Software Assurance (SwA) in Education, Training & Certification
Pocket Guide v2.1
Robin A. Gandhi, Nebraska University Center on Information Assurance (NUCIA)
University of Nebraska at Omaha
What is a Pocketguide?
• Self-contained
• Concise
• Enumeration of resources
• Theme
• Living document
• Reprints and redistribution possible
• Fits in the coat pocket
SwA ETC Pocketguide Theme
• Educating the Educator/Trainer on available SwA resources
• Purpose:
– Awareness resource for “getting started” in educating, training and sustaining a workforce capable of producing secure software
– An “index” into a vast amount of resources, tools, curricula, and certification and training opportunities for software assurance
Purple, v 2.1, March 2011
Software Assurance?
• The basis for the belief that software will work as expected
– Claims, arguments and evidence that span the software lifecycle from cradle to grave
– People, Process and Technology that enable us to promote assurance in software that is mission and business critical
SwA Knowledge Areas and Efforts

[Diagram: “Key Software Assurance Knowledge Areas and Efforts”. The slide shows the knowledge areas (the SwA Forum working groups) with their efforts arranged around them; the grouping below follows the working-group structure, since the slide itself is a picture]

Measurement
• Measurement Frameworks
• Making Security Measurable
• Practical Measurement Framework for Software Assurance and Information Security
• Tool Metrics
• CWE, CWSS
• Measurement Goals and Questions Lists

Acquisition and Outsourcing
• Security-Enhanced Software Acquisition and Outsourcing
• Supply Chain Risk Management
• Risk-based Approach to Software Acquisition
• Acquisition Measurement
• Reference Guide: SwA in Acquisition
• Practices to Enhance SwA in Purchasing
• Due Diligence Questionnaires
• Sample Contract Provisions and Language
• Application Security Procurement Language

Technology, Tool and Product Evaluation
• Measuring Functionality and Capability of SwA Tools (SAMATE)
• CVE, CCE, CPE, OVAL, CVSS
• Functional Specifications
• Test Suites
• Metamodels for Software Assets and Operational Environments: Abstract Syntax Tree Metamodel (ASTM), Knowledge Discovery Metamodel (KDM), Software Metrics Metamodel (SMM)

Business Case
• Making a Business Case for SwA
• Cost/Benefit Models
• Measurement, Risk, Prioritization, Process Improvement, Globalization, Case Studies and Examples, Organizational Development

Workforce Education and Training
• Curriculum Guides
• Reference Curriculum (MSwA2010, Undergrad outline)
• Security Principles and Guidelines: logical and in-depth organization of principles and guidelines
• Knowledge necessary to Develop, Sustain, Acquire and Assure Secure Software (SwABoK)
• Workforce Development and Improvement
• Competency and Functional Framework for IT Security Workforce (EBK)
• State of the Art Reports (SOAR)
• Workforce Credentials

Processes and Practices
• Enhancement of Development Lifecycle
• Integrating Security into the Software Development Lifecycle
• Capability Maturity Model Integration: Mapping Assurance Goals and Practices to CMMI for Development
• Harmonizing and Extending existing Security Capability Maturity Models
• Maturity Models: Building Security In Maturity Model (BSIMM), Software Assurance Maturity Model (SAMM)
• Guidebooks (NASA, DACS)
• Key Practices for Mitigating Software Weaknesses
• Secure Coding Standards (CERT)
• Requirements and Analysis
• Architecture and Design Considerations
• Risk-Based Security Testing

Malware
• Malware Dictionaries
• Novel Approaches to Malware
• Malware Attribute Enumeration and Characterization (MAEC)
SwA Knowledge Areas and Efforts

[Diagram: repeats the “Key Software Assurance Knowledge Areas and Efforts” diagram from the previous slide, showing a subset of the same efforts]
The Various WGs and Deliverables

[Diagram: the same “Key Software Assurance Knowledge Areas and Efforts” diagram, here read as the SwA working groups (WGs) and their deliverables: Measurement; Acquisition and Outsourcing; Business Case; Processes and Practices; Malware; Workforce Development and Improvement; with the same deliverables listed around each as on the earlier slide]
Job Roles
• What kind of jobs can I get?
– Jobs and career planning: http://www.sans.org/20coolestcareers
Got Content?
• The pocket guide is a “work in progress”
• Plenty of opportunity to contribute content
• Join the Effort!
– Your comments, suggestions, criticism/praise are all very welcome
Where to find the PocketGuide?
• https://buildsecurityin.us-cert.gov/swa/pocket_guide_series.html
• And many others…
Find me
• Robin A. Gandhi, Ph.D., Assistant Professor of Information Assurance, University of Nebraska at Omaha
Voice: (402) 554 3363, Fax: (402) 554-3284
http://faculty.ist.unomaha.edu/rgandhi
Acknowledgement
• Joe Jarzombek for giving me the opportunity to lead this effort
• Members of the SwA WG on Education and Training for insightful comments, reviews and content (Dan, Carol, Nancy, Art)
• Susan Morris, Walter Houser, Dominick Chiriyan
• And many others…
Bonus Slides
Why Johnny Can’t Write Secure Code?
• Johnny, avoid these weaknesses…. Period!
– Common Weakness Enumeration (CWE)
• Johnny… learn from your mistakes
– Common Vulnerabilities and Exposures (CVE)
• Johnny… these are the ways of the bad guys
– Common Attack Pattern Enumeration and Classification (CAPEC)
• Johnny… these are ways to develop secure code
– CERT secure coding guidelines
Poor Johnny!
Using Semantic Templates to Study Vulnerabilities Recorded in Large Software Repositories
Robin A. Gandhi, Harvey Siy, Yan Wu
The Paradox We Face!

[Diagram: the scattered sources of information about a single vulnerability]
• Source code differences after the fix
• Log of changes
• Mailing list discussions
• Public descriptions
• Vulnerability databases
• Weakness enumerations
• Bug tracking databases
Concept Extraction

[Diagram: the CWE entries in the neighbourhood of buffer overflow, as extracted from the CWE, with their relationships drawn as edges; entry names are as on the slide]
• CWE-19: Data Handling
• CWE-20: Improper Input Validation
• CWE-118: Improper Access of Indexable Resource ('Range Error')
• CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• CWE-121: Stack-based Buffer Overflow
• CWE-122: Heap-based Buffer Overflow
• CWE-123: Write-what-where Condition
• CWE-124: Buffer Underwrite ('Buffer Underflow')
• CWE-125: Out-of-bounds Read
• CWE-126: Buffer Over-read
• CWE-127: Buffer Under-read
• CWE-128: Wrap-around Error
• CWE-129: Improper Validation of Array Index
• CWE-130: Improper Handling of Length Parameter Inconsistency
• CWE-131: Incorrect Calculation of Buffer Size
• CWE-134: Uncontrolled Format String
• CWE-170: Improper Null Termination
• CWE-190: Integer Overflow or Wraparound
• CWE-191: Integer Underflow (Wrap or Wraparound)
• CWE-192: Integer Coercion Error
• CWE-193: Off-by-one Error
• CWE-194: Unexpected Sign Extension
• CWE-195: Signed to Unsigned Conversion Error
• CWE-196: Unsigned to Signed Conversion Error
• CWE-199: Information Management Errors
• CWE-221: Information Loss or Omission
• CWE-227: API Abuse
• CWE-231: Improper Handling of Extra Values
• CWE-242: Use of Dangerous Functions
• CWE-251: String Management Misuse
• CWE-415: Double Free
• CWE-416: Use After Free
• CWE-456: Missing Initialization
• CWE-466: Return of Pointer Value Outside of Expected Range
• CWE-467: Use of sizeof() on a Pointer Type
• CWE-468: Incorrect Pointer Scaling
• CWE-680: Integer Overflow to Buffer Overflow
• CWE-682: Incorrect Calculation
• CWE-785: Use of Path Manipulation Function without Max-size Buffer
• CWE-786: Access of Memory Location Before Start of Buffer
• CWE-787: Out-of-bounds Write
• CWE-788: Access of Memory Location After End of Buffer
• CWE-789: Uncontrolled Memory Allocation

Legend (edge types): Can Precede (Development View); Can Precede (Research View); Child Of (Development View); Child Of (Research View); Peer Of (Research View); Category (Development View); Category (Research View)
Tangling of Information in the CWE
• CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
– The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
– Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are valid for the memory buffer that is being referenced. This can cause read or write operations to be performed on memory locations that may be associated with other variables, data structures, or internal program data. As a result, an attacker may be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash.

[Legend: on the slide the phrases of the description are highlighted by the concept they belong to: Software Fault, Resource/Location, Consequence, Weakness]
Tangling of Information in the CWE
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
– The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
– A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer.
– Buffer overflows often can be used to execute arbitrary code…
– Buffer overflows generally lead to crashes

[Legend: on the slide the phrases of the description are highlighted by the concept they belong to: Software Fault, Resource/Location, Consequence, Weakness]
Buffer Overflow Semantic Template

[Diagram: the buffer overflow semantic template. Each concept carries the CWE ids (#) it was extracted from; concepts are linked by IS-A, PART-OF, CAN-PRECEDE and OCCURS-IN relations]

Software Fault (CAN-PRECEDE a Weakness):
• Improper Input Validation #20
• Incorrect Calculation #682
• Incorrect Buffer Size Calculation #131
• Integer Overflow #190 #680
• Integer Underflow #191
• Wrap-around Error #128
• Off-by-one #193
• Improper Validation of Array Index #129 #789
• Return of Pointer Value Outside of Expected Range #466
• Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') #120
• Improper Handling of Extra Values #231
• Use of Dangerous Functions #242
• API Abuse #227
• Improper Null Termination #170
• Improper Use of Freed Memory #415 #416
• Missing Initialization #456
• Sign Errors #194 #195 #196
• String Management API Abuse #785 #134 #251
• Uncontrolled Memory Allocation #789
• Information Loss or Omission #199 #221
• Pointer Errors #467 #468
• Integer Coercion Error #192
• Improper Handling of Length Parameter Inconsistency #130

Weakness (OCCURS-IN a Resource/Location; CAN-PRECEDE Consequences):
• Failure to Constrain Operations within the Bounds of a Memory Buffer #119
• Improper Access of Indexable Resource #118
• Access and Out-of-bounds Read #125 #126 #127 #786
• Access and Out-of-bounds Write #787 #788 #124
• Write-what-where Condition #123

Resource/Location:
• Memory Buffer #119: Stack-based #121, Heap-based #122, Static #129
• Buffer #119
• Indexable Resource #118
• Index (Pointer #466, Integer #129), PART-OF the indexable resource

Consequences: reached from the Weakness by CAN-PRECEDE; this slide does not name them.
Buffer Overflow Semantic Template: CVE-2010-1773

[Diagram: the same buffer overflow semantic template as on the previous slide (here the Memory Buffer kinds read Stack-based #121, Array #129, Heap-based #122), annotated with the following evidence about CVE-2010-1773; the callout numbers are the slide's]

(1) [CVE Description]: Off-by-one error in the toAlphabetic function in rendering/RenderListMarker.cpp
[Change Log Issue Description]: The math was slightly off here, and we wound up trying to access an array at index -1 in some cases
[Change Log Fix Description]: We need to decrement numberShadow rather than subtracting one from the result of the modulo operation
[Code Change for Fix]: Line 105 decrement (--numberShadow;) and remove the subtraction of one in Line 106 (sequence[numberShadow % sequenceSize];)

(2) [Change Log Issue Description]: ….trying to access an array at index -1 ….
[Code]: Missing validation of array size in Line 106 (sequence[numberShadow % sequenceSize];)

(3) [Change Log Issue Description]: ….trying to access an array at index -1 in some cases

(5) [Change Log Issue Description]: ….trying to access an array at index -1 …..

(4) [Chrome Release Announcement]: ….Memory corruption in rendering….

(7) [CVE Description]: ….cause a denial of service …..or possibly execute arbitrary code

(6) [CVE Description]: ….allows remote attackers to obtain sensitive information…

CVE-2010-1773 IS-A instance of the Buffer Overflow semantic template
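As an added illustration of the fault traced above (a constructed example, not WebKit's RenderListMarker.cpp code): a bijective alphabetic list-marker conversion written in the buggy form, where subtracting one after the modulo yields index -1 for every multiple of the alphabet size, next to the corrected form that decrements numberShadow before the modulo, as the change log describes. The buggy variant is instrumented with a bounds check so the demo reports the bad index instead of performing the out-of-bounds read; kLatinAlphabet and the function names are this example's own.

```cpp
#include <cstdio>
#include <initializer_list>
#include <string>

// Constructed example (not WebKit's code). Converts a 1-based list item
// number to an alphabetic marker: with the Latin alphabet,
// 1 -> "a", 26 -> "z", 27 -> "aa", 52 -> "az", 703 -> "aaa".
static const std::string kLatinAlphabet = "abcdefghijklmnopqrstuvwxyz";

// Buggy form: the "- 1" is applied to the result of the modulo. Whenever
// numberShadow is a multiple of sequenceSize (26, 52, 78, ...) the index
// becomes -1: a read before the start of the buffer (CWE-786 / CWE-125)
// rooted in an off-by-one (CWE-193). The bounds check exists only so this
// demo can report the bad index rather than read out of bounds.
std::string toAlphabeticBuggy(int number, const std::string& sequence, int* badIndex) {
    const int sequenceSize = static_cast<int>(sequence.size());
    std::string letters;
    int numberShadow = number;
    *badIndex = 0;  // 0 means "no out-of-bounds index was produced"
    if (sequenceSize == 0) return letters;
    while (numberShadow > 0) {
        int index = numberShadow % sequenceSize - 1;  // -1 when divisible
        if (index < 0 || index >= sequenceSize) {
            *badIndex = index;
            return letters;
        }
        letters.insert(letters.begin(), sequence[index]);
        numberShadow /= sequenceSize;
    }
    return letters;
}

// Fixed form, following the change-log description: decrement numberShadow
// first, then index with the plain modulo result. The index now always lies
// in [0, sequenceSize) and multiples of sequenceSize map to the last letter.
std::string toAlphabeticFixed(int number, const std::string& sequence) {
    const int sequenceSize = static_cast<int>(sequence.size());
    std::string letters;
    int numberShadow = number;
    if (sequenceSize == 0) return letters;
    while (numberShadow > 0) {
        --numberShadow;  // move to a 0-based digit before the modulo
        letters.insert(letters.begin(), sequence[numberShadow % sequenceSize]);
        numberShadow /= sequenceSize;  // remaining higher-order digits
    }
    return letters;
}

// Index the buggy form would use out of bounds for this input (0 if none).
int buggyBadIndex(int number, const std::string& sequence) {
    int badIndex = 0;
    toAlphabeticBuggy(number, sequence, &badIndex);
    return badIndex;
}

// Smallest item number in [1, limit] that trips the bug, or 0 if none does:
// the kind of check a regression test for the fix would assert on.
int firstOutOfBoundsInput(const std::string& sequence, int limit) {
    for (int n = 1; n <= limit; ++n) {
        if (buggyBadIndex(n, sequence) != 0) return n;
    }
    return 0;
}

int main() {
    for (int n : {1, 25, 26, 27, 52, 703}) {
        int badIndex = 0;
        std::string buggy = toAlphabeticBuggy(n, kLatinAlphabet, &badIndex);
        std::printf("%4d  fixed=%-4s buggy=%-4s%s\n", n,
                    toAlphabeticFixed(n, kLatinAlphabet).c_str(), buggy.c_str(),
                    badIndex != 0 ? "  <- would read sequence[-1]" : "");
    }
    std::printf("first input that trips the bug: %d\n",
                firstOutOfBoundsInput(kLatinAlphabet, 1000));
    return 0;
}
```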
Experiment
• The scenario…
– A newbie programmer or occasional contributor to an open source project
– How much effort does it take to study a vulnerability and summarize lessons learned?
• 30 Computer Science students from a senior-level undergraduate Software Engineering course
– Experience ranging from none to more than 5 years
– No prior knowledge of semantic templates
Experiment
• H1₀: There is no reduction in completion time for subjects who use semantic templates compared to those who do not.
• H2₀: There is no improvement in accuracy of understanding of vulnerabilities for subjects who use semantic templates compared to those who do not.
Variables
• The experiment manipulated these independent variables:
– Group: the group assigned (1 or 2)
– Round: the experiment round (1 or 2)
– Vulnerability ID: the vulnerability under study (1-1, 1-2, 1-3, 2-1, 2-2, 2-3)
• These self-reported subject variables were collected:
– Programming skill level
– Reading comprehension and writing skill levels: ability to read and write technical English documents
Variables
• Dependent variables:
– Time to complete assignment
– CWE identification accuracy
– Fault identification accuracy: a score (scale of 1-5) on the accuracy of the identification of the software fault that led to the vulnerability
– Failure identification accuracy: a score (scale of 1-5) on the accuracy of the description of the nature of the vulnerability (the manifested problem, the resources impacted and the consequences)
Initial Results and Findings
Table 1: p-values of one-tailed t-tests for Time data

| Round   | Vulnerability 1 | Vulnerability 2 | Vulnerability 3 |
|---------|-----------------|-----------------|-----------------|
| Round 1 | (1-1) 0.3627    | (1-2) 0.5855    | (1-3) 0.1516    |
| Round 2 | (2-1) 0.0001    | (2-2) 0.0030    | (2-3) 0.0015    |

p-values of one-tailed t-tests for CWE precision

| Round   | Vulnerability 1 | Vulnerability 2 | Vulnerability 3 |
|---------|-----------------|-----------------|-----------------|
| Round 1 | (1-1) 0.9281    | (1-2) 0.9957    | (1-3) 0.5344    |
| Round 2 | (2-1) 0.1840    | (2-2) 0.6023    | (2-3) 0.0891    |

Table 1: p-values of one-tailed t-tests for CWE recall

| Round   | Vulnerability 1 | Vulnerability 2 | Vulnerability 3 |
|---------|-----------------|-----------------|-----------------|
| Round 1 | (1-1) 0.0683    | (1-2) 0.9481    | (1-3) 0.2286    |
| Round 2 | (2-1) 0.0141    | (2-2) 0.0093    | (2-3) 0.0021    |
Future Work
• Integrate with existing static and dynamic analysis tools to enhance reporting capabilities
– Provide layers of guidance to a developer upon detection of a software flaw
– Organize and retrieve knowledge of past vulnerabilities
– Verify patch submissions
• Investigate project/developer specific coding errors and vulnerability fix patterns
• Other usage scenarios in the SDLC
Acknowledgement
• This research is funded in part by Department of Defense (DoD)/Air Force Office of Scientific Research (AFOSR), NSF Award Number FA9550-07-1-0499, under the title “High Assurance Software”
Thank you for your Attention