P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\titulka.jpg
PA193 - Secure coding principles and practices
Defense in depth
•Petr Švenda svenda@fi.muni.cz
•
Based on slides by Zdeněk Říha

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
D:\Documents\Obrázky\is2\Plain-Blue-icon.png
What prevents malicious code on server?
| PA193 - Defense in depth
D:\Documents\Obrazky\is2\Home-Server-icon.png
Where would you attack?
Where is defense in depth applied?
How many layers are present?
Are these layers independent?
D:\Documents\Obrazky\question.png devil
Internet
Server
Malicious code
2
rm -rf

Malicious code execution on remote server
Firewall, antivirus, ADSL, DEP, filtering on
Many layers => is it perfect? (no)
How to bypass? Phishing

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Layers of defense
•Code/setup review
–Manual review, fuzzing, static/dynamic analysis, pentests… (prevention)
•Network level
–IDS, ISP filtering, firewall… (prevent reaching server)
•Host level
–User authentication, HTTPS… (limit attack surface)
–Antivirus, Sandboxing… (if attacker reach the application)
–ASLR, DEP… (if code is executed)
–Access rights (low-priority user)
–DMZ/Virtualization (if whole server is compromised)
–…
•
3
| PA193 - Defense in depth

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Defense in depth
•It is an general approach/concept/strategy
•You have to apply it in your concrete project
•You have to think as an attacker
–Then select appropriate defenses/measures
•Your need to be able to find your weakest point
–And make sure that the weakest point is strong enough
•
•This lecture will give you some hints
–
| PA193 - Defense in depth
4

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
ACKNOWLEDGEMENT
•Original slides made by Zdeněk Říha,
•existing and new mistakes responsibility of me
5
| PA193 - Defense in depth

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Defense in depth: Definition (Wikipedia)
•Non-IT: “defense in depth (also known as deep or elastic defense) is a military strategy; it seeks
to delay rather than prevent the advance of an attacker, buying time and causing additional
casualties by yielding space.”
•IT: “defense in depth is an information assurance concept in which multiple layers of security
controls (defense) are placed throughout an IT system. Its intent is to provide redundancy in the
event a security control fails or a vulnerability is exploited that can cover aspects of personnel,
procedural, technical and physical for the duration of the system's life cycle.”
| PA193 - Defense in depth
6

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Defense in depth – key features
•IT: “defense in depth is an information assurance concept in which multiple layers of security
controls (defense) are placed throughout an IT system. Its intent is to provide redundancy in the
event a security control fails or a vulnerability is exploited that can cover aspects of personnel,
procedural, technical and physical for the duration of the system's life cycle.”
•
7
| PA193 - Defense in depth

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Defense in depth – application code
•Code fails. We have to take it as a fact. All code has a nonzero likelihood of containing one or
more vulnerabilities
•You need to change your outlook from "my code is very good quality" to "though my code is the best
it can be with today's knowledge, it likely still has security defects.“
–Michael Howard, Attack Surface (MSDN)
| PA193 - Defense in depth
8

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Basic concepts
•Simplicity
–Keep it simple (stupid) principle - KISS
•Compartmentalization
–Principle of least privilege
–Minimize needed trust
•Expect failures
–Use more than one security mechanism (layered)
–Secure the weakest link, Fail securely
•Work in team
–Everyone can design defense he/she cannot breach
–Do not reinvent wheel, Code review, tools
| PA193 - Defense in depth
9

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
KISS principle
•Keep it as simple as possible
–KISS – Keep it Simple Stupid
–“Invented” in 1960s in aviation industry
•Simplicity
–Less things can go wrong
–Fewer possible inconsistencies
–Code is easier to understand
–When errors occur, they are easier to understand and fix
•Pay attention to interfaces and interactions
| PA193 - Defense in depth
10

KISS principle: “Keep It Simple, Silly” (often stronger pejoratives are substituted for “silly)
Simplicity refers to all dimensions: design, implementation, operation, interaction with other
components, even in specification. The toolkit philosophy of the UNIX system is excellent here;
each tool is designed and implemented to perform a single task. The tools are then put together.
This allows the checking of each component, and then their interfaces. It is conceptually much less
complex than examining the unit as a whole. The key, though, is to define all interfaces completely
(for example, environment variables and global variables as well as parameter lists).

