build it break it fix it
play

Build it, Break it, Fix it Fix it Today Break It Presentations - PowerPoint PPT Presentation

Dec 23, 2023 •333 likes •723 views

Build it, Break it, Fix it Fix it Today Break It Presentations Theoretical Part: How to Approach Vulnerability Fixing Hints for Fix It Prof. Eric Bodden Build It, Break It, Fix It SS 17 2 How to Approach Vulnerability

  1. Build it, Break it, Fix it Fix it

  2. Today  Break It Presentations  Theoretical Part: How to Approach Vulnerability Fixing  Hints for Fix It Prof. Eric Bodden – Build It, Break It, Fix It SS 17 2

  3. How to Approach Vulnerability Fixing

  4. How not to… “Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business .” – Quote from bug report They were down shortly after. Surprise. Prof. Eric Bodden – Build It, Break It, Fix It SS 17 4

  5. Vulnerability Lifecycle - Ideal Notification Vendor finds out Danger Public knows Nobody knows Vendor knows Fix Silent Update 5 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  6. Vulnerability Lifecycle – Common Case in Reality No fix within time X (typ. 90 days) Danger Nobody knows Vendor knows Public knows Fix White Hats know Full Public White Hats find Confidential Disclosure out Disclosure 6 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  7. https://www.theguardian.com/technology/2016/nov/01/google-microsoft-bug 7 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  8. Vulnerability Lifecycle – Worst Case: Zero Day Extreme Danger Danger Only Black Hats White Hats know know Black Hats find out Nobody knows Vendor knows Public knows Fix 8 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  9. Vulnerabilities  No non-trivial system is completely free of vulnerabilities  C ommon V ulnerabilities and E xposures (~ 80k)  Managed and hosted by MITRE  https://cve.mitre.org/  Each known vulnerability is assigned an identifier E.g., CVE-2011-1153  9 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  10. Error -47. The system How Bad is Bad? will be restarted. O.k. We’ve seen many vulnerabilities   Many of them can do catastrophic things Danger really “depends on the situation”   Many, many situational factors, such as: Asset exposed, and its relative importance Remotely, or locally exploitable? Expertise needed to exploit the vulnerability? Affects all deployments? Impact on CIA properties How much traction did the problem have already? 10 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  11. Rating Vulnerabilities vs. Risk Management  Similar to one another, you have to rate found vulnerabilities  How crucial is the vulnerability? Risk Management Vulnerability Assessment Starts in early development phases, e.g., Only applicable for existing systems   design Applied to concrete vulnerabilities and (in  Based on potential threats to the system the best case) corresponding exploits  Goal: Prevent (important) vulnerabilities Goal: Fix and prevent further (important)   vulnerabilities If risk management is used/updated throughout the lifecycle, it can also support vulnerability assessment. 11 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  12. Rating Vulnerabilities  We need a method to rate discovered vulnerabilities  Should take all essential factors into account  Should be repeatable and deterministic (to a certain degree)  Should result in comparable results (order of importance)  Should be approved by experts / industry  C ommon V ulnerability S coring S ystem (CVSS) 12 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  13. CVSS Common Vulnerability Scoring System  An open scoring system from FIRST  FIRST: Forum for Incident Response & Security Teams  http://www.first.org/cvss  A group of researchers & practitioners  Adopted by NIST  CVSS added in CVE descriptions NVD (NIST) provides CVSS scores for all CVE  Latest version: v3 (2015)  Mostly applied in industry: v2  Provide a set of metrics, and corresponding values and weighting functions  13 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  14. CVSS Metric Groups Base Metrics Core aspects of the vulnerability. Temporal Metrics Environmental Metrics Vulnerability Score Your own organization’s Change over time. priorities. May vary in different deployments. https://www.first.org/cvss/specification-document 14 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  15. CVSS Metric Groups Typically done by To be done by vulnerability bulletin “user” analysts, security product organisation vendors, or application vendors https://www.first.org/cvss/specification-document 15 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  16. Base Metric Group Base Metrics Exploitability  Exploitability metrics Attack Attack  Characteristics of how a given thing is Vector Complexity vulnerable Privileges User Interaction Required  Impact metrics Impact Confidentiality Integrity  Represent the consequence to the thing Impact Impact that suffers the impact Availability Impact  Scope Scope Which parts of the system are affected?  Scope 16 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  17. Exploitability Attack Attack Base Vector Complexity Attack Vector (AV) User Privileges Interaction Required  Through what entry gates can an attacker exploit the vulnerability?  Metric Value:  (P) Physical (L) Local only   (A) Adjacent network (e.g. wi-fi, local IP subnet) (N) Network: fully remotely exploitable  More than one level affected? Go with the worse one  Client that opens stuff from an untrusted internet source?  Go with Network (e.g. zip utility with a buffer overflow) 1. XSS in a webapp? (N) 2. Lack of SSL encryption on Facebook? (A) 17 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  18. Exploitability Attack Attack Base Vector Complexity Attack Complexity (AC) User Privileges Interaction Required  How complex would the vulnerability be to exploit?  One step? e.g. buffer overflow  Multiple steps? e.g. convince an email user to download a sketchy attachment  Metric value  (H) High: Specialized access conditions  e.g. overcoming advanced exploit mitigation techniques  e.g. man in the middle attack  (L) Low: no specialized conditions  e.g. default configuration  e.g. requires little skill to perform  Note: Low complexity is bad 18 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  19. Exploitability Attack Attack Base Vector Complexity Privileges Required (PR) User Privileges Interaction Required  Level of privileges needed for exploit? Metric value   (H) privileges that provide significant control  (e.g. administrative)  (L) privileges that provide basic user capabilities  (N) No authorization needed  In an authentication system itself? Go with (N) (L) 1. Path traversal in photo upload for a Twitter client? (N) 2. Insecure PRNG for session IDs? 19 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  20. Exploitability Attack Attack Base Vector Complexity User Interaction (UI) User Privileges Interaction Required  a user, other than the attacker, participates in the exploit  Metric value  (N): can be exploited without interaction from any user  (R): requires a user to take action  E.g. exploit may only be possible during the installation of an application by a system administrator. (R) – must click on a link 1. Reflected XSS? (R) – need victim to create the http request & be logged in 2. CSRF? 20 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  21. Impact Attack Attack Confidentiality Integrity Base Vector Complexity Impact Impact CIA Impact Availability Privileges Impact Required  Any impact on confidentiality, integrity, and/or availability?   These are three separate metrics  Metric Value (for each metric) (N) None   (L) Low  e.g. disclosing a few database tables e.g. temporary DoS   (H) High e.g. reading arbitrary memory locations is High confidentiality impact   e.g. full bypass of plug-in sandbox is High integrity impact e.g. root-level access? High on all three metrics  Hardcoded root credentials in blogging software? C = High | I = High | A = None 21 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

