Search - みる会図書館

Search term: Software security. building security in

410 hits for "Software security. building security in".

Software security. building security in


244 Chapter 10 An Enterprise Software Security Program

software security initiatives. Many companies insist they are creating secure software, and slogans to that effect abound. But when asked how they measure their effectiveness, they are at a loss. Simply demanding that developers create secure code only states a truism without providing any urgency to follow through. No developer sets out in the morning to create insecure code, but they do it anyway. The desire to do it right is naturally present. The missing piece is identifying what is to be done and measuring to ensure that it is.

Training without Assessment

Training not only developers but everyone involved with creating secure software is an essential activity. Unfortunately, a number of companies I have worked with felt that once a training program had been put in place, nothing more needed to be done. Nothing was done to impose objectives, measures, and testing around software security. Training by itself is not very useful unless there is follow-through on the bigger picture.

Lack of High-Level Commitment

Make no mistake; implementing an SDL is a serious undertaking. Getting everyone on board requires a sustained effort. Microsoft is no exception. After the Gates memo in January 2002 (see Chapter 1), Microsoft made a staunch public commitment to improve the security of its operating system. The company was serious about reaching its goal. Microsoft built metrics to track progress. It hired and empowered some of the world's leading software security authorities. There was a strong management edict to get it right. Any developer at Microsoft who created a security vulnerability after completing the corporate security training program faced "serious consequences." As a result, after an incredible investment of over $300 million, Microsoft has enjoyed considerable success rolling out its own SDL.

At Microsoft, the wealthiest and most powerful software company in the world with its nearly limitless resources and expertise, the effort to adopt an SDL required the involvement and support of the Chairman of the Board, not to mention an incredible amount of effort and diligence on the part of engineers and managers throughout the organization. Without this commitment from the highest levels, even the most powerful grassroots efforts can hit the wall. I witnessed this myself at a huge Silicon Valley technology producer that is a household name. The managers in the executive suite had lost touch with the builders and did not understand why they needed to put their weight behind software security. The initiative lost steam and was not able to get the budget it needed to succeed. Ask yourself: Who is the executive champion behind software security in your corporation, and how will they get the job done?



Preface

Software security has come a long way in the last few years, but we've really only just begun. Software security is the practice of building software to be secure and to function properly under malicious attack. The underlying concepts behind Software Security have developed over almost a decade and were first described in Building Secure Software [Viega and McGraw 2001] and Exploiting Software [Hoglund and McGraw 2004]. This book begins where its predecessors left off, describing in detail how to put software security into practice.

After completing Java Security [McGraw and Felten 1996] and following it up with Securing Java [McGraw and Felten 1999], I began wondering how it was that such excellent designers, engineers, and architects went astray when it came to security. What was it about software that made security such a problem? If you wanted to build secure software, how would you do it? These questions and the perseverance of John Viega led to Building Secure Software.

Building Secure Software (BSS), the white hat book, seems to have touched off a revolution. Security people who once relied solely on firewalls, intrusion detection, and antivirus mechanisms came to understand and embrace the necessity of better software. BSS provides a coherent and sensible philosophical foundation for the blossoming field of software security.

Exploiting Software (ES), the black hat book, provides a much-needed balance, teaching how to break software and how malicious hackers write exploits. ES is meant as a reality check for software security, ensuring that the good guys address real attacks and invent and peddle solutions that actually work. The two books are in some sense mirror images. Software Security unifies the two sides of software security—attack and defense, exploiting and designing, breaking and building—into a



324 Appendix A Fortify Source Code Analysis Suite Tutorial

3. Ensuring a Working Build Environment
4. Running the Source Code Analysis Engine
5. Exploring the Basic SCA Engine Command Line Arguments
6. Understanding Raw Analysis Results
7. Integrating with an Automated Build Process
8. Using the Audit Workbench
9. Auditing Open Source Applications

By using this tutorial, you will learn how to audit programs for security in order to ferret out the kinds of vulnerabilities that cause real security problems. The kinds of problems that you can find are exactly like those uncovered and publicized by experienced security researchers and malicious hackers—sometimes becoming major news events. Who knows, you may even find yourself discovering previously unknown vulnerabilities in open source code that has been fielded for years!

