Thursday, September 23, 2010

Software Security Development - A White Hat's Perspective

"If you know the enemy and know yourself you need not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." - Sun Tzu[1]
Introduction-
How to know your enemy
Knowing your enemy is vital in fighting him effectively. Security should be learned not just by network defense, but also by using the vulnerability of software and techniques used for malicious intent. As computer attack tools and techniques continue to advance, we will likely see major, life-impacting events in the near future. However, we will create a much more secure world, with risk managed down to an acceptable level. To get there, we have to integrate security into our systems from the start, and conduct thorough security testing throughout the software life cycle of the system. One of the most interesting ways of learning computer security is studying and analyzing from the perspective of the attacker. A hacker or a programming cracker uses various available software applications and tools to analyze and investigate weaknesses in network and software security flaws and exploit them. Exploiting the software is exactly what it sounds like, taking advantage of some bug or flaw and redesigning it to make it work for their advantage.
Similarly, your personal sensitive information could be very useful to criminals. These attackers might be looking for sensitive data to use in identity theft or other fraud, a convenient way to launder money, information useful in their criminal business endeavors, or system access for other nefarious purposes. One of the most important stories of the past couple of years has been the rush of organized crime into the computer attacking business. They make use of business processes to make money in computer attacks. This type of crime can be highly lucrative to those who might steal and sell credit card numbers, commit identity theft, or even extort money from a target under threat of DoS flood. Further, if the attackers cover their tracks carefully, the possibilities of going to jail are far lower for computer crimes than for many types of physical crimes. Finally, by operating from an overseas base, from a country with little or no legal framework regarding computer crime prosecution, attackers can operate with virtual impunity [1].
Current Security
Assessing the vulnerabilities of software is the key to improving the current security within a system or application. Developing such a vulnerability analysis should take into consideration any holes in the software that could carry out a threat. This process should highlight points of weakness and assist in the construction of a framework for subsequent analysis and countermeasures. The security we have in place today including firewalls, counterattack software, IP blockers, network analyzers, virus protection and scanning, encryption, user profiles and password keys. Elaborating the attacks on these basic functionalities for the software and the computer system that hosts it is important to making software and systems stronger.
You may have a task which requires a client-host module which, in many instances, is the starting point from which a system is compromised. Also understanding the framework you're utilizing, which includes the kernel, is imperative for preventing an attack. A stack overflow is a function which is called in a program and accesses the stack to obtain important data such as local variables, arguments for the function, the return address, the order of operations within a structure, and the compiler being used. If you obtain this information you may exploit it to overwrite the input parameters on the stack which is meant to produce a different result. This may be useful to the hacker which wants to obtain any information that may grant them access to a person's account or for something like an SQL injection into your company's database. Another way to get the same effect without knowing the size of the buffer is called a heap overflow which utilizes the dynamically allocated buffers that are meant to be used when the size of the data is not known and reserves memory when allocated.
We already know a little bit about integer overflows (or should at least) and so we Integer overflows are basically variables that are prone to overflows by means of inverting the bits to represent a negative value. Although this sounds good, the integers themselves are dramatically changed which could be beneficial to the attackers needs such as causing a denial of service attack. I'm concerned that if engineers and developers do not check for overflows such as these, it could mean errors resulting in overwriting some part of the memory. This would imply that if anything in memory is accessible it could shut down their entire system and leave it vulnerable later down the road.
Format string vulnerabilities are actually the result of poor attention to code from the programmers who write it. If written with the format parameter such as "%x" then it returns the hexadecimal contents of the stack if the programmer decided to leave the parameters as "printf(string);" or something similar. There are many other testing tools and techniques that are utilized in testing the design of frameworks and applications such as "fuzzing" which can prevent these kinds of exploits by seeing where the holes lie.
In order to exploit these software flaws it implies, in almost any case, supplying bad input to the software so it acts in a certain way which it was not intended or predicted to. Bad input can produce many types of returned data and effects in the software logic which can be reproduced by learning the input flaws. In most cases this involves overwriting original values in memory whether it is data handling or code injection. TCP/IP (transfer control protocol/internet protocol) and any related protocols are incredibly flexible and can be used for all kinds of applications. However, the inherent design of TCP/IP offers many opportunities for attackers to undermine the protocol, causing all sorts of problems with our computer systems. By undermining TCP/IP and other ports, attackers can violate the confidentiality of our sensitive data, alter the data to undermine its integrity, pretend to be other users and systems, and even crash our machines with DoS attacks. Many attackers routinely exploit the vulnerabilities of traditional TCP/IP to gain access to sensitive systems around the globe with malicious intent.
