UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative - - PowerPoint PPT Presentation

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE

Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks

Qualitative Analysis From Build It, Break It, Fix It

University of Maryland, College Park

1

“SOLVED” VULNERABILITIES ARE STILL A VERY REAL PROBLEM

2

“SOLVED” VULNERABILITIES ARE STILL A VERY REAL PROBLEM

2

“SOLVED” VULNERABILITIES ARE STILL A VERY REAL PROBLEM

2

“SOLVED” VULNERABILITIES ARE STILL A VERY REAL PROBLEM

2

“SOLVED” VULNERABILITIES ARE STILL A VERY REAL PROBLEM

2

3

“rolling its own crypto rather than relying on tried and tested solutions…. The devices were sending hardcoded encryption keys

• ver the network, and were using a fixed

initialization vector… Moreover, the devices didn’t include any message signing”

3

“rolling its own crypto rather than relying on tried and tested solutions…. The devices were sending hardcoded encryption keys

• ver the network, and were using a fixed

initialization vector… Moreover, the devices didn’t include any message signing”

3

“rolling its own crypto rather than relying on tried and tested solutions…. The devices were sending hardcoded encryption keys

• ver the network, and were using a fixed

initialization vector… Moreover, the devices didn’t include any message signing”

3

“rolling its own crypto rather than relying on tried and tested solutions…. The devices were sending hardcoded encryption keys

• ver the network, and were using a fixed

initialization vector… Moreover, the devices didn’t include any message signing”

3

“rolling its own crypto rather than relying on tried and tested solutions…. The devices were sending hardcoded encryption keys

• ver the network, and were using a fixed

initialization vector… Moreover, the devices didn’t include any message signing”

3

“SBI's Mumbai-based data center had a server without password protection”

4

5

Why do developers continue to make stupid and lazy mistakes?

6

Why do developers continue to make stupid and lazy mistakes?

7

Why do developers continue to make stupid and lazy mistakes? How can we make secure programming easier?

8

POSSIBLE SOLUTIONS

9

POSSIBLE SOLUTIONS

More/Better Education

9

POSSIBLE SOLUTIONS

More/Better Education Better APIs

9

POSSIBLE SOLUTIONS

More/Better Education Better APIs Better documentation

9

POSSIBLE SOLUTIONS

More/Better Education Better APIs Better documentation Automation

9

POSSIBLE SOLUTIONS

More/Better Education Better APIs Better documentation Automation Etc

9

POSSIBLE SOLUTIONS

More/Better Education Better APIs Better documentation Automation Etc

How can we improve the effectiveness of these solutions?

9

IN ORDER TO IMPROVE THESE SOLUTIONS, WE NEED TO UNDERSTAND THE TYPES, CAUSES, AND PERVASIVENESS OF VULNERABILITIES.

10

HOW CAN WE MEASURE THIS?

Field studies Field surveys Lab studies

11

FIELD STUDIES

Immerse ourselves in the “real world” to observe and collect data

12

FIELD STUDIES

Immerse ourselves in the “real world” to observe and collect data Pros:

12

FIELD STUDIES

Immerse ourselves in the “real world” to observe and collect data Pros: We can see what happens in the real world

12

FIELD STUDIES

Immerse ourselves in the “real world” to observe and collect data Pros: We can see what happens in the real world Cons:

12

FIELD STUDIES

Immerse ourselves in the “real world” to observe and collect data Pros: We can see what happens in the real world Cons: Hard to get access to

12

FIELD STUDIES

Immerse ourselves in the “real world” to observe and collect data Pros: We can see what happens in the real world Cons: Hard to get access to Hard to generalize site specific data

12

FIELD SURVEYS

CVEs, GitHub, etc

13

FIELD SURVEYS

CVEs, GitHub, etc Pros:

13

FIELD SURVEYS

CVEs, GitHub, etc Pros: Large datasets publicly available

13

FIELD SURVEYS

CVEs, GitHub, etc Pros: Large datasets publicly available Data is already categorized

13

FIELD SURVEYS

CVEs, GitHub, etc Pros: Large datasets publicly available Data is already categorized Cons:

13

FIELD SURVEYS

CVEs, GitHub, etc Pros: Large datasets publicly available Data is already categorized Cons: Hard to understand why

13

FIELD SURVEYS

CVEs, GitHub, etc Pros: Large datasets publicly available Data is already categorized Cons: Hard to understand why Hard to compare possibly unrelated data

13

LAB STUDIES

Have people participate in a controlled experiment

14

LAB STUDIES

Have people participate in a controlled experiment Pros:

