- No customer demand for security
- Secure code requires time and money
- Security measures may affect usability
- Users don't care about security
- Lack of security awareness and knowledge. Need to...
- Understand the threat model
- Know at least main security bugs
- Use existing tools to help you
- Keep updated at relevant places
- Writing Secure code is hard
- Laziness
- Confidentiality: protect data from unauthorised reading
- Integrity: protect data from tampering
- Availability: data must be available to legitimate users
- Authentication: check identity of users/processes
-
Get code right
- Not vulnerable to integer overflow
-
Check inputs
- Not vulnerable to SQL injection
-
Least privilege and deny by default
- Give least privilege needed to work
- Isolate code modules with higher privileges
- Whitelisting safer than blacklisting
-
Secure-friendly architecture
- Simple code easier to review, update, etc.
-
Defense in depth
- Multiple layers of security
- Block malicious inputs, but still assume some may get through
-
Stay up-to-date
-
OWASP: Open Web Application Security Project
-
CWE: Common Weakness Enumeration
- Standard for computer security certification
- Provides assurance to buyers of a security product
- OS security features
- Secure libraries
- Cryptography
- Static analysis
- Looking at code for patterns showing vulnerabilities
- Dynamic analysis
- OWASP tools
- Badly formed inputs may lead to
- Crash
- Unexpected behaviour
- Resource exhaustion
- Security issues
- Cope with badly formed input
- Identify all inputs and sources
- Check inputs are formed properly
- User-entered data
- Program arguments
- File contents
- File handles
- stdin, stdout, stderr
- Working directory
- Environment variables, config, registry values, umask values, etc.
- URL
- Encoded URL
- Standard hex encoding
- Different UTF-8 bytestreams decodes to same value
- HTTP request body
- HTTP headers
- Cookies
- Referrer
- Validate all inputs
- Strong typing, length checks, range checks
- Syntax
- Validate inputs from all sources
- Good practice
- Easy to verify inputs are validated
- Establish trust boundaries
- Validate at each module border
- Store trusted and untrusted data separately
- Whitelist defines what is allowed, rejects anything else
- Blacklist defines what is not allowed, allows anything else
- Whitelists preferred, easy to forget cases in blacklists
- Number ranges
- Input lengths
- Enumeration of multiple choices
- Regular expressions
- Languages have characters with special meaning
- Need to distinguish between character itself and special meaning
- Escape sequences are used to represent a character itself
- Example . for "."
- Interface limits range of inputs allowed
- More chance to be correct
- Examples:
- Prepared statements in MySQL
- Object-relational mappers
- Wherever an interpreter is used, separate untrusted data and the command/query
- Prevent known attack patterns
- Use automated tools
- Static analysis: search known vulns in code
- Dynamic analysis: run code with known attack patterns
- Attacker modifies SQL queries through uncleaned inputs
- Confidentiality: could read sensitive data
- Integrity: could change data
- Authentication: could bypass authentication
- Authorisation: could change authorisation info
- Prepared statements
- Prepare phase:
- Create SQL statement template with parameters
- Send prepared statement to database for parse, compile, optimisation and storage
- Binding phase:
- Application binds values to parameters, executes statement
- Can be done several times with different values
- Advantages:
- Reduced parsing time (only once for multiple executions)
- Reduced bandwidth (only send params, not whole query)
- Prevent injection by separating code and data
- Critical code preimplemented by experts
- Prepare phase:
- Object-relational mappers
- Object database: DB management system, info is represented by objects
- Convert info from relational to object database
- Advantages:
- Reduce code size
- SQL injection can be blocked by the OR mapper
- Disadvantages:
- Hides implementation
- Stored procedures
- Similar to parameterised queries
- Difference to prepared statements: procedure stored in database
- Whitelist validation
- Use when above methods are not an option
- Defence in depth: always use, even on binded variables
- Escaping
- Users that only need read access to DB only get that
- Users only need access to part of DB only get that
- DB management systems not run as root
- Inject js code into the client's browser via messages between client/server
- Cookie or session data sent to attacker
- Browser history, documents revealed
- Redirected to dangerous website
- Trojan installed
- DOM = Document Object Model
- Representation of HTML doc
- Separates doc structure from content
- DOM includes document's URL
- Attacks are entirely client side
- Use anchor tags '#' in HTTP request
- Anchor tags not sent to the server
- Full URL stored in the DOM
- Script executed by browser when document is loaded
- Escape untrusted input and output data
- When needing to allow code, use sanitizing libraries on untrusted inputs
- Use Context Security Policy (CSP)
- Cookies often used to create HTTP sessions
- Cookies contain auth credentials
- HttpOnly cookie flag prevents js script access to it
- Mitigates impact of XSS attacks
- Browser can only use resources from trusted sources
- Browser should ignore hostile sources
- Enabled in HTTP header
- Authentication: Verifying the user
- Authorisation: Verifying permission (of the user/action)
- What you know
- Passwords
- What you have
- Physical key
- Physical device
- Certificate
- What you are
- Biometrics
- Basic auth: Sending the password in the clear (e.g. HTTP basic auth)
- Digest auth: Sending hash of a password
- Challenge-Response:
- Client initiates a connection
- Server sends a challenge
- Client sends response
- Server checks/verifys response
Client’s response is a cryptographically strong function of challenge and password
- HTTPS (HTTP over TLS)
- Agree a common secret session key (key exchange via DHE)
- Communicate using encrypted session via agreed secret session key
- HTTP is stateless
- Each request is independent to the previous
keep-aliveorpersistentconnections can be used but will still timeout after several minutes
- Aim: extend the length of communication
- Idea:
- Client opens a connection
- Server sends a session ID to identify the client
- Client uses session id in every communication with the server to identify itself
- URL parameters
example.com/page1?id=.. - Body arguments on POST requests
- Cookies via header:
Cookie: ../Set-Cookie: .. - Proprietary HTTP headers
- Stealing cookies
Impersonating a user by posing as them with their authentication
- Session Hijacking: steal a session id and use it
- Session fixation: give the user a session id to use
- Packet sniffing: steal via packet observation
- Malware/Spyware
- XSS
- Cross-Site Request Forgery: make the client perform an action whilst holding the session id, allowing it to be stolen.
