votd time of check time of use
play

VOTD: Time of Check, Time of Use Engineering Secure Software Last - PowerPoint PPT Presentation

Jul 26, 2023 •297 likes •383 views

VOTD: Time of Check, Time of Use Engineering Secure Software Last Revised: September 1, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is Time of Check, Time of Use? Analogy: Jill asks Dan to have tea ready for her when

  1. VOTD: Time of Check, Time of Use Engineering Secure Software Last Revised: September 1, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1

  2. What is Time of Check, Time of Use? Analogy: Jill asks Dan to have tea ready for her when she gets ● home from work. Dan checks that he has a clean cup, tea, and sugar for Jill’s cup of tea; there is just enough sugar. Satisfied that he can make Jill’s tea, Dan takes a nap. While napping, Dan & Jill’s son, Paul, makes a cup of tea and uses all of the sugar. When Dan wakes up to make tea for Jill, he sees that all of the sugar is gone and panics! SWEN-331: Engineering Secure Software Benjamin S Meyers 2

  3. What is Time of Check, Time of Use? Dan (Process 1): checks for sugar ● Paul (Process 2): uses all of the sugar ● Dan (Process 1): tries to use the sugar, but it isn’t there ● Dan and Paul are separate processes competing for the same ● resources This is a race condition , a change in the state of the system ● between when a condition was checked and when action is taken based on that condition SWEN-331: Engineering Secure Software Benjamin S Meyers 3

  4. Examples L1 Terminal Fault ● Microprocessors have different layers of cache (L1, L2, L3) ○ L1 cache is very small (32KB) ○ Processors use virtual and physical memory and try to swap data ○ between the two for optimization purposes A process could check the L1 cache, see that data is there, go do ○ other stuff, but then reference the memory address of that data, which has been swapped to virtual memory More information from the RedHat blog ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 4

  5. Examples PHP ● CVE-2004-0594 ○ The fix ○ Debian’s checkinstall script ● CVE-2008-2958 ○ Original bug report ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 5

  6. Mitigations Whenever possible, make transactions as atomic as possible ● If the technology provides a way to check the data and act on it ○ in a single transaction, always do that If you can’t be atomic, reduce the time between the check ● and use as much as possible Limit the number of processes that can access a resource ● Recheck the resource for integrity after using it ● SWEN-331: Engineering Secure Software Benjamin S Meyers 6

  7. Notes Sometimes, depending on the technology or the situation, ● TOCTOU vulnerabilities cannot be fully mitigated TOCTOU is usually a concurrency issue ● All of the best design practices for concurrency apply here ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

This webinar will start at 10:00 AM Eastern Time Please use to following link to check the local

This webinar will start at 10:00 AM Eastern Time Please use to following link to check the local

This webinar will start at 10:00 AM Eastern Time Please use to following link to check the local time in your country http://www.worldtimeserver.com/ The microphones will be muted until 10:00 AM (EST/DC) Open Government Partnership (OGP) Webinar

549 views • 42 slides
Information correct at time of delivery. Please check the university websites for the most up to

Information correct at time of delivery. Please check the university websites for the most up to

April 2019 Information correct at time of delivery. Please check the university websites for the most up to date information Explore England is a group of five distinctive, individual universities. From campus to city, urban to rural and large to

648 views • 26 slides
Timely Advice Time Occurs 599 Times In 546 Verses Time Is Important ! In The

Timely Advice Time Occurs 599 Times In 546 Verses Time Is Important ! In The

Timely Advice Time Occurs 599 Times In 546 Verses Time Is Important ! In The Year 2019 365 Days 8,760 Hours 525,600 Minutes 31,536,000 Seconds Timely Advice Yesterday is a cancelled check; tomorrow is a promissory

453 views • 18 slides
Time me Segmen ment Presenter 8:30 AM 9:20 AM Check-In/Scan Registrations 9:20 AM

Time me Segmen ment Presenter 8:30 AM 9:20 AM Check-In/Scan Registrations 9:20 AM

