Security on demand

Security experts generally believe that, “security cannot be added on, it must be designed from the beginning.” This dissertation shows that retrofitting security does not need to be a massive reengineering effort, nor does it need to be ad hoc. Security solutions can be added through systematic, general purpose security-oriented program transformations. We describe a catalog of security-oriented program transformations; so far the catalog contains thirty seven transformations. These security-oriented program transformations improve the traditional approaches of security engineering and keep software secure in the face of new security threats. Security-oriented program transformations are not silver bullets; using them requires skill and knowledge of the program being transformed. They are instead power tools that make it easier to add security to existing systems replacing the point solution of a typical patch with a more systematic removal of a vulnerability. When appropriate tools are built and the program transformations are easy enough to apply, then they will allow a software developer to add ‘security on demand’.

[1]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[2]  Yannis Smaragdakis,et al.  J-Orchestra: Automatic Java Application Partitioning , 2002, ECOOP.

[3]  Ralph Johnson,et al.  Evolution of the MTA architecture: the impact of security , 2008 .

[4]  Spiros Mancoridis,et al.  Using program transformation to secure C programs against buffer overflows , 2003, 10th Working Conference on Reverse Engineering, 2003. WCRE 2003. Proceedings..

[5]  Martin Fowler,et al.  Refactoring - Improving the Design of Existing Code , 1999, Addison Wesley object technology series.

[6]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[7]  David H. Ackley,et al.  Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[8]  Frank Swiderski,et al.  Threat Modeling , 2018, Hacking Connected Cars.

[9]  David Garlan,et al.  A compositional approach for constructing connectors , 2001, Proceedings Working IEEE/IFIP Conference on Software Architecture.

[10]  Steven B. Lipner,et al.  The trustworthy computing security development lifecycle , 2004, 20th Annual Computer Security Applications Conference.

[11]  David Lorge Parnas,et al.  Software aging , 1994, Proceedings of 16th International Conference on Software Engineering.

[12]  David A. Wagner,et al.  Setuid Demystified , 2002, USENIX Security Symposium.

[13]  Peter Mell,et al.  Procedures for Handling Security Patches: Recommendations of the National Institute of Standards and Technology , 2003 .

[14]  Alistair Cockburn,et al.  Agile Software Development , 2001 .

[15]  Robert Hanmer,et al.  Patterns for Fault Tolerant Software , 2007 .

[16]  Ramesh Nagappan,et al.  Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management , 2005 .

[17]  Peter Mell,et al.  Creating a Patch and Vulnerability Management Program , 2005 .

[18]  Mik Kersten,et al.  How are Java software developers using the Elipse IDE? , 2006, IEEE Software.

[19]  Terry Bollinger,et al.  Information Assurance for Enterprise Engineering , 2002 .

[20]  Jon A. Rochlis,et al.  With microscope and tweezers: an analysis of the Internet virus of November 1988 , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[21]  Galen C. Hunt,et al.  The Coign automatic distributed partitioning system , 1999, OSDI '99.

[22]  Eduardo B. Fernandez,et al.  The Authenticator Pattern , 1999 .

[23]  Dipanwita Sarkar,et al.  Flow-insensitive static analysis for detecting integer anomalies in programs , 2007 .

[24]  Claire Le Goues,et al.  Automatically finding patches using genetic programming , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[25]  Philippe Kruchten,et al.  Towards agile security assurance , 2004, NSPW '04.

[26]  W. W. Royce,et al.  Managing the development of large software systems: concepts and techniques , 1987, ICSE '87.

[27]  Kent L. Beck,et al.  Extreme programming explained - embrace change , 1990 .

[28]  David Brumley,et al.  Privtrans: Automatically Partitioning Programs for Privilege Separation , 2004, USENIX Security Symposium.

[29]  Wouter Joosen,et al.  On the Secure Software Development Process: CLASP and SDL Compared , 2007, Third International Workshop on Software Engineering for Secure Systems (SESS'07: ICSE Workshops 2007).

[30]  Saumya K. Debray,et al.  Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[31]  Murray Silverstein,et al.  A Pattern Language , 1977 .

[32]  Michael Gertz,et al.  Using Type Qualifiers to Analyze Untrusted Integers and Detecting Security Flaws in C Programs , 2006, DIMVA.

