Vulnerabilities

VulnerabilityFindingTodaySecuritybugscanbring$500-$100,000ontheopenmarketGoodbugfindersmake$180-$250/hrconsultingFewcompaniescanfindgoodpeople,manydon’tevenrealizethisispossible.StilllargelyablackartSecurityVulnerabilitiesWhatcanSecuritybugsanattackerdo?avoidauthenticationprivilegeescalationbypasssecuritycheckdenyservice(crash/hoseconfiguration)runcoderemotelyVulnerabilitiesBasisConceptsTechniquesforDetecting

VulnerabilitiesClassificationofVulnerabilitiesVulnerabilityAssessmentBasisConcepts

6WhatAreSoftwareVulnerabilities?Asoftwarevulnerabilityisaninstanceofafaultinthespecification,development,orconfigurationofsoftwaresuchthatitsexecutioncanviolatethe(implicitorexplicit)securitypolicy.SourcesofVulnerabilitiesAmongthemostfrequentlymentionedsourcesofsecurityvulnerabilityproblemsincomputernetworksaredesignflawsincorrectimplementationpoorsecuritymanagementsocialengineeringExamplesVulnerabilityDistributionsAcrossOperatingSystemsLocationsofobservedvulnerabilitiesMajorityofthevulnerabilitiesoccurredinapplicationsRedHatLinux(79%),Windows2000(77%),andSolaris(90%)10%to20%ofvulnerabilitiesarepresentintheunderlyingoperatingsystemsExample:WhereistheVulnerability?intread_packet(intfd){charheader[50];charbody[100];size_tbound_a=50;size_tbound_b=100;read(fd,header,bound_b);read(fd,body,bound_b);return0;}Example:Whereisthebug?intread_packet(intfd){charheader[50];//model(header,50)charbody[100];//model(body,100)size_tbound_a=50;size_tbound_b=100;read(fd,header,100);read(fd,body,100);return0;}Example:Whereisthebug?intread_packet(intfd){charheader[50];//model(header,50)charbody[100];//model(body,100)size_tbound_a=50;size_tbound_b=100;read(fd,header,100);//constantpropagationread(fd,body,100);//constantpropagationreturn0;}Example:Whereisthebug?intread_packet(intfd){charheader[50];//model(header,50)charbody[100];//model(body,100)size_tbound_a=50;size_tbound_b=100;

//checkread(fd,dest.size>=len)read(fd,header,100);//constantpropagationread(fd,body,100);//constantpropagationreturn0;}Example:Whereisthebug?intread_packet(intfd){charheader[50];//model(header,50)charbody[100];//model(body,100)size_tbound_a=50;size_tbound_b=100;

//checkread(fd,50>=100)=>SIZEMISMATCH!!read(fd,header,100);//constantpropagationread(fd,body,100);//constantpropagationreturn0;}TechniquesforDetecting

