Lecture Notes on Risk Analysis for Software | CS 475, Study Guides, Projects, Research of Cryptography and System Security

Material Type: Project; Professor: Greenstadt; Class: Computer and Network Security; Subject: Computer Science; University: Drexel University; Term: Winter 2009;

Typology: Study Guides, Projects, Research

Pre 2010

Uploaded on 08/19/2009

koofers-user-mj8
koofers-user-mj8 🇺🇸

10 documents

1 / 52

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
Cs 475: Lecture 4
Software Security Defenses
Rachel Greenstadt
January 15, 2009
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31
pf32
pf33
pf34

Partial preview of the text

Download Lecture Notes on Risk Analysis for Software | CS 475 and more Study Guides, Projects, Research Cryptography and System Security in PDF only on Docsity!

Cs 475: Lecture 4

Software Security Defenses

Rachel Greenstadt

January 15, 2009

Reminders

Blog posts (or comments) due today

Security reviews also due today (11:59 pm)

gdb example up on website (start project!)

Common Defense

Methods

Security by Correctness (no more bugs)

“Safe” programming languages

Code verification

Fuzz testing

Security by Architecture (hard to exploit bugs)

Stack protection mechanisms

Obfuscation

Security by Isolation (Sandboxing - Tuesday)

Security by Response (Patching)

“Safe” Programming

Languages

Just write it in (Java, C#, ML, Haskell, etc)?

Memory safety - Can’t arbitrarily copy bits from one location to another

Type Safety “A language is type-safe if the only operations that can be

performed on data in the language are those sanctioned by the type of

the data."

Bugs still exist

Still a good idea (like birth control that way)

Not all code can be written (or rewritten) in these languages practically

Efficiency, low-level access needed, legacy code

Manual Code

Verification

A lot of evidence that peer reviews help find bugs,

improve software quality

People write better code if their colleagues are

going to look at it

Teaches people about secure software

Good code review catches ~50% of bugs

[McGraw]

Michael Howard’s 19 Deadly Sins of Software

  • Buffer Overflows
  • Format String problems
  • SQL injection
  • Command injection
  • Failure to handle errors
  • Cross-site scripting
  • Failing to protect network traffic
  • Use of "magic" URLs and hidden forms
  • Improper use of SSL
  • Use of weak password-based systems
  • Failing to store and protect data
    • Information leakage
    • Improper file access
    • Integer range errors
    • Trusting network address information
    • Signal race conditions
    • Unauthenticated key exchange
    • Failing to use cryptographically strong random numbers
    • Poor usability

Two Types of Static Analysis

  • The type you write in 100 lines of python.
    • (^) Look for known unsafe string functions strncpy(), sprintf(), gets()
    • Look for unsafe functions in your source base
    • Look for recurring problem code (problematic interfaces, copy/ paste of bad code, etc.)
  • The type you get a PhD for
    • Buy this from coverity, fortify, etc.
    • Built into visual studio
    • Roll your own on top of LLVM or Phoenix if hardcore

Static Analysis Basics

  • Model program properties abstractly, look for problems
  • Tools come from program analysis
    • Type inference, data flow analysis, theorem proving
  • Usually on source code, can be on byte code or disassembly
  • Strengths
    • Complete code coverage (in theory)
    • Potentially verify absence/report all instances of whole class of bugs
    • Catches different bugs than dynamic analysis
  • Weaknesses
    • High false positive rates
    • Many properties cannot be easily modeled
    • Difficult to build
    • Almost never have all source code in real systems (operating system,

shared libraries, dynamic loading, etc.)

Example: Where is the bug? int read_packet(int fd) { char header[50]; //model (header, 50) char body[100]; //model (body, 100) size_t bound_a = 50; size_t bound_b = 100; read(fd, header, 100); read(fd, body, 100); return 0; }

Example: Where is the bug? int read_packet(int fd) { char header[50]; //model (header, 50) char body[100]; //model (body, 100) size_t bound_a = 50; size_t bound_b = 100; read(fd, header, 100); //constant propagation read(fd, body, 100); //constant propagation return 0; }

Example: Where is the bug? int read_packet(int fd) { char header[50]; //model (header, 50) char body[100]; //model (body, 100) size_t bound_a = 50; size_t bound_b = 100; //check read(fd, 50 >= 100) => SIZE MISMATCH!! read(fd, header, 100); //constant propagation read(fd, body, 100); //constant propagation return 0; }

Rarely are Things This Clean

  • Need information across functions
  • Ambiguity due to pointers
  • Lack of association between size and data type…
  • Lack of information about program inputs/ runtime state…

Care and Feeding of Static Analysis Tools

  • Run and Fix Errors Early and Often
    • otherwise false positives can be overwhelming.
  • Use Annotations
    • Will catch more bugs with few false positives
  • Write custom rules!
    • Static analysis tools provide institutional memory
  • Take advantage of what your compiler provides
    • gcc -Wall, /analyze in visual studio
  • Bake it into your build or source control

Normal Dynamic Analysis

  • Run program in instrumented execution environment - Binary translator, Static instrumentation, emulator
  • Look for bad stuff
    • Use of invalid memory, race conditions, null pointer deref, etc.
  • Examples: Purify, Valgrind, Normal OS exception handlers (crashes)