  22. Scope Attack Scope Base: Scope (S) Vector  The ability for a vulnerability in one software component to impact resources beyond its means, or privileges.  Metric Value  (U): Unchanged  The vulnerable component and the impacted component are the same.  (C): Changed  The vulnerable component and the impacted component are different. (C) 1. Vulnerability in a Linux VM that compromises the host OS? (U) 2. Using crafted office file to cause a DoS in office suite? 22 Prof. Eric Bodden - Build It, Break It, Fix It SS 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Build it, Break it, Fix it Build-it Lecture Prof. Eric Bodden Build It, Break It, Fix It SS

Build it, Break it, Fix it Build-it Lecture Prof. Eric Bodden Build It, Break It, Fix It SS

Build it, Break it, Fix it Build-it Lecture Prof. Eric Bodden Build It, Break It, Fix It SS 17 Today Introduction n Theoretical Part: How to Build Secure Software n Brief Problem Overview n Setup HowTo for Phase I n 2 Prof. Eric

610 views • 50 slides
Build it, Break it, Fix it Break it Today Build It Presentations Theoretical Part:

Build it, Break it, Fix it Break it Today Build It Presentations Theoretical Part:

Build it, Break it, Fix it Break it Today Build It Presentations Theoretical Part: How to Approach Vulnerability Finding Hints for Break It Prof. Eric Bodden Build It, Break It, Fix It SS 17 2 How to Approach Vulnerability

573 views • 56 slides
UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix It Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks University of Maryland MANY REAL VULNERABILITIES

611 views • 34 slides
UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis From Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis From Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis From Build It, Break It, Fix It Daniel Votipka , Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks University of Maryland, College Park 1 SOLVED

1.64k views • 148 slides
It will break! Leonid Movsesyan, Dropbox Hierarchy of needs 4 easy steps Build your

