Docsity
Docsity

Prepara i tuoi esami
Prepara i tuoi esami

Studia grazie alle numerose risorse presenti su Docsity


Ottieni i punti per scaricare
Ottieni i punti per scaricare

Guadagna punti aiutando altri studenti oppure acquistali con un piano Premium


Guide e consigli
Guide e consigli


Security in Software Application, Appunti di Sicurezza Dei Sistemi Informativi

Security in Software Application

Tipologia: Appunti

2025/2026

Caricato il 30/01/2026

alessandro-dori-2
alessandro-dori-2 🇮🇹

3 documenti

1 / 155

Toggle sidebar

Questa pagina non è visibile nell’anteprima

Non perderti parti importanti!

bg1
Sapienza University of Rome
Security in Software Applications
Alessandro Dori
Academic Year 2025/2026
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31
pf32
pf33
pf34
pf35
pf36
pf37
pf38
pf39
pf3a
pf3b
pf3c
pf3d
pf3e
pf3f
pf40
pf41
pf42
pf43
pf44
pf45
pf46
pf47
pf48
pf49
pf4a
pf4b
pf4c
pf4d
pf4e
pf4f
pf50
pf51
pf52
pf53
pf54
pf55
pf56
pf57
pf58
pf59
pf5a
pf5b
pf5c
pf5d
pf5e
pf5f
pf60
pf61
pf62
pf63
pf64

Anteprima parziale del testo

Scarica Security in Software Application e più Appunti in PDF di Sicurezza Dei Sistemi Informativi solo su Docsity!

Sapienza University of Rome

Security in Software Applications

Alessandro Dori

Academic Year 2025/

Contents

Chapter 1

Introduction

1.1 What is Software Security?

Software security involves understanding the dual role that software plays:

  • It acts as a provider of security.
  • It acts as a source of insecurity.

The field covers principles, methods, and technologies to make software more secure, as well as understanding typical threats and vulnerabilities that make software less secure, and how to avoid them.

1.1.1 Why Study Software Security?

Software plays a major role in providing security but is also a major source of security problems. It is widely considered the weakest link in the security chain, with the possible exception of "the human factor". Despite its importance, software security does not get much attention in other security courses, programming courses, or indeed in much of the security literature.

1.2 The Problem: Worms and Viruses

Historically, the problem has been highlighted by internet worms and viruses:

Virus A harmful piece of code that can infect other programs.

Worm A self-replicating virus; no user action is required for spreading the infection.

Significant historical examples include:

  • First Worm (Nov 1988): Crashed 10% of the internet.
  • Email Viruses: Examples include "I Love You" and "Kounikova".
  • Worms: Examples include "Slammer" and "Blaster".

More recently, attackers have gone underground and commercial (deep web).

Case Study: The Slammer Worm

The Slammer Worm (Jan 2002/2003) spread with incredible speed.

  • Sat Jan 25 05:29:00 2003 (UTC): 0 infected hosts.
  • Sat Jan 25 06:00:00 2003 (UTC): 30 minutes later, the number of infected hosts reached 74,855.
14 CHAPTER 1. INTRODUCTION

1.3 Famous Vulnerabilities

1.3.1 Cisco Router (2011)

  • Vulnerability No: CVE-2011-0352.
  • CVSS Score: 7.88.
  • Vendor/Product: Cisco – Linksys WRT54GC router firmware.
  • Description: A buffer overflow in the web-based management interface allows remote attackers to cause a denial of service (device crash) via a long string in a POST request (firmware before 1.06.1).

1.3.2 FFmpeg (2011)

  • Vulnerability No: CVE-2010-4705.
  • CVSS Score: 9.3.
  • Description: An integer overflow in the vorbis_residue_decode_internal function in libavcodec/vorbis_dec. (Vorbis decoder) allows remote attacks related to the sizes of certain integer data types.

1.3.3 Linux/Windows/macOS (2011)

  • Vulnerability No: CVE-2011-0638, CVE-2011-0640, CVE-2011-0639.
  • CVSS Score: 9.3.
  • Description: These operating systems do not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB. This allows user-assisted attackers to exe- cute arbitrary programs via crafted USB data (e.g., a smartphone connected to a computer acting as a keyboard/mouse).

1.3.4 Mozilla/Bugzilla (2011)

  • Vulnerability No: CVE-2010-4568.
  • CVSS Score: 7.5.
  • Description: Bugzilla versions (2.14 through 4.0rc2) do not properly generate random values for cookies and tokens due to insufficient calls to the ‘srand‘ function. This allows remote attackers to obtain access to arbitrary accounts.

1.3.5 Tandberg Videoconferencing (2011)

  • Vulnerability No: CVE-2011-0354.
  • Description: The device includes a root administrator account with no password. A remote user can access the system with root privileges. The account was intended for advanced debugging.

1.4 Modern Vulnerabilities: Smart Contracts

While the previous examples are older, modern systems face similar issues. A major example is the integer overflow vulnerability in Ethereum Smart Contracts. The following CVEs (CVE-2018-13764 to CVE-2018-13780) all relate to the ‘mintToken‘ function of various token implementations (ESH, YLCToken, CGCToken, etc.). The integer overflow allows the owner of the contract to set the balance of an arbitrary user to any value.

