Vulnerability Assessment and Secure Programming Sessions

Monday, October 12, 2009
OGF 27, Banff, Alberta, Canada

Security is crucial in the software that we develop and use. This tutorial is relevant to anyone wanting to learn about assessing software for security flaws and for developers wishing to minimize security flaws in software they develop.

We share our experience in vulnerability assessment of grid middleware. You will learn skills critical for developers and analysts concerned about software security, and the importance of independent vulnerability assessment.

The first session of this tutorial presents the First Principles Vulnerability Assessment process to actively discover vulnerabilities. We show how to gather information about a system and how to use this to direct the search for vulnerabilities, and how to integrate this into the development cycle.

The second session of this tutorial examines coding practices to prevent vulnerabilities by describing many types of vulnerabilities, with examples of how they commonly arise and techniques to prevent them. Most examples are in C, C++, Perl, and the standard C and POSIX APIs.

The afternoon sessions describe the experience of the University of Wisconsin's Vulnerability Assessment Project's assessment of several grid middleware packages, the experience of the Condor project being assessed, and a round-table discussion of how the Open Science Grid's software providers should use vulnerability assessment.

Schedule

9:00 - 10:00 First Principles Vulnerability Assessment Tutorial
Prof. Elisa Heymann, Universitat Autònoma de Barcelona

This tutorial presents the First Principles Vulnerability Assessment process to actively discover vulnerabilities. We show how to gather information about a system and how to use this to direct the search for vulnerabilities, and how to integrate this into the development cycle.

10:00 - 12:00 Secure Programming Tutorial
James A. Kupsch, University of Wisconsin

This tutorial examines coding practices to prevent vulnerabilities by describing many types of vulnerabilities, with examples of how they commonly arise and techniques to prevent them. Most examples are in C, C++, Perl, and the standard C and POSIX APIs.

12:00 - 13:00 Lunch
13:00 - 14:30 Keynote: Andrea Donnellan, Jet Propulsion Laboratory, NASA
14:30 - 15:00 Coffee
15:00 - 15:30 Vulnerability Assessment: The Assessor's Experience
Prof. Barton P. Miller, University of Wisconsin

Prof. Miller will describe the evaluation team's experiences working with development groups on vulnerability assessment projects. He will discuss common misconceptions that groups have going into such activities, and strategies for making such efforts successful. He will also present a summary of the results from his group's assessment activities over the past few years.

15:30 - 16:00 Vulnerability Assessment: The Assessee's Experience
Zachary Miller, Condor Team, University of Wisconsin

The Condor team describes its experience of having a vulnerability assessment performed on its software. They will present how the process worked from their point of view, and how it changed their development process.

16:00 - 17:00 Questions and Answers

Open floor for any questions.

17:00 - 18:00 Software Provider Round-Table

Round-table discussion of attendees' experiences with software vulnerability assessment, their current practices, how they think they can improve those practices, and, if they cannot, why not.

Tutorial Description

The security of software is becoming increasingly important to anyone who uses or develops it. This tutorial will teach developers and assessors how to proactively reduce the number of vulnerabilities in their software. Just as independent QA testing is essential for assessing software reliability, testing for security is essential for assuring software security. Even projects that architect their software with security in mind still need independent vulnerability assessment to detect design flaws or coding problems that can arise in any project. Testing for security is an essential part of the development process and a unique skill that requires training.

This tutorial is an outgrowth of our experience in performing vulnerability assessment of grid middleware, which includes Condor from the University of Wisconsin, the Storage Resource Broker from the San Diego Supercomputer Center, and MyProxy from the National Center for Supercomputing Applications. The tutorial will teach the processes and skills that we developed and used in these activities.

This tutorial is relevant to anyone who wants to learn about analyzing software for security flaws and for developers wishing to minimize security flaws in software that they develop. It covers the two sides of security: the offensive, how to find problems through proactive vulnerability assessment; and the defensive, how to prevent problems by showing many types of vulnerabilities that occur in code and the techniques that can be used to prevent them.

The target audience for this tutorial is anyone involved with the development of software or anyone wishing to assess the security of software. To gain maximum benefit from this tutorial, attendees should be familiar with the process of developing software and the C programming language. A basic knowledge of the standard C library and the POSIX API will aid the participant.

This tutorial does not assume any prior knowledge of security assessment or vulnerabilities. Some of the examples will include less common APIs, or will be in a programming language other than C. In these instances, enough explanation will be given so that an attendee unfamiliar with the topic will be able to understand the concepts.

The first part of this tutorial explains how to perform a vulnerability assessment. Our process is based on a deep assessment of the software, done by one who is working in cooperation with the development team and has access to source code, internal documents and developers. We emphasize understanding of the process of vulnerability assessment and developing the skills needed to conduct such an assessment.

The first step of a vulnerability assessment is to gain an in-depth understanding of the system. Without an understanding of how it works, it is impossible to know what the critical assets are and what the threats to those assets are. To do this, the tutorial will show a process to gather and document this information by performing an architectural, resource and privilege analysis. These steps are completed by meeting with the developers, reviewing design documents and end-user documentation, using the system, and looking at the code.

The architectural analysis consists of discovering and documenting the high level structures of the system: machines, configuration parameters, processes, function of processes, user interaction, interactions between processes, interactions with external systems, other communication channels, resources controlled by processes, and trust between components.

The resource and privilege analysis is the process of discovering and documenting the objects that the system can manipulate, such as in-memory data structures, database records, files, CPU cycles, and physical devices controlled by the computer. It also documents what actions can be performed on the resources in the system. The privilege analysis documents the privilege model defined by the system itself, and the configuration of privileges in the underlying operating system and external applications, such as databases.

The tutorial then shows how to create data flow diagrams from the results of the prior analyses. These diagrams contain much of the information collected earlier in a succinct fashion that allows the analyst to easily comprehend the system.

The tutorial then covers the process of performing a component analysis, which is looking for vulnerabilities in the components of the system. Since it is not realistic to completely verify the security of the system, the tutorial will show how to use the previous steps of the analysis to focus the search on both the vulnerabilities that outside attackers are likely to find easily and those that can lead to higher-value targets, such as compromise of the host operating system or subversion of the privilege system. Information in the second part of the tutorial will explain how to look for specific types of vulnerabilities.

The tutorial will also describe how to integrate the results of the vulnerability assessment process into the software development process, including writing vulnerability reports, the vulnerability disclosure process, fixing vulnerabilities, and releasing security updates.

The second part of this tutorial will focus on vulnerabilities. It will feature several interactive secure coding quizzes where the audience will be challenged to find as many vulnerabilities as they can in short code fragments. What the audience finds (and does not find) will then be discussed.

This section will also contain a discussion of the most common vulnerabilities and will be valuable to both developers and security assessors. Descriptions of each vulnerability will be presented with examples. It will be shown how the vulnerability typically occurs within code, pointing out APIs or techniques that commonly result in the vulnerability, and also how the vulnerability can be mitigated or eliminated through the use of other techniques or APIs. The causes and types of vulnerabilities covered will include: