Web App Security I

WebAppSecurityI

AGuideforYourPresentation•  Goals

–  In2‐3sentences,statethegoals•  Whyisthispaperinteresting?

•  RelatedWork–  Whyisitdifferent?

•  Assumptions–  Whatarethey?–  Aretherealistic?–  Whatkindofenvironmentdotheyrepresent?

•  Basicconcepts–  Keycomponentsthatmakeitwork

•  Experiment–  Whatisobjective?

–  Whataretheinput/outputparameters?

•  TakeawaySlide–  Howitcanbenefitlisteners?Reusableconcepts?

Example•  Title

– Phalanx:WithstandingMultimillion‐NodeBotnets

•  Goal– Defendagainstmultimillionnodebotnetsusingindirectionalinfrastructurewithafocusondeployability

•  Whythispaperisinteresting– DeployableDDoSisrare– Multimillionnodebotnetsarerealthreats– Createagood“botnet”tofightagainstbadones

Example(cont.)

•  RelatedWork– Lowdeployabilitysincereliantonchangesto“ossified”routers

– Havenotconsideredbotnetsofthismagnitude

•  Assumptions– Thetotalresourcesofgoodbotnetisgreaterthanmultimillionnodebadbotnets

Example(cont.)

•  Concepts–  EmbedcodeinP2Pclients,e.g.,BitTorrent–  AccumulateP2Pclientstoformgoodbotnet–  P2Pclientsbecomeindirectionalinfrastructure

–  ProtectserverfromdirectconnectivitythroughISPfiltering

•  Experiment

– …..•  Takeawayslide

–  LimitedISPfilteringatserverlocationsseemsdeployableandeffective

–  Embedcodeonsoftwarewithlargeinstallbase

QuickCheckI

•  WhatisSOX?•  WhatyearwasSOXintroduced?

•  WhywasSOXintroduced?

•  WhyisSOXCSO’sbestfriend?

SOX:CSO’sBestFriend

CFO

CSO Ineedmoneyto

secureoutsystems

Sorry,themoneyisforbusinessexpansion

CSO

CFO Oursystemsecurityissecurebuthere’smoneytoenhanceit

Nomorebegging

Pre-SOX Post-SOX

SOXQuickFacts

•  EveryquarterlyreportfiledwiththeSecurityExchangeCommission(SEC),theCEOandCFOsigncertificationsthatsystemsconformtotheSarbanes‐OxleyAct(SOX)

•  UnderSOX,600corporatefraudconvictions,involvingmorethan1,000corporateexecutives

How can one ensure that the hundreds of different systems, each with different configuration and applications running, are secure?

SecurityBenchmark

Vendor

Wecanscanfor35DB

vulnerabilities

Weneedasecurity

scannerthatfindknown

vulnerabilities

CSO

Vendor WecanscanforbufferoverflowonSupa‐DB

fromver1to35

CSO

ThisisgoodforourOracle

DB

QuickCheckII

•  WhatisCVE?•  WhomanagesCVE?

•  WhatisCVEusedfor?

•  Whatelsedotheymanage?

MeasureableSecurity•  MakingSecurityMeasurable(MSM)

–  Standardizedenumeration•  Sharedconcepts(Vulnerabilities/Weaknessdescription)

–  Language•  Findconcepts•  CommunicateconceptsH2H,T2H,H2T,T2T

–  Repositories•  Sharingofinformationonconcepts

– UniformofAdoption•  Brandingprogramstoensureconformanceandinteroperability

MSM

•  Goal– Facilitatetheuseofautomationtoassess,manage,andimprovesecurity

– Fostereffectivesecurityprocesscoordinationacrosstheadoptingorganizations

– Choiceoftoolsandinteroperability

MSMEffortshttp://measurablesecurity.mitre.org/

MSM:ContributionInfoonstandardconceptsinrepositoryHigh‐fidelityofinfo

transferbyusingstandardlanguage

Interoperabilitywithothersystems

Automatedsecuritywithclearlydefinedstandardsandnolock‐intoproprietarytools/concepts

MSM:SecurityConfig&Mgmt

Cou

rtesy

of R

ober

t Mar

tin (M

ILC

OM

2008

)

MSM

•  Capturehowyourorganizationhasconfiguredandsetupanewsystemwhenithasbeenapprovedforuseinyourenterprise

•  Makesurethenewsystemcontinuestobeconfiguredthewayitwasapproved

•  Ensurethatitremainssecureinthefaceofnewthreatsandvulnerabilities

SecurityContentAutomationProtocol(SCAP)