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Keep It Simple
•Don’t add unnecessary features
–Additional functionality means more ways to attack
•Use simple algorithms that are easy to verify
–Premature optimizations
–‘Hacks’ in code makes it
•More difficult to understand
•More difficult to maintain
| PA193 - Defense in depth
11

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
FreeBSD-SA-11:08.telnetd
II.  Problem Description
When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.
III. Impact
An attacker who can connect to the telnetd daemon can execute arbitrary
code with the privileges of the daemon (which is usually the "root"
superuser).
IV.  Workaround
No workaround is available, but systems not running the telnet daemon
are not vulnerable.
| PA193 - Defense in depth
12

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Compartmentalization
•Divide system into modules
–Each module serves a specific purpose
–Different modules will have different access rights
–The access rights are related to activities
•Example application:
1.Need access to files
2.Reads user or network input
3.Execute privileged instructions (under root UID)
•Real example:
–Apache vs. suEXEC
–
| PA193 - Defense in depth
13

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
suEXEC - example
•User “Alice” has a website including some CGI scripts in her own public_html folder, which can be
accessed by http://server/~alice. •Bob now views Alice's webpage, which requires Apache to run one
of these CGI scripts. •Instead of running all scripts as “wwwrun”, the scripts in
/home/alice/public_html will be wrapped using suEXEC and run with Alice's user ID resulting in
higher security and eliminating the need to make the scripts readable and executable for all users
or everyone in the "wwwrun" group.
•
•
| PA193 - Defense in depth
14

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Least Privilege
•A subject should be given only those privileges necessary to complete its task
–Function, not identity, controls
–Rights added as needed and discarded after use (!)
•The original formulation from Jerome Saltzer
–“Every program and every privileged user of the system should operate using the least amount of
privilege necessary to complete the job.”
•Dynamic assignments of privileges was later discussed by Roger Needham and others
| PA193 - Defense in depth
15

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Least Privilege - example
•On UNIX-based systems binding a program to a port number <1024 requires root privilege.
–(Let’s ignore modern ‘capabilities’ at this moment)
•Many internet servers listening on well known ports (like webserver on port 80, mailserver on port
25 etc.) need to be run with root privilege.
•As soon as the port is bound the process should drop the root privilege as it is typically not
needed anymore.
•Many programs keep running with the root privileges.
–After a successful attack against the process the attacker receives the power of root
–“Sendmail” was well known for problems of this kind
•Visual Studio required Admin privileges for long time => developers were admins => programs were
requiring admin privileges to execute
| PA193 - Defense in depth
16

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Minimize needed trust
•Minimize trust relationships
•Clients, servers should not trust each other
–all can get hacked
–can be manipulated by users
•Trusted code should not call untrusted code
•Do not trust the input (!)
–Separate lecture on input validation will follow
•Do not trust the communication channel
–Use encryption, data authentication etc.
–Separate lecture on secure channel will follow
| PA193 - Defense in depth
17

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Example: Web security
•Web server + web client
•Simple HTML form (FORM,INPUT,TEXT,MAXLENGTH, …)
•Validity of fields checked by Javascript on clientside
MC900424790[1] MC900195258[1]
| PA193 - Defense in depth
18

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Example: Web security (2)
| PA193 - Defense in depth
19
•It is easy to avoid these checks
–Disable Javascript
–Send the “filled” form directly
–Tools (e.g. python request module)

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Example: Web security (3)
•The server cannot trust that the input received from the web browser will be correct with respect
to the limitations specified
–E.g. MAXLENGTH attribute of the INPUT fields
–E.g. values will be check by the Javascript functions
•It is easy to avoid these checks
–Disable Javascript
–Send the “filled” form directly
–Tools (e.g. python request module)
MC900424790[1]
MC900441338[1]
| PA193 - Defense in depth
20

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Fail defaults
•Blacklist vs. Whitelist
•Example: firewall
–Default action is to drop packets
–The administrator configures the firewall to allow only the packet types deemed acceptable though
•Example: input filtering
–E.g. HTML tags in blog posts
•
| PA193 - Defense in depth
21

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Example - Blacklisting of HTML tags
•E.g. blocking the tags
–‘applet’, ‘body’, ‘bgsound’, ‘base’, ‘basefont’, ‘embed’, ‘frame’, ‘frameset’, ‘head’, ‘html’,
‘id’, ‘iframe’, ‘ilayer’, ‘layer’, ‘link’, ‘meta’, ‘name’, ‘object’, ‘script’, ‘style’, ‘title’,
‘xml’
•A new version of HTML arrives (e.g. HTML5)
–New tags (like <audio>, <video>, …)
–New attributes (like formaction of <input>,…)
•Syntax errors
–How to recover from syntax errors
| PA193 - Defense in depth
22

