2. Vulnerability
• Applied to a weakness in a system which allows an attacker to violate the integrity of that system. Vulnerabilities may result from weak passwords, software bugs, a computer virus or other malware, a script code injection, or a SQL injection.
3. Vulnerability vs. Exploit
• A security risk is classified as a vulnerability if it is recognized as a possible means of attack.
• A security risk with one or more known instances of working and fully-implemented attacks is classified as an exploit.
4. Causes
• There are multiple causes of vulnerabilities:
  • Password management flaws
  • Fundamental operating system design flaws
  • Software bugs
  • Unchecked user input
5. Password Management Flaws
• The computer user uses weak passwords that could be discovered by brute force.
• The computer user stores the password on the computer where a program can access it.
• Users re-use passwords between many programs and websites.
7. Operating System Design Flaws
• The operating system designer chooses to enforce suboptimal policies on user/program management.
• For example, operating systems with policies such as default permit grant every program and every user full access to the entire computer.
• This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.
8. Software Bugs
• The programmer leaves an exploitable bug in a software program.
• The software bug may allow an attacker to misuse an application through (for example) bypassing access control checks or executing commands on the system hosting the application.
9. Software Bugs
• Another software bug is the programmer's failure to check the size of data buffers, which can then be overflowed, causing corruption of the stack or heap areas of memory (including causing the computer to execute code provided by the attacker).
10. Unchecked User Input
• The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as buffer overflows, SQL injection or other non-validated input flaws).
11. Vulnerability Disclosure
• The method of disclosing vulnerabilities is a topic of debate in the computer security community.
• Some advocate immediate full disclosure of information about vulnerabilities once they are discovered.
• Others argue for limiting disclosure to the users placed at greatest risk, and only releasing full details after a delay, if ever.
• What do you think?
12. Vulnerability Disclosure
• Benefit of limited disclosure:
  • Such delays may allow those notified to fix the problem by developing and applying patches.
• Drawback of limited disclosure:
  • May increase the risk to those not privy to full details.
13. Full Disclosure
• Disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity.
14. Full Disclosure
• The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security.
• Fixes are produced faster because vendors and authors are forced to respond in order to save face.
• Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.
15. Responsible Disclosure
• Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround.
16. Limited Disclosure
• Another possible approach is for the full details to go to a restricted community of developers and vendors, with only the existence of the problem being released to the public.
• Nick doesn't like Limited Disclosure.
17. A.C. Hobbs - Locksmith
• A commercial, and in some respects a social doubt has been started within the last year or two, whether it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.
18. Security Through Obscurity
• Attempts to use secrecy (of design, implementation, etc.) to provide security.
• A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them.
20. Vulnerability Disclosure Date
• When can it be said that a vulnerability has been disclosed?
  1. The information is freely available to the public.
  2. The vulnerability information is published by a trusted and independent channel/source.
  3. The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure.
21. Examples of Vulnerabilities
• Buffer overflows
• Dangling pointers
• Input validation errors, such as:
  • Format string bugs
  • Improperly handling shell metacharacters so they are interpreted
  • SQL injection
  • Code injection
  • E-mail injection
  • Directory traversal
  • Cross-site scripting in web applications
• Race conditions, such as:
  • Time-of-check-to-time-of-use bugs
  • Symlink races
• Privilege-confusion bugs, such as:
  • Cross-site request forgery in web applications
  • Privilege escalation
• User interface failures, such as:
  • Warning fatigue or user conditioning
  • Blaming the victim: prompting a user to make a security decision without giving the user enough information to answer it.
22. Buffer Overflow
• A condition where a process attempts to store data beyond the boundaries of a fixed-length buffer.
• The result is that the extra data overwrites adjacent memory locations.
23. Buffer Overflow
• The overwritten data may include other buffers, variables and program flow data, and may result in erratic program behavior, a memory access exception, program termination (a crash), incorrect results or, especially if deliberately caused by a malicious user, a possible breach of system security.
24. Basic example
• In the following example, a program has defined two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 3. Characters are one byte wide.
  A                    B
  0 0 0 0 0 0 0 0      0 3
25. Buffer Overflow Example
• Now, the program attempts to store the character string "excessive" in the A buffer, followed by a zero byte to mark the end of the string. By not checking the length of the string, it overwrites the value of B:
  A                                  B
  'e' 'x' 'c' 'e' 's' 's' 'i' 'v'    'e' 0
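The overwrite on this slide, as an added C example that is not part of the original deck: the two adjacent items are modelled as one constructed 10-byte region, the unchecked copy reproduces the overwrite of B, and a bounded copy beside it shows the length check the slide says is missing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the slide's memory: the 8-byte string buffer A at
   offset 0, immediately followed by the 2-byte integer B at offset 8. */
#define A_SIZE 8u
#define REGION_SIZE (A_SIZE + sizeof(uint16_t))

struct layout { unsigned char mem[REGION_SIZE]; };

static void layout_init(struct layout *l, uint16_t b) {
    memset(l->mem, 0, A_SIZE);              /* A holds nothing but zero bytes */
    memcpy(l->mem + A_SIZE, &b, sizeof b);  /* B holds the number 3 */
}

static uint16_t layout_read_b(const struct layout *l) {
    uint16_t b;
    memcpy(&b, l->mem + A_SIZE, sizeof b);
    return b;
}

/* The slide's bug: copy characters until the terminator without ever
   comparing the source length with A_SIZE. The region bound only keeps the
   demonstration well-defined C; it stands in for "the rest of memory".
   With "excessive" (9 characters plus the zero byte) the last two bytes
   land on B. */
static void store_unchecked(struct layout *l, const char *src) {
    size_t i = 0;
    while (src[i] != '\0' && i < REGION_SIZE - 1) {
        l->mem[i] = (unsigned char)src[i];
        i++;
    }
    l->mem[i] = 0;  /* zero byte marking the end of the string */
}

/* The fix: refuse any string that does not fit in A together with its
   terminator, so B can never be touched. Returns 0 on success, -1 if
   the input is rejected. */
static int store_checked(struct layout *l, const char *src) {
    size_t n = strlen(src);
    if (n >= A_SIZE) return -1;
    memcpy(l->mem, src, n + 1);
    return 0;
}
```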
26. SQL Injection
• User input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
28. Email Injection
• A security vulnerability that can occur in Internet applications that are used to send e-mail messages. Like SQL injection attacks, this vulnerability is one of a general class of vulnerabilities that occur when one programming language is embedded within another.
30. Directory Traversal
• The goal of this attack is to make an application access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.
• Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking.
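A defensive check for the ../ attack described above, added here and not taken from the slides: a constructed safe_join() that lexically resolves a user-supplied path against a base directory and refuses anything that climbs out of it (the caller is assumed to have already URL-decoded the input).

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: resolve a user-supplied relative path against a fixed
   base directory purely lexically. "." is dropped, ".." pops the previous
   component, and anything that would climb above the base (or an absolute
   path, or a backslash, which Windows treats as a separator) is rejected.
   Returns 0 and writes the joined path to out, or -1 if the input is refused.
   A lexical check alone is not enough on a real system: a symlink inside the
   base can still point outside it, so the opened file must be checked too. */
#define MAX_COMPS 32
#define MAX_COMP_LEN 64

static int safe_join(const char *base, const char *user, char *out, size_t outlen) {
    char comps[MAX_COMPS][MAX_COMP_LEN];  /* stack of accepted components */
    int depth = 0;
    const char *p = user;

    if (user[0] == '/' || strchr(user, '\\') != NULL) return -1;
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == 0 || (n == 1 && p[0] == '.')) {
            /* empty component ("a//b", trailing "/") or ".": nothing to do */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return -1;  /* "../" here would escape the base */
            depth--;
        } else {
            if (depth >= MAX_COMPS || n >= MAX_COMP_LEN) return -1;
            memcpy(comps[depth], p, n);
            comps[depth][n] = '\0';
            depth++;
        }
        if (end == NULL) break;
        p = end + 1;
    }

    /* Rebuild the path from the base and the surviving components. */
    int written = snprintf(out, outlen, "%s", base);
    if (written < 0 || (size_t)written >= outlen) return -1;
    for (int i = 0; i < depth; i++) {
        int w = snprintf(out + written, outlen - (size_t)written, "/%s", comps[i]);
        if (w < 0 || (size_t)w >= outlen - (size_t)written) return -1;
        written += w;
    }
    return 0;
}
```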
31. Cross-Site Scripting
• Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.
33. Time-of-check-to-time-of-use
• TOCTTOU (pronounced "TOCK too") is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.
34. Confused Deputy
• A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation. In information security, the confused deputy problem is often cited as an example of why capability-based security is important.
• Billing example
35. Blaming The Victim
• Prompting a user to make a security decision without giving the user enough information to answer it.
36. Physical Security
• Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guardposts.
37. 3 Elements to Physical Security
• Obstacles, to frustrate trivial attackers and delay serious ones;
• Alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and
• Security response, to repel, catch or frustrate attackers when an attack is detected.
38. 4 Layers to Physical Security
• Environmental design
• Mechanical and electronic access control
• Intrusion detection
• Video monitoring
39. What Are Physical Security Goals?
• The goal is to convince potential attackers that the likely costs of attack exceed the value of making the attack.
• If you are unable to convince them, then the second goal comes into play: to keep them from entering.
40. Layer One - Physical
• The initial layer of security for a campus, building, office, or physical space uses Crime Prevention Through Environmental Design to deter threats. Some of the most common examples are also the most basic: barbed wire, warning signs and fencing, concrete bollards, metal barriers, vehicle height-restrictors, site lighting and trenches.
41. Layer Two - Mechanical
• Includes gates, doors, and locks.
• Key control of the locks becomes a problem with large user populations and any user turnover.
• Keys quickly become unmanageable, forcing the adoption of electronic access control.
• Electronic access control easily manages large user populations, controlling for user lifecycles, times, dates, and individual access points.
• For example, a user's access rights could allow access from 0700 to 1900 Monday through Friday and expire in 90 days.
42. Layer Three - Intrusion Detection
• Monitors for attacks. It is less a preventative measure and more of a response measure, although some would argue that it is a deterrent. Intrusion detection has a high incidence of false alarms. In many jurisdictions, law enforcement will not respond to alarms from intrusion detection systems.
43. Layer Four - Monitoring
• Typically video monitoring systems. Like intrusion detection, these are not much of a deterrent.
• Video monitoring systems are more useful for incident verification and historical analysis.
• For instance, if alarms are being generated and there is a camera in place, the camera could be viewed to verify the alarms.
• In instances when an attack has already occurred and a camera is in place at the point of attack, the recorded video can be reviewed.
• Monitoring is ALWAYS active.
44. Intertwined in These Four Layers are People
• Guards have a role in all layers.
• In the first as patrols and at checkpoints.
• In the second to administer electronic access control.
• In the third to respond to alarms. The response force must be able to arrive on site in less time than it is expected that the attacker will require to breach the barriers.
• In the fourth to monitor and analyze video.
45. Users Are Helpful Too
• Users obviously have a role also by questioning and reporting suspicious people.
• Identification systems aid in identifying people as known versus unknown.
• Often photo ID badges are used and are frequently coupled to the electronic access control system.
• Visitors are often required to wear a visitor badge.
46. Examples of Physical Security
• ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Thieves quickly learned that it was futile to steal or break into an ATM if all they got was worthless money covered in dye.
47. Examples Continued
• Safes are rated in terms of the time in minutes which a skilled, well-equipped safe-breaker is expected to require to open the safe. These ratings are developed by highly skilled safe-breakers employed by insurance agencies, such as Underwriters Laboratories. In a properly designed system, either the time between inspections by a patrolling guard should be less than that time, or an alarm response force should be able to reach it in less than that time.
48. How Is Physical Security Like Software Security?
• Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security.
• Security through obscurity can be used in the cases of software security and physical security!
• Video!