Software Security & Privacy

Reference Book:
Software Engineering, Ian Sommerville
10th / Global Edition, Chapter 8
Pearson Publishers
Why is Software Security? HeartBleed Bug
The Heartbleed Bug is a serious vulnerability in the
Ø Buffer overflow bug in OpenSSL popular OpenSSL cryptographic software library. This
weakness allows stealing the information protected,
cryptographic library under normal conditions, by the SSL/TLS encryption
used to secure the Internet. SSL/TLS provides
ü Allows attacker to read server communication security and privacy over the Internet for
applications such as web, email, instant messaging (IM)
private keys and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read

Ø 17% of “secure” Internet the memory of the systems protected by the vulnerable
versions of the OpenSSL software. This compromises the
servers worldwide estimated to secret keys used to identify the service providers and to
encrypt the traffic, the names and passwords of the users
be vulnerable (500 Million and the actual content. This allows attackers to
eavesdrop on communications, steal data directly from
servers!!) the services and users and to impersonate services and
users.

Ø Simple patch, but huge cost of Source: Heartbleed.com

patching all these servers

Software Security & Privacy 2

Why is Software Security? Target Credit-Card Attack

v40 Million CC numbers stolen

v90 lawsuits filed against Target
vTarget spent $61 Million responding to
breach
vTarget profits fell in holiday period by
46%

Software Security & Privacy 3

Why is Software Security? Attack on Bitcoin Exchange

Software Security & Privacy 4

Software
Software: A program consists of data and instructions that manipulate the data.
Examples of Software:
Ø Operating systems
Ø Stand alone applications
Ø Web applications (Server Side: Gmail, Amazon, online Banking
Client Side: Internet Explorer, Chrome, Firefox)

Ø Mobile applications

Ø Embedded Software (Built into special purpose hardware platform)

ü Smart / Chip cards (Bank debit / credit cards), Cars, TVs, PlayStation, Cameras

Ø Software components
ü Libraries, e.g., STL, OpenSSL
ü Frameworks, e.g., Apache Thrift, Tensorflow

Software Security & Privacy 5

Software Security

Software Security is about the secure design and implementation of software.

Focus of the Study:

v the code (secure implementation)
v the design (threat modelling)
v the workflow (secure software development life cycle)

Software Security & Privacy 6

Software Security: Gap
v Developers are concerned with
correctness Undesired Behavior:

ü Software operates as intended, v Stealing Information

achieving desired behavior ü Corporate Secrets (product plan, source code, IP….)

ü Personal Information (health record, credit card

v Security is concerned with number, address….)
preventing undesired behavior
v Modifying Information or Functionality
ü Considers an enemy / opponent /
ü Destroying records (accounts, logs, files….)
hacker / adversary who is maliciously
ü Installing unwanted software (spyware, botnet client,
trying to circumvent any protective
ransomware….)
measures you put in place
v Denying Access
ü Unable to access a website, database, cloud drive…

Software Security & Privacy 7

Software Security: CIA Triad
Three Dimensions of Security:
— Confidentiality: concealment of information or resources.
Ø Prevent the disclosure of sensitive information from unauthorized
people, resources, and processes.
Ø Access control mechanisms and Resource hiding supports confidentially.
— Availability: the ability to use the information or resources desired.
Ø The assurance that systems and data are accessible by authorized users
when needed.
Ø Availability is an important aspect of reliability. Hacking is a driving force
Ø Attempts to block availability, called DOS attack is the most difficult to of security.
detect, if unusual access patterns are attributable to deliberate
manipulation of resources of environment.

Software Security & Privacy 8

Software Security: CIA Triad
— Integrity: Trustworthiness of data and resources.
Ø The protection of system information or processes from intentional
or accidental modification.
Ø Integrity includes data integrity (the contents of information) and
origin integrity (the source of data often called authentication). The
source of information may bear on its accuracy and credibility.
Ø Integrity mechanisms fall into two classes: Prevention Mechanism
and detection mechanism (report that the data integrity is no
longer trustworthy).
Ø Prevention blocks any unauthorized attempts to change the
data (lack of authentication) or any attempts to change the
data in unauthorized way (lack of authorization) — Hackers
Ø Negative – Black Hat Hacker
Ø Positive – White Hat Hacker
o Gray Hat Hacker

Software Security & Privacy 9

The OSI Security Architecture
• Security Attack: An action that compromises the security of information owned by an
organization.
• Security Mechanism: A process (or a device incorporating such a process) that is designed to
detect, prevent or recover from a security attack.
• Security Service: A processing or communication service that enhances the security of the data
processing systems and the information transfer of an organization.

Threat and Attack (RFC 2828)

• Threat: A potential for violation of security, which exits when there is a circumstance,
capability, action, or event that could breach security and cause harm.
• Attack: An assault on system security that derives from an intelligent threat.
i.e., an intelligent act that is a deliverable attempt to evade security services and violet the
security policy of a system

Software Security & Privacy 10

Threats

Threats: Potential violation of security.

Attacks: Actions that could cause violation of security.

Threats can be divided into four broad classes:

v Disclosure: unauthorized access of information.
v Deception: acceptance of false data.
v Disruption: Interruption or prevention of correct operation.
v Usurpation: Unauthorized control of some part of a system.