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Fail-safe vs. Fail-secure
•Fail-safe means that a device will not endanger lives or properties when it fails
•Fail-secure means that access or data will not fall into the wrong hands in a failure
•Example - if a building catches fire:
–fail-safe systems would unlock doors to ensure quick escape and allow firefighters inside
–fail-secure would lock doors to prevent unauthorized access to the building
| PA193 - Defense in depth
23

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Failing securely (1)
•What’s wrong with the following code?
DWORD dwRet = IsAccessAllowed(...);
if (dwRet == ERROR_ACCESS_DENIED) {
  // Security check failed.
  // Inform user that access is denied.
} else {
  // Security check OK.
}
| PA193 - Defense in depth
24

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Failing securely (2)
•This is a more secure alternative
DWORD dwRet = IsAccessAllowed(...);
if (dwRet == NO_ERROR) {
  // Secure check OK.
  // Perform task.
} else {
  // Security check failed.
  // Inform user that access is denied.
}
DWORD dwRet=IsAccessAllowed(...);
if (dwRet == ERROR_ACCESS_DENIED) {
  // Security check failed.
  // Inform user that access is denied.
} else {
  // Security check OK.
}
| PA193 - Defense in depth
25

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
FreeBSD-SA-01:56
II.  Problem Description
The addition of a flawed check for a numeric result during reverse DNS
lookup causes tcp_wrappers to skip some of its sanity checking of DNS
results.  These sanity checks are only enabled by the 'PARANOID' ACL
option in the configuration file, and simply weaken the 'PARANOID'
host checks to the level of assurance provided by the regular host
ACLs.
III. Impact
An attacker that can influence the results of reverse DNS lookups can
bypass certain tcp_wrappers PARANOID ACL restrictions by impersonating
a trusted host.  Such an attacker would need to be able to spoof
reverse DNS lookups, or more simply the attacker may be the
administrator of the DNS zone including the IP address of the remote
host.
| PA193 - Defense in depth
26

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
FreeBSD-SA-01:56
•The patch that is fixing the bug:
http://ftp.sunet.se/pub/security/vendor/freebsd/patches/SA-01:56/tcp_wrappers.patch
--- contrib/tcp_wrappers/socket.c 2000/09/25 00:41:55 1.5
+++ contrib/tcp_wrappers/socket.c 2001/07/04 20:16:18 1.6
@@ -222,7 +222,7 @@
  hints.ai_family = sin->sa_family;
  hints.ai_socktype = SOCK_STREAM;
  hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
- if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) {
+ if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {
      freeaddrinfo(res0);
      tcpd_warn("host name/name mismatch: "
        "reverse lookup results in non-FQDN %s",
| PA193 - Defense in depth
27

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
FreeBSD-SA-11:09.pam_ssh
I.   Background
The PAM (Pluggable Authentication Modules) library provides a flexible framework for user
authentication and session setup / teardown.  It is used not only in the base system, but also by a
large number of third-party applications.
The base system includes a module named pam_ssh which, if enabled, allows users to authenticate
themselves by typing in the passphrase of one of the SSH private keys which are stored in encrypted
form in the their .ssh directory.  Authentication is considered successful if at least one of these
keys could be decrypted using the provided passphrase.
By default, the pam_ssh module rejects SSH private keys with no passphrase.  A "nullok" option
exists to allow these keys.
II.  Problem Description
The OpenSSL library call used to decrypt private keys ignores the passphrase argument if the key is
not encrypted.  Because the pam_ssh module only checks whether the passphrase provided by the user
is null, users with unencrypted SSH private keys may successfully
authenticate themselves by providing a dummy passphrase.
III. Impact
If the pam_ssh module is enabled, attackers may be able to gain access to user accounts which have
unencrypted SSH private keys.
| PA193 - Defense in depth
28

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Failing securely
•Do not expose system internals even in case of errors
–Stack traces
–Internal errors
–Paths
•
php-error image
| PA193 - Defense in depth
29

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Do not expose system internals in case of errors
WordPress database error:
[Table './serkey/posts' is marked as crashed and should be repaired]
SELECT MAX(id) FROM posts;
WordPress database error:
[Table './serkey/posts' is marked as crashed and should be repaired]
SELECT * FROM posts WHERE id IN ('');
| PA193 - Defense in depth
30

