CSC 569 Building Secure Software By Viega/McGraw Addison Wesley.

Chapter 1 Introduction to Software Security

- It's All About the Software
- Hackers, Crackers, and Attackers
- Dealing with Widespread Security Failures
- Technical Trends Affecting Software Security
- Security is like Safety, Dependability, Reliability: the 'ilities'
- Penetrate and Patch Approach
- Common Software Security Pitfalls
- Software Project Goals

It's the Software

- The biggest problem in computer security is that many security practitioners do not know what the problem is.
- Data lines protected by strong cryptography make poor targets.
- A secure program begins by building secure software. The software problem is a risk management problem.
- A good risk management approach acknowledges that security is often just a single concern among many, including time-to-market, cost, flexibility, reusability, and ease-of-use.
- Software is at the root of all common computer security problems.
- Malicious hackers don't create security holes; they simply exploit them.
- Security holes and vulnerabilities are the result of bad software design and implementation.

Hackers, Crackers, and Attackers

- In the UNIX development community, a hacker is someone who is an excellent and enthusiastic programmer.
- Software engineers define a hacker as someone who can solve a hard programming problem given limited information.
- In general usage, a hacker is someone who maliciously tries to break software.
- A cracker is someone who breaks software for nefarious ends.
- The malicious hacker, attacker, or bad guy is the one to fear. Those who find exploits but do not use them are not the bad guys.

Widespread Security Failures

- Bugtraq is a mailing list dedicated to reporting security vulnerabilities.
- Consequences of security flaws vary. The goal of most malicious hackers is to "own" a networked computer, and they do so because they can.
- The CERT Coordination Center (CERT/CC) exists at the Software Engineering Institute at Carnegie Mellon University.
- The RISKS Digest forum is a mailing list compiled by security guru Peter Neumann that covers all kinds of security, safety, and reliability risks introduced and exacerbated by technology.

Trends Affecting Software Security

- Complex systems introduce multiple risks, and all systems involving software are complex.
- Malicious functionality can be added that exceeds the primary intended design.
- The complexity of a system can let flawed and malicious subsystems remain invisible.
- The complexity of a system makes it hard to understand, hard to analyze, and hard to secure.
- Rogue programmers can modify systems software that is initially installed on the machine. A security vulnerability can occur when adding features to a network-based application, or through hostile installation of a Trojan horse to collect user passwords.

Trends Affecting Software Security

- Computer networks are becoming ubiquitous. The large number of computers connected through the Internet has increased the number of avenues for attack (both near and far).
- The size and complexity of modern information systems and their corresponding programs allow for software security vulnerabilities. Low-level languages such as C and C++ do not protect against simple attacks.

Trends Affecting Software Security

- The degree to which systems have become extensible and accept updates or extensions (mobile code) adds to the security problem.
- Browsers, which run on top of an OS and provide Web interface services, are good candidates for security vulnerabilities. Netscape Navigator and Internet Explorer have fuzzy boundaries. See pp. for details on browser construction.
- Growing system complexity, ubiquitous networking, and built-in extensibility make the software security problem urgent.

The 'Ilities'

- Security is not a feature you can add to a system at any time.
- Security is like safety, dependability, reliability, or any other software 'ility'.
- It is better to design for security from scratch than to try to add security to an existing design.
- What is security? The book states that security involves enforcing a policy that describes rules for accessing resources. We need a well-defined policy to determine whether an event is really a security breach.

The 'Ilities'

- Reliability is a measurement of how robust your software is with respect to some definition of a bug.
- The definition of a bug is analogous to a security policy.
- Security can be viewed as a measurement of how robust your software is with respect to a particular security policy.
- Reliability problems are not always security problems. Reliability problems can usually be considered denial-of-service problems.
- By applying solid software reliability techniques to your software, you will likely improve its security.

Penetrate and Patch is Bad

- We want to minimize the pervasive "penetrate-and-patch" approach to security, i.e., patching after each security breach.
- We want to avoid the problem of trying to fix a problem that is actively being exploited by attackers.
- Problems with penetrate and patch are:
  (1) We can only patch problems which we know about.
  (2) Patches are often rushed out and not thoroughly debugged.
  (3) Patches only fix the symptoms, not the underlying problem.
  (4) Patches are ignored.

On Art and Engineering

- Properly engineered software goes through a well-structured process from requirements and design, through detailed specification, to actual implementation.
- Pressure to market products results in short-circuiting this process, especially testing.
- The Internet time phenomenon has exacerbated the software engineering problem. Lack of specifications and short time pressures are the primary reasons.
- It is hard to determine whether a security hole is an implementation problem or a specification problem.

Security Goals

- Security is not a static feature on which everyone agrees. You might not be able to define it, but you know it when you see it.
- Any given system, no matter how secure, can probably be broken.
- Security is best understood in terms of a simple question: secure against what and from whom?

Security Goals: Prevention

- Internet time is the enemy of software security.
- It shortens the software development life cycle, making it hard to perform risk management, and accelerates the spread of attacks.
- For these reasons, prevention is more important than ever.

Security Goals: Traceability, Auditing, and Monitoring

- Good auditing and traceability measures are essential to help detect, dissect, and demonstrate an attack. They show who did what when, and provide critical evidence for court proceedings.
- Monitoring is real-time auditing. Monitoring systems include intrusion detection systems based on watching network traffic or looking over log files.

Security Goals: Privacy and Confidentiality

- Privacy and confidentiality are deeply intertwined. Businesses, individuals, and governments want to keep secrets.
- Software also must keep secrets and must ensure privacy. However, software is not designed to do this.
- Software is vulnerable to releasing secrets from the machine it runs on.
- Avoid storing secrets like passwords in your code, especially if the code is likely to be mobile.

Security Goals: Multilevel Security

- Some information is more secret than other information. Government classifications range from unclassified to secret and top secret. Business also classifies data such as salary and SSN data.
- Getting software to interact cleanly with a multilevel security system is tricky.

Security Goals: Anonymity

- Anonymity can be good and bad.
- Software often makes inherent and unanticipated decisions about anonymity.
- Privacy and decisions about anonymity are important aspects of software security.
- Technology that severely degrades anonymity and privacy can be useful for law enforcement. Example: the FBI's Carnivore system tracking who sends to whom using a traffic monitoring system at an ISP.
- Cookies are used by e-commerce sites to track customer habits. This can be good and bad.
- Software creators should give consideration to the potential vulnerabilities of the data they collect.
- Convenience or potential privacy issues?

Security Goals: Authentication

- Authentication, confidentiality, and integrity are the big three security goals.
- Authentication is critical to security, as we need to know whom to trust and whom not to trust.
- Enforcing a security policy requires knowing who is trying to use protected data.
- Software security always includes authentication issues. Security-critical systems need a login with a password.
- Web authentication is poor today. A uniform resource locator (URL) may not be the Web site it appears to represent (friendlybank.com may not be a bank and may not be friendly!).

Security Goals: Authentication

- People falsely believe that they have a "secure connection" when the lock icon on their browser is on. Secure Sockets Layer (SSL) technology uses cryptography to protect the data stream from browser to server.
- The data stream is protected, but to whom are you connected?
- United Airlines (UAL.COM) uses SSL security. Clicking on the lock icon shows you are connected to ITN.NET. Do you know them? Can you trust them?
- Authentication in software is a critical software security problem.
- Some authentication schemes require anonymity, and others require strict and detailed auditing.

Security Goals: Integrity

- Integrity in a security context refers to staying the same.
- Authentication is all about who, when, and how; integrity is about whether something has been modified since its creation.
- People assume data to be correct. What if the data are tampered with between sender and receiver?
- Digital information is easy to fake. The more we rely on information, the more critical information integrity will become.

Common Software Security Pitfalls

- Two issues exist: (1) most security courses focus on network security; (2) there has not been a comprehensive, practical guide covering software security. Until this book.
- The phrase "keep your friends close and your enemies closer" applies to software security.
- The first step in any analysis is recognizing the risks.
- Software security risks: architectural problems and implementation errors.
- System calls and how you use them are important, but the overall design properties count for more. We need to integrate security into software engineering methodology, create general principles for developing secure software systems, and deal with security when performing security assessments.

Common Software Security Pitfalls

Important threats to be wary of:
  (1) Compromise of information as it passes through or resides on each node in a network.
  (2) Social engineering, where important information is obtained by an attacker from someone knowledgeable about the system.
  (3) Malicious input problems on the server side of software security (buffer overflows).
  (4) Compromising data on the actual communication medium itself. These include:
      (a) Eavesdropping
      (b) Tampering
      (c) Spoofing
      (d) Hijacking
      (e) Capture/replay
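The earlier trend slide notes that C and C++ do not protect against simple attacks, and threat (3) above names buffer overflows as the server-side malicious-input problem. The following is an added example, not code from the book or the slides: a fixed-size username field that sits directly before a privilege flag, with the unchecked copy C happily allows beside a length-validating version that rejects oversized input instead of writing past the field. The `struct session` layout, the function names and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size field, as a server might allocate for a username */

/* Constructed record: the privilege flag sits directly after the name buffer,
 * which is exactly the layout an unchecked copy would corrupt. */
struct session {
    char name[NAME_MAX];
    int  is_admin;
};

/* The pattern the slides warn about: C performs no bounds checking, so strcpy()
 * writes every byte of src regardless of how large s->name is. A src longer
 * than NAME_MAX - 1 characters overwrites is_admin and whatever lies beyond it.
 * Shown for contrast only; it is never called with untrusted input here. */
void store_name_unchecked(struct session *s, const char *src) {
    strcpy(s->name, src);
}

/* Hardened version: measure the input without reading past dest_size, and fail
 * closed (return -1, leave dest untouched) when it would not fit with its NUL.
 * Rejecting is preferable to silent truncation, which can turn one identity
 * into another (a long name cut down to a prefix that is some other user's). */
int store_name_checked(char *dest, size_t dest_size, const char *src) {
    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;
    size_t len = 0;
    while (len < dest_size && src[len] != '\0')
        len++;
    if (len == dest_size)        /* no terminator within the buffer: too long */
        return -1;
    memcpy(dest, src, len + 1);  /* copy including the terminating NUL */
    return 0;
}

/* Server-side entry point: validate the name before it touches the record.
 * Returns 0 on success, -1 when the input is rejected (record left unchanged). */
int process_login(struct session *s, const char *name) {
    return store_name_checked(s->name, sizeof s->name, name);
}

int main(void) {
    struct session s = { "", 0 };
    /* Constructed sample inputs: two that fit, one that would overflow. */
    const char *inputs[] = {
        "alice",
        "123456789012345",                          /* 15 chars + NUL: exactly fits */
        "this_name_is_far_too_long_for_the_field",  /* rejected, is_admin untouched */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = process_login(&s, inputs[i]);
        printf("%-42s -> rc=%d name=\"%s\" is_admin=%d\n",
               inputs[i], rc, s.name, s.is_admin);
    }
    return 0;
}
```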

Software Project Goals

Key software project goals:
  (1) Functionality
  (2) Usability: can affect reliability
  (3) Efficiency: security requires overhead
  (4) Time-to-market
  (5) Simplicity: keep everything as simple as possible. Good for both software projects and security.