Hackers today have come to understand operating frameworks and security vulnerabilities within the operating structure itself. Windows, Linux and UNIX programming has been openly exploited for their flaws by means of viruses, worms or Trojan attacks. After gaining access to a target machine, attackers want to maintain that access. They use Trojan horses, backdoors, and root-kits to achieve this goal. Just because operating environments may be vulnerable to attacks doesn't mean your system has to be as well. With the new addition of integrated security in operating systems like Windows Vista, or for the open source rule of Linux, you will have no trouble maintaining effective security profiles.
Finally I want discuss what kind of technology were seeing to actually hack the hacker, so to speak. More recently a security professional named Joel Eriksson showcased his application which infiltrates the hackers attack to use against them.
Wired article on the RSA convention with Joel Eriksson:
"Eriksson, a researcher at the Swedish security firm Bitsec, uses reverse-engineering tools to find remotely exploitable security holes in hacking software. In particular, he targets the client-side applications intruders use to control Trojan horses from afar, finding vulnerabilities that would let him upload his own rogue software to intruders' machines." [7]
Hackers, particularly in china, use a program called PCShare to hack their victim's machines and upload's or downloads files. The program Eriksson developed called RAT (remote administration tools) which infiltrates the programs bug which the writers most likely overlooked or didn't think to encrypt. This bug is a module that allows the program to display the download time and upload time for files. The hole was enough for Eriksson to write files under the user's system and even control the server's autostart directory. Not only can this technique be used on PCShare but also a various number of botnet's as well. New software like this is coming out everyday and it will be beneficial for your company to know what kinds will help fight the interceptor.
Mitigation Process and Review
Software engineering practices for quality and integrity include the software security framework patterns that will be used. "Confidentiality, integrity, and availability have overlapping concerns, so when you partition security patterns using these concepts as classification parameters, many patterns fall into the overlapping regions" [3]. Among these security domains there are other areas of high pattern density which includes distributive computing, fault tolerance and management, process and organizational structuring. These subject areas are enough to make a complete course on patterns in software design [3].
We must also focus on the context of the application which is where the pattern is applied and the stakeholders view and protocols that they want to serve. The threat models such as CIA model (confidentiality, integrity and availability) will define the problem domain for the threats and classifications behind the patterns used under the CIA model. Such classifications are defined under the Defense in Depth, Minefield and Grey Hats techniques.
The tabular classification scheme in security patterns, defines the classification based on their domain concepts which fails to account for more of the general patterns which span multiple categories. What they tried to do in classifying patterns was to base the problems on what needs to be solved. They partitioned the security pattern problem space using the threat model in particular to distinguish the scope. A classification process based on threat models is more perceptive because it uses the security problems that patterns solve. An example of these threat models is STRIDE. STRIDE is an acronym containing the following concepts:
Spoofing: An attempt to gain access to a system using a forged identity. A compromised system would give an unauthorized user access to sensitive data.
Tampering: Data corruption during network communication, where the data's integrity is threatened.
Repudiation: A user's refusal to acknowledge participation in a transaction.
Information Disclosure: The unwanted exposure and loss of private data's confidentiality.
Denial of service: An attack on system availability.
Elevation of Privilege: An attempt to raise the privilege level by exploiting some vulnerability, where a resource's confidentiality, integrity, and availability are threatened. [3]
What this threat model covers can be discussed using the following four patterns: Defense in Depth, Minefield, Policy Enforcement Point, and Grey Hats. Despite this all patterns belong to multiple groups one way or another because classifying abstract threats would prove difficult. The IEEE classification in their classification hierarchy is a tree which represents nodes on the basis of domain specific verbatim. Pattern navigation will be easier and more meaningful if you use it in this format. The classification scheme based off of the STRIDE model alone is limited, but only because patterns that address multiple concepts can't be classified using a two-dimensional schema. The hierarchical scheme shows not only the leaf nodes which display the patterns but also multiple threats that affect them. The internal nodes are in the higher base level which will find multiple threats that all the dependent level is affected by. Threat patterns at the tree's root apply to multiple contexts which consist of the core, the perimeter, and the exterior. Patterns that are more basic, such as Defense in Depth, reside at the classification hierarchy's highest level because they apply to all contexts. Using network tools you will be able to find these threat concepts such as spoofing, intrusion tampering, repudiation, DoS, and secure pre-forking, will allow the developer team to pinpoint the areas of security weakness in the areas of core, perimeter and exterior security.