Enumeration Evaluation Measuring Reporting Content

CVE ● ●

CCE ● ●

CPE ● ●

XCCDF ● ● ●

OVAL ● ●

CVSS ● ● CourtesyofNIST2007

IntegratingITandITSecuritythroughSCAP

AssetManagement

VulnerabilityManagement

ConfigurationManagement

CVE

CPEXCCDF

CCE

SCAP

OVALCVSS

CourtesyofNIST2007

Unique configuration ID

Collection of CCE that applies to CPE with OVAL check

Unique platform ID

Unique vulnerabilities ID

Rules to define CCE and CVE checks

Scoring system

CVE:CommonVulnerabilitiesandExposureEnumeration

•  Whatisit?– Alistofsecurityvulnerabilitiesandexposures

•  Goal– Makeiteasiertosharedataacrossseparatedatabases,tools,andservicesusingacommonID

– Baselineforevaluatingthecoverageofyourtools

Trivia

•  DoesCVEtellsyouhowtofixtheproblem?

CVEEntry

•  CVEidentifiernumber– E.g.,"CVE‐1999‐0067”

•  Status– "entry"or"candidate”

•  Briefdescription– Descriptionofsecurityvulnerabilityorexposure

•  Anypertinentreferences– VulnerabilityreportsandadvisoriesorOVAL‐ID

ExampleCVEEntry•  CVEID

–  CVE‐2002‐0649•  Status

–  Candidate•  Description

–  MultiplebufferoverflowsintheResolutionServiceforMicrosoftSQLServer2000andMicrosoftDesktopEngine2000(MSDE)allowremoteattackerstocauseadenialofserviceorexecutearbitrarycodeviaUDPpacketstoport1434…..

•  References–  BUGTRAQ:20030125Fw:MSSQLWORMISDESTROYINGINTERNET

•  URL:http://www.securityfocus.com/archive/1/archive/1/308321/30/26180/threaded

–  MS:MS02‐039•  URL:http://www.microsoft.com/technet/security/bulletin/ms02‐039.asp

–  CERT:CA‐2002‐22•  URL:http://www.cert.org/advisories/CA‐2002‐22.html

CVEUsage:ShareDataVulnScanandRepository

Courtesyofhttp://www.securityfocus.com/infocus/1759

Search/RetrieveinfousingCVE

CVEUsage:BaselineforComparison

•  OpenVASproductsareFreeSoftwareunderGNUGPLandaforkofNessus

Baselineforcomparisonandtoolselection

CourtesyofLaboratoryforSystemsandSystemsUniversityofZagreb

CPE:CommonPlatformEnumeration–UseCase

•  AsoftwareinventorymanagementproductvendorusesCPENamestotagdataelementswithintheirproduct'sdatamodel

•  Enabletheirproducttointeroperatewithdifferenttools

CPESpecification

•  Includes:– NamingsyntaxforCPENames

– Languagefordescribingcomplexplatforms– Algorithmformatching– XMLschemaforbindingdescriptiveanddiagnosticinformationtoaname

CPENamingSyntax

CPEUsage

•  Representtheindividualsoftwareproductsthatexistonanendsystem

•  Impliesrelationshiptosoftwareproduct– Configurationcheck– Vulnerabilitycheck– Patchcheck/Patch– Configurationcontrolchange

CPEExampleInCPEDictionary

•  CPEDictionary:– OfficialcollectionofCPENames

– BinddescriptiveproseanddiagnosticteststoaCPEName,e.g.,OVALcheck

<cpe-item name="cpe:/a:microsoft:ie:7”> <title>Microsoft Internet Explorer 7</title> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="fdcc-ie7-cpe-oval.xml">oval:gov.nist.fdcc.ie7:def:627</check> </cpe-item>

CPE Name

Human readable description

OVAL Check: Example registry check for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version

CPEComplexPlatformExample

<cpe:platform id="456”> <cpe:title>Sun Solaris 5.8 or 5.9 or 5.10</cpe:title> <cpe:logical-test operator="OR" negate="FALSE”> <cpe:fact-ref name="cpe:/o:sun:solaris:5.8" /> <cpe:fact-ref name="cpe:/o:sun:solaris:5.9" /> <cpe:fact-ref name="cpe:/o:sun:solaris:5.10" /> </cpe:logical-test> </cpe:platform>

CPEMatchingExample

•  OVALdefinitioninCPEdictionarydeterminesthatthesystemconsistsof– K={"cpe:/o:microsoft:windows_2000::sp3:pro","cpe:/a:microsoft:ie:5.5"}

•  AsecurityguidancechecklistdescribessomeforMicrosoftWindows2000– X="cpe:/o:microsoft:windows_2000"–  Part=“o”,Vendor=“microsoft”,Product=“windows_2000”

•  XmatchesK’s1stmembersoguidanceapplies

CPEComplexMatching

•  Twodifferences– TheruletomatchX,utilizedCPElanguage–  InsteadofmatchinganymemberinK,itneedstomatchall

