
From Penetrate and Patch to Building Security In (Michael Hicks)



  1. From Penetrate and Patch to Building Security In • Michael Hicks, Professor of Computer Science and the UofM Institute for Advanced Computer Studies (UMIACS) • Distinguished Scholar-Teacher talk, September 28, 2015

  2. Security breaches • Just a few: • TJX (2007) - 94 million records* • Adobe (2013) - 150 million records, 38 million users • eBay (2014) - 145 million records • Anthem (2014) - Records of 80 million customers • Target (2013) - 110 million records • Heartland (2008) - 160 million records • *containing SSNs, credit card nums, other private info • https://www.oneid.com/7-biggest-security-breaches-of-the-past-decade-2/

  3. Defects and Vulnerabilities • Many (if not all of) these breaches begin by exploiting a vulnerability • This is a security-relevant software defect (bug) or design flaw that can be exploited to effect an undesired behavior • The use of software is growing (figure labels: 50M LOC, 2B LOC) • So: more bugs and flaws • Especially in places that are new to using software …

  4. Stuxnet specifically targets … processes such as those used to control … centrifuges for separating nuclear material. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system …, then seeking out Siemens Step7 software. http://www.nytimes.com/2010/09/26/world/middleeast/26iran.html

  5. The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

  6. Considering Correctness • All software is buggy, isn’t it? Why not a problem from way back? • A normal user never sees most bugs, or figures out how to work around them • Therefore, companies fix the most likely bugs, to save money

  7. Considering Security • Key difference: An attacker is not a normal user! • The attacker will actively attempt to find defects, using unusual interactions and features • A typical interaction with a bug results in a crash • An attacker will work to exploit the bug to do much worse, to achieve his goals

  8. Cyber-defense?

  9. Cyber-defense? • Popular technologies such as firewalls, anti-virus, and intrusion detection/prevention attempt to detect the attacks themselves. • But new attacks can be produced that avoid detection but exploit the same vulnerabilities

  10. Penetrate and Patch • 1. Find a vulnerability • 2. Develop patch • 3. Deploy patch (and detection signature) • But: Still vulnerable to undiscovered bugs … and new bugs introduced by software upgrades

  11. … and bugs in security products themselves! • Security researcher Tavis Ormandy disclosed the existence of a vulnerability which impacts on Kaspersky [security] products. • Hermansen, [another researcher,] publicly disclosed a zero-day vulnerability within cyberforensics firm FireEye's security product, complete with proof-of-concept code. • http://www.zdnet.com/article/fireeye-kaspersky-hit-with-zero-day-flaw-claims/

  12. Building Security In • The long-term solution is to prevent all exploitable bugs before deploying • Avoid the holes to start with!

  13. Analogy • How do you build a bridge that stands up despite harsh conditions? • Heavy use • Earthquakes • Extreme weather • Etc.

  14. Analogy • Study the problem. Develop the best • Methods • Materials • Tools • Then use them from Day 1!


  16. Do not • Use methods that fail to incorporate larger lessons (i.e., from past bridges built and past failures) • Use cheap materials that are unresilient • Use unreliable tools that produce inconsistent results • Assume that you can do these things and everything will be OK (you can just patch problems later)

  17. Unless you want your bridge to fail

  18. Building Security In • What about software?

  19. Building Security In • What about software? Same idea: Security from Day 1 • Consider it in your design • Use the best tools and methods • Best programming languages • Best program development environment • Best testing and verification methods

  20. Building Security In • Why not done already? • Ignorance • Unproven/insufficient technology • Concerns about cost • to change legacy programs • to (re)train staff in new process, technology, etc.

  21. Some of my work • Eliminating vulnerabilities at the outset with better languages and testing tools • Highlight: Cyclone: A safer “low level” programming language • Focusing attention on building, not breaking • Coursera on-line course on software security • Build-it, Break-it, Fix-it programming contest

  22. From bugs to exploits

  23. Software • Software consists of instructions that tell a computer what to do • A program is a set of instructions to achieve a particular task • Instructions are kept within the computer’s memory when executed by the processor • (Diagram labels: Processor (CPU); Memory (RAM), holding Data and Instructions)

  24. Computing R = X^Y • Goal: multiply X by itself a total of Y times • Program: R will contain the final result • Use a counter C to keep track of the number of multiplications • Like counting on your fingers!

  25. Computing R = X^Y • Instructions: Set R to 1 • Set C to Y • Is C ≤ 0? If so, skip to the end • Set R to X · R • Set C to C - 1 • If C > 0, repeat the above two instructions • Data: X = 3, Y = 2, C and R not yet set

  26. Computing R = X^Y • Same instructions • Data after “Set R to 1” and “Set C to Y”: X = 3, Y = 2, C = 2, R = 1

  27. Computing R = X^Y • Same instructions • Data after the first pass through the loop: X = 3, Y = 2, C = 1 (was 2), R = 3 (was 1)

  28. Computing R = X^Y • Same instructions • Data after the second pass through the loop: X = 3, Y = 2, C = 0 (was 1, 2), R = 9 (was 3, 1) • Done

  29. Computing R = X^Y • Machine instructions, each annotated with the step it implements:

      ```asm
      exp:
          movl    $1, %eax        # Set R to 1
          testl   %esi, %esi      # Set C to Y (Y is already in %esi); is C ≤ 0?
          jle     .L3             # If so, skip to the end
      .L6:
          imull   %edi, %eax      # Set R to X · R
          subl    $1, %esi        # Set C to C - 1
          jne     .L6             # If C > 0, repeat the above two instructions
      .L3:
          ret                     # return with R in %eax (not shown on the slide)
      ```

      %edi = contains base value X • %esi = contains exponent Y and counter C • %eax = contains result R

  30. Programming Languages • Many machine instructions for simple programs - hard for humans to understand and maintain! • Programming languages designed to help • Higher level - Closer to human language • First ones (e.g., FORTRAN) in the 1950s • Programs are translated (aka compiled) into machine instructions to be executed by the processor • Many languages developed in the last 60 years! • Different languages have different strengths

  31. Programming Languages

  32. Programming Languages

  33. Programming Languages

  34. What is popular today? http://spectrum.ieee.org/static/interactive-the-top-programming-languages

  35. Our program in the C language

      ```c
      int exp(int x, int y) {
        int r = 1;
        while (y > 0) {
          r = r * x;
          y = y - 1;
        }
        return r;
      }
      ```

      In Java it would look much the same, but that’s not true in general

  36. Our program in the Python language

      ```python
      def exp(x, y):
          r = 1
          while y > 0:
              r = r * x
              y = y - 1
          return r
      ```

  37. Our program in the OCaml language

      ```ocaml
      let rec exp x y =
        if y = 0 then 1 else x * exp x (y-1)
      ```

  38. Our program in the Prolog language

      ```prolog
      exp(X,0,1) :- !.
      exp(X,Y,R) :- Y1 is Y-1, exp(X,Y1,R1), R is X * R1.
      ```

  39. Software flaws and defects • Programmers make mistakes • So software often has defects (aka bugs)

      ```c
      int exp(int x, int y) {
        int r = 1;
        while (y >= 0) {   /* defect: should be "greater than", not "greater than or equal to" */
          r = r * x;
          y = y - 1;
        }
        return r;
      }
      ```

  40. Exploitable bugs • Some bugs can be exploited • An attacker can control how the program runs so that any incorrect behavior serves the attacker • Many kinds of exploits have been developed over time, with technical names like • Buffer overflow • Use after free • SQL injection • Command injection • Cross-site scripting • Cross-site request forgery • …

  41. What is a buffer overflow? • A buffer overflow is a dangerous bug that affects programs written in C and C++ • Normally, a program with this bug will simply crash • But an attacker can alter the situations that cause the program to do much worse • Steal private information • Corrupt valuable information • Run code of the attacker’s choice

  42. Buffer overflows from 10,000 ft • Buffer = • Block of memory associated with a variable • Overflow = • Put more into the buffer than it can hold • Where does the overflowing data go?

  43. Normal interaction • Instructions: 1. print “Password?” to the screen • 2. read input into variable X • 3. if X matches the password then log in • 4. else print “Failed” to the screen • Data: X = abc123 • Screen: “Password?”, then the typed input “abc123”, then “Failed”
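
Added example (not from the talk): the password check of slide 43 written in C, with an unchecked read into X beside a length-checked one, to show where input that does not fit in the buffer ends up. The struct layout, the 8-byte size of X, the sample inputs and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not from the slides): the 8-byte buffer X sits
   directly in front of the flag that records a successful login. */
struct session {
    char x[8];
    char logged_in;
};

/* Unchecked read: copies every input byte starting at X. The copy goes
   through the struct's own bytes and is clamped to the struct so this
   demo stays well defined; a real overflow is undefined behaviour. */
static void read_unchecked(struct session *s, const char *in, size_t len) {
    unsigned char *mem = (unsigned char *)s;
    if (len > sizeof *s) len = sizeof *s;
    memcpy(mem + offsetof(struct session, x), in, len);
}

/* Checked read: rejects input that does not fit in X with its NUL. */
static int read_checked(struct session *s, const char *in, size_t len) {
    if (len >= sizeof s->x) return -1;
    memcpy(s->x, in, len);
    s->x[len] = '\0';
    return 0;
}

/* Steps 2-4 of the slide for one input; returns 1 if logged in. */
int attempt(const char *in, const char *password, int checked) {
    struct session s;
    memset(&s, 0, sizeof s);
    if (checked) {
        if (read_checked(&s, in, strlen(in)) != 0) return 0;
    } else {
        read_unchecked(&s, in, strlen(in));
    }
    if (strncmp(s.x, password, sizeof s.x) == 0) s.logged_in = 1;
    return s.logged_in != 0;
}

int main(void) {
    const char *pw = "abc123", *longer = "AAAAAAAAA"; /* constructed, 9 bytes */
    printf("unchecked, abc123:  %d\n", attempt("abc123", pw, 0));
    printf("unchecked, 9 bytes: %d\n", attempt(longer, pw, 0));
    printf("checked,   9 bytes: %d\n", attempt(longer, pw, 1));
    return 0;
}
```

With the unchecked read, the ninth input byte lands in `logged_in` even though the comparison fails; the checked read rejects the same input before anything is written.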
