SoftTest IrelandCopyright 2008 ElectroMind Ltd1 People Challenges for Test Teams Stephen K. Allott.
Whittaker How To Break Software Security - SoftTest Ireland
-
Upload
david-odowd -
Category
Documents
-
view
2.293 -
download
1
description
Transcript of Whittaker How To Break Software Security - SoftTest Ireland
![Page 1: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/1.jpg)
How to Break Software Security
![Page 2: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/2.jpg)
Functionality vs. Security
• Functional testing: verify that the app does what it is supposed to do– Apply inputs, verify correct outputs– Funtional testers ask: ‘what is the software supposed to do?’
• Security testing: verify that the app does not do what it is not supposed to do– Apply inputs, verify that no bad things happen– Security testers ask: ‘what is the software not supposed to do?’
• But what is the set of bad things that can cause an application to behave insecurely?
![Page 3: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/3.jpg)
An Example
• Let’s examine two bugs:– A functional bug in which the software fails to do
what it is supposed to do– A security bug in which the software does what it
was supposed to (and a little bit extra!)
![Page 4: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/4.jpg)
The Functional Bug
![Page 5: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/5.jpg)
The Security Vulnerability
![Page 6: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/6.jpg)
What Have We Learned?
• That security bugs:– Are much harder to spot…they often have no
visible (to the human eye) behavior…we need better tools
– Require us to think about side effects and what sensitive data might be exposed
– Require us to “think backwards”…that is, instead of thinking what should happen, we need to think about what shouldn’t happen
![Page 7: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/7.jpg)
Two Models to Guide Our Thinking
• A model of software behavior– Functional testing is simply not designed to find security
flaws
• A model of the environment in which software executes– Many security flaws are caused by environment interaction
– Many security flaws are discovered by analyzing an application’s environment
![Page 8: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/8.jpg)
The Behavior Model(the “eclipse” diagram)
Intended Behavior
Actual Behavior
Traditional Bugs
Most Security Bugs
![Page 9: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/9.jpg)
Application Under Test
kernel
UI
file system
Soft-ware
The Environment Model(the “life preserver” diagram)
![Page 10: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/10.jpg)
Are Hackers Really Motivated to Attack You?
• Thousands of underground hacking tools
• Thousands of hacker sites
• The cold hard truth: Hackers have the advantage– They have to find only one bug…we have to close
them all– They have a lot more time on their hands
Enter their world…
![Page 11: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/11.jpg)
The HtBSS Project
• Goal: develop prescriptive techniques for finding security vulnerabilities in software– Not a “hacker how-to,” we are interested in the bug not the exploit
• Process: study bugs that shipped– What fault caused it?
– What failure symptoms do we look for?
– What testing technique would have found it?
• Outcome: four classes of vulnerabilities/techniques– External dependencies – banana peels in the environment
– Unanticipated user input – magic bullets
– Vulnerable design – bad design habits that bite
– Vulnerable implementation – just plain bugs
![Page 12: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/12.jpg)
External Dependencies
• Software does not exist in isolation– Think about the “life preserver” diagram – Software uses OS resources, runtime libraries, set up files,
data files, …– Programming an application to handle all these things
gracefully is very complicated • Ex: when do you check for a LoadLibrary failure?
– These are rare events, check too often you slow down the app– These are crucial events, check often so you don’t get bitten
• The result: software often fails insecurely because of its dependency on its environment
![Page 13: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/13.jpg)
Unanticipated User Input
• Some inputs are problematic and developers tend to ignore them:– Operating system reserved words– Programming language format strings– Character set boundary values (e.g., extended ascii)– Scripts, code and commands embedded in input fields
• It is important to maintain lists of these and make sure they get applied during testing
![Page 14: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/14.jpg)
Vulnerable Design
• Some good design practices are actually bad for security– Performance and security are at odds– Usability and security are at odds– Cohesion, coupling and many other design practices
can often aid an attacker
• We need to understand how some security vulnerabilities have their roots in design practices
![Page 15: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/15.jpg)
Vulnerable Implementation
• As an industry, we’ve been writing bugs since the dawn of computing and we don’t seem to be slowing down
• What common bugs have security implications?– What do these bugs look like?– How do we find them?
