CSCD 303 Essential Computer Security Spring 2013 Lecture 18 Creating Secure Programs


CSCD 303 Essential Computer Security, Spring 2013

Lecture 18: Creating Secure Programs

Overview

• Developing Secure Programs
  – Traditional
  – Secure Code Model
  – Security Threats
  – What Microsoft Does

Secure Software

What does it mean for software to be secure?

Software security is an idea implemented to protect software against malicious attack and other hacker risks, so that the software continues to function correctly under such potential risks.

Build Security In

Build Security In, Security First, Designing with Security: all these names were used for the “new” concept of including security in the design of the software.

Prior to this radical idea, security was, and still is, an afterthought in most popular software.

Here is a good summary of this concept by Gary McGraw:

http://searchsecurity.techtarget.com/opinion/Gary-McGraw-on-software-security-assurance-Build-it-in-build-it-right

There are many reasons for Security First…

Why Put Security First?

1. Adding security later is wrapping security around existing features, not designing features with security in mind.
2. Adding security later is expensive.
3. Adding security may change how you implement application features.
4. Adding security may change the user interface.

How is Software Created?

Modern software systems are developed through a software development process or model.
There are many different development models.
Look at the most classic one, and then see how secure development fits within this model.

Waterfall Model

Requirements – defines needed information, function, behavior, performance and interfaces.
Design – data structures, software architecture, interface representations, algorithmic details.
Implementation – source code, database, user documentation, testing.
Test – test each component and integrated tests.
Installation – self explained.
Maintenance – fix minor problems, bug fixes and updates.

Waterfall Strengths

Easy to understand, easy to use
Provides structure to inexperienced staff
Milestones are well understood
Sets requirements stability
Good for management control (plan, staff, track)
Works well when quality is more important than cost or schedule

Waterfall Deficiencies

All requirements must be known up front
Deliverables created for each phase are considered frozen – inhibits flexibility
Can give a false impression of progress
Does not reflect problem-solving nature of software development – iterations of phases
Integration is one big bang at the end
Little opportunity for customer to preview the system (until it may be too late)

Using Waterfall Model

Where could we inject security into the development process? And what could we do?

Security Development Lifecycle

Requirements
  Product Inception: assign resource, security plan

Design
  Design: design guidelines applied, security architecture, security design review, ship criteria agreed upon
  Threat Modeling: models created, mitigations in design and functional specs

Implementation
  Guidelines & Best Practices: coding standards, testing based on threat models, tool usage
  Security Docs & Tools: customer deliverables for secure deployment

Verification
  Security Push: security push training, review threat models, review code, attack testing, review against new threats, meet signoff criteria

Release
  Final Security Review (FSR): review threat models, penetration testing, archiving of compliance info
  RTM & Deployment: signoff

Response
  Security Response: feedback loop – tools/processes, postmortems, SRLs

Model developed by Microsoft

Security Development Lifecycle Artifacts

Security in the Development Cycle

Security Modeling in Development is a Risk Mitigation Strategy

• You will not find all the bugs…
• You will not see all the vulnerabilities…
• Your design will have errors of omission and oversight
  – But, better than the alternative, which is do nothing


Security Modeling

Another way to label the process of developing secure software

Techniques to evaluate an application’s overall security or assess the impact of a specific threat

Objectively identify vulnerabilities and address countermeasures

Integrated steps to take in the development process

Security Modeling – The Process

Define threats
  Consider the data stored in the system, and how it can be misused
  Consider the architecture of the system, and the opportunities it affords malicious users
  Specific threat identification processes can be used

Assess the Impact
  You’ve found a vulnerability… what happens if someone actually finds it? How badly would you or your users be affected?

Implement a Countermeasure
  Mitigate the risk to the best of your ability – code a preventative action, limit the exposure

Defining the Threats

Decompose your application to ask questions about how each use case or application component could go awry.

STRIDE
STRIDE is a classification scheme for characterizing known threats according to the kinds of exploit that are used (or motivation of the attacker).
  Spoofing Identity
  Tampering with Data
  Repudiation
  Information Disclosure
  Denial of Service
  Elevation of Privilege

DREAD
DREAD is a classification scheme for quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat.

STRIDE Threat Categorization (Microsoft developed this)

Spoofing – ex: replaying authentication transaction.
Tampering – ex: modifying authentication files to add new user.
Repudiation – ex: denying that you purchased items you actually did.
Information disclosure – ex: obtaining a list of customer credit card numbers.
Denial of service – ex: consuming CPU time via hash algorithm weakness.
Elevation of privilege – ex: subverting a privileged program to run your cmds.

Microsoft article on STRIDE with example:

http://msdn.microsoft.com/en-us/magazine/cc163519.aspx

STRIDE in a Nutshell

OWASP overview of STRIDE and other threat models:

https://www.owasp.org/index.php/Threat_Risk_Modeling

Evaluate Risk with DREAD

Damage Potential – extent of damage if vulnerability exploited.
Reproducibility – how often attempt at exploitation works.
Exploitability – amount of effort required to exploit vulnerability.
Affected Users – ratio of installed instances of system that would be affected if exploit became widely available.
Discoverability – likelihood that vulnerability will be discovered.

Assessing Vulnerabilities Impact

DREAD aims to quantify a threat.

DREAD modeling influences the thinking behind setting the risk rating, and is also used directly to sort the risks. The DREAD algorithm, shown below, is used to compute a risk value, which is an average of all five categories.

Assign a value between 1 and 10 and use the mean:

Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

Damage Potential
• 0 – no damage; 10 – complete system damage
Reproducibility
• 0 – almost impossible to reproduce; 10 – can reproduce at any time
Exploitability
• 0 – extremely sophisticated skills required; 10 – anybody with a browser
Affected Users
• 0 – no users; 10 – all users (or beyond… think VA data leak)
Discoverability
• 0 – requires source code; 9 – details of exploit are in public domain; 10 – it’s in easily discoverable data in the application itself.
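The Risk_DREAD formula above worked as code: an added example (not from the lecture) that checks each rating against the slide's 0..10 scales, computes the mean, and ranks a set of threats by the result. The three threats and their ratings are constructed sample values for a hypothetical online shop.

```python
"""DREAD risk scoring from the slide's formula (added example, not from the lecture)."""
from dataclasses import dataclass

# The five DREAD categories, each rated on the slide's 0..10 scale.
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int            # 0 = no damage, 10 = complete system damage
    reproducibility: int   # 0 = almost impossible, 10 = reproduce at any time
    exploitability: int    # 0 = extremely sophisticated skills, 10 = anybody with a browser
    affected_users: int    # 0 = no users, 10 = all users
    discoverability: int   # 0 = requires source code, 10 = visible in the application's own data


def dread_score(t: Threat) -> float:
    """Risk_DREAD = (D + R + E + A + D) / 5: the mean of the five ratings.

    Ratings outside the slide's scale are rejected rather than silently averaged,
    since a single out-of-range value would distort the whole ranking.
    """
    ratings = [getattr(t, c) for c in CATEGORIES]
    for c, v in zip(CATEGORIES, ratings):
        if not isinstance(v, int) or not 0 <= v <= 10:
            raise ValueError(f"{t.name}: {c} must be an integer 0..10, got {v!r}")
    return sum(ratings) / len(ratings)


def rank_threats(threats):
    """Sort threats by DREAD score, highest risk first (ties keep input order)."""
    return sorted(threats, key=dread_score, reverse=True)


# Constructed sample threats (hypothetical ratings, not from the lecture),
# deliberately listed out of risk order so the ranking does some work.
SAMPLE_THREATS = [
    Threat("Purchase history editable by an employee (repudiation)", 4, 10, 3, 2, 0),
    Threat("Customer card list exposed to any unauthenticated browser", 10, 10, 10, 10, 9),
    Threat("CPU exhaustion via hash-collision inputs to request parser", 6, 8, 5, 10, 3),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{dread_score(t):4.1f}  {t.name}")
```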


Threat Modeling in General

Goals of Threat Modeling

1. Understand threats to guard against during requirements analysis.
2. Provide basis for which security mechanisms to include during design.
3. Verify security of system design.
4. Provide basis for prescribing secure implementation practices.
5. Provide basis for testing system security after implementation.


Threat Modeling Process

1. Understand adversary’s view of system

2. Evaluate threats

Understanding the Adversary’s View

1. Identify System Assets.
   – System resources that an adversary might attempt to access, modify, or steal.
   – Ex: credit cards, network bandwidth, user access.

2. Identify Entry Points.
   – Any location where data or control transfers between the system being modeled and another system.
   – Ex: network sockets, RPCs, web forms, files.

3. Determine Trust Levels.
   – Privileges external entities have to legitimately use system resources.

Evaluate Threats

Identify Threats
  For each entry point, determine how an adversary may attempt to affect an asset.
  Based on asset, predict what adversary would try to do and what his goals would be.

Analyze Threats
  Decompose threats into individual, testable conditions using techniques like attack trees.
  Evaluate risk of threat with DREAD categories.

Identify Threats

Can an unauthorized network user view confidential information such as addresses or passwords?

Can an unauthorized user modify data like payments or purchases in the database?

Could someone deny authorized users access to the application?

Could an authorized user exploit a feature to raise their privileges to administrator level?

Analyze Threats

• Decompose threats into individual, testable conditions using attack trees

• Attack Trees
  – Hierarchical decomposition of a threat
  – Root of tree is adversary’s goal in the attack
  – Each level below root decomposes the attack into finer approaches
  – Child nodes are ORed together by default
  – Special notes may indicate to AND them

Attack Trees—Graph Notation

Goal: Read file from password-protected PC

Read File
  Get Password
    Search Desk
    Social Engineer
  Network Access
  Physical Access
    Boot with CD
    Remove hard disk

Attack Trees—Text Notation

Goal: Read message sent from one PC to another

1. Convince sender to reveal message.
   1.1 Blackmail.
   1.2 Bribe.
2. Read message when entered on sender’s PC.
   2.1 Visually monitor PC screen.
   2.2 Monitor EM radiation from screen.
3. Read message when stored on receiver’s PC.
   3.1 Get physical access to hard drive.
   3.2 Infect user with spyware.
4. Read message in transit.
   4.1 Sniff network.
   4.2 Usurp control of mail server.
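The text-notation tree above evaluated as code: an added example (not from the lecture) in which a defender marks which leaves already have a countermeasure and the evaluator lists the attack paths that remain, treating children as OR by default and as AND where flagged, exactly as the slides describe. The mitigation flags, the countermeasures named in comments, and the extra AND-node tree are constructed assumptions.

```python
"""Attack-tree evaluation for threat analysis (added example, not from the lecture)."""
from dataclasses import dataclass, field


@dataclass
class Node:
    """One node of an attack tree. Children are ORed by default (the slide's rule);
    set all_required=True for the 'special note' that ANDs them."""
    name: str
    children: list = field(default_factory=list)
    all_required: bool = False   # True = AND node, False = OR node
    mitigated: bool = False      # leaves only: a countermeasure is in place


def open_paths(node):
    """Return every remaining attack path as a list of leaf names.

    A leaf is a path of one step unless it is mitigated. An OR node is open if
    any child is open; an AND node is open only if every child is open, and its
    paths are the cross product of the children's paths.
    """
    if not node.children:
        return [] if node.mitigated else [[node.name]]
    child_paths = [open_paths(c) for c in node.children]
    if not node.all_required:
        return [p for paths in child_paths for p in paths]
    combos = [[]]
    for paths in child_paths:
        if not paths:
            return []            # one blocked branch blocks the whole AND
        combos = [a + b for a in combos for b in paths]
    return combos


def goal_reachable(root):
    """True while at least one unmitigated path to the root goal exists."""
    return bool(open_paths(root))


def leaf(name, mitigated=False):
    return Node(name, mitigated=mitigated)


# The slide's tree; countermeasures marked as mitigated are assumed for this example.
READ_MESSAGE = Node("Read message sent from one PC to another", [
    Node("1. Convince sender to reveal message", [
        leaf("1.1 Blackmail"), leaf("1.2 Bribe")]),
    Node("2. Read message when entered on sender's PC", [
        leaf("2.1 Visually monitor PC screen", mitigated=True),      # assumed: privacy screen
        leaf("2.2 Monitor EM radiation from screen", mitigated=True)]),  # assumed: shielded room
    Node("3. Read message when stored on receiver's PC", [
        leaf("3.1 Get physical access to hard drive", mitigated=True),  # assumed: disk encryption
        leaf("3.2 Infect user with spyware")]),
    Node("4. Read message in transit", [
        leaf("4.1 Sniff network", mitigated=True),                  # assumed: TLS between servers
        leaf("4.2 Usurp control of mail server")]),
])

# Constructed AND example: the attacker needs both steps, so blocking either one closes the path.
ENCRYPTED_LAPTOP = Node("Read file from encrypted laptop", [
    leaf("Steal laptop"), leaf("Obtain disk password")], all_required=True)

if __name__ == "__main__":
    for path in open_paths(READ_MESSAGE):
        print(" AND ".join(path))   # each line is one testable condition still open
```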

Other Stages of Secure Development

Implementation

Coding standards: acceptable libraries and functions; checklists.
Static analysis tools: identify common errors.
Code reviews: more effective than testing in many reports.

Verification

Fuzz Testing: automatic testing with random data.
Unit Tests: test security features.
Penetration Testing: driven by application risks; the threat model identifies the most important assets and entry points.

Maintenance

Prepare before release time.
  Receiving vulnerability reports.
  Releasing security advisories.
  Developing, testing, and distributing patches.


Microsoft Security Development

SDLC at Microsoft

Management support
  Bill Gates letter about 2002 security push: http://www.wired.com/techbiz/media/news/2002/01/49826
Mandatory education
  For managers and engineers. Annual updates.
Metrics
  Education coverage. Vulnerabilities discovered.
Central Security Team
  Ensures someone is responsible. Keeps process and education updated.

Engineering Excellence

Raise the bar of software security
  Improved development process
  New tools designed to help developers
  Guidance and training focused on secure coding
Advance the state of the art of secure software development

Quality & Engineering Excellence: Improved Development Process

Threat modeling, code inspection, penetration testing
Unused features off by default, reduce attack surface area, least privilege
Prescriptive guidance, security tools, training and education
Community engagement, transparency, clear policy

[Chart omitted: axis labelled Days (30 to 720), plotted values 65 and 35. Source: Microsoft Security Bulletin Search]

Quality & Engineering Excellence: Helping Developers Write More Secure Code

.NET Framework 1.1: cryptographic APIs, integrated PKI
Visual Studio .NET 2003: security tools, Web Services Enhancements
Microsoft Security Developer Center: Writing Secure Code v2, developer webcasts


Education for the SDL

Outreach And Communications

Pre Release
  Security Bulletin Advance Notification - three business days prior to release

Second Tuesday / Release Day
  Updates posted on Download Center, Windows Update and/or Office Update
  Bulletins posted
  RSS Feeds
  Customer email and instant message notifications
  Community outreach
  MS Field alerts and call downs

Post Release
  Security Bulletins Webcast (Wednesday following release, 11AM PT)
  Supplementary Webcasts if needed
  Monitor bulletin uptake and customer issues through PSS and Windows Update
  Bulletin maintenance

Customer Process Improvement

Build a more Simplified, Manageable Process
  Moved to monthly release of security bulletins: a predictable, manageable process
  Enable advance planning and preparations
  Software Update Validation Program to help ensure quality
  Advance notification three business days prior to release
  Publicly posted on Microsoft.com; email alert available

Enhance and Improve Bulletin Content
  Revamped technical security bulletin format: added a monthly summary bulletin that includes a summary table of affected software for each bulletin
  Added mitigations and workarounds per vulnerability
  Added more information and guidance on distribution and deployment
  Improved bulletin search tool on TechNet Security

Expand Resources and Support
  Security Advisories
  Technical webcast on Wednesday following the release
  RSS feed for security bulletins
  New notification services, including a comprehensive version and instant message alerts
  Malicious Software Removal Tool

SSIRP - Software Security Incident Response Plan

Companywide process to deal with critical security threats
Mobilize Microsoft resources worldwide

Goals:
  Quickly gain a thorough understanding of the problem
  Provide customers with timely, relevant, consistent information
  Deliver tools, security updates and other assistance to restore normal operation

Watch
  Observe environment to detect any potential issues
  Leverage existing relationships with:
    Partners
    Security researchers and finders
  Monitor customer requests and press inquiries

Alert and Mobilize
  Convene and evaluate severity
  Mobilize security response teams and support groups into two main groups:
    Emergency Engineering Team
    Emergency Communications Team
  Start monitoring WW press interest and customer support lines for this issue

Assess and Stabilize
  Assess the situation and the technical information available
  Start working on solution
  Communicate initial guidance and workarounds to customers, partners and press
  Notify and inform Microsoft sales and support field

Resolve
  Provide information and tools to restore normal operations
  Appropriate solution is provided to customers, such as a security update, tool or fix
  Conduct internal process reviews and gather lessons learned

Guidance, Tools & Response: Delivering Support and Creating Community

Security tools
  Microsoft Baseline Security Analyzer
  Security Bulletin Search Tool
Guidance and training
  Security Guidance Center
  E-Learning Clinics
Community engagement
  Newsletters
  Webcasts and chats

http://www.microsoft.com/security
http://www.microsoft.com/protect

Microsoft Resources

General: http://www.microsoft.com/security
XP SP2 Resources for the IT Professional: http://www.microsoft.com/technet/winxpsp2
Security Guidance Center: http://www.microsoft.com/security/guidance
Tools: http://www.microsoft.com/technet/Security/tools
How Microsoft IT Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit
E-Learning Clinics: https://www.microsoftelearning.com/security
Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx

Secure Software Resources

Waterfall Model: http://www.techrepublic.com/article/understanding-the-pros-and-cons-of-the-waterfall-model-of-software-development/6118423
David LeBlanc's blog about DREAD: http://blogs.msdn.com/b/david_leblanc/archive/2007/08/13/dreadful.aspx
Gary McGraw's site, secure code material: http://www.cigital.com/~gem/

End

System Security Flaws
(…It's the people)

Lab this week is on buffer overflow; do it on your own.