[PDF] - Introduction to Security Kira Chan K. Chan: CSE435: Software PDF Document

SLIDE 1

11/26/19

K. Chan: CSE435: Software Engineering

1

Introduction to Security

Kira Chan

K. Chan: CSE435: Software Engineering

Software expectation

In a regular messaging application, what do you expect?
Let's assume you want to use it to meet your friend for Friday night

dinner.

Messages are delivered
Delivers within a time limit threshold
No one else is reading your messages
Message is not altered
Application does not “lag”
Etc
K. Chan: CSE435: Software Engineering

SLIDE 2

11/26/19

K. Chan: CSE435: Software Engineering

2

Terminology

“A computer is secure if you can depend on it and its software to

behave as you expect (intent).”

‘Trust describes our level of confidence that a computer system will

behave as expected.’ (intended)

[Garfinkel & Spafford, Kasten]

K. Chan: CSE435: Software Engineering

Why should we consider security?

Can you build a messaging application that satisfies requirements
Who are the requirements made for?
Stakeholders?
Users?
Does every user conform to the expectations you have set?
Resources and information contain monetary or other values
Security breaches could be damaging to your reputation
When is security usually taken into consideration?
Security is often an after thought
Added onto a system, it may not fully address the underlying issue
Lots of new “Band-Aids” to patch an issue, causes inefficiency
K. Chan: CSE435: Software Engineering

SLIDE 3

11/26/19

K. Chan: CSE435: Software Engineering

3

Potential impact

Wannacry
Encrypts user data and demand ransom to decrypt it
https://www.symantec.com/blogs/threat-intelligence/wannacry-ransomware-attack
Say I encrypted your laptop, your final exam is tomorrow
Ransom is every asset you have
Do you pay it?
Safety?
What if critical systems are compromised?
K. Chan: CSE435: Software Engineering

De Definition (NIST)

Computer security is the protection afforded to an automated

information system in order to attain the applicable objective of preserving the integrity, availability and confidentiality of the system’s resources

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-14.pdf
K. Chan: CSE435: Software Engineering

SLIDE 4

11/26/19

K. Chan: CSE435: Software Engineering

4

Confidentiality, Integrity and Availability

Confidentiality: information are not disclosed to unauthorized parties
Integrity: assure that information and program are only changed in an

authorized manner

A message is actually from where it claims to have come from
Mailman delivers you a mail from your best friend overseas, how do you

know if this message have not been modified?

Availability: assures that the systems work promptly, and services are

not denied to authorized users when they request them

K. Chan: CSE435: Software Engineering

Castle analogy

Img source: McCallum

K. Chan: CSE435: Software Engineering

SLIDE 5

11/26/19

K. Chan: CSE435: Software Engineering

5

Security challenges.

Defending a system is hard since we must secure all weak points
Attacker only needs to find one exploit
Users do not like complicated systems
Benefit of security is not considered until a breach occurs
IT tech person, why do we even hire this guy?
Impediment to the user
K. Chan: CSE435: Software Engineering

Terminology

Security Policy: a set of rules and practices that specify or regulate

how a system provides security services to protect sensitive and critical system resources

Vulnerability: a flaw or weakness in a system that can be exploited
Threat: a potential violation of security; a possible danger that might

exploit a vulnerability

Attack: an assault on the system that derives from a threat.
Threats carried out
K. Chan: CSE435: Software Engineering

SLIDE 6

11/26/19

K. Chan: CSE435: Software Engineering

6

Threats

Hardware: physical devices – easy target
“Involuntary computer-slaughter”
Accidental acts not intended to do harm
E.g. Spilling a drink on computer
“Voluntary computer slaughter” – machinicide:
Purposely break a machine
Software: equipment worthless without software
Deletion
Modification
Theft

Slide provided from Dr. Cheng

K. Chan: CSE435: Software Engineering

Why are we talking about this?

Time is money
Organizations want a product that makes money, so time spent not

making money producing software is wasted time.

