cs527 software security
play

CS527 Software Security Secure Software Lifecycle Mathias Payer - PowerPoint PPT Presentation

Dec 19, 2023 •484 likes •725 views

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

  1. CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security

  2. Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor intensive Software life-time can outlive hardware Mathias Payer CS527 Software Security

  3. Example: Ubuntu security evolution Figure 1: Mathias Payer CS527 Software Security

  4. Example: Ubuntu security evolution Configuration Subsystems Mandatory Access Control (MAC) Filesystem encryption Trusted Platform Module Userspace Hardening: Kernel Hardening See https://wiki.ubuntu.com/Security/Features Mathias Payer CS527 Software Security

  5. Example: Ubuntu security evolution Configuration: No Open Ports; Password hashing; SYN cookies; Automatic security updates; Kernel Livepatches Mathias Payer CS527 Software Security

  6. Example: Ubuntu security evolution Subsystems: Filesystem Capabilities; Configurable Firewall; Cloud PRNG seed; PR_SET_SECCOMP Mathias Payer CS527 Software Security

  7. Example: Ubuntu security evolution Mandatory Access Control (MAC): AppArmor; SELinux; SMACK Mathias Payer CS527 Software Security

  8. Example: Ubuntu security evolution Filesystem encryption: Encrypted LVM; eCryptfs Mathias Payer CS527 Software Security

  9. Example: Ubuntu security evolution Trusted Platform Module Mathias Payer CS527 Software Security

  10. Example: Ubuntu security evolution Userspace Hardening (1/2): Stack Protector; Heap Protector; Pointer Obfuscation; Address Space Layout Randomisation (ASLR): Stack ASLR; Libs/mmap ASLR; Exec ASLR; brk ASLR; VDSO ASLR Mathias Payer CS527 Software Security

  11. Example: Ubuntu security evolution Userspace Hardening (2/2): Built as PIE; Built with Fortify Source; Built with RELRO; Built with BIND_NOW; Non-Executable Memory; /proc/$pid/maps protection; Symlink restrictions; Hardlink restrictions; ptrace scope Mathias Payer CS527 Software Security

  12. Example: Ubuntu security evolution Kernel Hardening (1/2): 0-address protection; /dev/mem protection; /dev/kmem disabled; Block module loading; Read-only data sections; Stack protector; Module RO/NX; Kernel Address Display Restriction; Kernel Address Space Layout Randomisation Mathias Payer CS527 Software Security

  13. Example: Ubuntu security evolution Kernel Hardening (2/2): Blacklist Rare Protocols; Syscall Filtering; dmesg restrictions; Block kexec; UEFI Secure Boot (amd64) Mathias Payer CS527 Software Security

  14. Secure SE versus SE What is the difference between software engineering and secure software engineering? If we have secure SE, why not also {reliable | robust | resilient | reproducible | trusted | verifiable | . . . } SE? Mathias Payer CS527 Software Security

  15. Secure SE versus SE Software engineering (SE) is concerned with developing and maintaining software systems that behave reliably and efficiently, are affordable to develop and maintain, and satisfy all the requirements that customers have defined for them. It is important because of the impact of large, expensive software systems and the role of software in safety-critical applications. It integrates significant mathematics, computer science and practices whose origins are in engineering. See http://computingcareers.acm.org/?page_id=12 Mathias Payer CS527 Software Security

  16. Why do we need secure SE? Prevent loss/corruption of data Prevent unauthorized access to data Prevent unauthorized computation Prevent escalation of privileges Prevent downtime of resources Note, this is not a SE class. We will not focus on waterfall, incremental, extreme, spiral, agile, or continuous integration/continuous delivery. Examples follow the traditional SE approach, leaving it up to you to generalize to your favorite SE approach. Mathias Payer CS527 Software Security

  17. Secure SE lifecycle Requirements/Specification Design Implementation Testing Updates and patching Mathias Payer CS527 Software Security

  18. Requirements/Specification Regular SE requirement specification plus Security specification Asset identification Assess environment Use cases and abuse cases Mathias Payer CS527 Software Security

  19. Design Regular SE design plus Threat modeling Security design Execution environment and actors Design review Design documentation (prose) Mathias Payer CS527 Software Security

  20. Implementation Regular SE implementation plus Source code repository/version control Coding standards (assertions, documentation) Source code review process Mathias Payer CS527 Software Security

  21. Testing Regular SE testing plus Security test plans Automatic testing Fuzzing Symbolic exceution Formal verification Red team testing Continuous integration testing (Jenkins, Travis, etc) Mathias Payer CS527 Software Security

  22. Updates and patching Dedicated security response team Continuous process: new features, security issues Regression testing Secure update deployment Mathias Payer CS527 Software Security

  23. Summary Software lives and evolves Security must be first class citizen Secure Requirements/specification Security-aware Design (Threats?) Secure Implementation (Reviews?) Testing (Read team, fuzzing, unit) Updates and patching Example: Ubuntu security features Mathias Payer CS527 Software Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security About me Instructor: Mathias Payer Research area: system/software security Memory/type safety Mitigating control-flow

