and Web Applications 06 Secure Coding Alexandros Labrinidis - - PDF document

1

CS 1655 / Spring 2010 Secure Data Management and Web Applications

Alexandros Labrinidis University of Pittsburgh 06 – Secure Coding

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

2

Secure Coding

 From:

Secure Coding: Principles and Practices by Mark G. Graff & Kenneth R. Van Wyk O’Reilly, 2003

 First chapter is available online:

http://www.securecoding.org

2

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

3

One example

 When:

late 1996

 Where:

earth (internet problems affect all!)

 What:

TCP SYN Flood attack

 Why:

“not playing by the rules”

 Real-life equivalent:

 A calls B  B hangs up  A does not hang up  Result: B’s phone is busy! (no longer the case :-)) CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

4

Vulnerability Cycle

 Someone discovers a security flaw  Bad guys analyze info  Good guys try to fix it  Media take over…  People get worried  Panic responses (stop all email at a company)  Patch is ready  Technical-savvy folks apply patch  Many people don’t apply patch  Good guys look for related problems  MUCH LATER, an exploit is released - those with patches

are ok, the rest are victims…

3

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

5

Attacks and defenses

 Architectural-design level attacks:

 Man-in-the-middle  Race-condition  Replay  Sniffer  Session hijacking  Session killing CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

6

Attacks and defenses

 Implementation-level attacks

 Buffer-overflow  Back door attack  Parsing error attack

4

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

7

Attacks and defenses

 Operations-level attacks

 Denial-of-service  Default accounts  Password cracking  policies CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

8

Why good people write bad code

 Technical Factors

 In other fields, the whole may be greater than the sum of its

parts, in computer security the sum of the parts is often a hole!

 Phsychological Factors

 Decisions influenced by personal experiences  Mental models (of what the program is doing)  Ways of thinking about software

 Real world factors

 Production pressure  Just secure enough  The tragedy of the commons

5

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

9

What can be done?

 Education  Standards  Metrics

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

10

Making things clear

 Phishing

 E.g. activate your chase account

 Data breach

 Choicepoint  ABN-AMRO

 Attack/Hacking  Denial of Service Attack

6

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

11

Security Architecture

 Definition:

 Body of high-level design principles and decisions that allow a

programmer to say “yes” with and confidence and “No” with certainty

 e.g., knowing that adding a certain component will not

compromise the security of your system

 Security architecture

 serves as framework for secure design  should match a defined security need  often corresponds to a set of design documents

 NEXT: Principles of Security Architecture

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

12

Principles of Security Architecture

• 1. Start by asking questions

 About our worries

 What can go wrong?  What are we trying to protect?  Who do we think might want to compromise our security?  What is the weakest point in our defense?

 About our resources

 Do we have a security architecture? Is it used?  Do we have access to reusable code libraries?  What guidelines and standards are available?  What are good examples that we can use for inspiration?

7

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

13

Principles of Security Architecture

• 1. Start by asking questions

 About the software

 Where does it stand in the chain of trust?  Who are the legitimate users?  Who will have access to the software (exec/source)?  Do we use usage/# users changing over time?  What is the environment it will run? (the big bad Web?)

 About our goals

 What impact would a security compromise have?  Who are we willing to irritate with security measures?  Do have support of others (“higher-ups”) for our security

precautions?

 If users go around our security measures, how will we know/

handle it?

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

14

Principles of Security Architecture

• 2. Select a destination before stepping on the gas

 Must wait until you are sure you understand fully what

needs to be done, before starting making decisions.

 Contrast with house building

 Before architects draw plans, they must find info about:  type of house  Area (e.g., protect from earthquakes)  building code (& restrictions)  customer’s needs  …

8

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

15

Principles of Security Architecture

• 3. Decide how much security is just enough

 degree of assurance required by your application is very

strongly related to:

 size and nature of your unique risks  Cost of counter-measures that you program

 I.e., not make applications as secure as possible, BUT

make applications just secure enough

 Of course, this level should be determined objectively, and not

because you ran out of time :-)

 Ideally, there are standards, as in the financial sector  Example:

require biometric identification for all amazon.com purchases

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

16

Principles of Security Architecture

• 4. Employ standard engineering techniques

 Good security requires good software design and design

techniques.

 Main factors for security attacks:

 Lack of any design  Simple human weakness  Poor coding practices

 Good security architecture eliminates top two factors

• nly

9

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

17

Principles of Security Architecture

• 5. Identify your assumptions

 Must be able to stand apart from the problem at hand.  Example assumptions:

 If we receive a TCP packet with the SYN flag set, it means that

the sender wants to start a dialog with us

 1) missed malicious intent  2) assume sender identity is correct  The users of this software are human beings  maybe a script runs instead, executing our code several

thousand times a second…

 Q: How did yahoo/hotmail/gmail/etc solved this for their user

signup systems?

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

18

Principles of Security Architecture

• 6. Engineer security in from day one

 As opposed to “patching” things in later

 Just adding encryption won’t be enough!

