Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.

Published byMonica Riley Modified over 9 years ago

Similar presentations

Presentation on theme: "Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com."— Presentation transcript:

1 Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com

2 Reliability and Security Reliable software does what it is supposed to do.Secure software does what it is supposed to do … and nothing else. –Ivan Arce Security is very simple: only run perfect software … Oh, so we need a ‘plan B’. –Crispin

3 Open Source and Security: a 2-Edged Sword Open source gives greater power to analyze software for security … for good or bad –Attackers get enhanced capability to find holes to exploit –Defenders get enhanced capability to find holes to close So if you do nothing then Open Source is dangerous But if you leverage what Open Source gives you, then it is a defender’s advantage –… and there are tools to help you

4 Security Enhancing Tools for Software Code Auditing: static or dynamic analysis of programs to detect flaws, e.g. ITS4 and friends Vulnerability Mitigation: compiled in defense that block vulnerability exploitation at run-time, e.g. StackGuard and friends Behavior Management: OS features to control the behavior of programs Classic: mandatory access controls Behavior blockers: block known pathologies

5 Security Enhancing Tools and Open Source Most of these tools operate on source code Proprietary systems: –Only the vendor can apply the tools –Users must accept vendor’s level of diligence Open source systems: –Users can raise the level of diligence themselves –Motivated vendors can sell the same system (e.g. BSD, Linux) with higher levels of diligence (e.g. OpenBSD, Open Wall Linux, Immunix) Paper: to appear in the new IEEE Security and Privacy magazine

6 Way Too Reasonable … time to get outrageous :-)

7 “Buffer Overflows: We’re Past That” We’ll be “past that” when buffer overflows stop being a majority of all CERT advisories We’ll be well past it when buffer overflows slip from the #1 position (plurality) of CERT advisories

8 “Full Disclosure Zealots” Perhaps the zealots have a point... “Timing the Application of Security Patches for Optimal Uptime” –Crispin + WireX staff + Adam Shostack –USENIX LISA 2002 http://www.usenix.org/events/lisa02/tech/b eattie.html

9 Main Result: When To Patch Not never: you’ll get hacked Not immediately: patch might be buggy As time advances –Chance of getting hacked rises –Chance of patch being buggy dropsOptimize Bad patch risk Penetration Risk

10 Hidden Result: “Responsible Disclosure” Does Not Help Some Microsoft security advisories politely acknowledge the “investigators” who reported the bug –Done only when the investigator cooperated with Microsoft With 93% confidence interval, “acknowledged” security patches are more likely to be defective than unacknowledged patches Conjecture: “responsible” disclosure does not help, and may in fact hurt

Download ppt "Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com."

Similar presentations

h Protection from cyber attacks is achieved by acting on several levels: first, at the physical and material, placing the server in a place as safe as.

h Protection from cyber attacks is achieved by acting on several levels: first, at the physical and material, placing the server in a place as safe as.
A Model for When Disclosure Helps Security: What is Different About Computer & Network Security? Peter P. Swire Ohio State University George Mason CII.

A Model for When Disclosure Helps Security: What is Different About Computer & Network Security? Peter P. Swire Ohio State University George Mason CII.
Effective Patch Management: How to make the pain go away Adam Shostack

Effective Patch Management: How to make the pain go away Adam Shostack
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
02/03/14 Copyright © 2002 WireX Communications, Inc. 1 Autonomix: Autonomic Defenses for Vulnerable Software Crispin Cowan, Ph.D WireX Communications,

02/03/14 Copyright © 2002 WireX Communications, Inc. 1 Autonomix: Autonomic Defenses for Vulnerable Software Crispin Cowan, Ph.D WireX Communications,
Welcome to EECS 354 Network Penetration and Security.

Welcome to EECS 354 Network Penetration and Security.
MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.

MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.

SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Software Security David Wagner University of California at Berkeley.

Software Security David Wagner University of California at Berkeley.
Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17.

Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.
EECS 354 Network Security Introduction. Why Learn To Hack Understanding how to break into computer systems allows you to better defend them Learn how.

EECS 354 Network Security Introduction. Why Learn To Hack Understanding how to break into computer systems allows you to better defend them Learn how.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Similar presentations

Ads by Google