SlideShare une entreprise Scribd logo

Application and Website Security -- Designer Edition: Using Formal Specification Techniques To Discover Design Flaws

Télécharger en tant que PPTX, PDF
D
Daniel Owens

This document discusses using formal specification techniques like UML, Alloy, and Prolog to discover design flaws related to application and website security. It provides examples of how these techniques can be used to find issues with input validation, data flow, and access control by modeling the system and its requirements. Formal modeling allows exploring complex behaviors and edge cases that may lead to security vulnerabilities. The document advocates applying a "cocktail" of different modeling approaches to more thoroughly test for flaws during design.

Technologie
1  sur  43
Application and Website Security – Designer Edition: Using Formal Specification Techniques To Discover Design Flaws Daniel Owens IT Security Professional
INTRODUCTION
Introduction • Systems generally come in two forms – Single Level Security Systems (SLSS) and Multilevel Security Systems (MLSS) – In an SLSS, the system processes information of the same sensitivity or privilege level, ignoring the user’s need-to-know and clearance, but still enforce access controls – In an MLSS, the system must take into account sensitivity levels, privileges, need-to-know, clearance levels, and enforce access controls • This work is generalized enough to apply to both
Previous Works • Many previous works have looked for specific flaws in specific systems – The works were never intended to be general, simply to provide analysis of a specific flaw in a specific system – This means that much of the works available are difficult to apply to current or more general problems • Additionally, most works ignore that functional and security flaws stem from the same issues
Common Root Causes • Most flaws only become problems after the flaw or data forged by the flaw has successfully passed through multiple checkpoints – Any of the checkpoints could have prevented the flaw – There are instances, such as faulty subsystems upon which the current software relies • Even these can be tested for, but that becomes a never-ending and very costly thing to do, so we assume that those we have no choice but to rely on have been heavily tested • There is no such thing as a strictly ‘security’ or strictly functionality flaw
Common Root Causes (cont) • In 1996, Alph1 [5] clearly showed how buffer overflows can be used to escalate privileges and execute arbitrary code on the victim – Buffer overflows cause visible functionality problems too – most notably, the software being overflowed into and the software doing the overflow will likely crash, have inconsistent data, or operate in an unintended fashion • More recently, Watchfire [32]made public an exploitation technique to use dangling pointers to execute arbitrary code on the victim – Dangling pointers may cause visible functionality problems too – again, most notably, the software could crash, have inconsistent data, or operate in an unintended fashion
Common Root Causes (cont) • Even weak passwords, often regarded as strictly a security problem can create undesirable functionality flaws – The Morris worm exploited weak passwords and caused a substantial degradation of services – Conficker, which exploited a Windows bug and weak passwords, and many other worms rely on bugs and weak passwords • Even the most seemingly benign flaws, like off-by-one errors can cause disastrous security and functionality flaws – Such flaws can be exploited to execute arbitrary code, but also can be triggered by mere use and cause the system to crash or have degraded services [13][15][19]
INPUT VALIDATION
Input Validation • Input validation flaws arise when input (data egressing the process or thread from a source outside of the process or thread) is not properly verified and sanitized prior to use – These include come buffer overflows, format string flaws, integer overflows, SQL injection, LDAP injection, SMTP injection, code injection, command injection, Cross-Site Scripting, and many other problems • Proper and complete design documentation can help stop these • The flaws can be discovered using a variety of different techniques, but no single technique can stop them all, only a ‘cocktail’
Finding Input Validation Flaws With UML • Many input validation flaws can be found using UML diagrams and use case scenarios, or can be protected against using well-crafted OCL statements that are translated into code during implementation – This includes detecting or preventing certain instances of injection attacks (SQL, XSS, command, code, LDAP, SMTP, JSON, etc) and overflows (buffer, off-by-one, etc)
UML Input Validation Example • There is the potential that query could allow SQL injection (DBHandler performs the Database handling), or that the user could enter otherwise incorrectly formatted information – OCL and supporting documentation comes into effect here – context GUI inv: query.matchesRegEx(“a-zA-Z0-9 ”) and query.size()<40 • Note that this requires an OCL extension be written that accepts regular expressions • This also forces the design team to clearly specify all data
Sidenote • Regular expressions that dictate data content should be whitelists, not blacklists – Whitelists dictate what is allowed, blacklists dictate what is not • All input should have OCL constraints that dictate the allowable content (a whitelist) and the maximum (and minimum in certain cases) size – This helps to stop overflows and injection, as well as providing carefully crafted and examined whitelists that conform to the requirements, while providing input validation • Of course if keywords and characters with special meaning are in the whitelist, the input will have to be properly escaped in the code – hard to convey in UML diagrams, but pre conditions and invariants can be used to do this with more OCL extensions
DATA FLOW
Data Flow • Data flow flaws arise when data take paths that are untrusted or can present various problems – Many of these issues concern integrity and confidentiality – The data may be modified while it traverses the less trusted/untrusted path such that it causes problems – note that such data should be examined prior to use • Examples include traversing a hostile environment, traversing faulty systems, and experiencing the data loss that is normal in any environment
Data Flow (cont) • It is extremely important to know data flow in environments where there are levels of trust or in MLSSs – Most kernels implement a limited form of hierarchical protection domains, or ‘protection rings’ • This prevents problems in outer rings from impacting the inner ring (both functionality and security benefits) • The military and systems requiring high fault tolerance benefit • Limiting access points by having ‘gates’ can help prevent or limit the scale of compromises, as well as contain damage should a fault occur
Finding Data Flow Flaws With UML • Certain data flow flaws can be exposed by UML diagrams, but mostly in Use Case diagrams – This involves ensuring that data re-entering the system has not be tampered with or is not malicious (in some cases, both should be checked) • This is similar to input validation, since the data reentering the system is assumed to be data from an external source
Use Case Data Flow Example Use Case Number 1 Use Case Name Initial Data Distribution Overview Follows the distribution of initial data in the distributed system Type Primary Actors Master (P0) and Slave Processors (P1-PN) Properties Performance O(n) Security Data crosses system’s boundaries prior to use Preconditions Other All slaves are up and waiting for the master to communicate Flow Main Flow: 1. Master prepares each matrix segment (one per slave) 2. Master sends each matrix segment to the responsible slave 3. Master enters waiting state pending responses 4. Slaves receive matrix segment 5. Slaves transmit go-ahead to master
Use Case Data Flow Example (cont.) • What happens if the slaves never receive the matrix segments sent to them? – The master will wait forever – This should be handled as an Alternate Flow in the Use Case • What happens if some of the data in the matrix segment is lost or modified? – At best the result will be inaccurate – At worst the slave may become compromised or crash, resulting in the master waiting forever for the slave to respond – This should be handled as subflows – the master should hash the matrix segment and send the hash along with the segment • The hash should also be encrypted or signed if the environment is hostile • What if someone injects a slave response (affirmative or negative)? – Perhaps random network chatter – Perhaps a malefactor – This should be handled as a subflow (if it is a concern) – the master and slave should use encrypted channels or traffic • All environments outside the software (the network and even the system’s bus) should be assumed buggy/malicious in most cases
UML Data Flow Example • Data flowing between the two packages (VideoLibrarySystem and Users) should be protected – This is easiest by providing ‘chokepoints’ – normally making a single class on each side (frontend, backend, middleware, etc) that handles interprocess/internetwork communication and protecting all methods in that class • Classification should actually be placed in each package – This not only serves to decouple the interface and backend, but also helps to serve as another sanity check and reduce the likelihood of a fault in one package effecting the other package