Monetory consequences are often not considered until a breach.
Example: CSE3xx programs.
Did you consider security when you developed your programs?
K. Chan: CSE435: Software Engineering

SLIDE 7

11/26/19

K. Chan: CSE435: Software Engineering

7

Patches

K. Chan: CSE435: Software Engineering

Patches

Changes made to fix, improve or update your system
What are patches used for?
Bug-fixes
Improvements
New features
Why can we not just patch security issues away?
K. Chan: CSE435: Software Engineering

SLIDE 8

11/26/19

K. Chan: CSE435: Software Engineering

8

When to use patches for security

Security should be defined in your original design
Patches should only be given as emergency solution
User ignores patches a lot of time
Patches may not fix the fundamental issues
K. Chan: CSE435: Software Engineering

How do we provide security to a system?

Easiest way: no access.
Challenge is to prevent unauthorized access to system, while causing

the least amount of impediment to legitimate users.

User experience Security for system

K. Chan: CSE435: Software Engineering

SLIDE 9

11/26/19

K. Chan: CSE435: Software Engineering

9

How to design your system?

Design of security should be as small and simple as needed
Easy to test/verify its strength, fewer flaws
Open Design: security mechanism should not be a secret!
Why?
Experts can review and point to flaws
Reverse engineering can expose your software
You will not know if your software have been compromised
K. Chan: CSE435: Software Engineering

How to design your system (cont.)

Psychological acceptability: the security mechanisms should not interfere

with the work of the user

Consider our messaging app
Asks for user password every 30 seconds
Less extreme of an example: require restart every 12 hours
User will disarm if not!
Layering: Multiple layers of security. Failure at one point will not leave your

system compromised

Example: messaging application
Encrypt stored messages
Ensure other applications on same device cannot access those files
Least astonishment: no surprises!
Functions should conform to user expectation
K. Chan: CSE435: Software Engineering

SLIDE 10

11/26/19

K. Chan: CSE435: Software Engineering

10

Remainder of presentation

I will focus on what you can do as a developer to help secure your

system

What to do and what not to do
K. Chan: CSE435: Software Engineering

Risk Assessment

Three questions to answer:
What am I trying to protect?
What do I need to protect against?
How much time, effort, and money am I willing to spend to obtain these

protection?

Three key steps:
Identify assets
Identify threats
Calculate risks
Risk: expected loss from the probability that a threat that will exploit a vulnerability in

the system

Slide provided from Dr. Cheng

K. Chan: CSE435: Software Engineering

SLIDE 11

11/26/19

K. Chan: CSE435: Software Engineering

11

Identify Asset

What are you trying to protect against? Recall CIA
Data?
Message confidentiality?
System resources?
Availability?
Categories of vulnerabilities:
Corruption (loss of integrity)
Leaky (loss of confidentiality)
Unavailable or slow access (loss of availability)
K. Chan: CSE435: Software Engineering

Identify Threats

What is the threat?
Hackers?
Political opponents
Rival companies
Activist
What is the intent/objective of the threat?
K. Chan: CSE435: Software Engineering

SLIDE 12

11/26/19

K. Chan: CSE435: Software Engineering

12

3 classes of intruder skill level

Apprentice: minimal technical skills
Use existing technologies
Most intruders belong in this category
Easy to defend
Why?
Journeymen: modifies and extends attack toolkits
Master: high-level technical skills
Capable of discovering new attacks
Understands underlying protocol used
Writes their own attacks and toolkits
Hardest to defend against
K. Chan: CSE435: Software Engineering

Calculating risk

How likely is a particular threat?
What is the chance that X will happen, and what is the consequence
f it?
If an event happens on regular basis, you can estimate based on

previous experiences.

