Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Security David Wagner University of California at Berkeley.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Software Security David Wagner University of California at Berkeley."— Presentation transcript:

1 Software Security David Wagner University of California at Berkeley

2 Critical infrastructure is dependent on computer security

3

4

5 Security break-ins are all too prevalent Internet security incidents reported to CERT

6 Typical cause: Security defects in our software Software vulnerabilities reported to CERT

7 Talk Outline Why is our software so buggy? What can we do about software security?

8

9 What makes simple mechanical systems predictable? Linearity(or, piecewise linearity) Continuity(or, piecewise continuity) Small, low-dimensional statespaces Systems with these properties are (1) easier to analyze, and (2) easier to test. x y

10 Computers enable highly complex systems And today’s software is taking advantage of this –Highly non-linear behavior; large, high-dim. state spaces

11 Problem Summary Complexity breeds bugs and unpredictable behavior Bugs and unpredictability are the bane of security

12 Mitigating the Risks How can we improve software security? 1.Correctness by construction (e.g., K.I.S.S., defensive coding, least privilege) 2.Automated analysis of software, new models of software behavior 3.Formal verification: proving programs free of defects

13 Mitigating the Risks How can we improve software security? 1.Correctness by construction (e.g., K.I.S.S.) 2.Automated analysis of software 3.New models of software behavior 4.Formal verification: proving programs free of defects In this talk

14 Tools for Software Security If secure programming is hard, let’s build tools that make it easier to get security right –MOPS: scanning for bugs using software model checking –CQual: security-typed programming discipline –We’re finding--and fixing--vulnerabilities in open-source applications (Linux kernel, sendmail, Apache, wu-ftpd, …) Buggy, insecure application Warnings about undisciplined code MOPS Hard-working programmer

15 Conclusion Computer security problems are endemic. Our software is a weak spot. Network-layer defenses must make up for software inadequacies. The problem will likely remain with us as long as users value features (complexity) over security (simplicity).

16 And remember to look out for rakes… Questions?

Download ppt "Software Security David Wagner University of California at Berkeley."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Modeling and Simulation By Lecturer: Nada Ahmed. Introduction to simulation and Modeling.

Modeling and Simulation By Lecturer: Nada Ahmed. Introduction to simulation and Modeling.
Javascript Code Quality Check Tools Javascript Code Quality Check Tools JavaScript was originally intended to do small tasks in webpages, but now JavaScript.

Javascript Code Quality Check Tools Javascript Code Quality Check Tools JavaScript was originally intended to do small tasks in webpages, but now JavaScript.
Designed-in Security Some Major Challenges Security Group Department of Computer Science University of California, Santa Barbara Trustworthy.

Designed-in Security Some Major Challenges Security Group Department of Computer Science University of California, Santa Barbara Trustworthy.
Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
LIFE CYCLE MODELS FORMAL TRANSFORMATION

LIFE CYCLE MODELS FORMAL TRANSFORMATION
Nine Steps to Delivering Defect-Free Software By: Terence M. Colligan Presented by: Isaac Bailey.

Nine Steps to Delivering Defect-Free Software By: Terence M. Colligan Presented by: Isaac Bailey.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.

Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.
VM: Chapter 5 Guiding Principles for Software Security.

VM: Chapter 5 Guiding Principles for Software Security.
OWASP Principles for GIS Data Security Keeping your GIS data secure.

OWASP Principles for GIS Data Security Keeping your GIS data secure.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
1 Static Analysis Methods CSSE 376 Software Quality Assurance Rose-Hulman Institute of Technology March 20, 2007.

1 Static Analysis Methods CSSE 376 Software Quality Assurance Rose-Hulman Institute of Technology March 20, 2007.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
#1 The Future of Software Security David Wagner U.C. Berkeley.

#1 The Future of Software Security David Wagner U.C. Berkeley.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.

MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.
Simple Source Auditing Tools Roy INSA. Outline FLAWFINDER RATS.

Simple Source Auditing Tools Roy INSA. Outline FLAWFINDER RATS.
COMP 2007 R J Walters. COMP 2007 - 3 Remember - Documentation Defines your Engineering process Includes Requirements Design Testing User manuals Other.

COMP 2007 R J Walters. COMP Remember - Documentation Defines your Engineering process Includes Requirements Design Testing User manuals Other.
1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research

1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research

Similar presentations

Ads by Google