cs 527 software security
play

CS-527 Software Security Introduction Asst. Prof. Mathias Payer - PowerPoint PPT Presentation

Jul 23, 2023 •735 likes •1.03k views

CS-527 Software Security Introduction Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Staff Table of Contents Staff 1 Course

  1. CS-527 Software Security Introduction Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017

  2. Staff Table of Contents Staff 1 Course overview 2 Software Security Fails 3 Course Mechanics 4 Summary and Conclusion 5 Mathias Payer (Purdue University) CS-527 Software Security 2017 2 / 28

  3. Staff Mathias Payer MSc. ETH in 2006, Dr. sc. ETH in 2012, focusing on runtime mitigations for binaries: “ Safe Loading and Efficient Runtime Confinement: A Foundation for Secure Execution ”. Post doc in Dawn Song’s BitBlaze group at UC Berkeley, focusing on memory safety errors and compiler-based mitigations. Faculty at Purdue since fall 2014. Founded b01lers CTF team in 2014. Homepage: http://nebelwelt.net Mathias Payer (Purdue University) CS-527 Software Security 2017 3 / 28

  4. Staff HexHive: Research Focus Perfect security is unachievable, software will always have bugs. Goal: Protect software in the presence of vulnerabilities, ensure integrity and confidentiality of the system at all times. Several active research projects in compiler-based and binary rewriting-based memory safety, focus on strong defenses. Adversarial research exploiting limitations of software. Contact me (with ideas) for graduate research projects. Group homepage: http://hexhive.github.io Mathias Payer (Purdue University) CS-527 Software Security 2017 4 / 28

  5. Staff Kyriakos Ispoglou (Ispo) EMail: kispoglo@purdue.edu 3rd year PhD student Long-time CTF player and hacker Will supervise and organize the labs Mathias Payer (Purdue University) CS-527 Software Security 2017 5 / 28

  6. Course overview Table of Contents Staff 1 Course overview 2 Software Security Fails 3 Course Mechanics 4 Summary and Conclusion 5 Mathias Payer (Purdue University) CS-527 Software Security 2017 6 / 28

  7. Course overview Why should you care? There are multiple levels of caring: Security impacts your day-to-day life. Security impacts everybody’s day-to-day life. Security-aware user: make safe decisions. Security-aware developer: design and build secure systems. Security researcher: identify security flaws, propose mitigations. Mathias Payer (Purdue University) CS-527 Software Security 2017 7 / 28

  8. Course overview Security Definition: Security Security is the application and enforcement of policies through mechanisms over data and resources. Policies specify what we want to enforce. Mechanisms specify how we enforce the policy (i.e., an implementation/instance of a policy). Mathias Payer (Purdue University) CS-527 Software Security 2017 8 / 28

  9. Course overview Software Security Definition: Software Security Software Security is the area of Computer Science that focuses on (i) testing, (ii) evaluating, (iii) improving, (iv) enforcing, and (v) proving the security of software. Mathias Payer (Purdue University) CS-527 Software Security 2017 9 / 28

  10. Course overview Software Security Goals Software running on current systems is exploited by attackers despite many deployed defence mechanisms and best practices for developing new software. In this course you will learn about security threats, attack vectors, and defence mechanisms on current systems. You will work with real world problems and technical challenges of security mechanisms (both in the design and implementation of programming languages, compilers, and runtime systems). Mathias Payer (Purdue University) CS-527 Software Security 2017 10 / 28

  11. Course overview Learning outcomes Understand causes of common weaknesses in software security. Identify security threats, risks, and attack vectors for software. Reason how such problems can be avoided in software. Evaluate and assess current security best practices and defense mechanisms for current software systems. Become aware of limitations of existing defense mechanisms and how to avoid them. Identify security problems in source code and binaries, assess the associated risks, and reason about severity and exploitability. Assess the security of given source code or applications. Mathias Payer (Purdue University) CS-527 Software Security 2017 11 / 28

