Lecture 5 Outline (April 8, 2015)

Lecture 5 Outline (April 8, 2015)

Reading: [Chr11,OWA13]
Assignment: Program 1, due April 15, 2015
  1. Discussion problem of the day
  2. Some common vulnerabilities
    1. Catalogues: CVE (Common Vulnerabilities and Exposures), CWE (Common Weakness Enumeration)
    2. 2011 MITRE/SANS Top 25 Most Dangerous Software Errors
    3. OWASP Top 10 – 2013 rc1 The Ten Most Critical Web Application Security Risks
  3. MITRE/SANS list
    1. Insecure interactions among components
      1. SQL injection
      2. OS command injection
      3. Cross-site scripting
      4. Unrestricted upload of file with dangerous type
      5. Cross-site request forgery
      6. URL redirect to untrusted site
    2. Risky resource management
      1. Buffer copy without checking size of input
      2. Improper limitation of a pathname to a restricted directory
      3. Download of code without integrity check
      4. Inclusion of functionality from untrusted control sphere
      5. Use of potentially dangerous function
      6. Incorrect calculation of buffer size
      7. Uncontrolled format string
      8. Integer overflow or wraparound
    3. Porous defenses
      1. Missing authentication for critical function
      2. Missing authorization
      3. Use of hard-coded credentials
      4. Missing encryption of sensitive data
      5. Reliance on untrusted inputs in a security decision
      6. Execution with unnecessary privileges
      7. Incorrect authorization
      8. Incorrect permission assignment for critical resource
      9. Use of a broken or risky cryptographic algorithm
      10. Improper restriction of excessive authentication attempts
      11. Use of a one-way hash without a salt
  4. OWASP list
    1. Injection
    2. Broken authentication and session management
    3. Cross-site scripting
    4. Insecure direct object references
    5. Security misconfiguration
    6. Sensitive data exposure
    7. Missing function level access control
    8. Cross-site request forgery
    9. Using known vulnerable components
    10. Unvalidated redirects and forwards
  5. Comparison
    1. Everything on the OWASP list is also on the MITRE/SANS list
    2. Injection is #1 on both lists
    3. The MITRE/SANS list covers vulnerabilities generally; OWASP covers only web vulnerabilities



Discussion Problem. You discover a security flaw in the operating system on your company’s computer. The flaw enables any user to read any other user’s files, regardless of their protection. You have several choices: you can keep quiet and hope no-one else discovers the flaw, or tell the company, or tell the system vendor, or announce it on the Internet.

  1. Suppose an exploitation of the vulnerability could be prevented by proper system configuration. Which of the above courses of action would you take, and why?
  2. If an exploitation of the vulnerability could be detected (but not prevented) by system administrators, how would this change your answer to the first question?
  3. Now suppose no exploitation of the vulnerability can be detected or prevented. Would this change your answer, and if so, how?

You can also obtain a PDF version of this. Version of April 8, 2015 at 7:15AM