VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
Download as PPTX, PDF2 likes7,681 views
The document discusses past, present, and future vulnerabilities in computer systems, focusing on both software and hardware issues and their exploitation. It highlights significant past incidents of exploitation, the increase in identified vulnerabilities, and the prediction that certain vulnerabilities like C/C++ will remain critical threats. Quantitative studies reveal a persistent rise in vulnerabilities and underscore the impact of exploitation on various systems.
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
- 1. Vulnerabilities and Exploitation in Computer System - Past, Present and Future 03 September 2013 @ 27 Syawal 1434H Nurul Haszeli Ahmad, Syed Ahmad Aljunid, Jamalul-lail Ab Manan SISKOM 2013 Faculty of Computer and Mathematical Sciences UiTM Shah Alam, Selangor, Malaysia
- 2. Presentation Outline 1. Introduction 2. Quantitative Studies on Known Software Vulnerabilities 3. Impact Analysis 4. The Prediction 5. Conclusion
- 3. Introduction Vulnerabilities in Computer System Hardware vulnerabilities Software vulnerabilities
- 4. Introduction Software Vulnerabilities Flaws in software / codes System to behave abnormal Unintentionally triggered by user Exploit by hackers Definition (Stoneburner et al., 2002, OWASP Org., 2013, Kaspersky Lab, 2013) What is? Impact? Cause by Cause by Root Cause Improper Process Poor Design Programming errors/mistake Biezer, 1990 and Piessens, 2002 Alhazmi et al., 2006, Howard et al., 1998, Krsul, 1998, Longstaff et al. 1997, Moore, 2007, Vipindeep et al., 2005 Ahmad et al. 2011
- 5. Introduction Programming errors/mistake Ahmad et al. 2011 Limitation in Programming Language Incompetence programmers/software engineers Cause by Exploitation Impact 1. 1990 - Morris Worm (One, 1996) 2. Poland Train crash (Baker et al. 2008) 3. Iran nuclear attack (Chen 2011) 4. Toyota brake failure (Carty, 2010) Etc.
- 6. Summary • Quantitatively studies on known software vulnerabilities • Share the criticality and significances of the identified vulnerabilities • Predict the future Scope 1. Limited to quantity based on reported vulnerabilities 2. Limited to four classes-SQLi, XSS, Java, and C/C++ Introduction
- 7. Quantitative Studies on Known Software Vulnerabilities 1. Software vulnerabilities was detected since programming exist 2. The first unintended exploitation happens in late 80s 3. Microsoft introduce SDL starting from 2002 4. Program Analysis (static and dynamic analysis), Anti-virus, etc introduced as early as 1994 (Wagner) 5. Vulnerabilities still at large and exploitation increase exponentially with vulnerabilities. 19 well-known online vulnerability databases and organization 1. Microsoft Corporation 2. Homeland Security 3. NIST 4. OSVDB 5. OWASP 6. SANS Institutes 7. CSM etc.
- 8. Quantitative Studies on Known Software Vulnerabilities 0 1000 2000 3000 4000 5000 6000 7000 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 No. of Vulnerabilities By Year No. of Vulnerabilities Source: National Institute of Standards and Technology (NIST)Source: Open-Source Vulnerabilities Database (OSVDB)
- 9. Quantitative Studies on Known Software Vulnerabilities Other Scary Facts 1. > 2000 vulnerabilities identified per year 2. 20% is constantly C/C++ overflow vulnerabilities 3. 40% ranked with severity 7.0 to 10.0 4. SANS Institute continues release same classes of vulnerabilities in its top 25 Software errors since 2002 5. A single vulnerability if exploitable can cause huge impact 6. Symantec reported 42% increase in exploitation and an increase of ~50% of web attack 7. Some of latest attack still used old identified vulnerabilities (Kaspersky Lab)
- 10. Impact Analysis Fantastic Four SQLi XSS Java C/C++ overflow •95% has CVSS 4.0 – 6.9 •Severity between low - medium •70% has CVSS 4.0 – 6.9 •Severity between low - medium •85% has CVSS 7.0 – 10 •Severity is high •60% has CVSS 7.0 – 10 •Severity is high •Security bypass •Gain control / steal user identity (depending on user privileges •Security bypass •Gain control / steal user identity (depending on user privileges •With overflow vulnerabilities – access/control can be gain without used of user privileges •System malfunctions, accident, control system, etc (McGraw, 2013, Baker et al. , 2008, and Chen, 2010)
