Failure to Protect Stored Data
Austin Woodruff
CSCE 548
Learning Objectives
- Technical overview of the problem
- Examples
- Detection methods and error mitigation
- Conclusion
Technical Overview
This sin comes from the tendency of software designers to worry more about protecting data in transit than about protecting it once it is on disk. In reality, data spends far more time on disk than in transit. Protecting stored data comes down to two aspects: weak or missing access control mechanisms, and lousy or missing data encryption.
Access Control on Stored Data
- Windows: Access Control Lists (ACLs)
- UNIX: permission model
- Bad practice
Encryption of Stored Data
- Don’t be lazy, do it!
- Don’t do it lousy!
Related Topics to Help Understanding
- Information leakage
- Race conditions
- Use of weak password-based systems
- Poor random numbers to generate encryption keys
- Using the wrong cryptography
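As an added example (not from these slides or from the 24 Deadly Sins text), the following Go program shows what "do it, and don't do it lousy" looks like for data at rest, and touches the related topics above: the key and the per-record nonce come from the OS random source rather than a short password or a constant, the mode is authenticated (AES-256-GCM from the standard library) so a modified blob is rejected instead of decrypting to garbage, and each blob is bound to a label so it cannot be moved from one record or file to another. The function names, the sample plaintext and the label "app.conf" are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newAEAD wraps a 256-bit key in AES-GCM, an authenticated mode: any change
// to the stored blob is detected on decryption instead of yielding garbage.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey draws a 256-bit key from the OS CSPRNG. A key hashed from a short
// password, or a constant baked into the binary, is the "poor random numbers"
// case from the related-topics slide.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext for storage. A fresh random nonce is generated on
// every call and prepended to the ciphertext; label (assumed here to be the
// record or file name) is authenticated but not encrypted, so a blob copied
// from one record to another fails to open.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal and returns an error if the blob, the key or the label
// does not match what was sealed.
func Open(key, blob, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("stored blob is too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], label)
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; the value is not a real credential.
	blob, _ := Seal(key, []byte("constructed: db_password=example"), []byte("app.conf"))
	fmt.Printf("stored %d bytes of ciphertext\n", len(blob))
	if _, err := Open(key, blob, []byte("other.conf")); err != nil {
		fmt.Println("blob is bound to app.conf, refused under other.conf:", err)
	}
}
```

The key itself still has to live somewhere the attacker cannot read (a key store, or at minimum a file with restrictive permissions); encryption moves the access-control problem from the data to the key, it does not remove it.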
Examples
- SMS remote control program
- Cybration’s ICUII
- Mozilla installer software
Detection
Look for code that…
- Sets access controls
- Creates an object without setting access controls
- Writes configuration information into a shared area
- Writes sensitive information into an area readable by low-privileged users
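An added example (not from these slides or from the 24 Deadly Sins text) that puts the access-control slide and the detection checklist above into code for the UNIX permission model: WriteRestricted creates a file with mode 0600 and refuses to reuse an existing path, and FindOtherAccessible walks a directory and reports regular files whose permission bits let every user on the machine read or write them, which is what "writes configuration information into a shared area" and "readable by low-privileged users" look like on disk. The function names and the constructed file layout (api.key, app.conf) are assumptions; the program assumes a Unix-like host, since Windows ACLs are not expressed in mode bits.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// WriteRestricted creates path with mode 0600 (owner read/write only) and
// refuses to clobber an existing file (O_EXCL), so a file pre-planted in a
// shared directory cannot be silently reused. The umask can only make the
// resulting mode tighter, never looser.
func WriteRestricted(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// OtherAccessible reports whether the "other" class can read or write the file.
func OtherAccessible(info fs.FileInfo) bool {
	return info.Mode().Perm()&0o006 != 0
}

// FindOtherAccessible walks dir and returns every regular file whose
// permission bits grant read or write to all users on the machine.
func FindOtherAccessible(dir string) ([]string, error) {
	var flagged []string
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if OtherAccessible(info) {
			flagged = append(flagged, p)
		}
		return nil
	})
	return flagged, err
}

// Demo builds a constructed layout in a temporary directory: a secret written
// correctly, and a configuration file left world-readable the way a careless
// install step would leave it. It returns the base names the audit flags.
func Demo() ([]string, error) {
	dir, err := os.MkdirTemp("", "stored-data-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)

	if err := WriteRestricted(filepath.Join(dir, "api.key"), []byte("constructed-secret\n")); err != nil {
		return nil, err
	}
	conf := filepath.Join(dir, "app.conf")
	if err := os.WriteFile(conf, []byte("db_password=constructed\n"), 0o644); err != nil {
		return nil, err
	}
	// Chmod explicitly so a restrictive umask does not hide the bad pattern.
	if err := os.Chmod(conf, 0o644); err != nil {
		return nil, err
	}

	paths, err := FindOtherAccessible(dir)
	if err != nil {
		return nil, err
	}
	var names []string
	for _, p := range paths {
		names = append(names, filepath.Base(p))
	}
	return names, nil
}

func main() {
	names, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("files readable or writable by others:", names)
}
```

Pointing FindOtherAccessible at an application's data or configuration directory is a cheap first pass during code review or deployment testing; the slide's "sets access controls" case is the complementary review item, since code that does set ACLs or modes still has to be read to see whether it sets them correctly.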
Detection in code review
Mitigation
- Don’t be lousy in protection!
- Take it step by step
- Encrypt! Encrypt! Encrypt!
Conclusion
- ACLs and permissions
- Encrypt!
- Integrate your defense!
- Apply
- Analyze
- Test and retest for weaknesses
Works Cited
"Common Weakness Enumeration." CWE - CWE-217: DEPRECATED: Failure to Protect Stored Data from Modification (2.9). N.p., n.d. Web. 26 July 2016.
Howard, Michael, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. New York: McGraw-Hill, 2010. Print.
"Common Vulnerabilities and Exposures." CVE - CVE-2000-0100. N.p., n.d. Web. 26 July 2016.
"Common Vulnerabilities and Exposures." CVE - CVE-2005-1411. N.p., n.d. Web. 26 July 2016.
"Common Vulnerabilities and Exposures." CVE - CVE-2004-0907. N.p., n.d. Web. 26 July 2016.