Whittaker How To Break Software Security - SoftTest Ireland


Published on

Visit SoftTest Ireland www.softtest.ie and sign up for access to free Irish Software Testing events.

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Welcome to How to Break Software Security! This course is based on the book by the same name published in 2003. This book followed How to Break Software and precedes How to Break Web Software . That is a lot of How-To’s, which is a good thing because that’s what this course is about. It’s about understanding security vulnerabilities and how to do something about it for your own applications. Whether you are a developer, tester, integrator, manager, decision-maker, whatever…you’ll find this material to be invaluable for understanding security and security vulnerabilities. Welcome to the wonderful world of breaking things!
  • We’ve been performing functional testing for decades and the process is pretty well-entrenched. We have a spec or a test plan that tells us what the application is supposed to do. Say, for example, our test plan tells us to apply input A and that the application should generate output B. As a functional tester, that’s what we do: apply A, watch for B and when we see it, we mark the test case as ‘passed.’ What we are doing here is verifying that the application did what is was supposed to do. But this is both too much and not enough for security testing. It’s too much in that security testers really don’t bother with what the app is supposed to do. We’re concerned more with what the app is not supposed to do! In other words, we apply that same input A but don’t care about output B that is supposed to occur. Instead, we try to verify that some bad output C does not occur. That’s what you’ll learn in this course. How to anticipate insecure behaviors and test for their absence.
  • To highlight the difference, let’s examine two bugs, one functional and one security, and analyze the differences.
  • This screen snap is just for the slides…during the course we will repro the bug in Excel. This bug is in the “scenarios” feature and has the following analysis: 1. That the expected functionality DOES NOT WORK. We do not see the required output. 2. That the failure symptoms are pretty easy to see. This is, in essence, a typical functional bug.
  • This will also be demoed live. The bug in Macromedia flash (which has been fixed) doesn’t show up when the application executes this SWF file. The bug has the following properties. 1. The desired result (output) does indeed happen: the file is rendered correctly. This means that the insecure side-effect (which is a buffer overflow) is masked by the fact that the software did what it was supposed to do. 2. Insecurity often happens invisibly. New tools and thought processes are required to find them. This means that testers need to think about what SHOULD NOT HAPPEN when they are doing security testing.
  • In order to help us think about security bugs, we offer two models for testers to keep in their heads while they are doing security testing. The first deals with the software itself and teaches us how to think about software behaviors. The second deals with the environment in which the application runs and teaches us to think about how the application interacts with other entities in its environment of use.
  • On the left hand side of this diagram we have the specification, or intended behavior of the application. This is what the application is SUPPOSED to do. Then the application gets coded (which is the second, rightmost circle) we have ACTUAL behavior to compare to the EXPECTED behavior. This is the process of testing…find problems, fix problems and make the two circles merge. But functional testing only finds bugs on the left part of the Venn diagram. These are behaviors that SHOULD happen but DON’T…just like the Excel bug shown earlier. To find the security bugs on the right side we need to train ourselves to look for what “isn’t there”…to look in places we don’t look in traditional testing. We need to think about what should NOT happen.
  • If we think about the Macromedia bug for a moment, we realize that we could not see the security bug through the user interface. The UI is rarely the place where security bugs manifest (but it can be as we will see later). Instead, we have to think more holistically about the execution environment. The UI is one aspect of the environment. It is the interface where the application receives user input that must be carefully error-checked. It is also the place where outputs are rendered and we have to make sure those outputs do not reveal anything useful to an attacker The File System is the interface where data from files is read and written. Unlike the UI, this interface is normally invisible and require special tools to observe the traffic that crosses application boundaries. Another important set of inputs crosses this boundary and must be error-checked. However, error checking here is much less common than the UI because developers tend to trust the content of files more than they trust the content of UI text boxes and so forth. The Software interface is where data to third-party controls and applications comes from. For example, network libraries, databases, math libraries and so forth. This is also an invisible interface requiring special tools. The Kernel interface is where applications get memory and other resources. This is where evidence of memory-based exploits will be found and also requires special tools to observe. One such special tool is Holodeck and it will be demoed here.