- 11. Impact Analysis •Windows-based OS – 90% •30% is Windows XP •Most mobile OS used is Android (> 60% market shares) Market shares •Used of Microsoft IE reduce possibility of being hacked •Safari (by Apple) and Chrome (runs on Android based mobile) increase the risk of being attacked Browser used •Only XSS, SQLi, and Java vulnerabilities is affected and shall increase the risk of being exploited Rise of online applications •Java – has built in security (JVM) •XSS and SQLi vulnerabilities is input related •C/C++ has no perfect defense Detection/Prevention Mechanism
- 12. The Prediction The Famous Four will remains for another decades C/C++ will prevail again
- 13. Conclusion • There are many sites support hackers – Shodan, Rapid7, Offensive Security and SecurityVuln • Old vulnerabilities is still relevant (Kaspersky Lab) • Compare to other classes of vulnerabilities, C/C++ is the most dangerous • Vulnerabilities and exploitations in computer systems will persist to exist • C/C++ overflow vulnerabilities will regain its domination
- 14. References 1. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2010a). Preventing Exploitation on Software Vulnerabilities: Why Most Static Analysis Is Ineffective? Conferences on Engineering and Technology Education. Kuching: World Engineering Congress. 2. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2011). Taxonomy of C Overflow Vulnerabilities Attack. In Z. Jasni Mohamad, W. Mohd, & E.- Q. Eyas (Ed.), International Conferences on Software Engineering and Computer Systems. 180, pp. 376 - 390. Kuantan, Pahang: Springer. 3. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2011c). Understanding Vulnerabilities by Refining Taxonomy. 7th International Conference on Information Assurance and Security (IAS) (pp. 25 - 29). Melaka: IEEE Computer Society. 4. Alhazmi, H. O. (2005). Quantitative vulnerability assessment of systems software. Annual Proceedings of Reliability and Maintainability Symposium (pp. 615 - 620). IEEE. 5. Alhazmi, O. H., Woo, S. W., & Malaiya, Y. K. (2006). Security Vulnerability Categories in Major Software Systems. 3rd IASTED International Conference on Communication, Network, and Information Security (CNIS), (pp. 138 - 143). 6. Aslam, T. (1995). A Taxonomy of Security Faults in the UNIX Operating System. MSc Thesis, Department of Computer Sciences, Purdue University. 7. Baker, & Graeme. (2008, January 11). Schoolboy hacks into city's tram system. Retrieved November 17, 2011, from The Telegraph: http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html 8. Beizer, B. (1990). Software Testing Technique (2nd Edition ed.). New York, USA: Van Nostrand Reinhold Co. 9. Carty, D. (2010, February 3). Apple's Wozniak: Toyota Has Software Problem. (CBS Interactive Inc) Retrieved November 18, 2011, from CBS News: http://www.cbsnews.com/8301-503983_162-6169804-503983.html 10. Cenzic Inc. (2013). Resources - Application Security Papers. Retrieved August 09, 2013, from CENZIC: http://www.cenzic.com/resources/application-security-papers/ 11. Chen, T. M. (2010). Stuxnet, the Real Start of Cyber Warfare. IEEE Network , 24 (6), 2 - 3. 12. CISCO. (2013). Cisco Security Report. Retrieved August 09, 2013, from Cisco: http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html 13. Critical Patch Updates, Security Alerts and Third Party Bulletin. (2013). Retrieved August 09, 2013, from Oracle Technology Network: http://www.oracle.com/technetwork/topics/security/alerts-086861.html 14. CyberSecurity Malaysia. (2013). e-Security Bulleting. Retrieved August 09, 2013, from CyberSecurity Malaysia: http://www.cybersecurity.my/en/knowledge_bank/bulletin/content/main/detail/182/index.html?mytabsmenu=2 15. Department of Homeland Security. (2013). US-CERT. Retrieved August 09, 2013, from US-CERT (United States Computer Emergency Readiness Team): http://www.us-cert.gov/ 16. Fritzinger, S. J., & Mueller, M. (1996). Java™ Security. White paper, Sun Microsystems, Inc.