14

LAB STUDIES

Have people participate in a controlled experiment Pros: A lot of control over conditions

14

LAB STUDIES

Have people participate in a controlled experiment Pros: A lot of control over conditions Cons:

14

LAB STUDIES

Have people participate in a controlled experiment Pros: A lot of control over conditions Cons: Ecological validity

14

LAB STUDIES

Have people participate in a controlled experiment Pros: A lot of control over conditions Cons: Ecological validity Potentially simple problems

14

BUILD IT, BREAK IT, FIX IT

Secure programming contest

Ruef et al. , CCS 2016

15

BUILD IT, BREAK IT, FIX IT

Secure programming contest Build-It Phase

Ruef et al. , CCS 2016

15

BUILD IT, BREAK IT, FIX IT

Secure programming contest Build-It Phase 2 weeks

Ruef et al. , CCS 2016

15

BUILD IT, BREAK IT, FIX IT

Secure programming contest Build-It Phase 2 weeks Develop to spec with open choices

Ruef et al. , CCS 2016

15

BUILD IT, BREAK IT, FIX IT

Secure programming contest Build-It Phase 2 weeks Develop to spec with open choices Incentivized:

Ruef et al. , CCS 2016

15

BUILD IT, BREAK IT, FIX IT

Secure programming contest Build-It Phase 2 weeks Develop to spec with open choices Incentivized: Make it performant

Ruef et al. , CCS 2016

15

BUILD IT, BREAK IT, FIX IT

Secure programming contest Build-It Phase 2 weeks Develop to spec with open choices Incentivized: Make it performant Make it secure

Ruef et al. , CCS 2016

15

BUILD IT, BREAK IT, FIX IT

Break-It Phase

Ruef et al. , CCS 2016

16

BUILD IT, BREAK IT, FIX IT

Break-It Phase Get other teams’ source code

Ruef et al. , CCS 2016

16

BUILD IT, BREAK IT, FIX IT

Break-It Phase Get other teams’ source code Attack breadth of submissions

Ruef et al. , CCS 2016

16

BUILD IT, BREAK IT, FIX IT

Break-It Phase Get other teams’ source code Attack breadth of submissions Find unique vulnerabilities

Ruef et al. , CCS 2016

16

BUILD IT, BREAK IT, FIX IT

Break-It Phase Get other teams’ source code Attack breadth of submissions Find unique vulnerabilities Prioritize security bugs over correctness

Ruef et al. , CCS 2016

16

BUILD IT, BREAK IT, FIX IT

Break-It Phase Get other teams’ source code Attack breadth of submissions Find unique vulnerabilities Prioritize security bugs over correctness Fix-It Phase

Ruef et al. , CCS 2016

16

BUILD IT, BREAK IT, FIX IT

Break-It Phase Get other teams’ source code Attack breadth of submissions Find unique vulnerabilities Prioritize security bugs over correctness Fix-It Phase Make fixes and get points back

Ruef et al. , CCS 2016

16

SECURE LOG PROBLEM

log:

Event Log Time User Action Where 17

SECURE LOG PROBLEM

./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log

log:

Event Log Time User Action Where 17

SECURE LOG PROBLEM

./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log

log:

Event Log Time User Action Where 8:00 AM Bob Enter Gallery Event Log Time User Action Where 17

SECURE LOG PROBLEM

./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log ./logappend –T 0801 –K XDFLKJSLJDLJFLKJLSDF –E Alice -A –R Office log

log:

Event Log Time User Action Where 8:00 AM Bob Enter Gallery Event Log Time User Action Where 17

SECURE LOG PROBLEM

./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log ./logappend –T 0801 –K XDFLKJSLJDLJFLKJLSDF –E Alice -A –R Office log

log:

Event Log Time User Action Where 8:00 AM Bob Enter Gallery 8:01 AM Alice Enter Office Event Log Time User Action Where 8:00 AM Bob Enter Gallery Event Log Time User Action Where 17

SECURE LOG PROBLEM

./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log ./logappend –T 0801 –K XDFLKJSLJDLJFLKJLSDF –E Alice -A –R Office log

log:

./logread –K XDFLKJSLJDLJFLKJLSDF –R –E Alice log

Event Log Time User Action Where 8:00 AM Bob Enter Gallery 8:01 AM Alice Enter Office Event Log Time User Action Where 8:00 AM Bob Enter Gallery Event Log Time User Action Where 17

SECURE LOG PROBLEM

./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log ./logappend –T 0801 –K XDFLKJSLJDLJFLKJLSDF –E Alice -A –R Office log

log:

