understanding security mistakes developers make
play

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative - PowerPoint PPT Presentation

Jan 14, 2023 •144 likes •1.64k views

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis From Build It, Break It, Fix It Daniel Votipka , Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks University of Maryland, College Park 1 SOLVED

  1. SECURE LOG PROBLEM Event Log Event Log Event Log log : Time User Action Where Time Time User User Action Action Where Where 8:00 AM 8:00 AM Bob Bob Enter Enter Gallery Gallery 8:01 AM Alice Enter Office ./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log ./logappend –T 0801 –K XDFLKJSLJDLJFLKJLSDF –E Alice -A –R Office log ./logread –K XDFLKJSLJDLJFLKJLSDF –R –E Alice log Office 17

  2. SECURE LOG PROBLEM Event Log Event Log Event Log log : Time User Action Where Time Time User User Action Action Where Where 8:00 AM 8:00 AM Bob Bob Enter Enter Gallery Gallery 8:01 AM Alice Enter Office ./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log ./logappend –T 0801 –K XDFLKJSLJDLJFLKJLSDF –E Alice -A –R Office log ./logread –K XDFLKJSLJDLJFLKJLSDF –R –E Alice log Office 17

  3. SECURE LOG PROBLEM Event Log Event Log Event Log log : Time User Action Where Time Time User User Action Action Where Where 8:00 AM 8:00 AM Bob Bob Enter Enter Gallery Gallery 8:01 AM Alice Enter Office X ./logappend –T 0800 –K XDFLKJSLJDLJFLKJLSDF –E Bob -A –R Gallery log ./logappend –T 0801 –K XDFLKJSLJDLJFLKJLSDF –E Alice -A –R Office log ./logread –K XDFLKJSLJDLJFLKJLSDF –R –E Alice log Office 17

  4. SECURE COMMUNICATIONS PROBLEM 18

  5. SECURE COMMUNICATIONS PROBLEM ./bank –s auth 18

  6. SECURE COMMUNICATIONS PROBLEM ./bank –s auth auth : XDFLKJSLJDLJFLKJLSDF 18

  7. SECURE COMMUNICATIONS PROBLEM ./bank –s auth auth : XDFLKJSLJDLJFLKJLSDF 18

  8. SECURE COMMUNICATIONS PROBLEM ./atm –s auth –c card –a bob –n 1000 ./bank –s auth auth : XDFLKJSLJDLJFLKJLSDF 18

  9. SECURE COMMUNICATIONS PROBLEM ./atm –s auth –c card –a bob –n 1000 ./bank –s auth bob balance: 1000 auth : XDFLKJSLJDLJFLKJLSDF card : DFLLKSDF 18

  10. SECURE COMMUNICATIONS PROBLEM ./atm –s auth –c card –a bob –n 1000 ./bank –s auth ./atm –s auth –c card –a bob –d 50 bob balance: 1050 1000 auth : XDFLKJSLJDLJFLKJLSDF card : DFLLKSDF 18

  11. SECURE COMMUNICATIONS PROBLEM ./atm –s auth –c card –a bob –n 1000 ./bank –s auth ./atm –s auth –c card –a bob –d 50 bob balance: 1050 1000 450 ./atm –s auth –c card –a bob –w 600 auth : XDFLKJSLJDLJFLKJLSDF card : DFLLKSDF 18

  12. SECURE COMMUNICATIONS PROBLEM ./atm –s auth –c card –a bob –n 1000 ./bank –s auth ./atm –s auth –c card –a bob –d 50 bob balance: 1050 1000 450 ./atm –s auth –c card –a bob –w 600 auth : XDFLKJSLJDLJFLKJLSDF card : DFLLKSDF 18

  13. SECURE COMMUNICATIONS PROBLEM ./atm –s auth –c card –a bob –n 1000 ./bank –s auth ./atm –s auth –c card –a bob –d 50 bob balance: 1050 1000 450 ./atm –s auth –c card –a bob –w 600 auth : XDFLKJSLJDLJFLKJLSDF card : DFLLKSDF 18

  14. MULTIUSER DATABASE PROBLEM 19

  15. MULTIUSER DATABASE PROBLEM as principal admin password "admin" do create principal alice "alices_password" set msg = "Hi Alice. Good luck in Build it, Break it, Fix it!" set delegation msg admin read -> alice return "success" *** 19