VulnerabilitiesTechniquesforDetecting

VulnerabilitiesSystemVerificationMathematicallyverifyingthatasystemsatisfiescertainconstraintsCanprovetheabsenceofvulnerabilitiesPenetrationtestingStartwithsystem/environmentcharacteristicsTrytofindvulnerabilitiesCannotprovetheabsenceofvulnerabilitiesNotesPenetrationtestingisatestingtechnique,notaverificationtechniqueItcanprovethepresenceofvulnerabilities,butnottheabsenceofvulnerabilitiesForformalverificationtoproveabsence,proofandpreconditionsmustincludeallexternalfactorsRealistically,formalverificationprovesabsenceofflawswithinaparticularprogram,design,orenvironmentFormalmethodFormalmethod:automatedtechniquebasedonmathematicallogicusedtoanalyzeapropertyofasystemNationalSecurityAgencywasthemajorsourceoffundingformalmethodsresearchanddevelopmentinthe70sandearly80sFormalsecuritymodelsToolsforreasoningaboutsecurityApplicationsofusingthesetoolstoprovesystemssecureFMsarecatchingon“Formalmethodscanrevolutionizedevelopment!”“Formalmethodsaredifficult,expensive,notwidelyusefulandforsafety-criticalsystemsonly”PeoplerealizeitsimportanceModelcheckerSpinbyBelllabswonSystemSoftwareAwardfor2001bytheACMInventorsofModelChecking(EdmundM.Clarke,E.AllenEmerson,andJosephSifakis)wonACMTuringAwardfor2007Intel,IBM,Motorola,etc.nowemployhundredsofmodelcheckingexpertsMicrosoftannouncedmodelcheckingprojectZingIBMeServerp690*,“appliedFVtosomeextentonapproximately40designcomponentsandfoundmorethan200designflaws…Itisestimatedthat15%ofthesebugswereofextremecomplexityandwouldhavebeendifficultfortraditionalverification".FormalmethodTheuseofInternetbringssecuritytotheattentionofmassesWhatkindofproblemscanformalmethodshelptosolveinsecurityWhatproblemswillformalmethodsneverhelptosolveTheLimitsofFormalMethodsSystemswillneverbe100%secureFormalmethodswillnotbreakthisaxiomAssumptionsaboutthesystem’senvironmentHardtostatethemexplicitlyThesystemcouldbedeployedinanenvironmentnotoriginallydesignedCleverintrudersfindouthowtoviolatetheseassumptionsSecurityisnotaneither/orpropertyPaymore,gainmoree.g.Passwords,certificates,biometricsaremeasuredintermsofdegreeofsecurityforauthenticationWhatFormalMethodsCanDoCharacterizeasystem’sbehaviormorepreciselyDefinethesystem’sdesiredpropertiespreciselyProveasystemmeetsitsspecification

ThesecapabilitiesofformalmethodshelppractitionerintwowaysThroughspecification,focusingondesigner’sattentionWhatistheinterfaceWhataretheassumptionsaboutthesystemWhatisthesystemsupposedtodounderthisconditionandthatconditionWhatarethesystem’sinvariantpropertiesThroughverificationProveasystemmeetsitssecuritygoalsFindouttheweaknessesofthesystemHowTheyCanHelpFormalMethodsChecker/ProverSystem,MProperty,PNo,

andwhyYesMaybeSpecificationVerificationOnesuccessfullightweightverification:ModelCheckingNumerous

lightweightspec

languagesSpecificationUsingalanguagewithamathematicallydefinedsyntaxandsemanticsSystempropertiesFunctionalbehaviorTimingbehaviorPerformancecharacteristicsInternalstructureSpecificationSpecificationhasbeenmostsuccessfulforbehavioralpropertiesSomeothernon-behavioralaspectsofasystemPerformanceReal-timeconstraintsSecuritypoliciesArchitecturaldesignSpecificationFormalmethodsforspecificationofthesequentialsystemsZ(Spivey1988)ConstructiveZ(Mirian1997)VDM(Jones1986)Larch(Guttag&Horning1993)Statesaredescribedinrichmathstructures(set,relation,function)Transitionaredescribedintermsofpre-andpost-conditionsSpecificationFormalmethodsforspecificationoftheconcurrentsystemsCSP(Hoare1985)CCS(Milner1980)Statecharts(Harel1987)TemporalLogic(Pnueli1981)I/OAutomata(LynchandTuttle1987)Statesrangeoversimpledomains,likeintegersBehaviorisdefinedintermsofsequences,trees,partialordersofeventsExample：

TheSpec#ProgrammingSystemTheSpec#language:C#+non-nulltypes,checkedexceptions,methodcontracts,objectinvariants,…TheSpec#toolsuite:Arun-timecheckingcompilerAstaticverifier:/specsharp/30ExampleSpec#CodeclassAccount{intbalance;Account(intinitial)

ensuresbalance==initial;{balance=initial;}voidDeposit(intamount)

modifiesthis.*;ensuresbalance==old(balance)+amount;{balance=balance+amount;}…}31VerificationTwowellestablishedapproachestoverificationModelCheckingTheoremProvingModelcheckingBuildafinitemodelofsystemandperformanexhaustivesearchTheoremProvingMechanizationofalogicalproofModelCheckingThetechnicalchallengeistodeviseanalgorithmforhandlinglargespacesScopeofmodelcheckersLogicandfunctionaldesignerrors,especiallyrelatedtoconcurrencyandmulti-threading:Deadlock,livelock,starvation,blockingRaceconditionsLockingandpriorityproblemsResourceallocationerrorsRelianceonrelativespeedsofexecutionofthreadsViolationoffixedsystembounds(memory,stack,time)Specificationincompleteness(unhandledeventscenariosSpecificationredundancy(deadcode)Logicproblems:missingcausalortemporalrelationsModelCheckingTherearetwogeneralapproachesinmodelcheckingTemporalModelCheckingModelcheckingwithaautomatonspecThedifferenceisbetweenthespecificationFirstone:TemporalLogicSecondone:AutomatonTemporalModelCheckingLineartemporallogic(LTL)