Finding Data Flow Flaws With Models • UML cannot be easily used to find many of the more complex data flow flaws – Alloy, ORC, and SMV, as well as similar modeling languages can find many of the more complex data flow flaws • Examples include verifying that algorithms effectively protect against or detect data tampering, spoofing, denial of service (to the extent possible), and information disclosure • More than anything, modeling can help to verify the adequacy of controls, but (as a consequence) also detect when the data flow could potentially expose the system to threats
Alloy Data Flow Example /** Program to verify enforcement of the x86 protection rings **/ abstract sig Ring{} one sigRingZero, RingOne, RingTwo, RingThreeextends Ring{} one sig Policy{order:Ring->Ring} {order=(RingThree->RingTwo)+(RingTwo->RingOne)+(RingOne->RingZero)+(RingZero->Ring)+(RingOne->Ring)+ (RingTwo->RingTwo)+(RingTwo->RingThree)+(RingThree->RingThree)} sig Program{onRing: one Ring} sig State{programs: setProgram,connections: programs->programs} { -- Note that we are allowing programs to connect to themselves (this is common) noprog: Program | prognot in programs -- Ensures all Programs are in our state no progA, progB: Program | progA->progBin connections and progA.onRing->progB.onRingnot in Policy.order-- Enforce Policy.order } assert verifyDataFlow{all state: State | not getAnInvalidDataFlow[state]} predgetAnInvalidDataFlow[state: State]{ -- Attempts to find an invalid data flow (one that violates Policy.order some progA, progB: Program | progA->progBinstate.connectionsand progA.onRing->progB.onRingnot in Policy.order } • Models can be used to verify control of data flow • They can also show that algorithms to protect or contain damage are accurate • Boolean logic models can even check fault tolerance, like examining mechanisms that automatically adjust data flow to route around faulty paths – This ensures that the algorithm works
ACCESS CONTROL
Access Control • Access control flaws occur when access to a resource is improperly granted or denied – Can exist under numerous circumstances: • Race conditions, improperly assigning access control restrictions, improperly protecting resources, shared resources, etc. • A tremendous amount of work has been done concerning access control violations and modeling – The works tend to pick on specific access control violations, like time-to-check-time-to-use and breaking Bell-La Padula model
Finding Access Control Flaws With UML • Many access control flaws can be exposed by UML diagrams – Sequence diagrams can expose race conditions, some instances of starvation and deadlock, and time-to-check- time-to-use – Use cases and design diagrams can expose some instances of improperly protected resources and instances where shared resources can lead to access control flaws • Note that UML will expose these flaws in the design and may not expose flaws in algorithms or internal working mechanisms – for that models must be used
Use Case Access Control Example • In this example of a basic medical record system, there are four actors – the Doctor, Nurse, Records Office, and Front Desk – The Front Desk can create a record (person) and delete a record – The Records Office can only view records – Doctors can view and modify records – Nurses can view and modify records • There are multiple potential access control flaws – Deletion is often as good as modification – Modification can include deletion (erase all of the data in the record is the same as deleting the record and creating a new one) • In fact, the two can replace most of each other’s functionality and capability, with regard to the destructive force/results
UML Race Condition Example • In this example, a parallel Branch and Bound Knapsack solver written in Java spawns multiple threads that then attempt to solve the knapsack problem – Each of the thread (ParallelKnapsackWorker) works for a period of time, say 5 seconds and then the thread notifies ParallelBranchAndBoundthe best knapsack found thusfar • If the thread has finished, it posts a final notification and is joined – The threads sleep immediately after sending notification so that ParallelBranchAndBound can then grab the current data from the thread (to prevent a race condition where the data is changing as the parent retrieves it) – The parent then calls notify() to wake the thread • This can, itself, create race conditions, deadlock, and starvation because Java doesn’t allow the program to specify which thread to wake
UML Race Condition Example (cont) • Note that we now have two threads notifying ParallelBranchAndBound at the same time – This means that one of the notifies is either going to go unheard (image on the left) or… – …We have a very serious race condition where what we were trying to protect from (ParallelBranchAndBoundgrabbing data while it is being updated) occurs and worse – we have the complete loss of data as one thread wakes another instead of ParallelBranchAndBound, who then performs another notify() – potentially accidentally waking another thread and causing a complete loss of control
UML Access Control Example • Without any OCL to prevent it, a Student can rent a scientific video – something that the requirements clearly stated should not be possible – If implemented as the diagram dictates, the system does not meet the required access control capabilities… OCL should be included
UML Access Control Violations • Carefully examine privileges – Fields should always be private unless they are marked ‘final’ – Methods should be private unless there is good reason • In most cases only constructors, getters, and setters should be anything other than private – Getters and setters should be limited and only available when required • Carefully examine sequence diagrams for potential starvation, deadlock, and race conditions • Examine OCL to ensure that it prevents instances where access to certain resources is inadvertently granted by the diagram were the OCL incorrect or missing – Common examples include bypassing the login to gain access to protected data and using input validation flaws to gain access
Finding Access Control Flaws With Models • UML can find many of the access control flaws, but may also create some – As in the example where the lack of OCL allowed a violation of the requirements and a breech • Modeling, however, can help to discover complex or covert access control flaws – Models trivially discover covert channels and side channels – Models also can be used to define the rules that will enforce intended controls • They can also prove that intended controls fail to achieve the desired effect – Models have even been used to discover previously unknown access control flaws
Prolog Access Control Example /** Excerpt from [14] -- a model to ensure database subtransactions are atomic, do not conflict, and can be rolledback/recovered from **/ haveto(Node1, Action1, Node2, Action2) :- catch(not(maynot(Node1, Action1, Node2, Action2)), _, true). cdefs(a, A, B) :- cdefs(t, A, B), haveto(A, abort, B, abort). cdefs(b, A, B) :- checkorder(A, begin, B, _). cdefs(ba, A, B) :- cannot(A, commit, B, _), checkorder(A, abort, B, _). cdefs(bc, A, B) :- cannot(A, abort, B, _), checkorder(A, commit, B, _). cdefs(c, A, B) :- checkorder(A, commit, B, commit). cdefs(ex, A, B) :- haveto(A, commit, B, abort). • The full model identified several new subtransaction conflicts as well as the previously unknown state of ‘ignored dependencies’ that were easy to discover using a logic model – Conflicts include instances where race conditions are present, the database cannot rollback/recover if something fails, access control mechanisms are violated, or two subtransactions are attempting to perform conflicting operations like committing and strongly committing the same link • Using Prolog, similar flaws are trivial to detect and correct – Alloy can also be used to find certain access control flaws – Prolog is generally better, though
ENCRYPTION
Encryption • Cryptographic flaws exist in all known crypto schemes and their implementations – Some flaws are far more egregious than others – Flaws includepoor randomness, poor entropy collection, poor keys, weak S-boxes, key exchange flaws, key sizes, and reversibility of the algorithm • Evil oracles have always been the Achilles’ heel and allowed the reversing of the entire MD5 family (MD5, SHA, etc) • Modeling and diagramming have uncovered previously undiscovered flaws in common software – Web-browsers have been shown to be trivial to hijack sessions from because of the way they handle SSL
Finding Encryption Flaws With UML • UML can be used to find some common cryptographic flaws – Most of the flaws are found in state and sequence diagrams – Encryption flaws found in state diagrams are usually just for that ‘oracle’ • If a state diagram shows a flaw in OpenSSL’s handling of SSL, a similar flaw may or may not exist in other implementations of SSL – Flaws discovered in sequence diagrams are likely flaws in the actual algorithm • These flaws, of course, exclude mathematical errors, other than to point out that the particular implementation relies on a library that provides weak entropy or randomness (e.g. rand)
