20100309 03 - Vulnerability analysis (McCabe)

What is Vulnerability Analysis?
Vulnerability analysis involves discovering a subset of the input space with which a malicious user can exploit logic errors in an application to drive it into an insecure state.
http://doi.ieeecomputersociety.org
copyright c March 9 2010 McCabe
Technology
Potential vs. Exploitable Vulnerabilities
Potential vulnerabilities - locations within a program that contain known weaknesses
- Example: the usage of APIs known to be susceptible to buffer overflows
- Potential vulnerabilities may or may not be exploitable.
Exploitable vulnerabilities - exist when a potentially vulnerable program location...
- Is dependent on or able to be influenced by user supplied input
- Is reachable on the program control flow graph at runtime
Paths Connecting Attack Surface & Target
[Figure: attack surface entry libraries (RECV()) linked by subtrees/paths to attack surface target libraries (STRCPY())]
Advanced Exclude: Select Load Option
Use the Advanced Exclude Menu to load a Class file that includes all the banned functions from Microsoft & OWASP. This file is user editable; additional modules and/or library functions can be added.
Preloaded User Definable Classes for Security
• List of Banned APIs from the Microsoft Secure Software Development Lifecycle & from OWASP
• Attack Surface APIs and Libraries (entry points)
• Vulnerable APIs and Libraries (exploitable targets)
• Individual Attack Surface Entry Point
• Individual Attack Surface Target Point
Class Editor: User Definable Class Libraries
Preloaded with Microsoft & OWASP's Banned Functions. The user has the ability to add or delete Attack Surface & Target parameters.
Advanced Exclude: Narrow Scope
Use the Advanced Exclude Option to understand entry points into the system, narrow the scope of analysis, and view the attack space in the context of the rest of the system.
Attack Modeling
Libraries: Major challenge for developers who need to produce secure applications
Even if you can make any code you write secure, you're still at the mercy of all those libraries. The C language is notorious for creating software with buffer overflows because of library calls. Standard C functions that do no range checking of character string inputs are vulnerable to function algorithm attacks. These functions include scanf(), gets(), getwd(), [vg]scanf, realpath, [v]sprintf(), sprintf(), vsprintf(), strcpy(), and strcat().
gets() is an excellent example. This function performs the common task of reading user input, but it keeps accepting input until it sees a newline or the end of the file. That means that gets() can always be used to overflow any size buffer, no matter how large. If you use fgets() instead, you can set a parameter to limit the number of characters it will accept, thus preventing buffer overflows.
strcpy() is similar in that it copies a string from a source to a buffer (again, it doesn't limit the size of the string). There are safe ways to use strcpy(), such as adding a check; however, it's often simpler to use strncpy(dst, src, dst_size - 1), which lets you specify a maximum number of characters. This is a particularly good alternative for many uses because it doesn't throw an error when the input is too big; it simply stops copying at the limit. If you need to generate an error when a specified string length is exceeded, you can use strcpy() along with a check, such as:
if (strlen(src) >= dst_size) ...
strcat() concatenates a string onto the end of a buffer. strncat() is a safer alternative, but it does require that you monitor the room left in the buffer.
What is the Attack Surface?
A software system's attack surface is the subset of resources that an attacker can use to attack the system.
The classic attack surface definition assumes all entry points into the software system; this can include certain Windows registry keys, open handles to windowed objects, or command-line parameters.
It is important to differentiate the classic definition of attack surface from the useable attack surface. ...
Attack Map Modeling using McCabe IQ Battlemap
Use the tools to extract the subgraph of the overall CFG that includes all nodes on a path between the input acceptance node and the target nodes (potential vulnerability nodes containing things like strcpy calls).
Standard C functions that do no range checking of character string inputs are vulnerable to function algorithm attacks. These functions include scanf(), gets(), sprintf(), vsprintf(), strcpy(), and strcat().
Other possibly vulnerable procedures include: printf, fprintf, snprintf, vsnprintf.
This list names some of the worst offenders. Also, even though there are safer alternatives for most of these functions, those alternatives aren't absolutely safe. You can still get into trouble using them, often with unterminated strings or by specifying the wrong buffer size.
What is Useable Attack Surface?
It is the portion of the attack surface that an attacker could use to crash the software, access sensitive information or gain access to the host machine remotely. It is these particular areas of code that we are interested in exercising, as they pose the highest degree of risk. It is also independent of configuration and specification, as we are testing the code connected to a particular input source.
[Figure: parsing & validation logic on the path between recv and strcpy]
Attack Surface Analysis & Reduction
Microsoft Secure Software Development Series, Best Practices - The Security Development Lifecycle. SDL: A Process for Developing Demonstrably More Secure Software, by Michael Howard and Steve Lipner.
http://www.microsoft.com/security/sdl/about/process.aspx
Viewing Attack space in relation to rest of code
Exploitability Implies Reachability
In order to determine if the vulnerability is an exploitable threat, one must prove that it is reachable on the execution path given some user supplied input. The exploitability is dependent upon the control flow logic on the paths between the external input and targeted exploitable routines. The diagram below illustrates this idea, in this case showing control flow inclusive of packet acceptance and the basic block where a vulnerable API function is used.
To narrow the scope of exploitable code, we consider its attack trees. …
[Figure: parsing & validation logic on the path between recv and strcpy]
What is An Attack Tree?
An Attack Tree is a set of paths connecting a specific attack surface and a specific attack target.
Attack Trees are also known as "And/Or Trees". The history of the Attack Tree can be traced back to the Fault Tree developed by Bell Labs and the U.S. Air Force in the 1960s. The software-related application of the Fault Tree is also known as a Threat Tree, which is an excellent tool for modeling a particular attack scenario.
McCabe IQ uses the McCabe Design Complexity Metrics, visual subtree graphs, subtree test conditions and code coverage as Attack Trees. McCabe Design Complexity metrics are typically calculated rooted at the input node of the attack surface.
Applying McCabe Design Complexity to Attack Trees
Definition: the module design complexity of a module is a measure of the decision structure which controls the invocation of the module's immediate subordinate modules. It is a quantification of the testing effort of a module as it calls its subordinates.
The module design complexity is calculated as the cyclomatic complexity of the reduced graph. Reduction is completed by removing decisions and nodes that do not impact the calling control of the module over its subordinates.
McCabe Design complexity metrics should be calculated by rooting at the input acceptance node. The McCabe Design complexity metrics and subtrees can be used to understand and test Attack Trees within the source code.
How do you assess complexity & test effort for component design?
By measuring the integration paths in its modules: integration complexity S1, where S0 is the sum of the module design complexities iv(G) over the n modules.
S1 = S0 - n + 1 = 12 - 7 + 1 = 6
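An added example, not McCabe IQ code, showing on a constructed call graph what the Battlemap extraction slide, the "Exploitability Implies Reachability" slide and the design-complexity slides describe: enumerate the call paths from the module holding the recv() entry point to the module holding the strcpy() target, keep only the modules that lie on at least one such path (the attack tree), and evaluate S1 = S0 - n + 1 over that subset, rooted at the entry rather than at main. The module names, call edges and per-module iv(G) values are constructed assumptions.

```c
#include <stdio.h>
#include <stdbool.h>

/* Added example: a constructed call graph, not McCabe IQ output. Module
   names, call edges and iv(G) values are made up for illustration. */
#define NMOD 8
enum { MAIN, RECV_LOOP, PARSE, VALIDATE, LOGIN, ECHO, COPY_NAME, AUDIT };

static const char *MODULES[NMOD] = {
    "main", "recv_loop", "parse_packet", "validate_len",
    "handle_login", "handle_echo", "copy_name", "audit_log"
};

/* CALLS[i][j] == 1 when module i calls module j. recv_loop is the module
   holding the recv() entry point, copy_name the one holding strcpy(). */
static const int CALLS[NMOD][NMOD] = {
    /* main         */ {0, 1, 0, 0, 0, 0, 0, 1},
    /* recv_loop    */ {0, 0, 1, 0, 0, 1, 0, 1},
    /* parse_packet */ {0, 0, 0, 1, 1, 1, 0, 0},
    /* validate_len */ {0, 0, 0, 0, 0, 0, 0, 1},
    /* handle_login */ {0, 0, 0, 0, 0, 0, 1, 1},
    /* handle_echo  */ {0, 0, 0, 0, 0, 0, 1, 0},
    /* copy_name    */ {0, 0, 0, 0, 0, 0, 0, 0},
    /* audit_log    */ {0, 0, 0, 0, 0, 0, 0, 0},
};

/* Constructed module design complexity iv(G) for each module. */
static const int IV[NMOD] = {2, 3, 4, 1, 2, 1, 1, 1};

/* Depth-first enumeration of simple call paths from node to target; every
   complete path is one subtree/path of the attack tree. Returns the count. */
static int dfs_paths(int node, int target, bool visited[], int path[],
                     int depth, bool print)
{
    path[depth] = node;
    if (node == target) {
        if (print)
            for (int i = 0; i <= depth; i++)
                printf("%s%s", MODULES[path[i]], i < depth ? " -> " : "\n");
        return 1;
    }
    visited[node] = true;
    int found = 0;
    for (int next = 0; next < NMOD; next++)
        if (CALLS[node][next] && !visited[next])
            found += dfs_paths(next, target, visited, path, depth + 1, print);
    visited[node] = false;            /* node may appear on other paths */
    return found;
}

int count_attack_paths(int entry, int target, bool print)
{
    bool visited[NMOD] = {false};
    int path[NMOD];
    return dfs_paths(entry, target, visited, path, 0, print);
}

/* Mark modules reachable from start following calls forward, or (backward)
   modules from which start is reachable, by walking call edges in reverse. */
static void mark_reach(int start, bool forward, bool seen[])
{
    int stack[NMOD], sp = 0;          /* each module is pushed at most once */
    seen[start] = true;
    stack[sp++] = start;
    while (sp > 0) {
        int u = stack[--sp];
        for (int v = 0; v < NMOD; v++) {
            int edge = forward ? CALLS[u][v] : CALLS[v][u];
            if (edge && !seen[v]) {
                seen[v] = true;
                stack[sp++] = v;
            }
        }
    }
}

/* The attack tree as a module set: reachable from the entry AND able to
   reach the target. Everything else lies outside the useable attack surface. */
int attack_tree_modules(int entry, int target, bool on_tree[])
{
    bool fwd[NMOD] = {false}, bwd[NMOD] = {false};
    mark_reach(entry, true, fwd);
    mark_reach(target, false, bwd);
    int n = 0;
    for (int i = 0; i < NMOD; i++) {
        on_tree[i] = fwd[i] && bwd[i];
        if (on_tree[i])
            n++;
    }
    return n;
}

/* Integration complexity S1 = S0 - n + 1 restricted to the modules on the
   tree, i.e. the metric rooted at the attack surface entry, not at main. */
int integration_complexity(const bool on_tree[])
{
    int s0 = 0, n = 0;
    for (int i = 0; i < NMOD; i++)
        if (on_tree[i]) {
            s0 += IV[i];
            n++;
        }
    return s0 - n + 1;
}

int main(void)
{
    bool on_tree[NMOD];
    printf("paths from recv_loop to copy_name: %d\n",
           count_attack_paths(RECV_LOOP, COPY_NAME, true));
    int n = attack_tree_modules(RECV_LOOP, COPY_NAME, on_tree);
    printf("%d of %d modules on the attack tree, S1 rooted at recv_loop = %d\n",
           n, NMOD, integration_complexity(on_tree));
    return 0;
}
```

On this graph three paths connect the entry to the target and five of the eight modules lie on them; main, validate_len and audit_log drop out of scope, which is the narrowing the Advanced Exclude slides describe. The S1 value over the five on-tree modules is the integration test effort for the attack tree alone, distinct from the whole-program figure.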
McCabe System Design Complexity Attack Tree
1 of 19

Recommended

VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis... by
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...Stefano Dalla Palma
287 views45 slides
A Platform for Application Risk Intelligence by
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceCheckmarx
9.5K views6 slides
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media... by
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Amine Barrak
25 views49 slides
Detection of vulnerabilities in programs with the help of code analyzers by
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersPVS-Studio
420 views6 slides
Dupressoir by
DupressoirDupressoir
Dupressoiranesah
238 views4 slides
Automated server-side model for recognition of security vulnerabilities in sc... by
Automated server-side model for recognition of security vulnerabilities in sc...Automated server-side model for recognition of security vulnerabilities in sc...
Automated server-side model for recognition of security vulnerabilities in sc...IJECEIAES
14 views10 slides

More Related Content

What's hot

29-Krishan Kumar by
29-Krishan Kumar29-Krishan Kumar
29-Krishan Kumarkrishan8018
156 views7 slides
Model Comparison for Delta-Compression by
Model Comparison for Delta-CompressionModel Comparison for Delta-Compression
Model Comparison for Delta-CompressionMarkus Scheidgen
469 views82 slides
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR... by
SOURCE CODE ANALYSIS TO REMOVE SECURITY  VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY  VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...IJNSA Journal
667 views16 slides
Generation of Random EMF Models for Benchmarks by
Generation of Random EMF Models for BenchmarksGeneration of Random EMF Models for Benchmarks
Generation of Random EMF Models for BenchmarksMarkus Scheidgen
868 views27 slides
4.Security Assessment And Testing by
4.Security Assessment And Testing4.Security Assessment And Testing
4.Security Assessment And Testingphanleson
493 views58 slides
Model-based Analysis of Large Scale Software Repositories by
Model-based Analysis of Large Scale Software RepositoriesModel-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software RepositoriesMarkus Scheidgen
1.1K views30 slides

What's hot(17)

29-Krishan Kumar by krishan8018
29-Krishan Kumar29-Krishan Kumar
29-Krishan Kumar
krishan8018156 views
Model Comparison for Delta-Compression by Markus Scheidgen
Model Comparison for Delta-CompressionModel Comparison for Delta-Compression
Model Comparison for Delta-Compression
Markus Scheidgen469 views
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR... by IJNSA Journal
SOURCE CODE ANALYSIS TO REMOVE SECURITY  VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY  VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
IJNSA Journal667 views
Generation of Random EMF Models for Benchmarks by Markus Scheidgen
Generation of Random EMF Models for BenchmarksGeneration of Random EMF Models for Benchmarks
Generation of Random EMF Models for Benchmarks
Markus Scheidgen868 views
4.Security Assessment And Testing by phanleson
4.Security Assessment And Testing4.Security Assessment And Testing
4.Security Assessment And Testing
phanleson493 views
Model-based Analysis of Large Scale Software Repositories by Markus Scheidgen
Model-based Analysis of Large Scale Software RepositoriesModel-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software Repositories
Markus Scheidgen1.1K views
Standardizing Source Code Security Audits by ijseajournal
Standardizing Source Code Security AuditsStandardizing Source Code Security Audits
Standardizing Source Code Security Audits
ijseajournal31 views
Reference Representation in Large Metamodel-based Datasets by Markus Scheidgen
Reference Representation in Large Metamodel-based DatasetsReference Representation in Large Metamodel-based Datasets
Reference Representation in Large Metamodel-based Datasets
Markus Scheidgen1.3K views
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC by FPGA Central
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVCUpgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC
FPGA Central4.5K views
TriggerScope: Towards Detecting Logic Bombs in Android Applications by Pietro De Nicolao
TriggerScope: Towards Detecting Logic Bombs in Android ApplicationsTriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android Applications
Pietro De Nicolao478 views
HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass... by AdaCore
HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...
HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...
AdaCore2.4K views
A Closer Look at Real-World Patches by Dongsun Kim
A Closer Look at Real-World PatchesA Closer Look at Real-World Patches
A Closer Look at Real-World Patches
Dongsun Kim425 views
System verilog important by elumalai7
System verilog importantSystem verilog important
System verilog important
elumalai75.5K views
Jpl coding standard for the c programming language by Kwanghee Choi
Jpl coding standard for the c programming languageJpl coding standard for the c programming language
Jpl coding standard for the c programming language
Kwanghee Choi48 views
Automatic reverse engineering of malware emulators by UltraUploader
Automatic reverse engineering of malware emulatorsAutomatic reverse engineering of malware emulators
Automatic reverse engineering of malware emulators
UltraUploader159 views
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study by DevOps.com
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
DevOps.com188 views

Similar to 20100309 03 - Vulnerability analysis (McCabe)

Buffer overflow attacks by
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksKapil Nagrale
3.6K views18 slides
Application Security Guide for Beginners by
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners Checkmarx
6.4K views29 slides
Secure coding-guidelines by
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
175 views18 slides
Software security by
Software securitySoftware security
Software securityRoman Oliynykov
4K views48 slides
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA... by
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...IJNSA Journal
8 views16 slides
Advanced System Security and Digital Forensics by
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsDr. Ramchandra Mangrulkar
339 views55 slides

Similar to 20100309 03 - Vulnerability analysis (McCabe)(20)

Buffer overflow attacks by Kapil Nagrale
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Kapil Nagrale3.6K views
Application Security Guide for Beginners by Checkmarx
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
Checkmarx6.4K views
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA... by IJNSA Journal
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
IJNSA Journal8 views
SmartphoneHacking_Android_Exploitation by Malachi Jones
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
Malachi Jones316 views
Aspect Oriented Programming Through C#.NET by Waqas Tariq
Aspect Oriented Programming Through C#.NETAspect Oriented Programming Through C#.NET
Aspect Oriented Programming Through C#.NET
Waqas Tariq550 views
Exploits Attack on Windows Vulnerabilities by Amit Kumbhar
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
Amit Kumbhar594 views
Binary code obfuscation through c++ template meta programming by nong_dan
Binary code obfuscation through c++ template meta programmingBinary code obfuscation through c++ template meta programming
Binary code obfuscation through c++ template meta programming
nong_dan998 views
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf by Gabriel Mathenge
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
Gabriel Mathenge206 views
10. sig free a signature free buffer overflow attack blocker by akila_mano
10.  sig free a signature free buffer overflow attack blocker10.  sig free a signature free buffer overflow attack blocker
10. sig free a signature free buffer overflow attack blocker
akila_mano1.5K views
What by anity
WhatWhat
What
anity408 views
ASIP (Application-specific instruction-set processor) by Hamid Reza
ASIP (Application-specific instruction-set processor)ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)
Hamid Reza1K views
Dotnetintroduce 100324201546-phpapp02 by Wei Sun
Dotnetintroduce 100324201546-phpapp02Dotnetintroduce 100324201546-phpapp02
Dotnetintroduce 100324201546-phpapp02
Wei Sun876 views

More from LeClubQualiteLogicielle

20171122 03 - Les tests de performance en environnement DevOps by
20171122 03 - Les tests de performance en environnement DevOps20171122 03 - Les tests de performance en environnement DevOps
20171122 03 - Les tests de performance en environnement DevOpsLeClubQualiteLogicielle
2.3K views30 slides
20171122 04 - Automatisation - formation et certifications by
20171122 04 - Automatisation - formation et certifications20171122 04 - Automatisation - formation et certifications
20171122 04 - Automatisation - formation et certificationsLeClubQualiteLogicielle
764 views37 slides
20171122 01 - REX : Intégration et déploiement continu chez Engie by
20171122 01 - REX : Intégration et déploiement continu chez Engie20171122 01 - REX : Intégration et déploiement continu chez Engie
20171122 01 - REX : Intégration et déploiement continu chez EngieLeClubQualiteLogicielle
1.1K views30 slides
20171122 02 - Engage developers to use better coding practices by
20171122 02 - Engage developers to use better coding practices20171122 02 - Engage developers to use better coding practices
20171122 02 - Engage developers to use better coding practicesLeClubQualiteLogicielle
269 views21 slides
20171122 - Accueil Club Qualité Logicielle by
20171122 - Accueil Club Qualité Logicielle 20171122 - Accueil Club Qualité Logicielle
20171122 - Accueil Club Qualité Logicielle LeClubQualiteLogicielle
415 views12 slides
20151013 - Crédit Mutuel ARKEA : mise en place d'une traçabilité outillée des... by
20151013 - Crédit Mutuel ARKEA : mise en place d'une traçabilité outillée des...20151013 - Crédit Mutuel ARKEA : mise en place d'une traçabilité outillée des...
20151013 - Crédit Mutuel ARKEA : mise en place d'une traçabilité outillée des...LeClubQualiteLogicielle
460 views23 slides

More from LeClubQualiteLogicielle(20)

20171122 03 - Les tests de performance en environnement DevOps by LeClubQualiteLogicielle
20171122 03 - Les tests de performance en environnement DevOps20171122 03 - Les tests de performance en environnement DevOps
20171122 03 - Les tests de performance en environnement DevOps
20171122 01 - REX : Intégration et déploiement continu chez Engie by LeClubQualiteLogicielle
20171122 01 - REX : Intégration et déploiement continu chez Engie20171122 01 - REX : Intégration et déploiement continu chez Engie
20171122 01 - REX : Intégration et déploiement continu chez Engie
20151013 - Crédit Mutuel ARKEA : mise en place d'une traçabilité outillée des... by LeClubQualiteLogicielle
20151013 - Crédit Mutuel ARKEA : mise en place d'une traçabilité outillée des...20151013 - Crédit Mutuel ARKEA : mise en place d'une traçabilité outillée des...
20151013 - Crédit Mutuel ARKEA : mise en place d'une traçabilité outillée des...
20140410 - Cartographie applicative multi-technologies et analyse d'impact by LeClubQualiteLogicielle
20140410 - Cartographie applicative multi-technologies et analyse d'impact20140410 - Cartographie applicative multi-technologies et analyse d'impact
20140410 - Cartographie applicative multi-technologies et analyse d'impact
20140410 - Implémentation de squash TM-TA - Architecture et méthodologie by LeClubQualiteLogicielle
20140410 - Implémentation de squash TM-TA - Architecture et méthodologie20140410 - Implémentation de squash TM-TA - Architecture et méthodologie
20140410 - Implémentation de squash TM-TA - Architecture et méthodologie
20140410 - Gestion des identités, traçabilité des accés - Analogie avec la qu... by LeClubQualiteLogicielle
20140410 - Gestion des identités, traçabilité des accés - Analogie avec la qu...20140410 - Gestion des identités, traçabilité des accés - Analogie avec la qu...
20140410 - Gestion des identités, traçabilité des accés - Analogie avec la qu...
20130113 02 - TMMI, un modèle pour rentabiliser une organisation de test et a... by LeClubQualiteLogicielle
20130113 02 - TMMI, un modèle pour rentabiliser une organisation de test et a...20130113 02 - TMMI, un modèle pour rentabiliser une organisation de test et a...
20130113 02 - TMMI, un modèle pour rentabiliser une organisation de test et a...
20130113 06 - Travaux de recherche sur la corrélation entre qualité du code e... by LeClubQualiteLogicielle
20130113 06 - Travaux de recherche sur la corrélation entre qualité du code e...20130113 06 - Travaux de recherche sur la corrélation entre qualité du code e...
20130113 06 - Travaux de recherche sur la corrélation entre qualité du code e...
20130113 04 - Tests d'integration et virtualisation - La vision IBM by LeClubQualiteLogicielle
20130113 04 - Tests d'integration et virtualisation - La vision IBM20130113 04 - Tests d'integration et virtualisation - La vision IBM
20130113 04 - Tests d'integration et virtualisation - La vision IBM
20130523 06 - The mathematics the way algorithms think / the mathematics the ... by LeClubQualiteLogicielle
20130523 06 - The mathematics the way algorithms think / the mathematics the ...20130523 06 - The mathematics the way algorithms think / the mathematics the ...
20130523 06 - The mathematics the way algorithms think / the mathematics the ...

Recently uploaded

DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko... by
DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...
DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...Deltares
11 views23 slides
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker by
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - ParkerDSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - ParkerDeltares
9 views16 slides
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM... by
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...Deltares
7 views40 slides
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit... by
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...Deltares
13 views34 slides
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ... by
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...Donato Onofri
711 views34 slides
MariaDB stored procedures and why they should be improved by
MariaDB stored procedures and why they should be improvedMariaDB stored procedures and why they should be improved
MariaDB stored procedures and why they should be improvedFederico Razzoli
8 views32 slides

Recently uploaded(20)

DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko... by Deltares
DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...
DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...
Deltares11 views
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker by Deltares
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - ParkerDSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker
Deltares9 views
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM... by Deltares
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...
Deltares7 views
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit... by Deltares
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...
Deltares13 views
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ... by Donato Onofri
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Donato Onofri711 views
MariaDB stored procedures and why they should be improved by Federico Razzoli
MariaDB stored procedures and why they should be improvedMariaDB stored procedures and why they should be improved
MariaDB stored procedures and why they should be improved
DSD-INT 2023 - Delft3D User Days - Welcome - Day 3 - Afternoon by Deltares
DSD-INT 2023 - Delft3D User Days - Welcome - Day 3 - AfternoonDSD-INT 2023 - Delft3D User Days - Welcome - Day 3 - Afternoon
DSD-INT 2023 - Delft3D User Days - Welcome - Day 3 - Afternoon
Deltares13 views
Cycleops - Automate deployments on top of bare metal.pptx by Thanassis Parathyras
Cycleops - Automate deployments on top of bare metal.pptxCycleops - Automate deployments on top of bare metal.pptx
Cycleops - Automate deployments on top of bare metal.pptx
Elevate your SAP landscape's efficiency and performance with HCL Workload Aut... by HCLSoftware
Elevate your SAP landscape's efficiency and performance with HCL Workload Aut...Elevate your SAP landscape's efficiency and performance with HCL Workload Aut...
Elevate your SAP landscape's efficiency and performance with HCL Workload Aut...
HCLSoftware6 views
Fleet Management Software in India by Fleetable
Fleet Management Software in India Fleet Management Software in India
Fleet Management Software in India
Fleetable11 views
DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan... by Deltares
DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...
DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...
Deltares11 views
Copilot Prompting Toolkit_All Resources.pdf by Riccardo Zamana
Copilot Prompting Toolkit_All Resources.pdfCopilot Prompting Toolkit_All Resources.pdf
Copilot Prompting Toolkit_All Resources.pdf
Riccardo Zamana6 views
Dev-Cloud Conference 2023 - Continuous Deployment Showdown: Traditionelles CI... by Marc Müller
Dev-Cloud Conference 2023 - Continuous Deployment Showdown: Traditionelles CI...Dev-Cloud Conference 2023 - Continuous Deployment Showdown: Traditionelles CI...
Dev-Cloud Conference 2023 - Continuous Deployment Showdown: Traditionelles CI...
Marc Müller36 views
Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea... by Safe Software
Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...
Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...
Safe Software412 views
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx by animuscrm
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
animuscrm13 views
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ... by Deltares
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...
Deltares9 views

20100309 03 - Vulnerability analysis (McCabe)

  • 1. What is Vulnerability Analysis?
    Vulnerability analysis involves discovering a subset of the input space with which a malicious user can exploit logic errors in an application to drive it into an insecure state. (Source: http://doi.ieeecomputersociety.org)
    copyright c March 9 2010 McCabe Technology
  • 2. Potential vs. Exploitable Vulnerabilities
    Potential vulnerabilities – locations within a program that contain known weaknesses
    - Example: the usage of APIs known to be susceptible to buffer overflows
    - Potential vulnerabilities may or may not be exploitable.
    Exploitable vulnerabilities – exist when a potentially vulnerable program location...
    - is dependent on or able to be influenced by user-supplied input
    - is reachable on the program control flow graph at runtime
  • 3. Paths Connecting Attack Surface & Target
    Diagram labels: Attack Surface Entry Libraries (RECV()); Attack Surface Target Libraries (STRCPY()); Subtrees/Paths between them.
  • 4. Advanced Exclude: Select Load Option
    Use the Advanced Exclude Menu to load a Class file that includes all the banned functions from Microsoft & OWASP. This file is user editable; additional modules and/or library functions can be added.
  • 5. Preloaded User Definable Classes for Security
    - List of Banned APIs from the Microsoft Secure Software Development Lifecycle & from OWASP
    - Attack Surface APIs and Libraries (entry points)
    - Vulnerable APIs and Libraries (exploitable targets)
    - Individual Attack Surface Entry Point
    - Individual Attack Surface Target Point
  • 6. Class Editor: User Definable Class Libraries
    Preloaded with Microsoft & OWASP's Banned Functions. The user has the ability to add or delete Attack Surface & Target parameters.
  • 7. Advanced Exclude: Narrow Scope
    Use the Advanced Exclude Option to understand entry points into the system, narrow the scope of analysis, and view the attack space in the context of the rest of the system.
  • 8. Attack Modeling
  • 9. Libraries: Major challenge for developers who need to produce secure applications
    Even if you can make any code you write secure, you're still at the mercy of all those libraries. The C language is notorious for creating software with buffer overflows because of library calls. Standard C functions that do no range checking of character string inputs are vulnerable to function algorithm attacks. These functions include scanf(), gets(), getwd(), [vg]scanf, realpath, [v]sprintf(), sprintf(), vsprintf(), strcpy(), and strcat().
    gets() is an excellent example. This function performs the common task of reading user input, but it keeps accepting the input until it sees a command ending the line or closing the file. That means that gets() can always be used to overflow any size buffer, no matter how large. If you use fgets() instead, you can set a parameter to limit the number of characters it will accept, thus preventing buffer overflows.
    strcpy() is similar in that it copies a string from a source to a buffer (again, it doesn't limit the size of the string). There are safe ways to use strcpy(), such as adding a check; however, it's often simpler to use strncpy(dst, src, dst_size – 1), which lets you specify a maximum number of characters. This is a particularly good alternative for many uses because it doesn't throw an error when the input is too big; it simply terminates. If you need to generate an error when a specified string length is exceeded, you can use strcpy() along with a check, such as: if (strlen(src) >= dst_size) ...
    strcat() concatenates a string onto the end of a buffer. strncat() is a safer alternative, but it does require that you monitor the room left in the buffer.
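Added example, not code from the McCabe deck: the unbounded strcpy()/strcat() pattern this slide warns about beside a bounded version built on the slide's strlen() check, plus a probe for the strncpy() termination caveat. The reply-building function, its prefix and the buffer sizes are constructed for illustration.

```c
#include <string.h>

/* Vulnerable form from the slide: strcpy()/strcat() copy and append with
 * no regard to the capacity of dst, so a long name overruns it.
 * (Defined for comparison only; never called on oversized input here.) */
void build_reply_unsafe(char *dst, const char *name) {
    strcpy(dst, "hello ");
    strcat(dst, name);
}

/* Hardened form using the slide's check, if (strlen(src) >= dst_size):
 * reject when the full result (prefix + name + NUL) would not fit.
 * Returns 0 on success, -1 on rejection, leaving dst empty. */
int build_reply_safe(char *dst, size_t dst_size, const char *name) {
    const char *prefix = "hello ";
    if (dst_size == 0) return -1;
    if (strlen(prefix) + strlen(name) >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    strcpy(dst, prefix);     /* both calls are now provably in bounds */
    strcat(dst, name);
    return 0;
}

/* Truncating alternative: strncpy() bounded to dst_size - 1, with the
 * terminator written explicitly because strncpy() will not add one when
 * src fills the whole count. */
void copy_truncate(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
}

/* Probe for the caveat above: returns 1 if strncpy(buf, src, n) left a NUL
 * within the first n bytes, 0 if the result is unterminated. */
int strncpy_terminates(size_t n, const char *src) {
    char buf[32];
    if (n > sizeof buf) n = sizeof buf;
    memset(buf, 'X', sizeof buf);          /* sentinel: no stray NULs */
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) != NULL;
}
```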
  • 10. What is the Attack Surface?
    A software system's attack surface is the subset of resources that an attacker can use to attack the system. The classic attack surface definition assumes all entry points into the software system; this can include certain Windows registry keys, open handles to windowed objects, or command-line parameters. It is important to differentiate the classic definition of attack surface from the useable attack surface. ...
  • 11. Attack Map Modeling using McCabe IQ Battlemap
    Use the tools to extract the subgraph of the overall CFG that includes all nodes on a path between the input acceptance node and the target nodes (potential vulnerability nodes containing things like strcpy calls).
    Standard C functions that do no range checking of character string inputs are vulnerable to function algorithm attacks. These functions include scanf(), gets(), sprintf(), vsprintf(), strcpy(), and strcat(). Other possible vulnerable procedures include: printf, fprintf, snprintf, vsnprintf. This list names some of the worst offenders. Also, even though there are safer alternatives for most of these functions, those alternatives aren't absolutely safe. You can still get into trouble using them, often with unterminated strings or by specifying the wrong buffer size.
  • 12. What is Useable Attack Surface?
    It is the portion of the attack surface that an attacker could use to crash the software, access sensitive information or gain access to the host machine remotely. It is these particular areas of code that we are interested in exercising as they pose the highest degree of risk. It is also independent of configuration and specification, as we are testing the code connected to a particular input source.
    Diagram caption: Parsing & validation logic on path between recv and strcpy
  • 13. Attack Surface Analysis & Reduction
    Microsoft Secure Software Development Series Best Practices: The Security Development Lifecycle. SDL: A Process for Developing Demonstrably More Secure Software, by Michael Howard and Steve Lipner. http://www.microsoft.com/security/sdl/about/process.aspx
  • 14. Viewing Attack space in relation to rest of code
  • 15. Exploitability Implies Reachability
    In order to determine if the vulnerability is an exploitable threat, one must prove that it is reachable on the execution path given some user-supplied input. The exploitability is dependent upon the control flow logic on the paths between the external input and the targeted exploitable routines. The diagram below illustrates this idea, in this case showing control flow inclusive of packet acceptance and the basic block where a vulnerable API function is used. To narrow the scope of exploitable code, we consider its attack trees. …
    Diagram caption: Parsing & validation logic on path between recv and strcpy
  • 16. What is An Attack Tree?
    An Attack Tree is a set of paths connecting a specific attack surface and a specific attack target. Attack Trees are also known as "And/Or Trees". The history of the Attack Tree can be traced back to the Fault Tree developed by Bell Labs and the U.S. Air Force in the 1960s. The software-related application of the Fault Tree is also known as a Threat Tree, which is an excellent tool for modeling a particular attack scenario. McCabe IQ uses the McCabe Design Complexity Metrics, visual subtree graphs, subtree test conditions and code coverage as Attack Trees. McCabe Design Complexity metrics are typically calculated rooted at the input node of the attack surface.
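The path extraction described on slides 11, 15 and 16 (every CFG node lying on some path from the input-acceptance node to the target node) as an added example; this is not McCabe IQ code. The seven-node graph, its node numbering and the placement of recv() and strcpy() are constructed for illustration.

```c
#include <stdbool.h>
#include <string.h>
#define MAXN 16

/* Tiny CFG as an adjacency matrix; node ids are arbitrary basic blocks. */
typedef struct {
    int n;
    bool edge[MAXN][MAXN];   /* edge[u][v]: control can flow u -> v */
} cfg_t;

/* Iterative DFS. reverse=true follows edges backwards, marking every node
 * that can reach 'start' instead of every node reachable from it. */
static void mark(const cfg_t *g, int start, bool reverse, bool seen[MAXN]) {
    int stack[MAXN], sp = 0;
    seen[start] = true;
    stack[sp++] = start;
    while (sp > 0) {
        int u = stack[--sp];
        for (int v = 0; v < g->n; v++) {
            bool hit = reverse ? g->edge[v][u] : g->edge[u][v];
            if (hit && !seen[v]) { seen[v] = true; stack[sp++] = v; }
        }
    }
}

/* Attack-tree subgraph: a node is on some entry -> target path exactly when
 * it is reachable from entry AND target is reachable from it.
 * Sets on_path[] and returns how many nodes qualify. */
int attack_subgraph(const cfg_t *g, int entry, int target, bool on_path[MAXN]) {
    bool fwd[MAXN] = {false}, bwd[MAXN] = {false};
    mark(g, entry, false, fwd);
    mark(g, target, true, bwd);
    int count = 0;
    for (int i = 0; i < g->n; i++) {
        on_path[i] = fwd[i] && bwd[i];
        count += on_path[i];
    }
    return count;
}

/* Constructed sample: 0 recv() -> 1 parse header -> 2 length check;
 * 2 -> 3 reject (log) -> 6 return;  2 -> 4 accept -> 5 strcpy() -> 6 return.
 * Block 3 is reachable from recv() but can never reach strcpy(). */
cfg_t sample_cfg(void) {
    cfg_t g;
    memset(&g, 0, sizeof g);
    g.n = 7;
    int e[][2] = {{0,1},{1,2},{2,3},{2,4},{4,5},{5,6},{3,6}};
    for (size_t i = 0; i < sizeof e / sizeof e[0]; i++) g.edge[e[i][0]][e[i][1]] = true;
    return g;
}
```

Blocks 3 and 6 are excluded even though recv() reaches them: the reject branch never reaches strcpy(), and the return block comes after it.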
  • 17. Applying McCabe Design Complexity to Attack Trees
    Definition: the module design complexity of a module is a measure of the decision structure which controls the invocation of the module's immediate subordinate modules. It is a quantification of the testing effort of a module as it calls its subordinates. The module design complexity is calculated as the cyclomatic complexity of the reduced graph. Reduction is completed by removing decisions and nodes that do not impact the calling control of the module over its subordinates.
    McCabe Design Complexity metrics should be calculated by rooting at the input acceptance node. The McCabe Design Complexity metrics and subtrees can be used to understand and test Attack Trees within the source code.
  • 18. How do you assess complexity & test effort for component design?
    By measuring the integration paths in its modules. Integration complexity S1:
    S1 = S0 - n + 1 = 12 - 7 + 1 = 6
  • 19. McCabe System Design Complexity Attack Tree