Your SlideShare is downloading. ×
0
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Wouter Joosen, iMinds Security Department, iMinds The Conference 2013

337

Published on

Wouter Joosen, iMinds Security Department, iMinds The Conference 2013 …

Wouter Joosen, iMinds Security Department, iMinds The Conference 2013

Track 1, Disruptive Digital Research Technologies

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
337
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. News from the Software & Security Frontline Wouter Joosen, Director iMinds Security Department Dec 5th, 2013 @iminds #imindsconf
  • 2. @iminds #imindsconf
  • 3. @iminds #imindsconf
  • 4. TODAY IS DIFFERENT @iminds #imindsconf
  • 5. outline 1. Impact of software quality on security – two technologies 2. Future for embedded systems 3. System and software engineering AND system an software management: sneak preview on the DREAMAAS-ICON (20122103) with UPnxt, Noesis and Luciad… @iminds #imindsconf
  • 6. the impact of software quality on security @iminds #imindsconf
  • 7. impact of software quality on security • Specialists: verification technology – Direct assessment (A) • For any developer – Indirect assessment (B) @iminds #imindsconf
  • 8. <1A> VeriFast Software Quality @ Development time @iminds #imindsconf
  • 9. VeriFast C or Java source code Guarantees that program ● has no buffer overflows ● has no integer overflows ● has no data races ● uses APIs correctly ● satisfies specification Specification VeriFast Proof hints ~ 1s User can step through trace and inspect symbolic states or "0 errors found" Symbolic execution trace showing error @iminds #imindsconf
  • 10. VeriFast: verified programs -cases ● Fine-grained concurrent data structures ● ● JavaCard applets (incl. for Belgian eID card) ● ● Functional correctness Crash-freedom, safe API usage Linux device drivers Memory safety, data-race-freedom, safe API usage ● Embedded software (for Telefonica home gateway) ● ● Memory safety, data-race-freedom, safe API usage Cryptographic protocol implementations (RPC, Needham-Schroeder-Lowe) @iminds #imindsconf
  • 11. <1B> Fault Prediction, based on Text Mining Software Quality @ Development time @iminds #imindsconf
  • 12. Research question Can we build a (good quality) classifier that predicts vulnerable components in C++ applications? Idea: Analyze the tokens in each component's code (e.g., if, while, var names) and use them as predictors @iminds 12 #imindsconf
  • 13. Prediction in the future v 4.0 Build prediction model (using 1 version) v 5.0 ... v 12.0 Test performance of prediction model (in each of the following 8 version) @iminds 13 #imindsconf
  • 14. Benchmark ● Find at least 80% of the components containing vulnerabilities (cost) by inspecting at most 20% of the application components (benefit) @iminds 14 #imindsconf
  • 15. Results ● We exceedingly meet the benchmark ● ● For all the “future” versions Better than best results in the state-of-theart (i.e., Shin et al., TSE 37(6), 2011) @iminds 15 #imindsconf
  • 16. < 2> (EMBEDDED) SYSTEMS @iminds #imindsconf
  • 17. Emerging technology: PMA’s • Protected Module Architectures: – Low-level security architectures that implement an “inverse sandbox”: protect a module from a buggy or malicious environment • E.g. run code securely even on top of a kernel infected with malware @iminds #imindsconf
  • 18. Emerging technology: PMA’s • Implementations – Pioneering work by Parno et. al. at CMU: the Flicker system • https://sparrow.ece.cmu.edu/group/flicker.html • Bryan Parno was awarded the ACM 2010 doctoral thesis award for this work – Follow-up implementations, including several from iMinds: • Fides (Strackx et al, CCS 2012), Sancus (Noorman et al., Usenix Sec 2013) – INTEL publicly announced their implementation this summer: • http://software.intel.com/en-us/intel-isa-extensions#pid-19539-1495 @iminds #imindsconf
  • 19. Protected module architecture (simplified) • Modules consist of: – A code section, with designated entry points – A data section (also containing control data) • The PMA: – Controls creation/deletion of modules – Enforces a PC-based access control model @iminds #imindsconf
  • 20. Research challenges ahead • How can Protected Module Architectures efficiently, securely and reliably persist state? • What is the minimal hardware support required to implement PMA’s: – That support remote attestation – That support state continuity – That do not need software in the TCB @iminds #imindsconf
  • 21. Research challenges ahead • How do we offer higher-level abstractions for these low-level security architectures? – Key idea: maintain the modularity properties of source code at machine code level by secure compilation. • How do we provide assurance of the correctness of the protected module itself? – These modules might be small enough to be amenable to formal verification @iminds #imindsconf
  • 22. <3> Management Of Software and Systems @iminds #imindsconf
  • 23. An architecture for MultiCloud @iminds #imindsconf
  • 24. @iminds #imindsconf
  • 25. @iminds #imindsconf
  • 26. Where is the hype? <3> JUST IN TIME @iminds 26 #imindsconf
  • 27. Recap 3 dimensions, 3 illustrations 1. Impact of software quality on security (broad audience) 2. Future for embedded systems (quite a lot of ICT players in Flanders: 3. System and software engineering AND system an software management (DEVOPS). @iminds #imindsconf
  • 28. Wouter Joosen wouter.joosen@cs.kuleuven.be Join iMinds @iminds #imindsconf

×