Choosing Technologies

Slides:



Advertisements
Similar presentations
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Advertisements

Dynamic Typing COS 441 Princeton University Fall 2004.
Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.
Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.
Chapter 3.2 C++, Java, and Scripting Languages. 2 C++ C used to be the most popular language for games Today, C++ is the language of choice for game development.
Object-Oriented Analysis and Design Lecture 10 Implementation (from Schach, “O-O and Classical Software Engineering”)
Chapter 3.2 C++, Java, and Scripting Languages “The major programming languages used in game development.”
Reasons to study concepts of PL
Chapter 3.2 C++, Java, and Scripting Languages hacked by jeffery.
Software Development Unit 6.
Security Comparisons of Open Source and Closed Source Programs Katherine Wright.
Name: Md. Iqbal Hossain Roll : Computer programming  Programming is a lot of fun and extraordinarily useful. While you learn to program,
CSC 142 A 1 CSC 142 Introduction to Java [Reading: chapter 0]
Open Source: It's Already Here Dave Cross Magnum Solutions Ltd
CIS 451: Servers, CGI and Log Files Dr. Ralph D. Westfall January, 2009.
Open Source Software An Introduction. The Creation of Software l As you know, programmers create the software that we use l What you may not understand.
Scripting Languages Intro Jan Stelovsky, ICS 215.
Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999.
Lecture 13 Page 1 CS 136, Fall 2014 Secure Programming Computer Security Peter Reiher December 2, 2014.
Scons Writing Solid Code Overview What is scons? scons Basics Other cools scons stuff Resources.
Eagle: Maturation and Evolution 17th Annual Tcl Conference Joe Mistachkin.
240-Current Research Easily Extensible Systems, Octave, Input Formats, SOA.
Lecture 14 Page 1 CS 236 Online Variable Initialization Some languages let you declare variables without specifying their initial values And let you use.
Lecture 13 Page 1 CS 236 Online Major Problem Areas for Secure Programming Certain areas of programming have proven to be particularly prone to problems.
Introduction Why are virtual machines interesting?
Lecture 14 Page 1 CS 136, Fall 2012 Secure Programming CS 136 Computer Security Peter Reiher November 15, 2012.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Lecture 15 Page 1 CS 236 Online Choosing Technologies Different technologies have different security properties –Operating systems –Languages –Object management.
Lecture 10 Page 1 CS 236 Online SSL and TLS SSL – Secure Socket Layer TLS – Transport Layer Security The common standards for securing network applications.
Lecture 15 Page 1 CS 136, Fall 2011 Secure Programming CS 136 Computer Security Peter Reiher November 15, 2011.
Lecture 13 Page 1 CS 136, Spring 2016 Secure Programming Computer Security Peter Reiher May 17, 2016.
Unit 3 Computer Systems. What is software? unlike hardware it can’t be physically touched it’s the missing link between the computer hardware and the.
CIS 234: Object-Oriented Programming with Java
Secure Programming Dr. X
Secure Programming Computer Security Peter Reiher February 23, 2017
Major Problem Areas for Secure Programming
Why don’t programmers have to program in machine code?
Leverage your Business with Selenium Automation Testing
Presentation On Computer programming
Protecting Memory What is there to protect in memory?
Licenses and Interpreted Languages for DHTC Thursday morning, 10:45 am
High or Low Level Programming Language? Justify your decision.
Protecting Memory What is there to protect in memory?
Secure Programming Dr. X
Module 30 (Unix/Linux Security Issues II)
Protecting Memory What is there to protect in memory?
Outline Introduction Principles for secure software
Outline What does the OS protect? Authentication for operating systems
Secure Programming CS 136 Computer Security Peter Reiher May 20, 2014
Software Chapter 11.
CPSC 315 – Programming Studio Spring 2012
Outline What does the OS protect? Authentication for operating systems
PHP / MySQL Introduction
Engineering Secure Software
Parallel Programming in Contemporary Programming Languages (Part 2)
Design and Programming
Portability CPSC 315 – Programming Studio
Prof. Jason Eisner MWF 3-4pm (sometimes 3-4:15)
JavaScript.
Unit 6 part 2 Test Javascript Test.
The Challenge of Cross - Language Interoperability
Eagle: Maturation and Evolution
Engineering Secure Software
Programming Languages, Preliminaries, History & Evolution
C++/Java/COM Interoperability
Secure Programming CS 136 Computer Security Peter Reiher March 2, 2010
Outline Introduction Memory protection Buffer overflows
Outline Introduction Principles for secure software
Choosing Technologies
Collaborative Security: Securing Open Source Software
Presentation transcript:

Choosing Technologies Different technologies have different security properties Operating systems Languages Object management systems Libraries Important to choose wisely Understand the implications of the choice

Choices and Practicalities You usually don’t get to choose the OS The environment you’re writing for dictates the choice E.g., commercial software often must be written for Windows Or Linux is the platform in your company Might not get choice in other areas, either But exercise it when you can

Operating System Choices Rarely an option, and does it matter anyway? Probably not, any more All major choices have poor security histories No, Linux is not necessarily safer than Windows All have exhibited lots of problems In many cases, problems are in the apps, anyway Exception if you get to choose a really trusted platform E.g., SE Linux or Trusted Solaris Not perfect, but better At a cost in various dimensions

Language Choices More likely to be possible Though often hard to switch from what’s already being used If you do get the choice, what should it be?

C and C++ Probably the worst security choice Far more susceptible to buffer overflows than other choices Also prone to other reliability problems Often chosen for efficiency But is efficiency that important for your application?

Java Less susceptible to buffer overflows Also better error handling than C/C++ Has special built-in security features Which aren’t widely used But has its own set of problems E.g., exception handling issues And issues of inheritance 19 serious security flaws between 1996 and 2001 Multiple serious security problems in recent years

Scripting Languages Depends on language Many are type safe (or non-typed), limiting buffer overflow possibilities Javascript and CGIbin have awful security reputations Perl offers some useful security features But there are some general issues

Scripting Language Security Issues Might be security flaws in their interpreters More likely than in compilers Scripts often easily examined by attackers Obscurity of binary is no guarantee, but it is an obstacle Scripting languages often used to make system calls Inherently dangerous, esp. things like eval() If they call libraries, there can be overflows there E.g., Python buffer overflow in 2014 Many script programmers don’t think about security at all

Open Source vs. Closed Source Some argue open source software is inherently more secure The “many eyes” argument – Since anyone can look at open source code, More people will examine it Finding more bugs Increasing security

Is the “Many Eyes” Argument Correct? Probably not At least not in general Linux has security bug history similar to Windows Other open source projects even worse In many cases, nobody really looks at the code Which is no better than closed source

The Flip Side Argument “Hackers can examine open source software and find its flaws” Well, Windows’ security history is not a recommendation for this view Most commonly exploited flaws can be found via black-box approach E.g., typical buffer overflows

The Upshot? No solid evidence that open source or closed source produces better security Major exception is crypto At least for crypto standards Maybe widely used crypto packages Criticality and limited scope means many eyeballs will really look at it

One More Consideration The Snowden leaks suggest some companies put trapdoors in software Especially security-related software When it’s closed source, nobody else can check that When it’s open source, maybe they can Emphasis on the “maybe,” though