How Attackers Break Programs and How to Write Programs Securely
Matt Bishop, University of California, Davis

Who should attend: Intrusions exploit vulnerabilities, and the vast majority of those vulnerabilities are the result of programming errors. Security professionals and developers who know the difference between safe and unsafe code can be key players in two critical endeavors: writing software that doesn't create new vulnerabilities, and evaluating code to determine whether it is vulnerable.

The goal of this course is to enable the attendee to write a secure setuid or setgid program in C (or any code that runs as root with privileges), and to know when it is (and is not) appropriate to write such a program. The course covers common errors in designing and writing privileged programs, and presents them in the context of where they were discovered and exploited. In this way, the course provides a prescription for safe programming and anecdotal information about why ignoring each of the prescriptions can lead to real-world compromise. This course also exposes program errors and shows how to avoid them.

Topics include:

Matt Bishop earned his Ph.D. at Purdue University, where he began working on problems of security in computer systems in general, and UNIX systems in particular. He subsequently worked at the Research Institute for Advanced Computer Science at NASA and taught courses in operating systems, computer security, and software engineering at Dartmouth College. He chaired the first USENIX Security Workshop and plays an active role in identifying and thwarting security threats. In 1993, Matt joined the faculty at the University of California at Davis.
Network Security Profiles: A Collection (Hodgepodge) of Stuff Hackers Know About You
Brad Johnson, SystemExperts Corporation

Who should attend: This course will be useful for anyone with any TCP/IP-based system: a UNIX, WindowsXX, Windows NT, or mainframe operating system, or a router, firewall, or gateway network host.

Whether network-based host intrusions come from the Internet, an extranet, or an intranet, they typically follow a common methodology: reconnaissance, vulnerability research, and exploitation. This tutorial will review the tools and techniques hackers (determined intruders) use to perform these activities. You will learn what types of protocols and tools they use, and you will become familiar with a number of current methods and exploits. The course will show how you can generate vulnerability profiles of your own systems. Additionally, it will review some of the important management policies and issues related to these network-based probes.

The course will focus primarily on tools that exploit many of the common TCP/IP-based protocols, such as WWW, SSL, DNS, ICMP, and SNMP, that underlie virtually all Internet applications, including Web technologies, network management, and remote filesystems. Some topics will be addressed at a detailed technical level. This course will concentrate on examples drawn from public domain tools, because these tools are widely available and commonly used by hackers (and are free for you to use).

Topics include:

Topics NOT covered:

Brad Johnson is a well-known authority in the field of distributed systems. He has participated in seminal industry initiatives including the Open Software Foundation, X/Open, and the IETF, and has published often about open systems. At SystemExperts Brad has led numerous security probes for major companies, revealing significant unrealized exposures. Prior to joining SystemExperts, Brad was one of the original members of the OSF DCE Evaluation Team, the group that identified, evaluated, and selected technology to become the industry's first true interoperable middleware.

Cryptography From the Basics Through PKI in 23,400 Seconds
Daniel Geer, CertCo, Inc.

Who should attend: This course addresses what is and is not possible in network security, and examines the tradeoffs between security, cryptographic complexity, accountability, and cost. We approach cryptography as a tool, not a calling, and we approach the idea of a Public Key Infrastructure as an investment you may or may not choose to make. Upon completing this course, you will be in a position to confidently evaluate and buy security technologies.

We will cover, as interactively as possible, what security really is and how to buy no more than you need. You will learn about alternatives for deploying and managing security in general and Public Key Infrastructure in particular, plus some guidance in evaluating them with respect to your needs. While we cannot solve your problems for you, we'd welcome students who are stalled out over seemingly unfathomable forks in the road, e.g., "How many CAs does a company need?" Possible answers include: one per hiring office, precisely one globally, it doesn't matter, none (you outsource), however many you already have plus one for cross-certification, etc. We'll help you discover which answers are better (and why), and which approach is right for you.

Daniel E. Geer, Jr., is Vice President and Senior Strategist for CertCo, Inc., the market leader in digital certification for electronic commerce. Daniel was previously Director of Engineering at Open Market, Inc.
He has been a successful entrepreneur in network security and distributed systems management, culminating in the successful sale of his own company to OpenVision Technologies, where he subsequently served as Chief Scientist, Vice President of Technology, and Managing Director. He arranged the Public Key Infrastructure track of the Third USENIX Workshop on Electronic Commerce. He co-authored The Web Security Sourcebook (Wiley & Sons) with Marcus Ranum and Aviel Rubin. He co-chaired the recent USENIX workshops on Embedded Systems and Intrusion Detection.

Aviel D. Rubin is a Principal Technical Staff Member at AT&T Labs Research, in the secure systems research department. He is also Adjunct Professor of Computer Science at New York University, where he teaches cryptography and computer security. He is the co-author of The Web Security Sourcebook. Avi holds a B.S., M.S.E., and Ph.D. from the University of Michigan in Ann Arbor ('89, '91, '94) in Computer Science and Engineering. He has served on several program committees for major security conferences and as the program chair for USENIX Security '98, USENIX Technical '99, and ISOC NDSS 2000. His URL is http://cs.nyu.edu/rubin.

First posted: May 1999. Last changed: May 1999.