Friday, June 5, 2009

Developing secure applications

So you are a small company that develops software, and your customers are becoming more paranoid about the security of your code. With companies being held responsible for sloppy coding practices, "as long as it works, that's all you need" no longer cuts it. One of the first instances I saw of this was "The Trustworthy Computing Security Development Lifecycle" developed by Microsoft.


"Security development lifecycle (SDL)
Microsoft designed SDL to ensure that the development of software is as secure as possible.

The process is made up of a series of security-focused activities and targets for each of the phases of Microsoft's software development process.

These include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing.

Before software can be released, it must undergo a final security review by a team independent from its development group."

Microsoft used this methodology to develop the Vista operating system, and claims that as a result Vista has had fewer first-year vulnerabilities than Windows XP, Red Hat, Mac OS X, etc. Microsoft releases this methodology free for anyone to use and is building it into its development tools. You can read all about it on the SDL website linked above.

Another checklist I have found useful for software developers is the Application and Development Checklist developed by the Defense Information Systems Agency. I find this an easy-to-use checklist for showing software buyers that the software being developed goes through a strict security engineering process, so that security is not an afterthought.

Another great resource is SAFECode, which has multiple publications on developing secure code.

"The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp."

If you are developing software, customers are asking not only for working code but also for secure code. There is also an ongoing trend in the software industry of businesses including "secure code clauses" in their contracts with application developers.

Keep the code secure, use a secure engineering process!

Wednesday, February 27, 2008

Let Loose the Pings

Photo Courtesy Sean Hawkey
Our lab contains a very expensive hardware-based traffic generator. The device is not easily configured and can be a pain to use, but once you set it up it can generate any type of traffic and network transaction. The problem was that somebody changed the admin password, and nobody knew the new one. The device can still be used without the admin password, however you cannot configure the interfaces without it. We were in a time crunch and needed to perform a simple network test, and did not have time to reset the password. The catch was that whoever reset the admin password had also changed the IP address on the interface, and we needed to figure out that IP address in order to configure the test. Easy, there are only 4 billion addresses to ping; by the way, the device was set to respond to pings. Well, it gets better: we knew the address was 10.x.0.11, so we only had to try at most 255 addresses.

My co-worker starts pinging one at a time, and I think he is crazy; we are programmers, let's write a quick VBScript and run it with WSH. Basically this script runs through the 10.0-255.0.11 addresses and parses the output from ping. If it receives a Reply then the script prints that address and exits. The script could be modified with more loops to go through more addresses, however it is slow because it only processes one ping at a time; if you need more pings a C program would work much faster.

Basic operation: a for loop goes through 0-255 (each number is output to the screen), a variable is used to build the ping command, a shell object executes the ping command, and the output from ping, read from stdout, is parsed looking for the word Reply. If Reply is found then the IP address is echoed to the screen and the script exits. When running this script make sure you use cscript, or you will have windows popping up for each ping. The script worked extremely well; we took a break while it ran and came back, and the magic number was 42. Imagine that.

' Sweep 10.0.0.11 through 10.255.0.11 with one ping each and stop at the
' first address that answers. Run it with cscript so the output goes to
' the console instead of a popup per ping:  cscript pingsweep.vbs
Option Explicit
Dim objShell, objWshScriptExec, objStdOut, strLine, strTarget, i, y

' One shell object is enough for every ping; creating it inside the loop
' only wastes time.
Set objShell = CreateObject("WScript.Shell")

For i = 0 To 255
    y = 0
    strTarget = "10." & i & ".0.11"
    WScript.Echo i                      ' progress indicator
    Set objWshScriptExec = objShell.Exec("ping -n 1 " & strTarget)
    Set objStdOut = objWshScriptExec.StdOut
    ' Count only genuine echo replies from the target itself. A router on
    ' the path answers "Reply from <router>: Destination host unreachable",
    ' which also starts with "Reply" but carries no TTL, so matching just
    ' the word "Reply" would stop the sweep at the wrong address.
    While Not objStdOut.AtEndOfStream
        strLine = objStdOut.ReadLine
        If InStr(strLine, "Reply from " & strTarget & ":") = 1 _
           And InStr(strLine, "TTL=") > 0 Then
            y = y + 1
        End If
    Wend
    If y > 0 Then
        WScript.Echo "Found: " & strTarget
        Exit For
    End If
Next
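As an added example (not the post's script), here is the same sweep in Python, which pings all 256 candidates in parallel instead of one at a time and only accepts an echo reply that comes from the target itself, since a router in the path answers "Reply from <router>: Destination host unreachable", which also begins with "Reply". The function names, the 10.x.0.11 pattern and the sample ping transcripts are assumptions for the demo; the parser handles both Windows and Linux ping output.

```python
"""Parallel ping sweep with a reply parser that is not fooled by routers.

Added example, not the VBScript from the post. Assumes a system `ping`
binary; the sample ping output below is constructed for the demo.
"""
import re
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# A genuine echo reply names the target and carries a TTL:
#   Windows: "Reply from 10.42.0.11: bytes=32 time<1ms TTL=64"
#   Linux:   "64 bytes from 10.42.0.11: icmp_seq=1 ttl=64 time=0.045 ms"
# "Reply from 10.1.0.1: Destination host unreachable." starts with "Reply"
# but comes from a router and has no TTL, so it must not count as a hit.
REPLY_RE = re.compile(
    r"^(?:Reply from|\d+ bytes from) (\d+\.\d+\.\d+\.\d+):.*\bttl=\d+",
    re.IGNORECASE | re.MULTILINE,
)


def parse_ping(output: str, target: str) -> bool:
    """True only if the target itself answered at least once."""
    return any(addr == target for addr in REPLY_RE.findall(output))


def ping_cmd(target: str) -> list:
    """One probe with a 1 s timeout, in the syntax of the local ping."""
    if sys.platform.startswith("win"):
        return ["ping", "-n", "1", "-w", "1000", target]
    return ["ping", "-c", "1", "-W", "1", target]


def ping(target: str) -> bool:
    """Run one ping and decide purely from its stdout, like the VBScript did."""
    try:
        proc = subprocess.run(ping_cmd(target), capture_output=True,
                              text=True, timeout=5)
    except (subprocess.TimeoutExpired, OSError):
        return False
    return parse_ping(proc.stdout, target)


def candidates(pattern: str = "10.{}.0.11", span=range(256)) -> list:
    """The 256 addresses the post's script walks; change the pattern for other gaps."""
    return [pattern.format(i) for i in span]


def sweep(targets, workers: int = 64) -> list:
    """Ping every candidate concurrently and return those that answered."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [t for t, alive in zip(targets, pool.map(ping, targets)) if alive]


# Constructed ping transcripts, used to check the parser without a network.
WIN_REPLY = ("Pinging 10.42.0.11 with 32 bytes of data:\r\n"
             "Reply from 10.42.0.11: bytes=32 time<1ms TTL=64\r\n")
WIN_ROUTER = "Reply from 10.1.0.1: Destination host unreachable.\r\n"
LINUX_REPLY = "64 bytes from 10.42.0.11: icmp_seq=1 ttl=64 time=0.045 ms\n"

if __name__ == "__main__":
    for host in sweep(candidates()):
        print("answered:", host)
```

With 64 workers the whole /8 slice finishes in a couple of seconds instead of the minutes a serial sweep takes, and a "Destination host unreachable" from the default gateway no longer ends the sweep early.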

Tuesday, February 19, 2008

Are you on the Juice?

Altiris, now owned by Symantec, has developed an application virtualization product called the Software Virtualization Solution (SVS). Did I mention it's free for personal use? How cool is that. I am going to give a brief overview of the software, but you should visit the Altiris Juice site to get in on this action. The Juice web site provides articles, tools and tips to help you maximize the benefits of the Software Virtualization Solution.

I think of application virtualization as VMware for applications: why virtualize the whole operating system when virtualizing the application will do? With SVS the following things are possible:

- If an application becomes corrupted, reset it to its original installed state, with ability to save user data.
- Allow multiple versions of the same application to be installed, or the ability to install applications without causing conflicts.
- Prevent applications from corrupting the operating system, such as preventing the installation of older versions of DLLs.

SVS supports Windows versions from 2000 through Vista. However, some things do not work well in a layer: drivers, virus checkers, file encryption products, OS patches, computer management agents, and applications that have dedicated drivers.

SVS works using filter drivers that intercept file and registry calls and redirect them to a folder. A user creates a Virtual Software Package (VSP) for the application they want to install, and SVS builds a virtual environment for the application that mimics the Windows registry and file system. For example, an application that overwrites a DLL with an older version could cause issues with other installed software. Under SVS, the application's write of the older DLL is instead redirected to the folder associated with that application, and when the application later runs and asks for the DLL, the SVS filter redirects the request to that same folder. In essence the application cannot modify the operating system, yet to the end user there is no difference between a virtual application and a non-virtual one.

Once the VSP is installed it can be activated, deactivated, and reset to the original configuration (like a VMware snapshot). When activated, all the files and settings for the application appear to the end user just as if the application were actually installed; when deactivated, they disappear from the user's view. Everything captured while building a VSP is contained in a "layer", which represents all the files and registry settings that make up the virtualized application. Multiple layers can be used, for example one for user data and one for the application itself, which lets you reset the application without losing the user data it contains.

You can also create Virtual Software Archive (VSA) files, which let you install the application on any computer by importing the file into SVS. There are sample VSA files you can download from Juice; try them out (they remind me of virtual appliances in VMware). These would be helpful in an enterprise environment: the administrator can deploy VSA files to all the users and easily reset them once a user breaks the application.

So what is all this good for? How about protecting your computer against untrusted software. Browsing the Internet one night you find some tool guaranteed to do what you have always wished for; how can this be true, especially since the tool lives on the trojans-r-us site? But you just gotta try it, so you use SVS to virtualize the application. That way, if it turns out to be malicious, all you have to do is deactivate the layer and its changes never reach your operating system, awesome! Keep in mind what the filter actually covers, though: it redirects file and registry writes, so the program still runs with your privileges, can read your files and can reach the network. SVS contains the installation side effects; it is not a sandbox for a hostile process. Another thought: if they offer an API into SVS, the layer's record of every file and registry touch could be used for security testing of an application, akin to strace.

Sunday, February 17, 2008

Software Assessment 3.0

Determining network resources. To finish out the series on software assessment, let's discuss how to determine the network resources the software needs in order to operate. For this you will need a protocol analyzer to capture the transactions that are happening. For my testing I use Wireshark; I am not going into great detail on how to use it, since the Wireshark documentation is very detailed and easy to understand.

The basic process is to start a capture in Wireshark, then open the software and perform some basic functions. I usually go through the menu system and try out the features, looking especially for features that cause network traffic. The vendor documentation can help by giving a clue to which ports and protocols the software uses to connect to a server or to other clients. Once you are finished trying out the features, stop the Wireshark capture. Now it is time to analyze the capture file.

After reading the Wireshark documentation, and with a basic idea of the TCP/IP protocols, you should know how to look at the packets. One useful feature in Wireshark is Follow TCP Stream, which shows the conversation between the software and the server or clients it is talking to on one screen. Of course this is only helpful if the software is using TCP. Also make sure you have a filter set to show only traffic from the computer you are testing, and only run the software under test; it is annoying to sort through network traffic that has nothing to do with the software being tested.

While reading through the capture file, keep track of all the ports and protocols being used. Usually the software will pick a random (ephemeral) source port above 1023 to send packets from; those random ports are not as important as the listening port on the server or client that receives the packets, because that is the port a firewall rule has to open. The Endpoints and Conversations windows can be useful for viewing the IP addresses and ports that were connected to during the test.

What are we looking for?

- Ensure the software will comply with the current firewall policy. If the software requires a range of ports to be opened on the firewall, that is a risk. I have seen software that required 1,000 ports to be opened on the firewall so the server could make connections back to the client; this was considered too much risk and the software was not allowed. If the network communications are contained within the LAN rather than crossing out to the Internet, the risk can be considered lower.

- Is the data encrypted or passed in clear text? In the past, when security was an afterthought, we used to see usernames and passwords passed in clear text; some protocols are designed that way, such as telnet and FTP, which is why SSH and SFTP were developed. Follow TCP Stream makes this obvious: if you can read the login in the stream, so can anyone else on the path.

- Bandwidth. How much bandwidth does the software require, and will it cause a denial of service to the other programs running on the network? If the software is constantly downloading large image or video files, it could tie up the network and starve other services. This is a judgment call, but Wireshark will give you an idea of the amount of traffic being generated, and based on your current network use you can decide whether the network can handle the new software.
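As an added example (not part of the original post), the following Python pulls the same facts out of raw frames that you would read off Wireshark's Endpoints and Conversations windows: which listening ports and peers the host under test connected to, which connections came in to it, and which packets carried a login in the clear. The frame builder, the sample capture and the host addresses are constructed for the demo; on a real capture you would feed it packets from a pcap reader.

```python
"""Port/protocol/peer inventory from raw Ethernet frames.

Added example, not from the original post. It pulls the same fields you would
read in Wireshark's Endpoints and Conversations windows and flags payloads
that carry credentials in the clear. The frames below are constructed for
the demo; on a real capture feed it packets from a pcap reader instead.
"""
import socket
import struct
from collections import Counter

TCP, UDP = 6, 17
# Strings that mean a login is crossing the wire unprotected (FTP, HTTP Basic, forms).
CLEARTEXT_MARKERS = (b"USER ", b"PASS ", b"Authorization: Basic ", b"password=")


def build_frame(src, dst, proto, sport, dport, payload=b"", syn=False, ack=False):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame (checksums left zero; never sent)."""
    if proto == TCP:
        flags = (0x02 if syn else 0) | (0x10 if ack else 0)
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload


def parse_frame(raw):
    """L3/L4 fields the assessment needs, or None if the frame is not IPv4 TCP/UDP."""
    if raw[12:14] != b"\x08\x00":            # EtherType must be IPv4
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto, src, dst = ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto not in (TCP, UDP):
        return None
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == TCP:
        data_off, flags = (l4[12] >> 4) * 4, l4[13]
        return dict(proto="tcp", src=src, dst=dst, sport=sport, dport=dport,
                    syn=bool(flags & 0x02), ack=bool(flags & 0x10), payload=l4[data_off:])
    return dict(proto="udp", src=src, dst=dst, sport=sport, dport=dport,
                syn=False, ack=False, payload=l4[8:])


def inventory(frames, host):
    """Return (outbound, inbound) Counters keyed by (proto, peer, listening port).

    Only the listener's port is kept, because that is what a firewall rule has
    to open; the random client-side port is dropped. TCP flows are counted once,
    on the opening SYN. UDP has no handshake, so replies to a port the host
    already sent from are recognised and skipped rather than reported as inbound.
    """
    outbound, inbound, udp_client_ports = Counter(), Counter(), set()
    for raw in frames:                        # frames in capture order
        p = parse_frame(raw)
        if p is None:
            continue
        if p["proto"] == "tcp" and not (p["syn"] and not p["ack"]):
            continue
        if p["src"] == host:
            if p["proto"] == "udp":
                udp_client_ports.add(p["sport"])
            outbound[(p["proto"], p["dst"], p["dport"])] += 1
        elif p["dst"] == host and not (p["proto"] == "udp" and p["dport"] in udp_client_ports):
            inbound[(p["proto"], p["src"], p["dport"])] += 1
    return outbound, inbound


def cleartext_credentials(frames):
    """(proto, src, dst, dport) of every packet whose payload shows a login in the clear."""
    hits = []
    for raw in frames:
        p = parse_frame(raw)
        if p and any(m in p["payload"] for m in CLEARTEXT_MARKERS):
            hits.append((p["proto"], p["src"], p["dst"], p["dport"]))
    return hits


# Constructed capture: the host under test does a DNS lookup, logs in to an
# FTP server twice, and receives one inbound connection.
HOST, DNS, FTP, PEER = "192.168.1.50", "192.168.1.1", "203.0.113.10", "192.168.1.77"
DEMO_FRAMES = [
    build_frame(HOST, DNS, UDP, 51000, 53, b"\x12\x34\x01\x00"),        # DNS query
    build_frame(DNS, HOST, UDP, 53, 51000, b"\x12\x34\x81\x80"),        # DNS reply (skipped)
    build_frame(HOST, FTP, TCP, 51001, 21, syn=True),                   # FTP SYN
    build_frame(FTP, HOST, TCP, 21, 51001, syn=True, ack=True),         # SYN/ACK (skipped)
    build_frame(HOST, FTP, TCP, 51001, 21, b"USER alice\r\n", ack=True),
    build_frame(HOST, FTP, TCP, 51001, 21, b"PASS hunter2\r\n", ack=True),
    build_frame(PEER, HOST, TCP, 40000, 8080, syn=True),                # someone connects in
    build_frame(HOST, FTP, TCP, 51002, 21, syn=True),                   # second FTP session
]

if __name__ == "__main__":
    out, inc = inventory(DEMO_FRAMES, HOST)
    print("outbound:", dict(out))
    print("inbound:", dict(inc))
    print("cleartext logins:", cleartext_credentials(DEMO_FRAMES))
```

The outbound counter is the list you take to the firewall team (udp/53 to the DNS server, tcp/21 to the FTP host), the inbound counter shows that something on the LAN connects to the host on tcp/8080, and the credential scan is the automated version of reading the FTP login in Follow TCP Stream.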

An interesting example: you have a software product that performs periodic updates to itself, and in the capture we see this kind of dialogue:
- DNS request for the vendor website
- Connect to the website; the website sends a list of the program files with version numbers
- Client compares the versions it received with the versions installed
- Client downloads any files that have a newer version

Is this a risk?

If I were attacking this system, all I would have to do is make sure the DNS request resolves to my malicious server; the client would then automatically download any file I presented as an update. It is not that difficult to modify or add code to a DLL that is called every time the program runs. Without any authentication of the update server or integrity protection on the files, this becomes a serious risk, and how serious also depends on how important the system running this software is.
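As an added example (not the vendor's code), here is the captured update flow written out as code beside a hardened version that survives the redirected DNS answer: the client only installs a file whose SHA-256 is listed in a manifest that verifies under a key the client already holds, and it refuses downgrades. HMAC-SHA256 stands in for the vendor's signature so the example runs on the standard library alone; a real updater would pin a public key and verify an asymmetric signature, and fetch over TLS. The key, file contents, manifests and function names are all constructed for the demo.

```python
"""Update check that survives a redirected DNS answer.

Added example, not the vendor's code. weak_update() is the captured exchange:
version compare, download, install, nothing authenticated. hardened_update()
installs a file only if it is listed, with its SHA-256, in a manifest that
verifies under a key the client already holds. HMAC-SHA256 stands in for the
vendor's signature so this runs on the standard library alone; a real updater
would pin a public key and verify an asymmetric signature, and fetch over TLS.
All keys, file contents and manifests below are constructed for the demo.
"""
import hashlib
import hmac
import json

VENDOR_KEY = b"constructed-vendor-key-baked-into-the-client"


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def sign_manifest(files: dict, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: sign the canonical JSON of {name: {version, sha256}}."""
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> dict:
    """Client side: reject the manifest unless it was signed with the pinned key."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("sig", ""))):
        raise ValueError("manifest signature invalid: refusing update")
    return manifest["files"]


def weak_update(installed: dict, manifest: dict, fetch) -> dict:
    """Installs whatever the server that answered the DNS query says is newer."""
    applied = {}
    for name, meta in manifest["files"].items():
        if meta["version"] > installed.get(name, 0):
            applied[name] = fetch(name)
    return applied


def hardened_update(installed: dict, manifest: dict, fetch) -> dict:
    """Authenticate the manifest, then accept only files whose hash it lists.

    The version check also refuses downgrades, which blocks replaying an old
    but genuinely signed manifest that points at a since-patched DLL.
    """
    files = verify_manifest(manifest)
    applied = {}
    for name, meta in files.items():
        if meta["version"] <= installed.get(name, 0):
            continue
        blob = fetch(name)
        if not hmac.compare_digest(sha256_hex(blob), meta["sha256"]):
            raise ValueError(f"{name}: download does not match manifest hash")
        applied[name] = blob
    return applied


# --- constructed scenario ----------------------------------------------------
INSTALLED = {"core.dll": 1}
GENUINE_FILES = {"core.dll": b"genuine core v2"}
GENUINE_MANIFEST = sign_manifest(
    {"core.dll": {"version": 2, "sha256": sha256_hex(GENUINE_FILES["core.dll"])}})

# Attacker who controls the DNS answer: serves its own manifest and a trojaned DLL.
EVIL_FILES = {"core.dll": b"backdoored core"}
EVIL_MANIFEST = {"files": {"core.dll": {"version": 99,
                                        "sha256": sha256_hex(EVIL_FILES["core.dll"])}},
                 "sig": "deadbeef"}


def run_scenarios() -> dict:
    """Outcome of each flow against the genuine server and the hijacked one."""
    result = {
        "weak_vs_evil": weak_update(INSTALLED, EVIL_MANIFEST, EVIL_FILES.get),
        "hardened_vs_genuine": hardened_update(INSTALLED, GENUINE_MANIFEST, GENUINE_FILES.get),
    }
    try:                                  # forged manifest from the attacker's server
        hardened_update(INSTALLED, EVIL_MANIFEST, EVIL_FILES.get)
        result["hardened_vs_evil"] = "installed"
    except ValueError as e:
        result["hardened_vs_evil"] = str(e)
    try:                                  # genuine manifest relayed, file swapped on the wire
        hardened_update(INSTALLED, GENUINE_MANIFEST, EVIL_FILES.get)
        result["hardened_vs_swapped_file"] = "installed"
    except ValueError as e:
        result["hardened_vs_swapped_file"] = str(e)
    return result


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(scenario, "->", outcome)
```

The weak flow installs the backdoored DLL as soon as the attacker's manifest claims a higher version; the hardened flow rejects the forged manifest outright and, even when a genuine manifest is relayed, rejects a file whose hash does not match it. Controlling DNS buys the attacker nothing without the vendor's signing key.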

Thursday, January 31, 2008

Staying on top with ntop


People have been complaining that not enough bandwidth is available on the lab network for performing testing. To get management to spend some extra money on a faster connection, we needed proof that in fact there is not enough bandwidth.

The lab network consists of a cable modem connection to the Internet. The cable modem connects through a firewall to an internal switch. From the switch multiple internal networks are connected. We needed to find a solution with the capability to easily track network statistics.

Within a short time a solution was theorized consisting of an old Dell laptop, Linux Mint 4.0 Live CD, and ntop. Using these tools, we were able to setup an awesome monitoring station.

By now you are asking what the heck ntop is. Well, check it out: ntop is a network traffic probe that shows network usage. It is based on libpcap and written to run on virtually every Unix platform and on Win32. Users navigate the traffic information through a web browser (ntop acts as a web server) and get a dump of the network status and statistics. That sounds awesome, right? Well, it is.

We used Linux Mint because, why not, somebody in the office had just downloaded it and wanted to try it out. Linux Mint is known to have excellent hardware support, which is a good thing when using old hardware. We plugged the laptop into an empty switch port and turned on port mirroring in order to capture all the traffic on the network.

Install process:
- Boot the machine with the Linux Mint CD
- Use Synaptic Package Manager to install ntop version 3.2, the current version in the Debian tree
- Part of the installation uses an init script to get the groundwork completed
- Start ntop; it needs to be run as root from the command line: sudo ntop -w 54321
54321 is the port for the web server that displays the statistics. As a side note, you can also use -W to serve over HTTPS if security is more of an issue.

ntop gives all sorts of stats: total bytes/packets sent and received, a list of all hosts that have sent packets, traffic organized by application and protocol, and a whole host of others. Using the Round Robin Database plugin you can keep detailed long-term statistics and print out nice fancy graphs. Hopefully, with our new statistics from ntop, we will be upgrading the Internet connection.

Friday, January 25, 2008

CyberWars

Photo courtesy of altemark
Reading the latest news about Project Chanology, described as a digital assault on the Church of Scientology, I am amazed at how people are using the Internet to spread their message. Here you have a site, YouTube, that lets people upload videos of anything they want. What a great creative outlet; I admit I am one of the YouTube junkies. Just the other day USA Today had a story about YouTube hooking up with the World Economic Forum:

“What is different is the venue. The forum is not easy to attend and not cheap, either, but by linking up with YouTube, the forum is providing numerous clips of its sessions and speeches for all to see, hear and comment on.”

Through YouTube, people have access to information they did not have before; of course, that can be said about the Internet in general. Now you find out YouTube is being used to instigate a cyberwar. It started when a video of Tom Cruise talking about Scientology was uploaded to YouTube. Parodies of the video were soon made (My Favorite). Anyway, the Church of Scientology stepped in, claimed copyright infringement and pressured YouTube to remove the video.

Once the video was removed, a group named "Anonymous" posted a video declaring cyberwar on the Church of Scientology because of its "campaigns of misinformation, your suppression of dissent and your litigious nature. All of these things have caught our eye. With the leakage of your latest propaganda video into mainstream circulation the extent of your malign influence over those who have come to trust you as leaders has been made clear to us. Anonymous has therefore decided that your organization should be destroyed."

Anonymous has been successful in knocking out the Scientology website; they accomplished this using a Distributed Denial of Service (DDoS) attack. Linuxhaxor.net has a good article on how the attack is being performed and how to participate.

This is just the latest in a list of cyber attacks that will be written about in the history books. Cyberspace has no boundaries, allowing people to accomplish anything they want. Who makes the judgment call that the Church of Scientology is bad and should not be allowed to pull videos that show it in a bad light? Well, in cyberspace anybody can, and anybody actually has the power to attack. Of course, if you are claiming free speech then that means everybody has free speech, even if you don't like them.

Establishments need to recognize that once it's out there, it's out there, and you just have to wait for it to pass (Gawker.com still has the video posted). Establishments should realize that tactics that work in the real world do not necessarily translate to the cyber world.

Note: CyberWar, Frontline has done an excellent program on the history of cyberwar and what it means to America. I highly suggest watching it.

Tuesday, January 22, 2008

Software Assessment 2.0

Up to this point we have logged all the file and registry changes and sorted through them to determine that the changes made by installing the software are a low risk to our secure machine. The next step: research the product. As I think about it, this actually should be the first step.

Vendor documentation: read through the documentation to get an understanding of what the software does and how it does it. I usually look for technical details, such as the ports and protocols the software uses. Note: read through the user agreement too. I have seen many times where it says that installing the software gives the vendor the right to collect information on your system, or that the software will phone home every so often.

An example is from the Google Earth license:

The Software may communicate with Google servers from time to time to check for available updates to the Software, such as bug fixes, patches, enhanced functions, missing plug-ins and new versions (collectively, "Updates"). By installing the Software, you agree to automatically request and receive Updates.

Your security policy might state not to allow automatic updates, so you would not allow this software.

You also need to know the type of data the software processes and ensure that data is protected. For example, if you are working with health care data and the software has an internal database, then you need to ensure the software protects the data as HIPAA requires, by encrypting it and only allowing authorized access. Vendor documentation usually states the safeguards; if not, contact someone at the company and ask.

Next, a vulnerability check: look the software up for known vulnerabilities and issues in the online vulnerability databases. You can quickly search for information on the security of the product on the following sites:

- National Vulnerability Database: U.S. government repository of standards based vulnerability management data
- SecurityFocus: vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs
- milw0rm:site promotes open source security by posting exploits found in popular programs

Searching these sites will give you an understanding of the vulnerabilities and problems with the software, and usually of the mitigation techniques as well.

For example, if we search the National Vulnerability Database for Google Earth we get (I really don't mean to pick on Google, it's just an easy example):

Which basically says that by introducing a bad mapping file you can cause a buffer overflow in the application. Now that we know buffer overflows are possible through mapping files, to mitigate the risk we would enact a policy that users may only connect to a specific mapping server (the Google Earth server) or to trusted servers. Vulnerability websites can be very useful for determining the amount of risk brought to the network and to the secure computer. If you can't find anything on those sites, try Google.

Another useful site is the National Checklist Program, the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications. The checklist program can give detailed guidance on securely installing certain software. In my experience it is always good to have a configuration checklist for installing software, to ensure that whenever or wherever the software is installed it ends up in the same configuration. Most of the time it will be up to the security professional to create this list, but sometimes a checklist has already been developed that can be used.

Do your research: if you want to introduce new software into your secure configuration, you need to make sure all the homework has been done. As I said above, I would actually perform this step first; you might be able to rule out installing the software based on the vulnerabilities found alone. If everything turns out well, then I highly suggest having a configuration checklist guide for the software. Happy researching.