Binary and Protocol Security Assurance Mahesh Saptarshi, Technical Director Symantec software India Pvt Ltd
Agenda
1. Disclaimers, requests, etc
2. Security Bugs – what, how, and their classification
3. Security assurance of Binary – 3rd party modules
4. Security assurance of network protocols
5. Tools and techniques for discovering security bugs
6. Summary and Q/A
Disclaimers, Requests, etc
- Not Symantec company position, statement or policy
- Focus on the technical details
- Cell phones - Please activate vibrate/quiet mode
- Ask a question any time; Q&A time also at the end
- Much of the material is learned by practice
Security Bugs – What
- Assets, threats, software bugs aka vulnerabilities
- Threats always exist – probabilities vary
- Vulnerabilities make exploits possible
- Threats can be mitigated – reduced probability
- Threats != attacks; vulnerabilities != attacks
- Attacks – attempts by a malicious entity to actuate a threat
- Our aim – eliminate or mitigate vulnerabilities, to foil attacks, so that the probability of a threat is reduced, so that the asset is secure
Our Goal
- Eliminate or mitigate vulnerabilities
- To foil attacks
- So that the probability of a threat is reduced
- So that the asset is secure
Security Bugs – Causes
- Insecure design
- Insecure coding
- Insecure environment
- Lack of proper data validation
- Lack of security assurance
Security Bugs – Examples
- Buffer overflow
- Cross site scripting
- Authentication bypass
- Escalation of privilege
- Arbitrary code execution
- SQL injection
- Arbitrary file modification/overwrite/truncation
Most prevalent security issues
- Input validation: buffer overflow, cross site scripting, SQL injection, file path redirection
- Authentication bypass
- Session issues: session hijack, session replay, insufficient randomization
- Configuration security
Practical approach to finding security bugs
Brute force fuzzing
- Feeding the application lots of different values of the data
- Values of data are derived by systematic or random changes to a valid value
- Network fuzzing, file fuzzing, API parameter fuzzing, web request fuzzing
- Automation required – too many variations
Intelligent security assurance
- Targeted fuzzing
- Integer values at byte boundaries
- Size value and buffer size mismatch
- SQL query and cross domain scripting verification
- Path variation related attacks
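As an added example (not from the slides), the two targeted-fuzzing items above applied to a hypothetical length-prefixed binary message: the case generator derives integer values at byte boundaries and size/buffer mismatches from one valid message, and a hardened parser shows the check that should reject the mismatched ones. The wire format (4-byte big-endian length field, then payload) and all function names are assumptions.

```python
import struct
from typing import Dict, Iterator, Optional, Tuple

# Integer values at byte boundaries: each is where a 1-, 2- or 4-byte field
# wraps, changes sign, or overflows (0xFFFFFFFF is also -1 as a signed int).
BOUNDARY_VALUES = [0, 1, 0x7F, 0x80, 0xFF, 0x100, 0x7FFF, 0x8000, 0xFFFF,
                   0x10000, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]

def encode_message(declared_len: int, payload: bytes) -> bytes:
    """Assumed wire format: 4-byte big-endian length field, then payload.
    declared_len is taken as given so a mismatch can be built on purpose."""
    return struct.pack(">I", declared_len & 0xFFFFFFFF) + payload

def parse_message(buf: bytes) -> Optional[bytes]:
    """Hardened parser: the size value must match the buffer actually
    received; anything else is rejected before the payload is touched."""
    if len(buf) < 4:
        return None
    (declared,) = struct.unpack(">I", buf[:4])
    if declared != len(buf) - 4:  # size value vs buffer size mismatch
        return None
    return buf[4:]

def targeted_cases(valid_payload: bytes) -> Iterator[Tuple[str, bytes]]:
    """Derive test messages from one valid message (systematic, not random)."""
    n = len(valid_payload)
    yield ("valid", encode_message(n, valid_payload))
    for v in BOUNDARY_VALUES:
        # length field at a boundary while the payload keeps its real size
        yield (f"len={v:#x}", encode_message(v, valid_payload))
        # a consistent message whose payload really is that long
        if v <= 0x10000:  # keep the largest constructed case at 64 KiB
            yield (f"payload={v:#x}", encode_message(v, b"A" * v))
    for d in (-1, 1):  # off-by-one around the true size
        yield (f"len={n + d}", encode_message(n + d, valid_payload))

def run_campaign(valid_payload: bytes) -> Dict[str, bool]:
    """Feed every case to the parser; True means the message was accepted.
    A correct parser accepts only the cases whose sizes agree."""
    return {label: parse_message(msg) is not None
            for label, msg in targeted_cases(valid_payload)}

if __name__ == "__main__":
    for label, accepted in run_campaign(b"hello").items():
        print(f"{label:22s} {'accepted' if accepted else 'rejected'}")
```

The same generator can be pointed at any length-prefixed field in a real protocol; a parser that accepts any of the "len=" cases is the bug the slide is describing.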
Practical approach to hunting for security bugs – cont.
Authentication related verification
- Session re-establishment protocol
- Frequent session or form reload testing
- Fake client instantiation
- Fake server instantiation
- Proxy and session break up
- Defaults verification by denying authentication protocol completion
Practical approach to hunting for security bugs – cont.
Session issues
- Session hijack using a proxy MITM attack
- Session key management verification
- Encryption key management verification
- Session key exchange protocol verification
- Session timeout testing
Practical approach to hunting for security bugs – cont.
Configuration security
- File permissions
- File name generation and temporary file location
- Configuration file fuzzing and unreasonable values
- Locale related verification
- Registry entry permissions – DACLs
- Log file permissions – log analyzers and report generators, event viewers
- File overwrite attack using “log truncate” or “cleanup” action
- File upload/download and overwrite action
- Arbitrary file access action
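An added example (not from the slides) of the configuration checks above as a small verification script: it audits file and log permissions, flags a symlink where a "log truncate" or "cleanup" step expects a plain file, and shows safe file name generation for a log. It assumes POSIX permission bits rather than Windows DACLs; the function names and the constructed demo layout are assumptions.

```python
import os
import stat
import tempfile

# Bits that let users other than the owner modify a file or directory.
# POSIX permission bits are assumed; Windows DACLs need the ACL APIs instead.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def audit_path(path):
    """Findings for one config/log file or directory; [] means nothing found."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A link where a plain file is expected: a "log truncate" or "cleanup"
        # step that opens it would overwrite whatever the link points at.
        return ["symlink"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & WRITABLE_BY_OTHERS:
        findings.append(f"writable-by-others:{mode:o}")
    if stat.S_ISDIR(st.st_mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        # World-writable directory without the sticky bit: any user can rename
        # or replace the log and config files kept inside it.
        findings.append("dir-replaceable")
    return findings

def create_private_log(directory):
    """Safe file name generation: unpredictable name, created with O_EXCL (an
    existing file or planted link at that name fails rather than being opened)
    and mode 0600 regardless of umask."""
    fd, path = tempfile.mkstemp(prefix="app-", suffix=".log", dir=directory)
    os.close(fd)
    return path

def build_demo_tree():
    """Constructed sample layout: a world-writable config, a replaceable log
    directory holding a symlinked log, and one correctly created private log."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    conf = os.path.join(root, "app.conf")
    open(conf, "w").close()
    os.chmod(conf, 0o666)
    logdir = os.path.join(root, "logs")
    os.mkdir(logdir)
    os.chmod(logdir, 0o777)
    link = os.path.join(logdir, "old.log")
    os.symlink(conf, link)
    return {"root": root, "conf": conf, "logdir": logdir, "link": link,
            "good": create_private_log(root)}
```

Run audit_path over each entry of build_demo_tree() to see the three findings and the one clean file; on a real system point it at the product's config and log directories instead.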
Tools for hunting down security bugs
- Static source code analysis – Coverity, RATS, FindBugs, FxCop
- Nessus – port scanner and vulnerability verification
- NMAP – network mapper, services and OS security
- Wireshark – sniffing network traffic
- SPIKE – network fuzzing
- Filemon/Regmon – monitoring file and registry access
- PEexplorer – exploring running processes
- IDA – debugger for analysing crash dumps
- WebInspect, AppScan, Cenzic Hailstorm – web security attack tools
Summary
- Software security bugs
- Eliminate or mitigate vulnerabilities
- To foil attacks
- So that the probability of a threat is reduced
- So that the asset is secure
Mahesh Saptarshi Mahesh_saptarshi@symantec.com