Module: Future of Secure Programming
|
|
- Abigail Arnold
- 6 years ago
- Views:
Transcription
1 Module: Future of Secure Programming Professor Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1
2 Programmer s Little Survey Problem What does program for security mean? Implement a program Have you ever programmed for security? Without creating vulnerabilities When do you start to consider security when you What is a vulnerability? program? What do you try to do to make your code secure? When do you know you are done making your code secure? Should a programmer fix every flaw in their programs? Systems and and Internet Infrastructure Security Security (SIIS) (SIIS) Laboratory Laboratory 22
3 Programmer s Problem Implement a program Without creating vulnerabilities What is a vulnerability? Systems and Internet Infrastructure Security (SIIS) Laboratory 3
4 Systems and Internet Infrastructure Security Laboratory (SIIS) 4 Software Vulnerabilities Vulnerability combines A flaw Accessible to an adversary Who can exploit that flaw Which would you focus on to prevent vulnerabilities?
5 Systems and Internet Infrastructure Security Laboratory (SIIS) 5 Buffer Overflow Static Analysis For C code where char dest[len]; int n;... n = input();... strncpy(dest, src, n); Can this code cause a buffer overflow?
6 Systems and Internet Infrastructure Security Laboratory (SIIS) 6 Runtime Analysis One approach is to run the program to determine how it behaves Analysis Inputs Input Values - command line arguments Environment - state of file system, environment variables, etc. Question Can any input value in any environment cause a flaw (e.g., buffer overflow)? What are limitations of runtime analysis?
7 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 8 7 Runtime Static Analysis Analysis One approach is to run the program to determine how it behaves Explore all possible executions of a program! Analysis Inputs All possible inputs! Input Values - command line arguments All possible states! Environment - state of file system, environment variables, etc. Question Can any input value in any environment cause a flaw (e.g., buffer overflow)? What are limitations of runtime analysis?
8 Runtime Static Analysis One approach is to run the program to determine how it behaves Provides an approximation of behavior! Analysis Inputs Run in the aggregate! Input Values - command line arguments Rather than executing on ordinary states! Environment - state of file system, environment variables, etc. Finite-sized descriptors representing a collection of states! Question Run in non-standard way! Can any input value in any environment cause a flaw (e.g., buffer overflow)? Run in fragments! What are limitations of runtime analysis? Stitch them together to cover all paths! Runtime testing is inherently incomplete, but static analysis can cover all paths! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 10 8
9 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 11 9 Runtime Static Analysis Example One approach is to run the program to determine how it behaves Descriptors represent the sign of a value! Analysis Inputs Positive, negative, zero, unknown! Input Values - command line arguments For an expression, c = a * b! Environment - state of file system, environment variables, etc. If a has a descriptor pos! Question And b has a descriptor neg! Can any input value in any environment cause a flaw (e.g., buffer overflow)? What is the descriptor for c after that instruction?! What are limitations of runtime analysis? How might this help?!
10 Runtime Descriptors Analysis One approach is to run the program to determine how it behaves Choose a set of descriptors that! Analysis Inputs Abstracts away details to make analysis tractable! Input Values - command line arguments Preserves enough information that key properties hold! Environment - state of file system, environment variables, etc. Can determine interesting results! Question Using sign as a descriptor! Can any input value in any environment cause a flaw (e.g., buffer overflow)? Abstracts away specific integer values (billions to four)! Guarantees when a*b = 0 it will be zero in all executions! What are limitations of runtime analysis? Choosing descriptors is one key step in static analysis! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 12 10
11 Systems and Internet Infrastructure Security Laboratory (SIIS) 11 Buffer Overflow Static Analysis For C code where char dest[len]; int n; n = input(); strncpy(dest, src, n); Static analysis will try all paths of the program that impact variable n and flow to strncpy May be complex in general because Paths: Exponential number of program paths Interprocedural: n may be assigned in another function Aliasing: n s memory may be accessed from many places What descriptor values do you care about for n?