  12. Course overview Syllabus Introduction to software security 1 Software vulnerabilities: memory (un-)safety 2 Introduction to reverse engineering 3 Dynamic defense mechanisms 4 Static protection through bug finding 5 Finding and exploiting vulnerabilities 6 Operating system security and forensics 7 Protecting data 8 Defense in practice 9 10 Web security 11 Browser security 12 Android/mobile security 13 Malware analysis Mathias Payer (Purdue University) CS-527 Software Security 2017 12 / 28

  13. Software Security Fails Table of Contents Staff 1 Course overview 2 Software Security Fails 3 Course Mechanics 4 Summary and Conclusion 5 Mathias Payer (Purdue University) CS-527 Software Security 2017 13 / 28

  14. Software Security Fails Software Engineering versus Security Software engineering is a discipline whose aims are: Dependability: producing fault-free software. Productivity: deliver on time, within budget. Usability: satisfy a client’s needs. Maintainability: extensible when needs change. Software engineering combines aspects of computer science (PL, networking, OS, databases, and many more), project management, economics, and many more. Security is of secondary concern and often limited to testing. Mathias Payer (Purdue University) CS-527 Software Security 2017 14 / 28

  15. Software Security Fails Definitions (1) Software Bug A software bug is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. Most bugs arise from mistakes and errors made by people in either a program’s source code or its design, or in frameworks and operating systems used by such programs, and a few are caused by compilers producing incorrect code. a a According to Wikipedia. Mathias Payer (Purdue University) CS-527 Software Security 2017 15 / 28

  16. Software Security Fails Definitions (2) Software Vulnerability A vulnerability is a software weakness that allows an attacker to exploit a software bug. A vulnerability requires three key components (i) system is susceptible to flaw, (ii) adversary has access to the flaw (e.g., through information flow), and (iii) adversary has capability to exploit the flaw. Mathias Payer (Purdue University) CS-527 Software Security 2017 16 / 28

  17. Software Security Fails Security Fails iCloud: leaked pictures HeartBleed: online accounts, passwords, keys Malware: $105B/year industry Stuxnet: governmentally sponsored attack against Iran’s nuclear program Mathias Payer (Purdue University) CS-527 Software Security 2017 17 / 28

  18. Software Security Fails iCloud: The Fappening More than 500 private pictures leaked on 4chan on Aug-31, 14 Obviously huge privacy invasion but what are the technical aspects of the attack? Initial assumption: hacker gained access to Apple’s servers In reality: brute-forcing of targeted passwords Apple ID has many authentication methods and huge API Access to FindMyiPhone API did not enforce limits on number of authentication attempts This API was then likely used to brute-force passwords to well-known logins Mathias Payer (Purdue University) CS-527 Software Security 2017 18 / 28

  19. Course Mechanics Table of Contents Staff 1 Course overview 2 Software Security Fails 3 Course Mechanics 4 Summary and Conclusion 5 Mathias Payer (Purdue University) CS-527 Software Security 2017 19 / 28

  20. Course Mechanics The Lab and projects Software security is an acquired skill. We will expose you to a lot of practical security tasks: A semester long capture-the-flag (CTF) game. In this Jeopardy-style CTF we will release new challenges (riddles/tasks/questions) every week following the class topics. You will use your reverse engineering and hacking skills to solve these challenges. The earlier you solve the challenge, the more points you get. To discourage from “ sharing ” solutions, the amount of points is reduced with each additional person solving the challenge. Design and implementation of a small application in C. Security evaluation of your peers’ applications. Fixing any reported security vulnerabilities. Mathias Payer (Purdue University) CS-527 Software Security 2017 20 / 28

  21. Course Mechanics Grading policy, projects, exams, and homework Lab assignments (30% of grade) Programming projects (20% of grade) Midterm (15% of grade) Final (35% of grade) Mathias Payer (Purdue University) CS-527 Software Security 2017 21 / 28