  • Here’s where we play the All Your Base Are Belong To Us video that underscores hacker’s motivations and sheer delight in doing what they do. The lessons learned from this: 1. Hackers have some free time on their hands…they don’t ship products! 2. Hackers have some skills and they know how to use the tools. 3. Hackers are motivated to break anyone’s application.
  • Beginning in 1996, we undertook a massive project to analyze bugs. This project was partially funded by industry and government sources and had as its goal to develop a better understand of important bugs and to describe better techniques to prevent and find defects. We began studying functional bugs and the result was How to Break Software by James A. Whittaker. We then turned our attention to security bugs which resulted in How to Break Software Security by James and Herbert H. Thompson. In both cases, we studying BUGS THAT SHIPPED because it is this set of bugs that our current processes are the worst at preventing and finding…after all these are the ones that got away.
  • Placeholder for text of Conclusions, SPAs and others (substitute your own text) No source line is necessary unless the source is something other than Gartner Research
  • Whittaker How To Break Software Security - SoftTest Ireland

    1. 1. How to Break Software Security
    2. 2. Functionality vs. Security <ul><li>Functional testing: verify that the app does what it is supposed to do </li></ul><ul><ul><li>Apply inputs, verify correct outputs </li></ul></ul><ul><ul><li>Funtional testers ask: ‘what is the software supposed to do?’ </li></ul></ul><ul><li>Security testing: verify that the app does not do what it is not supposed to do </li></ul><ul><ul><li>Apply inputs, verify that no bad things happen </li></ul></ul><ul><ul><li>Security testers ask: ‘what is the software not supposed to do?’ </li></ul></ul><ul><li>But what is the set of bad things that can cause an application to behave insecurely? </li></ul>
    3. 3. An Example <ul><li>Let’s examine two bugs: </li></ul><ul><ul><li>A functional bug in which the software fails to do what it is supposed to do </li></ul></ul><ul><ul><li>A security bug in which the software does what it was supposed to (and a little bit extra!) </li></ul></ul>
    4. 4. The Functional Bug
    5. 5. The Security Vulnerability
    6. 6. What Have We Learned? <ul><li>That security bugs: </li></ul><ul><ul><li>Are much harder to spot…they often have no visible (to the human eye) behavior…we need better tools </li></ul></ul><ul><ul><li>Require us to think about side effects and what sensitive data might be exposed </li></ul></ul><ul><ul><li>Require us to “think backwards”…that is, instead of thinking what should happen, we need to think about what shouldn’t happen </li></ul></ul>
    7. 7. Two Models to Guide Our Thinking <ul><li>A model of software behavior </li></ul><ul><ul><li>Functional testing is simply not designed to find security flaws </li></ul></ul><ul><li>A model of the environment in which software executes </li></ul><ul><ul><li>Many security flaws are caused by environment interaction </li></ul></ul><ul><ul><li>Many security flaws are discovered by analyzing an application’s environment </li></ul></ul>
    8. 8. The Behavior Model (the “eclipse” diagram) Intended Behavior Actual Behavior Traditional Bugs Most Security Bugs
    9. 9. The Environment Model (the “life preserver” diagram) Application Under Test kernel UI file system Soft- ware o p e r a t i n g s y s t e m
    10. 10. Are Hackers Really Motivated to Attack You? <ul><li>Thousands of underground hacking tools </li></ul><ul><li>Thousands of hacker sites </li></ul><ul><li>The cold hard truth: Hackers have the advantage </li></ul><ul><ul><li>They have to find only one bug…we have to close them all </li></ul></ul><ul><ul><li>They have a lot more time on their hands </li></ul></ul><ul><li>Enter their world… </li></ul>