12 Systems and Internet Infrastructure Security Laboratory (SIIS) 12 Limitations of Static Analysis Scalability Can be expensive to reason about all executions of complex programs False positives Overapproximation means that executions that are not really possible will be modeled Accuracy Alias analysis and other imprecision may lead to false negatives Sound methods (no false negatives) can exacerbate scalability and false positives problems Bottom line: Static analysis often must be directed
13 Preventing These Vulnerabilities What can the programmer do to secure their program in such cases? Systems and Internet Infrastructure Security Laboratory (SIIS) 13
14 Information Denning s Lattice Flow Model Control Formalizes information flow models! FM = {N, P, SC, /, >} Shows that the information flow model instances form a lattice! N are objects, P are processes,! {SC, >} is a partial ordered set,! SC, the set of security classes is finite,! SC has a lower bound,! and / is a lub operator! Implicit and explicit information flows! Semantics for verifying that a configuration is secure! Static and dynamic binding considered! Biba and BLP are among the simplest models of this type Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 14
15 Information Denning s Lattice Flow Model Control Formalizes information flow models! What is it? FM = {N, P, SC, /, >} Shows that the information flow model instances form a lattice! N are objects, P are processes,! {SC, >} is a partial ordered set,! SC, the set of security classes is finite,! SC has a lower bound,! and / is a lub operator! Implicit and explicit information flows! Semantics for verifying that a configuration is secure! Static and dynamic binding considered! Biba and BLP are among the simplest models of this type Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 14
16 Information Denning s Lattice Flow Model Control Formalizes information flow models! What is it? FM = {N, P, SC, /, >} Simple security & -property Shows that the information flow model instances form a lattice! N are objects, P are processes,! {SC, >} is a partial ordered set,! SC, the set of security classes is finite,! SC has a lower bound,! and / is a lub operator! Implicit and explicit information flows! Semantics for verifying that a configuration is secure! Static and dynamic binding considered! Biba and BLP are among the simplest models of this type Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 14
17 Information Denning s Lattice Flow Model Control Formalizes information flow models! What is it? FM = {N, P, SC, /, >} Simple security & -property Shows that the information flow model instances form a lattice! N are objects, P are processes,! {SC, >} is a partial ordered set,! SC, the set of security classes is finite,! SC has a lower bound,! and / is a lub operator! Implicit and explicit information flows! Semantics for verifying that a configuration is secure! Static and dynamic binding considered! Biba and BLP are among the simplest models of this type Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 14
18 Implicit and explicit flows Information Flow Control Explicit! Direct transfer to b from a (e.g., b = a)! Implicit! Where value of b may depend on value of a indirectly (e.g., if a = 0, then b = c)! Model covers all programs! Statement S! Sequence S1, S2! Conditional c: S1,, Sm! Implicit flows only occur in conditionals! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 15
19 Implicit and explicit flows Information Flow Control Explicit! What is it? Direct transfer to b from a (e.g., b = a)! Implicit! Where value of b may depend on value of a indirectly (e.g., if a = 0, then b = c)! Model covers all programs! Statement S! Sequence S1, S2! Conditional c: S1,, Sm! Implicit flows only occur in conditionals! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 15
20 Implicit and explicit flows Information Flow Control Explicit! What is it? Direct transfer to b from a (e.g., b = a)! Simple security & -property Implicit! Where value of b may depend on value of a indirectly (e.g., if a = 0, then b = c)! Model covers all programs! Statement S! Sequence S1, S2! Conditional c: S1,, Sm! Implicit flows only occur in conditionals! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 15
21 Implicit and explicit flows Information Flow Control Explicit! What is it? Direct transfer to b from a (e.g., b = a)! Simple security & -property Implicit! Where value of b may depend on value of a indirectly (e.g., if a = 0, then b = c)! Model covers all programs! Statement S! Sequence S1, S2! Conditional c: S1,, Sm! Implicit flows only occur in conditionals! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 15
22 Information Semantics Flow Control Program is secure if:! Explicit flow from S is secure! Explicit flow of all statements in a sequence are secure (e.g., S1; S2)! Conditional c: S1,, Sm is secure if:! The explicit flows of all statements S1,, Sm are secure! The implicit flows between c and the objects in Si are secure! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 16
23 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 16 Information Semantics Flow Control What is it? Program is secure if:! Explicit flow from S is secure! Explicit flow of all statements in a sequence are secure (e.g., S1; S2)! Conditional c: S1,, Sm is secure if:! The explicit flows of all statements S1,, Sm are secure! The implicit flows between c and the objects in Si are secure!
