
Engineering Secure Software Systems Notes

The document outlines the importance of software security and assurance, defining them as processes to ensure software functions correctly and securely. It discusses common threats such as buffer overflow and SQL injection, sources of insecurity, and the benefits of early detection of security issues. Additionally, it highlights properties of secure software and defenses against memory-based attacks, emphasizing the need for integrating security into the software development life cycle.

Uploaded by

petri.success

ESSS - Unit 1 - Engineering Secure Software System Unit 1


Notes
engineering secure software systems (Anna University)


ENGINEERING SECURE SOFTWARE SYSTEMS

UNIT I: NEED OF SOFTWARE SECURITY AND LOW-LEVEL ATTACKS

1. SOFTWARE ASSURANCE AND SOFTWARE SECURITY

Software Assurance

• Definition: Confidence that software functions as intended and is free from vulnerabilities.

• Goal: Ensure software is built to meet requirements securely and reliably.

• Importance: Prevents unauthorized access and reduces security risks.

Software Security

• Definition: Process of designing, developing, and maintaining software that continues to function correctly under malicious attack.

• Focus: Security is built-in rather than added-on after development.

2. THREATS TO SOFTWARE SECURITY

Common Threats:

• Buffer Overflow: Writing more data to a buffer than it can hold.

• SQL Injection: Injecting malicious SQL queries into input fields.

• Cross-Site Scripting (XSS): Inserting scripts into web pages viewed by others.

• Denial of Service (DoS): Overloading a system to make it unavailable.

• Privilege Escalation: Gaining unauthorized access to higher permissions.

Why They Matter:

• Can cause data theft, financial loss, downtime, and reputational damage.

• Often arise from insecure code, poor validation, or unsafe libraries.


3. SOURCES OF SOFTWARE INSECURITY

| Source | Description |
|---|---|
| Coding Errors | Mistakes like not validating inputs, using unsafe functions like strcpy. |
| Design Flaws | Insecure architectures, ignoring threat models. |
| Configuration Issues | Misconfigured servers, open ports, weak passwords. |
| Human Errors | Lack of developer training, social engineering. |
| Third-party Components | Vulnerabilities in libraries, plugins, APIs. |

4. BENEFITS OF DETECTING SOFTWARE SECURITY ISSUES EARLY

| Benefit | Explanation |
|---|---|
| Cost Effective | Fixing vulnerabilities early is cheaper than after deployment. |
| Faster Development | Reduces time fixing bugs later in the lifecycle. |
| Improved Security | Early detection reduces chances of breaches. |
| Compliance | Helps meet regulations like GDPR, HIPAA, ISO 27001. |
| User Trust | Secure systems gain more user confidence. |

5. PROPERTIES OF SECURE SOFTWARE

| Property | Description |
|---|---|
| Confidentiality | Prevents unauthorized access to sensitive data. |
| Integrity | Protects against unauthorized modifications. |
| Availability | Ensures system and services are always accessible. |
| Authentication | Confirms user identity. |
| Authorization | Grants permissions based on roles. |
| Non-repudiation | Ensures actions are traceable (logging, auditing). |

6. MEMORY-BASED ATTACKS

Memory corruption vulnerabilities often allow attackers to take control of a system.

Stack-Based Attacks

• Buffer Overflow:

    o Data exceeds allocated buffer size.

    o Overwrites return address in the stack.

    o Example: Use of gets() or strcpy().

Heap-Based Attacks

• Use-After-Free:

    o Accessing memory after it has been freed.

• Heap Spraying:

    o Injecting code into predictable memory locations.

Format String Attacks

• Occur when user input is passed as the format string in functions like printf().

• Can allow reading/writing to memory addresses.

7. DEFENSE AGAINST MEMORY-BASED ATTACKS

| Defense Technique | Description |
|---|---|
| Safe Functions | Use strncpy, fgets instead of strcpy, gets. |
| Input Validation | Sanitize and validate all user inputs. |
| Stack Canaries | Random values between buffers and return addresses to detect corruption. |
| ASLR (Address Space Layout Randomization) | Randomizes memory address space to prevent predictability. |
| DEP (Data Execution Prevention) | Prevents execution of non-code memory regions. |
| Memory-Safe Languages | Use languages like Python, Java to avoid manual memory management. |
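
The safe-function and input-validation defenses above, together with the format string issue from section 6, as an added C example that is not part of the original notes. The helper names (copy_checked, strncpy_unterminated, format_greeting) and all sample inputs are constructed for illustration; the example also shows that strncpy on its own does not guarantee a terminated string.

```c
#include <stdio.h>
#include <string.h>

/* strcpy() replacement (hypothetical helper): copies src only if it fits,
 * terminator included. Returns 0 on success, -1 if the input is rejected. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (len < dst_size && src[len] != '\0')
        len++;                      /* never reads past dst_size bytes */
    if (len == dst_size) {          /* no room for '\0': reject, do not truncate */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* strncpy() caveat: when src has n or more characters, no terminator is
 * written. Returns 1 if dst was left unterminated within its n bytes. */
int strncpy_unterminated(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

/* Input goes in as a "%s" argument, never as the format string, so any
 * conversion specifiers it contains stay plain data. Returns chars stored. */
int format_greeting(char *out, size_t out_size, const char *input)
{
    int n = snprintf(out, out_size, "Hello, %s", input);
    if (n < 0) return -1;
    return (size_t)n >= out_size ? (int)out_size - 1 : n;
}

int main(void)
{
    char name[8], msg[32];
    const char *long_input = "AAAAAAAAAAAAAAAA";   /* constructed, 16 chars */
    printf("short input: %d\n", copy_checked(name, sizeof name, "alice"));
    printf("long input:  %d\n", copy_checked(name, sizeof name, long_input));
    printf("strncpy unterminated: %d\n",
           strncpy_unterminated(name, sizeof name, long_input));
    format_greeting(msg, sizeof msg, "%x%x%n");    /* constructed input */
    puts(msg);
    return 0;
}
```

Rejecting oversized input rather than truncating it keeps the length check and the validation decision in one place; callers that accept truncation still need to write the terminator themselves after strncpy.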

Conclusion

• Software security is critical to protect systems from evolving cyber threats.

• Early detection, secure design, and understanding low-level attacks like buffer overflow and heap exploitation are essential.

• Integrating security into the Software Development Life Cycle (SDLC) improves overall software robustness and reduces long-term risks.
