Security of Web Design

1.1 “Adopting Strict Content Security Policy for XSS Protection”

In this workshop, we will present common flaws in current Content Security Policy deployments that reduce or remove the security value of adopting a CSP policy. Content Security Policy is a mechanism designed to prevent the exploitation of XSS – the most common high-risk web application flaw. We will work with an example production application to explain the process of refactoring the markup and client-side code to make it compatible with strict CSP. In addition, we will demonstrate several support tools (not yet released) we specifically designed for prototyping and adopting a strict policy.

The tutorial is meant for web developers with a security focus, and security specialists interested in web mitigation techniques. After the tutorial developers will be able to adopt strict CSP based on nonces/hashes instead of whitelists and should be able to avoid common mistakes that usually undermine most security guarantees CSP can offer.

2.1 “Safe Client/Server Web Development with Haskell”

In this tutorial, we demonstrate how two Haskell libraries – Reflex-Dom and Servant – provide a powerful and complete web development framework which uses typechecking to guarantee many security and correctness properties on both the client and the server. We will provide a cloneable repository containing each code example in the tutorial. The examples will progress cumulatively, e.g., the first example will present a single hello-world REST handler and static client page, the next example will provide two REST handlers for a two-step client webapp workflow, the third example will add error reporting between the server and client, etc.
The tutorial will consist of roughly four parts: (1) a summary of Haskell’s syntax and the type system, (2) an overview of Servant for backend server development, (3) an overview of Functional Reactive Programming and Reflex for frontend client development, and (4) strategies for seamlessly connecting the backend and frontend to ensure typelevel security properties are preserved through the entire codebase and across refactorings.
The audience is expected to have some basic familiarity with web development in any traditional server-side language (e.g., Ruby, Java, Python) and an awareness of commonly discussed limitations in JavaScript testability and maintainability. Prior familiarity with functional programming idioms may be useful in modifying the examples and completing exercises individually, but answers and explanations will be provided for all exercises in order to avoid focus on specifics of Haskell syntax.
As a result of this tutorial, attendees should take away:
• Understanding how type systems can enforce correctness and security properties across a large codebase
• Benefits of transitioning from test-driven-development to type-driven-development, and sharing the same language on the server and client
• An introduction to Functional Reactive Programming for managing event-based control flow

Static Analysis Techniques

1.2 “How to Find and Fix Software Vulnerabilities with Coverity Static Analysis”

This hands-on workshop will combine minimal instruction with strong hands-on emphasis on practical lab exercises for attendees to practice the topics covered — the expected duration will be 90 minutes:

• Introduction to Coverity static code analysis
• Integration of Analysis into Development Cycle
– “Clean after Check-in” Approach
– “Clean before Check-in” Approach
– “Continuous Clean” Approach
• Category of Security Vulnerabilities
– Quality Defects that can be exploits
– Web Application Security flaws
• How to find and fix them with Coverity

The hands-on labs will give attendees the opportunity to run real-time Coverity analysis on a number of given codebases, to find vulnerabilities in both (a) and (b) categories (buffer overruns, cross-site scripting XSS, SQL Injections etc. with actionable advice on approaches and options to eliminate them

The workshop attendees will be given access to their own dedicated virtual machines in our cloud-based lab platform. The VMs will be pre-configured with all the necessary software and sample codebases. Participant should bring their laptops with Wi-Fi network card, and a contemporary browser, such as Chrome, IE, FF, Safari, or similar with HTML5 support, which they should run to validate compliance with our pre-check test: https://synopsys.instructorled.training/precheck.

At the session start, attendees will be provided with access codes to remotely connect to their virtual lab machines at https://synopsys.instructorled.training, using the Wi-Fi connectivity provided by the IEEE SecDev 2016 Conference.

2.2 “Auditing Code for Security Vulnerabilities with CodeSonar”

In this tutorial you will get a security-oriented introduction to CodeSonar, its program model, and its analyses. Attendees will be given access to a live CodeSonar instance, and will be shown how to explore a code base and review analysis results. Finally, a taste of how to extend CodeSonar will be given. CodeSonar is a static analysis tool for finding programming errors and security vulnerabilities in C, C++, and Java source code as well as x86, x86_64, and ARM machine code programs.

This tutorial is aimed at researchers or practitioners interested in code-level security vulnerabilities, particularly in C and C++. Attendees will learn how to:

• Use CodeSonar to find and understand code-level issues.
• Use CodeSonar as a platform for custom analyses.

Dynamic Testing Techniques

1.3 “Continuous fuzzing with libFuzzer and AddressSanitizer”

In this tutorial you will learn how to build a guided fuzzer for a C/C++ project of your choice, how to fuzz it manually with libFuzzer (in-process guided fuzzer) and AddressSanitizer (memory error detector), and how to set up a simple continuous fuzzing bot. Bonus topics will include AFL-fuzz, more sanitizers, coverage analysis, and more.