UML Encryption Flaw Example (cont) • Note the Trusted Third Party – What if this trust were undue? • The entire algorithm could be broken • SSH suffers this problem as well • What if the attacker spoofed the client, rather than the server? – The client never posts a certificate, so can be trivially spoofed • SSHv1 suffered this flaw; SSHv2 and TLSv1/TLSv1.1 normally ‘authenticate’ the client (weakly) • What if the attacker downgraded the cipher spec? – This would allow the attacker to more easily retrieve the session key • This is common and normally done by spoofing the client • In many cases the client or server downgrades as a matter of course – Compatibility being the major reason – The result is a much weaker algorithm
Finding Encryption Flaws With Models • UML can only find encryption and cryptographic flaws that are ‘surface level’ – Flaws in S-boxes, the underlying mathematical assumptions, etc, are invisible in any UML diagram • Modeling, however, can be used to discover many of the flaws that UML and OCL are unable to find – Models easily evaluate truth statements, such as those about trust and who knows what when • As well as who trusts whom and when – Models can also help determine why levels of trust are what they are – Most importantly, models can verify the math behind the algorithm
Prolog Encryption Flaw Example /** Excerpt from a model to ensure the proper sharing of cryptographic keys**/ trust(Node1, Level1, Node2, Level2) :- catch(not(violatesTrust(Node1,Level1, Node2, Level22)), _, true). keyExchange(Key, A, B) :- trust(A,_,B,high). keyExchange(Key, A, B, C):- trust(A,high,C,high), trust(B,high,C,high). sessionKeyExchange(Key,A,B):- trust(A,high,B,high), keyExchange(Key,A,B). • The full model explains how most systems perform key exchange – Or more correctly how most systems should perform the key exchange • Models like this can help prevent a system from performing a poor key exchange or one that leaves a system vulnerable to hijacking before, during, or after the key exchange • Using Prolog, logic statements like those governing trust and security decisions can prevent the mistakes of SSHv1 and SSL – The mathematics could be proven in Prolog, but there are much better tools for that…
Coq Encryption Flaw Example /** Excerpt from a model to prove mutual exclusion of a cryptographic algorithm**/ Lemma correct:forallmemo:Memo,Cycle memo->Oracle->CorrectTrace. refine (cofix choice : forallmemo:Memo,Cycle memo->Oracle->CorrectTrace := fun (memo:Memo)(cycle:Cycle memo)(oracle:Oracle)=> SCons _ _ memo _ (choice (proc (hd oracle) memo) _ (tl oracle))). • Numerous languages exist to help prove the correctness of cryptographic algorithms – Many of them rely on Prolog to provide the knowledge base and logic • Coq and PVS are commonly used to prove the underlying mathematical theorems – In the example above, Coq is proving the lemma that illustrates a key property of mutual exclusivity – Failing this lemma means that the algorithm fails to provide mutual exclusion • By using a mixture of Prolog-based languages and theorem solvers, most common encryption flaws can be eliminated or reduced – Alloy generally fails to provide the capabilities and is much more difficult in this realm than Prolog-based solutions
IN EXIGO
Conclusion • Formal Specification Techniques can be used to detect design flaws – In some cases, after-the-fact models and diagrams have detected flaws in implementations • These are more costly and difficult to remedy than had they been caught in the design phase • In most instances, the flaws can be caught through both modeling and to some degree with diagrams – Many of the flaws can be seen through sequence diagrams and use cases – Other flaws can be caught with class diagrams • Prolog is a powerful language that enables most modeling languages to discover some of the more complex flaws – This is particularly true with flaws that require changing states or heavy logic and a powerful knowledge base
Acknowledgements • This work relied heavily on previous works of mine for examples, to include the modeling examples provided
References [1] Alan Shaffer, Mikhail Auguston, Cynthia Irvine, and Timothy Levin, “A Security Domain Model to Assess Software for Exploitable Covert Channels,” Proceedings of the ACM SIGPLAN Third Workshop on Programming Languages and Analysis for Security, ACM Press, 2008. [2] Alan Shaffer, Mikhail Auguston, Cynthia Irvine, and Timothy Levin, “A Security Domain Model for Implementing Trusted Subject Behaviors,” Unpublished. *3+ Alan Shaffer, “A Security Domain Model for Static Analysis and Verification of Software Programs,” Proceedings of the 20th International Conference on Software Engineering and Knowledge Engineering, Redwood City, California, 2008, pp. 673-678. [4] Alan Shaffer, Mikhail Auguston, Cynthia Irvine, and Timothy Levin, “Toward a Security Domain Model for Static Analysis and Verification of Information Systems,” Proceedings of the 7th OOPSLA Workshop on Domain-Specific Modeling, 2007. *5+ Aleph1, “Smashing The Stack For Fun And Profit,” Phrack, 7(49), 1996. [6] AliakseiTsitovich, “Detection of Security Vulnerabilities Using Guided Model Checking,” Lecture Notes in Computer Science, Springer- Verlag, Berlin, 2008, pp. 822-823. [7] Andrei Lapets, “Formal representation and reasoning approaches in modeling cryptographic protocols”, Unpublished. *8+ Catherine Meadows, “Formal Verification of Cryptographic Protocols: A Survey,” Lecture Notes in Computer Science, Springer, 1995, pp. 135-150. *9+ Chad R Dougherty, “Vulnerability Note VU#395412: Apache mod_rewrite contains off-by-one error in ldap scheme handling,” US-CERT, US Department of Homeland Security. [10] C.R. Ramakrishnan and R. Sekar, “Model-based analysis of configuration vulnerabilities,” In Journal of Computer Science, IOS Press, 10(1- 2), 2002, pp. 189-209. [11] Daniel Jackson, Software Abstractions: Logic, Language, and Analysis. The MIT Press, Cambridge, Mass, 2006. [12] Daniel Owens. Application and Website Security - Fundamental Edition, National Aeronautics and Space Administration, 2009. [13] Daniel Owens. Application and Website Security – Developer Edition, National Aeronautics and Space Administration, 2010. [14] Daniel Owens. Automated analysis of dependencies in advanced transaction models, SystemSecurities, 2006. [15] Daniel Owens. Certification Test & Evaluation Report for the Common Link Integration Processing (CLIP) Release 1.2.1.26, Certification Test and Evaluation Report, Booz Allen Hamilton, 2008. [16] Daniel Owens. Common Link Integration Processing (CLIP) Integrity, Whitepaper, Booz Allen Hamilton, 2008. [17] Daniel Owens. Integrating Software Security Into The Software Development Lifecycle, SystemSecurities, 2008. [18] Daniel Owens. IT Security Threats: Improper or Inadequate Change Management, National Aeronautics and Space Administration, 2009.
References (cont) [19] Daniel Owens. Fault Tolerance In Sensitive Embedded and Real-Time Information Technology Systems, SystemSecurities, 2009. [20] Jim Arlow and IlaNeustadt, UML 2 and the Unified Process: Practical Object-Oriented Analysis and Design, 2nded, Addison-Wesley Professional, 2005. [21] Junfeng Yang, Paul Twohey, Dawson Engler, Madanlal, Musuvathi. “Using model checking to find serious file system errors,” USENIX Symposium on Operating Systems Design and Implementation, 2004. [22] Michael Howard and D. LeBlanc, Writing Secure Code. 2nded, Microsoft Press, 2002. [23] Mikhail Auguston, Alan Shaffer, “Security Domain Model and Implementation Modeling Language Reference Manual, version 2.0,” Unpublished, May 2008. [24] MusabAlTurki and Jose Meseguer, “Reduction Semantics and Formal Analysis of Orc Programs,” Electronic Notes in Theoretical Computer Science, 200 (3), 2008, pp. 25-41. [25] O.H. Alhazmi, Y.K. Malaiya, I. Ray, “Measuring, analyzing and predicting security vulnerabilities in software systems,” Computes & Security, 26 (3), 2007, pp. 219-228. [26] R. Ritchey and P. Ammann, “Using model checking to analyze network vulnerabilities,” In Proceedings of the IEEE Symposium on Security and Privacy, 2001, pp. 156-165. [27] Shuo Chen, Jose Meseguer, Ralf Sasse, Helen J. Wang, Yi-Min Wang, “A Systematic Approach to Uncover Security Flaws in GUI Logic,” in IEEE Symposium on Security and Privacy, Oakland, California, 2007. [28] Shuo Chen, ZbigniewKalbarczyk, Jun Xu, Ravinshankar K. Iyer, “A Data-Driven Finite State Machine Model for Analyzing Security Vulnerabilities,” IEEE International Conference on Dependable Systems and Networks, 2003, pp. 605-614. [29] Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang, “Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments,” 2009 30th IEEE Symposium on Security and Privacy, 2009, pp. 347-359. [30] SMV. SMV: A Symbolic Model Checker. http://www.cs.cmu.edu/~modelcheck/. [31] Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed: Network Security Secrets and Solutions. 6thed, McGraw-Hill Osborne Media, 2009. [32] Watchfire, “Dangling Pointer: Smashing the Pointer for Fun and Profit,” Blackhat Convention, 2007. *33+ Y. Shin and L. Williams, “An Empirical Model to Predict Security Vulnerabilities using Code Complexity Metrics,” Proceedings of the 2nd International Symposium on Emperical Software Engineering and Measurement, Association for Computing Machinery, New York, 2008, pp. 315-317.

