ch12 - Computer Security: Principles and Practice Chapter...

Computer Security: Principles and Practice, First Edition
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown
Chapter 12: Software Security

Slide 2: Software Security
- many vulnerabilities result from poor programming practices
  - cf. the Open Web Application Security Top Ten, which includes 5 software-related flaws
- often from insufficient checking / validation of program input
- awareness of issues is critical

Slide 3: Software Quality vs Security
- software quality and reliability
  - accidental failure of program
  - from theoretically random unanticipated input
  - improve using structured design and testing
  - not how many bugs, but how often triggered
- software security is related
  - but attacker chooses input distribution, specifically targeting buggy code to exploit
  - triggered by often very unlikely inputs
  - which common tests don’t identify

Slide 4: Defensive Programming
- a form of defensive design to ensure continued function of software despite unforeseen usage
- requires attention to all aspects of program execution, environment, data processed
- also called secure programming
- assume nothing, check all potential errors
- rather than just focusing on solving task
- must validate all assumptions

Slide 5: Abstract Program Model
[Figure: abstract program model]

Slide 6: Security by Design
- security and reliability common design goals in most engineering disciplines
  - society not tolerant of bridge/plane etc. failures
- software development not as mature
  - much higher failure levels tolerated
- despite having a number of software development and quality standards
  - main focus is general development lifecycle
  - increasingly identify security as a key goal

Slide 7: Handling Program Input
- incorrect handling a very common failing
- input is any source of data from outside
  - data read from keyboard, file, network
  - also execution environment, config data
- must identify all data sources
- and explicitly validate assumptions on size and type of values before use

Slide 8
- often have assumptions about buffer size
  - e.g. that user input is only a line of text
  - size buffer accordingly but fail to verify size
  - resulting in buffer overflow (see Ch 11)
- testing may not identify vulnerability
  - since focus on “normal, expected” inputs
- safe coding treats all input as dangerous
  - hence must process so as to protect program

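The buffer-size assumption on slide 8, as an added C example (not from the slides or the textbook): `store_unchecked` is the unverified copy the slide warns about, and `read_line_checked` verifies the size before the value is used. `LINE_CAP`, the function names and the sample inputs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CAP 16   /* assumption: "a line of text" fits in 16 bytes */

/* Unsafe pattern from the slide: the buffer is sized for the expected
 * input, but the actual size is never verified before copying. */
void store_unchecked(char *dst, const char *input) {
    strcpy(dst, input);            /* overflows dst if input >= LINE_CAP */
}

/* Checked version: returns 0 with a NUL-terminated line (newline removed)
 * on success, -1 if the line does not fit or nothing could be read. */
int read_line_checked(FILE *in, char *dst, size_t cap) {
    if (cap < 2 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';         /* whole line fitted, newline included */
        return 0;
    }
    int c = fgetc(in);             /* no newline seen: look one byte ahead */
    if (c == EOF || c == '\n')
        return 0;                  /* content fitted exactly, or last line */
    while (c != '\n' && c != EOF)  /* discard the rest of the long line */
        c = fgetc(in);
    dst[0] = '\0';                 /* never hand back a truncated value */
    return -1;
}

/* Constructed sample input: writes `text` to a temp file and returns the
 * status of reading its first line into `out`. */
int check_sample(const char *text, char *out, size_t cap) {
    FILE *f = tmpfile();
    if (f == NULL) return -2;
    fputs(text, f);
    rewind(f);
    int rc = read_line_checked(f, out, cap);
    fclose(f);
    return rc;
}

int main(void) {
    char buf[LINE_CAP];
    printf("%d\n", check_sample("alice\n", buf, sizeof buf));
    printf("%d\n", check_sample("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", buf, sizeof buf));
    return 0;
}
```

The over-long line is rejected as a whole rather than silently truncated, so later code never acts on a partial value.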
Slide 9: Interpretation of Input
- program input may be binary or text
  - binary interpretation depends on encoding and is usually application specific
  - text encoded in a character set e.g. ASCII
  - internationalization has increased variety
- also need to validate interpretation before use
  - e.g. filename, URL, email address, identifier
- failure to validate may result in an exploitable vulnerability

Slide 10: Injection Attacks
- flaws relating to invalid input handling which then influences program execution
- often when passed as a parameter to a helper


This note was uploaded on 02/05/2011 for the course CS 2105 taught by Professor Ana during the Fall '09 term at National University of Singapore.
