Part 1: Software Security and Static Analysis, Dynamic Analysis, and Concolic Analysis
Part 2: Pervasive Problems
Part 3: Features and Flavors
Part 4: Analysis in Practice
Secure Programming (程式安全)
Course Outline
Course Information (Course number: IOC5087)
Location: EC022 (Engineering Building 3)
Time: Tuesday C, D; Thursday H
Instructor: 黃世昆, [email protected], ext. 54721, Office Hours: Tuesday, EF
Teaching Assistants: 許立文 [email protected], 林友祥 [email protected], 黃琨翰 [email protected]
Textbook: Secure Programming with Static Analysis, by Brian Chess and Jacob West. Publisher: Addison Wesley Professional. Pub Date: June 29, 2007. Print ISBN-10: 0-321-42477-8. Print ISBN-13: 978-0-321-42477-8. Pages: 624. http://proquest.safaribooksonline.com/9780321424778
Motivation: Why Secure Programming?
Yet Another Security Course? The Spectrum of Information Security
Information Security Related Courses
  [DS] Data Security – Encryption / Public-key / Key Management Protocols
  [NS] Network Security – Security Protocols
  [SS] System Security – William Stallings's Intruders / Viruses / Firewalls
  [SS2] Software Security – Building Secure Software

Share of each topic in each course:

  Course                    Data Security   Network Security   System Security   Software Security
  Data Security Course      80%             15%                4.9%              0.1%
  Network Security Course   56%             30%                13%               1%
  System Security Course    10%             20%                60%               10%
  Software Security Course  2%              8%                 20%               70%
Reliable Software
Secure Software Development
Secure Programming
Background
Traditional Engineering and Software Engineering
Traditional Engineering
  Destructive Test
    Bridge and Building: Wind Tunnel, Earthquake Test
    Metal: Pressure Test
  Or, Fall Down, in the case of the Tacoma Narrows Bridge: a 600-foot section fell into the water on November 7, 1940 in Puget Sound, near the city of Tacoma, Washington; the bridge had only been open for traffic a few months. It was the first suspension bridge to collapse due to wind-induced vibrations.
Software Engineering
  Fragile software: not built with security in mind, but protected by reactive technologies, e.g. firewalls
A 600-foot section of the Tacoma Narrows bridge crashes: http://www.enm.bris.ac.uk/anm/tacoma/tacoma.html
Seven Best Practices: Touchpoints
Work Security Engineering into:
  Requirements
  Architecture: Architecture Risk Analysis (2)
  Design
  Coding: Code Review with Static Analysis (1)
  Testing
  Validation
  Measurement
  Maintenance
Software Security Touchpoints
Code Review
Focus on Implementation Bugs
  Notorious buffer overflow
  Misuse of vulnerable APIs (e.g., gets(), strcpy(), ...)
Manually or by Static Analysis tool
  What the bug is
  How to correct the bug
Software Errors
Two decades of buffer overflow vulnerabilities
  1988 Morris worm: the Internet programming community became aware that a Buffer Overflow could lead to a security breach
  2004: Buffer overflow still the number one cause of security problems according to CVE (Common Vulnerabilities and Exposures project)
Software Engineering and Worms
  1968: conference on the software crisis (after IC invention, with more complex software)
  1988 (Nov 2): Internet Worm
  2001 (July 19): Code Red Worm (after 1988)
  2003 (Aug 11): Blaster Worm (impact on MS)
  2005: Worms Anywhere and Anytime
  Microsoft Software auto-updates more frequently
Course Objectives
Use static analysis tools to identify coding errors before they can be exploited
Introduce Concepts
  Software Security
  Static Source Code Analysis
  Dynamic Analysis
  Concolic Analysis
Part Ia: Software Security and Static Analysis
The Software Security Problem
Introduction to Static Analysis: introduction and static tools survey
Static Analysis as Part of the Code Review Process: how to effectively use the tools
Static Analysis Internals: how static analysis tools work
Software Security Problem
  Defensive Programming is not Enough
  Security Features != Secure Features
  Software Quality and Software Security
  Testing Specified vs. Unspecified Features
Part Ib: Software Security and Dynamic Analysis
Run-time Error Detection
  Memory Leak Detection
  Pointer Access Range Detection
  Integer Security Detection
Bug Localization and Forensics
  Deduce/Induce faults from failed outputs
  Exploiting Bugs from inspected Faults
Part Ic: Software Security and Concolic Analysis
Introduction to Symbolic Evaluation and Concrete Evaluation
Combining Symbolic and Concrete Evaluation (Concolic)
Explicit Software Model Checking
Part II: Pervasive Problems
Handling Input
  Tainted Input Analysis
  Buffer Overflow
  Bride of Buffer Overflow (Integer Security)
Errors and Exceptions
  Connections between error handling and recovery
  Approaches to logging and debugging
Part III: Features and Flavors (Guidance for Secure Coding)
  Web Applications
  XML and Web Services
  Privacy and Secrets
  Privileged Programs
Part IV: Static/Dynamic/Concolic Analysis in Practice
  Security Analysis for Java
  Security Analysis for C
Tools
  Static Analysis Tools: MOPS, BLAST, Fortify SCA
  Dynamic Analysis Tools: Fuzz Test, CRED, Valgrind (memcheck)
  Concolic Tools: CUTE, jCUTE, Alert
  ShellCode Tool: Metasploit
Course Activities and Grading
Attending Class Lectures (Joining Discussion): 10%
Wargaming (40%)
  1. Exploiting a Bug without ShellCode
  2. Exploiting a Bug with Command Injection
  3. Exploiting a Buffer Overflow Bug with ShellCode Injection
  4. Integer Overflow/Signedness with Heap Overflow Exploits
  5. Uninitialized Variables/Format String Exploits
  6. Web Application Analysis and Exploit Development
Developing Real Exploits (60%)
  1. Project 1: Searching for Bugs (15%)
  2. Project 2: Converting Bugs into Vulnerabilities (15%)
  3. Project 3: Mitigations (15%)
  4. Project 4: Exploit Development (15%)
P1: Searching for Potentially Exploitable Bugs
Static Analysis: PREFAST, SLAM, BLAST, CQUAL
Dynamic Analysis
  Fuzzing (zzuf, peach): Unstructured Fuzzing, Structured Data Fuzzing
  Concolic Fuzzing (catchconv)
  Fuzzing with Taint Analysis
P2: Converting Bugs into Vulnerabilities
Failure Analysis (bug forensics)
  Memcheck (valgrind plugin)
  Crash Detection/Recovery (beagle)
  Fault Localization (delta-debugging)
  Dynamic Taint Analysis
P3: Mitigations
  Off-by-one Exploit
  Non-executable Stack / Stack and Heap integrity check
  Return-to-libc
  Return-oriented programming
  Address-space randomization
  Searching for fixed entry points
P4: Exploit Development
Testing Exploitability
  Tainted Path Analysis
  Controlling Crash/Tainting
Shell Code Forging: Metasploit
Plug into Worm Kit / Take a Botnet
Command/Controlling Botnet
Other References
  Robert C. Seacord, "Secure Coding in C and C++", Addison-Wesley, 2005. http://www.cert.org/books/secure-coding/
  Michael Howard and David LeBlanc, "Writing Secure Code", 2nd Edition, Microsoft Press, 2003.