Contributions to Specification, Implementation, and Execution of Secure Software
Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, The Institute of Technology.
2013 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

This thesis contributes to three research areas in software security, namely security requirements and intrusion prevention via static analysis and runtime detection.

We have investigated current practice in security requirements by doing a field study of eleven requirement specifications on IT systems. The conclusion is that security requirements are poorly specified due to three things: inconsistency in the selection of requirements, inconsistency in level of detail, and almost no requirements on standard security solutions. A follow-up interview study addressed the reasons for the inconsistencies and the impact of poor security requirements. It shows that the projects had relied heavily on in-house security competence and that mature producers of software compensate for poor requirements in general but not in the case of security and privacy requirements specific to the customer domain.

Further, we have investigated the effectiveness of five publicly available static analysis tools for security. The test results show high rates of false positives for the tools building on lexical analysis and low rates of true positives for the tools building on syntactical and semantical analysis. As a first step toward a more effective and generic solution we propose decorated dependence graphs as a way of modeling and pattern matching security properties of code. The models can be used to characterize both good and bad programming practice as well as visually explain code properties to programmers. We have implemented a prototype tool that demonstrates how such models can be used to detect integer input validation flaws.

Finally, we investigated the effectiveness of publicly available tools for runtime prevention of buffer overflow attacks. Our initial comparison showed that the best tool as of 2003 was effective against only 50 % of the attacks and there were six attack forms which none of the tools could handle. A follow-up study includes the release of a buffer overflow testbed which covers 850 attack forms. Our evaluation results show that the most popular, publicly available countermeasures cannot prevent all of these buffer overflow attack forms.

Place, publisher, year, edition, pages
Linköping: Linköping University Electronic Press, 2013, 249 p.
Series
Linköping Studies in Science and Technology. Dissertations, ISSN 0345-7524 ; 1503
National Category
Engineering and Technology
Identifiers
URN: urn:nbn:se:liu:diva-88330; ISBN: 978-91-7519-681-7 (print); OAI: oai:DiVA.org:liu-88330; DiVA: diva2:611283
Public defence
2013-04-22, Visionen, hus B, Campus Valla, Linköpings universitet, Linköping, 13:15 (English)
Available from: 2013-03-15. Created: 2013-02-01. Last updated: 2017-03-28. Bibliographically approved
List of papers
1. Security Requirements---A Field Study of Current Practice
2005 (English). In: Symposium on Requirements Engineering for Information Security, 2005. Conference paper, Published paper (Refereed)
Abstract [en]

The number of security flaws in software is a costly problem. In 2004 more than ten new security vulnerabilities were found in commercial and open source software every day. More accurate and consistent security requirements could be a driving force towards more secure software. In a field study of eleven software projects including e-business, health care and military applications we have documented current practice in security requirements. The overall conclusion is that security requirements are poorly specified due to three things: inconsistency in the selection of requirements, inconsistency in level of detail, and almost no requirements on standard security solutions. We show how the requirements could have been enhanced by using the ISO/IEC standard for security management.

Keyword
security requirements, requirements engineering, public procurement
National Category
Computer Science
Identifiers
urn:nbn:se:liu:diva-29496 (URN); 14851 (Local ID); 14851 (Archive number); 14851 (OAI)
Conference
13th IEEE International Requirements Engineering Conference, August 29th-September 2nd, Paris, France
Available from: 2009-10-09. Created: 2009-10-09. Last updated: 2013-03-15. Bibliographically approved
2. The Impact of Neglecting Domain-Specific Security and Privacy Requirements
2007 (English). In: Proceedings of the 12th Nordic Workshop on Secure IT Systems (Nordsec 2007), 2007. Conference paper, Published paper (Other academic)
Abstract [en]

In a previous field study of eleven software projects including e-business, health care and military applications we documented current practice in security requirements. The overall conclusion of the study was that security requirements are poorly and inconsistently specified. However, two important questions remained open; what are the reasons for the inconsistencies, and what is the impact of such poor security requirements? In this paper we seek the answers by performing in-depth interviews with three of the customers from the previous study. The interviews show that mature producers of software (in this case IBM, Cap Gemini, and WM-Data) compensate for poor requirements in areas within their expertise, namely software engineering. But in the case of security and privacy requirements specific to the customer domain, such compensation is not found. In all three cases this has led to security and/or privacy flaws in the systems. Our conclusion is that special focus needs to be put on domain-specific security and privacy needs when eliciting customer requirements.

