• Home

  • Documents

  • Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls....
11
Chapter 1 The Software Security Problem

Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools

Embed Size (px)

Citation preview

Page 1: Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools

Chapter 1

The Software Security Problem

Page 2: Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools

Goals of this course

Become aware of common pitfalls. Static Analysis and tools

Page 3: Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools

Some common approaches to security

Defensive Programming Security Features (vs secure features) Improving Software Quality

Page 4: Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools

Some common approaches to security

Defensive Programming Security Features (vs secure features) Improving Software Quality

(none of these approaches work!)

Page 5: Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools

So, what works?

Page 6: Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools

Usual Software building cycle:

Requirements and Specifications Design Code Test and debug Integration test Deliver

Page 7: Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools

Best way to detect vulnerable code

Through a Static Analysis Tool. However, hand/hard work is still necesary!

Page 8: Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools

Vulnerability Classification

Generic vs context-specific defects

Visible in the code vs visible only in the design

Seven pernicious kingdoms:

Input validation and representation API abuse Security Features Time and State Error Handling Code Quality Encapsulation Environment

Page 9: Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools
Page 10: Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools

2009 CWE/SANS Top 25

Insecure Component Interaction

Faiulre to preserve page structure (Cross-site scripting)

Improper sanitation of SQL commands (SQL injection)

Cross-site request forgery

Unrestricted upload of file with dangerous type

Improper sanitation of OS command elements (OS command injetion)

Error Message Information leak

URL redirect to untrusted site (open redirect)

Race Condition

Risky Resource Management

Buffer overflow

Improper limitation of a pathname in a restricted directory

Buffer access woth incorrect length value

Improper check for unusual or exceptional conditions

Improper control of filename for include/require PHP statement

Improper validation of array index.

Integer overflow/wraparound

Incorrect buffer size calculation

Code download without integrity check.

Unlimited resource allocation

Page 11: Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools

2009 CWE/SANS Top 25 (cont)

Porous Defenses Improper Access control Reliance on untrusted inputs in a security decision Broken or risky cryptography Hard-coded credentials/passwords Missing authentication for critical function Incorrect Permission Assignment for critical

Resource Use of broken or risky cryptography.


User-aware privacy control via extended static-information ...publish.illinois.edu/science-of-security-lablet/... · User-aware privacy control via extended ... The example in Fig

User-aware privacy control via extended static-information ...publish.illinois.edu/science-of-security-lablet/... · User-aware privacy control via extended ... The example in Fig

Documents
Static Bus Schedule aware Scratchpad Allocation in Multiprocessors Sudipta Chattopadhyay Abhik Roychoudhury National University of Singapore

Static Bus Schedule aware Scratchpad Allocation in Multiprocessors Sudipta Chattopadhyay Abhik Roychoudhury National University of Singapore

Documents
Pitfalls Relational

Pitfalls Relational

Documents
Prototyping pitfalls

Prototyping pitfalls

Design
Ophthalmic Pitfalls

Ophthalmic Pitfalls

Documents
Pitfalls & Challenges Faced During a Microservices ...€¦ · 2 / Pitfalls & Challenges Faced During a Microservices Architecture Implementation. Microservices architecture pitfalls

Pitfalls & Challenges Faced During a Microservices ...€¦ · 2 / Pitfalls & Challenges Faced During a Microservices Architecture Implementation. Microservices architecture pitfalls

Documents
Geometry-Aware Video Object Detection for Static Cameras arXiv:1909.03140v1 [cs.CV… · 2019-09-10 · XU, XIE, ZISSERMAN: GEOMETRY-AWARE VIDEO OBJECT DETECTION 1 Geometry-Aware

Geometry-Aware Video Object Detection for Static Cameras arXiv:1909.03140v1 [cs.CV… · 2019-09-10 · XU, XIE, ZISSERMAN: GEOMETRY-AWARE VIDEO OBJECT DETECTION 1 Geometry-Aware

Documents
Digital Marketing Partner Organizer Knowledge Partners · Drafting Arbitration Clauses How to draft a good arbitration clause Pitfalls to be aware of Arbitration: Procedure Overview

Digital Marketing Partner Organizer Knowledge Partners · Drafting Arbitration Clauses How to draft a good arbitration clause Pitfalls to be aware of Arbitration: Procedure Overview

Documents
Characterizing CUDA Unified Memory (UM) -Aware MPI Designs ...hidl.cse.ohio-state.edu/static/media/talks/slide/karthik-sc19-booth... · Characterizing CUDA Unified Memory (UM) -Aware

Characterizing CUDA Unified Memory (UM) -Aware MPI Designs ...hidl.cse.ohio-state.edu/static/media/talks/slide/karthik-sc19-booth... · Characterizing CUDA Unified Memory (UM) -Aware