It will break! Leonid Movsesyan, Dropbox Hierarchy of needs 4 easy steps Build your

It will break! Leonid Movsesyan, Dropbox Hierarchy of needs 4 easy steps Build your hierarchy of needs Put together your assumptions about the each layer Run regular disaster recovery testing (DRT) as close to reality as possible

447 views • 27 slides
STAKEHOLDER ENGAGEMENT Tuesday 13 th March 2018 OPERATING SCHEDULE SITE LAYOUT BUILD & BREAK

STAKEHOLDER ENGAGEMENT Tuesday 13 th March 2018 OPERATING SCHEDULE SITE LAYOUT BUILD & BREAK

STAKEHOLDER ENGAGEMENT Tuesday 13 th March 2018 OPERATING SCHEDULE SITE LAYOUT BUILD & BREAK Handover of the park: Pre-event - 19 th May / Post-event - 11 th June Two production gates: Herne Hill Gate for large vehicles (10am -

324 views • 13 slides
Identify the Break-Even Point 1 What does it mean to break-even? 2

Identify the Break-Even Point 1 What does it mean to break-even? 2

Identify the Break-Even Point 1 What does it mean to break-even? 2 What is a break-even point? 3 Calculating the Break-Even Point (BEP) in number of units (items) 4 Calculating Break-Even point for a Lemonade

234 views • 8 slides
A tentative Summary mon$1 tue$2 wed$3 thu$4 fri$5 Morning 8:15$9:009 registration

A tentative Summary mon$1 tue$2 wed$3 thu$4 fri$5 Morning 8:15$9:009 registration

A tentative Summary mon$1 tue$2 wed$3 thu$4 fri$5 Morning 8:15$9:009 registration 9:00$9:15 welcome 9:15$10:15 Stecker 9:00$10:00 Keating Granot Miller Kelley 10:15$10:45 BREAK 10:00$10:30 BREAK BREAK BREAK BREAK 10:45$11:30

224 views • 8 slides
Food Pledge The purpose of the Pledge The Pledge helps us break down the complexity of the food

Food Pledge The purpose of the Pledge The Pledge helps us break down the complexity of the food

The Southeast NB Food Pledge The purpose of the Pledge The Pledge helps us break down the complexity of the food system into bite-sized actions that link our work at the individual, organizational, and political levels to set goals, and build a

168 views • 14 slides
Self-Advocate Coffee Break FRIDAY, APRIL 24 TH 3:00 EST Coffee- Break Agenda Introduction

Self-Advocate Coffee Break FRIDAY, APRIL 24 TH 3:00 EST Coffee- Break Agenda Introduction

Self-Advocate Coffee Break FRIDAY, APRIL 24 TH 3:00 EST Coffee- Break Agenda Introduction What is your dream vacation and who would you take with you? In break out rooms discuss the questions for about 5 - 10 minutes Make

210 views • 7 slides
self build housing Ted Stevens NaSBA Chair What is Self/Custom Build? Who does it/what is

self build housing Ted Stevens NaSBA Chair What is Self/Custom Build? Who does it/what is

New ways of delivering self build housing Ted Stevens NaSBA Chair What is Self/Custom Build? Who does it/what is changing? The New Self Build Policy Why Support Self Build? The Self Build Revolution so Far Some Case Studies What is Self

960 views • 56 slides
Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing

Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing

Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing Introduction, Weighted Interval Scheduling some local criterion. Divide-and-conquer. Break up

434 views • 7 slides
EMA EFPIA workshop EMA EFPIA workshop Break- -out session no. 4 out session no. 4 Break

EMA EFPIA workshop EMA EFPIA workshop Break- -out session no. 4 out session no. 4 Break

EMA EFPIA workshop EMA EFPIA workshop Break- -out session no. 4 out session no. 4 Break Longitudinal model-based test as primary analysis in phase III B. Bieth*, D. Renard*, I. Demin*, B. Hamrn*, G. Heimann*, Sigrid Balser** *

402 views • 15 slides
Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing some local

Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing some local

Algorithmic paradigms Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing some local criterion. Introduction, Weighted Interval Scheduling Divide-and-conquer. Break up a problem into independent subproblems,

237 views • 7 slides
Build-Finance or Design-Build-Finance Transportation Projects Types of P3s Design-Build (DB)