Keyword
security and privacy requirements, requirements engineering
National Category
Computer Science
Identifiers
urn:nbn:se:liu:diva-90026 (URN)
Conference
The 12th Nordic Workshop on Secure IT Systems (Nordsec 2007), October 11-12, 2007, Reykjavik, Iceland
Available from: 2013-03-15. Created: 2013-03-15. Last updated: 2013-03-25
3. A Comparison of Publicly Available Tools for Static Intrusion Prevention
2002 (English). In: Nordic Workshop on Secure IT Systems NordSec, 2002. Karlstad, Sweden: Karlstad University Studies, 2002, 68- p. Conference paper, Published paper (Refereed)
Abstract [en]

The size and complexity of today's software systems is growing, increasing the number of bugs and thus the possibility of security vulnerabilities. Two common attacks against such vulnerabilities are buffer overflow and format string attacks. In this paper we implement a testbed of 44 function calls in C to empirically compare five publicly available tools for static analysis aiming to stop these attacks. The results show very high rates of false positives for the tools building on lexical analysis and very low rates of true positives for the tools building on syntactical and semantical analysis.

Place, publisher, year, edition, pages
Karlstad, Sweden: Karlstad University Studies, 2002
Keyword
Security intrusions, intrusion prevention, static analysis, security testing, buffer overflow, format string attack
National Category
Computer Science
Identifiers
urn:nbn:se:liu:diva-29494 (URN); 14849 (Local ID); 14849 (Archive number); 14849 (OAI)
Conference
7th Nordic Workshop on Secure IT Systems, "Towards Secure and Privacy-Enhanced Systems", 7-8 November 2002, Karlstad University, Sweden
Available from: 2009-10-09. Created: 2009-10-09. Last updated: 2013-03-15. Bibliographically approved
4. Modeling and Visualizing Security Properties of Code using Dependence Graphs
2005 (English). Conference paper, Published paper (Other academic)
Abstract [en]

In this paper we discuss the problem of modeling security properties, including what we call the dual modeling problem, and ranking of potential vulnerabilities. The discussion is based on the results of a brief survey of eight existing static analysis tools and our own experience. We propose dependence graphs decorated with type and range information as a generic way of modeling security properties of code. These models can be used to characterize both good and bad programming practice as shown by our examples. They can also be used to visually explain code properties to the programmer. Finally, they can be used for pattern matching in static security analysis of code.

Keyword
Security properties; dependence graphs; static analysis
National Category
Computer Science
Identifiers
urn:nbn:se:liu:diva-90027 (URN)
Conference
Fifth Conference on Software Engineering Research and Practice in Sweden, October 20-21, 2005, Västerås, Sweden
Available from: 2013-03-15. Created: 2013-03-15. Last updated: 2013-03-25. Bibliographically approved
5. Pattern Matching Security Properties of Code using Dependence Graphs
2005 (English). Conference paper, Published paper (Other academic)
Abstract [en]

In recent years researchers have presented several tools for statically checking security properties of C code. But they all (currently) focus on one or two categories of security properties each. We have proposed dependence graphs decorated with type-cast and range information as a more generic formalism allowing both for visual communication with the programmer and static analysis checking several security properties at once. Our prototype tool GraphMatch currently checks code for input validation flaws. But several research questions are still open. Most importantly we need to address the complexity of our algorithm for pattern matching graphs, the accuracy of our security models, and the generality of our formalism. Other questions regard the impact of security property visualization and heuristics for ranking of potential flaws found.