Software Security & Privacy 11

Threats
Some Important threats are:
v Snooping: unauthorized interception of information.
ü Passive wiretapping: Listening to communications or browsing files or system information.
ü Active wiretapping: Modification or alteration of information, e.g., the man-in the middle attack.

v Masquerading or spoofing: Impersonation of one entity by another. Delegation occurs when one entity authorizes
a second entity to perform functions on its behalf. Masquerading is a violation of security whereas delegation is not.
üPassive masquerading: does not attempt to authenticate the recipient but merely accesses it.
ü Active masquerading: Masquerader issues response to mislead the user about its identity.

v Repudiation of origin: A false denial that an entity sent (or created) something.

v Denial of receipt: a false denial that an entity received some information or message.
v Delay: a temporary inhibition of a service. This requires manipulation of system control structures, such as network
components or server components.

v Denial of Service (DoS): a long term inhibition of a service. This an infinite delay.
Software Security & Privacy 12
Security Attacks
• Virus: A malicious software which attaches to another
program to execute a specific unwanted function on a
computer.

— Worm: executes arbitrary code and installs copies of itself in the

memory of the infected computer, which then infects other hosts.

— Trojan Horse: An application written to look like

something else. When a Trojan Horse is downloaded and
opened, it attacks the end-user computer from within.

Software Security & Privacy 13

Security Attacks: Worm Attack
Three major components to most worm attacks:
Ø Enabling vulnerability - A worm installs itself using an exploit
mechanism (email attachment, executable file, Trojan Horse) on
a vulnerable system.
Ø Propagation mechanism - After gaining access to a device, the
worm replicates itself and locates new targets.
Ø Payload - Any malicious code that results in some action. Most
often this is used to create a backdoor to the infected host.
Response to a worm infection:
Ø Containment - A policy for checking the
expansion of worm to other files or devices.
Ø Inoculation- Increase computer’s Immunity.
Ø Quarantine- Separate infected files.
Ø Treatment- disinfect the worm from the files.
Software Security & Privacy 14
Security Attacks: Trojan Horse

Classification of Trojan horse:

Ø Remote-access Trojan Horse (enables unauthorized remote access)
Ø Data sending Trojan Horse (provides the attacker with sensitive data such as passwords)
Ø Destructive Trojan Horse (corrupts or deletes files)
Ø Proxy Trojan Horse (user's computer functions as a proxy server)

Ø FTP Trojan Horse (opens port 21)

Ø Security software disabler Trojan Horse (stops anti-virus programs or firewalls from functioning)
Ø Denial of Service Trojan Horse (slows or halts network activity)

Software Security & Privacy 15

Attack Methodologies

Reconnaissance Attacks
Ø unauthorized discovery and mapping of systems,
services, or vulnerabilities.

Access Attacks
Ø exploit known vulnerabilities in authentication services,

FTP services, and web services.

Denial of Service Attacks

Ø send extremely large numbers of requests over a network or the Internet.

Software Security & Privacy 16

Reconnaissance Attack
• Reconnaissance attacks are the precursor to further attacks.

Software Security & Privacy 17

Access Attack Three methods for password attacks
ü Brute-force attacks
Five types of access attacks:
ü Trojan Horse Programs
ü Password attack ü Packet sniffers
ü Trust exploitation
ü Port redirection
ü Man-in-the-middle attack
ü Buffer overflow

Trust exploitation

Software Security & Privacy 18

Access Attack: Port Redirection Attack

Software Security & Privacy 19

Access Attack: Man in the Middle Attack

Software Security & Privacy 20

Access Attack: Buffer Overflow Attack

Buffer Overflow occurs when the amount of data in the buffer exceeds its
storage capacity. That extra data overflows into adjacent memory locations
and corrupts or overwrites the data in those locations.

Detect the Access Attacks:

Reviewing logs: Check the numbers of failed login attempts.
Bandwidth utilization: Detect the Man-in-the-middle attacks.
Process loads: Detect the buffer overflow attacks.
Software Security & Privacy 21
Access Attack: Mitigating
Strong password policy:
¡ Disabling accounts after a specific number of unsuccessful
logins. This practice helps to prevent continuous password
attempts.
¡ Not using plaintext passwords. Use either a one-time password
(OTP) or encrypted password.
¡ Using strong passwords. Strong passwords are at least eight
characters and contain uppercase letters, lowercase letters,
numbers, and special characters.

Software Security & Privacy 22

Denial of Service (DoS) Attack
A DoS attack is a network attack

compromise
the availability
of a network,
host, or
application

There are two major reasons a DoS attack occurs:

¡ A host or application fails to handle an unexpected condition.
¡ A network, host, or application is unable to handle an enormous quantity of
data.
Software Security & Privacy 23
Social Engineering Attack

Hacker-speak for tricking a person into revealing some confidential

information
An attack based on deceiving users or administrators at the target site
Done to gain illicit access to systems or useful information
The goals of social engineering are fraud, network intrusion, industrial
espionage, identity theft, etc.

Software Security & Privacy 24

Where Does Software Security Fit?

Software Security & Privacy 25

Why is Software Security a Problem?
Vulnerability: A weakness in a system is exploitable by an attacker to realize a threat,
e.g., an online bank server storing user passwords in a publicly accessible server.

Many Vulnerabilities are being exploited

Ø Strong incentives for finding and exploiting vulnerabilities
ü Financial (black market for vulnerabilities / malware)
ü Political / Espionage (Cyber warefare / intelligence)

Large number of software vulnerabilities are being discovered

Ø Made worse by increasing software
ü Complexity (millions of code lines)
ü Connectivity (more potential threats, zero-day vulnerabilities)
ü Extendibility (online updates)

Software Security & Privacy 26

Software Security Levels

Uses of System Operational Level

Application Application Level
Reusable components and libraries

Middleware

Database management
Infrastructure Level
Generic, shared applications (browsers, e--mail, etc)

Operating System

Network Computer hardware

Software Security & Privacy 27

Software Security Levels
• Infrastructure security:
ü concerned with maintaining the security of all systems and networks that provide an
infrastructure and a set of shared services to the organization.

