3.1 Memory Safe Violations

Memory safe violations modify the memory location contents where one of the most common techniques is buffer overflow. Overall, memory safety refers to preventing attackers from reading or writing to memory locations, other than those intended by the programmer.

With buffer overflow, this occurs when a program attempts to store more information in the buffer than can fit. This causes the additional overflow information to overflow into subsequent/nearby buffers which can overwrite and corrupt the data within those memory locations. This vulnerability allows exploiters to modify aspects of the process code and the integrity of the previously stored data.

Buffer overflow vulnerabilities are most at risk in C, which is widely used for systems programming. One particular weakness is that there is no automatic bounds-check for array and pointer access. So, if a programmer declares an array of size 4, it will not automatically throw an error if buffer[5] is accessed, and this must be checked to ensure that every memory access is within bounds. Subsequently, a buffer overflow bug is where the programmer does not provide adequate bounds checking, which results in an out-of-bounds memory access, yielding a write that is beyond the intended memory region. Attackers can exploit these accesses to alter the program’s designed behavior.

3.2 User Input Exploits

User input validation confirms that the inputted data follows rules where if this is not performed, it has the ability to lead to data corruption through user input attacks/exploits. One example of a user input attack is SQL injection, where injected SQL commands in user interfaces like a web form can be used to alter the database content or even worse, dump sensitive data and database information to the attacker. SQL injection attacks can lead to the leaking of information like credit card numbers and passwords. There are three main methods of SQL injection: Error Based SQL Injection, Boolean Error SQL Injection, and Time-Based Query SQL Injection.

With Error Based SQL Injection, hackers fetch database information like table names and content from the visible database errors on production servers. To prevent this vulnerability, programmers can avoid publicly displaying database error messages so attackers are unable to see this information and exploit it.

Similar to Error Based SQL injection, hackers can gain entry into the database in a vulnerable application with Boolean Error SQL Injection. However, in this case, attackers might not have a visible error message and instead, can see that when a SQL query fails, parts of the website disappear or do not load, indicating that the query is still going through, even if the error message is not viewable. With this confirmation, the jacker can test the vulnerability level of the application and the proximity of the data extraction with wrong queries such as: https://xyz.com/index.php?id=1+AND+1=2. Because this condition is false, the hacker knows that if the webpage is not visible, then the application is vulnerable and can be exposed to a SQL injection attack.

With Time-Based Query SQL Injection, the attacker uses a command to the database to pause for a certain time period before responding. An example query would be: https://xya.com/index.php?id=1+AND+IF(version()+LIKE+'8%',sleep(5),false). However, if the database responds right away without the pause, then the application is not vulnerable to this type of vulnerability.

3.3 Race Condition Errors

Race condition errors occur when the output of multiple processes occur in an unexpected order, which can cause various checks to fail, leading to a vulnerability. Exploiting and knowing about such flaws can be difficult to detect, and stresses the importance of techniques like test driven development, and planned flow of logic so that the tests can verify as many possibilities and conditions that can occur.

As seen in the diagram below, the success and impact of attackers depends on the processes of the scheduling algorithms of the server. Some potential impacts that can be caused by race condition exploits are being able to redeem the same coupon multiple times, being able to withdraw more money during a money transfer, and being able to cast multiple votes when a user should only have one vote.

Overall, web apps, file systems and networking environments are all susceptible to race condition attacks with targets like access control lists, payrolls, or financial ledgers being hefty targets. Race condition attacks typically occur less frequently, because they are difficult to engineer and rely on a very small window of opportunity. However, they are crucial to consider in the development process and test for since the effects can be devastating and be difficult to detect due to the nature of this situation.

3.4 User Access Privilege Errors

User access privilege errors occur when attackers exploit a bug to gain elevated access to resources. This leads to the attacker being able to have more privileges, allowing them to perform unauthorized actions like accessing protected secret keys or restricting access to actual administrators and user groups.

Vertical privilege escalation occurs when a user gains access to functionality that they are not permitted to access, such as when a non-admin user is able to access a admin page that can delete user accounts. One example is such as when a website hosts sensitive functionality at a URL like: https://insecure-website.com/admin. In this case, the url might be accessible and common so that attackers can find this location by guessing/or inspecting the javascript for such URLs. Furthermore, some applications might even determine the user’s access rights and role and login and store in a submitted value such as with: https://insecure-website.com/login/home.jsp?admin=true. This is insecure, because the values can be easily modified in the query string and gain administrative functions.

4.1 Human, Technical and Leadership Aspects for Effective Cybersecurity Frameworks

With the human aspects involved in cybersecurity, it is important to have a holistic view of the different parts that can lead to security vulnerabilities. Overall, when new parts of technology or a technology system are added, this requires more people and processes to manage the system. This leads to more operational complexity and because of this, the interactions between the technology, processes, and people increase accordingly. This can lead to loss of process visibility and control where it is difficult to manage new technologies which in turn decreases the cybersecurity effectiveness with poorer human performance and more incidents overall. With this in mind, it is important to develop supporting processes on the human end of development and implementation as a part of software development in order to best mitigate cybersecurity vulnerabilities.

4.2 Code Obfuscation

Code obfuscation transforms normal readable code into a transformed version that is different from the original, making it more complex and difficult to understand. This is often done in order to prevent the code from being reused for other applications with ease or to prevent malicious forms of reverse engineering from occurring. Depending on the level of obfuscation, it might take more or less resources and there are various mechanisms of code obfuscation such as splitting apart and minifying code. Overall, code obfuscation is a tool for preventing software vulnerabilities because it adds an additional layer for an attacker to decipher and find vulnerabilities in the software.

