Download It

302 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
302
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Download It

  1. 1. Techniques for Validating the Security Quality of Infrastructure Software John D. McGregor [email_address]
  2. 2. Outline <ul><li>Motivation </li></ul><ul><li>Proposed strategy </li></ul><ul><li>Detailed actions </li></ul><ul><li>Conclusion </li></ul>
  3. 3. Theme – Life Cycle Threats <ul><li>There is not a means for automated testing of large software, both static and mobile code, to detect, identify malicious code, sleeper codes, and exploitable vulnerabilities and to determine and understand the potential impact on the life-cycle of the codes. Current testing approaches are largely manual rather than automated. </li></ul><ul><ul><ul><li>CSIIR Workshop Themes document </li></ul></ul></ul>
  4. 4. A Recommended Strategy <ul><li>Software security vulnerabilities are often caused by defective specification, design, and implementation. </li></ul><ul><li>… require that software be designed with security at the very heart of the design process… </li></ul><ul><li>Establish a security verification and validation program to evaluate different software development processes and practices for effectiveness in producing secure software. </li></ul><ul><li>Certify those processes demonstrated to be effective for producing secure software. </li></ul><ul><li>Security Across the Software Development Lifecycle Task Force </li></ul>
  5. 5. Recommended Practices <ul><li>Statistical testing - Usage based testing permits valid statistical estimation of quality with respect to all the executions not tested and tends to find any remaining high-failure-rate defects early. </li></ul><ul><li>Production testing - Two strategies are testing security functionality with standard functional testing techniques, and risk-based security testing based on attack patterns and threat models. A good security test plan (with traceability back to requirements) uses both strategies. </li></ul><ul><li>Process models - organizations can use the goals and attributes defined in process models as high-level guides for defining and improving their management and engineering processes in the ways they feel are most appropriate for them. </li></ul><ul><li>Security Across the Software Development Lifecycle Task Force </li></ul>
  6. 6. SEI <ul><li>The security of a software-intensive system is directly related to the quality of its software 1 . </li></ul><ul><li>Over 90% of software security incidents are caused by attackers exploiting known software defects. </li></ul><ul><li>Analysis of 45 e-business applications showed that 70% of security defects were design defects. </li></ul><ul><li>Experienced and capable software engineers inject, on average, one defect every nine lines of code. </li></ul><ul><li>A one million line of code systems typically contains 1,000-5,000 defects when shipped. </li></ul><ul><li>1 http://www.sei.cmu.edu/tsp/tsp-security.html </li></ul>
  7. 7. A Final Source <ul><li>“ One of the key things that developers can do to help secure their systems is to write code that can withstand attack and use security features properly.” </li></ul><ul><li>Defend Your Code with Top Ten Security Tips Every Developer Must Know </li></ul><ul><ul><li>8 out of 10 tips are directly programming issues </li></ul></ul><ul><li>http://msdn.microsoft.com/security/securecode/default.aspx?pull=/msdnmag/issues/02/09/securitytips/default.aspx </li></ul>
  8. 8. Basic Assumptions <ul><li>Testing early is cheaper than testing later. </li></ul><ul><li>System test of a system with j modules and k experiments (iterations or different implementations for a given interface) results in the following cost of testing </li></ul><ul><li>Where c t is the cost per test. </li></ul><ul><li>Module-level tests with j modules and k experiments results in </li></ul>Baldwin and Clark. Design Rules The Power of Modularity, volume 1, MIT Press, 2000.
