A Structured Approach to Classifying Security Vulnerabilities - Cert

More documents

Recommendations

Info

Exploits and vulnerabilities are, of course, inherently entwined. For example, the sample program in Figure 3 can be exploited by passing a malicious argument greater than the size of the first memory chunk. In this case, the unbounded string copy on line [9] will overwrite the end of the buffer and boundary tags at the end of the first chunk and at the front of the second chunk, as illustrated by Figure 4. These boundary tags can be overwritten in a manner that will cause an arbitrary address to be overwritten by another arbitrary address on the next call to free(). As a result, an attacker can exploit this vulnerability to transfer control to arbitrary code that may be part of this string or inserted elsewhere in memory. This particular exploit is diagramed in Figure 5 as a Unified Modeling Language (UML) activity diagram. Size of previous chunk, if allocated Size of chunk, in bytes P 666 bytes Size of chunk Size of previous chunk, if allocated Size of chunk, in bytes P 12 bytes Figure 4: Size of chunk Overwriting Boundary Tags The activity diagram for the exploit illustrates the relationship between the exploit and the vulnerable program. In particular, each activity is tagged with an attribute-value pair that represents the necessary preconditions for the exploit to succeed. Not surprisingly, these preconditions all exist in the vulnerable program from Figure 3. 6 CMU/SEI-2005-TN-003
Malicious string passed as argument Requires: Argument=“string” Flaw=“insufficient input validation” Shell code installed in heap Heap buffer overflow Boundary tags corrupted Requires: Flaw=“unbounded copy” Data location=“heap” Requires: malloc=“uses boundary tags” Memory=“contiguous” Requires: Flaw=“insufficient input validation” Location=“heap” Figure 5: UML Activity Diagram of Exploit Control passed to shell code Requires: Malloc-implementation=“dlmalloc” The relationship between vulnerable programs and exploits has important consequences. First, it makes sense to develop a common set of attributes (and valid values) that can simultaneously be used to describe both vulnerabilities and exploits. Second, if a database of attributes existed for programs with known vulnerabilities or other security implications, it would be possible to automatically produce a list of programs that might be vulnerable to a known exploit by matching the attributes required by the exploit with the known attributes for a program. Theoretically, this could also be used to evaluate existing programs against new (previously unknown) vulnerabilities, presuming the relevant attributes required by this exploit have been recorded. Mitigations and Vulnerabilities Relationships also exist between vulnerabilities and mitigations (and between exploits and mitigation techniques as well). Mitigations 2 include methods, techniques, processes, tools, and runtime libraries that can prevent or limit exploits against vulnerabilities. Mitigation may work by • eliminating a property of a program that represents a security flaw or other precondition necessary to create a vulnerability • preventing an exploit from achieving a required property 2. Alternatively referred to as countermeasures or avoidance strategies. CMU/SEI-2005-TN-003 7
Page 1: A Structured Approach to Classifyin
Page 4 and 5: This work is sponsored by the U.S.
Page 6 and 7: II CMU/SEI-2005-TN-003
Page 8 and 9: IV CMU/SEI-2005-TN-003
Page 10 and 11: VI CMU/SEI-2005-TN-003
Page 12 and 13: VIII CMU/SEI-2005-TN-003
Page 14 and 15: 1.1 Concepts Before we can discuss
Page 16 and 17: Table 1: Types of Software Vulnerab
Page 20 and 21: As a result, mitigations can be imp
Page 22 and 23: An example of a credential might be
Page 24 and 25: 2 Security-Related Software Attribu
Page 26 and 27: Integer Operations Fairly recently,
Page 28 and 29: 2.3 Program Versions Program versio
Page 30 and 31: 3 Representation and Automation Thi
Page 32 and 33: data such that emerging tools in th
Page 34 and 35: Where “?” indicates the “don
Page 36 and 37: 24 CMU/SEI-2005-TN-003
Page 38 and 39: [Klyne 04] Klyne, Graham & Carroll,

A Structured Approach to Classifying Security Vulnerabilities - Cert

Create successful ePaper yourself

Delete template?

Save as template?