Security Vulnerabilities and Their Impact upon Poirot
< SE690 Initial Presentation >
Jun Lin, [email protected], http://students.depaul.edu/~jlin8/SE690
Supervised by Dr. Jane Huang
Agenda
- Project Description
- Poirot Introduction
- Security Issues
- Role-based Access Control
- SQL Injection
- Other Security Problems
- Reference
- Project Plan
- Question & Answer
Project Description: Background
This master's project is an extension of a larger project named Poirot.
Poirot is an automated traceability tool that has been developed in the RE research center.
Poirot will be open-sourced in the summer and has already been requested by organizations such as Motorola and Siemens. Security issues are therefore important to address.
Project Description: Objectives
To analyze security issues related to Poirot. Those issues specifically include role-based access control, SQL injection, and other typical types of security problems. The work will involve a full evaluation of Poirot with respect to common security failures.
Poirot Introduction
Poirot is:
- an enterprise-level automated traceability tool
- a web-based application
- a distributed system
- a system that uses a database to store traceable data
Poirot Introduction: Architecture
[Architecture diagram] Components: Web Browser, Poirot Server, Traceable Data Artifacts (XML), Broker, Artifacts in CASE tool, MR Service, MR Adapter
Security Issues
[Architecture diagram annotated with threats] Components: Web Browser, Poirot Server, Traceable Data Artifacts (XML), Broker, Artifacts in CASE tool, MR Service, MR Adapter
Threats marked on the diagram: SQL injection; unauthenticated access; sensitive data (disclosure, integrity threat); data integrity
Security Issues: Security Requirements
S1: Security
S2: Only authorized access to project artifacts.
S3: Secure communication
S4: Minimize system vulnerabilities
S5: Role-based access control
S6: Screens time out after 15 minutes of inactivity
S7: Encrypt all communication
S8: Prevent dangerous characters from being passed to SQL queries from free text.
S9: Limit system access to approved IP addresses
Role-Based Access Control: Access Control Models
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Task-Based Access Control (TBAC)
- Object-Based Access Control (OBAC)
- Role-Based Access Control (RBAC)
Role-Based Access Control: Advantages
- Fits Poirot naturally
- Simplifies authorization administration by assigning permissions to users through roles
- Can easily handle large numbers of users
- Conforms to job positions within the organization, hence promotes usability
Role-Based Access Control: Model
[RBAC model diagram] Entities: User, Role, Permission, Session. Relations: User assignment (User to Role), Permission assignment (Role to Permission), Role hierarchy (Role to Role). Cardinality labels on the diagram: 1, n, n, m.
Role-Based Access Control: Permissions
- System
  - System configuration
- Projects
  - Project configuration
  - Artifacts
    - Read
    - Write
    - More…
Role-Based Access Control: Roles
- System Administrator
- Project Manager
- Common User: Architect, Programmer, QA, …
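The slides describe the RBAC entities (User, Role, Permission, Session, user assignment, permission assignment, role hierarchy), the permission tree and the role list without showing how a check is evaluated. The following Python code is an added example written for this page, not Poirot's own code (Poirot is a JSP/Java application; Python is used here because it is compact and runnable). The mapping of permissions to roles in build_poirot_policy, the permission identifiers, and the user names are assumptions made for illustration; the page does not state Poirot's actual policy.

```python
# Added example (not Poirot's own code): a minimal RBAC model with the entities
# from the slides. The permission-to-role mapping below is an ASSUMPTION made for
# illustration, not Poirot's actual policy.
from typing import Dict, Set

# Permission identifiers modelled on the slide's permission tree (constructed names).
PERMISSIONS = {
    "system.configuration",
    "project.configuration",
    "artifact.read",
    "artifact.write",
}


class RBAC:
    def __init__(self) -> None:
        self.role_permissions: Dict[str, Set[str]] = {}  # permission assignment
        self.role_parents: Dict[str, Set[str]] = {}      # role hierarchy: role -> roles it inherits from
        self.user_roles: Dict[str, Set[str]] = {}        # user assignment

    def add_role(self, role: str, inherits: Set[str] = frozenset()) -> None:
        self.role_permissions.setdefault(role, set())
        self.role_parents[role] = set(inherits)

    def grant(self, role: str, permission: str) -> None:
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission: {permission}")
        self.role_permissions[role].add(permission)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def effective_permissions(self, role: str) -> Set[str]:
        """Walk the role hierarchy so a senior role inherits its junior roles' permissions."""
        seen, stack, perms = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_permissions.get(r, set())
            stack.extend(self.role_parents.get(r, set()))
        return perms


class Session:
    """A session activates a subset of the user's assigned roles (least privilege)."""

    def __init__(self, rbac: RBAC, user: str, active_roles: Set[str]) -> None:
        assigned = rbac.user_roles.get(user, set())
        unassigned = set(active_roles) - assigned
        if unassigned:
            raise PermissionError(f"{user} cannot activate unassigned roles: {sorted(unassigned)}")
        self.rbac, self.user, self.active_roles = rbac, user, set(active_roles)

    def check(self, permission: str) -> bool:
        return any(permission in self.rbac.effective_permissions(r) for r in self.active_roles)


def build_poirot_policy() -> RBAC:
    """ASSUMED policy: Common User subtypes read artifacts, Programmers also write,
    Project Manager inherits Common User plus project configuration, and
    System Administrator inherits Project Manager plus system configuration."""
    rbac = RBAC()
    rbac.add_role("Common User")
    rbac.grant("Common User", "artifact.read")
    rbac.add_role("Architect", inherits={"Common User"})
    rbac.add_role("Programmer", inherits={"Common User"})
    rbac.grant("Programmer", "artifact.write")
    rbac.add_role("QA", inherits={"Common User"})
    rbac.add_role("Project Manager", inherits={"Common User"})
    rbac.grant("Project Manager", "project.configuration")
    rbac.add_role("System Administrator", inherits={"Project Manager"})
    rbac.grant("System Administrator", "system.configuration")
    return rbac


if __name__ == "__main__":
    rbac = build_poirot_policy()
    rbac.assign("alice", "Programmer")       # constructed user
    rbac.assign("alice", "Project Manager")
    # alice activates only Programmer for this session: no project-configuration rights.
    s = Session(rbac, "alice", {"Programmer"})
    print(s.check("artifact.write"), s.check("project.configuration"))  # True False
```

The Session class is the part that matters for least privilege: a user who holds several roles does not exercise all of them at once, and a role that was never assigned cannot be activated at all, which is the property a later authorization test of Poirot would need to verify.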
SQL Injection
"SQL injection" is a subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended.
SQL Injection: Attack Intent
- Identifying injectable parameters
- Performing database fingerprinting
- Determining database schema
- Extracting data
- Adding or modifying data
- Performing denial of service
- Evading detection
- Bypassing authentication
- Executing remote commands
SQL Injection: Example
HTML:
<FORM action=Login method=post><input type=hidden name=userid value=[user input]></FORM>
URL:
http://webserver/login.jsp?userid=[user input]
SQL Injection: Example
SQL & code:
SELECT count(*) as count FROM table WHERE field = '[user input]'
Granted = count > 1 ? True : False
How about user input = whatever' or '1' = '1 ?
The SQL becomes:
SELECT count(*) as count FROM table WHERE field = 'whatever' or '1' = '1'
Result: once the table has records, Granted will always be true.
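To make the login example above concrete, here is an added example, not code from the slides or from Poirot: Python with the built-in sqlite3 module stands in for the JSP/JDBC login, running the same count(*) query built by string concatenation next to a parameterised version. The table name, column name and rows are constructed for the demo. The example grants on count > 0 so that a legitimate userid is accepted; under the tautology every row matches, so the slide's count > 1 test is satisfied just the same.

```python
# Added example (not Poirot's own code): the slide's login query built by string
# concatenation (vulnerable) beside a parameterised query (hardened), run on sqlite3.
import sqlite3

TAUTOLOGY = "whatever' or '1' = '1"   # the user input from the slide

def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for Poirot's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",), ("carol",)])
    return conn

def rendered_query(user_input: str) -> str:
    """The SQL text the vulnerable path actually sends to the database."""
    return "SELECT count(*) AS count FROM users WHERE userid = '" + user_input + "'"

def granted_vulnerable(conn: sqlite3.Connection, user_input: str) -> bool:
    # Vulnerable: the input is spliced into the SQL text, so a quote in the
    # input changes the structure of the query.
    count = conn.execute(rendered_query(user_input)).fetchone()[0]
    return count > 0

def granted_safe(conn: sqlite3.Connection, user_input: str) -> bool:
    # Hardened: the driver binds the value; the quote is data, never SQL syntax.
    sql = "SELECT count(*) AS count FROM users WHERE userid = ?"
    count = conn.execute(sql, (user_input,)).fetchone()[0]
    return count > 0

if __name__ == "__main__":
    conn = make_db()
    print(rendered_query(TAUTOLOGY))
    print("vulnerable:", granted_vulnerable(conn, TAUTOLOGY))  # True: all rows match
    print("safe:", granted_safe(conn, TAUTOLOGY))              # False: no such userid
```

The rendered_query function is also the cheapest review aid: logging the exact statement sent to the database is how a tester confirms, without guessing, whether a quote in the input has escaped the string literal.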
SQL Injection: Example
User input = whatever'; drop table --
User input = whatever'; xp_cmdshell(…) --
SQL Injection: Types
- Tautologies
- Illegal/Logically Incorrect Queries
- Union Query
- Piggy-Backed Queries
- Stored Procedures
- Inference
- Alternate Encodings
SQL Injection: Tautologies
Intent: bypassing authentication, extracting data.
Example:
SELECT accounts FROM users WHERE login='' or 1=1 -- AND pass=''
SQL Injection: Illegal/Logically Incorrect Queries
Intent: identifying injectable parameters, performing database fingerprinting.
Example:
SELECT accounts FROM users WHERE login='' AND 1 = convert(int,(select top 1 name from sysobjects where xtype='u')) -- AND pass=''
Shown error: "Microsoft OLE DB Provider for SQL Server (0x80040E07) Error converting nvarchar value 'CreditCards' to a column of data type int."
SQL Injection: Stored Procedures
Intent: performing denial of service, executing remote commands, ...
Example:
SELECT accounts FROM users WHERE login='admin'; SHUTDOWN; -- AND pass=''
SQL Injection: Alternate Encodings
Intent: evading detection.
Example:
SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- AND pass=''
char(0x73687574646f776e) decodes to the string 'shutdown', so the call is equivalent to exec('shutdown') while the visible query text contains only the legitimate login 'legalUser'.
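Because the encoded form hides the keyword from a naive string match, a reviewer or a detection rule needs to decode such literals before looking for them. The following Python code is an added example written for this page (it is not from the slides, from Halfond et al., or from Poirot): it rewrites every 0x hexadecimal literal in a query string as plain text and reports watched keywords that appear only after decoding. The regular expression and the keyword list are assumptions chosen for illustration.

```python
# Added example (not Poirot's own code): decode hexadecimal literals in a SQL
# string so that encoded keywords such as char(0x73687574646f776e) -> 'shutdown'
# become visible to log review or a detection rule.
import re

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
# Keywords whose appearance inside a decoded literal is worth an alert (constructed list).
WATCH_KEYWORDS = ("shutdown", "xp_cmdshell", "drop", "exec")

def decode_hex_literal(hex_digits: str) -> str:
    """Turn the digits after 0x into text, e.g. 73687574646f776e -> 'shutdown'."""
    if len(hex_digits) % 2:           # odd digit count: pad so the bytes line up
        hex_digits = "0" + hex_digits
    return bytes.fromhex(hex_digits).decode("ascii", errors="replace")

def reveal_encodings(sql: str) -> str:
    """Rewrite every 0x literal in the query as a quoted plain-text string."""
    return HEX_LITERAL.sub(lambda m: "'" + decode_hex_literal(m.group(1)) + "'", sql)

def flag_query(sql: str) -> list:
    """Return watched keywords that are present only after decoding, i.e. hidden by encoding."""
    decoded = reveal_encodings(sql).lower()
    raw = sql.lower()
    return [kw for kw in WATCH_KEYWORDS if kw in decoded and kw not in raw]

if __name__ == "__main__":
    # The query from the slide.
    q = "SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- AND pass=''"
    print(reveal_encodings(q))   # ... exec(char('shutdown')) ...
    print(flag_query(q))         # ['shutdown']
```

Decoding before matching is the general point of this slide: a filter that inspects only the raw text is bypassed by any encoding the database will happily decode on its side, so the comparison has to be made on the decoded form, or better, avoided altogether by parameterising queries so that the literal is never interpreted as SQL.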
SQL Injection: Prevention
- Sanitize the input
- Escape the input
- Limit database permissions and segregate users
- Use stored procedures for database access
- Configure error reporting
- Use tools
SQL Injection: Second-Order SQL Injection
Assume that the single quote has been handled: Replace("'", "''")
Attacker adds a new account: Username: admin' -- Password: password
Insert SQL: insert into users values(123,'admin'' --','password')
SQL Injection: Second-Order SQL Injection
Attacker updates the password:
Sql = "update users set password = '" + newpassword + "' where username = '" + rs.getString("username") + "'"
update users set password = 'password' where username='admin' -- '
What happens?
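To answer the question on the slide with a runnable reproduction, here is an added example, not code from the slides or from Poirot, in Python with sqlite3 standing in for the JDBC code. Step 1 escapes the quote by doubling it, exactly as the slide's Replace does; step 2 rebuilds the UPDATE by concatenation from a username read back from the database. The table, the pre-existing admin row and its password are constructed for the demo.

```python
# Added example (not Poirot's own code): the two steps of the slide's second-order
# injection on sqlite3, beside a parameterised UPDATE that is not affected.
import sqlite3

def escape_quote(value: str) -> str:
    # The slide's Replace("'", "''"): protects only the statement it is used in.
    return value.replace("'", "''")

def make_db() -> sqlite3.Connection:
    # Constructed sample table with a pre-existing administrator account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'original-admin-secret')")
    return conn

def register(conn: sqlite3.Connection, user_id: int, username: str, password: str) -> str:
    """Step 1: the escaped INSERT. The database un-doubles the quote when storing the value."""
    sql = ("insert into users values(" + str(user_id) + ",'" + escape_quote(username)
           + "','" + escape_quote(password) + "')")
    conn.execute(sql)
    return conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]

def change_password_vulnerable(conn: sqlite3.Connection, user_id: int, newpassword: str) -> str:
    """Step 2 as on the slide: the username read back from the DB is trusted and concatenated."""
    stored_name = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    sql = ("update users set password = '" + newpassword
           + "' where username = '" + stored_name + "'")
    conn.execute(sql)   # the stored "-- " comments out the closing quote, WHERE matches 'admin'
    return sql

def change_password_safe(conn: sqlite3.Connection, user_id: int, newpassword: str) -> None:
    """Hardened: bind both values; data read back from the DB is still untrusted data."""
    stored_name = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    conn.execute("update users set password = ? where username = ?", (newpassword, stored_name))

def admin_password(conn: sqlite3.Connection) -> str:
    return conn.execute("SELECT password FROM users WHERE id = 1").fetchone()[0]

if __name__ == "__main__":
    conn = make_db()
    print(register(conn, 123, "admin' --", "password"))   # stored as: admin' --
    print(change_password_vulnerable(conn, 123, "password"))
    print(admin_password(conn))   # 'password': the real admin's password was overwritten
```

What happens is that the escaping in step 1 was correct for the INSERT but is undone by storage: the database keeps the single quote, and the later UPDATE trusts the stored value because it "came from the database". The fix is the same as for first-order injection, bind every value, wherever it came from; escaping at one boundary does not make a value safe at the next.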
Other Security Problems
[Architecture diagram annotated with threats] Components: Web Browser, Poirot Server, Traceable Data Artifacts (XML), Broker, Artifacts in CASE tool, MR Service, MR Adapter
Threats marked on the diagram: unauthenticated access; sensitive data; data integrity
Reference
- Poirot: TraceMaker: A Tool for Dynamically Retrieving Traceability Links, Xuchang Zou, Chuan Duan, Raffaella Settimi, Jane Cleland-Huang.
- An Extensible Architecture for Enterprise-wide Automated Requirements Traceability, Jun Lin, Chan Chou Lin, Joseph Amaya, Massimo Illario, Jane Cleland-Huang, CTIRS, 2006.
- Building Secure Software: How to Avoid Security Problems the Right Way, John Viega, Gary McGraw, Addison-Wesley.
- The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts Consensus, Version 6.01, November 28, 2005, Copyright (C) 2005, SANS Institute, http://www.sans.org/top20/
- A Classification of SQL Injection Attacks and Countermeasures, William G.J. Halfond, Jeremy Viegas, and Alessandro Orso.
- SQL Injection Attacks by Example, Steve Friedl, http://www.unixwiz.net/techtips/sql-injection.html
Project Plan
Phase 1: Analysis
- Initial research into role-based access control and SQL injection, 05/29/2006
- Make initial presentation, 06/02/2006
- Further research into role-based access control, SQL injection, and other typical types of security problems, 06/30/2006
Phase 2: Implementation
- Design: class diagrams and sequence diagrams, 07/08/2006
- Coding and unit testing, 08/05/2006
- Integration testing, 08/10/2006
Phase 3: Documentation
- Write developer instructions, 08/13/2006
- Prepare final presentation, 08/15/2006
Completion: 08/15/2006
Questions?
Thanks