  9. 9. Basic assumptions - 2 Though estimates vary, the cost of removing defect increases dramatically later in the life cycle. 30 2 to 4 1 Russell 2 to 10 1 Ackerman 82 20 1 Remus 40 to 1000 30 to 70 15 to 40 1 Boehm 100 60 1.5 1 IBM Production Acceptance Development Test Code Design Inspection Design
  10. 10. Premise <ul><li>Our premise is that poorly written software will contain more vulnerabilities than well written software where the security quality attribute is a design driver. </li></ul><ul><li>Current views of security often take a defensive approach. Some of the security infrastructure even adds to the security risk due to the complexity it adds to the product. </li></ul><ul><li>We propose an offensive approach in which security is a key design driver and a priority throughout the development process. </li></ul>
  11. 11. Context <ul><li>A chain of quality should be threaded through the entire process so that validation is most effective and efficient. </li></ul>Systems Engineering Class Name Responsibility Collaborator Super Class Requirements Use Case Name: Use: User: Frequency: See Also: Use Case Modeling Domain Expert Domain Analysis Architectural Design Class Development Incremental Integration and System Testing Application Analysis Client Use Case Name: Use: User: Frequency: See Also: Application Use Cases View Model Controller Class Specification Class Design Class Derivation Class Reuse Implementation Refinement Testing Class Delivery Architecture inspection Cluster design inspection Analysis model inspection Analysis model inspection Requirements model inspection
  12. 12. A Proposed Strategy <ul><li>Develop method engineering tactics and guidelines that enhance the security quality of the software through improved processes. </li></ul><ul><li>Structure architecture evaluation techniques to focus on security by searching for static security patterns. </li></ul><ul><li>Discover and capture test patterns that correspond to dynamic security patterns. </li></ul><ul><li>Develop focused test techniques to effectively explore security test patterns while reducing the test suite size. </li></ul><ul><li>Create a defect model for security that can be used to predict types and number of security vulnerabilities in scientific codes. </li></ul>
  13. 13. Action – Develop method engineering techniques <ul><li>Method engineers create custom-made processes to help a project achieve specific goals. </li></ul><ul><li>The goal of being “secure” needs to be operationalized so that these engineers can assemble methods in ways that enhance the security of the software product built using their processes. </li></ul><ul><li>This task would involve extending the Software Process Engineering MetaModel 1 (SPEM) standard to define security-specific constructs. The model would be automated using existing tools such as MetaEdit+. </li></ul><ul><li>1 Software Process Engineering Metamodel, version 1.1, Object Management Group (OMG), 2005. </li></ul>
  14. 14. Action – Develop method engineering techniques - 2 <ul><li>The security-oriented method fragments would be suitable to integrate into processes defined in the context of the SPEM. </li></ul><ul><li>Process audits could evaluate the strength of the security aspect of the process, once it is explicitly embedded in the process, just as other qualities are validated. </li></ul><ul><li>Deliverables: A process definition guide that would show how to design security-centric development process fragments, an assembly guide, and an example process. </li></ul>
  15. 15. Action – Create architecture security analysis <ul><li>Architects have techniques that they apply to an architecture in order to improve the behavior of the architecture with respect to classes of security threats 1 . </li></ul><ul><li>Assuring system survivability requires showing that the system architecture is adequately resilient to likely patterns of attack 2 . </li></ul><ul><li>One approach to architecture design is to identify quality attributes for the architecture and make design decisions that enhance the desirable qualities and degrade the less desirable ones. </li></ul><ul><li>Architecture evaluation techniques such as the architecture trade-off analysis method (ATAM) can be used to focus architecture evaluations on the security quality through security-specific scenarios. </li></ul><ul><li>One aspect of this task would be to develop a set of architecture-level security scenarios that would guide the evaluation of an architecture for the security quality. </li></ul><ul><li>1 Security and Survivability Reasoning Frameworks and Architectural Design Tactics. CMU/SEI-2004-TN-022 </li></ul><ul><li>2 Architectural Refinement for the Design of Survivable Systems CMU/SEI-2001-TN-008 </li></ul>
