software and web security deel 1 deel 1
play

Software and Web Security deel 1 deel 1 sws1 About this course: - PDF document

Jul 19, 2023 •445 likes •943 views

1 Software and Web Security deel 1 deel 1 sws1 About this course: people Erik Poll P t Peter Schwabe S h b Pol van Aubel Ko Stoffelen Ko Stoffelen sws1 2 About this course: topics & goals g Standard

  1. 1 Software and Web Security deel 1 deel 1 sws1

  2. About this course: people • Erik Poll P t Peter Schwabe S h b • Pol van Aubel • • Ko Stoffelen Ko Stoffelen sws1 2

  3. About this course: topics & goals g • Standard ways in which software can be exploited – understanding how such attacks work d t di h h tt k k – understanding what makes these attacks possible – doing some attacks in practice doing some attacks in practice • Root cause analysis: why are things so easy to hack? • This involves understanding – programming languages, compilers, and operating systems, programming languages compilers and operating systems and the abstractions that they provide – the languages, representations, and interpretations involved – the potential for trouble – in the form of software vulnerabilities - that all this introduces sws1 3

  4. Software and Web Security - part 1 & 2 y • part 1 – security problems in machine code, it bl i hi d compiled from C(++) sources (as usual), running on standard CPU and operating system running on standard CPU and operating system • part 2 – security problems in software for the web, using web browsers and web applications using web browsers and web applications, and typically some back-end database. sws1 4

  5. Prerequisites • Imperatief Programmeren – we won’t use C++, but C – biggest change: using printf instead of >> ? gg g g p • Processoren – what is the functionality that a typical CPU offers, on which we what is the functionality that a typical CPU offers on which we have to run our software written in higher-level languages? sws1 5

  6. Lectures & lab sessions • 8 lectures and 6 lab sessions • Lab sessions Tuesdays 8:45-10:30 in terminal room HG00.075 • Course material will be on http://www.cs.ru.nl/~erikpoll/sws1 sws1 6

  7. Lab exercises Weekly lab session with weekly programming/hacking exercise • • Exercises to be done in pairs Exercises to be done in pairs • Doing the exercises is obligatory to take part in the exam; • Exercises will be lightly graded to provide feedback, with nsi-regeling : you can have only one exercise niet-serieus-ingeleverd • But beware: exercises of one week will build on knowledge & skills from the previous week • Also: turning up for the lab sesions might be crucial to sort out Also: turning up for the lab sesions might be crucial to sort out practical problems (with C, gcc, Linux, ...) Eg coming Tuesday at 8:45: a demo of the Linux command line, university servers, ... sws1 7

  8. Lab exercises We use • C C as programming language, not C++ i l t C++ • Linux from the command line aka shell • the compiler gcc the compiler gcc So no fancy graphical user interfaces (GUIs) for the operating system (OS) or the compiler Why? • GUIs are nice but hide what OS and compiler are doing GUIs are nice, but hide what OS and compiler are doing • the command line is clumsy at first, – using commands instead of pointing & clicking using commands instead of pointing & clicking but gives great power – we can write shell scripts: programs that interact with the OS sws1 8

  9. Caveat: you are our guinea pigs y g g • This course is new - to you, to us & the world... Most universities won’t teach this material in the first year M t i iti ’t t h thi t i l i th fi t • There are lots of things involved: understanding compilers and operating systems, C, pointers, memory management, Linux, the command line Makefiles scripting command line, Makefiles, scripting, ... • So please ask if things are not clear! sws1 9

  10. 10 Intro sws1

  11. Fairy tales: a problem... y Many discussions of security begin with Alice and Bob Eve Alice Bob Problem: how can Alice communicate securely with Bob, when Eve can modify or eavesdrop on the communication? sws1 11

  12. This is an i interesting problem, i bl but it is not the but it is not the biggest problem sws1 12

  13. Fairy tales... a bit more realistic y How can Alice’s computer communicate securely with Bob’s computer when Eve can modify or eavesdrop on the communication? But... even if Alice can trust Bob, can she trust his computer? sws1 13

  14. Reality & the bigger problem y Alice’s computer is communicating with some other computer on the internet on the internet Alice’s possibly malicious input computer computer how can we prevent Alice’s computer from being hacked , when it communicates with some other computer? p NB solving the first problem - securing the communication - does not help here! sws1 14

  15. Why is this a problem? Why can’t we solve it? y y • Why can PCs, laptops, tablets, smartphones, web-sites, servers, routers printers smartcards cars ATMs routers, printers, smartcards, cars, ATMs .... be hacked? be hacked? – Easily & frequently Because there is software inside! • Software is the most complex artifact mankind has ever created • The good news: software is incredibly powerful & flexible, and shaping the world • • The bad news: The bad news: we are not (yet?) capable of producing software without bugs • By sending malicious input to software, attackers can try to exploit such bugs sws1 15

  16. From simple attacks to malware • You can exploit vulnerabilities in software – to simply crash a program t i l h – to reveal or corrupt some data on that computer – to interfere with services offer by that computer to interfere with services offer by that computer • To do more interesting damage, you want to get some software running on your victim’s computer . malware = software with some malicious intent malware = software with some malicious intent NB here the power & flexibility of software is used against us.. sws1 16

  17. 17 A brief history of malware sws1

  18. pre-history of hacking y g In 1950s, Joe Engressia showed the telephone network could be hacked by phone phreaking: ld b h k d b h h ki ie. whistling at right frequencies http://www.youtube.com/watch?v=vVZm7I1CTBs p y In 1970s, before founding Apple together with Steve Jobs, Steve Wozniak sold Blue Boxes for phone phreaking at university St W i k ld Bl B f h h ki t i it sws1 18

  19. (Aside: a modern variant is hacking phones via SMS) Using an USRP (Universal Software Radio Peripheral) we can send malicious SMS messages via GSM to attack your phone sws1 19

  20. history of malware y • 1982: First computer virus spread via floppy disks Hi h Highschool student Rick Scrent wrote the Elk Cloner, h l t d t Ri k S t t th Elk Cl a computer virus for Apple II that spread via floppy disk • 1988. First internet worm, the Morris worm, University student Robert Morris wrote a program that could replicate itself over the internet Unintentionally it crashed 10% of the internet over the internet. Unintentionally, it crashed 10% of the internet. This led to the first conviction under the 1986 US Computer Fraud and Abuse Act. • late 1990/early 2000s: many more viruses and worms – Email viruses: I Love You Kournikova Email viruses: I Love You, Kournikova, ... – Worms: Slammer, Nimda, .. Later viruses also spread via XSS on social networking websites sws1 20

  21. Slammer Worm (Jan 2003) ( ) Pictures taken from The Spread of the Sapphire/Slammer Worm , by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Ni h l Nicholas Weaver W 21

  22. Slammer Worm (Jan 2003) ( ) Pictures taken from The Spread of the Sapphire/Slammer Worm , by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Ni h l Nicholas Weaver W 22

  23. malware: worms, viruses,Trojans j The only goal of early malware was to spread (and crash things). • worm – piece of software that can spreads automonously i f f h d l • virus – require some user interaction to spread eg clicking an email attachment eg clicking an email attachment • Trojan – apparently benign program with hidden malicious functionality so the victim will willingly install it Modern malware is much more versatile, so the distinction between viruses and worms is no longer so interesting – or indeed clear. i d i l i t ti i d d l Eg is spreading an XSS worm just by looking at a webpage user interaction? Some modern malware is not meant to spread, eg. targetted attacks on one person, by a PDF attachment sent by email or via linkedin sws1 23

  24. history of malware: turning professional y g After hacking for “fun” (if massive DoS attacks can be consider “fun”) hackers went underground and turned professional h k t d d d t d f i l Malware evolved to do more interesting - and profitable – things Malware evolved to do more interesting and profitable things besides crashing things, eg. • stealing user data (usernames & passwords, credit card no’s, ...) • sending spam, eg for phishing • interfering with internet transactions (eg internet banking) • • infecting other computers infecting other computers • new business models for making money: adware, scareware, or ransomware • creating botnets, large collections of infected computers (bots), that can then be used for all of the above sws1 24

  25. 25 example scareware sws1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Wayne County 4-H Achievement Record Workshop Presented by Doug Foxx Adapted from Erin Deel

Wayne County 4-H Achievement Record Workshop Presented by Doug Foxx Adapted from Erin Deel

Wayne County 4-H Achievement Record Workshop Presented by Doug Foxx Adapted from Erin Deel Dailey, Lisa McCutcheon, Allen Auck, and Ann Mumaws Presentation on Creating Effective Achievement Records Overview Welcome / Introduction

392 views • 21 slides
Raadslede, wykskomitee-lede en ander rolspelers interaksie. Saterdag 21 November 2015

Raadslede, wykskomitee-lede en ander rolspelers interaksie. Saterdag 21 November 2015

Raadslede, wykskomitee-lede en ander rolspelers interaksie. Saterdag 21 November 2015 Klinte-tevredenheidsopname Deel 1 Aantal responses ontvang Dorp Totaal 2011 Bevolking % Abbotsdale 21 3762 0.56% Chatsworth 27 2326 1.16%

1.26k views • 98 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 24 Example 1: the Morris worm (1988) first

695 views • 24 slides
Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background

Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background

Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background singers: Jay and Fabian 1 Agenda Questions and Critique of Timezones paper Extensions Network Monitoring (recap) Post-Mortem Analysis

666 views • 40 slides
Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative

Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative

Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative thinking Encourage thinking beyond the incremental Some important problems require multiple approaches over long periods of time Big

677 views • 52 slides
Machine-Level Programming V: Advanced Topics 15-213:

Machine-Level Programming V: Advanced Topics 15-213:

Carnegie Mellon Machine-Level Programming V: Advanced Topics 15-213: Introduc0on to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy Bryant &

738 views • 53 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

775 views • 43 slides
Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage

Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage

CSE 127: Computer Security Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage When is a program secure? When it does exactly what it should? Not more Not less But how do we know what

1.42k views • 119 slides
WEIRDS Status Update Murray Kucherawy <superuser@gmail.com> The

WEIRDS Status Update Murray Kucherawy <superuser@gmail.com> The

WEIRDS Status Update Murray Kucherawy <superuser@gmail.com> The Story So Far WHOIS is a rudimentary protocol that originated in the early days of

268 views • 5 slides
Hyperconverged Infrastructure Internet as a global system Seamless integration of compute,

Hyperconverged Infrastructure Internet as a global system Seamless integration of compute,

Hyperconverged Infrastructure Internet as a global system Seamless integration of compute, network and storage Performance vs. Layering New technologies New Applications CSci8211: Introduction 1 Subjects

682 views • 50 slides

More recommend