  16. MULTIUSER DATABASE PROBLEM as principal admin password "admin" do create principal alice "alices_password" set msg = "Hi Alice. Good luck in Build it, Break it, Fix it!" set delegation msg admin read -> alice return "success" *** as principal alice password ”alices_password" do return msg *** 19

  17. MULTIUSER DATABASE PROBLEM as principal admin password "admin" do create principal alice "alices_password" set msg = "Hi Alice. Good luck in Build it, Break it, Fix it!" set delegation msg admin read -> alice return "success" *** as principal alice password ”alices_password" do return msg *** as principal bob password ”bobs_password" do return msg *** 19

  18. RESEARCH QUESTIONS 20

  19. RESEARCH QUESTIONS What types of vulnerabilities do developers introduce? 20

  20. RESEARCH QUESTIONS What types of vulnerabilities do developers introduce? How severe are the vulnerabilities? If exploited, what is the effect on the system? 20

  21. RESEARCH QUESTIONS What types of vulnerabilities do developers introduce? How severe are the vulnerabilities? If exploited, what is the effect on the system? How exploitable are the vulnerabilities? What level of insight is required and how much work is necessary? 20

  22. RESEARCH QUESTIONS What types of vulnerabilities do developers introduce? How severe are the vulnerabilities? If exploited, what is the effect on the system? How exploitable are the vulnerabilities? What level of insight is required and how much work is necessary? 21

  23. ANALYSIS APPROACH 22

  24. ANALYSIS APPROACH Examine projects and associated exploits in detail 22

  25. ANALYSIS APPROACH Examine projects and associated exploits in detail Iterative open coding 22

  26. ANALYSIS APPROACH Examine projects and associated exploits in detail Iterative open coding Two independent researchers with high reliability 22

  27. ANALYSIS APPROACH Examine projects and associated exploits in detail Iterative open coding Two independent researchers with high reliability 76 projects with 866 submitted exploits 22

  28. ANALYSIS APPROACH Examine projects and associated exploits in detail Iterative open coding Two independent researchers with high reliability 76 projects with 866 submitted exploits Both qualitative and quantitative analysis performed 22

  29. RESULTS 23

  30. Vulnerability classes No implementation Misunderstanding Mistake Bad Unintuitive Conceptual Error Intuitive Choice 24

  31. Vulnerability classes No implementation 25

  32. Vulnerability classes • Missed something “Intuitive” No implementation Intuitive 26

  33. Vulnerability classes • Missed something “Intuitive” • No encryption (log, ATM) No implementation Intuitive 26

  34. Vulnerability classes • Missed something “Intuitive” • No encryption (log, ATM) No implementation • No access control (MD) Intuitive 26

  35. Vulnerability classes • Missed something “Intuitive” • No encryption (log, ATM) No implementation • No access control (MD) • Missed something “Unintuitive” • No MAC (log) Unintuitive Intuitive 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix It Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks University of Maryland MANY REAL VULNERABILITIES

611 views • 34 slides
Make Cheaper Mistakes Anna Marie Clifton Product Manager, Yammer Clearly Product podcast

Make Cheaper Mistakes Anna Marie Clifton Product Manager, Yammer Clearly Product podcast

Make Cheaper Mistakes Anna Marie Clifton Product Manager, Yammer Clearly Product podcast @TweetAnnaMarie We make mistakes Make better, faster, cheaper mistakes An incredibly expensive Yammer mistake A whole new Android App A

1.34k views • 72 slides
Lessons Learned from the War for the Ground in San Francisco " make honest mistakes ... talk

Lessons Learned from the War for the Ground in San Francisco " make honest mistakes ... talk

Lessons Learned from the War for the Ground in San Francisco " make honest mistakes ... talk about those mistakes openly and share what was done to correct those mistakes with other[s]" Froward, Handbook , "Establishing a Lesson

585 views • 30 slides
My Top 10 Mistakes On The Way From $0 to $100m ARR (Really, First $20m ARR) Dont Make Them.

My Top 10 Mistakes On The Way From $0 to $100m ARR (Really, First $20m ARR) Dont Make Them.