Attendees should bring:

• Laptop.
• Fluency in C or C++ and Linux shell.
• Access to a clean VM with Ubuntu 14.04 on x86_64, preferably with 2+ CPUs.
o Other flavors of Linux or OSX may work, but if not — we may not be able to help.
• VMs on GCE may be provided: if you need one please register on GCE and send your e-mail to kcc (at) google {dot} com in advance.

2.3 “Using Dr. Fuzz, Dr. Memory, and Custom Dynamic Tools for Secure Development”

This tutorial will present two tools that can be integrated into a secure software development approach, as well as describing how custom tools can be built utilizing the same underlying tool platform. The first tool is Dr. Fuzz, a fuzz-testing tool that targets functions. Dr. Fuzz allows users to repeatedly execute one function in a target application with different execution contexts or argument inputs. The second tool is Dr. Memory, a memory monitoring tool that identifies memory-related programming errors such as accesses of uninitialized memory, accesses to unallocated memory, accesses to freed memory, double frees, memory leaks, and (on Windows) handle leaks and GDI API usage errors. These tools are built on the DynamoRIO dynamic instrumentation tool platform. DynamoRIO’s API can be used to build custom tools that utilize dynamic code manipulation for a variety of instrumentation, profiling, analysis, and introspection tasks.

The tutorial will be slide-driven with extensive examples of how to use the tools, building up from simple to more substantial scenarios. The target audience is primarily software developers interested in the end-user tools and secondarily tool developers interested in the tool platform.

Security Engineering

1.4 “Beyond errno: Error Handling in ‘C'”

This tutorial covers error handling in C. In many modern languages the recommended mechanism for error handling is exceptions, but C does not support exceptions. Due to its age, C has acquired a plethora of technologies for handling errors. These range from return codes, errno, and abort() to more esoteric techniques like goto chains, setjmp()/longjmp(), and runtime constraint handlers. With the myriad techniques for handling errors, how then is a C programmer expected to handle errors securely? In this tutorial, we will examine the technologies available to the C developer for handling errors. Each technique has its own pros and cons, and we will examine correct and incorrect uses of each, with an eye towards software security and maintainability. We will briefly touch on C++ exceptions, but we intend to focus on platforms where exceptions are not available. The audience is expected to have a beginner’s understanding of C, and they will be given small code examples to understand throughout the tutorial in order to increase their understanding. They can expect to become aware of the most common error-handling technologies widely used and employed by C programmers.

In this tutorial you will learn the various techniques of handling errors in C. These range from return codes, errno, and abort() to more esoteric techniques like goto chains, setjmp()/longjmp(), and runtime constraint handlers. We will briefly touch on C++ exceptions, but we intend to focus on platforms where exceptions are not available. You are expected to possess at least a beginner’s understanding of C and be able to understand simple C code examples.

This tutorial is planned as a slide presentation and discussion. The audience is expected to participate in discussions about techniques, and answer questions like “What does this code do?” or “How could an attacker make this program crash?”

2.4 “Codiscope SecureAssist™ – The Developer’s Security Assistant”

With this tutorial, participants will learn the benefits of using SecureAssist to find security bugs earlier in the development cycle. I’ll also explain the ease with which this tool can be used without being counterproductive to the development process. This tutorial caters to developers and security experts who work closely with developers in remediation assistance. Participants of this tutorial are recommended to have Eclipse 4.3 and above installed on their systems. The agenda of this tutorial is as follows:

1) Vulnerabilities at different stages of the SDLC – SDLC, impact of bugs, detection tools, Agile development impact
2) Introduction to SecureAssist – What is it about? Other products in the market
3) Installation of SecureAssist in Eclipse – 10 mins
4) Walkthrough of features in Eclipse – Scanning code, identifying fixes, customization
5) Rulepack configuration – Customization to look for specific defects
6) How is the team progressing? – Reporting, effort Analysis and ROI
7) Reporting features
8) Open house – Queries and doubts

Secure Development Operations

1.5 “Software Vulnerabilities, Defects, and Design Flaws: A Technical Debt Perspective”

During this tutorial, we will draw from concrete industry examples and experience to offer software development practices to improve the management of technical debt and reduce its impact on security. By design, the briefing will provide new insights to attendees who are familiar with these topics individually. At the end of the tutorial, the attendees will be able to:

• Define technical debt and how it relates to defects, vulnerabilities, and design flaws
• Understand design flaws and their contribution to vulnerabilities and technical debt
• Write a clear description of a technical debt item

2.5 “Secure DevOps Process and Implementation”

Participants will come away with a solid understanding of the realities of Secure DevOps, from tools and techniques to culture and specific organizational security policy. By focusing on common pitfalls and missteps, instructors will help attendees navigate the challenging tasks of adapting Secure DevOps theories, practices, and tools to meet their particular application security needs, and to provide measurable value to their organizations.