LA JOLLA, Calif. -- One reason software security vulnerabilities are so tough to fix is because they are so hard to find. Unlike other bugs that become apparent when an application acts up, security holes tend to hide from normal view. And that's just how the hacker underground likes it.
"If we want to master finding, fixing and remediating security vulnerabilities, it's these side behaviors we have to understand," explained computer scientist James A. Whittaker, co-author of How to Break Software Security, during Wednesday's Secure Software Summit in San Diego. The three-day conference is tailored to those who manage and create software applications, which now are estimated to account for 75% of hacker attacks.
Much of the event focused on ways to better build apps and then audit them for holes that hackers can exploit. But speakers like Whittaker, who works at both the Florida Institute of Technology and application security provider Security Innovations, also urged developers to understand their adversaries. Hackers, he said, tend to be one-trick ponies. "They've perfected their method of getting into your software and that's it… All they need to get into your network is one hole," he said.
"Hackers also are not tied to shipment schedules or stockholders. They don't
"Their entry points are very obscure and if you can't think like a hacker or attacker or someone who wants to do you harm, you will have a very hard time finding these vulnerabilities," he said. Four likely entry points for the malicious-minded include an application's user input (such as login screens and Web forms); remote, corrupt or secret files; libraries and networks (missing libraries, corrupt packets, bandwidth attacks); and operating systems (through resource starvation, for example). In addition to social engineering, attackers typically breach a system by sending input it can't handle; rigging the environment; or turning a program's own logic against itself.
Sending input a system can't or shouldn't handle
Bad input, such as manipulating data values in Web services, is a growing threat. Developers typically pay little attention to default values because they've assigned them and don't expect a user to change them. That makes a development team less likely to check default values for tampering. During a demonstration, Whittaker was able to introduce a negative number into the 1-10 quantity selections for an online bookstore order form. The result, of course, was an order that produced a negative dollar total, essentially paying the buyer, rather than seller. He referred to these as "smoking inputs" -- inputs that are bad for the health of the system.
Rigging the environment
A hacker also can rig a software environment by hiding code in files and installing Trojans that monitor browser activity. This manipulation allows remote control of a machine, frequently without anyone detecting subtle changes.
Turning a program's logic against itself
Logic flaws are most difficult to find. Because compilers are getting better at detecting buffer overflows, hackers are turning more attention to using a systems' logic against itself. For instance, attackers will manipulate "loops" or change code paths to reverse a program's intent. A pop-up warning against accepting a task, such as launching a forbidden executable, can be changed to do the opposite -- and install malicious code -- if the user complies and clicks the "No" button to reject the task.
Whittaker, whose company recently released a controversial report showing Windows' vulnerability record was better than Linux's, also cautioned against placing too much faith in any operating system, since all have been found to contain security flaws. Also, targets constantly shift. "If your software is on a machine that is doing something important, it's a target."