K. Chan: CSE435: Software Engineering

SLIDE 13

11/26/19

K. Chan: CSE435: Software Engineering

13

Different kind of attacks you may consider as a developer

K. Chan: CSE435: Software Engineering

Denial of Service (DoS)

Attack on availability of a system
Deny legitimate user the ability to use a system or its resources
Distributed Denial of Service attack (DDoS)
K. Chan: CSE435: Software Engineering

SLIDE 14

11/26/19

K. Chan: CSE435: Software Engineering

14

Quick overview of how the web works

Very simplified
Your client connects to a “socket” of a server and that socket serves

you

Imagine a parking lot connected to a mall.
You can only access this mall after parking at the lot
Each parking spot (socket) serves one car (your computer) only
K. Chan: CSE435: Software Engineering

Simple Implementation

No fee or registration
Let anyone in when they show up at the gate
Only one car can pass through the gate at a time
K. Chan: CSE435: Software Engineering

SLIDE 15

11/26/19

K. Chan: CSE435: Software Engineering

15

in

ut

1 (reserved port) 2 3 … 65535 One server

K. Chan: CSE435: Software Engineering

Classic Ping of death attack (more info)

Spam ping traffic to the victim,

which affects the network performance.

Not very effective from one

computer

It will also cripple the attacking

device, since you also must send the packets.

Can use a botnet (a bunch of

compromised computers) to ping the same victim

Regular internet traffic is about 10kbps During DoS attack, this spikes to 32Mbps

K. Chan: CSE435: Software Engineering

SLIDE 16

11/26/19

K. Chan: CSE435: Software Engineering

16

1 2 … cars

K. Chan: CSE435: Software Engineering

Signatures

If a person generates a ticket that uses the same car model, year for

60,000 cars, it is probably not legit.

K. Chan: CSE435: Software Engineering

SLIDE 17

11/26/19

K. Chan: CSE435: Software Engineering

17

Naïve protocol

3 Way handshake
Client requests connection
Server response with a syn ack
Allocate resources for the client
Client response with an ack to ack

Client hello Server ack Client ack Connection established here

K. Chan: CSE435: Software Engineering

in

ut

1 (reserved port) 2 3 … 65535 One server

K. Chan: CSE435: Software Engineering

SLIDE 18

11/26/19

K. Chan: CSE435: Software Engineering

18

Naïve parking lot

Driver request ticket online
We reserve the parking space for them
Save details of car model, make and year
Driver shows up, inputs the ticket and enters the parking lot
They finish their business in the mall and leaves the lot (disconnect)
Their spot can then be reserved again for next car
K. Chan: CSE435: Software Engineering

Website attacks

Consume a web server’s entire capacity
New legit users are unable to establish a connection
Fairly common; you may have encountered one or will encounter one
Example: TCP syn attack (more info)
Recent DDoS attacks: Github2018, Wikipedia Sep 2019
Consequences?
Damage to reputation
What if this happened to online selling platform?
Consider if you are amazon, and this happens during black friday
K. Chan: CSE435: Software Engineering

SLIDE 19

11/26/19

K. Chan: CSE435: Software Engineering

19

TCP syn attack

Take ticket online
Parking lot reserves a spot for you
Never show up to claim the spot

Client hello Server ack Client ack Connection established here

K. Chan: CSE435: Software Engineering

How to defend against DoS attacks?

You cannot prevent these entirely!
High volumes of traffic may be completely legit
Think of traffic amazon.com. It may be that a bunch of users want to buy at

the same time (Cyber Monday, last minute holiday shopping)

How to minimize impact of DoS attacks
Defenses at multiple layer
TCP connections: use modified TCP connection code.
Use TCP syn cookies
Drop an entry for incomplete connection from TCP connection table when overflowing
Use of captcha
Use of mirrors and replicated servers
Disadvantage?
K. Chan: CSE435: Software Engineering

SLIDE 20

11/26/19

K. Chan: CSE435: Software Engineering

20

TCP syn cookie using parking lot

Driver takes a ticket, the information of the vehicle is embedded in

the ticket

Add some information that we want to the ticket
Spot is not reserved until the car arrives and enters the ticket to the

gate

If a car is idle for too long, kick it out
Again, this is simplified
K. Chan: CSE435: Software Engineering

Slow Loris

Another form of DoS attack
Send a little bit of data at a time
A legit client might have slow connection
Only uses very little bandwidth and processing power of attacker
Server loses ability to serve new clients
How do we defend against Slow Loris?

