Improving Software Security at the. Source

Transcription

1 Improving Software Security at the Source Greg Snyder Privacy & Security RIT January 28, 2006

2 Abstract While computer security has become a major focus of information technology professionals due to patching and networking, a major source of computer security issues has been consistently overlooked. The software development lifecycle needs to be analyzed to determine what is allowing flawed software to be produced, and can anything be done to fix it. With the internet connecting millions of individuals together the storing, processing, and transfer of information has become more rapid than ever. However, these great benefits also have a darker side to them when information is stolen, corrupted, or erased. Current Computer Security Current computer security is based on three goals: confidentiality, integrity, and availability (confidentiality, integrity, availability). Confidentiality refers to allowing only authorized users to access information and preventing unauthorized users from accessing it. Currently confidentiality is based on verification through something you know, something you are, or something you have (Cieslak). Something you know is a password, pin number, or something similar. Something you are is biometric identification, such as your finger prints or an iris scan. Something you have is a key or an access card. Currently software mainly relies on passwords, something you know, however there has been a move towards biometrics, something you are. However, these systems generally

3 run in parallel instead of a two tired verification. Integrity refers to the reliability of the information, if the information has been tainted all extrapolations from it are invalid. Availability is the act of being able to access the information itself. If a companies website is experiencing a denial of service attack your websites availability to your customers has been compromised. In order to combat this, on the second Tuesday of every month system administrator s panic and work long hours interrupting coworkers and costing them valuable hours of productivity. Patch Tuesday, as it has become known, is when Microsoft releases the latest patches to fix yet another critical software flaw. However, it s unfair to single out Microsoft when there is a slew of software from companies with names such as 3Com, Adobe, AOL, Apple, AT&T, and Cisco, just name a small number, have had critical software security flaws (United States Computer Emergency Readiness Team). The solution to maintaining confidentiality, integrity, and availability has been to patch the software when vulnerability is known to exist; however there is still be a time period before the software is patched when it is vulnerable. When this flawed software is connected to the internet it becomes accessible to millions of individuals dramatically increasing the chances that someone will try to exploit a bug. The problem of the internet exposing software was met with the solution of firewalls which don t block all attacks, so intrusion detection systems were deployed but some attacks can get around those also (McAfee). This results in

4 a constant cycle of penetrating attacks and patching. All of these systems are reactionary to problems as they arise and don t address the real issue. The Problem Over fifty percent of exploits in the CERT vulnerability database are buffer overflows (MacAfee). A buffer overflow is an anomalous condition where a process attempts to store more data in a buffer than there is memory allocated for it, causing the extra data to overwrite adjacent memory locations. The overwritten data may include other buffers, variables and program flow data (Wikipedia Buffer Overflow). To exploit this flaw a malicious user will overwrite a variable to change the behavior of a program, or overwriting a return address on the stack so it points to code the attacker wants to execute (Wikipedia Buffer Overflow). There are four major reasons why the buffer overflow is so dangerous: buffer overflows are easy to exploit, unchecked buffers are extremely common, many buffer overflow exploits give administrator level access to the machine, and current security measures are ineffective against buffer overflows (McAfee). Many programming languages raise exceptions to a buffer overflow, however the most popular C and C++ languages do no protect against it (Wikipedia Buffer Overflow). The simple solution to prevent buffer overflows is with bounds checking, which the complier can accomplish depending on the language or the programmer can add code to do it.

5 So a majority of computer security problems can be traced back to errors in programming. The reason these errors occur is because software of the complexity of software with numerous programmers all contributing code to a project, and now some code is being computer generated (Usher). Also, it doesn t just have to be mistakes that result in security flaws, poor quality leads to security problems just as the unplanned use of well-coded features can (Usher). Bruce Schneier and Adam Shostack sum up the problem of the relationship with security, complexity is the worst enemy of security, and systems that are loaded with features, capabilities, and options are much less secure than simple systems do a few things reliably, (Schneier). To remain competitive software manufactures are releasing software in the bleeding-edge phase in which products are less reliable (Suppa). To summarize, a majority of software flaws occur due to poor quality programming, unnecessary complexity, and the constant push for bleeding edge products. Software Development With so many flaws due resulting from development, there are a number of steps that need to be addressed to lower the number of flaws in programs. One step is to take a security oriented approach to the software development life cycle. At section 3.1 phase one a preliminary threat and risk assessment should be performed along with identifying the security requirements based on the three goals of confidentiality, integrity, and availability (Gupta). One of the

