CSSE3002 Lecture Notes - Lecture 9: Attack Surface, Multitenancy, Regular Expression

Secure Languages (Guest Lecture: Cristina Cifuentes)
Buffer errors – the number one issue: more than 3 different buffer errors have been exploited
daily over the past 5 years
Injection errors – number 2 (they come in many different forms)
Information leaks – more and more prevalent these days: two new issues per day (e.g.
Facebook, social media, cloud platforms, etc.)
These three types of errors account for 53% of labelled data in the NVD
In 1995, there were only 25 new exploits for vulnerabilities per year. The numbers keep going
up every year. Even though solutions for these exploits exist, software overall remains
exploitable through many issues at any point in time.
When there is a data breach, it costs the company $4 million on average. The cost
increases if health records are involved.
Any language that we usually use is affected. This affects any kind of
application and is happening worldwide.
Why is this still happening even after all the research that has been done throughout the
years?
From the security point of view, what solutions do languages provide, for example to avoid buffer
errors? Look at the bubbles – Java, C#, etc. are able to avoid errors that happen in low-level
languages such as C/C++. No language is foolproof against all three issues.
Two different axes – performance and cognitive load. Performance always needs
to be taken into account. Cognitive load – if you provide an abstraction, can developers
understand the abstraction? More abstraction would be safer, but it is not going to
be practical if it is too hard to use.
Buffer errors – come from the unsafe abstractions of low-level languages, which offer good performance though
Solutions – using managed memory, as in Java, JS, etc., but this can't be used on
embedded systems because of the performance overhead // Rust – a new abstraction that comes at the cost of
cognitive load because not many people know how to use it, but in terms of performance it is
pretty good.
The Rust language provides memory safety
-Meant to prevent memory corruption and provide thread safety
-Introduces two new concepts – ownership and borrowing
-Borrowing – to share a pointer, you can have a shared borrow (can use it but can't
mutate it) or a mutable borrow (able to borrow the pointer and mutate it, but only one
borrower is able to mutate it)
-Ownership (used in the C++ language too) – a resource can only be owned by one
particular owner
-Example
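The lecture's own example is not included in these notes. The Rust program below is an added illustration, not from the lecture, of shared borrows, a mutable borrow, an ownership move and a bounds-checked buffer write; all function names are made up for this example.

```rust
// Added example, not from the lecture. Function names are illustrative.

/// Shared borrow: any number of readers may hold `&buf`, none may mutate.
fn checksum(buf: &[u8]) -> u32 {
    buf.iter().map(|&b| b as u32).sum()
}

/// Mutable borrow: only one writer at a time. An out-of-range index is
/// returned as an error instead of writing past the end of the buffer.
fn write_at(buf: &mut [u8], idx: usize, val: u8) -> Result<(), String> {
    let len = buf.len();
    match buf.get_mut(idx) {
        Some(slot) => {
            *slot = val;
            Ok(())
        }
        None => Err(format!("index {} out of bounds (len {})", idx, len)),
    }
}

/// Ownership: the buffer is moved in, so the caller can no longer use it.
fn consume(buf: Vec<u8>) -> usize {
    buf.len() // `buf` is freed here, exactly once
}

fn demo() -> (u32, bool, bool, usize) {
    let mut buf = vec![1u8, 2, 3, 4];

    // Two shared borrows alive at the same time are allowed.
    let (a, b) = (&buf, &buf);
    let before = checksum(a) + checksum(b);

    // let r = &buf; write_at(&mut buf, 0, 9); checksum(r);
    // ^ rejected at compile time: mutable borrow while a shared borrow is live.

    let in_range = write_at(&mut buf, 0, 9).is_ok();
    let out_of_range = write_at(&mut buf, 4, 9).is_err();

    let len = consume(buf); // ownership moves into consume()
    // checksum(&buf);      // rejected at compile time: use after move

    (before, in_range, out_of_range, len)
}

fn main() {
    println!("{:?}", demo());
}
```

Uncommenting either of the two commented-out lines makes the compiler refuse the program, which is how the borrow and ownership rules are enforced before the code ever runs.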