ü System management problems where the infrastructure is configured to resists the attacks.

• Application security:
ü concerned with the security of individual application systems or related groups of systems.
ü Software Engineering problem where the system is designed to resists the attacks.

• Operational security:
ü concerned with the secure operation and use of the organization’s systems.

Software Security & Privacy 28

System Security Management
vUser and permission management (Authentication & Authorization)
ü Adding and removing users from the system and setting up appropriate permissions for users

vSoftware deployment, maintenance & Infrastructure Management

ü Installing application software and middleware and configuring these systems so that
vulnerabilities are avoided.

vAttack monitoring, detection and recovery

ü Monitoring the system for unauthorized access, design strategies for resisting attacks and
develop backup and recovery strategies.

v Backup
ü Backup policies should be implemented to ensure that you keep undamaged copies of
program and data files. These can then be restored after an attack

Software Security & Privacy 29

Security Terminologies
Term Definition
Asset Something of value which has to be protected. The asset may be the software system
itself or data used by that system.
Attack An exploitation of a system’s vulnerability. Generally, this is from outside the system
and is a deliberate attempt to cause some damage.
Control A protective measure that reduces a system’s vulnerability. Encryption is an example
of a control that reduces a vulnerability of a weak access control system

Exposure Possible loss or harm to a computing system. This can be loss or damage to data, or
can be a loss of time and effort if recovery is necessary after a security breach.

Threat Circumstances that have potential to cause loss or harm. You can think of these as a
system vulnerability that is subjected to an attack.
Vulnerability A weakness in a computer-based system that may be exploited to cause loss or harm.

Software Security & Privacy 30

Example of Security Terminologies (MentCare)
Unauthorized access to the Mentcare system

Clinic staff log on to the Mentcare system using a username and password. The system
requires passwords to be at least eight letters long but allows any password to be set
without further checking. A criminal finds out that a well-paid sports star is receiving
treatment for mental health problems. He would like to gain illegal access to information
in this system so that he can blackmail the star.

By posing as a concerned relative and talking with the nurses in the mental health clinic,
he discovers how to access the system and personal information about the nurses and
their families. By checking name badges, he discovers the names of some of the people
allowed access. He then attempts to log on to the system by using these names and
systematically guessing possible passwords, such as the names of the nurses’ children.

Software Security & Privacy 31

Example of Security Terminologies (MentCare)
Term Example

Asset The records of each patient that is receiving or has received treatment.

Exposure Potential financial loss from future patients who do not seek treatment because they do
not trust the clinic to maintain their data. Financial loss from legal action by the sports
star. Loss of reputation.

Vulnerability A weak password system which makes it easy for users to set guessable passwords.
User ids that are the same as names.
Attack An impersonation of an authorized user.

Threat An unauthorized user will gain access to the system by guessing the credentials (login
name and password) of an authorized user.
Control A password checking system that disallows user passwords that are proper names or
words that are normally included in a dictionary.

Software Security & Privacy 32

Threat Types
• Interception threats that allow an attacker to gain access to an asset.
ü A possible threat to the Mentcare system might be a situation where an attacker gains access to
the records of an individual patient.
• Interruption threats that allow an attacker to make part of the system unavailable.
ü A possible threat might be a denial of service attack on a system database server so that
database connections become impossible.

• Modification threats that allow an attacker to tamper with a system asset.

ü In the Mentcare system, a modification threat would be where an attacker alters or destroys a
patient record.
• Fabrication threats that allow an attacker to insert false information into a system.
ü This is perhaps not a credible threat in the Mentcare system but would be a threat in a banking
system, where false transactions might be added to the system that transfer money to the
perpetrator’s bank account.

Software Security & Privacy 33

Example of Threats Through Misuse
Register
patient

Unregister
patient
Impersonate
receptionist
View patient
info.
Medical Intercept Attacker
receptionist transfer
Transfer data

Contact
patient

Software Security & Privacy 34

MentCare Use Case – Data Transfer
Mentcare system: Transfer data
Actors Medical receptionist, Patient records system (PRS)

Description A receptionist may transfer data from the Mentcare system to a general patient
record database that is maintained by a health authority. The information
transferred may either be updated personal information (address, phone number,
etc.) or a summary of the patient’s diagnosis and treatment.

Data Patient’s personal information, treatment summary.

Stimulus User command issued by medical receptionist.

Response Confirmation that PRS has been updated.

Comments The receptionist must have appropriate security permissions to access the patient
information and the PRS.

Software Security & Privacy 35

MentCare Misuse Case – Intercept Transfer
Mentcare system: Intercept transfer (Misuse case)
Actors Medical receptionist, Patient records system (PRS), Attacker
Description A receptionist transfers data from his or her PC to the Mentcare system on the server. An
attacker intercepts the data transfer and takes a copy of that data.
Data (assets) Patient’s personal information, treatment summary
Attacks A network monitor is added to the system and packets from the receptionist to the server
are intercepted.
A spoof server is set up between the receptionist and the database server so that
receptionist believes they are interacting with the real system.
Mitigations All networking equipment must be maintained in a locked room. Engineers accessing the
equipment must be accredited.
All data transfers between the client and server must be encrypted.
Certificate-based client-server communication must be used

Requirements All communications between the client and the server must use the Secure Socket Layer
(SSL). The https protocol uses certificate based authentication and encryption.

