
Page 1: Course Outline

Secure Programming

Part 1: Software Security and Static Analysis, Dynamic Analysis, and Concolic Analysis
Part 2: Pervasive Problems
Part 3: Features and Flavors
Part 4: Analysis in Practice

Page 2: Course Information (course number: IOC5087)

Location: EC022 (Engineering Building 3)

Time: Tuesday, periods C and D; Thursday, period H

Instructor: 黃世昆, [email protected], ext. 54721, Office Hours: Tuesday, periods E and F

Teaching Assistants: 許立文 [email protected]; 林友祥 [email protected]; 黃琨翰 [email protected]

Page 3: Textbook

Secure Programming with Static Analysis, by Brian Chess and Jacob West. Publisher: Addison Wesley Professional. Publication date: June 29, 2007. Print ISBN-10: 0-321-42477-8; Print ISBN-13: 978-0-321-42477-8. Pages: 624. http://proquest.safaribooksonline.com/9780321424778

Page 4: Motivation: Why Secure Programming?

Yet Another Security Course?

Spectrum of Information Security

Page 5: Information Security Related Courses

[DS] Data Security: Encryption / Public-key / Key Management Protocols
[NS] Network Security: Security Protocols
[SS] System Security: William Stallings's Intruders / Viruses / Firewalls
[SS2] Software Security: Building Secure Software

Page 6: Data Security Course

Data Security 80%, Network Security 15%, System Security 4.9%, Software Security 0.1%

Page 7: Network Security Course

Data Security 56%, Network Security 30%, System Security 13%, Software Security 1%

Page 8: System Security Course

Data Security 10%, Network Security 20%, System Security 60%, Software Security 10%

Page 9: Software Security Course

Data Security 2%, Network Security 8%, System Security 20%, Software Security 70%

Reliable Software
Secure Software Development
Secure Programming

Page 10: Background

Page 11: Traditional Engineering and Software Engineering

Traditional Engineering
Destructive Test: Bridge and Building: Wind Tunnel, Earthquake Test; Metal: Pressure Test
Or, Fall Down, in the case of the Tacoma Narrows Bridge: a 600-foot section fell into the water on November 7, 1940, in Puget Sound, near the city of Tacoma, Washington; the bridge had only been open for traffic a few months. It was the first suspension bridge to collapse due to wind-induced vibrations.

Software Engineering
Fragile software: not built with security in mind, but defended by reactive technologies, e.g. firewalls

Page 12: A 600-foot section of the Tacoma Narrows bridge crashes

http://www.enm.bris.ac.uk/anm/tacoma/tacoma.html

Page 13: Seven Best Practices: Touchpoints

Work Security Engineering into:
Requirements
Architecture: Architecture Risk Analysis (2)
Design
Coding: Code Review with Static Analysis (1)
Testing
Validation
Measurement
Maintenance

Page 14: Software Security Touchpoints

Page 15: Code Review

Focus on Implementation Bugs
The notorious buffer overflow
Misuse of vulnerable APIs (e.g., gets(), strcpy(), ...)
Manually or with a Static Analysis tool
What is the bug
How to correct the bug
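
As an added example (not from the course slides or the textbook), here is the strcpy()/gets() misuse this slide says a code review or static analysis tool looks for, beside the bounded replacements a reviewer would ask for; the function names and the 16-byte name limit are assumptions of the example:

```c
/* Added example (not from the course slides): the strcpy()/gets() misuse
 * that code review or a static analyzer flags, beside bounded replacements.
 * Function names and the 16-byte limit are our own assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* BUG: strcpy() copies until src's NUL, so any src of NAME_LEN or more
 * bytes overruns dst. Kept to show what a reviewer looks for. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);                       /* no length check */
}

/* FIX: bounded copy. 0 on success, -1 if src does not fit; dst is left
 * as an empty string on failure so callers never read past it. */
int copy_name_safe(char dst[NAME_LEN], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) {                    /* keep room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* FIX for gets(), which has no size argument and cannot be used safely:
 * fgets() reads at most size-1 bytes. Strips the newline and returns
 * 0 = whole line read, 1 = line truncated (rest discarded), -1 = EOF. */
int read_line(FILE *fp, char *buf, size_t size) {
    if (!fgets(buf, (int)size, fp))
        return -1;
    size_t n = strlen(buf);
    if (n && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    if (n == size - 1) {                    /* buffer filled: check for more */
        int c = fgetc(fp);
        if (c == EOF) return 0;             /* line was exactly size-1 bytes */
        while (c != EOF && c != '\n') c = fgetc(fp);
        return 1;
    }
    return 0;                               /* last line, no trailing newline */
}

int main(void) {                            /* stand-alone demo on stdin */
    char name[NAME_LEN], line[64];
    while (read_line(stdin, line, sizeof line) != -1)
        printf("%s: %s\n", copy_name_safe(name, line) ? "rejected" : "ok", name);
    return 0;
}
```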

Page 16: Software Errors

Two decades of buffer overflow vulnerabilities
1988 Morris worm: the Internet programming community became aware that a buffer overflow could lead to a security breach
2004: buffer overflow still the number one cause of security problems according to the CVE (Common Vulnerabilities and Exposures) project

Page 17: Software Engineering and Worms

1968: conference on the software crisis (after the invention of the IC, with more complex software)
1988 (Nov 2): Internet Worm
2001 (July 19): Code Red Worm (after 1988)
2003 (Aug 11): Blaster Worm (impact on MS)
2005: Worms Anywhere and Anytime; Microsoft software auto-updates more frequently

Page 18: Course Objectives

Use static analysis tools to identify coding errors before they can be exploited
Introduce Concepts: Software Security, Static Source Code Analysis, Dynamic Analysis, Concolic Analysis

Page 19: Part Ia: Software Security and Static Analysis

The Software Security Problem
Introduction to Static Analysis: introduction and static tools survey
Static Analysis as Part of the Code Review Process: how to effectively use the tools
Static Analysis Internals: how static analysis tools work

Page 20: Software Security Problem

Defensive Programming is not Enough
Security Features != Secure Features
Software Quality and Software Security
Testing Specified vs. Unspecified Features

Page 21: Part Ib: Software Security and Dynamic Analysis

Run-time Error Detection: Memory Leak Detection, Pointer Access Range Detection, Integer Security Detection
Bug Localization and Forensics: deduce/induce faults from failed outputs; exploiting bugs from inspected faults

Page 22: Part Ic: Software Security and Concolic Analysis

Introduction to Symbolic Evaluation and Concrete Evaluation
Combining Symbolic and Concrete Evaluation (Concolic)
Explicit Software Model Checking

Page 23: Part II: Pervasive Problems

Handling Input: Tainted Input Analysis
Buffer Overflow
Bride of Buffer Overflow (Integer Security)
Errors and Exceptions: connections between error handling and recovery; approaches to logging and debugging

Page 24: Part III: Features and Flavors (Guidance for Secure Coding)

Web Applications
XML and Web Services
Privacy and Secrets
Privileged Programs

Page 25: Part IV: Static/Dynamic/Concolic Analysis in Practice

Security Analysis for Java
Security Analysis for C

Page 26: Tools

Static Analysis Tools: MOPS, BLAST, Fortify SCA
Dynamic Analysis Tools: Fuzz Test, CRED, Valgrind (memcheck)
Concolic Tools: CUTE, jCUTE, Alert
Shellcode Tool: Metasploit

Page 27: Course Activities and Grading

Attending Class Lectures (Joining Discussion): 10%

Wargaming (40%)
1. Exploiting a Bug without Shellcode
2. Exploiting a Bug with Command Injection
3. Exploiting a Buffer Overflow Bug with Shellcode Injection
4. Integer Overflow/Signedness with Heap Overflow Exploits
5. Uninitialized Variables/Format String Exploits
6. Web Application Analysis and Exploit Development

Developing Real Exploits (60%)
1. Project 1: Searching for Bugs (15%)
2. Project 2: Converting Bugs into Vulnerabilities (15%)
3. Project 3: Mitigations (15%)
4. Project 4: Exploit Development (15%)

Page 28: P1: Searching for Potentially Exploitable Bugs

Static Analysis: PREfast, SLAM, BLAST, CQUAL
Dynamic Analysis: Fuzzing (zzuf, Peach): Unstructured Fuzzing, Structured Data Fuzzing
Concolic Fuzzing (catchconv): Fuzzing with Taint Analysis

Page 29: P2: Converting Bugs into Vulnerabilities

Failure Analysis (bug forensics): Memcheck (Valgrind plugin), Crash Detection/Recovery (beagle), Fault Localization (delta debugging), Dynamic Taint Analysis

Page 30: P3: Mitigations

Off-by-one Exploit
Non-executable Stack / Stack and Heap Integrity Check
Return-to-libc
Return-oriented Programming
Address-space Randomization
Searching for Fixed Entry Points

Page 31: P4: Exploit Development

Testing Exploitability: Tainted Path Analysis, Controlling Crash/Tainting
Shellcode Forging: Metasploit
Plug into Worm Kit / Take a Botnet: Command/Controlling Botnet

Page 32: Other References

Robert C. Seacord, "Secure Coding in C and C++", Addison-Wesley, 2005. http://www.cert.org/books/secure-coding/

Michael Howard and David LeBlanc, "Writing Secure Code", 2nd Edition, Microsoft Press, 2003.