March 1, 2011—The following technical reports and technical notes were published recently by the Software Engineering Institute. For the latest SEI technical reports and papers, see http://www.sei.cmu.edu/library/reportspapers.cfm.
Richard C. Linger, Tim Daly, & Mark Pleszkoch
For several years, the Software Engineering Institute (SEI) at Carnegie Mellon University has been engaged in a project to compute the behavior of software with mathematical precision to the maximum extent possible. Air Force Office of Scientific Research (AFOSR) sponsorship has played a key role in this effort. The general thrust of the research for AFOSR has been in technology for (1) overcoming difficult aspects of behavior computation and (2) analyzing and manipulating computed behavior. In 2009, the research focused on computing the behavior of loops, a process subject to theoretical limitations. This resulted in practical methods for loop computation that minimize the effects of these constraints. The 2010 research focused on foundations and implementations of algorithms that employ computed behavior and semantic reduction theorems to determine the true control flow of malware programs as an essential first step in computing overall malware behavior. Determining the true control flow of a program in the presence of computed jumps and jump table operations has been a difficult problem for some time. Syntactic methods of control flow analysis exhibit limitations that reduce their effectiveness. The semantic methods employed by behavior computation can produce improved results. The findings of this research have been implemented in a system for malware analysis and have improved capabilities for behavior computation in other applications. At the same time, the research has revealed a potential new approach to both reverse engineer and forward engineer software based on rigorous specification and verification in the context of behavior computation.
William Anderson, Archie Andrews, Nanette Brown, Cory Cohen, Christopher Craig, Tim Daly, Dionisio de Niz, Andres Diaz-Pace, Peter Feiler, David Fisher, David Gluch, Jeffrey Hansen, Jörgen Hansson, John Hudak, Karthik Lakshmanan, Richard Linger, Howard Lipson, Gabriel Moreno, Ed Morris, Onur Mutlu, Robert Nord, Ipek Ozkaya, Dan Plakosh, Mark Pleszkoch, Ragunathan (Raj) Rajkumar, Joe Seibel, Soumya Simanta, Charles Weinstock, & Lutz Wrage
The Software Engineering Institute (SEI) annually undertakes several independent research and development (IRAD) projects. These projects serve to (1) support feasibility studies investigating whether further work by the SEI would be of potential benefit and (2) support further exploratory work to determine whether there is sufficient value in eventually funding the feasibility study work as an SEI initiative. Projects are chosen based on their potential to mature and/or transition software engineering practices, develop information that will help in deciding whether further work is worth funding, and set new directions for SEI work. This report describes the IRAD projects that were conducted during fiscal year 2010 (October 2009 through September 2010).
Michael Hanley, Tyler Dean, Will Schroeder, Matt Houy, Randall F. Trzeciak, & Joji Montelibano
Since 2001, the Insider Threat team at the Software Engineering Institute’s CERT program has built an extensive library and comprehensive database containing more than 550 cases of insider crimes. More than 80 of those crimes involved theft of an organization’s intellectual property by a malicious insider. These crimes can be particularly damaging to an organization because it is often difficult or impossible to recover from a loss of confidentiality. This report provides an overview of techniques employed by malicious insiders to steal intellectual property, including the types of assets targeted and the methods used to remove the information from a victim organization’s control. The report closes with a brief discussion of mitigating factors and strategic items that an organization should consider when defending against insider attacks on intellectual property.
Dan Shoemaker, Nancy R. Mead, & Jeff Ingalsbe
Training personnel to assure the secure development, sustainment, and acquisition of software code is a national priority. However, in the secure software domain, there is no single, commonly accepted point of reference to direct software assurance education and training. In response to this problem, the CERT Program at Carnegie Mellon University’s Software Engineering Institute recently led the development of a Master of Software Assurance (MSwA) Reference Curriculum. This report examines how the recommendations of the MSwA Reference Curriculum might be integrated into the model curriculum recommendations for a Master of Science in Information Systems (MSIS). This integration is important because IS programs constitute a key portion of computer education programs in the United States. The report describes the content areas of the MSIS curriculum that appear to be most relevant to secure software assurance practice. It also details the places in the current MSIS curriculum model where recommendations of the MSwA Reference Curriculum appear to fit. In addition the report explains how those recommendations can be integrated into a conventional MSIS curriculum and provides an example of an existing MSIS curriculum that embodies them.
This report models the approach a focused attacker would take in order to breach an organization through web-based protocols and provides detection or prevention methods to counter that approach. It discusses the means an attacker takes to collect information about the organization’s web presence. It also describes several threat types, including configuration management issues, authorization problems, data validation issues, session management issues, and cross-site attacks. Individual threats within each type are examined in detail, with examples (where applicable) and a potential network monitoring solution provided. For quick reference, the appendix includes all potential network monitoring solutions for the threats described in the report. Due to the ever-changing entity that is the web, the threats and protections outlined in the report are not to be taken as the definitive resource on web-based attacks. This report is meant to be a starting reference point only.
For more information
Please tell us what you
think with this short
(< 5 minute) survey.