May 2020: Is your code safe from attack?
The science and cyberinfrastructure community writes a huge quantity of software in the form of services, web applications, and infrastructure to support its mission. Each deployed software component can open your organization to the risk of attack, creating violations of data integrity and privacy, and provide unauthorized access to your computing and science infrastructure. An important part of preventing such attacks is an in-depth review of your code.
The goal of an in depth code review is to understand the structure of your software, identify the critical parts of code and the resources they control, understand trust and privilege, and then use this information to focus key parts of the code. Such a review can identify design issues, coding problems, and deployment mistakes. By focusing on the software structure and resources, you can anticipate types of vulnerabilities that have not yet been seen in the wild. This type of review can take beyond the capabilities of penetration testing.
We will briefly describe our First Principles Vulnerability Assessment (FPVA), which we have applied to a wide variety of real-world software, under the aegis of TrustedCI and other organizations. This software has included systems such as HTCondor, Wireshark, Singularity, Google Chrome, and even software that controls almost half the container shipping ports in the world.
We will describe our experiences with such assessments and discuss how you, as an organization that writes or deploys custom software can access or create such an assessment and how you would work with the assessment team. And, importantly, we will discuss how you respond to the identification of vulnerabilities in your software.
Speaker Bios:
Barton Miller is the Vilas Distinguished Achievement Professor, and Amar & Belinder Professor of Computer Sciences at the University of Wisconsin-Madison. He is also Chief Scientist for the DHS Software Assurance Marketplace (SWAMP) research facility, leads the software assurance effort for the NSF Cybersecurity Center of Excellence (TrustedCI), and co-directs the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona. He also leads the Paradyn Parallel Performance Tool project, which is investigating performance and instrumentation technologies for parallel and distributed applications and systems. His research interests include systems security, binary and malicious code analysis and instrumentation extreme scale systems, parallel and distributed program measurement and debugging, and mobile computing. Miller's research is supported by the U.S. Department of Homeland Security, U.S. Department of Energy, National Science Foundation, NATO, and various corporations.
In 1988, Miller founded the field of Fuzz random software testing, which is the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student, Prof. Jeffrey Hollingsworth), founded the field of dynamic binary code instrumentation and coined the term "dynamic instrumentation". Dynamic instrumentation forms the basis for his current efforts in malware analysis and instrumentation.
Miller was the chair of the IDA Center for Computing Sciences Program Review Committee, a member of the Los Alamos National Laboratory Computing, Communications and Networking Division Review Committee, and has been on the U.S. Secret Service Electronic Crimes Task Force (Chicago Area). Miller is a Fellow of the ACM.
Elisa Heymann is a Senior Scientist on the NSF Cybersecurity Center of Excellence at the University of Wisconsin-Madison, and an Associate Professor at the Autonomous University of Barcelona. She co-directs the MIST software vulnerability assessment at the Autonomous University of Barcelona, Spain.
She coordinates in-depth vulnerability assessments for NFS Trusted CI, and was also in charge of the Grid/Cloud security group at the UAB, and participated in two major Grid European Projects: EGI-InSPIRE and European Middleware Initiative (EMI). Heymann's research interests include software security and resource management for Grid and Cloud environments. Her research is supported by the NSF, Spanish government, the European Commission, and NATO.