Software Security & Privacy 36

Security Assurance
• Vulnerability avoidance
ü The system is designed so that vulnerabilities do not occur. For example, if there is no
external network connection then external attack is impossible

• Attack detection and elimination

ü The system is designed so that attacks on vulnerabilities are detected and neutralised
before they result in an exposure. For example, virus checkers find and remove viruses
before they infect a system

• Exposure limitation and recovery

ü The system is designed so that the adverse consequences of a successful attack are
minimised. For example, a backup policy allows damaged information to be restored

Software Security & Privacy 37

Security and Dependability
• Security and reliability
ü If a system is attacked and the system or its data are corrupted as a consequence of that attack,
then this may induce system failures that compromise the reliability of the system.
• Security and availability
ü A common attack on a web-based system is a denial of service attack, where a web server is
flooded with service requests from a range of different sources. The aim of this attack is to
make the system unavailable.
• Security and safety
ü Safety checks rely on analysing the source code of safety critical software and assume the
executing code is a completely accurate translation of that source code. If this is not the case,
safety-related failures may be induced and the safety case made for the software is invalid.
• Security and resilience
ü Resilience is a system characteristic that reflects its ability to resist and recover from damaging
events. The most probable damaging event is a cyberattack so most of the work now done in
resilience is aimed at deterring, detecting and recovering from such attacks.
Software Security & Privacy 38
Security in an Organization
• Security is expensive and it is important that security decisions are made in a
cost-effective way
ü There is no point in spending more than the value of an asset to keep that asset secure.

• The level of protection that is required for different types of asset

ü It is not cost-effective to apply stringent security procedures to all organizational assets.
Many assets are not confidential and can be made freely available.
ü For sensitive personal information, a high level of security is required; for other
information, the consequences of loss may be minor so a lower level of security is
adequate.

• The responsibilities of individual users, managers and the organization

ü The security policy should set out what is expected of users e.g. strong passwords, log out
of computers, office security, etc.

Software Security & Privacy 39

Risk Assessment and Management
Ø Threat: Any potential occurrence that may cause an
undesirable or unwanted outcome for an organization. Which are Threats
endangered
Ø Vulnerability: The weakness in an asset or a safeguard is a by
Exploit
vulnerability. A vulnerability is a flaw, loophole, oversight,
error, limitation, frailty, or susceptibility that enables a threat Assets Vulnerabilities
to cause harm.
Which protect Which
Results in
Ø Exposure: Exposure is being susceptible to asset loss because
of a threat; there is the possibility that a vulnerability can or Exposure
Safeguards
will be exploited by a threat agent or event.
Ø Risk: Risk is the possibility or likelihood that a threat will Which is Which is
exploit a vulnerability to cause harm to an asset and the mitigated by Risks
severity of damage that could result.
Risk = Threat * vulnerability or The cyclical Relationship of risk
elements
Risk = probability of harm * severity of harm

Software Security & Privacy 40

 Risk Assessment and Management
Ø Safeguards: A safeguard, security control, protection
mechanism, or countermeasure is anything that removes or Which are Threats
reduces a vulnerability or protects against one or more specific endangered Exploit
threats. This concept is also known as a risk response. by

Ø Asset: An asset is a person, place or anything, whether Assets Vulnerabilities

tangible or intangible. Which protect Which
Results in

Safeguards Exposure
Asset Valuation: Asset valuation is value assigned to an asset
based on several factors, including importance to the
organization, use in critical process, actual cost, and Which is Which is
mitigated by Risks
nonmonetary expenses/costs (such as time, attention,
productivity, and research and development).
The cyclical Relationship of risk
q If an asset has no value, there is no need to provide protection for it. It makes no elements
sense to spend $100,000 protecting an asset that is worth only $1,000. As a rule, the
annual costs of safeguards should not exceed the potential annual cost of asset value
loss.
Software Security & Privacy 41
Risk Assessment
Asset
identification

Asset value Exposure

assessment assessment

Threat Attack
identification assessment

Control Feasibility Security req.

identification assessment definition

Software Security & Privacy 42

Risk Assessment
There are two primary risk assessment methodologies: qualitative and
quantitative.
ü Quantitative risk analysis assigns real dollar figures to the loss of an asset and is
based on mathematical calculations.
ü Qualitative risk analysis assigns subjective and intangible values to the loss of an
asset and takes into account perspectives, feelings, intuition, preferences, ideas,
and gut reactions.

The method of combining quantitative and qualitative analysis into a final

assessment of organizational risk is known as hybrid assessment or hybrid
analysis.

Software Security & Privacy 43

Qualitative Risk Assessment
Scenarios Method
Ø A scenario is a written description of a single Delphi Technique
major threat. The scenarios are limited to one Ø The Delphi technique is simply an
page of text to keep them manageable. anonymous feedback-and-response process
Ø The analysis participants then assign to the used to enable a group to reach an
scenario a threat level, a loss potential, and the anonymous consensus.
advantages of each safeguard. These assignments Ø The participants are usually gathered into a
can be simple—such as High, Medium, and Low, single meeting room. To each request for
or a basic number scale of 1 to 10—or they can be feedback, each participant writes down
detailed essay responses. their response on paper or through digital
Ø The responses from all participants are then messaging services anonymously. The
compiled into a single report that is presented to results are compiled and presented to the
upper management. group for evaluation. The process is
repeated until a consensus is reached.
Ø The usefulness and validity of a qualitative risk
analysis improves as the number and diversity of
the participants in the evaluation increases.

