
Ilovepdf Merged Compressed

The document outlines user authentication processes as defined by NIST SP 800-63-3, emphasizing the importance of establishing confidence in user identities. It details various security requirements for identification and authentication, including multifactor authentication and password management strategies. Additionally, it discusses biometric authentication, electronic identity cards, and the role of firewalls in protecting networks from unauthorized access.

User Authentication
NIST SP 800-63-3 (Digital Authentication Guideline, October 2016) defines digital user authentication as:

“The process of establishing confidence in user identities that are presented electronically to an information system.”
Table 3.1 Identification and Authentication Security Requirements (SP 800-171)

Basic Security Requirements:


1 Identify information system users, processes acting on behalf of users, or devices.
2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite
to allowing access to organizational information systems.

Derived Security Requirements:


3 Use multifactor authentication for local and network access to privileged accounts and for
network access to non-privileged accounts.
4 Employ replay-resistant authentication mechanisms for network access to privileged and
non-privileged accounts.
5 Prevent reuse of identifiers for a defined period.
6 Disable identifiers after a defined period of inactivity.
7 Enforce a minimum password complexity and change of characters when new passwords
are created.
8 Prohibit password reuse for a specified number of generations.
9 Allow temporary password use for system logons with an immediate change to a
permanent password.
10 Store and transmit only cryptographically-protected passwords.
11 Obscure feedback of authentication information.
Figure 3.1 The NIST SP 800-63-2 E-Authentication Architectural Model
(Diagram not reproduced. Part one, "Registration, Credential Issuance, and Maintenance": Registration Authority (RA), Credential Service Provider and Subscriber/Claimant, linked by Identity Proofing / User Registration, Registration Confirmation, and Token, Credential Registration/Issuance. Part two, "E-Authentication using Token and Credential": Subscriber/Claimant, Verifier and Relying Party (RP), linked by Authenticated Protocol Exchange, Token/Credential Validation, Authenticated Assertion and Authenticated Session.)


The four means of authenticating user identity are based on:

• Password, PIN, answers to prearranged questions
• Smartcard, electronic keycard, physical key
• Fingerprint, retina, face
• Voice pattern, handwriting, typing rhythm
Figure 3.2 Multifactor Authentication
(Diagram not reproduced. The client runs an authentication protocol against authentication logic using the first factor and then against authentication logic using the second factor; each stage ends in Pass or Fail.)


Risk Assessment for User Authentication

• There are three separate concepts:
o Assurance Level
o Potential impact
o Areas of risk

• Describes an organization’s degree of certainty that a user has presented a credential that refers to his or her identity
• More specifically is defined as:
o The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued
o The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued
• Four levels of assurance:
o Level 1: Little or no confidence in the asserted identity's validity
o Level 2: Some confidence in the asserted identity’s validity
o Level 3: High confidence in the asserted identity's validity
o Level 4: Very high confidence in the asserted identity’s validity
• FIPS 199 defines three levels of potential
impact on organizations or individuals
should there be a breach of security:
o Low
• An authentication error could be expected to have a
limited adverse effect on organizational operations,
organizational assets, or individuals
o Moderate
• An authentication error could be expected to have a
serious adverse effect
o High
• An authentication error could be expected to have a
severe or catastrophic adverse effect
Password-Based Authentication
• Widely used line of defense against intruders
o User provides name/login and password
o System compares password with the one stored for that specified login

• The user ID:
o Determines that the user is authorized to access the system
o Determines the user’s privileges
o Is used in discretionary access control
Password Vulnerabilities
• Offline dictionary attack
• Specific account attack
• Popular password attack
• Password guessing against single user
• Workstation hijacking
• Exploiting user mistakes
• Exploiting multiple password use
• Electronic monitoring
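(Diagram not reproduced; its two panels are:)
(a) Loading a new password: the password and a salt are fed to a slow hash function, and the user ID, salt and resulting hash code are loaded into the password file.
(b) Verifying a password: the user ID selects the salt and hash code from the password file; the supplied password and the salt go through the slow hash function, and the hashed password is compared with the stored hash code.
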
Figure 3.3 UNIX Password Scheme
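
The load and verify paths of Figure 3.3, as an added Python example that is not part of the original slides. PBKDF2-HMAC-SHA256 stands in for the "slow hash function"; the iteration count, salt size, user names and passwords are assumptions constructed for illustration. The last function shows why a table computed ahead of time gets no hits once every entry has its own salt.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor; tune to the host's hardware
SALT_BYTES = 16               # assumed salt size
FIXED_SALT = bytes(SALT_BYTES)  # models a file with no per-user salt


def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the figure's slow hash function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def load_password(password_file: dict, user_id: str, password: str) -> None:
    """(a) Loading: fresh random salt, then store (salt, hash code) under the user ID."""
    salt = os.urandom(SALT_BYTES)
    password_file[user_id] = (salt, slow_hash(password, salt))


def verify_password(password_file: dict, user_id: str, password: str) -> bool:
    """(b) Verifying: select salt and hash code by user ID, re-hash, compare."""
    salt, stored = password_file.get(user_id, (FIXED_SALT, None))
    # Hash even for unknown IDs so response time does not reveal which IDs exist.
    candidate = slow_hash(password, salt)
    return stored is not None and hmac.compare_digest(candidate, stored)


def precomputed_hits(candidates, password_file: dict) -> list:
    """Users whose stored hash appears in a table computed once, without their salts."""
    table = {slow_hash(c, FIXED_SALT) for c in candidates}
    return sorted(u for u, (_salt, h) in password_file.items() if h in table)


def demo() -> dict:
    # Constructed sample data: two users who picked the same weak password.
    salted = {}
    load_password(salted, "alice", "sunshine1")
    load_password(salted, "bob", "sunshine1")
    # The same accounts as they would be stored without per-user salts.
    unsalted = {u: (FIXED_SALT, slow_hash("sunshine1", FIXED_SALT)) for u in ("alice", "bob")}
    guesses = ["123456", "sunshine1", "letmein"]
    return {
        "login_ok": verify_password(salted, "alice", "sunshine1"),
        "login_bad": verify_password(salted, "alice", "sunshine2"),
        "same_hash_when_salted": salted["alice"][1] == salted["bob"][1],
        "table_hits_unsalted": precomputed_hits(guesses, unsalted),
        "table_hits_salted": precomputed_hits(guesses, salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With per-user salts a guesser has to redo the slow hash for every (guess, salt) pair, which is the cost the dictionary-attack slide describes.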


Password Cracking
Dictionary attacks
• Develop a large dictionary of possible passwords and try each against the password file
• Each password must be hashed using each salt value and then compared to stored hash values

Rainbow table attacks
• Pre-compute tables of hash values for all salts
• A mammoth table of hash values
• Can be countered by using a sufficiently large salt value and a sufficiently large hash length

Password crackers exploit the fact that people choose easily guessable passwords
• Shorter password lengths are also easier to crack

John the Ripper
• Open-source password cracker first developed in 1996
• Uses a combination of brute-force and dictionary techniques
Modern Approaches
• Complex password policy
o Forcing users to pick stronger passwords

• However password-cracking techniques have also improved
o The processing capacity available for password cracking has
increased dramatically
o The use of sophisticated algorithms to generate potential
passwords
o Studying examples and structures of actual passwords in use
Password File Access Control
Can block offline guessing attacks by denying access to encrypted passwords
• Make available only to privileged users
• Shadow password file

Vulnerabilities
• Weakness in the OS that allows access to the file
• Accident with permissions making it readable
• Users with same password on other systems
• Access from backup media
• Sniff passwords in network traffic
Password Selection Strategies
• User education
o Users can be told the importance of using hard to guess passwords and can be provided with guidelines for selecting strong passwords
• Computer generated passwords
o Users have trouble remembering them
• Reactive password checking
o System periodically runs its own password cracker to find guessable passwords
• Complex password policy
o User is allowed to select their own password, however the system checks to see if the password is allowable, and if not, rejects it
o Goal is to eliminate guessable passwords while allowing the user to select a password that is memorable
Proactive Password Checking
• Rule enforcement
o Specific rules that passwords must adhere to

• Password checker
o Compile a large dictionary of passwords not to use

• Bloom filter
o Used to build a table based on hash values
o Check desired password against this table
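
A proactive checker that combines the three items above, as an added Python example that is not part of the original slides. The length rule, the case-folding step, the 1e-6 false-positive target and the sample dictionary are assumptions constructed for illustration. The Bloom filter never misses a dictionary word; its only error is occasionally rejecting a password that was not in the dictionary.

```python
import hashlib
import math


class BloomFilter:
    """Bit table indexed by k hash values per word; stores no words."""

    def __init__(self, expected_items: int, false_positive_rate: float):
        n = max(1, expected_items)
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = math.ceil(-n * math.log(false_positive_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, word: str):
        # Derive k table indexes from one SHA-256 digest (double hashing).
        digest = hashlib.sha256(word.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, word: str) -> None:
        for pos in self._positions(word):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, word: str) -> bool:
        return all(self.bits[pos // 8] >> (pos % 8) & 1 for pos in self._positions(word))


def normalize(password: str) -> str:
    """Fold case so 'Password' and 'password' hit the same entry (assumed policy)."""
    return password.strip().lower()


def build_checker(bad_passwords, false_positive_rate: float = 1e-6) -> BloomFilter:
    words = {normalize(w) for w in bad_passwords}
    bloom = BloomFilter(len(words), false_positive_rate)
    for word in words:
        bloom.add(word)
    return bloom


def check_password(bloom: BloomFilter, candidate: str, min_length: int = 8):
    """Return (accepted, reason): rule enforcement first, then the Bloom table."""
    if len(candidate) < min_length:
        return False, "too short"
    if normalize(candidate) in bloom:
        return False, "in the dictionary of passwords not to use"
    return True, "accepted"


# Constructed sample dictionary; a real one would hold millions of entries.
BAD_PASSWORDS = ["password", "123456789", "qwertyuiop", "letmein123",
                 "iloveyou1", "sunshine1", "football1", "welcome123"]

if __name__ == "__main__":
    checker = build_checker(BAD_PASSWORDS)
    print(f"table: {checker.m} bits, {checker.k} hash positions per word")
    for pw in ["Password", "abc", "sunshine1", "tangerine-osmium-42"]:
        print(pw, check_password(checker, pw))
```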
Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
• Can include an internal electronic memory
• Can be used alone for physical access
o Hotel room
o ATM
• Provides significantly greater security when combined
with a password or PIN
• Drawbacks of memory cards include:
o Requires a special reader
o Loss of token
o User dissatisfaction
Smart Tokens
• Physical characteristics:
o Include an embedded microprocessor
o A smart token that looks like a bank card
o Can look like calculators, keys, small portable objects
• User interface:
o Manual interfaces include a keypad and display
for human/token interaction
• Electronic interface
o A smart card or other token requires an electronic interface to
communicate with a compatible reader/writer
o Contact and contactless interfaces
• Authentication protocol:
o Classified into three categories:
• Static
• Dynamic password generator
• Challenge-response
Smart Cards
• Most important category of smart token
o Has the appearance of a credit card
o Has an electronic interface
o May use any of the smart token protocols
• Contain:
o An entire microprocessor
• Processor
• Memory
• I/O ports
• Typically include three types of memory:
o Read-only memory (ROM)
• Stores data that does not change during the card’s life
o Electrically erasable programmable ROM (EEPROM)
• Holds application data and programs
o Random access memory (RAM)
• Holds temporary data generated when applications are executed
Biometric Authentication
• Attempts to authenticate an individual based on
unique physical characteristics
• Based on pattern recognition
• Is technically complex and expensive when
compared to passwords and tokens
• Physical characteristics used include:
o Facial characteristics
o Fingerprints
o Hand geometry
o Retinal pattern
o Iris
o Signature
o Voice
Figure 3.9 A Generic Biometric System. Enrollment creates an association between a user and the user's biometric characteristics. Depending on the application, user authentication either involves verifying that a claimed user is the actual user or identifying an unknown user.
(Diagram not reproduced. (a) Enrollment: user interface with Name (PIN), biometric sensor, feature extractor, biometric database. (b) Verification: the same path plus a feature matcher that compares against one template and returns true/false. (c) Identification: the feature matcher compares against N templates and returns the user's identity or "user unidentified".)
Electronic Identity Cards (eID)
Use of a smart card as a national identity card for citizens
• Can serve the same purposes as other national ID cards, and similar cards such as a driver’s license, for access to government and commercial services
• Can provide stronger proof of identity and can be used in a wider variety of applications
• In effect, is a smart card that has been verified by the national government as valid and authentic

Most advanced deployment is the German card neuer Personalausweis
Has human-readable data printed on its surface
• Personal data
• Document number
• Card access number (CAN)
• Machine readable zone (MRZ)
Figure 3.7 User Authentication with eID
(Diagram not reproduced. Message flow between the user, the host/application server and the eID server:)
1. User requests service (e.g., via Web browser)
2. Service request
3. Redirect to eID message
4. Authentication request
5. PIN request
6. User enters PIN
7. Authentication protocol exchange
8. Authentication result for redirect
9. Authentication result forwarded
10. Service granted


Password Authenticated Connection Establishment (PACE)
• Ensures that the contactless RF chip in the eID card cannot be read without explicit access control
• For online applications, access is established by the user entering the 6-digit PIN (which should only be known to the holder of the card)
• For offline applications, either the MRZ printed on the back of the card or the six-digit card access number (CAN) printed on the front is used
Remote User Authentication
• Authentication over a network, the Internet,
or a communications link is more complex
• Additional security threats such as:
o Eavesdropping, capturing a password,
replaying an authentication sequence that has
been observed

• Generally rely on some form of a challenge-response protocol to counter threats
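
A challenge-response exchange that resists the replay threat listed above, as an added Python example that is not part of the original slides. HMAC-SHA256 over a single-use server nonce with a per-user shared key is one common construction, chosen here as an assumption; the class and function names, the 30-second challenge lifetime and the sample key are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


def respond(key: bytes, user_id: str, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key without sending it."""
    return hmac.new(key, user_id.encode("utf-8") + b"\x00" + nonce, hashlib.sha256).digest()


class Verifier:
    """Server side: issues single-use, short-lived challenges."""

    def __init__(self, shared_keys: dict, challenge_ttl: float = 30.0, clock=time.monotonic):
        self._keys = shared_keys
        self._ttl = challenge_ttl
        self._clock = clock
        self._pending = {}  # user_id -> (nonce, expiry time)

    def issue_challenge(self, user_id: str) -> bytes:
        # A nonce is returned for unknown IDs too, so the reply does not reveal them.
        nonce = secrets.token_bytes(16)
        self._pending[user_id] = (nonce, self._clock() + self._ttl)
        return nonce

    def verify(self, user_id: str, response: bytes) -> bool:
        # pop() makes every challenge single use, whether or not the check succeeds.
        pending = self._pending.pop(user_id, None)
        key = self._keys.get(user_id)
        if pending is None or key is None:
            return False
        nonce, expiry = pending
        if self._clock() > expiry:
            return False
        return hmac.compare_digest(respond(key, user_id, nonce), response)


def demo() -> dict:
    key = b"k" * 32                       # constructed sample key
    now = [0.0]                           # fake clock so expiry can be shown
    server = Verifier({"alice": key}, clock=lambda: now[0])

    first = server.issue_challenge("alice")
    captured = respond(key, "alice", first)     # what an eavesdropper would see
    genuine = server.verify("alice", captured)

    replay_no_challenge = server.verify("alice", captured)
    server.issue_challenge("alice")             # fresh nonce differs from the first
    replay_new_challenge = server.verify("alice", captured)

    late = server.issue_challenge("alice")
    now[0] = 31.0                               # past the 30-second lifetime
    expired = server.verify("alice", respond(key, "alice", late))
    return {"genuine": genuine, "replay_no_challenge": replay_no_challenge,
            "replay_new_challenge": replay_new_challenge, "expired": expired}


if __name__ == "__main__":
    print(demo())
```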
• Eavesdropping: Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary
• Host Attacks: Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
• Denial-of-Service: Attempts to disable a user authentication service by flooding the service with numerous authentication attempts
• Trojan Horse: An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric
• Replay: Adversary repeats a previously captured user response
• Client Attacks: Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path
Figure 3.14 General Iris Scan Site Architecture for UAE System
(Diagram not reproduced. Components shown: iris scanners attached to iris workstations, LAN switch, Iris Merge Remote, iris database, Iris Engine 1, Iris Engine 2, network switch.)
Firewalls and Intrusion Prevention Systems
The Need For Firewalls
• Internet connectivity is essential
• However it creates a threat
• Effective means of protecting LANs
• Inserted between the premises network and the
Internet to establish a controlled link
• Can be a single computer system or a set of two or more systems
working together
• Used as a perimeter defense
• Single choke point to impose security and auditing
• Insulates the internal systems from external networks
Firewall Characteristics
Design goals
• All traffic from inside to outside, and vice versa, must pass through the firewall
• Only authorized traffic as defined by the local security policy will be allowed to pass
• The firewall itself is immune to penetration
Firewall Access Policy
• A critical component in the planning and
implementation of a firewall is specifying a suitable
access policy
• This lists the types of traffic authorized to pass through the firewall
• Includes address ranges, protocols, applications and content types
• This policy should be developed from the organization’s
information security risk assessment and policy
• Should be developed from a broad specification of which
traffic types the organization needs to support
• Then refined to detail the filter elements which can then be
implemented within an appropriate firewall topology
Firewall Filter Characteristics
• Characteristics that a firewall access policy could use to filter traffic include:
o IP address and protocol values
• This type of filtering is used by packet filter and stateful inspection firewalls
• Typically used to limit access to specific services
o Application protocol
• This type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols
o User identity
• Typically for inside users who identify themselves using some form of secure authentication technology
o Network activity
• Controls access based on considerations such as the time or request, rate of requests, or other activity patterns
Firewall Capabilities And Limits
Capabilities:
• Defines a single choke point
• Provides a location for monitoring security
events
• Convenient platform for several Internet
functions that are not security related
• Can serve as the platform for IPSec

Limitations:
• Cannot protect against attacks bypassing
firewall
• May not protect fully against internal threats
• Improperly secured wireless LAN can be
accessed from outside the organization
• Laptop, PDA, or portable storage device may be
infected outside the corporate network then
used internally
Figure 9.1 Types of Firewalls
(Diagram not reproduced. (a) General model: internal (protected) network (e.g. enterprise network), firewall, external (untrusted) network (e.g. Internet). (b) Packet filtering firewall and (c) Stateful inspection firewall, which keeps state info: a single end-to-end transport connection passes through the firewall. (d) Application proxy firewall and (e) Circuit-level proxy firewall: separate internal and external transport connections. Each panel is drawn against the Application, Transport, Internet, Network access and Physical layers.)


Packet Filtering Firewall
• Applies rules to each incoming and outgoing IP packet
• Typically a list of rules based on matches in the IP or TCP header
• Forwards or discards the packet based on rules match

Filtering rules are based on information contained in a network packet

• Source IP address
• Destination IP address
• Source and destination transport-level address
• IP protocol field
• Interface

• Two default policies:
• Discard - prohibit unless expressly permitted
• More conservative, controlled, visible to users
• Forward - permit unless expressly prohibited
• Easier to manage and use but less secure
Packet-Filtering Examples

Table 9.1 is a simplified example of a rule set for SMTP traffic


Packet Filter Advantages And Weaknesses
• Advantages
• Simplicity
• Typically transparent to users and are very fast
• Weaknesses
• Cannot prevent attacks that employ application
specific vulnerabilities or functions
• Limited logging functionality
• Do not support advanced user authentication
• Vulnerable to attacks on TCP/IP protocol bugs
• Improper configuration can lead to breaches
Stateful Inspection Firewall
Tightens rules for TCP traffic by creating a directory of outbound TCP connections
• There is an entry for each currently established connection
• Packet filter allows incoming traffic to high numbered ports only for those packets that fit the profile of one of the entries in this directory

Reviews packet information but also records information about TCP connections
• Keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number
• Inspects data for protocols like FTP, IM and SIPS commands
Table 9.2
Example Stateful Firewall
Connection State Table
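
A first-match packet filter with the "discard" default policy next to a stateful filter that keeps a connection directory, as an added Python example that is not part of the original slides. The rule set, addresses (documentation ranges) and ports are constructed for illustration, and the state table is simplified to the address/port 4-tuple: it does not track TCP flags or sequence numbers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = (0, 65535)
HIGH_PORTS = (1024, 65535)
INSIDE = "192.168.1.0/24"     # constructed internal network
ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected network
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str      # "forward" or "discard"
    direction: str
    src_net: str
    dst_net: str
    dports: tuple = ANY_PORT

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.dports[0] <= p.dport <= self.dports[1])


def packet_filter(rules, pkt: Packet, default: str = "discard") -> str:
    """Stateless filter: first matching rule wins, otherwise the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


class StatefulFilter:
    """Rules decide which outbound connections may start; replies must match an entry."""

    def __init__(self, outbound_rules):
        self.rules = outbound_rules
        self.connections = set()   # (inside addr, inside port, outside addr, outside port)

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            action = packet_filter(self.rules, pkt)
            if action == "forward":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return action
        entry = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "forward" if entry in self.connections else "discard"


# Policy: inside hosts may open HTTPS connections; nothing else is permitted.
OUTBOUND_RULES = [Rule("forward", "out", INSIDE, ANYWHERE, (443, 443))]


def demo() -> dict:
    out = Packet("out", "192.168.1.20", 51000, "203.0.113.10", 443)
    reply = Packet("in", "203.0.113.10", 443, "192.168.1.20", 51000)
    unsolicited = Packet("in", "198.51.100.7", 4444, "192.168.1.20", 51000)
    telnet = Packet("out", "192.168.1.20", 51001, "203.0.113.10", 23)

    # A stateless filter can only let replies in by opening every high port.
    stateless = OUTBOUND_RULES + [Rule("forward", "in", ANYWHERE, INSIDE, HIGH_PORTS)]
    fw = StatefulFilter(OUTBOUND_RULES)
    reply_before_connect = fw.handle(reply)
    fw.handle(out)
    return {
        "stateless_reply": packet_filter(stateless, reply),
        "stateless_unsolicited": packet_filter(stateless, unsolicited),
        "default_policy_telnet": packet_filter(stateless, telnet),
        "stateful_reply_before_connect": reply_before_connect,
        "stateful_reply": fw.handle(reply),
        "stateful_unsolicited": fw.handle(unsolicited),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```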
Application-Level Gateway
• Also called an application proxy
• Acts as a relay of application-level traffic
• User contacts gateway using a TCP/IP application
• User is authenticated
• Gateway contacts application on remote host and relays TCP
segments between server and user
• Must have proxy code for each application
• May restrict application features supported
• Tend to be more secure than packet filters
• Disadvantage is the additional processing overhead on
each connection
Circuit-Level Gateway
Circuit level proxy
• Sets up two TCP connections, one between itself and a TCP user on an inner host and one on an outside host
• Relays TCP segments from one connection to the other without examining contents
• Security function consists of determining which connections will be allowed

Typically used when inside users are trusted
• May use application-level gateway inbound and circuit-level gateway outbound
• Lower overheads
SOCKS Circuit-Level Gateway
• SOCKS v5 defined in RFC1928
• Designed to provide a framework for client-server applications in TCP/UDP domains to conveniently and securely use the services of a network firewall
• Client application contacts SOCKS server, authenticates, sends relay request
• Server evaluates and either establishes or denies the connection

Components
• SOCKS server
• SOCKS client library
• SOCKS-ified client applications
Bastion Hosts
• System identified as a critical strong point in the
network’s security
• Serves as a platform for an application-level or
circuit-level gateway
• Common characteristics:
• Runs secure O/S, only essential services
• May require user authentication to access proxy or host
• Each proxy can restrict features, hosts accessed
• Each proxy is small, simple, checked for security
• Each proxy is independent, non-privileged
• Limited disk use, hence read-only code
Host-Based Firewalls
• Used to secure an individual host
• Available in operating systems or can be provided as an
add-on package
• Filter and restrict packet flows
• Common location is a server

Advantages:
• Filtering rules can be tailored to the host
environment
• Protection is provided independent of topology
• Provides an additional layer of protection
Personal Firewall
• Controls traffic between a personal computer or workstation
and the Internet or enterprise network
• For both home or corporate use
• Typically is a software module on a personal computer
• Can be housed in a router that connects all of the home
computers to a DSL, cable modem, or other Internet interface
• Typically much less complex than server-based or stand-alone
firewalls
• Primary role is to deny unauthorized remote access
• May also monitor outgoing traffic to detect and block worms
and malware activity
Figure 9.2 Example Firewall Configuration
(Diagram not reproduced. From outside to inside: Internet, boundary router, external firewall, internal DMZ network (LAN switch with Web server(s), Email server and DNS server), internal firewall, internal protected network (LAN switch with application and database servers and workstations).)


Figure 9.3 A VPN Security Scenario
(Diagram not reproduced. A user system with IPSec and two sites, each with an Ethernet switch behind a firewall with IPSec, are connected over a public (Internet) or private network. Packets on that network carry an IP header, an IPSec header and a secure IP payload; packets on the site LANs carry an IP header and IP payload.)


Figure 9.4 Example Distributed Firewall Configuration
(Diagram not reproduced. Remote users and the Internet reach a boundary router; behind it are an external DMZ network with Web server(s), the external firewall, an internal DMZ network (LAN switch with Web, Email and DNS servers), the internal firewall, and the internal protected network (LAN switch with application and database servers and workstations). Host-resident firewalls are marked on individual hosts.)
Firewall Topologies
• Host-resident firewall: Includes personal firewall software and firewall software on servers
• Screening router: Single router between internal and external networks with stateless or full packet filtering
• Single bastion inline: Single firewall device between an internal and external router
• Single bastion T: Has a third network interface on bastion to a DMZ where externally visible servers are placed
• Double bastion inline: DMZ is sandwiched between bastion firewalls
• Double bastion T: DMZ is on a separate network interface on the bastion firewall
• Distributed firewall configuration: Used by large businesses and government organizations
Intrusion Prevention Systems (IPS)
• Also known as Intrusion Detection and Prevention System (IDPS)
• Is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity
• Can be host-based, network-based, or distributed/hybrid
• Can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior
• Can block traffic as a firewall does, but makes use of the types of algorithms developed for IDSs to determine when to do so
Host-Based IPS (HIPS)
• Can make use of either signature/heuristic or anomaly
detection techniques to identify attacks
• Signature: focus is on the specific content of application network
traffic, or of sequences of system calls, looking for patterns that
have been identified as malicious
• Anomaly: IPS is looking for behavior patterns that indicate
malware
• Examples of the types of malicious behavior addressed by a
HIPS include:
• Modification of system resources
• Privilege-escalation exploits
• Buffer-overflow exploits
• Access to e-mail contact list
• Directory traversal
HIPS
• Capability can be tailored to the specific platform
• A set of general purpose tools may be used for a desktop or
server system
• Some packages are designed to protect specific types of servers,
such as Web servers and database servers
• In this case the HIPS looks for particular application attacks
• Can use a sandbox approach
• Sandboxes are especially suited to mobile code such as Java
applets and scripting languages
• HIPS quarantines such code in an isolated system area then runs
the code and monitors its behavior
• Areas for which a HIPS typically offers desktop protection:
• System calls
• File system access
• System registry settings
• Host input/output
The Role of HIPS
• Many industry observers see the enterprise endpoint, including
desktop and laptop systems, as now the main target for
hackers and criminals
• Thus security vendors are focusing more on developing endpoint
security products
• Traditionally, endpoint security has been provided by a collection
of distinct products, such as antivirus, antispyware, antispam,
and personal firewalls
• Approach is an effort to provide an integrated, single-product
suite of functions
• Advantages of the integrated HIPS approach are that the various
tools work closely together, threat prevention is more
comprehensive, and management is easier
• A prudent approach is to use HIPS as one element in a defense-
in-depth strategy that involves network-level devices, such as
either firewalls or network-based IPSs
Network-Based IPS (NIPS)
• Inline NIDS with the authority to modify or discard packets and tear down TCP connections
• Makes use of signature/heuristic detection and anomaly detection
• May provide flow data protection
o Requires that the application payload in a sequence of packets be reassembled
• Methods used to identify malicious packets:
o Pattern matching
o Stateful matching
o Protocol anomaly
o Traffic anomaly
o Statistical anomaly
Digital Immune System
• Comprehensive defense against malicious behavior caused by malware
• Developed by IBM and refined by Symantec
• Motivation for this development includes the rising
threat of Internet-based malware, the increasing speed of
its propagation provided by the Internet, and the need to
acquire a global view of the situation
• Success depends on the ability of the malware analysis
system to detect new and innovative malware strains
Snort Inline
• Enables Snort to function as an intrusion prevention system
• Includes a replace option which allows the Snort user to modify packets rather than drop them
o Useful for a honeypot implementation
o Attackers see the failure but cannot figure out why it occurred
• Rule options:
o Drop: Snort rejects a packet based on the options defined in the rule and logs the result
o Reject: Packet is rejected and result is logged and an error message is returned
o Sdrop: Packet is rejected but not logged
Summary
• The need for firewalls
• Firewall characteristics and access policy
• Types of firewalls
o Packet filtering firewall
o Stateful inspection firewalls
o Application-level gateway
o Circuit-level gateway
• Firewall basing
o Bastion host
o Host-based firewalls
o Personal firewall
• Firewall location and configurations
o DMZ networks
o Virtual private networks
o Distributed firewalls
o Firewall locations and topologies
• Intrusion prevention systems
o Host-based IPS
o Network-based IPS
o Distributed or hybrid IPS
o Snort inline
Software Security
Table 11.1 TOP 25 Most Dangerous Software Errors
Security Flaws
• Critical Web application security flaws include five related to insecure software code
o Unvalidated input
o Cross-site scripting
o Buffer overflow
o Injection flaws
o Improper error handling
• These flaws occur as a consequence of insufficient checking and validation of data and error codes in programs
• Awareness of these issues is a critical initial step in writing more secure program code
• Emphasis should be placed on the need for software developers to address these known areas of concern
Reducing Software Vulnerabilities
• The NIST report NISTIR 8151 presents a range of approaches to reduce the number of software vulnerabilities
• It recommends:
o Stopping vulnerabilities before they occur by using improved methods for specifying and building software
o Finding vulnerabilities before they can be exploited by using better and more efficient testing techniques
o Reducing the impact of vulnerabilities by building more resilient architectures
Software Security, Quality and Reliability
• Software quality and reliability:
o Concerned with the accidental failure of program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code
o Improve using structured design and testing to identify and eliminate as many bugs as possible from a program
o Concern is not how many bugs, but how often they are triggered
• Software security:
o Attacker chooses probability distribution, specifically targeting bugs that result in a failure that can be exploited by the attacker
o Triggered by inputs that differ dramatically from what is usually expected
o Unlikely to be identified by common testing approaches
Defensive Programming
• Designing and implementing software so that it
continues to function even when under attack
• Requires attention to all aspects of program execution,
environment, and type of data it processes
• Software is able to detect erroneous conditions resulting
from some attack
• Also referred to as secure programming
• Key rule is to never assume anything, check all
assumptions and handle any possible error states
Figure 11.1 Abstract View of Program
(Diagram not reproduced. Inside the computer system, the program (executing algorithm, processing input data, generating output) interacts with the network link, GUI display, keyboard & mouse, file system, other programs, DBMS and database, the operating system, and the machine hardware.)


Defensive Programming
• Programmers often make assumptions about the type of inputs a program will receive and the environment it executes in
o Assumptions need to be validated by the program and all potential failures handled gracefully and safely
• Requires a changed mindset to traditional programming practices
o Programmers have to understand how failures can occur and the steps needed to reduce the chance of them occurring in their programs
• Conflicts with business pressures to keep development times as short as possible to maximize market advantage
Security by Design
• Security and reliability are common design goals in
most engineering disciplines
• Software development not as mature
• Recent years have seen increasing efforts to improve
secure software development processes
• Software Assurance Forum for Excellence in Code
(SAFECode)
• Develop publications outlining industry best practices for
software assurance and providing practical advice for
implementing proven methods for secure software
development
Handling Program Input
• Incorrect handling is a very common failing
• Input is any source of data from outside and whose value is not explicitly known by the programmer when the code was written
• Must identify all data sources
• Explicitly validate assumptions on size and type of values before use
Input Size & Buffer Overflow
• Programmers often make assumptions about the maximum expected size of input
• Allocated buffer size is not confirmed
• Resulting in buffer overflow
• Testing may not identify vulnerability
• Test inputs are unlikely to include large enough inputs to trigger the overflow
• Safe coding treats all input as dangerous
Interpretation of Program Input
• Program input may be binary or text
• Binary interpretation depends on encoding and is usually application specific
• There is an increasing variety of character sets being used
• Care is needed to identify just which set is being used and what characters are being read
• Failure to validate may result in an exploitable vulnerability
• 2014 Heartbleed OpenSSL bug is a recent example of a failure to check the validity of a binary input value
Injection Attacks
• Flaws relating to invalid handling of input data,
specifically when program input data can accidentally or
deliberately influence the flow of execution of the
program

Most often occur in scripting languages
• Encourage reuse of other programs and system utilities where possible to save coding effort
• Often used as Web CGI scripts
Cross Site Scripting (XSS) Attacks
Attacks where input provided by one user is subsequently output to another user
Commonly seen in scripted Web applications
• Vulnerability involves the inclusion of script code in the HTML content
• Script code may need to access data associated with other pages
• Browsers impose security checks and restrict data access to pages originating from the same site
Exploit assumption that all content from one site is equally trusted and hence is permitted to interact with other content from the site
XSS reflection vulnerability
• Attacker includes the malicious script content in data supplied to a site
Validating Input Syntax
• It is necessary to ensure that data conform with any assumptions made about the data before subsequent use
• Input data should be compared against what is wanted
• Alternative is to compare the input data with known dangerous values
• By only accepting known safe data the program is more likely to remain secure
Alternate Encodings
May have multiple means of encoding text
Growing requirement to support users around the globe and to interact with them using their own languages
Unicode used for internationalization
• Uses 16-bit value for characters
• UTF-8 encodes as 1-4 byte sequences
• Many Unicode decoders accept any valid equivalent sequence
Canonicalization
• Transforming input data into a single, standard, minimal representation
• Once this is done the input data can be compared with a single representation of acceptable input values
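Canonicalization before comparison, as an added example that is not part of the original slides: a byte-level filter misses a two-byte overlong encoding of '/', a lenient decoder turns it back into '/', and a strict decoder rejects it before the comparison. The function names and the forbidden-character set are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one UTF-8 sequence starting at s (len bytes available).
 * strict == 0 imitates a lenient decoder that accepts overlong forms;
 * strict == 1 accepts only the shortest (canonical) encoding.
 * Returns the number of bytes consumed, or -1 if the input is malformed. */
int utf8_decode(const unsigned char *s, size_t len, int strict, uint32_t *cp)
{
    /* Smallest code point that legitimately needs an n-byte sequence. */
    static const uint32_t min_cp[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    uint32_t c;
    int n, i;

    if (len == 0)
        return -1;
    if (s[0] < 0x80) {
        *cp = s[0];
        return 1;
    } else if ((s[0] & 0xE0) == 0xC0) {
        n = 2; c = s[0] & 0x1F;
    } else if ((s[0] & 0xF0) == 0xE0) {
        n = 3; c = s[0] & 0x0F;
    } else if ((s[0] & 0xF8) == 0xF0) {
        n = 4; c = s[0] & 0x07;
    } else {
        return -1;                      /* stray continuation or invalid lead byte */
    }
    if ((size_t)n > len)
        return -1;                      /* truncated sequence */
    for (i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return -1;                  /* not a continuation byte */
        c = (c << 6) | (uint32_t)(s[i] & 0x3F);
    }
    if (c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
        return -1;                      /* outside Unicode, or a surrogate */
    if (strict && c < min_cp[n])
        return -1;                      /* overlong: not the minimal form */
    *cp = c;
    return n;
}

/* Byte-level filter that only looks for the literal '/' byte (0x2F). */
int raw_bytes_contain_slash(const unsigned char *s, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++)
        if (s[i] == 0x2F)
            return 1;
    return 0;
}

/* Validation on the canonical form: decode strictly, then compare code
 * points against the single representation of each forbidden character.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int name_is_acceptable(const unsigned char *s, size_t len)
{
    size_t i = 0;
    uint32_t cp;

    while (i < len) {
        int n = utf8_decode(s + i, len - i, 1, &cp);
        if (n < 0)
            return 0;                   /* malformed or non-canonical input */
        if (cp == '/' || cp == '\\' || cp == 0)
            return 0;                   /* forbidden in this example's names */
        i += (size_t)n;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: "a", an overlong 2-byte encoding of '/', "b". */
    const unsigned char sample[] = { 'a', 0xC0, 0xAF, 'b' };
    uint32_t cp = 0;
    int used;

    printf("raw byte filter sees '/': %d\n",
           raw_bytes_contain_slash(sample, sizeof sample));
    used = utf8_decode(sample + 1, 3, 0, &cp);
    printf("lenient decoder consumes %d bytes, yields U+%04X\n", used, (unsigned)cp);
    printf("strict validation accepts: %d\n",
           name_is_acceptable(sample, sizeof sample));
    return 0;
}
```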
Validating Numeric Input
• Additional concern when input data represents numeric
values
• Internally stored in fixed sized value
• 8, 16, 32, 64-bit integers
• Floating point numbers depend on the processor used
• Values may be signed or unsigned

• Must correctly interpret text form and process consistently


• Have issues comparing signed to unsigned
• Could be used to thwart buffer overflow check
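The signed/unsigned issue above, as an added example that is not part of the original slides: a length check done on a signed value lets a negative length through, and the value becomes enormous once it is converted to the unsigned type a copy routine takes. The function names and the 64-byte buffer size are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* Flawed check: len is signed and only the upper bound is tested, so -1
 * passes. Returns the byte count a following memcpy() would receive (0 if
 * the check rejected the value); the copy itself is not performed. */
size_t flawed_copy_len(int len)
{
    if (len > BUF_SIZE)
        return 0;                 /* rejected */
    return (size_t)len;           /* -1 converts to SIZE_MAX here */
}

/* Parse a decimal length field from its text form and bound it.
 * Returns 0 and stores the value in *out, or -1 if the text is not a
 * complete in-range number between 0 and max. */
int parse_length(const char *text, size_t max, size_t *out)
{
    char *end;
    long v;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno == ERANGE || end == text || *end != '\0')
        return -1;                /* out of range for long, or trailing junk */
    if (v < 0 || (unsigned long)v > max)
        return -1;                /* reject negatives before going unsigned */
    *out = (size_t)v;
    return 0;
}

/* Hardened copy: the claimed length must fit the destination and must not
 * exceed the data actually received. Returns 0 on success, -1 otherwise. */
int safe_copy(char *dst, size_t dst_size,
              const char *src, size_t src_len, const char *len_text)
{
    size_t n;

    if (parse_length(len_text, dst_size, &n) != 0)
        return -1;
    if (n > src_len)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

int main(void)
{
    char dst[BUF_SIZE];

    /* Constructed inputs: a negative length field and a valid one. */
    printf("flawed check lets -1 through as %zu bytes\n", flawed_copy_len(-1));
    printf("safe_copy with \"-1\": %d\n",
           safe_copy(dst, sizeof dst, "hello", 5, "-1"));
    printf("safe_copy with \"5\":  %d\n",
           safe_copy(dst, sizeof dst, "hello", 5, "5"));
    return 0;
}
```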
Input Fuzzing
Developed by Professor Barton Miller at the University of Wisconsin Madison in 1989
Software testing technique that uses randomly generated data as inputs to a program
• Range of inputs is very large
• Intent is to determine if the program or function correctly handles abnormal inputs
• Simple, free of assumptions, cheap
• Assists with reliability as well as security
Can also use templates to generate classes of known problem inputs
• Disadvantage is that bugs triggered by other forms of input would be missed
• Combination of approaches is needed for reasonably comprehensive coverage of the inputs
Writing Safe Program Code
• Second component is processing of data by some
algorithm to solve required problem
• High-level languages are typically compiled and linked
into machine code which is then directly executed by the
target processor

Security issues:
• Correct algorithm implementation
• Correct machine instructions for algorithm
• Valid manipulation of data
Correct Algorithm Implementation
Issue of good program development technique
• Algorithm may not correctly handle all problem variants
• Consequence of deficiency is a bug in the resulting program that could be exploited
Initial sequence numbers used by many TCP/IP implementations are too predictable
• Combination of the sequence number as an identifier and authenticator of packets and the failure to make them sufficiently unpredictable enables the attack to occur
Another variant is when the programmers deliberately include additional code in a program to help test and debug it
• Often code remains in production release of a program and could inappropriately release information
• May permit a user to bypass security checks and perform actions they would not otherwise be allowed to perform
• This vulnerability was exploited by the Morris Internet Worm
Ensuring Machine Language Corresponds to Algorithm
• Issue is ignored by most programmers
• Assumption is that the compiler or interpreter generates or
executes code that validly implements the language
statements
• Requires comparing machine code with original
source
• Slow and difficult
• Development of computer systems with very high
assurance level is the one area where this level of
checking is required
Correct Data Interpretation
• Data stored as bits/bytes in computer
• Grouped as words or longwords
• Accessed and manipulated in memory or copied into processor registers before being used
• Interpretation depends on machine instruction executed
• Different languages provide different capabilities for restricting and validating interpretation of data in variables
• Strongly typed languages are more limited, safer
• Other languages allow more liberal interpretation of data and permit program code to explicitly change their interpretation
Correct Use of Memory
• Issue of dynamic memory allocation
• Used to manipulate unknown amounts of data
• Allocated when needed, released when done
• Memory leak
• Steady reduction in memory available on the heap to the point where it is completely exhausted
• Many older languages have no explicit support for
dynamic memory allocation
• Use standard library routines to allocate and release memory
• Modern languages handle automatically
Race Conditions
• Without synchronization of accesses it is possible that
values may be corrupted or changes lost due to
overlapping access, use, and replacement of shared values
• Arise when writing concurrent code whose solution
requires the correct selection and use of appropriate
synchronization primitives
• Deadlock
• Processes or threads wait on a resource held by the other
• One or more programs has to be terminated
Operating System Interaction
Programs execute on systems under the control of an operating system
• Mediates and shares access to resources
• Constructs execution environment
• Includes environment variables and arguments
Systems have a concept of multiple users
• Resources are owned by a user and have permissions granting access with various rights to different categories of users
• Programs need access to various resources, however excessive levels of access are dangerous
• Concerns when multiple programs access shared resources such as a common file
Environment Variables
Collection of string values inherited by each process from its parent
• Can affect the way a running process behaves
• Included in memory when it is constructed
Can be modified by the program process at any time
• Modifications will be passed to its children
Another source of untrusted program input
Most common use is by a local user attempting to gain increased privileges
• Goal is to subvert a program that grants superuser or administrator privileges
Vulnerable Compiled Programs
Programs can be vulnerable to PATH variable manipulation
• Must reset to “safe” values
If dynamically linked may be vulnerable to manipulation of LD_LIBRARY_PATH
• Used to locate suitable dynamic library
• Must either statically link privileged programs or prevent use of this variable
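Resetting the environment before a privileged program runs a helper, as an added example that is not part of the original slides: the environment is rebuilt from an allowlist with a fixed PATH, so the inherited PATH, LD_LIBRARY_PATH and every other unlisted variable are dropped. The function names, the allowlist, and the PATH value are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SAFE_PATH "PATH=/usr/bin:/bin"   /* assumed safe value for this example */
#define ENV_CAP 8

/* Variables this example passes through. Everything else is dropped,
 * including the inherited PATH, LD_LIBRARY_PATH and any other LD_* name. */
static const char *const allowed[] = { "LANG", "TZ", "TERM" };

/* Return 1 if entry has the form NAME=value with NAME on the allowlist. */
static int is_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i;

    if (eq == NULL)
        return 0;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        size_t n = strlen(allowed[i]);
        if ((size_t)(eq - entry) == n && strncmp(entry, allowed[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Return 1 if the value is short and uses only plain characters (no '/',
 * no whitespace). Call only after is_allowed() confirmed an '=' exists. */
static int value_is_plain(const char *entry)
{
    const char *v = strchr(entry, '=') + 1;
    size_t len = strlen(v);

    if (len == 0 || len > 64)
        return 0;
    return strspn(v, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                     "0123456789_-.@+") == len;
}

/* Build a NULL-terminated environment in out[] (capacity cap entries).
 * Returns the number of variables stored, or -1 if out[] is too small. */
int build_safe_env(char *const inherited[], const char *out[], size_t cap)
{
    size_t n = 0, i;

    if (cap < 2)
        return -1;
    out[n++] = SAFE_PATH;                 /* never reuse the inherited PATH */
    for (i = 0; inherited != NULL && inherited[i] != NULL; i++) {
        if (!is_allowed(inherited[i]) || !value_is_plain(inherited[i]))
            continue;
        if (n + 1 >= cap)
            return -1;                    /* no room for entry plus terminator */
        out[n++] = inherited[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Run a helper by absolute path with the rebuilt environment.
 * Returns -1 on refusal or if execve() fails; does not return on success. */
int exec_helper(const char *abs_path, char *const argv[], char *const inherited[])
{
    const char *env[ENV_CAP];

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                        /* never rely on a PATH search */
    if (build_safe_env(inherited, env, ENV_CAP) < 0)
        return -1;
    execve(abs_path, argv, (char *const *)env);
    return -1;
}

int main(void)
{
    /* Constructed example of an environment prepared by a local user. */
    char *const inherited[] = {
        "PATH=/tmp/bin:.", "LD_LIBRARY_PATH=/tmp/lib",
        "LANG=en_US.UTF-8", "TZ=../../etc/shadow", NULL
    };
    const char *env[ENV_CAP];
    int i, n = build_safe_env(inherited, env, ENV_CAP);

    for (i = 0; i < n; i++)
        puts(env[i]);
    return 0;
}
```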
Use of Least Privilege
Privilege escalation
• Exploit of flaws may give attacker greater privileges
Least privilege
• Run programs with least privilege needed to complete their function
Determine appropriate user and group privileges required
• Decide whether to grant extra user or just group privileges
Ensure that privileged program can modify only those files and directories necessary
Root/Administrator Privileges
Programs with root/administrator privileges are a major target of attackers
• They provide highest levels of system access and control
• Are needed to manage access to protected system resources
Often privilege is only needed at start
• Can then run as normal user
Good design partitions complex programs in smaller modules with needed privileges
• Provides a greater degree of isolation between the components
• Reduces the consequences of a security breach in one component
• Easier to test and verify
System Calls and Standard Library Functions
Programs use system calls and standard library functions for common operations
Programmers make assumptions about their operation
• If incorrect behavior is not what is expected
• May be a result of system optimizing access to shared resources
• Results in requests for services being buffered, resequenced, or otherwise modified to optimize system use
• Optimizations can conflict with program goals
Preventing Race Conditions
• Programs may need to access a common system resource
• Need suitable synchronization mechanisms
• Most common technique is to acquire a lock on the shared file
• Lockfile
• Process must create and own the lockfile in order to gain access to the
shared resource
• Concerns
• If a program chooses to ignore the existence of the lockfile and access the
shared resource the system will not prevent this
• All programs using this form of synchronization must cooperate
• Implementation
Safe Temporary Files
• Many programs use temporary files
• Often in common, shared system area
• Must be unique, not accessed by others
• Commonly create name using process ID
• Unique, but predictable
• Attacker might guess and attempt to create own file between
program checking and creating
• Secure temporary file creation and use requires the use
of random names
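The predictable and the random naming schemes side by side, as an added example that is not part of the original slides: a PID-based name with a separate check-then-create step, and creation through mkstemp(), which picks a random name and creates the file atomically. The /tmp/app.* names and the function names are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Naming scheme described above: unique per process, but predictable. */
void pid_based_name(char *buf, size_t size, pid_t pid)
{
    snprintf(buf, size, "/tmp/app.%ld.tmp", (long)pid);
}

/* Weak pattern: the existence check and the creation are separate steps,
 * so another local user can create the name in the gap between them. */
int weak_create(const char *path)
{
    struct stat st;

    if (stat(path, &st) == 0)
        return -1;                                /* check */
    return open(path, O_WRONLY | O_CREAT, 0644);  /* create: not atomic with the check */
}

/* Hardened: mkstemp() replaces XXXXXX with a random suffix and creates the
 * file with O_CREAT | O_EXCL in one step, so an existing name is never
 * opened. Returns an open descriptor and the chosen path, or -1. */
int create_private_temp(char *path_out, size_t size)
{
    mode_t old_mask;
    int fd, len;

    len = snprintf(path_out, size, "/tmp/app.XXXXXX");
    if (len < 0 || (size_t)len >= size)
        return -1;
    old_mask = umask(077);   /* older C libraries created the file with mode 0666 */
    fd = mkstemp(path_out);
    umask(old_mask);
    return fd;
}

/* Confirm what was created: a regular file owned by this process's user,
 * with no group/other access and a single link. Returns 1 if so. */
int temp_is_private(int fd)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && st.st_uid == geteuid()
        && (st.st_mode & 077) == 0
        && st.st_nlink == 1;
}

int main(void)
{
    char guess[64], path[64];
    int fd;

    pid_based_name(guess, sizeof guess, getpid());
    printf("predictable name: %s\n", guess);

    fd = create_private_temp(path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("random name: %s (private: %d)\n", path, temp_is_private(fd));
    close(fd);
    unlink(path);
    return 0;
}
```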
Other Program Interaction
Programs may use functionality and services of other
programs
• Security vulnerabilities can result unless care is taken with this interaction
• Such issues are of particular concern when the program being used did not
adequately identify all the security concerns that might arise
• Occurs with the current trend of providing Web interfaces to programs
• Burden falls on the newer programs to identify and manage any security issues that
may arise

Issue of data confidentiality/integrity
Detection and handling of exceptions and errors generated by interaction is also important from a security perspective
Handling Program Output
• Final component is program output
• May be stored for future use, sent over net, displayed
• May be binary or text
• Important from a program security perspective that the
output conform to the expected form and interpretation
• Programs must identify what is permissible output
content and filter any possibly untrusted data to ensure
that only valid output is displayed
• Character set should be specified
Summary
• Software security issues
• Introducing software security and defensive programming
• Handling program input
• Input size and buffer overflow
• Interpretation of program input
• Validating input syntax
• Input fuzzing
• Writing safe program code
• Correct algorithm implementation
• Ensuring that machine language corresponds to algorithm
• Correct interpretation of data values
• Correct use of memory
• Preventing race conditions with shared memory
• Interacting with the operating system and other programs
• Environment variables
• Using appropriate, least privileges
• Systems calls and standard library functions
• Preventing race conditions with shared system resources
• Safe temporary file use
• Interacting with other programs
• Handling program output
Thank You!

• Questions?
Operating System Security
Strategies
• The 2010 Australian Signals Directorate (ASD) lists the
“Top 35 Mitigation Strategies”
• Over 85% of the targeted cyber intrusions investigated
by ASD in 2009 could have been prevented
• The top four strategies for prevention are:
• White-list approved applications
• Patch third-party applications and operating system vulnerabilities
• Restrict administrative privileges
• Create a defense-in-depth system

• These strategies largely align with those in the “20 Critical Controls” developed by DHS, NSA, the Department of Energy, SANS, and others in the United States
Operating System Security
• Possible for a system to be compromised during the
installation process before it can install the latest patches
• Building and deploying a system should be a planned
process designed to counter this threat
• Process must:
• Assess risks and plan the system deployment
• Secure the underlying operating system and then the key applications
• Ensure any critical content is secured
• Ensure appropriate network protection mechanisms are used
• Ensure appropriate processes are used to maintain security
System Security Planning
• The first step in deploying a new system is planning
• Planning should include a wide security assessment of the organization
• Aim is to maximize security while minimizing costs
• Planning process needs to determine security requirements for the system, applications, data, and users
• Plan needs to identify appropriate personnel and training to install and manage the system
System Security Planning Process
• The purpose of the system, the type of information stored, the applications and services provided, and their security requirements
• The categories of users of the system, the privileges they have, and the types of information they can access
• How the users are authenticated
• How access to the information stored on the system is managed
• What access the system has to information stored on other hosts, such as file or database servers, and how this is managed
• Who will administer the system, and how they will manage the system (via local or remote access)
• Any additional security measures required on the system, including the use of host firewalls, anti-virus or other malware protection mechanisms, and logging
Operating Systems Hardening
• First critical step in securing a system is to secure the
base operating system
• Basic steps
• Install and patch the operating system
• Harden and configure the operating system to adequately
address the identified security needs of the system by:
• Removing unnecessary services, applications, and protocols
• Configuring users, groups, and permissions
• Configuring resource controls
• Install and configure additional security controls, such as anti-
virus, host-based firewalls, and intrusion detection system (IDS)
• Test the security of the basic operating system to ensure that the
steps taken adequately address its security needs
Initial Setup and Patching
• System security begins with the installation of the operating system
• Ideally new systems should be constructed on a protected network
• Full installation and hardening process should occur before the system is deployed to its intended location
• Initial installation should install the minimum necessary for the desired system
• Overall boot process must also be secured
• The integrity and source of any additional device driver code must be carefully validated
• Critical that the system be kept up to date, with all critical security related patches installed
• Should stage and validate all patches on the test systems before deploying them in production
Remove Unnecessary Services, Applications, Protocols
• If fewer software packages are available to run the risk is reduced
• System planning process should identify what is actually required for a given system
• When performing the initial installation the supplied defaults should not be used
• Default configuration is set to maximize ease of use and functionality rather than security
• If additional packages are needed later they can be installed when they are required
Configure Users, Groups, and Authentication
• Not all users with access to a system will have the same access to all data and resources on that system
• Elevated privileges should be restricted to only those users that require them, and then only when they are needed to perform a task
• System planning process should consider:
• Categories of users on the system
• Privileges they have
• Types of information they can access
• How and where they are defined and authenticated
• Default accounts included as part of the system installation should be secured
• Those that are not required should be either removed or disabled
• Policies that apply to authentication credentials configured
Configure Resource Controls
• Once the users and groups are defined, appropriate permissions can be set on data and resources
• Many of the security hardening guides provide lists of recommended changes to the default access configuration
• Checklists are included in security hardening guides
Install Additional Security Controls
• Further security possible by installing and configuring additional security tools:
• Anti-virus software
• Host-based firewalls
• IDS or IPS software
• Application white-listing
Test the System Security
• Final step in the process of initially securing the base operating system is security testing
• Goal:
• Ensure the previous security configuration steps are correctly implemented
• Identify any possible vulnerabilities
• There are programs specifically designed to:
• Review a system to ensure that a system meets the basic security requirements
• Scan for known vulnerabilities and poor configuration practices
• Should be done following the initial hardening of the system
• Repeated periodically as part of the security maintenance process
Application Configuration
• May include:
• Creating and specifying appropriate data storage areas for application
• Making appropriate changes to the application or service default
configuration details
• Some applications or services may include:
• Default data
• Scripts
• User accounts
• Of particular concern with remotely accessed services
such as Web and file transfer services
• Risk from this form of attack is reduced by ensuring that most of the
files can only be read, but not written, by the server
Encryption Technology
• Is a key enabling technology that may be used to secure data both in transit and when stored
• Must be configured and appropriate cryptographic keys created, signed, and secured
• If secure network services are provided using TLS or IPsec suitable public and private keys must be generated for each of them
• If secure network services are provided using SSH, appropriate server and client keys must be created
• Cryptographic file systems are another use of encryption
Security Maintenance
• Process of maintaining security is continuous
• Security maintenance includes:
• Monitoring and analyzing logging information
• Performing regular backups
• Recovering from security compromises
• Regularly testing system security
• Using appropriate software maintenance processes to patch and
update all critical software, and to monitor and revise
configuration as needed
Logging
• Can only inform you about bad things that have already happened
• In the event of a system breach or failure, system administrators can more quickly identify what happened
• Key is to ensure you capture the correct data and then appropriately monitor and analyze this data
• Information can be generated by the system, network and applications
• Range of data acquired should be determined during the system planning stage
• Generates significant volumes of information and it is important that sufficient space is allocated for them
• Automated analysis is preferred
Data Backup and Archive
• Performing regular backups of data is a critical control that assists with maintaining the integrity of the system and user data
• May be legal or operational requirements for the retention of data
Backup
• The process of making copies of data at regular intervals
Archive
• The process of retaining copies of data over extended periods of time in order to meet legal and operational requirements to access past data
Needs and policy relating to backup and archive should be determined during the system planning stage
Kept online or offline
Stored locally or transported to a remote site
• Trade-offs include ease of implementation and cost versus greater security and robustness against different threats
Linux/Unix Security
• Patch management
• Keeping security patches up to date is a widely recognized and critical
control for maintaining security

• Application and service configuration


• Most commonly implemented using separate text files for each
application and service
• Generally located either in the /etc directory or in the installation tree
for a specific application
• Individual user configurations that can override the system defaults are
located in hidden “dot” files in each user’s home directory
• Most important changes needed to improve system security are to
disable services and applications that are not required
Linux/Unix Security
• Users, groups, and permissions
• Access is specified as granting read, write, and
execute permissions to each of owner, group, and
others for each resource
• Guides recommend changing the access permissions
for critical directories and files
• Local exploit
• Software vulnerability that can be exploited by an attacker to
gain elevated privileges
• Remote exploit
• Software vulnerability in a network server that could be
triggered by a remote attacker
Linux/Unix Security

Remote access controls
• Several host firewall programs may be used
• Most systems provide an administrative utility to select which services will be permitted to access the system
Logging and log rotation
• Should not assume that the default setting is necessarily appropriate
Linux/Unix Security
• chroot jail
• Restricts the server’s view of the file system to just a
specified portion
• Uses chroot system call to confine a process by mapping
the root of the filesystem to some other directory
• File directories outside the chroot jail aren’t visible or
reachable
• Main disadvantage is added complexity
Windows Security

Patch management
• “Windows Update” and “Windows Server Update Service” assist with regular maintenance and should be used
• Third party applications also provide automatic update support
Users administration and access controls
• Systems implement discretionary access controls to resources
• Vista and later systems include mandatory integrity controls
• Objects are labeled as being of low, medium, high, or system integrity level
• System ensures the subject’s integrity is equal or higher than the object’s level
• Implements a form of the Biba Integrity model
Windows Security
Users Administration and Access Controls
Windows systems also define privileges
• System wide and granted to user accounts
Combination of share and NTFS permissions may be used to provide additional security and granularity when accessing files on a shared resource
User Account Control (UAC)
• Provided in Vista and later systems
• Assists with ensuring users with administrative rights only use them when required, otherwise accesses the system as a normal user
Low Privilege Service Accounts
• Used for long-lived service processes such as file, print, and DNS services
Windows Security
Application and service configuration
• Much of the configuration information is centralized in the Registry
• Forms a database of keys and values that may be queried and interpreted by applications
• Registry keys can be directly modified using the “Registry Editor”
• More useful for making bulk changes
Windows Security
Other security controls
• Essential that anti-virus, anti-spyware, personal firewall, and other malware
and attack detection and handling software packages are installed and
configured
• Current generation Windows systems include basic firewall and malware
countermeasure capabilities
• Important to ensure the set of products in use are compatible

Windows systems also support a range of cryptographic functions:
• Encrypting files and directories using the Encrypting File System (EFS)
• Full-disk encryption with AES using BitLocker
“Microsoft Baseline Security Analyzer”
• Free, easy to use tool that checks for compliance with Microsoft’s security recommendations
Virtualization
• A technology that provides an abstraction of the
resources used by some software which runs in a
simulated environment called a virtual machine (VM)
• Benefits include better efficiency in the use of the
physical system resources
• Provides support for multiple distinct operating systems
and associated applications on one physical system
• Raises additional security concerns
Hypervisor
• Software that sits between the hardware and the VMs
• Acts as a resource broker
• It allows multiple VMs to safely coexist on a single
physical server host and share that host’s resources
• Virtualizing software provides abstraction of all physical
resources and thus enables multiple computing stacks,
called virtual machines, to be run on a single physical
host
• Each VM includes an OS, called the guest OS
• This OS may be the same as the host OS, if present, or a
different one
Hypervisor Functions
The principal functions performed by a hypervisor are:
• Execution management of VMs
• Devices emulation and access control
• Execution of privileged operations by hypervisor for guest VMs
• Management of VMs (also called VM lifecycle management)
• Administration of hypervisor platform and hypervisor software
Virtualized Systems
• In virtualized systems, the available hardware resources must
be appropriately shared among the various guest OS’s
• These include CPU, memory, disk, network, and other
attached devices
• CPU and memory are generally partitioned between these,
and scheduled as required
• Disk storage may be partitioned, with each guest having
exclusive use of some disk resources
• Alternatively, a “virtual disk” may be created for each guest,
which appears to it as a physical disk with a full file-system,
but is viewed externally as a single ”disk image” file on the
underlying file-system
• Attached devices such as optical disks, or USB devices are
generally allocated to a single guest OS at a time
Software Defined Networks (SDNs)
SDNs enable network segments to logically span multiple servers within and between data centers, while using the same underlying physical network
There are several possible approaches to providing SDNs, including the use of overlay networks
• These abstract all layer 2 and 3 addresses from the underlying physical network into whatever logical network structure is required
• This structure can be easily changed and extended as needed
• The IETF standard DOVE (Distributed Overlay Virtual Network) which uses VXLAN (Virtual Extended Local Area Network) can be used to implement such an overlay network
• With this flexible structure, it is possible to locate virtual servers, virtual IDS, and virtual firewalls anywhere within the network as required
Containers
• A recent approach to virtualization is known as container
virtualization or application virtualization
• In this approach, software known as a virtualization container,
runs on top of the host OS kernel and provides an isolated
execution environment for applications
• Unlike hypervisor-based VMs, containers do not aim to
emulate physical servers
• All containerized applications on a host share a common OS
kernel
• For containers, only a small container engine is required as
support for the containers
• Containerization sits in between the OS and applications and
incurs lower overhead, but potentially introduces greater
security vulnerabilities
Virtualization Security Issues
• Security concerns include:
• Guest OS isolation
• Ensuring that programs executing within a guest OS may
only access and use the resources allocated to it
• Guest OS monitoring by the hypervisor
• Which has privileged access to the programs and data in
each guest OS
• Virtualized environment security
• Particularly image and snapshot management which
attackers may attempt to view or modify
Securing Virtualization Systems
Organizations using virtualization should:
• Carefully plan the security of the virtualized system
• Secure all elements of a full virtualization solution and maintain their security
• Ensure that the hypervisor is properly secured
• Restrict and protect administrator access to the virtualization solution
Hypervisor Security
• Should be
• Secured using a process similar to securing an operating system
• Installed in an isolated environment
• Configured so that it is updated automatically
• Monitored for any signs of compromise
• Accessed only by authorized administration

• May support both local and remote administration so must be configured appropriately
• Remote administration access should be considered and secured in the
design of any network firewall and IDS capability in use
• Ideally administration traffic should use a separate network with very
limited access provided from outside the organization
Virtualized Infrastructure Security
• Systems manage access to hardware resources
• Access must be limited to just the appropriate guest OSs
• Access to VM image and snapshots must be carefully controlled
Virtual Firewall
Provides firewall capabilities for the network traffic flowing between systems hosted in a virtualized or cloud environment that does not require this traffic to be routed out to a physically separate network supporting traditional firewall services
VM Bastion Host
• Where a separate VM is used as a bastion host supporting the same firewall systems and services that could be configured to run on a physically separate bastion, including possibly IDS and IPS services
VM Host-Based Firewall
• Where host-based firewall capabilities provided by the Guest OS running on the VM are configured to secure that host in the same manner as used in physically separate systems
Hypervisor Firewall
• Where firewall capabilities are provided directly by the hypervisor
Summary
• Introduction to operating system security
• System security planning
• Operating systems hardening
• Operating system installation: initial setup and patching
• Remove unnecessary services, applications and protocols
• Configure users, groups, and authentications
• Configure resource controls
• Install additional security controls
• Test the system security
• Application security
• Application configuration
• Encryption technology
• Security maintenance
• Logging
• Data backup and archive
• Linux/Unix security
• Patch management
• Application and service configuration
• Users, groups, and permissions
• Remote access controls
• Logging and log rotation
• Application security using a chroot jail
• Security testing
• Windows security
• Patch management
• Users administration and access controls
• Application and service configuration
• Other security controls
• Security testing
• Virtualization security
• Virtualization alternatives
• Virtualization security issues
• Securing virtualization systems
Thank You!

• Questions?
