1
Vulnerability Reporting, Analysis and Remediation
By Abhishek Sharma
11/6/2008 Prof. Dr. Norbert Pohlmann
2
Outline
Motivation
Definition
Overview
Reporting
Analysis
Remediation
Statistics
Future work
3
Motivation
Buyers have no way of ascertaining that a particular vendor’s software is secure
Expectations and demands of customers for more trustworthy systems
Security testing techniques for software are still immature and collectively represent an incomplete patchwork of coverage of all security issues that need to be tested for
4
Definition
"Vulnerability is any computer-related vulnerability, exposure, or configuration setting that may result in a weakening or breakdown of the confidentiality, integrity, or accessibility of the computing system." [1]
IBM Internet Security Systems (ISS)
5
Overview
A standardized system is followed for reporting vulnerabilities
Centralized identification of vulnerabilities by a third party
Update vulnerability knowledge base
Improvements in SDLC
Deploy patches
6
Reporting
Need for reporting?
The Dangerous Silent Fix
7
Q) When is a vulnerability unforgivable?
Ans:
Precedence
Documentation
Obviousness
Attack simplicity
Found in five
Possible causes:
Tendency to get a working version ready – fast deployment
Lack of developer knowledge
Introduced by a developer in the collaboration phase and overlooked in the integration phase, e.g. off-shoring and outsourcing
8
Candidates for unforgivable vulnerabilities
1) Buffer overflow using long strings of “A” characters in:
   a. username/password during authentication
   b. file or directory name
   c. arguments to most common features of the product or product class
2) XSS using well-formed SCRIPT tags, especially in the:
   a. username/password of an authentication routine
   b. body, subject, title, or to/from of a message
3) SQL injection using ' in the:
   a. username/password of an authentication routine
   b. “id” or other identifier field
   c. numeric field
4) Remote file inclusion from direct input such as:
   a. include($_GET['dir'] . "/config.inc");
9
Candidates for unforgivable vulnerabilities
5) Directory traversal using "../.." or "/a/b/c" in “GET” or “SEND” commands of frequently-used file sharing functionality, e.g. a GET in a web/FTP server, or a send-file command in a chat client
6) World-writable critical files:
   a. Executables
   b. Libraries
7) Direct requests of administrator scripts
8) Grow-your-own crypto
9) Authentication bypass using "authenticated=1" cookie/form field
10) Turtle race condition - symlink
11) Privilege escalation launching "help" (Windows)
12) Hard-coded or undocumented account/password
13) Unchecked length/width/height/size values passed to malloc()/calloc()
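Item 13 above, shown in C as an added example that is not from the slides: a header-driven allocation size computed in 32-bit arithmetic beside a hardened version that bounds the dimensions and checks every multiplication for overflow before calloc(). The img_hdr struct, the MAX_DIM/MAX_BPP limits and the sample headers are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
struct img_hdr { uint32_t width; uint32_t height; uint32_t bpp; }; /* constructed untrusted header */

/* Assumed policy limits (not from the slides): 32768 px per side, 16 bytes per pixel. */
#define MAX_DIM 32768u
#define MAX_BPP 16u

/* Vulnerable pattern (item 13): the product is computed in 32-bit unsigned arithmetic and
 * wraps modulo 2^32 before malloc() sees it, so a huge header yields a tiny buffer. */
size_t unchecked_pixel_bytes(const struct img_hdr *h)
{
    return h->width * h->height * h->bpp;   /* wraps silently */
}

/* Hardened form: reject zero or oversized dimensions, then guard each multiplication
 * against size_t overflow. Returns 1 and sets *out on success, 0 to reject the header. */
int checked_pixel_bytes(const struct img_hdr *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 || h->bpp == 0) return 0;
    if (h->width > MAX_DIM || h->height > MAX_DIM || h->bpp > MAX_BPP) return 0;
    size_t n = h->width;
    if (n > SIZE_MAX / h->height) return 0;
    n *= h->height;
    if (n > SIZE_MAX / h->bpp) return 0;
    n *= h->bpp;
    *out = n;
    return 1;
}

/* Allocate the pixel buffer only for a header that passed the checks. */
unsigned char *alloc_pixels(const struct img_hdr *h, size_t *len)
{
    if (!checked_pixel_bytes(h, len)) return NULL;
    return calloc(*len, 1);   /* zeroed; size already validated */
}

int main(void)
{
    struct img_hdr bad = { 0x10001u, 0x10000u, 1 };   /* true size exceeds 4 GiB */
    struct img_hdr ok  = { 640, 480, 4 };
    size_t len = 0;
    printf("unchecked: %zu bytes (wrapped), accepted by checked: %d\n",
           unchecked_pixel_bytes(&bad), checked_pixel_bytes(&bad, &len));
    unsigned char *p = alloc_pixels(&ok, &len);
    printf("640x480x4 -> %zu bytes allocated\n", len);
    free(p);
    return 0;
}
```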
10
Analysis
6,437 vulnerabilities recorded in the X-Force Database in 2007
Not including site-specific vulnerabilities, Symantec documented 2,134 vulnerabilities in the second half of 2007, 13 percent less than the first half of 2007.
Seventy-three percent of vulnerabilities documented in this period were classified as easily exploitable, compared to 72 percent in the first half of 2007.
11
VAAL and Unforgivable Vulnerabilities
Low access constraints
Very high feature frequency
Very low novelty
Low manipulation complexity
Low level of effort
12
Remediation
Gather all relevant characteristics of the new vulnerability and create an alert
Determine software affected by the vulnerability
Make entry in database about severity and possible workarounds
Corrections completed by vendor in the form of updates/patches to remove vulnerability
Distribution of the fix
Identify insecure coding practices and develop secure alternatives
Reduce or eliminate vulnerabilities before deployment
13
Intrusions before and after patch releases
14
Statistics
"There are three kinds of lies: lies, damn lies, and statistics." Benjamin Disraeli
15
Vulnerability Disclosure Trend Statistics
16
High/Medium/Low Vulnerability Impact Breakdown [1]
17
Remote vs. Local Exploitation [1]
18
Consequences of Exploitation [1]
19
Windows based Web Browser Vulnerabilities [1]
20
Browser plug-in vulnerabilities [10]
21
Future work
Measuring relative attack surfaces [5][6][7]
Fuzz testing, e.g. Codenomicon DEFENSICS, s/w based [8], and Mu service analyzer, h/w based [9]
Vulnerability management, e.g. QualysGuard [11]
Vulnerabilities in open-source software [14]
Development of metrics for software assurance, e.g. VAAL-based metrics
22
References
[1] IBM Internet Security Systems, X-Force® 2007 Trend Statistics, January 2007
[2] Software Security Assurance State-of-the-Art Report (SOAR), July 2007
[3] Martin Boldt, Bengt Carlsson and Roy Martinsson, Software Vulnerability Assessment Version Extraction and Verification, 2007
[4] Steve Christey, The MITRE Corporation, Unforgivable Vulnerabilities, August 2007
[5] http://msdn.microsoft.com/library/default.asp?url=/library/enus/dncode/html/secure02132003.asp
[6] Michael Howard, Jon Pincus, and Jeannette M. Wing, Measuring Relative Attack Surfaces, October 2003
[7] Pratyusa Manadhata and Jeannette M. Wing, Measuring a System’s Attack Surface, Computer Science Department, Carnegie Mellon University, January 2004
[8] Jon Oltsik, ESG White Paper: Black Box Testing and Codenomicon DEFENSICS, April 2008
[9] http://www.mudynamics.com/products/overview.html
[10] Symantec Internet Security Threat Report, Trends for July–December 07, Volume XII, published April 2008
[11] The Need for Vulnerability Management, whitepaper, www.Qualys.com
[12] http://www.digitalbond.com/index.php/2007/09/17/the-dangerous-silent-fix/
[13] Ashish Arora, Rahul Telang, Hao Xu, Optimal Policy for Software Vulnerability Disclosure, H. John Heinz III School of Public Policy and Management, Carnegie Mellon University, July 2007
[14] Coverity Open Source Report 2008
23
Questions?