understanding security mistakes developers make
play

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative - PowerPoint PPT Presentation

Feb 16, 2023 •256 likes •611 views

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix It Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks University of Maryland MANY REAL VULNERABILITIES

  1. UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix It Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks University of Maryland

  2. MANY REAL VULNERABILITIES ARISE FROM “SOLVED” PROBLEMS 2500 • Buffer overflows 2000 • SQL injection 1500 • Bad randomness https://nvd.nist.gov/vuln/search 1000 • Static keys 500 0 1997 2000 2003 2006 2009 2012 2015 2018 Total Occurences of CWE 119 (Buffer Errors)

  3. From Reaves et al., “Mo(bile) Money, Mo(bile) Problems,” USENIX 2015.

  5. “ … hackers found that the most sensitive parts of the system are signed and encrypted solely using a key that's embedded on the device itself, rather than with the aid of a private key held exclusively by Sony.”

  6. Why are developers How can we make secure stupid or lazy? programming easier?

  7. SOME POSSIBLE SOLUTIONS • Better languages • Static, dynamic analysis tools • Better APIs • Threat modeling / design • Better documentation • Open source, bug bounties • More education • Etc. But how to prioritize, improve effectiveness?

  8. We need to understand causes and prevalence of vulnerabilities. But measuring this is hard.

  9. 1. Field studies 2. Field measures (CVEs, etc.) 3. Lab studies http://s3files.core77.com/blog/images/519972_34481_56003_00AM57OgX.jpg

  10. 1. Field studies 2. Field measures (CVEs, etc.) 3. Lab studies http://s3files.core77.com/blog/images/519972_34481_56003_00AM57OgX.jpg

  11. 1. Field studies 2. Field measures (CVEs, etc.) 3. Lab studies http://media.istockphoto.com/vectors/chemistry-experiment-laboratory-drawing-vector-id514323963

  12. BUILD IT, BREAK IT, FIX IT Break it Fix it Build it • Secure development contest • Build to spec • Then break other teams • Incentive design is important! Ruef et al., CCS 2016

  13. BUILDERS BREAKERS Make it performant Prefer security to correctness Make it secure Attack breadth of submissions Find unique vulnerabilities

  14. More control than field studies. More realistic than lab studies. Result: Rich data about vulnerability introduction.

  15. SECURE LOG PROBLEM Event Log Event Log Event Log Event Log log : Time Time User User Action Action Where Where Time Time User User Action Action Where Where 8:00 AM Bob Enter Gallery 8:00 AM 8:00 AM Bob Bob Enter Enter Gallery Gallery 8:01 AM 8:01 AM Alice Alice Enter Enter Office Office 8:15 AM Alice Exit Office X ./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log ./logappend –T 0801 –K XDFLKJSLJDLJFLKJLSDF –E Alice -A –R Office log ./logappend –T 0815 –K XDFLKJSLJDLJFLKJLSDF –E Alice -L –R Office log ./logread –K key –R –E Alice log Office

  16. SECURE COMMUNICATIONS PROBLEM https://cdn.onlinewebfonts.com/svg/img_449093.png http://cdn.onlinewebfonts.com/svg/img_456116.png ./atm –s auth –c card –a bob –n 1000 ./bank –s auth ./atm –s auth –c card –a bob –d 50 bob balance: 1000 1050 450 ./atm –s auth –c card –a bob –w 600 card : DFLLKSDF auth : XDFLKJSLJDLJFLKJLSDF

  17. https://www.shareicon.net/download/2015/08/14/85119_database_512x512.png SECURE DATA SERVER PROBLEM as principal admin password "admin" do create principal alice "alices_password" set msg = "Hi Alice. Good luck in Build it, Break it, Fix it!" set delegation msg admin read -> alice return "success" *** as principal alice password ”alices_password" do return msg *** as principal bob password ”bobs_password" do return msg ***

  18. ANALYSIS APPROACH • Examine each project and each vulnerability in detail • Breaker-identified and researcher-identified • Iterative open and axial coding • T wo independent coders; high reliability • 76 projects, more than 800 vulnerabilities • Qual and quant analysis on resulting categories

  19. VULNERABILITIES PROJECTS Vuln type Modularity Severity Comments Chained Meaningful var. names Discovery difficulty Minimal trust Exploit difficulty Economy of mechanism

  20. Vulnerability classes No implementation Misunderstanding Mistake ... ... ... Conceptual Obvious Implicit Bad choice error ... ... ... ... ... ... ... ... ...

