system security beyond the libraries

51
Security Beyond the Libraries Eoin Woods Endava [email protected] / @eoinwoodz

Upload: eoin-woods

Post on 20-Feb-2017

183 views

Category:

Software


1 download

TRANSCRIPT

Page 1: System Security Beyond the Libraries

Security Beyond the Libraries

Eoin [email protected] / @eoinwoodz

Page 2: System Security Beyond the Libraries

Introduction

2

Page 3: System Security Beyond the Libraries

Introduction

• Security is a difficult thing to achieve• becoming more important all the time

• Development teams often start with technologies• “SSL” “Spring Security” “SSO” “Roles” “OAuth”• “FindBugs” “FxCop” “Fortify” “Tripwire”

• This is completely the wrong way around• need to understand your risks before finding solutions• technology is only part of the solution

• In this talk we discuss how to base security on risks

3

Page 4: System Security Beyond the Libraries

Caveats

• This talk is introductory in nature• some things aren’t talked about at all• some things are just introduced

• Talk is for system developers not security engineers• there are many subtleties that are skipped over• some things are simplified to their essentials• you still probably need a security specialist

• Don’t talk much technologies or coding practice• these fundamentals need to be in place first

4

Page 5: System Security Beyond the Libraries

Introducing Security

5

Page 6: System Security Beyond the Libraries

The Need for Security

• We need systems that are dependable in spite of• Malice• Error and• Mischance

• People are sometimes bad, stupid or just unlucky• System security attempts to mitigate these situations

• Anything of value may attract unwelcome attention• Theft, Fraud, Destruction, Disruption

6

Page 7: System Security Beyond the Libraries

The Need for Security

• Why do we care about these factors?• Each of them implies a loss of some sort• Time• Money• Privacy• Reputation• Advantage

7

Page 8: System Security Beyond the Libraries

What is Security?

• Security is the business of managing risks• Security is a type of insurance • Balances cost and effort against risk of loss

• Some basic terminology• resources - things of value that (may) need protection• actors - people (“entities”) interacting with the system• policies - the rules to control access to the resources• threats - the reason that the rules may be broken

8

Page 9: System Security Beyond the Libraries

What is Security?

• Security is multi-dimensional• People

• Users, administrators, security experts (and … attackers)• Process

• Design, operation, control, monitoring, …• Technology

• What to apply, how to use it, how to integrate it

Security is not a product -- it's a process Bruce Schneier

You’re only as strong as your weakest link!9

Page 10: System Security Beyond the Libraries

Risks, Threats and Attacks

• Vulnerability = a weakness in a security mechanism• Threat = Vulnerability + Attacker + Motivation• Attack = when the attacker puts a plan into action• Risk = threat x likelihood x impact

10

Source: OWASP

Page 11: System Security Beyond the Libraries

Key Security Requirements

• Confidentiality (or Privacy)• Prevent unauthorised access to information

• Integrity• Prevent tampering or destruction

• Availability• Prevent disruption to users of systems

• Accountability (or “non-repudiation”)• Know who does what, when

11

Page 12: System Security Beyond the Libraries

Securing Systems

12

Page 13: System Security Beyond the Libraries

Validate

Securing a System

Understand

Analyse

Mitigate

Model the System Investigate the Environment

Resources & Policy Threat Modelling

Minimise Attack Surface

Security Countermeasures

Security Reviews Security Testing

Page 14: System Security Beyond the Libraries

Modelling the System and EnvironmentUnderstand

System Context

System Architecture

Page 15: System Security Beyond the Libraries

Resources - Identify Value

• What is valuable is often self-evident• client information … damaging if lost• what is of value for an external attacker?• configuration files … reveal network topologies

• Operations as well as data• viewing a payment might be fine

… releasing a payment is another question!