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Failing securely
•Many vulnerabilities are related to
–error handling,
–debugging,
–testing features,
–error messages.
•Make sure you handle errors
–Manual testing and review
–Static analysis for missing return values checks
–Fuzzing
31
| PA193 - Defense in depth

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Failing securely
•Errors as side-channel for an attacker
–Analysis of system behavior (probing)
–Padding oracle attack (RSA PKCS1, CBC padding)
•Test
–Test if your system fails securely as you expect
–There may be nontrivial consequences, relationships, …
–Negative unit/integration tests
•
32
| PA193 - Defense in depth

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Mediation is difficult
•Check permissions at every access
•Quite often done only with the first action
–File open
•If permissions change after the access could be unauthorized
•Mediator with higher privileges
–Kernel
–Services (daemons running as root)
–…
•
| PA193 - Defense in depth
33

The reason for relaxing this one is efficiency: if you do lots of accesses, the checks will slow
you down substantially. It’s not clear if that is really true, though.
Exercise: Have a process open a UNIX file for reading. From the shell, delete the read permissions
that allow the process to read the file. Then have the process read from the open file. The process
can do so. This shows the check is done at the open. If you want to be sure, have the process close
the file. Then have the process try to reopen the file for reading. This open will fail.
Note that UNIX systems fail to enforce this principle to any degree on a superuser process, where
access permissions are not even checked for an open! This is why people create management accounts
(more properly, role accounts) like bin or mail: by restricting processes to those accounts, so
access control checking applies. It also is an application of the principle of least privilege.

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
FreeBSD-SA-08:03.sendfile
II.  Problem Description
When a process opens a file (and other file system objects, such as
directories), it specifies access flags indicating its intent to read,
write, or perform other operations.  These flags are checked against
file system permissions, and then stored in the resulting file
descriptor to validate future operations against.
The sendfile(2) system call does not check the file descriptor access
flags before sending data from a file.
III. Impact
If a file is write-only, a user process can open the file and use
sendfile to send the content of the file over a socket, even though the
user does not have read access to the file, resulting in possible
disclosure of sensitive information.
| PA193 - Defense in depth
34

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
“Security by Obscurity” is NOT secure
•“Security by Obscurity” vs. “Open design”
•Security should not depend on secrecy of design or implementation (Kerckhoff)
•“Security by Obscurity” does not work (in long time)
–Reverse engineering
–Disassembler: machine code to assembly language
–Decompiler: machine code to higher-level language
•Assume an attacker knows everything you know
–Insider attacks are common
–If attacker has 1-in-a-million chance, and there are a million attackers, you are out of luck
| PA193 - Defense in depth
35

Note that source code need not be available to meet this principle. It simply says that your
security cannot depend upon your design being a secret. Secrecy can enhance the security, but if
the design becomes exposed, the security of the mechanism cannot be affected.
The problem is that people are very good at finding out what secrets protect you. They may figure
it out from the way the system works, or from reverse engineering the interface or system, or by
more prosaic techniques such as dumpster diving.
This principle does not speak to secrets not involving design or implementation. For example, you
can keep crypto keys and passwords secret.

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Security by Obscurity vs. Open Design
•Open design does not mean that the full source code must be available to everyone •Logically
crypto keys, passwords, … must remain secret J
| PA193 - Defense in depth
36

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Security by obscurity
•Examples where security by obscurity did not work
–GSM encryption algorithms: A5/1, A5/2, …
–WEP encryption
–CSS encryption on DVDs
–Mifare classic smartcards
–Car remotes (Keeloq, VW Group immobilizer…)
•Weak proprietary cipher, few global master keys…
•Obscurity adds additional burden to analysis
–Good because attacker needs to overcome (short term)
–Bad because less analysis is performed and system is almost always vulnerable after first release
(long term)
–
| PA193 - Defense in depth
37

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Separation of Privilege
•Require multiple conditions to grant privilege
–Separation of duty
•Failures are seen frequently
–Edward Snowden (2013)
•System admin, US lost classified information
–Unauthorized trading in UBS (Kweku Adoboli, 2010)
•Loss of 2 billion USD
–Fraudulent trades Societe Generale (Jerome Kerviel, 2008)
•Loss of 7.2 billion USD
| PA193 - Defense in depth
38

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Do not share (runtime resources)
•Sharing often introduced to increase performance
–But often decrease original security
–(virtual perimeter)
•Share the minimal number of mechanisms
–Information can flow along shared channels
–Covert channels
•Use isolation
–Sandboxes
–Virtual machines
–Physical separation
–
| PA193 - Defense in depth
39

