Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Secure Programming - A Way of Life or Death

advertisement 
Secure Programming:
A Way of Life (or Death)
Matt Bishop
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Disclaimer
ä
All opinions expressed here are not
necessarily those of the:
ä
ä
ä
ä
ä
ä
Computer Security Laboratory
Department of Computer Science
University of California
Any other organization mentioned in here
U.S. government and any of its agencies
Anyone else you can think of
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #2
Theme: Does It Matter?
ä
ä
How important is secure coding?
If it is so important, why aren’t we “priming
the pump” seriously?
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #3
Weinberg’s Second Law
If builders built buildings the way programmers
wrote programs . . .
then the first woodpecker to come along
would destroy civilization
The Psychology of Computer Programming (1971)
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #4
What Exactly Are We Talking
About?
ä
ä
ä
robust programming—prevents abnormal
termination, unexpected actions
secure programming—satisfies (stated or
implicit) security properties
Example: buffer overflows
ä
ä
Always non-robust programming
May or may not be non-secure programming
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #5
Robust vs. Secure Programming
Secure programming requires robust programming
You can’t have realistic security without robustness
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #6
Problem
ä
ä
We don’t build systems that meet security
requirements
We don’t write software that is robust
ä
ä
Some exceptions in special cases
Many different models for developing
software
ä
Agile, waterfall, rapid prototyping, . . .
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #7
Quality of Code
ä
Underlying all this is programming
ä
ä
ä
When coding, you make assumptions about
services, systems, input, output
Other components you rely on have bugs or
may act unexpectedly
Hard to have robust, secure software when
the infrastructure isn’t
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #8
Security is Cumulative
ä
ä
Composing non-secure modules produces
non-secure software
Can ameliorate this with shims to handle
non-secure results
ä
ä
ä
Shims provide the security
What if they themselves are written, installed,
etc. non-securely?
What if they can be bypassed?
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #9
More Problems
ä
Refactor code, use external libraries,
modules, services
ä
ä
Example: RSAREF2 library buffer overflow
(1999)
ä
ä
You inherit their bugs and assumptions!
Affected ssh, anything using that library
Move code into different environment,
assumptions may not hold
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #10
Basic Principles of Robustness
ä
ä
ä
ä
Paranoia
Assume maximum stupidity
Don’t hand out dangerous implements
“Can’t happen” means it can
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #11
Helping Solve the Technical
Problem
ä
Isolate assumptions, make them explicit
ä
ä
ä
ä
Not just your code, but also about what your code
calls
Allows you to build (informal) preconditions,
postconditions for others to use
Make them part of the documentation (or
comments)
Identify those relating to security explicitly
ä
Good judgment needed here
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #12
Test to These!
ä
Make sure your assumptions hold in the
environment(s) you intend the software to
be used
ä
ä
ä
If you state them explicitly, users can check
them
Think autoconf to check these on installation
Warn if not met!
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #13
What Will Drive Improvement?
ä
Commercial incentives
ä
ä
ä
ä
ä
Financial savings from not cleaning up so many
messes
Maintenance simpler
Better reputation (of products, company)
Easier to bring new programmers, software
engineers up to speed on products
Issues of software liability
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #14
What Will Drive Improvement?
ä
Government incentives
ä
ä
ä
Financial savings from not cleaning up so many
messes
Maintenance simple
Better defenses for national security
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #15
Software Liability
ä
You can’t say “I’m not responsible for anything”
ä
ä
You can limit liability somewhat by defining use,
environment
ä
ä
Chain of distribution (ie, supply chain) liability exists
now
Then you’re liable in that context but (probably) not in
others
It is coming . . .
ä
EULAs may not be enforceable (“contracts of
adhesion”)
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #16
So What’s Holding Us Back?
ä
Commercial
ä
ä
ä
ä
No legal liability for bad software
More expensive to make; longer time to market
Lack of people who write robust code
Government
ä
ä
ä
Need to spend more money to get it
Need to pay more attention to installation,
maintenance, use
Need to recruit people who can use it well
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #17
So What’s Holding Us Back?
ä
Academic
ä
Robust coding not seen as integral to programming
ä
ä
Lack of support for enforcing and grading for it in
non-introductory classes
ä
ä
Textbooks loaded with examples of non-robust
programming
Ties into lack of graders who really know about this
Lack of faculty who understand robust
programming
ä
And intimidation factor for those who know they don’t
understand it
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #18
Lack of Resources
ä
Assurance costs!
ä
ä
Industry expected to deliver secure, robust
products without offset for the extra effort in
delivering them
Academia expected to teach and reinforce
robust programming without offset for the extra
effort in supporting this
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #19
Lack of People
ä
Need to teach people how to write robust
programming
ä
ä
Need to emphasize this in the practice,
supporting it both in education and industry
Continuous practice is central to
reinforcing, maintaining, extending skills
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #20
Focus for Rest of Talk
ä
How can industry and government work
with academic institutions to do this?
ä
ä
ä
ä
Carrots, not sticks
Security tuned to environment, use
What is “secure” varies among companies and
government organizations
Everyone lacks resources!!!
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #21
How Do We Teach Secure
Programming?
ä
SESS report has suggestions
ä
ä
http://nob.cs.ucdavis.edu/~bishop/notes/2011-sess/2011-sess.pdf
Key conclusion: no one sector can improve
the state of the practice on its own
ä
“We must all hang together, or we shall all
hang separately” (B. Franklin)
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #22
Questionable Idea #1: Testing
Students’ Knowledge
ä
ä
ä
ä
ä
Who creates the tests?
Who is being tested?
How do you know that you are testing what
is important (that is, the “right thing”)?
Who determines what is an acceptable
result?
