The Seven Pernicious Kingdoms

 

In this article, we going to look at software security in terms of The Seven Pernicious Kingdoms. Whilst software security has been a major concern in the modern world, analysts have realized that most of the problems found in the source-code itself. The security flaws surrounding web applications and websites are a result of how they are written. Developers in most cases work towards achieving what the user wants to accomplish and in most cases, they never look at the weaknesses in the code the use because all they aim to do is to fulfill the user requirements specifications.

 

In recent developments, as cyberattacks became common, there was a need to look at how and why these attacks occurred. With the help of releases such as the OWASP …, 2010, 2013, 2017 organizations had some sort of guide as to what to inspect in their web applications before they could deploy them. In the same manner, the Seven Pernicious Kingdoms is a taxonomy created by Tsipenyuk, Chess, and McGraw [Tsipenyuk, Chess, McGraw, 2005]. The term kingdom is used as biologists use it in their taxonomy of living organisms: to indicate a high-level grouping of similar members and in this case, it is used to refer to web security flaws.

 

The ordering of the kingdoms gives an estimate of their relative importance. The complete taxonomy can found here.

 

In this article, we are going to take a descriptive approach to the Seven Pernicious Kingdoms.

 

1. Input Validation and Representation
2. API Abuse
3. Security Features
4. Time and State
5. Errors
6. Code Quality
7. Encapsulation

 

One may wonder why they are called The Seven Pernicious Kingdoms and yet it’s a list of eight. This is based on the approach by George Miller who identified that people are good at keeping track of seven, plus or minus two things at a time.

 

Because organizations want to maintain security, developers are urged to develop applications that are secure at all costs but sometimes there is no knowing if the code they write is secure or not. At some stage, this pushed to the development of the Common Vulnerabilities and Exposures (CVE) database. The CVE database allows developers to submit vulnerabilities in a software or hardware product they would have discovered.

 

The CVE database would save the vulnerability with a unique ID, but it does not provide any categorization or structure for the vulnerability. This lack of categorization then led to the creation of The Seven Pernicious Kingdoms. It gives a structured way of classifying vulnerabilities (phylum) into larger, broader security flaws i.e. kingdoms. This will also help developers to write secure code as it highlights the key things to look out for.

 

A phylum is any particular coding error e.g. Command Injection. Command Injection is a phylum and is contained within the kingdom "Input Validation and Representation", which includes Command Injection, along with buffer overflows, SQL Injection among other similar flaws.

 

 

 

Most security problems are a result of user input. Trusting user input may be detrimental to the application's security. Through the use of malicious SQL/Commands, attackers may be able to gain unauthorized access to the system and cause harm to the organization. Input validation and representation problems are caused by meta-characters, numeric representation, and alternate encodings. Attacks such as Command Injection, SQL Injection, Cross-site Scripting, and buffer-overflow come under Input Validation and Representation.

 

 

Writing outside the bounds of allocated memory can corrupt data, crash the program, or cause the execution of an attack payload.

 

 

Executing commands from an untrusted source or in an untrusted environment can cause an application to execute malicious commands on behalf of an attacker.

 

 

Sending unvalidated data to a Web browser can result in the browser executing malicious code (usually scripts).

 

 

Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input.

 

 

An API normally involves two parties, the first party that calls the API (caller) and the other that responds to the API (callee). In most cases, API Abuse is caused by the caller failing to honor its end of the bargain. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.

 

 

Functions that cannot be used safely should never be used.

 

 

Improper use of the chroot() system call may allow attackers to escape a chroot jail.

 

 

Do not use realloc() to resize buffers that store sensitive information.

 

 

The J2EE standard forbids the direct management of connections.

 

 

Socket-based communication in web applications is prone to error.

 

 

Do not rely on the name the getlogin() family of functions returns because it is easy to spoof.

 

 

A dangerous function can throw an exception, potentially causing the program to crash.

 

 

Passing an inadequately sized output buffer to a path manipulation function can result in a buffer overflow.

 

 

Failure to adhere to the principle of least privilege amplifies the risk posed by other vulnerabilities.

 

 

Functions that manipulate strings to encourage buffer overflows.

 

 

Ignoring a method’s return value can cause the program to overlook unexpected states and conditions.

 

 

Security Features are concerned with authentication, access control, confidentiality, and cryptography as well as user privilege management. There is a need to get web application security features right in the first place. A good example of a security flaw is hard-coding the user default password.

 

 

Standard pseudo-random number generators cannot withstand cryptographic attacks.