Software Security & Privacy 44

Quantitative Risk Assessment
Major steps in Quantitative Risk Analysis:
1. Inventory assets and assign asset value (AV)
2. For each asset-threat pairing, calculate the exposure factor (EF).
3. For each asset-threat pairing, calculate the single loss expectancy (SLE)
4. Assess the annualized rate of occurrence (ARO)
5. Derive the annualized loss expectancy (ALE)
6. Perform cost/benefit analysis of countermeasures

Software Security & Privacy 45

Quantitative Risk Assessment
Exposure Factor (EF)
Ø The EF indicates the expected overall asset value loss because of a single
realized risk. The EF is expressed as a percentage.
Ø The EF is usually small for assets that are easily replaceable, such as
hardware and can be very large for assets that are irreplaceable or
proprietary, such as product designs or a database of customers.
Ø The EF is determined by using historical internal data, performing statistical
analysis, consulting public or subscription risk ledgers/registers, working
with consultants, or using a risk management software solution.

Single Loss Expectancy (SLE)

Ø The single-loss expectancy (SLE) is the potential loss associated with a
single realized threat against a specific asset.
Ø SLE = asset value (AV) * exposure factor (EF)

Software Security & Privacy 46

Quantitative Risk Assessment
Annualized Rate of Occurrence (ARO)
Ø The annualized rate of occurrence (ARO) is the expected frequency with which a
specific threat or risk will occur within a single year.
Ø The ARO can range from a value of 0.0 (zero), indicating that the threat or risk will never
be realized, to a very large number, indicating that the threat or risk occurs often.
Ø The ARO can be derived by reviewing historical internal data, performing statistical
analysis, consulting public or subscription risk ledgers/registers, working with
consultants, or using a risk management software solution.

Annualized Loss Expectancy (ALE)

Ø The annualized loss expectancy (ALE) is the possible yearly loss of all instances of
a specific realized threat against a specific asset.
ALE = single loss expectancy (SLE) * Annualized rate of occurrence (ARO)
= Asset value (AV) * Exposure factor (EF) *
Annualized rate of occurrence (ARO)
Software Security & Privacy 47
Quantitative Risk Assessment
Concept Formula or meaning Mathematical Problems:
Asset Value (AV) $ 1. If an asset is valued at $200,000
and it has an EF of 45 percent
Exposure factor or severity of damage (EF) % for a specific threat, then what
Single loss expectancy (SLE) SLE = AV * EF is the SLE of the threat for that
asset?
Annualized rate of occurrence (ARO) # / year
2. If the SLE of an asset is $90,000
Annualized loss expectancy (ALE) ALE = SLE * ARO and the ARO for a specific threat
or (such as total power loss) is 0.5,
ALE = AV * EF * ARO
then what is the ALE? If the ARO
for a specific threat (such as
Annual cost of the safeguard (ACS) $ / year compromised user account) is
Value or benefit of a safeguard (i.e., (ALE1 – ALE2) – ACS
15 for the same asset, then
what is the ALE?
cost/benefit equation)

Software Security & Privacy 48

Design and Risk Assessment

Technology
choices

System System Architectural Design risk

requirements design design assessment

Design and
Design assets
requirements
changes

Software Security & Privacy 49

Design and Risk Assessment
Design assets

Asset value Exposure

assessment assessment

Threat Attack
identification assessment

Technology and Control Design and

architecture choices identification requirements
changes

Available
controls

Software Security & Privacy 50

Vulnerabilities Associated with Technology Choices
Technology choice Vulnerabilities

Login/password Users set Authorized users reveal

authentication guessable their passwords to System Requirements:
passwords unauthorised users
ü A password checker shall be made
available and shall be run daily. Weak
passwords shall be reported to
Server subject to Confidential information
denial of service may be left in browser system administrators.
Client/server attack cache
architecture using ü Access to the system shall only be
web browser
Browser security allowed by approved client
loopholes lead to
unauthorized access
computers.
ü All client computers shall have a
single, approved web browser
Use of editable Fine-grain logging Authorization can’t be installed by system administrators.
web forms of changes is varied according to user’s
impossible role

Software Security & Privacy 51

Architectural Design
• Two fundamental issues have to be considered when designing an
architecture for security.
üProtection
• How should the system be organized so that critical assets can be protected against
external attack?
üDistribution
• How should system assets be distributed so that the effects of a successful attack are
minimized?
• These are potentially conflicting
üIf assets are distributed, then they are more expensive to protect. If assets
are protected, then usability and performance requirements may be
compromised.

Software Security & Privacy 52

Architectural Design: Layered Protection
Platform level protection

• Platform-level protection System

authentication
System
authorization
File integrity
management
ü Top-level controls on the platform
on which a system runs.
Application level protection
• Application-level protection Database Database Transaction Database
ü Specific protection mechanisms login authorization management recovery
built into the application itself e.g.
additional password protection. Record level protection
• Record-level protection
Record access Record Record integrity
ü Protection that is invoked when authorization encryption management
access to specific information is
requested
Patient records

Software Security & Privacy 53

Architectural Design: Distribution
Authentication and authorization Authentication and authorization

• Distributing assets means that New York trading system London trading system

attacks on one system do not US user accounts International

user accounts
UK user accounts International
user accounts
necessarily lead to complete loss of US trading
US equity data
UK trading
UK equity data
system service history history

International International
• Each platform has separate
US funds data UK funds data
equity prices equity prices

protection features and may be

different from other platforms so
that they do not share a common Authentication and authorization Authentication and authorization
vulnerability Frankfurt trading system Hong Kong trading system

• Distribution is particularly important European user International HK user accounts International

if the risk of denial of service attacks accounts

Euro. trading
user accounts

HK trading
user accounts

is high history
Euro. equity data
history
Asian equity data

International International
Euro. funds data Asian funds data
equity prices equity prices

Software Security & Privacy 54

Operational Security
• It focuses on helping users to maintain security
• User attacks try to trick users into disclosing their credentials or accessing a
website that includes malware, such as a key-logging system
• Operational security procedures and practices
• Auto-logout, which addresses the common problem of users forgetting to logout from a
computer used in a shared space
• User command logging, which makes it possible to discover actions taken by users that have
deliberately or accidentally damaged some system resources
• Multi-factor authentication, which reduces the chances of an intruder gaining access to the
system using stolen credentials

Software Security & Privacy 55

Security Threats: Based on CIA Triad
Figure 7.1 Types of security threat

An attacker attempts An attacker attempts

to deny access to the system to damage the system
for legitimate users or its data.