24 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 16 Information Semantics Flow Control What is it? Program is secure if:! Simple Explicit security flow from & -property S is secure! Explicit flow of all statements in a sequence are secure (e.g., S1; S2)! Conditional c: S1,, Sm is secure if:! The explicit flows of all statements S1,, Sm are secure! The implicit flows between c and the objects in Si are secure!
25 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 16 Information Semantics Flow Control What is it? Program is secure if:! Simple Explicit security flow from & -property S is secure! Explicit flow of all statements in a sequence are secure (e.g., S1; S2)! Conditional c: S1,, Sm is secure if:! The explicit flows of all statements S1,, Sm are secure! The implicit flows between c and the objects in Si are secure!
26 Systems and Internet Infrastructure Security Laboratory (SIIS) 17 Build on Type Safety
27 Systems and Internet Infrastructure Security Laboratory (SIIS) 17 Build on Type Safety Example 1 Object obj; int i; obj = obj + i;
28 Systems and Internet Infrastructure Security Laboratory (SIIS) 17 Build on Type Safety Example 1 Object obj; int i; obj = obj + i; X
29 Build on Type Safety A type-safe language maintains the semantics of types. E.g., can t add int s to Object s. Example 1 Object obj; int i; obj = obj + i; X Systems and Internet Infrastructure Security Laboratory (SIIS) 17
30 Build on Type Safety A type-safe language maintains the semantics of types. E.g., can t add int s to Object s. Example 1 Object obj; int i; obj = obj + i; X Type-safety is compositional. A function promises to maintain type safety. Systems and Internet Infrastructure Security Laboratory (SIIS) 17
31 Systems and Internet Infrastructure Security Laboratory (SIIS) 17 Build on Type Safety A type-safe language maintains the semantics of types. E.g., can t add int s to Object s. Type-safety is compositional. A function promises to maintain type safety. Example 1 Object obj; int i; obj = obj + i; X Example 2 String proc_obj(object o);... main() { Object obj; String s = proc_obj(obj);... }
32 Systems and Internet Infrastructure Security Laboratory (SIIS) 18 Labeling Types
33 Systems and Internet Infrastructure Security Laboratory (SIIS) 18 Labeling Types Example 1 int{high} h1,h2; int{low} l; l = 5; h2 = l; h1 = h2 + 10; l = h2 + l;
34 Systems and Internet Infrastructure Security Laboratory (SIIS) 18 Labeling Types Example 1 int{high} h1,h2; int{low} l; l = 5; h2 = l; h1 = h2 + 10; l = h2 + l; X
35 Labeling Types Example 1 int{high} h1,h2; int{low} l; l = 5; h2 = l; h1 = h2 + 10; l = h2 + l; X Key insight: label types with security levels Systems and Internet Infrastructure Security Laboratory (SIIS) 18
36 Labeling Types Example 1 int{high} h1,h2; int{low} l; l = 5; h2 = l; h1 = h2 + 10; l = h2 + l; X Key insight: label types with security levels Security-typing is compositional Systems and Internet Infrastructure Security Laboratory (SIIS) 18
37 Systems and Internet Infrastructure Security Laboratory (SIIS) 18 Labeling Types Example 1 int{high} h1,h2; int{low} l; l = 5; h2 = l; h1 = h2 + 10; l = h2 + l; X Key insight: label types with security levels Security-typing is compositional Example 2 String{low} proc_obj(object{high} o);... main() { Object{high} obj; String{low} s; s = proc_obj(obj);... }
38 Systems and Internet Infrastructure Security Laboratory (SIIS) 19 Implicit Flows Static (virtual) tagging int Low mydata = 0; int Low mydata2 = 0; if (test High ) mydata = 1; mydata contains information about test so it can no longer be Low,but mydata2 is outside the conditional, so it is untainted by test else mydata = 2; mydata2 = 0; print Low (mydata2); print Low (mydata); Causes type error at compile-time
39 Systems and Internet Infrastructure Security Laboratory (SIIS) 19 Implicit Flows Static (virtual) tagging int Low mydata = 0; int Low mydata2 = 0; if (test High ) mydata = 1; mydata contains information about test so it can no longer be Low,but mydata2 is outside the conditional, so it is untainted by test else mydata = 2; mydata2 = 0; print Low (mydata2); print Low (mydata); Causes type error at compile-time
40 Systems and Internet Infrastructure Security Laboratory (SIIS) 20 Preventing These Vulnerabilities What can the programmer do to secure their program? Decentralized Information Flow Control Programmer gives hints to operating system about information flows expected Operating system enforces those expectations To prevent link traversal attacks, programmers could just state that they require objects with an expected label And use that object safely with security types in program
41 Systems and Internet Infrastructure Security Laboratory (SIIS) 20 Preventing These Vulnerabilities What can the programmer do to secure their program? Decentralized Information Flow Control Programmer gives hints to operating system about information flows expected Operating system enforces those expectations To prevent link traversal attacks, programmers could just state that they require objects with an expected label Example 1 int{high} h1, h2; int{low} l; l = 5; h2 = open({high}); h1 = read_int(h2); And use that object safely with security types in program
42 Systems and Internet Infrastructure Security Laboratory (SIIS) 21 Retrofitting for Security Take the code written in a language of the programmers choice (for functionality) and retrofit with security code (mostly-automated) Consider authorization bypass vulnerabilities In these vulnerabilities, programmers forget to add code to control access to program resources!! What!is!authoriza,on?!! Resource user! Operation request! Response! Resource manager! Authorization Hooks! Reference monitor! Allowed?! YES/NO! Authorization policy! Alice, /etc/passwd, File_Read!