Recommandé

Dependable Systems - Summary (16/16)
Dependable Systems - Summary (16/16)Dependable Systems - Summary (16/16)
Dependable Systems - Summary (16/16)Peter Tröger
 
OpenSubmit - How to grade 1200 code submissions
OpenSubmit - How to grade 1200 code submissionsOpenSubmit - How to grade 1200 code submissions
OpenSubmit - How to grade 1200 code submissionsPeter Tröger
 
Fault Tolerance 101
Fault Tolerance 101 Fault Tolerance 101
Fault Tolerance 101 C4Media
 
Fault Tolerance System
Fault Tolerance SystemFault Tolerance System
Fault Tolerance Systemprakashjjaya
 
Fault tolerance
Fault toleranceFault tolerance
Fault toleranceGaurav Rawat
 
Fault Tolerance System
Fault Tolerance SystemFault Tolerance System
Fault Tolerance SystemEhsan Ilahi
 
Fault Tolerance (Distributed computing)
Fault Tolerance (Distributed computing)Fault Tolerance (Distributed computing)
Fault Tolerance (Distributed computing)Sri Prasanna
 
Distributed Middleware Reliability & Fault Tolerance Support in System S
Distributed Middleware Reliability & Fault Tolerance Support in System SDistributed Middleware Reliability & Fault Tolerance Support in System S
Distributed Middleware Reliability & Fault Tolerance Support in System SHarini Sirisena
 

Recommandé

Dependable Systems - Summary (16/16)
Dependable Systems - Summary (16/16)Dependable Systems - Summary (16/16)
Dependable Systems - Summary (16/16)Peter Tröger
 
OpenSubmit - How to grade 1200 code submissions
OpenSubmit - How to grade 1200 code submissionsOpenSubmit - How to grade 1200 code submissions
OpenSubmit - How to grade 1200 code submissionsPeter Tröger
 
Fault Tolerance 101
Fault Tolerance 101 Fault Tolerance 101
Fault Tolerance 101 C4Media
 
Fault Tolerance System
Fault Tolerance SystemFault Tolerance System
Fault Tolerance Systemprakashjjaya
 
Fault tolerance
Fault toleranceFault tolerance
Fault toleranceGaurav Rawat
 
Fault Tolerance System
Fault Tolerance SystemFault Tolerance System
Fault Tolerance SystemEhsan Ilahi
 
Fault Tolerance (Distributed computing)
Fault Tolerance (Distributed computing)Fault Tolerance (Distributed computing)
Fault Tolerance (Distributed computing)Sri Prasanna
 
Distributed Middleware Reliability & Fault Tolerance Support in System S
Distributed Middleware Reliability & Fault Tolerance Support in System SDistributed Middleware Reliability & Fault Tolerance Support in System S
Distributed Middleware Reliability & Fault Tolerance Support in System SHarini Sirisena
 
Dependable Systems - System Dependability Evaluation (8/16)
Dependable Systems - System Dependability Evaluation (8/16)Dependable Systems - System Dependability Evaluation (8/16)
Dependable Systems - System Dependability Evaluation (8/16)Peter Tröger
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecurityNicholas Davis
 
Software Reliability Engineering
Software Reliability EngineeringSoftware Reliability Engineering
Software Reliability Engineeringguest90cec6
 
Distributed Systems: scalability and high availability
Distributed Systems: scalability and high availabilityDistributed Systems: scalability and high availability
Distributed Systems: scalability and high availabilityRenato Lucindo
 
Architecting for the cloud storage build test
Architecting for the cloud storage build testArchitecting for the cloud storage build test
Architecting for the cloud storage build testLen Bass
 
Distributed systems and scalability rules
Distributed systems and scalability rulesDistributed systems and scalability rules
Distributed systems and scalability rulesOleg Tsal-Tsalko
 
Lec 1
Lec 1Lec 1
Lec 1mohamed ali
 
Sw2 1
Sw2 1Sw2 1
Sw2 1Hungrymind Hms
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxsiti829412
 
Software security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securitySoftware security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securityNicholas Davis
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesSam Bowne
 
chap-0 .ppt
chap-0 .pptchap-0 .ppt
chap-0 .pptLookly Sam
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesSam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in PracticeSecurity Innovation
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure codeKieran Dundon
 
Building data intensive applications
Building data intensive applicationsBuilding data intensive applications
Building data intensive applicationsAmit Kejriwal
 
Unit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptxUnit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptxSakshiGawde6
 
Software Risk Analysis
Software Risk AnalysisSoftware Risk Analysis
Software Risk AnalysisBrett Leonard
 

Contenu connexe

Tendances

Dependable Systems - System Dependability Evaluation (8/16)
Dependable Systems - System Dependability Evaluation (8/16)Dependable Systems - System Dependability Evaluation (8/16)
Dependable Systems - System Dependability Evaluation (8/16)Peter Tröger
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecurityNicholas Davis
 
Software Reliability Engineering
Software Reliability EngineeringSoftware Reliability Engineering
Software Reliability Engineeringguest90cec6
 
Distributed Systems: scalability and high availability
Distributed Systems: scalability and high availabilityDistributed Systems: scalability and high availability
Distributed Systems: scalability and high availabilityRenato Lucindo
 
Architecting for the cloud storage build test
Architecting for the cloud storage build testArchitecting for the cloud storage build test
Architecting for the cloud storage build testLen Bass
 
Distributed systems and scalability rules
Distributed systems and scalability rulesDistributed systems and scalability rules
Distributed systems and scalability rulesOleg Tsal-Tsalko
 

Tendances (8)

Dependable Systems - System Dependability Evaluation (8/16)
Dependable Systems - System Dependability Evaluation (8/16)Dependable Systems - System Dependability Evaluation (8/16)
Dependable Systems - System Dependability Evaluation (8/16)
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical Security
 
Software Reliability Engineering
Software Reliability EngineeringSoftware Reliability Engineering
Software Reliability Engineering
 
Distributed Systems: scalability and high availability
Distributed Systems: scalability and high availabilityDistributed Systems: scalability and high availability
Distributed Systems: scalability and high availability
 
Architecting for the cloud storage build test
Architecting for the cloud storage build testArchitecting for the cloud storage build test
Architecting for the cloud storage build test
 
Distributed systems and scalability rules
Distributed systems and scalability rulesDistributed systems and scalability rules
Distributed systems and scalability rules
 
Lec 1
Lec 1Lec 1
Lec 1
 
Sw2 1
Sw2 1Sw2 1
Sw2 1
 

Similaire à Application and Website Security -- Designer Edition: Using Formal Specification Techniques To Discover Design Flaws

DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxsiti829412
 
Software security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securitySoftware security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securityNicholas Davis
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesSam Bowne
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesSam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure codeKieran Dundon
 
Building data intensive applications
Building data intensive applicationsBuilding data intensive applications
Building data intensive applicationsAmit Kejriwal
 
Unit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptxUnit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptxSakshiGawde6
 
Software Risk Analysis
Software Risk AnalysisSoftware Risk Analysis
Software Risk AnalysisBrett Leonard
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Fundamentals of Software Engineering
Fundamentals of Software Engineering Fundamentals of Software Engineering
Fundamentals of Software Engineering Madhar Khan Pathan
 
Database applicationtesting
Database applicationtestingDatabase applicationtesting
Database applicationtestingRenuka Ballal
 
Illuminate - Performance Analystics driven by Machine Learning
Illuminate - Performance Analystics driven by Machine LearningIlluminate - Performance Analystics driven by Machine Learning
Illuminate - Performance Analystics driven by Machine LearningjClarity
 
Mba i-ifm-u-3 operating systems
Mba i-ifm-u-3 operating systemsMba i-ifm-u-3 operating systems
Mba i-ifm-u-3 operating systemsRai University
 

Similaire à Application and Website Security -- Designer Edition: Using Formal Specification Techniques To Discover Design Flaws (20)

DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
 
Software security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securitySoftware security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical security
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS Vulnerabilities
 
chap-0 .ppt
chap-0 .pptchap-0 .ppt
chap-0 .ppt
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS Vulnerabilities
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS Vulnerabilites
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure code
 
Building data intensive applications
Building data intensive applicationsBuilding data intensive applications
Building data intensive applications
 
Unit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptxUnit 2 - Chapter 7 (Database Security).pptx
Unit 2 - Chapter 7 (Database Security).pptx
 
Software Risk Analysis
Software Risk AnalysisSoftware Risk Analysis
Software Risk Analysis
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Fundamentals of Software Engineering
Fundamentals of Software Engineering Fundamentals of Software Engineering
Fundamentals of Software Engineering
 
Database applicationtesting
Database applicationtestingDatabase applicationtesting
Database applicationtesting
 
L27
L27L27
L27
 
Illuminate - Performance Analystics driven by Machine Learning
Illuminate - Performance Analystics driven by Machine LearningIlluminate - Performance Analystics driven by Machine Learning
Illuminate - Performance Analystics driven by Machine Learning
 
Mba i-ifm-u-3 operating systems
Mba i-ifm-u-3 operating systemsMba i-ifm-u-3 operating systems
Mba i-ifm-u-3 operating systems
 

Dernier

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Dernier (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

Application and Website Security -- Designer Edition: Using Formal Specification Techniques To Discover Design Flaws