Availability Integrity
threats threats

SOFTWARE PRODUCT

PROGRAM
Example: Virus
Example: Distributed denial
of service attack DATA

Example: Ransomware

Example: Data theft

Confidentiality
threats

An attacker tries to gain

access to private information
held by the system

Software Security & Privacy 56

Authentication
• Authentication is the process of ensuring
that a user of your system is who they Authentication approach Example

claim to be Knowledge Password

• You need authentication in all software Possession Mobile

device
products that maintain user information so
Authenticating user Attribute Fingerprint
that only the providers of that information
can access and change it
• You also use authentication to learn about
your users so that you can personalize
their experience of using your product

Software Security & Privacy 57

Authentication Methods
• Knowledge-based authentication
ü The user provides secret, personal information when they register with the system. Each time
they log on, the system asks them for this information
• Possession-based authentication
ü This relies on the user having a physical device (such as a mobile phone) that can generate or
display information that is known to the authenticating system. The user inputs this
information to confirm possession of the device
• Attribute-based authentication
ü This is based on a unique biometric attribute of the user, such as a fingerprint, which is
registered with the system
• Multi-factor authentication
ü combines these approaches and requires users to use more than one authentication method

Software Security & Privacy 58

Weakness of Password Based Authentication
• Insecure passwords
ü Users choose passwords that are easy to remember. It is easy for attackers to guess/generate
these passwords, either dictionary or brute force attack
• Phishing attacks
ü Users click on an email link that points to a fake site that tries to collect their login and
password details
• Password reuse
ü Users use the same password for several sites. If there is a security breach at one of these
sites, attackers then have passwords they can try on other sites
• Forgotten passwords
ü Users regularly forget their passwords, so you need to set up a password recovery
mechanism to allow these to be reset. This can be a vulnerability if users’ credentials have
been stolen and attackers use them to reset their passwords.

Software Security & Privacy 59

Federated Identity Based Authentication

• Federated identity is an approach to authentication where you use an external

authentication service
• ‘Login with Google’ and ‘Login with Facebook’ are widely used examples of
authentication using federated identity
• The advantage of federated identity for a user is that they have a single set of
credentials that are stored by a trusted identity service
• Instead of logging into a service directly, a user provides their credentials to a
known service that confirms their identity to the authenticating service
• They don’t have to keep track of different user IDs and passwords. Because their
credentials are stored in fewer places, the chances of a security breach where
these are revealed are reduced.

Software Security & Privacy 60

Federated Identity Based Authentication
Figure 7.5 Federated identity

User Service Trusted authenticator

Request
authentication
Divert request

Request credentials

Provide credentials

Return authentication
token
Authentication
response

Software Security & Privacy 61

Authorization
• Authentication involves a user proving their identity to a software system
• Authorization is a complementary process in which that identity is used to control
access to software system resources
• For example, if you use a shared folder on Dropbox, the folder’s owner may
authorize you to read the contents of that folder, but not to add new files or
overwrite files in the folder
• When a business wants to define the type of access that users get to resources,
this is based on an access control policy
• This policy is a set of rules that define what information (data and programs) is
controlled, who has access to that information, and the type of access that is
allowed

Software Security & Privacy 62

Access Control Policies
• Explicit access control policies are important for both legal and technical reasons
• Data protection rules limit access to personal data, and this must be reflected in
the defined access control policy
• If this policy is incomplete or does not conform to the data protection rules, then
there may be subsequent legal action in the event of a data breach
• Technically, an access control policy can be a starting point for setting up the
access control scheme for a system
• For example, if the access control policy defines the access rights of students,
then when new students are registered, they all get these rights by default

Software Security & Privacy 63

Access Control Lists
Figure 7.8 Access control lists

User Permissions
All Read
Staff Create, Edit
Resource Access
Sysadmin Delete
A

B User Permissions
All Execute
C
Sysadmin Create, Delete
D

User Permissions
...
Admin Create, Read, Edit
Teaching staff Read, Edit
Student Read

if student = student_id

if department = dept_id

Software Security & Privacy 64

Access Control Lists
• Access control lists (ACLs) are used in most file and database systems to
implement access control policies
• Access control lists are tables that link users with resources and specify what
those users are permitted to do.
• For example, for a book, I would like to be able to set up an access control list
to a book file that allows reviewers to read that file and annotate it with
comments. However, they are not allowed to edit the text or delete the file
• If access control lists are based on individual permissions, then these can become
very large
• However, you can dramatically cut their size by allocating users to groups and
then assigning permissions to the group

Software Security & Privacy 65

Encryption
• Encryption is the process of making a document unreadable by applying an
algorithmic transformation to it
• A secret key is used by the encryption algorithm as the basis of this
transformation. You can decode the encrypted text by applying the reverse
transformation
• Modern encryption techniques are such that you can encrypt data so that it is
practically uncrackable using currently available technology
• However, history has demonstrated that apparently strong encryption may be
crackable when new technology becomes available
• If commercial quantum systems become available, we will have to use a
completely different approach to encryption on the Internet