Documents
Utility-Aware Social Event-Participant Planningyongxintong.group/static/paper/2015/SIGMOD2015_Utility... · 2019. 10. 5. · Utility-Aware Social Event-Participant Planning Jieying

Utility-Aware Social Event-Participant Planningyongxintong.group/static/paper/2015/SIGMOD2015_Utility... · 2019. 10. 5. · Utility-Aware Social Event-Participant Planning Jieying

Documents
Datasize-Aware High Dimensional Configurations Auto-Tuning ...alchem.usc.edu/portal/static/download/dac.pdf · Datasize-Aware High Dimensional Configurations Auto-Tuning of In-Memory

Datasize-Aware High Dimensional Configurations Auto-Tuning ...alchem.usc.edu/portal/static/download/dac.pdf · Datasize-Aware High Dimensional Configurations Auto-Tuning of In-Memory

Documents
JavaFX Pitfalls

JavaFX Pitfalls

Software
Networking Pitfalls

Networking Pitfalls

Career
Geometry-Aware Video Object Detection for Static Camerasdanxu/uploads/2019/0218.pdfXU, XIE, ZISSERMAN: GEOMETRY-AWARE VIDEO OBJECT DETECTION 3 The main idea of these detectors is to

Geometry-Aware Video Object Detection for Static Camerasdanxu/uploads/2019/0218.pdfXU, XIE, ZISSERMAN: GEOMETRY-AWARE VIDEO OBJECT DETECTION 3 The main idea of these detectors is to

Documents
FFR: pitfalls

FFR: pitfalls

Documents
Microservice pitfalls

Microservice pitfalls

Software
Development pitfalls

Development pitfalls

Software
Structure-Aware Sparse Reconstruction and Applications to ...yiminzhang.com/pdf2/aes_mag16_pmr.pdf · Structure-Aware Sparse Reconstruction and Applications to Passive Multi-Static

Structure-Aware Sparse Reconstruction and Applications to ...yiminzhang.com/pdf2/aes_mag16_pmr.pdf · Structure-Aware Sparse Reconstruction and Applications to Passive Multi-Static

Documents
Algorithms for time-aware recommender systems · t Time-aware factor models –static factor model 20.12.2016 Algorithms for time-aware recommender systems 15 1 2 3 4 This approach

Algorithms for time-aware recommender systems · t Time-aware factor models –static factor model 20.12.2016 Algorithms for time-aware recommender systems 15 1 2 3 4 This approach

Documents
MILITARY PITFALLS

MILITARY PITFALLS

Documents
Constructing Path Efficient and Energy Aware Virtual Multicast Backbones in Static Ad Hoc Wireless Networks

Constructing Path Efficient and Energy Aware Virtual Multicast Backbones in Static Ad Hoc Wireless Networks

Documents
Emergency Pitfalls

Emergency Pitfalls

Health & Medicine
Scala pitfalls

Scala pitfalls

Documents
Cluster Pitfalls

Cluster Pitfalls

Documents
Model Pitfalls

Model Pitfalls

Documents
Divergence-Aware Warp Scheduling - UBC ECEece.ubc.ca/~aamodt/papers/tgrogers.micro2013.pdfDivergence-Aware Warp Scheduling detects this divergence and al- ... grammer, however static

Divergence-Aware Warp Scheduling - UBC ECEece.ubc.ca/~aamodt/papers/tgrogers.micro2013.pdfDivergence-Aware Warp Scheduling detects this divergence and al- ... grammer, however static

Documents
Dependency Injection with Static Analysis and Context ... · Dependency Injection with Static Analysis and Context-Aware Policy 3 The reduced coupling and increased exibility of dependency

Dependency Injection with Static Analysis and Context ... · Dependency Injection with Static Analysis and Context-Aware Policy 3 The reduced coupling and increased exibility of dependency

Documents
Modern static security checking of C / C++ programs - … · Modern static security checking of C / C++ programs ... class without false negatives) ... 11 . HAVOC: Heap Aware Verifier

Modern static security checking of C / C++ programs - … · Modern static security checking of C / C++ programs ... class without false negatives) ... 11 . HAVOC: Heap Aware Verifier

Documents
Reliability-Aware Frame Packing for the Static Segment of FlexRay

Reliability-Aware Frame Packing for the Static Segment of FlexRay

Documents
Operational Robustness of Accelerator Aware MPImug.mvapich.cse.ohio-state.edu/static/media/mug/... · 2017-07-18 · Quick Intro to GPU Aware MPI • Users point of view – MPI_xxxx

Operational Robustness of Accelerator Aware MPImug.mvapich.cse.ohio-state.edu/static/media/mug/... · 2017-07-18 · Quick Intro to GPU Aware MPI • Users point of view – MPI_xxxx

Documents