Defense against kernel made root-kits should keep attackers from gaining administrative access in the first place by applying system patches. Tools for Linux, UNIX and Windows look for anomalies introduced on a system by various users and kernel root-kits. But although a perfectly implemented and perfectly installed kernel root-kit can dodge a file integrity checker, reliable scanning tools should be useful because they can find very subtle mistakes made by an attacker that a human might miss. Also Linux software provides useful tools for incident response and forensics. For example some tools returns outputs that you can be trusted more than user and kernel-mode root-kits.
Logs that have been tampered with are less than useless for investigative purposes, and conducting a forensic investigation without logging checks is like cake without the frosting. To harden any system, a high amount of attention will be needed in order to defend a given system's log which will depend on the sensitivity of the server. Computers on the net that contain sensitive data will require a great amount of care to protect. For some systems on an intranet, logging might be less imperative. However, for vitally important systems containing sensitive information about human resources, legality issues, as well as mergers and acquisitions, the logs would make or break protecting your company's confidentiality. Detecting an attack and finding evidence that digital forensics use is vital for building a case against the intruder. So encrypt those logs, the better the encryption, the less likely they will ever be tampered with.
Fuzz Protocols
Protocol Fuzzing is a software testing technique that which automatically generates, then submits, random or sequential data to various areas of an application in an attempt to uncover security vulnerabilities. It is more commonly used to discover security weaknesses in applications and protocols which handle data transport to and from the client and host. The basic idea is to attach the inputs of a program to a source of random or unexpected data. If the program fails (for example, by crashing, or by failing in-built code assertions), then there are defects to correct. These kind of fuzzing techniques were first developed by Professor Barton Miller and his associates [5]. It was intended to change the mentality from being too confident of one's technical knowledge, to actually question the conventional wisdom behind security.
Luiz Edwardo on protocol fuzzing:
"Most of the time, when the perception of security doesn't match the reality of security, it's because the perception of the risk does not match the reality of the risk. We worry about the wrong things: paying too much attention to minor risks and not enough attention to major ones. We don't correctly assess the magnitude of different risks. A lot of this can be chalked up to bad information or bad mathematics, but there are some general pathology that come up over and over again" [6].
With the mainstream of fuzzing, we have seen numerous bugs in a system which has made national or even international news. Attackers have a list of contacts, a handful of IP addresses for your network, and a list of domain names. Using a variety of scanning techniques, the attackers have now gained valuable information about the target network, including a list of phone numbers with modems (more obsolete but still viable), a group of wireless access points, addresses of live hosts, network topology, open ports, and firewall rule sets. The attacker has even gathered a list of vulnerabilities found on your network, all the while trying to evade detection. At this point, the attackers are poised for the kill, ready to take over systems on your network. This growth in fuzzing has shown that delivering the product/service software using basic testing practices are no longer acceptable. Because the internet provides so many protocol breaking tools, it is very likely that an intruder will break your company's protocol on all levels of its structure, semantics and protocol states. So in the end, if you do not fuzz it someone else will. Session based, and even state based, fuzzing practices have been used to establish the connections using the state level of a session to find better fault isolation. But the real challenge behind fuzzing is doing these techniques then isolating the fault environment, the bugs, protocols implementation and the monitoring of the environment.
Systems Integrations
There are three levels of systems integration the developer must consider for security. The software developer must consider the entire mitigation review of the software flaw and base it on the design implementation. This includes access control, intrusion detection and the trade-offs for the implementation. Integrating these controls into the system is important in the implementation stage of development. Attacks on these systems may even lead to severe safety and financial effects. Securing computer systems has become a very important part of system development and deployment.
Since we cannot completely take away the threats, we must minimize their impact instead. This can be made possible by creating an understanding of human and technical issues involved in such attacks. This knowledge can allow an engineer or developer make the intruder's life as hard as possible. This makes the challenge even greater in understanding the attacker's motivations and skill level. Think of it as infiltrating the hackers head by thinking like them psychologically.
Access Control
Even if you have implemented all of the controls you can think of there are a variety of other security lockdowns that must continually be supplemented to constant attacks against a system. You might apply security patches, use a file integrity checking tool, and have adequate logging, but have you recently looked for unsecured modems, or how about activating security on the ports or on the switches in your critical network segments to prevent the latest sniffing attack? Have you considered implementing non-executable stacks to prevent one of the most common types of attacks today, the stack-based buffer overflow? You should always be ready for kernel-level root-kits with any of these other attacks which imply the attacker has the capability of taking you out of command of your system.
