02lect - Defects and Vulnerabilities

The document discusses defects, vulnerabilities, and software security. It explains that vulnerabilities are software defects that can be exploited to gain unauthorized access or privileges. The document covers what vulnerabilities and exploits are, where they come from, and how thinking like an attacker can help find them by following the flow of data and control through a program.

Uploaded by manju kakkar

Defects and Vulnerabilities (LECT 2)
Quiz

1. What do wireless devices, cell phones, PDAs, browsers, operating systems, servers, personal computers, public key infrastructure systems, and firewalls have in common?

SOFTWARE!
So what’s the problem?
Quiz

2. What do laptops, tablets, mobile phones, wifi access points, network routers, bank cards, e-passports, eID cards, smartphone apps, web sites, web browsers, web servers, operating systems, firewalls, intrusion detection systems, cars, and airplanes have in common? Why can all these things be hacked, if we are not very careful?

There is SOFTWARE inside them!


Overview

• Some basics and terminology
• Thinking like an attacker – “Owning the bits”
• Thinking like an analyst – A brief overview of in-depth vulnerability assessment
• Thinking like a programmer/designer – Secure programming techniques
What is a Vulnerability?

“A vulnerability is a defect or weakness in system security procedures, design, implementation, or internal controls that can be exercised and result in a security breach or violation of security policy.”
- Gary McGraw, Software Security

A weakness allowing a principal (e.g. a user) to gain access to or influence a system beyond the intended rights.

An unauthorized user can gain access.

An authorized user can:
• gain unintended privileges – e.g. root or admin.
• damage a system.
• gain unintended access to data or information.
• delete or change another user’s data.
• impersonate another user.
What is a Weakness (or Defect or Bug)?

• “Software bugs are errors, mistakes, or oversights in programs that result in unexpected and typically undesirable behavior.”
- The Art of Software Security Assessment
• Vulnerabilities are a subset of weaknesses.
• Almost all software analysis tools find weaknesses, not vulnerabilities.
What is an Exploit?

• “The process of attacking a vulnerability in a program is called exploiting.”
- The Art of Software Security Assessment
• Exploit: The attack can come from a program or script.
Defects and Vulnerabilities

Many breaches begin by exploiting a vulnerability
• This is a security-relevant software defect that can be exploited to effect an undesired behaviour
• A software defect is present when the software behaves incorrectly, i.e., it fails to meet its requirements
• Defects occur in the software’s design and its implementation
  ◦ A flaw is a defect in the design
  ◦ A bug is a defect in the implementation
Sources of Software Insecurity

• Complexity, inadequacy, and change
• Incorrect or changing assumptions (capabilities, inputs, outputs)
• Flawed specifications & designs
• Poor implementation of software interfaces (input validation, error & exception handling)
• Inadequate knowledge of secure coding practices
• Unintended, unexpected interactions
  ◦ with other components
  ◦ with the software’s execution environment
• Absent or minimal consideration of security during all life cycle phases
• Not thinking like an attacker
Which Vulnerabilities Are Most Exploited?

(chart; SOURCE: Breach Security, The WHID, Feb)
Most Vulnerabilities Caused by Programming Errors

64% of the vulnerabilities are due to programming errors at the application layer, not at the network layer. 51% of those are due to classic errors like buffer overflows, cross-site scripting, and injection flaws.

“We wouldn't need so much network security if we didn't have such bad software security”
-- Bruce Schneier
What Your Defect Management Metrics Say?

Most of my vulnerabilities are coding and design issues, but they are mostly found during pen test in UAT. The cost of fixing them in UAT is 10 X the cost during coding (unit tests).
The Cost of Not Checking…

4 Jun 1996: An unchecked 64 bit floating point number assigned to a 16 bit integer. Ariane 5 mission 501.

Cost: Development cost: $7 billion. Lost rocket and payload: $500 million.
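As an added example, not from the slides, the C code below places the unchecked narrowing pattern beside a range-checked conversion that refuses any value a 16-bit integer cannot hold. The function names and sample values are my own.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked: the double is narrowed to a 64-bit integer (well defined while the
 * value fits) and then to 16 bits. Out-of-range values silently wrap on every
 * mainstream compiler; the narrowing is implementation-defined in C, so nothing
 * signals that the magnitude was lost. */
int16_t unchecked_f64_to_i16(double value)
{
    return (int16_t)(int64_t)value;
}

/* Checked: reject NaN and anything that truncation toward zero cannot fit into
 * [INT16_MIN, INT16_MAX]. Returns 0 on success, -1 when the value cannot be
 * represented, leaving *out untouched. */
int checked_f64_to_i16(double value, int16_t *out)
{
    if (isnan(value) || value <= (double)INT16_MIN - 1.0 || value >= (double)INT16_MAX + 1.0)
        return -1;
    *out = (int16_t)value;   /* in range, so the conversion is fully defined */
    return 0;
}

int main(void)
{
    /* Constructed samples: two that fit, two that do not. */
    const double samples[] = { 1234.5, 32767.9, 32768.0, -40000.0 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int16_t v;
        if (checked_f64_to_i16(samples[k], &v) == 0)
            printf("%10.1f -> %6d (ok)\n", samples[k], v);
        else
            printf("%10.1f -> rejected (unchecked cast would yield %d)\n",
                   samples[k], unchecked_f64_to_i16(samples[k]));
    }
    return 0;
}
```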
Cost of Insufficient Security

Attacks are expensive and affect assets:
• Management
• Network resources
• Organization
• Intellectual property
• Digital identities
• Information and data
• Reputation
• Software and applications
• Financial capital
• Infrastructure
Defect Removal Is a Major Challenge

The cost to remove defects, including security flaws, can be hundreds of times higher after deployment.

Moreover, adding security through testing is a never-ending task.

Other research has shown that a majority of vulnerabilities are related to programming errors that are fairly well understood.
Goal of Security

Goal: Better, defect-free software that can function more robustly in its operational production environment.

The ability of software to recognize, resist, tolerate, and recover from events that threaten it.
Learn to Think Like an Attacker
The Path of an Attack

The slide shows only the loop body; the enclosing function, the #include and the struct declaration below are assumed from how the fields are used, not taken from the slide.

#include <string.h>

/* Assumed declarations (not on the slide): one linked-list entry of the request table. */
struct table {
    int entrytype;          /* PEER_MEET or PUTSERVER */
    char *me, *her;         /* names stored in the entry */
    struct table *next;
};

struct table *lookup(struct table *requesttable, const char *me, const char *her)
{
    struct table *p;
    int found = 0;   /* note: only recomputed for the two entry types below, so a
                        value from an earlier iteration carries over otherwise */

    p = requesttable;
    while (p != (struct table *)0)
    {
        if (p->entrytype == PEER_MEET)
        {
            found = (!(strcmp (her, p->me)) &&
                     !(strcmp (me, p->her)));
        }
        else if (p->entrytype == PUTSERVER)
        {
            found = !(strcmp (her, p->me));
        }
        if (found)
            return (p);
        else
            p = p->next;
    }
    return ((struct table *) 0);
}
An Exploit through the Eyes of an
Attacker
Exploit, redefined:
– A manipulation of a program’s internal state in a way not anticipated (or desired) by the programmer.

Start at the user’s entry point to the program: the attack surface:
– Network input buffer
– Field in a form
– Line in an input file
– Environment variable
– Program option
– Entry in a database
– …
Attack surface: the set of points in the program’s interface that can be controlled by the user.
An Exploit through the Eyes of an Attacker
Follow the data and control flow through the program, observing what state you
can control:
– Control flow: what branching and calling paths are affected by the data
originating at the attack surface?
– Data flow: what variables have all or part of their value determined by
data originating at the attack surface?

Sometimes it’s a combination:


if (inputbuffer[1] == 'a')
    val = 3;
else
    val = 25;

val is dependent on inputbuffer[1] even though it’s not directly assigned.
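As an added example, not from the slides, the C program below models exactly this observation: a tiny taint analysis over a constructed straight-line program that records, for every variable, whether the attack-surface input reaches it by explicit data flow or only through a branch decision, the way val depends on inputbuffer[1] above. The statement encoding, the program and the variable names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Statement of the analysed program: "dst = src", or "if (cond) dst = src".
 * cond == 0 means unconditional; src == CONST means a literal (no data source). */
typedef struct { char dst, src, cond; } Stmt;
#define CONST '#'

enum { CLEAN = 0, DATA_DEP = 1, CONTROL_DEP = 2 };

/* Constructed program modelled on the slide's snippet ('i' is the input byte):
 *   b = i            explicit copy from the attack surface
 *   if (b) v = 3     both arms of the if/else are guarded by b, so v is
 *   if (b) v = 25    never assigned from input yet depends on it
 *   w = v            the implicit dependence rides along ordinary data flow
 *   z = 7            never influenced by input
 */
static const Stmt PROGRAM[] = {
    {'b', 'i', 0}, {'v', CONST, 'b'}, {'v', CONST, 'b'}, {'w', 'v', 0}, {'z', CONST, 0},
};
#define NSTMT (sizeof PROGRAM / sizeof PROGRAM[0])

/* One forward pass (enough for straight-line code): for every variable, record
 * whether `source` reaches it explicitly (DATA_DEP), only through a branch
 * decision (CONTROL_DEP), or both. */
static void propagate(const Stmt *prog, size_t n, char source, unsigned char taint[256])
{
    memset(taint, 0, 256);
    taint[(unsigned char)source] = DATA_DEP;
    for (size_t k = 0; k < n; k++) {
        unsigned char t = CLEAN;
        if (prog[k].src != CONST)
            t |= taint[(unsigned char)prog[k].src];      /* explicit data flow */
        if (prog[k].cond && taint[(unsigned char)prog[k].cond])
            t |= CONTROL_DEP;                            /* implicit flow through the branch */
        if (prog[k].cond)
            taint[(unsigned char)prog[k].dst] |= t;      /* the old value may survive on the other path */
        else
            taint[(unsigned char)prog[k].dst] = t;       /* unconditional overwrite */
    }
}

/* How the attack-surface variable 'i' influences `var` in PROGRAM. */
unsigned influence(char var)
{
    unsigned char taint[256];
    propagate(PROGRAM, NSTMT, 'i', taint);
    return taint[(unsigned char)var];
}
```

A call such as influence('v') returns CONTROL_DEP even though no statement ever copies input into v, which is the combination case the slide describes.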


