CS5103 Software Engineering Lecture 18 Security Issues in Software Engineering & Final Exam.


Transcript of CS5103 Software Engineering Lecture 18 Security Issues in Software Engineering & Final Exam.

CS5103 Software Engineering
Lecture 18: Security Issues in Software Engineering & Final Exam

Last class

Delta Debugging: motivation, algorithm, in practice
Static Bug Detection: common bugs, FindBugs

Today's class

Security Issues in Software Engineering:
  Security threats
  Requirement engineering for security
  Design for security
  Coding for security (vulnerabilities)
  Testing for security

Security Threats to Software

Undermine usability: DOS attacks; peculiar inputs causing crashes, bloats, ...
Information leaking: SQL injection, cross-site scripting, unencrypted data, side channels, ...
Command and control: OS injection, cross-site scripting, return-oriented programming, ...

Requirement Engineering for Security

Security properties in the specification:
  Do users have different privileges for using functionalities?
  Should some data be seen only by certain users?
  Do certain communications and data transfers happen in a safe network or not?
Potential sources of attacks:
  Can any user use the software?
  Does it have access to the Internet?
  What is the motive for attacking the software?
Risk of attacks:
  Estimate the cost if the software is attacked successfully.
  How important is the user data?

Design for Security

The security techniques you choose to protect your software from attacks:
  Input validation: at a single point, or at multiple points?
  Authentication: how to store and transfer credentials (passwords): where to do the encryption, or store only a verifier instead of the password
  Sensitive data: decide what data needs to be encrypted; minimize the data to be stored
  Encryption: minimize the length of the data flow before the data reaches the encryption; use known encryption algorithms
  Auditing and logging

Coding for Security

Avoid common vulnerabilities:
  Buffer overflow
  Injection
  Cross-site scripting

Buffer Overflow

Many languages (C, C++) are memory unsafe: you define a buffer, and it is your responsibility to keep your data inside the buffer.
If you read or write to a place outside a buffer: semantic errors, crashes. What else? Anything related to security?

    char buffer[12];

Review of OS course: call stacks

Function calls are traced by call stacks.

[Figure: three snapshots of the call stack, each frame holding local variables, parameters and a return address: (1) main only; (2) main with the frame of f on top; (3) main, f, and the frame of g on top.]

    #include <stdbool.h>
    #include <string.h>

    bool g(void);

    void f(char *data) {
        char buffer[12];
        strcpy(buffer, data);   /* no length check: copies as many bytes as data holds */
        if (g()) { return; }
        else { /* ... */ }
    }

    bool g(void) {
        /* ... */
        return true;            /* placeholder body; the slide elides it */
    }

    int main(int argc, char **args) {
        int result;
        if (argc >= 1) { f(args[0]); }
    }

Call stack of the function f

The local variable buffer, the parameter data, and the return address to go back to the call site in the main function.

[Figure: stack frame of f, showing char[12] buffer, the parameter char* data and the return address, next to the stack frame of main and the unallocated stack.]

Feed in a valid input

Example: "username" (8 characters plus the terminating \0, which fit in the 12-byte buffer).

[Figure: the buffer holds "user", "name", \0; the parameter char* data, the return address and the stack frame of main are untouched.]

Feed in an invalid input

Example: "usernameusername" (16 characters). The parameter data is overwritten, so it is no longer usable. The return address is overwritten, so f cannot return normally.
Still just a bug: a minor security problem that undermines usability.

[Figure: the 16 characters spill past the 12-byte buffer into the slots holding char* data and the return address.]

Feed in a malicious input

Idea: feed in an input with 20 characters so that it covers the return address; f() will then return to the code we specify.
Consider that the program is on a server, handling user requests. How to make it possible? Where to put the code? How to make the return address point to our code?

[Figure: the input spills past the buffer, and the return-address slot now points "to our code".]

Feed in a malicious input

Use the buffer itself to store the code, and set the return address to the buffer's address.
Example: run exec("/bin/sh") to open a shell; translate it to machine code.

[Figure: the buffer holds the machine code (sketched on the slide as mov $a0 15; mov $a1 data; syscall; data: /bin/sh); the overflow continues up to the return-address slot, which now holds the buffer's address.]

Feed in a malicious input: other issues

How to know the address of buffer[]? Programs are executed in virtual memory, so install the software and check the memory state.
Buffer too small to hold your code? Jump through the return address to the stack frame of the parent function.

[Figure: the same stack layout as on the previous slide.]

The state of practice

Buffer overflow is very common in C / C++ programs.
About 50% of new attacks are related to buffer overflow.
Memory-safe languages such as Java do not have the problem, so why do we still have it?
Known bugs are being exploited from time to time.

How to deal with buffer overflow

Boundary check for input-reachable buffers. Not so easy in practice:
  Check in too many places: slows the software down
  Check in too few places: buffer overflow risk
Automatic support:
  Buffer overflow detection: libsafe, stackguard, ...
  Runtime protection: weak memory safety
  Runtime protection: split stack
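As an added example (not code from the lecture), here is the lecture's f() rewritten with the boundary check placed at the single point where untrusted input enters the buffer, which is the compromise between "too many checks" and "too few" that the slide describes. copy_checked and f_checked are names chosen for this example; the 12-byte buffer matches the slides.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded copy: copy src into dst (capacity dstsz bytes) only if the whole
 * string, including its terminating NUL, fits. Returns true on success. On
 * failure dst becomes the empty string, so a caller never continues with a
 * half copy. The scan stops after dstsz bytes, so an unterminated src cannot
 * be over-read either. */
bool copy_checked(char *dst, size_t dstsz, const char *src) {
    size_t n = 0;
    while (n < dstsz && src[n] != '\0') {
        n++;
    }
    if (n == dstsz) {            /* n characters need n+1 bytes: does not fit */
        if (dstsz > 0) dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);     /* n characters plus the NUL */
    return true;
}

/* The lecture's f(), with strcpy replaced by the checked copy.
 * Returns 1 if the input was accepted, 0 if it was rejected. */
int f_checked(const char *data) {
    char buffer[12];
    if (!copy_checked(buffer, sizeof buffer, data)) {
        return 0;                /* too long: reject instead of overflowing */
    }
    /* ... work with buffer ... */
    return 1;
}

int main(void) {
    /* constructed inputs: the slide's valid and invalid examples plus the
     * boundary case of exactly 11 characters */
    const char *inputs[] = { "username", "usernameusername", "12345678901" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-20s -> %s\n", inputs[i],
               f_checked(inputs[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

Note that replacing strcpy with strncpy(buffer, data, sizeof buffer) alone is not equivalent: strncpy stops writing at 12 bytes, but when data has 12 or more characters it leaves buffer without a terminating NUL, so a later read of buffer runs off its end. The explicit length check above rejects the input instead.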

Injection

Directly inject user input into code to be executed:
  SQL injection: inject code into SQL queries
  OS injection: inject code into OS commands

[Figure: User input -> Software -> OS / Database]

SQL Injection: an example

A student information system: you can query your grade for a certain course, year, ...
You log in to your session and say you are going to search for the grade of "CS5103". What does the server do?

[Figure: the UI sends an HTTP request carrying Session.Username and "CS5103"; the server runs
    select * from Grade where username = 'you' and course = 'CS5103'
against the database, and the query results go back in the HTTP response.]

SQL Injection: the malicious input

We want to inject code into the SQL query. Say we want it to become "select * from Grade".
That is the same as "select * from Grade where username = 'you' and course = 'CS5103' or 'a' = 'a'".

[Figure: the same request, but the server now runs
    select * from Grade where username = 'you' and course = 'CS5103' or 'a'='a'
and the HTTP response carries the results for every row of Grade. WOW!]

OS Injection

Quite similar. Consider a server that is going to make a directory for you as a new user, and it will execute exec("mkdir path/to/" + username).
What username should you make up? An example:

    HahaGotyou | \bin\sh

[Figure: User input -> Server -> OS command]
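As an added example (not code from the lecture), the server-side fix for the slide's mkdir scenario in C: validate the username against an allowlist, then call mkdir(2) directly instead of building a shell command string. The allowlist policy (letters, digits, '_' and '-', at most 32 characters), the /tmp scratch directory and the function names username_is_valid and make_user_dir are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Allowlist (policy assumed for this example): 1..32 characters, starting
 * with an ASCII letter, then only ASCII letters, digits, '_' or '-'.
 * '|', '/', ';', '.', quotes and spaces never pass, so the slide's
 * "HahaGotyou | \bin\sh" is rejected before anything is built from it. */
int username_is_valid(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 32) return 0;
    if (!isalpha((unsigned char)name[0])) return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Create base/name. Instead of handing "mkdir path/to/<name>" to a shell,
 * call mkdir(2) directly: there is no command line for the input to escape
 * into, and the allowlist keeps '/' and ".." out of the name as well.
 * Returns 0 on success, -1 with errno set on failure. */
int make_user_dir(const char *base, const char *name) {
    char path[4096];
    if (!username_is_valid(name)) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(path, sizeof path, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkdir(path, 0700);
}

int main(void) {
    const char *base = "/tmp/cs5103_userdirs";   /* scratch area for the demo */
    if (mkdir(base, 0700) != 0 && errno != EEXIST) {
        perror("mkdir base");
        return 1;
    }
    /* constructed usernames: one valid, the slide's injection string, and a
     * path-traversal attempt */
    const char *names[] = { "alice", "HahaGotyou | \\bin\\sh", "../etc" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = make_user_dir(base, names[i]);
        printf("%-24s -> %s\n", names[i], rc == 0 ? "created" : strerror(errno));
    }
    char created[4096];
    snprintf(created, sizeof created, "%s/alice", base);
    rmdir(created);                               /* clean up the demo */
    rmdir(base);
    return 0;
}
```

If a program really must run an external command, the same principle applies: pass the validated value as a separate argv element to an exec-family call rather than splicing it into a string that a shell parses.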

Injection Protection

Injection works by passing user inputs into back-end engines.
Can we simply cut off the path? Definitely NO. We have to do some filtering.
We are going to work on the example:

    select * from Grade where username = 'you' and course = 'CS5103' or 'a' = 'a'

User Input Filtering

What to filter?
  "or"? => "oorr" can bypass it (removing one "or" leaves "or")
  Space? => using /**/ can bypass it
  Quotes? A little bit more difficult, but we can search by year and use year = 2009 or 1=1
Want more? See http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/

The example under attack:

    select * from Grade where username = 'you' and course = 'CS5103' or 'a' = 'a'
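As an added example (not code from the lecture or from the linked post), the following C code puts the two filters from the slide beside allowlist checks. strip_keyword and strip_spaces are the keyword and space filters implemented as the slide describes them; the test values show that "oorr" and the /**/ form come through unchanged in meaning. course_is_valid and year_is_valid are hypothetical validators that accept only the shape a course code or a year can have (the "two letters plus four digits" format and the year range are assumptions of this example), so input that does not have that shape is rejected rather than cleaned up. The actual fix for the query is to pass the values as parameters of a prepared statement so they never become part of the SQL text; that needs a database library and is not shown here, and the validators are meant to sit in front of it, not replace it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Blacklist filter from the slide: delete every occurrence of kw found in a
 * single left-to-right pass over in, writing the result to out (outsz bytes).
 * Deleting one occurrence can splice the neighbouring characters into a new
 * occurrence, which is why a filter of this kind is unreliable. */
void strip_keyword(const char *in, const char *kw, char *out, size_t outsz) {
    size_t klen = strlen(kw), i = 0, o = 0;
    while (in[i] != '\0' && o + 1 < outsz) {
        if (strncmp(in + i, kw, klen) == 0) {
            i += klen;               /* skip the keyword, copy nothing */
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
}

/* Second filter from the slide: remove spaces. SQL also accepts a comment as
 * a token separator, so removing spaces alone does not change the query. */
void strip_spaces(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        if (in[i] != ' ') out[o++] = in[i];
    }
    out[o] = '\0';
}

/* Allowlist for the course field: exactly two upper-case letters followed by
 * four digits, e.g. "CS5103" (format assumed for this example). Anything
 * else, quotes or comments included, is rejected. */
bool course_is_valid(const char *s) {
    if (strlen(s) != 6) return false;
    for (int i = 0; i < 2; i++)
        if (!isupper((unsigned char)s[i])) return false;
    for (int i = 2; i < 6; i++)
        if (!isdigit((unsigned char)s[i])) return false;
    return true;
}

/* Allowlist for a numeric field: the whole string must parse as an integer
 * in a plausible range. "2009 or 1=1" leaves unparsed text and is rejected,
 * which closes the quote-free variant from the slide. */
bool year_is_valid(const char *s, long *year) {
    char *end;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0') return false;
    if (v < 1900 || v > 2100) return false;
    if (year) *year = v;
    return true;
}

int main(void) {
    char out[64];
    long y = 0;
    /* constructed inputs taken from the slide's bypass discussion */
    strip_keyword("oorr", "or", out, sizeof out);
    printf("strip \"or\" from \"oorr\"         -> \"%s\"\n", out);
    strip_spaces("1/**/or/**/1=1", out, sizeof out);
    printf("strip spaces from comment form   -> \"%s\"\n", out);
    printf("course \"CS5103\" valid            -> %d\n", course_is_valid("CS5103"));
    printf("course \"CS5103' or 'a'='a\" valid -> %d\n", course_is_valid("CS5103' or 'a'='a"));
    printf("year \"2009\" valid                -> %d\n", year_is_valid("2009", &y));
    printf("year \"2009 or 1=1\" valid         -> %d\n", year_is_valid("2009 or 1=1", &y));
    return 0;
}
```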

Final Exam

Time: Dec 18th, 6:00pm to 8:30pm
Location: FLN 3.02.07
Form: closed-book exam, 100 points total, accounting for 30% of the course grade
  15 multiple-choice questions * 3 points each: single answer
  5 multiple-choice questions * 4 points each: multiple answers
  3-4 question & answer, 35 points in total

Covered Course Contents

Must (*): it is for sure that this knowledge point will be covered in the final exam
May (?): this knowledge point may be covered in the final exam
Not mentioned in this outline: the final exam will not cover this knowledge point

Software process models

Features of Waterfall model ?
Features of Iterative model ?
Features of Agile software development & Extreme programming *
Major difference between these models *
Usage scenario of different models ?

Requirement Engineering

Find stakeholders ?
Type of requirements *
Major requirement elicitation approaches ?
Natural language specifications and finding problems in the specifications *
Use case diagram ?
Actors and relationships between use cases ?

System Modeling

Class diagram *
  Draw class diagrams *
  Relationships between classes *
  Generalization, aggregation, composition, association and their differences *
  Multiplicity and role names ?

Software Architecture

Major software architecture styles *
  Pipe and filter ?
  Layered ?
  Their differences and usage scenarios *

Software Design

Design patterns *
  Structure and types ?
  Composite pattern ?
  Factory pattern ?
  Visitor pattern ?

Versioning

Diff *
  Know what a diff between two files should look like ?
  Know how applying a diff works ?
  Know what diff to apply for pull / update ?
Conflict ?
  Know how to detect conflicts ?
Branch *
  Know how to merge branches by applying diffs ?
  Branch strategies and their pros / cons ?

Software Licenses

Know major software licenses ? GPL, LGPL, Apache, BSD, ...
Know the difference between permissive licenses and copyleft licenses *
Know the main idea of GPL and its difference from LGPL ?

Coding Styles

Coding style rules for all levels *
  Identifiers / constants ?
  Expressions ?
  Statements ?
  Blocks ?
  Comments ?
Finding coding style errors in given code *
Understand the goal and concept of software refactoring ?

Software Testing

Concepts and terms in software testing * Test case, test suite, test oracle, ...
Unit testing *
  Working process of JUnit ?
  What are good ways to write assertions ?
  What are good ways to do the tearing down ?

Software Testing (continued)

Test coverage *
  Understand statement coverage, branch coverage and path coverage, and calculate coverage for a given test case and code *
  Understand input combination coverage, and calculate coverage for a given model and test case *
  Understand mutations and mutation coverage ?

Software Testing (continued)

Regression testing ?
  Know the ways to reduce testing effort in regression testing ?
  Understand what APFD is, and know how the total and additional strategies work ?

Software Debugging

Delta debugging *
  Understand how basic delta debugging works ?
  Know how to handle interference and multiple interference ?
  Understand the limitations of delta debugging ?

Software Security Issues

Major software vulnerabilities *
  Injection ?
  Buffer overflow *

Thanks!