Picture Credit: Tilo Nadler

K. Chan: CSE435: Software Engineering

SLIDE 21

11/26/19

K. Chan: CSE435: Software Engineering

21

Dynamic servers

Idea came from an online multiplayer games
Hardware host made to account normal level of traffic
During peak time (when people get off work), dynamically spin up

more server on cloud

Server 1 … 1 65535 Cloud Server n … 1 Cloud Server 1 … 1 65535 Cloud Server 2 … 1 65535 …

K. Chan: CSE435: Software Engineering

Other resources if you are hosting your own website

https://www.cloudflare.com/
Or similar services who can provide you DDoS protection
If you host your own website as a small business, DDoS attacks can be

detrimental (since you have to pay for each packet sent to you)

K. Chan: CSE435: Software Engineering

SLIDE 22

11/26/19

K. Chan: CSE435: Software Engineering

22

Phishing

K. Chan: CSE435: Software Engineering

Phishing attacks

Social engineering attack
Aims to get users to compromise their own system
Very dangerous
We cannot patch this away
Masquerade as a trusted source (looks legit)
Uses psychology tricks
Time is running out, reset your password soon
Spear-phishing: email specifically crafted for a target
K. Chan: CSE435: Software Engineering

SLIDE 23

11/26/19

K. Chan: CSE435: Software Engineering

23

Source: Cameron Camp

K. Chan: CSE435: Software Engineering

How to defend?

Knowledge is essential
Check domain name of email (e.g. www.chasbank.com, no-

reply@bank.xyz.com)

If you do need to reset a password, go to the website directly and

reset it through their portal. Email links are dangerous!

If an email has a sense of urgency, proceed cautiously
Ex: “Update your payment information or your services will be terminated”
K. Chan: CSE435: Software Engineering

SLIDE 24

11/26/19

K. Chan: CSE435: Software Engineering

24

Passwords (Important!)

K. Chan: CSE435: Software Engineering

Passwords

Commonly used
User accounts must have an associated password with it
How do we store these in a database?
Plaintext?
Encrypted?
Key concept: developer never need to know a user’s password!
The following concept will attempt to deter an attack on your system

but may not completely defend against all attacks!

Entities with large resources and time can crack passwords
If I want to know a certain password, I can try all combination possible using

many computers

K. Chan: CSE435: Software Engineering

SLIDE 25

11/26/19

K. Chan: CSE435: Software Engineering

25

Standard approaches to storing passwords

1. Take the input and hash it.
A hash function takes any length input and converts it to a fixed length string that is

different for every input. (SHA256, SHA512)

Issue?
Some users use weak or common passwords
Attacker can precompute the hashed value of common passwords and compare with

compromised data

Rockyou.txt
2. Use a salt (random string)
To solve this, we append a “salt” of random strings to the user password, then hash

the concatenated string. We then store the password and salt next to each other

Each time the user enters their password, add the salt before you hash and compare
K. Chan: CSE435: Software Engineering

Cont.

3. Use a “pepper” (random string)
Similar concept to a salt, but the same string for the entire site
Aim to slow down attacker
K. Chan: CSE435: Software Engineering

SLIDE 26

11/26/19

K. Chan: CSE435: Software Engineering

26

Example

1. Input: password -> sha512(password)
B109F3BBBC244EB8244…
2. Salt and password: sha512(password + 103FD07)
AB8B060C7283E36D93E…
3. Salt and pepper: sha512(sha512(password+salt), pepper)
This is painful for an attacker to crack, especially if they are trying to execute a

broad comparison against a database of passwords

K. Chan: CSE435: Software Engineering

Example Table

ID Name Username Password Salt 1 Jon Doe doejo@ex.com NVSQY8ZBod… JLDq1RBXzN 2 Wolfgang Mozart wolfzart fgKotr16PM… jWTNN7kXhm 3 Johann Pachelbel jpach 0iJExGx74e… yO1HoxSdoK 4 Claude Debussy debussy Y4hAdMD6Mr… 7Xz4iH0XMP 5 … … … … Site pepper (Not stored in database): UW2vdTKmZN