./logread –K XDFLKJSLJDLJFLKJLSDF –R –E Alice log Office

Event Log Time User Action Where 8:00 AM Bob Enter Gallery 8:01 AM Alice Enter Office Event Log Time User Action Where 8:00 AM Bob Enter Gallery Event Log Time User Action Where 17

SECURE LOG PROBLEM

./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log ./logappend –T 0801 –K XDFLKJSLJDLJFLKJLSDF –E Alice -A –R Office log

log:

./logread –K XDFLKJSLJDLJFLKJLSDF –R –E Alice log Office

Event Log Time User Action Where 8:00 AM Bob Enter Gallery 8:01 AM Alice Enter Office Event Log Time User Action Where 8:00 AM Bob Enter Gallery Event Log Time User Action Where 17

SECURE LOG PROBLEM

./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log ./logappend –T 0801 –K XDFLKJSLJDLJFLKJLSDF –E Alice -A –R Office log

log:

./logread –K XDFLKJSLJDLJFLKJLSDF –R –E Alice log Office

Event Log Time User Action Where 8:00 AM Bob Enter Gallery 8:01 AM Alice Enter Office

X

Event Log Time User Action Where 8:00 AM Bob Enter Gallery Event Log Time User Action Where 17

SECURE COMMUNICATIONS PROBLEM

18

SECURE COMMUNICATIONS PROBLEM

./bank –s auth

18

SECURE COMMUNICATIONS PROBLEM

auth: XDFLKJSLJDLJFLKJLSDF

./bank –s auth

18

SECURE COMMUNICATIONS PROBLEM

auth: XDFLKJSLJDLJFLKJLSDF

./bank –s auth

18

SECURE COMMUNICATIONS PROBLEM

auth: XDFLKJSLJDLJFLKJLSDF

./bank –s auth ./atm –s auth –c card –a bob –n 1000

18

SECURE COMMUNICATIONS PROBLEM

auth: XDFLKJSLJDLJFLKJLSDF

./bank –s auth

card: DFLLKSDF

./atm –s auth –c card –a bob –n 1000

bob balance:

1000

18

SECURE COMMUNICATIONS PROBLEM

auth: XDFLKJSLJDLJFLKJLSDF

./bank –s auth

card: DFLLKSDF

./atm –s auth –c card –a bob –n 1000 ./atm –s auth –c card –a bob –d 50

bob balance:

1000 1050

18

SECURE COMMUNICATIONS PROBLEM

auth: XDFLKJSLJDLJFLKJLSDF

./bank –s auth

card: DFLLKSDF

./atm –s auth –c card –a bob –n 1000 ./atm –s auth –c card –a bob –d 50 ./atm –s auth –c card –a bob –w 600

bob balance:

1000 1050 450

18

SECURE COMMUNICATIONS PROBLEM

auth: XDFLKJSLJDLJFLKJLSDF

./bank –s auth

card: DFLLKSDF

./atm –s auth –c card –a bob –n 1000 ./atm –s auth –c card –a bob –d 50 ./atm –s auth –c card –a bob –w 600

bob balance:

1000 1050 450

18

SECURE COMMUNICATIONS PROBLEM

auth: XDFLKJSLJDLJFLKJLSDF

./bank –s auth

card: DFLLKSDF

./atm –s auth –c card –a bob –n 1000 ./atm –s auth –c card –a bob –d 50 ./atm –s auth –c card –a bob –w 600

bob balance:

1000 1050 450

18

MULTIUSER DATABASE PROBLEM

19

MULTIUSER DATABASE PROBLEM

as principal admin password "admin" do create principal alice "alices_password" set msg = "Hi Alice. Good luck in Build it, Break it, Fix it!" set delegation msg admin read -> alice return "success" ***

19

MULTIUSER DATABASE PROBLEM

as principal admin password "admin" do create principal alice "alices_password" set msg = "Hi Alice. Good luck in Build it, Break it, Fix it!" set delegation msg admin read -> alice return "success" *** as principal alice password ”alices_password" do return msg ***

19

MULTIUSER DATABASE PROBLEM

as principal admin password "admin" do create principal alice "alices_password" set msg = "Hi Alice. Good luck in Build it, Break it, Fix it!" set delegation msg admin read -> alice return "success" *** as principal alice password ”alices_password" do return msg *** as principal bob password ”bobs_password" do return msg ***

19

RESEARCH QUESTIONS

20

RESEARCH QUESTIONS

What types of vulnerabilities do developers introduce?

20

RESEARCH QUESTIONS

What types of vulnerabilities do developers introduce? How severe are the vulnerabilities? If exploited, what is the effect

• n the system?

