Presentation is loading. Please wait.

Presentation is loading. Please wait.

Author Software Engineering Institute

Published byDuane Cobb Modified over 6 years ago

Similar presentations

Presentation on theme: "Author Software Engineering Institute"— Presentation transcript:

1 Author Software Engineering Institute
Using Malware Analysis to Identify Overlooked Security Requirements (MORE) 5/5/2018 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Nancy R. Mead Title Slide Title and Subtitle text blocks should not be moved from their position if at all possible.

2 Author Software Engineering Institute
5/5/2018 Copyright 2017 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at DM

3 Topics Problem Statement Malware-Analysis-Driven Use Cases Process for Creating Use Cases Case Studies Project Goal and Tool Development Current Status Discussion and Future Work

4 Author Software Engineering Institute
Problem Statement 5/5/2018 Despite the reported attacks on critical systems, operational techniques like malware analysis are not used to inform early lifecycle activities, such as security requirements engineering. Operational techniques like malware analysis are typically used for patch generation; they don’t usually get fed back into the development process. Security requirements developers tend to either start with a blank slate or with large databases of candidate requirements and use cases. Creating and prioritizing security requirements may be done without the insights gained from analysis of prior attacks, especially those that are specific to a particular domain. Suggested Agenda Format As a format for an Agenda, inactive agenda items can be made grey if creating builds.

5 Creating a Vulnerability
Code flaws result from a lack of secure coding. Design flaws result from overlooked requirements. An unknown amount of time is needed to discover a vulnerability: discovered in software discovered as part of a malware exploit If discovered and made public  patch it! and kept private  exploit it!

6 Malware-Analysis-Driven Use Cases
Malware already analyzed by domain expert We start the process with the analysis results. It’s exploiting a vulnerability! Get the exploit details. Design or code flaw? If design, what requirements were overlooked that led to the flaw? Create a use case from those requirements and add it to the database. Goal: Requirements should prevent this flaw from occurring again.

7 Process for Creating Use Cases
Author Software Engineering Institute Process for Creating Use Cases 5/5/2018 The results are obtained from completed static and dynamic analysis of a malicious code sample. Analyses reveal the malware is exploiting a vulnerability from either a code flaw or a design flaw. In the case of a design flaw, the exploitation scenario corresponds to a misuse case that should be described. The misuse case is analyzed to determine the overlooked security requirement and its corresponding use case. The security requirements statement and corresponding use case are added to a requirements database. The requirements database is used in future software development projects. (Traceability is retained across the steps and the use of requirements from the database is tracked.) Type Format We have specified the type formats for four (4 levels of indentation) We have also made suggestions for highlighting text within body copy.

8 Case Studies

9 Application K-9 Mail Application for Android Open source
Author Program Application 5/5/2018 K-9 Mail Application for Android Open source Compatible with IMAP, POP3, and Exchange 2003/2007 Provides searching and other common smartphone client functionality User expectation of privacy and security Functionality: Search, Flagging, multi-folder syncing, filing, PGP integration Technical Details: 32 Java packages, 448 classes, 57,939 lines of code The security goals of an client are: The account credentials shall be protected. in transit between the server and the client shall be protected. stored on the client shall be protected from unauthorized access. will not be sent without permission of the account owner. Attachments stored on the client shall be protected from unauthorized access.

10 Vulnerability DroidCleaner Trojan malware
Author Program Vulnerability 5/5/2018 DroidCleaner Trojan malware Claims to perform an Android tune- up. Sends premium- rate SMS messages. Uploads data from the Android External Storage area to hacker’s servers. Android security model: Android is based on the Linux kernel. Applications run in their own space like users in a Linux system. Root is reserved for the kernel. Two storage areas: Internal Storage – managed for each application protected by Linux kernel. External Storage – permissions granted at the overall storage-level. (Ex: Read access grants an application access to all subfolders in the storage area). K-9 Mail allows users to store in either location (External less secure). Vulnerabilities: 650,000 variations of Malware for Android. The vast majority are Trojans. Trojans appear to be legitimate applications. Request access permissions at install time, tricking the user into granting the malware access to parts of the device. DroidCleaner is a Trojan that pretends to be an Android tool to free up memory and requests access to the External Storage area and internet access. DroidCleaner also sends premium rate SMS messages as a revenue stream for the author.