Password attacks are very common in exploiting software authorization protocols. Attackers often try to guess passwords for systems to gain access either by hand or through using scripts that are generated. Password cracking will involve taking the encrypted or hashed passwords from a system cache or registry and using an automated tool to determine the original passwords. Password cracking tools create password guesses, encrypt or hash the guesses, and compare the result with the encrypted or hashed password so long as you have the encryption file to compare the results. The password guesses can come from a dictionary scanner, brute force routines, or hybrid techniques. This is why access controls must protect human, physical and intellectual assets against loss, damage or compromise by permitting or denying entrance into, within and from the protected area. The controls will also deny or grant access rights and the time thereof of the protected area. The access controls are operated by human resources using physical and/or electronic hardware in accordance with the policies. To defend against password attacks, you must have a strong password policy that requires users to have nontrivial passwords. You must make users aware of the policy, employ password filtering software, and periodically crack your own users passwords (with appropriate permission from management) to enforce the policy. You might also want to consider authentication tools stronger than passwords, such as PKI authentication, hardware tokens or auditing software [1].
But despite this, another developer might be interested in authenticating only. This user would first create minimal access points where the authenticator pattern will enforce authentication policies. The subject descriptor will define the data used to grant or deny the authentication decision. A password synchronizer pattern performs distributed password management. Authenticator and password synchronizer are not directly related. The users will need to apply other patterns after authenticator before they could use a password synchronizer.
Intrusion Detection
Intrusion detection is used for monitoring and logging the activity of security risks. A functioning network intrusion detection system should indicate that someone has found the doors, but nobody has actually tried to open them yet. This will inspect inbound and outbound network activity and identify patterns used that may indicate a network or system attack from someone attempting to compromise the system. In detecting the misuse of the system the protocols used, such as scanners, analyzes the information it gathers and compares it to large databases of attack signatures it provides. In essence, the security detection looks for a specific attack that has already been documented. Like a virus detection system, the detection system is only as good as the index of attack signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the normal state of the network's traffic breakdown, load, protocols, and typical packet size. Anomaly detection of segments is used to compare their current state to the normal state and look for anomalies. Designing the intrusion detection must also put into account, and detect, malicious packets that are meant to be overlooked by a generic firewall's basic filtering rules. In a host based system, the detection system should examine the activity on each individual computer or host. As long as you are securing the environment and authorizing transactions, then intrusion detection should pick up no activity from a flaw in the system's data flow.
Trade-Offs
Trade-offs of the implementation must also be taken into consideration when developing these controls and detection software. The developer must also consider the severity of the risk, the probability of the risk, the magnitude of the costs, how effective the countermeasure is at mitigating the risk and how well disparate risks and costs can be analyzed at this level, despite the fact that risks analysis was complete, because actual changes must be considered and the security assessment must be reassessed through this process. The one area that can cause the feeling of security to diverge from the reality of security is the idea of risk itself. If we get the severity of the risk wrong, we're going to get the trade-off wrong, which cannot happen at a critical level. We can do this to find out the implications in two ways. First, we can underestimate risks, like the risk of an automobile accident on your way to work. Second, we can overestimate some risks, such as the risk of some guy you know, stalking you or your family. When we overestimate and when we underestimate is governed by a few specific heuristics. One heuristic area is the idea that "bad security trade-offs is probability. If we get the probability wrong, we get the trade-off wrong" [6]. These heuristics are not specific to risk, but contribute to bad evaluations of risk. And as humans, our ability to quickly assess and spit out some probability in our brains runs into all sorts of problems. When we organize ourselves to correctly analyze a security issue, it becomes mere statistics. But when it comes down to it, we still need to figure out the threat of the risk which can be found when "listing five areas where perception can diverge from reality:"
-The severity of the risk.
-The probability of the risk.
-The magnitude of the costs.
-How effective the countermeasure is at mitigating the risk.
-The trade-off itself [6].
To think a system is completely secure is absurd and illogical at best unless hardware security was more widespread. Feeling of the word and reality of security are different, but they're closely related. We try our best security trade-offs considering the perception noted. And what I mean by that is that it gives us genuine security for a reasonable cost and when our actual feeling of security matches the reality of security. It is when the two are out of alignment that we get security wrong. We are also not adept at making coherent security trade-offs, especially in the context of a lot of ancillary information which is designed to persuade us in one direction or another. But when we reach the goal of complete lockdown on security protocol that is when you know the assessment was well worth the effort.
