Chapter 1

Introduction
 Software
Bugs
• Software bugs cost
US economy $59.5
billion annually
(NIST)
 Not all
bugs are
equal!
• Why security bugs are
more dangerous?
 The Lingo
• What does secure mean anyway? It means
“free from or not exposed to danger or harm;
safe.”
• A vulnerability is simply a design flaw or an
implementation bug that allows a potential
attack on the software in some way.
• A threat is a possible exploit of a vulnerability
while an attack is the actual use of such an
exploit.
 Vulnerability
• Informally, a bug with security consequences
• A vulnerability is a weakness or gap in our protection efforts.

• A design flaw or poor coding that may allow an attacker to exploit

software for a malicious purpose
– Non-software equivalent to “lack of shoe-examining at the airport”
– E.g. allowing easily-guessed passwords (poor coding)
– E.g. complete lack of passwords when needed (design flaw)
– 50% are coding mistakes, 50% are design flaws

• Alternative definition: “an instance of a fault that violates an

[implicit or explicit] security policy
 Exploit and Threat
• Exploit: a piece of software, a chunk of data, or a sequence of commands
that takes advantage of a vulnerability to cause unintended or unanticipated
behavior
– i.e. maliciously using a vulnerability
– Can be manual or automated
– Many ways to exploit just one vulnerability

• Threat – A hypothetical event that has the potential to cause some

performing damage to an organization's business and other processes.
– A threat is what we’re trying to protect against.
– For example, social engineering, phishing, DDoS, etc. are typical threats. To explain
non-typical threats, one of the best examples would be when you leave your data
open on your phone which later gets stolen and used for adversarial events.
– Even though most of the threats involve an exploit, they mostly don’t cause any
damage unless they are being actualized by threat actors or hackers.
 Vulnerability vs. Exploit
• If a vulnerability is the open window into the
system, an exploit is the rope or ladder the
thief uses to reach the open window. An
exploit is simply a tool created to leverage a
specific vulnerability.
• without vulnerabilities, there’s nothing to
exploit.
 Vulnerability vs. Exploit
• Although both exploits and malware can have damaging effects on a device or
system, they are different.

• Malware refers to any type of malicious software, including viruses,

ransomware, spyware, etc.

• An exploit, in contrast, is code that allows a hacker to leverage a vulnerability

— for example, they can use an exploit to gain access to a computer system
and then install malware on it. Though an exploit attack can contain malware,
the exploit itself is not malicious.

• To go back to our house-and-window example, if a vulnerability is the open

window into a system, the exploit is the means by which a hacker reaches the
window — and they may be carrying a piece of malicious code (malware) in
their backpack.
 Vulnerability vs. Threat
• Threat: Adversaries might install malware in
computer so that they can steal SSN for identity
theft.
• Vulnerability: The computers do not have up to
date virus definitions for the anti-malware
software.
• Threat: Thieves could break into our facility and
steal equipment.
• Vulnerability: The lock is easy to pick or break.
[Exploit | Threat | Vulnerability] Protection

• Protect against exploits?

– Anti-virus, intrusion detection, firewalls, etc.

• Protect against threats?

– Use forensics to find & eliminate
– Policy, incentives, deterrents, etc.

• Protect against vulnerabilities?

– Engineer secure software!
 Why Software Security
• Developed nations’ economies and defense depend, in
large part, on the reliable execution of software.
• Software is ubiquitous, affecting all aspects of our
personal and professional lives.
• Software vulnerabilities are equally ubiquitous,
jeopardizing:
– Personal identities
– Intellectual property
– Consumer trust
– Business services, operations, & continuity
– Critical infrastructures & government
 Why Software Security
• Most successful attacks result from:
– Targeting and exploiting known, non-patched
software vulnerabilities
– Insecure software configurations

• Many of these are introduced during software

design & development

Refer to Polydys & Wisseman. “Software Assurance in Acquisition: Mitigating Risks to the Enterprise.” 2007.
https://buildsecurityin.us-cert.gov/daisy/bsi/resources/dhs/908.html?branch=1&language=1
 What is Software Security?

