software and web security deel 2 deel 2
play

Software and Web Security deel 2 deel 2 sws1 Software and Web - PDF document

Dec 16, 2023 •22 likes •672 views

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

  1. 1 Software and Web Security deel 2 deel 2 sws1

  2. Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k • part 1 part 1 security problems in machine code, compiled from C(++) usually, running on standard CPUs • part 2 part 2 security problems on the web/in software for the web, incl. in web browsers (at client side) and in web browsers (at client side) and in web applications and web application servers (at server side) and the interaction between them sws1 2

  3. Prerequisites • Security – esp. notions of confidentiality, integrity, and availability (CIA) esp notions of confidentiality integrity and availability (CIA) and authentication • D t b Databases and Security d S it – esp. SQL, since database in a web-application is an important target for attacker • (Software and Web Security 1) – useful to note the recurring patterns and trends in weaknesses and useful to note the recurring patterns and trends in weaknesses and attacks – knowledge of C(++) and associated memory weaknesses is NOT required q – read through the slides of first lecture of this course, if you did not take this course sws1 3

  4. Course materials Book: Introduction to Computer Security by Michael Goodrich and Roberto Tamassia b Mi h l G d i h d R b t T i (Pearson new international edition 2013/2014) Chapters 1, 5.1, 7 p , , Additional info & course material on http://www.cs.ru.nl/~erikpoll/sws2 sws1 4

  5. Lab exercises using OWASP WebGoat g Weekly lab session with web hacking exercises using WebGoat • T Tuesdays 8:45-10:30 in terminal room HG00.075 d 8 45 10 30 i t i l HG00 075 Ko Stoffelen and/or Willem Burgers will be there to help • Exercises to be done in pairs p • Doing the exercises is obligatory to take part in the exam • More importantly, exam questions will assume familiarity with the lab exercises i sws1 5

  6. Recap terminology and concepts p gy p from Software & Web Security 1 Software & Web Security 1 sws1 6

  7. weaknesses vs vulnerabilities Common use of terminology can be very confused & confusing: (security) weaknesses flaws vulnerabilities bugs errors coding defects (security) weaknesses, flaws, vulnerabilities, bugs, errors, coding defects, ... We can make a distinction between • security weakness/flaw: something that is wrong or could be better, and which might become a security problem • • security vulnerability security vulnerability a weakness/flaw that can actually be exploited by an attacker This requires the weakness to be q 1. accessible - attacker has to be able to get at it 2. exploitable - attacker has to be able to do some damage with it Eg by unplugging your network connection, many vulnerabilities become flaws sws1 7

  8. design vs implementation flaws g Software vulnerabilities can be introduced at different “levels” • d design flaws i fl focus of – fundamental error in the design this course • implementation flaws or coding error implementation flaws or coding error – introduced when implementing The precise border is not precise Vulnerabilities can also arise on higher levels (out of scope for this course) • configuration flaw when installing software on a machine configuration flaw when installing software on a machine • the user • unforeseen consequence of the intended functionality (eg. spam) unforeseen consequence of the intended functionality (eg. spam) sws1 8

  9. errors in program logic vs low-level coding defects g g g We can distinguish 1. 1 fl flaws that can be spotted just by looking at the program itself (and th t b tt d j t b l ki t th it lf ( d understanding what it is meant to do!) – eg. incorrectly nested if-statements Sometimes called logic errors, as opposed to syntax errors, or an error in the program logic 2 2. l lower-level, implementation flaws that arise due to interactions with l l i l t ti fl th t i d t i t ti ith the underlying platform – in the case of software running on a normal machine, the platform g p includes CPU, OS, and memory – in the case of software interacting over the web, this platform is “the web” ,incl. a web browser on the client side and a web server or web , application on the server side focus of this course sws1 9

  10. (malicious/untrusted) input as main source of trouble error in evil input evil input program logic program logic program in output execution execution lower-level coding defect, platform-dependent lots of . interactions interactions . complex “platform” The platform can be – the computer (CPU & memory) – “the web” sws1 10

  11. 11 Intro sws1

  12. brainstorm: surfing the web g What is the web? • What do we need to make the web? • What do we need to use the web? sws1 12

