UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE
Qualitative Analysis From Build It, Break It, Fix It

Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks
University of Maryland, College Park


  1. SECURE LOG PROBLEM

     Event log (file "log"):

     Time      User    Action   Where
     8:00 AM   Bob     Enter    Gallery
     8:01 AM   Alice   Enter    Office

     ./logappend -T 0800 -K XDFLKJSLJDLJFLKJLSDF -E Bob -A -R Gallery log
     ./logappend -T 0801 -K XDFLKJSLJDLJFLKJLSDF -E Alice -A -R Office log
     ./logread -K XDFLKJSLJDLJFLKJLSDF -R -E Alice log
     Office

  4. SECURE COMMUNICATIONS PROBLEM

     Command                                   bob balance
     ./bank -s auth
     ./atm -s auth -c card -a bob -n 1000      1000
     ./atm -s auth -c card -a bob -d 50        1050
     ./atm -s auth -c card -a bob -w 600       450

     auth : XDFLKJSLJDLJFLKJLSDF
     card : DFLLKSDF

  14. MULTIUSER DATABASE PROBLEM

     as principal admin password "admin" do
        create principal alice "alices_password"
        set msg = "Hi Alice. Good luck in Build it, Break it, Fix it!"
        set delegation msg admin read -> alice
        return "success"
     ***

     as principal alice password "alices_password" do
        return msg
     ***

     as principal bob password "bobs_password" do
        return msg
     ***

  18. RESEARCH QUESTIONS

     • What types of vulnerabilities do developers introduce?
     • How severe are the vulnerabilities? If exploited, what is the effect on the system?
     • How exploitable are the vulnerabilities? What level of insight is required and how much work is necessary?

  23. ANALYSIS APPROACH

     • Examine projects and associated exploits in detail
     • Iterative open coding
     • Two independent researchers with high reliability
     • 76 projects with 866 submitted exploits
     • Both qualitative and quantitative analysis performed

  29. RESULTS

  30. Vulnerability classes (diagram labels): No implementation (Intuitive, Unintuitive); Misunderstanding (Bad Choice, Conceptual Error); Mistake

  31. Vulnerability classes: No implementation

     • Missed something "Intuitive"
        • No encryption (log, ATM)
        • No access control (MD)
     • Missed something "Unintuitive"
        • No MAC (log)
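
As an added illustration of the "No MAC (log)" class (this is not code from the talk or from any contest submission), the Python below tags the secure-log file with HMAC-SHA256 keyed from the `-K` token and refuses to read or append when the tag does not verify. The file layout, the PBKDF2 key derivation and all function names are assumptions made for the example; it covers integrity only, so the "No encryption" class would still need an authenticated cipher on top.

```python
import hashlib, hmac, json, os

SALT_LEN, TAG_LEN = 16, 32  # assumed layout: salt || HMAC tag || JSON body
HDR = SALT_LEN + TAG_LEN

def _tag(token, salt, body):
    # Assumption: the MAC key is stretched from the -K token with PBKDF2.
    key = hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)
    return hmac.new(key, salt + body, hashlib.sha256).digest()

def read_log(blob, token):
    """Return the entries, or raise ValueError if the tag does not verify."""
    salt, tag, body = blob[:SALT_LEN], blob[SALT_LEN:HDR], blob[HDR:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, _tag(token, salt, body)):
        raise ValueError("integrity violation")
    return json.loads(body)

def append_entry(blob, token, entry):
    """Verify the existing log (if any), add one entry, re-tag the whole file."""
    if blob:
        entries, salt = read_log(blob, token), blob[:SALT_LEN]
    else:
        entries, salt = [], os.urandom(SALT_LEN)
    entries.append(entry)
    body = json.dumps(entries).encode()
    return salt + _tag(token, salt, body) + body

def rooms_for(blob, token, user):
    """Analogue of the slide's `logread -R -E <user>`: rooms the user entered."""
    return [e["where"] for e in read_log(blob, token)
            if e["user"] == user and e["action"] == "enter"]

def is_rejected(blob, token):
    try:
        read_log(blob, token)
        return False
    except ValueError:
        return True

# Constructed sample data mirroring the two events on the slide.
TOKEN = "XDFLKJSLJDLJFLKJLSDF"
log = append_entry(b"", TOKEN, {"time": "0800", "user": "Bob", "action": "enter", "where": "Gallery"})
log = append_entry(log, TOKEN, {"time": "0801", "user": "Alice", "action": "enter", "where": "Office"})
# Same-length edit to the stored body, as a party with write access to the file could make.
tampered = log[:HDR] + log[HDR:].replace(b"Office", b"Lobby!")

if __name__ == "__main__":
    print(rooms_for(log, TOKEN, "Alice"))    # entries from the intact log
    print(is_rejected(tampered, TOKEN))      # edited body fails the tag check
    print(is_rejected(log, "WRONG-TOKEN"))   # wrong key fails the same check
```

Without the tag check, the edited body still parses as valid JSON and would be reported as if it were the original record.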
