Problems developing secure applications. Erik Poll. Security of Systems (SoS) Radboud University Nijmegen

Similar documents
Software security specification and verification

Software & Hardware Security

Improving Software Quality with Static Analysis and Annotations for Software Defect Detection

Improving Software Quality with Static Analysis

The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

Using JML to protect Java code against SQL injection. Johan Janssen June 26, 2007

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

Static Analysis Techniques for Testing Application Security. OWASP San Antonio January 31 st, 2008

Static Analysis Techniques for Testing Application Security. OWASP Austin March 25 th, 2008

SAFECode Security Development Lifecycle (SDL)

Static Code Analysis Procedures in the Development Cycle

Designing with Exceptions. CSE219, Computer Science III Stony Brook University

Braindumps.C questions

Source Code Review Using Static Analysis Tools

<Insert Picture Here> What's New in NetBeans IDE 7.2

Software Security Touchpoint: Architectural Risk Analysis

Secure Software Programming and Vulnerability Analysis

Java Card Applet Firewall Exploration and Exploitation

Secure Programming with Static Analysis. Jacob West

How to Avoid an Attack - Security Testing as Part of Your Software Testing Process

Measuring the Effect of Code Complexity on Static Analysis Results

The Security Development Lifecycle. OWASP 24 June The OWASP Foundation

Idea: Measuring the Effect of Code Complexity on Static Analysis Results

Lab Experience 17. Programming Language Translation

D. Best Practices D.1. Assurance The 5 th A

The Need for Fourth Generation Static Analysis Tools for Security From Bugs to Flaws

Oracle Solaris Studio Code Analyzer

How I Learned to Stop Fuzzing and Find More Bugs

Iron Chef: John Henry Challenge

Precise XSS Detection with Static Analysis using String Analysis

Data Flow Static Code Analysis Best Practices

Programming Flaws and How to Fix Them

To Java SE 8, and Beyond (Plan B)

Web Application Security

Visualizing Information Flow through C Programs

Unit-testing with JML

90% of data breaches are caused by software vulnerabilities.

Specialized Programme on Web Application Development using Open Source Tools

Improving Software Security at the. Source

Programming by Contract. Programming by Contract: Motivation. Programming by Contract: Preconditions and Postconditions

Intro DNS, security problems SPARK IRONSIDES Experimental results (previous, new) Lessons in humility Hitting the sweet spot Conclusions, future work

Static Checking of C Programs for Vulnerabilities. Aaron Brown

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

First Java Programs. V. Paúl Pauca. CSC 111D Fall, Department of Computer Science Wake Forest University. Introduction to Computer Science

Malicious Code on Java Card Smartcards: Attacks and Countermeasures

Developing Secure Software, assignment 1

Logistics. Software Testing. Logistics. Logistics. Plan for this week. Before we begin. Project. Final exam. Questions?

Java Interview Questions and Answers

SQL Injection Attack Lab Using Collabtive

TOOL EVALUATION REPORT: FORTIFY

The Hacker Strategy. Dave Aitel Security Research

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

JavaCard. Java Card - old vs new

HybriDroid: Analysis Framework for Android Hybrid Applications

Who, What, Where, How: Five Big Questions in Mobile Security

A Test Suite for Basic CWE Effectiveness. Paul E. Black.

Object-Oriented Design Lecture 4 CSU 370 Fall 2007 (Pucella) Tuesday, Sep 18, 2007

Introduction. Secure Software Development 9/03/2015. Matias starts. Daan takes over. Matias takes over. Who are we? Round of introductions

Automatic vs. Manual Code Analysis

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

Securing Network Software using Static Analysis

Security types to the rescue

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

Security Development Lifecycle for Agile Development

Certified Cyber Security Analyst VS-1160

Application Code Development Standards

Software Engineering Techniques

Learning Course Curriculum

Performance Improvement In Java Application

Software security assessment based on static analysis

Approach of Unit testing with the help of JUnit

EECS 588: Computer and Network Security. Introduction

How I hacked PacketStorm ( )

Securing software by enforcing data-flow integrity

Seven Deadly Sins of Debugging

Programming with the Microsoft.NET Framework Using Microsoft Visual Studio 2005 (VB)

Top Signs You re Prime for a Data Breach in 2014

C++ INTERVIEW QUESTIONS

NWEN405: Security Engineering

CSE 373: Data Structure & Algorithms Lecture 25: Programming Languages. Nicki Dell Spring 2014