K. Chan: CSE435: Software Engineering

SLIDE 27

11/26/19

K. Chan: CSE435: Software Engineering

27

From an attacker’s perspective

Let's consider the other perspective
If you want to obtain a password, how would you?
Phish
Try all common passwords
Eavesdropping
Try all possible combinations
K. Chan: CSE435: Software Engineering

How to secure your own passwords

Do not use the same password for multiple sites
If one site is compromised, the next one is too
Some sites may store passwords in plaintext (there is no federal regulations)
Do not use simple or common passwords
Try to find it in rockyou.txt
Use: passphrases
myFavoriteBookIsGreatGatsby!
K. Chan: CSE435: Software Engineering

SLIDE 28

11/26/19

K. Chan: CSE435: Software Engineering

28

Password inputs

K. Chan: CSE435: Software Engineering

SQL injection attacks (SQLi)

One of the most dangerous form of attacks
As of 2017, 51% of cyber attacks on web apps are from SQLi
https://www.akamai.com/de/de/multimedia/documents/state-of-the-

internet/q2-2017-state-of-the-internet-security-report.pdf

User enters code into the input boxes
Server takes the input and runs it
Damages: unauthorized login, unauthorized changes to table, drop

tables…

Code …. TakeUserInputDirectly…Code
K. Chan: CSE435: Software Engineering

SLIDE 29

11/26/19

K. Chan: CSE435: Software Engineering

29

Example

Use of Tautology (make condition always equal to true)
Input password as 1’ OR ‘1’ = ‘1
Use of comment mark “--”
Subsequent code (password check) ignored
https://www.w3schools.com/sql/trysql.asp?filename=trysql_comment_single_2
Piggyback queries
Insert SQL code after input
userPassword+;+ DROP table…
SELECT * FROM USERS WHERE ….. ; DROP TABLE USERS; --…..
Examples taken from Dr. Scott Tu
K. Chan: CSE435: Software Engineering

Relevant xkcd

https://xkcd.com/327/

K. Chan: CSE435: Software Engineering

SLIDE 30

11/26/19

K. Chan: CSE435: Software Engineering

30

Defenses against SQLi

ALL INPUTS ARE EVIL!!
Sanitize input (a function provided by php)
Strips out any comment marks and quotations
Make sure that input conforms to expected input
Parameterized inputs
“prepare statements”: SELECT FROM ?
Placeholders are used for parameters and values are supplied at execution

times

Take these as “plaintext” and do not run anything that resembles commands
“Preattack” your system
K. Chan: CSE435: Software Engineering

Other things that you may encounter

Red team vs blue team
Red team is the “adversary”
They attempt to break into the system
Penetration Testers
Identifies weakness in a system (might be the company)
Could be a person disguised as IT support to see if employees will fall for it
Ethical hackers
K. Chan: CSE435: Software Engineering

SLIDE 31

11/26/19

K. Chan: CSE435: Software Engineering

31

Confidentiality and Integrity

K. Chan: CSE435: Software Engineering

Confidentiality

We do not want a third party listening to our communications
Bank password?
Example: wireshark
K. Chan: CSE435: Software Engineering

SLIDE 32

11/26/19

K. Chan: CSE435: Software Engineering

32

K. Chan: CSE435: Software Engineering

Communication between Alice and Bob

Alice Bob Let’s meet for coffee tomorrow at 7 Eve

K. Chan: CSE435: Software Engineering

SLIDE 33

11/26/19

K. Chan: CSE435: Software Engineering

33

Alice Bob Plaintext M

Encryption Algorithm

Ciphertext C

Decryption Algorithm

Plaintext M

K. Chan: CSE435: Software Engineering

Encryption

Caesar cipher: earliest and simplest cipher (more info)
Shift each character by a fixed number n.
If n = 5
Attack at dawn -> fyyfhp fy ifbs
Strength?
Weak
Attacker only needs to try 26 combinations to obtain the plaintext message.
K. Chan: CSE435: Software Engineering

SLIDE 34

11/26/19

K. Chan: CSE435: Software Engineering

34

Encryption used today

Based on mathematics
Typically uses a “Classic Feistel Network”
Uses substitution and transposition
Substitution: replace x with y
Transposition: switch bits around
K. Chan: CSE435: Software Engineering

Disclaimer!