My Top 10 Mistakes On The Way From $0 to $100m ARR (Really, First $20m ARR) Dont Make Them. Youll Grow Even Faster. Jason M. Lemkin SaaStr Managing Director, Storm VenturesSaaStr w/ Nicolas Dessaigne Founder/CEO EchoSign/Adobe;

463 views • 24 slides
Should I Protect You? Understanding Developers Behavior to Privacy-Preserving APIs Shubham

Should I Protect You? Understanding Developers Behavior to Privacy-Preserving APIs Shubham

Should I Protect You? Understanding Developers Behavior to Privacy-Preserving APIs Shubham Jain and Janne Lindqvist Department of Electrical and Computer Engineering Rutgers University Workshop on Usable Security (USEC14) February 23,

230 views • 21 slides
ANOVA There are only two mistakes one can make along the road to truth; not going all the

ANOVA There are only two mistakes one can make along the road to truth; not going all the

Cohen Chapter 16 (Two-Way) Mixed ANOVA There are only two mistakes one can make along the road to truth; not going all the way, and not starting. Buddha Dr. Professor is interested in determining whether the average man wants to

715 views • 9 slides
Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy cornerstones Need to

582 views • 37 slides
Smartphones Can Make Anyone Look Stupid Kevin D. Murray, CPP , CISM, CFE, MPSC Simple Mistakes

Smartphones Can Make Anyone Look Stupid Kevin D. Murray, CPP , CISM, CFE, MPSC Simple Mistakes

Smartphones Can Make Anyone Look Stupid Kevin D. Murray, CPP , CISM, CFE, MPSC Simple Mistakes Drownings Spyware Photos Backups The Lost Phone Trick Simple Phone / Tablet Mistakes Applying weird do-it-yourself hacks. Not properly cleaning

636 views • 29 slides
Mat Maths hs! We take our time for deeper understanding. We are learning ng to be math

Mat Maths hs! We take our time for deeper understanding. We are learning ng to be math

Swindon Village Primary School We have a go. We make mistakes and learn from them. We ask questions. Le Lear arni ning ng fr from om We think about what we are doing. We talk about what we are doing. each ea h ot othe

428 views • 30 slides
It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy

It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy

It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy Vaillancourt-Sals amy@thinkshout.com @AmyVSHorn Why Hire Junior Devs? Challenging to find senior developers Cost benefits Productivity

1.03k views • 34 slides
It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy

It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy

It Takes Two to Make a Thing Go Right: Support for Junior Developers in the Workplace Amy Vaillancourt-Sals amy@thinkshout.com @AmyVSHorn Why Hire Junior Devs? Challenging to find senior developers Cost benefits Productivity

671 views • 31 slides
Success does not consist in never making mistakes but in never making the same one a second time.

Success does not consist in never making mistakes but in never making the same one a second time.

Success does not consist in never making mistakes but in never making the same one a second time. George Bernard Shaw Repeat offenders make mistakes by NOT: Utilising key learnings from Yr. 11 Mapping assessment schedules Linking

530 views • 23 slides
Dont Make These Common Job Search Mistakes macslist . org | # Macs_List | @Mac_Prichard

Dont Make These Common Job Search Mistakes macslist . org | # Macs_List | @Mac_Prichard

Dont Make These Common Job Search Mistakes macslist . org | # Macs_List | @Mac_Prichard macslist . org | @Macs_List | @Mac_Prichard Todays Agenda How to Land a Four job hunting mistakes to avoid My first job search How to find

642 views • 21 slides
Why do we make mistakes in morphological diagnosis how can we improve? Michelle Brereton

Why do we make mistakes in morphological diagnosis how can we improve? Michelle Brereton

Why do we make mistakes in morphological diagnosis how can we improve? Michelle Brereton & John Burthem Manchester, UK UK NEQAS(H) DM scheme 1. Select up to 5 significant morphological features from a defined list 2. Place these in

901 views • 42 slides
grow...... May they see me as patient and understanding, for then they will be more willing to

grow...... May they see me as patient and understanding, for then they will be more willing to

"May the Children in My Care" a poem by Genie Graveline May the children in my care learn so much more from me than what is contained in books...... May I teach them by example that it's all right to make mistakes, for that is how we

