secure coding practices nicholas weaver
play

"Secure" Coding Practices Nicholas Weaver based on David - PowerPoint PPT Presentation

Nov 11, 2022 •118 likes •732 views

Computer Science 161 Fall 2016 Nicholas Weaver "Secure" Coding Practices Nicholas Weaver based on David Wagners slides from Sp 2016 1 Administrivia Computer Science 161 Fall 2016 Nicholas Weaver 2 Computer Science 161 Fall

  1. Computer Science 161 Fall 2016 Nicholas Weaver "Secure" Coding Practices Nicholas Weaver based on David Wagner’s slides from Sp 2016 1

  2. Administrivia Computer Science 161 Fall 2016 Nicholas Weaver 2

  3. Computer Science 161 Fall 2016 Nicholas Weaver 3

  4. This is a Remarkably Typical C 
 Problem Computer Science 161 Fall 2016 Nicholas Weaver if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL; • Someone attempted to add this checking code into the Linux kernel back in 2003 • It goes caught only because they didn't have proper write permission so it was flagged as anomalous • If you use the proper compiler flags, it should gripe when you do this 4

  5. Why does software have vulnerabilities? Computer Science 161 Fall 2016 Nicholas Weaver • Programmers are humans. 
 And humans make mistakes. • Use tools 
 • Programmers often aren’t security-aware. • Learn about common types of security flaws. 
 • Programming languages aren’t designed well for security. • Use better languages (Java, Python, …). 5

  6. Testing for Software Security Issues Computer Science 161 Fall 2016 Nicholas Weaver • What makes testing a program for security problems di ffi cult? • We need to test for the absence of something Security is a negative property! • • “nothing bad happens, even in really unusual circumstances” • Normal inputs rarely stress security-vulnerable code • How can we test more thoroughly? • Random inputs (fuzz testing) • Mutation • Spec-driven • How do we tell when we’ve found a problem? • Crash or other deviant behavior • How do we tell that we’ve tested enough? • Hard: but code-coverage tools can help 6

  7. Testing for Software Security Issues Computer Science 161 Fall 2016 Nicholas Weaver • What makes testing a program for security problems di ffi cult? • We need to test for the absence of something Security is a negative property! • • “nothing bad happens, even in really unusual circumstances” • Normal inputs rarely stress security-vulnerable code • How can we test more thoroughly? • Random inputs (fuzz testing) • Mutation • Spec-driven • How do we tell when we’ve found a problem? • Crash or other deviant behavior • How do we tell that we’ve tested enough? • Hard: but code-coverage tools can help 7

  8. Test For Failures... 
 Not Just Successes Computer Science 161 Fall 2016 Nicholas Weaver • Think about how your program might fail, not just succeed • Because the bad guys are going to look there • "Edge cases" are where your problems likely lie • Either barely erroneous or barely correct • E.g. if your function accepts strings up to length n • Be sure to test lengths 0, 1, n-1, n, n+1, 2n-1, 2n, and 2n+1 • A good guide by @eevee: • https://eev.ee/blog/2016/08/22/testing-for-people-who-hate-testing/ 8

  9. This Applies to 
 Both Sides... Computer Science 161 Fall 2016 Nicholas Weaver • When making your program robust, think like an attacker would • "Hmm, what if I spew random junk?" • "Hmm, what if I go for obvious corner cases?" • When attacking software, think like a dumb programmer? • "Hmm, what mistakes have I made in the past? Lets try those!" 9

  10. Try to Eliminate entire classes of problems Computer Science 161 Fall 2016 Nicholas Weaver • Stack Overflows: • Turn on compiler protections • Memory corruption attacks more generally • Use a safe language • Or barring that, turn on ALL defenses: W^X/DEP + 64b ASLR + put a timeout on crash recovery • • SQL Injection • Only use parameterized SQL libraries 10

  11. Working Towards Secure Systems Computer Science 161 Fall 2016 Nicholas Weaver • Along with securing individual components, we need to keep them up to date … • What’s hard about patching? • Can require restarting production systems • Can break crucial functionality • Vendor regression tests should prevent this but don't always! • Management burden: • It never stops (the “ patch treadmill ”) • User burden: • "Flaw in Flash, you need to manually update it..." • But absolutely essential: 0-days are pricey, N-days are free 11

