build it break it fix it
play

Build it, Break it, Fix it Build-it Lecture Prof. Eric Bodden - PowerPoint PPT Presentation

Aug 28, 2022 •102 likes •610 views

Build it, Break it, Fix it Build-it Lecture Prof. Eric Bodden Build It, Break It, Fix It SS 17 Today Introduction n Theoretical Part: How to Build Secure Software n Brief Problem Overview n Setup HowTo for Phase I n 2 Prof. Eric

  1. Build it, Break it, Fix it Build-it Lecture Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  2. Today Introduction n Theoretical Part: How to Build Secure Software n Brief Problem Overview n Setup HowTo for Phase I n 2 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  3. General Setup Group Project with groups of four or five students n Three Phases: n 1st Phase: n Each group implements software according to a specification 2nd Phase: n Each group examines the implementations of the other groups, searches for vulnerabilites and writes exploits. 3rd Phase: n Each group receives the vulnerability reports, has to fix them and write a report. 3 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  4. Organisation Appointments 31.07.2017 10 AM s.t. - 3 PM Kickoff „Build It" n 03.08.2017 10 AM s.t. - 1 PM Q&A session 1 (voluntary) n 07.08.2017 10 AM s.t. - 3 PM Intermediate presentations + Kickoff „Break It" n 10.08.2017 10 AM s.t. - 1 PM Q&A session 2 (voluntary) n 14.08.2017 10 AM s.t. - 3 PM Intermediate presentations + Kickoff „Fix It" n 17.08.2017 10 AM s.t. - 1 PM Q&A session 3 (voluntary) n 21.08.2017 10 AM s.t. - 1 PM Final presentations n 21.08.2017 11:59 PM Deadline for the final report n Examination n Consists of your practical contest participation, the final report, the presentations and an oral exam n Make an appointment for your oral exam with Prof. Bodden Slides available online 4 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  5. Organisation Deliverables 2 Intermediate Presentations: 10min talk, summarise your work of the previous n phase Final Presentation: 15min talk, summarise your overall work of all phases n Final report: max. 10 pages, write about your implementation, your breaking n approach, your bugs and their fixes and lessons learned Oral examination: Knowledge about theoretical parts and about your group‘s n implementation, breaks and fixes Slides available online 5 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  6. General Advice Challenge yourself, challenge the others, expect to be challenged n Do not start working on the Saturday before the deadline n Raise your questions in time and use the course mailing list , so that others may n benefit from the answers as well. Please participate and answer questions for others when you know the answer. Mailing List: bibifi@lists.uni-paderborn.de Make use of the Q/A sessions and come early, as we may leave earlier if there is no n demand Rules No plagiarism (zero tolerance) n No deadline extensions n Do not attack the infrastructure n Allowed Programming Languages: C, Python, Java n 6 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  7. How to Build Secure Software 7 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  8. Why do we care? 8 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  9. How risky can it be to use Adobe Flash Player? 2011 Attack on RSA and U.S. Weapon Manufacturers 1: Social engineering & phishing 3: Collecting SecureID secret seed records, downloading them from staging server. ▪ RSA issues warning on March 17 ▪ Unusually fast (e.g., attack on ▪ March 3: Fake email to some RSA employees: [2011 Nortel went unnoticed for more Recruitment plan.xls] with embedded flash zero-day then 10 years) CVE-2011-0609 in Adobe Flash Player. ▪ Planted “Poison Ivy” trojan horse. 4: Exploiting compromised SecureID to break into the target systems at defence industry. 2: Digital Shoulder Surfing ▪ June 3: Lockheed discloses a blocked attack, which exploited the breach at RSA. ▪ Poison Ivy connects back ▪ RSA announced replacement program for tokens to control server, giving (>40M tokens worldwide, Lockheed > 45’000). full control to attacker. ▪ August 2011: RSA acknowledge immediate 66M$ ▪ Attacker gradually moves for recovery. towards higher value accounts ▪ March 27, 2012: NSA attributes attack to Chinese and data. hackers http://www.f-secure.com/weblog/archives/00002226.html http://www.nytimes.com/2011/06/08/business/08security.html?pagewanted=all http://www.informationweek.com/news/government/security/232700341 9 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  10. What does “Security” mean for Software and Information Systems? 10 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  11. Security is Not a Set of Features Secure is an emergent property of software n “Being dry” in a tent in the rain n Being secure is the result of many, many factors, not one feature (e.g. encryption) n …so requirements documents should not just be a list of features n 11 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  12. Core Security Goals The CIA Triad Confidentiality The system must not disclose any information intended to be hidden, e.g., your credit card information on a website. Note: open source software can still be confidential. Integrity Availability The system must not allow assets to be The system must be able to be available and subverted by unauthorized users, e.g., operational to users, e.g., bringing down changing a prisoner’s release date. Amazon.com We must be able trust what is in the system Any system performance degradation that can be The data being stored triggered by a user can be used for denial of The functionality being executed service attacks 12 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  13. Threat Classification Spoofing “Pretending to be something or someone other than yourself.” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] Authentication IP Spoofing n Set source IP address to some other IP n E-Mail Spoofing n Replace sender address n In SMTP, “From” is not checked n 13 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  14. Threat Classification Tampering “Modifying something on disk, on a network, or in memory.” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] “Web Tampering” [owasp.org] n Integrity <input type=”hidden” id=”1008” name=”cost” value=”70.00”> http://www.attackbank.com/savepage.asp?nr=147&status=del http://www.attackbank.com/savepage.asp?nr=147&status=read 14 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  15. Threat Classification Repudiation “Claiming that you didn’t do something, or were not responsible. Repudiation can be honest or false, and the key question for system designers is, what evidence do you have?” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] Confirmation Deleting Logs n Using symmetric keys for signing n Both parties can dispute the signing n 15 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  16. Threat Classification Information Disclosure “Providing information to someone not authorized to see it.” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] Confidentiality 16 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  17. Threat Classification Denial of Service “Absorbing resources needed to provide service.” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] Availability Any system performance degradation that can be triggered by n an user can be used for denial of service attacks, e.g., too many server requests Blog of security blogger Brian Krebs was taken down in n September 2016 DNS services of Dyn were attacked in October 2016 n Many prominent websites were not reachable n Botnet of thousands of IoT devices, e.g., IP-cameras n 17 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  18. Threat Classification Elevation of privilege “Allowing someone to do something they’re not authorized to do.” [Shostack, A. (2014). Threat modeling : designing for security., Indianapolis, Ind. : Wiley.] Authorization Library for image processing n Used by many websites n “Image Tragic” n Upload a compromised SVG n Execute code with the privileges of the calling n server process, e.g., deleting all images 18 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  19. Threat Classification Summary S poofing Authentication T ampering Confidentiality Authorization R epudiation I nformation Disclosure D enial of Service Integrity E levation of Privilege Availability Confirmation 19 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  20. Composability Component AB Component A + Component B Sometimes… Secure + Secure Secure Insecure Security is usually not preserved under composition! 20 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  21. At which point in the development can we apply security? At which point in the development can we introduce insecurity? 21 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  22. Software Development Lifecycle – Potentials for Insecurity Overlooking Bad Incomplete Flawed Incomplete vuln. Configuration Requirements Architecture Test and Feedback from Test Plans Code and Use Cases And Design Test Results the Field 22 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