20

RESEARCH QUESTIONS

What types of vulnerabilities do developers introduce? How severe are the vulnerabilities? If exploited, what is the effect

• n the system?

How exploitable are the vulnerabilities? What level of insight is required and how much work is necessary?

20

What types of vulnerabilities do developers introduce? How severe are the vulnerabilities? If exploited, what is the effect

• n the system?

How exploitable are the vulnerabilities? What level of insight is required and how much work is necessary?

RESEARCH QUESTIONS

21

ANALYSIS APPROACH

22

ANALYSIS APPROACH

Examine projects and associated exploits in detail

22

ANALYSIS APPROACH

Examine projects and associated exploits in detail Iterative open coding

22

ANALYSIS APPROACH

Examine projects and associated exploits in detail Iterative open coding Two independent researchers with high reliability

22

ANALYSIS APPROACH

Examine projects and associated exploits in detail Iterative open coding Two independent researchers with high reliability 76 projects with 866 submitted exploits

22

ANALYSIS APPROACH

Examine projects and associated exploits in detail Iterative open coding Two independent researchers with high reliability 76 projects with 866 submitted exploits Both qualitative and quantitative analysis performed

22

RESULTS

23

Mistake

Vulnerability classes

No implementation Misunderstanding

Intuitive Bad Choice Conceptual Error Unintuitive

24

Vulnerability classes

No implementation

25

Vulnerability classes

No implementation

Intuitive

• Missed something “Intuitive”

26

Vulnerability classes

No implementation

Intuitive

• Missed something “Intuitive”
• No encryption (log, ATM)

26

Vulnerability classes

No implementation

Intuitive

• Missed something “Intuitive”
• No encryption (log, ATM)
• No access control (MD)

26

Vulnerability classes

No implementation

Intuitive Unintuitive

• Missed something “Intuitive”
• No encryption (log, ATM)
• No access control (MD)
• Missed something “Unintuitive”
• No MAC (log)

27

Vulnerability classes

No implementation

Intuitive Unintuitive

• Missed something “Intuitive”
• No encryption (log, ATM)
• No access control (MD)
• Missed something “Unintuitive”
• No MAC (log)
• Side-channel leakage (ATM,

MD)

27

Vulnerability classes

No implementation

Intuitive Unintuitive

• Missed something “Intuitive”
• No encryption (log, ATM)
• No access control (MD)
• Missed something “Unintuitive”
• No MAC (log)
• Side-channel leakage (ATM,

MD)

• No replay prevention (ATM)

27

Vulnerability classes

Misunderstanding

28

Vulnerability classes

Misunderstanding

Bad Choice

• Made a “Bad Choice”

29

Vulnerability classes

Misunderstanding

Bad Choice

• Made a “Bad Choice”
• Weak algorithms

(log, ATM)

29

Vulnerability classes

Misunderstanding

Bad Choice

• Made a “Bad Choice”
• Weak algorithms

(log, ATM)

• Homemade

encryption (log, ATM)

29

Vulnerability classes

Misunderstanding

Bad Choice

• Made a “Bad Choice”
• Weak algorithms

(log, ATM)

• Homemade

encryption (log, ATM)

• strcpy (log, ATM,

MD)

29

Vulnerability classes

Misunderstanding

Bad Choice Conceptual Error

• Made a “Conceptual

Error”

30

Vulnerability classes

Misunderstanding

Bad Choice Conceptual Error

• Made a “Conceptual

Error”

• Fixed value (log,

ATM, MD)

30

31

31

31

Vulnerability classes

Misunderstanding

Bad Choice Conceptual Error

• Made a “Conceptual

Error”

• Fixed value (log,

ATM, MD)

32

Vulnerability classes

Misunderstanding

Bad Choice Conceptual Error

• Made a “Conceptual

Error”

• Fixed value (log,

ATM, MD)

• Lacking sufficient

randomness (log, ATM)

32

Vulnerability classes

Misunderstanding

Bad Choice Conceptual Error

• Made a “Conceptual

Error”

• Fixed value (log,

ATM, MD)

• Lacking sufficient

randomness (log, ATM)

• Disabling protections

in library (log)

32

33

33

Mistake

Vulnerability classes

• Made a “Mistake”

34

Mistake

Vulnerability classes

• Made a “Mistake”
• Control flow mistake (ATM, MD)

34

Mistake

Vulnerability classes

• Made a “Mistake”
• Control flow mistake (ATM, MD)
• Skipped algorithmic step (ATM, MD)

34

Mistake

Vulnerability classes

• Made a “Mistake”
• Control flow mistake (ATM, MD)
• Skipped algorithmic step (ATM, MD)

34

Mistake

Vulnerability classes

• Made a “Mistake”
• Control flow mistake (ATM, MD)
• Skipped algorithmic step (ATM, MD)

34

PREVALENCE

Percentage of projects that introduced a mistake, misunderstanding, and no implementation vulnerability grouped by problem:

20 % of projects 80 40 60 Secure log Secure communication Multiuser database Totals

Mistake Misund. No Impl.

