Entries Tagged as 'Secure Coding'

Java Zero Day Vulnerabilities

Java, Secure Coding

By David Svoboda
Member of the Technical Staff
CERT Secure Coding Initiative

A zero-day vulnerability refers to a software security vulnerability that has been exploited before any patch is published. In the past, vulnerabilities were widely exploited even when a patch was available, which means they were not zero-day. Today, zero-day vulnerabilities are common. Notorious examples include the recent Stuxnet and Operation Aurora exploits. Vulnerabilities may arise from a variety of sources, but most vulnerabilities are the result of simple coding errors. Consequently, developers need to understand common traps and pitfalls in the programming language, libraries, and platform to produce code that is free of vulnerabilities. To address this problem, CERT published The CERT Oracle Coding Standard for Java in 2011. This book is version 1 of this standard and was written primarily for Java SE 6, but also covers features introduced in Java SE 7. This coding standard provides secure coding rules that help programmers recognize and avoid vulnerabilities in their products. Each rule provides simple instructions regarding what a programmer must and must not do. Each rule description is accompanied by noncompliant code examples, as well as compliant solutions that can be used instead. In this blog post, I examine a Java zero-day vulnerability, CVE 2012-0507, which infected half a million Macintosh computers, and consider how this exploit could have been prevented through adherence to two secure coding rules.

Read more...

Thread Safety Analysis in C and C++

Concurrency Analysis, Secure Coding, Thread Role Analysis

By Aaron Ballman
Senior Member of the Technical Staff
CERT Secure Coding Initiative

With the rise of multi-core processors, concurrency has become increasingly common. The broader use of concurrency, however, has been accompanied by new challenges for programmers, who struggle to avoid race conditions and other concurrent memory access hazards when writing multi-threaded programs. The problem with concurrency is that many programmers have been trained to think sequentially, so when multiple threads execute concurrently, they struggle to visualize those threads executing in parallel. When two threads attempt to access the same unprotected region of memory concurrently (one reading, one writing), logical inconsistencies can arise in the program, which can yield security concerns that are hard to detect. The ongoing struggle with concurrent threads of execution has introduced a whole class of concurrency-related issues, from race conditions to deadlock. Developers need help writing concurrent code correctly. This post, the second in a series on concurrency analysis, introduces Clang Thread Safety Analysis, a tool that was developed as part of a collaboration between Google and the Secure Coding Initiative in the SEI's CERT Division. Clang Thread Safety Analysis uses annotations to declare and enforce thread safety policies in C and C++ programs.

Read more...

Performance of Compiler-Assisted Memory Safety Checking

Secure Coding

By David Keaton
Senior Researcher
CERT Secure Coding Initiative

According to a 2013 report examining 25 years of vulnerabilities (from 1998 to 2012), buffer overflow causes 14 percent of software security vulnerabilities and 35 percent of critical vulnerabilities, making it the leading cause of software security vulnerabilities overall. As of July 2014, the TIOBE index indicates that the C programming language, which is the language most commonly associated with buffer overflows, is the most popular language with 17.1 percent of the market. Embedded systems, network stacks, networked applications, and high-performance computing rely heavily upon C. Embedded systems can be especially vulnerable to buffer overflows because many of them lack hardware memory management units. This blog post describes my research on the Secure Coding Initiative in the CERT Division of the Carnegie Mellon University Software Engineering Institute to create automated buffer overflow prevention.

Read more...

The Latest Research from the SEI

Malware, Resilience Management Model (RMM), Secure Coding, Systems Engineering

By Douglas C. Schmidt
Principal Researcher

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in secure coding, CERT Resilience Management Model, malicious-code reverse engineering, systems engineering, and incident management. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.

Read more...

Android, Heartbleed, Testing, and DevOps: An SEI Blog Mid-Year Review

Android, Architecture, Big Data, DevOps, Secure Coding, Testing

By Douglas C. Schmidt 
Principal Researcher

In the first half of this year, the SEI blog has experienced unprecedented growth, with visitors in record numbers learning more about our work in big data, secure coding for Android, malware analysis, Heartbleed, and V Models for Testing. In the first six months of 2014 (through June 20), the SEI blog has logged 60,240 visits, which is nearly comparable with the entire 2013 yearly total of 66,757 visits. As we reach the mid-year point, this blog posting takes a look back at our most popular areas of work (at least according to you, our readers) and highlights our most popular blog posts for the first half of 2014, as well as links to additional related resources that readers might find of interest.

Read more...