Software Security: Defenses & Principles CS 161: Computer - - PowerPoint PPT Presentation

software security defenses principles
SMART_READER_LITE
LIVE PREVIEW

Software Security: Defenses & Principles CS 161: Computer - - PowerPoint PPT Presentation

Apr 09, 2023 24 likes •445 views

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

slide-1
SLIDE 1

Software Security: Defenses & Principles

CS 161: Computer Security

  • Prof. Vern Paxson

TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

http://inst.eecs.berkeley.edu/~cs161/

January 25, 2011

slide-2
SLIDE 2

Testing for Software Security Issues

  • What makes testing a program for security problems

difficult?

– We need to test for the absence of something

  • Security is a negative property!

– “nothing bad happens, even in really unusual circumstances”

– Normal inputs rarely stress security-vulnerable code

  • How can we test more thoroughly?

– Random inputs (fuzz testing) – Mutation – Spec-driven

  • How do we tell when we’ve found a problem?

– Crash or other deviant behavior

  • How do we tell that we’ve tested enough?

– Hard: but code-coverage tools can help

slide-3
SLIDE 3

Testing for Software Security Issues

  • What makes testing a program for security problems

difficult?

– We need to test for the absence of something

  • Security is a negative property!

– “nothing bad happens, even in really unusual circumstances”

– Normal inputs rarely stress security-vulnerable code

  • How can we test more thoroughly?

– Random inputs (fuzz testing) – Mutation – Spec-driven

  • How do we tell when we’ve found a problem?

– Crash or other deviant behavior

  • How do we tell that we’ve tested enough?

– Hard: but code-coverage tools can help

slide-4
SLIDE 4

Testing for Software Security Issues

  • What makes testing a program for security problems

difficult?

– We need to test for the absence of something

  • Security is a negative property!

– “nothing bad happens, even in really unusual circumstances”

– Normal inputs rarely stress security-vulnerable code

  • How can we test more thoroughly?

– Random inputs (fuzz testing) – Mutation – Spec-driven

  • How do we tell when we’ve found a problem?

– Crash or other deviant behavior; enable expensive checks

  • How do we tell that we’ve tested enough?

– Hard: but code coverage tools can help

slide-5
SLIDE 5

int deref(int *p) { return *p; }

slide-6
SLIDE 6

/* requires: p != NULL (and p a valid pointer) */ int deref(int *p) { return *p; }

slide-7
SLIDE 7

int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; }

slide-8
SLIDE 8

/* requires: a != NULL && size(a) >= n */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; }

slide-9
SLIDE 9

/* requires: a != NULL && size(a) >= n */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; }

slide-10
SLIDE 10

/* requires: a != NULL && size(a) >= n */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* 0 <= i && i < n && n <= size(a) */ total += a[i]; return total; }

slide-11
SLIDE 11

int sumderef(int *a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += *(a[i]); return total; }

slide-12
SLIDE 12

/* requires: a != NULL && size(a) >= n && ??? */ int sumderef(int *a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += *(a[i]); return total; }

slide-13
SLIDE 13

/* requires: a != NULL && size(a) >= n && for all j in 0..n‐1, a[j] != NULL */ int sumderef(int *a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += *(a[i]); return total; }

slide-14
SLIDE 14

void *mymalloc(size_t n) { void *p = malloc(n); if (!p) { perror("malloc"); exit(1); } return p; }

slide-15
SLIDE 15

/* ensures: retval != NULL */ void *mymalloc(size_t n) { void *p = malloc(n); if (!p) { perror("malloc"); exit(1); } return p; }

slide-16
SLIDE 16

char *tbl[N]; int hash(char *s) { int h = 17; while (*s) h = 257*h + (*s++) + 3; return h % N; } bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); }

slide-17
SLIDE 17

char *tbl[N]; /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; while (*s) h = 257*h + (*s++) + 3; return h % N; } bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); }

slide-18
SLIDE 18

char *tbl[N]; /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) h = 257*h + (*s++) + 3; return h % N; } bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); }

slide-19
SLIDE 19

char *tbl[N]; /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; return h % N; } bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); }

slide-20
SLIDE 20

char *tbl[N]; /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; } bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); }

slide-21
SLIDE 21

char *tbl[N]; /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; /* 0 <= retval < N */ } bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); }

slide-22
SLIDE 22

char *tbl[N]; /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; /* 0 <= retval < N */ } bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); }

slide-23
SLIDE 23

char *tbl[N]; /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; /* 0 <= retval < N */ } bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); }

slide-24
SLIDE 24

char *tbl[N]; /* ensures: 0 <= retval && retval < N */ int hash(char *s) { int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; /* 0 <= retval < N */ } bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); }

Fix?

slide-25
SLIDE 25

char *tbl[N]; /* ensures: 0 <= retval && retval < N */ unsigned int hash(char *s) { unsigned int h = 17; /* 0 <= h */ while (*s) /* 0 <= h */ h = 257*h + (*s++) + 3; /* 0 <= h */ return h % N; /* 0 <= retval < N */ } bool search(char *s) { unsigned int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); }

slide-26
SLIDE 26

5 Minute Break

Questions Before We Proceed?

slide-27
SLIDE 27

TL‐15

slide-28
SLIDE 28

TL‐30

slide-29
SLIDE 29

TRTL‐30

slide-30
SLIDE 30

TXTL‐60

slide-31
SLIDE 31

“Security is economics.”

slide-32
SLIDE 32

This program can delete any file you can.

slide-33
SLIDE 33

This program can delete any file you can.

slide-34
SLIDE 34

“Least privilege.”

slide-35
SLIDE 35

Soda Hall wiring closet

slide-36
SLIDE 36
slide-37
SLIDE 37
slide-38
SLIDE 38
slide-39
SLIDE 39

“Use fail-safe defaults.”

slide-40
SLIDE 40
slide-41
SLIDE 41
slide-42
SLIDE 42