َّ ‫الر ْح ٰم ِن‬

‫الر ِح ْي ِم‬ ِ ‫ِب ْس ِم‬

َّ ‫هللا‬
Email:
[email protected]
COMPUTER NETWORK SECURITY
 PROGRAM SECURITY
&
NONMALICIOUS ERRORS

Group members:
Zohaib Akram(CPE-05). Habiba Kamran (CPE-03). Sana Fatima (CPE-04).

Email:
[email protected]
Bug: Cause to produce an incorrect or unexpected result.
Error: May lead to a fault.
Fault: A deviation from intended functionality.
Failure: System malfunction caused by fault.
4 ADD A FOOTER 14.12.2020

Note that:
• An error may cause many faults.
• Not every fault leads to a failure.
 PROGRAM SECURITY

A security program is a documented set of your organization's

information security policies, procedures, guidelines, and
standards. Your security program should provide a roadmap for
effective security management practices and controls.

5 14.12.2020
PROGRAM SECURITY(cont’d)

security implies some degree of trust that the program

enforces expected confidentiality, integrity, and availability.

Program security is the ability of a system to protect itself

against accidental or intentional attacks.

Work on program security considers two questions:

1. How do we keep programs free from flaws?
2. How do we protect computing resources against programs
with flaws?

6 ADD A FOOTER 14.12.2020

Fixing faults
You might argue that a module in which 100 faults were discovered and fixed is better than
another in which only 20 faults were discovered and fixed.

 more rigorous analysis and testing had led to the finding of the larger number of
faults.

Early work in computer security was based on the paradigm of

"penetrate and patch (method of judging program security in which a Red
Team intentionally tries to crack a program)" in which analysts searched for
and repaired
faults.
7 ADD A FOOTER 14.12.2020
Fixing faults(cont’d)
However, the patch efforts were largely useless, making the system
less secure rather than more secure because they frequently
introduced new faults.
 Pressure – causes developer to focus on the fault, not on the context.
 The fault often had nonobvious side effects in places other than the
immediate area of the fault.
 Fixing one problem often caused a failure somewhere else.
 The fault could not be fixed properly because system functionality or
performance would suffer as a consequence.
8 ADD A FOOTER 14.12.2020
TYPES OF FLAWS
 validation error (incomplete or inconsistent): permission checks
 domain error: controlled access to data
 serialization and aliasing: program flow order
 inadequate identification and authentication: basis for authorization
 boundary condition violation: failure on first or last case
 other exploitable logic errors

9 14.12.2020
 Non-malicious errors
Most of the mistakes made by the programmer are
unintentional and non-malicious.
Many such errors will not lead to more serious
vulnerabilities but few will put many security
professionals in trouble.

Lets take a look at three such classic error types

10 ADD A FOOTER 14.12.2020

 Buffer overflow
A buffer (or array or string) is a space in which
data can be held. A buffer resides in memory.
Because memory is finite, a buffer's capacity is
finite. For this reason, in many programming
languages the programmer must declare the
buffer's maximum size so that the compiler can
set aside that amount of space.

12 ADD A FOOTER 14.12.2020

 Buffer Overflow

A buffer overflow is the computing

equivalent of trying to pour one liter of
water into a half-liter of jar. Some water is
going to spill out and make a mess.

13 ADD A FOOTER 14.12.2020

 Incomplete Mediation
Sensitive data in exposed or uncontrolled condition.
Usually non-malicious but has serious security consequences.
Example:
 URL generated by client’s browser during online purchase
https://www.---.com/order/final&custid=101&part=55A&qty=20&price=10&shipcost=5&total=205

 Instead user edits URL directly, changing price and total cost:
https://www.---.com/order/final&custid=101&part=55A&qty=20&price=1&shipcost=5&total=25

14 ADD A FOOTER 14.12.2020

 Time-of-Check to Time-of-Use Errors
In computing:
The data are changed between the time they checked and the
time they use.(Bait and switch)
Seller shows customer a Real Rolex watch(Bait).
After buyer pays, switches real Rolex to forged one(Switch).
 The security implication here is pretty clear: Checking one action and
performing another is an example of ineffective access control. We
must be wary whenever a time lag or loss of control occurs, making
sure that there is no way to corrupt the check's results during that
interval.
15 14.12.2020
 Be aware of time lags.
THANK YOU!
ANY QUESTION?
Email:
[email protected]