• May require fine-grained consideration• HR data - work phone numbers vs home address

15

Analyse

Page 16: System Security Beyond the Libraries

Policy - Define the Required Controls

• Security policy is a security specification• controls and guarantees needed in the system• WHO will use the system? (principals)• WHAT will they work on? (resource types)• and WHAT may they do? (actions on resources)

16

Analyse

Page 17: System Security Beyond the Libraries

Security Policy

Clients Orders Refunds <= £100

Refunds > £100

Onshore Service Agents

Create, View,Modify

(Un)SuspendAll Create, View,

Authorise View

Offshore Service Agents

View, (Un)Suspend View, Cancel View View

Supervisors All All All Create, View, Cancel

Finance View View View, Authorise All

Analyse

Page 18: System Security Beyond the Libraries

Threat Modelling

• Threat is a possible breach in security policy• System/process/people may (will) have vulnerabilities• Attackers have motivation and goals• Threat is an attacker exploiting a vulnerability

• Identifying threats is a key part of security design• threats are where you focus your security effort• threat modelling is the key activity

18

Analyse

Page 19: System Security Beyond the Libraries

Threat Modelling

A procedure for optimizing security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system — OWASP

• Identify the real risks to focus security effort• A technique all developers should be familiar with

19

Analyse

Page 20: System Security Beyond the Libraries

Threat Modelling

• Who might attack your system?• What is their goal?• Which vulnerabilities might they exploit?

20

AliceBob

EveAttacker: opportunist insiderGoal: secret document Vulnerability: unprotected key

Analyse

Page 21: System Security Beyond the Libraries

Finding Threats - STRIDE

Spoofing Pretending to be someone that you’re not

Tampering Changing information you shouldn’t

Repudiation Being able to deny performing an action

Information Disclosure Getting access to information illicitly

Denial of Service Preventing a service being offered

Elevation of Privilege Gaining privileges you shouldn’t have

Analyse

Page 22: System Security Beyond the Libraries

Capture Threat ModelAnalyse

ID 25 26

Threat Type Tampering Spoofing

Component WebUI WebUI

Threat Javascript tampering in browser, altering order data

WebUI user spoofing session ID for other user account

MitigationOPR-5543 - Add validation and unit tests for incoming order

OPR-5547 - Regenerate session ID and recheck on every request

Page 23: System Security Beyond the Libraries

Exploring Attacks - The Attack Tree

Attacker: Professional hackerGoal: Obtain customer credit card detailsAttack: Extract details from the system database.

1. Access the database directly1.1. Crack/guess database passwords1.2. Crack/guess OS passwords to bypass db security1.3. Exploit a known vulnerability in the database software

2. Access the details via a DBA2.1. Bribe a database administrator (DBA)2.2. Social engineering to trick DBA into revealing details

3. …

23

Analyse

Page 24: System Security Beyond the Libraries

Comparing Threats - DREAD Model

• Risk = Damage (1..10) + Reproducibility (1..10) + Exploitability (1..10) + Affected Users (1..10) + Discoverability (1..10)

• Sum values and divide by 5 for the DREAD ratinghttps://www.owasp.org/index.php/Threat_Risk_Modeling

• Can be criticised for lack of consistency• Still a useful process - but sanity check results

24

Analyse

Page 25: System Security Beyond the Libraries

DREAD Model Example

• Suppose a threat where …• damage limited to individual users => 5/10• is reproducible with a browser => 10/10• needs malware for the exploit => 5/10• affects many but not all users => 5/10• and can be discovered easily => 10/10

• DREAD value = (5+10+5+5+10)/5 = 7/10

a useful process … but thinking is still required!

25

Analyse

Page 26: System Security Beyond the Libraries

Libraries for Known Problems

• OWASP Top 10 list• https://www.owasp.org/index.php/

Category:OWASP_Top_Ten_Project

• WASC threat classification• http://projects.webappsec.org/f/WASC-TC-v2_0.pdf

• Mitre’s CAPEC & CWE• Common Attack Pattern Enumeration & Classification• Common Weaknesses Enumeration

26

Analyse

Page 27: System Security Beyond the Libraries

Security Abuse Cases

User Logs In

Search Catalogue

Order ItemsCustomer Attacker

Steal Auth Token

Spoof Authorisation

«threatens»

«threatens»

«depends»

Analyse

Page 28: System Security Beyond the Libraries

Abuse Case Example

Abuse Case: Spoofing Authorisation via Valid Authentication

Threat: The misuser steals an authorisation token and attempts to use it via a valid (other) authenticated identity

Preconditions:1) The misuser has a valid means of user authentication (e.g. username/password). 2) The misuser has a stolen user authorisation token.

