CS5103 Software Engineering Lecture 18 Security Issues in Software Engineering & Final Exam.


1 CS5103 Software Engineering Lecture 18 Security Issues in Software Engineering & Final Exam

2 Last class
- Delta Debugging
  - Motivation
  - Algorithm
  - In practice
- Static Bug Detection
  - Common Bugs
  - FindBugs

3 Today's class
- Security Issues in Software Engineering
  - Security Threats
  - Requirement Engineering for Security
  - Design for Security
  - Coding for Security
  - Vulnerabilities
  - Testing for Security

4 Security Threats to Software
- Undermine usability
  - DoS attacks
  - Peculiar inputs causing crashes, bloats, …
- Information Leaking
  - SQL Injection, Cross-site Scripting, unencrypted data, side channels, …
- Command and Control
  - OS Injection, Cross-site Scripting, Return Oriented Programming, …

5 Requirement Engineering for Security
- Security properties in the specification
  - Do users have different privileges for using functionalities?
  - Should data be seen only by certain users?
  - Do certain communications and data transfers happen over a safe network or not?
- Potential sources of attacks
  - Can any user use the software?
  - Does it have access to the Internet?
  - What is the motive for attacking the software?
- Risk of attacks
  - Estimate the cost if the software is attacked successfully
  - How important is the user data?

6 Design for Security
- The security techniques you choose to protect your software from attacks
  - Input validation: at a single point or at multiple points?
  - Authentication: how to store and transfer credentials (passwords); where to do the encryption, or whether to store only a verifier
  - Sensitive data: decide what data needs to be encrypted, and minimize the data to be stored
  - Encryption: minimize how far data flows before it reaches the encryption; use known encryption algorithms
  - Auditing and Logging

7 Coding for security
- Avoid common vulnerabilities
  - Buffer Overflow
  - Injection
  - Cross-Site Scripting

8 Buffer Overflow
- Many languages (C, C++) are memory unsafe
- You define a buffer, and it is your responsibility to keep your data inside the buffer
- If you read or write outside a buffer:
  - Semantic errors
  - Crashes
  - What else? Anything related to security?

    char buffer[12];

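9 Review of OS course: call stacks
- Function calls are traced by call stacks

[Figure: call stack with frames for main, f and g]

    #include <stdbool.h>
    #include <string.h>

    bool g(void);
    void f(char *data);

    int main(int argc, char **args) {
        int result;
        if (argc >= 1) { f(args[0]); }
    }

    /* Deliberately unsafe: strcpy() does not check that data fits in buffer. */
    void f(char *data) {
        char buffer[12];
        strcpy(buffer, data);
        if (g()) { return; }
        else { /* … */ }
    }

    bool g(void) { /* ... */ return true; /* placeholder so the sketch compiles */ }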

10 Call stack of the function f
- The local variable buffer
- The parameter data
- The return address to go back to the call site in the main function

[Figure: stack frame of f, with char[12] buffer]

11 Feed in a valid input
- Example: "username"

[Figure: stack frame of f, with char[12] buffer]

12 Feed in an invalid input
- Example: "usernameusername"
- The parameter data is overwritten
  - So it is no longer usable
- The return address is overwritten
  - So f() cannot return normally
- Still just a bug
  - Minor security problem
  - Undermines usability

[Figure: stack frame of f, with char[12] buffer]

13 Feed in a malicious input
- Idea to do the trick
  - Feed in an input with 20 chars
  - Overwrite the return address
  - f() will return to the code we specify
- Suppose the program is on a server, accepting user requests
- How to make it possible?
  - Where to put the code?
  - How to point the return address at our code?

[Figure: stack frame of f, with char[12] buffer]

14 Feed in a malicious input
- Use the buffer itself to store the code
- Set the return address to the buffer address
- Example
  - Run exec("/bin/sh") to open a shell
  - Translate to machine code

    mov $a0 15
    mov $a1 data
    syscall
    data: /, b, i, n, /, s, h

    0x20, 0x42, 0x00,...

[Figure: stack frame of f, with char[12] buffer]

15 Feed in a malicious input
- Other issues
  - How to know the address of buffer[]: programs are executed in virtual memory, so install the software and check the memory state
  - Buffer is too small to hold your code? Jump through the return address to the stack frame of the parent function

[Figure: stack frame of f, with char[12] buffer]

16 The state of practice
- Buffer overflow is very common in C / C++ programs
- About 50% of new attacks are related to buffer overflow
- Memory-safe languages such as Java do not have the problem, so why do we still have it?
- Known bugs are still being exploited from time to time

17 How to deal with buffer overflow
- Boundary checks for input-reachable buffers
  - Not so easy in practice
  - Checking too many places slows the software down
  - Checking too few places leaves a buffer overflow risk
- Automatic support
  - Buffer overflow detection: libsafe, StackGuard, …
  - Runtime protection: weak memory safety
  - Runtime protection: split stack
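
A boundary check for the buffer in f(), shown as an added example that is not part of the original lecture. The names copy_checked and f_checked are hypothetical; the inputs are the "username" and "usernameusername" strings from the earlier slides.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 12  /* same size as buffer[] in f() on the slides */

/* Copy src into dst only if it fits, including the terminating NUL.
 * Returns 0 on success, -1 if src is NULL or too long. On failure dst
 * holds the empty string, so the caller never sees partial data. */
int copy_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Measure src, but never look further than dst_len bytes. */
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)          /* no room left for the NUL terminator */
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 <= dst_len, so this stays inside dst */
    return 0;
}

/* Bounds-checked variant of f(): oversized input is rejected, so nothing
 * is ever written past buffer toward the saved return address. */
int f_checked(const char *data)
{
    char buffer[BUF_LEN];
    if (copy_checked(buffer, sizeof buffer, data) != 0)
        return -1;             /* input rejected */
    return (int)strlen(buffer);
}

int main(void)
{
    printf("%d\n", f_checked("username"));          /* 8 chars: fits */
    printf("%d\n", f_checked("usernameusername"));  /* 16 chars: rejected */
    return 0;
}
```

Rejecting the input rather than truncating it avoids silently turning one username into another; an 11-character name is the longest that fits in the 12-byte buffer.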

18 Injection
- Directly inject user input into code to be executed
- SQL Injection
  - Inject code into SQL queries
- OS Injection
  - Inject code into OS commands

19 SQL Injection
- An example
  - A student information system
  - You can query your grade for a certain course, year, …
  - You log in to your session and, say, search for the grade of "CS5103"
  - What does the server do?

20 SQL Injection
- The malicious input
  - We want to inject code into the SQL query
  - Say we want it to be: select * from Grade
  - It is equivalent to: select * from Grade where username = 'you' and course = 'CS5103' or 'a' = 'a'

21 OS Injection
- Quite similar
- Consider a server that is going to make a directory for you as a new user, and it will execute exec("mkdir path/to/" + username)
- What username should you make up? An example: HahaGotyou | \bin\sh

22 Injection Protection
- Injection works by passing user inputs into back-end engines
- Can we simply cut off the path?
  - Definitely NO
- We have to do some filtering
- We are going to work on the example: select * from Grade where username = 'you' and course = 'CS5103' or 'a' = 'a'

23 User Input Filtering
- What to filter?
  - "or"? => "oorr" can bypass it
  - Space? => using /**/ can bypass it
  - Quotes? A little bit more difficult, but we can search by year and use year = 2009 or 1=1
- Want more?
  - See http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
- Running example: select * from Grade where username = 'you' and course = 'CS5103' or 'a' = 'a'
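
The blacklist filters above can each be bypassed; the opposite approach is an allowlist that accepts only known-good characters. The following added example (not part of the original lecture) applies it to the mkdir case from the OS Injection slide and creates the directory without a shell. The function names, MAX_NAME and the permitted character set are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_NAME 32  /* assumed upper bound on username length */

/* Allowlist check: 1..MAX_NAME characters from [A-Za-z0-9_-] only.
 * Anything else (space, |, ;, /, \, quotes, ...) is rejected outright,
 * so there is no list of "bad" tokens for an attacker to work around. */
int is_valid_username(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789_-";
    size_t len;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME)
        return 0;
    return strspn(name, allowed) == len;
}

/* Build "<base>/<name>" into out. Returns 0 on success, -1 if the
 * name is invalid or the path does not fit. */
int build_user_dir(char *out, size_t out_len, const char *base, const char *name)
{
    int n;
    if (!is_valid_username(name))
        return -1;
    n = snprintf(out, out_len, "%s/%s", base, name);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Create the directory with mkdir(2); no shell ever parses the name. */
int create_user_dir(const char *base, const char *name)
{
    char path[256];
    if (build_user_dir(path, sizeof path, base, name) != 0)
        return -1;
    return mkdir(path, 0700);
}

int main(void)
{
    printf("%d %d\n", is_valid_username("alice_01"),
           is_valid_username("HahaGotyou | \\bin\\sh"));
    return 0;
}
```

Calling mkdir(2) directly means the username is only ever a path component, never command text, and the allowlist keeps it from containing separators such as "/" or "..".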

24 Final Exam
- Time: Dec 18th, 6:00pm to 8:30pm
- Location: FLN 3.02.07
- Form: closed book exam
- 100 points total
- Accounts for 30% of the course grade
- 15 multiple choice questions * 3 points each: single answer
- 5 multiple choice questions * 4 points each: multiple answers
- 3-4 Question & Answer, 35 points in total

25 Covered Course Contents
- Must *
  - It is certain that this knowledge point will be covered in the final exam
- May ?
  - This knowledge point may be covered in the final exam
- Not mentioned in this outline
  - The final exam will not cover this knowledge point

26 Software process models
- Features of Waterfall model ?
- Features of Iterative model ?
- Features of Agile software development & Extreme programming *
- Major difference between these models *
- Usage Scenario of different models ?

27 Requirement Engineering
- Find Stakeholders ?
- Type of Requirements *
- Major requirement elicitation approaches ?
- Natural Language Specifications and find problems in the specifications *
- Use case diagram ?
  - Actors and Relationship between use cases ?

28 System Modeling
- Class Diagram *
  - Draw Class Diagrams *
  - Relationship between classes *
  - Generalization, Aggregation, Composition, Association and their difference *
  - Multiplicity and Role Names ?

29 Software Architecture
- Major software architecture styles *
  - Pipe and Filter ?
  - Layered ?
  - Their differences and usage scenarios *

30 Software Design
- Design Patterns *
  - Structure and Types ?
  - Composite Pattern ?
  - Factory Pattern ?
  - Visitor Pattern ?

31 Versioning
- Diff *
  - Know what a diff between two files should look like ?
  - Know how applying a diff works ?
  - Know what diff to apply for pull / update ?
- Conflict ?
  - Know how to detect conflict ?
- Branch *
  - Know how to merge branches by applying diffs ?
  - Branch strategies and their pros / cons ?

32 Software licences
- Know major software licenses ?
  - GPL, LGPL, Apache, BSD, …
- Know the difference between permissive licenses and copyleft licenses *
- Know the main idea of GPL and its difference from LGPL ?

33 Coding Styles
- Coding style rules for all levels *
  - Identifier / constant ?
  - Expression ?
  - Statements ?
  - Blocks ?
  - Comments ?
- Finding coding style errors in given code *
- Understand the goal and concept of software refactoring ?

34 Software Testing
- Concepts and terms in software testing *
  - Test case, Test suite, Test oracle, …
- Unit Testing *
  - Working process of JUnit ?
  - What are good ways to write assertions ?
  - What are good ways to do the tearing down ?

35 Software Testing
- Test coverage *
  - Understand statement coverage, branch coverage and path coverage, and calculate coverage for a given test case and code *
  - Understand input combination coverage, and calculate coverage for a given model and test case *
  - Understand mutations and mutation coverage ?

36 Software Testing
- Regression Testing ?
  - Know the ways to reduce testing effort in regression testing ?
  - Understand what APFD is, and know how the total and additional strategies work ?

37 Software Debugging
- Delta debugging *
  - Understand how basic delta debugging works ?
  - Know how to handle interference and multiple interference ?
  - Understand the limitations of delta debugging ?

38 Software Security Issues
- Major software vulnerabilities *
  - Injection ?
  - Buffer Overflow *

39 Thanks!

