Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J....

15
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering Auburn University, Alabama [email protected]

  • date post

    22-Dec-2015

  • Category

    Documents

  • view

    213

  • download

    0

TAGS:

Transcript of Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J....

Page 1: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Methods For The Prevention, Detection And Removal Of Software

Security Vulnerabilities

Jay-Evan J. TevisDepartment of Computer Science and Software Engineering

Auburn University, Alabama

[email protected]

Page 2: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

2

Introduction

• Another software virus, another attack…is another security patch the best answer?

• How did the security vulnerability get there in the first place?– Flaw in a requirement? Part of the design?

– Already existed in source code or object code?

Page 3: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

3

Introduction

• Recommended security defense techniques– Filter all data followed by an accept or reject decision

– Assume all input is bad until proven otherwise

– Perform data validation both at input points and at the component level

– Accept command input from a user only after parsing it

– Make policy decisions based on a "default deny" rule

Page 4: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

4

Introduction

• Strategies to decrease security vulnerabilities– Audit all source code (via static code analysis)

– Perform formal software verification

– Authenticate all software

– Give security concerns a higher priority

– Apply experience-based validation to test against known attacks

– Use tiger teams to maliciously exploit the software

Page 5: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

5

Introduction

• This paper's focus: static analysis of source code– Strong point of analysis concentrates on functions

and data constructs that pose a security risk– Weak point of analysis uses a reactive approach to

problem detection

• Need a better answer to ensuring secure software…possibly a paradigm shift away from imperative programming and towards purely functional approaches

Page 6: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

6

Overview

• Specific security vulnerabilities to avoid in source code

• Inventory of static code security checkers• Critique of static code security checkers• Software security assurance from a functional

programming perspective• Related areas • Future work

Page 7: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

7

Specific Security Vulnerabilities To Avoid In Source Code

• Public enemy #1 Buffer overflow• Distance cousin Heap overflow• Array indexing…out of bounds access and assignment• Format string manipulation• System software…root privileges, system() call• Changes to system environment variables• Host name attacks…spoofing a DNS response• Signals…interrupting software in a privileged state• Core dumps…values of constants, variables, and registers

Page 8: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

8

Inventory of Static Code Security Checkers

• Static code security checkers– Identify potential security problems

– Find known or previously identified conditions

• Goal: focus the security analysis of the code• Subgoals: suggest remedies and provide

assessment• List of static code security checkers

Page 9: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

9

Page 10: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

10

Critique Of Static Code Security Checkers

• Focus mainly on Unix applications or standard C library function calls

• Require a high level of expert knowledge to evaluate the findings…manual analysis still catches overlooked problems

• Application library code is not automatically scanned• Analysis is time consuming…checker only cuts ¼ to 1/3 of

that effort• Nevertheless…every little bit helps, focuses attention,

finds real bugs

Page 11: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

11

Software Security Assurance From a Functional Programming Perspective

• Imperative programming assignment, control loops, environment state, array indexing, memory addresses

• Functional programming referential transparency, recursion, pattern matching, mathematical foundation, formal specification, proof of correctness

Page 12: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

12

Related Areas

• Runtime checkers– Located between application and operating system– Intercept and screen system calls– Examples: Libsafe, PurifyPlus, Immunix

• Use profiling of software– Observation period to identify normal behavior followed by

monitoring to watch for abnormal actions

• Testing for buffer overflow vulnerability– Examples: NTOMax, SendIP

Page 13: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

13

Future Work

• Consolidate and correlate measures used by static code checkers written in imperative languages

• Build prototype static code checkers in both logical and functional languages (i.e., Prolog and Haskell)

• Identify imperative-to-functional conversions of most common security-vulnerable imperative code

• Incorporate conversion recommendations into static code checkers

Page 14: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

14

Conclusion

• Threat from malicious users is real and the target is soft

• Methods exist to reduce security vulnerabilities

• Imperative approach may be the root cause to vulnerabilities

• Time for functional programming to prove its worth

• Move from the von Neumann paradigm into a mathematically sound paradigm…a functional paradigm

• May hold the key to building software that is provably secure

Page 15: Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

15

Questions?