    11. 11. The HtBSS Project <ul><li>Goal: develop prescriptive techniques for finding security vulnerabilities in software </li></ul><ul><ul><li>Not a “hacker how-to,” we are interested in the bug not the exploit </li></ul></ul><ul><li>Process: study bugs that shipped </li></ul><ul><ul><li>What fault caused it? </li></ul></ul><ul><ul><li>What failure symptoms do we look for? </li></ul></ul><ul><ul><li>What testing technique would have found it? </li></ul></ul><ul><li>Outcome: four classes of vulnerabilities/techniques </li></ul><ul><ul><li>External dependencies – banana peels in the environment </li></ul></ul><ul><ul><li>Unanticipated user input – magic bullets </li></ul></ul><ul><ul><li>Vulnerable design – bad design habits that bite </li></ul></ul><ul><ul><li>Vulnerable implementation – just plain bugs </li></ul></ul>
    12. 12. External Dependencies <ul><li>Software does not exist in isolation </li></ul><ul><ul><li>Think about the “life preserver” diagram </li></ul></ul><ul><ul><li>Software uses OS resources, runtime libraries, set up files, data files, … </li></ul></ul><ul><ul><li>Programming an application to handle all these things gracefully is very complicated </li></ul></ul><ul><ul><ul><li>Ex: when do you check for a LoadLibrary failure? </li></ul></ul></ul><ul><ul><ul><ul><li>These are rare events, check too often you slow down the app </li></ul></ul></ul></ul><ul><ul><ul><ul><li>These are crucial events, check often so you don’t get bitten </li></ul></ul></ul></ul><ul><li>The result: software often fails insecurely because of its dependency on its environment </li></ul>
    13. 13. Unanticipated User Input <ul><li>Some inputs are problematic and developers tend to ignore them: </li></ul><ul><ul><li>Operating system reserved words </li></ul></ul><ul><ul><li>Programming language format strings </li></ul></ul><ul><ul><li>Character set boundary values (e.g., extended ascii) </li></ul></ul><ul><ul><li>Scripts, code and commands embedded in input fields </li></ul></ul><ul><li>It is important to maintain lists of these and make sure they get applied during testing </li></ul>
    14. 14. Vulnerable Design <ul><li>Some good design practices are actually bad for security </li></ul><ul><ul><li>Performance and security are at odds </li></ul></ul><ul><ul><li>Usability and security are at odds </li></ul></ul><ul><ul><li>Cohesion, coupling and many other design practices can often aid an attacker </li></ul></ul><ul><li>We need to understand how some security vulnerabilities have their roots in design practices </li></ul>
    15. 15. Vulnerable Implementation <ul><li>As an industry, we’ve been writing bugs since the dawn of computing and we don’t seem to be slowing down </li></ul><ul><li>What common bugs have security implications? </li></ul><ul><ul><li>What do these bugs look like? </li></ul></ul><ul><ul><li>How do we find them? </li></ul></ul>
    16. 16. External Dependency Attacks
    17. 17. Dependency Attack Vectors <ul><li>Block access to libraries </li></ul><ul><li>Manipulate registry values </li></ul><ul><li>Force the application to use corrupt files (write protected, inaccessible, data errors...) and file names </li></ul><ul><li>Replace files that the application reads from, writes to, creates and executes </li></ul><ul><li>Force the application to operate in stressed memory/disk space/network availability conditions </li></ul>
    18. 18. The IE content advisor
    19. 19. We get stopped by the parental controls…
    20. 20. … So we block access to the msrating.dll library
    21. 21. Now we can view that site!
    22. 22. Holodeck monitors Update Expert for registry interactions
    23. 23. U.E. Shows a patch applied to the local machine
    24. 24. U.E. reads patch info from the registry...