 

 

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

 

 

When developers write their code they assume that their code will be executed sequentially as it is done in their local environment or on test servers. In the real-world, applications may operate on multi-tasking operating systems running on multi-core, multi-CPU, or distributed machines where these rules cannot be applied. These platforms juggle multiple users and multiple threads of control, two events may take place at exactly the same time. Distributed computation is about time and state. That is, in order for more than one component to communicate, the state must be shared, and all that takes time. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through the shared state: semaphores, variables, the file system, and, basically, anything that can store information.

 

 

Inconsistent locking discipline can lead to deadlock.

 

 

Using the same session identifier across an authentication boundary allows an attacker to hijack authenticated sessions.

 

 

The window of time between when a file property is checked and when the file is used can be exploited to launch a privilege escalation attack.

 

 

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

 

 

A Web application should not attempt to shut down its container.

 

 

Thread management in a Web application is forbidden in some circumstances and is always highly error-prone.

 

 

Signal handlers may change the shared state relied upon by other signal handlers or application code causing unexpected behavior.

 

 

Error Handling deserves a kingdom of its own because of the way errors vary in a web application ranging from how API errors are handled to revealing too much information in an error message exception.

 

 

Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.

 

 

Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

 

 

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

 

 

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

 

 

Poor code quality provides an opportunity for attackers to manipulate the application and make it perform unintended functionalities. The application itself may also misbehave and cause poor usability. Entering an infinite loop may enable a denial-of-service attack and allow an attacker to take advantage of some poorly thought-out error handling code. There is a need for developers to ensure that their code meets specified quality before they can deploy their applications.

 

 

Calling free() twice on the same memory address can lead to a buffer overflow.

 

 

Functions with inconsistent implementations across operating systems and operating system versions cause portability problems.

 

 

Memory is allocated but never freed leading to resource exhaustion.

 

 

The program can potentially dereference a null pointer, thereby raising a NullPointerException.

 

 

The use of deprecated or obsolete functions may indicate neglected code.

 

 

The behavior of this function is undefined unless its control parameter is set to a specific value.

 

 

The program can potentially use a variable before it has been initialized.

 

 

The program can potentially fail to release a system resource.

 

 

Referencing memory after it has been freed can cause a program to crash.

 

 

Data hiding (encapsulation) means restricting data from being misused by other processes running concurrently. E.g. mobile code cannot be abused by other mobile code or differentiation between unvalidated data and validated or confidential data and data that is supposed to be displayed.

 

 

Comparing classes by name can lead a program to treat two classes as the same when they actually differ.

 

 

Permission to invoke EJB methods should not be granted to the ANYONE role.

 

 

Data can "bleed" from one session to another through member variables of singleton objects, such as Servlets, and objects from a shared pool.

 

 

Debug code can create unintended entry points in an application.

 

 

Attackers can use Cloneable objects to create new instances of an object without calling its constructor.

 

 

Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.

 

 

Non-final public variables can be manipulated by an attacker to inject malicious values.

 

 

 

The contents of a private array may be altered unexpectedly through a reference returned from a public method.

 

 

Assigning public data to a private array is equivalent to giving the public access to the array.

 

 

Revealing system data or debugging information helps an adversary learn about the system and form an attack plan.

 

 

Commingling trusted and untrusted data in the same data structure encourages programmers to mistakenly trust unvalidated data.

 

 

This kingdom is concerned with any critical security issues concerning the product but not including source-code. Configuration files that govern the program’s behavior and compiler flags used to build the program are some of the examples in this kingdom. Everything else in the kingdoms has to do with source-code thus this kingdom is included to encompass other security issues beyond the source-code flaws.

 

 

Here is the mapping of the kingdoms to OWASP top 10,

• Input Validation and Representation
  
  
• Cross-Site Scripting (XSS) Flaws
• Injection Flaws
• Unvalidated Input
  
  
• API Abuse
• Security Features
  
  
• Broken Access Control
• Insecure Storage
  
  
• Time and State
  
  
• Broken Authentication
  
  
• Errors
  
  
• Improper Error Handling
  
  
• Code Quality
  
  
• Denial of Service
  
  
• Encapsulation
• Environment
  
  
• Insecure Configuration Management

 

The Seven Pernicious Kingdoms serve as a guide to developers, analysts, and organizations to use when developing their applications for deployment on the public internet.

This may save them from common attacks that are being used today, thereby saving them a lot of money and maintaining a good reputation with their users.