  23. Security Touchpoints Requirements Architecture Test and Feedback from Test Plans Code and Use Cases And Design Test Results the Field 23 Prof. Eric Bodden – Build It, Break It, Fix It SS 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Build it, Break it, Fix it Break it Today Build It Presentations Theoretical Part:

Build it, Break it, Fix it Break it Today Build It Presentations Theoretical Part:

Build it, Break it, Fix it Break it Today Build It Presentations Theoretical Part: How to Approach Vulnerability Finding Hints for Break It Prof. Eric Bodden Build It, Break It, Fix It SS 17 2 How to Approach Vulnerability

573 views • 56 slides
Build it, Break it, Fix it Fix it Today Break It Presentations Theoretical Part: How

Build it, Break it, Fix it Fix it Today Break It Presentations Theoretical Part: How

Build it, Break it, Fix it Fix it Today Break It Presentations Theoretical Part: How to Approach Vulnerability Fixing Hints for Fix It Prof. Eric Bodden Build It, Break It, Fix It SS 17 2 How to Approach Vulnerability

723 views • 37 slides
UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix It Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks University of Maryland MANY REAL VULNERABILITIES

611 views • 34 slides
UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis From Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis From Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis From Build It, Break It, Fix It Daniel Votipka , Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks University of Maryland, College Park 1 SOLVED

1.64k views • 148 slides
It will break! Leonid Movsesyan, Dropbox Hierarchy of needs 4 easy steps Build your