    25. 25. We target an unapplied patch…
    26. 26. We create a folder with the key “installed”…
    27. 27. U.E. Reads the bogus directory and shows the patch as installed…
    28. 28. User Input Attack Vectors <ul><li>Overflow input buffers </li></ul><ul><li>Examine all command line switches and input options </li></ul><ul><li>Explore escape characters, character sets and commands </li></ul>
    29. 29. Buffer Overflow Details
    30. 30. Modify file with new data
    31. 31. Executable data <ul><li>6A 00 Push x00 </li></ul><ul><li>Parameter describing type of message box. </li></ul><ul><li>68 B0 FB 11 00 Push x0011FBB0 </li></ul><ul><li>Pointer to the message box caption text. </li></ul><ul><li>68 D5 FB 11 00 Push x0011FBD5 </li></ul><ul><li>Pointer to message box body text. </li></ul><ul><li>6A 00 Push x00 </li></ul><ul><li>Handle to a window. </li></ul><ul><li>FF 15 88 20 40 00 Call User32.MessageBoxA </li></ul><ul><li>Calling the windows message box function. In this case we are </li></ul><ul><li>calling indirectly through a pointer. </li></ul><ul><li>Now we have an exploit! </li></ul>
    32. 32. Open the file and you are owned!
    33. 33. Design Attack Vectors <ul><ul><li>Try common default and test account names and passwords </li></ul></ul><ul><ul><li>Expose unprotected test APIs </li></ul></ul><ul><ul><li>Connect to all ports </li></ul></ul><ul><ul><li>Fake the source of data </li></ul></ul><ul><ul><li>Create loop conditions in any application that interprets script, code etc </li></ul></ul><ul><ul><li>Use alternate routes to accomplish the same task </li></ul></ul><ul><ul><li>Force the system to reset values </li></ul></ul>
    34. 34. Common Accounts Windows; Unix “” ; web web Windows; Unix user user Common to many applications “” ; test; Test test Unix sysadmin sysadmin Unix sys; system; bin sys Unix setup setup Windows SQL server; others “” sa Unix “” ; root Root Windows “” ; Guest; guest Guest Many “” ; demo; demos Demo Windows; Unix and many other platforms and applications “” ; Admin; admin; administrator; Administrator; root Admin Windows; Unix and many other platforms and applications “” ; Admin; admin; administrator; Administrator; root Administrator Systems Affected Passwords Username
    35. 35. Implementation Attack Vectors <ul><li>Get between time of check and time of use </li></ul><ul><li>Create files with the same name as files protected with a higher classification </li></ul><ul><li>Force all error messages </li></ul><ul><li>Look for temporary files and screen their contents for sensitive information </li></ul>
    36. 36. Logging in with a bogus account…
    37. 37. … produces this error message
    38. 38. A legit account…
    39. 39. … produces this error message
    40. 40. Summary and Take-Aways
    41. 41. Always Remember… <ul><li>Security testing is different and requires us to think differently </li></ul><ul><li>There are testing techniques specifically aimed at security testing and these can and should be part of your software practice </li></ul>
    42. 42. Take Away (1) <ul><li>Understand your app’s behavior…think about what should NOT happen! </li></ul>Intended Behavior Actual Behavior Traditional Bugs Most Security Bugs
    43. 43. Take Away (2) <ul><li>Understand your app’s environment…think about where the action is! </li></ul>kernel UI file system SW o p e r a t i n g s y s t e m Application Under Test common language runtime
    44. 44. Take Away (3) <ul><li>Ask yourself: what is the nightmare scenario for this app (or this customer)! </li></ul><ul><li>Then…test every entry point for that scenario being realized </li></ul><ul><ul><li>Its UI </li></ul></ul><ul><ul><li>Exposed remote functionality </li></ul></ul><ul><ul><li>Its communication paths </li></ul></ul><ul><ul><li>The files it reads </li></ul></ul>
    45. 45. Take Away (4) <ul><li>Use the attacks, master the tools </li></ul><ul><ul><li>Attacks: </li></ul></ul><ul><ul><ul><li>Exploit external dependencies </li></ul></ul></ul><ul><ul><ul><li>Find unanticipated user input </li></ul></ul></ul><ul><ul><ul><li>Expose insecure design </li></ul></ul></ul><ul><ul><ul><li>Determine insecure implementation practices </li></ul></ul></ul><ul><ul><li>Tools </li></ul></ul><ul><ul><ul><li>The software Holodeck </li></ul></ul></ul><ul><ul><ul><li>Hex editors, debuggers, port scanners, … </li></ul></ul></ul><ul><li>Never cease your vigilance! </li></ul>
    46. 46. THE END Questions?