460 views • 25 slides
CS527 Software Security Advanced Mitigations Mathias Payer Purdue University, Spring 2018

CS527 Software Security Advanced Mitigations Mathias Payer Purdue University, Spring 2018

CS527 Software Security Advanced Mitigations Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Model for Control-Flow Hijack Attacks Figure 1: Mathias Payer CS527 Software Security Advanced mitigations

504 views • 26 slides
CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software Security Allow inteded use of software, prevent unintended use that may cause harm. Mathias Payer CS527

470 views • 25 slides
CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018

CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018

CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Basics: encodings Code is data is code is data Learn to read hex numbers: 0x38 == 0011'1000 Python:

710 views • 49 slides
CS527 Software Security Mobile Security Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Mobile Security Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Mobile Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Android statistics 1.4 billion users (1) Android generates $31 billion revenue (2) 4,000+ different devices (1)

157 views • 11 slides
CS527 Software Security Attack Vectors Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Attack Vectors Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Attack Vectors Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Exploitation: Disclaimer This section focuses software exploitation We will discuss both basic and advanced

860 views • 49 slides
CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between observed

391 views • 38 slides
deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
Ubuntu Cloud Deploying Clouds with Ubuntu Nick Barcet <nick.barcet@canonical.com> Cloud

Ubuntu Cloud Deploying Clouds with Ubuntu Nick Barcet <nick.barcet@canonical.com> Cloud

Ubuntu Cloud Deploying Clouds with Ubuntu Nick Barcet <nick.barcet@canonical.com> Cloud Solutions Lead Canonical Who we are Commercial sponsor of the Ubuntu project 400+ employees, 30 countries 5 offices worldwide London,

540 views • 38 slides
rss rs r

rss rs r

tt st Prt rss rs r rr rst rr rs

243 views • 21 slides
Distributing T EX and Friends Norbert Preining Jaist T EX Live Team Debian T EX Team Tug

Distributing T EX and Friends Norbert Preining Jaist T EX Live Team Debian T EX Team Tug

Distributing T EX and Friends Norbert Preining Jaist T EX Live Team Debian T EX Team Tug 2013, Tokyo, October 2013 Overview EX Live 2 introduction to T important configuration files infrastructure and package hierarchy

649 views • 52 slides
Lessons Learned Containerizing GlusterFS and Ceph with Docker and Kubernetes Huamin Chen

Lessons Learned Containerizing GlusterFS and Ceph with Docker and Kubernetes Huamin Chen

Lessons Learned Containerizing GlusterFS and Ceph with Docker and Kubernetes Huamin Chen @root_fs github: rootfs Emerging Technologies Red Hat Outline Background Containerizing Ceph and Gluster Working with Docker

505 views • 18 slides
Part 2: Emotional intelligence Bobby Brady-Sharp / OFA Training Projects Manager We will begin

Part 2: Emotional intelligence Bobby Brady-Sharp / OFA Training Projects Manager We will begin

SPRING 2018 OFA FELLOWS LEADERS Part 2: Emotional intelligence Bobby Brady-Sharp / OFA Training Projects Manager We will begin the training at 8 p.m. ET / 7 p.m. CT SPRING 2018 Fellows Leaders Guided worksheet Week 2

651 views • 53 slides
Title page of the first volume of the Encyclopdie , published in 1751. 1 This image is in the

Title page of the first volume of the Encyclopdie , published in 1751. 1 This image is in the

Title page of the first volume of the Encyclopdie , published in 1751. 1 This image is in the public domain . Map of the System of Human Knowledge (Volume 1, 1751) 2 This image is in the public domain . Encyclopdie , Frontispiece,

230 views • 10 slides
Introduction to Morita Therapy 2011-5-09/5-11 1-day workshop In Holstebro and Vejle (HOLD FAST)

Introduction to Morita Therapy 2011-5-09/5-11 1-day workshop In Holstebro and Vejle (HOLD FAST)

Introduction to Morita Therapy 2011-5-09/5-11 1-day workshop In Holstebro and Vejle (HOLD FAST) Denmark F. Ishu Ishiyama, Ph.D. University of British Columbia (c) Ishu Ishiyama, 2011-5-04 1 Shoma (Masatake) Morita (1874-1938) (c) Ishu

683 views • 40 slides
GDACS GDACS w w w .gdacs.org Field Coordination Support Section ( FCSS) OCHA ( I NSARAG

GDACS GDACS w w w .gdacs.org Field Coordination Support Section ( FCSS) OCHA ( I NSARAG

Global Disaster Alert Global Disaster Alert and Coordination System and Coordination System GDACS GDACS w w w .gdacs.org Field Coordination Support Section ( FCSS) OCHA ( I NSARAG Secretariat) Purpose of GDACS Purpose of GDACS

371 views • 14 slides

More recommend