In the name of Allah, the Most Gracious, the Most Merciful
Email:
[email protected]
COMPUTER NETWORK SECURITY
PROGRAM SECURITY & NONMALICIOUS ERRORS
Group members:
Zohaib Akram (CPE-05), Habiba Kamran (CPE-03), Sana Fatima (CPE-04).
Bug: A flaw that causes a program to produce an incorrect or unexpected result.
Error: A mistake that may lead to a fault.
Fault: A deviation from intended functionality.
Failure: System malfunction caused by fault.
4 ADD A FOOTER 14.12.2020
Note that:
• An error may cause many faults.
• Not every fault leads to a failure.
PROGRAM SECURITY
A security program is a documented set of your organization's
information security policies, procedures, guidelines, and
standards. Your security program should provide a roadmap for
effective security management practices and controls.
PROGRAM SECURITY (cont’d)
Security implies some degree of trust that the program
enforces expected confidentiality, integrity, and availability.
Program security is the ability of a system to protect itself
against accidental or intentional attacks.
Work on program security considers two questions:
1. How do we keep programs free from flaws?
2. How do we protect computing resources against programs
with flaws?
Fixing faults
You might argue that a module in which 100 faults were discovered and fixed is better than
another in which only 20 faults were discovered and fixed, on the grounds that
more rigorous analysis and testing had led to the finding of the larger number of
faults.
Early work in computer security was based on the paradigm of
"penetrate and patch", in which analysts searched for and repaired
faults (a method of judging program security in which a Red
Team intentionally tries to crack a program).
Fixing faults (cont’d)
However, the patch efforts were largely useless, making the system
less secure rather than more secure because they frequently
introduced new faults.
• Pressure causes the developer to focus on the fault, not on its context.
• The fault often had nonobvious side effects in places other than the
immediate area of the fault.
• Fixing one problem often caused a failure somewhere else.
• The fault could not be fixed properly because system functionality or
performance would suffer as a consequence.
TYPES OF FLAWS
validation error (incomplete or inconsistent): permission checks
domain error: controlled access to data
serialization and aliasing: program flow order
inadequate identification and authentication: basis for authorization
boundary condition violation: failure on first or last case
other exploitable logic errors
Non-malicious errors
Most of the mistakes made by the programmer are
unintentional and non-malicious.
Many such errors will not lead to more serious
vulnerabilities, but a few will put many security
professionals in trouble.
Let's take a look at three such classic error types.
Buffer overflow
A buffer (or array or string) is a space in which
data can be held. A buffer resides in memory.
Because memory is finite, a buffer's capacity is
finite. For this reason, in many programming
languages the programmer must declare the
buffer's maximum size so that the compiler can
set aside that amount of space.
Buffer Overflow
A buffer overflow is the computing
equivalent of trying to pour one liter of
water into a half-liter jar. Some water is
going to spill out and make a mess.
Incomplete Mediation
Sensitive data are left in an exposed or uncontrolled condition.
This is usually non-malicious but has serious security consequences.
Example:
URL generated by the client’s browser during an online purchase:
https://www.---.com/order/final&custid=101&part=55A&qty=20&price=10&shipcost=5&total=205
Instead, the user edits the URL directly, changing the price and total cost:
https://www.---.com/order/final&custid=101&part=55A&qty=20&price=1&shipcost=5&total=25
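Complete mediation for the order above, as an added example that is not part of the original slides: the server validates every field and recomputes the total itself. The function name, the catalog contents, the quantity limit and the assumption that the fields arrive as a query string are all hypothetical.

```python
from urllib.parse import parse_qs

# Constructed server-side catalog (assumption): the authoritative price and
# shipping cost per part. The client never supplies these.
CATALOG = {"55A": {"price": 10, "shipcost": 5}}


class TamperedOrder(ValueError):
    """Client-supplied money fields disagree with server-side values."""


def mediate_order(query: str) -> dict:
    """Validate every field and recompute the total on the server."""
    fields = parse_qs(query, strict_parsing=True)
    # Reject repeated parameters: which copy wins depends on the parser.
    if any(len(values) != 1 for values in fields.values()):
        raise ValueError("duplicate parameter")
    f = {name: values[0] for name, values in fields.items()}

    part = f.get("part")
    if part not in CATALOG:
        raise ValueError("unknown part")
    qty_text = f.get("qty", "")
    if not (qty_text.isascii() and qty_text.isdecimal()):
        raise ValueError("qty must be a positive integer")
    qty = int(qty_text)
    if not 1 <= qty <= 1000:  # assumed business limit
        raise ValueError("qty out of range")

    # Money values come from server-side data, never from the request.
    price = CATALOG[part]["price"]
    shipcost = CATALOG[part]["shipcost"]
    trusted = {"price": price, "shipcost": shipcost, "total": price * qty + shipcost}

    # Client copies are used only to detect tampering, then discarded.
    changed = [k for k, v in trusted.items() if k in f and f[k] != str(v)]
    if changed:
        raise TamperedOrder(",".join(changed))
    # custid is passed through here; a real handler would take it from the
    # authenticated session instead (assumption outside the page's example).
    return {"custid": f.get("custid"), "part": part, "qty": qty, **trusted}
```

With the two query strings from the slide, the first is accepted with a total of 205 and the edited one raises TamperedOrder naming the price and total fields.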
Time-of-Check to Time-of-Use Errors
In computing:
The data are changed between the time they are checked and the
time they are used (bait and switch).
• The seller shows the customer a real Rolex watch (bait).
• After the buyer pays, the seller switches the real Rolex for a forged one (switch).
The security implication here is pretty clear: Checking one action and
performing another is an example of ineffective access control. We
must be wary whenever a time lag or loss of control occurs, making
sure that there is no way to corrupt the check's results during that
interval.
Be aware of time lags.
THANK YOU!
ANY QUESTIONS?