Tuesday, December 30, 2014

[Basics] Software flaw vs. bug

Have you ever thought about the difference between a software flaw and bug? Or are they referring to the same thing? This mini post will explain.

It is true that both software flaws and bugs result in vulnerabilities that hackers can exploit, but these two terms refer to two different things. The former is more serious than the latter.

Software flaw - caused by a design failure
Software bug - cause by a implementation failure (design is perfectly fine)

Note that software can be vulnerable due to both software flaw and bug at the same time - incorrect design and incorrect implementation.

Let me quote a famous bug which was exploited to produce one of the first Internet worm, Morris worm, in 1988. Morris worm exploited a buffer overflow vulnerability in Unix finger daemon. Specifically, finger used get() function to obtain user input. The problem with get() is that it does not have provision to limit or check user input string length. So, the bug is not checking/validating input string. It is not a flaw as it is an implementation issue and has nothing to do with the design of finger.

Another recent one is heartbleed bug. It is a serious software bug in OpenSSL library. Exploiting this vulnerability, attackers can eavesdrop on OpenSSL encrypted communication, steal data from server and clients, and also impersonate either of the entity. It is caused by an implementation failure of the heartbeat part of OpenSSL library and it has nothing to do with the design of TLS.

Now let's look at a recent design flaw vulnerability. iOS 6 had a vulnerability in mobile hotspot passwords. A hacker can do a simple dictionary/brute-force attack to recover this password. This vulnerability is not an implementation issue, but rather resulted from the design flaw in how passwords are generated. This password is generated from a set of predefined words. These words are randomly selected and padded with a 4 digit random number. The flaw here is that selection of words from the pool of words is not truly random and also the number of words in the pool is also small.

Good read: Avoiding the top 10 software security design flaws

Bottom line is that use secure design principles and coding techniques to avoid such vulnerabilities.

No comments: