DEEDS Meeting Jan., 16th 2007 Dependable, Embedded Systems and Software Group Department of Computer Science Darmstadt University of Technology Attack.

Presentation transcript:

DEEDS Meeting Jan., 16th 2007 Dependable, Embedded Systems and Software Group Department of Computer Science Darmstadt University of Technology Attack Surface in a Nutshell Daniel Germanus

Motivation
- Measure for likelihood of an attack
- Minimize effort for manual source code audits

Limitations
- Only applicable to software systems of similar nature
- No absolute measure
- Source code required

Terminology
- Attack Surface: the subset of a software system's resources an adversary might use to attack the system
- Resources are divided into three categories: Entry & Exit points, Channels, and Untrusted Data
- Usage of Entry & Exit point framework...

Terminology – Entry & Exit point framework
Methods receiving data from the environment are entry points.
Direct entry points:
- User invokes method and passes parameter data
- Method reads from a data store
- Method invokes an API call to the environment and retrieves data

Terminology – Entry & Exit point framework
Methods sending data to the system's environment are exit points.
Direct exit points:
- User or another system calls a method and receives data.
- Method writes to a persistent data store.
- Method invokes an API call and sends data to the environment.

Terminology – Entry & Exit point framework
Indirect entry and exit points: existence of intermediate
- methods within the call chain
- data stores

Terminology – Channels
- Data is submitted via channels
- Network protocols
- Sockets, RPC,...
- (not documents → untrusted data (carrier))

Terminology – Untrusted data
- Files, Databases, Attachments,...
- Indirect send/receive opportunity for an adversary

Terminology
The Attack Surface can be seen as the triple consisting of
- Set of Entry and Exit points (M)
- Set of Channels (C)
- Set of Untrusted Data items (I)

Measurement steps

Measurement
Weight mapping
- Naively: Count of resources
- Empirically: Higher weights on repeated vulnerability issues
- Economically: Concerning the related assets, assign a weight reflecting expected losses
- Damage Potential: Define ordering for each set of identified resources and assign numeric values

Measurement
Example: two FTP daemons, WU-FTPD and ProFTPD
- Identification of entry & exit points, channels, and data items
- Define Input and Output set of environmental methods
- Determine privilege level alterations in methods (static analysis)
- Determine access rights of methods (static analysis)
- Determine channels (runtime)
- Determine data items and their respective access rights (runtime)

Measurement

Measurement
Damage potential estimation
- Define ordering in each resource class
- Assign values

Calculation
ProFTPD Attack Surface:
WU-FTPD Attack Surface:
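The measurement and calculation steps above, as an added example that is not part of the original slides: it computes the triple (M, C, I) for constructed resource inventories and compares two systems component-wise. The daemon names, the numeric values assigned to each ordering, and the choice to divide damage potential by an access-rights effort value are assumptions of this example; they are not the WU-FTPD or ProFTPD figures.

```python
from fractions import Fraction

# Assumed numeric values for the orderings (constructed for this example).
PRIVILEGE = {"root": 5, "authenticated": 3, "anonymous": 1}  # method damage potential
CHANNEL = {"tcp": 1, "unix_socket": 1}                       # channel damage potential
DATA = {"file": 1}                                           # data item damage potential
ACCESS = {"admin": 4, "authenticated": 3, "anonymous": 1}    # effort: access rights needed

def total(resources, damage_values):
    # Each resource is (kind, access_right) and contributes damage / effort.
    return sum((Fraction(damage_values[k], ACCESS[a]) for k, a in resources),
               Fraction(0))

def attack_surface(system):
    """Return the triple (M, C, I) for one system's resource inventory."""
    return (total(system["methods"], PRIVILEGE),
            total(system["channels"], CHANNEL),
            total(system["data"], DATA))

def compare(a, b):
    """Component-wise comparison of two triples; this is only a partial order."""
    le = all(x <= y for x, y in zip(a, b))
    ge = all(x >= y for x, y in zip(a, b))
    if le and ge:
        return "equal"
    if le:
        return "smaller"
    if ge:
        return "larger"
    return "incomparable"

# Constructed inventories for three hypothetical FTP daemons.
FTPD_A = {"methods": [("root", "anonymous"), ("root", "authenticated"),
                      ("authenticated", "authenticated")],
          "channels": [("tcp", "anonymous")],
          "data": [("file", "admin"), ("file", "authenticated")]}
FTPD_B = {"methods": [("root", "authenticated"), ("anonymous", "anonymous")],
          "channels": [("tcp", "anonymous")],
          "data": [("file", "admin")]}
FTPD_C = {"methods": [("anonymous", "anonymous")],
          "channels": [("tcp", "anonymous"), ("unix_socket", "authenticated")],
          "data": []}

if __name__ == "__main__":
    for name, s in (("A", FTPD_A), ("B", FTPD_B), ("C", FTPD_C)):
        print(name, [str(v) for v in attack_surface(s)])
    print("B vs A:", compare(attack_surface(FTPD_B), attack_surface(FTPD_A)))
    print("C vs B:", compare(attack_surface(FTPD_C), attack_surface(FTPD_B)))
```

The "incomparable" result for C against B reflects the limitation that the measure is relative: one system can be smaller in methods and larger in channels at the same time.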

Future directions / open questions
- Impacts of indirect entry and exit points
- Discovery / Modeling
- Software Connector Taxonomy
- Changes for object (component) oriented paradigm
- Annotations w.r.t. object coupling, attribute usage, data diffusion

DEEDS Meeting Oct., 26th
That's it. Thanks.
Related papers have been copied to the DEEDS Wiki.