TDDC90 Software Security (6 ECTS)

HT2

Literature - Additional

LAB 1: PONG

Here are some papers and other resources on manual code inspection. They are provided as a starting point for you; you are not required to read them all.

		OWASP Code Review Guide (Note that this guide is focused towards reviews of web applications, and not C programs such as Pong.)
		Jack Ganssle: A Guide to Code Inspections
		Michael Fagan: Design and code inspections to recude errors in program development (IBM Systems Journal 1976)
		E.P. Doolan: Experience with Fagan's Inspection Method (Software Practice and Experience 1991)

The following links to catalogs of vulnerability types may be helpful when trying to figure out what to look for in code reviews.

		CWE - Common Weakness Enumeration
		CLASP Vulnerability view

These are two reports on security reviews conducted on electronic voting machine software. These reviews used a combination of methods to arrive at the results.

		J. Calandrino, A. Feldman, J. A. Halderman, D. Wagner, H. Yu, W. Zeller: Source Code Review of the Diebold Voting System
		A. Yasinsac, D. Wagner, M. Bishop, T. Baker, B. de Medeiros, G. Tyson, M. Shamos, M. Burmester: Software Review and Security Analysis of the ES&S iVotronic 8.0.1.2 Voting Machine Firmware

The following classical paper on how to exploit stack-based buffer overflows may be helpful for the exploit-part of the lab.

Aleph One. Smashing The Stack For Fun and Profit. Phrack 49, 14. 1996.

A paper on setuid (useful when fixing PONG).

H. Chen, D. Wagner, D. Dean: Setuid Demystified (11th Usenix Security Symposium, 2002)

Vulnerabilities, exploits and prevention

			R. Watson. Exploiting concurrency vulnerabilities in system call wrappers. In Proceedings of WOOT'07, the First USENIX Workshop on Offensive Technologies. 2007.
			Anonymous. Once upon a free()... Phrack 0x0b(0x39), phile #0x09.
			scut, team teso. Exploiting format string vulnerabilities.
			H. Shacham, M. Page, B. Pfaff, E-J. Goh, N. Modadugu, D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS'04. October, 2004.
			Nergal. The advanced return-into-lib(c) exploits: PaX case study. Phrack 0x0b(0x3a), phile #0x04.
			G. Kc, A. Keromytis, V. Prevelakis. Countering code-injection attacks with instruction-set randomization
			Michel "MaXX" Kaempf. Vudo - an object superstitiously believed to embody magical powers. Phrack 0x0b(0x39), phile #0x08.
			Documentation for the PaX project
			H. Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). 2007.

Secure software development and secure design

This list of resources is made available as-is. There may be little or no overlap with what is discussed in the course, however it is a good starting point for those who want to dive deeper into some topics.

			N. Davis. Secure Software Development LifeCycle Processes
			P. Hope, S. Lavenhar, G. Peterson. Architectural Risk Analysis
			G. McGraw. Risk Management Framework
			N. Mead. Security Requirements Engineering
			N. Mead. SQUARE Process
			S. Lipner, M. Howard. The Trustworthy Computing Security Development Lifecycle
			S. B. Lipner. The trustworthy comuting security development lifecycle. In Proceedings of the 20th Annual Computer Security Application Conference (ACSAC), Dec. 2004.
			Common Criteria Portal
			D. Byers, N. Shahmehri. Design of a process for software security. In Proceedings of the International Conference on Availability, Reliability and Security (ARES) 2007.
			Secure Software Inc. The CLASP application security process. 2005.
			J. McDermott, C. Fox. Using abuse case models for security requirements analysis. In the Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC), 1999.
			N. Mead, T. Stehny. Security quality requirements engineering (SQUARE) Methodology. In the Proceedings of the Workshop on Software Engineering for Secure Systems (SESS), 2005.
			D. Firesmith. Engineering security requirements. Journal of Object Technology, vol. 2, no. 1, January-February 2003. pp. 53-68.
			D. Mellado, E. Fernï¿½ndez-Medina, M. Piattini. A common criteria based security requirements engineering process for the development of secure information systems. Computer Standards & Interfaces, vol 29. 2007. pp. 244-253.
			J. Wilander, J. Gustavsson. Security Requirements-A Field Study of Current Practice. In the E-Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS 2005), 2005.
			J. Viega. Building security requirements with CLASP. In the Proceedings of the Workshop on Software Engineering for Secure Systems (SESS), 2005.
			D. Wheeler. Secure Programmer: Minimizing Privileges
			P. Torr. Demystifying the threat modeling process. IEEE Security & Privacy. 2005.
			N. Provos, M. Friedl, P. Honeyman. Preventing privilege escalation. In Proceedings of the 12th USENIX Security Symposium. August 2003.

Security testing

P. Godefroid, M. Levin, D. Molnar. Automated Whitebox Fuzz Testing. Microsoft Research Technical Report MSR-TR-2007-58.

Software engineering reviews

1028-2008 - IEEE Standard for Software Reviews and Audits (section 6 only) Available via the LiU-library website.

Page responsible: Ulf Kargén
Last updated: 2023-10-29

IDA - Department of Computer and Information Science