Transcript Watching Software Run pptx

Watching Software Run
Brian Chess Nov 18, 2009
Success is foreseeing failure.
– Henry Petroski
Static Analysis
Misconceptions Prevail
High priority
int main(int argc, char** argv) {
char buffer[10];
strcpy(buffer, argv[1]);
}
Low priority
int main(int argc, char** argv) {
char buffer[10];
strcpy(buffer, “test”);
}
Taint propagation
Trace potentially tainted data through the program
Report locations where an attacker could take advantage
of a vulnerable function or construct
buff = getInputFroNetwork();
copyBuffer( newBuff, buff );
exec( newBuff );
(command injection)
Many other approaches, no one right answer
A never-ending battle against bad code
• Format String attacks: known for 10+ years
printf(input);
• SQL Injection attacks: known for ? years
statement.execute(input);
The Stereotypes
• Static analysis
– Good: thorough
– Bad: too many results
• Testing
– Good: concrete results
– Bad: misses too many things
Security in the Development Lifecycle
A Lesson from Cryptography
Security is hard to measure
– Enemy has unknown capabilities
– Small mistakes can have big consequences
So how many of those static analysis results do
we have to fix?
Risk Management vs. Compliance
Risk Management
• Probabilistic framework for
allocating resources
Compliance
• Fulfill somebody else's
requirements
Compliance wins
Why isn't everyone a risk manager?
• Risks not widely understood
• People manage their own risk, not risk to the public
Compliance wins
What to comply with?
Breaking new ground
• Building Security In
Maturity Model
• Real data from real
initiatives
• McGraw, Chess, &
Migues
• http://bsi-mm.com
The nine
Two more unnamed financial services firms
A Software Security Framework
• Four domains
• Twelve practices
• An “archeology grid”
Ten things everybody does
• Activities that ALL do
– evangelist role
– policy
– awareness training
– history in training
– security features
– SSG does ARA
– code review tools
– black box tools
– external pen testing
– good network security
Average maturity over the nine
SM
CMVM
SE
PT
3
2.5
2
1.5
1
0.5
0
CP
T
AM
ST
SFD
CR
SR
AA
Average maturity over
the nine
Terminator
Success is foreseeing failure.
– Henry Petroski
Reactive Revisited
• A good idea: build security in
• Problem: software will still be vulnerable
• Solution: must compensate at runtime
Risk in a new endeavor
Risk
Market Risk
Security Risk
Time
2
0
Reactive Technology Today
• Protecting hosts and networks
– Firewalls
– Anti-virus
– Intrusion detection
• Protecting software
– Patching
– Web Application Firewall
– Language Level: Java Security Model
Patching
• Reaction time matters
• DON’T BREAK STUFF
• Microsoft has patched on Patch Tuesday for
30 months straight
• Patch flood means no one is ever fully patched
Web Application Firewalls (WAF)
• Sits on network, watches web requests
• Context problem
– What will the program do with this input?
• Good for collecting attacks
• Scaling problem
– Does go easily into the cloud
Java Security Model
• General access control mechanism
– Domains / domain change
– Privileges / privilege enforcement
• Built to
– Protect good Java from bad Java
– Protect a good computer from bad Java
• Nobody uses it
Return of the Reference Monitor
• Inline reference monitors (IRM)
• Aspect-oriented programming
• Watch interfaces between major components
– Report important events
– Enforce policy
Interface monitor architecture
<Rule>
VM
Target Program
Monitor
VM sees extensions as a
profiler or a debugger
Event
Program
Point
Event
Handlers
Action
<EventHandler>
Log
Syslog
Federation
Fortify 360 Server
Controller
VM
VM
VM
Static Analysis vs. Interface Monitors
Static Analysis
• Part of construction
• Must anticipate all
problems
• Locality important
• Performance not
important
Interface Monitors
• Part of deployment
• Must anticipate all
symptoms
• Locality not important
• Performance critically
important
DEMO
Better protection: SQL Injection
WAF protects
here
Target Program
Source of mal input
Database
We'll protect
here
Patching a privilege escalation
vulnerability
Unauthorized
request
Target Program
User Role
Source of mal input
We'll make the connection
Watching Software Run
Brian Chess Nov 18, 2009