Built-in Security Mindfulness for Software Developers
2 likes203 views
1) Software vulnerabilities, not network issues, are the main cause of cyber attacks according to surveys. Common software vulnerabilities like buffer overflows and injection attacks allow hackers to exploit programs. 2) Conventional network security mechanisms cannot prevent attacks from software vulnerabilities within programs. Developers often focus on functionality over security and make mistakes like lacking input validation that have led to vulnerabilities for 40+ years. 3) The University of Dayton is working to build security mindfulness for software developers through hands-on courses. Students learn about vulnerabilities and defensive programming techniques to avoid security problems at the design stage.
Built-in Security Mindfulness for Software Developers
- 1. Built-in Security Mindfulness for Software Developers Phu H. Phung Intelligent Systems Security Lab Department of Computer Science, University of Dayton https://isseclab-udayton.github.io/ March 11, 2020
- 2. Cyber Security Spends and Trends in Companies •Spends and Trends: SANS 2020 IT Cybersecurity Spending Survey All about network, i.e., cyber security But, most of cyber attacks are not due to network issues 1
- 3. Applications Continue To Be Companies’ Weakest Security Link 2 Forrester: The State Of Application Security, 2019 Top 71% of external attacks are due to software vulnerabilities
- 6. Software Security versus Network (Cyber) Security 5 Program Process Data (Structured Program Internals) Input Output Call-out to other programs (also consider input & output issues) Software Security Network Security Network Security
- 7. Software Security versus Network Security: An example •Assume that you are a Paypal user, and assume that Paypal is on HTTPS and requires two-factor authentication, i.e., after providing username/password, you are required to confirm the login in another device Network security is fully guaranteed •Discussion: is it safe for you to open a link like below while you are logged in on Paypal? https://www.paypal.com/eg/cgi-bin/cmd=flow&SESSION=Akl-tATMf1GOP- tQu3t3x4Vju&… 6
- 8. Paypal was vulnerable to CSRF 7
- 9. Who should be responsible for the Paypal attack example? •The user? e.g., using anti-virus software? •Your organization? e.g., installing anti-virus software, using a proxy filtering, firewalls? •The Internet Provider? e.g., installing firewalls? Conventional Security Solutions such as anti-virus software or firewall cannot prevent attacks caused by software vulnerabilities 8
- 10. Conventional Security Mechanisms •Firewall •Cryptography •Access control •System calls/ privileged mode Treat programs as black box, cannot address vuneralbilities inside a program 9
- 11. Issues of Conventional Security Mechanisms and Network Security •Cannot address important current and future security needs: Downloaded, mobile code Buffer overflow, code injection, data races, and other safety problems Web application security Information flow control, e.g., privacy 10
- 12. Software Security •Vulnerabilities in software that cause cyber attacks that can not be prevented by conventional security mechanisms A vulnerability is a flaw in software mostly caused by software developers 11 Chart source: Trend Micro and the Organization of American States (OAS)
- 13. Another Attack Example: A Buffer-Overflow 12 Enter Your PIN: Attacker can inject malicious code from input to exploit vulnerable programs
- 14. Buffer Overflow Example • A simple program in C, e.g., myecho.c that just print the input: • Compiling and execution $ gcc myecho.c -o myecho $ myecho OISC20 OISC20 Are there any issues you can see in this simple program? How about? $ myecho $(perl -e 'print "A"x150') 13
- 15. Buffer Overflow Attack Live Demo 14 Demo video: https://youtu.be/RAawLvKa-U0