Keyword
Security properties; dependence graphs; static analysis
National Category
Computer Science
Identifiers
urn:nbn:se:liu:diva-90028 (URN)
Conference
1st International Workshop on Code Based Software Security Assessments (CoBaSSA 2005), Pittsburgh, Pennsylvania, USA, November 7, 2005
Available from: 2013-03-15. Created: 2013-03-15. Last updated: 2013-03-25. Bibliographically approved
6. A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention
2003 (English). In: Proceedings of the 10th Network and Distributed System Security Symposium, 2003. Reston, Virginia, USA: Internet Society, 2003, 149- p. Conference paper, Published paper (Refereed)
Abstract [en]

The size and complexity of software systems is growing, increasing the number of bugs. Many of these bugs constitute security vulnerabilities. Most common of these bugs is the buffer overflow vulnerability. In this paper we implement a testbed of 20 different buffer overflow attacks, and use it to compare four publicly available tools for dynamic intrusion prevention aiming to stop buffer overflows. The tools are compared empirically and theoretically. The best tool is effective against only 50% of the attacks and there are six attack forms which none of the tools can handle.

Place, publisher, year, edition, pages
Reston, Virginia, USA: Internet Society, 2003
Keyword
Security intrusion; buffer overflow; intrusion prevention; dynamic analysis
National Category
Computer Science
Identifiers
urn:nbn:se:liu:diva-29495 (URN); 14850 (Local ID); 14850 (Archive number); 14850 (OAI)
Conference
The 10th Network & Distributed System Security Symposium 2003 (NDSS), San Diego, California, USA
Available from: 2009-10-09. Created: 2009-10-09. Last updated: 2013-03-15. Bibliographically approved
7. RIPE: Runtime Intrusion Prevention Evaluator
2011 (English). In: Proceedings of the 27th Annual Computer Security Applications Conference, 2011, 41-50 p. Conference paper, Published paper (Other academic)
Abstract [en]

Despite the plethora of research done in code injection countermeasures, buffer overflows still plague modern software. In 2003, Wilander and Kamkar published a comparative evaluation on runtime buffer overflow prevention technologies using a testbed of 20 attack forms and demonstrated that the best prevention tool missed 50% of the attack forms. Since then, many new prevention tools have been presented using that testbed to show that they performed better, not missing any of the attack forms. At the same time though, there have been major developments in the ways of buffer overflow exploitation.

In this paper we present RIPE, an extension of Wilander's and Kamkar's testbed which covers 850 attack forms. The main purpose of RIPE is to provide a standard way of testing the coverage of a defense mechanism against buffer overflows. In order to test RIPE we use it to empirically evaluate some of the newer prevention techniques. Our results show that the most popular, publicly available countermeasures cannot prevent all of RIPE's buffer overflow attack forms. ProPolice misses 60%, LibsafePlus+TIED misses 23%, CRED misses 21%, and Ubuntu 9.10 with nonexecutable memory and stack protection misses 11%.

Keyword
Security intrusion; buffer overflow; intrusion prevention; dynamic analysis
National Category
Computer Science
Identifiers
urn:nbn:se:liu:diva-90030 (URN); 10.1145/2076732.2076739 (DOI); 978-1-4503-0672-0 (ISBN)
Conference
27th Annual Computer Security Applications Conference (ACSAC 2011), December 5-9, Orlando, Florida, USA
Available from: 2013-03-15. Created: 2013-03-15. Last updated: 2013-03-25. Bibliographically approved

Open Access in DiVA

Contributions to Specification, Implementation, and Execution of Secure Software (2225 kB), 3413 downloads
File information
File name: FULLTEXT01.pdf. File size: 2225 kB. Checksum (SHA-512):
2d344642e653d41e64c856cf53c3d49f6158b67a9b30733f25c11f132c056c5611660201afae19127c661267d977499e56c1323925b9ecee030d98c3283119d9
Type: fulltext. Mimetype: application/pdf
Cover (4437 kB), 100 downloads
File information
File name: COVER01.pdf. File size: 4437 kB. Checksum (SHA-512):
0c7aeab434901f0ba1f50d52336958053a76b7b9ee2409de4e833ec1e6d5da45d407e82cc62936655762b38a14be36c072563a307493a64a1833a9a7c7060ab1
Type: cover. Mimetype: application/pdf

By organisation
Software and Systems; The Institute of Technology
Engineering and Technology

Total: 3413 downloads
The number of downloads is the sum of all downloads of full texts. It may include, e.g., previous versions that are now no longer available.