43 Systems and and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 22 X Server & Many X Clients Retrofitting for Security Take the code written in a language of the programmers choice (for functionality) and retrofit with security code (mostly-automated) Consider authorization bypass vulnerabilities In these vulnerabilities, programmers forget to add code to control access to program resources REMOTE LOCAL
44 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 23 Retrofitting for Security Malicious Remote X Client Take the code written in a language of the programmers choice (for functionality) and retrofit with security code (mostly-automated) Consider authorization bypass vulnerabilities In these vulnerabilities, programmers forget to add code to control access to program resources REMOTE LOCAL
45 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 24 Illegal Information Flow Retrofitting for Security Take the code written in a language of the programmers choice (for functionality) and retrofit with security code (mostly-automated) Consider authorization bypass vulnerabilities In these vulnerabilities, programmers forget to add code to control access to program resources REMOTE LOCAL
46 Retrofitting for Security Desirable Information Flow Take the code written in a language of the programmers choice (for functionality) and retrofit with security code (mostly-automated) Consider authorization bypass vulnerabilities In these vulnerabilities, programmers forget to add code to control access to program resources LOCAL REMOTE Systems and and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 25
47 Systems and Internet Infrastructure Security Laboratory (SIIS) 26 What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized?
48 Inferring Sensitive Operations What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized? Program Program Challenges Challenges Program User A User B Request Interface i A B o1 A. Identify securitysensitive resources F H C D E I J K L o2 o3 o4... on Programs manipulate many variables 7800 in X Server Of over 400 structures Many, many structuremember accesses Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 27
49 What Should a Programmer Do? Solution How would you ensure that all accesses to window objects in the X Server Requests are authorized? make choices In servers, client-request determines choices that client subjects can make in the program Choice : Resources: Determine which elements are chosen from containers. Operations: Determine which program path is selected for execution. Systems and and Internet Infrastructure Security (SIIS) Laboratory (SIIS) 28
50 Systems and and Internet Internet Infrastructure Security Security (SIIS) Laboratory Laboratory (SIIS) 29 Idea: Request Choices What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized? Program A Lookup Function using tainted variable User A Request Interface i B Container O User B o1 C v = Lookup(O,i) o2 o3 D o4 E F I K H J L
51 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 30 Idea: Request Choices What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized? Program A User A Request Interface i B Container O User B o1 C v = Lookup(O,i) o2 Op 1.0 D o3 o4 E F I K H J L
52 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 31 Idea: Request Choices What Should a Programmer Do? How would you ensure that all accesses to window objects in the Program X Server are authorized? A User A Request Interface i B Container O User B o1 C v = Lookup(O,i) o2 Op 1.0 D o3 o4 E Control Statement Predicated on a tainted variable F I K read v write v H J L
53 Systems and and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 32 Idea: Request Choices What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized? Program A User A Request Interface i B Container O User B o1 C v = Lookup(O,i) o2 Op 1.0 D o3 o4 Choice of operations E F I K read v write v H J L Op1.1 Op1.2 Op1.3
54 Systems and and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 33 Idea: Request Choices What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized? Program A User A Request Interface i B Container O User B o1 C v = Lookup(O,i) o2 Op 1.0 D o3 o4 E Security sensitive operation F I K read v write v H J L Op1.1 Op1.2 Op1.3
55 Systems and Internet Infrastructure Security Laboratory (SIIS) 34 Take Away Programming for security is difficult Programmers create flaws that are often accessible and exploitable by adversaries (vulnerabilities) Program analysis can find some flaws Static and dynamic, but limitations for each May need to fix program - security types and choice The future of secure programming may look very different Now: use favorite language for achieving function and try to add security code without creating flaws Future: use favorite language for achieving function and retrofit based on a security program
Module: Future of Secure Programming
Module: Future of Secure Programming Professor Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1 Programmer s Little Survey Problem What does program for
