11.4 Software Design
CVE's
Common Vulnerabilities and Exposures
Managed by the MITRE Corporation, the canonical list of CVE's consists of publicly disclosed security flaws [33].
Because CISA (overseen by the Department of Homeland Security) funds the CVE program, perhaps one of the clearest places to find a directory of recent CVE's is at the Known Exploited Vulnerabilities Catalog (hosted at CISA).
Of course, a searchable database may be easier to use when looking up CVE's by number.
Design Considerations
Authentication
Authentication is perhaps one of the most commonly used security functions. Nearly all apps and websites use some form of authentication in order to assert that a user is who they claim to be. Authentication often appears in the form of a username and password. More recently, multi-factor authentication has risen in popularity.
Before we even go into the more technical issues with authentication, check out this innovative scam that requires little technical understanding. Gmail accounts have a “dots don’t matter” feature. That means that the address thisisnotanactualaddress@gmail.com is the same as this.is.not.an.actual.address@gmail.com as far as logging in and receiving email is concerned. However, many websites would treat these as two different user accounts. Netflix is one of these websites. And you don’t need to verify your email account to start watching videos on Netflix.
Someone with a Netflix account under the email thisisnotanactualaddress@gmail.com is therefore at risk. I could create an account at Netflix with a very similar email address - this.is.not.an.actual.address@gmail.com - and when it came time to enter payment information, Netflix would email the account holder at this.is.not.an.actual.address@gmail.com asking for payment information. But that email would actually go to thisisnotanactualaddress@gmail.com. Since the email would actually come from Netflix and would seem legitimate, the Gmail user with the email thisisnotanactualaddress@gmail.com might inadvertently enter payment information for my account [34]!
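A site can catch this collision at signup by keying accounts on the mailbox that will actually receive the mail. The sketch below is an added example, not code from Netflix or from the original page; `mailbox_key`, `SignupRegistry` and the returned status strings are hypothetical names.

```python
# Domains whose mailboxes ignore dots in the local part (both are Gmail).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}

def mailbox_key(address):
    """Map an address to the mailbox that will actually receive the mail."""
    local, at, domain = address.strip().rpartition("@")
    if not (local and at and domain):
        raise ValueError("not an email address: %r" % address)
    domain = domain.lower()
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "").lower()
        domain = "gmail.com"
    return local + "@" + domain

class SignupRegistry:
    """Hypothetical account store keyed by the receiving mailbox."""

    def __init__(self):
        self._owner = {}   # mailbox key -> address used by the first signup

    def signup(self, address):
        key = mailbox_key(address)
        if key not in self._owner:
            self._owner[key] = address
            return "created"
        if self._owner[key] == address:
            return "duplicate"
        # Same inbox, different spelling: hold billing and account mail
        # until this signup proves control of the mailbox.
        return "collision"
```

A "collision" result is the point at which email verification should be required before any payment request is sent.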
Now let’s look at some of the more technical issues. Implementing security, particularly authentication, has been shown historically to be hard to accomplish. In fact, at least 3 of the OWASP Top 10 are related to authentication.
A02:2021 – Cryptographic Failures [35]
While not specific to authentication, "Cryptographic Failures" does have a place within authentication. In particular, consider these points:
- Using weak or compromised algorithms for encrypting persisted data can make it easier for intruders to obtain sensitive data such as passwords or personal information
- Prefer storing derived values over encrypted (or plain-text) sensitive information; for example, store a salted and hashed password (which is derivable) instead of the plain-text password
A04:2021 – Insecure Design [36]
Again, this tenet is not specific to authentication but does play a large role. Have you seen these poor security practices implemented?
- Ability to reset a lost password merely by answering questions?
  - Such questions are often obvious or easy to guess or otherwise find the answer to
- Are file uploads available?
  - A web server may be vulnerable if uploaded files are not restricted or validated. For example, uploading a malicious PHP file instead of a profile photo could put the server at risk because subsequent calls to the uploaded PHP file may result in arbitrary code running in an escalated environment.
- Do default passwords exist?
  - It is common today to find devices with default usernames and passwords; for most consumers this is evident on home routers, though newer routers have started shipping with either unique credentials OR the requirement that users define credentials before the device can be used
A07:2021 – Identification and Authentication Failures [37]
The name alone indicates the relationship with authentication. This risk pertains to poorly implemented authentication. There are several ways to implement poor authentication, including some of the more common failures:
- Allowing brute force attacks; throttling or limiting the number of login attempts can go a long way to mitigating this failure
- Permitting weak or common passwords; doing so reduces security by allowing brute force attacks to become more successful. While not called out by OWASP specifically, limiting password length or valid characters also can be problematic for users
- Not allowing multi-factor authentication; the industry is moving to a multi-factor authentication model because such a solution can offer greater security and (in some cases) more convenience
- Providing clues about account information; invalid login attempts which specify "invalid user" or "invalid password" can be leveraged by hackers in an attempt to identify valid user names. Instead, consider a generic message along the lines of "invalid username or password", which does not provide any information about the existence of a username.
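The following added example (not from the original page) combines the storage advice under A02 with the throttling and generic-message advice under A07 in one small login service. The class name, the policy values and the in-memory dictionaries are assumptions made for illustration; scrypt is one suitable password-hashing function from the Python standard library.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5        # assumed policy values for this example
LOCKOUT_SECONDS = 300
GENERIC_ERROR = "invalid username or password"

def hash_password(password, salt=None):
    """Return (salt, digest). Only these derived values are persisted."""
    salt = salt or os.urandom(16)             # unique random salt per user
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

class LoginService:
    def __init__(self, clock=time.monotonic):
        self._users = {}       # username -> (salt, digest), never the password
        self._failures = {}    # username -> (failed attempts, time of last one)
        self._clock = clock
        # Dummy record so unknown usernames cost the same hashing work.
        self._dummy = hash_password("constructed-dummy-value")

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        now = self._clock()
        count, last = self._failures.get(username, (0, 0.0))
        if count >= MAX_ATTEMPTS:
            if now - last < LOCKOUT_SECONDS:
                return False, GENERIC_ERROR   # throttled: same generic message
            count = 0                         # lockout window has expired
        salt, stored = self._users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        # Constant-time comparison; unknown users can never match.
        ok = hmac.compare_digest(candidate, stored) and username in self._users
        if ok:
            self._failures.pop(username, None)
            return True, "ok"
        self._failures[username] = (count + 1, now)
        return False, GENERIC_ERROR
```

Counting failures per username alone lets anyone lock a known account out, so deployed systems usually also throttle per source address.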
A03:2021 – Injection [38]
Injection does not refer solely to SQL injection, though SQL injection is perhaps the best-known type of injection attack.
An injection attack most frequently occurs when software uses user input without first validating that the user input is safe to use. The process of making sure that user input is safe is called "sanitizing" and is language-specific, meaning that sanitizing input in Java is performed in a different manner than in C#, for example.
Injection attacks can lead to leaking sensitive or confidential data, running arbitrary code or even causing a DoS (denial-of-service) attack on an affected machine.
There is no specific remediation for injection attacks, but it is helpful to remember these key points when coding against such attacks:
- Use an API or library to sanitize user data
- NEVER TRUST USER DATA - injection attacks occur largely because of bad data supplied by the user (explicitly or otherwise)
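As an added illustration of both points (not part of the original text), the Python `sqlite3` example below puts a string-built query next to the same lookup done through the driver's parameter binding, plus an allow-list for the one thing binding cannot cover, a column name. The table, the function names and the sample input are constructed for the example.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"),
                    ("bob", "bob@example.test")])
    return db

def find_user_unsafe(db, name):
    # Vulnerable: user input is concatenated into the SQL text itself,
    # so quotes in the input change the structure of the query.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def find_user_safe(db, name):
    # The driver binds the value separately; it is never parsed as SQL.
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

SORTABLE = {"name", "email"}

def list_users_sorted(db, column):
    # Identifiers cannot be bound as parameters, so user-chosen column
    # names are checked against a fixed allow-list instead.
    if column not in SORTABLE:
        raise ValueError("unsupported sort column")
    return db.execute(
        "SELECT name, email FROM users ORDER BY " + column
    ).fetchall()

HOSTILE = "nobody' OR '1'='1"   # constructed input for the comparison

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_user_unsafe(db, HOSTILE))   # every row comes back
    print("safe:  ", find_user_safe(db, HOSTILE))     # no row matches
```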
A08:2021 – Software and Data Integrity Failures [39]
Just as user authentication is critical to software, so is validating data. This topic demonstrates the need for software to validate related software artifacts such as firmware updates, plugins and third party code (see section 9.2 for a detailed analysis of third party code).
Consider a router which has updateable firmware (most routers support updateable firmware and it is common for the user to perform the firmware update). If the firmware is not cryptographically signed by the manufacturer AND also validated on the router before an upgrade, then bad actors may be able to distribute malicious firmware to unwitting users.
Before looking at the next section - updating software - let’s look at one more common blunder in the wild with authentication. While Steve Gibson talked about this on the March 22, 2022 episode of Security Now, reports of this issue surfaced all the way back in 2018.
Duo is a third-party multi-factor authentication software owned by Cisco and has some default configurations that are… problematic. Specifically, two default configurations led to a catastrophic breach:
- Allow for re-enrollment of a new device for dormant accounts
- Fail-open (we’ll take a peek at that in just a minute)
At this point in this book, you are equipped with a robust understanding of hacks and vulnerabilities. This one is a wonderful example of chaining exploits together. Buckle your seatbelt [40].
Hackers use brute force to log in to a network using simple, predictable, or popular passwords. Some of these accounts are dormant but still exist.
Here’s where the first default configuration issue comes into play. Duo’s MFA is disabled since the account is old and not used. But since Duo’s default configuration allows dormant accounts to enroll new devices, the bad actors are able to add a device to the MFA scheme.
This rudimentary network access isn’t sufficient, so the bad actors introduce a privilege escalation vulnerability known as PrintNightmare (this is an especially nasty bug that Windows tried fixing a few times and, well, could just not get it right [41]).
Once the bad actors were able to gain administrator access, they went in and modified the hosts file! Yes. You read that right. DNS poisoning at the source! They altered the IP address for Duo’s authentication servers to be localhost.
This move prevented authentication validation (since the computer couldn’t access Duo) and exploited the second default configuration - fail-open. When a system fails closed, that means it shuts down. From a security standpoint, that’s great. But from a convenience standpoint, it is annoying. Oddly, Duo’s MFA default configuration is to fail open - that means “the system remains ‘open’ and operations continue as if the system were not even in place” [42]. With this as the behavior for the device when connecting to VPN, the bad actors were able to connect to the Windows Domain Controller with Remote Desktop Protocol.
Game over.
Note that Duo does allow users to fix this issue. At the time of installation, these configurations can be changed. However, once the installation happens, the only way to change these settings is to change the key in the registry [43] (which requires administrator privilege and specialized knowledge).
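The difference between the two outage policies can be shown with a small gate around a second-factor check. This is an added sketch, not Duo's code or API: `MfaGate`, `OnOutage` and the two stand-in verifier functions are hypothetical, and the unreachable service is simulated with a refused connection.

```python
import logging
from enum import Enum

log = logging.getLogger("mfa-gate")

class OnOutage(Enum):
    FAIL_OPEN = "open"        # let the login through when MFA is unreachable
    FAIL_CLOSED = "closed"    # deny the login when MFA is unreachable

class MfaGate:
    """Hypothetical wrapper around a remote second-factor check."""

    def __init__(self, verifier, on_outage=OnOutage.FAIL_CLOSED):
        self.verifier = verifier    # callable(user, code) -> bool
        self.on_outage = on_outage
        self.outages = 0            # counter a monitoring system can alert on

    def allow(self, user, code):
        try:
            return bool(self.verifier(user, code))
        except OSError as exc:      # refused connections, timeouts, DNS errors
            self.outages += 1
            log.warning("MFA service unreachable for %s: %s", user, exc)
            # The whole decision now rests on this one setting.
            return self.on_outage is OnOutage.FAIL_OPEN

def reachable_service(user, code):
    """Constructed stand-in for a working MFA service."""
    return code == "123456"

def unreachable_service(user, code):
    """Constructed stand-in for a service that cannot be reached."""
    raise ConnectionRefusedError("connection refused")

if __name__ == "__main__":
    for policy in OnOutage:
        gate = MfaGate(unreachable_service, policy)
        print(policy.name, "->", gate.allow("dormant-user", "000000"))
```

Under either policy, a sudden run of outage warnings from a single host is worth alerting on.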
[33] What is a CVE?
[34] Gmail “dots don’t matter” feature exposes Netflix users to phishing attacks
[35] A02:2021 – Cryptographic Failures
[36] A04:2021 – Insecure Design
[37] A07:2021 – Identification and Authentication Failures
[38] A03:2021 – Injection
[39] A08:2021 – Software and Data Integrity Failures
[40] FBI Warns that Hackers Gain Network Access by Exploiting MFA and “PrintNightmare” Vulnerability
[41] Microsoft adds second CVE for PrintNightmare remote code execution
[42] Fail Closed, Fail Open, Fail Safe and Failover: ABCs of Network Visibility
[43] Duo Authentication for Windows Logon and RDP - FAQ