First Principles
Vulnerability Assessment
Computer Architecture &
Operating Systems Department
Universitat Autònoma de Barcelona
Elisa Heymann
Manuel Brugnoli
The Bad News
• The bad guys are trying to do really bad things to us.
• They are smart, dedicated and persistent.
• No single approach to security can be sufficient.
• The attackers have a natural advantage over the defenders.
We have to approach the defense of our systems as security in depth.
The Good News
• We started by trying to do something simple: increase our confidence in the security of some critical Grid middleware.
• We ended up developing a new manual methodology: First Principles Vulnerability Assessment.
• We found some serious vulnerabilities … and more vulnerabilities … and more.
Key Issues for Security
• Need independent assessment
  – Software engineers have long known that testing groups must be independent of development groups
• Need an assessment process that is NOT based solely on known vulnerabilities
  – Such approaches will not find new types and variations of attacks
Our Piece of the Solution Space
First Principles Vulnerability Assessment:
• An analyst-centric (manual) assessment process.
• You can’t look carefully at every line of code, so: start with architectural analysis, then identify key resources and privilege levels, component interactions and trust delegation, then focused component analysis.
• Don’t start with known threats … instead, identify high value assets in the code and work outward to derive threats.
First Principles Vulnerability Assessment
Understanding the System
Step 1: Architectural Analysis
– Functionality and structure of the system, major components (modules, threads, processes), communication channels
– Interactions among components and with users
Architectural Analysis: Condor
[Figure: Condor architecture diagram. Legend: OS privileges "condor & root" vs "user". Hosts and daemons shown: Condor submit host (master, schedd, shadow, submit); Condor execute host (master, startd, starter, job); Stork server host (master, stork_server); another host (labelled in the slide as a Condor execute host) running master, negotiator and collector. Numbered interactions: 1. fork; 2. machine ClassAd; 3. submit job ClassAd; 4. job ClassAd; 5. Negotiator cycle; 6. Report match; 7. claim host; 8. fork; 9. establish channel; 10. start job.]
First Principles Vulnerability Assessment
Understanding the System
Step 2: Resource Identification
– Key resources accessed by each component
– Operations allowed on those resources
Step 3: Trust & Privilege Analysis
– How components are protected and who can access them
– Privilege level at which each component runs
– Trust delegation
Resource Analysis: Condor
[Figure: Condor resource diagram. Legend: OS privileges condor, root, user.
(a) Common Resources on All Condor Hosts: a generic Condor daemon accessing Condor Binaries & Libraries, Condor Config (etc), Operational Data & Run-time Config Files (spool), and Operational Log Files (log).
(b) Unique Condor Checkpoint Server Resources: ckpt_server accessing the Checkpoint Directory (ckpt).
(c) Unique Condor Execute Resources: User Job and starter accessing Job Execution Directories (execute); System Call Forwarding and Remote I/O (with Standard Universe Jobs); Send and Receive Checkpoints (with Standard Universe Jobs).
(d) Unique Condor Submit Resources: shadow accessing User’s Files (user).]
First Principles Vulnerability Assessment
Search for Vulnerabilities
Step 4: Component Evaluation
– Examine critical components in depth
– Guide search using: diagrams from steps 1-3; knowledge of vulnerabilities
– Helped by automated scanning tools
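The following is an added example, not code from the slides or from the Condor project. It encodes the two Condor diagrams (steps 1-3) as data and derives the step-4 review order from them: which components receive input that a user controls, where that input crosses into a higher privilege level, and which of those components touch the most key resources. Component names, channel labels and resources come from the slides; the direction of each channel, the privilege level assigned to each daemon (the slide conveys privilege by colour, which the text does not preserve) and the ranking rule are assumptions made for the example.

```python
"""Derive a component-review order from the Condor architecture and resource
diagrams, in the spirit of "identify high value assets and work outward"."""
from collections import deque

# Higher rank = more damage if the component is compromised.
PRIV_RANK = {"user": 1, "condor": 2, "root": 3}

# Steps 1 and 3: components and the privilege each runs with.
# ASSUMPTION for the example: the per-daemon privilege levels below.
PRIVILEGE = {
    "submit": "user", "job": "user",
    "shadow": "condor",
    "master": "root", "schedd": "root", "startd": "root", "starter": "root",
    "negotiator": "root", "collector": "root", "ckpt_server": "root",
}

# Step 1: directed channels (sender -> receiver) from the numbered arrows on
# the architecture slide.  ASSUMPTION: the direction of each arrow.  The
# job -> starter edge is the system-call forwarding / remote I/O path named
# on the resource slide.
CHANNELS = [
    ("submit", "schedd", "3. submit job ClassAd"),
    ("startd", "collector", "2. machine ClassAd"),
    ("schedd", "collector", "4. job ClassAd"),
    ("collector", "negotiator", "5. negotiator cycle"),
    ("negotiator", "schedd", "6. report match"),
    ("negotiator", "startd", "6. report match"),
    ("schedd", "startd", "7. claim host"),
    ("schedd", "shadow", "8. fork"),
    ("startd", "starter", "8. fork"),
    ("shadow", "starter", "9. establish channel"),
    ("starter", "shadow", "9. establish channel"),
    ("starter", "job", "10. start job"),
    ("job", "starter", "system call forwarding / remote I/O"),
]

# Step 2: key resources per component, from the resource slide.  Resources
# shared by every daemon (panel (a)) are listed once.
COMMON = {"binaries & libraries", "config (etc)", "spool", "log"}
RESOURCES = {
    "starter": COMMON | {"execute directories", "checkpoints"},
    "shadow": COMMON | {"user's files"},
    "ckpt_server": COMMON | {"checkpoint directory (ckpt)"},
}

# Step 3: principals we do not trust: anything that runs as the user.
UNTRUSTED = [name for name, p in PRIVILEGE.items() if p == "user"]


def reachable_from_untrusted():
    """Breadth-first walk along channels from user-controlled components.

    Returns {component: path}, where path lists the components through which
    user-influenced input reaches that component."""
    paths = {}
    queue = deque()
    for src in UNTRUSTED:
        paths[src] = [src]
        queue.append(src)
    while queue:
        cur = queue.popleft()
        for sender, receiver, _ in CHANNELS:
            if sender == cur and receiver not in paths:
                paths[receiver] = paths[cur] + [receiver]
                queue.append(receiver)
    return paths


def trust_boundaries():
    """Channels on which a lower-privilege component feeds input to a
    higher-privilege one: the places where input validation matters most."""
    tainted = reachable_from_untrusted()
    return [
        (s, r, label) for s, r, label in CHANNELS
        if s in tainted and PRIV_RANK[PRIVILEGE[s]] < PRIV_RANK[PRIVILEGE[r]]
    ]


def review_priority():
    """Step 4 ordering: components that receive user-influenced input,
    highest privilege first, then most key resources, then by name."""
    tainted = reachable_from_untrusted()

    def key(name):
        return (-PRIV_RANK[PRIVILEGE[name]],
                -len(RESOURCES.get(name, COMMON)), name)

    return sorted((n for n in tainted if PRIVILEGE[n] != "user"), key=key)


if __name__ == "__main__":
    for s, r, label in trust_boundaries():
        print(f"boundary: {s} ({PRIVILEGE[s]}) -> {r} ({PRIVILEGE[r]}) via {label}")
    print("review order:", review_priority())
```

With these inputs the walk never reaches the master (no channel in the diagram delivers input to it) and never reaches ckpt_server (no channel to it is drawn), which is itself a useful result: either the diagram is incomplete, or those components are not exposed to user input and belong lower on the list. The three boundary crossings it reports (submit to schedd, job to starter, shadow to starter) are exactly the places a reviewer would read first for parsing and validation defects.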
First Principles Vulnerability Assessment
Taking Actions
Step 5: Dissemination of Results
– Report vulnerabilities
– Interaction with developers
– Disclosure of vulnerabilities
Studied Systems
System (organisation) | Description | Vulnerabilities found | Size
Condor (University of Wisconsin) | Batch queuing workload management system | 15 | 600 KLOC of C and C++
SRB (SDSC) | Storage Resource Broker, data grid | 5 | 280 KLOC of C
MyProxy (NCSA) | Credential management system | 5 | 25 KLOC of C
glExec (Nikhef) | Identity mapping service | 5 | 48 KLOC of C
Gratia Condor Probe (FNAL and Open Science Grid) | Feeds Condor usage into Gratia accounting system | 3 | 1.7 KLOC of Perl and Bash
Condor Quill (University of Wisconsin) | DBMS storage of Condor operational and historical data | 6 | 7.9 KLOC of C and C++
Studied Systems
System (organisation) | Description | Vulnerabilities found | Size
Wireshark (wireshark.org) | Network protocol analyzer | in progress | 2400 KLOC of C
Condor Privilege Separation (Univ. of Wisconsin) | Restricted identity switching module | | 21 KLOC of C and C++
VOMS Admin (INFN) | Web management interface to VOMS data (role mgmt) | | 35 KLOC of Java and PHP
CrossBroker (Universitat Autònoma de Barcelona) | Resource manager for parallel & interactive applications | in progress | 97 KLOC of C++
In Progress for EMI
System (organisation) | Description | Status
ARGUS (wireshark.org) | gLite Authorization Service | in progress
glExec 0.8 (Nikhef) | Identity mapping service | in progress
What about Automated TOOLS?
– Everyone asks for them
– They may help but … they are definitely not enough!
Manual vs. Automated Vulnerability Assessment
The literature on static analysis tools is self-limiting:
– Missing comparison against a ground truth
– Tool writers write about what they have found
– Limited discussion of false positives
Every valid new problem that a tool finds is progress, but it’s easy to lose perspective on what these tools are not able to do.
EMI
• Roadmap needed:
  – gridFTP
  – CREAM
  – WMS
• We need input from you!
How do You Respond?
A change of culture within the development team:
• When security becomes a first-class task, and when reports start arriving, awareness is significantly increased.
• This affects the way developers look at code and the way that they write code.
• A major landmark: when your developers start reporting vulnerabilities that they’ve found on their own.
Thank you.
Questions?
Elisa.Heymann@uab.es
UI5 Controls simplified - UI5con2024 presentation
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 

First Principles Vulnerability Assessment

  • 7. Architectural Analysis: Condor
    (diagram; recoverable content only) OS privilege legend: condor & root; user.
    Condor submit host: master, schedd, shadow, submit
    Condor execute host: master, startd, starter, job
    Stork server host: master, stork_server
    Host running master, negotiator, collector (labelled "Condor execute host" in the extracted diagram)
    Numbered interactions: 1. fork (master forks each daemon); 2. machine ClassAd; 3. submit job ClassAd; 4. job ClassAd; 5. Negotiator cycle; 6. Report match; 7. claim host; 8. fork; 9. establish channel; 10. start job
  • 8. First Principles Vulnerability Assessment: Understanding the System
    Step 2: Resource Identification
    – Key resources accessed by each component
    – Operations allowed on those resources
    Step 3: Trust & Privilege Analysis
    – How components are protected and who can access them
    – Privilege level at which each component runs
    – Trust delegation
  • 9. Resource Analysis: Condor
    (diagram; recoverable content only) OS privilege legend: condor; root; user. "generic Condor daemon" denotes any daemon present on every host.
    (a) Common Resources on All Condor Hosts: Condor Binaries & Libraries; Condor Config (etc); Operational Data & Run-time Config Files (spool); Operational Log Files (log)
    (b) Unique Condor Checkpoint Server Resources: ckpt_server; Checkpoint Directory (ckpt)
    (c) Unique Condor Execute Resources: starter; User Job; Job Execution Directories (execute)
    (d) Unique Condor Submit Resources: shadow; User's Files (user)
    Cross-host channels: System Call Forwarding and Remote I/O (with Standard Universe Jobs); Send and Receive Checkpoints (with Standard Universe Jobs)
  • 10. First Principles Vulnerability Assessment: Search for Vulnerabilities
    Step 4: Component Evaluation
    – Examine critical components in depth
    – Guide search using: diagrams from steps 1-3; knowledge of vulnerabilities
    – Helped by automated scanning tools
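    The slides describe steps 1-4 as a manual process, but the bookkeeping of steps 1-3 can be written down and queried. The worksheet below is an added example written for this page (not code from the FPVA authors or the Condor project): it encodes the components, channels, resources and privilege levels from slides 7 and 9 and derives the step 4 work list, namely the channels on which lower-privilege data enters a higher-privilege process, the receivers of that data ranked by privilege and exposure, and the components an attacker who controls one asset can influence downstream. The per-process privilege assignments, the resource lists and the host label "central host" are assumptions for illustration; the slides only distinguish user from condor & root.

```python
"""FPVA worksheet for steps 1-3, producing the step 4 evaluation order.

Added example, not code from the FPVA authors or the Condor project.  The
per-process privilege assignments and resource lists are assumptions for
illustration: the slides only distinguish "user" from "condor & root".
"""
from dataclasses import dataclass

# Ordered OS privilege levels from the slide legend (user < condor < root).
PRIV_RANK = {"user": 0, "condor": 1, "root": 2}


@dataclass(frozen=True)
class Component:
    name: str
    host: str
    privilege: str        # step 3: privilege the process runs with (assumed)
    resources: tuple      # step 2: key resources it can touch (assumed)


@dataclass(frozen=True)
class Channel:
    step: int             # number of the arrow on slide 7
    src: str
    dst: str
    payload: str


# Step 1: components per host, constructed from slide 7.  master is omitted
# because in the diagram it only forks daemons and takes no cross-host input.
# "central host" is our label for the host running negotiator and collector.
COMPONENTS = {c.name: c for c in [
    Component("submit",     "submit host",  "user",   ()),
    Component("schedd",     "submit host",  "condor", ("spool", "log")),
    Component("shadow",     "submit host",  "user",   ("user files",)),
    Component("negotiator", "central host", "condor", ("log",)),
    Component("collector",  "central host", "condor", ("log",)),
    Component("startd",     "execute host", "root",   ("execute", "log")),
    Component("starter",    "execute host", "root",   ("execute", "user job")),
    Component("job",        "execute host", "user",   ("execute",)),
]}

# Step 1: the numbered communication channels on slide 7.
CHANNELS = [
    Channel(2,  "startd",     "collector",  "machine ClassAd"),
    Channel(3,  "submit",     "schedd",     "job ClassAd"),
    Channel(4,  "schedd",     "negotiator", "job ClassAd"),
    Channel(6,  "negotiator", "schedd",     "report match"),
    Channel(6,  "negotiator", "startd",     "report match"),
    Channel(7,  "schedd",     "startd",     "claim host"),
    Channel(9,  "shadow",     "starter",    "establish channel"),
    Channel(10, "starter",    "job",        "start job"),
]


def trust_boundary_crossings(components=COMPONENTS, channels=CHANNELS):
    """Step 3: channels on which data from a lower-privilege process is
    consumed by a higher-privilege one.  Each is a point where the receiver's
    input handling decides whether privilege can be gained."""
    return [ch for ch in channels
            if PRIV_RANK[components[ch.src].privilege]
            < PRIV_RANK[components[ch.dst].privilege]]


def evaluation_priority(components=COMPONENTS, channels=CHANNELS):
    """Step 4 work list: receivers of boundary-crossing input, ordered by the
    privilege they run with, then by the number of distinct lower-privilege
    sources feeding them, then by the number of key resources they hold."""
    sources = {}
    for ch in trust_boundary_crossings(components, channels):
        sources.setdefault(ch.dst, set()).add(ch.src)
    ranked = sorted(sources,
                    key=lambda n: (PRIV_RANK[components[n].privilege],
                                   len(sources[n]),
                                   len(components[n].resources)),
                    reverse=True)
    return [(n, components[n].privilege, sorted(sources[n])) for n in ranked]


def reachable_from(start, channels=CHANNELS):
    """Work outward from one asset: every component whose input an attacker
    controlling `start` can influence, following channels transitively."""
    seen, todo = set(), [start]
    while todo:
        cur = todo.pop()
        for ch in channels:
            if ch.src == cur and ch.dst != start and ch.dst not in seen:
                seen.add(ch.dst)
                todo.append(ch.dst)
    return seen


if __name__ == "__main__":
    for ch in trust_boundary_crossings():
        print(f"step {ch.step}: {ch.src} -> {ch.dst} ({ch.payload}) crosses a trust boundary")
    for name, priv, srcs in evaluation_priority():
        print(f"evaluate {name} ({priv}): takes input from {', '.join(srcs)}")
    print("a compromised submit tool can influence:", sorted(reachable_from("submit")))
```

    Under these assumptions the worksheet puts startd and starter (root, fed by condor-level and user-level peers) ahead of schedd (condor, fed by the user's submit tool), which is the "identify high value assets and work outward" ordering of slide 5 rather than a list of known bug classes. Swapping in a different privilege model, for example a deployment where shadow runs as condor, changes the ranking without changing the method.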
  • 11. First Principles Vulnerability Assessment: Taking Actions
    Step 5: Dissemination of Results
    – Report vulnerabilities
    – Interaction with developers
    – Disclosure of vulnerabilities
  • 12. First Principles Vulnerability Assessment: Taking Actions (diagram slide; no text recovered)
  • 13. Studied Systems
    Condor (University of Wisconsin): batch queuing workload management system; 15 vulnerabilities; 600 KLOC of C and C++
    SRB (SDSC): Storage Resource Broker, a data grid; 5 vulnerabilities; 280 KLOC of C
    MyProxy (NCSA): credential management system; 5 vulnerabilities; 25 KLOC of C
    glExec (Nikhef): identity mapping service; 5 vulnerabilities; 48 KLOC of C
    Gratia Condor Probe (FNAL and Open Science Grid): feeds Condor usage into the Gratia accounting system; 3 vulnerabilities; 1.7 KLOC of Perl and Bash
    Condor Quill (University of Wisconsin): DBMS storage of Condor operational and historical data; 6 vulnerabilities; 7.9 KLOC of C and C++
  • 14. Studied Systems (continued)
    Wireshark (wireshark.org): network protocol analyzer; in progress; 2400 KLOC of C
    Condor Privilege Separation (Univ. of Wisconsin): restricted identity switching module; 21 KLOC of C and C++
    VOMS Admin (INFN): web management interface to VOMS data (role management); 35 KLOC of Java and PHP
    CrossBroker (Universitat Autònoma de Barcelona): resource manager for parallel & interactive applications; in progress; 97 KLOC of C++
  • 15. In Progress for EMI
    ARGUS: gLite Authorization Service; in progress
    glExec 0.8 (Nikhef): identity mapping service; in progress
  • 16. What about Automated Tools?
    – Everyone asks for them
    – They may help, but they are definitely not enough!
  • 17. Manual vs. Automated Vulnerability Assessment
    The literature on static analysis tools is self-limiting:
    – Missing comparison against a ground truth
    – Tool writers write about what they have found
    – Limited discussion of false positives
    Every valid new problem that a tool finds is progress, but it is easy to lose perspective on what these tools are not able to do.
  • 18. EMI
    • Roadmap needed:
    – gridFTP
    – CREAM
    – WMS
    • We need input from you!
  • 19. How do You Respond?
    A change of culture within the development team:
    • When security becomes a first-class task, and when reports start arriving, awareness is significantly increased.
    • This affects the way developers look at code and the way that they write code.
    • A major landmark: when your developers start reporting vulnerabilities that they have found on their own.