It will break! Leonid Movsesyan, Dropbox Hierarchy of needs 4 easy steps Build your

It will break! Leonid Movsesyan, Dropbox Hierarchy of needs 4 easy steps Build your hierarchy of needs Put together your assumptions about the each layer Run regular disaster recovery testing (DRT) as close to reality as possible

447 views • 27 slides
STAKEHOLDER ENGAGEMENT Tuesday 13 th March 2018 OPERATING SCHEDULE SITE LAYOUT BUILD &amp; BREAK

STAKEHOLDER ENGAGEMENT Tuesday 13 th March 2018 OPERATING SCHEDULE SITE LAYOUT BUILD &amp; BREAK

STAKEHOLDER ENGAGEMENT Tuesday 13 th March 2018 OPERATING SCHEDULE SITE LAYOUT BUILD &amp; BREAK Handover of the park: Pre-event - 19 th May / Post-event - 11 th June Two production gates: Herne Hill Gate for large vehicles (10am -

324 views • 13 slides
Identify the Break-Even Point 1 What does it mean to break-even? 2

Identify the Break-Even Point 1 What does it mean to break-even? 2

Identify the Break-Even Point 1 What does it mean to break-even? 2 What is a break-even point? 3 Calculating the Break-Even Point (BEP) in number of units (items) 4 Calculating Break-Even point for a Lemonade

234 views • 8 slides
A tentative Summary mon$1 tue$2 wed$3 thu$4 fri$5 Morning 8:15$9:009 registration

A tentative Summary mon$1 tue$2 wed$3 thu$4 fri$5 Morning 8:15$9:009 registration

A tentative Summary mon$1 tue$2 wed$3 thu$4 fri$5 Morning 8:15$9:009 registration 9:00$9:15 welcome 9:15$10:15 Stecker 9:00$10:00 Keating Granot Miller Kelley 10:15$10:45 BREAK 10:00$10:30 BREAK BREAK BREAK BREAK 10:45$11:30

224 views • 8 slides
Food Pledge The purpose of the Pledge The Pledge helps us break down the complexity of the food

Food Pledge The purpose of the Pledge The Pledge helps us break down the complexity of the food

The Southeast NB Food Pledge The purpose of the Pledge The Pledge helps us break down the complexity of the food system into bite-sized actions that link our work at the individual, organizational, and political levels to set goals, and build a

168 views • 14 slides
Self-Advocate Coffee Break FRIDAY, APRIL 24 TH 3:00 EST Coffee- Break Agenda Introduction

Self-Advocate Coffee Break FRIDAY, APRIL 24 TH 3:00 EST Coffee- Break Agenda Introduction

Self-Advocate Coffee Break FRIDAY, APRIL 24 TH 3:00 EST Coffee- Break Agenda Introduction What is your dream vacation and who would you take with you? In break out rooms discuss the questions for about 5 - 10 minutes Make

210 views • 7 slides
self build housing Ted Stevens NaSBA Chair What is Self/Custom Build? Who does it/what is

self build housing Ted Stevens NaSBA Chair What is Self/Custom Build? Who does it/what is

New ways of delivering self build housing Ted Stevens NaSBA Chair What is Self/Custom Build? Who does it/what is changing? The New Self Build Policy Why Support Self Build? The Self Build Revolution so Far Some Case Studies What is Self

960 views • 56 slides
Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing

Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing

Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing Introduction, Weighted Interval Scheduling some local criterion. Divide-and-conquer. Break up

434 views • 7 slides
EMA EFPIA workshop EMA EFPIA workshop Break- -out session no. 4 out session no. 4 Break

EMA EFPIA workshop EMA EFPIA workshop Break- -out session no. 4 out session no. 4 Break

EMA EFPIA workshop EMA EFPIA workshop Break- -out session no. 4 out session no. 4 Break Longitudinal model-based test as primary analysis in phase III B. Bieth*, D. Renard*, I. Demin*, B. Hamrn*, G. Heimann*, Sigrid Balser** *

402 views • 15 slides
Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing some local

Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing some local

Algorithmic paradigms Dynamic Programming Greedy. Build up a solution incrementally, myopically optimizing some local criterion. Introduction, Weighted Interval Scheduling Divide-and-conquer. Break up a problem into independent subproblems,

237 views • 7 slides
Build-Finance or Design-Build-Finance Transportation Projects Types of P3s Design-Build (DB)