- 15. References 17. Hewlett-Packard Development Company. (2013). Resource Center. Retrieved August 09, 2013, from HP Enterprise Security: http://www.hpenterprisesecurity.com/news/resource-center 18. Howard, J. D., & Longstaff, T. A. (1998). A Common Language for Computer Security Incidents. Sandia Technical Report, Sandia National Laboratories, Sandia Corporation. 19. Howard, M., LeBlanc, D., & Viega, J. (2010). 24 Deadly Sins of Software Security - Programming Flaws and How to Fix Them. McGraw-Hill. 20. IBM X-Force. (2013). IBM X-Force Annual Trend and Risk Report. Retrieved August 09, 2013, from IBM X-Force: http://www- 03.ibm.com/security/xforce/downloads.html 21. iMPERVA. (2013). Imperva Web Application Attack Report. iMPERVA. 22. IT Security Research Group. (2013). Map Honeynet. Retrieved August 09, 2013, from The Honeynet Project: http://map.honeynet.org/ 23. Johnson, S. (2013, August 07). FortiGuard Labs sees fast rise of mobile malware in 2013. (TechTarget) Retrieved August 09, 2013, from SearchSecurity: http://searchsecurity.techtarget.com/news/2240203220/FortiGuard-Labs-sees-fast-rise-of-mobile-malware-in- 2013?asrc=EM_ERU_22893730&utm_medium=EM&utm_source=ERU&utm_campaign=20130808_ERU%20Transmission%20for%2008/08 /2013%20(UserUniverse:%20551200)_myka-rep 24. Kaspersky Lab. (2013b). Analysis. Retrieved August 09, 2013, from SECURELIST: http://www.securelist.com/en/analysis?genre=1 25. Kaspersky Lab. (2013). Kaspersky Security Bulletin 2012. The overall statistics for 2012. Retrieved August 09, 2013, from SECURELIST: http://www.securelist.com/en/analysis/204792255/ 26. Kaspersky Lab. (2013a). Software vulnerabilities. Retrieved August 09, 2013a, from SECURELIST: http://www.securelist.com/en/threats/vulnerabilities?chapter=35 27. Krsul, I. V. (1998). Software Vulnerability Analysis. Phd Thesis, Purdue University. 28. Lipner, S. (2013, May 14). The time is now. Security Development Must be a Priority for Everyone. Retrieved August 09, 2013, from Microsoft Trustworthy Computing: http://blogs.technet.com/b/trustworthycomputing/archive/2013/05/08/security-development- conference-2013.aspx 29. Longstaff, T. A., Ellis, J. T., Hernan, S. V., Lipson, H. F., McMillan, R. D., Pesante, L. H., et al. (1997). Security of the Internet. (M. Dekker, Ed.) The Froehlich/Kent Encyclopedia of Telecommunications , 15, pp. 231 - 255. 30. McGraw, G. (2013, August 09). Five major technology trends affecting software security assurance. Retrieved August 11, 2013, from SearchSecurity.com: http://searchsecurity.techtarget.com/opinion/Five-major-technology-trends-affecting-software-security-assurance 31. Microsoft Corporation. (2002, January 15). Memo from Bill Gates. Retrieved 2010, from Microsoft News Center: http://www.microsoft.com/en-us/news/features/2012/jan12/gatesmemo.aspx 32. Microsoft Corporation. (2013b). Microsoft Security Advisories. Retrieved August 09, 2013b, from Security TechCenter: http://technet.microsoft.com/en-us/security/advisory/
- 16. References 33. Microsoft Corporation. (2013a). What is the Security Development Lifecycle? Retrieved August 09, 2013a, from Microsoft Security Development Lifecycle: http://www.microsoft.com/security/sdl/default.aspx 34. MITRE Corporation. (2011). Common Vulnerabilities And Exposures. Retrieved November 15, 2011, from CVE - Format String: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Format+String 35. Moore, H. D. (2007). Exploiting Vulnerabilities. Presentation Slide, Secure Application Development (Secappdev.org). 36. National Institute of Standards and Technology (NIST). (2013). CVE and CCE Statistics Query Page. Retrieved August 09, 2013, from National Vulnerability Database (NVD): http://web.nvd.nist.gov/view/vuln/statistics 37. Net Applications.com. (2013b). Desktop Browser Market Share. Retrieved August 11, 2013b, from NETMARKETSHARE: http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0 38. Net Applications.com. (2013). Desktop Operating System Market Share. Retrieved August 10, 2013, from NETMARKETSHARE: http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0 39. Offensive Security. (2013). Retrieved from Exploit Database: http://www.exploit-db.com/ 40. One, A. (1996). Smashing the Stacks for Fun and Profit. Phrack Magazine , 7 (49). 