1、Topics in Security Testing,Reading assignment: Chapter 13, pp. 193-209. Note that many more topics are covered in these slides and in class.,Computer Security,The goal of computer security is to protect computer assets (e.g., servers, applications, web pages, data) from: corruption unauthorized acce
2、ss denial of authorized access malicious software Security is strengthened by: physically limiting the access of computers to trusted users hardware mechanisms (e.g., biometrics) operating system mechanisms that impose rules on untrusted programs (e.g., role-based access control) anti-virus software
3、 to detect malware secure coding techniques (e.g., array bounds checking) to make code less vulnerable to security attacks.,2,Approach to Software Security,Verify that security mechanisms are trustworthy Verify that security architecture adheres to the security policy Verify that the applications th
4、at constitute the system are trustworthy i.e., they have been developed using secure coding practices, or they are not malware.,3,Security Architecture,A security architecture is a specification that is used as a guide to enforce security constraints It specifies where security mechanisms (e.g., enc
5、ryption, firewalls) need to be positioned in the software architecture The quality of a security architecture also depends on the security of the applications that constitute the system,4,Security Architecture,Security architecture describes the position of security mechanisms in the software archit
6、ecture and comprises: subsystems e.g., web servers, application servers, DBMS, directories, web applications, and legacy applications communication links between the subsystems e.g., local or remote function calls and protocols (SSL, HTTPS, LDAP) position of security mechanisms e.g., authentication
7、and authorization points, encryption methods, audit, logging, monitoring, intrusion detection, registration, backup, recovery,5,Example of a Security Architecture,6,Validating Security Architecture,There are many security faults that arise from a poorly designed security architecture, e.g., unauthor
8、ized access to data and applications confidential and restricted data flowing as unencrypted text over network connections Security architecture is validated using a process called threat modeling. Threat modeling is typically a manual (i.e., not automated) inspection process, similar to code and re
9、quirements inspection.,7,Threat modeling,Threat Modeling is a process for evaluating a software system for security issues. It is a variation of the code and specification inspections processes discussed earlier in the course. The goal is for a review team to look for software features that vulnerab
10、le from a security perspective. Threat modeling is not the responsibility of a software tester, although testers may be involved in the security review team.,Threat modeling process (1),Assemble the treat modeling team Include security experts and consultants Identify the assets E.g., credit card nu
11、mbers, social security numbers, computing resources, trade secrets, financial data Create an architecture overview Define the architecture and identify the trust boundaries and authentication mechanisms Decompose the application E.g., identify data flows, encryption processes, password flows.,Threat
12、 modeling process (2),Identify threats E.g., can data be viewed, changed? Limit access of legitimate users? Unauthorized access of the system? Document threats E.g., describe threat, target, form of attack, counter-measures to prevent an attack, etc. Rank threats (scale: low, medium, high) Damage po
13、tential E.g., property, data integrity, financial loss Reproducibility E.g., probability that an attempt to compromise the system will succeed Exploitability/Discoverability E.g., is it difficult to hack into the system? Affected users How many users will be affected? Who are these users? Are they i
14、mportant?,What is Malware?,Malware (malicious software) is any program that works against the interest of the systems user or owner. Question: Is a program that spies on the web browsing habits of the employees of a company considered malware? What if the CEO authorized the installation of the spyin
15、g program?,Uses of Malware,Why do people develop and deploy malware? Financial gain Psychological urges and childish desires to “beat the system”. Access private data ,Typical purposes of Malware,Backdoor access: Attacker gains unlimited access to the machine. Denial-of-service (DoS) attacks: Infect
16、 a huge number of machines to try simultaneously to connect to a target server in hope of overwhelming it and making it crash. Vandalism: E.g., defacing a web site. Resource Theft: E.g., stealing other users computing and network resources, such as using your neighbors Wireless Network. Information
17、Theft: E.g., stealing other users credit card numbers.,Types of Malware,Viruses Worms Trojan Horses Backdoors Mobile code Adware Sticky software,Antivirus programs,Antivirus programs identify malware by looking for unique signatures in the code of each program (i.e., potential virus) on a computer A
