Software Quality and Information Security

Uploader: dax****eng  Document ID: 245342599  Uploaded: 2024-10-08  Format: PPT  Pages: 44  Size: 200.50KB
Software Quality and Information Security
Department of Computer Science and Information Engineering, Chiao Tung University
黃世昆 (Shih-Kun Huang)

Outline
- Background
- Software Attack Basic
- Software Process Vulnerability
- Software Exploitability
- Dynamic and Static Defense
- Conclusion

Software Engineering and Worms
- 1968 (conference on software crisis after IC invention, with more complex software)
- 1988 (Nov 2) Internet Worm
- 2001 (July 19) Code Red Worm (after 1988)
- 2003 (Aug 11) Blaster Worm (impact MS)
- 2005, Worms Anywhere and Anytime
- Microsoft Software auto-updates more frequently

Software Attack Basic

The Strength of Cryptography
- "128-bit keys mean strong security, while 40-bit keys are weak"
- "triple-DES is much stronger than single DES"
- "2,048 RSA is better than 1,024 bit RSA"
- "lock your front door with four metal pins, each of which in one of 10 positions". There will be 10,000 possible keys, almost impossible to break in
- NO!

Strength of Cryptography
- Burglars won't try every possible key or pick the lock.
- They smash windows, kick in doors, and use a chainsaw on the house wall.
- Most of us design, analyze and break cryptographic systems. Few try to do research on published algorithms, protocols and actual products.

From Bruce Schneier
- We don't have to try every possible key or even find flaws in the algorithms.
- We exploit errors in design, errors in implementation, and errors in installation.
- Sometimes we invent a new trick to break a system, but most of the time we exploit the same old mistakes that designers make over and over again.

Security Attack
- Dynamic events occur during the execution of a piece of software.
- Attack made possible:
  - weaknesses must exist in the system
  - a sequence of weakness-exploiting input signals to the system is required

Threat
- threat: an agent outside of a software system to exploit a vulnerability through attacks

Vulnerability
- potential defect or weakness in an information system
- knowledge required to exploit the defect

State Space Vulnerability
- System state: current configuration of the entities in the system
- Authorized or unauthorized state: given initial state using a set of state transitions defined by security policy
- Vulnerability state: authorized state from which an unauthorized state can be reached using authorized state
- Compromised state: the authorized state above
- Attack: begins in vulnerability state

State Space Attack
- Vulnerability State
- Authorized State (compromised by the attack)
- Unauthorized State
- Attack

Exploiting Software System Defects
- Inconsistencies in the software development process
- State overwriting (Y2K, malicious buffer overflow)
- Weaknesses in cryptographic module design and implementation
- Security of executable content (Web Internet Platform Security)
- Exploitation of defects in network server application software

Software Process Vulnerability
- Imprecise Requirement Specification
- Design Vulnerability
- Implementation Flaws
- Mismatch between development and run-time environment
- Improper Configuration and Application

Software Attacks
- Implementation flaws: Buffer Overflow Attacks
  - Stack Overflow
  - Heap Overflows
  - Data Segment
  - Shared Memory Segment
- Environment mismatch: Type System Attacks
  - type containment not sound
  - mismatch between dynamic loaded library and actual arguments

Buffer Overflow Attacks
- Internet Worm fingerd on Nov 2, 1988.
- Overflow the buffer of a remote daemon or a setuid program
- inject malicious machine code into the program's address space
- overwrite the return address of some function
- Lack of a good string or buffer data type in C and misuse of the standard C library's string functions.

Overflow Attack Made Possible whenever Software Fault (bugs) not removed
- Deviation between process transition (inter-process) and phase inconsistency between analysis, design, implementation and application.
- Inter-process inconsistency:
  - communication flaws during requirement analysis
  - language type inconsistency during program implementation
  - improper configuration in application

Security Problems from Environment Differences
- Defective software
- Defective software environment
- Differences between the compilation environment and libraries
- Differences between the run-time environment and the development environment (Web security and Type system attack)

Problems
- Interface Compatibility
- Semantics of linking differ between distributed environments
- Semantic Gap between security protocols and implementation

Environment Transition
- Restriction: A program can only change its type context to a new type context in a way such that the new context is a consistent extension of the original context.
- Component Composition: what is the consistent extension of a component environment?

Security Problems Related to Software Quality
- System Exploitability: the system can be compromised from an authorized state to any unauthorized state
- Any System exploitable? How to exploit it?
- Any System Failure exploitable? How to do it?
- If the crash site is detected, is the system exploitable? How to do it?
- If the corrupt site is detected, is the system exploitable? How to do it?

Imagination
- We don't have solutions to the above problems, but can have a partial exploitation method with constraints.
- Once I captured Microsoft Windows crash site information, a computer aided exploitation tool can be employed to test it.
- To the bad: Once any Windows AP failed and was caught, Microsoft will sit on thorns. (remember the RPC flaw, the Blaster worm, and the Sasser Worm?)
- To the good: We can better understand the system failures.

Thoughts
- Though most COTS sof
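
The State Space Vulnerability definitions above can be checked mechanically as graph reachability. The following is an added example, not part of the original slides: it classifies the states of a small constructed system and finds the transition sequence an attack would follow. The state names are hypothetical, and separating the transitions the policy defines (POLICY) from those the software actually permits (SYSTEM) is an interpretation assumed here.

```python
from collections import deque

# Constructed toy model; every state name here is hypothetical.
# POLICY: transitions the security policy defines.
POLICY = {
    "logged_out": {"user"},
    "user": {"logged_out", "user_reading", "locked"},
    "user_reading": {"user"},
    "locked": set(),
}
# SYSTEM: transitions the running software permits. Assumption: an
# implementation flaw adds one edge (user_reading -> root) outside the policy.
SYSTEM = {
    **POLICY,
    "user_reading": {"user", "root"},
    "root": {"root_reading", "logged_out"},
    "root_reading": {"root"},
}

def search(start, edges, goal=frozenset()):
    """BFS from start. Returns (visited states, shortest path into goal or None)."""
    prev, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur in goal:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return set(prev), path[::-1]
        for nxt in sorted(edges.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return set(prev), None

def classify(initial, policy, system):
    """Split the state space per the slide's definitions."""
    # Authorized: reachable from the initial state via policy-defined transitions.
    authorized, _ = search(initial, policy)
    every = set(system) | {s for targets in system.values() for s in targets}
    unauthorized = every - authorized
    # Vulnerable: authorized, yet some unauthorized state is reachable from it.
    vulnerable = {s for s in authorized if search(s, system, unauthorized)[1]}
    return authorized, unauthorized, vulnerable

def attack_path(start, system, unauthorized):
    """Shortest transition sequence from start into an unauthorized state."""
    return search(start, system, unauthorized)[1]
```

In this model "locked" is authorized but not vulnerable, because no sequence of permitted transitions leaves it; removing the single flawed edge empties the vulnerable set.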