11 Exploitation Scenario
Author Program Exploitation Scenario 5/5/2018 Trojan Social engineering to trick user into installing DroidCleaner: Install software. Grant access to external storage, internet access. K-9 Mail configured to store in External Storage. DroidCleaner uploads External Storage to hacker server. The hacker examines contents; contents are disclosed. DroidCleaner is a Trojan that pretends to be an Android tool to free up memory and requests access to the External Storage area, SMS Messaging, and internet access. External Storage area is less secure because any process granted access to the External Storage area has access to all subdirectories, including the data file for K-9 Mail Attack scenario: A K-9 Mail user stores their on External Storage. The user installs DroidCleaner, thinking it is a legitimate tool. DroidCleaner requests permission to External Storage and Internet, among other permissions. DroidCleaner uses its access to upload the contents of External Storage to the author’s server. - K-9 Mail files are transferred from External Storage to a hacker’s server. The hacker is able to read contents because K-9 Mail data is stored in an unencrypted Sqlite database.

12 Misuse Case Gain Access to Email Contents 5/5/2018 Author Program
User keeps their on the External Storage area of their Android Device. K-9 Mail’s data file has access managed by the Android operating system. The “Gain Access to Contents” Use Case is implemented by the DroidCleaner Trojan. The DroidCleaner Trojan tricks the User into granting permission to the External Storage area. DroidCleaner also implements the “Download Contents” use case by performing the action of uploading the contents of External Storage to the Hacker’s server using the permissions it requested from the User at installation time in order to force Android into granting access to the storage area.

13 New Requirement Requirement Number: 1 Requirement
1.1 contents shall be protected from unauthorized access. contents shall be stored in an area only available to the application (Android Internal Storage default configuration) and/or protected through encryption, which cannot be decrypted using data available in Android External Storage. 1.2 Processes with access to External Storage shall not have the ability to view K-9 Mail contents in clear text. If external storage is selected, a warning message or mitigation, such as encryption, is recommended. Category Data Protection Priority High Cost Medium Misuse Case MUC2 Rationale Due to the high risk of data theft malware on Android, it is not safe to assume data kept on the phone is private; therefore, the contents must be kept in a form that cannot be read, even if the hacker has access to the storage location.

14 Project Goal and Tool Development

15 Project Goal To provide a proof of concept by implementing and automating the solution To develop a web application that reads malware analysis reports and creates a database of misuse cases, use cases, and overlooked security requirements (MUOs)

16 Tool Development: Goal
A tool to help report writers write more comprehensive reports and include the misuse cases, use cases, and overlooked security requirements from the start

17 Tool Development: MORE Tool
Author Software Engineering Institute Tool Development: MORE Tool 5/5/2018 Two web-based applications Report Writer Security Requirement Finder (SERF) User roles Public user Report writer Reviewer Administrator Super user Type Format We have specified the type formats for four (4 levels of indentation) We have also made suggestions for highlighting text within body copy.

18 Author Software Engineering Institute
Current Status 5/5/2018 Webpage cert.org/cybersecurity-engineering/research/security- requirements-elicitation.cfm Release of prototype tool source code on GitHub Several industry case studies by U.K. students Paper and tool demo presented at Requirements Engineering Conference ESPRE Workshops and CMU faculty seminars Type Format We have specified the type formats for four (4 levels of indentation) We have also made suggestions for highlighting text within body copy.

19 Discussion and Possible Future Work
Author Software Engineering Institute Discussion and Possible Future Work 5/5/2018 Research activities Identify ways to use this method in threat modeling, in conjunction with the SEI threat modeling project Assess usefulness in other lifecycle activities (e.g., architecture and design). Practical application of the method Apply this method to larger systems to increase the knowledge base. Work with organizations developing new systems or enhancing existing systems. Tool/automation activities Revisit automated processing of malware reports. Revisit automated processing of CWEs in conjunction with Mitre reorganization of CWEs. Type Format We have specified the type formats for four (4 levels of indentation) We have also made suggestions for highlighting text within body copy.