More informationStatic Analysis. Systems and Internet Infrastructure Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Trent
More informationCSE Computer Security
CSE 543 - Computer Security Lecture 17 - Language-based security October 25, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1 Engineering Disaster? Millions of Bots Compromised applications Programming
More informationCSE Computer Security (Fall 2006)
CSE 543 - Computer Security (Fall 2006) Lecture 22 - Language-based security November 16, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ 1 The Morris Worm Robert Morris, a 23 doctoral student from
More informationCMPSC 497: Static Analysis
CMPSC 497: Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Our Goal In this course,
More informationCMPSC 497: Static Analysis
CMPSC 497: Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Our Goal In this course,
More informationModule: Programming Language Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Programming Language Security Professor Patrick McDaniel Spring 2009 1 Engineering Disaster? Millions of Bots Compromised applications Programming
More informationProducing Minimal Hook Placements to Enforce Authorization Policies
Producing Minimal Hook Placements to Enforce Authorization Policies Divya Muthukumaran, Nirupama Talele, and Trent Jaeger Prnn State University With Vinod Ganapathy (Rutgers) and Gang Tan (Lehigh) Security
More informationStatic Vulnerability Analysis
Static Vulnerability Analysis Static Vulnerability Detection helps in finding vulnerabilities in code that can be extracted by malicious input. There are different static analysis tools for different kinds
More informationModule: Safe Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Safe Programming Professor Trent Jaeger 1 1 Avoiding Vulnerabilities How do we write programs to avoid mistakes that lead to vulnerabilities?
More informationOperational Semantics of Cool
Operational Semantics of Cool Key Concepts semantics: the meaning of a program, what does program do? how the code is executed? operational semantics: high level code generation steps of calculating values
More informationAdvanced Systems Security: Principles
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationAdvanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationSecuring Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation
Securing Software Applications Using Dynamic Dataflow Analysis Steve Cook OWASP June 16, 2010 0 Southwest Research Institute scook@swri.org (210) 522-6322 Copyright The OWASP Foundation Permission is granted
More informationTopics in Systems and Program Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Topics in Systems and
More informationAdvanced Systems Security: Symbolic Execution
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationA Gentle Introduction to Program Analysis
A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally
More informationAdvanced Systems Security: Ordinary Operating Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationStatic Analysis Basics II
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Basics
More informationToday Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding
More informationLecture 3 Notes Arrays
Lecture 3 Notes Arrays 15-122: Principles of Imperative Computation (Summer 1 2015) Frank Pfenning, André Platzer 1 Introduction So far we have seen how to process primitive data like integers in imperative
More informationAdvanced Systems Security: Control-Flow Integrity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationFinding Vulnerabilities in Web Applications
Finding Vulnerabilities in Web Applications Christopher Kruegel, Technical University Vienna Evolving Networks, Evolving Threats The past few years have witnessed a significant increase in the number of
More informationA program execution is memory safe so long as memory access errors never occur:
A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationAdvanced Systems Security: Integrity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationAdvanced Systems Security: New Threats
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationCSCI-GA Scripting Languages
CSCI-GA.3033.003 Scripting Languages 12/02/2013 OCaml 1 Acknowledgement The material on these slides is based on notes provided by Dexter Kozen. 2 About OCaml A functional programming language All computation
More informationInformation Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo
Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE The University of Tokyo furuse@yl.is.s.u-tokyo.ac.jp e-society MEXT project toward secure and reliable software
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationLecture Notes on Arrays
Lecture Notes on Arrays 15-122: Principles of Imperative Computation July 2, 2013 1 Introduction So far we have seen how to process primitive data like integers in imperative programs. That is useful,
More informationProgramming Languages and Compilers Qualifying Examination. Answer 4 of 6 questions.
