h/w
INFA 670
Assignment on Software Vulnerability
Software vulnerabilities, especially vulnerabilities in code, are a major security problem today. Not all bug or flaws in software become security vulnerabilities, but some of them do. An attacker can exploit these vulnerabilities to cause major disruption to a business. An exploit can result in a variety of damages including crash of a system, taking the role of a super user, deleting of information in a file or an entire file, changing critical content in a database or a file, stealing valuable proprietary information, planting of malware, turning a system into a bot so to launch attacks on other systems.
Common software code vulnerabilities include:
· Buffer overflow
· Logic error or logic bombs
· Race conditions
· Format string vulnerability
· Cross-site scripting
· Cross-site request forgery
· SQL and other command injection
· Memory leak
· Incomplete mediation
· Integer overflow, underflow, and sign conversion errors
· Insufficient data validation
The name of vulnerability and the name of an attack that exploits it are often called by the same name. For example, the attack that exploits the buffer overflow vulnerability is known as the buffer overflow attack. Similarly, a race-condition attack leverages a race condition vulnerability. An attacker can and have exploited more than one vulnerability in the same attack to cause more damage than would be possible with a single vulnerability.
Two organizations focus on improving software security and thus track the various vulnerabilities on a continual basis. They are (1) Common Weakness Enumeration (CWE) by SANS/Mitre
https://cwe.mitre.org/index.html
), and (2) The Open Web Application Security Project (OWASP) (see
https://www.owasp.org/index.php/About_OWASP
). I am attaching two documents here, CWE Top 25 and OWASP Top 10. Please note the vulnerabilities or the type of vulnerabilities are not the same in these two lists. This is because, OWASP’s focuses only on web applications. Also, the two lists are also not exactly the same as the above bulleted list. They do, however, overlap.
In this exercise, you will investigate two vulnerabilities of your choice from these two lists or any other reputable source. For each of the two vulnerabilities you have chosen, you will explain the vulnerability including where it occurs (e.g., C language, database, web browser, etc.), and an example attack that exploited it. You will also describe how the vulnerability can be minimized, prevented or mitigated. All the description should be in your own words. You may use code excerpt to illustrate the vulnerability or remove the flaw that is the source of the vulnerability.
Your report should not be more than two pages long (double-spaced) for each vulnerability. You need to consult at least two references for each vulnerability. If you have a good C/C++ programming background, you may want to explore the following site:
http://www.cis.syr.edu/~wedu/seed/labs.html
(See Software Security and Web Security Labs.) There is an in-depth technical description and even a video class room presentation on many of these vulnerabilities, and how to exploit them and mitigate them in a lab setting. Feel free to try the one or more of these laboratory exercises using the Ubuntu VM you can download from the site, but you are on your own. I would certainly like to hear about your experience if you have actually tried one or more of these lab exercises.
The assignment will be graded using the following rubric:
· Description of the Vulnerability: 50%
· Mitigation/Prevention Techniques: 30%
· Bibliography: 10%
· Grammar/English: 10%
The entire assignment is worth 10% of your final grade.
OWASP Top 10 – 2013
2011_cwe_sans_top25