Do not try to implement your own encryption algorithm!
You will probably do it wrong or leave security flaws behind
Use existing ones
K. Chan: CSE435: Software Engineering

SLIDE 35

11/26/19

K. Chan: CSE435: Software Engineering

35

Symmetric vs Asymmetric

Symmetric encryption uses the same key to encrypt and decrypt
Ex: DES, 3DES, AES
Asymmetric encryption uses private key and public key
Encrypting with private key means only public key can decrypt
Encrypting with public key means only private key can decrypt
User keeps private key private, public key can be sent to anyone
What's the point of encrypting with private key?
Ex: RSA
K. Chan: CSE435: Software Engineering

Symmetric encryption

Alice Bob Plaintext M

AES encrypt

Ciphertext C

AES decrypt

Plaintext M Key A Key A

K. Chan: CSE435: Software Engineering

SLIDE 36

11/26/19

K. Chan: CSE435: Software Engineering

36

Asymmetric encryption

Alice Bob Plaintext M

RSA encrypt

Ciphertext C

RSA decrypt

Plaintext M Bob’ s Public Key Bob’ s Private Key

K. Chan: CSE435: Software Engineering

Block Ciphers

Chop messages into blocks of fixed size
Run encryption algorithms on these blocks
Permutate the key so we use a different one per block
How?
Hash(key + 1), Hash(key + 2)…
K. Chan: CSE435: Software Engineering

SLIDE 37

11/26/19

K. Chan: CSE435: Software Engineering

37

Symmetric encryption: DES (more info)

Data Encryption Standard
Key length: 56bits
16 rounds
Developed in early 1970s
Uses the Feistel function to permutate and add key half block at a

time

Insecure since the key is short.
Proven in 1998, key can be discovered in 56 hours.
Used in WEP and WPA wifi encryption (do not use these)
K. Chan: CSE435: Software Engineering

Source: Matt Crypto

K. Chan: CSE435: Software Engineering

SLIDE 38

11/26/19

K. Chan: CSE435: Software Engineering

38

How do we address weaknesses of DES?

Hardware is made for DES, expensive to replace.
Solution: 3DES
Encryption: C = Encrypt(K3, Decrypt(K2, Encrypt(K1, Plaintext)))
Decryption: P = Decrypt(K1, Encrypt(K2, Decrypt(K3, Ciphertext)))
Variable key length of 168, 112, 56 bits
Why Encrypt -> Decrypt -> Encrypt?
K. Chan: CSE435: Software Engineering

Symmetric encryption: AES (more info)

3DES is not a permanent solution
Advanced Encryption Standard aka Rijndael
Replaced DES (2001)
Input block size: 128, 192 or 256 bits
10, 12 and 14 rounds respectively
Most popular form of symmetric encryption
Used for WPA2
K. Chan: CSE435: Software Engineering

SLIDE 39

11/26/19

K. Chan: CSE435: Software Engineering

39

Each round of AES (Very simplified)

1. Substitution: Replace each data with respect to a table (S-box)
2. Shift rows: Perform circular shift on each row
3. Mix Column: Use of Galois finite field multiplication
4. Add round key: XOR with the key

https://www.commonlounge.com/discussion/e32fdd267aaa4240a446 4723bc74d0a5

K. Chan: CSE435: Software Engineering

Img from stalling and brown textbook

K. Chan: CSE435: Software Engineering

SLIDE 40

11/26/19

K. Chan: CSE435: Software Engineering

40

Asymmetric encryption: RSA (more info)

