Binary and Protocol Security Assurance
Mahesh Saptarshi, Technical Director, Symantec Software India Pvt Ltd

Agenda
1 Disclaimers, requests, etc
2 Security Bugs – what, how, and their classification
3 Security assurance of Binary – 3rd party modules
4 Security assurance of network protocols
5 Tools and techniques for discovering security bugs
6 Summary and Q/A

Disclaimers, Requests, etc
• Not Symantec company position, statement or policy
• Focus on the technical details
• Cell phones – please activate vibrate/quiet mode
• Ask a question any time
• Q&A time also at the end
• Much of the material is learned by practice

Security Bugs – What
• Assets, threats, software bugs aka vulnerabilities
• Threats always exist – probabilities vary
• Vulnerabilities make exploits possible
• Threats can be mitigated – reduced probability
• Threats != attacks
• Vulnerabilities != attacks
• Attacks – attempts by a malicious entity to actuate a threat
• Our aim – eliminate or mitigate vulnerabilities
  • To foil attacks
  • So that the probability of a threat is reduced
  • So that the asset is secure

Our Goal
Eliminate or mitigate vulnerabilities
• To foil attacks
• So that the probability of a threat is reduced
• So that the asset is secure

Security Bugs – Causes
• Causes of security bugs
  • Insecure design
  • Insecure coding
  • Insecure environment
  • Lack of proper data validation
  • Lack of security assurance

Security Bugs – Examples
• Buffer overflow
• Cross site scripting
• Authentication bypass
• Escalation of privilege
• Arbitrary code execution
• SQL injection
• Arbitrary file modification/overwrite/truncation

Most prevalent security issues
• Input validation
  • Buffer overflow
  • Cross site scripting
  • SQL injection
  • File path redirection
• Authentication bypass
• Session issues
  • Session hijack, session replay
  • Insufficient randomization
• Configuration security
Practical approach to finding security bugs
• Brute force
  • Fuzzing
    • Feeding the application lots of different values of the data
    • Values of data are derived by systematic or random changes to a valid value
    • Network fuzzing, file fuzzing, API parameter fuzzing, web request fuzzing
    • Automation required – too many variations
• Intelligent security assurance
  • Targeted fuzzing
    • Integer values at byte boundaries
    • Size value and buffer size mismatch
  • SQL query and cross domain scripting verification
  • Path variation related attacks
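As an added example (not part of the original slides), a small Python harness that implements the targeted fuzzing the slide describes: a length field set to integer values at byte boundaries, and size-field/buffer mismatches, derived from one valid message and run against a toy length-prefixed parser. The wire format, both parsers and the seed message are assumed for illustration; the hardened parser sits beside the unchecked one.

```python
import struct

# Integer values at byte boundaries for a 16-bit length field (constructed list).
BOUNDARY_U16 = [0, 1, 0x7F, 0x80, 0xFF, 0x100, 0x7FFF, 0x8000, 0xFFFE, 0xFFFF]

def build_message(payload: bytes) -> bytes:
    # Assumed wire format for illustration: 2-byte big-endian length, then payload.
    return struct.pack(">H", len(payload)) + payload

def targeted_variants(valid: bytes):
    """Yield (label, message) pairs derived by targeted changes to one valid message."""
    payload = valid[2:]
    for n in BOUNDARY_U16:                    # length field at integer byte boundaries
        yield f"len={n:#x}", struct.pack(">H", n) + payload
    yield "payload-short", valid[:-1]         # size field and actual buffer disagree
    yield "payload-long", valid + b"\x00" * 4

def parse_unchecked(buf: bytes) -> bytes:
    """Toy parser under test: trusts the peer's length field (the defect to find)."""
    (n,) = struct.unpack(">H", buf[:2])
    body = bytearray(n)                       # allocate what the peer claims
    for i in range(n):
        body[i] = buf[2 + i]                  # reads past the end when n lies
    return bytes(body)

def parse_checked(buf: bytes) -> bytes:
    """Hardened parser: the length field must agree with the bytes received."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    (n,) = struct.unpack(">H", buf[:2])
    if n != len(buf) - 2:
        raise ValueError(f"length field {n} vs {len(buf) - 2} bytes received")
    return buf[2:]

def fuzz(parser, valid: bytes) -> list:
    """Run every variant; return (label, exception) for crashes. A ValueError is the
    parser's own clean rejection and is not counted as a finding."""
    crashes = []
    for label, msg in targeted_variants(valid):
        try:
            parser(msg)
        except ValueError:
            pass
        except Exception as exc:
            crashes.append((label, type(exc).__name__))
    return crashes

if __name__ == "__main__":
    seed = build_message(b"hello")
    print("unchecked:", fuzz(parse_unchecked, seed), "\nchecked:", fuzz(parse_checked, seed))
```

Every length value larger than the five bytes actually received, plus the truncated payload, drives the unchecked parser past the end of its input, while the checked parser rejects all of them cleanly.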
Practical approach to hunting for security bugs – cont.
• Authentication related verification
  • Session re-establishment protocol
  • Frequent session or form reload testing
  • Fake client instantiation
  • Fake server instantiation
  • Proxy and session break up
  • Defaults verification by denying authentication protocol completion

Practical approach to hunting for security bugs – cont.
• Session issues
  • Session hijack using a proxy
  • MITM attack
  • Session key management verification
  • Encryption key management verification
  • Session key exchange protocol verification
  • Session timeout testing

Practical approach to hunting for security bugs – cont.
• Configuration security
  • File permissions
  • File name generation and temporary file location
  • Configuration file fuzzing and unreasonable values
  • Locale related verification
  • Registry entry permissions – DACLs
  • Log file permissions – log analyzers and report generators
  • Event viewers
  • File overwrite attack using “log truncate” or “cleanup” action
  • File upload/download and overwrite action
  • Arbitrary file access action

Tools for hunting down security bugs
• Static source code analysis – Coverity, RATS, FindBugs, FxCop
• Nessus – port scanner and vulnerability verification
• NMAP – network mapper, services and OS security
• Wireshark – sniffing network traffic
• SPIKE – network fuzzing
• Filemon/Regmon – monitoring file access, registry
• PEexplorer – exploring running processes
• IDA – debugger for analysing crash dumps
• WebInspect, AppScan, Cenzic Hailstorm – web security attack tools

Summary
• Software security bugs: eliminate or mitigate vulnerabilities
  • To foil attacks
  • So that the probability of a threat is reduced
  • So that the asset is secure
Mahesh Saptarshi Mahesh_saptarshi@symantec.com