Secure Application Development

AAA, Malware
Authentication
● Proving the identity of an entity (User ←→Program, Program ←→ Program)
● Authentication is basis of an authorization decision
○ All objectives depend on if you’re authorized
○ No authentication = No authorization
● Authentication approaches (first 3 traditional):
○ Something you know (passwords)
○ Something you have (key, token)
○ Something you are (biometrics)
● Most common approach: Passwords (“something you know”) to prove
username (identity)
● Strong authentication = more than one approach
● Two-factor = two different approaches both required
Problems
● Authentication approaches (first 3 traditional):
○ Something you know (passwords) = Something you forgot
○ Something you have (key, token) = Something you Lost
○ Something you are (biometrics) = something you may lose
● Be aware of each systems’ problems
○ Recovery mechanisms can be biggest weakness
○ Choose approach(es) appropriate to task
Password Problems
● Password with no user → no accountability
● User-created passwords often easily guessed
○ Often based on user name, personal traits, etc.
○ Often based on dictionaries with trivial substitutions
○ Often too short
● system-generated passwords often too hard to remember
● How many passwords do you have to remember?
○ If browser stores them, what if browser is subverted?
○ If reuse, breaking into one breaks into many
● Often passwords can be captured or discovered
○ E.g., keyloggers, confuse users into thinking they’re on different site
Attackers vs. passwords
● Capture password
○ Keyloggers, network eavesdropping, shoulder surfing
○ Break into server, capture passwords, reuse elsewhere
● Brute force attack
○ Try all combinations
● Dictionary attacks
○ Guess passwords using a password dictionary + permutations
○ Password dictionaries widely available
■ Include multiple human languages, terms from wide interests (e.g.,
Shakespeare and Star Trek), etc.
Defending passwords
● Encrypt connection carrying passwords, and strage holds password
● Require “good” passwords when user tries to set one
○ Long enough (most important), different symbol types, etc.
○ Check against dictionaries of “bad” passwords
● On server, don’t store passwords as clear text
○ Store as “salted hashes” so attacker cannot use directly
● Make it hard for attacker to exploit “lost my password”
● Alert user when the password is changed
○ E.G., via email
Alternatives to passwords
● Algorithms
○ One-time passwords
○ Shared secret
○ Public key cryptography
● Hardware
One-time passwords
● Password list – must use in order, can’t reuse
○ Give user a list, cross off each one as used
● Pros:
○ Counters network eavesdropping, shoulder surfing
○ Cheap to implement; tiny state to store at server
● Cons:
○ Harder to distribute list
○ Compromise of list allows impersonation
○ Users hate them (when implemented by hand)
Shared secret
● User & server have shared secret
● Authentication process:
○ Server generates nonce (random number), sends to client
○ Client encrypts nonce with secret, sends back
○ Server also encrypts, compares with client value
○ If same, user must know the secret – ok!
● Pros:
○ Prevents network eavesdropping
● Cons:
○ If secret compromised, user can be impersonated
Hardware
● Challenge-response: Server sends number (nonce), devices receives
and generates response, response sent back to server
○ Could implement shared-secret or public key
● Time-based challenge-response: Uses current time to determine
what to send to server
○ Aka Time-based One-time Password (TOTP)
○ Server and token have to have time synchronized
○ Widely used in phone applications
● Smartcards: Contains user credentials
○ Better ones never yield credentials outside card
Authorization
● Once you have user identity and authentication, you can determine
what they’re authorized to do
● Discretionary Access Control
○ Data has owner, owner decides who can do what
● Mandatory Access Control
○ Data has certain properties, some access rights cannot be granted even by owner
(e.g., classification)
● Role Based Access Control (RBAC)
○ Assigns users into roles (static or dynamic)
○ Access granted to the role, not directly to the user
○ Sometimes membership restrictions (receiving clerk must not be purchasing
agent)
Accountability
● Record system actions, esp. security-relevant ones (e.g., log in)
● Detect unusual activity that might signal attack or exploitation
○ So you can take action: Disconnect that connection, take down system, prosecute,
…
○ May help recovery or preventing future exploitation (by knowing what happened)
○ Operational systems often send logs elsewhere
■ If system subverted, older log entries can’t be changed
Malicious software (Malware)
● Malicious software, or malware, arguably constitutes one of the
most significant
● categories of threats to computer systems.
● Malware are defined as “a program that is inserted into a system,
usually covertly, with the intent of compromising the confidentiality,
integrity, or availability of the victim’s data, applications, or
operating system or otherwise annoying or disrupting the victim.”
● Hence, we are concerned with the threat malware poses to
application programs, to utility programs, such as editors and
compilers, and to kernel-level programs.
Malware Characteristics
● Propagation mechanisms include infection of existing executable or interpreted
content by viruses that is subsequently spread to other systems; exploit of
software vulnerabilities either locally or over a network
● Payload actions performed by malware once it reaches a target system can
include corruption of system or data files; theft of service in order to make the
system a zombie agent of attack as part of a botnet; theft of information from
the system, especially of logins, passwords, or other personal details by
keylogging or spyware programs; and stealthing where the malware hides its
presence on the system from attempts to detect and block it.
● Dependent/Independent malware classification distinguished between those that
need a host program, being parasitic code such as viruses, and those that are
independent, self-contained programs run on the system such as worms
Blended Attack
● While early malware tended to use a single means of propagation to
deliver a single payload, as it evolved, we see a growth of blended
malware that incorporates a range of both propagation mechanisms
and payloads that increase its ability to spread, hide, and perform a
range of actions on targets.
● A blended attack uses multiple methods of infection or propagation,
to maximize the speed of contagion and the severity of the attack.
Some malware even support an update mechanism that allows it to
change the range of propagation and payload mechanisms utilized
once it is deployed.
Parasitic Software - Virus
● A computer virus is a piece of software that can “infect” other
programs, or indeed any type of executable content, by modifying them.
● The modification includes injecting the original code with a routine to
make copies of the virus code, which can then go on to infect other
content.
● computer virus has three parts:
○ Infection mechanism: The means by which a virus spreads or propagates, enabling it
to replicate. The mechanism is also referred to as the infection vector.
○ Trigger: The event or condition that determines when the payload is activated or
delivered, sometimes known as a logic bomb.
○ Payload: What the virus does, besides spreading. The payload may involve damage or
may involve benign but noticeable activity.
Parasitic Software - Virus
● During its lifetime, a typical virus goes through the following four phases:
○ Dormant phase: The virus is idle. The virus will eventually be activated by some event,
such as a date, the presence of another program or file, or the capacity of the disk
exceeding some limit. Not all viruses have this stage.
○ Propagation phase: The virus places a copy of itself into other programs or into certain
system areas on the disk. The copy may not be identical to the propagating version;
viruses often morph to evade detection. Each infected program will now contain a clone of
the virus, which will itself enter a propagation phase.
○ Triggering phase: The virus is activated to perform the function for which it was
intended. As with the dormant phase, the triggering phase can be caused by a variety of
system events, including a count of the number of times that this copy of the virus has
made copies of itself.
○ Execution phase: The function is performed. The function may be harmless, such as a
message on the screen, or damaging, such as the destruction of programs and data files.