Isolation prevents communication, and communication with something—another process or a resource—is
necessary for a breach of security. Limit the communication, and you limit the damage. So, if two
processes share a resource, by coordinating access, they can communicate by modulating access to
the entire resource.
Examples: percent of CPU used. To send a 1 bit, the first process uses 75% of the CPU; to send a 0
bit, it uses 25% of the CPU. The other process sees how much of the CPU it can get and from that
can tell what  the first process used, and hence is sending. Variations include filling disks,
creating files with fixed names, and so forth.
Approaches to implementing this principle: isolate each process, via virtual machines or sandboxes
(a sandbox is like a VM, but the isolation is not complete).

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Vulnerability Note VU#911878 (CVE-2005-0109)
Description
Hyper-Threading (HT) Technology allows two series of instructions to run simultaneously and
independently on a single processor. With Hyper-Threading Technology enabled, the system treats a
physical processor as two "logical" processors. Each logical processor is allocated a thread on
which to work, as well as a share of execution resources such as cache memories, execution units,
and buses.
Information could potentially be deduced by local users using programs capable of shared memory
cache eviction analysis. Proof of concept code using timing and cache eviction analysis techniques
have demonstrated that cryptographic keys can be deduced on Intel processors with Hyper-Threading
technology (HTT) . It is likely that similar techniques could be employed on other processor
architectures that support simultaneous multithreading.
This vulnerability is applicable to many operating system platforms running on a hardware platform
that supports simultaneous multithreading (Intel HTT in particular).
| PA193 - Defense in depth
40

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Vulnerability Note (CVE-2015-0565)
•DRAM: privilege escalation via Row Hammer
Description
The DRAM memory is used by most recent computers.
Researchers found that reading at a memory address can trigger a bit flip in a page located near.
To ease this attack, DRAM without ECC (Error Correcting Code) was used, and the processor cache was
flushed with the CLFLUSH assemble instruction.
A local attacker can therefore alter the content of DRAM memory, in order to corrupt data. If these
data are located in a page used by a privileged process, this attack can lead to a privilege
escalation.
| PA193 - Defense in depth
41

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Human Acceptability
•Security mechanisms complicate accessing resources and performing duties
–Hide complexity introduced by security mechanisms to users
•Chernobyl nuclear power plant
–Some safety mechanisms disabled/bypassed
•Unpopularity of User Account Control (UAC) in Microsoft Vista
–Number of alerts reduced in subsequent Windows versions
•Certificate validation errors in Web browsers
| PA193 - Defense in depth
42

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
D:\Documents\Obrázky\is2\Plain-Blue-icon.png
D:\Documents\Obrázky\is2\Places-server-database-icon.png
Human is often the weakest link
Google:
Sfdlk2c&432mo%
Skype:
*(&21mefd872!&
D:\Documents\Obrázky\is2\Lock-icon.png D:\Documents\Obrázky\is2\Computer_Icon.png >
More than 60% of users have weak passwords
D:\Documents\Obrázky\is2\Body-Brain-icon.png D:\Documents\Obrázky\is2\Key-icon.png
D:\Documents\Obrázky\is2\Key-icon.png devil
D:\Documents\Obrázky\is2\Places-server-database-icon.png D:\Documents\Obrázky\is2\Lock-icon.png
D:\Documents\Obrázky\is2\Plain-Blue-icon.png
password123
Google:
Sfdlk2c&432mo%
Skype:
*(&21mefd872!&
D:\Documents\Obrázky\is2\johntheripper1_10_design.png
| PA193 - Defense in depth
43
KeePass+Dropbox
LastPass
1Password
MozillaSync
…

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Don’t reinvent the wheel
•Use standard, tested components
•Use SW, libraries, designs, protocols that others are successfully using
•In particular use standard crypto and crypto libraries
–Use standard good random number generators
–Use standards parsers etc.
–Don’t implement your own cryptography
•Bad examples
–Bad use of crypto: 802.11b
–Protocols without expert review: early 802.11i
–Ad-hoc changes to OpenSSL key generation: Debian (2008)
44
| PA193 - Defense in depth

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Avoid High-Risk Technologies
•Some technologies are considered more insecure than others
–This includes programming languages, services and protocols
•Statistics of published vulnerabilities
–E.g. comparison of web browsers
•If the technology must be used, integrate security wrappers, application firewalls etc.
•Java VM is a hot target these days
–Java as a language has always been considered a bit more secure language than C/C++
45
| PA193 - Defense in depth

