Automotive electronic control units (ECUs) have been the focus of many security researchers who have demonstrated the ability to affect the deterministic operation of safety critical vehicle cyber physical systems. Flaws in software design that have direct impacts to the functional safety of a target vehicle have been discovered. The rapid increase in data connectivity within a modern automobile has...
Although it is well-known that API design has a large and long-term impact on security, the literature contains few substantial guidelines for practitioners on how to design APIs that improve security. Even fewer of those guidelines have been evaluated empirically. Security professionals have proposed that software engineers choose immutable APIs and architectures to enhance security. Unfortunately,...
Computing systems produce large amounts of system log information at a scale wildly disproportionate to the growth of computing and bandwidth resources. This growth outpaces the ability of human auditors and administrators to digest such quantities of data via manual analysis. This situation is only expected to worsen over time as more and more data become available due to expanded technological reach...
Increasingly developers are becoming aware of the importance of software security, as frequent high-profile security incidents emphasize the need for secure code. Faced with this new problem, most developers will use their normal approach: web search. But are the resulting web resources useful and effective at promoting security in practice? Recent research has identified security problems arising...
Software developers need to address security risks and elicit security requirements in the early stages of the Software Development Life Cycle. It is important to investigate how novices can incorporate security in the early stages of the SDLC.
We argue that C is unsuitable for writing timing-channel-free cryptographic code that is both fast and readable. Readable implementations of crypto routines would contain high-level constructs like if statements, constructs that also introduce timing vulnerabilities. To avoid vulnerabilities, programmers must rewrite their code to dodge intuitive yet dangerous constructs, cluttering the codebase and...
Developing secure software is inherently difficult, and is further hampered by a rush to market, the lack of cybersecurity-trained architects and developers, and the difficulty of identifying flaws and deploying mitigations. To address these problems, we advocate for an alternative paradigm–layering security onto applications from global control points, such as the browser, operating system, or network...
Modern processors are becoming increasingly complex with features that improve performance and add new functionality. However, such improvements are a double-edged sword: they improve performance and functionality but also introduce security-critical bugs into the processor that attackers can leverage to bypass a system's security policies. Existing solutions require hardware extensions and often...
Software is becoming increasingly more complex, and vulnerabilities more subtle. Better approaches are required to effectively analyze modern binaries, efficiently identify deeply buried defects, and intelligently assist human analysts with specific software reversing tasks. Tons of good techniques and approaches regarding binary analysis have recently emerged from both academia and industry, many...
There is a widening chasm between the ease of creating software and the difficulty of "building security in". This paper reviews the approach, the findings and recent experiments from a seven-year effort to enable consistency across a large, diverse development organization and software portfolio via policies, guidance, automated tools and services. Experience shows that developing secure software...
Security Risk Assessments (SRA) play a key role in the Security Development Lifecycle (SDL). At an early stage of the project, the SRA helps allocate security resources and identifies SDL requirements and activities. In this paper, we present key findings from a machine learning approach toward the SRA that seeks to learn from a database of previous product security risk assessments and associated...
This tutorial provides developers with practical guidance for securely implementing Java Serialization. Java deserialization is a clear and present danger as it is widely used both directly by applications and indirectly by Java subsystems such as RMI (Remote Method Invocation), JMX (Java Management Extension), JMS (Java Messaging System). Deserialization of untrusted streams can result in remote code...
This hands-on tutorial teaches participants how to audit static analysis alerts, using an auditing lexicon and rules. There is no widely-accepted lexicon or standard set of rules for auditing static analysis alerts in the software engineering community. Auditing rules and a lexicon should guide different auditors to make the same determination for an alert. Standard terms and processes are necessary...
Input-handling vulnerabilities have been a constant source of security problems for decades. Many famous recent bugs are in fact input-handling bugs. We argue that the techniques for writing parsers in their present form are insufficient, and hence we propose a new pattern. In this tutorial, we will show participants a new design pattern for designing and implementing parsers using this new method....
This paper examines the security provided by different implementations of Address Space Layout Randomization (ASLR). ASLR is a security mechanism that increases control-flow integrity by making it more difficult for an attacker to properly execute a buffer-overflow attack, even in systems with vulnerable software. The strength of ASLR lies in the randomness of the offsets it produces in memory layouts...
Provides an abstract for each of the keynote presentations and a brief professional biography of each presenter. The complete presentations were not made available for publication as part of the conference proceedings.