
DEEP INSIDE SOFTWARE

SECURITY DEVELOPMENT
AND BEST PRACTICES

PROFESSOR: DR. PAOLINA CENTONZE
LECTURE N. 6 (PART 1)

CS 315-CS 615
Software Security
Fall 2015
LECTURE OUTLINE

• Introduction to software security best practices
• Brief overview of software vulnerabilities and statistics
• Insight into software security vs. application security
• These topics will be treated in depth next week (in Part 2)

TEXTBOOK REFERENCE
• Gary McGraw is Chief Technology Officer (CTO) of Cigital (a US software security company)
• His real-world experience is grounded in years of consulting with major corporations and software producers
• He serves on the technical advisory boards of Counterpane, Fortify, and Indigo
PART I

INTRODUCTION TO SOFTWARE SECURITY BEST PRACTICES
SOFTWARE SECURITY

• Software security is the idea of engineering software so that it continues to function correctly under malicious attack
• Most technologists acknowledge the importance of this undertaking
• The biggest challenge is understanding how to tackle it

SOFTWARE SECURITY BEST PRACTICES

• Software security best practices leverage good software engineering practice
• They involve thinking about security early in the software life cycle
• Knowing and understanding common threats, including language-based flaws (defects) and pitfalls (dangers)
• Designing for security
• Subjecting all software artifacts (components) to thorough, objective risk analyses and testing

SOFTWARE SECURITY:
THE MOST CRITICAL ASPECT OF COMPUTER SECURITY
• The software security field first appeared in academia in 2001
• Best practices are neither widely adopted nor obvious
• A central and critical aspect of the computer security problem is a software problem
• Most software has defects; they split roughly into design flaws (50% to 60%; e.g., inconsistent error handling) and implementation bugs (40% to 50%; e.g., buffer overflows)

BUFFER OVERFLOW VULNERABILITY

• A buffer overflow occurs when data written into a fixed-size memory space exceeds that space and spills into the memory around the destination buffer
• The overflowing data lands in adjacent buffers and corrupts or overwrites the valid data held in them
• It can give an attacker control over the contents of process memory, potentially allowing the insertion of hostile code
• Read more about buffer overflows:
• http://searchsecurity.techtarget.com/definition/buffer-overflow

BUFFER OVERFLOWS EXAMPLE

BUFFER OVERFLOWS IN C-BASED LANGUAGES
• The buffer overflow is one of the oldest and best-known exploitable bugs in C-based languages
• Although the iPhone has some built-in measures to prevent buffer overflows, exploits resulting in code execution are still possible
• C functions such as strcat() and strcpy() are the APIs most often abused in this fashion, yet these functions are still used in iPhone applications today
SOME C-BASED LANGUAGE BEST PRACTICES
• The threat of classic C exploits is reduced, but not eliminated, by using high-level Objective-C APIs
• It is very important to follow some best practices, such as using NSString rather than legacy string operations like strcat and strcpy, to protect against buffer overflows

Bugs in the source code


AVOID BUFFER OVERFLOW

• The simplest way for an Objective-C program to avoid buffer overflows is:
• Avoid manual memory management entirely
• Use Cocoa objects such as NSString for string manipulation
• If C-style string manipulation is necessary, use the strl family of functions (strlcpy, strlcat), which take the destination size and always NUL-terminate the result
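The following C program is an added example (it is not from the slides, from Apple's documentation, or from the TechTarget article) showing the defect described on the previous slides beside the bounded alternative. The memory layout, the names and the attacker input are all constructed for the demonstration: a 16-byte name buffer sits directly in front of a 16-byte role field, a strcpy-style copy of a 21-byte name overwrites the role, and a copy that takes the destination size rejects the same input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed layout (assumed for the demonstration, not taken from the
 * slides): one 32-byte region models two adjacent variables, a 16-byte
 * name buffer followed by a 16-byte role field. Keeping both inside one C
 * array means every byte the overflow touches is still inside a real object,
 * so the corruption is deterministic rather than undefined behaviour. */
typedef struct {
    char region[2 * NAME_LEN];
} frame_t;

#define NAME_OF(f) ((f)->region)
#define ROLE_OF(f) ((f)->region + NAME_LEN)

/* The loop strcpy() performs: copy until NUL, never consulting the size of
 * the destination. Written out by hand so a fortified libc strcpy() cannot
 * abort the program before the effect is observed. */
static void legacy_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0') {
    }
}

/* Hardened replacement: the caller states the destination size, the copy is
 * bounded by it, the result is always NUL-terminated, and an input that
 * would not fit is rejected instead of being silently truncated. strlcpy()
 * in the BSD/Apple libc behaves the same way; it is written out here because
 * strlcpy() is not available in every libc. */
static bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    if (dst_size == 0) {
        return false;
    }
    while (len < dst_size && src[len] != '\0') {
        len++;
    }
    if (len == dst_size) {
        return false;                 /* no room left for the terminator */
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

static void init_frame(frame_t *f)
{
    memset(f->region, 0, sizeof f->region);
    memcpy(ROLE_OF(f), "user", sizeof "user");
}

/* Sets the name with the legacy copy and returns the role field afterwards.
 * A name of NAME_LEN or more bytes runs past the name buffer into the role.
 * Names that would leave the 32-byte region are refused so the demo itself
 * never writes outside the object. */
const char *role_after_legacy_copy(const char *name)
{
    static frame_t f;
    if (strlen(name) >= sizeof f.region) {
        return NULL;
    }
    init_frame(&f);
    legacy_copy(NAME_OF(&f), name);
    return ROLE_OF(&f);
}

/* Reports whether the bounded copy accepts the name for a NAME_LEN buffer. */
bool bounded_accepts(const char *name)
{
    frame_t f;
    init_frame(&f);
    return bounded_copy(NAME_OF(&f), NAME_LEN, name);
}

/* Sets the name with the bounded copy and returns the role field afterwards.
 * Accepted or not, the role is never touched. */
const char *role_after_bounded_copy(const char *name)
{
    static frame_t f;
    init_frame(&f);
    (void)bounded_copy(NAME_OF(&f), NAME_LEN, name);
    return ROLE_OF(&f);
}

int main(void)
{
    /* Constructed attacker input: 16 filler bytes, then the role we want. */
    const char *payload = "AAAAAAAA" "AAAAAAAA" "admin";

    printf("legacy copy  -> role = %s\n", role_after_legacy_copy(payload));
    printf("bounded copy -> accepted = %d, role = %s\n",
           bounded_accepts(payload), role_after_bounded_copy(payload));
    return 0;
}
```

With the legacy copy the role field reads "admin" after the name is set; with the bounded copy the over-long name is refused and the role still reads "user". The only difference between the two is that the second function knows the size of its destination, which is exactly what strcpy and strcat lack.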
INTEGER OVERFLOWS

• An integer overflow occurs when a computed value is larger than the storage space it is assigned to
• Typical case: calculating the size of a buffer to be allocated (C, C++)
• End result: the calculated size of the buffer is smaller than the amount of data to be copied into it
SECURITY ISSUES IN SWIFT: WHAT THE NEW LANGUAGE DID NOT FIX

• PLEASE READ THIS ARTICLE!
• http://www.drdobbs.com/security/security-issues-in-swift-what-the-new-la/240168882
• Swift is a new language developed by Apple for iOS and OS X development (presented at WWDC 2014)
• It is designed to eventually replace Objective-C
• It provides several important benefits, e.g., greater resilience against erroneous code
• The article (link above) compares Swift with Objective-C from the security perspective, based on Apple's Secure Coding Guide: it examines the vulnerabilities stated in that document and checks whether they can be exploited in Swift
• The authors explored only loopholes that exist in Objective-C, not new ones that might exist in Swift
• They use the typical classification for defects, which includes the category, the severity, and the likelihood that the vulnerability might be exploited
• GREAT TOPIC to investigate for the final team project

SECURITY IMPACT OF INTEGER OPERATIONS
(Figure: hacking into an online purchase)
• Attackers can use these conditions to influence the value of variables in ways that the programmer did not intend, e.g.:
• When calculating a purchase order total, an integer overflow could allow the total to shift from a positive value to a negative one
• This would give money to the customer in addition to their purchases when the transaction is completed
EXPLOIT SCENARIO:
SECURITY IMPACT OF INTEGER OPERATIONS
(Figure: hacking into a bank)
• Withdrawing $1 from an account with a balance of $0 could cause an integer underflow and yield a new balance of $4,294,967,295 (over four billion dollars) (*note 1)
• A very large positive number in a bank transfer could be cast as a signed integer by a back-end system
• In such a case, the interpreted value could become a negative number and reverse the flow of money: from the victim's account into the attacker's

*note 1: Signed/unsigned mismatch. In the two's complement system, the bit pattern that represents a negative signed integer corresponds to a very large unsigned integer. For example, the same 32-bit pattern represents both -1 and 4,294,967,295, so casting between signed and unsigned integers can result in a drastic change in interpreted value.
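The three situations above (the buffer-size calculation from the Integer Overflows slide, the withdrawal underflow, and the signed cast of a large transfer amount) are reproduced in the added C program below, each with its unchecked form beside a checked one that refuses the out-of-range value. This is example code written for these notes, not from the slides or from any bank or library; the function names, the 32-bit types and the amounts are assumptions chosen to make the wrap-around visible.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 1. Allocation-size arithmetic (the C/C++ case on the Integer Overflows
 * slide). A 32-bit byte count computed as count * elem_size wraps silently,
 * so the buffer actually allocated is far smaller than the data later
 * copied into it. */
uint32_t alloc_size_unchecked(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;                 /* wraps modulo 2^32 */
}

/* Checked form: refuse the request if the product cannot be represented.
 * Passing NULL for out just asks whether the computation is safe. */
bool alloc_size_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size) {
        return false;                         /* product would not fit */
    }
    if (out) {
        *out = count * elem_size;
    }
    return true;
}

/* 2. Unsigned underflow (the withdrawal scenario).
 * Taking 1 from an unsigned balance of 0 wraps to 4,294,967,295. */
uint32_t withdraw_unchecked(uint32_t balance, uint32_t amount)
{
    return balance - amount;
}

bool withdraw_checked(uint32_t balance, uint32_t amount, uint32_t *new_balance)
{
    if (amount > balance) {
        return false;                         /* insufficient funds */
    }
    if (new_balance) {
        *new_balance = balance - amount;
    }
    return true;
}

/* 3. Signed/unsigned mismatch (the transfer scenario and note 1).
 * A back end that stores a large unsigned amount in a signed 32-bit field
 * reinterprets every value above INT32_MAX as negative: 4,294,967,295
 * becomes -1, and a transfer of 3,000,000,000 becomes -1,294,967,296,
 * reversing its direction. Converting an out-of-range value to a signed
 * type is implementation-defined in C; GCC and Clang wrap modulo 2^32
 * (two's complement), which is the behaviour shown here. */
int32_t transfer_amount_unchecked(uint32_t amount)
{
    return (int32_t)amount;
}

bool transfer_amount_checked(uint32_t amount, int32_t *out)
{
    if (amount > (uint32_t)INT32_MAX) {
        return false;                         /* does not fit a signed field */
    }
    if (out) {
        *out = (int32_t)amount;
    }
    return true;
}

int main(void)
{
    /* 1,073,741,825 four-byte elements need 4 GiB + 4 bytes; the wrapped
     * result claims 4 bytes. */
    printf("unchecked size: %" PRIu32 " bytes, checked accepts: %d\n",
           alloc_size_unchecked(0x40000001u, 4),
           alloc_size_checked(0x40000001u, 4, NULL));
    printf("unchecked withdrawal: balance %" PRIu32 ", checked accepts: %d\n",
           withdraw_unchecked(0, 1), withdraw_checked(0, 1, NULL));
    printf("unchecked transfer of 3000000000: %" PRId32 ", checked accepts: %d\n",
           transfer_amount_unchecked(3000000000u),
           transfer_amount_checked(3000000000u, NULL));
    return 0;
}
```

The checks are all pre-conditions evaluated before the arithmetic, because once an unsigned operation has wrapped (or a signed one has overflowed, which is undefined behaviour in C) there is no reliable way to detect it after the fact. Newer compilers also offer __builtin_mul_overflow and friends, which express the first check in one call.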
EXPLOITING SOFTWARE DEFECTS

• Malicious intruders can hack into systems by exploiting software defects
• Internet-enabled software applications present the most common security risk encountered today
• Software's complexity and extensibility add further security vulnerabilities

NUMBER OF VULNERABILITIES FOR OS AND APPLICATIONS

• Based on the NIST (National Institute of Standards and Technology) reports
• Based on the NVD (National Vulnerability Database) reports
Reference source: http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/
HIGH SEVERITY VULNERABILITY

VULNERABILITY DISTRIBUTION BY TYPE

TOP OPERATING SYSTEMS BY VULNERABILITIES IN 2014

TOP APPLICATIONS BY VULNERABILITIES REPORTED IN 2014
PART II
SOFTWARE SECURITY
VERSUS
APPLICATION SECURITY
DEFINITION OF APPLICATION SECURITY
• Application security means many different things to many different people
• In IEEE Security & Privacy magazine: "the protection of software after it is already built"
• It is easier to protect something that is defect-free than something with vulnerabilities

“WHAT IS THE MOST EFFECTIVE WAY TO PROTECT SOFTWARE?”
• On one hand, Software Security:
• Designing software to be secure
• Building secure software
• Making sure that software is secure
• Educating software developers, architects, and users about how to build secure things
“WHAT IS THE MOST EFFECTIVE WAY TO PROTECT SOFTWARE?” (CONT.)

• On the other hand, Application Security:
• Protecting software, and the systems that software runs in, in a post facto way, after development is complete
• Sandboxing code (as the JVM does with the Security Manager)
• Protecting against malicious code
• Obfuscating code
• Locking down executables
• Monitoring programs as they run (especially their input)
• Enforcing the software use policy with technology
• Dealing with extensible systems
APPLICATION SECURITY VS SOFTWARE SECURITY
• Application Security: finding and fixing known security problems after they have been exploited in systems
• Software Security: the process of designing, building, and testing software for security
• It identifies and expunges (eliminates) problems in the software itself
• Software security practitioners attempt to build software that can withstand attack proactively
• Example: although there is some real value in stopping buffer overflow attacks by observing HTTP traffic as it arrives over port 80, a superior approach is to fix the broken code and avoid the buffer overflow completely
READING ARTICLES HOMEWORK

Please read the following articles and resources:

1. https://www.us-cert.gov/sites/default/files/US-CERT_2012_Trends-In_Retrospect.pdf
2. http://searchsecurity.techtarget.com/definition/buffer-overflow
3. http://www.cse.scu.edu/~tschwarz/coen152_05/Lectures/BufferOverflow.html (how to create a buffer overflow attack)
4. http://www.thegeekstuff.com/2013/06/buffer-overflow/
5. http://nvd.nist.gov/cvss.cfm (CVSS vulnerability scoring criteria)

OTHER OPEN SOURCE TOOLS FOR STATIC ANALYSIS
• https://www.owasp.org/index.php/Static_Code_Analysis (OWASP introduction to static analysis and free/open source tools for static analysis)
• http://iosdevelopertips.com/objective-c/open-source-static-analysis-tool-for-objective-c.html (static analysis tool for Objective-C)

HOMEWORK

• Everyone must listen to and learn from the podcast at this URL (I will ask about it in class):
• https://www.cigital.com/podcasts/show-113-software-security-best-practices/
• Use one of the tools listed on the previous slide to identify some vulnerability in a program
• Or you can use some other tool that you may already know to identify a program/software vulnerability
• Show me that you have tried at least one of those tools