
Software Security II
CSCI 415 Computer and Network Security, Dr. Nazli Hardy
Partially adapted from Computer Security: Principles and Practices, Stallings and Lawrie

Overview
- Command Injection
- Validating Input
- Input Fuzzing
- Cybercrime
(Image source: http://mashable.com)

Perl finger CGI Script

This CGI script retrieves the desired info from the server based on what is passed to it as the value of the `user` parameter. From where is the value of `user` passed?

```perl
#!/usr/bin/perl
# finger.cgi - finger CGI script using Perl5 CGI module
use CGI;
use CGI::Carp qw(fatalsToBrowser);
$q = new CGI;                       # create query object
# display HTML header
print $q->header,
      $q->start_html('Finger User'),
      $q->h1('Finger User');
print "<pre>";
# get name of user and display their finger details
$user = $q->param("user");
print `/usr/bin/finger -sh $user`;
# display HTML footer
print "</pre>";
print $q->end_html;
```

Finger Form (for example)
- invokes the CGI script
- takes user as input
- user is passed as a parameter to finger.cgi

Command Injection

If the user is legit, then it's all good. But if instead a command is the input, it will be passed to finger.cgi (e.g. "list all the users in this directory"); finger.cgi thinks the command is coming from the Web server. Metacharacters are often used in such commands.

A solution: add a test that ensures that the user input contains only expected tokens (e.g. alphanumerics) and not metacharacters. Lines 14 to 18 of the script become:

```perl
# get name of user and display their finger details
$user = $q->param("user");
die "The specified user contains illegal characters!" unless ($user =~ /^\w+$/);
print `/usr/bin/finger -sh $user`;
```
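An added example (not the lecture's or the textbook's code), in Python rather than Perl, that ties the command injection fix to the two validation principles and to input fuzzing: a deny-list of known shell metacharacters beside the lecture's allow-list of word characters, the finger command built as an argv list so no shell ever parses the name, and a fuzz loop that counts how often random input passes the deny-list but fails the allow-list. The finger path is taken from the lecture's script; all sample inputs are constructed.

```python
"""Hardened user lookup for the lecture's finger CGI example (added example,
not the lecture's Perl). FINGER is an assumed path; inputs are constructed."""
import random
import re
import string

FINGER = "/usr/bin/finger"  # path taken from the lecture's script

# Principle 1: compare input with known dangerous values (deny-list).
# Incomplete by construction: backtick, quotes, newline and space are missing,
# so an input built only from those is accepted.
SHELL_META = set(";|&$()<>")

def denylist_ok(user: str) -> bool:
    return not any(c in SHELL_META for c in user)

# Principle 2: accept only known safe data (allow-list), the lecture's fix.
# fullmatch, not match(r"^\w+$"): "$" also matches before a trailing newline,
# so "alice\n" would slip through. The ASCII class keeps Unicode letters out.
WORD_RE = re.compile(r"[A-Za-z0-9_]+")

def allowlist_ok(user: str) -> bool:
    return WORD_RE.fullmatch(user) is not None

def finger_argv(user: str) -> list[str]:
    """Validate, then build an argv list for subprocess.run(argv) with the
    default shell=False, so no shell ever parses the input. A leading '-'
    fails the allow-list, so the name can never be read as an option."""
    if not allowlist_ok(user):
        raise ValueError("The specified user contains illegal characters!")
    return [FINGER, "-sh", user]

def fuzz_validators(trials: int = 20000, seed: int = 415) -> dict[str, int]:
    """Input fuzzing of both validators with random strings: count inputs the
    deny-list accepts but the allow-list rejects (metacharacters it missed)."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + ";|&$()<>`'\" \n\\"
    missed = 0
    for _ in range(trials):
        s = "".join(rng.choice(alphabet) for _ in range(rng.randint(1, 8)))
        if denylist_ok(s) and not allowlist_ok(s):
            missed += 1
    return {"trials": trials, "denylist_accepted_unsafe": missed}

if __name__ == "__main__":
    print(finger_argv("alice"))
    print(denylist_ok("alice\n"), allowlist_ok("alice\n"))  # True False
    print(fuzz_validators())
```

The non-zero "denylist_accepted_unsafe" count is the answer to the slide's "Which is better, and why?": a deny-list is only as complete as its author's memory, while an allow-list fails closed.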
Recall: SQL Injection

Data may be altered to conform to what is expected by escaping metacharacters, thus rendering the input safe and making the input usable.

Before:

```php
$name = $_REQUEST['name'];
$query = "SELECT * FROM suppliers WHERE name = '" . $name . "';";
$result = mysql_query($query);
```

After:

```php
$name = $_REQUEST['name'];
$query = "SELECT * FROM suppliers WHERE name = '" . mysql_real_escape_string($name) . "';";
$result = mysql_query($query);
```

Validating Input

Given that the programmer cannot control the content of input data, it is necessary to ensure that such data conform with any assumptions made about the data, e.g. for textual data, that it contains only alphanumeric characters; for numeric data, only int and double.

Two possible principles can be followed:
- compare input data with known dangerous values
- accept only known safe data

Which is better, and why?

Input Fuzzing

A good alternative is called fuzzing, developed by Dr. Barton Miller (U of Wisconsin-Madison) in 1989: a software testing technique that uses randomly generated data as inputs to a program.
- the range of inputs may be very large: textual, graphic, random network requests, random parameter values passed to system functions, etc.
- the intent is to determine whether the program or function correctly handles all such abnormal inputs, or crashes, or fails to respond appropriately
- identifies reliability (or lack of it) and security deficiencies

Fuzzing: simple but effective, and low cost to generate these inputs.

Limitations

Computer Crime vs Cybersecurity

The term cybercrime has a connotation of the use of networks specifically, whereas computer crime may or may not involve networks.

The U.S. Department of Justice categorizes computer crime based on the role that the computer plays in the criminal activity, as follows:
- Computers as targets: to acquire information stored on that computer system without authorization or payment (theft of service)
- Computers as storage devices: as a passive storage medium, e.g. for stolen password lists, credit card or calling card numbers, proprietary corporate information, pornographic image files, or "warez" (pirated commercial software)
- Computers as communications tools: often traditional crimes committed online, e.g. the illegal sale of prescription drugs, controlled substances, alcohol, etc.

Examples of Cybercrime
- theft of intellectual property
- theft of other proprietary info, including customer records and financial records
- DOS attacks
- virus, worm and other malware attacks
- fraud over the Net
- illegal generation of spam email
- webpage defacement
- intentional exposure of private or sensitive info
- spyware (but not including adware)
- others

Intellectual Property

Intellectual property is any intangible asset that consists of human knowledge and ideas. The legal protection is against infringement, which is the invasion of the rights secured by copyrights, trademarks and patents. The right to seek civil recourse against anyone infringing his or her property is granted to the IP owner.

Intellectual Property Relevant to Computer and Network Security
- misuse of software: all programs produced by vendors
- databases: all data and databases protected by copyright
- digital content: audio and video files, multimedia courseware, website content and other original content
- algorithms: improvement of software or function

Privacy

considerable overlap with computer security in a