  • 1. Application and Website Security – Designer Edition: Using Formal Specification Techniques To Discover Design Flaws Daniel Owens IT Security Professional
  • 3. Introduction • Systems generally come in two forms – Single Level Security Systems (SLSS) and Multilevel Security Systems (MLSS) – In an SLSS, the system processes information of the same sensitivity or privilege level, ignoring the user’s need-to-know and clearance, but still enforce access controls – In an MLSS, the system must take into account sensitivity levels, privileges, need-to-know, clearance levels, and enforce access controls • This work is generalized enough to apply to both
  • 4. Previous Works • Many previous works have looked for specific flaws in specific systems – The works were never intended to be general, simply to provide analysis of a specific flaw in a specific system – This means that much of the works available are difficult to apply to current or more general problems • Additionally, most works ignore that functional and security flaws stem from the same issues
  • 5. Common Root Causes • Most flaws only become problems after the flaw or data forged by the flaw has successfully passed through multiple checkpoints – Any of the checkpoints could have prevented the flaw – There are instances, such as faulty subsystems upon which the current software relies • Even these can be tested for, but that becomes a never-ending and very costly thing to do, so we assume that those we have no choice but to rely on have been heavily tested • There is no such thing as a strictly ‘security’ or strictly functionality flaw
  • 6. Common Root Causes (cont) • In 1996, Alph1 [5] clearly showed how buffer overflows can be used to escalate privileges and execute arbitrary code on the victim – Buffer overflows cause visible functionality problems too – most notably, the software being overflowed into and the software doing the overflow will likely crash, have inconsistent data, or operate in an unintended fashion • More recently, Watchfire [32]made public an exploitation technique to use dangling pointers to execute arbitrary code on the victim – Dangling pointers may cause visible functionality problems too – again, most notably, the software could crash, have inconsistent data, or operate in an unintended fashion
  • 7. Common Root Causes (cont) • Even weak passwords, often regarded as strictly a security problem can create undesirable functionality flaws – The Morris worm exploited weak passwords and caused a substantial degradation of services – Conficker, which exploited a Windows bug and weak passwords, and many other worms rely on bugs and weak passwords • Even the most seemingly benign flaws, like off-by-one errors can cause disastrous security and functionality flaws – Such flaws can be exploited to execute arbitrary code, but also can be triggered by mere use and cause the system to crash or have degraded services [13][15][19]
  • 9. Input Validation • Input validation flaws arise when input (data egressing the process or thread from a source outside of the process or thread) is not properly verified and sanitized prior to use – These include come buffer overflows, format string flaws, integer overflows, SQL injection, LDAP injection, SMTP injection, code injection, command injection, Cross-Site Scripting, and many other problems • Proper and complete design documentation can help stop these • The flaws can be discovered using a variety of different techniques, but no single technique can stop them all, only a ‘cocktail’
  • 10. Finding Input Validation Flaws With UML • Many input validation flaws can be found using UML diagrams and use case scenarios, or can be protected against using well-crafted OCL statements that are translated into code during implementation – This includes detecting or preventing certain instances of injection attacks (SQL, XSS, command, code, LDAP, SMTP, JSON, etc) and overflows (buffer, off-by-one, etc)
  • 11. UML Input Validation Example • There is the potential that query could allow SQL injection (DBHandler performs the Database handling), or that the user could enter otherwise incorrectly formatted information – OCL and supporting documentation comes into effect here – context GUI inv: query.matchesRegEx(“a-zA-Z0-9 ”) and query.size()<40 • Note that this requires an OCL extension be written that accepts regular expressions • This also forces the design team to clearly specify all data
  • 12. Sidenote • Regular expressions that dictate data content should be whitelists, not blacklists – Whitelists dictate what is allowed, blacklists dictate what is not • All input should have OCL constraints that dictate the allowable content (a whitelist) and the maximum (and minimum in certain cases) size – This helps to stop overflows and injection, as well as providing carefully crafted and examined whitelists that conform to the requirements, while providing input validation • Of course if keywords and characters with special meaning are in the whitelist, the input will have to be properly escaped in the code – hard to convey in UML diagrams, but pre conditions and invariants can be used to do this with more OCL extensions
  • 14. Data Flow • Data flow flaws arise when data take paths that are untrusted or can present various problems – Many of these issues concern integrity and confidentiality – The data may be modified while it traverses the less trusted/untrusted path such that it causes problems – note that such data should be examined prior to use • Examples include traversing a hostile environment, traversing faulty systems, and experiencing the data loss that is normal in any environment
  • 15. Data Flow (cont) • It is extremely important to know data flow in environments where there are levels of trust or in MLSSs – Most kernels implement a limited form of hierarchical protection domains, or ‘protection rings’ • This prevents problems in outer rings from impacting the inner ring (both functionality and security benefits) • The military and systems requiring high fault tolerance benefit • Limiting access points by having ‘gates’ can help prevent or limit the scale of compromises, as well as contain damage should a fault occur
  • 16. Finding Data Flow Flaws With UML • Certain data flow flaws can be exposed by UML diagrams, but mostly in Use Case diagrams – This involves ensuring that data re-entering the system has not be tampered with or is not malicious (in some cases, both should be checked) • This is similar to input validation, since the data reentering the system is assumed to be data from an external source
  • 17. Use Case Data Flow Example Use Case Number 1 Use Case Name Initial Data Distribution Overview Follows the distribution of initial data in the distributed system Type Primary Actors Master (P0) and Slave Processors (P1-PN) Properties Performance O(n) Security Data crosses system’s boundaries prior to use Preconditions Other All slaves are up and waiting for the master to communicate Flow Main Flow: 1. Master prepares each matrix segment (one per slave) 2. Master sends each matrix segment to the responsible slave 3. Master enters waiting state pending responses 4. Slaves receive matrix segment 5. Slaves transmit go-ahead to master
  • 18. Use Case Data Flow Example (cont.) • What happens if the slaves never receive the matrix segments sent to them? – The master will wait forever – This should be handled as an Alternate Flow in the Use Case • What happens if some of the data in the matrix segment is lost or modified? – At best the result will be inaccurate – At worst the slave may become compromised or crash, resulting in the master waiting forever for the slave to respond – This should be handled as subflows – the master should hash the matrix segment and send the hash along with the segment • The hash should also be encrypted or signed if the environment is hostile • What if someone injects a slave response (affirmative or negative)? – Perhaps random network chatter – Perhaps a malefactor – This should be handled as a subflow (if it is a concern) – the master and slave should use encrypted channels or traffic • All environments outside the software (the network and even the system’s bus) should be assumed buggy/malicious in most cases
  • 19. UML Data Flow Example • Data flowing between the two packages (VideoLibrarySystem and Users) should be protected – This is easiest by providing ‘chokepoints’ – normally making a single class on each side (frontend, backend, middleware, etc) that handles interprocess/internetwork communication and protecting all methods in that class • Classification should actually be placed in each package – This not only serves to decouple the interface and backend, but also helps to serve as another sanity check and reduce the likelihood of a fault in one package effecting the other package
  • 20. Finding Data Flow Flaws With Models • UML cannot be easily used to find many of the more complex data flow flaws – Alloy, ORC, and SMV, as well as similar modeling languages can find many of the more complex data flow flaws • Examples include verifying that algorithms effectively protect against or detect data tampering, spoofing, denial of service (to the extent possible), and information disclosure • More than anything, modeling can help to verify the adequacy of controls, but (as a consequence) also detect when the data flow could potentially expose the system to threats