6 considerations that also should take place in phase one is the regulatory environment, it should be determined laws such as HIPAA need to be taken into consideration (Gupta). At section 3.2 phase two, the architecture and design phase, analysis for risks, threats, and vulnerabilities should be done and planning for mitigating these issues (Gupta). This is a very important phase, generally most projects fall behind schedule and to make up time considerations of security is sacrificed. Sufficient resources must be given to ensure that security is implemented in the software development life cycle (Gupta). At section 3.3 phase three; software coding, coding and code submission practices should be strictly followed. This section includes unit testing the code and conducting unit tests on the code. As mentioned previously, many software projects fall behind schedule and important steps such as unit testing and code reviews are dropped to meet deadlines that were optimistically set. Luckily there are a number of software tools to expedite testing. PScan is a C scanner that will find buffer overflow and format string attack exploits (La). Flawfinder is another C scanner that uses an internal database and can find the same errors as PScan along with a few others such as race conditions and system calls (La). The Rough Auditing Tool for Security can scan C, C++, Perl, PHP, and Python and looks for common buffer overflows and race conditions and generates HTML reports (La). Splint is another C scanner like the others, but it also checks for coding mistakes, style mistakes, undeclared variables, proper return statements, and missing arguments (La). ESC/Java is a Java scanner and searches for errors at compile time such as null dereferences, has modular checking techniques, and can scan

7 libraries with no subclasses defined (La). Finally, MOPS is a C scanner that enforces the sequence of operations, for example root should drop its privilege before executing an un-trusted program (La). At section 3.4 phase four, test and verification, vulnerability and threat testing should be done to try and find any flaws that were not previously found (Gupta). While checking that the software meets the customer s requirements the mitigation techniques that were implemented should also be thoroughly tested to ensure they did not cause any unknown flaws (Gupta). Finally, at section 3.5 phase five, the deployment and maintenance phase, continuing identification of any security issues should be done with corrections to those issues (Gupta). This is the classic patch cycle referred to earlier, however it is impossible to ship a software system that is completely secure (Gupta). The security oriented approach to the software development life cycle results in a dramatic decrease in the number of bugs in the software that can be exploited, yet there will always be bugs. Another way that security can be increased in development is by combining the extreme programming process and the capability maturity model. The capability maturity model outlines what to do to create quality software, and the extreme programming process tells developers how to do it (Usher). While many view a security oriented approach to software development to be costly and time consuming the resultant higher quality program will result in a satisfied consumer and cost savings for the developer in not having to release as many patches. In summarization the existing software development models do not need to be

8 changed, a more security oriented approach to the current processes can accomplish it. Other Considerations One major risk to the security oriented approach to software development is the issue of outsourcing. Outsourcing is defined as, the delegation of non-core operations or jobs from internal production within a business to an external entity (such as a subcontractor) that specializes in that operation, (Wikipedia Outsourcing). One reason outsourcing is such a risk it the loss of control, you are handing control of development to another company (Ramer). Another issue with the loss of control is that testing is done to ensure the delivered product meets requirements, however rarely is the code inspected for secret back doors or other built in security vulnerabilities (Ramer). Another issue with outsourcing is clashing security policies and procedures (Ramer). Another company s policies and procedures are unlikely to be the same, and ensuring that the ones followed by your company are followed by another company can only be confirmed through constant audits (Ramer). A third threat involving outsourcing is to intellectual property, you are sharing sensitive information about your company with another company (Ramer). Many secondary companies also may perform work for a direct competitor and accidental or even deliberate sharing of information may possibly occur, the risk of this must be taken into consideration when considering outsourcing. The final security problems with outsourcing are

9 legal issues, with companies in other states or even countries different laws apply (Ramer). When considering outsourcing companies should understand that they will not be able to obtain the level of security that they can internally, but they can define what security should be followed in the requirements and check that they are being met by audits. Conclusion With computer security being a major issue of the modern world some easy steps can be taken to cut down on the number of vulnerabilities. Making security a key priority in the development of software will cut down on a significant number of flaws that can be found in software. However, there will always be flaws in software and the cycle of patching, but to lesson the volume at which it happens would be a significant gain. It is not an easy path to follow, more time needs to be given for projects, and cost cutting techniques such as outsourcing need to be reevaluated to see if their short term benefit outweighs the long term benefit of better quality software. While preventing flaws from occurring at the source will help, software security will continue to be a significant issue in the coming years.

10 Bibliography Cieslak, David M. Why authentication technology can help your business. Microsoft. 22 Jan < ntication_technology_can_help_your_business.mspx>. confidentiality, integrity, availability (confidentiality, integrity, availability). University of Miami Ethics Programs Privacy / Data Protection Project. 11 May 2005 < bility.htm>. Gupta, Sandeep. A Proactive Approach Toinformation Security. SANS. 24 July La, Thien. Secure Software Development and Code Analysis Tools. SANS. 30 Sept < MacAfee. Server Protection for Today and Tomorrow. Dec < ontodaytomorrow.pdf>.

11 Ramer, Rob. The Security Challenges of Offshore Development. SANS. 26 Sept < Schneier, Bruca and Shostack, Adam. Results, Not Resolutions, A guide to judging Microsoft s security progress. 24 Jan < Suppa, Carly. Computer theft hits CCRA. Computer World Canada 17 October 2003 (2003): 1, 3. United States. Computer Emergency Readiness Team. Vulnerability Notes Database. 22 Jan < Usher, Robert W. Improving Software Security During Development. SANS. 26 March 2002 < Wikipedia. Outsourcing. 22 Jan < Wikipedia. Buffer overflow. 22 Jan <