On software security in general
The Protection of Information in Computer Systems, an old but classic paper defining some key concepts, such as Least Privilege. (Part I.A is required reading; the rest is a little dated.)
CERT's secure coding guidelines, mainly on C.
Common Vulnerabilities and Exposures List (CVE). You can search for terms like "buffer" or "race" and see plenty of examples.
Command injection attacks
Classification of SQL Injection Attacks and Countermeasures goes into more depth about SQLCIA without getting too technical. See in particular for second-order SQL injection attacks.
XML and regex DoS
XML Denial of Service Attacks and Defenses - Microsoft tutorial from 2009
Regular Expression Denial of Service Attacks and Defenses - Microsoft tutorial from May 2010
For a deeper explanation of regular expression matching automata and backtracking, see Cox's article.
Buffer overflow attacks
Smashing The Stack For Fun And Profit, an infamous how-to on buffer overflow written from the point of view of attackers. The article describes the kind of old-style stack buffer overflow attack that compiler defences can now prevent.
A lot of the buffer overflow and memory corruption problems are consequences of the design of C and current stock hardware. As a historical note, some systems that did not succeed commercially had inherently much better security. See the Wikipedia article on the Stack in the Burroughs architecture. (Note: Wikipedia is not a reliable source, but OK for things that are interesting but not critically important.)
One of the most advanced techniques for defeating buffer overflow defences is return-oriented programming, as it does not require code injection for arbitrary behaviour. This technique has been in the news in connection with another voting machine exploit.
Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms - a paper from 2009 using the return-oriented technique.
Static analysis for secure coding
Finding Security Vulnerabilities in Java Applications with Static Analysis gives an overview.
Here are some automatic tools that statically find bugs and potential vulnerabilities in Java code:
There are many more program analysis tools, but the above seem to be the ones most relevant to security and Java.
Concurrency attacks
Exploiting Concurrency Vulnerabilities in System Call Wrappers presents concurrency (as in TOCTOU) vulnerabilities in security software.
Java security and stack inspection
Understanding Java Stack Inspection explains how Java stack inspection works.
Comparing Java and .NET security: Lessons Learned and Missed
The Calendar bug is an example of Java stack inspection gone wrong.
Amusements
Topical comic on SQLCIA from xkcd:
If you accidentally recompute the base encryption hash key, fake a virus attack.