K = {"cpe:/o:sun:sunos:5.9:::en-us", "cpe:/a:bea:weblogic:8.1”} X = <cpe:platform id="123”> <cpe:title>Sun Solaris 5.8 or 5.9 with BEA Weblogic 8.1 installed</cpe:title> <cpe:logical-test operator="AND" negate="FALSE”> <cpe:logical-test operator="OR" negate="FALSE”> <cpe:fact-ref name="cpe:/o:sun:solaris:5.8" /> <cpe:fact-ref name="cpe:/o:sun:solaris:5.9" /> </cpe:logical-test> <cpe:fact-ref name="cpe:/ a:bea:weblogic:8.1" /> </cpe:logical-test> </cpe:platform>

CPE:Functionalvs.Technical

•  CPEnamingbasedonfunctionaldefinitionNOTtechnicaldefinition– LinuxdistroAwithApachever.B– LinuxdistroCwithApachever.B– Technically,CPEnameforApachever.Bissame

– Functionally,whoshouldbeprovidingpatchmeanstheCPEnamemaybedifferent

CPE:IssuewithScope(UnsupportedUse)

•  Network‐basedDiscovery– Assetsdiscoveredbyscanning– Partialinfosoneedstobecategorizedunderfunctionalityetc.

•  ForensicsAnalysis/SoftwareArchitecture– Lowergranularitytagging– dlls,harddiskclusters,stack

•  ITManagement– Categorizeassetsbasedonfunctionality

CCE:CommonConfigurationEnumeration•  Whatisit?

– UniqueIDsforconfigurationguidancestatementsandconfigurationcontrols

– Configurationguidancestatement•  The"accountlockoutthreshold"settingshouldbesetto3

– Configurationcontrol•  Theaccountpolicysettings,suchasaccountlockoutthresholdsetting

•  Goal– Quicklycorrelateconfigurationdataacrossmultipleinformationsourcesandtools

CCEEntry•  CCEIdentifierNumber

–  "CCE‐2715‐1”•  Description

–  Descriptionoftheconfigurationissue•  ConceptualParameters

–  ParametersneededtoimplementaCCE

•  AssociatedTechnicalMechanisms–  Anygivenconfigurationissuehaveoneormorewaystoimplementthedesiredresult

•  References–  Pointerstodocumentsthathasdetailsofconfigurationissue

CCEWindowsVistaPlatformGroupExtract

CCE ID CCE Description CCE Parameters CCE Technical Mechanisms

CCE-2715-1

The "reset account lockout counter after" policy should meet minimum requirements. (1) number of minutes

(1) defined by Local or Group Policy

CCE-2363-0 The "account lockout duration" policy should meet minimum requirements. (1) number of minutes

(1) defined by Local or Group Policy

CCE-3177-3

The "account lockout threshold" policy should meet minimum requirements. (1) number of attempts

(1) defined by Local or Group Policy

ExtensibleConfigurationChecklistDescriptionFormat(XCCDF)

•  Specificationlanguageforwritingsecuritychecklists,benchmarks,etc.

•  XCCDFdocumentrepresents:– Structuredcollectionofsecurityconfigurationrules

– Forsomesetoftargetsystems

•  Supportinformationinterchange,automatedcompliancetesting,andcompliancescoring

XCCDF:Example<Benchmarkid="fdcc‐ie‐7"resolved="0"xml:lang="en”… … <title>FDCC:GuidanceforSecuringMicrosoftInternetExplorer7forITProfessionals</title> <description>ThisguidehasbeencreatedtoassistITprofessionalsineffectivelysecuringsystemswithMicrosoftInternetExplorer7installed.</description> … <Profileid="all_800_53"abstract="true”> <title>800‐53All</title> … <selectidref="CM‐1"selected="true"/> <selectidref="CM‐2"selected="true"/> … </Profile>

CONTINUEonnextpage

Collection of checks

XCCDF:Example(cont.) <Profileid="federal_desktop_core_configuration_version_1.2.0.0"extends="all_800_53"> <selectidref="DisableAutomaticInstallOfIEComponents_LocalComputer"selected="true"/> </Profile> … <Groupid="core‐policy"> … <Ruleid="DisableAutomaticInstallOfIEComponents_LocalComputer"selected="false"weight="10.0”> <title>DisableAutomaticInstallofInternetExplorerComponents‐LocalComputer</title> … <requiresidref="SI‐3"/> <requiresidref="SI‐7"/> <identsystem="http://cce.mitre.org">CCE‐3518‐8</ident> … <check‐content‐refhref="fdcc‐ie7‐oval.xml"name="oval:gov.nist.fdcc.ie7:def:1198"/> </check> </Rule>

Extending existing check collection

New check with CCE ID and corresponding OVAL check

XCCDF

OpenVulnerabilityandAssessmentLanguage(OVAL)

