Software Security (소프트웨어 보안), Cho, Seong-je (조성제), Fall 2019, Computer Security & OS Lab., Dankook University

(Software Security)securesw.dankook.ac.kr/ISS19-2/LN(grad)_2019 SS_01... · 2019-09-02 · CMPSC 447 (Penn State University) Porf. Gang Tan, Spring 2019 This course explores the fundamental


Page 1

Software Security

조성제 (Cho, Seong-je)

Fall, 2019

Computer Security & OS Lab.

Dankook University

Page 2

Many slides are taken from Prof. Lujo Bauer, Michael Hicks, and Dawn Song

• Michael Hicks, Software Security, hosted by Coursera (MOOC) (https://www.coursera.org/learn/software-security)

• Michael Hicks, CMSC 838G, Spring 2014: Software Security, UMD

( http://www.cs.umd.edu/class/spring2014/cmsc838g/)

• Lujo Bauer, 18-732: Secure Software Systems, CMU, Spring 2019

(https://course.ece.cmu.edu/~ece732/s19/schedule.html)

• Dawn Song, CS161: Computer Security, Spring 2015, UC Berkeley (http://inst.eecs.berkeley.edu/~cs161/sp15/, http://www.cs.berkeley.edu/~dawnsong/)

Many photos in this presentation are licensed from Wikipedia or Google Images

Computer Security & OS Lab, DKU 2

Page 3

Introduction

Instructor

● Prof. Seong-Je Cho (조성제)

− Research interests: System security, SW security

− Advisor of Computer Security & OS Lab., Dept. of Computer Science, Dankook Univ.

− Faculty advisor of Aegis, the Computer Security Club

− Room 510, SW.ICT Hall

− sjcho at dankook.ac.kr

− Lecture notes (Webpage) http://securesw.dankook.ac.kr


Page 4

Software Security: Principles, Policies, and Protection (SS3P)

Instructor: Prof. Mathias Payer, 2019 at EPFL (2018 at Purdue)

A free book about software security.

● SS3P focuses on basic software security principles, secure software development from design over implementation to testing, software security policies (with a focus on memory- and type-unsafe languages like C/C++), defense strategies with a focus on verification, testing, and mitigation, attack vectors, and reverse engineering.

● The different chapters are augmented with several case studies.

Topics

● SW and System Security Principles

● Secure Software Life Cycle

● Memory and Type Safety

● Defense Strategies

● Attack Vectors

https://nebelwelt.net/SS3P/

https://nebelwelt.net/teaching/19-412-SoSe/ (2019) or https://nebelwelt.net/teaching/18-527-SoftSec/ (2018)


Page 5

Software Security

In this course we will explore the foundations of software security.

We will consider important software vulnerabilities and the attacks that exploit them (such as buffer overflows, SQL injection, and session hijacking), and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques.

Importantly, we take a "build security in" mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems.

Successful learners in this course typically have completed sophomore/junior-level undergraduate work in a technical field, have some familiarity with programming, ideally in C/C++ and one other "managed" programming language (like ML or Java), and have prior exposure to algorithms. Students not familiar with these languages but with others can improve their skills through online web tutorials.

Skills you can learn: Fuzz testing, Buffer overflow, SQL injection, Penetration test

Coursera (MOOC)

● https://www.coursera.org/learn/software-security


Page 6

CMPSC 447 (Penn State University)

Prof. Gang Tan, Spring 2019

● This course explores the fundamental concepts and engineering processes of software development and testing to produce software that is designed for security.

● This course is intended as a senior-level course for computational majors such as computer science and computer engineering since it covers the exploitation of programs based on computer architecture, systems, and software concepts.

Topics

● Memory corruption vulnerabilities (smashing the stack, exploiting format strings)

● Memory corruption defense and advanced attacks (ROP)

● Defensive programming

● Testing and fuzzing, Symbolic execution

● Reference monitors, Software-based fault isolation (SFI)

● Execution integrity

http://www.cse.psu.edu/~gxt29/teaching/cs447s19/schedule.html


Page 7

Software Security

Building secure software


Page 8

Software Security

The practice of building software to be secure and to function properly under malicious attack

● The idea of engineering software so that it continues to function correctly under malicious attack

● Software security unifies the two sides of software security – attack and defense, exploiting and designing, breaking and building – into a coherent whole

− Software security requires a careful balance


Page 9

Software Security [from techopedia.com]

Software security is an idea implemented to protect software against malicious attack and other hacker risks so that the software continues to function correctly under such potential risks.

