Software Security

Software Security. David Wagner University of California at Berkeley. Critical infrastructure is dependent on computer security. Internet security incidents reported to CERT. Security break-ins are all too prevalent. Software vulnerabilities reported to CERT.


Presentation Transcript


  1. Software Security. David Wagner, University of California at Berkeley

  2. Critical infrastructure is dependent on computer security

  3. Internet security incidents reported to CERT. Security break-ins are all too prevalent

  4. Software vulnerabilities reported to CERT. Typical cause: Security defects in our software

  5. Talk Outline • Why is our software so buggy? • What can we do about software security?

  6. What makes simple mechanical systems predictable? • Linearity (or, piecewise linearity) • Continuity (or, piecewise continuity) • Small, low-dimensional state spaces. Systems with these properties are (1) easier to analyze, and (2) easier to test.

  7. Computers enable highly complex systems • And today’s software is taking advantage of this • Highly non-linear behavior; large, high-dim. state spaces

  8. Problem Summary • Complexity breeds bugs and unpredictable behavior • Bugs and unpredictability are the bane of security

  9. Mitigating the Risks: How can we improve software security? • Correctness by construction (e.g., K.I.S.S., defensive coding, least privilege) • Automated analysis of software, new models of software behavior • Formal verification: proving programs free of defects

  10. Tools for Software Security [Diagram labels: hard-working programmer; MOPS; warnings about undisciplined code; buggy, insecure application] • If secure programming is hard, let’s build tools that make it easier to get security right • MOPS: scanning for bugs using software model checking • CQual: security-typed programming discipline • We’re finding--and fixing--vulnerabilities in open-source applications (Linux kernel, sendmail, Apache, wu-ftpd, …)

  11. Conclusion • Computer security problems are endemic. • Our software is a weak spot. Network-layer defenses must make up for software inadequacies. • The problem will likely remain with us as long as users value features (complexity) over security (simplicity).

  12. Questions? And remember to look out for rakes…