isamodal

temporallogicwithmodalitiesreferringtotime.InLTL,onecanencodeformulaedescribingeventsalongasinglecomputationpath,suchas:Thereisacondition,c,willeventuallybetruecwillbetrueuntildbecomestrueComputationtreelogic(CTL)

isabranching-time(modal)temporallogic,meaningthatitsmodeloftimeisatree-likestructureinwhichthefutureisnotdetermined;therearedifferentpathsinthefuture,anyoneofwhichmightbeanactualpaththatisrealised;sometemporaloperatorsquantifyoverpathsthatarepossiblefromagivenstateforexample:thereisapathandcistrueatallpointonthepathciseventuallytrueatsomepointonallpaths

ModelCheckingModelcheckingiscompletelyautomaticItproducescounterexamplesThecounterexampleusuallyrepresentssubtleerrorindesignThemaindisadvantage:stateexplosionproblem!TheoremProvingBoththesystemanditsdesiredpropertiesareexpressedinsomemathematicallogicTheoremprovingistheprocessoffindingaprooffromtheaxiomsofthesystemItcanberoughlyclassifiedHighlyautomatedprogramsInteractivesystemswithspecialpurposecapabilitiesIncontrasttomodelchecking,itcandealwithinfinitespaceReliesontechniqueslikereductionSystemVerificationWhataretheproblems?InvalidassumptionsLimitedviewofsystemStillaninexactscienceExternalenvironmentalfactorsIncorrectconfiguration,maintenanceandoperationoftheprogramorsystemWhatIsPenetrationTesting?Testingthesecurityofsystemsandarchitecturesfromahacker’spointofviewA“simulatedattack”withapredeterminedgoalTypesofTestingWhiteBoxTesterknowsallinformationaboutsystem.Includingsourcecode,design,requirements.Mostefficienttechnique.Avoidssecuritythroughobscurity.BlackBoxExaminessystemasanoutsiderwould.Testerbuildsunderstandingofattacksurfaceandsysteminternalsduringtestprocess.Canusetoevaluateeffortrequiredtoattacksystem.Helpstestitemsthataren’tdocumented.GreyBoxApplybothwhiteboxandblackboxtechniques.LayeringofTestsExternalattackerwithnoknowledgeofsystemLocatesystem,learnenoughtobeabletoaccessitExternalattackerwithaccesstosystemCanlogin,oraccessnetworkserversOftentrytoexpandlevelofaccessInternalattackerwithaccesstosystemTestersareauthorizeduserswithrestrictedaccounts(likeordinaryusers)TypicalgoalistogainunauthorizedprivilegesorinformationFlawHypothesisMethodologyInformationgatheringBecomefamiliarwithsystem’sfunctioningFlawhypothesisDrawonknowledgetohypothesizevulnerabilitiesFlawtestingTestthemoutFlawgeneralizationGeneralizevulnerabilitytofindotherslikeitInformationGatheringDevisemodelofsystemand/orcomponentsLookfordiscrepanciesincomponentsConsiderinterfacesamongcomponentsNeedtoknowsystemwell(orlearnquickly!)Designdocuments,manualshelpUnclearspecificationsoftenmisinterpreted,orinterpreteddifferentlybydifferentpeopleLookathowsystemmanagesprivilegedusersFlawHypothesizingExaminepolicies,proceduresMaybeinconsistenciestoexploitMaybeconsistent,butinconsistentwithdesignorimplementationExamineimplementationsUsemodelsofvulnerabilitiestohelplocatepotentialproblemsUsemanuals;tryexceedinglimitsandrestrictions;tryomittingstepsinproceduresFlawHypothesizing(con’t)Identifystructures,mechanismscontrollingsystemEnvironmentinwhichtheywork,andwerebuilt,mayhaveintroducederrorsThroughout,drawonknowledgeofothersystemswithsimilaritiesWhichmeanstheymayhavesimilarvulnerabilitiesResultislistofpossibleflawsFlawTestingDesigntesttobeleastintrusiveaspossibleMustunderstandexactlywhyflawmightariseProcedureBackupsystemVerifysystemconfiguredtoallowexploitTakenotesofrequirementsfordetectingflawVerifyexistenceofflawMayormaynotrequireexploitingtheflawMaketestassimpleaspossible,butsuccessmustbeconvincingMustbeabletorepeattestsuccessfullyFlawGeneralizationAstestssucceed,classesofflawsemergeSometimestwodifferentflawsmaycombinefordevastatingattackFuzzTestingAutomaticallygeneratetestcasesManyslightlyanomaloustestcasesareinputintoatargetinterfaceApplicationismonitoredforerrorsInputsaregenerallyeitherfilebased(.pdf,.png,.wav,.mpg)Ornetworkbased…h(huán)ttp,SNMP,SOAPTrivialExampleStandardHTTPGETrequestGET/index.htmlHTTP/1.1AnomalousrequestsAAAAAA...AAAA/index.htmlHTTP/1.1GET///////index.htmlHTTP/1.1GET%n%n%n%n%n%n.htmlHTTP/1.1GET/AAAAAAAAAAAAA.htmlHTTP/1.1GET/index.htmlHTTTTTTTTTTTTTP/1.1GET/index.htmlHTTP/.TrivialExampleExample:filefuzzingCreatesetofvalidfiles.ChoosepartsoffiletofuzzMetadata:dataformat,size,etc.Content:bytes,HTML/XMLtags,etc.Randomlymodifypartsoffile.Mayneedtorecomputechecksums.Submitfuzzedfilestoapplication.Monitorapplicationforcrashesanderrors.ApproachI:Black-boxFuzzTestingGivenaprogram,simplyfeeditrandominputs,seewhetheritcrashesAdvantage:reallyeasyDisadvantage:inefficientInputoftenrequiresstructures,randominputsarelikelytobemalformedInputsthatwouldtriggeracrashisaverysmallfraction,probabilityofgettingluckymaybeverylowEnhancement:Mutation-BasedFuzzingTakeawell-formedinput,randomlyperturb(flippingbit,etc.)LittleornoknowledgeofthestructureoftheinputsisassumedAnomaliesareaddedtoexistingvalidinputsExamples:ZZUF,verysuccessfulatfindingbugsinmanyreal-worldprograms,/zzuf/Taof,GPF,ProxyFuzz,FileFuzz,Filep,etc.FileFuzzFileFuzz–IdentifyTargetApplicationvs.filetypeOnefiletypemultipletargetsVendorhistoryPastvulnerabilitiesHighrisktargetsDefaultfilehandlersWindowsExplorerWindowsRegistryCommonlytradedfiletypesMediafilesOfficedocumentsConfigurationfilesIdentifytargetIdentifyinputsGeneratefuzzeddataExecutefuzzeddataMonitorforexceptionsDetermineexploitabilityFileFuzz–IdentifyInputsProprietaryvs.openformatsVendordocumentsWGoogleBinaryfilese.g.images,video,audio,officedocuments,etc.Headersvs.dataTextfilese.g.*.ini,*.inf,*.xmlName/valuepairsIdentifytargetIdentifyinputsGeneratefuzzeddataExecutefuzzeddataMonitorforexceptionsDetermineexploitabilityFileFuzz–GenerateFuzzedDataBinaryfilesBreadth

