Introduction

Secure Programming

Lecture 1

Welcome

You are currently in the first lecture of the Secure Programming module!


What will we do?

Introduce the principles, risks and mechanisms that impact software security, with emphasis on programming and related technologies

Welcome

What should you be able to do at the end of the module?


  1. explain the fundamental principles and mechanisms of software security
  2. identify the main security defects and threats in current software systems
  3. describe and evaluate techniques of secure coding
  4. evaluate applications in relation to their security

Why Secure Programming?

CS education typically gives you solid design and programming skills...


But security is a key concern today:

  • most applications are available to everybody in the world by design
  • serious consequences for security vulnerabilities (money, time, effects on the real world)
  • attacks are increasing in number and severity
    (Stuxnet, APTs, etc.)

Course characteristics

Emphasis on practical aspects of security

  • in particular, exploiting vulnerabilities

Exposure to recent or seminal research work

  • assigned readings (roughly, one paper a week)
  • wherever possible, links to additional readings
    (for your personal interest)

Admin Stuff

Course schedule and material

Course design:

  • 3 lectures a week
  • Regular security challenges
    (roughly one every other week)
  • Course book?

Slides and news (check regularly!):

Topics

Security principles

  • Saltzer and Schroeder

Analysis: techniques for finding vulnerabilities


Vulnerabilities, exploits, and remediations

  • Buffer overflow and other memory corruption vulns
  • Command injection
  • DoS attacks
  • Race conditions

Assignments

“Hacking” challenges:

  • analyze a program and identify a vulnerability
  • write an exploit

Environment:

  • small “hacking” server
  • can work from home/any computer

Submission:

  • hard deadline
  • automated checking

Grading

80% examination

  • closed book, pen and pencil
  • I will provide a sample test in advance


20% continuous assessment

  • get points solving each challenge
  • hands-on, practical exercise
  • great preparation for final + real-world skills
  • fun!

What is expected from you

Background

  • Some programming knowledge and experience

Participate in lectures

  • Material is available but it does not cover everything
  • Be active: something is not clear? Ask questions!

Absolutely no plagiarism!

  • Be familiar with the School's plagiarism policy
  • It's OK to discuss with others, but everything you submit must be yours

My background

I started at Bham in 2010

I am currently on secondment at Lastline, Inc.

  • member of the founding team

I am active in the following main areas:

  • malware analysis
  • vulnerability analysis

I am interested in most areas of system security

Contacting me

Drop me an email
m.cova@cs.bham.ac.uk


Office hours
Tuesdays, 3pm-5pm
Room 207


Any problem, doubt, special need: come talk to me

The Basics

Terminology

Vulnerability
A flaw or weakness in a system's design or implementation that could be exploited to violate the system's security policy
Exploit
An attack that leverages a vulnerability to violate a system's security policy

Hacking, hackers

The term hacker was introduced at MIT in the '60s to describe computer wizards:
someone who lives and breathes computers


It eventually came to denote malicious hackers or crackers, that is, people who perform intrusions and misuse computer systems


Black-hats, white-hats, gray-hats

Vulnerabilities

Vulnerability statistics (source: NIST)

Source: http://web.nvd.nist.gov/view/vuln/statistics

Incidents

Incident statistics (source: CERT)

Why does it stop at 2003?

Source: http://www.cert.org/stats/

Incidents

Given the widespread use of automated attack tools, attacks […] have become so commonplace that [their counts] provide little information with regard to assessing the scope and impact of attacks. Therefore, we stopped providing this statistic at the end of 2003.

Cost of vulnerabilities

Microsoft's Trustworthy Computing (2002)

  • Flaws […] affect […] our customers’ view of us as a company
  • Stop adding features and focus on fixing issues
  • Reportedly cost $100M
  • Lots of good results: SDL, tools, etc.

Cost of vulnerabilities

R. Telang and S. Wattal, An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price, IEEE TSE, vol. 33, issue 8, 2007

On average, a vendor loses around 0.6 percent value in stock price when a vulnerability is reported

Cost of vulnerabilities

DigiNotar compromise (2011)

  • Series of vulnerabilities leads to full compromise of CA (June 2011)
  • DigiNotar issues certificate for *.google.com, later used in Iran MITM attacks (July 2011)
  • Browsers remove trust in DigiNotar certificates (August/Sept 2011)
  • DigiNotar declares bankruptcy (20 September 2011)

Price of vulnerabilities

Ethics, Rules, Laws

Ethics

We will look at how to break software and discuss attacks (“attacker mindset”)

  • The goal is to educate and increase awareness
  • The goal is to teach how to build a more secure computing environment

None of this is in any way an invitation to undertake these attacks in any fashion other than with the informed consent of all involved parties

Ethics

Ethics is knowing the difference between what you have a right to do and what is right to do.

If unsure, come talk with me first!

SoCS Computer Policy

http://www.it.bham.ac.uk/policy

Any person who wilfully and knowingly gains unauthorised access to a computer system or attempts to disable a computer system commits a disciplinary offence.

SoCS Computer Policy

http://www.it.bham.ac.uk/policy

Any person who wilfully, knowingly and without authorisation introduces or attempts to introduce a virus or other harmful or nuisance program or file, or to modify or destroy data […] commits a disciplinary offence.

SoCS Computer Policy

http://www.it.bham.ac.uk/policy

Any person who wilfully, knowingly and without authorisation denies access or attempts to deny access […] commits a disciplinary offence

SoCS Computer Policy

http://www.it.bham.ac.uk/policy

Any unauthorised person who attempts to monitor traffic on the University Network or any person who attempts to connect an unauthorised device with the intention of monitoring traffic (ie eavesdropping) commits a disciplinary offence

Would you hire a (black-hat) hacker?

Yes!

No!

Some definitely would not

Screenshot of Panda Security post on (not) hiring hackers

Some definitely would not

So you may be wondering, will Sophos hire virus writers?
Not on your nelly mate.


http://nakedsecurity.sophos.com/2010/12/10/anti-virus-company-hires-convicted-chinese-malware-author/

(White-hat) hacking club

If your idea of fun includes finding and exploiting vulnerabilities, consider participating in the hacking club [*]


Fridays, 3:30pm–5:30pm, Room 217


[*] strictly intended in the original MIT meaning

Take away points

This class will be quite a bit of work

What you get out of it depends on how much you put in

Have fun

Play nice (regulations and ethics)

Next time

We discuss security principles

Read A. Barth, C. Jackson, C. Reis, and the Google Chrome Team, The Security Architecture of the Chromium Browser