Security and Software Engineering
Steven M. Bellovin
AT&T Labs Research
http://www.research.att.com/~smb
"If our software is buggy, what does that say about its security?"
--Robert H. Morris

Some Principles of Software Engineering
- Simplicity is a virtue.
- If code is complex, you don't know if it's correct (but it probably isn't).
- Break up complex systems into simple, well-defined modules.
Security is Hard
- Reasonable assumptions don't apply.
  - File name length bounds don't apply.
  - Any input field can be arbitrarily weird.
- Your adversary is creating improbabilities.
  - Race conditions will happen.
- Nature is subtle but not malicious, but the hackers are both.

Case Study: rcp and rdist
- rcp and rdist use the rsh protocol.
- The rsh protocol requires that the client program be on a privileged port.
- Thus, rcp and rdist run as root.
- Both have a long history of security holes.
Solutions
- Don't implement the protocol directly in rcp and rdist; invoke the rsh command.
- Or invoke a small, trusted program that sets up the connection and passes back an open file descriptor.
- Best of all, use a real authentication mechanism.

Using an Outboard Program
- Separates functions.
- Improves modularity.
- Improves security.
- Maybe a small loss in efficiency -- but note the difference between "efficiency" and efficiency: why do the wrong thing quickly?
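Added example, not from the talk: the "small, trusted program that sets up the connection and passes back an open file descriptor" pattern in C, using socketpair() and SCM_RIGHTS. The helper is a forked child standing in for the privileged connector; instead of binding a privileged port it creates a pipe, writes a constructed greeting into it and hands the read end back, so the caller never needs privilege itself. The names outboard_connect, send_fd and recv_fd are this example's own.

```c
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

/* Send one open descriptor over a UNIX-domain socket (SCM_RIGHTS).
 * Returns 0 on success, -1 on failure. */
int send_fd(int sock, int fd_to_pass)
{
    char byte = 'F';                  /* one data byte must accompany the rights */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd_to_pass, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd(); returns it, or -1. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;                    /* check what arrived before trusting it */
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* The outboard helper. In a real rcp the child would run as root, bind a
 * privileged port, connect to the rsh server and pass the connected socket
 * back. This stand-in creates a pipe, writes a constructed greeting into it
 * and passes the read end back. The caller reads from the received
 * descriptor; returns the byte count read, or -1. */
int outboard_connect(char *buf, size_t len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                   /* helper: the only privileged part */
        close(sv[0]);
        int p[2];
        const char *greeting = "220 constructed rsh greeting\n";
        if (pipe(p) == 0 &&
            write(p[1], greeting, strlen(greeting)) == (ssize_t)strlen(greeting)) {
            close(p[1]);
            send_fd(sv[1], p[0]);
        }
        _exit(0);
    }
    close(sv[1]);                     /* unprivileged side */
    int fd = recv_fd(sv[0]);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[128];
    int n = outboard_connect(buf, sizeof buf);
    printf("got %d bytes via passed descriptor: %s", n, buf);
    return n < 0;
}
```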
Case Study: Kerberized telnet
- The DES library wanted 56-bit keys plus proper parity, in a 64-bit number.
- The "generate a 64-bit random key" code used by telnet didn't set the parity bits properly.
- When handed a bad key, the DES library treated the key as all zeroes.
- With probability 255/256, the session was encrypted with a known, constant key!

Analysis
- Interfaces matter.
- Interfaces should be consistent: why did the encryption routine and the key generation routine behave differently?
  - If there was no key generation routine, there should have been.
- Error-checking matters.
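Added example, not from the talk or from any DES library: the key-parity handling the Kerberized telnet slides describe, in C. des_set_odd_parity() is what the key generator should have done; des_set_key_lenient() mirrors the library behaviour on the slide (a bad key silently becomes all zeroes) and des_set_key_strict() is the consistent, error-checked interface the Analysis slide asks for. Nothing here implements DES itself; the function names are this example's own, and random_key_bad_parity_probability() reproduces the slide's 255/256.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* A DES key byte carries 7 key bits and one parity bit (the low bit),
 * chosen so the byte has an odd number of 1 bits. */
static int byte_has_odd_parity(uint8_t b)
{
    int ones = 0;
    for (int i = 0; i < 8; i++)
        ones += (b >> i) & 1;
    return ones & 1;
}

/* Returns 1 if all eight bytes of the key carry correct (odd) parity. */
int des_key_parity_ok(const uint8_t key[8])
{
    for (int i = 0; i < 8; i++)
        if (!byte_has_odd_parity(key[i]))
            return 0;
    return 1;
}

/* What the key generator should have done: keep the 7 high (key) bits of
 * each byte and set the low bit so the byte has odd parity. */
void des_set_odd_parity(uint8_t key[8])
{
    for (int i = 0; i < 8; i++) {
        uint8_t keybits = key[i] & 0xFE;
        key[i] = keybits | (byte_has_odd_parity(keybits) ? 0 : 1);
    }
}

/* Lenient stand-in for the behaviour on the slide: a key with bad parity is
 * silently replaced by all zeroes, a known constant. It never reports
 * failure, which is exactly the problem. Returns 0 always. */
int des_set_key_lenient(const uint8_t key[8], uint8_t schedule_key[8])
{
    if (des_key_parity_ok(key))
        memcpy(schedule_key, key, 8);
    else
        memset(schedule_key, 0, 8);
    return 0;
}

/* Strict version: refuse the key and tell the caller, so a broken key
 * generator is caught at the interface rather than in the ciphertext. */
int des_set_key_strict(const uint8_t key[8], uint8_t schedule_key[8])
{
    if (!des_key_parity_ok(key))
        return -1;
    memcpy(schedule_key, key, 8);
    return 0;
}

/* Probability that a uniformly random 64-bit value has bad parity: exactly
 * half of all byte values have odd parity (enumerated below), so all eight
 * bytes are correct with probability (1/2)^8 = 1/256. */
double random_key_bad_parity_probability(void)
{
    int good = 0;
    for (int b = 0; b < 256; b++)
        good += byte_has_odd_parity((uint8_t)b);
    double all_good = 1.0;
    for (int i = 0; i < 8; i++)
        all_good *= good / 256.0;
    return 1.0 - all_good;            /* 255/256, as on the slide */
}

int main(void)
{
    /* Constructed key: eight bytes chosen with no regard for parity. */
    uint8_t key[8] = { 0x13, 0x57, 0x9B, 0xDF, 0x24, 0x68, 0xAC, 0xE0 };
    uint8_t sched[8];
    printf("parity ok before fix-up: %d, strict set_key: %d\n",
           des_key_parity_ok(key), des_set_key_strict(key, sched));
    des_set_odd_parity(key);
    printf("parity ok after fix-up:  %d, strict set_key: %d\n",
           des_key_parity_ok(key), des_set_key_strict(key, sched));
    printf("P(random 64-bit key has bad parity) = %.8f\n",
           random_key_bad_parity_probability());
    return 0;
}
```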
Case Study: Many C Programs
- About half of all newly-reported security holes are due to buffer overflows in C.
- This shouldn't be possible!
- Tony Hoare warned us of this in his Turing Award lecture:

Hoare's Turing Award Lecture:
"The first principle was security ... A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time ... I note with fear and horror that even in 1980, language designers and users have not learned this lesson."
How to Fix Buffer Overflows
- Write better C.
  - Admittedly, that's hard, even with the best intent and the best programmers.
- Use C++ with the string class.
- Use Java.
- Use Stackguard.
- Use the bounds-checking C compiler.

Case Study: ftpd
- Original Berkeley implementation (and many of its descendants) used yacc to parse network input.
- USER and PASS were separate commands.
- Result: flag-setting, ubiquitous flag-testing, global state and at least three different security holes.
  - Newer ftpds have more complex access control mechanisms and more security holes.
Main Loop of ftpd
[Diagram: "Read command" -> "Parse command; check login state" -> "Execute command via parser", looping back to "Read command".]

Login Sequence
- USER command
  - Clear login state.
  - Get /etc/passwd entry.
  - Check for anonymous; set flag if so.
- PASS command
  - If not anonymous, check password.
  - If failure, clear state and exit PASS.
  - Set directory and uid from passwd entry.
  - If anonymous, use chroot().
  - Set logged-in flag.
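Added example, not from the talk or from any ftpd: the login sequence above as a small C state machine, with one explicit state in place of the flag-setting and flag-testing the ftpd slide criticises, and bounded parsing of the command line. The reply codes are FTP's standard ones; password_ok() is a constructed stand-in for the /etc/passwd lookup, and the setuid/chroot step that the talk puts in a privileged login module is only marked, not performed.

```c
#include <stdio.h>
#include <string.h>

/* One explicit login state instead of scattered "logged in"/"anonymous"
 * flags; every command's access check reads this single variable. */
enum login_state { NEED_USER, NEED_PASS, LOGGED_IN };

struct session {
    enum login_state state;
    int anonymous;      /* decided by USER, acted on by PASS */
    char user[32];      /* bounded; user names are attacker-chosen input */
};

/* Constructed stand-in for the /etc/passwd lookup and password check. */
static int password_ok(const char *user, const char *pass)
{
    return strcmp(user, "alice") == 0 && strcmp(pass, "constructed-pw") == 0;
}

void clear_login(struct session *s)
{
    s->state = NEED_USER;
    s->anonymous = 0;
    s->user[0] = '\0';
}

/* USER: always clears any previous login state first. */
int cmd_user(struct session *s, const char *name)
{
    clear_login(s);
    if (name[0] == '\0' || strlen(name) >= sizeof s->user)
        return 501;     /* syntax error in parameters */
    strcpy(s->user, name);
    s->anonymous = strcmp(name, "anonymous") == 0 || strcmp(name, "ftp") == 0;
    s->state = NEED_PASS;
    return 331;         /* user name okay, need password */
}

/* PASS: valid only directly after USER; any failure clears the state. */
int cmd_pass(struct session *s, const char *pass)
{
    if (s->state != NEED_PASS)
        return 503;     /* bad sequence of commands */
    if (!s->anonymous && !password_ok(s->user, pass)) {
        clear_login(s);
        return 530;     /* not logged in */
    }
    /* In the talk's Solution, this is where the small privileged login
     * module would setuid() to the user and chroot() for anonymous before
     * handing the session to unprivileged code. Not performed here. */
    s->state = LOGGED_IN;
    return 230;
}

/* One turn of the main loop: parse the line, make the single login-state
 * check, execute. Verbs are matched case-sensitively for brevity. */
int ftpd_command(struct session *s, const char *line)
{
    char verb[8] = "", arg[64] = "";
    if (strlen(line) >= sizeof verb + sizeof arg)
        return 500;     /* over-long line: reject, never silently truncate */
    if (sscanf(line, "%7s %63s", verb, arg) < 1)
        return 500;     /* syntax error, command unrecognized */
    if (strcmp(verb, "USER") == 0) return cmd_user(s, arg);
    if (strcmp(verb, "PASS") == 0) return cmd_pass(s, arg);
    if (strcmp(verb, "QUIT") == 0) return 221;
    if (s->state != LOGGED_IN)
        return 530;     /* the one check every other command relies on */
    return 200;         /* CWD, RETR, ... would be dispatched here */
}

int main(void)
{
    struct session s;
    clear_login(&s);
    const char *script[] = { "PASS x", "USER alice", "PASS wrong", "RETR f",
                             "USER alice", "PASS constructed-pw", "RETR f", NULL };
    for (int i = 0; script[i] != NULL; i++)
        printf("%-20s -> %d\n", script[i], ftpd_command(&s, script[i]));
    return 0;
}
```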
Solution
- Separate the login code from the rest.
  - Put it in a separate, small program: ~100 lines.
- Activate your strong security measures (chroot, setuid) in the login module.
- The remaining thousands of lines of code can run unprivileged.
  - (Let the OS do access control; it's good at it.)

Cryptography is Even Harder
- The oldest (public) cryptographic protocol was published in 1978.
- A flaw was found in 1983.
- The original authors found a flaw in the revised protocol in 1994.
- A new error in the original was found in 1996.
- Note: the protocol was only 5 lines long!
Sample Protocol Failure
  A -> S: A, B
  S -> A: CA, CB
  A -> B: CA, CB, {{Kab, Ta}Ka^-1}Kb

We can replay a modified message 3:
  B -> C: CA, CC, {{Kab, Ta}Ka^-1}Kc

Other Rules for Cryptography
- Don't invent your own cryptographic protocols.
- Don't invent your own ciphers.
- And look askance at any product that has done either.

Bug Fixes
- Most system penetrations are caused by known vulnerabilities, for which patches already exist.
- But blindly patching production systems is dangerous.
- There's a new scheme afoot to have vendors automatically install patches...
Today's Challenges
- Large-scale, heterogeneous distributed systems.
  - Must design for component failure.
- Limited security tools (firewalls, hardened hosts, cryptography).
- Ubiquitous networking.
- Mobile code or near-code.
Firewalls and Databases
[Diagram: boxes labelled "The Net", "Firewall", "Web Server" and "Database"; the connections are not recoverable from the extracted text.]
The Wrong Choice
[Diagram: the same four boxes, "The Net", "Web Server", "Database" and "Firewall", with the Firewall in a different position; connections not recoverable.]

Firewalls
- Firewalls are touted as a solution to the network security problem.
- Nonsense: they're the network's response to the host security problem.
- The real function of a firewall is to keep bad guys away from complex, buggy code.
- Today's firewalls are getting very complex.
Where to From Here?
- Sound software engineering matters more than ever.
- Shipping code on Internet time has exacerbated the problem.
  - But the economy seems to have solved it.
- We need to add a new dimension to our modular decomposition: security.