![Page 16: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/16.jpg)
External Dependency Attacks
![Page 17: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/17.jpg)
Dependency Attack Vectors
1. Block access to libraries2. Manipulate registry values3. Force the application to use corrupt files (write
protected, inaccessible, data errors...) and file names4. Replace files that the application reads from, writes to,
creates and executes5. Force the application to operate in stressed
memory/disk space/network availability conditions
![Page 18: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/18.jpg)
The IE content advisor
![Page 19: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/19.jpg)
We get stopped by the parental controls…
![Page 20: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/20.jpg)
…So we block access to the msrating.dll library
![Page 21: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/21.jpg)
Now we can view that site!
![Page 22: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/22.jpg)
Holodeck monitors Update Expert for registry interactions
![Page 23: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/23.jpg)
U.E. Shows a patch applied to the local machine
![Page 24: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/24.jpg)
U.E. reads patch info from the registry...
![Page 25: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/25.jpg)
We target an unapplied patch…
![Page 26: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/26.jpg)
We create a folder with the key “installed”…
![Page 27: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/27.jpg)
U.E. Reads the bogus directory and shows the patch as installed…
![Page 28: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/28.jpg)
User Input Attack Vectors
6. Overflow input buffers
7. Examine all command line switches and
input options
8. Explore escape characters, character sets and
commands
![Page 29: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/29.jpg)
Buffer Overflow Details
![Page 30: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/30.jpg)
Modify file with new data
![Page 31: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/31.jpg)
Executable data6A 00 Push x00
Parameter describing type of message box.
68 B0 FB 11 00Push x0011FBB0
Pointer to the message box caption text.
68 D5 FB 11 00Push x0011FBD5
Pointer to message box body text.
6A 00 Push x00
Handle to a window.
FF 15 88 20 40 00 Call User32.MessageBoxA
Calling the windows message box function. In this case we are
calling indirectly through a pointer.
Now we have an exploit!
![Page 32: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/32.jpg)
Open the file and you are owned!
![Page 33: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/33.jpg)
Design Attack Vectors
9. Try common default and test account names and passwords
10. Expose unprotected test APIs
11. Connect to all ports
12. Fake the source of data
13. Create loop conditions in any application that interprets script, code etc
14. Use alternate routes to accomplish the same task
15. Force the system to reset values
![Page 34: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/34.jpg)
Common AccountsUsername Passwords Systems Affected
Administrator
“”; Admin; admin; administrator; Administrator; root
Windows; Unix and many other platforms and applications
Admin
“”; Admin; admin; administrator; Administrator; root
Windows; Unix and many other platforms and applications
Demo “”; demo; demos Many
Guest “”; Guest; guest Windows
Root “”; root Unix
sa “” Windows SQL server; others
setup setup Unix
sys sys; system; bin Unix
sysadmin sysadmin Unix
test “”; test; Test Common to many applications
user user Windows; Unix
web “”; web Windows; Unix
![Page 35: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/35.jpg)
Implementation Attack Vectors
16. Get between time of check and time of use
17. Create files with the same name as files protected with a higher classification
18. Force all error messages
19. Look for temporary files and screen their contents for sensitive information
![Page 36: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/36.jpg)
Logging in with a bogus account…
![Page 37: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/37.jpg)
… produces this error message
![Page 38: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/38.jpg)
A legit account…
![Page 39: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/39.jpg)
… produces this error message
![Page 40: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/40.jpg)
Summary and Take-Aways
![Page 41: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/41.jpg)
Always Remember…
• Security testing is different and requires us to think differently
• There are testing techniques specifically aimed at security testing and these can and should be part of your software practice
![Page 42: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/42.jpg)
Take Away (1)
• Understand your app’s behavior…think about what should NOT happen!
Intended Behavior
Actual Behavior
Traditional Bugs
Most Security Bugs
![Page 43: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/43.jpg)
Take Away (2)
• Understand your app’s environment…think about where the action is!
kernel
UI
file system
SW Application Under Test
![Page 44: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/44.jpg)
Take Away (3)
• Ask yourself: what is the nightmare scenario for this app (or this customer)!
• Then…test every entry point for that scenario being realized– Its UI– Exposed remote functionality – Its communication paths– The files it reads
![Page 45: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/45.jpg)
Take Away (4)
• Use the attacks, master the tools– Attacks:
• Exploit external dependencies
• Find unanticipated user input
• Expose insecure design
• Determine insecure implementation practices
– Tools• The software Holodeck
• Hex editors, debuggers, port scanners, …
• Never cease your vigilance!
![Page 46: Whittaker How To Break Software Security - SoftTest Ireland](https://reader035.fdocuments.us/reader035/viewer/2022062307/553acc434a7959d8258b45ce/html5/thumbnails/46.jpg)
THE END
Questions?