  13. brainstorm • the internet, connecting clients and servers • client side: li t id web browser, possibly with plugins, running on some OS, • server side: server side: web server or web application running on web application framework incl. back-end database, running on some OS • specifications to agree on common protocols and formats – IP, HTTP, HTTPS, HTML, DNS, wifi, ethernet, .. IP HTTP HTTPS HTML DNS wifi ethernet – URL/URI, IP addresses, email addresses, ... – jpg, png, mpeg, mp4, javascript, Flash, ActiveX, Ajax, ... – PHP, Java, Ruby,.. or some other scripting/programming language sws1 13

  14. What is the internet and the web? The internet and web consist of hardware and software • h hardware d – network: copper cables, optic cables, ... – ICT: servers, routers,... ICT: servers, routers,... • software – network drivers, browsers, web servers, ... Alternatively, we can say the internet or the web is simply a set of specifications that define specifications, that define • protocols (for communication) • languages and formats (for data) languages and formats (for data) that are somehow realised in HW/SW sws2 14

  15. protocol A procotol is a set of rules for two (or more) parties to interact or communicate t f l f t ( ) ti t i t t i t Protocols specify sequences of steps , Protocols specify sequences of steps , in which data is exchanged in specific formats Not just between computers; eg. think of protocol that people follow when they answer their phone. NB systems consisting of interacting/communicating parties are complex, as the number of states grows exponentially with the number of participants. sws2 15

  16. languages and formats g g Defining a language or formats involves • syntax t – what are allowed words/sentences/sequences of bytes? • semantics semantics – what do these mean? – hence: how should they be interpreted? sws2 16

  17. internet vs web • internet – provides networking between computers p g p – offering the IP protocol family with UDP and TCP • web – one of the services that can run over the internet – using the HTTP/HTML protocol family using the HTTP/HTML protocol family sws2 17

  18. History of y (security worries on) the internet & the web the internet & the web sws2 18

  19. Evolution of the Internet 1. the internet 2 2. th the web b 3. dynamically generated web pages 4. 4. web 2.0 web 2.0 5. dynamic web pages 6. asynchronously executing content in web pages 7. mobile internet 8. web 3.0 aka the semantic web? sws2 19

  20. 1. internet • computer network linking computers worldwide • various services (aka applications) that can be provided over the i i ( k li ti ) th t b id d th internet: email, ftp, telnet, ssh, ... • built using several protocol layers g p y ... ... Application Layer pp y HTTP SMTP DNS VoIP TCP UDP Transport Layer Network Layer IP Li k L Link Layer Physical layer sws2 20

  21. security worries & problems? y 1. The internet is an important attack vector. For any computer connected to the internet, it threatens CIA of all data and services connected to the internet, it threatens CIA of all data and services on it, incl. availability of the computer itself 2. Lack of confidentiality, privacy, and anonymity – Any party observing the network traffic (eg router ISP Any party observing the network traffic (eg router, ISP, ...) can ) can see 1. the communication exchanged 2. the fact that two parties are communicating at all is seen by any party in the middle, incl. routers, ISP, government agencies, ... g g – Also, parties communicating know each other’s IP address NB an IP address counts as personal information (persoonsgegeven) in Dutch legislation g 3. Lack of integrity & authentication – when you communicate over the internet, you have no clue who is at the other end of the line or if information is genuine is at the other end of the line, or if information is genuine sws2 21

  22. integrity and authenticity g y y Of the trio confidentiality, integrity and availability (CIA), integrity is the trickiest & most confusing notion. i t it i th t i ki t & t f i ti Usually (always?) by integrity of message Usually (always?) by integrity of message we implicitly also mean authentication of the origin of the message Conversely, authentication of some party is usually pointless unless you also authenticate (ie. ensure the integrity of) the communication coming from that party coming from that party. sws2 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software and Web Security deel 1 deel 1 sws1 About this course: people Erik Poll P t

Software and Web Security deel 1 deel 1 sws1 About this course: people Erik Poll P t

1 Software and Web Security deel 1 deel 1 sws1 About this course: people Erik Poll P t Peter Schwabe S h b Pol van Aubel Ko Stoffelen Ko Stoffelen sws1 2 About this course: topics & goals g Standard

943 views • 48 slides
deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Wayne County 4-H Achievement Record Workshop Presented by Doug Foxx Adapted from Erin Deel

Wayne County 4-H Achievement Record Workshop Presented by Doug Foxx Adapted from Erin Deel