[33]  Torbjörn Ekman,et al.  Pluggable checking and inferencing of nonnull types for Java , 2007, J. Object Technol..

[34]  M. Hafiz A collection of privacy design patterns , 2006, PLoP '06.

[35]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[36]  Ken Frazer,et al.  Building secure software: how to avoid security problems the right way , 2002, SOEN.

[37]  Ralph E. Johnson,et al.  A Refactoring Tool for Smalltalk , 1997, Theory Pract. Object Syst..

[38]  Bashar Nuseibeh,et al.  A framework for security requirements engineering , 2006, SESS '06.

[39]  Gary Mcgraw Software security , 2004, IEEE Security & Privacy Magazine.

[40]  Eelco Visser,et al.  Stratego: A Language for Program Transformation Based on Rewriting Strategies , 2001, RTA.

[41]  B. F. Castro Buschmann, Frank; Meunier, Regine; Rohnert, Hans; Sommerlad, Peter; Stal, Michael. Pattern-oriented software architecture: a system of patterns, John Wiley & Sons Ltd, 1996 , 1997 .

[42]  William Cheswick An evening with Berferd , 1997 .

[43]  Martin Vuagnoux,et al.  Autodafé: an Act of Software Torture , 2005 .

[44]  Philippe Kruchten,et al.  The Rational Unified Process: An Introduction , 1998 .

[45]  Michael D. Ernst,et al.  Automatically patching errors in deployed software , 2009, SOSP '09.

[46]  Christopher Krügel,et al.  Precise alias analysis for static detection of web application vulnerabilities , 2006, PLAS '06.

[47]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[48]  Laurie A. Williams,et al.  Using Automated Fix Generation to Secure SQL Statements , 2007, Third International Workshop on Software Engineering for Secure Systems (SESS'07: ICSE Workshops 2007).

[49]  David A. Wagner,et al.  Preventing Secret Leakage from fork(): Securing Privilege-Separated Applications , 2006, 2006 IEEE International Conference on Communications.

[50]  Konstantin Beznosov,et al.  Extreme Security Engineering: On Employing XP Practices to Achieve , 2003 .

[51]  Ralph E. Johnson,et al.  Organizing Security Patterns , 2007, IEEE Software.

[52]  Peter Mell,et al.  Procedures for handling security patches , 2002 .

[53]  Watts S. Humphrey,et al.  Introduction to the Team Software Process , 1999 .

[54]  Paul Clements,et al.  ATAM: Method for Architecture Evaluation , 2000 .

[55]  Alexander Aiken,et al.  Flow-sensitive type qualifiers , 2002, PLDI '02.

[56]  V. N. Venkatakrishnan,et al.  CANDID: preventing sql injection attacks using dynamic candidate evaluations , 2007, CCS '07.

[57]  George C. Necula,et al.  CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs , 2002, CC.

[58]  Barry W. Boehm,et al.  Software Engineering Economics , 1993, IEEE Transactions on Software Engineering.

[59]  Tao Wei,et al.  IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution , 2009, NDSS.

[60]  Shawn A. Butler Security attribute evaluation method: a cost-benefit approach , 2002, ICSE '02.

[61]  Ralph Johnson,et al.  A Catalog of Security-oriented Program Transformations , 2009 .

[62]  Alessandro Orso,et al.  Preventing SQL injection attacks using AMNESIA , 2006, ICSE.

[63]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[64]  Joseph W. Yoder,et al.  Architectural Patterns for Enabling Application Security , 1998 .

[65]  Andrew C. Myers,et al.  Secure program partitioning , 2002, TOCS.

[66]  Richard F. Paige,et al.  Extreme Programming Security Practices , 2007, XP.

[67]  Ajith K. Narayanan Design of a safe string library for C , 1994, Softw. Pract. Exp..

[68]  Barry W. Boehm,et al.  A spiral model of software development and enhancement , 1986, Computer.

[69]  Gary McGraw,et al.  ITS4: a static vulnerability scanner for C and C++ code , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[70]  Christopher G. Lasater,et al.  Design Patterns , 2008, Wiley Encyclopedia of Computer Science and Engineering.

[71]  Todd C. Miller,et al.  strlcpy and strlcat - Consistent, Safe, String Copy and Concatenation , 1999, USENIX Annual Technical Conference, FREENIX Track.

