1. r e s e a r c h January 10, 2006Survey of interesting secure programming examples1 Secure Programming for Fun and Profit (Real World Experiences in Secure Programming) Doctoral Student in CS Advisors: Aditya Mathur; Ray DeCarlo Security Analyst Arxan Research, Inc. Scott D. Miller

2. r e s e a r c h January 10, 2006Survey of interesting secure programming examples2 Build a Better Mousetrap… For most, it’s a game. –Much ego involved Secure programming boils down to –Enforcing access policy E.g. code execution rights –Anti-tamper/tamper detection –Protection of intellectual property

3. r e s e a r c h January 10, 2006Survey of interesting secure programming examples3 Attacker Objectives Network-based attacks –Unauthorized code execution –Key reconstruction Malicious users –Circumventing digital rights management –“Cracking” (Red-team) and unauthorized distribution Well-funded nation and corporate adversaries –Tampering and unadvertised functionality –Recovery of sensitive IP

4. r e s e a r c h January 10, 2006Survey of interesting secure programming examples4 Attack Method Analysis of Software Code –Statistical properties –Disassembling Analysis of Running Software –Timing/Power Analysis –Debugging and Emulating Injection/Modification of Code –Patching, loading libraries, etc. Stimulation with malicious data –Buffer overflows, unexpected values

5. r e s e a r c h January 10, 2006Survey of interesting secure programming examples5 Some Interesting Scenarios Secure Programming Examples in Industry

6. r e s e a r c h January 10, 2006Survey of interesting secure programming examples6 Code Injection Unexpected injection mechanisms –Through “social engineering” (old BBS days.) –Through the context menu! When prevention fails, use detection –Statistical profiling of system calls can be effective [For97, Hof98, Mic02, Mar00]. –(U.S. Air Force proposal.)

7. r e s e a r c h January 10, 2006Survey of interesting secure programming examples7 Vulnerability Broadcasting Consider a security patch to Apache, IE, etc. Diff the patched vs. un-patched version. How many people put off downloading security updates? Obfuscation and execution path randomization can hide the patch from static and dynamic analysis (funded in part by U.S. Air Force.)

8. r e s e a r c h January 10, 2006Survey of interesting secure programming examples8 Interesting Obfuscation Eventually, they will get the code [And96]. –Remember the U.S. fighter jet’s emergency landing in China? Obfuscating to match statistical code properties. Through numerical transforms –Data splitting (funded in part by U.S. Army.)

9. r e s e a r c h January 10, 2006Survey of interesting secure programming examples9                        Our Approach                        Program with Sensitive Content Non-sensitive Program Sensitive Program                           

10. r e s e a r c h January 10, 2006Survey of interesting secure programming examples10 Non-performance degrading AT For real-time systems (e.g. OSD Anti tamper requirements on all new weapons systems.) Security “co-processors” in FPGA (funded in part by Missile Defense Agency.)

11. r e s e a r c h January 10, 2006Survey of interesting secure programming examples11 RAM Anti-tamper Components Our Approach Peripherals CPUFPGA Sensitive Software Anti-tamper Components

12. r e s e a r c h January 10, 2006Survey of interesting secure programming examples12 Encryption Start Trigger FPGA-Aided Encryption Protection CPU FPGA Decryption Start Trigger Protected Program Encrypted Decrypted Unprotected

13. r e s e a r c h January 10, 2006Survey of interesting secure programming examples13 Summary There is no shortage of work for Secure Programming –Commercial, too (e.g. Microsoft, Boeing, Lockheed Martin, etc.) The threats are ever-evolving –Never do the same thing twice!

14. r e s e a r c h January 10, 2006Survey of interesting secure programming examples14 ? Questions?

15. r e s e a r c h January 10, 2006Survey of interesting secure programming examples15 References [And96] Anderson, R., and M. Kuhn. “Tamper Resistance – A Cautionary Note.” Proc. of Second Usenix Workshop on Electronic Commerce, Oakland, CA, Nov. 1996: 1-11. [For97] Stephanie Forrest, Steven A. Hofmeyr, and Anil Somayaji. Computer Immunology, Communications of the ACM, Vol. 40, No. 10, 1997, pp. 88- -96. [Hof98] Steven A. Hofmeyr, Anil Somayaji, and Stephanie Forrest. Intrusion detection using sequences of system calls. Journal of Computer Security, Vol. 6, 1998, pages 151—180. [Mar00] Carla Marceau, Characterizing the behavior of a program using multiple-length N-grams, Proceedings of the 2000 workshop on New security paradigms, September 2000, Ballycotton, County Cork, Ireland, pages 101—110. [Mic02] Christoph C. Michael, Anup K. Ghosh: Simple, state-based approaches to program-based anomaly detection. ACM Trans. Inf. Syst. Secur. Vol. 5, no. 3, 2002, pages 203-237.