The directories containing the files used in this tutorial are located in the Install_Directory/Tutorial directory, where Install_Directory is the directory in which the Fortify Source Code Analysis Suite is installed. See the CD accompanying this book.

1. Introducing the Audit Workbench

This exercise examines the results of a successful source code security audit of the Washington University FTP daemon wu-ftpd version 2.6.0 that was performed using the Enterprise version of Fortify Software. In this exercise, you use the Audit Workbench to explore a results file that was generated by the Source Code Analysis Engine and annotated by a code auditor.

The files for this lesson are located in the following directory: Install_Directory/Tutorial/understand_AWB

1. Start Audit Workbench and load the audit.
   • Start Audit Workbench:
     ○ On Windows, navigate from the Start menu as follows: Start → All Programs → Fortify Software → Fortify SCA Suite 3.1.1 - Demonstration Edition → Audit Workbench.
     ○ On UNIX, enter auditworkbench at a command prompt.
   • Choose the Continue Audit option.
   • Select the wu-ftpd.fpr file.
2. Examine the information displayed in the Project Summary dialog. Click Skip AuditGuide to close the Project Summary.



388 Appendix C An Exercise in Risk Analysis: Smurfware

the integrity and privacy functionality to work. The secrets are a hash of the system clock.

SmurfScanner Embedded I/O Manager: This app sorts encrypted versus unencrypted commands and forwards them to either the Helper or directly to the Logic Layer. Commands are sent directly to the Logic Layer when the I/O Manager recognizes the Smurfette body weight shared secret hash.

SmurfScanner Logic Layer: This layer takes the hardware measurement of a user's blueness and compares it to the calibrated value and returns a yes or no, thus performing authentication on a Smurf. The Logic Layer also does other things like calibrate the scanner based on data received from the Manager app, track usage, and run diagnostics.

SmurfScanner Business Application: It is critical to understand the business context in order to estimate impact on such a [...] (as to the "Who cares?" question). In this case, the SmurfScanner is being used to protect SmurfTunes from use by non-Smurfs. SmurfTunes is set up to deliver Saturday morning cartoon theme songs to SmurfPod personal digital listening devices.

Questions

1. What are the business goals and associated risks for the SmurfTunes system?
2. What goals could an attacker have in mind when thinking about attacking this system?
3. What are the implementation bugs and architectural flaws in this system that could be used for attack?
4. How can these technical problems be stated as risks (and then ranked)?
5. What ways could an attacker exploit technical weaknesses to achieve attack goals?
6. Given your answers to the preceding questions, list at least three risks posed by this software system and rank them starting with the greatest first.

Tons of extra credit for performing this exercise by following the risk analysis process from Chapter 5. DO NOT CHEAT. Work out answers before you look at the ones I provide.



390 Appendix C An Exercise in Risk Analysis: Smurfware

Answers

Some of the questions have more correct answers than the ones listed here.

1. What are the business goals and associated risks for the SmurfTunes system?
   Provide digital Saturday morning cartoon music with Smurfs only.
   Loss of digital IP (value).
   Provide music on demand.
   Store and retrieve essential Smurf theme song data.
2. What goals could an attacker have in mind when thinking about attacking this system?
   Theft of Saturday morning cartoon music.
   Determine what others are listening to.
   Cause a certain song to become a "hit."
   Substitute theme song from the Brady Bunch for the Smurf theme song.
   Deny service to all SmurfTunes.
3. What are the implementation bugs and architectural flaws in this system that could be used for attack?
   SmurfScanner Manager and the I/O Manager use a hard-coded shared secret that has low entropy and could be reverse-engineered.
   SmurfScanner Manager commands are not protected from tampering since they use no encryption.
   The Manager seeds the helper apps with low-entropy system clock output.
   The software components in the system don't authenticate with each other, hence it would be easy for an attacker to substitute a malicious component on the PC side.
   The SmurfCrypto is roll-your-own crypto, which is weak, and an attacker app can choose which crypto to use.
   The SmurfScanner Common Command Layer does not authenticate calls made to it, hence it provides an effective and easy means to a denial-of-service attack.
4. How can these technical problems be stated as risks (and then ranked)?
   Left as an exercise for the reader. Think about the business goals and risks you already identified.
5. What ways could an attacker exploit technical weaknesses to achieve attack goals?
   Denial of service using Common Command Layer functionality.



