Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Presentation transcript:

Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering Auburn University, Alabama

2 Introduction
Another software virus, another attack…is another security patch the best answer?
How did the security vulnerability get there in the first place?
– Flaw in a requirement? Part of the design?
– Already existed in source code or object code?

3 Introduction
Recommended security defense techniques
– Filter all data followed by an accept or reject decision
– Assume all input is bad until proven otherwise
– Perform data validation both at input points and at the component level
– Accept command input from a user only after parsing it
– Make policy decisions based on a "default deny" rule
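The techniques on slide 3 combined into one accept-or-reject decision, as an added example that is not part of the original presentation. The command grammar in `POLICY` and the sample inputs are hypothetical, constructed for illustration.

```python
import re
import shlex

# Hypothetical command grammar (assumption): each allowed command maps to one
# validator per argument. Anything not listed here is denied by default.
NAME = re.compile(r"[a-z][a-z0-9_]{0,31}")
COUNT = re.compile(r"[1-9][0-9]{0,2}")
POLICY = {
    "status": [],
    "show": [NAME],
    "tail": [NAME, COUNT],
}

def decide(line, max_len=128):
    """Return (True, argv) only if every check passes, else (False, reason)."""
    # Filter first: all input is treated as bad until proven otherwise.
    if len(line) > max_len or not line.isprintable():
        return False, "input filter: too long or non-printable"
    # Parse before acting on anything the user typed.
    try:
        argv = shlex.split(line)
    except ValueError:
        return False, "parse error"
    # Default deny: the command must be explicitly allowed.
    if not argv or argv[0] not in POLICY:
        return False, "command not on allowlist"
    rules = POLICY[argv[0]]
    if len(argv) - 1 != len(rules):
        return False, "wrong argument count"
    # Component-level validation: every argument must match its own rule.
    for arg, rule in zip(argv[1:], rules):
        if not rule.fullmatch(arg):
            return False, "argument rejected: %r" % arg
    return True, argv

# Constructed inputs: only the first one is accepted.
for line in ["tail auth_log 50", "show users; id", "show ../etc", "reboot"]:
    print(repr(line), "->", decide(line))
```
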

4 Introduction
Strategies to decrease security vulnerabilities
– Audit all source code (via static code analysis)
– Perform formal software verification
– Authenticate all software
– Give security concerns a higher priority
– Apply experience-based validation to test against known attacks
– Use tiger teams to maliciously exploit the software

5 Introduction
This paper's focus: static analysis of source code
– Strong point of analysis → concentrates on functions and data constructs that pose a security risk
– Weak point of analysis → uses a reactive approach to problem detection
Need a better answer to ensuring secure software…possibly a paradigm shift away from imperative programming and towards purely functional approaches

6 Overview
Specific security vulnerabilities to avoid in source code
Inventory of static code security checkers
Critique of static code security checkers
Software security assurance from a functional programming perspective
Related areas
Future work

7 Specific Security Vulnerabilities To Avoid In Source Code
Public enemy #1 → Buffer overflow
Distant cousin → Heap overflow
Array indexing…out of bounds access and assignment
Format string manipulation
System software…root privileges, system() call
Changes to system environment variables
Host name attacks…spoofing a DNS response
Signals…interrupting software in a privileged state
Core dumps…values of constants, variables, and registers

8 Inventory of Static Code Security Checkers
Static code security checkers
– Identify potential security problems
– Find known or previously identified conditions
Goal: focus the security analysis of the code
Subgoals: suggest remedies and provide assessment
List of static code security checkers

9

10 Critique Of Static Code Security Checkers
Focus mainly on Unix applications or standard C library function calls
Require a high level of expert knowledge to evaluate the findings…manual analysis still catches overlooked problems
Application library code is not automatically scanned
Analysis is time consuming…checker only cuts 1/4 to 1/3 of that effort
Nevertheless…every little bit helps, focuses attention, finds real bugs
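A minimal lexical checker of the kind slides 8 and 10 describe, written in Python as an added example; it is not code from the presentation or from any checker it inventories. The rule table and the C input are constructed for illustration.

```python
import re

# Constructed rule set (assumption), far smaller than a real checker's database.
RISKY = {"gets": ("high", "no bounds check on input buffer"),
         "strcpy": ("high", "no bounds check on destination"),
         "system": ("medium", "hands a command line to the shell"),
         "getenv": ("low", "environment values are caller-controlled")}
FORMAT_ARG = {"printf": 0, "fprintf": 1, "syslog": 1}  # index of the format argument
TOKEN_RE = re.compile(r"""/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'""", re.S)
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def blank_noise(src):
    """Blank comments and literal bodies (same length) so names inside them are not flagged."""
    def repl(m):
        return '"' + " " * (len(m[0]) - 2) + '"' if m[0][0] == '"' else re.sub(r"[^\n]", " ", m[0])
    return TOKEN_RE.sub(repl, src)

def split_args(text, pos):
    """Split the argument list starting at pos on top-level commas."""
    args, depth = [""], 0
    for ch in text[pos:]:
        if depth == 0 and ch == ")":
            break
        if depth == 0 and ch == ",":
            args.append("")
        else:
            depth += (ch == "(") - (ch == ")")
            args[-1] += ch
    return [a.strip() for a in args]

def scan(src):
    """Return (line, function, severity, reason) for every flagged call."""
    clean, findings = blank_noise(src), []
    for m in CALL_RE.finditer(clean):
        name, line = m.group(1), clean.count("\n", 0, m.start()) + 1
        if name in RISKY:
            findings.append((line, name) + RISKY[name])
        elif name in FORMAT_ARG:
            args = split_args(clean, m.end())
            if len(args) > FORMAT_ARG[name] and not args[FORMAT_ARG[name]].startswith('"'):
                findings.append((line, name, "high", "format string is not a literal"))
    return findings

# Constructed C input: lines 2-4 hold flagged calls; lines 1 and 5 must stay clean.
SAMPLE_C = r'''/* strcpy(dst, src) appears only in this comment */
strcpy(buf, argv[1]);
printf(argv[1]);
system(getenv("PAGER"));
printf("%s\n", "call gets() never");'''
print(*scan(SAMPLE_C), sep="\n")
```

The findings are candidates only: the scan sees function names, not buffer sizes or data flow, so each one still needs the expert evaluation slide 10 mentions.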

11 Software Security Assurance From a Functional Programming Perspective
Imperative programming → assignment, control loops, environment state, array indexing, memory addresses
Functional programming → referential transparency, recursion, pattern matching, mathematical foundation, formal specification, proof of correctness

12 Related Areas
Runtime checkers
– Located between application and operating system
– Intercept and screen system calls
– Examples: Libsafe, PurifyPlus, Immunix
Use profiling of software
– Observation period to identify normal behavior followed by monitoring to watch for abnormal actions
Testing for buffer overflow vulnerability
– Examples: NTOMax, SendIP

13 Future Work
Consolidate and correlate measures used by static code checkers written in imperative languages
Build prototype static code checkers in both logical and functional languages (i.e., Prolog and Haskell)
Identify imperative-to-functional conversions of most common security-vulnerable imperative code
Incorporate conversion recommendations into static code checkers

14 Conclusion
Threat from malicious users is real and the target is soft
Methods exist to reduce security vulnerabilities
Imperative approach may be the root cause of vulnerabilities
Time for functional programming to prove its worth
Move from the von Neumann paradigm into a mathematically sound paradigm…a functional paradigm
May hold the key to building software that is provably secure

15 Questions?