Teaching for the test, not the material
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #23
Questionable Idea #2:
Unsupported Mandates
ä
The support has to come from somewhere
ä
ä
It’s like a zero-sum game
What do you want to weaken?
ä
ä
If you only have so many resources, something
will have to give
You don’t want to weaken the core foundation
of understanding why certain programming
paradigms are critical
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #24
What Can Academia Do?
ä
ä
Include robustness in evaluation of
programs, programming projects
Create a “secure programming clinic”
ä
ä
Like an English clinic, or a writing clinic for
law schools
Provide supplementary material for
textbooks, classes
ä
These should emphasize robust programming
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #25
What Can Industry Do?
ä
ä
Key is to do more than say it is important
Make clear that the skills are important for
hiring
ä
ä
Mention their need in job openings
Preference to those with skill in this also helps
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #26
Work With Students and Faculty
ä
Internships
ä
ä
ä
Students love these; good recruiting tool
Tasks requiring robust programming emphasize
its importance to students
Help teach students
ä
ä
Review students’ code
Team with colleges in senior/capstone projects
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #27
What Will This Do?
ä
Increase student demand
ä
ä
If students see it as important, they will ask
about it in class, evaluate programs, faculty in
part on it
Increase your visibility
ä
ä
Good recruiting tools
A corporate “good citizen”
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #28
What Has SANS Done?
ä
SANS has a great track record
ä
ä
ä
Faculty workshop on exercises for secure
programming (Apr. 2008)
Participation in summits, other forums to
promote teaching secure programming,
contributing ideas and enthusiasm
Teaching secure programming in its courses
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #29
What Can SANS Do?
ä
Convene collaborative strategic planning effort
ä
ä
ä
ä
ä
Among industry, government, academic leaders
Identify specific goals; build on SESS results, ideas
Figure out how to move forward to implement
teaching robust programming on a large scale
Need to set priorities, actions to realize them
Must be done collaboratively
ä
That way, the goals and actions are not tied to selfinterest; they have more credibility and community
support
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #30
What Can SANS Do?
ä
Agitate for targeted, sufficient resources to
support the plans
ä
ä
ä
Evaluation mechanism to gauge effectiveness
Example: if such a plan endorses robust and secure
programming for both current students and
practitioners, how will we best achieve these goals?
More immediately: help link practitioners to
programs, clinics that need them
ä
Connecting people is the hardest part of getting
support to academic programs
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #31
Government Support
ä
ä
ä
Act like an industry (see above)
Government can also fund programs
Imperative: target funding towards this
specific purpose
ä
ä
That will require funding to be used for
supporting robust programming
If done as adjunct, it is likely to disappear in the
main purpose of the funding
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #32
NSF/DHS CAEIAE Program
ä
ä
ä
ä
Begun in 1997 with 7 universities
Office of the Assistant Secretary of Defense
for Networks and Information Integration
does oversight
Academia funded via IASP (scholarships)
and Capacity Building grants
Program has very limited funding
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #33
NSF Education and Human
Resources
ä
ä
Scholarships for Service supports graduate
students
Capacity building funds to improve state of
education in computer security
ä
ä
ä
Secure programming projects funded here are
prototypes
Focus on tool development, building awareness
Funding not large
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #34
NSF Funding Sources
ä
ä
ä
Program funded in the Commerce/Justice/
Science appropriations bill
Could add extra funding targeted to secure
programming projects specifically
Focus for NSF alone should be on
experimental projects to learn what works,
what doesn’t, and under what conditions
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #35
Critical Warning About NSF
Augment NSF’s budget to cover this
Otherwise, the state of computer security (and
other research) will degrade, impairing our
nation’s strengths in science and technology
as well as other areas
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #36
National Initiative for
Cybersecurity Education
ä
ä
ä
Run by Dept. of Education and NSF
Being transferred to NIST
Mission:
“bolster formal cybersecurity education programs
encompassing kindergarten through 12th grade,
higher education and vocational programs”
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #37
More About NICE
ä
Component 2 includes developing a
“cybersecurity capable workforce”
ä
ä
ä
Analogy between teaching cybersecurity and
subjects like reading, writing, science,
mathematics
Analogy with writing good English seems
appropriate
Seems to be a natural program to drive this
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #38
Key Point
ä
ä
Build on existing programs
Understand that academia is a different
environment—completely
ä
Business models don’t work well because the
“end product” is intangible
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #39
A Really, Really Important
Point!
ä
Academic institutions are rarely governed
hierarchically
ä
ä
Example: UC has an administration and an
Academic Senate
The Senate, not the administration, has
responsibility for the curriculum
Effect: no-one can order faculty to teach
something in a particular way
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #40
Conclusion
ä
ä
ä
ä
The state of practice can, and must, change
Teaching robust programming, and nothing
more, will not help
The marketplace must also change, as must
current practice
The public will be the main driver
ä
Unfortunately, probably through lawsuits . . .
Computer Security Laboratory
Dept. of Computer Science
University of California at Davis
Slide #41
Related documents
Welcome to Session 640 – Evolution of Diagnostics for Feline Asthma
Welcome to Session 640 – Evolution of Diagnostics for Feline Asthma
Welcome to Session 641 – Evolution of Therapeutics for Feline
Welcome to Session 641 – Evolution of Therapeutics for Feline
3rd Annual UC Davis Undergraduate Philosophy Essay Contest
3rd Annual UC Davis Undergraduate Philosophy Essay Contest
EIFFEL TECHHK
EIFFEL TECHHK
United States Department of Agriculture February 27, 2012 Neal
United States Department of Agriculture February 27, 2012 Neal
United States Department of Agriculture August 06, 2012 Neal Van
United States Department of Agriculture August 06, 2012 Neal Van
Sociolinguistics and General Linguistics
Sociolinguistics and General Linguistics
Download
advertisement