  16. 16. Action – Create architecture security analysis - 2 <ul><li>This evaluation can be automated if the architects use a formal architecture description language (ADL). </li></ul><ul><li>Our current implementation uses the Architectural Analysis and Design Language (AADL) from the Society of Automotive Engineers (SAE) and Eclipse plug-ins. </li></ul><ul><li>A second part of the task could be to identify standard mechanisms for representing security in an architecture description so that security patterns could be automatically recognized. </li></ul><ul><li>Deliverables: A set of validation scenarios and specific architecture tactics for recognizing security vulnerabilities at the architecture level </li></ul>
  17. 17. Current implementation as Eclipse plug-in for AADL
  18. 18. Action – Create architecture security analysis - 3 <ul><li>This analysis could also be conducted on pre/post-test basis </li></ul><ul><li>Use an architecture re-construction technique such as OAR 1 to extract the “as built” architecture from the implementation. </li></ul><ul><li>Compare to the “as designed” architecture to determine if changes have occurred </li></ul><ul><li>1 Options Analysis for Reengineering (OAR): A Method for Mining Legacy Assets CMU/SEI-2001-TN-013 </li></ul>
  19. 19. Action – Discover test patterns for security <ul><li>Test patterns are solutions to testing problems in context. They often correspond to design patterns. </li></ul><ul><li>Test patterns are language independent </li></ul><ul><li>Content of a test pattern 1 </li></ul><ul><ul><li>Problem - Description of pattern to be tested </li></ul></ul><ul><ul><li>Context - Special testing conditions </li></ul></ul><ul><ul><li>Forces - What types of faults are we looking for? </li></ul></ul><ul><ul><li>Solution - Test case selection strategy that tests the interactions among the components that implement the pattern </li></ul></ul><ul><ul><li>Example – A sample implementation </li></ul></ul><ul><li>1 John McGregor and David Sykes Practical Guide to Testing Object-Oriented Software, Addison-Wesley, 2001. </li></ul>
  20. 20. Action – Discover test patterns for security - 2 <ul><li>Problem: The synchronous communication between two objects is modified to be asynchronous by adding a callback object. How should this be tested? </li></ul>Client Server Client Server Callback
  21. 21. Action – Discover test patterns for security - 3 <ul><li>Context </li></ul><ul><ul><li>An intermediate object forwards messages </li></ul></ul><ul><li>Forces </li></ul><ul><ul><li>Possible to intermingle successive messages/responses </li></ul></ul><ul><ul><li>Temporal considerations must be added to the test case </li></ul></ul><ul><li>Solution </li></ul><ul><ul><li>Construct tests that exercise the callback in a variety of states </li></ul></ul><ul><ul><li>Construct multiple clients, submit multiple requests through multiple callback objects </li></ul></ul><ul><ul><li>Build test cases that submit a second message prior to receiving the response from the first message </li></ul></ul>
  22. 22. Action – Discover test patterns for security - 4 <ul><li>In this task, security vulnerabilities and standard designs to correct them would be studied. </li></ul><ul><li>The standard designs would lead to a catalog of specific test patterns. </li></ul><ul><li>Users of the test patterns could implement them in whatever language was in use. </li></ul><ul><li>Deliverables: test pattern catalog </li></ul>
  23. 23. Task force identified security patterns 1. Make the Client Invisible 2. Target Programs That Write to Privileged OS Resources 3. Use a User-Supplied Configuration File to Run Commands That Elevate Privilege 4. Make Use of Configuration File Search Paths 5. Direct Access to Executable Files 6. Embedding Scripts within Scripts 7. Leverage Executable Code in Non-executable Files 8. Argument Injection 9. Command Delimiters 10. Multiple Parsers and Double Escapes 11. User-Supplied Variable Passed to File System Calls 12. Postfix NULL Terminator 13. Postfix, Null Terminate, and Backslash 14. Relative Path Traversal 15. Client-Controlled Environment Variables 16. User-Supplied Global Variables (DEBUG=1, PHP Globals, and So Forth) 17. Session ID, Resource ID, and Blind Trust 18. Analog In-Band Switching Signals (aka “Blue Boxing”) 19. Attack Pattern Fragment: Manipulating Terminal Devices 20. Simple Script Injection 49 security patterns have been identified. Here are a few. Security Across the Software Development Lifecycle Task Force
  24. 24. Action – Develop focused test techniques - 1 <ul><li>Operational profiles establish a relative frequency of operations for a particular type of user or application. </li></ul><ul><li>Test cases are chosen with the same relative frequency to mimic actual use or to mimic attack scenarios. </li></ul><ul><li>This narrows the range of values to cover in test. </li></ul>.3 Op 3 .3 Op 2 User 2 .4 Op 1 .2 Op 3 .6 Op 2 User 1 .2 Op 1 Relative frequency Operation User
  25. 25. Action – Develop focused test techniques - 2 <ul><li>Testing all possible values even once, much less all possible combinations of values, is usually impossible. </li></ul><ul><li>Combinatorial test designs can systematically sample test values to ensure the maximum coverage with minimum test cases. </li></ul><ul><li>Orthogonal array testing is one combinatorial approach. </li></ul>