  21. RESULTS

  22. Projects (of 76) that introduced … PREVALENCE Non-attempts Obvious Non-attempts >> mistakes Misunderstandings >> mistakes Implicit Implicit >> obvious Misunderstandings Bad choice Concept errors >> bad choices Concept error Mistake 0 10 20 30 40 # of projects

  23. COMPARING PROBLEMS • Mistakes most common for secure server, then ATM (problem complexity) • Implicit issues, concept errors in the ATM problem (lots of unstated requirements, lots of moving parts) • Bad choices in the secure log problem (why?)

  24. Vulnerability classes Obvious No implementation Misunderstanding Mistake • No encryption (log, ATM) • No access control (server) ... ... ... Implicit Bad Conceptual • Side channels Obvious Implicit algorithm error • No MAC • No nonce • No checking delegation chain (server) ... ... ... ... ... ... ... ... ...

  25. Vulnerability classes No implementation Misunderstanding Mistake • Weak encryption algo (e.g., WEP) • Unkeyed function • strcpy ... ... ... Conceptual Obvious Implicit Bad choice error ... ... ... ... ... ... ... ... ...

  26. Vulnerability classes No implementation Misunderstanding Mistake • Subset of necessary • MAC only per line • MAC of key instead of log data • TLS w/o client authentication (ATM) ... ... ... Conceptual Obvious Implicit Bad choice error ... ... ... ... ... ... ... ... ...

  27. Vulnerability classes No implementation Misunderstanding Mistake • Misuse of library/API • Access control library can’t handle loops in delegation list • Used SQLCipher but turn off ... ... ... automated MAC Conceptual Obvious Implicit Bad choice error ... ... ... ... ... ... ... ... ...

  28. Vulnerability classes No implementation Misunderstanding Mistake • Fixed instead of random • Hardcode key, IV, password ... ... ... Conceptual Obvious Implicit Bad choice error ... ... ... ... ... ... ... ... ...

  29. Stack Overflow plus bad documentation assumptions … oops.

  30. Vulnerability classes No implementation Misunderstanding Mistake • Fixed instead of random • Hardcode key, IV, password • Insufficient randomness ... ... ... • Nonce overflow Conceptual Obvious Implicit Bad choice • IV counts up error • Nonce timestamp window too large ... ... ... ... ... ... ... ... ...

  31. Vulnerability classes • Bad NOT in nested conditionals No implementation Misunderstanding Mistake • Uncaught exception on replay • Ignore error from wrong nonce • Null pointer issues ... ... ... Conceptual Obvious Implicit Bad choice error ... ... ... ... ... ... ... ... ...

  32. THINKING ABOUT SOLUTIONS • Improve abstraction levels in APIs • Semantic primitives • Improve documentation • Clarify what you can(not) copy/paste • No mysterious error messages • Tools and automation • Wizards, API misuse detection, semantic analysis

  33. MORE ANALYSIS COMING SOON! • Relating features (modularity, comment quality, language used, etc.) to vulnerability types and quantities • Factors related to likelihood of vulnerability being found • Insight into contest incentives/improvements

  34. Understanding developer errors is hard; BIBIFI is one useful design point. Vulnerabilities arise from nuanced security properties. Abstractions and documentation matter (and not just in lab studies). Consider joining our participant panel! https://ter.ps/SecPros Michelle Mazurek mmazurek@umd.edu University of Maryland This research supported in part by NSF, NIST, and Google.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis From Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis From Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis From Build It, Break It, Fix It Daniel Votipka , Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks University of Maryland, College Park 1 SOLVED

1.64k views • 148 slides
Make Cheaper Mistakes Anna Marie Clifton Product Manager, Yammer Clearly Product podcast

Make Cheaper Mistakes Anna Marie Clifton Product Manager, Yammer Clearly Product podcast

Make Cheaper Mistakes Anna Marie Clifton Product Manager, Yammer Clearly Product podcast @TweetAnnaMarie We make mistakes Make better, faster, cheaper mistakes An incredibly expensive Yammer mistake A whole new Android App A

1.34k views • 72 slides
Lessons Learned from the War for the Ground in San Francisco " make honest mistakes ... talk

Lessons Learned from the War for the Ground in San Francisco " make honest mistakes ... talk

Lessons Learned from the War for the Ground in San Francisco " make honest mistakes ... talk about those mistakes openly and share what was done to correct those mistakes with other[s]" Froward, Handbook , "Establishing a Lesson

585 views • 30 slides
My Top 10 Mistakes On The Way From $0 to $100m ARR (Really, First $20m ARR) Dont Make Them.

