CS5103 Software Engineering Lecture 18 Security Issues in Software Engineering & Final Exam.
Last class
  Delta debugging: motivation, algorithm, in practice
  Static bug detection: common bugs, FindBugs
Today’s class
  Security issues in software engineering: security threats
  Requirement engineering for security
  Design for security
  Coding for security: vulnerabilities
  Testing for security
Security Threats to Software
  Undermining usability (availability): DoS attacks; peculiar inputs that cause crashes, memory bloat, ...
  Information leakage: SQL injection, cross-site scripting, unencrypted data, side channels, ...
  Taking control of execution: OS command injection, cross-site scripting, return-oriented programming, ...
Requirement Engineering for Security
  Security properties in the specification
    Do users have different privileges for different functionality?
    Should some data be visible only to certain users?
    Do certain communications and data transfers happen over a trusted network or not?
  Potential sources of attack
    Can any user use the software?
    Does it have access to the Internet?
    What would be the motive for attacking the software?
  Risk of attacks
    Estimate the cost if the software is attacked successfully
    How important is the user data?
Design for Security
  The security techniques you choose to protect your software from attacks
  Input validation: at a single choke point, or at multiple points?
  Authentication: how credentials (passwords) are stored and transferred; store only a verifier (a salted password hash) rather than the password itself, and decide where the hashing happens
  Sensitive data: decide what data needs to be encrypted; minimize the data that is stored at all
  Encryption: minimize the length of the data flow before data reaches the encryption; use well-known, vetted algorithms rather than your own
  Auditing and logging
Buffer Overflow
  Many widely used languages (C, C++) are not memory safe
  You define a buffer, and it is your responsibility to keep your data inside it
  If you read or write outside a buffer:
    Semantic errors (wrong values)
    Crashes
    What else? Anything related to security?
  char buffer[12];
Review of OS course: call stacks
  Function calls are tracked by the call stack: each call pushes a stack frame holding the parameters, the return address and the callee's local variables, and each return pops that frame again
  The slide shows three snapshots of the stack: main alone; main then f (main has called f); main, f, then g (f has called g)
    #include <stdbool.h>
    #include <string.h>

    void f(char *data);
    bool g(void);

    int main(int argc, char **args) {
        int result;
        if (argc >= 2) {          /* first user-supplied argument; args[0] is the program name */
            f(args[1]);
        }
    }

    void f(char *data) {
        char buffer[12];
        strcpy(buffer, data);     /* copies until the NUL in data, however long data is */
        if (g()) {
            return;
        } else {
            …
        }
    }

    bool g(void) {
        ...
    }
Call stack of the function f, in the lecture's simplified layout (higher addresses at the top):
  Stack frame of main
  Return address: where to go back to, at the call site in main
  char* data: the parameter
  char[12] buffer: the local variable
  Un-allocated stack
(In the real 32-bit x86 calling convention the 4-byte slot between the buffer and the return address is the saved frame pointer, and the parameter sits above the return address; the order in which an overflow reaches the return address is the same.)
Feed in a valid input
  Example: "username" (8 characters plus the terminating \0, 9 bytes) fits in the 12-byte buffer
  Buffer contents: u s e r | n a m e | \0 ...; the parameter data, the return address and the frame of main are untouched
Feed in an invalid input
  Example: "usernameusername" (16 characters plus \0)
  The first 12 characters fill the buffer; the next 4 overwrite the slot holding the parameter data, so data is no longer usable
  The terminating \0 lands in the return address, so f cannot return normally
  Still just a bug: a minor security problem that undermines usability (a crash)
Feed in a malicious input
  Idea: feed in an input of 20 characters
    The last 4 bytes overwrite the return address
    When f() returns, execution continues at the address we specified
  Consider that the program is on a server handling user requests
  How to make this possible? Where do we put our code, and how do we make the return address point to it?
Feed in a malicious input
  Use the buffer itself to store the code (the payload)
  Set the return address to the address of the buffer
  Example: run exec("/bin/sh") to open a shell
  Translate it to machine code; the slide sketches the payload in a MIPS-like notation:
    mov $a0 15
    mov $a1 data
    syscall
    data: /, b, i, n, /, s, h
  The payload bytes (0x20, 0x42, 0x00, ...) fill the buffer, and the final 4 bytes of the input overwrite the return address with the buffer's own address
Feed in a malicious input
  Other issues
    How to know the address of buffer[]? Programs execute in virtual memory, so install the software locally and inspect the memory state; the address is the same on the target
    Buffer too small to hold your code? Use the return address to jump into the stack frame of the parent function, where there is more room
  (Modern systems counter exactly this recipe with address-space layout randomization and non-executable stacks, which is why the threats slide also lists return-oriented programming.)
The state of practice
  Buffer overflow is very common in C / C++ programs
  About 50% of new attacks are related to buffer overflow
  Memory-safe languages such as Java do not have this problem, so why do we still have it?
    Large amounts of deployed code are written in C / C++
    Known bugs keep being exploited from time to time
How to deal with buffer overflow
  Boundary checks on input-reachable buffers: not so easy in practice
    Check in too many places: slows the software down
    Check in too few places: buffer overflow risk remains
  Automatic support
    Buffer overflow detection: libsafe, StackGuard, ...
    Runtime protection: weak memory safety (e.g. bounds checks added at run time)
    Runtime protection: split stack (return addresses kept on a separate stack that a data overflow cannot reach)
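Boundary checking in code, as an added example that is not the lecture's code: the slide's vulnerable f() beside a hardened version that rejects over-long input at the single point where untrusted data enters the 12-byte buffer, instead of silently truncating it. The function names (f_vulnerable, copy_bounded, f_safe) and the sample inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 12   /* the same 12-byte buffer as the slide's f() */

/* The slide's vulnerable pattern.  strcpy() stops only at the NUL in
 * `data`, so any input of 12 or more characters writes past `buffer`
 * into whatever the compiler placed above it on the stack.  Kept only
 * to show the shape of the bug; it is never called here. */
void f_vulnerable(const char *data)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, data);            /* no bound on the copy length */
    printf("%s\n", buffer);
}

/* Length of `s`, scanning at most `limit` bytes (a portable strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Boundary-checked copy: reject input that does not fit together with its
 * NUL terminator rather than truncating it (a truncated "usernameusername"
 * would be a different, still wrong, username).
 * Returns 0 on success, -1 if the input was rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = bounded_len(src, dst_size);
    if (n == dst_size)               /* >= dst_size chars: no room for the NUL */
        return -1;
    memcpy(dst, src, n + 1);         /* n < dst_size, so the terminator fits */
    return 0;
}

/* Hardened f(): same buffer, but the copy is checked once, at the one
 * place where untrusted data enters it.  Returns the number of characters
 * accepted, or -1 if the input was rejected. */
int f_safe(const char *data)
{
    char buffer[BUF_SIZE];
    if (copy_bounded(buffer, sizeof buffer, data) != 0)
        return -1;
    return (int)strlen(buffer);
}

int main(void)
{
    /* Constructed inputs mirroring the slides: the valid one, the 16-char
     * one that reaches the data slot, and the 20-char one that would reach
     * the return address. */
    const char *inputs[] = { "username", "usernameusername", "usernameusernameuser" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s -> %d\n", inputs[i], f_safe(inputs[i]));
    return 0;
}
```

The check lives in copy_bounded, so every buffer that is fed from input can reuse it; that is the "single point" choice from the design slide, and it keeps the slow-down of checking bounded to one comparison per copy.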
Injection
  Directly injecting user input into code that will be executed
    SQL injection: inject code into SQL queries
    OS injection: inject code into OS commands
  Data flow: User Input -> Software -> OS / Database
SQL Injection: an example
  A student information system
  You can query your grade for a certain course, year, ...
  You log in to your session and say you are going to search for the grade of "CS5103"
  What does the server do?
  Data flow: UI -> HTTP request (Session.Username, CS5103) -> Server builds the query
    select * from Grade where username = 'you' and course = 'CS5103'
  -> Database -> query results -> HTTP response -> UI
SQL Injection: the malicious input
  We want to inject code into the SQL query, say to turn it into "select * from Grade" (everybody's grades)
  That is equivalent to "select * from Grade where username = 'you' and course = 'CS5103' or 'a' = 'a'": AND binds tighter than OR, so the condition is (username = 'you' and course = 'CS5103') OR true, which matches every row
  So instead of CS5103 we send the course string  CS5103' or 'a'='a  and let the server append its own closing quote
  Data flow: UI -> HTTP request (Session.Username, CS5103' or 'a'='a) -> Server builds the query
    select * from Grade where username = 'you' and course = 'CS5103' or 'a'='a'
  -> Database -> query results for the whole table (WOW!) -> HTTP response -> UI
OS Injection
  Quite similar. Consider a server that creates a directory for each new user by running exec("mkdir path/to/" + username) through a shell
  What username should you make up? An example:
    HahaGotyou | /bin/sh
  The shell reads "|" as a pipe and starts /bin/sh as a second command; any shell metacharacter (";", "&&", backticks) works the same way
  Data flow: User Input -> Server -> OS command
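The hardened counterpart, as an added example that is not from the lecture: it keeps the slide's mkdir("path/to/" + username) shape, but allowlists the username and then calls mkdir(2) directly, so no shell ever parses the name. The base path "path/to" (from the slide), the 32-character limit, the allowed character set and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The slide's vulnerable shape: the username becomes part of one command
 * string handed to a shell.  The shell, not mkdir, interprets "|", ";",
 * "$(...)" and friends, so "HahaGotyou | /bin/sh" runs a second command.
 * Shown for contrast only; it is never called here. */
int make_user_dir_unsafe(const char *username)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "mkdir path/to/%s", username);
    return system(cmd);        /* /bin/sh -c "mkdir path/to/HahaGotyou | /bin/sh" */
}

/* Allowlist check (assumed policy): a username is 1..32 characters from
 * [A-Za-z0-9_-], not starting with '-' (so it cannot be parsed as an
 * option) or '.' (so "..", hidden names and path traversal are impossible). */
int username_is_safe(const char *username)
{
    size_t len = strlen(username);
    if (len == 0 || len > 32)
        return 0;
    if (username[0] == '-' || username[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)username[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Build "<base>/<username>" only for an allowlisted name.
 * Returns 0 and fills `out`, or -1 (leaving `out` empty) if rejected. */
int user_dir_path(const char *base, const char *username, char *out, size_t out_size)
{
    out[0] = '\0';
    if (!username_is_safe(username))
        return -1;
    int n = snprintf(out, out_size, "%s/%s", base, username);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hardened version: validate, then call mkdir(2) directly.  No shell is
 * involved, so there is nothing left to inject into. */
int make_user_dir_safe(const char *base, const char *username)
{
    char path[512];
    if (user_dir_path(base, username, path, sizeof path) != 0)
        return -1;
    return mkdir(path, 0700);  /* owner-only; -1 with errno set on failure */
}

int main(void)
{
    /* Constructed inputs: an honest username, the slide's payload, a traversal attempt. */
    const char *names[] = { "alice", "HahaGotyou | /bin/sh", "../../etc" };
    for (size_t i = 0; i < 3; i++) {
        char path[512];
        int rc = user_dir_path("path/to", names[i], path, sizeof path);
        printf("%-24s -> %s\n", names[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

The two halves of the fix are independent: even if a metacharacter slipped through the allowlist, mkdir(2) receives the bytes as a file name and never as a command, and even if a shell were unavoidable, the allowlist leaves it nothing to interpret.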
Injection Protection
  Injection works by passing user input into back-end engines (the database, the shell)
  Can we simply cut off that path? Definitely not: the functionality depends on it
  So we have to filter (validate) the input; for SQL the robust form is a parameterized query, where the value is sent to the database separately from the query text and is never parsed as SQL
  We are going to work on the example:
    select * from Grade where username = 'you' and course = 'CS5103' or 'a' = 'a'
User Input Filtering
  What to filter?
    "or"? Deleting it in one pass is bypassed by "oorr": removing the inner "or" leaves "or"
    Spaces? Bypassed by using /**/ (an SQL comment, which the parser treats as whitespace) as the separator
    Quotes? A little more difficult, but a numeric field needs no quotes: search by year and use  year = 2009 or 1=1
  Blocklists like these keep losing; accept only the shape you expect (an allowlist) and, for SQL, keep values out of the query text altogether
  Want more? See
  http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
  Target query: select * from Grade where username = 'you' and course = 'CS5103' or 'a' = 'a'
Final Exam
  Time: Dec 18th 6:00pm to 8:30pm
  Location: FLN 3.02.07
  Form: closed book exam, 100 points total
  Accounts for 30% of the course grade
  15 multiple choice questions * 3 points each: single answer
  5 multiple choice questions * 4 points each: multiple answers
  3-4 question & answer, 35 points in total
Covered Course Contents
  Must (*): this knowledge point will definitely be covered in the final exam
  May (?): this knowledge point may be covered in the final exam
  Not mentioned in this outline: the final exam will not cover this knowledge point
Software process models
  Features of Waterfall model ?
  Features of Iterative model ?
  Features of Agile software development & Extreme programming *
  Major differences between these models *
  Usage scenarios of the different models ?
Requirement Engineering
  Find stakeholders ?
  Types of requirements *
  Major requirement elicitation approaches ?
  Natural language specifications and finding problems in the specifications *
  Use case diagram ?
  Actors and relationships between use cases ?
System Modeling
  Class diagram *
    Draw class diagrams *
    Relationships between classes *
    Generalization, aggregation, composition, association and their differences *
    Multiplicity and role names ?
Software Architecture
  Major software architecture styles *
    Pipe and filter ?
    Layered ?
    Their differences and usage scenarios *
Software Design
  Design patterns *
    Structure and types ?
    Composite pattern ?
    Factory pattern ?
    Visitor pattern ?
Versioning
  Diff *
    Know what a diff between two files should look like ?
    Know how applying a diff works ?
    Know what diff to apply for pull / update ?
  Conflict ?
    Know how to detect a conflict ?
  Branch *
    Know how to merge branches by applying diffs ?
    Branch strategies and their pros / cons ?
Software licences
  Know the major software licenses ? GPL, LGPL, Apache, BSD, ...
  Know the difference between permissive licenses and copyleft licenses *
  Know the main idea of GPL and its difference from LGPL ?
Coding Styles
  Coding style rules for all levels *
    Identifier / constant ?
    Expression ?
    Statements ?
    Blocks ?
    Comments ?
  Finding coding style errors in given code *
  Understand the goal and concept of software refactoring ?
Software Testing
  Concepts and terms in software testing *: test case, test suite, test oracle, ...
  Unit testing *
    Working process of JUnit ?
    What are good ways to write assertions ?
    What are good ways to do the tearing down ?
Software Testing
  Test coverage *
    Understand statement coverage, branch coverage and path coverage, and calculate coverage for a given test case and code *
    Understand input combination coverage, and calculate coverage for a given model and test case *
    Understand mutations and mutation coverage ?
Software Testing
  Regression testing ?
    Know the ways to reduce testing effort in regression testing ?
    Understand what APFD is, and know how the total and additional strategies work ?
Software Debugging
  Delta debugging *
    Understand how basic delta debugging works ?
    Know how to handle interference and multiple interference ?
    Understand the limitations of delta debugging ?