Programming Languages and Compilers Qualifying Examination Fall 2017 Answer 4 of 6 questions. GENERAL INSTRUCTIONS 1. Answer each question in a separate book. 2. Indicate on the cover of each book the
More informationCSE 544 Advanced Systems Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CSE 544 Advanced Systems
More informationCMPSC 497 Other Memory Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Other Memory
More informationAdvanced Systems Security: Ordinary Operating Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationLecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Lecture 13. Notation. The rules. Evaluation Rules So Far
Lecture Outline Operational Semantics of Cool Lecture 13 COOL operational semantics Motivation Notation The rules Prof. Aiken CS 143 Lecture 13 1 Prof. Aiken CS 143 Lecture 13 2 Motivation We must specify
More informationTowards Automatic Generation of Vulnerability- Based Signatures
Towards Automatic Generation of Vulnerability- Based Signatures David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha (presented by Boniface Hicks) Systems and Internet Infrastructure Security
More informationCryptographically Sound Implementations for Typed Information-Flow Security
FormaCrypt, Nov 30. 2007 Cryptographically Sound Implementations for Typed Information-Flow Security Cédric Fournet Tamara Rezk Microsoft Research INRIA Joint Centre http://msr-inria.inria.fr/projects/sec/cflow
More informationLecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Notation. The rules. Evaluation Rules So Far.
Lecture Outline Operational Semantics of Cool COOL operational semantics Motivation Adapted from Lectures by Profs. Alex Aiken and George Necula (UCB) Notation The rules CS781(Prasad) L24CG 1 CS781(Prasad)
More informationOperational Semantics. One-Slide Summary. Lecture Outline
Operational Semantics #1 One-Slide Summary Operational semantics are a precise way of specifying how to evaluate a program. A formal semantics tells you what each expression means. Meaning depends on context:
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationSecure Programming Lecture 15: Information Leakage
Secure Programming Lecture 15: Information Leakage David Aspinall 21st March 2017 Outline Overview Language Based Security Taint tracking Information flow security by type-checking Summary Recap We have
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationLecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems
Lecture 10 Pointless Tainting? Evaluating the Practicality of Pointer Tainting Asia Slowinska, Herbert Bos Advanced Operating Systems December 15, 2010 SOA/OS Lecture 10, Pointer Tainting 1/40 Introduction
More informationSECURE PROGRAMMING A.A. 2018/2019
SECURE PROGRAMMING A.A. 2018/2019 INTEGER SECURITY SECURITY FLAWS The integers are formed by the natural numbers including 0 (0, 1, 2, 3,...) together with the negatives of the nonzero natural numbers
More informationCSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks Professor Lisa Luo Spring 2018 Previous Class Buffer overflows can be devastating It occurs when the access
More informationOutline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction
Outline CSci 5271 Introduction to Computer Security Day 3: Low-level vulnerabilities Stephen McCamant University of Minnesota, Computer Science & Engineering Race conditions Classic races: files in /tmp
More informationCOMPUTER SCIENCE TRIPOS
CST1.2018.4.1 COMPUTER SCIENCE TRIPOS Part IB Monday 4 June 2018 1.30 to 4.30 COMPUTER SCIENCE Paper 4 Answer five questions: up to four questions from Section A, and at least one question from Section
More informationRetrofitting Legacy Code for Authorization Policy Enforcement
Retrofitting Legacy Code for Authorization Policy Enforcement Vinod Ganapathy, Trent Jaeger, and Somesh Jha Presented by Kevin Butler CSE 544-13 February 2007 Systems and Internet Infrastructure Security
More informationBouncer: Securing Software by Blocking Bad Input
Bouncer: Securing Software by Blocking Bad Input Sathish Kuppuswamy & Yufei Fu Department of computer Science University of Texas at Dallas March 21 st, 2012 Outline Bouncer Existing Techniques Bouncer
More informationStatic Analysis and Dataflow Analysis
Static Analysis and Dataflow Analysis Static Analysis Static analyses consider all possible behaviors of a program without running it. 2 Static Analysis Static analyses consider all possible behaviors
More informationHomework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08
Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer
More informationSemantic Analysis. How to Ensure Type-Safety. What Are Types? Static vs. Dynamic Typing. Type Checking. Last time: CS412/CS413
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 13: Types and Type-Checking 19 Feb 07 Semantic Analysis Last time: Semantic errors related to scopes Symbol tables Name resolution This lecture:
More informationAdvanced System Security: Vulnerabilities
Advanced System Security: Vulnerabilities Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University CSE544 -Advanced
More informationTyped Lambda Calculus. Chapter 9 Benjamin Pierce Types and Programming Languages
Typed Lambda Calculus Chapter 9 Benjamin Pierce Types and Programming Languages t ::= x x. t t t Call-by-value small step perational Semantics terms variable v ::= values abstraction x. t abstraction values
More informationProgram Security and Vulnerabilities Class 2
Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1 Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity
More informationCS558 Programming Languages
CS558 Programming Languages Winter 2017 Lecture 7b Andrew Tolmach Portland State University 1994-2017 Values and Types We divide the universe of values according to types A type is a set of values and
More informationMoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation. Shankara Pailoor, Andrew Aday, Suman Jana Columbia University
MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation Shankara Pailoor, Andrew Aday, Suman Jana Columbia University 1 OS Fuzzing Popular technique to find OS vulnerabilities Primarily
More informationCS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012
CS-XXX: Graduate Programming Languages Lecture 9 Simply Typed Lambda Calculus Dan Grossman 2012 Types Major new topic worthy of several lectures: Type systems Continue to use (CBV) Lambda Caluclus as our
More informationType Checking. Outline. General properties of type systems. Types in programming languages. Notation for type rules.
Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Refers to the compile-time
More informationAdvanced Systems Security: Cloud Computing Security
Advanced Systems Security: Cloud Computing Security Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1 Cloudy Foundations Can customers move their services
More informationIntroduction. Background. Document: WG 14/N1619. Text for comment WFW-1 of N1618
Document: WG 14/N1619 Text for comment WFW-1 of N1618 Introduction Background An essential element of secure coding in the C programming language is a set of well-documented and enforceable coding rules.
More informationCCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs
CCured Type-Safe Retrofitting of C Programs [Necula, McPeak,, Weimer, Condit, Harren] #1 One-Slide Summary CCured enforces memory safety and type safety in legacy C programs. CCured analyzes how you use
More informationRubicon: Scalable Bounded Verification of Web Applications
Joseph P. Near Research Statement My research focuses on developing domain-specific static analyses to improve software security and reliability. In contrast to existing approaches, my techniques leverage
More informationOutline. General properties of type systems. Types in programming languages. Notation for type rules. Common type rules. Logical rules of inference
Type Checking Outline General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Refers to the compile-time
More informationGenerating String Attack Inputs Using Constrained Symbolic Execution. presented by Kinga Dobolyi
Generating String Attack Inputs Using Constrained Symbolic Execution presented by Kinga Dobolyi What is a String Attack? Web applications are 3 tiered Vulnerabilities in the application layer Buffer overruns,
More informationCS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 17: Types and Type-Checking 25 Feb 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 17: Types and Type-Checking 25 Feb 08 CS 412/413 Spring 2008 Introduction to Compilers 1 What Are Types? Types describe the values possibly
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationAdvanced Systems Security: Integrity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More information5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control.
Feb 23, 2009 CSE, 409/509 Mitigation of Bugs, Life of an exploit 1) Bug inserted into code 2) Bug passes testing 3) Attacker triggers bug 4) The Attacker gains control of the program 5) Attacker causes
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 21 Tuesday, April 15, 2014 1 Static program analyses For the last few weeks, we have been considering type systems.