10

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

19

Principles of Security Architecture

• 7. Design with the enemy in mind

 Try to anticipate how an attacker might approach solving

the “puzzle” of breaking your security infrastructure.

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

20

Principles of Security Architecture

• 8. Understand and respect the chain circle of trust

 Do not invoke untrusted programs from within trusted

• nes!

 General rule: do not delegate authority to take an action,

without delegating responsibility to check if action is appropriate.

11

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

21

Principles of Security Architecture

• 9. Be stingy with privileges

 “Principle of least privilege”

 A program must operate with just enough privilege and access to

accomplish its objectives.

 Example:

 If you only need to read a value from a file, do not open with

read/write permissions.

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

22

Principles of Security Architecture

• 10. Test any proposed action against policy

 Make sure that moment-to-moment decisions made by

software are in accordance with the up-to-date security settings.

 Example:

 Before adding an item to shopping cart, check that cart belongs

to user.

 We should not reauthenticate the user every time  We should try to verify that session has not expired, the

connection has not been broken, no rules were added about shopping carts…

12

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

23

Principles of Security Architecture

• 11. Build in appropriate levels of fault tolerance

 CERT’s recommendation:

 First identify mission-critical functionality. Then, use the 3 Rs:  Resistance (the capability to deter attacks)  Recognition (the capability to recognize attacks and

damage)

 Recovery (the capability to provide essential services and

assets during attack, and recover full services after attack)

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

24

Principles of Security Architecture

• 12. Address error-handling issues appropriately

 It is very common for improper error handling to create a

security vulnerability.

 What to do:

 Architect: decide on a general plan for handling errors  e.g., stop only on bizarre errors and log all others  Designer: how will application detect errors, discriminate

between cases, respond to them

 Coder: capture triggering conditions (and follow design)  Operator: check processes (to see if they have stopped),

check logs to see possible error reports

13

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

25

Principles of Security Architecture

• 13. Degrade gracefully

 When trouble happens, the application won’t panic, but

continues to operate in a restricted or degraded way.

 Examples:

 SYN Flood attack: no control over number of open internet

connections… (simple limit will do the trick)

 Crumple zones in cars  VMS system (by DEC):  Factor limiting processor performance = memory available

 Answer for performance complaints: buy more memory  VMS was crash-resistant  DEC sold a lot of memory :-)

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

26

Principles of Security Architecture

• 14. Fail safely

 Examples:

 Traffic lights are out => blink red  Corporate firewall fails => network closed  Time lock on bank vault => leave vault closed  Computer room with electronic lock, power fails => on/off?  Software to determine if iron lung machine should shut down

because a patient seems clinically dead. What happens with code crashes?

14

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

27

Principles of Security Architecture

• 15. Choose safe default actions and values

 Example:

 When looking at authorization, assume that user does NOT have

access rights first…

 Of course, this depends on the application (i.e. shutting off

valves at a nuclear reactor)

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

28

Principles of Security Architecture

• 16. Stay on the simple side
• 17. Modularize thoroughly

 To be successfully you need to:

 properly define the interfaces between modules  limit privileges and resources to modules that really need them

• 18. Don’t rely on obfuscation

 Security through obscurity does not work

 Reliance on obscurity is not ok  However, there is value in deception (i.e. misleading attackers)  Q: What is a honeypot?

15

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

29

Principles of Security Architecture

• 19. Maintain minimal retained state

 Example:

 TCP SYN flood attack  Maintaining state was harmful and let to exploitation

 Maintaining as little or no state information makes it

harder for attackers to change it!

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

30

Principles of Security Architecture

• 20. Adopt practical measures users can live with

 In theory there should be no difference between theory

and practice, but in practice there is!

 Be realistic

 Select user interface that makes it easy to do the right

thing

 Use mental models from real world  Users may work around security measures that are

deemed by them to be too “harsh”

 e.g., how often should passwords be changed?

16

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

31

Principles of Security Architecture

• 21. Make sure some individual is accountable

 No group accounts  Difficult for one person to pose as another  Responsibility for security must be clearly assigned

 Who is responsible for installing security patches?

• 22. Self-limit program consumption of resources

 Very common method of attack:

 exhaust system resources and crash the system

 Impose limits on resource consumption

 e.g., number of new processes spawn, amount of memory CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

32

Principles of Security Architecture

• 23. Make sure it is possible to reconstruct events

 Logging/audit trails

 For example: track changes to data

• 24. Eliminate “weak links”

 Provide consistent level of security measures throught

entire program

 Also means that security measures are reasonable

enough not to encourage users to introduce “back doors”

17

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

33

Principles of Security Architecture

• 25. Build in multiple layers of defense

 Don’t put all your security eggs in one basket :-)

• 26. Treat an application as a holistic whole
• 27. Reuse code known to be secure
• 28. Do not rely on off-the-shelf software for security
• 29. Do not let security needs overwhelm democratic

principles

CS 1655 / Spring 2010 Alexandros Labrinidis, Univ. of Pittsburgh

34

Principles of Security Architecture

• 30. Remember to ask “What did I forget?”