● Security is necessary to provide integrity, authentication and availability.

● Any compromise of integrity, authentication or availability makes software insecure.

● Software systems can be attacked to steal information, monitor content, introduce vulnerabilities and damage the behavior of software.

● Malware can cause DoS (denial of service) or crash the system itself.


Page 10


Textbook

Gary McGraw, Software Security: Building Security In, Addison-Wesley, 2006.

http://www.swsec.com/

http://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705

Page 11


Table of Contents (Tentative schedule)

Part I: Software Security Fundamentals

Chapter 1: Defining a Discipline

Chapter 2: A Risk Management Framework

Part II: Seven Touchpoints for Software Security

Chapter 3: Introduction to Software Security Touchpoints

Chapter 4: Code Review with a Tool

Chapter 5: Architectural Risk Analysis

Chapter 6: Software Penetration Testing

Chapter 7: Risk-Based Security Testing

Chapter 8: Abuse Cases

Chapter 9: Software Security Meets Security Operations

Part III: Software Security Grows Up

Chapter 10: An Enterprise Software Security Program

Chapter 11: Knowledge for Software Security

Chapter 12: A Taxonomy of Coding Errors

Chapter 13: Annotated Bibliography and References

Page 12

Microsoft SDL

Security Development Lifecycle

● https://www.microsoft.com/en-us/securityengineering/sdl

● Microsoft's industry-leading software security assurance process, designed to protect customers by reducing the number and severity of software vulnerabilities before release.

Slides

● Microsoft Security Development Lifecycle for IT, Rob Labbe

− https://www.owasp.org/images/d/d0/OWASP_SDL-IT.pdf


Page 13

Other Suggested References

M. Howard, D. LeBlanc, and J. Viega, 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them, McGraw Hill, 2010

● Web application sins (4)

− SQL injection; server-related vulnerabilities (XSS, XSRF, response splitting); client-related vulnerabilities (XSS); use of magic URLs, predictable cookies, and hidden form fields

● Implementation sins (14)

− Buffer overruns, format string problems, integer overflows, C++ catastrophes, catching exceptions, command injection, failure to handle errors correctly, information leakage, race conditions, poor usability, not updating easily, executing code with too much privilege, failure to protect stored data, the sins of mobile code

● Cryptographic sins (3)

− Use of weak password-based systems, weak random numbers, using cryptography incorrectly

● Networking sins (3)

− Failing to protect network traffic, improper use of PKI (especially SSL), trusting network name resolution

Search "gea-PRISM/24 Deadly Sins of Software Security – Howard" on Google

● You can find the PDF file there.

Page 14

Recommended Sites

OWASP Top 10 for 2017

● https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

● A1: Injection

● A2: Broken Authentication

● A3: Sensitive Data Exposure

● A4: XML External Entities (XXE)

Page 15

Recommended Sites

OWASP Mobile Top 10 Risks

● https://www.owasp.org/index.php/OWASP_Mobile_Top_10

Page 16

Recommended Sites

OWASP Cloud Top 10 Risks = OWASP Top 10 Cloud Security Risks

● OWASP Cloud Security Project

https://www.owasp.org/index.php/OWASP_Cloud_Security_Project

● Top 10 Cloud Security Risks

https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project

Page 17

Recommended Sites

2011 CWE/SANS Top 25 Most Dangerous Software Errors

● http://cwe.mitre.org/top25/

1) XSS

2) SQL injection

3) Classic buffer overflow

4) CSRF (Cross-Site Request Forgery)

5) Authorization (improper access control)

6) Reliance on untrusted inputs in a security decision

7) Improper limitation of a pathname to a restricted directory ('Path traversal')