Physical Security
Physical security is any information that may be available, and used in order to gain specific information about company related data which may include documentation, personal information, assets and people susceptible to social engineering.
In its most widely practiced form, social engineering involves an attacker using employees at the target organization on the phone and exploiting them into revealing sensitive information. The most frustrating aspect of social engineering attacks for security professionals is that they are nearly always successful. By pretending to be another employee, a customer, or a supplier, the attacker attempts to manipulate the target person into divulging some of the organization's secrets. Social engineering is deception, pure and simple. The techniques used by social engineers are often associated with computer attacks, most likely because of the fancy term "social engineering" applied to the techniques when used in computer intrusions. However, scam artists, private investigators, law enforcement, and even determined sales people employ virtually the same techniques every single day.
Use public and private organizations to help with staffed security in and around complex parameters also install alarms on all doors, windows, and ceiling ducts. Make a clear statement to employees about assign clear roles and responsibilities for engineers, employees, and people in building maintenance and staff that they must always have authorization before they can disclose any corporate data information. They must make critical contacts and ongoing communication throughout a software product and disclosure of documentation. Mobile resources must be given to employees that travel and there should be installed on their mobile devices the correct security protocols for communicating back and forth from a web connection. The company must utilize local, state, and remote facilities to backup data or utilize services for extra security and protection of data resources. Such extra security could include surveillance of company waste so it is not susceptible to dumpster diving. Not to say an assailant might be looking for your yesterday's lunch but will more likely be looking for shredded paper, other important memo's or company reports you want to keep confidential.
Dumpster diving is a variation on physical break-in that involves rifling through an organization's trash to look for sensitive information. Attackers use dumpster diving to find discarded paper, CDs, DVDs, floppy disks (more obsolete but still viable), tapes, and hard drives containing sensitive data. In the computer underground, dumpster diving is sometimes referred to as trashing, and it can be a smelly affair. In the massive trash receptacle behind your building, an attacker might discover a complete diagram of your network architecture, or an employee might have carelessly tossed out a sticky note with a user ID and password. Although it may seem disgusting in most respects, a good dumpster diver can often retrieve informational gold from an organization's waste [1].
Conclusion
Security development involves the careful consideration of company value and trust. With the world as it exists today, we understand that the response to electronic attacks is not as lenient as they should be but none the less unavoidable. Professional criminals, hired guns, and even insiders, to name just a few of the threats we face today, cannot be compared to the pimply teen hacker sitting at his computer ready to launch his/her newest attacks at your system. Their motivations can include revenge, monetary gain, curiosity, or common pettiness to attract attention or to feel accomplished in some way. Their skill levels range from the simple script kiddies using tools that they do not understand, to elite masters who know the technology better than their victims and possibly even the vendors themselves.
The media, in retrospect, has made it a distinct point that the threat of digital terrorism is in the golden age of computer hacking. As we load more of our lives and society onto networked computers, attacks have become more prevalent and damaging. But do not get discouraged by the number and power of computer tools that harm your system, as we also live in the golden age of information security. The defenses implemented and maintained are definitely what you need. Although they are often not easy, they do add a good deal of job security for effective system administrators, network managers, and security personnel. Computer attackers are excellent in sharing and disclosing information with each other about how to attack your specified infrastructure. Their efficiency on information distribution concerning infiltrating their victims can be ruthless and brutal. Implementing and maintaining a comprehensive security program is not trivial. But do not get discouraged, we live in very exciting times, with technologies advancing rapidly, offering great opportunities for learning and growing.
If the technology itself is not exciting enough, just think of the great job security given to system administrators, security analyzers, and network managers who has knowledgeable experience on how to secure their systems properly. But also keep in mind that by staying diligent, you really can defend your information and systems while having a challenging and exciting job to give you more experience. To keep up with the attackers and defend our systems, we must understand their techniques. We must help system administrators, security personnel, and network administrators defend their computer systems against attack. Attackers come from all walks of life and have a variety of motivations and skill levels. Make sure you accurately assess the threat against your organization and deploy defenses that match the threat and the value of the assets you must protect. And we have to all be aware that we should never underestimate the power of the hacker who has enough time, patience and knowhow to accomplish anything they put their minds to. So it is your duty to do the same.
[1] Skoudis, Ed. Counter Hack Reloaded, Second Edition: a Step-by-Step Guide to Computer Attacks and Effective Defenses. 2nd ed. Massachussetts: Pearson Education, Inc., 2005. Safari Books Online. 12 Dec. 2007

1 comment: