Vulnerabilities and Exploitation in Computer System – Past, Present, and Future
Post on 19-Oct-2014
Description
Software vulnerabilities are regarded as the most critical vulnerabilities, because of their impact and availability, compared to hardware and network vulnerabilities. From the first appearance of software vulnerabilities in the late 80s until today, many software vulnerabilities have been identified and classified, such as the well-known buffer overflow, scripting and SQL command vulnerabilities. We studied those known software vulnerabilities, compared the criticality, impact and significance of the vulnerabilities, predicted the trend of the vulnerabilities, and proposed focus areas based on the comparative studies. The result shows that C overflow vulnerabilities will continue to persist despite losing their dominance in terms of number of occurrences and exploitations. However, the impact of exploiting C overflow vulnerabilities is still regarded as the most critical compared to the others. Therefore, C overflow vulnerabilities will prevail again and continue their domination as they did for the past two decades.
Transcript
Vulnerabilities and Exploitation in Computer System
- Past, Present and Future
03 September 2013 @ 27 Syawal 1434H
Nurul Haszeli Ahmad, Syed Ahmad Aljunid, Jamalul-lail Ab Manan
SISKOM 2013
Faculty of Computer and Mathematical Sciences
UiTM Shah Alam, Selangor, Malaysia
Presentation Outline
1. Introduction
2. Quantitative Studies on Known Software Vulnerabilities
3. Impact Analysis
4. The Prediction
5. Conclusion
Introduction
Introduction
Software Vulnerabilities
What is? Flaws in software / code. Definition (Stoneburner et al., 2002, OWASP Org., 2013, Kaspersky Lab, 2013)
Impact? The system behaves abnormally; unintentionally triggered by users or exploited by hackers
Caused by (root cause):
- Improper process
- Poor design
- Programming errors/mistakes
(Beizer, 1990 and Piessens, 2002; Alhazmi et al., 2006, Howard et al., 1998, Krsul, 1998, Longstaff et al. 1997, Moore, 2007, Vipindeep et al., 2005; Ahmad et al. 2011)
Introduction
Programming errors/mistakes (Ahmad et al. 2011) are caused by:
- Limitation in programming language
- Incompetent programmers/software engineers
Exploitation leads to Impact:
1. 1990 - Morris Worm (One, 1996)
2. Poland train crash (Baker et al. 2008)
3. Iran nuclear attack (Chen 2011)
4. Toyota brake failure (Carty, 2010)
Etc.
Summary
• Quantitative studies on known software vulnerabilities
• Share the criticality and significance of the identified vulnerabilities
• Predict the future
Scope
1. Limited to quantity based on reported vulnerabilities
2. Limited to four classes - SQLi, XSS, Java, and C/C++
Quantitative Studies on Known Software Vulnerabilities
1. Software vulnerabilities have been detected since programming existed
2. The first unintended exploitation happened in the late 80s
3. Microsoft introduced SDL starting from 2002
4. Program analysis (static and dynamic analysis), anti-virus, etc. were introduced as early as 1994 (Wagner)
5. Vulnerabilities are still at large and exploitation increases exponentially with vulnerabilities
19 well-known online vulnerability databases and organizations:
1. Microsoft Corporation
2. Homeland Security
3. NIST
4. OSVDB
5. OWASP
6. SANS Institute
7. CSM
etc.
Quantitative Studies on Known Software Vulnerabilities
[Chart: No. of Vulnerabilities by Year, 1988 to 2013; y-axis "No. of Vulnerabilities", 0 to 7000]
Source: National Institute of Standards and Technology (NIST)
Source: Open-Source Vulnerabilities Database (OSVDB)
Quantitative Studies on Known Software Vulnerabilities
Other Scary Facts
1. > 2000 vulnerabilities identified per year
2. 20% are consistently C/C++ overflow vulnerabilities
3. 40% are ranked with severity 7.0 to 10.0
4. SANS Institute has continued to list the same classes of vulnerabilities in its Top 25 Software Errors since 2002
5. A single vulnerability, if exploitable, can cause huge impact
6. Symantec reported a 42% increase in exploitation and an increase of ~50% in web attacks
7. Some of the latest attacks still use old, already identified vulnerabilities (Kaspersky Lab)
Impact Analysis
Fantastic Four
SQLi
• 95% has CVSS 4.0 – 6.9
• Severity between low and medium
• Security bypass
• Gain control / steal user identity (depending on user privileges)
XSS
• 70% has CVSS 4.0 – 6.9
• Severity between low and medium
• Security bypass
• Gain control / steal user identity (depending on user privileges)
Java
• 85% has CVSS 7.0 – 10
• Severity is high
C/C++ overflow
• 60% has CVSS 7.0 – 10
• Severity is high
• With overflow vulnerabilities, access/control can be gained without use of user privileges
• System malfunctions, accidents, control systems, etc. (McGraw, 2013, Baker et al., 2008, and Chen, 2010)
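The percentages on this slide and on "Other Scary Facts" are shares of reported vulnerabilities bucketed by class and by CVSS band. As an added example that is not part of the slides, the Python below reproduces that counting over a small constructed dataset: the records and their scores are made up for illustration, and only the band boundaries (4.0 – 6.9, 7.0 – 10) are taken from the deck.

```python
# Added example, not from the slides: reproduce the deck's quantitative method
# (share per vulnerability class, share per CVSS band) on a constructed dataset.
from collections import Counter

# Constructed sample records: (year, vulnerability class, CVSS base score).
# These are made-up values for illustration, not real CVE entries.
SAMPLE = [
    (2011, "SQLi", 6.5), (2011, "SQLi", 5.0), (2011, "XSS", 4.3), (2011, "XSS", 4.3),
    (2012, "SQLi", 7.5), (2012, "XSS", 6.8), (2012, "Java", 9.3), (2012, "Java", 6.8),
    (2012, "C/C++ overflow", 10.0), (2012, "C/C++ overflow", 7.2),
    (2013, "Java", 10.0), (2013, "C/C++ overflow", 5.0), (2013, "C/C++ overflow", 9.3),
    (2013, "XSS", 4.3), (2013, "SQLi", 4.0), (2013, "Other", 2.1), (2013, "Other", 5.0),
    (2013, "Other", 7.8), (2013, "Other", 9.0), (2013, "Other", 3.7),
]


def severity_band(cvss):
    """Map a CVSS base score to the bands the slides use: low, medium (4.0-6.9), high (7.0-10)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def counts_by_year(records):
    """Reported vulnerabilities per year (the bar chart on the earlier slide)."""
    return dict(sorted(Counter(year for year, _, _ in records).items()))


def class_share(records, cls):
    """Percentage of all records in one class (e.g. the '20% C/C++ overflow' figure)."""
    n = sum(1 for _, c, _ in records if c == cls)
    return round(100.0 * n / len(records), 1)


def band_share(records, cls, band):
    """Percentage of one class's records in a severity band (the per-class figures above)."""
    scores = [s for _, c, s in records if c == cls]
    if not scores:  # class absent from the dataset: report 0 rather than divide by zero
        return 0.0
    hits = sum(1 for s in scores if severity_band(s) == band)
    return round(100.0 * hits / len(scores), 1)


def high_severity_share(records):
    """Percentage of all records rated 7.0-10.0 (the '40% ranked with severity 7.0 to 10.0' figure)."""
    hits = sum(1 for _, _, s in records if severity_band(s) == "high")
    return round(100.0 * hits / len(records), 1)
```

Pointing `SAMPLE` at real NVD or OSVDB exports, with each entry mapped to one of the four classes, yields the same kind of figures the deck reports.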
Impact Analysis
Market shares
• Windows-based OS – 90%
• 30% is Windows XP
• Most used mobile OS is Android (> 60% market share)
Browser used
• Use of Microsoft IE reduces the possibility of being hacked
• Safari (by Apple) and Chrome (runs on Android-based mobile) increase the risk of being attacked
Rise of online applications
• Only XSS, SQLi, and Java vulnerabilities are affected, and this shall increase the risk of being exploited
Detection/Prevention Mechanism
• Java has built-in security (JVM)
• XSS and SQLi vulnerabilities are input related
• C/C++ has no perfect defense
The Prediction
The Famous Four will remain for decades to come
C/C++ will prevail again
Conclusion
• There are many sites that support hackers – Shodan, Rapid7, Offensive Security and SecurityVulns
• Old vulnerabilities are still relevant (Kaspersky Lab)
• Compared to other classes of vulnerabilities, C/C++ is the most dangerous
• Vulnerabilities and exploitation in computer systems will persist
• C/C++ overflow vulnerabilities will regain their domination
References
1. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2010a). Preventing Exploitation on Software Vulnerabilities: Why Most Static Analysis Is Ineffective? Conferences on Engineering and Technology Education. Kuching: World Engineering Congress.
2. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2011). Taxonomy of C Overflow Vulnerabilities Attack. In Z. Jasni Mohamad, W. Mohd, & E.-Q. Eyas (Ed.), International Conferences on Software Engineering and Computer Systems. 180, pp. 376 - 390. Kuantan, Pahang: Springer.
3. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2011c). Understanding Vulnerabilities by Refining Taxonomy. 7th International Conference on Information Assurance and Security (IAS) (pp. 25 - 29). Melaka: IEEE Computer Society.
4. Alhazmi, H. O. (2005). Quantitative vulnerability assessment of systems software. Annual Proceedings of Reliability and Maintainability Symposium (pp. 615 - 620). IEEE.
5. Alhazmi, O. H., Woo, S. W., & Malaiya, Y. K. (2006). Security Vulnerability Categories in Major Software Systems. 3rd IASTED International Conference on Communication, Network, and Information Security (CNIS), (pp. 138 - 143).
6. Aslam, T. (1995). A Taxonomy of Security Faults in the UNIX Operating System. MSc Thesis, Department of Computer Sciences, Purdue University.
7. Baker, & Graeme. (2008, January 11). Schoolboy hacks into city's tram system. Retrieved November 17, 2011, from The Telegraph: http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html
8. Beizer, B. (1990). Software Testing Technique (2nd Edition ed.). New York, USA: Van Nostrand Reinhold Co.
9. Carty, D. (2010, February 3). Apple's Wozniak: Toyota Has Software Problem. (CBS Interactive Inc) Retrieved November 18, 2011, from CBS News: http://www.cbsnews.com/8301-503983_162-6169804-503983.html
10. Cenzic Inc. (2013). Resources - Application Security Papers. Retrieved August 09, 2013, from CENZIC: http://www.cenzic.com/resources/application-security-papers/
11. Chen, T. M. (2010). Stuxnet, the Real Start of Cyber Warfare. IEEE Network, 24 (6), 2 - 3.
12. CISCO. (2013). Cisco Security Report. Retrieved August 09, 2013, from Cisco: http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
13. Critical Patch Updates, Security Alerts and Third Party Bulletin. (2013). Retrieved August 09, 2013, from Oracle Technology Network: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
14. CyberSecurity Malaysia. (2013). e-Security Bulletin. Retrieved August 09, 2013, from CyberSecurity Malaysia: http://www.cybersecurity.my/en/knowledge_bank/bulletin/content/main/detail/182/index.html?mytabsmenu=2
15. Department of Homeland Security. (2013). US-CERT. Retrieved August 09, 2013, from US-CERT (United States Computer Emergency Readiness Team): http://www.us-cert.gov/
16. Fritzinger, S. J., & Mueller, M. (1996). Java™ Security. White paper, Sun Microsystems, Inc.
17. Hewlett-Packard Development Company. (2013). Resource Center. Retrieved August 09, 2013, from HP Enterprise Security: http://www.hpenterprisesecurity.com/news/resource-center
18. Howard, J. D., & Longstaff, T. A. (1998). A Common Language for Computer Security Incidents. Sandia Technical Report, Sandia National Laboratories, Sandia Corporation.
19. Howard, M., LeBlanc, D., & Viega, J. (2010). 24 Deadly Sins of Software Security - Programming Flaws and How to Fix Them. McGraw-Hill.
20. IBM X-Force. (2013). IBM X-Force Annual Trend and Risk Report. Retrieved August 09, 2013, from IBM X-Force: http://www-03.ibm.com/security/xforce/downloads.html
21. iMPERVA. (2013). Imperva Web Application Attack Report. iMPERVA.
22. IT Security Research Group. (2013). Map Honeynet. Retrieved August 09, 2013, from The Honeynet Project: http://map.honeynet.org/
23. Johnson, S. (2013, August 07). FortiGuard Labs sees fast rise of mobile malware in 2013. (TechTarget) Retrieved August 09, 2013, from SearchSecurity: http://searchsecurity.techtarget.com/news/2240203220/FortiGuard-Labs-sees-fast-rise-of-mobile-malware-in-2013?asrc=EM_ERU_22893730&utm_medium=EM&utm_source=ERU&utm_campaign=20130808_ERU%20Transmission%20for%2008/08/2013%20(UserUniverse:%20551200)_myka-rep
24. Kaspersky Lab. (2013b). Analysis. Retrieved August 09, 2013, from SECURELIST: http://www.securelist.com/en/analysis?genre=1
25. Kaspersky Lab. (2013). Kaspersky Security Bulletin 2012. The overall statistics for 2012. Retrieved August 09, 2013, from SECURELIST: http://www.securelist.com/en/analysis/204792255/
26. Kaspersky Lab. (2013a). Software vulnerabilities. Retrieved August 09, 2013a, from SECURELIST: http://www.securelist.com/en/threats/vulnerabilities?chapter=35
27. Krsul, I. V. (1998). Software Vulnerability Analysis. PhD Thesis, Purdue University.
28. Lipner, S. (2013, May 14). The time is now. Security Development Must be a Priority for Everyone. Retrieved August 09, 2013, from Microsoft Trustworthy Computing: http://blogs.technet.com/b/trustworthycomputing/archive/2013/05/08/security-development-conference-2013.aspx
29. Longstaff, T. A., Ellis, J. T., Hernan, S. V., Lipson, H. F., McMillan, R. D., Pesante, L. H., et al. (1997). Security of the Internet. (M. Dekker, Ed.) The Froehlich/Kent Encyclopedia of Telecommunications, 15, pp. 231 - 255.
30. McGraw, G. (2013, August 09). Five major technology trends affecting software security assurance. Retrieved August 11, 2013, from SearchSecurity.com: http://searchsecurity.techtarget.com/opinion/Five-major-technology-trends-affecting-software-security-assurance
31. Microsoft Corporation. (2002, January 15). Memo from Bill Gates. Retrieved 2010, from Microsoft News Center: http://www.microsoft.com/en-us/news/features/2012/jan12/gatesmemo.aspx
32. Microsoft Corporation. (2013b). Microsoft Security Advisories. Retrieved August 09, 2013b, from Security TechCenter: http://technet.microsoft.com/en-us/security/advisory/
33. Microsoft Corporation. (2013a). What is the Security Development Lifecycle? Retrieved August 09, 2013a, from Microsoft Security Development Lifecycle: http://www.microsoft.com/security/sdl/default.aspx
34. MITRE Corporation. (2011). Common Vulnerabilities And Exposures. Retrieved November 15, 2011, from CVE - Format String: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Format+String
35. Moore, H. D. (2007). Exploiting Vulnerabilities. Presentation Slide, Secure Application Development (Secappdev.org).
36. National Institute of Standards and Technology (NIST). (2013). CVE and CCE Statistics Query Page. Retrieved August 09, 2013, from National Vulnerability Database (NVD): http://web.nvd.nist.gov/view/vuln/statistics
37. Net Applications.com. (2013b). Desktop Browser Market Share. Retrieved August 11, 2013b, from NETMARKETSHARE: http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
38. Net Applications.com. (2013). Desktop Operating System Market Share. Retrieved August 10, 2013, from NETMARKETSHARE: http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
39. Offensive Security. (2013). Retrieved from Exploit Database: http://www.exploit-db.com/
40. One, A. (1996). Smashing the Stack for Fun and Profit. Phrack Magazine, 7 (49).
41. Open Sourced Vulnerability Database (OSVDB). (2013). Open Sourced Vulnerability Database. Retrieved August 09, 2013, from OSVDB: http://osvdb.org/
42. Oracle Corporation. (2012). Java SE Security. Retrieved January 10, 2012, from ORACLE: http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html
43. Oracle Corporation. (2010). Secure Computing with Java: Now and the Future. Retrieved January 10, 2012, from ORACLE - Sun Developer Network (SDN): http://java.sun.com/security/javaone97-whitepaper.html
44. Oracle FAQ. (2012, January 2). Oracle Corporation. Retrieved January 10, 2012, from Oracle FAQ: http://www.orafaq.com/wiki/Oracle_Corporation
45. OWASP Organization. (2013). Category: Vulnerability. Retrieved August 09, 2013, from OWASP - The Open Web Applications Security Project: https://www.owasp.org/index.php/Category:Vulnerability
46. Passeri, P. (2013). 2012 Cyber Attack Statistics. Retrieved August 09, 2013, from Hackmageddon.com: http://hackmageddon.com/2012-cyber-attacks-statistics-master-index/
47. Pierluigi, P. (2013). Security Affairs. Retrieved August 09, 2013, from Security Affairs: http://securityaffairs.co/wordpress/
48. Piessens, F. (2002). A Taxonomy (with Examples) of Causes of Software Vulnerabilities in Internet Software. Technical Report, Katholieke Universiteit Leuven, Department of Computer Science.
49. Positive Research. (2012). Vulnerability Statistics for 2011. Positive Technologies.
50. Rapid7. (2013). Vulnerability and Exploit Database. Retrieved August 09, 2013, from Rapid7: http://www.rapid7.com/db/modules/
51. Rashid, F. Y. (2013, May 15). Microsoft Talks Secure Coding Practices, Standards at Security Development Conference. Retrieved August 09, 2013, from SECURITYWEEK: http://www.securityweek.com/microsoft-talks-secure-coding-practices-standards-security-development-conference
52. Red Hat Inc. (2013). Red Hat vulnerabilities by CVE name. Retrieved August 09, 2013, from redhat: https://access.redhat.com/security/cve/
53. SANS Institute. (2013). CWE/SANS TOP 25 Most Dangerous Software Errors. Retrieved August 09, 2013, from http://www.sans.org/top25-software-errors/
54. Secunia. (2013). Advisories. Retrieved August 09, 2013, from Secunia: http://secunia.com/community/advisories/historic/
55. SecurityVulns. (2013). Retrieved August 09, 2013, from Computer Security Vulnerabilities: http://securityvulns.com/
56. SHODAN. (2013). Expose Online Devices. Retrieved August 09, 2013, from SHODAN: http://www.shodanhq.com/
57. Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems – Recommendation of the National Institute of Standard and Technology (Special Publications). National Institute of Standard and Technology (NIST).
58. Symantec Corporation. (2013). Internet Security Threat Report 2013 Volume 18. Symantec Corporation.
59. Symantec Corporation. (2013). Security Response Publications. Retrieved August 09, 2013, from Symantec: http://www.symantec.com/security_response/publications/threatreport.jsp
60. Vipindeep, V., & Jalote, P. (2005). List of Common Bugs and Programming Practices to avoid them. Technical Report, Indian Institute of Technology, Kanpur.
THANK YOU
Nurul Haszeli Ahmad, Syed Ahmad Aljunid, Jamalul-lail Ab Manan
Email: [email protected] / [email protected]
LinkedIn: masteramuk / Nurul Haszeli
Website: http://malaysiandeveloper.blogspot.com