Software Security

Software is full of bugs, and bugs can cause all kinds of problems
- Examples:
- Therac-25 medical accelerator
  - Race condition existed that killed at least 5 patients
- Mars Climate Orbiter
  - Was destroyed due to a unit mismatch between software and hardware using it
- AT&T long distance network
  - Switches crashed when they received a certain message
- The iPhone message that would crash phones. Was a weird set of characters that could crash it
Software bugs can be very bad
- Much worse things can happen if someone intentionally tries to exploit them
  - Force code into the worst possible state
  - Violate security of system
Common class of bugs: Buffer Overflows
Buffer overflow in Berkely Unix finger daemon
- Exploited by the Morris Worm
- Was the first time a buffer overflow was majorly used
- Took advantage of known vulnerabilities in Unix sendmail, finger, and rsh/rexec, as well as weak passwords
- Infected about 6000 computers
- First significant worm
- Morris claimed it was intended to gauge the size of the internet but it accidentally replicated itself soooooo
- Morris is now a professor at MIT but was also the first (or one of the first) person’s caught by the Computer Abuse and Fraud Act
Software vulnerabilities are everywhere

What is software security?

System model - Software is used by several users simulatneouslay
Threat model - the adversary interacts with the API provided by the software
- There is some way the adversary can interact with the software. Config files, input, API, etc.
- We ignore physical access to the computer, if they have your computer you’re already done for
Properties - Confidentiality, integrity, and availability
Software bugs matter because they can be very bad
Even worse, when exploited, attackers can
- Crash a program: compromises availability
- Execute arbitrary code: compromises integrity
- Obtain sensitive information: compromises confidentiality