
VIVA Presentation

A SOURCE CODE PERSPECTIVE C OVERFLOW VULNERABILITIES EXPLOIT TAXONOMY BASED ON WELL-DEFINED CRITERIA

April 2015

Nurul Haszeli Bin Ahmad
M.Sc. in Computer Sciences (CS780)
Faculty of Computer and Mathematical Sciences
UiTM Shah Alam

Supervisor: Prof. Madya Dr Syed Ahmad Sheikh Aljunid (FSMK, UiTM Shah Alam)
Dr Jamalul-lail Ab Manan (Advance Computing Lab, MIMOS Berhad)

Definition

• Source-code perspective – an approach that views software problems from the developer's point of view.

• Well-defined criteria – a set of criteria for establishing a good solution.

• Overflow vulnerabilities – vulnerabilities that trigger an overflow (intentionally or not) in computer system memory (stack, heap, data segment).

• Overflow vulnerabilities exploit taxonomy – a taxonomy constructed to classify overflow vulnerabilities by exploitation approach.

• Well-defined taxonomy – a taxonomy that complies with a set of criteria, covers all classes and helps users understand the field of study.

References:

1. A well-defined taxonomy is a structured classification that fulfils a set of criteria, eases classification of the objects of study and is used in analysis and discussion (Axelsson, 2000).

2. A well-defined taxonomy should be clear, allowing precise classification of objects (Bishop and Bailey, 1996).

3. A well-defined taxonomy should cover all relevant classes (Hannan et al., 2003).

Presentation Outline

1. Introduction
2. Problem Statement
3. Research Questions, Objectives, Assumptions & Scope
4. Research Methodology
5. Results and Discussion
6. Conclusion and Recommendations
7. Q & A

Introduction

Timeline: 1988 (Morris Worm (One, 1996)), 2000, 2010, 2014

1. Vulnerabilities and exploitation continue to persist and evolve, with no indication that they will recede (Brandan, 2014; Campbell, 2012; IBM, 2009; Kaspersky, 2009).

2. The number of attacks is increasing (Cybersecurity Malaysia, 2009; Cenzic Inc, 2010).

3. Attacks are becoming more sophisticated; W32.Stuxnet (Symantec Corporation, 2010; Falliere, Murchu, & Chien, 2011; Chen T. M., 2010).

4. Number of vulnerabilities released per year: ~5000 (Symantec Corporation, 2014).

Introduction

Why are C overflow vulnerabilities persistent and significant?

• First ever detected, and still being released in major vulnerability databases such as Microsoft, Cenzic, IBM, HP, NIST, SANS Institute, OWASP, OSVDB, etc.

• Exist in multiple variants – 10 types of C overflow vulnerabilities

• Work on them since 1970

• Program analysis – static and dynamic

• 11 analysis methods

• > 40 analysis tools

• Safe libraries, secure compilers

Introduction

1. Vulnerabilities understanding is the process of educating and building knowledge on vulnerabilities (Krsul, 1998).

2. It is a major step towards enhancing tools and implementations for better defense mechanisms (Krsul, 1998; Tsipenyuk, Chess, & McGraw, 2005).

To improve understanding and knowledge: guidelines, books, taxonomy.

Problem Statement

1. C overflow vulnerabilities are still a major security issue and the root cause of many successful exploits.

2. Although vulnerability taxonomies and their classifications have been constructed, presently:

   a. most of these are not source-code based, which prevents software developers from understanding the vulnerabilities and writing safe code;

   b. there are a few source-code-based taxonomies, but they are not well-defined.

Problem Statement

Timeline of previous work: 1970s, 1990, 2000, 2010, 2014

1. For debugging and understanding code
2. Focus on code causing errors

In summary:
1. Focus on software/coding vulnerabilities (sw/hw/nw)
2. Looking from a memory/source-code perspective
3. Views/solutions to overcome symptoms that appear after vulnerabilities occur or exploitation occurs
4. Too wide/generic classifications/taxonomies, or specific but incomplete
5. Starts looking at well-defined taxonomy
6. Purpose – debugging, evaluating program analysis

Problem Statement

Research Gaps

• Taxonomy
• Well-defined taxonomy
• Source-code perspective
• Looking at the root causes rather than symptoms
• Specific to C overflow vulnerabilities
• Purpose – educate software developers on secure code

Problem Statement

Research Gaps

“There is no taxonomy focusing on C overflows vulnerabilities exploits from source codes perspective and constructed based on a set of well-defined criteria with the objective of helping the system developers and programmers to develop secure codes to reduce their mistakes or ignorance” (Thesis, page 9)

Research Questions, Objectives, Assumptions & Scope

5 RQ versus 5 RO

RQ 1: Why do C overflow vulnerabilities still persist although they are common knowledge, and there are numerous methods and tools available to overcome them?

RO 1: To identify the reasons why C overflow vulnerabilities, despite more than three decades, still persist although there are various methods and tools available.

Research Questions, Objectives, Assumptions & Scope

RQ 2: How to improve the understanding and knowledge of software developers on C overflow vulnerabilities from a source-code perspective?

RO 2: To construct a well-defined C overflow vulnerabilities exploit taxonomy from a source-code perspective.

Research Questions, Objectives, Assumptions & Scope

RQ 3: How to evaluate the well-defined C overflow vulnerabilities taxonomy from a source-code perspective?

RO 3: To evaluate and validate the constructed taxonomy against the well-defined criteria.

RQ 4: Which Windows-based operating system is critical and vulnerable to exploit using C overflow vulnerabilities?

RO 4: To evaluate the security vulnerability of Windows-based operating systems with respect to C overflow vulnerabilities exploits.

RQ 5: What is the effectiveness of static analysis tools in detecting the C overflow vulnerabilities exploit based on the well-defined taxonomy?

RO 5: To evaluate the effectiveness of static analysis tools in detecting C overflow vulnerabilities based on the classes in the constructed taxonomy.

Research Questions, Objectives, Assumptions & Scope

Assumptions

1. Most exploits on vulnerabilities occur in Windows 32-bit OS, although many vulnerabilities are OS dependent.

2. The number of exploitations in UNIX or Linux OS is significantly small.

3. 64-bit OS is more secure compared to 32-bit OS.

4. Other programming languages are safer.

Research Questions, Objectives, Assumptions & Scope

Scope

1. The main environment is Windows 32-bit OS.

2. The research is limited to Windows XP and 7.

3. Only programs built using the C language are considered.

4. The evaluation was limited to five different analysis tools.

5. Studies on program analysis focus on static analysis.

6. The scope of the research was C source code.

7. Only vulnerabilities triggering overflows in C programs.

Research Methodologies

Research Framework: C Overflow Vulnerabilities Exploit Taxonomy

Theoretical Studies: Software Vulnerabilities; Program Analysis; Vulnerabilities Taxonomy

Taxonomy Construction: Taxonomy Criteria; Vulnerabilities Exploit Taxonomy

Taxonomy Evaluation: Taxonomy Evaluation; Tool Evaluation

Research Methodologies

Research Phases: Theoretical Studies, Taxonomy Construction, Taxonomy Evaluation

Research Methodologies – Theoretical Studies

RQ 1: Why do C overflow vulnerabilities still persist although they are common and have been known for more than two decades?

• Pre-analysis on vulnerabilities and information security issues
• In-depth review on software vulnerabilities
• Critical review on C overflow vulnerabilities
• Critical review on program analysis
• Critical review on vulnerabilities understanding

RO 1: To identify the reasons why C overflow vulnerabilities, despite more than three decades, still persist although there are various methods and tools available.

Research Methodologies – Taxonomy Construction

RQ 2: How to improve the understanding and knowledge of software developers on C overflow vulnerabilities from a source-code perspective?

• Development of Criteria for Well-Defined Taxonomy
• C Overflow Vulnerabilities Exploits Taxonomy Construction

RO 2: To construct a well-defined C overflow vulnerabilities exploit taxonomy from a source-code perspective.

Research Methodologies – Taxonomy Construction

RQ 2: How to improve the understanding and knowledge of software developers on C overflow vulnerabilities from a source-code perspective?

RO 2: To construct a well-defined C overflow vulnerabilities exploit taxonomy from a source-code perspective.

• Critical review on relevant publications
• Extract the criteria for constructing a taxonomy
• Detailed analysis of the identified criteria
• Construct the criteria of a well-defined taxonomy
• Review the constructed criteria

Research Methodologies – Taxonomy Construction

RQ 2: How to improve the understanding and knowledge of software developers on C overflow vulnerabilities from a source-code perspective?

RO 2: To construct a well-defined C overflow vulnerabilities exploit taxonomy from a source-code perspective.

• Critical review on relevant reports
• Formation of classes
• Detailed analysis of related publications
• Organize and construct the taxonomy
• Review the constructed taxonomy

Research Methodologies – Taxonomy Evaluation

RQ 3: How to evaluate the well-defined C overflow vulnerabilities taxonomy from a source-code perspective?
RQ 4: Which Windows-based operating system is critical and vulnerable to exploit using C overflow vulnerabilities?
RQ 5: What is the effectiveness of static analysis tools in detecting the C overflow vulnerabilities exploit based on the well-defined taxonomy?

RO 3: To evaluate and validate the constructed taxonomy against the well-defined criteria.
RO 4: To evaluate the security vulnerability of Windows-based operating systems with respect to C overflow vulnerabilities exploits.
RO 5: To evaluate the effectiveness of static analysis tools in detecting C overflow vulnerabilities based on the classes in the constructed taxonomy.

Research Methodologies – Taxonomy Evaluation

• Evaluate the taxonomy against the constructed criteria for a well-defined taxonomy
• Measure the criticality and significance of each identified class
• Measure the criticality of OS and vulnerability exploitation impact
• Evaluate the static analysis tools' effectiveness in detecting the identified classes

Results and Discussion – Criteria for Well-Defined Taxonomy

1. To ensure that the constructed taxonomy is well-defined and therefore contributes to improved understanding of C overflow vulnerabilities, and hence eliminates or reduces C overflow vulnerability occurrences (Tsipenyuk, Chess, & McGraw, 2005; Krsul, 1998).

2. Previous works list between 3 (Killourhy, 2004) and 18 (Lough, 2001) criteria.
   • Too few or too many – insufficient, repetitive or not relevant.

3. 8 relevant criteria that will ensure a taxonomy is well-defined.

Results and Discussion

1. Criteria for Well-Defined Taxonomy

No  Criteria                                      Purpose
1   Simplicity                                    To ease understanding
2   Organized structures                          To demonstrate the relationship
3   Obvious                                       To ease the process of classification
4   Repeatability                                 For consistency
5   Specificity / Mutual exclusive / Primitive    To remove ambiguity
6   Similarity                                    Strengthen the obviousness and specificity
7   Completeness                                  To remove doubt
8   Knowledge compliant                           To ease learning and classifying

Results and Discussion

2. Taxonomy of C Overflow Vulnerabilities Exploit

1. Construction guided by the developed criteria
2. Constructed from a source-code perspective
3. Looking into the root cause rather than symptoms
4. Based on various works (Chess and McGraw (2004), Hansmann (2003) and Howard (2011)) and vulnerability reports between the late 80s and 2013 published at various sites such as MITRE, Kaspersky, IBM and NIST

Result

A well-defined taxonomy with 10 unique classes.

1. Three of the classes are new: Memory Functions, Variable Type Conversion and Pointer Scaling/Mixing
2. Each has unique characteristics, defined from a source-code perspective, that trigger overflow

Results and Discussion – Taxonomy of C Overflow Vulnerabilities Exploit

• Unsafe Functions
• Array Out-of-Bound
• Integer Range/Overflow
• Return-into-libC
• Memory Function
• Function Pointer / Pointer Aliasing
• Variable Type Conversion
• Pointer Scaling / Pointer Mixing
• Uninitialized Variable
• Null Termination
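As an added example that is not part of the presentation or the thesis, the C below shows how three of the listed classes (Unsafe Functions together with Null Termination, Integer Range/Overflow, and Variable Type Conversion) look in source code, each beside a checked form that refuses the input the unchecked pattern would let overflow; BUF_LEN and all function names are illustrative assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the thesis's code. BUF_LEN and all function names
 * are illustrative. Checked forms return 0 on success and -1 when they
 * refuse input that the unchecked pattern would have let overflow. */
#define BUF_LEN 16

/* Unsafe Functions / Null Termination: strcpy has no bound, and a
 * strncpy that fills dst drops the terminator. The checked form measures
 * first and copies the NUL explicitly. */
void copy_name_unchecked(char dst[BUF_LEN], const char *src) {
    strcpy(dst, src);                  /* overflows dst when strlen(src) >= BUF_LEN */
}

int copy_name_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)  /* no room for n bytes plus the NUL */
        return -1;
    memcpy(dst, src, n + 1);           /* n + 1 includes the terminator */
    return 0;
}

/* Integer Range/Overflow: count * elem_size can wrap to a small value
 * before it reaches the allocator, leaving the buffer too short. The
 * checked form tests the product before computing it. */
int elem_bytes_checked(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;                     /* product would wrap */
    *out = count * elem_size;
    return 0;
}

/* Variable Type Conversion: an int length checked as "len < BUF_LEN"
 * passes while negative, then becomes a huge size_t at the memcpy call.
 * The checked form rejects negatives before any conversion. */
int copy_len_checked(char *dst, size_t dst_len, const char *src, int len) {
    if (len < 0 || (size_t)len > dst_len)
        return -1;
    memcpy(dst, src, (size_t)len);     /* copies exactly len bytes, no terminator */
    return 0;
}

int main(void) {
    char buf[BUF_LEN];
    size_t bytes;
    int ok = copy_name_checked(buf, sizeof buf, "viva") == 0
          && copy_name_checked(buf, sizeof buf, "longer than sixteen chars") == -1
          && elem_bytes_checked(4, 8, &bytes) == 0 && bytes == 32
          && elem_bytes_checked(SIZE_MAX / 2 + 1, 2, &bytes) == -1
          && copy_len_checked(buf, sizeof buf, "abc", 3) == 0
          && copy_len_checked(buf, sizeof buf, "abc", -1) == -1;
    return ok ? 0 : 1;                 /* exit status 0 means every check held */
}
```

copy_name_unchecked is only there to show the pattern the checked form replaces; main never calls it.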


Results and Discussion – 2. Taxonomy of C Overflow Vulnerabilities Exploit

Discussion

1. A characteristics-based taxonomy
2. Overflow vulnerabilities in applications developed using the C language
3. Classes classified in a well-defined taxonomy
4. Focus on exploit methodologies and the source-code perspective
5. Comparison to previous work:
   1. Constructed from the same perspective but with a generic approach, not focusing on exploitation methods from a source-code view, such as Shariar (2011) and Weber (2005)
   2. Specific to the C language too, but covering a limited set of C overflow vulnerabilities, such as Moore (2007) and Wilander (2002)
   3. Covering many overflow vulnerabilities but in a general context (Tsipenyuk, 2005; Killourhy, 2004)

Results and Discussion – Evaluation

1. Type: Evaluating the effectiveness and completeness in classifying vulnerabilities using the taxonomy (please refer to Table 4.3, page 161 and Table 4.4, page 162).
   Findings:
   1. Classifying vulnerabilities is highly dependent on user skill and knowledge of the language itself.
   2. The taxonomy is effective and complete for classifying C overflow vulnerabilities.
   3. The taxonomy eases users' understanding of C overflow vulnerabilities from a source-code view.

2. Type: Evaluation of the taxonomy for the Comprehensiveness criterion (please refer to Table 4.5, pages 165–166).
   Findings:
   1. The taxonomy covers all overflows up to the date the thesis was written.
   2. Some sites did not publish some of the vulnerabilities, due to:
      1. scope / interest area
      2. the year they started to file
      3. contributors

Results and Discussion – Evaluation

3. Type: Evaluation of the relevance and significance of classes in the C Overflow Vulnerabilities Exploit Taxonomy (please refer to Table 4.6, page 170; Table 4.7, page 171; Table 4.8, page 172).
   Findings:
   1. All classes listed in the taxonomy are relevant and significant.
   2. Most of the classes were filed with medium to high impact and severity.
   3. There are classes that were last detected in 2009.

Results and Discussion – Evaluation

4. Type: Evaluation of the significance and relevance of C overflow vulnerability classes and their impact on OS criticality (please refer to Table 4.9 to Table 4.12, pages 176–183; Table 4.13, page 186; Table 4.14 to Table 4.17, pages 188–193).
   Findings:
   1. All OS are vulnerable to C overflow vulnerabilities exploit; the only difference is the difficulty and complexity of the exploit.
   2. 32-bit OS is the most vulnerable and easiest to exploit.

5. Type: Evaluation of static analysis tools' effectiveness in detecting vulnerabilities based on the C Overflow Vulnerabilities Exploit Taxonomy (refer to Table 4.18, page 197).
   Findings:
   1. No static analysis tool is yet able to detect all classes.
   2. All static analysis tools still have false negatives/positives.

Research Summary

Phase 1 – Theoretical Studies

Research Question (RQ)
RQ 1: Why do C overflow vulnerabilities still persist although they are common and have been known for more than two decades?

Research Objectives (RO)
RO 1: To identify the reasons why C overflow vulnerabilities, despite more than three decades, still persist although there are various methods and tools available.

Phase Deliverables / Output (RR)
RR 1: Strengths and weaknesses of current detection and prevention mechanisms
RR 2: Gaps in understanding vulnerabilities

Research Summary

Phase 2 – Taxonomy Construction

Research Question (RQ)
RQ 2: How to improve the understanding and knowledge of software developers on C overflow vulnerabilities from a source-code perspective?

Research Objectives (RO)
RO 2: To construct a well-defined C overflow vulnerabilities exploit taxonomy from a source-code perspective.

Phase Deliverables / Output (RR)
RR 3: Criteria of well-defined taxonomy
RR 4: Taxonomy of C overflow vulnerabilities exploit

Research Summary

Phase 3 – Taxonomy Evaluation

Research Question (RQ)
RQ 3: How to evaluate the well-defined C overflow vulnerabilities taxonomy from a source-code perspective?
RQ 4: Which Windows-based operating system is critical and vulnerable to exploit using C overflow vulnerabilities?
RQ 5: What is the effectiveness of static analysis tools in detecting the C overflow vulnerabilities exploit based on the well-defined taxonomy?

Research Objectives (RO)
RO 3: To evaluate and validate the constructed taxonomy against the well-defined criteria.
RO 4: To evaluate the security vulnerability of Windows-based operating systems with respect to C overflow vulnerabilities exploits.
RO 5: To evaluate the effectiveness of static analysis tools in detecting C overflow vulnerabilities based on the classes in the constructed taxonomy.

Phase Deliverables / Output (RR)
RR 5: Taxonomy validated
RR 6: Significant findings of the research

Conclusion and Recommendations

Research Contribution

Theoretical Contribution:
• Criteria to Construct Well-Defined Taxonomy
• C Overflow Vulnerabilities Exploit Taxonomy
• Novel Methods to Evaluate Taxonomy

Practical Contribution:
• Evaluation Methods on Critical OS
• Evaluation Methods on 5 Static Analysis Tools

Conclusion and Recommendation

1. C overflow vulnerabilities are still relevant.

2. There is NO well-defined taxonomy that specifically focuses on the complete set of C overflow vulnerabilities from a source-code perspective, looks into the root cause of the problem, and aims to improve the understanding and knowledge of C developers. Therefore this taxonomy, the “C Overflow Vulnerabilities Exploit” Taxonomy, has been shown by the evaluations done to be helpful and useful.

3. Five evaluations were done that show the significance and relevance of each class in the constructed taxonomy.

Conclusion and Recommendation

1. Development of new methods and tools, or improvement of current methods and tools, to analyse source code for C overflow vulnerabilities.

2. To further evaluate the taxonomy with a larger group of security experts.

3. To use the taxonomy to evaluate commercial analysis tools.

4. To use the taxonomy to evaluate commercial software using the improved methods and tools.

Q & A

“Lack of knowledge and understanding would produce software with vulnerabilities and failure of implementing effective security mechanisms”
- Krsul, 1998

Nurul Haszeli Bin Ahmad
M.Sc. in Computer Sciences (CS780)
Faculty of Computer and Mathematical Sciences
UiTM Shah Alam
http://malaysiandeveloper.blogspot.com
linkedIn / twitter: masteramuk

Supervisor: Prof. Madya Dr Syed Ahmad Sheikh Aljunid (FSMK, UiTM Shah Alam)
Dr Jamalul-lail Ab Manan (Advance Computing Lab, MIMOS Berhad)

Thank You