CIS 6614 meeting -*- Outline -*-

* Summary and Review of the Course

------------------------------------------
        SUMMARY AND REVIEW

We will discuss the course

So, please interact:

   - Offer opinions
   - Give feedback
   - Ask questions

If you are watching on video,
I welcome feedback by email or phone
------------------------------------------

** The big picture

------------------------------------------
        THE BIG PICTURE

Why is software security important?

Does the real world have complete security?
------------------------------------------
        ... Because software increasingly controls the world

        ... No, keys are not foolproof, windows can be smashed,
            neighbors know when you leave, etc.

Q: Why are incomplete techniques more effective in the real world?
        because:
         - attacks will be noticed in the real world
           but software break-ins can remain hidden
         - attacks are not automated in the real world
           there aren't tireless computers carrying out the attacks
         - fewer neighbors (not the entire world)
         and maybe punishment is less certain?

** Review of syllabus

------------------------------------------
        WHAT WE STUDIED

Context:
 - Real World Security Bugs

Defense Techniques
 - Threat Modeling
 - Static and Dynamic Analysis
 - Program Analysis
 - Symbolic Execution
 - Concolic Execution
 - Fuzzing
 - Taint Analysis
 - Information Flow Security

Memory Attacks
 - Smashing the Stack attacks
 - Defenses:
    - Baggy Bounds Checking
    - W xor X permissions
    - ASLR
    - Reference Monitors (CFI, XFI)

Web Attacks
 - XSS
 - CSRF (aka XSRF)
 - Defenses:
    - Allow lists
    - Output encoding
    - Taint tracking
    - CSP
    - Concolic execution (Andrilla)
 - Semantic/logic bugs (shop for free)
 - Formal methods (Alloy Analyzer)
 - Traffic Analysis (side channel attacks)
------------------------------------------

Q: What is the difference between static and dynamic analysis?
        static is before runtime (always)
        and dynamic needs/uses runtime information (in general)

Q: What are the advantages and disadvantages of static techniques vs.
   dynamic techniques?
        Static techniques can give guarantees about lack of bugs,
        but will need to be conservative
        and so will have false errors/positives.
        Dynamic techniques can give concrete error scenarios (e.g., inputs)
        but may miss some bugs
        and so have false assurances/negatives.

Q: Is it possible to combine static and dynamic techniques?
        Yes, and there is great promise there, as in concolic execution
        e.g., can use each to aid the other
        such as using dynamic techniques to validate possible errors
        found by static analysis (as in "soft typing")
        or using static techniques to target fuzz testing

Q: Which defensive techniques are easiest to implement?
        probably Fuzzing

Q: Which defensive techniques can completely prevent attacks?

Q: If we can't stop an attack completely, what else can be done?
        We can make it harder,
        but that doesn't help if the attack is scripted
        We can slow down the attack,
        hoping that it can be caught and thwarted

Q: Are there general techniques that work for the defense?

Q: What topics have been omitted that should be taught?
        in class (fall 2022):
         - running tools or examples
         - more about real bugs (Heartbleed, etc.)
         - attacks

Q: What were the most interesting topics?
        in class (fall 2022):
         - real bugs (Heartbleed, etc.)
         - attacks
         - threat modeling tools
           (force thinking about security properties of a design)
         - project

*** Lessons Learned?

Q: What are the most important lesson(s) you learned?
        in class (fall 2022):
         - don't trust protocols
         - don't assume users will behave nicely
         - there are lots of exploits (so look for them)
         - use static analysis at a minimum

Q: Are there general techniques (or attacks) that we can learn from?
        in class (fall 2022):
         - buffer overflows
         - taint checking to prevent injection attacks
         - not trusting user inputs
         - do negative testing

Q: What are the most interesting thing(s) you learned?
        in class (fall 2022):
         - code coverage, that you might not get 100%
           due to state space explosion
         - different kinds of code coverage (path, branch, statement...)
         - different tools that are available in industry and open source

Q: Where is more research and development needed?

Q: What should a software development shop do for secure development?

Q: What techniques do you plan to use in the future?

*** Attack and Threat Models

Q: What is an attack model? Why is it useful?
        It states the capabilities of an attacker;
        it gives a set of (worst case) assumptions about an attack
        that a defense should stop

Q: How could we judge different attack models?
        The more general/powerful they are,
        the more powerful the defense needs to be;
        so can compare them by capabilities (supersets are stronger)

Q: How is an attack model different from a threat model?
        An attack model says what an attacker is assumed to be able to do
        during an attack.
        A threat model gives motivation for attacks and defenses:
        it says what an attacker would like to do
        after a successful attack;
        it says what a defender is trying to stop from happening

Q: What is the use of a threat model?
        prioritizing defensive measures,
        making sure there are no obvious weak points

*** Thinking like an attacker

Q: Why is it useful to think like an attacker?
        So that the defenses can be better planned,
        attacks can be anticipated and thwarted
        in class (fall 2022):
         - helps in threat modeling
         - helps create new defenses

Q: What are some general ideas/tactics found in the attacks studied?
         - buffer overflows are so common they are a given,
         - taking control of a program is hard to prevent
           (many different techniques, none completely successful)
        tactics:
         - look for a weakness, get around the assumptions
           so for defenders, need to be complete
         - use whatever information is available (e.g., traffic analysis)
           so for defenders, need to be realistic about
           what the actual attack model is

** Where do we go from here?
*** practical/industry paths forward

Q: What careers or contributions can be made in industry
   using what we have learned in this class?

*** practical tools needed

Q: What tools are needed to help make software more secure in practice?

*** research needed

Q: What are the gaps in our knowledge of software security?
         - how to completely stop certain kinds of attacks
         - how to make security usable and also safe
         - how to stop scripted attacks, 0-day attacks, etc.

Q: Are there other areas (besides software security) that need research
   to make digital life more secure?
        Yes:
         - social engineering
         - user interfaces for usable security

*** academic paths forward

        no more classes in the MS program, but...
        PhD study is possible
        working with a good professor and specialization are key
        find a good problem and solve it for users

        useful background:
         - networking (protocols)
         - computer architecture (side channels)
         - software engineering
           (UI, testing, debugging, reverse engineering)
         - programming languages (semantics)
         - formal methods (modeling and plugging weaknesses)

** about the class

Q: What could be improved about the class?

Q: What was omitted from the class that should have been discussed?

Q: What was good about the class and shouldn't be changed?

------------------------------------------
        CLASS OBJECTIVES

main objective:
  you can supervise an enterprise's software system safety

 - [Strategize] plan a strategy to assure software safety
 - [Design] Design a set of mitigations
   to the likely and important threats
 - [Implement] Implement a tool
   to support a secure development process
 - [Evaluate] Evaluate the adequacy
   of a threat model and mitigations
------------------------------------------

Q: Did we give you background for doing those?

Q: Are those the right objectives?