mistake



34

PREVALENCEPercentage of projects that introduced a mistake, misunderstanding,

and no implementation vulnerability grouped by problem:

20% of projects 800 40 60

Secure log Secure communication Multiuser database Totals

Mistake

Misund.

No Impl.

introd_metagroup_noattempt

introd_metagroup_misunderstood

introd_metagroup_mistake

0 20 40 60 80Percentage of Projects

Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total

35





Mistake

Misund.

No Impl.





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total

35





Mistake

Misund.

No Impl.





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total





Vuln

erab

ility

Cla

ss problem

ATM

EHR

Gallery

Total

35

PREVALENCE

Intuitive

Unituitive

Bad choice

Concept error

0 14 28 41 55

No

Impl

.

Mis

und.

% of Projects that introduced each subclass

% of projects

36

PREVALENCE

Intuitive

Unituitive

Bad choice

Concept error

0 14 28 41 55

No

Impl

.

Mis

und.


% of projects

36

PREVALENCE

Intuitive

Unituitive

Bad choice

Concept error

0 14 28 41 55

No

Impl

.

Mis

und.


% of projects

36

PREVALENCE

Intuitive

Unituitive

Bad choice

Concept error

0 14 28 41 55

No

Impl

.

Mis

und.


% of projects

36

PREVALENCE

Intuitive

Unituitive

Bad choice

Concept error

0 14 28 41 55

No

Impl

.

Mis

und.


% of projects

36

PREVALENCE

Intuitive

Unituitive

Bad choice

Concept error

0 14 28 41 55

No

Impl

.

Mis

und.


% of projects

36

PREVALENCE

Intuitive

Unituitive

Bad choice

Concept error

0 14 28 41 55

No

Impl

.

Mis

und.


% of projects

36

TRENDS WITHIN MISTAKES

37


Complexity breeds mistakes.

37



Most common in the multi-user database problem (most complex) and least common in log problem (least complex)

37




Writing security checks once reduced mistakes

37




Writing security checks once reduced mistakes

37

Almost all mistakes were found in the Break-It phase

RECOMMENDATIONS

38

RECOMMENDATIONS

Simplify API design

Build in security primitives and focus on common use-cases

38

RECOMMENDATIONS

Simplify API design


Indicate security impact of non-default use in API Documentation

Explain the negative effects of turning off certain things

38

RECOMMENDATIONS

Simplify API design


Indicate security impact of non-default use in API Documentation

Explain the negative effects of turning off certain things

Vulnerability Analysis Tools

More emphasis on design-level conceptual issues 38

SUMMARY

39

SUMMARY

Developers struggle with security concepts

39

SUMMARY


Mostly knew they needed security and picked the right tools

39

SUMMARY



Didn’t know all the security requirements (Unintuitive) or all the implementation details (Conceptual Error)

39

SUMMARY




Mistakes happen, but can be reduced through code review and best practices

39

SUMMARY





Improve API design, documentation, and automation to handle conceptual nuances

39

SUMMARY





Improve API design, documentation, and automation to handle conceptual nuances

39

[email protected]

sec-professionals.cs.umd.edu

mailto:[email protected]

http://sec-professionals.cs.umd.edu

Documents

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKEdvotipka/slides/Votipka-HCSS2019.pdf · UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Daniel Votipka, Kelsey Fulton, James Parker,