  • 21. Alloy Data Flow Example /** Program to verify enforcement of the x86 protection rings **/ abstract sig Ring{} one sigRingZero, RingOne, RingTwo, RingThreeextends Ring{} one sig Policy{order:Ring->Ring} {order=(RingThree->RingTwo)+(RingTwo->RingOne)+(RingOne->RingZero)+(RingZero->Ring)+(RingOne->Ring)+ (RingTwo->RingTwo)+(RingTwo->RingThree)+(RingThree->RingThree)} sig Program{onRing: one Ring} sig State{programs: setProgram,connections: programs->programs} { -- Note that we are allowing programs to connect to themselves (this is common) noprog: Program | prognot in programs -- Ensures all Programs are in our state no progA, progB: Program | progA->progBin connections and progA.onRing->progB.onRingnot in Policy.order-- Enforce Policy.order } assert verifyDataFlow{all state: State | not getAnInvalidDataFlow[state]} predgetAnInvalidDataFlow[state: State]{ -- Attempts to find an invalid data flow (one that violates Policy.order some progA, progB: Program | progA->progBinstate.connectionsand progA.onRing->progB.onRingnot in Policy.order } • Models can be used to verify control of data flow • They can also show that algorithms to protect or contain damage are accurate • Boolean logic models can even check fault tolerance, like examining mechanisms that automatically adjust data flow to route around faulty paths – This ensures that the algorithm works
  • 23. Access Control • Access control flaws occur when access to a resource is improperly granted or denied – Can exist under numerous circumstances: • Race conditions, improperly assigning access control restrictions, improperly protecting resources, shared resources, etc. • A tremendous amount of work has been done concerning access control violations and modeling – The works tend to pick on specific access control violations, like time-to-check-time-to-use and breaking Bell-La Padula model
  • 24. Finding Access Control Flaws With UML • Many access control flaws can be exposed by UML diagrams – Sequence diagrams can expose race conditions, some instances of starvation and deadlock, and time-to-check- time-to-use – Use cases and design diagrams can expose some instances of improperly protected resources and instances where shared resources can lead to access control flaws • Note that UML will expose these flaws in the design and may not expose flaws in algorithms or internal working mechanisms – for that models must be used
  • 25. Use Case Access Control Example • In this example of a basic medical record system, there are four actors – the Doctor, Nurse, Records Office, and Front Desk – The Front Desk can create a record (person) and delete a record – The Records Office can only view records – Doctors can view and modify records – Nurses can view and modify records • There are multiple potential access control flaws – Deletion is often as good as modification – Modification can include deletion (erase all of the data in the record is the same as deleting the record and creating a new one) • In fact, the two can replace most of each other’s functionality and capability, with regard to the destructive force/results
  • 26. UML Race Condition Example • In this example, a parallel Branch and Bound Knapsack solver written in Java spawns multiple threads that then attempt to solve the knapsack problem – Each of the thread (ParallelKnapsackWorker) works for a period of time, say 5 seconds and then the thread notifies ParallelBranchAndBoundthe best knapsack found thusfar • If the thread has finished, it posts a final notification and is joined – The threads sleep immediately after sending notification so that ParallelBranchAndBound can then grab the current data from the thread (to prevent a race condition where the data is changing as the parent retrieves it) – The parent then calls notify() to wake the thread • This can, itself, create race conditions, deadlock, and starvation because Java doesn’t allow the program to specify which thread to wake
  • 27. UML Race Condition Example (cont) • Note that we now have two threads notifying ParallelBranchAndBound at the same time – This means that one of the notifies is either going to go unheard (image on the left) or… – …We have a very serious race condition where what we were trying to protect from (ParallelBranchAndBoundgrabbing data while it is being updated) occurs and worse – we have the complete loss of data as one thread wakes another instead of ParallelBranchAndBound, who then performs another notify() – potentially accidentally waking another thread and causing a complete loss of control
  • 28. UML Access Control Example • Without any OCL to prevent it, a Student can rent a scientific video – something that the requirements clearly stated should not be possible – If implemented as the diagram dictates, the system does not meet the required access control capabilities… OCL should be included
  • 29. UML Access Control Violations • Carefully examine privileges – Fields should always be private unless they are marked ‘final’ – Methods should be private unless there is good reason • In most cases only constructors, getters, and setters should be anything other than private – Getters and setters should be limited and only available when required • Carefully examine sequence diagrams for potential starvation, deadlock, and race conditions • Examine OCL to ensure that it prevents instances where access to certain resources is inadvertently granted by the diagram were the OCL incorrect or missing – Common examples include bypassing the login to gain access to protected data and using input validation flaws to gain access
  • 30. Finding Access Control Flaws With Models • UML can find many of the access control flaws, but may also create some – As in the example where the lack of OCL allowed a violation of the requirements and a breech • Modeling, however, can help to discover complex or covert access control flaws – Models trivially discover covert channels and side channels – Models also can be used to define the rules that will enforce intended controls • They can also prove that intended controls fail to achieve the desired effect – Models have even been used to discover previously unknown access control flaws
  • 31. Prolog Access Control Example /** Excerpt from [14] -- a model to ensure database subtransactions are atomic, do not conflict, and can be rolledback/recovered from **/ haveto(Node1, Action1, Node2, Action2) :- catch(not(maynot(Node1, Action1, Node2, Action2)), _, true). cdefs(a, A, B) :- cdefs(t, A, B), haveto(A, abort, B, abort). cdefs(b, A, B) :- checkorder(A, begin, B, _). cdefs(ba, A, B) :- cannot(A, commit, B, _), checkorder(A, abort, B, _). cdefs(bc, A, B) :- cannot(A, abort, B, _), checkorder(A, commit, B, _). cdefs(c, A, B) :- checkorder(A, commit, B, commit). cdefs(ex, A, B) :- haveto(A, commit, B, abort). • The full model identified several new subtransaction conflicts as well as the previously unknown state of ‘ignored dependencies’ that were easy to discover using a logic model – Conflicts include instances where race conditions are present, the database cannot rollback/recover if something fails, access control mechanisms are violated, or two subtransactions are attempting to perform conflicting operations like committing and strongly committing the same link • Using Prolog, similar flaws are trivial to detect and correct – Alloy can also be used to find certain access control flaws – Prolog is generally better, though
  • 33. Encryption • Cryptographic flaws exist in all known crypto schemes and their implementations – Some flaws are far more egregious than others – Flaws includepoor randomness, poor entropy collection, poor keys, weak S-boxes, key exchange flaws, key sizes, and reversibility of the algorithm • Evil oracles have always been the Achilles’ heel and allowed the reversing of the entire MD5 family (MD5, SHA, etc) • Modeling and diagramming have uncovered previously undiscovered flaws in common software – Web-browsers have been shown to be trivial to hijack sessions from because of the way they handle SSL
  • 34. Finding Encryption Flaws With UML • UML can be used to find some common cryptographic flaws – Most of the flaws are found in state and sequence diagrams – Encryption flaws found in state diagrams are usually just for that ‘oracle’ • If a state diagram shows a flaw in OpenSSL’s handling of SSL, a similar flaw may or may not exist in other implementations of SSL – Flaws discovered in sequence diagrams are likely flaws in the actual algorithm • These flaws, of course, exclude mathematical errors, other than to point out that the particular implementation relies on a library that provides weak entropy or randomness (e.g. rand)
