CS527 Software Security
Introduction
Mathias Payer
Purdue University, Spring 2018
Mathias Payer CS527 Software Security
About me
- Instructor: Mathias Payer
- Research area: system/software security
  - Memory/type safety
  - Mitigating control-flow hijacking
  - Compiler-based defenses
  - Binary analysis and reverse engineering
- Founded b01lers CTF team in 2014.
- Homepage: http://nebelwelt.net

Support
- TA: Bader AlBassam
- Research area: software security
- CTF player
- B01lers team leader

Course outline
- Secure software lifecycle
- Security policies
- Attack vectors
- Defense strategies
- Case studies: browser/web/mobile security

Why should you care?
- Security impacts everybody’s day-to-day life
- Security impacts your day-to-day life
- User: make safe decisions
- Developer: design and build secure systems
- Researcher: identify flaws, propose mitigations

Software Engineering versus Security
Software engineering aims for
- Dependability: producing fault-free software
- Productivity: deliver on time, within budget
- Usability: satisfy a client’s needs
- Maintainability: extensible when needs change

Software engineering combines aspects of PL, networking, project management, economics, etc.

Security is secondary and often limited to testing.

Definition: Security
Security is the application and enforcement of policies through mechanisms over data and resources.

- Policies specify what we want to enforce
- Mechanisms specify how we enforce the policy (i.e., an implementation/instance of a policy).

Definition: Software Security
Software Security is the area of Computer Science that focuses on (i) testing, (ii) evaluating, (iii) improving, (iv) enforcing, and (v) proving the security of software.

Why is software security difficult?
- Human factor
- Concept of weakest link
- Performance
- Usability

Best practices?
- Always lock your screen (on mobile/desktop)
- Unique password for each service
- Two-factor authentication
- Encrypt your transport layer (TLS)
- Encrypt your messages (GPG)
- Encrypt your filesystem (DM-Crypt)
- Disable password login on SSH
- Open (unknown) executables/documents in an isolated environment

Definition: Software Bug
A software bug is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. Bugs arise from mistakes made by people in either a program’s source code or its design, in frameworks and operating systems, and by compilers.
Source: Wikipedia
Definition: Software Vulnerability
A vulnerability is a software weakness that allows an attacker to exploit a software bug. A vulnerability requires three key components: (i) system is susceptible to flaw, (ii) adversary has access to the flaw (e.g., through information flow), and (iii) adversary has capability to exploit the flaw.

Course goals
Software running on current systems is exploited by attackers despite many deployed defence mechanisms and best practices for developing new software.

Goal: understand state-of-the-art software attacks/defenses across all layers of abstraction: from programming languages, compilers, runtime systems to the CPU, ISA, and operating system.

Learning outcomes
- Understand causes of common weaknesses.
- Identify security threats, risks, and attack vectors.
- Reason how such problems can be avoided.
- Evaluate and assess current security best practices and defense mechanisms for current systems.
- Become aware of limitations of existing defense mechanisms and how to avoid them.
- Identify security problems in source code and binaries, assess the associated risks, and reason about severity and exploitability.
- Assess the security of given source code.

Syllabus: Basics
- Secure software lifecycle: Design; Implementation; Testing; Updates and patching
- Basic security principles: Threat model; Confidentiality, Integrity, Availability; Least privileges; Privilege separation; Privileged execution; Process abstraction; Containers; Capabilities
- Reverse engineering: From source to binary; Process memory layout; Assembly programming; Binary format (ELF)

Syllabus: Policies and Attacks
- Security policies: Compartmentalization; Isolation; Memory safety; Type safety
- Bug, a violation of a security policy: Arbitrary read; Arbitrary write; Buffer overflow; Format string bug; TOCTTOU
- Attack vectors: Confused deputy; Control-flow hijacking; Code injection; Code reuse; Information leakage

Syllabus: Defenses
- Mitigations: Address Space Layout Randomization; Data Execution Prevention; Stack canaries; Shadow stacks; Control-Flow Integrity; Sandboxing; Software-based fault isolation
- Testing: Test-driven development; Beta testing; Unit tests; Static analysis; Fuzz testing; Symbolic execution; Formal verification
- Sanitizer: Address Sanitizer; Valgrind memory checker; Undefined Behavior Sanitizer; Type Sanitization (HexType)

Syllabus: Case studies
- Browser security: Browser security model; Adversarial computation; Protecting JIT code; Browser testing
- Web security: Web frameworks; Command injection; Cross-site scripting; SQL injection
- Mobile security: Android market; Permission model; Update mechanism

Course material
- Software security is rapidly evolving
- There are no standard text books
  - Research papers
  - Articles and tutorials
  - Remzi H. Arpaci-Dusseau and Andrea C. Arpaci-Dusseau. Operating Systems: Three Easy Pieces
  - Trent Jaeger, Operating System Security
- Labs and exercises

Capture-The-Flag!
- Security awareness is an acquired skill. This class heavily involves programming and security exercises.
- A semester long Capture-The-Flag (CTF) to train security skills:
  - Binary analysis
  - Reverse engineering
  - Exploitation techniques
  - Web challenges

Course project (1/2)
- Design and implementation of a project in C
- Security evaluation of your peers’ applications
- Fixing any reported security vulnerabilities
- Teams of up to 3 people allowed

Course project (2/2)
- Use a source repository to check in solutions,
- Organize your project according to a design document,
- Peer review and comment the code of other students,
- Work with a large code base, develop extensions.

Grading
- Lab assignments (CTF): 25%
- Programming project: 25%
- Midterm: 20%
- Final: 30%
- The grade will be curved.

Academic Integrity
All work that you submit in this course must be your own. Unauthorized group efforts are considered academic dishonesty.

You are allowed to discuss the problem with your peers but you may not copy or reuse any part of an existing solution.

We will use automatic tools to compare your solution to those of other current and past students. The risk of getting caught is too high!

Summary
- Software Security is the area of Computer Science that focuses on (i) testing, (ii) evaluating, (iii) improving, (iv) enforcing, and (v) proving the security of software.
- Learn to identify common security threats, risks, and attack vectors for software systems.
- Assess current security best practices and defense mechanisms for current software systems.
- Design and evaluate secure software.
- Have fun!