Actions:

1. The system shall request the user’s identity and authentication. 2. The misuser authenticates himself correctly. 3. The system shall identify and authenticate the user. 4. The misuser attempts to authorise using the stolen token. 5. The system rejects the authorisation attempt, audits the event,

terminates the session and locks the user account.

Postconditions:1. The system shall have identified and authenticated the misuser 2. The system shall have prevented the misuser from stealing

another user’s means of authorisation.

Analyse

Page 29: System Security Beyond the Libraries

Minimise the Attack Surface

• The attack surface is the set of potentially vulnerable ways into the system (“attack vectors”)• smaller attack surface = less to attack and secure

• OWASP definition:• all channels into and out of the system• the code securing those channels• data of value within the application (security & domain)• the code securing this data

• Reduce interfaces, protocols, services, …• conflict with other goals!

29

Mitigate

Page 30: System Security Beyond the Libraries

Security Countermeasures

• Once risks prioritised then implement mitigations• Some are well known and relatively straightforward• e.g. use of role based access control

• Some are more complex but well known• e.g. XSS or SQL injection require input validation

• Some need custom solutions• e.g. attacks based on organisation structure

• Remember people, process and technology!

30

Mitigate

Page 31: System Security Beyond the Libraries

Incident Response

• Despite security a system may breached• Need a plan for what you do when it happens• an incident response plan• a standing incident response team

• Broader than technical mitigation• technical, management, legal & communications

• A plan allowing a clear, logical, risk driven response• analysis, mitigation, evidence, communication, lessons

• Practice your response31

Mitigate

Page 32: System Security Beyond the Libraries

Secure Implementation

• Secure design is useless if implemented insecurely• secure implementation outside the scope of this talk

• Secure implementation can be complicated• requires knowledge and care• relatively specialist today

• Static analysis and expert code review• FxCop, FindBugs, CodeAnalysis, Coverity, Fortify, …• OWASP code review guidelines• Oracle Java security guidelines

32

Mitigate

Page 33: System Security Beyond the Libraries

Top Application Security Coding Errors

• Not thoroughly validating input• Injection attack vulnerabilities• Insecure randomness• Using custom cryptography• Insecure logging• Careless exception handling• Lack of security testing

33

… this topic needs another session

Mitigate

Page 34: System Security Beyond the Libraries

Testing and Verification

• As a software quality security needs to be tested• security testing largely outside the scope of this talk

• Wide range of security validation activities:• static analysis of code• functional testing of security features• penetration / known vulnerability / fuzz testing• manual system security review• threat mitigation tests

• Risk driven approach needed to maximise RoI• Consider third party assistance

34

Validate

Page 35: System Security Beyond the Libraries

Summary

35

Page 36: System Security Beyond the Libraries

Summary

• We’ve looked how to improve system security• we need to be risk and principle driven

• Security requires: People, Process and Technology• the weakest of the three is your security level

• Security needs to be designed in• its very difficult and expensive to add later

• Be guided by risks not security technologies• threat risk models (STRIDE and DREAD); attack trees

• Get the experts involved for significant risks• and never invent your own security technology!

36

Page 37: System Security Beyond the Libraries

Summary (ii)

Never stop asking “why?” and “what if?” critically important info sec questions!