  • 35. UML Encryption Flaw Example (cont) • Note the Trusted Third Party – What if this trust were undue? • The entire algorithm could be broken • SSH suffers this problem as well • What if the attacker spoofed the client, rather than the server? – The client never posts a certificate, so can be trivially spoofed • SSHv1 suffered this flaw; SSHv2 and TLSv1/TLSv1.1 normally ‘authenticate’ the client (weakly) • What if the attacker downgraded the cipher spec? – This would allow the attacker to more easily retrieve the session key • This is common and normally done by spoofing the client • In many cases the client or server downgrades as a matter of course – Compatibility being the major reason – The result is a much weaker algorithm
  • 36. Finding Encryption Flaws With Models • UML can only find encryption and cryptographic flaws that are ‘surface level’ – Flaws in S-boxes, the underlying mathematical assumptions, etc, are invisible in any UML diagram • Modeling, however, can be used to discover many of the flaws that UML and OCL are unable to find – Models easily evaluate truth statements, such as those about trust and who knows what when • As well as who trusts whom and when – Models can also help determine why levels of trust are what they are – Most importantly, models can verify the math behind the algorithm
  • 37. Prolog Encryption Flaw Example /** Excerpt from a model to ensure the proper sharing of cryptographic keys**/ trust(Node1, Level1, Node2, Level2) :- catch(not(violatesTrust(Node1,Level1, Node2, Level22)), _, true). keyExchange(Key, A, B) :- trust(A,_,B,high). keyExchange(Key, A, B, C):- trust(A,high,C,high), trust(B,high,C,high). sessionKeyExchange(Key,A,B):- trust(A,high,B,high), keyExchange(Key,A,B). • The full model explains how most systems perform key exchange – Or more correctly how most systems should perform the key exchange • Models like this can help prevent a system from performing a poor key exchange or one that leaves a system vulnerable to hijacking before, during, or after the key exchange • Using Prolog, logic statements like those governing trust and security decisions can prevent the mistakes of SSHv1 and SSL – The mathematics could be proven in Prolog, but there are much better tools for that…
  • 38. Coq Encryption Flaw Example /** Excerpt from a model to prove mutual exclusion of a cryptographic algorithm**/ Lemma correct:forallmemo:Memo,Cycle memo->Oracle->CorrectTrace. refine (cofix choice : forallmemo:Memo,Cycle memo->Oracle->CorrectTrace := fun (memo:Memo)(cycle:Cycle memo)(oracle:Oracle)=> SCons _ _ memo _ (choice (proc (hd oracle) memo) _ (tl oracle))). • Numerous languages exist to help prove the correctness of cryptographic algorithms – Many of them rely on Prolog to provide the knowledge base and logic • Coq and PVS are commonly used to prove the underlying mathematical theorems – In the example above, Coq is proving the lemma that illustrates a key property of mutual exclusivity – Failing this lemma means that the algorithm fails to provide mutual exclusion • By using a mixture of Prolog-based languages and theorem solvers, most common encryption flaws can be eliminated or reduced – Alloy generally fails to provide the capabilities and is much more difficult in this realm than Prolog-based solutions
  • 40. Conclusion • Formal Specification Techniques can be used to detect design flaws – In some cases, after-the-fact models and diagrams have detected flaws in implementations • These are more costly and difficult to remedy than had they been caught in the design phase • In most instances, the flaws can be caught through both modeling and to some degree with diagrams – Many of the flaws can be seen through sequence diagrams and use cases – Other flaws can be caught with class diagrams • Prolog is a powerful language that enables most modeling languages to discover some of the more complex flaws – This is particularly true with flaws that require changing states or heavy logic and a powerful knowledge base
  • 41. Acknowledgements • This work relied heavily on previous works of mine for examples, to include the modeling examples provided
  • 42. References [1] Alan Shaffer, Mikhail Auguston, Cynthia Irvine, and Timothy Levin, “A Security Domain Model to Assess Software for Exploitable Covert Channels,” Proceedings of the ACM SIGPLAN Third Workshop on Programming Languages and Analysis for Security, ACM Press, 2008. [2] Alan Shaffer, Mikhail Auguston, Cynthia Irvine, and Timothy Levin, “A Security Domain Model for Implementing Trusted Subject Behaviors,” Unpublished. *3+ Alan Shaffer, “A Security Domain Model for Static Analysis and Verification of Software Programs,” Proceedings of the 20th International Conference on Software Engineering and Knowledge Engineering, Redwood City, California, 2008, pp. 673-678. [4] Alan Shaffer, Mikhail Auguston, Cynthia Irvine, and Timothy Levin, “Toward a Security Domain Model for Static Analysis and Verification of Information Systems,” Proceedings of the 7th OOPSLA Workshop on Domain-Specific Modeling, 2007. *5+ Aleph1, “Smashing The Stack For Fun And Profit,” Phrack, 7(49), 1996. [6] AliakseiTsitovich, “Detection of Security Vulnerabilities Using Guided Model Checking,” Lecture Notes in Computer Science, Springer- Verlag, Berlin, 2008, pp. 822-823. [7] Andrei Lapets, “Formal representation and reasoning approaches in modeling cryptographic protocols”, Unpublished. *8+ Catherine Meadows, “Formal Verification of Cryptographic Protocols: A Survey,” Lecture Notes in Computer Science, Springer, 1995, pp. 135-150. *9+ Chad R Dougherty, “Vulnerability Note VU#395412: Apache mod_rewrite contains off-by-one error in ldap scheme handling,” US-CERT, US Department of Homeland Security. [10] C.R. Ramakrishnan and R. Sekar, “Model-based analysis of configuration vulnerabilities,” In Journal of Computer Science, IOS Press, 10(1- 2), 2002, pp. 189-209. [11] Daniel Jackson, Software Abstractions: Logic, Language, and Analysis. The MIT Press, Cambridge, Mass, 2006. [12] Daniel Owens. Application and Website Security - Fundamental Edition, National Aeronautics and Space Administration, 2009. [13] Daniel Owens. Application and Website Security – Developer Edition, National Aeronautics and Space Administration, 2010. [14] Daniel Owens. Automated analysis of dependencies in advanced transaction models, SystemSecurities, 2006. [15] Daniel Owens. Certification Test & Evaluation Report for the Common Link Integration Processing (CLIP) Release 1.2.1.26, Certification Test and Evaluation Report, Booz Allen Hamilton, 2008. [16] Daniel Owens. Common Link Integration Processing (CLIP) Integrity, Whitepaper, Booz Allen Hamilton, 2008. [17] Daniel Owens. Integrating Software Security Into The Software Development Lifecycle, SystemSecurities, 2008. [18] Daniel Owens. IT Security Threats: Improper or Inadequate Change Management, National Aeronautics and Space Administration, 2009.
  • 43. References (cont) [19] Daniel Owens. Fault Tolerance In Sensitive Embedded and Real-Time Information Technology Systems, SystemSecurities, 2009. [20] Jim Arlow and IlaNeustadt, UML 2 and the Unified Process: Practical Object-Oriented Analysis and Design, 2nded, Addison-Wesley Professional, 2005. [21] Junfeng Yang, Paul Twohey, Dawson Engler, Madanlal, Musuvathi. “Using model checking to find serious file system errors,” USENIX Symposium on Operating Systems Design and Implementation, 2004. [22] Michael Howard and D. LeBlanc, Writing Secure Code. 2nded, Microsoft Press, 2002. [23] Mikhail Auguston, Alan Shaffer, “Security Domain Model and Implementation Modeling Language Reference Manual, version 2.0,” Unpublished, May 2008. [24] MusabAlTurki and Jose Meseguer, “Reduction Semantics and Formal Analysis of Orc Programs,” Electronic Notes in Theoretical Computer Science, 200 (3), 2008, pp. 25-41. [25] O.H. Alhazmi, Y.K. Malaiya, I. Ray, “Measuring, analyzing and predicting security vulnerabilities in software systems,” Computes & Security, 26 (3), 2007, pp. 219-228. [26] R. Ritchey and P. Ammann, “Using model checking to analyze network vulnerabilities,” In Proceedings of the IEEE Symposium on Security and Privacy, 2001, pp. 156-165. [27] Shuo Chen, Jose Meseguer, Ralf Sasse, Helen J. Wang, Yi-Min Wang, “A Systematic Approach to Uncover Security Flaws in GUI Logic,” in IEEE Symposium on Security and Privacy, Oakland, California, 2007. [28] Shuo Chen, ZbigniewKalbarczyk, Jun Xu, Ravinshankar K. Iyer, “A Data-Driven Finite State Machine Model for Analyzing Security Vulnerabilities,” IEEE International Conference on Dependable Systems and Networks, 2003, pp. 605-614. [29] Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang, “Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments,” 2009 30th IEEE Symposium on Security and Privacy, 2009, pp. 347-359. [30] SMV. SMV: A Symbolic Model Checker. http://www.cs.cmu.edu/~modelcheck/. [31] Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed: Network Security Secrets and Solutions. 6thed, McGraw-Hill Osborne Media, 2009. [32] Watchfire, “Dangling Pointer: Smashing the Pointer for Fun and Profit,” Blackhat Convention, 2007. *33+ Y. Shin and L. Williams, “An Empirical Model to Predict Security Vulnerabilities using Code Complexity Metrics,” Proceedings of the 2nd International Symposium on Emperical Software Engineering and Measurement, Association for Computing Machinery, New York, 2008, pp. 315-317.