- 16. Buffer-Over Flow Attack Examples •The most common software vulnerabilities that causes cyber attacks •Recent and notable examples: Wannacry, May 2017 o A Ransomware crippling systems worldwide WhatsApp, May 2019 o Hackers compromise victims’ phone by a phone call that automatically executes malicious code 15
- 18. 17
- 19. Are buffer overflow attacks new? •Buffer overflow is 40 years old! 18
- 20. Why does Buffer-Overflow happen? •Data is read or written outside the bounds of a buffer The attacker gets the program to treat the malicious data as code •How can this happen? The developer did not check the data size or use insecure functions in the program!!! 19
- 21. Software Development •Based on a typical software engineering process Normally developers focus on the functionalities of the application 20 Image source: www.pinterest.com
- 22. Security in Software Development •Developers mainly focus on the functionalities Few developers know how to develop secure software o Programming books/courses do not teach it Most developers do not think like a hacker o “How could this be attacked?” – be slightly paranoid Developers do not learn from others’ security mistakes o Most vulnerabilities caused by same mistakes over 40+ years Credit: David A. Wheeler 21
- 23. Traditional Penetrate-and-Patch Software Development Approach •Once a software vulnerability is discovered (normally by attackers), the software can be patched, but: Unpatched systems remain vulnerable Other vulnerabilities might still remain New vulnerabilities might be discovered •Zero-day vulnerability attacks exploit this Penetrate-and- Patch approach 22
- 24. Zero-day vulnerabilities •Undisclosed computer-software vulnerabilities Hackers can exploit to adversely affect computer systems oBefore the vulnerability is fixed and patched 23
- 25. Security at the source •The developers should be responsible for security at the design and development phase Secure Development Lifecycle has been proposed Source: “Improving Security Across the Software Development Lifecycle – Task Force Report”, April 1, 2004. http://www.cyberpartnership.org/init.html; based on Gary McGraw 2004, IEEE Security and Privacy. Fair use asserted. Credit: David A. Wheeler 24
- 26. Built-in Security Mindfulness for Software Developers at UDayton-CS •Understanding of the impact of software vulnerabilities (in Software/Language-based Security course) •Develop “Building Security In” Approach (in Secure Application Development course) Secure and Sustainability Principles and Practices in Application Development Avoid security problems at the design stage 25
- 27. Software Security/Language-based Security at UDayton-CS •Students will learn the practice of software security how to identify vulnerabilities in computer systems o white-hat hacker mindset !!! how to defense against the possible vulnerabilities •Students can understand the principles of language-based security how to design secure systems and write secure code 26
- 28. UDayton-CS hands-on example: SQLi Attacks •Students will need to hack into a real web server (on a Cyber Range), e.g.: http://myphoto.blog.com/ By exploring and exploiting its SQL Injection Vulnerabilities Read the data from the database Obtain the username/password and login to the system 27
- 29. Detect the SQL Vulnerabilities • Click on a link, e.g.:http://myphoto.blog.com/cat.php?id=1 Recall HTTP GET Request, inputs are encoded in the URL • Let’s try several different inputs to detect potential vulnerabilities: http://myphoto.blog.com/cat.php?id=1' 28
- 30. Detect the SQL Vulnerabilities - More http://myphoto.blog.com/cat.php?id=a http://myphoto.blog.com/cat.php?id=2-1 • Guessing? 29 SELECT xxx FROM xxx WHERE xxx=<input>
- 31. Exploitation of SQL Injections • We guessed the SQL SELECT xxx FROM xxx WHERE xxx=<input> • How to inject a SQL query for attacks? Use UNION: SELECT xxx FROM xxx WHERE xxx=value UNION SELECT ??? UNION must have the same number of columns. How do we know? oTrials with errors, e.g.,: • SELECT xxx FROM xxx WHERE xxx=value UNION SELECT 1 30