Build-Finance or Design-Build-Finance Transportation Projects Types of P3s Design-Build (DB)

Build-Finance or Design-Build-Finance Transportation Projects Types of P3s Design-Build (DB) D B Asset Management Contract R M Design-Build-Finance (DBF) F Design-Build-Operate-Maintain (DBOM) Increasing Private Sector Role

218 views • 19 slides
Build Build Build Build System building The process of compiling and linking software

Build Build Build Build System building The process of compiling and linking software

Build Build Build Build System building The process of compiling and linking software components into an executable system Different systems are built from different combinations of components Invariably supported by automated

557 views • 20 slides
CS 6360: Educational Technology Lecture 1: Overview Promise Why should you take this class?

CS 6360: Educational Technology Lecture 1: Overview Promise Why should you take this class?

CS 6360: Educational Technology Lecture 1: Overview Promise Why should you take this class? What is this class? How will you be evaluated? What are the first assignments? Promise Why should you take this class? What is

1.14k views • 60 slides
Course intro, RE Overview, Requirement types Lecture 1, DAT230, Requirements Engineering Robert

Course intro, RE Overview, Requirement types Lecture 1, DAT230, Requirements Engineering Robert

Course intro, RE Overview, Requirement types Lecture 1, DAT230, Requirements Engineering Robert Feldt, 2012-09-04 tisdag 4 september 12 Who am I? Who are you? tisdag 4 september 12 What is Software Engineering? How different from Computer

982 views • 75 slides
BIG DATA AND US 2 GARTNER HYPE CYCLE www.gartner.com www.wikipedia.org GARTNER HYPE CYCLE 3

BIG DATA AND US 2 GARTNER HYPE CYCLE www.gartner.com www.wikipedia.org GARTNER HYPE CYCLE 3

BIG DATA AND US 2 GARTNER HYPE CYCLE www.gartner.com www.wikipedia.org GARTNER HYPE CYCLE 3 Emerging technologies 2014 www.gartner.com 4 TIME TO BE PRODUCTIVE Large data hide true quantitative signal Large data generate spurious

446 views • 21 slides
Using Monitoring and Metrics to learn in Development Patrick Debois Atlassian

Using Monitoring and Metrics to learn in Development Patrick Debois Atlassian

Using Monitoring and Metrics to learn in Development Patrick Debois Atlassian http://jedi.be/blog @patrickdebois Monday, May 21, 12 HOSTEDOPS https://my.atlassian.com/ondemand/ http://www.cutter.com http://itrevolution.com Vagrant &amp;

775 views • 66 slides
Kernel Debugging and Virtualization John Baldwin January 15, 2015 What is Kernel Debugging

Kernel Debugging and Virtualization John Baldwin January 15, 2015 What is Kernel Debugging

Kernel Debugging and Virtualization John Baldwin January 15, 2015 What is Kernel Debugging Step in Kernel Development Post-Mortem Crash Analysis Live Inspection Performance Analysis Userland Debugging Wait, Userland

216 views • 10 slides
PeCoH Raising Awareness for Costs and Performance Nathanael Hbbe 2017-12-04 PeCoH is

PeCoH Raising Awareness for Costs and Performance Nathanael Hbbe 2017-12-04 PeCoH is

PeCoH Overview HPC Certification Program Knowledge Base HPC Cost Modelling HHCC Summary and Outlook PeCoH Raising Awareness for Costs and Performance Nathanael Hbbe 2017-12-04 PeCoH is supported by Deutsche Forschungsgemeinschaft (DFG)

404 views • 16 slides
Operating System Principles: Performance Measurement and Analysis CS 111 Operating Systems

Operating System Principles: Performance Measurement and Analysis CS 111 Operating Systems

Operating System Principles: Performance Measurement and Analysis CS 111 Operating Systems Peter Reiher Lecture 11 CS 111 Page 1 Fall 2016 Outline Introduction to performance measurement Issues in performance measurement A

708 views • 54 slides
Topic #6 CS162 Topic #6 1 CS162 - Topic #6 Lecture: Arrays with Structured Elements

Topic #6 CS162 Topic #6 1 CS162 - Topic #6 Lecture: Arrays with Structured Elements

Introduction to C++ Arrays of Arrays Topic #6 CS162 Topic #6 1 CS162 - Topic #6 Lecture: Arrays with Structured Elements defining and using arrays of arrays remember pointer arithmetic Review for the Final Exam

637 views • 32 slides

More recommend