Software Security & Privacy 66

Encryption and Decryption

Figure 7.9 Encryption and decryption

Secret Secret
key key

Plain Encrypted Plain

Encrypt Decrypt
text text text

Software Security & Privacy 67

Symmetric Encryption Figure 7.10 Symmetric encryption

Alice Bob

• In a symmetric encryption scheme, the same

encryption key is used for encoding and decoding
the information that is to be kept secret Encryption key Encryption key

• If Alice and Bob wish to exchange a secret a7Dr6yYt9F... a7Dr6yYt9F...

message, both must have a copy of the
encryption key. Alice encrypts the message with
this key. When Bob receives the message, he encrypt decrypt
decodes it using the same key to read its contents
• The fundamental problem with a symmetric
encryption scheme is securely sharing the Secret message Encrypted text Secret message
encryption key
• If Alice simply sends the key to Bob, an attacker
may intercept the message and gain access to the
key. The attacker can then decode all future
secret communications

Software Security & Privacy 68

Asymmetric Encryption Figure 7.11 Asymmetric encryption

Alice Bob
• Asymmetric encryption, does not require
secret keys to be shared
• An asymmetric encryption scheme uses Bob’s public key Bob’s private key
different keys for encrypting and decrypting
messages dr5ts3TR9dt hTr34BbfsDy
x4ztmRsYY... 9r3g5HHt76...
• Each user has a public and a private key.
Messages may be encrypted using either key
but can only be decrypted using the other key encrypt decrypt

• Public keys may be published and shared by

the key owner. Anyone can access and use a
Secret message
published public key Secret message Encrypted text

• However, messages can only be decrypted by

the user’s private key, so is only readable by
the intended recipient

Software Security & Privacy 69

Encryption and Authentication
Figure 7.12 Encryption for authentication
• Asymmetric encryption can also be used to
authenticate the sender of a message by Bob Alice

encrypting it with a private key and decrypting it

with the corresponding public key
• Say Alice wants to send a message to Bob, and Bob’s private key Bob’s public key
she has a copy of his public key hTr34BbfsDy dr5ts3TR9dt
9r3g5HHt76... x4ztmRsYY...
• However, she is not sure whether or not the
public key that she has for Bob is correct, and
she is concerned that the message may be sent encrypt decrypt
to the wrong person
• Private/public key encryption can be used to I am really I am really
verify Bob’s identity Bob
Encrypted text
Bob

• Bob uses his private key to encrypt a message

and sends this to Alice. If it can be decrypted
using Bob’s public key, then Alice has the correct
key

Software Security & Privacy 70

Injection Attack

• Injection attacks are a type of attack where a

malicious user uses a valid input field to input
malicious code or database commands
• These malicious instructions are then
executed, causing some damage to the
system
• Code can be injected that leaks system data
to the attackers
• Common types of injection attacks include
buffer overflow attacks and SQL poisoning
attacks

Software Security & Privacy 71

Buffer Overflow Attack
• It is possible when systems are programmed in C or C++
ü These languages do not automatically check that an assignment to an array element is within
the array bounds
ü You can declare a buffer as an array of a specific size, but the run-time system does not check
whether an input exceeds the length of that buffer
ü An attacker who understands how the system memory is organized can carefully craft an
input string that includes executable instructions
ü This overwrites the memory, and if a function return address is also overwritten, control can
then be transferred to the malicious code
• Most programming languages check for buffer overflows at run time and reject
long, malicious inputs
ü Operating systems and libraries are often written in C or C++
ü However. If inputs are passed directly from your system to an underlying system function,
buffer overflow is a possibility

Software Security & Privacy 72

SQL Poisoning Attack

• SQL poisoning attacks are attacks on software products that use an SQL database
• They take advantage of a situation where a user input is used as part of an SQL
command
• A malicious user uses a form input field to input a fragment of SQL that allows
access to the database
• The form field is added to the SQL query, which is executed and returns the
information to the attacker

Software Security & Privacy 73

Cross-site Scripting Attack
Figure 7.3 Cross-site scripting attack
• Cross-site scripting attacks are another form of 1. Product website
injection attack Attacker Introduce
malicious code
Browser Malicious code
• An attacker adds malicious Javascript code to the added to valid data
web page that is returned from a server to a client, Website

and this script is executed when the page is 3.

displayed in the user’s browser Malware script
sends session cookie
• The malicious script may steal customer to attacker

information or direct them to another website Valid request for data

from website

• This may try to capture personal data or display Browser

advertisements Victim
2.
Data delivered and malware
• Cookies may be stolen, which makes a session- script installed in victim’s browser

hijacking attack possible

• As with other types of injection attacks, cross-site
scripting attacks may be avoided by input
validation

Software Security & Privacy 74

Session Hijacking Attack

• When a user authenticates with a web app, a session is created

• A session is a time period during which the user’s authentication is valid. They don’t have to
re-authenticate for each interaction with the system
• The authentication process places a session cookie on the user’s device
• Session hijacking is a type of attack where an attacker gets hold of a session
cookie and uses this to impersonate a legitimate user
• An attacker can find out the session cookie value
• In cross-site scripting, the installed malware sends session cookies to the attackers
• In traffic monitoring, attackers capture the traffic between the client and server. The session
cookie can be identified by analyzing the data exchanged