Wayne County 4-H Achievement Record Workshop Presented by Doug Foxx Adapted from Erin Deel Dailey, Lisa McCutcheon, Allen Auck, and Ann Mumaws Presentation on Creating Effective Achievement Records Overview Welcome / Introduction

392 views • 21 slides
Raadslede, wykskomitee-lede en ander rolspelers interaksie. Saterdag 21 November 2015

Raadslede, wykskomitee-lede en ander rolspelers interaksie. Saterdag 21 November 2015

Raadslede, wykskomitee-lede en ander rolspelers interaksie. Saterdag 21 November 2015 Klinte-tevredenheidsopname Deel 1 Aantal responses ontvang Dorp Totaal 2011 Bevolking % Abbotsdale 21 3762 0.56% Chatsworth 27 2326 1.16%

1.26k views • 98 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
A Proposal for Climate Justice Professor Jeffrey D. Sachs Professor of Economics at Columbia

A Proposal for Climate Justice Professor Jeffrey D. Sachs Professor of Economics at Columbia

LOGOS Hosted by the Grantham Research Institute on Climate Change and the Environment A Proposal for Climate Justice Professor Jeffrey D. Sachs Professor of Economics at Columbia University, a leader in sustainable development and senior UN

313 views • 28 slides
Cadburys, court reform and redefining adulthood Max Rutherford, Barrow Cadbury Trust

Cadburys, court reform and redefining adulthood Max Rutherford, Barrow Cadbury Trust

The price of prejudice: when attitudes shape policy University of Strathclyde, 6 April 2017 Cadburys, court reform and redefining adulthood Max Rutherford, Barrow Cadbury Trust www.t2a.org.uk @T2AAlliance Cadburys Advertorial, 1904

467 views • 17 slides
Defining Category Management? The strategic management of product groups through trade

Defining Category Management? The strategic management of product groups through trade

Defining Category Management? The strategic management of product groups through trade partnerships which aims to maximise sales and profit by satisfying consumer and shopper needs. Institute of Grocery Distribution ~IGD Category management is

409 views • 9 slides
Fake News and FactChecking Workshop Peter Gallert Goethe Institut Windhoek 24 January 2020

Fake News and FactChecking Workshop Peter Gallert Goethe Institut Windhoek 24 January 2020

Fake News and FactChecking Workshop Peter Gallert Goethe Institut Windhoek 24 January 2020 Peter Gallert (Goethe) Fake News and FactChecking 24 January 2020 1 / 30 Workshop Outline Participants Introduction 1 Topic Introduction

971 views • 51 slides
Stability and Rare Events in Stochastic Models Sergey Foss Heriot-Watt University, Edinburgh and

Stability and Rare Events in Stochastic Models Sergey Foss Heriot-Watt University, Edinburgh and

Stability and Rare Events in Stochastic Models Sergey Foss Heriot-Watt University, Edinburgh and Institute of Mathematics, Novosibirsk ANSAPW University of Queensland 8-11 July, 2013 1 Outline (I) Fluid Approximation Approach for

644 views • 30 slides
Scaling IPv6 Neighbor Discovery Ben Mack-Crane ( ben.mackcrane@huawei.com ) Overview of Neighbor

Scaling IPv6 Neighbor Discovery Ben Mack-Crane ( ben.mackcrane@huawei.com ) Overview of Neighbor

Scaling IPv6 Neighbor Discovery Ben Mack-Crane ( ben.mackcrane@huawei.com ) Overview of Neighbor Discovery Protocol IPv6 nodes on the same LAN use Neighbor Discovery (RFC4861) to to find routers and discover link and network parameters,

310 views • 10 slides
Mobility as an Integrated Service Through the Use of Naming Ran Atkinson, Extreme Networks

Mobility as an Integrated Service Through the Use of Naming Ran Atkinson, Extreme Networks

Mobility as an Integrated Service Through the Use of Naming Ran Atkinson, Extreme Networks Saleem Bhatti, University of St Andrews Steve Hailes, University College London 1 1. ILNPv6 - changing naming and addressing 2. Approach to mobility

550 views • 44 slides
Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st June 2012 Explain Server Side options Objective = Efficient use of 1. your time 2. resources (server, client and data network) 1st June 2012 Agenda

626 views • 51 slides

More recommend