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Learn from Mistakes
•Learn from your mistakes and mistakes of others
–How did the security error occur?
–Is the same bug repeated in the code?
–How could it have been prevented?
•Change your education/practices to avoid repeating the same errors
•Examine mistakes/bugs of your “competitors” (!)
•
| PA193 - Defense in depth
46

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
The weakest link
•Encryption example
–The system encrypts data
–Encryption is done in a standard crypto library
•The library will typically not be the weakest link
–Data is stored in encrypted form
–The weakest link will typically be centered around the cryptographic key / password
•How and where is the passport stored?
•How is it processed during the data encryption/decryption?
•Defense layers – independence is important!
| PA193 - Defense in depth
47

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
SOFTWARE DESIGN PATTERNS
•
48
| PA193 - Defense in depth

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Software design pattern
•SW design pattern
–General solution to a standard problem
–The problem is common and being solved frequently
–The solution is general and can be reused
•The aim is to speed up the development process and to avoid issues that can be recognized later
(or too late).
•Design pattern is not code
–Design pattern ≠ code reuse
| PA193 - Defense in depth
49

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Security patterns
•Applying the idea of Software design pattern to the area of computer security
•Aim is to achieve some IT security goals
–Like confidentiality, integrity, … or some specific goal
•Comprehensive catalogs of security patterns exist
–E.g. Munawar Hafiz. Security Pattern Catalog
–http://www.munawarhafiz.com/securitypatterncatalog/index.php
| PA193 - Defense in depth
50

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Security Pattern Catalog
Source: http://www.munawarhafiz.com/securitypatterncatalog/index.php
imageMap
| PA193 - Defense in depth
51

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Example: defense in depth
•Problem
–A security failure in a compartment can cause the whole system to crash. How can we make the
system robust against security failures?
•Solution
–Employ security measures at multiple layers of an application and throughout its operating
environment. defense In Depth is more a security principle. In fact this is considered to be the
core security principles for system architecture.
•Known Uses
–qmail does not employ only one security mechanism, rather it has security solutions built in
different levels of architecture.
•Source
–Hafiz et. al.
•Tags
–Deep defense
http://www.munawarhafiz.com/securitypatterncatalog/patterns.php?name=defense%20in%20Depth
| PA193 - Defense in depth
52

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
The SD3 Security Framework (Microsoft)
•SD3
•
* Secure architecture and code
* Threat analysis
* Vulnerability reduction
•Secure
by Design
* Protection: Detection, defense, recovery, management
* Process: How to guides, architecture guides
* People: Training
•Secure in Deployment
* Attack surface area reduced
* Unused features turned off by default
* Minimum privileges used
•Secure
by Default
| PA193 - Defense in depth
53

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Software design pattern
•Examples
–Computational design patterns
•Identify key computations
–Execution patterns
•Execution of stream of tasks & synchronization
–Implementation strategy patterns
•Program organization and data structures
| PA193 - Defense in depth
54

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Examples of security patterns
•Security patterns for highly available systems
–Check pointed system
•Replication and recovery from component failure
–Standby pattern
•Resuming the service of a failing component
–Comparator-checked fault tolerant system
•monitoring the failure free behavior of a component
–Replicated system
•The use of redundant components, load balancing, …
| PA193 - Defense in depth
55

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Security Pattern Catalog
Source: http://www.munawarhafiz.com/securitypatterncatalog/index.php
hierarchical
| PA193 - Defense in depth
56

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Security in Software Development Life Cycle
security_in_SDLC
[Source: Gary McGraw, Software security, Security & Privacy Magazine, IEEE, Vol 2, No. 2, pp.
80-83, 2004. ]
| PA193 - Defense in depth
57

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
OWASP Top 10 of WEB application vulnerabilities
1.Unvalidated Input
2.Broken Access Control
3.Broken Authentication and Session Management
4.Cross Site Scripting (XSS) Flaws
5.Buffer Overflows
6.Injection Flaws
7.Improper Error Handling
8.Insecure Storage
9.Denial of Service
10.Insecure Configuration Management
| PA193 - Defense in depth
58

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Summary
•Never assume impenetrable defense, completely secure code, will-never-happen situations…
–Ask yourself: What will happen if defense fails?
•Defense in depth is general technique
–Tries to remove single point of failure
•Proper secure coding is one layer of defense
–Or better make it multiple layers
•Good design supports defense in depth!
59
question
•Questions
•| PA193 - Defense in depth