  26. 26. OATS tool - 1 <ul><li>Three variables, each with three possible values, would require 27 test cases for all combinations coverage. </li></ul>200 50 5 # of web servers Firefox IE5.0 Netscape browser ODBC1.0 JDBC2.0 JDBC1.0 Database driver
  27. 27. OATS tool - 2 <ul><li>OATS reduces this to 9 test cases, testing pair-wise but remains approximately 96% as effective as “all combinations” coverage at finding defects. </li></ul>50 FoxFire ODBC1.0 9 200 IE5.0 ODBC1.0 8 5 Netscape ODBC1.0 7 200 FoxFire JDBC2.0 6 5 IE5.0 JDBC2.0 5 50 Netscape JDBC2.0 4 5 FoxFire JDBC1.0 3 50 IE5.0 JDBC1.0 2 200 Netscape JDBC1.0 1
  28. 28. Action – Develop focused test techniques - 3 <ul><li>Pair-wise value combinations can reduce the size of the test suite dramatically </li></ul><ul><li>These techniques have been applied in domains such as telecommunications. </li></ul><ul><li>In this task we would develop an industrial strength tool that allows the design of combinatorial test suites. </li></ul>
  29. 29. Action – Develop focused test techniques - 4 <ul><li>This technique is used in conjunction with traditional functional and structural strategies for test case selection. </li></ul><ul><li>Functional tests ensure that all specified functions are correct and structural tests ensure that all feasible paths are valid. </li></ul><ul><li>The result is confidence that the software does everything it is supposed to and nothing that it Is not supposed to. </li></ul><ul><li>Combinatorial techniques increase the coverage of large software products without significant increases in test effort. </li></ul><ul><li>This approach allows for risk-based test selections. </li></ul><ul><li>Deliverables: software tool that uses combinatorial techniques and risk-based techniques to define effective test cases. </li></ul>
  30. 30. Action – Develop a security defect model for scientific codes <ul><li>If you just found the 73 rd defect in your 50,000 LOC program, do you feel good about it? </li></ul><ul><li>With a validated defect model you would at least know how to feel. </li></ul><ul><li>You would know approximately how many defects to expect and what types of defects to look for. </li></ul>
  31. 31. Action – Develop a security defect model for scientific codes - 2 <ul><li>Using the relative frequency and estimated size, estimates can be made of the number of defects and the test case selection process be more precisely directed. </li></ul>100% Total 10% Argument injection 30% HTTP cookies 60% Static queue sizes Relative frequency per KLOC Security defect type
  32. 32. Action – Develop a security defect model for scientific codes - 3 <ul><li>In this task we would develop a defect model framework for scientific codes using historic data. </li></ul><ul><li>The framework would be packaged with a specialization method for tailoring the framework to a specific development context. </li></ul><ul><li>This would allow us to provide statistical estimates of the number of defects remaining in a software product and to provide a confidence interval on statistics such as reliability. </li></ul><ul><li>Deliverables: defect model </li></ul>
  33. 33. Conclusion <ul><li>No single action or algorithm will produce secure software. There must be a chain of quality activities. </li></ul><ul><li>The outlined strategy places security quality gates at several places in the software product development life cycle. </li></ul>Systems Engineering Class Name Responsibility Collaborator Super Class Requirements Use Case Name: Use: User: Frequency: See Also: Use Case Modeling Domain Expert Domain Analysis Architectural Design Class Development Incremental Integration and System Testing Application Analysis Client Use Case Name: Use: User: Frequency: See Also: Application Use Cases View Model Controller Class Specification Class Design Class Derivation Class Reuse Implementation Refinement Testing Class Delivery Architecture inspection Cluster design inspection Analysis model inspection Analysis model inspection Requirements model inspection
  34. 34. Conclusion - 2 <ul><li>Implementing any part of this strategy will improve the security of the software products produced. </li></ul><ul><li>Develop method engineering tactics and guidelines that enhance the security quality of the software through improved processes. </li></ul><ul><li>Structure architecture evaluation techniques to focus on security by searching for static security patterns. </li></ul><ul><li>Discover and capture test patterns that correspond to dynamic security patterns. </li></ul><ul><li>Instrument combinatorial test techniques to effectively explore security test patterns while reducing the test suite size. </li></ul><ul><li>Create a defect model for security that can be used to predict types and number of security vulnerabilities in a given product. </li></ul>

×