Effective Patch Management: How to make the pain go away. Adam Shostack

Introduction to Static Analysis for Assurance

JSR-303 Bean Validation

Countering The Faults Of Web Scanners Through Byte-code Injection

Organization of Programming Languages CS320/520N. Lecture 05. Razvan C. Bunescu School of Electrical Engineering and Computer Science

Logi Ad Hoc Reporting System Administration Guide

Application Security Testing How to find software vulnerabilities before you ship or procure code

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

How To Write A Test Engine For A Microsoft Microsoft Web Browser (Php) For A Web Browser For A Non-Procedural Reason)

Research on the Essential Network Equipment Risk Assessment Methodology based on Vulnerability Scanning Technology Xiaoqin Song 1

Product Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company

Computer and Network Security

CSC230 Getting Starting in C. Tyler Bletsch

Using the Juliet Test Suite to compare Static Security Scanners

Content Author's Reference and Cookbook

Performance Measurement of Dynamically Compiled Java Executions

Streamlining Application Vulnerability Management: Communication Between Development and Security Teams

Building accurate intrusion detection systems. Diego Zamboni Global Security Analysis Lab IBM Zürich Research Laboratory

Programming with Data Structures

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

Transcription:

Problems developing secure applications Erik Poll Security of Systems (SoS) Radboud University Nijmegen

This talk security group in Nijmegen why security is difficult some things you can do our research on software security topics for discussion Erik Poll Radboud Universiteit Nijmegen 2

Informatica Security of Systems (SoS) group largest Dutch research group in computer security Master in Computer Security together with TUE and UT in Erik Poll Radboud Universiteit Nijmegen 3

Research topics in our group software security for Java on smartcards (JavaCard) & mobile phones (J2ME) for C++ hypervisor (OS microkernel) security protocols & applied cryptography for low power devices, eg. RFID identity-centric security privacy, anonymity identity management Erik Poll Radboud Universiteit Nijmegen 4

Some activities LaQuSo Laboratory for Quality Software collaboration with TU Eindhoven contract research to bridge gap from university to industry Cycris - Centre for CyberCrime Studies with law faculties of Nijmegen & Tilburg Erik Poll Radboud Universiteit Nijmegen 5

Software security up to the late 1990s, security was about crypto operating systems recent realisation: it's the software!! Erik Poll Radboud Universiteit Nijmegen 6

Why is security such a problem? Security is always a secondary concern Primary goal is functionality Secondary goal is restricting this functionality to make things secure in the short term, there is no motivation or reward whatsoever for improving security This problem occurs at many different levels in programs... but also in programming languages, training,... Erik Poll Radboud Universiteit Nijmegen 7

Security as secondary concern in programming languages Algol 60 introduces array bound checks, in 1960 C doesn't use this, in 1970s...... 3 decades later, we're still trying to get rid of buffer overflows early 2000s: people start using safestr.h Erik Poll Radboud Universiteit Nijmegen 8

Security as secondary concern in training many students learn programming in C(++) nobody tells them about buffer overflows or safestring libraries a case of criminal negligence? Erik Poll Radboud Universiteit Nijmegen 9

The bad news: people keep making the same mistakes public fields in Java included for efficiency reasons... SQL injection string concatenation is a convenient way to build SQL queries... will we be chasing SQL injection faults in 30 years time, just as we're still chasing buffer overflow attacks? insist on use of eg. PreparedStatement? PHP PHP is a convenient way to quickly build a website... Erik Poll Radboud Universiteit Nijmegen 10

Functionality vs security : PHP "..., I've come to the conclusion that it is basically impossible for normal programmers to write secure PHP code. It takes far too much effort.... PHP's raison d'etre is that it is simple to pick up and make it do something useful. There needs to be a major push... to make it safe for the likely level of programmers - newbies. Newbies have zero chance of writing secure software unless their language is safe. " [http://www.greebo.cnet] Erik Poll Radboud Universiteit Nijmegen 11

Security in Software Development Life Cycle But WHY bother with all this? Erik Poll Radboud Universiteit Nijmegen 12

Why bother with security at all? The only reasons to take security seriously economic but many companies have been successful without being overly concerned with security things seem to be slowly changing eg telco's are seriously worried about the quality of code on their mobile phones legal Sarbanes-Oxley privacy and data protection legislation software liability Erik Poll Radboud Universiteit Nijmegen 13

Security in Software Development Life Cycle But HOW to introduce all this? Look how others have done this, eg Microsoft Erik Poll Radboud Universiteit Nijmegen 14

Typical software security vulnerabilities 17% 0% 26% 37% buffer overflow input validation code defect design defect crypto 20% Security bugs found in Microsoft bug fix month (2002) Erik Poll Radboud Universiteit Nijmegen 15

Microsoft's SDL (Security Development Lifeycle) 1. Education & Awareness 2. Define & Follow Best Practices 3. Product Risk Assessment and Analysis 4. Secure Coding Policies incl. checklists & source code analysis tools 5. Secure Testing Policies 6. Security Response Planning & Execution Erik Poll Radboud Universiteit Nijmegen 16

Quality assurance at Microsoft Original process: manual code inspection effective when team & system are small too many paths/interactions to consider as system grew Early 1990s: add massive system & unit testing Test tooks week to run different platforms & configurations huge number of tests Inefficient detection of security holes Early 2000s: enter static analysis Erik Poll Radboud Universiteit Nijmegen 17

Spot the defects class Student { int idnr; String name; equals(student s) does not override equals(object o), but overloads it public boolean equals(student s){ if (s==null);{ return false;} return (idnr == s.idnr & name == s.name); } empty statement is legal Java, but probably a mistake use.equals, not == for Strings Erik Poll Radboud Universiteit Nijmegen 18

The "good" news: people keep making the same mistakes We can make checklists for common mistakes We can implement tools that check them source code analysers aka static analysis tools Static analysis tools for C(++) Coverity, Fortify, jtest, PolySpace, PREfast, PREfix,... C/C++ checkers focus on memory-related issues and for Java CheckStyle, Findbugs, PMD, Fortify, jtest, IntelliJ,... Erik Poll Radboud Universiteit Nijmegen 19

Spot the defect {... if (spec!=null) f.add(spec); if(iscomplete(spec)) prefs.add(spec);...} boolean iscomplete(preference spec){ return spec.getcolorkey()!= null && spec.getcolorvalue()!= null && spec.gettextkey()!= null; } iscomplete should not get a null argument Erik Poll Radboud Universiteit Nijmegen 20

Spot the defect {... if (spec!=null) f.add(spec); if(iscomplete(spec)) prefs.add(spec);...} annotation expresses intent and makes analysis by human or tool - easier boolean iscomplete(@nonnull Preference spec){ return spec.getcolorkey()!= null && spec.getcolorvalue()!= null && spec.gettextkey()!= null; } Erik Poll Radboud Universiteit Nijmegen 21

Java metadata tags introduced in Java 1.5 (JSR 175) JSR 305 "Annotations for Software Defect Detection" currently in progress @NonNull, @Nullable @Tainted, @Untainted to find input validation problems @NonNegative @WillClose, @WillNotClose @CheckReturnValue allows enhanced static analysis tainting analysis (data flow analysis) intra-procedural analysis Erik Poll Radboud Universiteit Nijmegen 22

beyond Java tags: JML public class ChipKnip{ private int balance; //@ invariant 0 <= balance && balance < 500; //@ requires amount >= 0; //@ ensures balance <=\old(balance); //@ signals (BankException) balance == \old(balance); public debit(int amount) { if (amount > balance) throw(new BankException("No way")); balance = balance amount; } Erik Poll Radboud Universiteit Nijmegen 23

JML Specification language for Java Properties can be specified in Design-By-Contract style, using pre/postconditions and invariants Various tools to check JML specifications by eg runtime checking program verification/static analysis at compile time Related work Spec# for C# by Microsoft SparkAda for Ada EauClaire for C by Brian Chess Erik Poll Radboud Universiteit Nijmegen 24

Ongoing work on using JML Can we specify & statically check for a J2ME mobile phone application display sticks to this navigation graph only opens a limited number of sms:// connections only connects to approved numbers? Erik Poll Radboud Universiteit Nijmegen 25

Other annotation languages PREfast static analysis tool (in Visual Studio 2005) uses SAL (Standard Annotation Language) to mark up C/C++ code. Eg checkreturn void *malloc( in size_t s); checkreturn means that caller must check the return value of malloc Erik Poll Radboud Universiteit Nijmegen 26

Conclusions Security is secondary concern in programming, language design, training,... left to itself, it will be ignored People keep making the same mistakes, which can be good news! education can prevent people making these mistakes checklists can catch common mistakes some in automatic checks by tools more with annotations in code Erik Poll Radboud Universiteit Nijmegen 27

To improve software security commitment (why) economic, legal at management level knowledge (what) common problems best practices implementing it (how) awareness checklists, tools, SDL spot-the-defect competitions Erik Poll Radboud Universiteit Nijmegen 28

Interesting reads The Security Development Lifecycle by Michael Howard and Steve Lipner 19 deadly sins of software security by Michael Howard, David LeBlanc, and John Viega Erik Poll Radboud Universiteit Nijmegen 29

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information