
Tagging Your Binaries with a Risk Analysis Measurement from CWE/CWRAF

Robert A. Martin
10 April 2013

© 2012 The MITRE Corporation. All rights reserved.


Today Everything’s Connected

Your System is attackable… when this Other System gets subverted through an un-patched vulnerability, a mis-configuration, or an application weakness…
[Figure: CVE 1999 to 2013]

[Figure: Vulnerability Type Trends: A Look at the CVE List (2001 - 2007)]

Removing and Preventing the Vulnerabilities Requires More Specific Definitions… CWEs
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (79)
• Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (80)
• Improper Neutralization of Script in an Error Message Web Page (81)
• Improper Neutralization of Script in Attributes of IMG Tags in a Web Page (82)
• Improper Neutralization of Script in Attributes in a Web Page (83)
• Improper Neutralization of Encoded URI Schemes in a Web Page (84)
• Doubled Character XSS Manipulations (85)
• Improper Neutralization of Invalid Characters in Identifiers in Web Pages (86)
• Improper Neutralization of Alternate XSS Syntax (87)

Improper Restriction of Operations within the Bounds of a Memory Buffer (119)
• Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (120)
• Write-what-where Condition (123)
• Out-of-bounds Read (125)
• Improper Handling of Length Parameter Inconsistency (130)
• Improper Validation of Array Index (129)
• Return of Pointer Value Outside of Expected Range (466)
• Access of Memory Location Before Start of Buffer (786)
• Access of Memory Location After End of Buffer (788)
• Buffer Access with Incorrect Length Value (805)
• Untrusted Pointer Dereference (822)
• Use of Out-of-range Pointer Offset (823)
• Access of Uninitialized Pointer (824)
• Expired Pointer Dereference (825)

Path Traversal (22)
• Relative Path Traversal (23)
• Path Traversal: '../filedir' (24)
• Path Traversal: '/../filedir' (25)
• <------------8 more here -------------->
• Path Traversal: '....//' (34)
• Path Traversal: '.../...//' (35)
• Absolute Path Traversal (36)
• Path Traversal: '/absolute/pathname/here' (37)
• Path Traversal: '\absolute\pathname\here' (38)
• Path Traversal: 'C:dirname' (39)
• Path Traversal: '\\UNC\share\name\' (Windows UNC Share) (40)

Common Weakness Enumeration (CWE) – 700+


What is wrong with this picture?

Wouldn’t it be nice if the weaknesses in software were as easy to spot and their impact as easy to understand as a screen door in a submarine…

CWE Compatibility & Effectiveness Program (launched Feb 2007)
cwe.mitre.org/compatible/
Direct Contributors to the 2011 CWE/SANS Top 25

Mark J. Cox Red Hat Inc.


Carsten Eiram Secunia (Denmark)
Pascal Meunier CERIAS, Purdue University
Razak Ellafi & Bonsignour CAST Software
David Maxwell NetBSD
Cassio Goldschmidt & Mahesh Saptarshi Symantec Corporation
Chris Eng Veracode, Inc.
Paul Anderson Grammatech Inc.
Masato Terada IPA (Japan)
Bernie Wong IBM
Dennis Seymour Ellumen, Inc.
Kent Landfield McAfee
Hart Rossman SAIC
Jeremy Epstein SRI International
Matt Bishop UC Davis
Adam Hahn & Sean Barnum MITRE
Jeremiah Grossman White Hat Security
Kenneth van Wyk KRvW Associates
Bruce Lowenthal Oracle Corporation
Jacob West Fortify Software, an HP Company
Frank Kim ThinkSec
Christian Heinrich (Australia)
Ketan Vyas Tata Consultancy Services (TCS)
Joe Baum Motorola Solutions
Matthew Coles, Aaron Katz & Nazira Omuralieva RSA, the Security Division of EMC
National Security Agency (NSA) Information Assurance Division
Department of Homeland Security (DHS) National Cyber Security Division
CWE/SANS Top 25

• 3 years running
• Latest version published in June 2011
• Survey results from over 25 organizations
• 41 CWE entries nominated
• CWSS 0.8 used to rank results
  – Technical Impact, Prevalence, Likelihood of Exploit
• Published pocket guide for mitigating the Top 25 (and other weaknesses, too)

CWE Outreach: A Team Sport
May/June Issue of IEEE Security & Privacy…
16 July 2010


CWE/SANS 2010 Top 25 Most Dangerous Software Errors

[1] CWE-79 Cross-site Scripting
[2] CWE-89 SQL Injection
[3] CWE-120 Classic Buffer Overflow (CWE-119)
[4] CWE-352 Cross-Site Request Forgery (CSRF)
[5] CWE-285 Improper Authorization
[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision
[7] CWE-22 Path Traversal
[8] CWE-434 Unrestricted Upload of File with Dangerous Type
[9] CWE-78 OS Command Injection
[10] CWE-311 Missing Encryption of Sensitive Data
[11] CWE-798 Use of Hard-coded Credentials
[12] CWE-805 Buffer Access with Incorrect Length Value
[13] CWE-98 PHP File Inclusion
[14] CWE-129 Improper Validation of Array Index
[15] CWE-754 Improper Check for Unusual or Exceptional Conditions
[16] CWE-209 Information Exposure Through an Error Message
[17] CWE-190 Integer Overflow or Wraparound
[18] CWE-131 Incorrect Calculation of Buffer Size
[19] CWE-306 Missing Authentication for Critical Function
[20] CWE-494 Download of Code Without Integrity Check
[21] CWE-732 Incorrect Permission Assignment for Critical Resource
[22] CWE-770 Allocation of Resources Without Limits or Throttling
[23] CWE-601 Open Redirect
[24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm
[25] CWE-362 Race Condition
[26] CWE-749 Exposed Dangerous Method or Function
[27] CWE-307 Improper Restriction of Excessive Auth. Attempts
[28] CWE-212 Improper Cross-boundary Removal of Sensitive Data
[29] CWE-330 Use of Insufficiently Random Values
[30] CWE-59 Link Following (CWE-706)
[31] CWE-134 Uncontrolled Format String
[32] CWE-476 NULL Pointer Dereference
[33] CWE-681 Incorrect Conversion between Numeric Types
[34] CWE-426 Untrusted Search Path
[35] CWE-454 External Initialization of Trusted Variables or Data Stores
[36] CWE-416 Use After Free
[37] CWE-772 Missing Release of Resource after Effective Lifetime
[38] CWE-799 Improper Control of Interaction Frequency (CWE-834)
[39] CWE-456 Missing Initialization
[40] CWE-672 Operation on a Resource after Expiration or Release
[41] CWE-804 Guessable CAPTCHA
CWE-637
Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis

[Figure: the Total Potential Security Weaknesses, part of which Static Analysis can find and part of which Dynamic Analysis can find. Weakness classes shown: Environment Configuration Issues, Issues in integrations of modules, Null Pointer Dereference, Runtime Privileges Issues, Threading Issues, Issues in Dead Code, Protocol Parser/Serializer Issues, Issues in 3rd party components, Insecure Crypto Functions, SQL Injection, Application Logic Issues, Cross Site Scripting, HTTP Response Splitting, OS Commanding, LDAP Injection, …]
Engineering For Attack – ISO/IEC Technical Report 20004:
Refining Software Vulnerability Analysis Under ISO/IEC 15408 and ISO/IEC 18045

[Figure: Threat Actors (CAPECs) apply Known Attack Patterns against Weaknesses (CWEs); Controls* and System Security Engineering Trades stand between those weaknesses and their Technical Impacts and Operational Impacts. Each chain in the figure runs Attack -> Weakness -> Item (an Asset or a Function) -> Impact.]

* Controls include architecture choices, design choices, added security functions, activities & processes, physical decomposition choices, code assessments, design reviews, dynamic testing, and pen testing
Technical Impacts – Common Consequences
Common Weakness Risk Analysis Framework (CWRAF)

1. Modify data
2. Read data
3. DoS: unreliable execution
4. DoS: resource consumption
5. Execute unauthorized code or commands
6. Gain privileges / assume identity
7. Bypass protection mechanism
8. Hide activities
CWRAF/CWSS in a Nutshell

[Figure: W is all possible weaknesses; Wd, a subset of W, is all known weaknesses (CWE)]

Common Weakness Risk Analysis Framework (CWRAF)
Technical Impact Scorecard: Technical Impacts and their Weightings

1. Modify data                              W1=1
2. Read data                                W2=0
3. DoS: unreliable execution                W3=0
4. DoS: resource consumption                W4=0
5. Execute unauthorized code or commands    W5=0
6. Gain privileges / assume identity        W6=0
7. Bypass protection mechanism              W7=0
8. Hide activities                          W8=0

Multiple pieces – we’ll focus on “Vignettes”


CWRAF/CWSS in a Nutshell

[Figure: a “Vignette” feeds the CWSS Scoring Engine, which scores the known weaknesses (Wd, within W) and produces a ranked list; a user-defined cutoff separates the Most Important Weaknesses from the rest]

CWSS Score   CWE
97           CWE-79
95           CWE-78
94           CWE-22
94           CWE-434
94           CWE-798
93           CWE-120
93           CWE-250
92           CWE-770
91           CWE-829
91           CWE-190
91           CWE-494
90           CWE-134
90           CWE-772
90           CWE-476
90           CWE-131
…            (user-defined cutoff)
What types of attacks should I test my system against?

[Figure: the same CWSS Scoring Engine ranking as above; the Most Important Weaknesses are then mapped to their related CAPEC IDs]

CWE       Related CAPEC IDs
CWE-79    CAPEC-232, CAPEC-106, CAPEC-19, …
CWE-78    CAPEC-108, CAPEC-15, CAPEC-43, CAPEC-6, …
…

Common Attack Pattern Enumeration and Classification (CAPEC)
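As an added example (not code from the deck or from MITRE, and not the real CWSS formula), this Python model walks a constructed vignette through the three steps shown above: weighting the Technical Impact Scorecard, ranking weaknesses against a user-defined cutoff, and mapping the survivors to CAPEC IDs. The 0..10 weight scale, the scoring rule, and the one-impact-per-CWE table (taken from the deck's "Focus By Phase and Impact" slide) are simplifying assumptions.

```python
"""Simplified CWRAF-style vignette scoring (added example; not MITRE's CWSS formula).

A vignette weights the eight Technical Impacts (0..10 assumed); each known
weakness is scored from the heaviest impact it can cause; a user-defined cutoff
keeps the Most Important Weaknesses; the CWE->CAPEC map turns them into attack
patterns to test against. CWE-to-impact placement follows the deck's Phase/Impact slide.
"""

IMPACT_CWES = {  # Technical Impact -> CWEs the deck places under it (simplified)
    "Modify data": ["CWE-23", "CWE-131", "CWE-311"],
    "Read data": ["CWE-14", "CWE-129", "CWE-209"],
    "DoS: unreliable execution": ["CWE-36", "CWE-476", "CWE-406"],
    "DoS: resource consumption": ["CWE-395", "CWE-190", "CWE-412"],
    "Execute unauthorized code or commands": ["CWE-88", "CWE-120", "CWE-79"],
    "Gain privileges / assume identity": ["CWE-96", "CWE-489", "CWE-309"],
    "Bypass protection mechanism": ["CWE-89", "CWE-357", "CWE-665"],
    "Hide activities": ["CWE-78", "CWE-168", "CWE-444"],
}
CWE_CAPECS = {  # CWE -> related CAPEC ids, as listed on the deck (truncated there)
    "CWE-79": ["CAPEC-232", "CAPEC-106", "CAPEC-19"],
    "CWE-78": ["CAPEC-108", "CAPEC-15", "CAPEC-43", "CAPEC-6"],
}

def validate_scorecard(weights):
    """Every impact needs a weight, and each weight must lie within 0..10."""
    missing = set(IMPACT_CWES) - set(weights)
    if missing:
        raise ValueError(f"scorecard lacks weights for {sorted(missing)}")
    for impact, w in weights.items():
        if impact not in IMPACT_CWES or not 0 <= w <= 10:
            raise ValueError(f"bad weight {w!r} for {impact!r}")

def rank_weaknesses(weights, cutoff):
    """[(cwe, score)] at or above the cutoff, highest score first, then by CWE id."""
    validate_scorecard(weights)
    scored = []
    for impact, cwes in IMPACT_CWES.items():
        score = weights[impact] * 10  # scale the 0..10 weight to a 0..100 score
        scored += [(cwe, score) for cwe in cwes if score >= cutoff]
    return sorted(scored, key=lambda cs: (-cs[1], int(cs[0].split("-")[1])))

def attacks_to_test(weights, cutoff):
    """CAPEC ids related to the weaknesses that survive the cutoff."""
    return sorted({capec for cwe, _ in rank_weaknesses(weights, cutoff)
                   for capec in CWE_CAPECS.get(cwe, [])})

if __name__ == "__main__":  # constructed vignette: code execution matters most
    vignette = dict.fromkeys(IMPACT_CWES, 0)
    vignette.update({"Execute unauthorized code or commands": 10, "Hide activities": 4})
    print(rank_weaknesses(vignette, cutoff=50), attacks_to_test(vignette, cutoff=50))
```

Lowering the cutoff from 50 to 40 in the usage above pulls the "Hide activities" weaknesses (CWE-78, CWE-168, CWE-444) into the list, and CWE-78's CAPEC patterns with them.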
Scoring Weaknesses Discovered in Code using CWSS

Organizations that have declared plans to support CWSS in their future offerings and are working with MITRE to help evolve CWSS to meet their customers' and the community's needs for a scoring system for software errors.
CWE Coverage – Implemented…

CWE IDs mapped to Klocwork Java issue types (from http://www.klocwork.com/products/documentation/curren...)
See also Detected Java Issues.

CWE ID | Klocwork Checker Code and Description
20 (http://cwe.mitre.org/data/definitions/20.html) | SV.TAINT Tainted data; SV.TAINT_NATIVE Tainted data goes to native code; SV.TMPFILE Temporary file path tampering
73 (http://cwe.mitre.org/data/definitions/73.html) | SV.PATH Path and file name injection; SV.PATH.INJ File injection
77 (http://cwe.mitre.org/data/definitions/77.html) | SV.EXEC Process Injection; SV.EXEC.DIR Process Injection. Working Directory
79 (http://cwe.mitre.org/data/definitions/79.html) | SV.XSS.DB Cross Site Scripting (Stored XSS); SV.DATA.DB Data injection; SV.XSS.REF Cross Site Scripting (Reflected XSS)
80 (http://cwe.mitre.org/data/definitions/80.html) | SV.XSS.DB Cross Site Scripting (Stored XSS); SV.XSS.REF Cross Site Scripting (Reflected XSS)
89 (http://cwe.mitre.org/data/definitions/89.html) | SV.SQL Sql Injection; SV.SQL.DBSOURCE Unchecked information from the database is used in SQL statements; SV.DATA.DB Data injection
103 (http://cwe.mitre.org/data/definitions/103.html) | SV.STRUTS.VALIDMET Struts Forms: validate method
105 (http://cwe.mitre.org/data/definitions/105.html) | SV.STRUTS.NOTVALID Struts Forms: inconsistent validate
113 (http://cwe.mitre.org/data/definitions/113.html) | SV.HTTP_SPLIT HTTP Response Splitting
117 (http://cwe.mitre.org/data/definitions/117.html) | SV.LOG_FORGING Log Forging
129 (http://cwe.mitre.org/data/definitions/129.html) | SV.DOS.ARRINDEX Tainted index used for array access

Cenzic Product Suite is CWE Compatible
www.cenzic.com | (866) 4-CENZIC (866-423-6942)

Cenzic Hailstorm Enterprise ARC, Cenzic Hailstorm Professional and Cenzic ClickToSecure are compatible with the CWE standard or Common Weakness Enumeration as maintained by Mitre Corporation. Web security assessment results from the Hailstorm product suite are mapped to the relevant CWE ID's providing users with additional information to classify and describe common weaknesses found in Web applications.

For additional details on CWE, please visit: http://cwe.mitre.org/index.html

The following is a mapping between Cenzic’s SmartAttacks and CWE ID's:

No. | Cenzic SmartAttack Name | CWE ID/s
1 | Application Exception | CWE-388: Error Handling
2 | Application Exception (WS) | CWE-388: Error Handling
3 | Application Path Disclosure | CWE-200: Information Leak (rough match)
4 | Authentication Bypass | CWE-89: Failure to Sanitize Data into SQL Queries (aka 'SQL Injection') (rough match)
5 | Authorization Boundary | CWE-285: Missing or Inconsistent Access Control, CWE-425: Direct Request ('Forced Browsing')
6 | Blind SQL Injection | CWE-89: Failure to Sanitize Data into SQL Queries (aka 'SQL Injection')
7 | Blind SQL Injection (WS) | CWE-89: Failure to Sanitize Data into SQL Queries (aka 'SQL Injection')
8 | Browse HTTP from HTTPS List | CWE-200: Information Leak
9 | Brute Force Login | CWE-521: Weak Password Requirements
10 | Buffer Overflow | CWE-120: Unbounded Transfer ('Classic Buffer Overflow')
11 | Buffer Overflow (WS) | CWE-120: Unbounded Transfer ('Classic Buffer Overflow')
12 | Check Basic Auth over HTTP | CWE-200: Information Leak
13 | Check HTTP Methods | CWE-650: Trusting HTTP Permission Methods on the Server Side

Cenzic CWE Brochure | October 2009
© 2009 Cenzic, Inc. All rights reserved.
Utilizing CWE Coverage Claims

[Figure: each capability (Code Review, Static Analysis Tool A, Static Analysis Tool B, Pen Testing Services) claims to cover certain CWEs; those claims are held against the Most Important Weaknesses (CWEs) for the system.]

Which static analysis tools and Pen Testing services find the CWEs I care about?
Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis

• Different perspectives are effective at finding different types of weaknesses
• Some are good at finding the cause and some at finding the effect

Perspectives compared: Static Code Analysis, Penetration Test, Data Security Analysis, Code Review, Architecture Risk Analysis. Each X marks one perspective that finds the weakness class:

Cross-Site Scripting (XSS): X X X
SQL Injection: X X X
Insufficient Authorization Controls: X X X X
Broken Authentication and Session Management: X X X X
Information Leakage: X X X
Improper Error Handling: X
Insecure Use of Cryptography: X X X
Cross Site Request Forgery (CSRF): X X
Denial of Service: X X X X
Poor Coding Practices: X X
Vulnerability Analysis Focus By Phase and Impact

Phases (table columns): Architecture Analysis and Design Review (review of architecture and design); Source Code Static Analysis and Binary Static Analysis (review of code); Automated Dynamic Analysis, Penetration Testing and Red Team Assessment (review of live system).

(1) Modify data: review of architecture and design: CWE-23 Relative Path Traversal; review of code: CWE-131 Incorrect Calculation of Buffer Size; review of live system: CWE-311 Missing Encryption of Sensitive Data
(2) Read Data: review of architecture and design: CWE-14 Compiler Removal of Buffer Clearing; review of code: CWE-129 Improper Validation of Array Index; review of live system: CWE-209 Information Exposure Through an Error Message
(3) DoS: unreliable execution: review of architecture and design: CWE-36 Absolute Path Traversal; review of code: CWE-476 Null Pointer Dereference; review of live system: CWE-406 Network Amplification
(4) DoS: resource consumption: review of architecture and design: CWE-395 Use of NullPointerException; review of code: CWE-190 Integer Overflow; review of live system: CWE-412 Unrestricted Externally Accessible Lock
(5) Execute unauthorized code or commands: review of architecture and design: CWE-88 Argument Injection; review of code and Automated Dynamic Analysis: CWE-120 Buffer Overflow; Penetration Testing and Red Team Assessment: CWE-79 Cross-site Scripting
(6) Gain privileges / assume identity: review of architecture and design: CWE-96 Static Code Injection; review of code: CWE-489 Leftover Debug Code; review of live system: CWE-309 Use of Password System for Primary Authentication
(7) Bypass protection mechanism: review of architecture and design: CWE-89 SQL Injection; review of code: CWE-357 Insufficient UI Warning of Dangerous; review of live system: CWE-665 Improper Initialization
(8) Hide activities: review of architecture and design: CWE-78 OS Command Injection; review of code: CWE-168 Improper Handling of Inconsistent; review of live system: CWE-444 HTTP Request Smuggling
Contact Info

cwss@mitre.org

cwe@mitre.org