Time me Segmen ment Presenter 8:30 AM 9:20 AM Check-In/Scan Registrations 9:20 AM 9:30 AM Welcome/Introductions Division of LRES: Deliris Lorenzo/ Keyla Berry (Cuevas) 9:30 AM 9:50 AM Classroom Management Division of

374 views • 35 slides
E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed

E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed

E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed time for everything. And there is a time for every event under heaven A time to give birth and a time to die; A time to plant and a time to

626 views • 16 slides
Ukulele Lesson Eight Play each string, 1 2 one at a time. Listen to the sound. Are your

Ukulele Lesson Eight Play each string, 1 2 one at a time. Listen to the sound. Are your

Ukulele Lesson Eight Play each string, 1 2 one at a time. Listen to the sound. Are your strings in tune? Check with your teacher or a tuner if you think the tuning is wrong. Check before you 4 try to change the 3 tuning. STOP C C

721 views • 25 slides
Ukulele Lesson Six Play each string, 1 2 one at a time. Listen to the sound. Are your

Ukulele Lesson Six Play each string, 1 2 one at a time. Listen to the sound. Are your

Ukulele Lesson Six Play each string, 1 2 one at a time. Listen to the sound. Are your strings in tune? Check with your teacher or a tuner if you think the tuning is wrong. Check before you 3 4 try to change the tuning. STOP D

375 views • 12 slides
HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1 Health, Safety, and Environment ( HSE ) is crucial for any Oil & Gas and Construction business 2 Main Main accident kinds for the latest three

317 views • 13 slides
THE SOFTWARE Custom camera control software allows extra cameras to be added as needed allowing

THE SOFTWARE Custom camera control software allows extra cameras to be added as needed allowing

Time Slice systems - - also known as bullet time, stop time, or time freeze implement a camera array that ranges anywhere from 24 to 150+ cameras to create an effect of stopped time or extremely slowed time. Although the process was pioneered

197 views • 5 slides
W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

T IME S ERIES D ATA P APERS C OVERED Interactive Visualization of Serial Periodic Data John V. Carlis and Joseph A. Konstan Visualizing and Discovering Non-Trivial Patterns in Large Time Series Databases Jessica Lin, Eamonn Keogh,

764 views • 32 slides
? Same time Same time Same place Same time Same place 2 different painters Our story really

? Same time Same time Same place Same time Same place 2 different painters Our story really

? Same time Same time Same place Same time Same place 2 different painters Our story really begins here The Wise Man Grard Mari Professor of Art History at Sciences-Po The art guru who told fascinating stories Myself Coline Debayle

1.14k views • 57 slides
Last Time... Sanity Check Let X be a RV that takes on values in A . Expectation describes the

Last Time... Sanity Check Let X be a RV that takes on values in A . Expectation describes the

Last Time... Sanity Check Let X be a RV that takes on values in A . Expectation describes the weighted Expectation Continued: Tail Let Y be a RV that takes on values in B . average of a RV. Sum, Coupon Collector, and Let c R be a

505 views • 5 slides
virtual machines 1 last time access control lists user and group IDs in processes set-user-ID

virtual machines 1 last time access control lists user and group IDs in processes set-user-ID

virtual machines 1 last time access control lists user and group IDs in processes set-user-ID programs briefmy: time-of-check-to-time-of-use errors capabilities: token to address = permission token might allow getting other tokens can pass

1.24k views • 105 slides
Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers

Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers

CPSC-313: Introduction to Computer Systems Time and Timers Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers Reading: R&R, Ch 9 Current Time UNIX Time Zero : 00.00 (midnight), January 1,

244 views • 7 slides
Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization.

Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization.

Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization. If round-trip time is used, then accurate clocks are only needed at the anchors. 9/8/05 Jie Gao, CSE590-fall05 1 Time Difference of Arrival

830 views • 54 slides
International Time Use Community & Policy-Relevant Time Use Research Time Use Research

International Time Use Community & Policy-Relevant Time Use Research Time Use Research

International Time Use Community & Policy-Relevant Time Use Research Time Use Research Kimberly Fisher Secretary International Association for Time Use Research Centre for Time Use Research Early Time Use Developments Earliest

661 views • 34 slides
Resugaring: Lifting Evaluation Sequences through Syntactic Sugar Justin Pombrio, Shriram

Resugaring: Lifting Evaluation Sequences through Syntactic Sugar Justin Pombrio, Shriram

Resugaring: Lifting Evaluation Sequences through Syntactic Sugar Justin Pombrio, Shriram Krishnamurthi Brown University Syntactic Sugar 2 Syntactic Sugar desugar x + 2 x . _ _ a d d _ _ ( 2 ) 3 Syntactic Sugar desugar x

825 views • 67 slides
L ECTURE 3: D ECISION T REES Prof. Julia Hockenmaier juliahmr@illinois.edu Announcements Office

L ECTURE 3: D ECISION T REES Prof. Julia Hockenmaier juliahmr@illinois.edu Announcements Office

CS446 Introduction to Machine Learning (Fall 2013) University of Illinois at Urbana-Champaign http://courses.engr.illinois.edu/cs446 L ECTURE 3: D ECISION T REES Prof. Julia Hockenmaier juliahmr@illinois.edu Announcements Office hours start

838 views • 45 slides
CHATTAHOOCHEE RIVER DISTRICT PUBLIC MEETING FOLLOW-UP 1 July 14 Public Information/Open

CHATTAHOOCHEE RIVER DISTRICT PUBLIC MEETING FOLLOW-UP 1 July 14 Public Information/Open

CHATTAHOOCHEE RIVER DISTRICT PUBLIC MEETING FOLLOW-UP 1 July 14 Public Information/Open House 2 3 July 14 August 3 Public Comment 4 July 14 August 3 Public Comment 5 July 14 Market Recap 6 July 14 August 3 Public

422 views • 13 slides
APPLI LICATION ON DOM OMAIN: N: SENS NSOR OR NE NETWOR ORKS KS SENSOR NETWORK AS A

APPLI LICATION ON DOM OMAIN: N: SENS NSOR OR NE NETWOR ORKS KS SENSOR NETWORK AS A

APPLI LICATION ON DOM OMAIN: N: SENS NSOR OR NE NETWOR ORKS KS SENSOR NETWORK AS A CONTROL SYSTEM Know everything - must deploy resources Know nothing - must deploy resources Data fusion, build prob. map of to maximize benefit from

444 views • 13 slides
Syntac'c sugar : Syntax in a programming language that

Syntac'c sugar : Syntax in a programming language that

Syntac'c sugar : Syntax in a programming language that makes something easier to express. Example of syntac9c sugar int x = 1, y = 2; int

707 views • 13 slides
Distributional Semantics CMSC 470 Marine Carpuat Slides credit: Dan Jurafsky Reminders Read

Distributional Semantics CMSC 470 Marine Carpuat Slides credit: Dan Jurafsky Reminders Read

Words & their Meaning: Distributional Semantics CMSC 470 Marine Carpuat Slides credit: Dan Jurafsky Reminders Read the syllabus Make sure you have access to piazza Get started on homework 1 due Wed Sep 5 by 11:59pm. Only

514 views • 37 slides
Distributed Representations CMSC 473/673 UMBC Some slides adapted from 3SLP Outline Recap

Distributed Representations CMSC 473/673 UMBC Some slides adapted from 3SLP Outline Recap

Distributed Representations CMSC 473/673 UMBC Some slides adapted from 3SLP Outline Recap Maxent models Basic neural language models Continuous representations Motivation Key idea: represent words with vectors Two common counting types

889 views • 60 slides
CSEP 517 Natural Language Processing Autumn 2018 Distributed Semantics & Embeddings Luke

CSEP 517 Natural Language Processing Autumn 2018 Distributed Semantics & Embeddings Luke

CSEP 517 Natural Language Processing Autumn 2018 Distributed Semantics & Embeddings Luke Zettlemoyer - University of Washington [Slides adapted from Dan Jurafsky, Yejin Choi, Matthew Peters] Why vector models of meaning? computing the

902 views • 89 slides

More recommend