5218COMP - Secure Software Development 2019/2020 Lecture Notes PDF
Liverpool John Moores University
2019
5118COMP
Summary
These 2019/2020 lecture notes (session 3, "Common Vulnerability Issues") cover secure software development topics: input validation, authentication and authorisation, with examples and a case study. The transcript captured below covers the terminology recap, the input validation material (including the WordPress wpshop upload case study) and the start of the array-size material.
Full Transcript
5218COMP – Secure Software Development
Dr. Max Hashem Eiza ([email protected], Room BS/607A)
Dr. Nathan Shone ([email protected], Room BS/649)
5118COMP – Secure Software Development 2019 / 2020

3 Common Vulnerability Issues

Session Overview & Outcomes
In this session, we will discuss:
- Input validation
- Authentication
- Authorisation
At the end of this session, you should be able to:
- Understand and explain common vulnerabilities.
- Understand the authentication and authorisation concepts.

Terminology Recap
Threat: what are you worried about? What needs protecting?
Vulnerability: how might threats become real? Where are the weaknesses in the system?
Attack: how might someone break the security? Attacks exploit vulnerabilities to realise threats.
Attack vector: a path, route or method that exploits weak spots to gain unauthorised access to a computer system. Most attack vectors have some human element, as humans are often the weakest part of a system.

Vulnerabilities
A vulnerability is a weakness through which an attack can occur. Four sources:
- Design weakness
- Implementation failure
- Change in requirements or environment
- End-user misuse

Design weakness: a flaw in the design allows an attack that wasn't anticipated. E.g. TCP SYN flood; Heartbleed (dumping server RAM over SSL/TLS).
Implementation failure: the design isn't followed correctly (e.g. Bluetooth vulnerabilities), or a coding error, i.e. failure to follow good practice (e.g. SQL injection).
Change in requirements or environment: assumptions made during design or development no longer hold. E.g. encryption becoming weak over time; software repurposed without being redesigned (credit card use online).
End-user misuse: the designer makes an incorrect assumption about users (e.g. that they read the manual or understand the limitations of the technology), or users take shortcuts for usability (e.g. weak passwords, using sites with bad SSL certificates, sending executables by email).

Today we will look at the following examples: type mismatch, lack of input validation, authentication, authorisation.

Input Validation
Input validation is critical but often overlooked; the lecture's estimate is that around 60% of vulnerabilities are due to poor input validation. Validation means checking the sanity of input data. Usually this refers to user-typed input (e.g. a textbox), but not always: it needs to be performed anywhere that tampered or miscellaneous data can enter or exit the software. For example:
- URLs (query parameters etc.)
- User-supplied files
- Configuration files
- Third-party data
- Data loaded from the file system
- Data loaded from a data source (e.g. XML, DB)
- Exported files

What is validation? Verification of input "normality". Examples:
- Is it the data type expected?
- Is it within the length (string) or range (numeric) expected?
- Is a null entry acceptable?
- Can commands be injected?
  (e.g. SQL injection through a web form)

From the Lab…
Checks made:
- Email between 1 and 100 characters
- Email properly formatted (contains an @)
- Password at least 8 characters long; no upper limit on password length
- Password and confirmation match
Improvements:
- Escape non-alphanumeric characters
- Blacklist illegal email characters
(An allow-list of permitted characters is safer than a blacklist, and parameterised database queries remove the need to escape the value at all.)

When to Validate?
When data passes between differing trust boundaries.

Case Study: WordPress wpshop plugin image file upload
WP plugins (particularly unpatched ones) are a major source of vulnerabilities.

$file = $_FILES['wpshop_file'];
$tmp_name = $file['tmp_name'];
$name = $file["name"];
@move_uploaded_file($tmp_name, WPSHOP_UPLOAD_DIR.$name);

Basic validation needed: filename and file type. The client-supplied $name is concatenated into the destination path unchanged, and the @ suppresses any error from move_uploaded_file.
- Nothing stops the filename being longer than the server OS supports.
- Nothing stops an attacker uploading non-image files (e.g. another PHP file).

Important Note
Client-side and server-side validation are NOT the same!
- Server-side: happens on the server, AFTER the input is submitted.
- Client-side: happens on the client, BEFORE the input is submitted.
Client-side validation is used to reduce the load on the server. Never rely on client-side validation: it can be circumvented, since the user controls the browser and can send the request directly with any values.

Array Sizes
A classic programming error, widespread in C/C++ programs: pointer arithmetic and out-by-one errors. It is becoming less common because Java and .NET languages are type-safe and bounds-checked. It can be considered as either an input validation error or a typing error.

Telegraph pole problem: BT is putting telegraph poles down a 100m street and spacing them 10m apart. How many telegraph poles will they need?
Poles stand at 0, 10, 20, ..., 100m, so eleven are needed, not ten: the count is length/spacing + 1. The same out-by-one mistake is made when a loop or array index stops one short of, or runs one past, the end of an array.

Array Looping
If I want to count to five, which of the following is correct?
1) for(i=0;i<5;i++){printf("%d\n",i);}   (prints 0, 1, 2, 3, 4: five lines, but not the numbers 1 to 5)
No output
3) for(i=0;i
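Server-side validation for the registration form on the "From the Lab…" slide, as an added example written for these notes (it is not the lab's own code). It applies the checks the slide lists (email 1 to 100 characters and well formed, password at least 8 characters, password equal to its confirmation), adds the data-type check from the "What is validation?" slide, and stores the result with a parameterised query, which is the injection-safe alternative to the slide's "escape non-alphanumeric characters" improvement. The function names, the allow-list regex and the 128-character password cap are this example's own assumptions.

```python
"""Server-side validation and injection-safe storage for a registration form.

Added example for the 5118COMP notes; not the lab's code. Names and limits are
this example's assumptions.
"""
import hashlib
import os
import re
import sqlite3

EMAIL_MIN, EMAIL_MAX = 1, 100
PASSWORD_MIN, PASSWORD_MAX = 8, 128   # cap is an assumption: bounds the cost of hashing a huge input

# Allow-list of permitted characters rather than a blacklist of bad ones:
# a local part, a single '@', then a dotted domain.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def validate_registration(email, password, confirm):
    """Return a list of error strings; an empty list means the input is acceptable."""
    errors = []
    # 1. Type: a web framework may hand over a list for ?email[]=..., not a str.
    for field, value in (("email", email), ("password", password), ("confirm", confirm)):
        if not isinstance(value, str):
            errors.append(f"{field}: wrong type")
    if errors:
        return errors
    # 2. Length before format, so an oversized input never reaches the regex.
    if not EMAIL_MIN <= len(email) <= EMAIL_MAX:
        errors.append(f"email: must be {EMAIL_MIN}-{EMAIL_MAX} characters")
    elif not EMAIL_RE.fullmatch(email):
        errors.append("email: not a valid address")
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        errors.append(f"password: must be {PASSWORD_MIN}-{PASSWORD_MAX} characters")
    # 3. Consistency between fields.
    if password != confirm:
        errors.append("password: confirmation does not match")
    return errors


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest so both are stored together."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def new_user_db():
    """Constructed in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash BLOB NOT NULL)")
    return conn


def register(conn, email, password, confirm):
    """Validate, then insert with bound parameters: the email is data, never SQL text."""
    errors = validate_registration(email, password, confirm)
    if errors:
        return errors
    conn.execute("INSERT INTO users (email, pw_hash) VALUES (?, ?)",
                 (email, hash_password(password)))
    conn.commit()
    return []


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = new_user_db()
    print(register(db, "alice@example.com", "correct horse battery", "correct horse battery"))  # []
    print(register(db, "x'); DROP TABLE users; --", "password1", "password1"))  # ['email: not a valid address']
    print(user_count(db))  # 1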
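A hardened counterpart to the wpshop upload handler in the case study, as an added example written for these notes in Python; it is neither the plugin's code nor its patch. It treats the upload as data crossing the browser-to-server trust boundary ("When to Validate?") and checks it on the server regardless of any client-side validation ("Important Note"): filename length and path separators, an extension allow-list, the file's magic bytes, a size limit, and a server-chosen random name written non-executably. The names (save_upload, handle_upload, UPLOAD_DIR), the size limit and the 255-character filename limit are this example's assumptions.

```python
"""Hardened image upload handler: validate name, type and size on the server.

Added example for the 5118COMP notes; not the wpshop plugin's code. All names
and limits are this example's assumptions.
"""
import os
import secrets
import tempfile

MAX_NAME_LEN = 255                 # assumed single path component limit of the server OS
MAX_SIZE = 5 * 1024 * 1024         # assumed application limit
UPLOAD_DIR = "/var/www/uploads"    # assumed; a directory the web server never executes from

# Allow-list of image types, each tied to the magic bytes its content must start with.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXT_ALIASES = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}


class UploadRejected(ValueError):
    pass


def claimed_extension(client_name):
    """Validate the browser-supplied name, but use it only to learn the claimed type."""
    if not client_name or len(client_name) > MAX_NAME_LEN:
        raise UploadRejected("filename empty or too long")
    if "\x00" in client_name or "/" in client_name or "\\" in client_name:
        raise UploadRejected("filename contains a path separator or NUL")
    stem, dot, ext = client_name.rpartition(".")
    if not dot or not stem or ext.lower() not in EXT_ALIASES:
        raise UploadRejected("extension not in the allow-list")
    return EXT_ALIASES[ext.lower()]


def sniff_type(data):
    """Decide the type from the content, not the name: a .png holding PHP fails here."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    raise UploadRejected("content is not an allowed image type")


def save_upload(client_name, data, upload_dir=UPLOAD_DIR):
    """Return the server-chosen filename under upload_dir, or raise UploadRejected."""
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")
    claimed = claimed_extension(client_name)
    actual = sniff_type(data)
    if claimed != actual:
        raise UploadRejected(f"extension .{claimed} does not match content ({actual})")
    # The stored name is random and server-chosen: nothing from the client reaches the path.
    stored = f"{secrets.token_hex(16)}.{actual}"
    path = os.path.join(upload_dir, stored)
    # O_EXCL refuses to overwrite an existing file; mode 0o644 keeps it non-executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored


def handle_upload(client_name, data, upload_dir=UPLOAD_DIR):
    """What a request handler would call: (accepted, stored name or rejection reason)."""
    try:
        return True, save_upload(client_name, data, upload_dir)
    except UploadRejected as exc:
        return False, str(exc)


def make_upload_dir():
    """Constructed temporary directory so the example runs anywhere."""
    return tempfile.mkdtemp(prefix="uploads-")


def stored_size(upload_dir, name):
    return os.path.getsize(os.path.join(upload_dir, name))


# Constructed sample inputs: a minimal PNG header and a PHP web-shell payload.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_SAMPLE = b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    d = make_upload_dir()
    print(handle_upload("cat.png", PNG_SAMPLE, d))             # (True, '<32 hex chars>.png')
    print(handle_upload("shell.php", PHP_SAMPLE, d))           # (False, 'extension not in the allow-list')
    print(handle_upload("shell.png", PHP_SAMPLE, d))           # (False, 'content is not an allowed image type')
    print(handle_upload("../../shell.png", PNG_SAMPLE, d))     # (False, 'filename contains a path separator or NUL')
    print(handle_upload("a" * 300 + ".png", PNG_SAMPLE, d))    # (False, 'filename empty or too long')
```

The order of checks matters: size is tested before anything touches the bytes, the name is checked before the content is sniffed, and the client's name is discarded once its claimed type has been compared with the sniffed type, so neither an over-long name nor a path component can ever reach move-to-disk.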