1. Binary and Protocol Security Assurance
Mahesh Saptarshi, Technical Director
Symantec software India Pvt Ltd

2. Agenda 1 Disclaimers, requests, etc 2
Security Bugs – what, how, and their classification 3
Security assurance of Binary – 3rd party modules
This is a sample “Agenda/Preview” slide. This slide is ideal for “setting the scene” at the beginning of your presentation by providing a “big picture” overview of what you plan to cover.
To Change Slide Title:
In Normal View (View > Normal), triple click on the title placeholder to select the title text and begin typing desired text.
To Change Titles in Shapes (i.e.: “Text here”):
Place cursor on top of text in Shape and triple click to select text. Begin typing desired text.
To Change Font Color/Size:
Place cursor on top of text and triple click to select it. right-click and select “Font” from the drop-down menu. Select desired attributes to change font, size, boldness, color, etc. Note: many of the same commands can also be accessed from the “Font" group of the “Home” tab or from the “Mini” toolbar that appears when text is selected.
To Change a Shape’s Fill Color:
double-click along edge of Shape to activate the “Drawing Tools Format” tab. Click the “Shape Fill” button within the “Shape Styles” group to select a color or desired effect. To choose a custom color, click on the “More Fill Colors” option. Choose “Picture,” “Gradient” or “Texture” to set a gradient, texture, pattern and/or picture fill.
To Delete a Shape:
Select the edge of the desired object by clicking once. Press the “Delete” key from your computer keypad.
To Copy a Shape:
Select the edge of the desired object by clicking once (making certain the selection border appears around the object to be copied). Type “Ctrl C” (copy), click outside object, then type “Ctrl V” (paste) to place the object. Click and drag the pasted object to desired location. 4
Security assurance of network protocols 5
Tools and techniques for discovering security bugs 6
Summary and Q/A

3. Disclaimers, Requests, etc
Not Symantec company position, statement or policy
Focus on the technical details
Cell phones - Please activate vibrate/quiet mode
Ask a question any time
Q&A time also at the end
Much of the material is learned by practice 3

4. Security Bugs – What
Assets, threats, Software bugs aka vulnerabilities
Threats always exist – probabilities vary
Vulnerabilities make exploits possible
Threats can be mitigated – reduced probability
Threats != attacks
Vulnerabilities != attacks
Attacks – attempts by malicious entity to actuate a threat
Our aim – Eliminate or mitigate vulnerabilities
To foil attacks
So that probability of a threat is reduced
So that the asset is secure 4

5. So that the asset is secure
Our Goal
Eliminate or mitigate vulnerabilities
To foil attacks
So that probability of a threat is reduced
So that the asset is secure 5

6. Causes of Security bugs
Security Bugs – Causes
Causes of Security bugs
Insecure design
Insecure Coding
Insecure environment
Lack of proper data validation
Lack of Security Assurance 6

7. Security Bugs –Examples
Buffer overflow
Cross site scripting
Authentication bypass
Escalation of privilege
Arbitrary code execution
SQL injection
Arbitrary file modification/overwrite/truncation 7

8. Most prevalent security issues
Input validation
buffer overflow
Cross site scripting
SQL injection
File path redirection
Authentication bypass
Session issues
session hijack, session replay
insufficient randomization
Configuration security 9

9. Practical approach to finding security bugs
Brute Force
Fuzzing
Feeding the application lots of different values of the data
Values of data are derived by systematic or random changes to a valid value
Network fuzzing, file fuzzing, API parameter fuzzing. Web request fuzzing
Automation required – too many variations
Intelligent Security assurance
Targetted fuzzing
Integer values at byte boundaries
Size value and buffer size mismatch
SQL query and cross domain scripting verification
Path variation related attacks 10

10. Practical approach to hunting for security bugs – cont.
Authentication related verification
Session re-establishment protocol
Frequent session or form reload testing
Fake client instantiation
Fake server instantiation
Proxy and session break up
Defaults verification by denying authentication protocol completion 11

11. Practical approach to hunting for security bugs – cont.
Session issues
Session hijack using a proxy
MITM attack
Session key management verification
Encryption key management verification
Session key exchange protocol verification
Session timeout testing 12

12. Practical approach to hunting for security bugs – cont.
Configuration Security
File permissions
File name generation and temporary file location
Configuration file fuzzing and unreasonable values
Locale related verification
Registry entry permissions – DACLs
Log file permissions – log analyzers and report generators
Event viewers
File overwrite attack using “log truncate” or “cleanup” action
File upload/download and overwrite action
Arbitrary file access action 13

13. Tools for hunting down security bugs
Static source code analysis – Coverity, RATS, Findbugs, FxCOP
Nessus – Port scanner and vulnerability verification
NMAP – network mapper, services and OS security
Wireshark – Sniffing network traffic
SPIKE – network fuzzing
Filemon/Regmon – monitoring file access,registry
PEexplorer – exploring running processes
IDA – debugger for analysing crash dumps
WebInspect, AppScan, Cenzic hailstorm – web security attack tools 14

14. So that the asset is secure
Summary
Software Security bugs
Eliminate or mitigate vulnerabilities
To foil attacks
So that probability of a threat is reduced
So that the asset is secure 15

15. Mahesh Saptarshi