Software Security - 2019


Objectives:

Course content:
  • Software Security Introduction: Motivation, What is software security, Trend of attacks, Malware: worms, viruses, trojans example, Sources of software insecurity, Secure software development
  • Set-UID Privileged Programs and Attacks on Them: Need for privileged programs, Types of privileged programs, How Set-UID mechanism works, Attack vectors of Set-UID programs, Improving the security of Set-UID programs
  • Environment Variables and Attacks: Environment variables, Obtaining environment variables by a new process, Shell variables and environment variables, Attack vectors through environment variables, Risks introduced by the environment variables
  • Shellshock Attack: Shell functions, Shellshock bug, Shellshock attack on Set-UID programs, Shellshock attack on CGI programs
  • Security in the Software Development Life Cycle: McGraw Touchpoints, BSIMM, Microsoft SDL - Threat modeling, The STRIDE model, OWASP SAMM
  • Buffer Overflows: Problems caused by buffer overflows, Memory management, How does buffer overflow work, Causes of buffer overflows, Exploit the buffer overflow vulnerability, Shellcode, Injection of Shellcode, Jumping to the Shellcode, Writing the Shellcode
  • Protection Mechanisms for Buffer Overflows: Secure coding practices, Better libraries, Safer languages, Static/Dynamic analysis, Fuzzing, StackGuard, ProPolice, StackShield, Control flow integrity, Address space layout randomization, Non-Executable stack, Defeat dash/bash protection
  • Format String Attacks: The stack and format strings, Leaking data from memory, Reading memory at any location, Writing memory to any location, Vulnerable program and attacks, Countermeasures
  • Return-to-libc and ROP Attacks: Using the system function, Construct the correct stack frame for system, Return Oriented Programming
  • Race Condition: Race condition examples, Race condition vulnerability, Exploit race condition, Countermeasures
  • SQL Injection Attacks: Injection attacks, What is SQL injection, SQL injection attacks classification, SQL injection attack examples, SQL injection in real world, Goals of the attacker, Finding SQL injection, Exploiting SQL injection, Identifying the database, Extracting data through UNION, Using conditional statements: time-based/error-based/content-based approach, Enumerating the database schema, Second-order SQL injection examples
  • Preventing SQL Injection Attacks: Input validation, Parameterized statements, Design techniques, Runtime protection
  • Cross Site Scripting (XSS) Attacks: What are XSS attacks, How XSS attacks work, Real world XSS attacks, XSS attack scenarios, Reflected/Stored/DOM-based XSS attacks, Web cookies, Same Origin Policy, XSS attack examples
  • Preventing XSS Attacks: Input/Output validation, Dangerous insertion points elimination, HttpOnly cookies, Content Security Policy, Sandboxing, Finding and exploiting XSS
  • Cross-Site Request Forgery (CSRF) Attacks: What are CSRF attacks, Real world CSRF attacks, How does CSRF attack work, CSRF attack on GET/POST scenario, Preventing CSRF Client-Side, Preventing CSRF Server-Side (Referer header, Synchronizer CSRF Tokens), CSRF vs. XSS attacks
  • Software Security Principles


Attacks Lab content:

Lab exercises that help to understand the software security principles discussed in course and apply those principles to solve real problems using Linux operating system. The focus of the exercises is to analyze software systems for finding the security vulnerabilities, to exploit the vulnerabilities, and apply the prevention techniques that can help defend against such attacks. The studied vulnerabilities are: Attack Vectors of Set-UID Programs, Attack Vectors through Environment Variables, Shellshock, Shellcode Injections, Format Strings, Return-to-libc, Race Conditions, SQL Injections, XSS, CSRF.


Lecture Notes References
Software Security Introduction
Set-UID Privileged Programs and Attacks on Them Wenliang Du, Computer Security: A Hands-on Approach, 2019, Chapter 1.
Environment Variables and Attacks Wenliang Du, Computer Security: A Hands-on Approach, 2019, Chapter 2.
Shellshock Attack

Security in the Software Development Life Cycle
Wenliang Du, Computer Security: A Hands-on Approach, 2019, Chapter 3.
Gary McGraw, Software security, IEEE Security & Privacy, 2004.
Sammy Migues, John Steven, Mike Ware, BSIMM10, 2019.
Microsoft SDL.
Buffer Overflows Michael Howard, David LeBlanc, John Viega, 24 Deadly Sins of Software Security, 2009.
BlueBorne Attacks, 2017.
Ticketbleed Attack, 2017.
Shellcode Injection Attacks Aleph One, Smashing The Stack For Fun And Profit, 1996.
Protection Mechanisms for Buffer Overflows Ulfar Erlingsson, Yves Younan, Frank Piessens, Low-Level Software Security by Example, Springer, 2010.
Format String Attacks Wenliang Du, Computer Security: A Hands-on Approach, 2019, Chapter 6.
Return-to-libc Attacks Wenliang Du, Computer Security: A Hands-on Approach, 2019, Chapter 5.
SQL Injection Attacks Justin Clarke, SQL Injection Attacks and Defense, 2nd Edition, Elsevier, 2012, Chapters 1-5.
Chris Anley, Advanced SQL Injection In SQL Server Applications, Next Generation Security Software, 2002.
Preventing SQL Injection Attacks Justin Clarke, SQL Injection Attacks and Defense, 2nd Edition, Elsevier, 2012, Chapters 8, 9.
Cross-Site Scripting (XSS) Attacks Dafydd Stuttard, Marcus Pinto, The Web Application Hacker's Handbook - Finding and Exploiting Security Flaws, 2nd Edition, John Wiley & Sons, 2011, Chapter 12.
Jeremiah Grossman, Robert Hansen, Petko D.Petkov, Anton Rager, Seth Fogie, XSS Attacks: Cross Site Scripting Exploits and Defenses, Elsevier, 2007.
Preventing Cross-Site Scripting (XSS) Attacks Mike West, An Introduction to Content Security Policy, 2016.
Nick Nikiforakis, Wannes Meert, Yves Younan, Martin Johns, Wouter Joosen, SessionShield: Lightweight Protection against Session Hijacking, ESSoS 2011.
Shay Chen The 2017/2018 WAVSEP DAST Benchmark: Evaluation of Web Application Vulnerability Scanners in Modern Pentest/SSDLC Usage Scenarios, 2018.
Cross-Site Request Forgery (CSRF): Attacks and Prevention Dafydd Stuttard, Marcus Pinto, The Web Application Hacker's Handbook - Finding and Exploiting Security Flaws, 2nd Edition, John Wiley & Sons, 2011, Chapter 13.
OWASP, Cross-Site Request Forgery (CSRF), Cross-Site Request Forgery (CSRF) Prevention, 2018.

Attacks Lab References
Labs Setup Ubuntu 16.04 VM
Set-UID Privileged Programs Cătălin Bîrjoveanu, Set-UID Privileged Programs and Attacks on Them, Lecture Notes.
Attacks on Set-UID Privileged Programs
Environment Variables and Attacks Cătălin Bîrjoveanu, Environment Variables and Attacks, Lecture Notes.
Shellshock Attack Cătălin Bîrjoveanu, Shellshock Attack, Lecture Notes.
Shellcode Injection Attacks Cătălin Bîrjoveanu, Shellcode Injection Attacks, Lecture Notes.
Scores