My Top 10 Mistakes On The Way From $0 to $100m ARR (Really, First $20m ARR) Dont Make Them.

My Top 10 Mistakes On The Way From $0 to $100m ARR (Really, First $20m ARR) Dont Make Them. Youll Grow Even Faster. Jason M. Lemkin SaaStr Managing Director, Storm VenturesSaaStr w/ Nicolas Dessaigne Founder/CEO EchoSign/Adobe;

463 views • 24 slides
Should I Protect You? Understanding Developers Behavior to Privacy-Preserving APIs Shubham

Should I Protect You? Understanding Developers Behavior to Privacy-Preserving APIs Shubham

Should I Protect You? Understanding Developers Behavior to Privacy-Preserving APIs Shubham Jain and Janne Lindqvist Department of Electrical and Computer Engineering Rutgers University Workshop on Usable Security (USEC14) February 23,

230 views • 21 slides
ANOVA There are only two mistakes one can make along the road to truth; not going all the

ANOVA There are only two mistakes one can make along the road to truth; not going all the

Cohen Chapter 16 (Two-Way) Mixed ANOVA There are only two mistakes one can make along the road to truth; not going all the way, and not starting. Buddha Dr. Professor is interested in determining whether the average man wants to

715 views • 9 slides
Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy cornerstones Need to

582 views • 37 slides
Smartphones Can Make Anyone Look Stupid Kevin D. Murray, CPP , CISM, CFE, MPSC Simple Mistakes

Smartphones Can Make Anyone Look Stupid Kevin D. Murray, CPP , CISM, CFE, MPSC Simple Mistakes

Smartphones Can Make Anyone Look Stupid Kevin D. Murray, CPP , CISM, CFE, MPSC Simple Mistakes Drownings Spyware Photos Backups The Lost Phone Trick Simple Phone / Tablet Mistakes Applying weird do-it-yourself hacks. Not properly cleaning

636 views • 29 slides
Mat Maths hs! We take our time for deeper understanding. We are learning ng to be math

Mat Maths hs! We take our time for deeper understanding. We are learning ng to be math

Swindon Village Primary School We have a go. We make mistakes and learn from them. We ask questions. Le Lear arni ning ng fr from om We think about what we are doing. We talk about what we are doing. each ea h ot othe

428 views • 30 slides
It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy

It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy

It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy Vaillancourt-Sals amy@thinkshout.com @AmyVSHorn Why Hire Junior Devs? Challenging to find senior developers Cost benefits Productivity

1.03k views • 34 slides
It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy

It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy

It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy Vaillancourt-Sals amy@thinkshout.com @AmyVSHorn Why Hire Junior Devs? Challenging to find senior developers Cost benefits Productivity

671 views • 31 slides
Success does not consist in never making mistakes but in never making the same one a second time.

Success does not consist in never making mistakes but in never making the same one a second time.

Success does not consist in never making mistakes but in never making the same one a second time. George Bernard Shaw Repeat offenders make mistakes by NOT: Utilising key learnings from Yr. 11 Mapping assessment schedules Linking

530 views • 23 slides
Dont Make These Common Job Search Mistakes macslist . org | # Macs_List | @Mac_Prichard

Dont Make These Common Job Search Mistakes macslist . org | # Macs_List | @Mac_Prichard

Dont Make These Common Job Search Mistakes macslist . org | # Macs_List | @Mac_Prichard macslist . org | @Macs_List | @Mac_Prichard Todays Agenda How to Land a Four job hunting mistakes to avoid My first job search How to find

642 views • 21 slides
Why do we make mistakes in morphological diagnosis how can we improve? Michelle Brereton

Why do we make mistakes in morphological diagnosis how can we improve? Michelle Brereton

Why do we make mistakes in morphological diagnosis how can we improve? Michelle Brereton & John Burthem Manchester, UK UK NEQAS(H) DM scheme 1. Select up to 5 significant morphological features from a defined list 2. Place these in