•  Goals– Promoteopenandpubliclyavailablesecuritycontent

– Standardizethisinformationtransferacrossthesecuritytoolsandservices

OVALComponents•  Language

– Standardizes3stepsoftheassessmentprocess:•  Representconfigurationinformationofsystemsfortesting(Systemschema)

•  Analyzethesystemforthepresencespecifiedmachinestate(vulnerability,configuration,patchstate,etc.)(DefinitionSchema)

•  Reporttheresultsofthisassessment(Resultschema)

•  Repository– Collectionsofpubliclyavailableandopencontentthatutilizethelanguage

OVAL

•  WhyOVAL?– Nomeanstodeterminetheexistenceofsoftwarevulnerabilities,configurationissues,programs,and/orpatchesinlocalsystems

–  Informationwasavailableastext‐baseddescriptionsfromvulnerabilitybutlaboriousanderror‐pronetointerpret

– Assessmenttooldoesnotrevealhowitdetectsvulnerabilities,thusunabletoverifyfalsepositives

OVALID

•  val:OrganizationDNSName:IDType:IDValue”– OrganizationDNSNamee.g.,‘org.mitre.oval’

–  IDType:obj‐Object,ste‐State,tst‐Test,orvar–Variable

–  IDValue:integeruniquetotheDNSnameandIDTypepairthatprecedesit,e.g.,oval:org.mitre.oval:def:1115oroval:com.redhat.rhsa:def:20060742.

OVALDefinitionExamplehttp://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1115

Metadata

Criteria for vulnerability Checks for criteria Check details

OVALDefinitionXML<metadata> <title>IE6,SP2 PNG Image Buffer Overflow</title> <affected family="windows"> <platform>Microsoft Windows XP</platform> <product>Microsoft Internet Explorer</product> </affected> <reference source="CVE" ref_id="CVE-2005-1211" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1211"/> <description> Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. </description> …

<criteria operator="AND"> <criteria comment="Software section" operator="AND"> <criterion comment="Internet Explorer 6.0 Installed XP SP2" negate="false" test_ref="oval:org.mitre.oval:tst:2403"/> <criterion comment="the version of mshtml.dll is less than 6.0.2900.2668" negate="false" test_ref="oval:org.mitre.oval:tst:1150"/> … </criteria> <criteria comment="Configuration section" operator="AND"> <criterion comment="PNG image rendering enabled in Internet Explorer" negate="false" test_ref="oval:org.mitre.oval:tst:2749"/> </criteria> </criteria> … <registry_test id="oval:org.mitre.oval:tst:2750" version="1" comment="the patch kb883939 is installed" check_existence="at_least_one_exists" check="at least one"> <object object_ref="oval:org.mitre.oval:obj:1578"/> <state state_ref="oval:org.mitre.oval:ste:2571"/> </registry_test> … <registry_object id="oval:org.mitre.oval:obj:1578" version="1"> <hive>HKEY_LOCAL_MACHINE</hive> <key> SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB883939 </key> <name>Installed</name> </registry_object>

OVALResults

CommonVulnerabilityScoringSystem(CVSS)

•  Vendoragnostic,industryopenstandardtoconveyvulnerabilityseverityandhelpdetermineurgencyandpriorityofresponse

•  Solvestheproblemofmultiple,incompatiblescoringsystems

CVSS•  Derivedfrommetricsandformulas•  Metricsareinthreedistinctcategoriesarequantitativeorqualitative– BaseMetrics

•  Qualitiesthatareintrinsicanddonotchangeovertimeorindifferentenvironments

– TemporalMetrics•  Characteristicswhichevolveoverthelifetimeofvulnerability

– EnvironmentalMetrics•  Characteristicswhicharetiedtospecificusersenvironment.

CVSSScoringProcess

Severity

Urgency

Priority

BaseMetrics•  AccessVector

– Howremoteanattackercanbetoattackatarget•  Local,Adjacentnetwork,Network

•  AccessComplexity– Complexityofattack

•  High:Specializedcondition,e.g.,racecondition,rareconfigurationorsocialengineering

•  Medium:Somewhatspecialized

•  Authentication– Numberoftimesauthenticationneededinordertoexploitthevulnerability

•  CIAImpact

TemporalMetrics•  Exploitability

– Howcomplextoexploitthevulnerability•  Unproven:Noexploitcodeisyetavailable•  ProofofConcept:Proofofconceptexploitcodeisavailable

•  RemediationLevel– Levelofanavailablesolution

•  ReportConfidence– Degreeofconfidenceintheexistenceofthevulnerabilityandthecredibilityofitsreport

EnvironmentalMetrics

•  CollateralDamagePotential– Potentialforalossoflifeorphysicalassets

•  TargetDistribution– Percentageofvulnerablesystems

•  SecurityRequirements– CustomizeddependingonthecriticalityoftheaffectedITasset•  Greaterweighttoavailabilityifanassetsupportsabusinessfunction