41. Open Sourced Vulnerability Database (OSVDB). (2013). Open Sourced Vulnerability Database. Retrieved August 09, 2013, from OSVDB: http://osvdb.org/ 42. Oracle Corporation. (2012). Java SE Security. Retrieved January 10, 2012, from ORACLE: http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html 43. Oracle Corporation. (2010). Secure Computing with Java: Now and the Future. Retrieved January 10, 2012, from ORACLE - Sun Developer Network (SDN): http://java.sun.com/security/javaone97-whitepaper.html 44. Oracle FAQ. (2012, January 2). Oracle Corporation. Retrieved January 10, 2012, from Oracle FAQ: http://www.orafaq.com/wiki/Oracle_Corporation 45. OWASP Organization. (2013). Category: Vulnerability. Retrieved August 09, 2013, from OWASP - The Open Web Applications Security Project: https://www.owasp.org/index.php/Category:Vulnerability 46. Passeri, P. (2013). 2012 Cyber Attack Statistics. Retrieved August 09, 2013, from Hackmageddon.com: http://hackmageddon.com/2012- cyber-attacks-statistics-master-index/ 47. Pierluigi, P. (2013). Security Affairs. Retrieved August 09, 2013, from Security Affairs: http://securityaffairs.co/wordpress/ 48. Piessens, F. (2002). A Taxonomy (with Examples) of Causes of Software Vulnerabilities in Internet Software. Technical Report, Katholieke Universiteit Leuven, Department of Computer Science. 49. Positive Research. (2012). Vulnerability Statistics for 2011. Positive Technologies. 50. Rapid7. (2013). Vulnerability and Exploit Database. Retrieved August 09, 2013, from Rapid7: http://www.rapid7.com/db/modules/
- 17. References 51. Rashid, F. Y. (2013, May 15). Microsoft Talks Secure Coding Practices, Standards at Security Development Conference. Retrieved August 09, 2013, from SECURITYWEEK: http://www.securityweek.com/microsoft-talks-secure-coding-practices-standards-security-development- conference 52. Red Hat Inc. (2013). Red Hat vulnerabilities by CVE name. Retrieved August 09, 2013, from redhat: https://access.redhat.com/security/cve/ 53. SANS Institute. (2013). CWE/SANS TOP 25 Most Dangerous Software Errors. Retrieved August 09, 2013, from http://www.sans.org/top25- software-errors/ 54. Secunia. (2013). Advisories. Retrieved August 09, 2013, from Secunia: http://secunia.com/community/advisories/historic/ 55. SecurityVulns. (2013). Retrieved August 09, 2013, from Computer Security Vulnerabilities: http://securityvulns.com/ 56. SHODAN. (2013). Expose Online Devices. Retrieved August 09, 2013, from SHODAN: http://www.shodanhq.com/ 57. Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems – Recommendation of the National Institute of Standard and Technology (Special Publications). National Institute of Standard and Technology (NIST). 58. Symantec Corporation. (2013). Internet Security Threat Report 2013 Volume 18. Symantec Corporation. 59. Symantec Corporation. (2013). Security Response Publications. Retrieved August 09, 2013, from Symantec: http://www.symantec.com/security_response/publications/threatreport.jsp 60. Vipindeep, V., & Jalote, P. (2005). List of Common Bugs and Programming Practices to avoid them. Technical Report, Indian Institute of Technology, Kanpur. 61.
- 18. THANK YOU Nurul Haszeli Ahmad, Syed Ahmad Aljunid, Jamalul-lail Ab Manan Email: masteramuk@yahoo.com / masteramuk@hotmail.com Twitter/LinkedIn: masteramuk / Nurul Haszeli Website: http://malaysiandeveloper.blogspot.com
Editor's Notes
- #3: Introduction on the scenario and problem statementPresent the past and present with few casesImpact analysis based on reports gatheredPredict the vulnerabilities that will persist for another decadesConclusions – present the significant of this studies
- #4: Hardware vulnerabilitiesExample: vulnerabilities in switches/router, chips, card, even TPMSoftware vulnerabilitiesFlaws exist in software causing abnormal behaviorWhy focus on software vulnerabilities?Most of hardware vulnerabilities caused by codes @ softwareSupport our argumentPublished by Reuters – German Federal Office for Info. Security (BSI) released report on insecure TPM due to weak link with Win 8.Sifu of TPM – Prof Ahmad-Reza Sadeghi in his lecture in 2011 share the same view on insecure of TPM ("Runtime Attacks: Buffer Overflow and Return-Oriented Programming," System Security Lab, TechnischeUniversitat Darmstadt Presentation Slide for Course Secure, Trusted and Trustworthy Computing, 2011.)Software vulnerabilities exist since human starts coding/systemize manual work with first vulnerability exploited in late 80s known as Morris Worm.
