AIT 681 Secure Software Engineering Topic #1 Introduction Instructor: Dr. Kun Sun

AIT 681 Secure Software Engineering · 2020-01-29 · • [Seacord] Secure Coding in C and C++ (2nd Edition) (SEI Series in Software Engineering), by Robert C. Seacord, ISBN-13: 978-0321822130ISBN-10:


Page 2: AIT 681 Secure Software Engineering · 2020-01-29 · • [Seacord] Secure Coding in C and C++ (2nd Edition) (SEI Series in Software Engineering), by Robert C. Seacord, ISBN-13: 978-0321822130ISBN-10:

About Instructor

• Dr. Kun Sun, Associate Professor, Department of Information Science and Technology
  – http://csis.gmu.edu/ksun/
  – http://sunlab.gmu.edu
  – Phone: (703) 993-1715
  – Email: [email protected]
  – Office: Research Hall, #421
  – Office hours: 10:00am-noon, Wednesday, or by appointment


About TAs

• Name: Shaik Sai Saahil
• Email: [email protected]
• Office hour: Tuesday 3-5pm, Engineering Building 5503


This Course

• What is it NOT about?
  – Not a software engineering course
  – Not a security software course

• What is it about?
  – Understand basic software security concepts and their impacts
  – Introduce systematic software security design and development along with project management
  – Practical skills for writing and testing secure software
  – Program analysis for identifying security vulnerabilities and defending against security attacks


Prerequisites

• Programming experience in C is required to understand the secure coding topics.

• Installing and using Ubuntu virtual machines (VMs) on VirtualBox to do lab exercises.


Course Outline

• General Topic 1: Secure Software Concept
  – Recommended textbook
    • [McGraw] Software Security: Building Security In, by Gary McGraw, Publisher: Addison-Wesley Professional, February 2, 2006, ISBN-10: 0321356705, ISBN-13: 978-0321356703

• General Topic 2: Secure Coding
  – Recommended textbooks
    • [Du] Computer Security: A Hands-on Approach, by Wenliang Du, ISBN-13: 978-1548367947, ISBN-10: 154836794X
    • [Seacord] Secure Coding in C and C++ (2nd Edition) (SEI Series in Software Engineering), by Robert C. Seacord, ISBN-13: 978-0321822130, ISBN-10: 0321822137

• General Topic 3: Program Analysis
  – No recommended textbook
  – All materials covered in the slides


Secure Software Concept

• Basic Security Problems
• Software Security Fundamentals
• Risk Management
• 7 touchpoints
  1. Code Review
  2. Architectural Risk Analysis
  3. Penetration Testing
  4. Risk-Based Security Testing
  5. Abuse Cases
  6. Security Requirements
  7. Security Operations


Secure Coding

• String management
• Pointer subterfuge
• Dynamic memory management
• Integer security
• Formatted output
• Race conditions
• Web security


Program Analysis for Security Vulnerabilities

• Fundamentals
• Program representation
• Dynamic Analysis
• Static Analysis
• Symbolic Execution


On-line Resources

• Course website:
  – https://csis.gmu.edu/ksun/AIT681-s20/index.html

• Lab website:
  – https://csis.gmu.edu/ksun/AIT681-s20/lab.html

• Check the course website frequently.
  – Course materials, e.g., lecture slides, lab material, homework, tools, etc., will be updated frequently.


Grading

• 2 Homework: 20%
• Midterm exam: 20%
• Lab exercises: 60%

Note:
1. Must use a text editor (e.g., MS Word, LaTeX) to complete your homework and project proposal/report. Handwritten submissions are not accepted.
2. Must submit an e-copy through Blackboard.
3. Exams are closed book, closed note. No laptop/tablet/smartphone, etc.


Transferring to letter grades:
  – 95-100: A+
  – 90-95: A
  – 85-90: A-
  – 80-85: B+
  – 75-80: B
  – 70-75: B-
  – 65-70: C+
  – 60-65: C
  – < 60: F


Lab Exercises

• We use SEED labs, hands-on labs for security education, developed by Dr. Kevin Du at Syracuse University.
• Single-student labs
• 6 lab exercises (report + demo)


Lab Exercise                          | Report Due Date | Demo Due Date
Lab 1: Buffer Overflow Vulnerability  | 2/26/2020       | n/a
Lab 2: Format String Vulnerability    | 3/11/2020       | 3/18/2020
Lab 3: Race Condition Vulnerability   | 4/01/2020       | 4/08/2020
Lab 4: XSS Attacks                    | 4/08/2020       | 4/15/2020
Lab 5: Return-to-Libc Attack          | 4/15/2020       | 4/22/2020
Lab 6: Dirty COW Attack               | 4/22/2020       | 4/29/2020


Demo of Lab Exercises

• For each lab exercise, 6-8 students will be randomly chosen to demo the exercise steps to the GTA.
  – All report due dates are on Wednesday.
  – Demo notification will be sent by the GTA on that Friday.
  – You are responsible for scheduling a demo time slot and showing your demo to the GTA before the next Wednesday.

• If no demo is given, you will receive 0 points on that lab exercise. Moreover, you will be chosen by default for the next round of demos.

• If the demo results do not match the report, you will receive 0 points on that lab. If it happens twice, you will be reported for an honor code violation.


Policies on Late Assignments

• Homework and lab exercise deadlines will be hard.

• Late homework submissions will be accepted with a 10% reduction in grade for each day they are late.


Policies on Exam Absences and Makeup

• You may be excused from an exam only with a university approved condition, with proof. For example, if you cannot take an exam because of a sickness, we will need a doctor's note.

• Events such as going on a business trip or attending a brother's wedding are not an acceptable excuse for not taking an exam at its scheduled time and place.

• You will have one chance to take a makeup exam if your absence is excused. There will be no makeup for homework assignments.


Academic Integrity

• The university, college, and department policies against academic dishonesty will be strictly enforced.

• Honor code
  – Students are required to follow Mason's Honor System.
  – Don't copy lab exercise reports from other students.


Check the website for details!


Topic #1. Basic Security Concepts


What is Computer Security?

• Most developers and operators are concerned with correctness: achieving desired behavior
  – A working banking web site, word processor, blog, …

• Security is concerned with preventing undesired behavior
  – Considers an enemy/opponent/hacker/adversary who is actively and maliciously trying to circumvent any protective measures you put in place


Significant security breaches

• Marriott International, November 2018
  – Data of 500 million customers stolen, including contact info, passport numbers, travel information, and the credit card numbers of more than 100 million customers.

• Equifax, July 2017
  – Personal information (including Social Security Numbers, birth dates, addresses, and in some cases drivers' license numbers) of 143 million consumers; 209,000 consumers also had their credit card data exposed.

• Yahoo, September 2016
  – 3 billion user accounts compromised, including names, dates of birth, email addresses, passwords, and security questions and answers.


Contributing Factors

• Lack of awareness of threats and risks of information systems
  – Security measures are often not considered until an enterprise has been penetrated by malicious users
  – The situation is getting better, but …

• (Historical) Reluctance to invest in security mechanisms
  – The situation is improving
    • Example: Windows 95 → Windows 2000 → Windows XP → Windows Vista → Windows 7 → Windows 8 → Windows 10
  – But there exists legacy software
  – Supply chain security

• Wide-open network policies
  – Many Internet sites allow wide-open Internet access


Contributing Factors (Cont’d)

• Lack of security in the TCP/IP protocol suite
  – Most TCP/IP protocols were not built with security in mind
  – Work is actively progressing within the Internet Engineering Task Force (IETF)

• Complexity of security management and administration
  – Security is not just encryption and authentication

• Software vulnerabilities
  – Example: buffer overflow vulnerabilities
  – We need techniques and tools to improve software security

• Hacker skills keep improving
  – Cyber warfare


Compusec + Comsec = Infosec

Diagram: Infosec (information security) = Compusec (security of computers) + Comsec (security of communications)


Security Objectives

• Confidentiality (Secrecy)
• Integrity
• Availability (Denial of Service)


Security Objectives (CIA)

• Confidentiality — Prevent/detect/deter improper disclosure of information

• Integrity — Prevent/detect/deter improper modification of information

• Availability — Prevent/detect/deter improper denial of access to services provided by the system

• These objectives have different specific interpretations in different contexts


Commercial Example

• Confidentiality — An employee should not come to know the salary of his manager

• Integrity — An employee should not be able to modify the employee's own salary

• Availability — Paychecks should be printed on time as stipulated by law


Military Example

• Confidentiality — The target coordinates of a missile should not be improperly disclosed

• Integrity — The target coordinates of a missile should not be improperly modified

• Availability — When the proper command is issued, the missile should fire


Achieving Security

• Security policy — What?
• Security mechanism — How?
• Security assurance — How well?


Security Policy

Diagram: Organizational Policy → Automated Information System Policy


Security Mechanisms

• In general three types
  – Prevention
    • Example: Access control
  – Detection
    • Example: Auditing and intrusion detection
  – Tolerance
    • Example: Byzantine agreement

Good prevention and detection both require good authentication as a foundation


Security Mechanisms (Cont’d)

• Prevention is more fundamental
  – Detection seeks to prevent by threat of punitive action
  – Detection requires that the audit trail be protected from alteration

• Sometimes detection is the only option, e.g.,
  – Accountability in proper use of authorized privileges
  – Modification of messages in a network

• Security functions are typically made available to users as a set of security services

• Cryptography underlies (almost) all security mechanisms
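An added example, not from the slides, that ties the Commercial Example (CIA for salaries) to the two mechanism types above: a prevention check that encodes the payroll policy, and a hash-chained audit log whose tamper-evidence is what makes detection trustworthy. The employees, salaries and HR role are constructed for illustration.

```python
import hashlib
import json

# Constructed sample data (not from the slides): alice reports to bob; carol is HR.
SALARIES = {"alice": 90000, "bob": 120000}
HR_STAFF = {"carol"}


def is_allowed(actor, action, target):
    """Prevention mechanism (access control) encoding the payroll policy.

    Confidentiality: an employee may read only their own salary, so alice
    cannot learn her manager bob's salary.  Integrity: ordinary employees
    never modify a salary; HR may modify any salary except their own.
    """
    if actor in HR_STAFF:
        return not (action == "write" and target == actor)
    if action == "read":
        return target == actor
    return False


class AuditLog:
    """Detection mechanism: an append-only, hash-chained audit trail.

    Each entry commits to the previous entry's hash, so altering or deleting
    a record breaks the chain and verify() reports the tampering.
    """

    def __init__(self):
        self.entries = []
        self.prev_hash = "0" * 64

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, target, allowed):
        body = {"actor": actor, "action": action, "target": target,
                "allowed": allowed, "prev": self.prev_hash}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        self.prev_hash = entry["hash"]

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access_salary(log, actor, action, target, new_value=None):
    """Apply prevention first, then record the attempt for detection."""
    allowed = is_allowed(actor, action, target)
    log.record(actor, action, target, allowed)   # denials are logged too
    if not allowed:
        return None
    if action == "write":
        SALARIES[target] = new_value
    return SALARIES[target]
```

Denied attempts are recorded as well, since the accountability that detection provides depends on the log being complete and unaltered.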


Security Services

• Security functions are typically made available to users as a set of security services through APIs or integrated interfaces

• Confidentiality: protection of any information from being exposed to unintended entities.
  – Information content.
  – Parties involved.
  – Where they are, how they communicate, how often, etc.

• Authentication: assurance that an entity of concern or the origin of a communication is authentic, i.e., it is what it claims to be or comes from where it claims to come from

• Integrity: assurance the information has not been tampered with


Security Services (Cont’d)

• Non-repudiation: offer of evidence that a party is indeed the sender or a receiver of certain information

• Access control: facilities to determine and enforce who is allowed access to what resources, hosts, software, network connections

• Monitor & response: facilities for monitoring security attacks, generating indications, surviving (tolerating) and recovering from attacks


Security Assurance

• How well your security mechanisms guarantee your security policy

• Everyone wants high assurance
• High assurance implies high cost
  – May not be possible
• Trade-off is needed
• How to provide insurance on company IT networks?


Security by Obscurity

• Security by obscurity
  – If we hide the inner workings of a system it will be secure
  – E.g., steganography

• Less and less applicable in the emerging world of vendor-independent open standards

• Less and less applicable in a world of widespread computer knowledge and expertise


Security by Legislation

• Security by legislation says that if we instruct our users on how to behave we can secure our systems

• For example
  – Users should not share passwords
  – Users should not write down passwords
  – Users should not type in their password when someone is looking over their shoulder

• User awareness and cooperation is important, but cannot be the principal focus for achieving security


Security Tradeoffs

Diagram: trade-offs among Security, Functionality, Ease of Use, and Cost