Adaptive Application Security Testing Model
Ashish Khandelwal, Gunankar Tyagi
Agendum
Confidential McAfee Internal Use Only
Security Testing
Cost Impact
• Monster.com suffered a heavy security breach in Aug 2007 that reportedly resulted in the theft of the confidential information of some 1.3 million job seekers.
• The TJX Company breach, first reported in January 2007, has been widely recognized as the largest reported theft of personal details ever lost by a company.
• Operation Aurora affected as many as 2,411 companies; the compromised data ranged from intellectual property and classified documents to credit card transaction details.
• LOVE BUG exploited the Microsoft Outlook e-mail client to execute programs. The damage resulting from this virus was reported to be in the billions of dollars.
Rich Man's Wisdom
A man who wants to remain rich will make sure he locks his money in the "VAULT".
Case Study – Product Context Setting
[Diagram: Application; Product team; Integrated Engineering team; Skill Sets: Specialized, Skilled]
Threat Model and its constraints
[Diagram: Process Flow; Constraints]
Adaptive Ladder
[Diagram: a ladder of expertise level (vertical axis) against success rate (horizontal axis); rungs R1, R2 and R3 lead from Peripheral Security Testing through Adversarial Security Testing (together the Adaptive Model) up to the Threat Model]
• Bottom of the ladder: part-time security tester; security testing novice; limited access to the codebase
• Top of the ladder: full-time security tester; security expertise; authorized personnel
Adaptive Model – Highlights
• Two-tier sequential model: Peripheral Security Testing (PST) and Adversarial Security Testing (AST)
• Each of these testing types is defined in terms of Inputs, Activities and Outputs
• The Adaptive Model kicks off with PST and then helps to:
  - Enhance security knowledge and experience
  - Constantly deliver results
  - Build the prerequisites for AST
Adaptive Model – Basic Workflow
[Diagram: Inputs -> Activities -> Outputs for each tier]
• PST – Inputs: QA with attack perspective, architecture document, use cases; Activities: execution and results; Outputs: document
• AST – Inputs: QA with security expertise, code access, historical knowledge; Activities: analysis, research and results; Outputs: documents, security experience and expertise
• AST – Adversarial Security Testing; PST – Peripheral Security Testing; EPs – Entry/Exit Points
Peripheral Security Testing
• Entry Points: the places where inputs are supplied to your application
• Exit Points: desirable or undesirable output from the application
• Outside approach: without much knowledge of the internal implementation
• On the surface: easier to detect and requires less effort
Sample Study I (Peripheral Security Testing)
[Diagram: Process Flow; Attack Model]
• Is your product's functionality hampered if you deny it permissions on the temp folder?
• Do the files (logs, event XML, binaries) contain sensitive data?
• Is there a way to cause a buffer overflow through the file extension or file name?
Sample Study II (Peripheral Security Testing)
[Diagram: Process Flow; Attack Model]
• Identify the named pipes (PipeList)
• View the permissions of each named pipe (ObjSD)
• Check the product against hijacking or impersonation of the named pipe
Peripheral Security Testing Checklist
S.No. | Entry/Exit Points | Attack Model | Tools/Scripts
1 | Files & Folders | Information disclosure; weak permissions; buffer overflow | FileMon, ACL Editor, strings
2 | Sockets | Man-in-the-middle attack; sniffing network traffic; sending malicious data | Wireshark, netstat.exe, netcat
3 | Registry Entries | Registry keys accessed by the product; permissions of the registry keys | Regmon, ACL Editor
4 | Named Pipes | Exploit weak permissions; hijack the creation; impersonate the client | PipSec, PipeList, CreateAgentPipe, ObjSD
5 | User Interfaces | Shatter attack; format string attacks | Shatter Tool, WebText Convertor
6 | Command Line Arguments | Command line switches (/?, -?, /h or -h); exploit undocumented command line switches | Process Explorer (Image tab)
7 | Environment Variables | Uncover environment variables used by the product; manipulate data inside product-defined environment variables | Process Explorer (Environment tab), System Environment Variables tab
8 | ActiveX Control | ActiveX repurposing attacks; ActiveX fuzzing | COMRaider, OLEView
9 | Drivers | I/O verification; deadlock detection; dangerous APIs; exceptions, handlers and memory; loading and unloading the filter driver; attaching and detaching the filter driver | Windows utility Verifier.exe; Windows utility fltmc; Microsoft Application Verifier; Velocity tool by Microsoft
Adversarial Security Testing
• Attack Base: an entity of the product or the operating system which can be manipulated to perform an attack on the software
• Observation Based: gather past vulnerability information about the attack base
• Abuse Cases: abuse cases (sometimes also called misuse cases) are a tool that can help you begin to think about your software the same way that attackers do
Sample Study III (Adversarial Security Testing)
[Diagram: Attack Model; Process Flow]
• Complexity of ACL configuration
• Permissions cannot be assigned to all objects
• Exploiting integrity levels (Vista specific)
Adversarial Security Testing Checklist
S.No. | Attack Base | Abuse Case Scenarios | References and Historical Knowledge
1 | Access Control List | Verification of apt ACLs for your product resources; shatter attack; target NULL DACL; look for dangerous ACE types -> Everyone (WRITE_DAC), Everyone (WRITE_OWNER), Everyone (FILE_ADD_FILE); exploiting integrity levels; target Windows DAC weakness; target Windows MIC weakness | http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchtype=archives&counts=26&searchvalue=win2000+attack+.c ; http://archive.hack.lu/2007/cracking_windows_access_control.ppt
2 | Shell Extensions | List the shell extensions used by your product; list the resources utilized by our shell extension; behavior of the shell extension; effect of impersonating your product's shell extensions | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5902
3 | Plugins | List resources used by the BHO; learn how to write a BHO; understand the functionality of the IE plugin -> this can give more attack vectors; effect of impersonating our product's BHO; find a way to disable the IE plugin | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2382
4 | Denial of Service | Do a basic analysis of DoS attacks; identify the services rendered by your product; identify the ports used by the services; identify tools to send specially crafted packets to perform a DoS attack on our product (use historical info); analyze the results | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1855
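The named-pipe permission check in Sample Study II, the weak-permission rows (files, registry keys, named pipes) of the Peripheral checklist, and the NULL DACL, dangerous ACE type and integrity-level scenarios in row 1 of this checklist all come down to reading a security descriptor and spotting the same few things. The block below is an added example that does that offline; it is not code from the slides, from ObjSD or from any McAfee tool. It assumes you have already dumped each resource's descriptor as an SDDL string on the target (PowerShell's `(Get-Acl $path).Sddl` gives this for files and registry keys); the SDDL strings used here are constructed, and the set of "low-privileged" principals it worries about is a choice made for this example.

```python
"""Offline audit of Windows security descriptors in SDDL form.

Added example (not part of the original slides). Parses the DACL and the
mandatory label and reports the weak ACE types the checklists call out:
NULL DACL, and WRITE_DAC / WRITE_OWNER / FILE_ADD_FILE (or GENERIC_WRITE /
GENERIC_ALL) granted to Everyone or other low-privileged principals.
"""
import re

# SDDL two-letter rights tokens -> access mask bits (values from sddl.h).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
    "NR": 0x2, "NW": 0x1, "NX": 0x4,  # mandatory-label policy bits
}
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
# Bit 0x2 is FILE_WRITE_DATA on files, FILE_ADD_FILE on directories and
# KEY_SET_VALUE on registry keys; each lets the caller plant content.
WRITE_BIT = 0x2
# Principals an unprivileged attacker runs as (SDDL alias and raw SID).
# This set is an assumption of the example; extend it for your threat model.
LOW_PRIV = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Users", "S-1-5-32-545": "Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
    "AN": "Anonymous", "S-1-5-7": "Anonymous",
    "BG": "Guests", "S-1-5-32-546": "Guests",
}


def parse_rights(token: str) -> int:
    """Expand an SDDL rights field (hex, or concatenated 2-letter tokens)."""
    if token[:2].lower() == "0x":
        return int(token, 16)
    if len(token) % 2:
        raise ValueError(f"odd-length rights field: {token!r}")
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHTS[token[i:i + 2]]  # KeyError on an unknown token
    return mask


def parse_sddl(sddl: str) -> dict:
    """Split "O:..G:..D:..S:.." into owner, group, DACL ACEs and SACL ACEs.

    A missing D: component (or D:NO_ACCESS_CONTROL) is a NULL DACL; "D:"
    with no ACEs is an *empty* DACL. They are opposites: NULL grants everyone
    full access, empty grants no one any access.
    """
    parts = {m.group(1): m.group(2)
             for m in re.finditer(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl)}
    sd = {"owner": parts.get("O"), "group": parts.get("G"),
          "dacl": None, "dacl_flags": "", "sacl": []}
    for comp in ("D", "S"):
        text = parts.get(comp)
        if text is None:
            continue
        flags = text.split("(", 1)[0]
        aces = []
        for body in re.findall(r"\(([^)]*)\)", text):
            f = body.split(";")  # type;flags;rights;obj_guid;inh_guid;sid
            if len(f) < 6:
                raise ValueError(f"malformed ACE: ({body})")
            aces.append({"type": f[0], "flags": f[1],
                         "mask": parse_rights(f[2]), "sid": f[5]})
        if comp == "D":
            sd["dacl_flags"] = flags
            sd["dacl"] = None if "NO_ACCESS_CONTROL" in flags else aces
        else:
            sd["sacl"] = aces
    return sd


def audit_sddl(sddl: str, object_type: str = "file") -> list:
    """Return human-readable findings for one object's descriptor."""
    sd = parse_sddl(sddl)
    if sd["dacl"] is None:
        return ["NULL DACL: every principal has full control"]
    findings = []
    if not sd["dacl"]:
        findings.append("empty DACL: no principal has any access (verify this is intended)")
    write_name = "KEY_SET_VALUE" if object_type == "registry" else "FILE_WRITE_DATA/FILE_ADD_FILE"
    for ace in sd["dacl"]:
        if ace["type"] != "A" or ace["sid"] not in LOW_PRIV:
            continue  # deny ACEs and privileged principals are not findings
        mask = ace["mask"]
        granted = [name for bit, name in (
            (GENERIC_ALL, "GENERIC_ALL"), (GENERIC_WRITE, "GENERIC_WRITE"),
            (WRITE_DAC, "WRITE_DAC"), (WRITE_OWNER, "WRITE_OWNER"),
            (WRITE_BIT, write_name)) if mask & bit]
        if granted:
            flag_pairs = {ace["flags"][i:i + 2] for i in range(0, len(ace["flags"]), 2)}
            scope = " (inherit-only: applies to children)" if "IO" in flag_pairs else ""
            findings.append(f"{LOW_PRIV[ace['sid']]} granted {', '.join(granted)}{scope}")
    for ace in sd["sacl"]:
        if ace["type"] == "ML" and ace["sid"] == "LW":  # Low mandatory label
            findings.append("mandatory label is Low: low-integrity (sandboxed) code may write here")
    return findings


if __name__ == "__main__":
    # Constructed descriptors: a world-writable pipe, a sane program folder,
    # a NULL DACL and a Low-labelled object.
    for name, sddl in [("\\\\.\\pipe\\agent", "O:BAG:SYD:(A;;FA;;;WD)(A;OICI;FA;;;BA)"),
                       ("C:\\Program Files\\Product", "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)"),
                       ("Global\\ProductMutex", "O:BAG:SY"),
                       ("C:\\ProgramData\\Product\\work", "O:BAG:SYD:(A;;FA;;;BA)S:(ML;;NW;;;LW)")]:
        print(name, "->", audit_sddl(sddl) or ["ok"])
```

Two details the checklist phrasing hides: a descriptor with no D: component at all is the dangerous NULL DACL, whereas "D:" followed by nothing is an empty DACL that locks everyone out (a denial-of-service bug, not a privilege escalation), and a generic right such as GW on a file maps to FILE_GENERIC_WRITE, so it has to be treated as a write grant even though the 0x2 bit is not literally present in the ACE.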
AASTM Model – Recap
• Position yourself on the Adaptive Ladder and then design your security testing strategy.
• The idea is to find security defects in the product. A model is important but not a constraint.
• Follow the Peripheral and Adversarial approaches as a guideline to target security flaws.
• Creating a dedicated skill-set base within the team helps a lot.
• Even an ad-hoc approach is good for exposing some security shortcomings.