Testing for Software Security
1. Testing for Software Security
ECEN5053 Software Engineering of Distributed Systems, University of Colorado, Boulder
Based on: "Testing for Software Security", Herbert Thompson and James Whittaker, Dr. Dobb's Journal, November 2002, pp. 24-34
3. Intended vs. Implemented Behavior
Two overlapping sets: intended functionality and actual software functionality.
- Intended functionality the software fails to deliver: traditional faults
- Actual functionality that was never intended: unintended, undocumented, unknown functionality
Editor's Notes
Example: a media player plays flawlessly, but manages to do so by writing the files out to unencrypted temporary storage. The intended function works; the side effect is the security bug. Oops.
se.fit.edu (Software Engineering, Florida Institute of Technology?)
Environmental stress refers to conditions outside the program that cause it to perform or respond poorly. For example, if the system is short of memory, your application may crash even though it has no memory leak of its own, unless it is written to treat a failed request for more memory as a possible return code and handle it.
The authors scoured bug databases, incident reports, advisories, etc., and identified two broad categories of attacks that can be used to expose vulnerabilities.
Applications rely heavily on their environment to work properly:
- the OS, to provide memory, disk space and other resources
- the file system, to read and write data
- the registry, to store and retrieve information
- etc.
Such failures need to be injected into tests deliberately, to evaluate their impact on the security of the product itself and of its data.
The "why" is on the next slide: you redirect a particular system call to your own impostor function, which can then fail on demand (e.g. out of memory, no disk space) and let you observe how the application copes.
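The impostor-function idea from these notes, as an added Python example (this code is not from the slides or from the Dr. Dobb's article). The application under test (store_secret, with its plaintext fallback), the hardened variant, the vault.bin path and the secret value are all constructed for illustration; unittest.mock stands in for a syscall interposition tool, replacing builtins.open with an impostor that fails for one path and passes everything else through. The check at the end is the one that matters: not "did it crash?" but "where did the secret end up?".

```python
import builtins
import errno
import os
import tempfile
from unittest import mock


def store_secret(secret: str, store: str) -> str:
    """Constructed application under test (deliberately flawed).

    Writes the secret to the 'protected' store file. If that write fails it
    quietly falls back to a plaintext .tmp file next to it, which is exactly
    the kind of unintended side effect the slides warn about."""
    try:
        with open(store, "w") as f:
            f.write(secret)
        return store
    except OSError:
        fallback = store + ".tmp"
        with open(fallback, "w") as f:
            f.write(secret)
        return fallback


def store_secret_fixed(secret: str, store: str) -> str:
    """Hardened version: fail closed and let the caller handle the error,
    never write the secret anywhere else."""
    with open(store, "w") as f:
        f.write(secret)
    return store


def impostor_open(fail_path: str, err: int):
    """Build an impostor for builtins.open: raises OSError(err) when the
    application opens `fail_path`, passes every other call to the real open."""
    real_open = builtins.open

    def fake_open(file, *args, **kwargs):
        is_path = isinstance(file, (str, bytes, os.PathLike))
        if is_path and os.fspath(file) == fail_path:
            raise OSError(err, os.strerror(err), fail_path)
        return real_open(file, *args, **kwargs)

    return fake_open


def run_fault_test(app, err: int = errno.ENOSPC) -> dict:
    """Run `app` with the store write failing with errno `err`, then report
    whether it raised and which files in the directory now contain the
    secret in the clear."""
    secret = "s3cr3t-session-token"          # constructed test data
    result = {"raised": False, "leaked_files": []}
    with tempfile.TemporaryDirectory() as d:
        store = os.path.join(d, "vault.bin")
        with mock.patch("builtins.open", impostor_open(store, err)):
            try:
                app(secret, store)
            except OSError:
                result["raised"] = True
        # Hook is gone again; now check where the secret actually went.
        for name in sorted(os.listdir(d)):
            with open(os.path.join(d, name), "rb") as f:
                if secret.encode() in f.read():
                    result["leaked_files"].append(name)
    return result


if __name__ == "__main__":
    print("vulnerable:", run_fault_test(store_secret))
    print("fixed:     ", run_fault_test(store_secret_fixed))
```

Running it shows the vulnerable version "surviving" the disk-full condition by leaking the secret into vault.bin.tmp, while the fixed version raises and leaves nothing behind. The same harness works for other errnos (EACCES, EIO) and for other entry points; in a native code base the interposition would be done with LD_PRELOAD or a Windows API hooking tool rather than mock.patch, but the test design is the same.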
The most extreme vulnerability is when password data or other sensitive data is stored unprotected in the registry. Example: a licence flag kept as a plain registry value, 1 for purchased and 0 for trial, which a user can simply flip.
Subsequent slides explain these.
Revealing unintended information: for example, reporting an invalid username separately from an invalid password for that username tells an attacker which usernames exist... duh!
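The username/password message leak as an added example, not code from the original slides. The user table (alice and her password), the login functions and the attacker's probe are all constructed for illustration. The fixed version returns one message for both failures and does the same hashing work whether or not the name exists, so neither the text nor the timing of the response distinguishes the two cases.

```python
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a modest iteration count keeps the example quick.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed user table for the example (not real accounts).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so unknown names cost the same work as known ones.
_DUMMY = (_SALT, _hash("not-a-real-password", _SALT))


def login_leaky(username: str, password: str) -> str:
    """Deliberately leaky: the failure message says which check failed."""
    rec = USERS.get(username)
    if rec is None:
        return "invalid username"
    salt, stored = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "invalid password"
    return "ok"


def login_fixed(username: str, password: str) -> str:
    """One message for both failures, and the same hashing work whether or
    not the username exists. The `username in USERS` check stops the dummy
    record from ever authenticating anyone."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)
    if match and username in USERS:
        return "ok"
    return "invalid username or password"


def enumerate_users(login, candidates) -> list:
    """The attacker's probe: names whose failure response differs from the
    response for a name that certainly does not exist."""
    baseline = login("no-such-user-zz", "wrong")
    return [u for u in candidates if login(u, "wrong") != baseline]


if __name__ == "__main__":
    names = ["alice", "bob", "root"]
    print("leaky:", enumerate_users(login_leaky, names))   # ['alice']
    print("fixed:", enumerate_users(login_fixed, names))   # []
```

The probe is the test to keep: run it against the real login endpoint with a list of plausible names and a list of names that cannot exist, and any difference in message, status code or response time between the two lists is the leak.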
The "good guys" can get mad, get laid off, etc. This was the hack used in the court case I testified in last year: :$$ DATA