Software Security & Privacy 75

Denial of Service (DoS) Attack

• Denial of service attacks are attacks on a software system that are intended to
make that system unavailable for normal use
• Distributed denial of service attacks (DDOS) are the most common
• These involve distributed computers, that have usually been hijacked as part of a botnet,
sending hundreds of thousands of requests for service to a web app. There are so many
requests that legitimate users are denied access
• Other types of denial of service attacks target application users
• User lockout attacks take advantage of a common authentication policy that locks out a user
after a number of failed authentication attempts. Their aim is to lock users out rather than
gain access and so deny service to these users
• Users often use their email as their login name so if an attacker has access to a database of
email addresses, they can try to login using these emails

Software Security & Privacy 76

Brute-force Attack

• Brute force attacks are attacks on a web app, where the attacker has some
information, such as a valid login name, but not the password
• The attacker creates different passwords and tries to login with each of these. If the login
fails, they then try again with a different password
• Attackers may use a string generator that generates every possible combination of letters and
numbers and use these as passwords
• To speed up the process of password discovery, attackers take advantage of the fact that
many users choose easy-to-remember passwords. They start by trying passwords from the
published lists of the most common passwords
• Brute force attacks rely on users setting weak passwords
• You can circumvent them by insisting that users set long passwords that are not in a
dictionary or are common words

Software Security & Privacy 77

Security vs. Safety
• Security specification has something in common with safety requirements specification –
in both cases, your concern is to avoid something bad happening.
• Four major differences
ü Safety problems are accidental – the software is not operating in a hostile environment. In security,
you must assume that attackers have knowledge of system weaknesses
ü When safety failures occur, you can look for the root cause or weakness that led to the failure.
When failure results from a deliberate attack, the attacker may conceal the cause of the failure.
ü Shutting down a system can avoid a safety-related failure. Causing a shut down may be the aim of
an attack.
ü Safety-related events are not generated from an intelligent adversary. An attacker can probe
defenses over time to discover weaknesses.

Software Security & Privacy 78

Privacy

• Privacy is a social concept that relates to the collection, dissemination and

appropriate use of personal information held by a third-party such as a company
or a hospital
• The importance of privacy has changed over time and individuals have their own
views on what degree of privacy is important
• Culture and age also affect peoples’ views on what privacy means
• Younger people were early adopters of the first social networks and many of them seem to
be less inhibited about sharing personal information on these platforms than older people
• In some countries, the level of income earned by an individual is seen as a private matter; in
others, all tax returns are openly published

Software Security & Privacy 79

Business Reasons for Privacy

• If you are offering a product directly to consumers and you fail to conform to
privacy regulations, then you may be subject to legal action by product buyers or
by a data regulator. If your conformance is weaker than the protection offered by
data protection regulations in some countries, you won’t be able to sell your
product in these countries
• If your product is a business product, business customers require privacy
safeguards so that they are not put at risk of privacy violations and legal action by
users
• If personal information is leaked or misused, even if this is not seen as a violation
of privacy regulations, this can lead to serious reputational damage. Customers
may stop using your product because of this

Software Security & Privacy 80

Data Protection Laws

• In many countries, the right to individual privacy is protected by data protection

laws
• These laws limit the collection, dissemination and use of personal data to the
purposes for which it was collected
• For example, a travel insurance company may collect health information so that they can
assess their level of risk. This is legal and permissible
• However, it would not be legal for those companies to use this information to target online
advertising of health products, unless their users had given specific permission for this

Software Security & Privacy 81

Data Protection Principles

• Awareness and control

• Users of your product must be made aware of what data is collected when they are using
your product, and must have control over the personal information that you collect from
them
• Purpose
• You must tell users why data is being collected and you must not use that data for other
purposes
• Consent
• You must always have the consent of a user before you disclose their data to other people
• Data lifetime
• You must not keep data for longer than you need to. If a user deletes their account, you must
delete the personal data associated with that account

Software Security & Privacy 82

Data Protection Principles

• Secure storage
• You must maintain data securely so that it cannot be tampered with or disclosed to
unauthorized people
• Discovery and error correction
• You must allow users to find out what personal data that you store. You must provide a way
for users to correct errors in their personal data
• Location
• You must not store data in countries where weaker data protection laws apply unless there is
an explicit agreement that the stronger data protection rules will be upheld

Software Security & Privacy 83

Privacy Policy
• You should to establish a privacy policy that defines how personal and sensitive information about
users is collected, stored and managed
• Software products use data in different ways, so your privacy policy has to define the personal
data that you will collect and how you will use that data
• Product users should be able to review your privacy policy and change their preferences regarding
the information that you store
• Your privacy policy is a legal document and it should be auditable to check that it is consistent
with the data protection laws in countries where your software is sold
• Privacy policies should not be expressed to users in a long ‘terms and conditions’ document that,
in practice, nobody reads
• The GDPR (General Data Protection Regulation) now require software companies to include a
summary of their privacy policy, written in plain language rather than legal jargon, on their
website

Software Security & Privacy 84

Security Validation

• Experience-based testing
ü The system is reviewed and analysed against the types of attack that
are known to the validation team.
• Penetration testing
ü A team is established whose goal is to breach the security of the
system by simulating attacks on the system.
• Tool-based analysis
ü Various security tools such as password checkers are used to analyse
the system in operation.
• Formal verification
ü The system is verified against a formal security specification.

Software Security & Privacy 85

Dependable Programming Guidelines

1. Limit the visibility of information in a program

2. Check all inputs for validity
3. Provide a handler for all exceptions
4. Minimize the use of error-prone constructs
5. Provide restart capabilities
6. Check array bounds
7. Include timeouts when calling external components
8. Name all constants that represent real-world values

Software Security & Privacy 86