• Not the same as security software

– Firewalls, intrusion detection, encryption
– Protecting the environment within which the software
operates
• Engineering software so that it continues to function
under attack
• The ability of software to recognize, resist, tolerate, and
recover from events that threaten it
• The goal: Better, defect-free software that can function
more robustly in its operational production environment
 Common Vulnerabilities
• Lack of input validation
• Lack of bounds checking on arrays and buffers
• Unintentional disclosure
• A countermeasure is a means to eliminate the
possibility of an attack or at least to mitigate the
amount of damage caused if it occurs, such as
failing safely or successfully tolerating a fault.
• Anything or anyone who could potentially harm
your software is classified as a threat agent.
 The Usual Suspects
• The Human Element- Social engineering is a
dangerous tactic to even the most hardened
security. Because the human element is often
the weakest link in security, it only makes
sense that attackers would choose that as
their angle of attack.
– Social engineering is the art of manipulating
people so they give up confidential information.
 The Many Hats of Hackers
• The term hacker started out referring simply to
someone who was proficient with computers,
particularly in the field of networks, and they were the
foundation of what has led to the technology revolution
in which we all find ourselves.
• A Cracker is a person who wishes to use technical
proficiency to exploit weaknesses and break systems.
 The CIA Triad
• Confidentiality in an application means that the private and sensitive
data handled by the application cannot be read by anyone who is not
explicitly authorized to view it.
• Integrity means that the data processed by an application is not
modified by any unauthorized channels or any unauthorized persons.
• Availability is defined as system’s ability to remain operational even
in the face of failure or attack.
 The CIA Triad
• The two main ways to ensure confidentiality are cryptography and access control.
• Integrity preserves internal and external consistency:
– Internal consistency: Ensures that the data is internally consistent. For example, in an
organizational database, the total number of items owned by an organization must be
equal to the sum of the same items shown in the database as being held by each element
of the organization.
– External consistency: Ensures that the data stored in the database is consistent with the
real world. For instance, the total number of items physically sitting on the shelf must
match the total number of items indicated by the database.
– Hashing ensures integrity

• Availability
– Redundancy: Redundancy refers to systems that either are duplicated or fail over to other
systems in the event of a malfunction. Failover refers to the process of reconstructing a
system or switching over to other systems when a failure is detected. In the case of a
server, the server switches to a redundant server when a fault is detected. This strategy
allows service to continue uninterrupted until the primary server can be restored.
 Cryptography
• Cryptography is a mathematical approach to
transforming data such that, without the necessary
piece of information, a key to unlock it, the
information cannot be read.
• Cleartext or plaintext is information that is not
encrypted is said to be in the clear.
• Ciphertext is information that has been encrypted.
• Decryption- is the process of using a key you used
for encryption to turn data back to plaintext or
ciphertext.
 Public Key Cryptography
Plaintext + key = ciphertext:
hello + 2jd8932kd8 = X5xJCSycg14=
Ciphertext + key = plaintext:
X5xJCSycg14= + 2jd8932kd8 = hello

• Public key cryptography states that two keys

are needed for the process; one key is used to
encrypt, and one is used to decrypt. These
two distinct keys allow the process to happen
because the one used to encrypt does not
reveal any information about the one used to
decrypt.
 Integrity
• Integrity is used to prevent data modification,
insertion or deletion by unauthorized parties.
One means to accomplish this is using a
message digest or cryptographic hash.

Let’s say that your input is 27. This gives

an output of 2. Now, imagine that you
announce to the world that you’re using
the hash function X mod 5 = Y and that
your personal output is 2. Would anyone
X mod 5 = Y be able to guess your input?

Source: https://komodoplatform.com/cryptographic-hash-function/
 Availability
• Availability is the more difficult attribute of
security to ensure.
• Redundancy can be used to provide
availability.
• Off-site backup may work during an attack,
but it is costly to keep it running when there is
no emergency requiring it.
 Prevention
• Prevention is a tremendously difficult task.
This is an assertion that an attack absolutely
cannot happen to or through your system.
• One way to do this is to sandbox the
application, meaning you test to see what it
will do, given user input, before you allow it to
actually process.
 Avoidance
• Avoidance is a best attempt at making sure
that attacks do not affect your system. This
means that you make every effort in the
system to avoid compromise.
• A way to provide avoidance is to code
defensively.
• Closing off holes, restricting access, and
limiting points of entry into the system are all
ways to code defensively.
 Detection
• Handling exceptions in code is a good way to
approach this. When an attack occurs, it is
generally given that the application will stop
behaving as it is supposed to behave.
• Checkpoints in code are another way to do
this; these are just milestones of execution
that indicate everything is still working
correctly.
 Recovery
• The final option for response is recovery. In
this case, the attack is allowed to occur when
it happens.
• An example of this would be rolling back a
database to the state it was in before the
attack (something that can only be
accomplished if transactions are being
recorded) or restarting an application at the
last safe state that was recorded in memory.
 The Shape of Things
• Apply defense in depth
• Minimize the attack surface
• Fail safely
• Run with least privilege
• Avoid security by obscurity
• Keep security simple
• Detect intrusions and record compromise
 The Shape of Things
• Do not trust infrastructure
• Do not trust services
• Establish secure defaults
 Chapter Summary
• Software security is an increasing concern in
the modern era of connectivity with its
consistency of threats from attackers.
• An attacker can be an automated tool, an
intentional insider, an unintentional insider, a
malicious outsider, or even an external system
destruction.
 Home Assignment 1
• Visit the web:
https://cwe.mitre.org/top25/archive/2023/2023
_top25_list.html

• Pick one vulnerability from the list and study.

• Study the vulnerability:
– Description
– A Code Example (A Relevant CWE)
– Consequences
– Mitigation
 References
• https://www.avast.com/c-exploits
• https://www.cs.columbia.edu/~suman/
secure_sw_devel/intro.pdf