8) Unrestricted upload of file with dangerous type

9) OS command injection

10) Missing encryption of sensitive data

11) Use of hard-coded credentials

12) Buffer access with incorrect length value

13) PHP file inclusion

14) Improper validation of array index

15) Improper check for unusual or exceptional conditions

16) Information exposure through an error message

17) Integer overflow or wraparound

18) Incorrect calculation of buffer size

• The CWE/SANS Top 25 Security Vulnerabilities: What They Mean for Embedded Developers, Wind River white paper

https://events.windriver.com/wrcd01/wrcm/2016/08/WP-the-cwesans-top-25-security-vulnerabilities-what-they-mean-for-embedded-developers.pdf

• The SDL and the CWE/SANS Top 25 Most Dangerous Programming Errors 2010, Microsoft, Feb. 2010

https://www.microsoft.com/security/blog/2010/02/23/the-sdl-and-the-cwesans-top-25-most-dangerous-programming-errors-2010/

Page 18

INFSCI 2620 - Developing Secure Systems

Prof. James Joshi / Sidney Faber, University of Pittsburgh

Key topics

1. Secure development methodologies/models, assurance techniques (certification, validation, etc.)

2. Secure programming issues/practices and tools

3. Software assurance and Security analysis - tools and techniques

4. Secure design, testing and systems security engineering (e.g., protocol verification, model-based techniques, etc.)

5. Supply Chain Security, Life-Cycle Security, Security Risk Analysis

http://www.sis.pitt.edu/jjoshi/courses/IS2620/Fall18/

https://psmobile.pitt.edu/app/catalog/classsection/UPITT/2201/26445


Page 19

Secure Software & Software Assurance

(ISC)2 White Papers

● The Need for Secure Software

− It addresses the “Why” of securing software

● Software Assurance: A Kaleidoscope of Perspectives

− It addresses the “What” of software assurance in terms of the varied perspectives that need to be considered when building secure software

● Software Security: Being Secure in an Insecure World

− It addresses the “How-Tos” of designing, developing, and deploying secure software.


Page 20

Class rules

Presentation: a chapter of the textbook, or a paper related to software security

Every student has to present the chapter/paper on a designated date. If not, the student fails.

To get a good grade, you must give your presentation, submit the assignments, and take the exam.

Choose a presentation topic; strictly observe the presentation date and time.

● If the scheduled presentation date is missed, a grade cap applies:

− Presentation delayed by 2 weeks: below B+

− Presentation delayed by 3 weeks: below C+

● Presentation time: at least 30 minutes per person

Page 21


Class rules

Discussion and questions are encouraged

● Bonus points for good questions and a good attitude in class

● Otherwise, no talking with the person next to you

Sitting in the front rows is encouraged

Turn off your cell phone

No lateness and no entering or leaving during lectures, unless there are special circumstances

No cheating and no plagiarism

Exceptional work will be rewarded as appropriate

Page 22

Grading

Tentative grading (subject to change)

Presentation & Discussion 30 %

Final exam 30 %

Project (Homework) 20 %

Attendance, Class participation 20 %

Field Experience +10 % (Bonus)

Field experience includes attending workshops, conferences, and similar events.

Page 23


Course Project examples

Choose one of the following instead of the midterm exam

● Teams of 2 to 3 students

1) Secure programming

− Show and analyze an example of an insecure program

− Show and analyze an example of writing the program securely

− Show the before/after results, e.g., the number of bugs reduced

2) SW security testing

− Test the security of a program

• White-box testing (static analysis)

• Black-box testing (dynamic analysis): fuzzing

− Fuzzer, fault-injection tool, wrapper

● Other assignments: BoF, taint analysis, vulnerability analysis, format strings and reverse engineering

Page 24

Ideal Course Projects

Goal: Synthesize knowledge

Done in groups of up to 3

30% of grade

Phases:

1) Outline area

2) Presentation of research problem

3) Research checkpoint

4) Working draft

5) Final report or paper

Should look like a paper of the kind read in class


Page 25

Any questions?

Hardships, the way of suffering ● Passion, unremitting effort, sincerity, diligence

------------------------------------------------------------------

Expert, Specialist

Black hat vs. White hat