18、 signature is a unique sequence of code found in a part of the malicious program The antivirus program maintains a frequently updated database of virus signatures The goal is for the database to contain a signature for every known malware program Examples of antivirus software: Symantec (http:/) McA
19、fee (http:/),15,Viruses,Viruses are self-replicating programs that usually have a malicious intent. Old fashioned type of malware that has become less popular since the widespread use of the Internet. The unique aspect of computer viruses is their ability to self-replicate. However, someone (e.g., u
20、ser) must execute them in order for them to propagate.,Viruses (Contd),Some viruses are harmful (e.g.,): delete valuable information from a computers disk, freeze the computer. Other viruses are harmless (e.g.,): display annoying messages to attract user attention, just replicate themselves.,Viruses
21、: Operation,Viruses typically attach themselves to executable program files e.g., .exe files in MS Windows Then the virus slowly duplicates itself into many executable files on the infected system. Viruses require human intervention to replicate.,Origin of the term computer virus,The term computer v
22、irus was first used in an academic publication by Fred Cohen in his 1984 paper Experiments with Computer Viruses. However, a mid-1970s science fiction novel by David Gerrold, When H.A.R.L.I.E. was One, includes a description of a fictional computer program called VIRUS. John Brunners 1975 novel The
23、Shockwave Rider describes programs known as tapeworms which spread through a network for deleting data. The term computer virus also appears in the comic book Uncanny X-Men in 1982.,The first computer viruses,A program called Elk Cloner is credited with being the first computer virus to appear “in t
24、he wild“. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk. The first PC virus was a boot sector virus called (c)Brain, created in 1986 by two brothers, Basit and Amjad Farooq Alvi, operating out of Lahore, Pakistan.,Worms,Worms are
25、malicious programs that use the Internet to spread. Similar to a virus, a worm self-replicates. Unlike a virus, a worm does not need human intervention to replicate. Worms have the ability to spread uncontrollably in a very brief period of time. Almost every computer system in the world is attached
26、to the same network.,Worms: Operation,A worm may spread because of a software vulnerability exploit: Takes advantage of the OS or an application program with program vulnerabilities that allow it to hide in a seemingly innocent data packet. A worm may also spread via e-mail. Mass mailing worms scan
27、the users contact list and mail themselves to every contact on such a list. In most cases the user must open an attachment to trigger the spreading of the worm (more like a virus).,Trojan horses,A Trojan Horse is a seemingly innocent application that contains malicious code that is hidden somewhere
28、inside it. Trojans are often useful programs that have unnoticeable, yet harmful, side effects.,Trojan horses: Operation (1),Embed a malicious element inside an otherwise benign program. The victim: receives the infected program, launches it, remains oblivious of the fact that the system has been in
29、fected. The application continues to operate normally to eliminate any suspicion.,Trojan horses: Operation (2),Fool users into believing that a file containing a malicious program is really an innocent file such as a video clip or an image. This is easy to do on MS Windows because file types are det
30、ermined by their extension as opposed to examining the file headers. E.g., “A Great Picture.jpg .exe” The .exe might not be visible in the browser. The Trojan author can create a picture icon that is the default icon of MS Windows for .jpg files.,Backdoors,A backdoor is malware that creates a covert
31、 access channel that the attacker can use for: connecting, controlling, spying, or otherwise interacting with the victims system.,Backdoors: Operation,Backdoors can be embedded in actual programs that, when executed, enable the attacker to connect to and to use the system remotely. Backdoors may be
32、planted into the source code by rogue software developers before the product is released. This is more difficult to get away with if the program is open source.,Mobile code,Mobile code is a class of benign programs that are: meant to be mobile, meant to be executed on a large number of systems, not
33、meant to be installed explicitly by end users. Most mobile code is designed to create a more active web browsing experience. E.g., Java applets, ActiveX controls.,Mobile code (Contd),Java scripts are distributed in source code form making them easy to analyze. ActiveX components are conventional exe
34、cutables that contain native IA-32 machine code. Java applets are in bytecode form, which makes them easy to decompile.,Mobile code: Operation,Web sites quickly download and launch a program on the end users system. User might see a message that warns about a program that is about to be installed an