  13. Working Towards Secure Systems Computer Science 161 Fall 2016 Nicholas Weaver • Along with securing individual components, need to keep them up to date … • What’s hard about patching? • Can require restarting production systems • Can break crucial functionality • Management burden: • It never stops (the “patch treadmill”) … • … and can be di ffi cult to track just what’s needed where • Other (complementary) approaches? • Vulnerability scanning: probe your systems/networks for known flaws • Penetration testing (“pen-testing”): pay someone to break into your systems … • … provided they take excellent notes about how they did it! 13

  15. Reasoning About Safety Computer Science 161 Fall 2016 Nicholas Weaver • How can we have confidence that our code executes in a safe (and correct, ideally) fashion? • Approach: build up confidence on a function-by-function / module-by-module basis • Modularity provides boundaries for our reasoning: • Preconditions : what must hold for function to operate correctly • Postconditions : what holds after function completes • These basically describe a contract for using the module • Notions also apply to individual statements (what must hold for correctness; what holds after execution) • Stmt #1’s postcondition should logically imply Stmt #2’s precondition • Invariants: conditions that always hold at a given point in a function 15

  16. Computer Science 161 Fall 2016 Nicholas Weaver int deref(int *p) { return *p; } Precondition ? 16

  17. Computer Science 161 Fall 2016 Nicholas Weaver /* requires: p != NULL (and p a valid pointer) */ int deref(int *p) { return *p; } Precondition : what needs to hold for function to operate correctly 17

  18. Computer Science 161 Fall 2016 Nicholas Weaver void *mymalloc(size_t n) { void *p = malloc(n); if (!p) { perror("malloc"); exit(1); } return p; } Postcondition ? 18

  19. Computer Science 161 Fall 2016 Nicholas Weaver /* ensures: retval != NULL (and a valid pointer) */ void *mymalloc(size_t n) { void *p = malloc(n); if (!p) { perror("malloc"); exit(1); } return p; } Postcondition : what the function promises will hold upon its return 19

  20. Computer Science 161 Fall 2016 Nicholas Weaver int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; } Precondition ? 20

  21. Computer Science 161 Fall 2016 Nicholas Weaver int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; } General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function 21

  22. Computer Science 161 Fall 2016 Nicholas Weaver int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; } General correctness proof strategy for memory safety: (1) Identify each point of memory access? (2) Write down precondition it requires (3) Propagate requirement up to beginning of function 22

  23. Computer Science 161 Fall 2016 Nicholas Weaver int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; } General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function 23

  24. Computer Science 161 Fall 2016 Nicholas Weaver int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* ?? */ total += a[i]; return total; } General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires? (3) Propagate requirement up to beginning of function 24

  25. Computer Science 161 Fall 2016 Nicholas Weaver int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: a != NULL && 
 0 <= i && i < size(a) */ total += a[i]; return total; } General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function 25

  26. Computer Science 161 Fall 2016 Nicholas Weaver int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: a != NULL && 
 0 <= i && i < size(a) */ total += a[i]; return total; } General correctness proof strategy for memory safety: (1) Identify each point of memory access (2) Write down precondition it requires (3) Propagate requirement up to beginning of function? 26

  27. Computer Science 161 Fall 2016 Nicholas Weaver int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: a != NULL && 
 0 <= i && i < size(a) */ total += a[i]; return total; } Let’s simplify, given that a never changes. (It gets much worse when we have multiple threads) 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff &amp; Kenneth R. Van Wyk

753 views • 17 slides
ICSI Updates: Netalyzr Nicholas Weaver International Computer Science Institute 1

ICSI Updates: Netalyzr Nicholas Weaver International Computer Science Institute 1

Netalyzr Weaver ICSI Updates: Netalyzr Nicholas Weaver International Computer Science Institute 1 Acknowledgements Where do I donate -User Feedback Netalyzr Weaver Joint Work with Christian Kreibich (ICSI), Martin Dam (Aalborg

417 views • 10 slides
The Golden Age of Bulk Surveillance Nicholas C Weaver About Me... The Golden Age of Internet

The Golden Age of Bulk Surveillance Nicholas C Weaver About Me... The Golden Age of Internet

