
Page 1: Security Vulnerabilities and Their Impact upon Poirot

< SE690 Initial Presentation >

Jun Lin, LinkJoin@163.com, http://students.depaul.edu/~jlin8/SE690

Supervised by Dr. Jane Huang

Page 2: Agenda

- Project Description
- Poirot Introduction
- Security Issues
- Role-based Access Control
- SQL Injection
- Other Security Problems
- Reference
- Project Plan
- Question & Answer

Page 3: Project Description (Background)

This master's project is an extension of a larger project named Poirot.

Poirot is an automated traceability tool that has been developed in the RE research center.

Poirot will be open-sourced in the summer, and has already been requested by organizations such as Motorola and Siemens. Security issues are therefore important to address.

Page 4: Project Description (Objectives)

To analyze security issues related to Poirot. Those issues specifically include role-based access control, SQL injection, and other typical types of security problems. The work will involve a full evaluation of Poirot with respect to common security failures.

Page 5: Poirot Introduction

Poirot is:
- an enterprise-level automated traceability tool
- a web-based application
- a distributed system
- a system that uses a database to store traceable data

Page 6: Poirot Introduction (Architecture)

[Architecture diagram; components as labelled on the slide: Web Browser, Poirot Server, Traceable Data Artifacts (XML), Broker, Artifacts in CASE tool, MR Service, MR Adapter]

Page 7: Security Issues

[The Page 6 architecture diagram, annotated with the threats at each component: SQL injection; unauthenticated access; sensitive data disclosure and integrity threat; data integrity]

Page 8: Security Issues

S1: Security
S2: Only authorized access to project artifacts.
S3: Secure communication
S4: Minimize system vulnerabilities
S5: Role-based access control
S6: Screens time out after 15 minutes of inactivity
S7: Encrypt all communication
S8: Prevent dangerous characters from being passed to SQL queries from free text.
S9: Limit system access to approved IP addresses

Page 9: Role-Based Access Control

Access Control Models:
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Task-Based Access Control (TBAC)
- Object-Based Access Control (OBAC)
- Role-Based Access Control (RBAC)

Page 10: Role-Based Access Control (Advantages)

- Fits Poirot naturally
- Simplifies authorization administration by assigning permissions to users through roles
- Can easily handle large numbers of users
- Conforms to job positions within the organization, hence promotes usability

Page 11: Role-Based Access Control (Model)

[RBAC model diagram; entities User, Role, Permission and Session; relations labelled User assignment, Permission assignment and Role hierarchy; cardinalities shown as 1, n, n, m]

Page 12: Role-Based Access Control (Permissions)

[Permission diagram; labels as on the slide: System, System configuration, Projects, Project Configuration, Artifacts, Read, Write, More...]

Page 13: Role-Based Access Control (Roles)

[Role diagram; labels as on the slide: System Administrator, Project Manager, Common User (Architect, Programmer, QA, ...)]
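The role and permission model of Pages 11 to 13, worked through as an added example (this is not Poirot's code): the role names and the sub-roles of "Common User" come from the slides, while the permission strings, the grant table and the Session mechanics are assumptions made here for illustration.

```python
"""Added example (not Poirot's code): a minimal RBAC check using the roles
and permissions named on slides 12 and 13. The grant table, the Session
mechanics and the permission strings are assumptions for illustration."""
from dataclasses import dataclass, field

# Permissions from slide 12 (string names constructed here).
SYS_CONFIG, PROJECTS, PROJ_CONFIG = "system.configure", "projects.list", "project.configure"
ART_READ, ART_WRITE = "artifacts.read", "artifacts.write"

# Role hierarchy (slide 13): Architect, Programmer and QA specialise "Common User".
PARENTS = {"Architect": {"Common User"}, "Programmer": {"Common User"}, "QA": {"Common User"}}

# Direct permission assignment per role (assumed grant table).
GRANTS = {
    "System Administrator": {SYS_CONFIG, PROJECTS, PROJ_CONFIG},
    "Project Manager": {PROJECTS, PROJ_CONFIG, ART_READ, ART_WRITE},
    "Common User": {PROJECTS, ART_READ},
    "Programmer": {ART_WRITE},
}

def effective_permissions(role: str, seen=None) -> set:
    """Union of a role's own grants and those inherited through the hierarchy."""
    seen = set() if seen is None else seen
    if role in seen:                      # guard against a cyclic hierarchy
        return set()
    seen.add(role)
    perms = set(GRANTS.get(role, set()))
    for parent in PARENTS.get(role, set()):
        perms |= effective_permissions(parent, seen)
    return perms

@dataclass
class Session:
    """RBAC session: the user activates a subset of the roles assigned to them."""
    user: str
    assigned_roles: set
    active_roles: set = field(default_factory=set)

    def activate(self, role: str) -> None:
        # Only roles granted through user assignment can be activated.
        if role not in self.assigned_roles:
            raise PermissionError(f"{self.user} is not assigned role {role!r}")
        self.active_roles.add(role)

    def can(self, permission: str) -> bool:
        # Permission check: any active role carrying the permission suffices.
        return any(permission in effective_permissions(r) for r in self.active_roles)
```

A Programmer session therefore reads and writes artifacts and lists projects, but cannot reach system configuration; a QA session inherits only the Common User grants.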

Page 14: SQL Injection

"SQL Injection" is a subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended.

Page 15: SQL Injection (Attack Intent)

- Identifying injectable parameters
- Performing database finger-printing
- Determining database schema
- Extracting data
- Adding or modifying data
- Performing denial of service
- Evading detection
- Bypassing authentication
- Executing remote commands

Page 16: SQL Injection (Example)

HTML:

    <FORM action=Login method=post><input type=hidden name=userid value=[user input]></FORM>

URL:

    http://webserver/login.jsp?userid=[user input]

Page 17: SQL Injection (Example)

SQL & Code:

    SELECT count(*) as count FROM table WHERE field = '[user input]'
    Granted = count > 1 ? True : False

How about: user input = whatever' or '1' = '1 ?

The SQL becomes:

    SELECT count(*) as count FROM table WHERE field = 'whatever' or '1' = '1'

Result: once the table has records, Granted will always be true.
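The login check above, rebuilt on sqlite3 as an added example (not Poirot's code), once in the slide's concatenated form and once with a bound parameter so the same input is compared as a plain string; the table name, column name and sample rows are constructed for the demonstration.

```python
"""Added example (not Poirot's code): the slide's login check rebuilt on
sqlite3, once by string concatenation and once with a bound parameter.
Table name, column name and the two sample rows are constructed."""
import sqlite3

def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid TEXT)")
    # Constructed rows; any non-empty table is enough for the tautology to match.
    con.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return con

def granted_vulnerable(con: sqlite3.Connection, user_input: str) -> bool:
    # The slide's shape: input spliced into the WHERE clause, so a quote in
    # the input ends the literal and the remainder is parsed as SQL.
    sql = "SELECT count(*) AS count FROM users WHERE userid = '" + user_input + "'"
    (count,) = con.execute(sql).fetchone()
    return count > 0

def granted_safe(con: sqlite3.Connection, user_input: str) -> bool:
    # Same query with a placeholder: the driver binds the whole input as one
    # string value, so it is compared literally and never changes the query.
    (count,) = con.execute(
        "SELECT count(*) AS count FROM users WHERE userid = ?", (user_input,)).fetchone()
    return count > 0

TAUTOLOGY = "whatever' or '1' = '1"   # the slide's user input

def demo() -> dict:
    """Run both checks against a real user and against the slide's input."""
    con = make_db()
    return {
        "vulnerable/alice": granted_vulnerable(con, "alice"),
        "vulnerable/tautology": granted_vulnerable(con, TAUTOLOGY),
        "safe/alice": granted_safe(con, "alice"),
        "safe/tautology": granted_safe(con, TAUTOLOGY),
    }
```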

Page 18: SQL Injection (Example)

    User input = whatever'; drop table --
    User input = whatever'; xp_cmdshell(...) --

Page 19: SQL Injection (Types)

- Tautologies
- Illegal/Logically Incorrect Queries
- Union Query
- Piggy-Backed Queries
- Stored Procedures
- Inference
- Alternate Encodings

Page 20: SQL Injection (Tautologies)

Intent: bypassing authentication, extracting data.

Example:

    SELECT accounts FROM users WHERE login='' or 1=1 -- AND pass=''

Page 21: SQL Injection (Illegal/Logically Incorrect Queries)

Intent: identifying injectable parameters, performing database finger-printing.

Example:

    SELECT accounts FROM users WHERE login='' AND 1 = convert(int, (select top 1 name from sysobjects where xtype='u')) -- AND pass=''

Shown error: "Microsoft OLE DB Provider for SQL Server (0x80040E07) Error converting nvarchar value 'CreditCards' to a column of data type int."

Page 22: SQL Injection (Stored Procedures)

Intent: performing denial of service, executing remote commands...

Example:

    SELECT accounts FROM users WHERE login='admin'; SHUTDOWN; -- AND pass=''

Page 23: SQL Injection (Alternate Encodings)

Intent: evading detection.

Example:

    SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- AND pass=''

legalUser == char(0x73687574646f776e)

Page 24: SQL Injection (Prevention)

- Sanitize the input
- Escape the input
- Limit database permissions and segregate users
- Use stored procedures for database access
- Configure error reporting
- Use tools

Page 25: SQL Injection (Second-Order SQL Injection)

Assume that the single quote has been handled: Replace("'", "''")

Attacker adds a new account:

    Username: admin' --
    Password: password

Insert SQL:

    insert into users values(123, 'admin'' --', 'password')

Page 26: SQL Injection (Second-Order SQL Injection)

Attacker updates the password:

    Sql = "update users set password = '" + newpassword + "' where username = '" + rs.getString("username") + "'"

    update users set password = 'password' where username = 'admin' -- '

What happens?
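The two-step flow of Pages 25 and 26 reproduced end to end as an added example (not Poirot's code), with sqlite3 standing in for the JDBC code on the slide: the quote-doubling from Page 25 protects the INSERT, but the stored name is later concatenated into the UPDATE as trusted data, so the real admin row is the one that changes; the parameterised variant binds the stored name and touches only the attacker's own row. The schema, the pre-existing admin row and the helper names are constructed here.

```python
"""Added example (not Poirot's code): the slides' second-order injection
reproduced on sqlite3. The schema, the escape helper and the sample rows
are constructed for the demo; table and column names follow the slides."""
import sqlite3

def escape_quotes(s: str) -> str:
    # The slide's defence: Replace("'", "''") applied at registration time.
    return s.replace("'", "''")

def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'secret')")   # constructed row
    return con

def register(con: sqlite3.Connection, uid: int, username: str, password: str) -> None:
    # Escaping keeps this INSERT intact, but the value stored is the raw name.
    sql = ("INSERT INTO users VALUES (%d, '%s', '%s')"
           % (uid, escape_quotes(username), escape_quotes(password)))
    con.execute(sql)

def change_password_vulnerable(con: sqlite3.Connection, uid: int, newpassword: str) -> None:
    # Slide 26's pattern: the username is read back from the database and
    # concatenated into the UPDATE unescaped, because it is "trusted" data.
    (username,) = con.execute("SELECT username FROM users WHERE id = ?", (uid,)).fetchone()
    sql = ("UPDATE users SET password = '" + newpassword +
           "' WHERE username = '" + username + "'")
    con.execute(sql)

def change_password_safe(con: sqlite3.Connection, uid: int, newpassword: str) -> None:
    # Bound parameters treat the stored name as data, whatever it contains.
    (username,) = con.execute("SELECT username FROM users WHERE id = ?", (uid,)).fetchone()
    con.execute("UPDATE users SET password = ? WHERE username = ?", (newpassword, username))

def password_of(con: sqlite3.Connection, username: str) -> str:
    return con.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]

def demo(safe: bool) -> str:
    """Register the slide's "admin' --" account, change its password, return admin's."""
    con = make_db()
    register(con, 123, "admin' --", "password")
    (change_password_safe if safe else change_password_vulnerable)(con, 123, "newpass")
    return password_of(con, "admin")
```

With the concatenated UPDATE the real admin's password becomes "newpass" while the attacker's row is untouched; with the bound parameters the admin row keeps "secret".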

Page 27: Other Security Problems

[The Page 6 architecture diagram, annotated with the remaining threats: unauthenticated access, sensitive data, data integrity]

Page 28: Reference

- Xuchang Zou, Chuan Duan, Raffaella Settimi, Jane Cleland-Huang. "TraceMaker: A Tool for Dynamically Retrieving Traceability Links." (Poirot)
- Jun Lin, Chan Chou Lin, Joseph Amaya, Massimo Illario, Jane Cleland-Huang. "An Extensible Architecture for Enterprise-wide Automated Requirements Traceability." CTIRS, 2006.
- John Viega, Gary McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley.
- SANS Institute. The Twenty Most Critical Internet Security Vulnerabilities (Updated): The Experts Consensus, Version 6.01, November 28, 2005. Copyright (C) 2005, SANS Institute. http://www.sans.org/top20/
- William G.J. Halfond, Jeremy Viegas, Alessandro Orso. "A Classification of SQL Injection Attacks and Countermeasures."
- Steve Friedl. "SQL Injection Attacks by Example." http://www.unixwiz.net/techtips/sql-injection.html

Page 29: Project Plan

Phase 1: Analysis
- Initial research into role-based access control and SQL injection, 05/29/2006
- Make initial presentation, 06/02/2006
- Further research into role-based access control, SQL injection, and other typical types of security problems, 06/30/2006

Phase 2: Implementation
- Design: class diagrams and sequence diagrams, 07/08/2006
- Coding and unit testing, 08/05/2006
- Integration testing, 08/10/2006

Phase 3: Documentation
- Write developer instructions, 08/13/2006
- Prepare final presentation, 08/15/2006

Completion: 08/15/2006

Page 30: Questions?

Page 31: Thanks