35

PREVALENCE

Percentage of projects that introduced a mistake, misunderstanding, and no implementation vulnerability grouped by problem:

20 % of projects 80 40 60 Secure log Secure communication Multiuser database Totals

Mistake Misund. No Impl.

35

PREVALENCE

Percentage of projects that introduced a mistake, misunderstanding, and no implementation vulnerability grouped by problem:

20 % of projects 80 40 60 Secure log Secure communication Multiuser database Totals

Mistake Misund. No Impl.

35

PREVALENCE

Intuitive Unituitive Bad choice Concept error

14 28 41 55

No Impl. Misund.

% of Projects that introduced each subclass

% of projects

36

PREVALENCE

Intuitive Unituitive Bad choice Concept error

14 28 41 55

No Impl. Misund.

% of Projects that introduced each subclass

% of projects

36

PREVALENCE

Intuitive Unituitive Bad choice Concept error

14 28 41 55

No Impl. Misund.

% of Projects that introduced each subclass

% of projects

36

PREVALENCE

Intuitive Unituitive Bad choice Concept error

14 28 41 55

No Impl. Misund.

% of Projects that introduced each subclass

% of projects

36

PREVALENCE

Intuitive Unituitive Bad choice Concept error

14 28 41 55

No Impl. Misund.

% of Projects that introduced each subclass

% of projects

36

PREVALENCE

Intuitive Unituitive Bad choice Concept error

14 28 41 55

No Impl. Misund.

% of Projects that introduced each subclass

% of projects

36

PREVALENCE

Intuitive Unituitive Bad choice Concept error

14 28 41 55

No Impl. Misund.

% of Projects that introduced each subclass

% of projects

36

TRENDS WITHIN MISTAKES

37

TRENDS WITHIN MISTAKES

Complexity breeds mistakes.

37

TRENDS WITHIN MISTAKES

Complexity breeds mistakes. Most common in the multi-user database problem (most complex) and least common in log problem (least complex)

37

TRENDS WITHIN MISTAKES

Complexity breeds mistakes. Most common in the multi-user database problem (most complex) and least common in log problem (least complex) Writing security checks once reduced mistakes

37

TRENDS WITHIN MISTAKES

Complexity breeds mistakes. Most common in the multi-user database problem (most complex) and least common in log problem (least complex) Writing security checks once reduced mistakes

37

Almost all mistakes were found in the Break-It phase

RECOMMENDATIONS

38

RECOMMENDATIONS

Simplify API design Build in security primitives and focus on common use-cases

38

RECOMMENDATIONS

Simplify API design Build in security primitives and focus on common use-cases Indicate security impact of non-default use in API Documentation Explain the negative effects of turning off certain things

38

RECOMMENDATIONS

Simplify API design Build in security primitives and focus on common use-cases Indicate security impact of non-default use in API Documentation Explain the negative effects of turning off certain things Vulnerability Analysis Tools More emphasis on design-level conceptual issues

38

SUMMARY

39

SUMMARY

Developers struggle with security concepts

39

SUMMARY

Developers struggle with security concepts Mostly knew they needed security and picked the right tools

39

SUMMARY

Developers struggle with security concepts Mostly knew they needed security and picked the right tools Didn’t know all the security requirements (Unintuitive) or all the implementation details (Conceptual Error)

39

SUMMARY

Developers struggle with security concepts Mostly knew they needed security and picked the right tools Didn’t know all the security requirements (Unintuitive) or all the implementation details (Conceptual Error) Mistakes happen, but can be reduced through code review and best practices

39

SUMMARY

Developers struggle with security concepts Mostly knew they needed security and picked the right tools Didn’t know all the security requirements (Unintuitive) or all the implementation details (Conceptual Error) Mistakes happen, but can be reduced through code review and best practices Improve API design, documentation, and automation to handle conceptual nuances

39

SUMMARY

Developers struggle with security concepts Mostly knew they needed security and picked the right tools Didn’t know all the security requirements (Unintuitive) or all the implementation details (Conceptual Error) Mistakes happen, but can be reduced through code review and best practices Improve API design, documentation, and automation to handle conceptual nuances

39

Questions dvotipka@cs.umd.edu sec-professionals.cs.umd.edu