Build-Finance or Design-Build-Finance Transportation Projects Types of P3s Design-Build (DB)

Build-Finance or Design-Build-Finance Transportation Projects Types of P3s Design-Build (DB) D B Asset Management Contract R M Design-Build-Finance (DBF) F Design-Build-Operate-Maintain (DBOM) Increasing Private Sector Role

218 views • 19 slides
Build Build Build Build System building The process of compiling and linking software

Build Build Build Build System building The process of compiling and linking software

Build Build Build Build System building The process of compiling and linking software components into an executable system Different systems are built from different combinations of components Invariably supported by automated

557 views • 20 slides
Automatically Repairing Broken Workflows for Evolving GUI Applications Sai Zhang University of

Automatically Repairing Broken Workflows for Evolving GUI Applications Sai Zhang University of

Automatically Repairing Broken Workflows for Evolving GUI Applications Sai Zhang University of Washington Joint work with: Hao L, Michael D. Ernst A workflow = A sequence of UI actions

845 views • 40 slides
Mortgage Contract Design David Miles Monetary Policy Committee Bank of England Federal Reserve

Mortgage Contract Design David Miles Monetary Policy Committee Bank of England Federal Reserve

Mortgage Contract Design David Miles Monetary Policy Committee Bank of England Federal Reserve Bank of New York May 2015 rate Percentage of UK mortgages that are fixed Q3 2007 Q4 2007 Q1 2008 Q2 2008 Q3 2008 Q4 2008 Q1 2009 Q2 2009

423 views • 7 slides
Announcements Project 0: Python Tutorial Due yesterday / Monday at 11:59pm (0 points in

Announcements Project 0: Python Tutorial Due yesterday / Monday at 11:59pm (0 points in

Announcements Project 0: Python Tutorial Due yesterday / Monday at 11:59pm (0 points in class, but pulse check to see you are in + get to know submission system) Homework 0: Math self-diagnostic Optional, but important to check

1.1k views • 56 slides
Skyline queries Information Systems M Prof. Paolo Ciaccia http://www

Skyline queries Information Systems M Prof. Paolo Ciaccia http://www

Skyline queries Information Systems M Prof. Paolo Ciaccia http://www db.deis.unibo.it/courses/SI M/ Limits of scoring functions Although scoring functions are widely used to rank a set of objects, it is nowadays recognized that they

465 views • 22 slides
Aut Automati tic Data Str truc uctur ture Repa pair usi using ng Sepa parati tion n

Aut Automati tic Data Str truc uctur ture Repa pair usi using ng Sepa parati tion n

Aut Automati tic Data Str truc uctur ture Repa pair usi using ng Sepa parati tion n Logi gic Gu Guolong Zheng, , ThanhVu Nguyen University of Nebraska-Lincoln Quang Loc Le Quoc-Sang Phan Teesside University Fujitsu

673 views • 20 slides
Lecture 6.6: The fundamental theorem of Galois theory Matthew Macauley Department of Mathematical

Lecture 6.6: The fundamental theorem of Galois theory Matthew Macauley Department of Mathematical

Lecture 6.6: The fundamental theorem of Galois theory Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4120, Modern Algebra M. Macauley (Clemson) Lecture 6.6: Fundamental

769 views • 9 slides
30 minutes to fix bugs in Eclipse Eclipse Con Europe 2015 November 3 2015 I - Fixing bugs I

30 minutes to fix bugs in Eclipse Eclipse Con Europe 2015 November 3 2015 I - Fixing bugs I

30 minutes to fix bugs in Eclipse Eclipse Con Europe 2015 November 3 2015 I - Fixing bugs I Welcome / Agenda general issues on contribution a few words about the hackathon introduction to requirements (how to install, ...) and

362 views • 10 slides
Dynamic Repair of Applications with Runtime Snap-ins J. Peter Brady Dartmouth College, Hanover

Dynamic Repair of Applications with Runtime Snap-ins J. Peter Brady Dartmouth College, Hanover

Dynamic Repair of Applications with Runtime Snap-ins J. Peter Brady Dartmouth College, Hanover NH jpb@cs.dartmouth.edu Advisors: Dr. Sean Smith, Dr. Sergey Bratus Funded by the U.S. Department of Energy and the U.S. Department of Homeland

496 views • 12 slides

More recommend