Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Introduction to Safe Programming l Producing Safe Code l Source code audits l Software Forensics –Black Box, White Box Techniques l Improvements outside.

Published byReynold Sutton Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Introduction to Safe Programming l Producing Safe Code l Source code audits l Software Forensics –Black Box, White Box Techniques l Improvements outside."— Presentation transcript:

1 1 Introduction to Safe Programming l Producing Safe Code l Source code audits l Software Forensics –Black Box, White Box Techniques l Improvements outside the language –Compiler –OS –Kernel –Application Controls

2 2 Safe Code as an issue of Assurance l What is safe code? l What is Assurance?

3 3 Topics in Safe Programming l Compiler Design l Operating Systems Programming »C/C++, shell, OS design l Network Programming »RPC, Sockets, Socks, MPI, etc. l Applications Programming »Kerberos, DCE, extending applications, PKI l Mobile Code »Java, Active-X, Javascript, CGI l Database Programming l Software Life Cycle Development and Management

4 4 How does one write safe code? l We use the C programming language as our example l General Design Principles (Jerome Saltzer) –Least Privilege –Economy of Mechanism –Ease of Use –Modularity –Input Checking

5 5 System Libraries l C System Libraries l General Use and vulnerabilities »gets( ) streadd( ) »printf()strecpy( ) »strcpy()strtns( ) »strcat( ) »scanf( ) »sscanf( ) »vsprintf ( ) »realpath( ) »getopt( ) »getpas( )

6 6 General C Syntax Errors

7 7 General Logic Errors l Haste l Ignorance l Carelessness/Laziness l Race Conditions l Faulty Random Generators (Internally generated) l Dependence on system clock l Use of ethernet and hw serial numbers

8 8 Poor Design l No bounds checking l Trusting Input (Argument length, type & number) l Not checking argument passed to system functions l Not having programs exit or die cleanly l Not checking return codes l Obfuscated Code l No documentation l No logging l Bad design or lack of a design l Poor nomenclature

9 9 Spafford’s Recommendation l See Spafford’s Security Checklist for a good list of common ports and usage l Check general principles provided for safe programming l Learn to keep good programming principles during program inception l Use Code checking and Peer review l Use Saltzer’s Seven Rules to analyze your code

Download ppt "1 Introduction to Safe Programming l Producing Safe Code l Source code audits l Software Forensics –Black Box, White Box Techniques l Improvements outside."

Similar presentations

Week 4 – Functions Introduction. Functions: Purpose Breaking a large problem into a series of smaller problems is a common problem- solving technique.

Week 4 – Functions Introduction. Functions: Purpose Breaking a large problem into a series of smaller problems is a common problem- solving technique.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
An Empirical Study of the Reliability in UNIX Utilities Barton Miller Lars Fredriksen Brysn So Presented by Liping Cai.

An Empirical Study of the Reliability in UNIX Utilities Barton Miller Lars Fredriksen Brysn So Presented by Liping Cai.
Chapter 1: An Overview of Computers and Programming Languages

Chapter 1: An Overview of Computers and Programming Languages
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.

Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 13 Implementation Flaws Part 1: Buffer Overruns.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 13 Implementation Flaws Part 1: Buffer Overruns.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Information Networking Security and Assurance Lab National Chung Cheng University Flawfinder.

Information Networking Security and Assurance Lab National Chung Cheng University Flawfinder.
1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research

1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research
Testing a program Remove syntax and link errors: Look at compiler comments where errors occurred and check program around these lines Run time errors:

Testing a program Remove syntax and link errors: Look at compiler comments where errors occurred and check program around these lines Run time errors:
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Project Proposal Implementing library support for the Virgil programming language Ryan Hall Advisor: Jens Palsberg January 23, 2007.

Project Proposal Implementing library support for the Virgil programming language Ryan Hall Advisor: Jens Palsberg January 23, 2007.
Course: Introduction to Computers

Course: Introduction to Computers
SANS Technology Institute - Candidate for Master of Science Degree Implementing and Automating Critical Control 19: Secure Network Engineering for Next.

SANS Technology Institute - Candidate for Master of Science Degree Implementing and Automating Critical Control 19: Secure Network Engineering for Next.
C++ Programming: From Problem Analysis to Program Design, Fifth Edition Chapter 1: An Overview of Computers and Programming Languages Updated by: Dr\Ali-Alnajjar.

C++ Programming: From Problem Analysis to Program Design, Fifth Edition Chapter 1: An Overview of Computers and Programming Languages Updated by: Dr\Ali-Alnajjar.
What Exactly are the Techniques of Software Verification and Validation www.softwaretestinggenius.com A Storehouse of Vast Knowledge on Software Testing.

What Exactly are the Techniques of Software Verification and Validation A Storehouse of Vast Knowledge on Software Testing.
I/O Systems ◦ Operating Systems ◦ CS550. Note:  Based on Operating Systems Concepts by Silberschatz, Galvin, and Gagne  Strongly recommended to read.

I/O Systems ◦ Operating Systems ◦ CS550. Note:  Based on Operating Systems Concepts by Silberschatz, Galvin, and Gagne  Strongly recommended to read.
1 ISEC0511 Programming for Information System Security Lecture Notes #4 Security in Software Systems (cont)

1 ISEC0511 Programming for Information System Security Lecture Notes #4 Security in Software Systems (cont)

Similar presentations

Ads by Google