SECURE PROGRAMMING Chapter 1

Overview What is the problem Cost? Threat? Software Security Concepts Policy Flaws Vulnerabilities Exploits Mitigations C and C++ Brief History What is the problem? Legacy code Other languages Development platforms Operating Systems Compilers Summary

Conficker, aka Downup, Downadup, Kido First detected 2008 Uses software flaws and dictionary attacks Forms a big botnet (over 1.5 million and counting)  Reached 9-15 Million in 2009 Discovered in November 2008 Exploited MS08-067, patched on October Problem example/Description

Is all malware bad? Welchia worm, aka Nachia worm exploits another Microsoft RPC service vulnerability. Vulnerability in TFTPD.EXE, on ports , buffer overflow on port 135. Payload:  Patch the vulnerability.  Run a series of Microsoft patches.  Try to remove W32/Lovsan.worm.a (MSBLAST.EXE  Self removes on January 1, 2004 or after 120 days of processing, whichever comes first.

Cost? Variable per worm: Welchia: probably minimal Blaster (estimated at more than $525 million) Conficker? ?????

Cost (2)? Difficult to gauge, due to underreporting Indirect costs are also difficult to gauge Indirect costs (loss of trust) are also difficult to gauge. Lines are blurred. Some estimates (table 1.1)

Threat? It is only increasing; malware is on the rise! More and more malware is appearing out there. I have heard (forgot where) about a marked increase in the first half of this year.

Who is the threat? Crackers/hackers Insiders Criminals Competitive Intelligence Professionals (aka Corporate spies) Terrorists Information warriors

Software Security

Security Concepts

Programmer System Integrator System Administrator Network Administrator Security Flaw Security Analyst Vulnerability=flaw + access + capability Vulnerability Analyst Security researcher Attacker aka adversary, malicious user, hacker, cracker, etc....

Security Policy “A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.” RFC 2828 Internet Security Glossary [2000] Rules and practices can be either explicit or implicit. Explicit = documented + well known + visibly enforced Implicit does not mean that they are less useful.

Flaws Software defects (bugs) → security flaws Thus, the relation between Software Engineering and Secure Programming. However Software Engineers are seldom concerned about attackers. They usually check for “reasonable inputs”, when attackers will try anything but... Identifying and prioritizing security flaws is needed, which mandates expanded tools.

Vulnerabilities “A set of conditions that allows an attacker to violate an explicit or implicit security policy.” ISO/IEC TS (C Secure Coding Rules) A flaw alone is not sufficient to cause a vulnerability. However, sometimes software designers may choose to leave a product vulnerable. (Is it no longer a flaw because it is documented?) Programs contain vulnerabilities or are vulnerable, systems/networks possess vulnerabilities.

Exploits A technique that takes advantage of a security vulnerability to violate an explicit or implicit security policy. Many forms: Malware: worms, viruses, trojans. Proof of concept

Mitigations Methods, techniques, processes, tools, runtime libraries that can prevent or limit exploits against vulnerabilities. Source code correction Turning off a port or filtering traffic. Alerting users Preferred way: Find and correct the actual defect. (Cheaper?) Alternative: stop malicious inputs

C and C++ Why C/C++ Most popular languages, most legacy code, biggest amount of vulnerabilities

Brief History ● Early 1970's Creation of C based on B, which in turn was based on BCPL ● 1966 “The Development of the C Language” (Dennis Ritchie) ● K&R “C Programming Language” published in 1978 ● 1983 ANSI – X3J11 → 1989 ISO/IEC Known as C89 ● Corrected and amended again 99 ● Descendants ● Concurrent C (Gehani 1989) ● Objective-C (Fox 1991) ● Thinking (1990 ● C++ (Stroustrup )

C++ Evolution ● C with Classes (before 1983) ● C++ ( ● 1990 exceptions and templates ● ISO runtime type identification, namespaces, standard library ● Most recent version is C++ 11

What is the problem with C? ● Flexible, lightweight, high level language, small footprint. ● Very little handled by the system, e.g: ● Array bound checking ● Checking integer overflows/truncations, ● calling functions with incorrect number of arguments,

What is the problem with C? (2) C design philosophy: C design charter, point 6: a) Trust the programmer (Trust with verification?) b) Don't prevent the programmer from doing what needs to be done c) Keep the language small and simple d) Provide only one way to do an operation. e) Make it fast, even if it is not guaranteed to be portable.

What is the Problem with C? (3) Different kinds of behaviors: ● Locale specific ● Unspecified behavior ● Implementation defined behavior ● Undefined behavior Another problem: lack of type safety: ● Lack of preservation ● Lack of progress Yet another problem: legacy code

Other languages? Java: Not a perfect solution: Still vulnerable to design and implementation level security flaws. Can mix in C/C++ Legacy code?? Legacy programmers? Other solutions: Cyclone, D

Development Platforms For the textbook and course, emphasis will be on: Languages: C C++ Operating Systems: Microsoft Windows, Linux, sometimes Unix/MAC Compilers: Visual C++, GCC

Summary ● Most software vulnerabilities caused by common programming errors. ● Patches (too many) ● Defective software is a fact of life; at best every 1000 LOC have 1-2 defects; since an OS has several million.... even application software has its problems. If only 1-2% is a vulnerability... ● Purpose of this course is learning to program securely.