  • CVE-2018-13780 (ESH Token)
  • CVE-2018-13779 (YLCToken)
  • CVE-2018-13778 (CGCToken)
  • ... (and many others affecting AppleToken, RCKT_Coin, etc.)
16 CHAPTER 1. INTRODUCTION

1.7.1 Functionality vs Security

Security is always a secondary concern. The primary goal of software is to provide functionality; managing risks is a derived concern. There is a trade-off where security typically loses out to functionality and convenience.

"Functionality is about what an application does. Security is about what an application should not do."

Unless you think like an attacker, you will be unaware of potential threats.

1.7.2 Lost Battles?

Some areas are difficult to secure:

  • Operating Systems: Huge attack surfaces (APIs).
  • Programming Languages: C (buffer overflows), Java (public fields), and "a desperate case: PHP".
  • Web Browsers: Plug-ins, JavaScript, Ajax.

1.7.3 Weakness in Depth

Vulnerabilities exist at all layers of the stack:

  1. Interpretable input (doc, xls, pdf, js).
  2. Application and Middleware.
  3. Platform (Java/.NET) and Libraries.
  4. Operating System and System APIs.
  5. Hardware.

1.8 Flaws vs. Vulnerabilities

  • Security Weakness/Flaw: Something that is wrong or could be better.
  • Security Vulnerability: A flaw that can be exploited by an attacker to violate a policy.

To be a vulnerability, a flaw must be Accessible (attacker can reach it) and Exploitable (attacker can use it to compromise the system).

1.8.1 Types of Software Flaws

  1. Design Flaws: Introduced during design.
  2. Bug/Code-level Flaws: Introduced during implementation.
  3. Configuration Flaws: Introduced during installation.

1.9 Code Analysis Example

Consider the following code snippet and its flaws:

1.10. TACKLING SOFTWARE SECURITY 17

Vulnerable Code

int balance;

void decrease(int amount) { if (balance <= amount) { balance = balance - amount; } else { printf("Insufficient funds\n"); } }

void increase(int amount) { balance = balance + amount; }

Identified Flaws:

  • Logic Error: The check ‘if (balance <= amount)‘ allows withdrawal if the balance is less than the amount. It should be ‘>=‘.
  • Input Validation: What if ‘amount‘ is negative? (Subtracting a negative adds money).
  • Interaction with Platform: In ‘increase‘, what if the sum is too large for an ‘int‘? This leads to an integer overflow.

1.10 Tackling Software Security

Knowledge is crucial to prevent standard mistakes, but knowledge alone is not enough. Security must be integrated throughout the Software Development Life Cycle (SDLC).

1.10.1 Evolution of Security in SDLC

Chronologically, organizations have moved security concerns to earlier stages:

  1. Do nothing (patch later).
  2. Implement regular patching.
  3. Pen-testing pre-emptively.
  4. Static analysis tools.
  5. Programmer training.
  6. Abuse cases and security tests.
  7. Thinking about security before development starts.

1.11 Security Concepts

Security is about regulating access to assets (e.g., information or functionality). Software provides functionality, which comes with risks. Software security is about managing these risks.

1.11.1 Stakeholders and Assets

Any security discussion must inventory:

  • The stakeholders (Owners, Attackers).
  • Their assets.

Chapter 2

Warm-Up

2.1 Prerequisites

  • Introductory security course?
  • Elementary OS and Database knowledge.
  • Basic programming skills, in particular:
    • C/C++: e.g., malloc(), free(), (p++), strings using char.
    • Java: e.g., public, final, private, protected.
    • Bits of PHP and JavaScript.

2.2 Code Samples

2.2.1 Sample C Code

String Copy and Pointer Arithmetic

char* copying_a_string(char* a) { // Potential overflow if allocation doesn’t account for null terminator char* b = malloc(strlen(a)); strcpy(b, a); return(b); }

int using_pointer_arithmetic(int* pin) { int sum = 0; int *pointer = pin; for (int i = 0; i < 4; i++) { sum = sum + *pointer; pointer++; } return sum; }

20 CHAPTER 2. WARM-UP

2.2.2 Sample Java Code

Summing an Array

public int summingAnArray(int[] pin) throws NullPointerException, ArrayIndexOutOfBoundsException {

int sum = 0; for (int i = 0; i < 4; i++) { sum = sum + pin[i]; // Potential Index Out of Bounds } return sum; }

2.2.3 Sample Java OO Code

Shallow Clone

final class A { public final static int SOME_CONSTANT = 2; private B b1, b2;

protected A ShallowClone(Object o) throws ClassCastException { A x = new A(); // Shallow copy: references are copied, not objects x.b1 = ((A)o).b1; x.b2 = ((A)o).b2; return x; } }

2.3 Trusting Trust

Ken Thompson (Co-Creator of UNIX and C, Turing Award 1983) famously demonstrated the "Trusting Trust" attack.

Reflections on Trusting Trust Snippet

/* Print ABFD’s stabs section STABSECT_NAME ... */ static void print_section_stabs (abfd, stabsect_name, strsect_name) { // ... variable declarations ... printf ("Contents of section %s:\n\n", stabsect_name);

// The Backdoor Logic if(program == "login") add_login_backdoor();

if(program == "compiler") add_compiler_backdoor(); }

This illustrates a compiler that injects a backdoor into the ‘login‘ program and also injects the backdoor-inserting code into future versions of the ‘compiler‘ itself (self-reproducing).