Security case buffer overflow
Transcript

  • 1. Security case – buffer overflow
      Security assurance case study, 2013
  • 2. Security cases
      • A structured body of evidence that supports an argument related to the security of a system
      • Intended to convince a regulator or system controller that the system is acceptably secure
      • Comparable to safety cases
  • 3. CLAIM: The system is acceptably secure
      SUBCLAIMS:
      • Requirements – There are no missing or existing requirements that create security vulnerabilities
      • Design – There are no design errors that create security vulnerabilities
      • Coding – There are no implementation errors that create security vulnerabilities
      • Operation – Operational procedures guard against security deficiencies
  • 4. Coding: There are no implementation errors that create security vulnerabilities
      • Programmers trained – Programmers have been trained in secure coding practice for the development language used
      • Coding defects – Security-threatening coding defects have been identified and checked
      • Buffer overflow – There are no buffer overflow possibilities in the code
      EVIDENCE:
      • Description of good coding practice
      • Records of programmer training
      • Input checks – All inputs checked for validity
  • 5. Buffer overflow: There are no buffer overflow possibilities in the code
      • Code review – Code reviews showed no potential buffer overflows
      • System testing – Testing the code with invalid inputs (long strings) resulted in all invalid inputs being rejected
      • Static analysis – Static analysis tool did not report buffer overflow possibilities
  • 6. System testing: Testing the code with invalid inputs (long strings) resulted in all invalid inputs being rejected
      • Test selection analysis – Justification that the system tests chosen were adequate to discover buffer overflow
      • Test plan – The tests chosen and expected test results
      • Test results – Results of running the tests on the system
  • 7. Security arguments
      • Security should be based on multiple arguments rather than a single argument
      • Key elements
          – Competence of the development team
          – Conformance with recommended development processes
          – Use of manual and automated analysis of code, designs and documents
          – System testing
  • 8. Tool support
      • Security and safety arguments depend on organising a large volume of records, documents, test results, etc.
      • Difficult to do manually, so tool support for argumentation, reporting and document management is required
      • Commercial tools are available to support this activity, e.g. the Adelard safety case editor
  • 10. Conclusions
      • Security cases involve making structured arguments, backed up by evidence, about the security of a system.
      • Security cases will become increasingly important as regulators and managers will expect these to be produced before security-critical software is released
      • Interesting challenge of reconciling security cases (which rely on documentation) and agile software development (which relies on minimising documentation)
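
Slides 4 to 6 cite input checks and long-string testing as evidence for the "no buffer overflow" claim. The C sketch below is an added example, not taken from the slides: a length-checked copy plus a boundary test whose result could be filed as "Test results" evidence. The names set_name, struct record, NAME_LIMIT and run_length_tests are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LIMIT 31  /* assumed maximum name length, excluding the NUL */

struct record { char name[NAME_LIMIT + 1]; };

/* Input check: over-long input is rejected, never truncated or copied.
 * Returns 0 if the input was stored, -1 if it was rejected. */
int set_name(struct record *r, const char *input, size_t len)
{
    if (r == NULL || input == NULL)
        return -1;
    if (len == 0 || len > NAME_LIMIT)
        return -1;
    if (memchr(input, '\0', len) != NULL)   /* embedded NUL hides data */
        return -1;
    memcpy(r->name, input, len);
    r->name[len] = '\0';
    return 0;
}

/* System test: every length from 0 to 4x the limit (constructed input).
 * Returns the number of results that contradict the expected outcome. */
int run_length_tests(void)
{
    struct { struct record rec; unsigned char canary[8]; } t;
    char input[4 * NAME_LIMIT];
    int mismatches = 0;

    memset(input, 'A', sizeof input);
    for (size_t len = 0; len <= sizeof input; len++) {
        memset(&t, 0, sizeof t);
        memset(t.canary, 0xA5, sizeof t.canary);
        int stored = (set_name(&t.rec, input, len) == 0);
        int expected = (len >= 1 && len <= NAME_LIMIT);
        if (stored != expected)
            mismatches++;
        for (size_t i = 0; i < sizeof t.canary; i++)
            if (t.canary[i] != 0xA5)        /* write past rec.name */
                mismatches++;
    }
    return mismatches;
}

int main(void)
{
    printf("mismatches: %d\n", run_length_tests());
    return 0;
}
```

A zero result supports only the system-testing subclaim; the case on slide 5 still relies on code review and static analysis as independent evidence.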