The Security Problem

Microsoft operating systems (see the acclaimed paper "CyberInsecurity: The Cost of Monopoly" [Geer et al. 2003]). Besides being fired from his job at @stake for the trouble, Geer raised some interesting questions about security bugs and the pile of software we're creating. One central question emerged: Is it true that more buggy code leads to more security problems in the field? What kind of predictive power do we get if we look into the data?

Partially spurred by an intense conversation we had, Geer did some work correlating CERT vulnerability numbers, number of hosts, and lines of code, which he has since presented in several talks. In an address at the Yale Law School,9 Geer presented some correlations that bear repeating here.

If you begin with the CERT data and the lines of code data presented in Figure 1-2 you can then normalize the curves. Geer describes "opportunity" as the normalized product of the number of hosts (gleaned from publicly available Internet Society data) and the number of vulnerabilities (shown in Figure 1-1). See Figure 1-3. One question to ask is whether there is "untapped opportunity" in the system as understood in this form. Geer argues that there is, by comparing actual incidents curves against opportunity (not shown here). Put simply, there are fewer incidents than there could be. Geer believes that this indicates a growing reservoir of trouble.

By normalizing the lines-of-code curve shown in Figure 1-2 against its own median and then performing the same normalization technique on the data in Figure 1-3 as well as data about particular incidents (also from CERT), Geer is able to overlay the three curves to begin to look for correlation (Figure 1-4). The curves fit best when the lines-of-code data are shifted right by two years, something that can be explained with reference to diffusion delay. This means that new operating system versions do not "plonk" into the world all at once in a massive coordinated switchover. Instead, there is a steady diffusion into the operating system population. A two-year diffusion delay seems logical.

The next step is a bit more complex and involves some rolling average calculation. A code volume curve, which Geer calls MLOCs3 (millions of lines of code smoothed), is computed as the three-year moving average

9. Dan Geer, "The Physics of Digital Law," keynote address, CyberCrime and Digital Law Enforcement Conference, Information Society Project, Yale Law School, March 26, 2004. (Unpublished slides.)



319

• Code obfuscation and digital content protection
• Malicious code detection and analysis

Much work remains to be done in each of these areas, but some basic practical solutions are becoming available in the market.

Basic Science: Open Research Areas

Most security researchers agree that we have a pressing problem. In "A Call to Action: Look Beyond the Horizon," Jeannette Wing includes "software design and security" as one of three critical areas to tackle if security research is to make progress [Wing 2003]. In "From the Ground Up: The DIMACS Software Security Workshop," I introduce the software security problem, discuss trends that demonstrate the problem's growth, and introduce the philosophy of proactively attacking the problem at the architectural level [McGraw 2003].

Much work remains to be done in software security, some of it basic and practical (e.g., working software security into the standard software development lifecycle as described by the touchpoints) and some of it far beyond current capabilities (e.g., automated analysis of software architecture for security flaw(s)). Scientists and researchers from academic and commercial labs are working on some of the more difficult problems. The National Science Foundation suggests that the following eleven open questions be used as drivers for research.

1. How to avoid building security flaws and security bugs into programs
2. How to know when a system has been compromised
3. How to design systems that can tolerate attack and carry out the intended mission
4. How to design systems with security that can be reasonably managed
5. How to provide reasonable protection of intellectual property
6. How to support privacy enforcement technically
7. How to get trustworthy computations from untrusted platforms
8. How to prevent/withstand denial-of-service attacks
9. How to quantify security tradeoffs
10. How to [...] security system assumptions [...] designs
11. How to build programs and systems and know exactly what they will do and what they are doing



Kumbaya (for Software Security) 227

Without explicitly taking this on, a security analysis will fall short in the "Who cares" department. Questions of cost to the parent organization sponsoring the software are considered relative to the project. This cost is understood in terms of both direct cost (think liability, lost productivity, and rework) as well as in terms of indirect cost (think reputation and brand damage).

