Posted 28-Nov-2014 (upload: rahul-sihag)

Page 1: Mobile Email Security

Team-9: Anirudh Gaur (B.Tech), Rahul Sihag (B.Tech), Bharatram Natarajan (M.Tech), Sanjay Bankapur (M.Tech)

Page 2: Introduction

SoftCorp is an emerging software development company that aims at a leadership position in the upcoming mobile computing market by developing cutting-edge products that address the entire range of handheld user needs.

The SoftCorp product development team has worked on office applications such as text processors, image editors, and even a small spreadsheet application.

The team was clear that developing a good email client for PDAs/mobile devices would

• announce to the world that SoftCorp has arrived in the PDA software market, and
• help the team become more familiar with the handheld programming environment.

After brainstorming, the team listed all the required features and found the product "EazeeMail" from their competitor KurApps. The team decided to use this product as the benchmark for developing the Mobile Email Client (MEC).

The SoftCorp team found that EazeeMail did not support multimedia email, such as audio clips and pictures. They decided to provide support for multimedia emails.

Page 3: Topics to cover

• Identify and specify the security requirements using a use/abuse case diagram.
• For the identified security requirements, identify potential vulnerabilities and threats to this system.
• Identify the security loopholes in the given code fragments.
• Identify at least 4 design patterns that can be used to enhance the security of this product.
• Take one use case related to email functionality, perform threat modelling on it and generate a threat tree for it.
• Does SoftCorp require a redesign of the product to ensure security?

Page 4: Security Requirements

Assets:

• Data: email content, user login credentials, user account information, the configuration file, and the email client code.
• The email server.
• The handheld devices.

Page 5: Security Requirements (continued)

• Prevention of viruses and other malicious software on the handheld device, which would otherwise violate the confidentiality, integrity and privacy of the data on it.
• Securing the connection between the client and the email server, to maintain the confidentiality, integrity and privacy of data in transit.
• Preventing spam, so that neither the server nor the handheld devices are overloaded.
• Preventing phishing by email, to protect customer details and maintain customer trust and privacy.
• Protecting the mobile email client code, to maintain its integrity and confidentiality (and the privacy of the data it handles).
• Protecting the configuration file from being accessed by anything other than the mobile email client, to maintain its confidentiality and integrity.

Page 6: Security Threats & Vulnerabilities

• Virus: responsible for destructive payloads, destroying data and bringing down entire mail systems, e.g. Internet worms. Mass-mailer viruses tend to persist even after antivirus products have added protection against them, leading to loss of money, resources and effort to recover from such incidents, loss of productivity, corrupt or lost data, and loss of user confidence.
• Phishing (identity theft): targets the customers of financial institutions and high-profile online retailers by luring them to spoofed websites where they enter their credentials. Personal information is revealed to other people, violating the confidentiality of the data.
• Spam: degrades system availability and can also carry viruses, malicious code and fraudulent solicitations for private information. It overloads network and server resources.
• An adversary eavesdropping on the channel between the client and the email server, capturing the data, modifying it as they wish and re-sending it (a man-in-the-middle or replay attack).

Page 7: Solutions to Threats

• Use anti-virus software that removes viruses, malware and untrusted programs; an anti-spam solution that blacklists known spam senders rather than deleting each spam mail as it arrives, with the email spam filter enabled; and sender-authentication anti-phishing schemes such as Caller ID for E-mail (Microsoft), Sender Policy Framework (SPF, by Meng Weng Wong) and DomainKeys (Yahoo; the basis of today's DKIM).
• Use a secure transport protocol, SSL/TLS (Secure Sockets Layer / Transport Layer Security), for the connection between the client and the mail server.
• Wrap the client code and the configuration file with the anti-virus, anti-spam and anti-phishing components so that they act as a protective layer (a "firewall") around the client code.

Page 8: Security Code Issue & Correction

Fragment 1 (original):

void f(char *src1, char* src2)
{
    char dest[DEST_SIZE];
    // check to make sure first string fits
    if (strlen(src1) > sizeof(dest)) return;
    strcpy(dest, src1);
    // copy as much of the second string as will fit
    strncat(dest, src2, sizeof(dest));
    ...
}

Issues:

• The length check is off by one: strlen() does not count the terminating NUL, so when strlen(src1) == DEST_SIZE the check passes and strcpy() writes DEST_SIZE + 1 bytes into dest.
• The third argument of strncat() is the maximum number of characters to append, not the size of the destination. With sizeof(dest) passed, up to sizeof(dest) further bytes plus a NUL can be appended after whatever src1 already occupies, so the second copy can also overflow dest. strcpy()/strncat() used this way are a classic source of stack buffer overflows: an attacker who controls src1 or src2 (for example fields of an incoming message) can overwrite the stack.
• src1 and src2 are not const, so nothing stops the function from modifying the caller's strings.

Fragment 1 (corrected):

void f(const char *src1, const char *src2)
{
    char dest[DEST_SIZE];
    // the first string must fit together with its terminating NUL
    if (strlen(src1) >= sizeof(dest)) return;
    strcpy_s(dest, sizeof(dest), src1);
    // append as much of the second string as fits: the remaining space minus the NUL
    strncat_s(dest, sizeof(dest), src2, sizeof(dest) - strlen(dest) - 1);
    ...
}

The bounds-checked strcpy_s()/strncat_s() functions (C11 Annex K, available in the Microsoft CRT) take the destination size as an explicit argument and fail or truncate instead of overflowing. They are not provided by glibc, so on other platforms the same accounting has to be done by hand from the remaining space in dest.
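The following is an added, portable C example (not code from the deck) that makes the two defects in Fragment 1 concrete and shows the hand-rolled bounds accounting that replaces strcpy()/strncat() where Annex K is unavailable. DEST_SIZE is assumed to be 16 and the function names and sample strings are constructed for the demonstration. original_bytes_written() computes, rather than performs, the write the original fragment would make, so the demonstration never overflows anything itself.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEST_SIZE 16   /* assumed value; the deck does not define it */

/* Bytes the ORIGINAL fragment writes into dest for the given inputs once its
 * guard passes: strcpy() writes strlen(src1)+1, then strncat(dest, src2,
 * sizeof(dest)) appends up to DEST_SIZE characters of src2 plus a NUL.
 * Returns 0 if the original guard ('>' not '>=') would have rejected src1. */
size_t original_bytes_written(const char *src1, const char *src2)
{
    size_t n1 = strlen(src1);
    if (n1 > DEST_SIZE)                 /* the original, off-by-one guard */
        return 0;
    size_t n2 = strlen(src2);
    if (n2 > DEST_SIZE) n2 = DEST_SIZE; /* strncat's count is chars to append */
    return n1 + n2 + 1;                 /* total including the final NUL */
}

/* Hardened replacement: copy src1 and as much of src2 as fits into dest,
 * always NUL-terminating and never writing past dest_size bytes.
 * Returns the resulting string length, or -1 if src1 alone does not fit. */
int concat_bounded(char *dest, size_t dest_size, const char *src1, const char *src2)
{
    if (dest_size == 0) return -1;
    size_t n1 = strlen(src1);
    if (n1 >= dest_size)                /* '>=': leave room for the NUL */
        return -1;
    memcpy(dest, src1, n1);
    size_t room = dest_size - n1 - 1;   /* space left for src2, excluding NUL */
    size_t n2 = strlen(src2);
    if (n2 > room) n2 = room;           /* truncate rather than overflow */
    memcpy(dest + n1, src2, n2);
    dest[n1 + n2] = '\0';
    return (int)(n1 + n2);
}

int main(void)
{
    /* Constructed input: a 16-character subject passes the original's '>'
     * check but needs 17 bytes with its NUL, and src2 adds more on top. */
    const char *subj = "0123456789abcdef";
    printf("original would write %zu bytes into a %d-byte buffer\n",
           original_bytes_written(subj, "x"), DEST_SIZE);

    char dest[DEST_SIZE];
    int n = concat_bounded(dest, sizeof dest, "Re: ", "a very long subject line");
    printf("bounded: %d bytes \"%s\"\n", n, dest);   /* truncated, still terminated */
    return 0;
}
```

The point of computing the original's write size arithmetically is that it separates the two errors: even a one-byte src2 already pushes the total to 18 bytes for a 16-byte buffer, and a long src2 adds up to DEST_SIZE more on top of that.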

Page 9: Fragment 2

Fragment 2 (original):

void *ConcatBytes(void *buf1, size_t len1, char *buf2, size_t len2)
{
    void *buf = malloc(len1 + len2);
    if (buf == NULL) return; // allocation failed
    memcpy(buf, buf1, len1);
    memcpy(buf + len1, buf2, len2);
    ...
}

Issues:

• len1 + len2 is computed in size_t and can wrap around. If an attacker supplies lengths whose sum exceeds SIZE_MAX (for example two attachment sizes taken from the wire), malloc() receives a small value and the two memcpy() calls then write len1 + len2 bytes into a much smaller block: a heap overflow.
• The function is declared to return void * but uses a bare return; on allocation failure, so the caller receives an indeterminate value.
• buf + len1 is pointer arithmetic on a void *, a GCC extension rather than standard C; the copy should go through an unsigned char *.
• buf1 and buf2 are not const, and for no reason one is void * while the other is char *.

Fragment 2 (corrected):

void *ConcatBytes(const void *buf1, size_t len1, const void *buf2, size_t len2)
{
    if (len2 > SIZE_MAX - len1) return NULL;   // len1 + len2 would wrap
    unsigned char *buf = malloc(len1 + len2);
    if (buf == NULL) return NULL;              // allocation failed
    memcpy(buf, buf1, len1);
    memcpy(buf + len1, buf2, len2);
    ...
    return buf;
}

memcpy() copies raw bytes, so the element type behind buf1 and buf2 does not matter; what must be checked is that the lengths the caller passes cannot make the allocation smaller than the total number of bytes copied. memcpy_s() (C11 Annex K) additionally takes the destination size, but it does not help unless that destination size is itself computed without overflow.
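An added C example (not the deck's code) that shows the integer wrap-around behind Fragment 2 and the hardened concatenation with the overflow guard. The function names, the out_len parameter and the sample byte strings are constructed for the demonstration; the attacker-controlled lengths stand in for part sizes read from an incoming message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What the ORIGINAL fragment passes to malloc(): len1 + len2 in size_t,
 * which silently wraps modulo SIZE_MAX + 1 instead of failing. */
size_t original_alloc_size(size_t len1, size_t len2)
{
    return len1 + len2;
}

/* Hardened concatenation. Returns a freshly malloc()'d buffer holding the
 * len1 + len2 bytes (caller frees), or NULL if the lengths would wrap or the
 * allocation fails. *out_len receives the total length on success. */
unsigned char *concat_bytes(const void *buf1, size_t len1,
                            const void *buf2, size_t len2, size_t *out_len)
{
    if (len2 > SIZE_MAX - len1)        /* reject BEFORE doing the addition */
        return NULL;
    size_t total = len1 + len2;
    unsigned char *buf = malloc(total ? total : 1); /* malloc(0) may return NULL */
    if (buf == NULL)
        return NULL;
    memcpy(buf, buf1, len1);
    memcpy(buf + len1, buf2, len2);    /* unsigned char*: standard pointer arithmetic */
    if (out_len) *out_len = total;
    return buf;
}

int main(void)
{
    /* Constructed attacker-controlled lengths: an advertised part size of
     * SIZE_MAX - 1 plus a 4-byte part "sums" to 2, so the original would
     * allocate 2 bytes and then copy far more than that into them. */
    printf("original malloc size: %zu\n", original_alloc_size(SIZE_MAX - 1, 4));

    size_t n = 0;
    unsigned char *joined = concat_bytes("header:", 7, "body", 4, &n);
    if (joined) {
        printf("joined %zu bytes: %.*s\n", n, (int)n, (const char *)joined);
        free(joined);
    }
    if (concat_bytes("x", SIZE_MAX - 1, "abcd", 4, &n) == NULL)
        printf("overflowing lengths rejected\n");
    return 0;
}
```

The guard is written as len2 > SIZE_MAX - len1 rather than len1 + len2 < len1 because the subtraction cannot wrap, which keeps the check obviously correct for a reviewer.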

Page 10: Fragment 3

Fragment 3 (original):

#define MAX_BUFF (64)
BYTE bBuff[MAX_BUFF];
DWORD cbBuff = 0;

// Determine how much data to read
RegQueryValueEx(hKey, NULL, NULL, NULL, NULL, &cbBuff);
...
// Read ALL the data!!!
RegQueryValueEx(hKey, NULL, NULL, NULL, bBuff, &cbBuff);

Issues:

• The return value of RegQueryValueEx() is never checked, so a failed size query leaves cbBuff holding whatever value it had.
• cbBuff is never compared with MAX_BUFF: the second call reads cbBuff bytes into a 64-byte buffer, so a registry value longer than 64 bytes (for example a long server name written by another process or a malicious app) overflows bBuff.
• Even with a size check, the value can grow between the two calls, so the second call must be given the real buffer size and its own return value (ERROR_MORE_DATA) must be handled.
• Registry strings are not guaranteed to be NUL-terminated, so a REG_SZ value read this way must be terminated before it is used as a string.

Fragment 3 (corrected):

#define MAX_BUFF (64)
BYTE bBuff[MAX_BUFF];
DWORD cbBuff = 0;
DWORD dwType = 0;

// Determine how much data to read
if (RegQueryValueEx(hKey, NULL, NULL, &dwType, NULL, &cbBuff) != ERROR_SUCCESS)
    return;                          // query failed: do not trust cbBuff
if (cbBuff > sizeof(bBuff))
    return;                          // too large for the fixed buffer (or allocate cbBuff bytes on the heap instead)
...
// Read the data, telling the API how big the buffer really is
cbBuff = sizeof(bBuff);
if (RegQueryValueEx(hKey, NULL, NULL, &dwType, bBuff, &cbBuff) != ERROR_SUCCESS)
    return;                          // ERROR_MORE_DATA: the value grew since the size query

RegQueryValueEx() returns ERROR_SUCCESS (0) on success, so a test of the form "if (RegQueryValueEx(...) > 0)" would take the branch only on failure, and "bBuff = new BYTE[cbBuff]" cannot compile because bBuff is an array rather than a pointer: either keep the fixed buffer and reject oversize values, as above, or declare bBuff as a BYTE * and allocate cbBuff bytes for it.
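The size-query-then-read protocol of Fragment 3 is not specific to the registry, and the correct handling of a value that grows between the two calls is easiest to see in isolation. The following is an added, portable C example (not the deck's code, and not the Win32 API): read_whole_value() implements the query/allocate/read/retry loop against any source with RegQueryValueEx-style semantics, and racy_query() is a constructed source that mimics a writer changing the value between the size query and the read. The status codes, type names and sample strings are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes modelled on the Win32 ones the fragment deals with (assumed). */
#define ST_SUCCESS   0
#define ST_MORE_DATA 234   /* mirrors ERROR_MORE_DATA */

/* A value source with the RegQueryValueEx() calling convention: out == NULL
 * asks for the size; otherwise *io_size is the buffer size on entry and the
 * bytes written on exit. A too-small buffer yields ST_MORE_DATA with the
 * required size in *io_size. */
typedef int (*value_query_fn)(void *ctx, unsigned char *out, size_t *io_size);

/* Read a value of unknown size safely: query the size, allocate exactly that,
 * read with the real buffer size, and retry if the value grew in between.
 * Returns a heap buffer (caller frees) with *len set, or NULL on failure.
 * Never writes past the allocated size. */
unsigned char *read_whole_value(value_query_fn query, void *ctx, size_t *len)
{
    size_t need = 0;
    if (query(ctx, NULL, &need) != ST_SUCCESS)
        return NULL;                         /* size query failed: stop here */
    for (int attempt = 0; attempt < 4; attempt++) {   /* bounded retries */
        unsigned char *buf = malloc(need ? need : 1);
        if (buf == NULL) return NULL;
        size_t size = need;                  /* tell the source the real size */
        int rc = query(ctx, buf, &size);
        if (rc == ST_SUCCESS) { *len = size; return buf; }
        free(buf);
        if (rc != ST_MORE_DATA) return NULL; /* any other error is fatal */
        need = size;                         /* source reported the new size */
    }
    return NULL;                             /* value kept growing: give up */
}

/* Constructed source: the value is 'first' when its size is queried and
 * 'second' (longer) by the time it is read, the race the text describes. */
struct racy_value { const char *first; const char *second; int calls; };

static int racy_query(void *ctx, unsigned char *out, size_t *io_size)
{
    struct racy_value *v = ctx;
    const char *cur = (v->calls++ == 0) ? v->first : v->second;
    size_t n = strlen(cur);
    if (out == NULL) { *io_size = n; return ST_SUCCESS; }
    if (*io_size < n) { *io_size = n; return ST_MORE_DATA; }
    memcpy(out, cur, n);
    *io_size = n;
    return ST_SUCCESS;
}

int main(void)
{
    struct racy_value v = { "mail.example", "mail.example.internal.corp", 0 };
    size_t n = 0;
    unsigned char *val = read_whole_value(racy_query, &v, &n);
    if (val) {
        printf("read %zu bytes after %d calls: %.*s\n", n, v.calls, (int)n, (const char *)val);
        free(val);
    }
    return 0;
}
```

The retry count is bounded so that a source whose size never stabilises cannot turn the loop into a denial of service, and the buffer passed on the read is always exactly the size the loop allocated, which is the property the original fragment lacks.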

Page 11: Fragment 4

Fragment 4 (original):

SqlConnection sql = new SqlConnection(@"data source = localhost;" + "user id = sa;password = password;");
String sql = "select * from client where name = '" + name + "'";

Issues:

• Threat of SQL injection: name is concatenated straight into the statement, so a value such as  ' OR '1'='1  changes the query, and with the connection running as sa (the SQL Server administrator) an injected statement can do anything on the server.
• The user id and password are hard-coded in the source, where anyone with the binary can recover them; they should not be in the code at all. The account should also not be sa but a least-privilege login created for this application.

Fragment 4 (corrected):

// credentials are read from the protected configuration file, not from source code
String id = getUserId();
String pass = getPasswd();
SqlConnection conn = new SqlConnection(@"data source = localhost;" + "user id = " + id + ";password = " + pass + ";");

// parameterised query: the value of name travels separately from the statement text
SqlCommand cmd = new SqlCommand("select * from client where name = @name", conn);
cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;

A syntax check on the assembled string, as in "if (checkSyntax(sql) < 0) return;", cannot tell a legitimate name from an injected one; only keeping data out of the statement text does. Reading the password from a configuration file moves the secret rather than removing it, so the file must be protected as the requirements state (or integrated Windows authentication used so that no password is stored at all).

Page 12: Secure Design Patterns

Thin client: process centrally, present locally

Sensitive data stays centralised in hardened "bunkers", and remote devices are allowed views of it only via thin-client terminal applications.

Network access is required, so a thin client does not support offline use.

The advantage of the thin client is that data never leaves the server; it is only rendered on the endpoint. For additional security, IT can restrict host copy-and-paste operations, limit data transfers, and require strong or two-factor authentication using RSA SecurID or other tokens.

Page 13: Thin device: replicated data, with device-kill for insurance

Point-purpose devices such as smartphones keep only limited amounts of sensitive information on them. The information they keep is a replica, with the master copies stored in data centres.

Because of their size, storage capacity and comparatively modest processing power, the application is limited to email rather than general data processing.

Using native management tools or third-party mobile device management platforms such as Sybase's, smartphone security policies such as backup and enforced encryption can be imposed, and a lost or stolen device can be wiped remotely (the "device-kill").

Page 14: Protected process: local information processing in a secure "bubble"

This pattern allows data to be processed locally. Sensitive information sits inside a compartmentalised processing environment that is separated from the user's local operating system environment and whose security and backup properties are controlled by IT.

The protected process pattern has many advantages: local execution, offline operation, central management, and a high degree of granular security control, including remote wipe.

Page 15: Protected data: documents protect themselves regardless of location

Technologies such as enterprise rights management enshrine the access rules in the documents themselves. These rules, which rely on cryptography for their enforcement, apply no matter where the document rests, a key advantage.

Of all the patterns in the Zero Trust data security strategy, protected data is the most fine-grained and effective, because it focuses on the information rather than on its containers.

Page 16: Suggestion

SoftCorp should not go for a complete redesign, since the code is already complete. Instead, the following strategy can be used for a security review of the product:

1. Threat modelling
2. Test planning
3. Test execution
4. Security bug fixing

Applicable tests: authentication testing, input validation testing, session management testing, encryption testing, application testing.

Page 17: Benefits of Threat Modelling

• Complex design-level security bugs can be identified early if threat modelling is incorporated.
• Multi-step security bugs (several small failures combining to form a disaster) are best found using threat modelling.
• It also helps us understand our application better, since we spend time analysing the makeup of the application in a relatively structured manner.
• It yields useful documents which the testing team can test against.

Page 18: Threat Modelling Process

1. Identify security objectives
2. Create an application overview
3. Decompose the application
4. Identify threats
5. Identify mitigation measures

Page 19: Use Case: Sending an e-mail

Security Objectives:

• Confidentiality (no eavesdropping): a third party with access to my network should not be able to read my mail.
• Privacy: information in the message (such as the sender's network address in the headers) may be used to tell which city you are located in, or in some cases even to find out your address.
• No spam and unwanted email.
• Integrity (no tampering): no data should be modified during the transmission of an email.
• Non-repudiation: the sender should not be able to deny having sent a message.

Page 20: Application Overview

Users: senders with an authenticated account at an email provider.

Technologies: network: wireless network; protocol: SMTP (Simple Mail Transfer Protocol).

Description: 1. Compose an email. 2. Press the send button.

Page 21: Application Decomposition

(decomposition diagram; not reproduced in the transcript)

Page 22: Threats

(1) Disclosure of information: most email is transmitted in clear (unencrypted) text. With readily available tools, persons other than the designated recipients can sniff the packets and read the email contents. Email messages are also stored on SMTP servers in plain, unencrypted text; backups of that data may be made at any time, and administrators can read any of the data on those machines.

(2) Modification of messages: email contents can be modified during transport or in storage.

Page 23: Threats (continued)

(3) Repudiation: because ordinary email messages can be forged, there is no way for you to prove that someone sent you a particular message. Even if someone did send you a message, they can successfully deny it.

(4) Identity theft: if someone obtains the username and password you use to access your email servers, they can read your email and send false email messages as you.

Page 24: Threat Tree

Figure: Attack Tree for Information Disclosure (diagram not reproduced in the transcript)

Page 25: Mitigation

Encrypting the EMAIL message

Encrypt the message itself before sending, so that it stays protected end to end, including while stored on the servers and in their backups. Public-key algorithms such as RSA or an authenticated Diffie-Hellman key exchange are used to establish or wrap a per-message symmetric key, which encrypts the body; this is how S/MIME and OpenPGP work. This addresses eavesdropping and disclosure of information.

Page 26: Encrypting the TRANSMISSION or RECEIPT of an email (SMTP/POP/IMAP over SSL/TLS)

While connecting to the mail server (whether sending or receiving), the email credentials (username and password) and the message are encrypted on the wire, protecting them from interception by malicious users as they traverse the network between the email client and the mail server. This protects only that hop: the message is still in plain text on the server and on any further hops between servers, so transport encryption complements rather than replaces encrypting the message itself.

Page 27: Security with Escrow Encryption

Escrow encryption uses a trusted "encryption middleman" to provide protection comparable to asymmetric-key message encryption, but with universal compatibility, since the recipient needs no keys or special client software.

The sender and the receiver both connect to the middleman's webmail portal over a secure SSL/TLS connection. There is no disclosure of information on the communication channel and no identity theft through sniffed credentials, because both sender and receiver are on a secure SSL/TLS connection.

Repudiation is addressed because the middleman authenticates the sender.

The middleman encrypts the message and stores it on his server. Since the message never leaves the middleman's server, it cannot be modified in transit, and it remains protected even in backups.

The trade-off is that the middleman sees every message in plain text: this pattern moves trust from the mail servers to the escrow provider rather than removing it, so the provider's own security and its authentication of users must meet the same requirements that were placed on the original servers.