CH11

Chapter 11 discusses software security, emphasizing the importance of identifying and mitigating vulnerabilities such as unvalidated input, injection flaws, and buffer overflows. It outlines strategies for reducing software vulnerabilities, including improved development methods, testing techniques, and resilient architecture. The chapter also highlights the significance of defensive programming, secure coding practices, and the need for careful handling of program input and output to ensure security and reliability.
Chapter 11

Software Security
Table 11.1 CWE/SANS Top 25 Most Dangerous Software Errors (2011)
(Table is on page 359 in the textbook)
Security Flaws
• Critical Web application security flaws include five related to insecure software code
  • Unvalidated input
  • Cross-site scripting
  • Buffer overflow
  • Injection flaws
  • Improper error handling
• These flaws occur as a consequence of insufficient checking and validation of data and error codes in programs
• Awareness of these issues is a critical initial step in writing more secure program code
• Emphasis should be placed on the need for software developers to address these known areas of concern
Reducing Software Vulnerabilities
• The NIST report NISTIR 8151 presents a range of approaches to reduce the number of software vulnerabilities
• It recommends:
  • Stopping vulnerabilities before they occur by using improved methods for specifying and building software
  • Finding vulnerabilities before they can be exploited by using better and more efficient testing techniques
  • Reducing the impact of vulnerabilities by building more resilient architectures
Software Security, Quality and Reliability
• Software quality and reliability:
  • Concerned with the accidental failure of a program as a result of some theoretically random, unanticipated input, interaction, or use of incorrect code
  • Improve using structured design and testing to identify and eliminate as many bugs as possible from a program
  • Concern is not how many bugs, but how often they are triggered
• Software security:
  • Attacker chooses the probability distribution, specifically targeting bugs that result in a system failure that can be exploited by the attacker
  • Triggered by inputs that differ dramatically from what is usually expected
  • Unlikely to be identified by common testing approaches
Defensive Programming
• Designing and implementing software so that it
continues to function even when under attack
• Requires attention to all aspects of program
execution, environment, and type of data it
processes
• Software is able to detect erroneous conditions
resulting from some attack
• Also referred to as secure programming
• Key rule is to never assume anything, check all
assumptions and handle any possible error states
Defensive Programming
• Programmers often make assumptions about the type of inputs a program will receive and the environment it executes in
  • Assumptions need to be validated by the program and all potential failures handled gracefully and safely
• Requires a changed mindset to traditional programming practices
  • Programmers have to understand how failures can occur and the steps needed to reduce the chance of them occurring in their programs
• Conflicts with business pressures to keep development times as short as possible to maximize market advantage
Security by Design
• Security and reliability are common design goals
in most engineering disciplines
• Software development not as mature
• Recent years have seen increasing efforts to
improve secure software development processes
• Software Assurance Forum for Excellence in
Code (SAFECode)
• Develop publications outlining industry best practices
for software assurance and providing practical advice
for implementing proven methods for secure software
development
Handling Program Input
• Input is any source of data from outside whose value is not explicitly known by the programmer when the code was written
• Incorrect handling is a very common failing
• Must identify all data sources
• Explicitly validate assumptions on size and type of values before use
Input Size & Buffer Overflow
• Programmers often make assumptions about the maximum expected size of input
  • Allocated buffer size is not confirmed
  • Resulting in buffer overflow
• Testing may not identify vulnerability
  • Test inputs are unlikely to include large enough inputs to trigger the overflow
• Safe coding treats all input as dangerous
Example
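Added example (not code from the slides or the textbook): a C copy routine written on the assumption that no name is longer than NAME_MAX, next to one that confirms the destination size before copying. The 16-byte limit and the 40-byte input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* assumed maximum name length, including the NUL */

/* Vulnerable: the programmer assumed callers never pass more than NAME_MAX-1
 * characters, and the allocated buffer size is never confirmed. A longer
 * input writes past the end of dst (a stack or heap buffer overflow). */
void copy_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Safe: treat the input as dangerous and check its length against the real
 * buffer size, leaving room for the terminating NUL. Returns 0 on success,
 * -1 if the input does not fit (nothing is written in that case). */
int copy_name_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize)
        return -1;
    memcpy(dst, src, n + 1);   /* copies the NUL as well */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    /* Constructed inputs: one that fits and one that is far too long.
     * A test suite that only tries the first would never see the overflow. */
    const char *ok_input  = "alice";
    const char *bad_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */

    if (copy_name_checked(name, sizeof name, ok_input) == 0)
        printf("accepted: %s\n", name);
    if (copy_name_checked(name, sizeof name, bad_input) != 0)
        printf("rejected: %zu bytes do not fit in %zu\n",
               strlen(bad_input), sizeof name);

    /* copy_name_unchecked(name, bad_input) would corrupt the stack here. */
    return 0;
}
```

The check is on the destination size the function is told about, not on a constant the caller may have assumed, which is why the size is passed as a parameter rather than hard-coded inside the copy.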
Interpretation of Program Input
• Program input may be binary or text
  • Binary interpretation depends on encoding and is usually application specific
• There is an increasing variety of character sets being used
  • Care is needed to identify just which set is being used and what characters are being read
• Failure to validate may result in an exploitable vulnerability
  • 2014 Heartbleed OpenSSL bug is a recent example of a failure to check the validity of a binary input value
Input validation example
import java.util.Scanner;

public class InputExample{
 public static void main(String[] args){
  Scanner scan = new Scanner(System.in);
  System.out.print("Please Enter the day number");
  int day = scan.nextInt();    // non-numeric input throws InputMismatchException, which is never caught
  System.out.print("Please Enter the month number");
  int month = scan.nextInt();
  System.out.print("Please Enter the year number");
  int year = scan.nextInt();   // the values are never range-checked (day 99, month 13, ...)
 }
 // No type checking (ex: string, Boolean, ..)
 // No size checking (ex: input integer with 50 digits)
 // No length checking (ex: day must be 2 digits: 02 03 11)
 // No content checking (ex: 1w , 2- )
}

// how to fix the vulnerabilities ?
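One answer to that question, as an added example in C (not from the slides or the textbook): each field is validated for type, size (digit count), content and range before use, and the three fields are then checked together. The field limits (4-digit year in 1900..2100, 2-digit day and month) are assumptions made for the example.

```c
#include <errno.h>
#include <stdlib.h>
#include <ctype.h>
#include <string.h>

/* Result codes from validating one numeric field. */
enum field_status {
    FIELD_OK = 0,
    FIELD_NOT_A_NUMBER,   /* type/content check fails: "1w", "2-", "", "abc" */
    FIELD_TOO_LONG,       /* size check fails: more digits than the field allows */
    FIELD_OUT_OF_RANGE    /* range check fails: value outside [lo, hi] */
};

/* Validate a text field that must be a decimal integer of at most max_digits
 * digits, within [lo, hi]. On success *out receives the value. Each
 * assumption the Scanner example left unchecked is tested explicitly. */
enum field_status validate_int_field(const char *text, size_t max_digits,
                                     long lo, long hi, long *out)
{
    size_t len = strlen(text);
    if (len == 0)
        return FIELD_NOT_A_NUMBER;
    if (len > max_digits)
        return FIELD_TOO_LONG;     /* a 50-digit input is rejected before parsing */

    /* Content check: digits only. strtol by itself would accept "+1", " 1"
     * and would stop silently at the 'w' in "1w". */
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)text[i]))
            return FIELD_NOT_A_NUMBER;

    errno = 0;
    char *end = NULL;
    long v = strtol(text, &end, 10);
    if (errno == ERANGE || end != text + len)
        return FIELD_OUT_OF_RANGE; /* too large for long, or junk after the digits */
    if (v < lo || v > hi)
        return FIELD_OUT_OF_RANGE;
    *out = v;
    return FIELD_OK;
}

static int is_leap(long y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Validate a day/month/year triple: each field individually, then the
 * combination (day must exist in that month of that year). Returns 1 if valid. */
int validate_date(const char *day, const char *month, const char *year)
{
    /* Days in each month, indexed 1..12; February adjusted for leap years. */
    static const int mdays[] = {0,31,28,31,30,31,30,31,31,30,31,30,31};
    long d, m, y;
    if (validate_int_field(year,  4, 1900, 2100, &y) != FIELD_OK) return 0;
    if (validate_int_field(month, 2, 1, 12, &m) != FIELD_OK) return 0;
    if (validate_int_field(day,   2, 1, 31, &d) != FIELD_OK) return 0;
    int limit = mdays[m] + (m == 2 && is_leap(y) ? 1 : 0);
    return d <= limit;
}
```

Rejecting on length before parsing is what makes the "50 digits" case safe regardless of the integer type used to hold the result; the range check afterwards is what the Scanner example lacked even for inputs that parse.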


Injection Attacks
• Flaws relating to invalid handling of input data, specifically when program input data can accidentally or deliberately influence the flow of execution of the program
• Most often occur in scripting languages
  • Encourage reuse of other programs and system utilities where possible to save coding effort
  • Often used as Web CGI scripts
Validating Input Syntax
• It is necessary to ensure that data conform with any assumptions made about the data before subsequent use
• Input data should be compared against what is wanted
• Alternative is to compare the input data with known dangerous values
• By only accepting known safe data the program is more likely to remain secure
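An added example in C (not from the slides or the textbook) covering the two preceding slides: a command built by pasting a user-supplied name into a shell command line, the allowlist check that accepts only known-safe names, a denylist for contrast, and execution through an argument vector so no shell parses the name at all. The `finger` invocation and the name rules (letters, digits, `_`, `-`, at most 32 characters) are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: paste untrusted input into a shell command line.
 * This returns the string that system() would hand to "/bin/sh -c", so the
 * effect of shell metacharacters can be seen without running anything. */
int build_finger_command_unsafe(const char *user, char *cmd, size_t cmdsize)
{
    int n = snprintf(cmd, cmdsize, "finger %s", user);
    return (n < 0 || (size_t)n >= cmdsize) ? -1 : 0;
}

/* Allowlist check (accept only known-safe data): a login name is letters,
 * digits, '_' and '-', 1..32 characters, and may not start with '-' so the
 * program receiving it cannot parse it as an option. */
int is_safe_username(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 32 || user[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = user[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Denylist check for contrast: rejects the metacharacters the author
 * happened to think of. Anything missing from the list (here, newline,
 * which also separates shell commands) slips through. */
int contains_denylisted_char(const char *user)
{
    return strpbrk(user, ";|&`$<>()") != NULL;
}

/* Safe execution: validate first, then exec the program directly with an
 * argument vector. No shell is involved, so there is nothing to inject into.
 * Returns -1 without executing if the name fails validation (execvp itself
 * only returns on failure). */
int run_finger_safe(const char *user)
{
    if (!is_safe_username(user))
        return -1;
    char *const argv[] = { "finger", (char *)user, NULL };
    execvp("finger", argv);
    return -1;
}
```

The allowlist is short and complete by construction; the denylist has to be maintained against every interpreter the data might reach, and newline is only one of the characters such lists tend to miss.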
Alternate Encodings
• Growing requirement to support users around the globe and to interact with them using their own languages
• May have multiple means of encoding text
• Unicode used for internationalization
  • Originally a 16-bit code; now defines code points up to U+10FFFF, which UTF-16 represents as pairs of 16-bit units above U+FFFF
  • UTF-8 encodes as 1-4 byte sequences
  • Many Unicode decoders accept any valid equivalent sequence, including non-shortest ("overlong") encodings of a character
• Canonicalization
  • Transforming input data into a single, standard, minimal representation
  • Once this is done the input data can be compared with a single representation of acceptable input values
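An added example in C (not from the slides or the textbook): a UTF-8 decoder with a `strict` switch. In lenient mode it behaves like the decoders the slide warns about and accepts the overlong sequence C0 AF as U+002F '/'; in strict mode it rejects overlong forms, surrogates and out-of-range values. The path-component check below it canonicalizes first and only then looks for separators, so a check done on raw bytes cannot be bypassed by an alternate encoding. The byte sequences in the test are constructed inputs.

```c
#include <stdint.h>
#include <stddef.h>

/* Decode one UTF-8 sequence from s[0..n). Returns the number of bytes
 * consumed and stores the code point in *cp, or -1 if the bytes are not
 * well-formed. With strict == 0 overlong sequences are accepted, so C0 AF
 * decodes to '/' exactly like the single byte 2F does. With strict == 1
 * overlong sequences, UTF-16 surrogates and values above U+10FFFF are
 * rejected, so every character has exactly one accepted encoding. */
int utf8_decode(const unsigned char *s, size_t n, int strict, uint32_t *cp)
{
    if (n == 0)
        return -1;
    unsigned char b0 = s[0];
    int len;
    uint32_t c, min;

    if (b0 < 0x80)                { *cp = b0; return 1; }
    else if ((b0 & 0xE0) == 0xC0) { len = 2; c = b0 & 0x1F; min = 0x80;    }
    else if ((b0 & 0xF0) == 0xE0) { len = 3; c = b0 & 0x0F; min = 0x800;   }
    else if ((b0 & 0xF8) == 0xF0) { len = 4; c = b0 & 0x07; min = 0x10000; }
    else return -1;               /* stray continuation byte, or F8..FF lead */

    if (n < (size_t)len)
        return -1;                /* truncated sequence */
    for (int i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return -1;            /* expected a 10xxxxxx continuation byte */
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (strict) {
        if (c < min)                    return -1;   /* overlong encoding */
        if (c >= 0xD800 && c <= 0xDFFF) return -1;   /* UTF-16 surrogate */
        if (c > 0x10FFFF)               return -1;   /* beyond Unicode */
    }
    *cp = c;
    return len;
}

/* Canonicalize a path component before the security check: decode every
 * sequence strictly, then look for the characters that matter. Returns 1
 * if the component is a plain file name, 0 if it is malformed, contains a
 * separator or NUL, or is "", "." or "..". */
int path_component_is_safe(const unsigned char *s, size_t n)
{
    uint32_t cp;
    size_t i = 0, ndots = 0, ncps = 0;
    while (i < n) {
        int len = utf8_decode(s + i, n - i, 1, &cp);
        if (len < 0)
            return 0;             /* malformed input is rejected, never guessed at */
        if (cp == '/' || cp == '\\' || cp == 0)
            return 0;
        if (cp == '.')
            ndots++;
        ncps++;
        i += (size_t)len;
    }
    if (ncps == 0 || ndots == ncps)
        return 0;
    return 1;
}
```

Rejecting malformed sequences outright is the safer choice: a decoder that "repairs" them picks some representation for the attacker, and it may not be the one a later component picks.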
Validating Numeric Input
• Additional concern when input data represents numeric values
  • Internally stored in fixed sized value
  • 8, 16, 32, 64-bit integers
  • Floating point numbers depend on the processor used
  • Values may be signed or unsigned
• Must correctly interpret text form and process consistently
  • Have issues comparing signed to unsigned
  • Could be used to thwart buffer overflow check
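An added example in C (not from the slides or the textbook) of the last point: a length read from input as a signed `int` is compared against a buffer size, a negative value passes the check, and the same value becomes a huge `size_t` at the copy. The fixed check and a parser that refuses negative text are alongside. The 64-byte buffer is an assumption for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>
#include <stdlib.h>

#define BUF_LEN 64

/* Buggy bounds check: len is a signed int taken from the input. The compare
 * with the int constant is signed, so a negative length passes, and the
 * memcpy that would follow converts it to size_t (-1 becomes SIZE_MAX).
 * Returns 1 if the length would be accepted; no copy is performed here. */
int length_accepted_buggy(int len)
{
    if (len > BUF_LEN)
        return 0;
    return 1;   /* would be followed by memcpy(buf, data, len) */
}

/* Fixed: reject negatives explicitly and compare values of one signedness. */
int length_accepted_fixed(long len)
{
    if (len < 0 || len > BUF_LEN)
        return 0;
    return 1;
}

/* What a negative length turns into at memcpy's size_t parameter. */
size_t as_size_t(int len)
{
    return (size_t)len;
}

/* Parse a length from its text form. strtoul would silently turn "-1" into
 * ULONG_MAX, so parse as signed, range-check, and only then use the value.
 * Returns -1 on any failure, otherwise a value in [0, BUF_LEN]. */
long parse_length(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE)
        return -1;
    if (!length_accepted_fixed(v))
        return -1;
    return v;
}
```

The general rule the example illustrates: a length should be held in an unsigned type from the moment it is trusted, and the moment it is trusted should be after an explicit check that covers both ends of the range.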
Input Fuzzing
• Software testing technique that uses randomly generated data as inputs to a program
  • Range of inputs is very large
  • Intent is to determine if the program or function correctly handles abnormal inputs
• Developed by Professor Barton Miller at the University of Wisconsin Madison in 1989
• Simple, free of assumptions, cheap
• Assists with reliability as well as security
• Can also use templates to generate classes of known problem inputs
  • Disadvantage is that bugs triggered by other forms of input would be missed
• Combination of approaches is needed for reasonably comprehensive coverage of the inputs
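An added example in C (not from the slides, the textbook or OpenSSL) serving both the "Interpretation of Program Input" slide and this one. The target is a constructed binary record with a 2-byte declared payload length, a simplified analogue of the heartbeat format whose unchecked length field was the Heartbleed bug; the buggy parser compares the declared length against the whole record instead of the bytes after the header. The harness runs a random stage and a template stage (declared lengths at and around the boundary) and counts inputs that break the invariant "an accepted record never extends past its buffer". The PRNG is a constructed deterministic generator so a failing run can be reproduced from its seed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Record layout: 2-byte big-endian payload length, then the payload. */
static size_t declared_len(const uint8_t *rec)
{
    return ((size_t)rec[0] << 8) | rec[1];
}

/* Buggy variant: compares the declared length with the whole record rather
 * than the bytes that follow the header, so declared lengths of n-1 and n
 * are accepted and the caller would read past the end of the buffer. */
int parse_record_buggy(const uint8_t *rec, size_t n, size_t *payload_len)
{
    if (n < 2) return -1;
    size_t len = declared_len(rec);
    if (len > n) return -1;            /* off by the 2-byte header */
    *payload_len = len;
    return 0;
}

/* Fixed variant: the payload must fit in the n-2 bytes after the header. */
int parse_record_fixed(const uint8_t *rec, size_t n, size_t *payload_len)
{
    if (n < 2) return -1;
    size_t len = declared_len(rec);
    if (len > n - 2) return -1;
    *payload_len = len;
    return 0;
}

typedef int (*record_parser)(const uint8_t *, size_t, size_t *);

/* The invariant the fuzzer checks: an accepted record never points past its buffer. */
static int violates_invariant(record_parser p, const uint8_t *rec, size_t n)
{
    size_t len = 0;
    if (p(rec, n, &len) != 0)
        return 0;                      /* rejected, which is always safe */
    return 2 + len > n;
}

/* Small deterministic PRNG (constructed for the example, not cryptographic). */
static uint32_t next_rand(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state >> 8;
}

#define MAX_REC 32

/* Stage 1: random records of random length. Stage 2: template records with
 * the declared length at and around the boundary, the class of input most
 * likely to expose an off-by-one. Returns how many inputs broke the invariant. */
int fuzz_parser(record_parser p, unsigned iterations, uint32_t seed)
{
    uint8_t rec[MAX_REC];
    int failures = 0;

    for (unsigned i = 0; i < iterations; i++) {
        size_t n = 1 + next_rand(&seed) % MAX_REC;       /* 1..32 bytes */
        for (size_t j = 0; j < n; j++)
            rec[j] = (uint8_t)next_rand(&seed);
        failures += violates_invariant(p, rec, n);
    }

    for (size_t n = 2; n <= MAX_REC; n++) {
        const size_t probes[] = { 0, n - 2, n - 1, n, n + 1, 0xFFFF };
        memset(rec, 0x41, sizeof rec);
        for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++) {
            rec[0] = (uint8_t)(probes[k] >> 8);
            rec[1] = (uint8_t)(probes[k] & 0xFF);
            failures += violates_invariant(p, rec, n);
        }
    }
    return failures;
}
```

The random stage alone hits the off-by-one only when the first two bytes happen to equal n or n-1, which is why the template stage exists; the template stage alone would miss any bug that does not sit at that boundary, which is the slide's point about combining approaches.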
Writing Safe Program Code
• Second component is processing of data by some algorithm to solve required problem
• High-level languages are typically compiled and linked into machine code which is then directly executed by the target processor
• Security issues:
  • Correct algorithm implementation
  • Correct machine instructions for algorithm
  • Valid manipulation of data
Correct Algorithm Implementation
• Issue of good program development technique
  • Algorithm may not correctly handle all problem variants
  • Consequence of deficiency is a bug in the resulting program that could be exploited
• Initial sequence numbers used by many TCP/IP implementations are too predictable
  • Combination of the sequence number as an identifier and authenticator of packets and the failure to make them sufficiently unpredictable enables the attack to occur
  • This vulnerability was exploited by the Morris Internet Worm
• Another variant is when the programmers deliberately include additional code in a program to help test and debug it
  • Often code remains in production release of a program and could inappropriately release information
  • May permit a user to bypass security checks and perform actions they would not otherwise be allowed to perform
Ensuring Machine Language Corresponds to Algorithm
• Issue is ignored by most programmers
  • Assumption is that the compiler or interpreter generates or executes code that validly implements the language statements
• Requires comparing machine code with original source
  • Slow and difficult
• Development of computer systems with very high assurance level is the one area where this level of checking is required
  • Specifically Common Criteria assurance level of EAL 7
Correct Data Interpretation
• Data stored as bits/bytes in computer
  • Grouped as words or longwords
  • Accessed and manipulated in memory or copied into processor registers before being used
  • Interpretation depends on machine instruction executed
• Different languages provide different capabilities for restricting and validating interpretation of data in variables
  • Strongly typed languages are more limited, safer
  • Other languages allow more liberal interpretation of data and permit program code to explicitly change their interpretation
Correct Use of Memory
• Issue of dynamic memory allocation
  • Used to manipulate unknown amounts of data
  • Allocated when needed, released when done
• Memory leak
  • Steady reduction in memory available on the heap to the point where it is completely exhausted
• Many older languages have no explicit support for dynamic memory allocation
  • Use standard library routines to allocate and release memory
• Modern languages handle automatically
Use of Least Privilege
• Privilege escalation
  • Exploit of flaws may give attacker greater privileges
• Least privilege
  • Run programs with least privilege needed to complete their function
• Determine appropriate user and group privileges required
  • Decide whether to grant extra user or just group privileges
• Ensure that privileged program can modify only those files and directories necessary
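An added example in C for POSIX systems (not from the slides or the textbook): a routine that permanently drops from a privileged identity to the unprivileged user and group a program needs, in the order that actually works, and then verifies the drop cannot be undone. Which uid and gid to drop to is assumed to have been decided by the caller (for example by looking up a dedicated service account).

```c
#include <unistd.h>
#include <sys/types.h>
#include <errno.h>
#include <stddef.h>

/* Declared explicitly so the example builds under strict feature-test
 * settings; the signature matches the POSIX/glibc one in <grp.h>. */
extern int setgroups(size_t n, const gid_t *groups);

/* Permanently drop to uid/gid. Order matters: supplementary groups first,
 * then the gid, then the uid, because once the uid is unprivileged the
 * group changes are no longer allowed. Returns 0 on success, -1 with errno
 * set otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may change the supplementary group list; clear it so no
         * inherited group membership survives the drop. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)       /* as root this sets real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)       /* likewise for the uid: no saved root uid remains */
        return -1;

    /* Verify the drop is irreversible: regaining root must now fail. A
     * function that only changed the effective uid would pass the first
     * two calls and fail here. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

The verification step is the part most implementations omit: `seteuid`-style temporary drops leave the saved uid as root, so a later bug can call `setuid(0)` and get it back, which is why the routine checks for exactly that.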
Other Program Interaction
• Programs may use functionality and services of other programs
  • Security vulnerabilities can result unless care is taken with this interaction
  • Such issues are of particular concern when the program being used did not adequately identify all the security concerns that might arise
  • Occurs with the current trend of providing Web interfaces to programs
  • Burden falls on the newer programs to identify and manage any security issues that may arise
• Issue of data confidentiality/integrity
• Detection and handling of exceptions and errors generated by interaction is also important from a security perspective
Handling Program Output
• Final component is program output
  • May be stored for future use, sent over net, displayed
  • May be binary or text
• Important from a program security perspective that the output conform to the expected form and interpretation
• Programs must identify what is permissible output content and filter any possibly untrusted data to ensure that only valid output is displayed
• Character set should be specified