The most important people to consult when assessing software-induced business risks are the business stakeholders behind the software. In organizations that already practice business-level technology analysis, that fact tends to be quite well understood. The problem is that in a majority of these organizations, technology assessment of the business situation stops well before the level of software. A standard approach can be enhanced with the addition of a few simple questions: What do the people causing the software to be built think about security? What do they expect? What are they trying to accomplish that might be thwarted by successful attack? What worries them about security?

The value that information security professionals can bring to answering these questions comes from a wealth of first hand experience seeing security impact when similar business applications were compromised. That puts them in a good position to answer other security-related questions:

• What sorts of costs have similar companies incurred from attacks? How much downtime was involved?
• What was the resulting publicity in each case? In what ways was the organization's reputation tarnished?

Infosec people are in a good position to provide input and flesh out a conversation with relevant stories. Here again, great care should be taken to not overstate facts. When citing incidents at other organizations, be prepared to back up your claims with news reports and other third-party documentation.

• Design: Architectural Risk Analysis

Like the business risk analysis just described, architectural risk analysis assesses the technical security exposures in an application's proposed design and links these to business impact. Starting with a high-level depiction of the design, each module, interface, interaction, and so on is considered against known attack methodologies and their likelihood of success (see Chapter 5). Architectural risk analyses are often usefully applied against individual subcomponents of a design as well as on the design as a whole. This provides a forest-level view of a software system's security posture. Attention to holistic aspects of security is paramount as at least 50% of security defects are architectural in nature.



92 Chapter 3 Introduction to Software Security Touchpoints

[Figure 3-2: bar chart titled "Cost of Fixing Defects at Each Stage of Software Development"; vertical axis from $0 to $15,000 in $3,000 steps; bars for Requirements, Design, Coding, Testing, and Maintenance.]

Figure 3-2 Data from Barry Boehm's work showing how much cheaper it is to fix a defect early in the lifecycle. Use this chart to convince management of the importance of starting early. Source: TRW

probably better than doing nothing. But when these late lifecycle methods find problems in your software, what are you going to do? This reactive strategy (which is really a kind of penetrate-and-patch approach) may well work OK when the fix involves something operational or [...] in nature such as installing a better operating system, changing firewall rules, or otherwise t[...] an operational environment. But a reactive approach doesn't work so well when the problems are deep in the software itself (which is, frankly, where most of the core problems are). The state of the practice, "penetration testing first," is not very clever.

One caveat is in order: penetration testing can be very effective in lighting the security fire. That is, in a skeptical organization that thinks it is doing everything right from a security perspective, there is nothing quite as powerful as a working, demo-able remote exploit to scare the heck out of people. Use this approach with great care.

Actually, there is one strategy worse than "penetration testing first" and that is the "panic when attacked" approach. Large numbers of organizations are so far behind in computer security that they don't even realize what trouble they're in until it's way too late. If you're reading this book, you're not likely in that boat.



Contents

13 Annotated Bibliography and References 299
    Annotated Bibliography: An Emerging Literature 299
    Required Reading: The Top Five 299
    References Cited in Software Security: Building Security In 300
    Government and Standards Publications Cited 372
    Other Important References 313
    Software Security Puzzle Pieces 318
    Basic Science: Open Research Areas 319

Appendices 321

A Fortify Source Code Analysis Suite Tutorial 323
    1. Introducing the Audit Workbench 324
    2. Auditing Source Code Manually 326
    3. Ensuring a Working Build Environment 328
    4. Running the Source Code Analysis Engine 329
    5. Exploring the Basic SCA Engine Command Line Arguments 332
    6. Understanding Raw Analysis Results 333
    7. Integrating with an Automated Build Process 335
    8. Using the Audit Workbench 339
    9. Auditing Open Source Applications 342

B ITS4 Rules 345

C An Exercise in Risk Analysis: Smurfware 385
    SmurfWare SmurfScanner Risk Assessment Case Study 385
    SmurfWare SmurfScanner Design for Security 390

Glossary 393

Index 395