FFFFFFFF0000DBFE0B00C5000001E803;????..?t..?...è. D7FFFFFFFF00DBFE0B00C5000001E803;×????.?t..?...è. D7CDFFFFFFFFDBFE0B00C5000001E803;×í?????t..?...è.DepthD7CDFD9A0000DBFE0B00C5000001E803;×íy?..?t..?...è. D7CDFE9A0000DBFE0B00C5000001E803;×ít?..?t..?...è. D7CDFF9A0000DBFE0B00C5000001E803;×í??..?t..?...è.IdentifytargetIdentifyinputsGeneratefuzzeddataExecutefuzzeddataMonitorforexceptionsDetermineexploitabilityFileFuzz–ExecuteFuzzedDataCommandlineargumentsWindowsexplorerTools…FolderOptions…FileTypesIdentifytargetIdentifyinputsGeneratefuzzeddataExecutefuzzeddataMonitorforexceptionsDetermineexploitabilityFileFuzz–MonitorforExceptionsVisualErrormessagesBluescreenEventlogsSystemlogsApplicationlogsDebuggersReturncodesDebuggingAPIIdentifytargetIdentifyinputsGeneratefuzzeddataExecutefuzzeddataMonitorforexceptionsDetermineexploitabilityFileFuzz–MonitorforExceptionsExecuteAutomatedandrepeatedMonitorLibrary-libdasmCaptureMemorylocationRegistryvaluesExceptiontypeKillSettimeoutIdentifytargetIdentifyinputsGeneratefuzzeddataExecutefuzzeddataMonitorforexceptionsDetermineexploitability[*]"crash.exe""C:\ProgramFiles\WordPerfectOffice12\Programs\UA120.exe"2000/qtc:\fuzz\ast\8.ast[*]AccessViolation[*]Exceptioncaughtat00403f06moveax,[eax+edi*4][*]EAX:0014b1b8EBX:00000005ECX:00435c00EDX:0012fbac[*]ESI:00435c00EDI:ccccccccESP:0012fab8EBP:0012fae8FileFuzz–DetermineExploitabilitySkillsDisassemblyDebuggingVulnerabilitytypesStackoverflowsHeapoverflowsIntegerhandlingDoSLogicerrorsFormatstringsRaceconditionsIdentifytargetIdentifyinputsGeneratefuzzeddataExecutefuzzeddataMonitorforexceptionsDetermineexploitabilityHowMuchFuzzIsEnough?Mutationbasedfuzzersmaygenerateaninfinitenumberoftestcases...Whenhasthefuzzerrunlongenough?Generationbasedfuzzersmaygenerateafinitenumberoftestcases.Whathappenswhenthey’reallrunandnobugsarefound?CodeCoverageSomeoftheanswerstothesequestionslieincodecoverageCodecoverageisametricwhichcanbeusedtodeterminehowmuchcodehasbeenexecuted.Datacanbeobtainedusingavarietyofprofilingtools.e.g.gcovTypesofCodeCoverageLine/blockcoverageMeasureshowmanylinesofsourcecodehavebeenexecuted.BranchcoverageMeasureshowmanybranchesincodehavebeentaken(conditionaljmps)PathcoverageMeasureshowmanypathshavebeentakenExampleRequires1testcaseforlinecoverage2testcasesforbranchcoverage4testcasesforpathcoveragei.e.(a,b)={(0,0),(3,0),(0,3),(3,3)}ApproachII:Constraint-based

AutomaticTestCaseGenerationLookinsidetheboxUsethecodeitselftoguidethefuzzingAssertsecurity/safetypropertiesExploredifferentprogramexecutionpathstocheckforsecuritypropertiesChallenge:1.Foragivenpath,needtocheckwhetheraninputcantriggerthebug,i.e.,violatesecurityproperty2.FindinputsthatwillgodowndifferentprogramexecutionpathsRunningExamplef(unsignedintlen){unsignedints;char*buf;if(len%2==0)s=len;else s=len+2;buf=malloc(s);read(fd,buf,len);…}Where’sthebug?What’sthesecurity/safetyproperty?s>=lenWhatinputswillcauseviolationofthesecurityproperty?len=232-1Howlikelywillrandomtestingfindthebug?SymbolicExecutionTestinputlen=6NoassertionfailureWhataboutallinputsthattakesthesamepathaslen=6?UsingaSolverIsthereavalueforlens.t.len%2=0^s=len^s<len?GivethesymbolicformulatoasolverInthiscase,thesolverreturnsNoTheformulaisnotsatisfiableWhatdoesthismean?Foranylenthatfollowsthesamepathaslen=6,theexecutionwillbesafeSymbolicexecutioncancheckmanyinputsatthesametimeforthesamepathWhattodonext?TrytoexploredifferentpathHowtoExploreDifferentPaths?Previouspathconstraint:len%2=0Flipthebranchtogodownadifferentpath:len%2!=0UsingasolverfortheformulaAsatisfyingassignmentisanewinputtogodownthepathCheckingAssertionintheOtherPathIsthereavalueforlens.t.len%2!=0^s=len+2^s<len?GivethesymbolicformulatoasolverSolverreturnssatisfyingassignment:len=232-1Foundthebug!VulnerabilityClassificationRequirementsforaGoodTaxonomyAcomprehensivetaxonomymustbe:MutuallyexclusiveExhaustiveUnambiguousRepeatableAcceptedUsefulUnfortunately,thisisaveryhardproblemtosolveVulnerabilityClassificationDescribeflawsfromdifferingperspectivesExploit-orientedHardware,software,interface-orientedGoals:Specify,design,implementcomputersystemwithoutvulnerabilitiesAnalyzecomputersystemtodetectvulnerabilitiesAddressanyvulnerabilitiesintroducedduringsystemoperationDetectattemptedexploitationsofvulnerabilitiesNRLTaxonomyGoals:DeterminehowflawsenteredsystemDeterminewhenflawsenteredsystemDeterminewhereflawsaremanifestedinsystem3differentschemesused:GenesisofflawsTimeofflawsLocationofflawsGenesisofFlawsInadvertent(unintentional)flawsclassifiedusingRISOScategories;notshownaboveIfmostinadvertent,betterdesign/codingreviewsneededIfmostintentional,needtohiremoretrustworthydevelopersanddomoresecurity-relatedtestingRISOS:ResearchIntoSecureOperating