The Golden Age of Bulk Surveillance Nicholas C Weaver About Me... The Golden Age of Internet Surveillance Nicholas Weaver LITE TOP SECRET//SI//REL TO USA, FVEY 2 Not NOBUS (Nobody But Us) The Golden Age of Internet Surveillance Nicholas

369 views • 34 slides
(and How To Break It) Nicholas C Weaver 1 Tor: The Onion Router Anonymous Websurfing CS 161

(and How To Break It) Nicholas C Weaver 1 Tor: The Onion Router Anonymous Websurfing CS 161

CS161 Computer Security Weaver and Popa (and How To Break It) Nicholas C Weaver 1 Tor: The Onion Router Anonymous Websurfing CS 161 Computer Security Weaver and Popa Tor actually encompasses many di ff erent components The Tor

599 views • 46 slides
Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Computer Science 161 Fall 2016 Nicholas Weaver Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp 2016 1 Administrivia Computer Science 161 Fall 2016 Nicholas Weaver You really really really

944 views • 50 slides
Secure Coding Practices for Middleware Barton P. Miller Elisa Heymann James A. Kupsch Computer

Secure Coding Practices for Middleware Barton P. Miller Elisa Heymann James A. Kupsch Computer

Secure Coding Practices for Middleware Barton P. Miller Elisa Heymann James A. Kupsch Computer Architecture and Computer Sciences Department Operating Systems Department University of Wisconsin Universitat Autnoma de Barcelona

1.14k views • 110 slides
Netalyzr for Android: Challenges and opportunities Narseo Vallina-Rodriguez Nicholas Weaver

Netalyzr for Android: Challenges and opportunities Narseo Vallina-Rodriguez Nicholas Weaver

Netalyzr for Android: Challenges and opportunities Narseo Vallina-Rodriguez Nicholas Weaver Christian Kreibich Vern Paxson ICSI-UC Berkeley AIMS CAIDA, San Diego 03/26/2014 The problem: People care about their

562 views • 14 slides
Sho Show Me the Money w Me the Money Characterizing Spam-advertised Revenue Nicholas Weaver

Sho Show Me the Money w Me the Money Characterizing Spam-advertised Revenue Nicholas Weaver

Sho Show Me the Money w Me the Money Characterizing Spam-advertised Revenue Nicholas Weaver Damon McCoy Chris Kanich Tristan Halvorson Christian Kreibich Kirill Levchenko Vern Paxson Geoffrey M. Voelker Stefan Savage UC San Diego

1.07k views • 22 slides
and Interaction-based Third-party Cookie Policy Istemi Ekin Akkus 1 , Nicholas Weaver 2 1 Max

and Interaction-based Third-party Cookie Policy Istemi Ekin Akkus 1 , Nicholas Weaver 2 1 Max

The Case for a General and Interaction-based Third-party Cookie Policy Istemi Ekin Akkus 1 , Nicholas Weaver 2 1 Max Planck Institute for Software Systems (MPI-SWS) 2 ICSI &amp; UC Berkeley Sample Web Page Content Optimized with Ad web

855 views • 28 slides
CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and

CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and

CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and Todd Austin Presented by Dan Amelang Background Rise of the Internet created demand for fast and efficient cryptographic processing

309 views • 14 slides
Securing Web Content Joakim Koskela, Nicholas Weaver, Andrei Gurtov and Mark Allman ReArch'09

Securing Web Content Joakim Koskela, Nicholas Weaver, Andrei Gurtov and Mark Allman ReArch'09

Securing Web Content Joakim Koskela, Nicholas Weaver, Andrei Gurtov and Mark Allman ReArch'09 Rome, December 1 s t 2009 2009-12-01 2009-12-01 How do we protect the user without dwarfing the web experience? Nature of the web has changed

464 views • 30 slides
Edge Caches and Localization Nicholas Weaver International Computer Science Institute

Edge Caches and Localization Nicholas Weaver International Computer Science Institute

Edge Caches and Localization Nicholas Weaver International Computer Science Institute (Apologies for my absence) Bulk data P2P shifts costs By default, bulk-data P2P shifts the deliver costs from the content provider to the retail ISPs

302 views • 6 slides
Defensive Coding Techniques (Pt. 1) Engineering Secure Software Last Revised: September 21, 2020

Defensive Coding Techniques (Pt. 1) Engineering Secure Software Last Revised: September 21, 2020

