Post on 03-Feb-2022
Web App Security I
A Guide for Your Presentation
• Goals
  – In 2-3 sentences, state the goals
• Why is this paper interesting?
• Related Work
  – Why is it different?
• Assumptions
  – What are they?
  – Are they realistic?
  – What kind of environment do they represent?
• Basic concepts
  – Key components that make it work
• Experiment
  – What is the objective?
  – What are the input/output parameters?
• Takeaway Slide
  – How can it benefit listeners? Reusable concepts?
Example
• Title
  – Phalanx: Withstanding Multimillion-Node Botnets
• Goal
  – Defend against multimillion-node botnets using indirection infrastructure, with a focus on deployability
• Why this paper is interesting
  – Deployable DDoS defenses are rare
  – Multimillion-node botnets are real threats
  – Creates a good "botnet" to fight against bad ones
Example (cont.)
• Related Work
  – Low deployability since reliant on changes to "ossified" routers
  – Have not considered botnets of this magnitude
• Assumptions
  – The total resources of the good botnet are greater than those of multimillion-node bad botnets
Example (cont.)
• Concepts
  – Embed code in P2P clients, e.g., BitTorrent
  – Accumulate P2P clients to form a good botnet
  – P2P clients become indirection infrastructure
  – Protect the server from direct connectivity through ISP filtering
• Experiment
  – …..
• Takeaway slide
  – Limited ISP filtering at server locations seems deployable and effective
  – Embed code in software with a large install base
Quick Check I
• What is SOX?
• What year was SOX introduced?
• Why was SOX introduced?
• Why is SOX the CSO's best friend?
SOX: CSO's Best Friend
Cartoon, Pre-SOX:
  CSO: "I need money to secure our systems."
  CFO: "Sorry, the money is for business expansion."
Cartoon, Post-SOX:
  CFO: "Our system security is secure, but here's money to enhance it."
  CSO: "No more begging."
SOX Quick Facts
• In every quarterly report filed with the Securities and Exchange Commission (SEC), the CEO and CFO sign certifications that systems conform to the Sarbanes-Oxley Act (SOX)
• Under SOX, 600 corporate fraud convictions, involving more than 1,000 corporate executives
How can one ensure that the hundreds of different systems, each with different configuration and applications running, are secure?
Security Benchmark
Cartoon:
  Vendor: "We can scan for 35 DB vulnerabilities."
  CSO: "We need a security scanner that finds known vulnerabilities."
  Vendor: "We can scan for buffer overflow on Supa-DB from ver 1 to 35."
  CSO: "This is good for our Oracle DB."
Quick Check II
• What is CVE?
• Who manages CVE?
• What is CVE used for?
• What else do they manage?
Measurable Security
• Making Security Measurable (MSM)
  – Standardized enumeration
    • Shared concepts (vulnerability/weakness descriptions)
  – Language
    • Find concepts
    • Communicate concepts H2H, T2H, H2T, T2T
  – Repositories
    • Sharing of information on concepts
  – Uniformity of adoption
    • Branding programs to ensure conformance and interoperability
MSM
• Goal
  – Facilitate the use of automation to assess, manage, and improve security
  – Foster effective security process coordination across the adopting organizations
  – Choice of tools and interoperability
MSM Efforts (http://measurablesecurity.mitre.org/)
MSM: Contribution
• Info on standard concepts in a repository
• High-fidelity info transfer by using a standard language
• Interoperability with other systems
• Automated security with clearly defined standards and no lock-in to proprietary tools/concepts
MSM: Security Config & Mgmt
Figure courtesy of Robert Martin (MILCOM 2008)
MSM
• Capture how your organization has configured and set up a new system when it has been approved for use in your enterprise
• Make sure the new system continues to be configured the way it was approved
• Ensure that it remains secure in the face of new threats and vulnerabilities
Security Content Automation Protocol (SCAP)
Table (courtesy of NIST 2007) mapping each SCAP component to the roles Enumeration, Evaluation, Measuring, Reporting and Content: CVE, CCE, CPE, OVAL and CVSS each fill two of these roles, XCCDF three.
Integrating IT and IT Security through SCAP
Diagram (courtesy of NIST 2007): SCAP ties Asset Management, Vulnerability Management and Configuration Management together through six components:
• CVE: unique vulnerability ID
• CPE: unique platform ID
• CCE: unique configuration ID
• XCCDF: collection of CCE that applies to a CPE, with OVAL checks
• OVAL: rules to define CCE and CVE checks
• CVSS: scoring system
CVE: Common Vulnerabilities and Exposures Enumeration
• What is it?
  – A list of security vulnerabilities and exposures
• Goal
  – Make it easier to share data across separate databases, tools, and services using a common ID
  – Baseline for evaluating the coverage of your tools
Trivia
• Does CVE tell you how to fix the problem?
CVE Entry
• CVE identifier number
  – E.g., "CVE-1999-0067"
• Status
  – "entry" or "candidate"
• Brief description
  – Description of the security vulnerability or exposure
• Any pertinent references
  – Vulnerability reports and advisories, or an OVAL-ID
Example CVE Entry
• CVE ID
  – CVE-2002-0649
• Status
  – Candidate
• Description
  – Multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE) allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 …..
• References
  – BUGTRAQ: 20030125 Fw: MS SQL WORM IS DESTROYING INTERNET
    • URL: http://www.securityfocus.com/archive/1/archive/1/308321/30/26180/threaded
  – MS: MS02-039
    • URL: http://www.microsoft.com/technet/security/bulletin/ms02-039.asp
  – CERT: CA-2002-22
    • URL: http://www.cert.org/advisories/CA-2002-22.html
CVE Usage: Share Data (Vuln Scan and Repository)
Figure courtesy of http://www.securityfocus.com/infocus/1759
Search/retrieve info using CVE
CVE Usage: Baseline for Comparison
• OpenVAS products are Free Software under the GNU GPL and a fork of Nessus
Baseline for comparison and tool selection
Figure courtesy of Laboratory for Systems and Systems, University of Zagreb
CPE: Common Platform Enumeration – Use Case
• A software inventory management product vendor uses CPE Names to tag data elements within their product's data model
• Enables their product to interoperate with different tools
CPE Specification
• Includes:
  – Naming syntax for CPE Names
  – Language for describing complex platforms
  – Algorithm for matching
  – XML schema for binding descriptive and diagnostic information to a name
CPE Naming Syntax
CPE Usage
• Represent the individual software products that exist on an end system
• Implies a relationship to the software product
  – Configuration check
  – Vulnerability check
  – Patch check/patch
  – Configuration control change
CPE Example in CPE Dictionary
• CPE Dictionary:
  – Official collection of CPE Names
  – Binds descriptive prose and diagnostic tests to a CPE Name, e.g., an OVAL check

  <cpe-item name="cpe:/a:microsoft:ie:7">
    <title>Microsoft Internet Explorer 7</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="fdcc-ie7-cpe-oval.xml">oval:gov.nist.fdcc.ie7:def:627</check>
  </cpe-item>

Annotations: the name attribute is the CPE Name; the title is the human-readable description; the check is the OVAL check (an example registry check for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version)
CPE Complex Platform Example

  <cpe:platform id="456">
    <cpe:title>Sun Solaris 5.8 or 5.9 or 5.10</cpe:title>
    <cpe:logical-test operator="OR" negate="FALSE">
      <cpe:fact-ref name="cpe:/o:sun:solaris:5.8" />
      <cpe:fact-ref name="cpe:/o:sun:solaris:5.9" />
      <cpe:fact-ref name="cpe:/o:sun:solaris:5.10" />
    </cpe:logical-test>
  </cpe:platform>
CPE Matching Example
• The OVAL definition in the CPE dictionary determines that the system consists of
  – K = {"cpe:/o:microsoft:windows_2000::sp3:pro", "cpe:/a:microsoft:ie:5.5"}
• A security guidance checklist describes some settings for Microsoft Windows 2000
  – X = "cpe:/o:microsoft:windows_2000"
  – Part = "o", Vendor = "microsoft", Product = "windows_2000"
• X matches K's 1st member, so the guidance applies
CPE Complex Matching
• Two differences
  – The rule to match X utilizes the CPE Language
  – Instead of matching any member in K, it needs to match all

  K = {"cpe:/o:sun:sunos:5.9:::en-us", "cpe:/a:bea:weblogic:8.1"}

  X = <cpe:platform id="123">
        <cpe:title>Sun Solaris 5.8 or 5.9 with BEA Weblogic 8.1 installed</cpe:title>
        <cpe:logical-test operator="AND" negate="FALSE">
          <cpe:logical-test operator="OR" negate="FALSE">
            <cpe:fact-ref name="cpe:/o:sun:solaris:5.8" />
            <cpe:fact-ref name="cpe:/o:sun:solaris:5.9" />
          </cpe:logical-test>
          <cpe:fact-ref name="cpe:/a:bea:weblogic:8.1" />
        </cpe:logical-test>
      </cpe:platform>
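Both matching procedures on the two slides above, as an added example in Python (not code from the slides or from MITRE): simple matching of one CPE Name against the system's set K, and complex matching that evaluates a CPE Language logical-test tree. The namespace URI and the platform XML are assumptions; note that the slide's K lists the product as sunos while its fact-refs say solaris, so a literal component matcher would reject that pair, which is why the constructed platform here uses sunos throughout.

```python
"""CPE 2.2 simple and complex (CPE Language) matching.
Added example, not code from the slides or from MITRE; the namespace URI and the
constructed platform XML below are assumptions."""
import xml.etree.ElementTree as ET

CPE_LANG_NS = "{http://cpe.mitre.org/language/2.0}"  # assumed CPE Language 2.0 namespace

def cpe_components(name):
    """Split a CPE 2.2 URI into its seven components, padding omitted ones with ''."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    return (name[len("cpe:/"):].split(":") + [""] * 7)[:7]

def name_matches(x, k):
    """X matches K when every component X specifies equals K's; empty or omitted
    components of X are wildcards (windows_2000 matches windows_2000::sp3:pro, not vice versa)."""
    return all(xc in ("", kc) for xc, kc in zip(cpe_components(x), cpe_components(k)))

def matches_any(x, known):
    """Simple matching: X applies when it matches at least one member of K."""
    return any(name_matches(x, k) for k in known)

def eval_logical_test(elem, known):
    """Complex matching: evaluate a <cpe:logical-test> tree (AND/OR, negate) over K."""
    tag = elem.tag.split("}")[-1]
    if tag == "fact-ref":
        return matches_any(elem.get("name"), known)
    if tag != "logical-test":
        raise ValueError(f"unexpected element <{tag}>")
    results = [eval_logical_test(child, known) for child in elem]
    value = all(results) if elem.get("operator") == "AND" else any(results)
    return (not value) if elem.get("negate", "FALSE").upper() == "TRUE" else value

def platform_applies(platform_xml, known):
    """True when the <cpe:platform>'s logical-test is satisfied by the system's K."""
    platform = ET.fromstring(platform_xml)
    return eval_logical_test(platform.find(CPE_LANG_NS + "logical-test"), known)

# Constructed platform modelled on the slide's id="123", product spelled "sunos" to agree with K.
PLATFORM_123 = """<cpe:platform xmlns:cpe="http://cpe.mitre.org/language/2.0" id="123">
  <cpe:title>Sun Solaris 5.8 or 5.9 with BEA Weblogic 8.1 installed</cpe:title>
  <cpe:logical-test operator="AND" negate="FALSE">
    <cpe:logical-test operator="OR" negate="FALSE">
      <cpe:fact-ref name="cpe:/o:sun:sunos:5.8"/>
      <cpe:fact-ref name="cpe:/o:sun:sunos:5.9"/>
    </cpe:logical-test>
    <cpe:fact-ref name="cpe:/a:bea:weblogic:8.1"/>
  </cpe:logical-test>
</cpe:platform>"""
```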
CPE: Functional vs. Technical
• CPE naming is based on a functional definition, NOT a technical definition
  – Linux distro A with Apache ver. B
  – Linux distro C with Apache ver. B
  – Technically, the CPE name for Apache ver. B is the same
  – Functionally, who should be providing the patch means the CPE name may be different
CPE: Issue with Scope (Unsupported Use)
• Network-based Discovery
  – Assets discovered by scanning
  – Partial info, so it needs to be categorized under functionality etc.
• Forensics Analysis/Software Architecture
  – Lower-granularity tagging
  – DLLs, hard disk clusters, stack
• IT Management
  – Categorize assets based on functionality
CCE: Common Configuration Enumeration
• What is it?
  – Unique IDs for configuration guidance statements and configuration controls
  – Configuration guidance statement
    • The "account lockout threshold" setting should be set to 3
  – Configuration control
    • The account policy settings, such as the account lockout threshold setting
• Goal
  – Quickly correlate configuration data across multiple information sources and tools
CCE Entry
• CCE Identifier Number
  – "CCE-2715-1"
• Description
  – Description of the configuration issue
• Conceptual Parameters
  – Parameters needed to implement a CCE
• Associated Technical Mechanisms
  – Any given configuration issue has one or more ways to implement the desired result
• References
  – Pointers to documents that have details of the configuration issue
CCE Windows Vista Platform Group Extract

CCE ID      CCE Description                                                                    CCE Parameters          CCE Technical Mechanisms
CCE-2715-1  The "reset account lockout counter after" policy should meet minimum requirements.  (1) number of minutes   (1) defined by Local or Group Policy
CCE-2363-0  The "account lockout duration" policy should meet minimum requirements.             (1) number of minutes   (1) defined by Local or Group Policy
CCE-3177-3  The "account lockout threshold" policy should meet minimum requirements.            (1) number of attempts  (1) defined by Local or Group Policy
Extensible Configuration Checklist Description Format (XCCDF)
• Specification language for writing security checklists, benchmarks, etc.
• An XCCDF document represents:
  – A structured collection of security configuration rules
  – For some set of target systems
• Supports information interchange, automated compliance testing, and compliance scoring
XCCDF: Example

  <Benchmark id="fdcc-ie-7" resolved="0" xml:lang="en" …
    …
    <title>FDCC: Guidance for Securing Microsoft Internet Explorer 7 for IT Professionals</title>
    <description>This guide has been created to assist IT professionals in effectively securing systems with Microsoft Internet Explorer 7 installed.</description>
    …
    <Profile id="all_800_53" abstract="true">
      <title>800-53 All</title>
      …
      <select idref="CM-1" selected="true"/>
      <select idref="CM-2" selected="true"/>
      …
    </Profile>

Annotation: the Profile is a collection of checks

XCCDF: Example (cont.)

    <Profile id="federal_desktop_core_configuration_version_1.2.0.0" extends="all_800_53">
      <select idref="DisableAutomaticInstallOfIEComponents_LocalComputer" selected="true"/>
    </Profile>
    …
    <Group id="core-policy">
      …
      <Rule id="DisableAutomaticInstallOfIEComponents_LocalComputer" selected="false" weight="10.0">
        <title>Disable Automatic Install of Internet Explorer Components - Local Computer</title>
        …
        <requires idref="SI-3"/>
        <requires idref="SI-7"/>
        <ident system="http://cce.mitre.org">CCE-3518-8</ident>
        …
          <check-content-ref href="fdcc-ie7-oval.xml" name="oval:gov.nist.fdcc.ie7:def:1198"/>
        </check>
      </Rule>

Annotations: the second Profile extends the existing check collection; the Rule is a new check with a CCE ID and the corresponding OVAL check
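What the extends/select mechanism on the two slides above amounts to when a tool resolves a Profile, as an added example in Python (not code from the slides, NIST or the FDCC content): the benchmark string is a constructed, namespace-free miniature of the slide's structure, and every profile and rule id other than the two taken from the slide is made up.

```python
"""Which Rules does an XCCDF Profile select once `extends` chains and <select>
overrides are applied? Added example, not code from the slides or the FDCC
content; the benchmark is a constructed, namespace-free miniature."""
import xml.etree.ElementTree as ET

BENCHMARK = """<Benchmark id="fdcc-ie-7" resolved="0">
  <Profile id="all_800_53" abstract="true">
    <select idref="core-policy" selected="true"/>
  </Profile>
  <Profile id="fdcc_1.2.0.0" extends="all_800_53">
    <select idref="DisableAutomaticInstallOfIEComponents_LocalComputer" selected="true"/>
  </Profile>
  <Profile id="no_core_policy" extends="fdcc_1.2.0.0">
    <select idref="core-policy" selected="false"/>
  </Profile>
  <Group id="core-policy">
    <Rule id="DisableAutomaticInstallOfIEComponents_LocalComputer" selected="false" weight="10.0">
      <ident system="http://cce.mitre.org">CCE-3518-8</ident>
    </Rule>
    <Rule id="ConstructedRule_DefaultOn" weight="5.0"/>
  </Group>
  <Rule id="ConstructedRule_TopLevel" weight="1.0"/>
</Benchmark>"""

def profile_selections(bench, profile_id):
    """idref -> selected flag; the parent's selectors come first so the child's win."""
    profile = bench.find(f"Profile[@id='{profile_id}']")
    if profile is None:
        raise KeyError(f"no Profile with id {profile_id!r}")
    parent = profile.get("extends")
    sel = profile_selections(bench, parent) if parent else {}
    for s in profile.findall("select"):
        sel[s.get("idref")] = s.get("selected") == "true"
    return sel

def selected_rules(benchmark_xml, profile_id):
    """{rule id: weight} for Rules selected under the profile: an item's own selected
    attribute (XCCDF default "true") applies unless the profile overrides it, and a
    Rule inside an unselected Group is never selected."""
    bench = ET.fromstring(benchmark_xml)
    sel = profile_selections(bench, profile_id)

    def walk(node, parent_on):
        for item in node:
            on = parent_on and sel.get(item.get("id"), item.get("selected", "true") == "true")
            if item.tag == "Rule" and on:
                yield item.get("id"), float(item.get("weight", "1.0"))
            elif item.tag == "Group":
                yield from walk(item, on)

    return dict(walk(bench, True))
```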
Open Vulnerability and Assessment Language (OVAL)
• Goals
  – Promote open and publicly available security content
  – Standardize this information transfer across security tools and services
OVAL Components
• Language
  – Standardizes 3 steps of the assessment process:
    • Represent configuration information of systems for testing (System schema)
    • Analyze the system for the presence of a specified machine state (vulnerability, configuration, patch state, etc.) (Definition schema)
    • Report the results of this assessment (Results schema)
• Repository
  – Collections of publicly available and open content that utilize the language
OVAL
• Why OVAL?
  – No means to determine the existence of software vulnerabilities, configuration issues, programs, and/or patches in local systems
  – Information was available as text-based vulnerability descriptions, but these were laborious and error-prone to interpret
  – Assessment tools do not reveal how they detect vulnerabilities, so false positives cannot be verified
OVAL ID
• Format: "oval:OrganizationDNSName:IDType:IDValue"
  – OrganizationDNSName, e.g., 'org.mitre.oval'
  – IDType: def – Definition, obj – Object, ste – State, tst – Test, or var – Variable
  – IDValue: integer unique to the DNS name and IDType pair that precedes it, e.g., oval:org.mitre.oval:def:1115 or oval:com.redhat.rhsa:def:20060742.
OVAL Definition Example: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1115
Figure annotations: Metadata; Criteria for vulnerability; Checks for criteria; Check details
OVAL Definition XML

  <metadata>
    <title>IE6,SP2 PNG Image Buffer Overflow</title>
    <affected family="windows">
      <platform>Microsoft Windows XP</platform>
      <product>Microsoft Internet Explorer</product>
    </affected>
    <reference source="CVE" ref_id="CVE-2005-1211" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1211"/>
    <description>
      Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.
    </description>
  …
  <criteria operator="AND">
    <criteria comment="Software section" operator="AND">
      <criterion comment="Internet Explorer 6.0 Installed XP SP2" negate="false" test_ref="oval:org.mitre.oval:tst:2403"/>
      <criterion comment="the version of mshtml.dll is less than 6.0.2900.2668" negate="false" test_ref="oval:org.mitre.oval:tst:1150"/>
      …
    </criteria>
    <criteria comment="Configuration section" operator="AND">
      <criterion comment="PNG image rendering enabled in Internet Explorer" negate="false" test_ref="oval:org.mitre.oval:tst:2749"/>
    </criteria>
  </criteria>
  …
  <registry_test id="oval:org.mitre.oval:tst:2750" version="1" comment="the patch kb883939 is installed" check_existence="at_least_one_exists" check="at least one">
    <object object_ref="oval:org.mitre.oval:obj:1578"/>
    <state state_ref="oval:org.mitre.oval:ste:2571"/>
  </registry_test>
  …
  <registry_object id="oval:org.mitre.oval:obj:1578" version="1">
    <hive>HKEY_LOCAL_MACHINE</hive>
    <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB883939</key>
    <name>Installed</name>
  </registry_object>
OVALResults
Common Vulnerability Scoring System (CVSS)
• Vendor-agnostic, industry open standard to convey vulnerability severity and help determine urgency and priority of response
• Solves the problem of multiple, incompatible scoring systems
CVSS
• Derived from metrics and formulas
• Metrics fall into three distinct categories and are quantitative or qualitative
  – Base Metrics
    • Qualities that are intrinsic and do not change over time or in different environments
  – Temporal Metrics
    • Characteristics which evolve over the lifetime of the vulnerability
  – Environmental Metrics
    • Characteristics which are tied to a specific user's environment
CVSS Scoring Process
Figure: Severity, Urgency, Priority
Base Metrics
• Access Vector
  – How remote an attacker can be to attack a target
    • Local, Adjacent network, Network
• Access Complexity
  – Complexity of attack
    • High: Specialized conditions, e.g., race condition, rare configuration or social engineering
    • Medium: Somewhat specialized
• Authentication
  – Number of times authentication is needed in order to exploit the vulnerability
• CIA Impact
Temporal Metrics
• Exploitability
  – How complex it is to exploit the vulnerability
    • Unproven: No exploit code is yet available
    • Proof of Concept: Proof-of-concept exploit code is available
• Remediation Level
  – Level of an available solution
• Report Confidence
  – Degree of confidence in the existence of the vulnerability and the credibility of its report
Environmental Metrics
• Collateral Damage Potential
  – Potential for a loss of life or physical assets
• Target Distribution
  – Percentage of vulnerable systems
• Security Requirements
  – Customized depending on the criticality of the affected IT asset
    • Greater weight to availability if an asset supports a business function