- 32. Exploitation of SQL Injections - more • We guessed the SQL SELECT xxx FROM xxx WHERE xxx=<input> • Trials with errors, e.g.,: SELECT xxx FROM xxx WHERE xxx=value UNION SELECT 1 SELECT xxx FROM xxx WHERE xxx=value UNION SELECT 1, 2 ... • Students first do hands-on to identify the number of columns Carry out further attacks 31
- 33. Future Software security hacking environment • We create a practical and real environment for students E.g.,: https://myphoto.ss-lbs.me for SQL Injection Attacks https://myblog.ss-lbs.me for XSS, SQLi, Session Hijacking CSRF attacks 32
- 34. Discussion: How many columns used in the SQL in https://myphoto.ss-lbs.me/cat.php?id=1 A. * B. 1 C. 2 D. 3 E. 4 33
- 35. Demo: Retrieving username/password with SQLi Attacks Students can login with the stolen username/password 34
- 36. Secure Application Development at UDayton-CS • How to develop application software with “Building Security In” Approach Secure and Sustainability Principles and Practices in Application Development Robust and Defensive Programming Techniques Avoid security problems at the design stage o Developers with hacker mindset!! 35
- 37. Secure Application Development Example: A Simple Login System •Code (from the scratch) to authenticate users with username/password Check on real database (MySQL) •Then think as a hacker! Doing self-attacks Implementing secure code The query: SELECT * FROM users where username='admin' AND password=password('thepassword'); thepassword 36
- 38. Username/password check from Database 37 Discussion: What are the potential security risks in this SQL statement? A. No input validation B. Attackers can inject SQL code C. Attackers can inject JavaScript code D. A and B E. A, B, and C sql=SELECT * FROM users where username=' ' AND password=password(' ') P4$$w0rd admin P4$$w0rd
- 39. Self-attack Demo: Mixed SQL and JavaScript 38 admin' #<script>alert(document.cookie)</script> This is an example of code injection attacks, mixing SQL and JavaScript. Will be covered in detail next steps
- 40. Prepared Statements in PHP/MySQL 39 Vulnerable SQL Statement OWASP Primary Defenses against SQL Injection Attacks: Option #1: Use of Prepared Statements
- 41. Built-in Security Mindfulness for Software Developers at UDayton-CS: A Reflection •Stable and increasing enrollment •Very high positive feedback from students Yoursecureapplication projectis veryusefulforattending interviews. Dr.Phung, Ijust wantedtothankyouandalsoletyouknowhowbeneficial yourclass wasinan interviewIhadacoupleweeksago. … Yourclassbenefited meextremelyandIjustwantedtomakesurethatyouknewand yousothatyoucantellyourclasses what employersmightaskabout.Iendedup gettingajoboffer15minutes afterIleft theinterview,theysaidthattheywere trulyimpressed with myrangeofknowledge. 40
- 42. Challenges and Opportunities •Security courses are not mandatory for CS students Future developers still write insecure code !!! •I welcome and look forward to opportunities Integrate security components in programming classes Collaborate with other colleges to explore the possibilities to integrate security components in their curriculum Work with industry to propose a long-term solution 41
- 43. Thank you! Phu H. Phung Intelligent Systems Security Lab Department of Computer Science, University of Dayton https://isseclab-udayton.github.io/ March 11, 2020
Editor's Notes
- #16: https://youtu.be/M_IIbjBtHLY
- #21: WannaCry attacks
- #32: http://myphoto.blog.com/cat.php?id=1 UNION SELECT 1, 2, 3, 4
- #33: http://myphoto.blog.com/cat.php?id=1 UNION SELECT 1, 2, 3, 4
- #35: E. 4 http://myphoto.blog.com/cat.php?id=1 UNION SELECT 1, 2, 3, 4 http://myphoto.blog.com/cat.php?id=1 UNION SELECT 1, 'pphung1', 3, 4
- #39: E. All are correct
- #41: $prepared_sql = "SELECT * FROM users WHERE username= ? " . " AND password=password(?);"; if(!$stmt = $mysqli->prepare($prepared_sql)) echo "Prepared Statement Error"; $stmt->bind_param("ss", $username,$password); if(!$stmt->execute()) echo "Execute Error"; if(!$stmt->store_result()) echo "Store_result Error"; $result = $stmt;