  22. Course Mechanics Submitting homework and projects Class teaches formal aspects of software security, projects and homework allow practical experience: Use a source repository to check in solutions, Organize your project according to a design document, Peer review and comment the code of other students, Work with a large code base, develop extensions. Mathias Payer (Purdue University) CS-527 Software Security 2017 22 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 13 Recap: Overflow Bugs Ingredients: fixed-size buffer on the

429 views • 13 slides
CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
Software Engineering Designing, building and maintaining large software systems CS 422

Software Engineering Designing, building and maintaining large software systems CS 422

Chapter 1 Chapter 1 An Introduction to Software Engineering Learning Objective ...to give an appreciation for and to introduce software engineering and to place it into context with the system engineering process , process models and some of the

191 views • 15 slides
Environmental Laboratory Ethics: Then and Now Dorothy Love Eurofins Environment Testing

Environmental Laboratory Ethics: Then and Now Dorothy Love Eurofins Environment Testing

9/22/2017 Analysis. Answers. Action. www.aphl.org Environmental Laboratory Ethics: Then and Now Dorothy Love Eurofins Environment Testing Larry Penfold TestAmerica Laboratories, Inc. 1 SPEAKER DISCLOSURE APHL adheres to established

749 views • 23 slides
for sustainability & green strategies Presented by Dimitrios Marinos, IRCs Working Group

for sustainability & green strategies Presented by Dimitrios Marinos, IRCs Working Group

IRCs Annual Meeting 2020 Building a shared road map for sustainability & green strategies Presented by Dimitrios Marinos, IRCs Working Group member What is SUSTAINABILITY? Is not a fashion / trend Is a change of the global environment

650 views • 24 slides
CS 5150 So(ware Engineering 23. People William Y. Arms Managing People So9ware development staff

CS 5150 So(ware Engineering 23. People William Y. Arms Managing People So9ware development staff

Cornell University Compu1ng and Informa1on Science CS 5150 So(ware Engineering 23. People William Y. Arms Managing People So9ware development staff Professional staff are the major cost of so(ware Staff vary greatly in producGvity:

618 views • 38 slides
Introduction to Machine Learning Yifeng Tao School of Computer Science Carnegie Mellon

Introduction to Machine Learning Yifeng Tao School of Computer Science Carnegie Mellon

Introduction to Machine Learning Introduction to Machine Learning Yifeng Tao School of Computer Science Carnegie Mellon University Yifeng Tao Carnegie Mellon University 1 Logistics o Course website:

789 views • 40 slides
Graph U-Nets Hongyang Gao and Shuiwang Ji Texas A&M University Graph U-Nets - Department of

Graph U-Nets Hongyang Gao and Shuiwang Ji Texas A&M University Graph U-Nets - Department of

Graph U-Nets Hongyang Gao and Shuiwang Ji Texas A&M University Graph U-Nets - Department of Computer Science & Engineering 1 IMAGE VS. GRAPH Image can be treated as a special graph with well-defined locality. There is no locality

382 views • 8 slides
CS101 Lecture 17: Networking Circuit Switching Packet Switching Aaron Stevens (azs@bu.edu) 4

CS101 Lecture 17: Networking Circuit Switching Packet Switching Aaron Stevens (azs@bu.edu) 4

3/4/13 CS101 Lecture 17: Networking Circuit Switching Packet Switching Aaron Stevens (azs@bu.edu) 4 March 2013 Computer Science What Youll Learn Today Computer Science What is a communications network? What are the implications of

357 views • 11 slides
Network Data Repository for Researchers Saleem Bhatti, Tristan Henderson, Martin Bateman School

Network Data Repository for Researchers Saleem Bhatti, Tristan Henderson, Martin Bateman School

Network Data Repository for Researchers Saleem Bhatti, Tristan Henderson, Martin Bateman School of Computer Science, University of St Andrews Computer Science St. Andrews 1 Outline of talk 1. Outline of how to get started 2. What we have

659 views • 24 slides

More recommend