- Session Hijacking: steal a session id and use it
- Don't send session ids in plaintext
- Use unpredictable ids (cryptographically secure randoms)
- Use short-lived sessions
- Regenerate fresh ids at login
- Check source IP address against cookie (not always effective)
- Refresh ids regularly (regenerate)
- Ensuring the client remembers to log out
HTTPOnly- cookie cannot be accessed by scripts (helps against XSS attacks) (?)SameSite- only allow cookie on the same domainDomainandPath- restrict cookie sending by domain and subpathMaxAge- timeout cookie after some timeSecure- only allow cookies on HTTPS connections
-
HTTP over TLS (SSL)
- You know what TLS is, this isn't 'Intro to Security'
-
Provides advantages:
- Confidentiality (AES encrypted transport)
- Authenticatiotn (client/server certificates)
- Integrity (Signatures)
- PFS (Forward secrecy): old messages cannot be retrieved with a current key/certificate
Anomalous behaviour due to unexpected critical dependence on relative timing of events
- open: checks effective UID permissions
- access: checks real UID permissions
if ( access (" filename ", W_OK ) != 0) {
exit (1);
}
fd = open (" filename ", O_WRONLY );
write ( fd , buffer , sizeof ( buffer ));Something unexpected may happen between access check and when file is used
- Race condition - something unexpected may happen between access check and when file is used
- May be able to replace file by another one after access check
- Use symlinks to redirect filenames to files
- Attacks require local access to system and precise timing
- Improve attack success probability
- Slow down computer with CPU intensive programs
- Run many attack processes in parallel
- Use atomic operations
- Check and use in single system call
- Use `open ( "filename", O_CREAT | O_EXCL | O_WRONLY );
- If
O_CREATandO_EXCLset, open fails if file exists
- Decrease probability (check-use-check again)
- Get file info, open, get file info, abort if info are different
- Attacker can defeat by restoring file
- Increase number of checks to reduce success probability
- Drop perms
- Use seteuid to temp drop real UID perms
- Use unpredictable filenames
- Hard for attacker to attack filename he doesn't know
- Filenames aren't totally unpredictable
- Better to use mkstemp, which returns a file descriptor
{Missing image}
- Needs synchronisation mechanism between threads (enforce atomicity)
- When resource is in use, lock to prevent use
- BEWARE OF THE DEADLOCKS OMG
- Unix
- Shared ("reading") and exclusive ("writing") locks
- Can be ignored
- Windows
- File system prevents write or delete access on executing files
- Share-access controls for whole-file access-share for read, write delete
- Byte-range locks
- Sequence of operations, perceived as single logical operation on data
- Must have ACID properties
- Atomicity - all or nothing
- Consistency - transaction moves DB from valid state to valid state
- Isolation - result as if transactions executed sequentially
- Durability - transaction remains effective once committed
- Implemented by locking resource, keeping partial copy til complete
{Missing notes}
- Identify entities interacting with application.
- Internal/external users
- Database user/admin
- Web server user/admin
- ...
- Identify trust relationships between entities
- Identify access each agent should have
- Create use cases to understand application use
- Understand app design/architecture
- Understand where app is used
- Identify entry points
- Decompose application to submodules
- Understand interactions and trust between submodules
- Read docs, specs, etc.
- Talk to app devs
- List and rank all threats
- Threat category lists useful:
- Threats from attacker's PoV
- Threats from defensive PoV
- Threat lists:
- STRIDE (OWASP) - attacker's PoV
- Application Security Frame (Microsoft) - defensive PoV
- Identify security measures in place to address threats
- Identify mitigated and non-mitigated threats
- Check security measures are properly implemented
- Check for known vulnerability patterns
- Run static/dynamic analysis tools
-
Damage: how big can damage be
-
Reproducibility: how easy to reproduce
-
Exploitability: how much it can be exploited (remotely, without auth, automated)
-
Affected users: % of users
-
Discoverability: how easy it is
-
All ranked from 1-10, average value = DREAD score
-
Alternative: Risk = Likelihood x Impact
{Missing notes}
- Where is most valuable data stored?
- Which attacks would cause worst impact?
- Which threat is most likely?
- Which parts have been reviewed?
- Security in place to address threat categories
- Known vulnerability patterns
- Specific to languages
- Specific to applications
- Use checklists
{Missing notes}
- Follow data through the application
- Where is entry point?
- Where is storage?
- Are inputs sanitised?
- Is there authentication for data retrieval/modification?
- Is data output properly escaped?
- Advantages:
- Large apps split into modules
- Can identify modules with large attack surface
{Missing notes}