35、d launched. Most users click OK to allow the program to run. They may not consider the possibility that malicious code is about to be downloaded and executed on their system.,Adware,Adware is a program that forces unsolicited advertising on end users. Adware is a new category of malicious programs t
36、hat has become very popular. Adware is usually bundled with free software that is funded by the advertisements displayed by the Adware program.,Adware: Operation (1),The program gathers statistics about the end users browsing and shopping habits. The data might be transferred to a remote server. The
37、n the Adware uses the information to display targeted advertisements to the end user.,Adware: Operation (2),Adware can be buggy and can limit the performance of the infected machine. E.g., MS IE can freeze for a long time because an Adware DLL is poorly implemented and does not use multithreading pr
38、operly. Ironically, buggy Adware defeats the purpose of the Adware itself.,Sticky software,Sticky software implements methods that prevent or deter users from uninstalling it manually. One simple solution is not to offer an uninstall program. Another solution in Windows involves: installing registry
39、 keys that instruct Windows to always launch the malware as soon as the system is booted. The malware monitors changes to the registry and replace the keys of they are deleted by the user. The malware uses two mutually monitoring processes to ensure that the user does not terminate the malware befor
40、e deleting the keys.,Future Malware,Todays malware is just the tip of the iceberg. The next generation of malware may take control of the low levels of the computer system (e.g., BIOS, Firmware). The antidote software will be in the control of the malware Also the theft of valuable information can r
41、esult in holding it for ransom.,Information-stealing worms,Present-day malware does not take advantage of cryptography much. Asymmetric encryption creates new possibilities for the creation of information-stealing worms. A worm encrypts valuable data on the infected system using an asymmetric cipher
42、 and hold the data as ransom.,Information-stealing worms:Operation,The Kleptographic worm embeds a public encryption key in its body. It starts encrypting every bit of valuable data on the host using the public key. Decryption of the data is impossible without the private key. Attacker blackmails th
43、e victim demanding ransom. Attacker exchanges the private key for the ransom while maintaining anonymity. Theoretically possible using zero-knowledge proofs Attacker proves that he has the private key without exposing it.,BIOS/Firmware Malware,Antivirus programs assume that there is always some trus
44、ted layer of the system. Nave antivirus programs scan the hard drive for infected files using the high-level file-system service. A clever virus can intercept file system calls and present to the virus with fake versions (original/uninfected) of the files on disk. Sophisticated antivirus programs re
45、side at a low enough level (in OS kernel) so that malware cannot distort their view of the system.,BIOS/Firmware Malware: Operations (1),What is the malware altered an extremely low level layer of the system? Most CPUs/hardware devices run very low-level code that implements each assembly language i
46、nstruction using low level instructions (micro-ops). The micro-ops code that runs inside the processor is called firmware. Firmware can be updated using a firmware-updating program.,BIOS/Firmware Malware: Operations (2),Malicious firmware can (in theory) be included in malware that defeats antivirus
47、 programs. The hardware will be compromised by the malicious firmware. Not easy to do in practice because firmware update files are encrypted (private key inside the processor).,Antivirus programs,Antivirus programs identify malware by looking for unique signatures in the code of each program (i.e.,
48、 potential virus) on a computer. A signature is a unique sequence of code found in a part of the malicious program. The antivirus program maintains a frequently updated database of virus signatures. The goal is for the database to contain a signature for every known malware program. Well known antiv
49、irus software includes: Symantec (http:/) McAfee (http:/),Polymorphic viruses,Polymorphism is a technique that thwarts signature-based identification programs. Polymorphic viruses randomly encode or encrypt the program code in a semantics-preserving way. The idea is to encrypt the code with a random
50、 key and decrypt it at runtime. Each copy of the code is different because of the use of a random key.,Polymorphic viruses: Decryption technique,A decryption technique that polymorphic viruses employ involves “XORing” each byte with a randomized key that was saved by the parent virus. The use of XOR-operations has the additional advantage that the encryption and decryption routine are the same: a xor b = c c xor b = a,