Systems(SevenClasses)IncompleteparametervalidationExample:emulatingintegerdivisioninkernel(RISCchipinvolved)Callerprovidedaddressesforquotient,remainderQuotientaddresscheckedtobesureitwasinuser’sprotectiondomain,but..Inconsistentparametervalidationeachdatabaserecord1line,colonsseparatingfieldsImplicitsharingofprivileged/confidentialdataAsynchronousvalidation/inadequateserializationInadequateidentification/authentication/authorizationViolableprohibition/limitExploitablelogicerrorTimeofFlawsDevelopmentphase:allactivitiesuptoreleaseofinitialversionofsoftwareMaintenancephase:allactivitiesleadingtochangesinsoftwareperformedunderconfigurationcontrolOperationphase:allactivitiesinvolvingpatchingandnotunderconfigurationcontrolLocationofFlawFocuseffortonlocationswheremostflawsoccur,orwheremostseriousflawsoccurVulnerabilityAssessmentVulnerabilityassessment–aproactivemethodtofindsecurityholesProduction-modenetworkapplicationsVulnerabilityassessmenttoolsAssessmentreportScannedserverScanningmachineDefiningaVulnerabilityAssessmentDefiningScopeNetworkSurveyPortScanningVulnerabilityResearch/ValidationCommonVulnerabilitiesIndustryDatabases(CVE)Tools,productsandinformationDefinitionofaVulnerabilityAssessmentvulnerabilityassessment:

Thesystematicexaminationofasystemtoidentifythosecriticalinfrastructuresorrelatedcomponentsthatmaybeatriskfromanattack.DefiningScopeBeforebeginninganywork,youmustcarefullydefineyourscope:Whichmachinestotest(IPrangesoraddresses)WhichtimesaregoodandbadtoperformtestingAreyougoingtotestforDenialofServicesusceptibility?Typeofassessmenttobedone-BlackBox(nothingisknown),GreyBox(somethingsareknown),orWhiteBox(allthingsareknown)Makesureyouhavelegalrightstodotheassessment!NetworkSurveyPerformsomedatacollectiontogetthemoreinformationforyourassessmentAskthecustomertoidentifyallknownhostsonthesegmentFindoutwhatservicesarerunningonthehosts–AnalyzenetworkmapsAnalyze‘whois’andARINdata.IdentifyDNSinformationPortScanningUseaportscannersuchas‘nmap’tomapthesubnetDeterminewhatports(andhenceservices)areavailableonthenetworkLookforopen,aswellasclosedandfilteredports.VulnerabilityResearchUseavarietyofsecurityscanningtoolsThesetoolstypicallyhaveadatabaseofvulnerabilitysignatures,justlikeananti-virusproductManualanalysisofservices,especially“odd”onesisusuallynecessaryusetheInternettolookforvulnerabilities,do