Build it, Break it, Fix it Build-it Lecture Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Today Introduction n Theoretical Part: How to Build Secure Software n Brief Problem Overview n Setup HowTo for Phase I n 2 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
General Setup Group Project with groups of four or five students n Three Phases: n 1st Phase: n Each group implements software according to a specification 2nd Phase: n Each group examines the implementations of the other groups, searches for vulnerabilites and writes exploits. 3rd Phase: n Each group receives the vulnerability reports, has to fix them and write a report. 3 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Organisation Appointments 31.07.2017 10 AM s.t. - 3 PM Kickoff „Build It" n 03.08.2017 10 AM s.t. - 1 PM Q&A session 1 (voluntary) n 07.08.2017 10 AM s.t. - 3 PM Intermediate presentations + Kickoff „Break It" n 10.08.2017 10 AM s.t. - 1 PM Q&A session 2 (voluntary) n 14.08.2017 10 AM s.t. - 3 PM Intermediate presentations + Kickoff „Fix It" n 17.08.2017 10 AM s.t. - 1 PM Q&A session 3 (voluntary) n 21.08.2017 10 AM s.t. - 1 PM Final presentations n 21.08.2017 11:59 PM Deadline for the final report n Examination n Consists of your practical contest participation, the final report, the presentations and an oral exam n Make an appointment for your oral exam with Prof. Bodden Slides available online 4 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Organisation Deliverables 2 Intermediate Presentations: 10min talk, summarise your work of the previous n phase Final Presentation: 15min talk, summarise your overall work of all phases n Final report: max. 10 pages, write about your implementation, your breaking n approach, your bugs and their fixes and lessons learned Oral examination: Knowledge about theoretical parts and about your group‘s n implementation, breaks and fixes Slides available online 5 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
General Advice Challenge yourself, challenge the others, expect to be challenged n Do not start working on the Saturday before the deadline n Raise your questions in time and use the course mailing list , so that others may n benefit from the answers as well. Please participate and answer questions for others when you know the answer. Mailing List: bibifi@lists.uni-paderborn.de Make use of the Q/A sessions and come early, as we may leave earlier if there is no n demand Rules No plagiarism (zero tolerance) n No deadline extensions n Do not attack the infrastructure n Allowed Programming Languages: C, Python, Java n 6 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
How to Build Secure Software 7 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Why do we care? 8 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
How risky can it be to use Adobe Flash Player? 2011 Attack on RSA and U.S. Weapon Manufacturers 1: Social engineering & phishing 3: Collecting SecureID secret seed records, downloading them from staging server. ▪ RSA issues warning on March 17 ▪ Unusually fast (e.g., attack on ▪ March 3: Fake email to some RSA employees: [2011 Nortel went unnoticed for more Recruitment plan.xls] with embedded flash zero-day then 10 years) CVE-2011-0609 in Adobe Flash Player. ▪ Planted “Poison Ivy” trojan horse. 4: Exploiting compromised SecureID to break into the target systems at defence industry. 2: Digital Shoulder Surfing ▪ June 3: Lockheed discloses a blocked attack, which exploited the breach at RSA. ▪ Poison Ivy connects back ▪ RSA announced replacement program for tokens to control server, giving (>40M tokens worldwide, Lockheed > 45’000). full control to attacker. ▪ August 2011: RSA acknowledge immediate 66M$ ▪ Attacker gradually moves for recovery. towards higher value accounts ▪ March 27, 2012: NSA attributes attack to Chinese and data. hackers http://www.f-secure.com/weblog/archives/00002226.html http://www.nytimes.com/2011/06/08/business/08security.html?pagewanted=all http://www.informationweek.com/news/government/security/232700341 9 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
What does “Security” mean for Software and Information Systems? 10 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Security is Not a Set of Features Secure is an emergent property of software n “Being dry” in a tent in the rain n Being secure is the result of many, many factors, not one feature (e.g. encryption) n …so requirements documents should not just be a list of features n 11 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Core Security Goals The CIA Triad Confidentiality The system must not disclose any information intended to be hidden, e.g., your credit card information on a website. Note: open source software can still be confidential. Integrity Availability The system must not allow assets to be The system must be able to be available and subverted by unauthorized users, e.g., operational to users, e.g., bringing down changing a prisoner’s release date. Amazon.com We must be able trust what is in the system Any system performance degradation that can be The data being stored triggered by a user can be used for denial of The functionality being executed service attacks 12 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Threat Classification Spoofing “Pretending to be something or someone other than yourself.” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] Authentication IP Spoofing n Set source IP address to some other IP n E-Mail Spoofing n Replace sender address n In SMTP, “From” is not checked n 13 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Threat Classification Tampering “Modifying something on disk, on a network, or in memory.” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] “Web Tampering” [owasp.org] n Integrity <input type=”hidden” id=”1008” name=”cost” value=”70.00”> http://www.attackbank.com/savepage.asp?nr=147&status=del http://www.attackbank.com/savepage.asp?nr=147&status=read 14 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Threat Classification Repudiation “Claiming that you didn’t do something, or were not responsible. Repudiation can be honest or false, and the key question for system designers is, what evidence do you have?” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] Confirmation Deleting Logs n Using symmetric keys for signing n Both parties can dispute the signing n 15 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Threat Classification Information Disclosure “Providing information to someone not authorized to see it.” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] Confidentiality 16 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Threat Classification Denial of Service “Absorbing resources needed to provide service.” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] Availability Any system performance degradation that can be triggered by n an user can be used for denial of service attacks, e.g., too many server requests Blog of security blogger Brian Krebs was taken down in n September 2016 DNS services of Dyn were attacked in October 2016 n Many prominent websites were not reachable n Botnet of thousands of IoT devices, e.g., IP-cameras n 17 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Threat Classification Elevation of privilege “Allowing someone to do something they’re not authorized to do.” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] Authorization Library for image processing n Used by many websites n “Image Tragic” n Upload a compromised SVG n Execute code with the privileges of the calling n server process, e.g., deleting all images 18 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Threat Classification Summary S poofing Authentication T ampering Confidentiality Authorization R epudiation I nformation Disclosure D enial of Service Integrity E levation of Privilege Availability Confirmation 19 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Composability Component AB Component A + Component B Sometimes… Secure + Secure Secure Insecure Security is usually not preserved under composition! 20 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
At which point in the development can we apply security? At which point in the development can we introduce insecurity? 21 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Software Development Lifecycle – Potentials for Insecurity Overlooking Bad Incomplete Flawed Incomplete vuln. Configuration Requirements Architecture Test and Feedback from Test Plans Code and Use Cases And Design Test Results the Field 22 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Security Touchpoints Requirements Architecture Test and Feedback from Test Plans Code and Use Cases And Design Test Results the Field 23 Prof. Eric Bodden – Build It, Break It, Fix It SS 17
Recommend
More recommend