Defensive Coding Techniques (Pt. 1) Engineering Secure Software Last Revised: September 21, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Defensive Coding vs. Risk Analysis Risk Analysis All about domain, assets,

561 views • 24 slides
Defensive Coding Techniques (Pt. 2) Engineering Secure Software Last Revised: September 25, 2020

Defensive Coding Techniques (Pt. 2) Engineering Secure Software Last Revised: September 25, 2020

Defensive Coding Techniques (Pt. 2) Engineering Secure Software Last Revised: September 25, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Last Time... Always code defensively Validating input Principles

476 views • 19 slides
Linux Qualification - Coding Style / Type issues in IEC 61508 Nicholas Mc Guire &lt;

Linux Qualification - Coding Style / Type issues in IEC 61508 Nicholas Mc Guire &lt;

Linux Qualification - Coding Style / Type issues in IEC 61508 Nicholas Mc Guire &lt; safety@osadl.org &gt; December 1, 2016 Outline Linux Qualification - Coding Style / Type issues in IEC 61508 Nicholas Mc Guire &lt; safety@osadl.o

746 views • 19 slides
LECTURE 22: SECURE CODING BASICS CSE 442 Software Engineering Lessons Already Learned

LECTURE 22: SECURE CODING BASICS CSE 442 Software Engineering Lessons Already Learned

LECTURE 22: SECURE CODING BASICS CSE 442 Software Engineering Lessons Already Learned Hackers take advantage of any opening provided But most also lazy (talk to struggling 115/116 student) Any easy success in breaking code encourages

835 views • 58 slides
Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with

Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with

print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with Mahmood Ali and Matthew Papi Motivation java.lang.NullPointerException

561 views • 30 slides
Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr.,

Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr.,

void print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr., Jeff Perkins, Michael Ernst MIT Problem 1: Javas type checking Type

801 views • 37 slides
CSE 447 Natural Language Processing Winter 2018 Introduction Yejin Choi Slides adapted from

CSE 447 Natural Language Processing Winter 2018 Introduction Yejin Choi Slides adapted from

CSE 447 Natural Language Processing Winter 2018 Introduction Yejin Choi Slides adapted from Dan Klein, Luke Zettlemoyer What is NLP? Fundamental goal: deep understand of broad language Not just string processing or keyword matching

828 views • 47 slides
Distributed Systems Protection &amp; Security Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Protection &amp; Security Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Protection &amp; Security Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. You need to get into a vault Try

1.35k views • 79 slides
1 After the first cesarean After the first cesarean Risks for abnormal placentation

1 After the first cesarean After the first cesarean Risks for abnormal placentation

Disclosures No financial disclosures LEADING THE QUEST FOR HEALTH No off-label use of medications Nulliparous Term Singleton Vertex (NTSV): Is Healthy People 2020 Goal Possible? Kimberly D. Gregory MD, MPH Vice Chair Womens

339 views • 22 slides
Case Example 1: Profitability of using sexed semen: A s tatic and deterministic simulation

Case Example 1: Profitability of using sexed semen: A s tatic and deterministic simulation

Case Example 1: Profitability of using sexed semen: A s tatic and deterministic simulation Different kinds of simulation Friday: Simherd: This morning: SimFlock This afternoon: Sexed semen model Sexed Semen Economics Budgetting:

373 views • 25 slides
Going off the grid Benjamin Recht University of California, Berkeley Joint work with Badri

Going off the grid Benjamin Recht University of California, Berkeley Joint work with Badri

Going off the grid Benjamin Recht University of California, Berkeley Joint work with Badri Bhaskar Parikshit Shah Gonnguo Tang imaging astronomy seismology spectroscopy k X c j e i 2 f j t x ( t ) = DOA Estimation j =1 Sampling GPS

955 views • 40 slides
Compiler-based Extraction of Event Arrival Functions for Real-Time Systems Analysis Dominic

Compiler-based Extraction of Event Arrival Functions for Real-Time Systems Analysis Dominic

Compiler-based Extraction of Event Arrival Functions for Real-Time Systems Analysis Dominic Oehlert Selma Saidi Heiko Falk Institute of Embedded Systems Hamburg University of Technology firstname.surname@tuhh.de 30th Euromicro Conference on

963 views • 77 slides

More recommend