Rivest, Shamir, and Adleman MIT in 1977
Best known and widely used public key algorithm
Uses private and public keys
Security relies on difficulty of factoring a prime
K. Chan: CSE435: Software Engineering

How to generate keys

1. Select two primes p and q, say 17 and 11
2. Calculate p * q = 17 * 11 = 187
3. Calculate φ(n) = (p-1)*(q-1) [Euler’s product formula] = 16 * 10 = 160
4. Select public key e such that e is relatively prime to φ(n) and less than

φ(n). We choose e = 7

5. Determine private key d such that d*e mod φ(n) = 1. d = 23
23*7 = 161

Example from Dr. Scott T u

K. Chan: CSE435: Software Engineering

SLIDE 41

11/26/19

K. Chan: CSE435: Software Engineering

41

RSA Factoring Challenge

Suppose attacker have public key and encrypted message C
To decrypt C, they must infer private key d
To do so, they must calculate d = (k * φ(n) + 1) / e
Must try every possible combination
Calculating φ(n) is in NP
We use extremely large prime numbers for d and e
K. Chan: CSE435: Software Engineering

Which encryption scheme should you use?

You generally want to use RSA or AES
Other concepts related to keys if you are interested
Transport Layer Security (TLS)
https
Diffie Hellman Key Exchange
K. Chan: CSE435: Software Engineering

SLIDE 42

11/26/19

K. Chan: CSE435: Software Engineering

42

Malware

K. Chan: CSE435: Software Engineering

Definition from [NISTIR 7298]

A program that is inserted into a system, usually covertly, with the

intent of compromising the Confidentiality, Integrity, or Availability of the victim’s data, apps, OS or otherwise annoying/disruptive.

K. Chan: CSE435: Software Engineering

SLIDE 43

11/26/19

K. Chan: CSE435: Software Engineering

43

Virus

Infects programs (usually executables)
Needs a host to infect
When attached to an executable (.exe file), a virus can do anything

that the program can do

OS specific!
How to defend against this type of attack?
Use of antivirus, they can look for know virus signatures
K. Chan: CSE435: Software Engineering

Worms

Similar to virus, spreads through network connection, email…
STANDALONE PROGRAM
Actively seeks out more hosts to infect and each infected machine

serves as a platform to launch further attacks.

Examples:
ILOVEYOU (2000s)
Conflicker worm (2008)
Wannacry (2017)
Petya (2016)
K. Chan: CSE435: Software Engineering

SLIDE 44

11/26/19

K. Chan: CSE435: Software Engineering

44

Morris Worm

Written by Robert Morris to highlight security flaws of the internet
Was not meant to be an actual attack
Worm infects same computer multiple times, causing a fork bomb
Resulting in a denial of service attack
Spread through the US and took down the entire internet
Fun trivia: “The Worm Before Christmas”
K. Chan: CSE435: Software Engineering

Bots

Usually created from a worm
A compromised computer
Botnet: a network of compromised computers
Attack can send commands to them
Example: conflicker worm
Infects a computer
Computer then takes commands from some central location
10,500,000+ infected (source)
K. Chan: CSE435: Software Engineering

SLIDE 45

11/26/19

K. Chan: CSE435: Software Engineering

45

Key takeaways

Security should be considered as an integral part of your system
It should be a part of your design document
Do not wait until you have been compromised
Stay vigilant and look out for possible attacks
Expect the unexpected!
We design programs for the majority of user. This is totally valid
But the “edge cases” is often a vulnerability
Know how to store passwords
What is the difference between a salt and pepper?
Why do we use salt and pepper?
K. Chan: CSE435: Software Engineering

Key takeaways (cont.)

ALL INPUTS ARE EVIL!
Username: you expect user to type in legit usernames
True for most of the time
But SQL injection attacks rely on inputting different inputs
Know what SQLi attacks are and how to prevent them!
This is important, you can get in legal trouble if software you wrote is left

vulnerable to attacks.

What does encrypting a message with a private key ensure?
Encrypting with a public key?
If you need to use encryption, AES and RSA are the current standards
K. Chan: CSE435: Software Engineering