More informationCSI33 Data Structures
Outline Department of Mathematics and Computer Science Bronx Community College October 24, 2018 Outline Outline 1 Chapter 8: A C++ Introduction For Python Programmers Expressions and Operator Precedence
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationCMPSC 497 Attack Surface
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Attack Surface
More informationAutomatic Placement of Authorization Hooks in the Linux Security Modules Framework
Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod Ganapathy vg@cs.wisc.edu University of Wisconsin, Madison Joint work with Trent Jaeger tjaeger@cse.psu.edu Pennsylvania
More informationPractical Verification of System Integrity in Cloud Computing Environments
Practical Verification of System Integrity in Cloud Computing Environments Trent Jaeger Penn State NSRC Industry Day April 27 th, 2012 1 Overview Cloud computing even replaces physical infrastructure Is
More informationG Programming Languages - Fall 2012
G22.2110-003 Programming Languages - Fall 2012 Lecture 4 Thomas Wies New York University Review Last week Control Structures Selection Loops Adding Invariants Outline Subprograms Calling Sequences Parameter
More informationAdvanced Systems Security: Multics
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More information4.2 Variations on a Scheme -- Lazy Evaluation
[Go to first, previous, next page; contents; index] 4.2 Variations on a Scheme -- Lazy Evaluation Now that we have an evaluator expressed as a Lisp program, we can experiment with alternative choices in
More informationCOMPUTER SCIENCE TRIPOS
CST.2011.3.1 COMPUTER SCIENCE TRIPOS Part IB Monday 6 June 2011 1.30 to 4.30 COMPUTER SCIENCE Paper 3 Answer five questions. Submit the answers in five separate bundles, each with its own cover sheet.
More informationType Checking in COOL (II) Lecture 10
Type Checking in COOL (II) Lecture 10 1 Lecture Outline Type systems and their expressiveness Type checking with SELF_TYPE in COOL Error recovery in semantic analysis 2 Expressiveness of Static Type Systems
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationSECOMP Efficient Formally Secure Compilers to a Tagged Architecture. Cătălin Hrițcu INRIA Paris
SECOMP Efficient Formally Secure Compilers to a Tagged Architecture Cătălin Hrițcu INRIA Paris 1 SECOMP Efficient Formally Secure Compilers to a Tagged Architecture Cătălin Hrițcu INRIA Paris 5 year vision
More informationAdvanced Systems Security: Integrity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationTracking Pointers with Path and Context Sensitivity for Bug Detection in C Programs. {livshits,
Tracking Pointers with Path and Context Sensitivity for Bug Detection in C Programs {livshits, lam}@cs.stanford.edu 2 Background Software systems are getting bigger Harder to develop Harder to modify Harder
More informationDetecting and exploiting integer overflows
Detecting and exploiting integer overflows Guillaume TOURON Laboratoire Verimag, Ensimag - Grenoble INP Marie-Laure Potet, Laurent Mounier 20/05/11 1 / 18 Context Binary representation Integers misinterpretation
More informationSAFECODE: A PLATFORM FOR DEVELOPING RELIABLE SOFTWARE IN UNSAFE LANGUAGES DINAKAR DHURJATI
SAFECODE: A PLATFORM FOR DEVELOPING RELIABLE SOFTWARE IN UNSAFE LANGUAGES BY DINAKAR DHURJATI B.Tech., Indian Institute of Technology - Delhi, 2000 DISSERTATION Submitted in partial fulfillment of the
More informationSymbolic Evaluation/Execution
Symbolic Evaluation/Execution Reading Assignment *R.W. Floyd, "Assigning Meaning to Programs, Symposium on Applied Mathematics, 1967, pp. 19-32 (Appeared as volume 19 of Mathematical Aspects of Computer
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 15: Software Security II Department of Computer Science and Engineering University at Buffalo 1 Software Vulnerabilities Buffer overflow vulnerabilities account
More informationLecture Notes on Common Subexpression Elimination
Lecture Notes on Common Subexpression Elimination 15-411: Compiler Design Frank Pfenning Lecture 18 October 29, 2015 1 Introduction Copy propagation allows us to have optimizations with this form: l :
More informationSimple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;
Simple Overflow 1 #include int main(void){ unsigned int num = 0xffffffff; printf("num is %d bits long\n", sizeof(num) * 8); printf("num = 0x%x\n", num); printf("num + 1 = 0x%x\n", num + 1); }
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationSingularity Technical Report 1: Singularity Design Motivation
Singularity Technical Report 1: Singularity Design Motivation Galen C. Hunt James R. Larus December 17, 2004 MSR-TR-2004-105 Microsoft Research Microsoft Corporation One Microsoft Way Redmond, WA 98052
More informationHybrid Verification in SPARK 2014: Combining Formal Methods with Testing
IEEE Software Technology Conference 2015 Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing Steve Baird Senior Software Engineer Copyright 2014 AdaCore Slide: 1 procedure Array_Indexing_Bug
More information