37

Page 38: System Security Beyond the Libraries

Resources

• OWASP - http://www.owasp.org• Top 10, cookbooks, guides, sample apps, tutorials, …

• Microsoft SDL - http://www.microsoft.com/security/sdl• complete security development lifecycle with resources

• Elevation of Privilege game- http://tinyurl.com/eopgame• card game which helps to explain and drive threat modelling

• Trike - http://www.octotrike.org• alternative threat modelling approach

• CAPEC, CWE - http://{capec,cwe}.mitre.org• threat and vulnerability lists

38

Page 39: System Security Beyond the Libraries

Resources

• CPNI - http://www.cpni.gov.uk• UK government support for cyber security

• US Government CERT - https://www.us-cert.gov• CMU’s CERT - http://cert.org

• vulnerability monitoring and alerting

• WASC - http://www.webappsec.org• similar organisation to OWASP

• SANS Institute - http://www.sans.org• security research and education

39

Page 40: System Security Beyond the Libraries

Books

Page 41: System Security Beyond the Libraries

Eoin [email protected]

www.eoinwoods.info @eoinwoodz

Questions?

Page 42: System Security Beyond the Libraries

Appendix: Overview of Security Mechanisms

42

Page 43: System Security Beyond the Libraries

Security Mechanisms and Attacks

• This talk is for system designers, not security specialists

• Understanding mechanisms and attacks is hard• people who like this sort of thing are security

engineers!

• This section overviews key mechanisms and some of the more important types of attack• this isn’t a detailed explanation of any of this• make sure you consult a security expert when needed• this is useful to understand the basics and the

43

Page 44: System Security Beyond the Libraries

Partial Summary of Security Mechanisms

Authentication (“Who are you?)

Usernames & passwords, 2FA, biometrics, certificates, …

Authorisation (“What can you do?”)

Roles, access control lists, OAuth, permissions, …

Confidentiality(“Keeping stuff secret”) Encryption, access control lists, …

Integrity(“Stop tampering”) Cryptographic hashing, checksums, …

Non-Repudiation(“You did that”) Cryptographic signing, audit trails, …

Auditing(“What happened, when?”) Secure record of who did what, when

Page 45: System Security Beyond the Libraries

Cryptography and its Uses

• Cryptography: the process of keeping information private (typically) using a cypher and a key

• Two broad subfields:• Symmetric Key - the same key to encrypt and decrypt• Public Key - a pair of keys one to encrypt one to

decrypt• Often used together for real applications

• Applications of cryptography: privacy (encryption), integrity (signing) and non-repudiation (signing)

• Difficulties with cryptography include designing 45

Page 46: System Security Beyond the Libraries

Basic Symmetric Key Cryptography

Alice Bob

Encrypt Decrypt

Page 47: System Security Beyond the Libraries

Basic Public Key Cryptography

Alice Bob

Bob’s public key

Encrypt

Bob’sprivate

key

Decrypt

Bob’s keypair

Page 48: System Security Beyond the Libraries

Comparing Symmetric and Public Key

48

Symmetric Key Public Key

Single shared key A keypair needs to be generated with public and private key

Single key needs to be shared securely

Private key is kept secret, public key can be freely shared

Efficient computationally Really slow (~100s times slower)

Classic attack is stealing keys Classic attack is forging public keys, so faking identity

Big challenge is passing keys around Big challenge is chains of trust so you know keys (certs) are valid

Page 49: System Security Beyond the Libraries

Example of Crypto in Practice: Key Exchange

Client ServerClient Hello

(“Hello - here are the options I know about ….”)

Server Hello(“OK - here are the options we’ll use ….”)

Server Certificate(“Here is my certificate (public key) ….”)

Client Key Exchange(“Here is a symmetric key” encrypted with server public key)

Data Exchange(encrypted with symmetric key)

Page 50: System Security Beyond the Libraries

Hashing and Signing

Alice

Bob

Hashing

private key

keypair

hash

SigningVerification

public key

Page 51: System Security Beyond the Libraries

Summary of Common Attacks

Social Engineering(Attack the people) Bluffing, bribery, coercion, …

Network Attacks (Protocol exploits) SYN floods, DDoS, DNS attacks, …

Application Attacks(Flaws and bugs)

XSS, SQL injection, corrupted input (fuzz), DLL attacks, CGI/SSI attacks …

Programming Attacks(Abuse of a language)

Stack overflows, buffer overflows, known bugs in libraries, …

Crypto Attacks(Algorithms or design)

Known plain/cipher text, randomness, cert forgery, man in the middle, traffic analysis…