
CSCE 548 Secure Software Development Taxonomy of Coding Errors

CSCE 548 Secure Software Development Taxonomy of Coding Errors. Reading. This lecture: McGraw: Chapter 12 Recommended: SANS: The Top Cyber Security Risks, http://www.sans.org/top-cyber-security-risks/





Presentation Transcript


  1. CSCE 548 Secure Software Development: Taxonomy of Coding Errors

  2. Reading
     • This lecture:
       • McGraw: Chapter 12
     • Recommended:
       • SANS: The Top Cyber Security Risks, http://www.sans.org/top-cyber-security-risks/
       • Weber, Karger, Paradkar, A software flaw taxonomy: aiming tools at security, ACM SIGSOFT Software Engineering Notes, Volume 30, Issue 4, July 2005, http://portal.acm.org/citation.cfm?id=1082983.1083209&coll=portal&dl=ACM
     • Next lecture:
       • Howard et al.: Buffer Overruns

  3. Application Vulnerabilities
     • # application vulnerabilities >> # OS vulnerabilities
     • Most "popular" applications change over time
       • prevalence
       • inability to effectively patch
     • Current targets: browsers and client-side applications

  4. Web Application Attacks
     • Brute force password guessing attacks
     • Web application attacks
     • Popular targets for password guessing: Microsoft SQL, FTP, and SSH servers
     • Popular targets for application attacks: SQL Injection, Cross-site Scripting, and PHP File Include attacks

  5. Application Patching
     • Much slower than operating system patching
     • Zero-Day Vulnerability: a flaw in software code is discovered and code exploiting the flaw appears before a fix or patch is available
       • Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
       • Microsoft Office Web Components ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
       • Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
       • Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2009-1537)
       • Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)
       • Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)

  6. Goal of Taxonomy
     • List of common coding mistakes
     • Support for software developers to avoid making mistakes
     • Useful in automated tools
       • Real time
       • Compile time
     • Teaching aid
     • NOT an attack taxonomy

  7. Attack-Based Approaches
     • Understand how attackers think
     • Assessing the possibility of attack
     • Misuses
     • Black hat approach

  8. Taxonomy of Coding Errors
     • Positive approach
     • Incomplete and imperfect
     • Practical and based on real-world experience
     • Focus on large enterprise software

  9. Components
     • Phylum: a type or particular kind of coding error
     • Kingdom: a collection of phyla that share a common theme

  10. 7 Plus 1 Kingdoms
     • Input validation and representation
     • API abuse
     • Security features
     • Time and state
     • Error handling
     • Code quality
     • Encapsulation
     • Environment

  11. Input Validation and Representation
     • Caused by meta-characters, alternate encodings, and numeric representations
     • Problem: trusting input
     • Examples: buffer overflow, cross-site scripting, SQL injection, etc.
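The SQL injection example on this slide, worked through as an added illustration that is not part of the lecture material. The in-memory database and its three rows are constructed here for the demonstration. The vulnerable lookup concatenates user input into the query, so a single quote metacharacter changes the query's structure; the parameterized version binds the input as data, and the allow-list check rejects input that does not have the expected shape before it reaches the database at all.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Trusts input: the quote metacharacter in `name` becomes part of the SQL."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return [tuple(row) for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Code and data kept apart: the driver binds `name` as a value, never as SQL."""
    return [tuple(row) for row in conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,))]


def is_valid_username(name):
    """Positive (allow-list) validation: accept only the shape a username may have."""
    return 1 <= len(name) <= 32 and name.isascii() and name.isalnum()


def lookup_hardened(conn, name):
    """Validate representation first, then query with a bound parameter."""
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, name)


def demo():
    """Run both lookups against a normal name and a constructed quote-bearing input."""
    conn = make_db()
    normal = "bob"
    hostile = "x' OR '1'='1"  # constructed: the quote closes the literal early
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),     # returns every row
        "param_hostile": lookup_parameterized(conn, hostile),  # matches nothing
        "hardened_accepts_hostile": is_valid_username(hostile),
        "hardened_normal": lookup_hardened(conn, normal),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the last two functions is that validation and parameterization are complementary: the bound parameter stops the input from being interpreted as SQL, while the allow-list stops junk from being stored or compared in the first place.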

  12. API Abuse
     • API: a contract between a caller and a callee
     • Common problem: the caller fails to honor its end of the contract
     • Example: failing to perform expected actions
     • Either side may violate the contract
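One concrete form of the caller failing to honor its end of the contract, as an added example that is not part of the lecture: a stream-style `recv(n)` API is allowed to return fewer than `n` bytes, and a caller that assumes a full read silently truncates the message. `ConstructedStream` is a stand-in for a socket, built here so the example runs offline; it returns at most three bytes per call, which is within the contract.

```python
class ConstructedStream:
    """Constructed stand-in for a socket: recv(n) returns at most `chunk` bytes,
    and b"" once the peer has closed. Both behaviours are part of the contract."""

    def __init__(self, data, chunk=3):
        self._buf = data
        self._chunk = chunk

    def recv(self, n):
        take = min(n, self._chunk)
        out, self._buf = self._buf[:take], self._buf[take:]
        return out


def read_message_naive(stream, length):
    """Caller breaks the contract: assumes one recv() delivers all `length` bytes."""
    return stream.recv(length)


def read_exact(stream, length):
    """Caller honours the contract: loop until `length` bytes arrive, and treat an
    empty return (peer closed) as an error instead of a short message."""
    chunks = []
    remaining = length
    while remaining > 0:
        chunk = stream.recv(remaining)
        if not chunk:
            raise EOFError(f"peer closed after {length - remaining} of {length} bytes")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def truncated_message_is_detected(data, length):
    """True if read_exact refuses to return a message shorter than promised."""
    try:
        read_exact(ConstructedStream(data), length)
    except EOFError:
        return True
    return False


if __name__ == "__main__":
    msg = b"HELLO WORLD"
    print("naive:", read_message_naive(ConstructedStream(msg), len(msg)))
    print("exact:", read_exact(ConstructedStream(msg), len(msg)))
    print("short input detected:", truncated_message_is_detected(b"HI", 5))
```

The same pattern (a return value that carries a condition the caller must check) covers the "unchecked return value" kind of API abuse generally: the callee did its part, and the defect is entirely in the caller.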

  13. Security Features
     • List of features the software should support
     • In addition to security software
     • Examples: authentication, access control, confidentiality, etc.

  14. Time and State
     • Distributed computation: more than one component communicates, shares state, and uses system resources
     • Timing requirements for distributed computing
     • Interactions between threads, processes, time, and information
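A time-and-state error in its simplest form, added here as an illustration that is not part of the lecture: a check-then-act sequence on a file, where another process can change the state between the check and the action (a time-of-check/time-of-use race). The `between` hook is an assumption of this example only; it simulates the other party acting in the window so the interleaving is reproducible. The atomic version asks the kernel to check and create in one operation.

```python
import os
import tempfile


def create_naive(path, between=None):
    """Check-then-act: the existence test and the open are separate steps.
    `between` simulates another process acting in the gap between them."""
    if os.path.exists(path):
        return "exists"
    if between:
        between()  # state changes here: the file now exists
    with open(path, "w") as f:  # open(..., "w") silently truncates it
        f.write("mine")
    return "created"


def create_atomic(path, between=None):
    """Single operation: O_CREAT | O_EXCL makes existence check and creation atomic,
    so whatever happened before the call is reported, never overwritten."""
    if between:
        between()
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return "exists"
    with os.fdopen(fd, "w") as f:
        f.write("mine")
    return "created"


def _planter(path):
    """Constructed stand-in for the competing process: drops a file at `path`."""
    def plant():
        with open(path, "w") as f:
            f.write("planted")
    return plant


def demo():
    """Return (naive result, naive file content, atomic result, atomic file content)."""
    with tempfile.TemporaryDirectory() as d:
        p_naive = os.path.join(d, "naive.txt")
        p_atomic = os.path.join(d, "atomic.txt")

        naive = create_naive(p_naive, between=_planter(p_naive))
        with open(p_naive) as f:
            naive_content = f.read()

        atomic = create_atomic(p_atomic, between=_planter(p_atomic))
        with open(p_atomic) as f:
            atomic_content = f.read()

    return naive, naive_content, atomic, atomic_content


if __name__ == "__main__":
    print(demo())
```

The naive version reports "created" and has clobbered the file that appeared in the window; the atomic version reports "exists" and leaves it alone. Without the hook the race is real but timing-dependent, which is exactly why this kingdom is hard to test for and why static analysis flags the check-then-act pattern itself.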

  15. Error Handling
     • Junk input
     • A class of programming contract
     • Similar to API abuse
     • Very common
     • Producing errors or giving out too much information
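The "giving out too much information" point, as an added example that is not from the lecture: two handlers for the same failing database request. The first returns the raw exception and the query to the caller, which tells an outside party about table names and query structure; the second keeps that detail in the server-side log under a reference id and returns only a generic message. The database and the failing query are constructed for the demonstration.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app")


def run_query(query):
    """Constructed backend: a fresh in-memory database with no tables, so any
    SELECT against a named table fails with a descriptive sqlite3 error."""
    return sqlite3.connect(":memory:").execute(query).fetchall()


def handle_leaky(query):
    """Error message reveals internals (table name, query text) to the caller."""
    try:
        run_query(query)
        return "ok"
    except sqlite3.Error as e:
        return f"Database error: {e} (query: {query})"


def handle_safe(query):
    """Detail goes to the log under a reference id; the caller gets a generic message."""
    try:
        run_query(query)
        return "ok"
    except sqlite3.Error as e:
        ref = uuid.uuid4().hex[:8]
        log.error("request %s failed: %s; query=%r", ref, e, query)
        return f"The request could not be completed (ref {ref})."


def leaks_internals(message, secrets):
    """True if any internal name from `secrets` appears in the caller-visible message."""
    return any(s in message for s in secrets)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    q = "SELECT * FROM accounts_internal"  # constructed failing query
    print(handle_leaky(q))
    print(handle_safe(q))
```

The reference id is what keeps the generic message useful: an operator can match the caller's report to the full log entry without the caller ever seeing it.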

  16. Code Quality
     • Security: a subset of reliability
     • Poor code quality → unpredictable behavior
     • Unpredictable behavior → poor usability
     • Attacker: tries to stress the system in unexpected ways

  17. Encapsulation
     • Drawing boundaries between things and setting up barriers between them
     • Trust and trust models

  18. Environment
     • The machine the software runs on
     • Connection to the external context
     • Things outside of the code but critical to the security of the software

  19. Phyla
     • Coding errors that can be grouped into kingdoms
     • Static source code analysis
     • See the complete list, starting at page 283

  20. Next Class
     • Buffer Overruns