[email protected]


Haskell and Cryptography Jay-Evan J. Tevis, Ph.D. Department of Computer Science Western Illinois University .

Haskell and Cryptography Jay-Evan J. Tevis, Ph.D. Department of Computer Science Western Illinois University .

FERNANDA + EVAN

FERNANDA + EVAN

SOFTWARE REVISION CONTROL WITH SUBVERSION Evan Dickinson & Andy Huang – 9 March 2011.

SOFTWARE REVISION CONTROL WITH SUBVERSION Evan Dickinson & Andy Huang – 9 March 2011.

THE HUSTLER Walter Tevis

THE HUSTLER Walter Tevis

Kathy, Evan, & Michael

Kathy, Evan, & Michael

Dear evan Hansen singalong - Brooklyn Conservatory of Music · 2017. 9. 15. · dear evan hansen: sincerely, me evan: dear connor murphy: thanks for ev’ry note you send evan: dear

Dear evan Hansen singalong - Brooklyn Conservatory of Music · 2017. 9. 15. · dear evan hansen: sincerely, me evan: dear connor murphy: thanks for ev’ry note you send evan: dear

Sunz2013 evan stubbs

Sunz2013 evan stubbs

Fusion Reactor Steel Sonny Martin Tevis Jacobs Yucheng ZhangJiawen Chen.

Fusion Reactor Steel Sonny Martin Tevis Jacobs Yucheng ZhangJiawen Chen.

Evan mokrismillionaire

Evan mokrismillionaire

© 2015 IBM Corporation IBM Software Defined Storage Solutions IBM Spectrum Protect in the Cloud Greg Tevis – IBM Storage Software Worldwide Solutions Architect.

© 2015 IBM Corporation IBM Software Defined Storage Solutions IBM Spectrum Protect in the Cloud Greg Tevis – IBM Storage Software Worldwide Solutions Architect.

Happy Birthday Evan October 201 Evan Anthony Brayden Annia ... · Happy Birthday Evan October 201 Evan Anthony Brayden Annia Tabaj Sat Happy Birthday Brayden Mon Ava No School Act

Happy Birthday Evan October 201 Evan Anthony Brayden Annia ... · Happy Birthday Evan October 201 Evan Anthony Brayden Annia Tabaj Sat Happy Birthday Brayden Mon Ava No School Act

A Security-centric Ring-based Software Architecture 1 Jay-Evan J. Tevis John A. Hamilton, Jr. Western Illinois University Auburn University Macomb, IL.

A Security-centric Ring-based Software Architecture 1 Jay-Evan J. Tevis John A. Hamilton, Jr. Western Illinois University Auburn University Macomb, IL.

Evan williams

Evan williams

Domjan Evan Lectures

Domjan Evan Lectures

Prescription Mode DDI Supporting Use Cases Joe W. Tevis.

Prescription Mode DDI Supporting Use Cases Joe W. Tevis.

Walsh Evan ingnite_presentation_keynote

Walsh Evan ingnite_presentation_keynote

Evan Daniels

Evan Daniels

Evan Smith

Evan Smith

Walter Tevis: Recollections of 'The Hustler'

Walter Tevis: Recollections of 'The Hustler'

Creating Wings in SolidWorks - University of Pennsylvaniamedesign.seas.upenn.edu/uploads/Software/SW_wing_tutorial.pdf · Creating Wings in SolidWorks Evan Dvorak University of Pennsylvania

Creating Wings in SolidWorks - University of Pennsylvaniamedesign.seas.upenn.edu/uploads/Software/SW_wing_tutorial.pdf · Creating Wings in SolidWorks Evan Dvorak University of Pennsylvania