
6/24/13

Vulnerability Assessment and Secure Programming Sessions

Monday, October 12, 2009, OGF27, Banff, Alberta, Canada

Security is crucial in the software that we develop and use. This tutorial is relevant to anyone wanting to learn about assessing software for security flaws and for developers wishing to minimize security flaws in software they develop.

We share our experience in vulnerability assessment of grid middleware. You will learn skills critical for developers and analysts concerned about software security, and the importance of independent vulnerability assessment.

The first session of this tutorial presents the First Principles Vulnerability Assessment process to actively discover vulnerabilities. We show how to gather information about a system and how to use this to direct the search for vulnerabilities, and how to integrate this into the development cycle.

The second session of this tutorial examines coding practices to prevent vulnerabilities by describing many types of vulnerabilities with examples of how they commonly arise, and techniques to prevent them. Most examples are in C, C++, Perl, and the standard C and POSIX APIs.

The afternoon sessions describe the experience of the University of Wisconsin's Vulnerability Assessment Project's assessment of several grid middleware packages, the experience of the Condor project being assessed, and a round table discussion of how the Open Science Grid's software providers should use vulnerability assessment.

Schedule

9:00-10:00 First Principles Vulnerability Assessment Tutorial
Prof. Elisa Heymann, Universitat Autònoma de Barcelona
This tutorial presents the First Principles Vulnerability Assessment process to actively discover vulnerabilities. We show how to gather information about a system and how to use this to direct the search for vulnerabilities, and how to integrate this into the development cycle.

10:00-12:00 Secure Programming Tutorial
James A. Kupsch, University of Wisconsin
This tutorial examines coding practices to prevent vulnerabilities by describing many types of vulnerabilities with examples of how they commonly arise, and techniques to prevent them. Most examples are in C, C++, Perl, and the standard C and POSIX APIs.

12:00-13:00 Lunch

13:00-14:30 Keynote: Andrea Donnellan, Jet Propulsion Laboratory, NASA

14:30-15:00 Coffee

15:00-15:30 Vulnerability Assessment: The Assessor's Experience
Prof. Barton P. Miller, University of Wisconsin
Prof. Miller will describe the evaluation team's experiences working with development groups on vulnerability assessment projects. He will discuss common misconceptions that groups have going into such activities, and strategies for making such efforts successful. He will also present a summary of the results from his group's assessment activities over the past few years.

15:30-16:00 Vulnerability Assessment: The Assessee's Experience
Zachary Miller, Condor Team, University of Wisconsin
The Condor team describes its experience of having a vulnerability assessment performed on their software. They will present how the process worked from their point of view, and how the process changed their development process.

16:00-17:00 Questions and Answers
Open floor for any questions.

17:00-18:00 Software Provider Round Table
Round table discussion of attendees' experiences in software vulnerability and assessment, current practices, how they think they can improve their current practices, and, if not, why not.

research.cs.wisc.edu/mist/ogf27.html

Tutorial Description

The security of software is becoming increasingly important to anyone who uses or develops it. This tutorial will teach developers and assessors how to proactively reduce the number of vulnerabilities in their software. Just as independent QA testing is essential for assessing software reliability, testing for security is essential for assuring software security. Even projects that architect their software with security in mind still need independent vulnerability assessment to detect design flaws or coding problems that can arise in any project. Testing for security is an essential part of the development process and a unique skill that requires training.

This tutorial is an outgrowth of our experience in performing vulnerability assessment of grid middleware, which includes Condor from the University of Wisconsin, the Storage Resource Broker from the San Diego Supercomputer Center, and MyProxy from the National Center for Supercomputer Applications. The tutorial will teach the processes and skills that we developed and used in these activities.

This tutorial is relevant to anyone who wants to learn about analyzing software for security flaws and for developers wishing to minimize security flaws in software that they develop. It covers the two sides of security: the offensive (how to find problems through the use of proactive vulnerability assessment) and the defensive (how to prevent problems by showing many types of vulnerabilities that occur in code and what techniques can be used to prevent them).

The target audience for this tutorial is anyone involved with the development of software or anyone wishing to assess the security of software. To gain maximum benefit from this tutorial, attendees should be familiar with the process of developing software and the C programming language. A basic knowledge of the standard C library and the POSIX API will aid the participant.

This tutorial does not assume any prior knowledge of security assessment or vulnerabilities. Some of the examples will include less common APIs, or will be in a programming language other than the C programming language. In these instances, enough explanation will be given so the attendee unfamiliar with the topic would be able to understand the concepts.

The first part of this tutorial explains how to perform a vulnerability assessment. Our process is based on a deep assessment of the software, done by one who is working in cooperation with the development team and has access to source code, internal documents and developers. We emphasize understanding of the process of vulnerability assessment and developing the skills needed to conduct such an assessment.

The first step of a vulnerability assessment is to gain an in-depth understanding of the system. Without an understanding of how it works, it is impossible to know what the critical assets are and what the threats to these assets are. To do this, the tutorial will show a process to gather and document this information by performing an architectural, resource and privilege analysis. These steps are completed by meeting with the developers, reviewing design documents and end user documentation, using the system, and looking at the code.
The architectural analysis consists of discovering and documenting the high level structures of the system: machines, configuration parameters, processes, function of processes, user interaction, interactions between processes, interactions with external systems, other communication channels, resources controlled by processes, and trust between components.

The resource and privilege analysis is the process of discovering and documenting the objects that the system can manipulate, such as in-memory data structures, database records, files, CPU cycles, and physical devices controlled by the computer. It also documents what actions can be performed on the resources in the system. The privilege analysis documents the privilege model defined by the system itself, and the configuration of privileges in the underlying operating system and external applications, such as databases.

The tutorial then shows how to create data flow diagrams from the results of the prior analyses. These diagrams contain much of the information collected earlier in a succinct fashion that allows the analyst to easily comprehend the system.

The tutorial then covers the process of performing a component analysis, which is looking for vulnerabilities in components of the system. Since it is not realistic to completely verify the security of the system, the tutorial will show how to use the previous steps of the analysis to focus the search to find both those vulnerabilities that are likely to be easily found by outside attackers, and also those vulnerabilities that can lead to higher value targets such as the compromise of the host operating system or a subversion of the privilege system. Information in the second part of the tutorial will explain how to look for specific types of vulnerabilities.

The tutorial will also describe how to integrate the results of the vulnerability assessment process into the software development process, including writing vulnerability reports, the vulnerability disclosure process, fixing vulnerabilities, and releasing security updates.

The second part of this tutorial will focus on vulnerabilities. It will feature several interactive secure coding quizzes where the audience will be challenged to find as many vulnerabilities as they can in short code fragments. What the audience finds (and does not find) will then be discussed.

This section will also contain a discussion of the most common vulnerabilities and will be valuable to both developers and security assessors. Descriptions of each vulnerability will be presented with examples. It will be shown how the vulnerability typically occurs within code, pointing out APIs or techniques that commonly result in the vulnerability, and also how the vulnerability can be mitigated or eliminated through the use of other techniques or APIs. The causes and types of vulnerabilities covered will include:

Lack of data validation
Error handling
Buffer overflows
Numeric parsing
Integer vulnerabilities
Race conditions
Injection attacks
Format string attacks
Command injection
SQL injection
Cross-site scripting (XSS)
Directory traversals
Memory management attacks
Denial of service
Insecure permissions
Not dropping privileges
Information leaks
