International Symposium on
Engineering Secure Software and Systems
February 27 - March 1, 2013
Paris (Rocquencourt), France
Tutorial on Techniques for Secure Programming
February 27, 2013 afternoon only
Abstract
Security is crucial to the software that we develop and use. With the growth of both Grid and Cloud services, security is becoming even more critical. This tutorial is relevant to anyone wanting to learn about minimizing security flaws in the software they develop. You will learn skills critical for software developers and analysts concerned with security. This tutorial presents coding practices subject to vulnerabilities, with examples of how they commonly arise, techniques to prevent them, and exercises to reinforce them. Most examples are in Java, C, C++, Perl and Python, and come from real code belonging to Cloud and Grid systems we have assessed.
Sections
1. Introduction
2. For each of the following categories we will cover:
2.1. Description of vulnerability
2.2. Signs of presence in the code
2.3. Mitigations
2.4. Safer alternatives
3. Lack of data validation
4. Pointers and Strings
4.1. Stack smashing
4.2. Buffer overflows
5. Numeric errors
5.1. Integer vulnerabilities
5.2. Parsing errors
6. Error handling
7. Insecure permissions
8. Not dropping privileges
9. File Systems
9.1. Race conditions: TOCTOU attacks
9.2. Path name manipulations
10. Exceptions
11. Privilege, Sandboxing and Environment
12. Injection Attacks
12.1. Format string attacks
12.2. Command injection
12.3. SQL injection
13. Quiz 3: Interactive class exercise
14. Web Attacks
14.1. Cross-site scripting (XSS)
14.2. Cross-site request forgery (CSRF)
14.3. Session hijacking
14.4. Open redirect
15. Memory management attacks
16. Information leaks
17. Denial of service
18. Summary of the lessons learned
Bios
Barton P. Miller co-directs the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona. He also leads the Paradyn Parallel Performance Tool project, which is investigating performance and instrumentation technologies for parallel and distributed applications and systems. His research interests include systems security, binary and malicious code analysis and instrumentation, extreme scale systems, parallel and distributed program measurement and debugging, and mobile computing. Miller's research is supported by the U.S. Department of Homeland Security, U.S. Department of Energy, National Science Foundation, NATO, and various corporations.
In 1988, Miller founded the field of Fuzz random software testing, which is the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student, Prof. Jeffrey Hollingsworth) founded the field of dynamic binary code instrumentation and coined the term “dynamic instrumentation”. Dynamic instrumentation forms the basis for his current efforts in malware analysis and instrumentation. Miller is a Fellow of the ACM.
Elisa Heymann is an Associate Professor in the Computer Architecture and Operating Systems Department at the Universitat Autonoma de Barcelona. She co-directs the MIST software vulnerability assessment project in collaboration with her colleagues at the University of Wisconsin.
She is also in charge of the Grid security group at the UAB, and participates in two major Grid European Projects: EGI-InSPIRE and European Middleware Initiative (EMI). Heymann's research interests include security and resource management for Grid and Cloud environments. Her research is supported by the Spanish government, the European Commission, and NATO.