20 Author Software Engineering Institute
Contact Information 5/5/2018 Nancy R. Mead Fellow and Principal Researcher CERT Division U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA USA Web Customer Relations Telephone: SEI Phone: SEI Fax:

Download ppt "Author Software Engineering Institute"

Similar presentations

Carnegie Mellon University Software Engineering Institute CERT® Knowledgebase Copyright © 1997 Carnegie Mellon University VU#14202 UNIX rlogin with stack.

Carnegie Mellon University Software Engineering Institute CERT® Knowledgebase Copyright © 1997 Carnegie Mellon University VU#14202 UNIX rlogin with stack.
© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.

© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.
© 2014 Microsoft Corporation. All rights reserved.

© 2014 Microsoft Corporation. All rights reserved.
© 2011 Carnegie Mellon University System of Systems V&V John B. Goodenough October 19, 2011.

© 2011 Carnegie Mellon University System of Systems V&V John B. Goodenough October 19, 2011.
COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.

COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.
The Open Source Security Myth — And How to Make it A Reality Michael Davis Dynamic Security Concepts, Incorporated Track 3, 1300 Sunday, 1 August 2004.

The Open Source Security Myth — And How to Make it A Reality Michael Davis Dynamic Security Concepts, Incorporated Track 3, 1300 Sunday, 1 August 2004.
© 2013 Carnegie Mellon University Academy for Software Engineering Education and Training, 2013 Session Architect: Tony Cowling Session Chair: Nancy Mead.

© 2013 Carnegie Mellon University Academy for Software Engineering Education and Training, 2013 Session Architect: Tony Cowling Session Chair: Nancy Mead.
© 2007-2011 Carnegie Mellon University The CERT Insider Threat Center.

© Carnegie Mellon University The CERT Insider Threat Center.
© 2011 Carnegie Mellon University Should-Cost: A Use for Parametric Estimates Additional uses for estimation tools Presenters:Bob Ferguson (SEMA) Date:November.

© 2011 Carnegie Mellon University Should-Cost: A Use for Parametric Estimates Additional uses for estimation tools Presenters:Bob Ferguson (SEMA) Date:November.
Exchange server 2003. Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

Exchange server Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.
© 2011 Carnegie Mellon University QUELCE: Quantifying Uncertainty in Early Lifecycle Cost Estimation Presenters:Dave Zubrow PhD Bob Ferguson (SEMA) Date:November.

© 2011 Carnegie Mellon University QUELCE: Quantifying Uncertainty in Early Lifecycle Cost Estimation Presenters:Dave Zubrow PhD Bob Ferguson (SEMA) Date:November.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
INTERNET and CODE OF CONDUCT

INTERNET and CODE OF CONDUCT
Software Documentation Written By: Ian Sommerville Presentation By: Stephen Lopez-Couto.

Software Documentation Written By: Ian Sommerville Presentation By: Stephen Lopez-Couto.
» Explain the way that electronic mail (e-mail) works » Configure an e-mail client » Identify e-mail message components » Create and send e-mail messages.

» Explain the way that electronic mail ( ) works » Configure an client » Identify message components » Create and send messages.
Ipek Ozkaya, COCOMO Forum © 2012 Carnegie Mellon University Affordability and the Value of Architecting Ipek Ozkaya Research, Technology.

Ipek Ozkaya, COCOMO Forum © 2012 Carnegie Mellon University Affordability and the Value of Architecting Ipek Ozkaya Research, Technology.
SHASHANK MASHETTY Email security. Introduction Electronic mail most commonly referred to as email or e- mail. Electronic mail is one of the most commonly.

SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.
Presentation By Deepak Katta

Presentation By Deepak Katta
Data Security.

Data Security.
Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 12 Electronic Mail.

Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 12 Electronic Mail.

Similar presentations

Ads by Google