4.3 Reverse Engineering

Reverse engineering is the act of breaking down a good or in our case, program, into it’s elemental parts in order to understand the inner workings. There are many uses of reverse engineering where there are tricks and pitfalls for analyzing compiled code and obfuscated code. The process of reverse engineering can be exploited by malicious actors, but it can also be utilized to discover vulnerabilities before they are exploited. Overall, ethical hackers can utilize reverse engineering in order to test software systems for weaknesses and there a wide range of tools and techniques to aid in the process of reverse engineering.

4.4 User Input Validation

Input validation is what prevents malicious and improper data from being inputted into an information system. It can be carried out on the client-side and/or the server-side code in order to ensure security of the infrastructure. Client-side validation is important since it is fast and helps with user experience, however it should not be used on it’s own. This is because client-side validation is browser-dependent and can be tricker and should be used in tandem with server-side validation, which is more reliable in protecting a system’s database from any malformed data or malicious attacks.

With client-side validation, we check that the data follows basic guidelines and is in the expected format and data type. An example can be seen in the screenshot below of client-side input validation below where the different fields are being checked. Client-side validation occurs on the front-end of web applications (such is with an HTML form component) and responds quickly to the user’s input. This reduces the latency that occurs if only server-side was used for data validation.

As mentioned above, front-end code evaluates client-side input validation, and must be used with back-end code to handle server-side input validation. Server-side validation is done on the model-entity class by attaching attributes above the property declaration to define the data types that the property can accept. These specifications ensure that only proper data is accepted. Thus server-side validation is slower than client-side validation, but is more reliable and safe and overall improves user experience because of the improved security and error prevention.

4.5 Checksum and Integrity Checks

Checksum and integrity checks are a powerful technique to prevent data from becoming lost or corrupted and maintain data integrity. There are various methods of data integrity verification, such as the model shown below where an algorithm is used on the file/database to verify that the code checksum is the same. These algorithms are designed to be quick and effective for data verification. As a tool for preventing software-based cyberattacks, it can help to ensure that data integrity is maintained across read/write operations to the database. It can also help to detect if a program has been altered, and cause the program to fail if tampering is detected. Integrity checks can be static, checked only at startup, or dynamic, checked repeatedly when the program is executing. On the negative side, hackers can pinpoint check through breakpoints and code inspection. Additionally, these types of checks, might only be able to verify static properties and might not detect temporary instruction patches or runtime attacks.

References

Access control vulnerabilities and privilege escalation | Web Security Academy. (n.d.). Portswigger.net. https://portswigger.net/web-security/access-control

Borello, J. M., & Mé, L. (2008). Code obfuscation techniques for metamorphic viruses. Journal in Computer Virology, 4(3), 211-220.

Dosal, E. (2020, February 13). Top 9 Cybersecurity Threats and Vulnerabilities. Compuquip. https://www.compuquip.com/blog/cybersecurity-threats-vulnerabilities

Dwivedi, A. (2020, August 24). The biggest security threat in modern web applications. AFourTech: Software Product Engineering Services Company. https://afourtech.com/race-condition-the-biggest-security-threat-in-modern-web-applications/

Green, A. (2014, August 11). Top Five Most Dangerous Software Errors. Varonis. https://www.varonis.com/blog/top-five-dangerous-software-errors/

Input Validation: Client-Side & Server-Side Cybersecurity Deterrent. (2021, August 22). SecureCoding. https://www.securecoding.com/blog/input-validation/

Iryna, H. (2019, October 24). Top 25 Coding Errors Leading to Software Vulnerabilities. Waverley. https://waverleysoftware.com/blog/top-software-vulnerabilities/

Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80(5), 973-993.

Liu, S., & Cheng, B. (2009). Cyberattacks: Why, what, who, and how. IT professional, 11(3), 14-21.

Palmer, D. (2020, February 4). These are the top ten software flaws used by crooks: Make sure you’ve applied the patches. ZDNet. https://www.zdnet.com/article/these-are-the-top-ten-software-flaws-used-by-crooks-make-sure-youve-applied-the-patches/

Shahid. (n.d.). How To Obfuscate JavaScript with Node.js. Code for Geek. Retrieved December 14, 2021, from https://codeforgeek.com/how-to-obfuscate-javascript-with-node-js/

Wagner, D., Weaver, N., Kao, P., Shakir, F., Law, A., & Ngai, N. (2021, August 1). Computer Security. https://textbook.cs161.org/

What is Buffer Overflow? Definition & FAQs. (n.d.). Avi Networks. Retrieved December 14, 2021, from https://avinetworks.com/glossary/buffer-overflow/

What is SQL Injection? | Types and Methods of SQL Injection. (2020, May 7). CWatch Blog. https://cwatch.comodo.com/blog/website-security/what-is-an-sql-injection-sqli/

Wilson, S., Hamilton, D., & Stallbaum, S. (2020, May 26). The Unaddressed Gap in Cybersecurity: Human Performance. MIT Sloan Management Review. https://sloanreview.mit.edu/article/the-unaddressed-gap-in-cybersecurity-human-performance/

Xu, G., Lai, M., Li, J., Sun, L., & Shi, X. (2018). A generic integrity verification algorithm of version files for cloud deduplication data storage. EURASIP Journal on Information Security, 2018(1), 1-15.