Software vulnerabilities are regarded as the most critical class of vulnerability because of their impact and availability compared with hardware and network vulnerabilities. From the first exploited software vulnerabilities in the late 1980s until today, many software vulnerabilities have been identified and classified, such as the well-known buffer overflow, script injection (XSS) and SQL command injection. We studied these known software vulnerabilities, compared their criticality, impact and significance, predicted their trend and proposed a focus area based on the comparative study. The results show that C overflow vulnerabilities will continue to persist despite losing their dominance in the number reported and exploited. The impact of exploiting a C overflow vulnerability is, however, still regarded as the most critical of all classes. We therefore expect C overflow vulnerabilities to prevail again and to continue the domination they have held for the past two decades.
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
1. Vulnerabilities and Exploitation in Computer System - Past, Present and Future
03 September 2013 @ 27 Syawal 1434H
Nurul Haszeli Ahmad, Syed Ahmad Aljunid, Jamalul-lail Ab Manan
SISKOM 2013
Faculty of Computer and Mathematical Sciences
UiTM Shah Alam, Selangor, Malaysia
4. Introduction
Software vulnerabilities
• What are they? Flaws in software / code that make the system behave abnormally. They are triggered unintentionally by users or exploited deliberately by hackers. Definition after Stoneburner et al., 2002; OWASP Org., 2013; Kaspersky Lab, 2013.
• Impact? Exploitation cases are listed on the next slide.
• Root causes (Beizer, 1990; Piessens, 2002; Alhazmi et al., 2006; Howard et al., 1998; Krsul, 1998; Longstaff et al., 1997; Moore, 2007; Vipindeep et al., 2005):
  - Improper process
  - Poor design
  - Programming errors/mistakes (Ahmad et al., 2011)
5. Introduction
Programming errors/mistakes (Ahmad et al., 2011) are caused by:
• Limitations of the programming language
• Incompetent programmers/software engineers
Exploitation and its impact, for example:
1. 1988 - Morris Worm (One, 1996)
2. Poland tram crash (Baker, 2008)
3. Iran nuclear facility attack, Stuxnet (Chen, 2010)
4. Toyota brake failure (Carty, 2010)
Etc.
6. Introduction - Summary
• Quantitative study of known software vulnerabilities
• Share the criticality and significance of the identified vulnerabilities
• Predict the future trend
Scope
1. Limited to counts of reported vulnerabilities
2. Limited to four classes: SQLi, XSS, Java, and C/C++
7. Quantitative Studies on Known Software Vulnerabilities
1. Software vulnerabilities have existed for as long as programming has
2. The first unintended exploitation happened in the late 80s
3. Microsoft introduced the SDL, starting with the Trustworthy Computing memo of 2002
4. Program analysis (static and dynamic analysis), anti-virus, etc. were introduced as early as 1994 (Wagner)
5. Vulnerabilities are still at large, and exploitation increases exponentially with the number of vulnerabilities
Sources: 19 well-known online vulnerability databases and organisations, including
1. Microsoft Corporation
2. Homeland Security (US-CERT)
3. NIST
4. OSVDB
5. OWASP
6. SANS Institute
7. CSM (CyberSecurity Malaysia)
etc.
8. Quantitative Studies on Known Software Vulnerabilities
[Figure: No. of Vulnerabilities By Year, 1988 to 2013; y-axis 0 to 7000 vulnerabilities. Sources: National Institute of Standards and Technology (NIST) and Open-Source Vulnerabilities Database (OSVDB)]
9. Quantitative Studies on Known Software Vulnerabilities
Other scary facts
1. More than 2000 vulnerabilities are identified per year
2. 20% are consistently C/C++ overflow vulnerabilities
3. 40% are ranked with severity (CVSS) 7.0 to 10.0
4. The SANS Institute has kept listing the same classes of vulnerabilities in its Top 25 software errors since 2002
5. A single exploitable vulnerability can cause huge impact
6. Symantec reported a 42% increase in exploitation and an increase of about 50% in web attacks
7. Some of the latest attacks still use old, already identified vulnerabilities (Kaspersky Lab)
10. Impact Analysis
The "Fantastic Four" vulnerability classes: SQLi, XSS, Java and C/C++ overflow

Class           CVSS base score        Severity        Impact when exploited
SQLi            85% score 7.0 - 10     high            security bypass; gain control or steal user identity (depending on the user's privileges)
XSS             95% score 4.0 - 6.9    low to medium   security bypass; gain control or steal user identity (depending on the user's privileges)
Java            70% score 4.0 - 6.9    low to medium   security bypass; gain control or steal user identity (depending on the user's privileges)
C/C++ overflow  60% score 7.0 - 10     high            access/control can be gained without relying on the user's privileges; system malfunction, accidents, control systems, etc. (McGraw, 2013; Baker, 2008; Chen, 2010)
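The last row is the whole argument for the C/C++ class: an overflow does not need the victim's privileges because it can rewrite the data that decides them. The following C program is an added example, not code from the presentation or its authors. A name copied without a bound runs off a fixed 16-byte buffer into the adjacent privilege flag, so the attacker ends up "admin" although nothing granted it; the hardened copy beside it measures the input against the buffer first and refuses what does not fit. The record layout (a 16-byte name directly before a 4-byte int, no padding) and the 19-byte attack string are assumptions constructed for this demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy login record (constructed for the demo). The fixed-size name buffer
 * sits directly in front of the privilege flag; the assumed layout (no
 * padding between char[16] and int) is what makes the overwrite land on
 * the flag. */
struct login_record {
    char name[16];
    int  is_admin;      /* 0 = ordinary user, nonzero = administrator */
};

/* Vulnerable copy: stops only at the NUL terminator, never at the end of
 * the destination. A name of 16 or more characters runs off name[] and
 * into is_admin. This is undefined behaviour in C; on the layout above it
 * reliably overwrites the flag, which is exactly the attacker's goal.
 * Writing through a plain char pointer is how such code usually looks. */
void set_name_unchecked(struct login_record *rec, const char *src)
{
    char *dst = rec->name;
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* Hardened copy: measure the input against the buffer first, leave room
 * for the terminator, and refuse anything that does not fit. Returns 0 on
 * success and -1 if the input was rejected (record left unchanged). */
int set_name_checked(struct login_record *rec, const char *src)
{
    size_t n = 0;
    while (n < sizeof rec->name && src[n] != '\0') {
        n++;
    }
    if (n == sizeof rec->name) {
        return -1;      /* 16 or more characters: would overflow */
    }
    memcpy(rec->name, src, n);
    rec->name[n] = '\0';
    return 0;
}

/* One login attempt through either path. Returns 1 if the caller ended up
 * with the admin flag set even though nothing ever granted it. */
int admin_after_login(const char *name, int use_checked_copy)
{
    struct login_record rec;
    volatile int *flag = &rec.is_admin;   /* force a real read of the flag */
    memset(&rec, 0, sizeof rec);
    if (use_checked_copy) {
        if (set_name_checked(&rec, name) != 0) {
            return 0;                     /* refused; privilege unchanged */
        }
    } else {
        set_name_unchecked(&rec, name);
    }
    return *flag != 0;
}

/* Returns 1 if the checked copy accepts the name, stores it intact and
 * leaves the privilege flag alone. */
int checked_copy_keeps_name(const char *name)
{
    struct login_record rec;
    memset(&rec, 0, sizeof rec);
    if (set_name_checked(&rec, name) != 0) {
        return 0;
    }
    return strcmp(rec.name, name) == 0 && rec.is_admin == 0;
}

int main(void)
{
    /* Constructed attack input: 19 'A's plus the terminator is 20 bytes,
     * exactly name[16] followed by the four bytes of is_admin. */
    const char *attack = "AAAAAAAAAAAAAAAAAAA";

    printf("unchecked copy, attacker is admin: %d\n", admin_after_login(attack, 0));
    printf("checked copy,   attacker is admin: %d\n", admin_after_login(attack, 1));
    printf("checked copy,   'alice' stored:    %d\n", checked_copy_keeps_name("alice"));
    return 0;
}
```

The attack string is sized to stop exactly at the end of the record; a longer one would keep writing into whatever the compiler placed next on the stack, which is where return-address overwrites and the stack canaries, FORTIFY_SOURCE checks and similar mitigations come in. None of those change the fix: the checked copy never writes past the buffer, so there is nothing for a mitigation to catch.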
11. Impact Analysis
Market shares
• Windows-based OS: 90%, of which 30% is still Windows XP
• The most used mobile OS is Android (> 60% market share)
Browser used
• Use of Microsoft IE reduces the chance of being hacked
• Safari (by Apple) and Chrome (runs on Android-based mobiles) increase the risk of being attacked
Rise of online applications
• Only XSS, SQLi and Java vulnerabilities are affected, and their risk of being exploited shall increase
Detection/prevention mechanisms
• Java has built-in security (the JVM)
• XSS and SQLi vulnerabilities are input related
• C/C++ has no perfect defense
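The "input related" bullet is the reason the slide treats SQLi and XSS as containable: the dangerous characters arrive in user input and can be refused before they reach the statement. The C program below is an added example, not code from the presentation or its authors. It builds a SQL statement from a user-supplied name with and without an allowlist check; the attack value, the 32-character limit and the [A-Za-z0-9_] allowlist are constructed assumptions for the demo, and the result is judged by counting quote characters to see whether the value broke out of its string literal. Parameterised queries, which hand the value to the database separately from the statement text, are the standard SQLi fix; the validation shown here is the defence the slide's argument refers to, and it also keeps out the characters an XSS payload needs.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define USERNAME_MAX 32   /* assumed policy limit for the demo */

/* Vulnerable construction: the user-controlled value is pasted straight
 * into the statement text. Returns the length of the statement, or -1 if
 * it did not fit in `out`. */
int build_query_unchecked(char *out, size_t outsz, const char *username)
{
    int n = snprintf(out, outsz,
                     "SELECT * FROM users WHERE name = '%s'", username);
    if (n < 0 || (size_t)n >= outsz) {
        return -1;
    }
    return n;
}

/* Allowlist check: 1 to USERNAME_MAX characters from [A-Za-z0-9_] only.
 * A quote, space, semicolon or angle bracket never passes, so the value
 * can neither end the string literal it is placed in nor carry markup.
 * Returns 1 if acceptable, 0 otherwise. */
int username_is_valid(const char *username)
{
    size_t n = 0;
    for (; username[n] != '\0'; n++) {
        unsigned char c = (unsigned char)username[n];
        if (n >= USERNAME_MAX) {
            return 0;                     /* too long */
        }
        if (!isalnum(c) && c != '_') {
            return 0;                     /* character outside the allowlist */
        }
    }
    return n > 0;
}

/* Hardened construction: refuse anything outside the allowlist before it
 * reaches the statement. Returns -1 when the name is rejected. */
int build_query_checked(char *out, size_t outsz, const char *username)
{
    if (!username_is_valid(username)) {
        return -1;
    }
    return build_query_unchecked(out, outsz, username);
}

/* Counts single-quote characters; a statement from the template above
 * that still has its one intact literal contains exactly two. */
int count_quotes(const char *sql)
{
    int quotes = 0;
    for (; *sql != '\0'; sql++) {
        if (*sql == '\'') {
            quotes++;
        }
    }
    return quotes;
}

/* Builds the statement through either path and reports 1 if the user
 * value broke out of its string literal (more than two quotes), 0 if the
 * statement is intact or the value was rejected. */
int literal_broken(const char *username, int use_checked)
{
    char sql[256];
    int n = use_checked ? build_query_checked(sql, sizeof sql, username)
                        : build_query_unchecked(sql, sizeof sql, username);
    if (n < 0) {
        return 0;
    }
    return count_quotes(sql) > 2;
}

int main(void)
{
    /* Constructed attack value: closes the literal and appends a tautology. */
    const char *attack = "x' OR '1'='1";
    char sql[256];

    build_query_unchecked(sql, sizeof sql, attack);
    printf("unchecked statement: %s\n", sql);
    printf("literal broken (unchecked): %d\n", literal_broken(attack, 0));
    printf("literal broken (checked):   %d\n", literal_broken(attack, 1));
    printf("'alice' accepted by checked path: %d\n",
           build_query_checked(sql, sizeof sql, "alice") >= 0);
    return 0;
}
```

An allowlist is the right shape for a field like a username, where the legal alphabet is small and known; for free-text fields it is not enough, and the statement must be parameterised so that the value is never interpreted as SQL at all.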
13. Conclusion
• Many sites support hackers: Shodan, Rapid7, Offensive Security and SecurityVulns
• Old vulnerabilities are still relevant (Kaspersky Lab)
• Compared with the other classes of vulnerabilities, C/C++ is the most dangerous
• Vulnerabilities and exploitation in computer systems will persist
• C/C++ overflow vulnerabilities will regain their domination
14. References
1. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2010a). Preventing Exploitation on Software Vulnerabilities: Why Most Static Analysis Is
Ineffective? Conferences on Engineering and Technology Education. Kuching: World Engineering Congress.
2. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2011). Taxonomy of C Overflow Vulnerabilities Attack. In Z. Jasni Mohamad, W. Mohd, & E.-
Q. Eyas (Ed.), International Conferences on Software Engineering and Computer Systems. 180, pp. 376 - 390. Kuantan, Pahang: Springer.
3. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2011c). Understanding Vulnerabilities by Refining Taxonomy. 7th International Conference on
Information Assurance and Security (IAS) (pp. 25 - 29). Melaka: IEEE Computer Society.
4. Alhazmi, H. O. (2005). Quantitative vulnerability assessment of systems software. Annual Proceedings of Reliability and Maintainability
Symposium (pp. 615 - 620). IEEE.
5. Alhazmi, O. H., Woo, S. W., & Malaiya, Y. K. (2006). Security Vulnerability Categories in Major Software Systems. 3rd IASTED International
Conference on Communication, Network, and Information Security (CNIS), (pp. 138 - 143).
6. Aslam, T. (1995). A Taxonomy of Security Faults in the UNIX Operating System. MSc Thesis, Department of Computer Sciences, Purdue
University.
7. Baker, G. (2008, January 11). Schoolboy hacks into city's tram system. Retrieved November 17, 2011, from The Telegraph:
http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html
8. Beizer, B. (1990). Software Testing Technique (2nd Edition ed.). New York, USA: Van Nostrand Reinhold Co.
9. Carty, D. (2010, February 3). Apple's Wozniak: Toyota Has Software Problem. (CBS Interactive Inc) Retrieved November 18, 2011, from CBS
News: http://www.cbsnews.com/8301-503983_162-6169804-503983.html
10. Cenzic Inc. (2013). Resources - Application Security Papers. Retrieved August 09, 2013, from CENZIC:
http://www.cenzic.com/resources/application-security-papers/
11. Chen, T. M. (2010). Stuxnet, the Real Start of Cyber Warfare. IEEE Network , 24 (6), 2 - 3.
12. CISCO. (2013). Cisco Security Report. Retrieved August 09, 2013, from Cisco:
http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
13. Critical Patch Updates, Security Alerts and Third Party Bulletin. (2013). Retrieved August 09, 2013, from Oracle Technology Network:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
14. CyberSecurity Malaysia. (2013). e-Security Bulletin. Retrieved August 09, 2013, from CyberSecurity Malaysia:
http://www.cybersecurity.my/en/knowledge_bank/bulletin/content/main/detail/182/index.html?mytabsmenu=2
15. Department of Homeland Security. (2013). US-CERT. Retrieved August 09, 2013, from US-CERT (United States Computer Emergency
Readiness Team): http://www.us-cert.gov/
16. Fritzinger, S. J., & Mueller, M. (1996). Java™ Security. White paper, Sun Microsystems, Inc.
17. Hewlett-Packard Development Company. (2013). Resource Center. Retrieved August 09, 2013, from HP Enterprise Security:
http://www.hpenterprisesecurity.com/news/resource-center
18. Howard, J. D., & Longstaff, T. A. (1998). A Common Language for Computer Security Incidents. Sandia Technical Report, Sandia National
Laboratories, Sandia Corporation.
19. Howard, M., LeBlanc, D., & Viega, J. (2010). 24 Deadly Sins of Software Security - Programming Flaws and How to Fix Them. McGraw-Hill.
20. IBM X-Force. (2013). IBM X-Force Annual Trend and Risk Report. Retrieved August 09, 2013, from IBM X-Force: http://www-
03.ibm.com/security/xforce/downloads.html
21. iMPERVA. (2013). Imperva Web Application Attack Report. iMPERVA.
22. IT Security Research Group. (2013). Map Honeynet. Retrieved August 09, 2013, from The Honeynet Project: http://map.honeynet.org/
23. Johnson, S. (2013, August 07). FortiGuard Labs sees fast rise of mobile malware in 2013. (TechTarget) Retrieved August 09, 2013, from
SearchSecurity: http://searchsecurity.techtarget.com/news/2240203220/FortiGuard-Labs-sees-fast-rise-of-mobile-malware-in-
2013?asrc=EM_ERU_22893730&utm_medium=EM&utm_source=ERU&utm_campaign=20130808_ERU%20Transmission%20for%2008/08
/2013%20(UserUniverse:%20551200)_myka-rep
24. Kaspersky Lab. (2013b). Analysis. Retrieved August 09, 2013, from SECURELIST: http://www.securelist.com/en/analysis?genre=1
25. Kaspersky Lab. (2013). Kaspersky Security Bulletin 2012. The overall statistics for 2012. Retrieved August 09, 2013, from SECURELIST:
http://www.securelist.com/en/analysis/204792255/
26. Kaspersky Lab. (2013a). Software vulnerabilities. Retrieved August 09, 2013a, from SECURELIST:
http://www.securelist.com/en/threats/vulnerabilities?chapter=35
27. Krsul, I. V. (1998). Software Vulnerability Analysis. Phd Thesis, Purdue University.
28. Lipner, S. (2013, May 14). The time is now. Security Development Must be a Priority for Everyone. Retrieved August 09, 2013, from
Microsoft Trustworthy Computing: http://blogs.technet.com/b/trustworthycomputing/archive/2013/05/08/security-development-
conference-2013.aspx
29. Longstaff, T. A., Ellis, J. T., Hernan, S. V., Lipson, H. F., McMillan, R. D., Pesante, L. H., et al. (1997). Security of the Internet. (M. Dekker, Ed.)
The Froehlich/Kent Encyclopedia of Telecommunications , 15, pp. 231 - 255.
30. McGraw, G. (2013, August 09). Five major technology trends affecting software security assurance. Retrieved August 11, 2013, from
SearchSecurity.com: http://searchsecurity.techtarget.com/opinion/Five-major-technology-trends-affecting-software-security-assurance
31. Microsoft Corporation. (2002, January 15). Memo from Bill Gates. Retrieved 2010, from Microsoft News Center:
http://www.microsoft.com/en-us/news/features/2012/jan12/gatesmemo.aspx
32. Microsoft Corporation. (2013b). Microsoft Security Advisories. Retrieved August 09, 2013b, from Security TechCenter:
http://technet.microsoft.com/en-us/security/advisory/
33. Microsoft Corporation. (2013a). What is the Security Development Lifecycle? Retrieved August 09, 2013a, from Microsoft Security
Development Lifecycle: http://www.microsoft.com/security/sdl/default.aspx
34. MITRE Corporation. (2011). Common Vulnerabilities And Exposures. Retrieved November 15, 2011, from CVE - Format String:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Format+String
35. Moore, H. D. (2007). Exploiting Vulnerabilities. Presentation Slide, Secure Application Development (Secappdev.org).
36. National Institute of Standards and Technology (NIST). (2013). CVE and CCE Statistics Query Page. Retrieved August 09, 2013, from National
Vulnerability Database (NVD): http://web.nvd.nist.gov/view/vuln/statistics
37. Net Applications.com. (2013b). Desktop Browser Market Share. Retrieved August 11, 2013b, from NETMARKETSHARE:
http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
38. Net Applications.com. (2013). Desktop Operating System Market Share. Retrieved August 10, 2013, from NETMARKETSHARE:
http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
39. Offensive Security. (2013). Retrieved from Exploit Database: http://www.exploit-db.com/
40. One, A. (1996). Smashing the Stack for Fun and Profit. Phrack Magazine, 7 (49).
41. Open Sourced Vulnerability Database (OSVDB). (2013). Open Sourced Vulnerability Database. Retrieved August 09, 2013, from OSVDB:
http://osvdb.org/
42. Oracle Corporation. (2012). Java SE Security. Retrieved January 10, 2012, from ORACLE:
http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html
43. Oracle Corporation. (2010). Secure Computing with Java: Now and the Future. Retrieved January 10, 2012, from ORACLE - Sun Developer
Network (SDN): http://java.sun.com/security/javaone97-whitepaper.html
44. Oracle FAQ. (2012, January 2). Oracle Corporation. Retrieved January 10, 2012, from Oracle FAQ:
http://www.orafaq.com/wiki/Oracle_Corporation
45. OWASP Organization. (2013). Category: Vulnerability. Retrieved August 09, 2013, from OWASP - The Open Web Applications Security
Project: https://www.owasp.org/index.php/Category:Vulnerability
46. Passeri, P. (2013). 2012 Cyber Attack Statistics. Retrieved August 09, 2013, from Hackmageddon.com: http://hackmageddon.com/2012-
cyber-attacks-statistics-master-index/
47. Pierluigi, P. (2013). Security Affairs. Retrieved August 09, 2013, from Security Affairs: http://securityaffairs.co/wordpress/
48. Piessens, F. (2002). A Taxonomy (with Examples) of Causes of Software Vulnerabilities in Internet Software. Technical Report, Katholieke
Universiteit Leuven, Department of Computer Science.
49. Positive Research. (2012). Vulnerability Statistics for 2011. Positive Technologies.
50. Rapid7. (2013). Vulnerability and Exploit Database. Retrieved August 09, 2013, from Rapid7: http://www.rapid7.com/db/modules/
51. Rashid, F. Y. (2013, May 15). Microsoft Talks Secure Coding Practices, Standards at Security Development Conference. Retrieved August
09, 2013, from SECURITYWEEK: http://www.securityweek.com/microsoft-talks-secure-coding-practices-standards-security-development-
conference
52. Red Hat Inc. (2013). Red Hat vulnerabilities by CVE name. Retrieved August 09, 2013, from redhat: https://access.redhat.com/security/cve/
53. SANS Institute. (2013). CWE/SANS TOP 25 Most Dangerous Software Errors. Retrieved August 09, 2013, from http://www.sans.org/top25-
software-errors/
54. Secunia. (2013). Advisories. Retrieved August 09, 2013, from Secunia: http://secunia.com/community/advisories/historic/
55. SecurityVulns. (2013). Retrieved August 09, 2013, from Computer Security Vulnerabilities: http://securityvulns.com/
56. SHODAN. (2013). Expose Online Devices. Retrieved August 09, 2013, from SHODAN: http://www.shodanhq.com/
57. Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems – Recommendation of the
National Institute of Standard and Technology (Special Publications). National Institute of Standard and Technology (NIST).
58. Symantec Corporation. (2013). Internet Security Threat Report 2013 Volume 18. Symantec Corporation.
59. Symantec Corporation. (2013). Security Response Publications. Retrieved August 09, 2013, from Symantec:
http://www.symantec.com/security_response/publications/threatreport.jsp
60. Vipindeep, V., & Jalote, P. (2005). List of Common Bugs and Programming Practices to avoid them. Technical Report, Indian Institute of
Technology, Kanpur.
18. THANK YOU
Nurul Haszeli Ahmad, Syed Ahmad Aljunid, Jamalul-lail Ab Manan
Email: masteramuk@yahoo.com / masteramuk@hotmail.com
Twitter/LinkedIn: masteramuk / Nurul Haszeli
Website: http://malaysiandeveloper.blogspot.com
Editor's Notes
Introduction to the scenario and problem statement. Present the past and present with a few cases. Impact analysis based on the reports gathered. Predict the vulnerabilities that will persist for another decade. Conclusions: present the significance of this study.
Hardware vulnerabilities. Example: vulnerabilities in switches/routers, chips, cards, even the TPM. Software vulnerabilities: flaws in software causing abnormal behaviour. Why focus on software vulnerabilities? Most hardware vulnerabilities are caused by code, i.e. software. Supporting our argument: as published by Reuters, the German Federal Office for Information Security (BSI) released a report on the TPM being insecure because of its weak link with Windows 8. The "sifu" of the TPM, Prof. Ahmad-Reza Sadeghi, shared the same view on the insecurity of the TPM in his 2011 lecture ("Runtime Attacks: Buffer Overflow and Return-Oriented Programming," System Security Lab, Technische Universität Darmstadt, presentation slides for the course Secure, Trusted and Trustworthy Computing, 2011). Software vulnerabilities have existed since humans started coding, i.e. systemising manual work; the first exploited vulnerability, in the late 80s, is known as the Morris Worm.
Microsoft's SDL started with Bill Gates's memo to employees stressing the importance of Trustworthy Computing (2002), and the vision continues until now (Rashid, 2013; Lipner, 2013). Actual program analysis started with Anderson in 1974. Questions raised about the integrity of the data: is it true? How many vulnerabilities exist? What kinds of vulnerabilities? What about the future?
Experts agree with SANS: Passeri and Pierluigi. Sample case: 600,000 computers running Apple's Mac OS X were infected by the Flashback malware, which exploited a Java vulnerability, and became a botnet (Symantec Corporation, 2013).
Four classes of vulnerabilities contribute 80% of all vulnerabilities (Positive Research, 2012; iMPERVA, 2013). These four classes are SQLi, XSS, Java and C/C++ vulnerabilities (C/C++ has stayed in the top four for the past three decades (Howard, 2010)). Based on analysis of the online vulnerability databases and organisations (MITRE Corporation, 2011; National Institute of Standards and Technology (NIST), 2013; Open Sourced Vulnerability Database (OSVDB), 2013): 95% of XSS vulnerabilities carry a Common Vulnerability Scoring System (CVSS) base score of 4.0 to 6.9, which indicates that the impact of this class is ranked within low to medium severity. 70% of Java vulnerabilities recorded in most online vulnerability databases have a CVSS base score of 4.0 to 6.9, which indicates that the severity of this class is not yet highly critical. The SQLi class, at the other end, has on average 85% of its vulnerabilities with a CVSS base score of 7.0 to 10, which shows that most vulnerabilities within this class are identified as critical with severe impact on the community. The same intensity is shared with C/C++ vulnerabilities, where 60% of reported vulnerabilities in this class are ranked highly critical with severe impact.
CVSS is not the only factor used to measure the impact of vulnerabilities, so to justify our prediction (beside the numbers of vulnerabilities released, presented earlier) we also looked at other factors.

Market shares. Based on Net Applications.com, 90% of the OS market is Windows, and 30% of that is still the obsolete Windows XP. Use of open-source, Linux-based OSes such as CentOS, Ubuntu, Fedora, etc. also plays an important role. The most affected vulnerability class is none other than C/C++, which is still in the top four of the list. Being the most popular mobile OS, Android has contributed to the increase in Java and C/C++ overflow vulnerabilities and exploitation (CISCO, 2013; IBM X-Force, 2013; Symantec Corporation, 2013), and this will continue in parallel with the emergence of mobile computing (Symantec Corporation, 2013; McGraw, 2013).

Browser used. Use of Chrome and Safari contributes to the increase in exploitation of XSS, Java or C/C++ vulnerabilities (Symantec Corp, 2013). Today more than 60% of mobile computers/phones use Chrome, Safari or IE.

Detection/prevention. Java has a virtual machine developed to run Java applications, and any vulnerability will have difficulty escaping from this virtual machine (Oracle Corporation, 2010; Oracle Corporation, 2012; Fritzinger et al., 1996), so most Java vulnerabilities can be contained and prevented from impacting the user. Many XSS and SQLi vulnerabilities affect computer systems through unvalidated input, so by validating all input these vulnerabilities can be prevented and their severity reduced (Alhazmi et al., 2006). Whereas, according to Ahmad et al. (2011), there is no perfect defense from C/C++ overflow vulnerabilities yet, which contributes to the persistence of that class.
The fantastic four will remain for at least another decade because of emerging mobile technology and online systems that have yet to mature. With advances in detection/prevention there is a probability of suppressing these vulnerabilities, except C/C++ overflow. C/C++ overflow vulnerabilities will prevail again: faster processing with high memory demands is required, and as of now only C/C++ has successfully delivered it; and there is an increasing trend of cloud services and of computerising legacy systems in utilities, transportation, defence, etc.
Shodan exposes devices connected to the net. Rapid7 (Metasploit), Offensive Security and SecurityVulns provide exploit databases and toolkits. C/C++ is regarded as the most dangerous because the overflow problem is embedded in the language itself and has been well known for more than three decades without a concrete solution; the other classes have security mechanisms, libraries, etc., and developers can be trained (Microsoft's SDL). There is as yet no substitute for C/C++ as an efficient language, so it shall remain the core language of all systems. On top of that, the C/C++ language lacks defensive and preventive mechanisms. Therefore C/C++ overflow vulnerabilities will regain their position, and it is predicted that this will happen in the near future.