[72]  Prashant Jain,et al.  Pattern Oriented Software Architecture: Patterns for Resource Management , 2007, 2007 Working IEEE/IFIP Conference on Software Architecture (WICSA'07).

[73]  Richard F. Paige,et al.  Agile Security Using an Incremental Security Architecture , 2005, XP.

[74]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[75]  J. Hogg Web service security : scenarios, patterns, and implementation guidance for Web services enhancements (WSE) 3.0 , 2005 .

[76]  Premkumar T. Devanbu,et al.  Software engineering for security: a roadmap , 2000, ICSE '00.

[77]  Munawar Hafiz Security oriented program transformations (or how to add security on demand) , 2008, OOPSLA Companion.

[78]  David A. Wagner,et al.  Dynamic Test Generation to Find Integer Bugs in x86 Binary Linux Programs , 2009, USENIX Security Symposium.

[79]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[80]  James R. Cordy,et al.  Source transformation, analysis and generation in TXL , 2006, PEPM '06.

[81]  Shigeru Chiba,et al.  A Bytecode Translator for Distributed Execution of "Legacy" Java Software , 2001, ECOOP.

[82]  David H. Ackley,et al.  Building diverse computer systems , 1997, Proceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133).

[83]  Shane Markstrum,et al.  JavaCOP: Declarative pluggable types for java , 2010, TOPL.

[84]  K. Rustan M. Leino,et al.  Declaring and checking non-null types in an object-oriented language , 2003, OOPSLA 2003.

[85]  Rick Kazman,et al.  Architecture, design, implementation , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..

[86]  André Spiegel PANGAEA: An Automatic Distribution Front-End for JAVA , 1999, IPPS/SPDP Workshops.

[87]  Dianxiang Xu,et al.  Threat-Driven Architectural Design of Secure Information Systems , 2018, ICEIS.

[88]  John Crupi,et al.  Core J2EE Patterns: Best Practices and Design Strategies , 2001 .

[89]  Joshua Kerievsky,et al.  Refactoring to Patterns , 2004, XP/Agile Universe.

[90]  Ken Thompson,et al.  Password security: a case history , 1979, CACM.

[91]  De WinBart,et al.  On the secure software development process , 2009 .

[92]  Douglas Kilpatrick,et al.  Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.

[93]  David Garlan,et al.  Design fragments make using frameworks easier , 2006, OOPSLA '06.

[94]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[95]  Matt Bishop,et al.  Testing C Programs for Buffer Overflow Vulnerabilities , 2003, NDSS.

[96]  Gustav Boström,et al.  Security Engineering and eXtreme Programming: An Impossible Marriage? , 2004, XP/Agile Universe.

[97]  Mark C. Paulk,et al.  Capability Maturity Model , 1991 .

[98]  Richard F. Paige,et al.  Security Planning and Refactoring in Extreme Programming , 2006, XP.

[99]  Navjot Singh,et al.  Transparent Run-Time Defense Against Stack-Smashing Attacks , 2000, USENIX Annual Technical Conference, General Track.

[100]  Robert A. Martin,et al.  Vulnerability Type Distributions in CVE , 2007 .

[101]  Markus Schumacher,et al.  Security Engineering with Patterns , 2003, Lecture Notes in Computer Science.

[102]  Peter Sommerlad,et al.  Security Patterns: Integrating Security and Systems Engineering , 2006 .

[103]  Dawson R. Engler,et al.  Using programmer-written compiler extensions to catch security holes , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[104]  Alessandro Orso,et al.  Using positive tainting and syntax-aware evaluation to counter SQL injection attacks , 2006, SIGSOFT '06/FSE-14.

[105]  Michael D. Ernst,et al.  Practical pluggable types for java , 2008, ISSTA '08.

[106]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[107]  John A. Zachman,et al.  A Framework for Information Systems Architecture , 1987, IBM Syst. J..

[108]  Angelos D. Keromytis,et al.  SQLrand: Preventing SQL Injection Attacks , 2004, ACNS.

[109]  Andrew P. Black,et al.  How we refactor, and how we know it , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[110]  Matt Bishop,et al.  Checking for Race Conditions in File Accesses , 1996, Comput. Syst..

[111]  Martin C. Rinard,et al.  Living in the comfort zone , 2007, OOPSLA.

[112]  Eduardo B. Fernández,et al.  More Patterns for Operating System Access Control , 2003, EuroPLoP.