- #8: Microsoft SDL starts with Bill Gates memo to employee stress on important of having Trustworthy Computing (2002) and continues the vision until now (Rashid, 2013) and (Lipner, 2013).Actual program analysis starts by Anderson in 1974Question raised about the integrity of the data… Is it true? How many vulnerabilities exist? What kind of vulnerabilities? What about future?
- #10: Expert agreed with SANS – Passeri and PierluigiSample cases - 600,000 computers were infected by exploiting a vulnerability found in Apple iOS (Symantec Corporation, 2013) and become botnet.
- #11: Four classes of vulnerabilities contributes to 80% of overall vulnerabilities (Positive Research, 2012, and iMPERVA, 2013)These four classes are – SQLi, XSS, Java and C/C++ vulnerabilities (C/C++ stays top 4 for the past 3 decades (Howard, 2010))Based on analysis done on the online vulnerability databases and organization ((MITRE Corporation, 2011), (National Institute of Standards and Technology (NIST), 2013) and (Open Sourced Vulnerability Database (OSVDB), 2013))95% of XSS vulnerabilities carries Common Vulnerability Scoring System (CVSS) base of 4.0 to 6.9. This indicates the impact of this class of vulnerability is ranked within low to medium severity.70% of Java vulnerabilities recorded in most online vulnerabilities databases have CVSS base of 4.0 to 6.9, of which indicates that the severity of this class of vulnerability is yet to be highly criticalSQLi vulnerability class on the other end has an average of 85% of its vulnerabilities given with CVSS base of 7.0 to 10. This shows that most of vulnerabilities within this class are identified as critical and has severe impact to community. This same intensity is shared with C/C++ vulnerabilities, whereby 60% of reported vulnerabilities in this class are ranked with highly critical and severe impact.
- #12: CVSS is NOT the only factors that is used to measure the impact of vulnerabilities and hence justified our prediction (beside the numbers of vulnerabilities released as presented earlier), we also observed on the other factors as well.Market SharesBased on Net Applications.com – 90% OS is dominated by Windows with 30% is still using the obsolete Windows XP. Used of open-sources OS; that is Linux based such as Centos, Ubuntu, Fedora, etc. also plays important roles. And the most effected vulnerabilities is no other than C/C++ - C/C++ is still at the top four in the list.Being the most popular mobile OS, Android, has contributes to the increase of Java and C/C++ overflow vulnerabilities and exploitation (CISCO, 2013), (IBM X-Force, 2013) and (Symantec Corporation, 2013) and this will continue in-parallel with the emergence of mobile computing (Symantec Corporation, 2013) and (McGraw, 2013).Browser used - Used of Chrome and Safari contributes to increase of exploitation on XSS, Java or C/C++ vulnerabilities (Symantec Corp, 2013) – Todays we have more than 60% mobile computer/phone is using either Chrome, Safari, or IE.Java has virtual machine developed to runs java applications and all vulnerabilities will has difficulties to escape from this virtual machine (Oracle Corporation, 2010), (Oracle Corporation, 2012) and (Fritzinger, et al., 1996). Most of Java vulnerabilities can be contaminated and can be prevented from impacting the user. Many of XSS and SQLi vulnerabilities affecting computer systems through invalidated input. Hence, by validating all input, the vulnerabilities can be prevented and therefore reduce its severity impact (Alhazmi, et al., 2006). Whereas, according to Ahmad et. al. 2011, there is no perfect defense from C/C++ overflow vulnerabilities yet which contributes to the persistency of the vulnerability.
- #13: The fantastic four will remains at least another decades due to emerging mobile tech and online system which is yet to mature.With advancement of detection/prevention – there is probability to suppress the vulnerabilities except C/C++ overflowC/C++ overflow vulnerabilities will prevail againFaster and high memory processing is demanded and as of now, only C/C++ successfully implementedIncreasing trend of cloud services and computerize legacy system in utility, transportation, defense, etc
- #14: Shodan – expose devices connected via the netRapid7 (metasploit), Offensive Security and SecurityVulns – exploit database and toolkitC/C++ is regards as the most dangerous becauseC/C++ is embedded in the language it self and is well-known for more than three decades yet to concrete solutionsOthers do have security mechanism/library/etcDevelopers can be trained (SDL by Microsoft)There is yet a substitute to C/C++ as an efficient language and thus it shall be used as the core language of all systems. On top of that, there is lack of defensive and preventive mechanism of C/C++ language. Therefore, C/C++ overflow vulnerabilities will regain its position and it is predict that it shall happen in the near future