Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.


Reliability and Security
Reliable software does what it is supposed to do. Secure software does what it is supposed to do … and nothing else. –Ivan Arce
Security is very simple: only run perfect software … Oh, so we need a ‘plan B’. –Crispin

Open Source and Security: a 2-Edged Sword
Open source gives greater power to analyze software for security … for good or bad
  –Attackers get enhanced capability to find holes to exploit
  –Defenders get enhanced capability to find holes to close
So if you do nothing then Open Source is dangerous
But if you leverage what Open Source gives you, then it is a defender’s advantage
  –… and there are tools to help you

Security Enhancing Tools for Software
Code Auditing: static or dynamic analysis of programs to detect flaws, e.g. ITS4 and friends
Vulnerability Mitigation: compiled-in defenses that block vulnerability exploitation at run-time, e.g. StackGuard and friends
Behavior Management: OS features to control the behavior of programs
  –Classic: mandatory access controls
  –Behavior blockers: block known pathologies

Security Enhancing Tools and Open Source
Most of these tools operate on source code
Proprietary systems:
  –Only the vendor can apply the tools
  –Users must accept vendor’s level of diligence
Open source systems:
  –Users can raise the level of diligence themselves
  –Motivated vendors can sell the same system (e.g. BSD, Linux) with higher levels of diligence (e.g. OpenBSD, Open Wall Linux, Immunix)
Paper: to appear in the new IEEE Security and Privacy magazine

Way Too Reasonable … time to get outrageous :-)

“Buffer Overflows: We’re Past That”
We’ll be “past that” when buffer overflows stop being a majority of all CERT advisories
We’ll be well past it when buffer overflows slip from the #1 position (plurality) of CERT advisories

“Full Disclosure Zealots”
Perhaps the zealots have a point...
“Timing the Application of Security Patches for Optimal Uptime”
  –Crispin + WireX staff + Adam Shostack
  –USENIX LISA eattie.html

Main Result: When To Patch
Not never: you’ll get hacked
Not immediately: patch might be buggy
As time advances
  –Chance of getting hacked rises
  –Chance of patch being buggy drops
Optimize
[Figure labels: Bad patch risk, Penetration Risk]
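
The trade-off on this slide, worked through as an added example that is not from the talk or the LISA paper. The curve shapes, every parameter value and all function names are assumptions chosen to show the optimization, not measured data.

```python
"""Toy model of the patch-timing trade-off. All curves and numbers are assumed."""


def bad_patch_risk(day, p0=0.20, half_life=7.0):
    # Assumption: a fresh patch is defective with probability p0, and the
    # chance that the defect is still undiscovered halves every half_life days.
    return p0 * 0.5 ** (day / half_life)


def penetration_risk(day, daily_rate=0.004):
    # Assumption: a constant, independent daily chance of compromise while the
    # host stays unpatched, so the cumulative risk rises with the delay.
    return 1.0 - (1.0 - daily_rate) ** day


def expected_cost(day, p0=0.20, half_life=7.0, daily_rate=0.004,
                  cost_bad=1.0, cost_pen=3.0):
    # Weighted sum of the falling and rising curves for a patch applied on
    # `day`. The cost weights are relative units, also assumed.
    return (cost_bad * bad_patch_risk(day, p0, half_life)
            + cost_pen * penetration_risk(day, daily_rate))


def best_patch_day(horizon=120, **params):
    # Whole-day delay with the lowest expected cost within the horizon.
    return min(range(horizon + 1), key=lambda d: expected_cost(d, **params))


if __name__ == "__main__":
    scenarios = [("little attacker interest", 0.001),
                 ("baseline", 0.004),
                 ("actively exploited", 0.02)]
    for label, rate in scenarios:
        day = best_patch_day(daily_rate=rate)
        cost = expected_cost(day, daily_rate=rate)
        print(f"{label:25s} patch on day {day:3d}  expected cost {cost:.3f}")
```

Raising the assumed daily compromise rate pulls the optimum toward day 0, and lowering it pushes the optimum later, which is the "not never, not immediately" shape of the result.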

Hidden Result: “Responsible Disclosure” Does Not Help
Some Microsoft security advisories politely acknowledge the “investigators” who reported the bug
  –Done only when the investigator cooperated with Microsoft
With 93% confidence interval, “acknowledged” security patches are more likely to be defective than unacknowledged patches
Conjecture: “responsible” disclosure does not help, and may in fact hurt