901 views • 42 slides
grow...... May they see me as patient and understanding, for then they will be more willing to

grow...... May they see me as patient and understanding, for then they will be more willing to

"May the Children in My Care" a poem by Genie Graveline May the children in my care learn so much more from me than what is contained in books...... May I teach them by example that it's all right to make mistakes, for that is how we

497 views • 17 slides
Java One 2015 Deep Dive T op Performance Mistakes And other Tips & T ricks to make you

Java One 2015 Deep Dive T op Performance Mistakes And other Tips & T ricks to make you

Java One 2015 Deep Dive T op Performance Mistakes And other Tips & T ricks to make you a Performance Expert More on http://blog.dynatrace.com Andreas Grabner - @grabnerandi Safe Harbor AND MANY MORE 0.01ms 0.02ms 15

1.01k views • 78 slides
Update July 21, 2020 Safe Harbor Statement This presentation contains forward-looking

Update July 21, 2020 Safe Harbor Statement This presentation contains forward-looking

IW-3718 Program Update July 21, 2020 Safe Harbor Statement This presentation contains forward-looking statements. Investors are cautioned not to place undue reliance on these forward-looking statements, including statements our plans to stop

418 views • 10 slides
Gallbladder & Bile Ducts Anatomy Biliary Disease and Pancreatitis Mr Panagiotis Georgiou MD,

Gallbladder & Bile Ducts Anatomy Biliary Disease and Pancreatitis Mr Panagiotis Georgiou MD,

29/01/2013 Gallbladder & Bile Ducts Anatomy Biliary Disease and Pancreatitis Mr Panagiotis Georgiou MD, MRCS Academic Clinical Fellow in General Surgery Date: 29/01/2013 Physiology Congenital Abnormalities Bile Salts Liver

78 views • 7 slides
Gallstone Diseases Stephen Chang Associate Professor, National University of Singapore Lead,

Gallstone Diseases Stephen Chang Associate Professor, National University of Singapore Lead,

Gallstone Diseases Stephen Chang Associate Professor, National University of Singapore Lead, Snr Consultant Liver Tumor Group, National University Cancer Institute Singapore Division of Hepatopancreatobiliary Surgery and Liver Transplant

1.01k views • 51 slides
2013 1 C. In testing for DILI in vivo it is common to monitor blood for an aminotransferase

2013 1 C. In testing for DILI in vivo it is common to monitor blood for an aminotransferase

20.201 Review of Q2 2013 1 C. In testing for DILI in vivo it is common to monitor blood for an aminotransferase (e.g. ALT, AST, etc.), but this fails when the drug causes cholestasis, and testing for alkaline phosphatase is the preferred

532 views • 14 slides
Overview of Outcomes Research Methods for Imagers Stella Kang, MD, MSc Director, Comparative

Overview of Outcomes Research Methods for Imagers Stella Kang, MD, MSc Director, Comparative

Overview of Outcomes Research Methods for Imagers Stella Kang, MD, MSc Director, Comparative Effectiveness & Outcomes Research Assistant Professor Department of Radiology Department of Population Health NYU Langone Health What are we

1.08k views • 45 slides
The Use of BDDCS in Drug Development: The Observations, The Predictions, Understanding the

The Use of BDDCS in Drug Development: The Observations, The Predictions, Understanding the

The Use of BDDCS in Drug Development: The Observations, The Predictions, Understanding the Scientific Basis and The Extensions Leslie Z. Benet, PhD Professor of Bioengineering and Therapeutic Sciences Schools of Pharmacy and Medicine

921 views • 64 slides
The Greatness of God Examining Gods CV The difficulties of making sense of tangled ideas

The Greatness of God Examining Gods CV The difficulties of making sense of tangled ideas

The Greatness of God Examining Gods CV The difficulties of making sense of tangled ideas Drawing metaphors and analogies can help make sense of difficult material PPARs play essential roles in the regulation of cellular

753 views • 74 slides
GI Tumor Board Alan Venook George Fisher 62yo F without significant PMH presents w/RLQ

GI Tumor Board Alan Venook George Fisher 62yo F without significant PMH presents w/RLQ

3/7/2017 17 th Multidisciplinary Management of Cancers: A Case based Approach Case #1 GI Tumor Board Alan Venook George Fisher 62yo F without significant PMH presents w/RLQ abdominal pain. Carling Ursem Zach Koontz CT: asymmetric wall

430 views • 19 slides

More recommend