497 views • 17 slides
Java One 2015 Deep Dive T op Performance Mistakes And other Tips & T ricks to make you

Java One 2015 Deep Dive T op Performance Mistakes And other Tips & T ricks to make you

Java One 2015 Deep Dive T op Performance Mistakes And other Tips & T ricks to make you a Performance Expert More on http://blog.dynatrace.com Andreas Grabner - @grabnerandi Safe Harbor AND MANY MORE 0.01ms 0.02ms 15

1.01k views • 78 slides
Regulation E Background Electronic Funds Transfer Act Rights, liabilities, and

Regulation E Background Electronic Funds Transfer Act Rights, liabilities, and

Regulation E Background Electronic Funds Transfer Act Rights, liabilities, and responsibilities of the parties involved in an electronic funds transfer (EFT) The CFPB has rulemaking authority 12 CFR 1005 Examples of EFTs

608 views • 40 slides
Tibor Bosse, Alexei Sharpanskykh, Jan Treur, Henk Blom, Sybert Stroeve SESAR Innovation Days,

Tibor Bosse, Alexei Sharpanskykh, Jan Treur, Henk Blom, Sybert Stroeve SESAR Innovation Days,

Agent-Based Modelling of Hazards in ATM Tibor Bosse, Alexei Sharpanskykh, Jan Treur, Henk Blom, Sybert Stroeve SESAR Innovation Days, Braunschweig, Germany, Nov 27-29, 2012 vrije Universiteit amsterdam Contents 1. MAREA project and motivation 2.

257 views • 24 slides
PHYSICS OF THE NEUTRINO FACTORY (AND FRIENDS) J.J. Gmez Cadenas IFIC (CSIC-UV) Lecture II

PHYSICS OF THE NEUTRINO FACTORY (AND FRIENDS) J.J. Gmez Cadenas IFIC (CSIC-UV) Lecture II

PHYSICS OF THE NEUTRINO FACTORY (AND FRIENDS) J.J. Gmez Cadenas IFIC (CSIC-UV) Lecture II viernes 17 de julio de 2009 LECTURE II Matter matters Degenerate physics Design your experiment viernes 17 de julio de 2009 TRAVEL IN

301 views • 18 slides
ATM Signaling Project ARL Washington University Dakang Wu dakang@arl.wustl.edu Hui Shen

ATM Signaling Project ARL Washington University Dakang Wu dakang@arl.wustl.edu Hui Shen

ATM Signaling Project ARL Washington University Dakang Wu dakang@arl.wustl.edu Hui Shen shen@arl.wustl.edu Jeyashankher Ramamirtham jai@arl.wustl.edu Outline ATM signaling project overview Project current status Demo setting

464 views • 17 slides
Excep&ons and Threads Excep&ons What do you do when

Excep&ons and Threads Excep&ons What do you do when

Excep&ons and Threads Excep&ons What do you do when a program encounters an anomalous, unusual event? Try to open a file and it's

559 views • 37 slides
. BP = T where VP of a L is = atm P Triple pt. = s, l and g states Normal BP = boiling T at 1 atm

. BP = T where VP of a L is = atm P Triple pt. = s, l and g states Normal BP = boiling T at 1 atm

Vapor pressure of liquid determined by: Phase Diagram Pure substance in closed system Strength of IMFs T Topic 7.5 S Pressure atm L Define BP in terms of VP: phase diagrams . BP = T where VP of a L is = atm P Triple pt. = s, l and

38 views • 3 slides
From Use Cases to Post Conditions Martin Giese and Rogardt Heldal Chalmers Tekniska Hgskola,

From Use Cases to Post Conditions Martin Giese and Rogardt Heldal Chalmers Tekniska Hgskola,

From Use Cases to Post Conditions Martin Giese and Rogardt Heldal Chalmers Tekniska Hgskola, Gteborg, Sweden KeY Workshop, June 7, 2004 p.1/26 Motivation . . . for the crowd: Until now, the KeY method starts at the design phase:

391 views • 36 slides
CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ T

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ T

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ T odays lecture Examples of undecidable languages Examples of decidable languages Reductions Reading: Chapter 5 Previously Diag

569 views • 20 slides

More recommend