Reversing into the future - perspectives on Application Security
[email protected] SMIEEE, MACM, MComSoc
The Attack Surface, Security Standards, Academic Research, Real-world Solutions, Future Internet Architecture
Problem Space
❖ Too many standards
❖ Legacy and silo architecture
❖ Pundit/vendor-led product set
❖ Poor strategy, technology, leadership
❖ Old Internet protocols
❖ Internet of Everything
❖ Out-of-date skillsets
Old and New Ideas
❖ Business Process Modelling (BPMN)
❖ CaaS: Configuration as a Service
❖ Capabilities
❖ New languages, techniques and applications
❖ HAG: High Assurance Guard - software firewalls, bpfjit
❖ MMOONs: Massive Message-Orientated Overlay Networks
❖ Content-orientated internet (CoLoR)
Impact:
❖ Significant increase in security
❖ Real-time everything
❖ Seamless data
❖ Everything just works
❖ Stronger authentication (biometric)
❖ New skillsets required
Timeline (2015 to 2030, in three-year steps): BPMN, Capabilities, CoLoR, HAG, MMOONs.
Attack Surface
"Distrust and caution are the parents of security." - Benjamin Franklin
Application Attack Landscape: OWASP Top 10 (2013) - mitigation
❖ A1 Injection: parameterised API, HAG, whitelist, escaping, filters (signatures, regex)
❖ A2 Broken Authentication and Session Management: encryption, session timeout, invalidation on logout, rotation, randomisation
❖ A3 Cross-Site Scripting (XSS): validation libraries, filters, HAG, whitelists, code analysis, JavaScript/HTML escaping or disablement, closures (function references with local state)
❖ A4 Insecure Direct Object References: obfuscation, access control, per-session references
❖ A5 Security Misconfiguration: config service, two-way encryption, version management (BOM, tags), verification
Application Attack Landscape: OWASP Top 10 (2013) - mitigation (continued)
❖ A6 Sensitive Data Exposure: encryption, HAG, access logging and alerting, data management, ephemeral keys
❖ A7 Missing Function Level Access Control: entitlements, whitelists, authentication, automated active config checks; lifecycle: audit, revoke and grant
❖ A8 Cross-Site Request Forgery (CSRF): hidden token
❖ A9 Using Components with Known Vulnerabilities: CVE tracking, analytics (Skybox), development practices, code analysis, BOM
❖ A10 Unvalidated Redirects and Forwards: whitelist, avoid altogether, HAG
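Four of the mitigations on the OWASP slides above, in runnable form. This is an added example and not code from the original deck: the table rows, the allowlisted hosts, the server key and the function names are constructed for illustration.

```python
"""Added example, not from the original slides: four of the OWASP Top 10
mitigations listed above (A1 parameterised API, A4 per-session references,
A8 hidden token, A10 redirect whitelist) in runnable Python.  Names, the
allowlisted hosts and the sample rows are constructed for illustration."""
import hashlib
import hmac
import secrets
import sqlite3
from urllib.parse import urlsplit


# A1 Injection: string splicing versus a parameterised API.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])   # constructed rows
    return db


def lookup_vulnerable(db, name):
    # Deliberately vulnerable: the untrusted value becomes part of the SQL text.
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(db, name):
    # Parameterised: the driver binds the value; it can never change the query.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# A4 Insecure Direct Object References: hand out random per-session handles
# instead of database ids, and resolve them only through the session's own map.
class IndirectRefs:
    def __init__(self):
        self._by_handle = {}

    def handle_for(self, real_id):
        handle = secrets.token_urlsafe(8)
        self._by_handle[handle] = real_id
        return handle

    def resolve(self, handle):
        return self._by_handle.get(handle)   # None: not issued to this session


# A8 CSRF: a hidden form token bound to the session with a server-side key.
SERVER_KEY = secrets.token_bytes(32)   # constructed: one secret per deployment


def csrf_token(session_id):
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(session_id, submitted_token):
    return hmac.compare_digest(csrf_token(session_id), submitted_token)


# A10 Unvalidated Redirects: accept same-origin paths or allowlisted hosts only.
ALLOWED_HOSTS = {"example.com", "www.example.com"}   # constructed allowlist


def safe_redirect_target(url, default="/"):
    parts = urlsplit(url)
    # Relative path on our own origin.  Reject "//host" (scheme-relative) and
    # backslashes, which some browsers treat as "/".
    if not parts.scheme and not parts.netloc and url.startswith("/") \
            and not url.startswith("//") and "\\" not in url:
        return url
    # Absolute URL: scheme and *parsed* hostname must match, so
    # "https://example.com@evil.example/" fails (hostname is evil.example).
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return url
    return default
```

The injection pair is the point of the A1 bullet: the tautology `x' OR '1'='1` returns every row from `lookup_vulnerable` and nothing from `lookup_safe`. The redirect check validates the parsed hostname rather than the string prefix, which is what defeats the userinfo and scheme-relative tricks.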
Analysis and Discussion
❖ Causes of attacks and flaws
❖ Failure of crypto (MITM, OpenSSL)
❖ Monolithic software engineering
❖ Lack of OS support
❖ Your thoughts?
The Standards Bodies
"The nice thing about standards is that you have so many to choose from." - Andrew S. Tanenbaum
Security Standards
❖ ISO 2700*, PCI-DSS, COBIT, BITS
❖ Ontological frameworks designed to be tailored to your organisation, then certified for compliance by external companies.
❖ Paper frameworks - lack: operational integration, SLA monitoring, adaptive analytics, KPIs, dynamic threat discovery
❖ BSIMM - follow the herd: what everyone else does, allegedly [2]
❖ FFIEC - Federal Financial Institutions Examination Council [3]
❖ Another American FIST organisation - for home lending.
❖ "helping to make banks less vulnerable and more resilient to cyber-attacks" - top priority
❖ SAFECODE - developer education [4]
❖ Institute of Internal Auditors' GTAG 8
❖ Controls and static monitoring.
All of the above have little or no connection to the developer community.
Analysis and Discussion
Security Frameworks and Standards
❖ Aid to problem definition and understanding
❖ 2D, hierarchical
❖ Static
❖ Ignore complexity
❖ Categorisation: multiple categories, limited number, trite analogies
❖ Lack feedback mechanisms
❖ Dissemination and updates
❖ Tickbox audit
❖ Disconnect from business processes, KPIs
❖ Thoughts?
New Ideas
❖ The demise of MS Office - let's use proper tools
❖ Internet generation Y
❖ Business Process Modelling Notation
❖ Process engines (Bonitasoft) - model, deploy and monitor
❖ Visualisation
Academia
"Academics have 98% of the time and 2% of the data - in the real-world it's the other way round" - Professor Duncan Shaw, Warwick University, 2008
The Academic Landscape - The Good and Bad
❖ Abstract Non-Interference
  ❖ considers attackers as data-flow analysers, whose task is to reveal properties of confidential resources by analysing public ones
  ❖ The reality is state- and organised-crime-sponsored hacking using intuition, inference and lateral analytics.
❖ Automated Vulnerability Testing
  ❖ XSS and SQLi attacks not found by many commercial tools [5]
❖ Applying OR, Sociology and Ecology Techniques
  ❖ A greater socio-technical focus is necessary [6]
  ❖ Monocultures are dangerous [7]
Application Security Analytics
❖ Fuzzing Attacks
  ❖ subject the app to random data: mutation- or generation-based
  ❖ Coverage is not defined
  ❖ Doesn't mitigate parameter manipulation attacks. Major failures discovered [1]
❖ DEA - Data Envelopment Analysis [8]
  ❖ OR technique used to measure the relative performance of business units
  ❖ Applied to IT security solutions to discover best practices
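The fuzzing bullets above make two claims: a mutation-based fuzzer finds robustness bugs, and it says nothing about parameter manipulation. The following added example (not from the original slides) shows both against a toy order handler whose parser, price table and seed request are constructed here; only the mutation-based variant is implemented, and the fuzzer's single oracle is "did the target raise".

```python
"""Added example, not from the original slides: a mutation-based fuzzer run
against a toy order handler, beside a parameter-tampering check the fuzzer
cannot express.  The handler, its price table and the seed request are
constructed for illustration."""
import random

CATALOGUE_PRICE = {"sku-1": 1000}           # constructed: server-side price in pence
SEED_INPUT = b"sku=sku-1&qty=2&price=1000"  # constructed: one valid request


def parse_order(raw):
    """Fragile parser: assumes ASCII, one '=' per field and numeric qty/price."""
    fields = {}
    for part in raw.decode("ascii").split("&"):
        key, value = part.split("=")        # ValueError if '=' missing/repeated
        fields[key] = value
    return fields["sku"], int(fields["qty"]), int(fields["price"])


def checkout(raw):
    """Server handler with a logic flaw: it trusts the client-supplied price."""
    sku, qty, price = parse_order(raw)
    if qty <= 0 or sku not in CATALOGUE_PRICE:
        return None
    return qty * price                      # should be qty * CATALOGUE_PRICE[sku]


def mutate(seed, rng):
    """Mutation-based: overwrite one to three random bytes of a valid input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        data[rng.randrange(len(data))] = rng.randrange(256)
    return bytes(data)


def mutation_fuzz(target, seed, iterations=500, rng_seed=1):
    """The fuzzer's only oracle is 'did the target raise'.  Returns the first
    crashing case as (iteration, input, exception name), or None."""
    rng = random.Random(rng_seed)
    for n in range(1, iterations + 1):
        case = mutate(seed, rng)
        try:
            target(case)
        except Exception as exc:            # robustness bug found
            return n, case, type(exc).__name__
    return None


def tamper_check(target, seed):
    """Parameter manipulation needs a semantic oracle: the same request with a
    lowered price must NOT be accepted at the lowered total."""
    fields = dict(p.split("=") for p in seed.decode("ascii").split("&"))
    honest_total = target(seed)
    fields["price"] = "1"
    tampered = "&".join(f"{k}={v}" for k, v in fields.items()).encode("ascii")
    tampered_total = target(tampered)
    expected = int(fields["qty"]) * CATALOGUE_PRICE[fields["sku"]]
    return {"honest": honest_total, "tampered": tampered_total,
            "trusts_client_price": tampered_total is not None
                                   and tampered_total != expected}
```

`mutation_fuzz(checkout, SEED_INPUT)` returns a decode or parse exception within a few iterations, but a tampered price makes `checkout` return normally, so no amount of random mutation flags it; `tamper_check` does, because it knows what the field means. That is the gap reference [1] describes.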
Analysis and Discussion
❖ Significant broad research activity
❖ Reputation driven, siloed, variability
❖ Lack of data a key problem
❖ Often highlight problems, but provide few solutions
❖ Some excellent innovation (e.g. Capsicum)
❖ Weak links with industry
❖ Framework and abstract-model thinking
❖ Thoughts?
Ideas
❖ Solve the data issue whilst maintaining privacy
❖ Stronger collaboration with industry players
❖ Focus on solutions
❖ Better research
❖ Industry peer review
❖ Thoughts?
The Real World
"The new garbage collector is an arena-based, quad-color incremental, generational, non-copying, high-speed, cache-optimised garbage collector." - Mike Pall, LuaJIT.org
Application Configuration
Static configuration is a very bad idea:
❖ Developer initiated, support controlled
❖ Badly documented, rarely versioned
❖ Separation of duties breaks the change lifecycle
❖ Syntax errors, duplication, bloat
❖ Rarely in the integration test lifecycle
❖ Hand-crafted for particular instances
❖ Wrong version picked up on startup
❖ No dynamic capability
CaaS: Configuration as a Service
❖ App talks to config servers over secure channels
❖ Encrypted session initiated from servers to app
❖ App certifies the servers against the server pool (quorum, n of m)
❖ Servers certify the app (fingerprint, checksum)
❖ Configuration pulled from server n
❖ Verification program from m
❖ Config checked and audited
❖ Connection maintained
❖ Config or auth can be changed in real time
❖ Usage data collected - service level established
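The CaaS bullets above describe one procedure: the servers certify the app by fingerprint, the app pulls a configuration from one server, collects verification from the rest of the pool and accepts only on an n-of-m quorum, logging the outcome. The sketch below is an added example, not the deck's own design or code: the transport is omitted (a real deployment would use mutual TLS for the "secure channels"), and the per-server HMAC keys, the expected app fingerprint and the config values are constructed stand-ins.

```python
"""Added example, not from the original slides: a sketch of the CaaS handshake
described above, with m config servers, a fingerprint check of the app, and an
n-of-m quorum on the configuration digest.  Real deployments would use mutual
TLS; the per-server HMAC keys, the expected fingerprint and the config values
are constructed stand-ins."""
import hashlib
import hmac
import json
import secrets

APP_FINGERPRINT = hashlib.sha256(b"app-build-1.2.3 (constructed)").hexdigest()
GOOD_CONFIG = {"db_host": "db.internal", "log_level": "info"}        # constructed
TAMPERED_CONFIG = {"db_host": "db.attacker.example", "log_level": "info"}


def canonical(config):
    """Stable serialisation so every server hashes the same bytes."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


class ConfigServer:
    def __init__(self, name, key, config, expected_fingerprint):
        self.name, self._key = name, key
        self._blob = canonical(config)
        self._expected_fp = expected_fingerprint

    def _certify_app(self, fingerprint):
        # "Servers certify the app": refuse unknown builds.
        if not hmac.compare_digest(fingerprint, self._expected_fp):
            raise PermissionError(f"{self.name}: unknown app fingerprint")

    def fetch(self, fingerprint):
        self._certify_app(fingerprint)
        return self._blob

    def attest(self, fingerprint):
        """Digest of the config this server holds, MACed with the server's key."""
        self._certify_app(fingerprint)
        digest = hashlib.sha256(self._blob).hexdigest()
        tag = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        return digest, tag


def build_pool(m=3, tampered_index=None):
    """m servers sharing one config; optionally one serves a tampered copy."""
    keys = {f"cfg-{i}": secrets.token_bytes(32) for i in range(m)}
    servers = [ConfigServer(name, key,
                            TAMPERED_CONFIG if i == tampered_index else GOOD_CONFIG,
                            APP_FINGERPRINT)
               for i, (name, key) in enumerate(keys.items())]
    return servers, keys


def fetch_verified_config(servers, keys, fingerprint, quorum, audit):
    """Pull config from servers[0], collect attestations from all m, and accept
    only if at least `quorum` valid attestations match the pulled digest.
    A server serving a tampered copy also attests to it, so quorum must be a
    majority of m for one bad server to be outvoted."""
    blob = servers[0].fetch(fingerprint)
    digest = hashlib.sha256(blob).hexdigest()
    agree = 0
    for srv in servers:
        try:
            d, tag = srv.attest(fingerprint)
        except PermissionError as exc:
            audit.append(str(exc))
            continue
        expected = hmac.new(keys[srv.name], d.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            audit.append(f"{srv.name}: bad attestation tag")
        elif d != digest:
            audit.append(f"{srv.name}: digest mismatch {d[:8]} vs {digest[:8]}")
        else:
            agree += 1
    if agree < quorum:
        audit.append(f"rejected: {agree}/{len(servers)} agree, quorum {quorum}")
        raise RuntimeError("configuration failed quorum verification")
    audit.append(f"accepted {digest[:8]}: {agree}/{len(servers)} agree")
    return json.loads(blob)
```

With three servers and a quorum of two, one tampered replica is outvoted and recorded in the audit list; if the replica the app happens to pull from is the tampered one, its own attestation still counts, which is why the quorum has to be a majority rather than "any two".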
Capabilities
❖ Unforgeable tokens of authority
❖ Implemented in the OS
❖ Capsicum [11], now built into FreeBSD (augmented file descriptors)
❖ Greater security than hardware alone
❖ Compartmentalisation of Unix code with minimal alteration
❖ Create logical applications formed of many parts
❖ Simple and minimalist API
❖ CHERI [10]: capabilities to replace pointers (base, length and access permissions)
❖ Byte-granularity memory protection
❖ Bittau's Wedge and Crowbar [12] - auto-compartmentalisation tool
❖ Performance
High Assurance Guard - Software Firewalls
❖ CloudFlare
  ❖ XSS, SQL injection, bot crawlers, email harvesters and DoS mitigation
  ❖ WAF uses a LuaJIT regex engine
  ❖ 20,000 complex regexes/second
  ❖ New attacks on their network recognised instantaneously
  ❖ Browser protection, visitor reputation, whitelist
  ❖ Delivers the content you want, rejects the rest
  ❖ Collective intelligence
  ❖ Instant VPN (SSL tunnel)
  ❖ Threat Analytics Dashboard
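A regex-driven WAF of the kind described above lives or dies on what it matches against. The added example below (not the deck's code, and not CloudFlare's rules) uses a handful of constructed signatures over constructed query strings to show two practitioner points: the engine must normalise (URL-decode, repeatedly and with a bound) before matching, and even then a denylist misses trivially rephrased attacks, so it belongs behind the parameterised APIs and escaping listed on the OWASP slides, not in place of them.

```python
"""Added example, not from the original slides: a toy regex-signature WAF in the
style of the CloudFlare filter described above, showing why the engine must
normalise (URL-decode, repeatedly) before matching and why signatures remain a
speed bump rather than a control.  The patterns and sample query strings are
constructed; CloudFlare's real rules are not used."""
import re
from urllib.parse import unquote_plus

# Constructed denylist signatures.  Each is deliberately narrow so the bypass
# below is visible.
SIGNATURES = {
    "sqli_tautology": re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "sqli_union":     re.compile(r"(?i)\bunion\b.{0,20}\bselect\b"),
    "xss_script_tag": re.compile(r"(?i)<\s*script\b"),
    "xss_event":      re.compile(r"(?i)\bon(error|load|click)\s*="),
}


def normalise(raw, rounds=3):
    """Undo layered URL-encoding so %2527 -> %27 -> ' before matching.
    A bounded loop keeps a hostile input from costing unbounded work."""
    text = raw
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def inspect(query_string, decode=True):
    """Return the sorted names of signatures that fire on one query string."""
    text = normalise(query_string) if decode else query_string
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


REQUESTS = [                                        # constructed sample traffic
    "q=shoes&page=2",
    "id=1' OR '1'='1",
    "id=1%27%20OR%20%271%27%3D%271",                # URL-encoded once
    "id=1%2527%2520OR%2520%25271%2527%253D%25271",  # URL-encoded twice
    "q=%3Cscript%3Ealert(1)%3C/script%3E",
    "q=<img src=x onerror=alert(1)>",
    "q=1 UNION SELECT password FROM users",
    "id=1' OR 'a'='a",                              # same attack, no digits: missed
]


def scan(requests=REQUESTS, decode=True):
    """Signature hits per request; pass decode=False to see encoding evade."""
    return {r: inspect(r, decode) for r in requests}
```

`scan(decode=False)` lets the once- and twice-encoded tautologies through untouched; `scan()` catches them, but the last request still passes because the pattern insists on digits. That asymmetry (one normalisation mistake or one unforeseen phrasing and the filter is blind) is why the A1 and A3 bullets list filters after parameterised APIs and escaping.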
Massive Message-Orientated Overlay Networks
❖ In the 1970s the US Naval fleet supply line was automated by the IATA protocol on message-switch networks.
❖ PubNub is pretty much the same technology in software
❖ Device agnostic, massively scalable, multiple APIs
❖ Playback and storage, push, streaming
❖ Presence: joining/leaving, occupancy
❖ Pub/Sub, broadcast, unicast, multiplex
❖ Fine-grained access control, encryption, certified data centres
Analysis and Discussion
❖ The ASCII-protocol-driven universe (FIX, JSON, node.js)
❖ From client/server to BYOD and beyond
❖ Cloud of Things, Internet of Everything
❖ Intolerable threat environment
❖ OS security features enhance application security
❖ Sophistication of design required
❖ The weak hacked off the internet
❖ Thoughts?
Future Internet
"Ending is better than mending" - Aldous Huxley
Future Internet [9]
❖ Information-centric, not host-centric
  ❖ Location- and application-independent data
❖ Separate inter- and intra-domain protocols
❖ Efficient support for mobility - seamless data migration
❖ Efficient support for multi-homing
  ❖ connection to multiple networks
❖ Enhanced security
  ❖ control incoming traffic
❖ Enhanced scalability
  ❖ efficient routing
❖ Deployability: minimum cost and change
Conclusion
"It's more fun to arrive at a conclusion than justify it" - Malcolm Forbes
References
1. Scanning of Real-world Web Applications for Parameter Tampering Vulnerabilities. Fung et al.
2. The Building Security In Maturity Model. http://www.bsimm.com/
3. The Federal Financial Institutions Examination Council. http://www.ffiec.gov/infosystem.htm
4. SAFECode. http://safecode.org/
5. State of the Art: Automated Black-Box Web Application Vulnerability Testing. http://tinyurl.com/kuvcy93
6. Towards a Holistic Understanding of Security Process. http://tinyurl.com/pvflgcz
7. Measuring Software Diversity, with Applications to Security. http://xxx.lanl.gov/pdf/1310.3307.pdf
8. DEA Applied to the Security of IT Based Information Systems. http://tinyurl.com/plvhvcy
9. CoLoR: An Information-Centric Internet Architecture for Innovations. http://tinyurl.com/nt3e32w
10. The CHERI capability model: Revisiting RISC in an age of risk. http://tinyurl.com/krvc5ul
11. Capsicum: practical capabilities for UNIX. http://tinyurl.com/qxdqvse
12. Bittau's Wedge. http://tinyurl.com/lvntbmy